
Connection between Two Private Networks Using IPSec VPN (IKEv2)

This example shows how to create an IPSec VPN (IKEv2) tunnel that encrypts and protects the communication between two private networks. Typically such a tunnel connects Device A in a branch office with Device B in the headquarters.

* Note: This topology is a laboratory environment. In this recipe, 10.10.1.0/24 represents the public network.

Device A

Step 1: Configuring interface

1. Configuring the interface connected to the private network.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 192.168.1.1/24

hostname(config-if-eth0/1)# exit

2. Configuring the interface connected to the Internet.

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ip address 10.10.1.1/24

hostname(config-if-eth0/2)# exit

Step 2: Configuring security policies

hostname(config)# rule from 192.168.1.0/24 to 192.168.2.0/24 service any permit

hostname(config)# rule from 192.168.2.0/24 to 192.168.1.0/24 service any permit

Step 3: Configuring IPSec VPN

1. Configuring the P1 proposal for the IKEv2 SA.

hostname(config)# ikev2 proposal Headquarters_to_Branch_P1

hostname(config-ikev2-proposal)# hash sha

hostname(config-ikev2-proposal)# encryption 3des

hostname(config-ikev2-proposal)# group 2

hostname(config-ikev2-proposal)# exit

2. Configuring the P2 proposal for the IPSec (IKEv2) SA.

hostname(config)# ikev2 ipsec-proposal Headquarters_to_Branch_P2

hostname(config-ikev2-ipsec-proposal)# protocol esp

hostname(config-ikev2-ipsec-proposal)# hash sha

hostname(config-ikev2-ipsec-proposal)# encryption 3des

hostname(config-ikev2-ipsec-proposal)# exit

3. Configuring IKEv2 peer.

hostname(config)# ikev2 peer peer2

hostname(config-ikev2-peer)# interface ethernet0/2

hostname(config-ikev2-peer)# match-peer 10.10.1.2

hostname(config-ikev2-peer)# local-id fqdn Headquarters

hostname(config-ikev2-peer)# ikev2-proposal Headquarters_to_Branch_P1

4. Creating the IKEv2 profile.

hostname(config-ikev2-peer)# ikev2-profile 1

hostname(config-ikev2-profile)# remote id fqdn Branch1

hostname(config-ikev2-profile)# remote key 123456

hostname(config-ikev2-profile)# traffic-selector src subnet 192.168.1.0/24

hostname(config-ikev2-profile)# traffic-selector dst subnet 192.168.2.0/24

hostname(config-ikev2-profile)# exit

hostname(config-ikev2-peer)# exit

hostname(config)#

5. Viewing the P1 and P2 proposal information of the IPsec VPN (IKEv2).

hostname# show ikev2 proposal Headquarters_to_Branch_P1

Name: Headquarters_to_Branch_P1

Encryption: 3des

PRF: sha

Hash: sha

Group: 2

Lifetime: 86400

hostname# show ikev2 proposal Headquarters_to_Branch_P2

Name: Headquarters_to_Branch_P2

Protocol: esp

Encryption: 3des

Hash: sha

Group: 0

Lifetime: 28800

Lifesize: 0

Step 4: Creating IPsec VPN IKEv2 tunnel

hostname(config)# tunnel ipsec test-ikev2 ikev2

hostname(config-ikev2-tunnel)# ikev2-peer peer2

hostname(config-ikev2-tunnel)# ipsec-proposal Headquarters_to_Branch_P2

hostname(config-ikev2-tunnel)# exit

hostname(config)#

Step 5: Binding the tunnel interface to the IPsec VPN IKEv2 tunnel

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# tunnel ikev2 test-ikev2

hostname(config-if-tun1)# exit

hostname(config)#

Step 6: Configuring route

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 192.168.2.0/24 tunnel1

hostname(config-vrouter)# exit

Device B

Step 1: Configuring interface.

1. Configuring the interface connected to the private network.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 192.168.2.1/24

hostname(config-if-eth0/1)# exit

2. Configuring the interface connected to the Internet.

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ip address 10.10.1.2/24

hostname(config-if-eth0/2)# exit

Step 2: Configuring security policies

hostname(config)# rule from 192.168.1.0/24 to 192.168.2.0/24 service any permit

hostname(config)# rule from 192.168.2.0/24 to 192.168.1.0/24 service any permit

Step 3: Configuring IPSec VPN (IKEv2).

1. Configuring the P1 proposal for the IKE SA.

hostname(config)# ikev2 proposal Branch_to_Headquarters_P1

hostname(config-ikev2-proposal)# hash sha

hostname(config-ikev2-proposal)# encryption 3des

hostname(config-ikev2-proposal)# group 2

hostname(config-ikev2-proposal)# exit

2. Configuring the P2 proposal for the IPSec (IKEv2) SA.

hostname(config)# ikev2 ipsec-proposal Branch_to_Headquarters_P2

hostname(config-ikev2-ipsec-proposal)# protocol esp

hostname(config-ikev2-ipsec-proposal)# hash sha

hostname(config-ikev2-ipsec-proposal)# encryption 3des

hostname(config-ikev2-ipsec-proposal)# exit

3. Configuring IKEv2 peer.

hostname(config)# ikev2 peer peer1

hostname(config-ikev2-peer)# interface ethernet0/2

hostname(config-ikev2-peer)# match-peer 10.10.1.1

hostname(config-ikev2-peer)# local-id fqdn Branch1

hostname(config-ikev2-peer)# ikev2-proposal Branch_to_Headquarters_P1

4. Creating the IKEv2 profile.

hostname(config-ikev2-peer)# ikev2-profile 1

hostname(config-ikev2-profile)# remote id fqdn Headquarters

hostname(config-ikev2-profile)# remote key 123456

hostname(config-ikev2-profile)# traffic-selector src subnet 192.168.2.0/24

hostname(config-ikev2-profile)# traffic-selector dst subnet 192.168.1.0/24

hostname(config-ikev2-profile)# exit

hostname(config-ikev2-peer)# exit

hostname(config)#

5. Viewing the P1 and P2 proposal information of the IPsec VPN (IKEv2).

hostname# show ikev2 proposal Branch_to_Headquarters_P1

Name: Branch_to_Headquarters_P1

Encryption: 3des

PRF: sha

Hash: sha

Group: 2

Lifetime: 86400

hostname# show ikev2 proposal Branch_to_Headquarters_P2

Name: Branch_to_Headquarters_P2

Protocol: esp

Encryption: 3des

Hash: sha

Group: 0

Lifetime: 28800

Lifesize: 0

Step 4: Creating IPsec VPN IKEv2 tunnel.

hostname(config)# tunnel ipsec test-ikev2 ikev2

hostname(config-ikev2-tunnel)# ikev2-peer peer1

hostname(config-ikev2-tunnel)# ipsec-proposal Branch_to_Headquarters_P2

hostname(config-ikev2-tunnel)# auto-connect

hostname(config-ikev2-tunnel)# exit

Step 5: Binding the tunnel interface to the IPsec VPN IKEv2 tunnel.

hostname(config)# interface tunnel1

hostname(config-if-tun1)# zone trust

hostname(config-if-tun1)# tunnel ikev2 test-ikev2

hostname(config-if-tun1)# exit

Step 6: Configuring route

hostname(config)# ip vrouter trust-vr

hostname(config-vrouter)# ip route 192.168.1.0/24 tunnel1

hostname(config-vrouter)# exit

hostname(config)#
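Before bringing the tunnel up it is worth confirming that the two peer configurations really mirror each other (match-peer against the other side's untrust address, remote id against the other side's local-id, identical key and proposals, swapped traffic selectors) and noting which of the recipe's algorithm choices are legacy ones. The following is an added example, not part of the cookbook or the vendor's software; the values are copied from the steps above, while the dictionary layout and function names are our own.

```python
# Added example: cross-check Device A against Device B for the recipe above.
# Values come from the steps on this page; the layout here is our own.
DEVICE_A = {
    "untrust_ip": "10.10.1.1", "match_peer": "10.10.1.2",
    "local_id": "Headquarters", "remote_id": "Branch1", "psk": "123456",
    "p1": ("3des", "sha", 2), "p2": ("esp", "3des", "sha"),
    "ts": ("192.168.1.0/24", "192.168.2.0/24"),   # traffic-selector src, dst
}
DEVICE_B = {
    "untrust_ip": "10.10.1.2", "match_peer": "10.10.1.1",
    "local_id": "Branch1", "remote_id": "Headquarters", "psk": "123456",
    "p1": ("3des", "sha", 2), "p2": ("esp", "3des", "sha"),
    "ts": ("192.168.2.0/24", "192.168.1.0/24"),
}

# (field on A, field on B) pairs that must be equal for the negotiation to succeed.
MIRRORED = [
    ("match_peer", "untrust_ip"), ("untrust_ip", "match_peer"),  # peer addresses
    ("remote_id", "local_id"), ("local_id", "remote_id"),        # fqdn identities
    ("psk", "psk"), ("p1", "p1"), ("p2", "p2"),                  # shared key, proposals
]


def mirror_errors(a, b):
    """Return human-readable mismatches; an empty list means the peers agree."""
    errors = [f"A.{fa}={a[fa]!r} != B.{fb}={b[fb]!r}"
              for fa, fb in MIRRORED if a[fa] != b[fb]]
    if a["ts"] != tuple(reversed(b["ts"])):   # selectors must be src/dst swapped
        errors.append(f"traffic selectors not mirrored: {a['ts']} vs {b['ts']}")
    return errors


def weak_settings(peer):
    """Flag legacy algorithm and key choices that should be replaced in production."""
    enc, hsh, group = peer["p1"]
    warnings = []
    if "3des" in (enc, peer["p2"][1]):
        warnings.append("3DES is deprecated (64-bit block cipher); prefer AES")
    if "sha" in (hsh, peer["p2"][2]):
        warnings.append("'sha' (SHA-1) integrity/PRF; prefer SHA-256 or stronger")
    if group < 14:
        warnings.append(f"DH group {group} is 1024-bit MODP; prefer group 14 or higher")
    if len(peer["psk"]) < 20 or peer["psk"].isdigit():
        warnings.append("pre-shared key is short or numeric; use a long random key")
    return warnings


if __name__ == "__main__":
    print("mismatches:", mirror_errors(DEVICE_A, DEVICE_B) or "none")
    print("warnings:", *weak_settings(DEVICE_A), sep="\n  ")
```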

Step 7: Results

Use PC1 in the headquarters to ping PC2 in the branch. The ping succeeds.

Step 8: Checking whether the IPSec VPN tunnel has been established

1. With the command show ikev2 ike-sa, you can see that the first phase of the IPsec VPN (the IKE SA) has been established successfully.

hostname# show ikev2 ike-sa
Total: 1
L-time - Lifetime
================================================================================
Cookies      Gateway    Port  Algorithm         L-time  Prof-id
--------------------------------------------------------------------------------
aba8467000~  10.10.1.2  500   psk/sha/sha/3des  84972   1
================================================================================

2. With the command show ikev2 ipsec-sa, you can see that the second phase of the IPsec VPN (the IPsec SAs) has been established successfully, with one active SA in each direction.

hostname# show ikev2 ipsec-sa
Total: 1
S - Status, I - Inactive, A - Active;
================================================================================
Id  VPN         Peer IP     Port  Algorithms    SPI       Life(s)  S
--------------------------------------------------------------------------------
1   test-ikev2  >10.10.1.2  500   ESP:3des/sha  2c21b5d6  27355    A
1   test-ikev2  <10.10.1.2  500   ESP:3des/sha  292b6e44  27355    A
================================================================================
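When this check is automated (for example from a monitoring job that collects the CLI output), "established" should mean an IKE SA to the expected gateway plus an active child SA in both directions, not merely a non-empty table. The parser below is an added example, not vendor code: the sample text is the recipe's own output, and the column-parsing rules and function names are our own assumptions.

```python
# Added example; sample text is the recipe's own output, parsing rules are ours.

IKE_SA_OUTPUT = """\
Total: 1
L-time - Lifetime
================================================================================
Cookies      Gateway    Port  Algorithm         L-time  Prof-id
--------------------------------------------------------------------------------
aba8467000~  10.10.1.2  500   psk/sha/sha/3des  84972   1
================================================================================
"""

IPSEC_SA_OUTPUT = """\
Total: 1
S - Status, I - Inactive, A - Active;
================================================================================
Id  VPN         Peer IP     Port  Algorithms    SPI       Life(s)  S
--------------------------------------------------------------------------------
1   test-ikev2  >10.10.1.2  500   ESP:3des/sha  2c21b5d6  27355    A
1   test-ikev2  <10.10.1.2  500   ESP:3des/sha  292b6e44  27355    A
================================================================================
"""

def data_rows(output):
    """Yield whitespace-split rows between the '----' rule and the closing '====' rule."""
    lines = output.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("----")), len(lines))
    for line in lines[start + 1:]:
        if line.startswith("===="):
            break
        yield line.split()

def parse_ike_sa(output):
    """One dict per IKE SA; 'auth' is the first element of auth/prf/hash/enc."""
    return [{"cookie": c, "gateway": g, "port": int(p), "auth": alg.split("/")[0],
             "algorithm": alg, "lifetime": int(lt), "profile": pid}
            for c, g, p, alg, lt, pid in data_rows(output)]

def parse_ipsec_sa(output):
    """One dict per child SA; '>' in the peer column is outbound, '<' inbound."""
    return [{"id": int(i), "vpn": vpn, "direction": "out" if peer[0] == ">" else "in",
             "peer": peer[1:], "alg": alg, "spi": spi, "life": int(life), "active": s == "A"}
            for i, vpn, peer, _port, alg, spi, life, s in data_rows(output)]

def tunnel_is_up(ike_out, ipsec_out, vpn, peer):
    """True only with an IKE SA to `peer` and active child SAs in both directions."""
    ike_ok = any(sa["gateway"] == peer for sa in parse_ike_sa(ike_out))
    dirs = {sa["direction"] for sa in parse_ipsec_sa(ipsec_out)
            if sa["vpn"] == vpn and sa["peer"] == peer and sa["active"]}
    return ike_ok and dirs == {"in", "out"}
```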