This is what Cisco says about IPsec VPNs. "When a growing organization expands to multiple locations, one of the
challenges it faces is how to interconnect remote sites to the
corporate network. As network security risks increase and regulatory
compliance becomes essential, it is important to address these critical
needs.
You can dramatically increase the reach of your network without significantly expanding your infrastructure by using Cisco IOS IPsec VPNs. IPsec is a robust, standards-based encryption technology that enables your organization to securely connect branch offices and remote users and provides significant cost savings compared to traditional WAN access such as Frame Relay or ATM. One of the most widely deployed network security technologies today, IPsec VPNs provide high levels of security through encryption and authentication, protecting data from unauthorized access." Now let us set up our topology.
In this scenario, company A has its headquarters in London and a branch office in Banjul. The easiest and cheapest way of connecting two sites, one in Europe and the other in Africa, is over the Internet. We will use the Internet here, but one big issue with the Internet is that it is less secure than a private network. This is where Cisco IOS IPsec VPNs can help us. With IPsec we form two secure tunnels through the Internet. First, IKE phase 1 forms the tunnel that protects the exchange of the secret key material. Once this is done, the second tunnel is created in IKE phase 2 to securely transport the data between the sites.
==============================================================
Let us build the basic network without the IPsec first and examine it.
R1
==
ena
conf t
hostname R1
int fastEthernet 0/0
ip add 192.168.1.1 255.255.255.0
no shut
exit
int serial 1/0
ip add 192.168.12.1 255.255.255.252
no shut
exit
router ospf 1
network 192.168.12.1 0.0.0.0 area 0
exit
ip route 0.0.0.0 0.0.0.0 192.168.12.2
==========================================
R2
==
ena
conf t
hostname R2
int serial 1/0
ip add 192.168.12.2 255.255.255.252
no shut
exit
int serial 1/1
ip add 192.168.23.2 255.255.255.252
no shut
exit
router ospf 1
network 192.168.12.2 0.0.0.0 area 0
network 192.168.23.2 0.0.0.0 area 0
========================================
R3
==
ena
conf t
hostname R3
int fastEthernet 0/0
ip add 10.1.1.1 255.255.255.0
no shut
exit
int serial 1/1
ip add 192.168.23.1 255.255.255.252
no shut
exit
router ospf 1
network 192.168.23.1 0.0.0.0 area 0
exit
ip route 0.0.0.0 0.0.0.0 192.168.23.2
=============================================
Let us verify that London HQ (R1) cannot reach the Banjul branch (R3) by making an extended ping sourced from FastEthernet 0/0 on London to FastEthernet 0/0 of Banjul.
The output clearly shows that the two sites' local networks cannot reach each other.
With IPsec, we can build the tunnels between the two sites over the Internet. All that you need is reachability between R1 and R3 through the Internet. We can verify this by making an extended ping, sourced from serial 1/0 on London to serial 1/1 of Banjul. This path is what we are simulating as the Internet.
The ping was successful, meaning that there is reachability through the Internet. We can now build the IPsec tunnels to connect the two sites. To build a tunnel between two points there must be reachability between the endpoints where the tunnel is going to be built.
Step 1: ISAKMP policy -- This is where we configure the parameters that will be used for the IKE phase 1 tunnel.
At R1
====
crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
lifetime 36000
exit
crypto isakmp key cisco address 192.168.23.1
==============================================
At R3
====
crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption aes 256
hash sha
lifetime 36000
exit
crypto isakmp key cisco address 192.168.12.1
===============================================
crypto isakmp enable -- This enables ISAKMP; note that it is enabled by default.
crypto isakmp policy 10 -- When a router tries to negotiate the IKE phase 1 tunnel and is configured with multiple policies, it sends all of its policies to the remote peer. The remote peer then compares the policies it received against its own configured ISAKMP policies, starting with its smallest priority number and working up in order until a match is found.
encryption aes 256 -- This configures AES with a 256-bit key as the encryption algorithm used for the IKE phase 1 tunnel.
hash sha -- This configures SHA as the hashing algorithm.
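The policy comparison described above, as an added Python model that is not part of the original post: the responder walks its own policies from the lowest priority number upward and accepts the first one whose encryption, hash, authentication and DH group equal one of the initiator's proposals; the shorter of the two lifetimes is kept. Parameters not set in the post's policy 10 take the IOS defaults (no `group` is configured, so DH group 1 applies on both routers), and `weak_settings` is a constructed review check, not an IOS command.

```python
# Added example (not from the original post): models ISAKMP policy negotiation.
# The responder sorts its own policies by priority number (lowest first) and
# picks the first one whose encryption, hash, authentication and DH group
# equal one of the initiator's proposals. Values the post's policy does not
# set take the IOS defaults in IOS_DEFAULTS. Lifetime handling is simplified
# to "keep the shorter of the two".

IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": 1, "lifetime": 86400}
MATCH_KEYS = ("encryption", "hash", "authentication", "group")


def policy(priority, **overrides):
    """Build a full policy dict: the configured values over the IOS defaults."""
    return {"priority": priority, **IOS_DEFAULTS, **overrides}


def negotiate(responder_policies, initiator_policies):
    """Return the agreed phase 1 parameters, or None if no policy pair matches."""
    for local in sorted(responder_policies, key=lambda p: p["priority"]):
        for remote in initiator_policies:
            if all(local[k] == remote[k] for k in MATCH_KEYS):
                agreed = {k: local[k] for k in MATCH_KEYS}
                agreed["lifetime"] = min(local["lifetime"], remote["lifetime"])
                agreed["priority"] = local["priority"]
                return agreed
    return None


def weak_settings(agreed):
    """Constructed review check: flag phase 1 parameters that should be raised."""
    findings = []
    if agreed["group"] in (1, 2):
        findings.append("DH group %d is too small; set 'group 14' or higher" % agreed["group"])
    if agreed["encryption"] in ("des", "3des"):
        findings.append("%s encryption is obsolete" % agreed["encryption"])
    return findings


# Policy 10 from the post on both routers: "group" is never set, so the
# default group 1 applies on both sides and the match is made on it.
R1_POLICIES = [policy(10, authentication="pre-share", encryption="aes 256",
                      hash="sha", lifetime=36000)]
R3_POLICIES = [policy(10, authentication="pre-share", encryption="aes 256",
                      hash="sha", lifetime=36000)]

if __name__ == "__main__":
    agreed = negotiate(R3_POLICIES, R1_POLICIES)  # R1 initiates, R3 responds
    print(agreed)
    for finding in weak_settings(agreed):
        print("warning:", finding)
```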
===================================================
Step 2: Transform set -- This is where we configure the parameters that will be used for the IKE phase 2 tunnel (the IPsec tunnel).
R1
==
crypto ipsec transform-set MYTRANSFORM esp-aes 256 esp-sha-hmac
R3
==
crypto ipsec transform-set MYTRANSFORM esp-aes 256 esp-sha-hmac
========================================================
The transform set command defines the following:
- esp-aes 256 - encryption method (ESP with AES-256)
- esp-sha-hmac - hashing algorithm (ESP integrity with SHA-1 HMAC)
=======================================================
Step 3 -- ACL -- This is where we create an extended ACL to define the traffic, often called the interesting traffic, that will be sent over the VPN.
R1
==
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
R3
==
access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
====================================================
The ACLs allow the traffic between R1's and R3's LAN networks (192.168.1.0/24 and 10.1.1.0/24, configured on FastEthernet 0/0) over the tunnel. Note that R3's ACL is the mirror image of R1's.
Step 4 -- Crypto map -- This is where we bind the tunnel configuration together: the peer, the transform set, PFS and the interesting-traffic ACL.
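The interesting-traffic ACLs above, as an added Python check that is not part of the original post: it parses both `access-list 100` lines, verifies that R3's entry is the mirror image of R1's (the phase 2 proxy identities the two peers propose must agree), and classifies constructed packets as encrypted or cleartext the way `match address 100` would. Only `permit ip` entries with wildcard masks are handled; the helper names are this example's own.

```python
# Added example (not from the original post): mirror check for crypto ACLs
# and a classifier for which packets the crypto map would encrypt.
import ipaddress

# The two ACL lines from Step 3 of the post.
R1_ACL = ["access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255"]
R3_ACL = ["access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255"]


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an ipaddress network."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_acl(lines):
    """Return a list of (src_net, dst_net) tuples from 'permit ip' entries."""
    entries = []
    for line in lines:
        f = line.split()
        if f[2:4] != ["permit", "ip"]:
            raise ValueError("unsupported entry: " + line)
        entries.append((wildcard_to_network(f[4], f[5]),
                        wildcard_to_network(f[6], f[7])))
    return entries


def is_mirror(local_acl, remote_acl):
    """True when every (src, dst) on one side appears as (dst, src) on the other."""
    local = set(parse_acl(local_acl))
    remote = {(dst, src) for src, dst in parse_acl(remote_acl)}
    return local == remote


def is_interesting(acl, src_ip, dst_ip):
    """True if the packet matches a permit entry, i.e. it would be encrypted."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(src in s and dst in d for s, d in parse_acl(acl))


if __name__ == "__main__":
    print("ACLs mirror each other:", is_mirror(R1_ACL, R3_ACL))
    # Constructed packets: LAN-to-LAN is encrypted; LAN to the simulated Internet is not.
    print(is_interesting(R1_ACL, "192.168.1.1", "10.1.1.1"))      # True
    print(is_interesting(R1_ACL, "192.168.1.1", "192.168.23.1"))  # False
```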
R1
==
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.23.1
set transform-set MYTRANSFORM
set pfs group5
match address 100
exit
=======================
R3
==
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.12.1
set transform-set MYTRANSFORM
set pfs group5
match address 100
exit
=========================
Step 5 -- Apply the crypto map to the specific interfaces.
R1
==
int serial 1/0
ip add 192.168.12.1 255.255.255.252
crypto map MYMAP
no shut
exit
===========================
R3
==
int serial 1/1
ip add 192.168.23.1 255.255.255.252
crypto map MYMAP
no shut
exit
===========================
Let us test the IPsec VPN by repeating the ping that failed previously.
From the ping we can see that 19 of the 20 packets succeeded. The lost packet is most likely due to the time it takes to establish the tunnels (or to ARP resolution).
With show crypto ipsec sa we can see that all 19 packets have been encrypted!