IPSec VPN

Let’s start by discussing some of the functions used in a VPN connection:

1) Encryption algorithms used for encrypting the data:

  • DES
  • 3DES
  • AES

2) Data integrity algorithms:

  • MD5
  • SHA1

3) Authentication:

  • Pre-Shared Key – both ends are configured with the same secret key
  • RSA Signature – uses certificates for authentication between the two peers

4) Diffie-Hellman is an algorithm that enables the two peers to generate the same secret key, which can then be used by an encryption algorithm like AES.
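As an added illustration that is not part of the original post, the Python below runs a Diffie-Hellman exchange over the group that `group 2` in the ISAKMP policy selects: the 1024-bit MODP prime and generator from RFC 2409 (the "Second Oakley Group"). The group constants are the RFC's; the `derive_key` step is a deliberately simplified stand-in for IKE's SKEYID derivation, not the real one, and the function names are this example's own.

```python
"""Diffie-Hellman key agreement as used by IKE 'group 2' (1024-bit MODP, RFC 2409)."""
import hashlib
import secrets

# Prime and generator of the Second Oakley Group (RFC 2409 section 6.2), which is
# what "group 2" in the ISAKMP policy selects.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def keypair(p=GROUP2_P, g=GROUP2_G):
    """One peer's private exponent x and the public value g^x mod p it sends."""
    x = secrets.randbelow(p - 3) + 2            # 2 <= x <= p-2
    return x, pow(g, x, p)


def shared_secret(own_private, peer_public, p=GROUP2_P):
    """g^(xy) mod p; both peers compute the same value from the other's public value.
    Public values of 0, 1 or p-1 force a trivial secret and are rejected."""
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, p)


def derive_key(secret, length=16):
    """Simplified stand-in for IKE's SKEYID derivation (not the real IKE PRF): hash the
    shared secret down to the key size the negotiated cipher needs (16 bytes for AES-128)."""
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()[:length]


def demo():
    """Two peers exchange public values and end up with the same AES key."""
    x1, pub1 = keypair()
    x2, pub2 = keypair()
    k1 = derive_key(shared_secret(x1, pub2))
    k2 = derive_key(shared_secret(x2, pub1))
    return k1 == k2
```

Only the public values cross the wire; each side combines the other's public value with its own private exponent, and the result is the same on both routers. That shared value is what IKE phase 1 turns into the keys protecting the ISAKMP SA.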

The establishment of the IPSec VPN takes place in two steps:

1) IKE Phase 1 – IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in phase 2. A Security Association (SA) is the establishment of shared security attributes between two network entities to support secure communication. An SA may include attributes such as: cryptographic algorithm and mode; traffic encryption key; and parameters for the network data to be passed over the connection. The framework for establishing security associations is provided by the Internet Security Association and Key Management Protocol (ISAKMP).

2) IKE Phase 2 – The purpose of IKE phase 2 is to negotiate IPSec SAs to set up the IPSec tunnel.

The last important thing to keep in mind is that IPSec is an encapsulation that provides encryption, but it is not actually a tunnel; for that you need a tunneling protocol like GRE. IMPORTANT: if you want your routing information (OSPF, EIGRP, etc.) to propagate over the VPN tunnel to another site, you will need to use GRE.

IPSec VPN Configuration

ISAKMP SA
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption aes
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)# lifetime 86400

Pre-shared Key
R1(config)#crypto isakmp key cisco address 220.50.50.2

ACL for VPN traffic     //one for each map sequence number
R1(config)# ip access-list extended 100
R1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Transformation Set
R1(config)#crypto ipsec transform-set TRANSFORM esp-3des     //transformation set specifies how data will be exchanged

Crypto MAP
R1(config)#crypto map MAP 1 ipsec-isakmp     //use the sequence number after MAP to create multiple VPN tunnels
R1(config-crypto-map)#set peer 220.50.50.2     //multiple peers can be specified
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#set transform-set TRANSFORM
R1(config-crypto-map)#match address 100

Apply MAP to interface
R1(config)#interface fa0/0
R1(config-if)#crypto map MAP

NAT Access
In case you are using both NAT and IPSec on the same interface you need to configure an ACL.

R1(config)# ip nat inside source list 101 interface fa0/0 overload
R1(config)# access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
R1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 any

GRE tunnel
R1(config)#interface tunnel 0
R1(config-if)#ip address 10.0.0.1 255.255.255.0
R1(config-if)#tunnel source fa0/0     //interface to remote site
R1(config-if)#tunnel destination 220.50.50.2     //physical interface ip address of remote site
R1(config-if)#tunnel mode gre ip     //tunnel type

The configuration must be identical on the second router, with the peer addresses and the crypto ACL mirrored. I don't recommend using 3DES; I used it in this example to show that there are two encryptions taking place (AES and 3DES), one for each IKE phase.
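An added example, not from the original post: a Python script that parses two routers' configurations into the elements above and checks that the second router really mirrors the first (peer addresses, pre-shared key, ISAKMP policy, transform set, and the crypto ACL in the reverse direction), and that the NAT ACL denies the VPN traffic as the NAT Access section requires. The sample configurations are constructed from the R1 example; R1's own WAN address 220.50.50.1 and the /30 mask are assumptions, since the post only gives the peer's address. The check compares the two ends for consistency only; it does not judge algorithm strength.

```python
# Constructed sample configs: R1 follows the post, R2 is its assumed mirror (R1's WAN address is assumed).
R1_CONFIG = """
interface fa0/0
 ip address 220.50.50.1 255.255.255.252
crypto isakmp policy 10
 encryption aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 220.50.50.2
ip access-list extended 100
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto ipsec transform-set TRANSFORM esp-3des
crypto map MAP 1 ipsec-isakmp
 set peer 220.50.50.2
 set transform-set TRANSFORM
 match address 100
ip nat inside source list 101 interface fa0/0 overload
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""
R2_CONFIG = """
interface fa0/0
 ip address 220.50.50.2 255.255.255.252
crypto isakmp policy 10
 encryption aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 220.50.50.1
ip access-list extended 100
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto ipsec transform-set TRANSFORM esp-3des
crypto map MAP 1 ipsec-isakmp
 set peer 220.50.50.1
 set transform-set TRANSFORM
 match address 100
"""

def parse_ios(config):
    """Extract the VPN-relevant pieces of an IOS config; ACL entries are (action, src, dst)."""
    cfg = {"wan": None, "policy": {}, "acl": {}, "map": {}, "transform": (), "psk": None, "nat_acl": None}
    block = None
    for raw in config.strip().splitlines():
        words = raw.split()
        if not raw.startswith(" "):                      # top-level command; some open a block
            block = None
            if words[0] == "interface":
                block = "iface"
            elif raw.startswith("crypto isakmp policy"):
                block = "policy"
            elif raw.startswith("crypto isakmp key"):
                cfg["psk"] = (words[3], words[5])        # (key, peer address)
            elif raw.startswith("ip access-list extended"):
                block = "acl:" + words[3]
            elif raw.startswith("crypto ipsec transform-set"):
                cfg["transform"] = tuple(words[4:])      # algorithms only; the name is local
            elif raw.startswith("crypto map"):
                block = "map"
            elif raw.startswith("ip nat inside source list"):
                cfg["nat_acl"] = words[5]
            elif words[0] == "access-list":              # numbered ACL entry
                entry = (words[2], " ".join(words[4:6]), " ".join(words[6:8]))
                cfg["acl"].setdefault(words[1], []).append(entry)
        elif block == "iface" and words[:2] == ["ip", "address"]:
            cfg["wan"] = words[2]                        # one WAN interface assumed
        elif block == "policy":
            cfg["policy"][words[0]] = " ".join(words[1:])
        elif block and block.startswith("acl:"):
            entry = (words[0], " ".join(words[2:4]), " ".join(words[4:6]))
            cfg["acl"].setdefault(block[4:], []).append(entry)
        elif block == "map" and words[0] == "set":
            cfg["map"][words[1]] = " ".join(words[2:])
        elif block == "map" and words[0] == "match":
            cfg["map"]["acl"] = words[2]
    return cfg

def crypto_flows(cfg):
    """(source, destination) pairs the crypto map sends through the tunnel."""
    return {(s, d) for a, s, d in cfg["acl"].get(cfg["map"].get("acl"), []) if a == "permit"}

def check_mirror(local, remote):
    """Ways 'remote' fails to mirror 'local'; an empty list means the two ends agree."""
    problems = []
    if local["map"].get("peer") != remote["wan"]:
        problems.append("set peer does not match the remote WAN address")
    if not (local["psk"] and remote["psk"]) or local["psk"][0] != remote["psk"][0] or local["psk"][1] != remote["wan"]:
        problems.append("pre-shared key or its peer address differs")
    if local["policy"] != remote["policy"]:
        problems.append("ISAKMP policy differs: %s vs %s" % (local["policy"], remote["policy"]))
    if local["transform"] != remote["transform"]:
        problems.append("transform sets differ")
    if crypto_flows(local) != {(d, s) for s, d in crypto_flows(remote)}:
        problems.append("crypto ACL is not the mirror image of the peer's")
    return problems

def check_nat_bypass(cfg):
    """Protected flows the NAT ACL does not deny (they would be translated before encryption)."""
    denied = {(s, d) for a, s, d in cfg["acl"].get(cfg["nat_acl"], []) if a == "deny"}
    return sorted(crypto_flows(cfg) - denied)
```

Run `check_mirror` on both (R1, R2) and (R2, R1), since the peer-address checks are directional; an empty list from both, plus an empty list from `check_nat_bypass` on the router doing NAT, means the two ends agree. A mismatched `hash`, a crypto ACL that is not the exact reverse of the peer's, or a missing `deny` in the NAT ACL each shows up as a named problem rather than as a phase 1 or phase 2 negotiation that silently never completes.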

You can also check out these 3 posts about IPSec VPNs:
http://www.petenetlive.com/KB/Article/0000213.htm
http://www.petenetlive.com/KB/Article/0000933.htm
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
