Step 5: Corporate VPN with IPsec Tunnel

An IPsec IKEv2 VPN tunnel is configured between the the remote office and the VPN head end at the corporate office.

TNSR remote office IPsec VPN diagram

TNSR remote office IPsec VPN diagram

IPsec Deployment Parameters

The IPsec tunnel is built with the following parameters:

  • IP address of each tunnel endpoint, both the remote office and VPN head end.

  • Local and Remote Identity and Pre-Shared Key (PSK).

  • Compatible Phase 1 Proposal: AES128, SH1, DH14.

  • Compatible Phase 2 Proposal: AES128GCM16, DH14.

  • IP address assigned to the tunnel interface, typically a /30 subnet.

  • IP route to direct corporate traffic over IPsec tunnel via next-hop IP.

The parameters for this deployment were captured at IPsec VPN Tunnel Parameters.

ISP NAT Inbound Forwarding of ESP Packets

In this example, the Remote Office TNSR is behind NAT on the ISP cable mode, and using a Private IP address.

  • TNSR Outside IP: 192.168.0.53

  • TNSR Public IP: 203.0.113.65

The DMZ Host feature on the ISP cable modem is used to direct inbound ESP, IP Protocol 50, traffic to TNSR.

ISP Modem - DMZ Host

ISP Modem - DMZ Host

When possible, use a Public IP address directly on TNSR, without external NAT.

TNSR NAT Inbound Forwarding of ESP Packets

ESP packets use IP Protocol 50 for data transfer over the secured tunnel. TNSR NAT provides the ability to configure static mappings for IP protcols ICMP, UDP, and TCP. If using NAT on TNSR, and IPsec on the outside interface, you must enable global NAT forwarding to permit input ESP packets on the outside interface.

IKEv2 message exchange use UDP destination port 500 which if NAT static mapped will permit IKEv2 negotiation, but the ESP packets are needed to carry traffic.

nat global-options nat44 forwarding true

Configure IPsec Tunnel

Configure the IPsec tunnel on the remote office TNSR:

ipsec tunnel 108
  local-address 192.168.0.53
  remote-address 198.51.100.120
  crypto config-type ike
  crypto ike
    version 2
    lifetime 28800
    proposal 1
      encryption aes128
      integrity sha1
      group modp2048
      exit
    identity local
      type address
      value 203.0.113.65
      exit
    identity remote
      type address
      value 198.51.100.120
      exit
    authentication local
      round 1
        type psk
        psk AD78PPQMP00
        exit
      exit
    authentication remote
      round 1
        type psk
        psk AD78PPQMP00
        exit
      exit
    child 1
      lifetime 3600
      proposal 1
        encryption aes128gcm16
        no integrity
        group modp2048
        exit
      exit
    exit
  exit
#

Configure IP Tunnel Address

Configure a static IP route to direct corporate traffic over the IPsec tunnel via the next-hop:

interface ipip108
  ip address 172.21.254.30/30
  exit
#

To test, ping the other end of the IPsec tunnel with:

ping 172.21.254.29 source 172.21.254.30 count 5

Configure IP Route to Corporate

Configure a static IP route to direct corporate traffic over the IPsec tunnel via the next-hop on the IPsec tunnel:

route ipv4 table ipv4-VRF:0
  route 10.0.0.0/8
    next-hop 0 via 172.21.254.29 ipip108
    exit
  exit
#

Save changes:

configuration copy running startup