Available in Classic.
This section describes how to configure a customer VPN gateway to create an IPsec VPN tunnel. If the VPN gateway device is a Cisco ASA series product, refer to the following.
In the commands below, the local network is the customer network, the remote network is the NAVER Cloud Platform private subnet, and the peer IP is the public IP of the NAVER Cloud Platform VPN gateway.
Interface IP setting
The following describes how to set an interface IP.
hostname(config)# interface ethernet0/0
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address <Public IP> <Subnet Mask>
hostname(config-if)# no shutdown
hostname(config)# interface ethernet0/1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address <internal private IP> <Subnet Mask>
hostname(config-if)# no shutdown
Routing setting
The following describes how to set routing:
hostname(config)# route outside 0 0 <VPN gateway public IP>
Network object group setting
Create an object group for each local network and remote network. Here's how to create it.
hostname(config)# object-group network <define group name>
hostname(config-network)# network-object host <host IP>
hostname(config-network)# network-object <network IP> <subnet mask>
Access setting
The method for setting network access is as follows:
- Allow access from a specific IP
hostname(config)# access-list outside_20_cryptomap extended permit ip <internal private IP> <internal subnet mask> <private IP of remote network> <remote network internal subnet mask>
- Allow network object group access
hostname(config)# access-list <define access-list name> extended permit ip object-group <local object-group name> object-group <remote object-group name>
IKE setting
To set up IKE, configure the IKEv1 and IKEv2 policies, then define the encryption methods that protect the tunnel traffic (an IKEv1 transform set and an IKEv2 proposal).
The encryption and authentication algorithm settings must match those of the IPsec VPN gateway created in the NAVER Cloud Platform console.
IKEv1 configuration
The following describes how to configure an IKEv1 policy.
hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)# authentication pre-share
hostname(config-ikev1-policy)# encryption 3des
hostname(config-ikev1-policy)# hash sha
hostname(config-ikev1-policy)# group 2
hostname(config-ikev1-policy)# lifetime 43200
hostname(config)# crypto ikev1 enable outside
- D-H Group: 2
- Authentication method: pre-share
- Encryption Algorithm: 3des
- Hash Algorithm: sha-1
- lifetime: 43200
IKEv2 configuration
The following describes how to configure an IKEv2 policy.
hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)# encryption 3des
hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)# prf sha
hostname(config-ikev2-policy)# lifetime 43200
hostname(config)# crypto ikev2 enable outside
- D-H Group: 2
- Pseudo Random Function (PRF) Algorithm: sha-1
- Encryption Algorithm: 3des
- lifetime: 43200
Create an IKEv1 transform set
Here's how to create a transform set for IKEv1 to protect traffic.
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
- Example transform set name: FirstSet
- Encryption Algorithm: esp-3des
- Hash Algorithm: esp-md5-hmac
Create IKEv2 proposal
Here's how to generate a proposal for IKEv2 to protect traffic.
hostname(config)# crypto ipsec ikev2 ipsec-proposal secure
hostname(config-ipsec-proposal)# protocol esp encryption 3des
hostname(config-ipsec-proposal)# protocol esp integrity md5
- Example proposal name: secure
- Encryption Algorithm: 3des
- Hash Algorithm: md5
Create tunnel group
Here's how to create a tunnel group using an existing Group Policy.
hostname(config)# group-policy DefaultGroupPolicy internal
hostname(config)# group-policy DefaultGroupPolicy attributes
hostname(config-group-policy)# vpn-tunnel-protocol ikev1 ikev2
hostname(config)# tunnel-group <Peer IP> type ipsec-l2l
hostname(config)# tunnel-group <Peer IP> general-attributes
hostname(config-tunnel-general)# default-group-policy DefaultGroupPolicy
hostname(config)# tunnel-group <Peer IP> ipsec-attributes
hostname(config-tunnel-ipsec)# ikev1 pre-shared-key <Pre-shared key value>
hostname(config-tunnel-ipsec)# ikev2 remote-authentication certificate
The pre-shared key value must consist of 1 to 128 alphanumeric characters.
Create an encryption map and apply it to the interface
To create an encryption map and apply it to an interface:
- Create an encryption map
hostname(config)# crypto map <define map name> 1 match address <access-list name>
hostname(config)# crypto map <map name> 1 set peer <Peer IP>
hostname(config)# crypto map <map name> 1 set ikev1 transform-set <IKEv1 transform set name>
hostname(config)# crypto map <map name> 1 set ikev2 ipsec-proposal <IKEv2 proposal name>
- Apply to the interface
hostname(config)# crypto map <map name> interface outside
Confirm connection
After completing all of the steps above, you can check the interface and the VPN tunnel.
Confirm interface
The following describes how to check an interface:
hostname(config)# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 inside 192.168.1.1 255.255.255.0 manual
GigabitEthernet0/1 outside 10.0.0.1 255.255.255.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 inside 192.168.1.1 255.255.255.0 manual
GigabitEthernet0/1 outside 10.0.0.1 255.255.255.0 manual
Check VPN tunnel
The following describes how to check VPN tunnel:
- Enter show crypto ipsec sa
hostname(config)# show crypto ipsec sa
interface: outside
    Crypto map tag: MAP, seq num: 10, local addr: 10.0.0.1
      access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/1/0)
      current_peer: 10.0.0.2
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 10.0.0.1/0, remote crypto endpt.: 10.0.0.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: DB680406
      current inbound spi : 1698CAC7
    inbound esp sas:
      spi: 0x1698CAC7 (379112135)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16384, crypto-map: MAP
         sa timing: remaining key lifetime (kB/sec): (3914999/3326)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xDB680406 (3681027078)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16384, crypto-map: MAP
         sa timing: remaining key lifetime (kB/sec): (3914999/3326)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
- Enter show crypto isakmp sa
hostname(config)# show crypto isakmp sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 10.0.0.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
- Enter show crypto IKEv2 sa det
hostname(config)# show crypto IKEv2 sa det
IKEv2 SAs:
Session-id:132, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id   Local                 Remote                 Status   Role
1574208993  198.51.100.1/4500     203.0.113.134/4500     READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:24, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/352 sec
      Session-id: 132
      Status Description: Negotiation done
      Local spi: 4FDFF215BDEC73EC       Remote spi: 2414BEA1E10E3F70
      Local id: 198.51.100.1
      Remote id: DynamicSite2Site1
      Local req mess id: 13            Remote req mess id: 17
      Local next mess id: 13           Remote next mess id: 17
      Local req queued: 13             Remote req queued: 17
      Local window: 1                  Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is detected outside
Child sa: local selector 172.0.0.0/0 - 172.255.255.255/65535
          remote selector 172.16.1.0/0 - 172.16.1.255/65535
          ESP spi in/out: 0x9fd5c736/0x6c5b3cc9
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
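As an added example (not part of this NAVER Cloud Platform page and not Cisco tooling), the following Python function parses the show crypto isakmp sa and show crypto ipsec sa output above and reports whether the tunnel is actually healthy: the IKE SA with the expected peer has reached MM_ACTIVE, packets are both encapsulated and decapsulated with no send/receive errors, anti-replay is enabled, and the negotiated ESP transform is the one you configured. The embedded sample outputs are constructed, abridged copies of the page's examples; the peer address and expected transform are parameters you supply.

```python
import re

# Constructed samples, abridged from the "show crypto isakmp sa" and
# "show crypto ipsec sa" output shown on this page (not a live capture).
ISAKMP_SA = """\
IKEv1 SAs:
   Active SA: 1
Total IKE SA: 1
1   IKE Peer: 10.0.0.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""
IPSEC_SA = """\
interface: outside
    Crypto map tag: MAP, seq num: 10, local addr: 10.0.0.1
      current_peer: 10.0.0.2
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0
    inbound esp sas:
         transform: esp-aes esp-sha-hmac no compression
         replay detection support: Y
    outbound esp sas:
         transform: esp-aes esp-sha-hmac no compression
         replay detection support: Y
"""

def check_tunnel(isakmp_out, ipsec_out, peer, expected_transform):
    """Parse the two show outputs; 'ok' is True only when every check passes."""
    f = {}
    # Phase 1: the IKE SA with the NAVER peer must have reached MM_ACTIVE.
    m = re.search(r"IKE Peer:\s*(\S+).*?State\s*:\s*(\S+)", isakmp_out, re.S)
    f["ike_active"] = bool(m and m.group(1) == peer and m.group(2) == "MM_ACTIVE")
    # Phase 2: packets must be encapsulated AND decapsulated (traffic both ways),
    # with zero send/receive errors. Missing counters are reported as -1.
    def counter(name):
        c = re.search(name + r":\s*(\d+)", ipsec_out)
        return int(c.group(1)) if c else -1
    f["encaps"], f["decaps"] = counter("#pkts encaps"), counter("#pkts decaps")
    f["errors"] = counter("#send errors") + counter("#recv errors")
    # Every ESP SA must use the transform agreed with the console and have
    # anti-replay on; a different transform means the wrong proposal was picked.
    transforms = set(re.findall(r"transform:\s*(esp-\S+ esp-\S+)", ipsec_out))
    replay = re.findall(r"replay detection support:\s*(\S)", ipsec_out)
    f["transform_ok"] = transforms == {expected_transform}
    f["replay_ok"] = bool(replay) and all(r == "Y" for r in replay)
    f["ok"] = (f["ike_active"] and f["encaps"] > 0 and f["decaps"] > 0
               and f["errors"] == 0 and f["transform_ok"] and f["replay_ok"])
    return f
```

Pass the transform set you actually configured: the page's sample output negotiated esp-aes esp-sha-hmac, so checking it against the esp-3des esp-md5-hmac transform set configured above correctly reports a mismatch.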