1
Building IPSEC VPNS Using Cisco Routers
Chapter 9 Building IPSEC VPNS Using Cisco Routers
2
Objectives
3
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
Define two types of Cisco router VPN solutions.
Describe the Cisco VPN router product family.
Identify the IPSec and other open standards supported by Cisco VPN routers.
Identify the component technologies of IPSec.
Explain how IPSec works.
4
Objectives (cont.)
Configure a Cisco router for IKE using pre-shared keys.
Configure a Cisco router for IPSec using pre-shared keys.
Verify the IKE and IPSec configuration.
Explain the issues regarding configuring IPSec manually and using RSA encrypted nonces.
5
Cisco Routers Enable Secure VPNs
6
VPN Definition
VPN—An encrypted connection between private networks over a public network such as the Internet
Diagram labels: Mobile user, Central site, Server, Remote site, Remote site, Internet, Analog, ISDN, Cable, DSL.
Cisco Systems defines VPN as “an encrypted connection between private networks over a public network such as the Internet”. The “V” and “N” stand for virtual network. The information from a private network is transported over a public network, the Internet, to form a virtual network. The “P” stands for private. To remain private, the traffic is encrypted to keep the data confidential. A VPN is a private virtual network. There are three types of VPN networks: remote access, site-to-site, and firewall-based VPN. In this section, we’ll discuss the three VPN solutions and then we’ll cover the related Cisco products.
7
Remote Access VPNs
Remote access VPN—Extension/evolution of dial
Diagram labels: Central site, Remote access client, Internet, DSL, cable, POP, Telecommuter, Router, POP, Mobile, Extranet, Consumer-to-business.
The first VPN solution is remote access. Remote access is targeted at mobile users and home telecommuters. Most people have access to the Internet from their homes, so why not take advantage of it? In the past, corporations supported remote users via dial-in networks. This typically necessitated a toll, or 1-800, call to access the corporation. With the advent of VPNs, a mobile user can make a local call to their ISP to access the corporation via the Internet wherever they may be. It is an evolution of dial networks. Remote access VPNs can support the needs of telecommuters, mobile users, extranet consumer-to-business, and so on.
8
Site-to-Site VPNs
Diagram labels: Internet; Main office, 7100/7200/7400 Series; Regional office, 3600/3700 Series; Remote office, 1700/2600 Series; Small office/home office, 800/900 Series.
Site-to-site VPNs provide cost benefits relative to private WANs and also enable new applications like extranets. However, site-to-site VPNs are still an end-to-end network and are subject to the same scalability, reliability, security, multi-protocol, etc. requirements that exist in the private WAN. In fact, since VPNs are built on a public network infrastructure, they have additional requirements such as heightened security, advanced QoS capabilities, and a set of policy management tools to manage these additional features. Cisco provides a suite of VPN-optimized routers. Cisco IOS software running in Cisco routers combines rich VPN services with industry-leading routing, thus delivering a comprehensive solution. Cisco routing software adds scalability, reliability, multi-protocol, multi-service, management, Service Level Agreement monitoring, and QoS to site-to-site applications. The Cisco VPN software adds strong security via encryption and authentication. These Cisco VPN-based products provide high performance for site-to-site, intranet and extranet VPN solutions.
9
Cisco VPN Router Portfolio
Diagram labels: Cisco 800, Cisco 1700, Cisco 1760, Cisco 2600XM/2691; Teleworker/SOHO, SMB/Small Branch, Enterprise Branch, Large Branch, Enterprise HQ And Beyond.
This slide depicts the broad range of the Cisco access router product portfolio. With this announcement, Cisco is enhancing its access router portfolio to offer enterprise customers the broadest range of routers to meet the needs of enterprise teleworkers, small offices, branch offices, regional offices, all the way to enterprise HQ. This provides customers with the benefit of standardizing on a single operating environment which they are familiar with across all varying office sizes, simplifying deployment and maintenance and lowering support and training costs. In the small office space, with the Cisco SOHO & 800 Series, Cisco has introduced new models such as the SOHO 71, which brings affordable multi-user access and Internet security for small businesses, as well as new DSL models with an integrated 4-port hub.
10
Cisco VPN Router Portfolio—Large Enterprise
Diagram labels: Cat 6500, Cisco 7200/400, Cisco 7400, Cisco 7204/225, Cisco 7140, Cisco 7120, Large Enterprise.
11
Small to Mid-Size—Cisco VPN Routers
The small to mid-sized Cisco VPN routers table can be used to determine which model is best for your environment. The chart above identifies router platforms, their related hardware accelerator card, and maximum throughput. Lab performance numbers are based on the following configuration: 3DES with HMAC-SHA-1, 100% CPU utilization, and no other services running such as QoS, NAT, GRE, and so on. Actual network performance will vary depending on the services running in each router. Hardware encryption accelerator cards provide high-performance, hardware-assisted encryption and key generation suitable for VPN applications. Hardware encryption accelerators improve overall system performance by offloading encryption and decryption processing, thus freeing main system resources for other tasks such as route processing, QoS and other network services. In mid-sized routers, there are four modules available:
AIM-VPN/BP (Base Performance): This advanced integration module can be added to all Cisco 2600 platforms.
AIM-VPN/EP (Enhanced Performance): This AIM can be added to all current 2600 models but is specifically designed to take advantage of the 2650 series high performance routers.
NM-VPN/MP (Mid Performance): This network module is supported on all 3620 and 3640 platforms.
AIM-VPN/HP (High Performance): This AIM can be added to all current 3660 models.
Hardware accelerators deliver enhanced encryption performance
12
Enterprise Size—Cisco VPN Routers
Platform: 7120 7140 7200 7400 CAT 6500
Maximum tunnels: 2000 3000 5000 8000
Performance (Mbps): 50 85 145 90 120 1.9G
Hardware encryption: ISM VAM ISA Yes
The Enterprise Cisco VPN routers table can be used to determine which enterprise model is best for your environment. The chart above identifies router platforms, their related hardware accelerator card, and maximum throughput. Lab performance numbers are based on the following configuration: 3DES with HMAC-SHA-1, 100% CPU utilization, and no other services running such as QoS, NAT, GRE, and so on. Actual network performance will vary depending on the services running in each router. Hardware encryption accelerator cards provide high-performance, hardware-assisted encryption and key generation suitable for VPN applications. For the enterprise routers, there are three versions:
VPN Acceleration Module (VAM) – The VAM for 7200 and 7100 series routers provides high-performance, hardware-assisted encryption and key generation. VAM also supports IP payload (LZS) compression services for VPN applications. There are two versions: VAM Service Adapter and VAM Service Module.
Integrated Service Module (ISM) – ISM uses a special slot created for offloading encryption and key generating services within the Cisco 7100 series. Maximum of one ISM per 71XX.
Integrated Service Adapter (ISA) – ISA is a service adapter that inserts in any open port adapter slot in any Cisco 7200 and can be used within the single port adapter of the Up to one ISA per 7140 or two per 72XX. Not available on 7120.
Hardware accelerators deliver enhanced encryption performance
13
IPSec Overview
14
What Is IPSec?
IPSec acts at the network layer, protecting and authenticating IP packets
Framework of open standards - algorithm independent
Provides data confidentiality, data integrity, and origin authentication
Diagram labels: Main site, IPSec, Corporate, Perimeter router, PIX Firewall, Concentrator, POP; Business partner with a Cisco router; Regional office with a PIX Firewall; Mobile worker with a Cisco VPN Client on a laptop computer; SOHO with a Cisco ISDN/DSL router.
IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices (peers), such as other PIX Firewalls, Cisco routers, VPN 3000 Concentrator Series, Cisco Secure VPN Client, and other IPSec-compliant products. IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers at the IP layer. IPSec encompasses a suite of protocols. It is not bound to any specific encryption or authentication algorithms, key generation technique, or security association. IPSec supplies the rules while existing algorithms provide the encryption, authentication, key management, and so on. In this way, IPSec can allow the use of updated algorithms and key techniques without patching the IPSec protocol. In this section, we’ll discuss how those open standards provide data confidentiality, integrity, and authentication.
15
IPSec Security Services
Confidentiality
Data integrity
Origin authentication
Anti-replay protection
In VPN, the framework of open standards provides three critical functions: confidentiality, data integrity, and authentication.
Confidentiality (Encryption): The sender can encrypt the packets before transmitting them across a network. By doing so, no one can eavesdrop on the communication. If intercepted, the communications cannot be read.
Data Integrity: The receiver can verify the data was transmitted through the Internet without being changed or altered in any way.
Origin Authentication: The receiver can authenticate the source of the packet. It can guarantee (certify) the source of the information.
16
Confidentiality (Encryption)
Diagram labels: Server, Internet; an eavesdropper reading “Earnings off by 15%” and remarking “Hmmm. This quarterly report does not look so good.”
Confidentiality: The good news is the Internet is a public network. The bad news is the Internet is a public network. Clear text data transported over the public Internet can be intercepted and read. In order to keep the data “private”, the data can be encrypted. By digitally scrambling, the data is rendered unreadable.
17
Types of Encryption
Diagram labels: a check (Pay to Terry Smith $100.00) passes through an encryption algorithm, crosses the Internet as cipher text (4ehIDx67NMop9eR U78IOPotVBn45TR), and passes through an encryption algorithm again at the far end; an eavesdropper remarks “Hmmm. I cannot read a thing.”
What is encryption? For encryption to work, both the sender and receiver need to know the rules used to transform the original message into its coded form. Rules are based on an algorithm and a key (or keys). An algorithm is a mathematical function which combines a message (text and/or digits) with a string of digits called a key. The output is an unreadable cipher string. Decryption is extremely difficult or impossible without the correct key. In this example, someone wants to send a financial document across the Internet. At the local end, the document is combined with a key and run through an encryption algorithm. The output is undecipherable cipher text. The cipher text is sent through the Internet. At the remote end, the message is recombined with a key and sent back through the encryption algorithm. The output is the original financial document. There are two types of encryption keys, symmetric and asymmetric. In both cases, the sender and receiver generate a public and private key pair. The private key is held by the sender and kept very private. The public keys are exchanged between the peers. With symmetric key encryption, the private and public keys are combined via the Diffie-Hellman algorithm to form a third shared key. This shared key is used at both ends to encrypt/decrypt messages. Asymmetric key encryption uses one key to encrypt and the other key to decrypt. Both will be discussed shortly.
18
DH Key Exchange
Diagram labels: Terry: public key B + private key A = shared secret key (AB). Alex: public key A + private key B = shared secret key (BA). Both sides: Key, Protocol Messages, Data Traffic, Decrypt; the check (Pay to Terry Smith $100.00) crosses the Internet as cipher text (4ehIDx67NMop9eR U78IOPotVBn45TR).
DES, 3DES, HMAC-MD5, and HMAC-SHA require a symmetric shared secret key to perform encryption and decryption. The question is how do the encrypting/decrypting devices get the shared secret key? The keys could be sent by courier, overnight express, or public key exchange. The easiest method is Diffie-Hellman public key exchange. The Diffie-Hellman key agreement (DH) is a public key encryption method that provides a way for two peers to establish a shared secret key that only they know, although they are communicating over an insecure channel. Public key cryptosystems rely on a two-key system: a public key, which is exchanged between end users, and a private key, which is kept secret by the original owners. The Diffie-Hellman public key algorithm states that if user A and user B exchange public keys and a calculation is performed on their individual private key and one another’s public key, the end result of the process is an identical shared key. The shared key will be used to encrypt and decrypt the data. Security is not an issue with the DH key exchange. Although someone may know a user’s public key, the shared secret can’t be generated because the private key never becomes public knowledge.
19
DH Key Exchange
Peer A
1. Generate large integer p. Send p to Peer B. Receive q. Generate g.
2. Generate private key XA
3. Generate public key YA = g ^ XA mod p
4. Send public key YA
5. Generate shared secret number ZZ = YB ^ XA mod p
6. Generate shared secret key from ZZ (DES, 3DES, or AES)
Peer B
1. Generate large integer q. Send q to Peer A. Receive p. Generate g.
2. Generate private key XB
3. Generate public key YB = g ^ XB mod p
4. Send public key YB
5. Generate shared secret number ZZ = YA ^ XB mod p
6. Generate shared secret key from ZZ (DES, 3DES, or AES)
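Steps 2 to 6 above, carried through for both peers, as an added example that is not part of the original slides. It assumes the fixed 1024-bit prime of Oakley group 2 (RFC 2409) with g = 2 in place of the peer-generated p and g of step 1, uses a SHA-256 truncation as a stand-in for the step 6 key derivation, and adds a range check on the received public value.

```python
import hashlib
import secrets

# Assumption: fixed published group (Oakley group 2, RFC 2409) instead of
# values generated by the peers in step 1.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
G = 2


class Peer:
    def __init__(self, name):
        self.name = name
        # Step 2: private value X in [2, P-2]; it never leaves this object.
        self.x = secrets.randbelow(P - 3) + 2
        # Step 3: public value Y = g^X mod p (this is what step 4 sends).
        self.y = pow(G, self.x, P)

    def shared_secret(self, peer_y):
        # Reject 0, 1, p-1 and out-of-range values: they would force ZZ into
        # a value an observer can predict.
        if not 1 < peer_y < P - 1:
            raise ValueError("invalid peer public value")
        # Step 5: ZZ = Y_peer^X mod p.
        return pow(peer_y, self.x, P)


def derive_key(zz, nbytes):
    # Step 6 stand-in (assumption): hash ZZ and truncate to the cipher's key
    # size. IKE derives its keys differently; this only shows the idea.
    zz_bytes = zz.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(zz_bytes).digest()[:nbytes]


def exchange(key_bytes=24):
    """Run the exchange; 24 bytes is the size of a three-key 3DES key."""
    a, b = Peer("A"), Peer("B")
    zz_a = a.shared_secret(b.y)   # A received YB in step 4
    zz_b = b.shared_secret(a.y)   # B received YA in step 4
    return derive_key(zz_a, key_bytes), derive_key(zz_b, key_bytes)


if __name__ == "__main__":
    key_a, key_b = exchange()
    print("keys match:", key_a == key_b)
```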
20
RSA Encryption
Diagram labels: Local: Encrypt with Remote’s public key. Remote: Decrypt with Remote’s private key. The check (Pay to Terry Smith $100.00) crosses the Internet as cipher text (KJklzeAidJfdlwiej47 DlItfd578MNSbXoE).
RSA encryption uses asymmetric keys for encryption and decryption. Each end, local and remote, generates two encryption keys, a private and a public key. They keep their private key and exchange their public key with the people they wish to communicate with. To send an encrypted message to the remote end, the local end encrypts the message using the remote’s public key and the RSA encryption algorithm. The result is unreadable cipher text. This message is sent through the Internet. At the remote end, the remote end uses its private key and the RSA algorithm to decrypt the cipher text. The result is the original message. The only one who can decrypt the message is the destination who owns the private key. With RSA encryption, the opposite also holds true. The remote end can encrypt a message using their own private key. The receiver can decrypt the message using the sender’s public key. This RSA encryption technique is used for digital signatures. We’ll talk about this later in this section.
21
Encryption Algorithms
Encryption algorithms: DES, 3DES, AES, RSA
Diagram labels: Encryption key, Encrypt, Decryption key, Decrypt; the check (Pay to Terry Smith $100.00) and its cipher text (4ehIDx67NMop9eR U78IOPotVBn45TR).
Degree of security is dependent on the length of the key. If one were to try to break the key through a brute force attack, guessing every possible combination, the number of possibilities is a function of the length of the key. The time to process all the possibilities is a function of the computing power of the computer. Therefore, the shorter the key, the easier it is to break. A 64 bit key with a relatively sophisticated computer can take approximately 1 year to break. A 128 bit key with the same machine can take roughly 10e19 years to decrypt. Some of the encryption algorithms are as follows:
DES Algorithm – DES was developed by IBM. DES uses a 56-bit key, ensuring high performance encryption. DES is a symmetric key cryptosystem.
Triple DES Algorithm (3DES) – The 3DES algorithm is a variant of the 56-bit DES. 3DES operates similarly to DES, in that data is broken into 64-bit blocks. 3DES then processes each block three times, each time with an independent 56-bit key. 3DES effectively doubles encryption strength over 56-bit DES. DES is a symmetric key cryptosystem.
RSA – RSA is an asymmetrical key cryptosystem. It uses a key length of 512, 768, 1024, or larger. RSA is used for encryption or digital signatures. In software, DES is up to 100 times faster than RSA. We’ll talk about digital signatures later in this section.
22
Data Integrity
Diagram labels: Internet; “Yes, I am Alex Jones”; sent check: Pay to Terry Smith $100.00, One Hundred and xx/ Dollars, hash 4ehIDx67NMop9; received check: Pay to Alex Jones $ One Thousand and xx/100 Dollars, hash 12ehqPx67NMoX.
Match = No changes
No match = Alterations
The next VPN critical function is data integrity. VPN data is transported over the public Internet. Potentially, this data could be intercepted and modified. To guard against this, each message has a hash attached to it. A hash guarantees the integrity of the original message. If the transmitted hash matches the received hash, the message has not been tampered with. However, if there is no match, the message was altered. In the example above, someone is trying to send John Smith a check for $100. At the remote end, John Jones is trying to cash the check for $. As the check progressed through the Internet, it was altered. Both the recipient and dollar amounts were changed. In this case, the hashes did not match. The transaction is no longer valid. We’ll talk about hash algorithms in the next few slides.
23
HMAC
Diagram labels: Local: variable-length input message (Pay to Terry Smith $100.00) + shared secret key, Hash function, hash 4ehIDx67NMop9, Message + hash. Remote: (1) received message + shared secret key, Hash function, hash 4ehIDx67NMop9; (2) compare with the received hash 4ehIDx67NMop9.
Hashing guarantees the integrity of the message. At the local end, the message and a shared secret key are sent through a hash algorithm which produces a hash value. Basically, a hash algorithm is a formula used to convert a variable length message into a single string of digits of a fixed length. It is a one-way algorithm. A message can produce a hash but a hash can’t produce the original message. It is analogous to dropping a plate on the floor. The plate can produce a multitude of pieces, but the pieces cannot be recombined to reproduce the plate in its original form. The message and hash are sent over the network. At the remote end, there is a two step process. First, the received message and shared secret key are sent through the hash algorithm. The result is a re-calculated hash value. Secondly, the receiver compares the re-calculated hash with the hash that was attached to the message. If the original hash and re-calculated hash match, the integrity of the message is guaranteed. If any of the original message is changed while in transit, the hash values will be different.
24
HMAC Algorithms
HMAC algorithms: HMAC-MD5, HMAC-SHA-1
Diagram labels: the check (Pay to Terry Smith $100.00), Hash function, hash 4ehIDx67NMop9.
There are two common hashing algorithms, HMAC-MD5 and HMAC-SHA-1.
HMAC-MD5 – HMAC-MD5 uses a 128 bit shared secret key. The variable length message and 128 bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote end.
HMAC-SHA-1 – HMAC-SHA-1 uses a 160-bit secret key. The variable length message and the 160 bit shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and forwarded to the remote end.
HMAC-SHA-1 is considered cryptographically stronger than HMAC-MD5. HMAC-SHA-1 is recommended where the slightly superior security of HMAC-SHA-1 over HMAC-MD5 is important. A hash can also be used to verify the source of the message. This is known as data origin authentication. We’ll talk more about this later.
25
Digital Signatures
Diagram labels: Local: the check (Pay to Terry Smith $100.00), Hash algorithm, Hash, Encryption algorithm, Private key. Internet. Remote: Decryption algorithm, Public key, Hash 4ehIDx67NMop9; re-computed Hash 4ehIDx67NMop9; Match.
The last critical function is origin authentication. In the middle ages, a seal guaranteed the authenticity of an edict. In modern times, a signed document is notarized with a seal and a signature. In the electronic era, a document is signed using the sender’s private encryption key, a digital signature. A signature is authenticated by decrypting the signature with the sender’s public key. In the above example, the local device encrypts a hash with its private key. The encrypted hash (the digital signature) is attached to the message and forwarded to the remote end. At the remote end, the encrypted hash is decrypted using the local end’s public key. If the decrypted hash matches the re-computed hash, the signature is genuine. The sender is authenticated. A digital signature ties a message to a sender. There are two common digital signature algorithms, RSA and DSA. RSA is used commercially and is the most common. DSA is used by U.S. Government agencies and is not as common.
26
Peer Authentication
Peer authentication methods:
Pre-shared keys
RSA signatures
RSA encrypted nonces
Diagram labels: Remote office, Corporate Office, Internet, HR servers, Peer authentication.
When conducting business long distance, it’s necessary to know who is at the other end of the phone or FAX. The same is true of VPN networking. The device on the other end of the VPN tunnel must be authenticated before the communications path is considered secure. There are three data origin authentication methods:
Pre-shared Keys – A secret key value, entered into each peer manually, used to authenticate the peer.
RSA Signatures – Use the exchange of digital certificates to authenticate the peers.
RSA Encrypted Nonces – Nonces (a random number generated by each peer) are encrypted, then exchanged between peers. The two nonces are used during the peer authentication process.
27
Pre-Shared Keys
Diagram labels: Local Peer: Auth. Key + ID Information, Hash, Authenticating hash (Hash_L), Internet. Remote Router: Auth. Key + ID Information, Hash, Computed hash (Hash) = Received hash (Hash_L).
With pre-shared keys, the same pre-shared key is configured on each IPSec peer. At each end, the pre-shared key is combined with other information to form the authentication key. Starting at the local end, the authentication key and the ID information (device-specific information) are sent through a hash algorithm to form hash_L. The local IKE peer provides one-way authentication by sending hash_L to the remote peer. If the remote peer is able to independently create the same hash from stored information, the local peer is authenticated (shown above). Once the local peer is authenticated by the remote end, the authentication process begins in the opposite direction. The remote peer combines its ID information with the authentication key and sends them through a hash algorithm to form hash_R. Hash_R is sent to the local peer. If the local peer is able to independently create the same hash from stored information, the remote peer is authenticated. Each peer must authenticate its opposite peer before the tunnel is considered secure.
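The hash_L and hash_R computation described above, as an added example that is not part of the original slides. It assumes the IKE main-mode formulas of RFC 2409 (SKEYID as the authentication key, HMAC-SHA-1 as the prf); the nonces, DH values, cookies, SA bytes and IDs are constructed sample data and the ID payload is simplified to a plain string.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def prf(key, data):
    # IKE's prf is HMAC over the negotiated hash; SHA-1 is assumed here.
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class Exchange:
    """Values both peers already hold when authentication starts."""
    ni: bytes      # local (initiator) nonce
    nr: bytes      # remote (responder) nonce
    gxi: bytes     # local DH public value
    gxr: bytes     # remote DH public value
    cky_i: bytes   # local cookie
    cky_r: bytes   # remote cookie
    sa_i: bytes    # SA proposal as sent by the local peer


def sample_exchange():
    # Constructed sample values; a real exchange takes them off the wire.
    return Exchange(os.urandom(16), os.urandom(16), os.urandom(128),
                    os.urandom(128), os.urandom(8), os.urandom(8),
                    b"constructed SA proposal")


def auth_key(psk, ex):
    # "The pre-shared key is combined with other information to form the
    # authentication key": SKEYID = prf(pre-shared-key, Ni | Nr).
    return prf(psk, ex.ni + ex.nr)


def hash_l(psk, ex, id_local):
    # Hash sent by the local peer (HASH_I in RFC 2409).
    return prf(auth_key(psk, ex),
               ex.gxi + ex.gxr + ex.cky_i + ex.cky_r + ex.sa_i + id_local)


def hash_r(psk, ex, id_remote):
    # Hash sent by the remote peer (HASH_R in RFC 2409).
    return prf(auth_key(psk, ex),
               ex.gxr + ex.gxi + ex.cky_r + ex.cky_i + ex.sa_i + id_remote)


def authenticate(psk_local, psk_remote, ex, id_local, id_remote):
    """Return (local peer accepted by remote, remote peer accepted by local)."""
    sent_l = hash_l(psk_local, ex, id_local)
    local_ok = hmac.compare_digest(sent_l, hash_l(psk_remote, ex, id_local))
    sent_r = hash_r(psk_remote, ex, id_remote)
    remote_ok = hmac.compare_digest(sent_r, hash_r(psk_local, ex, id_remote))
    return local_ok, remote_ok


if __name__ == "__main__":
    ex = sample_exchange()
    print(authenticate(b"same-key", b"same-key", ex, b"192.0.2.1", b"198.51.100.1"))
    print(authenticate(b"same-key", b"other-key", ex, b"192.0.2.1", b"198.51.100.1"))
```

Because the nonces feed the authentication key, a hash captured from one exchange does not verify in another.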
28
RSA Signatures
Diagram labels: Local: Auth. key + ID Information, Hash, Hash_I, Encryption algorithm, Private key, Digital signature, Digital cert. Internet. Remote: Digital cert, Public key, Digital signature, (1) Decryption algorithm, Hash_I; (2) Auth. key + ID Information, Hash, Hash; the two hashes are compared (=).
With RSA signatures, hash_L and hash_R are not only authenticated, but they are also digitally signed. Starting at the local end, the authentication key and ID information (device-specific information) are sent through a hash algorithm to form hash_L. The hash_L is then encrypted using the local peer’s private encryption key. The result is a digital signature. The digital signature and a digital certificate are forwarded to the remote peer. The public encryption key for decrypting the signature is included in the digital certificate exchanged between peers. At the remote peer, local peer authentication is a two step process. First, the remote peer verifies the digital signature by decrypting the digital signature using the public encryption key enclosed in the digital certificate. The result is hash_L. Next, the remote peer independently creates hash_L from stored information. If the calculated hash_L equals the decrypted hash_L, the local peer is authenticated (shown above). Digital signatures and certificates are discussed in more detail later in the digital certificate chapter. Once the local peer is authenticated by the remote peer, the authentication process begins in the opposite direction. The remote peer combines its ID information with the authentication key and sends them through a hash algorithm to form hash_R. Hash_R is encrypted using the remote peer’s private encryption key (a digital signature). The digital signature and certificate are sent to the local peer. The local peer performs two tasks. It creates the hash_R from stored information, and then decrypts the digital signature. If the calculated hash_R and the decrypted hash_R match, the remote peer is authenticated. Each peer must authenticate its opposite peer before the tunnel is considered to be secure.
29
RSA Encrypted Nonces
Diagram labels: Local: Auth. key + ID Information, Hash, Authenticating hash (Hash_I), Internet. Remote: Auth. key + ID Information, Hash, Computed hash (Hash_I) = Received hash (Hash_I).
RSA encrypted nonces require that each party generate a nonce (a pseudorandom number). The nonces are encrypted and then exchanged. Upon receipt of the peer’s nonce, each end formulates an authentication key made up of the initiator’s and responder’s nonces, the DH key, and the initiator’s and responder’s cookies. The authentication key is combined with device-specific information and run through a hash algorithm, where the output becomes hash_L. The local IKE peer provides one-way authentication by sending hash_L to the remote peer. If the remote peer is able to independently create the same hash from stored information and its nonce-based authentication key, the local peer is authenticated (shown above). Once the local peer is authenticated by the remote end, the authentication process begins in the opposite direction. The remote peer combines its ID information with the nonce-based authentication key and sends them through a hash algorithm to form hash_R. Hash_R is sent to the local peer. If the local peer is able to independently create the same hash from stored information and the nonce-based key, the remote peer is authenticated. Each peer must authenticate its opposite peer before the tunnel is considered to be secure.
30
IPSec Protocol Framework
31
IPSec Security Protocols
Authentication Header (diagram: Router A, Router B, all data in clear text)
The Authentication Header provides the following:
Authentication
Integrity
Encapsulating Security Payload (diagram: Router A, Router B, data payload is encrypted)
The Encapsulating Security Payload provides the following:
Encryption
Authentication
Integrity
IPSec consists of the following two main protocols:
Authentication Header (AH) provides data authentication and integrity for IP packets passed between two systems. It is a means of verifying that any message passed from Router A to B has not been modified during transit. All text is transported in the clear. AH does not provide data confidentiality (encryption) of packets.
Encapsulating Security Payload (ESP) is a security protocol used to provide confidentiality (encryption), data origin authentication, integrity, and optional anti-replay service. ESP provides confidentiality by performing encryption at the IP packet layer. All ESP traffic is encrypted between Router A and B.
32
Authentication Header
Diagram labels: Router A, Router B, All data in clear text.
Ensures data integrity
Provides origin authentication (ensures packets definitely came from peer router)
Uses keyed-hash mechanism
Does not provide confidentiality (no encryption)
Provides anti-replay protection
Authentication is achieved by applying a keyed one-way hash function to the packet to create a hash, or message digest. The hash is combined with the text and transmitted. Changes in any part of the packet that occur during transit are detected by the receiver when it performs the same one-way hash function on the received packet and compares the result with the message digest that the sender has supplied. The fact that the one-way hash also involves the use of a secret shared between the two systems means that authenticity is guaranteed.
33
AH Authentication and Integrity
Diagram labels: Router A: IP header + data + key, Hash, Authentication data (00ABCDEF); packet: IP HDR, AH, Data; Internet. Router B: packet: IP HDR, AH, Data; IP header + data + key, Hash; Received hash (00ABCDEF) = Re-computed hash (00ABCDEF).
The AH function is applied to the entire datagram except for any mutable IP header fields that change in transit; for example, Time To Live (TTL) fields that are modified by the routers along the transmission path. AH works as follows:
1. The IP header and data payload are hashed.
2. The hash is used to build a new AH header, which is appended to the original packet.
3. The new packet is transmitted to the IPSec peer router.
4. The peer router hashes the IP header and data payload, extracts the transmitted hash from the AH header, and compares the two hashes.
The hashes must exactly match. Even if one bit is changed in the transmitted packet, the hash output on the received packet will change and the AH header will not match. AH supports HMAC-MD5 and HMAC-SHA-1 algorithms.
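The AH steps above, together with the keyed-hash check from the HMAC slides, as an added example that is not part of the original slides. It assumes IPv4 transport mode, HMAC-SHA-1 truncated to 96 bits (RFC 2404) and the mutable-field list of the AH specification; addresses, SPI, key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA-1 output truncated to 96 bits
AH_LEN = 24    # 12 fixed bytes + 12-byte ICV


def with_checksum(hdr):
    """Return the 20-byte IPv4 header with its checksum field recomputed."""
    h = bytearray(hdr)
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!10H", bytes(h)))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    h[10:12] = struct.pack("!H", ~total & 0xFFFF)
    return bytes(h)


def zero_mutable(hdr):
    """Zero the fields routers may change in transit before hashing."""
    h = bytearray(hdr)
    h[1] = 0                   # TOS
    h[6:8] = b"\x00\x00"       # flags + fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    return bytes(h)


def compute_icv(key, ip_hdr, ah_fixed, payload):
    # The hash covers the IP header (mutable fields zeroed), the AH header
    # with its ICV field zeroed, and the payload.
    data = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def protect(key, src, dst, spi, seq, payload, ttl=64):
    """Sender: build IP HDR | AH | Data."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + AH_LEN + len(payload),
                     0x1234, 0, ttl, 51, 0, src, dst)   # protocol 51 = AH
    ip = with_checksum(ip)
    # next header 6 (TCP), length field 4 = (24 / 4) - 2, reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, spi, seq)
    return ip + ah_fixed + compute_icv(key, ip, ah_fixed, payload) + payload


def verify(key, packet):
    """Receiver: recompute the hash and compare it with the one in the AH."""
    ip, ah_fixed = packet[:20], packet[20:32]
    received, payload = packet[32:44], packet[44:]
    return hmac.compare_digest(received, compute_icv(key, ip, ah_fixed, payload))


def route_hop(packet):
    """What a transit router does: decrement TTL and fix the checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    return with_checksum(bytes(h)) + packet[20:]


# Constructed sample values.
KEY = b"constructed-20B-key!"
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])

if __name__ == "__main__":
    pkt = protect(KEY, SRC, DST, 0x1001, 1, b"Pay to Terry Smith $100.00")
    print("after two hops:", verify(KEY, route_hop(route_hop(pkt))))
    print("payload altered:", verify(KEY, pkt.replace(b"Terry Smith", b"Alex Jones!")))
```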
34
ESP
Diagram labels: Router A, Router B, Data payload is encrypted.
Data confidentiality (encryption)
Data integrity
Data origin authentication
Anti-replay protection
ESP provides confidentiality by encrypting the payload. It supports a variety of symmetric encryption algorithms. The default algorithm for IPSec is 56-bit DES. Cisco products also support use of 3DES for stronger encryption. ESP can also provide integrity and authentication of the datagrams. First the payload is encrypted. Next, the encrypted payload is sent through a hash algorithm, HMAC-MD5 or HMAC-SHA-1. The hash provides authentication and data integrity for the data payload. Optionally, ESP may also enforce anti-replay protection by requiring that a receiving host set the replay bit in the header to indicate that the packet has been seen.
35
ESP Protocol
Diagram: between the two routers, the original packet (IP HDR, Data) crosses the Internet as New IP HDR, ESP HDR, IP HDR, Data, ESP Trailer, ESP Auth, with the encrypted and authenticated portions marked. Provides confidentiality with encryption. Provides integrity with authentication.
The original is well protected because the entire original IP datagram is encrypted. An ESP header and trailer are added to the encrypted payload. With ESP authentication, the encrypted IP datagram and the ESP header/trailer are included in the hashing process. Lastly, a new IP header is appended to the front of the authenticated payload. The new IP address is used to route the packet through the Internet. When both authentication and encryption are selected, encryption is performed first, before authentication. One reason for this order of processing is that it facilitates rapid detection and rejection of replayed or bogus packets by the receiving node. Prior to decrypting the packet, the receiver can authenticate inbound packets. By doing this, it can detect the problems and potentially reduce the impact of denial-of-service attacks.
36
Modes of Use—Tunnel versus Transport Mode
Diagram: the original packet is IP HDR, Data. Transport mode: IP HDR, ESP HDR, Data, ESP Trailer, ESP Auth. Tunnel mode: New IP HDR, ESP HDR, IP HDR, Data, ESP Trailer, ESP Auth. The encrypted and authenticated portions are marked for each mode.
ESP and AH can be applied to IP packets in two different ways referred to as modes. The two supported modes are transport and tunnel. In transport mode, security is provided for the upper protocol layers, transport layer and above only. Transport mode protects the payload of the packet but leaves the original IP address in the clear. The original IP address is used to route the packet through the Internet. ESP transport mode is used between hosts. Tunnel mode provides security for the whole original IP packet. The original IP packet is encrypted. Next, the encrypted packet is encapsulated in another IP packet. The outside IP address is used to route the packet through the Internet.
37
Tunnel Mode
Diagram: a remote office and a home office each reach the corporate office (HR servers) across the Internet in tunnel mode.
ESP tunnel mode is used between a host and a security gateway or between two security gateways. For gateway-to-gateway applications, rather than load IPSec on all the computers at the remote and corporate offices, it is easier to have the security gateways perform the IP-in-IP encryption and encapsulation. In the IPSec remote access application, ESP tunnel mode is used. At a home office, there may be no router to perform the IPSec encapsulation and encryption. In this case, an IPSec client running on the PC will perform the IPSec IP-in-IP encapsulation and encryption. At the corporate office, the router will de-encapsulate and decrypt the packet.
38
IPSec Protocol—Framework
Choices:
IPSec protocol: ESP, AH
Encryption: DES, 3DES, AES
Authentication: MD5, SHA
Diffie-Hellman: DH1, DH2
39
How IPSec Works
40
Five Steps of IPSec
Diagram: Host A, Router A, Router B, Host B.
Interesting Traffic—The VPN devices recognize the traffic to protect.
IKE Phase 1—The VPN devices negotiate an IKE security policy and establish a secure channel.
IKE Phase 2—The VPN devices negotiate an IPSec security policy used to protect IPSec data.
Data transfer—The VPN devices apply security services to traffic and then transmit the traffic.
Tunnel terminated—The tunnel is torn down.
The goal of IPSec is to protect the data that you want with the security and algorithms you need. IPSec's operation can be broken down into five main steps. The five steps are summarized as follows:
Interesting traffic initiates the IPSec process—Traffic is deemed interesting when the VPN device recognizes that traffic you want to send needs to be protected.
IKE phase one—IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure communications channel for negotiating IPSec SAs in phase two.
IKE phase two—IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers. These security parameters are used to protect data and messages exchanged between endpoints.
Data transfer—Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.
IPSec tunnel termination—IPSec SAs terminate through deletion or by timing out.
41
Step 1—Interesting Traffic
Diagram: Host A, Router A, Router B, Host B; for each packet the router decides to apply IPSec, bypass IPSec, or send in cleartext.
Determining what traffic needs to be protected is done as part of formulating a security policy for use of a VPN. The policy is used to determine which traffic needs to be protected and which traffic can be sent in the clear. The policy is then implemented in the configuration interface for each particular IPSec peer. For example, in Cisco routers and PIX Firewalls, extended access lists are used to determine the traffic to encrypt. The access lists are defined such that permit statements indicate the selected traffic must be encrypted, and deny statements can be used to indicate the selected traffic must be sent unencrypted. With the Cisco Secure VPN Client, you use menu windows to select connections to be secured by IPSec. When interesting traffic is generated or transits the IPSec client, the client initiates the next step in the process, negotiating an IKE phase one exchange.
42
Step 2—IKE Phase 1
Diagram: Host A, Router A, Router B, Host B. IKE Phase 1, main mode exchange, performed by both routers: negotiate the policy, DH exchange, verify the peer identity.
The basic purpose of IKE phase one is to negotiate IKE policy sets, authenticate the peers, and set up a secure channel between the peers. IKE phase one occurs in two modes: main mode and aggressive mode. Main mode has three two-way exchanges between the initiator and receiver:
First exchange—The algorithms and hashes used to secure the IKE communications are negotiated and agreed upon between peers.
Second exchange—Uses a Diffie-Hellman exchange to generate shared secret keys and to pass nonces, which are random numbers sent to the other party, signed, and returned to prove their identity. The shared secret key is used to generate all the other encryption and authentication keys.
Third exchange—Verifies the other side's identity. Authenticate the remote peer.
The main outcome of main mode is a secure communications path for subsequent exchanges between the peers. In the aggressive mode, fewer exchanges are done and with fewer packets. On the first exchange, almost everything is squeezed in: the IKE policy set negotiation, the Diffie-Hellman public key generation, a nonce which the other party signs, and an identity packet, which can be used to verify their identity via a third party. The receiver sends everything back that is needed to complete the exchange. The only thing left is for the initiator to confirm the exchange.
43
IKE Transform Sets
Diagram: Host A, Router A, Router B, Host B; the routers negotiate IKE proposals. Router A: Transform 10 (DES, MD5, pre-share, DH1, lifetime) and Transform 20 (3DES, SHA, pre-share, DH1, lifetime). Router B: Transform 15 (DES, MD5, pre-share, DH1, lifetime). Negotiates matching IKE transform sets to protect IKE exchange.
IKE Policy Sets
When trying to make a secure connection between Host A and B through the Internet, a secure path, a tunnel, is established between Router A and B. Through the tunnel, the encryption, authentication, and other protocols are negotiated. Rather than negotiate each protocol individually, the protocols are grouped into sets, an IKE policy set. IKE policy sets are exchanged during the IKE main mode, first exchange phase. If a policy match is found between peers, main mode continues. If no match is found, the tunnel is torn down. In the example, Router A sends IKE policy sets 10 and 20 to Router B. Router B compares its set, policy set 15, with those received from Router A. In this instance, there's a policy match. Router A's policy set 10 matches Router B's policy set 15. In a point-to-point application, each end may only need a single IKE policy set defined. However, in a hub and spoke environment, the central site may require multiple IKE policy sets to satisfy all the remote peers.
44
DH Key Exchange
Diagram: Terry and Alex each combine their own private key with the other's public key (private key A + public key B, private key B + public key A) and arrive at the same shared secret key (AB = BA). The shared key is used to encrypt a check ("Pay to Terry Smith $100.00") into ciphertext that crosses the Internet and to decrypt it at the other end.
Diffie-Hellman key exchange is a public key encryption method that provides a way for two peers to establish a shared secret key over an insecure communications path. There are several different Diffie-Hellman algorithms, or groups, defined: Diffie-Hellman groups 1-7. A group number defines an algorithm and unique values. For instance, group 1 defines a MODP algorithm with a 768 bit prime number. Group 2 defines a MODP algorithm with a 1024 bit prime number. During IKE phase 1, the group is negotiated between peers. Between Cisco VPN devices, either group 1 or 2 is supported. Once the group negotiations are completed, the shared secret key, SKEYID, is calculated. SKEYID is used in the derivation of three other keys, SKEYID_a, SKEYID_e, and SKEYID_d. Each key has a separate purpose. SKEYID_a is the keying material used during the authentication process. SKEYID_e is the keying material used in the encryption process. SKEYID_d is keying material used to derive keys for non-ISAKMP security associations. All four keys are calculated during IKE phase 1.
45
Authenticate Peer Identity
Diagram: remote office and corporate office (HR servers) connected across the Internet, with peer authentication between them.
Peer authentication methods: Pre-shared keys. RSA signatures. RSA encrypted nonces.
When conducting business over the Internet, it's necessary to know who is at the other end of the tunnel. The device on the other end of the VPN tunnel must be authenticated before the communications path is considered secure. The last exchange of IKE phase one is used to authenticate the remote peer. There are three data origin authentication methods:
Pre-shared Keys – A secret key value entered into each peer manually, used to authenticate the peer.
RSA Signatures – Use the exchange of digital certificates to authenticate the peers.
RSA Encrypted Nonces – Nonces (a random number generated by each peer) are encrypted then exchanged between peers. The two nonces are used during the peer authentication process.
46
Step 3—IKE Phase 2
Diagram: Host A, Router A, Router B, Host B (10.0.1.3); the routers negotiate IPSec security parameters.
The purpose of IKE phase two is to negotiate the IPSec security parameters used to secure the IPSec tunnel. IKE phase two performs the following functions: Negotiates IPSec security parameters, IPSec transform sets. Establishes IPSec security associations. Periodically renegotiates IPSec SAs to ensure security. Optionally performs an additional Diffie-Hellman exchange.
IKE phase 2 has one mode, called quick mode. Quick mode occurs after IKE has established the secure tunnel in phase one. It negotiates a shared IPSec transform, derives shared secret keying material used for the IPSec security algorithms, and establishes IPSec SAs. Quick mode exchanges nonces that are used to generate new shared secret key material and prevent replay attacks from generating bogus SAs. Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA lifetime expires. Base quick mode is used to refresh the keying material used to create the shared secret key based on the keying material derived from the Diffie-Hellman exchange in phase one.
47
IPSec Transform Sets
Diagram: Host A, Router A, Router B, Host B; the routers negotiate transform sets. Router A: Transform set 30 (ESP, 3DES, SHA, Tunnel, Lifetime) and Transform set 40 (ESP, DES, MD5, Tunnel, Lifetime). Router B: Transform set 55 (ESP, 3DES, SHA, Tunnel, Lifetime). A transform set is a combination of algorithms and protocols that enact a security policy for traffic.
The ultimate goal of IKE phase two is to establish a secure IPSec session between endpoints. Before that can happen, each pair of endpoints negotiates the level of security required, e.g. encryption and authentication algorithms, for the session. Rather than negotiate each protocol individually, the protocols are grouped into sets, an IPSec transform set. IPSec transform sets are exchanged between peers during quick mode. If a match is found between sets, IPSec session establishment continues. If no match is found, the session is torn down. In the example, Router A sends IPSec transform sets 30 and 40 to Router B. Router B compares its set, transform set 55, with those received from Router A. In this instance, there's a match. Router A's transform set 30 matches Router B's transform set 55. These encryption and authentication algorithms form a security association (SA). More on SAs on the next page.
48
Security Associations (SA)
Diagram: SA database (destination IP address, SPI, protocol (ESP or AH)) and security policy database (encryption algorithm, authentication algorithm, mode, key lifetime). Across the Internet to the bank: SPI–12, ESP/3DES/SHA, tunnel, 28800. SPI–39, ESP/DES/MD5, tunnel, 28800.
Once a transform set is agreed upon between peers, each VPN peer device stores the information in a database. The information includes the encryption and authentication algorithm, peer address, transport mode, key lifetime, and so on. This information is referred to as the security association (SA). The VPN device then indexes the SA with a number, a Security Parameter Index (SPI). Rather than send the individual parameters of the SA across the tunnel, the peer will insert the SPI into the ESP header. When the IPSec peer receives the packet, it looks up the destination address and SPI in its database, and then processes the packet according to the protocols listed under the SPI. The IPSec SA is a compilation of the peer address, SPI number, encryption and authentication algorithms, mode, and key lifetime. network for s. For example in the corporate to bank connection, a very secure tunnel using 3DES, SHA, tunnel mode, and a key lifetime of is negotiated between the peer endpoints, SPI-12. For the remote user accessing s, a less secure tunnel is negotiated using DES, MD5, tunnel mode, and a key lifetime of 28800, SPI-39.
49
SA Lifetime Data-based Time-based
Like passwords on your company PC, the longer you keep it, the more vulnerable it becomes. The same thing is true of keys and security associations (SA). For good security, the SA and keys should be changed periodically. There are two parameters, lifetime type and duration. The first parameter is lifetime type: how is the lifetime measured? Is it measured by the number of bytes transmitted or the amount of time transpired? The second parameter is the unit of measure, kilobytes of data or seconds of time. Some examples are as follows: lifetime based on 10,000 kilobytes of data transmitted or seconds of time expired. The keys and SAs remain active until their lifetime expires or until some external event – client drops the tunnel – causes them to be deleted.
50
Step 4—IPSec Session
Diagram: Host A, Router A, Router B, Host B; IPSec session between the routers.
SAs are exchanged between peers. The negotiated security services are applied to the traffic.
After IKE phase two is complete and quick mode has established IPSec SAs, traffic is exchanged between Host A and B via a secure tunnel. Interesting traffic is encrypted and decrypted using the encryption specified in the IPSec SA.
51
Step 5—Tunnel Termination
Diagram: Host A, Router A, Router B, Host B; IPSec tunnel between the routers.
A tunnel is terminated by an SA lifetime timeout or if the packet counter is exceeded. Termination removes the IPSec SA.
IPSec SAs terminate through deletion or by timing out. An SA can time out when a specified number of seconds have elapsed or when a specified number of bytes have passed through the tunnel. When the SAs terminate, the keys are also discarded. When subsequent IPSec SAs are needed for a flow, IKE performs a new phase two and, if necessary, a new phase one negotiation. A successful negotiation results in new SAs and new keys. New SAs are established before the existing SAs expire, so that a given flow can continue uninterrupted.
52
Configuring IPSec Encryption
53
Tasks to Configure IPSec Encryption
Task 1—Prepare for IKE and IPSec. Task 2—Configure IKE. Task 3—Configure IPSec. Task 4—Test and Verify IPSec.
54
Task 1—Prepare for IKE and IPSec
55
Task 1—Prepare for IKE and IPSec
Step 1—Determine IKE (IKE phase one) policy. Step 2—Determine IPSec (IKE phase two) policy. Step 3—Check the current configuration. show running-configuration show crypto isakmp policy show crypto map Step 4—Ensure the network works without encryption. ping Step 5—Ensure access lists are compatible with IPSec. show access-lists
56
Step 1—Determine IKE (IKE Phase One) Policy
Determine the following policy details: Key distribution method Authentication method IPSec peer IP addresses and hostnames IKE phase 1 policies for all peers Encryption algorithm Hash algorithm IKE SA lifetime Goal: Minimize misconfiguration.
57
IKE Phase One Policy Parameters
Parameter: Strong / Stronger
Encryption algorithm: DES / 3-DES
Hash algorithm: MD5 / SHA-1
Authentication method: Pre-shared / RSA encryption, RSA signature
Key exchange: DH Group 1 / DH Group 2
IKE SA lifetime: 86400 seconds / < seconds
Before you begin configuring IKE and IPSec, you should determine the following details which make up an IKE policy: IKE encryption algorithm. IKE message hash algorithm. Authentication method. Key exchange method. IKE SA lifetime (the default is 86,400 seconds). This information should have been gathered during the planning process. It is recommended that you confirm the details to minimize the number of configuration errors.
58
IKE Policy Example
Diagram: Site 1 (RouterA, E0/) and Site 2 (RouterB, E0/) connected across the Internet; host 10.0.1.3.
Parameter: Site 1 / Site 2
Encryption algorithm: DES / DES
Hash algorithm: MD5 / MD5
Authentication method: Pre-shared keys / Pre-shared keys
Key exchange: DH Group 1 / DH Group 1
IKE SA lifetime: 86400 seconds / 86400 seconds
Peer IP address
59
Step 2—Determine IPSec (IKE Phase Two) Policy
Determine the following policy details: IPSec algorithms and parameters for optimal security and performance Transforms and, if necessary, transform sets IPSec peer details IP address and applications of hosts to be protected Manual or IKE-initiated SAs Goal: Minimize misconfiguration.
60
IPSec Transforms Supported in Cisco IOS Software
Cisco IOS software supports the following IPSec transforms:
RouterA(config)# crypto ipsec transform-set transform-set-name ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher ( bits)
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  esp-null      ESP transform w/o cipher
A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IPSec protected traffic. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow. You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list. During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peers' IPSec security associations.
When IKE is not used to establish security associations, a single transform set must be used. The transform set is not negotiated. Before a transform set can be included in a crypto map entry it must be defined using this command. A transform set specifies one or two IPSec security protocols (either ESP or AH or both) and specifies which algorithms to use with the selected security protocol. To define a transform set, you specify one to three "transforms"; each transform represents an IPSec security protocol (ESP or AH) plus the algorithm you want to use.
When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.
61
IPSec Policy Example Site 1 Site 2 Internet RouterA RouterB 10.0.1.3
E0/ E0/ Policy Site 1 Site 2 Transform set ESP-DES, tunnel ESP-DES, tunnel Peer hostname RouterB RouterA Peer IP address Hosts to be encrypted Traffic (packet) type to be encrypted TCP TCP SA establishment Ipsec-isakmp Ipsec-isakmp
62
Identify IPSec Peers
Peers shown: Cisco routers, remote user with Cisco VPN Client, Cisco PIX Firewall, other vendor's IPSec peers, CA server.
63
Step 3—Check Current Configuration
Site 1 Site 2 RouterA Internet RouterB A B router# show running-config View router configuration for existing IPSec policies. router# show crypto isakmp policy View default and any configured IKE phase one policies. RouterA# show crypto isakmp policy Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys) hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman Group: #1 (768 bit) lifetime: seconds, no volume limit
64
Step 3—Check Current Configuration (cont.)
Site 1 Site 2 RouterA Internet RouterB A B router# show crypto map View any configured crypto maps. RouterA# show crypto map Crypto Map "mymap" 10 ipsec-isakmp Peer = Extended IP access list 102 access-list 102 permit ip host host Current peer: Security association lifetime: kilobytes/3600 seconds PFS (Y/N): N Transform sets={ mine, }
65
Step 3—Check Current Configuration (cont.)
Site 1 Site 2 RouterA RouterB Internet A B router# show crypto ipsec transform-set View any configured transform sets. RouterA# show crypto ipsec transform-set mine Transform set mine: { esp-des } will negotiate = { Tunnel, },
66
Step 4—Ensure the Network Works
Cisco RouterB Remote user with Cisco Unified VPN client Cisco PIX Firewall Cisco router Cisco RouterA Basic connectivity must be checked before any VPN configuration can begin. Once VPN security is activated basic connectivity troubleshooting can be difficult due to possible security misconfigurations. Previous security settings could result in no connectivity. The IPSEC show command can be used to see existing security configurations. Other vendor’s IPSec peers CA server RouterA# ping
67
Step 5—Ensure Access Lists are Compatible with IPSec
IKE AH ESP Site 1 Site 2 RouterA Internet RouterB A B E0/ E0/ RouterA# show access-lists access-list 102 permit ahp host host access-list 102 permit esp host host access-list 102 permit udp host host eq isakmp Perimeter routers typically implement a restrictive security policy with access lists where only specific traffic is permitted, and all other traffic is denied. Such a restrictive policy would block IPSec traffic. You may need to add specific permit statements to the access list to allow IPSec traffic. Ensure that your access lists are configured so that protocol 50, 51, and UDP port 500 traffic is not blocked at interfaces used by IPSec. ISAKMP uses UDP port 500. The IPSec Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols use protocol numbers 50 and 51. In some cases, you might need to add a statement to router access lists to explicitly permit this traffic. You may need to add the access list statements to the perimeter router by performing the following steps: 1. Examine the current access list configuration at the perimeter router and determine if it will block IPSec traffic: RouterA#show access-lists 2. Add access list entries to permit IPSec traffic. The easiest way to do this is to copy the existing access list configuration and paste it into a text editor, add the access list entries to the top of the list, delete the existing access list with the no access-list access-list number command, enter configuration mode, copy and paste the new access list into the router, then verify the access list is correct with the show access-lists command. A concatenated example showing access list entries permitting IPSec traffic for RouterA is as follows: RouterA# show running-config ! 
interface Serial0 ip address ip access-group 102 in access-list 102 permit ahp host host access-list 102 permit esp host host access-list 102 permit udp host host eq isakmp Note that the protocol keyword of esp equals the ESP protocol (number 50) and the keyword of ahp equals the AH protocol (number 51), and the isakmp keyword equals UDP port 500. Ensure protocols 50 and 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec.
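One way to run the check described in this step offline, as an added Python example (not part of the original slides). It evaluates a pasted access list top-down with an implicit deny and reports which IPSec flows (ESP 50, AH 51, UDP 500) from the peer would be blocked; the addresses and sample ACLs are constructed, the function names are hypothetical, and only `any`, `host A`, `A wildcard` and a destination `eq` port are parsed.

```python
import ipaddress

PROTO = {"ip": None, "ahp": 51, "esp": 50, "udp": 17, "tcp": 6, "icmp": 1, "gre": 47}
PORTS = {"isakmp": 500, "www": 80, "telnet": 23}
IPSEC_FLOWS = (("ESP", 50, None), ("AH", 51, None), ("IKE", 17, 500))


def take_addr(words):
    """Consume one address spec and return ((base, wildcard), remaining words)."""
    if words[0] == "any":
        return (0, 0xFFFFFFFF), words[1:]
    if words[0] == "host":
        return (int(ipaddress.IPv4Address(words[1])), 0), words[2:]
    return (int(ipaddress.IPv4Address(words[0])),
            int(ipaddress.IPv4Address(words[1]))), words[2:]


def parse_acl(text, number):
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines for list N."""
    entries = []
    for line in text.splitlines():
        w = line.split()
        if len(w) < 6 or w[0] != "access-list" or w[1] != str(number):
            continue
        if w[2] not in ("permit", "deny"):
            continue
        src, rest = take_addr(w[4:])
        dst, rest = take_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS.get(rest[1]) or int(rest[1])
        entries.append((w[2], PROTO[w[3]], src, dst, port))
    return entries


def addr_match(spec, ip):
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (base | wildcard)


def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry wins; an access list ends with an implicit deny."""
    for action, e_proto, e_src, e_dst, e_port in entries:
        if e_proto is not None and e_proto != proto:
            continue
        if not (addr_match(e_src, src) and addr_match(e_dst, dst)):
            continue
        if e_port is not None and e_port != dport:
            continue
        return action == "permit"
    return False


def blocked_ipsec_flows(acl_text, number, peer, local):
    """Names of the IPSec flows from peer to local that the inbound ACL would drop."""
    entries = parse_acl(acl_text, number)
    return [name for name, proto, port in IPSEC_FLOWS
            if not evaluate(entries, proto, peer, local, port)]


# Constructed sample ACLs; 192.0.2.1 stands for RouterA, 198.51.100.2 for RouterB.
RESTRICTIVE = """\
access-list 102 permit tcp any host 192.0.2.1 eq 22
access-list 102 deny ip any any
"""
WITH_IPSEC = """\
access-list 102 permit ahp host 198.51.100.2 host 192.0.2.1
access-list 102 permit esp host 198.51.100.2 host 192.0.2.1
access-list 102 permit udp host 198.51.100.2 host 192.0.2.1 eq isakmp
""" + RESTRICTIVE

if __name__ == "__main__":
    for name, acl in (("restrictive", RESTRICTIVE), ("with IPSec entries", WITH_IPSEC)):
        print(name, "blocks:", blocked_ipsec_flows(acl, 102, "198.51.100.2", "192.0.2.1"))
```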
68
Task 2—Configure IKE
69
Task 2—Configure IKE
Step 1—Enable or disable IKE. crypto isakmp enable
Step 2—Create IKE policies. crypto isakmp policy
Step 3—Configure pre-shared keys. crypto isakmp key
Step 4—Verify the IKE configuration. show crypto isakmp policy
70
Step 1—Enable or Disable IKE
Site 1 Site 2 RouterA Internet RouterB A B router(config)# [no] crypto isakmp enable RouterA(config)# no crypto isakmp enable RouterA(config)# crypto isakmp enable Globally enables or disables IKE at your router. IKE is enabled by default. IKE is enabled globally for all interfaces at the router. Use the no form of the command to disable IKE. An ACL can be used to block IKE on a particular interface.
71
Step 2—Create IKE Policies
Site 1 Site 2 A B Internet RouterA RouterB router(config)# crypto isakmp policy priority Defines an IKE policy, which is a set of parameters used during IKE negotiation. Invokes the config-isakmp command mode. crypto isakmp policy priority Syntax Description priority Uniquely identifies the IKE policy and assigns a priority to the policy. Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest. RouterA(config)# crypto isakmp policy 110
72
Create IKE Policies with the crypto isakmp Command
Diagram: Site 1 (RouterA, host A) and Site 2 (RouterB, host B) connected across the Internet. Policy 110: DES, MD5, Pre-Share, 86400, Tunnel.
router(config)# crypto isakmp policy priority
Defines the parameters within the IKE policy 110.
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults
Syntax Description
authentication {rsa-sig | rsa-encr | pre-share}
  rsa-sig    Specifies RSA signatures as the authentication method.
  rsa-encr   Specifies RSA encrypted nonces as the authentication method.
  pre-share  Specifies pre-shared keys as the authentication method.
encryption des
  des        Specifies 56-bit DES-CBC as the encryption algorithm.
RouterA(config)# crypto isakmp policy 110
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# group 1
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# lifetime 86400
73
IKE Policy Negotiation
Site 1 Site 2 A B Internet RouterA RouterB RouterA(config)# RouterB(config)# crypto isakmp policy 100 hash md5 authentication pre-share crypto isakmp policy 200 authentication rsa-sig hash sha crypto isakmp policy 300 crypto isakmp policy 100 hash md5 authentication pre-share crypto isakmp policy 200 authentication rsa-sig hash sha crypto isakmp policy 300 Syntax Description (con’t) hash {sha | md5} sha Specifies SHA-1 (HMAC variant) as the hash algorithm. md5 Specifies MD5 (HMAC variant) as the hash algorithm. group {1 | 2} 1 Specifies the 768-bit Diffie-Hellman group. 2 Specifies the 1024-bit Diffie-Hellman group. lifetime seconds seconds Specifies how many seconds each SA should exist before expiring. Use an integer from 60 to 86,400 seconds. Default encryption (IKE policy); default = 56-bit DES-CBC hash (IKE policy); default = SHA-1 authentication (IKE policy); default = RSA signatures group (IKE policy); default = 768-bit Diffie-Hellman lifetime (IKE policy); default = 86,400 seconds (one day) The first two policies in each router can be successfully negotiated while the last one can not.
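The policy matching described on the IKE Transform Sets and IKE Policy Negotiation slides, as an added Python example (not part of the original slides). It fills unspecified parameters with the defaults listed above and finds the first pair of policies that agree; the sample configurations are constructed from the policy 10/20/15 example, the function names are hypothetical, and two things are assumptions: candidates are tried in priority order, and the lifetime is not compared.

```python
# Defaults as listed on the IKE Policy Negotiation slide.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
# Parameters compared between peers (lifetime left out: assumption of this example).
MATCH_FIELDS = ("encryption", "hash", "authentication", "group")


def parse_isakmp_policies(config):
    """Return {priority: parameters} from 'crypto isakmp policy N' blocks,
    with every parameter the block does not set taken from DEFAULTS."""
    policies, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[:3] == ["crypto", "isakmp", "policy"]:
            current = dict(DEFAULTS)
            policies[int(words[3])] = current
        elif current is not None and words[0] in DEFAULTS and len(words) == 2:
            current[words[0]] = words[1]
        else:
            current = None          # any other command ends the policy block
    return policies


def differences(a, b):
    """Parameters on which two policies disagree (empty list means they match)."""
    return [f for f in MATCH_FIELDS if a[f] != b[f]]


def negotiate(initiator, responder):
    """First (initiator priority, responder priority) pair that matches, else None.
    Lower number = higher priority; trying pairs in that order is an assumption."""
    for i_prio in sorted(initiator):
        for r_prio in sorted(responder):
            if not differences(initiator[i_prio], responder[r_prio]):
                return i_prio, r_prio
    return None


def explain(initiator, responder):
    """Per-pair list of mismatching parameters, for troubleshooting a failed phase 1."""
    return {(i, r): differences(initiator[i], responder[r])
            for i in sorted(initiator) for r in sorted(responder)}


# Constructed configurations modelled on the slide's example:
# Router A offers policies 10 and 20, Router B holds policy 15.
ROUTER_A = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp policy 20
 encryption 3des
 authentication pre-share
crypto isakmp key EXAMPLE-KEY address 198.51.100.2
"""
ROUTER_B = """\
crypto isakmp policy 15
 encryption des
 hash md5
 authentication pre-share
 group 1
"""
ROUTER_B_MISMATCH = ROUTER_B.replace("group 1", "group 2")

if __name__ == "__main__":
    a = parse_isakmp_policies(ROUTER_A)
    print("match:", negotiate(a, parse_isakmp_policies(ROUTER_B)))
    print("mismatch detail:", explain(a, parse_isakmp_policies(ROUTER_B_MISMATCH)))
```

Policy 10 on Router A never names an encryption algorithm or group, yet it matches Router B's fully specified policy 15 because both resolve to DES and group 1 once the defaults are applied.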
74
Step 3—Configure ISAKMP Identity
Site 1 Site 2 A B Internet RouterA RouterB router(config)# crypto isakmp identity {address | hostname} Defines whether ISAKMP identity is done by IP address or hostname. Use consistently across ISAKMP peers. To define the identity the router uses when participating in the IKE protocol, use the crypto isakmp identity global configuration command. Set an ISAKMP identity whenever you specify pre-shared keys. Use the no form of this command to reset the ISAKMP identity to the default value (address). Note: If the crypto isakmp identity command had not been performed, the ISAKMP identities would have still been set to IP address, the default identity.
75
Step 3—Configure Pre-Shared Keys
Site 1 Site 2 RouterA Internet RouterB A B Pre-shared key Cisco1234 router(config)# crypto isakmp key keystring address peer-address router(config)# crypto isakmp key keystring hostname hostname Syntax Description keystring Specify the pre-shared key. Use any combination of alphanumeric characters up to 128 bytes. This pre-shared key must be identical at both peers. peer-address. Specify the IP address of the remote peer. hostname Specify the host name of the remote peer. This is the peer's host name concatenated with its domain name (for example, myhost.domain.com). Default There is no default pre-shared authentication key. RouterA(config)# crypto isakmp key cisco1234 address Assigns a keystring and the peer address. The peer’s IP address or host name can be used.
76
Step 4—Verify the IKE Configuration
Site 1 Site 2 RouterA Internet RouterB A B RouterA# show crypto isakmp policy Protection suite of priority 110 encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Message Digest 5 authentication method: Pre-Shared Key Diffie-Hellman group: #1 (768 bit) lifetime: seconds, no volume limit Default protection suite hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature show crypto key ? mypubkey Show public keys associated with this pubkey-chain Show peer public keys show crypto isakmp ? policy Show ISAKMP protection suite policy sa Show ISAKMP Security Associations Displays configured and default IKE policies.
77
Task 3—Configure IPSec
78
Task 3—Configure IPSec
Step 1—Configure transform set suites. crypto ipsec transform-set
Step 2—Configure global IPSec SA lifetimes. crypto ipsec security-association lifetime
Step 3—Create crypto access lists. access-list
79
Task 3—Configure IPSec (cont.)
Step 4—Create crypto maps. crypto map Step 5—Apply crypto maps to interfaces. interface serial0
80
Step 1—Configure Transform Set Suites
81
Configure Transform Sets
Diagram: Site 1 (RouterA, host A) and Site 2 (RouterB, host B) connected across the Internet. Transform set "mine": esp-des, tunnel.
router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
router(cfg-crypto-trans)#
Syntax Description
transform-set-name  Specify the name of the transform set to create (or modify).
transform1 transform2 transform3  Specify up to three "transforms." These transforms define the IPSec security protocol(s) and algorithm(s).
A transform set is a combination of IPSec transforms that enact a security policy for traffic. Up to three transforms can be in a set. Sets are limited to up to one AH and up to two ESP transforms. The crypto ipsec transform-set command puts you in cfg-crypto-trans configuration mode. The default mode is tunnel.
RouterA(config)# crypto ipsec transform-set mine esp-des
82
Transform Set Negotiation
Figure: transform sets configured on the two peers.
    RouterA: transform-set 10 esp-3des tunnel; transform-set 20 esp-des, esp-md5-hmac; transform-set 30 esp-3des, esp-sha-hmac
    RouterB: transform-set 40 esp-des tunnel; transform-set 50 esp-des, ah-sha-hmac; transform-set 60 esp-3des, esp-sha-hmac
    Match: transform-set 30 and transform-set 60.
Transform sets are negotiated during IKE phase two.
IPSec peers agree on one transform proposal per SA (unidirectional).
You can configure multiple transform sets, and then specify one or more of these transform sets in a crypto map entry. The transform set defined in the crypto map entry is used in the IPSec security association negotiation during IKE phase 2 to protect the data flows specified by that crypto map entry's access list.
During the negotiation, the peers search for a transform set that is the same at both peers. When such a transform set is found, it is selected and will be applied to the protected traffic as part of both peers' IPSec security associations.
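The set limits from the Configure Transform Sets slide and the matching described above, modelled as an added example (not code from the course or from Cisco). The function names are hypothetical, and trying the initiator's sets in configured order is an assumption of this sketch; the six sets are the ones shown in the figure.

```python
# Added illustration: a simplified model of IPSec transform-set matching.
# Function names and the first-match ordering are assumptions of this sketch.

def validate_transform_set(transforms):
    """Apply the limits stated on the slide: up to three transforms,
    at most one AH transform and at most two ESP transforms."""
    names = [t.lower() for t in transforms]
    problems = []
    if not 1 <= len(names) <= 3:
        problems.append("a set holds one to three transforms")
    if sum(n.startswith("ah-") for n in names) > 1:
        problems.append("more than one AH transform")
    if sum(n.startswith("esp-") for n in names) > 2:
        problems.append("more than two ESP transforms")
    unknown = [n for n in names if not n.startswith(("ah-", "esp-"))]
    if unknown:
        problems.append("not an AH or ESP transform: " + ", ".join(unknown))
    return problems


def negotiate(initiator_sets, responder_sets):
    """Return (initiator_set, responder_set) names for the first initiator
    proposal whose transforms and mode are identical on the responder,
    or None when the peers share no transform set."""
    def key(entry):
        _, transforms, mode = entry
        return frozenset(t.lower() for t in transforms), mode.lower()

    offered = {}
    for entry in responder_sets:
        offered.setdefault(key(entry), entry[0])
    for entry in initiator_sets:
        match = offered.get(key(entry))
        if match is not None:
            return entry[0], match
    return None


# Transform sets from the slide's figure: (name, transforms, mode).
ROUTER_A = [
    ("10", ["esp-3des"], "tunnel"),
    ("20", ["esp-des", "esp-md5-hmac"], "tunnel"),
    ("30", ["esp-3des", "esp-sha-hmac"], "tunnel"),
]
ROUTER_B = [
    ("40", ["esp-des"], "tunnel"),
    ("50", ["esp-des", "ah-sha-hmac"], "tunnel"),
    ("60", ["esp-3des", "esp-sha-hmac"], "tunnel"),
]

if __name__ == "__main__":
    for name, transforms, _ in ROUTER_A + ROUTER_B:
        print(name, validate_transform_set(transforms) or "ok")
    print("negotiated:", negotiate(ROUTER_A, ROUTER_B))
```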
83
Step 2—Configure Global IPSec Security Association Lifetimes
84
crypto ipsec security-association lifetime Command
router(config)# crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
RouterA(config)# crypto ipsec security-association lifetime seconds 86400
Configures global IPSec SA lifetime values used when negotiating IPSec security associations.
IPSec SA lifetimes are negotiated during IKE phase two.
You can optionally configure interface-specific IPSec SA lifetimes in crypto maps.
IPSec SA lifetimes in crypto maps override global IPSec SA lifetimes.
Syntax Description
    seconds seconds: Specifies the number of seconds a security association will live before expiring. The default is 3600 seconds (one hour).
    kilobytes kilobytes: Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 kilobytes.
Default: 3600 seconds (one hour) and 4,608,000 kilobytes (10 Mbytes per second for one hour).
If you change a global lifetime, the change is only applied when the crypto map entry does not have a lifetime value specified. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations.
You can clear all or part of the security association database by using the clear crypto sa command. Refer to the clear crypto sa command for more detail.
85
Global Security Association Lifetime Examples
RouterA(config)# crypto ipsec security-association lifetime kilobytes
RouterA(config)# crypto ipsec security-association lifetime seconds 2700
When a security association expires, a new one is negotiated without interrupting the data flow.
The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword).
A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).
If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.
Related Commands
    set security-association lifetime
    show crypto ipsec security-association lifetime
86
Step 3—Create Crypto ACLs
87
Purpose of Crypto Access Lists
Figure: RouterA at Site 1. Outbound traffic: Encrypt or Bypass (clear text). Inbound traffic: Permit or Bypass (clear text).
Outbound—Indicate the data flow to be protected by IPSec.
Inbound—Filter out and discard traffic that should have been protected by IPSec.
Crypto map entries group IPSec policies into a crypto map set. Later, you will apply these crypto map sets to interfaces; then, all IP traffic passing through the interface is evaluated against the applied crypto map set.
If a crypto map entry sees outbound IP traffic that should be protected and the crypto map specifies the use of IKE, a security association is negotiated with the peer according to the parameters included in the crypto map entry; otherwise, if the crypto map entry specifies the use of manual security associations, a security association should have already been established via configuration. (If a dynamic crypto map entry sees outbound traffic that should be protected and no security association exists, the packet is dropped.)
88
Extended IP Access Lists for Crypto Access Lists
router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence][tos tos] [log]
RouterA(config)# access-list 110 permit tcp
Define which IP traffic will be protected by crypto.
Permit = encrypt / Deny = do not encrypt.
Syntax Description
    access-list-number: Number of an access list. This is a decimal number from 100 to 199 or from 2000 to
    dynamic dynamic-name: (Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide.
    timeout minutes: (Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently.
    deny: Denies access if the conditions are matched.
    permit: Permits access if the conditions are matched.
    protocol: Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the keyword ip. Some protocols allow further qualifiers described below.
    source: Number of the network or host from which the packet is being sent.
    source-wildcard: Wildcard bits to be applied to source.
89
Configure Symmetrical Peer Crypto Access Lists
RouterA(config)# access-list 110 permit tcp
RouterB(config)# access-list 101 permit tcp
You must configure mirror image ACLs.
Syntax Description (continued)
    destination: Number of the network or host to which the packet is being sent.
    destination-wildcard: Wildcard bits to be applied to the destination.
Note: Although the ACL syntax is unchanged, the meanings are slightly different—permit specifies that matching packets must be encrypted; deny specifies that matching packets need not be encrypted.
Crypto access lists are applied later using crypto maps.
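A check for the mirror-image requirement, as an added example rather than code from the course. The function names are hypothetical and the addresses are constructed sample values; port qualifiers and the dynamic keyword are not handled.

```python
import ipaddress

# Constructed sample entries; the addresses are illustrative only.
ROUTER_A_ACL = ["access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255"]
ROUTER_B_ACL = ["access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255"]
ROUTER_B_BAD = ["access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.0.0 0.0.255.255"]


def _take_address(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # Bits set in the wildcard are "don't care", so clear them in the base.
    return int(ipaddress.IPv4Address(first)) & ~wildcard & 0xFFFFFFFF, wildcard


def parse_entry(line):
    """Parse 'access-list N {permit|deny} protocol source destination'."""
    tokens = line.split()
    if (len(tokens) < 6 or tokens[0] != "access-list"
            or tokens[2] not in ("permit", "deny")):
        raise ValueError("unsupported entry: " + line)
    rest = tokens[4:]
    try:
        source = _take_address(rest)
        destination = _take_address(rest)
    except IndexError:
        raise ValueError("incomplete entry: " + line)
    if rest not in ([], ["log"]):
        raise ValueError("unsupported qualifiers: " + " ".join(rest))
    return {"action": tokens[2], "protocol": tokens[3],
            "source": source, "destination": destination, "text": line}


def mirrored(a, b):
    """True when b describes exactly the reverse flow of a."""
    return (a["action"] == b["action"] and a["protocol"] == b["protocol"]
            and a["source"] == b["destination"]
            and a["destination"] == b["source"])


def unmirrored_entries(local_acl, peer_acl):
    """Return the local entries that have no mirror image on the peer."""
    peer = [parse_entry(line) for line in peer_acl]
    return [entry["text"] for entry in map(parse_entry, local_acl)
            if not any(mirrored(entry, p) for p in peer)]


if __name__ == "__main__":
    print("good pair:", unmirrored_entries(ROUTER_A_ACL, ROUTER_B_ACL))
    print("bad pair: ", unmirrored_entries(ROUTER_A_ACL, ROUTER_B_BAD))
```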
90
Step 4—Create Crypto Maps
91
Purpose of Crypto Maps
Crypto maps pull together the various parts configured for IPSec, including:
    Which traffic should be protected by IPSec.
    The granularity of the traffic to be protected by a set of SAs.
    Where IPSec-protected traffic should be sent.
    The local address to be used for the IPSec traffic.
    What IPSec type should be applied to this traffic.
    Whether SAs are established (manually or via IKE).
    Other parameters needed to define an IPSec SA.
92
Crypto Map Parameters
Crypto maps define the following:
    The access list to be used.
    Remote VPN peers.
    Transform-set to be used.
    Key management method.
    Security-association lifetimes.
IPSec policies are implemented using transform sets on Cisco routers.
Figure labels: Crypto map, Encrypted traffic, Router interface.
93
Configure IPSec Crypto Maps
router(config)# crypto map map-name seq-num ipsec-manual
router(config)# crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
RouterA(config)# crypto map mymap 110 ipsec-isakmp
Use a different sequence number for each peer.
Multiple peers can be specified in a single crypto map for redundancy.
One crypto map per interface.
Syntax Description
    cisco: (Default value) Indicates that CET will be used instead of IPSec for protecting the traffic specified by this newly specified crypto map entry. If you use this keyword, none of the IPSec-specific crypto map configuration commands will be available. Instead, the CET-specific commands will be available.
    map-name: The name you assign to the crypto map set.
    seq-num: The number you assign to the crypto map entry.
    ipsec-manual: Indicates that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
    ipsec-isakmp: Indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.
    dynamic: (Optional) Specifies that this crypto map entry is to reference a preexisting dynamic crypto map. Dynamic crypto maps are policy templates used in processing negotiation requests from a peer IPSec device. If you use this keyword, none of the crypto map configuration commands will be available.
    dynamic-map-name: (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.
Default: No crypto maps exist.
94
Example Crypto Map Commands
Figure: RouterA (Site 1) connects over the Internet to RouterB and RouterC.
RouterA(config)# crypto map mymap 110 ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer
RouterA(config-crypto-map)# set peer
RouterA(config-crypto-map)# set pfs group1
RouterA(config-crypto-map)# set transform-set mine
RouterA(config-crypto-map)# set security-association lifetime seconds 86400
Multiple peers can be specified for redundancy.
95
Step 5—Apply Crypto Maps to Interfaces
96
Applying Crypto Maps to Interfaces
router(config-if)# crypto map map-name
RouterA(config)# interface ethernet0/1
RouterA(config-if)# crypto map mymap
Apply the crypto map to the outgoing interface.
Activates the IPSec policy.
97
IPSec Configuration Examples
RouterA# show running-config
crypto ipsec transform-set mine esp-des
!
crypto map mymap 10 ipsec-isakmp
 set peer
 set transform-set mine
 match address 110
interface Ethernet 0/1
 ip address
 no ip directed-broadcast
 crypto map mymap
access-list 110 permit tcp

RouterB# show running-config
crypto ipsec transform-set mine esp-des
!
crypto map mymap 10 ipsec-isakmp
 set peer
 set transform-set mine
 match address 101
interface Ethernet 0/1
 ip address
 no ip directed-broadcast
 crypto map mymap
access-list 101 permit tcp
98
Task 4—Test and Verify IPSec
99
Task 4—Test and Verify IPSec
Display your configured IKE policies.
    show crypto isakmp policy
Display your configured transform sets.
    show crypto ipsec transform-set
Display the current state of your IPSec SAs.
    show crypto ipsec sa
100
Task 4—Test and Verify IPSec (cont.)
Display your configured crypto maps.
    show crypto map
Enable debug output for IPSec events.
    debug crypto ipsec
Enable debug output for ISAKMP events.
    debug crypto isakmp
101
show crypto isakmp policy Command
router# show crypto isakmp policy
RouterA# show crypto isakmp policy
Protection suite of priority 110
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Message Digest 5
    authentication method: Rivest-Shamir-Adleman Encryption
    Diffie-Hellman group: #1 (768 bit)
    lifetime: seconds, no volume limit
Default protection suite
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
102
show crypto ipsec transform-set Command
router# show crypto ipsec transform-set
View the currently defined transform sets.
RouterA# show crypto ipsec transform-set
Transform set mine: { esp-des }
    will negotiate = { Tunnel, },
103
show crypto ipsec sa Command
router# show crypto ipsec sa
RouterA# show crypto ipsec sa
interface: Ethernet0/1
    Crypto map tag: mymap, local addr
    local ident (addr/mask/prot/port): ( / /0/0)
    remote ident (addr/mask/prot/port): ( / /0/0)
    current_peer:
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
    local crypto endpt.: , remote crypto endpt.:
    path mtu 1500, media mtu 1500
    current outbound spi: 8AE1C9C
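One way to read the packet counters in this output during verification, as an added example that is not part of the course material. The sample text is constructed in the slide's format with made-up addresses, the function names are hypothetical, and the health checks are heuristics assumed for this example.

```python
import re

# Constructed sample in the format of the slide; addresses are made up.
SAMPLE_OUTPUT = """\
interface: Ethernet0/1
    Crypto map tag: mymap, local addr 192.0.2.1
   local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
   local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.3.0/255.255.255.0/0/0)
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""

COUNTER = re.compile(r"#(pkts \w+|send errors|recv errors):?\s+(\d+)")


def parse_ipsec_sa(output):
    """Split 'show crypto ipsec sa' text into one record per protected flow."""
    flows = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("local ident"):
            flows.append({"local": line.split("):", 1)[1].strip(),
                          "counters": {}})
        elif not flows:
            continue  # header lines before the first flow
        elif line.startswith("remote ident"):
            flows[-1]["remote"] = line.split("):", 1)[1].strip()
        else:
            for name, value in COUNTER.findall(line):
                flows[-1]["counters"][name] = int(value)
    return flows


def assess(flow):
    """Heuristic checks (assumptions of this example, not Cisco guidance)."""
    c = flow["counters"]
    encaps, decaps = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    notes = []
    if encaps and not decaps:
        notes.append("outbound only: packets are encrypted but none are decrypted")
    elif decaps and not encaps:
        notes.append("inbound only: packets are decrypted but none are encrypted")
    elif not encaps and not decaps:
        notes.append("idle: no protected traffic has used this flow")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        notes.append("send or receive errors are non-zero")
    return notes


if __name__ == "__main__":
    for flow in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(flow["local"], "->", flow["remote"], assess(flow) or "ok")
```

A flow that only ever encrypts is worth comparing against the peer's crypto access list, since the two lists must be mirror images.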
104
show crypto map Command
router# show crypto map
View the currently configured crypto maps.
RouterA# show crypto map
Crypto Map "mymap" 10 ipsec-isakmp
    Peer =
    Extended IP access list 102
        access-list 102 permit ip host host
    Current peer:
    Security association lifetime: kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={ mine, }
105
debug crypto Commands
router# debug crypto ipsec
    Displays debug messages about all IPSec actions.
router# debug crypto isakmp
    Displays debug messages about all ISAKMP actions.
106
Crypto System Error Messages for ISAKMP
%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated!
    ISAKMP SA with the remote peer was not authenticated.
%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed
    ISAKMP peers failed protection suite negotiation for ISAKMP.
Purpose: Describe the two main error messages that the debug command can output.
Emphasize: In the first message, the remote peer did not prove its authentication. In the second message, the two peers could not negotiate a mutually agreeable authentication policy.
Transition: Answer any final questions about your presentation, then proceed to the lab exercises for this chapter.
107
Overview of Configuring IPSec Manually
108
Setting Manual Keys with security-association Commands
router(config-crypto-map)# set security-association inbound|outbound ah spi hex-key-string
router(config-crypto-map)# set security-association inbound|outbound esp spi cipher hex-key-string [authenticator hex-key-string]
Specifies inbound or outbound SA.
Sets Security Parameter Index (SPI) for the SA.
Sets manual AH and ESP keys:
    ESP key length is 56 bits with DES, 168 with 3DES.
    AH HMAC key length is 128 bits with MD5, 160 bits with SHA.
SPIs should be reciprocal for IPSec peers.
Purpose: This provides some information about manual SA keying.
Emphasize: The manual-key method is not used for this course. The hexadecimal number that identifies an SA can be quite a long string of numbers that is subject to typing errors. This method does not scale very well. The manual-key method will not work unless the hex number used inbound at the remote peer is reciprocal to the hex number used outbound at the local peer.
Transition: The next topic applies the map sets to one or more interfaces.
109
Overview of Configuring IPSec for RSA Encrypted Nonces
110
Tasks to Configure IPSec for RSA Encryption
Task 1—Prepare for IPSec.
Task 2—Configure RSA keys.
Task 3—Configure IKE.
Task 4—Configure IPSec.
Task 5—Test and verify IPSec.
111
Task 2—Configure RSA Keys
Step 1—Plan for RSA keys.
Step 2—Configure the router's host name and domain name.
    hostname name
    ip domain-name name
Step 3—Generate RSA keys.
    crypto key generate rsa usage keys
112
Task 2—Configure RSA Keys (cont.)
Step 4—Enter peer RSA public keys.
    crypto key pubkey-chain rsa
    addressed-key key address
    named-key key name
    key-string
113
Task 2—Configure RSA Keys (cont.)
Step 5—Verify key configuration.
    show crypto key mypubkey rsa
    show crypto key pubkey-chain rsa
Step 6—Manage RSA keys.
    crypto key zeroize rsa
114
Summary
115
Cisco supports the following IPSec standards: AH, ESP, DES, 3DES, MD5, SHA, RSA signatures, IKE (also known as ISAKMP), DH, and CAs.
There are five steps to IPSec: interesting traffic, IKE phase 1, IKE phase 2, IPSec encrypted traffic, and tunnel termination.
IPSec SAs consist of a destination address, SPI, IPSec transform, mode, and SA lifetime value.
Define the detailed crypto IKE and IPSec security policy before beginning configuration.
Ensure router access lists permit IPSec traffic.
116
Summary (cont.)
IKE policies define the set of parameters used during IKE negotiation.
Transform sets determine IPSec transform and mode.
Crypto access lists determine traffic to be encrypted.
Crypto maps pull together all IPSec details and are applied to interfaces.
Use show and debug commands to test and troubleshoot.
IPSec can also be configured manually or using encrypted nonces.
117
Lab Exercise
118
Lab Visual Objective
[Figure: lab topology. Labels: PODS 1-5 and PODS 6-10; network 172.26.26.0; WEB/FTP and CSACS servers; routers and RBB; networks 10.0.P.0 and 10.0.Q.0; student PCs with REMOTE: 10.1.P.12, LOCAL: 10.0.P.12 and REMOTE: 10.1.Q.12, LOCAL: 10.0.Q.12.]