19.1 Key Terms
IKE Phase 1 = Internet Key Exchange Phase 1: negotiates the parameters for the IKE Phase 1 tunnel, including hash, DH group, encryption, and lifetime.
IKE Phase 2 = Internet Key Exchange Phase 2: builds the actual IPsec tunnel. This includes negotiating the transform set for the IPsec SA.
transform set = A set of secure protocol parameters to be used by IPsec in IKE Phase 2. To properly peer, both sides must agree on a common set.
DH group = The Diffie-Hellman exchange refers to the security algorithm used to exchange keys securely, even over an unsecured network connection. Groups refer to the lengths of the keys involved in the exchange. Group 1 is a 768-bit key exchange, Group 2 is a 1024-bit key exchange, and Group 5 is a 1536-bit key exchange. The purpose of this algorithm is to establish shared symmetric secret keys on both peers. The symmetric keys are used by symmetric algorithms such as AES. DH itself is an asymmetric algorithm.
Lifetime = The amount of time (in seconds) or the amount of data after which a key or security association is no longer considered valid.
19.2 Things to Remember
19.2.1 IPsec Goals and the Methods Used to Implement Them
Goal > Method That Provides the Feature
Confidentiality > Encryption
Data integrity > Hashing
Peer authentication > Pre-shared keys, RSA digital signatures
Antireplay > Integrated into IPsec, basically applying sequence numbers to packets
19.3 Command References
Command > Description
crypto map mymap 1 ipsec-isakmp > Generate or edit a crypto map named MYMAP, sequence number 1, and request the services of ISAKMP.
crypto isakmp policy 3 > Enter IKE Phase 1 configuration mode for policy number 3.
show crypto map > Verify which components are included in the crypto map, including the ACL, the peer address, the transform set, and where the crypto map is applied.
crypto ipsec transform-set myset > This is the beginning sequence for creating an IKE Phase 2 transform set named MYSET. It is followed by the HMAC (hashed message authentication code, the hashing method used for authentication) and the encryption method (3DES, or preferably AES) that you want to use.
19.4 Command Examples
The CLI Equivalent Commands to Implement IPsec VPNs
R1(config)# crypto isakmp policy 2
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encr aes 128
R1(config-isakmp)# hash md5
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 600
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 address 43.0.0.2
R1(config)# access-list 100 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
R1(config)# crypto ipsec transform-set MY-SET esp-sha-hmac esp-aes 256
R1(cfg-crypto-trans)# mode tunnel
R1(cfg-crypto-trans)# exit
R1(config)# crypto map SDM_CMAP_1 1 ipsec-isakmp
R1(config-crypto-map)# match address 100
R1(config-crypto-map)# set transform-set MY-SET
R1(config-crypto-map)# set peer 43.0.0.2
R1(config-crypto-map)# exit
R1(config)# interface GigabitEthernet1/0
R1(config-if)# crypto map SDM_CMAP_1
R1(config-if)# exit
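An added example (not from the chapter and not Cisco code) tying the Key Terms to the Phase 1 policy configured above: it parses the crypto isakmp policy blocks of two constructed configs (R1 is the chapter's; R2 is a hypothetical peer) and checks whether the two peers share a Phase 1 policy, since without identical hash, DH group, encryption and authentication no tunnel is built. The field defaults and the "shorter lifetime wins" rule are assumptions modelled on classic IOS behaviour.

```python
# Added example (not Cisco code): parse the 'crypto isakmp policy' blocks of two
# constructed configs and match them the way IKE Phase 1 does, as described above.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    authentication: str = "rsa-sig"  # assumed classic IOS defaults for omitted lines
    encryption: str = "des"
    hash: str = "sha"
    group: int = 1
    lifetime: int = 86400

def parse_isakmp_policies(config):
    """Return the policies found in a running-config fragment, lowest number first."""
    policies = []
    block = r"^crypto isakmp policy (\d+)\n((?:[ \t]+\S.*\n?)*)"
    for m in re.finditer(block, config, re.MULTILINE):
        fields = {"priority": int(m.group(1))}
        for line in m.group(2).splitlines():
            kw, *args = line.split()
            kw = {"encr": "encryption"}.get(kw, kw)   # IOS accepts both spellings
            if kw in ("group", "lifetime"):
                fields[kw] = int(args[0])
            elif kw in ("authentication", "encryption", "hash"):
                fields[kw] = " ".join(args)            # keeps key size, e.g. "aes 128"
        policies.append(IsakmpPolicy(**fields))
    return sorted(policies, key=lambda p: p.priority)

def negotiate_phase1(initiator, responder):
    """Responder walks its own policies by priority (lowest number first) against
    every offer; the first identical auth/encryption/hash/group wins and the
    shorter lifetime is used. Returns (responder_prio, initiator_prio, lifetime)."""
    for own in responder:
        for offer in initiator:
            if ((own.authentication, own.encryption, own.hash, own.group)
                    == (offer.authentication, offer.encryption, offer.hash, offer.group)):
                return own.priority, offer.priority, min(own.lifetime, offer.lifetime)
    return None  # no common policy: Phase 1 fails and no IPsec tunnel is built

# Constructed configs: R1 is the chapter's example; R2 is a hypothetical peer whose
# policy 1 differs from R1 (encryption/hash/group) while policy 5 matches except lifetime.
R1_CONFIG = "crypto isakmp policy 2\n authentication pre-share\n encr aes 128\n hash md5\n group 2\n lifetime 600\n"
R2_CONFIG = ("crypto isakmp policy 1\n authentication pre-share\n encr aes 256\n hash sha\n group 5\n"
             "crypto isakmp policy 5\n authentication pre-share\n encr aes 128\n hash md5\n group 2\n lifetime 3600\n")

if __name__ == "__main__":
    print(negotiate_phase1(parse_isakmp_policies(R1_CONFIG), parse_isakmp_policies(R2_CONFIG)))
```

Feeding it the output of show running-config from both ends is a quick way to explain a Phase 1 that never comes up in show crypto isakmp sa.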
Verifying the IPsec VPN from the CLI
R1# show crypto isakmp policy
R1# show crypto map
R1# show crypto isakmp sa detail
R1# show crypto ipsec sa
R1# show crypto engine connections active