Enterprise Networking

c. View the various IKE parameters available using Cisco IOS help by typing a question mark ( ?).

R1(config-isakmp)# ?

ISAKMP commands:

authentication Set authentication method for protection suite

default Set a command to its defaults

encryption Set encryption algorithm for protection suite

exit Exit from ISAKMP protection suite configuration mode

group Set the Diffie-Hellman group

hash Set hash algorithm for protection suite

lifetime Set lifetime for ISAKMP security association

no Negate a command or set its defaults

As shown in the table below, several parameters can be configured in ISAKMP policy configuration mode.

Note: The last column lists the minimum recommended options.

d. Entering the ISAKMP policy configuration mode automatically assigns default parameters to the policy. To view these defaults, use the do show crypto isakmp policy command.

R1(config-isakmp)# do show crypto isakmp policy

Global IKE policy

Protection suite of priority 10

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

The output highlights the default parameters automatically assigned to the new policy. For security reason, most of these should be updated to the recommended minimum listed in the table.

Your choice of an encryption algorithm determines how confidential the control channel between the endpoints is. The hash algorithm controls data integrity, ensuring that the data received from a peer has not been tampered with in transit. The authentication type ensures that the packet was sent and signed by the remote peer. The Diffie-Hellman group is used to create a secret key shared by the peers that has not been sent across the network.

· Encryption: aes 256

· Hash: sha256

· Authentication method: pre-share key

· Diffie-Hellman group: 14

· Lifetime: 3600 seconds (60 minutes / 1 hour)

Note: Older versions of Cisco IOS do not support AES 256 encryption and SHA as a hash algorithm. Substitute whatever encryption and hashing algorithm your router supports. Ensure that the same changes are made on R3 in order to be in sync.

R1(config-isakmp)# encryption aes 256

R1(config-isakmp)# hash sha256

R1(config-isakmp)# authentication pre-share

R1(config-isakmp)# group 14

R1(config-isakmp)# lifetime 3600

R1(config-isakmp)# exit

close configuration window

f. Configure the same policy on R3.

Open configuration window

R3(config)# crypto isakmp policy 10

R3(config-isakmp)# encryption aes 256

R3(config-isakmp)# hash sha256

R3(config-isakmp)# authentication pre-share

R3(config-isakmp)# group 14

R3(config-isakmp)# lifetime 3600

close configuration window

g. Verify the IKE policy with the show crypto isakmp policy command on R1 and R3.

Open configuration window

R1(config)# do show crypto isakmp policy

Global IKE policy

Protection suite of priority 10

encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).

hash algorithm: Secure Hash Standard 2 (256 bit)

authentication method: Pre-Shared Key

Diffie-Hellman group: #14 (2048 bit)

lifetime: 3600 seconds, no volume limit

close configuration window

R3(config)# do show crypto isakmp policy

close configuration window

Global IKE policy

Protection suite of priority 10

encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).

hash algorithm: Secure Hash Standard 2 (256 bit)

authentication method: Pre-Shared Key

Diffie-Hellman group: #14 (2048 bit)

lifetime: 3600 seconds, no volume limit

The policies must match. Troubleshoot and verify that the configurations were done correctly on both routers.

close configuration window

Step 2: On R1 and R3, configure the pre-shared keys.

Because pre-shared keys are used as the authentication method in the IKE policy, a key must be configured on each router that points to the other VPN endpoint. These keys must match for authentication to be successful.

Use the crypto isakmp key key-string address ip-address global configuration mode command to enter a pre-shared key. Use the global IP address of the remote peer, which is the outside interface of the remote peer router.

Note: The ip-address parameter can be assigned 0.0.0.0 0.0.0.0 to allow a match against any peer.

Question:

Which IP addresses should you use to configure the IKE peers, given the topology diagram and IP addressing table?

Type your answer here.

Open configuration window

Note: Production networks should use longer and more complex keys.

R1(config)# crypto isakmp key cisco123 address 64.100.1.2

close configuration window

b. Configure the pre-shared key cisco123 on router R3. The command for R3 points to the R1 G0/0/0 IP address.

Open configuration window

R3(config)# crypto isakmp key cisco123 address 64.100.0.2

close configuration window

Step 3: On R1 and R3, configure the IPsec transform set and lifetime.

The IPsec transform set is another crypto configuration parameter that routers negotiate to form a security association. To create an IPsec transform set, use the crypto ipsec transform-set transform-set-name transform1 [ transform2 [ transform3]] command.

a. On R1 and R3, create a transform set with the name S2S-VPN and use ? to see which parameters are available.

