HPE Community
Comware Based
1822504 Members
2353 Online
109642 Solutions
New Discussion

IKEv2 with VPN-Instances

 
Kiilerich
Occasional Contributor

‎09-18-2017 11:34 AM - edited ‎09-24-2017 08:16 AM

‎09-18-2017 11:34 AM - edited ‎09-24-2017 08:16 AM

IKEv2 with VPN-Instances

Hi

Currently I have a working GRE/IPSec setup with IKEv1. The outside(internet facing) interfcaces are member of a VPN-Instance called "outside". The rest of the interface are in the defaule VPN-Instance.

 I really like to move this configuration to IKEv2 but i´m having problems with the VPN-Instance part of it.

In IKEv1 I simply make the keychain member of the "outside" VPN-Instance and tell the GRE tunnel to use the "outside" VPN-Instance.

However when switching to IKEv2 im missing how get the GRE to en encapsulated in IPSEC and transported in the "outside" VPN-Instance. IKEv2 never goes into established.

 

Below are a working IKEv1 and my attempts to get a IKEv2 setup.

Anyone done something like this or might be able to spot what im missing?

 

Working IKEv1

RouterA-IKEv1
ip vpn-instance outside
route-distinguisher 123:123
#
interface GigabitEthernet1/0/1
description "Internet"
port link-mode route
ip binding vpn-instance outside
ip address 3.3.3.1 255.255.255.0
ipsec apply policy IpSecPolicy-1
#
interface GigabitEthernet1/0/2
description "LAN"
port link-mode route
ip address 171.20.1.252 255.255.255.0
#
interface Tunnel1 mode gre
ip address 10.1.1.2 255.255.255.252
source GigabitEthernet1/0/1
destination 1.1.1.1
tunnel vpn-instance outside
#
ip route-static vpn-instance outside 0.0.0.0 0 3.3.3.254
#
acl advanced 3000
rule 5 permit gre vpn-instance outside source 3.3.3.1 0 destination 1.1.1.1 0
#
ipsec transform-set IpSecTransformSet-1
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha512
pfs dh-group24
#
ipsec policy IpSecPolicy-1 10 isakmp
transform-set IpSecTransformSet-1
security acl 3000
local-address 3.3.3.1
remote-address 1.1.1.1
ike-profile IkeProfile-1
#
ike profile IkeProfile-1
keychain IkeKeyChain
exchange-mode aggressive
match remote identity address 1.1.1.1 255.255.255.255 vpn-instance outside
proposal 10
#
ike proposal 10
encryption-algorithm aes-cbc-256
dh group24
authentication-algorithm sha512
sa duration 600
#
ike keychain IkeKeyChain vpn-instance outside
pre-shared-key address 1.1.1.1 255.255.255.255 key cipher $c$3$bmECnXoNrRFWI/Q4gI3KehOid+cWgiUenA==

RouterB-IKEv1
ip vpn-instance outside
route-distinguisher 123:123
#
interface GigabitEthernet1/0/1
description "Internet"
port link-mode route
ip binding vpn-instance outside
ip address 1.1.1.1 255.255.255.0
ipsec apply policy IpSecPolicy-1
#
interface GigabitEthernet1/0/2
description "LAN"
port link-mode route
ip address 10.151.0.252 255.255.255.0
#
interface Tunnel1 mode gre
ip address 10.1.1.1 255.255.255.252
source GigabitEthernet1/0/1
destination 3.3.3.1
tunnel vpn-instance outside
#
ip route-static vpn-instance outside 0.0.0.0 0 1.1.1.254
#
acl advanced 3000
rule 5 permit gre vpn-instance outside source 1.1.1.1 0 destination 3.3.3.1 0
#
#
ipsec transform-set IpSecTransformSet-1
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha512
pfs dh-group24
#
ipsec policy IpSecPolicy-1 10 isakmp
transform-set IpSecTransformSet-1
security acl 3000
local-address 1.1.1.1
remote-address 3.3.3.1
ike-profile IkeProfile-1
#
ike profile IkeProfile-1
keychain IkeKeyChain
exchange-mode aggressive
match remote identity address 3.3.3.1 255.255.255.255 vpn-instance outside
proposal 10
#
ike proposal 10
encryption-algorithm aes-cbc-256
dh group24
authentication-algorithm sha512
sa duration 600
#
ike keychain IkeKeyChain vpn-instance outside
pre-shared-key address 3.3.3.1 255.255.255.255 key cipher $c$3$GH9iK18VFX/LdzAbIgBV6eK2A+83jMoAAw==

 


