Module 19: Implement Site-to-Site IPsec VPNs (Coggle Diagram)
ISAKMP Policy
Syntax to Configure a New ISAKMP Policy
To configure a new ISAKMP policy, use the crypto isakmp policy command, which enters ISAKMP policy configuration mode.
When in ISAKMP policy configuration mode, the SAs for the IKE Phase 1 tunnel can be configured. Use the mnemonic HAGLE to remember the five SAs to configure:
Hash
Authentication
Group
Lifetime
Encryption
ISAKMP Policy Configuration
To meet the security policy requirements for XYZCORP, configure the ISAKMP policy with the following SAs:
Hash is SHA
Authentication is pre-shared key
Group is 14
Lifetime is 3600 seconds
Encryption is AES
The default ISAKMP Policy
The first task is to configure the ISAKMP policy for IKE Phase 1. The ISAKMP policy lists the SAs that the router is willing to use to establish the IKE Phase 1 tunnel.
Pre-Shared Key Configuration
The XYZCORP security policy requires that a pre-shared key be used for authentication between the peers. The administrator can either specify a host name or an IP address for the peer. The command syntax is shown below.
Router(config)# crypto isakmp key keystring address peer-address
Router(config)# crypto isakmp key keystring hostname peer-hostname
XYZCORP uses the key phrase cisco12345 and the IP address of the peer as shown in the examples after the figure.
Configure a Site-to-Site IPsec VPN
IPsec VPN Configuration Tasks
Security Policy Requirements
All XYZCORP VPNs should be implemented using the following security policy:
Encrypt traffic with AES 256 and SHA.
Authenticate with PSK.
Exchange keys with DH group 14.
ISAKMP tunnel lifetime is 1 hour.
IPsec tunnel uses ESP with a 15-minute lifetime.
Configuration Tasks:
The configuration tasks required to meet this policy are:
Task 1: Configure the ISAKMP Policy for IKE Phase 1
Task 2: Configure the IPsec Policy for IPsec Phase 2
Task 3: Configure a Crypto Map for the IPsec Policy
Task 4: Apply the IPsec Policy
Task 5: Verify that the IPsec Tunnel is Operational
Existing ACL Configurations
Although XYZCORP does not have an existing ACL configuration, this would not be the case in a production network. Perimeter routers typically implement a restrictive security policy, blocking all traffic except for traffic specifically allowed.
Router(config)# ip access-list extended name
Router(config-ext-nacl)# permit udp source wildcard destination wildcard eq isakmp
Router(config-ext-nacl)# permit esp source wildcard destination wildcard
Router(config-ext-nacl)# permit ahp source wildcard destination wildcard
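The following inbound perimeter ACL is an added example and is not part of the course material or the XYZCORP configuration. It assumes R1's outside interface is Serial0/0/0 with the constructed address 203.0.113.1, the remote peer R2 is 203.0.113.2, and the Site 1 and Site 2 LANs are 10.1.1.0/24 and 10.2.2.0/24; the ACL name OUTSIDE-IN is also an arbitrary choice. It shows the three protocol entries from the syntax above restricted to the single VPN peer, so a restrictive perimeter policy still lets IKE negotiate and ESP/AH tunnel traffic arrive.

```cisco
! Added example (not from the course). Constructed addressing:
!   R1 Serial0/0/0 = 203.0.113.1 (outside), peer R2 = 203.0.113.2
!   Site 1 LAN 10.1.1.0/24, Site 2 LAN 10.2.2.0/24
ip access-list extended OUTSIDE-IN
 remark IKE Phase 1/2 negotiation (ISAKMP, UDP 500) from the VPN peer only
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 remark encrypted tunnel traffic (ESP) and, if used, AH from the peer only
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ahp host 203.0.113.2 host 203.0.113.1
 remark IOS also evaluates the decrypted packet against this inbound ACL,
 remark so the remote LAN to local LAN traffic must be permitted as well
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 remark everything else hits the implicit deny; log it so drops are visible
 deny ip any any log
 exit
interface Serial0/0/0
 ip access-group OUTSIDE-IN in
 exit
```

Pinning the ISAKMP, ESP and AH entries to the peer address rather than any source keeps the attack surface of the perimeter router limited to the one host that should ever negotiate with it; if the peer is ever readdressed, both this ACL and the crypto map peer must change together.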
Site-to-Site IPsec VPN Topology
Implementing a site-to-site VPN requires configuring settings for both IKE Phase 1 and Phase 2. In the phase 1 configuration, the two sites are configured with the necessary ISAKMP security associations to ensure that an ISAKMP tunnel can be created. In the phase 2 configuration, the two sites are configured with the IPsec security associations to ensure that an IPsec tunnel is created within the ISAKMP tunnel. Both tunnels will be created only when interesting traffic is detected.
Handling Broadcast and Multicast Traffic
The XYZCORP topology uses static routing, so there is no multicast or broadcast traffic that needs to be routed through the tunnel. But what if XYZCORP decided to implement EIGRP or OSPF? These routing protocols use multicast addresses to exchange routing information with neighbors. IPsec only supports unicast traffic. To enable routing protocol traffic, the peers in a site-to-site IPsec VPN implementation would need to b
IPsec Negotiation
Step 1
An Internet Security Association and Key Management Protocol (ISAKMP) tunnel is initiated when host A sends “interesting” traffic to host B. Traffic is considered interesting when it travels between the peers and meets the criteria that are defined in an ACL.
Step 2
IKE Phase 1 begins. The peers negotiate the ISAKMP SA policy. When the peers agree on the policy and are authenticated, a secure tunnel is created.
Step 3
IKE Phase 2 begins. The IPsec peers use the authenticated secure tunnel to negotiate the IPsec SA policy. The negotiation of the shared policy determines how the IPsec tunnel is established.
Step 4
The IPsec tunnel is created, and data is transferred between the IPsec peers based on the IPsec SAs.
Step 5
The IPsec tunnel terminates when the IPsec SAs are manually deleted, or when their lifetime expires.
IPsec VPN
Define Interesting Traffic
Although the ISAKMP policy for the IKE Phase 1 tunnel is configured, the tunnel does not yet exist. This is verified with the show crypto isakmp sa command in the figure below. Interesting traffic must be detected before IKE Phase 1 negotiations can begin. For the XYZCORP site-to-site VPN, interesting traffic is any permitted communications between the Site 1 and Site 2 LANs.
To define interesting traffic, configure each router with an ACL to permit traffic from the local LAN to the remote LAN, as shown in the following examples for R1 and R2. The ACL will be used in the crypto map configuration to specify what traffic will trigger the start of IKE Phase 1.
Configure IPsec Transform Set
The next step is to configure the set of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel. This is called the transform set. During IKE Phase 2 negotiations, the peers agree on the IPsec transform set to be used for protecting interesting traffic.
Configure a transform set using the crypto ipsec transform-set command.
Crypto Map
Crypto Map Configuration
To finish the configuration to meet the IPsec security policy for XYZCORP, complete the following:
Step 1
Bind the ACL and the transform set to the map.
Step 2
Specify the peer’s IP address.
Step 3
Configure the DH group.
Step 4
Configure the IPsec tunnel lifetime.
Use the show crypto map command to verify the crypto map configuration.
Apply and Verify the Crypto Map
To apply the crypto map, enter interface configuration mode for the outbound interface and configure the crypto map map-name command. Below is the configuration for XYZCORP. Notice the show crypto map output now displays that the Serial 0/0/0 interface is using the crypto map. R2 is configured with the same command on its Serial 0/0/0 interface.
Syntax to Configure a Crypto Map
Now that the interesting traffic is defined, and an IPsec transform set is configured, it is time to bind those configurations with the rest of the IPsec policy in a crypto map. The syntax to start a crypto map set is shown below. The sequence number is important when configuring multiple crypto map entries.
map-name: Identifies the crypto map set.
seq-num: Sequence number you assign to the crypto map entry. Use the crypto map map-name seq-num command without any keyword to modify the existing crypto map entry or profile.
ipsec-isakmp: Indicates that IKE will be used to establish the IPsec SAs for protecting the traffic specified by this crypto map entry.
ipsec-manual: Indicates that IKE will not be used to establish the IPsec SAs for protecting the traffic specified by this crypto map entry.
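The complete R1 and R2 configuration below is an added example that walks through Tasks 1 to 5 end to end; it is not the course's own configuration listing. Addressing is constructed for the example: Site 1 LAN 10.1.1.0/24 behind R1 (Serial0/0/0 = 203.0.113.1) and Site 2 LAN 10.2.2.0/24 behind R2 (Serial0/0/0 = 203.0.113.2). The ACL, transform set and crypto map names (VPN-TRAFFIC, R1-R2, R1-R2-MAP) are arbitrary; the key phrase cisco12345, the HAGLE values, AES 256 with SHA, ESP, DH group 14 and the 3600-second and 15-minute lifetimes come from the XYZCORP security policy stated above.

```cisco
! Added example, not the course's configuration. Constructed addressing:
!   Site 1 LAN 10.1.1.0/24 behind R1, R1 Serial0/0/0 = 203.0.113.1
!   Site 2 LAN 10.2.2.0/24 behind R2, R2 Serial0/0/0 = 203.0.113.2
!
! ===== R1 =====
! Task 1: ISAKMP policy for IKE Phase 1 (HAGLE: Hash, Authentication,
! Group, Lifetime, Encryption) per the XYZCORP policy
crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
 encryption aes 256
 exit
! Pre-shared key bound to the peer's IP address (must match on R2)
crypto isakmp key cisco12345 address 203.0.113.2
!
! Interesting traffic: Site 1 LAN to Site 2 LAN triggers IKE Phase 1
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 exit
!
! Task 2: IPsec transform set for IKE Phase 2 (ESP, AES-256, SHA-HMAC)
crypto ipsec transform-set R1-R2 esp-aes 256 esp-sha-hmac
 exit
!
! Task 3: crypto map binds the ACL, transform set, peer, DH group
! and the 15-minute (900 s) IPsec SA lifetime
crypto map R1-R2-MAP 10 ipsec-isakmp
 match address VPN-TRAFFIC
 set transform-set R1-R2
 set peer 203.0.113.2
 set pfs group14
 set security-association lifetime seconds 900
 exit
!
! Task 4: apply the crypto map to the outbound (WAN) interface
interface Serial0/0/0
 crypto map R1-R2-MAP
 exit
!
! ===== R2 (mirror image: same algorithms, addresses swapped) =====
crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
 encryption aes 256
 exit
crypto isakmp key cisco12345 address 203.0.113.1
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 exit
crypto ipsec transform-set R1-R2 esp-aes 256 esp-sha-hmac
 exit
crypto map R1-R2-MAP 10 ipsec-isakmp
 match address VPN-TRAFFIC
 set transform-set R1-R2
 set peer 203.0.113.1
 set pfs group14
 set security-association lifetime seconds 900
 exit
interface Serial0/0/0
 crypto map R1-R2-MAP
 exit
!
! Task 5: verify. No SA exists until interesting traffic flows, so first
! send traffic from a Site 1 host to a Site 2 host, then on either router:
!   show crypto isakmp sa   (Phase 1 SA to the peer; state QM_IDLE when up)
!   show crypto ipsec sa    (Phase 2 SAs; #pkts encaps/decaps should grow)
!   show crypto map         (map entries and the interface it is applied to)
```

The two crypto ACLs must be exact mirrors of each other (local LAN to remote LAN on each side); a mismatch is the most common reason the Phase 2 negotiation fails even when show crypto isakmp sa shows Phase 1 in QM_IDLE. Keep the transform set and ISAKMP policy identical on both peers, since a peer will only accept a proposal that matches one of its own configured policies.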