cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1558
Views
15
Helpful
12
Replies

VPN and ACLs

Mark Mattix
Level 2
Level 2

I have configured a VPN using IKEv2 and IPSEC over a GRE tunnel. The link connects and operates correctly but I was wondering if someone could offer some advice for the ACLs on this edge router. Here is the current config:

crypto ikev2 keyring LAB123

peer LABRouter2

  address 192.168.1.2

  pre-shared-key labtest12345

!

!

crypto ikev2 profile LABRouter1ikev2

match identity remote address 192.168.1.2 255.255.255.252

authentication remote pre-share

authentication local pre-share

keyring local LABRouter1

dpd 60 2 on-demand

!

crypto ipsec profile LABRouter1ipsec

set ikev2-profile LABRouter1ikev2

!

interface Tunnel0

ip address 172.30.1.2 255.255.255.252

tunnel source GigabitEthernet0/0

tunnel destination 192.168.1.2

tunnel protection ipsec profile LABRouter1ipsec

!

interface GigabitEthernet0/0

description Link to Outside

ip address 192.168.1.1 255.255.255.252

duplex auto

speed auto

!

interface GigabitEthernet0/1

description Inside

ip address 10.1.1.1 255.255.0.0

duplex auto

speed auto

!

router eigrp 10

network 10.1.0.0 0.0.255.255

network 172.30.1.0 0.0.0.3

redistribute static

!

ip route 10.150.0.0 255.255.0.0 172.30.1.1 <-LAN on remote site

_______________________________________________________

I was thinking about adding a standard ACL going IN on the interface connecting the ISP. I would configure only my networks that I want to come into my VPN. Which makes me wonder, would I apply that ACl to the physical Gi0/0 interface or the tunnel 0 interface? Also in past VPN configurations I specified with an ACL in the crypto map on what to send through the VPN. In this configuration with IKEv2 and IPSEC I am not specifying what to encrypt, does this mean anything going out interface gi0/0 will be encrypted? If not is there a way to do this? Also, what would you call my VPN configuration, just IKEv2 and IPSEC or is this considered FlexVPN? I read a document on FlexVPN and i believe the only thing different is that it used an elliptical curve algorithm, is that required for a FlexVPN configuration?

Thanks for any help!

12 Replies 12

Lei Tian
Cisco Employee
Cisco Employee

Hi Mark,

All traffic go through your tunnel interface will be encrypted. The routing protocol, EIGRP in your case controls what traffic will be encrypted. There is no need for interested ACL like you do before in IPSec VPN. You will not see real source/destination IP from outside interface, because the packets are encapsulated with tunnel endpoint IP and encrypted. You can call it flexvpn, since it is based on ikev2.

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

Thank you for your reply Lei Tan! I am just confused about one other thing, should I have an ACL on gi0/0 blocking any traffic that isn't from a tunnel endpoint IP? This link is a leased layer 2 link (not going over the internet) but I want to make sure I'm stopping any traffic that shouldn't be allowed. If the tunnel is applied to both interfaces does that mean the interface will only allow traffic from the opposite tunnel endpoint?

Thanks again for your help!

Lei Tian
Cisco Employee
Cisco Employee

Hi Mark,

Thanks for the great rating. If the other end of the p2p lease line is considered trusted site, I don't think is needed to apply ACL on the interfaces. If you really want to secure the box, you can apply Inbound ACL and only permit encrypted traffic.

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

Thank you Lei Tian, I'll look into this. I'm curious to see what will happen to the EIGRP messages, I'm not certain that they're being encrypted but I'll test it out. Thanks for your help!

Lei Tian, I created this ACL and applied it to the interface while the tunnel was operational:

ip access-list extended ONLYENCRYPTED

permit esp host 192.168.1.1 host 192.168.1.2

!

int gi0/0

ip access-group ONLYENCRYPTED in

When I applied this the link continued to operate normally but when restarting a router the link did not come up again, an ACl debug showed that it was blocking the data.

My question is, on my permit statement what protocol should I allow, all of IP or can I get more specific like I tried to here with only ESP? What protocols need to be used to get the link up and should my ACl have to reference the tunnel IPs at all or is just the physical IPs ok? I'm not sure what part is being blocked... Thanks for your help!

Hi Mark,

You almost got it. Besides ESP, you also need to allow isakmp packet, which is needed for phase 1 SA. In addition, you may want consider permit some control traffic, snmp/ssh/telnet/netflow. In case something happens to the ipsec, you still can manage the device.

HTH,

Lei Tian

Thank you Lei Tian, that's a good idea for allowing control protocols but I thought they too would be encrypted in the tunnel's ESP protocol, thus allowing them through? Do they travel outside of the tunnel? I'm going to try a few changes in the ACL shortly, thanks again for your help!  -Mark

Oh nevermind, you said to allow those protocols as well incase the tunnel goes down, that makes sense! Thanks!

