IPSEC …baiscs and configuration/troubleshooting lab

As we know that IPSEC is one of the most common technology for VPNs today. Its powerful security techniques and efficiency makes it very powerful that all its supported across all the vendors. Basically IPSEC is like a security template where you put your security components eg. encryption techniques, hashing techniques, authentication techniques etc …basically when you want to send your data over public network you need to ensure below things.

Authentication : The device at the other end of cloud, to whom you are sending the data is the legitimate device you want to talk. Or its a hacker who is posing as a familiar device and seeing all your critical data….!!!

Integrity : Suppose you are doing a bank transaction of 1 million and at the other end of the cloud there were few more zeroes added to the amount  🙂 …this is called integrity of the data.

Confidentiality : As you are sending the data over the cloud, there is always a risk that somebody has a sniffer somewhere and seeing your data . However there are encryption techniques which ensures that nobody would be able to read the original data even they manage to get it. This is called confidentiality.

IPsec provides all of the above features by below techniques:

Authentication : IPsec uses authentication keys (pre-shared and rsa) .    // this post will include the pre-shared method if you want to read about RSA authentication please refer the Cisco link.

Integrity :  For integrity hashing algorithms are used. Hash is basically one way mathematical function which give one output for one given data. For example if the data is changed in the transit then the its hash value would also change. And hence the data would be discarded at the other end of the IPsec tunnel.

Confidentiality :  For this there are many encryption algorithm available like aes, des , 3des etc

Steps to configure IPsec on Cisco device :

Suppose this is the two site topology :

cisco Ipsec site to site vpn gns3 lab
Site to Site VPN

Please ignore the issue written over the topology for now as we would address this in next post after this basic configuration post.

So the topology has two site connected via ISP(in this case ISP is just one L2 switch, you may consider this as L2 point to point connection via ISP. This topology was just to keep it easy and simple, keep in mind that Ipsec is supported over all kind of ISP clouds). Below is the step to configure.

Step 1 : You need to ensure that the ISP facing interfaces or OUT interfaces over both the sites are reachable.

Step 2  :  Once the connectivity is fine, we need to create ISAKMP policy which will help us in negotiating the authentication,encryption,hashing parameters and also would create the management tunnel. Below is the configuration.

 

On Router R1

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

crypto isakmp key cisco address 12.12.12.2                                  // 12.12.12.2 is the peer at the other end
 

!

 

Step 3 :  Creating a transformation set. In easy words a transformation set would include the encryption and hashing algorithms to be used for actual data transfer. This is for data tunnel.

 

!
 crypto ipsec transform-set IPSEC esp-aes esp-sha-hmac
 !

 

Step 4: Defining intrested traffic, this is the traffic which we need to send across the tunnel.

 

!

 ip access-list extended IPSEC
 permit ip any any              // Just for clarity purpose I have done any to any here, you may use any network prefix.

!

 

Step 5: We need to create IPsec map which will bind all the components we have created above.

 

!

crypto map IPSEC 10 ipsec-isakmp
  set peer 12.12.12.2
  set transform-set IPSEC
  match address IPSEC

!

 

Step 6 : Enabling the crypto on the outgoing interface and assigning the crypto map to the interface.

!

interface FastEthernet1/0
  ip address 12.12.12.1 255.255.255.248
  crypto map IPSEC
 end

!

At the other Site that means on route R2 in this scenario, we need to do the same configuration just the peer IP address needs to different i.e. 12.12.12.1 on the router R2.

Now lets see the wireshark packet exchange while the security association is coming up ….

Site to Site ipsec vpn wireshark

 

explanation of main mode, quick mode and other packet details would come in upcoming posts…till then thanks for reading and happy learning!!


Leave a Reply