How to Create SITE-SITE VPN using IKEV1

Objective
Configure SITE-SITE VPN using CLI
Environment
  • All Summit WM3000 Series Controllers
  • ExtremeWiNG Controllers
  • WirelessWiNG Controllers
  • ExtremeWiNG Access Points
  • WirelessWiNG Access Points
  • WiNG v5.X Software
Procedure
  • IKE uses UDP port 500 by default.
  • UDP port 4500 (NAT traversal) is used when a NAT device is detected between the peers.
Step-by-step creation of the IPsec tunnel:

Create IKEv1 policy:
RFS6000#
crypto ikev1 policy ikev1-default
  dpd-keepalive 30
  dpd-retries 5
  lifetime 86400
  isakmp-proposal default encryption aes-256 group 2 hash sha
  mode main
ap7532#
crypto ikev1 policy ikev1-default
  dpd-keepalive 30
  dpd-retries 5
  lifetime 86400
  isakmp-proposal default encryption aes-256 group 2 hash sha
  mode main

Create IKEv1 peer:
RFS6000#
crypto ikev1 peer IPSEC
  ip address 0.0.0.0
  no remoteid
  no localid
  authentication psk 0 hellomoto
  use ikev1-policy ikev1-default
ap7532#
crypto ikev1 peer IPSEC
  ip address 172.16.1.174
  no remoteid
  no localid
  authentication psk 0 hellomoto
  use ikev1-policy ikev1-default

Create transform sets:
RFS6000#
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
  mode tunnel
ap7532#
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
  mode tunnel

For a site-to-site IPsec VPN, each peer needs an ACL with one or more permit rules that select the source and destination IP packets to be protected between the IPsec peers. Each rule may permit a specific host or subnet and may optionally specify protocols and ports.

Three ACLs are created:
  • INTERNET-IN: permits IKE, NAT-T and ESP, and denies and logs all other inbound traffic
  • NAT: provides many-to-one NAT so that hosts at each site can reach the Internet
  • IPSEC: selects the IP traffic to be encapsulated and forwarded over the IPsec VPN tunnel
rfs6000#
ip access-list INTERNET-IN
 permit udp any any eq 500 rule-precedence 10
 permit udp any any eq 4500 rule-precedence 20
 permit proto esp any any rule-precedence 30
 permit ip any any log rule-precedence 90
 deny ip any any log rule-precedence 100

rfs6000#
ip access-list NAT
 deny ip 172.16.10.0/23 172.16.20.0/23 rule-precedence 10
 permit ip 172.16.10.0/23 any rule-precedence 100

rfs6000#
ip access-list IPSEC
 permit ip 172.16.10.0/23 172.16.20.0/23 rule-precedence 10
ap7532#
ip access-list INTERNET-IN
 permit udp any any eq 500 rule-precedence 10
 permit udp any any eq 4500 rule-precedence 20
 permit proto esp any any rule-precedence 30
 permit ip any any rule-precedence 90
 deny ip any any log rule-precedence 100

ap7532#
ip access-list NAT
 deny ip 172.16.20.0/23 172.16.10.0/23 rule-precedence 10
 permit ip 172.16.20.0/23 any rule-precedence 100

ap7532#
ip access-list IPSEC
 permit ip 172.16.20.0/23 172.16.10.0/23 rule-precedence 10
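As an added worked example (not part of the article or of WiNG), the following Python evaluates the rfs6000 ACLs above against constructed sample flows, applying rules in ascending rule-precedence with the first match deciding. Run against INTERNET-IN it shows that the "permit ip any any log" rule at precedence 90 matches every packet that reaches it, so the "deny ip any any log" at precedence 100 can never fire; if the intent is the deny-all described above, the precedence-90 rule is the one to review before deployment. Against the NAT list it shows how the deny rule excludes site-to-site traffic from translation while Internet-bound traffic is permitted (translated). The parser handles only the rule forms that appear on the page.

```python
"""Evaluate the article's WiNG-style IP ACLs against sample flows.

Added example, not WiNG code: a simplified parser for the rule forms on the
page ('permit udp any any eq 500', 'permit proto esp any any',
'deny ip A/23 B/23', optional 'log', 'rule-precedence N'). Rules are tried
in ascending rule-precedence and the first match decides.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copies of two ACLs from the rfs6000 side of the article.
RFS_INTERNET_IN = """\
ip access-list INTERNET-IN
 permit udp any any eq 500 rule-precedence 10
 permit udp any any eq 4500 rule-precedence 20
 permit proto esp any any rule-precedence 30
 permit ip any any log rule-precedence 90
 deny ip any any log rule-precedence 100
"""

RFS_NAT = """\
ip access-list NAT
 deny ip 172.16.10.0/23 172.16.20.0/23 rule-precedence 10
 permit ip 172.16.10.0/23 any rule-precedence 100
"""


@dataclass
class Rule:
    action: str                           # 'permit' or 'deny'
    proto: str                            # 'ip' matches every protocol
    src: Optional[ipaddress.IPv4Network]  # None means 'any'
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]                  # from 'eq N', None if absent
    log: bool
    precedence: int


def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_acl(text):
    """Return (acl_name, rules sorted by ascending rule-precedence)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    name = lines[0].split()[-1]
    rules = []
    for line in lines[1:]:
        toks = line.split()
        i = 1
        if toks[i] == "proto":            # 'permit proto esp any any'
            i += 1
        proto, src, dst = toks[i], _net(toks[i + 1]), _net(toks[i + 2])
        i += 3
        dport, log, prec = None, False, 0
        while i < len(toks):
            if toks[i] == "eq":
                dport, i = int(toks[i + 1]), i + 2
            elif toks[i] == "log":
                log, i = True, i + 1
            elif toks[i] == "rule-precedence":
                prec, i = int(toks[i + 1]), i + 2
            else:
                raise ValueError(f"unsupported token {toks[i]!r} in {line!r}")
        rules.append(Rule(toks[0], proto, src, dst, dport, log, prec))
    rules.sort(key=lambda r: r.precedence)
    return name, rules


def _matches(rule, proto, src, dst, dport):
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if rule.src is not None and src not in rule.src:
        return False
    if rule.dst is not None and dst not in rule.dst:
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(rules, proto, src, dst, dport=None):
    """First match wins. Returns (action, precedence); ('deny', None) is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, proto, s, d, dport):
            return rule.action, rule.precedence
    return "deny", None


def _covers(a, b):
    """True when rule a matches every packet that rule b can match."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    for a_net, b_net in ((a.src, b.src), (a.dst, b.dst)):
        if a_net is not None and (b_net is None or not b_net.subnet_of(a_net)):
            return False
    return a.dport is None or a.dport == b.dport


def shadowed(rules):
    """Precedences of rules that can never fire because an earlier rule covers them."""
    return [r.precedence for i, r in enumerate(rules)
            if any(_covers(e, r) for e in rules[:i])]
```

Calling shadowed() on the parsed INTERNET-IN list returns [100]; evaluate() for an inbound TCP/22 flow returns ("permit", 90) rather than reaching the logged deny. For the NAT list, a flow from 172.16.10.5 to 172.16.20.7 returns ("deny", 10), which here means "do not translate", so it is left intact for the IPSEC crypto ACL to select.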

Create IKEv1 crypto map:
rfs6000#
crypto map IPSEC 1 ipsec-isakmp
  use ip-access-list IPSEC
  peer 1 ikev1 IPSEC
  transform-set default
  no ip nat crypto
ap7532#
crypto map IPSEC 1 ipsec-isakmp
  use ip-access-list IPSEC
  peer 1 ikev1 IPSEC
  transform-set default
  no ip nat crypto
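Phase 1 (ISAKMP policy) and phase 2 (transform set) parameters must be identical on both peers or the tunnel will not negotiate, and a mismatch is the most common reason a site-to-site IKEv1 tunnel stays down. As an added example (not part of the article or of WiNG), the Python below parses the indented CLI blocks in the form the article prints them, extracts the parameters both sides must agree on, confirms that the RFS6000 and AP7532 configurations mirror each other, and lists defender-side observations about the chosen settings (the wildcard 0.0.0.0 peer on the controller, DH group 2 and the SHA-1 hash). The review thresholds are the author's assumptions based on current IKE guidance, not values from the page.

```python
"""Compare the two peers' IKEv1 / IPsec parameters and flag weak settings.

Added example, not WiNG code. Parses the indented CLI blocks as printed in
the article (header at column 0, children indented) into the parameters
that IKEv1 phase 1 and phase 2 must agree on.
"""

# Constructed copy of the RFS6000 crypto configuration from the article.
RFS_CONF = """\
crypto ikev1 policy ikev1-default
  dpd-keepalive 30
  dpd-retries 5
  lifetime 86400
  isakmp-proposal default encryption aes-256 group 2 hash sha
  mode main
crypto ikev1 peer IPSEC
  ip address 0.0.0.0
  no remoteid
  no localid
  authentication psk 0 hellomoto
  use ikev1-policy ikev1-default
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
  mode tunnel
crypto map IPSEC 1 ipsec-isakmp
  use ip-access-list IPSEC
  peer 1 ikev1 IPSEC
  transform-set default
  no ip nat crypto
"""
# The AP side differs only in pointing at the controller's public address.
AP_CONF = RFS_CONF.replace("ip address 0.0.0.0", "ip address 172.16.1.174")

# Parameters both sides must negotiate identically (peer address is local).
NEGOTIATED = ("ike_encryption", "ike_dh_group", "ike_hash", "ike_lifetime",
              "ike_mode", "esp_encryption", "esp_integrity", "ipsec_mode")


def parse_blocks(text):
    """Group the flat CLI into {header line: [child lines]} by indentation."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":
            current = raw.strip()
            blocks[current] = []
        else:
            blocks[current].append(raw.strip())
    return blocks


def phase_params(blocks):
    """Extract phase 1 (ISAKMP) and phase 2 (ESP) parameters from parsed blocks."""
    p = {}
    for header, body in blocks.items():
        h = header.split()
        if h[:3] == ["crypto", "ikev1", "policy"]:
            for t in (ln.split() for ln in body):
                if t[0] == "isakmp-proposal":
                    # 'isakmp-proposal default encryption aes-256 group 2 hash sha'
                    kv = dict(zip(t[2::2], t[3::2]))
                    p["ike_encryption"], p["ike_hash"] = kv["encryption"], kv["hash"]
                    p["ike_dh_group"] = int(kv["group"])
                elif t[0] == "lifetime":
                    p["ike_lifetime"] = int(t[1])
                elif t[0] == "mode":
                    p["ike_mode"] = t[1]
        elif h[:3] == ["crypto", "ipsec", "transform-set"]:
            # 'crypto ipsec transform-set default esp-aes-256 esp-sha-hmac'
            p["esp_encryption"], p["esp_integrity"] = h[4], h[5]
            for t in (ln.split() for ln in body):
                if t[0] == "mode":
                    p["ipsec_mode"] = t[1]
        elif h[:3] == ["crypto", "ikev1", "peer"]:
            for t in (ln.split() for ln in body):
                if t[:2] == ["ip", "address"]:
                    p["peer_address"] = t[2]
    return p


def mismatches(a, b):
    """Negotiated parameters on which the two sides differ (empty means they mirror)."""
    return [k for k in NEGOTIATED if a.get(k) != b.get(k)]


def review(p):
    """Defender-side observations about one side's settings (thresholds are assumptions)."""
    findings = []
    if p.get("peer_address") == "0.0.0.0":
        findings.append("peer 0.0.0.0 accepts IKE from any source address; "
                        "the pre-shared key is the only gate on phase 1")
    if p.get("ike_mode") != "main":
        findings.append("IKEv1 aggressive mode sends the identity hash unprotected; use main mode")
    if p.get("ike_dh_group") in (1, 2, 5):
        findings.append(f"DH group {p['ike_dh_group']} is 1536-bit MODP or smaller; "
                        "current guidance is group 14 (2048-bit) or stronger")
    if p.get("ike_hash") == "sha":
        findings.append("hash 'sha' negotiates HMAC-SHA1 (as the show output confirms); "
                        "prefer a SHA-2 option where both peers support it")
    return findings
```

mismatches() returning an empty list for the two configurations above is the precondition for the "IKE SA established" state shown later in the article; changing a single parameter on one side (for example the DH group) makes it non-empty and names the field to fix.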
Configure the public SVI (VLAN 10) on which the IPsec VPN tunnel terminates:
rfs6000#
interface vlan10
  description PUBLIC
  ip address 172.16.1.174/24
  use ip-access-list in INTERNET-IN
  ip nat outside
  crypto map IPSEC
ap7532#
interface vlan10
  description PUBLIC
  ip address dhcp
  use ip-access-list in INTERNET-IN
  ip nat outside
  crypto map IPSEC

To permit remote management access to the RFS X000 controllers at each site:
rfs6000#
crypto plain-text-deny-acl-scope interface
ap7532#
crypto plain-text-deny-acl-scope interface

Remember to run "commit write" to save the configuration.
Additional notes
The following CLI command displays the active IKE SAs:
rfs6000-6DCF45#show crypto ike sa
------------------------------------------------------------------------------------------------------------
IDX     PEER              VERSION    ENCR ALGO       HASH ALGO       DH GROUP        IKE STATE
------------------------------------------------------------------------------------------------------------
1       172.16.1.179      IKEv1      AES_CBC_256     HMAC_SHA1       MODP_1024       sent MR3, IKE SA established
------------------------------------------------------------------------------------------------------------
ap7532-1893F0#show crypto ike sa
------------------------------------------------------------------------------------------------------------
IDX     PEER              VERSION    ENCR ALGO       HASH ALGO       DH GROUP        IKE STATE
------------------------------------------------------------------------------------------------------------
1       172.16.1.174      IKEv1      AES_CBC_256     HMAC_SHA1       MODP_1024       IKE SA established
------------------------------------------------------------------------------------------------------------
Total IKE SAs: 1
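Checking this output by eye works for one tunnel; for many sites it is worth scripting. As an added example (not part of the article or of WiNG), the Python below parses the table in the column layout shown above, confirms each SA reports "IKE SA established", checks that the negotiated algorithms are what the article's policy ("encryption aes-256 group 2 hash sha") should produce (AES_CBC_256, HMAC_SHA1, MODP_1024), and cross-checks that the AP's peer is the controller's public SVI address 172.16.1.174. The column layout and the meaning of the state text are assumptions taken from the output as printed.

```python
"""Parse 'show crypto ike sa' output and verify the tunnel came up as designed.

Added example, not WiNG code. Assumes the column layout printed in the
article (IDX, PEER, VERSION, ENCR ALGO, HASH ALGO, DH GROUP, IKE STATE) and
that 'IKE SA established' in the last column means phase 1 completed.
"""

# Constructed copies of the two outputs shown in the article.
RFS_SHOW = """\
rfs6000-6DCF45#show crypto ike sa
------------------------------------------------------------------------------------------------------------
IDX     PEER              VERSION    ENCR ALGO       HASH ALGO       DH GROUP        IKE STATE
------------------------------------------------------------------------------------------------------------
1       172.16.1.179      IKEv1      AES_CBC_256     HMAC_SHA1       MODP_1024       sent MR3, IKE SA established
------------------------------------------------------------------------------------------------------------
"""
AP_SHOW = """\
ap7532-1893F0#show crypto ike sa
------------------------------------------------------------------------------------------------------------
IDX     PEER              VERSION    ENCR ALGO       HASH ALGO       DH GROUP        IKE STATE
------------------------------------------------------------------------------------------------------------
1       172.16.1.174      IKEv1      AES_CBC_256     HMAC_SHA1       MODP_1024       IKE SA established
------------------------------------------------------------------------------------------------------------
Total IKE SAs: 1
"""

# What the article's policy ('encryption aes-256 ... group 2 hash sha')
# should negotiate, in the form the controller displays it.
EXPECTED = {"encr": "AES_CBC_256", "hash": "HMAC_SHA1", "dh": "MODP_1024"}

FIELDS = ("idx", "peer", "version", "encr", "hash", "dh", "state")


def parse_ike_sa(output):
    """Return one dict per SA row; prompt, separators, header and totals are skipped."""
    sas = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("-") or "#" in line or line.startswith("Total"):
            continue
        # The state column contains spaces, so split at most len(FIELDS)-1 times.
        parts = line.split(None, len(FIELDS) - 1)
        if parts[0] == "IDX" or len(parts) < len(FIELDS):
            continue
        sas.append(dict(zip(FIELDS, parts)))
    return sas


def verify_sa(sa, expected=EXPECTED, expected_peer=None):
    """Problems with one SA: not established, unexpected algorithms, or unexpected peer."""
    problems = []
    if "IKE SA established" not in sa["state"]:
        problems.append(f"state is {sa['state']!r}, not established")
    for key in ("encr", "hash", "dh"):
        if sa[key] != expected[key]:
            problems.append(f"{key} negotiated {sa[key]}, policy expects {expected[key]}")
    if expected_peer and sa["peer"] != expected_peer:
        problems.append(f"peer {sa['peer']} is not the expected {expected_peer}")
    return problems


def tunnel_up(rfs_output, ap_output, rfs_public_addr):
    """True when both sides show exactly one clean SA and the AP peers with the controller's SVI."""
    rfs, ap = parse_ike_sa(rfs_output), parse_ike_sa(ap_output)
    if len(rfs) != 1 or len(ap) != 1:
        return False
    return not verify_sa(rfs[0]) and not verify_sa(ap[0], expected_peer=rfs_public_addr)
```

The controller side cannot be checked against a fixed peer address because the AP obtains its address by DHCP (172.16.1.179 in this capture), which is why the controller's peer is configured as 0.0.0.0; the AP side, however, must always show 172.16.1.174.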