Download presentation
Presentation is loading. Please wait.
Published byArabella Horton Modified over 6 years ago
1
Module 4: Configuring Site to Site VPN with Pre-shared keys
Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys
2
Module 4: Configuring Site to Site VPN with Pre-shared keys
Lesson 4.5 Configure a PIX Security Appliance Site-to-Site VPN using Pre-shared Keys
3
IPsec Configuration Tasks
4
Configuring IPsec Encryption
Task 1: Prepare to configure VPN support. Task 2: Configure IKE parameters. Task 3: Configure IPsec parameters. Task 4: Test and verify VPN configuration.
5
Task 1:Prepare to Configure VPN Support
6
Task 1: Prepare for IKE and IPsec
Step 1: Determine the IKE (IKE Phase 1) policy. Step 2: Determine the IPsec (IKE Phase 2) policy. Step 3: Ensure that the network works without encryption. Step 4: (Optional) Implicitly permit IPsec packets to bypass security appliance ACLs and access groups.
7
Determine IKE Phase 1 Policy
Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ Parameter Weak Stronger Encryption algorithm DES 3DES or AES Hash algorithm MD5 SHA-1 Authentication method Pre-share RSA Signature Key exchange DH group 1 DH Group 5 IKE SA lifetime 86,4000 seconds <86,400 seconds
8
Determine IPsec (IKE Phase 2) Policy
Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ Parameter Weak Stronger Encryption algorithm DES 3DES or AES Authentication MD5 SHA-1 Perfect forward secrecy Group 1 Group 5 SA lifetime 86,400 seconds <86,400 seconds
9
Task: Configure IKE Parameters
10
Task 2: Configure IKE Step 1: Enable or disable IKE.
Step 2: Configure IKE Phase 1 policy. Step 3: Configure a tunnel group. Step 4: Configure the tunnel group attributes pre-shared key. Step 5: Verify IKE Phase 1 policy.
11
Enable or Disable IKE Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ ciscoasa(config)# isakmp enable interface-name Enables or disables IKE on the security appliance interfaces Disables IKE on interfaces not used for IPsec asa1(config)# isakmp enable outside
12
Configure IKE Phase 1 Policy
Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ asa1#(Config)# isakmp policy 10 asa1#(Config-isakmp-policy)# encryption des asa1#(Config-isakmp-policy)# hash sha asa1#(Config-isakmp-policy)# authentication pre-share asa1#(Config-isakmp-policy)# group 1 asa1#(Config-isakmp-policy)# lifetime 86400 Creates a policy suite grouped by priority number Creates policy suites that match peers Can use default values
13
Configure a tunnel group
Set of records that contain tunnel connection policies Can be configured to identify AAA servers, specify connection parameters, and define a default group policy. Two default tunnel groups on the PIX. DefaultRAGroup, is the default IPSec remote-access tunnel group DefaultL2Lgroup, is the default IPSec LAN-to-LAN tunnel group Default Groups can be changed but not deleted. Used for default tunnel parameters for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group
14
Configure a Tunnel Group
Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ Tunnel Group LAN-to-LAN Tunnel Group LAN-to-LAN IPsec IPsec ciscoasa(config)# tunnel-group name type type Names the tunnel group Defines the type of VPN connection that is to be established asa1(config)# tunnel-group type ipsec-l2l
15
Configuring Tunnel Groups: General Attributes
Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ Tunnel Group L2L Tunnel Group L2L IPsec IPsec ciscoasa(config)# tunnel-group name general-attributes Places you in tunnel group general attribute configuration mode asa1(config)# tunnel-group general-attributes asa1(config-tunnel-general)# default-group-policy OURPOLICY Sets the default group policy
16
Configuring Tunnel Groups: IPsec Attributes
Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ Tunnel Group L2L Tunnel Group L2L isakmp key cisco123 isakmp key cisco123 ciscoasa(config)# tunnel-group name ipsec-attributes Places you in tunnel group IPsec attribute configuration mode asa1(config)# tunnel-group ipsec-attributes asa1(config-tunnel-ipsec)# pre-shared-key cisco123 asa2(config)# tunnel-group ipsec-attributes asa2(config-tunnel-ipsec)# pre-shared-key cisco123 Associates a pre-shared keys with the connection policy
