Module 4: Configure Site-to-Site VPN Using Pre-shared Keys


Overview


Prepare a Router for Site-to-Site VPN using Pre-shared Keys

• IPSec encryption with pre-shared keys
• Planning the IKE and IPSec policy
• Step 1 – Determine ISAKMP (IKE Phase 1) policy
• Step 2 – Determine IPSec (IKE Phase 2) policy
• Step 3 – Check the current configuration
• Step 4 – Ensure the network works without encryption
• Step 5 – Ensure ACLs are compatible with IPSec


IPSec encryption with pre-shared keys

• The use of pre-shared keys for authentication of IPSec sessions is relatively easy to configure, yet does not scale well to a large number of IPSec clients.
• The authentication is based on a pre-shared secret. Both peers share a secret password string, which is exchanged securely out-of-band.
• During the IKE peer authentication process, the peers perform a PPP CHAP-like exchange of random values, hashed with the pre-shared secret key.
• Authentication via pre-shared secrets uses hashing and is therefore very fast.


Planning the IKE and IPSec policy



It is important to plan IPSec details in advance to minimize configuration errors. The IPSec security policy should be defined based on the overall company security policy.



Step 1 – Determine ISAKMP (IKE Phase 1) policy


Step 2 – Determine IPSec (IKE Phase 2) policy


Step 3 – Check the current configuration


Step 4 – Ensure the network works without encryption

• The router ping command can be used to test basic connectivity between IPSec peers.
• While a successful ICMP echo, or ping, verifies basic connectivity between peers, it should also be verified that the network works with any other protocols or ports that are to be encrypted, such as Telnet or FTP, before beginning IPSec configuration.


Step 5 – Ensure ACLs are compatible with IPSec

• Existing ACLs on perimeter routers, PIX Security Appliances, or other routers need to be checked to ensure that they do not block IPSec traffic.
• Perimeter routers typically implement a restrictive security policy with ACLs, where only specific traffic is permitted and all other traffic is denied. Such a restrictive policy blocks IPSec traffic, so specific permit statements need to be added to the ACL to allow IPSec traffic.


Configure a Router for IKE Using Pre-shared Keys

• Step 1 – Enable or disable IKE
• Step 2 – Create IKE policies
• Step 3 – Configure pre-shared keys
• Step 4 – Verify the IKE configuration


Step 1 – Enable or disable IKE

• IKE is enabled by default.
• IKE does not have to be enabled for individual interfaces; it is enabled globally for all interfaces on the router.
• If IKE is not used with an IPSec implementation, it can be disabled at all IPSec peers.


Step 2 – Create IKE policies

• IKE policies must be created at each peer.
• An IKE policy defines a combination of security parameters to be used during the IKE negotiation.
• An IKE policy is created with the crypto isakmp policy priority command.


Step 2 (continued) – Create IKE policies

• There are five parameters to define in each IKE policy, as shown in the figure.
• These parameters apply to the IKE negotiations when the IKE security association is established.


Step 2 (continued) – Create IKE policies

• If no policies are configured, the router uses the default policy, which always has the lowest priority and contains the default value of each parameter.
• If a value for a parameter is not specified, the default value is assigned.


Step 2 (continued) – Create IKE policies

• ISAKMP peers negotiate acceptable ISAKMP policies before agreeing upon the SA to be used for IPSec.
• When the ISAKMP negotiation begins in IKE phase one main mode, ISAKMP looks for an ISAKMP policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match with its policies. The remote peer looks for a match by comparing its own highest priority policy against the policies received from the peer.
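The negotiation just described, replayed in Python as an added example (not code from the course material): two constructed IOS-style config fragments are parsed into ISAKMP policies, and the responder walks its own policies from highest priority downward looking for an exact match with what the initiator offered. The five policy parameters (encryption, hash, authentication, DH group, lifetime) and the default policy's values are classic IOS defaults assumed here, since the slides do not list them; lifetime is compared for equality, which is a simplification.

```python
# Assumed classic IOS defaults for the five ISAKMP policy parameters; the
# slides only say that a default policy exists at the lowest priority.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
ORDER = ("encryption", "hash", "authentication", "group", "lifetime")
DEFAULT_PRIORITY = 65535          # assumption: lowest priority value
ALIASES = {"encr": "encryption"}  # running-config abbreviates the keyword

def _proposal(params):
    # the five parameters that must be identical on both peers
    return tuple(params[k] for k in ORDER)

def parse_policies(config, with_default=True):
    """Parse 'crypto isakmp policy N' blocks from IOS-style config text into
    (priority, proposal) pairs sorted by priority. Unspecified parameters keep
    their defaults; the default policy is appended at the lowest priority."""
    policies, current, params = [], None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy "):
            if current is not None:
                policies.append((current, _proposal(params)))
            current, params = int(line.split()[-1]), dict(DEFAULTS)
        elif current is not None and raw.startswith(" "):  # sub-command
            key, _, value = line.partition(" ")
            key = ALIASES.get(key, key)
            if key in DEFAULTS:
                params[key] = value
        elif current is not None:  # any other top-level line ends the block
            policies.append((current, _proposal(params)))
            current = None
    if current is not None:
        policies.append((current, _proposal(params)))
    if with_default:
        policies.append((DEFAULT_PRIORITY, _proposal(DEFAULTS)))
    return sorted(policies)

def negotiate(initiator_cfg, responder_cfg, with_default=True):
    """Replay the main-mode match: the initiator offers all of its policies,
    the responder walks its own list from highest priority (lowest number)
    down and takes the first exact match. Returns (responder priority,
    initiator priority, agreed parameters), or None when nothing matches."""
    offered = parse_policies(initiator_cfg, with_default)
    for mine, proposal in parse_policies(responder_cfg, with_default):
        for theirs, offer in offered:
            if proposal == offer:
                return mine, theirs, proposal
    return None

# Constructed sample running-config fragments (not from the course material).
ROUTER_A = """
crypto isakmp policy 110
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""
ROUTER_B = """
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""
# negotiate(ROUTER_A, ROUTER_B) -> (20, 110, ('3des', 'md5', 'pre-share', '2', '86400'))
# negotiate("", "") matches only the rsa-sig default policy on both sides, so a
# pre-shared-key deployment needs an explicit pre-share policy on every peer.
```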


Step 2 (continued) – Create IKE policies

• The ISAKMP identity should be set for each peer that uses pre-shared keys in an IKE policy.
• When two peers use IKE to establish IPSec security associations, each peer sends its identity to the remote peer. Each peer sends either its host name or its IP address, depending on how the ISAKMP identity of the router has been set up.


Step 2 (continued) – Create IKE policies

• By default, a peer's ISAKMP identity is the IP address of the peer. If appropriate, the identity can be changed to the peer's host name instead.
• As a general rule, set the identities of all peers the same way: either all peers use their IP addresses or all peers use their host names. If some peers use their host names and some use their IP addresses to identify themselves to each other, IKE negotiations can fail if the identity of a remote peer is not recognized and a DNS lookup is unable to resolve the identity.

Step 3 – Configure pre-shared keys

• To configure pre-shared keys, perform these tasks at each peer that uses pre-shared keys in an IKE policy:
  – First, set the ISAKMP identity of each peer. The identity of each peer should be set to either its host name or its IP address. By default, the peer identity is set to its IP address.
  – Next, specify the shared keys at each peer. Note that a given pre-shared key is shared between two peers. A given peer could be configured to use the same key with multiple remote peers. A more secure approach is to specify different keys for different pairs of peers.


Step 3 (continued) – Configure pre-shared keys

• To specify pre-shared keys at a peer, use the commands shown in the figure in global configuration mode.


Extra: Encrypting and Wildcard PSK



It is possible to specify a wildcard address (0.0.0.0) rather than a specific IP address. If a wildcard address is specified, a remote host with any IP address can establish an IPsec tunnel using the configured pre-shared key.
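A small lint for the pre-shared key lines, added here as an example and not part of the course material: it flags a wildcard peer address, one key reused with several peers (the previous slide recommends a different key per pair), and keys stored without type 6 encryption. The command form it parses, including the optional 0/6 encryption-type prefix, is assumed from IOS; the config text is constructed.

```python
import re
from collections import defaultdict

# IOS form (assumed): crypto isakmp key [0|6] <keystring> address <ip> [mask]
#                 or: crypto isakmp key [0|6] <keystring> hostname <name>
# '6' marks a key stored with type-6 encryption; '0' or nothing means cleartext.
KEY_LINE = re.compile(
    r"^crypto isakmp key\s+(?:([06])\s+)?(\S+)\s+(address|hostname)\s+(\S+)"
    r"(?:\s+(\d+\.\d+\.\d+\.\d+))?")

def parse_psk_lines(config):
    """Return one dict per 'crypto isakmp key' line in the config text."""
    entries = []
    for raw in config.splitlines():
        m = KEY_LINE.match(raw.strip())
        if m:
            enc, key, kind, peer, mask = m.groups()
            entries.append({"enc": enc or "0", "key": key, "kind": kind,
                            "peer": peer, "mask": mask})
    return entries

def lint_psk(config):
    """Flag wildcard peers, keys reused across peers, and cleartext keys.
    Findings name the peer, never the key material itself."""
    findings, peers_by_key = [], defaultdict(list)
    for e in parse_psk_lines(config):
        peers_by_key[e["key"]].append(e["peer"])
        if e["kind"] == "address" and "0.0.0.0" in (e["peer"], e["mask"]):
            # any remote address can authenticate with this key
            findings.append(("wildcard-peer", e["peer"]))
        if e["enc"] != "6":
            findings.append(("cleartext-key", e["peer"]))
    for peers in peers_by_key.values():
        if len(peers) > 1:
            # one secret shared by several peer pairs: compromise of one
            # peer exposes every tunnel that uses the key
            findings.append(("key-reused", ",".join(peers)))
    return findings

# Constructed sample (addresses, names and keys are made up for illustration).
SAMPLE_CONFIG = """
crypto isakmp key cisco123 address 172.30.2.2
crypto isakmp key cisco123 address 172.30.3.3
crypto isakmp key 6 Ab12Cd34Ef56 address 172.30.4.4 255.255.255.255
crypto isakmp key branchkey address 0.0.0.0 0.0.0.0
crypto isakmp key hqkey hostname hq.example.com
"""
```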


Step 4 – Verify the IKE configuration

• The show crypto isakmp policy command can be used to display configured and default policies.
• The resultant ISAKMP policy for RouterA is shown in the figure. RouterB's configuration is identical.


Configure a Router with IPSec Using Pre-shared Keys

Steps to configure IPSec:

• Step 1 – Configure transform set suites
• Step 2 – Configure global IPSec SA lifetimes
• Step 3 – Create crypto ACLs
• Step 4 – Create crypto maps
• Step 5 – Apply crypto maps to interfaces


Steps to configure IPSec

• The general tasks and commands used to configure IPSec encryption on Cisco routers are summarized as follows:
  – Step 1: Configure transform set suites with the crypto ipsec transform-set command.
  – Step 2: Configure global IPSec security association lifetimes with the crypto ipsec security-association lifetime command.
  – Step 3: Configure crypto ACLs with the access-list command.
  – Step 4: Configure crypto maps with the crypto map command.
  – Step 5: Apply the crypto maps to the terminating/originating interface with the interface and crypto map commands.


Step 1 – Configure transform set suites

• A transform set represents a certain combination of security protocols and algorithms.
• During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
• Multiple transform sets can be specified, and then one or more of these transform sets can be specified in a crypto map entry.


Step 1 (continued) – Configure transform set suites

• If a transform set definition is changed, the change is applied only to crypto map entries that reference the transform set.
• The change is not applied to existing security associations, but is used in subsequent negotiations to establish new security associations.
• To force the new settings to take effect sooner, all or part of the security association database can be cleared with the clear crypto sa command.


Step 1 (continued) – Configure transform set suites

• Transform sets are negotiated during quick mode in IKE phase two, using the transform sets that were previously configured.
• Configure the transforms from most to least secure, as dictated by the security policy.
• The transform set defined in the crypto map entry is used in the IPSec SA negotiation to protect the data flows specified by the ACL in that crypto map entry.


Step 1 (continued) – Configure transform set suites

• During the negotiation, the peers search for a transform set that is the same at both peers, as illustrated in the figure.
• When such a transform set is found, it is selected and applied to the protected traffic as part of the IPSec SA of both peers.
• IPSec peers agree on one transform proposal per SA, in a unidirectional manner.


Step 2 – Configure global IPSec SA lifetimes

• These lifetimes apply only to security associations established via IKE. Manually established security associations do not expire.
• There are two lifetimes: a timed lifetime and a traffic-volume lifetime.
• A security association expires after the first of these lifetimes is reached.
• The default lifetimes are 3,600 seconds, or one hour, and 4,608,000 kilobytes, or 10 megabits per second for one hour.


Step 3 – Create crypto ACLs

• Crypto access lists are used to define which IP traffic will be protected by IPSec and which traffic will not.
• These access lists are not the same as regular access lists, which determine what traffic to forward or block at an interface.
• For example, a crypto access list can be created to protect all IP traffic between two subnets, or Telnet traffic between two individual hosts.


Step 3 (continued) – Create crypto ACLs

• Although the ACL syntax is unchanged, the meanings are slightly different for crypto ACLs.
• The permit keyword specifies that matching packets must be encrypted.
• The deny keyword specifies that matching packets need not be encrypted.
• Any unprotected inbound traffic that matches a permit entry in the crypto ACL for a crypto map entry flagged as IPSec is dropped, because this traffic was expected to be protected by IPSec.
• Cisco recommends that the any keyword be avoided.


Step 3 (continued) – Create crypto ACLs

• Cisco recommends that for every crypto access list specified for a static crypto map entry defined at the local peer, a symmetrical, or mirror image, crypto access list is configured at the remote peer.
• This ensures that traffic that has IPSec protection applied locally can be processed correctly at the remote peer.
• The crypto map entries themselves must also support common transforms and must refer to the other system as a peer.


Step 4 – Create crypto maps

• Crypto map entries created for IPSec set up security association parameters, tying together the various parts configured for IPSec. Some of these parameters are shown in the figure.
• Crypto map entries with the same crypto map name, but different map sequence numbers, are grouped into a crypto map set.
• These crypto map sets are applied to interfaces. Then all IP traffic passing through the interface is evaluated against the applied crypto map set.


Step 4 (continued) – Create crypto maps

• When two IPSec peers try to establish a security association, they must each have at least one crypto map entry that is compatible with one of the crypto map entries on the other peer.
• For two crypto map entries to be compatible, they must at least meet the following criteria:
  – The crypto map entries must contain compatible crypto access lists, such as mirror image access lists. In the case where the responding peer is using dynamic crypto maps, the entries in the local crypto access list must be permitted by the crypto access list of the remote peer.
  – The crypto map entries must each identify the other peer, unless the responding peer is using dynamic crypto maps.
  – The crypto map entries must have at least one transform set in common.
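An added example (not code from the course material) that checks the three compatibility criteria above, together with the mirror-image rule from Step 3, against two constructed IOS-style configs: it parses the crypto ACLs, transform sets and static crypto map entries of both peers and reports which criterion each pair of entries fails. Peer addresses, map names and ACL numbers are made up; treating two transform sets as equal when they list the same transforms in any order is an assumption.

```python
def _addr(tok, i):
    """Parse one ACL address spec at tok[i] -> ((network, wildcard), next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_config(config):
    """Collect crypto ACLs, transform sets and static crypto map entries."""
    acls, tsets, maps, cur = {}, {}, {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok: continue
        if cur is not None and raw.startswith(" "):  # crypto map sub-command
            if tok[:2] == ["set", "peer"]:
                cur["peers"].append(tok[2])
            elif tok[:2] == ["set", "transform-set"]:
                cur["tsets"] += tok[2:]
            elif tok[:2] == ["match", "address"]:
                cur["acl"] = tok[2]
            continue
        cur = None  # any top-level line ends the current crypto map block
        if tok[0] == "access-list" and len(tok) > 5 and tok[2] in ("permit", "deny"):
            src, i = _addr(tok, 4)
            dst, _ = _addr(tok, i)
            acls.setdefault(tok[1], []).append((tok[2], tok[3], src, dst))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[tok[3]] = frozenset(tok[4:])  # order of transforms is irrelevant
        elif tok[:2] == ["crypto", "map"] and tok[4:5] == ["ipsec-isakmp"]:
            cur = maps.setdefault((tok[2], int(tok[3])), {"peers": [], "tsets": [], "acl": None})
    return acls, tsets, maps

def _mirrored(local_acl, remote_acl):
    # every local permit must appear on the remote with src/dst swapped, and vice versa
    permits = lambda acl: {(p, s, d) for a, p, s, d in acl if a == "permit"}
    return permits(local_acl) == {(p, d, s) for p, s, d in permits(remote_acl)}

def compatible(local_cfg, local_addr, remote_cfg, remote_addr):
    """Apply the three criteria to every pair of entries -> (local seq, remote seq, failures)."""
    la, lt, lm = parse_config(local_cfg)
    ra, rt, rm = parse_config(remote_cfg)
    results = []
    for (_, lseq), l in lm.items():
        for (_, rseq), r in rm.items():
            failed = []
            if not (l["acl"] and r["acl"] and
                    _mirrored(la.get(l["acl"], []), ra.get(r["acl"], []))):
                failed.append("crypto ACLs are not mirror images")
            if remote_addr not in l["peers"] or local_addr not in r["peers"]:
                failed.append("entries do not identify each other as peers")
            common = ({lt[n] for n in l["tsets"] if n in lt} &
                      {rt[n] for n in r["tsets"] if n in rt})
            if not common:
                failed.append("no transform set in common")
            results.append((lseq, rseq, failed))
    return results

# Constructed sample configs (addresses and names are made up for illustration).
ROUTER_A = """
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set STRONG
 match address 110
"""
ROUTER_B = """
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip host 10.2.2.10 10.1.1.0 0.0.0.255
crypto ipsec transform-set HQSET esp-sha-hmac esp-3des
crypto map VPN 10 ipsec-isakmp
 set peer 172.30.1.2
 set transform-set HQSET
 match address 101
crypto map VPN 20 ipsec-isakmp
 set peer 172.30.9.9
 set transform-set HQSET
 match address 102
"""
```

Running `compatible(ROUTER_A, "172.30.1.2", ROUTER_B, "172.30.2.2")` reports entry pair (10, 10) as compatible and pair (10, 20) as failing both the mirror-image and the peer-identification criteria.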


Step 4 (continued) – Create crypto maps

• Use the crypto map global configuration command to create or modify a crypto map entry and enter crypto map configuration mode.
• Set the crypto map entries referencing dynamic maps to be the lowest priority entries in a crypto map set. Remember that the lowest priority entries have the highest sequence numbers.
• Use the no form of this command to delete a crypto map entry or set.


Step 4 (continued) – Create crypto maps

• The figure illustrates a crypto map with two peers specified for redundancy. If the first peer cannot be contacted, the second peer is used.
• There is no limit to the number of redundant peers that can be configured.


Step 4 (continued) – Create crypto maps

• The crypto map command has a crypto map configuration mode with the commands and syntax shown in the table in the figure.


Extra: set peer


Step 5 – Apply crypto maps to interfaces

• A crypto map set needs to be applied to each interface through which IPSec traffic will flow.
• Applying the crypto map set to an interface instructs the router to evaluate all the traffic that passes through the interface against the crypto map set, and to use the specified policy during connection or security association negotiation on behalf of traffic to be protected by IPSec.
• To apply a crypto map set to an interface, use the crypto map map-name command in interface configuration mode.


Step 5 (continued) – Apply crypto maps to interfaces

• For redundancy, the same crypto map set can be applied to more than one interface.
  – Each interface will have its own piece of the security association database.
  – The IP address of the local interface will be used as the local address for IPSec traffic originating from or destined to that interface.
• To specify redundant interfaces and name an identifying interface, use the crypto map map-name local-address interface-id command in global configuration mode.


Test and Verify the IPSec Configuration of the Router


Test and verify IPSec

• Display the configured ISAKMP policies
• Display the configured transform sets
• Display the current state of IPSec SAs
• Display the configured crypto maps

Enable debug output for IPSec events



These commands generate a significant amount of output for every IP packet processed. They should only be used when IP traffic on the network is low, so that other activity on the router is not adversely affected.


Enable debug output for ISAKMP events



Cisco IOS software can generate many useful system error messages for ISAKMP. Two examples of error messages are shown below:

– %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated!
  The ISAKMP security association with the remote peer was not authenticated, yet the peer attempted to begin a Quick Mode exchange. This exchange must only be done with an authenticated security association. The recommended action is to contact the administrator of the remote peer to resolve the improper configuration.
– %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed
  ISAKMP peers negotiate policy by the initiator offering a list of possible alternate protection suites. The responder responded with an ISAKMP policy that the initiator did not offer. The recommended action is to contact the administrator of the remote peer to resolve the improper configuration.


Configure a VPN using SDM

• SDM can guide administrators through a simple VPN configuration. The VPN Wizard is accessible by clicking the VPN icon.
• The following two options are available in the Wizard:
  – Create a Site-to-Site VPN – This option allows administrators to create a VPN network connecting two routers.
  – Create a Secure GRE Tunnel (GRE-over-IPSec) – This option allows administrators to configure a generic routing encapsulation (GRE) tunnel between the router and a peer system.
• When using the site-to-site VPN Wizard, SDM can be allowed to use default settings for most of the configuration values, or SDM can guide the administrator in configuring a VPN.


Configure a PIX Security Appliance Site-to-Site VPN using Pre-shared Keys


IPSec configuration tasks

• Task 1 – Prepare to configure VPN support. This task consists of several steps that determine IPSec policies, ensure that the network works, and ensure that the PIX Security Appliance can support IPSec.
• Task 2 – Configure IKE parameters. This task consists of several configuration steps that ensure that IKE can set up secure channels to the desired IPSec peers during IKE Phase 1.
• Task 3 – Configure IPSec parameters. This task consists of several configuration steps that specify IPSec SA parameters between peers and set global IPSec values. IKE negotiates SA parameters and sets up IPSec SAs during IKE Phase 2.
• Task 4 – Test and verify VPN configuration. After IPSec is configured, it is necessary to verify that it has been configured correctly and ensure that it works.


Task 1 – Prepare to configure VPN support

• Step 1 – Determine the IKE (IKE Phase 1) policy. Determine the IKE policies between peers based on the number and location of IPSec peers.
• Step 2 – Determine the IPSec (IKE Phase 2) policy. Identify IPSec peer details such as IP addresses and IPSec modes. Determine the IPSec policies applied to the encrypted data passing between peers.
• Step 3 – Ensure that the network works without encryption. Ensure that basic connectivity has been achieved between IPSec peers using the desired IP services before configuring firewall appliance IPSec.
• Step 4 – Implicitly permit IPSec packets to bypass PIX Security Appliance ACLs and access groups. This can be done with the sysopt connection permit-ipsec command.


Task 2 – Configure IKE parameters


Task 3 – Configure IPSec parameters


Task 4 – Test and verify the IPSec configuration


Summary

This module covered the configuration of site-to-site VPNs using Cisco IOS routers and PIX Security Appliances. Upon completion of this module, the student should be able to identify and configure the protocols used to ensure authenticity, data integrity, and confidentiality with a Site-to-Site VPN using pre-shared keys. The student learned that successful implementation of an IPSec network requires advance planning before beginning configuration of individual devices. The steps that one must follow when configuring an IPSec network were introduced, and the student gained hands-on experience with these tasks through the lab activities.
