Topology
To implement Flex VPN or IPSEC VPN the topology shown above. The motive is to make the reachability between LAN to LAN network i.e from 20.20.20.0 to 30.30.30.0 & vice versa.
Currently we have configure simple connectivity in which R1 and R2 is reachable to each other via internet cloud.
The basic requirement of any VPN is the rechability between source and destination end point of tunnel.
Current configuration
We have basic configuration on R1 and R2 where we running ospf and the rechbility till end point is provided by the ISP.
The very first requirement of any VPN is the reachability between tunnel end points.So let’s ping the tunnel endpoints.Here we will create tunnel between 1.1.1.1 on R1 and 2.2.2.2 on R2 respectively.
Lets ping 30.30.30.1 from 20.20.20.1 which is LAN network configured on R2 and R1 respectively.LAN network is not reachable.
LAN network should be reachable once we created the site to site VPN between R1/R2
Lets proceed for FLEX/IPSEC VPN using IKEv2.
There are 6 component for creating IPSEC VPN using IKEv2.
- IKEv2 Proposal
- IKEv2 Policy
- IKEv2 Keyring
- IKEv2 Profile
- Ipsec transform Set
- IPsec Profile
Lets create it one by one
- IKEv2 Proposal
In proposal define the type of encryption , hashing that you want to set at both end.
Let’s create proposal with name pro.
- IKEv2 Policy
We need to create policy with name pol and call the IKEv2 profile under this policy.
- IKEv2 keying
Define the key for authentication for both end. Here we have used pre-shared key for local and remote authentication. We can even use rsa cert for authentication.We have created a keyring with name key.
- IKEv2 Profile
In IKEv2 Profile consists of identity ,authentication & keyring.Use local identity as any fqdn name and match remote identity which is configured as local identity on R2
- IPsec Transform set.
Now create transform set to define how your actual data should travel under VPN.
- IPsec Profile.
Create IPsec profile or SVTI to finally group all thing together and apply on the tunnel interface.
Call IKEv2 profile and transform set under IPsec profile.
Apply IPSec profile on R1 tunnel0 interface. Change the tunnel mode as ipsec ipv4
Lets point the static routes towards R2 lan network 30.30.30.0 with tunnel0 as exit point.
Apply the same configuration on R2.
Let’s check the tunnel status and crypto sa
Lets check crypto the number of encrypted/decrypted packet on R1
Now let’s check the ping from R1 to R2 for 30.30.30.1 using 20.20.20.1 as source.
Great!! We can ping the lan IP , let check the packet encapsulation.