Introduction
IPSec Site-to-site VPN connectivity is used to secure the connection between two sites (eg.Head office and branch office). A secure VPN tunnel is created over the public network (Internet) using advanced encryption technologies where we can transmit our data with high confidentiality and integrity. The major advantages of using IPSec are 1.Confidentiality 2.Integrity 3.Origin Authentication.
IPSec is a layer 3, protocol independent framework that is used to secure unicast network traffic. IPSec is comprised of two distinct phases:
a) Phase 1 : Responsible for session management and authentication of end points. This phase ensure that the connection between endpoints is secured.
b) Phase 2 : It is used to setup the security association (SA) that will be used to secure the target data.
Phase 1
Phase 1 process authenticates endpoints to each other. This is done by single, bidirectional security association (SA). The major component of Phase 1 authentication is IKE Policy.
IKE Policy
The IKE Policy comprises of the following parameters:
The Phase 2 is used to setup the security associations that will be used to secure the target data between two sites.
The major components of Phase 2 authentication are :
This example is based on a Cisco Integrated Service Router running with 15.0(1r)M15 code.
Configuration Tasks
Now we should go in details and configure each tasks which is listed above.IPSec Site-to-site VPN connectivity is used to secure the connection between two sites (eg.Head office and branch office). A secure VPN tunnel is created over the public network (Internet) using advanced encryption technologies where we can transmit our data with high confidentiality and integrity. The major advantages of using IPSec are 1.Confidentiality 2.Integrity 3.Origin Authentication.
- This document will show you how to configure a site-to-site IPSec VPN tunnel using two Cisco IOS routes.
IPSec is a layer 3, protocol independent framework that is used to secure unicast network traffic. IPSec is comprised of two distinct phases:
a) Phase 1 : Responsible for session management and authentication of end points. This phase ensure that the connection between endpoints is secured.
b) Phase 2 : It is used to setup the security association (SA) that will be used to secure the target data.
Phase 1
Phase 1 process authenticates endpoints to each other. This is done by single, bidirectional security association (SA). The major component of Phase 1 authentication is IKE Policy.
IKE Policy
The IKE Policy comprises of the following parameters:
- Authentication* : Decide the authentication that will be used by the policy.
- Encryption : Decide the encryption algorithm that will be used by the policy.
- Hashing : Decide the hashing algorithm that will be used by the policy.
- Diffe-Hellman group : Decide the Diffe-Hellman group that will be used by the policy.
- Life-time : Decide the life-time of SA before re-keying.
- Pre-shared key (PSK)
- RSA Encryption
- Digital Certificate
The Phase 2 is used to setup the security associations that will be used to secure the target data between two sites.
The major components of Phase 2 authentication are :
- Extended ACL : It is used to find the interesting traffic which should be transmitted over the VPN tunnel.
- Transform-Set : Decide the encryption and hashing algorithm. This will provide the authentication to each protocol that is used in the ACL.
This example is based on a Cisco Integrated Service Router running with 15.0(1r)M15 code.
Configuration Tasks
- Create IKE Policy
- Setup Pre shared key (PSK)
- Configure extended Access-List
- Define IPSec Transform-set
- Configure Crypto-map
- Apply Crypto-map to Interfaces.
1.) Creating IKE Policy
Cisco ISR* 1
Cisco_ISR(config)#crypto isakmp policy 10
Cisco_ISR(config-isakmp)#authentication pre-share
Cisco_ISR(config-isakmp)#encryption aes 256
Cisco_ISR(config-isakmp)#group 5
Cisco_ISR(config-isakmp)#lifetime 86400
Cisco ISR 2
Cisco(config)#crypto isakmp policy 10
Cisco(config-isakmp)#authentication pre-share
Cisco(config-isakmp)#encryption aes 256
Cisco(config-isakmp)#group 5
Cisco(config-isakmp)#lifetime 86400
*ISR - Integrated Service Router
2.) Setup Pre-shared key
Cisco ISR1
Cisco_ISR(config)#crypto isakmp key MYSECUREKEY address 192.168.100.2
Cisco ISR 2
Cisco(config)#crypto isakmp key MYSECUREKEY address 192.168.100.1
3.) Configure extended Access-List
Cisco ISR 1
Cisco_ISR(config)#access-list 100 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
Cisco ISR 2
Ciscoconfig)#access-list 100 permit ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
4.) Defining IPSec Transform-set
Cisco ISR 1
Cisco ISR 2
Cisco(config)#crypto ipsec transform-set MYTRANSFORMSET esp-aes 256 esp-sha-hmac
5.) Configure Crypto-map
Cisco ISR 1
Cisco_ISR(config)#crypto map MYCRYPTOMAP 10 ipsec-isakmp
Cisco_ISR(config-crypto-map)#set peer 192.168.100.2
Cisco_ISR(config-crypto-map)#set transform-set MYTRANSFORMSET
Cisco_ISR(config-crypto-map)#match address 100
While you create a crypto-map you will get a message like below:
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
You can safely ignore this message and configure the peer as a next step.
Cisco ISR 2
Cisco(config)#crypto map MYCRYPTOMAP 10 ipsec-isakmp
Cisco(config-crypto-map)#set peer 192.168.100.1
Cisco(config-crypto-map)#set transform-set MYTRANSFORMSET
Cisco(config-crypto-map)#match address 100
6.) Apply Crypto-map to Interfaces
Cisco ISR 1
Cisco_ISR(config)#interface gigabitEthernet 0/1
Cisco_ISR(config-if)#crypto map MYCRYPTOMAP
Cisco ISR 2
Cisco(config)#interface gigabitEthernet 0/1
Cisco(config-if)#crypto map MYCRYPTOMAP
There we finish our configuration.
IPSec VPN and Zone Based Firewall
For more info visit Using IPSec VPN with Zone-Based Policy Firewall.
IPSec Verification & Troubleshooting
a.) Commands used to verify IPSec operation
- show crypto isakmp sa
- show crypto isakmp policy
- show crypto ipsec sa
- show crypto session
- debug crypto isakmp
- debug crypto ipsec