BASICS
Configuring a Basic IPsec VPN
Danny Cheung
CISCO 1/2009

The internet has become a staple of modern life. It provides us with a fast and reliable method to send data across the world. But what if I have an important message to send, but I don't want the rest of the world to see it? How can I be sure that the data I send remains confidential?

As more businesses and organisations started to rely on the internet, there was an increasing need for a standardised way to securely send data over the internet. As a result, Internet Protocol Security (IPsec) was created.

This article will help you set up a basic IPsec VPN using a Cisco router. But before we jump onto the terminal, we first need to understand some of the basics of how IPsec works.

WHAT YOU WILL LEARN
The user will be able to understand the basics of the IPsec protocol and be able to configure a simple IPsec VPN between two routers.

WHAT YOU SHOULD KNOW
The reader should have a good understanding of IP, be able to perform basic IOS configuration changes using the CLI, be familiar with configuring Cisco ACLs and be familiar with basic cryptography.

IPsec Basics
IPsec is a protocol that utilises other protocols. The main three are ISAKMP, Authentication Header (AH) and Encapsulating Security Payload (ESP). These define the manner in which the devices set up the IPsec tunnel and what to do with the IP payload.

ISAKMP and ISAKMP Policies
IPsec requires that the two devices agree on a combination of settings. ISAKMP provides a secure environment for the negotiations to occur. ISAKMP also allows the two devices to authenticate each other.

Before ISAKMP can create the secure environment, the two devices need to agree on the settings for the secure environment. Each device will create an ISAKMP policy. The policy is an ordered list of the settings that it deems acceptable to use. These settings include the encryption algorithm to use, the hash to use for message integrity and the method of authentication. As an example, a policy might look like this:

• Encryption: DES
• Hash: MD5
• Authentication method: Pre-shared keys

or

• Encryption: 3DES
• Hash: SHA
• Authentication method: Pre-shared keys

The policies of the two devices are then compared. If an entry appears in both policies, those are the settings that will be used. But what if there are two entries that appear in both lists?

The policy entries are listed in order of preference, with the first entry being the most preferred. The first entry in a policy will be compared to all entries in the peer's policy. If a match cannot be found, the second entry will be compared with all entries in the peer's policy, and so on.

If there are no entries that are common to the policies of both devices, ISAKMP will fail and the VPN will not be formed. Therefore, it is important to ensure that at least one entry is common to both devices.

IPsec Policies
IPsec policies are similar to ISAKMP policies. They are an ordered list with each entry in the policy representing an acceptable combination of settings. For the two devices to agree on the IPsec settings to use, they undergo a negotiation process similar to ISAKMP.

The difference between an IPsec policy and an ISAKMP policy is the fields that the entries contain. Settings include which headers to use (see IPsec Headers), the encryption algorithm and the hash function to use.

IPsec Headers
IPsec inserts extra headers between the IP header and the payload. These headers contain information such as the settings being used, hashes and replay attack countermeasures. The IPsec framework specifies two different headers that can be inserted: Authentication Header (AH) and Encapsulating Security Payload (ESP). They can be used individually or both can be used simultaneously.

AH provides features such as message integrity, packet authentication and anti-replay measures. Use of AH does not encrypt the payload. ESP provides encryption capabilities along with packet authentication and message integrity.

Scenario
In this scenario, we have two networks. The two networks are separated by the Internet and each network contains a router and a PC. We want to configure the routers to use IPsec to encrypt the data between the PCs, but not data from the PCs to other hosts on the Internet.

From the diagram, you can see that each router has one 100Mb Ethernet port for the LAN and a serial port for the WAN.

Figure 1. A basic IPsec scenario

Preparation
Before we begin, make sure that the two routers and the two PCs have connectivity to each other. This will involve assigning IP addresses to the interfaces and configuring routing.

Step 1.
Firstly, you need to ensure that you have an IOS image that supports IPsec. An easy way to tell is to run the show version command and look at the IOS type. For example:

Router1# show version
Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc4)
...

We can see that this copy of IOS is for a Cisco 3725 router. The K9 denotes that cryptographic features are available. This is necessary for IPsec. Make sure that both devices are capable of establishing IPsec tunnels.

Basic IPsec Configuration
Now it's time for the fun part, setting up IPsec on our Cisco routers.

Step 2.
Enable ISAKMP. ISAKMP is a protocol used to both authenticate the other device and to set up a secure tunnel to perform IPsec configuration negotiations.

Router1(config)# crypto isakmp enable

Step 3.
If you have access control lists configured on your router, you will need to make sure that they allow the sending and receiving of ISAKMP and IPsec packets. You will also need to ensure that all routers, firewalls and servers between the two devices do not block ISAKMP and IPsec packets.

Router1(config)# access-list 100 permit udp host 10.0.0.1 host 10.0.0.2 eq isakmp
Router1(config)# access-list 100 permit ahp host 10.0.0.1 host 10.0.0.2
Router1(config)# access-list 100 permit esp host 10.0.0.1 host 10.0.0.2

Step 4.
Create ISAKMP policies. An ISAKMP policy is a group of settings that your device is willing to use for communication.

Router1(config)# crypto isakmp policy 10

This command will drop you into ISAKMP configuration mode. The number 10 indicates the priority of this set of configuration options. The lower the priority number, the higher the preference.

Set the encryption algorithm to use. Available options are: des, 3des and aes. DES is so weak that it is no longer used, but is fastest. AES is the new standard, but is more CPU and memory intensive.

Router1(config-isakmp)# encryption aes

Choose the hashing algorithm to use. Available options are: md5 and sha. MD5 is faster, but is no longer cryptographically secure. SHA is the new standard, but requires more resources.

Router1(config-isakmp)# hash sha

Choose the method this device will use to authenticate with other devices. Available options are pre-share, rsa-encr and rsa-sig.

Router1(config-isakmp)# authentication pre-share

Set the Diffie-Hellman group. Available values are 1, 2 and 5. When the two devices derive a shared secret using the Diffie-Hellman algorithm, the group determines the range of possible secrets to choose from. Choosing a higher group will mean it is more secure, but will require more resources.

Router1(config-isakmp)# group 5

Specify how long before Diffie-Hellman will be re-run.

Router1(config-isakmp)# lifetime 3600

Return to global configuration mode.

Router1(config-isakmp)# exit

Step 5.
Set up the ISAKMP authentication settings. In this example, we will identify other devices based on their IP address. The two devices will use the pre-shared key ABC123 to authenticate each other.

Router1(config)# crypto isakmp identity address
Router1(config)# crypto isakmp key ABC123 address 10.0.0.2

Using pre-shared keys to authenticate devices is simple, but can be a pain to manage with a large number of devices. Use of rsa-encr and rsa-sig requires PKI to be configured.

Step 6.
Create the IPsec transform sets. A transform set is a combination of encryption and hashing algorithms that will be applied to your data.

Router1(config)# crypto ipsec transform-set TRANSFORM_SET_1 esp-aes esp-sha-hmac
Router1(cfg-crypto-tran)# exit

Step 7.
Specify the traffic that we wish to encrypt. This is done through the use of access control lists. Anything that is permitted by this access list will be encrypted. Anything that is denied will not be considered for IPsec. This does not mean the packet will be dropped.

Router1(config)# access-list 101 permit ip host 192.168.1.1 host 192.168.2.2

Step 8.
Set up the IPsec policy. Create a crypto map entry. A crypto map is a collection of security settings to be applied to an interface. We will specify that this policy entry belongs to the crypto map CRYPTO_MAP_1 and that it is to be entry number 10. The type of crypto map is ipsec-isakmp.

Router1(config)# crypto map CRYPTO_MAP_1 10 ipsec-isakmp

Specify the peer to establish the tunnel with.

Router1(config-crypto-map)# set peer 10.0.0.2

Specify the access control list that matches the traffic we wish to encrypt. This is the ACL created in Step 7.

Router1(config-crypto-map)# match address 101

Specify the transform sets to use on the data.

Router1(config-crypto-map)# set transform-set TRANSFORM_SET_1 TRANSFORM_SET_2 ...

Specify the time before the IPsec tunnel will need to re-negotiate the IPsec settings.

Router1(config-crypto-map)# set security-association lifetime seconds 3600

Return to global configuration mode.

Router1(config-crypto-map)# exit

Step 9.
Apply the IPsec policy to an interface.

Router1(config)# interface serial0/0
Router1(config-if)# crypto map CRYPTO_MAP_1

Step 10.
All of the above commands were for Router1. Apply the same commands on Router2. When you do, you will need to make the following IP address changes:

10.0.0.1 to 10.0.0.2
10.0.0.2 to 10.0.0.1
192.168.1.1 to 192.168.2.2
192.168.2.2 to 192.168.1.1

Step 11.
It's now time to verify and test that our IPsec tunnel works. Running the privileged mode command show crypto ipsec sa should produce the output shown in Figure 2.

Figure 2. Tunnel statistics with no data sent

From the highlighted area, you can see that nothing has yet needed to use the IPsec tunnel. After PC1 has sent some data to PC2, running the command again will produce the output shown in Figure 3. From the highlighted region you can see that data has been protected by IPsec. Hooray! Our IPsec tunnel works.
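Step 10's address swaps, and a check worth running before the verification in Step 11, as an added Python example that is not the article's own code: it derives Router2's commands from Router1's by applying the swaps, then verifies that the crypto ACL (Step 7) on each peer is the mirror image of the other's, which the peers need in order to agree on which traffic the tunnel protects (a general IPsec requirement, not something the article states). The Router1 command lines are constructed from the steps above; the helper names are assumptions.

```python
# Added example (not from the article): apply the Step 10 address swaps to
# Router1's commands to obtain Router2's, then check that the crypto ACLs
# on the two peers are mirror images (src/dst reversed) of each other.
import re

# The Step 10 swaps, applied simultaneously rather than one after the other
# (sequential replacement would map 10.0.0.1 -> 10.0.0.2 -> 10.0.0.1 again).
SWAPS = {"10.0.0.1": "10.0.0.2", "10.0.0.2": "10.0.0.1",
         "192.168.1.1": "192.168.2.2", "192.168.2.2": "192.168.1.1"}
_ADDR = re.compile(r"\b(" + "|".join(map(re.escape, SWAPS)) + r")\b")


def mirror_config(router1_lines):
    """Return Router2's commands: swap every address and the hostname prompt."""
    out = []
    for line in router1_lines:
        line = _ADDR.sub(lambda m: SWAPS[m.group(1)], line)
        out.append(line.replace("Router1", "Router2", 1))
    return out


# Matches "access-list <n> permit <proto> host <src> host <dst>" as typed above.
_ACL = re.compile(r"access-list (\d+) permit (\S+) host (\S+) host (\S+)")


def crypto_acl_entries(lines, number):
    """Collect (proto, src, dst) tuples of the given numbered extended ACL."""
    entries = []
    for line in lines:
        m = _ACL.search(line)
        if m and m.group(1) == number:
            entries.append((m.group(2), m.group(3), m.group(4)))
    return entries


def acls_are_mirrored(lines_a, lines_b, number):
    """True when every (proto, src, dst) on one peer is (proto, dst, src) on the other."""
    a = crypto_acl_entries(lines_a, number)
    b = crypto_acl_entries(lines_b, number)
    return sorted(a) == sorted((p, d, s) for p, s, d in b)


# Constructed Router1 commands, taken from Steps 3, 5, 7 and 8 above.
ROUTER1 = [
    "Router1(config)# access-list 100 permit udp host 10.0.0.1 host 10.0.0.2 eq isakmp",
    "Router1(config)# crypto isakmp key ABC123 address 10.0.0.2",
    "Router1(config)# access-list 101 permit ip host 192.168.1.1 host 192.168.2.2",
    "Router1(config-crypto-map)# set peer 10.0.0.2",
]
ROUTER2 = mirror_config(ROUTER1)
```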
Further Considerations
When configuring IPsec, there are a few
things to consider.
Firstly, the encryption and hashing algorithms that you will be using are important. AES and SHA provide a much higher level of security and protection, but they use up more CPU and memory. If your router does not have the necessary resources, the router's performance will suffer. You should also check that your copy of IOS is capable of performing AES and SHA.

If you plan on having a large number of IPsec tunnels, the use of pre-shared keys is not recommended. If you use the same key for every IPsec tunnel and the key is compromised, then all of the tunnels are at risk. If you use different keys for each pair of routers, then you run into the issue of managing the keys.
The use of digital certificates solves
these problems, but requires the installation
and configuration of PKI. Since IPsec inserts
extra headers after the IP header, there
will be less room in the IP packet for data.
Depending on your traffic, this can lead
to fragmentation. The MTU of the link may
need to be adjusted to accommodate.
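The entry-by-entry ISAKMP policy matching described in the ISAKMP and ISAKMP Policies section, together with the algorithm concerns raised here, as an added Python example that is not part of the article: two constructed policy lists are negotiated in priority order, and each entry is audited for the weak choices the article names (DES, MD5, and the lower Diffie-Hellman groups). The class and function names, the sample policies and the group threshold used by the audit are assumptions.

```python
# Added example, not from the article: a model of the ISAKMP policy matching
# the article describes, plus an audit for the weak choices it warns about.
# Entries are ordered by their priority number exactly as on the router:
# "crypto isakmp policy 10" is preferred over "crypto isakmp policy 20".
from dataclasses import dataclass

@dataclass(frozen=True)
class IsakmpEntry:
    priority: int    # the number given to "crypto isakmp policy <n>"
    encryption: str  # des, 3des or aes
    hash_alg: str    # md5 or sha
    auth: str        # pre-share, rsa-encr or rsa-sig
    group: int       # Diffie-Hellman group 1, 2 or 5

    def settings(self):
        return (self.encryption, self.hash_alg, self.auth, self.group)

def negotiate(local, peer):
    """Compare each local entry, most preferred first, against every peer entry;
    the first identical pair wins. None means ISAKMP fails and no VPN forms."""
    for mine in sorted(local, key=lambda e: e.priority):
        for theirs in sorted(peer, key=lambda e: e.priority):
            if mine.settings() == theirs.settings():
                return mine.settings()
    return None

def audit(entry):
    """List the weak choices in one entry, following the article: DES is no longer
    used, MD5 is no longer secure, lower DH groups are less secure (threshold assumed)."""
    findings = []
    if entry.encryption == "des":
        findings.append("encryption des")
    if entry.hash_alg == "md5":
        findings.append("hash md5")
    if entry.group < 5:
        findings.append("group %d" % entry.group)
    return findings

# Constructed sample policies. ROUTER1's first entry is the one built in Step 4.
ROUTER1 = [IsakmpEntry(10, "aes", "sha", "pre-share", 5),
           IsakmpEntry(20, "3des", "sha", "pre-share", 2)]
ROUTER2 = [IsakmpEntry(10, "des", "md5", "pre-share", 1),
           IsakmpEntry(20, "3des", "sha", "pre-share", 2)]

def weakest_acceptable(local, peer):
    """Audit findings for the settings the two peers would actually agree on."""
    chosen = negotiate(local, peer)
    return None if chosen is None else audit(IsakmpEntry(0, *chosen))
```

A strong first entry does not protect you if a weaker fallback entry is the one both peers share; the audit of the negotiated result shows what the tunnel will really use.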
Summary
In this tutorial, we set up a basic IPsec VPN between two Cisco routers. Whilst our example scenario was basic, the configuration can be applied to larger networks.

Since IPsec is a standard, it is implemented in routers from other vendors. This means that you can set up a VPN from your home ADSL router back to the office.
Figure 3. Tunnel statistics with data sent
Danny Cheung
Danny Cheung is a working member of the IT industry in Sydney, specialising in Linux and Cisco. Danny is CCNA and CCNP certified and a Certified Cisco Academy Instructor teaching CCNA Wireless and CCNA Voice.