L2L connections
- LAN-to-LAN (site-to-site) connections are best suited for routers, since a router can terminate multiple dynamic site-to-site VPNs
- Extension of a classical WAN design
- Configuration steps
- Handle design and policy
- Verify connectivity without IPSec (ping)
- Create extended ACL to allow IPSec traffic into the router
- Configure ISAKMP/IKE Phase 1 policies
- Create extended ACL that defines which traffic is to be protected for the tunnel
- Create transform sets
- Create a crypto map that binds together the peer’s protection information
- Activate crypto map on the interface
- Test IPSec tunnel
Information to determine
- Types of L2L solutions:
- Classic method (small number of peers, non-Cisco routers, or ASA/PIX)
- GRE tunnels (medium number of Cisco peers)
- DMVPN (large number of Cisco peers)
- Authentication methods:
- Pre-shared keys
- RSA encrypted nonces or RSA signatures
- Certificates (Certificate Authority)
- Name/IP address of remote IPSec peer
- Traffic to be protected
- Encryption algorithm: DES, 3DES or AES
- Hash function to use (md5 or sha) and Diffie-Hellman group (1, 2 or 5)
- Life time of the tunnel
- On which interface the traffic is leaving for the public network
- Allow traffic:
rt(config)# access-list ACL_ID permit udp src_IP wild_mask dst_IP wild_mask eq isakmp|500
rt(config)# access-list ACL_ID permit ahp|51 src_IP wild_mask dst_IP wild_mask
rt(config)# access-list ACL_ID permit esp|50 src_IP wild_mask dst_IP wild_mask
rt(config)# access-list ACL_ID permit udp src_IP wild_mask dst_IP wild_mask eq non500-isakmp|4500
rt(config)# access-list ACL_ID permit udp src_IP wild_mask dst_IP wild_mask eq 10000
rt(config)# access-list ACL_ID permit tcp src_IP wild_mask dst_IP wild_mask eq 10000
- Almost all router global IPSec commands begin with crypto
- ISAKMP enabled by default
- Can use host names or IP addresses to identify peers
- Better to set host names statically (local host table) to avoid DNS spoofing
rt(config)# crypto isakmp identity address|hostname
rt(config)# ip host hostname IP_addr_1 [IP_addr_2] […]
- Management connection policy
- Phase 1 policies must match on both peers or the tunnel will fail, except for the lifetime (with some vendors it must match too). Cisco uses the shorter of the two lifetimes. Default 14800 seconds
- priority_# uniquely identifies the policy
- The smaller the number, the higher the priority
- Most secure to be placed on top
rt(config)# crypto isakmp policy priority_#
rt(config-isakmp)# authentication rsa-sig|rsa-encr|pre-share
rt(config-isakmp)# encryption des|3des|aes|aes 192|aes 256
rt(config-isakmp)# group 1|2|5
rt(config-isakmp)# hash md5|sha
rt(config-isakmp)# lifetime #_of_seconds
rt# show crypto isakmp policy
- Phase 1 authentication
rt(config)# crypto key generate rsa
rt(config)# crypto isakmp key 0 key address IP_address [no-xauth]
(or)
rt(config)# crypto isakmp key 0 key hostname host [no-xauth]
rt(config)# crypto pki trustpoint Cert_Authority
rt(ca-trustpoint)# enrollment url URL
rt(ca-trustpoint)# revocation-check none
rt(config)# crypto pki authenticate Cert_Authority
rt(config)# crypto pki crl request Cert_Authority
- Phase 2 data connection (IPsec SA) parameters
rt(config)# crypto ipsec security-association lifetime seconds #_seconds
rt(config)# crypto ipsec security-association lifetime kilobytes #_kbytes
rt(config)# access-list ACL permit proto local_addr local_mask rem_addr rem_mask
rt(config)# crypto ipsec transform-set tsname ts_1 [ts_2 [ts_3]]
rt(cfg-crypto-trans)# mode tunnel|transport
rt# show crypto ipsec transform-set
- Crypto Map
- Ties together all ISAKMP/IKE components to form the data SA
- Static
- Connecting to IPSec device
- Used when we know the remote peer's information in advance
- We must know upfront: peer address, crypto ACL, transform set
rt(config)# crypto map map_name sequence_# ipsec-isakmp|ipsec-manual
rt(config-crypto-map)# match address ACL
rt(config-crypto-map)# set peer hostname|IP
rt(config-crypto-map)# set pfs group1|group2|group5
rt(config-crypto-map)# set transform-set tsname [tsname_2 [tsname_3]]
rt(config-crypto-map)# set security-association lifetime …
rt(config)# crypto map map_name local-address interface
rt(config)# interface type number
rt(config-if)# crypto map map_name
rt# show crypto map
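The configuration steps listed at the top, carried through for one side of a classic static-to-static L2L tunnel. This is an added worked example, not configuration from the original notes; the interface name, addresses (documentation ranges), network ranges, ACL numbers, map and transform-set names are all assumed, and the pre-shared key is a placeholder.

```cisco
! Constructed example (not from the original notes): site A router.
! Assumed values: public interface GigabitEthernet0/0 = 192.0.2.1, remote peer = 198.51.100.1,
! local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24. The pre-shared key is a placeholder.
!
! Step 1 - verify plain connectivity before any IPsec is configured:  ping 198.51.100.1
!
! Step 2 - extended ACL allowing IPsec traffic into the router, from this peer only
access-list 100 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
access-list 100 permit udp host 198.51.100.1 host 192.0.2.1 eq non500-isakmp
access-list 100 permit esp host 198.51.100.1 host 192.0.2.1
access-list 100 permit ahp host 198.51.100.1 host 192.0.2.1
! decrypted packets from the remote LAN are re-checked against the inbound ACL on many IOS releases
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Step 3 - ISAKMP/IKE Phase 1: the strongest policy gets the lowest (highest-priority) number
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp identity address
crypto isakmp key 0 REPLACE-WITH-STRONG-PSK address 198.51.100.1 no-xauth
!
! Step 4 - crypto ACL: traffic to protect; the peer's crypto ACL must be the mirror image
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 5 - transform set (Phase 2 algorithms) and data SA lifetime
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set TS_AES256_SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 6 - static crypto map binding the peer, the crypto ACL and the transform set
crypto map L2L_MAP 10 ipsec-isakmp
 match address 101
 set peer 198.51.100.1
 set transform-set TS_AES256_SHA
 set pfs group5
!
! Step 7 - activate the crypto map (and the inbound filter) on the public interface
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
 crypto map L2L_MAP
!
! Step 8 - test: generate interesting traffic, then confirm both SAs exist
! ping 10.2.2.1 source 10.1.1.1
! show crypto isakmp sa
! show crypto ipsec sa
```

Site B mirrors this with the addresses swapped and an identical Phase 1 policy; the only parameter that may differ is the lifetime, where the shorter value wins. If `show crypto isakmp sa` shows no entry after the ping, check the Phase 1 policy and pre-shared key first; if Phase 1 is up but `show crypto ipsec sa` shows no encrypted packets, compare the two crypto ACLs and transform sets.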
- Dynamic
- Used when we don't know the remote peer's address (dialup or DHCP)
- Remote must initiate the connection
- One side static crypto map, other side dynamic
- Router creates a temporary static entry when the SA is formed
rt(config)# crypto dynamic-map map_name sequence_#
rt(config-crypto-map)# … (same set/match commands as a static crypto map)
- A dynamic map is referenced as an entry in a static crypto map (Cisco syntax)
rt(config)# crypto map static_map_name sequence_# ipsec-isakmp dynamic dyn_map_name
rt(config)# interface int_ID
rt(config-if)# crypto map static_map_name
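The hub side of the dynamic case, as an added worked example that is not part of the original notes: the branch's public address is unknown, so the peer is identified by host name (the identity and host-name key commands above) rather than by address. The interface, LAN ranges, branch name, ACL number and map names are assumed; the pre-shared key is a placeholder.

```cisco
! Constructed example (not from the original notes): hub router accepting branches whose public
! address is not known in advance (DHCP). Assumed values: hub public interface GigabitEthernet0/0,
! hub LAN 10.1.1.0/24, branch LANs inside 10.2.0.0/16, branch IKE identity branch1.example.com.
!
! Peers are identified by host name, so the pre-shared key is not tied to an address
crypto isakmp identity hostname
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key 0 REPLACE-WITH-STRONG-PSK hostname branch1.example.com
!
crypto ipsec transform-set TS_AES256_SHA esp-aes 256 esp-sha-hmac
!
! Dynamic map: no "set peer" (the peer is learned when the branch initiates). The optional
! crypto ACL limits which flows a branch may propose instead of accepting any proxy identity.
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255
crypto dynamic-map DYN_MAP 10
 match address 102
 set transform-set TS_AES256_SHA
 set pfs group5
!
! Embed it as the LAST entry of the static map, so entries for known peers are tried first
crypto map HUB_MAP 65535 ipsec-isakmp dynamic DYN_MAP
!
interface GigabitEthernet0/0
 crypto map HUB_MAP
!
! After a branch connects, the temporary entry appears in:  show crypto map  /  show crypto ipsec sa
```

The branch is configured like the static example, with `crypto isakmp identity hostname` and a host name and domain that produce the FQDN the hub's key is bound to; the hub cannot initiate, so the branch must send the first interesting packet. Since the hub learns the peer only at connection time, the pre-shared key (or certificates) is the whole authentication decision, which is why a per-branch key by host name is preferable to one shared by every peer.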
- AAA and static crypto maps
rt(config)# crypto map static_map client authentication list aaa_list
rt(config)# crypto map static_map client isakmp authorization list aaa_list
rt(config)# crypto map static_map client configuration address initiate|respond