Cisco Router – Configure Site to Site IPSEC VPN

KB ID 0000933

Problem

I’ve done thousands of firewall VPN’s but not many that terminate on Cisco Routers. It’s been a few years since I did one, and then I think I was a wuss and used the SDM. So when I was asked to do one last week thankfully I had the configs ready to go.

I’m going to use the IP addresses above, and my tunnel will use the following settings;

  • Encryption: AES.
  • Hashing: SHA.
  • Diffie Hellman: Group 2.
  • PFS: Enabled.
  • Authentication method: Pre-Shared Key.

Solution

1. Setup a policy for phase 1 of the tunnel (ISAKMP).

[box]

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr aes
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#crypto isakmp key SecretK3y address 1.1.1.2

[/box]

2. Setup an ACL to define what traffic will be encrypted, and a ‘Transform set’ that will dictate the encryption and hashing for phase 2 (IPSEC).

[box]

R1(config)#ip access-list extended VPN-ACL
R1(config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config-ext-nacl)#crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac

[/box]

3. Create a ‘Crypto map’ that is used to apply the phase 2 settings to an interface.

[box]

R1(config)#crypto map VPN-C-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 1.1.1.2
R1(config-crypto-map)#set transform-set VPN-TS
R1(config-crypto-map)#match address VPN-ACL

[/box]

4. Apply that crypto map to an interface, (usually the Internet facing one).

[box]

R1(config-crypto-map)#interface Serial0/1/0
R1(config-if)#crypto map VPN-C-MAP
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exit
R1(config)#

[/box]

5. In most cases your router will be doing NAT, if so you will need to change the ACL that is looking after the NAT for you, look in your running config for something that looks like the following;

[box]

R1#show run
Building configuration...

Current configuration : 1249 bytes
------------output removed for the sake of space------------
!

ip nat inside source list 100 interface Serial0/1/0 overload
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!

------------output removed for the sake of space------------
!
line aux 0
!

[/box]

6. To stop our VPN traffic getting NATTED, we need to put a deny in that ACL, and put it before that permit statement. Remember:

  • Permit=Perform NAT
  • Deny=Don’t perform NAT

On this router (unlike the ASA‘s that I’m more used to), there is no option to define an ACL line number. So its easier to remove the existing one, add the new line then put the original one back. Finally save the changes.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#exit
R1#
%SYS-5-CONFIG_I: Configured from console by console

R1#write mem
Building configuration...
[OK]

[/box]

7. Now at the other site, the config should be a mirror image. I will post it in its entirety, so you can copy and paste it into the router, I will highlight the bits you need to check and change in red.

[box]

crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
crypto isakmp key SecretK3y address 1.1.1.1
ip access-list extended VPN-ACL
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac

crypto map VPN-C-MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPN-TS
match address VPN-ACL
interface Serial0/1/0
crypto map VPN-C-MAP

no access-list 100 permit ip 20.20.20.0 0.0.0.255 any
access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any

[/box]

8. Test your VPN with the following commands. Note: you need to send some traffic over the VPN before it will establish!

[box]

show crypto isakmp sa
show crypto ipsec sa

[/box]

WARNING: If you have an ACL applied to the routers outside interface, you will need to allow in the Peer IP, like so;

[box]

ip access-list extended outside-in
 permit esp host 1.1.1.1 any
 permit udp host 1.1.1.1 any eq isakmp
 permit udp host 1.1.1.1 any eq non500-isakmp

[/box]

If you do not, the other end will fail Phase 1 with a WAIT_MSG_3 Error!

Related Articles, References, Credits, or External Links

NA

Implementing GDOI into DMVPN

KB ID 0000956 

Problem

Just recently I covered DMVPN, which is a great scalable system for adding new sites to your network infrastructure and have them join an existing VPN solution without the need to add extra config at the ‘hub’ site.

One of the advantages of DMVPN is it maintains VPN connections from your ‘Spoke’ sites back to the ‘Hub’ site, but if a spoke site needs to speak to another spoke site, it will dynamically build a VPN tunnel to that spoke site.

