Friday, 5 April 2013

Site to Site IOS IPsec Tunnel - Part I PreShared Key

Site-to-Site IPsec VPN tunnels are used to allow the secure transmission of data, voice and video between two sites.

ISAKMP (IKE Phase I)

IKE exists only to establish SAs for IPsec. Before it can do this, IKE must negotiate an SA (an ISAKMP SA) relationship with the peer. Since IKE negotiates its own policy, it is possible to configure multiple policy statements with different configuration statements, then let the two hosts come to an agreement.


ISAKMP negotiates:

  •  An Encryption Algorithm
  •  A Hashing Algorithm (MD5 or SHA)
  •  Authentication—RSA signatures, RSA Encrypted nonces (random numbers), or pre-shared keys
  •  Lifetime of the SA—In seconds

There are two methods used in order to configure ISAKMP:

  • Use pre-shared keys, which are simple to configure.
  • Use a CA (Certification Authority), which is scalable throughout the Enterprise.

IPSEC (IKE Phase II)

Whether you use pre-shared keys or configure a CA, once you set up Internet Key Exchange (IKE), you still have to set up IPsec. Regardless of which IKE method you use, the configuration steps for IPsec are the same.


You need to do these in order to configure IPsec:
  •    Create an extended ACL. Specify the traffic that must be encrypted (permit means encrypt; deny means do not encrypt).
  •    Create IPsec transform set(s). A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security protected traffic. During the IPsec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow. You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. A transform set specifies one or two IPsec security protocols (either Encapsulating Security Payload or Authentication Header, or both) and specifies which algorithms to use with the selected security protocol. ESP provides packet encryption and optional data authentication and anti-replay services. AH provides data authentication and anti-replay services.
  •    Create crypto map. Crypto maps provide two functions: (1) filtering and classifying traffic to be protected and (2) defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.
    • IPSec crypto maps link together definitions of the following:
      • What traffic should be protected
      • Which IPSec peers the protected traffic can be forwarded to—these are the peers with which a security association can be established
      • Which transform sets are acceptable for use with the protected traffic
      • How keys and security associations should be used or managed (or what the keys are, if IKE is not used)
  • Apply the crypto map to the interface. You can assign only one crypto map set to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are part of the same set and are all applied to the interface. The security appliance evaluates the crypto map entry with the lowest seq-num first.
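The four steps above only produce a working tunnel when both routers agree on every negotiated parameter, and the most common failures are asymmetries: a pre-shared key that differs in case, crypto ACLs that are not mirror images, a transform set that exists on one side only, or a crypto map that was defined but never applied to an interface. The following is an added example (not code from the original post) in Python that parses the kind of two-router configuration the scenario below uses and audits the pair for exactly those mismatches. The sample configs are constructed from the post; R2's outside interface name is an assumption, since the post does not give it.

```python
"""Audit two IOS site-to-site IPsec configs for the symmetry IKE needs.
Added example, not from the original post: it parses the crypto lines the
post's scenario uses and checks what both routers must agree on. The sample
configs are constructed from the post; R2's interface name is an assumption.
"""
import re


def parse_ios_crypto(text):
    """Parse crypto-relevant lines of an IOS running-config into a dict."""
    cfg = {"policy": {}, "psk": {}, "acls": {}, "transform_sets": {}, "crypto_map": {}}
    section, iface = None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented, line = raw.startswith(" "), raw.strip()
        if not indented:                                   # new top-level command
            section = None
            if line.startswith("crypto isakmp policy"):
                section = "policy"                         # encr / hash / authentication
            elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                cfg["psk"][m.group(2)] = m.group(1)        # peer address -> key
            elif m := re.match(r"ip access-list extended (\S+)", line):
                section, cfg["acls"][m.group(1)] = ("acl", m.group(1)), []
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                cfg["transform_sets"][m.group(1)] = tuple(m.group(2).split())
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
                section, cfg["crypto_map"]["name"] = "map", m.group(1)
            elif m := re.match(r"interface (\S+)", line):
                section, iface = "interface", m.group(1)
            continue
        if section == "policy":
            key, _, val = line.partition(" ")
            cfg["policy"][key] = val
        elif isinstance(section, tuple):                   # inside an extended ACL
            if m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line):
                cfg["acls"][section[1]].append(m.groups())  # (src, smask, dst, dmask)
        elif section == "map":
            if m := re.match(r"set peer (\S+)", line):
                cfg["crypto_map"]["peer"] = m.group(1)
            elif m := re.match(r"set transform-set (\S+)", line):
                cfg["crypto_map"]["transform-set"] = m.group(1)
            elif m := re.match(r"match address (\S+)", line):
                cfg["crypto_map"]["match"] = m.group(1)
        elif section == "interface":
            if m := re.match(r"crypto map (\S+)$", line):
                cfg["crypto_map"]["applied"] = (iface, m.group(1))
    return cfg


def audit_pair(a, b, a_addr, b_addr):
    """Return mismatches between peer config a (at a_addr) and b (at b_addr)."""
    findings = []
    for attr in ("encr", "hash", "authentication"):
        if a["policy"].get(attr) != b["policy"].get(attr):
            findings.append(f"isakmp policy {attr} differs: {a['policy'].get(attr)} vs {b['policy'].get(attr)}")
    if not a["psk"].get(b_addr) or a["psk"].get(b_addr) != b["psk"].get(a_addr):
        findings.append("pre-shared key missing or different (keys are case-sensitive)")
    if a["crypto_map"].get("peer") != b_addr or b["crypto_map"].get("peer") != a_addr:
        findings.append("crypto map 'set peer' addresses do not point at each other")
    ts_a, ts_b = (c["transform_sets"].get(c["crypto_map"].get("transform-set")) for c in (a, b))
    if ts_a is None or ts_a != ts_b:
        findings.append(f"transform sets differ: {ts_a} vs {ts_b}")
    acl_a = sorted(a["acls"].get(a["crypto_map"].get("match"), []))
    # The peer's crypto ACL must be the mirror image: its source is our destination.
    mirror_b = sorted((d, dm, s, sm) for s, sm, d, dm in b["acls"].get(b["crypto_map"].get("match"), []))
    if not acl_a or acl_a != mirror_b:
        findings.append("crypto ACLs are not mirror images of each other")
    for label, c in (("a", a), ("b", b)):
        applied = c["crypto_map"].get("applied")
        if applied is None or applied[1] != c["crypto_map"].get("name"):
            findings.append(f"peer {label}: crypto map is not applied to an interface")
    return findings


# Constructed from the post's scenario, with the interface binding made explicit.
R1_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 172.20.1.5
ip access-list extended SITE1_TO_SITE2
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto map VPN_SITE_TO_SITE 10 ipsec-isakmp
 set peer 172.20.1.5
 set transform-set 3DES_MD5
 match address SITE1_TO_SITE2
interface FastEthernet1/0
 crypto map VPN_SITE_TO_SITE
"""
# R2 mirrors R1: peer address, ACL name and ACL direction swapped (interface name assumed).
R2_CONFIG = (R1_CONFIG.replace("172.20.1.5", "172.20.1.1")
             .replace("SITE1_TO_SITE2", "SITE2_TO_SITE1")
             .replace("10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
                      "10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"))

if __name__ == "__main__":
    print(audit_pair(parse_ios_crypto(R1_CONFIG), parse_ios_crypto(R2_CONFIG), "172.20.1.1", "172.20.1.5"))
```

Run it against the two running-configs (for example, saved from `show running-config`) before bringing a tunnel up; an empty findings list means the Phase 1 policy, pre-shared key, peers, transform set, mirrored crypto ACLs and interface binding all line up. The parser only understands the command forms the post uses, so extend the regular expressions if your configs use named keys, `crypto map ... set pfs`, or multiple ACL entries per flow.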


Scenario:


  • ISAKMP (IKE Phase I) configuration
    • R1 config
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 172.20.1.5
    • R2 config
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 172.20.1.1

  • IPsec (IKE Phase II) configuration
    • R1 config
ip access-list extended SITE1_TO_SITE2
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac 

crypto map VPN_SITE_TO_SITE 10 ipsec-isakmp
 set peer 172.20.1.5
 set transform-set 3DES_MD5
 match address SITE1_TO_SITE2

! apply the crypto map to R1's outside interface (FastEthernet1/0 in the verification output below)
interface FastEthernet1/0
 crypto map VPN_SITE_TO_SITE
    • R2 config

ip access-list extended SITE2_TO_SITE1
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac 


crypto map VPN_SITE_TO_SITE 10 ipsec-isakmp
 set peer 172.20.1.1
 set transform-set 3DES_MD5
 match address SITE2_TO_SITE1

! apply the crypto map to R2's outside interface (interface name not given in the post)
interface <R2-outside-interface>
 crypto map VPN_SITE_TO_SITE

  • ASA config

access-list TRAFIC_IN extended permit udp any any eq isakmp
access-list TRAFIC_IN extended permit esp any any
access-group TRAFIC_IN in interface outside


  • Verification
ISAKMP (IKE Phase I)

R1#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.
1002  172.20.1.1      172.20.1.5               ACTIVE 3des md5  psk  1  23:54:05  
       Engine-id:Conn-id =  SW:2

IPsec (IKE Phase II)

R1#show crypto ipsec sa map VPN_SITE_TO_SITE
interface: FastEthernet1/0
    Crypto map tag: VPN_SITE_TO_SITE, local addr 172.20.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 172.20.1.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 172.20.1.1, remote crypto endpt.: 172.20.1.5
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0xE9ED8C35(3924659253)



R1#show crypto session
Crypto session current status
Interface: FastEthernet1/0
Session status: UP-ACTIVE  
Peer: 172.20.1.5 port 500
  IKE SA: local 172.20.1.1/500 remote 172.20.1.5/500 Active
  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.2.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map
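Reading these three commands by eye is fine for one tunnel, but a monitoring job wants the same checks automated: Phase 1 is up when the ISAKMP SA for the peer is ACTIVE (or QM_IDLE), and Phase 2 is up when the session is UP-ACTIVE and every protected flow shows two active SAs, one inbound and one outbound. The SA in the output above also negotiated 3DES, MD5 and DH group 1, which current guidance treats as legacy choices (AES, SHA-2 and DH group 14 or stronger are the usual replacements), so a health check should flag those as well. The following is an added example in Python, not code from the original post; it parses constructed copies of the `show crypto isakmp sa detail` and `show crypto session` output shown above, and the sets of algorithms it treats as legacy are this example's own assumption.

```python
"""Report tunnel health from IOS 'show crypto isakmp sa detail' and
'show crypto session' output. Added example, not from the original post;
the sample output below is constructed from the post's verification section.
"""
import re

ISAKMP_ROW = re.compile(
    r"^(?P<cid>\d+)\s+(?P<local>\d+\.\d+\.\d+\.\d+)\s+(?P<remote>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:(?P<vrf>\S+)\s+)?(?P<status>[A-Z_]+)\s+(?P<encr>\S+)\s+(?P<hash>\S+)\s+"
    r"(?P<auth>\S+)\s+(?P<dh>\d+)\s+(?P<lifetime>\S+)"
)
# What counts as legacy is a site policy decision; these sets are this example's assumption.
LEGACY_ENCR = {"des", "3des"}
LEGACY_HASH = {"md5", "sha"}        # IOS prints SHA-1 as 'sha'
LEGACY_DH = {"1", "2", "5"}         # 768-, 1024- and 1536-bit MODP groups


def parse_isakmp_sa(text):
    """One dict per IKE SA row; the I-VRF column may be blank, hence the optional group."""
    return [m.groupdict() for m in map(ISAKMP_ROW.match, (l.strip() for l in text.splitlines())) if m]


def parse_crypto_session(text):
    """Sessions from 'show crypto session': status, peer, IKE state and IPsec flows."""
    sessions, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Session status:"):
            cur = {"status": s.split(":", 1)[1].strip(), "flows": []}
            sessions.append(cur)
        elif cur is None:
            continue
        elif s.startswith("Peer:"):
            cur["peer"] = s.split()[1]
        elif s.startswith("IKE SA:"):
            cur["ike_state"] = s.split()[-1]
        elif s.startswith("IPSEC FLOW:"):
            cur["flows"].append({"flow": s.split(":", 1)[1].strip(), "active_sas": 0})
        elif s.startswith("Active SAs:") and cur["flows"]:
            cur["flows"][-1]["active_sas"] = int(s.split()[2].rstrip(","))
    return sessions


def legacy_findings(sa):
    out = []
    if sa["encr"] in LEGACY_ENCR:
        out.append(f"encryption {sa['encr']} is legacy; prefer AES")
    if sa["hash"] in LEGACY_HASH:
        out.append(f"hash {sa['hash']} is legacy; prefer SHA-2")
    if sa["dh"] in LEGACY_DH:
        out.append(f"DH group {sa['dh']} is legacy; prefer group 14 or stronger")
    return out


def tunnel_health(isakmp_text, session_text, peer):
    """Phase 1 / Phase 2 state for one peer plus any legacy-algorithm findings."""
    ike = [r for r in parse_isakmp_sa(isakmp_text) if r["remote"] == peer]
    phase1_up = any(r["status"] in ("ACTIVE", "QM_IDLE") for r in ike)
    sessions = [s for s in parse_crypto_session(session_text) if s.get("peer") == peer]
    # Each protected flow needs an inbound and an outbound IPsec SA, so 2 active SAs is healthy.
    phase2_up = any(s["status"] == "UP-ACTIVE" and s["flows"]
                    and all(f["active_sas"] >= 2 for f in s["flows"]) for s in sessions)
    return {"phase1_up": phase1_up, "phase2_up": phase2_up,
            "legacy": [f for r in ike for f in legacy_findings(r)]}


# Constructed sample output matching the post's R1 verification.
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.
1002  172.20.1.1      172.20.1.5               ACTIVE 3des md5  psk  1  23:54:05
       Engine-id:Conn-id =  SW:2
"""
SESSION_OUTPUT = """\
Crypto session current status
Interface: FastEthernet1/0
Session status: UP-ACTIVE
Peer: 172.20.1.5 port 500
  IKE SA: local 172.20.1.1/500 remote 172.20.1.5/500 Active
  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.2.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map
"""

if __name__ == "__main__":
    print(tunnel_health(ISAKMP_SA_OUTPUT, SESSION_OUTPUT, "172.20.1.5"))
```

Feed it the output of the two commands collected over SSH or from a log archive and alert when `phase1_up` or `phase2_up` turns false for a peer that should be up; the `legacy` list is the input for a planned migration of the ISAKMP policy and transform set rather than a reason to page anyone. An `#send errors` counter climbing in `show crypto ipsec sa` while both phases look up usually points at a routing or MTU problem rather than a crypto one.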


