- IKEv2 provides more scalable and efficient IPSec VPN connections compared to IKEv1. It allows for directional pre-shared keys and mixed authentication methods.
- IKEv2 has a two-phase setup, with IKE_SA_INIT and IKE_AUTH messages, to establish the IKE security association and authenticate the peers.
- The document outlines the steps to configure an IKEv2-based IPSec VPN using crypto maps or tunnel-based IPSec on routers R1 and R2, including Phase 1 and Phase 2 parameters, crypto maps, and interfaces.


IKEv2

Mubeen Nevrekar
July 2021
Outline
 IKEv2 Overview and Benefits
 Configuring IKEv2 Based IPSec VPN – Crypto Map
 Configuring IKEv2 Based IPSec VPN – Tunnel-Based IPSec
IKEv2 Overview
 More scalable, as it allows you to create proposals. An IKEv2 proposal holds all the acceptable Phase I parameters (encryption, integrity and DH group), and the router automatically generates every possible combination of them.

 Allows directional PSKs. You can use one key (cisco111) to authenticate Phase I from R1 -> R2 and a different PSK (cisco222) to authenticate Phase I from R2 -> R1.

 IKEv2 allows you to use both PSK and certificate-based authentication for Phase I at the same time. You could use a PSK from R1 -> R2 and certificates from R2 -> R1.

 IKEv2 has a more efficient setup process.


IKEv2 Phase1 (IKE SA) and Phase 2 (Child SA) Messages Exchanges
 In previous lessons we learned about IKEv1 and the IKEv1 message exchanges in Phase 1 (main mode / aggressive mode) and Phase 2 (quick mode).

 Nine messages are exchanged if IKEv1 Phase 1 is in Main Mode (six messages for Main Mode and three messages for Quick Mode), or six if IKEv1 Phase 1 is in Aggressive Mode (three messages for Aggressive Mode and three messages for Quick Mode).

 Internet Key Exchange Version 2 (IKEv2) is the successor to IKEv1.

 IKEv2 was initially defined by RFC 4306, which was later obsoleted by RFC 5996.

 The current IKEv2 RFCs are RFC 7296 and RFC 7427. IKEv2 retains most of the features of IKEv1.
IKEv2 Phase1 (IKE SA) and Phase 2 (Child SA) Messages Exchanges
 The first phase is known as IKE_SA_INIT and the second phase is called IKE_AUTH.

 CHILD SA is the IKEv2 term for the IKEv1 IPSec SA.

 Further CHILD SAs are created with the CREATE_CHILD_SA exchange.

 IKEv2 runs over UDP ports 500 and 4500 (IPSec NAT Traversal).

 Devices configured to use IKEv2 accept packets on UDP ports 500 and 4500.

 IKEv2 IPSec peers can be validated using pre-shared keys, certificates, or the Extensible Authentication Protocol (EAP).

 The Extensible Authentication Protocol (EAP) allows other, legacy authentication methods to be used between IPSec peers.
IKEv2 Phase1 (IKE SA) and Phase 2 (Child SA) Messages Exchanges
 IKEv2 Phase 1 Message 1

1. The first message, from initiator to responder (IKE_SA_INIT), contains the security association protocols, the encryption and integrity algorithms, the Diffie-Hellman key (KE) and a nonce.

 IKEv2 Phase 1 Message 2

1. The second message, from responder to initiator (IKE_SA_INIT), contains the security association protocols, the encryption and integrity algorithms, the Diffie-Hellman key (KE) and a nonce.

2. Both IPSec peers now generate SKEYSEED, from which the keys used in the IKE SA are derived.

3. From this point on, messages are protected by encrypting and authenticating them.


IKEv2 Phase1 (IKE SA) and Phase 2 (Child SA) Messages Exchanges
 IKEv2 Phase 1 Message 3 and 4

1. The third and fourth messages (IKE_AUTH) are encrypted and authenticated over the IKE SA created by the previous messages 1 and 2 (IKE_SA_INIT).

2. The initiator's and responder's identities and certificates (if available) are exchanged at this stage.

3. The third and fourth messages (IKE_AUTH) are used to authenticate the previous messages, validate the identity of the IPSec peers and establish the first CHILD_SA.

4. At the end of messages 3 and 4, the identities of the IPSec peers are verified and the first CHILD_SA is established.
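Added example, not from the slides: how the SKEYSEED mentioned under Message 2 and the seven IKE SA keys are derived, following RFC 7296 sections 2.13 (prf+) and 2.14 (key generation) with HMAC-SHA1 as the PRF, which is what the "integrity sha1" proposal later in the deck negotiates. The nonces, SPIs and the Diffie-Hellman shared secret G_IR are constructed placeholder values.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """IKEv2 PRF_HMAC_<hash>; sha1 matches the 'integrity sha1' proposal on the slides."""
    return hmac.new(key, data, getattr(hashlib, hash_name)).digest()

def prf_plus(key: bytes, seed: bytes, length: int, hash_name: str = "sha1") -> bytes:
    """RFC 7296 s2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n); output is T1|T2|..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]), hash_name)
        out += t
        n += 1  # the RFC caps n at 255; a real implementation must refuse to go past it
    return out[:length]

def derive_ike_keys(ni, nr, g_ir, spi_i, spi_r, hash_name="sha1", enc_key_len=24):
    """RFC 7296 s2.14: SKEYSEED = prf(Ni|Nr, g^ir) and
    SK_d|SK_ai|SK_ar|SK_ei|SK_er|SK_pi|SK_pr = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)."""
    skeyseed = prf(ni + nr, g_ir, hash_name)
    prf_len = hashlib.new(hash_name).digest_size
    sizes = [("SK_d", prf_len), ("SK_ai", prf_len), ("SK_ar", prf_len),
             ("SK_ei", enc_key_len), ("SK_er", enc_key_len),  # 24 bytes = 3DES key
             ("SK_pi", prf_len), ("SK_pr", prf_len)]
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(s for _, s in sizes), hash_name)
    keys, off = {}, 0
    for name, size in sizes:
        keys[name] = stream[off:off + size]
        off += size
    return skeyseed, keys

# Constructed sample values. G_IR stands in for the Diffie-Hellman shared secret,
# which each peer computes from its own private value and the other side's KE payload.
NI = bytes.fromhex("aa" * 32)
NR = bytes.fromhex("bb" * 32)
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")
G_IR = bytes.fromhex("cc" * 128)

if __name__ == "__main__":
    seed, sk = derive_ike_keys(NI, NR, G_IR, SPI_I, SPI_R)
    print("SKEYSEED", seed.hex())
    for name, key in sk.items():
        print(name, key.hex())
```

Because both peers feed identical inputs into the same derivation, each side ends up with the same key set while the initiator and responder directions still use distinct keys (SK_ai vs SK_ar, SK_ei vs SK_er).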
IKEv2 Phase1 (IKE SA) and Phase 2 (Child SA) Messages Exchanges
In the following descriptions, the payloads contained in the message are indicated by the names listed below.

Notation   Payload
AUTH       Authentication
CERT       Certificate
CERTREQ    Certificate Request
CP         Configuration
D          Delete
E          Encrypted
EAP        Extensible Authentication
HDR        IKE Header
IDi        Identification - Initiator
IDr        Identification - Responder
KE         Key Exchange
Ni, Nr     Nonce
N          Notify
SA         Security Association
TSi        Traffic Selector - Initiator
TSr        Traffic Selector - Responder
V          Vendor ID

Initiator (i)                                                        Responder (r)

IKE_SA_INIT Exchange
HDR, SAi1, KEi, Ni                                        -->
                                                          <--        HDR, SAr1, KEr, Nr, [CERTREQ]
                                              (IKE_SA established)

IKE_AUTH Exchange
HDR, SK {IDi, [CERT], [CERTREQ], AUTH, SAi2, TSi, TSr}    -->
                                                          <--        HDR, SK {IDr, [CERT], AUTH, SAr2, TSi, TSr}
                                              (CHILD_SA established)
IPSec LAN – To – LAN Tunnel using Crypto Maps

Topology: R1 (outside network 199.1.1.0/24; internal LANs 10.1.1.0/24 and 10.1.2.0/24) -- Internet -- R2 (outside network 200.1.1.0/24; internal LANs 10.2.2.0/24 and 10.2.1.0/24)

Configure an IPSec LAN – To – LAN VPN to encrypt the traffic between the internal private networks using IKEv2
L2L IPSec VPN – Step # 1
Step 1. Configure Phase I Parameters

R1

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP-1
 encryption 3des
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy and call the proposal
crypto ikev2 policy POL-1
 proposal PROP-1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-1
 peer R2
  address 200.1.1.1
  pre-shared-key local cisco111
  pre-shared-key remote cisco222

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile IKEv2-PROF
 match identity remote address 200.1.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1

R2

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP-1
 encryption 3des
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy and call the proposal
crypto ikev2 policy POL-1
 proposal PROP-1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-1
 peer R1
  address 199.1.1.1
  pre-shared-key local cisco222
  pre-shared-key remote cisco111

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile IKEv2-PROF
 match identity remote address 199.1.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1
L2L IPSec VPN – Step # 2
Step 2. Configure Phase II Parameters

R1

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

R2

crypto ipsec transform-set TSET esp-3des esp-sha-hmac


L2L IPSec VPN – Step # 3
Step 3. Configure the Interesting Traffic ACL, also known as the “Crypto ACL”

R1

access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

R2

access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255


L2L IPSec VPN – Step # 4
Step 4. Link the Above Parameters to each other using a Crypto Map.

R1

crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 200.1.1.1
 set transform-set TSET
 set ikev2-profile IKEv2-PROF

R2

crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 199.1.1.1
 set transform-set TSET
 set ikev2-profile IKEv2-PROF
L2L IPSec VPN – Step # 5
Step 5. Apply the Crypto Map to the Outgoing Interface

R1

interface Ethernet0/0
 crypto map CMAP

R2

interface Ethernet0/0
 crypto map CMAP
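An added configuration check, not part of the slides, that parses the R1/R2 crypto-map configuration from Steps 1 to 4 and verifies what has to be mirrored between the two peers: the directional PSKs (local on one side equals remote on the other) and the crypto ACLs (source and destination swapped). It also expands the proposal into every (encryption, integrity, group) combination, as the overview describes, and flags 3DES, MD5 and DH groups 2 and 5 as algorithms Cisco's Next Generation Encryption guidance says to avoid. ios_cfg, parse and audit are hypothetical helpers; the Phase I checks apply unchanged to the tunnel-based variant in the next section.

```python
import re
from ipaddress import ip_network

def ios_cfg(peer, psk_local, psk_remote, lan, peer_lan):
    # Constructed template of the per-router configuration shown on the slides.
    return f"""
crypto ikev2 proposal PROP-1
 encryption 3des
 integrity md5 sha1
 group 2 5
crypto ikev2 keyring KR-1
 peer PEER
  address {peer}
  pre-shared-key local {psk_local}
  pre-shared-key remote {psk_remote}
access-list 101 permit ip {lan} 0.0.255.255 {peer_lan} 0.0.255.255
"""

R1 = ios_cfg("200.1.1.1", "cisco111", "cisco222", "10.1.0.0", "10.2.0.0")
R2 = ios_cfg("199.1.1.1", "cisco222", "cisco111", "10.2.0.0", "10.1.0.0")
WEAK = {"3des", "md5", "group 2", "group 5"}  # "avoid" under Cisco NGE guidance

def parse(cfg):
    """Pull the audited fields out of one router's config; 'combos' is every
    (encryption, integrity, group) combination the proposal expands to."""
    g = lambda pat: re.search(pat, cfg).group(1)
    acl = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    return {
        "psk_l": g(r"pre-shared-key local (\S+)"), "psk_r": g(r"pre-shared-key remote (\S+)"),
        # wildcard masks become prefixes: 10.1.0.0/0.0.255.255 -> 10.1.0.0/16
        "acl": (ip_network(f"{acl[1]}/{acl[2]}"), ip_network(f"{acl[3]}/{acl[4]}")),
        "combos": [(e, i, "group " + d) for e in g(r"encryption (.+)").split()
                   for i in g(r"integrity (.+)").split() for d in g(r"group (.+)").split()],
    }

def audit(a, b):
    """Findings for peers a and b; an empty list means nothing to report."""
    out = []
    if (a["psk_l"], a["psk_r"]) != (b["psk_r"], b["psk_l"]):
        out.append("directional PSKs are not mirrored")
    if a["acl"] != b["acl"][::-1]:
        out.append("crypto ACLs are not mirror images")
    for name, p in (("a", a), ("b", b)):
        out += [f"{name}: weak algorithm {x}" for x in sorted({y for c in p["combos"] for y in c} & WEAK)]
    return out

if __name__ == "__main__":
    for finding in audit(parse(R1), parse(R2)):
        print(finding)
```

On the slide configuration the only findings are the eight weak-algorithm warnings; a swapped PSK or an ACL that is not the exact mirror of the peer's adds a finding for it.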
IPSec Tunnel-based VPN – S-VTI

Topology: R1 (outside network 199.1.1.0/24; internal LANs 10.1.1.0/24 and 10.1.2.0/24) -- Internet -- R2 (outside network 200.1.1.0/24; internal LANs 10.2.2.0/24 and 10.2.1.0/24)
L2L IPSec VPN – Step # 1
Step 1. Configure Phase I Parameters

R1

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP-1
 encryption 3des
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy and call the proposal
crypto ikev2 policy POL-1
 proposal PROP-1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-1
 peer R2
  address 200.1.1.1
  pre-shared-key local cisco111
  pre-shared-key remote cisco222

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile IKEv2-PROF
 match identity remote address 200.1.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1

R2

! 1A. Configure an IKEv2 Proposal
crypto ikev2 proposal PROP-1
 encryption 3des
 integrity md5 sha1
 group 2 5

! 1B. Configure an IKEv2 Policy and call the proposal
crypto ikev2 policy POL-1
 proposal PROP-1

! 1C. Configure an IKEv2 Keyring
crypto ikev2 keyring KR-1
 peer R1
  address 199.1.1.1
  pre-shared-key local cisco222
  pre-shared-key remote cisco111

! 1D. Configure an IKEv2 Profile
crypto ikev2 profile IKEv2-PROF
 match identity remote address 199.1.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-1
L2L IPSec VPN – Step # 2
Step 2. Configure Phase II Parameters

R1

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

R2

crypto ipsec transform-set TSET esp-3des esp-sha-hmac


L2L IPSec VPN – Step # 3
Step 3. Configure an IPSec Profile to link the Transform-set and the IKEv2 Profile to it.

R1

crypto ipsec profile IPROF
 set transform-set TSET
 set ikev2-profile IKEv2-PROF

R2

crypto ipsec profile IPROF
 set transform-set TSET
 set ikev2-profile IKEv2-PROF
L2L IPSec VPN – Step # 4
Step 4. Create the IPSec based Tunnel (Static Virtual Tunnel Interface)

R1

interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 tunnel source 199.1.1.1
 tunnel destination 200.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF

R2

interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 tunnel source 200.1.1.1
 tunnel destination 199.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPROF
L2L IPSec VPN – Step # 5
Step 5. Configure a Dynamic Routing Protocol to route the internal LAN Segments

R1

router eigrp 111
 network 192.168.1.0
 network 10.0.0.0

R2

router eigrp 111
 network 192.168.1.0
 network 10.0.0.0