Outline
This page gives a configuration example for connecting the Edge Gateway device to a Cisco router over IPsec.
Preconditions
It is recommended to have knowledge on the following items:
- Basic knowledge of the CLI operation of Cisco router
- Basic knowledge of the VPN settings on the Cisco IOS
- Basic knowledge of the CLI of Edge Gateway
Configuration
Encrypt packet data between the Edge Gateway and the Cisco router with IPsec.
Cisco router
- Model: Cisco 841J
- IOS: Ver 15.5
- IP address on the WAN side: 172.16.10.1 (GigabitEthernet0/4)
- IP address on the LAN side: 192.168.10.1/24 (Vlan1)
Gateway for checking communication (Edge Gateway is used in this procedure)
- IP address: 192.168.10.2/24
Edge Gateway
- Firmware: Ver 1.2.3
- IP address on the WAN side: 172.16.10.2/24 (eth0)
- IP address on the LAN side: 192.168.0.254/24 (br0)
PC for checking communication
- OS: Windows 10
- IP address: 192.168.0.10/24
Encryption method
- IKE version 2
- AES-CBC 128-bit
- SHA1 HMAC
Authentication method
- Pre-shared key: password123
STEP1: Setting each device
Setting the Cisco router
Configure the following settings on the Cisco side.
crypto ikev2 proposal ikev2proposal
encryption aes-cbc-128
integrity sha1
group 5
crypto ikev2 policy ikev2policy
match fvrf any
proposal ikev2proposal
crypto ikev2 keyring keys
peer strongswan
address 172.16.10.2 ← IP address on the WAN side of Edge Gateway
pre-shared-key local password123 ← Pre-shared key
pre-shared-key remote password123 ← Pre-shared key
crypto ikev2 profile ikev2profile
match identity remote address 172.16.10.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local keys
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
crypto map cmap 10 ipsec-isakmp
set peer 172.16.10.2 ← IP address on the WAN side of Edge Gateway
set transform-set TS
set ikev2-profile ikev2profile
match address cryptoacl
interface Vlan1
ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/4
ip address 172.16.10.1 255.255.255.0 ← IP address on the WAN side of Cisco
crypto map cmap
ip access-list extended cryptoacl
permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
ip route 192.168.0.0 255.255.255.0 172.16.10.2 ← Configuring routing for Edge Gateway (br0 side)
Setting the Edge Gateway
Setting the interface
In configuration mode, set the IP address for eth0.
amnimo(cfg)# interface eth0
amnimo(cfg-interface-eth0)#
amnimo(cfg-interface-eth0)# address 172.16.10.2/24 ← IP address on the WAN side of Edge Gateway
amnimo(cfg-interface-eth0)# exit
amnimo(cfg)#
The IP address of br0 is 192.168.0.254 by default, so no additional setting is needed for it.
For the detailed procedure of changing the IP address, refer to "エッジゲートウェイシリーズ CLIユーザーズマニュアル (amnimo.com)". (Japanese Only)
Configuring static routing
Configure static routing to connect with the environment under the Cisco router.
amnimo(cfg)# routing static cisco
amnimo(cfg-rts-default)# to 192.168.10.0/24 ← Network address on the LAN side of Cisco
amnimo(cfg-rts-default)# via 172.16.10.1 ← IP address on the WAN side of Cisco
amnimo(cfg-rts-default)# interface eth0 ← Set to eth0
amnimo(cfg-rts-default)# exit
IKE settings
Enter configuration mode and configure the settings as follows:
amnimo(cfg)# ipsec ike ike01 ← Specify the setting name. (In this example, ike01 is specified as a name.)
amnimo(cfg-ips-ike-{ike01})# local address 172.16.10.2 ← IP address on the WAN side of Edge Gateway
amnimo(cfg-ips-ike-{ike01})# local id ipv4 172.16.10.2 ← Local ID
amnimo(cfg-ips-ike-{ike01})# remote address 172.16.10.1 ← IP address on the WAN side of Cisco
amnimo(cfg-ips-ike-{ike01})# remote id ipv4 172.16.10.1 ← Remote ID
amnimo(cfg-ips-ike-{ike01})# authentication pre-shared-key
Enter new password: password123 ← Pre-shared key set for Cisco
Retype new password: password123 ← Enter it again for confirmation.
amnimo(cfg-ips-ike-{ike01})# transform encryption aes128 integrity sha1 prf sha1 dh-group 5
amnimo(cfg-ips-ike-{ike01})# exit
Check the settings in IKE mode.
SA settings
Similarly, configure the settings in configuration mode as follows:
amnimo(cfg)# ipsec sa sa01 ← Specify the setting name. (In this example, sa01 is specified as a name.)
amnimo(cfg-ips-sa-{sa01})# enable
amnimo(cfg-ips-sa-{sa01})# key-exchange ike ike01 ← Specify the IKE name used for key exchange.
amnimo(cfg-ips-sa-{sa01})# transform encryption aes128 integrity sha1 ← Specify the encryption and integrity algorithms.
amnimo(cfg-ips-sa-{sa01})# negotiation-mode initiate ← Establish IPsec automatically.
amnimo(cfg-ips-sa-{sa01})# local subnet 192.168.0.0/24 ← br0 local subnet
amnimo(cfg-ips-sa-{sa01})# remote subnet 192.168.10.0/24 ← Cisco Vlan1 subnet
amnimo(cfg-ips-sa-{sa01})# exit
In SA mode, check the settings.
amnimo(cfg-ips-sa-{sa01})# show config
enable
key-exchange ike ike01
negotiation-mode initiate
rekey
type esp
mode tunnel
anti-replay
transform encryption aes128 integrity sha1
lifetime 1h
local subnet 192.168.0.0/24
remote subnet 192.168.10.0/24
Save the settings. (Please note that if you do not save the settings, they will be deleted when rebooting the Edge Gateway device.)
amnimo(cfg)# config file save
startup-config file already exists. Do you want to overwrite? (y/N): y
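The most common cause of an IPsec tunnel that negotiates but never passes traffic is that the two sides do not mirror each other: the Cisco crypto ACL must match the Edge Gateway's local/remote subnets in reverse, the peer address must equal the Edge Gateway's WAN address, and the IKEv2 proposal (cipher, integrity, DH group) must agree. The following script is an added example, not part of this manual or of either vendor's software. It embeds constructed excerpts of the two configurations shown above, converts the Cisco wildcard mask to a prefix, and reports every mismatch. The name mapping between Cisco IOS algorithm keywords and the Edge Gateway keywords (aes-cbc-128 to aes128, and so on) is an assumption limited to the values this page uses plus the other AES-CBC sizes.

```python
import ipaddress
import re

# Constructed excerpts of the two configurations from this procedure (Cisco IOS
# on one end of the tunnel, Edge Gateway on the other), embedded so the check
# runs offline. Only the lines the check needs are included.
CISCO_CONFIG = """\
crypto ikev2 proposal ikev2proposal
 encryption aes-cbc-128
 integrity sha1
 group 5
crypto map cmap 10 ipsec-isakmp
 set peer 172.16.10.2
 match address cryptoacl
ip access-list extended cryptoacl
 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

EDGE_CONFIG = """\
ipsec ike ike01
 local address 172.16.10.2
 remote address 172.16.10.1
 transform encryption aes128 integrity sha1 prf sha1 dh-group 5
ipsec sa sa01
 local subnet 192.168.0.0/24
 remote subnet 192.168.10.0/24
"""

# Assumed mapping of Cisco IOS encryption keywords to the Edge Gateway spelling;
# only the AES-CBC sizes are covered (the page uses aes-cbc-128 / aes128).
ENCRYPTION_NAMES = {"aes-cbc-128": "aes128", "aes-cbc-192": "aes192", "aes-cbc-256": "aes256"}


def _field(pattern, text):
    """Return the match object for the first line matching pattern, or raise."""
    m = re.search(pattern, text, re.MULTILINE)
    if not m:
        raise ValueError(f"configuration lacks a line matching {pattern!r}")
    return m


def wildcard_to_network(address, wildcard):
    """Convert a Cisco ACL 'address wildcard' pair to a network.
    A wildcard mask is the bitwise inverse of a subnet mask (0.0.0.255 -> /24)."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def parse_cisco(text):
    src, src_wc, dst, dst_wc = _field(r"^\s*permit ip (\S+) (\S+) (\S+) (\S+)", text).groups()
    return {
        "peer": _field(r"^\s*set peer (\S+)", text).group(1),
        "local_net": wildcard_to_network(src, src_wc),   # network behind the router
        "remote_net": wildcard_to_network(dst, dst_wc),  # network behind the Edge Gateway
        "encryption": _field(r"^\s*encryption (\S+)", text).group(1),
        "integrity": _field(r"^\s*integrity (\S+)", text).group(1),
        "group": _field(r"^\s*group (\d+)", text).group(1),
    }


def parse_edge(text):
    enc, integ, _prf, group = _field(
        r"^\s*transform encryption (\S+) integrity (\S+) prf (\S+) dh-group (\d+)", text).groups()
    return {
        "local_addr": _field(r"^\s*local address (\S+)", text).group(1),
        "local_net": ipaddress.ip_network(_field(r"^\s*local subnet (\S+)", text).group(1)),
        "remote_net": ipaddress.ip_network(_field(r"^\s*remote subnet (\S+)", text).group(1)),
        "encryption": enc,
        "integrity": integ,
        "group": group,
    }


def check_consistency(cisco, edge):
    """Return a list of mismatches; an empty list means the two sides mirror each other."""
    problems = []
    if cisco["peer"] != edge["local_addr"]:
        problems.append(f"Cisco peer {cisco['peer']} != Edge Gateway local address {edge['local_addr']}")
    if cisco["local_net"] != edge["remote_net"]:
        problems.append(f"Cisco ACL source {cisco['local_net']} != Edge Gateway remote subnet {edge['remote_net']}")
    if cisco["remote_net"] != edge["local_net"]:
        problems.append(f"Cisco ACL destination {cisco['remote_net']} != Edge Gateway local subnet {edge['local_net']}")
    if ENCRYPTION_NAMES.get(cisco["encryption"]) != edge["encryption"]:
        problems.append(f"encryption {cisco['encryption']} vs {edge['encryption']}")
    if cisco["integrity"] != edge["integrity"]:
        problems.append(f"integrity {cisco['integrity']} vs {edge['integrity']}")
    if cisco["group"] != edge["group"]:
        problems.append(f"DH group {cisco['group']} vs {edge['group']}")
    return problems


if __name__ == "__main__":
    result = check_consistency(parse_cisco(CISCO_CONFIG), parse_edge(EDGE_CONFIG))
    for line in result or ["OK: both sides mirror each other"]:
        print(line)
```

Run it against the two configurations before bringing the tunnel up; each reported line names the exact pair of values that disagree, which is usually faster than reading IKE debug output after a failed negotiation.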
Setting the PC for checking communication
Setting the IP address
- IP address: 192.168.0.10
Setting the default gateway
- Confirm that the default gateway (192.168.0.254) has been set.
*For Windows 10, you can check the status of the interface connected to the Edge Gateway device from [Control Panel] - [Network and Internet] - [Network Connections].
Setting the gateway for checking communication
- Confirm that the default gateway (192.168.10.1) has been set.
STEP2: Connection
Starting an IPsec connection
Check the status of IPsec. If "ESTABLISHED" is displayed as follows, the connection between the Edge Gateway device and the Cisco router has been established.
amnimo(cfg)# show ipsec status
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.145-00788-g94f928acd636, aarch64):
uptime: 97 minutes, since Sep 02 13:51:37 2021
malloc: sbrk 3211264, mmap 532480, used 1421008, free 1790256
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 14
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
172.16.10.2
192.168.0.254
Connections:
sa01: 172.16.10.2...172.16.10.1 IKEv2
sa01: local: [172.16.10.2] uses pre-shared key authentication
sa01: remote: [172.16.10.1] uses pre-shared key authentication
sa01: child: 192.168.0.0/24 === 192.168.10.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
sa01[7]: ESTABLISHED 4 seconds ago, 172.16.10.2[172.16.10.2]...172.16.10.1[172.16.10.1]
sa01[7]: IKEv2 SPIs: 7e360231d40de635_i* 7c54a1e881a9972f_r, pre-shared key reauthentication in 2 hours
sa01[7]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
sa01{9}: INSTALLED, TUNNEL, reqid 7, ESP SPIs: ca251b76_i 477efee0_o
sa01{9}: AES_CBC_128/HMAC_SHA1_96, 540 bytes_i (7 pkts, 0s ago), 540 bytes_o (7 pkts, 0s ago), rekeying in 42 minutes
sa01{9}: 192.168.0.0/24 === 192.168.10.0/24
Additional information
If the connection has not been started, start it with the following command:
amnimo(cfg)# ipsec connect sa01
STEP3: Checking communication
Notes
If ping communication cannot be established, the network settings of one of the devices may be the cause. Check the following points in advance on the devices used for checking communication.
- Has the firewall been disabled?
- Have the routing settings been configured correctly?
- Has the default gateway been set correctly?
- Is ICMP allowed?
*If communication cannot be established even after trying the above, disable the other interfaces such as WiFi.
Ping communication from the PC to the gateway
Perform a ping test from the PC for checking communication (192.168.0.10) to the gateway for checking communication (192.168.10.2).
C:\WINDOWS\system32>ping -t 192.168.10.2
Send a ping to 192.168.10.2 Data of 32 bytes:
Response from 192.168.10.2: Number of bytes = 32 time=3ms TTL=62
Response from 192.168.10.2: Number of bytes = 32 time=4ms TTL=62
Response from 192.168.10.2: Number of bytes = 32 time=4ms TTL=62
ping statistics of 192.168.10.2:
Packet count: Send = 11, Receive = 11, Loss = 0 (Loss of 0%),
Approximate round trip time (milliseconds):
Minimum = 3ms, Maximum = 8ms, Average = 4ms
Ctrl+C
^C
C:\WINDOWS\system32>
Ping communication from the gateway to the PC
Similarly, perform a ping test from the gateway for checking communication (192.168.10.2) to the PC (192.168.0.10).
admin@amnimo:~$ ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
64 bytes from 192.168.0.10: icmp_seq=2 ttl=126 time=4.38 ms
64 bytes from 192.168.0.10: icmp_seq=3 ttl=126 time=5.31 ms
64 bytes from 192.168.0.10: icmp_seq=4 ttl=126 time=4.07 ms
64 bytes from 192.168.0.10: icmp_seq=5 ttl=126 time=3.79 ms
64 bytes from 192.168.0.10: icmp_seq=6 ttl=126 time=3.75 ms
^C
--- 192.168.0.10 ping statistics ---
6 packets transmitted, 5 received, 16% packet loss, time 5029ms
rtt min/avg/max/mdev = 3.750/4.262/5.311/0.572 ms
admin@amnimo:~$
Checking with the Edge Gateway
On the Edge Gateway device, run the show ipsec status command and confirm that the packet count has increased before and after the ping.
↓↓↓ Before Ping communication ↓↓↓
amnimo(cfg)# show ipsec status
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.145-00788-g94f928acd636, aarch64):
uptime: 5 hours, since Sep 01 11:15:35 2021
malloc: sbrk 3211264, mmap 532480, used 1414256, free 1797008
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
172.16.10.2
192.168.0.254
Connections:
sa01: 172.16.10.2...172.16.10.1 IKEv2
sa01: local: [172.16.10.2] uses pre-shared key authentication
sa01: remote: [172.16.10.1] uses pre-shared key authentication
sa01: child: 192.168.0.0/24 === 192.168.10.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
sa01[4]: ESTABLISHED 38 minutes ago, 172.16.10.2[172.16.10.2]...172.16.10.1[172.16.10.1]
sa01[4]: IKEv2 SPIs: 1ac4fe925dbb594c_i 9ebabf6f5bb47ea1_r*, pre-shared key reauthentication in 2 hours
sa01[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
sa01{9}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: ce761180_i c356d5ca_o
sa01{9}: AES_CBC_128/HMAC_SHA1_96, 52 bytes_i (1 pkt, 2292s ago), 80 bytes_o (1 pkt, 2289s ago), rekeying in 6 minutes
sa01{9}: 192.168.0.0/24 === 192.168.10.0/24
sa01{10}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: caedd284_i c07dc0e8_o
sa01{10}: AES_CBC_128/HMAC_SHA1_96, 124512 bytes_i (1676 pkts, 0s ago), 107580 bytes_o (1503 pkts, 0s ago), rekeying in 7 minutes
sa01{10}: 192.168.0.0/24 === 192.168.10.0/24
amnimo(cfg)# show date
2021-09-01 17:13:24+09:00
↓↓↓ After Ping communication ↓↓↓
amnimo(cfg)# show ipsec status
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.145-00788-g94f928acd636, aarch64):
uptime: 5 hours, since Sep 01 11:15:35 2021
malloc: sbrk 3211264, mmap 532480, used 1417440, free 1793824
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
172.16.10.2
192.168.0.254
Connections:
sa01: 172.16.10.2...172.16.10.1 IKEv2
sa01: local: [172.16.10.2] uses pre-shared key authentication
sa01: remote: [172.16.10.1] uses pre-shared key authentication
sa01: child: 192.168.0.0/24 === 192.168.10.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
sa01[4]: ESTABLISHED 38 minutes ago, 172.16.10.2[172.16.10.2]...172.16.10.1[172.16.10.1]
sa01[4]: IKEv2 SPIs: 1ac4fe925dbb594c_i 9ebabf6f5bb47ea1_r*, pre-shared key reauthentication in 2 hours
sa01[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
sa01{9}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: ce761180_i c356d5ca_o
sa01{9}: AES_CBC_128/HMAC_SHA1_96, 52 bytes_i (1 pkt, 2312s ago), 80 bytes_o (1 pkt, 2309s ago), rekeying in 5 minutes
sa01{9}: 192.168.0.0/24 === 192.168.10.0/24
sa01{10}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: caedd284_i c07dc0e8_o
sa01{10}: AES_CBC_128/HMAC_SHA1_96, 127392 bytes_i (1716 pkts, 0s ago), 110623 bytes_o (1546 pkts, 0s ago), rekeying in 6 minutes
sa01{10}: 192.168.0.0/24 === 192.168.10.0/24
amnimo(cfg)#
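Comparing the two status dumps by eye works once, but when the tunnel is monitored routinely it is better to parse the counters. The script below is an added example, not part of this manual or of strongSwan; it embeds constructed "before" and "after" excerpts built from the Security Associations section shown above, extracts the IKE_SA state and the per-CHILD_SA byte and packet counters, and reports whether the tunnel carried traffic in both directions between the two samples. Note that the output above lists two CHILD_SAs ({9} and {10}) for the same connection because a rekey has occurred; the example therefore sums counters per connection name rather than per CHILD_SA id, and it also accepts the "0 bytes_i, 0 bytes_o" form strongSwan prints for an SA that has not yet carried a packet. The function names are the author's own choices.

```python
import re

# Constructed excerpts of "show ipsec status" taken before and after the ping
# test, built from the Security Associations section this page shows.
BEFORE = """\
Security Associations (1 up, 0 connecting):
   sa01[4]: ESTABLISHED 38 minutes ago, 172.16.10.2[172.16.10.2]...172.16.10.1[172.16.10.1]
   sa01[4]: IKEv2 SPIs: 1ac4fe925dbb594c_i 9ebabf6f5bb47ea1_r*, pre-shared key reauthentication in 2 hours
   sa01[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
   sa01{9}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: ce761180_i c356d5ca_o
   sa01{9}: AES_CBC_128/HMAC_SHA1_96, 52 bytes_i (1 pkt, 2292s ago), 80 bytes_o (1 pkt, 2289s ago), rekeying in 6 minutes
   sa01{9}: 192.168.0.0/24 === 192.168.10.0/24
   sa01{10}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: caedd284_i c07dc0e8_o
   sa01{10}: AES_CBC_128/HMAC_SHA1_96, 124512 bytes_i (1676 pkts, 0s ago), 107580 bytes_o (1503 pkts, 0s ago), rekeying in 7 minutes
   sa01{10}: 192.168.0.0/24 === 192.168.10.0/24
"""

AFTER = """\
Security Associations (1 up, 0 connecting):
   sa01[4]: ESTABLISHED 38 minutes ago, 172.16.10.2[172.16.10.2]...172.16.10.1[172.16.10.1]
   sa01[4]: IKEv2 SPIs: 1ac4fe925dbb594c_i 9ebabf6f5bb47ea1_r*, pre-shared key reauthentication in 2 hours
   sa01[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
   sa01{9}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: ce761180_i c356d5ca_o
   sa01{9}: AES_CBC_128/HMAC_SHA1_96, 52 bytes_i (1 pkt, 2312s ago), 80 bytes_o (1 pkt, 2309s ago), rekeying in 5 minutes
   sa01{9}: 192.168.0.0/24 === 192.168.10.0/24
   sa01{10}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: caedd284_i c07dc0e8_o
   sa01{10}: AES_CBC_128/HMAC_SHA1_96, 127392 bytes_i (1716 pkts, 0s ago), 110623 bytes_o (1546 pkts, 0s ago), rekeying in 6 minutes
   sa01{10}: 192.168.0.0/24 === 192.168.10.0/24
"""

# IKE_SA line: "<conn>[<id>]: <STATE> ..." with one of strongSwan's IKE_SA states.
IKE_RE = re.compile(
    r"^\s*(?P<name>[^\[\s]+)\[(?P<id>\d+)\]: "
    r"(?P<state>CREATED|CONNECTING|ESTABLISHED|PASSIVE|REKEYING|REKEYED|DELETING)\b")

# CHILD_SA traffic line: "<conn>{<id>}: <algs>, N bytes_i (P pkts, ..), M bytes_o (Q pkts, ..)".
# The parenthesised packet counts are absent when the SA has carried nothing yet.
CHILD_RE = re.compile(
    r"^\s*(?P<name>[^{\s]+)\{(?P<id>\d+)\}: \S+, "
    r"(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts?, [^)]*\))?, "
    r"(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts?, [^)]*\))?")


def parse_status(text):
    """Extract IKE_SA states and CHILD_SA counters from status output."""
    ike, child = {}, {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike[(m["name"], int(m["id"]))] = m["state"]
            continue
        m = CHILD_RE.match(line)
        if m:
            child[(m["name"], int(m["id"]))] = {
                "bytes_i": int(m["bytes_i"]), "pkts_i": int(m["pkts_i"] or 0),
                "bytes_o": int(m["bytes_o"]), "pkts_o": int(m["pkts_o"] or 0),
            }
    return {"ike": ike, "child": child}


def is_established(status, name):
    """True if any IKE_SA of the named connection is in state ESTABLISHED."""
    return any(k[0] == name and s == "ESTABLISHED" for k, s in status["ike"].items())


def traffic_delta(before, after, name):
    """Change in counters between two samples, summed over all CHILD_SAs of the
    connection so that a rekey between the samples does not hide the traffic."""
    def total(status, key):
        return sum(v[key] for k, v in status["child"].items() if k[0] == name)
    return {key: total(after, key) - total(before, key)
            for key in ("bytes_i", "pkts_i", "bytes_o", "pkts_o")}


def tunnel_carried_traffic(before, after, name):
    """True when packets were both received and sent through the tunnel."""
    d = traffic_delta(before, after, name)
    return d["pkts_i"] > 0 and d["pkts_o"] > 0


if __name__ == "__main__":
    b, a = parse_status(BEFORE), parse_status(AFTER)
    print("established:", is_established(a, "sa01"))
    print("delta:", traffic_delta(b, a, "sa01"))
    print("traffic in both directions:", tunnel_carried_traffic(b, a, "sa01"))
```

A one-directional increase (only bytes_o growing) is the signature to look for when ping fails: the Edge Gateway is encrypting and sending, but nothing comes back, which points at routing or the crypto ACL on the far side rather than at the IKE negotiation.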