Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005

IPsec – An Introduction  IPsec is a suite of protocols used to create virtual private networks (VPNs)  Creates encrypted tunnel between 2 private networks  Authenticates both ends of the tunnel

IPsec – An Introduction (Cont’d)  Can choose what traffic to encrypt and how to encrypt it  Encapsulates and encrypts IP data only (can use GRE for non-IP traffic)  IPsec is composed of the following main protocols:  Internet Key Exchange (IKE) protocol  Encapsulating Security Payload (ESP) protocol  Authentication Header (AH) protocol

IPsec - Fundamental Mechanisms  Packet Encapsulation Encapsulating Security Payload (ESP) - encrypts and authenticates data Authentication Header (AH) – authenticates data and header Tunnel mode - new IP header appended in front of original IP header of packet Transport mode - uses original IP header of packet  Encryption Uses symmetric key algorithms DES or 3DES  Integrity Checking Uses Message Authentication Codes using Hashing (HMAC) Hashing algorithms used are MD5 or SHA-1

IPsec Implementation  LAN-to-LAN IPsec VPN Also called site-to-site IPsec VPN Merges 2 private networks across a public network Appears as one virtual network with shared resources

IKE – An Introduction  Responsible for negotiating the details of the IPsec tunnel between the 2 peers  Main functions of IKE in IPsec: Negotiate protocol parameters Exchanging public keys Authenticate both ends Managing keys after exchange

How IKE Works  IKE is a two phase protocol Phase 1  Uses main mode or aggressive mode exchanges between peers  Negotiates a secure, authenticated communication channel between the IPsec peers Phase 2  Uses quick mode exchanges between peers  Negotiates security associations for the IPsec services

IKE - Main Mode  The main functions of the main mode (or aggressive mode) are: Agree on a set of parameters that will be used to authenticate the 2 IPsec peers Agree on a set of parameters that will be used to encrypt a part of the main mode and all of the quick mode exchange. Authenticate the 2 IPsec peers to each other Generate keys that can be used to generate the necessary data encryption keys after negotiations are done.

IKE - Main Mode (Cont’d)  All the information negotiated in main mode is stored as an IKE or ISAKMP security association (SA).  There is only one SA between any 2 IPsec peers.

IKE - Quick Mode  The main functions of the quick mode are: Agree on a set of parameters for creating the IPsec SAs used to encrypt (for ESP) the data between the 2 peers If Perfect Forward Secrecy (FPS) is being used, performs another Diffie-Hellman (DH) exchange to generate new keys for generating the data encryption keys

IKE Authentication Mechanisms  Preshared Keys Define the same key on both IPsec peers Simple but not scalable  Digital Signatures Uses public/private key pairs generated on both IPsec peers Public key is exchanged using a digital certificate that also contains sender info Certificate issued by a certificate authority (CA) server  Encrypted Nonces Pseudo-random numbers are encrypted and exchanged by the IPsec peers

IPsec Negotiation Using IKE  IKE negotiates IPsec tunnels between IPsec peers using one of three main methods: 1.Main mode using preshared key authentication followed by quick mode negotiation 2.Main mode using digital signature authentication followed by quick mode negotiation 3.Aggressive mode using preshared key authentication followed by quick mode negotiation

Configuration of LAN-to-LAN IPsec - Network Diagram Initiator Responder / /24  Cisco Routers R1 and R2 both running IOS version T11 (including support for IPsec and 3DES)  Cisco Catalyst Switch running IOS version (EA1a)

Configuration of LAN-to-LAN IPsec - Setup of Routers  Step 1: Ensure that IKE is enabled Router(config)# crypto isakmp enable  Step 2: Create the ISAKMP policy which defines the attributes negotiated between the peers for the IKE SA Router(config)# crypto isakmp policy 1 Router(config-isakmp)# encryption 3des Router(config-isakmp)# hash md5 Router(config-isakmp)# authentication pre-share Router(config-isakmp)# group 1 Router(config-isakmp)# lifetime priority

Configuration of LAN-to-LAN IPsec - Setup of Routers (Cont’d)  Step 3: Define the pre-shared key and the IP address of the IPsec peer Router(config)# crypto isakmp key 42DB72B3 address  Step 4: Define a transform-set for use with IPsec as follows: Router(config)# crypto ipsec transform-set myset1 esp-3des esp-md5-hmac  Step 5: Define the mode associated with the transform-set (optional) Router(cfg-crypto-tran)# mode tunnel

Configuration of LAN-to-LAN IPsec - Setup of Routers (Cont’d)  Step 6: Define an access list which specifies the interesting traffic for IPsec Can be used to specify “interesting” traffic for IPsec Router(config)# access-list 101 permit ip  Step 7: Define a crypto map The crypto map links together all of the details of the IPsec configuration Router(config)# crypto map mymap1 ipsec-isakmp

Configuration of LAN-to-LAN IPsec - Setup of Routers (Cont’d)  Step 8: Within the identified crypto map, define the IP address of the IPsec peer Router(config-crypto-m)# set peer  Step 9: Within the identified crypto map, define which transform-set is to be used with this crypto map Router(config-crypto-m)# set transform-set myset1  Step 10: Within the identified crypto map, define which access list is to be used with this crypto map Router(config-crypto-m)# match address access-list 101

Configuration of LAN-to-LAN IPsec - Setup of Routers (Cont’d)  Step 11: Assign the crypto map to the specific interface of the router on which IPsec traffic will flow Router(config)# interface Ethernet 0/0 Router(config-if)# crypto map mymap1  Step 12: Verify that the defined policy, transform-set, and pre-shared key are the same on both IPsec peers

Configuration of LAN-to-LAN IPsec – Viewing IPsec attributes  Assigned IPsec attributes can be viewed using following commands: Router# show crypto isakmp policy Router# show crypto isakmp sa Router# show crypto isakmp key Router# show crypto ipsec transform-set Router# show crypto map Router# show crypto ipsec sa Router# show crypto ipsec security-association lifetime

Configuration of LAN-to-LAN IPsec – Screenshot1 of Router 1 crypto

Configuration of LAN-to-LAN IPsec – Screenshot2 of Router 1 crypto

Configuration of LAN-to-LAN IPsec – Screenshot1 of Router 1 config

Configuration of LAN-to-LAN IPsec – Screenshot2 of Router 1 config

Configuration of LAN-to-LAN IPsec – Screenshot3 of Router 1 config

Configuration of LAN-to-LAN IPsec – Screenshot1 of Router 2 crypto

Configuration of LAN-to-LAN IPsec – Screenshot2 of Router 2 crypto

Configuration of LAN-to-LAN IPsec – Screenshot1 of Router 2 config

Configuration of LAN-to-LAN IPsec – Screenshot2 of Router 2 config

Configuration of LAN-to-LAN IPsec – Screenshot3 of Router 2 config

Configuration of LAN-to-LAN IPsec Debug output on router 1 (initiator)

Configuration of LAN-to-LAN IPsec Debug output on router 1 (cont’d)

Configuration of LAN-to-LAN IPsec Debug output on router 2 (responder)

Configuration of LAN-to-LAN IPsec Debug output on router 2 (cont’d)

References  Network Security Principles and Practices by Saadat Malik  Cisco IOS Security Configuration Guide, Release 12.2  Cisco IOS Security Command Reference, Release 12.2  Cisco IOS Configuration Fundamental Configuration Guide, Release 12.2  Cisco IOS Interface Command Reference, Release 12.2