Cisco


Available in Classic.

This section describes how to configure the resources on a customer VPN gateway that are needed to create an IPsec VPN tunnel. If the VPN gateway device is a Cisco ASA series product, refer to the following.

Note

The local network is the customer network, and the remote network is the NAVER Cloud Platform private subnet. The peer IP is the public IP of the NAVER Cloud Platform VPN gateway.

Interface IP setting

The following shows how to set the IP address on the outside (public) interface and the inside (private) interface.

hostname(config)# interface ethernet0/0
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address <Public IP> <Subnet Mask>
hostname(config-if)# no shutdown

hostname(config)# interface ethernet0/1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address <internal private IP> <Subnet Mask>
hostname(config-if)# no shutdown

Routing setting

The following describes how to set routing:

hostname(config)# route outside 0 0 <VPN gateway public IP>

Network object group setting

Create one network object group for the local network and one for the remote network. Here's how to create them.

hostname(config)# object-group network <define group name>
hostname(config-network)# network-object host <host IP>
hostname(config-network)# network-object <network IP> <subnet mask>

Access setting

The method for setting network access is as follows:

  • Allow access from specific IP

    hostname(config)# access-list outside_20_cryptomap extended permit ip <internal private IP> <internal subnet mask> <private IP of remote network> <remote network internal subnet mask>
    
  • Allow network object group access

    hostname(config)# access-list <define access-list name> extended permit ip object-group <local object-group name> object-group <remote object-group name>
    

IKE setting

To set up IKE, configure an IKEv1 policy and an IKEv2 policy, then configure the encryption method that protects traffic under each one (an IKEv1 transform set and an IKEv2 proposal).

Note

The pre-shared key (password) and the authentication algorithm settings must match those of the IPsec VPN gateway created in the NAVER Cloud Platform console.

IKEv1 configuration

The following describes how to configure an IKEv1 policy.

hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)# authentication pre-share
hostname(config-ikev1-policy)# encryption 3des
hostname(config-ikev1-policy)# hash sha
hostname(config-ikev1-policy)# group 2
hostname(config-ikev1-policy)# lifetime 43200
hostname(config)# crypto ikev1 enable outside

  • D-H Group: 2
  • Authentication method: pre-share
  • Encryption Algorithm: 3des
  • Hash Algorithm: sha-1
  • lifetime: 43200

IKEv2 configuration

The following describes how to configure an IKEv2 policy.

hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)# encryption 3des
hostname(config-ikev2-policy)# integrity sha
hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)# prf sha
hostname(config-ikev2-policy)# lifetime seconds 43200
hostname(config)# crypto ikev2 enable outside

  • D-H Group: 2
  • Integrity Algorithm: sha-1
  • Pseudo Random Function (PRF) Algorithm: sha-1
  • Encryption Algorithm: 3des
  • lifetime: 43200

Create an IKEv1 transform set

Here's how to create a transform set for IKEv1 to protect traffic.

hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

  • Example transform set name: FirstSet
  • Encryption Algorithm: esp-3des
  • Hash Algorithm: esp-md5-hmac

Create IKEv2 proposal

Here's how to create a proposal for IKEv2 to protect traffic.

hostname(config)# crypto ipsec ikev2 ipsec-proposal secure
hostname(config-ipsec-proposal)# protocol esp encryption 3des
hostname(config-ipsec-proposal)# protocol esp integrity md5

  • Example proposal name: secure
  • Encryption Algorithm: 3des
  • Hash Algorithm: md5

Create tunnel group

Here's how to create a group policy and a tunnel group that uses it.

hostname(config)# group-policy DefaultGroupPolicy internal
hostname(config)# group-policy DefaultGroupPolicy attributes
hostname(config-group-policy)# vpn-tunnel-protocol ikev1 ikev2
hostname(config)# tunnel-group <Peer IP> type ipsec-l2l
hostname(config)# tunnel-group <Peer IP> general-attributes
hostname(config-tunnel-general)# default-group-policy DefaultGroupPolicy
hostname(config)# tunnel-group <Peer IP> ipsec-attributes
hostname(config-tunnel-ipsec)# ikev1 pre-shared-key <Pre-shared key value>
hostname(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key <Pre-shared key value>
hostname(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key <Pre-shared key value>

Note

Pre-shared key value must consist of 1 to 128 alphanumeric characters.

Create an encryption map and apply it to the interface

To create an encryption map and apply it to an interface:

  • Create an encryption map

    hostname(config)# crypto map <define map name> 1 match address <access-list name>
    hostname(config)# crypto map <map name> 1 set peer <Peer IP>
    hostname(config)# crypto map <map name> 1 set ikev1 transform-set <IKEv1 transform set name>
    hostname(config)# crypto map <map name> 1 set ikev2 ipsec-proposal <IKEv2 proposal name>
    
  • Apply the map to the interface

    hostname(config)# crypto map <map name> interface outside
    

Confirm connection

After completing all of the steps above, verify the interface and the VPN tunnel.

Confirm interface

The following describes how to check an interface:

hostname(config)# show ip

System IP Addresses:
Interface            Name       IP address     Subnet mask     Method
GigabitEthernet0/0   inside     192.168.1.1    255.255.255.0   manual
GigabitEthernet0/1   outside    10.0.0.1       255.255.255.0   manual

Current IP Addresses:
Interface            Name       IP address     Subnet mask     Method
GigabitEthernet0/0   inside     192.168.1.1    255.255.255.0   manual
GigabitEthernet0/1   outside    10.0.0.1       255.255.255.0   manual

Check VPN tunnel

The following describes how to check the VPN tunnel:

  • Enter show crypto ipsec sa

    hostname(config)# show crypto ipsec sa
    
    interface: outside
       Crypto map tag: MAP, seq num: 10, local addr: 10.0.0.1
        access-list VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
        remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/1/0)
    current_peer: 10.0.0.2
        #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
        #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 10.0.0.1/0, remote crypto endpt.: 10.0.0.2/0
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: DB680406
        current inbound spi : 1698CAC7
      inbound esp sas:
        spi: 0x1698CAC7 (379112135)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 16384, crypto-map: MAP
           sa timing: remaining key lifetime (kB/sec): (3914999/3326)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x0000001F
      outbound esp sas:
        spi: 0xDB680406 (3681027078)
           transform: esp-aes esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 16384, crypto-map: MAP
           sa timing: remaining key lifetime (kB/sec): (3914999/3326)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
           0x00000000 0x00000001
    
  • Enter show crypto isakmp sa

    hostname(config)# show crypto isakmp sa
    
    IKEv1 SAs:
    
       Active SA: 1
          Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    
    1   IKE Peer: 10.0.0.2
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    
  • Enter show crypto ikev2 sa detail

    hostname(config)# show crypto ikev2 sa detail
    
    IKEv2 SAs:
    
    Session-id:132, Status:UP-ACTIVE, IKE count:1, CHILD count:1
    
    Tunnel-id                  Local                Remote     Status         Role
    1574208993     198.51.100.1/4500    203.0.113.134/4500      READY    RESPONDER
          Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:24, Auth sign: PSK, Auth verify: PSK
          Life/Active Time: 86400/352 sec
          Session-id: 132
          Status Description: Negotiation done
          Local spi: 4FDFF215BDEC73EC       Remote spi: 2414BEA1E10E3F70
          Local id: 198.51.100.1
          Remote id: DynamicSite2Site1
          Local req mess id: 13             Remote req mess id: 17
          Local next mess id: 13            Remote next mess id: 17
          Local req queued: 13              Remote req queued: 17
          Local window: 1                   Remote window: 1
          DPD configured for 10 seconds, retry 2
          NAT-T is detected  outside
    Child sa: local selector  172.0.0.0/0 - 172.255.255.255/65535
              remote selector 172.16.1.0/0 - 172.16.1.255/65535
              ESP spi in/out: 0x9fd5c736/0x6c5b3cc9
              AH spi in/out: 0x0/0x0
              CPI in/out: 0x0/0x0
              Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
              ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
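As an added example (not part of the NAVER Cloud Platform page or any Cisco tooling), the Python helper below parses the show crypto ipsec sa and show crypto isakmp sa output shown above and classifies the tunnel as up, degraded or down, so the check can be scripted instead of read by eye. The sample outputs are constructed, abbreviated from the page's own, and the status strings and the "encapsulating but never decapsulating means one-way traffic" rule are this example's assumptions.

```python
import re

# Constructed samples, abbreviated from the ASA output shown on this page.
IPSEC_SA_SAMPLE = """\
current_peer: 10.0.0.2
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors: 0, #recv errors: 0
  inbound esp sas:
       transform: esp-aes esp-sha-hmac no compression
       sa timing: remaining key lifetime (kB/sec): (3914999/3326)
"""
ISAKMP_SA_SAMPLE = """\
IKEv1 SAs:
1   IKE Peer: 10.0.0.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

def parse_ipsec_sa(text):
    """Extract peer, packet counters and transform from 'show crypto ipsec sa'."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    return {
        "peer": grab(r"current_peer:\s*(\S+)"),
        "encaps": grab(r"#pkts encaps:\s*(\d+)", int),
        "decaps": grab(r"#pkts decaps:\s*(\d+)", int),
        "send_errors": grab(r"#send errors:\s*(\d+)", int),
        "recv_errors": grab(r"#recv errors:\s*(\d+)", int),
        "transform": grab(r"transform:\s*(.+?)\s+no compression"),
        "lifetime_sec": grab(r"\(kB/sec\):\s*\(\d+/(\d+)\)", int),
    }

def parse_isakmp_sa(text):
    # Phase-1 peer and state from 'show crypto isakmp sa' (IKEv1 section).
    m = re.search(r"IKE Peer:\s*(\S+).*?State\s*:\s*(\S+)", text, re.S)
    return {"peer": m.group(1), "state": m.group(2)} if m else None

def tunnel_health(ipsec, ike):
    """Classify the tunnel; MM_ACTIVE with zero decaps means one-way traffic."""
    if ike is None or ike["state"] != "MM_ACTIVE":
        return "down: no active IKEv1 SA"
    if ike["peer"] != ipsec["peer"]:
        return "down: IKE peer and IPsec peer differ"
    if ipsec["send_errors"] or ipsec["recv_errors"]:
        return "degraded: SA send/recv errors"
    if ipsec["encaps"] and not ipsec["decaps"]:
        return "degraded: encrypting but nothing decrypted (check remote ACL/selectors)"
    return "up"
```

Feed it the two command outputs captured from the ASA; a result other than "up" points at the phase (IKE versus IPsec) to troubleshoot first.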