
Cisco IOS Site-to-Site VPN using IKEv1

Cisco IOS Site-to-Site IPSEC VPN



What is VPN?

A VPN carries private traffic across a public network such as the Internet.

VPNs fall into two categories:
 1. Unsecured VPN (traffic is separated from other customers' traffic but not encrypted)
    - Frame Relay
    - MPLS VPN
 2. Secured VPN (traffic is encrypted and authenticated end to end)
    - IPsec
    - SSL

Secured VPN using IPSEC

IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF) that provides security for transmission of sensitive information over unprotected networks such as the Internet. It acts at the network level and implements the following standards:
 1. Internet Key Exchange (IKE)
 2. Data Encryption Standard (DES)
 3. MD5 (HMAC variant)
 4. SHA (HMAC Variant)
 5. Authentication Header (AH)
 6. Encapsulating Security Payload (ESP)

Internet Key Exchange (IKE)—A hybrid protocol that implements Oakley and SKEME key exchanges inside the ISAKMP framework. While IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys.

DES—The Data Encryption Standard (DES) is used to encrypt packet data. Cisco IOS implements the mandatory 56-bit DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet. For backward compatibility, Cisco IOS IPSec also implements the RFC 1829 version of ESP DES-CBC.

MD5 (HMAC variant)—MD5 (Message Digest 5) is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.


SHA (HMAC variant)—SHA (Secure Hash Algorithm) is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.

AH—Authentication Header. A security protocol which provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram).

ESP—Encapsulating Security Payload. A security protocol which provides data privacy services and optional data authentication, and anti-replay services. ESP encapsulates the data to be protected.



IPSec provides the following network security services. These services are optional. In general, local security policy will dictate the use of one or more of these services:
Data Confidentiality—The IPSec sender can encrypt packets before transmitting them across a network.
Data Integrity—The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
Data Origin Authentication—The IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service.
Anti-Replay—The IPSec receiver can detect and reject replayed packets.

Security Association
A security association is a description of how two or more entities will use security services in the context of a particular security protocol (AH or ESP) to communicate securely on behalf of a particular data flow. It includes such things as the transform and the shared secret keys to be used for protecting the traffic.

Transform
Transform is the list of operations done on a data flow to provide data authentication, data confidentiality, and data compression. For example, one transform is the ESP protocol with the HMAC-MD5 authentication algorithm; another transform is the AH protocol with the 56-bit DES encryption algorithm and the ESP protocol with the HMAC-SHA authentication algorithm.

Tunnel
In this context, "tunnel" is a secure communication path between two peers, such as two routers. It does not refer to using IPSec in tunnel mode.

IPSec also works with the GRE and IPinIP Layer 3, L2F, L2TP, DLSw+, and SRB tunneling protocols; however, multipoint tunnels are not supported. Other Layer 3 tunneling protocols may not be supported for use with IPSec.

Configuration Example:



Task-1: Configure an IPSEC LAN-to-LAN VPN between R1 and R2 with the following parameters:

ISAKMP parameters (Phase 1):
    Encryption: 3DES
    Hash: MD5
    DH Group: 2
    Authentication: Pre-Share
    Key: cisco123

IPSEC parameters (Phase 2):
    Encryption: AES
    Hash: SHA
    Interested Traffic: Between 10.1.1.0/24 & 10.2.2.0/24

Task-2: Configure an IPSEC LAN-to-LAN VPN between R1 and R3 with the following parameters:

ISAKMP parameters (Phase 1):
    Encryption: 3DES
    Hash: MD5
    DH Group: 2
    Authentication: Pre-Share
    Key: cisco123

IPSEC parameters (Phase 2):
    Encryption: 3DES
    Hash: MD5
    Interested Traffic: Between 10.1.1.0/24 & 10.3.3.0/24

Initial Configuration:

R1:

interface FastEthernet0/0
 ip address 192.1.10.1 255.255.255.0
 duplex auto
 speed auto
end

interface Loopback0
 ip address 10.1.1.1 255.255.255.0
end

ip route 0.0.0.0 0.0.0.0 192.1.10.10


R2:

interface FastEthernet1/0
 ip address 192.1.20.2 255.255.255.0
 duplex auto
 speed auto
end

interface Loopback0
 ip address 10.2.2.2 255.255.255.0
end

ip route 0.0.0.0 0.0.0.0 192.1.20.10

R3:

interface FastEthernet0/0
 ip address 192.1.30.3 255.255.255.0
 duplex auto
 speed auto
end

interface Loopback0
 ip address 10.3.3.3 255.255.255.0
end

ip route 0.0.0.0 0.0.0.0 192.1.30.10


Task-1: Lan-to-Lan IPSEC Configuration between R1 & R2

R1:

Step – 1: ISAKMP Phase – 1

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.1.20.2

Step – 2: IPSEC Phase – 2

crypto ipsec transform-set TO-R2 esp-aes esp-sha-hmac

Step – 3: Interested Traffic

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

Step – 4: Crypto Map

crypto map CMAP 1 ipsec-isakmp 
 set peer 192.1.20.2
 set transform-set TO-R2 
 match address 101

Step – 5: Apply to Interface

interface FastEthernet0/0
 crypto map CMAP
end



R2:

Step – 1: ISAKMP Phase – 1

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.1.10.1

Step – 2: IPSEC Phase – 2

crypto ipsec transform-set TO-R1 esp-aes esp-sha-hmac

Step – 3: Interested Traffic

access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Step – 4: Crypto Map

crypto map CMAP 1 ipsec-isakmp 
 set peer 192.1.10.1
 set transform-set TO-R1 
 match address 101

Step – 5: Apply to Interface

interface FastEthernet1/0
 crypto map CMAP
end
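The five steps above create a small set of objects on each router (ISAKMP policy, pre-shared key, transform set, crypto ACL, crypto map and the interface it is applied to) that must be internally consistent on each side and mirrored on the peer: the peer address in the crypto map must have a matching isakmp key, the ACL on R2 must be the exact reverse of the ACL on R1, and the transform sets must agree. The Python script below is an added example, not code from the page's author or from Cisco. It parses the crypto-related lines of the two configurations (transcribed from the page into constructed strings), reports references to undefined objects or a crypto map that is never applied, cross-checks the two routers against each other, and also flags the legacy algorithms used in this lab (3DES, MD5, DH group 2), which Cisco's Next Generation Encryption guidance classes as legacy or to be avoided. The parser covers only the command forms shown on the page; the function names and the WEAK_ALGS list are the example's own.

```python
# Constructed sample input: R1's and R2's Task-1 crypto configuration from the page.
R1_CONFIG = """\
interface FastEthernet0/0
 ip address 192.1.10.1 255.255.255.0
 crypto map CMAP
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.1.20.2
crypto ipsec transform-set TO-R2 esp-aes esp-sha-hmac
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map CMAP 1 ipsec-isakmp
 set peer 192.1.20.2
 set transform-set TO-R2
 match address 101
"""
R2_CONFIG = """\
interface FastEthernet1/0
 ip address 192.1.20.2 255.255.255.0
 crypto map CMAP
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.1.10.1
crypto ipsec transform-set TO-R1 esp-aes esp-sha-hmac
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map CMAP 1 ipsec-isakmp
 set peer 192.1.10.1
 set transform-set TO-R1
 match address 101
"""
# Example's own list of legacy ciphers, hashes and DH groups to flag.
WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}

def parse_ios(text):  # minimal parser for the crypto-related parts of an IOS config
    cfg = {"policies": {}, "keys": {}, "tsets": {}, "acls": {}, "maps": {}, "ifaces": {}}
    section = None
    for raw in filter(str.strip, text.splitlines()):
        w = raw.split()
        if raw[0] != " ":                      # top-level command: starts a new section
            section = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                section = cfg["policies"].setdefault(w[3], {})
            elif w[:3] == ["crypto", "isakmp", "key"]:
                cfg["keys"][w[5]] = w[3]       # peer address -> pre-shared key
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"][w[3]] = set(w[4:])
            elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
                cfg["acls"].setdefault(w[1], []).append(tuple(w[4:8]))
            elif w[:2] == ["crypto", "map"]:
                section = cfg["maps"].setdefault(w[2], {}).setdefault(w[3], {})
            elif w[0] == "interface":
                section = cfg["ifaces"].setdefault(w[1], {})
        elif section is not None:              # indented line: attribute of the section
            if w[0] in ("set", "match"):
                section[w[1]] = w[2]           # peer, transform-set, address
            elif len(w) >= 3:
                section[" ".join(w[:2])] = w[2]  # "ip address", "crypto map"
            else:
                section[w[0]] = w[1]           # encr, hash, authentication, group
    return cfg

def audit_local(cfg):  # single-device checks: legacy algorithms, dangling references
    f = []
    for pid, p in cfg["policies"].items():
        f += [f"isakmp policy {pid}: weak {k} {p[k]}" for k in ("encr", "hash") if p.get(k) in WEAK_ALGS]
        if p.get("group") in WEAK_DH_GROUPS:
            f.append(f"isakmp policy {pid}: weak DH group {p['group']}")
    for name, algs in cfg["tsets"].items():
        f += [f"transform-set {name}: weak {a}" for a in sorted(algs & WEAK_ALGS)]
    applied = {i.get("crypto map") for i in cfg["ifaces"].values()}
    for mname, entries in cfg["maps"].items():
        if mname not in applied:
            f.append(f"crypto map {mname}: not applied to any interface")
        for seq, e in entries.items():
            for key, table in (("transform-set", "tsets"), ("address", "acls"), ("peer", "keys")):
                if e.get(key) not in cfg[table]:
                    f.append(f"crypto map {mname} {seq}: {key} {e.get(key)} is not defined")
    return f

def audit_pair(local, remote):  # cross-device checks: key, transform set and ACL must mirror
    f = []
    for mname, entries in local["maps"].items():
        my_ip = next((i["ip address"] for i in local["ifaces"].values() if i.get("crypto map") == mname), None)
        for seq, e in entries.items():
            if local["keys"].get(e.get("peer")) != remote["keys"].get(my_ip):
                f.append(f"{mname} {seq}: pre-shared keys differ for {my_ip} <-> {e.get('peer')}")
            # the remote crypto map entry that points back at this router (empty if none)
            back = next((r for m in remote["maps"].values() for r in m.values() if r.get("peer") == my_ip), {})
            if local["tsets"].get(e.get("transform-set")) != remote["tsets"].get(back.get("transform-set")):
                f.append(f"{mname} {seq}: transform set does not match the remote entry")
            mirror = remote["acls"].get(back.get("address"), [])
            for s, sw, d, dw in local["acls"].get(e.get("address"), []):
                if (d, dw, s, sw) not in mirror:
                    f.append(f"{mname} {seq}: ACE {s}/{sw} -> {d}/{dw} is not mirrored on the remote")
    return f
```

Run `audit_local(parse_ios(R1_CONFIG))` to see the three legacy-algorithm findings for the Phase 1 policy, and `audit_pair(parse_ios(R1_CONFIG), parse_ios(R2_CONFIG))` returns an empty list because the two sides of the lab mirror each other; editing either ACL, key or transform set in one string makes the mismatch show up immediately.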


Verification:

R1#ping 10.2.2.2 source 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/108/112 ms

R2#ping 10.1.1.1 source 10.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/85/148 ms

R1#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.1.20.2      192.1.10.1      QM_IDLE           1001    0 ACTIVE


R2#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.1.20.2      192.1.10.1      QM_IDLE           1001    0 ACTIVE

R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 192.1.10.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 192.1.20.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.1.10.1, remote crypto endpt.: 192.1.20.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x1C998955(479824213)

     inbound esp sas:
      spi: 0xEED992B0(4007236272)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4589328/3494)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1C998955(479824213)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4589328/3494)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


R2#show crypto ipsec sa 

interface: FastEthernet1/0
    Crypto map tag: CMAP, local addr 192.1.20.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 192.1.10.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.1.20.2, remote crypto endpt.: 192.1.10.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0xEED992B0(4007236272)

     inbound esp sas:
      spi: 0x1C998955(479824213)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4421645/3447)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEED992B0(4007236272)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4421645/3447)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
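Reading the two `show crypto ipsec sa` outputs by eye, the points to confirm are that each router has an ACTIVE inbound and an ACTIVE outbound ESP SA with replay detection on, that the encaps/encrypt and decaps/decrypt counters move together, and that the two sides agree with each other: the SPI of an SA is chosen by the receiving peer, so R1's outbound SPI 0x1C998955 must appear as R2's inbound SPI and R2's outbound SPI 0xEED992B0 as R1's inbound SPI, and the local/remote identities must be mirrored. The Python script below is an added example, not code from the page's author or from Cisco. It parses trimmed copies of both outputs (constructed from the output above) and performs those checks; on R1 it reports the nonzero send-error counter as something to look at. The function names are the example's own and the regular expressions cover only the line formats shown above.

```python
import re

# Constructed sample input: the relevant lines of "show crypto ipsec sa" from R1
# and R2 as shown on the page (counters and ESP SA blocks; other lines trimmed).
R1_SA = """\
    Crypto map tag: CMAP, local addr 192.1.10.1
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 192.1.20.2 port 500
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0xEED992B0(4007236272)
        transform: esp-aes esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x1C998955(479824213)
        transform: esp-aes esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE
"""
R2_SA = """\
    Crypto map tag: CMAP, local addr 192.1.20.2
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 192.1.10.1 port 500
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x1C998955(479824213)
        transform: esp-aes esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0xEED992B0(4007236272)
        transform: esp-aes esp-sha-hmac ,
        replay detection support: Y
        Status: ACTIVE
"""

def parse_ipsec_sa(text):
    """Extract the fields worth checking from one 'show crypto ipsec sa' entry."""
    def g(pattern):
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1)
    sa = {
        "local_addr": g(r"local addr (\S+)"),
        "peer": g(r"current_peer (\S+)"),
        "local_ident": g(r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)"),
        "remote_ident": g(r"remote ident \(addr/mask/prot/port\): \((\S+)\)"),
        "counters": {k: int(g(rf"#pkts {k}: (\d+)")) for k in ("encaps", "encrypt", "decaps", "decrypt")},
        "send_errors": int(g(r"#send errors (\d+)")),
        "recv_errors": int(g(r"#recv errors (\d+)")),
        "esp_sas": [],
    }
    # SA blocks are delimited by the "<direction> <protocol> sas:" headers.
    heads = list(re.finditer(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:", text, re.M))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        if h.group(2) != "esp":
            continue
        for m in re.finditer(r"spi: (0x[0-9A-Fa-f]+).*?transform: (.*?) ,.*?"
                             r"replay detection support: (\w).*?Status: (\w+)", text[h.end():end], re.S):
            sa["esp_sas"].append({"dir": h.group(1), "spi": m.group(1), "transform": m.group(2).split(),
                                  "replay": m.group(3), "status": m.group(4)})
    return sa

def sa_health(sa):
    """Per-device sanity checks on a parsed entry; returns a list of problems."""
    issues = []
    c = sa["counters"]
    if c["encaps"] != c["encrypt"] or c["decaps"] != c["decrypt"]:
        issues.append("encap/decap counters disagree with encrypt/decrypt counters")
    if sa["send_errors"] or sa["recv_errors"]:
        issues.append(f"send errors {sa['send_errors']}, recv errors {sa['recv_errors']}")
    for d in ("inbound", "outbound"):
        if not any(s["dir"] == d and s["status"] == "ACTIVE" for s in sa["esp_sas"]):
            issues.append(f"no ACTIVE {d} ESP SA")
    issues += [f"{s['dir']} SPI {s['spi']}: replay detection off" for s in sa["esp_sas"] if s["replay"] != "Y"]
    return issues

def peers_consistent(a, b):
    """Both ends must agree: mirrored addresses and selectors, and each side's
    outbound SPI must be the SPI the other side chose for its inbound SA."""
    spis = lambda sa, d: {s["spi"] for s in sa["esp_sas"] if s["dir"] == d}
    return (a["peer"] == b["local_addr"] and b["peer"] == a["local_addr"]
            and a["local_ident"] == b["remote_ident"] and a["remote_ident"] == b["local_ident"]
            and spis(a, "outbound") == spis(b, "inbound") and spis(a, "inbound") == spis(b, "outbound"))
```

`sa_health(parse_ipsec_sa(R1_SA))` returns only the send-error note, `sa_health(parse_ipsec_sa(R2_SA))` returns nothing, and `peers_consistent` on the two parsed entries is true; feeding it one side's output twice, or a copy with one SPI altered, makes it false, which is the quickest way to spot a stale or half-rekeyed SA pair.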





Thank You !!!! 

Comments

  1. A great explanation and good clearly understandable language... Good work and hats off to the writer, great work Suraj Soni

  2. Nice work bro, keep it up always
