This is a quick diagram of the network right now. I can create something more if requested.
( HOMELAN a.a.a.a2 ) - ( a.a.a.a1 FIREWALL b.b.b.b1 ) - ( Routerboard RB2011UiAS b.b.b.b2) - ( Cisco IOS h.h.h.h ) - (CLIENTLAN i.i.i.i)
The config I was given:
PHASE 1 (Main mode / IKE phase)
IP Addresses: b.b.b.b2 / h.h.h.h
Encryption Algorithm: AES-256
Authentication / Data Integrity Method: SHA-256
Diffie-Hellman Group: Group 16
Key Lifetime /IKE Renegotiation Lifetime: 28800 sec
IKE Mode: Main
IKE Version: 2
XAuth: Disabled
Encryption Domain (hosts / subnets to be included in routed via VPN Interface): Client Destination x.x.x.x/32 / My source VTI IP y.y.y.y
PHASE 2 (Main mode / IPSEC phase)
Encryption Algorithm: AES-256
Data Integrity Method: SHA-256
Encapsulation: ESP
Perfect Forward Secrecy: Yes – DH group 16
Key Lifetime / IPsec Renegotiation Lifetime: 28800 sec
Selectors - Local Address: Subnet 0.0.0.0/0.0.0.0
Selectors - Remote Address: Subnet 0.0.0.0/0.0.0.0
Auth Method / Pre Shared Key: n0tr3allyth3k3y
What I have done:
Flags: X - disabled, D - dynamic, R - responder
0 ;;; CLIENT Link - Phase 1 Equivalent
address=h.h.h.h/32 auth-method=pre-shared-key
secret="n0tr3allyth3k3y"
generate-policy=no policy-template-group=Client_Link_Group
exchange-mode=ike2 send-initial-contact=yes hash-algorithm=sha256
enc-algorithm=aes-256 dh-group=modp4096 lifetime=8h dpd-interval=48m
I have additionally created a proposal and a policy, which I am not sharing at this time (primarily because I believe they are faulty and would prefer a fresh start).
Is my initial config correct? What should I be doing moving forward? Can anyone give an example of a proposal and policy, and any other config? Let’s call the tunnel interface IP addresses t.t.t.t1/20 and t.t.t.t2/30
Thanks in advance for the help. Feel free to be as blunt as necessary about any mistakes.
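Below is a complete set of RouterOS commands that maps the worksheet above onto a profile, peer, identity, proposal and policy. It is an added example, not taken from the original post or from MikroTik documentation, and it uses the 6.45+/v7 layout (the print output above is the pre-6.45 layout, where the profile and identity settings still lived on the peer). The object names (Client_Link_*, lo_vti) are my own, the DPD interval of 2m is my choice in place of the 48m in the post, and I assume y.y.y.y is an address this router owns and x.x.x.x is the only client host reachable through the tunnel. Two things worth knowing when comparing with the worksheet: IKEv2 has no Main mode, so "IKE Mode: Main" is an IKEv1 leftover and exchange-mode=ike2 is the setting that counts; and the worksheet's Phase 2 selectors of 0.0.0.0/0 both ways are how a Cisco VTI presents itself, whereas the policy here uses the narrower y.y.y.y/32 to x.x.x.x/32 pair from the encryption-domain line. IKEv2 allows the responder to narrow traffic selectors, but whether the Cisco side accepts the narrower pair should be confirmed in its logs; if it insists on any/any, the policy selectors have to be widened to match it.

```routeros
# RouterOS 6.45+/v7 layout (assumed): Phase 1 in a profile, PSK in an identity,
# Phase 2 in a proposal, selectors in a policy. Names are my own.

# Phase 1 / IKE_SA: AES-256, SHA-256, DH group 16 = modp4096, 28800 s = 8h.
/ip ipsec profile
add name=Client_Link_Profile enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp4096 lifetime=8h proposal-check=obey \
    dpd-interval=2m dpd-maximum-failures=5

# The peer: IKEv2 only (no Main/Aggressive mode exists in IKEv2).
/ip ipsec peer
add name=Client_Link address=h.h.h.h/32 local-address=b.b.b.b2 \
    exchange-mode=ike2 send-initial-contact=yes profile=Client_Link_Profile

# PSK authentication. A static policy is defined below, so nothing is
# generated from a template.
/ip ipsec identity
add peer=Client_Link auth-method=pre-shared-key secret="n0tr3allyth3k3y" \
    generate-policy=no

# Phase 2 / CHILD_SA: ESP, AES-256-CBC, SHA-256, PFS with group 16, 8h.
/ip ipsec proposal
add name=Client_Link_Proposal enc-algorithms=aes-256-cbc \
    auth-algorithms=sha256 pfs-group=modp4096 lifetime=8h

# y.y.y.y must exist on the router for locally sourced traffic to match
# the policy; a bridge with no ports acts as a loopback (assumption).
/interface bridge
add name=lo_vti comment="holds the local IPsec source address"
/ip address
add address=y.y.y.y/32 interface=lo_vti

# Tunnel-mode policy with the encryption domain from the worksheet.
/ip ipsec policy
add peer=Client_Link tunnel=yes src-address=y.y.y.y/32 dst-address=x.x.x.x/32 \
    proposal=Client_Link_Proposal action=encrypt level=require \
    comment="CLIENT Link - Phase 2"

# If this router masquerades its WAN, keep VPN traffic out of NAT: policy
# matching happens after srcnat, so this accept rule must come first.
/ip firewall nat
add chain=srcnat action=accept src-address=y.y.y.y dst-address=x.x.x.x \
    ipsec-policy=out,ipsec place-before=0 comment="no NAT for IPsec traffic"

# Let IKE, NAT-T and ESP from the peer reach the router; these must sit
# above any drop rule in the input chain.
/ip firewall filter
add chain=input action=accept protocol=udp src-address=h.h.h.h \
    dst-port=500,4500 comment="IKEv2 / NAT-T from CLIENT"
add chain=input action=accept protocol=ipsec-esp src-address=h.h.h.h \
    comment="ESP from CLIENT"

# Checks: the peer should be listed as established, the policy should carry
# the A (active) flag, SAs should be installed, and a ping sourced from
# y.y.y.y should get through.
/ip ipsec active-peers print
/ip ipsec policy print
/ip ipsec installed-sa print
/ping x.x.x.x src-address=y.y.y.y count=5

# For negotiation failures, log the ipsec topic to memory and read it back.
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"
```

If the policy never shows the A flag, compare the proposal mismatch messages on both sides first (algorithm names, PFS group and lifetimes all have to agree with the Cisco transform set), then the selectors, and only then the PSK.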