Chapter 05: Site-to-Site VPNs (Part05)

Configuring IPsec on a Site-to-Site VPN Using Cisco SDM

The steps to implement an IPsec site-to-site VPN using the Cisco router, as described in the preceding portions of the chapter, can be also performed using the Security Device Manager (SDM), as described in the sections that follow.

Introducing the Cisco SDM VPN Wizard Interface

To select and start a VPN wizard, follow these steps, as illustrated Figure 5-29:

Step 1	Choose Configure.
Step 2	Choose VPN to open the VPN Page.
Step 3	Choose a wizard from the VPN window. In Figure 5-29, the Site-to-Site VPN Wizard is chosen.
Step 4	Click the VPN implementation subtype. In Figure 5-29, the Create a Site to Site VPN option is chosen.
Step 5	Click the Launch the Selected Task button to start the wizard.

Figure 5-29: Cisco SDM VPN Wizard Interface

Site-to-Site VPN Components

The Cisco SDM VPN wizards use two sources to create a VPN connection:

• User input during a step-by-step wizard process

• Preconfigured VPN components

The Cisco SDM provides some default VPN components:

• Two IKE policies

• An IPsec transform set for the quick setup wizard

The VPN wizards create other components during the step-by-step configuration process. You must configure some components before you can use the wizards (for example, PKI).

Figure 5-30 illustrates the VPN navigation bar, which contains three major sections:

• VPN wizards

  • Site-to-site VPN

  • Easy VPN Remote

  • Easy VPN Server

  • Dynamic Multipoint VPN

• SSL VPN

• VPN components:

  • IPsec (main component)

  • IKE (main component)

  • Easy VPN Server (optional component): Group Policies and Browser Proxy Settings

  • Public Key Infrastructure (optional component): For IKE authentication using digital certificates

• VPN Keys Encryption

Figure 5-30: Cisco SDM VPN Navigation Bar

This option appears if the Cisco IOS Software image on your router supports type 6 encryption, also referred to as VPN key encryption. You can use this window to specify a master key to use when encrypting VPN keys, such as PSKs, Cisco Easy VPN keys, and Extended Authentication (XAUTH) keys. When the keys are encrypted, they are not readable by someone viewing the router configuration file.

• The VPN wizards simplify the configuration of individual VPN components. On the other hand, you can use the individual IPsec components section to modify parameters that may have been misconfigured during the VPN wizard step-by-step configuration.

Using the Cisco SDM Wizards to Configure Site-to-Site VPNs

Use a web browser to start the Cisco SDM on a router. Select the VPN wizard by choosing Configure > VPN > Site-to-Site VPN, as shown in Figure 5-31. Follow these steps to create and configure a classic site-to-site VPN:

Step 1	Click the Create a Site to Site VPN radio button on the Create Site to Site VPN tab and click the Launch the Selected Task button.
Step 2	A window displays, which allows you to select the wizard mode, as shown in Figure 5-32: The Quick Setup option uses the Cisco SDM default IKE policies and IPsec transform sets. The Step by Step Wizard option allows the administrator to specify all the details.
Step 3	Click the Next button to configure the parameters of the VPN connection.

Figure 5-31: Launching the Site-to-Site VPN Wizard

Figure 5-32: Starting the Site-to-Site VPN Wizard

Quick Setup

The quick setup uses a single window to configure the VPN connection, as shown in Figure 5-33, and includes the following parameters:

• Interface to use for the VPN connection (usually the outside interface)

• Peer identity information

  • Type of peer

  • IP address of the peer

• Authentication method:

  • PSKs (specify the secret)

  • Digital certificates (choose a certificate that should have been created beforehand)

  Traffic to encrypt:

  • Source interface

  • Destination IP subnet

Figure 5-33: Quick VPN Setup

Step-by-Step Setup

The step-by-step wizard, shown in Figure 5-34, requires multiple steps to configure the VPN connection and includes the following parameters:

• Connection settings: Outside interface, peer identity, and authentication credentials

• IKE proposals: IKE proposal priority, encryption, hashing algorithm, IKE authentication method, DH group, and IKE lifetime

• IPsec transform sets: Name, integrity algorithm, encryption algorithm, mode of operation (tunnel or transport), and compression

• Traffic to protect: Define single source and destination subnets or define an ACL to use for more complex VPNs

  
  Figure 5-34: Summary of Quick Setup Configuration

The last task of the step-by-step wizard is to review and complete the configuration.

