| 0 comments ]

IPsec VPN is an essential part of many plans to meet the security requirements of customers. In the next few pages, you will learn how to use the command-line interface (CLI) to configure a site-to-site IPsec VPN to securely connect two or more subnets over the Internet or an intranet. You will also learn how to test that configuration using the CLI.

Add a note here Site-to-Site IPsec VPN Operations

Add a note hereIPsec VPN negotiation can be broken down into five steps, as shown in Figure 5-21, including Phase 1 and Phase 2 of Internet Key Exchange (IKE):

Add a note here Step 1

Add a note hereAn IPsec tunnel is initiated when Host A sends “interesting” traffic to Host B. Traffic is considered interesting when it travels between the IPsec peers and meets the criteria that is defined in the crypto access control list (ACL).

Add a note here Step 2

Add a note hereIn IKE Phase 1, the IPsec peers (routers A and B) negotiate the established IKE SA policy. Once the peers are authenticated, a secure tunnel is created using ISAKMP.

Add a note here Step 3

Add a note hereIn IKE Phase 2, the IPsec peers use the authenticated and secure tunnel to negotiate IPsec SA transforms. The negotiation of the shared policy determines how the IPsec tunnel is established.

Add a note here Step 4

Add a note hereThe IPsec tunnel is created and data is transferred between the IPsec peers based on the IPsec parameters configured in the IPsec transform sets.

Click to collapse
Add a note hereFigure 5-21: Site-to-Site IPsec VPN

Add a note here Step 5

Add a note here The IPsec tunnel terminates when the IPsec SAs are deleted or when their lifetime expires.

Add a note here Configuring IPsec

Add a note hereFollow these steps to configure a site-to-site IPsec VPN:

Add a note here Step 1

Add a note hereCreate a crypto ACL. The crypto ACL defines which traffic should be sent through the IPsec tunnel and be protected by the IPsec process.

Add a note here Step 2

Add a note hereConfigure an ISAKMP policy to determine the ISAKMP parameters that will be used to establish the tunnel.

Add a note here Step 3

Add a note hereDefine the IPsec transform set. The definition of the transform set defines the parameters that the IPsec tunnel uses, and can include the encryption and integrity algorithms.

Add a note here Step 4

Add a note hereCreate and apply a crypto map. The crypto map groups the previously configured parameters together and defines the IPsec peer devices. The crypto map is applied to the outgoing interface of the VPN device.

Add a note here Step 5

Add a note hereConfigure the interface ACL. Usually, there are restrictions on the interface that the VPN traffic uses (for example, block all traffic that is not IPsec or IKE).

Site-to-Site IPsec Configuration: Step 1

Add a note hereThe first step in configuring Cisco IOS ISAKMP is to ensure that existing ACLs on perimeter routers, firewalls, or other routers do not block IPsec traffic. Perimeter routers typically implement a restrictive security policy with ACLs, where only specific traffic is permitted and all other traffic is denied. Such a restrictive policy blocks IPsec traffic. Therefore, you must add specific permit statements to the ACL to allow IPsec traffic.

Add a note hereEnsure that your ACLs are configured so that ISAKMP, ESP, and AH traffic is not blocked at interfaces used by IPsec. ISAKMP uses User Datagram Protocol (UDP) port 500. ESP is assigned IP protocol number 50, and AH is assigned IP protocol number 51. In some cases, you might need to add a statement to router ACLs to explicitly permit this traffic. You might need to add the ACL statements to the perimeter router by performing the following steps:

Add a note here Step 1

Add a note hereExamine the current ACL configuration at the perimeter router and determine whether it will block IPsec traffic:

Add a note here
RouterA# show access-lists

Add a note here Step 2

Add a note hereAdd ACL entries to permit IPsec traffic. To do this, copy the existing ACL configuration and paste it into a text editor as follows:

  • Add a note hereCopy the existing ACL configuration and paste it into a text editor.

  • Add a note hereAdd the ACL entries to the top of the list in the text editor.

  • Add a note hereDelete the existing ACL with the no access-list access-list number command.

