Introduction
Topology : Individual Point-to-Point
Technology : IPsec Crypto map
IPsec site-to-site VPN is generally used to transfer data securely when the Internet or a service provider network is used as the backbone. IPsec is the only technology to secure site-to-site VPNs. IPsec provides a security triangle (confidentiality, integrity and authentication) that counters several potential threats on the Internet such as masquerading, eavesdropping and man-in-the-middle attacks. Although the IPsec crypto map is considered by some to be an outdated technology, it is still effective for third-party connectivity, especially when an inexpensive solution is needed. A drawback of this solution is the lack of a tunnel interface, which prevents configuring per-tunnel security measures such as applying an access-list, QoS, or even flow monitoring.
Components
Components of (IKE phase 1)
- Encryption algorithms
- Hashing algorithms
- Authentication methods
- Key management (Diffie-Hellman group)
- Lifetime (default one day, 86,400 seconds)
Components of (IKE phase 2)
IPsec (IKE phase 2) can operate in two modes
- Transport mode
- Tunnel mode
Transport mode is generally used when a provider network such as MPLS is the backbone and only the data needs to be secured, while tunnel mode is used when the Internet is the backbone. In tunnel mode, a new IP header is added in front of the original packet.
1. Authentication Header (AH)
Authentication Header (AH) provides Data Integrity (including Anti-Replay feature), and Authentication. However, AH doesn’t provide encryption.
AH provides stronger authentication because the hash is calculated over the whole packet, including the IP header. But in a scenario with NAT, where the IP address is changed in transit, the peer on the other side cannot authenticate the received packet against its own hash calculation. The packet is therefore treated as altered and dropped. AH is not a suitable choice when NAT is used.
2. Encapsulating Security Payload (ESP)
Encapsulating Security Payload (ESP) provides not only data integrity (including the anti-replay feature) and authentication but also confidentiality. ESP encrypts the whole payload (the segment). ESP does not authenticate the outer IP header, so there is no conflict when NAT is used.
How IPsec Tunnel works
IPsec is used to protect data in untrusted networks, but the question is how IPsec works. IPsec uses the Internet Key Exchange (IKE) to negotiate the protection of data. IKE consists of two phases.
IKE phase1 ( ISAKMP SA : Internet Security Association and Key Management Protocol ):
- Exchange and negotiate matching ISAKMP SA security policy parameters (encryption, hash, authentication method) with the corresponding peer.
- Authenticate and identify the peer.
- Define the key management method (Diffie-Hellman group) and perform the key exchange. The Diffie-Hellman exchange produces a shared secret key used for encryption with symmetric algorithms.
- Lifetime of the tunnel.
IKE Phase 2 ( IPsec ):
Now the ISAKMP tunnel is used to negotiate the IPsec tunnel (IKE phase 2), using either the AH or the ESP component.
Once the IPsec tunnel is established, data is protected.
Configuration Flow
- Isakmp SA configuration (IKE phase 1)
- IPsec SA configuration (IKE phase 2)
- Crypto map configuration
Configuration roadmap: first, configure IKE phase 1 by creating an ISAKMP policy, which holds the components of IKE phase 1 (cryptographic algorithms, key management, lifetime). Next, for IKE phase 2 (IPsec SA), create a transform-set from either AH or ESP components. Then create a crypto map; inside it, set the peer IP, match the traffic flow, and set the transform-set created in the previous step. Finally, apply the crypto map to the interface that has the public IP address.
Step-by-step comprehensive IPsec tunnel configuration example
Step 1.1. Pre-configuration
Router#conf t
Router(config)#host headquarter
headquarter(config)#int e0/0
headquarter(config-if)#ip add 2.223.119.10 255.255.255.252
headquarter(config-if)#no shut
headquarter(config-if)#int lo0
headquarter(config-if)#ip add 172.16.20.100 255.255.255.0
headquarter(config-if)#exit
headquarter(config)#ip route 0.0.0.0 0.0.0.0 2.223.119.9
Router#conf t
Router(config)#host Branch
Branch(config)#int eth0/1
Branch(config-if)#ip add 142.119.125.6 255.255.255.252
Branch(config-if)#no shut
Branch(config-if)#int lo0
Branch(config-if)#ip add 192.168.1.100 255.255.255.0
Branch(config-if)#exit
Branch(config)#ip route 0.0.0.0 0.0.0.0 142.119.125.5
Step 1.2. IKE Phase 1
headquarter(config)#crypto isakmp policy 10
headquarter(config-isakmp)#encryption aes
headquarter(config-isakmp)#hash sha256
headquarter(config-isakmp)#authentication pre-share
headquarter(config-isakmp)#group 2
headquarter(config-isakmp)#exit
Branch(config)#crypto isakmp policy 10
Branch(config-isakmp)#encryption aes
Branch(config-isakmp)#hash sha256
Branch(config-isakmp)#authentication pre-share
Branch(config-isakmp)#group 2
Branch(config-isakmp)#exit
headquarter(config)#crypto isakmp key ali.a address 142.119.125.6
Branch(config)#crypto isakmp key ali.a address 2.223.119.10
Step 1.3 IKE phase 2 ( IPsec)
headquarter(config)#crypto ipsec transform-set TRANSFORM esp-sha256-hmac esp-aes
Branch(config)#crypto ipsec transform-set TRANSFORM esp-sha256-hmac esp-aes
Step 1.4 Match traffic source and destination ( flow )
headquarter(config)#access-list 110 permit ip 172.16.20.0 0.0.0.255 192.168.1.0 0.0.0.255
Branch(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.20.0 0.0.0.255
Step 1.5 Create Crypto map
headquarter(config)#crypto map VPN 5 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
headquarter(config-crypto-map)#set peer 142.119.125.6
headquarter(config-crypto-map)#set transform-set TRANSFORM
headquarter(config-crypto-map)#match address 110
headquarter(config-crypto-map)#exit
Branch(config)#crypto map VPN 5 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Branch(config-crypto-map)#set peer 2.223.119.10
Branch(config-crypto-map)#set transform-set TRANSFORM
Branch(config-crypto-map)#match address 110
Branch(config-crypto-map)#exit
Step 1.6 Apply to interface ( toward the provider)
Note: you can have multiple crypto map entries on a router (or any network device acting as a site-to-site VPN endpoint), but only one crypto map can be applied to an interface at a time.
headquarter(config)#int e0/0
headquarter(config-if)#crypto map VPN
Branch(config)#int e0/1
Branch(config-if)#crypto map VPN
Note: you will see a syslog message that ISAKMP is on. One disadvantage of the IPsec crypto map is that the IPsec SA does not come up until interesting traffic (traffic matching the access-list) is sent.
headquarter(config-if)#
*Apr 12 04:33:13.142: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch(config-if)#
*Apr 12 04:33:47.418: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
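Most crypto-map tunnels that never come up fail on a mismatch between the two sides: a peer address that is not the other router's WAN address, transform-sets that differ, or crypto ACLs that are not mirror images. The following Python is an added example, not part of the original tutorial, that reads the peer-sensitive lines of both configurations from steps 1.1 to 1.6 (constructed input, assuming one WAN interface, one transform-set and one crypto ACL per router) and reports any such mismatch before traffic is sent.

```python
# Constructed input: the peer-sensitive lines of the two routers from steps
# 1.1-1.6, as "show running-config" would print them (one WAN interface each).
HQ = """\
interface Ethernet0/0
 ip address 2.223.119.10 255.255.255.252
crypto ipsec transform-set TRANSFORM esp-sha256-hmac esp-aes
access-list 110 permit ip 172.16.20.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map VPN 5 ipsec-isakmp
 set peer 142.119.125.6
 match address 110
"""
BRANCH = """\
interface Ethernet0/1
 ip address 142.119.125.6 255.255.255.252
crypto ipsec transform-set TRANSFORM esp-aes esp-sha256-hmac
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.20.0 0.0.0.255
crypto map VPN 5 ipsec-isakmp
 set peer 2.223.119.10
 match address 110
"""

def parse(cfg):
    """Collect the fields that must agree between two crypto-map peers."""
    f = {"acl": {}}
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"]:
            f["local"] = t[2]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            f["tset"] = set(t[4:])              # transform order does not matter
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            f["acl"][t[1]] = tuple(t[4:8])      # src, src-wc, dst, dst-wc
        elif t[:2] == ["set", "peer"]:
            f["peer"] = t[2]
        elif t[:2] == ["match", "address"]:
            f["use_acl"] = t[2]
    return f

def check_peers(a, b):
    """Return mismatches between two parsed sides; empty means they agree."""
    problems = []
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        problems.append("set peer does not match the other side's WAN address")
    if a["tset"] != b["tset"]:
        problems.append("transform-sets differ: IKE phase 2 will not negotiate")
    src, swc, dst, dwc = a["acl"][a["use_acl"]]
    if b["acl"][b["use_acl"]] != (dst, dwc, src, swc):
        problems.append("crypto ACLs are not mirror images: traffic will not match")
    return problems
```

`check_peers(parse(HQ), parse(BRANCH))` returns an empty list for the configuration above; a single wrong octet in either ACL or a different cipher in one transform-set produces a finding.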
2.1 Verify the route
headquarter#ping 192.168.1.100 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
Packet sent with a source address of 172.16.20.100
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/4/5 ms
Branch#ping 172.16.20.100 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.100, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.100
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
2.2 Verify IKE phase 1 ( Isakmp sa)
headquarter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
142.119.125.6   2.223.119.10    QM_IDLE           1001 ACTIVE
IPv6 Crypto ISAKMP SA
Branch#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
142.119.125.6   2.223.119.10    QM_IDLE           1001 ACTIVE
IPv6 Crypto ISAKMP SA
2.3 Verify IKE phase 2 ( IPsec sa)
headquarter#show crypto ipsec sa
interface: Ethernet0/0
Crypto map tag: VPN, local addr 2.223.119.10
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 142.119.125.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 2.223.119.10, remote crypto endpt.: 142.119.125.6
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0xB2892215(2995331605)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x8359BE9D(2203696797)
Branch#show crypto ipsec sa
interface: Ethernet0/1
Crypto map tag: VPN, local addr 142.119.125.6
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.20.0/255.255.255.0/0/0)
current_peer 2.223.119.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 142.119.125.6, remote crypto endpt.: 2.223.119.10
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
current outbound spi: 0x8359BE9D(2203696797)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB2892215(2995331605)
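Reading step 2.3 by hand, the check is that each router's current outbound SPI is the other router's inbound SPI, and that what one side encapsulates the other side decapsulates. The following Python is an added example, not part of the original tutorial, that parses the two show crypto ipsec sa listings (constructed input with the page's values) and makes those checks automatically; it also reports the PFS (Y/N): N shown in the output, since the page's crypto map does not enable perfect forward secrecy.

```python
import re

# Constructed input: the SA lines from "show crypto ipsec sa" on both routers
# in step 2.3, trimmed to the fields this check reads.
HQ_SA = """\
 #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
 #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
 current outbound spi: 0xB2892215(2995331605)
 PFS (Y/N): N, DH group: none
 inbound esp sas:
  spi: 0x8359BE9D(2203696797)
"""
BRANCH_SA = """\
 #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
 #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
 current outbound spi: 0x8359BE9D(2203696797)
 PFS (Y/N): N, DH group: none
 inbound esp sas:
  spi: 0xB2892215(2995331605)
"""

FIELDS = {
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "out_spi": r"current outbound spi: (0x[0-9a-fA-F]+)",
    "in_spi": r"inbound esp sas:\s*spi: (0x[0-9a-fA-F]+)",
    "pfs": r"PFS \(Y/N\): ([YN])",
}

def parse_sa(text):
    """Extract counters, SPIs and the PFS flag from one router's output."""
    sa = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        sa[key] = m.group(1).lower() if m else None
    sa["encaps"], sa["decaps"] = int(sa["encaps"]), int(sa["decaps"])
    return sa

def check_sa_pair(a, b):
    """Return findings for one ESP SA pair as seen from both ends."""
    findings = []
    # Each end's outbound SPI must be the other end's inbound SPI.
    if a["out_spi"] != b["in_spi"] or b["out_spi"] != a["in_spi"]:
        findings.append("SPI mismatch: the two ends are not sharing one SA")
    # What one end encapsulates the other should decapsulate; a gap means drops.
    if a["encaps"] != b["decaps"] or b["encaps"] != a["decaps"]:
        findings.append("encaps/decaps counters disagree: packets are being lost")
    if a["pfs"] == "n" or b["pfs"] == "n":
        findings.append("PFS is off: add 'set pfs' to the crypto map entry")
    return findings
```

For the two listings above the only finding is the PFS one; comparing a listing against itself reports an SPI mismatch, which is what a stale or re-keyed SA on one side looks like.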