Cisco Ios Ipsec Configuration

To enable IPSec between Cisco IOS routers, the following steps are required:

Step 1 Enable ISAKMP with the IOS command crypto isakmp enable.

This step globally enables or disables ISAKMP at your peer router.

ISAKMP is enabled by default (optionally, define what interesting traffic will be encrypted using defined access lists).

Step 2 Define an ISAKMP policy, a set of parameters used during ISAKMP negotiation:

crypto isakmp policy priority You will enter config-isakmp command mode.

Options available include the following:


authentication {rsa-sig I rsa-encr I pre-share} default encryption {des}

exit group hash {md5 I sha} lifetime seconds no

This command invokes the Internet Security Association Key Management Protocol policy configuration (config-isakmp) command mode. While in the ISAKMP policy configuration command mode, the following commands are available to specify the parameters in the policy:

— Encryption (IKE policy)—The default is 56-bit DES-CBC. To specify the encryption algorithm within an Internet Key Exchange policy, options are des or 3des.

— Hash (IKE policy)—The default is SHA-1. To specify the hash algorithm within an Internet Key Exchange policy, options are sha, which specifies SHA-1 (HMAC variant) as the hash algorithm, or md5, which specifies MD5 (HMAC variant) as the hash algorithm.

— Authentication (IKE policy)—The default is RSA signatures. To specify the authentication method within an Internet Key Exchange policy, options are rsa-sig, which specifies RSA signatures as the authentication method, rsa-encr, which specifies RSA encrypted as the authentication method, or pre-share, which specifies pre-shared keys as the authentication method.

— Group {112}—The default is 768-bit Diffie-Hellman. To specify the Diffie-Hellman group identifier within an Internet Key Exchange policy, options are 1, which specifies the 768-bit Diffie-Hellman group, or 2, which specifies the 1024-bit Diffie-Hellman group.

— Lifetime (IKE policy)—The default is 86,400 seconds (once a day). To specify the lifetime of an Internet Key Exchange security association (SA), use the Lifetime Internet Security Association Key Management Protocol policy configuration command. If two IPSec peers share different lifetime values, the chosen value is the shortest lifetime.

Step 3 Set the ISAKMP identity (can be IP address or host name based).

crypto isakmp identity {address I hostname}

Step 4 Define transform sets.

A transform set represents a combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

To define a transform set, use the following commands starting in global configuration mode:

crypto ipsec transform-set transform-set-name transforml [transform2 [transform3]]

This command puts you into the crypto transform configuration mode. Then define the mode associated with the transform set.

Router(cfg-crypto-tran)# mode [tunnel I transport]

Step 5 Define crypto maps. Crypto maps tie the IPSec policies and SAs together.

crypto map name seq method [dynamic dynamic-map-name]

NOTE Crypto map entries created for IPSec pull together the various parts used to set up IPSec SAs, including the following:

• Which traffic should be protected by IPSec (per a crypto access list)

• The granularity of the flow to be protected by a set of SAs

• Where IPSec-protected traffic should be sent (who the remote IPSec peer is)

• The local address to be used for the IPSec traffic

• What IPSec security should be applied to this traffic

• Whether SAs are manually established or are established through IKE

• Other parameters that might be necessary to define an IPSec SA

A dynamic crypto map entry is essentially a crypto map entry without all the parameters configured. It acts as a policy template where the missing parameters are later dynamically configured (as the result of an IPSec negotiation) to match a remote peer's requirements. This allows remote peers to exchange IPSec traffic with the router even if the router does not have a crypto map entry specifically configured to meet all the remote peer's requirements. Dynamic crypto maps are typically used to ensure security between a dialup IPSec client and Cisco IOS router, for example.

The following typical configuration scenario illustrates the IPSec configuration tasks with a two-router network. Figure 5-20 displays two routers configured with the networks and, respectively. Suppose the Frame relay cloud is an unsecured network and you want to enable IPSec between the two routers, R1 and R2.

The network administrator has decided to define the following ISAKMP parameters:

• Authentication will be pre-share

• The shared key phrase is CCIE

• IPSec mode is transport mode

Figure 5-20 Typical IPSec Topology Between Two Remote Routers

IKE Peers

Host A

Host A

0 0

Post a comment