The following links will give you a good idea of what I am going to do here.
Loopbacks Sourced IPSec VPN Configuration with Crypto Maps on Cisco IOS
IPSec Site-to-Site VPN Configuration with Crypto Maps on Cisco IOS
Configuring GRE Tunnels
The topology looks like the following:
The configuration of R1 will look like the following:
R1(config)#int e0/1
R1(config-if)#ip ospf 1 area 0
R1(config)#ip route 192.168.23.0 255.255.255.0 192.168.12.2
R1(config)#ip route 3.3.3.0 255.255.255.0 192.168.23.3
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 60
R1(config-isakmp)#encryption aes
R1(config)#crypto isakmp key PASSWORD address 3.3.3.3
R1(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac
R1(config)#crypto ipsec profile IPSECPROFILE
R1(ipsec-profile)#set transform-set TRANSFORMSET
R1(config)#int t0
R1(config-if)#ip address 13.13.13.1 255.255.255.0
R1(config-if)#tunnel source loopback0
R1(config-if)#tunnel destination 3.3.3.3
R1(config-if)#ip ospf 1 area 0
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile IPSECPROFILE
The configuration of R3 will look like the following. (The topology diagram is not reproduced here; R2's address on the 192.168.23.0/24 link is assumed to be 192.168.23.2, by analogy with 192.168.12.2 on the R1 side, and R3's static route for the R1 side points at it.)
R3(config)#int e0/1
R3(config-if)#ip ospf 1 area 0
R3(config)#ip route 192.168.12.0 255.255.255.0 192.168.23.2
R3(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1
R3(config)#crypto isakmp policy 1
R3(config-isakmp)#hash sha
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 60
R3(config-isakmp)#encryption aes
R3(config)#crypto isakmp key PASSWORD address 1.1.1.1
R3(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac
R3(config)#crypto ipsec profile IPSECPROFILE
R3(ipsec-profile)#set transform-set TRANSFORMSET
R3(config)#int t0
R3(config-if)#ip address 13.13.13.3 255.255.255.0
R3(config-if)#tunnel source loopback0
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#ip ospf 1 area 0
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#tunnel protection ipsec profile IPSECPROFILE
Also, do not forget that R2 needs the following routes to forward the traffic between R1 and R3 (the loopbacks are the IPsec peer addresses, so each must be reachable through R2):
R2(config)#ip route 1.1.1.0 255.255.255.0 192.168.12.1
R2(config)#ip route 3.3.3.0 255.255.255.0 192.168.23.3
The highlighted lines show what has changed compared with the crypto-map version: the ACLs and crypto maps are gone, and instead we create an IPsec profile, set the transform set in it, and apply it directly to the tunnel interface with "tunnel protection ipsec profile".
The following show command will verify the implementation:
R1#show crypto ipsec sa
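As an added check that is not part of the post, the script below parses running-config style text for the two VTI peers (the post's lines, with the Loopback0 addresses 1.1.1.1 and 3.3.3.3 assumed, since the post never configures them) and flags the mismatches that keep the tunnel from coming up: a tunnel destination that is not the peer's tunnel source address, an ISAKMP key bound to an address other than the tunnel destination, and tunnel addresses outside one subnet. R3_CFG deliberately carries its own loopback as tunnel destination so the checker has something to catch.

```python
import re
from ipaddress import ip_interface
# Added example (not the post's code): cross-check a pair of IPsec VTI peers
# built from the post's CLI lines. Loopback0 addresses (1.1.1.1 / 3.3.3.3) are
# assumed; R3's tunnel destination is deliberately wrong (its own loopback).
R1_CFG = """interface Loopback0
 ip address 1.1.1.1 255.255.255.255
crypto isakmp key PASSWORD address 3.3.3.3
interface Tunnel0
 ip address 13.13.13.1 255.255.255.0
 tunnel source loopback0
 tunnel destination 3.3.3.3"""
R3_CFG = """interface Loopback0
 ip address 3.3.3.3 255.255.255.255
crypto isakmp key PASSWORD address 1.1.1.1
interface Tunnel0
 ip address 13.13.13.3 255.255.255.0
 tunnel source loopback0
 tunnel destination 3.3.3.3"""

def parse(cfg):
    """Map each interface to its settings, plus the ISAKMP key's peer address."""
    d, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = d.setdefault(line.split()[1].lower(), {})
        elif line.startswith(" ") and cur is not None:
            w = line.split()                        # "tunnel source loopback0"
            cur[" ".join(w[:2])] = " ".join(w[2:])  # -> {"tunnel source": "loopback0"}
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            d["key_peer"] = m.group(1)
    return d

def iface_ip(cfg, name):
    ip, mask = cfg[name.lower()]["ip address"].split()
    return ip_interface(f"{ip}/{mask}")

def check_pair(a, b, an="R1", bn="R3"):
    # Returns the mismatches that would keep IKE and the VTI from coming up.
    issues = []
    for x, y, xn, yn in ((a, b, an, bn), (b, a, bn, an)):
        dst = x["tunnel0"]["tunnel destination"]
        peer = str(iface_ip(y, y["tunnel0"]["tunnel source"]).ip)
        if dst != peer:
            issues.append(f"{xn}: tunnel destination {dst} != {yn} tunnel source {peer}")
        if x["key_peer"] != dst:
            issues.append(f"{xn}: isakmp key is for {x['key_peer']}, not for {dst}")
    if iface_ip(a, "tunnel0").network != iface_ip(b, "tunnel0").network:
        issues.append("tunnel0 addresses are not in one subnet")
    return issues
```

Running check_pair(parse(R1_CFG), parse(R3_CFG)) reports the two R3 problems; pointing R3's tunnel destination at 1.1.1.1 clears the list.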
Note:
We can use static routes here instead of dynamic routing; the point is that the route for the remote network must point to the tunnel interface.
Also note that the IPsec peer address is taken from the tunnel source and destination; this can be a physical interface instead of the loopbacks I have used here.