
IPSec Example

IPsec Example
by Priscilla Oppenheimer

This example annotates the configuration of two Cisco routers configured to send encrypted traffic across an IPsec tunnel. Following the annotations are some explanations of Cisco show commands that are useful when troubleshooting IPsec. The two routers are connected via Frame Relay. Each router also has a Fast Ethernet interface where end nodes reside, as shown in the following figure. The end nodes' traffic will be encrypted when traversing the IPsec tunnel.

R1 Annotated Configuration
R1's configuration is shown below. Annotations start with !---- and end with ----! (they appear in blue on the original page).

R1#show run
Building configuration...

Current configuration : 1907 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
http://www.priscilla.com/ipsecexample.htm (1 of 8)03/01/2012 12:07:05

ip cef
!
!---- The IPsec configuration starts with configuring the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP is a framework for authentication and key exchange. Cisco uses Internet Key Exchange (IKE), which is derived from ISAKMP. IKE establishes a shared security policy and authenticated keys for IPsec to use. First we create Policy 1. Then we say that we'll use MD5 to hash the IKE exchange, though we could use SHA (the Cisco default). We'll use DES to encrypt IKE, though we could use AES. (Because DES is the default it doesn't show in the configuration.) We could use a Certificate Authority (CA) for authentication, but for our example we will manually enter a preshared key into each router. We will use "MyKey" for the key. We also provide the address of our peer, 10.102.0.2. ----!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key MyKey address 10.102.0.2
!
!---- Next, we create an IPsec transform set that we call MySet. We specify the authentication protocol for the IPsec Authentication Header (AH) and we specify the encryption protocol for the IPsec Encapsulating Security Payload (ESP). These don't have to be the same protocols that IKE uses. In fact, we'll use SHA for authentication and AES256 for encryption. ----!
crypto ipsec transform-set MySet ah-sha-hmac esp-aes 256
!
!---- You can't expect Cisco to make anything easy! So next we create a crypto map, called MyMap, with sequence number 1. (A crypto map can be a collection of entries, each with a different sequence number, though we'll just use one entry.) The ipsec-isakmp argument tells the router that this map is an IPsec map. We tell the router about its peer (10.102.0.2) yet again and we set the security-association (SA) lifetime. We will use 190 seconds for the SA lifetime because Cisco examples use 190. It seems too short but there's a tradeoff. If you make it too long you risk attackers being more successful. If you make it too short, the routers have to do more work to renegotiate the SA more often. The default is based on a global command that affects all maps and is 3600 seconds (one hour). Our crypto map points to our MySet transform set. It also references access-list 101, which is later in the configuration and specifies which traffic will be encrypted. ----!
crypto map MyMap 1 ipsec-isakmp
 set peer 10.102.0.2
 set security-association lifetime seconds 190
 set transform-set MySet
 match address 101
!
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.0.0
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
!
!---- Here we apply our crypto map to the interface that will be sending the encrypted traffic. The interface is a Frame Relay sub-interface with DLCI 102 that connects to our peer at the other end. Our address is 10.102.0.1. (Our peer is 10.102.0.2, as we've already seen.) ----!
interface Serial1/0.102 point-to-point
 ip address 10.102.0.1 255.255.0.0
 frame-relay interface-dlci 102
 crypto map MyMap
!
router ospf 100
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
no ip http server
no ip http secure-server
!
!---- Access list 101 specifies which traffic will use IPsec. Note that access-list 101 is referenced in the crypto map statement for MyMap above. ----!
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
end
R1#
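Access list 101 above selects the "interesting" traffic with IOS wildcard masks, where a 0 bit must match and a 1 bit is ignored. The following Python is an added example, not part of the original page or of Cisco IOS: it parses a single crypto ACL entry, applies the wildcard test to candidate flows, and converts network/wildcard into the prefix form that the show commands later print. The host addresses in the flow list are constructed for the test; only the network/wildcard form of an ACE is supported.

```python
import ipaddress

# Constructed copy of the crypto ACL entry from the R1 configuration above.
ACL_101 = "access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255"


def parse_ace(line):
    """Parse one 'access-list N permit|deny ip SRC SRC-WC DST DST-WC' entry."""
    f = line.split()
    if len(f) != 8 or f[0] != "access-list" or f[3] != "ip":
        raise ValueError(f"unsupported ACE (only network/wildcard form): {line}")
    return {"number": int(f[1]), "action": f[2],
            "src": (f[4], f[5]), "dst": (f[6], f[7])}


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: where the wildcard bit is 0 the address bit must
    equal the network bit; where it is 1 the bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def wildcard_to_network(network, wildcard):
    """Convert network/wildcard to the prefix form that 'show crypto session'
    prints (10.0.0.0/255.0.0.0). Only contiguous wildcards have a prefix form."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no prefix form")
    mask = ipaddress.IPv4Address(~w & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{network}/{mask}", strict=False)


def is_interesting(ace, src, dst):
    """True when an IP packet src->dst is selected for IPsec by this ACE."""
    return (ace["action"] == "permit"
            and wildcard_match(src, *ace["src"])
            and wildcard_match(dst, *ace["dst"]))


def classify(ace_line, flows):
    """Return {(src, dst): 'ipsec' | 'cleartext'} for a list of (src, dst) flows."""
    ace = parse_ace(ace_line)
    return {(s, d): ("ipsec" if is_interesting(ace, s, d) else "cleartext")
            for s, d in flows}


if __name__ == "__main__":
    # Constructed flows: R1-LAN host to R2-LAN host, to an outside address, and back.
    flows = [("10.1.0.5", "10.2.0.7"), ("10.1.0.5", "192.0.2.1"), ("10.2.0.7", "10.1.0.5")]
    for (s, d), verdict in classify(ACL_101, flows).items():
        print(f"{s} -> {d}: {verdict}")
    print(wildcard_to_network("10.0.0.0", "0.255.255.255").with_netmask)
```

The wildcard test is the same one the router applies before deciding whether a packet leaves the sub-interface through the crypto map; a flow that does not match is forwarded in the clear, which is why auditing the crypto ACL is the first step when traffic that should be protected is not.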

R2 Annotated Configuration

R2's configuration is shown below. Annotations start with !---- and end with ----! (they appear in blue on the original page). Notice that R2 needs fewer annotations. It needs to match R1 so they will act like nice peers and not fight with each other.

R2#show run
Building configuration...

Current configuration : 1894 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
!
!---- Here we configure ISAKMP (IKE) as we did on R1. Note that for R2, we use 10.102.0.1 (R1) for our peer. ----!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key MyKey address 10.102.0.1
!
!---- Next, we create an IPsec transform set like we did on R1. ----!
crypto ipsec transform-set MySet ah-sha-hmac esp-aes 256
!
!---- Here's our map that points to our peer (R1) and references access list 101. ----!
crypto map MyMap 1 ipsec-isakmp
 set peer 10.102.0.1
 set security-association lifetime seconds 190
 set transform-set MySet
 match address 101
!
interface FastEthernet0/0
 ip address 10.2.0.1 255.255.0.0
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay lmi-type ansi
!
!---- Add the crypto map to the interface that connects back to R1. ----!
interface Serial1/0.201 point-to-point
 ip address 10.102.0.2 255.255.0.0
 frame-relay interface-dlci 201
 crypto map MyMap
!
router ospf 100
 log-adjacency-changes
 network 10.0.0.0 0.255.255.255 area 0
!
no ip http server
no ip http secure-server
!
!---- As we did on R1, we define an access list to specify which traffic will use IPsec. The access list is referenced in the crypto map statement for MyMap above. ----!
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end
R2#
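The text stresses that R2 "needs to match R1": the peer addresses must point at each other's crypto interface, the pre-shared keys must be equal, the ISAKMP policy and transform set must agree, and the crypto ACLs must be mirror images. The Python below is an added example (not from the original page or from Cisco) that parses the IPsec-relevant lines of two IOS running configurations and reports every such mismatch. The two embedded excerpts are constructed from the R1 and R2 configurations above; the parser understands only the statement forms that appear there.

```python
import re

# Constructed excerpts of the R1 and R2 configurations shown above
# (only the IPsec-relevant statements are reproduced).
R1_CONF = """
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key MyKey address 10.102.0.2
crypto ipsec transform-set MySet ah-sha-hmac esp-aes 256
crypto map MyMap 1 ipsec-isakmp
 set peer 10.102.0.2
 set security-association lifetime seconds 190
 set transform-set MySet
 match address 101
interface Serial1/0.102 point-to-point
 ip address 10.102.0.1 255.255.0.0
 crypto map MyMap
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
"""
R2_CONF = R1_CONF.replace("10.102.0.2", "PEER").replace("10.102.0.1", "10.102.0.2") \
                 .replace("PEER", "10.102.0.1").replace("Serial1/0.102", "Serial1/0.201")


def parse_ipsec(conf):
    """Pull the ISAKMP policy, keys, transform set, crypto map, crypto ACLs and
    the address of the interface carrying the crypto map out of an IOS config."""
    c = {"policy": {}, "keys": {}, "transform": None, "map": {}, "acl": {}, "crypto_if_ip": None}
    section, cur_ip = "", None
    for raw in conf.splitlines():
        if not raw.strip():
            continue
        indented, line = raw.startswith(" "), raw.strip()
        if not indented:                       # top-level statement
            section, cur_ip = line, None
            if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                c["keys"][m.group(2)] = m.group(1)
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                c["transform"] = (m.group(1), m.group(2).split())
            elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
                c["acl"][m.group(1)] = ((m.group(2), m.group(3)), (m.group(4), m.group(5)))
            continue
        if section.startswith("crypto isakmp policy"):
            key, _, value = line.partition(" ")
            c["policy"][key] = value
        elif section.startswith("crypto map"):
            words = line.split()
            if line.startswith("set peer "):
                c["map"]["peer"] = words[2]
            elif line.startswith("set security-association lifetime seconds "):
                c["map"]["lifetime"] = int(words[-1])
            elif line.startswith("set transform-set "):
                c["map"]["transform"] = words[2]
            elif line.startswith("match address "):
                c["map"]["acl"] = words[2]
        elif section.startswith("interface"):
            if m := re.match(r"ip address (\S+) ", line):
                cur_ip = m.group(1)
            elif line.startswith("crypto map "):
                c["crypto_if_ip"] = cur_ip
    return c


def verify_pair(conf_a, conf_b):
    """Return a list of mismatch descriptions; an empty list means the two
    routers are configured as matching IPsec peers."""
    a, b = parse_ipsec(conf_a), parse_ipsec(conf_b)
    problems = []
    for x, y, name in ((a, b, "first"), (b, a, "second")):
        peer = x["map"].get("peer")
        if peer != y["crypto_if_ip"]:
            problems.append(f"{name} router: set peer {peer} is not the other side's "
                            f"crypto interface address {y['crypto_if_ip']}")
        if peer not in x["keys"]:
            problems.append(f"{name} router: no crypto isakmp key for peer {peer}")
        if x["transform"] is None or x["map"].get("transform") != x["transform"][0]:
            problems.append(f"{name} router: crypto map references an undefined transform set")
    keys = [x["keys"].get(x["map"].get("peer")) for x in (a, b)]
    if None not in keys and keys[0] != keys[1]:
        problems.append("pre-shared keys differ")
    if a["policy"] != b["policy"]:
        problems.append(f"ISAKMP policy differs: {a['policy']} vs {b['policy']}")
    if a["transform"] and b["transform"] and a["transform"][1] != b["transform"][1]:
        problems.append("transform sets differ")
    if a["map"].get("lifetime") != b["map"].get("lifetime"):
        problems.append("SA lifetimes differ")
    acl_a, acl_b = a["acl"].get(a["map"].get("acl")), b["acl"].get(b["map"].get("acl"))
    if acl_a is None or acl_b is None:
        problems.append("crypto map references a missing access list")
    elif acl_a != (acl_b[1], acl_b[0]):   # B's source must be A's destination and vice versa
        problems.append("crypto ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    print("R1/R2 as configured:", verify_pair(R1_CONF, R2_CONF) or "OK")
    print("R2 with a mistyped key:", verify_pair(R1_CONF, R2_CONF.replace("MyKey", "MyKei")))
```

Running the checker against a deliberately altered copy (a mistyped key, a different hash in policy 1) shows the kind of one-character mismatch that otherwise only surfaces as an IKE negotiation that never reaches UP-ACTIVE.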

R2 Show Commands
Once you have configured the router peers, a variety of show commands will help you verify that the security associations are live and the traffic is being encrypted.

!---- The show crypto session command lets us verify that the IKE session is active. Notice that we're talking to our peer via UDP port 500, the port for IKE. ----!

R2#show crypto session
Crypto session current status

Interface: Serial1/0.201
Session status: UP-ACTIVE
Peer: 10.102.0.1 port 500
  IKE SA: local 10.102.0.2/500 remote 10.102.0.1/500 Active
  IPSEC FLOW: permit ip 10.0.0.0/255.0.0.0 10.0.0.0/255.0.0.0
        Active SAs: 4, origin: crypto map

!---- The show crypto isakmp policy command tells us more than we ever wanted to know about our IKE session. ----!

R2#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

!---- The show crypto map command verifies our IPsec status. We aren't using Perfect Forward Secrecy (PFS) as we don't need that extra protection from evil-doers. ----!

R2#show crypto map
Crypto Map "MyMap" 1 ipsec-isakmp
        Peer = 10.102.0.1
        Extended IP access list 101
            access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
        Current peer: 10.102.0.1
        Security association lifetime: 4608000 kilobytes/190 seconds
        PFS (Y/N): N
        Transform sets={
                MySet,
        }
        Interfaces using crypto map MyMap:
                Serial1/0.201

!---- The show crypto ipsec transform-set command verifies our IPsec status and shows that we're using tunnel mode (rather than transport mode). Tunnel mode is appropriate for a router-to-router configuration as opposed to an end node talking to another end node. ----!

R2#show crypto ipsec transform-set
Transform set MySet: { ah-sha-hmac  }
   will negotiate = { Tunnel,  },
   { esp-256-aes  }
   will negotiate = { Tunnel,  },

!---- The show crypto ipsec sa command shows identity information and packet counts and then displays information about all our security associations (SAs). Notice that there's an inbound SA and an outbound SA for both authentication (AH) and encryption (ESP). The inbound and outbound Payload Compression Protocol (PCP) SAs aren't active, but the others are. They became active because a PC connected to R1's Fast Ethernet interface pinged a PC connected to R2's Fast Ethernet interface. Each SA is identified by a unique security parameter index (SPI). ----!

R2#show crypto ipsec sa

interface: Serial1/0.201
    Crypto map tag: MyMap, local addr 10.102.0.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 10.102.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 10.102.0.2, remote crypto endpt.: 10.102.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0.201
     current outbound spi: 0x8590D11F(2240860447)

     inbound esp sas:
      spi: 0xFDC7B87B(4257724539)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: MyMap
        sa timing: remaining key lifetime (k/sec): (4565647/146)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0x11B79D1C(297245980)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: MyMap
        sa timing: remaining key lifetime (k/sec): (4565647/140)
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8590D11F(2240860447)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: MyMap
        sa timing: remaining key lifetime (k/sec): (4565647/134)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0xECA2A6B8(3970082488)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: MyMap
        sa timing: remaining key lifetime (k/sec): (4565647/132)
        replay detection support: Y
        Status: ACTIVE

     outbound pcp sas:
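The show crypto ipsec sa output above is what an operator reads when deciding whether the tunnel is healthy: one ACTIVE SA per direction for each of ESP and AH, matching encrypt/digest counters, replay detection enabled, and no send errors. The Python below is an added example (not part of the original page or of Cisco IOS) that parses that output into a structure and runs those checks over it. The embedded sample is a constructed, trimmed copy of the listing above; the line layout the parser expects is the one shown there.

```python
import re

# Constructed sample: the 'show crypto ipsec sa' listing above, trimmed to the
# lines the parser uses.
SAMPLE = """\
interface: Serial1/0.201
    Crypto map tag: MyMap, local addr 10.102.0.2
   current_peer 10.102.0.1 port 500
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #send errors 2, #recv errors 0
     inbound esp sas:
      spi: 0xFDC7B87B(4257724539)
        transform: esp-256-aes ,
        sa timing: remaining key lifetime (k/sec): (4565647/146)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
      spi: 0x11B79D1C(297245980)
        transform: ah-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4565647/140)
        replay detection support: Y
        Status: ACTIVE
     inbound pcp sas:
     outbound esp sas:
      spi: 0x8590D11F(2240860447)
        transform: esp-256-aes ,
        sa timing: remaining key lifetime (k/sec): (4565647/134)
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
      spi: 0xECA2A6B8(3970082488)
        transform: ah-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4565647/132)
        replay detection support: Y
        Status: ACTIVE
     outbound pcp sas:
"""


def parse_ipsec_sa(text):
    """Parse 'show crypto ipsec sa' into peer, packet counters and a list of SAs."""
    result = {"peer": None, "counters": {}, "sas": []}
    group, sa = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"current_peer (\S+)", line):
            result["peer"] = m.group(1)
        for name, value in re.findall(r"#pkts ([^:,]+): (\d+)", line):
            result["counters"][name.strip()] = int(value)
        if m := re.search(r"#send errors (\d+), #recv errors (\d+)", line):
            result["counters"]["send errors"] = int(m.group(1))
            result["counters"]["recv errors"] = int(m.group(2))
        if m := re.match(r"(inbound|outbound) (\w+) sas:", line):
            group, sa = (m.group(1), m.group(2)), None     # new SA group, e.g. inbound esp
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            sa = {"direction": group[0], "protocol": group[1], "spi": int(m.group(1), 16),
                  "transform": None, "kb_left": None, "sec_left": None,
                  "replay": None, "status": None}
            result["sas"].append(sa)
        elif sa is not None:                              # attributes of the current SA
            if m := re.match(r"transform: (\S+)", line):
                sa["transform"] = m.group(1)
            elif m := re.search(r"\(k/sec\): \((\d+)/(\d+)\)", line):
                sa["kb_left"], sa["sec_left"] = int(m.group(1)), int(m.group(2))
            elif m := re.match(r"replay detection support: (\w)", line):
                sa["replay"] = m.group(1) == "Y"
            elif m := re.match(r"Status: (\w+)", line):
                sa["status"] = m.group(1)
    return result


def audit(parsed, expected_protocols=("esp", "ah")):
    """Findings a troubleshooter would act on; an empty list means the tunnel
    looks healthy for the protocols the transform set negotiates."""
    findings, c = [], parsed["counters"]
    if c.get("send errors", 0):
        findings.append(f"{c['send errors']} send errors reported by the crypto engine")
    if not (c.get("encaps") == c.get("encrypt") == c.get("digest")):
        findings.append("encaps/encrypt/digest counters disagree")
    for direction in ("inbound", "outbound"):
        for proto in expected_protocols:
            if not any(s["direction"] == direction and s["protocol"] == proto
                       and s["status"] == "ACTIVE" for s in parsed["sas"]):
                findings.append(f"no ACTIVE {direction} {proto} SA")
    for s in parsed["sas"]:
        if s["status"] == "ACTIVE" and not s["replay"]:
            findings.append(f"{s['direction']} {s['protocol']} SA spi 0x{s['spi']:08X} "
                            "has replay detection disabled")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE)
    for s in parsed["sas"]:
        print(f"{s['direction']:8} {s['protocol']:3} spi 0x{s['spi']:08X} "
              f"{s['transform']:12} {s['sec_left']:>4}s left  {s['status']}")
    print("findings:", audit(parsed) or "none")
```

On the page's own output the only finding is the two send errors, which is the right place to look next; the four ACTIVE SAs, the agreeing 13/13/13 counters and replay detection on every SA all pass.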