  • Add a note here Enter configuration mode and copy and paste the new ACL into the router.

  • Add a note hereVerify that the ACL is correct with the show access-lists command.

Add a note hereIf you have a recent version of the IOS, you might also benefit from the named ACL feature, which is also available for numbered ACLs when it comes to editing your ACL so that you do not have to copy and paste it into an external text editor.

Add a note hereA concatenated example showing ACL entries permitting IPsec traffic for Router A, shown in Figure 5-22, is as follows:

Add a note hereRouterA# show running-config
!
interface Serial0/1
ip address 172.30.1.2 255.255.255.0
ip access-group 102 in
!
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
Click to collapse
Add a note hereFigure 5-22: Step 1: Ensure That ACLs Are Compatible with IPsec and Topology

Note

Add a note hereNote that the protocol keyword esp equals the ESP protocol (number 50), the keyword ahp equals the AH protocol (number 51), and the isakmp keyword equals UDP port 500.

Site-to-Site IPsec Configuration: Step 2

Add a note hereThe second major step in configuring Cisco IOS ISAKMP support is to define a suite of ISAKMP policies. The goal of defining a suite of IKE policies is to establish ISAKMP peering between two IPsec endpoints.

Add a note hereMultiple ISAKMP policies can be configured on each peer participating in IPsec. ISAKMP peers negotiate the acceptable ISAKMP policies before they agree on the SA to use for IPsec.

Add a note here Use the crypto isakmp policy command to define an IKE Phase I policy. IKE policies define a set of parameters that IKE uses during negotiation. Use the no form of this command to delete an IKE policy. The command syntax is crypto isakmp policy priority, where priority is a number that uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.

Add a note hereThis command invokes the ISAKMP policy configuration (config-isakmp) command mode.


Note

Add a note hereAssign the most secure policy the lowest priority number so that the most secure policy will find a match before any less-secure policies are configured.

Add a note hereThe crypto isakmp policy command invokes the ISAKMP policy configuration command mode where you can set ISAKMP parameters. If you do not specify one of these commands for a policy, the default value is used for that parameter. Table 5-4 lists the keywords available to specify the parameters in the policy while you are in the config-isakmp command mode, and displays the default value for the parameters that you do not specifically configure.

Add a note here Table 5-4: ISAKMP Parameters
Open table as spreadsheet

Add a note hereParameters

Add a note hereKeyword

Add a note hereAccepted Values

Add a note hereDefault Value

Add a note hereDescription

Add a note here encryption

Add a note here des

Add a note here aes

Add a note here56-bit DES-CBC

Add a note here128-bit AES

Add a note here des

Add a note hereMessage-encryption algorithm

Add a note here aes 192

Add a note here192-bit AES

Add a note here aes 256

Add a note here256-bit AES

Add a note here hash

Add a note here sha

Add a note here md5

Add a note hereSHA-1 (HMAC variant)

Add a note hereMD5 (HMAC variant)

Add a note here sha

Add a note hereMessage-integrity (hash) algorithm

Add a note here authentication

Add a note here rsa-sig

Add a note here rsa-encr

Add a note hereRSA signatures

Add a note hereRSA encrypted nonces

Add a note here rsa-sig

Add a note herePeer-authentication method

Add a note here pre-share

Add a note herePreshared keys

Add a note here group

Add a note here 1

Add a note here 2

Add a note here768-bit Diffie-Hellman

Add a note here1024-bit Diffie-Hellman

Add a note here 1

Add a note hereKey-exchange parameters (DH group identifier)

Add a note here 5

Add a note here1536-bit Diffie-Hellman

Add a note here lifetime

Add a note here seconds

Add a note hereCan specify any number of seconds

Add a note here 86400 (second; 1 day)

Add a note hereISAKMP-established SA lifetime

Add a note hereThe current default protection suite offers DES, SHA, DH Group 1, RSA signature, and a lifetime of 86,400 seconds with no volume limit.

Add a note here Example 5-1 shows an example of configuration of the ISAKMP (IKE) policies that could be negotiated on Figure 5-23. Table 5-4 lists and describes the parameters for the configuration.

