Site-to-Site FlexVPN Lab 1: static tunnel + pre-shared key


This is a translated version of my original post in Chinese. There are 4 labs in my site-to-site FlexVPN series, using CSR1000v on GNS3 (ref. Install CSR1000v on GNS3):

  1. Static tunnel + PSK
  2. Static tunnel + PKI
  3. Hub-to-spoke dynamic tunnel
  4. Spoke-to-spoke dynamic tunnel enabled by NHRP

Unlike traditional DMVPN, which uses IKEv1, FlexVPN adopts Internet Key Exchange version 2 (IKEv2) as its key exchange protocol. IOS version 15.2(1)T and later has a built-in Smart Defaults function that provides a default IKEv2 configuration and simplifies FlexVPN configuration.

The following is a quick refresher on IKEv1 and IKEv2.

IKEv1

The IKEv1 framework includes two explicit phases: Phase 1 authenticates the IPsec peers and negotiates the IKE SA; Phase 2 negotiates the IPsec SAs.

In Phase 1 we can choose main mode or aggressive mode. Main mode requires more packet exchanges, but it provides better security than aggressive mode because it protects the peer identity information. In aggressive mode, identity and PSK-related information is sent in clear text. Phase 2 has only one mode, quick mode.

IKEv1 explicitly separates the two phases; therefore, when troubleshooting, we first verify whether the IKE/ISAKMP SA was successfully negotiated and then whether the IPsec SA was successfully negotiated.

IKEv2

IKEv2 merges IKE SA and IPsec SA negotiation. Whoever developed the protocol suddenly noticed that everybody deploys IKE and IPsec together. Nobody configures IPsec without configuring IKE, so why separate the phases and send IKE and IPsec messages in different packets?

In IKEv2 a single packet can carry both IKE and IPsec payloads, so fewer packets are exchanged to establish the IPsec tunnel. IKEv2 combines the benefits of main mode and aggressive mode: fewer packet exchanges and better security. It provides a secure way to verify peer identity, which helps prevent DoS attacks.

The IKEv2 framework includes 3 phases: 1) the IKE_SA_INIT phase; 2) the IKE_AUTH phase; and 3) the CREATE_CHILD_SA phase.

Phase 1 establishes the encrypted tunnel (the IKE SA); the Phase 2 and Phase 3 exchanges are then protected by it. Phase 2 authenticates the peers and exchanges IKE and IPsec SA information. In addition to RSA and PSK, which IKEv1 also supports, IKEv2 supports EAP, which makes remote-user authentication easier. Phase 3 is similar to IKEv1 Phase 2 but requires fewer packet exchanges.

The following diagram illustrates the IKEv1 vs. IKEv2 packet exchange process and phases.

[Figure: IKEv1 vs. IKEv2 packet exchange and phases (from Cisco document 115936, "Understanding IKEv2 Packet Exchange and Debug")]

(Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/115936-understanding-ikev2-packet-exch-debug.html)

IKEv2 vs. IKEv1

In summary, IKEv2 provides better security (anti-DoS), quicker tunnel establishment because fewer packet exchanges are required, less bandwidth usage, more authentication options (EAP), etc.

Lab Introduction

This lab establishes a site-to-site static FlexVPN tunnel with PSK authentication. The lab topology is shown below; only HUB1 and SPOKE1 are used in this lab. HUB2 and SPOKE1-HOST are NOT required in this lab.

NTP points to an external NTP server.

[Figure: FlexVPN site-to-site lab topology]

Interface Configuration

CSR-HUB1

g3: 200.1.13.1/24
Tunnel0: 10.1.13.1/24
MGMT: 192.168.1.91/24

CSR-SPOKE1

g3: 200.1.13.3/24
Tunnel0: 10.1.13.3/24
MGMT: 192.168.1.93/24

CSR-HUB1 Configuration

Step 1 – Configure the pre-shared key

Step 2 – Configure the IKEv2 profile

Step 3 – Apply the IKEv2 profile to the IPsec profile, so that when the IPsec profile is applied to an interface the designated IKEv2 profile is used

Step 4 – Apply the IPsec profile to the tunnel interface to encrypt traffic

CSR-SPOKE1 Configuration

Please refer to HUB1 and configure correspondingly.
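The four steps above, written out as a complete example configuration for both routers. This is an added example, not the configuration from the original post (which was shown as screenshots); it assumes the addresses from the Interface Configuration section, relies on IKEv2 Smart Defaults for the IKEv2 proposal, policy and IPsec transform set, and uses a placeholder pre-shared key that must be replaced on both sides with the same long random value. The keyring, profile and interface names are my own choices.

```text
! ===== CSR-HUB1 (added example; names and PSK are placeholders) =====
interface GigabitEthernet3
 ip address 200.1.13.1 255.255.255.0
 no shutdown
!
! Step 1 - pre-shared key: a keyring holding the key for the SPOKE1 peer
crypto ikev2 keyring FLEX-KEYRING
 peer SPOKE1
  address 200.1.13.3
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
! Step 2 - IKEv2 profile: which remote identity to match, PSK authentication
! in both directions, and the keyring that supplies the key. The IKEv2
! proposal and policy come from Smart Defaults, so none is configured here.
crypto ikev2 profile FLEX-PROFILE
 match identity remote address 200.1.13.3 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYRING
!
! Step 3 - IPsec profile that references the IKEv2 profile
! (the transform set is the Smart Defaults default)
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-PROFILE
!
! Step 4 - static point-to-point tunnel protected by the IPsec profile
interface Tunnel0
 ip address 10.1.13.1 255.255.255.0
 tunnel source GigabitEthernet3
 tunnel destination 200.1.13.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! ===== CSR-SPOKE1 (mirror image of HUB1) =====
interface GigabitEthernet3
 ip address 200.1.13.3 255.255.255.0
 no shutdown
!
crypto ikev2 keyring FLEX-KEYRING
 peer HUB1
  address 200.1.13.1
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile FLEX-PROFILE
 match identity remote address 200.1.13.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYRING
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-PROFILE
!
interface Tunnel0
 ip address 10.1.13.3 255.255.255.0
 tunnel source GigabitEthernet3
 tunnel destination 200.1.13.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
```

After applying both sides, a ping from 10.1.13.1 to 10.1.13.3 triggers the IKEv2 negotiation; `show crypto ikev2 sa` should then show the IKE SA in READY state, `show crypto ipsec sa` the child SA with non-zero encaps/decaps counters, and `show crypto ikev2 proposal default` the algorithms that Smart Defaults negotiated. If the IKE SA is READY but the IPsec SA never appears, the failure is in Phase 3 (CREATE_CHILD_SA) rather than in authentication, which is the same two-stage check described in the IKEv1 refresher above.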

Verification
