Introduction
Topology : Individual Point-to-Point
Technology : IPSec VTI (Virtual Tunnel Interface)
The IPsec VTI solution provides a secure connection when the Internet or a service-provider network is used as the backbone. IPsec is the only method to secure a site-to-site VPN. IPsec provides a security triangle that counters several threats on the Internet, such as masquerading, eavesdropping and man-in-the-middle attacks. Unlike Crypto Map VPN, VTI VPN has a virtual tunnel interface. The VTI solution has several advantages over the outdated point-to-point Crypto Map VPN.
Benefits of using the VTI solution:
- Multicast support: an IGP can be used to advertise and receive the internal routes over the tunnel.
- Security measures: an access-list can be applied to the tunnel interface.
- QoS: QoS policies and features can be applied to the tunnel interface.
- Simplified troubleshooting: with Crypto Map VPN, traffic has to be sent before the tunnel comes up; VTI has a virtual tunnel interface, so the tunnel is up before any traffic is sent.
Components
For IKE phase 1, IKE phase 2, and how IPsec works, please refer to the following post: https://old.smenode.com/ipsec-vpn-site-to-site/
Configuration Flow
- Isakmp SA configuration (IKE phase 1)
- IPsec SA configuration (IKE phase 2)
- IPsec Profile configuration
- Protect tunnel by IPsec Profile
Configuration roadmap: First, configure IKE phase 1 by creating an ISAKMP policy, which is essentially the IKE phase 1 component (cryptographic algorithms, key management and lifetime). Next, for IKE phase 2 (IPsec SA), create a transform-set from AH or ESP components. Then create an IPsec profile and, inside the profile, reference the transform-set created in the previous step. Finally, inside the tunnel interface configuration, set the tunnel mode to IPsec and protect the tunnel with the IPsec profile.
Step-by-step configuration of an IPsec VTI tunnel (static routing)
Step 1.1. Pre-configuration
Router(config)#host HQ
HQ(config)#int eth 0/0
HQ(config-if)#no shut
HQ(config-if)#ip add 2.111.12.10 255.255.255.252
HQ(config)#int lo0
HQ(config-if)#ip add 172.16.20.100 255.255.255.0
HQ(config-if)#exit
HQ(config)#ip route 0.0.0.0 0.0.0.0 2.111.12.9
Router(config)#host Branch
Branch(config)#int eth0/1
Branch(config-if)#no shut
Branch(config-if)#ip add 86.20.12.6 255.255.255.252
Branch(config-if)#int lo0
Branch(config-if)#ip add 192.168.1.100 255.255.255.0
Branch(config-if)#exit
Branch(config)#ip route 0.0.0.0 0.0.0.0 86.20.12.5
Step 1.2. IKE Phase 1
HQ(config)#crypto isakmp policy 50
HQ(config-isakmp)#encryption 3des
HQ(config-isakmp)#hash sha
HQ(config-isakmp)#authentication pre-share
HQ(config-isakmp)#group 5
HQ(config-isakmp)#exit
Branch(config)#crypto isakmp policy 50
Branch(config-isakmp)#encryption 3des
Branch(config-isakmp)#hash sha
Branch(config-isakmp)#authentication pre-share
Branch(config-isakmp)#group 5
Branch(config-isakmp)#exit
HQ(config)#crypto isakmp key ali.a address 86.20.12.6
Branch(config)#crypto isakmp key ali.a address 2.111.12.10
Step 1.3 IKE phase 2 (IPsec)
HQ(config)#crypto ipsec transform-set TRANSFORM esp-sha384-hmac esp-3des
Branch(config)#crypto ipsec transform-set TRANSFORM esp-sha384-hmac esp-3des
Step 1.4 Create IPsec profile
HQ(config)#crypto ipsec profile PROFILE
HQ(ipsec-profile)#set transform-set TRANSFORM
Branch(config)#crypto ipsec profile PROFILE
Branch(ipsec-profile)#set transform-set TRANSFORM
Step 1.5 Create tunnel interface
HQ(config)#interface tunnel 0
HQ(config-if)#tunnel source ethernet 0/0
HQ(config-if)#tunnel destination 86.20.12.6
*May 16 01:16:26.873: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
HQ(config-if)#ip unnumbered lo0
Branch(config)#int tun 0
Branch(config-if)#tunnel source eth 0/1
Branch(config-if)#tunnel destination 2.111.12.10
*May 16 01:24:32.252: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch(config-if)#ip unnumbered lo0
Note: when "ip unnumbered lo0" is used, the tunnel borrows the IP address configured on the Loopback0 interface; the tunnel interface still forwards packets without an IP address of its own. One of the most practical uses is when many small transit networks, especially /30s, would otherwise have to be carried in the IGP.
HQ(config-if)#tunnel mode ipsec ipv4
Branch(config-if)#tunnel mode ipsec ipv4
*May 16 01:17:42.183: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*May 16 01:25:29.880: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
HQ(config-if)#tunnel protection ipsec profile PROFILE
Branch(config-if)#tunnel protection ipsec profile PROFILE
Note: It is normal for the tunnel to go down when the VPN configuration (either tunnel mode or tunnel protection) is changed on one side only. The tunnel comes back up once the mirror configuration is applied on the other side.
*May 16 01:18:45.905: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*May 16 01:26:04.676: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
HQ(config-if)#
*May 16 01:26:04.704: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch(config-if)#
*May 16 01:26:04.703: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
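The four components of the roadmap above form a dependency chain (ISAKMP policy, transform-set, IPsec profile, tunnel interface), and the algorithms chosen in Steps 1.2 and 1.3 (3DES, SHA-1, DH group 5) are ones Cisco now classifies as legacy. The following audit script is an added example, not part of the original post or any Cisco tool: it parses a hand-written running-config view of the HQ commands (constructed here, not captured from a device), flags legacy algorithms and reports dangling references or a VTI in IPsec mode that has no tunnel protection.

```python
# Constructed running-config view of the HQ commands from Steps 1.2-1.5
# (typed here by hand, not captured from a device).
HQ_CONFIG = """\
crypto isakmp policy 50
 encryption 3des
 hash sha
 authentication pre-share
 group 5
crypto ipsec transform-set TRANSFORM esp-sha384-hmac esp-3des
crypto ipsec profile PROFILE
 set transform-set TRANSFORM
interface Tunnel0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE
"""

# Algorithms and DH groups Cisco marks as legacy/avoid in its Next Generation
# Encryption guidance ("sha" in an isakmp policy means SHA-1).
LEGACY = {"des", "3des", "md5", "sha", "1", "2", "5",
          "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

def parse_blocks(config):
    # Split an IOS config into (top-level line, [indented child lines]) pairs.
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_vti(config):
    # Findings: legacy crypto, dangling references, VTIs in ipsec mode without protection.
    findings, tsets, profiles, tunnels = [], set(), {}, {}
    for header, body in parse_blocks(config):
        w = header.split()
        if header.startswith("crypto isakmp policy"):
            for key, _, val in (c.partition(" ") for c in body):
                if key in ("encryption", "hash", "group") and val in LEGACY:
                    findings.append(f"{header}: legacy {key} {val}")
        elif header.startswith("crypto ipsec transform-set"):
            tsets.add(w[3])
            findings += [f"transform-set {w[3]}: legacy {a}" for a in w[4:] if a in LEGACY]
        elif header.startswith("crypto ipsec profile"):
            profiles[w[3]] = [c.split()[-1] for c in body if c.startswith("set transform-set")]
        elif header.startswith("interface Tunnel"):
            tunnels[w[1]] = body
    for name, refs in profiles.items():  # reference checks run after the whole config is read
        findings += [f"profile {name}: unknown transform-set {t}" for t in refs if t not in tsets]
    for name, body in tunnels.items():
        prot = [c.split()[-1] for c in body if c.startswith("tunnel protection ipsec profile")]
        if "tunnel mode ipsec ipv4" in body and not prot:
            findings.append(f"{name}: tunnel mode ipsec ipv4 without tunnel protection")
        findings += [f"{name}: unknown profile {p}" for p in prot if p not in profiles]
    return findings
```

Run against the page's HQ configuration it reports the three legacy ISAKMP settings and esp-3des in the transform-set; a config that references a missing profile or transform-set, or that sets ipsec mode without protection, is reported as well.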
Step 1.6 Optimize routing
HQ(config)#ip route 192.168.1.0 255.255.255.0 tunnel 0
Branch(config)#ip route 172.16.20.0 255.255.255.0 tunnel 0
2.1 Verify the route
HQ(config)#do sh ip route static | b Gate
Gateway of last resort is 2.111.12.9 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 2.111.12.9
S 192.168.1.0/24 is directly connected, Tunnel0
Branch(config)#do sh ip route static | b Gate
Gateway of last resort is 86.20.12.5 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 86.20.12.5
S 172.16.20.0 is directly connected, Tunnel0
HQ(config)#do ping 192.168.1.100 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
Packet sent with a source address of 172.16.20.100
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
HQ(config)#
Branch(config)#do ping 172.16.20.100 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.100, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.100
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
Branch(config)#
2.2 Verify IKE phase 1 (ISAKMP SA)
HQ(config)#do sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.111.12.10 86.20.12.6 QM_IDLE 1001 ACTIVE
86.20.12.6 2.111.12.10 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
Branch(config)#do sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.111.12.10 86.20.12.6 QM_IDLE 1001 ACTIVE
86.20.12.6 2.111.12.10 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
2.3 Verify IKE phase 2 (IPsec SA)
HQ(config)#do sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 2.111.12.10
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 86.20.12.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 2.111.12.10, remote crypto endpt.: 86.20.12.6
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x64E00718(1692403480)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xBBC96B33(3150539571)
Branch(config)#do sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 86.20.12.6
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 2.111.12.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 86.20.12.6, remote crypto endpt.: 2.111.12.10
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
current outbound spi: 0xD52AAFCF(3576344527)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x64E00718(1692403480)