Open configuration window

R1(config)# crypto ipsec transform-set S2S-VPN ?

ah-md5-hmac AH-HMAC-MD5 transform

ah-sha-hmac AH-HMAC-SHA transform

ah-sha256-hmac AH-HMAC-SHA256 transform

ah-sha384-hmac AH-HMAC-SHA384 transform

ah-sha512-hmac AH-HMAC-SHA512 transform

esp-192-aes ESP transform using AES cipher (192 bits)

esp-256-aes ESP transform using AES cipher (256 bits)

esp-3des ESP transform using 3DES(EDE) cipher (168 bits)

esp-aes ESP transform using AES cipher

esp-des ESP transform using DES cipher (56 bits)

esp-gcm ESP transform using GCM cipher

esp-gmac ESP transform using GMAC cipher

esp-md5-hmac ESP transform using HMAC-MD5 auth

esp-null ESP transform w/o cipher

esp-seal ESP transform using SEAL cipher (160 bits)

esp-sha-hmac ESP transform using HMAC-SHA auth

esp-sha256-hmac ESP transform using HMAC-SHA256 auth

esp-sha384-hmac ESP transform using HMAC-SHA384 auth

esp-sha512-hmac ESP transform using HMAC-SHA512 auth

R1(config)# crypto ipsec transform-set S2S-VPN

b. On R1 and R3, use the AES 256 cipher with ESP and the SHA 256 hash function.

R1(config)# crypto ipsec transform-set S2S-VPN esp-aes 256 esp-sha256-hmac

R1(cfg-crypto-trans)# exit

close configuration window

Open configuration window

R3(config)# crypto ipsec transform-set S2S-VPN esp-aes 256 esp-sha256-hmac

R3(cfg-crypto-trans)# exit

close configuration window

Question:

What is the function of the IPsec transform set?

Type your answers here.

c. You can also change the IPsec security association lifetime from the default of 3600 seconds. On R1 and R3, set the IPsec security association lifetime to 30 minutes, or 1800 seconds.

Open configuration window

R1(config)# crypto ipsec security-association lifetime seconds 1800

close configuration window

Open configuration window

R3(config)# crypto ipsec security-association lifetime seconds 1800

close configuration window

Step 4: On R1 and R3, define interesting traffic.

It is necessary to define interesting traffic that will tell the router to enable an IPsec VPN with the other VPN peer. Do this by using an extended access list to tell the router which traffic to encrypt. A packet that is permitted by an access list used for defining IPsec traffic is encrypted if the IPsec session is configured correctly. A packet that is denied by one of these access lists is not dropped but is instead forwarded to its destination unencrypted. Also, like any other access list, there is an implicit deny at the end, which means the default action is to not encrypt traffic. If there is no IPsec security association correctly configured, no traffic is encrypted and traffic is forwarded unencrypted.

In this scenario, from the perspective of R1, the traffic you want to encrypt is traffic going from the R1 LANs to the R3 Ethernet LANs or vice versa from the perspective of R3. These access lists are used outbound on the VPN endpoint interfaces and must mirror each other.

1) On R1, identify interesting IPsec VPN traffic using a named extended ACL called S2S-VPN-ACL.

Open configuration window

R1(config)# ip access-list extended S2S-VPN-ACL

R1(config-ext-nacl)# remark ACL identifies interesting traffic going to R3

R1(config-ext-nacl)# permit ip 10.10.0.0 0.0.3.255 10.10.4.0 0.0.3.255

R1(config-ext-nacl)# permit ip 10.10.0.0 0.0.3.255 10.10.16.0 0.0.7.255

R1(config-ext-nacl)# exit

The ACL identifies traffic from the R1 networks going to the R3 networks as interesting.

close configuration window

Open configuration window

2) Configure the IPsec VPN interesting traffic named extended ACL on R1.

R3(config)# ip access extended S2S-VPN-ACL

R3(config-ext-nacl)# remark ACL identifies interesting traffic going to R1

R3(config-ext-nacl)# permit ip 10.10.4.0 0.0.3.255 10.10.0.0 0.0.3.255

R3(config-ext-nacl)# permit ip 10.10.16.0 0.0.7.255 10.10.0.0 0.0.3.255

R3(config-ext-nacl)# exit

The ACL identifies traffic from the R3 networks going to the R1 networks as interesting.

close configuration window

Question:

Does IPsec evaluate whether the access lists are mirrored as a requirement to negotiate its security association?

Type your answers here

Step 5: On R1 and R3, create and apply a crypto map.

A crypto map associates traffic that matches an access list to a peer and various IKE and IPsec settings. After the crypto map is created, it can be applied to one or more interfaces. The interfaces that it is applied to should be the ones facing the IPsec peer.

