Creating Site-to-Site VPNs with Pre-Shared Keys @ Cisco Router

Documentation:

     1. Document your IKE Phase 1 negotiation criteria (example below)
          • Hashing: SHA-1
          • Authentication: pre-shared
          • Key exchange: Diffie-Hellman Group 2

     2. Document your IPSec (IKE Phase 2) negotiation criteria (example below)
          • Encryption algorithm: esp-aes 128
          • Authentication: esp-sha-hmac

Configuring IKE Phase 1:
     1. Enable ISAKMP
          • Router(config)#crypto isakmp enable
     2. Create ISAKMP policy: Router(config)#crypto isakmp policy <1-10000>
          • Router(config)#crypto isakmp policy 100
          • Router(config-isakmp)#encryption aes 128
          • Router(config-isakmp)#authentication pre-share
          • Router(config-isakmp)#group 2
          • Router(config-isakmp)#hash sha
          • Router(config-isakmp)#exit
     3. Configure ISAKMP Identity: Router(config)#crypto isakmp identity <address/hostname>
          • Router(config)#crypto isakmp identity address
     4. Configure ISAKMP key (the leading 0 means the key is entered in cleartext): Router(config)#crypto isakmp key 0 <Pre-Shared-Key> address <remote IP address>
          • Router(config)#crypto isakmp key 0 SUPERSECRETKEY address 1.1.1.2

Configuring IKE Phase 2:
     1. Create transform sets: Router(config)#crypto ipsec transform-set <name> <methods>
          • Router(config)#crypto ipsec transform-set SET-NAME esp-aes 128 esp-sha-hmac
          • Router(cfg-crypto-trans)#mode tunnel
          • Router(cfg-crypto-trans)#exit
     2. (optional) Configure IPSec lifetime: Router(config)#crypto ipsec security-association lifetime <seconds/kilobytes> <value>
          • Router(config)#crypto ipsec security-association lifetime seconds 86400
     3. Create mirrored ACLs defining the traffic to be encrypted and the traffic expected to be received encrypted (the remote peer's ACL has source and destination swapped): Router(config)#ip access-list extended <name>
          Router(config-ext-nacl)#permit ip <source network> <wildcard> <destination network> <wildcard>
          • Router(config)#ip access-list extended S2S-VPN-TRAFFIC
          • Router(config-ext-nacl)#permit ip 172.30.2.0 0.0.0.255 192.168.1.0 0.0.0.255
          • Router(config-ext-nacl)#exit
     4. Set up IPSec crypto map: Router(config)#crypto map <name> <seq> ipsec-isakmp
          • Router(config)#crypto map S2S-VPN 100 ipsec-isakmp
               o Router(config-crypto-map)#match address S2S-VPN-TRAFFIC
               o Router(config-crypto-map)#set peer 1.1.1.2 (the remote IP)
               o Router(config-crypto-map)#set pfs group2 (optional; group1, group2 or group5)
               o Router(config-crypto-map)#set transform-set SET-NAME

Apply to Interface:
     1. Apply crypto map to the outside interface
          • Router(config)#int fa4
          • Router(config-if)#crypto map S2S-VPN


Create Interesting Traffic:
     1. Ping from source network to destination network.

Verify:
     1. Show and debug commands (a state of QM_IDLE in show crypto isakmp sa means Phase 1 completed)
          • Router#show crypto isakmp sa
          • Router#show crypto ipsec sa
          • Router#debug crypto isakmp
          • Router#debug crypto ipsec
          • Router#show crypto map
          • Router#show crypto isakmp policy
          • Router#show crypto ipsec transform-set
          • Router#clear crypto sa (tears down the IPSec SAs; the tunnel is rebuilt on the next interesting packet)
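The steps above hinge on names and addresses matching across objects (the crypto map's ACL, transform set and peer must all exist, and the map must be applied to an interface), and a typo in any of them gives a tunnel that never comes up. As an added example, not part of the original notes, here is a small Python checker that parses a running-config fragment in the form IOS prints it and reports dangling references; the sample config is constructed and deliberately misspells the ACL name in the crypto map.

```python
import re
# Constructed sample running-config (not from a real router) following the steps
# above, with one deliberate slip: the crypto map names the ACL with a typo.
SAMPLE_CONFIG = """\
crypto isakmp key SUPERSECRETKEY address 1.1.1.2
crypto ipsec transform-set SET-NAME esp-aes esp-sha-hmac
crypto map S2S-VPN 100 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set SET-NAME
 match address S2S-VPNTRAFFIC
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 172.30.2.0 0.0.0.255 192.168.1.0 0.0.0.255
interface FastEthernet4
 crypto map S2S-VPN
"""

def parse_config(text):
    """Collect what a crypto map must tie together: ACLs, transform sets, keyed peers."""
    acls, tsets, keys, applied, maps = set(), set(), set(), set(), {}
    current = None  # crypto map entry whose indented sub-commands we are reading
    for line in text.splitlines():
        cmd = line.strip()
        if not line.startswith(" "):  # a top-level command ends any map entry
            current = None
            if m := re.match(r"ip access-list extended (\S+)", cmd):
                acls.add(m[1])
            elif m := re.match(r"crypto ipsec transform-set (\S+)", cmd):
                tsets.add(m[1])
            elif m := re.match(r"crypto isakmp key (?:\d+ )?\S+ address (\S+)", cmd):
                keys.add(m[1])
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", cmd):
                current = maps.setdefault((m[1], int(m[2])), {})
        elif current is not None:  # sub-command of the current map entry
            if m := re.match(r"(match address|set peer|set transform-set) (\S+)", cmd):
                current[m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+)$", cmd):  # applied under an interface
            applied.add(m[1])
    return acls, tsets, keys, applied, maps

def check_vpn_config(text):
    acls, tsets, keys, applied, maps = parse_config(text)
    findings = []  # empty list means every reference in every crypto map resolves
    for (name, seq), entry in maps.items():
        tag = f"crypto map {name} {seq}"
        if name not in applied:
            findings.append(f"{tag}: not applied to any interface")
        for cmd, known, what in (("match address", acls, "ACL"), ("set peer", keys, "isakmp key"),
                                 ("set transform-set", tsets, "transform-set")):
            if entry.get(cmd) not in known:
                findings.append(f"{tag}: {cmd} {entry.get(cmd)} has no matching {what}")
    return findings
```

Feed it the output of show running-config | section crypto|access-list|interface and fix whatever it lists before reaching for debug crypto isakmp.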
