This document is about configuring a Site-to-Site IPsec VPN:
"What is VPN IPsec and how they work together"
IKE Phase 1: Define ISAKMP Policy and other Required Elements:
IKE Phase 1 is configured to authenticate the two peers and to build a secure tunnel over which IKE Phase 2 (the IPsec tunnel that carries the data over the VPN) is negotiated.
The required elements for IKE Phase 1 are configured on both sites, and some of them must match on both sites:
Remote peer IP or Hostname (IKE Phase 1) – the IP address of the other site, or a hostname (Fully Qualified Domain Name). A hostname is also useful if your router gets its IP address from DHCP, meaning your IP changes constantly.
Key distribution method – what level of key protection you use, e.g. the Diffie-Hellman (DH) groups 1, 2, 5, 7 (an asymmetric algorithm).
Authentication method – a pre-shared key or a certificate on both sites, to prove who you are.
Encryption Algorithm – once the asymmetric part (the DH public key exchange) is complete, the symmetric encryption used for the Phase 1 tunnel.
Hashing Algorithm – MD5 or SHA.
Lifetime – how long the Phase 1 security association lasts before it times out and is renegotiated (86,400 seconds is the default).
Policy for both Routers of IKE Phase 1:
Encryption: AES 128
Hashing: SHA-1
Authentication: Pre-Shared
Protection: DH2
Lifetime: 86,400
IKE Phase 2: Define IPsec Policy and other Required Elements:
IKE Phase 2 focuses on establishing the secure IPsec tunnel for data transfer. (Once Phase 1 is complete, a separate tunnel for data transfer is brought up using the keys derived in Phase 1.)
The required elements for IKE Phase 2 are configured on both sites, and some of them must match on both sites:
Transform Set – sets the encryption (DES, 3DES, AES) and hashing (MD5, SHA) used for the data-transfer tunnel.
Peer Information – the IP addresses of both sides (the same information as in Phase 1).
Interesting Traffic – an access list that selects the interesting traffic that must be encrypted from one site to the other.
Policy for both Routers of IKE Phase 2 (IPsec tunnel):
Encryption – ESP-AES
Hashing – ESP-SHA-HMAC
About ISAKMP (Internet Security Association and Key Management Protocol) – this protocol is defined by RFC 2408 for establishing Security Associations (SAs) and cryptographic keys in an Internet environment. ISAKMP only provides a framework for authentication and key exchange and is designed to be key-exchange independent; protocols such as IKE (Internet Key Exchange) and KINK (Kerberized Internet Negotiation of Keys) provide the authenticated keying material for use with ISAKMP. (Reference: http://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol)
Here I designed a simple topology for implementing a site-to-site IPsec VPN.
Step by Step Configuration of IKE Phase 1 and 2 for IPsec VPN:
IKE Phase 1 Configuration Steps:
Step 1: Enable ISAKMP (must be enabled):
HQ(config)#crypto isakmp enable
Step 2: Create ISAKMP Policy (Configure policy as your requirement)
HQ(config)#crypto isakmp policy 10 >> 10 is the priority; the lowest number is tried first.
HQ(config-isakmp)#encryption aes 128 >> AES with a 128-bit key
HQ(config-isakmp)#authentication pre-share >> use a pre-shared key
HQ(config-isakmp)#group 2 >> DH group 2 (1024-bit modulus)
HQ(config-isakmp)#hash sha >> SHA-1, 160-bit digest
HQ(config-isakmp)#lifetime 86400 >> default lifetime, in seconds
Step 3: Configure the ISAKMP identity (address or hostname)
HQ(config)#crypto isakmp identity address
Step 4: Configure the pre-shared key
HQ(config)#crypto isakmp key 0 cisco123 address 200.200.1.2 >> 0 means the key is entered in clear text (not encrypted)
IKE Phase 2 Configuration Steps:
Step 1: Create the transform set (sets encryption and hashing for the IPsec data tunnel)
HQ(config)#crypto ipsec transform-set site2site esp-aes 128 esp-sha-hmac
Note: HQ(config)#crypto ipsec transform-set site2site esp-aes 128 esp-sha-hmac
HQ(cfg-crypto-trans)#mode transport >> enables IPsec transport mode, used within a LAN environment; tunnel mode is on by default.
Step 2: Configure the IPsec lifetime (optional; may be in seconds or kilobytes)
HQ(config)#crypto ipsec security-association lifetime {seconds | kilobytes} <number> >> configure as required (e.g. 86400), but be careful on a voice network
Step 3: Create the access list (ACL) for interesting traffic (everything it matches is encrypted)
HQ(config)#ip access-list extended hq2branch
HQ(config-ext-nacl)#permit ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255
Step 4: Set up the IPsec crypto map (the crypto map ties everything together)
HQ(config)#crypto map s2s_VPN 10 ipsec-isakmp >> sequence 10; only one crypto map can be applied per interface
HQ(config-crypto-map)#match address hq2branch >> the ACL
HQ(config-crypto-map)#set peer 200.200.1.2
HQ(config-crypto-map)#set pfs group2 >> DH group 2 for the data tunnel (optional)
HQ(config-crypto-map)#set transform-set site2site
Apply on the interface:
HQ(config)#interface s0/0
HQ(config-if)#crypto map s2s_VPN
Note: Configure the other site's router (Branch) the same way, changing only the peer and the ACL as required.
IPsec VPN verification command list; for more details see below:
HQ#show crypto isakmp policy
HQ#show crypto map
HQ#show running-config | section crypto map
HQ#show crypto ipsec transform-set
HQ#show crypto isakmp sa
HQ#show crypto ipsec sa
HQ#debug crypto ipsec
HQ#debug crypto isakmp
HQ#clear crypto sa
IPsec VPN Verification Commands with More Details:
HQ#show crypto isakmp policy >> to view the ISAKMP policy that I created
HQ#show crypto map >> to view the crypto map
Before applying the "HQ(config-if)#crypto map s2s_VPN" command
After applying the "HQ(config-if)#crypto map s2s_VPN" command
HQ#show running-config | section crypto map >> to view only the crypto map section
HQ#show crypto ipsec transform-set
HQ#show crypto isakmp sa >> shows the IKE Phase 1 SA (Security Association), i.e. the Phase 1 tunnel
View of IKE Phase 1 without passing any (interesting) traffic through the tunnel
Note: the first time you may see no entry; once some traffic passes through the tunnel you will see the entry (destination and source addresses; QM_IDLE means the tunnel is established and good to go; ACTIVE means the tunnel is active).
HQ#show crypto ipsec sa >> shows the IPsec SA (Security Association), i.e. the IKE Phase 2 tunnel
View of IKE Phase 2 without an IPsec session having been created
Note: if any of the marked fields above do not match, something is wrong in the Phase 2 tunnel (crypto map, ACL, etc.).
HQ#debug crypto ipsec
HQ#debug crypto isakmp >> shows the messages exchanged as the VPN forms
HQ#clear crypto sa >> clears the VPN sessions; turn on debug crypto isakmp before issuing clear crypto sa to see all the messages as the tunnel rebuilds
Running configuration of all routers in the above topology (VPN):
Router HQ:
!
hostname HQ
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 200.200.1.2
no crypto isakmp ccm
!
crypto ipsec transform-set site2site esp-aes esp-sha-hmac
!
crypto map s2s_VPN 10 ipsec-isakmp
 set peer 200.200.1.2
 set transform-set site2site
 match address hq2branch
!
interface Serial0/0
 description "Connected to ISP"
 ip address 100.100.1.2 255.255.255.252
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map s2s_VPN
!
interface FastEthernet1/0
 description "Connected to HQ Inside Network"
 ip address 172.16.10.1 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip access-list extended hq2branch
 permit ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255
!
end
Router Branch:
!
hostname Branch
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 100.100.1.2
no crypto isakmp ccm
!
crypto ipsec transform-set site2site esp-aes esp-sha-hmac
!
crypto map s2s_VPN 10 ipsec-isakmp
 set peer 100.100.1.2
 set transform-set site2site
 match address branch2hq
!
interface Serial0/1
 description "Connected to ISP"
 ip address 200.200.1.2 255.255.255.252
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map s2s_VPN
!
interface FastEthernet1/0
 description "Connected to Branch Inside Network"
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1
!
ip access-list extended branch2hq
 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
!
end
Router ISP:
!
hostname ISP
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface Serial0/0
 description "Connected to HQ"
 ip address 100.100.1.1 255.255.255.252
 serial restart-delay 0
 clockrate 64000
 no dce-terminal-timing-enable
!
interface Serial0/1
 description "Connected to Branch"
 ip address 200.200.1.1 255.255.255.252
 serial restart-delay 0
 clockrate 64000
 no dce-terminal-timing-enable
!
no ip http server
no ip http secure-server
ip classless
ip route 100.100.1.0 255.255.255.252 Serial0/0
ip route 200.200.1.0 255.255.255.252 Serial0/1
!
end
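As an added check that is not part of the original post, the following Python script parses trimmed copies of the HQ and Branch running configurations above and reports anything the two peers must agree on but do not: the ISAKMP policy, the transform set, each side's set peer and isakmp key address against the other side's outside interface address, and whether the two interesting-traffic ACLs are mirror images. The config excerpts are constructed from the page; the function names are my own.

```python
# Constructed excerpts of the HQ and Branch running-configs shown on this page.
HQ = ("crypto isakmp policy 10\n encr aes\n authentication pre-share\n group 2\n"
      "crypto isakmp key cisco123 address 200.200.1.2\n"
      "crypto ipsec transform-set site2site esp-aes esp-sha-hmac\n"
      "crypto map s2s_VPN 10 ipsec-isakmp\n set peer 200.200.1.2\n match address hq2branch\n"
      "interface Serial0/0\n ip address 100.100.1.2 255.255.255.252\n crypto map s2s_VPN\n"
      "ip access-list extended hq2branch\n permit ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255\n")
BRANCH = ("crypto isakmp policy 10\n encr aes\n authentication pre-share\n group 2\n"
          "crypto isakmp key cisco123 address 100.100.1.2\n"
          "crypto ipsec transform-set site2site esp-aes esp-sha-hmac\n"
          "crypto map s2s_VPN 10 ipsec-isakmp\n set peer 100.100.1.2\n match address branch2hq\n"
          "interface Serial0/1\n ip address 200.200.1.2 255.255.255.252\n crypto map s2s_VPN\n"
          "ip access-list extended branch2hq\n permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255\n")

def parse(cfg):
    # Collect the few fields of an IOS config that the two IPsec peers must agree on.
    d, section, cur_ip = {"policy": set(), "acls": {}}, None, None
    for line in cfg.splitlines():
        words = line.split()
        if not line.startswith(" "):                  # top-level command starts a new section
            section = line
            if line.startswith("crypto isakmp key"):
                d["key_peer"] = words[-1]             # address the pre-shared key is bound to
            elif line.startswith("crypto ipsec transform-set"):
                d["transform"] = " ".join(words[4:])  # Phase 2 proposal (esp-aes esp-sha-hmac)
            continue
        key = " ".join(words[:2])
        if section.startswith("crypto isakmp policy"):
            d["policy"].add(" ".join(words))          # Phase 1 proposal, order-independent
        elif key in ("set peer", "match address"):
            d[key] = words[2]
        elif key == "ip address":
            cur_ip = words[2]                         # kept until 'crypto map' follows in the interface
        elif key == "crypto map":
            d["outside_ip"] = cur_ip                  # interface the crypto map is applied to
        elif key == "permit ip":
            d["acls"].setdefault(section.split()[-1], []).append(tuple(words[2:]))
    return d

def mirror_problems(cfg_a, cfg_b):
    # Return the mismatches that would keep Phase 1 or Phase 2 from negotiating.
    a, b = parse(cfg_a), parse(cfg_b)
    problems = [f"{f} differs" for f in ("policy", "transform") if a[f] != b[f]]
    for me, other in ((a, b), (b, a)):                # each side must point at the other's outside IP
        if me["set peer"] != other["outside_ip"] or me["key_peer"] != other["outside_ip"]:
            problems.append(f"peer {me['set peer']}/key {me['key_peer']} is not {other['outside_ip']}")
    mirrored = sorted((d, dm, s, sm) for s, sm, d, dm in b["acls"][b["match address"]])
    if sorted(a["acls"][a["match address"]]) != mirrored:
        problems.append("interesting-traffic ACLs are not mirror images")
    return problems
```

mirror_problems(HQ, BRANCH) returns an empty list for the configs above; feeding it the Step 4 typo from earlier on this page (set peer 200.200.10.2 instead of 200.200.1.2) yields one peer-address mismatch.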