20.1 Key Terms
IKE Phase 1 = Internet Key Exchange Phase 1 negotiates the parameters for the IKE Phase 1 tunnel, including hash, DH group, encryption, and lifetime.
IKE Phase 2 = Internet Key Exchange Phase 2 builds the actual IPsec tunnel. This includes negotiating the transform set for the IPsec SA.
transform set = A set of secure protocol parameters to be used by IPsec in IKE Phase 2. To properly peer, both sides must agree on a common set.
DH group = The Diffie-Hellman exchange refers to the security algorithm used to exchange keys securely, even over an unsecured network connection. Groups refer to the lengths of the keys involved in the exchange: Group 1 is a 768-bit key exchange, Group 2 is a 1024-bit key exchange, and Group 5 is a 1536-bit key exchange. The purpose of this algorithm is to establish shared symmetric secret keys on both peers. The symmetric keys are then used by symmetric algorithms such as AES; DH itself is an asymmetric algorithm.
Lifetime = The amount of time (in seconds) or the amount of data that may pass before a key or security association is no longer considered valid.
PFS = Perfect Forward Secrecy. When PFS is enabled, new DH keys are not based on seeds from previous keys, further increasing security. PFS is associated only with IKE Phase 2.
20.2 Things to Remember
20.2.1 IKE Phase 1 Policy Options
Function > Strong Method > Stronger Method
Hashing > MD5, 128-bit > SHA1, 160-bit
Authentication > Pre-shared key (PSK) > RSA-Sigs (digital signatures)
Group # for DH key exchange > 1, 2 > 5
Lifetime > 86400 seconds (1 day, default) > Shorter than 1 day, e.g. 3600
Encryption > 3DES > AES-128 (or 192, or 256)
20.2.2 IKE Phase 2 Policy Options
Item to Plan: Peer IP addresses
Implemented By: Crypto map
Notes: Having a known, reachable IP address for the VPN peer is critical for the traditional IPsec site-to-site tunnel to negotiate and establish the VPN (both phases).
Item to Plan: Traffic to encrypt
Implemented By: Crypto ACL, which is referred to in the crypto map
Notes: An extended ACL that is not applied to an interface but is referenced in the crypto map. It should reference only the outbound (egress) traffic that should be protected by IPsec. Traffic not matching the crypto ACL will not be encrypted but will be sent as a normal packet.
Item to Plan: Encryption method
Implemented By: Transform set, which is referred to in the crypto map
Notes: DES, 3DES, and AES are all options. The IKE Phase 2 method does not need to be the same as the Phase 1 method, but it does need to match the peer's Phase 2 policy (transform sets).
Item to Plan: Hashing (HMAC) method
Implemented By: Transform set, which is referred to in the crypto map
Notes: MD5 and SHA HMACs may be used, and the choice needs to match the Phase 2 policy of the peer.
Item to Plan: Lifetime (time, or data)
Implemented By: Global configuration command: crypto ipsec security-association lifetime ...
Notes: The Phase 2 lifetime should match between the peers. If both use the default lifetime (by not specifying one), the peers have compatible lifetime policies. The lifetime can be specified as a number of seconds or a number of kilobytes.
Item to Plan: Perfect Forward Secrecy (PFS) (run DH again or not)
Implemented By: Crypto map
Notes: DH is run during IKE Phase 1, and by default Phase 2 reuses the keying material that was generated there. Having Phase 2 rerun DH is called Perfect Forward Secrecy (PFS); if you enable it, you must choose a DH group number (1, 2 or 5) for Phase 2 to use.
Item to Plan: Which interface is used to peer with the other VPN device
Implemented By: Crypto map applied to the outbound interface
Notes: From a routing perspective, this is the interface of a VPN peer that is closest to the other peer, where outbound IPsec packets leave the router and inbound IPsec packets enter the router.
20.3 Command References
Command > Description
crypto map MYMAP 1 ipsec-isakmp > Generate or edit a crypto map named MYMAP, sequence number 1, and request the services of ISAKMP.
crypto isakmp policy 3 > Enter IKE Phase 1 configuration mode for policy number 3.
show crypto map > Verify what components are included in the crypto map, including the ACL, the peer address, the transform set, and where the crypto map is applied.
set peer 1.2.3.4 > Used inside a crypto map to indicate who the VPN peer should be.
match address 100 > Used inside a crypto map to indicate which ACL identifies the interesting outbound traffic to be encrypted.
crypto map MYMAP > Applies a crypto map to an interface (entered in interface configuration mode).
crypto ipsec transform-set MYSET > Begins creating an IKE Phase 2 transform set named MYSET. This is followed by the HMAC (hashing with authentication) and encryption method (3DES, or preferably AES) that you want to use.
20.4 Command Examples
Verifying NTP Status
R1# show ntp status
R1# show ntp associations
R1# show ntp status
Preparing for and Obtaining Digital Certificates
R1(config)# ip domain name cisco.com
R1(config)# crypto key generate rsa
R1(config)# crypto pki trustpoint CA
R1(ca-trustpoint)# enrollment url http://3.3.3.3
R1(ca-trustpoint)# exit
R1(config)# crypto pki authenticate CA
R1(config)# crypto pki enroll CA
CLI Implementation of the Crypto Policy for R1
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr aes 256
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 3600
R1(config-isakmp)# authentication rsa-sig
R1(config-isakmp)# hash sha
R1# show crypto isakmp policy
R1(config)# crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)# exit
R1(config)# access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
R1(config)# crypto map MYMAP 1 ipsec-isakmp
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# set peer 23.0.0.2
R1(config-crypto-map)# set transform-set MYSET
R1(config-crypto-map)# set pfs group2
R1(config-crypto-map)# exit
R1(config)# interface GigabitEthernet1/0
R1(config-if)# crypto map MYMAP
R1(config-if)# exit
Verifying the IPsec Configuration
R1# show crypto isakmp policy
R1# show crypto map
Interesting Traffic to Trigger IPsec
R1# ping 192.168.0.2 source g1/0
Debug Used for Troubleshooting IKE Phase 1
R1# debug crypto isakmp
R1# ping 192.168.0.2 source g1/0
Troubleshooting by Verifying Configuration
R1# show crypto map
R1# show ip int brief
R1# show crypto isakmp sa
R1# show ip route
R1# conf t
R1(config)# int g1/0
R1(config-if)# no crypto map MYMAP
R1(config-if)# crypto map MYMAP
R1# show debug
R1# ping 192.168.0.2 source g1/0
Test Ping Using the Correct Source Interface and Associated IP Address
R1# ping 192.168.0.2 source g2/0
R1# show crypto isakmp sa
Verifying the Configuration on R2
R2# show crypto isakmp policy
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encryption aes 256
R2(config-isakmp)# end
R2# debug crypto isakmp
R2# ping 172.16.0.1 source g2/0
Troubleshooting IKE Phase 2, the IPsec Tunnel
R1# show crypto map
R2# show crypto map
R2(config)# crypto map MYMAP 1 ipsec-isakmp
R2(config-crypto-map)# set pfs group2
R2(config-crypto-map)# end
R2# ping 172.16.0.1 source g2/0
R2# ping 172.16.0.1 source g2/0 repeat 500
R2# show crypto isakmp sa
R2# show crypto isakmp sa detail
R2# show crypto ipsec sa
R2# show crypto engine connections active
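The peer-agreement rules from 20.2 (Phase 1 policy, transform set, PFS, crypto ACL) are what the R1/R2 troubleshooting walkthrough above is checking by hand. The following script is an added example, not part of the original notes: it parses constructed IOS excerpts (R1's mirrors the commands above; R2's is an assumed peer config with two deliberate mismatches, 3DES instead of AES and no PFS) and lists the settings that would keep Phase 1 or Phase 2 from negotiating.

```python
# Constructed IOS excerpts for two site-to-site peers (not from the page); only lines
# whose values must agree between peers are kept.
R1_CFG = """
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication rsa-sig
 group 5
 lifetime 3600
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
crypto map MYMAP 1 ipsec-isakmp
 set pfs group2
"""
# R2 is R1's mirror image except for two deliberate mismatches: 3DES and no PFS.
R2_CFG = R1_CFG.replace("encr aes 256", "encr 3des").replace(" set pfs group2\n", "").replace(
    "172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255", "192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255")
PHASE1_KEYS = ("encr", "hash", "authentication", "group", "lifetime")

def parse(cfg):
    """Pull the peer-sensitive IKE Phase 1 / Phase 2 settings out of an IOS excerpt."""
    p, section = {"pfs": None}, None
    for words in (line.split() for line in cfg.splitlines()):
        if not words:
            continue
        if words[:3] == ["crypto", "isakmp", "policy"]:
            section = "isakmp"
        elif words[:2] == ["crypto", "map"]:
            section = "map"
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            p["transform"] = tuple(words[4:])          # e.g. ('esp-aes', 'esp-sha-hmac')
        elif words[0] == "access-list" and words[2] == "permit":
            p["acl"] = tuple(words[4:8])               # (src, src-wildcard, dst, dst-wildcard)
        elif section == "isakmp" and words[0] in PHASE1_KEYS + ("encryption",):
            p[words[0].replace("encryption", "encr")] = " ".join(words[1:])  # 'encryption' is a synonym of 'encr'
        elif section == "map" and words[:2] == ["set", "pfs"]:
            p["pfs"] = words[2]
    return p

def compare(cfg_a, cfg_b):
    """List the mismatches that would stop Phase 1 or Phase 2 from negotiating."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = [f"Phase 1 {k}: {a.get(k)} vs {b.get(k)}" for k in PHASE1_KEYS if a.get(k) != b.get(k)]
    if a.get("transform") != b.get("transform"):
        issues.append(f"Phase 2 transform set: {a.get('transform')} vs {b.get('transform')}")
    if a["pfs"] != b["pfs"]:
        issues.append(f"Phase 2 PFS: {a['pfs']} vs {b['pfs']}")
    src, swc, dst, dwc = a["acl"]                      # the peer's crypto ACL must be the mirror image
    if b["acl"] != (dst, dwc, src, swc):
        issues.append(f"Crypto ACL not mirrored: {a['acl']} vs {b['acl']}")
    return issues
```

Running compare(R1_CFG, R2_CFG) reports the Phase 1 encryption and Phase 2 PFS mismatches, the same two items the walkthrough above corrects on R2.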