© 2003, Cisco Systems, Inc. All rights reserved. SECUR 1.0—9-1
Chapter 9
Building IPSEC VPNS Using Cisco Routers
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Define two types of Cisco router VPN solutions.
• Describe the Cisco VPN router product family.
• Identify the IPSec and other open standards supported by Cisco VPN routers.
• Identify the component technologies of IPSec.
• Explain how IPSec works.
Objectives (cont.)
• Configure a Cisco router for IKE using pre-shared keys.
• Configure a Cisco router for IPSec using pre-shared keys.
• Verify the IKE and IPSec configuration.
• Explain the issues regarding configuring IPSec manually and using RSA encrypted nonces.
Cisco Routers Enable Secure VPNs
VPN Definition
VPN—An encrypted connection between private networks over a public network such as the Internet
[Figure: a central site server, two remote sites, and a mobile user connecting over analog, ISDN, cable, or DSL, all linked across the Internet]
Remote Access VPNs
Remote access VPN—Extension/evolution of dial
[Figure: telecommuter (DSL/cable), mobile, and extranet consumer-to-business remote access clients reach the central site router through service-provider POPs across the Internet]
Site-to-Site VPNs
[Figure: main office (7100/7200/7400 Series), regional office (3600/3700 Series), remote office (1700/2600 Series), and small office/home office (800/900 Series) routers interconnected across the Internet]
Cisco VPN Router Portfolio
[Figure: router models positioned by deployment tier, from Teleworker/SOHO through SMB/Small Branch, Enterprise Branch, and Large Branch to Enterprise HQ and Beyond: Cisco 800, Cisco 1700, Cisco 1760, Cisco 2600XM/2691, Cisco 3600, Cisco 3725, Cisco 3745]
Cisco VPN Router Portfolio—Large Enterprise
[Figure: large enterprise platforms: Cisco 7120, Cisco 7140, Cisco 7200/400, Cisco 7204/225, Cisco 7400, Cat 6500]
Small to Mid-Size—Cisco VPN Routers
• Hardware accelerators deliver enhanced encryption performance

| Platform | 800 | 925 | 1700 | 2621 | 2651 | 3620 | 3640 | 3660 |
|---|---|---|---|---|---|---|---|---|
| Maximum tunnels | 10 | 20 | 100 | 300 | 800 | 800 | 800 | 1300 |
| Performance (Mbps) | 0.384 | 6 | 4 | 12 | 15 | 10 | 18 | 40 |
| Hardware encryption | None | Yes | VPN module | AIM-VPN/BP | AIM-VPN/BP | NM-VPN/MP | NM-VPN/MP | AIM-VPN/BP |
Enterprise Size—Cisco VPN Routers
• Hardware accelerators deliver enhanced encryption performance

| Platform | 7120 | 7140 | 7140 | 7200 | 7400 | 7200 | CAT 6500 |
|---|---|---|---|---|---|---|---|
| Maximum tunnels | 2000 | 2000 | 3000 | 2000 | 5000 | 5000 | 8000 |
| Performance (Mbps) | 50 | 85 | 145 | 90 | 120 | 145 | 1.9 Gbps |
| Hardware encryption | ISM | ISM | VAM | ISA | VAM | VAM | Yes |
IPSec Overview
What Is IPSec?
• IPSec acts at the network layer, protecting and authenticating IP packets
– Framework of open standards; algorithm independent
– Provides data confidentiality, data integrity, and origin authentication
[Figure: IPSec from a main site (perimeter router, PIX Firewall, concentrator) across the Internet to a SOHO with a Cisco ISDN/DSL router, a mobile worker with a Cisco VPN Client on a laptop computer, a business partner with a Cisco router, and a regional office with a PIX Firewall]
IPSec Security Services
• Confidentiality
• Data integrity
• Origin authentication
• Anti-replay protection
Confidentiality (Encryption)
[Figure: a quarterly report ("Earnings off by 15%") is sent to a server across the Internet in the clear, and an eavesdropper reads it: "This quarterly report does not look so good. Hmmm . . . ."]
Types of Encryption
[Figure: the cleartext check "Pay to Terry Smith $100.00 / One Hundred and xx/100 Dollars" passes through an encryption algorithm and crosses the Internet as the ciphertext "4ehIDx67NMop9eRU78IOPotVBn45TR"; an eavesdropper sees only "Hmmm . . . . I cannot read a thing," and the encryption algorithm at the far end restores the cleartext]
DH Key Exchange
[Figure: Terry and Alex exchange public keys in protocol messages across the Internet. One side combines public key A with private key B to get shared secret key (BA); the other combines public key B with private key A to get shared secret key (AB); the two keys are equal. Each side then uses the shared key on the data traffic, so the check "Pay to Terry Smith $100.00 / One Hundred and xx/100 Dollars" crosses the Internet as "4ehIDx67NMop9eRU78IOPotVBn45TR" and is decrypted at the far end]
DH Key Exchange
Peer A:
1. Generate large integer p. Send p to Peer B. Receive q. Generate g.
2. Generate private key XA.
3. Generate public key YA = g^XA mod p.
4. Send public key YA.
5. Generate shared secret number ZZ = YB^XA mod p.
6. Generate shared secret key from ZZ (DES, 3DES, or AES).

Peer B:
1. Generate large integer q. Send q to Peer A. Receive p. Generate g.
2. Generate private key XB.
3. Generate public key YB = g^XB mod p.
4. Send public key YB.
5. Generate shared secret number ZZ = YA^XB mod p.
6. Generate shared secret key from ZZ (DES, 3DES, or AES).
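The six steps above, worked through as an added Python example (not code from the Cisco course): both peers run the same arithmetic with the page's symbols XA, YA, XB, YB and ZZ, and each validates the peer's public value before using it, which is the check a defender wants against degenerate values. It assumes a constructed safe-prime group generated at runtime in place of IKE's fixed DH group 1 or 2 modulus, and a SHA-256 hash of ZZ as the step 6 key derivation; `Peer`, `generate_group` and `run_exchange` are names introduced here.

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic, error below 4**-rounds)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits: int):
    """Step 1 (simplified): agree on p and g. Constructed safe prime p = 2q + 1
    and a generator g of the order-q subgroup; IKE uses a fixed group instead."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    g = pow(secrets.randbelow(p - 3) + 2, 2, p)   # any square other than 1 has order q
    return p, g


def validate_public_value(y: int, p: int) -> None:
    """Reject degenerate peer values (0, 1, p-1) and anything outside the
    order-q subgroup; accepting them would force ZZ into a tiny, guessable set."""
    q = (p - 1) // 2
    if not 1 < y < p - 1 or pow(y, q, p) != 1:
        raise ValueError("invalid Diffie-Hellman public value from peer")


class Peer:
    def __init__(self, p: int, g: int):
        self.p, self.g = p, g
        q = (p - 1) // 2
        self.x = secrets.randbelow(q - 2) + 2    # step 2: private key X in [2, q-1]
        self.y = pow(g, self.x, p)               # step 3: public key Y = g^X mod p

    def shared_secret(self, peer_y: int) -> int:
        validate_public_value(peer_y, self.p)    # check the value received in step 4
        return pow(peer_y, self.x, self.p)       # step 5: ZZ = Y_peer^X mod p


def derive_key(zz: int, p: int, key_len: int) -> bytes:
    """Step 6 (constructed KDF): hash the fixed-width ZZ down to a symmetric
    key; key_len 8 for DES, 24 for 3DES, 16 or 32 for AES."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(zz.to_bytes(width, "big")).digest()[:key_len]


def run_exchange(bits: int = 64, key_len: int = 24):
    """Full exchange between Peer A and Peer B; returns both derived keys."""
    p, g = generate_group(bits)
    peer_a, peer_b = Peer(p, g), Peer(p, g)
    zz_a = peer_a.shared_secret(peer_b.y)        # A receives YB
    zz_b = peer_b.shared_secret(peer_a.y)        # B receives YA
    return derive_key(zz_a, p, key_len), derive_key(zz_b, p, key_len)


if __name__ == "__main__":
    key_a, key_b = run_exchange()
    print("keys match:", key_a == key_b, key_a.hex())
```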
RSA Encryption
[Figure: Local encrypts the check "Pay to Terry Smith $100.00 / One Hundred and xx/100 Dollars" with Remote's public key, producing "KJklzeAidJfdlwiej47DlItfd578MNSbXoE"; Remote decrypts it with Remote's private key]
Encryption Algorithms
Encryption algorithms
• DES
• 3DES
• AES
• RSA
[Figure: the check "Pay to Terry Smith $100.00 / One Hundred and xx/100 Dollars" is transformed with the encryption key into "4ehIDx67NMop9eRU78IOPotVBn45TR" and restored with the decryption key]
Data Integrity
[Figure: the check "Pay to Terry Smith $100.00 / One Hundred and xx/100 Dollars" is altered in transit across the Internet to "Pay to Alex Jones $1000.00 / One Thousand and xx/100 Dollars" by someone claiming "Yes, I am Alex Jones"; the hash of the original (4ehIDx67NMop9) and of the altered check (12ehqPx67NMoX) differ. Match = no changes; no match = alterations]
HMAC
[Figure: (1) Local feeds the variable-length input message and the shared secret key into the hash function to get 4ehIDx67NMop9, and sends message + hash. (2) Remote feeds the received message and the shared secret key into the hash function and compares the result with the received hash]
HMAC Algorithms
HMAC algorithms
• HMAC-MD5
• HMAC-SHA-1
[Figure: the same check run through the hash function at both ends gives the same value, 4ehIDx67NMop9]
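The Data Integrity and HMAC slides above, as an added Python example (not part of the course material): a plain hash appended to the check can be recomputed by whoever alters it in transit, whereas an HMAC-SHA-1 or HMAC-MD5 tag keyed with the shared secret cannot be recomputed without that key. The two check texts and the keys are constructed, and `altered_in_transit` is a model of tampering introduced here.

```python
import hashlib
import hmac
import secrets

# Constructed messages, taken from the check example on the slides
CHECK = b"Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars"
FORGED = b"Pay to Alex Jones $1000.00 One Thousand and xx/100 Dollars"


def plain_hash(message: bytes, algo: str = "md5") -> bytes:
    """Unkeyed hash: whoever can alter the message can also recompute this."""
    return hashlib.new(algo, message).digest()


def hmac_tag(key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """Keyed hash over the variable-length message with the shared secret key:
    algo 'sha1' gives HMAC-SHA-1 (20 bytes), 'md5' gives HMAC-MD5 (16 bytes)."""
    return hmac.new(key, message, algo).digest()


def verify(expected: bytes, received: bytes) -> bool:
    """Compare in constant time so a mismatch leaks no timing information."""
    return hmac.compare_digest(expected, received)


def altered_in_transit(recompute):
    """Model of tampering on the Internet: the forged check replaces the
    original, with the integrity value recomputed from what the tamperer has."""
    return FORGED, recompute(FORGED)


def plain_hash_is_fooled() -> bool:
    """Receiver of message + plain hash: the altered check still 'matches'."""
    message, digest = altered_in_transit(plain_hash)
    return verify(plain_hash(message), digest)             # True: not detected


def hmac_is_fooled(shared_key: bytes) -> bool:
    """Receiver of message + HMAC: without the shared secret key the tamperer
    can only guess a key, so the recomputed tag does not match."""
    guessed_key = secrets.token_bytes(20)
    message, tag = altered_in_transit(lambda m: hmac_tag(guessed_key, m))
    return verify(hmac_tag(shared_key, message), tag)      # False: detected


def hmac_accepts_genuine(shared_key: bytes) -> bool:
    """The unaltered check, tagged with the same shared key, verifies."""
    message, tag = CHECK, hmac_tag(shared_key, CHECK)
    return verify(hmac_tag(shared_key, message), tag)      # True


if __name__ == "__main__":
    key = secrets.token_bytes(20)
    print("plain hash fooled:", plain_hash_is_fooled())
    print("HMAC fooled:", hmac_is_fooled(key))
    print("HMAC accepts genuine:", hmac_accepts_genuine(key))
```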
Digital Signatures
[Figure: Local runs the check "Pay to Terry Smith $100.00 / One Hundred and xx/100 Dollars" through a hash algorithm to get the hash 4ehIDx67NMop9 and encrypts that hash with its private key; the signature travels with the check across the Internet. Remote decrypts the signature with Local's public key, hashes the received check with the same hash algorithm, and checks that the two hashes match]
Peer Authentication
Peer authentication methods:
• Pre-shared keys
• RSA signatures
• RSA encrypted nonces
[Figure: peer authentication between a remote office router and the corporate office router in front of the HR servers, across the Internet]
Pre-Shared Keys
[Figure: the local peer hashes the authentication key together with its ID information to produce the authenticating hash (Hash_L) and sends it across the Internet with the ID information; the remote router hashes its own copy of the authentication key with the received ID information and compares the computed hash with the received Hash_L]
RSA Signatures
[Figure: (1) Local hashes the authentication key and ID information to get Hash_I, encrypts the hash with its private key to form the digital signature, and sends it across the Internet with its digital certificate. (2) Remote takes Local's public key from the certificate, decrypts the signature to recover Hash_I, hashes the received ID information with the authentication key, and compares the two hashes]
RSA Encrypted Nonces
[Figure: Local hashes the authentication key with its ID information to produce the authenticating hash (Hash_I) and sends it across the Internet with the ID information; Remote computes its own Hash_I from the authentication key and the received ID information and compares it with the received hash]
IPSec Protocol Framework
IPSec Security Protocols
The Authentication Header provides the following:
• Authentication
• Integrity
The Encapsulating Security Payload provides the following:
• Encryption
• Authentication
• Integrity
[Figure: with the Authentication Header, all data travels in clear text between Router A and Router B; with the Encapsulating Security Payload, the data payload is encrypted]
Authentication Header
• Ensures data integrity
• Provides origin authentication (ensures packets definitely came from peer router)
• Uses keyed-hash mechanism
• Does not provide confidentiality (no encryption)
• Provides anti-replay protection
[Figure: all data in clear text between Router A and Router B]
AH Authentication and Integrity
[Figure: Router A hashes IP header + data + key to produce the authentication data (00ABCDEF) carried in the AH; the packet IP HDR | AH | Data crosses the Internet; Router B re-computes the hash over IP header + data + key and compares it with the received hash (00ABCDEF)]
ESP
• Data confidentiality (encryption)
• Data integrity
• Data origin authentication
• Anti-replay protection
[Figure: data payload is encrypted between Router A and Router B]
ESP Protocol
• Provides confidentiality with encryption
• Provides integrity with authentication
[Figure: the original packet IP HDR | Data leaves one router as New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth, crosses the Internet, and is restored to IP HDR | Data by the other router; IP HDR through ESP Trailer is encrypted, and ESP HDR through ESP Trailer is authenticated]
Modes of Use—Tunnel versus Transport Mode
Original packet: IP HDR | Data
Transport mode: IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth
– Encrypted: Data and ESP Trailer; Authenticated: ESP HDR through ESP Trailer
Tunnel mode: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth
– Encrypted: IP HDR through ESP Trailer; Authenticated: ESP HDR through ESP Trailer
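The two layouts above, built and verified in an added Python example (not code from the course or from Cisco IOS): a constructed packet is framed as ESP with the esp-null cipher plus esp-sha-hmac authentication (HMAC-SHA-1 truncated to 96 bits, two of the transforms listed later in this chapter) in either tunnel or transport mode, and the receiving side looks up the SA by SPI, checks the ICV in constant time, and enforces a sliding anti-replay window before stripping the framing. It assumes minimal constructed IPv4 headers with no checksum, and the SPI, key, and addresses are made up; `Sa`, `esp_encapsulate`, `esp_decapsulate` and `demo` are names introduced here.

```python
import hmac
import ipaddress
import struct

ESP_PROTO, IPIP_PROTO, TCP_PROTO = 50, 4, 6
ICV_LEN = 12   # esp-sha-hmac is HMAC-SHA-1-96: the 20-byte HMAC truncated to 96 bits
WINDOW = 64    # anti-replay window width, in sequence numbers


def ipv4_header(src, dst, proto, payload_len):
    """Constructed minimal 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


class Sa:
    """One ESP security association: SPI, shared auth key, mode, tunnel endpoints."""

    def __init__(self, spi, auth_key, mode, local, peer):
        self.spi, self.auth_key, self.mode = spi, auth_key, mode
        self.local, self.peer = local, peer
        self.seq = 0                      # outbound: last sequence number sent
        self.top, self.bitmap = 0, 0      # inbound: highest seq accepted, window bitmap


def esp_encapsulate(sa, ip_hdr, data):
    """Outbound: [IP HDR] ESP HDR | payload | ESP trailer | ESP auth."""
    sa.seq += 1
    if sa.mode == "tunnel":
        payload, next_hdr = ip_hdr + data, IPIP_PROTO     # whole inner packet is carried
    else:
        payload, next_hdr = data, ip_hdr[9]               # transport: payload only
    pad_len = (-(len(payload) + 2)) % 4                   # trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    body = struct.pack("!II", sa.spi, sa.seq) + payload + trailer
    icv = hmac.new(sa.auth_key, body, "sha1").digest()[:ICV_LEN]   # covers ESP HDR..trailer
    esp = body + icv                                      # esp-null: payload stays in clear
    if sa.mode == "tunnel":
        outer = ipv4_header(sa.local, sa.peer, ESP_PROTO, len(esp))             # new IP HDR
    else:
        outer = ipv4_header(ip_hdr[12:16], ip_hdr[16:20], ESP_PROTO, len(esp))  # same hosts
    return outer + esp


def check_replay(sa, seq):
    """Sliding-window anti-replay check; bit 0 of the bitmap stands for sa.top."""
    if seq == 0:
        raise ValueError("sequence number 0 is never valid")
    if seq > sa.top:                                      # newer than anything seen: slide
        shift = seq - sa.top
        sa.bitmap = (sa.bitmap << shift) & ((1 << WINDOW) - 1) if shift < WINDOW else 0
        sa.bitmap |= 1
        sa.top = seq
        return
    offset = sa.top - seq
    if offset >= WINDOW:
        raise ValueError("sequence number too old")
    if (sa.bitmap >> offset) & 1:
        raise ValueError("replayed packet")
    sa.bitmap |= 1 << offset


def esp_decapsulate(sa_db, packet):
    """Inbound: find the SA by SPI, verify the ICV, check replay, strip the framing."""
    outer, esp = packet[:20], packet[20:]
    if outer[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sa_db.get(spi)
    if sa is None:
        raise ValueError("no SA for SPI %#x" % spi)
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, "sha1").digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet altered or wrong key")
    check_replay(sa, seq)                                  # only after authentication
    pad_len, next_hdr = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    if next_hdr == IPIP_PROTO:                             # tunnel mode: inner IP HDR + data
        return payload[:20], payload[20:]
    return ipv4_header(outer[12:16], outer[16:20], next_hdr, len(payload)), payload


def demo(mode):
    """Router A protects Host A -> Host B traffic; Router B unprotects it."""
    key = b"constructed-shared-auth-key"                  # IKE would negotiate this
    out_sa = Sa(0x1234, key, mode, "172.30.1.2", "172.30.2.2")
    in_sa = Sa(0x1234, key, mode, "172.30.2.2", "172.30.1.2")
    data = b"GET / HTTP/1.0\r\n\r\n"
    inner = ipv4_header("10.0.1.3", "10.0.2.3", TCP_PROTO, len(data))
    packet = esp_encapsulate(out_sa, inner, data)
    hdr, payload = esp_decapsulate({in_sa.spi: in_sa}, packet)
    return packet, hdr, payload, in_sa
```

Call `demo("tunnel")` or `demo("transport")` to see the framed packet and the recovered header and payload; feeding the same packet to the same inbound SA a second time raises the replay error.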
Tunnel Mode
[Figure: tunnel-mode IPSec from a remote office to the corporate office HR servers, and from a home office to the corporate office HR servers, across the Internet]
IPSec Protocol—Framework
IPSec Framework choices:
• IPSec Protocol: ESP, AH
• Encryption: DES, 3DES, AES
• Authentication: MD5, SHA
• Diffie-Hellman: DH1, DH2
How IPSec Works
Five Steps of IPSec
• Interesting Traffic—The VPN devices recognize the traffic to protect.
• IKE Phase 1—The VPN devices negotiate an IKE security policy and establish a secure channel.
• IKE Phase 2—The VPN devices negotiate an IPSec security policy used to protect IPSec data.
• Data transfer—The VPN devices apply security services to traffic and then transmit the traffic.
• Tunnel terminated—The tunnel is torn down.
[Figure: Host A and Host B connected through Router A and Router B]
Step 1—Interesting Traffic
[Figure: traffic from Host A (10.0.1.3) to Host B (10.0.2.3) reaches Router A, which either applies IPSec or bypasses IPSec and sends it in cleartext to Router B]
Step 2—IKE Phase 1
[Figure: IKE Phase 1 main mode exchange between Router A and Router B (Host A 10.0.1.3, Host B 10.0.2.3); each side negotiates the policy, performs the DH exchange, and verifies the peer identity]
IKE Transform Sets
• Negotiates matching IKE transform sets to protect IKE exchange
[Figure: Router A and Router B (Host A 10.0.1.3, Host B 10.0.2.3) negotiate IKE proposals from their IKE policy sets: Transform 10 (DES, MD5, pre-share, DH1, lifetime), Transform 15 (DES, MD5, pre-share, DH1, lifetime), and Transform 20 (3DES, SHA, pre-share, DH1, lifetime)]
DH Key Exchange
[Figure: repeat of the earlier DH Key Exchange slide: Terry and Alex derive the same shared secret key (BA = AB) from the peer's public key and their own private key, then encrypt and decrypt the check "Pay to Terry Smith $100.00 / One Hundred and xx/100 Dollars" with it, which crosses the Internet as "4ehIDx67NMop9eRU78IOPotVBn45TR"]
Authenticate Peer Identity
Peer authentication methods
• Pre-shared keys
• RSA signatures
• RSA encrypted nonces
[Figure: peer authentication between a remote office and the corporate office HR servers across the Internet]
Step 3—IKE Phase 2
[Figure: Router A and Router B (Host A 10.0.1.3, Host B 10.0.2.3) negotiate IPSec security parameters]
IPSec Transform Sets
• A transform set is a combination of algorithms and protocols that enact a security policy for traffic.
[Figure: Router A and Router B (Host A 10.0.1.3, Host B 10.0.2.3) negotiate transform sets: Transform set 30 (ESP, 3DES, SHA, tunnel, lifetime), Transform set 40 (ESP, DES, MD5, tunnel, lifetime), and Transform set 55 (ESP, 3DES, SHA, tunnel, lifetime)]
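The IKE Transform Sets slide in Step 2 and the IPSec Transform Sets slide above, worked as one added Python example (not from the course): the responder scans its own policies in priority order for the first suite the initiator also offered, the shorter lifetime is used, and a policy set with no common suite yields no match, which is the misconfiguration the preparation steps later in the chapter aim to avoid. It assumes the ISAKMP matching rule Cisco IOS documents (same encryption, hash, authentication method and DH group, with the offered lifetime no longer than the local one) and applies the analogous rule to IPSec transform sets (same protocol, cipher, HMAC and mode); which router holds which numbered set is a constructed assignment, since the slides do not say.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IkePolicy:
    """One IKE phase 1 policy (a 'crypto isakmp policy <priority>' entry)."""
    priority: int               # lower number = tried first
    encryption: str             # "des" / "3des" / "aes"
    hash: str                   # "md5" / "sha"
    authentication: str         # "pre-share" / "rsa-sig" / "rsa-encr"
    group: int                  # DH group 1 or 2
    lifetime: int = 86400       # seconds

    def same_suite(self, other) -> bool:
        mine = (self.encryption, self.hash, self.authentication, self.group)
        return mine == (other.encryption, other.hash, other.authentication, other.group)


@dataclass(frozen=True)
class IpsecTransformSet:
    """One IKE phase 2 proposal (a 'crypto ipsec transform-set' entry)."""
    name: int                   # the slides number them 30, 40, 55
    protocol: str               # "esp" / "ah"
    encryption: Optional[str]   # "des" / "3des" / None for esp-null or AH
    auth: str                   # "md5" / "sha"
    mode: str                   # "tunnel" / "transport"
    lifetime: int = 3600        # seconds

    def same_suite(self, other) -> bool:
        mine = (self.protocol, self.encryption, self.auth, self.mode)
        return mine == (other.protocol, other.encryption, other.auth, other.mode)


def negotiate(local, offered):
    """Responder side: walk local entries in the given order and take the first
    one the initiator also offered whose lifetime is no longer than ours; the
    negotiated lifetime is the shorter. Returns (local, offered, lifetime), or
    None when the two policy sets share no suite (a misconfiguration)."""
    for mine in local:
        for theirs in offered:
            if mine.same_suite(theirs) and theirs.lifetime <= mine.lifetime:
                return mine, theirs, min(mine.lifetime, theirs.lifetime)
    return None


def ike_phase1(initiator_policies, responder_policies):
    """IKE policies are compared in priority order on both sides."""
    def by_priority(policy):
        return policy.priority
    return negotiate(sorted(responder_policies, key=by_priority),
                     sorted(initiator_policies, key=by_priority))


def ike_phase2(initiator_sets, responder_sets):
    """Transform sets are tried in the order they are listed for the crypto map entry."""
    return negotiate(responder_sets, initiator_sets)


# Constructed assignment of the slides' numbered sets to the two routers
ROUTER_A_IKE = [IkePolicy(10, "des", "md5", "pre-share", 1),
                IkePolicy(20, "3des", "sha", "pre-share", 1)]
ROUTER_B_IKE = [IkePolicy(15, "des", "md5", "pre-share", 1)]
ROUTER_A_IPSEC = [IpsecTransformSet(55, "esp", "3des", "sha", "tunnel"),
                  IpsecTransformSet(40, "esp", "des", "md5", "tunnel")]
ROUTER_B_IPSEC = [IpsecTransformSet(30, "esp", "3des", "sha", "tunnel")]


if __name__ == "__main__":
    print("phase 1:", ike_phase1(ROUTER_A_IKE, ROUTER_B_IKE))
    print("phase 2:", ike_phase2(ROUTER_A_IPSEC, ROUTER_B_IPSEC))
    print("mismatch:", ike_phase1(ROUTER_A_IKE, [IkePolicy(15, "des", "md5", "pre-share", 2)]))
```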
Security Associations (SA)
SA Db
• Destination IP address
• SPI
• Protocol (ESP or AH)
Security Policy Db
• Encryption Algorithm
• Authentication Algorithm
• Mode
• Key lifetime
[Figure: two SA entries at a bank's router, one per peer across the Internet: 192.168.2.1, SPI 12, ESP/3DES/SHA, tunnel, 28800; and 192.168.12.1, SPI 39, ESP/DES/MD5, tunnel, 28800]
SA Lifetime
[Figure: an SA lifetime is either data-based or time-based]
Step 4—IPSec Session
• SAs are exchanged between peers.
• The negotiated security services are applied to the traffic.
[Figure: IPSec session between Host A and Host B through Router A and Router B]
Step 5—Tunnel Termination
• A tunnel is terminated
– By an SA lifetime timeout
– If the packet counter is exceeded
• Removes IPSec SA
[Figure: IPSec tunnel between Router A and Router B carrying Host A to Host B traffic]
Configuring IPSec Encryption
Tasks to Configure IPSec Encryption
Task 1—Prepare for IKE and IPSec.
Task 2—Configure IKE.
Task 3—Configure IPSec.
Task 4—Test and Verify IPSec.
Task 1—Prepare for IKE and IPSec
Step 1—Determine IKE (IKE phase one) policy.
Step 2—Determine IPSec (IKE phase two) policy.
Step 3—Check the current configuration: show running-configuration, show crypto isakmp policy, show crypto map
Step 4—Ensure the network works without encryption: ping
Step 5—Ensure access lists are compatible with IPSec: show access-lists
Step 1—Determine IKE (IKE Phase One) Policy
Determine the following policy details:
• Key distribution method
• Authentication method
• IPSec peer IP addresses and hostnames
• IKE phase 1 policies for all peers
– Encryption algorithm
– Hash algorithm
– IKE SA lifetime
Goal: Minimize misconfiguration.
IKE Phase One Policy Parameters

| Parameter | Strong | Stronger |
|---|---|---|
| Encryption algorithm | DES | 3DES |
| Hash algorithm | MD5 | SHA-1 |
| Authentication method | Pre-shared | RSA encryption, RSA signature |
| Key exchange | DH Group 1 | DH Group 2 |
| IKE SA lifetime | 86400 seconds | < 86400 seconds |
IKE Policy Example
[Figure: Site 1 host A (10.0.1.3) behind RouterA, E0/1 172.30.1.2; Site 2 host B (10.0.2.3) behind RouterB, E0/1 172.30.2.2; the routers connect across the Internet]

| Parameter | Site 1 | Site 2 |
|---|---|---|
| Encryption algorithm | DES | DES |
| Hash algorithm | MD5 | MD5 |
| Authentication method | Pre-shared keys | Pre-shared keys |
| Key exchange | DH Group 1 | DH Group 1 |
| IKE SA lifetime | 86400 seconds | 86400 seconds |
| Peer IP address | 172.30.2.2 | 172.30.1.2 |
Step 2—Determine IPSec (IKE Phase Two) Policy
Determine the following policy details:
• IPSec algorithms and parameters for optimal security and performance
• Transforms and, if necessary, transform sets
• IPSec peer details
• IP address and applications of hosts to be protected
• Manual or IKE-initiated SAs
Goal: Minimize misconfiguration.
IPSec Transforms Supported in Cisco IOS Software
Cisco IOS software supports the following IPSec transforms:

    RouterA(config)# crypto ipsec transform-set transform-set-name ?
      ah-md5-hmac   AH-HMAC-MD5 transform
      ah-sha-hmac   AH-HMAC-SHA transform
      esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
      esp-des       ESP transform using DES cipher (56 bits)
      esp-md5-hmac  ESP transform using HMAC-MD5 auth
      esp-sha-hmac  ESP transform using HMAC-SHA auth
      esp-null      ESP transform w/o cipher
IPSec Policy Example
[Figure: Site 1 host A (10.0.1.3) behind RouterA, E0/1 172.30.1.2; Site 2 host B (10.0.2.3) behind RouterB, E0/1 172.30.2.2; the routers connect across the Internet]

| Policy | Site 1 | Site 2 |
|---|---|---|
| Transform set | ESP-DES, tunnel | ESP-DES, tunnel |
| Peer hostname | RouterB | RouterA |
| Peer IP address | 172.30.2.2 | 172.30.1.2 |
| Hosts to be encrypted | 10.0.1.3 | 10.0.2.3 |
| Traffic (packet) type to be encrypted | TCP | TCP |
| SA establishment | ipsec-isakmp | ipsec-isakmp |
Identify IPSec Peers
(Figure: a Cisco router and the peers it may form IPSec SAs with.)
• Cisco router
• Remote user with Cisco VPN Client
• Other vendor's IPSec peers
• Cisco PIX Firewall
• CA server
Step 3—Check Current Configuration
router# show crypto isakmp policy
• View default and any configured IKE phase one policies.
router# show running-config
• View router configuration for existing IPSec policies.
RouterA# show crypto isakmp policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Step 3—Check Current Configuration (cont.)
router# show crypto map
• View any configured crypto maps.
RouterA# show crypto map
Crypto Map "mymap" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 102
            access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ mine, }
Step 3—Check Current Configuration (cont.)
router# show crypto ipsec transform-set
• View any configured transform sets.
RouterA# show crypto ipsec transform-set mine
Transform set mine: { esp-des }
   will negotiate = { Tunnel, },
Step 4—Ensure the Network Works
RouterA# ping 172.30.2.2
(Figure: Cisco RouterA 172.30.1.2 and its possible peers: Cisco RouterB 172.30.2.2, a remote user with the Cisco Unified VPN client, other vendors' IPSec peers, a Cisco PIX Firewall, and a CA server.)
Step 5—Ensure Access Lists are Compatible with IPSec
• Ensure protocols 50 and 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec.
RouterA# show access-lists
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
(Figure labels: the three entries are marked AH, ESP, and IKE; Site 1 RouterA E0/1 172.30.1.2, Internet, RouterB E0/1 172.30.2.2 Site 2.)
Task 2—Configure IKE
Task 2—Configure IKE
Step 1—Enable or disable IKE. (crypto isakmp enable)
Step 2—Create IKE policies. (crypto isakmp policy)
Step 3—Configure pre-shared keys. (crypto isakmp key)
Step 4—Verify the IKE configuration. (show crypto isakmp policy)
Step 1—Enable or Disable IKE
router(config)# [no] crypto isakmp enable
• Globally enables or disables IKE at your router.
• IKE is enabled by default.
• IKE is enabled globally for all interfaces at the router.
• Use the no form of the command to disable IKE.
• An ACL can be used to block IKE on a particular interface.
RouterA(config)# no crypto isakmp enable
RouterA(config)# crypto isakmp enable
Step 2—Create IKE Policies
router(config)# crypto isakmp policy priority
• Defines an IKE policy, which is a set of parameters used during IKE negotiation.
• Invokes the config-isakmp command mode.
RouterA(config)# crypto isakmp policy 110
Create IKE Policies with the crypto isakmp Command
router(config)# crypto isakmp policy priority
• Defines the parameters within the IKE policy 110.
RouterA(config)# crypto isakmp policy 110
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# group 1
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# lifetime 86400
(Figure: policy 110 shown on the tunnel between RouterA and RouterB: DES, MD5, Pre-Share, 86400.)
IKE Policy Negotiation
RouterA(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp policy 200
 authentication rsa-sig
 hash sha
crypto isakmp policy 300
 authentication pre-share
 hash md5
RouterB(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp policy 200
 authentication rsa-sig
 hash sha
crypto isakmp policy 300
 authentication rsa-sig
 hash md5
• The first two policies in each router can be successfully negotiated, while the last one cannot.
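How the two policy lists on this slide are compared, as an added example in Python (not part of the course and not Cisco code). Suites match when encryption, hash, authentication method and Diffie-Hellman group are identical; attributes a policy does not set take the default protection suite values from the show crypto isakmp policy output on the slides. The lifetime rule (the remote peer's lifetime may not exceed the local one, and the shorter value is used) is an assumption modelled after IOS documentation rather than something the slide states.

```python
"""Model of IKE phase one policy negotiation between two IOS peers.

Added example, not course or Cisco code. Suites match when encryption,
hash, authentication and Diffie-Hellman group are identical; the lifetime
rule (remote lifetime may not exceed the local one, shorter value wins) is
an assumption modelled after IOS documentation. Unset attributes take the
default-suite values shown on the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encr: str = "des"        # default protection suite values from the slides
    hash_alg: str = "sha"
    auth: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400

    def same_suite(self, other: "IkePolicy") -> bool:
        """The four attributes that must be identical for two policies to match."""
        return (self.encr == other.encr and self.hash_alg == other.hash_alg
                and self.auth == other.auth and self.group == other.group)


def compare_by_priority(local, remote):
    """Pairwise view used on the slide: does policy N on one router match policy N on the other?"""
    remote_by_prio = {p.priority: p for p in remote}
    return {p.priority: (p.priority in remote_by_prio
                         and p.same_suite(remote_by_prio[p.priority]))
            for p in local}


def responder_match(local, proposals):
    """Responder-side negotiation: walk the local policies in priority order (lowest
    number first) and return (local_priority, remote_priority, lifetime) for the first
    acceptable proposal, or None when the peers share no policy."""
    for lp in sorted(local, key=lambda p: p.priority):
        for rp in proposals:
            # assumed lifetime rule: remote lifetime must not exceed the local one
            if lp.same_suite(rp) and rp.lifetime <= lp.lifetime:
                return lp.priority, rp.priority, min(lp.lifetime, rp.lifetime)
    return None


# Policies from the IKE Policy Negotiation slide; everything not set uses the defaults.
ROUTER_A = [IkePolicy(100, hash_alg="md5", auth="pre-share"),
            IkePolicy(200, auth="rsa-sig", hash_alg="sha"),
            IkePolicy(300, auth="pre-share", hash_alg="md5")]
ROUTER_B = [IkePolicy(100, hash_alg="md5", auth="pre-share"),
            IkePolicy(200, auth="rsa-sig", hash_alg="sha"),
            IkePolicy(300, auth="rsa-sig", hash_alg="md5")]

if __name__ == "__main__":
    print("pairwise:", compare_by_priority(ROUTER_A, ROUTER_B))
    print("RouterB as responder picks:", responder_match(ROUTER_B, ROUTER_A))
```

compare_by_priority reproduces the slide's reading (100 and 200 match, 300 does not). responder_match shows the order dependence a verifier should keep in mind: the responder checks its own policies from the lowest priority number upward against every proposal received, so the unmatched policy 300 never blocks the exchange while policy 100 matches, and a proposal that happens to equal an earlier local policy is accepted under that earlier policy.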
Step 3—Configure ISAKMP Identity
router(config)# crypto isakmp identity {address | hostname}
• Defines whether ISAKMP identity is done by IP address or hostname.
• Use consistently across ISAKMP peers.
Step 3—Configure Pre-Shared Keys
router(config)# crypto isakmp key keystring address peer-address
router(config)# crypto isakmp key keystring hostname hostname
• Assigns a keystring and the peer address.
• The peer's IP address or host name can be used.
RouterA(config)# crypto isakmp key cisco1234 address 172.30.2.2
(Figure: pre-shared key Cisco1234 between RouterA and RouterB 172.30.2.2.)
Step 4—Verify the IKE Configuration
• Displays configured and default IKE policies.
RouterA# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Task 3—Configure IPSec
Task 3—Configure IPSec
Step 1—Configure transform set suites. (crypto ipsec transform-set)
Step 2—Configure global IPSec SA lifetimes. (crypto ipsec security-association lifetime)
Step 3—Create crypto access lists. (access-list)
Task 3—Configure IPSec (cont.)
Step 4—Create crypto maps. (crypto map)
Step 5—Apply crypto maps to interfaces. (interface serial0, crypto map)
Step 1—Configure Transform Set Suites
Configure Transform Sets
router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
router(cfg-crypto-trans)#
• A transform set is a combination of IPSec transforms that enact a security policy for traffic.
• Sets are limited to up to one AH and up to two ESP transforms.
RouterA(config)# crypto ipsec transform-set mine esp-des
(Figure: transform set "mine", esp-des, tunnel mode, between RouterA and RouterB.)
Transform Set Negotiation
• Transform sets are negotiated during IKE phase two.
RouterA:
transform-set 10 esp-3des tunnel
transform-set 20 esp-des, esp-md5-hmac tunnel
transform-set 30 esp-3des, esp-sha-hmac tunnel
RouterB:
transform-set 40 esp-des tunnel
transform-set 50 esp-des, ah-sha-hmac tunnel
transform-set 60 esp-3des, esp-sha-hmac tunnel
Match: transform-set 30 and transform-set 60 (esp-3des, esp-sha-hmac, tunnel).
Step 2—Configure Global IPSec Security Association Lifetimes
crypto ipsec security-association lifetime Command
router(config)# crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
• Configures global IPSec SA lifetime values used when negotiating IPSec security associations.
• IPSec SA lifetimes are negotiated during IKE phase two.
• Can optionally configure interface-specific IPSec SA lifetimes in crypto maps.
• IPSec SA lifetimes in crypto maps override global IPSec SA lifetimes.
RouterA(config)# crypto ipsec security-association lifetime seconds 86400
Global Security Association Lifetime Examples
• When a security association expires, a new one is negotiated without interrupting the data flow.
RouterA(config)# crypto ipsec security-association lifetime kilobytes 1382400
RouterA(config)# crypto ipsec security-association lifetime seconds 2700
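The transform-set rules and the phase two negotiation from the preceding slides, plus the lifetime precedence just described, as one added example in Python (not part of the course and not Cisco code). It applies the stated limit of one AH and two ESP transforms per set (read here as one ESP cipher plus one ESP authenticator), warns when a set carries no integrity protection, selects the first proposal both peers offer in crypto-map order, and models the rule that a crypto-map lifetime overrides the global one. The default lifetime values come from the show crypto map output on the slides; that the negotiated SA lifetime is the smaller of the two peers' values is an assumption.

```python
"""Transform-set checks and IKE phase two proposal selection.

Added example, not course or Cisco code. validate_transform_set applies the
slide's limit (at most one AH transform and at most two ESP transforms, read
here as one ESP cipher plus one ESP authenticator) and warns when a set has no
integrity protection. negotiate_transform_set returns the first pair of
identical proposals in crypto-map order. The lifetime helpers model the
slides' rule that a crypto-map lifetime overrides the global one; that the
negotiated lifetime is the smaller of the two peers' values is an assumption.
"""
AH_TRANSFORMS = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
KNOWN = AH_TRANSFORMS | ESP_CIPHERS | ESP_AUTH

# IOS defaults visible in the show crypto map output on the slides
DEFAULT_SECONDS, DEFAULT_KILOBYTES = 3600, 4608000


def validate_transform_set(transforms):
    """Return (errors, warnings) for one transform set."""
    errors, warnings = [], []
    unknown = sorted(t for t in transforms if t not in KNOWN)
    if unknown:
        errors.append(f"unknown transform(s): {unknown}")
    if len(transforms) > 3:
        errors.append("more than three transforms")
    if sum(t in AH_TRANSFORMS for t in transforms) > 1:
        errors.append("more than one AH transform")
    if sum(t in ESP_CIPHERS for t in transforms) > 1:
        errors.append("more than one ESP cipher")
    if sum(t in ESP_AUTH for t in transforms) > 1:
        errors.append("more than one ESP authenticator")
    if not any(t in AH_TRANSFORMS or t in ESP_AUTH for t in transforms):
        warnings.append("no integrity protection (no AH or ESP HMAC transform)")
    return errors, warnings


def negotiate_transform_set(local_sets, remote_sets):
    """Each entry is (seq, transforms, mode). Return (local_seq, remote_seq) of the first
    proposal both sides offer with identical transforms and mode, else None."""
    for lseq, lset, lmode in local_sets:
        for rseq, rset, rmode in remote_sets:
            if frozenset(lset) == frozenset(rset) and lmode == rmode:
                return lseq, rseq
    return None


def effective_lifetime(global_seconds=DEFAULT_SECONDS, global_kb=DEFAULT_KILOBYTES,
                       map_seconds=None, map_kb=None):
    """Lifetime a crypto map entry proposes: its own values override the global ones."""
    return (map_seconds if map_seconds is not None else global_seconds,
            map_kb if map_kb is not None else global_kb)


def negotiated_lifetime(local, remote):
    """Assumed rule: the SA expires at whichever limit is reached first, so each
    bound is the smaller of the two peers' values."""
    return min(local[0], remote[0]), min(local[1], remote[1])


# Proposals from the Transform Set Negotiation slide
ROUTER_A = [(10, {"esp-3des"}, "tunnel"),
            (20, {"esp-des", "esp-md5-hmac"}, "tunnel"),
            (30, {"esp-3des", "esp-sha-hmac"}, "tunnel")]
ROUTER_B = [(40, {"esp-des"}, "tunnel"),
            (50, {"esp-des", "ah-sha-hmac"}, "tunnel"),
            (60, {"esp-3des", "esp-sha-hmac"}, "tunnel")]

if __name__ == "__main__":
    print(negotiate_transform_set(ROUTER_A, ROUTER_B))
    print(validate_transform_set(["esp-des"]))   # the slides' transform set "mine"
    print(negotiated_lifetime(effective_lifetime(2700, 1382400), effective_lifetime()))
```

Running validate_transform_set on the slides' own set "mine" (esp-des only) returns no error but the integrity warning: the set is legal, yet nothing in it authenticates the packets, which is why the show crypto ipsec sa counters later in the chapter show digest and verify at 0.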
Step 3—Create Crypto ACLs
Purpose of Crypto Access Lists
• Outbound—Indicate the data flow to be protected by IPSec.
• Inbound—Filter out and discard traffic that should have been protected by IPSec.
(Figure: at RouterA, outbound traffic is either encrypted or bypasses in clear text; inbound traffic is either permitted or bypasses in clear text.)
Extended IP Access Lists for Crypto Access Lists
router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
• Define which IP traffic will be protected by crypto.
• Permit = encrypt / Deny = do not encrypt.
RouterA(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
(Figure: traffic from 10.0.1.0 to 10.0.2.0 is encrypted between RouterA and RouterB.)
Configure Symmetrical Peer Crypto Access Lists
• You must configure mirror image ACLs.
RouterA(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
RouterB(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
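Two checks that follow from the slides, as an added example in Python (not part of the course and not Cisco code): the mirror-image requirement for crypto ACLs on this slide, and the Step 5 check that an interface ACL permits AH (protocol 51), ESP (protocol 50) and ISAKMP (UDP 500) between the peers. The parser handles only the numbered extended "access-list N permit|deny ..." form with host/any/wildcard addresses and an optional "eq" port, which is all the slides show; the ACL lines embedded below are the ones from the slides.

```python
"""Two checks on IOS extended access lists used with IPSec.

Added example, not course or Cisco code. Parses the numbered extended ACL
lines shown on the slides and then (1) reports crypto ACL entries with no
mirror image on the peer, and (2) confirms an interface ACL permits AH,
ESP and ISAKMP from the peer (the Step 5 check). Only the
"access-list N permit|deny proto src dst [eq port]" form is handled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[str, str]  # (address, wildcard mask)


@dataclass(frozen=True)
class AclEntry:
    number: int
    action: str
    protocol: str
    src: Addr
    dst: Addr
    src_port: Optional[str] = None
    dst_port: Optional[str] = None


def _addr(tok, i):
    """Consume one address spec starting at tok[i]; return ((addr, wildcard), next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def _port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i


def parse_acl_line(line):
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not an extended access-list line: {line!r}")
    src, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return AclEntry(int(tok[1]), tok[2], tok[3], src, dst, sport, dport)


def _covers(addr, ip):
    """True when ip falls inside addr's (network, wildcard) pair."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(addr[1]))
    return (int(ipaddress.IPv4Address(ip)) & mask) == (int(ipaddress.IPv4Address(addr[0])) & mask)


def _key(e):
    return (e.action, e.protocol, e.src, e.dst, e.src_port, e.dst_port)


def missing_mirrors(local_lines, remote_lines):
    """Local crypto ACL entries whose mirror image (source and destination swapped)
    is absent from the peer's crypto ACL. ACL numbers may differ between peers."""
    remote_keys = {_key(parse_acl_line(l)) for l in remote_lines}
    missing = []
    for line in local_lines:
        e = parse_acl_line(line)
        mirrored = AclEntry(e.number, e.action, e.protocol, e.dst, e.src, e.dst_port, e.src_port)
        if _key(mirrored) not in remote_keys:
            missing.append(line)
    return missing


def ipsec_permitted(acl_lines, remote_peer, local_peer):
    """Does an inbound interface ACL let AH, ESP and ISAKMP through from remote_peer to local_peer?"""
    needed = {"ahp": None, "esp": None, "udp": ("isakmp", "500")}
    ok = {p: False for p in needed}
    for line in acl_lines:
        e = parse_acl_line(line)
        if e.action != "permit" or not _covers(e.src, remote_peer) or not _covers(e.dst, local_peer):
            continue
        for proto, ports in needed.items():
            # "permit ip" covers every protocol; a udp entry without a port covers port 500
            if e.protocol in (proto, "ip") and (ports is None or e.dst_port is None or e.dst_port in ports):
                ok[proto] = True
    return ok


# Lines taken from the slides
ROUTER_A_CRYPTO_ACL = ["access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255"]
ROUTER_B_CRYPTO_ACL = ["access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255"]
INTERFACE_ACL_102 = ["access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2",
                     "access-list 102 permit esp host 172.30.2.2 host 172.30.1.2",
                     "access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp"]

if __name__ == "__main__":
    print(missing_mirrors(ROUTER_A_CRYPTO_ACL, ROUTER_B_CRYPTO_ACL))
    print(ipsec_permitted(INTERFACE_ACL_102, "172.30.2.2", "172.30.1.2"))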
Step 4—Create Crypto Maps
Purpose of Crypto Maps
Crypto maps pull together the various parts configured for IPSec, including:
• Which traffic should be protected by IPSec.
• The granularity of the traffic to be protected by a set of SAs.
• Where IPSec-protected traffic should be sent.
• The local address to be used for the IPSec traffic.
• What IPSec type should be applied to this traffic.
• Whether SAs are established (manually or via IKE).
• Other parameters needed to define an IPSec SA.
Crypto Map Parameters
Crypto maps define the following:
• The access list to be used.
• Remote VPN peers.
• Transform-set to be used.
• Key management method.
• Security-association lifetimes.
(Figure: a crypto map applied to a router interface; encrypted traffic between RouterA and RouterB.)
Configure IPSec Crypto Maps
router(config)# crypto map map-name seq-num ipsec-manual
router(config)# crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
• Use a different sequence number for each peer.
• Multiple peers can be specified in a single crypto map for redundancy.
• One crypto map per interface.
RouterA(config)# crypto map mymap 110 ipsec-isakmp
Example Crypto Map Commands
RouterA(config)# crypto map mymap 110 ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer 172.30.2.2
RouterA(config-crypto-map)# set peer 172.30.3.2
RouterA(config-crypto-map)# set pfs group1
RouterA(config-crypto-map)# set transform-set mine
RouterA(config-crypto-map)# set security-association lifetime seconds 86400
• Multiple peers can be specified for redundancy.
(Figure: RouterA with two peers across the Internet, RouterB 172.30.2.2 and RouterC 172.30.3.2.)
Step 5—Apply Crypto Maps to Interfaces
Applying Crypto Maps to Interfaces
router(config-if)# crypto map map-name
• Apply the crypto map to the outgoing interface.
• Activates the IPSec policy.
RouterA(config)# interface ethernet0/1
RouterA(config-if)# crypto map mymap
(Figure: crypto map mymap applied to E0/1 172.30.1.2 on RouterA; peer RouterB E0/1 172.30.2.2.)
IPSec Configuration Examples
RouterA# show running-config
crypto ipsec transform-set mine esp-des
!
crypto map mymap 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set mine
 match address 110
!
interface Ethernet0/1
 ip address 172.30.1.2 255.255.255.0
 no ip directed-broadcast
 crypto map mymap
!
access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

RouterB# show running-config
crypto ipsec transform-set mine esp-des
!
crypto map mymap 10 ipsec-isakmp
 set peer 172.30.1.2
 set transform-set mine
 match address 101
!
interface Ethernet0/1
 ip address 172.30.2.2 255.255.255.0
 no ip directed-broadcast
 crypto map mymap
!
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
Task 4—Test and Verify IPSec
Task 4—Test and Verify IPSec
• Display your configured IKE policies.
show crypto isakmp policy
• Display your configured transform sets.
show crypto ipsec transform-set
• Display the current state of your IPSec SAs.
show crypto ipsec sa
Task 4—Test and Verify IPSec (cont.)
• Display your configured crypto maps.
show crypto map
• Enable debug output for IPSec events.
debug crypto ipsec
• Enable debug output for ISAKMP events.
debug crypto isakmp
show crypto isakmp policy Command
router# show crypto isakmp policy
RouterA# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Encryption
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
show crypto ipsec transform-set Command
router# show crypto ipsec transform-set
• View the currently defined transform sets.
RouterA# show crypto ipsec transform-set
Transform set mine: { esp-des }
   will negotiate = { Tunnel, },
show crypto ipsec sa Command
router# show crypto ipsec sa
RouterA# show crypto ipsec sa
interface: Ethernet0/1
    Crypto map tag: mymap, local addr. 172.30.1.2
   local  ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
   current_peer: 172.30.2.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 8AE1C9C
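Reading the counters in this output mechanically, as an added example in Python (not part of the course and not Cisco code). The first sample is the slide's output with its line breaks restored; the second is a constructed variant. parse_ipsec_sa pulls out the peer, the outbound SPI and the packet counters, and assess() performs the checks a verifier does by eye: traffic in both directions, no send or receive errors, and whether packets are being digested and verified at all. With the slides' esp-des-only transform set the digest and verify counters stay at 0, which the check reports as missing integrity protection.

```python
"""Reading show crypto ipsec sa counters to verify an IPSec SA.

Added example, not course or Cisco code. The first sample is the slide's
output with line breaks restored; SAMPLE_ONE_WAY is constructed from it.
"""
import re

SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: Ethernet0/1
    Crypto map tag: mymap, local addr. 172.30.1.2
   local  ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
   current_peer: 172.30.2.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 8AE1C9C
"""

# Constructed variant: nothing comes back from the peer and receive errors are counted
SAMPLE_ONE_WAY = SAMPLE_SHOW_CRYPTO_IPSEC_SA.replace(
    "#pkts decaps: 21, #pkts decrypt: 21", "#pkts decaps: 0, #pkts decrypt: 0"
).replace("#recv errors 0", "#recv errors 4")

COUNTER_PATTERNS = {
    "encaps": r"#pkts encaps:\s*(\d+)", "encrypt": r"#pkts encrypt:\s*(\d+)",
    "digest": r"#pkts digest:?\s*(\d+)", "decaps": r"#pkts decaps:\s*(\d+)",
    "decrypt": r"#pkts decrypt:\s*(\d+)", "verify": r"#pkts verify:?\s*(\d+)",
    "send_errors": r"#send errors:?\s*(\d+)", "recv_errors": r"#recv errors:?\s*(\d+)",
}


def parse_ipsec_sa(text):
    """Return a dict with interface, peer, outbound SPI and the packet counters."""
    def first(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    sa = {"interface": first(r"interface:\s*(\S+)"),
          "peer": first(r"current_peer:\s*(\S+)"),
          "spi": first(r"current outbound spi:\s*([0-9A-Fa-f]+)")}
    for name, pattern in COUNTER_PATTERNS.items():
        value = first(pattern)
        sa[name] = int(value) if value is not None else 0   # missing counter reads as 0
    return sa


def assess(sa):
    """List of findings; an empty list means the SA looks healthy."""
    findings = []
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        findings.append("no traffic has used this SA yet")
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append("one-way traffic: packets sent but none received from the peer")
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("one-way traffic: packets received but none sent to the peer")
    if sa["encrypt"] > 0 and sa["digest"] == 0:
        findings.append("no integrity protection: packets are encrypted but never digested")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append(f"errors: send={sa['send_errors']} recv={sa['recv_errors']}")
    return findings


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA)
    print(sa["peer"], sa["spi"], assess(sa))
```

On the slide's own output the only finding is the missing integrity protection; matching encaps and decaps counts with zero errors are what a healthy two-way tunnel looks like.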
show crypto map Command
router# show crypto map
• View the currently configured crypto maps.
RouterA# show crypto map
Crypto Map "mymap" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 102
            access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ mine, }
debug crypto Commands
router# debug crypto ipsec
• Displays debug messages about all IPSec actions.
router# debug crypto isakmp
• Displays debug messages about all ISAKMP actions.
Crypto System Error Messages for ISAKMP
%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated!
• ISAKMP SA with the remote peer was not authenticated.
%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed
• ISAKMP peers failed protection suite negotiation for ISAKMP.
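Detection logic over syslog for the two messages above, as an added example in Python (not part of the course and not Cisco code). The log lines are constructed: timestamps, the peer addresses and the attribute name inside the IKMP_SA_NOT_OFFERED message are made up, while the message texts follow the formats on the slide, with %15i filled in by an address. parse_isakmp_events extracts the mnemonic, the peer and, where present, the rejected attribute; summarize() groups the events per peer and flags the conditions an operator cares about: repeated IKMP_SA_NOT_AUTH from a configured peer (pre-shared key or identity mismatch), IKMP_SA_NOT_OFFERED from a configured peer (IKE policy mismatch, naming the attribute), and any IKE attempt from an address that has no key configured. The set of known peers is taken from the crypto map example earlier in the chapter.

```python
"""Detection over IOS syslog for the two ISAKMP error messages on the slide.

Added example, not course or Cisco code. The syslog sample is constructed;
the message texts follow the slide's formats.
"""
import re
from collections import Counter

MSG_RE = re.compile(r"%CRYPTO-(?P<sev>\d)-(?P<mnemonic>IKMP_SA_NOT_AUTH|IKMP_SA_NOT_OFFERED):")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ATTR_RE = re.compile(r"attribute \[(?P<attr>[^\]]+)\]")

# Constructed syslog sample; 192.0.2.77 is a documentation-range address standing in for an unknown peer.
SAMPLE_SYSLOG = [
    "*Mar  1 10:15:02.311: %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from 172.30.2.2 if SA is not authenticated!",
    "*Mar  1 10:15:04.120: %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from 172.30.2.2 if SA is not authenticated!",
    "*Mar  1 10:15:06.002: %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from 172.30.2.2 if SA is not authenticated!",
    "*Mar  1 10:15:09.877: %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer 172.30.3.2 responded with attribute [Hash Algorithm] not offered or changed",
    "*Mar  1 10:16:41.500: %CRYPT0-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from 192.0.2.77 if SA is not authenticated!".replace("CRYPT0", "CRYPTO"),
    "*Mar  1 10:17:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]

KNOWN_PEERS = {"172.30.2.2", "172.30.3.2"}   # peers named in the crypto map example


def parse_isakmp_events(lines):
    """One dict per matching syslog line: mnemonic, peer address, rejected attribute (or None)."""
    events = []
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        ip = IP_RE.search(line, m.end())        # the peer address follows the mnemonic
        attr = ATTR_RE.search(line)
        events.append({"mnemonic": m.group("mnemonic"),
                       "peer": ip.group(1) if ip else None,
                       "attribute": attr.group("attr") if attr else None})
    return events


def summarize(events, known_peers, threshold=3):
    """Findings per (peer, message), sorted by peer address."""
    counts = Counter((e["peer"], e["mnemonic"]) for e in events)
    findings = []
    for (peer, mnemonic), n in sorted(counts.items()):
        if peer not in known_peers:
            findings.append(f"{peer}: {n}x {mnemonic} from a peer with no ISAKMP key configured")
        elif mnemonic == "IKMP_SA_NOT_AUTH" and n >= threshold:
            findings.append(f"{peer}: {n}x IKMP_SA_NOT_AUTH, check the pre-shared key and ISAKMP identity type on both sides")
        elif mnemonic == "IKMP_SA_NOT_OFFERED":
            attrs = sorted({e["attribute"] for e in events if e["peer"] == peer and e["attribute"]})
            findings.append(f"{peer}: {n}x IKMP_SA_NOT_OFFERED, IKE policy mismatch on {attrs}")
    return findings


if __name__ == "__main__":
    for finding in summarize(parse_isakmp_events(SAMPLE_SYSLOG), KNOWN_PEERS):
        print(finding)
```

The unrelated %SYS-5-CONFIG_I line is ignored, a single IKMP_SA_NOT_AUTH from a configured peer stays below the threshold, and the address with no key configured is reported on its first attempt regardless of count.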
Overview of Configuring IPSec Manually
Setting Manual Keys with security-association Commands
router(config-crypto-map)# set security-association inbound|outbound ah spi hex-key-string
router(config-crypto-map)# set security-association inbound|outbound esp spi cipher hex-key-string [authenticator hex-key-string]
• Specifies inbound or outbound SA.
• Sets Security Parameter Index (SPI) for the SA.
• Sets manual AH and ESP keys:
– ESP key length is 56 bits with DES, 168 with 3DES.
– AH HMAC key length is 128 bits with MD5, 160 bits with SHA.
• SPIs should be reciprocal for IPSec peers.
Overview of Configuring IPSec for RSA Encrypted Nonces
Tasks to Configure IPSec for RSA Encryption
Task 1—Prepare for IPSec.
Task 2—Configure RSA keys.
Task 3—Configure IKE.
Task 4—Configure IPSec.
Task 5—Test and verify IPSec.
Task 2—Configure RSA Keys
Step 1—Plan for RSA keys.
Step 2—Configure the router's host name and domain name. (hostname name, ip domain-name name)
Step 3—Generate RSA keys. (crypto key generate rsa usage-keys)
Task 2—Configure RSA Keys (cont.)
Step 4—Enter peer RSA public keys. (crypto key pubkey-chain)
crypto key pubkey-chain rsa
addressed-key key-address
named-key key-name
key-string
Task 2—Configure RSA Keys (cont.)
Step 5—Verify key configuration. (show crypto key mypubkey rsa, show crypto key pubkey-chain rsa)
Step 6—Manage RSA keys. (crypto key zeroize rsa)
Summary
![Page 115: © 2003, Cisco Systems, Inc. All rights reserved. SECUR 1.0—9-1 Chapter 9 Building IPSEC VPNS Using Cisco Routers](https://reader037.vdocument.in/reader037/viewer/2022110206/56649ceb5503460f949b63d0/html5/thumbnails/115.jpg)
© 2003, Cisco Systems, Inc. All rights reserved. SECUR 1.0—9-115
Summary
• Cisco supports the following IPSec standards: AH, ESP, DES, 3DES, MD5, SHA, RSA signatures, IKE (also known as ISAKMP), DH, and CAs.
• There are five steps to IPSec: interesting traffic, IKE phase 1, IKE phase 2, IPSec encrypted traffic, and tunnel termination.
• IPSec SAs consist of a destination address, SPI, IPSec transform, mode, and SA lifetime value.
• Define the detailed crypto IKE and IPSec security policy before beginning configuration.
• Ensure router access lists permit IPSec traffic: IKE on UDP port 500, ESP (IP protocol 50), and AH (IP protocol 51) between the peers.
![Page 116: © 2003, Cisco Systems, Inc. All rights reserved. SECUR 1.0—9-1 Chapter 9 Building IPSEC VPNS Using Cisco Routers](https://reader037.vdocument.in/reader037/viewer/2022110206/56649ceb5503460f949b63d0/html5/thumbnails/116.jpg)
© 2003, Cisco Systems, Inc. All rights reserved. SECUR 1.0—9-116
Summary (cont.)
• IKE policies define the set of parameters used during IKE negotiation.
• Transform sets determine IPSec transform and mode.
• Crypto access lists determine traffic to be encrypted.
• Crypto maps pull together all IPSec details and are applied to interfaces.
• Use show and debug commands to test and troubleshoot.
• IPSec can also be configured manually (static keys and SPIs, no IKE) or with IKE authenticated by RSA encrypted nonces instead of pre-shared keys.
![Page 117: © 2003, Cisco Systems, Inc. All rights reserved. SECUR 1.0—9-1 Chapter 9 Building IPSEC VPNS Using Cisco Routers](https://reader037.vdocument.in/reader037/viewer/2022110206/56649ceb5503460f949b63d0/html5/thumbnails/117.jpg)
© 2003, Cisco Systems, Inc. All rights reserved. SECUR 1.0—9-117
Lab Exercise
![Page 118: © 2003, Cisco Systems, Inc. All rights reserved. SECUR 1.0—9-1 Chapter 9 Building IPSEC VPNS Using Cisco Routers](https://reader037.vdocument.in/reader037/viewer/2022110206/56649ceb5503460f949b63d0/html5/thumbnails/118.jpg)
© 2003, Cisco Systems, Inc. All rights reserved. SECUR 1.0—9-118
Lab Visual Objective
[Network diagram; only the figure's labels survived extraction.]
Pods 1-5 (P) and pods 6-10 (Q); each pod has a STUDENT PC, a ROUTER, and a WEB/FTP/CSACS server.
Networks labeled: 172.30.P.0 / 172.30.Q.0, 10.0.P.0 / 10.0.Q.0, and the backbone 172.26.26.0.
Host labels in each pod: STUDENT PC .2 (LOCAL: 10.0.P.12, REMOTE: 10.1.P.12), ROUTER .1 / .2, WEB/FTP/CSACS .2, WEB/FTP .10.
Backbone labels: RBB .150, WEB/FTP .50, RTS .100.