
Network Security v1.0 - Module 19


Module 19: Implement Site-to-Site IPsec VPNs with CLI
Networking Security v1.0 (NETSEC)
Module Objectives
Module Title: Implement Site-to-Site IPsec VPNs with CLI

Module Objective: Configure a site-to-site IPsec VPN, with pre-shared key authentication, using CLI.

Topic Title                          Topic Objective
Configure a Site-to-Site IPsec VPN   Describe IPsec negotiation and the five steps of IPsec configuration.
ISAKMP Policy                        Use the correct commands to configure an ISAKMP policy.
IPsec Policy                         Use the correct commands to configure the IPsec policy.
Crypto Map                           Use the correct command to configure and apply a Crypto map.
IPsec VPN                            Configure the IPsec VPN.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
19.1 Configure a Site-to-Site IPsec VPN

Configure a Site-to-Site IPsec VPN
IPsec Negotiation

IPsec negotiation to establish a VPN involves five steps, which include IKE Phase 1 and Phase 2:
1. An ISAKMP tunnel is initiated when host A sends “interesting” traffic to host B. Traffic is considered interesting when it travels between the peers and meets the criteria that are defined in an ACL.
2. IKE Phase 1 begins. The peers negotiate the ISAKMP SA policy. When the peers agree on the policy and are authenticated, a secure tunnel is created.
3. IKE Phase 2 begins. The IPsec peers use the authenticated secure tunnel to negotiate the IPsec SA policy. The negotiation of the shared policy determines how the IPsec tunnel is established.
4. The IPsec tunnel is created, and data is transferred between the IPsec peers based on the IPsec SAs.
5. The IPsec tunnel terminates when the IPsec SAs are manually deleted, or when their lifetime expires.
Configure a Site-to-Site IPsec VPN
Site-to-Site IPsec VPN Topology
Implementing a site-to-site VPN requires configuring settings for both IKE Phase 1 and
Phase 2. In the phase 1 configuration, the two sites are configured with the necessary
ISAKMP security associations to ensure that an ISAKMP tunnel can be created. In the
phase 2 configuration, the two sites are configured with the IPsec security associations to
ensure that an IPsec tunnel is created within the ISAKMP tunnel. Both tunnels will be
created only when interesting traffic is detected.

The topology in the figure for XYZCORP will be used in this section to demonstrate a site-to-site IPsec VPN implementation.

Configure a Site-to-Site IPsec VPN
Site-to-Site IPsec VPN Topology (Cont.)
Both routers are configured with IP addressing and static routing. An extended ping on R1 verifies that
routing between the LANs is operational.

Configure a Site-to-Site IPsec VPN
IPsec VPN Configuration Tasks
Security Policy Requirements

All XYZCORP VPNs should be implemented using the following security policy:
• Encrypt traffic with AES 256 and SHA.
• Authenticate with PSK.
• Exchange keys with DH group 14.
• ISAKMP tunnel lifetime is 1 hour.
• IPsec tunnel uses ESP with a 15-minute lifetime.

Configuration Tasks

The configuration tasks required to meet this policy are:
Task 1: Configure the ISAKMP Policy for IKE Phase 1
Task 2: Configure the IPsec Policy for IPsec Phase 2
Task 3: Configure a Crypto Map for the IPsec Policy
Task 4: Apply the IPsec Policy
Task 5: Verify that the IPsec Tunnel is Operational

Configure a Site-to-Site IPsec VPN
Existing ACL Configurations
Prior to implementing a site-to-site IPsec VPN, ensure that the existing ACLs do not block traffic
necessary for IPsec negotiations. The ACL command syntax to permit ISAKMP, ESP, and AH
traffic is shown here.
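As an added example (not taken from the Cisco module), the following R1 fragment shows the three entries that let an existing inbound ACL on the WAN interface pass the negotiation traffic. The peer addresses 172.30.2.1 (R1) and 172.30.2.2 (R2) are the module's; the ACL name OUTSIDE-IN, the interface name and the sequence numbers are assumed.

```cisco
! Added example. Assumed: R1's WAN interface is GigabitEthernet0/0/0 (172.30.2.1)
! and already carries an inbound ACL named OUTSIDE-IN. Peer R2 is 172.30.2.2.
ip access-list extended OUTSIDE-IN
 ! Explicit sequence numbers place the entries ahead of any existing deny.
 ! Without them IOS appends at the end, and an earlier deny would still drop
 ! the negotiation traffic even though the permits are present.
 5 permit udp host 172.30.2.2 host 172.30.2.1 eq isakmp
 6 permit esp host 172.30.2.2 host 172.30.2.1
 7 permit ahp host 172.30.2.2 host 172.30.2.1
!
interface GigabitEthernet0/0/0
 ip access-group OUTSIDE-IN in
!
! Verify: the three entries show hit counts once the peers start negotiating
show access-lists OUTSIDE-IN
```

UDP 500 (isakmp) carries IKE Phase 1, ESP (IP protocol 50) carries the protected data, and AH (IP protocol 51) is only used by an AH transform set, but the module permits it anyway. If a NAT device sits between the peers, IKE and ESP are both carried in UDP 4500 instead, which the IOS ACL syntax names non500-isakmp; that entry is not needed in the XYZCORP topology.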

Configure a Site-to-Site IPsec VPN
Handling Broadcast and Multicast Traffic

The XYZCORP topology uses static routing, so there is no multicast or broadcast traffic that needs to be routed through the tunnel. But what if XYZCORP decided to implement EIGRP or OSPF? To enable routing protocol traffic, the peers in a site-to-site IPsec VPN implementation would need to be configured with a Generic Routing Encapsulation (GRE) tunnel for the multicast traffic.

19.2 ISAKMP Policy

ISAKMP Policy
The Default ISAKMP Policies
The Cisco IOS comes with default ISAKMP policies already in place. To view the default policies,
enter the show crypto isakmp default policy command.

R1 has seven default ISAKMP policies ranging from the most secure (policy 65507) to the least
secure (policy 65514). If no other policy has been defined by the administrator, R1 will attempt to
use the most secure default policy. If R2 has a matching policy, then R1 and R2 can successfully
negotiate the IKE Phase 1 ISAKMP tunnel without any configuration by the administrator.

ISAKMP Policy
The Default ISAKMP Policies (Cont.)
In this example, none of the default policies match the security policy for XYZCORP. A new ISAKMP policy will
have to be configured.

ISAKMP Policy
Syntax to Configure a New ISAKMP Policy
To configure a new ISAKMP policy, use the crypto isakmp policy command. The only argument for the command is to set a priority for the policy (from 1 to 10000). Peers will attempt to negotiate using the policy with the lowest number (highest priority).

When in ISAKMP policy configuration mode, the SAs for the IKE Phase 1 tunnel can be configured. Use the mnemonic HAGLE to remember the five SAs to configure:
• Hash
• Authentication
• Group
• Lifetime
• Encryption
ISAKMP Policy
ISAKMP Policy Configuration

To meet the security policy requirements for XYZCORP, configure the ISAKMP policy with the following SAs:
• Hash is SHA
• Authentication is pre-shared key
• Group is 14
• Lifetime is 3600 seconds
• Encryption is AES

ISAKMP Policy
Configuring a Pre-Shared Key
The pre-shared key command syntax is as follows:

XYZCORP uses the key phrase cisco12345 and the IP address of the peer:
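The complete IKE Phase 1 configuration for both routers, as an added example that is not the module's own slide content. The HAGLE values, the key phrase cisco12345 and the peer addresses 172.30.2.1 (R1) and 172.30.2.2 (R2) are the module's; the policy priority number 10 is assumed.

```cisco
! Added example. Policy number 10 is assumed; the parameters are the XYZCORP
! requirements (HAGLE: hash, authentication, group, lifetime, encryption).
!
! ---- R1 ----
crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
 encryption aes 256
! The pre-shared key is bound to the peer's WAN address (R2 = 172.30.2.2)
crypto isakmp key cisco12345 address 172.30.2.2
!
! ---- R2: identical policy; the key is bound to R1's address ----
crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
 encryption aes 256
crypto isakmp key cisco12345 address 172.30.2.1
!
! Verify on either router: policy 10 is listed ahead of the default policies
! 65507-65514, so it is offered to the peer first. Until interesting traffic
! arrives, show crypto isakmp sa still reports no SA.
show crypto isakmp policy
show crypto isakmp sa
```

The key string must be identical on both peers and bound to the address the peer actually sources IKE from (its WAN address, not its LAN). The value cisco12345 is the module's lab value; in a deployment the PSK is a long random string, and the configured policy, not the defaults, is what the security policy is audited against.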

19.3 IPsec Policy

IPsec Policy
Define Interesting Traffic

Although the ISAKMP policy for the IKE Phase 1 tunnel is configured, the tunnel does not yet exist. This is verified with the show crypto isakmp sa command.

To define interesting traffic, configure each router with an ACL to permit traffic from the local LAN to the remote LAN. The ACL will be used in the crypto map configuration to specify what traffic will trigger the start of IKE Phase 1.

IPsec Policy
Configure IPsec Transform Set
The next step is to configure the transform set, a set of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel.

Configure a transform set using the crypto ipsec transform-set command. First, specify a name for the transform set (R1-R2, in the example). The encryption and hashing algorithm can then be configured in either order.
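The interesting-traffic ACLs and the transform set for both routers, as an added example rather than the module's own configuration. The transform-set name R1-R2 is the module's; the LAN prefixes (R1 LAN 192.168.1.0/24, R2 LAN 192.168.2.0/24) and the ACL names are assumed, because this page does not give them.

```cisco
! Added example. LAN prefixes are not on the page and are assumed:
! R1 LAN 192.168.1.0/24, R2 LAN 192.168.2.0/24. ACL names are assumed.
!
! ---- R1: interesting traffic is local LAN -> remote LAN ----
ip access-list extended R1-R2_VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! ---- R2: the mirror image of R1's ACL ----
! Cisco recommends that the two crypto ACLs be exact mirrors. A mismatch
! surfaces as an IKE Phase 2 (proxy identity) failure, not a Phase 1 failure,
! so a tunnel that shows an ISAKMP SA but no IPsec SA is the symptom to check.
ip access-list extended R2-R1_VPN_ACL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! ---- Both routers: ESP with AES-256 and SHA HMAC per the XYZCORP policy ----
crypto ipsec transform-set R1-R2 esp-aes 256 esp-sha-hmac
 mode tunnel
!
show crypto ipsec transform-set
```

Keep the crypto ACL as narrow as the policy allows: every packet it permits is encrypted and every packet it denies is sent in the clear, so a broad entry such as permit ip any any also pulls management and Internet-bound traffic into the tunnel. esp-sha-hmac is the SHA-1 HMAC the module specifies; IOS also offers esp-sha256-hmac where the policy calls for it.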

19.4 Crypto Map

Crypto Map
Syntax to Configure a Crypto Map
Now that the interesting traffic is defined, and an IPsec transform set is configured, it is time to bind those
configurations with the rest of the IPsec policy in a crypto map. The available configurations for a crypto map
entry when you are in crypto map configuration mode are shown below. Although the ipsec-manual option is
shown, its use is beyond the scope of this course.

Parameter     Description
map-name      Identifies the crypto map set.
seq-num       Sequence number you assign to the crypto map entry. Use the crypto map map-name seq-num command without any keyword to modify the existing crypto map entry or profile.
ipsec-isakmp  Indicates that IKE will be used to establish the IPsec SAs for protecting the traffic specified by this crypto map entry.
ipsec-manual  Indicates that IKE will not be used to establish the IPsec SAs for protecting the traffic specified by this crypto map entry.

Crypto Map
Syntax to Configure a Crypto Map (Cont.)
The available configurations for a crypto map entry when you are in crypto map configuration
mode are shown below. The map name is R1-R2_MAP, and the sequence number is 10.

Crypto Map
Crypto Map Configuration

To finish the configuration to meet the IPsec security policy for XYZCORP, complete the following:

Step 1. Bind the ACL and the transform set to the map.
Step 2. Specify the peer’s IP address.
Step 3. Configure the DH group.
Step 4. Configure the IPsec tunnel lifetime.

Crypto Map
Crypto Map Configuration (Cont.)

Use the show crypto map command to verify the crypto map configuration, as shown here. All the required SAs should be in place.

Crypto Map
Apply and Verify the Crypto Map

To apply the crypto map, use the crypto map map-name interface configuration command on the outbound interface.

Use the show crypto map command to verify that the crypto map is now applied to the interface.
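The four crypto map steps and the interface binding on R1, as an added example (not the module's slide). The map name R1-R2_MAP, sequence number 10, transform-set name R1-R2, peer address 172.30.2.2 and the 15-minute lifetime are the module's; the ACL name R1-R2_VPN_ACL and the interface name are assumed.

```cisco
! Added example. ACL name and interface name are assumed.
!
! Step 1: bind the interesting-traffic ACL and the transform set
crypto map R1-R2_MAP 10 ipsec-isakmp
 match address R1-R2_VPN_ACL
 set transform-set R1-R2
 ! Step 2: the peer's WAN address (R2)
 set peer 172.30.2.2
 ! Step 3: DH group 14 for the Phase 2 key exchange (perfect forward secrecy)
 set pfs group14
 ! Step 4: 15-minute IPsec SA lifetime from the XYZCORP policy
 set security-association lifetime seconds 900
!
! R2 mirrors this entry with set peer 172.30.2.1 and its own crypto ACL.
!
! Task 4: apply the map to the outbound (WAN) interface. IOS logs a
! CRYPTO-6-ISAKMP_ON_OFF message when the first crypto map is applied.
interface GigabitEthernet0/0/0
 crypto map R1-R2_MAP
!
! Verify: each entry's peer, ACL, transform set, PFS and lifetime are listed,
! and the output ends with "Interfaces using crypto map R1-R2_MAP:" naming
! the interface. An empty interface list means Step 4 is still missing.
show crypto map
```

A crypto map is evaluated only on the interface it is applied to, so it belongs on the interface that faces the peer; applying it to the LAN side leaves the WAN traffic unprotected and the tunnel never forms.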

19.5 IPsec VPN

IPsec VPN
Send Interesting Traffic

Traffic from the LAN interface on R1 destined for the LAN interface on R2 is considered
interesting traffic because it matches the ACLs configured on both routers. An extended ping
from R1 will effectively test the VPN configuration.

IPsec VPN
Verify the ISAKMP and IPsec Tunnels
To verify that tunnels have been established, use the show crypto isakmp sa and show
crypto ipsec sa (next slide) commands.

IPsec VPN
Verify the ISAKMP and IPsec Tunnels (Cont.)
The output for the ISAKMP tunnel is shown below. Notice that the tunnel is active between the two peers, 172.30.2.1 and 172.30.2.2.
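The test-and-verify sequence for the two tunnels, as an added example that is not part of the module. The peer addresses 172.30.2.1 and 172.30.2.2 are the module's; the LAN interface addresses used by the extended ping (R1 LAN 192.168.1.1, R2 LAN 192.168.2.1) are assumed.

```cisco
! Added example. LAN addresses are assumed; peer addresses are the module's.
!
! Send interesting traffic: an extended ping sourced from R1's LAN address so
! that it matches the crypto ACL. A plain ping sourced from the WAN address
! does not match the ACL and never triggers IKE.
ping 192.168.2.1 source 192.168.1.1
! The first echo is often lost while IKE Phase 1 and Phase 2 negotiate;
! a second ping should get five replies.
!
! IKE Phase 1: expect one entry, dst/src 172.30.2.2 and 172.30.2.1, state QM_IDLE
show crypto isakmp sa
!
! IKE Phase 2: #pkts encaps and #pkts decaps grow with each ping, and the
! inbound/outbound esp sas show the SPI and the remaining key lifetime, which
! starts at the 900 s configured in the crypto map.
show crypto ipsec sa
!
! Step 5 of the negotiation: delete the SAs by hand; the next interesting
! packet rebuilds both tunnels.
clear crypto sa
clear crypto isakmp
```

A ping that succeeds while show crypto ipsec sa shows zero encaps/decaps means the traffic is being routed outside the tunnel (usually because it did not match the crypto ACL), which is a policy failure even though connectivity looks fine.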

IPsec VPN
Video - Site-to-Site IPsec VPN Configuration

This video will demonstrate configuring a Site-to-Site IPsec VPN Tunnel.

IPsec VPN
Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN

In this Packet Tracer, you will complete the following objectives:

• Verify connectivity throughout the network
• Configure router R1 to support a site-to-site IPsec VPN with R3

IPsec VPN
Lab - Configuring a Site-to-Site VPN

In this lab, you will complete the following objectives:

• Configure basic device settings.
• Configure a site-to-site VPN using Cisco IOS.

19.6 Implement Site-to-Site IPsec VPNs with CLI Summary

Implement Site-to-Site IPsec VPNs with CLI Summary
What Did I Learn in this Module?

• IPsec negotiation to establish a VPN involves five steps, which include IKE Phase 1 and Phase 2.
• An ISAKMP tunnel is initiated when host A sends “interesting” traffic, defined by an ACL, to host B.
• IKE Phase 1 then begins and the peers negotiate the ISAKMP SA policy.
• IKE Phase 2 begins and the IPsec peers use the authenticated secure tunnel to negotiate the IPsec SA policy.
• The IPsec tunnel is created, and data is transferred between the IPsec peers based on the IPsec SAs.
• Implementing a site-to-site VPN requires configuring settings for both IKE Phase 1 and Phase 2.
• To enable multicast routing protocol traffic, the peers would need to be configured with a GRE tunnel.
• The ISAKMP policy lists the SAs that the router is willing to use to establish the IKE Phase 1 tunnel.
• Use the show crypto isakmp default policy command to view the default policies.

Implement Site-to-Site IPsec VPNs with CLI Summary
What Did I Learn in this Module?

• To configure a new ISAKMP policy, use the crypto isakmp policy command. The five SAs to configure are hash, authentication, group, lifetime, and encryption (HAGLE).
• Configure an ACL to define interesting traffic.
• Use the crypto ipsec transform-set command to configure the set of encryption and hashing algorithms that will be used to transform the data that is sent through the IPsec tunnel.
• To finish the configuration to meet the IPsec security policy you must bind the ACL and the transform set to the map, specify the peer’s IP address, configure the DH group, and configure the IPsec tunnel lifetime.
• Use the show crypto map command to verify the crypto map configuration.
• To apply the crypto map, enter interface configuration mode for the outbound interface and configure the crypto map map-name command.
• Test the two tunnels by sending interesting traffic across the link.
• To verify that tunnels have been established, use the show crypto isakmp sa and show crypto ipsec sa commands.
Implement Site-to-Site IPsec VPNs with CLI
New Terms and Commands
• ip access-list extended name
• permit udp source wildcard destination wildcard eq isakmp
• permit esp source wildcard destination wildcard
• permit ahp source wildcard destination wildcard
• show crypto isakmp default policy
• crypto isakmp policy priority
• encryption encryption-type
• hash hash-algorithm
• authentication auth-type
• group 24 dh-group
• lifetime seconds
• crypto isakmp key keystring address peer-address
• crypto isakmp key keystring hostname peer-hostname
• show crypto isakmp sa

Implement Site-to-Site IPsec VPNs with CLI
New Terms and Commands (Cont.)
• crypto ipsec transform-set name encryption algorithm
• crypto map map-name seq-num { ipsec-isakmp | ipsec-manual }
• show crypto map
• interface if-name
• crypto map map-name
• show crypto ipsec sa
