Using Cisco SDM to Configure IPsec on a Site-to-Site VPN

CLI-based IPsec configuration can become a daunting task for network administrators who aren't thoroughly familiar with the myriad of IPsec parameters and options. Fortunately, Cisco SDM offers a Site-to-Site VPN configuration wizard that can help you configure an IPsec site-to-site VPN, as shown in this section.

Introduction to the Cisco SDM VPN Wizard

Cisco SDM makes available both a Quick Setup wizard and a Step-by-Step wizard. These wizards combine administrator input with preconfigured VPN elements to produce VPN configurations. However, a successful VPN configuration requires some VPN elements (such as a PKI) to already be in place.

Figure 15-10 shows how to get started with the Cisco SDM Site-to-Site VPN Configuration Wizard using the following steps:

Step 1 Click the Configure button in the Cisco SDM interface.

Figure 15-10 Invoking the Cisco SDM Site-to-Site VPN Configuration Wizard

Step 2 Click the VPN button in the Tasks pane.

Step 3 Click the Site to Site VPN object.

Step 4 Select the Create a Site to Site VPN radio button.

Step 5 Click the Launch the selected task button.

Next you are prompted to select either Quick setup or Step by step wizard, as shown in Figure 15-11.

Figure 15-11 Selecting a VPN Wizard

Quick Setup

To demonstrate an IPsec site-to-site VPN configuration using the Quick Setup wizard, consider the topology shown in Figure 15-12.

Figure 15-12 Quick Setup Wizard Sample Topology (labels in the figure: S1/0, Fa0/0, 192.168.0.0/24, Running SDM, Not Running SDM)

The following steps illustrate how to configure the topology shown in Figure 15-12 to protect traffic traveling between network 192.168.0.0/24 and network 10.1.1.0/24:

Step 1 The Quick Setup wizard offers two default IKE policies and a default IPsec transform set for your use. However, you still need to enter a few parameters into this wizard, as shown in Figure 15-13.

Figure 15-13 Entering Parameters for the Quick Setup Wizard

In Figure 15-13, the following parameters are entered:

• Interface for this VPN connection: Serial 1/0

• Preshared key: cisco

• Source interface where encrypted traffic originates: FastEthernet0/0

• Destination IP address (or subnet) where encrypted traffic terminates: 10.1.1.0 255.255.255.0

Step 2 After entering these parameters, click the Next button. You see a configuration summary, as shown in Figure 15-14.

Figure 15-14 Configuration Summary

Step 3 After reviewing the summary, click the Finish button. The commands are delivered to the router you are configuring. Click the OK button, as shown in Figure 15-15, to enter the Edit Site to Site VPN screen.

Figure 15-15 Command Delivery Confirmation

Step 4 In the Edit Site to Site VPN screen, shown in Figure 15-16, notice that the VPN is down. This is because the router at the other side of the tunnel has not yet been configured.

Figure 15-16 Edit Site-to-Site VPN Configuration Screen

Step 5 Cisco SDM helps you configure the router at the far side of the tunnel, even if the other router is not running Cisco SDM. Specifically, if you click the Generate Mirror button, the window shown in Figure 15-17 appears, showing a generic form of the configuration to be applied to the far-end router. The configuration does need some tweaking before being applied, because you need to specify which interface on the remote router the generated crypto map should be applied to.

Figure 15-17 Generated Mirror Configuration

Step 6 Manually apply the generated configuration to the far-end router, and manually apply the generated crypto map to the appropriate interface on the far-end router using the crypto map crypto-map-name command. Then you can click the Test Tunnel button, which opens the VPN Troubleshooting window, shown in Figure 15-18.

Figure 15-18 VPN Troubleshooting Window

Step 7 In the VPN Troubleshooting window, click the Start button. The first time you test the connection, you are prompted for a destination IP address available off the far-end router to test. If everything is configured correctly, you receive a message that the VPN tunnel is up, as shown in Figure 15-19.

Figure 15-19 Tunnel Test Success Message

Step 8 After closing the VPN Troubleshooting window, notice that the VPN tunnel status has changed to up, as shown in Figure 15-20.

Figure 15-20 Tunnel Status Up

As a reference, Examples 15-10 and 15-11 provide the IPsec-relevant commands entered on routers R1 and R2, with assistance from the Cisco SDM Quick Setup wizard.

Example 15-10 IPsec-Relevant Configuration Commands on R1

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto isakmp key cisco address 172.16.1.2

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to172.16.1.2
 set peer 172.16.1.2
 set transform-set ESP-3DES-SHA
 match address 100

interface FastEthernet0/0
 ip address 192.168.0.29 255.255.255.0

interface Serial1/0
 ip address 172.16.1.1 255.255.255.0
 crypto map SDM_CMAP_1

access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255

Example 15-11 IPsec-Relevant Configuration Commands on R2

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 172.16.1.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set ESP-3DES-SHA
 match address SDM_1
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
 ip address 172.16.1.2 255.255.255.0
!
ip route 192.168.0.0 255.255.255.0 172.16.1.1
!
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
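The mirror configuration produced in Step 5 must match R1 on the IKE policy, transform set and preshared key while swapping the peer address and the source and destination of the crypto ACL; a mismatch in any of these is the usual reason the tunnel test fails. The following Python script, added here and not part of the book or of Cisco SDM, parses a constructed R1 configuration (taken from Example 15-10, with the remarks and interfaces omitted), derives the R2 mirror from it, and reports any inconsistency between the two peers. It assumes both routers use a numbered crypto ACL so that one regular expression covers both.

```python
import re
from ipaddress import IPv4Network
# Constructed from Example 15-10; R2 is the mirror image (peer address and ACL
# source/destination swapped), as the Generate Mirror button would produce.
R1_CFG = """crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 172.16.1.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set ESP-3DES-SHA
 match address 100
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
R2_CFG = R1_CFG.replace("172.16.1.2", "172.16.1.1").replace(
    "192.168.0.0 0.0.0.255 10.1.1.0", "10.1.1.0 0.0.0.255 192.168.0.0")

def parse_peer(cfg):
    """Extract the parameters that must agree (or mirror) between the two peers."""
    policy = re.search(r"crypto isakmp policy \d+\n((?: .*\n)+)", cfg).group(1)
    psk, key_for = re.search(r"crypto isakmp key (\S+) address (\S+)", cfg).groups()
    acl = re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    return {
        "ike": frozenset(line.strip() for line in policy.splitlines()),
        "psk": psk, "key_for": key_for,
        "transform": re.search(r"ipsec transform-set \S+ (.+)", cfg).group(1).strip(),
        "peer": re.search(r"set peer (\S+)", cfg).group(1),
        # IPv4Network accepts an IOS wildcard mask, so "0.0.0.255" becomes /24
        "flows": {(IPv4Network(f"{s}/{sw}"), IPv4Network(f"{d}/{dw}"))
                  for s, sw, d, dw in acl},
    }

def mirror_problems(a, b):
    """Return mismatches between two parsed peers; an empty list means consistent."""
    problems = []
    if a["ike"] != b["ike"]:
        problems.append("IKE Phase 1 policy differs")
    if a["transform"] != b["transform"]:
        problems.append("IPsec transform set differs")
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    for side in (a, b):
        if side["peer"] != side["key_for"]:
            problems.append("crypto map peer %s has no matching isakmp key" % side["peer"])
    # every flow on one side must appear with source and destination swapped on the other
    if a["flows"] != {(d, s) for s, d in b["flows"]}:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Running mirror_problems(parse_peer(R1_CFG), parse_peer(R2_CFG)) on the two configurations above returns an empty list; feed it the running configuration of a pair that fails the tunnel test to see which element was not mirrored.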

Using the Step-by-Step wizard, as opposed to the Quick Setup wizard, requires additional input from the administrator. Table 15-7 describes the parameters required by the Step-by-Step wizard.

Table 15-7 Step-by-Step Wizard Parameters

Parameter: Description

Connection settings: The connection settings identify the interface to be used to establish the VPN connection, the IP address of the VPN peer, and the credentials used for authentication.

IKE proposals: The IKE proposals, used to establish the IKE Phase 1 tunnel, include the priority of a specific IKE proposal, the encryption algorithm, the hashing algorithm, the authentication method used for IKE, the Diffie-Hellman group, and the IKE lifetime.

IPsec transform sets: IPsec transform sets identify the encryption algorithms, hashing algorithms, mode of operation (that is, tunnel or transport mode), and compression type used in establishing the IKE Phase 2 tunnel (that is, the IPsec tunnel).

Protected traffic: You can identify the traffic you want to protect over the IPsec VPN by matching traffic with ACLs.

The following sections cover the details of setting these up.

Configuring Connection Settings

If you select Step by step wizard from the initial Site-to-Site VPN Wizard screen, as shown earlier in Figure 15-11, you see the connection settings screen, as shown in Figure 15-21.

Figure 15-21 Connection Parameters

On this initial screen, you are prompted to enter the following information:

■ Interface for this VPN connection

■ Peer IP address type (dynamic or static)

■ IP address of the remote peer (for a peer with a static IP address)

■ Authentication type (preshared keys or digital certificates)

■ Preshared key (for preshared key authentication)

NOTE When selecting a preshared key, make the key strong, just as you would create a strong password. For example, select a key that is long and that is not an actual word. Doing so makes the key more resistant to a brute-force attack or a dictionary attack.

After setting the parameters in this initial connection settings screen, click the Next button to proceed to the next screen in the wizard. This screen allows you to configure an IKE proposal.

Selecting an IKE Proposal

You can select the default IKE proposal provided by Cisco SDM, as shown in Figure 15-22, or you can click the Add button to configure parameters for your own custom IKE policy.

Figure 15-22 IKE Proposal Parameters

Specifically, you can set the following parameters for an IKE policy:

■ Priority (set to 1 in the default policy)

■ Encryption (set to 3DES in the default policy)

■ Diffie-Hellman group (set to group2 in the default policy)

■ Authentication (either PRE_SHARE or RSA_SIG)

■ Lifetime (the Security Association [SA] lifetime in seconds)

After identifying the IKE proposal(s) you want to use, click the Next button to proceed to the next screen in the wizard. This screen allows you to configure a transform set.

Selecting a Transform Set

Whereas an IKE proposal specifies security parameters for an ISAKMP tunnel (an IKE Phase 1 tunnel), a transform set specifies security parameters for an IPsec tunnel (an IKE Phase 2 tunnel). The Transform Set configuration screen, shown in Figure 15-23, allows you to either select Cisco SDM's default transform set or click the Add button to create a custom transform set.

Figure 15-23 Transform Set Parameters

When creating a custom transform set, you can specify the parameters listed in Table 15-8.

After identifying the transform set(s) you want to use, click the Next button to proceed to the next screen in the wizard. This screen allows you to identify traffic to protect in the IPsec tunnel.

Table 15-8 Transform Set Parameters

Parameter Description: Default Transform Set Value

Transform set name: ESP-3DES-SHA

Encapsulating Security Payload (ESP) or Authentication Header (AH) protocol: Encapsulating Security Payload (ESP)

Integrity algorithm (used to perform hashing): SHA

Encryption algorithm (if ESP is used, as opposed to AH): 3DES

Mode (tunnel or transport): Tunnel

IP compression (COMP-LZS): Not enabled

Selecting Traffic to Protect in the IPsec Tunnel

From the Traffic to protect screen, you can select either Protect all traffic between the following subnets or Create/Select an access-list for IPsec traffic. Figure 15-24 shows a scenario in which all traffic between two subnets (192.168.0.0/24 and 10.1.1.0/24) is identified.

Figure 15-24 Protecting All Traffic Between Two Subnets

However, if you prefer to protect only specific traffic (as identified by an ACL), select the Create/Select an access-list for IPsec traffic radio button and choose Create a new rule(ACL) and select from the adjacent drop-down menu, as shown in Figure 15-25.

Figure 15-25 Protecting Traffic Identified by an ACL

After selecting Create a new rule(ACL) and select, you see the Add a Rule window, shown in Figure 15-26.

Figure 15-26 Add a Rule Window

From the Add a Rule window, you can specify a number or name for the ACL you will use to identify traffic to be protected by the IPsec tunnel. Also, you can optionally give a description. To add a rule to the ACL, click the Add button.

After you click the Add button, the Add an Extended Rule Entry window appears, as shown in Figure 15-27.

Figure 15-27 Creating an Extended Rule Entry

In Figure 15-27, the extended rule matches Telnet traffic sourced from network 192.168.0.0/24 and destined for network 10.1.1.0/24. After creating the rule, click the OK button.

Applying the Generated Configuration

After selecting the traffic to protect from the Traffic to protect screen (either all traffic between two subnets or specific traffic identified by an ACL), click the Next button to view a summary of the configuration, as shown in Figure 15-28.

Figure 15-28 Configuration Summary Screen

After reviewing the configuration summary, click the Finish button to send the configuration commands to the router. Click the OK button in the Commands Delivery Status window, as shown in Figure 15-29.

Figure 15-29 Commands Delivery Status Window

After clicking the Finish button, you are sent to the Edit Site to Site VPN screen, as shown in Figure 15-30.

Figure 15-30 Edit Site-to-Site VPN Screen

Notice that this screen reports that the tunnel is down. From this screen, as previously described for the Quick Setup wizard, you can generate a mirror configuration template to be applied to the router at the other end of the tunnel and then test the VPN tunnel.

Monitoring the Configuration

After the VPN tunnel becomes operational, you can monitor the tunnel status. Click the Monitor button (in the button bar at the top of the Cisco SDM screen). Then click the VPN Status button (in the Tasks pane, on the left of the Cisco SDM screen). Finally, click the IPSec Tunnels option (in the middle pane of the Cisco SDM screen). This monitoring interface, as shown in Figure 15-31, graphically provides traffic statistics for the IPsec VPN tunnel.

Figure 15-31 IPsec Tunnels Monitoring Screen

Alternatively, you can issue monitoring and troubleshooting commands from the router's command line. Table 15-9 lists examples of these commands.

Table 15-9 IPsec VPN Monitoring Commands

Command: Description

show crypto isakmp sa: Shows all existing IKE Phase 1 (ISAKMP) security associations

show crypto ipsec sa: Shows all existing IKE Phase 2 (IPsec) security associations

debug crypto isakmp: Shows detailed information about the IKE Phase 1 (ISAKMP) and IKE Phase 2 (IPsec) negotiations
