We will implement FlexVPN (IKEv2-based IPsec VPN) on the topology shown above. The goal is LAN-to-LAN reachability, i.e. from 220.127.116.11 to 18.104.22.168 and vice versa.
Currently we have configured simple connectivity, in which R1 and R2 are reachable from each other via the internet cloud.
The basic requirement of any VPN is reachability between the source and destination endpoints of the tunnel.
We have a basic configuration on R1 and R2 where we are running OSPF, and reachability to the far endpoint is provided by the ISP.
The very first requirement of any VPN is reachability between the tunnel endpoints, so let's ping them. Here we will create the tunnel between 22.214.171.124 on R1 and 126.96.36.199 on R2.
Let's ping 188.8.131.52 from 184.108.40.206, which are the LAN networks configured on R2 and R1 respectively. The LAN network is not reachable.
The LAN network should become reachable once we create the site-to-site VPN between R1 and R2.
Let's proceed with the FlexVPN/IPsec VPN using IKEv2.
There are 6 components for creating an IPsec VPN using IKEv2:
- IKEv2 Proposal
- IKEv2 Policy
- IKEv2 Keyring
- IKEv2 Profile
- IPsec transform set
- IPsec profile
Let's create them one by one.
In the proposal, define the type of encryption and hashing that you want to use at both ends.
Let's create a proposal with the name pro.
We need to create a policy with the name pol and call the IKEv2 profile under this policy.
Define the keys used for authentication at both ends. Here we have used a pre-shared key for local and remote authentication; RSA certificates can be used for authentication instead. We have created a keyring with the name key.
The IKEv2 profile consists of identity, authentication and keyring. Use any FQDN as the local identity, and match the remote identity that is configured as the local identity on R2.
Now create a transform set to define how your actual data should travel inside the VPN.
Create an IPsec profile, or SVTI, to finally group everything together and apply it on the tunnel interface.
Call the IKEv2 profile and transform set under the IPsec profile.
Apply the IPsec profile on the R1 Tunnel0 interface and change the tunnel mode to ipsec ipv4.
Let's point a static route towards the R2 LAN network 220.127.116.11 with Tunnel0 as the exit interface.
Apply the same configuration on R2.
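As an added example (not the post's own configuration), here is the R1 side of the six components above on Cisco IOS, using the names the post gives (pro, pol, key); the algorithms, the other object names, the tunnel IP, the FQDNs and the <placeholder> addresses are assumptions, and R2 mirrors it with identities, keys and addresses swapped.

```cisco
! Added example (not the post's config): R1 side, names pro/pol/key from the post.
! Algorithms, other names, FQDNs and <placeholder> addresses are assumptions.
! 1. IKEv2 proposal: encryption, integrity and DH group for the IKE SA
crypto ikev2 proposal pro
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! 2. IKEv2 policy: selects the proposal above
crypto ikev2 policy pol
 proposal pro
!
! 3. IKEv2 keyring: pre-shared keys for the peer (use long, distinct keys)
crypto ikev2 keyring key
 peer R2
  address <R2-TUNNEL-ENDPOINT-IP>
  pre-shared-key local <R1-PSK>
  pre-shared-key remote <R2-PSK>
!
! 4. IKEv2 profile: identity, authentication method and keyring
crypto ikev2 profile ikev2-prof
 match identity remote fqdn R2.lab.local
 identity local fqdn R1.lab.local
 authentication local pre-share
 authentication remote pre-share
 keyring local key
!
! 5. IPsec transform set: how the data traffic is protected (ESP, AES-256, SHA-256)
crypto ipsec transform-set ts esp-aes 256 esp-sha256-hmac
!
! 6. IPsec profile: groups the transform set and the IKEv2 profile
crypto ipsec profile ipsec-prof
 set transform-set ts
 set ikev2-profile ikev2-prof
!
! Tunnel interface (SVTI) with IPsec mode and the profile applied
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source <R1-WAN-INTERFACE>
 tunnel destination <R2-TUNNEL-ENDPOINT-IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-prof
!
! Static route for the R2 LAN pointing at the tunnel
ip route <R2-LAN-NETWORK> <R2-LAN-MASK> Tunnel0
```

Once both sides are configured, `show crypto ikev2 sa`, `show crypto ipsec sa` and `show interface Tunnel0` confirm the IKE and IPsec SAs and the tunnel state before testing LAN-to-LAN pings.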
Let's check the tunnel status and the crypto SAs.
Let's check the number of encrypted/decrypted packets on R1.
Now let's check the ping from R1 to R2 for 18.104.22.168 using 22.214.171.124 as source.
Great!! We can ping the LAN IP; let's check the packet encapsulation.