Month: May 2012

IPSec VPN Configuration

May 29, 2012

vpnFACT SHEET – VPN IPSEC (Cisco based)

  1. Understanding VPN components – IPSec and encryption (data integrity)
    1. Defining a VPN
    2. Understanding the need for encryption
    3. Types of encryption
  2. VPN benefits
    1. Cheaper connections
    2. Available anywhere
    3. Heavily encrypted and secure
    4. Many to many connection
  3. The world of IPSec
    1. Authentication
    2. Data Integrity
    3. Confidentiality
    4. Anti-Replay
  4. IPSec components
    1. Negotiation protocol – AH, ESP
    2. Encryption – DES, 3DES, AES
    3. Authentication – MD5, SHA-1
    4. Protection – DH1, 2,5,7
  5. IPSec modes of communication
    1. Transport mode
    2. Tunnel mode
  6. Two types of encryption keys
    1. Symmetric and asymmetric keys.
    2. Security over public network.
    3. Mixed approach.
    4. Encryption algorithms used today.
      • DES(64/56), 3DES(168), AES(128,192,256), RSA(512, 768, 1024) and DH(768, 1024, 1536).

Key IPSec negotiation protocol

  1. AH – Authentication, data integrity
  2. ESP – Encryption, authentication, data integrity.

IPSec Negotiation process

  1. Interesting traffic triggers VPN
  2. IKE phase1
  3. IKE phase2
  4. Data transfer
  5. VPN teardown

Interesting traffic decision

  1. Encrypt using IPSec
  2. Send in clear text
  3. Discard.

IKE Phase1

  1. Exchange the negotiation policy (Policy list [pres, dh, aes…])
  2. Exchange DH keys
  3. Identity verification

IKE phase2

  1. IPSec transform set and encryption keys negotiated and exchanged.
  2. Lifetime.

Designing IKE phase1 (IKE phase 1 focuses on establishing authentication and a secure tunnel for IKE phase2 exchange)

  1. Required elements
  1. Remote peer IP or hostname
  2. Key distribution method
  3. Authentication method
  4. Encryption algorithm
  5. Hash algorithm
  6. Lifetime
Side A IKE1 Parameters Side B IKE1 Parameters
Encryption AES-128 Encryption AES-128
Hashing SHA-1 Hashing SHA-1
Authentication Pre-Shared Authentication Pre-Shared
DH Level 2 DH Level 2
Lifetime 86400 Lifetime 86400

Designing IKE Phase2 policy (IKE2 focuses on establishing secure IPSec tunnel for data transfer).

Required elements

  1. Transform set
  2. Interesting traffic designation.
  3. IPSec crypto-map
Side A IKE2 Parameters Side B IKE2 Parameters
Encryption ESP-AES Encryption ESP-AES
Hashing ESP-SHA-HMAC Hashing ESP-SHA-HMAC
  1. IKE1 configurations.
Enable ISAKMP: Router(config)#crypto isakmp enable

Create ISAKMP Policy: Router(config)#crypto isakmp policy <1-10000>

Router(config)#crypto isakmp policy 100
Router(config-isakmp)#encryption aes 128
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 2
Router(config-isakmp)#hash sha
Configure ISAKMP Identity: Router(config)#crypto isakmp identity <address/hostname>
Configure pre-shared keys: Router(config)#crypto isakmp key <key> address <remote_ip>

IKE2 Configurations.

Create transform sets: Router(config)#crypto ipsec transform-set <name> <methods>

Router(config)#crypto ipsec transform-set TEST esp-aes 128 esp-sha-hmac

(optional) Configure IPSec lifetime: : Router(config)#crypto ipsec <seconds/kilobytes> <value>

Create mirrored ACLs defining traffic to be encrypted and the traffic expected to be received encrypted

Set up IPSec crypto-map: Router(config)#crypto isakmp map <name> <seq> ipsec-isakmp

Router(config)#crypto map TESTING 100 ipsec-isakmp

Router(config-crypto-map)#match address <acl>

Router(config-crypto-map)#set peer <remote_ip>

Router(config-crypto-map)#set pfs <group1/2/5>

Router(config-crypto-map)#set transform-set <set>

Verification commands

  1. show crypto isakmp policy
  2. show crypto ipsec transform-set
  3. show crypto ipsec sa
  4. show crypto map
  5. debug crypto isakmp
  6. debug crypto ipsec

Image: http://ccnabolivia.blogspot.com/2016/12/como-configurar-vpn-ipsec-site-to-site.html?spref=pi