Click to collapse
Add a note hereFigure 5-23: Defining ISAKMP (IKE Phase 1) Policies
Add a note here Example 5-1: Configuring ISAKMP (IKE) Policies

Add a note hereRouterA# configure terminal
RouterA(config)# crypto isakmp policy 110
RouterA(config–isakmp)# authentication pre-share
RouterA(config–isakmp)# encryption des
RouterA(config–isakmp)# group 1
RouterA(config–isakmp)# hash md5
RouterA(config–isakmp)# lifetime 86400

IKE Policy Negotiation

Add a note hereISAKMP peers negotiate the acceptable ISAKMP policies before they agree on the SA to use for IPsec.

Add a note hereWhen the ISAKMP negotiation begins in IKE Phase 1 main mode, the following occurs:

Add a note here Step 1

Add a note hereISAKMP looks for an ISAKMP policy that is the same on both peers.

Add a note here Step 2

Add a note hereThe peer that initiates the negotiation sends all of its policies to the remote peer.

Add a note here Step 3

Add a note hereThe remote peer tries to find a match with its policies. The remote peer looks for a match by comparing its own highest-priority policy against the policies it received from the other peer.

Add a note hereThe remote peer checks each of its policies in order of its priority (highest priority first) until a match is found.

Add a note hereA match is made when both policies from the two peers contain the same encryption, hash, authentication, DH parameter values, and when the policy of the remote peer specifies a lifetime less than or equal to the lifetime of the policy that is being compared. If the lifetimes are not identical, the shorter lifetime from the remote peer policy is used. Assign the most secure policy the lowest priority number so that the most secure policy will find a match before any less-secure policies are configured.

Add a note here Step 4

Add a note here If an acceptable match is not found, ISAKMP refuses negotiation, and IPsec is not established. If a match is found, ISAKMP completes the main mode negotiation, and IPsec SAs are created during IKE Phase 2 quick mode.

Add a note here Figure 5-24 shows the negotiation between Router A and Router B and how the first two policies would be successfully negotiated but the last one could not.

Click to collapse
Add a note hereFigure 5-24: IKE Phase I: Policy Negotiation
Configuring Pre-Shared Keys

Add a note hereTo configure a PSK, use the crypto isakmp key global configuration command. You must configure this key whenever you specify PSKs in an ISAKMP policy. Use the no form of this command to delete a PSK. The syntax for the command is as follows:

Add a note here
crypto isakmp key encryption-type-digit keystring address peer-address
crypto isakmp key encryption-type-digit keystring hostname peer-hostname

Add a note here Table 5-5 lists the command syntax parameter definitions.

Add a note here Table 5-5: crypto isakmp Key Command Parameters
Open table as spreadsheet

Add a note hereParameters

Add a note hereDescription

Add a note here encryption-type-digit

Add a note hereSpecifies whether the password to be used is encrypted or unencrypted.

Add a note here 0: Specifies that an unencrypted password follows

Add a note here 6: Specifies that an encrypted password follows

Add a note here keystring

Add a note hereThis parameter specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers.

Add a note here peer-address

Add a note hereThis parameter specifies the IP address of the remote peer.

Add a note here hostname

Add a note hereThis parameter specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com).


Note

Add a note hereTo use the hostname parameter, you must configure the ISAKMP identity to use the hostname. Use the crypto isakmp identity hostname command in global configuration mode to configure this option. By default, the ISAKMP identity is set to use the IP address.

Add a note hereA given PSK is shared between two peers. At a given peer, you can specify the same key to share with multiple remote peers; however, a more secure approach is to specify different keys to share between different pairs of peers.

Add a note hereBoth peers are required to agree on the identity mode, which can be either address or hostname.

Add a note here Example 5-2 shows some of ISAKMP and PSK configuration for Router A and Router B in the topology in Figure 5-24. Note that the keystring of cisco1234 matches. The address identity method is specified. The ISAKMP policies are compatible. Default values do not have to be configured.