17
Verify IKE Phase 1 Policy
Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ asa1# show run crypto isakmp isakmp identity address isakmp enable outside isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 Displays configured and default IKE protection suites
18
Task 3: Configure IPsec Parameters
19
Task 3: Configure IPsec Step 1: Configure interesting traffic: NAT 0 and ACL. access-list 101 permit nat 0 Step 2: Configure IPsec transform set suites. crypto ipsec transform-set Step 3: Configure the crypto map. crypto map Step 4: Apply the crypto map. crypto map map-name interface interface-name
20
Configuring Interesting Traffic: Crypto ACLs
Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ X Encrypt X Security Appliance 1 (asa1) asa1(config)# access-list 101 permit ip Security Appliance 6 (asa6) asa6(config)# access-list 101 permit ip Lists are symmetrical or mirrors of each other. permit = encrypt deny = do not encrypt
21
NAT 0 and Interesting Traffic
Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ Do Not Translate Do Not Translate asa1(config)# nat (inside) 0 access-list 101
22
Configure an IPsec Transform Set
Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ ciscoasa(config)# crypto ipsec transform-set transform-set-name transform1 [transform2] Sets are limited to two transforms Default mode is Tunnel Configures matching sets between IPsec peers asa1(config)# crypto ipsec transform-set ASA2 esp-des esp-md5-hmac
23
Available IPsec Transforms
Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ esp-des ESP transform using DES cipher (56 bits) esp-3des ESP transform using 3DES cipher(168 bits) esp-aes ESP transform using AES-128 cipher esp-aes-192 ESP transform using AES-192 cipher esp-aes-256 ESP transform using AES-256 cipher esp-md5-hmac ESP transform using HMAC-MD5 auth esp-sha-hmac ESP transform using HMAC-SHA auth esp-none ESP no authentication esp-null ESP null encryption
24
Configure the Crypto Map
Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ asa1(config)# crypto map ASA1MAP 10 match address 101 asa1(config)# crypto map ASA1MAP 10 set peer asa1(config)# crypto map ASA1MAP 10 set transform-set ASA2 asa1(config)# crypto map ASA1MAP 10 set security-association lifetime seconds 28800 Specifies IPsec (IKE Phase 2) parameters Maps names and sequence numbers of group entries into a policy
25
Apply the Crypto Map to an Interface
Security Appliance 1 Security Appliance 2 Site 1 Site 2 Internet Gig0/ Gig0/ ciscoasa(config)# crypto map map-name interface interface-name Applies the crypto map to an interface Activates IPsec policy asa1(config)# crypto map ASA1MAP interface outside
26
Example: Crypto Map for Security Appliance 1
Site 1 Site 2 Internet Gig0/ Gig0/ Security Appliance 1 (asa1) asa1# show run crypto map crypto map ASA1MAP 10 match address 101 crypto map ASA1MAP 10 set peer crypto map ASA1MAP 10 set transform-set ASA2 crypto map ASA1MAP interface outside
27
Example: Crypto Map for Security Appliance 2
Site 1 Site 2 Internet Gig0/ Gig0/ Security Appliance 2 (asa2) asa2# show run crypto map crypto map ASA1MAP 10 match address 101 crypto map ASA1MAP 10 set peer crypto map ASA1MAP 10 set transform-set ASA1 crypto map ASA1MAP interface outside
28
Task 4: Test and Verify VPN Configuration
29
Task 4: Test and Verify VPN Configuration
Verify ACLs and interesting traffic. show run access-list Verify correct IKE configuration. show run isakmp show run tunnel-group Verify correct IPsec configuration. show run ipsec Verify IPsec and ISAKMP SAs show crypto ipsec sa show crypto isakmp sa
30
Task 4: Test and Verify VPN Configuration (Cont.)
Verify correct crypto map configuration. show run crypto map Clear IPsec SA. clear crypto ipsec sa Clear IKE SA. clear crypto isakmp sa Debug IKE and IPsec traffic through the security appliance. debug crypto ipsec debug crypto isakmp
31
Q and A
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.