IPSec - jibingl/CCNA-CCNP GitHub Wiki

IPsec VPN

Protocols

Terms    RFC Doc     Full Names
IKEv1    RFC 2409    Internet Key Exchange
IKEv2    RFC 7296    Internet Key Exchange Version 2
ISAKMP   RFC 2408    Internet Security Association and Key Management Protocol

The IKE protocol was formerly referred to as ISAKMP/Oakley. It negotiates the IPsec parameters, known as security associations (SAs), between the two devices.

Operation Modes

Type            ESP                                          AH
Best Practice   Acceptable                                   Avoid
Cryptography    Encryption, Integrity, and Authentication    Integrity and Authentication
Hashing         Packet excluding the new IP header           Packet including the new IP header (whole IP packet)
Mode        ESP Encapsulation
Transport   ip-header:ESP-header:Payload:ESP-tail:ESP-auth
Tunnel      new-ip-header:ESP-header:ip-header:Payload:ESP-tail:ESP-auth
  1. Transport mode is only available when the new-ip-header and the original ip-header would be identical, i.e. the IPsec peers are themselves the communicating hosts.
  2. ESP-auth is an HMAC computed over the span from the ESP-header through the ESP-tail; the (new) IP header is not covered.

Site-to-Site IPSec VPN


Configuration Stages

Configurations on the router Site-A:

  1. IKE/ISAKMP SA (Encryption, authentication, key-exchange algorithms, respectively)
    crypto isakmp policy 10                                         //"10" is the policy priority; a lower number is tried first
     encryption aes                                                 //Encryption algorithm
     authentication pre-share                                       //Authentication method
     group 16                                                       //Diffie-Hellman group used for the key exchange
    
    crypto isakmp key cisco123 address 61.232.0.2                  //Pre-shared key (password) for this peer
    
  2. IPsec SA (Transform Set: ESP or AH together with the encryption and authentication algorithms)
    crypto ipsec transform-set VPN-ESP-TS esp-aes 256 esp-sha256-hmac
    
  3. Crypto Map (Binds the ISAKMP policy, the transform set, the interesting traffic and the peer together.)
    ip access-list extended VPN
     permit ip 172.16.0.0 0.0.0.255 192.168.2.0 0.0.0.255          //The traffic that needs the VPN (interesting traffic)
    
    crypto map IPSec-SiteA_to_SiteB 10 ipsec-isakmp               //"10" is the sequence number of this map entry
     set transform-set VPN-ESP-TS
     match address VPN
     set peer 61.232.0.2
    
  4. Apply the crypto map to the outside interface (if applicable)
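The following is an added example, not the wiki's own configuration: it shows the interface binding that step 4 leaves implicit and the mirror-image configuration on router Site-B, so the two ends can be compared line by line. The subnets, the transform set and Site-B's address 61.232.0.2 come from the page; the interface names, Site-A's public address 61.232.0.1 and the /30 masks are assumptions for the example.

```cisco
! Router Site-A, step 4: bind the crypto map to the Internet-facing interface.
! Interface name and the address 61.232.0.1 are assumed for this example.
interface GigabitEthernet0/0
 description Outside / Internet (61.232.0.1 assumed)
 ip address 61.232.0.1 255.255.255.252
 crypto map IPSec-SiteA_to_SiteB
!
! Router Site-B: the mirror image. ISAKMP policy and transform set must match
! Site-A exactly; the crypto ACL is reversed; the peer is Site-A's public address.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 16
crypto isakmp key cisco123 address 61.232.0.1
!
crypto ipsec transform-set VPN-ESP-TS esp-aes 256 esp-sha256-hmac
!
ip access-list extended VPN
 permit ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.0.255
!
crypto map IPSec-SiteB_to_SiteA 10 ipsec-isakmp
 set peer 61.232.0.1
 set transform-set VPN-ESP-TS
 match address VPN
!
interface GigabitEthernet0/0
 description Outside / Internet
 ip address 61.232.0.2 255.255.255.252
 crypto map IPSec-SiteB_to_SiteA
!
! Verification on either router, after sending traffic between the two LANs:
!   show crypto isakmp sa    - phase 1 SA should be in state QM_IDLE
!   show crypto ipsec sa     - phase 2 #pkts encaps / #pkts decaps should increase
```

A mismatch in any of the mirrored values (policy parameters, pre-shared key, transform set or a crypto ACL that is not the exact reverse) is the usual reason phase 1 or phase 2 never completes, so compare the two halves side by side when troubleshooting.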

IPSec VPN + NAT

Exclude the VPN traffic from the NAT traffic.

  • Because NAT is applied before IPsec, the source IP of traffic initiated from the internal subnet is translated to the outbound public IP. The translated packet no longer matches the configured match address (the VPN's interesting traffic), so no IPsec encryption takes place.

  • Exclude the VPN traffic from the NAT translation on the router Site-A.

  • Also exclude the VPN traffic from the NAT translation on the router Site-B.
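A worked NAT exemption, added here as an example (it is not the wiki's configuration and does not reproduce its images). The idea is that the NAT ACL denies the VPN's interesting traffic before the permit for general Internet access, so the source address of that traffic is left untouched and still matches the crypto map. The 172.16.0.0/24 and 192.168.2.0/24 subnets come from the crypto ACL on this page; the ACL name and interface names are assumptions.

```cisco
! Router Site-A: deny the VPN's interesting traffic in the NAT ACL so it is
! never translated; everything else from the inside subnet is PAT'd as usual.
! ACL name and interface names are assumptions for this example.
ip access-list extended NAT-INSIDE
 deny   ip 172.16.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 any
!
! Overload (PAT) onto the outside interface address for the permitted traffic only.
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/1
 description Inside LAN 172.16.0.0/24
 ip nat inside
!
interface GigabitEthernet0/0
 description Outside / Internet
 ip nat outside
!
! Router Site-B: the mirror image, with source and destination swapped.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! Verification: after traffic between the two LANs, there must be no entry for
! 172.16.0.0/24 -> 192.168.2.0/24 in the NAT table, while the IPsec counters grow.
show ip nat translations
show crypto ipsec sa
```

The order of the two access-list entries matters: IOS evaluates the ACL top-down and stops at the first match, so the deny for the VPN subnets has to come before the broader permit.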

GRE over IPSec

IPsec does not carry multicast or broadcast traffic, so protocols that rely on it (OSPF, for example) cannot run across a plain IPsec VPN tunnel. GRE also builds tunnels, and although it does not encrypt the original packets it does carry multicast and broadcast. GRE over IPsec combines GRE's flexibility with IPsec's security.

     +---------------+------------+---Encrypted---------------------------+
     |               |            |+-----------+------------+------------+|
     | New IP Header |IPSec Header|| IP Header | GRE Header |  IP Packet ||
     |               |            |+-----------+------------+------------+|
     +---------------+------------+---------------------------------------+
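An added example of the GRE over IPsec configuration the diagram describes, on router Site-A; it is not the wiki's own configuration. It reuses the ISAKMP policy and pre-shared key from the site-to-site section above (they are still required and unchanged) and Site-B's public address 61.232.0.2 from the page. The tunnel addressing 10.0.0.0/30, the interface names, the MTU values and the profile name are assumptions for the example.

```cisco
! Router Site-A. The ISAKMP policy and "crypto isakmp key ... address 61.232.0.2"
! from the site-to-site section stay as they are; only the IPsec part changes.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
!   Default tunnel mode gives exactly the encapsulation drawn above
!   (new IP header : ESP : [IP header : GRE : IP packet]). Adding
!   "mode transport" under the transform set would drop the redundant
!   outer header, since the GRE packet already carries tunnel source/destination.
!
! An IPsec profile replaces the crypto map: no crypto ACL is needed because
! everything routed into Tunnel0 is, by definition, the interesting traffic.
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 61.232.0.2
 tunnel protection ipsec profile GRE-PROT
!
! OSPF hellos to 224.0.0.5 now travel inside GRE, which ESP in turn encrypts,
! so a routing adjacency forms across the VPN.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 172.16.0.0 0.0.0.255 area 0
!
! Router Site-B mirrors this with "ip address 10.0.0.2", tunnel source and
! destination swapped, and its own LAN added to OSPF.
!
! Verification:
!   show interface Tunnel0    - line protocol up
!   show ip ospf neighbor     - neighbour state FULL over Tunnel0
!   show crypto ipsec sa      - #pkts encaps / #pkts decaps increasing
```

The reduced `ip mtu` and the MSS clamp account for the roughly 24 bytes of GRE plus the ESP header, trailer and ICV that are added to every packet; without them large TCP segments fragment or are dropped inside the tunnel.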

Configuring Stateful Failover for IPsec on Cisco ASA

Configuring stateful failover for IPsec VPN on a Cisco ASA (Adaptive Security Appliance) ensures that VPN connections remain active when a failover occurs between primary and secondary ASAs in an Active/Standby High Availability (HA) setup.


Step 1: Configure ASA Failover

Before enabling stateful IPsec failover, you must have a working Active/Standby failover setup. If you haven't configured failover yet, follow these steps:

1. Enable Failover on Both ASAs

On the Primary ASA:

failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/1
failover link STATE GigabitEthernet0/2
failover interface ip FAILOVER 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip STATE 192.168.2.1 255.255.255.0 standby 192.168.2.2

On the Secondary ASA:

failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/1
failover link STATE GigabitEthernet0/2
failover interface ip FAILOVER 192.168.1.2 255.255.255.0 standby 192.168.1.1
failover interface ip STATE 192.168.2.2 255.255.255.0 standby 192.168.2.1

Make sure the failover and stateful failover interfaces are cabled between the two units (directly or through a dedicated switch/VLAN).

2. Enable Stateful Failover

On the ASA, stateful failover is switched on by the state link configured above (failover link STATE GigabitEthernet0/2); there is no separate enable command. Connection state is then replicated automatically, with the exception of HTTP sessions, which must be opted in explicitly:

failover replication http

Step 2: Enable Stateful IPsec VPN Failover

Once stateful failover is running, the ASA replicates the ISAKMP/IKEv1 and IPsec SA tables and IKEv2 sessions to the standby unit on its own; there is no VPN-specific failover command. What must be in place is IKE on the interface that terminates the VPN (the nameif "outside" below is assumed):

1. Enable IKE on the VPN-terminating interface

crypto ikev1 enable outside
crypto ikev2 enable outside

Explanation:

  • crypto ikev1 enable outside → Accepts IKEv1 negotiations on the outside interface; the resulting SAs are replicated to the standby unit
  • crypto ikev2 enable outside → The same for IKEv2 sessions
  • The state link (failover link STATE ...) carries the replicated VPN state; without it failover is stateless and every tunnel has to renegotiate

2. Verify Stateful IPsec Failover Configuration

To check if VPN sessions and failover settings are synchronized:

show failover state
show failover
show vpn-sessiondb detail
show crypto isakmp sa
show crypto ikev2 sa

Step 3: Test Failover

  1. Establish a VPN connection (e.g., from a remote site or AnyConnect client).

  2. Manually trigger a failover (enter this on the standby unit, which then takes the active role):

    failover active
    
  3. Verify that the VPN session remains active:

    show vpn-sessiondb
    

If configured correctly, IPsec VPN sessions should persist without disconnecting when failover occurs.


Summary

  • Failover must be stateful (a state link configured with failover link).
  • IKEv1 and IKEv2 must be enabled on the VPN-terminating interface (crypto ikev1 enable and crypto ikev2 enable); their SAs are then replicated automatically.
  • Test failover to ensure VPN session persistence.
