
Module 4: Configure Site-to-Site VPN Using Pre-shared Keys

PDF created with pdfFactory trial version www.pdffactory.com


Overview



Prepare a Router for Site-to-Site VPN using Pre-shared Keys

• IPSec encryption with pre-shared keys
• Planning the IKE and IPSec policy
• Step 1 – Determine ISAKMP (IKE Phase 1) policy
• Step 2 – Determine IPSec (IKE Phase 2) policy
• Step 3 – Check the current configuration
• Step 4 – Ensure the network works without encryption
• Step 5 – Ensure ACLs are compatible with IPSec



IPSec encryption with pre-shared keys

• The use of pre-shared keys for authentication of IPSec sessions is relatively easy to configure, yet does not scale well for a large number of IPSec clients.
• The authentication is based on a pre-shared secret. Both peers share a secret password string between them. This secret is exchanged securely out-of-band.
• During the IKE peer authentication process, peers perform a PPP CHAP-like exchange of random values, hashed with the pre-shared secret key.
• Authentication via pre-shared secrets uses hashing and is therefore very fast.


Planning the IKE and IPSec policy

• It is important to plan IPSec details in advance to minimize configuration errors. The IPSec security policy should be defined based on the overall company security policy.



Step 1 – Determine ISAKMP (IKE Phase 1) policy



Step 2 – Determine IPSec (IKE Phase 2) policy



Step 3 – Check the current configuration



Step 4 – Ensure the network works without encryption

• The router ping command can be used to test basic connectivity between IPSec peers.
• While a successful ICMP echo, or ping, will verify basic connectivity between peers, it should be verified that the network works with any other protocols or ports that are to be encrypted, such as Telnet or FTP, before beginning IPSec configuration.



Step 5 – Ensure ACLs are compatible with IPSec

• Existing ACLs on perimeter routers, PIX Security Appliances, or other routers need to be checked to ensure that they do not block IPSec traffic.
• Perimeter routers typically implement a restrictive security policy with ACLs, where only specific traffic is permitted and all other traffic is denied. Such a restrictive policy blocks IPSec traffic, so specific permit statements need to be added to the ACL to allow IPSec traffic.


Configure a Router for IKE Using Pre-shared Keys

• Step 1 – Enable or disable IKE
• Step 2 – Create IKE policies
• Step 3 – Configure pre-shared keys
• Step 4 – Verify the IKE configuration



Configure a Router for IKE Using Pre-shared Keys

• Step 1 – Enable or disable IKE
• IKE is enabled by default. IKE does not have to be enabled for individual interfaces, but it is enabled globally for all interfaces at the router.
• If IKE is not used with an IPSec implementation, it can be disabled at all IPSec peers.


Configure a Router for IKE Using Pre-shared Keys

• Step 2 – Create IKE policies
• IKE policies must be created at each peer.
• An IKE policy defines a combination of security parameters to be used during the IKE negotiation. An IKE policy is created with the crypto isakmp policy priority command.


Configure a Router for IKE Using Pre-shared Keys

• Step 2 (continued) – Create IKE policies
• There are 5 parameters to define in each IKE policy, as shown in the figure.
• These parameters apply to the IKE negotiations when the IKE security association is established.


Configure a Router for IKE Using Pre-shared Keys

• Step 2 (continued) – Create IKE policies
• If no policies are configured, the router will use the default policy, which is always set to the lowest priority, and which contains the default value of each parameter.
• If a value for a parameter is not specified, the default value is assigned.



Configure a Router for IKE Using Pre-shared Keys

• Step 2 (continued) – Create IKE policies
• ISAKMP peers negotiate acceptable ISAKMP policies before agreeing upon the SA to be used for IPSec.
• When the ISAKMP negotiation begins in IKE phase one main mode, ISAKMP looks for an ISAKMP policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match with its policies.
• The remote peer looks for a match by comparing its own highest priority policy against the policies received from the peer.
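How the responder's search order plays out, as an added example (a hypothetical Python model, not Cisco code). It assumes the five policy parameters are encryption, hash, authentication, Diffie-Hellman group and lifetime, the documented IOS lifetime rule (the offered lifetime must not exceed the responder's, and the shorter one is used), and the classic IOS default policy of DES, SHA, RSA signatures, group 1 and 86400 seconds sitting at the lowest priority on every router.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # lower number = higher priority (crypto isakmp policy N)
    encryption: str      # e.g. des, 3des, aes 256
    hash: str            # md5 or sha
    authentication: str  # pre-share, rsa-sig, rsa-encr
    group: int           # Diffie-Hellman group
    lifetime: int        # seconds


# Assumed classic IOS default policy: always present, always lowest priority.
DEFAULT_POLICY = IsakmpPolicy(65535, "des", "sha", "rsa-sig", 1, 86400)


def with_default(policies: List[IsakmpPolicy]) -> List[IsakmpPolicy]:
    """Configured policies in priority order, then the built-in default."""
    return sorted(policies, key=lambda p: p.priority) + [DEFAULT_POLICY]


def matches(mine: IsakmpPolicy, offered: IsakmpPolicy) -> bool:
    """Identical encryption/hash/auth/group; offered lifetime <= mine."""
    return (mine.encryption == offered.encryption
            and mine.hash == offered.hash
            and mine.authentication == offered.authentication
            and mine.group == offered.group
            and offered.lifetime <= mine.lifetime)


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """Initiator sends all its policies; the responder walks its own list
    from highest priority down and accepts the first one that any offered
    policy matches, using the (shorter) offered lifetime for the SA."""
    offered = with_default(initiator)
    for mine in with_default(responder):
        for proposal in offered:
            if matches(mine, proposal):
                return replace(mine, lifetime=proposal.lifetime)
    return None   # unreachable while both sides carry the default policy


if __name__ == "__main__":
    # Constructed example: both routers list the same two policies, but in
    # opposite priority order. The responder's order decides the outcome.
    router_a = [IsakmpPolicy(10, "aes 256", "sha", "pre-share", 14, 86400),
                IsakmpPolicy(20, "3des", "sha", "pre-share", 2, 86400)]
    router_b = [IsakmpPolicy(10, "3des", "sha", "pre-share", 2, 86400),
                IsakmpPolicy(20, "aes 256", "sha", "pre-share", 14, 86400)]
    print("A initiates:", negotiate(router_a, router_b).encryption)  # 3des
    print("B initiates:", negotiate(router_b, router_a).encryption)  # aes 256
```

Because the default policy is on both routers, two peers with no common configured policy still agree on the DES default instead of failing, which is worth checking for with show crypto isakmp policy.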



Configure a Router for IKE Using Pre-shared Keys

• Step 2 (continued) – Create IKE policies
• The ISAKMP identity should be set for each peer that uses pre-shared keys in an IKE policy.
• When 2 peers use IKE to establish IPSec security associations, each peer sends its identity to the remote peer. Each peer sends either its host name or its IP address, depending on how the ISAKMP identity of the router has been set up.



Configure a Router for IKE Using Pre-shared Keys

• Step 2 (continued) – Create IKE policies
• By default, a peer's ISAKMP identity is the IP address of the peer. If appropriate, the identity could be changed to be the peer's host name instead.
• As a general rule, set the identities of all peers the same way. Either all peers should use their IP addresses or all peers should use their host names.
• If some peers use their host names and some peers use their IP addresses to identify themselves to each other, IKE negotiations could fail if the identity of a remote peer is not recognized and a DNS lookup is unable to resolve the identity.



Configure a Router for IKE Using Pre-shared Keys

• Step 3 – Configure pre-shared keys
• To configure pre-shared keys, perform these tasks at each peer that uses pre-shared keys in an IKE policy:
– First, set the ISAKMP identity of each peer. The identity of each peer should be set to either its host name or its IP address. By default, the peer identity is set to its IP address.
– Next, specify the shared keys at each peer. Note that a given pre-shared key is shared between two peers. A given peer could be specified to use the same key to share with multiple remote peers. A more secure approach is to specify different keys to share between different pairs of peers.



Configure a Router for IKE Using Pre-shared Keys

• Step 3 (continued) – Configure pre-shared keys
• To specify pre-shared keys at a peer, use the commands shown in the figure in global configuration mode.



Extra: Encrypting and Wildcard PSK

• It is possible to specify a wildcard address (0.0.0.0) rather than a specific IP address. If a wildcard address is specified, a remote host with any IP address can establish an IPsec tunnel using the configured pre-shared key, so possession of that key is then the only thing that authenticates a peer.
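An audit of the pre-shared-key lines in a running-config excerpt, covering the wildcard, key-reuse and key-storage points above, as an added example (hypothetical Python, not Cisco code). It assumes keys are bound to exact peer addresses or to the 0.0.0.0 wildcard, that a key type of 6 means the key is stored AES-encrypted while type 0 or no type means cleartext, and that reuse is only detectable for cleartext keys; the configuration it scans is constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List

# crypto isakmp key [0|6] <key> address <peer> [<mask>]
_KEY_RE = re.compile(r"^crypto isakmp key (?:(\d) )?(\S+) address (\S+)(?: (\S+))?")
_PEER_RE = re.compile(r"^\s*set peer (\S+)")


def audit_psk_config(config: str) -> List[str]:
    """Return human-readable findings for the PSK-related lines of a config."""
    findings: List[str] = []
    peers_for_key: Dict[str, List[str]] = defaultdict(list)
    keyed_peers = set()
    map_peers: List[str] = []
    wildcard = False
    for raw in config.splitlines():
        line = raw.rstrip()
        m = _KEY_RE.match(line.strip())
        if m:
            ktype, key, addr, _mask = m.groups()
            if addr == "0.0.0.0":
                wildcard = True
                findings.append("wildcard PSK: any host that knows the key can negotiate")
            if ktype != "6":   # no type or type 0: key readable in the config
                findings.append(f"PSK for {addr} stored unencrypted in the config")
            peers_for_key[key].append(addr)
            keyed_peers.add(addr)
            continue
        m = _PEER_RE.match(line)
        if m:
            map_peers.append(m.group(1))
    for key, peers in peers_for_key.items():
        if len(peers) > 1:   # the module recommends a different key per peer pair
            findings.append(f"one key shared by {len(peers)} peers: {', '.join(peers)}")
    if not wildcard:         # with a wildcard key every peer is covered
        for peer in map_peers:
            if peer not in keyed_peers:
                findings.append(f"crypto map peer {peer} has no pre-shared key")
    return findings


# Constructed running-config excerpt; the type-6 value is a placeholder.
SAMPLE_CONFIG = """\
crypto isakmp key Secret1 address 192.0.2.1
crypto isakmp key Secret1 address 198.51.100.1
crypto isakmp key 6 TYPE6_BLOB_PLACEHOLDER address 203.0.113.9
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set peer 203.0.113.9
 set peer 203.0.113.77
"""

if __name__ == "__main__":
    for finding in audit_psk_config(SAMPLE_CONFIG):
        print(finding)
```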


Configure a Router for IKE Using Pre-shared Keys

• Step 4 – Verify the IKE configuration
• The show crypto isakmp policy command can be used to display configured and default policies. The resultant ISAKMP policy for RouterA is shown in the figure. RouterB's configuration is identical.


Configure a Router with IPSec Using Pre-shared Keys

• Steps to configure IPSec
• Step 1 – Configure transform set suites
• Step 2 – Configure global IPSec SA lifetimes
• Step 3 – Create crypto ACLs
• Step 4 – Create crypto maps
• Step 5 – Apply crypto maps to interfaces



Configure a Router with IPSec Using Pre-shared Keys

• Steps to configure IPSec
• The general tasks and commands used to configure IPSec encryption on Cisco routers are summarized as follows:
– Step 1 Configure transform set suites with the crypto ipsec transform-set command.
– Step 2 Configure global IPSec security association lifetimes with the crypto ipsec security-association lifetime command.
– Step 3 Configure crypto ACLs with the access-list command.
– Step 4 Configure crypto maps with the crypto map command.
– Step 5 Apply the crypto maps to the terminating/originating interface with the interface and crypto map commands.


Configure a Router with IPSec Using Pre-shared Keys

• Step 1 – Configure transform set suites
• A transform set represents a certain combination of security protocols and algorithms.
• During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
• Multiple transform sets can be specified, and then one or more of these transform sets can be specified in a crypto map entry.


Configure a Router with IPSec Using Pre-shared Keys

• Step 1 (continued) – Configure transform set suites
• If a transform set definition is changed, the change is only applied to crypto map entries that reference the transform set.
• The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations.
• To force the new settings to take effect sooner, all or part of the security association database can be cleared by using the clear crypto sa command.


Configure a Router with IPSec Using Pre-shared Keys

• Step 1 (continued) – Configure transform set suites
• Transform sets are negotiated during quick mode in IKE phase two using the transform sets that were previously configured.
• Configure the transforms from most to least secure as dictated by the security policy.
• The transform set defined in the crypto map entry is used in the IPSec SA negotiation to protect the data flows specified by the ACL in that crypto map entry.


Configure a Router with IPSec Using Pre-shared Keys

• Step 1 (continued) – Configure transform set suites
• During the negotiation, the peers search for a transform set that is the same at both peers, as illustrated in the figure.
• When such a transform set is found, it is selected and is applied to the protected traffic as part of the IPSec SA of both peers. IPSec peers agree on one transform proposal per SA, in a unidirectional manner.


Configure a Router with IPSec Using Pre-shared Keys

• Step 2 – Configure global IPSec SA lifetimes
• These lifetimes only apply to security associations established via IKE. Manually established security associations do not expire.
• There are 2 lifetimes: a timed lifetime and a traffic-volume lifetime. A security association expires after the first of these lifetimes is reached.
• The default lifetimes are 3,600 seconds, or one hour, and 4,608,000 kilobytes, or 10 megabits per second for one hour.


Configure a Router with IPSec Using Pre-shared Keys

• Step 3 – Create crypto ACLs
• Crypto access lists are used to define which IP traffic will be protected by IPSec and which traffic will not be protected by IPSec.
• These access lists are not the same as regular access lists, which determine what traffic to forward or block at an interface.
• For example, a crypto access list can be created to protect all IP traffic between two subnets or Telnet traffic between two individual hosts.


Configure a Router with IPSec Using Pre-shared Keys

• Step 3 (continued) – Create crypto ACLs
• Although the ACL syntax is unchanged, the meanings are slightly different for crypto ACLs.
• The permit keyword specifies that matching packets must be encrypted.
• The deny keyword specifies that matching packets need not be encrypted.
• Any unprotected inbound traffic that matches a permit entry in the crypto ACL for a crypto map entry flagged as IPSec will be dropped, because this traffic was expected to be protected by IPSec.
• Cisco recommends that the any keyword be avoided.


Configure a Router with IPSec Using Pre-shared Keys

• Step 3 (continued) – Create crypto ACLs
• Cisco recommends that for every crypto access list specified for a static crypto map entry that is defined at the local peer, a symmetrical, or mirror image, crypto access list is configured at the remote peer.
• This ensures that traffic that has IPSec protection applied locally can be processed correctly at the remote peer.
• The crypto map entries themselves must also support common transforms and must refer to the other system as a peer.
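A mirror-image check for two peers' crypto ACLs, covering the permit/deny meanings, the warning against the any keyword and the mirror recommendation above, as an added example (hypothetical Python, not Cisco code). It handles the form "access-list N permit|deny ip SRC DST" where each address is "any", "host A.B.C.D" or "A.B.C.D WILDCARD"; the ACL text is constructed.

```python
import re
from typing import List, Tuple

Entry = Tuple[str, str, str]   # (action, source, destination), normalised

# access-list <number> permit|deny ip <src spec> <dst spec>
_ACL_RE = re.compile(r"^access-list\s+\d+\s+(permit|deny)\s+ip\s+(.+)$")


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec ('any', 'host A', or 'A WILDCARD')."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/0.0.0.0", tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_crypto_acl(text: str) -> List[Entry]:
    """Parse the 'ip' entries of an extended ACL into normalised tuples."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _ACL_RE.match(line.strip())
        if not m:
            continue                       # comments, blanks, other protocols
        action, rest = m.group(1), m.group(2).split()
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        entries.append((action, src, dst))
    return entries


def mirror_problems(local_acl: str, remote_acl: str) -> List[str]:
    """Findings for a local/remote crypto ACL pair; empty means mirrored."""
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    problems: List[str] = []
    for action, src, dst in local:
        if "any" in (src, dst):            # Cisco: avoid the any keyword
            problems.append(f"local {action} {src} -> {dst} uses 'any'")
        if (action, dst, src) not in remote:
            problems.append(f"no remote mirror for local {action} {src} -> {dst}")
    for action, src, dst in remote:
        if (action, dst, src) not in local:
            problems.append(f"no local mirror for remote {action} {src} -> {dst}")
    return problems


# Constructed ACLs: RouterA protects 10.1.1.0/24 <-> 10.2.2.0/24;
# RouterB's copy was mistyped with a host wildcard, so it is not a mirror.
ROUTER_A_ACL = "access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255"
ROUTER_B_ACL = "access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.0"

if __name__ == "__main__":
    for problem in mirror_problems(ROUTER_A_ACL, ROUTER_B_ACL):
        print(problem)
```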


Configure a Router with IPSec Using Pre-shared Keys

• Step 4 – Create crypto maps
• Crypto map entries created for IPSec set up security association parameters, tying together the various parts configured for IPSec.
• Some of these parameters are shown in the figure.
• Crypto map entries with the same crypto map name, but different map sequence numbers, are grouped into a crypto map set.
• These crypto map sets are applied to interfaces. Then all IP traffic passing through the interface is evaluated against the applied crypto map set.


Configure a Router with IPSec Using Pre-shared Keys

• Step 4 (continued) – Create crypto maps
• When two IPSec peers try to establish a security association, they must each have at least one crypto map entry that is compatible with one of the crypto map entries on the other peer.
• For two crypto map entries to be compatible, they must at least meet the following criteria:
– The crypto map entries must contain compatible crypto access lists, such as mirror image access lists. In the case where the responding peer is using dynamic crypto maps, the entries in the local crypto access list must be permitted by the crypto access list of the remote peer.
– The crypto map entries must each identify the other peer, unless the responding peer is using dynamic crypto maps.
– The crypto map entries must have at least one transform set in common.



Configure a Router with IPSec Using Pre-shared Keys

• Step 4 (continued) – Create crypto maps
• Use the crypto map global configuration command to create or modify a crypto map entry and enter the crypto map configuration mode.
• Set the crypto map entries referencing dynamic maps to be the lowest priority entries in a crypto map set.
• Remember that the lowest priority entries have the highest sequence numbers.
• Use the no form of this command to delete a crypto map entry or set.


Configure a Router with IPSec Using Pre-shared Keys

• Step 4 (continued) – Create crypto maps
• The figure illustrates a crypto map with two peers specified for redundancy. If the first peer cannot be contacted, the second peer is used.
• There is no limit to the number of redundant peers that can be configured.


Configure a Router with IPSec Using Pre-shared Keys

• Step 4 (continued) – Create crypto maps
• The crypto map command has a crypto map configuration mode with the commands and syntax shown in the table in the figure.



Extra: set peer



Configure a Router with IPSec Using Pre-shared Keys

• Step 5 – Apply crypto maps to interfaces
• A crypto map set needs to be applied to each interface through which IPSec traffic will flow.
• Applying the crypto map set to an interface instructs the router to evaluate all the traffic that passes through the interface against the crypto map set and to use the specified policy during connection or security association negotiation on behalf of traffic to be protected by IPSec.
• To apply a crypto map set to an interface, use the crypto map map-name command in interface configuration mode.


Configure a Router with IPSec Using Pre-shared Keys

• Step 5 (continued) – Apply crypto maps to interfaces
• For redundancy, the same crypto map set can be applied to more than one interface.
– Each interface will have its own piece of the security association database.
– The IP address of the local interface will be used as the local address for IPSec traffic originating from or destined to that interface.
• To specify redundant interfaces and name an identifying interface, use the crypto map map-name local-address interface-id command in global configuration mode.


Test and Verify the IPSec Configuration of the Router



Test and verify IPSec



Display the configured ISAKMP policies



Display the configured transform sets



Display the current state of IPSec SAs



Display the configured crypto maps



Enable debug output for IPSec events

• These commands generate a significant amount of output for every IP packet processed. They should only be used when IP traffic on the network is low, so that other activity on the router is not adversely affected.



Enable debug output for ISAKMP events

• Cisco IOS software can generate many useful system error messages for ISAKMP. Two examples of error messages are shown below:
– %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated!
The ISAKMP security association with the remote peer was not authenticated, yet the peer attempted to begin a Quick Mode exchange. This exchange must only be done with an authenticated security association. The recommended action is to contact the administrator of the remote peer to resolve the improper configuration.
– %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed
ISAKMP peers negotiate policy by the initiator offering a list of possible alternate protection suites. The responder responded with an ISAKMP policy that the initiator did not offer. The recommended action is to contact the administrator of the remote peer to resolve the improper configuration.
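Detection logic for the two messages above, run over constructed syslog lines, as an added example (hypothetical Python, not Cisco code). It assumes the %15i placeholder is filled with the peer's IP address and that each line carries a timestamp before the mnemonic; the sample log is constructed.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Optional, Tuple

# Patterns follow the two message formats quoted above; %15i is the peer IP.
_PATTERNS = {
    "IKMP_SA_NOT_AUTH": re.compile(
        r"%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange "
        r"from (\S+) if SA is not authenticated!"),
    "IKMP_SA_NOT_OFFERED": re.compile(
        r"%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer (\S+) responded with "
        r"attribute (.+?) not offered or changed"),
}

# Both messages point at a misconfigured remote side (recommended action above).
ACTION = "contact the administrator of the remote peer"


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (mnemonic, peer, detail) for a matching line, else None."""
    for name, pattern in _PATTERNS.items():
        m = pattern.search(line)
        if m:
            detail = m.group(2) if m.lastindex and m.lastindex >= 2 else ""
            return name, m.group(1), detail
    return None


def summarise(log: str) -> Dict[str, Counter]:
    """Count ISAKMP error mnemonics per remote peer across a log."""
    per_peer: Dict[str, Counter] = defaultdict(Counter)
    for line in log.splitlines():
        hit = classify(line)
        if hit:
            name, peer, _ = hit
            per_peer[peer][name] += 1
    return dict(per_peer)


# Constructed syslog excerpt; 192.0.2.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
Mar  1 00:12:05.123: %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from 192.0.2.10 if SA is not authenticated!
Mar  1 00:12:07.410: %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer 192.0.2.10 responded with attribute 1 not offered or changed
Mar  1 00:12:09.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar  1 00:12:11.777: %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from 198.51.100.7 if SA is not authenticated!
"""

if __name__ == "__main__":
    for peer, counts in summarise(SAMPLE_LOG).items():
        print(f"{peer}: {dict(counts)} -> {ACTION}")
```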



Configure a VPN using SDM

• SDM can guide administrators through a simple VPN configuration. The VPN Wizard is accessible by clicking the VPN icon. The following two options are available in the Wizard:
– Create a Site-to-Site VPN – This option allows administrators to create a VPN network connecting two routers.
– Create a Secure GRE Tunnel (GRE-over-IPSec) – This option allows administrators to configure a generic routing encapsulation protocol (GRE) tunnel between the router and a peer system.
• When using the site-to-site VPN Wizard, SDM can be allowed to use default settings for most of the configuration values, or SDM can be used to guide the administrator in configuring a VPN.





Configure a PIX Security Appliance Site-to-Site VPN using Pre-shared Keys



IPSec configuration tasks

• Task 1 – Prepare to configure VPN support. This task consists of several steps that determine IPSec policies, ensure that the network works, and ensure that the PIX Security Appliance can support IPSec.
• Task 2 – Configure IKE parameters. This task consists of several configuration steps that ensure that IKE can set up secure channels to desired IPSec peers during IKE Phase 1.
• Task 3 – Configure IPSec parameters. This task consists of several configuration steps that specify IPSec SA parameters between peers, and set global IPSec values. IKE negotiates SA parameters and sets up IPSec SAs during IKE Phase 2.
• Task 4 – Test and verify VPN configuration. After IPSec is configured, it is necessary to verify that it has been configured correctly and ensure that it works.



Task 1 – Prepare to configure VPN support

• Step 1 Determine the IKE (IKE Phase 1) policy. Determine the IKE policies between peers based on the number and location of IPSec peers.
• Step 2 Determine the IPSec (IKE Phase 2) policy. Identify IPSec peer details such as IP addresses and IPSec modes. Determine the IPSec policies applied to the encrypted data passing between peers.
• Step 3 Ensure that the network works without encryption. Ensure that basic connectivity has been achieved between IPSec peers using the desired IP services before configuring firewall appliance IPSec.
• Step 4 Implicitly permit IPSec packets to bypass PIX Security Appliance ACLs and access groups. This can be done with the sysopt connection permit-ipsec command.



Task 2 – Configure IKE parameters



Task 3 – Configure IPSec parameters



Task 4 – Test and verify the IPSec configuration



Summary

• This module covered the configuration of site-to-site VPNs using Cisco IOS routers and PIX Security Appliances. Upon completion of this module, the student should be able to identify and configure the protocols used to ensure authenticity, data integrity, and confidentiality with a Site-to-Site VPN using pre-shared keys.
• The student learned that successful implementation of an IPSec network requires advance planning before beginning configuration of individual devices. The steps that one must follow when configuring an IPSec network were introduced, and the student gained hands-on experience with these tasks through the lab activities.
