Saturday, 21 August 2010

Site-to-Site IPsec VPN Configuration Example

Site-to-Site IPsec VPN Configuration:

Topology (as implied by the routes and crypto commands below): WKS-1 is on 10.10.10.0/24 behind CE1. CE1's WAN address is 172.16.1.2 on the 172.16.1.0/30 link to PE1 (172.16.1.1). PE1 (192.168.1.1) and PE2 (192.168.1.2) are joined by the 192.168.1.0 link, and PE2 (172.16.2.1) connects to CE2 (172.16.2.2) over 172.16.2.0/30, with WKS-2 on the LAN behind CE2. The loopbacks 1.1.1.1, 2.2.2.2, 3.3.3.3 and 4.4.4.4 belong to PE1, PE2, CE1 and CE2 respectively. The IPsec tunnel is built between the CE routers' WAN addresses, 172.16.1.2 and 172.16.2.2; PE1 and PE2 carry no crypto configuration and only need routes so that IKE (UDP 500) and ESP between those two addresses can be forwarded.
Router PE1:
PE1(config)#ip route 172.16.2.0 255.255.255.252 192.168.1.2
PE1(config)#ip route 2.2.2.2 255.255.255.255 192.168.1.2
PE1(config)#ip route 4.4.4.4 255.255.255.255 192.168.1.2
PE1(config)#ip route 3.3.3.3 255.255.255.255 172.16.1.2

Router PE2:
PE2(config)#ip route 172.16.1.0 255.255.255.252 192.168.1.1
PE2(config)#ip route 1.1.1.1 255.255.255.255 192.168.1.1
PE2(config)#ip route 3.3.3.3 255.255.255.255 192.168.1.1
PE2(config)#ip route 4.4.4.4 255.255.255.255 172.16.2.2

Router CE1:
CE1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1

Step 1 :

CE1(config)# crypto isakmp policy 10
CE1(config-isakmp)# encryption 3des
CE1(config-isakmp)# group 2
CE1(config-isakmp)# hash sha
CE1(config-isakmp)# authentication pre-share
CE1(config-isakmp)# lifetime 3600
CE1(config-isakmp)# exit

CE1(config)# crypto isakmp key hadi address 172.16.2.2

The key hadi is a lab placeholder. In production use a long random pre-shared key, and bind it to the exact address the peer negotiates from (172.16.2.2 here, which is also the crypto map's set peer address). The policy above (3DES, SHA-1, DH group 2) is what this 2010 example uses; all three are now considered legacy, and where both peers support it AES, SHA-2 and DH group 14 or higher should be chosen instead.

Step 2 :

CE1(config)# crypto ipsec transform-set CE2 esp-3des esp-sha-hmac
CE1(cfg-crypto-trans)# mode tunnel
CE1(cfg-crypto-trans)# exit

CE1(config)# crypto ipsec security-association lifetime seconds 1200

Step 3 :

CE1(config)# ip access-list extended control
CE1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
CE1(config-ext-nacl)# exit

Step 4 :

CE1(config)# crypto map vpn70 10 ipsec-isakmp
CE1(config-crypto-map)# set peer 172.16.2.2
CE1(config-crypto-map)# set transform-set CE2
CE1(config-crypto-map)# match address control
CE1(config-crypto-map)# exit

Step 5 :

CE1(config)# interface fastethernet 0/0
CE1(config-if)# crypto map vpn70
CE1(config-if)# exit

Step 6 :

Step 6, the interface ACL, is skipped in this example. If an inbound access list is applied to fastethernet 0/0, it must permit ISAKMP (UDP 500), ESP (IP protocol 50) and, when NAT traversal is in use, UDP 4500 between 172.16.1.2 and 172.16.2.2, or IKE will never complete.

Router CE2:

CE2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.1

Step 1 :

CE2(config)# crypto isakmp policy 10
CE2(config-isakmp)# encryption 3des
CE2(config-isakmp)# group 2
CE2(config-isakmp)# hash sha
CE2(config-isakmp)# authentication pre-share
CE2(config-isakmp)# lifetime 3600
CE2(config-isakmp)# exit

CE2(config)# crypto isakmp key hadi address 172.16.1.2

Step 2 :

CE2(config)# crypto ipsec transform-set CE1 esp-3des esp-sha-hmac
CE2(cfg-crypto-trans)# mode tunnel
CE2(cfg-crypto-trans)# exit
CE2(config)# crypto ipsec security-association lifetime seconds 1200

Step 3 :

CE2(config)# ip access-list extended controlA
CE2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
CE2(config-ext-nacl)# exit

Note the mismatch: this entry must be the exact mirror of CE1's control ACL, which names 10.20.20.0/24 (not 20.20.20.0/24) as the network behind CE2. As written the two crypto ACLs describe different traffic, so IKE phase 2 fails on the proxy identities; whichever prefix WKS-2 actually sits on, use the same prefix in both entries.

Step 4 :

CE2(config)# crypto map vpn90 10 ipsec-isakmp
CE2(config-crypto-map)# set peer 172.16.1.2
CE2(config-crypto-map)# set transform-set CE1
CE2(config-crypto-map)# match address controlA
CE2(config-crypto-map)# exit

Step 5 :

CE2(config)# interface fastethernet 0/0
CE2(config-if)# crypto map vpn90
CE2(config-if)# exit

Step 6 :

Step 6 is skipped on CE2 as well. The same requirement applies if an inbound access list is placed on its fastethernet 0/0: permit UDP 500, ESP and, with NAT traversal, UDP 4500 from 172.16.1.2.

Verify the VPN Service :

To verify the VPN service, use the following commands on CE1 or CE2:

show crypto isakmp sa      (the phase 1 SA should be in state QM_IDLE)
show crypto ipsec sa       (#pkts encaps and #pkts decaps should increase as traffic flows)
show crypto session
show crypto map
debug crypto isakmp
debug crypto ipsec

Then ping from WKS-1 to WKS-2 and from WKS-2 to WKS-1. The first ping usually loses a packet or two while IKE negotiates the SAs. If the ISAKMP SA never reaches QM_IDLE, compare the phase 1 policies and the pre-shared key on both routers; if phase 1 completes but no IPsec SA is built, compare the transform sets and check that the two crypto ACLs mirror each other. Use the debug commands only while troubleshooting, as they are verbose on a busy router.
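The commands above have to agree on both peers in a precise way, and the mistakes that keep a tunnel from coming up (a phase 1 parameter that differs, a pre-shared key bound to the wrong address, a transform set or crypto ACL that is not mirrored) are easy to miss by eye. The following Python script is an added example, not part of the original post and not Cisco code; it parses the subset of IOS configuration used above for CE1 and CE2 and reports those mismatches. The interface `ip address` lines are an assumption taken from the routes and the `set peer` addresses, only one isakmp policy per router is modelled (as on this page), and the parser only understands the network/wildcard form of ACL entries used here.

```python
# Added example (not from the page): parse the crypto configuration of two IOS peers and
# report the mismatches that stop a site-to-site tunnel from negotiating.

# IOS defaults for an isakmp policy; parameters not set explicitly take these values.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

def parse_ios(text):
    """Parse the subset of IOS crypto configuration a site-to-site tunnel depends on (one isakmp policy)."""
    cfg = {"policy": dict(ISAKMP_DEFAULTS), "keys": {}, "tsets": {}, "acls": {}, "maps": {}, "ifaces": {}}
    ctx = None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if not raw.startswith(" "):                         # top-level command opens a new context
            ctx = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                ctx = cfg["policy"]
            elif w[:3] == ["crypto", "isakmp", "key"]:      # 'crypto isakmp key K address A'
                cfg["keys"][w[5]] = w[3]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                ctx = cfg["tsets"][w[3]] = {"transforms": frozenset(w[4:]), "mode": "tunnel"}
            elif w[:3] == ["ip", "access-list", "extended"]:
                ctx = cfg["acls"][w[3]] = []
            elif w[:2] == ["crypto", "map"]:               # 'crypto map NAME SEQ ipsec-isakmp'
                ctx = cfg["maps"][(w[2], int(w[3]))] = {}
            elif w[0] == "interface":
                ctx = cfg["ifaces"][w[1]] = {}
        elif isinstance(ctx, list):                         # crypto ACL entry, network/wildcard form only
            ctx.append(tuple(w))                            # (action, proto, src, src-wc, dst, dst-wc)
        elif isinstance(ctx, dict):                         # 'set peer A', 'match address ACL', 'ip address A M',
            key, val = (w[1], w[2]) if w[0] in ("set", "match", "ip", "crypto") else (w[0], w[1])
            ctx[key] = val                                  # 'crypto map NAME', 'encryption 3des', 'mode tunnel'
    return cfg

def tunnel_view(cfg):
    """Resolve what the router will actually use: WAN address, peer, PSK, transform set, crypto ACL."""
    iface = next((i for i in cfg["ifaces"].values() if "map" in i), {})
    entries = [m for (name, _), m in sorted(cfg["maps"].items()) if name == iface.get("map")]
    m = entries[0] if entries else {}
    return {"wan": iface.get("address"), "peer": m.get("peer"), "policy": cfg["policy"],
            "key": cfg["keys"].get(m.get("peer")), "tset": cfg["tsets"].get(m.get("transform-set"), {}),
            "acl": cfg["acls"].get(m.get("address"), [])}

def check_peers(a_text, b_text):
    """Return the mismatches between two peers; an empty list means the tunnel should negotiate."""
    a, b = tunnel_view(parse_ios(a_text)), tunnel_view(parse_ios(b_text))
    found = []
    for p in ("encryption", "hash", "authentication", "group"):   # IKE phase 1 must agree exactly
        if a["policy"][p] != b["policy"][p]:
            found.append(f"isakmp {p} differs: {a['policy'][p]} vs {b['policy'][p]}")
    if a["policy"]["lifetime"] != b["policy"]["lifetime"]:         # not fatal: the shorter one wins
        found.append("note: isakmp lifetimes differ, the shorter is negotiated")
    if a["peer"] != b["wan"] or b["peer"] != a["wan"]:              # each 'set peer' is the other's WAN
        found.append(f"peers not reciprocal: {a['peer']}/{b['wan']} and {b['peer']}/{a['wan']}")
    if not a["key"] or a["key"] != b["key"]:                        # same PSK, bound to the peer address
        found.append("pre-shared key missing for the peer address or different on the two sides")
    if a["tset"] != b["tset"]:                                       # IKE phase 2 proposal must agree
        found.append("transform sets differ")
    mirror = {(act, pr, dst, dwc, src, swc) for act, pr, src, swc, dst, dwc in a["acl"]}
    for e in sorted(mirror ^ set(b["acl"])):                         # crypto ACLs must be exact mirrors
        found.append("crypto ACL entry without a mirror on the other peer: " + " ".join(e))
    return found

def ce_config(wan, peer, tset, acl, cmap, local_lan, remote_lan):
    """Constructed input: the CE1/CE2 commands from the page with the prompts removed. The
    'ip address' line is an assumption taken from the routes and the 'set peer' addresses."""
    return f"""\
crypto isakmp policy 10
 encryption 3des
 group 2
 hash sha
 authentication pre-share
 lifetime 3600
crypto isakmp key hadi address {peer}
crypto ipsec transform-set {tset} esp-3des esp-sha-hmac
ip access-list extended {acl}
 permit ip {local_lan} 0.0.0.255 {remote_lan} 0.0.0.255
crypto map {cmap} 10 ipsec-isakmp
 set peer {peer}
 set transform-set {tset}
 match address {acl}
interface FastEthernet0/0
 ip address {wan} 255.255.255.252
 crypto map {cmap}
"""

CE1_CONFIG = ce_config("172.16.1.2", "172.16.2.2", "CE2", "control", "vpn70", "10.10.10.0", "10.20.20.0")
CE2_CONFIG = ce_config("172.16.2.2", "172.16.1.2", "CE1", "controlA", "vpn90", "20.20.20.0", "10.10.10.0")
# One of the two possible corrections: name the LAN behind CE2 with the same prefix on both sides.
CE2_FIXED = ce_config("172.16.2.2", "172.16.1.2", "CE1", "controlA", "vpn90", "10.20.20.0", "10.10.10.0")

if __name__ == "__main__":
    for label, cfg in (("as on the page", CE2_CONFIG), ("with CE2's ACL corrected", CE2_FIXED)):
        print(f"{label}: {check_peers(CE1_CONFIG, cfg) or 'no mismatches'}")
```

Run against the page's configuration it reports two crypto ACL entries without a mirror, because CE1 names 10.20.20.0/24 and CE2 names 20.20.20.0/24 for the LAN behind CE2; with that prefix made the same on both sides it reports no mismatches. A lifetime difference is reported as a note only, since IKE settles on the shorter lifetime rather than failing.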


Friday, 20 August 2010

Site-to-Site IPSec VPN

The Five Steps in the life of an IPSec VPN are as follows:

Step 1 : Specify Interesting traffic. [An extended access control list (ACL) is used to specify interesting traffic.]

Step 2 : IKE phase 1.
Step 3 : IKE phase 2.
Step 4 : Secure data transfer.
Step 5 : IPsec tunnel termination.

There are five parameters that must be coordinated during IKE phase 1 (the isakmp policy):

i) IKE encryption algorithm (DES, 3DES, or AES)

ii) IKE hash algorithm for integrity (MD5 or SHA-1)

iii) IKE authentication method (pre-shared keys, RSA signatures, or RSA-encrypted nonces)

iv) Diffie-Hellman group (1, 2, or 5)

v) IKE SA lifetime (the peers settle on the shorter of the two configured values)

Five parameters must likewise be agreed during IKE phase 2 (quick mode) between the IPsec peers; on IOS they come from the transform set, the crypto map and the IPsec SA lifetime:

i) IPsec protocol (ESP or AH)

ii) IPsec encryption type (DES, 3DES, or AES)

iii) IPsec authentication (MD5 or SHA-1)

iv) IPsec mode (tunnel or transport)

v) IPsec SA lifetime (seconds or kilobytes)


Site-to-Site IPsec Configuration Steps :

Step 1 : Configure the ISAKMP policy (IKE phase 1).
Step 2 : Configure the IPsec transform sets (IKE phase 2, tunnel termination).
Step 3 : Configure the crypto ACL (interesting traffic, secure data transfer).
Step 4 : Configure the crypto map (IKE phase 2).
Step 5 : Apply the crypto map to interface (IKE phase 2).
Step 6 : Configure the interface ACL.
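Step 1 of the VPN lifecycle and Step 3 of the configuration both come down to how the crypto ACL is evaluated, which the lists above state but do not show. The following Python script is an added example, not from the original post and not Cisco code; it implements Cisco wildcard-mask matching, first-match evaluation of a crypto ACL, and the mirrored inbound check IOS performs, using CE1's control entry from the configuration post plus a constructed deny line (the host/any keywords and the exempted host 10.10.10.250 are additions for illustration).

```python
# Added example (not from the page): how a crypto ACL selects interesting traffic, including
# wildcard-mask matching, first-match order, and the inbound (mirrored) check IOS performs.
import ipaddress

def _addr(tok, i):
    """Consume one extended-ACL address: 'any', 'host A', or 'A WILDCARD'. Returns ((base, wc), next)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_crypto_acl(text):
    """Return [(action, protocol, (src, src_wc), (dst, dst_wc)), ...] in configured order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):
            src, i = _addr(tok, 2)
            dst, _ = _addr(tok, i)
            entries.append((tok[0], tok[1], src, dst))
    return entries

def wildcard_match(addr, spec):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care' about that bit."""
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = 0xFFFFFFFF ^ wildcard
    return int(ipaddress.IPv4Address(addr)) & care == base & care

def outbound_action(acl, src, dst, proto="ip"):
    """First-match lookup for a packet leaving the interface the crypto map is applied to."""
    for action, p, s, d in acl:
        if p in ("ip", proto) and wildcard_match(src, s) and wildcard_match(dst, d):
            return "encrypt" if action == "permit" else "clear"
    return "clear"   # the implicit deny means 'forward unprotected', not 'drop'

def inbound_clear_dropped(acl, src, dst, proto="ip"):
    """IOS checks inbound traffic against the ACL with source and destination swapped; a packet
    that matches a permit entry but arrived unprotected is dropped rather than forwarded."""
    return outbound_action(acl, dst, src, proto) == "encrypt"

# Constructed crypto ACL: CE1's 'control' entry from the page plus one deny line that exempts a host.
CONTROL_ACL = parse_crypto_acl("""
deny   ip host 10.10.10.250 any
permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
""")

if __name__ == "__main__":
    for src, dst in (("10.10.10.5", "10.20.20.7"), ("10.10.10.250", "10.20.20.7"), ("10.10.10.5", "8.8.8.8")):
        print(f"{src} -> {dst}: {outbound_action(CONTROL_ACL, src, dst)}")
    print("clear 10.20.20.7 -> 10.10.10.5 dropped:", inbound_clear_dropped(CONTROL_ACL, "10.20.20.7", "10.10.10.5"))
```

Two points the output makes visible: traffic that matches no permit entry (10.10.10.5 to 8.8.8.8 here) is forwarded in the clear rather than dropped, so a crypto ACL is a selector, not a filter; and because the inbound check is the mirror of the outbound one, an unprotected packet from 10.20.20.7 to 10.10.10.5 is discarded. Cisco also advises against `permit ip any any` in a crypto ACL, since it makes the router try to protect everything leaving the interface, including its own IKE and routing traffic.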

Virtual Private Network (VPN)

Definition :

A VPN is a shared network in which private data is segregated from other traffic so that only the intended recipient has access to it. The term VPN was originally used to describe a secure connection over the Internet; today it is also applied to private carrier networks such as Frame Relay, Asynchronous Transfer Mode (ATM) and Multiprotocol Label Switching (MPLS), which separate customers' traffic but do not by themselves encrypt it.

Put another way, a virtual private network uses a public telecommunication infrastructure, such as the Internet, to give remote offices or individual users secure access to their organization's network.

It does this by encapsulating the data transferred between two or more devices that are not on the same private network, so that the data stays private from other devices on the intervening local or wide area networks.

Types:

VPNs are named after the role they play in a business. There are three categories:

  1. Remote Access VPNs
  2. Site-to-Site VPNs (or intranet VPNs)
  3. Extranet VPNs.

Remote Access VPNs : Allow Remote Users like telecommuters to securely access the corporate network wherever and whenever they need to.

Site-to-Site VPNs : Allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive WAN connections like Frame Relay.

Extranet VPNs : Allow an organization’s suppliers, partners and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.


There are two approaches to building a VPN. The first uses IPsec to provide authentication and encryption between endpoints on an IP network. The second uses a tunneling protocol to establish a tunnel between endpoints; a tunnel is simply a means of encapsulating data or a protocol inside another protocol. None of the four tunneling protocols listed below provides strong encryption on its own: GRE, L2F and L2TP carry no encryption and are normally protected with IPsec, and PPTP's MPPE with MS-CHAPv2 is broken and should not be relied on.

The most common tunneling protocols are:

  1. Layer 2 Forwarding (L2F)
  2. Point-to-Point Tunneling Protocol (PPTP)
  3. Layer 2 Tunneling Protocol (L2TP)
  4. Generic Routing Encapsulation (GRE)

IPSec (Internet Protocol Security) :

IPsec is an industry-standard suite of protocols and algorithms for secure data transmission over an IP network; it operates at layer 3 (the network layer) of the OSI model. IPsec protects only the IP layer and above (the transport layer and user data) and cannot encrypt non-IP traffic directly. To protect non-IP traffic, or multicast traffic such as routing protocol updates, encapsulate it in a GRE tunnel and then protect the GRE tunnel with IPsec.

IPSec Features:

  1. Data Confidentiality
  2. Data Integrity
  3. Data origin authentication
  4. Anti-replay

IPSec Protocols :

The three main protocols that are used by IPSec are as follows:

  1. Internet Key Exchange (IKE)
  2. Encapsulating Security Payload (ESP)
     [ The following encryption methods are available to IPSec ESP:
     • Data Encryption Standard (DES)
     • Triple Data Encryption Standard (3DES)
     • Advanced Encryption Standard (AES) ]
  3. Authentication Header (AH)

Both AH and ESP use a Hash-based Message Authentication Code (HMAC) for authentication and integrity (AH authenticates but does not encrypt; ESP can do both). HMAC hash algorithms in IPsec:

1. Message Digest 5 (MD5) [Input = variable, Output = 128 bits, Used by IPsec = first 96 bits (HMAC-MD5-96, RFC 2403)]

2. Secure Hash Algorithm (SHA-1) [Input = variable, Output = 160 bits, Used by IPsec = first 96 bits (HMAC-SHA-1-96, RFC 2404)]

Both are legacy choices; current IOS releases also offer SHA-2 transforms (for example esp-sha256-hmac), which should be preferred where both peers support them.

IPSec Modes :

  1. Tunnel Mode
  2. Transport Mode

IKE Protocols :

IKE is a hybrid protocol built from:

  1. ISAKMP (Internet Security Association and Key Management Protocol), which defines the message framework and negotiation phases
  2. Oakley (together with SKEME), which supplies the key exchange modes.

IKE Phases :

  1. IKE Phase 1 [Mandatory]
     [ has two modes: (i) Main Mode (ii) Aggressive Mode. Aggressive mode with pre-shared keys sends the identity in the clear and exposes the PSK-derived hash to offline guessing, so main mode is preferred. ]
  2. IKE Phase 1.5 [Optional]
     [ XAUTH user authentication and mode configuration, used for remote-access VPNs ]
  3. IKE Phase 2 [Mandatory]
     [ IKE Quick Mode is used by this phase ]