R2:
1. Create keyring
   crypto ikev2 keyring MYKEYS
    peer R3
     address 203.0.113.1
     pre-shared-key Cisco123
2. Create IKEv2 profile
   crypto ikev2 profile IKEV2-PROFILE
    match identity remote address 203.0.113.1 255.255.255.255
    identity local address 203.0.113.3   << without this, the peer receives identity 192.168.1.10
    authentication remote pre-share
    authentication local pre-share
    keyring local MYKEYS
3. Create IPsec profile
   crypto ipsec profile IPSEC-PROFILE
    set ikev2-profile IKEV2-PROFILE
4. Create tunnel interface
   interface Tunnel1
    ip address 172.16.11.1 255.255.255.252
    tunnel source Ethernet0/0
    tunnel mode ipsec ipv4
    tunnel destination 203.0.113.1
    tunnel protection ipsec profile IPSEC-PROFILE
R3:
1. Create keyring
   crypto ikev2 keyring MYKEYS
    peer R2
     address 203.0.113.3
     pre-shared-key Cisco123
2. Create IKEv2 profile
   crypto ikev2 profile IKEV2-PROFILE
    match identity remote address 203.0.113.3 255.255.255.255
    authentication remote pre-share
    authentication local pre-share
    keyring local MYKEYS
3. Create IPsec profile
   crypto ipsec profile IPSEC-PROFILE
    set ikev2-profile IKEV2-PROFILE
4. Create tunnel interface
   interface Tunnel1
    ip address 172.16.11.2 255.255.255.252
    tunnel source Ethernet0/0
    tunnel mode ipsec ipv4
    tunnel destination 203.0.113.3
    tunnel protection ipsec profile IPSEC-PROFILE
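The identity pitfall at step 2 (the "match identity remote address" on one side must equal what the other side actually sends) is easy to check offline. The following Python script is an added example, not part of this lab or of IOS: it parses the relevant lines of the two snippets above and reports any mismatch in keyring peer address, tunnel destination, pre-shared key or presented identity. The identity a router sends when "identity local address" is absent is passed in as an assumed value (192.168.1.10 for R2, as observed above).

```python
import re

# Constructed sample: the relevant lines of the R2 and R3 snippets above.
R2_CFG = """crypto ikev2 keyring MYKEYS
 peer R3
  address 203.0.113.1
  pre-shared-key Cisco123
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 identity local address 203.0.113.3
interface Tunnel1
 tunnel destination 203.0.113.1
"""
R3_CFG = """crypto ikev2 keyring MYKEYS
 peer R2
  address 203.0.113.3
  pre-shared-key Cisco123
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 203.0.113.3 255.255.255.255
interface Tunnel1
 tunnel destination 203.0.113.3
"""

def parse_ios(cfg: str) -> dict:
    """Pull the fields that must agree between the two IKEv2 peers."""
    def grab(pattern: str):
        m = re.search(pattern, cfg, re.MULTILINE)
        return m.group(1) if m else None
    return {
        "peer_address": grab(r"^\s*address (\S+)"),
        "psk": grab(r"^\s*pre-shared-key (\S+)"),
        "match_remote": grab(r"^\s*match identity remote address (\S+)"),
        "identity_local": grab(r"^\s*identity local address (\S+)"),
        "tunnel_dest": grab(r"^\s*tunnel destination (\S+)"),
    }

def check_peers(a: dict, a_default_id: str, b: dict, b_default_id: str) -> list:
    """Return mismatches between the two sides (empty list = consistent).
    *_default_id: identity sent when 'identity local address' is absent (assumed)."""
    problems = []
    for me, peer, peer_default in ((a, b, b_default_id), (b, a, a_default_id)):
        presented = peer["identity_local"] or peer_default
        if me["match_remote"] != presented:
            problems.append(f"match identity remote address {me['match_remote']} but peer presents {presented}")
        if me["peer_address"] != me["tunnel_dest"]:
            problems.append(f"keyring peer {me['peer_address']} != tunnel destination {me['tunnel_dest']}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    return problems
```

Removing the "identity local address" line from R2_CFG reproduces the failure noted above: R3 expects 203.0.113.3 but R2 presents 192.168.1.10.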
Palo Alto:
A security policy in only one direction (R2 to R3) is needed to allow the tunnel to be established.
R2 e0/0 capture:
two IKE_SA_INIT packets on UDP/500
two IKE_AUTH packets on UDP/4500
Log:
R3 to R2 is denied since there is no security policy in this direction.
The session on UDP/500 is timed out after 10 minutes, but the IKEv2 SA has a default lifetime of 1 day, so an IKE message that R3 initiates on UDP/500 after that session has aged out is denied.
The session on UDP/4500 has a one-hour timeout; if DPD is enabled on the router, it is sent over this port and keeps that session alive.
note:
At the beginning, the VPN didn't come up: IKE_SA_INIT didn't pass through the FW for some reason; clearing the session resolved the issue.
Capture on the transmit and receive stages.