Site-to-Site IPSec VPN using EasyVPN with ISAKMP Profiles (Old vs New Cisco IOS)
Table of Contents
- Introduction
- What is EasyVPN?
- Core Components
- Crypto Math Explained
- Old IOS Config
- New IOS Config
- Old vs New Comparison
- Packet Flow
- Verification
- Troubleshooting
- Interview Q&A
Introduction
EasyVPN is designed to simplify IPSec VPN deployment by reducing configuration complexity on remote routers.
However, modern IOS versions introduce significant architectural changes such as:
- IKEv2 adoption
- Keyrings instead of global keys
- VTI-based VPNs (FlexVPN)
What is EasyVPN?
EasyVPN (Cisco Easy VPN) allows a central router (the server) to push VPN policy to remote routers (the clients) during IKE negotiation: the client only needs the server address and its group credentials, and receives attributes such as an internal address, DNS servers and a split-tunnel ACL from the server.
Core Components
- ISAKMP Policy (Phase 1: IKE encryption, hash, DH group and authentication method)
- ISAKMP Profile (identity matching: which peer identity maps to which keyring and crypto map)
- Transform Set (Phase 2: the ESP encryption and HMAC algorithms used for data)
- Crypto Map / IPsec Profile (binds the peer, transform set and traffic selection to an interface or tunnel)
IPSec Crypto Math Explained (From Zero to CCNP Level)
IPSec security is not magic: it is built on a few simple mathematical ideas:
- Reversible transformations under a key (encryption)
- One-way functions (hashing, and keyed hashing for HMAC)
- Modular arithmetic (Diffie-Hellman)
Let’s break each one down in the simplest possible way.
1. Encryption (Confidentiality)
Encryption converts readable data into unreadable data using a key, and the same key reverses it.
Ciphertext = Encrypt(Plaintext, Key)
Plaintext = Decrypt(Ciphertext, Key)
Simple Understanding
Think of it like a lock:
- Data = message
- Key = password
- Encryption = locking the message
- Decryption = unlocking it with the same key
Step-by-Step Example (XOR, the operation at the heart of stream ciphers)
Plaintext = 10 (binary 1010)
Key = 3 (binary 0011)
Encrypted = 10 XOR 3 = 9 (binary 1001)
Decrypted = 9 XOR 3 = 10
Without the key, the ciphertext 9 could have come from any 4-bit plaintext, so it reveals nothing. (Multiplying by the key would not work as a cipher: anyone who sees a single plaintext/ciphertext pair recovers the key by division.) Real IPSec uses AES, which applies many such keyed mixing steps to each 128-bit block.
2. Hashing (Integrity)
Hashing produces a fixed-size fingerprint of data, so any change to the data can be detected.
Hash = H(Data)
Key Properties
- One-way (cannot reverse)
- Same input → same output
- Small change → completely different output
Example
Data: HELLO → Hash: X123
Data: HELLo → Hash: Z987
Even a tiny change completely alters the hash. (The digests above are illustrative; a real SHA-256 digest is 32 bytes.)
3. Why Hashing is Used in IPSec
A plain hash on its own is not enough: an attacker who changes the data can simply recompute the hash and send the new one. IPSec therefore uses a keyed hash, HMAC (this is the esp-sha-hmac or esp-sha256-hmac in the transform set), where the hash is computed over the data together with a secret key that only the two peers hold.
When data is sent:
- Sender computes HMAC(Key, Data) and attaches it to the packet
- Receiver recomputes the HMAC with its own copy of the key
If the values match, the data is unchanged and came from a peer holding the key
If not, the packet was altered or forged and is dropped
4. Diffie-Hellman (Key Exchange - Most Important)
This is the heart of IPSec key management.
It allows two routers to create a shared secret WITHOUT ever sending it over the wire.
Math Formula
Shared Key = (g^a mod p)^b mod p = (g^b mod p)^a mod p = g^(ab) mod p
Step-by-Step Simple Example
Let’s simplify:
- g = 5 (public)
- p = 23 (public)
Router A:
Private = 6
Public = (5^6) mod 23 = 8
Router B:
Private = 15
Public = (5^15) mod 23 = 19
Now Exchange Public Keys
Router A computes:
Shared = (19^6) mod 23 = 2
Router B computes:
Shared = (8^15) mod 23 = 2
Both get the SAME key = 2, but they NEVER sent it!
Why This is Secure
- Public values (g, p, g^a mod p, g^b mod p) are visible to everyone
- Private values (a, b) never leave each router
- Recovering a or b from the public values is the discrete logarithm problem. With p = 23 an attacker can simply try all 22 candidates, which is why the numbers above are for illustration only; real IPSec groups use large primes (DH group 14 is a 2048-bit MODP prime)
- DH alone does not tell you WHO you agreed the key with: an attacker in the middle could run one exchange with each router. Phase 1 therefore also authenticates the peer with a pre-shared key or certificate
5. Putting It All Together (IPSec Flow)
Here’s what happens in real IPSec:
- Diffie-Hellman → generate a shared secret, from which the encryption and HMAC keys are derived
- Pre-shared key or certificate → authenticate the peer's identity (DH by itself cannot)
- HMAC → verify the integrity of every packet
- Encryption → secure the data
Real IPSec Mapping
| Concept | Purpose |
|---|---|
| Diffie-Hellman (group 14) | Key exchange |
| HMAC (SHA) | Integrity and data-origin authentication |
| AES | Encryption |
| Pre-shared key / certificate | Peer authentication |
6. Why Math Matters in EasyVPN
EasyVPN simplifies configuration, but internally:
- DH creates the keys
- HMAC verifies integrity; the pre-shared key or certificate verifies identity
- Encryption protects the traffic
IPSec is just three math ideas repeated:
Transform (encrypt) + Verify (HMAC) + Share secret (DH)
Final Intuition
Think of IPSec like this:
- Diffie-Hellman → agree on a secret that nobody else saw
- HMAC → verify no tampering
- Encryption → lock the data
That’s the entire VPN system simplified.
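To make sections 1 to 6 concrete, here is an added example that runs the three ideas in the order IPsec uses them: DH agreement with the page's own numbers (g = 5, p = 23, a = 6, b = 15), key derivation, then encrypt-then-HMAC of one packet. This is example code written for this article, not code from the original page or from Cisco. Two simplifications are assumptions of the example: the XOR keystream cipher stands in for AES, and the SHA-256 key derivation stands in for the IKE PRF.

```python
"""DH agreement -> key derivation -> encrypt-then-HMAC, as a runnable walk-through.
Example code added to the article; XOR keystream and SHA-256 key derivation are
teaching stand-ins (assumptions), not what IOS actually runs."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

G, P = 5, 23                      # the page's toy public parameters
A_PRIVATE, B_PRIVATE = 6, 15      # Router A's and Router B's private values


def dh_public(g: int, private: int, p: int) -> int:
    """g^private mod p by modular exponentiation (pow handles 2048-bit p too)."""
    return pow(g, private, p)


def dh_shared(peer_public: int, private: int, p: int) -> int:
    """(peer_public)^private mod p; both routers reach the same number."""
    return pow(peer_public, private, p)


def derive_keys(shared_secret: int) -> Tuple[bytes, bytes]:
    """Split the DH result into an encryption key and an integrity key.
    Assumption: real IKE feeds its PRF with the DH result, both nonces and
    the SPIs; a labelled SHA-256 is the simplified version."""
    secret = shared_secret.to_bytes(256, "big")
    return (hashlib.sha256(b"enc" + secret).digest(),
            hashlib.sha256(b"mac" + secret).digest())


# --- integrity: keyed hash (HMAC) versus unkeyed hash --------------------------
def tag(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def verify(mac_key: bytes, data: bytes, received: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, data), received)   # constant-time


def forge_without_key(data: bytes) -> Tuple[bytes, bytes]:
    """On-path attacker edits the data and recomputes the plain hash."""
    forged = data.replace(b"10.1.1.0", b"10.9.9.0")
    return forged, hashlib.sha256(forged).digest()


def plain_hash_check(data: bytes, digest: bytes) -> bool:
    """A receiver that only checks sha256(data) accepts the forgery."""
    return hashlib.sha256(data).digest() == digest


# --- confidentiality: XOR with a key-derived keystream (stand-in for AES) ------
def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def xor_crypt(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """One function encrypts and decrypts: x ^ k ^ k == x."""
    return bytes(x ^ k for x, k in zip(data, keystream(enc_key, nonce, len(data))))


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """ESP order: encrypt first, then authenticate nonce + ciphertext."""
    nonce = secrets.token_bytes(8)
    ct = xor_crypt(enc_key, nonce, plaintext)
    return nonce + ct + tag(mac_key, nonce + ct)


def unprotect(enc_key: bytes, mac_key: bytes, packet: bytes) -> Optional[bytes]:
    """Check the HMAC before decrypting; None means the packet is dropped."""
    nonce, ct, received = packet[:8], packet[8:-32], packet[-32:]
    if not verify(mac_key, nonce + ct, received):
        return None
    return xor_crypt(enc_key, nonce, ct)


def run_exchange(plaintext: bytes) -> Dict[str, object]:
    """A and B agree a secret, derive keys, A sends one protected packet;
    a copy with one ciphertext bit flipped in transit is rejected."""
    pub_a = dh_public(G, A_PRIVATE, P)
    pub_b = dh_public(G, B_PRIVATE, P)
    secret_a = dh_shared(pub_b, A_PRIVATE, P)
    secret_b = dh_shared(pub_a, B_PRIVATE, P)
    enc_key, mac_key = derive_keys(secret_a)       # B derives the same keys
    packet = protect(enc_key, mac_key, plaintext)
    tampered = bytearray(packet)
    tampered[10] ^= 0x01                            # byte 10 lies inside the ciphertext
    return {
        "public_a": pub_a, "public_b": pub_b,
        "secret_a": secret_a, "secret_b": secret_b,
        "received": unprotect(enc_key, mac_key, packet),
        "tampered": unprotect(enc_key, mac_key, bytes(tampered)),
    }


if __name__ == "__main__":
    print(run_exchange(b"payload from 10.1.1.0/24"))
```

Two details carry over to real IPsec: the HMAC is computed over the ciphertext and checked before any decryption (that is how ESP with esp-sha-hmac behaves), and the comparison is constant-time. With p = 23 the secret has only 22 possible values, which is exactly why group 14 uses a 2048-bit prime.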
Old IOS Configuration (IKEv1, crypto map)
Full Config
! Phase 1 (ISAKMP / IKEv1) policy
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! hash sha is SHA-1; use hash sha256 where the IOS image supports it
! Global pre-shared key; keys configured this way live in the default keyring
crypto isakmp key MY-SECRET-KEY address 192.0.2.2
! Phase 2 (ESP) algorithms
crypto ipsec transform-set MY-TRANSFORM esp-aes 256 esp-sha-hmac
! ISAKMP profile: ties the peer identity to the keyring and local address
crypto isakmp profile MY-ISAKMP-PROFILE
 keyring default
 match identity address 192.0.2.2
 local-address GigabitEthernet0/0
! Crypto ACL referenced by the crypto map below; the subnets are placeholders for this example
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map MY-CRYPTOMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set MY-TRANSFORM
 set isakmp-profile MY-ISAKMP-PROFILE
 match address 100
interface GigabitEthernet0/0
 crypto map MY-CRYPTOMAP
New IOS Configuration (IKEv2 + VTI)
Modern Config
! IKEv2 proposal: algorithms for the IKE SA
crypto ikev2 proposal PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POLICY
 proposal PROP
! Keyring: per-peer pre-shared keys replace the global crypto isakmp key
crypto ikev2 keyring KR
 peer PEER1
  address 192.0.2.2
  pre-shared-key local KEY
  pre-shared-key remote KEY
! Profile: identity matching plus the authentication method in each direction
crypto ikev2 profile PROFILE
 match identity remote address 192.0.2.2 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR
! Child SA (ESP) algorithms
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC-PROFILE
 set transform-set TS
 set ikev2-profile PROFILE
! VTI: a routed tunnel interface; the tunnel address is a placeholder for this example
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
Old vs New (Critical Differences)
| Feature | Old IOS | New IOS |
|---|---|---|
| IKE Version | IKEv1 (ISAKMP policy; main or aggressive mode plus quick mode) | IKEv2 (IKE_SA_INIT plus IKE_AUTH) |
| Keys | Global crypto isakmp key, one keyring shared by all peers | Per-peer keyring referenced from the IKEv2 profile |
| VPN Type | Crypto map on the physical interface; a crypto ACL selects traffic | VTI (Tunnel interface) with tunnel protection; routing selects traffic |
| Scalability | Limited: one crypto ACL per peer that must mirror the far side, no routing protocol over the tunnel | High: dynamic routing, QoS and ACLs per tunnel, FlexVPN templates for many peers |
Packet Flow (Simplified)
- IKE Phase 1 (IKEv1 main/aggressive mode; IKEv2 IKE_SA_INIT and IKE_AUTH) → DH exchange plus peer authentication build the secure control channel (the IKE SA)
- IKE Phase 2 (IKEv1 quick mode; IKEv2 child SA carried in IKE_AUTH or CREATE_CHILD_SA) → negotiate the transform set and derive the ESP keys (one IPsec SA per direction)
- Data matching the crypto ACL (old) or routed into the Tunnel interface (new) is encrypted and authenticated with ESP and sent to the peer
Verification
Old IOS (IKEv1):
show crypto isakmp sa
New IOS (IKEv2):
show crypto ikev2 sa
Both:
show crypto ipsec sa
show crypto session
What to look for: an IKEv1 SA in state QM_IDLE or an IKEv2 SA in state READY, and in show crypto ipsec sa the #pkts encaps and #pkts decaps counters increasing in both directions. Encaps rising while decaps stays at zero usually means the far side is not sending or is dropping return traffic.
Troubleshooting
- Check key mismatch: with IKEv1 the crypto isakmp key must be identical on both routers; with IKEv2, pre-shared-key local on one router must equal pre-shared-key remote on the other
- Verify policies: at least one ISAKMP policy / IKEv2 proposal must agree on encryption, integrity, DH group and authentication method, and the transform sets must overlap
- Check ACL and routing: crypto ACLs must be mirror images of each other (old); with a VTI, traffic must actually be routed into the Tunnel interface (new)
debug crypto isakmp (IKEv1) or debug crypto ikev2 (IKEv2)
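The first two items on the list, a key mismatch and proposals that do not overlap, can be caught before a debug session by cross-checking both peers' configurations offline. The script below is an added example, not code from this page or from Cisco: it understands only the IKEv2 keywords this article uses, and both sample configs are constructed (side A is the new config above, side B is a deliberately broken peer). The weak-algorithm list (DES, 3DES, MD5, SHA-1, DH groups 1/2/5) is an assumption of the example reflecting what a modern deployment should not offer.

```python
"""Cross-check two peers' IKEv2 configs for proposal overlap, PSK symmetry
and weak algorithms. Example code added to the article; the parser knows only
the keywords used on this page and both sample configs are constructed."""
from typing import Dict, List, Tuple

# Assumed list of algorithms a modern site-to-site deployment should not offer.
WEAK = {
    "encryption": {"des", "3des"},
    "integrity": {"md5", "sha1"},
    "group": {"1", "2", "5"},
}

# Side A: the article's new config. Side B: constructed peer with three faults
# (offers sha1, only DH group 19, wrong remote key).
SIDE_A = """
crypto ikev2 proposal PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POLICY
 proposal PROP
crypto ikev2 keyring KR
 peer PEER1
  address 192.0.2.2
  pre-shared-key local KEY
  pre-shared-key remote KEY
crypto ikev2 profile PROFILE
 match identity remote address 192.0.2.2 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR
"""
SIDE_B = """
crypto ikev2 proposal PROP
 encryption aes-cbc-256
 integrity sha256 sha1
 group 19
crypto ikev2 keyring KR
 peer PEER1
  address 192.0.2.1
  pre-shared-key local KEY
  pre-shared-key remote WRONGKEY
"""


def parse_ikev2(config: str) -> Dict:
    """Collect proposals {name: {encryption, integrity, group}} and keyring
    peers {name: {address, local, remote}}. Indentation is ignored."""
    cfg: Dict = {"proposals": {}, "peers": {}}
    proposal = peer = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[:3] == ["crypto", "ikev2", "proposal"]:
            proposal, peer = words[3], None
            cfg["proposals"][proposal] = {"encryption": set(), "integrity": set(), "group": set()}
        elif words[0] in ("crypto", "interface"):
            proposal = peer = None          # any other top-level block ends the context
        elif proposal and words[0] in ("encryption", "integrity", "group"):
            cfg["proposals"][proposal][words[0]].update(words[1:])
        elif words[0] == "peer":
            peer = words[1]
            cfg["peers"][peer] = {}
        elif peer and words[0] == "address":
            cfg["peers"][peer]["address"] = words[1]
        elif peer and words[0] == "pre-shared-key":
            if len(words) == 2:             # "pre-shared-key KEY": one key both directions
                cfg["peers"][peer]["local"] = cfg["peers"][peer]["remote"] = words[1]
            else:                           # "pre-shared-key local|remote KEY"
                cfg["peers"][peer][words[1]] = words[2]
    return cfg


def cross_check(a: Dict, b: Dict) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the two sides agree."""
    findings: List[Tuple[str, str]] = []
    for cls in ("encryption", "integrity", "group"):
        offer_a = set().union(*(p[cls] for p in a["proposals"].values()))
        offer_b = set().union(*(p[cls] for p in b["proposals"].values()))
        for algo in sorted((offer_a | offer_b) & WEAK[cls]):
            findings.append((f"weak-{cls}", f"{algo} is offered"))
        if not offer_a & offer_b:           # IKEv2 needs one common choice per class
            findings.append((f"no-common-{cls}",
                             f"A offers {sorted(offer_a)}, B offers {sorted(offer_b)}"))
    # Site-to-site: one keyring peer per side (assumption); keys must mirror.
    psk_a = next(iter(a["peers"].values()), {})
    psk_b = next(iter(b["peers"].values()), {})
    if psk_a.get("local") != psk_b.get("remote"):
        findings.append(("psk-mismatch",
                         f"A local {psk_a.get('local')!r} != B remote {psk_b.get('remote')!r}"))
    if psk_a.get("remote") != psk_b.get("local"):
        findings.append(("psk-mismatch",
                         f"A remote {psk_a.get('remote')!r} != B local {psk_b.get('local')!r}"))
    return findings


if __name__ == "__main__":
    for code, detail in cross_check(parse_ikev2(SIDE_A), parse_ikev2(SIDE_B)):
        print(f"{code:20} {detail}")
```

Run against the two constructed sides it reports three findings: sha1 offered, no common DH group (14 versus 19) and the local/remote key mismatch. Checking a config against itself yields nothing, which is the quick sanity test that the parser read every keyword.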
Interview Questions
Q: Why IKEv2?
Fewer messages (the initial exchange is 4 messages, IKE_SA_INIT and IKE_AUTH, versus IKEv1's 6 for main mode plus 3 for quick mode), NAT traversal and liveness checks built into the base protocol, asymmetric authentication (each side can use a different method) and EAP support.
Q: Why VTI?
The tunnel is a real routed interface: dynamic routing protocols, QoS and ACLs apply per tunnel, and traffic selection is done by routing instead of crypto ACLs that must mirror each other on both peers.
Conclusion
Modern IOS shifts towards IKEv2 and FlexVPN. Understanding both old and new models is critical for real-world deployments and interviews.