Add a note here Example 5-2: ISAKMP and PSK Configuration for Router A and Router B

Add a note hereRouterA(config)# crypto isakmp key cisco1234 address 172.30.2.2
RouterA(config)# crypto isakmp policy 110
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# authentication pre-share
_______________________________________________________________
RouterB(config)# crypto isakmp key cisco1234 address 172.30.1.2
RouterB(config)# crypto isakmp policy 110
RouterB(config-isakmp)# hash md5
RouterB(config-isakmp)# authentication pre-share

Site-to-Site IPsec Configuration: Phase 1

Add a note hereTo recapitulate, Example 5-3 shows the comprehensive configuration for Router A and Router B to be successful with the Phase 1 of IPsec.

Add a note here Example 5-3: Site-to-Site IPsec Configuration: Phase 1 for Router A and Router B

Add a note hereRouterA(config)# crypto isakmp policy 110
RouterA(config–isakmp)# authentication pre-share
RouterA(config–isakmp)# encryption des
RouterA(config–isakmp)# group 1
RouterA(config–isakmp)# hash md5
RouterA(config–isakmp)# lifetime 86400
RouterA(config–isakmp)# exit
RouterA(config)# crypto isakmp key cisco1234 address 172.30.2.2
_______________________________________________________________
RouterB(config)# crypto isakmp policy 110
RouterB(config–isakmp)# authentication pre-share
RouterB(config–isakmp)# encryption des
RouterB(config–isakmp)# group 1
RouterB(config–isakmp)# hash md5
RouterB(config–isakmp)# lifetime 86400
RouterB(config–isakmp)# exit
RouterB(config)# crypto isakmp key cisco1234 address 172.30.1.2


Note

Add a note herePolicy names and PSK are case sensitive.

Site-to-Site IPsec Configuration: Step 3

Add a note here A transform set is a combination of individual IPsec transforms that are designed to enact a specific security policy for data traffic. During the ISAKMP IPsec SA negotiation that occurs in IKE Phase 2 quick mode, the peers agree to use a particular transform set for protecting a particular data flow. Transform sets combine the following IPsec factors:

  • Add a note hereMechanism for payload authentication: AH transform

  • Add a note hereMechanism for payload encryption: ESP transform

  • Add a note hereIPsec mode (transport mode versus tunnel mode)

Add a note hereTransform sets are limited to one AH transform, one ESP encryption transform, and one ESP authentication transform. To define a transform set, use the crypto ipsec transform-set global configuration command. To delete a transform set, use the no form of the command. Table 5-6 defines the parameters for the crypto ipsec transform-set command, the syntax for which is as follows:

Add a note here
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
Add a note here Table 5-6: crypto ipsec transform-set Parameters
Open table as spreadsheet

Add a note hereCommand

Add a note hereDescription

Add a note here transform-set-name

Add a note hereThis parameter specifies the name of the transform set to create (or modify).

Add a note here transform1, transform2, transform3

Add a note hereThis parameter specifies up to three transforms. These transforms define the IPsec security protocols and algorithms.

Add a note here Example 5-4 shows an example of a transform set configuration on Router A.

Add a note here Example 5-4: Transform Set Configuration

Add a note hereRouterA(config)# crypto ipsec transform-set mine esp-des

Add a note hereYou can configure multiple transform sets and then specify one or more of the transform sets in a crypto map entry. The IPsec SA negotiation uses the transform set that is defined in the crypto map entry to protect the data flows that are specified by the ACL of that crypto map entry. During the negotiation, the peers search for a transform set that has the same criteria at both peers. When such a transform set is found, it is selected and applied to the protected traffic as part of the IPsec SAs of both peers.

Add a note here When ISAKMP is not used to establish SAs, a single transform set must be used. The transform set is not negotiated.

Transform Set Negotiation

Add a note hereTransform sets are negotiated during quick mode in IKE Phase 2 using the transform sets that you previously configured. You can configure multiple transform sets and then specify one or more of the transform sets in a crypto map entry. Configure the transforms from the most to the least secure, according to your policy. The IPsec SA negotiation uses the transform set defined in the crypto map entry to protect the data flows that are specified by the ACL of that crypto map entry.

