A site-to-site virtual secret network (Vpn) allows you to voice a derive "always-on" association in the middle of two physically cut off sites using an existing non-secure network such as the collective Internet. Traffic in the middle of the two sites is transmitted over an encrypted tunnel to prevent snooping or other types of data attacks.
This configuration requires an Ios software image that supports cryptography. The one used in the examples is c870-advipservicesk9-mz.124-15.T6.bin.
Cisco Router
There are several protocols used in creating the Vpn along with protocols used for a key replacement in the middle of the peers, those used to encrypt the tunnel, and hashing technologies which furnish message digests.
Vpn Protocols
Ipsec: Internet Protocol security (Ipsec) is a suite of protocols that are used to derive Ip communications. Ipsec involves both key exchanges and tunnel encryption. You can think of Ipsec as a framework for implementing security. When creating an Ipsec Vpn, you can select from a variety of security technologies to implement the tunnel.
Isakmp (Ike): Internet security association and Key supervision Protocol (Isakmp) provides a means for authenticating the peers in a derive communication. It typically uses Internet Key replacement (Ike), but other technologies can also be used. collective keys or a pre-shared key are used to authenticate the parties to the communication.
Md5: Message-Digest algorithm 5 (Md5) is an often used, but partially insecure cryptographic hash function with a 128-bit hash value. A cryptographic hash function is a way of taking an arbitrary block of data and returning a fixed-size bit string, the hash value based on the original block of data. The hashing process is designed so that a change to the data will also change the hash value. The hash value is also called the message digest.
Sha: derive Hash Algorithm (Sha) is a set of cryptographic hash functions designed by the National security agency (Nsa). The three Sha algorithms are structured differently and are remarkable as Sha-0,Sha-1, and Sha-2. Sha-1 is a commonly used hashing algorithm with a proper key length of 160 bits.
Esp: Encapsulating security Payload (Esp) is a member of the Ipsec protocol suite that provides origin authenticity, integrity, and confidentiality security of packets. Esp also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure. Unlike the other Ipsec protocol, Authentication Header (Ah), Esp does not protect the Ip packet header. This divergence makes Esp preferred for use in a Network Address Translation configuration. Esp operates directly on top of Ip, using Ip protocol whole 50.
Des: The Data Encryption proper (Des) provides 56-bit encryption. It is no longer thought about a derive protocol because its short key-length makes it vulnerable to brute-force attacks.
3Des: Three Des was designed to overcome the limitations and weaknesses of Des by using three distinct 56-bit keys in a encrypting, decrypting, and re-encrypting operation. 3Des keys are 168 bits in length. When using 3Des, the data is first encrypted with one 56-bit key, then decrypted with a distinct 56-bit key, the yield of which is then re-encrypted with a third 56-bit key.
Aes: The industrialized Encryption proper (Aes) was designed as a replacement for Des and 3Des. It is available in varying key lengths and is commonly thought about to be about six times faster than 3Des.
Hmac: The Hashing Message Authentication Code (Hmac) is a type of message authentication code (Mac). Hmac is calculated using a exact algorithm intriguing a cryptographic hash function in mixture with a secret key.
Configuring a Site-to-Site Vpn
The process of configuring a site-to-site Vpn involves several steps:
Phase One configuration involves configuring the key exchange. This process uses Isakmp to recognize the hashing algorithm and authentication method. It is also one of two places where you must recognize the peer at the opposite end of the tunnel. In this example, we chose Sha as the hashing algorithm due to its more robust nature, along with its 160-bit key. The key "vpnkey" must be selfsame on both ends of the tunnel. The address "192.168.16.105" is the covering interface of the router at the opposite end of the tunnel.
Sample phase one configuration:
tukwila(config)#crypto isakmp policy 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#crypto isakmp key vpnkey address 192.168.16.105
Phase Two configuration involves configuring the encrypted tunnel. In Phase Two configuration, you create and name a transform set which identifies the encrypting protocols used to create the derive tunnel. You must also create a crypto map in which you recognize the peer at the opposite end of the tunnel, specify the transform-set to be used, and specify which access operate list will recognize permitted traffic flows. In this example, we chose Aes due to its heightened security and enhanced performance. The statement "set peer 192.168.16.25" identifies the covering interface of the router at the opposite end of the tunnel. The statement "set transform-set vpnset" tells the router to use the parameters specified in the transform-set vpnset in this tunnel. The "match address 100" statement is used to associate the tunnel with access-list 100 which will be defined later.
Sample phase two configuration:
tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
tukwila(cfg-crypto-trans)#exit
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% Note: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
tukwila(config-crypto-map)#set peer 192.168.16.105
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match address 100
The crypto map must be applied to your covering interface (in this example, interface FastEthernet 4):
tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset
You must create an access operate list to explicitly allow traffic from the router's inside Lan across the tunnel to the other router's inside Lan (in this example, the router tukwila's inside Lan network address is 10.10.10.0/24 and the other router's inside Lan network address is 10.20.0.0/24):
tukwila(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255
(For more facts about the syntax of access-control lists, see my other articles on creating and managing Cisco router access-control lists.)
You must also create a default gateway (also known as the "gateway of last resort"). In this example, the default gateway is at 192.168.16.1:
tukwila(config)#ip route 0.0.0.0 0.0.0.0 192.168.16.1
Verifying Vpn Connections
The following two commands can be used to verify Vpn connections:
Router#show crypto ipsec sa
This command displays the settings used by the current security Associations (Sas).
Router#show crypto isakmp sa
This command displays current Ike security Associations.
Troubleshooting Vpn Connections
After confirming physical connectivity, audit both ends of the Vpn association to ensure they mirror each other.
Use debugging to analyze Vpn association difficulties:
Router#debug crypto isakmp
This command allows you to examine Phase 1 Isakmp negotiations.
Router#debug crypto ipsec
This command allows you to examine Phase 2 Ipsec negotiations.
Copyright (c) 2008 Don R. Crawley
Configuring a Site-to-Site Vpn in the middle of Two Cisco Routers
No comments:
Post a Comment