Network Security 2. Module 4: Configure Site-to-Site VPN Using Pre-Shared Keys


Learning Objectives
4.1 Prepare a Router for Site-to-Site VPN Using Pre-Shared Keys
4.2 Configure a Router for IKE Using Pre-Shared Keys
4.3 Configure a Router with IPSec Using Pre-Shared Keys
4.4 Test and Verify the IPSec Configuration of the Router

Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys
4.1 Prepare a Router for Site-to-Site VPN Using Pre-Shared Keys

IKE Phase 1 Policy Parameters

Parameter               Strong            Stronger
Encryption algorithm    DES               3DES or AES
Hash algorithm          MD5               SHA-1
Authentication method   Pre-shared        RSA encryption, RSA signature
Key exchange            DH Group 1        DH Group 2, DH Group 5
IKE SA lifetime         86,400 seconds    Less than 86,400 seconds

The "Strong" column reflects the era of this module. DES (56-bit keys), MD5 and DH Group 1 (768-bit) are no longer acceptable for new deployments, and 3DES and DH Group 2 are also deprecated; pick the "Stronger" column as a minimum, and prefer AES-256, SHA-2 hashes and DH Group 14 or higher where the IOS release supports them. A shorter IKE SA lifetime limits how long a compromised Phase 1 key can be used.

IPSec Transforms Supported in Cisco IOS Software
Cisco IOS software supports the following IPSec transforms:

RouterA(config)# crypto ipsec transform-set transform-set-name ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP compression using LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

Note that the AH transforms and esp-null authenticate but do not encrypt, and that esp-des and the MD5 HMACs are weak by current standards; for new deployments combine esp-aes with esp-sha-hmac (or stronger) rather than esp-des or esp-3des.

Step 3 Check Current Configuration
[Topology: Site 1 (10.0.1.3) - Router A (172.30.1.2) - Internet - Router B (172.30.2.2) - Site 2 (10.0.2.3)]

router# show running-config
  View router configuration for existing IPSec policies
router# show crypto isakmp policy
  View default and any configured IKE Phase 1 policies

RouterA# show crypto isakmp policy
Default protection suite
  encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
  hash algorithm:         Secure Hash Standard
  authentication method:  Rivest-Shamir-Adleman Signature
  Diffie-Hellman Group:   #1 (768 bit)
  lifetime:               86400 seconds, no volume limit

View Configured Crypto Maps

router# show crypto map
  View any configured crypto maps

RouterA# show crypto map
Crypto Map "mymap" 10 ipsec-isakmp
  Peer = 172.30.2.2
  Extended IP access list 102
    access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
  Current peer: 172.30.2.2
  Security association lifetime: 4608000 kilobytes/3600 seconds
  PFS (Y/N): N
  Transform sets={ mine, }

View Configured Transform Sets

router# show crypto ipsec transform-set
  View any configured transform sets

RouterA# show crypto ipsec transform-set
Transform set mine: { esp-des }
  will negotiate = { Tunnel, },

Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys
4.2 Configure a Router for IKE Using Pre-Shared Keys

Enable or Disable ISAKMP

Create IKE Policy

ISAKMP Policy Negotiation

Configure ISAKMP Identity

Configure Pre-Shared Keys

Verify the ISAKMP Configuration

Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys
4.3 Configure a Router with IPSec Using Pre-Shared Keys

Configure Transform Sets

router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
router(cfg-crypto-trans)#

RouterA(config)# crypto ipsec transform-set MINE esp-des esp-md5-hmac

A transform set is a combination of IPSec transforms that enact a security policy for traffic. Sets are limited to up to one AH and up to two ESP transforms (one ESP cipher and one ESP authentication transform).

Transform Set Negotiation

Router A (Site 1)                               Router B (Site 2)
transform-set 10 esp-3des tunnel                transform-set 40 esp-des tunnel
transform-set 20 esp-des, esp-md5-hmac tunnel   transform-set 50 esp-des, ah-sha-hmac tunnel
transform-set 30 esp-3des, esp-sha-hmac tunnel  transform-set 60 esp-3des, esp-sha-hmac tunnel
                                  Match: set 30 on Router A = set 60 on Router B

Transform sets are negotiated during IKE Phase 2. The initiator offers its sets in the order they are listed in the crypto map entry, and the responder accepts the first offered set that exactly matches one of its own; if no set matches, Phase 2 fails and no IPSec SA is built.

crypto ipsec security-association lifetime Command

router(config)# crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

RouterA(config)# crypto ipsec security-association lifetime seconds 86400

Configures the global IPSec SA lifetime values used when negotiating IPSec security associations. IPSec SA lifetimes are negotiated during IKE Phase 2. You can optionally configure per-crypto-map-entry IPSec SA lifetimes with set security-association lifetime; lifetimes set in a crypto map entry override the global values.

Purpose of Crypto ACLs
[Figure: Router A at Site 1 facing the Internet; outbound traffic matching a permit entry is encrypted, traffic matching a deny entry bypasses IPSec in clear text; inbound traffic is checked the same way.]

Outbound: indicate the data flow to be protected by IPSec (permit = encrypt, deny = bypass in clear text).
Inbound: filter out and discard traffic that should have been protected by IPSec but arrived unprotected.

Extended IP ACLs for Crypto ACLs
[Figure: 10.0.1.0 (Site 1) -> Encrypt -> 10.0.2.0 (Site 2)]

router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

RouterA(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

Defines which IP traffic will be protected by crypto: permit = encrypt, deny = do not encrypt. Note that the example protects only TCP; UDP and ICMP between the two LANs (a ping, for instance) would cross the Internet in clear text. Use permit ip unless restricting the protected flows to specific protocols is intended.

Configure Symmetrical Peer Crypto ACLs
[Topology: Site 1 (10.0.1.3) - Router A E0/1 172.30.1.2 - Internet - Router B E0/1 172.30.2.2 - Site 2 (10.0.2.3)]

RouterA(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
RouterB(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

Mirror-image ACLs must be configured on each peer: the source and destination of each entry on Router A are swapped on Router B.

Purpose of Crypto Maps
Crypto maps pull together the various parts configured for IPSec, including:
- Which traffic should be protected by IPSec, as defined in a crypto ACL
- The peer where IPSec-protected traffic should be sent
- The local address to be used for the IPSec traffic
- Which IPSec type should be applied to this traffic
- Whether SAs are established manually or using IKE
- Other parameters needed to define an IPSec SA

Configure IPSec Crypto Maps

router(config)# crypto map map-name seq-num ipsec-manual
router(config)# crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]

RouterA(config)# crypto map MYMAP 110 ipsec-isakmp

Use a different sequence number for each crypto map entry (each peer or traffic set). Multiple peers can be specified in a single entry for redundancy. Only one crypto map set can be applied per interface.

Example Crypto Map Commands
[Topology: Site 1 (10.0.1.3) - Router A - Internet - Router B 172.30.2.2 (Site 2, 10.0.2.3) and Router C 172.30.3.2]

RouterA(config)# crypto map MYMAP 110 ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer 172.30.2.2
RouterA(config-crypto-map)# set peer 172.30.3.2
RouterA(config-crypto-map)# set pfs group1
RouterA(config-crypto-map)# set transform-set MINE
RouterA(config-crypto-map)# set security-association lifetime seconds 86400

Multiple peers can be specified for redundancy; the router tries them in the order listed.

Applying Crypto Maps to Interfaces
[Topology: Site 1 (10.0.1.3) - Router A E0/1 172.30.1.2 (MYMAP) - Internet - Router B E0/1 172.30.2.2 - Site 2 (10.0.2.3)]

router(config-if)# crypto map map-name

RouterA(config)# interface ethernet0/1
RouterA(config-if)# crypto map MYMAP

Apply the crypto map to the outgoing (Internet-facing) interface. This activates the IPSec policy; until the map is applied, none of the ISAKMP or IPSec configuration has any effect on traffic.
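The steps of 4.2 (ISAKMP policy, identity, pre-shared key) and 4.3 (transform set, SA lifetime, crypto ACL, crypto map, interface) are shown below as one complete, mirrored configuration for Router A and Router B. This is an added example, not configuration from the module; it uses the module's names (MINE, MYMAP, ACLs 110 and 101, peers 172.30.1.2 and 172.30.2.2, LANs 10.0.1.0/24 and 10.0.2.0/24) and the "Stronger" column of the Phase 1 parameter table. Assumptions: a Cisco IOS release that accepts these keywords, Ethernet0/1 already addressed on both routers, and a placeholder key string that must be replaced by a long random secret shared only between these two peers. IOS does not allow comments after a command on the same line, so every comment is on its own "!" line.

```cisco
! ===== Router A (Site 1, LAN 10.0.1.0/24, outside Ethernet0/1 = 172.30.1.2) =====
! --- 4.2 IKE Phase 1 ---
! ISAKMP is enabled by default; shown explicitly to match the module's step list
crypto isakmp enable
! peers are identified by IP address, which matches the "address" form of the key below
crypto isakmp identity address
crypto isakmp policy 110
 encryption aes
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
! "Stronger" column values above; on current IOS prefer "encryption aes 256",
! "hash sha256" and "group 14" (keywords assumed available, not taken from the module)
! placeholder key: replace with a long random secret, one per peer pair
crypto isakmp key ChangeMe-Use-A-Long-Random-Secret address 172.30.2.2
!
! --- 4.3 IPSec Phase 2 ---
crypto ipsec transform-set MINE esp-aes esp-sha-hmac
 mode tunnel
! global SA lifetime; also set per map entry below (map entry wins)
crypto ipsec security-association lifetime seconds 3600
! crypto ACL uses "ip", not "tcp", so UDP and ICMP between the LANs are protected too
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
crypto map MYMAP 110 ipsec-isakmp
 match address 110
 set peer 172.30.2.2
 set transform-set MINE
! PFS forces a fresh DH exchange on every Phase 2 rekey; group1 (as on the slide) is too weak
 set pfs group5
 set security-association lifetime seconds 3600
interface Ethernet0/1
 crypto map MYMAP
!
! ===== Router B (Site 2, LAN 10.0.2.0/24, outside Ethernet0/1 = 172.30.2.2) =====
! identical policy, transform set and lifetimes; peer, key address and ACL are mirrored
crypto isakmp enable
crypto isakmp identity address
crypto isakmp policy 110
 encryption aes
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key ChangeMe-Use-A-Long-Random-Secret address 172.30.1.2
crypto ipsec transform-set MINE esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
! mirror image of ACL 110 on Router A: source and destination swapped
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto map MYMAP 110 ipsec-isakmp
 match address 101
 set peer 172.30.1.2
 set transform-set MINE
 set pfs group5
 set security-association lifetime seconds 3600
interface Ethernet0/1
 crypto map MYMAP
!
! ===== Verify (after sending interesting traffic, e.g. ping 10.0.2.3 from 10.0.1.3) =====
! show crypto isakmp sa    -> a peer entry in state QM_IDLE means Phase 1 completed
! show crypto ipsec sa     -> #pkts encaps/decaps increase, #send errors / #recv errors stay 0
! show crypto map          -> confirms MYMAP is attached to Ethernet0/1 with the expected ACL and peer
```

Both sides must agree on every Phase 1 attribute (cipher, hash, authentication method, DH group) and on at least one transform set; the lifetimes need not match, since the shorter value is negotiated. If the key strings differ, Phase 1 fails after the identity exchange and the %CRYPTO-6-IKMP_SA_NOT_AUTH message described later in this module appears in the log.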

Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys
4.4 Test and Verify the IPSec Configuration of the Router

Test and Verify IPSec
- Display the configured ISAKMP policies: show crypto isakmp policy
- Display the configured transform sets: show crypto ipsec transform-set
- Display the current state of the IPSec SAs: show crypto ipsec sa

Test and Verify IPSec (Cont.)
- Display the configured crypto maps: show crypto map
- Enable debug output for IPSec events: debug crypto ipsec
- Enable debug output for ISAKMP events: debug crypto isakmp

show crypto isakmp policy Command

router# show crypto isakmp policy

RouterA# show crypto isakmp policy
Protection suite of priority 110
  encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
  hash algorithm:         Message Digest 5
  authentication method:  Rivest-Shamir-Adleman Encryption
  Diffie-Hellman group:   #1 (768 bit)
  lifetime:               86400 seconds, no volume limit
Default protection suite
  encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
  hash algorithm:         Secure Hash Standard
  authentication method:  Rivest-Shamir-Adleman Signature
  Diffie-Hellman group:   #1 (768 bit)
  lifetime:               86400 seconds, no volume limit

show crypto ipsec transform-set Command

router# show crypto ipsec transform-set

RouterA# show crypto ipsec transform-set
Transform set MINE: { esp-des esp-md5-hmac }
  will negotiate = { Tunnel, },

View the currently defined transform sets.

show crypto ipsec sa Command

router# show crypto ipsec sa

RouterA# show crypto ipsec sa
interface: Ethernet0/1
  Crypto map tag: MYMAP, local addr. 172.30.1.2
  local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
  current_peer: 172.30.2.2
  PERMIT, flags={origin_is_acl,}
  #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
  #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
  #send errors 0, #recv errors 0
  local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
  path mtu 1500, media mtu 1500
  current outbound spi: 8AE1C9C

The encaps/decaps counters are the quickest health check: encaps rising with decaps stuck at zero means the peer is not sending protected traffic back (asymmetric ACLs, routing, or a filter in the path), and non-zero send or receive errors point at a Phase 2 mismatch.

show crypto map Command

router# show crypto map

RouterA# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
  Peer = 172.30.2.2
  Extended IP access list 102
    access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
  Current peer: 172.30.2.2
  Security association lifetime: 4608000 kilobytes/3600 seconds
  PFS (Y/N): N
  Transform sets={ MINE, }

View the currently configured crypto maps.

debug crypto Commands

router# debug crypto ipsec
  Displays debug messages about all IPSec actions
router# debug crypto isakmp
  Displays debug messages about all ISAKMP actions

Crypto System Error Messages for ISAKMP

%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated!
  The ISAKMP SA with the remote peer was not authenticated (for pre-shared keys, typically a key mismatch between the peers).

%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed
  The ISAKMP peers failed protection suite negotiation: no Phase 1 policy on the responder matched the attributes the initiator offered.