Flex VPN Reference

Published by Matt Clemons on

Only IKEv2
Unified config
Scalable
Server/Client
CA Server recommended

Prereq 1 – CA Server/Client:

Server:

ip domain-name cisco.com

crypto key generate rsa modulus 1024

ip http server

crypto pki server CA

crypto pki trustpoint CA

issuer-name O=CISCO L=SanJose C=US 

grant auto 

sh crypto pki certificates 
Client:

ip domain-name cisco.com

crypto key generate rsa modulus 1024

crypto pki trustpoint CA 

enrollment url http://150.22.22.1:80

rsakeypair CSR8.cisco.com

crypto pki authenticate CA 

crypto pki enroll CA

sh crypto pki certificates

Headend Configuration: 

aaa new-model
aaa authorization network AUTHZ local 
ip local pool MYPOOL 199.0.0.1 199.0.0.10

ip access-list standard V2INST
  permit host 150.8.8.3

crypto ikev2 proposal V2PROPOSAL
  encryption aes-cbc-256 aes-cbc-192 
  integrity sha512 sha384 
  group 14 15 crypto ikev2 policy V2POLICY
  proposal V2PROPOSAL

crypto ikev2 authorization policy V2AUTHZPOLICY
  dns 150.11.11.1
  no dns 150.11.11.1
  pool MYPOOL
  route set access-list V2INST
  def-domain cisco.com

crypto ikev2 profile V2PROFILE
  authentication local rsa-sig 
  authentication remote rsa-sig 
  match identity remote fqdn domain cisco.com
  identity local fqdn CSR8.cisco.com
  pki trustpoint CA
  authorization group cert list AUTHZ V2AUTHZPOLICY
  virtual-template 1

crypto ipsec transform-set V2TS esp-aes 256 esp-sha512-hmac

crypto ipsec profile V2IPSEC
  set transform-set V2TS
  set ikev2-profile V2PROFILE

int virtual-template 1 type tunnel
  ip unnumbered G1.55
  tunnel source G1.55
  tunnel mode ipsec ipv4 
  tunnel protection ipsec profile V2IPSEC

Client Side:

aaa new-model 
aaa authorization network AUTHZ local

ip access-list standard V2INST
  permit host 150.5.5.3

crypto ikev2 proposal V2PROPOSAL 
  encryption aes-cbc-256 aes-cbc-192
  integrity sha512 sha384
  group 14 15

crypto ikev2 policy V2POLICY 
  proposal V2PROPOSAL

crypto ikev2 authorization policy V2AUTHZPOLICY
  route set access-list V2INST

crypto ikev2 profile V2PROFILE
  match identity remote fqdn domain cisco.com
  identity local fqdn CSR5.cisco.com
  authentication local rsa-sig
  authentication remote rsa-sig
  pki trustpoint CA
  authorization group cert list AUTHZ V2AUTHZPOLICY      

crypto ipsec transform-set V2TS esp-aes 256 esp-sha512-hmac

crypto ipsec profile V2IPSEC
  set transform-set V2TS
  set ikev2-profile V2PROFILE

int tunnel 58
  ip address negotiated 
  tunnel source G1.35
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile V2IPSEC
  tunnel destination 155.1.55.8

Categories: NetworkingSecurity

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Networking

GetVPN Reference

Does not support IKEv2. Only IKE v1. Does not have an overlay routing protocol or tunnel. Encrypts data in the underlay itself. Since there’s no overlay tunnel you don’t need additional subnets created. Centralized policy Read more…

Security

Bro 2.6 and FreeBSD

Using FreeBSD 12 RELEASE disc1https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.0/ Once the system is up, install the packages below. # fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/12.0-RELEASE/src.txz# tar -C / -xzvf src.txz# portsnap fetch && portsnap extract# pkg update -f && pkg upgrade && pkg Read more…

Networking

Bypassing Google Fiber

Google doesn’t allow you to bridge their network box so you would have to double NAT and double port forward. Maybe some people are fine with that, but I hate it. Luckily, it’s really easy Read more…