That’s great right? Well it’s pretty cool, but there is a downside. There is a slight ‘lag’ while that dynamic VPN is established, for normal network traffic you probably wont even notice, but if you are sending streaming media, or voice traffic then it becomes more of a problem.

So if we had a system where all the routers have all the same settings, the hub router wouldn’t need to ‘broker’ the initial connection and the routers get all their VPN settings from a central ‘Server’. Well that’s what GDOI gives us, we set up a router as a central ‘Key Server’ and all the other GDOI ‘Group Members’ register with the key server, and get all their settings.

So I’ll use the same network that I built the DMVPN on, I’ve added another router that will be the ‘Key Server’, other than that the topology is the same.

Note: The GDOI Key Server, cannot run on the DMVPN hub router.

Solution

GDOI Key Server Setup

1. Firstly setup the requirements for ISAKMP phase 1. Note: here I’m using pre-shared keys, this does not scale well if you have a lot of sites, you might want to look at a PKI solution and use certificates instead.

[box]

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0

EXAMPLE

KS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
KS(config)#crypto isakmp policy 10
KS(config-isakmp)#encr aes
KS(config-isakmp)#authentication pre-share
KS(config-isakmp)#group 2
KS(config-isakmp)#crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
KS(config)#

[/box]

2. Then setup IPSEC phase 2 requirements. With a transform-set and a profile.

[box]

crypto ipsec transform-set TS-GDOI esp-aes esp-sha-hmac

crypto ipsec profile PF-GDOI
set transform-set TS-GDOI

EXAMPLE

KS(config)#crypto ipsec transform-set TS-GDOI esp-aes esp-sha-hmac
KS(cfg-crypto-trans)#crypto ipsec profile PF-GDOI
KS(ipsec-profile)#set transform-set TS-GDOI
KS(ipsec-profile)#

[/box]

3. The Key server will use its certificate for authentication, if you DO have a PKI solution and this router has already enrolled to it then you can skip this step. If not you need to generate a LOCAL certificate on the key server. (Note: This requires the device to have a hostname and domain name set).

[box]

ip domain-name testbench.local
crypto key generate rsa modulus 2048

EXAMPLE

KS(config)#ip domain-name testbench.local
KS(config)#crypto key generate rsa modulus 2048

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
*Mar 1 00:17:13.591: %SSH-5-ENABLED: SSH 1.99 has been enabled
KS(config)#

[/box]

4. To setup the key server, create a group (GDOI-VPN) and give it an identity number,all members of the group will share this number. It used the profile we created above, and will apply encryption based on ACL 123 (we will create in a minute). Finally it sets the IP that it will be used as the key servers (this is the IP in use on FastEthernet 0/0).

[box]

crypto gdoi group GDOI-DMVPN
identity number 999
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa rsa
rekey transport unicast
sa ipsec 10
profile PF-GDOI
match address ipv4 123
replay counter window-size 64
address ipv4 5.5.5.2

EXAMPLE

KS(config)#crypto gdoi group GDOI-DMVPN
KS(config-gdoi-group)#identity number 999
KS(config-gdoi-group)#server local
KS(gdoi-local-server)# rekey retransmit 10 number 2
KS(gdoi-local-server)# rekey authentication mypubkey rsa rsa
KS(gdoi-local-server)# rekey transport unicast
KS(gdoi-local-server)# sa ipsec 10
KS(gdoi-sa-ipsec)# profile PF-GDOI
KS(gdoi-sa-ipsec)# match address ipv4 123
KS(gdoi-sa-ipsec)# replay counter window-size 64
KS(gdoi-sa-ipsec)# address ipv4 5.5.5.2
KS(gdoi-local-server)#

[/box]

5. Create the ACL we specified above, this ACL will get downloaded to all the group members. As will the VPN profile, they will then apply that profile to traffic defined in the ACL. It’s an ‘interesting traffic ACL, (if you are used to working with VPN’s).

[box]

access-list 123 permit gre any any

EXAMPLE

KS(config)#access-list 123 permit gre any any
KS(config)#

[/box]

Setup GDOI Group Members

Note: These settings are the same for the DMVPN hub router and all the spoke routers.

