FlexVPN IKEv2 setup can be summarized as follows; the details, with responder-side debug output, are below:
- FlexVPN follows standard IKEv2 messaging: an IKE_SA_INIT exchange followed by an IKE_AUTH exchange
- For sites that use a virtual-template interface (such as a DVTI spoke), the initiator includes a CFG_REQUEST (CFG_Req) payload in its IKE_AUTH request to ask the responder for configuration
*Feb 13 03:58:03.389: IKEv2:(SESSION ID = 23,SA ID = 1):Received Packet [From 10.150.3.1:500/To 10.150.1.1:500/VRF i0:f0]
Initiator SPI : 98DB5FD5979EAC12 - Responder SPI : 1398F140044ABC30 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH CFG SA
TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE)
NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
- The CFG_Req carries the configuration attributes the initiator wants from the responder (tunnel address, mask, routes). The AAA method list and username that the responder uses for the group authorization are not carried in the IKE message; they come from the aaa authorization group line of the IKEv2 profile that the responder matches for this peer
Spoke config (responder side; profile prof-01 is the one matched in the debug below)
…………………………………………………………………………….
crypto ikev2 profile prof-01
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local kr-01
 aaa authorization group psk list flex flex
 virtual-template 2
- Based on the IDi, the responder selects the matching IKEv2 profile, and with it the keyring, the IKEv2 policy and the virtual-template from which the peer's virtual-access interface will be cloned
*Feb 13 03:58:03.402: IKEv2:(SESSION ID = 23,SA ID = 1):Searching policy based on peer's identity '10.150.3.1' of type 'IPv4 address'
*Feb 13 03:58:03.402: IKEv2:found matching IKEv2 profile 'prof-01'
*Feb 13 03:58:03.402: IKEv2:% Getting preshared key from profile keyring kr-01
*Feb 13 03:58:03.403: IKEv2:% Matched peer block 'all'
*Feb 13 03:58:03.404: IKEv2:Searching Policy with fvrf 0, local address 10.150.1.1
*Feb 13 03:58:03.404: IKEv2:Found Policy 'pol-01'
*Feb 13 03:58:03.406: IKEv2:(SESSION ID = 23,SA ID = 1):Verify peer's policy
*Feb 13 03:58:03.408: IKEv2:(SESSION ID = 23,SA ID = 1):Peer's policy verified
*Feb 13 03:58:03.410: IKEv2:(SESSION ID = 23,SA ID = 1):Get peer's authentication method
*Feb 13 03:58:03.410: IKEv2:(SESSION ID = 23,SA ID = 1):Peer's authentication method is 'PSK'
*Feb 13 03:58:03.410: IKEv2:(SESSION ID = 23,SA ID = 1):Get peer's preshared key for 10.150.3.1
*Feb 13 03:58:03.411: IKEv2:(SESSION ID = 23,SA ID = 1):Verify peer's authentication data
*Feb 13 03:58:03.411: IKEv2:(SESSION ID = 23,SA ID = 1):Use preshared key for id 10.150.3.1, key len 8
*Feb 13 03:58:03.411: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 13 03:58:03.412: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 13 03:58:03.412: IKEv2:(SESSION ID = 23,SA ID = 1):Verification of peer's authentication data PASSED
Note what this part of the debug reveals about the authentication: match identity remote address 0.0.0.0 accepts any peer identity, the keyring matched peer block 'all' (one pre-shared key shared by every peer), and that key is only 8 bytes long (key len 8). With that combination anyone who obtains the key can authenticate as any spoke; use per-peer keys or certificates and a long key for anything beyond a lab.
- After successful authentication:
- The responder clones a virtual-access interface for this peer from the virtual-template of the matched profile (e.g. Vi1)
- The responder runs group authorization for the peer: it sends an AAA authorization request using the method list and username from the aaa authorization group line of the matched IKEv2 profile (here list flex, username flex), and the authorization policy returned by AAA supplies the attributes (address, mask, routes) that will be handed to the initiator
*Feb 13 03:58:03.417: IKEv2:Using mlist flex and username flex for group author request …… the method list and username come from the aaa authorization group line of the matched profile prof-01, not from the initiator
*Feb 13 03:58:03.418: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent …… the IKEv2 process hands the authorization request to the AAA process
*Feb 13 03:58:03.418: IKEv2:(SESSION ID = 22,SA ID = 2):Check for existing active SA
*Feb 13 03:58:03.419: IKEv2:(SESSION ID = 22,SA ID = 2):Deleting SA …… the new IKE_AUTH request carried NOTIFY(INITIAL_CONTACT), so the responder tears down the SA it still held for this peer (session 22) together with the Virtual-Access2 interface bound to it
*Feb 13 03:58:03.437: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Feb 13 03:58:03.440: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
- After successful authorization, the responder sends the configuration data to the initiator in the CFG_REPLY payload of its IKE_AUTH response (tunnel IP address, mask, routes, etc.)
*Feb 13 03:58:03.449: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
*Feb 13 03:58:03.451: IKEv2:(SESSION ID = 23,SA ID = 1):Received valid config mode data
*Feb 13 03:58:03.452: IKEv2:Config data recieved:
………………output omitted………………
*Feb 13 03:58:03.517: IKEv2:(SESSION ID = 23,SA ID = 1):Config-type: Config-reply
*Feb 13 03:58:03.517: IKEv2:(SESSION ID = 23,SA ID = 1):Attrib type: ipv4-addr, length: 4, data: 192.168.1.13
*Feb 13 03:58:03.518: IKEv2:(SESSION ID = 23,SA ID = 1):Attrib type: ipv4-subnet, length: 8, data: 192.168.1.1 255.255.255.255
*Feb 13 03:58:03.526: IKEv2:(SESSION ID = 23,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH CFG SA
TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT)
NOTIFY(NON_FIRST_FRAGS)
- The initiator applies the received configuration (the negotiated address 192.168.1.13 and the host route to the responder's 192.168.1.1) and then sends an INFORMATIONAL request to the responder.
- That INFORMATIONAL request carries a CFG_SET payload with the initiator's own tunnel address, so that the responder installs a host route towards it (the effect of the route set interface command on the initiator). Note that the capture below comes from a later IKE SA of the same peer (session 26, different SPIs, about a minute after the IKE_AUTH above), not from the SA authenticated above.
*Feb 13 03:59:05.377: IKEv2:(SESSION ID = 26,SA ID = 2):Received Packet [From 10.150.3.1:500/To 10.150.1.1:500/VRF i0:f0]
Initiator SPI : 8F721AF1CE7527FD - Responder SPI : E891556AF0D35777 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
CFG
*Feb 13 03:59:05.381: IKEv2:Config data recieved:
*Feb 13 03:59:05.381: IKEv2:(SESSION ID = 26,SA ID = 2):Config-type: Config-set
*Feb 13 03:59:05.384: IKEv2:(SESSION ID = 26,SA ID = 2):Attrib type: ipv4-subnet, length: 8, data: 192.168.1.13 255.255.255.255
*Feb 13 03:59:05.385: IKEv2:VPN Route Added 192.168.1.13 255.255.255.255 via Virtual-Access2 in vrf global
*Feb 13 03:59:05.386: IKEv2:(SESSION ID = 26,SA ID = 2):Set received config mode data
- The responder acknowledges the CFG_SET with a CFG_ACK payload in its INFORMATIONAL response
*Feb 13 03:59:05.390: IKEv2:Config data to send:
*Feb 13 03:59:05.390: IKEv2:(SESSION ID = 26,SA ID = 2):Config-type: Config-ack
*Feb 13 03:59:05.391: IKEv2:(SESSION ID = 26,SA ID = 2):Attrib type: ipv4-subnet, length: 0
*Feb 13 03:59:05.392: IKEv2:(SESSION ID = 26,SA ID = 2):Have config mode data to send
*Feb 13 03:59:05.392: IKEv2:(SESSION ID = 26,SA ID = 2):Sending info exch config resp
*Feb 13 03:59:05.393: IKEv2:(SESSION ID = 26,SA ID = 2):Building packet for encryption.
Payload contents:
CFG
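As an added example (not code from the original post, nor anything from Cisco), here is a small Python triage script for the whole sequence walked through above: it folds a debug crypto ikev2 capture into per-session state and applies the checks a practitioner runs when a spoke does not come up: did peer authentication PASS, did the AAA authorization round trip complete, what did the CFG_REPLY and CFG_SET carry, was the VPN route installed, and did the IKE_AUTH carry INITIAL_CONTACT. The sample debug lines are constructed from the ones quoted in this post, re-joined one message per line as IOS prints them; the 16-byte pre-shared key threshold is this example's own choice, not an IOS setting.

```python
# Added example, not code from the original post: folds a Cisco IOS 'debug crypto ikev2' capture into
# per-session state and runs the checks used to see where a FlexVPN spoke bring-up stalls.
import re
from types import SimpleNamespace

# Constructed sample: the responder-side lines quoted in the post, one message per line as IOS prints them.
SAMPLE_DEBUG = """\
*Feb 13 03:58:03.389: IKEv2:(SESSION ID = 23,SA ID = 1):Received Packet [From 10.150.3.1:500/To 10.150.1.1:500/VRF i0:f0]
Initiator SPI : 98DB5FD5979EAC12 - Responder SPI : 1398F140044ABC30 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 13 03:58:03.402: IKEv2:found matching IKEv2 profile 'prof-01'
*Feb 13 03:58:03.411: IKEv2:(SESSION ID = 23,SA ID = 1):Use preshared key for id 10.150.3.1, key len 8
*Feb 13 03:58:03.412: IKEv2:(SESSION ID = 23,SA ID = 1):Verification of peer's authentication data PASSED
*Feb 13 03:58:03.418: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
*Feb 13 03:58:03.419: IKEv2:(SESSION ID = 22,SA ID = 2):Deleting SA
*Feb 13 03:58:03.449: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
*Feb 13 03:58:03.517: IKEv2:(SESSION ID = 23,SA ID = 1):Config-type: Config-reply
*Feb 13 03:58:03.517: IKEv2:(SESSION ID = 23,SA ID = 1):Attrib type: ipv4-addr, length: 4, data: 192.168.1.13
*Feb 13 03:58:03.518: IKEv2:(SESSION ID = 23,SA ID = 1):Attrib type: ipv4-subnet, length: 8, data: 192.168.1.1 255.255.255.255
*Feb 13 03:59:05.377: IKEv2:(SESSION ID = 26,SA ID = 2):Received Packet [From 10.150.3.1:500/To 10.150.1.1:500/VRF i0:f0]
Initiator SPI : 8F721AF1CE7527FD - Responder SPI : E891556AF0D35777 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
CFG
*Feb 13 03:59:05.381: IKEv2:(SESSION ID = 26,SA ID = 2):Config-type: Config-set
*Feb 13 03:59:05.384: IKEv2:(SESSION ID = 26,SA ID = 2):Attrib type: ipv4-subnet, length: 8, data: 192.168.1.13 255.255.255.255
*Feb 13 03:59:05.385: IKEv2:VPN Route Added 192.168.1.13 255.255.255.255 via Virtual-Access2 in vrf global
"""

PREFIX = re.compile(r"^\*\w{3} +\d+ [\d:.]+: IKEv2:(?:\((?:SESSION ID = (?P<sess>\d+),)?SA ID = (?P<sa>\d+)\):)?(?P<msg>.*)$")
EXCH = re.compile(r"^IKEv2 (\w+) Exchange (?:REQUEST|RESPONSE)$")
ATTRIB = re.compile(r"Attrib type: ([\w-]+), length: \d+(?:, data: (.*))?$")
ROUTE = re.compile(r"VPN Route Added (\S+) (\S+) via (\S+) in vrf (\S+)")
MIN_PSK_LEN = 16  # this example's own threshold for flagging a short PSK, not an IOS value


def new_session(sid):
    return SimpleNamespace(sid=sid, peer=None, profile=None, psk_len=None, auth_result=None,
                           aaa_request_sent=False, aaa_response=False, packets=[], config={}, routes=[])


def parse_debug(text):
    """Return {session id: state}; lines carrying only an SA ID are mapped back to that SA's session."""
    sessions, sa_to_session, current, pending, cfg_type = {}, {}, None, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = PREFIX.match(line)
        if not m:  # continuation of a received-packet dump: SPI/message-id line, exchange line, payload names
            if pending is None or line == "Payload contents:":
                continue
            if (mid := re.search(r"Message id: (\d+)", line)):
                pending["msg_id"] = int(mid.group(1))
            elif (ex := EXCH.match(line)):
                pending["exchange"] = ex.group(1)
            else:
                pending["payloads"].extend(line.split())
            continue
        pending, (sess, sa, msg) = None, m.group("sess", "sa", "msg")
        if sess is not None:
            current = sa_to_session[int(sa)] = int(sess)
        elif sa is not None:
            current = sa_to_session.get(int(sa), current)
        s = sessions.setdefault(current, new_session(current))
        if msg.startswith("Received Packet"):
            pending = {"exchange": None, "msg_id": None, "payloads": []}
            s.packets.append(pending)
        elif (pr := re.search(r"found matching IKEv2 profile '([^']+)'", msg)):
            s.profile = pr.group(1)
        elif (pk := re.search(r"Use preshared key for id (\S+), key len (\d+)", msg)):
            s.peer, s.psk_len = pk.group(1), int(pk.group(2))
        elif (ar := re.search(r"Verification of peer's authentication data (\w+)", msg)):
            s.auth_result = ar.group(1)
        elif "[IKEv2 -> AAA] Authorisation request sent" in msg:
            s.aaa_request_sent = True
        elif "[AAA -> IKEv2] Received AAA authorisation response" in msg:
            s.aaa_response = True
        elif (ct := re.search(r"Config-type: (\S+)", msg)):
            s.config.setdefault(cfg_type := ct.group(1), [])
        elif cfg_type and (at := ATTRIB.search(msg)):
            s.config[cfg_type].append((at.group(1), at.group(2)))
        elif (rt := ROUTE.search(msg)):
            s.routes.append(rt.groups())
    return sessions


def assess(s):
    """Findings for one session; an empty list means the FlexVPN sequence looks healthy."""
    out, rx_auth = [], [p for p in s.packets if p["exchange"] == "IKE_AUTH"]
    if rx_auth and s.auth_result != "PASSED":
        out.append(f"IKE_AUTH from {s.peer} but peer authentication result is {s.auth_result}")
    if s.psk_len is not None and s.psk_len < MIN_PSK_LEN:
        out.append(f"pre-shared key for {s.peer} is only {s.psk_len} bytes long")
    if s.aaa_request_sent and not s.aaa_response:
        out.append("AAA authorisation request sent but no AAA response received")
    if "Config-set" in s.config and not s.routes:
        out.append("Config-set received but no VPN route was installed")
    if any("NOTIFY(INITIAL_CONTACT)" in p["payloads"] for p in rx_auth):
        out.append(f"INITIAL_CONTACT from {s.peer}: the responder tears down its older SA for this peer")
    return out
```

Feed a real capture to parse_debug() and run assess() over each session. Lines that carry only an SA ID (the [IKEv2 -> AAA] and [AAA -> IKEv2] lines) are attributed to the session that last used that SA ID; that is how the AAA response for SA ID 1 lands in session 23 even though the teardown of the old session 22 is interleaved between the request and the response, exactly as in the debug above. On the sample, session 23 yields two findings (the 8-byte key and the INITIAL_CONTACT teardown) and session 26 none.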