Configuring IPsec on a Site-to-Site VPN Using Cisco SDM

The steps to implement an IPsec site-to-site VPN using a Cisco router, as described in the preceding portions of the chapter, can also be performed using the Security Device Manager (SDM), as described in the sections that follow.

Introducing the Cisco SDM VPN Wizard Interface

To select and start a VPN wizard, follow these steps, as illustrated in Figure 5-29:

Step 1. Choose Configure.

Step 2. Choose VPN to open the VPN page.

Step 3. Choose a wizard from the VPN window. In Figure 5-29, the Site-to-Site VPN wizard is chosen.

Step 4. Click the VPN implementation subtype. In Figure 5-29, the Create a Site to Site VPN option is chosen.

Step 5. Click the Launch the Selected Task button to start the wizard.

Figure 5-29: Cisco SDM VPN Wizard Interface

Site-to-Site VPN Components

The Cisco SDM VPN wizards use two sources to create a VPN connection:

  • User input during a step-by-step wizard process

  • Preconfigured VPN components

The Cisco SDM provides some default VPN components:

  • Two IKE policies

  • An IPsec transform set for the quick setup wizard

The VPN wizards create other components during the step-by-step configuration process. You must configure some components before you can use the wizards (for example, PKI).

Figure 5-30 illustrates the VPN navigation bar, which contains three major sections:

  • VPN wizards:

    • Site-to-site VPN

    • Easy VPN Remote

    • Easy VPN Server

    • Dynamic Multipoint VPN

  • SSL VPN

  • VPN components:

    • IPsec (main component)

    • IKE (main component)

    • Easy VPN Server (optional component): Group Policies and Browser Proxy Settings

    • Public Key Infrastructure (optional component): For IKE authentication using digital certificates

  • VPN Keys Encryption: This option appears only if the Cisco IOS Software image on your router supports type 6 encryption, also referred to as VPN key encryption. You can use this window to specify a master key to use when encrypting VPN keys, such as PSKs, Cisco Easy VPN keys, and Extended Authentication (XAUTH) keys. When the keys are encrypted, they are not readable by someone viewing the router configuration file.

Figure 5-30: Cisco SDM VPN Navigation Bar

The VPN wizards simplify the configuration of individual VPN components. On the other hand, you can use the individual IPsec components section to modify parameters that may have been misconfigured during the VPN wizard step-by-step configuration.

Using the Cisco SDM Wizards to Configure Site-to-Site VPNs

Use a web browser to start the Cisco SDM on a router. Select the VPN wizard by choosing Configure > VPN > Site-to-Site VPN, as shown in Figure 5-31. Follow these steps to create and configure a classic site-to-site VPN:

Step 1. Click the Create a Site to Site VPN radio button on the Create Site to Site VPN tab and click the Launch the Selected Task button.

Step 2. A window displays that allows you to select the wizard mode, as shown in Figure 5-32:

  • The Quick Setup option uses the Cisco SDM default IKE policies and IPsec transform sets.

  • The Step by Step Wizard option allows the administrator to specify all the details.

Step 3. Click the Next button to configure the parameters of the VPN connection.

Figure 5-31: Launching the Site-to-Site VPN Wizard

Figure 5-32: Starting the Site-to-Site VPN Wizard

Quick Setup

The quick setup uses a single window to configure the VPN connection, as shown in Figure 5-33, and includes the following parameters:

  • Interface to use for the VPN connection (usually the outside interface)

  • Peer identity information:

    • Type of peer

    • IP address of the peer

  • Authentication method:

    • PSKs (specify the secret)

    • Digital certificates (choose a certificate that should have been created beforehand)

  • Traffic to encrypt:

    • Source interface

    • Destination IP subnet

Figure 5-33: Quick VPN Setup

Step-by-Step Setup

The step-by-step wizard, shown in Figure 5-34, requires multiple steps to configure the VPN connection and includes the following parameters:

  • Connection settings: Outside interface, peer identity, and authentication credentials

  • IKE proposals: IKE proposal priority, encryption, hashing algorithm, IKE authentication method, DH group, and IKE lifetime

  • IPsec transform sets: Name, integrity algorithm, encryption algorithm, mode of operation (tunnel or transport), and compression

  • Traffic to protect: Define a single pair of source and destination subnets, or define an ACL to use for more complex VPNs

Figure 5-34: Summary of Quick Setup Configuration

The last task of the step-by-step wizard is to review and complete the configuration.

Connection Settings

The first task in the step-by-step wizard is to configure the connection settings. Follow these steps, shown in Figure 5-35, to configure the connection settings:

Step 1. Choose the outside interface that is used to connect to the IPsec peer over the untrusted network.

Step 2. Specify the IP address of the peer.

Step 3. Choose the authentication method and specify the credentials. Use long and random PSKs to prevent brute-force and dictionary attacks against IKE.

Step 4. Click the Next button to proceed to the next task.

Figure 5-35: Configuring the Connection Settings

IKE Proposals

The second task in the step-by-step wizard is to configure IKE proposals, as shown in Figure 5-36. Follow these steps to configure the IKE proposals:

Step 1. To use the IKE proposal that is predefined by Cisco SDM, click the Next button (the predefined IKE proposal is chosen by default).

Step 2. If you want to use a custom IKE proposal, click the Add button to define a proposal and specify the following required parameters:

  • IKE proposal priority

  • Encryption algorithm

  • Hashing algorithm

  • IKE authentication method

  • DH group

  • IKE lifetime

Step 3. Click the OK button when you have finished configuring the IKE proposal.

Step 4. When you have finished adding IKE policies, choose the proposal you want to use, and then click the Next button to proceed to the next task.

Figure 5-36: IKE Proposals

Transform Sets

The third task in the step-by-step wizard is to configure a transform set, as shown in Figure 5-37. Follow these steps to configure a transform set:

Step 1. To use the IPsec transform set that is predefined by Cisco SDM, click the Next button (the predefined transform set is chosen by default).

Step 2. If you want to use a custom IPsec transform set, click the Add button to define it and specify the following parameters:

  • Transform set name

  • Integrity algorithm

  • Encryption algorithm

  • Mode of operation

  • Optional compression

Step 3. Click the OK button when you have finished configuring the transform set.

Step 4. When you have finished adding transform sets, choose the transform set you want to use, and then click the Next button to proceed to the next task.

Figure 5-37: IPsec Transform Sets

Defining What Traffic to Protect

The next steps involve using the Cisco SDM to define what traffic the VPN should protect.

Option 1: Single Source and Destination Subnet

To define what traffic needs protection, you can use the simple mode, which protects traffic between one pair of IP subnets.

To protect the traffic between a particular pair of IP subnets, as shown in Figure 5-38, follow these steps:

Step 1. From the Traffic to Protect window, click the Protect All Traffic Between the Following Subnets radio button.

Step 2. Define the IP address and subnet mask of the local network where IPsec traffic originates.

Step 3. Define the IP address and subnet mask of the remote network where IPsec traffic is sent.

Figure 5-38: Source and Destination Subnets

Option 2: Using an ACL

To specify an IPsec rule that defines the traffic types to be protected, as shown in Figure 5-39, follow these steps:

Step 1. From the Traffic to Protect window, click the Create/Select an Access-List for IPsec Traffic radio button.

Step 2. Click the ellipsis (...) button to choose an existing ACL or to create a new one.

Step 3. If you want to use an existing ACL, choose the Select an Existing Rule (ACL) option. If you would like to create a new ACL, choose the Create a New Rule (ACL) and Select option.

Figure 5-39: Using an ACL

When you create a new ACL to define traffic that needs protection, you are presented with a window that lists the created access rule entries, if any already exist. If none exist, you are required to create a new rule, as shown in Figure 5-40. To create a new rule, follow these steps:

Step 1. Give the access rule a name and description.

Step 2. Click the Add button to start adding rule entries.

Figure 5-40: Using an ACL

Follow these steps to configure a new rule entry, as shown in Figure 5-41:

Step 1. Choose an action from the Select an Action list box and enter a description of the rule entry in the Description text box.

Step 2. Define the source hosts or networks in the Source Host/Network pane, and the destination hosts or networks in the Destination Host/Network pane. Each rule entry defines one pair of source and destination addresses or networks.

Note

You must use wildcard bits rather than subnet masks in the Wildcard Mask field.

Step 3. Optionally, you can protect only specific protocols by choosing the protocol radio button (TCP, UDP, or ICMP) and the desired port numbers. If IP is chosen as the protocol, the rule applies to all IP traffic.

Figure 5-41: Creating a New Rule
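The Note about wildcard bits deserves a concrete check, because a subnet mask typed into the Wildcard Mask field is accepted without complaint but selects a different set of addresses than intended (a wildcard of 255.255.255.0 matches any address whose last octet equals that of the network address, not the subnet), so the crypto ACL never matches the traffic you meant to protect. The following Python script is an added example, not code from the book or from Cisco SDM: it derives the wildcard for a subnet pair, builds the ACL entry in the form the wizard generates for a source/destination pair, and flags wildcard fields that have the shape of a subnet mask. The function names, the CIDR inputs, and the entries fed to `check_wildcard_fields` are my own constructions.

```python
import ipaddress


def subnet_mask_to_wildcard(mask: str) -> str:
    """Invert a dotted-decimal subnet mask into the wildcard (inverse) mask that
    Cisco IOS access-list entries expect, e.g. 255.255.255.0 -> 0.0.0.255."""
    bits = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))


def looks_like_subnet_mask(wildcard: str) -> bool:
    """Flag the classic mistake of typing a subnet mask into the Wildcard Mask field.

    A subnet mask is a run of ones followed by zeros (1...10...0); the wildcard for
    a whole subnet is the opposite shape (0...01...1). 0.0.0.0 (a single host) and
    255.255.255.255 (any address) are legitimate wildcards and are not flagged.
    """
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits in (0, 0xFFFFFFFF):
        return False
    inverse = bits ^ 0xFFFFFFFF
    # The inverse of a subnet mask is 0...01...1, so inverse + 1 is a power of two.
    return inverse & (inverse + 1) == 0


def crypto_acl_entry(source: str, destination: str, action: str = "permit") -> str:
    """Build one extended-ACL entry of the kind the wizard writes for a pair of
    subnets. Inputs are CIDR (or address/netmask) strings; the wildcard is derived
    from the prefix, so no hand conversion is needed (hypothetical helper)."""
    src = ipaddress.ip_network(source, strict=False)
    dst = ipaddress.ip_network(destination, strict=False)
    return (f"{action} ip {src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")


def check_wildcard_fields(entries):
    """Given (source_wildcard, destination_wildcard) pairs as typed into the rule
    entries, return (index, field, value) for every field that looks like a subnet
    mask so it can be corrected before the ACL is attached to the crypto map."""
    problems = []
    for index, (src_wc, dst_wc) in enumerate(entries):
        if looks_like_subnet_mask(src_wc):
            problems.append((index, "source", src_wc))
        if looks_like_subnet_mask(dst_wc):
            problems.append((index, "destination", dst_wc))
    return problems


if __name__ == "__main__":
    # Constructed sample: two rule entries, the second with a subnet mask typed
    # into the destination Wildcard Mask field by mistake.
    print(crypto_acl_entry("10.1.1.0/24", "10.2.2.0/24"))
    print(check_wildcard_fields([("0.0.0.255", "0.0.0.255"),
                                 ("0.0.0.255", "255.255.255.0")]))
```

Running the script prints the entry `permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255` and then reports the second entry's destination field; the check relies only on the bit shape of the value, so it catches the mistake for any prefix length without a lookup table.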

Completing the Configuration

At the end of the configuration, the wizard presents a summary of all the configured parameters, as shown in Figure 5-42. To modify the configuration, click the Back button. Click the Finish button to complete the configuration.

Figure 5-42: Summary of Step-by-Step Setup Configuration

Testing the Tunnel Configuration and Operation

To run a test of the tunnel configuration, choose Configure > VPN > Site-to-Site VPN > Edit Site to Site VPN and click the Test Tunnel button, as shown in Figure 5-43. You can also click the Generate Mirror button to generate the mirroring configuration that is required on the other end of the tunnel. This is useful if the other router does not have Cisco SDM and you have to use the CLI to configure the tunnel.

Figure 5-43: Testing the Configuration

Monitoring Tunnel Operation

To see all the IPsec tunnels, their parameters, and their status, follow these steps, as shown in Figure 5-44:

Step 1. Choose Monitor.

Step 2. Choose VPN Status.

Step 3. Choose IPN Status.

Figure 5-44: Monitor Tunnel Operation

Advanced Monitoring

The basic Cisco IOS web interface also allows administrators to enter Cisco IOS CLI commands through the web interface to monitor and troubleshoot the router, as shown in Figure 5-45.

Figure 5-45: Monitoring Using the Web Interface

Two of the most useful show commands for determining the status of IPsec VPN connections are as follows:

  • show crypto isakmp sa: This command displays all the current IKE SAs. A QM_IDLE status indicates an active IKE SA.

  • show crypto ipsec sa: This command displays the settings used by the current IPsec SAs. Nonzero encryption and decryption statistics indicate a working set of IPsec SAs.

Example 5-11 shows some sample output from the show crypto ipsec sa command. If this command shows that an SA has been established, the rest of the configuration is working. Take special note of the pkts encrypt and pkts decrypt values, because these indicate that traffic is flowing through the tunnel.

Example 5-11: show crypto ipsec sa Output

RouterA# show crypto ipsec sa
interface: Ethernet0/1
Crypto map tag: mymap, local addr. 172.16.100.100
local ident (addr/mask/prot/port): (172.16.100.100/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.200.200/255.255.255.255/0/0)
current_peer: 172.16.200.200
PERMIT, flags={origin_is_acl,}
#pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.100.100, remote crypto endpt.: 172.16.200.200
path mtu 1500, media mtu 1500
current outbound spi: 8AE1C9C
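Example 5-11 is the kind of output you read repeatedly while bringing a tunnel up or watching it in operation, and the counters are what tell you whether the tunnel is carrying traffic in both directions. The Python script below is an added example, not code from the book or from Cisco: it parses the Example 5-11 output (reproduced here as the test input), extracts the identities, peer, counters, and SPI, and applies the rule of thumb stated above: nonzero encrypt and decrypt counters mean traffic is flowing, while a zero counter on one side or nonzero error counters point at where to look next. The `parse_ipsec_sa` and `assess_tunnel` functions and the `up`/`one-way`/`down` labels are my own constructions.

```python
import re

# Output reproduced from Example 5-11 (RouterA), used here as sample input.
SAMPLE_OUTPUT = """\
RouterA# show crypto ipsec sa
interface: Ethernet0/1
Crypto map tag: mymap, local addr. 172.16.100.100
local ident (addr/mask/prot/port): (172.16.100.100/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.200.200/255.255.255.255/0/0)
current_peer: 172.16.200.200
PERMIT, flags={origin_is_acl,}
#pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.100.100, remote crypto endpt.: 172.16.200.200
path mtu 1500, media mtu 1500
current outbound spi: 8AE1C9C
"""

# Counter names as they appear in the output; the colon after the name is optional
# ("#pkts digest 0" has none), so the pattern tolerates both forms.
_COUNTER_RE = re.compile(
    r"#(pkts encaps|pkts encrypt|pkts digest|pkts decaps|pkts decrypt|pkts verify"
    r"|send errors|recv errors):?\s*(\d+)"
)

_FIELD_RES = {
    "interface": re.compile(r"^interface:\s*(\S+)"),
    "crypto_map": re.compile(r"^Crypto map tag:\s*(\S+),"),
    "local_ident": re.compile(r"^local ident \(addr/mask/prot/port\):\s*\((\S+)\)"),
    "remote_ident": re.compile(r"^remote ident \(addr/mask/prot/port\):\s*\((\S+)\)"),
    "peer": re.compile(r"^current_peer:\s*(\S+)"),
    "outbound_spi": re.compile(r"^current outbound spi:\s*(\S+)"),
}


def parse_ipsec_sa(output: str) -> dict:
    """Extract the fields a monitoring check needs from one SA block of
    'show crypto ipsec sa' output. Unknown lines are ignored."""
    sa = {"counters": {}}
    for raw in output.splitlines():
        line = raw.strip()
        for key, pattern in _FIELD_RES.items():
            match = pattern.match(line)
            if match:
                sa[key] = match.group(1)
        for name, value in _COUNTER_RE.findall(line):
            sa["counters"][name] = int(value)
    return sa


def assess_tunnel(sa: dict):
    """Classify the SA as 'up', 'one-way' or 'down' and list what to check.

    Encrypt and decrypt counters are the page's indicator of traffic through the
    tunnel; a zero on exactly one side is the characteristic sign of an asymmetric
    problem (mirror configuration or routing on one peer).
    """
    counters = sa.get("counters", {})
    findings = []
    send_err = counters.get("send errors", 0)
    recv_err = counters.get("recv errors", 0)
    if send_err or recv_err:
        findings.append(f"errors present: send={send_err} recv={recv_err}")
    outbound = counters.get("pkts encrypt", 0) > 0
    inbound = counters.get("pkts decrypt", 0) > 0
    if outbound and inbound:
        return "up", findings
    if outbound:
        findings.append("local side encrypts but nothing is decrypted: check the peer's "
                        "mirrored crypto ACL and the return route on the peer")
        return "one-way", findings
    if inbound:
        findings.append("peer traffic is decrypted but nothing is sent: check the local "
                        "crypto ACL and the route toward the remote subnet")
        return "one-way", findings
    findings.append("no packets in either direction: generate interesting traffic and "
                    "confirm IKE Phase 1 completed with show crypto isakmp sa")
    return "down", findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_OUTPUT)
    print(parsed)
    print(assess_tunnel(parsed))
```

For the Example 5-11 output the script reports the SA as `up` with no findings; feeding it a capture in which only pkts encrypt is nonzero yields `one-way` and the hint about the peer side, which is usually the faster route to the misconfigured end than re-reading both configurations.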

Troubleshooting

Use a terminal to connect to the Cisco IOS router if you want to use debugging commands to troubleshoot VPN connectivity.

The debug crypto isakmp command displays detailed information about the IKE Phase 1 and IKE Phase 2 negotiation processes. The debug crypto ipsec command displays detailed information about IPsec events.

Caution

Use debug commands with caution, because the debug processes run the risk of causing performance problems on your devices. Use the undebug all command to turn off debugging as soon as possible.

Also, to improve throughput, it is recommended that you send logging messages to a syslog server rather than to the console port. The console port has a bandwidth of 9600 baud, compared to the minimum of 10 Mb/s for the Ethernet interface used to reach the syslog server. To disable logging to the console, use the no logging console command.


Summary

The key points covered in this chapter are as follows:

  • IPsec is a ubiquitous VPN technology that provides confidentiality, data integrity, authentication, and antireplay services.

  • A crypto ACL defines interesting traffic, which is the traffic to be protected by the VPN tunnel.

  • The IPsec VPN wizard offers two choices: user input via a step-by-step process or preconfigured VPN components.

References

For additional information, refer to these resources:

  • Cisco Systems, Inc. Cisco IOS IPSEC Introduction, http://www.cisco.com/en/US/products/ps6635/products_ios_protocol_group_home.html

  • Cisco Systems, Inc. Export Compliance & Regulatory Affairs: Encryption Control Guidance, http://www.cisco.com/wwl/export/crypto

  • Carmouche, J. H. IPsec Virtual Private Network Fundamentals (Cisco Press, 2007)

  • Deal, R. The Complete Cisco VPN Configuration Guide (Cisco Press, 2005)

