Introduction and Overview
In unencrypted DMVPN packets, the original packet has the GRE flags added to it, and then the new GRE IP header is added for routing the packet through the transport (underlay) network. The GRE IP header adds an extra 20 bytes of overhead, and the GRE flags add an extra 4 bytes. These packets are carried as IP protocol 47 (GRE). By default, GRE has no built-in security features to protect the data transiting the tunnel; IPSec is used to provide encryption, data integrity and replay protection for GRE tunnels.
IPSec provides origin authentication, data confidentiality, data integrity, replay detection, periodic rekey and perfect forward secrecy. The IPSec security architecture is composed of the following:
- Security Protocols
- Security Associations
- Key Management
Security Protocols
Security protocols can be used individually or in combination. They include:
- Authentication Header (AH): AH provides data integrity, authentication and replay protection. AH uses IP protocol number 51.
- Encapsulating Security Payload (ESP): ESP provides data confidentiality, integrity, authentication and replay protection. ESP uses IP protocol number 50.
Key Management
Internet Key Exchange (IKE) negotiates the IPSec security associations (SAs). This process requires that the IPSec systems first authenticate themselves to each other and establish ISAKMP (IKE) shared keys. IPSec uses IKEv2 by default. IKEv2 introduced Extensible Authentication Protocol (EAP) support, reduced bandwidth consumption, network address translation (NAT) traversal and the ability to detect whether a tunnel is still alive.
Security Associations
A security association (SA) is a relationship between two or more entities that describes how the entities will use security services to communicate securely.
Security associations (SAs) contain the agreed-upon security parameters. The two main security associations that DMVPN uses to secure traffic are the IKE SA and the IPSec SA:
- IKE SA: used for control plane functions like IPSec key management and management of IPSec SAs.
- IPSec SA: used for data plane functions to secure data transmitted between two different sites. IPSec SAs are unidirectional and require at least two IPSec SAs (one for inbound traffic and another for outbound traffic) for a secure connection to a DMVPN peer.
IPSec DMVPN Tunnel Protection Modes
Traditional IPSec provides two modes of packet protection, tunnel and transport:
- Tunnel mode: the entire original packet is encrypted and a new set of IPSec headers is added. For encrypted DMVPN packets that use ESP tunnel mode, the original packets have the GRE flags added to them, and then the new GRE IP header is added for routing the packets in the transport (underlay) network. That portion of the packet is encrypted and a signature for the encrypted payload is added. Then a new IPSec IP header is added for routing the packets in the transport (underlay) network. The GRE IP header adds an extra 20 bytes of overhead, the GRE flags add an extra 4 bytes of overhead, the IPsec IP header adds an extra 20 bytes of overhead, and depending on the encryption mechanism, a varying number of additional bytes are added for the encrypted signature.
It is important to note that the use of IPsec tunnel mode for DMVPN networks does not add any perceived value and adds 20 bytes of overhead. It is recommended that transport mode be used for encrypted DMVPN tunnels. Additionally, the IP header added when tunnel mode is configured is redundant because of the already existing GRE IP header.
- Transport mode: In this mode, only the packet payload is encrypted. The GRE header is maintained. The packet is routed based on the original IP headers. For encrypted DMVPN packets that use ESP transport mode, the original packets have the generic routing encapsulation (GRE) flags added to them, and then that portion of the packets is encrypted. A signature for the encrypted payload is added, and then the GRE IP header is added for routing the packets on the transport (underlay) network. The GRE IP header adds an extra 20 bytes of overhead, the GRE flags add an extra 4 bytes of overhead, and depending on the encryption mechanism, a varying number of additional bytes are added for the encrypted signature.
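As an added illustration (not code from the original page), the following Python script adds up the per-packet overhead described above for ESP transport and tunnel mode over GRE and derives the largest inner packet that still fits a 1500-byte path MTU. The GRE and IPsec IP header sizes are the ones given in the text; the ESP field sizes (8-byte header, IV, cipher-block padding, 2-byte trailer, truncated ICV) are taken from the ESP RFCs, and for esp-aes esp-sha512-hmac the result reproduces the "plaintext mtu 1442" that show crypto ipsec sa reports later on this page.

```python
"""Per-packet overhead of ESP-protected GRE (DMVPN) in transport vs tunnel mode.

Added example, not from the original page. The GRE IP header (20), GRE flags (4)
and the extra IPsec IP header in tunnel mode (20) are the sizes the text gives;
the ESP field sizes come from RFC 4303 (header/trailer), RFC 3602 (AES-CBC IV
and block size) and RFC 4868 (truncated HMAC-SHA2 ICV lengths).
"""
GRE_IP_HEADER = 20     # outer IP header that carries the GRE packet
GRE_FLAGS = 4          # GRE header without a tunnel key
IPSEC_IP_HEADER = 20   # only present in ESP tunnel mode
ESP_HEADER = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)

# cipher -> (IV bytes, block size the encrypted part is padded to)
CIPHERS = {"esp-aes": (16, 16), "esp-3des": (8, 8), "esp-des": (8, 8), "esp-null": (0, 4)}
# authenticator -> ICV bytes (HMAC-SHA-256/384/512 are truncated to half their output)
AUTHS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, "esp-sha256-hmac": 16,
         "esp-sha384-hmac": 24, "esp-sha512-hmac": 32}


def min_esp_overhead(cipher, auth):
    """Bytes ESP adds when no padding is needed (header + IV + trailer + ICV)."""
    iv, _ = CIPHERS[cipher]
    return ESP_HEADER + iv + ESP_TRAILER + AUTHS[auth]


def plaintext_mtu(cipher, auth, path_mtu=1500):
    """Largest GRE/IP packet that ESP transport mode can carry within path_mtu.
    For esp-aes esp-sha512-hmac this is the 'plaintext mtu 1442' shown on the page."""
    return path_mtu - min_esp_overhead(cipher, auth)


def wire_size(inner_len, mode, cipher, auth):
    """On-the-wire size of an inner IP packet of inner_len bytes after GRE + ESP.

    transport: [GRE IP][ESP hdr][IV][GRE flags + inner + pad + trailer][ICV]
    tunnel:    [IPsec IP][ESP hdr][IV][GRE IP + GRE flags + inner + pad + trailer][ICV]
    """
    if mode not in ("transport", "tunnel"):
        raise ValueError(f"unknown mode {mode!r}")
    iv, block = CIPHERS[cipher]
    encrypted = GRE_FLAGS + inner_len
    if mode == "tunnel":
        encrypted += GRE_IP_HEADER       # the whole GRE packet sits inside ESP
    encrypted += ESP_TRAILER
    encrypted += (-encrypted) % block    # pad up to the cipher block size
    outer = IPSEC_IP_HEADER if mode == "tunnel" else GRE_IP_HEADER
    return outer + ESP_HEADER + iv + encrypted + AUTHS[auth]


def max_inner_len(mode, cipher, auth, path_mtu=1500):
    """Largest inner packet that leaves the router without being fragmented."""
    n = path_mtu
    while wire_size(n, mode, cipher, auth) > path_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    cipher, auth = "esp-aes", "esp-sha512-hmac"
    print("plaintext mtu:", plaintext_mtu(cipher, auth))
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s} max inner packet: {max_inner_len(mode, cipher, auth)}  "
              f"1400-byte packet on the wire: {wire_size(1400, mode, cipher, auth)}")
```

Because the encrypted part is padded to the cipher block size, the on-the-wire difference between the two modes for a given packet is a multiple of 16 bytes rather than exactly 20; the 20-byte difference shows up cleanly in the largest packet each mode can carry unfragmented (1418 vs 1398 bytes with AES).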
DMVPN Tunnel Protection using IPSec
Enabling IPsec protection on a DMVPN network requires that all devices enable IPsec protection. If some routers have IPsec enabled and others do not, devices will not be able to establish a connection on the tunnel interfaces with each other.
Key management and IPSec parameter negotiation are implemented using IKEv1 or IKEv2.
IKEv1
Originally, DMVPN tunnel protection was provided by IPSec with IKEv1. Enabling DMVPN tunnel protection using IPsec with static pre-shared keys involves creating the following:
- ISAKMP policy
- ISAKMP key and the addresses of the remote hosts
- IPSec transform set
- IPSec profile
The configuration of DMVPN tunnel protection using IPsec follows:
Step 1: Create the IKEv1 policy:
This is used for phase 1 negotiations (control-plane) in IPsec to generate the key information used in phase 2 for the actual data-plane.
Define an IKE policy
The IKE policy is configured using the command crypto isakmp policy <1-10000>, where 1-10000 is the priority of the protection suite.
HUB(config)#crypto isakmp policy 100
Configure the encryption method
The encryption method is usually one of the symmetric encryption algorithms aes, 3des or des: encryption <aes | 3des | des> <128-256>
- aes | 3des | des: the symmetric encryption algorithms supported by the platform.
- 128 - 256: the supported encryption key sizes. More modern platforms support larger key sizes.
HUB(config-isakmp)#encryption aes 256
Configure the authentication method
The authentication method can be either pre-shared keys or RSA signatures: authentication <pre-share | rsa-encr | rsa-sig>
In this configuration, we opt to use pre-shared keys for authentication.
HUB(config-isakmp)#authentication pre-share
Configure the Diffie-Hellman group
Define the Diffie-Hellman group using the command group <1|14|15|16|19|2|20|21|24|5>. The Diffie-Hellman groups include the following:
- Group 1 (768 bits)
- Group 2 (1024 bits)
- Group 5 (1536 bits)
- Group 14 (2048 bits)
- Group 15 (3072 bits)
- Group 16 (4096 bits)
- Group 19 (256-bit ECP)
- Group 20 (384-bit ECP)
- Group 21 (521-bit ECP)
- Group 24 (2048-bit, 256-bit subgroup)
HUB(config-isakmp)#group 16
If not specified, the default group is enabled.
Configure the hash function for data integrity
The hash algorithm provides a check for data integrity, i.e. a check to ensure that the data was not altered in transit. The main hashing functions in use are MD5 and the various versions of SHA, i.e. SHA, SHA256, SHA384 and SHA512. The command is hash <md5 | sha | sha256 | sha384 | sha512>.
HUB(config-isakmp)#hash sha512
Step 2: Configure the IKE key
The IKE key is defined using the command crypto isakmp key <password> address <ip_address>. Use of the address 0.0.0.0 0.0.0.0 is not recommended, as it allows a host with any IP address to connect. However, it may be helpful when many spokes connect to the hub and the administrative overhead of managing per-spoke keys is high. Otherwise, to add an additional level of security, a key should be defined for each spoke, with the spoke's IP address explicitly configured.
HUB(config)#crypto isakmp key simplesimple address 0.0.0.0
The recommended approach is to use public-key infrastructure (PKI); here a certificate is issued to the spokes. The hub can verify that certificate with the certificate authority when spokes attempt to register.
Step 3: Configure an IPSec transform set
In phase 2 of the IPsec setup, the data-plane traffic is processed by the encryption and hashing functions configured under the transform set.
Define the transform set and the ESP or AH settings
Define the ESP encryption and ESP authentication algorithms, or the AH authentication algorithm, for encryption or authentication.
Here one SA is created for inbound traffic and one for outbound traffic to a DMVPN peer using the global configuration command crypto ipsec transform-set <transform-set-tag> [<esp-encryption-function> <esp-authentication-function> | <ah-authentication>].
The AH options available include the following:
- ah-md5-hmac: AH-HMAC-MD5 transform
- ah-sha-hmac: AH-HMAC-SHA transform
- ah-sha256-hmac: AH-HMAC-SHA256 transform
- ah-sha384-hmac: AH-HMAC-SHA384 transform
- ah-sha512-hmac: AH-HMAC-SHA512 transform
- comp-lzs: IP Compression using the LZS compression algorithm
The ESP options include the following:
- esp-3des: ESP transform using 3DES(EDE) cipher (168 bits)
- esp-aes : ESP transform using AES cipher
- esp-des : ESP transform using DES cipher (56 bits)
- esp-gcm : ESP transform using GCM cipher
- esp-gmac: ESP transform using GMAC cipher
- esp-md5-hmac: ESP transform using HMAC-MD5 auth
- esp-null: ESP transform w/o cipher
- esp-seal: ESP transform using SEAL cipher (160 bits)
- esp-sha-hmac: ESP transform using HMAC-SHA auth
- esp-sha256-hmac: ESP transform using HMAC-SHA256 auth
- esp-sha384-hmac: ESP transform using HMAC-SHA384 auth
- esp-sha512-hmac: ESP transform using HMAC-SHA512 auth
If an encryption algorithm is configured, the key size should be defined.
HUB(config)#crypto ipsec transform-set DMVPN_IPSEC_TSET esp-aes esp-sha512-hmac
Define the tunnel mode: the mode can be transport or tunnel.
HUB(cfg-crypto-trans)#mode transport
Step 4: Create an IPSec profile
The IPsec profile is created and references the IPsec transform set previously defined.
HUB(config)#crypto ipsec profile DMVPN_IPSEC_PROFILE
HUB(ipsec-profile)#set transform-set DMVPN_IPSEC_TSET
HUB(ipsec-profile)#exit
Step 5: Associate the DMVPN tunnel interface with the IPSec profile
To protect the tunnel using IPsec, reference the configured IPsec profile under the tunnel configuration using the command tunnel protection ipsec profile <ipsec_profile_name>.
HUB(config)#interface tunnel 0
HUB(config-if)#tunnel protection ipsec profile DMVPN_IPSEC_PROFILE
The configurations in Steps 1 to 5 are common to both the hub and the spoke. This is an example of the templating that can be used with DMVPN. To configure a specific key for each spoke, enter the spoke's address; this IP address should be the one configured on the interface defined as the tunnel source on the spoke's DMVPN tunnel interface. The hub and spoke must share the same key.
IPsec with Frontdoor VRF
When a front-door VRF (FVRF) has been configured, protecting the tunnel using IPsec requires a slightly different configuration, particularly when defining the ISAKMP key. Following the IKEv1 configuration process above, IPsec for a front-door VRF tunnel can be configured using the following sequence:
Step 2: Configure the IKEv1 key
- The key is configured using the command crypto keyring <keyring-name> vrf <vrf-name>, where:
- keyring-name: the name of the keyring.
- vrf-name: the VRF under which the key will be used.
SPOKE4(config)#crypto keyring DMVPN_ISAKMP_KEYRING vrf FVRF
- Then define the key using the command pre-shared-key address <ip-address> <netmask> key <key>.
SPOKE4(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 key simplesimple
Step 3: Configure the IKEv1 Profile
- Create an IKEv1 profile: crypto isakmp profile <profile-name>
SPOKE4(config)#crypto isakmp profile DMVPN_ISAKMP_PROFILE
- Configure the VRF that the profile will be used under: vrf <VRF-name>
SPOKE4(conf-isa-prof)#vrf FVRF
- Reference the configured keyring: keyring <keyring-name>
SPOKE4(conf-isa-prof)#keyring DMVPN_ISAKMP_KEYRING
- Define the IP address and VRF that this profile will be checked against and applied to: match identity address <ip-address> <vrf>
SPOKE4(conf-isa-prof)#match identity address 0.0.0.0 FVRF
Step 4: Configure the IPsec Transform-set
The IPsec transform-set is configured as in step 3 above:
SPOKE4(config)#crypto ipsec transform-set DMVPN_IPSEC_TSET esp-aes esp-sha512-hmac
SPOKE4(cfg-crypto-trans)#mode transport
Step 5: Configure the IPsec Profile
- Define the IPsec profile:
crypto ipsec profile <profile-name>
SPOKE4(config)#crypto ipsec profile DMVPN_IPSEC_PROFILE
- Reference the configured IPsec transform-set:
set transform-set <transform-set-name>
SPOKE4(ipsec-profile)#set transform-set DMVPN_IPSEC_TSET
- Reference the ISAKMP/IKEv1 profile:
set isakmp-profile <isakmp-profile-name>
SPOKE4(ipsec-profile)#set isakmp-profile DMVPN_ISAKMP_PROFILE
Step 6: Reference the IPsec Profile under the tunnel
Tunnel protection using IPsec is configured under the tunnel interface:
SPOKE4(config)#interface tunnel 0
SPOKE4(config-if)#tunnel protection ipsec profile DMVPN_IPSEC_PROFILE
Verification of IKEv1 Configuration
The following commands can be used to verify tunnel protection using IPsec:
show dmvpn detail
show crypto isakmp sa
show crypto isakmp policy
show crypto isakmp peers
show crypto isakmp key
show crypto ipsec sa
show crypto ipsec profile
show dmvpn detail
SPOKE2#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/up, Addr. is 172.30.1.2, VRF ""
Tunnel Src./Dest. addr: 99.255.30.1/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_IPSEC_PROFILE"
Interface State Control: Disabled
nhrp event-publisher : Disabled
IPv4 NHS:
172.30.1.1 RE NBMA Address: 99.255.10.2 priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 4
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 99.255.10.2 172.30.1.1 UP 03:15:04 S 172.30.1.1/32
1 99.255.30.1 172.30.1.2 UP 00:48:01 DLX 172.30.1.2/32
1 99.255.60.6 172.30.1.7 UP 00:12:13 D 172.30.1.7/32
1 99.255.60.2 172.30.1.8 UP 00:48:01 D 172.30.1.8/32
Crypto Session Details:
--------------------------------------------------------------------------------
Interface: Tunnel0
Session: [0x680251DC]
IKEv1 SA: local 99.255.30.1/500 remote 99.255.10.2/500 Active
Capabilities:(none) connid:1001 lifetime:20:44:52
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 99.255.10.2
IPSEC FLOW: permit 47 host 99.255.30.1 host 99.255.10.2
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 2510 drop 0 life (KB/Sec) 4254210/2162
Outbound: #pkts enc'ed 2578 drop 0 life (KB/Sec) 4254210/2162
Outbound SPI : 0xB80CDF30, transform : esp-256-aes esp-sha512-hmac
Socket State: Open
Interface: Tunnel0
Session: [0x68024FEC]
IKEv1 SA: local 99.255.30.1/500 remote 99.255.60.6/500 Active
Capabilities:(none) connid:1004 lifetime:23:47:43
IKEv1 SA: local 99.255.30.1/500 remote 99.255.60.6/500 Active
Capabilities:(none) connid:1005 lifetime:23:47:43
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 99.255.60.6
IPSEC FLOW: permit 47 host 99.255.30.1 host 99.255.60.6
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 1 drop 0 life (KB/Sec) 4608000/2866
Outbound: #pkts enc'ed 1 drop 0 life (KB/Sec) 4608000/2866
Outbound SPI : 0x5D0DE203, transform : esp-256-aes esp-sha512-hmac
Socket State: Open
Interface: Tunnel0
Session: [0x680250E4]
IKEv1 SA: local 99.255.30.1/500 remote 99.255.60.2/500 Active
Capabilities:(none) connid:1002 lifetime:23:11:55
IKEv1 SA: local 99.255.30.1/500 remote 99.255.60.2/500 Active
Capabilities:(none) connid:1003 lifetime:23:11:55
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 99.255.60.2
IPSEC FLOW: permit 47 host 99.255.30.1 host 99.255.60.2
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 6 drop 0 life (KB/Sec) 4254542/718
Outbound: #pkts enc'ed 6 drop 0 life (KB/Sec) 4254542/718
Outbound SPI : 0xBB52CAA0, transform : esp-256-aes esp-sha512-hmac
Socket State: Open
Pending DMVPN Sessions:
SPOKE2#
show crypto isakmp sa
This command displays the security association information for the ISAKMP exchange.
SPOKE2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
99.255.10.2 99.255.30.1 QM_IDLE 1001 ACTIVE
99.255.30.1 99.255.60.2 QM_IDLE 1003 ACTIVE
99.255.30.1 99.255.60.6 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
SPOKE2#
Additional keywords to the above command display the following output:
SPOKE2#show crypto isakmp sa ?
active Shows HA-enabled ISAKMP SAs in the active state
count Show the number of ISAKMP Security Associations
detail Show ISAKMP SA Detail
nat Show ISAKMP SA NAT Detail
standby Shows HA-enabled ISAKMP SAs in the standby state
vrf Show ISAKMP SA as per VRF
SPOKE2#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 99.255.30.1 99.255.10.2 ACTIVE aes sha512 psk 16 23:21:51
Engine-id:Conn-id = SW:1
1003 99.255.30.1 99.255.60.2 ACTIVE aes sha512 psk 16 23:34:21
Engine-id:Conn-id = SW:3
1002 99.255.30.1 99.255.60.6 ACTIVE aes sha512 psk 16 23:33:22
Engine-id:Conn-id = SW:2
IPv6 Crypto ISAKMP SA
SPOKE2#
SPOKE2#show crypto isakmp sa count
Active ISAKMP SA's: 3
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 0
show crypto isakmp policy
SPOKE2#show crypto isakmp policy
Global IKE policy
Protection suite of priority 100
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard 2 (512 bit)
authentication method: Pre-Shared Key
Diffie-Hellman group: #16 (4096 bit)
lifetime: 86400 seconds, no volume limit
SPOKE2#
show crypto isakmp peers
SPOKE2#show crypto isakmp peers
Peer: 99.255.10.2 Port: 500 Local: 99.255.30.1
Phase1 id: 99.255.10.2
Peer: 99.255.20.2 Port: 500 Local: 99.255.30.1
Phase1 id: 99.255.20.2
Peer: 99.255.60.2 Port: 500 Local: 99.255.30.1
Phase1 id: 99.255.60.2
Peer: 99.255.60.6 Port: 500 Local: 99.255.30.1
Phase1 id: 99.255.60.6
SPOKE2#
show crypto isakmp key
SPOKE2#show crypto isakmp key
Keyring Hostname/Address Preshared Key
default 0.0.0.0 [0.0.0.0] simplesimple
SPOKE2#
show crypto ipsec sa
HUB#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.10.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.10.1.3/255.255.255.255/47/0)
current_peer 10.10.1.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.3
plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x566CA6C2(1449961154)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xE65C1095(3864793237)
transform: esp-aes esp-sha512-hmac ,
in use settings ={Transport, }
conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4266073/3469)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x566CA6C2(1449961154)
transform: esp-aes esp-sha512-hmac ,
in use settings ={Transport, }
conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4266074/3469)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.10.1.2/255.255.255.255/47/0)
current_peer 10.10.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.2
plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x11E881C1(300450241)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xC5D936AE(3319346862)
transform: esp-aes esp-sha512-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: SW:1, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4321569/3249)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x11E881C1(300450241)
transform: esp-aes esp-sha512-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: SW:2, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4321569/3249)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
HUB#
IKEv2
IKEv2 was developed to eliminate the weaknesses of IKEv1. Cryptographic functions consume CPU resources, so the CPU should be protected by limiting the number of packets that must be processed during IKE establishment. CPU utilization increases to maintain SA state, including the negotiation of a session; if CPU utilization is already high for any other reason, a session that has been started may not complete because of limited CPU resources.
IKEv2 advantages over IKEv1 include:
- Protection against DoS attacks
- Support for new encryption algorithms for phase 2 (Suite B).
With IKEv2, asymmetric authentication methods are possible, where one end uses pre-shared keys and the other PKI.
DMVPN tunnel protection using IPSec IKEv2 through the use of a static pre-shared key involves configuration of the following:
- IKEv2 keyring
- IKEv2 profile
- IPSec transform set
- IPSec profile
Step 1: Configure the IKEv2 Keyring
The IKEv2 keyring is a repository for configured pre-shared keys. In a keyring, it is possible to define which keys apply to which hosts. Identification of the password is based on the IP address of the remote router. The IKEv2 keyring is created with the following steps:
- Define the keyring instance: it is created with the global configuration command crypto ikev2 keyring <keyring-name>.
HUB(config)#crypto ikev2 keyring IKEv2_KEYRING
- Create a peer name: multiple peers can exist in a keyring. Each peer has a matching qualifier and can use a different password. The peer is created with the command peer <peer-name>.
HUB(config-ikev2-keyring)#peer ANY
- Identify the IP address for the peer: multiple peers can reside in a keyring. The IP address is identified so that the appropriate peer configuration is used based upon the remote device's IP address. The command address <network> <netmask> defines the IP address/range. Though not recommended for a production network, the value 0.0.0.0 0.0.0.0 may be used to match any peer. For IPv6, the address ::/0 matches any IPv6 address.
HUB(config-ikev2-keyring-peer)#address 0.0.0.0
- Define a pre-shared key: define the pre-shared key with pre-shared-key <password>.
HUB(config-ikev2-keyring-peer)#pre-shared-key cisco123
Step 2: IKEv2 Profile
An IKEv2 profile is a collection of non-negotiable security parameters used during IKE security association negotiation. The IKEv2 profile is later associated with the IPSec profile. Within the IKEv2 profile, the local and remote authentication methods must be defined, as well as a match statement.
- Define the IKEv2 profile: crypto ikev2 profile <profile_name>
HUB(config)#crypto ikev2 profile IKEv2_PROF
- Identify the IP address for the remote router: the IP address must be identified for the initial IKEv2 session to establish. The peer IP address is defined with the command match identity remote address <ip_address>. This can be 0.0.0.0 0.0.0.0 to match against any peer; for IPv6, it can be ::/0.
HUB(config-ikev2-profile)#match identity remote address 0.0.0.0
- (Optional) Configure the local router's identity: the local router's identity can be set based on an IP address with the command identity local address <ip-address>. A loopback address is recommended as it is always 'up'. Note that the IP address configured here should match the IP address used during certificate registration. This step is not needed with pre-shared key authentication but is very important in a public key infrastructure deployment.
- Identify the front-door VRF (FVRF) for the tunnel end: if a front-door VRF is used on the DMVPN tunnel, the FVRF must be associated with the IKEv2 profile with the command match fvrf <vrf_name | any>. The keyword any allows any configured FVRF to be selected.
- Define the local authentication method: the authentication method must be defined for connection requests that are received by remote peers. The command authentication local <pre-share | rsa-sig> defines the local authentication. Only one local authentication method can be selected. The pre-share keyword is for pre-shared static keys and rsa-sig is used for certificate-based authentication.
HUB(config-ikev2-profile)#authentication local pre-share
- Define the remote authentication method: the authentication method must be defined for connection requests that are sent to remote peers. The command authentication remote <pre-share | rsa-sig> defines the remote authentication. The pre-share keyword is used for pre-shared static keys and rsa-sig is used for certificate-based authentication.
HUB(config-ikev2-profile)#authentication remote pre-share
- Define the IKEv2 keyring (for pre-shared authentication): pre-shared authentication requires that the IKEv2 keyring be associated with the IKEv2 profile. The command keyring local <keyring-name> associates the IKEv2 keyring.
HUB(config-ikev2-profile)#keyring local IKEv2_KEYRING
HUB(config-ikev2-profile)#exit
Step 3: Configure the IPSec Transform Set
The transform set identifies the security protocols for encrypting traffic (ESP) or for authenticating the data (AH). The transform set is created with the following steps:
- Create the transform set and identify the transforms: only one transform set can be selected; its ESP encryption, ESP authentication or AH authentication transforms are given with the command crypto ipsec transform-set <transform_set_name> <esp-encryption esp-authentication | ah-authentication>
HUB(config)#crypto ipsec transform-set IPSEC_TSET esp-aes esp-sha512-hmac
- Specify the transform set mode: the transform set mode is configured with mode <transport | tunnel>. Tunnel mode is the default; however, it adds 20 bytes of additional IPSec header to the overall packet.
HUB(cfg-crypto-trans)#mode transport
Step 4: Configure the IPSec Profile
The IPSec profile combines the IPSec transform set and the IKEv2 profile. The IPSec profile is created with the following steps:
- Create the IPSec profile: use the command crypto ipsec profile <profile-name>
HUB(config)#crypto ipsec profile IPSEC_PROF
- Specify the transform set: the transform set is specified with the command set transform-set <transform-set-name>.
HUB(ipsec-profile)#set transform-set IPSEC_TSET
- Specify the IKEv2 profile: the IKEv2 profile is specified with the command set ikev2-profile <ikev2-profile-name>.
HUB(ipsec-profile)#set ikev2-profile IKEv2_PROF
HUB(ipsec-profile)#exit
Securing the DMVPN Tunnel
To secure the DMVPN tunnel, the IPSec profile should be associated with the DMVPN tunnel interface with the command tunnel protection ipsec profile <profile-name> [shared]. The shared keyword is required for routers that terminate multiple secured DMVPN tunnels on the same transport interface.
HUB(config)#interface tunnel 0
HUB(config-if)#tunnel protection ipsec profile IPSEC_PROF
The shared keyword shares the IPSec security association database (SADB) among multiple DMVPN tunnels. Because the SADB is shared, a unique tunnel key must be defined on each DMVPN tunnel interface to ensure that the encrypted/decrypted traffic aligns to the proper DMVPN tunnel.
Verification of IKEv2 Tunnels
show crypto ipsec profile
show dmvpn
HUB#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/up, Addr. is 192.168.1.1, VRF ""
Tunnel Src./Dest. addr: 10.10.1.1/Multipoint, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "IPSEC_PROF"
Interface State Control: Disabled
nhrp event-publisher : Disabled
Type:Hub, Total NBMA Peers (v4/v6): 2
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 10.10.1.2 192.168.1.2 UP 00:13:26 D 192.168.1.2/32
1 10.10.1.3 192.168.1.3 UP 00:02:57 D 192.168.1.3/32
Crypto Session Details:
--------------------------------------------------------------------------------
Interface: Tunnel0
Session: [0x1110A890]
Session ID: 2
IKEv2 SA: local 10.10.1.1/500 remote 10.10.1.2/500 Active
Capabilities:(none) connid:1 lifetime:23:46:29
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 10.10.1.2
IPSEC FLOW: permit 47 host 10.10.1.1 host 10.10.1.2
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 1020 drop 0 life (KB/Sec) 4173553/2789
Outbound: #pkts enc'ed 1020 drop 0 life (KB/Sec) 4173553/2789
Outbound SPI : 0xD07B32DF, transform : esp-aes esp-sha512-hmac
Socket State: Open
Interface: Tunnel0
Session: [0x1110A798]
Session ID: 3
IKEv2 SA: local 10.10.1.1/500 remote 10.10.1.3/500 Active
Capabilities:(none) connid:2 lifetime:23:56:23
Crypto Session Status: UP-ACTIVE
fvrf: (none), Phase1_id: 10.10.1.3
IPSEC FLOW: permit 47 host 10.10.1.1 host 10.10.1.3
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 1022 drop 0 life (KB/Sec) 4181658/3383
Outbound: #pkts enc'ed 1014 drop 0 life (KB/Sec) 4181659/3383
Outbound SPI : 0xB5895749, transform : esp-aes esp-sha512-hmac
Socket State: Open
Pending DMVPN Sessions:
HUB#
On the spoke
SPOKE1(config-if)#do show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable, I2 - Temporary
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel0 is up/down, Addr. is 192.168.1.2, VRF ""
Tunnel Src./Dest. addr: 10.10.1.2/10.10.1.1, Tunnel VRF ""
Protocol/Transport: "GRE/IP", Protect "IPSEC_PROF"
Interface State Control: Disabled
nhrp event-publisher : Disabled
IPv4 NHS:
192.168.1.1 E NBMA Address: 10.10.1.1 priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 10.10.1.1 192.168.1.1 INTF 00:04:17 S 192.168.1.1/32
Crypto Session Details:
--------------------------------------------------------------------------------
Interface: Tunnel0
Session: [0x10F9C2E8]
Session ID: 0
IKEv1 SA: local 10.10.1.2/500 remote 10.10.1.1/500 Inactive
Capabilities:(none) connid:0 lifetime:0
Crypto Session Status: DOWN-NEGOTIATING
fvrf: (none), IPSEC FLOW: permit 47 host 10.10.1.2 host 10.10.1.1
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Outbound SPI : 0x 0, transform :
Socket State: Closed
Pending DMVPN Sessions:
SPOKE1(config-if)#
show crypto ipsec sa detail
HUB#show crypto ipsec sa detail
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.10.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.10.1.3/255.255.255.255/47/0)
current_peer 10.10.1.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1016, #pkts encrypt: 1016, #pkts digest: 1016
#pkts decaps: 1024, #pkts decrypt: 1024, #pkts verify: 1024
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.3
plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xB5895749(3045676873)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x70EA8A16(1894418966)
transform: esp-aes esp-sha512-hmac ,
in use settings ={Transport, }
conn id: 7, flow_id: SW:7, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4181657/2972)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB5895749(3045676873)
transform: esp-aes esp-sha512-hmac ,
in use settings ={Transport, }
conn id: 8, flow_id: SW:8, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4181659/2972)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.10.1.2/255.255.255.255/47/0)
current_peer 10.10.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1022, #pkts encrypt: 1022, #pkts digest: 1022
#pkts decaps: 1022, #pkts decrypt: 1022, #pkts verify: 1022
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.2
plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xD07B32DF(3497734879)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x75C10060(1975582816)
transform: esp-aes esp-sha512-hmac ,
in use settings ={Transport, }
conn id: 5, flow_id: SW:5, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4173553/2378)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD07B32DF(3497734879)
transform: esp-aes esp-sha512-hmac ,
in use settings ={Transport, }
conn id: 6, flow_id: SW:6, sibling_flags 80000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4173552/2378)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
HUB#
show crypto ikev2 sa detailed
HUB#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 10.10.1.1/500 10.10.1.3/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/610 sec
CE id: 1004, Session-id: 2
Status Description: Negotiation done
Local spi: A0F8071EC395BD3C Remote spi: 97AE858B6CAA71A2
Local id: 10.10.1.1
Remote id: 10.10.1.3
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: disabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : No
Tunnel-id Local Remote fvrf/ivrf Status
1 10.10.1.1/500 10.10.1.2/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1204 sec
CE id: 1003, Session-id: 1
Status Description: Negotiation done
Local spi: B085F9ECBA72967E Remote spi: 69A6A65ED87EC303
Local id: 10.10.1.1
Remote id: 10.10.1.2
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: disabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : No
IPv6 Crypto IKEv2 SA
On the client
SPOKE2#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.10.1.3/500 10.10.1.1/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/78 sec
CE id: 1002, Session-id: 1
Status Description: Negotiation done
Local spi: 97AE858B6CAA71A2 Remote spi: A0F8071EC395BD3C
Local id: 10.10.1.3
Remote id: 10.10.1.1
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: disabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
IPv6 Crypto IKEv2 SA
show crypto ikev2 profile
HUB#show crypto ikev2 profile
IKEv2 profile: IKEv2_PROF
Ref Count: 6
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address 0.0.0.0
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: IKEv2_KEYRING
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
mode auto: none
AAA AnyConnect EAP authentication mlist: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
HUB#
show crypto ikev2 stats
SPOKE1#show crypto ikev2 stats
--------------------------------------------------------------------------------
Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit: 0 Max IKEv2 SAs: 0 Max in nego(in/out): 40/400
Total incoming IKEv2 SA Count: 0 active: 0 negotiating: 0
Total outgoing IKEv2 SA Count: 1 active: 1 negotiating: 0
Incoming IKEv2 Requests: 0 accepted: 0 rejected: 0
Outgoing IKEv2 Requests: 1 accepted: 1 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming Requests dropped as LOW Q limit reached : 0
Incoming IKEV2 Cookie Challenged Requests: 0
accepted: 0 rejected: 0 rejected no cookie: 0
Total Deleted sessions of Cert Revoked Peers: 0
SPOKE1#
show crypto ipsec profile
SPOKE1(config-if)#do show crypto ipsec profile
IPSEC profile IPSEC_PROF
IKEv2 Profile: IKEv2_PROF
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
IPSEC_TSET: { esp-aes esp-sha512-hmac } ,
}
IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
SPOKE1(config-if)#
show crypto ikev2 profile
SPOKE1#show crypto ikev2 profile
IKEv2 profile: IKEv2_PROF
Ref Count: 5
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address 0.0.0.0
Certificate maps: none
Local identity: none
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: IKEv2_KEYRING
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
mode auto: none
AAA AnyConnect EAP authentication mlist: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
SPOKE1#
show crypto ikev2 policy
SPOKE1#show crypto ikev2 policy
IKEv2 policy : default
Match fvrf : any
Match address local : any
Proposal : default
SPOKE1#
show crypto ikev2 session
SPOKE1#show crypto ikev2 session
IPv4 Crypto IKEv2 Session
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
1 10.10.1.2/500 10.10.1.1/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/132 sec
Child sa: local selector 10.10.1.2/0 - 10.10.1.2/65535
remote selector 10.10.1.1/0 - 10.10.1.1/65535
ESP spi in/out: 0xD07B32DF/0x75C10060
IPv6 Crypto IKEv2 Session
SPOKE1#
show crypto ikev2 session detail
SPOKE1#show crypto ikev2 session detail
IPv4 Crypto IKEv2 Session
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
1 10.10.1.2/500 10.10.1.1/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/137 sec
CE id: 1002, Session-id: 1
Status Description: Negotiation done
Local spi: 69A6A65ED87EC303 Remote spi: B085F9ECBA72967E
Local id: 10.10.1.2
Remote id: 10.10.1.1
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: disabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Child sa: local selector 10.10.1.2/0 - 10.10.1.2/65535
remote selector 10.10.1.1/0 - 10.10.1.1/65535
ESP spi in/out: 0xD07B32DF/0x75C10060
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 128, esp_hmac: SHA512
ah_hmac: None, comp: IPCOMP_NONE, mode transport
IPv6 Crypto IKEv2 Session
SPOKE1#
Protection and Optimisation of DMVPN Tunnel
Protection of IKEv2
The command crypto ikev2 limit max-in-negotiation-sa limit | max-sa limit outgoing limits the number of sessions being established or that are allowed to be established.
- Max-sa: limits the total count of SAs that a router can establish under normal conditions. The value should be set to double the number of ongoing sessions in order to cater for renegotiation.
- Max-in-negotiation-sa: limits the number of SAs being negotiated at any one time.
To protect IKE from half-open sessions, a cookie challenge can be used to validate that sessions are genuine IKEv2 sessions rather than a Denial of Service (DoS) attack. The command crypto ikev2 cookie-challenge <challenge-number> defines the threshold of half-open SAs at which the router starts issuing an IKEv2 cookie challenge.
Verification
show crypto ikev2 stats
IPSec Packet Replay Protection
The IPSec implementation includes an anti-replay mechanism that prevents intruders from duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. When a router decrypts the IPSec packets, it keeps track of the packets it has received. The IPSec anti-replay service rejects (discards) duplicate packets or old packets.
The router determines whether a packet is of acceptable age as follows: it maintains a sequence number window (default of 64 packets). The minimum acceptable sequence number is the highest sequence number received minus the window size. A packet is of acceptable age when its sequence number lies between the minimum sequence number and the highest sequence number.
At times, the default 64-packet window size is not adequate. The sequence number is assigned at encryption, and this happens before any Quality of Service (QoS) policies are processed. Packets can be delayed because of QoS priorities, resulting in out-of-order delivery: low-priority packets are queued, whereas high-priority packets are forwarded immediately. On the receiving router, the high-priority packets push the highest sequence number (and therefore the window) ahead, so when the delayed lower-priority packets finally arrive, their sequence numbers fall below the window minimum and they are discarded.
Increasing the anti-replay window size does not impact throughput or security. An additional 128 bytes per incoming IPSec SA are needed to store the sequence number on the decryptor. The window size is increased globally with the command crypto ipsec security-association replay window-size <size>. Cisco recommends using the largest window size possible for the hardware. Usually it is 1024.
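The reordering failure mode above, as an added example that is not part of the original post: a receiver-side sliding anti-replay window implemented from the description (lowest acceptable sequence number = highest received minus window size), driven by a constructed arrival order in which a burst of high-priority packets overtakes queued low-priority ones. With the default 64-packet window the delayed packets are discarded; with 1024 they are accepted.

```python
"""Sliding-window IPsec anti-replay check and a QoS reordering simulation.
Added example; the window semantics follow the text, the arrival order is
constructed for illustration and is not captured from a router."""


class AntiReplayWindow:
    """Receiver-side replay check for one inbound IPsec SA."""

    def __init__(self, window_size=64):
        self.window_size = window_size
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def accept(self, seq):
        """Return True if the packet with sequence number seq is accepted."""
        if seq > self.highest:
            # Newer than anything seen: slide the window forward and
            # forget entries that have fallen out of it.
            self.highest = seq
            lowest = self.highest - self.window_size
            self.seen = {s for s in self.seen if s > lowest}
            self.seen.add(seq)
            return True
        lowest = self.highest - self.window_size
        if seq <= lowest:
            return False      # too old: below the window minimum
        if seq in self.seen:
            return False      # duplicate inside the window: replay
        self.seen.add(seq)    # late but still inside the window
        return True


def simulate_qos_reordering(window_size, low_priority=20, burst=100):
    """Sequence numbers are assigned at encryption, before QoS queuing.
    Low-priority packets 1..low_priority wait in a queue while a burst of
    high-priority packets numbered after them is forwarded first.
    Returns how many of the delayed low-priority packets are dropped."""
    win = AntiReplayWindow(window_size)
    arrival_order = list(range(low_priority + 1, low_priority + burst + 1))
    arrival_order += list(range(1, low_priority + 1))   # the delayed ones
    dropped = 0
    for seq in arrival_order:
        if not win.accept(seq) and seq <= low_priority:
            dropped += 1
    return dropped


if __name__ == "__main__":
    print("window 64  :", simulate_qos_reordering(64), "dropped")
    print("window 1024:", simulate_qos_reordering(1024), "dropped")
```

The dropped packets correspond to the "#pkts replay failed (rcv)" counter in show crypto ipsec sa detail, which is the value to watch when QoS and IPsec are combined on the same interface.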
Dead Peer Detection (DPD)
When two routers establish an IPSec VPN tunnel between them, it is possible that connectivity between the two routers can be lost for some reason. In most scenarios, IKE and IPSec do not natively detect a loss of peer connectivity, which results in network traffic being black-holed until the SA lifetime expires.
The use of dead peer detection (DPD) helps detect the loss of connectivity to a remote IPSec peer.
Cisco supports two types of DPD: on-demand and periodic. When DPD is enabled in on-demand mode, the two routers check for connectivity only when traffic needs to be sent and the peer’s liveliness is questionable. In such scenarios, the router sends a DPD R-U-THERE request to query the status of the remote peer. If the remote peer does not respond, the requesting router starts to transmit additional R-U-THERE messages every retry interval for a maximum of five retries. If no response is received, that peer is declared dead.
DPD is supported by IKEv1 and IKEv2:
- IKEv2: DPD is configured with the global configuration command crypto ikev2 dpd <interval-time> <retry-time> [on-demand | periodic]. DPD is also configured using the IKEv2 profile mode command dpd <interval-time> <retry-time> [on-demand | periodic]. It is recommended that the interval time be set to twice the routing protocol hold time.
Because DPD consumes CPU, it is recommended that it be configured on the spokes and not on the hubs, since a hub may have to maintain state for hundreds of branch routers.
Network Address Translation (NAT) Keepalives
NAT keepalives are enabled to keep the dynamic NAT mapping alive during a connection between two peers. NAT keepalives are UDP packets that contain an unencrypted payload of 1 byte. When DPD is used to detect peer liveliness, NAT keepalives are sent if the IPSec entity has not transmitted or received a packet within a specified period of time. They are configured on spokes because the routing protocol messages (such as Hello and update messages) between the hub and spoke keep the NAT state active, whereas spoke-to-spoke tunnels do not maintain a routing neighborship, so their NAT state is not refreshed. NAT keepalives are enabled with the command crypto isakmp nat keepalive <seconds>.