Cisco IOS 15.9(3)M10 sits on a maintenance train where **EasyVPN Network Extension Mode (NEM)** is a legacy, IKEv1-based feature and IKEv2 with virtual tunnel interfaces (FlexVPN) is the supported way to build site-to-site IPsec. Below is a comparison of a branch **old router** still running the EasyVPN NEM client against a **new router** on 15.9(3)M10 built with IKEv2 and a VTI:
---
### **Old Router (Pre-IOS 15.9(3)M10)**
1. **EasyVPN NEM Basics**:
   - EasyVPN Network Extension Mode (NEM) extends the corporate network to the branch: the branch LAN keeps its own addressing and is reachable from the hub across the tunnel, instead of the router receiving a single client address as in client mode.
   - The client is IKEv1 with a group pre-shared key plus XAUTH for a user credential; commonly used commands:
     - `crypto ipsec client ezvpn` to define the client, applied to the WAN interface as `outside` and to the LAN interface as `inside`.
     - NEM mode set with `mode network-extension`.
2. **Configuration Example**:

```cisco
crypto ipsec client ezvpn CLIENT
 connect auto
 group GROUP_NAME key GROUP_KEY
 mode network-extension
 peer 203.0.113.1
 xauth userid mode local
 username USERNAME password PASSWORD
!
! The client is bound to interfaces, not to a Tunnel interface:
! "outside" is where the IKEv1/IPsec session is built ...
interface GigabitEthernet0/0
 crypto ipsec client ezvpn CLIENT outside
!
! ... and "inside" marks the LAN whose subnet NEM extends to the hub
! (GigabitEthernet0/1 is assumed here as the branch LAN interface)
interface GigabitEthernet0/1
 crypto ipsec client ezvpn CLIENT inside
```
3. **Limitations**:
   - Built on IKEv1 aggressive mode with one group pre-shared key shared by every branch: the authentication hash is sent before encryption is established, so the group key is exposed to offline guessing, and one compromised branch compromises the whole group.
   - Legacy cryptography: existing deployments usually carry DES/3DES transform sets and DH group 1 or 2 from the original IKEv1 policy, and combined-mode ciphers such as AES-GCM are only available with IKEv2 on IOS.
   - Group settings (split tunnel, DNS, domain) are pushed with Cisco-specific mode-configuration attributes, which limits interoperability with non-Cisco peers.
---
### **New Router (Post-IOS 15.9(3)M10)**
1. **What IKEv2 on IOS 15.9(3)M10 gives you**:
   - Modern cryptography chosen in the IKEv2 proposal:
     - AES-256 in CBC or GCM mode.
     - SHA-2 for integrity and PRF, DH group 14 or higher (including ECDH groups 19/20).
   - Smaller configuration: IKEv2 smart defaults supply a default proposal, policy, transform set and IPsec profile, so only what differs from them has to be stated.
   - Standard IKEv2 (RFC 7296) instead of Cisco-specific EasyVPN attribute push, so the same hub profile terminates IOS spokes and other standards-based peers.
2. **Configuration Changes**:
   - Replace `crypto ipsec client ezvpn` with an IKEv2 proposal, policy, keyring and profile.
   - Terminate the tunnel on a Virtual Tunnel Interface (VTI) and route the branch LAN over it; routing, not the NEM `inside` interface, is what extends the network now.
   - State the proposal explicitly (AES, SHA-2, DH group 14 or higher) instead of accepting whatever the peer offers.
   - Drop XAUTH, which is IKEv1-only: IKEv2 authenticates with pre-shared keys, certificates or EAP, selected by the `authentication remote` and `authentication local` lines of the profile.
3. **Configuration Example**:

```cisco
crypto ikev2 proposal VPN-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy VPN-POLICY
 proposal VPN-PROPOSAL
!
crypto ikev2 keyring VPN-KEYRING
 peer PEER1
  address 203.0.113.1
  pre-shared-key GROUP_KEY
!
crypto ikev2 profile VPN-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN-KEYRING
!
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TRANSFORM
 set ikev2-profile VPN-PROFILE
!
interface Tunnel0
 ! "negotiated" means the hub assigns the tunnel address in the IKEv2
 ! configuration exchange; use a static /30 address instead if the hub
 ! does not hand out addresses
 ip address negotiated
 tunnel source GigabitEthernet0/0
 ! a static VTI needs the peer as its destination
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
```
4. **Benefits**:
   - Stronger cryptography (AES-256, SHA-2, DH group 14 or higher) and per-peer keys or certificates instead of one group key.
   - Scalability: one virtual-template on the hub terminates any number of VTI spokes, with routing over the tunnel replacing EasyVPN NEM's inside/outside binding.
   - Interoperability with other vendors and newer Cisco devices, since IKEv2 is a standard rather than an EasyVPN-specific exchange.
---
**Migration Note**: If you are migrating from an EasyVPN NEM setup to a new router on IOS 15.9(3)M10, redesign around IKEv2 and a VTI rather than carrying the EasyVPN client forward. An EasyVPN spoke and an IKEv2 profile do not interoperate, but the hub can terminate its existing IKEv1 EasyVPN server and a new IKEv2 profile on the same interface at the same time, so branches can be moved one at a time; remove the IKEv1 server, and its group key, once the last branch is migrated.
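The page shows only the branch (spoke) side. The hub counterpart, plus the few spoke additions that make the branch LAN reachable the way NEM did, as an added example that is not part of the original post: it assumes the hub is 203.0.113.1 on GigabitEthernet0/0, an HQ prefix of 10.0.0.0/8, a branch LAN of 192.168.10.0/24 on GigabitEthernet0/1, and a tunnel-address pool in 10.255.0.0/24; the names FLEX-AUTHOR, FLEX-POOL, HUB-KEYRING, HUB-PROFILE and Loopback0 are assumptions as well. Routes are exchanged in the IKEv2 configuration payload (FlexVPN route exchange) instead of being configured statically, so the hub never needs to know which pool address a given spoke negotiated.

```cisco
! ---- Hub (203.0.113.1): terminates IKEv2 spokes on a virtual-template ----
! aaa new-model changes console/vty login: make sure a local username exists first
aaa new-model
aaa authorization network FLEX-AUTHOR local
!
crypto ikev2 proposal VPN-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy VPN-POLICY
 proposal VPN-PROPOSAL
!
! Assumption: all spokes share one PSK (weakest part of this design);
! prefer one peer block per spoke with its own key, or certificates
crypto ikev2 keyring HUB-KEYRING
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key GROUP_KEY
!
! Pushed to every spoke in the IKEv2 configuration exchange: a tunnel
! address from the pool and the HQ prefix as a route; "route accept any"
! installs whatever prefixes the spoke sends (its LAN) as static routes
ip local pool FLEX-POOL 10.255.0.2 10.255.0.254
crypto ikev2 authorization policy default
 pool FLEX-POOL
 route set interface
 route set remote ipv4 10.0.0.0 255.0.0.0
 route accept any
!
crypto ikev2 profile HUB-PROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local HUB-KEYRING
 aaa authorization group psk list FLEX-AUTHOR default
 virtual-template 1
!
crypto ipsec transform-set TRANSFORM esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TRANSFORM
 set ikev2-profile HUB-PROFILE
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! One Virtual-Access interface is cloned from this template per spoke
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
!
! ---- Spoke additions, on top of the spoke configuration shown above ----
aaa new-model
aaa authorization network FLEX-AUTHOR local
!
! Advertise the branch LAN to the hub and accept the routes the hub pushes
crypto ikev2 authorization policy default
 route set interface
 route set remote ipv4 192.168.10.0 255.255.255.0
 route accept any
!
crypto ikev2 profile VPN-PROFILE
 aaa authorization group psk list FLEX-AUTHOR default
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
```

Check the result with `show crypto ikev2 sa detailed` (the SA should list the negotiated tunnel address and the exchanged routes), `show crypto ipsec sa` for traffic counters, and `show ip route static`: prefixes learned in the configuration exchange appear as static routes via Tunnel0 on the spoke and via the spoke's Virtual-Access interface on the hub, which is the NEM reachability the old design gave you. Because the hub matches any identity against one wildcard key, replacing that block with per-spoke `peer` entries, or switching both `authentication` lines to `rsa-sig` with a PKI trustpoint, is the first hardening step to take after the cutover.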