Pages

Showing posts with label network services. Show all posts
Showing posts with label network services. Show all posts

Thursday, 18 February 2021

SECURING DMVPN TUNNELS WITH IPSEC, IKEv1 or IKEv2

Introduction and Overview

In unencrypted DMVPN packets, the original packets have GRE flags added to them, and then the new GRE IP header is added for routing the packets through the transport (underlay) network. The GRE IP header adds an extra 20 bytes of overhead, and the GRE flags add an extra 4 bytes of overhead. These packets use the protocol field of GRE (47). By default, GRE has no in-built security features to secure the data transiting the tunnel. IPSec is used to provide encryption, data integrity, replay protection features to GRE tunnels.

IPSec provides origin authentication, data confidentiality, data integrity, replay detection, periodic rekey, perfect forward secrecy. IPSec security architecture is composed of the following;

  • Security Protocols
  • Security Associations
  • Key Management

Security Protocols

Security protocols can be used individually or in combination. They include;

  1. Authentication Header (AH): AH provides data integrity, authentication, replay protection. AH uses IP protocol number 51.
  2. Encapsulating Security Payload (ESP): ESP provides data confidentiality, integrity, authentication and replay protection. ESP uses IP protocol number 50.

Key Management

Internet Key Exchange (IKE) negotiates the IPSec security associations (SAs). This process requires that the IPSec systems first authenticate themselves to each other and establish ISAKMP (IKE) shared keys. IPSec uses IKEv2 by default. IKEv2 introduced Extensible Authentication Protocol (EAP) with reduction of bandwidth consumption, network address translation (NAT) and ability to detect whether a tunnel is still alive.

Security Associations

A security association (SA) is a relationship between two or more entities that describes how the entities will use security services to communicate securely.

Security Associations (SA) contain agreed upon security parameters. The two main security associations that will be used by DMVPN to secure traffic are IKE SA and IPSec SA:

  • IKE SA: used for control plane functions like IPSec key management and management of IPSec SAs.
  • IPSec SA: used for data plane functions to secure data transmitted between two different sites. IPSec SAs are unidirectional and require at least two IPSec SAs (one for inbound traffic and another for outbound traffic) for a secure connection to a DMVPN peer.
There can only be one IKE SA between end point devices but multiple IPSec SAs can be established between the same two endpoint devices.

IPSec DMVPN Tunnel Protection Modes

Traditional IPSec provides two modes of packet protection; tunnel and transport:

  1. Tunnel mode: the entire original packet is encrypted and a new set of IPSec headers is added. For encrypted DMVPN packets that use ESP tunnel mode, the original packets have the GRE flags added to them, and then the new GRE IP header is added for routing the packets in the transport (underlay) network. That portion of the packets is encrypted, a signature for the encrypted payload is added. Then a new IPSec IP header is added for routing the packets in the transport (underlay) network. The GRE IP header adds an extra 20 bytes of overhead, the GRE flags add an extra 4 bytes of overhead, the IPsec IP header adds an extra 20 bytes of overhead, and depending on the encryption mechanism, a varying number of additional bytes are added for the encrypted signature.

    It is important to note that the use of IPsec tunnel mode for DMVPN networks does not add any perceived value and adds 20 bytes of overhead. It is recommended that transport mode should be used for encrypted DMVPN tunnels.

    Additionally, the header added when tunnel is configured is redundant due to the already existing GRE header.

  2. Transport mode: In this mode, only the packet payload is encrypted. The GRE header is maintained. The packet is routed based on the original IP headers. For encrypted DMVPN packets that use ESP transport mode, the original packets have the generic routing encapsulation (GRE) flags added to them, and then that portion of the packets is encrypted. A signature for the encrypted payload is added, and then the GRE IP header is added for routing the packets on the transport (underlay) network. The GRE IP header adds an extra 20 bytes of overhead, the GRE flags add an extra 4 bytes of overhead, and depending on the encryption mechanism, a varying number of additional bytes are added for the encrypted signature.

DMVPN Tunnel Protection using IPSec

Enabling IPsec protection on a DMVPN network requires that all devices enable IPsec protection. If some routers have IPsec enabled and others do not, devices will not be able to establish a connection on the tunnel interfaces with each other.

Key management and IPSec parameter negotiation is implemented using IKEv1 or IKEv2.

IKEv1

Originally DMVPN tunnel protection was provided by IPSec IKEv1. To enable DMVPN tunnel protection using IPsec static pre-shared keys involves the creation of the following:

  1. ISAKMP policy
  2. ISAKMP key and addresses of remote hosts.
  3. IPSec transform set
  4. IPSec profile

The configuration of DMVPN tunnel protection using DMVPN follows:

Step 1: Create the IKEv1 policy:

This is used for phase 1 negotiations (control-plane) in IPsec to generate the key information used in phase 2 for the actual data-plane.

  1. Define an IKE policy

  2. The IKE policy is configured using the command crypto isakmp policy <1-10000> where 1-10000 is the priority of the protection suite.

    HUB(config)#crypto isakmp policy 100

  3. Configure encryption method

  4. The encryption method is usually any of the synchronous encryption algorithms aes, 3des or des: encryption <aes | 3des | des> <128-256>

    • aes | 3des | des: are the synchronous encryption versions supported by the platform.
    • 128 - 256: the supported encryption key sizes. More modern platforms support a larger key size.

    HUB(config-isakmp)#encryption aes 256

  5. Configure the authentication method

  6. The authentication method can be either preshared keys or RSA-signatures: authentication <pre-share | rsa-encr | rsa-sig>. In this configuration, we opt to use preshared keys for authentication.