Connection Settings

The first task in the step-by-step wizard is to configure the connection settings. Follow these steps, shown in Figure 5-35, to configure the connection settings:

Step 1	Choose the outside interface that is used to connect to the IPsec peer over the untrusted network.
Step 2	Specify the IP address of the peer.
Step 3	Choose the authentication method and specify the credentials. Use long and random PSKs to prevent brute-force and dictionary attacks against IKE.
Step 4	Click the Next button to proceed to the next task.

Figure 5-35: Configuring the Connection Settings

IKE Proposals

The second task in the step-by-step wizard is to configure IKE proposals, as shown in Figure 5-36. Follow these steps to configure the IKE proposals:

Step 1	To use the IKE proposal that is predefined by Cisco SDM, click the Next button (the predefined IKE proposal is chosen by default).
Step 2	If you want to use a custom IKE proposal, click the Add button to define a proposal and specify the following required parameters: IKE proposal priority Encryption algorithm Hashing algorithm IKE authentication method DH group IKE lifetime
Step 3	Click the OK button when you have finished configuring the IKE proposal.
Step 4	When you have finished with adding IKE policies, choose the proposal you want to use, and then click the Next button to proceed to the next task.

Figure 5-36: IKE Proposals

Transform Sets

The third task in the step-by-step wizard is to configure a transform set, as shown in Figure 5-37. Follow these steps to configure a transform set:

Step 1	To use the IPsec transform set that is predefined by Cisco SDM, click the Next button (the predefined transform set is chosen by default).
Step 2	If you want to use a custom IPsec transform set, click the Add button to define it and specify the following parameters: Transform set name Integrity algorithm Encryption algorithm Mode of operation Optional compression
Step 3	Click the OK button when you have finished configuring the transform set.
Step 4	When you have finished adding transform sets, choose the transform set you want to use, and then click the Next button to precede to the next task.

Figure 5-37: IPsec Transform Sets

Defining What Traffic to Protect

The next steps involve using the Cisco SDM to define what traffic the VPN should protect.

Option 1: Single Source and Destination Subnet

To define what traffic needs protection, you can use the simple mode, which allows the protection of traffic between one pair of IP subnets.

To protect the traffic between a particular pair of IP subnets, as shown in Figure 5-38, follow these steps:

Step 1	From the Traffic to Protect window, click the Protect All Traffic Between the Following Subnets radio button.
Step 2	Define the IP address and subnet mask of the local network where IPsec traffic originates.
Step 3	Define the IP address and subnet mask of the remote network where IPsec traffic is sent.

Figure 5-38: Source and Destination Subnets

Option 2: Using an ACL

To specify an IPsec rule that defines the traffic types to be protected, as shown in Figure 5-39, follow these steps:

Step 1	From the Traffic to Protect window, click the Create/Select an Access-List for IPsec Traffic radio button.
Step 2	Click the ellipsis (...) button to choose an existing ACL or to create a new one.
Step 3	If you want to use an existing ACL, choose the Select an Existing Rule (ACL) option. If you would like to create a new ACL, choose the Create a New Rule (ACL) and Select option.

Figure 5-39: Using an ACL

When you create a new ACL to define traffic that needs protection, you are presented with a window that lists the created access rule entries if any already exist. If none exist, you will be required to create a new rule, as shown in Figure 5-40. To create a new rule, follow these steps:

Step 1	Give the access rule a name and description.
Step 2	Click the Add button to start adding rule entries.

Figure 5-40: Using an ACL

Follow these steps to configure a new rule entry, as shown in Figure 5-41:

Step 1	Choose an action from the Select an Action list box and enter a description of the rule entry in the Description text box.
Step 2	Define the source hosts or networks in the Source Host/Network pane, and the destination hosts or networks in the Destination Host/Network pane. Each rule entry defines one pair of source and destination addresses or networks. Note You must use wildcard bits rather than subnet masks in the Wildcard Mask field.
Step 3	Optionally, you can provide protection for specific OSI protocols by choosing the specific protocol radio box (TCP, UDP, or ICMP) and the desired port numbers. If IP is chosen as the protocol, the rule applies to all IP traffic.