6. As above we specify a matching phase 1 policy.

[box]

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0

EXAMPLE

Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#crypto isakmp policy 10
Branch1(config-isakmp)#encr aes
Branch1(config-isakmp)#authentication pre-share
Branch1(config-isakmp)#group 2
Branch1(config-isakmp)#crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
Branch1(config)#

[/box]

7. Then join the router to the GDOI group.

[box]

crypto gdoi group GDOI-DMVPN
identity number 999
server address ipv4 5.5.5.2

EXAMPLE

Branch1(config)#crypto gdoi group GDOI-DMVPN
Branch1(config-gdoi-group)#identity number 999
Branch1(config-gdoi-group)#server address ipv4 5.5.5.2
Branch1(config-gdoi-group)#exit

[/box]

8. Then use that group to create a ‘crypto map’, and apply that map to the public interface that ‘faces outwards’. Note: Normally when applying encryption to DMVPN you would apply your crypto to the tunnel interface, with GDOI you do NOT.

[box]

crypto map CM-GDOI 10 gdoi
set group GDOI-DMVPN
interface FastEthernet0/0
crypto map CM-GDOI

EXAMPLE

Branch1(config)#crypto map CM-GDOI 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
group has been configured.
Branch1(config-crypto-map)#set group GDOI-DMVPN
Branch1(config-crypto-map)#interface FastEthernet0/0
Branch1(config-if)#crypto map CM-GDOI
*Mar 1 05:11:31.546: %CRYPTO-5-GM_REGSTER: Start registration to KS 5.5.5.2 for group GDOI-DMVPN using address 2.2.2.1
*Mar 1 05:11:31.582: %CRYPTO-6-GDOI_ON_OFF: GDOI is ON

[/box]

9. Now I could add a route to my DMVPN network, with a static statement (i.e. ip route 192.168.0.0 0.0.255.255 Tunnel0), but I’m using EIGRP anyway, so I can just advertise the DMVPN network into my EIGRP group.

[box]

router eigrp 20
network 192.168.0.0

EXAMPLE

Branch1(config)#router eigrp 20
Branch1(config-router)#network 192.168.0.0
Branch1(config-router)#exit
Branch1(config)#

[/box]

Testing GDOI

[box]

Branch1#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: port 848
IKE SA: local 2.2.2.1/848 remote 5.5.5.2/848 Active
IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

Branch1#

Branch1#show crypto gdoi
GROUP INFORMATION

    Group Name               : GDOI-DMVPN
    Group Identity           : 999
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 5.5.5.2
    Group Server list        : 5.5.5.2

    GM Reregisters in        : 2042 secs
    Rekey Received           : never


    Rekeys received
         Cumulative          : 0
         After registration  : 0

 ACL Downloaded From KS 5.5.5.2:
   access-list  permit gre any any

TEK POLICY for the current KS-Policy ACEs Downloaded:
  FastEthernet0/0:
    IPsec SA:
        spi: 0x93842CD3(2474912979)
        transform: esp-aes esp-sha-hmac
        sa timing:remaining key lifetime (sec): (2197)
        Anti-Replay : Disabled

[/box]

Complete GDOI with DMVPN Configs

Below I’ll show the configs, with the GDOI config highlighted in Red and the DMVPN config highlighted in blue.

[box]

GDOI Key Server Config

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KS
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-GDOI esp-aes esp-sha-hmac 
!
crypto ipsec profile PF-GDOI
set transform-set TS-GDOI
!
crypto gdoi group GDOI-DMVPN
identity number 999
server local
rekey retransmit 10 number 2
rekey authentication mypubkey rsa rsa
rekey transport unicast
sa ipsec 10
profile PF-GDOI
match address ipv4 123
replay counter window-size 64
address ipv4 5.5.5.2
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
ip address 5.5.5.2 255.255.255.252
speed auto
half-duplex
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 20
network 5.5.5.0 0.0.0.3
no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 123 permit gre any any
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end

[/box]

