Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005
IPsec – An Introduction
• IPsec is a suite of protocols used to create virtual private networks (VPNs)
• Creates an encrypted tunnel between 2 private networks
• Authenticates both ends of the tunnel
IPsec – An Introduction (Cont’d)
• Can choose what traffic to encrypt and how to encrypt it
• Encapsulates and encrypts IP data only (GRE can be used to carry non-IP traffic)
• IPsec is composed of the following main protocols:
  • Internet Key Exchange (IKE) protocol
  • Encapsulating Security Payload (ESP) protocol
  • Authentication Header (AH) protocol
IPsec – Fundamental Mechanisms
• Packet Encapsulation
  • Encapsulating Security Payload (ESP) – encrypts and authenticates data
  • Authentication Header (AH) – authenticates data and header
  • Tunnel mode – a new IP header is added in front of the original IP header of the packet
  • Transport mode – uses the original IP header of the packet
• Encryption
  • Uses the symmetric key algorithms DES or 3DES
• Integrity Checking
  • Uses hash-based message authentication codes (HMAC)
  • Hashing algorithms used are MD5 or SHA-1
IPsec Implementation
• LAN-to-LAN IPsec VPN
  • Also called site-to-site IPsec VPN
  • Merges 2 private networks across a public network
  • Appears as one virtual network with shared resources
IKE – An Introduction
• Responsible for negotiating the details of the IPsec tunnel between the 2 peers
• Main functions of IKE in IPsec:
  • Negotiate protocol parameters
  • Exchange public keys
  • Authenticate both ends
  • Manage keys after the exchange
How IKE Works
• IKE is a two-phase protocol
• Phase 1
  • Uses main mode or aggressive mode exchanges between peers
  • Negotiates a secure, authenticated communication channel between the IPsec peers
• Phase 2
  • Uses quick mode exchanges between peers
  • Negotiates security associations for the IPsec services
IKE – Main Mode
• The main functions of main mode (or aggressive mode) are:
  • Agree on a set of parameters that will be used to authenticate the 2 IPsec peers
  • Agree on a set of parameters that will be used to encrypt part of the main mode exchange and all of the quick mode exchange
  • Authenticate the 2 IPsec peers to each other
  • Generate keys that can be used to derive the necessary data encryption keys after negotiations are done
IKE – Main Mode (Cont’d)
• All the information negotiated in main mode is stored as an IKE or ISAKMP security association (SA)
• There is only one IKE SA between any 2 IPsec peers
IKE – Quick Mode
• The main functions of quick mode are:
  • Agree on a set of parameters for creating the IPsec SAs used to encrypt (for ESP) the data between the 2 peers
  • If Perfect Forward Secrecy (PFS) is being used, perform another Diffie-Hellman (DH) exchange to generate fresh keying material from which the data encryption keys are derived
IKE Authentication Mechanisms
• Preshared Keys
  • Define the same key on both IPsec peers
  • Simple but not scalable
• Digital Signatures
  • Use public/private key pairs generated on both IPsec peers
  • The public key is exchanged in a digital certificate that also contains sender information
  • The certificate is issued by a certificate authority (CA) server
• Encrypted Nonces
  • Pseudo-random numbers are encrypted and exchanged by the IPsec peers
IPsec Negotiation Using IKE
• IKE negotiates IPsec tunnels between IPsec peers using one of three main methods:
  • Main mode using preshared key authentication followed by quick mode negotiation
  • Main mode using digital signature authentication followed by quick mode negotiation
  • Aggressive mode using preshared key authentication followed by quick mode negotiation
Configuration of LAN-to-LAN IPsec – Network Diagram
[Network diagram: Responder and Initiator routers with public addresses 192.1.12.5 and 192.1.12.20 and private networks 10.1.2.0/24 and 10.1.1.0/24; image not reproduced]
• Cisco Routers R1 and R2 both running IOS version 12.2.15T11 (including support for IPsec and 3DES)
• Cisco Catalyst Switch 3550-01 running IOS version 12.1.22(EA1a)
Configuration of LAN-to-LAN IPsec – Setup of Routers
• Step 1: Ensure that IKE is enabled
  Router(config)# crypto isakmp enable
• Step 2: Create the ISAKMP policy, which defines the attributes negotiated between the peers for the IKE SA (the policy number is its priority)
  Router(config)# crypto isakmp policy 1
  Router(config-isakmp)# encryption 3des
  Router(config-isakmp)# hash md5
  Router(config-isakmp)# authentication pre-share
  Router(config-isakmp)# group 1
  Router(config-isakmp)# lifetime 14400
Configuration of LAN-to-LAN IPsec – Setup of Routers (Cont’d)
• Step 3: Define the pre-shared key and the IP address of the IPsec peer
  Router(config)# crypto isakmp key 42DB72B3 address 192.1.12.20
• Step 4: Define a transform-set for use with IPsec as follows:
  Router(config)# crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
• Step 5: Define the mode associated with the transform-set (optional; tunnel mode is the default)
  Router(cfg-crypto-trans)# mode tunnel
Configuration of LAN-to-LAN IPsec – Setup of Routers (Cont’d)
• Step 6: Define an access list that specifies the “interesting” traffic to be protected by IPsec
  Router(config)# access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
• Step 7: Define a crypto map
  • The crypto map links together all of the details of the IPsec configuration
  Router(config)# crypto map mymap1 ipsec-isakmp
Configuration of LAN-to-LAN IPsec – Setup of Routers (Cont’d)
• Step 8: Within the identified crypto map, define the IP address of the IPsec peer
  Router(config-crypto-map)# set peer 192.1.12.20
• Step 9: Within the identified crypto map, define which transform-set is to be used with this crypto map
  Router(config-crypto-map)# set transform-set myset1
• Step 10: Within the identified crypto map, define which access list is to be used with this crypto map (the command takes the access-list number or name directly)
  Router(config-crypto-map)# match address 101
Configuration of LAN-to-LAN IPsec – Setup of Routers (Cont’d)
• Step 11: Assign the crypto map to the specific interface of the router on which IPsec traffic will flow
  Router(config)# interface Ethernet 0/0
  Router(config-if)# crypto map mymap1
• Step 12: Verify that the defined policy, transform-set, and pre-shared key are the same on both IPsec peers
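Step 12 asks that the ISAKMP policy, transform-set and pre-shared key agree on both peers. The following Python script, added here as an example and not part of the original presentation, greps the relevant lines out of two IOS configurations (R1 built from the deck's own values, R2 an assumed mirror with one deliberate mismatch), reports any disagreement, checks that each router's crypto ACL is the mirror image of the other's and that the key address matches the configured peer, and flags the IKE settings (3DES, MD5, DH group 1) that have since been deprecated.

```python
import re

# Constructed sample: R1 uses the deck's Step 2-10 values; R2 is an assumed mirror with a mismatched hash.
R1 = """\
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 1
 lifetime 14400
crypto isakmp key 42DB72B3 address 192.1.12.20
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto map mymap1 10 ipsec-isakmp
 set peer 192.1.12.20
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
"""
R2 = (R1.replace("192.1.12.20", "192.1.12.5").replace("hash md5", "hash sha")
        .replace("10.1.1.0 0.0.0.255 10.1.2.0", "10.1.2.0 0.0.0.255 10.1.1.0"))
LEGACY = {"des", "3des", "md5", "1", "2"}  # IKE cipher/hash/DH-group values now deprecated

def parse(cfg):  # extract the attributes Step 12 says must agree on both peers
    def one(pat):  # groups of the first match, or None if the line is absent
        m = re.search(pat, cfg, re.M)
        return m.groups() if m else None
    return {
        "policy": {a: (one(rf"^ {a} (\S+)") or (None,))[0]
                   for a in ("encryption", "hash", "authentication", "group", "lifetime")},
        "psk": one(r"^crypto isakmp key (\S+) address (\S+)"),
        "transform": one(r"^crypto ipsec transform-set \S+ (.+)$"),
        "peer": one(r"^ set peer (\S+)"),
        "acl": one(r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)"),
    }

def check(a, b):  # findings a pre-deployment review of the two peers would raise
    pa, pb = parse(a), parse(b)
    out = [f"ISAKMP policy mismatch: {k} {v} vs {pb['policy'][k]}"
           for k, v in pa["policy"].items() if v != pb["policy"][k]]
    if pa["psk"][0] != pb["psk"][0]:
        out.append("pre-shared keys differ")
    if pa["transform"] != pb["transform"]:
        out.append("transform-sets differ")
    if pa["acl"][::-1] != pb["acl"]:  # each side's crypto ACL must mirror the other's
        out.append("crypto ACLs are not mirror images")
    for side, p in (("R1", pa), ("R2", pb)):
        if p["psk"][1] != p["peer"][0]:
            out.append(f"{side}: isakmp key address and set peer disagree")
        weak = sorted(v for v in p["policy"].values() if v in LEGACY)
        if weak:
            out.append(f"{side}: legacy IKE settings {weak}")
    return out
```

Replace the sample strings with the crypto sections of `show running-config` from each peer and print `check(R1, R2)`; an empty list means the two sides agree and use no deprecated settings.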
Configuration of LAN-to-LAN IPsec – Viewing IPsec Attributes
• Assigned IPsec attributes can be viewed using the following commands:
  Router# show crypto isakmp policy
  Router# show crypto isakmp sa
  Router# show crypto isakmp key
  Router# show crypto ipsec transform-set
  Router# show crypto map
  Router# show crypto ipsec sa
  Router# show crypto ipsec security-association lifetime
Configuration of LAN-to-LAN IPsec – Screenshots
[Screenshots of the crypto settings (2 slides) and running configuration (3 slides) of Router 1, followed by the same for Router 2; images not reproduced]
Configuration of LAN-to-LAN IPsec – Debug Output
[Debug output captured on router 1 (initiator, 6 slides) and router 2 (responder, 3 slides) during tunnel negotiation; images not reproduced]