    HUB(config-isakmp)#authentication pre-share

  7. Configure the Diffie-Helman group for integrity

  8. Define the diffie-helman group using the command group <1|14|15|16|19|2|20|21|24|5>. The Diffie-Hellman groups include the following;

    • Group 1 (768 bits)
    • Group 14 (2048 bits)
    • Group 15 uses 3072 bits
    • Group 16 (4096 bits)
    • Group 19 (256 bit ecp)
    • Group 2 (1024 bit)
    • Group 20 (384 bit ecp)
    • Group 21 (521 bit ecp)
    • Group 24 (2048 bit, 256 bit subgroup)
    • Group 5 (1536 bit)

    HUB(config-isakmp)#group 16

    If not specified, the default group is enabled.

  9. Configure the hash function for data integrity

  10. The hash algorithm provides a check for data integrity i.e, a check to ensure that the data was not altered in transit. The main hashing functions in use are MD5 and the various versions of SHA i.e, SHA, SHA256, SHA384, SHA512. The command is hash <md5 | sha | sha256 | sha384 | sha512>.

    HUB(config-isakmp)#hash sha512

Step 2: Configure the IKE key

The IKE key is defined using the command crypto isakmp key <password> address <ip_address>. Use of the address 0.0.0.0 0.0.0.0 is not recommended as it allows a host with any IP address to connect. However, it may be helpful only when many spokes connect to the hub and administrative overhead is high with managing this scalability. Otherwise, to add additional level of security, a key should be defined for each spoke whose IP address is explicitly configured.

HUB(config)#crypto isakmp key simplesimple address 0.0.0.0

The recommended approach is to use public-key infrastructure (PKI); here a certificate is issued to the spokes. The hub can verify that certificate with the certificate authority when spokes attempt to register.

Step 3: Configure an IPSec transform set

In phase 2 of the creation of the IPsec security, the data-plane traffic is treated to the encryption and hashing functions configured under the transform-set.

  1. Define the transform set and ESP or AH settings

    Define the ESP authentication and ESP encryption or AH authentication algorithms for encryption or authentication.

    Here one SA is created for inbound traffic and one for outbound traffic to a DMVPN peer using the global configuration command; crypto ipsec transform-set <transform-set-tag> [<esp-encryption-function> <esp-authentication-function> | <ah-authentication>].

    The AH options available include the following:

    • ah-md5-hmac: AH-HMAC-MD5 transform
    • ah-sha-hmac: AH-HMAC-SHA transform
    • ah-sha256-hmac: AH-HMAC-SHA256 transform
    • ah-sha384-hmac: AH-HMAC-SHA384 transform
    • ah-sha512-hmac: AH-HMAC-SHA512 transform
    • comp-lzs: IP Compression using the LZS compression algorithm

    The ESP options include the following:

    • esp-3des: ESP transform using 3DES(EDE) cipher (168 bits)
    • esp-aes : ESP transform using AES cipher
    • esp-des : ESP transform using DES cipher (56 bits)
    • esp-gcm : ESP transform using GCM cipher
    • esp-gmac: ESP transform using GMAC cipher
    • esp-md5-hmac: ESP transform using HMAC-MD5 auth
    • esp-null: ESP transform w/o cipher
    • esp-seal: ESP transform using SEAL cipher (160 bits)
    • esp-sha-hmac: ESP transform using HMAC-SHA auth
    • esp-sha256-hmac: ESP transform using HMAC-SHA256 auth
    • esp-sha384-hmac: ESP transform using HMAC-SHA384 auth
    • esp-sha512-hmac: ESP transform using HMAC-SHA512 auth

    If an encryption algorithm is configured, the key size should be defined.

    HUB(config)#crypto ipsec transform-set DMVPN_IPSEC_TSET esp-aes esp-sha512-hmac

  2. Define the tunnel mode

    tunnel mode can be transport or tunnel

    HUB(cfg-crypto-trans)#mode transport

Step 4 Create an IPSec profile

The IPsec profiile is created and the references the IPsec transform set previously defined.

HUB(config)#crypto ipsec profile DMVPN_IPSEC_PROFILE
HUB(ipsec-profile)#set transform-set DMVPN_IPSEC_TSET
HUB(ipsec-profile)#exit

Step 5: Associate the DMVPN tunnel interface with the IPSec profile

To protect the tunnel using IPsec, reference the configured IPsec profile under the tunnel configuration using the command tunnel protection ipsec profile <ipsec_profile_name>.

HUB(config)#interface tunnel 0
HUB(config-if)#tunnel protection ipsec profile DMVPN_IPSEC_PROFILE

Step 1 - 5 configurations are common to both the hub and spoke. This is an example of the templating that can be used with DMVPN. To configure a specific key for each spoke, enter the spoke address. This IP address should be the one configured on the interface that is defined as the tunnel source when configuring the DMVPN tunnel interface on the spoke. The hub and spoke must share the same key.

IPsec with Frontdoor VRF

When a front-door VRF(FVRF) has been configured, to protect the tunnel using IPsec requires a slightly different configuration particularly when defining the ISAKMP key. Using the configuration process for IKEv1 above, the configuration of IPsec for a front-door VRF tunnel can be accomplished using the following sequence:

Step 2: Configure the IKEv1 key

  1. The key is configured using the command crypto keyring <keyring-name> vrf <vrf-name> where:
    • keyring-name: is the suggested name of the keyring.
    • vrf-name: is the VRF under which the key will be used.