Figure 5-41: Creating a New Rule

Completing the Configuration

At the end of the configuration, the wizard presents a summary of all the configured parameters, as shown in Figure 5-42. To modify the configuration, click the Back button. Click the Finish button to complete the configuration.

Figure 5-42: Summary of Step-by-Step Setup Configuration

Testing the Tunnel Configuration and Operation

To run a test to determine the configuration of the tunnel, choose Configure > VPN > Site-to-Site VPN > Edit Site to Site VPN and click the Test Tunnel button, as shown in Figure 5-43. You can also click the Generate Mirror button to generate a mirroring configuration that is required on the other end of the tunnel. This is useful if the other router does not have Cisco SDM and if you have to use the CLI to configure the tunnel.

Figure 5-43: Testing the Configuration

Monitoring Tunnel Operation

To see all the IPsec tunnels, their parameters, and status, follow these steps, as shown in Figure 5-44:

Step 1	Choose Monitor.
Step 2	Choose VPN Status.
Step 3	Choose IPN Status.

Figure 5-44: Monitor Tunnel Operation

Advanced Monitoring

The basic Cisco IOS web interface also allows administrators to use the web interface to enter Cisco IOS CLI commands to monitor and troubleshoot the router, as shown in Figure 5-45.

Figure 5-45: Monitoring Using the Web Interface

Two of the most useful show commands to determine the status of the IPsec VPN connections are as follows:

• show crypto isakmp sa: This command displays all the current IKE SAs. QM_IDLE status indicates an active IKE SA.

• show crypto ipsec sa: This command displays the settings used by the current SAs. Nonzero encryption and decryption statistics can indicate a working set of IPsec SAs.

Example 5-11 shows some sample output from the show crypto ipsec sa command. If this command shows that an SA has been established, it indicates that the rest of the configuration is working. Take special note of the pkts encrypt and pkts decrypt values because these indicate that traffic is flowing through the tunnel.

Example 5-11: show crypto ipsec sa Output

---

RouterA# show crypto ipsec sa
interface: Ethernet0/1
   Crypto map tag: mymap, local addr. 172.16.100.100
   local ident (addr/mask/prot/port): (172.16.100.100/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (172.16.200.200/255.255.255.255/0/0)
  current_peer: 172.16.200.200
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
   #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
   #send errors 0, #recv errors 0
    local crypto endpt.: 172.16.100.100, remote crypto endpt.: 172.16.200.200
    path mtu 1500, media mtu 1500
    current outbound spi: 8AE1C9C

---

Troubleshooting

Use a terminal to connect to the Cisco IOS router if you want to use debugging commands to troubleshoot VPN connectivity.

The debug crypto isakmp command displays detailed information about the IKE Phase 1 and IKE Phase 2 negotiation processes. The debug crypto ipsec command displays detailed information about IPsec events.

Caution

Use debug commands with caution because the debug processes run the risk of causing performance problems on your devices. Use the undebug all command to turn off the debug as soon as possible. Also to improve throughput, it is recommended that you send loggings to a syslog server rather than the console port. The console port has a bandwidth of 9600 bauds compared to the minimum 10 Mb/s for the Ethernet interface used for reaching the syslog server. To disable logging on the console, use the no logging console command.

Summary

The key points covered in this chapters are as follows:

• IPsec is an ubiquitous VPN technology that provides confidentiality, data-integrity, authentication, and antireplay services.

• A crypto ACL defines interesting traffic, which is the traffic to be protected by the VPN tunnel.

• The IPsec VPN wizard offers two choices: user input via a step-by-step process or preconfigured VPN components.

References

For additional information, refer to these resources:

• Cisco Systems, Inc. Cisco IOS IPSEC Introduction, http://www.cisco.com/en/US/products/ps6635/products_ios_protocol_group_home.html

• Systems, Inc. Export Compliance & Regulatory Affairs: Encryption Control Guidance, http://www.cisco.com/wwl/export/crypto

• Carmouche, J. H. IPsec Virtual Private Network Fundamentals (Cisco Press, 2007)

• Deal, R. The Complete Cisco VPN Configuration Guide (Cisco Press, 2005)