
IPsec VPNs

IPsec Components and IPsec VPN Features

IPsec Overview

What Is IPsec?
IPsec is an IETF standard that employs cryptographic mechanisms on the network layer:
Authentication of every IP packet
Verification of data integrity for each packet
Confidentiality of packet payload

IPsec consists of open standards for securing private communications.
Scales from small to very large networks.
Is available in Cisco IOS software version 11.3(T) and later.
Is included in PIX Firewall version 5.0 and later.

IPsec Security Features

IPsec is the only standard Layer 3 technology that provides:
Confidentiality
Data integrity
Authentication
Replay detection

IPsec Protocols
IPsec uses three main protocols to create a security framework:
Internet Key Exchange (IKE): provides a framework for negotiation of security parameters and establishment of authenticated keys
Encapsulating Security Payload (ESP): provides a framework for encrypting, authenticating, and securing data
Authentication Header (AH): provides a framework for authenticating and securing data

IPsec Headers

The IPsec headers provide the following:
Authentication and data integrity (MD5 or SHA-1 HMAC): with both AH and ESP
Confidentiality (DES, 3DES, or AES): only with ESP

Peer Authentication

Peer authentication methods:
Username and password
OTP (PIN/TAN)
Biometric
Preshared keys
Digital certificates

IPsec VPNs

Site-to-Site IPsec VPN Operation

Site-to-Site IPsec VPN Operations

Five Steps of IPsec

Step 1: Interesting Traffic

Step 2: IKE Phase 1

IKE Policy

Negotiates matching IKE transform sets to protect IKE exchange

Authenticate Peer Identity

Peer authentication methods:
Preshared keys
RSA signatures
RSA encrypted nonces

Step 3: IKE Phase 2

Negotiates IPsec security parameters (IPsec transform sets)
Establishes IPsec SAs
Periodically renegotiates IPsec SAs to ensure security
Optionally, performs an additional Diffie-Hellman exchange

IPsec Transform Sets

A transform set is a combination of algorithms and protocols that enact a security policy for traffic.
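IKE Phase 1 policy matching and Phase 2 transform-set selection, as an added example that is not part of the original slides. It models a responder walking its ISAKMP policies by priority (lowest number first) and accepting the first whose encryption, hash, authentication method and DH group all equal a peer proposal; the lifetime handling (shorter value wins) is a simplification of the IOS rule, and the policies and transform sets are constructed sample data.

```python
"""Models IKE Phase 1 policy matching and Phase 2 transform-set selection.

Added example, not from the original slides. A responder walks its
ISAKMP policies by priority (lowest number first) and accepts the first
whose encryption, hash, authentication and DH group all equal a peer
proposal; lifetime need not match and the shorter value is used (a
simplification of the IOS rule). Policies and sets are constructed data.
"""
from dataclasses import dataclass

# Algorithms the slides list that a defender should no longer accept.
WEAK = {"des", "3des", "md5", "group1", "group2"}

@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str  # des, 3des or aes
    hash_alg: str    # md5 or sha
    auth: str        # pre-share, rsa-sig or rsa-encr
    group: str       # Diffie-Hellman group
    lifetime: int    # seconds

    def attrs(self):
        return (self.encryption, self.hash_alg, self.auth, self.group)

def negotiate_ike(local, proposals):
    """Return (matched local policy, agreed lifetime), or None."""
    for pol in sorted(local, key=lambda p: p.priority):
        for prop in proposals:
            if pol.attrs() == prop.attrs():
                return pol, min(pol.lifetime, prop.lifetime)
    return None

def negotiate_transform_set(local_sets, peer_sets):
    """Phase 2: the first local transform set the peer also offers."""
    return next((ts for ts in local_sets if ts in peer_sets), None)

def weak_parts(policy):
    """Which attributes of a policy rely on algorithms in WEAK."""
    return sorted({policy.encryption, policy.hash_alg, policy.group} & WEAK)

# Constructed sample: a strong primary policy plus a legacy fallback.
LOCAL = [IkePolicy(10, "aes", "sha", "pre-share", "group14", 86400),
         IkePolicy(20, "3des", "md5", "pre-share", "group2", 86400)]
PEER = [IkePolicy(1, "3des", "md5", "pre-share", "group2", 3600)]
# Transform sets as (encryption, HMAC, mode) tuples.
LOCAL_SETS = [("esp-aes", "esp-sha-hmac", "tunnel"),
              ("esp-3des", "esp-md5-hmac", "tunnel")]
PEER_SETS = [("esp-3des", "esp-md5-hmac", "tunnel")]
# negotiate_ike(LOCAL, PEER) -> (policy 20, 3600); weak_parts -> ['3des', 'group2', 'md5']
```

Because the peer only offers the legacy proposal, the fallback policy 20 is chosen even though policy 10 is stronger; removing the fallback makes the negotiation fail instead of downgrading.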

Security Associations
SA database:
Destination IP address
SPI
Protocol (ESP or AH)

Security policy database:
Encryption algorithm
Authentication algorithm
Mode
Key lifetime

Configuring IPsec

Site-to-Site IPsec Configuration: Phase 1

Site-to-Site IPsec Configuration: Phase 2

Site-to-Site IPsec Configuration: Apply VPN Configuration

Site-to-Site IPsec Configuration: Interface ACL


When filtering at the edge, there is not much to see:
IKE: UDP port 500
ESP and AH: IP protocol numbers 50 and 51, respectively

With NAT transparency enabled:
UDP port 4500
TCP (port number has to be configured)

Site-to-Site IPsec Configuration: Interface ACL (Cont.)

Router1#show access-lists
access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20
access-list 102 permit esp host 172.16.172.10 host 172.16.171.20
access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp

Ensure that IP protocols 50 and 51 and UDP port 500 traffic are not blocked on the interfaces used by IPsec.
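An added check, not part of the original slides, that parses ACL lines in the form shown above and reports whether the IPsec building blocks (ESP, AH, IKE, and NAT-T when NAT transparency is enabled) are permitted between a peer pair. The ACL text and the packets are constructed sample data; the UDP 4500 line is added here and is not in the slide output.

```python
"""Evaluates whether an interface ACL lets IPsec traffic through.

Added example, not from the original slides. It parses Cisco-style
extended ACL lines like the 'show access-lists' output above and
reports whether ESP (IP protocol 50), AH (51), IKE (UDP/500) and
NAT-T (UDP/4500) are permitted for a peer pair. The ACL text and the
packets are constructed sample data; the UDP 4500 line is added here.
"""
PROTO_NUM = {"ahp": 51, "esp": 50, "udp": 17, "tcp": 6}
PORT_NAME = {"isakmp": 500}
ACL_TEXT = """\
access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20
access-list 102 permit esp host 172.16.172.10 host 172.16.171.20
access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp
access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq 4500
"""

def parse_acl(text):
    """Return (action, protocol number, src, dst, dst port or None) tuples."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 8 or t[0] != "access-list" or t[4] != "host":
            continue  # only the 'host A host B' form shown on the slide
        port = None
        if len(t) >= 10 and t[8] == "eq":
            port = PORT_NAME.get(t[9]) or int(t[9])
        rules.append((t[2], PROTO_NUM[t[3]], t[5], t[7], port))
    return rules

def permitted(rules, proto, src, dst, dport=None):
    """First matching entry decides; no match means the implicit deny."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto, r_src, r_dst) != (proto, src, dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action == "permit"
    return False

def ipsec_path(rules, src, dst):
    """Which of the IPsec building blocks can reach dst from src."""
    return {"esp": permitted(rules, 50, src, dst),
            "ah": permitted(rules, 51, src, dst),
            "ike": permitted(rules, 17, src, dst, 500),
            "nat-t": permitted(rules, 17, src, dst, 4500)}

RULES = parse_acl(ACL_TEXT)
print(ipsec_path(RULES, "172.16.172.10", "172.16.171.20"))
```

Dropping the last ACL line reproduces the classic failure where IKE completes but no traffic flows once a NAT sits in the path, because the UDP 4500 encapsulation hits the implicit deny.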

Summary
IPsec operation includes these steps: initiation of the IPsec process by interesting traffic, IKE Phase 1, IKE Phase 2, data transfer, and IPsec tunnel termination.
To configure a site-to-site IPsec VPN: configure the ISAKMP policy, define the IPsec transform set, create a crypto ACL, create a crypto map, apply the crypto map, and configure the interface ACL.
To define an IKE policy, use the crypto isakmp policy global configuration command.
To define an acceptable combination of security protocols and algorithms used for IPsec, use the crypto ipsec transform-set global configuration command.
To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command.
Configure an ACL to permit the IPsec protocols (IP protocol 50 for ESP or 51 for AH) and the IKE protocol (UDP/500).

IPsec VPNs

Configuring IPsec Site-to-Site VPN Using SDM

Introducing the SDM VPN Wizard Interface

Cisco Router and SDM

What Is Cisco SDM?


SDM is an embedded web-based management tool.
It provides intelligent wizards to enable quicker and easier deployments, and does not require knowledge of the Cisco IOS CLI or security expertise.
It contains tools for more advanced users:
ACL editor
VPN crypto map editor
Cisco IOS CLI preview

Introducing the SDM VPN Wizard Interface


Wizards for IPsec solutions
Individual IPsec components

Site-to-Site VPN Components (Cont.)


Two main components:
IPsec
IKE
Two optional components:
Group Policies for Easy VPN server functionality
Public Key Infrastructure for IKE authentication using digital certificates
Individual IPsec components are used to build VPNs.

Launching the Site-to-Site VPN Wizard

Launching the Site-to-Site VPN Wizard

Launching the Site-to-Site VPN Wizard (Cont.)

Quick Setup

Quick Setup (Cont.)

Step-by-Step Setup
Multiple steps are used to configure the VPN connection:
Defining connection settings: outside interface, peer address, authentication credentials
Defining IKE proposals: priority, encryption algorithm, HMAC, authentication type, Diffie-Hellman group, lifetime
Defining IPsec transform sets: encryption algorithm, HMAC, mode of operation, compression
Defining traffic to protect: single source and destination subnets, or an ACL
Reviewing and completing the configuration

Connection Settings

Connection Settings
IKE Proposals

IKE Proposals

Transform Set

Transform Set

Defining What Traffic to Protect

Option 1: Single Source and Destination Subnet

Option 2: Using an ACL

Option 2: Using an ACL (Cont.)

Option 2: Using an ACL (Cont.)

Completing the Configuration

Review the Generated Configuration

Review the Generated Configuration (Cont.)

Test Tunnel Configuration and Operation

Monitor Tunnel Operation