Lei Tian, I was wondering if you could answer another question I've been over looking. 2 remote sites are going to connect to This router1, if I want another router to connect to it over the same type of IPSec configuration will I have to have another ikev2 keyring.profile and ipsec profile statment for the 2nd remote site and apply it to a second virtual tunnel?

Thanks for your help!

Hi Mark,

You dont have to create new profiles if remotes can share same policy. Here is a configure example for hub spoke flexvpn config:

HTH,

Lei Tian

Hub Configuration

  1. Configure an IKEv2 Keyring
    crypto ikev2 keyring All-SPOKES
    peer all
      address 0.0.0.0 0.0.0.0
      pre-shared-key Cisco123
  2. Configure an IKEv2 Profile:
    • Match the ISKAMP identities of any IPv4 address to this profile
    • Set authentication method for local and remote peers to be pre-shared-keys
    • Reference the keyring defined above
    • Reference the virtual-template that will be used to spawn the virtual-access for the incoming connection
    crypto ikev2 profile All-SPOKES
    match identity remote address 0.0.0.0
    authentication remote pre-share
    authentication local pre-share
    keyring local All-SPOKES
    virtual-template 1
  3. Configure the default IPsec profile to use the IKEv2 profile.
    crypto ipsec profile default
    set ikev2-profile All-SPOKES
  4. Configure the Virtual-Template to:
    • Enable IP on the Virtual-Accesses but borrow the LAN interface IP (Ethernet 0/0 here is the inside interface)
    • Enable IPsec/IKEv2 protection of the tunnel
    interface Virtual-Template1 type tunnel
    ip unnumbered Ethernet0/0
    tunnel protection ipsec profile default
  5. Configure EIGRP Routing to advertise out the inside interface and  the spawned virtual-access interfaces (since the Virtual-Template uses  unnumber from the Ethernet0/0)
    router eigrp 100
    no auto-summary
    network 172.16.0.1 0.0.0.0

Spoke Configuration

  1. Configure an IKEv2 Keyring on Spoke-1
    crypto ikev2 keyring All-SPOKES
    peer all
      address 0.0.0.0 0.0.0.0
      pre-shared-key Cisco123
  2. Configure an IKEv2 Profile:
    • Match the ISKAMP identities of any IPv4 address to this profile
    • Set authentication method for local and remote peers to be pre-shared-keys
    • Reference the keyring defined above
    • Reference the virtual-template (will be used in the Spoke to Spoke section)
    crypto ikev2 profile All-SPOKES
    match identity remote address 0.0.0.0
    authentication remote pre-share
    authentication local pre-share
    keyring local All-SPOKES
    virtual-template 1
  3. Configure the default IPsec profile to use the IKEv2 profile.
    crypto ipsec profile default
     set ikev2-profile All-SPOKES
    
  4. Configure a Tunnel interface:
    • To enable IP on the interface but borrow the LAN interface IP
    • To specify the source interface
    • To specify the destionation IP address
    • To enable IPsec/IKEv2 protection of the tunnel
    interface Tunnel 1
    ip unnumbered Ethernet0/1
    tunnel source Ethernet0/0
    tunnel destination 200.1.1.2
    tunnel protection ipsec profile default
  5. Configure EIGRP to exchange information across the link
    router eigrp 100
    no auto-summary
    network 172.16.1.1 0.0.0.0
  6. Repeat the steps for Spoke-2
    crypto ikev2 keyring All-SPOKES
     peer all
      address 0.0.0.0 0.0.0.0
      pre-shared-key Cisco123
    !
    crypto ikev2 profile All-SPOKES
     match identity remote address 0.0.0.0
     authentication remote pre-share
     authentication local pre-share
     keyring local All-SPOKES
     virtual-template 1
    !
    crypto ipsec profile default 
     set ikev2-profile All-SPOKES
    !
    interface Tunnel 1
     ip unnumbered Ethernet0/1
     tunnel source Ethernet0/0
     tunnel destination 200.1.1.2
     tunnel protection ipsec profile default
    !
    router eigrp 100
     no auto-summary
     network 172.16.2.1 0.0.0.0
    

Thank you for that configuration Lei, it helped a lot! Thanks again for all your help!!!

Lei Tian, I was wondering, do you know why it's best to configure the unnumbered virtual interface? The physical fiber link connecting the locations will be a 192 subnet, why do I want to use my local LAN gateway address instead of the outside 192 address?

Also, where in the configuration is data told to be encrypted when traversing the outside 192 link?  Thanks for all your help!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: