Configuring a VPN is often quite simple, especially if we understand what is going on and what is supposed to happen. But somehow, Cisco decided it would be awfully complicated to configure a VPN on their routers... Let's dig into that.
First I'd like to point to a very well done blog post explaining how VPNs work and what they are made of: https://www.network-node.com/blog/2017/7/24/ccie-security-ipsec-vpn-overview
There are two main difficulties to handle in the configuration: the VRF context, and IKEv1 vs IKEv2.
Also, the local and remote proxies (the subnets carried by the tunnel) are defined via an access-list.
To configure IPsec on a Cisco router, you need a non-NPE firmware image and an active securityk9 license.
Configuration example for IKEv1 (not recommended):
crypto keyring keyring1 vrf VRF1
 pre-shared-key address <remote IP> key <pre-shared key>
!
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 20
 lifetime 3600
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp profile isaprofile1
 vrf VRF1
 keyring keyring1
 match identity address <remote IP> <remote mask> VRF1
!
crypto ipsec transform-set FCDQSET esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto map FCDQMAP 10 ipsec-isakmp
 set peer <remote IP>
 set transform-set FCDQSET
 set isakmp-profile isaprofile1
 match address 102
!
access-list 102 permit ip <local proxy> <remote proxy>
!
interface GigabitEthernet0/0/0
 ip vrf forwarding VRF1
 ip address <local IP> <local mask>
 negotiation auto
 crypto map FCDQMAP
!
Configuration example for IKEv2 (recommended):
crypto ikev2 proposal proposl1
 encryption aes-cbc-256 aes-cbc-192
 integrity sha512
 group 20 24
!
crypto ikev2 policy POLIKE1
 match fvrf VRF1
 proposal proposl1
!
crypto ikev2 keyring keyring2
 peer peer_hostname
  description link to peer
  address <remote IP>
  pre-shared-key local a$j4V!X7m*r)3333
  pre-shared-key remote a$j4V!X7m*r)2222
!
crypto ikev2 profile PROFIKE1
 match fvrf VRF1
 match address local interface GigabitEthernet0/0/0
 match identity remote address <remote IP> <remote mask>
 authentication remote pre-share
 authentication local pre-share
 keyring local keyring2
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set FCDQSET esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto map FCDQMAP 10 ipsec-isakmp
 set peer <remote IP>
 set transform-set FCDQSET
 set ikev2-profile PROFIKE1
 match address 102
 reverse-route
!
access-list 102 permit ip host <local proxy> <remote proxy>
!
interface GigabitEthernet0/0/0
 ip vrf forwarding VRF1
 ip address <local IP> <local mask>
 negotiation auto
 crypto map FCDQMAP
!
This assumes Gi0/0/0 is the interface you want to terminate the VPN on. It is also possible to declare a virtual interface (Tunnel1) and bind it to the physical interface if you prefer, or if that makes the setup easier.
Important note: it seems you CANNOT configure an IPsec VPN on a management interface. Use a normal interface for it.
Make sure you can ping the remote IP (from inside VRF1 if applicable) and it should be all good!
Of course, if the tunnel doesn't come up, make sure that the ciphers and the subnets/proxies match on both ends. You can learn more by issuing the following commands:
IKEv1:
Router#show crypto session
...
Router#show crypto isakmp sa [vrf VRF1]
...
Router#show crypto ipsec sa [vrf VRF1]
!
IKEv2:
Router#show crypto session
...
Router#show crypto ikev2 sa [fvrf VRF1]
...
Router#show crypto ipsec sa [vrf VRF1]
!
And the debug commands are useful to see where the negotiation gets stuck:
Router#debug crypto isakmp
Router#debug crypto ikev2
Router#debug crypto ipsec
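Since mismatched transform-sets and non-mirrored crypto ACLs are the two things to check first, here is an added example (not from the post) of a small Python checker that parses both peers' configs and reports such mismatches. The sample configs are constructed, with the post's <placeholders> filled in with RFC 1918 and TEST-NET addresses.

```python
import re
# Constructed sample configs, not from the post: its <placeholders> are filled with RFC 1918 / TEST-NET addresses.
LOCAL_CFG = """
crypto ipsec transform-set FCDQSET esp-aes 256 esp-sha512-hmac
crypto map FCDQMAP 10 ipsec-isakmp
 match address 102
access-list 102 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
REMOTE_CFG_OK = """
crypto ipsec transform-set REMOTESET esp-aes 256 esp-sha512-hmac
crypto map REMOTEMAP 10 ipsec-isakmp
 match address 110
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
"""
# Same remote, but with a weaker cipher and a narrower proxy than what we expect.
REMOTE_CFG_BAD = REMOTE_CFG_OK.replace("esp-aes 256", "esp-aes 128").replace(
    "10.1.0.0 0.0.255.255", "10.1.1.0 0.0.0.255")


def _take_addr(tokens):
    """Consume one ACL address spec ('host A' or 'A WILDCARD'), normalised to 'addr wildcard'."""
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_side(config):
    """Return (transform algorithms, [(src, dst) proxy pairs]) for one peer's crypto map."""
    ts = re.search(r"^crypto ipsec transform-set \S+ (.+)$", config, re.M)
    acl = re.search(r"^\s*match address (\d+)", config, re.M)
    if not ts or not acl:
        raise ValueError("missing transform-set or crypto map 'match address'")
    transforms = frozenset(re.findall(r"\S+(?: \d+)?", ts.group(1)))  # {"esp-aes 256", "esp-sha512-hmac"}
    proxies = []
    for rest in re.findall(rf"^access-list {acl.group(1)} permit ip (.+)$", config, re.M):
        src, tokens = _take_addr(rest.split())
        dst, _ = _take_addr(tokens)
        proxies.append((src, dst))
    return transforms, proxies


def compare_peers(local_cfg, remote_cfg):
    """List the mismatches between two peers; an empty list means they mirror each other."""
    (l_ts, l_px), (r_ts, r_px) = parse_side(local_cfg), parse_side(remote_cfg)
    problems = []
    if l_ts != r_ts:
        problems.append(f"transform-set differs: {sorted(l_ts)} vs {sorted(r_ts)}")
    # The remote's (src, dst) pairs, flipped, are exactly what our own crypto ACL must contain.
    for src, dst in sorted(set(l_px) ^ {(d, s) for s, d in r_px}):
        problems.append(f"proxy {src} -> {dst} is not mirrored on the other peer")
    return problems
```

Feed it the `show running-config | section crypto|access-list` output of both routers; the good peer yields an empty list while the bad one reports the cipher difference and both unmatched proxy pairs.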
You should be good to go!
Good luck on your Cisco VPN configuration journey.
