Incoming Connection of Cisco IOS to SafeUTM via IPsec

Following the steps in this article, you can combine Cisco and SafeUTM networks via IPsec using PSK.

Find below the connection setup according to the scheme shown in the figure:

Step 1. Initial Setup of SafeUTM

Configure the local and external interfaces on SafeUTM. Detailed information can be found in the article Initial setup.

Step 2. Initial setup of Cisco IOS EX

Cisco configuration can be done through the device console (the configuration is described below)

1. Setting up the local interface:

enable

conf t

interface GigabitEthernet2

ip address {local IP Cisco} {subnet mask}

no shutdown

ip nat inside

exit

2. Configuring the external interface:

interface GigabitEthernet1

ip address {Cisco external IP} {subnet mask}

no shutdown

ip nat outside

exit

3. Check if there is a connection between the external interfaces of SafeUTM and Cisco. To do this, use the ping {external IP UTM} command in the Cisco console. The result of the command output is the presence of ICMP responses.

4. Creating an access list with local network addressing:

ip access-list extended NAT

permit ip {Cisco local subnet} {reverse subnet mask} any

exit

5. Configuring NAT (for more information on configuring this item, you can read the article on the official Cisco website):

ip nat inside source list NAT interface GigabitEthernet1 overload

exit

6. Saving configuration settings:

write memory

7. Having saved the settings, make sure that there is Internet access from the Cisco LAN. To do this, visit any website (for example: https://www.cisco.com) from a device on the Cisco LAN.

Step 3. Configuring IKEv2+IPsec on Cisco

1. Creating a proposal (you can read detailed information on setting up this item in the article on the official Cisco website):

conf t

crypto ikev2 proposal ikev2proposal

encryption aes-cbc-256

integrity sha256

group 19

exit

2. Creating a policy (you can read detailed information on setting up this item in the article on the official Cisco website):

crypto ikev2 policy ikev2policy

match fvrf any

proposal ikev2proposal

exit

3. Creating a peer (key_id is the ID of the remote party, i.e. SafeUTM). Detailed information on setting up this item can be found in the article on the official Cisco website.

crypto ikev2 keyring key

peer strongswan

address {UTM external IP}

identity key-id {key_id}

pre-shared-key local {psk}

pre-shared-key remote {psk}

exit

exit

4. Creating an IKEv2 profile (you can read detailed information on configuring this item in the article on the official Cisco website):

crypto ikev2 profile ikev2profile

match identity remote address {UTM external IP} 255.255.255.255

authentication remote pre-share

authentication local pre-share

keyring local key

exit

5. Setting up encryption in esp:

crypto ipsec transform-set TS esp-gcm 256

mode tunnel

exit

6. Creating ipsec-isakmp:

crypto map cmap 10 ipsec-isakmp

set peer {UTM external IP}

set transform-set TS

set ikev2-profile ikev2profile

match address cryptoacl

exit

7. Configuring the crypto map on the external interface:

interface GigabitEthernet1

crypto map cmap

exit

8. Creating an access list for traffic between Cisco and UTM local networks:

ip access-list extended cryptoacl

permit ip {Cisco local subnet} {reverse subnet mask} {UTM local subnet} {reverse subnet mask}

exit

9. Adding traffic exceptions between Cisco and UTM local networks to the NAT access list (the deny rule should be higher than permit):

ip access-list extended NAT

no permit ip {Cisco local subnet} {reverse subnet mask} any

deny ip {Cisco local subnet} {reverse subnet mask} {local UTM subnet} {reverse subnet mask}

permit ip {Cisco local subnet} {reverse subnet mask} any

exit

end

10. Saving configuration settings:

write memory

Step 4. Creating an incoming IPsec connection on UTM

1. In the SafeUTM web interface, open tab Services -> IPsec -> Devices.2. Add a new connection:

Connection name – any.

Type – incoming.

Authorization type – PSK.

PSK – specify the PSK key that you entered in Step 3 item 3.

Remote side identifier – insert the Cisco ID (Key ID parameter in Step 3 item 3).

Home local network – specify the SafeUTM local area network.

Remote local networks – specify the Cisco local network.

3. Save the created connection, then click on Turn on4. Check that the connection is established (your connection will appear in the list of connections, in column Statuses the word Installed will be highlighted in green).5. Check for traffic between local networks (TCP and web).

The final configuration of Cisco IOS

The final configuration of IKEv2 IPsec on Cisco IOS should look like this:

crypto ikev2 proposal ikev2proposal 

 encryption aes-cbc-256

 integrity sha256

 group 19

crypto ikev2 policy ikev2policy 

 match fvrf any

 proposal ikev2proposal

crypto ikev2 keyring key

 peer strongswan

 address 5.5.5.5

 pre-shared-key local QWEqwe1234567890

 pre-shared-key remote QWEqwe1234567890

crypto ikev2 profile ikev2profile

 match identity remote key-id key-id

 authentication remote pre-share

 authentication local pre-share

 keyring local key

crypto ipsec transform-set TS esp-gcm 256 

 mode tunnel

crypto map cmap 10 ipsec-isakmp 

 set peer 5.5.5.5

 set transform-set TS 

 set ikev2-profile ikev2profile

 match address cryptoacl

interface GigabitEthernet1

! external interface

 ip address 1.1.1.1 255.255.255.0

 ip nat outside

 negotiation auto

 no mop enabled

 no mop sysid

 crypto map cmap

interface GigabitEthernet2

! local interface

 ip address 2.2.2.2 255.255.255.0

 ip nat inside

 negotiation auto

 no mop enabled

 no mop sysid

ip nat inside source list NAT interface GigabitEthernet1 overload

ip access-list extended NAT

 deny ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255

 permit ip 2.2.2.0 0.0.0.255 any

ip access-list extended cryptoacl

 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255