Step 5: Corporate VPN with IPsec Tunnel¶
An IPsec IKEv2 VPN tunnel is configured between the the remote office and the VPN head end at the corporate office.
IPsec Deployment Parameters¶
The IPsec tunnel is built with the following parameters:
IP address of each tunnel endpoint, both the remote office and VPN head end.
Local and Remote Identity and Pre-Shared Key (PSK).
Compatible Phase 1 Proposal: AES128, SH1, DH14.
Compatible Phase 2 Proposal: AES128GCM16, DH14.
IP address assigned to the tunnel interface, typically a /30 subnet.
IP route to direct corporate traffic over IPsec tunnel via next-hop IP.
The parameters for this deployment were captured at IPsec VPN Tunnel Parameters.
ISP NAT Inbound Forwarding of ESP Packets¶
In this example, the Remote Office TNSR is behind NAT on the ISP cable mode, and using a Private IP address.
TNSR Outside IP: 192.168.0.53
TNSR Public IP: 203.0.113.65
The DMZ Host feature on the ISP cable modem is used to direct inbound ESP, IP Protocol 50, traffic to TNSR.
When possible, use a Public IP address directly on TNSR, without external NAT.
TNSR NAT Inbound Forwarding of ESP Packets¶
ESP packets use IP Protocol 50 for data transfer over the secured tunnel. TNSR NAT provides the ability to configure static mappings for IP protcols ICMP, UDP, and TCP. If using NAT on TNSR, and IPsec on the outside interface, you must enable global NAT forwarding to permit input ESP packets on the outside interface.
IKEv2 message exchange use UDP destination port 500 which if NAT static mapped will permit IKEv2 negotiation, but the ESP packets are needed to carry traffic.
nat global-options nat44 forwarding true
Configure IPsec Tunnel¶
Configure the IPsec tunnel on the remote office TNSR:
ipsec tunnel 108 local-address 192.168.0.53 remote-address 198.51.100.120 crypto config-type ike crypto ike version 2 lifetime 28800 proposal 1 encryption aes128 integrity sha1 group modp2048 exit identity local type address value 203.0.113.65 exit identity remote type address value 198.51.100.120 exit authentication local round 1 type psk psk AD78PPQMP00 exit exit authentication remote round 1 type psk psk AD78PPQMP00 exit exit child 1 lifetime 3600 proposal 1 encryption aes128gcm16 no integrity group modp2048 exit exit exit exit #
Configure IP Tunnel Address¶
Configure a static IP route to direct corporate traffic over the IPsec tunnel via the next-hop:
interface ipip108 ip address 172.21.254.30/30 exit #
To test, ping the other end of the IPsec tunnel with:
ping 172.21.254.29 source 172.21.254.30 count 5
Configure IP Route to Corporate¶
Configure a static IP route to direct corporate traffic over the IPsec tunnel via the next-hop on the IPsec tunnel:
route ipv4 table ipv4-VRF:0 route 10.0.0.0/8 next-hop 0 via 172.21.254.29 ipip108 exit exit #
configuration copy running startup