Configuration of a Site-to-Site IPsec Virtual Private Network

Anuradha Kallury, CS 580 Special Project, August 23, 2005

IPsec – An Introduction

IPsec is a suite of protocols used to create virtual private networks (VPNs)

Creates encrypted tunnel between 2 private networks

Authenticates both ends of the tunnel

IPsec – An Introduction (Cont’d)

Can choose what traffic to encrypt and how to encrypt it

Encapsulates and encrypts IP data only (can use GRE for non-IP traffic)

IPsec is composed of the following main protocols:

Internet Key Exchange (IKE) protocol

Encapsulating Security Payload (ESP) protocol

Authentication Header (AH) protocol

IPsec - Fundamental Mechanisms

Packet Encapsulation

Encapsulating Security Payload (ESP) - encrypts and authenticates data

Authentication Header (AH) – authenticates data and header

Tunnel mode - new IP header appended in front of original IP header of packet

Transport mode - uses original IP header of packet

Encryption: uses the symmetric key algorithms DES or 3DES

Integrity checking: uses hash-based message authentication codes (HMAC)

Hashing algorithms used are MD5 or SHA-1
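Added illustration, not from the slides: a small Python model of how ESP frames a packet in tunnel versus transport mode and of what the ESP integrity check covers. The XOR "cipher" is a stand-in for 3DES-CBC (the standard library has none); the sample packet, keys, SPI and addresses are constructed, while the framing and the HMAC-SHA1-96 check follow RFC 2406/2404.

```python
import hmac, hashlib, socket, struct

BLOCK = 8      # 3DES block size; ESP pads the encrypted part to a multiple of it
ICV_LEN = 12   # HMAC-SHA1-96 (or HMAC-MD5-96): tag truncated to 96 bits

def toy_cipher(key, data):
    """Stand-in for 3DES-CBC (not in the stdlib): XOR with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header; checksum left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def esp_encapsulate(inner, mode, spi, seq, enc_key, auth_key, outer=None):
    """Wrap an IPv4 packet in ESP (IP protocol 50), tunnel or transport mode."""
    if mode == "tunnel":
        plain, next_hdr = inner, 4              # whole inner packet; 4 = IP-in-IP
    else:
        plain, next_hdr = inner[20:], inner[9]  # payload only; inner proto goes in trailer
    pad_len = (-(len(plain) + 2)) % BLOCK       # +2: pad-length and next-header bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    body = struct.pack("!II", spi, seq) + toy_cipher(enc_key, plain + trailer)
    esp = body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if mode == "tunnel":                        # new outer header in front of everything
        return ipv4_header(outer[0], outer[1], 50, 20 + len(esp)) + esp
    hdr = bytearray(inner[:20]); hdr[9] = 50    # transport: reuse inner header, proto -> ESP
    struct.pack_into("!H", hdr, 2, 20 + len(esp))   # ...and fix its total length
    return bytes(hdr) + esp

def esp_verify(packet, auth_key):
    """ICV covers SPI, sequence number and ciphertext only, never the outer IP header."""
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expect = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expect)

def esp_decapsulate(packet, enc_key):
    """Return (next_header, inner bytes) after stripping ESP header, trailer and ICV."""
    plain = toy_cipher(enc_key, packet[28:-ICV_LEN])   # skip outer header + SPI/seq
    pad_len, next_hdr = plain[-2], plain[-1]
    return next_hdr, plain[:-(pad_len + 2)]

# Constructed sample: a TCP packet between the two LANs in the slides' diagram.
INNER = ipv4_header("10.1.1.7", "10.1.2.9", 6, 20 + 11) + b"hello world"
ENC_KEY, AUTH_KEY = b"\x11" * 24, b"\x22" * 20   # constructed demo keys
TUNNEL = esp_encapsulate(INNER, "tunnel", 0x1234, 1, ENC_KEY, AUTH_KEY,
                         outer=("192.1.12.5", "192.1.12.20"))
TRANSPORT = esp_encapsulate(INNER, "transport", 0x1234, 1, ENC_KEY, AUTH_KEY)
```

Changing the outer header (for example the TTL) leaves the ESP ICV valid, which is the practical difference between ESP and AH on this slide: only AH authenticates the IP header as well as the data.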

IPsec Implementation

LAN-to-LAN IPsec VPN (also called site-to-site IPsec VPN)

Merges 2 private networks across a public network

Appears as one virtual network with shared resources

IKE – An Introduction

Responsible for negotiating the details of the IPsec tunnel between the 2 peers

Main functions of IKE in IPsec:

Negotiate protocol parameters

Exchange public keys

Authenticate both ends

Manage keys after the exchange

How IKE Works

IKE is a two-phase protocol

Phase 1: uses main mode or aggressive mode exchanges between peers

Negotiates a secure, authenticated communication channel between the IPsec peers

Phase 2: uses quick mode exchanges between peers

Negotiates security associations for the IPsec services

IKE - Main Mode

The main functions of the main mode (or aggressive mode) are:

Agree on a set of parameters that will be used to authenticate the 2 IPsec peers

Agree on a set of parameters that will be used to encrypt a part of the main mode and all of the quick mode exchange.

Authenticate the 2 IPsec peers to each other

Generate keys that can be used to generate the necessary data encryption keys after negotiations are done.


IKE - Main Mode (Cont’d)

All the information negotiated in main mode is stored as an IKE or ISAKMP security association (SA).

There is only one SA between any 2 IPsec peers.

IKE - Quick Mode

The main functions of the quick mode are:

Agree on a set of parameters for creating the IPsec SAs used to encrypt (for ESP) the data between the 2 peers

If Perfect Forward Secrecy (PFS) is being used, perform another Diffie-Hellman (DH) exchange to generate new keys for generating the data encryption keys

IKE Authentication Mechanisms

Preshared Keys: define the same key on both IPsec peers. Simple but not scalable.

Digital Signatures: use public/private key pairs generated on both IPsec peers. The public key is exchanged using a digital certificate that also contains sender info; the certificate is issued by a certificate authority (CA) server.

Encrypted Nonces: pseudo-random numbers are encrypted and exchanged by the IPsec peers.

IPsec Negotiation Using IKE

IKE negotiates IPsec tunnels between IPsec peers using one of three main methods:

1. Main mode using preshared key authentication followed by quick mode negotiation

2. Main mode using digital signature authentication followed by quick mode negotiation

3. Aggressive mode using preshared key authentication followed by quick mode negotiation

Configuration of LAN-to-LAN IPsec - Network Diagram

Initiator (R1)          Responder (R2)
192.1.12.5              192.1.12.20
10.1.1.0/24             10.1.2.0/24

Cisco Routers R1 and R2 both running IOS version 12.2.15T11 (including support for IPsec and 3DES)

Cisco Catalyst Switch 3550-01 running IOS version 12.1.22(EA1a)

Configuration of LAN-to-LAN IPsec - Setup of Routers

Step 1: Ensure that IKE is enabled

Router(config)# crypto isakmp enable

Step 2: Create the ISAKMP policy, which defines the attributes negotiated between the peers for the IKE SA (the number after "policy" is the policy's priority)

Router(config)# crypto isakmp policy 1

Router(config-isakmp)# encryption 3des

Router(config-isakmp)# hash md5

Router(config-isakmp)# authentication pre-share

Router(config-isakmp)# group 1

Router(config-isakmp)# lifetime 14400

Configuration of LAN-to-LAN IPsec - Setup of Routers (Cont’d)

Step 3: Define the pre-shared key and the IP address of the IPsec peer

Router(config)# crypto isakmp key 42DB72B3 address 192.1.12.20

Step 4: Define a transform-set for use with IPsec as follows:

Router(config)# crypto ipsec transform-set myset1 esp-3des esp-md5-hmac

Step 5: Define the mode associated with the transform-set (optional)

Router(cfg-crypto-trans)# mode tunnel

Configuration of LAN-to-LAN IPsec - Setup of Routers (Cont’d)

Step 6: Define an access list which specifies the "interesting" traffic for IPsec, that is, the traffic the tunnel is to protect

Router(config)# access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Step 7: Define a crypto map. The crypto map links together all of the details of the IPsec configuration (IOS requires a sequence number for each crypto map entry; 10 is used here)

Router(config)# crypto map mymap1 10 ipsec-isakmp

Configuration of LAN-to-LAN IPsec - Setup of Routers (Cont’d)

Step 8: Within the identified crypto map, define the IP address of the IPsec peer

Router(config-crypto-map)# set peer 192.1.12.20

Step 9: Within the identified crypto map, define which transform-set is to be used with this crypto map

Router(config-crypto-map)# set transform-set myset1

Step 10: Within the identified crypto map, define which access list is to be used with this crypto map

Router(config-crypto-map)# match address 101

Configuration of LAN-to-LAN IPsec - Setup of Routers (Cont’d)

Step 11: Assign the crypto map to the specific interface of the router on which IPsec traffic will flow

Router(config)# interface Ethernet 0/0

Router(config-if)# crypto map mymap1

Step 12: Verify that the defined policy, transform-set, and pre-shared key are the same on both IPsec peers
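Step 12 as a mechanical check, an added example that is not from the slides: a Python script that parses the IPsec-related lines of two IOS configs and reports where the peers disagree on ISAKMP policy, pre-shared key, transform-set, crypto map peer or crypto ACL. The two configs are constructed from the commands in steps 1 to 11 (with the sequence number IOS requires on the crypto map entry); the key value is the slides' own and is only an illustration.

```python
def parse_ios(text):
    """Pull the IPsec-relevant lines of an IOS config into a dict."""
    cfg, section = {"policy": {}, "keys": {}, "tsets": {}, "map": {}, "acl": {}}, None
    for raw in text.splitlines():
        w = raw.split()
        if not w: continue
        if raw.startswith("crypto isakmp policy"):
            section = cfg["policy"].setdefault(w[3], {})   # sub-commands land here
        elif raw.startswith("crypto isakmp key"):
            cfg["keys"][w[5]] = w[3]                        # peer address -> key
        elif raw.startswith("crypto ipsec transform-set"):
            cfg["tsets"][w[3]] = tuple(w[4:]); section = None
        elif raw.startswith("crypto map"):
            section = cfg["map"]
        elif raw.startswith("access-list"):
            cfg["acl"][w[1]] = (w[4], w[6])                 # (local net, remote net)
        elif raw.startswith(" ") and section is not None:
            section[w[1] if w[0] in ("set", "match") else w[0]] = w[-1]
    return cfg

def check_peers(a_text, b_text, a_wan, b_wan):
    """List mismatches between two site-to-site peers; an empty list means step 12 passes."""
    a, b, out = parse_ios(a_text), parse_ios(b_text), []
    for prio in sorted(a["policy"].keys() | b["policy"].keys()):
        if a["policy"].get(prio) != b["policy"].get(prio):
            out.append(f"isakmp policy {prio} differs")
    if not a["keys"].get(b_wan) or a["keys"].get(b_wan) != b["keys"].get(a_wan):
        out.append("pre-shared key missing or not identical on both peers")
    if (a["map"].get("peer"), b["map"].get("peer")) != (b_wan, a_wan):
        out.append("crypto map 'set peer' does not point at the other router")
    ta, tb = (c["tsets"].get(c["map"].get("transform-set")) for c in (a, b))
    if ta is None or ta != tb:
        out.append("transform-set differs or is not referenced by the crypto map")
    acl_a, acl_b = (c["acl"].get(c["map"].get("address")) for c in (a, b))
    if not (acl_a and acl_b) or acl_a != acl_b[::-1]:
        out.append("crypto ACLs are not mirror images of each other")
    return out

def site_cfg(peer, local, remote, hash_alg="md5"):
    """Constructed config following steps 1-11 of the slides for one router."""
    return "\n".join([
        "crypto isakmp policy 1", " encryption 3des", f" hash {hash_alg}",
        " authentication pre-share", " group 1", " lifetime 14400",
        f"crypto isakmp key 42DB72B3 address {peer}",
        "crypto ipsec transform-set myset1 esp-3des esp-md5-hmac",
        "crypto map mymap1 10 ipsec-isakmp", f" set peer {peer}",
        " set transform-set myset1", " match address 101",
        f"access-list 101 permit ip {local} 0.0.0.255 {remote} 0.0.0.255"])

R1 = site_cfg("192.1.12.20", "10.1.1.0", "10.1.2.0")   # initiator, WAN 192.1.12.5
R2 = site_cfg("192.1.12.5", "10.1.2.0", "10.1.1.0")    # responder, WAN 192.1.12.20
```

The algorithm choices the slides use (3DES, MD5, DH group 1) are 2005-era defaults; a current audit would also flag them as weak, which is a one-line addition to check_peers.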

Configuration of LAN-to-LAN IPsec – Viewing IPsec attributes

Assigned IPsec attributes can be viewed using the following commands:

Router# show crypto isakmp policy

Router# show crypto isakmp sa

Router# show crypto isakmp key

Router# show crypto ipsec transform-set

Router# show crypto map

Router# show crypto ipsec sa

Router# show crypto ipsec security-association lifetime

Configuration of LAN-to-LAN IPsec – Screenshots of Router 1 crypto (2 slides), Router 1 config (3 slides), Router 2 crypto (2 slides) and Router 2 config (3 slides) [screenshots not reproduced in this transcript]

Configuration of LAN-to-LAN IPsec – Debug output on router 1 (initiator, 6 slides) and on router 2 (responder, 3 slides) [debug output not reproduced in this transcript]
