Cisco CLI Site-to-Site IPsec VPN
By D. Kankam


A site-to-site IPsec VPN is an essential part of many companies' plans to meet their customers'
security requirements.
IPsec VPN negotiation can be broken down into five steps, spanning IKE Phase 1 and Phase 2:
Step 1. An IPsec tunnel is initiated when Host A sends "interesting" traffic to Host B.
Traffic is considered interesting when it travels between the IPsec peers and
meets the criteria defined in the crypto access control list (ACL).

Step 2. In IKE Phase 1, the IPsec peers (routers A and B) negotiate the IKE SA policy.
Once the peers are authenticated, a secure tunnel is created using ISAKMP.

Step 3. In IKE Phase 2, the IPsec peers use the authenticated and secure tunnel to negotiate
IPsec SA transforms. The negotiation of the shared policy determines
how the IPsec tunnel is established.

Step 4. The IPsec tunnel is created and data is transferred between the IPsec peers
based on the IPsec parameters configured in the IPsec transform sets.




Part 1 Site-to-Site IPsec Configuration:
The first step in configuring Cisco IOS ISAKMP is to ensure that existing ACLs on
perimeter routers, firewalls, or other routers do not block IPsec traffic. Perimeter routers
typically implement a restrictive security policy with ACLs, where only specific traffic is
permitted and all other traffic is denied. Such a restrictive policy blocks IPsec traffic.
Therefore, you must add specific permit statements to the ACL to allow IPsec traffic.
Ensure that your ACLs are configured so that ISAKMP, ESP, and AH traffic is not blocked
at interfaces used by IPsec. ISAKMP uses User Datagram Protocol (UDP) port 500. ESP is
assigned IP protocol number 50, and AH is assigned IP protocol number 51. In some
cases, you might need to add a statement to router ACLs to explicitly permit this traffic.
Examine the current ACL configuration on the perimeter router and determine
whether it will block IPsec traffic, using the command below:
RouterA# show access-lists
If no such entries exist, add the following to permit IPsec traffic. The access-list statements are global configuration commands; the resulting ACL is then applied inbound on the interface that faces the peer:
RouterA# configure terminal
RouterA(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
RouterA(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
RouterA(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
RouterA(config)# interface Serial0/1
RouterA(config-if)# ip address 172.30.1.2 255.255.255.0
RouterA(config-if)# ip access-group 102 in

Part 2 Site-to-Site IPsec policy Configuration:
Now we need to define a suite of ISAKMP policies, so as to establish an ISAKMP
peering between two IPsec endpoints.

RouterA# configure terminal
RouterA(config)# crypto isakmp policy 110
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# group 1
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# lifetime 86400

The ISAKMP peers negotiate an acceptable ISAKMP policy before they agree on the SA to use
for IPsec; both peers must agree on a common policy.

Now configure the ISAKMP policy and the pre-shared key that will be used between the two routers (A and B):
Router A configuration:
RouterA(config)# crypto isakmp key cisco1234 address 172.30.2.2
RouterA(config)# crypto isakmp policy 110
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# group 1
RouterA(config-isakmp)# lifetime 86400
RouterA(config-isakmp)# exit

Router B configuration:
RouterB(config)# crypto isakmp key cisco1234 address 172.30.1.2
RouterB(config)# crypto isakmp policy 110
RouterB(config-isakmp)# hash md5
RouterB(config-isakmp)# authentication pre-share
RouterB(config-isakmp)# encryption des
RouterB(config-isakmp)# group 1
RouterB(config-isakmp)# lifetime 86400
RouterB(config-isakmp)# exit

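To show how the policy negotiation described above plays out, here is an added example (not from the original post) that models the IOS match rule: the responder walks its own policies lowest number first and accepts the first one whose encryption, hash, authentication and DH group all equal a policy the initiator offered. The IsakmpPolicy class, the WEAK table and the sample policy sets are assumptions of this example; the policy 110 values are the ones configured above, and lifetime handling is simplified to "the shorter value wins".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # the N in 'crypto isakmp policy N'; lower numbers are tried first
    encryption: str
    hash: str
    authentication: str
    group: int
    lifetime: int = 86400  # seconds, the value used in the policies above

# Parameters current IOS releases still accept but report as weak (assumed table for this example).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {1, 2, 5}}

def weak_parameters(policy):
    """Names of the policy fields that use a deprecated algorithm or DH group."""
    return [f for f in ("encryption", "hash", "group") if getattr(policy, f) in WEAK[f]]

def negotiate(initiator, responder):
    """Model of the IOS match rule: the responder checks its own policies in priority order
    against everything the initiator offered and takes the first exact match on encryption,
    hash, authentication and group. Lifetime is simplified to 'shorter value wins'.
    Returns (matched responder policy, negotiated lifetime) or None when nothing matches."""
    offered = sorted(initiator, key=lambda p: p.priority)
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in offered:
            if (local.encryption, local.hash, local.authentication, local.group) == \
               (remote.encryption, remote.hash, remote.authentication, remote.group):
                return local, min(local.lifetime, remote.lifetime)
    return None

# Sample policy sets, constructed for this example. Policy 110 is the one configured above;
# policy 10 on Router A is a stronger proposal that Router B does not have.
ROUTER_A = [IsakmpPolicy(10, "aes", "sha256", "pre-share", 14),
            IsakmpPolicy(110, "des", "md5", "pre-share", 1)]
ROUTER_B = [IsakmpPolicy(110, "des", "md5", "pre-share", 1)]
ROUTER_B_HARDENED = [IsakmpPolicy(20, "aes", "sha256", "pre-share", 14, 3600)] + ROUTER_B

if __name__ == "__main__":
    for name, b in (("B", ROUTER_B), ("B hardened", ROUTER_B_HARDENED)):
        policy, life = negotiate(ROUTER_A, b)
        print(f"A -> {name}: policy {policy.priority}, lifetime {life}s, weak: {weak_parameters(policy)}")
```

Against the unchanged Router B the tunnel lands on policy 110 with every parameter flagged weak, even though Router A offered AES/SHA-256/group 14 first; only when Router B also carries the stronger policy does negotiation move off DES/MD5/group 1.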
Part 3 Transform set Site-to-Site IPsec Configuration:
Here the peers (routers A and B) agree on the specific security policy, expressed as a transform set, that protects a particular data flow.

RouterA(config)# crypto ipsec transform-set mine esp-des
RouterB(config)# crypto ipsec transform-set mine esp-des

Part 4 Crypto ACLs Site-to-Site IPsec Configuration:
The crypto ACLs identify the traffic flows that should be protected. Extended IP ACLs
select IP traffic to encrypt based on protocol, IP address, network, subnet, and port. Although
the ACL syntax is unchanged from extended IP ACLs, the meanings differ slightly
for crypto ACLs.
That is, permit specifies that matching packets must be encrypted, and
deny specifies that matching packets should not be encrypted.
Crypto ACLs behave like an extended IP ACL applied to outbound traffic on an interface, but they are
referenced only from the crypto map and therefore define the interesting traffic to be encrypted. All other traffic passes as plaintext.

Configuration:

RouterA(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
Source = hosts on the 10.0.1.0 network
Destination = hosts on the 10.0.2.0 network
RouterB(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
Source = hosts on the 10.0.2.0 network
Destination = hosts on the 10.0.1.0 network
You must configure symmetric crypto ACLs for use by IPsec. Both inbound and outbound
traffic are evaluated against the same outbound IPsec ACL. The ACL criteria are
applied in the forward direction to traffic exiting your router, and the reverse direction to
traffic entering your router. When a router receives encrypted packets back from an IPsec
peer, it uses the same ACL to determine which inbound packets to decrypt by viewing the
source and destination addresses in the ACL in reverse order.
Important note:
The crypto ACLs used by IPsec must be mirror-image ACLs, because both inbound and outbound
traffic is evaluated against the same outbound IPsec ACL.
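As an added example (not part of the original post), the following Python script parses IOS extended ACL entries of the forms used in Part 1 and Part 4 and checks both requirements: that the perimeter ACL permits ISAKMP (UDP 500), ESP and AH between the two peers, and that Router B's crypto ACL is the mirror image of Router A's. The sample entries are constructed from the addresses used above; PORTS, parse_ace and the other names are this example's own.

```python
import ipaddress
PORTS = {"isakmp": "500"}  # service names IOS accepts in place of port numbers

def _addr(t):
    # Consume 'host X' | 'any' | 'X WILDCARD', then an optional 'eq PORT'; return (spec, port, rest).
    if t[0] == "host":
        spec, t = (t[1], "0.0.0.0"), t[2:]
    elif t[0] == "any":
        spec, t = ("0.0.0.0", "255.255.255.255"), t[1:]
    else:
        spec, t = (t[0], t[1]), t[2:]
    port = PORTS.get(t[1], t[1]) if len(t) >= 2 and t[0] == "eq" else None
    return spec, port, t[2:] if port else t

def parse_ace(line):
    # Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' into a dict.
    t = line.split()
    assert t[0] == "access-list", line
    src, sport, rest = _addr(t[4:])
    dst, dport, _ = _addr(rest)
    return {"acl": t[1], "action": t[2], "proto": t[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def _covers(spec, ip):
    # Wildcard-mask match: bits set in the wildcard are don't-care.
    a, w, x = (int(ipaddress.IPv4Address(v)) for v in (*spec, ip))
    return (a & ~w) == (x & ~w)

def missing_ipsec_permits(acl_lines, peer, local):
    # (proto, port) pairs the ACL does NOT explicitly permit from peer to local ('permit ip' is not credited).
    required = {("ahp", None), ("esp", None), ("udp", "500")}
    for e in map(parse_ace, acl_lines):
        if e["action"] == "permit" and _covers(e["src"], peer) and _covers(e["dst"], local):
            required.discard((e["proto"], e["dport"]))
    return required

def is_mirror(ace_a, ace_b):
    # Router B's crypto ACE must be Router A's with source and destination (and their ports) swapped.
    a, b = parse_ace(ace_a), parse_ace(ace_b)
    return ((a["action"], a["proto"]) == (b["action"], b["proto"])
            and (a["src"], a["sport"]) == (b["dst"], b["dport"])
            and (a["dst"], a["dport"]) == (b["src"], b["sport"]))

# Sample input constructed from the addresses used in this post.
PERIMETER_ACL_A = ["access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2",
                   "access-list 102 permit esp host 172.30.2.2 host 172.30.1.2",
                   "access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp"]
CRYPTO_ACL_A = "access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255"
CRYPTO_ACL_B = "access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255"
```

With the sample data, missing_ipsec_permits(PERIMETER_ACL_A, "172.30.2.2", "172.30.1.2") returns an empty set and is_mirror(CRYPTO_ACL_A, CRYPTO_ACL_B) returns True; dropping one of the three permit lines, or changing a network or wildcard on one side only, is reported by the respective check.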


Crypto map Site-to-Site IPsec Configuration (both A and B):
Crypto map entries with the same crypto map name, but different map sequence numbers,
are grouped into a crypto map set.
You can apply only one crypto map set to a single interface. Multiple interfaces can share
the same crypto map set if you want to apply the same policy to multiple interfaces. If
you create more than one crypto map entry for a given interface, use the sequence number
of each map entry to rank the map entries. The lower the sequence, the
higher the priority. At the interface that has the crypto map set, traffic is evaluated against
higher-priority map entries first.
RouterA(config)# crypto map mymap 10 ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer 172.30.2.2
RouterA(config-crypto-map)# set peer 172.30.3.2
RouterA(config-crypto-map)# set pfs group1
RouterA(config-crypto-map)# set transform-set mine
RouterA(config-crypto-map)# set security-association lifetime seconds 86400

Applying the Crypto Maps to Interfaces
Here you apply the crypto map to the outgoing interface of the VPN tunnel using
the crypto map command in interface configuration mode.
RouterA(config)# interface serial0/1
RouterA(config-if)# crypto map mymap
Verifying the IPsec Configuration
To display the configured IPsec transform sets:
show crypto ipsec transform-set

To display the configured crypto maps:
show crypto map

To display the established IPsec tunnels:
show crypto ipsec sa

To debug IKE events:
debug crypto isakmp

To debug IPsec events:
debug crypto ipsec




 
