Understanding the FlexVPN constructs and how they work together is the shortest way to understand what the Smart Defaults feature is and what it can do for us. The FlexVPN constructs fall into two main categories:
Internet Key Exchange Version 2 (IKEv2) Constructs:
IKEv2 Proposal
An Internet Key Exchange Version 2 (IKEv2) proposal is a collection of transforms used in the negotiation of Internet Key Exchange (IKE) security associations (SAs) as part of the IKE_SA_INIT exchange. The transform types used in the negotiation are the encryption, integrity, pseudorandom function (PRF) and Diffie-Hellman (DH) group algorithms.
IKEv2 Policy
An IKEv2 policy contains proposals that are used to negotiate the encryption, integrity and PRF algorithms and the DH group in the IKE_SA_INIT exchange. It can have match statements, which are used as selection criteria to select a policy during negotiation.
IKEv2 Profile
An IKEv2 profile is a repository of nonnegotiable parameters of the IKE SA, such as local and remote identities, authentication methods and the services that are available to authenticated peers that match the profile. An IKEv2 profile must be attached to either a crypto map or an IPsec profile on the initiator. An IKEv2 profile is not mandatory on the responder.
IKEv2 Key Ring
An IKEv2 key ring is a repository of symmetric and asymmetric preshared keys and is independent of the IKEv1 key ring. The IKEv2 key ring is associated with an IKEv2 profile and hence supports the set of peers that match the IKEv2 profile.
FlexVPN IPsec Constructs:
Transform Set
An IPsec transform set is a collection of transforms used in the negotiation of the IPsec security associations (SAs) that protect the data. The transform types used in the negotiation are the encryption and integrity algorithms, together with the encapsulation mode (tunnel or transport). The DH group used for perfect forward secrecy (PFS) is not part of the transform set; it is configured in the IPsec profile.
IPsec Profile
An IPsec profile references the transform set and the IKEv2 profile and is applied to the tunnel interface as its protection profile.
IKEv2 Smart Defaults
The IKEv2 Smart Defaults feature minimizes the FlexVPN configuration by supplying pre-existing constructs known as smart defaults. The IKEv2 defaults are a default proposal (default) and a default policy (default); the IPsec defaults are a default transform set (default) and a default IPsec profile (default). Only an IKEv2 profile, together with the key ring or certificate it authenticates with, needs to be created.
The following rules apply to the IKEv2 Smart Defaults feature:
1 A default configuration is displayed in the corresponding show command with default as the keyword and with no argument. For example, the show crypto ikev2 proposal default command displays the default IKEv2 proposal, and the show crypto ikev2 proposal command displays the default IKEv2 proposal along with any user-configured proposals.
2 A default configuration is displayed in the show running-config all command; it is not displayed in the show running-config command.
3 You can modify the default configuration; the modified version is displayed in the show running-config all command.
4 A default configuration can be disabled using the no form of the command, for example no crypto ikev2 proposal default. A disabled default configuration is not used in negotiation, but the configuration is displayed in the show running-config command. A disabled default configuration loses any user modification and restores the system-configured values.
5 A default configuration can be re-enabled using the default form of the command, which restores the system-configured values, for example default crypto ikev2 proposal.
6 The default mode for the default transform set is transport; the default mode for all other transform sets is tunnel.
In this scenario I will show you how to configure site-to-site FlexVPN using Smart Defaults. You can also download the configuration file from here.
R1 Configuration:
IKEv2 Configuration.
IKEv2 Proposal and Policy Configuration.
-No need to create a new proposal or policy for the IKEv2 security association, because Smart Defaults has already created an IKEv2 proposal (default) with encryption, integrity, PRF and Diffie-Hellman (DH) group algorithms pre-configured, and an IKEv2 policy (default) that references the default proposal. There is no default IKEv2 profile; that is the one object we create ourselves below.
-Use the “show crypto ikev2 proposal default” command to list the (default) proposal algorithms, including the encryption, integrity, PRF and Diffie-Hellman (DH) group algorithms.
R1#sh crypto ikev2 proposal default
IKEv2 proposal: default
 Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
 Integrity : SHA512 SHA384 SHA256 SHA96 MD596
 PRF : SHA512 SHA384 SHA256 SHA1 MD5
 DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
-Use the “show crypto ikev2 policy default” command to verify the Smart Defaults configuration of the (default) IKEv2 policy and its association with the (default) proposal.
R1#sh crypto ikev2 policy default
IKEv2 policy : default
 Match fvrf : any
 Match address local : any
 Proposal : default
Notice: You can customize the (default) proposal and the (default) IKEv2 policy if you want, and you can reset the changes back to the defaults using the “default crypto ikev2 proposal” and “default crypto ikev2 policy” commands. Keep in mind that, as the output above shows, the untouched default proposal still advertises MD5, SHA1 (SHA96) and the 1024-bit and 1536-bit MODP groups (2 and 5), so a peer that offers only those can still negotiate them; trim the list on both peers if those algorithms are not acceptable to you.
Key Ring Configuration.
-Create a new IKEv2 key ring and define the peer name, its public IP address, the pre-shared key used locally by R1 to authenticate itself to the peer, and the key that R1 expects from the remote peer. Notice that I am using asymmetric pre-shared keys because the local and remote keys are not the same. The short keys below are for the lab only; in production use long, random pre-shared keys, since PSK authentication is only as strong as the key.
R1(config)#crypto ikev2 keyring IKEV2-Key-Ring
R1(config-ikev2-keyring)# peer R2
R1(config-ikev2-keyring-peer)# address 192.168.1.2
R1(config-ikev2-keyring-peer)# pre-shared-key local R1-KEY
R1(config-ikev2-keyring-peer)# pre-shared-key remote R2-KEY
Configure IKEv2 Profile.
-Create a new IKEv2 profile to define the remote peer's public IP address, the local and remote authentication methods and the key ring used for authentication.
R1(config)#crypto ikev2 profile IKEV2-Profile
An IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
R1(config-ikev2-profile)# match identity remote address 192.168.1.2 255.255.255.255
R1(config-ikev2-profile)# authentication remote pre-share
R1(config-ikev2-profile)# authentication local pre-share
R1(config-ikev2-profile)# keyring local IKEV2-Key-Ring
IPsec Configuration.
Configure IPsec Profile.
-No need to create a new IPsec profile or transform set for the IPsec security association (SA), since both already exist as smart defaults.
-In the default IPsec profile (default) only one parameter has to be set, the IKEv2 profile; the default transform set (default) is already associated with it by Smart Defaults.
R1(config)#crypto ipsec profile default
R1(ipsec-profile)# set ikev2-profile IKEV2-Profile
-Use the “show crypto ipsec profile default” command to list the (default) IPsec profile and verify the (default) transform set association. You can customize the IPsec profile and reset the changes back to the default using the “default crypto ipsec profile” command.
R1#sh crypto ipsec profile default
IPSEC profile default
 IKEV2 profile IKEV2-Profile
 Security association lifetime: 4608000 kilobytes/3600 seconds
 Responder-Only (Y/N): N
 PFS (Y/N): N
 Transform sets={
 default: { esp-aes esp-sha-hmac } ,
 }
-Use the “show crypto ipsec transform-set default” command to list the (default) transform set algorithms.
R1#sh crypto ipsec transform-set default
{ esp-aes esp-sha-hmac }
 will negotiate = { Transport, },
Note: You can customize the default transform set and reset the changes back to the default using the “default crypto ipsec transform-set” command. Note also what the default actually is: esp-aes with no key size is AES-128-CBC, esp-sha-hmac is HMAC-SHA1-96, and the profile output above shows PFS (Y/N): N, so child SA rekeys reuse the IKE SA key material rather than doing a fresh DH exchange.
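The two smart-default objects shown above (the IKEv2 proposal named default and the IPsec transform set named default) are negotiable lists, and as shipped they still include MD5, SHA1 and the 1024/1536-bit MODP groups on the IKEv2 side, and AES-128 with SHA1 and no PFS on the IPsec side. The following is an added example, not part of the original post, of trimming both defaults in place on R1 (rule 3 above) instead of creating new objects. It assumes an IOS release that supports DH group 19 and esp-sha256-hmac, and the same commands must be repeated on R2 so that the two lists still intersect. The profile name IKEV2-Profile is the one created earlier on this page.

```cisco
! Added example: harden the smart defaults in place on R1 (repeat on R2).
! Assumes the IOS release supports DH group 19 and esp-sha256-hmac.
!
! 1. Trim the default IKEv2 proposal. Each command replaces the whole list,
!    so MD5, SHA1 (SHA96) and groups 2 and 5 drop out. The PRF list follows
!    the integrity list when prf is not configured explicitly.
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha512 sha256
 group 19 14
!
! 2. The default policy still references the default proposal, so nothing
!    changes here. Verify with: show crypto ikev2 policy default
!
! 3. Replace the default transform set (AES-128 + SHA1) and keep transport
!    mode, which is what the default transform set uses (rule 6 above).
crypto ipsec transform-set default esp-aes 256 esp-sha256-hmac
 mode transport
!
! 4. Turn on PFS in the default IPsec profile so each child SA rekey does a
!    fresh DH exchange. The profile already carries the IKEv2 profile.
crypto ipsec profile default
 set ikev2-profile IKEV2-Profile
 set pfs group14
!
! 5. Shorten the IKE SA lifetime (default 86400 s, as seen in show crypto
!    ikev2 sa) and enable DPD so a dead peer is noticed within about a minute.
crypto ikev2 profile IKEV2-Profile
 lifetime 28800
 dpd 10 3 on-demand
!
! 6. If the result is ever unwanted, one command per object restores the
!    system-configured values (rule 5 above):
!    default crypto ikev2 proposal
!    default crypto ipsec transform-set
!    default crypto ipsec profile
```

After both peers are changed, clear the existing session with clear crypto ikev2 sa so the SAs are renegotiated; show crypto ikev2 sa should then report the new hash and DH group instead of SHA512/DH Grp:5 from the stock proposal, show crypto ikev2 proposal default should list only the trimmed algorithms, and show crypto ipsec profile default should show PFS (Y/N): Y. Because the modified defaults appear only in show running-config all (rule 2), check that output, not show running-config, when auditing a box.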
Unnumbered Interface and Public Interface Configuration.
-Configure the public interface facing the internet that will be used to connect to the VPN peer, and create a loopback interface whose IP address the tunnel interface will borrow. Using a loopback interface makes the tunnel addressing independent of any specific physical interface.
R1(config)#interface FastEthernet0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#interface Loopback1
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shut
Virtual Tunnel Interface (VTI) Configuration.
-Assign the IP address of the loopback interface to the VTI tunnel interface using the ip unnumbered command.
-Configure the VTI tunnel source as the public interface that will be used to connect to the VPN peer; the tunnel destination is the public interface address of that peer.
-Apply the IPsec protection profile to the VTI tunnel interface.
R1(config)#interface Tunnel 1
R1(config-if)# ip unnumbered Loopback1
R1(config-if)# tunnel source FastEthernet0/0
R1(config-if)# tunnel destination 192.168.1.2
R1(config-if)# tunnel protection ipsec profile default
R2 Configuration:
IKEv2 Configuration.
IKEv2 Proposal and Policy Configuration.
-Remember, no need to create a new proposal or policy for the IKEv2 security association, because Smart Defaults has already created an IKEv2 proposal (default) with encryption, integrity, PRF and Diffie-Hellman (DH) group algorithms pre-configured, and an IKEv2 policy (default) that references the default proposal.
-Use the “show crypto ikev2 proposal default” command to list the (default) proposal algorithms, including the encryption, integrity, PRF and Diffie-Hellman (DH) group algorithms.
R2#sh crypto ikev2 proposal default
IKEv2 proposal: default
 Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
 Integrity : SHA512 SHA384 SHA256 SHA96 MD596
 PRF : SHA512 SHA384 SHA256 SHA1 MD5
 DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
-Use the “show crypto ikev2 policy default” command to verify the Smart Defaults configuration of the (default) IKEv2 policy and its association with the (default) proposal.
R2#sh crypto ikev2 policy default
IKEv2 policy : default
 Match fvrf : any
 Match address local : any
 Proposal : default
Key Ring Configuration.
-Create a new IKEv2 key ring and define the peer name, its public IP address, the pre-shared key used locally by R2 to authenticate itself to the peer, and the key that R2 expects from the remote peer. This is the mirror image of the R1 key ring: R2's local key is R1's remote key and vice versa.
R2(config)#crypto ikev2 keyring IKEV2-Key-Ring
R2(config-ikev2-keyring)# peer R1
R2(config-ikev2-keyring-peer)# address 192.168.1.1
R2(config-ikev2-keyring-peer)# pre-shared-key local R2-KEY
R2(config-ikev2-keyring-peer)# pre-shared-key remote R1-KEY
Configure IKEv2 Profile.
-Create a new IKEv2 profile to define the remote peer's public IP address, the local and remote authentication methods and the key ring used for authentication.
R2(config)#crypto ikev2 profile IKEV2-Profile
An IKEv2 profile MUST have:
1. A local and a remote authentication method.
2. A match identity or a match certificate statement.
R2(config-ikev2-profile)# match identity remote address 192.168.1.1 255.255.255.255
R2(config-ikev2-profile)# authentication remote pre-share
R2(config-ikev2-profile)# authentication local pre-share
R2(config-ikev2-profile)# keyring local IKEV2-Key-Ring
Configure the IPsec Profile.
-Again, no need to create a new IPsec profile or transform set for the IPsec security association (SA), since both already exist as smart defaults.
-In the default IPsec profile (default) only one parameter has to be set, the IKEv2 profile; the default transform set (default) is already associated with it by Smart Defaults.
R2(config)#crypto ipsec profile default
R2(ipsec-profile)# set ikev2-profile IKEV2-Profile
-Use the “show crypto ipsec profile default” command to list the (default) IPsec profile and verify the (default) transform set association.
R2#sh crypto ipsec profile default
IPSEC profile default
 IKEV2 profile IKEV2-Profile
 Security association lifetime: 4608000 kilobytes/3600 seconds
 Responder-Only (Y/N): N
 PFS (Y/N): N
 Transform sets={
 default: { esp-aes esp-sha-hmac } ,
 }
-Use the “show crypto ipsec transform-set default” command to list the (default) transform set algorithms.
R2#sh crypto ipsec transform-set default
{ esp-aes esp-sha-hmac }
 will negotiate = { Transport, },
Unnumbered Interface and Public Interface Configuration.
-Configure the public interface facing the internet that will be used to connect to the VPN peer, and create a loopback interface whose IP address the tunnel interface will borrow. Using a loopback interface makes the tunnel addressing independent of any specific physical interface.
R2(config)#interface FastEthernet0/0
R2(config-if)# ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#interface Loopback 2
R2(config-if)# ip address 192.168.10.2 255.255.255.0
R2(config-if)#no shut
Virtual Tunnel Interface (VTI) Configuration.
-Assign the IP address of the loopback interface to the VTI tunnel interface using the ip unnumbered command.
-Configure the VTI tunnel source as the public interface that will be used to connect to the VPN peer; the tunnel destination is the public interface address of that peer.
-Apply the IPsec protection profile to the VTI tunnel interface.
R2(config)#interface Tunnel 2
R2(config-if)# ip unnumbered Loopback 2
R2(config-if)# tunnel source FastEthernet0/0
R2(config-if)# tunnel destination 192.168.1.1
R2(config-if)# tunnel protection ipsec profile default
Verification.
IKEv2 Verification.
R1 IKEv2 Verification.
-Use the “show crypto ikev2 sa” command to verify the IKEv2 SA between R1 and R2. Status READY confirms the IKE SA is up, and the line below it shows what was actually picked from the default proposal: AES-CBC with a 256-bit key, SHA512 and DH group 5, with PSK authentication in both directions. This is the line to check after any change to the proposal, because it reflects the negotiated result rather than the configured list.
R1#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.1.1/500 192.168.1.2/500 none/none READY
 Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
 Life/Active Time: 86400/211 sec
IPv6 Crypto IKEv2 SA
R2 IKEv2 Verification.
-Use the “show crypto ikev2 sa” command to verify the IKEv2 SA between R2 and R1.
R2#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 192.168.1.2/500 192.168.1.1/500 none/none READY
 Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
 Life/Active Time: 86400/483 sec
IPv6 Crypto IKEv2 SA
IPsec Verification.
R1 IPsec Verification.
-Use the “show crypto ipsec sa” command to verify the IPsec inbound and outbound SAs. The local and remote identities carry protocol 47 (GRE) because the tunnel interface defaults to GRE encapsulation, which ESP protects in transport mode; the encaps/decaps counters should increase as traffic crosses the tunnel, and the PFS line reflects the setting of the default IPsec profile.
R1#sh crypto ipsec sa
interface: Tunnel1
 Crypto map tag: Tunnel1-head-0, local addr 192.168.1.1
 protected vrf: (none)
 local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/47/0)
 current_peer 192.168.1.2 port 500
 PERMIT, flags={origin_is_acl,}
 #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
 #pkts decaps: 94, #pkts decrypt: 94, #pkts verify: 94
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 0, #recv errors 0
 local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.1.2
 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
 current outbound spi: 0x91510770(2438006640)
 PFS (Y/N): N, DH group: none
 inbound esp sas:
 spi: 0x5A3580A4(1513455780)
 transform: esp-aes esp-sha-hmac ,
 in use settings ={Transport, }
 conn id: 4, flow_id: 4, sibling_flags 80000000, crypto map: Tunnel1-head-0
 sa timing: remaining key lifetime (k/sec): (4329051/3175)
 IV size: 16 bytes
 replay detection support: Y
 Status: ACTIVE(ACTIVE)
 inbound ah sas:
 inbound pcp sas:
 outbound esp sas:
 spi: 0x91510770(2438006640)
 transform: esp-aes esp-sha-hmac ,
 in use settings ={Transport, }
 conn id: 3, flow_id: 3, sibling_flags 80000000, crypto map: Tunnel1-head-0
 sa timing: remaining key lifetime (k/sec): (4329051/3175)
 IV size: 16 bytes
 replay detection support: Y
 Status: ACTIVE(ACTIVE)
 outbound ah sas:
 outbound pcp sas:
R2 IPsec Verification.
-Use the “show crypto ipsec sa” command to verify the IPsec inbound and outbound SAs. Note that R2's inbound SPI is R1's outbound SPI and vice versa, which is the quickest way to confirm that the two outputs describe the same pair of SAs.
R2#sh crypto ipsec sa
interface: Tunnel2
 Crypto map tag: Tunnel2-head-0, local addr 192.168.1.2
 protected vrf: (none)
 local ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/47/0)
 current_peer 192.168.1.1 port 500
 PERMIT, flags={origin_is_acl,}
 #pkts encaps: 116, #pkts encrypt: 116, #pkts digest: 116
 #pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 0, #recv errors 0
 local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.1.1
 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
 current outbound spi: 0x5A3580A4(1513455780)
 PFS (Y/N): N, DH group: none
 inbound esp sas:
 spi: 0x91510770(2438006640)
 transform: esp-aes esp-sha-hmac ,
 in use settings ={Transport, }
 conn id: 1, flow_id: 1, sibling_flags 80000000, crypto map: Tunnel2-head-0
 sa timing: remaining key lifetime (k/sec): (4306232/3076)
 IV size: 16 bytes
 replay detection support: Y
 Status: ACTIVE(ACTIVE)
 inbound ah sas:
 inbound pcp sas:
 outbound esp sas:
 spi: 0x5A3580A4(1513455780)
 transform: esp-aes esp-sha-hmac ,
 in use settings ={Transport, }
 conn id: 2, flow_id: 2, sibling_flags 80000000, crypto map: Tunnel2-head-0
 sa timing: remaining key lifetime (k/sec): (4306232/3076)
 IV size: 16 bytes
 replay detection support: Y
 Status: ACTIVE(ACTIVE)
 outbound ah sas:
 outbound pcp sas: