
Incoming Connection of Cisco IOS to SafeUTM via IPsec

Following the steps in this article, you can connect the Cisco and SafeUTM local networks through an IPsec tunnel authenticated with a pre-shared key (PSK).


Find below the connection setup according to the scheme shown in the figure (image: Incoming Connection of Cisco IOS to SafeUTM via IPsec.png).


Step 1. Initial Setup of SafeUTM

Configure the local and external interfaces on SafeUTM. Detailed information can be found in the article Initial setup.


Step 2. Initial setup of Cisco IOS XE

The Cisco configuration is done through the device console; the commands are described below.

1. Setting up the local interface:

enable
conf t
interface GigabitEthernet2
ip address {local IP Cisco} {subnet mask}
no shutdown
ip nat inside
exit

2. Configuring the external interface:

interface GigabitEthernet1
ip address {Cisco external IP} {subnet mask}
no shutdown
ip nat outside
exit

3. Check that there is connectivity between the external interfaces of SafeUTM and Cisco. To do this, run the ping {external IP UTM} command in the Cisco console; the command should return ICMP echo replies.

4. Creating an access list with the local network addressing (Cisco access lists use a wildcard mask, i.e. the inverse of the subnet mask: for 255.255.255.0 the reverse subnet mask is 0.0.0.255):

ip access-list extended NAT
permit ip {Cisco local subnet} {reverse subnet mask} any
exit

5. Configuring NAT (for more information on configuring this item, you can read the article on the official Cisco website):

ip nat inside source list NAT interface GigabitEthernet1 overload
exit

6. Saving configuration settings:

write memory

7. Having saved the settings, make sure that there is Internet access from the Cisco LAN. To do this, visit any website (for example: https://www.cisco.com) from a device on the Cisco LAN.


Step 3. Configuring IKEv2+IPsec on Cisco

1. Creating a proposal (you can read detailed information on setting up this item in the article on the official Cisco website):

conf t
crypto ikev2 proposal ikev2proposal
encryption aes-cbc-256
integrity sha256
group 19
exit

2. Creating a policy (you can read detailed information on setting up this item in the article on the official Cisco website):

crypto ikev2 policy ikev2policy
match fvrf any
proposal ikev2proposal
exit

3. Creating a peer (key_id is the ID of the remote party, i.e. SafeUTM). Detailed information on setting up this item can be found in the article on the official Cisco website.

crypto ikev2 keyring key
peer strongswan
address {UTM external IP}
identity key-id {key_id}
pre-shared-key local {psk}
pre-shared-key remote {psk}
exit
exit

4. Creating an IKEv2 profile (you can read detailed information on configuring this item in the article on the official Cisco website):

crypto ikev2 profile ikev2profile
match identity remote address {UTM external IP} 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local key
exit

5. Configuring the ESP transform set (encryption of the tunnelled traffic):

crypto ipsec transform-set TS esp-gcm 256
mode tunnel
exit

6. Creating the crypto map (ipsec-isakmp):

crypto map cmap 10 ipsec-isakmp
set peer {UTM external IP}
set transform-set TS
set ikev2-profile ikev2profile
match address cryptoacl
exit

7. Configuring the crypto map on the external interface:

interface GigabitEthernet1
crypto map cmap
exit

8. Creating an access list for traffic between Cisco and UTM local networks:

ip access-list extended cryptoacl
permit ip {Cisco local subnet} {reverse subnet mask} {UTM local subnet} {reverse subnet mask}
exit

9. Adding an exception for traffic between the Cisco and UTM local networks to the NAT access list, so that this traffic is not translated and matches the crypto ACL instead (the deny rule must come before the permit rule):

ip access-list extended NAT
no permit ip {Cisco local subnet} {reverse subnet mask} any
deny ip {Cisco local subnet} {reverse subnet mask} {local UTM subnet} {reverse subnet mask}
permit ip {Cisco local subnet} {reverse subnet mask} any
exit
end

10. Saving configuration settings:

write memory
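The wildcard masks and the deny-before-permit ordering in steps 8 and 9 are easy to get wrong by hand, and a mistake there silently sends LAN-to-LAN traffic through NAT instead of the tunnel. As an added example (not part of the original article or of any SafeUTM or Cisco material), this Python script derives the wildcard masks from CIDR prefixes, renders the two access lists with the names used above (NAT and cryptoacl), and checks a configuration snippet for the NAT exemption; the subnets are the article's sample values.

```python
import ipaddress


def wildcard(net: str) -> tuple[str, str]:
    """Return (network address, Cisco wildcard mask) for a CIDR prefix.

    Cisco ACLs use the inverse of the subnet mask: /24 -> 0.0.0.255.
    """
    n = ipaddress.ip_network(net, strict=True)
    return str(n.network_address), str(n.hostmask)


def render_acls(cisco_lan: str, utm_lan: str) -> str:
    """Render the NAT and cryptoacl access lists from steps 8 and 9."""
    c_net, c_wc = wildcard(cisco_lan)
    u_net, u_wc = wildcard(utm_lan)
    return "\n".join([
        "ip access-list extended NAT",
        f" deny   ip {c_net} {c_wc} {u_net} {u_wc}",   # exemption first
        f" permit ip {c_net} {c_wc} any",               # then overload NAT
        "ip access-list extended cryptoacl",
        f" permit ip {c_net} {c_wc} {u_net} {u_wc}",
    ])


def nat_exemption_ok(config: str) -> bool:
    """True if every cryptoacl permit has a matching NAT deny placed
    before the first NAT permit (the ordering required by step 9)."""
    acls: dict[str, list[list[str]]] = {}
    current = None
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls[current] = []
        elif current and tokens and tokens[0] in ("permit", "deny"):
            acls[current].append(tokens)
        elif tokens and not tokens[0].startswith("!"):
            current = None  # any other command ends the ACL block
    nat, crypto = acls.get("NAT", []), acls.get("cryptoacl", [])
    if not crypto:
        return False
    first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
    return all(["deny"] + e[1:] in nat[:first_permit]
               for e in crypto if e[0] == "permit")


# Constructed sample with the deny placed after the permit (the mistake step 9 warns about).
SAMPLE_MISORDERED = """ip access-list extended NAT
 permit ip 2.2.2.0 0.0.0.255 any
 deny   ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
ip access-list extended cryptoacl
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
"""
```

Running nat_exemption_ok over the final configuration at the end of this article returns True, while SAMPLE_MISORDERED returns False.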

Step 4. Creating an incoming IPsec connection on UTM

1. In the SafeUTM web interface, open tab Services -> IPsec -> Devices.
2. Add a new connection:

  • Connection name – any.
  • Type – incoming.
  • Authorization type – PSK.
  • PSK – specify the PSK key that you entered in Step 3 item 3.
  • Remote side identifier – insert the Cisco ID (Key ID parameter in Step 3 item 3).
  • Home local network – specify the SafeUTM local area network.
  • Remote local networks – specify the Cisco local network.

3. Save the created connection, then click Turn on.
4. Check that the connection is established: the connection appears in the list of connections, and in the Statuses column the word Installed is highlighted in green.
5. Check for traffic between local networks (TCP and web).


The final configuration of Cisco IOS

The final configuration of IKEv2 IPsec on Cisco IOS should look like this:

crypto ikev2 proposal ikev2proposal 
 encryption aes-cbc-256
 integrity sha256
 group 19

crypto ikev2 policy ikev2policy 
 match fvrf any
 proposal ikev2proposal

crypto ikev2 keyring key
 peer strongswan
  address 5.5.5.5
  pre-shared-key local QWEqwe1234567890
  pre-shared-key remote QWEqwe1234567890

crypto ikev2 profile ikev2profile
 match identity remote key-id key-id
 authentication remote pre-share
 authentication local pre-share
 keyring local key

crypto ipsec transform-set TS esp-gcm 256 
 mode tunnel

crypto map cmap 10 ipsec-isakmp 
 set peer 5.5.5.5
 set transform-set TS 
 set ikev2-profile ikev2profile
 match address cryptoacl

interface GigabitEthernet1
! external interface
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
 crypto map cmap

interface GigabitEthernet2
! local interface
 ip address 2.2.2.2 255.255.255.0
 ip nat inside
 negotiation auto
 no mop enabled
 no mop sysid

ip nat inside source list NAT interface GigabitEthernet1 overload

ip access-list extended NAT
 deny   ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
 permit ip 2.2.2.0 0.0.0.255 any
ip access-list extended cryptoacl
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255