Requirement:
- Prior to the 6.4.4.0 code, the implementation supported only an IP address as the remote end point (peer-ip).
- The implementation also mandated that src-net be specified as an IP address.
Solution:
For a scalable deployment of Site-to-Site tunnels from branch office controllers, the following enhancements were made starting with the 6.4.4.0 versions:
- Flexibility to configure an FQDN as the peer-ip. The controller must be able to resolve that name (see the ip domain-name and ip name-server configuration below), so DNS becomes a dependency for bringing the tunnel up; DNS only determines where the controller connects, the peer is still authenticated by its certificate.
- Ability to configure the src-net within the crypto map as a VLAN instead of a fixed subnet.
- Support for factory certificates for Site-to-Site, which lets customers authenticate with the TPM certificate already present on the controller and avoids the complication of provisioning a custom certificate.
Note: The same enhancements are available for Site-to-Site configuration on any controller; they are not limited to the BOC solution.
Configuration:
CLI configuration:
(config) #ip domain-name france.inditex.com
Operation may not take effect until a reboot
(config) #ip name-server 10.15.92.51
Operation may not take effect until a reboot
Note: Reboot the controller for the domain-name and name-server configuration to take effect; the FQDN peer cannot be resolved before that.
(config) #crypto-local ipsec-map toc3 100
(config-ipsec-map)# version v2
(config-ipsec-map)# set ikev2-policy 10006
(config-ipsec-map)# peer-ip payment
(config-ipsec-map)# vlan 1
(config-ipsec-map)# src-net vlan 100
(config-ipsec-map)# dst-net 130.0.0.0 255.255.255.0
(config-ipsec-map)# set transform-set default-transform
(config-ipsec-map)# pre-connect enable
(config-ipsec-map)# factory-cert-auth
(config-ipsec-map)# factory-cert-auth enable
(config-ipsec-map)# trusted enable
(config-ipsec-map)# uplink-failover disable
(config-ipsec-map)# ip-compression disable
(config-ipsec-map)# force-natt disable
UI Configuration:
Verification:
#show crypto isakmp sa
ISAKMP SA Active Session Information
------------------------------------
Initiator IP Responder IP Flags Start Time Private IP
------------ ------------ ----- --------------- ----------
10.15.33.1 10.15.33.3 i-v2-c Jul 16 14:30:25 -
Flags: i = Initiator; r = Responder
m = Main Mode; a = Aggressive Mode; v2 = IKEv2
p = Pre-shared key; c = Certificate/RSA Signature; e = ECDSA Signature
x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
3 = 3rd party AP; C = Campus AP; R = RAP; Ru = Custom Certificate RAP; I = IAP
V = VIA; S = VIA over TCP
Total ISAKMP SAs: 1
#show crypto ipsec sa
IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP Responder IP SPI(IN/OUT) Flags Start Time Inner IP
------------ ------------ ---------------- ----- --------------- --------
10.15.33.1 10.15.33.3 4b279b00/745c4100 T2 Jul 16 14:26:22 -
Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
Total IPSEC SAs: 1
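When checking a tunnel after this change, the point is not only that an SA exists but that it came up the way the crypto map intends: IKEv2 (not v1), certificate authentication (not a pre-shared key), and a tunnel-mode IPsec child SA negotiated under IKEv2. The script below is an added example, not part of the original article or of ArubaOS; it parses the two show outputs above (copied from the article as inline sample text) and flags any deviation from that expectation. It takes the peer's resolved IP address as an argument, assuming here that the FQDN "payment" resolved to 10.15.33.3; the flag legend it relies on is the one the controller prints in the output above.

```python
"""Check an ArubaOS Site-to-Site tunnel from 'show crypto isakmp sa' and
'show crypto ipsec sa' output: IKEv2, certificate auth, tunnel-mode child SA.
Added example, not ArubaOS code. Sample output below is copied from the
article; the peer address 10.15.33.3 is an assumption (the article uses the
FQDN 'payment')."""

import re

# Sample output as printed by the controller (copied from the article).
ISAKMP_SAMPLE = """ISAKMP SA Active Session Information
------------------------------------
Initiator IP Responder IP Flags Start Time Private IP
------------ ------------ ----- --------------- ----------
10.15.33.1 10.15.33.3 i-v2-c Jul 16 14:30:25 -
Flags: i = Initiator; r = Responder
m = Main Mode; a = Aggressive Mode; v2 = IKEv2
p = Pre-shared key; c = Certificate/RSA Signature; e = ECDSA Signature
Total ISAKMP SAs: 1
"""

IPSEC_SAMPLE = """IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP Responder IP SPI(IN/OUT) Flags Start Time Inner IP
------------ ------------ ---------------- ----- --------------- --------
10.15.33.1 10.15.33.3 4b279b00/745c4100 T2 Jul 16 14:26:22 -
Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
Total IPSEC SAs: 1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TS = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"

# Only data rows start with two IPv4 addresses; headers and legend lines do not match.
ISAKMP_ROW = re.compile(
    rf"^\s*(?P<init>{IPV4})\s+(?P<resp>{IPV4})\s+(?P<flags>\S+)\s+"
    rf"(?P<start>{TS})\s+(?P<priv>\S+)\s*$")
IPSEC_ROW = re.compile(
    rf"^\s*(?P<init>{IPV4})\s+(?P<resp>{IPV4})\s+"
    rf"(?P<spi_in>[0-9a-fA-F]+)/(?P<spi_out>[0-9a-fA-F]+)\s+(?P<flags>\S+)\s+"
    rf"(?P<start>{TS})\s+(?P<inner>\S+)\s*$")


def parse_isakmp_sas(text):
    """ISAKMP flags are hyphen-separated tokens, e.g. 'i-v2-c' -> {'i','v2','c'}."""
    sas = []
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line)
        if m:
            sas.append({"init": m["init"], "resp": m["resp"],
                        "flags": set(m["flags"].split("-")),
                        "start": m["start"], "private_ip": m["priv"]})
    return sas


def parse_ipsec_sas(text):
    """IPsec flags are one character each, e.g. 'T2' -> {'T','2'}; SPIs are hex."""
    sas = []
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if m:
            sas.append({"init": m["init"], "resp": m["resp"],
                        "spi_in": int(m["spi_in"], 16), "spi_out": int(m["spi_out"], 16),
                        "flags": set(m["flags"]),
                        "start": m["start"], "inner_ip": m["inner"]})
    return sas


def check_site_to_site(isakmp_text, ipsec_text, peer):
    """Return (ok, findings). Empty findings means the tunnel matches the
    intended profile: IKEv2 + certificate auth + tunnel-mode child SA."""
    findings = []
    ike = [s for s in parse_isakmp_sas(isakmp_text) if peer in (s["init"], s["resp"])]
    if not ike:
        return False, [f"no ISAKMP SA with peer {peer}"]
    for s in ike:
        pair = f"{s['init']}->{s['resp']}"
        f = s["flags"]
        if "v2" not in f:
            findings.append(f"IKE SA {pair} is IKEv1, not IKEv2")
        if "p" in f:
            findings.append(f"IKE SA {pair} used a pre-shared key, not a certificate")
        if not ({"c", "e"} & f):
            findings.append(f"IKE SA {pair} has no certificate/ECDSA authentication flag")
        if "a" in f:
            findings.append(f"IKE SA {pair} used aggressive mode")
    child = [s for s in parse_ipsec_sas(ipsec_text) if peer in (s["init"], s["resp"])]
    if not child:
        findings.append(f"IKE SA is up but no IPsec child SA exists with peer {peer}")
    for s in child:
        pair = f"{s['init']}->{s['resp']}"
        f = s["flags"]
        if "T" not in f:
            findings.append(f"IPsec SA {pair} is not in tunnel mode")
        if "2" not in f:
            findings.append(f"IPsec SA {pair} was not negotiated under IKEv2")
        if s["spi_in"] == 0 or s["spi_out"] == 0 or s["spi_in"] == s["spi_out"]:
            findings.append(f"IPsec SA {pair} has suspicious SPIs")
    return not findings, findings


if __name__ == "__main__":
    ok, findings = check_site_to_site(ISAKMP_SAMPLE, IPSEC_SAMPLE, "10.15.33.3")
    print("OK" if ok else "FAIL", findings)
```

Run it against the live output of the two show commands (piped from the controller or pasted into the sample strings) after a reboot or an uplink change; a tunnel that re-established with "p" in the ISAKMP flags, or with no child SA, is a misconfiguration worth catching before traffic is trusted onto it.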
#show crypto-local ipsec-map | begin toc3
Crypto Map Template "toc3" 100
IKE Version: 2
IKEv2 Policy: DEFAULT
Security association lifetime seconds : [300 -86400]
Security association lifetime kilobytes: N/A
PFS (Y/N): N
Transform sets={ default-transform }
Peer gateway: payment
Interface: VLAN 1
Source network: vlan 100
Destination network: 130.0.0.0/255.255.255.0
Pre-Connect (Y/N): Y
Tunnel Trusted (Y/N): Y
Forced NAT-T (Y/N): N
Uplink Failover (Y/N): N
IP Compression (Y/N): N
Factory Certificate