The following lab exercise walks through creating an IPsec VPN between Cisco IOS routers.
We originally created this lab as part of one of our courses, and we hope you find it useful.
Lab Preparation
This lab is designed to help you learn the basics of IPsec VPNs and how Service Providers use IPsec to provide VPN services to their off-net customers: those who dial in to an ISP other than the Service Provider, as well as those who have a dedicated connection to another ISP using xDSL or a T-1 type of connection.
Because of the limited equipment we have in the LAB we will not be able to demonstrate all of these functions.
Student Objectives
After completing this lab, you will be able to do the following:
§ Explain the behaviour of IPsec and how it provides security over the Internet for users who are not directly connected to the Service Provider.
§ Configure IPSec on the routers and understand how it works.
§ Explain how Security Associations (SAs) are established and maintained between IPsec peers.
§ Use the proper router commands to confirm that an IPsec session has been established, and debug a session that is not working correctly.
Basic IPSec Set Up Lab Topology
IPsec Configuration – Part 1
Using the network configuration on the previous page, the first step in this lab is to divide the students into teams. The teams will work together to configure the entire lab network. Refer to the chart below for the part of the lab each team is responsible for.
NOTE: Teams 1, 2, 3 and 5 must save their present router configurations. At the end of this lab you will need to restore them so that you can continue with the MPLS sessions.
Team Number | Routers
1 | PE-1 & CE-1
2 | PE-2 & CE-3
3 | PE-3 & CE-2
4 | PE-4 & CE-5
5 | PE-5 & CE-4
IKE/ISAKMP Configuration Steps
To configure IKE we will perform the following steps:
A. Enable IKE
B. Ensure access lists are compatible with IKE
C. Create IKE policies
D. Configure pre-shared keys
E. Clear IKE connections
F. Troubleshoot IKE
Perform the following steps on the routers in the network that require IKE configuration:
1. Enable IKE
Router(config)# crypto isakmp enable
This is in case it has been disabled; ISAKMP is enabled by default.
2. Ensure that access lists are compatible with IKE. (Note: any interface access list must not block UDP port 500 (ISAKMP), IP protocol 50 (ESP) or IP protocol 51 (AH) between the peers.)
Router#show access-lists
3. Configure the ISAKMP policy. Keep in mind that you can have multiple policies. The lowest-numbered policy is evaluated first, and the first policy that matches the peer's proposal is used; the search stops there.
A. Create the crypto policy
Router(config)#crypto isakmp policy <priority> (priority = 1 to 10,000; 1 is the highest priority)
B. Specify the encryption algorithm
Router(config-isakmp)#encryption {des | 3des}
NOTE: because the 2500s only support DES, use des in the lab, although 3des is what a Service Provider would use. DES has a 56-bit key and is not acceptable outside a lab; on platforms that support them, choose 3des or aes.
C. Specify the hash algorithm. Both ends must use the same one. For the lab we will use md5.
Router(config-isakmp)#hash {sha |md5}
D. Specify one of the authentication methods. We will use pre-share for the lab:
Router(config-isakmp)#authentication {rsa-sig | rsa-encr | pre-share}
E. Define the Diffie-Hellman group: 1 = 768-bit, 2 = 1024-bit. Both ends must use the same group.
Router(config-isakmp)#group {1 | 2}
F. Specify the security associations lifetime in seconds.
Router(config-isakmp)#lifetime <seconds> (default 86,400 seconds, or 1 day)
G. Exit
Configuring pre-shared Keys on both routers.
1. First, set each peer's ISAKMP identity. Each peer's identity is either its host name or its IP address. By default, IOS uses the peer's IP address.
2. Next, specify the shared keys at each peer. Note that two peers share a given pre-shared key. At a given peer you could specify the same key to share with multiple remote peers; however, a more secure approach is to specify different keys to share between different pairs of peers.
Router(config)#crypto isakmp key <keystring> [address peeraddress | hostname peerhostname]
NOTE: Both ends must use the same approach, i.e. address or hostname. It is best to use the IP address. (Up to eight addresses may be assigned.)
The keystring also needs to be identical on both peer routers in the lab.
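The whole of phase 1 for one team's router pair, shown as an added example that is not part of the original lab. It assumes PE-1 and CE-1 face each other on Serial0 with 10.1.1.1/30 and 10.1.1.2/30, and uses the placeholder key LabKey123; the policy number 10 is arbitrary.

```cisco
! Added example, not from the original lab. Assumed addressing:
!   PE-1 Serial0 = 10.1.1.1/30, CE-1 Serial0 = 10.1.1.2/30
! "LabKey123" is a placeholder; use a long random string outside the lab.
!
! ---- PE-1 ----
crypto isakmp enable
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
! identity by address (the IOS default, stated explicitly here)
crypto isakmp identity address
crypto isakmp key LabKey123 address 10.1.1.2
!
! ---- CE-1 ---- (same policy parameters, key bound to the other peer)
crypto isakmp enable
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp identity address
crypto isakmp key LabKey123 address 10.1.1.1
!
! Check on each router that the encryption, hash, authentication and
! group lines agree before moving on:
! Router#show crypto isakmp policy
```

The policy numbers do not have to match between peers; the encryption, hash, authentication method and DH group do. If they do not, phase 1 fails before the pre-shared key is ever checked, and `debug crypto isakmp` reports that no acceptable proposal was found.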
Clearing IKE Connections
1. router# show crypto isakmp sa
This command displays the existing IKE connections so that you can note the connection identifiers (the conn-id column) of the connections you wish to clear.
2. router#clear crypto isakmp [connection-id]
CAUTION: If you omit the connection-id, the router clears all existing connections, including those that are active VPN sessions. The connection-id has a value from 0 to 299.
Troubleshooting IKE
router# show crypto key mypubkey rsa
router# show crypto key pubkey-chain rsa [name key-name | address key-address]
router# show crypto ca certificates
router# show crypto isakmp policy
router# show crypto isakmp sa
router# debug crypto isakmp
Please wait here until all other teams are ready to proceed to Part 2.
IPSec – Part 2
The following basic steps will be followed to complete the configuration of IPsec:
A. Create crypto access lists
B. Define transform sets
C. Create crypto map entries
D. Apply crypto map sets to interfaces
E. Monitor and maintaining IPSec
Preparation
1. Set global Lifetimes for IPSec Security Associations
router(config)#crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
2. You can clear the SAs to reset them with the following commands. See the WARNING below.
a. router#clear crypto sa
b. router#clear crypto sa peer {ip-address | peer-name}
c. router#clear crypto sa map map-name
d. router#clear crypto sa spi destination-address protocol spi
WARNING: using the clear crypto sa command without a parameter clears the entire SA database, which tears down all active security sessions and interrupts everyone using them.
Creating Crypto Access Lists
First, some notes:
- Select outbound traffic for IPSec protection (permit = Protect)
- Indicate the data flow for protection by the new security associations
- Process inbound traffic in order to filter out and discard traffic that should have been protected by IPSec.
- Determine whether or not to accept requests for IPSec SA on behalf of the requested data flows.
1. Numbered extended access list (access-list-number = 100 to 199)
Router(config)#access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
2. Named access list – preferred
Router(config)#ip access-list extended name
NOTE: the peer router must use a mirror image of the access list (source and destination swapped); if the two do not mirror each other, phase 2 negotiation fails with a proxy identity mismatch.
Defining Transform Sets
1. Router(config)#crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3]
Transforms (use the same on both ends):
ah-md5-hmac
esp-des
esp-des and esp-md5-hmac
ah-sha-hmac and esp-des and esp-sha-hmac
ah-rfc1828 and esp-rfc1829
Sample:
Router(config)#crypto ipsec transform-set myset esp-des ah-sha-hmac esp-md5-hmac
2. Set the mode in transform-set configuration mode (tunnel is the default and is what the lab uses):
Router(cfg-crypto-trans)#mode {tunnel | transport}
Creating Crypto Map Entries
Create Crypto Maps that establish Manual SAs.
For reference only – not used in the lab
1. Define the crypto map to use. The sequence number is between 1 and 65,535.
Router(config)#crypto map map-name seq-number ipsec-manual
2. Specify the access list to use
Router(config-crypto-map)#match address [access-list-id | name]
3. Specify the remote IPSec peer
Router(config-crypto-map)#set peer {hostname | ip-address}
4. Specify transform set to use
Router(config-crypto-map)# set transform-set transform-set-name
5. Set the session keys
Router(config-crypto-map)#set session-key {inbound | outbound} ah spi hex-key-string
Router(config-crypto-map)#set session-key {inbound | outbound} esp spi cipher hex-key-string [authenticator hex-key-string]
Create Crypto Maps that Use IKE to establish SA’s.
This is the one we will use in the lab.
1. Define the crypto map to use. The sequence number is between 1 and 65,535.
Router(config)#crypto map map-name seq-number ipsec-isakmp
2. Specify the access list to use
Router(config-crypto-map)#match address [access-list-id | name]
3. Specify the remote IPSec peer
Router(config-crypto-map)#set peer {hostname | ip-address}
4. Specify transform set to use
Router(config-crypto-map)# set transform-set transform-set-name1 [transform-set-name2… transform-set-name6]
NOTE: list multiple transform sets in order of priority, highest priority first.
5. Specify the SA lifetime for the Crypto map
Router(config-crypto-map)#set security-association lifetime seconds seconds
And/or
Router(config-crypto-map)#set security-association lifetime kilobytes kilobytes
NOTE: seconds from 120 to 86,400; kilobytes from 2,560 to 536,870,912.
6. Specify that the router establish separate SAs for each source and destination host-pair. Use with CAUTION. It can quickly overload the router if there are many SA established. (optional)
Router(config-crypto-map)# set security-association level per-host
7. Specify if IPSec should ask for Perfect Forward Secrecy (PFS) when requesting new SAs. (Optional)
Router(config-crypto-map)# set pfs [group1 | group2]
Creating Dynamic Crypto Maps
For reference only – not used in the lab
1. To create a dynamic crypto map do:
Router(config)#crypto dynamic-map dynamic-map-name dynamic-seq-num
2. Specify the transform set to use
Router(config-crypto-map)#set transform-set transform-set-name1 [transform-set-name2 … transform-set-name6]
3. Assign the extended access list
Router(config-crypto-map)#match address [access-list-id | name]
4. Specify the remote IPSec peer
Router(config-crypto-map)#set peer {hostname | ip-address}
5. Specify the lifetime for the key
Router(config-crypto-map)# set security-association lifetime seconds seconds
And/or
Router(config-crypto-map)# set security-association lifetime kilobytes kilobytes
6. Specify if IPSec should ask for Perfect Forward Secrecy (PFS) when requesting new SAs. (Optional)
Router(config-crypto-map)# set pfs [group1 | group2]
7. Add the dynamic crypto map to a static crypto map set
Router(config)#crypto map map-name seq-number ipsec-isakmp dynamic dynamic-map-name
8. Apply the crypto map set to the interface. This step is required for every crypto map, static or dynamic; nothing is encrypted until the map is bound to the interface the traffic leaves through.
Router(config-if)#crypto map map-name
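The complete phase 2 configuration for the same PE-1/CE-1 pair, added here as an example that is not part of the original lab. It assumes PE-1 has Serial0 = 10.1.1.1/30 and Ethernet0 = 192.168.1.1/24, CE-1 has Serial0 = 10.1.1.2/30 and Ethernet0 = 192.168.2.1/24, and it builds on the phase 1 configuration already in place. The names VPN-TRAFFIC, LAB-SET and LAB-MAP are placeholders.

```cisco
! Added example, not from the original lab. Assumed addressing:
!   PE-1: Serial0 10.1.1.1/30, Ethernet0 192.168.1.1/24
!   CE-1: Serial0 10.1.1.2/30, Ethernet0 192.168.2.1/24
!
! ---- PE-1 ----
! Crypto ACL: "permit" means "protect". Only LAN-to-LAN traffic is
! encrypted; router-to-router traffic on 10.1.1.0/30 stays in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! ESP with DES (all the 2500 supports) plus MD5 HMAC for integrity.
! Never run ESP without an authenticator: encryption alone does not
! stop an attacker from modifying the ciphertext.
crypto ipsec transform-set LAB-SET esp-des esp-md5-hmac
 mode tunnel
!
! Global phase 2 lifetime, 1 hour; a map entry could override it.
crypto ipsec security-association lifetime seconds 3600
!
crypto map LAB-MAP 10 ipsec-isakmp
 match address VPN-TRAFFIC
 set peer 10.1.1.2
 set transform-set LAB-SET
 set pfs group2
!
interface Serial0
 ip address 10.1.1.1 255.255.255.252
 crypto map LAB-MAP
!
! ---- CE-1 ---- (crypto ACL is the mirror image: source/destination swapped)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto ipsec transform-set LAB-SET esp-des esp-md5-hmac
 mode tunnel
!
crypto ipsec security-association lifetime seconds 3600
!
crypto map LAB-MAP 10 ipsec-isakmp
 match address VPN-TRAFFIC
 set peer 10.1.1.1
 set transform-set LAB-SET
 set pfs group2
!
interface Serial0
 ip address 10.1.1.2 255.255.255.252
 crypto map LAB-MAP
```

Two things that are easy to miss: the crypto map is applied after routing, so each router still needs a route to the remote LAN that points out Serial0 (a static route in the lab is fine), and if Serial0 carries an inbound interface access list it must permit udp eq 500, esp and ahp between 10.1.1.1 and 10.1.1.2 or the peers will never complete phase 1.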
Monitoring and Maintaining IPSec
Begin an extended ping from one router to its peer and then, on that router, issue:
Router#show crypto ipsec sa [map map-name | address | identity] [detail]
You should be able to see the encrypted/decrypted traffic increase each time you re-issue the command. This validates that the traffic you are generating is being sent across the connection in the encrypted format.
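The verification sequence on PE-1, added here as an example that is not part of the original lab, with the same assumed addressing as above (PE-1 Ethernet0 = 192.168.1.1, CE-1 Ethernet0 = 192.168.2.1). The point it makes is that the ping has to match the crypto ACL, which a plain ping between the Serial0 addresses does not.

```cisco
! Added example, not from the original lab. Assumes PE-1 Ethernet0 =
! 192.168.1.1 and CE-1 Ethernet0 = 192.168.2.1 (constructed addressing).
!
! "ping 10.1.1.2" is sourced from Serial0 (10.1.1.1) and does not match
! the crypto ACL (192.168.1.0/24 -> 192.168.2.0/24), so it goes in the
! clear and no SA is negotiated. Source the ping from the LAN address:
PE-1#ping 192.168.2.1 source 192.168.1.1
!
! On older images without the one-line form, run "ping" with no
! arguments, answer "Extended commands [n]: y" and give 192.168.1.1 at
! "Source address or interface:". Expect the first one or two replies to
! be dropped (".") while the SAs are negotiated, then "!".
!
! Phase 1: the peer 10.1.1.2 should be listed with state QM_IDLE.
PE-1#show crypto isakmp sa
!
! Phase 2: find the entry with local ident 192.168.1.0/24 and remote
! ident 192.168.2.0/24. "#pkts encaps" / "#pkts encrypt" rise on the
! outbound SA and "#pkts decaps" / "#pkts decrypt" on the inbound SA each
! time the ping is repeated.
PE-1#show crypto ipsec sa
!
! If the counters stay at zero, enable these on both peers, repeat the
! ping, read the output, then switch debugging off again:
PE-1#debug crypto isakmp
PE-1#debug crypto ipsec
PE-1#undebug all
```

If `show crypto isakmp sa` shows QM_IDLE but `show crypto ipsec sa` has no entry for the LAN pair, phase 1 is fine and the problem is in phase 2: re-check that the crypto ACLs mirror each other exactly and that the transform sets match.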
Other commands you may want to use to trouble shoot IPSec connections:
clear crypto sa
clear crypto sa peer {ip-address | peer-name}
clear crypto sa map map-name
clear crypto sa spi destination-address protocol spi
clear crypto sa counters
show crypto ipsec transform-set [tag transform-set-name]
show crypto map [interface interface | tag map-name]
show crypto dynamic-map [tag map-name]
show crypto ipsec security-association lifetime
Lab Summary
In this lab you have learned how IKE is used to establish the Security Associations that IPsec uses to transfer encrypted information over an otherwise clear connection.
I hope you find this article and its content helpful. Comments are welcome below. If you would like to see more articles like this, please support us by clicking the patron link, where you will receive free bonus access to courses and more, or simply buy us a cup of coffee!