Configuration example for a hub-to-spoke VPN using IPsec
IPsec may be used to secure communications in a hub-to-spoke (tunnel stitching) deployment such as a virtual private network (VPN).
Figure 23
Hub-to-spoke deployment of IPsec
NOTE
Tunnel endpoints may be multiple hops away; the base path between them can be reachable through static routing or any routing protocol, such as RIP, OSPF, or BGP.
NOTE
The Ruckus ICX 7450 incurs a 50 percent performance degradation when used in a tunnel stitching configuration. Verify whether any other device you use in a tunnel stitching configuration has similar platform limitations.
In the following configuration example, the IPsec tunnels run in the user VRF (vrf1) and the base path is in the default VRF. The pre-shared key `ps_key` is a placeholder, and the `ikev2 proposal` and `ipsec proposal` entries are left at their platform defaults, which the example does not show; use a strong, per-peer key and confirm that the default algorithms meet your security policy before deploying.
Router1
Router1# configure terminal
Router1(config)# ikev2 proposal ikev2_propA
Router1(config-ike-proposal-ikev2_propA)# exit
Router1(config)# ikev2 auth-proposal ikev2_auth_propA
Router1(config-ike-auth-proposal-ikev2_auth_propA)# pre-shared-key ps_key
Router1(config-ike-auth-proposal-ikev2_auth_propA)# exit
Router1(config)# ikev2 policy ikev2_policyA
Router1(config-ike-policy-ikev2_policyA)# proposal ikev2_propA
Router1(config-ike-policy-ikev2_policyA)# match address-local 10.100.100.1 255.255.255.255
Router1(config-ike-policy-ikev2_policyA)# exit
Router1(config)# ikev2 profile ikev2_profA
Router1(config-ike-profile-ikev2_profA)# authentication ikev2_auth_propA
Router1(config-ike-profile-ikev2_profA)# local-identifier address 10.1.1.1
Router1(config-ike-profile-ikev2_profA)# remote-identifier address 10.4.4.4
Router1(config-ike-profile-ikev2_profA)# match-identity local address 10.1.1.1
Router1(config-ike-profile-ikev2_profA)# match-identity remote address 10.4.4.4
Router1(config-ike-profile-ikev2_profA)# exit
Router1(config)# ipsec proposal ipsec_propA
Router1(config-ipsec-proposal-ipsec_propA)# exit
Router1(config)# ipsec profile ipsec_profA
Router1(config-ipsec-profile-ipsec_profA)# proposal ipsec_propA
Router1(config-ipsec-profile-ipsec_profA)# ike-profile ikev2_profA
Router1(config-ipsec-profile-ipsec_profA)# exit
Router1(config)# interface loopback 1
Router1(config-lbif-1)# ip address 10.100.100.1 255.255.255.255
Router1(config-lbif-1)# ip ospf area 0
Router1(config-lbif-1)# exit
Router1(config)# interface tunnel 1
Router1(config-tnif-1)# vrf forwarding vrf1
Router1(config-tnif-1)# tunnel mode ipsec ipv4
Router1(config-tnif-1)# tunnel protection ipsec profile ipsec_profA
Router1(config-tnif-1)# tunnel source loopback 1
Router1(config-tnif-1)# tunnel destination 10.100.100.4
Router1(config-tnif-1)# ip address 10.11.1.1 255.255.255.252
Router1(config-tnif-1)# ip ospf area 0
Router1(config-tnif-1)# exit
Router1(config)# router ospf vrf vrf1
Router1(config-router-ospf-vrf-vrf1)# area 0
Router1(config-router-ospf-vrf-vrf1)# exit
Router1(config)# router ospf
Router1(config-router-ospf-vrf-default-vrf)# area 0
Router1(config-router-ospf-vrf-default-vrf)# end
Router2
Router2# configure terminal
Router2(config)# ikev2 proposal ikev2_propA
Router2(config-ike-proposal-ikev2_propA)# exit
Router2(config)# ikev2 auth-proposal ikev2_auth_propA
Router2(config-ike-auth-proposal-ikev2_auth_propA)# pre-shared-key ps_key
Router2(config-ike-auth-proposal-ikev2_auth_propA)# exit
Router2(config)# ikev2 policy ikev2_policyA
Router2(config-ike-policy-ikev2_policyA)# proposal ikev2_propA
Router2(config-ike-policy-ikev2_policyA)# match address-local 10.100.100.2 255.255.255.255
Router2(config-ike-policy-ikev2_policyA)# exit
Router2(config)# ikev2 profile ikev2_profA
Router2(config-ike-profile-ikev2_profA)# authentication ikev2_auth_propA
Router2(config-ike-profile-ikev2_profA)# local-identifier address 10.2.2.2
Router2(config-ike-profile-ikev2_profA)# remote-identifier address 10.4.4.4
Router2(config-ike-profile-ikev2_profA)# match-identity local address 10.2.2.2
Router2(config-ike-profile-ikev2_profA)# match-identity remote address 10.4.4.4
Router2(config-ike-profile-ikev2_profA)# exit
Router2(config)# ipsec proposal ipsec_propA
Router2(config-ipsec-proposal-ipsec_propA)# exit
Router2(config)# ipsec profile ipsec_profA
Router2(config-ipsec-profile-ipsec_profA)# proposal ipsec_propA
Router2(config-ipsec-profile-ipsec_profA)# ike-profile ikev2_profA
Router2(config-ipsec-profile-ipsec_profA)# exit
Router2(config)# interface loopback 1
Router2(config-lbif-1)# ip address 10.100.100.2 255.255.255.255
Router2(config-lbif-1)# ip ospf area 0
Router2(config-lbif-1)# exit
Router2(config)# interface tunnel 1
Router2(config-tnif-1)# vrf forwarding vrf1
Router2(config-tnif-1)# tunnel mode ipsec ipv4
Router2(config-tnif-1)# tunnel protection ipsec profile ipsec_profA
Router2(config-tnif-1)# tunnel source loopback 1
Router2(config-tnif-1)# tunnel destination 10.100.100.4
Router2(config-tnif-1)# ip address 10.12.1.1 255.255.255.252
Router2(config-tnif-1)# ip ospf area 0
Router2(config-tnif-1)# exit
Router2(config)# router ospf vrf vrf1
Router2(config-router-ospf-vrf-vrf1)# area 0
Router2(config-router-ospf-vrf-vrf1)# exit
Router2(config)# router ospf
Router2(config-router-ospf-vrf-default-vrf)# area 0
Router2(config-router-ospf-vrf-default-vrf)# end
Router3
Router3# configure terminal
Router3(config)# ikev2 proposal ikev2_propA
Router3(config-ike-proposal-ikev2_propA)# exit
Router3(config)# ikev2 auth-proposal ikev2_auth_propA
Router3(config-ike-auth-proposal-ikev2_auth_propA)# pre-shared-key ps_key
Router3(config-ike-auth-proposal-ikev2_auth_propA)# exit
Router3(config)# ikev2 policy ikev2_policyA
Router3(config-ike-policy-ikev2_policyA)# proposal ikev2_propA
Router3(config-ike-policy-ikev2_policyA)# match address-local 10.100.100.3 255.255.255.255
Router3(config-ike-policy-ikev2_policyA)# exit
Router3(config)# ikev2 profile ikev2_profA
Router3(config-ike-profile-ikev2_profA)# authentication ikev2_auth_propA
Router3(config-ike-profile-ikev2_profA)# local-identifier address 10.3.3.3
Router3(config-ike-profile-ikev2_profA)# remote-identifier address 10.4.4.4
Router3(config-ike-profile-ikev2_profA)# match-identity local address 10.3.3.3
Router3(config-ike-profile-ikev2_profA)# match-identity remote address 10.4.4.4
Router3(config-ike-profile-ikev2_profA)# exit
Router3(config)# ipsec proposal ipsec_propA
Router3(config-ipsec-proposal-ipsec_propA)# exit
Router3(config)# ipsec profile ipsec_profA
Router3(config-ipsec-profile-ipsec_profA)# proposal ipsec_propA
Router3(config-ipsec-profile-ipsec_profA)# ike-profile ikev2_profA
Router3(config-ipsec-profile-ipsec_profA)# exit
Router3(config)# interface loopback 1
Router3(config-lbif-1)# ip address 10.100.100.3 255.255.255.255
Router3(config-lbif-1)# ip ospf area 0
Router3(config-lbif-1)# exit
Router3(config)# interface tunnel 1
Router3(config-tnif-1)# vrf forwarding vrf1
Router3(config-tnif-1)# tunnel mode ipsec ipv4
Router3(config-tnif-1)# tunnel protection ipsec profile ipsec_profA
Router3(config-tnif-1)# tunnel source loopback 1
Router3(config-tnif-1)# tunnel destination 10.100.100.4
Router3(config-tnif-1)# ip address 10.13.1.1 255.255.255.252
Router3(config-tnif-1)# ip ospf area 0
Router3(config-tnif-1)# exit
Router3(config)# router ospf vrf vrf1
Router3(config-router-ospf-vrf-vrf1)# area 0
Router3(config-router-ospf-vrf-vrf1)# exit
Router3(config)# router ospf
Router3(config-router-ospf-vrf-default-vrf)# area 0
Router3(config-router-ospf-vrf-default-vrf)# end
Router4
Router4 may be any device that supports IPsec. The following example shows how to configure Router4 when the device is a Ruckus ICX 7450 switch. The base-path (physical) interfaces are omitted from the example; the hub's loopback address 10.100.100.4 and each spoke's loopback 1 address must be reachable from one another in the default VRF before the tunnels can be established. The hub uses a separate IKEv2 auth-proposal for each spoke (ikev2_auth_propB, ikev2_auth_propC, ikev2_auth_propD); although the example enters `ps_key` for all three, this structure lets you assign a distinct pre-shared key to each spoke.
Router4# configure terminal
Router4(config)# ikev2 proposal ikev2_propA
Router4(config-ike-proposal-ikev2_propA)# exit
Router4(config)# ikev2 auth-proposal ikev2_auth_propB
Router4(config-ike-auth-proposal-ikev2_auth_propB)# pre-shared-key ps_key
Router4(config-ike-auth-proposal-ikev2_auth_propB)# exit
Router4(config)# ikev2 auth-proposal ikev2_auth_propC
Router4(config-ike-auth-proposal-ikev2_auth_propC)# pre-shared-key ps_key
Router4(config-ike-auth-proposal-ikev2_auth_propC)# exit
Router4(config)# ikev2 auth-proposal ikev2_auth_propD
Router4(config-ike-auth-proposal-ikev2_auth_propD)# pre-shared-key ps_key
Router4(config-ike-auth-proposal-ikev2_auth_propD)# exit
Router4(config)# ikev2 policy ikev2_policyA
Router4(config-ike-policy-ikev2_policyA)# proposal ikev2_propA
Router4(config-ike-policy-ikev2_policyA)# match address-local 10.100.100.4 255.255.255.255
Router4(config-ike-policy-ikev2_policyA)# exit
Router4(config)# ikev2 profile ikev2_profB
Router4(config-ike-profile-ikev2_profB)# authentication ikev2_auth_propB
Router4(config-ike-profile-ikev2_profB)# local-identifier address 10.4.4.4
Router4(config-ike-profile-ikev2_profB)# remote-identifier address 10.1.1.1
Router4(config-ike-profile-ikev2_profB)# match-identity local address 10.4.4.4
Router4(config-ike-profile-ikev2_profB)# match-identity remote address 10.1.1.1
Router4(config-ike-profile-ikev2_profB)# exit
Router4(config)# ikev2 profile ikev2_profC
Router4(config-ike-profile-ikev2_profC)# authentication ikev2_auth_propC
Router4(config-ike-profile-ikev2_profC)# local-identifier address 10.4.4.4
Router4(config-ike-profile-ikev2_profC)# remote-identifier address 10.2.2.2
Router4(config-ike-profile-ikev2_profC)# match-identity local address 10.4.4.4
Router4(config-ike-profile-ikev2_profC)# match-identity remote address 10.2.2.2
Router4(config-ike-profile-ikev2_profC)# exit
Router4(config)# ikev2 profile ikev2_profD
Router4(config-ike-profile-ikev2_profD)# authentication ikev2_auth_propD
Router4(config-ike-profile-ikev2_profD)# local-identifier address 10.4.4.4
Router4(config-ike-profile-ikev2_profD)# remote-identifier address 10.3.3.3
Router4(config-ike-profile-ikev2_profD)# match-identity local address 10.4.4.4
Router4(config-ike-profile-ikev2_profD)# match-identity remote address 10.3.3.3
Router4(config-ike-profile-ikev2_profD)# exit
Router4(config)# ipsec proposal ipsec_propA
Router4(config-ipsec-proposal-ipsec_propA)# exit
Router4(config)# ipsec profile ipsec_profB
Router4(config-ipsec-profile-ipsec_profB)# proposal ipsec_propA
Router4(config-ipsec-profile-ipsec_profB)# ike-profile ikev2_profB
Router4(config-ipsec-profile-ipsec_profB)# exit
Router4(config)# ipsec profile ipsec_profC
Router4(config-ipsec-profile-ipsec_profC)# proposal ipsec_propA
Router4(config-ipsec-profile-ipsec_profC)# ike-profile ikev2_profC
Router4(config-ipsec-profile-ipsec_profC)# exit
Router4(config)# ipsec profile ipsec_profD
Router4(config-ipsec-profile-ipsec_profD)# proposal ipsec_propA
Router4(config-ipsec-profile-ipsec_profD)# ike-profile ikev2_profD
Router4(config-ipsec-profile-ipsec_profD)# exit
Router4(config)# interface loopback 1
Router4(config-lbif-1)# ip address 10.100.100.4 255.255.255.255
Router4(config-lbif-1)# exit
Router4(config)# interface tunnel 1
Router4(config-tnif-1)# vrf forwarding vrf1
Router4(config-tnif-1)# tunnel mode ipsec ipv4
Router4(config-tnif-1)# tunnel protection ipsec profile ipsec_profB
Router4(config-tnif-1)# tunnel source loopback 1
Router4(config-tnif-1)# tunnel destination 10.100.100.1
Router4(config-tnif-1)# ip address 10.11.1.2 255.255.255.252
Router4(config-tnif-1)# ip ospf area 0
Router4(config-tnif-1)# exit
Router4(config)# interface tunnel 2
Router4(config-tnif-2)# vrf forwarding vrf1
Router4(config-tnif-2)# tunnel mode ipsec ipv4
Router4(config-tnif-2)# tunnel protection ipsec profile ipsec_profC
Router4(config-tnif-2)# tunnel source loopback 1
Router4(config-tnif-2)# tunnel destination 10.100.100.2
Router4(config-tnif-2)# ip address 10.12.1.2 255.255.255.252
Router4(config-tnif-2)# ip ospf area 0
Router4(config-tnif-2)# exit
Router4(config)# interface tunnel 3
Router4(config-tnif-3)# vrf forwarding vrf1
Router4(config-tnif-3)# tunnel mode ipsec ipv4
Router4(config-tnif-3)# tunnel protection ipsec profile ipsec_profD
Router4(config-tnif-3)# tunnel source loopback 1
Router4(config-tnif-3)# tunnel destination 10.100.100.3
Router4(config-tnif-3)# ip address 10.13.1.2 255.255.255.252
Router4(config-tnif-3)# ip ospf area 0
Router4(config-tnif-3)# exit
Router4(config)# router ospf vrf vrf1
Router4(config-router-ospf-vrf-vrf1)# area 0
Router4(config-router-ospf-vrf-vrf1)# exit
Router4(config)# router ospf
Router4(config-router-ospf-vrf-default-vrf)# area 0
Router4(config-router-ospf-vrf-default-vrf)# end