How To Configure Site-To-Site IKEv2 IPSec VPN Using Pre-Shared Key Authentication
If you are new to the basic concepts of VPN (Virtual Private Network) and IPSec, please learn the following lessons before continuing.
What are the terms Encryption, Decryption, Clear-Text and Cipher-Text
What are the terms Symmetric Encryption and Asymmetric Encryption
IKEv1 Main Mode, Aggressive Mode and Quick Mode Message Exchanges
IKEv2 Phase 1 (IKE SA) and Phase 2 (Child SA) Message Exchanges
Step 1: Configure Host name and Domain name in IPSec peer Routers
To configure Hostname on OmniSecuR1 use the following commands.
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname OmniSecuR1
OmniSecuR1(config)#exit
OmniSecuR1#
To configure Domain name on OmniSecuR1, use the following commands.
OmniSecuR1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OmniSecuR1(config)#ip domain-name omnisecu.com
OmniSecuR1(config)#exit
OmniSecuR1#
To configure Hostname on OmniSecuR2, use the following commands.
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname OmniSecuR2
OmniSecuR2(config)#exit
OmniSecuR2#
To configure Domain name on OmniSecuR2, use the following commands.
OmniSecuR2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OmniSecuR2(config)#ip domain-name omnisecu.com
OmniSecuR2(config)#exit
OmniSecuR2#
The following are the main components used to construct a Site-to-Site IKEv2 IPSec VPN.
IKEv2 Proposal
IKEv2 Policy
IKEv2 Profile
IKEv2 Keyring
Crypto Map
Step 2: Configure IKEv2 Keyring
The IKEv2 Keyring holds the Pre-Shared Key and the address of the remote peer. The key OmniSecuDotCom is only an example; use a long, random Pre-Shared Key in production, and the same key must be configured on both peers.
To configure IKEv2 Keyring on OmniSecuR1, use the following commands.
OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ikev2 keyring KR-1
OmniSecuR1(config-ikev2-keyring)#peer SITE-2
OmniSecuR1(config-ikev2-keyring-peer)#address 192.168.0.2
OmniSecuR1(config-ikev2-keyring-peer)#pre-shared-key OmniSecuDotCom
OmniSecuR1(config-ikev2-keyring-peer)#exit
OmniSecuR1(config-ikev2-keyring)#exit
OmniSecuR1(config)#exit
OmniSecuR1#
To configure IKEv2 Keyring on OmniSecuR2, use the following commands.
OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ikev2 keyring KR-1
OmniSecuR2(config-ikev2-keyring)#peer SITE-1
OmniSecuR2(config-ikev2-keyring-peer)#address 192.168.0.1
OmniSecuR2(config-ikev2-keyring-peer)#pre-shared-key OmniSecuDotCom
OmniSecuR2(config-ikev2-keyring-peer)#exit
OmniSecuR2(config-ikev2-keyring)#exit
OmniSecuR2(config)#exit
OmniSecuR2#
Step 3: Configure IKEv2 Proposal
An IKEv2 Proposal is a set of the following transforms, which the peers negotiate when building the IKE SA.
Encryption Algorithm
Integrity Algorithm
Pseudo-Random Function (PRF) algorithm
Diffie-Hellman (DH) Group
The PRF is not set explicitly in the commands below; when it is omitted, IOS uses the configured integrity algorithm as the PRF.
To configure IKEv2 Proposal on OmniSecuR1, use the following commands.
OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ikev2 proposal PROP-SITE2
OmniSecuR1(config-ikev2-proposal)#encryption aes-cbc-256
OmniSecuR1(config-ikev2-proposal)#integrity sha512
OmniSecuR1(config-ikev2-proposal)#group 24
OmniSecuR1(config-ikev2-proposal)#exit
OmniSecuR1(config)#exit
OmniSecuR1#
To configure IKEv2 Proposal on OmniSecuR2, use the following commands.
OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ikev2 proposal PROP-SITE1
OmniSecuR2(config-ikev2-proposal)#encryption aes-cbc-256
OmniSecuR2(config-ikev2-proposal)#integrity sha512
OmniSecuR2(config-ikev2-proposal)#group 24
OmniSecuR2(config-ikev2-proposal)#exit
OmniSecuR2(config)#exit
OmniSecuR2#
Step 4: Configure IKEv2 Policy
To configure IKEv2 Policy on OmniSecuR1 (which attaches the Proposal PROP-SITE2), use the following commands.
OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ikev2 policy POL-SITE2
OmniSecuR1(config-ikev2-policy)#proposal PROP-SITE2
OmniSecuR1(config-ikev2-policy)#exit
OmniSecuR1(config)#exit
OmniSecuR1#
To configure IKEv2 Policy on OmniSecuR2 (which attaches the Proposal PROP-SITE1), use the following commands.
OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ikev2 policy POL-SITE1
OmniSecuR2(config-ikev2-policy)#proposal PROP-SITE1
OmniSecuR2(config-ikev2-policy)#exit
OmniSecuR2(config)#exit
OmniSecuR2#
Step 5: Configure Crypto ACLs
The Crypto ACL identifies the interesting traffic that must be protected by the tunnel. The ACL on each router must be the mirror image of the ACL on the other router.
New to Access Control Lists (ACLs)? Please refer to the lessons below if you wish.
Extended Access Control List (ACL) - TCP and UDP port numbers and names
How to create and configure Access Control Lists (ACLs) for vty lines (telnet and ssh)
How to create and configure Standard Named Access Control Lists (ACLs)
How to create and configure Extended Named Access Control List (ACL)
To configure a Crypto ACL in OmniSecuR1 (to identify the traffic to OmniSecuR2), use the following commands.
OmniSecuR1#configure terminal
OmniSecuR1(config)#ip access-list extended SITE1-SITE2-CACL
OmniSecuR1(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
OmniSecuR1(config-ext-nacl)#exit
OmniSecuR1(config)#exit
OmniSecuR1#
To configure a Crypto ACL in OmniSecuR2 (to identify the traffic to OmniSecuR1), use the following commands.
OmniSecuR2#configure terminal
OmniSecuR2(config)#ip access-list extended SITE2-SITE1-CACL
OmniSecuR2(config-ext-nacl)#permit ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
OmniSecuR2(config-ext-nacl)#exit
OmniSecuR2(config)#exit
OmniSecuR2#
Step 6: Configure IPSec Transform Set
To configure an IPSec Transform Set on OmniSecuR1, use the following commands.
OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ipsec transform-set SITE2-TS esp-aes esp-sha512-hmac
OmniSecuR1(cfg-crypto-trans)#exit
OmniSecuR1(config)#exit
OmniSecuR1#
To configure an IPSec Transform Set on OmniSecuR2, use the following commands.
OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ipsec transform-set SITE1-TS esp-aes esp-sha512-hmac
OmniSecuR2(cfg-crypto-trans)#exit
OmniSecuR2(config)#exit
OmniSecuR2#
Step 7: Configure IKEv2 Profile
To configure IKEv2 Profile on OmniSecuR1 (which matches the remote peer identity 192.168.0.2, sets Pre-Shared Key authentication in both directions and references the Keyring KR-1), use the following commands.
OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto ikev2 profile SITE2-PROFILE
OmniSecuR1(config-ikev2-profile)#match identity remote address 192.168.0.2 255.255.255.255
OmniSecuR1(config-ikev2-profile)#authentication local pre-share
OmniSecuR1(config-ikev2-profile)#authentication remote pre-share
OmniSecuR1(config-ikev2-profile)#keyring local KR-1
OmniSecuR1(config-ikev2-profile)#exit
OmniSecuR1(config)#exit
OmniSecuR1#
To configure IKEv2 Profile on OmniSecuR2, use the following commands.
OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto ikev2 profile SITE1-PROFILE
OmniSecuR2(config-ikev2-profile)#match identity remote address 192.168.0.1 255.255.255.255
OmniSecuR2(config-ikev2-profile)#authentication local pre-share
OmniSecuR2(config-ikev2-profile)#authentication remote pre-share
OmniSecuR2(config-ikev2-profile)#keyring local KR-1
OmniSecuR2(config-ikev2-profile)#exit
OmniSecuR2(config)#exit
OmniSecuR2#
Step 8: Configure Crypto Map
To configure Crypto Map on OmniSecuR1 (which ties together the peer address, PFS group, SA lifetime, Transform Set, IKEv2 Profile and Crypto ACL), use the following commands.
OmniSecuR1#configure terminal
OmniSecuR1(config)#crypto map CMAP-SITE2 10 ipsec-isakmp
OmniSecuR1(config-crypto-map)#set peer 192.168.0.2
OmniSecuR1(config-crypto-map)#set pfs group24
OmniSecuR1(config-crypto-map)#set security-association lifetime seconds 3600
OmniSecuR1(config-crypto-map)#set transform-set SITE2-TS
OmniSecuR1(config-crypto-map)#set ikev2-profile SITE2-PROFILE
OmniSecuR1(config-crypto-map)#match address SITE1-SITE2-CACL
OmniSecuR1(config-crypto-map)#exit
OmniSecuR1(config)#exit
OmniSecuR1#
To configure Crypto Map on OmniSecuR2, use the following commands.
OmniSecuR2#configure terminal
OmniSecuR2(config)#crypto map CMAP-SITE1 10 ipsec-isakmp
OmniSecuR2(config-crypto-map)#set peer 192.168.0.1
OmniSecuR2(config-crypto-map)#set pfs group24
OmniSecuR2(config-crypto-map)#set security-association lifetime seconds 3600
OmniSecuR2(config-crypto-map)#set transform-set SITE1-TS
OmniSecuR2(config-crypto-map)#set ikev2-profile SITE1-PROFILE
OmniSecuR2(config-crypto-map)#match address SITE2-SITE1-CACL
OmniSecuR2(config-crypto-map)#exit
OmniSecuR2(config)#exit
OmniSecuR2#
Step 9: Activate Crypto Maps by applying the Crypto Map to the Router's Interface
To apply the Crypto Map to the WAN Interface on OmniSecuR1, use the following commands.
OmniSecuR1#configure terminal
OmniSecuR1(config)#interface gi0/0
OmniSecuR1(config-if)#crypto map CMAP-SITE2
OmniSecuR1(config-if)#exit
OmniSecuR1(config)#exit
OmniSecuR1#
To apply the Crypto Map to the WAN Interface on OmniSecuR2, use the following commands.
OmniSecuR2#configure terminal
OmniSecuR2(config)#interface gi0/0
OmniSecuR2(config-if)#crypto map CMAP-SITE1
OmniSecuR2(config-if)#exit
OmniSecuR2(config)#exit
OmniSecuR2#
After configuring, initiate IP traffic from a device inside the Site-1 network to a device in the Site-2 network. The IKEv2 IPSec tunnel is built as soon as either router sees interesting traffic (traffic matched by its Crypto ACL).
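As an added example (not part of the original tutorial), the following Python script cross-checks the two router configurations built in Steps 2 to 8 for the mirrored consistency the tunnel depends on: the same Pre-Shared Key, proposal transforms and PFS group on both sides, mirror-image Crypto ACLs, and a keyring peer address that matches the Crypto Map peer. The site_cfg helper, the shortened object names and the running-config layout are constructed for this example from the page's values, not output captured from the routers.

```python
"""Cross-check two IKEv2 site-to-site configs for mirrored consistency. Added example, not from
the original page; the input is constructed running-config text built from the values above."""
import re
def site_cfg(peer_ip, local_net, remote_net, psk="OmniSecuDotCom", group="24"):
    return f"""crypto ikev2 keyring KR-1
 peer REMOTE
  address {peer_ip}
  pre-shared-key {psk}
crypto ikev2 proposal PROP
 encryption aes-cbc-256
 integrity sha512
 group {group}
ip access-list extended CACL
 permit ip {local_net} {remote_net}
crypto map CMAP 10 ipsec-isakmp
 set peer {peer_ip}
 set pfs group{group}
"""

def parse(cfg):
    """Flatten the fields both peers must agree on into a dict."""
    f, section = {}, ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):           # an unindented line opens a new section
            section = line
        elif section.startswith("crypto ikev2 keyring") and (m := re.match(r"(address|pre-shared-key) (\S+)", line)):
            f["kr_" + m.group(1)] = m.group(2)
        elif section.startswith("crypto ikev2 proposal"):
            k, _, v = line.partition(" ")      # encryption / integrity / group
            f["prop_" + k] = v
        elif section.startswith("ip access-list") and (m := re.match(r"permit ip (\S+ \S+) (\S+ \S+)", line)):
            f["acl_src"], f["acl_dst"] = m.groups()
        elif section.startswith("crypto map") and (m := re.match(r"set (peer|pfs) (\S+)", line)):
            f["map_" + m.group(1)] = m.group(2)
    return f

def check_pair(cfg_a, cfg_b):
    """Return mismatch findings; an empty list means the two sides mirror each other."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = [k for k in ("kr_pre-shared-key", "prop_encryption", "prop_integrity",
                            "prop_group", "map_pfs") if a.get(k) != b.get(k)]
    if (a.get("acl_src"), a.get("acl_dst")) != (b.get("acl_dst"), b.get("acl_src")):
        findings.append("acl_not_mirrored")    # crypto ACLs must be exact mirror images
    for side in (a, b):                        # keyring peer must match the crypto-map peer
        if side.get("kr_address") != side.get("map_peer"):
            findings.append("keyring_peer_mismatch")
    return findings
R1 = site_cfg("192.168.0.2", "172.16.0.0 0.0.255.255", "172.17.0.0 0.0.255.255")
R2 = site_cfg("192.168.0.1", "172.17.0.0 0.0.255.255", "172.16.0.0 0.0.255.255")
```

check_pair(R1, R2) returns an empty list for the configuration on this page; a typo in one Pre-Shared Key, a DH group changed on one side only, or a Crypto ACL copied instead of mirrored each shows up as a named finding.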
Jajish Thomas
Copyright 2008 - 2017 OmniSecu.com. All Rights Reserved