Site to Site IPsec VPN

Topology

Summary:

To implement Flex VPN or IPSEC VPN the topology shown above. The motive is to make the reachability between LAN to LAN network i.e from 20.20.20.0 to 30.30.30.0 & vice versa.

Currently we have configure simple connectivity in which R1 and R2 is reachable to each other via internet cloud.

The basic requirement of any VPN is the rechability between source and destination end point of tunnel.

Current configuration

We have basic configuration on R1 and R2 where we running ospf and the rechbility till end point is provided by the ISP.

The very first requirement of any VPN is the reachability between tunnel end points.So let’s ping the tunnel endpoints.Here we will create tunnel between 1.1.1.1 on R1 and 2.2.2.2 on R2 respectively.

Lets ping 30.30.30.1 from 20.20.20.1 which is LAN network configured on R2 and R1 respectively.LAN network is not reachable.

LAN network should be reachable once we created the site to site VPN between R1/R2

Lets proceed for FLEX/IPSEC VPN using IKEv2.

There are 6 component for creating IPSEC VPN using IKEv2.

IKEv2 Proposal
IKEv2 Policy
IKEv2 Keyring
IKEv2 Profile
Ipsec transform Set
IPsec Profile

Lets create it one by one

IKEv2 Proposal

In proposal define the type of encryption , hashing that you want to set at both end.

Let’s create proposal with name pro.

IKEv2 Policy

We need to create policy with name pol and call the IKEv2 profile under this policy.

IKEv2 keying

Define the key for authentication for both end. Here we have used pre-shared key for local and remote authentication. We can even use rsa cert for authentication.We have created a keyring with name key.

IKEv2 Profile

In IKEv2 Profile consists of identity ,authentication & keyring.Use local identity as any fqdn name and match remote identity which is configured as local identity on R2