IPsec – CONFIG

A VPN is a communications channel that is used to form a logical connection between two endpoints over a public network. VPNs do not necessarily include encryption or authentication. IPsec VPNs rely on the IKE protocol to establish secure communications.

Traffic is considered interesting when it travels between the IPsec peers and meets the criteria defined in the crypto ACL.

Some basic tasks must be completed to configure a site-to-site IPsec VPN:

Task 1. Ensure that ACLs configured on interfaces are compatible with the IPsec configuration. Usually there are restrictions on the interface that the VPN traffic uses; for example, block all traffic that is not IPsec or IKE.

Task 2. Create an ISAKMP policy. This policy determines the ISAKMP parameters that will be used to establish the tunnel.

Task 3. Configure the IPsec transform set. The transform set defines the parameters that the IPsec tunnel uses. The set can include the encryption and integrity algorithms.

Task 4. Create a crypto ACL. The crypto ACL defines which traffic is sent through the IPsec tunnel and protected by the IPsec process.

Task 5. Create and apply a crypto map. The crypto map groups the previously configured parameters together and defines the IPsec peer devices. The crypto map is applied to the outgoing interface of the VPN device.

Ensure that the ACLs are configured so that ISAKMP, Encapsulating Security Payload (ESP), and Authentication Header (AH) traffic is not blocked at the interfaces used by IPsec. ESP is assigned IP protocol number 50. AH is assigned IP protocol number 51. ISAKMP uses UDP port 500.

Multiple ISAKMP policies can be configured on each peer participating in IPsec. Each policy must be given a unique priority number; assign the most secure policy the smallest available number.

When the ISAKMP negotiation begins in IKE Phase 1 main mode, the peer that initiates the negotiation sends all its policies to the remote peer. The remote peer tries to find a match with its own policies, comparing its own highest priority policy against the policies it received from the other peer. The remote peer checks each of its policies in order of priority (highest priority first) until a match is found.

A match is made when both policies contain the same encryption, hash, authentication and DH parameter values, and when the policy of the remote peer specifies a lifetime less than or equal to the lifetime of the policy being compared. If the lifetimes are not identical, the shorter lifetime from the remote peer policy is used.

By default, the ISAKMP identity is set to use the IP address. To use the hostname parameter, the ISAKMP identity must be configured to use the host name with the crypto isakmp identity hostname global configuration mode command. In addition, DNS must be accessible to resolve the hostname.

Transform sets consist of a combination of an AH transform, an ESP transform, and the IPsec mode (either tunnel or transport mode). When ISAKMP is not used to establish SAs, a single transform set must be used; in this instance, the transform set is not negotiated.

A transform set specifies up to four "transforms": one AH, one ESP encryption, one ESP authentication, and optionally IP compression. These transforms define the IPsec security protocols and algorithms. Transform sets are negotiated during IKE Phase 2 quick mode. When configuring multiple transform sets, configure the transforms from most to least secure, according to the network security policy.

Outbound crypto ACLs select outbound traffic that IPsec should protect. Traffic that is not selected is sent in plaintext. If desired, inbound ACLs can be created to filter and discard traffic that should have been protected by IPsec.

Symmetric crypto ACLs must be configured for use by IPsec. When a router receives encrypted packets back from an IPsec peer, it uses the same ACL to determine which inbound packets to decrypt by viewing the source and destination addresses in the ACL in reverse order. The ACL criteria are applied in the forward direction to traffic exiting the router, and in the backward direction to traffic entering the router, so that the outbound ACL source becomes the inbound ACL destination.

Crypto map entries with the same crypto map name but different map sequence numbers are grouped into a crypto map set. Only one crypto map set can be applied to a single interface. The crypto map set can include a combination of Cisco Encryption Technology (CET) and IPsec using IKE. Multiple interfaces can share the same crypto map set if the same policy is applied to multiple interfaces. If more than one crypto map entry is created for a given interface, use the sequence number (seq-num) of each map entry to rank the map entries: the smaller the sequence number, the higher the priority. At the interface that has the crypto map set, traffic is evaluated against higher priority map entries first.

Create multiple crypto map entries for a given interface if any of these conditions exist:

- Separate IPsec peers handle different data flows.
- Different IPsec security must be applied to different types of traffic (to the same or separate IPsec peers). For example, traffic between one set of subnets needs to be authenticated, and traffic between another set of subnets needs to be both authenticated and encrypted. In this case, define the different types of traffic in two separate ACLs, and create a separate crypto map entry for each crypto ACL.
- IKE is not used to establish a particular set of SAs, and multiple ACL entries must be specified. In this case, create separate ACLs (one per permit entry) and specify a separate crypto map entry for each ACL.

Two peers can be specified in a crypto map for redundancy. If the first peer cannot be contacted, the second peer is used. There is no limit to the number of redundant peers that can be configured. Multiple peers can be specified for redundancy, for example:

 set peer 192.168.1.2 default
 set peer 192.168.1.1

The crypto map is applied to the outgoing interface of the VPN tunnel using the crypto map command in interface configuration mode. Make sure that the routing information that is needed to send packets into the tunnel is also configured.

Verification and troubleshooting commands:

 show crypto map
 show crypto isakmp policy
 show crypto ipsec sa
 show crypto isakmp sa
 show crypto ipsec transform-set
 debug crypto isakmp
 debug crypto ipsec

In the output of show crypto isakmp sa, the QM_IDLE status indicates an active IKE SA.
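The five tasks above carried through for one peer (R1), as an added example configuration written for this page rather than taken from the original post. The addresses, interface name, ACL and map names, the second ISAKMP policy and the pre-shared-key placeholder are assumptions; the remote peer needs the mirror-image crypto ACL and the same ISAKMP and transform parameters.

```cisco
! Added example (not from the original page): site-to-site IPsec on R1.
! Assumed: LAN 10.1.1.0/24 behind R1, LAN 10.2.2.0/24 behind the remote
! peers 198.51.100.1 (primary) and 198.51.100.2 (backup); R1 outside
! address 203.0.113.1; CHANGE-ME-PSK is a placeholder, not a real key.
! Task 1: interface ACL on the outside interface permits only ISAKMP
! (UDP 500), ESP (IP protocol 50) and AH (IP protocol 51) from the peers.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 permit ahp host 198.51.100.1 host 203.0.113.1
 permit udp host 198.51.100.2 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.2 host 203.0.113.1
 permit ahp host 198.51.100.2 host 203.0.113.1
!
! Task 2: ISAKMP policies; the most secure gets the smallest number so
! it is offered and compared first.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp policy 20
 encryption aes 128
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key CHANGE-ME-PSK address 198.51.100.1
crypto isakmp key CHANGE-ME-PSK address 198.51.100.2
!
! Task 3: transform set (ESP encryption + ESP authentication, tunnel mode).
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Task 4: crypto ACL; the remote peer mirrors it (10.2.2.0 -> 10.1.1.0).
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Task 5: crypto map with a redundant peer, applied to the outgoing interface.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set peer 198.51.100.2
 set transform-set VPN-TS
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
! Route toward the remote LAN so interesting traffic reaches the mapped interface.
ip route 10.2.2.0 255.255.255.0 203.0.113.254
```

After a host in 10.1.1.0/24 sends traffic to 10.2.2.0/24, show crypto isakmp sa should list the peer in QM_IDLE and show crypto ipsec sa should show encapsulation counters increasing.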
