Step 2: Configuring Cisco IOS

Jamf Connect Documentation

After the Jamf side of the IPSec tunnel has been configured, you can configure Cisco IOS.
Important:

This configuration assumes that you created the IPSec Custom Interconnect as described above. If you submitted other values, adjust the configuration as required.

These steps assume you do not have any other IPSec site-to-site VPNs configured on your router.

If you have other VPNs, you may need to modify these configuration steps or your current router configuration to accommodate this additional tunnel. Consult your Cisco IOS documentation for details.

Requirements
The ability to log in to the Cisco IOS router in config mode
Important:

As with any router changes, Jamf strongly recommends that you configure these settings with care and possibly in a pre-production environment to avoid unintended service interruptions.

  1. Configure a Jamf IKEv2 proposal, policy, and profile:
    1. Create an IKEv2 proposal that indicates the cryptography to be used for the tunnel (IKEv2 and IPSec security associations).
      crypto ikev2 proposal WanderaIKEv2Proposal
       encryption aes-cbc-256
       integrity sha256
       group 14
    2. Configure the Jamf IKEv2 policy, replacing {{WAN IP Address}} with the IP address you allocated for this connection and provided in the Jamf Security Cloud IPSec Interconnect Gateway wizard.
      crypto ikev2 policy WanderaIKEv2Policy
       match address local {{WAN IP Address}}
       proposal WanderaIKEv2Proposal
    3. Configure the pre-shared key that was generated in Jamf Security Cloud. Replace {{Your PSK}} with the shared secret you copied or provided when completing the wizard.
      crypto ikev2 keyring WanderaKeys
       peer WanderaGW
        identity fqdn wpa.wandera.com
        pre-shared-key local {{Your PSK}}
        pre-shared-key remote {{Your PSK}}
    4. Create the IKEv2 profile, which associates the pre-shared key with the incoming IPSec connection from Jamf.

      Be sure to replace {{Your IKE Domain ID}} with the value used for Customer IKE Domain ID when setting up the connection in Jamf Security Cloud.

      crypto ikev2 profile WanderaIKEv2Profile
       match identity remote fqdn wpa.wandera.com
       identity local fqdn {{Your IKE Domain ID}}
       authentication remote pre-share
       authentication local pre-share
       keyring local WanderaKeys
       lifetime 28800
  2. Configure a Jamf IPSec profile and transform set:
    Note:

    You must have a transform set that supports the cryptography used by the Jamf Security Cloud IPSec tunnel. You may reuse an existing transform set if you already have one defined with the necessary ciphers, or create a new one with the following steps.

    1. Create a crypto set.
      crypto ipsec transform-set WanderaTS esp-aes esp-sha256-hmac
       mode tunnel
    2. Create an IPSec profile to use after an IKEv2 security association (Phase 1) has been completed successfully.
       crypto ipsec profile WanderaIPsecProfile
        set transform-set WanderaTS
        set pfs group14
        set ikev2-profile WanderaIKEv2Profile
  3. Create a Jamf IKEv2 dynamic crypto map to allow inbound connections from any of the Jamf Security Cloud gateway IP addresses.
    1. Define an access control list (ACL) for the encryption domain, which specifies the traffic source and destination IP addresses that are permitted to route through the tunnel.

      This must match the Jamf Security Cloud Subnet and Customer Subnet(s) defined in Jamf Security Cloud.

      In the default Jamf Security Cloud settings, the Customer Subnet is set to 0.0.0.0/0, allowing Jamf Security Cloud to reach all networks via the IPSec tunnel.

    2. If you set Customer Subnet to 0.0.0.0/0, either leave it as it is to allow full access to the network, or replace it with the specific subnet(s) the tunnel should have access to.
      Note:

      Jamf recommends that you leave the initial ACL open, locking it down once you have successfully established connectivity. Otherwise, you must define an access list row for each customer subnet defined in Jamf Security Cloud.

      In all cases, the second half of each ACL rule must match the Jamf Security Cloud Subnet that you specified in Jamf Security Cloud.

      The ACL for the recommended configuration, using 0.0.0.0/0 for Customer Subnet and 192.168.233.0/24 for Jamf Security Cloud Subnet, is created with the following commands:

       ip access-list extended WanderaPANets
        10 permit ip any 192.168.233.0 0.0.0.255
    3. Create a dynamic crypto map to tie it all together:
      crypto dynamic-map WanderaDynamicIKEMap 10
       set transform-set WanderaTS
       set pfs group14
       set ikev2-profile WanderaIKEv2Profile
       match address WanderaPANets
       reverse-route
    4. Register a crypto map with the router that uses the newly created dynamic map.
      crypto map WanderaDynamicCryptoMap 5 ipsec-isakmp dynamic WanderaDynamicIKEMap
  4. Associate the Jamf IKEv2/IPSec configuration with the outside network interface assigned to the WAN IP address designated to use this tunnel.

    This example assumes GbE0/0/1 is the outside WAN interface assigned the IPSec tunnel IP address. Be sure to modify the configuration below to the interface that is appropriate for your environment.

    interface GigabitEthernet0/0/1
     ip address {{WAN IP Address}} {{WAN IP Subnet}}
     crypto map WanderaDynamicCryptoMap
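Two checks a practitioner may want before pasting the configuration above into a router, as an added example (not Jamf's or Cisco's code): building the encryption-domain ACL rows from CIDR subnets, since IOS extended ACLs take wildcard masks and the Note above calls for one row per Customer Subnet, and confirming that every object name one stanza references (proposal, keyring, transform set, IKEv2 profile, ACL, dynamic map, crypto map) is defined by another, because IOS compares these names exactly. The object names are those used on this page; the subnets and the SAMPLE config are constructed for the demo.

```python
"""Added example (not Jamf's or Cisco's code): render the encryption-domain ACL
from CIDR subnets and find object names that are referenced but never defined.
Object names come from this page; SAMPLE and the subnets are constructed."""
import ipaddress
import re

def wildcard(cidr):
    """'192.168.233.0/24' -> '192.168.233.0 0.0.0.255' (IOS wildcard-mask form)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"

def encryption_domain_acl(customer_subnets, jamf_subnet, name="WanderaPANets"):
    """One permit row per Customer Subnet; 0.0.0.0/0 becomes the 'any' keyword.
    The destination half of every row is the Jamf Security Cloud Subnet."""
    rows = [f"ip access-list extended {name}"]
    for seq, src in enumerate(customer_subnets, start=1):
        src_part = "any" if src == "0.0.0.0/0" else wildcard(src)
        rows.append(f" {seq * 10} permit ip {src_part} {wildcard(jamf_subnet)}")
    return rows

# Stanza headers that define a name, and sub-commands that reference one.
_DEF = re.compile(r"^(?:crypto ikev2 (?:proposal|policy|keyring|profile)|"
                  r"crypto ipsec (?:transform-set|profile)|crypto dynamic-map|"
                  r"ip access-list extended|crypto map) (\S+)")
_REF = re.compile(r"^\s+(?:proposal|keyring local|set transform-set|set ikev2-profile|"
                  r"match address(?! local)|crypto map) (\S+)|\bdynamic (\S+)$")

def dangling_references(config):
    """Names referenced by a sub-command but defined by no stanza. Comparison is
    exact, so 'WanderaIkev2Proposal' does not satisfy 'WanderaIKEv2Proposal'."""
    defined, referenced = set(), set()
    for line in config.splitlines():
        d = _DEF.match(line)
        if d:
            defined.add(d.group(1))
        r = _REF.search(line)
        if r:
            referenced.add(r.group(1) or r.group(2))
    return sorted(n for n in referenced - defined if not n.startswith("{{"))

# Constructed sample: the policy's 'proposal' line has a capitalisation slip.
SAMPLE = """crypto ikev2 proposal WanderaIKEv2Proposal
crypto ikev2 policy WanderaIKEv2Policy
 match address local {{WAN IP Address}}
 proposal WanderaIkev2Proposal
crypto ikev2 keyring WanderaKeys
crypto ikev2 profile WanderaIKEv2Profile
 keyring local WanderaKeys
"""
```

Run `dangling_references` over the full configuration you assembled (placeholders such as {{WAN IP Address}} are ignored) and `encryption_domain_acl` with your real Customer Subnet list when you lock the ACL down after connectivity is confirmed.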