Adjacent Node
Networking, explained. No BS.
IPsec
What It Is
IPsec protects IP traffic with encryption, integrity, peer authentication, and anti-replay. Modern site-to-site VPNs usually use IKEv2 and route-based tunnels, often with VTIs, cloud VPN gateways, or firewall tunnel interfaces. The important operational questions are: how peers authenticate, what traffic is protected, which proposals match, how routes enter the tunnel, and what NAT or MTU does to the path.
Core Pieces
| Component | Purpose | Modern Notes |
|---|---|---|
| IKEv2 | Negotiates and maintains SAs | Prefer over IKEv1 where supported |
| IKE SA | Secure control channel | Authenticates peers and negotiates child SAs |
| Child SA | Protects data traffic | Replaces old "phase 2" wording in IKEv2 |
| ESP | Encryption, integrity, anti-replay | Main IPsec data protocol |
| AH | Integrity without encryption | Rare, NAT-unfriendly |
| NAT-T | Encapsulates ESP in UDP/4500 | Common across NAT |
| VTI | Routable tunnel interface | Cleaner than crypto maps for most site-to-site VPNs |
| Crypto map | Policy-based VPN selector | Common legacy and firewall style |
Modern note: People still say phase 1 and phase 2, but IKEv2 uses IKE SA and Child SA terminology.
Ports And Protocols
| Item | Transport | Purpose |
|---|---|---|
| IKE | UDP/500 | Initial negotiation |
| NAT-T | UDP/4500 | IKE and ESP through NAT |
| ESP | IP protocol 50 | Protected data without UDP encapsulation |
| AH | IP protocol 51 | Integrity-only header, uncommon |
Watch out: Allowing UDP/500 but blocking UDP/4500 breaks many real VPNs because NAT-T is common even when only one side is behind NAT.
Modes
| Mode | What Is Protected | Common Use |
|---|---|---|
| Tunnel mode | Original IP packet is protected inside a new outer IP header | Site-to-site VPN |
| Transport mode | Payload is protected behind original IP header | Host-to-host or specialized overlays |
| Policy-based | Interesting traffic selectors decide encryption | Legacy site-to-site or firewall policy |
| Route-based | Routes point traffic into tunnel interface | Modern site-to-site and cloud VPNs |
Design note: Route-based VPNs are easier to operate with dynamic routing, failover, monitoring, and multiple prefixes.
Crypto Choices
| Area | Prefer | Avoid |
|---|---|---|
| IKE version | IKEv2 | IKEv1 for new designs |
| Encryption | AES-GCM or AES-CBC with SHA-2 integrity | DES, 3DES |
| Integrity | SHA-256 or stronger | MD5, SHA-1 for new designs |
| DH group | 14 or stronger, often 19/20/21 if supported | Group 1, 2, 5 |
| Peer auth | Certificates or strong PSK | Weak shared PSK |
| PFS | Enable when supported | No PFS for sensitive tunnels |
Watch out: Cloud VPN and firewall peers often support overlapping but not identical proposal sets. Match exact encryption, integrity, DH group, lifetime, PFS, and traffic selectors.
Route And Selector Design
| Design Item | What To Decide |
|---|---|
| Local prefixes | What this site encrypts |
| Remote prefixes | What the peer encrypts |
| Routing | Static, BGP, OSPF, or policy route |
| NAT exemption | Which traffic must not be translated |
| MTU/MSS | How to avoid fragmentation and blackholes |
| Failover | DPD, routing metrics, tunnel tracking |
| Monitoring | SA state, route state, packet counters |
Modern note: If both sides use 0.0.0.0/0 selectors, understand whether the VPN is full tunnel, default route, or just broad policy matching.
Cisco IOS/IOS-XE Examples
IKEv2 route-based VPN with VTI:
crypto ikev2 proposal IKEV2-PROP
encryption aes-gcm-256
prf sha256
group 14
!
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROP
!
crypto ikev2 keyring SITE-B
peer SITE-B
address 198.51.100.2
pre-shared-key ExampleStrongSecret
!
crypto ikev2 profile SITE-B
match identity remote address 198.51.100.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local SITE-B
!
crypto ipsec transform-set TS esp-gcm 256
mode tunnel
!
crypto ipsec profile IPSEC-SITE-B
set transform-set TS
set ikev2-profile SITE-B
!
interface Tunnel10
description IPsec VTI to SITE-B
ip address 169.254.10.1 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 198.51.100.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-SITE-B
!
ip route 10.20.0.0 255.255.0.0 Tunnel10Notes:
- Use real, private tunnel addressing and real peer IPs. Documentation addresses are examples only.
- Prefer certificates or managed key rotation for high-value tunnels.
- If the peer is behind NAT, verify NAT-T and identity matching.
- If using dynamic routing over the VTI, protect the routing protocol too.
Troubleshooting
| Symptom | Check | Likely Cause |
|---|---|---|
| IKE never starts | UDP/500, peer IP, source interface | No reachability or wrong peer |
| IKE fails negotiation | Proposal, auth, ID, PSK/cert | Mismatched IKE settings |
| IKE up, no data SA | Traffic selectors, route, ACL, child SA proposal | Protected traffic mismatch |
| Encaps increase, decaps zero | Return routing, peer policy, NAT | One-way tunnel |
| Works one direction only | NAT exemption, selectors, route table | Asymmetric or translated traffic |
| Large packets fail | MTU, MSS, DF, ICMP | Fragmentation or PMTUD issue |
| Tunnel flaps | DPD, Internet loss, lifetime mismatch, CPU | Underlay or timer issue |
| Cloud VPN rejects | Proposal, IKE version, PSK, local/remote CIDRs | Provider constraint mismatch |
Commands
show crypto ikev2 sa
show crypto ikev2 session detail
show crypto ipsec sa
show crypto ipsec profile
show interface Tunnel10
show ip route 10.20.0.0
show access-listsExpected clues:
- IKE SA is established with the expected peer.
- Child SA has matching local and remote selectors.
- Encaps and decaps counters both increase during test traffic.
- Routes point protected traffic into the tunnel.
- NAT rules do not translate protected traffic unless intentionally designed.
- MTU and MSS avoid fragmentation problems.
Watch Out
- Do not build new VPNs with DES, 3DES, MD5, SHA-1, or weak DH groups unless forced by legacy constraints.
- Do not assume "VPN up" means routes are correct.
- Do not forget NAT exemption for policy-based VPNs.
- Do not ignore MTU. IPsec overhead is real.
- Do not use one broad PSK across many peers.
- Do not leave debug crypto running during normal operation.