To create a crypto map, use crypto map name sequence-number type command in global configuration mode to enter crypto map configuration mode for that sequence number. Multiple crypto map statements can belong to the same crypto map and are evaluated in ascending numerical order.

a. Create the crypto map on R1, name it S2S-CMAP, use 10 as the sequence number, and set the type as ipsec-isakmp, which means IKE is used to establish IPsec security associations.

Open configuration window

R1(config)# crypto map S2S-CMAP 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

Notice that a message is displayed after the command is issued.

b. Use the match address ACL command to specify which access list defines which traffic to encrypt.

R1(config-crypto-map)# match address S2S-VPN-ACL

c. To view the list of possible set commands that you can do with a crypto map, use the help function.

R1(config-crypto-map)# set ?

identity Identity restriction.

ikev2-profile Specify ikev2 Profile

ip Interface Internet Protocol config commands

isakmp-profile Specify isakmp Profile

nat Set NAT translation

peer Allowed Encryption/Decryption peer.

pfs Specify pfs settings

reverse-route Reverse Route Injection.

security-association Security association parameters

transform-set Specify list of transform sets in priority order

d. Setting a peer IP or hostname is required. Set it to R3’s remote VPN endpoint interface using the following command:

R1(config-crypto-map)# set peer 64.100.1.2

e. Use the set transform-set name command to hard code the transform set to be used with this peer. Set the perfect forwarding secrecy type using the set pfs type command, and modify the default IPsec security association lifetime with the set security-association lifetime seconds seconds command.

R1(config-crypto-map)# set pfs group14

R1(config-crypto-map)# set transform S2S-VPN

R1(config-crypto-map)# set security-association lifetime seconds 900

R1(config-crypto-map)# exit

close configuration window

f. Create a mirrored matching crypto map on R3.

Open configuration window

R3(config)# crypto map S2S-CMAP 10 ipsec-isakmp

% NOTE: This new crypto map will remain disabled until a peer

and a valid access list have been configured.

R3(config-crypto-map)# match address S2S-VPN-ACL

R3(config-crypto-map)# set peer 64.100.0.2

R3(config-crypto-map)# set pfs group14

R3(config-crypto-map)# set transform S2S-VPN

R3(config-crypto-map)# set security-association lifetime seconds 900

R3(config-crypto-map)# exit

close configuration window

g. Apply the crypto map to interfaces.

Note: The SAs are not established until the crypto map has been activated by interesting traffic. The router generates a notification that crypto is now on.

Apply the crypto maps to the appropriate interfaces on R1 and R3.

Open configuration window

R1(config)# interface g0/0/0

R1(config-if)# crypto map S2S-CMAP

R1(config-if)# end

*Jan 29 15:45:20.117: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

close configuration window

Open configuration window

R3(config)# interface g0/0/0

R3(config-if)# crypto map S2S-CMAP

R3(config-if)# end

*Jan 29 15:43:29.524: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

close configuration window

Part 3: Verify a Site-to-Site VPN Between R1 and R3

After a VPN is configured, it must be tested to see if it performs as expected.

Step 1: Verify the Site-to-Site IPsec VPN Configuration.

Previously, you used the show crypto isakmp policy command to display the configured ISAKMP policies on the router.

a. Use the show crypto ipsec transform-set [ transform-set-name] command to display the configured IPsec policies in the form of the transform sets.

Open configuration window

R1# show crypto ipsec transform-set S2S-VPN

{ esp-256-aes esp-sha256-hmac }

will negotiate = { Tunnel, },

The S2S-VPN transform set settings are highlighted in the output.

b. On R1 and R3, use the show crypto map command to display the crypto maps applied to the router.

R1# show crypto map

Crypto Map IPv4 "S2S-CMAP" 10 ipsec-isakmp

Peer = 64.100.1.2

Extended IP access list S2S-VPN-ACL

access-list S2S-VPN-ACL permit ip 10.10.0.0 0.0.3.255 10.10.4.0 0.0.3.255

access-list S2S-VPN-ACL permit ip 10.10.0.0 0.0.3.255 10.10.16.0 0.0.7.255

Current peer: 64.100.1.2

Security association lifetime: 4608000 kilobytes/900 seconds

Responder-Only (Y/N): N

PFS (Y/N): Y

DH group: group14

Mixed-mode : Disabled

Transform sets={

S2S-VPN: { esp-256-aes esp-sha256-hmac } ,

}

Interfaces using crypto map S2S-CMAP:

