Site to Site IPSec VPN Tunnel :
Site-to-Site IPSec VPN Tunnels are used
to allow the secure transmission of data, voice and video between two
sites (e.g. offices or branches). The VPN tunnel is created over the
public Internet and encrypted using standard encryption and
integrity algorithms to provide confidentiality and integrity of the data
transmitted between the two sites.
This article will show how to setup and
configure two Cisco routers to create a permanent secure site-to-site
VPN tunnel over the Internet, using the IPSec protocol.
ISAKMP (Internet Security Association
and Key Management Protocol) and IPSec are essential to building and
encrypting the VPN tunnel. ISAKMP, which Cisco IOS uses interchangeably
with IKE (Internet Key Exchange), is the negotiation protocol that allows
two peers to authenticate each other and agree on how to build an IPsec
security association. ISAKMP negotiation consists of two phases :
1. Phase 1 : creates the first tunnel (the ISAKMP SA), which authenticates the peers and protects later ISAKMP negotiation messages.
2. Phase 2 : creates the tunnel that protects data (the IPsec SAs). IPSec then carries the user traffic, with ESP providing confidentiality (encryption), integrity/authentication and anti-replay services.
IPSec VPN Requirements :
To help make this an easy-to-follow
exercise, we have split it into two steps that are required to get the
Site-to-Site IPSec VPN Tunnel to work.
These steps are :
(1) Configure ISAKMP (ISAKMP Phase 1)
(2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)
Our example setup is between two
branches of a small company, these are Site 1 and Site 2. Both the
branch routers connect to the Internet and have a static IP Address
assigned by their ISP as shown on the diagram :
Site 1 is configured with an internal network of 10.10.10.0/24, while Site 2 is configured with network 20.20.20.0/24. The goal is to securely connect both LAN networks and allow full communication between them, without any restrictions.
Configure ISAKMP (IKE) – (ISAKMP Phase 1) :
To begin, we’ll start working on the Site 1 router (R1).
First step is to configure an ISAKMP Phase 1 policy :
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
The above commands define the following (in listed order) :
3DES - The encryption method to be used for Phase 1.
MD5 - The hashing algorithm used for Phase 1 integrity.
Pre-share - Use a pre-shared key as the authentication method.
Group 2 - Diffie-Hellman group to be used for the Phase 1 key exchange.
86400 - ISAKMP SA lifetime, expressed in seconds (this is the default). Kilobyte-based lifetimes (re-key after x amount of traffic) apply only to the Phase 2 IPsec SAs, not to the ISAKMP policy.
Note : 3DES, MD5 and Diffie-Hellman group 2 are the values the original article used and are now considered weak; on any IOS release that supports them, prefer AES (encr aes 256), SHA-2 (hash sha256) and DH group 14 or higher. The remaining steps are identical whichever algorithms are chosen.
Next we are going to define a pre-shared key for authentication with our peer (the R2 router) by using the following command :
R1(config)# crypto isakmp key firewallcx address 1.1.1.2
The pre-shared key is set to firewallcx and the peer's
public IP Address is 1.1.1.2. Every time R1 tries to establish a
VPN tunnel with R2 (1.1.1.2), this pre-shared key will be used, so the same
key must be configured on R2 for peer 1.1.1.1. The key firewallcx is only a placeholder for the example; in production use a long, random key, since a guessable pre-shared key is the weakest point of a pre-share authenticated tunnel.
Configure IPSec :
To configure IPSec we need to setup the following in order :
- Create extended ACL
- Create IPSec Transform
- Create Crypto Map
- Apply crypto map to the public interface
Creating Extended ACL :
Next step is to create an access-list and define the traffic we would
like the router to pass through the VPN tunnel. In this example, it
would be traffic from one network to the other, 10.10.10.0/24 to
20.20.20.0/24. Access-lists that define VPN traffic are sometimes
called crypto access-lists or interesting traffic access-lists.
R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Create IPSec Transform (ISAKMP Phase 2 policy) :
Next step is to create the transform set used to protect our data. We've named this TS :
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
The above command defines the following :
- ESP-3DES - Encryption method (ESP with 3DES).
- ESP-MD5-HMAC - Integrity/authentication algorithm (HMAC-MD5 inside ESP).
As with the Phase 1 policy, 3DES and MD5 are the article's original choices; esp-aes 256 with esp-sha256-hmac is the preferred equivalent on IOS releases that support it.
Create Crypto Map :
The Crypto map is the last step of our setup and connects the previously defined ISAKMP and IPSec configuration together.
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC
Apply Crypto Map to the Public Interface :
The final step is to apply the crypto map to the outgoing interface of the
router. Here, the outgoing interface is FastEthernet 0/1.
R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map CMAP
Note : You can assign only one crypto map to an interface.
We now move to the Site 2 router to complete the VPN configuration. The
settings for Router 2 are identical, with the only difference being the
peer IP Addresses and access lists :
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config)# crypto isakmp key firewallcx address 1.1.1.1
R2(config)# ip access-list extended VPN-TRAFFIC
R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(config)# crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set TS
R2(config-crypto-map)# match address VPN-TRAFFIC
R2(config)# interface FastEthernet0/1
R2(config-if)# crypto map CMAP
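The two configurations above are mirror images of each other, and most site-to-site tunnels that fail to come up do so because one side was edited by hand and no longer mirrors the other (peer address, pre-shared key, transform set or crypto ACL). The following script is an added example, not code from the original article: it renders both routers' configuration from a single description of each site, then cross-checks the pair the way a reviewer would before pasting it into the routers. The Site and Policy classes, the check logic and the HARDENED policy (AES-256, SHA-256, DH group 14) are assumptions of this example; the IOS commands emitted are the ones shown in the article.

```python
"""Render the article's two-router site-to-site IPsec configuration and
sanity-check the pair before it is pasted into the routers.

Added example, not code from the original article. The Site/Policy classes,
the check_pair() rules and the HARDENED policy are assumptions of this
example; the IOS commands emitted are the ones the article shows."""
from dataclasses import dataclass

# Phase 1 / Phase 2 settings used by the article that are deprecated today.
DEPRECATED_POLICY = {("encr", "3des"), ("hash", "md5"), ("group", "2")}
DEPRECATED_TRANSFORM = {"esp-des", "esp-3des", "esp-md5-hmac"}


@dataclass(frozen=True)
class Site:
    name: str        # router hostname
    public_ip: str   # static address assigned by the ISP
    lan: str         # LAN network address
    wildcard: str    # IOS wildcard mask of the LAN
    wan_if: str      # interface that faces the Internet


@dataclass(frozen=True)
class Policy:
    encr: str = "3des"                        # article's Phase 1 cipher
    hash: str = "md5"                         # article's Phase 1 hash
    group: int = 2                            # article's DH group
    lifetime: int = 86400                     # Phase 1 lifetime, seconds only
    transform: str = "esp-3des esp-md5-hmac"  # article's Phase 2 transform set


ARTICLE = Policy()
# Same structure with modern algorithms (assumed minimum for new deployments).
HARDENED = Policy(encr="aes 256", hash="sha256", group=14,
                  transform="esp-aes 256 esp-sha256-hmac")

# Constructed sample sites matching the article's diagram.
SITE1 = Site("R1", "1.1.1.1", "10.10.10.0", "0.0.0.255", "FastEthernet0/1")
SITE2 = Site("R2", "1.1.1.2", "20.20.20.0", "0.0.0.255", "FastEthernet0/1")


def render(local, peer, policy, psk):
    """Emit the article's commands for `local`, peering with `peer`."""
    return "\n".join([
        "crypto isakmp policy 1",
        f" encr {policy.encr}",
        f" hash {policy.hash}",
        " authentication pre-share",
        f" group {policy.group}",
        f" lifetime {policy.lifetime}",
        f"crypto isakmp key {psk} address {peer.public_ip}",
        "ip access-list extended VPN-TRAFFIC",
        f" permit ip {local.lan} {local.wildcard} {peer.lan} {peer.wildcard}",
        f"crypto ipsec transform-set TS {policy.transform}",
        "crypto map CMAP 10 ipsec-isakmp",
        f" set peer {peer.public_ip}",
        " set transform-set TS",
        " match address VPN-TRAFFIC",
        f"interface {local.wan_if}",
        " crypto map CMAP",
    ])


def parse(cfg):
    """Pull the tunnel-relevant fields back out of a rendered configuration."""
    f = {"acl": [], "policy": []}
    for line in cfg.splitlines():
        t = line.split()
        if line.startswith(" permit ip"):
            f["acl"].append(tuple(t[2:6]))           # src, wc, dst, wc
        elif line.startswith(" set peer"):
            f["peer"] = t[2]
        elif line.startswith("crypto isakmp key"):
            f["psk"], f["key_peer"] = t[3], t[5]
        elif line.startswith("crypto ipsec transform-set"):
            f["transform"] = tuple(t[3:])
        elif t and t[0] in ("encr", "hash", "group", "lifetime"):
            f["policy"].append((t[0], " ".join(t[1:])))
    return f


def check_pair(a, cfg_a, b, cfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    pa, pb = parse(cfg_a), parse(cfg_b)
    out = []
    for site, p, other in ((a, pa, b), (b, pb, a)):
        if p["peer"] != other.public_ip or p["key_peer"] != other.public_ip:
            out.append(f"{site.name}: peer address does not point at {other.name}")
        for item in p["policy"]:
            if item in DEPRECATED_POLICY:
                out.append(f"{site.name}: deprecated Phase 1 setting {item[0]} {item[1]}")
        for tok in p["transform"]:
            if tok in DEPRECATED_TRANSFORM:
                out.append(f"{site.name}: deprecated Phase 2 transform {tok}")
    if pa["psk"] != pb["psk"]:
        out.append("pre-shared keys differ")
    if pa["transform"] != pb["transform"]:
        out.append("transform sets differ")
    if pa["policy"] != pb["policy"]:
        out.append("ISAKMP policies differ")
    # R1's crypto ACL must be R2's with source and destination swapped.
    mirrored = {(d, dw, s, sw) for s, sw, d, dw in pb["acl"]}
    if set(pa["acl"]) != mirrored:
        out.append("crypto ACLs are not mirror images")
    return out


if __name__ == "__main__":
    for pol in (ARTICLE, HARDENED):
        c1 = render(SITE1, SITE2, pol, "firewallcx")
        c2 = render(SITE2, SITE1, pol, "firewallcx")
        print(c1, c2, check_pair(SITE1, c1, SITE2, c2), sep="\n\n")
```

With the article's policy the checker reports only the deprecated-algorithm findings; with HARDENED it reports nothing. Once the configuration is applied, the tunnel is only negotiated when interesting traffic (a packet matching VPN-TRAFFIC) reaches the router, so ping from one LAN to the other and then confirm with show crypto isakmp sa (Phase 1, state QM_IDLE) and show crypto ipsec sa (Phase 2 encaps/decaps counters increasing). If either router also performs NAT on the public interface, the LAN-to-LAN traffic must be excluded from NAT, otherwise it is translated before the crypto map sees it and never matches the ACL.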