IPSec VPN Requirements
The VPN configuration has been split into two steps to help make this an easy-to-follow
exercise.
These steps are:
(1) Configure ISAKMP (ISAKMP Phase 1)
(2) Configure IPSec (ISAKMP Phase 2, ACLs, Crypto MAP)
Configure ISAKMP (IKE) - (ISAKMP Phase 1)
IKE exists to establish Security Associations (SAs) for IPsec. Before it can negotiate those IPsec SAs, IKE must first establish its own SA (the ISAKMP SA) with the peer. Building that ISAKMP SA is Phase 1: it authenticates the two peers and protects the Phase 2 exchange that produces the IPsec SAs.
Step 1 : Configure an ISAKMP Phase 1 policy:
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
3DES - The encryption algorithm used to protect the Phase 1 exchange.
MD5 - The hash algorithm used for integrity and authentication of the Phase 1 exchange.
Pre-share - Use a pre-shared key as the authentication method.
Group 2 - The Diffie-Hellman group (1024-bit MODP) used to derive the session keys.
86400 - Lifetime of the ISAKMP SA in seconds (24 hours); when it expires the peers renegotiate Phase 1. It is not a kilobyte limit.
These are the values the exercise uses, and every attribute except the lifetime must be configured identically on both peers. 3DES, MD5 and DH group 2 are all deprecated for new deployments; on a current IOS image prefer AES (encr aes 256), SHA-2 (hash sha256) and DH group 14 or higher, changing both peers together.
Note that ISAKMP Phase 1 policies are defined globally, not per peer, and the policy number is its priority (a lower number is preferred). If we have five remote sites and configure five different Phase 1 policies (one per remote router), then whenever our router initiates a tunnel it offers all five policies to the peer; the responder compares them against its own policies in priority order and accepts the first exact match on encryption, hash, authentication method and DH group. The lifetime does not have to match: the shorter of the two is used.
Step 2: Pre-shared key for authentication with peer R2 router
R1(config)# crypto isakmp key CCIE address 1.1.1.2
The pre-shared key for the peer is set to CCIE and the peer's public IP address is 1.1.1.2. Every time R1 tries to establish a VPN tunnel with R2 (1.1.1.2), this pre-shared key is used, so the same key must be configured on R2 for peer 1.1.1.1. CCIE is a placeholder for the exercise: in production use a long, random key that is unique to each peer, because the key is stored in the running configuration and anyone who can read it can impersonate the peer.
Configure IPSec
To configure IPSec we need to set up the following, in order:
- Create an extended ACL
- Create an IPSec transform set
- Create a crypto map
- Apply the crypto map to the public interface
Let us examine each of the above steps.
Creating Extended ACL
The next step is to create an access list that defines the traffic we want the router to pass through the VPN tunnel. In this example it is the traffic from one LAN to the other, 10.10.10.0/24 to 20.20.20.0/24. Access lists that define VPN traffic are sometimes called crypto access lists or interesting-traffic access lists. The crypto access list on the remote router must be the mirror image of this one (source and destination swapped); otherwise Phase 2 fails because the proxy identities (traffic selectors) the two sides propose do not agree.
R1(config)# ip access-list extended R1-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Create IPSec Transform (ISAKMP Phase 2 policy)
The next step is to create the transform set used to protect our data. We've named this TS:
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
The above command defines the following:
- ESP-3DES - ESP with 3DES as the encryption algorithm
- ESP-MD5-HMAC - ESP with HMAC-MD5 as the integrity algorithm
The transform set must be identical on both peers. ESP defaults to tunnel mode, which is what a site-to-site VPN needs. As with Phase 1, 3DES and MD5 are deprecated; esp-aes 256 with esp-sha256-hmac is the current choice.
Create Crypto Map
The crypto map ties the previously defined ISAKMP and IPSec configuration together: which peer to negotiate with, which transform set to use and which traffic (the crypto ACL) to protect:
R1(config)# crypto map Traffic 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address R1-TRAFFIC
We've named our crypto map Traffic, and 10 is the sequence number of this entry. The ipsec-isakmp tag tells the router that the IPsec SAs for this entry are negotiated by IKE rather than keyed manually. Although only one peer is declared in this entry (1.1.1.2), it is possible to declare multiple peers, and one crypto map can hold several entries with different sequence numbers, one per remote site.
Apply Crypto Map to the Public Interface
The final step is to apply the crypto map to the outgoing interface of the router. Here, the outgoing interface is FastEthernet 0/1:
R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map Traffic
Note that you can assign only one crypto map to an interface; additional sites are added as further entries of the same map.
As soon as we apply the crypto map to the interface, the router confirms that ISAKMP has been enabled with the message "ISAKMP is ON".
At this point, we have completed the IPSec VPN configuration on the Site 1 router.
We now move to the Site 2 router to complete the VPN configuration. The settings for Router 2 are identical, the only differences being the peer IP address, the access list (the mirror image of R1's) and, purely cosmetically, the name of the transform set:
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config)# crypto isakmp key CCIE address 1.1.1.1
R2(config)# ip access-list extended R2-TRAFFIC
R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R2(config)# crypto ipsec transform-set Tunnel esp-3des esp-md5-hmac
R2(config)# crypto map Traffic 10 ipsec-isakmp
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set Tunnel
R2(config-crypto-map)# match address R2-TRAFFIC
R2(config)# interface FastEthernet0/1
R2(config-if)# crypto map Traffic
Network Address Translation (NAT) and IPSec VPN Tunnels
NAT is almost certainly configured to give internal hosts Internet access. When configuring a site-to-site VPN tunnel it is imperative to instruct the router not to perform NAT on packets destined for the remote VPN network(s). On the outbound path IOS translates the packet before the crypto map is checked, so without this exception a packet from 10.10.10.0/24 to 20.20.20.0/24 would leave with the public address as its source, never match the crypto ACL and go out in the clear. This is done by inserting a deny statement at the beginning of the NAT access list; in a NAT access list, deny means "do not translate", not "drop". The deny must come before the permit, because the list is evaluated top down:
For Site 1’s router:
R1(config)# ip nat inside source list 100 interface fastethernet0/1 overload
R1(config)# access-list 100 remark -=[Define NAT Service]=-
R1(config)# access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)# access-list 100 remark
And Site 2’s router:
R2(config)# ip nat inside source list 100 interface fastethernet0/1 overload
R2(config)# access-list 100 remark -=[Define NAT Service]=-
R2(config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R2(config)# access-list 100 permit ip 20.20.20.0 0.0.0.255 any
R2(config)# access-list 100 remark
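Before bringing the tunnel up it is worth checking that the two sides actually agree. The following Python script is an added example for this article, not Cisco code: it embeds the R1 and R2 commands above as constructed running-config text (with a template in place of the prompts), reproduces the Phase 1 policy selection described earlier (all policies offered, responder's priority order, shorter lifetime wins), and checks that the pre-shared key is bound to the right peer, that the transform sets match, that the crypto access lists are mirror images, and that each NAT access list denies the VPN traffic before permitting it. The parser, the site_config() template and the issue strings are assumptions of this example, not IOS behaviour.

```python
"""Cross-check both sides of an IOS crypto-map VPN before bringing the tunnel up. Added example
for this article, not Cisco code: it parses the article's R1/R2 commands (embedded below as
constructed running-config text), simulates ISAKMP Phase 1 policy selection and reports what
would stop Phase 1 or Phase 2, or let NAT translate the VPN traffic before the crypto map."""
from ipaddress import IPv4Network

def parse_ace(w):
    """'permit|deny ip SRC WILDCARD DST WILDCARD' -> (action, src, dst); 'any' is allowed."""
    nets, i = [], 2
    while len(nets) < 2:                    # ipaddress accepts a hostmask, i.e. an IOS wildcard
        nets.append(IPv4Network("0.0.0.0/0" if w[i] == "any" else f"{w[i]}/{w[i + 1]}"))
        i += 1 if w[i] == "any" else 2
    return (w[0], *nets)

def parse_config(text):
    """Collect the crypto-relevant parts of a running-config into one dict."""
    cfg = {"policies": {}, "keys": {}, "acls": {}, "transforms": {}, "maps": {}, "nat_acl": None}
    ctx = None                              # container for the sub-mode being filled in
    for raw in text.splitlines():
        w = raw.split()
        if raw.startswith(" ") and w:       # indented line = sub-mode command
            if isinstance(ctx, list):
                ctx.append(parse_ace(w))
            elif isinstance(ctx, dict):     # 'set peer X' / 'match address A' / 'encr 3des'
                ctx[w[1] if w[0] == "set" else w[0]] = w[-1]
            continue
        ctx = None                          # any top-level line (or '!') ends the sub-mode
        if w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = cfg["policies"].setdefault(int(w[3]), {})
        elif w[:3] == ["crypto", "isakmp", "key"]:       # crypto isakmp key KEY address PEER
            cfg["keys"][w[5]] = w[3]
        elif w[:3] == ["ip", "access-list", "extended"]:
            ctx = cfg["acls"].setdefault(w[3], [])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transforms"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) > 3:   # crypto map NAME SEQ ipsec-isakmp
            ctx = cfg["maps"].setdefault(w[2], {}).setdefault(int(w[3]), {})
        elif w[:1] == ["access-list"] and w[2] in ("permit", "deny"):
            cfg["acls"].setdefault(w[1], []).append(parse_ace(w[2:]))
        elif w[:4] == ["ip", "nat", "inside", "source"]:
            cfg["nat_acl"] = w[5]
    return cfg

def phase1_match(initiator, responder):
    """IOS semantics: the initiator offers every policy it has; the responder walks its own
    lowest-number-first and takes the first whose encryption, hash, authentication and DH group
    equal an offered one (lifetimes may differ; the shorter wins). Returns (number, lifetime) or None."""
    offered = [p for _, p in sorted(initiator["policies"].items())]
    for number, own in sorted(responder["policies"].items()):
        for theirs in offered:
            if all(own.get(k) == theirs.get(k) for k in ("encr", "hash", "authentication", "group")):
                return number, min(int(own.get("lifetime", 86400)), int(theirs.get("lifetime", 86400)))
    return None

def check_pair(a, b, a_ip, b_ip):
    """Problems that would keep the tunnel between A (a_ip) and B (b_ip) from coming up."""
    issues, flows, ts = [], {}, {}
    if phase1_match(a, b) is None:
        issues.append("phase1: no ISAKMP policy in common")
    if not a["keys"].get(b_ip) or a["keys"].get(b_ip) != b["keys"].get(a_ip):
        issues.append("phase1: pre-shared keys differ or are not bound to the peer address")
    for side, cfg, peer in (("A", a, b_ip), ("B", b, a_ip)):
        entry = next((e for m in cfg["maps"].values() for e in m.values() if e.get("peer") == peer), None)
        if entry is None:
            return issues + [f"phase2 on {side}: no crypto map entry has 'set peer {peer}'"]
        ts[side] = cfg["transforms"].get(entry["transform-set"])
        flows[side] = {(s, d) for act, s, d in cfg["acls"][entry["match"]] if act == "permit"}
        nat = cfg["acls"].get(cfg["nat_acl"], [])   # evaluated top-down, implicit deny at the end
        for s, d in flows[side]:
            hit = next((act for act, ns, nd in nat if s.subnet_of(ns) and d.subnet_of(nd)), "deny")
            if hit == "permit":
                issues.append(f"nat on {side}: {s} -> {d} is translated before the crypto map sees it")
    if ts["A"] != ts["B"]:
        issues.append("phase2: transform sets differ")
    if flows["A"] != {(d, s) for s, d in flows["B"]}:
        issues.append("phase2: crypto ACLs are not mirror images of each other")
    return issues

def site_config(local, remote, peer, acl):
    """Constructed running-config for one site, built from the article's commands (hypothetical addresses)."""
    return f"""crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key CCIE address {peer}
ip access-list extended {acl}
 permit ip {local} {remote}
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map Traffic 10 ipsec-isakmp
 set peer {peer}
 set transform-set TS
 match address {acl}
ip nat inside source list 100 interface FastEthernet0/1 overload
access-list 100 deny ip {local} {remote}
access-list 100 permit ip {local} any\n"""
R1_CONFIG = site_config("10.10.10.0 0.0.0.255", "20.20.20.0 0.0.0.255", "1.1.1.2", "R1-TRAFFIC")
R2_CONFIG = site_config("20.20.20.0 0.0.0.255", "10.10.10.0 0.0.0.255", "1.1.1.1", "R2-TRAFFIC")
```

With the two configurations as given, check_pair(parse_config(R1_CONFIG), parse_config(R2_CONFIG), "1.1.1.1", "1.1.1.2") returns an empty list and phase1_match returns (1, 86400). Change R2's hash to SHA, mistype the key, or delete the NAT deny line and the corresponding problem is reported; the NAT check in particular is the one that is easy to miss in the field, because the tunnel negotiates fine and only the traffic goes missing.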
Bringing Up and Verifying the VPN Tunnel
At this point, we've completed our configuration and the VPN tunnel is ready to be brought up. The tunnel is negotiated on demand, so to initiate it we need to force one packet to match the crypto ACL. Pinging the remote LAN from one router with the inside interface as the source does this (a plain ping would use the public address 1.1.1.1 as its source, which does not match the crypto ACL):
R1# ping 20.20.20.1 source fastethernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/47/48 ms
The first ping timed out but the rest received a reply, as expected: bringing up the tunnel (both IKE phases) sometimes takes slightly more than the 2 second ping timeout, so the first echo is dropped while the SAs are being negotiated.
To verify the VPN tunnel, use the show crypto session command (show crypto isakmp sa and show crypto ipsec sa give the Phase 1 and Phase 2 detail respectively):
R1# show crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 1.1.1.2 port 500
IKE SA: local 1.1.1.1/500 remote 1.1.1.2/500 Active
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 20.20.20.0/255.255.255.0
Active SAs: 2, origin: crypto map
The two active SAs are the inbound and outbound IPsec SAs for the 10.10.10.0/24 to 20.20.20.0/24 flow, and UP-ACTIVE shows that both phases completed.