Add a note hereDuring the negotiation, the peers search for a transform set that is the same at both peers, as shown in Figure 5-25. Each of the Router A transform sets are compared against each of the Router B transform sets in succession. Router A transform sets 10, 20, and 30 are compared with Router B transform set 40. The result is no match. All of Router A transform sets are then compared against Router B transform sets. Finally, Router A transform set 30 matches Router B transform set 60. When such a transform set match is found, it is selected and is applied to the protected traffic as part of the IPsec SAs of both peers. IPsec peers agree on one unidirectional transform proposal per SA.

Click to collapse
Add a note hereFigure 5-25: Transform Set Negotiation

Key Topic

Add a note hereTransform sets are negotiated during IKE Phase 2.

Add a note hereTunnels by which the encrypted data is transferred are unidirectional, as shown in Figure 5-20, which shows two ESP tunnels (each unidirectional).

Site-to-Site IPsec Configuration: Step 4

Add a note here Crypto ACLs perform different functions depending on whether the traffic is inbound or outbound to the interface:

  • Add a note here Outbound: Selects outbound traffic that IPsec should protect. Traffic that is not selected is sent in plaintext.

  • Add a note here Inbound: If desired, you can create inbound ACLs to filter and discard traffic that should have been protected by IPsec.

Add a note hereThe crypto ACLs identify the traffic flows that should be protected. Extended IP ACLs select IP traffic to encrypt based on protocol, IP address, network, subnet, and port. Although the ACL syntax is unchanged from extended IP ACLs, the meanings differ slightly for crypto ACLs. That is, permit specifies that matching packets must be encrypted, and deny specifies that matching packets should not be encrypted. Crypto ACLs behave similarly to an extended IP ACL that is applied to outbound traffic on an interface.

Add a note here Table 5-7 defines the parameters for the access-list command used for extended IP ACLs, the basic syntax for which is as follows:

Add a note hereaccess-list access-list-number { permit | deny } protocol source source-wildcard
destination destination-wildcard
Add a note here Table 5-7: access-list access-list-number Parameters
Open table as spreadsheet

Add a note hereaccess-list access-list-number Command

Add a note hereDescription

Add a note here permit

Add a note hereThis option causes all IP traffic that matches the specified conditions to be protected by cryptography, using the policy described by the corresponding crypto map entry.

Add a note here deny

Add a note hereThis option instructs the router to route traffic in plaintext.

Add a note here protocol

Add a note hereThis option specifies which traffic to protect by cryptography based on the protocol, such as TCP, UDP, or ICMP. If the protocol is IP, all traffic IP traffic that matches that permit statement is encrypted.

Add a note here source and destination

Add a note hereIf the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, the traffic between the specified source and destination is sent in plaintext.


Key Topic

Add a note hereCrypto ACL defines which IP traffic the tunnel will protect. The permit statement specifies that traffic will be encrypted, and the deny statement specifies that the traffic will go out in cleartext.


Note

Add a note hereCrypto ACLs are the same as normal ACLs, but apply only to the crypto map, and therefore define the interesting traffic to be encrypted. All other traffic passes as plaintext.

Add a note here Any unprotected inbound traffic that matches a permit entry in the crypto ACL for a crypto map entry that is flagged as IPsec is dropped. This drop occurs because this traffic was expected to be protected by IPsec.

Add a note hereIf you want certain traffic to receive one combination of IPsec protection (authentication only) and other traffic to receive a different combination (both authentication and encryption), create two different crypto ACLs to define the two different types of traffic. Different crypto map entries then use these different ACLs to specify different IPsec policies.


Caution

Add a note herePer recommended practice, you should avoid using the any keyword to specify source or destination addresses. The permit any any statement is strongly discouraged because this causes all outbound traffic to be protected and all protected traffic to be sent to the peer that is specified in the corresponding crypto map entry. Then, all inbound packets that lack IPsec protection are silently dropped, including packets for routing protocols, NTP, echo, echo response, and so on.