Nonworking IKEv2

RouterA-IKEv2
ip vpn-instance outside
route-distinguisher 123:123
#
interface GigabitEthernet1/0/1
description "Internet"
port link-mode route
ip binding vpn-instance outside
ip address 4.4.4.1 255.255.255.0
ipsec apply policy IpSecPolicy-1
#
interface GigabitEthernet1/0/2
description "LAN"
port link-mode route
ip address 10.20.1.253 255.255.255.0
#
interface Tunnel1 mode gre
ip address 10.1.1.6 255.255.255.252
source GigabitEthernet1/0/1
destination 2.2.2.1
tunnel vpn-instance outside
#
ip route-static vpn-instance outside 0.0.0.0 0 4.4.4.254
#
acl advanced 3000
rule 5 permit gre vpn-instance outside source 4.4.4.1 0 destination 2.2.2.1 0
#
ipsec transform-set IpSecTransformSet-1
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha512
#
ipsec policy IpSecPolicy-1 10 isakmp
transform-set IpSecTransformSet-1
security acl 3000
local-address 4.4.4.1
remote-address 2.2.2.1
ikev2-profile IkeV2Profile-1
#
ikev2 keychain IkeV2KeyChain
peer Taulov
address 2.2.2.1 255.255.255.255
identity address 2.2.2.1
pre-shared-key ciphertext $c$3$NuHqjBfo3lFRqaZro+/xW0K5bdOdKPyqhA==
#
ikev2 profile IkeV2Profile-1
authentication-method local pre-share
authentication-method remote pre-share
keychain IkeV2KeyChain
sa duration 600
dpd interval 10 periodic
identity local address 4.4.4.1
match remote identity address 2.2.2.1 255.255.255.255
#
ikev2 proposal 10
encryption aes-ctr-256
integrity sha512
dh group24
prf sha512
#
ikev2 policy IkeV2Policy-1
match vrf name outside
proposal 10
#

RouterB-IKEv2
ip vpn-instance outside
route-distinguisher 123:123
#
interface GigabitEthernet1/0/1
description "Internet"
port link-mode route
ip binding vpn-instance outside
ip address 2.2.2.1 255.255.255.0
ipsec apply policy IpSecPolicy-1
#
interface GigabitEthernet1/0/2
description "LAN"
port link-mode route
ip address 10.151.0.253 255.255.255.0
#
interface Tunnel1 mode gre
ip address 10.1.1.5 255.255.255.252
source GigabitEthernet1/0/1
destination 4.4.4.1
tunnel vpn-instance outside
#
ip route-static vpn-instance outside 0.0.0.0 0 2.2.2.254
#
acl advanced 3000
rule 5 permit gre vpn-instance outside source 2.2.2.1 0 destination 4.4.4.1 0
#
ipsec transform-set IpSecTransformSet-1
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha512
#
ipsec policy IpSecPolicy-1 10 isakmp
transform-set IpSecTransformSet-1
security acl 3000
local-address 2.2.2.1
remote-address 4.4.4.1
ikev2-profile IkeV2Profile-1
#
ikev2 keychain IkeV2KeyChain
peer Billund
address 4.4.4.1 255.255.255.255
identity address 4.4.4.1
pre-shared-key ciphertext $c$3$0w8agWeKr3oNEHMkgGb86QnsYzHdmIifQA==
#
ikev2 profile IkeV2Profile-1
authentication-method local pre-share
authentication-method remote pre-share
keychain IkeV2KeyChain
sa duration 600
dpd interval 10 periodic
identity local address 2.2.2.1
match remote identity address 4.4.4.1 255.255.255.255
#
ikev2 proposal 10
encryption aes-ctr-256
integrity sha512
dh group24
prf sha512
#
ikev2 policy IkeV2Policy-1
match vrf name outside
proposal 10

 

0 Kudos
1 REPLY 1
Kiilerich
Occasional Contributor

‎09-24-2017 08:13 AM - edited ‎09-24-2017 08:18 AM

‎09-24-2017 08:13 AM - edited ‎09-24-2017 08:18 AM

Re: IKEv2 with VPN-Instances

Hi as no one have answered on this I post my solution. This took many many hours as I cannot find any real good doc. from HPE or H3C.

The config below are made on a MSR958 the same router have 2 tunnels : 

 * Tunnel 0 running IKEv2 within a VPN

 * Tunnel 1 running IKEv1 within another VPN

I only show sample config for one router as the peer router are the same just with oter IPs.

 

If you find this usefull please "kudos" and add any comments.