    SPOKE4(config)#crypto keyring DMVPN_ISAKMP_KEYRING vrf FVRF

  2. Then define the key using the command pre-shared-key address <ip-address> <netmask> key <key>.

    SPOKE4(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 key simplesimple

Step 3: Configure the IKEv1 Profile

  1. Create an IKEv1 profile: create isakmp profile <profile-name>.

    SPOKE4(config)#crypto isakmp profile DMVPN_ISAKMP_PROFILE

  2. Configure the VRF that the profile will be used under: vrf <VRF-name>

    SPOKE4(conf-isa-prof)#vrf FVRF

  3. Reference the configured keyring: keyring <keyring-name>

    SPOKE4(conf-isa-prof)#keyring DMVPN_ISAKMP_KEYRING

  4. Define the IP address and VRF that this profile will be checked against and applied to: match identity address <ip-address> <vrf>

    SPOKE4(conf-isa-prof)#match identity address 0.0.0.0 FVRF

Step 4: Configure the IPsec Transform-set

The IPsec transform-set is configured as in step 3 above:

SPOKE4(config)#crypto ipsec transform-set DMVPN_IPSEC_TSET esp-aes esp-sha512-hmac
SPOKE4(cfg-crypto-trans)#mode transport

Step 5: Configure the IPsec Profile

  1. Define the IPsec profile:crypto ipsec profile <profile-name>

    SPOKE4(config)#crypto ipsec profile DMVPN_IPSEC_PROFILE

  2. Reference the configured IPsec transform-set: set transform-set <transform-set-name>

    SPOKE4(ipsec-profile)#set transform-set DMVPN_IPSEC_TSET

  3. Reference the ISAKMP/IKEv1 profile: set isakmp-profile <isakmp-profile-name>

    SPOKE4(ipsec-profile)#set isakmp-profile DMVPN_ISAKMP_PROFILE

Step 6: Reference the IPsec Profile under the tunnel

Tunnel protection using IPsec is configured under the tunnel interface:

SPOKE4(config)#interface tunnel 0
SPOKE4(config-if)#tunnel protection ipsec profile DMVPN_IPSEC_PROFILE

Verification of IKEv1 Configuration

The following commands can be used to verify tunnel protection using IPsec:

  • show dmvpn detail
  • show crypto isakmp sa
  • show crypto isakmp policy
  • show crypto isakmp peers
  • show crypto isakmp key
  • show crypto ipsec sa
  • show crypto ipsec profile

show dmvpn detail

SPOKE2#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
                
Interface Tunnel0 is up/up, Addr. is 172.30.1.2, VRF ""
   Tunnel Src./Dest. addr: 99.255.30.1/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_IPSEC_PROFILE"
   Interface State Control: Disabled
   nhrp event-publisher : Disabled
                
IPv4 NHS:        
172.30.1.1  RE NBMA Address: 99.255.10.2 priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 4
                
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------          
    1 99.255.10.2          172.30.1.1    UP 03:15:04    S      172.30.1.1/32
    1 99.255.30.1          172.30.1.2    UP 00:48:01  DLX      172.30.1.2/32
    1 99.255.60.6          172.30.1.7    UP 00:12:13    D      172.30.1.7/32
    1 99.255.60.2          172.30.1.8    UP 00:48:01    D      172.30.1.8/32
                
                
Crypto Session Details:
--------------------------------------------------------------------------------
                
Interface: Tunnel0
Session: [0x680251DC]
  IKEv1 SA: local 99.255.30.1/500 remote 99.255.10.2/500 Active
          Capabilities:(none) connid:1001 lifetime:20:44:52
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 99.255.10.2
  IPSEC FLOW: permit 47 host 99.255.30.1 host 99.255.10.2
        Active SAs: 2, origin: crypto map
        Inbound: #pkts dec'ed 2510 drop 0 life (KB/Sec) 4254210/2162
        Outbound: #pkts enc'ed 2578 drop 0 life (KB/Sec) 4254210/2162
   Outbound SPI : 0xB80CDF30, transform : esp-256-aes esp-sha512-hmac
    Socket State: Open
                
Interface: Tunnel0
Session: [0x68024FEC]
  IKEv1 SA: local 99.255.30.1/500 remote 99.255.60.6/500 Active
          Capabilities:(none) connid:1004 lifetime:23:47:43
  IKEv1 SA: local 99.255.30.1/500 remote 99.255.60.6/500 Active
          Capabilities:(none) connid:1005 lifetime:23:47:43
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 99.255.60.6
  IPSEC FLOW: permit 47 host 99.255.30.1 host 99.255.60.6
        Active SAs: 4, origin: crypto map
        Inbound: #pkts dec'ed 1 drop 0 life (KB/Sec) 4608000/2866
        Outbound: #pkts enc'ed 1 drop 0 life (KB/Sec) 4608000/2866
   Outbound SPI : 0x5D0DE203, transform : esp-256-aes esp-sha512-hmac
    Socket State: Open
                
Interface: Tunnel0
Session: [0x680250E4]
  IKEv1 SA: local 99.255.30.1/500 remote 99.255.60.2/500 Active
          Capabilities:(none) connid:1002 lifetime:23:11:55
  IKEv1 SA: local 99.255.30.1/500 remote 99.255.60.2/500 Active
          Capabilities:(none) connid:1003 lifetime:23:11:55
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 99.255.60.2
  IPSEC FLOW: permit 47 host 99.255.30.1 host 99.255.60.2
        Active SAs: 4, origin: crypto map
        Inbound: #pkts dec'ed 6 drop 0 life (KB/Sec) 4254542/718
        Outbound: #pkts enc'ed 6 drop 0 life (KB/Sec) 4254542/718
   Outbound SPI : 0xBB52CAA0, transform : esp-256-aes esp-sha512-hmac
    Socket State: Open

Pending DMVPN Sessions:
SPOKE2#

show crypto isakmp sa

Command displays security association information when for the ISAKMP exchange.

SPOKE2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
99.255.10.2     99.255.30.1     QM_IDLE           1001 ACTIVE
99.255.30.1     99.255.60.2     QM_IDLE           1003 ACTIVE
99.255.30.1     99.255.60.6     QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

SPOKE2#

Additional keywords to the above command display the following output:

SPOKE2#show crypto isakmp sa ?
  active   Shows HA-enabled ISAKMP SAs in the active state
  count    Show the number of ISAKMP Security Associations
  detail   Show ISAKMP SA Detail
  nat      Show ISAKMP SA NAT Detail
  standby  Shows HA-enabled ISAKMP SAs in the standby state
  vrf      Show ISAKMP SA as per VRF

SPOKE2#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection                          
       K - Keepalives, N - NAT-traversal                                            
       T - cTCP encapsulation, X - IKE Extended Authentication                      
       psk - Preshared key, rsig - RSA signature                                    
       renc - RSA encryption                                                        
IPv4 Crypto ISAKMP SA                                                              
                                                                                    
C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
                                                                                    
1001  99.255.30.1     99.255.10.2            ACTIVE aes  sha512 psk  16 23:21:51    
       Engine-id:Conn-id =  SW:1                                                    
                                                                                    
1003  99.255.30.1     99.255.60.2            ACTIVE aes  sha512 psk  16 23:34:21    
       Engine-id:Conn-id =  SW:3                                                    
                                                                                    
1002  99.255.30.1     99.255.60.6            ACTIVE aes  sha512 psk  16 23:33:22    
       Engine-id:Conn-id =  SW:2                                                    
                                                                                    
IPv6 Crypto ISAKMP SA                                                              
                                                                                    
SPOKE2#

SPOKE2#show crypto isakmp sa count
Active ISAKMP SA's: 3
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 0

show crypto isakmp policy

SPOKE2#show crypto isakmp policy

Global IKE policy
Protection suite of priority 100
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (512 bit)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #16 (4096 bit)
        lifetime:               86400 seconds, no volume limit
SPOKE2#

show crypto isakmp peers

SPOKE2#show crypto isakmp peers Peer: 99.255.10.2 Port: 500 Local: 99.255.30.1
 Phase1 id: 99.255.10.2
Peer: 99.255.20.2 Port: 500 Local: 99.255.30.1
 Phase1 id: 99.255.20.2
Peer: 99.255.60.2 Port: 500 Local: 99.255.30.1
 Phase1 id: 99.255.60.2
Peer: 99.255.60.6 Port: 500 Local: 99.255.30.1
 Phase1 id: 99.255.60.6
SPOKE2#

show crypto isakmp key

SPOKE2#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
                                                                      
default      0.0.0.0        [0.0.0.0]                    simplesimple
SPOKE2#

show crypto ipsec sa

HUB#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.10.1.1
          
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.10.1.3/255.255.255.255/47/0)
   current_peer 10.10.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
          
     local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.3
     plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x566CA6C2(1449961154)
     PFS (Y/N): N, DH group: none
          
     inbound esp sas:
      spi: 0xE65C1095(3864793237)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4266073/3469)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     inbound ah sas:
          
     inbound pcp sas:
          
     outbound esp sas:
      spi: 0x566CA6C2(1449961154)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4266074/3469)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:
          
     outbound pcp sas:
          
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.10.1.2/255.255.255.255/47/0)
   current_peer 10.10.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
          
     local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.2
     plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x11E881C1(300450241)
     PFS (Y/N): N, DH group: none
          
     inbound esp sas:
      spi: 0xC5D936AE(3319346862)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4321569/3249)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     inbound ah sas:
          
     inbound pcp sas:
          
     outbound esp sas:
      spi: 0x11E881C1(300450241)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4321569/3249)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:
          
     outbound pcp sas:
HUB#
HUB#

IKEv2

IKEv2 was developed to eliminate the weaknesses of IKEv1. Cryptographic functions consume CPU resources, so the CPU should be protected by limiting the number of packets required to process IKE establishment. CPU utilization increases to maintain SA state including negotiation of a session. If CPU utilization is high (for any other reasons), a session that has been started may not complete due to limited CPU resources.

IKEv2 advantages over IKEv1 include:

  • Protection against DoS attacks
  • Support for new encryption algorithms for phase 2 (suite B).

With IKEv2, asymetric authentication methods are possible where one end uses preshared keys and the other PKI.

DMVPN tunnel protection using IPSec IKEv2 through the use of a static pre-shared key involves configuration of the following:

  1. IKEv2 keyring
  2. IKEv2 profile
  3. IPSec transform set
  4. IPSec profile

Step 1: Configure the IKEv2 Keyring

The IKEv2 keyring is a repository for configured pre-shared keys. In a keyring, it is possible to define which keys apply to which hosts. Identification of the password is based on the IP address of the remote router. The IKEv2 keyring is created with the following steps:

  1. Define the keyring instance: It is created with the global configuration command crypto ikev2 keyring <keyring-name>.

    HUB(config)#crypto ikev2 keyring IKEv2_KEYRING

  2. Create a peer name: Multiple peers can exist in a keyring. Each peer has a matching qualifier and can use a different password. The peer is created with the command peer <peer-name>.

    HUB(config-ikev2-keyring)#peer ANY

  3. Identify the IP address for the peer: Multiple peers can reside in a keyring. The IP address is identified so that the appropriate peer configuration is used based upon the remote device’s IP address. The command address network netmask defines the IP address/range. Though not recommended for a production network, the value of 0.0.0.0 0.0.0.0 may be used to match against any peer. For IPv6, the address ::/0 matches any IPv6 address.

    HUB(config-ikev2-keyring-peer)#address 0.0.0.0

  4. Define a preshared key: Define the preshared key with pre-shared-key <password>:

    HUB(config-ikev2-keyring-peer)#pre-shared-key cisco123

Step 2: IKEv2 Profile

IKEv2 profile is a collection of non-negotiable security parameters used during IKE security association. The IKEv2 profile is later associated with the IPSec profile. Within the IKEv2 profile, local and remote authentication methods must be defined as well as a match statement.

  1. Define the IKEv2 profile: crypto ikev2 profile <profile_name>:

    HUB(config)#crypto ikev2 profile IKEv2_PROF

  2. Identify the IP address for the remote router: the IP address must be identified for the initial IKEv2 session to establish. The peer IP address is defined with the command match identity remote address <ip_address>. This can be 0.0.0.0 0.0.0.0 to match against any peer. For IPv6, it can be ::/0.

    HUB(config-ikev2-profile)#match identity remote address 0.0.0.0

  3. (Optional) Configure the local router’s identity: the local router’s identity can be set based on an IP address with the command identity local address <ip-address>. A loopback address is recommended as it is always ‘up’. Note that the IP address configured here should match the IP address used during the certificate registration. This step is really not needed with preshared key authentication but is very important in the deployment of public key infrastructure.
  4. Identify the Front-door VRF (FVRF) for the tunnel end: if a front-door VRF is used on the DMVPN tunnel, then the FVRF must be associated to the IKEv2 profile with the command match fvrf <vrf_name | any>. Keyword any allows any configured FVRF to be selected.
  5. Define the local authentication method: The authentication method must be defined for connection requests that are received by remote peers. The command authentication local <pre-share | rsa-sig> defines the local authentication. Only one local authentication can be selected. The pre-share keyword is for pre-shared static keys and rsa-sig is used for certificate based authentication.

    HUB(config-ikev2-profile)#authentication local pre-share

  6. Define the remote authentication method: The authentication method must be defined for connection requests that are sent to remote peers. The command authentication remote [pre-share | rsa-sig] defines the remote authentication. The pre-share keyword is used for pre-shared static keys and rsa-sig is used for certificate-based authentication.

    HUB(config-ikev2-profile)#authentication remote pre-share

  7. Define the IKEv2 keyring (for preshared authentication): preshared authentication requires that the IKEv2 keyring be associated to the IKEv2 profile. The command keyring local <keyring-name> associates the IKEv2 keyring.

    HUB(config-ikev2-profile)#keyring local IKEv2_KEYRING
    HUB(config-ikev2-profile)#exit

Step 3: Configure the IPSec Transform Set

The transform set identifies the security protocols for encrypting traffic (ESP) or protocols for authenticating the data (AH). The transform set is created with the following steps;

  1. Create the transform set and identify the transforms: Only one transform set can be selected for ESP encryption, ESP authentication, AH authentication using the command crypto ipsec transform-set <transform_set_name> <esp-encryption esp-authentication | ah-authentication>

    HUB(config)#crypto ipsec transform-set IPSEC_TSET esp-aes esp-sha512-hmac

  2. Specify the Transform Set mode: the transform set mode is configured with mode <transport | tunnel>. Tunnel mode is the default mode. However, it adds 20bytes of additional IPSec header to the overall packet.

    HUB(cfg-crypto-trans)#mode transport

Step 4: Configure the IPSec Profile

The IPSec profile combines the IPSec transform set and the IKEv2 profile. The IPSec profile is created with the following steps;

  1. Create the IPSec profile: use the command crypto ipsec profile <profile-name>

    HUB(config)#crypto ipsec profile IPSEC_PROF

  2. Specify the transform set: The transform set is specified with the command set transform-set <transform-set-name>.

    HUB(ipsec-profile)#set transform-set IPSEC_TSET

  3. Specify the IKEv2 profile: the IKEv2 profile is specified with the command set ikev2-profile <ike2-profile-name>.

    HUB(ipsec-profile)#set ikev2-profile IKEv2_PROF
    HUB(ipsec-profile)#exit

Securing the DMVPN Tunnel

To secure the DMVPN tunnel, the IPSec profile should be associated with the DMVPN tunnel interface with the command; tunnel protection ipsec profile <profile-name> [shared]. The shared keyword is required for routers that terminate multiple secured DMVPN tunnels on the same transport interface.

HUB(config)#interface tunnel 0
HUB(config-if)#tunnel protection ipsec profile IPSEC_PROF

The command shares the IPSec security association database (SADB) among multiple DMVPN tunnels. Because the SADB is shared, a unique tunnel key must be defined on each DMVPN tunnel interface to ensure that the encrypted/decrypted traffic aligns to the proper DMVPN tunnel.

Verification of IKEv2 Tunnels

show crypto ipsec profile

show dmvpn

HUB#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete              
        N - NATed, L - Local, X - No Socket                              
        T1 - Route Installed, T2 - Nexthop-override                      
        C - CTS Capable, I2 - Temporary                                  
        # Ent --> Number of NHRP entries with same NBMA peer          
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel                    
==========================================================================
                                                                          
Interface Tunnel0 is up/up, Addr. is 192.168.1.1, VRF ""                  
   Tunnel Src./Dest. addr: 10.10.1.1/Multipoint, Tunnel VRF ""            
   Protocol/Transport: "multi-GRE/IP", Protect "IPSEC_PROF"              
   Interface State Control: Disabled                                      
   nhrp event-publisher : Disabled                                        
Type:Hub, Total NBMA Peers (v4/v6): 2                                    
                                                                          
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 10.10.1.2           192.168.1.2    UP 00:13:26     D     192.168.1.2/32
    1 10.10.1.3           192.168.1.3    UP 00:02:57     D     192.168.1.3/32
                                                                          
                                                                          
Crypto Session Details:                                                  
--------------------------------------------------------------------------------
                                                                          
Interface: Tunnel0                                                        
Session: [0x1110A890]                                                    
  Session ID: 2                                                          
  IKEv2 SA: local 10.10.1.1/500 remote 10.10.1.2/500 Active              
          Capabilities:(none) connid:1 lifetime:23:46:29                  
  Crypto Session Status: UP-ACTIVE                                        
  fvrf: (none), Phase1_id: 10.10.1.2                                      
  IPSEC FLOW: permit 47 host 10.10.1.1 host 10.10.1.2                    
        Active SAs: 2, origin: crypto map                                
        Inbound:  #pkts dec'ed 1020 drop 0 life (KB/Sec) 4173553/2789    
        Outbound: #pkts enc'ed 1020 drop 0 life (KB/Sec) 4173553/2789    
   Outbound SPI : 0xD07B32DF, transform : esp-aes esp-sha512-hmac        
    Socket State: Open                                                    
                                                                          
Interface: Tunnel0                                                        
Session: [0x1110A798]                                                    
  Session ID: 3                                                          
  IKEv2 SA: local 10.10.1.1/500 remote 10.10.1.3/500 Active              
          Capabilities:(none) connid:2 lifetime:23:56:23                  
  Crypto Session Status: UP-ACTIVE                                        
  fvrf: (none), Phase1_id: 10.10.1.3                                      
  IPSEC FLOW: permit 47 host 10.10.1.1 host 10.10.1.3                    
        Active SAs: 2, origin: crypto map                                
        Inbound:  #pkts dec'ed 1022 drop 0 life (KB/Sec) 4181658/3383    
        Outbound: #pkts enc'ed 1014 drop 0 life (KB/Sec) 4181659/3383    
   Outbound SPI : 0xB5895749, transform : esp-aes esp-sha512-hmac        
    Socket State: Open                                                    
                                                                          
Pending DMVPN Sessions:                                                  
                                                                          
HUB#

On the spoke

SPOKE1(config-if)#do show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable, I2 - Temporary
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel0 is up/down, Addr. is 192.168.1.2, VRF ""
   Tunnel Src./Dest. addr: 10.10.1.2/10.10.1.1, Tunnel VRF ""
   Protocol/Transport: "GRE/IP", Protect "IPSEC_PROF"
   Interface State Control: Disabled
   nhrp event-publisher : Disabled

IPv4 NHS:
192.168.1.1   E NBMA Address: 10.10.1.1 priority = 0 cluster = 0            
Type:Spoke, Total NBMA Peers (v4/v6): 1                                      
                                                                            
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 10.10.1.1           192.168.1.1  INTF 00:04:17     S     192.168.1.1/32


Crypto Session Details:
--------------------------------------------------------------------------------

Interface: Tunnel0
Session: [0x10F9C2E8]          
  Session ID: 0                
  IKEv1 SA: local 10.10.1.2/500 remote 10.10.1.1/500 Inactive
          Capabilities:(none) connid:0 lifetime:0
  Crypto Session Status: DOWN-NEGOTIATING
  fvrf: (none),   IPSEC FLOW: permit 47 host 10.10.1.2 host 10.10.1.1
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
   Outbound SPI : 0x       0, transform :
    Socket State: Closed      
                              
Pending DMVPN Sessions:

SPOKE1(config-if)#

show crypto ipsec sa detail

HUB#show crypto ipsec sa detail
          
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.10.1.1
          
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.10.1.3/255.255.255.255/47/0)
   current_peer 10.10.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1016, #pkts encrypt: 1016, #pkts digest: 1016
    #pkts decaps: 1024, #pkts decrypt: 1024, #pkts verify: 1024
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
          
     local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.3
     plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xB5895749(3045676873)
     PFS (Y/N): N, DH group: none
          
     inbound esp sas:
      spi: 0x70EA8A16(1894418966)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 7, flow_id: SW:7, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4181657/2972)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     inbound ah sas:
          
     inbound pcp sas:
          
     outbound esp sas:
      spi: 0xB5895749(3045676873)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 8, flow_id: SW:8, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4181659/2972)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:
          
     outbound pcp sas:
          
