This chapter describes how to configure the IPSec to IPSec service model for the Cisco Network-Based IPSec VPN Release 1.5.
Configuring IPSec to IPSec Service Model
In this model, the IPSec Aggregator terminates the tunnels from any remote sites and clients and then forwards the traffic to a headend enterprise VPN device. Because the traffic crosses an open IP network, IPSec provides the encryption needed over the IP backbone. This model also permits private, overlapping IP addressing schemes between enterprises.
Before You Begin
The procedures provided here are specific to configuring IPSec to IPSec on a single router (one box) and are based on the following assumptions:
1. That the following setup and configuration tasks have already been completed:
Setup of the core IP/MPLS network.
Setup of the customer VPN.
Configuration of the links between the PE and the CE.
Collection of the customer-specific information.
2. That you have a good understanding of the architecture and features you are using and that you have selected the means you will use to implement those features (for example, which of several strategies you will use for address management or for user authentication and authorization).
IPSec to IPSec Configuration Checklist
This section deals with configuring the router to function as an IPSec aggregator.
Procedures for completing each task are described in the sections that follow. If you are viewing this document online, you can click on highlighted text to get details on the procedure.
Configure the pre-shared key, keyed by the peer's IP address, that is used to authenticate that peer during IKE Phase 1.
Task 5: Configure ISAKMP Policy for Phase 1 Negotiations
Command
Purpose
Step 1
crypto isakmp policy priority
Configure an IKE policy.
Step 2
encryption {des | 3des | aes | aes 192 | aes 256}
Specify the encryption algorithm within an IKE policy.
Step 3
authentication {rsa-sig | rsa-encr | pre-share}
Specify the authentication method within an IKE policy.
Task 6: Configure DPD Keepalives
Command
Purpose
crypto isakmp keepalive seconds [retry-seconds]
Enable the router to send dead peer detection (DPD) keepalives to its IKE peers: seconds is the interval between keepalives, and retry-seconds the interval between retries once a peer stops answering, after which the dead peer's SAs are torn down.
Task 7: Configure Client Group Definition for Local Authorization
Command
Purpose
Step 1
crypto isakmp client configuration group {group-name | default}
Specify which group's policy profile will be defined.
Step 2
key name
Specify the IKE pre-shared key that clients of this group present during Phase 1.
Step 3
pool name
Assign the local address pool from which clients in this group receive addresses through Mode-Config.
Task 8: Configure ISAKMP Profile for VPN Sites
Command
Purpose
crypto isakmp profile profile-name
Define an ISAKMP profile for a VPN.
Task 9: Configure Dynamic VRF Association for VPN Sites
Command
Purpose
Step 1
vrf name
Place the IPSec tunnels negotiated through this profile into the named inside VRF (the customer VPN), so that decrypted traffic is routed in that VRF rather than in the global table.
Step 2
keyring keyring-name
Associate a keyring with an ISAKMP profile.
Step 3
match identity address address [mask] [fvrf]
Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.
Task 10: Configure ISAKMP Profile for VPN Clients
Command
Purpose
crypto isakmp profile profile-name
Define an ISAKMP profile for a VPN.
Note You can configure the remote sites to match each peer using sequence numbers in the crypto map definition. You can match the peer on IP address or on host name. The IP address match list for the traffic to be encrypted (the crypto ACL) is also defined for each peer. For VPN clients, the dynamic profile defined earlier is used to match the clients.
Task 11: Configure Dynamic VRF Association for VPN Clients
Command
Purpose
Step 1
vrf name
Place the IPSec tunnels negotiated through this profile into the named inside VRF (the customer VPN), so that decrypted client traffic is routed in that VRF rather than in the global table.
Step 2
match identity group group-name
Match an acceptable Phase 1 identity from a peer to a Unity group; the group name is the one configured in Task 7.
Task 12: Configure XAUTH, Group Authorization, and Mode-Config
Command
Purpose
Step 1
client authentication list list-name
Configure IKE extended authentication (Xauth) on your router. The list-name must match the list-name defined during AAA configuration (aaa authentication login list-name).
Step 2
isakmp authorization list list-name
Enable IKE group authorization: during aggressive mode the router queries AAA, using this list, for the group's tunnel attributes. The list-name must match the one defined with aaa authorization network.
Step 3
client configuration address [initiate | respond]
Configure IKE Mode Configuration (Mode-Config).
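The following configuration is an added worked example, not text from the Cisco guide; it pulls Tasks 4 through 12 together for one customer VPN so that the pieces can be seen referencing each other. Every name, address and key in it is constructed (customer VRF cust1, peer addresses in the 198.51.100.0/24 documentation range, the AAA list names), and the hash, group and lifetime commands in the ISAKMP policy, the crypto keyring, the VRF definition and the AAA lines are assumed prerequisites that the tables above do not list. The policy deliberately avoids des and md5.

```cisco
! Assumed prerequisites from "Before You Begin": the customer VRF and the AAA lists that
! Task 12 references. The list names must match what the client profile names below.
ip vrf cust1
 rd 65000:1
!
aaa new-model
aaa authentication login cust1-xauth local
aaa authorization network cust1-groupauth local
username alice secret Al1ce-Xauth-Pa55
!
! Task 4 (keyring; not tabulated on this page): one pre-shared key per site, keyed by the
! site's public (front-side) address.
crypto keyring cust1-sites
 pre-shared-key address 198.51.100.10 255.255.255.255 key S1te1-L0ng-Rand0m-Key
 pre-shared-key address 198.51.100.20 255.255.255.255 key S1te2-L0ng-Rand0m-Key
!
! Task 5: IKE Phase 1 policy. hash, group and lifetime are added here; the table above
! lists only encryption and authentication. Do not use "encryption des" or "hash md5".
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Task 6: DPD, one keepalive every 10 s, retried every 3 s once a peer stops answering.
crypto isakmp keepalive 10 3
!
! Task 7: client group. The group key is shared by every client of the group, so Xauth
! (below) must still authenticate the individual user.
crypto isakmp client configuration group cust1-clients
 key Gr0up-K3y-Cust1
 pool cust1-pool
!
! Tasks 8-9: profile for the sites. "vrf" places the tunnels into VRF cust1; the keyring
! supplies the per-peer PSK; each site is matched on its front-side address.
crypto isakmp profile cust1-sites
 vrf cust1
 keyring cust1-sites
 match identity address 198.51.100.10 255.255.255.255
 match identity address 198.51.100.20 255.255.255.255
!
! Tasks 10-12: profile for the clients, matched on the Unity group name, with Xauth,
! group authorization and Mode-Config (the aggregator answers address requests).
crypto isakmp profile cust1-clients
 vrf cust1
 match identity group cust1-clients
 client authentication list cust1-xauth
 isakmp authorization list cust1-groupauth
 client configuration address respond
```

The group pre-shared key under the client group is shared by every remote-access user and is exchanged in IKE aggressive mode, so anyone who knows the group name can collect a hash of it and attack it offline. Treat Xauth as the real per-user authentication, rotate the group key, and move the clients to rsa-sig (certificates) where they support it.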
Task 13: Configure the Transform Set for Data Encryption
Create source proxy information for a crypto map entry through RRI.
Task 17: Configure Static Crypto Map for Sites
Command
Purpose
Step 1
crypto map map-name seq-num ipsec-isakmp
Create a crypto map entry that uses IKE to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.
Step 2
set peer {hostname | ip-address}
Specify an IP Security peer in a crypto map entry.
Step 3
set transform-set transform-set-name
Specify which transform sets can be used with the crypto map entry.
Task 18: Configure ISAKMP Site Profile Reference
Command
Purpose
Step 1
set isakmp-profile profile-name
Set the ISAKMP profile name reference.
Step 2
match identity address address [mask] [fvrf]
Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.
Task 19: Configure Dynamic Crypto Map for Clients
Command
Purpose
crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
Reference a dynamic crypto map template (created with crypto dynamic-map) from the crypto map set, so that clients whose addresses are not known in advance can negotiate IPSec SAs. Give this entry the highest seq-num in the set so that the static site entries are matched first.
Task 20: Configure Crypto Map to HQ
Command
Purpose
Step 1
crypto map map-name seq-num ipsec-isakmp
Create a crypto map entry that uses IKE to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.
Step 2
set peer {hostname | ip-address}
Specify an IP Security peer in a crypto map entry.
Step 3
set transform-set transform-set-name
Specify which transform sets can be used with the crypto map entry.
Task 21: Configure ISAKMP Site Profile Reference
Command
Purpose
Step 1
set isakmp-profile profile-name
Set the ISAKMP profile name reference.
Step 2
match identity address address [mask] [fvrf]
Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.
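Continuing the same constructed example (added here; not the guide's own configuration), this is the data-plane side of Tasks 13 through 21 for VRF cust1: the transform set, the dynamic template for clients with RRI, the static entries for the two sites, and the separate crypto map towards the HQ headend. The crypto ACLs (match address) and the HQ keyring and ISAKMP profile are assumptions; the tables above do not show them, but a static crypto map entry selects no traffic at all without a match address.

```cisco
! Task 13: transform set for the data plane, ESP with AES-256 and SHA-1 HMAC. Tunnel mode
! is the default and is what this model needs, since the inside addresses are private.
crypto ipsec transform-set cust1-ts esp-aes 256 esp-sha-hmac
!
! Crypto ACLs ("match address"). The addresses are the customer's private (VRF) addresses:
! sites 10.1.1.0/24 and 10.1.2.0/24, client pool 10.1.100.0/24, HQ 10.10.0.0/16.
ip access-list extended CUST1-TO-SITE1
 permit ip 10.10.0.0 0.0.255.255 10.1.1.0 0.0.0.255
ip access-list extended CUST1-TO-SITE2
 permit ip 10.10.0.0 0.0.255.255 10.1.2.0 0.0.0.255
ip access-list extended CUST1-TO-HQ
 permit ip 10.1.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
! Dynamic template for clients (Task 19, with the RRI step of Task 13). Client addresses
! are unknown in advance, so there is no set peer and no match address; reverse-route
! injects each client's Mode-Config address into VRF cust1 when its SA comes up.
crypto dynamic-map cust1-clients-dyn 10
 set transform-set cust1-ts
 set isakmp-profile cust1-clients
 reverse-route
!
! Tasks 17-18: one static entry per site, each bound to the site profile.
crypto map cust1-inet 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set cust1-ts
 set isakmp-profile cust1-sites
 match address CUST1-TO-SITE1
crypto map cust1-inet 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set cust1-ts
 set isakmp-profile cust1-sites
 match address CUST1-TO-SITE2
!
! Task 19: the dynamic entry takes the highest seq-num so known sites are matched first.
crypto map cust1-inet 1000 ipsec-isakmp dynamic cust1-clients-dyn
!
! Tasks 20-21: a second crypto map, applied on the HQ-facing interface. Its keyring and
! profile follow the same pattern as the site profile.
crypto keyring cust1-hq
 pre-shared-key address 203.0.113.1 255.255.255.255 key HQ-L0ng-Rand0m-Key
crypto isakmp profile cust1-hq
 vrf cust1
 keyring cust1-hq
 match identity address 203.0.113.1 255.255.255.255
crypto map cust1-hq 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set cust1-ts
 set isakmp-profile cust1-hq
 match address CUST1-TO-HQ
```

Each crypto ACL must be the mirror image of the one configured on the peer, otherwise Phase 2 fails with a proxy identity mismatch. Because several customers may reuse the same private ranges, what keeps their traffic apart is the vrf statement in the ISAKMP profile, not the ACLs.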
Task 22: Connect Internet-Facing Interface and Corresponding Crypto Maps
Command
Purpose
Step 1
interface type number
Enter configuration mode for the Internet-facing physical interface or 802.1Q subinterface (a loopback cannot carry the dot1q encapsulation in Step 3).
Step 2
ip address ip-address mask
Set an IP address for an interface.
Step 3
encapsulation dot1q vlan-id [native]
Enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in a virtual LAN (VLAN).
Step 4
crypto map map-name
Apply a previously defined crypto map set to an interface.
Note Each interface serves one VPN, as the IPSec tunnel endpoint for both its sites and its clients.
Task 23: Apply Crypto Map towards HQ
Command
Purpose
Step 1
interface type number
Enter configuration mode for the HQ-facing physical interface or 802.1Q subinterface (a loopback cannot carry the dot1q encapsulation in Step 2).
Step 2
encapsulation dot1q vlan-id [native]
Enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in a virtual LAN (VLAN).
Step 3
ip address ip-address mask
Set an IP address for an interface.
Step 4
crypto map map-name
Apply a previously defined crypto map set to an interface.
Task 24: Configure the Interior Gateway Protocol (IGP) Used in the Core
Command
Purpose
Step 1
router ospf process-id
Configure an OSPF routing process.
Step 2
log-adjacency-changes
Generate a log message whenever an OSPF neighbor adjacency changes state.
Step 3
network ip-address wildcard-mask area area-id
Define the interfaces on which OSPF runs and the area ID for those interfaces.
Task 25: Configure the Pools to Distribute IP Addresses to VPN Clients
Command
Purpose
Step 1
ip local pool {default | pool-name low-ip-address [high-ip-address]}
Configure a local pool of IP addresses; in this model the pool is named in the client group (Task 7) and its addresses are handed to VPN clients through Mode-Config.
Step 2
ip classless
Configure the router to send any packets it receives that are destined for a subnet of a network that has no network default route to the best supernet route possible.
Task 26: Configure Global Default Route
Command
Purpose
ip route network-number network-mask {ip-address | interface-name} [distance] [name name]
Establish a static route; here, the global default route (network 0.0.0.0, mask 0.0.0.0) whose next hop is the Internet-facing neighbor, so that IKE and ESP packets to the public addresses of the sites and clients can leave the router.
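To finish the constructed example (added here; not from the guide), Tasks 22 through 26: the two crypto maps are attached to 802.1Q subinterfaces, the core IGP runs only on the core-facing interfaces, and the Mode-Config pool and the global default route are added. Interface names, VLAN IDs and the 192.0.2.0/24, 203.0.113.0/30 and 10.255.0.0/16 addresses are assumptions.

```cisco
! Task 22: Internet-facing 802.1Q subinterface. It carries the crypto map for the sites
! and clients of cust1 only (one VPN per interface).
interface FastEthernet0/0.101
 encapsulation dot1q 101
 ip address 192.0.2.1 255.255.255.0
 crypto map cust1-inet
!
! Task 23: subinterface towards the enterprise HQ headend, with the HQ crypto map.
interface FastEthernet0/1.201
 encapsulation dot1q 201
 ip address 203.0.113.2 255.255.255.252
 crypto map cust1-hq
!
! Task 24: IGP for the core, on the core-facing link and the router-ID loopback only.
! The Internet-facing subinterface is deliberately not covered by any network statement.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
interface FastEthernet1/0
 ip address 10.255.0.1 255.255.255.252
router ospf 1
 log-adjacency-changes
 network 10.255.0.0 0.0.0.3 area 0
 network 10.255.255.1 0.0.0.0 area 0
!
! Task 25: pool named in the client group (Task 7), handed out by Mode-Config.
ip local pool cust1-pool 10.1.100.1 10.1.100.254
ip classless
!
! Task 26: global default route towards the Internet next hop.
ip route 0.0.0.0 0.0.0.0 192.0.2.254
```

To verify, use show crypto isakmp sa (each peer should reach state QM_IDLE), show crypto ipsec sa (the encaps and decaps counters should increase as traffic flows), and show ip route vrf cust1 (one host route per connected client, injected by reverse-route).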