Crypto Access Lists: An Example

Consider the scenario depicted in Figure 7-10 with two routers that must peer across an untrusted network and provide IPsec services on behalf of devices located in multiple subnets.

Figure 7-10 Scenario for Configuring Crypto Access Lists

Suppose all subnets have a /16 mask and you are given the following requirements:

Traffic between subnets 172.17.0.0 and 10.1.0.0 requires IPsec.
Traffic between subnets 172.17.0.0 and 10.2.0.0 requires...

Transport and Tunnel Modes

IPsec defines two kinds of SAs: transport mode and tunnel mode SAs. A transport mode SA is an association between two hosts. In transport mode, the IP payload is protected by IPsec and the original IP header is left intact. Additionally, an IPsec header is inserted after the IP header. This is illustrated in Figure 7-2. Transport mode protects traffic between two IPsec hosts (between a PC and a server, for example) and does not afford any traffic flow confidentiality. That is, the volume of traffic...

All of the Pieces Together: A Comprehensive Example with IPsec and IKE

The sections up to this point have covered the building blocks of IPsec, but how do all of these technologies work together? The following sequence between Alice and Bob incorporates the concepts covered in the preceding sections and describes how IPsec's cryptographic techniques can achieve secure communication over an untrusted network. In this example, assume that no prior communication has occurred between Alice and Bob. To make the example more concrete, further assume that Alice needs to...

Basic IPsec Security Concepts and Cryptography

IPsec is a fairly large collection of technologies that encompasses network and security protocols, cryptographic algorithms, and recommendations. IPsec is an architecture for building secure communications over untrusted networks and provides the security services listed in the following sections. These services are confidentiality, integrity, origin authentication, and anti-replay. The following sections cover these services and introduce basic security and cryptographic principles as they...

Configuring IKE with Pre-Shared Keys

Authentication with pre-shared keys is the simplest implementation of IKE and might be suitable for small networks (10 routers and fewer, perhaps). As mentioned previously, this configuration does not have the scaling advantages of public key cryptography and digital certificates. Instead, two peers are manually configured with the same key (a shared key). How the keys are determined and programmed into the routers is the responsibility of the router administrators. When a pre-shared key needs...

Validating IPsec Configuration

The following enable mode commands are useful for validating the IPsec configuration:

show crypto isakmp policy returns the router's active IKE transform sets (policies) in order of priority.

show crypto isakmp sa displays the status of the router's IKE SAs. A state of QM_IDLE means the IKE SA is up and functioning properly. Recall that both IKE and IPsec SAs are built only when they are needed and are triggered by traffic that matches a crypto map.

show crypto map displays the crypto maps...

Enable Debugging and Clearing Existing SAs

To get more detailed information and observe IKE and IPsec negotiations, enable debugging with these commands:

RTA# debug crypto isakmp
RTA# debug crypto ipsec

With debugging enabled, the router displays the status of IKE and IPsec events in detail. See the following section, Messages for IKE Negotiation and CA Servers. To debug CA events, issue these additional commands:

RTA# debug crypto pki messages
RTA# debug crypto pki transactions

To observe IKE negotiation, you might want to clear any...

Configuring IPsec SA Lifetimes

The following commands modify the lifetimes associated with IPsec SAs:

RTA(config)# crypto map MAP-TO-NY 20 ipsec-isakmp
RTA(config-crypto-map)# set security-association lifetime seconds 2700
RTA(config-crypto-map)# set security-association lifetime kilobytes 2000000

The command set security-association lifetime seconds 2700 sets the lifetime of IPsec SAs created by this crypto map entry to 2700 seconds (45 minutes). The default is 3600 seconds (60 minutes). The command set security-association...

Tunnel Endpoint Discovery

Tunnel Endpoint Discovery (TED) is a Cisco feature that improves the scalability and availability of IPsec VPNs by extending the capabilities of dynamic crypto maps. As mentioned in the preceding section, Configuring Dynamic Crypto Maps, dynamic crypto maps greatly reduce your work by eliminating the configuration of specific IPsec peers. However, dynamic crypto maps (by default) are only receivers of IKE negotiation requests. That is, unlike regular crypto maps, they cannot initiate outbound...

Configuring IKE with RSA Signatures and Digital Certificates

IKE authentication with digital certificates uses RSA digital signatures and provides scalability for larger networks. As mentioned previously, digital certificates provide nonrepudiation through the service of a CA. Your organization might administer a CA server and act as the CA for all of the devices and people that belong to your organization. Also, you might be the CA for third parties (suppliers, partners, customers) that do business with your organization. With digital certificate...

Transform Sets

A transform set is a list of IPsec protocols and cryptographic algorithms that a peer can accept. Because IPsec allows for the use of different protocols and algorithms, a peer needs to declare and negotiate with other peers what it can support. Peers communicate the protocols and algorithms they support by exchanging transform sets. For two peers to communicate successfully, they must share a common transform set. If they do not, their attempt to establish a peering will fail and they will not...