How to Configure Site-To-Site IKEv2 IPsec VPN
Not all Virtual Private Networks (VPNs) are created equal.
secure tunnel.
In the corporate world, whether it's a site-to-site VPN or a more complex DMVPN, a secure VPN is a sine qua non.

In the VPN universe, IKEv1 is slowly making way to the more secure IKEv2.
In this post, we'll configure a site-to-site IKEv2 VPN and run a bunch of show commands.
This post is not meant for someone completely new to networking. I'm assuming readers will have at least CCNA-level knowledge of IP addressing, subnets, routing, network security and VPNs.
IKEv2 Configuration
The IP addresses of the three routers and end-devices have already been configured.
1. IKEv2 Proposal
2. IKEv2 Policy
3. IKEv2 Keyring
4. IKEv2 Profile
5. IPsec Transform Set
6. IPsec Profile
7. Tunnel Interface
8. Routing
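As an added example (not the post's own configuration), the following R1-side IOS configuration implements the eight items above using the values visible in the show output: profile September-PROFILE, tunnel source 40.1.1.1, peer 40.1.2.2, Tunnel0 10.1.1.1, and the esp-256-aes/esp-sha256-hmac transform. The IKEv2 proposal algorithms, the keyring and transform-set names, the PSK placeholder, the /24 masks and the static route are assumptions; R2 mirrors this with the addresses swapped.

```cisco
! Added example: R1-side IKEv2/IPsec VTI configuration, not the post's own config.
! Algorithms in the proposal, object names, masks, the PSK and the static route are assumptions.
!
! 1. IKEv2 proposal: algorithms offered during IKE_SA_INIT (assumed choices)
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! 2. IKEv2 policy: binds the proposal so it is actually negotiated
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL
!
! 3. IKEv2 keyring: pre-shared key scoped to the single peer address
crypto ikev2 keyring IKEV2-KEYRING
 peer R2
  address 40.1.2.2
  pre-shared-key <REPLACE-WITH-STRONG-PSK>
!
! 4. IKEv2 profile: who we are, which peer identity we accept, how both sides authenticate
crypto ikev2 profile September-PROFILE
 match identity remote address 40.1.2.2 255.255.255.255
 identity local address 40.1.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
!
! 5. IPsec transform set: matches "esp-256-aes esp-sha256-hmac" in the show output
crypto ipsec transform-set IPSEC-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! 6. IPsec profile: ties the transform set to the IKEv2 profile
crypto ipsec profile IPSEC-PROFILE
 set transform-set IPSEC-TS
 set ikev2-profile September-PROFILE
!
! 7. Tunnel interface (VTI): "tunnel mode ipsec ipv4" is why the flow shows 0.0.0.0/0 <-> 0.0.0.0/0
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 tunnel source GigabitEthernet1
 tunnel destination 40.1.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
!
! 8. Routing: steer the remote LAN into the overlay (static route and /24 assumed)
ip route 192.168.2.0 255.255.255.0 Tunnel0
```

Once both sides are configured, show crypto session should report UP-ACTIVE against the profile, as in the output further down.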
=========================
R1 Configuration
Checking Interfaces on R1
R1#sh ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       40.1.1.1        YES manual up                    up
GigabitEthernet2       192.168.1.1     YES manual up                    up
GigabitEthernet3       unassigned      YES unset  administratively down down
GigabitEthernet4       unassigned      YES unset  administratively down down
Tunnel0                10.1.1.1        YES manual up                    up
Verifying Routing on R1
The show ip route command shows that the 192.168.2.0 network is being reached via the overlay network (see below).
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 40.1.1.1

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA5DADA1A(2782583322)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: CSR:3, sibling_flags FFFFFFFF80000048, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4607999/3596)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
================================
R1#show crypto session
Crypto session current status

Interface: Tunnel0
Profile: September-PROFILE
Session status: UP-ACTIVE
Peer: 40.1.2.2 port 500
  Session ID: 2
  IKEv2 SA: local 40.1.1.1/500 remote 40.1.2.2/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
================================
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 40.1.2.2

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x533E0924(1396574500)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80000048, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4607994/3244)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
================================
R2#show crypto session
Crypto session current status

Interface: Tunnel0
Profile: September-PROFILE
Session status: UP-ACTIVE
Peer: 40.1.1.1 port 500
  Session ID: 1
  IKEv2 SA: local 40.1.2.2/500 remote 40.1.1.1/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map