The Bryant Advantage CCNP ROUTE Study Guide

Chris Bryant, CCIE #12933


The Remote Workplace, Part I: VPNs And IPSec
VPN Terminology
Data Encryption Technologies
Key Encryption Schemes
The IPSec Architecture
Configuring Site-to-Site VPNs
Creating An IKE Policy
Configuring Transform Sets
Crypto ACLs
Configuring Site-to-Site VPNs with SDM
Dead Peer Detection
GRE Over IPSec Tunnels
Configuring GRE Over IPSec Tunnels with SDM
Easy VPN Server and Client
Configuring Easy VPN Server In SDM
Configuring Easy VPN Client

In a previous section, we discussed different methods of allowing mobile users and remote offices to communicate with a central location ("HQ"). These days, it's not enough to have communication - we need secure communication. Virtual Private Networks (VPNs) are a great way to secure these transmissions.

It's the "private" part of VPNs that brings us that security. Configuring VPNs gives us the opportunity to apply security to a connection that is using a shared technology such as Frame Relay - in other words, to treat this connection as though it were on a private network.

What's A VPN?

VPNs are often referred to as tunnels. We can apply security rules and policies to this tunnel without applying them to other WAN communications. For example, when we configure commands directly on the Serial0 interface, all communications using that interface are subject to those commands. When we create a VPN, it's actually seen as a separate interface - you'll see this when we configure one - and we can apply rules to the VPN that are not applied to other communications using Serial0. In the following exhibit, a VPN has been created between two routers. Security policies can be enforced on the VPN between those two routers without affecting any WAN communications involving the bottom router.

There are some VPN terms that are sometimes used interchangeably, but they don't refer to the same feature. Let's take a close look at these terms. VPNs offer three vital functions. Note that two of these occur at the receiver, and one at the sender. Data origin authentication allows the receiver to guarantee the source of the packet.

Encryption is just that - the sender encrypts the packets before sending them. If an intruder picks them off the wire, they will have no meaning.

Integrity is the receiver's ability to ensure that the data was not affected or altered in any fashion as it traveled across the VPN.

There are three different protocols we can use to create this tunnel. Originally defined in RFC 1701, Generic Routing Encapsulation (GRE) enables a Cisco router to encapsulate a packet in an IP header. When the packet reaches the remote router, the header is stripped off. GRE's drawback is that there's no encryption scheme, and that's a pretty big drawback. Defined in RFC 2661, the Layer 2 Tunneling Protocol (L2TP) is actually a hybrid of Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's own Layer 2 Forwarding (L2F). Again, the major drawback is that L2TP doesn't have an encryption scheme either.

This giant flaw is corrected by IP Security, generally referred to as IPSec. IPSec does offer encryption along with authentication, and that's why you'll see more IPSec in today's networks than L2TP or GRE. That's also why we're going to spend the majority of this section working with IPSec.

VPN Terminology

Before we get to a more specific discussion of VPNs, there are some general terms you should know. We'll review the terms from the beginning of this section as well.

Data Confidentiality means that only the devices that should see the data in an unencrypted form will see the data that way. Generally, this is achieved by one endpoint encrypting the data and sending it across the link in that fashion, with the second endpoint decrypting the data.

Data Integrity means that the recipient of the data can guarantee that the received data is the same as the transmitted data - in short, that the data was not altered during transport.

Data Origin Authentication guarantees that the data originated from a specific endpoint.

Anti-replay protection (sometimes just called "replay protection") protects against replay attacks, a malicious repeat and/or delay of a valid transmission. Replay attacks can begin innocently enough. In this example, Router C requests proof of identity from Router A. Router A responds with proof of identity.

The problem is, an Intruder is listening to the conversation and copies Router A's proof of identity.

After A and C are done with their conversation, the Intruder starts a conversation with C, pretending to be A. When C asks for proof of identity, the Intruder submits A's ID, and C will accept it. Anti-replay protection can use several different methods of defeating such an attack, including the one-time use of tokens for the proof of identity or by using sequence numbers, where a repeated sequence number will be rejected.

Data Encryption Technologies

For data to be encrypted, it follows that something's got to perform this encryption! One such encryption tool is the Data Encryption Standard (DES). DES was developed in 1976, and a few problems have developed with DES since then. The main issue is that the key used by DES to encrypt data is only 56 bits in size. (A key is a random string of binary digits.) Thirty years ago, that was fine, but then again floppy disks used to be the largest storage unit any of us needed! Depending on which documentation you read, DES keys can be broken in any time frame from 24 hours to ten minutes, but it's still in use today in networks around the world.

Triple DES (3DES) is just what it sounds like - the DES encryption procedure is run three times, with three different 56-bit DES keys. That's a total of 168 bits, but the effective security provided is considered to be only 112 bits.

The Advanced Encryption Standard (AES) is being rapidly adopted by governments and organizations around the world. AES can run on any Cisco router that has IPSec DES/3DES capability. The actual function of AES is far beyond the scope of this exam, but to me it really is quite fascinating. If you'd like to take a peek at how it works anyway, see http://en.wikipedia.

Key Encryption Schemes

Symmetric encryption is an algorithm where the key that is used for encryption is also used for decryption. Both DES and 3DES use symmetric encryption. Symmetric encryption is sometimes called secret key encryption. Variations of symmetric encryption include stream algorithms, where one bit or byte is encrypted/decrypted at a time, and block algorithms, where blocks of data are encrypted/decrypted as a whole. These data blocks are usually 64 bits in size.

The drawback to symmetric encryption is that the key is used for two purposes, making it that much easier for an intruder to discover the key. In contrast, asymmetric encryption involves two keys for both the sender and receiver. This public key encryption scheme involves a public and private key for each user. Before starting the actual encryption process, the public key should be certified by a third party called a Certificate Authority (CA). The CA may be global, such as www., or it may be a CA in your very own organization. The key here (no pun intended) is that you better trust your CA, because the entire public key encryption process is built around the CA verifying users and their public keys. If "Dan" has a public key, the CA will make sure Dan is who he says he is, and the CA will then issue a digital certificate saying just that. The digital certificate is a combination of Dan's public key and the CA's private root key.

Now that the CA has verified Dan and Bob, public key encryption can be put into use. In this example, Dan will send an email to Bob using PKE. Dan will actually use Bob's public key to encrypt the message. The email is then sent to Bob, who will use his private key to decrypt the

Exchanging Secret Keys Over A Non-Secure Connection

It seems like quite a Catch-22. To create the VPN, we need the endpoints to exchange secret keys, but since the VPN doesn't exist yet, the secret keys must be exchanged over a non-secure connection! The Diffie-Hellman algorithm allows the exchange of secret keys over a non-secure communications channel. Referred to in some documentation as exponential key agreement, this protocol was also designed in 1976.

The IPSec Architecture

IPSec is a combination of the three following protocols:

Authentication Header (AH), which defines a method for authenticating and securing data
Encapsulating Security Payload (ESP), which defines a method for authenticating, securing, and encrypting data
Internet Key Exchange (IKE), which negotiates the security parameters and authentication keys

The IPSec Packet Format

Defined in RFC 2402, Authentication Header (AH) offers solid security -- as you can see from the IPSec packet illustration, AH will successfully protect the IP packet's payload, which is really what we're interested in. AH provides data origin authentication as well as offering optional anti-replay protection. The drawback with AH is that the authentication it provides for the IP Header is not complete. That's because some of the IP fields can't be correctly predicted by the receiver - these are mutable fields which may change during transmission. To sum it up, AH does offer data origin authentication, data integrity, and (optional) anti-replay protection. AH does not offer data confidentiality, though.

The Encapsulating Security Payload (ESP) does just that - as you can see from the illustration, there is an ESP Header and ESP Trailer surrounding, or encapsulating, the data. ESP offers all of the following: data origin authentication, anti-replay protection, and data confidentiality.

Comparing AH and ESP, you might be wondering why you'd ever choose AH over ESP. Here are a few things to consider: ESP is more processor-intensive than AH. ESP requires strong cryptography, which isn't always available and/or allowed; AH has no such requirement. If your data does not require data confidentiality, AH may meet all your requirements.

Both ESP and AH can be run in one of two modes - Tunnel Mode and Transport Mode. In Tunnel mode, the entire IPSec process is transparent to the end hosts.

Specialized IPSec gateway devices handle the IPSec workload. The tunnel mode process encrypts the entire IP packet, and then that encrypted packet is placed into another IP packet. That encapsulating packet will have the IP addresses configured on the tunnel endpoints, and it's those tunnel IP addresses that will be used to route the packet.

Transport mode encrypts the IP payload, but the IPSec header is inserted directly after the IP header in the packet. As a result:

There is no protection for the original IP address
The original IP address will be used for routing
Only data from the Transport layer up is protected by IPSec (easy enough to remember!)

Configuring Site-to-Site IPSec VPNs

Configuring a site-to-site VPN is basically a five-step process:

Process Initialization via "interesting traffic" (as opposed to the usual, uninteresting kind, right?)
IKE Phase 1 (IKE SA negotiation)
IKE Phase 2 (IPSec SA negotiation)
Data Transfer
Tunnel Termination

IPSec doesn't just start working by itself - it requires interesting traffic to be sent by a host. A crypto access-list will define interesting traffic for our VPN. We'll configure one later in this section. This interesting traffic initializes the IPSec process, and the routers will now enter IKE Phase I. Assuming we're running Main mode, there will be six messages overall. The initiator will first transmit proposals for the encryption and authentication schemes to be used. At this point, IKE's looking for an ISAKMP policy that's a match at both endpoints.

In the second exchange of IKE Phase I, the devices will exchange Diffie-Hellman public keys. The initiator and recipient authenticate each other in the third exchange of Phase I, using an encrypted form of their IP addresses; from this point on, the rest of the negotiation is encrypted. The IKE SA is then established and Phase II can begin.

(If we had chosen to run IKE in Aggressive Mode, this would have been a three-message process. The initiator packets everything needed for the SA negotiation in the first message, including its Diffie-Hellman public key. The recipient responds with the acceptable parameters and authentication information, and its Diffie-Hellman public key. The initiator then sends a confirmation that it received that information, and we're done!)

IKE Phase 2 has one mode, Quick mode. This is also a three-message process. The initiator proposes parameters for the IPSec SA, the recipient responds with a list of acceptable parameters, and the initiator then transmits a message that lets the responder know that message 2 was received and processed. This message is called proof of liveness. With the IPSec SA in place, the hosts can now exchange data.

Once the data exchange is complete, the tunnel can be torn down. This tunnel termination can be configured to occur after a certain number of bytes have passed through the tunnel, or perhaps after the tunnel has been up for a certain number of seconds. But what if traffic is flowing through the tunnel at the same time the tunnel's supposed to be torn down? No fear - a new Security Association can be agreed upon while the existing one is still in place.

Creating An IKE Policy

Before configuring the IKE policy, make sure ISAKMP is enabled with the crypto isakmp enable command. It's supposed to be on by default, but we all know how that is!

R1(config)#crypto isakmp enable

To display the current IKE policies, run show crypto isakmp policy.

R1#show crypto isakmp policy
Global IKE policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

We're not going to use the default. We'll create a custom policy with the crypto isakmp policy command. Policies can be assigned priorities, with 1 being the highest priority. The lower the number, the higher the priority. There is no default priority, however, as shown below by IOS Help.

R1(config)#crypto isakmp policy ?
  <1-10000>  Priority of protection suite

R1(config)#crypto isakmp policy 100

IOS Help shows the options for the IKE policy.

The options for authentication are preshared keys, RSA Signature, and RSA Encryption. The default is RSA Signature. We'll configure the policy to use preshared keys.

R1(config-isakmp)#authentication ?
  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature

R1(config-isakmp)#authentication pre-share

The options for encryption are DES, AES, and 3DES (TDES). The default is DES. We'll use 3DES.

R1(config-isakmp)#encryption ?
  3des  Three key triple DES
  aes   AES - Advanced Encryption Standard.
  des   DES - Data Encryption Standard (56 bit keys).

R1(config-isakmp)#encryption 3des

We do have options for the Diffie-Hellman group. The default is group 1, so we'll use group 5.

R1(config-isakmp)#group ?
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5

R1(config-isakmp)#group 5

The hash algorithm will be either MD5 or SHA. The default is SHA, so we'll set the policy to MD5.

R1(config-isakmp)#hash ?
  md5  Message Digest 5
  sha  Secure Hash Standard

R1(config-isakmp)#hash md5

Finally, we need to set the SA lifetime. The default is the maximum number of seconds, 86,400 seconds, which equals 24 hours. We'll set that to 42,400.

R1(config-isakmp)#lifetime ?
  <60-86400>  lifetime in seconds

R1(config-isakmp)#lifetime 42400

show crypto isakmp policy displays both policies on the router - the default and the one we just wrote.

R1 and R3 are on the same Serial segment, 172.12.12.0 /24, with their router number as the last octet. The exact same policy has been configured on R3.

R3(config)#crypto isakmp policy 100
R3(config-isakmp)#hash md5
R3(config-isakmp)#lifetime 42400
R3(config-isakmp)#group 5
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption 3des

When IKE Phase 1 negotiation begins, the initiator sends its policies to the receiver. The receiver will then attempt to find a match for that policy among its own policies, and the receiver starts this search with its lowest numbered policy. If that policy doesn't match, the receiver checks its next lowest numbered policy. It's vital to remember that just because the first policy comparison doesn't result in a match, the recipient will continue to search for a match.

In the following example, R2 checks its own policies for a match with the policy sent by the initiator, R1. R2 begins with its lowest-numbered policy, 100, which requires DES, and that does not match the incoming policy, so there's no match. R2 then checks its Policy 200. That policy requires SHA and the incoming policy names MD5, so there's no match. Policy 300 matches all the requirements, so the negotiation is successful.

You'd think that all five values would have to match for the negotiation to be successful, but that's not quite true. Here's a list of the parameters and what has to happen for successful negotiation.

Hash: exact match
Encryption: exact match
Authentication: exact match
DH Group number: exact match
Lifetime: Remote peer policy must have lifetime equal to or less than initiator. If less, the lower value is used.

If Phase I is successful, an ISAKMP SA will be created. We can verify this with show crypto isakmp sa.

R3#show crypto isakmp sa
dst             src             state          conn-id slot
R3#

As always, if the output of a show command shows nothing, there's nothing to show! The ISAKMP SA doesn't exist until the entire IPSec configuration is in place and interesting traffic has started the process. That's one frustrating thing about IPSec - there's a good deal of configuration, but you really can't test it until the entire thing is done. Trust me, as a CCNP and world-class Cisco engineer, this is something you need to get used to.

Since our policies referred to preshared keys, we better create them! The crypto isakmp key command does this. Along with the key itself, the IP address of the remote peer must be configured. Watch the syntax with this command, as it differs between IOS versions. IOS Help shows that the options are slightly different between the IOS versions we're using. Not all versions have the 0 / 6 option you'll see below on R1.
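The responder's policy search described above, worked through in code. This is an added example, not part of the study guide: R1's policy 100 from this section is offered to a responder holding three constructed policies (100 with DES, 200 with SHA, 300 matching), and the match rules from the list are applied in priority order, including the lifetime rule.

```python
"""IKE Phase 1 policy matching as described in the text (added example, not from
the study guide).  Rules modelled: hash, encryption, authentication and DH group
must match exactly; the responder's lifetime must be equal to or less than the
initiator's, and the lower value is used.  The responder checks its policies
starting with the lowest priority number and stops at the first match."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # crypto isakmp policy <1-10000>; lower number = higher priority
    encryption: str      # des | 3des | aes
    hash: str            # md5 | sha
    authentication: str  # pre-share | rsa-sig | rsa-encr
    group: int           # Diffie-Hellman group 1, 2 or 5
    lifetime: int        # seconds, 60-86400


def mismatch_reasons(initiator: IsakmpPolicy, responder: IsakmpPolicy) -> list[str]:
    """Return why a responder policy is rejected; an empty list means it matches."""
    reasons = []
    for attr in ("encryption", "hash", "authentication", "group"):
        mine, theirs = getattr(initiator, attr), getattr(responder, attr)
        if mine != theirs:
            reasons.append(f"{attr}: initiator {mine} vs responder {theirs}")
    # Lifetime is the one attribute that need not match exactly.
    if responder.lifetime > initiator.lifetime:
        reasons.append(f"lifetime: responder {responder.lifetime}s exceeds "
                       f"initiator {initiator.lifetime}s")
    return reasons


def negotiate(initiator: IsakmpPolicy,
              responder_policies: list[IsakmpPolicy]) -> tuple[Optional[IsakmpPolicy], list[str]]:
    """Walk the responder's policies from the lowest priority number upward.

    Returns (agreed policy with the lower lifetime applied, trace of the search).
    The agreed policy is None when nothing matched, i.e. Phase 1 fails.
    """
    trace = []
    for candidate in sorted(responder_policies, key=lambda p: p.priority):
        reasons = mismatch_reasons(initiator, candidate)
        if reasons:
            trace.append(f"policy {candidate.priority}: no match ({'; '.join(reasons)})")
            continue
        trace.append(f"policy {candidate.priority}: match")
        agreed = replace(candidate, lifetime=min(initiator.lifetime, candidate.lifetime))
        return agreed, trace
    trace.append("no policy matched - Phase 1 fails")
    return None, trace


# R1's policy 100 exactly as configured in this section.
R1_POLICY_100 = IsakmpPolicy(100, "3des", "md5", "pre-share", 5, 42400)

# Constructed responder (R2) policies mirroring the walkthrough in the text:
# 100 fails on encryption (DES), 200 fails on hash (SHA), 300 matches.
R2_POLICIES = [
    IsakmpPolicy(100, "des", "md5", "pre-share", 5, 86400),
    IsakmpPolicy(200, "3des", "sha", "pre-share", 5, 86400),
    IsakmpPolicy(300, "3des", "md5", "pre-share", 5, 42400),
]

# Constructed counter-example: identical except the responder's lifetime is
# longer than the initiator's, which the rule above says is not a match.
R2_LONG_LIFETIME = [IsakmpPolicy(300, "3des", "md5", "pre-share", 5, 86400)]


if __name__ == "__main__":
    agreed, trace = negotiate(R1_POLICY_100, R2_POLICIES)
    print("\n".join(trace))
    print("agreed:", agreed)
```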

Configuring The IPSec Transform Sets

An IPSec Transform Set is simply a group of individual parameters that will enforce a security policy. The endpoints must agree exactly on which encryption and authentication algorithms will be used to create the IPSec SA. A transform set is built with the crypto ipsec transform-set command, as shown here on R3, and then the exact same transform set is configured on R1. Options are shown with IOS Help.

As with ISAKMP policies, multiple transform sets can be configured and sent to a remote peer. The remote peer will compare each set received against its own transform sets, and when a match is found, the IPSec SA will be built. If there's an exact match, the IPSec process continues; if there's no match, the process is terminated and the session torn down.

IPSec SA Lifetimes

The default lifetime of an IPSec SA is 1 hour, but IOS Help reveals that the command that changes this value on a global basis sets the IPSec SA lifetime in seconds. The below command sets this value to 30 minutes (1800 seconds). Always use IOS Help to double-check the measuring unit in use by any given command. The SA lifetime can also be based on volume.

Crypto Access Lists

Remember way back when I mentioned that interesting traffic triggers the IPSec process? We're finally getting to the part of IPSec that identifies this interesting traffic - crypto access lists. Crypto ACLs are used to define the traffic that is protected by IPSec.

While most of the Crypto ACLs you write will be configured to affect outbound traffic, they can also be configured to affect inbound traffic. Outbound crypto ACLs identify the traffic to be secured by IPSec, and traffic not named by the crypto ACL will be sent in clear text. Inbound crypto ACLs can identify traffic that should have been protected by IPSec, but wasn't. Such traffic will be discarded, simply because it's unprotected. If inbound Crypto ACLs are configured, unprotected traffic that matches the ACL is dropped.

Extended ACLs can serve as Crypto ACLs, but there's a major difference in operation between the two. With Extended ACLs, matched traffic is permitted and unmatched traffic denied (by the implicit deny). With Crypto ACLs, matched traffic is encrypted and unmatched traffic is unencrypted but still transmitted.

The trickiest part of writing Crypto ACLs for IPSec peers is making sure they're symmetrical rather than identical. Let's use the following network to show you what I mean.

To have traffic on R1's ethernet segment protected by IPSec if it's destined for the ethernet segment on R2, R1's ACL will look like this (the exact network addresses did not survive in this copy, so they appear as labelled placeholders):

access-list 123 permit ip [R1 Ethernet network] 0.0.0.255 [R2 Ethernet network] 0.0.0.255

For traffic on R2's ethernet segment to be protected by IPSec if it's destined for the ethernet segment on R1, R2's ACL will look like this:

access-list 123 permit ip [R2 Ethernet network] 0.0.0.255 [R1 Ethernet network] 0.0.0.255

When you're configuring IPSec and concentrating on the many details we've discussed in this chapter, it's really easy to think "Hey, I'll just write the ACL on one router and then copy and paste it to the other." Always double-check your ACLs - if they're identical, there is a problem. We don't want the two ACLs to be an exact copy of each other - rather, we need them to be mirror images, exact reverses of each other.

Once the Crypto ACLs are written, it's time to apply them to the appropriate interfaces. That's just one purpose of a Crypto Map. Let's look at the basic command to write a Crypto Map along with some options, courtesy of IOS Help.

R3(config)#crypto map CCNP ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map

R3(config)#crypto map CCNP 100 ?
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
  <cr>

R3(config)#crypto map CCNP 100 ipsec-isakmp ?
  dynamic  Enable dynamic crypto map support
  profile  Enable crypto map as a crypto-profile
  <cr>

R3(config)#crypto map CCNP 100 ipsec-isakmp
R3(config-crypto-map)#

We've successfully created a crypto map named CCNP, sequence number 100, that will use ISAKMP to establish the IPSec Security Associations. We're now in crypto map configuration mode, where the ACL, peers, transform sets, and security association lifetime for this particular crypto map can be set.
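A check for the "mirror image, not a copy" rule above, as an added example that is not part of the study guide. It parses the numbered extended ACL form used in this section (network/wildcard, host and any) and reports whether two peers' crypto ACLs are exact reverses of each other; the 172.1.1.0 and 172.5.5.0 networks in the sample are constructed.

```python
"""Checks that two crypto ACLs are mirror images rather than identical copies
(added example, not from the study guide).  Understands the numbered extended
ACL form used in the text: 'access-list N permit|deny ip SRC DST', where each
address is 'A.B.C.D WILDCARD', 'host A.B.C.D' or 'any'."""
from typing import NamedTuple


class Addr(NamedTuple):
    network: str
    wildcard: str


class CryptoAce(NamedTuple):
    action: str
    protocol: str
    src: Addr
    dst: Addr

    def mirrored(self) -> "CryptoAce":
        """The entry the peer must have: same action/protocol, source and destination swapped."""
        return CryptoAce(self.action, self.protocol, self.dst, self.src)


def _take_addr(tokens: list[str], pos: int) -> tuple[Addr, int]:
    """Consume one address specification starting at tokens[pos]."""
    if tokens[pos] == "any":
        return Addr("0.0.0.0", "255.255.255.255"), pos + 1
    if tokens[pos] == "host":
        return Addr(tokens[pos + 1], "0.0.0.0"), pos + 2
    return Addr(tokens[pos], tokens[pos + 1]), pos + 2


def parse_crypto_acl(text: str) -> list[CryptoAce]:
    """Parse 'access-list' lines; remarks, blank lines and other config are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, protocol = tokens[2], tokens[3]
        if protocol != "ip":
            # Port qualifiers would need swapping too; this example sticks to 'ip'.
            raise ValueError(f"only 'ip' entries are handled: {line.strip()}")
        src, pos = _take_addr(tokens, 4)
        dst, pos = _take_addr(tokens, pos)
        entries.append(CryptoAce(action, protocol, src, dst))
    return entries


def _describe(ace: CryptoAce) -> str:
    return (f"{ace.action} {ace.protocol} {ace.src.network} {ace.src.wildcard} "
            f"-> {ace.dst.network} {ace.dst.wildcard}")


def mirror_problems(local_acl: str, peer_acl: str) -> list[str]:
    """Return the reasons the two crypto ACLs are not mirrors; empty means they are."""
    local, peer = parse_crypto_acl(local_acl), parse_crypto_acl(peer_acl)
    problems = []
    # The copy-and-paste mistake from the text: identical ACLs on both peers.
    # An entry that is its own mirror (e.g. 'permit ip any any') is fine.
    if local and local == peer and any(a.mirrored() != a for a in local):
        problems.append("ACLs are identical copies - the peer needs the reverse, not a copy")
    for ace in local:
        if ace.mirrored() not in peer:
            problems.append(f"peer lacks mirror of: {_describe(ace)}")
    for ace in peer:
        if ace.mirrored() not in local:
            problems.append(f"local lacks mirror of: {_describe(ace)}")
    return problems


# Constructed sample networks standing in for R1's and R2's Ethernet segments.
R1_ACL = "access-list 123 permit ip 172.1.1.0 0.0.0.255 172.5.5.0 0.0.0.255\n"
R2_ACL = "access-list 123 permit ip 172.5.5.0 0.0.0.255 172.1.1.0 0.0.0.255\n"

if __name__ == "__main__":
    print("R1 vs R2 (mirror):", mirror_problems(R1_ACL, R2_ACL) or "OK")
    print("R1 vs copy of R1:", mirror_problems(R1_ACL, R1_ACL))
```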

Any SA lifetime value configured here overrides the globally configured value, but we'll leave that value alone for now.

R1(config)#crypto map CCNP 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#match address 123
R1(config-crypto-map)#set peer 172.12.12.3
R1(config-crypto-map)#set transform-set R1_TRANSFORM_SET
R1(config-crypto-map)#interface serial 0/1
R1(config-if)#crypto map CCNP
R1(config-if)#
*Apr 1 17:27: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R3(config)#crypto map CCNP 100 ipsec-isakmp
R3(config-crypto-map)#match address 123
R3(config-crypto-map)#set peer 172.12.12.1
R3(config-crypto-map)#set transform-set R3_TRANSFORM_SET
R3(config-crypto-map)#set security-association lifetime ?
  kilobytes  Volume-based key duration
  seconds    Time-based key duration

R3(config)#int s0/1
R3(config-if)#crypto map CCNP
R3(config-if)#
*Mar 1 04:10:12.807: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Before sending interesting traffic to start the entire process, we'll enable debug crypto ipsec on R3 to allow us to see the details of the SA negotiations.

R3#debug crypto ipsec
Crypto IPSEC debugging is on
R3#ping 172.12.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.12.12.1, timeout is 2 seconds:

*Jun 6 23:51:14.999: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.12.12.3, remote= 172.12.12.1,
    protocol= AH, transform= ah-md5-hmac (Tunnel),
    lifedur= 1800s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400A
*Jun 6 23:51:17.579: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.12.12.3, remote= 172.12.12.1,
    protocol= AH, transform= ah-md5-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Jun 6 23:51:17.583: Crypto mapdb : proxy_match
        src addr     : 172.12.12.3
        dst addr     : 172.12.12.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Jun 6 23:51:17.591: IPSEC(key_engine): got a queue event with 2 kei messages
*Jun 6 23:51:17.591: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 172.12.12.3, remote= 172.12.12.1,
    protocol= AH, transform= ah-md5-hmac (Tunnel),
    lifedur= 1800s and 4608000kb,
    spi= 0x91791CF(152539599), conn_id= 0, keysize= 0, flags= 0x2
*Jun 6 23:51:17.591: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 172.12.12.3, remote= 172.12.12.1,
    protocol= AH, transform= ah-md5-hmac (Tunnel),
    lifedur= 1800s and 4608000kb,
    spi= 0x945FCBB6(2489306038), conn_id= 0, keysize= 0, flags= 0xA
*Jun 6 23:51:17.595: Crypto mapdb : proxy_match
        src addr     : 172.12.12.3
        dst addr     : 172.12.12.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Jun 6 23:51:17.595: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 172.12.12.1
*Jun 6 23:51:17.595: IPSec: Flow_switching Allocated flow for sibling 80000002
*Jun 6 23:51:17.595: IPSEC(policy_db_add_ident): src 172.12.12.3, dest 172.12.12.1, dest_port 0
*Jun 6 23:51:17.599: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.12.12.3, sa_proto= 51,
    sa_spi= 0x91791CF(152539599),
    sa_trans= ah-md5-hmac , sa_conn_id= 2001
*Jun 6 23:51:17.599: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.12.12.1, sa_proto= 51,
    sa_spi= 0x945FCBB6(2489306038),
    sa_trans= ah-md5-hmac , sa_conn_id= 2002
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 48/49/52 ms

Near the bottom of the debug output, you can see that two separate unidirectional SAs have been built.

By running show crypto isakmp sa, we can see that the SA is in place and is active.

R2#show crypto isakmp sa
dst             src             state          conn-id slot status
172.12.123.1    172.12.123.2    QM_IDLE              1    0 ACTIVE

QM_IDLE is what we do want to see. A common error message is MM_NO_STATE, and if you think that sounds bad, you're right! This indicates a fundamental problem with Phase I, most likely a mismatch of attributes between peers. Here are a few other potential messages we don't want to see, along with a quick explanation of each courtesy of Cisco's website. MM_KEY_EXCH can indicate a misconfiguration of the peer's IP address, and this message can also be generated by a misconfigured pre-shared key.

Two other excellent IPSec troubleshooting commands are show crypto map and show crypto ipsec transform-set.

R2#show crypto map
Crypto Map "CCNP" 100 ipsec-isakmp
        Peer = 172.12.123.1
        Extended IP access list 123
            access-list 123 permit ip host 172.12.123.2 host 172.12.123.1
        Current peer: 172.12.123.1
        Security association lifetime: 4608000 kilobytes/1800 seconds
        PFS (Y/N): N
        Transform sets={ R2_TRANSFORM_SET, }
        Interfaces using crypto map CCNP:
                Serial0/1
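The two unidirectional SAs called out in the debug output above can be pulled out of the log mechanically. This added example (not from the study guide) parses the IPSEC(create_sa) records and the lifetime_expiry warning, labels each SA inbound or outbound by comparing sa_dest with the local address, and checks that each protocol has one SA in each direction; the sample text is constructed from the values shown in this section.

```python
"""Summarises 'debug crypto ipsec' output into the unidirectional SAs it reports
(added example, not from the study guide).  Only the IPSEC(create_sa) and
IPSEC(lifetime_expiry) records shown in the text are parsed."""
import re
from typing import NamedTuple

# IP protocol numbers for the two IPSec protocols, as listed in the ACL warning.
PROTO_NAMES = {50: "ESP", 51: "AH"}


class IpsecSa(NamedTuple):
    sa_dest: str
    protocol: str
    spi: int
    transform: str
    conn_id: int
    direction: str   # "inbound" when sa_dest is our own address, else "outbound"


# A create_sa record spans several lines; sa_conn_id is always its last field.
CREATE_SA_RE = re.compile(
    r"IPSEC\(create_sa\): sa created,\s*\(sa\)(?P<body>.*?)sa_conn_id=\s*(?P<conn>\d+)",
    re.DOTALL,
)
FIELD_RE = re.compile(r"(\w+)=\s*([^\s,]+)")
EXPIRY_RE = re.compile(
    r"IPSEC\(lifetime_expiry\): SA lifetime threshold reached, expiring in (\d+) seconds"
)


def parse_create_sa(debug_text: str, local_address: str) -> list[IpsecSa]:
    """Return one IpsecSa per create_sa record, in the order they were logged."""
    sas = []
    for match in CREATE_SA_RE.finditer(debug_text):
        fields = dict(FIELD_RE.findall(match.group("body")))
        proto_num = int(fields["sa_proto"])
        # "0x91791CF(152539599)" carries the SPI twice; keep the hex form.
        spi_hex = fields["sa_spi"].split("(")[0]
        sas.append(IpsecSa(
            sa_dest=fields["sa_dest"],
            protocol=PROTO_NAMES.get(proto_num, str(proto_num)),
            spi=int(spi_hex, 16),
            transform=fields["sa_trans"],
            conn_id=int(match.group("conn")),
            direction="inbound" if fields["sa_dest"] == local_address else "outbound",
        ))
    return sas


def pair_complete(sas: list[IpsecSa]) -> dict[str, bool]:
    """A working tunnel has one inbound and one outbound SA per protocol."""
    directions: dict[str, set[str]] = {}
    for sa in sas:
        directions.setdefault(sa.protocol, set()).add(sa.direction)
    return {proto: dirs == {"inbound", "outbound"} for proto, dirs in directions.items()}


def expiry_warnings(debug_text: str) -> list[int]:
    """Seconds remaining reported by each lifetime_expiry message."""
    return [int(s) for s in EXPIRY_RE.findall(debug_text)]


# Constructed sample built from the values in this section's debug output.
SAMPLE_DEBUG = """\
*Jun 6 23:51:17.599: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.12.12.3, sa_proto= 51,
    sa_spi= 0x91791CF(152539599),
    sa_trans= ah-md5-hmac , sa_conn_id= 2001
*Jun 6 23:51:17.599: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.12.12.1, sa_proto= 51,
    sa_spi= 0x945FCBB6(2489306038),
    sa_trans= ah-md5-hmac , sa_conn_id= 2002
*Jun 7 00:48:18.270: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 111 seconds
"""

if __name__ == "__main__":
    for sa in parse_create_sa(SAMPLE_DEBUG, "172.12.12.3"):
        print(f"{sa.direction:8} {sa.protocol} spi=0x{sa.spi:X} {sa.transform} conn_id={sa.conn_id}")
    print("complete pairs:", pair_complete(parse_create_sa(SAMPLE_DEBUG, "172.12.12.3")))
    print("expiring in:", expiry_warnings(SAMPLE_DEBUG))
```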

R2#show crypto ipsec transform-set
Transform set R3_TRANSFORM_SET: { ah-md5-hmac  }
   will negotiate = { Tunnel,  },

Transform set R2_TRANSFORM_SET: { ah-md5-hmac  }
   will negotiate = { Tunnel,  },

To let you see what the IPSec process looks like when the SA expires, I left the debug running until the one we built in this chapter expired.

*Jun 7 00:48:18.270: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 111 seconds
*Jun 7 00:50:10.074: IPSEC(key_engine): got a queue event with 1 kei messages
*Jun 7 00:50:10.074: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Jun 7 00:50:10.078: IPSEC(key_engine_delete_sas): delete SA with spi 0x877193D
*Jun 7 00:50:10.086: IPSEC(delete_sa): deleting SA,
  (identity) local= 172.12.123.2, remote= 172.12.123.1,
    sa_spi= 0x877193DD(2272367581), sa_trans= ah-md5-hmac , sa_conn_id= 2003
*Jun 7 00:50:10.086: IPSEC(delete_sa): deleting SA,
    sa_spi= 0xF8BA8F2(260810994), sa_trans= ah-md5-hmac , sa_conn_id= 2004
*Jun 7 00:50:10.090: IPSec: Flow_switching Deallocated flow for sibling 8000000

A Warning About ACLs And IPSec

As you work with more complex combinations of Cisco technologies, you're going to have to be very careful with your access lists, because you can always block ports that are needed by network services or applications. You should especially be careful with port ranges in ACLs. This is particularly true with IPSec, because three primary IPSec protocols use ports and protocol numbers that must not be blocked by ACLs:

ESP, protocol number 50
AH, protocol number 51
IKE, UDP port 500

Make sure your network's ACLs are not inadvertently blocking these ports and protocol numbers anywhere you have IPSec running.

To review, here's the process we used to create this site-to-site IPSec VPN:

Created the ISAKMP policy
Created the IPSec transform set
Defined interesting traffic with the crypto access-list
Created the crypto map - AND applied it to the proper interface
Made sure our ACLs allowed the appropriate port numbers

The Return Of GRE

Generic Routing Encapsulation (GRE) tunneling has actually made a comeback. We used to love GRE's multiprotocol capabilities, but that's not as important to us in today's networks as it once was. Combined with a lack of strong security features, that meant GRE was pretty much dead for quite a while. Interestingly enough, GRE can do things that IPSec can't do, and vice versa.

IPSec is very secure, but it does have drawbacks. Originally, IPSec couldn't carry multicast traffic. The first IOS release that allowed IPSec to carry multicast traffic was 12.2(4)T, and there are plenty of routers out there running an earlier IOS. The latest IOS versions can't handle all multicast traffic, and you may still run into some trouble with that in the field. Multicast traffic generated by OSPF and EIGRP can't be carried by basic IPSec - we've got to run a combination of IPSec and GRE, commonly called GRE over IPSec.

By combining GRE and IPSec, each protocol helps to compensate for the other's limitation:

IPSec adds data integrity and confidentiality that GRE does not offer
GRE offers the ability to carry routing protocol traffic, which IPSec does not offer

Why call it "GRE over IPSec" rather than "IPSec over GRE"? Because the GRE encapsulation happens first, and then that encapsulation is encapsulated again by IPSec. In effect, we have a GRE tunnel inside an IPSec tunnel. Our old friends tunnel mode and transport mode are still around as well. Cisco's website recommends the use of transport mode over tunnel mode with GRE over IPSec. Using transport mode results in less total overhead, and we're all in favor of that!

To review:

Just as with a site-to-site VPN, the crypto ACL indicates the traffic to be encrypted
GRE over IPSec allows the transmission of dynamic routing protocol multicast traffic
Whether you use the CLI or SDM, always make sure to apply the crypto map to the interface!

Hey, that's enough talking about GRE over IPSec. Let's configure it with SDM!

Configuring A GRE Tunnel Over IPSec Via SDM (PDQ)

As always, we'll start by clicking the Configure button, and from there choose VPN.

From the main VPN window, we'll select Site-to-Site VPN. After clicking Launch the selected task, the Site-to-Site VPN window gives us two main choices. When I choose the GRE over IPSec option, this illustration is shown. We're given some reminders of why we're using GRE - good review material for your exam, too!

The next screen asks us for some required GRE-over-IPSec information, namely the tunnel source and destination and the address of the tunnel itself. Note that for the source, we can specify either the interface or the IP address, whereas the only option for the destination is the IP address. Did you notice the Details button in the previous screen? Clicking that gives you quite a bit of information regarding that interface. We don't have any of these features on this interface, but if we did, it's good information to have in mind for the tunnel config.

Now back to the config! We're not going to create a backup tunnel, but the next screen gives us the option to do so.

The next window prompts us for the pre-shared key or to indicate the use of digital certificates.

The next window is the IKE Proposal selection area, and we'll accept the default IKE policy.

The next window is the Transform Set selection area, and we'll accept the default there as well.

We're then prompted to identify the routing protocol that will run over the tunnel. Earlier in this section, we had the opportunity to create a backup tunnel. If you're running a routing protocol over the tunnels, you may need to alter some metrics so that one tunnel is preferred over the other. For EIGRP, for example, I'd suggest working with the delay option rather than the other metrics as it's easier to get the result you want. With static routing, you could alter the AD of the routes with the distance option.

We now have the option of tunneling all traffic, or using Split Tunneling to send select traffic through the tunnel. We'll enable ST here and configure traffic destined for 10.0.0.0 /8 to use the tunnel.

Real-world note: By default, using Split Tunneling with NAT and PAT on the same router can cause problems. Cisco's website offers several solutions to this issue, should you run into that problem in the real world.

As always, we're presented with a Summary of the configuration we've chosen. At this point, the VPN is down, since we haven't configured the other side of it!

We need an exact reverse of this configuration - a mirror image - in place on the downstream router. SDM has a great tool to create this mirror at the verrrrrry bottom of the screen - the Generate Mirror button! Real-world note: If you can't find something, always look at the very bottom of the screen.

After clicking Generate Mirror, we get that mirror configuration, along with warnings about how this config should be used only as a guide and should not be pasted into the remote router. Since we're in a lab environment, I'm going to do just what they told me not to do, and save this config and then paste it into the downstream router. Here's the mirror configuration:

crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 86400
 exit
crypto isakmp key secretkey address 172.31.1.1
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
 mode tunnel
 exit
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 permit gre host 10.1.1.2 host 172.31.1.1
 exit
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Apply the crypto map on the peer router's interface having IP address 10.1.1.2 that connects to this router.
 set transform-set ESP-3DES-SHA
 set peer 172.31.1.1
 match address SDM_1
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
 exit
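Generating the mirror by hand comes down to three substitutions: the two hosts in the crypto ACL swap places, and the peer address in "set peer" and in the pre-shared key line becomes the other router's address; everything else (policy, transform set, lifetimes) must be identical. The following added example (my own code, not SDM's and not from the study guide) does exactly that for a site-to-site crypto configuration and also checks whether two configs mirror each other, which is handy when the downstream router already has something in place and you want to confirm it matches. The sample configuration is constructed; it uses the addresses from the mirror above but reverses them so it reads as the first router's side.

```python
# Added example (not from the study guide): build the mirror of a site-to-site
# crypto configuration for the peer router and check two configs against each other.
# The sample config below is constructed to look like the first router's side.
import re

# " permit gre host A host B" -> groups: prefix, A, " host ", B, rest
HOST_PAIR = re.compile(r"^(\s*permit\s+\S+\s+host\s+)(\S+)(\s+host\s+)(\S+)(.*)$")
PEER_LINE = re.compile(r"^(\s*set peer\s+)(\S+)\s*$")
KEY_LINE = re.compile(r"^(\s*crypto isakmp key\s+\S+\s+address\s+)(\S+)(.*)$")

ORIGINAL_ROUTER = """\
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp key secretkey address 10.1.1.2
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
 mode tunnel
ip access-list extended SDM_1
 remark SDM_ACL Category=4
 permit gre host 172.31.1.1 host 10.1.1.2
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 set peer 10.1.1.2
 match address SDM_1
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
"""


def mirror_crypto_config(config):
    """Return the configuration the peer router needs: ACL hosts swapped, peer
    and key addresses pointed back at this router, everything else unchanged."""
    lines = config.strip("\n").splitlines()
    local = peer = None
    for line in lines:
        m = HOST_PAIR.match(line)
        if m:
            local, peer = m.group(2), m.group(4)   # crypto ACL: local source, remote destination
            break
    if local is None:
        raise ValueError("no 'permit <proto> host A host B' crypto ACL entry found")
    out = []
    for line in lines:
        m = HOST_PAIR.match(line)
        if m:
            out.append(f"{m.group(1)}{m.group(4)}{m.group(3)}{m.group(2)}{m.group(5)}")
            continue
        m = PEER_LINE.match(line)
        if m:
            if m.group(2) != peer:
                raise ValueError(f"set peer {m.group(2)} does not match crypto ACL peer {peer}")
            out.append(f"{m.group(1)}{local}")
            continue
        m = KEY_LINE.match(line)
        if m:
            out.append(f"{m.group(1)}{local}{m.group(3)}")
            continue
        out.append(line)
    return "\n".join(out)


def _normalized(config):
    """Strip indentation and blank lines; ignore free-text description lines."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("description")]


def is_mirror(config_a, config_b):
    """True when config_b is exactly the mirror image of config_a."""
    return _normalized(mirror_crypto_config(config_a)) == _normalized(config_b)


if __name__ == "__main__":
    print(mirror_crypto_config(ORIGINAL_ROUTER))
```

Because the check is an exact comparison after normalization, a transform set, hash or lifetime that differs on one side shows up as a non-mirror, which is the usual reason an IKE or IPSec SA refuses to come up.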

After copying that config to the downstream router, the Edit Site-to-Site VPN screen shows the VPN is now up.

Going back to the original router, I applied that crypto map to the physical interface and created a tunnel interface manually:

interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 ip mtu 1420
 tunnel source FastEthernet0/1
 tunnel destination 10.1.1.1

What's So "Easy" About Easy VPN?

Easy VPN consists of the following:

Easy VPN Server
Easy VPN Remote

Sounds easy enough! Seriously, the real benefit of Easy VPN is that security policies written at the Server level can then be pushed out to Clients. As a result, the Clients have the most up-to-date policies without the network admins - that's you and me - having to visit them individually.

"Easy VPN Remote" devices are often referred to as "Easy VPN Clients", and that's how I'll refer to them for the rest of this video. For your exam and when reading Cisco documentation, remember that "Remote" and "Client" refer to the same device.

Quite a few different Cisco devices can act as Easy VPN Servers. I will not list each here, but here are the more common ones:

VPN 3000 concentrators
Cisco 7500, 7200, 7100, 3600, 2600, 1700 routers w/ 12.2(8)T IOS
Many Cisco 800 series routers running 12.2(8)T or later

The Easy VPN Remote device can be a Cisco router, PIX, or VPN concentrator as well.

The basics of the VPN construction will look familiar at this point! First, the Client will send ISAKMP proposals to the Server, and the Server responds with the acceptance of a matching proposal. After the policy acceptance, the ISAKMP SA is in place.

The next step is a little different from what we've seen in other VPNs. The Server will now send a challenge to the Client, prompting the Client to send a username and password to the Server. We can use several methods to set up this authentication:

Local (using the username/password command)
RADIUS
TACACS
Xauth (Extended Authentication)

We'll take a closer look at RADIUS and TACACS in another section, but keep in mind that we can use these security protocols in addition to local authentication.

Once the Client has successfully authenticated, the process enters Mode configuration. At this stage, the Client requests the necessary configuration details from the Server. This information can include:

IP address information (required)
internal DNS and WINS server addresses
split tunneling configuration information

Split tunneling allows the Client to have a secure tunnel to the Server and simultaneous non-secure connections to other networks.

Once Mode configuration is completed, the Reverse Route Injection stage begins. According to Cisco's website, "Reverse route injection (RRI) is the ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint".
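The order of those stages matters: a Server must not push configuration before Xauth succeeds, and RRI has nothing to inject until Mode configuration has handed the Client an address. The following added example (my own simplified model, not Cisco's implementation and not code from the study guide) plays the Server side of the exchange just described, from ISAKMP proposal through Xauth against a local username/password table, Mode configuration, RRI and Quick Mode, and refuses any stage that arrives out of order. The policy, user, address pool and DNS/WINS values are constructed sample data.

```python
# Added example (not from the study guide): a simplified Easy VPN Server that
# walks one Client through ISAKMP proposal -> Xauth -> Mode configuration ->
# Reverse Route Injection -> IPSec Quick Mode, enforcing that order.
# All policies, users and addresses below are constructed sample values.
from dataclasses import dataclass, field

ISAKMP_POLICIES = [{"encr": "3des", "hash": "sha", "auth": "pre-share", "group": 2}]
LOCAL_USERS = {"chris": "s3cret"}          # stands in for the 'username ... password' database
GROUP_POLICY = {
    "pool": ["10.10.10.1", "10.10.10.2"],  # inside addresses pushed during Mode configuration
    "dns": "10.1.1.53",
    "wins": "10.1.1.54",
    "split_tunnel": ["10.0.0.0 0.255.255.255"],
}


@dataclass
class EasyVpnServer:
    stage: str = "idle"
    pool: list = field(default_factory=lambda: list(GROUP_POLICY["pool"]))
    assigned: dict = field(default_factory=dict)   # client id -> pushed inside address
    routes: list = field(default_factory=list)     # (prefix, mask, next hop) inserted by RRI

    def _require(self, stage):
        if self.stage != stage:
            raise RuntimeError(f"expected stage {stage!r}, server is in {self.stage!r}")

    def isakmp_proposal(self, proposals):
        """Stage 1: the Client offers proposals; the Server accepts the first match."""
        self._require("idle")
        for proposal in proposals:
            if proposal in ISAKMP_POLICIES:
                self.stage = "isakmp_sa"          # ISAKMP SA is now in place
                return proposal
        return None

    def xauth(self, username, password):
        """Stage 2: Server challenge answered with username/password (local database here)."""
        self._require("isakmp_sa")
        if LOCAL_USERS.get(username) != password:
            self.stage = "idle"                   # failed authentication drops the session
            return False
        self.stage = "authenticated"
        return True

    def mode_config(self, client_id):
        """Stage 3: Client asks for its configuration; the IP address is the required part."""
        self._require("authenticated")
        if not self.pool:
            raise RuntimeError("address pool exhausted")
        address = self.pool.pop(0)
        self.assigned[client_id] = address
        self.stage = "mode_config"
        return {"ip": address, "dns": GROUP_POLICY["dns"], "wins": GROUP_POLICY["wins"],
                "split_tunnel": list(GROUP_POLICY["split_tunnel"])}

    def reverse_route_injection(self, client_id, client_public_ip):
        """Stage 4: RRI inserts a static host route for the address just pushed to the Client."""
        self._require("mode_config")
        route = (self.assigned[client_id], "255.255.255.255", client_public_ip)
        self.routes.append(route)
        self.stage = "rri"
        return route

    def quick_mode(self):
        """Stage 5: IPSec Quick Mode negotiates the IPSec SA."""
        self._require("rri")
        self.stage = "ipsec_sa"
        return True


def run_client_session(server, username, password, client_public_ip="198.51.100.7"):
    """Drive one Client (identified by its public address) through the whole exchange.
    Returns the pushed configuration, or None if negotiation or Xauth failed."""
    offer = [{"encr": "3des", "hash": "sha", "auth": "pre-share", "group": 2}]
    if server.isakmp_proposal(offer) is None:
        return None
    if not server.xauth(username, password):
        return None
    config = server.mode_config(client_public_ip)
    server.reverse_route_injection(client_public_ip, client_public_ip)
    server.quick_mode()
    return config


if __name__ == "__main__":
    srv = EasyVpnServer()
    print(run_client_session(srv, "chris", "s3cret"))
    print("RRI routes:", srv.routes, "stage:", srv.stage)
```

The route tuple that RRI leaves behind is the point of the stage: the HQ router now has a host route for the Client's pushed address pointing at the Client's public address, so return traffic for that address is sent to the tunnel endpoint rather than being dropped.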

After RRI, we're almost there! IPSec Quick Mode then negotiates the IPSec SA, and we're all set.

Configuring Easy VPN Server In SDM

We'll start our Easy VPN server config by clicking the VPN button in the Configure section of SDM. You'll see a list of topics under "VPN", and we'll select Easy VPN Server. The description screen shows the following. Note the prerequisite task.

Note that the Enable Easy VPN button is grayed out since AAA is not yet enabled. There's a link to enable AAA on that screen, so I'll click that. After clicking the enable AAA link, we're presented with this message: We do want to enable AAA, so we'll click Yes and move on.

Once the AAA commands are delivered, we can enable Easy VPN Server. Welcome to the Easy VPN Server Wizard! Good exam review material on this screen as well! Here's the next window:

The interface facing the workstation is Fast 0/0, so I'll choose that in the drop-down box. We'll use pre-shared keys as well, but you see that we can use keys, digital certificates, or both. After making those selections, the next window asks us for the IKE proposal. We could create custom policies by clicking Add, but here we'll use the default. The Transform Set selection window is next, and we'll accept the default there as well.

The next window prompts us for the group authorization method, and we'll use local authentication only. I like the summary description here. Actually, if you don't have a RADIUS or TACACS server in your network, the local database is the only option you have! In the next window, we'll indicate local authentication for users.

In the next window, we'll click Add since a group has not yet been created. The Add Group Policy window opens to the following tab, and you can see the information I entered for yourself. Note the pre-shared key appears as a series of asterisks.

We'll enable Split Tunneling, which is disabled by default. When I clicked that check box, the Enter the protected subnets selection window was enabled. I'll click Add and enter the 10.0.0.0 network with a wildcard mask of 0.255.255.255.

The policy has been added. At the bottom of this screen, note that you can specify an idle timer for the tunnel. After clicking Finish at the bottom of that screen, we're presented with the Summary window. Finally, the commands are delivered to the router, and the Easy VPN Server side of the configuration is complete!

Configuring The Easy VPN Client

Now to the workstation! I'll launch the Cisco VPN Client and click New. I'll enter the IP address of the Easy VPN Server, along with the group name and password (which again appears only as a series of asterisks). Group Authentication is selected by default. We're not going to configure Mutual Group Authentication, but if we chose that option, we'd need to import a valid root certificate.

Now the HQ connection appears under Connection Entry. I'll click Connect, and we'll be prompted for a username / password combination that I configured before the lab began. The connection is then completed! Note that a lock now appears next to the HQ connection, the message Connected to HQ appears in the bottom left of the window, and the overall connection time appears in the bottom right of the window.

You can also test the connection from the Server side. Go to the Edit Easy VPN Server screen, and at the very bottom of the screen, select Test Easy VPN Server. Click Start in the Troubleshooting VPN screen, and you'll get check marks when all is well. If something isn't well, you'll get some great information on the issue here. This is the first place I check when a VPN configuration isn't working correctly.

You'll also receive the following confirmation that all is well. Let's look at an SDM screen we haven't visited yet - the Monitor screen. Just click the Monitor button at the top of SDM, and you're there. This screen has buttons on the left-hand side as well. Naturally, we'll select VPN Status.

The IPSec Tunnels tab verifies that the tunnel is up, along with the number of encrypted and decrypted packets. The IKE SA tab shows the SA is in QM_IDLE mode, which is just what we want! The Easy VPN Server tab verifies it as well.

Other Easy VPN Options

In the Easy VPN Client software, you'll see an option for transparent tunneling. When you have a router serving as a firewall that also happens to be between the Easy VPN Client and Server, you'll want to enable this option. Why? That gateway is likely running NAT and/or PAT, and that can be a problem for Easy VPN. Enabling transparent tunneling enables us to work around potential issues with NAT and PAT.

On the same tab in SDM, you'll see an option to Allow Local LAN Access. If this is enabled on both the Server and Client, access to local network files, printers, and other resources is allowed without going through the tunnel.

A Note About NAT

Easy VPN Client does support NAT and PAT, but with a twist. Thankfully, the admin only needs to configure our old friends ip nat inside and ip nat outside. Client will autoconfigure the necessary NAT and PAT commands and access-lists. So what's the catch? Actually, there are two of them:

The autoconfigured NAT, PAT, and access-list commands will not appear in the starting and running configurations. You can see them with the show access-list and show ip nat statistics commands.
According to Cisco documentation, you must remove any pre-existing NAT and PAT configuration before configuring Easy VPN Remote.

Copyright © 2011 The Bryant Advantage. All Rights Reserved.
