09 August 2010

Constructing an IPsec Site-to-Site VPN

The Five Steps in the Life of an IPsec Site-to-Site VPN

The process of establishing, maintaining, and tearing down an IPsec VPN has five primary steps. These steps are illustrated in Figure 1 and described in the table that follows.

Figure 1  IPsec VPN Steps

Table: Establishing, Maintaining, and Tearing Down an IPsec Site-to-Site VPN

An IPsec site-to-site VPN can be configured by using IOS commands issued from a router’s CLI or by using the graphical SDM interface. The CLI approach to configuring an IPsec site-to-site VPN involves five primary steps, as described in the table that follows.

Configuring an IKE Phase 1 Tunnel

To illustrate the CLI configuration of an IPsec site-to-site VPN, consider a scenario using the topology shown in the following figure. The goal of this scenario is to allow all IP traffic to securely flow between network 10.1.1.0/24 (connected to Router1) and network 192.168.0.0/24 (connected to Router2).

To begin the configuration, you specify the ISAKMP parameters. Example 1 shows this initial configuration for Router1, and Example 2 provides the configuration for Router2.

Example 1:

R1# conf t
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# hash sha
R1(config-isakmp)# encryption aes 128
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
R1(config-isakmp)# exit
R1(config)# crypto isakmp key aloha01 address 172.30.2.2
R1(config)# end
R1#

Example 2:

R2# conf t
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# hash sha
R2(config-isakmp)# encryption aes 128
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config-isakmp)# exit
R2(config)# crypto isakmp key aloha01 address 172.30.2.1
R2(config)# exit
R2#

In the preceding examples, the crypto isakmp policy 1 command is used to enter ISAKMP configuration mode. From within this mode, the authentication pre-share command specifies that preshared keys are to be used for authentication. The hash sha command specifies that Secure Hash Algorithm (SHA) will be used as the hashing algorithm for the ISAKMP Security Association (SA). The encryption aes 128 command causes 128-bit Advanced Encryption Standard (AES) encryption to be used. The group 2 command specifies that Diffie-Hellman Group 2 be used for the secure exchange of shared keys. Finally, in this configuration mode, the lifetime of the SA is set to one day (86,400 seconds) with the lifetime 86400 command. Then, in global configuration mode, the crypto isakmp key aloha01 address peer-IP-address command sets the shared key to aloha01 when communicating with the other router (that is, the peer IP address). For IKE Phase 1 to succeed, the two peers must have at least one ISAKMP policy in common (the same encryption, hash, authentication method, and Diffie-Hellman group) and must hold the same pre-shared key for each other's address; the lifetime is negotiated, and the shorter of the two values is used. Because SHA and a lifetime of 86,400 seconds are the IOS defaults, those two lines do not appear in the saved R1.cfg and R2.cfg listed at the end of this post, and encryption aes 128 is shown there as encr aes.

Configuring an IKE Phase 2 Tunnel

Recall that an IKE Phase 2 tunnel (an IPsec tunnel) is negotiated and set up within the protection of an IKE Phase 1 tunnel (an ISAKMP tunnel). Now that you have seen how to configure an IKE Phase 1 tunnel, examine Examples 3 and 4. They show the syntax to configure an IKE Phase 2 tunnel, building on the topology shown in the figure above.

Example 3:

R1# conf t
R1(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)# exit
R1(config)# access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
R1(config)# crypto map R1toR2 10 ipsec-isakmp
R1(config-crypto-map)# set peer 172.30.2.2
R1(config-crypto-map)# match address 101
R1(config-crypto-map)# set transform-set MYSET
R1(config-crypto-map)# exit
R1(config)# exit
R1#


Example 4:

R2# conf t
R2(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
R2(cfg-crypto-trans)# exit
R2(config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
R2(config)# crypto map R2toR1 10 ipsec-isakmp
R2(config-crypto-map)# set peer 172.30.2.1
R2(config-crypto-map)# match address 101
R2(config-crypto-map)# set transform-set MYSET
R2(config-crypto-map)# end
R2#


In Examples 3 and 4, a transform set named MYSET is created with the crypto ipsec transform-set MYSET esp-aes esp-sha-hmac command. The esp-aes parameter specifies the encryption algorithm to be used, and the esp-sha-hmac parameter specifies the hashing algorithm (that is, the integrity algorithm) to be used. Like the ISAKMP policy, the transform set must match on both peers. Each example then contains an ACL numbered 101, which specifies what traffic the IPsec tunnel will protect; the 0.0.0.255 values are wildcard masks, in which a 1 bit means "do not care", so each entry matches a whole /24 network. Notice that the two ACLs are mirror images of each other (Router1 permits 10.1.1.0/24 to 192.168.0.0/24, and Router2 permits 192.168.0.0/24 to 10.1.1.0/24), as they must be, because each router uses its crypto ACL both to select outbound traffic for encryption and to check the inbound traffic it decrypts. By combining these examples, you can see that this scenario configures Router1 and Router2 to protect all IP traffic traveling between the 10.1.1.0/24 network and the 192.168.0.0/24 network. Next, a crypto map is created with the crypto map crypto-map-name 10 ipsec-isakmp command. In crypto map configuration mode, the set peer peer-IP-address command specifies the IP address of the IPsec peer (that is, the IP address of the other router). The match address 101 command associates the previously created ACL 101 with the crypto map, and the MYSET transform set is linked with the crypto map using the set transform-set MYSET command.


Applying Crypto Maps

A crypto map needs to be applied to an interface for an IPsec tunnel to be set up. Continuing with the current scenario, examine Examples 5 and 6. They illustrate the application of the R1toR2 crypto map to Router1 and the application of the R2toR1 crypto map to Router2.

Example 5:

R1# conf t
R1(config)# interface serial 1/0
R1(config-if)# crypto map R1toR2
R1(config-if)# exit
R1(config)# ip route 192.168.0.0 255.255.255.0 172.30.2.2
R1(config)# end
R1#

Example 6:

R2# conf t
R2(config)# interface serial 1/0
R2(config-if)# crypto map R2toR1
R2(config-if)# exit
R2(config)# ip route 10.1.1.0 255.255.255.0 172.30.2.1
R2(config)# end
R2#


In the preceding examples, notice that you enter interface configuration mode to apply a crypto map. Then you issue the crypto map crypto-map-name command to apply the previously configured crypto map. Also notice that Examples 5 and 6 each have an ip route command. This command is used to create a static route, pointing to the remote network available off the far-end router. The route matters for the VPN as well as for plain reachability: a crypto map acts only on traffic that is routed out the interface it is applied to and that matches the crypto ACL, so without a route toward the remote LAN via Serial 1/0 the packets would never reach the crypto map.
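The ISAKMP policy and pre-shared key, the transform set and crypto ACL, and the crypto map described in the last three sections only produce a working tunnel when both routers' settings agree. The script below is an added example, not code from the original post or from the CCNA Security guide: it parses the crypto-relevant lines of the R1.cfg and R2.cfg listings at the end of this post (copied into the script as string constants) and reports the asymmetries that most often stop IKE Phase 1 or Phase 2 from completing, namely a policy mismatch, a pre-shared key mismatch, an unequal transform set, or crypto ACLs that are not mirror images. It also implements IOS wildcard-mask matching, so it can answer whether a given source and destination pair is "interesting traffic" for the tunnel. Only the command forms used on this page are understood; the default values it fills in for omitted ISAKMP policy lines are the IOS defaults, and the key comparison assumes a two-router scenario with one pre-shared key per side.

```python
"""Consistency check for a two-router Cisco IOS IPsec site-to-site VPN.
Added example (not from the original post or the CCNA Security guide): parse the
crypto-relevant lines of both routers' configs and report the asymmetries that most
often keep a tunnel down. Only the command forms seen on this page are handled.
"""
import ipaddress

# Values IOS assumes for an ISAKMP policy line that is omitted from the config.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}

# Crypto-relevant lines copied from the R1.cfg and R2.cfg listings on this page.
R1_CFG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key aloha01 address 172.30.2.2
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto map R1toR2 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set MYSET
 match address 101
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
R2_CFG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key aloha01 address 172.30.2.1
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto map R2toR1 10 ipsec-isakmp
 set peer 172.30.2.1
 set transform-set MYSET
 match address 101
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

def parse_crypto(cfg):
    """Collect the parts of one router's config that must agree with its IPsec peer."""
    c = {"policy": {}, "key": {}, "tset": {}, "map": {}, "acl": {}}
    block = None
    for line in cfg.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if not line.startswith(" "):                   # unindented: a new top-level command
            block = None
            if t[:3] == ["crypto", "isakmp", "policy"]:
                block = ("policy", t[3])
                c["policy"][t[3]] = dict(ISAKMP_DEFAULTS)
            elif t[:3] == ["crypto", "isakmp", "key"]:
                c["key"][t[5]] = t[3]                  # peer address -> pre-shared key
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                c["tset"][t[3]] = frozenset(t[4:])
            elif t[:2] == ["crypto", "map"]:
                block = ("map", t[2])
                c["map"][t[2]] = {}
            elif t[0] == "access-list" and t[2] == "permit":
                c["acl"].setdefault(t[1], []).append(tuple(t[3:8]))  # proto src wc dst wc
        elif block and block[0] == "policy":
            k, v = ("encr" if t[0] == "encryption" else t[0]), " ".join(t[1:])
            c["policy"][block[1]][k] = "aes 128" if v == "aes" else v   # 128 is the implicit size
        elif block and block[0] == "map" and t[0] in ("set", "match"):
            c["map"][block[1]][t[1]] = t[2]            # peer / transform-set / address (the ACL)
    return c

def crypto_aces(c):
    """Every ACE referenced by a crypto map on one router, as (proto, src, wc, dst, wc)."""
    return {ace for m in c["map"].values() for ace in c["acl"].get(m.get("address"), [])}

def check_pair(cfg_a, cfg_b):
    """Return findings for a router pair; an empty list means the two sides agree."""
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    out = []
    for n in sorted(set(a["policy"]) | set(b["policy"])):
        if a["policy"].get(n) != b["policy"].get(n):
            out.append(f"ISAKMP policy {n} differs between the routers")
    for side, other, tag in ((a, b, "A"), (b, a, "B")):
        for name, m in side["map"].items():
            peer, ts = m.get("peer"), m.get("transform-set")
            # Two-router assumption: the one key the peer holds must be the key we hold for the peer.
            if side["key"].get(peer) is None or set(other["key"].values()) != {side["key"][peer]}:
                out.append(f"{tag}/{name}: pre-shared key for peer {peer} is missing or differs from the peer's")
            if side["tset"].get(ts) not in other["tset"].values():
                out.append(f"{tag}/{name}: transform set {ts} has no equal transform set on the peer")
            for proto, s, swc, d, dwc in side["acl"].get(m.get("address"), []):
                if (proto, d, dwc, s, swc) not in crypto_aces(other):
                    out.append(f"{tag}/{name}: ACE {proto} {s} {swc} -> {d} {dwc} is not mirrored on the peer")
    return out

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' (the inverse of a subnet mask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def is_protected(cfg, src, dst):
    """Would a packet src -> dst match this router's crypto ACL, i.e. be sent through the tunnel?"""
    return any(wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)
               for _proto, s, swc, d, dwc in crypto_aces(parse_crypto(cfg)))
```

Call check_pair(R1_CFG, R2_CFG) to compare the two sides; an empty list means they agree, and each finding names the side (A or B) and crypto map it concerns. is_protected(R1_CFG, "10.1.1.1", "192.168.0.95") confirms that the extended ping in Example 7 matches ACL 101, while a ping between the two serial addresses (172.30.2.1 to 172.30.2.2) does not and would therefore travel in the clear. Reintroducing the truncated wildcard mask from the original Example 3 on one side, or changing one router's key, group, or transform set, produces the corresponding finding.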


To test the IPsec configuration, an extended ping can be performed, as shown in Example 7. Specifically, Example 7 shows an extended ping being initiated from Router1’s LAN interface (IP address 10.1.1.1), destined for Router2’s LAN interface (IP address 192.168.0.95). Notice that the first ping fails, because the IPsec tunnel is being set up during this time. However, the remaining pings succeed.

Example 7:

R1# ping
Protocol [ip]:
Target IP address: 192.168.0.95
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.95, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!

After establishing an IPsec tunnel, you can verify and view the tunnel’s parameters by issuing the show crypto engine connections active and show crypto session commands, as shown in the following examples.

Table: IPsec VPN Monitoring Commands

See Also:

R1.cfg:

!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
logging queue-limit 100
!
memory-size iomem 15
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key aloha01 address 172.30.2.2
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto map R1toR2 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set MYSET
 match address 101
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 speed auto
!
interface Serial0/0
 description R1 <-> R2
 bandwidth 64
 ip address 172.30.2.1 255.255.255.0
 crypto map R1toR2
!
ip classless
ip route 192.168.0.0 255.255.255.0 172.30.2.2
no ip http server
no ip http secure-server
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

R2.cfg:

!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
logging queue-limit 100
!
memory-size iomem 15
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key aloha01 address 172.30.2.1
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto map R2toR1 10 ipsec-isakmp
 set peer 172.30.2.1
 set transform-set MYSET
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 speed auto
!
interface Serial0/0
 description R2 <-> R1
 bandwidth 64
 ip address 172.30.2.2 255.255.255.0
 crypto map R2toR1
!
ip classless
ip route 10.1.1.0 255.255.255.0 172.30.2.1
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

My Dynagen Lab Config:

autostart = False

[127.0.0.1:7200]
    workingdir = /tmp
    udp = 10000
   
    [[1751]]
        image = c1700-bk9no3r2sv8y7-mz.122-15.T2.bin
        ram = 64
        idlepc = 0x80216c0c
        ghostios = True
        chassis = 1751
        WIC0/0 = WIC-1T
   
    [[ROUTER R1]]
        model = 1751
        s0/0 = R2 s0/0
           
    [[ROUTER R2]]
        model = 1751


[*] IPSec VPN Lab

CCNA Security Official Exam Certification Guide (Exam 640-553)


biOos
