Tuesday, June 9, 2015

IPSec-Part1

IPSEC is a suite of protocols that secures traffic on the data plane by authenticating and encrypting IP packets: IKE/ISAKMP negotiates the keys, and ESP (or AH) carries the protected packets.


IPSec tunnel setup happens in two phases.

PHASE 1 --> negotiates the parameters for a secure channel (the ISAKMP/IKE SA) that protects the PHASE 2 exchange
PHASE 2 --> negotiates the IPSec SAs (one per direction) that actually carry the data

PHASE 1 ISAKMP Configuration:
Create an ISAKMP policy, which defines the following parameters:

  • authentication (pre-shared key or certificates)
  • encryption
  • hash
  • DH group

The two routers must have a policy in common to establish the tunnel: authentication, encryption, hash and DH group must all be identical (the lifetime may differ; the shorter one is used).
Policies are tried in order of their number, and the policy with the lower number has the higher priority.

Define ISAKMP policy


First define a pre-shared key for authenticating the peer. The 0 means the key is typed in cleartext; it will also show up as cleartext in the running configuration unless type-6 password encryption is enabled.

R2(config)#crypto isakmp key 0 APPLE address 10.1.34.4

If the IP address of the other end is not known in advance (a peer with a dynamic address), a wildcard entry can be used; you will also see it written with an explicit mask as address 0.0.0.0 0.0.0.0:
R2(config)#crypto isakmp key 0 APPLE address 0.0.0.0

Any peer that wants to establish an IPsec tunnel with R2 can then authenticate with APPLE as the pre-shared key. This is weaker than a per-peer key, since one shared secret is all that separates any host that can reach R2 from a tunnel to it; use per-peer keys (or certificates) wherever the peer address is fixed.

R2(config)#crypto isakmp policy 30
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#hash md5
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#group 20

The hash and cipher used here (MD5, 3DES) are what the lab image offered; both are legacy algorithms. On a current image prefer hash sha256, encryption aes 256 and a DH group of 14 or higher (group 20, as configured here, is fine).

Phase 1 negotiation fails if the pre-shared keys differ or if the peers have no policy on which authentication, encryption, hash and DH group all match.
Once phase 1 has completed successfully, the state for the peer is QM_IDLE.
The MM_* (main mode) and AG_* (aggressive mode) states mean the exchange is still in progress or stuck at that message; a peer that never reaches QM_IDLE has failed phase 1.
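The negotiation rules just described, as an added example that is not code from the original post: a small Python checker that parses two routers' ISAKMP policies and pre-shared keys (R2's lines from above, plus a constructed R4 that has a stronger policy 10 ahead of the matching policy 30 and a shorter lifetime), replays the responder's policy selection and the key lookup, and flags the legacy algorithms. R2's address 10.1.23.2 is taken from the show output later on this page; the WEAK list and the IOS defaults for attributes a policy leaves unset are this editor's assumptions.

```python
import ipaddress
import re

# Defaults IOS applies to attributes a policy leaves unset; WEAK is this reviewer's own flag list (assumption)
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def parse_phase1(text):
    """ISAKMP policies (priority -> attributes) and PSK entries from a running-config excerpt."""
    policies, keys, cur = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := re.fullmatch(r"crypto isakmp policy (\d+)", line.strip()):
            cur = policies.setdefault(int(m[1]), dict(DEFAULTS))
        elif m := re.fullmatch(r"crypto isakmp key \d+ (\S+) address (\S+)(?: (\S+))?", line.strip()):
            keys.append((m[2], m[3] or "255.255.255.255", m[1]))   # (peer, subnet mask, key); no mask = one host
            cur = None
        elif line.startswith(" ") and cur is not None and line.split()[0] in DEFAULTS:
            k, v = line.split(None, 1)          # policy sub-command: "hash md5", "encryption aes 256", "group 20"
            cur[k] = v
        elif not line.startswith(" "):
            cur = None                          # any other top-level command ends the policy block
    return {"policies": policies, "keys": keys}

def psk_for(cfg, peer):
    """Key IOS presents to `peer`: the most specific matching 'address' entry wins."""
    p, best = int(ipaddress.IPv4Address(peer)), None
    for addr, mask, key in cfg["keys"]:
        a, m = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))
        if a == 0 and m == 0xFFFFFFFF:
            m = 0                               # bare 'address 0.0.0.0' taken as the wildcard form the post uses
        if p & m == a & m and (best is None or m > best[0]):
            best = (m, key)
    return best[1] if best else None

def negotiate_phase1(initiator, responder):
    """Responder tries its own policies lowest number (highest priority) first and accepts the
    first one the initiator also offers: same authentication, encryption, hash and DH group;
    the lifetime becomes the shorter of the two. Returns (responder_prio, initiator_prio, attrs)
    or None. IOS's implicit default policies are ignored here."""
    attrs = ("authentication", "encryption", "hash", "group")
    for rp, rpol in sorted(responder["policies"].items()):
        for ip, ipol in sorted(initiator["policies"].items()):
            if all(rpol[k] == ipol[k] for k in attrs):
                return rp, ip, {**{k: rpol[k] for k in attrs},
                                "lifetime": min(int(rpol["lifetime"]), int(ipol["lifetime"]))}
    return None

def check_phase1(init_text, init_addr, resp_text, resp_addr):
    """Would phase 1 between these two configs succeed, and on what terms?"""
    init, resp = parse_phase1(init_text), parse_phase1(resp_text)
    agreed = negotiate_phase1(init, resp)
    k_i, k_r = psk_for(init, resp_addr), psk_for(resp, init_addr)
    return {"policy": agreed,
            "psk_match": k_i is not None and k_i == k_r,
            "weak": [f"{k} {v}" for k, v in (agreed[2] if agreed else {}).items() if v in WEAK.get(k, ())]}

# Constructed running-config excerpts: R2 exactly as in the post, R4 with a stronger policy 10 on top
R2_CFG = """crypto isakmp policy 30
 authentication pre-share
 hash md5
 encryption 3des
 group 20
crypto isakmp key 0 APPLE address 10.1.34.4
"""
R4_CFG = """crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha256
 group 20
crypto isakmp policy 30
 authentication pre-share
 hash md5
 encryption 3des
 group 20
 lifetime 3600
crypto isakmp key 0 APPLE address 10.1.23.2
"""

if __name__ == "__main__":
    print(check_phase1(R2_CFG, "10.1.23.2", R4_CFG, "10.1.34.4"))
```

Run as-is it reports that R4 skips its own policy 10 (R2 never offers AES/SHA-256), settles on 30 with the 3600-second lifetime, finds matching keys, and flags 3DES and MD5. Change one attribute on either side and the policy result becomes None, which is exactly the "stuck in MM_NO_STATE" symptom.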

The following show command verifies the phase 1 result:

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
4.4.4.4         2.2.2.2         QM_IDLE           1003 ACTIVE
 
Phase 1 negotiation happens in one of two modes:

Main Mode: six messages; the peer identities are exchanged only after the DH exchange, so they travel encrypted. This is the IOS default with pre-shared keys.

Aggressive Mode: three messages; the identities and the PSK-based authentication hash go in the clear, which is faster but exposes that hash to an offline dictionary attack on the pre-shared key.

Phase 2 IPSEC Configuration:

Phase 2 (quick mode) starts once phase 1 has completed and the ISAKMP SA protects the exchange.
In phase 2 the routers agree on the transform set and the traffic to protect, derive the session keys for it (from the phase 1 keying material, or from a fresh DH exchange if PFS is enabled) and install a pair of IPsec SAs, one inbound and one outbound.

For phase 2 configuration, we need to set up the following:

  • Create an extended access-list to match the interesting traffic. The IPsec tunnel is set up when traffic matching the ACL is seen; the peer's ACL must be the mirror image (source and destination swapped).
  • Create an IPsec transform set: this defines the encryption and hashing methods to be used.
  • Create a crypto map: this ties together the access-list, the transform set and the peer to which the tunnel must be established.
  • Apply the crypto map to the interface facing the peer. It is evaluated for traffic leaving through that interface, and the matching ESP packets coming back are decrypted there.


Create the extended access-list:

R2(config)#ip access-list extended 111
R2(config-ext-nacl)#permit ip 1.1.1.1 0.0.0.0 5.5.5.5 0.0.0.0
 
Create the IPsec transform set:

R2(config)#crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
 

esp-3des --> encryption (3DES inside ESP; a legacy cipher, esp-aes 256 is the current choice)
esp-sha-hmac --> integrity (HMAC-SHA-1)

Create the crypto map, connecting the peer, the transform set and the ACL:


R2(config)#crypto map MAP9 90 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set peer 10.1.34.4
R2(config-crypto-map)#match address 111
R2(config-crypto-map)#set transform-set 3DES-SHA

 
Apply the crypto map to an interface

R2(config)#int s1/0
R2(config-if)#crypto map MAP9
 
A ping from R1 to R5 between their physical interface addresses will not bring the IPsec tunnel up, because the ACL does not match that traffic.
A ping from the loopback of R1 (1.1.1.1) to the loopback of R5 (5.5.5.5) does match ACL 111 and triggers the IPsec negotiation.

Because only the traffic that matches the ACL is encrypted and everything else is forwarded in the clear, this way of setting up an IPsec tunnel is called a policy-based IPsec VPN.
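The phase 2 checks behind the four steps above, as an added example that is not code from the original post: a Python script that parses the transform sets, crypto ACLs and crypto maps of both ends (R2's lines from above, plus a constructed R4 that offers an AES set ahead of the shared 3DES set and writes its ACL in host form), decides whether a given packet is "interesting" under wildcard-mask rules, and checks that the two crypto ACLs mirror each other and that a transform set is common. The addresses 10.1.23.2/10.1.34.4 and the physical-interface addresses in the usage line are assumptions, as is the WEAK_TRANSFORMS list.

```python
import ipaddress
import re

WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}   # reviewer's own list (assumption)

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _spec(toks):
    """One ACL address spec -> ((address, wildcard mask), tokens consumed); 'host X' == 'X 0.0.0.0'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), 1
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), 2
    return (toks[0], toks[1]), 2

def parse_phase2(text):
    """Transform sets, extended ACLs (as (src, dst) spec pairs) and crypto map entries."""
    cfg, mode, cur = {"transforms": {}, "acls": {}, "maps": []}, None, None
    for raw in text.splitlines():
        line, top = raw.strip(), not raw.startswith(" ")
        if not line or line.startswith("!"):
            continue
        if top and (m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line)):
            cfg["transforms"][m[1]] = frozenset(m[2].split())
            mode = None
        elif top and (m := re.fullmatch(r"ip access-list extended (\S+)", line)):
            mode, cur = "acl", cfg["acls"].setdefault(m[1], [])
        elif top and (m := re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp", line)):
            mode, cur = "map", {"name": m[1], "seq": int(m[2])}
            cfg["maps"].append(cur)
        elif top:
            mode = None                         # any other top-level command ends the block
        elif mode == "acl" and line.startswith("permit ip "):
            toks = line.split()[2:]
            src, n = _spec(toks)
            cur.append((src, _spec(toks[n:])[0]))
        elif mode == "map" and line.startswith(("set ", "match ")):
            toks = line.split()                 # set peer X | match address ACL | set transform-set A [B ...]
            cur[toks[1]] = toks[2:] if toks[1] == "transform-set" else toks[2]
    return cfg

def is_interesting(acl, src, dst):
    """Would a src->dst packet match the crypto ACL (and so trigger, or ride, the tunnel)?"""
    def hit(spec, ip):
        addr, wc = _ip(spec[0]), _ip(spec[1])
        return _ip(ip) & ~wc == addr & ~wc    # wildcard bits are don't-care
    return any(hit(s, src) and hit(d, dst) for s, d in acl)

def map_for_peer(cfg, peer):
    """Lowest (name, seq) crypto map entry whose 'set peer' is `peer`."""
    entries = sorted(cfg["maps"], key=lambda e: (e["name"], e["seq"]))
    return next((e for e in entries if e.get("peer") == peer), None)

def check_phase2(a_text, a_addr, b_text, b_addr):
    """What quick mode between a and b needs: a transform set in common and mirrored proxy identities."""
    a, b = parse_phase2(a_text), parse_phase2(b_text)
    ma, mb = map_for_peer(a, b_addr), map_for_peer(b, a_addr)
    if not (ma and mb):
        return {"maps_found": False}
    common = {a["transforms"][n] for n in ma["transform-set"]} & {b["transforms"][n] for n in mb["transform-set"]}
    acl_a, acl_b = a["acls"].get(ma["address"], []), b["acls"].get(mb["address"], [])
    return {"maps_found": True,
            "common_transforms": sorted(" ".join(sorted(t)) for t in common),
            # b's ACL must be a's with source and destination swapped, or the proxy IDs will not match
            "acl_mirrored": set(acl_a) == {(d, s) for s, d in acl_b},
            "weak": sorted(t for ts in common for t in ts if t in WEAK_TRANSFORMS)}

# Constructed excerpts: R2 as in the post, R4 as the mirror image with an extra AES transform set offered first
R2_CFG = """crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
ip access-list extended 111
 permit ip 1.1.1.1 0.0.0.0 5.5.5.5 0.0.0.0
crypto map MAP9 90 ipsec-isakmp
 set peer 10.1.34.4
 match address 111
 set transform-set 3DES-SHA
"""
R4_CFG = """crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA256 esp-aes 256 esp-sha256-hmac
ip access-list extended 111
 permit ip host 5.5.5.5 host 1.1.1.1
crypto map MAP2 20 ipsec-isakmp
 set peer 10.1.23.2
 match address 111
 set transform-set AES-SHA256 3DES-SHA
"""

if __name__ == "__main__":
    print(check_phase2(R2_CFG, "10.1.23.2", R4_CFG, "10.1.34.4"))
    acl = parse_phase2(R2_CFG)["acls"]["111"]
    print("loopback to loopback:", is_interesting(acl, "1.1.1.1", "5.5.5.5"))
    print("physical to physical (assumed 10.1.12.1 -> 10.1.45.5):", is_interesting(acl, "10.1.12.1", "10.1.45.5"))
```

The two ACL spellings (1.1.1.1 0.0.0.0 on R2, host 1.1.1.1 on R4) normalise to the same proxy identity, which is why the mirror check passes; widen R4's entry to a /24 and it fails, the same mismatch that shows up on the router as a phase 2 proxy-identity error.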

Some show commands to verify the IPsec tunnel creation. Note that the output below was captured on R4, whose own crypto map is named MAP2 and whose transform set is esp-3des esp-md5-hmac, a different lab run from the R2 configuration above (which used esp-sha-hmac); the transform set must match on both peers or phase 2 fails. PFS (Y/N): N means no fresh DH exchange is done in phase 2; set pfs in the crypto map turns it on.

R4#sh crypto isakmp sa    --> phase 1 negotiation result
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.34.4      10.1.23.2       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R4#sh crypto ipsec sa    --> phase 2 negotiation result (one entry per protected flow, each with an inbound and an outbound ESP SA)

interface: Serial1/0
    Crypto map tag: MAP2, local addr 10.1.34.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 10.1.23.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4  --> these counters must keep increasing while traffic flows; if encaps grows but decaps does not, the peer is not sending back through the tunnel (check its ACL and routing)
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.34.4, remote crypto endpt.: 10.1.23.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
     current outbound spi: 0x10E1542D(283202605)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x396B966C(963352172)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: MAP2
        sa timing: remaining key lifetime (k/sec): (4259623/3582)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x10E1542D(283202605)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: MAP2
        sa timing: remaining key lifetime (k/sec): (4259623/3582)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
R4#
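Checking those two outputs the way a practitioner does, as an added example that is not code from the original post: parse show crypto isakmp sa for the peer's phase 1 state (only QM_IDLE counts), and compare two snapshots of show crypto ipsec sa taken a few seconds apart while traffic flows, to confirm the encaps and decaps counters both move, that both ESP SAs are ACTIVE, and to flag legacy transforms and missing PFS. The outputs are constructed and abbreviated to the fields used, in the layout shown above; the second ISAKMP peer 10.1.23.9 stuck in MM_NO_STATE and the WEAK_TRANSFORMS list are assumptions.

```python
import re

WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}   # reviewer's own list (assumption)

# Constructed 'show crypto isakmp sa' output: one peer finished, one still in main mode
ISAKMP_SA = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.34.4      10.1.23.2       QM_IDLE           1001 ACTIVE
10.1.34.4      10.1.23.9       MM_NO_STATE       1002 ACTIVE

IPv6 Crypto ISAKMP SA
"""

def ipsec_sample(encaps, decaps):
    """Constructed, abbreviated 'show crypto ipsec sa' in the layout shown above (esp-md5-hmac, no PFS)."""
    return f"""interface: Serial1/0
    Crypto map tag: MAP2, local addr 10.1.34.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (5.5.5.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 10.1.23.2 port 500
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
    #send errors 0, #recv errors 0
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x396B966C(963352172)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     outbound esp sas:
      spi: 0x10E1542D(283202605)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE(ACTIVE)

     outbound ah sas:
"""

def phase1_state(text, peer):
    """(state, status) of the ISAKMP SA with `peer`, or None. Only QM_IDLE means phase 1 is complete;
    MM_*/AG_* states are main/aggressive mode still in progress (or stuck at that message)."""
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s+\d+\s+(\S+)", line)
        if m and peer in (m[1], m[2]):
            return m[3], m[4]
    return None

def _esp(body):
    """spi/transform/status of one 'esp sas:' block; empty dict when no SA is installed."""
    spi = re.search(r"spi: (0x[0-9A-Fa-f]+)", body)
    if not spi:
        return {}
    return {"spi": spi[1],
            "transform": re.search(r"transform: (.*?) ,", body)[1].split(),
            "status": re.search(r"Status: (\S+)", body)[1]}

def parse_ipsec_sa(text):
    """One record per protected flow, keyed by (local ident, remote ident)."""
    flows = {}
    for chunk in re.split(r"\n\s*protected vrf:", text)[1:]:
        def field(pat, cast=str):
            return cast(re.search(pat, chunk)[1])
        key = (field(r"local\s+ident \(addr/mask/prot/port\): \((.*?)\)"),
               field(r"remote ident \(addr/mask/prot/port\): \((.*?)\)"))
        flows[key] = {
            "peer": field(r"current_peer (\S+)"),
            "encaps": field(r"#pkts encaps: (\d+)", int),
            "decaps": field(r"#pkts decaps: (\d+)", int),
            "errors": field(r"#send errors (\d+)", int) + field(r"#recv errors (\d+)", int),
            "pfs": field(r"PFS \(Y/N\): (\w)") == "Y",
            "esp": {d: _esp(re.search(rf"{d} esp sas:(.*?){d} ah sas:", chunk, re.S)[1])
                    for d in ("inbound", "outbound")},
        }
    return flows

def assess(before_text, after_text):
    """Compare two snapshots taken a few seconds apart with traffic flowing in between."""
    before, report = parse_ipsec_sa(before_text), {}
    for key, f in parse_ipsec_sa(after_text).items():
        old, esp = before.get(key), f["esp"]
        report[key] = {
            "encrypting": old is not None and f["encaps"] > old["encaps"],   # we send into the tunnel
            "decrypting": old is not None and f["decaps"] > old["decaps"],   # the peer's traffic arrives
            "both_sas_active": all(esp[d].get("status") == "ACTIVE(ACTIVE)" for d in esp),
            "errors": f["errors"],
            "pfs": f["pfs"],
            "weak": sorted({t for d in esp for t in esp[d].get("transform", []) if t in WEAK_TRANSFORMS}),
        }
    return report

if __name__ == "__main__":
    print("10.1.23.2:", phase1_state(ISAKMP_SA, "10.1.23.2"), " 10.1.23.9:", phase1_state(ISAKMP_SA, "10.1.23.9"))
    for key, r in assess(ipsec_sample(4, 4), ipsec_sample(9, 9)).items():
        print(key, r)
```

In practice the two snapshots come from running the show command twice around a ping that matches the crypto ACL; a flow whose encaps grows while decaps stays flat is the classic one-way case (the peer's ACL or return route is wrong), and a flow where neither moves means the ping is not interesting traffic at all.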
 


If we want to build the tunnel between the loopback interfaces rather than the physical interface addresses:

Change the pre-shared key's address association to the peer's loopback address.
Change the peer address in the crypto map, and tell the map to source the tunnel from the loopback with the following command (the loopback must be reachable from the peer; the first sh crypto isakmp sa output above, with 2.2.2.2 and 4.4.4.4 as the endpoints, is from this setup):

R4(config)#crypto map MAP9 local-address loopback 0

 
Misc:
