Below is a sample configuration in which one of our WTI units is linked to a Cisco ISR4331/K9 in the lab with a simple IKEv2 tunnel. The WTI IPsec implementation is Linux strongSwan.
The WTI device IPsec defaults are IKEv2 with both the ike and esp settings set to aes128-sha256-modp4096 (DH group 16); these defaults can be changed per connection via the "Tunnel Options" menu option.
IKEv2 Site to Site (Cisco ISR4331/K9 to WTI Unit)
- Phase One: The key exchange
- Phase Two: Encrypting the tunnel
- Applying the crypto map to the outside interface
- Creating access list to identify the traffic flow (inside LAN to peer’s inside LAN)
Cisco Router Setup
Configuring Keyring
- R1>enable
- Password:
- R1# configure terminal
- R1(config)# crypto ikev2 keyring KR-1
- R1(config-ikev2-keyring)# peer SITE-2
- R1(config-ikev2-keyring-peer)# address 192.10.10.136 (address of the WTI unit)
- R1(config-ikev2-keyring-peer)# pre-shared-key WTI949!
- R1(config-ikev2-keyring-peer)# exit
- R1(config-ikev2-keyring)# exit
- R1(config)# exit
The key above is a lab value. For production use a long random pre-shared key (IKEv2 PSK authentication is only as strong as the secret) and make sure the WTI side carries the identical string.
Define IKEv2 Proposal
- R1# configure terminal
- R1(config)# crypto ikev2 proposal PROP-SITE2
- R1(config-ikev2-proposal)# encryption aes-cbc-256
- R1(config-ikev2-proposal)# integrity sha256
- R1(config-ikev2-proposal)# group 14
- R1(config-ikev2-proposal)# exit
- R1(config)# exit
Note: the encryption, integrity and DH group in this proposal must overlap with the WTI "ike" tunnel option set later on this page (aes128-sha256-modp2048). As listed, only the integrity and the group overlap: either add aes-cbc-128 to this proposal (IOS accepts a list, e.g. "encryption aes-cbc-256 aes-cbc-128") or set the WTI ike value to aes256-sha256-modp2048.
Define IKEv2 Policy
- R1# configure terminal
- R1(config)# crypto ikev2 policy POL-SITE2
- R1(config-ikev2-policy)# proposal PROP-SITE2
- R1(config-ikev2-policy)# exit
- R1(config)# exit
Create Access-list to use for VPN
- R1# configure terminal
- R1(config)# ip access-list extended SITE1-SITE2-CACL
- R1(config-ext-nacl)# permit ip 192.10.10.0 0.0.0.255 192.168.0.0 0.0.0.255
- R1(config-ext-nacl)# exit
This ACL is the router's traffic selector. It must be the mirror image of the WTI Left Subnet / Right Subnet settings, otherwise the CHILD_SA negotiation fails with a traffic-selector mismatch. Keep it narrow: only the two inside networks, never "permit ip any any".
Create Transform Set (IPsec)
- R1(config)# crypto ipsec transform-set SITE2-TS esp-aes esp-sha256-hmac
- R1(config-crypto-trans)# exit
Note: esp-aes is AES-128-CBC and esp-sha256-hmac is HMAC-SHA-256, so the WTI "esp" tunnel option must carry the same pair (aes128-sha256). The esp value shown later on this page, aes128-sha1, does not match this integrity algorithm; change one side so that they agree.
Set IKEv2 Profile
- R1(config)# crypto ikev2 profile SITE2-PROFILE
- R1(config-ikev2-profile)# match identity remote address 192.10.10.136 255.255.255.255 (WTI)
- R1(config-ikev2-profile)# authentication local pre-share
- R1(config-ikev2-profile)# authentication remote pre-share
- R1(config-ikev2-profile)# keyring local KR-1
- R1(config-ikev2-profile)# exit
- R1(config)# exit
Define Crypto-Map
- R1# configure terminal
- R1(config)# crypto map CMAP-SITE2 10 ipsec-isakmp
- R1(config-crypto-map)# set peer 192.10.10.136
- R1(config-crypto-map)# set pfs group14
- R1(config-crypto-map)# set security-association lifetime seconds 86400
- R1(config-crypto-map)# set transform-set SITE2-TS
- R1(config-crypto-map)# set ikev2-profile SITE2-PROFILE
- R1(config-crypto-map)# match address SITE1-SITE2-CACL
- R1(config-crypto-map)# exit
- R1(config)# exit
Note: "set pfs group14" makes the router demand a fresh Diffie-Hellman exchange on every IPsec rekey. The WTI esp tunnel option should then carry the same group (for example aes128-sha256-modp2048), otherwise the rekey proposals may not match.
Apply the configuration to an interface and save it
- R1# configure terminal
- R1(config)# interface GigabitEthernet0/0/0
- R1(config-if)# crypto map CMAP-SITE2
- R1(config-if)# exit
- R1(config)# exit
- R1# write memory
Verify the tunnel once traffic matching the ACL has been sent:
- R1# show crypto ikev2 sa
- R1# show crypto ipsec sa
WTI Unit Setup
IPSEC VPN DETAILS: [CISCO_TEST_IKEv2] IPv4/IPv6
1. Enable: On
2. Tunnel Name: CISCO_TEST_IKEv2
3. Security: Pre-shared Secret (Static Key File)
4. Authentication Type: ESP
5. Left Address: %any
6. Left ID: 192.10.10.136 (WTI Unit)
7. Left Subnet: (undefined)
8. Right Address: 192.10.10.132 (Cisco Unit)
9. Right ID: 192.10.10.132
10. Right Subnet: 192.10.10.0/24
11. Pre-Shared Key: (defined)
12. Tunnel Options: (defined)
13. Associated Menu: (default)
Enter: #<CR> to change,
<ESC> to exit and save configuration ...
(Select option 12 to set the tunnel options shown below.)
IPSEC VPN CUSTOM OPTIONS DETAILS: [CISCO_TEST_IKEv2] IPv4/IPv6
1. Parameter: ike
2. Value: aes128-sha256-modp2048
IPSEC VPN CUSTOM OPTIONS DETAILS: [CISCO_TEST_IKEv2] IPv4/IPv6
1. Parameter: esp
2. Value: aes128-sha1
These two parameters are the strongSwan ike and esp connection settings: encryption-integrity-dhgroup for ike, and encryption-integrity[-dhgroup] for esp (the group is only needed when the peer requires PFS on rekey). The ike value must overlap with the Cisco IKEv2 proposal and the esp value with the Cisco transform set.
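The Cisco proposal/transform set and the WTI ike/esp values only interoperate if each algorithm position has something in common. The following Python script is an added example (not WTI, Cisco or strongSwan code): it normalises both notations to a common form, reports the first suite both sides can agree on, and flags weak DH groups and legacy hashes. The keyword tables are an assumption covering the CBC suites and the MODP/ECP groups listed on this page. It compares only the explicitly configured values; with ipsec.conf semantics strongSwan also appends its built-in default proposals unless the value ends in "!", and how the WTI menu hands the value to strongSwan is not shown here, so a mismatch of the explicit values may still negotiate on a fallback suite. Run against the values on this page it reports that the IKE proposals as written share no encryption algorithm (aes-cbc-256 versus aes128) and the ESP proposals share no integrity algorithm (esp-sha256-hmac versus sha1), and that the corrected pairs match.

```python
"""Check that the router's and the WTI's IKEv2 / ESP algorithm settings overlap.
Added example, not vendor code.  Only explicitly configured values are compared."""

# strongSwan keyword -> canonical name (assumed spelling; DH table mirrors this page's list)
SWAN_ENC = {"aes128": "aes-128", "aes192": "aes-192", "aes256": "aes-256", "3des": "3des"}
SWAN_INT = {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}
SWAN_DH = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
           "modp4096": 16, "modp6144": 17, "modp8192": 18, "ecp256": 19, "ecp384": 20,
           "ecp521": 21, "modp2048s256": 24}

# Cisco IOS keyword -> canonical name (IKEv2 proposal keywords and transform-set keywords)
CISCO_ENC = {"aes-cbc-128": "aes-128", "aes-cbc-192": "aes-192", "aes-cbc-256": "aes-256",
             "3des": "3des", "esp-aes": "aes-128", "esp-aes-192": "aes-192",
             "esp-aes-256": "aes-256", "esp-3des": "3des"}
CISCO_INT = {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha384": "sha384",
             "sha512": "sha512", "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1",
             "esp-sha256-hmac": "sha256", "esp-sha384-hmac": "sha384", "esp-sha512-hmac": "sha512"}

WEAK_DH = {1, 2, 5}            # 768/1024/1536-bit MODP; group 14 (2048-bit) is the floor today
LEGACY_HASH = {"md5", "sha1"}


def parse_strongswan(value):
    """'aes128-sha256-modp2048,aes256-sha1' -> [(enc_set, integ_set, dh_set), ...].
    A proposal without a DH keyword gets {None} (an esp= string without PFS)."""
    proposals = []
    for prop in value.split(","):
        enc, integ, dh = set(), set(), set()
        for tok in prop.strip().split("-"):
            if tok in SWAN_ENC:
                enc.add(SWAN_ENC[tok])
            elif tok in SWAN_INT:
                integ.add(SWAN_INT[tok])
            elif tok in SWAN_DH:
                dh.add(SWAN_DH[tok])
            else:
                raise ValueError(f"unknown strongSwan keyword {tok!r}")
        proposals.append((enc, integ, dh or {None}))
    return proposals


def parse_cisco(lines):
    """Cisco CLI lines -> [(enc_set, integ_set, dh_set)].  IOS offers every listed
    algorithm within one proposal, so all lines fold into a single tuple."""
    enc, integ, dh = set(), set(), set()
    for line in lines:
        tokens = []
        for tok in line.split():
            # 'esp-aes 256' is one transform: fold the key size into the keyword
            if tok.isdigit() and tokens and tokens[-1].startswith("esp-"):
                tokens[-1] += "-" + tok
            else:
                tokens.append(tok)
        if tokens[0] == "encryption":
            enc.update(CISCO_ENC[t] for t in tokens[1:])
        elif tokens[0] == "integrity":
            integ.update(CISCO_INT[t] for t in tokens[1:])
        elif tokens[0] == "group":
            dh.update(int(t) for t in tokens[1:])
        elif tokens[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in tokens[4:]:                       # tokens[3] is the set name
                if t in CISCO_ENC:
                    enc.add(CISCO_ENC[t])
                elif t in CISCO_INT:
                    integ.add(CISCO_INT[t])
                else:
                    raise ValueError(f"unknown transform {t!r}")
        elif tokens[:2] == ["set", "pfs"]:
            dh.add(int(tokens[2][len("group"):]))      # 'group14' -> 14
        else:
            raise ValueError(f"unhandled line {line!r}")
    return [(enc, integ, dh or {None})]


def compatible(side_a, side_b):
    """First (enc, integ, dh) intersection shared by one proposal from each side, else None."""
    for enc_a, int_a, dh_a in side_a:
        for enc_b, int_b, dh_b in side_b:
            common = (enc_a & enc_b, int_a & int_b, dh_a & dh_b)
            if all(common):
                return common
    return None


def weaknesses(*sides):
    """Sorted list of weak or legacy algorithms that any side is willing to offer."""
    found = set()
    for side in sides:
        for enc, integ, dh in side:
            found.update(f"dh-group-{g}" for g in dh if g in WEAK_DH)
            found.update(f"hash-{h}" for h in integ if h in LEGACY_HASH)
            if "3des" in enc:
                found.add("enc-3des")
    return sorted(found)


# Values as they appear on this page
CISCO_IKE = parse_cisco(["encryption aes-cbc-256", "integrity sha256", "group 14"])
CISCO_ESP = parse_cisco(["crypto ipsec transform-set SITE2-TS esp-aes esp-sha256-hmac",
                         "set pfs group14"])
WTI_IKE = parse_strongswan("aes128-sha256-modp2048")
WTI_ESP = parse_strongswan("aes128-sha1")

# Corrected pairs: also offer AES-128 on the router; give the WTI esp option the same
# integrity algorithm and the PFS group that the crypto map demands on rekey
CISCO_IKE_FIXED = parse_cisco(["encryption aes-cbc-256 aes-cbc-128", "integrity sha256", "group 14"])
WTI_ESP_FIXED = parse_strongswan("aes128-sha256-modp2048")


def report():
    """Per-SA result for the page's values and for the corrected pairs."""
    return {"ike_as_written": compatible(CISCO_IKE, WTI_IKE),
            "esp_as_written": compatible(CISCO_ESP, WTI_ESP),
            "ike_fixed": compatible(CISCO_IKE_FIXED, WTI_IKE),
            "esp_fixed": compatible(CISCO_ESP, WTI_ESP_FIXED),
            "weak": weaknesses(CISCO_IKE, CISCO_ESP, WTI_IKE, WTI_ESP)}


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:16} {value}")
```

Save as check_proposals.py and run it with python3; a None for any SA means no suite is common to both sides and the tunnel will only come up if one side falls back to a default proposal. To audit a different pair of peers, replace the four page values with the lines from your own router and WTI tunnel options.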
Diffie-Hellman group listing (the number is the IKE group ID used in the Cisco "group" / "set pfs" commands; the strongSwan keyword is modpNNNN or ecpNNN)
Diffie-Hellman group 1 - 768-bit modulus
Diffie-Hellman group 2 - 1024-bit modulus
Diffie-Hellman group 5 - 1536-bit modulus
Diffie-Hellman group 14 - 2048-bit modulus
Diffie-Hellman group 15 - 3072-bit modulus
Diffie-Hellman group 16 - 4096-bit modulus
Diffie-Hellman group 17 - 6144-bit modulus
Diffie-Hellman group 18 - 8192-bit modulus
Diffie-Hellman group 19 - 256-bit elliptic curve
Diffie-Hellman group 20 - 384-bit elliptic curve
Diffie-Hellman group 21 - 521-bit elliptic curve
Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and 256-bit prime-order subgroup
Groups 1, 2 and 5 are no longer considered adequate and should not be offered by either side; group 14 is the minimum, and the elliptic-curve groups 19 to 21 give equivalent or better strength with a cheaper exchange.
Rev. 1.2 (4/4/2020)