Add a note hereTry to be as restrictive as possible when defining which packets to protect in a crypto ACL. If you must use the any keyword in a permit statement, you must preface that statement with a series of deny statements to filter out any traffic (that would otherwise fall within that permit statement) that you do not want to be protected.

Configuring Symmetric Peer Crypto ACLS

Add a note hereYou must configure symmetric crypto ACLs for use by IPsec. Both inbound and outbound traffic are evaluated against the same outbound IPsec ACL. The ACL criteria are applied in the forward direction to traffic exiting your router, and the reverse direction to traffic entering your router. When a router receives encrypted packets back from an IPsec peer, it uses the same ACL to determine which inbound packets to decrypt by viewing the source and destination addresses in the ACL in reverse order.

Add a note hereThe example shown in Figure 5-26 illustrates why symmetric ACLs are recommended.

Image from book
Add a note hereFigure 5-26: Symmetric Peer Crypto Access Lists

Add a note here For site 1, IPsec protection is applied to traffic between hosts on the 10.0.1.0 network as the data exits the Router A S0/1 interface in route to site 2 hosts on the 10.0.2.0 network. For traffic from site 1 hosts on the 10.0.1.0 network to site 2 hosts on the 10.0.2.0 network, the ACL entry on Router A is evaluated as follows:

  • Add a note hereSource = Hosts on 10.0.1.0 network

  • Add a note hereDestination = Hosts on 10.0.2.0 network

Add a note hereFor incoming traffic from site 2 hosts on the 10.0.2.0 network to site 1 hosts on the 10.0.1.0 network, that same ACL entry on Router A is evaluated as follows:

  • Add a note hereSource = Hosts on 10.0.2.0 network

  • Add a note hereDestination = Hosts on 10.0.1.0 network


Key Topic

Add a note hereThe crypto ACLs used by IPsec must mirror-image ACLs because both inbound and outbound traffic is evaluated against the same outbound IPsec ACL.

Site-to-Site IPsec Configuration: Step 5

Add a note hereCrypto map entries that you create for IPsec combine the needed configuration parameters of IPsec SAs, including the following parameters:

  • Add a note hereWhat traffic should be protected by IPsec, using a crypto ACL

  • Add a note hereThe granularity of the flow to be protected by a set of SAs

  • Add a note hereWho the remote IPsec peer is, which determines where the IPsec-protected traffic is sent

  • Add a note hereThe local address that is to be used for the IPsec traffic (optional)

  • Add a note hereWhat IPsec security should be applied to this traffic, choosing from a list of one or more transform sets

Add a note hereCrypto map entries with the same crypto map name, but different map sequence numbers, are grouped into a crypto map set.

Add a note hereYou can apply only one crypto map set to a single interface. Multiple interfaces can share the same crypto map set if you want to apply the same policy to multiple interfaces. If you create more than one crypto map entry for a given interface, use the sequence number (seq-num) of each map entry to rank the map entries. The lower the seq-num, the higher the priority. At the interface that has the crypto map set, traffic is evaluated against higher-priority map entries first.

Add a note hereYou must create multiple crypto map entries for a given interface if any of these conditions exist:

  • Add a note hereDifferent data flows are to be handled by separate IPsec peers.

  • Add a note hereYou want to apply different IPsec security to different types of traffic (to the same or separate IPsec peers); for example, if you want traffic between one set of subnets to be authenticated, and traffic between another set of subnets to be both authenticated and encrypted. In this case, the different types of traffic should be defined in two separate ACLs, and you must create a separate crypto map entry for each crypto ACL.

  • Add a note hereYou are not using IKE to establish a particular set of SAs, and you want to specify multiple ACL entries, you must create separate ACLs (one per permit entry) and specify a separate crypto map entry for each ACL. Although it is possible to establish SAs manually, it is not recommended because the keys never expire. The longer a key is in production, the more vulnerable it becomes.

