Configuring IPsec on a Site-to-Site VPN Using Cisco SDM
The steps to implement an IPsec site-to-site VPN on a Cisco router, as described in the preceding portions of the chapter, can also be performed using the Security Device Manager (SDM), as described in the sections that follow.
Introducing the Cisco SDM VPN Wizard Interface
To select and start a VPN wizard, follow these steps, as illustrated in Figure 5-29:
Step 1: Choose Configure.
Step 2: Choose VPN to open the VPN page.
Step 3: Choose a wizard from the VPN window. In Figure 5-29, the Site-to-Site VPN Wizard is chosen.
Step 4: Click the VPN implementation subtype. In Figure 5-29, the Create a Site to Site VPN option is chosen.
Step 5: Click the Launch the Selected Task button to start the wizard.
Site-to-Site VPN Components
The Cisco SDM VPN wizards use two sources to create a VPN connection:
- User input during a step-by-step wizard process
- Preconfigured VPN components
The Cisco SDM provides some default VPN components:
- Two IKE policies
- An IPsec transform set for the quick setup wizard
The VPN wizards create other components during the step-by-step configuration process. You must configure some components before you can use the wizards (for example, PKI).
Figure 5-30 illustrates the VPN navigation bar, which contains three major sections:
- VPN wizards:
  - Site-to-site VPN
  - Easy VPN Remote
  - Easy VPN Server
  - Dynamic Multipoint VPN
  - SSL VPN
- VPN components:
  - IPsec (main component)
  - IKE (main component)
  - Easy VPN Server (optional component): Group Policies and Browser Proxy Settings
  - Public Key Infrastructure (optional component): For IKE authentication using digital certificates
- VPN key encryption: This option appears if the Cisco IOS Software image on your router supports type 6 encryption, also referred to as VPN key encryption. You can use this window to specify a master key to use when encrypting VPN keys, such as PSKs, Cisco Easy VPN keys, and Extended Authentication (XAUTH) keys. When the keys are encrypted, they are not readable by someone viewing the router configuration file.
The VPN wizards simplify the configuration of individual VPN components. On the other hand, you can use the individual IPsec components section to modify parameters that may have been misconfigured during the VPN wizard step-by-step configuration.
Using the Cisco SDM Wizards to Configure Site-to-Site VPNs
Use a web browser to start the Cisco SDM on a router. Select the VPN wizard by choosing Configure > VPN > Site-to-Site VPN, as shown in Figure 5-31. Follow these steps to create and configure a classic site-to-site VPN:
Step 1: Click the Create a Site to Site VPN radio button on the Create Site to Site VPN tab and click the Launch the Selected Task button.
Step 2: A window opens that allows you to select the wizard mode (quick setup or step-by-step), as shown in Figure 5-32.
Step 3: Click the Next button to configure the parameters of the VPN connection.
Quick Setup
The quick setup uses a single window to configure the VPN connection, as shown in Figure 5-33, and includes the following parameters:
- Interface to use for the VPN connection (usually the outside interface)
- Type of peer
- IP address of the peer
- Authentication method:
  - PSKs (specify the secret)
  - Digital certificates (choose a certificate that should have been created beforehand)
- Traffic to encrypt:
  - Source interface
  - Destination IP subnet
Step-by-Step Setup
The step-by-step wizard, shown in Figure 5-34, requires multiple steps to configure the VPN connection and includes the following parameters:
- Connection settings: Outside interface, peer identity, and authentication credentials
- IKE proposals: IKE proposal priority, encryption, hashing algorithm, IKE authentication method, DH group, and IKE lifetime
- IPsec transform sets: Name, integrity algorithm, encryption algorithm, mode of operation (tunnel or transport), and compression
- Traffic to protect: Define single source and destination subnets or define an ACL to use for more complex VPNs
The last task of the step-by-step wizard is to review and complete the configuration.
Connection Settings
The first task in the step-by-step wizard is to configure the connection settings. Follow these steps, shown in Figure 5-35, to configure the connection settings:
Step 1: Choose the outside interface that is used to connect to the IPsec peer over the untrusted network.
Step 2: Specify the IP address of the peer.
Step 3: Choose the authentication method and specify the credentials. Use long and random PSKs to prevent brute-force and dictionary attacks against IKE.
Step 4: Click the Next button to proceed to the next task.
IKE Proposals
The second task in the step-by-step wizard is to configure IKE proposals, as shown in Figure 5-36. Follow these steps to configure the IKE proposals:
Step 1: To use the IKE proposal that is predefined by Cisco SDM, click the Next button (the predefined IKE proposal is chosen by default).
Step 2: If you want to use a custom IKE proposal, click the Add button to define a proposal and specify the required parameters (priority, encryption, hashing algorithm, authentication method, DH group, and lifetime).
Step 3: Click the OK button when you have finished configuring the IKE proposal.
Step 4: When you have finished adding IKE policies, choose the proposal you want to use, and then click the Next button to proceed to the next task.
Transform Sets
The third task in the step-by-step wizard is to configure a transform set, as shown in Figure 5-37. Follow these steps to configure a transform set:
Defining What Traffic to Protect
The next steps involve using the Cisco SDM to define what traffic the VPN should protect.
Option 1: Single Source and Destination Subnet
To define what traffic needs protection, you can use the simple mode, which allows the protection of traffic between one pair of IP subnets.
To protect the traffic between a particular pair of IP subnets, as shown in Figure 5-38, follow these steps:
Step 1: From the Traffic to Protect window, click the Protect All Traffic Between the Following Subnets radio button.
Step 2: Define the IP address and subnet mask of the local network where IPsec traffic originates.
Step 3: Define the IP address and subnet mask of the remote network where IPsec traffic is sent.
Option 2: Using an ACL
To specify an IPsec rule that defines the traffic types to be protected, as shown in Figure 5-39, follow these steps:
Step 1: From the Traffic to Protect window, click the Create/Select an Access-List for IPsec Traffic radio button.
Step 2: Click the ellipsis (...) button to choose an existing ACL or to create a new one.
Step 3: If you want to use an existing ACL, choose the Select an Existing Rule (ACL) option. If you would like to create a new ACL, choose the Create a New Rule (ACL) and Select option.
When you create a new ACL to define traffic that needs protection, you are presented with a window that lists the created access rule entries if any already exist. If none exist, you will be required to create a new rule, as shown in Figure 5-40. To create a new rule, follow these steps:
Step 1: Give the access rule a name and description.
Step 2: Click the Add button to start adding rule entries.
Follow these steps to configure a new rule entry, as shown in Figure 5-41:
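The crypto ACL built in this section is what the router consults to decide whether a packet is "interesting traffic" that must be protected. The following Python is an added example, not code from the book or from Cisco SDM: it evaluates packets against extended-ACL entries using IOS wildcard-mask semantics (first match wins, implicit deny at the end) and checks that a peer's ACL is the exact mirror of the local one, since mismatched entries are a common cause of IKE Phase 2 negotiation failures. The 10.1.1.0/24 and 10.2.2.0/24 subnets and all function names are constructed for the example.

```python
"""Added example: crypto ACL evaluation with IOS wildcard masks and a mirror check.
Not from the book or Cisco SDM; rule syntax is the IOS extended-ACL 'permit|deny ip' form."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoRule:
    action: str      # "permit" = protect with IPsec, "deny" = send in the clear
    src_net: int
    src_wild: int    # IOS wildcard: 0 bits must match, 1 bits are don't-care
    dst_net: int
    dst_wild: int


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _expand(tokens):
    """Expand IOS shorthand: 'any' -> 0.0.0.0 255.255.255.255, 'host X' -> X 0.0.0.0."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "any":
            out += ["0.0.0.0", "255.255.255.255"]
        elif tokens[i] == "host":
            out += [tokens[i + 1], "0.0.0.0"]
            i += 1
        else:
            out.append(tokens[i])
        i += 1
    return out


def parse_rule(line: str) -> CryptoRule:
    """Parse one entry such as 'permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255'."""
    t = _expand(line.split())
    if len(t) != 6 or t[0] not in ("permit", "deny") or t[1] != "ip":
        raise ValueError(f"unsupported crypto ACL entry: {line!r}")
    return CryptoRule(t[0], _to_int(t[2]), _to_int(t[3]), _to_int(t[4]), _to_int(t[5]))


def _matches(addr: int, net: int, wild: int) -> bool:
    # Only the bits where the wildcard is 0 are compared.
    keep = ~wild & 0xFFFFFFFF
    return (addr & keep) == (net & keep)


def classify(acl, src: str, dst: str) -> str:
    """Return 'protect' or 'clear' for a src/dst pair; first match wins, no match = implicit deny."""
    s, d = _to_int(src), _to_int(dst)
    for rule in acl:
        if _matches(s, rule.src_net, rule.src_wild) and _matches(d, rule.dst_net, rule.dst_wild):
            return "protect" if rule.action == "permit" else "clear"
    return "clear"


def mirror_rule(rule: CryptoRule) -> CryptoRule:
    """The peer must protect the same flows with source and destination swapped."""
    return CryptoRule(rule.action, rule.dst_net, rule.dst_wild, rule.src_net, rule.src_wild)


def is_mirror(local_acl, peer_acl) -> bool:
    """True when the peer ACL is entry-for-entry the reverse of the local ACL."""
    return [mirror_rule(r) for r in local_acl] == list(peer_acl)


# Constructed sample ACLs for a site-to-site VPN between two /24 networks.
LOCAL_ACL = [parse_rule(l) for l in (
    "permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
    "deny ip any any",
)]
PEER_ACL = [parse_rule(l) for l in (
    "permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "deny ip any any",
)]

if __name__ == "__main__":
    print(classify(LOCAL_ACL, "10.1.1.5", "10.2.2.9"))    # protect
    print(classify(LOCAL_ACL, "10.1.1.5", "192.0.2.1"))   # clear
    print(is_mirror(LOCAL_ACL, PEER_ACL))                 # True
```

Running `is_mirror` against the ACL you generate for the far end before applying it is a quick way to catch the reversed-subnet mistakes that otherwise only show up as a failed Phase 2 negotiation.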
Completing the Configuration
At the end of the configuration, the wizard presents a summary of all the configured parameters, as shown in Figure 5-42. To modify the configuration, click the Back button. Click the Finish button to complete the configuration.
Testing the Tunnel Configuration and Operation
To test the tunnel configuration, choose Configure > VPN > Site-to-Site VPN > Edit Site to Site VPN and click the Test Tunnel button, as shown in Figure 5-43. You can also click the Generate Mirror button to generate the mirroring configuration that is required on the other end of the tunnel. This is useful if the other router does not have Cisco SDM and you have to use the CLI to configure the tunnel.
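The step-by-step wizard collects connection settings, an IKE proposal, a transform set and the traffic to protect, and the Generate Mirror button produces the matching configuration for a peer that must be configured from the CLI. The following Python is an added example, not code from the book or from Cisco SDM: it renders those wizard parameters as the equivalent classic IOS IKEv1/IPsec CLI, derives the peer-side mirror by swapping the local and remote identities, and generates a long random PSK of the kind the Connection Settings step recommends. The dataclass, function, ACL and crypto map names are this example's own; the peer addresses 172.16.100.100 and 172.16.200.200 are taken from Example 5-11 on this page, and the protected subnets are constructed.

```python
"""Added example: wizard parameters -> IOS CLI, plus the peer's mirror configuration.
Not from the book or Cisco SDM; names and the protected subnets are constructed."""
import ipaddress
import secrets
from dataclasses import dataclass, replace


@dataclass
class SiteToSiteVpn:
    outside_interface: str   # interface facing the untrusted network
    local_peer: str          # this router's outside address
    remote_peer: str         # the other router's outside address
    local_subnet: str        # CIDR network to protect on this side
    remote_subnet: str       # CIDR network to protect on the far side
    psk: str
    ike_priority: int = 10
    ike_encryption: str = "aes 256"
    ike_hash: str = "sha"
    dh_group: int = 14
    ike_lifetime: int = 86400
    transform_name: str = "ESP-AES256-SHA"
    transform: str = "esp-aes 256 esp-sha-hmac"
    mode: str = "tunnel"
    acl_name: str = "VPN-TRAFFIC"
    map_name: str = "S2S-MAP"
    map_seq: int = 10


def wildcard(cidr: str) -> str:
    """'10.1.1.0/24' -> '10.1.1.0 0.0.0.255' (IOS ACLs use inverted masks)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


def generate_psk(nbytes: int = 32) -> str:
    """Long random PSK from the OS CSPRNG, so dictionary guessing against IKE is hopeless."""
    return secrets.token_urlsafe(nbytes)


def psk_is_strong(psk: str, min_len: int = 20) -> bool:
    """Cheap sanity check before accepting a typed-in secret: length and mixed character classes."""
    classes = sum((
        any(c.islower() for c in psk), any(c.isupper() for c in psk),
        any(c.isdigit() for c in psk), any(not c.isalnum() for c in psk)))
    return len(psk) >= min_len and classes >= 2


def render_config(v: SiteToSiteVpn) -> str:
    """Classic IOS IKEv1/IPsec CLI equivalent to what the wizard pushes to the router."""
    lines = [
        f"crypto isakmp policy {v.ike_priority}",
        f" encr {v.ike_encryption}",
        f" hash {v.ike_hash}",
        " authentication pre-share",
        f" group {v.dh_group}",
        f" lifetime {v.ike_lifetime}",
        f"crypto isakmp key {v.psk} address {v.remote_peer}",
        f"crypto ipsec transform-set {v.transform_name} {v.transform}",
        f" mode {v.mode}",
        f"ip access-list extended {v.acl_name}",
        f" permit ip {wildcard(v.local_subnet)} {wildcard(v.remote_subnet)}",
        f"crypto map {v.map_name} {v.map_seq} ipsec-isakmp",
        f" set peer {v.remote_peer}",
        f" set transform-set {v.transform_name}",
        f" match address {v.acl_name}",
        f"interface {v.outside_interface}",
        f" crypto map {v.map_name}",
    ]
    return "\n".join(lines) + "\n"


def mirror(v: SiteToSiteVpn, peer_outside_interface: str) -> SiteToSiteVpn:
    """Swap local/remote identities; IKE, transform-set and PSK settings stay identical on both ends."""
    return replace(v, outside_interface=peer_outside_interface,
                   local_peer=v.remote_peer, remote_peer=v.local_peer,
                   local_subnet=v.remote_subnet, remote_subnet=v.local_subnet)


if __name__ == "__main__":
    vpn = SiteToSiteVpn("Ethernet0/1", "172.16.100.100", "172.16.200.200",
                        "10.1.1.0/24", "10.2.2.0/24", generate_psk())
    print("! RouterA\n" + render_config(vpn))
    print("! RouterB (mirror)\n" + render_config(mirror(vpn, "Ethernet0/1")))
```

The peer's outside interface name is the one value the mirror cannot know, which is why `mirror` takes it as an argument; everything else on the far end is either swapped (peer address, subnets) or must be byte-for-byte identical (policy, transform set, PSK).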
Monitoring Tunnel Operation
To see all the IPsec tunnels, their parameters, and status, follow these steps, as shown in Figure 5-44:
Step 1: Choose Monitor.
Step 2: Choose VPN Status.
Step 3: Choose IPsec Status.
Advanced Monitoring
The basic Cisco IOS web interface also allows administrators to enter Cisco IOS CLI commands to monitor and troubleshoot the router, as shown in Figure 5-45.
Two of the most useful show commands to determine the status of the IPsec VPN connections are as follows:
- show crypto isakmp sa: This command displays all the current IKE SAs. QM_IDLE status indicates an active IKE SA.
- show crypto ipsec sa: This command displays the settings used by the current SAs. Nonzero encryption and decryption statistics can indicate a working set of IPsec SAs.
Example 5-11 shows some sample output from the show crypto ipsec sa command. If this command shows that an SA has been established, it indicates that the rest of the configuration is working. Take special note of the pkts encrypt and pkts decrypt values because these indicate that traffic is flowing through the tunnel.
RouterA# show crypto ipsec sa
interface: Ethernet0/1
Crypto map tag: mymap, local addr. 172.16.100.100
local ident (addr/mask/prot/port): (172.16.100.100/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.200.200/255.255.255.255/0/0)
current_peer: 172.16.200.200
PERMIT, flags={origin_is_acl,}
#pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.100.100, remote crypto endpt.: 172.16.200.200
path mtu 1500, media mtu 1500
current outbound spi: 8AE1C9C
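The checks an operator makes by eye on this output (an SPI is present, pkts encrypt and pkts decrypt are both nonzero, no send or receive errors, and the IKE SA for the peer sits in QM_IDLE) can be scripted for a monitoring job. The following Python is an added example, not code from the book: it parses the `show crypto ipsec sa` output of Example 5-11 copied above, plus a constructed `show crypto isakmp sa` listing in the usual IOS column layout, and reports which of those conditions fail. Function names are this example's own.

```python
"""Added example: turn 'show crypto ipsec sa' / 'show crypto isakmp sa' output into
pass/fail tunnel checks. Not from the book; the ISAKMP listing is constructed."""
import re

# Copied from Example 5-11 on this page (RouterA# show crypto ipsec sa).
IPSEC_SA_OUTPUT = """\
interface: Ethernet0/1
Crypto map tag: mymap, local addr. 172.16.100.100
local ident (addr/mask/prot/port): (172.16.100.100/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.200.200/255.255.255.255/0/0)
current_peer: 172.16.200.200
PERMIT, flags={origin_is_acl,}
#pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.100.100, remote crypto endpt.: 172.16.200.200
path mtu 1500, media mtu 1500
current outbound spi: 8AE1C9C
"""

# Constructed sample (not from the page) in the usual IOS layout of show crypto isakmp sa.
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.200.200  172.16.100.100  QM_IDLE           1001 ACTIVE
"""

PKTS_RE = re.compile(r"#pkts (\w+):? (\d+)")       # 'encrypt: 21' and 'digest 0' forms
ERR_RE = re.compile(r"#(send|recv) errors (\d+)")
ISAKMP_ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_ipsec_sa(text: str) -> dict:
    """Extract peer, outbound SPI and the packet/error counters from one SA block."""
    info = {"counters": {k: int(v) for k, v in PKTS_RE.findall(text)},
            "errors": {k: int(v) for k, v in ERR_RE.findall(text)}}
    m = re.search(r"current_peer: (\S+)", text)
    info["peer"] = m.group(1) if m else None
    m = re.search(r"current outbound spi: ([0-9A-Fa-f]+)", text)
    info["outbound_spi"] = m.group(1) if m else None
    return info


def parse_isakmp_sa(text: str) -> list:
    """One dict per IKE SA row: dst, src, state, conn_id, status."""
    rows = []
    for line in text.splitlines():
        m = ISAKMP_ROW_RE.match(line)
        if m:
            dst, src, state, conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "status": status})
    return rows


def ike_sa_active(text: str, peer: str) -> bool:
    """QM_IDLE means Phase 1 completed and the SA is ready to negotiate Phase 2."""
    return any(r["state"] == "QM_IDLE" and peer in (r["dst"], r["src"])
               for r in parse_isakmp_sa(text))


def tunnel_health(ipsec_text: str) -> dict:
    """Apply the operator's checklist to the IPsec SA output and list what failed."""
    info = parse_ipsec_sa(ipsec_text)
    c, e = info["counters"], info["errors"]
    findings = []
    if info["outbound_spi"] in (None, "0"):
        findings.append("no outbound SPI: IPsec SA not established")
    if c.get("encrypt", 0) == 0:
        findings.append("pkts encrypt is 0: nothing entering the tunnel (check crypto ACL and routing)")
    if c.get("decrypt", 0) == 0:
        findings.append("pkts decrypt is 0: nothing arriving from the peer (check the peer's mirror config)")
    if e.get("send", 0) or e.get("recv", 0):
        findings.append("send/recv errors present")
    return {"peer": info["peer"], "ok": not findings, "findings": findings, "counters": c}


if __name__ == "__main__":
    print(tunnel_health(IPSEC_SA_OUTPUT))
    print("IKE SA active:", ike_sa_active(ISAKMP_SA_OUTPUT, "172.16.200.200"))
```

A one-sided counter (encrypt climbing, decrypt stuck at 0) is the signature worth alerting on: the local router is sending, but nothing protected is coming back, which usually points at the far end's crypto ACL or routing rather than at the local configuration.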
Troubleshooting
Use a terminal to connect to the Cisco IOS router if you want to use debugging commands to troubleshoot VPN connectivity.
The debug crypto isakmp command displays detailed information about the IKE Phase 1 and IKE Phase 2 negotiation processes. The debug crypto ipsec command displays detailed information about IPsec events.
Caution: Use debug commands with caution because the debug processes risk causing performance problems on your devices. Use the undebug all command to turn off debugging as soon as possible. Also, to improve throughput, send logging to a syslog server rather than to the console port: the console port runs at 9600 baud, compared to a minimum of 10 Mb/s for the Ethernet interface used to reach the syslog server. To disable logging on the console, use the no logging console command.
Summary
The key points covered in this chapter are as follows:
- IPsec is a ubiquitous VPN technology that provides confidentiality, data-integrity, authentication, and antireplay services.
- A crypto ACL defines interesting traffic, which is the traffic to be protected by the VPN tunnel.
- The IPsec VPN wizard offers two choices: user input via a step-by-step process or preconfigured VPN components.