๐Ÿ›๏ธ ArchiZeroTrustโ€บ CCIEโ€บ VPNโ€บ IPsecโ€บ IKEv2โ€บ VTI

Topology

R1 (Initiator)
G0/0: 10.0.0.1/30
Tunnel0: 172.16.0.1/30
LAN: 192.168.1.0/24

R2 (Responder)
G0/0: 10.0.0.2/30
Tunnel0: 172.16.0.2/30
LAN: 192.168.2.0/24

Mode: route-based VTI
Auth: Pre-Shared Key
IKE: AES-256 + SHA-256 + DH14
IPsec: ESP AES-256 + SHA-256
IKEv2 messages: 4 messages (2 exchanges)

IKEv2 exchanges

Phase 1: IKE_SA_INIT
Phase 2: IKE_AUTH

✅ Tunnel UP
IKE SA established
Child SA / IPsec SA established
Interface Tunnel0 UP/UP

R1 config (Initiator)

! ── 1. IKEv2 Proposal ──────────────────────
crypto ikev2 proposal PROP-IKEv2
 encryption aes-cbc-256
 integrity sha256
 group 14

! ── 2. IKEv2 Policy ────────────────────────
crypto ikev2 policy POL-IKEv2
 proposal PROP-IKEv2

! ── 3. Keyring (PSK) ───────────────────────
crypto ikev2 keyring KR-IKEv2
 peer R2
  address 10.0.0.2
  pre-shared-key MySecret123

! ── 4. IKEv2 Profile ───────────────────────
crypto ikev2 profile PROF-IKEv2
 match identity remote address 10.0.0.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-IKEv2

! ── 5. IPsec Transform-Set (Child SA) ──────
crypto ipsec transform-set TS-ESP esp-aes 256 esp-sha256-hmac
 mode tunnel

! ── 6. IPsec Profile ───────────────────────
crypto ipsec profile IPSEC-PROF
 set transform-set TS-ESP
 set ikev2-profile PROF-IKEv2

! ── 7. VTI interface ───────────────────────
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF

! ── 8. Static route ────────────────────────
ip route 192.168.2.0 255.255.255.0 Tunnel0

R2 config (Responder)

! ── 1. IKEv2 Proposal ──────────────────────
crypto ikev2 proposal PROP-IKEv2
 encryption aes-cbc-256
 integrity sha256
 group 14

! ── 2. IKEv2 Policy ────────────────────────
crypto ikev2 policy POL-IKEv2
 proposal PROP-IKEv2

! ── 3. Keyring (PSK) ───────────────────────
crypto ikev2 keyring KR-IKEv2
 peer R1
  address 10.0.0.1
  pre-shared-key MySecret123

! ── 4. IKEv2 Profile ───────────────────────
crypto ikev2 profile PROF-IKEv2
 match identity remote address 10.0.0.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-IKEv2

! ── 5. IPsec Transform-Set (Child SA) ──────
crypto ipsec transform-set TS-ESP esp-aes 256 esp-sha256-hmac
 mode tunnel

! ── 6. IPsec Profile ───────────────────────
crypto ipsec profile IPSEC-PROF
 set transform-set TS-ESP
 set ikev2-profile PROF-IKEv2

! ── 7. VTI interface ───────────────────────
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF

! ── 8. Static route ────────────────────────
ip route 192.168.1.0 255.255.255.0 Tunnel0

Legend:

IKE_SA_INIT → proposal / policy
IKE_AUTH → keyring / ikev2 profile
Child SA → transform-set / ipsec profile
VTI → interface Tunnel + route
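As an added example (not the page's own code and not a Cisco tool), the Python script below audits the two configurations above before they are pushed to the routers. It parses the eight blocks, checks that every reference (policy → proposal, IKEv2 profile → keyring, IPsec profile → transform-set and IKEv2 profile, tunnel protection → IPsec profile) names a block that exists, checks that the keyring address, the `match identity` address and the tunnel destination agree, checks that the two peers agree on IKE suite, pre-shared key, ESP transform and Tunnel0 subnet, and files each finding under the exchange of the legend it would break. The embedded R1 text is the page's configuration with the comment banners removed; R2 is derived from it by swapping the addresses and the peer name, which yields exactly the page's R2. The ALLOWED_* / WEAK_ESP sets and the 16-character PSK minimum are this example's own baseline, an assumption rather than anything the page or Cisco prescribes; on the page's lab configs the only finding is the short pre-shared key.

```python
"""Audit the page's R1/R2 IKEv2 VTI configs: every reference must name an existing block, both
peers must agree, and the IKE/ESP suite must meet a baseline; findings are filed by exchange."""
import ipaddress
R1 = """crypto ikev2 proposal PROP-IKEv2
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-IKEv2
 proposal PROP-IKEv2
crypto ikev2 keyring KR-IKEv2
 peer R2
  address 10.0.0.2
  pre-shared-key MySecret123
crypto ikev2 profile PROF-IKEv2
 match identity remote address 10.0.0.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-IKEv2
crypto ipsec transform-set TS-ESP esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-ESP
 set ikev2-profile PROF-IKEv2
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
ip route 192.168.2.0 255.255.255.0 Tunnel0
"""
# R2 is R1 with the addresses and the peer name swapped, exactly as on the page.
R2 = (R1.replace("10.0.0.2", "@").replace("10.0.0.1", "10.0.0.2").replace("@", "10.0.0.1")
      .replace("172.16.0.1", "172.16.0.2").replace("peer R2", "peer R1").replace("192.168.2.0", "192.168.1.0"))
# Baseline this example enforces: an assumption of the example, not something the page states.
ALLOWED_ENC = {"aes-cbc-128", "aes-cbc-256", "aes-gcm-128", "aes-gcm-256"}
ALLOWED_INTEG, ALLOWED_DH = {"sha256", "sha384", "sha512"}, {14, 15, 16, 19, 20, 21}
WEAK_ESP, MIN_PSK_LEN = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}, 16
# (exchange, block holding the reference, sub-command carrying it, block the name must resolve to)
REFS = [("IKE_SA_INIT", "crypto ikev2 policy ", "proposal ", "crypto ikev2 proposal "),
        ("IKE_AUTH", "crypto ikev2 profile ", "keyring local ", "crypto ikev2 keyring "),
        ("CHILD_SA", "crypto ipsec profile ", "set transform-set ", "crypto ipsec transform-set "),
        ("CHILD_SA", "crypto ipsec profile ", "set ikev2-profile ", "crypto ikev2 profile "),
        ("VTI", "interface Tunnel", "tunnel protection ipsec profile ", "crypto ipsec profile ")]

def parse_ios(text):
    """{header line: [stripped sub-lines]} for each top-level command; '!' comment lines are skipped."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            cur = blocks.setdefault(line.strip(), [])
        elif cur is not None:
            cur.append(line.strip())
    return blocks

def sub(blocks, hdr_prefix, sub_prefix):
    """Text after sub_prefix in the first block whose header starts with hdr_prefix ('' if absent)."""
    lines = next((s for h, s in blocks.items() if h.startswith(hdr_prefix)), [])
    return next((l[len(sub_prefix):].strip() for l in lines if l.startswith(sub_prefix)), "")

def extract(text):
    """Fields the cross-peer checks need, plus the parsed blocks for the reference checks."""
    b = parse_ios(text)
    ts_hdr = next((h for h in b if h.startswith("crypto ipsec transform-set ")), "")
    ip_mask = sub(b, "interface Tunnel", "ip address ").replace(" ", "/") or "0.0.0.0/32"
    return {"blocks": b, "esp": tuple(ts_hdr.split()[4:]), "psk": sub(b, "crypto ikev2 keyring ", "pre-shared-key "),
            "suite": (sub(b, "crypto ikev2 proposal ", "encryption "), sub(b, "crypto ikev2 proposal ", "integrity "),
                      int(sub(b, "crypto ikev2 proposal ", "group ") or 0)),
            "kr_addr": sub(b, "crypto ikev2 keyring ", "address "), "tun_dst": sub(b, "interface Tunnel", "tunnel destination "),
            "match_addr": sub(b, "crypto ikev2 profile ", "match identity remote address ").split(" ")[0],
            "tun_net": str(ipaddress.ip_interface(ip_mask).network)}

def audit(r1_text, r2_text):
    """Findings keyed by the IKEv2 exchange they would break (the page's legend); all empty means OK."""
    peers = {"R1": extract(r1_text), "R2": extract(r2_text)}
    f = {"IKE_SA_INIT": [], "IKE_AUTH": [], "CHILD_SA": [], "VTI": []}
    for n, p in peers.items():
        for ex, holder, cmd, target in REFS:  # a typo in any reference silently breaks that exchange
            ref = sub(p["blocks"], holder, cmd)
            if not any(h == target + ref or h.startswith(target + ref + " ") for h in p["blocks"]):
                f[ex].append(f"{n}: '{cmd.strip()} {ref}' names no '{target.strip()}' block")
        if not (p["suite"][0] in ALLOWED_ENC and p["suite"][1] in ALLOWED_INTEG and p["suite"][2] in ALLOWED_DH):
            f["IKE_SA_INIT"].append(f"{n}: IKE suite {p['suite']} below baseline")
        if not p["kr_addr"] == p["match_addr"] == p["tun_dst"]:
            f["IKE_AUTH"].append(f"{n}: keyring address, match identity and tunnel destination disagree")
        if len(p["psk"]) < MIN_PSK_LEN:
            f["IKE_AUTH"].append(f"{n}: pre-shared key shorter than {MIN_PSK_LEN} characters")
        if WEAK_ESP & set(p["esp"]):
            f["CHILD_SA"].append(f"{n}: weak ESP transform in {p['esp']}")
    a, b = peers["R1"], peers["R2"]
    for ex, ok, msg in [("IKE_SA_INIT", a["suite"] == b["suite"], "peers have no common IKE proposal"),
                        ("IKE_AUTH", a["psk"] == b["psk"], "pre-shared keys differ: IKE_AUTH fails"),
                        ("CHILD_SA", a["esp"] == b["esp"], "transform-sets differ: no Child SA"),
                        ("VTI", a["tun_net"] == b["tun_net"], "Tunnel0 addresses are not in one subnet")]:
        if not ok:
            f[ex].append(msg)
    return f
```

Calling audit(R1, R2) on the page's configs returns empty lists for IKE_SA_INIT, CHILD_SA and VTI and the two short-PSK findings under IKE_AUTH. Feeding it a copy with a misspelled `set ikev2-profile` name, a different key on one side, or `integrity sha1` / `group 5` on one peer produces a finding under CHILD_SA, IKE_AUTH or IKE_SA_INIT respectively, i.e. under the exchange at which the tunnel would actually stop coming up, which is the order in which you would otherwise have to debug it on the routers.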