GigabitEthernet0/0/0

close configuration window

Open configuration window

R3# show crypto map

Crypto Map IPv4 "S2S-CMAP" 10 ipsec-isakmp

Peer = 64.100.0.2

Extended IP access list S2S-VPN-ACL

access-list S2S-VPN-ACL permit ip 10.10.4.0 0.0.3.255 10.10.0.0 0.0.3.255

access-list S2S-VPN-ACL permit ip 10.10.16.0 0.0.7.255 10.10.0.0 0.0.3.255

Current peer: 64.100.0.2

Security association lifetime: 4608000 kilobytes/900 seconds

Responder-Only (Y/N): N

PFS (Y/N): Y

DH group: group14

Mixed-mode : Disabled

Transform sets={

S2S-VPN: { esp-256-aes esp-sha256-hmac } ,

}

Interfaces using crypto map S2S-CMAP:

GigabitEthernet0/0/0

Note: The output of these show commands does not change when the VPN tunnel is enabled.

close configuration window

Step 2: Display ISAKMP and IPsec security associations.

a. The show crypto isakmp as command reveals that no IKE SAs exist yet. When interesting traffic is sent, this command output will change.

Open configuration window

R1# show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

IPv6 Crypto ISAKMP SA

b. The show crypto ipsec sa command displays packet statistics information for each of the ACE statements in the VPN ACL. The first portion of the output displays the packet statistics for traffic from the R1 10.10.0.0/22 networks to the R3 10.10.4.0/22 networks. The bottom portion displays the statistics for traffic from the R1 10.10.0.0/22 networks to the R3 10.10.16.0/21 networks.

R1# show crypto ipsec sa

interface: GigabitEthernet0/0/0

Crypto map tag: S2S-CMAP, local addr 64.100.0.2

protected vrf: (none)

local ident (addr/mask/prot/port): (10.10.0.0/255.255.252.0/0/0)

remote ident (addr/mask/prot/port): (10.10.4.0/255.255.252.0/0/0)

current_peer 64.100.1.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 64.100.0.2, remote crypto endpt.: 64.100.1.2

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

current outbound spi: 0x0(0)

PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)

local ident (addr/mask/prot/port): (10.10.0.0/255.255.252.0/0/0)

remote ident (addr/mask/prot/port): (10.10.16.0/255.255.248.0/0/0)

current_peer 64.100.1.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 64.100.0.2, remote crypto endpt.: 64.100.1.2

<Output omitted>

close configuration window

Note: The output lists the current status for each ACE in the S2S-VPN-ACL.

Question:

Why haven’t any SAs been negotiated?

Type your answers here.

c. Next, we will generate some “uninteresting” test traffic and observe the results. From R1, ping the R3 G0/0/0 interface IP address (i.e., 64.100.1.2) and then ping the R3 G0/0/1 interface IP address (i.e., 10.10.4.1). These pings should be successful.

d. Issue the show crypto isakmp sa command again.

Question:

Was an SA created for these pings? Explain.

Type your answers here.

Step 3: Generate some interesting test traffic and observe the results.

A VPN is initiated when interesting traffic is generated. Typically, inside users connecting to the remote network can initiate a VPN connection.

a. From PC1, ping PC3 to generate interesting traffic.

PC1> ping 10.10.5.10

Pinging 10.10.5.10 with 32 bytes of data:

Request timed out.

Reply from 10.10.5.10: bytes=32 time=1ms TTL=64

Reply from 10.10.5.10: bytes=32 time=1ms TTL=64

Reply from 10.10.5.10: bytes=32 time=1ms TTL=64

Ping statistics for 10.10.5.10:

Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 1ms, Average = 1ms

Notice how the first ping reply timed out. The reason is because, the first echo request triggered the S2S-VPN-ACL which made R1 negotiate and establish the IPsec VPN tunnel with R3.

b. An alternate method to initiate interesting traffic would be to use an extended ping on R1. An extended ping allows you to control the source address of the packets.

R1# ping 10.10.16.1 source g0/0/1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.16.1, timeout is 2 seconds:

Packet sent with a source address of 10.10.0.1

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 2/3/4 ms

Like the previous ping, the first echo reply timed out. The reason was to establish an SA for the 10.10.16.0/23 networks.

c. Re-issue the show crypto isakmp sa command.

Open configuration window

R1# show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

64.100.1.2 64.100.0.2 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

The SA displays that the tunnel is active.

Question:

Why was an SA created between R1 and R3 this time?

Type your answers here.

3) Verify the IPsec traffic statistics using the show crypto ipsec sa command.

Question:

How many packets have been transformed between R1 and R3?

Type your answers here.

close configuration window

d. The previous example used pings to generate interesting traffic.

Questions:

What other types of traffic would result in an SA forming and tunnel establishment?

Type your answers here.

Are routing protocols able to traverse an IPsec site-to-site VPN?