Example setting up site-to-site VPN using IPsec
Work in progress
Overview
IPsec is a framework of protocols (IKE for negotiating keys, ESP and AH for protecting packets) and algorithms for carrying traffic across an untrusted network such as the internet. The security services it provides are confidentiality (encryption of the payload), data-origin authentication and integrity, and anti-replay protection. In this example the tunnel uses IKEv2 for key negotiation and ESP with AES-GCM, which gives encryption and integrity in a single algorithm.
Topology
Instructions
The first step is to configure the interfaces and establish layer-3 reachability between the IPsec tunnel source and destination. Configure the tunnel interface with its encapsulation type and its local and remote IP addresses.
Configure the IPsec parameters: an ESP group and an IKE group, each with the encryption and hash algorithms to use, plus the IKE version on the IKE group.
Configure the site-to-site peer: local and remote peer IP, authentication mode and pre-shared secret, the ESP/IKE groups to use, and the tunnel with the local and remote prefixes of the traffic that is to be protected.
Verify that the IKE and IPsec security associations are up using the show commands.
Send end-to-end traffic and validate that the flows are encrypted at the tunnel source and decrypted at the destination (for example by capturing on the outside interfaces and confirming that only ESP, and not the inner cleartext, is seen on the wire).
Configure R1 router (Head-Office)
Configuring IP Addresses, Routing protocol (OSPF) -
Enter into exec… mode
set interfaces dataplane dp0s3 address 10.1.1.1/24
set interfaces dataplane dp0s4 address 140.1.1.1/24
Tunnel interface used as source/destination interface. Note that tun0 has no address and nothing is routed through it, so the traffic protected in this example is selected by the tunnel 0 local/remote prefixes of the site-to-site configuration (policy-based IPsec), not by the GRE interface -
set interfaces tunnel tun0 local-ip 140.1.1.1
set interfaces tunnel tun0 remote-ip 150.1.1.1
set interfaces tunnel tun0 encapsulation gre
set protocols ospf area 0 network 140.1.1.0/24
IPSec VPN configuration -
set security vpn ike make-before-break
Configure the IPsec proposals: ESP group (encryption/hash) and IKE group (IKE version, DH group, encryption, hash). hash null on the ESP group is correct only because aes128gcm128 is an AEAD cipher that authenticates the packet itself; with a CBC cipher it would leave ESP without integrity protection. The IKE-group hash is used for the IKE SA's PRF/integrity -
set security vpn ipsec esp-group vm1-esp proposal 1 encryption aes128gcm128
set security vpn ipsec esp-group vm1-esp proposal 1 hash null
set security vpn ipsec ike-group vm1-ike ike-version 2
set security vpn ipsec ike-group vm1-ike proposal 1 dh-group 19
set security vpn ipsec ike-group vm1-ike proposal 1 encryption aes128gcm128
set security vpn ipsec ike-group vm1-ike proposal 1 hash sha2_512
Configure IPSec site-to-site parameters (the pre-shared secret test123 is a lab placeholder; in production use a long random secret, and the same value must be configured on R3)
set security vpn ipsec site-to-site peer 150.1.1.1
set security vpn ipsec site-to-site peer 150.1.1.1 authentication mode pre-shared-secret
set security vpn ipsec site-to-site peer 150.1.1.1 authentication pre-shared-secret test123
set security vpn ipsec site-to-site peer 150.1.1.1 default-esp-group vm1-esp
set security vpn ipsec site-to-site peer 150.1.1.1 ike-group vm1-ike
set security vpn ipsec site-to-site peer 150.1.1.1 local-address 140.1.1.1
set security vpn ipsec site-to-site peer 150.1.1.1 tunnel 0
set security vpn ipsec site-to-site peer 150.1.1.1 tunnel 0 local prefix 10.1.1.0/24
set security vpn ipsec site-to-site peer 150.1.1.1 tunnel 0 remote prefix 172.16.1.0/24
Configure Router-R2 (transit between the two sites: it forwards only the outer IPsec packets and needs no VPN configuration, just reachability between 140.1.1.1 and 150.1.1.1; for dp0s9 any free host address in 150.1.1.0/24 other than R3's 150.1.1.1 works, .2 is assumed here to mirror dp0s8)
set interfaces dataplane dp0s8 address 140.1.1.2/24
set interfaces dataplane dp0s9 address 150.1.1.2/24
set protocols ospf area 0 network 140.1.1.0/24
set protocols ospf area 0 network 150.1.1.0/24
Configure R3 router (Branch-Office)
Configuring IP Addresses, Routing protocol (OSPF)
set interfaces dataplane dp0s3 address 172.16.1.1/24
set interfaces dataplane dp0s9 address 150.1.1.1/24
Tunnel interface used for Source/Destination interface
set interfaces tunnel tun0 local-ip 150.1.1.1
set interfaces tunnel tun0 remote-ip 140.1.1.1
set interfaces tunnel tun0 encapsulation gre
set protocols ospf area 0 network 150.1.1.0/24
IPSec VPN configuration -
set security vpn ike make-before-break
Configure the IPsec proposals, mirroring R1: both sides must offer at least one identical ESP proposal and one identical IKE proposal (same DH group, cipher and hash) or the negotiation fails -
set security vpn ipsec esp-group vm3-esp proposal 1 encryption aes128gcm128
set security vpn ipsec esp-group vm3-esp proposal 1 hash null
set security vpn ipsec ike-group vm2-ike ike-version 2
set security vpn ipsec ike-group vm2-ike proposal 1 dh-group 19
set security vpn ipsec ike-group vm2-ike proposal 1 encryption aes128gcm128
set security vpn ipsec ike-group vm2-ike proposal 1 hash sha2_512
Configure IPSec site-to-site parameters (the pre-shared secret must be identical to the one configured on R1)
set security vpn ipsec site-to-site peer 140.1.1.1
set security vpn ipsec site-to-site peer 140.1.1.1 authentication mode pre-shared-secret
set security vpn ipsec site-to-site peer 140.1.1.1 authentication pre-shared-secret test123
set security vpn ipsec site-to-site peer 140.1.1.1 default-esp-group vm3-esp
set security vpn ipsec site-to-site peer 140.1.1.1 ike-group vm2-ike
set security vpn ipsec site-to-site peer 140.1.1.1 local-address 150.1.1.1
set security vpn ipsec site-to-site peer 140.1.1.1 tunnel 0
set security vpn ipsec site-to-site peer 140.1.1.1 tunnel 0 remote prefix 10.1.1.0/24
set security vpn ipsec site-to-site peer 140.1.1.1 tunnel 0 local prefix 172.16.1.0/24
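Before committing both sides, a consistency check of the two configs catches the mismatches that otherwise only show up as a tunnel that never comes up. The script below is an added example, not part of the original page and not DANOS/Vyatta tooling: it parses the `set security vpn ipsec ...` lines of R1 and R3 exactly as written above and reports what would stop IKE/ESP from negotiating (mirrored peer/local addresses, same IKE version, at least one common IKE and ESP proposal, same pre-shared secret, mirrored tunnel prefixes) plus two hardening points (ESP `hash null` only together with an AEAD cipher, and a minimum pre-shared-secret length). The function names, the check rules and the 32-character `MIN_PSK_LEN` threshold are this example's own assumptions.

```python
# Added example (not from the page or the DANOS/Vyatta tooling): pre-flight
# consistency check for the two ends of a site-to-site IPsec tunnel. The two
# configs are copies of the R1/R3 commands above, used here as test input; the
# rules and MIN_PSK_LEN are assumptions of this example, not platform rules.
from collections import defaultdict

R1_CONFIG = """
set security vpn ipsec esp-group vm1-esp proposal 1 encryption aes128gcm128
set security vpn ipsec esp-group vm1-esp proposal 1 hash null
set security vpn ipsec ike-group vm1-ike ike-version 2
set security vpn ipsec ike-group vm1-ike proposal 1 dh-group 19
set security vpn ipsec ike-group vm1-ike proposal 1 encryption aes128gcm128
set security vpn ipsec ike-group vm1-ike proposal 1 hash sha2_512
set security vpn ipsec site-to-site peer 150.1.1.1 authentication mode pre-shared-secret
set security vpn ipsec site-to-site peer 150.1.1.1 authentication pre-shared-secret test123
set security vpn ipsec site-to-site peer 150.1.1.1 default-esp-group vm1-esp
set security vpn ipsec site-to-site peer 150.1.1.1 ike-group vm1-ike
set security vpn ipsec site-to-site peer 150.1.1.1 local-address 140.1.1.1
set security vpn ipsec site-to-site peer 150.1.1.1 tunnel 0 local prefix 10.1.1.0/24
set security vpn ipsec site-to-site peer 150.1.1.1 tunnel 0 remote prefix 172.16.1.0/24
"""
R3_CONFIG = """
set security vpn ipsec esp-group vm3-esp proposal 1 encryption aes128gcm128
set security vpn ipsec esp-group vm3-esp proposal 1 hash null
set security vpn ipsec ike-group vm2-ike ike-version 2
set security vpn ipsec ike-group vm2-ike proposal 1 dh-group 19
set security vpn ipsec ike-group vm2-ike proposal 1 encryption aes128gcm128
set security vpn ipsec ike-group vm2-ike proposal 1 hash sha2_512
set security vpn ipsec site-to-site peer 140.1.1.1 authentication mode pre-shared-secret
set security vpn ipsec site-to-site peer 140.1.1.1 authentication pre-shared-secret test123
set security vpn ipsec site-to-site peer 140.1.1.1 default-esp-group vm3-esp
set security vpn ipsec site-to-site peer 140.1.1.1 ike-group vm2-ike
set security vpn ipsec site-to-site peer 140.1.1.1 local-address 150.1.1.1
set security vpn ipsec site-to-site peer 140.1.1.1 tunnel 0 remote prefix 10.1.1.0/24
set security vpn ipsec site-to-site peer 140.1.1.1 tunnel 0 local prefix 172.16.1.0/24
"""
MIN_PSK_LEN = 32  # assumed local policy, not a platform requirement


def parse(text):
    """Index ESP/IKE proposals by group and number, and site-to-site peers by address."""
    cfg = {"esp": defaultdict(lambda: defaultdict(dict)), "ike_version": {},
           "ike": defaultdict(lambda: defaultdict(dict)),
           "peers": defaultdict(lambda: {"tunnels": defaultdict(dict)})}
    for line in text.splitlines():
        tok = line.split()
        if tok[:4] != ["set", "security", "vpn", "ipsec"]:
            continue  # interface and OSPF lines play no part in this check
        kind, rest = tok[4], tok[5:]
        if kind in ("esp-group", "ike-group") and len(rest) >= 3:
            if rest[1] == "proposal" and len(rest) == 5:      # <group> proposal <n> <attr> <val>
                cfg[kind[:3]][rest[0]][rest[2]][rest[3]] = rest[4]
            elif rest[1] == "ike-version":
                cfg["ike_version"][rest[0]] = rest[2]
        elif kind == "site-to-site" and rest[:1] == ["peer"] and len(rest) > 2:
            peer, sub = cfg["peers"][rest[1]], rest[2:]
            if sub[0] == "authentication" and len(sub) == 3:  # mode <m> | pre-shared-secret <s>
                peer["auth-mode" if sub[1] == "mode" else "psk"] = sub[2]
            elif sub[0] == "tunnel" and len(sub) == 5:        # tunnel <id> local|remote prefix <cidr>
                peer["tunnels"][sub[1]][sub[2]] = sub[4]
            elif len(sub) == 2:                               # default-esp-group, ike-group, local-address
                peer[sub[0]] = sub[1]
    return cfg


def proposals(group):  # proposals as attribute sets, so proposal numbering does not matter
    return {frozenset(p.items()) for p in group.values()}


def local_problems(cfg):
    """Checks that need only one side's config."""
    out = []
    for name, group in cfg["esp"].items():
        for num, p in group.items():
            # hash null is safe only with an AEAD cipher (GCM); CBC + null leaves ESP with no integrity
            if p.get("hash") == "null" and "gcm" not in p.get("encryption", ""):
                out.append(f"esp-group {name} proposal {num}: hash null with non-AEAD cipher")
    for ip, peer in cfg["peers"].items():
        if peer.get("auth-mode") == "pre-shared-secret" and len(peer.get("psk", "")) < MIN_PSK_LEN:
            out.append(f"peer {ip}: pre-shared-secret shorter than {MIN_PSK_LEN} characters")
    return out


def check_pair(a_text, b_text):
    """All problems for side A against side B; an empty list means the configs mirror cleanly."""
    a, b = parse(a_text), parse(b_text)
    out = [f"A: {m}" for m in local_problems(a)] + [f"B: {m}" for m in local_problems(b)]
    for a_ip, pa in a["peers"].items():
        pb = b["peers"].get(pa.get("local-address"))  # B's peer entry must point at A's local address
        if pb is None or pb.get("local-address") != a_ip:
            out.append(f"peer {a_ip}: no mirrored peer entry on B")
            continue
        if pa.get("auth-mode") != pb.get("auth-mode") or pa.get("psk") != pb.get("psk"):
            out.append(f"peer {a_ip}: authentication mode or pre-shared-secret differs")
        if a["ike_version"].get(pa.get("ike-group")) != b["ike_version"].get(pb.get("ike-group")):
            out.append(f"peer {a_ip}: IKE version differs")
        if not proposals(a["ike"][pa.get("ike-group")]) & proposals(b["ike"][pb.get("ike-group")]):
            out.append(f"peer {a_ip}: no common IKE proposal (dh-group/encryption/hash)")
        if not proposals(a["esp"][pa.get("default-esp-group")]) & proposals(b["esp"][pb.get("default-esp-group")]):
            out.append(f"peer {a_ip}: no common ESP proposal")
        for tid, ta in pa["tunnels"].items():
            tb = pb["tunnels"].get(tid, {})
            if ta.get("local") != tb.get("remote") or ta.get("remote") != tb.get("local"):
                out.append(f"peer {a_ip} tunnel {tid}: local/remote prefixes are not mirrored")
    return out
```

Calling `check_pair(R1_CONFIG, R3_CONFIG)` on the configs above returns only the two warnings about the short secret test123; changing the IKE hash, a tunnel prefix or the ESP cipher on one side makes the corresponding mismatch appear. The script checks static configuration only: whether the SAs actually came up is still confirmed on the routers themselves with the platform's show commands (on Vyatta-derived systems, show vpn ike sa and show vpn ipsec sa are assumed here to be the relevant ones).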
Verification
Validation
Troubleshooting / Debug commands