=====Lab 18: eBGP with IKEv2 crypto as transit between r2 and r3=====
====Prerequisites====
- Complete [[:cisco:labs:ios-xe:lab16|Lab 16: eBGP with OSPF underlay]]\\
- Complete [[:cisco:labs:ios-xe:lab17|Lab 17: eBGP with OSPF underlay and IKEv2 between r2 and r3]]\\
====Task Instructions for r2 and r3:====
- Remove interface crypto map from interfaces.
- Configure Tunnel 0 using the IP of Loopback 0.
- Configure IKEv2 policy.
- Configure IKEv2 keyring.
- Configure IKEv2 profile.
- Configure ipsec transform-set in tunnel mode.
- Configure crypto ipsec-isakmp map.
- Configure the crypto map on the physical interface.
- Verify crypto ipsec sa (may need to ping neighbor first).
- Verify crypto IKEv2 sa.
- Verify crypto between r2 and r3 using Wireshark (optional).
{{:cisco:labs:ios-xe:lab_17_-_ebgp_with_ospf_underlay_and_ikev2_between_r2_and_r3.png?500|}}
====Answer Section====
===Task 1===
r2
<code>
r2(config)#int g 2
r2(config-if)#no crypto map
r2(config-if)#
*Oct 4 21:14:46.484: (ipsec_license_release) IPSEC License handle release failed (20)
r2(config-if)#do show r
*Oct 4 21:14:46.563: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
r2(config-if)#do show run int g 2
Building configuration...

Current configuration : 117 bytes
!
interface GigabitEthernet2
 ip address 23.1.1.2 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
end
</code>
r3
<code>
r3(config)#int g 2
r3(config-if)# no crypto map
r3(config-if)#
*Oct 4 21:15:07.044: (ipsec_license_release) IPSEC License handle release failed (20)
r3(config-if)#
*Oct 4 21:15:07.139: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
r3(config-if)#do show run int g 2
Building configuration...

Current configuration : 117 bytes
!
interface GigabitEthernet2
 ip address 23.1.1.3 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
end
</code>
----
===Task 2===
r2
<code>
crypto ikev2 proposal rook-proposal
 encryption aes-cbc-256
 integrity sha512
 group 14
</code>
r3
<code>
crypto ikev2 proposal rook-proposal
 encryption aes-cbc-256
 integrity sha512
 group 14
</code>
----
===Task 3===
r2
<code>
crypto ikev2 policy svpn-policy
 proposal rook-proposal
</code>
r3
<code>
crypto ikev2 policy svpn-policy
 proposal rook-proposal
</code>
----
===Task 4===
r2
<code>
crypto ikev2 keyring lion-key
 peer peer-remote
  address 23.1.1.3
  pre-shared-key cisco
</code>
r3
<code>
crypto ikev2 keyring lion-key
 peer peer-remote
  address 23.1.1.2
  pre-shared-key cisco
</code>
* The pre-shared key "cisco" is a lab value only; outside the lab, use a long random key that is unique to this peer pair.
----
===Task 5===
r2
<code>
crypto ikev2 profile side-profile
 match identity remote address 23.1.1.3 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local lion-key
</code>
r3
<code>
crypto ikev2 profile side-profile
 match identity remote address 23.1.1.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local lion-key
</code>
----
===Task 6===
r2
<code>
crypto ipsec transform-set tset esp-aes esp-sha512-hmac
 mode tunnel
</code>
r3
<code>
crypto ipsec transform-set tset esp-aes esp-sha512-hmac
 mode tunnel
</code>
* Note that esp-aes with no key size selects AES-128 for ESP, while the IKEv2 proposal in Task 2 uses aes-cbc-256; esp-aes 256 would bring the two in line.
----
===Task 7===
r2
<code>
crypto map svpn-map 10 ipsec-isakmp
 set peer 23.1.1.3
 set transform-set tset
 set pfs group14
 set ikev2-profile side-profile
 match address castle-acl
</code>
r3
<code>
crypto map svpn-map 10 ipsec-isakmp
 set peer 23.1.1.2
 set transform-set tset
 set pfs group14
 set ikev2-profile side-profile
 match address castle-acl
</code>
* The crypto ACL castle-acl is not defined on this page; it is assumed to be carried over from Lab 17. The local/remote ident lines in Task 9 (23.1.1.2/32 to 23.1.1.3/32) show that it selects traffic between the two GigabitEthernet2 addresses.
----
===Task 8===
r2
<code>
interface GigabitEthernet2
 crypto map svpn-map
</code>
r3
<code>
interface GigabitEthernet2
 crypto map svpn-map
</code>
----
===Task 9===
r2
<code>
r2#show crypto ipsec sa

interface: GigabitEthernet2
    Crypto map tag: svpn-map, local addr 23.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (23.1.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (23.1.1.3/255.255.255.255/0/0)
   current_peer 23.1.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 23.1.1.2, remote crypto endpt.: 23.1.1.3
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
     current outbound spi: 0xF48D2703(4102891267)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xCDBEBD9A(3451829658)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: CSR:6, sibling_flags FFFFFFFF80000048, crypto map: svpn-map
        sa timing: remaining key lifetime (k/sec): (4607999/3594)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF48D2703(4102891267)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: CSR:5, sibling_flags FFFFFFFF80000048, crypto map: svpn-map
        sa timing: remaining key lifetime (k/sec): (4607999/3594)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
</code>
r3
<code>
r3#show crypto ipsec sa

interface: GigabitEthernet2
    Crypto map tag: svpn-map, local addr 23.1.1.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (23.1.1.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (23.1.1.2/255.255.255.255/0/0)
   current_peer 23.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 23.1.1.3, remote crypto endpt.: 23.1.1.2
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
     current outbound spi: 0xCDBEBD9A(3451829658)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF48D2703(4102891267)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: CSR:5, sibling_flags FFFFFFFF80000048, crypto map: svpn-map
        sa timing: remaining key lifetime (k/sec): (4607999/3508)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCDBEBD9A(3451829658)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: CSR:6, sibling_flags FFFFFFFF80000048, crypto map: svpn-map
        sa timing: remaining key lifetime (k/sec): (4607999/3508)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
</code>
* Notice the inbound and outbound esp sas are populated.
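The check above is easy to do by eye for two routers; the following script, added here as an example and not part of the lab, automates it. It parses trimmed, constructed excerpts of the r2 and r3 output shown in this task and confirms that both ESP directions exist and are ACTIVE, that each router's outbound SPI is its peer's inbound SPI, and that traffic has actually been encapsulated.

```python
# Constructed excerpts (trimmed) of the r2 and r3 'show crypto ipsec sa' output from Task 9.
R2_SA = """#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
inbound esp sas:
spi: 0xCDBEBD9A(3451829658)
Status: ACTIVE(ACTIVE)
outbound esp sas:
spi: 0xF48D2703(4102891267)
Status: ACTIVE(ACTIVE)"""
R3_SA = """#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
inbound esp sas:
spi: 0xF48D2703(4102891267)
Status: ACTIVE(ACTIVE)
outbound esp sas:
spi: 0xCDBEBD9A(3451829658)
Status: ACTIVE(ACTIVE)"""

def parse_ipsec_sa(text):
    """Collect the encaps counter and the ESP SPI -> status map of each direction."""
    sa = {"encaps": 0, "inbound": {}, "outbound": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#pkts encaps:"):
            sa["encaps"] = int(line.split()[2].rstrip(","))
        if line.endswith(" sas:"):              # "inbound esp sas:", "outbound ah sas:", ...
            section = line.split()[0] if line.split()[1] == "esp" else None
        elif section and line.startswith("spi: "):
            sa[section][line.split()[1].split("(")[0]] = None   # status filled in below
        elif section and line.startswith("Status: ") and sa[section]:
            last_spi = list(sa[section])[-1]
            sa[section][last_spi] = line.split()[1].split("(")[0]
    return sa

def check_pair(local, remote):
    """Cross-check both ends; an empty list means the tunnel looks healthy."""
    problems = []
    for direction in ("inbound", "outbound"):
        if not local[direction]:
            problems.append(f"no {direction} ESP SA")
        for spi, status in local[direction].items():
            if status != "ACTIVE":
                problems.append(f"{direction} SA {spi} is {status}")
    # The SPI this router sends on must be the SPI its peer receives on.
    if set(local["outbound"]) != set(remote["inbound"]):
        problems.append("outbound SPIs do not match the peer's inbound SPIs")
    if local["encaps"] == 0:
        problems.append("no packets protected yet (ping the peer, then re-check)")
    return problems

if __name__ == "__main__":
    print(check_pair(parse_ipsec_sa(R2_SA), parse_ipsec_sa(R3_SA)) or "tunnel healthy")
```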
----
===Task 10===
r2
<code>
r2#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         23.1.1.2/500          23.1.1.3/500          none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/411 sec
</code>
r3
<code>
r3#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         23.1.1.3/500          23.1.1.2/500          none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/449 sec
</code>
----
===Task 11===
{{:cisco:labs:ios-xe:lab_17_-_ss1.png?500|}}
* In a later lab, all transit traffic will be encrypted through a tunnel interface.
----
=====Backlinks=====
[[:cisco|Cisco]]\\
[[:cisco:labs|Cisco Labs]]\\
[[:cisco:labs:ios-xe|Cisco-IOS-XE Labs]]\\