Tuesday, October 16, 2012

How to Configure Site-to-Site IPSec VPN



This document describes how to configure a Site-to-Site IPsec VPN:

"What is VPN IPsec and how they work together"

IKE Phase 1: Define ISAKMP Policy and other Required Elements:
IKE Phase 1 is configured to authenticate the peers and build a secure tunnel over which the IKE Phase 2 (IPsec tunnel) parameters are exchanged for the VPN.

The required elements for IKE Phase 1 are set on both sites, and some of them must match on both sites:
Remote peer IP or Hostname (IKE Phase 1) – the IP address of the other site, or its hostname (Fully Qualified Domain Name). A hostname is also useful when your router gets its IP address from DHCP, because the IP then changes constantly.
Key distribution method – the level of protection of the key exchange, i.e. the Diffie-Hellman (DH) group (1, 2, 5, 7), an asymmetric algorithm.
Authentication method – a pre-shared key or a certificate on both sites that proves who you are.
Encryption Algorithm – once the asymmetric part (the DH public key exchange) is complete, the symmetric cipher used to encrypt the Phase 1 tunnel.
Hashing Algorithm – MD5 or SHA.
Lifetime – how long the Phase 1 tunnel lasts before it times out and must be renegotiated (86,400 seconds is the default).

Policy for both Routers of IKE Phase 1:
Encryption: AES 128
Hashing: SHA-1
Authentication: Pre-Shared
Protection: DH2
Lifetime: 86,400

IKE Phase 2: Define IPsec Policy and other Required Elements:
IKE Phase 2 focuses on establishing the secure IPsec tunnel used for data transfer. (Once Phase 1 is complete, a separate tunnel for the data is brought up using the keys derived in Phase 1.)

The required elements for IKE Phase 2 are set on both sites, and some of them must match on both sites:
Transform Set – sets the encryption (DES, 3DES, AES) and hashing (MD5, SHA) used for the data transfer tunnel.
Peer Information – the IP address of the other site (the same information as in Phase 1).
Interesting Traffic – an access-list that defines the traffic to be encrypted from one site to the other.

Policy for both Routers of IKE Phase 2 (IPsec tunnel):
Encryption – ESP-AES
Hashing – ESP-SHA-HMAC
 
About ISAKMP (Internet Security Association and Key Management Protocol) – this protocol, defined in RFC 2408, establishes Security Associations (SAs) and cryptographic keys in an Internet environment. ISAKMP only provides a framework for authentication and key exchange and is designed to be key-exchange independent; protocols such as IKE (Internet Key Exchange) and KINK (Kerberized Internet Negotiation of Keys) provide the authenticated keying material for use with ISAKMP. (Reference: http://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol)


Here I designed a simple topology for implementing the site-to-site IPsec VPN.

Step by Step Configuration of IKE Phase 1 and 2 For IPSec VPN:

IKE Phase 1 Configuration steps:
Step 1: Enable ISAKMP (must be enabled)
HQ(config)#crypto isakmp enable

Step 2: Create the ISAKMP Policy (configure the policy as your requirement)
HQ(config)#crypto isakmp policy 10   >> 10 is the priority; lower is preferred
HQ(config-isakmp)#encryption aes 128  >> AES with a 128-bit key
HQ(config-isakmp)#authentication pre-share  >> use a pre-shared key
HQ(config-isakmp)#group 2  >> DH group 2 (1024-bit modulus)
HQ(config-isakmp)#hash sha  >> SHA-1, 160-bit digest
HQ(config-isakmp)#lifetime 86400  >> default lifetime (seconds)

Step 3: Configure the ISAKMP Identity (may be address or hostname)
HQ(config)#crypto isakmp identity address

Step 4: Configure the Pre-Shared Key
HQ(config)#crypto isakmp key 0 cisco123 address 200.200.1.2  >> 0 means the key is entered unencrypted (plain text)

IKE Phase 2 Configuration steps:
Step 1: Create the transform set (set encryption and hashing for the data tunnel, i.e. IPsec)
HQ(config)#crypto ipsec transform-set site2site esp-aes 128 esp-sha-hmac

Note: tunnel mode is on by default. To use transport mode instead (used when the router itself is an endpoint of the protected traffic, e.g. within a LAN), enter it in the transform-set sub-mode:
HQ(config)#crypto ipsec transform-set site2site esp-aes 128 esp-sha-hmac
HQ(cfg-crypto-trans)#mode transport

Step 2: Configure the IPsec Lifetime (optional; may be in seconds or kilobytes)
HQ(config)#crypto ipsec security-association lifetime {seconds | kilobytes} <number>  >> configure as required (e.g. 86400 seconds), but be careful with voice networks

Step 3: Create the access-list (ACL) for interesting traffic (everything matched by it is encrypted)
HQ(config)#ip access-list extended hq2branch
HQ(config-ext-nacl)#permit ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255

Step 4: Set up the IPsec crypto map (the crypto map ties everything together)
HQ(config)#crypto map s2s_VPN 10 ipsec-isakmp  >> sequence number 10; only one crypto map can be applied per interface
HQ(config-crypto-map)#match address hq2branch  >> the ACL
HQ(config-crypto-map)#set peer 200.200.1.2
HQ(config-crypto-map)#set pfs group2  >> DH group 2 for the data tunnel (optional)
HQ(config-crypto-map)#set transform-set site2site

Apply on the interface:
HQ(config)#interface s0/0
HQ(config-if)#crypto map s2s_VPN

Note: configure the other site's router (Branch) the same way, changing only the peer and the ACL as required.
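Because the ISAKMP policy, transform set, peer addresses and interesting-traffic ACL have to agree across both routers, a small consistency check over the two running-configs catches most mismatches before you start reading debug output. This is an added example, not part of the original post: it parses trimmed copies of the HQ and Branch configs above (constructed inline) and also flags a constructed variant with a mistyped crypto-map peer address, which is one of the classic reasons Phase 1 never comes up.

```python
import re

def parse_crypto(cfg):
    """Pull out the fields two site-to-site peers must agree on from an IOS running-config."""
    policy = dict(re.findall(r"^ (encr|authentication|group|hash|lifetime) (.+)$", cfg, re.M))
    key = re.search(r"^crypto isakmp key (?:\d )?\S+ address (\S+)", cfg, re.M)
    tset = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)
    peer = re.search(r"^ set peer (\S+)", cfg, re.M)
    acl = re.search(r"^ permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M)
    return {"policy": policy,                        # defaults (hash sha, lifetime) are omitted by IOS
            "key_peer": key and key.group(1),        # peer the pre-shared key is bound to
            "transform": tset and tset.group(1).split(),
            "peer": peer and peer.group(1),          # peer the crypto map points at
            "acl": acl and (acl.group(1), acl.group(2))}

def check_pair(cfg_a, cfg_b):
    """Return the list of mismatches between two peers' crypto settings (empty = consistent)."""
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    problems = []
    if a["policy"] != b["policy"]:
        problems.append("ISAKMP policy (encr/auth/group/hash/lifetime) differs")
    if a["transform"] != b["transform"]:
        problems.append("transform-set differs")
    for name, p in (("A", a), ("B", b)):
        if p["peer"] != p["key_peer"]:   # the crypto-map peer must have a pre-shared key entry
            problems.append(f"{name}: set peer {p['peer']} has no pre-shared key (key is for {p['key_peer']})")
    if a["acl"] and b["acl"] and a["acl"] != (b["acl"][1], b["acl"][0]):
        problems.append("interesting-traffic ACLs are not mirror images")
    return problems

# Constructed sample: the Branch crypto lines from this post, trimmed to what the checker reads.
BRANCH = """crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 100.100.1.2
crypto ipsec transform-set site2site esp-aes esp-sha-hmac
crypto map s2s_VPN 10 ipsec-isakmp
 set peer 100.100.1.2
 set transform-set site2site
 match address branch2hq
ip access-list extended branch2hq
 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
"""
# HQ is the mirror image of Branch: its own peer address, ACL name and reversed ACL.
HQ = (BRANCH.replace("100.100.1.2", "200.200.1.2").replace("branch2hq", "hq2branch")
      .replace("192.168.10.0 0.0.0.255 172.16.10.0", "172.16.10.0 0.0.0.255 192.168.10.0"))
# Constructed fault: one digit mistyped in the crypto-map peer; check_pair reports it.
HQ_BAD_PEER = HQ.replace("set peer 200.200.1.2", "set peer 200.200.10.2")
```

Run check_pair(HQ, BRANCH) on the matching pair to get an empty list; check_pair(HQ_BAD_PEER, BRANCH) names the peer that has no pre-shared key, and swapping esp-sha-hmac for esp-md5-hmac on one side is reported as a transform-set difference.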

IPsec VPN Verification Command List (more details below):
HQ#show crypto isakmp policy
HQ#show crypto map 
HQ#show running-config | section crypto map
HQ#show crypto ipsec transform-set
HQ#show crypto isakmp sa
HQ#show crypto ipsec sa  

HQ#debug crypto ipsec
HQ#debug crypto isakmp
HQ#clear crypto sa  

IPsec VPN Verification Commands with More Details:

HQ#show crypto isakmp policy  >> view the ISAKMP policy that I created
HQ#show crypto map  >> view the crypto map
Before applying the "HQ(config-if)#crypto map s2s_VPN" command

After applying the "HQ(config-if)#crypto map s2s_VPN" command
HQ#show running-config | section crypto map  >> view only the crypto map section
HQ#show crypto ipsec transform-set
HQ#show crypto isakmp sa  >> show the IKE Phase 1 SA (Security Association)
View of IKE Phase 1 before any interesting traffic has passed through the tunnel
View of IKE Phase 1 after interesting traffic has passed through the tunnel
Note: the first time you may see no entry; once some traffic has passed through the tunnel you will see the entry (source and destination addresses, QM_IDLE – meaning the tunnel is established and ready to go, ACTIVE – meaning the tunnel is active).

HQ#show crypto ipsec sa  >> show the IKE Phase 2 SA (Security Association)
View of IKE Phase 2 before an IPsec session has been created
View of IKE Phase 2 after an IPsec session has been created
Note: if a mismatch is found in the marked fields above, something is wrong in the Phase 2 tunnel (crypto map, ACL, etc.).

HQ#debug crypto ipsec
HQ#debug crypto isakmp  >> show the messages of how the VPN is formed
HQ#clear crypto sa  >> clear the VPN sessions; turn on "debug crypto isakmp" before issuing "clear crypto sa" to see all the negotiation messages


Running configuration of all routers in the above topology (VPN):

Router HQ:
!
hostname HQ
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 200.200.1.2
no crypto isakmp ccm
!
crypto ipsec transform-set site2site esp-aes esp-sha-hmac
!
crypto map s2s_VPN 10 ipsec-isakmp
 set peer 200.200.1.2
 set transform-set site2site
 match address hq2branch
!
interface Serial0/0
 description "Connected to ISP"
 ip address 100.100.1.2 255.255.255.252
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map s2s_VPN
!
interface FastEthernet1/0
 description "Connected to HQ Inside Network"
 ip address 172.16.10.1 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip access-list extended hq2branch
 permit ip 172.16.10.0 0.0.0.255 192.168.10.0 0.0.0.255
!
end

Router Branch:
!
hostname Branch
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 100.100.1.2
no crypto isakmp ccm
!
crypto ipsec transform-set site2site esp-aes esp-sha-hmac
!
crypto map s2s_VPN 10 ipsec-isakmp
 set peer 100.100.1.2
 set transform-set site2site
 match address branch2hq
!
interface Serial0/1
 description "Connected to ISP"
 ip address 200.200.1.2 255.255.255.252
 serial restart-delay 0
 no dce-terminal-timing-enable
 crypto map s2s_VPN
!
interface FastEthernet1/0
 description "Connected to Branch Inside Network"
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1
!
ip access-list extended branch2hq
 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
!
end

Router ISP:
!
hostname ISP
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface Serial0/0
 description "Connected to HQ"
 ip address 100.100.1.1 255.255.255.252
 serial restart-delay 0
 clockrate 64000
 no dce-terminal-timing-enable
!
interface Serial0/1
 description "Connected to Branch"
 ip address 200.200.1.1 255.255.255.252
 serial restart-delay 0
 clockrate 64000
 no dce-terminal-timing-enable
!
no ip http server
no ip http secure-server
ip classless
ip route 100.100.1.0 255.255.255.252 Serial0/0
ip route 200.200.1.0 255.255.255.252 Serial0/1
!
end
