Figure 5-20 IPSec Tunnel Between R1 and R2 with Mirrored ACLs (figure; only the labels survive extraction)

IKE peers R1 and R2 on the 131.108.255.0/24 serial link; IKE protocol negotiates the IPSec tunnel between them.

R1 side, 131.108.100.0/24: access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255

R2 side, 131.108.200.0/24: access-list 100 permit ip 131.108.200.0 0.0.0.255 131.108.100.0 0.0.0.255

To start, configure IKE on Router R1. Example 5-15 displays the IKE configuration on R1. Remember that IKE policies define a set of parameters to be used during IKE negotiation.

Example 5-15 R1 IKE Configuration

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key CCIE address 131.108.255.2

R1 is configured to use the MD5 hash algorithm, and the authentication method is defined as pre-shared. The pre-shared key value (password) is CCIE, and the remote IPSec peer's address is 131.108.255.2 (R2's serial link to R1 in Figure 5-20).

Pre-shared Keys Versus Manual Keys

The example shown here uses pre-shared keys, with IKE negotiating all SA parameters. You can also configure IPSec not to use IKE; this is referred to as manual IPSec or manual keys. Cisco strongly recommends that you use IKE (with pre-shared keys, for example), because with manual keys it is very difficult to ensure that all SA parameters match between remote peers. The Diffie-Hellman exchange that IKE performs is a more secure method of generating the secret keys shared between peers. Manual keys are exposed to any intruder or unauthorized party who gains access to the Cisco configuration files. Another major disadvantage of manual keys is that the SAs established with the IOS crypto map command never expire.

Following the IKE configuration, you can configure IPSec parameters. Example 5-16 enables the IPSec configuration parameters.

Example 5-16 IPSec Configuration

crypto ipsec transform-set anyname esp-des esp-sha-hmac
 mode transport
crypto map anyname1 1 ipsec-isakmp
 set peer 131.108.255.2
 set security-association lifetime seconds 180
 set transform-set anyname
 match address 100
access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255

The transform-set command defines an acceptable combination of security protocols and algorithms. This example applies ESP-DES (ESP with the 56-bit DES encryption algorithm) and ESP with the SHA (HMAC variant) authentication algorithm. The IPSec peer address is defined, and access list 100 defines what traffic will be encrypted. In Figure 5-20, only IP traffic sourced from 131.108.100.0/24 and destined for 131.108.200.0/24 is sent across the IPSec tunnel.

Example 5-17 displays the configuration on R2.

Example 5-17 R2 IKE and IPSec Configuration


! IKE configuration
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key CCIE address 131.108.255.1
!
crypto ipsec transform-set anyname esp-des esp-sha-hmac
 mode transport
! IPSec configuration
crypto map anyname1 1 ipsec-isakmp
 set peer 131.108.255.1
 set security-association lifetime seconds 180
 set transform-set anyname
 match address 100
! Access list defines traffic to be encrypted
access-list 100 permit ip 131.108.200.0 0.0.0.255 131.108.100.0 0.0.0.255

Notice that the routers have mirrored access lists. This ensures that when encrypted data is received from a source, such as R1, the corresponding IPSec peer router, R2, enables encryption in the reverse direction. For example, when traffic from the network 131.108.100.0/24 behind Router R1 is sent to R2's Ethernet network, the IP subnet 131.108.200.0/24, R2 must have a corresponding ACL permitting traffic from its locally connected Ethernet segment, 131.108.200.0/24, to the remote network behind R1, 131.108.100.0/24.

This is referred to as mirrored access lists.

Example 5-17 configures R2 to peer with R1 and to encrypt only traffic sourced from 131.108.200.0/24 and destined for R1's Ethernet network, 131.108.100.0/24. The crypto map name defined on R2 is anyname1.

Finally, you must apply the crypto map defined in Example 5-16 to the interface. The defined crypto map name is anyname1, so that is the name applied. The IOS interface command that applies a crypto map is as follows:

crypto map anyname1

Example 5-18 assigns the crypto map anyname1 to interface Serial 0/0 on both R1 and R2.

Example 5-18 Serial Links and crypto map on R1/R2

hostname R1
!
interface Serial0/0
 ip address 131.108.255.1 255.255.255.252
 crypto map anyname1
!
hostname R2
!
interface Serial0/0
 ip address 131.108.255.2 255.255.255.252
 crypto map anyname1
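The points this configuration walkthrough stresses (matching IKE policy parameters, a pre-shared key defined for the other peer's serial address, identical transform sets, the crypto map applied to an interface, and mirrored crypto ACLs) are exactly the things that go wrong when one side is edited by hand. The following Python script is an added example, not code from the book or from Cisco: it parses the R1 and R2 configurations built up in Examples 5-15 through 5-18 and reports any mismatch between the two peers. The sample configurations are constructed from those examples, and the parser handles only the command forms that appear on this page (in particular, only access-list entries of the form `permit ip SRC WILDCARD DST WILDCARD`).

```python
# Constructed sample input: R1 and R2 as built up in Examples 5-15 through 5-18.
R1_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key CCIE address 131.108.255.2
crypto ipsec transform-set anyname esp-des esp-sha-hmac
 mode transport
crypto map anyname1 1 ipsec-isakmp
 set peer 131.108.255.2
 set security-association lifetime seconds 180
 set transform-set anyname
 match address 100
access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255
interface Serial0/0
 ip address 131.108.255.1 255.255.255.252
 crypto map anyname1
"""
R2_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key CCIE address 131.108.255.1
crypto ipsec transform-set anyname esp-des esp-sha-hmac
 mode transport
crypto map anyname1 1 ipsec-isakmp
 set peer 131.108.255.1
 set security-association lifetime seconds 180
 set transform-set anyname
 match address 100
access-list 100 permit ip 131.108.200.0 0.0.0.255 131.108.100.0 0.0.0.255
interface Serial0/0
 ip address 131.108.255.2 255.255.255.252
 crypto map anyname1
"""

def parse_crypto_config(text):
    """Pull the IKE/IPSec-relevant blocks out of an IOS configuration (only the forms on this page)."""
    cfg = {"isakmp": {}, "keys": {}, "tsets": {}, "maps": {}, "acls": {}, "ifaces": {}}
    ctx = None  # (table, key) of the block whose indented sub-commands follow
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":                      # blank or comment line closes the open block
            ctx = None
        elif line.startswith(" ") and ctx:            # indented sub-command of the open block
            entry = cfg[ctx[0]][ctx[1]]
            if w[:2] == ["set", "security-association"]:          # set security-association lifetime seconds N
                entry["lifetime " + w[3]] = int(w[4])
            elif w[0] in ("set", "match"):                        # set peer X, set transform-set X, match address ACL
                entry[w[1]] = w[2]
            elif w[:2] in (["crypto", "map"], ["ip", "address"]):  # interface sub-commands
                entry[" ".join(w[:2])] = w[2]
            else:                                                 # hash md5, authentication pre-share, mode transport
                entry[w[0]] = " ".join(w[1:])
        else:
            ctx = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                ctx, cfg["isakmp"][w[3]] = ("isakmp", w[3]), {}
            elif w[:3] == ["crypto", "isakmp", "key"]:            # crypto isakmp key KEY address PEER
                cfg["keys"][w[5]] = w[3]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                ctx, cfg["tsets"][w[3]] = ("tsets", w[3]), {"transforms": " ".join(w[4:])}
            elif w[:2] == ["crypto", "map"]:
                ctx, cfg["maps"][w[2]] = ("maps", w[2]), {"seq": w[3]}
            elif w[0] == "access-list":                           # access-list ID permit ip SRC WC DST WC
                cfg["acls"].setdefault(w[1], []).append(tuple(w[2:]))
            elif w[0] == "interface":
                ctx, cfg["ifaces"][w[1]] = ("ifaces", w[1]), {}
    return cfg

def check_peers(local, remote):
    """Return mismatches seen from local towards remote; an empty list means consistent."""
    problems = []
    for seq, pol in local["isakmp"].items():                  # IKE policy parameters must agree
        if remote["isakmp"].get(seq) != pol:
            problems.append(f"isakmp policy {seq} differs: {pol} vs {remote['isakmp'].get(seq)}")
    applied = {v["crypto map"]: v.get("ip address") for v in local["ifaces"].values() if "crypto map" in v}
    for name, cmap in local["maps"].items():
        peer, my_ip = cmap.get("peer"), applied.get(name)
        back = [m for m in remote["maps"].values() if m.get("peer") == my_ip]
        if my_ip is None or not back:
            problems.append(f"{name}: not applied to an interface, or no remote crypto map peers back at {my_ip}")
            continue
        rmap = back[0]
        if local["keys"].get(peer) is None or local["keys"].get(peer) != remote["keys"].get(my_ip):
            problems.append(f"{name}: pre-shared keys for {peer} and {my_ip} do not match")
        if local["tsets"].get(cmap.get("transform-set")) != remote["tsets"].get(rmap.get("transform-set")):
            problems.append(f"{name}: transform sets differ between the peers")
        for ace in local["acls"].get(cmap.get("address"), []):  # every ACE needs its mirror image on the remote side
            if ace[:2] + ace[4:6] + ace[2:4] not in remote["acls"].get(rmap.get("address"), []):
                problems.append(f"{name}: no mirrored ACE on the remote peer for '{' '.join(ace)}'")
    return problems

def audit(r1_text, r2_text):
    r1, r2 = parse_crypto_config(r1_text), parse_crypto_config(r2_text)
    return [f"R1->R2: {p}" for p in check_peers(r1, r2)] + [f"R2->R1: {p}" for p in check_peers(r2, r1)]

if __name__ == "__main__":
    print(audit(R1_CONFIG, R2_CONFIG) or ["R1 and R2 are consistent"])
```

The check is run in both directions because a missing mirror ACE is only visible from the side that has the original entry. SA lifetimes are deliberately not compared: peers negotiate the shorter of the two, so a difference there is a tuning question rather than a failure.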

To display the status of all crypto engine active connections, use the IOS command show crypto engine connections active.

Example 5-19 displays the current active crypto engines on R1.

Example 5-19 show crypto engine connections active on R1

R1#show crypto engine connections active
ID  Interface   IP-Address     State  Algorithm            Encrypt  Decrypt
 1  Serial0/0   131.108.255.1  set    HMAC_MD5+DES_56_CB         5        5

R1 has an IPSec peer connection to R2, through the Serial0/0 interface (131.108.255.1). The algorithm in use is defined and displayed, as well.

To view the crypto map configuration from the privileged EXEC prompt, use the IOS command show crypto map.

Example 5-20 displays the configuration present on R1.

Example 5-20 show crypto map on R1

R1#show crypto map
Crypto Map "anyname1" 1 ipsec-isakmp
        Peer = 131.108.255.2
        Extended IP access list 100
            access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255
        Current peer: 131.108.255.2
        Security association lifetime: 4608000 kilobytes/180 seconds
        PFS (Y/N): N
        Transform sets={ anyname, }
        Interfaces using crypto map anyname1:
                Serial0/0

Example 5-20 shows that the crypto map named anyname1 is peered to a remote router, 131.108.255.2, and that access list 100 defines what traffic will be encrypted across the tunnel.
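Reading show crypto map by eye works for one router; for a fleet it is worth parsing. The following Python script is an added example, not code from the book or from Cisco: it turns the show crypto map output of Example 5-20 into a structure, confirms the entry points at the intended peer, has crypto ACL entries and is applied to an interface, and then flags the two settings visible in this example that a reviewer would question: PFS is off (the IPSec keys are derived from the IKE SA's secret rather than from a fresh Diffie-Hellman exchange) and the transform set uses single 56-bit DES. The output text and the transform-set table are constructed from Examples 5-16 and 5-20; the WEAK_TRANSFORMS set is my own choice and is an assumption, not an IOS list.

```python
import re

# Constructed sample input: the show crypto map output from Example 5-20 on R1.
SHOW_CRYPTO_MAP = """\
R1#show crypto map
Crypto Map "anyname1" 1 ipsec-isakmp
        Peer = 131.108.255.2
        Extended IP access list 100
            access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255
        Current peer: 131.108.255.2
        Security association lifetime: 4608000 kilobytes/180 seconds
        PFS (Y/N): N
        Transform sets={ anyname, }
        Interfaces using crypto map anyname1:
                Serial0/0
"""

# Constructed: the transform sets from the running configuration (Example 5-16), by name.
TRANSFORM_SETS = {"anyname": "esp-des esp-sha-hmac"}

# Assumption (reviewer's choice, not an IOS list): transforms worth flagging.
# esp-des is single DES with a 56-bit key; esp-null provides no confidentiality at all.
WEAK_TRANSFORMS = {"esp-des", "esp-null"}

def parse_show_crypto_map(text):
    """Turn the output of show crypto map into one dict per crypto map entry."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r'Crypto Map "(\S+)" (\d+) (\S+)', s)
        if m:
            cur = {"name": m[1], "seq": int(m[2]), "type": m[3], "peers": [],
                   "aces": [], "transform_sets": [], "interfaces": []}
            entries.append(cur)
        elif cur is None:                       # prompt or other text before the first entry
            continue
        elif s.startswith("Peer = "):
            cur["peers"].append(s.split(" = ")[1])
        elif s.startswith("access-list "):
            cur["aces"].append(s)
        elif s.startswith("Current peer: "):
            cur["current_peer"] = s.split(": ")[1]
        elif s.startswith("Security association lifetime: "):
            kb, sec = re.search(r"(\d+) kilobytes/(\d+) seconds", s).groups()
            cur["lifetime_kb"], cur["lifetime_sec"] = int(kb), int(sec)
        elif s.startswith("PFS (Y/N): "):
            cur["pfs"] = s.endswith("Y")
        elif s.startswith("Transform sets="):
            inner = s[s.index("{") + 1:s.index("}")]
            cur["transform_sets"] = [t.strip() for t in inner.split(",") if t.strip()]
        elif re.fullmatch(r"[A-Za-z-]+\d+(/\d+)*(\.\d+)?", s):   # interface names such as Serial0/0
            cur["interfaces"].append(s)
    return entries

def review_entry(entry, expected_peer, transform_sets):
    """Compare a live crypto map entry with the intended peer and flag weak settings."""
    findings = []
    if entry.get("current_peer") != expected_peer:
        findings.append(f"current peer is {entry.get('current_peer')}, expected {expected_peer}")
    if not entry["aces"]:
        findings.append("no crypto ACL entries: nothing will be encrypted")
    if not entry["interfaces"]:
        findings.append("crypto map is not applied to any interface")
    if not entry.get("pfs", False):
        findings.append("PFS is off: IPSec keys derive from the IKE SA secret, not a fresh DH exchange")
    for ts in entry["transform_sets"]:
        weak = sorted(set(transform_sets.get(ts, "").split()) & WEAK_TRANSFORMS)
        if weak:
            findings.append(f"transform set {ts} uses weak transforms: {', '.join(weak)}")
    return findings

if __name__ == "__main__":
    for e in parse_show_crypto_map(SHOW_CRYPTO_MAP):
        print(e["name"], review_entry(e, "131.108.255.2", TRANSFORM_SETS))
```

Run against the page's output, the entry parses cleanly and the review returns two findings (PFS off, esp-des), which is the expected result for this textbook configuration rather than a fault in the parse.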

IPSec is a large field, and to define every possible scenario would require a book in itself. What is presented here in this guide is a conceptual overview of IPSec and a common configuration example.

For more extensive details, visit www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm.

For the written exam, expect to see scenarios of the variant presented in Figure 5-20 and questions on terminology and the main characteristics of IPSec.

NOTE IPSec can also be supported over the Cisco software tunnel interface. Typically, the tunnel (an IP tunnel such as GRE) can be configured to carry non-IP traffic by applying a crypto map to the tunnel interface together with a crypto access list.

Table 5-9 defines some key configuration show and debug IPSec commands available on Cisco IOS routers.

Table 5-9 IOS IPSec Configuration, Show, and Debug Commands


Command, followed by its description:

crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name] [discover]
    Creates a crypto map entry.

crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
    Defines a transform set, an acceptable combination of security protocols and algorithms.

match address [access-list-id | name]
    Names the access list that selects the traffic to protect; this command is required for all static crypto map entries.

crypto dynamic-map dynamic-map-name dynamic-seq-num
    Creates a dynamic crypto map, a policy template used when processing negotiation requests for new SAs from a remote IP Security peer, even if you do not know all the crypto map parameters.

crypto ca authenticate name
    Required when you initially configure CA support on your router.

crypto ca identity name
    Declares a CA.

crypto isakmp enable
    Globally enables Internet Key Exchange (IKE) on your peer router.

show crypto engine connections active
    Displays the active Phase 2 SAs and the packets encrypted and decrypted on each.

authentication {rsa-sig | rsa-encr | pre-share}
    Specifies the authentication method within an IKE policy.

show crypto ipsec sa
    Displays the settings used by the current IPSec SAs.

show crypto map
    Displays the crypto map configuration.

show crypto isakmp sa
    Displays all current IKE SAs at a peer.

debug crypto engine
    Displays debug messages about the crypto engines, which perform encryption and decryption.

debug crypto ipsec
    Displays IPSec events.

debug crypto pki messages
    Displays debug messages for the details of the interaction (message dump) between the CA and the router.

NOTE A number of PC-based applications are available to the public that provide application-layer encryption.

An excellent e-mail encryption application is a product called Pretty Good Privacy (PGP).

Designed and freely available on the Internet (www.pgp.com/), PGP allows users to authenticate files and e-mail text, so that only the intended recipient is able to decrypt the message. Users who send and receive encrypted data exchange keys. With encrypted data, the remote user's key is used to encrypt the clear-text data or files. This ensures that the data is authenticated and not forged.

Microsoft Outlook 2000 supports PGP and allows the client to encrypt and decrypt data using the pre-shared private keys.
