Lab 18: eBGP with IKEv2 crypto as transit between r2 and r3

Prerequisites

Task Instructions for r2 and r3:

  1. Remove the crypto map from the physical interface.
  2. Configure IKEv2 proposal.
  3. Configure IKEv2 policy.
  4. Configure IKEv2 keyring.
  5. Configure IKEv2 profile.
  6. Configure IPsec transform-set in tunnel mode.
  7. Configure crypto map (ipsec-isakmp).
  8. Apply the crypto map to the physical interface.
  9. Verify crypto IPsec SA (may need to ping the neighbor first).
  10. Verify crypto IKEv2 SA.
  11. Verify crypto between r2 and r3 using Wireshark (optional).

Answer Section

Task 1

r2

r2(config)#int g 2
r2(config-if)#no crypto map
r2(config-if)#
*Oct  4 21:14:46.484: (ipsec_license_release) IPSEC License handle release failed (20)
r2(config-if)#do show r
*Oct  4 21:14:46.563: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
r2(config-if)#do show run int g 2
Building configuration...

Current configuration : 117 bytes
!
interface GigabitEthernet2
 ip address 23.1.1.2 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
end

r3

r3(config)#int g 2
r3(config-if)#  no crypto map
r3(config-if)#
*Oct  4 21:15:07.044: (ipsec_license_release) IPSEC License handle release failed (20)
r3(config-if)#
*Oct  4 21:15:07.139: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
r3(config-if)#do show run int g 2
Building configuration...

Current configuration : 117 bytes
!
interface GigabitEthernet2
 ip address 23.1.1.3 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
end

Task 2

r2

crypto ikev2 proposal rook-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 14

r3

crypto ikev2 proposal rook-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 14

Task 3

r2

crypto ikev2 policy svpn-policy 
 proposal rook-proposal

r3

crypto ikev2 policy svpn-policy 
 proposal rook-proposal

Task 4

r2

crypto ikev2 keyring lion-key
 peer peer-remote
  address 23.1.1.3
  pre-shared-key cisco

r3

crypto ikev2 keyring lion-key
 peer peer-remote
  address 23.1.1.2
  pre-shared-key cisco

Task 5

r2

crypto ikev2 profile side-profile
 match identity remote address 23.1.1.3 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local lion-key

r3

crypto ikev2 profile side-profile
 match identity remote address 23.1.1.2 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local lion-key

Task 6

r2

crypto ipsec transform-set tset esp-aes esp-sha512-hmac 
 mode tunnel

r3

crypto ipsec transform-set tset esp-aes esp-sha512-hmac 
 mode tunnel

Task 7

r2

crypto map svpn-map 10 ipsec-isakmp 
 set peer 23.1.1.3
 set transform-set tset 
 set pfs group14
 set ikev2-profile side-profile
 match address castle-acl

r3

crypto map svpn-map 10 ipsec-isakmp 
 set peer 23.1.1.2
 set transform-set tset 
 set pfs group14
 set ikev2-profile side-profile
 match address castle-acl

* The crypto ACL castle-acl is referenced on both routers but its definition is not shown in this lab. The SA output in Task 9 (local/remote ident 23.1.1.2/32 and 23.1.1.3/32) shows that it matches host-to-host traffic between the two peers.

Task 8

r2

interface GigabitEthernet2
 crypto map svpn-map

r3

interface GigabitEthernet2
 crypto map svpn-map
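The configuration built in Tasks 2 through 8 is a chain of cross-references (policy to proposal, crypto map to transform-set, profile and ACL, profile to keyring, and the same peer address in three places) that IOS only validates when a negotiation actually happens. The following Python script is an added example, not the lab's or Cisco's code: it parses the r2 configuration from the tasks above (pasted into one string and trimmed to the lines it reads; castle-acl is absent because the lab never shows it) and reports inconsistencies and weak choices. The 16-character PSK threshold and the wording of the findings are the example's own.

```python
# Consistency audit for the r2 crypto-map configuration from Tasks 2-8.
# Added example (not the lab's or Cisco's code). R2_CONFIG is the page's r2
# snippets pasted into one string and trimmed to the lines the checks read.
import re

R2_CONFIG = """\
crypto ikev2 proposal rook-proposal
 encryption aes-cbc-256
 integrity sha512
crypto ikev2 policy svpn-policy
 proposal rook-proposal
crypto ikev2 keyring lion-key
 peer peer-remote
  address 23.1.1.3
  pre-shared-key cisco
crypto ikev2 profile side-profile
 match identity remote address 23.1.1.3 255.255.255.255
 keyring local lion-key
crypto ipsec transform-set tset esp-aes esp-sha512-hmac
crypto map svpn-map 10 ipsec-isakmp
 set peer 23.1.1.3
 set transform-set tset
 set pfs group14
 set ikev2-profile side-profile
 match address castle-acl
interface GigabitEthernet2
 crypto map svpn-map
"""

def parse_blocks(config):
    """Split IOS config into (header, [stripped child lines]) by indentation."""
    # A keyring's nested 'peer' sub-block is flattened into the keyring block,
    # which is fine for the single-peer keyring used in this lab.
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def find(blocks, pattern):
    """Yield (regex match, children) for every block header matching pattern."""
    for header, kids in blocks:
        if m := re.match(pattern, header):
            yield m, kids

def child(kids, prefix):
    """Argument of the first child line 'prefix <arg>', or None if absent."""
    for k in kids:
        if k.startswith(prefix + " "):
            return k[len(prefix) + 1:]
    return None

def esp_aes_bits(algos):
    """AES key size of an ESP transform list; bare 'esp-aes' is AES-128 on IOS."""
    m = re.search(r"esp-aes(?: (\d+))?", algos)
    return None if not m else int(m[1] or 128)

def audit(config):
    """Return a list of findings; an empty list means the config is consistent."""
    blocks, findings = parse_blocks(config), []
    proposals = {m[1]: k for m, k in find(blocks, r"crypto ikev2 proposal (\S+)")}
    policies = {m[1]: k for m, k in find(blocks, r"crypto ikev2 policy (\S+)")}
    keyrings = {m[1]: k for m, k in find(blocks, r"crypto ikev2 keyring (\S+)")}
    profiles = {m[1]: k for m, k in find(blocks, r"crypto ikev2 profile (\S+)")}
    tsets = {m[1]: m[2] for m, _ in find(blocks, r"crypto ipsec transform-set (\S+) (.+)")}
    acls = {m[1] for m, _ in find(blocks, r"ip access-list (?:extended |standard )?(\S+)")}
    applied = {child(k, "crypto map") for _, k in find(blocks, r"interface \S+")}
    # Strongest AES key size any IKEv2 proposal offers, to compare against ESP.
    ike_bits = [int(m[1]) for k in proposals.values()
                if (m := re.search(r"aes-(?:cbc|gcm)-(\d+)", child(k, "encryption") or ""))]
    for name, k in policies.items():
        if child(k, "proposal") not in proposals:
            findings.append(f"policy {name} references an unknown proposal")
    for m, k in find(blocks, r"crypto map (\S+) (\d+) ipsec-isakmp"):
        tag = f"crypto map {m[1]} {m[2]}"
        peer, tset, prof = (child(k, p) for p in ("set peer", "set transform-set", "set ikev2-profile"))
        if m[1] not in applied:
            findings.append(f"{tag} is not applied to any interface")
        if child(k, "match address") not in acls:
            findings.append(f"{tag} matches ACL {child(k, 'match address')}, which is not defined here")
        if child(k, "set pfs") is None:
            findings.append(f"{tag} has no PFS, so child SA rekeys skip the fresh DH exchange")
        if tset not in tsets:
            findings.append(f"{tag} references unknown transform-set {tset}")
        elif ike_bits and (bits := esp_aes_bits(tsets[tset])) and bits < max(ike_bits):
            findings.append(f"transform-set {tset} is AES-{bits} for ESP while IKEv2 negotiates "
                            f"AES-{max(ike_bits)}; use 'esp-aes {max(ike_bits)}'")
        if prof not in profiles:
            findings.append(f"{tag} references unknown ikev2 profile {prof}")
            continue
        ident = (child(profiles[prof], "match identity remote address") or "").split()[:1]
        if ident != [peer]:
            findings.append(f"profile {prof} matches identity {ident} but {tag} peers with {peer}")
        kr = child(profiles[prof], "keyring local")
        if kr not in keyrings:
            findings.append(f"profile {prof} references unknown keyring {kr}")
            continue
        if child(keyrings[kr], "address") != peer:
            findings.append(f"keyring {kr} has no entry for peer {peer}")
        psk = child(keyrings[kr], "pre-shared-key") or ""
        if len(psk) < 16:
            findings.append(f"keyring {kr}: pre-shared key is {len(psk)} characters; use a long random PSK")
    return findings
```

On the lab configuration `audit(R2_CONFIG)` returns three findings: castle-acl is not defined in the supplied text, the transform-set's bare esp-aes is AES-128 against the AES-256 IKEv2 proposal, and the five-character pre-shared key. Swap the addresses to audit r3; the same script will also catch a peer address that is changed in the crypto map but not in the profile's match identity or the keyring.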

Task 9

r2

r2#show crypto ipsec sa

interface: GigabitEthernet2
    Crypto map tag: svpn-map, local addr 23.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (23.1.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (23.1.1.3/255.255.255.255/0/0)
   current_peer 23.1.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 23.1.1.2, remote crypto endpt.: 23.1.1.3
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
     current outbound spi: 0xF48D2703(4102891267)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xCDBEBD9A(3451829658)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: CSR:6, sibling_flags FFFFFFFF80000048, crypto map: svpn-map
         sa timing: remaining key lifetime (k/sec): (4607999/3594)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF48D2703(4102891267)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: CSR:5, sibling_flags FFFFFFFF80000048, crypto map: svpn-map
         sa timing: remaining key lifetime (k/sec): (4607999/3594)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

r3

r3#show crypto ipsec sa

interface: GigabitEthernet2
    Crypto map tag: svpn-map, local addr 23.1.1.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (23.1.1.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (23.1.1.2/255.255.255.255/0/0)
   current_peer 23.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 23.1.1.3, remote crypto endpt.: 23.1.1.2
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
     current outbound spi: 0xCDBEBD9A(3451829658)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF48D2703(4102891267)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: CSR:5, sibling_flags FFFFFFFF80000048, crypto map: svpn-map
         sa timing: remaining key lifetime (k/sec): (4607999/3508)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCDBEBD9A(3451829658)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: CSR:6, sibling_flags FFFFFFFF80000048, crypto map: svpn-map
         sa timing: remaining key lifetime (k/sec): (4607999/3508)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

* Notice the inbound and outbound ESP SAs are populated on both routers and that the SPIs mirror each other: r2's outbound SPI 0xF48D2703 is r3's inbound SPI, and r3's outbound SPI 0xCDBEBD9A is r2's inbound SPI. Two details in this output deserve a second look. The transform is bare esp-aes, which on IOS is AES-128, so the data plane is weaker than the AES-256 negotiated for the IKEv2 SA; use esp-aes 256 in the transform-set if the intent is AES-256 end to end. And PFS reads N with DH group none although the crypto map sets pfs group14: with IKEv2 the first child SA is created inside IKE_AUTH without its own DH exchange, so the PFS group is only used for the CREATE_CHILD_SA rekey. Re-run the command after a rekey (or after clear crypto sa, which rebuilds the child SA under the existing IKE SA) to confirm it then shows PFS Y.


Task 10

r2

r2#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         23.1.1.2/500          23.1.1.3/500          none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/411 sec

r3

r3#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         23.1.1.3/500          23.1.1.2/500          none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/449 sec
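Reading the two routers' output side by side is the actual verification in Tasks 9 and 10: the IKEv2 SA must be READY with the algorithms the Task 2 proposal should yield, each side needs one ACTIVE ESP SA per direction with non-zero encaps/decaps counters, the crypto endpoints must mirror, and r2's outbound SPI must be r3's inbound SPI and vice versa. The Python below is an added example, not the lab's or Cisco's code; its sample strings are the page's show crypto ipsec sa and show crypto ikev2 sa output trimmed to the lines the parsers read, and the PFS warning text is the example's own.

```python
# Cross-check of the Task 9 and Task 10 verification output on r2 and r3.
# Added example (not the lab's or Cisco's code). The samples are the page's
# 'show crypto ipsec sa' / 'show crypto ikev2 sa' output trimmed to the lines
# the parsers read; EXPECTED_IKE is what the Task 2 proposal should negotiate.
import re

R2_IPSEC = """\
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
     local crypto endpt.: 23.1.1.2, remote crypto endpt.: 23.1.1.3
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xCDBEBD9A(3451829658)
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0xF48D2703(4102891267)
        Status: ACTIVE(ACTIVE)
"""
R3_IPSEC = """\
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
     local crypto endpt.: 23.1.1.3, remote crypto endpt.: 23.1.1.2
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xF48D2703(4102891267)
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0xCDBEBD9A(3451829658)
        Status: ACTIVE(ACTIVE)
"""
R2_IKE = """\
1         23.1.1.2/500          23.1.1.3/500          none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
"""
R3_IKE = R2_IKE.replace("23.1.1.2/500          23.1.1.3/500", "23.1.1.3/500          23.1.1.2/500")
EXPECTED_IKE = {"Encr": "AES-CBC", "keysize": "256", "PRF": "SHA512", "DH Grp": "14", "Auth sign": "PSK"}

def parse_ipsec_sa(text):
    """Pull endpoints, counters, PFS flag and ESP SAs out of 'show crypto ipsec sa'."""
    sa, direction = {"inbound": [], "outbound": []}, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)", s):
            sa["local"], sa["remote"] = m.groups()
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            sa[m[1]] = int(m[2])
        elif m := re.match(r"PFS \(Y/N\): (\w), DH group: (\S+)", s):
            sa["pfs"], sa["pfs_group"] = m[1] == "Y", m[2]
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s):
            direction = m[1] if m[2] == "esp" else None   # only ESP SAs matter here
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            sa[direction].append({"spi": int(m[1], 16)})
        elif direction and sa[direction] and (m := re.match(r"Status: (\w+)", s)):
            sa[direction][-1]["status"] = m[1]
    return sa

def parse_ikev2_sa(text):
    """Pull peers, state and negotiated algorithms out of 'show crypto ikev2 sa'."""
    ike = {}
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\w+)", s):
            ike["local"], ike["remote"], ike["status"] = m.groups()
        elif s.startswith("Encr:"):
            for field in s.split(", "):          # 'DH Grp:14' has no space after the colon
                k, _, v = field.partition(":")
                ike[k.strip()] = v.strip()
    return ike

def cross_check(peers, expected=EXPECTED_IKE):
    """peers = {name: (ipsec_sa, ikev2_sa)} for exactly two routers; empty errors = tunnel up."""
    errors, warnings = [], []
    for name, (sa, ike) in peers.items():
        if ike.get("status") != "READY":
            errors.append(f"{name}: IKEv2 SA is {ike.get('status')}, not READY")
        for key, want in expected.items():
            if ike.get(key) != want:
                errors.append(f"{name}: IKEv2 {key} is {ike.get(key)}, expected {want}")
        for d in ("inbound", "outbound"):
            active = [x for x in sa[d] if x.get("status") == "ACTIVE"]
            if len(active) != 1:
                errors.append(f"{name}: expected one ACTIVE {d} ESP SA, found {len(active)}")
        if not sa.get("encaps") or not sa.get("decaps"):
            errors.append(f"{name}: no packets encapsulated/decapsulated yet; ping the peer and re-check")
        if not sa.get("pfs"):
            warnings.append(f"{name}: PFS shows N; on IKEv2 the first child SA is created inside "
                            "IKE_AUTH, so the configured group only appears after a CREATE_CHILD_SA rekey")
    # Endpoints and SPIs must mirror: one side's outbound SPI is the other's inbound SPI.
    (na, (a, _)), (nb, (b, _)) = peers.items()
    if (a.get("local"), a.get("remote")) != (b.get("remote"), b.get("local")):
        errors.append("crypto endpoints do not mirror between the peers")
    for src, dst, sn, dn in ((a, b, na, nb), (b, a, nb, na)):
        out = {x["spi"] for x in src["outbound"]}
        inn = {x["spi"] for x in dst["inbound"]}
        if out != inn:
            errors.append(f"{sn} outbound SPI {[hex(s) for s in out]} != {dn} inbound SPI {[hex(s) for s in inn]}")
    return {"errors": errors, "warnings": warnings}

PEERS = {"r2": (parse_ipsec_sa(R2_IPSEC), parse_ikev2_sa(R2_IKE)),
         "r3": (parse_ipsec_sa(R3_IPSEC), parse_ikev2_sa(R3_IKE))}
```

`cross_check(PEERS)` on the lab output returns no errors and one PFS warning per router. Paste the full command output into the sample strings as-is; the parsers key on the lines IOS-XE prints and ignore the rest, and a mismatched SPI, a missing direction or an IKEv2 SA that is not READY each produce a specific error.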

Task 11
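The lab leaves the Wireshark step open. As an added example, not the lab's or Cisco's code, the Python below constructs a handful of packets with struct the way they would appear on the 23.1.1.0/24 link after Task 8 (IKE on UDP/500, then ESP in each direction carrying the SPIs from r2's Task 9 output) and applies the check you would do in Wireshark with a filter such as ip.addr==23.1.1.2 && ip.addr==23.1.1.3: between the two peers nothing but ESP with a known SPI and IKE may be visible, and any cleartext packet means the crypto map is not matching that traffic. All packet builders and sample bytes are constructed for this example; the ESP payload is filler, not real ciphertext.

```python
# What a Wireshark capture on the 23.1.1.0/24 link should look like once the
# crypto map is applied (Task 11). Added example, not the lab's or Cisco's
# code: packets are constructed with struct, and EXPECTED_SPIS are the SPIs
# 'show crypto ipsec sa' reported on r2 in Task 9.
import struct
from ipaddress import IPv4Address

PEERS = {"23.1.1.2", "23.1.1.3"}
EXPECTED_SPIS = {0xF48D2703, 0xCDBEBD9A}  # r2 outbound, r2 inbound

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left at zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def esp(spi, seq, ciphertext=b"\x00" * 64):
    """ESP header: SPI and sequence number are the only cleartext fields."""
    return struct.pack("!II", spi, seq) + ciphertext

def udp(sport, dport, body):
    """UDP header (checksum left at zero) plus body."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body

def classify(pkt):
    """Decode one IPv4 packet into the fields Wireshark's summary line would show."""
    body, proto = pkt[(pkt[0] & 0x0F) * 4:], pkt[9]
    info = {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20]))}
    if proto == 50 and len(body) >= 8:                       # ESP
        info["kind"] = "ESP"
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
    elif proto == 17 and len(body) >= 8:                     # UDP: IKE on 500, IKE/NAT-T on 4500
        sport, dport = struct.unpack("!HH", body[:4])
        info["kind"] = "IKE" if {sport, dport} & {500, 4500} else "plaintext"
        info["proto"] = 17
    else:
        info["kind"], info["proto"] = "plaintext", proto
    return info

def audit_capture(packets, expected_spis=EXPECTED_SPIS, peers=PEERS):
    """Between the two peers only ESP with a known SPI and IKE may appear."""
    problems, seen = [], set()
    for i, pkt in enumerate(packets):
        info = classify(pkt)
        if {info["src"], info["dst"]} != peers:
            continue                                         # other traffic on the link is out of scope
        if info["kind"] == "ESP":
            seen.add(info["spi"])
            if info["spi"] not in expected_spis:
                problems.append(f"packet {i}: ESP with SPI 0x{info['spi']:08X} not in the SA table")
        elif info["kind"] != "IKE":
            problems.append(f"packet {i}: plaintext proto {info['proto']} {info['src']} -> {info['dst']}")
    return {"problems": problems, "spis": seen, "missing": expected_spis - seen}

# Constructed capture: IKE exchange, then one ESP packet each way. LEAK is a
# cleartext ICMP echo, the kind of packet seen with the crypto map removed (Task 1).
CAPTURE = [
    ipv4("23.1.1.2", "23.1.1.3", 17, udp(500, 500, b"\x00" * 28)),   # IKE_SA_INIT request
    ipv4("23.1.1.3", "23.1.1.2", 17, udp(500, 500, b"\x00" * 28)),   # IKE_SA_INIT response
    ipv4("23.1.1.2", "23.1.1.3", 50, esp(0xF48D2703, 1)),
    ipv4("23.1.1.3", "23.1.1.2", 50, esp(0xCDBEBD9A, 1)),
]
LEAK = ipv4("23.1.1.2", "23.1.1.3", 1, b"\x08\x00" + b"\x00" * 6)
```

`audit_capture(CAPTURE)` reports no problems and both expected SPIs seen; adding LEAK produces one plaintext finding, and an ESP packet with an SPI that is not in the SA table is flagged too, which is the fastest way to spot a stale capture taken before the last rekey.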