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.10.1.2/255.255.255.255/47/0)
   current_peer 10.10.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1022, #pkts encrypt: 1022, #pkts digest: 1022
    #pkts decaps: 1022, #pkts decrypt: 1022, #pkts verify: 1022
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
          
     local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.2
     plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xD07B32DF(3497734879)
     PFS (Y/N): N, DH group: none
          
     inbound esp sas:
      spi: 0x75C10060(1975582816)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 5, flow_id: SW:5, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4173553/2378)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     inbound ah sas:
          
     inbound pcp sas:
          
     outbound esp sas:
      spi: 0xD07B32DF(3497734879)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 6, flow_id: SW:6, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4173552/2378)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:
          
     outbound pcp sas:
HUB#      

show crypto ikev2 sa detailed

HUB#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.10.1.1/500         10.10.1.3/500         none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/610 sec                                          
      CE id: 1004, Session-id: 2                                              
      Status Description: Negotiation done                                    
      Local spi: A0F8071EC395BD3C       Remote spi: 97AE858B6CAA71A2          
      Local id: 10.10.1.1                                                      
      Remote id: 10.10.1.3                                                    
      Local req msg id:  0              Remote req msg id:  2                  
      Local next msg id: 0              Remote next msg id: 2                  
      Local req queued:  0              Remote req queued:  2                  
      Local window:      5              Remote window:      5                  
      DPD configured for 0 seconds, retry 0                                    
      Fragmentation not  configured.                                          
      Dynamic Route Update: disabled                                          
      Extended Authentication not configured.                                  
      NAT-T is not detected                                                    
      Cisco Trust Security SGT is disabled                                    
      Initiator of SA : No                                                    
                                                                              
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.10.1.1/500         10.10.1.2/500         none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1204 sec                                        
      CE id: 1003, Session-id: 1                                              
      Status Description: Negotiation done                                    
      Local spi: B085F9ECBA72967E       Remote spi: 69A6A65ED87EC303          
      Local id: 10.10.1.1                                                      
      Remote id: 10.10.1.2                                                    
      Local req msg id:  0              Remote req msg id:  2                  
      Local next msg id: 0              Remote next msg id: 2                  
      Local req queued:  0              Remote req queued:  2                  
      Local window:      5              Remote window:      5                  
      DPD configured for 0 seconds, retry 0                                    
      Fragmentation not  configured.                                          
      Dynamic Route Update: disabled                                          
      Extended Authentication not configured.                                  
      NAT-T is not detected                                                    
      Cisco Trust Security SGT is disabled                                    
      Initiator of SA : No                                                    
                                                                              
IPv6 Crypto IKEv2 SA

On the client

SPOKE2#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status  
1         10.10.1.3/500         10.10.1.1/500         none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/78 sec                                              
      CE id: 1002, Session-id: 1                                                  
      Status Description: Negotiation done                                        
      Local spi: 97AE858B6CAA71A2       Remote spi: A0F8071EC395BD3C              
      Local id: 10.10.1.3                                                          
      Remote id: 10.10.1.1                                                        
      Local req msg id:  2              Remote req msg id:  0                      
      Local next msg id: 2              Remote next msg id: 0                      
      Local req queued:  2              Remote req queued:  0                      
      Local window:      5              Remote window:      5                      
      DPD configured for 0 seconds, retry 0                                        
      Fragmentation not  configured.                                              
      Dynamic Route Update: disabled                                              
      Extended Authentication not configured.                                      
      NAT-T is not detected                                                        
      Cisco Trust Security SGT is disabled                                        
      Initiator of SA : Yes                                                        
                                                                                  
 IPv6 Crypto IKEv2  SA                                                            

show crypto ikev2 profile

HUB#show crypto ikev2 profile

IKEv2 profile: IKEv2_PROF
 Ref Count: 6
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 0.0.0.0
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEv2_KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 mode auto: none
 AAA AnyConnect EAP authentication mlist: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
HUB#

show crypto ikev2 stats

SPOKE1#show crypto ikev2 stats
--------------------------------------------------------------------------------
                          Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit:   0        Max IKEv2 SAs: 0        Max in nego(in/out): 40/400
Total incoming IKEv2 SA Count:    0        active:        0        negotiating: 0
Total outgoing IKEv2 SA Count:    1        active:        1        negotiating: 0
Incoming IKEv2 Requests: 0        accepted:      0        rejected:    0  
Outgoing IKEv2 Requests: 1        accepted:      1        rejected:    0  
Rejected IKEv2 Requests: 0        rsrc low:      0        SA limit:    0  
IKEv2 packets dropped at dispatch: 0
Incoming Requests dropped as LOW Q limit reached : 0
Incoming IKEV2 Cookie Challenged Requests: 0
    accepted: 0        rejected: 0        rejected no cookie: 0
Total Deleted sessions of Cert Revoked Peers: 0

SPOKE1#

show crypto ipsec profile

SPOKE1(config-if)#do show crypto ipsec profile
IPSEC profile IPSEC_PROF
        IKEv2 Profile: IKEv2_PROF
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                IPSEC_TSET: { esp-aes esp-sha512-hmac } ,
        }          
                  
IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                default:  { esp-aes esp-sha-hmac } ,
        }          
                  
SPOKE1(config-if)#

show crypto ikev2 profile

SPOKE1#show crypto ikev2 profile

IKEv2 profile: IKEv2_PROF
 Ref Count: 5
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 0.0.0.0
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEv2_KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 mode auto: none
 AAA AnyConnect EAP authentication mlist: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
SPOKE1#

show crypto ikev2 policy

SPOKE1#show crypto ikev2 policy

 IKEv2 policy : default
      Match fvrf : any
      Match address local : any
      Proposal    : default
SPOKE1#

show crypto ikev2 session

SPOKE1#show crypto ikev2 session
 IPv4 Crypto IKEv2 Session

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.10.1.2/500         10.10.1.1/500         none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/132 sec
Child sa: local selector  10.10.1.2/0 - 10.10.1.2/65535
          remote selector 10.10.1.1/0 - 10.10.1.1/65535
          ESP spi in/out: 0xD07B32DF/0x75C10060
                          
