Floating FB sharing byReview Results

Site-to-Site IPsec VPN using CLI

Site-to-Site vs Remote access

Site-to-site VPNs connect entire networks to each other -- for example, connecting a branch office network to a company headquarters network.

Remote access VPNs connect individual hosts to private networks -- for example, travelers and teleworkers who need to access their company's network securely over the Internet. In a remote access VPN, every host must have VPN client software.The VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. Upon receipt, that VPN gateway behaves as described above for site-to-site VPNs. If the target host inside the private network returns a response, the VPN gateway performs the reverse process to send an encrypted response back to the VPN client over the Internet.

Site-to-Site VPN. Configuring IPsec part

Configiring AL that marks "interesting" traffic:

R1(config)# access-list 110 permit ip

ISAKMP - Internet Security Association and Key Management Protocol(Phase 1)

R1(config)# crypto isakmp policy 10 R1(config-isakmp)# encryption aes R1(config-isakmp)# authentication pre-share R1(config-isakmp)# group 2 R1(config-isakmp)# exit R1(config)# crypto isakmp key vpnpa55 address

map keyword is needed when creating Crypto ACLs, which are used to define the traffic that is protected by IPSec; ISAKMP is enabled by default

R1(config)#crypto ? dynamic-map Specify a dynamic crypto map template ipsec Configure IPSEC policy isakmp Configure ISAKMP policy key Long term key operations map Enter a crypto map R1(config)#crypto isakmp ? client Set client configuration policy enable Enable ISAKMP key Set pre-shared key for remote peer policy Set policy for an ISAKMP protection suite R1(config)#crypto isakmp policy ? <1-10000> Priority of protection suite R1(config)#crypto isakmp policy 10

Choosing key type and length for encryprion, key length is needed only for AES and is 128 by default

R1(config-isakmp)#? authentication Set authentication method for protection suite encryption Set encryption algorithm for protection suite exit Exit from ISAKMP protection suite configuration mode group Set the Diffie-Hellman group hash Set hash algorithm for protection suite lifetime Set lifetime for ISAKMP security association no Negate a command or set its defaults R1(config-isakmp)#encryp ? 3des Three key triple DES aes AES - Advanced Encryption Standard des DES - Data Encryption Standard (56 bit keys) R1(config-isakmp)#encryp aes ? 128 128 bit keys. 192 192 bit keys. 256 256 bit keys. R1(config-isakmp)#encryp aes

Encryption part

Configuring pre-shared keys is the easiest. With pre-shared keys, the same key (symmetric) is used on both peers to perform the device authentication.
Pre-shared keys, symmetric or asymmetric, commonly are used when you have a small number of devices with which you need to establish IPsec tunnels, however, pre-shared keys scale poorly and thus digital certificates are used to solve the device authentication scalability issues. The one advantage that pre-shared keys have over certificates, especially symmetric pre-shared keys, is that they are simple to set up on the two IPsec peers.


Cisco routers support three methods of authenticating IPsec devices (peers): Pre-shared keys, RSA encrypted nonces, and RSA signatures (digital certificates).

Authentication part

Router(config-isakmp)#authentication ? pre-share Pre-Shared Key rsa-encr Rivest-Shamir-Adleman Encryption rsa-sig Rivest-Shamir-Adleman Signature

Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. Higher group numbers are more secure, but require additional time to compute the key.

Both peers in a VPN exchange must use the same DH group, which is negotiated during Phase 1 of the IPSec negotiation process.

R1(config-isakmp)#group ? 1 Diffie-Hellman group 1 2 Diffie-Hellman group 2 5 Diffie-Hellman group 5 R1(config-isakmp)#group 2

PSK and peer IP address, IP address is peers's IP , bypassing router R2 in our case

R1(config)#crypto isakmp key ? WORD The UNENCRYPTED (cleartext) user password R1(config)#crypto isakmp key MyVPNPassword ? address define shared key with IP address R1(config)#crypto isakmp key MyVPNPassword address ? A.B.C.D Peer IP address R1(config)#crypto isakmp key MyVPNPassword address ? A.B.C.D Peer IP subnet mask R1(config)#crypto isakmp key MyVPNPassword address

Configuring the ISAKMP Phase 2 properties

Configuring an IKE Phase 2 Tunnel

Router(config)#crypt ipsec ? client Configure a client df-bit Handling of encapsulated DF bit. fragmentation Handling of fragmentation of near-MTU sized packets nat-transparency IPsec NAT transparency model optional Enable optional encryption for IPSec profile Configure an ipsec policy profile security-association Security association parameters transform-set Define transform and settings

Define transform sets, for the IPsec encryption, hashing, and other choices.

Router(config)#crypt ipsec transform-set ? WORD Transform set tag

AH-MD5-HMAC - Authentication Header with the MD5 (HMAC variant)
HMAC - Hash-based Message Authentication Code
SHA - Secure Hashing Algorithm
COMP-LZS - IP compression algorithm
ESP - Encapsulating Security Payload. An IPSec protocol that provides both data integrity and confidentiality
SEAL - Software Encryption Algorithm

specifying the encryption algorithm

ESP-NULL - ESP transform that provides no encryption and no confidentiality.

Router(config)#crypt ipsec transform-set MySet ? ah-md5-hmac AH-HMAC-MD5 transform ah-sha-hmac AH-HMAC-SHA transform comp-lzs IP Compression using the LZS compression algorithm esp-3des ESP transform using 3DES(EDE) cipher (168 bits) esp-aes ESP transform using AES cipher esp-des ESP transform using DES cipher (56 bits) esp-md5-hmac ESP transform using HMAC-MD5 auth esp-null ESP transform w/o cipher esp-seal ESP transform using SEAL cipher (160 bits) esp-sha-hmac ESP transform using HMAC-SHA auth

specifying the hashing algorithm

Router(config)#crypt ipsec transform-set MySet esp-3des ? ah-md5-hmac AH-HMAC-MD5 transform ah-sha-hmac AH-HMAC-SHA transform comp-lzs IP Compression using the LZS compression algorithm esp-md5-hmac ESP transform using HMAC-MD5 auth esp-sha-hmac ESP transform using HMAC-SHA auth R1(config)# crypto ipsec transform-set MySet esp-3des esp-sha-hmac

now we bind already created MySet to some map (MyMap)

Router(config)#crypto map MyMap 10 ipsec-isakmp % NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured. Router(config-crypto-map)#se Router(config-crypto-map)#set transform-set kkk ERROR: transform set with tag "kkk" does not exist. Router(config-crypto-map)#set transform-set MySet

defining other options, 101 - is an predefined ACL number

R1(config-crypto-map)# description VPN connection to R3 R1(config-crypto-map)# set peer R1(config-crypto-map)# match address 110 R1(config-crypto-map)# exit

binding the VPN-MAP crypto map to the outgoing Serial 0/0/0 interface

R1(config)# interface S0/0/0 R1(config-if)# crypto map VPN-MAP

checking with sh crypto map command:

Router#sh crypto map Crypto Map "MyMap" 10 ipsec-isakmp Peer = Extended IP access list 110 access-list 110 permit ip 5 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ MySet, } Interfaces using crypto map MyMap: Crypto Map "VPN-MAP" 10 ipsec-isakmp WARNING: This crypto map is in an incomplete state! (missing peer or access-list definitions) No matching address list set. Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ MySet, } Interfaces using crypto map VPN-MAP: Router#