IPSec IKEv1 Cisco Routers Formula

IPSec tunnels between Cisco routers are a tool that every network technician must have in their belt.

If you follow these simple rules it is very easy to get a VPN going between two Cisco routers.

On both routers we need to configure an ISAKMP (Internet Security Association and Key Management Protocol) policy that governs IKE phase 1 of the connection. In this policy we identify an encryption algorithm, a hashing algorithm, a Diffie-Hellman group and an authentication method.

For the encryption we can use: DES, 3DES, AES 128-192-256;

For hashing we can use: MD5 or SHA;

For the Diffie-Hellman group we can choose: group 1 (768 bits), group 2 (1024 bits) or group 5 (1536 bits);

For the authentication method we can choose either pre-shared keys or RSA signatures.

ISAKMP POLICY EXAMPLE:

! This configuration must match in both routers
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 5

PRE-SHARE KEY

crypto isakmp key 0 preshare-key address remote-external-address
! On R1
crypto isakmp key 0 cisco12345 address 10.0.1.2
!On R2
crypto isakmp key 0 cisco12345 address 10.0.0.1

The next step is to configure an IPsec transform set that dictates the rules used to protect the data traffic between the endpoints. This is known as IKE phase 2.

For this part of the configuration we need to decide the type of encapsulation, and thus the security protocol to use. We can choose between AH (Authentication Header) and ESP (Encapsulating Security Payload), but keep in mind that AH does not provide data confidentiality because it does not encrypt anything. For that reason almost all configurations use ESP.

Then we must decide which encryption and hashing algorithms to use. The same options available in phase 1 are also available in phase 2.

TRANSFORM-SET EXAMPLE

crypto ipsec transform-set NAME esp-aes esp-sha-hmac
! This configuration must match in both routers
crypto ipsec transform-set TSET esp-aes esp-sha-hmac

Next we need to create an ACL (Access Control List) to identify the traffic that must be encapsulated in the tunnel, leaving out the rest of the traffic that uses the same interface to reach the Internet and therefore stays unencrypted. The ACL must be mirrored between the two routers: what is the source on R1 is the destination on R2 and vice versa.

ACL EXAMPLE

ip access-list extended NAME
 permit ip local-lan-address wild-card remote-lan-address wild-card
 deny   ip any any
!On R1
ip access-list extended VPN
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
 deny   ip any any
!On R2
ip access-list extended VPN
 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip any any

Now, to join all the elements configured up to this point, we need to configure a crypto map that will then be applied to the outside interface. In the crypto map we indicate the ACL, the transform set and the peer. We can also specify a Diffie-Hellman group to harden the re-keying process with PFS (Perfect Forward Secrecy).

CRYPTO MAP EXAMPLE

crypto map NAME 10 ipsec-isakmp 
 set peer remote-external-address
 set transform-set TRANSFORM-SET 
 set pfs diffie-hellman-group
 match address ACL
!On R1
crypto map CMAP 10 ipsec-isakmp 
 set peer 10.0.1.2
 set transform-set TSET 
 set pfs group5
 match address VPN
!On R2
crypto map CMAP 10 ipsec-isakmp 
 set peer 10.0.0.1
 set transform-set TSET 
 set pfs group5
 match address VPN

Final step: apply the crypto map to the external interface.

ADD CRYPTO MAP TO THE EXTERNAL INTERFACE

!On both Routers
interface Ethernet0/0
 crypto map CMAP

Bonus step

It is normal for all traffic originating from the internal LAN to be NATted when it goes to remote networks (mainly the Internet). In this process the traffic from the local LAN to the remote LAN is also translated. Because of the order of operations in the packet flow, by the time the traffic reaches the crypto ACL it has already been translated and therefore no longer matches the permit entry. To solve this, we need to exempt the traffic between the two LANs from translation.

EXEMPT TRAFFIC FROM TRANSLATION

!NAT ACL in R1
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 deny ip any any
!Remove inter-LAN traffic from NAT on R1 (the deny must come before the permit)
no ip access-list extended NAT
ip access-list extended NAT
 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255 
 permit ip 192.168.0.0 0.0.0.255 any
 deny ip any any
!NAT ACL in R2
ip access-list extended NAT
 permit ip 172.16.0.0 0.0.0.255 any
 deny ip any any
!Remove inter-LAN traffic from NAT on R2 (the deny must come before the permit)
no ip access-list extended NAT
ip access-list extended NAT
 deny ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255 
 permit ip 172.16.0.0 0.0.0.255 any
 deny ip any any
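Two of the rules above are easy to get wrong by hand: the crypto ACLs must be mirrored, and the NAT ACL must deny the inter-LAN flow before the permit that would translate it. As an added example (not part of the original post), this small Python check parses the R1 and R2 ACL snippets from this post, constructed inline, with R2 deliberately left in its pre-exemption state to show the failing case:

```python
R1 = """ip access-list extended VPN
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
 deny   ip any any
ip access-list extended NAT
 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
 deny ip any any
"""
R2 = """ip access-list extended VPN
 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip any any
ip access-list extended NAT
 permit ip 172.16.0.0 0.0.0.255 any
 deny ip any any
"""  # constructed "before the fix": R2's NAT ACL still lacks the exemption


def _addr(tok):
    """Consume one ACL address from the token list: 'any' or 'network wildcard'."""
    t = tok.pop(0)
    return t if t == "any" else f"{t} {tok.pop(0)}"


def acl_entries(config, name):
    """Return (action, proto, src, dst) tuples of the named extended ACL, in order."""
    entries, inside = [], False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
        elif inside and line.startswith(" "):
            tok = line.split()
            act, proto, rest = tok[0], tok[1], tok[2:]
            entries.append((act, proto, _addr(rest), _addr(rest)))  # src, then dst
    return entries


def crypto_acl_mirrored(cfg_a, cfg_b, name="VPN"):
    """Each permit on one router must exist on the other with src/dst swapped."""
    a = {(p, s, d) for act, p, s, d in acl_entries(cfg_a, name) if act == "permit"}
    b = {(p, d, s) for act, p, s, d in acl_entries(cfg_b, name) if act == "permit"}
    return a == b


def nat_exempts_vpn(cfg, crypto_name="VPN", nat_name="NAT"):
    """Each crypto-ACL flow needs a NAT deny placed before any permit covering its source."""
    nat = acl_entries(cfg, nat_name)
    for _, p, s, d in (e for e in acl_entries(cfg, crypto_name) if e[0] == "permit"):
        deny = next((i for i, e in enumerate(nat) if e == ("deny", p, s, d)), None)
        perm = next((i for i, e in enumerate(nat) if e[0] == "permit" and e[2] in (s, "any")), len(nat))
        if deny is None or deny > perm:
            return False  # flow would be translated before reaching the crypto map
    return True
```

Running `crypto_acl_mirrored(R1, R2)` and `nat_exempts_vpn(R1)` both return True, while `nat_exempts_vpn(R2)` returns False until R2's NAT ACL gets the deny shown above.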

VERIFICATION

VPCS> sh ip        

NAME        : VPCS[1]
IP/MASK     : 192.168.0.1/24
GATEWAY     : 192.168.0.254
DNS         : 
DHCP SERVER : 192.168.0.254
DHCP LEASE  : 84212, 86400/43200/75600
MAC         : 00:50:79:66:68:05
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS> ping 172.16.0.1

84 bytes from 172.16.0.1 icmp_seq=1 ttl=62 time=3.066 ms
84 bytes from 172.16.0.1 icmp_seq=2 ttl=62 time=1.707 ms
84 bytes from 172.16.0.1 icmp_seq=3 ttl=62 time=1.895 ms
84 bytes from 172.16.0.1 icmp_seq=4 ttl=62 time=1.767 ms
84 bytes from 172.16.0.1 icmp_seq=5 ttl=62 time=2.238 ms
R1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.1.2        10.0.0.1        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1# show crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: CMAP, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   current_peer 10.0.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

That's all for now, see you in the next post.

Stay good.
