Friday, 21 December 2012

Cisco IPSec Site-to-site VPN Configuration

Introduction

An IPSec site-to-site VPN secures the connection between two sites (e.g. a head office and a branch office). A secure VPN tunnel is created over the public network (the Internet) using strong encryption, so data can be transmitted with confidentiality and integrity. The major advantages of IPSec are 1. confidentiality, 2. integrity and 3. origin authentication.
  • This document shows how to configure a site-to-site IPSec VPN tunnel using two Cisco IOS routers.
How IPSec works on a Cisco Router

IPSec is a layer 3, protocol-independent framework used to secure unicast network traffic. IPSec is made up of two distinct phases:

a) Phase 1: responsible for session management and authentication of the endpoints. This phase ensures that the connection between the endpoints is secured.

b) Phase 2: sets up the security associations (SAs) that will be used to secure the target data.

Phase 1

The Phase 1 process authenticates the endpoints to each other. This is done with a single, bidirectional security association (SA). The major component of Phase 1 authentication is the IKE policy.

IKE Policy

The IKE policy is made up of the following parameters:
  • Authentication*: decides the authentication method used by the policy.
  • Encryption: decides the encryption algorithm used by the policy.
  • Hashing: decides the hashing algorithm used by the policy.
  • Diffie-Hellman group: decides the Diffie-Hellman group used by the policy.
  • Lifetime: decides the lifetime of the SA before re-keying.
*Authentication is based on one of the following:
  • Pre-shared key (PSK)
  • RSA encryption
  • Digital certificate
Phase 2

Phase 2 sets up the security associations that will be used to secure the target data between the two sites.

The major components of Phase 2 are:
  • Extended ACL: identifies the interesting traffic that should be sent over the VPN tunnel.
  • Transform-set: decides the encryption and hashing algorithms. It defines how the traffic matched by the ACL is encrypted and authenticated.
Network Diagram


This example is based on a Cisco Integrated Services Router running 15.0(1r)M15 code.

Configuration Tasks
  1. Create the IKE policy
  2. Set up the pre-shared key (PSK)
  3. Configure the extended access-list
  4. Define the IPSec transform-set
  5. Configure the crypto-map
  6. Apply the crypto-map to the interfaces.
Now we go through each of the tasks listed above in detail.

1.) Creating IKE Policy

Cisco ISR* 1

Cisco_ISR(config)#crypto isakmp policy 10
Cisco_ISR(config-isakmp)#authentication pre-share
Cisco_ISR(config-isakmp)#encryption aes 256
Cisco_ISR(config-isakmp)#group 5
Cisco_ISR(config-isakmp)#lifetime 86400

Cisco ISR 2

Cisco(config)#crypto isakmp policy 10
Cisco(config-isakmp)#authentication pre-share
Cisco(config-isakmp)#encryption aes 256
Cisco(config-isakmp)#group 5
Cisco(config-isakmp)#lifetime 86400


*ISR - Integrated Services Router

2.) Setup Pre-shared key

Cisco ISR1

Cisco_ISR(config)#crypto isakmp key MYSECUREKEY address 192.168.100.2

Cisco ISR 2

Cisco(config)#crypto isakmp key MYSECUREKEY address 192.168.100.1


3.) Configure extended Access-List

Cisco ISR 1

Cisco_ISR(config)#access-list 100 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
 
Cisco ISR 2

Cisco(config)#access-list 100 permit ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255


4.) Defining IPSec Transform-set

Cisco ISR 1

Cisco_ISR(config)#crypto ipsec transform-set MYTRANSFORMSET esp-aes 256 esp-sha-hmac

Cisco ISR 2

Cisco(config)#crypto ipsec transform-set MYTRANSFORMSET esp-aes 256 esp-sha-hmac


5.) Configure Crypto-map

Cisco ISR 1

Cisco_ISR(config)#crypto map MYCRYPTOMAP 10 ipsec-isakmp
Cisco_ISR(config-crypto-map)#set peer 192.168.100.2
Cisco_ISR(config-crypto-map)#set transform-set MYTRANSFORMSET
Cisco_ISR(config-crypto-map)#match address 100

While you create a crypto-map you will see a message like the one below:
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.

You can safely ignore this message and configure the peer as the next step.


Cisco ISR 2

Cisco(config)#crypto map MYCRYPTOMAP 10 ipsec-isakmp
Cisco(config-crypto-map)#set peer 192.168.100.1
Cisco(config-crypto-map)#set transform-set MYTRANSFORMSET
Cisco(config-crypto-map)#match address 100


6.) Apply Crypto-map to Interfaces

Cisco ISR 1

Cisco_ISR(config)#interface gigabitEthernet 0/1
Cisco_ISR(config-if)#crypto map MYCRYPTOMAP

Cisco ISR 2

Cisco(config)#interface gigabitEthernet 0/1
Cisco(config-if)#crypto map MYCRYPTOMAP


That completes the configuration.

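The most common reason a site-to-site tunnel never comes up is a parameter that is not identical on the two routers (ISAKMP policy, PSK, transform-set) or, for the crypto ACL, not a mirror image. The following Python check is an added example written for this page, not a Cisco tool: isr_config() is a constructed stand-in for the two transcripts above, parse() tolerates a pasted IOS prompt prefix, and check_mirror() reports each mismatch it finds between the two sides.

```python
import re

def isr_config(peer, local, remote):
    # Constructed config in the shape of this page's transcripts (prompts omitted).
    return f"""crypto isakmp policy 10
authentication pre-share
encryption aes 256
group 5
lifetime 86400
crypto isakmp key MYSECUREKEY address {peer}
access-list 100 permit ip {local} {remote}
crypto ipsec transform-set MYTRANSFORMSET esp-aes 256 esp-sha-hmac
crypto map MYCRYPTOMAP 10 ipsec-isakmp
set peer {peer}
set transform-set MYTRANSFORMSET
match address 100"""

def parse(cfg):
    # Pull out the parameters that must agree (or mirror) between the two peers.
    p = {"policy": {}, "psk": {}, "acl": (), "tset": (), "peer": None}
    for raw in cfg.splitlines():
        w = re.sub(r"^.*?#", "", raw).split()  # tolerate a pasted IOS prompt prefix
        if not w:
            continue
        if w[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            p["policy"][w[0]] = " ".join(w[1:])
        elif w[:3] == ["crypto", "isakmp", "key"]:
            p["psk"] = {"key": w[3], "address": w[5]}
        elif w[0] == "access-list" and w[2] == "permit":
            p["acl"] = tuple(w[4:8])  # src, src-wildcard, dst, dst-wildcard
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["tset"] = tuple(w[4:])
        elif w[:2] == ["set", "peer"]:
            p["peer"] = w[2]
    return p

def check_mirror(cfg_a, cfg_b):
    # Return the mismatches that would stop this tunnel from coming up.
    a, b = parse(cfg_a), parse(cfg_b)
    checks = [
        (a["policy"] != b["policy"], "ISAKMP policy differs: Phase 1 will not negotiate"),
        (a["psk"].get("key") != b["psk"].get("key"), "pre-shared keys differ"),
        (any(s["psk"].get("address") != s["peer"] for s in (a, b)),
         "PSK address does not match the crypto-map peer"),
        (a["tset"] != b["tset"], "transform-sets differ: Phase 2 will not negotiate"),
        (a["acl"] != b["acl"][2:] + b["acl"][:2],
         "crypto ACLs are not mirror images: proxy identities will not match"),
    ]
    return [msg for bad, msg in checks if bad]
```

Feed it the running-config sections of both routers (or the pasted transcripts) and an empty list means the two sides agree on everything this page configures.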
IPSec VPN and Zone Based Firewall

For more information, see Using IPSec VPN with Zone-Based Policy Firewall.

IPSec Verification & Troubleshooting

a.) Commands used to verify IPSec operation
  • show crypto isakmp sa
  • show crypto isakmp policy
  • show crypto ipsec sa
  • show crypto session
b.) Commands used to troubleshoot IPSec operation
  • debug crypto isakmp
  • debug crypto ipsec
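The verification commands above are only useful if the state column is read correctly: QM_IDLE with status ACTIVE means Phase 1 completed, while an SA stuck in one of the MM_* states means Phase 1 never finished. The following Python helper is an added example, not part of the original post: it parses a constructed sample of "show crypto isakmp sa" output (column layout as seen on IOS 15; treat the exact layout as an assumption and adjust the regex for your release) and turns each SA into a verdict a troubleshooter can act on.

```python
import re

# Constructed sample output of "show crypto isakmp sa" (layout is an assumption).
SAMPLE = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.100.2   192.168.100.1   QM_IDLE           1001 ACTIVE
192.168.100.9   192.168.100.1   MM_NO_STATE       1002 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# IKEv1 main-mode states in the order they are reached; QM_IDLE means Phase 1 is complete.
MM_ORDER = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH", "QM_IDLE"]
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(.*)$")

def isakmp_sa_status(output):
    # Map each ISAKMP SA (keyed by peer/dst address) to a troubleshooting verdict.
    verdicts = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines and the IPv6 section carry no SA rows
        dst, src, state, conn_id, status = m.groups()
        if state == "QM_IDLE" and status.strip() == "ACTIVE":
            verdict = "phase1-up"
        elif state == "MM_NO_STATE":
            verdict = "phase1-failed: check ISAKMP policy, PSK and UDP/500 reachability"
        elif state in MM_ORDER:
            verdict = f"phase1-in-progress: stalled at {state}"
        else:
            verdict = f"unknown state {state}"
        verdicts[dst] = verdict
    return verdicts
```

If a peer shows phase1-up but traffic still does not flow, move on to show crypto ipsec sa and check that the encaps/decaps counters increase and that the local/remote identities match the crypto ACL.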

1 comment:

  1. You really should be using an Android VPN, and even if you don't think so now, at some point in the future you may consider it as important as your internet connection.