 

IKEv2 setup

- Create a VPN for the outside interface(internet) used for IKEv2
#
ip vpn-instance outside-3
route-distinguisher 3:3


- Create IKEv2 with settings as per your need. Keep special attension to the VPN
- Warning RANT... (COMWARE now suddenly use the name "vrf".... W.T.F.!!!!!!!! COMWARE select one and stick to it!! Same goes for "simple" and "plain" in PSK for the KeyChain )
#
ikev2 keychain IkeV2KeyChain
peer OtherRouter
address 11.22.33.44 255.255.255.255
pre-shared-key plaintext <aPSK>
#
ikev2 profile IkeV2Profile-1
authentication-method local pre-share
authentication-method remote pre-share
keychain IkeV2KeyChain
match vrf name outside-3
match remote identity address 11.22.33.44 255.255.255.255
#
ikev2 proposal IkeV2Proposal-1
encryption aes-ctr-256
integrity sha512
dh group24
prf sha512
#
ikev2 policy IkeV2Policy-1
priority 10
match vrf name outside-3
proposal IkeV2Proposal-1
#

 

- Create a IPSEC with setting as per your need
#
ipsec transform-set IpSecTransformSet-1
esp encryption-algorithm camellia-cbc-256
esp authentication-algorithm aes-xcbc-mac
pfs dh-group24
#
ipsec policy IpSecPolicy-1 10 isakmp
transform-set IpSecTransformSet-1
security acl name aclCryptoDomain
remote-address 11.22.33.44
ikev2-profile IkeV2Profile-1
#
ipsec transform-set IpSecTransformSet-1
esp encryption-algorithm camellia-cbc-256
esp authentication-algorithm aes-xcbc-mac
pfs dh-group24

 

- Assign interface to VPN, apply IP and apply IPSEC policy
#
interface GigabitEthernet0/0
ip binding vpn-instance outside-3
ip address 1.2.3.4 255.255.255.0
ipsec apply policy IpSecPolicy-1

- Create tunnel interface of type GRE. Assign the tunnel to VPN. Remember source and destination IPs as well as tunnel IPs
#
interface Tunnel 0 mode gre
ip address 10.11.24.54 255.255.255.252
source GigabitEthernet0/0
destination 11.22.33.44
tunnel vpn-instance outside-3

- Create a "0" route in the VPN to reach the internet
#
ip route-static vpn-instance outside-3 0.0.0.0 0 1.2.3.254

 

 

 

 

 

 

 

 


IKEv1 setup

- Create a VPN for the outside interface(internet) used for IKEv1
#
ip vpn-instance outside-7
route-distinguisher 7:7

 

- Create IKEv2 with settings as per your need. Keep special attension to the VPN
#
ike proposal 10
encryption-algorithm aes-cbc-256
dh group24
authentication-algorithm sha512
sa duration 1200
#
ike keychain IkeKeyChain vpn-instance outside-7
pre-shared-key address 55.66.77.88 255.255.255.255 key simple <aPSK>
#
ike profile IkeProfile-1
keychain IkeKeyChain
match remote identity address 55.66.77.88 255.255.255.255 vpn-instance outside-7
proposal 10


- Create a IPSEC with setting as per your need
#
ipsec transform-set IpSecTransformSet-2
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha512
pfs dh-group14
#
ipsec policy IpSecPolicy-2 10 isakmp
transform-set IpSecTransformSet-2
security acl name aclCryptoDomain
remote-address 55.66.77.88
ike-profile IkeProfile-1

 

- Assign interface to VPN, apply IP and apply IPSEC policy
#
interface GigabitEthernet0/1
ip binding vpn-instance outside-7
ip address 5.6.7.8 255.255.255.0
ipsec apply policy IpSecPolicy-2

 

- Create tunnel interface of type GRE. Assign the tunnel to VPN. Remember source and destination IPs as well as tunnel IPs
#
interface Tunnel 1 mode gre
ip address 10.11.24.62 255.255.255.252
source GigabitEthernet0/1
destination 55.66.77.88
tunnel vpn-instance outside-7
#


- Create a "0" route in the VPN to reach the internet
#
ip route-static vpn-instance outside-7 0.0.0.0 0 5.6.7.254

 

 


Shared:
#
acl advanced name aclCryptoDomain
rule 0 permit gre vpn-instance outside-3 source 1.2.3.4 0 destination 11.22.33.44 0
rule 5 deny ip vpn-instance outside-3
rule 10 permit gre vpn-instance outside-7 source 5.6.7.8 0 destination 55.66.77.88 0
rule 15 deny ip vpn-instance outside-7
#

 

 

The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.