Cisco IOS IKEv1 VPN with Dynamic VTI with Pre-shared Keys

In this section we will configure a hub router that is able to offer VPN tunnels to a unknown number of dynamic VPN peers

This is useful where you may need to rapidly deploy a varied number of sites and do not want to have to reconfigure the hub router everytime a new site is activated.

The configuration we will be putting in place is suitable when the remote peers are using dynamic IP addressing but note that as we are using pre-shared key authentication the same key will be accepted from any IP address. This is not as secure as it could be and in a production deployment the use of digital signatures should be considerd.

It is assumed that the router already have basic IP connectivity and WAN routing is in place.

After the IPSec tunnel is configured working we will also setup dynamic routing through the tunnel.

Configuration Steps

On all devices: #. Configure a loopback to use a tunnel IP #. Configure the Keyring #. Configure the ISAKMP Policy #. Configure the ISAKMP Profile #. Configure the IPSec Proposal #. Configure the IPSec Profile #. Configure dynamic routing

On the Hub: #. Configure the tunnel interface template

On the Spokes: #. Configure a static tunnel interface

Step 1: Define the Loopback Interface

interface loopback <id>
  ip address <ip> 255.255.255.255

Step 1: Define the PSK Keyring

For the hub it’s necessary to define a wildcard PSK if the spokes will be using dynamic IP addresses. If they will be static they can be defined individually but that would loose some of the flexibility of the solution.

crypto  keyring <keyring-name>
  ! note the use of a wildcard key, this is used by any connecting peer
  pre-shared-key address 0.0.0.0 key <psk>

On the spokes the PSK can be defined with just the Hubs IP: .. code-block:: none

crypto keyring <keyring-name>
pre-shared-key address <hub-ip> key <psk>

Step 1: Configure the ISAKMP Policy

crypto isakmp policy <priority-number>
  authentication pre-shared
  encryption <encryption-algorithm>
  hash <integrity-algorithm>
  group <dh-group>
  lifetime <seconds>

Step 3: Configure the ISAKMP Profile

crypto isakmp profile <isakmp-profile-name>
  match identity address 0.0.0.0
  keyring <keyring-name>
  virtual-template <template-id>

Step 4: Configure the IPSec Transform Set

crypto ipsec transform-set <ts-name> <encryption-algorithm> <integrity-algorihm>
  mode tunnel

Step 5: Configure the IPSec Profile

crypto ipsec profile <ipsec-profile-name>
  set transform-set <ts-name>
  set security-association lifetime seconds <seconds>
  set isakmp-profile <isakmp-profile-name>

Step 6: Define the tunnel interfaces

On the Hub we will configure a template that will be cloned each time a client connects.

interface virtual-template <template-id> type tunnel
  ip unnumbered loopback <id>
  tunnel mode ipsec ip
  tunnel destination dynamic
  tunnel source <wan-interface>
  tunnel protection ipsec profile <ipsec-profile-name>

On the Spokes we can configure a nubmer tunnel interface:

interface Tunnel <id>
  ip unnumbered loopback <id>
  tunnel mode ipsec ip
  tunnel destination <hub-ip>
  tunnel source <wan-interface>
  tunnel protection ipsec profile <ipsec-profile-name>

Complete Example

The Hub config could be performed as follows:

interface loopback 0
  ip address 10.0.0.1 255.255.255.255

crypto  keyring DVTI-KEYRING
  pre-shared-key address 0.0.0.0 key mysecretkey

crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400

crypto isakmp profile DVTI-ISAKMP-PROF
  match identity address 0.0.0.0
  keyring DVTI-KEYRING
  virtual-template 1

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  mode tunnel

crypto ipsec profile IPSEC-PROF
  set transform-set ESP-3DES-MD5
  set security-association lifetime seconds 28800
  set isakmp-profile DVTI-ISAKMP-PROF

interface virtual-template 1 type tunnel
  ip unnumbered  loopback0
  tunnel mode ipsec ipv4
  tunnel destination dynamic
  tunnel source FastEthernet0/0
  tunnel protection ipsec profile IPSEC-PROF

router eigrp 10
  no auto-summary
  network 10.0.0.0 0.0.0.255
  network 10.1.0.0 0.0.255.255

The Spokes could then be configured as follows:

interface loopback 0
  ip address 10.0.0.2 255.255.255.255

crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400

crypto keyring DVTI-KEYRING
  pre-shared-key address 192.168.1.1 key mysecretkey

crypto isakmp profile DVTI-ISAKMP-PROF
  match identity address 192.168.1.1
  keyring DVTI-KEYRING

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  mode tunnel

crypto ipsec profile IPSEC-PROF
  set transform-set ESP-3DES-MD5
  set security-association lifetime seconds 28800
  set isakmp-profile DVTI-ISAKMP-PROF

interface tunnel 12
  ip unnumbered loopback 0
  tunnel mode ipsec ipv4
  tunnel source FastEthernet0/0
  tunnel destination 192.168.1.1
  tunnel protection ipsec profile IPSEC-PROF

router eigrp 10
  no auto-summary
  network 10.0.0.0 0.0.0.255
  network 10.2.0.0 0.0.255.255

When ever a new spoke needs to be deployed the same config as above can be used, just change the following:

  1. Loopback IP
  2. Subnets advertised by routing protocol