Implement Site-to-Site IPsec VPNs (Coggle Diagram)
Configure site-to-site ipsec vpn
IPsec negotiation
An Internet Security Association and Key Management Protocol (ISAKMP) tunnel is initiated when host A sends "interesting" traffic to host B.
The peers negotiate the ISAKMP SA policy. When the peers agree on the policy and are authenticated, a secure tunnel is created.
The IPsec peers use the authenticated secure tunnel to negotiate the IPsec SA policy. The negotiation of the shared policy determines how the IPsec tunnel is established.
The IPsec tunnel is created, and data is transferred between the IPsec peers based on the IPsec SAs.
Site-to-Site IPsec VPN Topology
In the phase 1 configuration, the two sites are configured with the necessary ISAKMP security associations to ensure that an ISAKMP tunnel can be created.
In the phase 2 configuration, the two sites are configured with the IPsec security associations to ensure that an IPsec tunnel is created within the ISAKMP tunnel. Both tunnels will be created only when interesting traffic is detected.
IPsec VPN configuration tasks
All XYZCORP VPNs should be implemented using the following security policy:
Task 1: Configure the ISAKMP Policy for IKE Phase 1
Task 2: Configure the IPsec Policy for IPsec Phase 2
Task 3: Configure a Crypto Map for the IPsec Policy
Task 4: Apply the IPsec Policy
Task 5: Verify that the IPsec Tunnel is Operational
Existing ACL configurations
Perimeter routers typically implement a restrictive security policy, blocking all traffic except for traffic specifically allowed.
The ACL command syntax to permit ISAKMP, ESP, and AH traffic is:
Router(config)# ip access-list extended name
Router(config-ext-nacl)# permit udp source wildcard destination wildcard eq isakmp
Router(config-ext-nacl)# permit esp source wildcard destination wildcard
Router(config-ext-nacl)# permit ahp source wildcard destination wildcard
Handling broadcast and multicast traffic
IPsec only supports unicast traffic. To enable routing protocol traffic, the peers in a site-to-site IPsec VPN implementation would need to be configured with a Generic Routing Encapsulation tunnel.
GRE also supports IP multicast tunneling. Routing protocols that are run across the tunnel enable dynamic exchange of routing information in the virtual network.
ISAKMP Policy
Default ISAKMP policies
Cisco IOS comes with default ISAKMP policies already in place. To view the default policies, enter the show crypto isakmp default policy command.
Default protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65508
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65509
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65510
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65511
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65512
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Configure new ISAKMP policy
To configure an ISAKMP policy with these SA parameters:
Hash is SHA
Authentication is pre-shared key
Group is 14
Lifetime is 3600 seconds
Encryption is AES
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 14
R1(config-isakmp)# lifetime 3600
IPsec policy
Interesting traffic must be detected before IKE Phase 1 negotiations can begin.
To define interesting traffic, configure each router with an ACL that permits traffic from the local LAN to the remote LAN.
Next, configure the set of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel.
Configure a transform set using the crypto ipsec transform-set command.
Crypto Map
Configure a crypto map
Now that the interesting traffic is defined, and an IPsec transform set is configured, it is time to bind those configurations with the rest of the IPsec policy in a crypto map.
crypto map map-name seq-num { ipsec-isakmp | ipsec-manual }
The available configurations for a crypto map entry when you are in crypto map configuration mode are shown below. The map name is R1-R2_MAP, and the sequence number is 10.
Crypto map configuration
Step 1. Bind the ACL and the transform set to the map.
Step 2. Specify the peer’s IP address.
Step 3. Configure the DH group.
Step 4. Configure the IPsec tunnel lifetime.
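Putting Tasks 1 to 5 above together, here is an added R1-side configuration; it is not from the original diagram. The ISAKMP policy values and the map name R1-R2_MAP with sequence number 10 come from the text; the peer and interface addresses (203.0.113.0/30, 192.168.1.0/24, 192.168.2.0/24), the names VPN-TRAFFIC, R1-R2_TS and OUTSIDE-IN, the interface GigabitEthernet0/0, the IPsec SA lifetime and the pre-shared key placeholder are assumptions.

```cisco
! Task 1: IKE Phase 1 policy, using the values required above
crypto isakmp policy 1
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
! Pre-shared key for the remote peer (placeholder key, assumed peer address)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Task 2: IPsec Phase 2 transform set (ESP with AES-256 and SHA-1 HMAC)
crypto ipsec transform-set R1-R2_TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Interesting traffic: R1's LAN to R2's LAN (assumed prefixes)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Task 3: crypto map R1-R2_MAP, sequence 10, binding the ACL, transform set,
! peer, PFS DH group and IPsec SA lifetime (steps 1 to 4 above)
crypto map R1-R2_MAP 10 ipsec-isakmp
 match address VPN-TRAFFIC
 set transform-set R1-R2_TS
 set peer 203.0.113.2
 set pfs group14
 set security-association lifetime seconds 3600
!
! Existing perimeter ACL: permit ISAKMP, ESP and AH from the peer only
! (other traffic the site policy permits is omitted here)
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ahp host 203.0.113.2 host 203.0.113.1
!
! Task 4: apply the crypto map and the inbound ACL to the outside interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map R1-R2_MAP
!
! Task 5: from privileged EXEC, after a LAN-to-LAN ping (interesting traffic):
!   show crypto isakmp sa   -> peer entry in state QM_IDLE
!   show crypto ipsec sa    -> #pkts encaps/decaps counters increasing
```

R2 mirrors this with the ACL source and destination swapped and 203.0.113.1 as the peer; the pre-shared key and the policy values must match on both routers.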