DMVPN Hub Server Config

[box]


version 12.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname MainSiteRTR
! 
boot-start-marker 
boot-end-marker 
! 
no aaa new-model 
memory-size iomem 5 
no ip icmp rate-limit unreachable 
ip cef ! no ip domain lookup 
! 
multilink bundle-name authenticated 
! 
archive 
log config 
hidekeys 
! 
crypto isakmp policy 10 
encr aes 
authentication pre-share 
group 2 
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0
 
!
crypto gdoi group GDOI-DMVPN 
identity number 999 
server address ipv4 5.5.5.2 
!
crypto map CM-GDOI 10 gdoi 
set group GDOI-DMVPN 
! 
ip tcp synwait-time 5 
!
interface Tunnel0 
ip address 192.168.0.1 255.255.255.0 
no ip redirects 
ip nhrp map multicast dynamic 
ip nhrp network-id 1 tunnel source 1.1.1.1 
tunnel mode gre multipoint 
! 
interface FastEthernet0/0 
ip address 172.16.1.1 255.255.0.0 
duplex auto 
speed auto 
! 
interface FastEthernet0/1 
ip address 1.1.1.1 255.255.255.252 
duplex auto 
speed auto 
crypto map CM-GDOI 
! 
interface FastEthernet1/0 
ip address 5.5.5.1 255.255.255.252 
duplex auto 
speed auto 
! 
router eigrp 20 
network 1.1.1.0 0.0.0.3 
network 5.5.5.0 0.0.0.3 
network 172.16.1.0 0.0.0.255 
network 192.168.0.0 
no auto-summary 
! 
ip forward-protocol nd 
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 
! 
no ip http server 
no ip http secure-server 
! 
no cdp log mismatch duplex 
! 
control-plane 
! 
line con 0 
exec-timeout 0 0 
privilege level 15 
logging synchronous 
line aux 0 
exec-timeout 0 0 
privilege level 15 
logging synchronous 
line vty 0 4 
login 
! 
end 

Branch (Spoke) Routers 

version 12.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname Branch1 
! 
boot-start-marker 
boot-end-marker 
! 
no aaa new-model
memory-size iomem 5 
no ip icmp rate-limit unreachable 
ip cef 
! 
no ip domain lookup 
! 
multilink bundle-name authenticated 
! 
archive log 
config hidekeys 
! 
 crypto isakmp policy 10 
encr aes 
authentication pre-share 
group 2 
crypto isakmp key P@ssword123 address 0.0.0.0 0.0.0.0 
!
 crypto gdoi group GDOI-DMVPN 
identity number 999 
server address ipv4 5.5.5.2 
!
 crypto map CM-GDOI 10 gdoi 
set group GDOI-DMVPN 
! 
ip tcp synwait-time 5 
!
 interface Tunnel0 ip address 192.168.0.2 255.255.255.0 
no ip redirects 
ip nhrp map 192.168.0.1 1.1.1.1 
ip nhrp map multicast 1.1.1.1 
ip nhrp network-id 1 
ip nhrp nhs 192.168.0.1 tunnel source 2.2.2.1 
tunnel mode gre multipoint 
! 
interface FastEthernet0/0 
ip address 2.2.2.1 255.255.255.252 
duplex auto 
speed auto 
crypto map CM-GDOI 
! 
interface FastEthernet0/1
ip address 172.17.1.1 255.255.0.0
duplex auto 
speed auto 
! 
router eigrp 20 
network 2.2.2.0 0.0.0.3 
network 172.17.0.0 
network 192.168.0.0
 no auto-summary 
! 
ip forward-protocol nd 
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 
! 
no ip http server 
no ip http secure-server 
! 
control-plane
! 
line con 0 
exec-timeout 0 0 
privilege level 15 
logging synchronous 
line aux 0 
exec-timeout 0 0 
privilege level 15 
logging synchronous 
line vty 0 4 
login 
! 
end

[/box]

Related Articles, References, Credits, or External Links

Cisco – Configuring Dynamic Multipoint Virtual Private Networks DMVPN

Using OSPF over DMVPN