Modules 19: Implement Site-to-Site IPsec VPNs
19.1 Configure a Site-to-Site IPsec VPN
19.1.1 IPsec Negotiation
An Internet Security Association and Key Management Protocol (ISAKMP) tunnel is initiated when host A sends "interesting" traffic toward host B and the VPN router sees it. Traffic is considered interesting when it travels between the peers and matches the criteria defined in an extended ACL; the ACL is the trigger for IKE negotiation, so its source/destination pairs must be mirrored on the two routers.
19.1.2 Site-to-Site IPsec VPN Topology
The topology in the figure for XYZCORP will be used in this section to demonstrate a site-to-site IPsec VPN implementation.
19.1.3 IPsec VPN Configuration Tasks
Security Policy Requirements
All XYZCORP VPNs should be implemented using the following security policy:
Encrypt traffic with AES 256 and protect integrity with SHA (HMAC).
Authenticate with PSK.
Exchange keys with DH group 14.
ISAKMP tunnel lifetime is 1 hour.
IPsec tunnel uses ESP with a 15-minute lifetime.
19.1.4 Existing ACL Configurations
Although XYZCORP does not have an existing ACL configuration, this would not be the case in a production network. Any ACL already applied to the outbound interface must permit the VPN control and data traffic between the peer addresses: ISAKMP/IKE (UDP 500), ESP (IP protocol 50) and, if NAT traversal is in use, NAT-T (UDP 4500); otherwise the tunnel never negotiates.
19.1.5 Handling Broadcast and Multicast Traffic
The XYZCORP topology uses static routing, so there is no multicast or broadcast traffic that needs to be routed through the tunnel. A pure IPsec crypto-map tunnel carries unicast only; if a dynamic routing protocol that uses multicast (for example OSPF or EIGRP) had to run between the sites, the traffic would first have to be encapsulated in GRE and the GRE tunnel then protected with IPsec.
19.2 ISAKMP Policy
19.2.1 The Default ISAKMP Policies
The first task is to configure the ISAKMP policy for IKE Phase 1. The ISAKMP policy lists the security parameters (encryption, hash, authentication method, DH group and lifetime) that the router is willing to use to negotiate the IKE Phase 1 SA. The IOS ships with built-in default policies, which can be displayed with show crypto isakmp default policy; they are only used when no configured policy matches the peer, so the XYZCORP policy must be configured explicitly.
19.2.2 Syntax to Configure a New ISAKMP Policy
The policy is created with the crypto isakmp policy command, as shown in the figure. The only argument for the command is the priority of the policy (from 1 to 10000); a lower number is a higher priority, and the router offers its policies to the peer in priority order until one matches. The policy sub-mode then sets the five parameters:
Hash
Authentication
Group
Lifetime
Encryption
19.2.3 ISAKMP Policy Configuration
To meet the security policy requirements for XYZCORP, configure the ISAKMP policy with the following parameters:
Hash is SHA
Authentication is pre-shared key
Group is 14
Lifetime is 3600 seconds
Encryption is AES 256
19.2.4 Pre-Shared Key Configuration
The XYZCORP security policy requires that a pre-shared key be used for authentication between the peers. The key is configured with the crypto isakmp key command together with the peer's address, and the same key must be configured on both routers.
19.3 IPsec Policy
19.3.1 Define Interesting Traffic
Interesting traffic is defined with an extended ACL that identifies the source and destination networks to be protected. Although the ISAKMP policy for the IKE Phase 1 tunnel is configured, the tunnel does not yet exist, because nothing has triggered negotiation; this is verified with the show crypto isakmp sa command in the figure below.
19.3.2 Configure IPsec Transform Set
The next step is to configure the transform set: the combination of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel. For XYZCORP this is ESP with AES 256 for confidentiality and SHA HMAC for integrity; the transform set must match on both peers.
19.4 Crypto Map
19.4.1 Syntax to Configure a Crypto Map
Now that the interesting traffic is defined and an IPsec transform set is configured, it is time to bind those configurations with the rest of the IPsec policy in a crypto map.
19.4.2 Crypto Map Configuration
To finish the configuration to meet the IPsec security policy for XYZCORP, complete the following:
Step 1. Bind the ACL and the transform set to the map.
Step 2. Specify the peer’s IP address.
Step 3. Configure the DH group for Perfect Forward Secrecy (PFS), so that each IPsec SA derives fresh keying material rather than reusing the Phase 1 keys.
Step 4. Configure the IPsec tunnel lifetime.
19.4.3 Apply and Verify the Crypto Map
To apply the crypto map, enter interface configuration mode for the outbound interface and configure the crypto map map-name command. Only one crypto map can be applied to an interface; additional peers are added as further sequence numbers within the same map.
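As an added example that is not part of the module's own figures, the following is a complete configuration for both XYZCORP routers covering every step above: ISAKMP policy, pre-shared key, interesting-traffic ACL, transform set, crypto map and interface binding. The interface names, outside addresses (192.0.2.1 and 203.0.113.1) and LAN prefixes (10.0.1.0/24 and 10.0.2.0/24) are assumptions, since the topology figure is not reproduced here, and the pre-shared key is a placeholder to be replaced.

```cisco
! === R1 (assumed: outside interface G0/0/1 = 192.0.2.1, LAN = 10.0.1.0/24) ===
! IKE Phase 1 (ISAKMP) policy: AES 256, SHA, PSK, DH group 14, 1-hour lifetime
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
! Pre-shared key for the R2 peer (placeholder value; must be identical on R2)
crypto isakmp key XYZCORP-psk-CHANGE-ME address 203.0.113.1
! Interesting traffic: R1 LAN to R2 LAN (mirrored on R2)
ip access-list extended VPN-ACL
 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
! IKE Phase 2 transform set: ESP with AES 256 encryption and SHA HMAC integrity
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
 mode tunnel
! Crypto map binds the ACL, transform set, peer, PFS group and 15-minute SA lifetime
crypto map VPN-MAP 10 ipsec-isakmp
 match address VPN-ACL
 set transform-set VPN-SET
 set peer 203.0.113.1
 set pfs group14
 set security-association lifetime seconds 900
! Apply the crypto map to the outbound (Internet-facing) interface
interface GigabitEthernet0/0/1
 crypto map VPN-MAP
!
! === R2 (assumed: outside interface G0/0/1 = 203.0.113.1, LAN = 10.0.2.0/24) ===
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key XYZCORP-psk-CHANGE-ME address 192.0.2.1
! ACL is the mirror image of R1's: R2 LAN to R1 LAN
ip access-list extended VPN-ACL
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map VPN-MAP 10 ipsec-isakmp
 match address VPN-ACL
 set transform-set VPN-SET
 set peer 192.0.2.1
 set pfs group14
 set security-association lifetime seconds 900
interface GigabitEthernet0/0/1
 crypto map VPN-MAP
```

Two caveats a practitioner should keep in mind. In IOS, hash sha and esp-sha-hmac select SHA-1; if the security policy is read as requiring SHA-2, use hash sha256 in the ISAKMP policy and esp-sha256-hmac in the transform set on both routers. The crypto isakmp key command stores the PSK in the running configuration; enable type 6 encryption of stored keys with key config-key password-encrypt followed by password encryption aes so the key is not readable in show running-config. Each router also needs a route to the remote LAN via its outside interface (static, per the XYZCORP design) so that the interesting traffic actually reaches the interface the crypto map is applied to.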
19.5 IPsec VPN
19.5.1 Send Interesting Traffic
Now that both the ISAKMP and IPsec policies are configured, and the crypto map is applied to the appropriate outbound interfaces, test the two tunnels by sending interesting traffic across the link.
19.5.2 Verify the ISAKMP and IPsec Tunnels
Sending interesting traffic does not actually mean that the tunnels are established. Verify IKE Phase 1 with show crypto isakmp sa (a successful SA shows the peer pair in state QM_IDLE) and IKE Phase 2 with show crypto ipsec sa, where the pkts encaps and pkts decaps counters should increment as traffic crosses the tunnel; if they do not, re-check that the ISAKMP policy parameters, the pre-shared key, the transform set and the mirrored ACLs match on both peers.