&bnsp;IPv6 Crypto IKEv2 Session

SPOKE1#

show crypto ikev2 session detail

SPOKE1#show crypto ikev2 session detail
IPv4 Crypto IKEv2 Session

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.10.1.2/500         10.10.1.1/500         none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/137 sec
      CE id: 1002, Session-id: 1
      Status Description: Negotiation done
      Local spi: 69A6A65ED87EC303       Remote spi: B085F9ECBA72967E
      Local id: 10.10.1.2                
      Remote id: 10.10.1.1                
      Local req msg id:  2              Remote req msg id: 0
      Local next msg id: 2              Remote next msg id: 0
      Local req queued:  2              Remote req queued: 0
      Local window:      5              Remote window: 5
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
Child sa: local selector 10.10.1.2/0 - 10.10.1.2/65535
          remote selector 10.10.1.1/0 - 10.10.1.1/65535
          ESP spi in/out: 0xD07B32DF/0x75C10060
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 128, esp_hmac: SHA512
          ah_hmac: None, comp: IPCOMP_NONE, mode transport
          
IPv6 Crypto IKEv2 Session

SPOKE1#

Protection and Optimisation of DMVPN Tunnel

Protection of IKEv2

The command crypto ikev2 limit max-in-negotiation-sa limit | max-sa limit outgoing limits the number of sessions being established or that are allowed to establish.

  • Max-sa: limits the total count of SAs that a router can establish under normal conditions. The value should be set to double the number of ongoing sessions in order to cater for renegotiation.
  • Max-in-negotiation-sa: limits the number of SAs being negotiated at any one time.

To protect the IKE from half open sessions, a cookie can be used to validate that sessions are valid IKEv2 sessions and not a Denial of Service (DoS) attack. The command crypto ikev2 cookie-challege <challenge-number> defines the threshold of half-open SAs before issuing an IKEv2 challenge.

Verification

show crypto ikev2 stats

IPSec Packet Replay Protection

The IPSec implementation includes an anti-replay mechanism that prevents intruders from duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. When a router decrypts the IPSec packets, it keeps track of the packets it has received. The IPSec anti-replay service rejects (discards) duplicate packets or old packets.

The router identifies acceptable packet age according to the following logic; the router maintains a sequence number window size (default of 64 packets). The minimum sequence number is defined as the highest sequence number for a packet minus the window size. A packet is considered of age when the sequence number is between the minimum sequence number and the highest sequence number.

At times, the default 64-packet window size is not adequate. Encryption is where the sequence number is set and this happens before any Quality of Server (QoS) policies are processed. Packets can be delayed because of QoS priorities, resulting in out-of-order packets where low-priority packets are queued, whereas high-priority packets are immediately forwarded. The sequence number increases on the receiving router because the high-priority packets shift the window ahead and when the lower priority packets arrive, they are discarded.

Increasing the anti-replay window size does not impact throughput or security. An additional 128 bytes per incoming IPSec SA are needed to store the sequence number on the decryptor. The window size is increased globally with the command crypto ipsec security-association replay window-size <size>. Cisco recommends using the largest window size possible for the hardware. Usually it is 1024.

Dead Peer Detection (DPD)

When two routers establish an IPSec VPN tunnel between them, it is possible that connectivity between the two routers can be lost for some reason. In most scenarios, IKE and IPSec do not natively detect a loss of peer connectivity, which results in network traffic being black-holed until the SA lifetime expires.

The use of dead peer detection (DPD) helps detect the loss of connectivity to a remote IPSec peer.

Cisco supports two types of DPD: on-demand and periodic. When DPD is enabled in on-demand mode, the two routers check for connectivity only when traffic needs to be sent and the peer’s liveliness is questionable. In such scenarios, the router sends a DPD R-U-THERE request to query the status of the remote peer. If the remote peer does not respond, the requesting router starts to transmit additional R-U-THERE messages every retry interval for a maximum of five retries. If no response is received, that peer is declared dead.

DPD is supported by IKEv1 and IKEv2:

  • IKEv2: DPD is configured with the global configuration command crypto ikev2 dpd <interval-time> <retry-time> [on-demand | periodic]. DPD is also configured using the IKEV2 profile mode command dpd <interval-time> <retry-time> [on-demand | periodic]. It is recommended that the interval time be set to twice that of the routing protocol hold time.
  • As it consumes CPU, it is recommended that DPD be configured on the spokes and not on the hubs because a hub may have to maintain state of hundreds of branch routers.

Network Address Translation (NAT) Keepalives

NAT keepalives are enabled to keep the dynamic NAT mapping alive during a connection between two peers. NAT keepalives are UDP packets that contain an unencrypted payload of 1 byte. When DPD is used to detect peer liveliness, NAT keepalives are sent if the IPSec entity has not transmitted or received a packet within a specified period of time. It is configured on sopes because the routing protocol messages such as Hello and update messages between the hub and spoke keeps the NAT state active whereas spoke to spoke tunnels do not maintain a routing neighborship so NAT state is not maintained. NAT keepalives are enabled with the command crypto isakmp nat keepalive <seconds>.