Add a note hereUse the crypto map global configuration command, explained in Table 5-8, to create or modify a crypto map entry and enter the crypto map configuration mode. Set the crypto map entries that reference dynamic maps to the lowest priority in a crypto map set (that is, they should have the highest sequence numbers). Use the no form of this command to delete a crypto map entry or set. The command syntax and parameter definitions are as follows:

Add a note here    crypto map map-name seq-num cisco
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
no crypto map map-name [seq-num]
Add a note here Table 5-8: crypto map Command Parameters
Open table as spreadsheet

Add a note hereCommand

Add a note hereDescription

Add a note here cisco

Add a note here(Default value) This option indicates that Cisco Encryption Technology (CET) will be used rather than IPsec for protecting the traffic specified by this newly specified crypto map entry. Note that CET is end-of-life.

Add a note here map-name

Add a note hereThis parameter defines the name you assign to the crypto map set, or indicates the name of the crypto map you want to edit.

Add a note here seq-num

Add a note hereThis parameter is the number you assign to the crypto map entry.

Add a note here ipsec-manual

Add a note hereThis option indicates that ISAKMP will not be used to establish the IPsec SAs for protecting the traffic specified by this crypto map entry.

Add a note here ipsec-isakmp

Add a note hereThis option indicates that ISAKMP will be used to establish the IPsec SAs for protecting the traffic specified by this crypto map entry.

Add a note here dynamic

Add a note here(Optional) This option specifies that this crypto map entry references a preexisting static crypto map. If you use this keyword, none of the crypto map configuration commands are available.

Add a note here dynamic-map-name

Add a note here(Optional) This parameter specifies the name of the dynamic crypto map set that should be used as the policy template.

Add a note here Use the crypto map command in crypto map configuration mode, to define the crypto map entries, with the commands shown in the Table 5-9.

Add a note here Table 5-9: crypto map Configuration Mode Commands
Open table as spreadsheet

Add a note hereCommand

Add a note hereDescription

Add a note here set

Add a note hereUsed with the peer, pfs, transform-set, and security-association commands.

Add a note here peer [hostname | ip-address]

Add a note hereSpecifies the allowed IPsec peer by IP address or hostname.

Add a note here pfs [group1 | group2]

Add a note hereSpecifies DH Group 1 or Group 2.

Add a note here transform-set [set_name(s)]

Add a note hereSpecify list of transform sets in priority order. For an ipsec-manual crypto map, you can specify only one transform set. For an ipsec-isakmp or dynamic crypto map entry, you can specify up to six transform sets.

Add a note here security-association lifetime

Add a note hereSets SA lifetime parameters in seconds or kilobytes.

Add a note here match address [access-list-id | name]

Add a note hereIdentifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP-extended ACL being matched.

Add a note here no

Add a note hereUsed to delete commands entered with the set command.

Add a note here exit

Add a note hereExits crypto map configuration mode.

Add a note hereAfter you define the crypto map entries, you can assign the crypto map set to interfaces using the crypto map (interface configuration) command.


Note

Add a note hereACLs for crypto map entries that are tagged as ipsec-manual are restricted to a single permit entry, and subsequent entries are ignored. The SAs that are established by that particular crypto map entry are for a single data flow only. To be able to support multiple manually established SAs for different kinds of traffic, you must define multiple crypto ACLs and then apply each one to a separate ipsec-manual crypto map entry. Each ACL should include one permit statement that defines the traffic that it must protect.

Add a note here Figure 5-27 illustrates a topology in which two peers are specified for redundancy, as configured by the crypto map in Example 5-5. If the first peer cannot be contacted, the second peer is used. There is no limit to the number of redundant peers you can configure.

Click to collapse
Add a note hereFigure 5-27: Network Topology for Crypto Map Example
Add a note here Example 5-5: crypto map Command Example

Add a note hereRouterA(config)# crypto map mymap 10 ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer 172.30.2.2
RouterA(config-crypto-map)# set peer 172.30.3.2
RouterA(config-crypto-map)# set pfs group1
RouterA(config-crypto-map)# set tranform-set mine
RouterA(config-crypto-map)# set security-association lifetime seconds 86400

Applying Crypto Maps to Interfaces

Add a note here In this step, you apply the crypto map to the outgoing interface of the VPN tunnel using the crypto map command in interface configuration mode. Use the no form of the command to remove the crypto map set from the interface. The command syntax is crypto map map-name, where map-name is the name of the crypto map set to apply to the interface.

