1. Different negotiation processes
− IKEv1
- IKEv1 SA negotiation consists of two phases.
- IKEv1 phase 1 negotiation aims to establish the IKE SA. This process supports the main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, but aggressive mode uses only three. Therefore, aggressive mode is faster in IKE SA establishment. However, aggressive mode does not provide the Peer Identity Protection.
- IKEv1 phase 2 negotiation aims to set up the IPSec SA for data transmission. This process uses the fast exchange mode (3 ISAKMP messages) to complete the negotiation.
- Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (a total of 4 messages) to create an IKE SA and a pair of IPSec SAs. To create multiple pairs of IPSec SAs, only one additional exchange is needed for each additional pair of SAs.
2. Different authentication methods
- IKEv2 supports EAP authentication. IKEv2 can use an AAA server to remotely authenticate mobile and PC users and assign private addresses to these users. IKEv1 does not provide this function and must use L2TP to assign private addresses.
3. Different supports for IKE SA integrity algorithms
- IKE SA integrity algorithms are supported only in IKEv2.
- IKEv2 supports EAP authentication. IKEv2 can use an AAA server to remotely authenticate mobile and PC users and assign private addresses to these users. IKEv1 does not provide this function and must use L2TP to assign private addresses.
3. Different supports for IKE SA integrity algorithms
- IKE SA integrity algorithms are supported only in IKEv2.
4. Different implementations of DPD packet retransmission
- The retry-interval parameter is supported only in IKEv1. If the NGFW sends a DPD packet but receives no reply within the specified retry-interval, the device records a DPD failure event and retransmits a DPD packet. When the number of failure events reaches 5, both the IKE SA and IPSec SA are deleted. The IKE SA negotiation will be started again when the device has IPSec traffic to handle.
5. Different supports for manual lifetime settings
- In IKEv2, the IKE SA soft lifetime is 9/10 of the IKE SA hard lifetime plus or minus a random value to reduce the likelihood that two endpoints initiate re-negotiation at the same time. Therefore, soft lifetime does not require manual settings in IKEv2.
Topology:
IKEv2 Configuration Steps:
- Keyring
- Proposal
- Profile
- Policy
- ACL
- Transform Set
- Crypto Map (including Peer, ACL, and Transform Set)
- Apply to interface
1. Define IKEv2 Keyring
crypto ikev2 keyring customer-1
peer customer1
address 20.8.91.1
pre-shared-key cisco1234
2. Define IKEv2 Proposal
crypto ikev2 proposal Prop-customer1 encryption aes-cbc-256 integrity sha256 group 19
3. Define IKEv2 Profiles
crypto ikev2 profile PROFILE-Customer1 match identity remote address 20.8.91.1 255.255.255.255 authentication local pre-share authentication remote pre-share keyring local customer-1
4. Define IKEv2 Policy
crypto ikev2 policy POL-Customer1
proposal Prop-customer1
5. Define Cyrpto ACL
ip access-list extended VPNACL-Customer1 permit ip host 10.8.100.210 host 19.3.157.115 permit ip host 10.8.100.211 host 19.3.157.2
6. Define IPSecTransform SET
crypto ipsec transform-set TS-Customer1 esp-aes 256 esp-sha256-hmac
7. Define Crypto Map (including Peer, ACL, and Transform Set)
crypto map CMAP-Customer1 10 ipsec-isakmp set peer 20.8.91.1 set security-association lifetime seconds 3600 set transform-set TS-Customer1 set pfs group19 set ikev2-profile PROFILE-Customer1 match address VPNACL-Customer1
8. Activate Crypto Map by add it to Router's InterfaceÂ
interface GigabitEthernet0/0/0 ip address 9.10.62.77 255.255.255.224 negotiation auto crypto map CMAP-Customer1
Verification:
R-VPN1#sh ver Cisco IOS XE Software, Version 16.04.02 Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.4.2, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2017 by Cisco Systems, Inc. Compiled Thu 27-Apr-17 11:56 by mcpre Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc. All rights reserved. Certain components of Cisco IOS-XE software are licensed under the GNU General Public License ("GPL") Version 2.0. The software code licensed under GPL Version 2.0 is free software that comes with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such GPL code under the terms of GPL Version 2.0. For more details, see the documentation or "License Notice" file accompanying the IOS-XE software, or the applicable URL provided on the flyer accompanying the IOS-XE software. ROM: IOS-XE ROMMON R-TWN1-VPN1 uptime is 4 days, 50 minutes Uptime for this control processor is 4 days, 53 minutes System returned to ROM by Reload Command System restarted at 11:32:04 EDT Thu Sep 1 2017 System image file is "bootflash:isr4200-universalk9_ias.16.04.08.SPA.bin" Last reload reason: Reload Command This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to [email protected]. Suite License Information for Module:'esg' -------------------------------------------------------------------------------- Suite Suite Current Type Suite Next reboot -------------------------------------------------------------------------------- FoundationSuiteK9 None None None securityk9 appxk9 Technology Package License Information: ----------------------------------------------------------------- Technology Technology-package Technology-package Current Type Next reboot ------------------------------------------------------------------ appxk9 None None None securityk9 securityk9 Permanent securityk9 ipbase ipbasek9 Permanent ipbasek9 cisco ISR4221/K9 (1RU) processor with 1636344K/6147K bytes of memory. Processor board ID FGL213893E9 2 Gigabit Ethernet interfaces 32768K bytes of non-volatile configuration memory. 4194304K bytes of physical memory. 7086079K bytes of flash memory at bootflash:. 0K bytes of at webui:. Configuration register is 0x2102
Debug commands
deb crypto ikev2 packet
deb crypto ikev2 internal
Show commands
show crypto ikev2 sa detailed
show crypto ipsec sa
show crypto session
Reference:
- How to configure Site-to-Site IKEv2 IPSec VPN using Pre-Shared Key Authentication
- FAQ -Â What are the differences between IKEv1 and IKEv2?
No comments:
Post a Comment