Constructing an IPsec Site-to-Site VPN

Now that you have a foundational understanding of IPsec site-to-site VPN concepts, this section introduces the configuration of an IPsec site-to-site VPN. Specifically, the next subsection focuses on CLI-based configuration; the graphical SDM configuration approach is covered after that.

The Five Steps in the Life of an IPsec Site-to-Site VPN

The process of establishing, maintaining, and tearing down an IPsec VPN has five primary steps. These steps are illustrated in Figure 15-8 and described in Table 15-5.

Figure 15-8 IPsec VPN Steps (figure: Router1 and Router2, with Steps 1 through 5 shown against the IKE Phase 1 tunnel and the IKE Phase 2 tunnel between them)

Table 15-5 Establishing, Maintaining, and Tearing Down an IPsec Site-to-Site VPN

Step 1: PC1 sends traffic destined for PC2. Router1 classifies the traffic as "interesting," which initiates the creation of an IPsec tunnel.

Step 2: Router1 and Router2 negotiate a Security Association (SA) used to form an IKE Phase 1 tunnel, which is also known as an ISAKMP tunnel.

Step 3: Within the protection of the IKE Phase 1 tunnel, an IKE Phase 2 tunnel is negotiated and set up. An IKE Phase 2 tunnel is also known as an IPsec tunnel.

Step 4: After the IPsec tunnel is established, interesting traffic flows through the protected IPsec tunnel. Note that traffic not deemed interesting can still be sent between PC1 and PC2. However, the noninteresting traffic is transmitted outside of the protection of the IPsec tunnel.

Step 5: After no interesting traffic has been seen for a specified amount of time, or if the IPsec SA is deleted, the IPsec tunnel is torn down.

The Five Steps of Configuring an IPsec Site-to-Site VPN

An IPsec site-to-site VPN can be configured by using IOS commands issued from a router's CLI or by using the graphical SDM interface. The CLI approach to configuring an IPsec site-to-site VPN involves five primary steps, as described in Table 15-6.

Table 15-6 Steps of Configuring an IPsec Site-to-Site VPN

Step 1: Define what parameters will be used for the IKE Phase 1 tunnel (that is, the ISAKMP tunnel). This set of parameters is called an ISAKMP policy.

Step 2: Define what parameters will be used for the IKE Phase 2 tunnel (that is, the IPsec tunnel). This set of parameters is called a transform set.

Step 3: Create an ACL to identify "interesting" traffic, which should be protected and sent over the IPsec tunnel.

Step 4: Create a crypto map, which logically groups the parameters identified in previous steps and points to an IPsec peer. The crypto map should then be applied to the appropriate interface.

Step 5: Optionally, create an additional ACL to block noninteresting traffic from passing between VPN termination devices.

Configuring an IKE Phase 1 Tunnel

To illustrate the CLI configuration of an IPsec site-to-site VPN, consider a scenario using the topology shown in Figure 15-9. The goal of this scenario is to allow all IP traffic to securely flow between network 10.1.1.0/24 (connected to Router1) and network 192.168.0.0/24 (connected to Router2).

Figure 15-9 IPsec Site-to-Site VPN Configuration (figure: Router1 and Router2 connected through their S1/0 interfaces, with network 10.1.1.0/24 behind Router1 and network 192.168.0.0/24 behind Router2)

To begin the configuration, you specify the ISAKMP parameters. Example 15-1 shows this initial configuration for Router1, and Example 15-2 provides the configuration for Router2.

Example 15-1 Router1's IKE Phase 1 Configuration

Router1# conf term
Router1(config)# crypto isakmp policy 1
Router1(config-isakmp)# authentication pre-share
Router1(config-isakmp)# hash sha
Router1(config-isakmp)# encryption aes 128
Router1(config-isakmp)# group 2
Router1(config-isakmp)# lifetime 86400
Router1(config-isakmp)# exit
Router1(config)# crypto isakmp key C1sc0Press address 172.30.2.2
Router1(config)# end
Router1#

Example 15-2 Router2's IKE Phase 1 Configuration

Router2# conf term
Router2(config)# crypto isakmp policy 1
Router2(config-isakmp)# authentication pre-share
Router2(config-isakmp)# hash sha
Router2(config-isakmp)# encryption aes 128
Router2(config-isakmp)# group 2
Router2(config-isakmp)# lifetime 86400
Router2(config-isakmp)# exit
Router2(config)# crypto isakmp key C1sc0Press address 172.30.2.1
Router2(config)# exit
Router2#

In the preceding examples, the crypto isakmp policy 1 command is used to enter ISAKMP configuration mode. From within this mode, the authentication pre-share command specifies that preshared keys are to be used for authentication. The hash sha command specifies that Secure Hash Algorithm (SHA) will be used as the hashing algorithm for the ISAKMP Security Association (SA). The encryption aes 128 command causes 128-bit Advanced Encryption Standard (AES) encryption to be used. The group 2 command specifies that Diffie-Hellman Group 2 is to be used for the secure exchange of shared keys. Finally, in this configuration mode, the lifetime of the SA is set to one day (86,400 seconds) with the lifetime 86400 command. Then, in global configuration mode, the crypto isakmp key C1sc0Press address peer-IP-address command sets the shared key to C1sc0Press when communicating with the other router (that is, the peer IP address).

Configuring an IKE Phase 2 Tunnel

Recall that an IKE Phase 2 tunnel (an IPsec tunnel) is negotiated and set up within the protection of an IKE Phase 1 tunnel (an ISAKMP tunnel). Now that you have seen how to configure an IKE Phase 1 tunnel, examine Examples 15-3 and 15-4. They show the syntax to configure an IKE Phase 2 tunnel, building on the topology shown previously in Figure 15-9.

Example 15-3 Router1's IKE Phase 2 Configuration

Router1# conf term
Router1(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
Router1(cfg-crypto-trans)# exit
Router1(config)# access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
Router1(config)# crypto map ROUTER1_TO_ROUTER2 10 ipsec-isakmp
Router1(config-crypto-map)# set peer 172.30.2.2
Router1(config-crypto-map)# match address 101
Router1(config-crypto-map)# set transform-set MYSET
Router1(config-crypto-map)# exit
Router1(config)# exit
Router1#

Example 15-4 Router2's IKE Phase 2 Configuration

Router2# conf term
Router2(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
Router2(cfg-crypto-trans)# exit
Router2(config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
Router2(config)# crypto map ROUTER2_TO_ROUTER1 10 ipsec-isakmp
Router2(config-crypto-map)# set peer 172.30.2.1
Router2(config-crypto-map)# match address 101
Router2(config-crypto-map)# set transform-set MYSET
Router2(config-crypto-map)# end
Router2#


In Examples 15-3 and 15-4, a transform set named MYSET is created with the crypto ipsec transform-set MYSET esp-aes esp-sha-hmac command. The esp-aes parameter specifies the encryption algorithm to be used, and the esp-sha-hmac parameter specifies the hashing algorithm (that is, the integrity algorithm) to be used. Each example then contains an ACL numbered 101, which specifies what traffic the IPsec tunnel will protect. By combining these examples, you can see that this scenario configures Router1 and Router2 to protect all IP traffic traveling between the 10.1.1.0/24 network and the 192.168.0.0/24 network. Next, a crypto map is created with the crypto map crypto-map-name 10 ipsec-isakmp command. In crypto map configuration mode, the set peer peer-IP-address command specifies the IP address of the IPsec peer (that is, the IP address of the other router). The match address 101 command associates the previously created ACL 101 with the crypto map, and the MYSET transform set is linked with the crypto map using the set transform-set MYSET command.

Applying Crypto Maps

A crypto map needs to be applied to an interface for an IPsec tunnel to be set up. Continuing with the current scenario, examine Examples 15-5 and 15-6. They illustrate the application of the ROUTER1_TO_ROUTER2 crypto map to Router1 and the application of the ROUTER2_TO_ROUTER1 crypto map to Router2.

Example 15-5 Applying a Crypto Map to Router1

Router1# conf term
Router1(config)# interface serial 1/0
Router1(config-if)# crypto map ROUTER1_TO_ROUTER2
Router1(config-if)# exit
Router1(config)# ip route 192.168.0.0 255.255.255.0 172.30.2.2
Router1(config)# end
Router1#

Example 15-6 Applying a Crypto Map to Router2

Router2# conf term
Router2(config)# interface serial 1/0
Router2(config-if)# crypto map ROUTER2_TO_ROUTER1
Router2(config-if)# exit
Router2(config)# ip route 10.1.1.0 255.255.255.0 172.30.2.1
Router2(config)# end
Router2#

In the preceding examples, notice that you enter interface configuration mode to apply a crypto map. Then you issue the crypto map crypto-map-name command to apply the previously configured crypto map. Also notice that Examples 15-5 and 15-6 each have an ip route command. This command is used to create a static route, pointing to the remote network available off the far-end router.
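Because a site-to-site tunnel only comes up when both peers' parameters agree, it is worth checking the two configurations against each other before testing. The following Python script is an added example, not code from the book: it parses constructed running-config excerpts mirroring Examples 15-1 through 15-4 and reports the mismatches that most often stop the tunnel from forming (the isakmp key address not matching set peer, differing pre-shared keys or transform sets, and interesting-traffic ACLs that are not mirror images). The parse and check functions are the example's own.

```python
# Added example, not from the book: cross-check that Router1's and Router2's
# IPsec configuration (constructed from Examples 15-1 to 15-4) mirror each other.
R1 = """\
crypto isakmp key C1sc0Press address 172.30.2.2
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
crypto map ROUTER1_TO_ROUTER2 10 ipsec-isakmp
 set peer 172.30.2.2
 match address 101
 set transform-set MYSET
"""
R2 = """\
crypto isakmp key C1sc0Press address 172.30.2.1
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map ROUTER2_TO_ROUTER1 10 ipsec-isakmp
 set peer 172.30.2.1
 match address 101
 set transform-set MYSET
"""

def parse(cfg):
    # Extract the pre-shared key, its peer address, the transform set and the
    # interesting-traffic ACL that the crypto map references.
    p, acls, sets = {}, {}, {}
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[:3] == ["crypto", "isakmp", "key"]:
            p["psk"], p["key_addr"] = t[3], t[5]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            sets[t[3]] = tuple(t[4:])
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls[t[1]] = ((t[4], t[5]), (t[6], t[7]))   # (src, dst) with wildcards
        elif t[:2] == ["set", "peer"]:
            p["peer"] = t[2]
        elif t[:2] == ["match", "address"]:
            p["acl"] = acls[t[2]]
        elif t[:2] == ["set", "transform-set"]:
            p["transform"] = sets[t[2]]
    return p

def check(a, b):
    """Return a list of mismatches between two peers' configs; empty means consistent."""
    issues = []
    if a["key_addr"] != a["peer"] or b["key_addr"] != b["peer"]:
        issues.append("crypto isakmp key address does not match the crypto map's set peer")
    if a["psk"] != b["psk"]:
        issues.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        issues.append("transform sets differ")
    if a["acl"] != b["acl"][::-1]:
        issues.append("interesting-traffic ACLs are not mirror images")
    return issues
```

Running check(parse(R1), parse(R2)) on the two excerpts returns an empty list; a typo in either router's key address or ACL shows up as a named finding before you reach for an extended ping.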

To test the IPsec configuration, an extended ping can be performed, as shown in Example 15-7. Specifically, Example 15-7 shows an extended ping being initiated from Router1's LAN interface (IP address 10.1.1.1), destined for Router2's LAN interface (IP address 192.168.0.95). Notice that the first ping fails, because the IPsec tunnel is being set up during this time. However, the remaining pings succeed.

Example 15-7 Testing the IPsec Tunnel with an Extended Ping

Router1# ping
Protocol [ip]:
Target IP address: 192.168.0.95
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.95, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 164/209/296 ms

After establishing an IPsec tunnel, you can verify and view the tunnel's parameters by issuing the show crypto engine connections active and show crypto session commands, as shown in Examples 15-8 and 15-9.

Example 15-8 show crypto engine connections active Command

Router1# show crypto engine connections active
Crypto Engine Connections

   ID  Interface  Type   Algorithm  Encrypt  Decrypt  IP-Address
    1  Se1/0      IPsec  AES+SHA          0        4  172.30.2.1
    2  Se1/0      IPsec  AES+SHA          4        0  172.30.2.1
 1001  Se1/0      IKE    SHA+AES          0        0  172.30.2.1

Example 15-9 show crypto session Command

Router1# show crypto session
Crypto session current status

Interface: Serial1/0
Session status: UP-ACTIVE
Peer: 172.30.2.2 port 500
  IKE SA: local 172.30.2.1/500 remote 172.30.2.2/500 Active
  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map