Add a note hereAlso, make sure that you configure the routing information that is needed to send packets into the tunnel.

Add a note hereAll IP traffic passing through the interface where the crypto map is applied is evaluated against the applied crypto map set. If a crypto map entry sees outbound IP traffic that should be protected and the crypto map specifies the use of IKE, an SA is negotiated with the remote peer according to the parameters that are included in the crypto map entry.

Add a note here Example 5-6 demonstrates how to apply a crypto map.

Add a note here Example 5-6: Applying a Crypto Map

Add a note hereRouterA (config)# interface serial0/1
RouterA (config -if)#crypto map mymap

Add a note here Verifying the IPsec Configuration

Add a note hereYou can use the Cisco IOS commands explained in Table 5-10 to verify the VPN configuration.

Add a note here Table 5-10: IPsec Verification Commands
Open table as spreadsheet

Add a note hereCommand

Add a note hereDescription

Add a note here show crypto isakmp policy

Add a note hereDisplays configured IKE policies

Add a note here show crypto isakmp sa

Add a note hereDisplays current IKE SAs

Add a note here show crypto ipsec transform-set

Add a note hereDisplays configured IPsec transform sets

Add a note here show crypto map

Add a note hereDisplays configured crypto maps

Add a note here show crypto ipsec sa

Add a note hereDisplays established IPsec tunnels

Add a note here debug crypto isakmp

Add a note hereDebugs IKE events

Add a note here debug crypto ipsec

Add a note hereDebugs IPsec events

show crypto isakmp policy Command

Add a note here Use the show crypto isakmp policy command to display configured IKE policies and the default IKE policy settings. This command, shown in Example 5-7, is useful because it reveals your ISAKMP (IKE) configuration all with one command.

Add a note here Example 5-7: show crypto isakmp policy Command Output

Add a note hereRouterA# show crypto isakmp policy
Protection suite of priority 110
encryption algorithm: 3DES - Data Encryption Standard (168 bit keys).
hash algorithm: Secure Hash Standard
authentication method: preshared
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

show crypto ipsec transform-set Command

Add a note hereYou can use the show crypto ipsec transform-set command, shown in Example 5-8, to show all the configured transform sets. Because transform sets determine the level of protection that your data will have as it is tunneled, it is important to verify the strength of your IPsec protection policy.

Add a note here Example 5-8: show crypto ipsec transform-set Example

Add a note hereRouterA# show crypto ipsec transform-set
Transform set AES_SHA: { esp-128-aes esp-sha-hmac }
will negotiate = { Tunnel, },

show crypto map Command

Add a note here To see all the configured crypto maps, use the show crypto map command, shown in Example 5-9. This command verifies configurations and shows the SA lifetime. The show running-config command reveals many of these same settings.

Add a note here Example 5-9: show crypto map Example

Add a note hereRouterA# show crypto map
Crypto Map "mymap" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 102
access-list 110 permit ip host 10.0.1.3 host 10.0.2.3
Current peer: 172.30.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ mine, }

show crypto ipsec sa Command

Add a note hereOne of the more useful commands is show crypto ipsec sa, shown in Example 5-10. The output of Example 5-10 relates to the topology of Figure 5-28.

Image from book
Add a note hereFigure 5-28: Topology Used for Example 5-10

Add a note hereWhen you see that an SA has been established, it indicates that the rest of the configuration is working. Make special note of the pkts encrypt and pkts decrypt values because they indicate that traffic is flowing through the tunnel.

Add a note here Example 5-10: show crypto ipsec sa Command Output

Add a note hereRouterA# show crypto ipsec sa
Interface: Serial0/1
Crypto map tag: mymap, local addr. 172.30.1.2
local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
current_peer: 172.30.2.2
PERMIT, flacs={origin_is_acl,}
#pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
path mtu 1500, media mtu 1500
current outbound spi: 8AE1C9C

Add a note here The debug crypto isakmp and debug crypto sa commands are discussed later in the section “Troubleshooting.”



0 comments

Post a Comment