Sunday, 11 August 2013
Cisco VPN (ISAKMP + IPSec)
Yesterday I found a great channel on YouTube: CBTvideochannel. There are a lot of videos about Cisco CCNA, especially about security.
Youtube playlist: http://www.youtube.com/playlist?list=PL6ED021B0FA97EFB1
CBT Nuggets official website: http://www.cbtnuggets.com/
Here is a checklist for setting up a site-to-site VPN using IPSec (c) CBT Nuggets:
Creating Site-to-Site VPNs with Pre-Shared Keys

Documentation:
1. Document your IKE Phase 1 negotiation criteria (example below)
• Hashing: SHA-1
• Authentication: pre-shared
• Key exchange: Diffie-Hellman Group 2
2. Document your IPSec (IKE Phase 2) negotiation criteria (example below)
• Encryption algorithm: esp-aes 128
• Authentication: esp-sha-hmac

Configuring IKE Phase 1:
1. Enable ISAKMP:
• Router(config)#crypto isakmp enable
2. Create an ISAKMP policy:
• Router(config)#crypto isakmp policy <1-10000>
• Router(config)#crypto isakmp policy 100
• Router(config-isakmp)#encryption aes 128
• Router(config-isakmp)#authentication pre-share
• Router(config-isakmp)#group 2
• Router(config-isakmp)#hash sha
• Router(config-isakmp)#exit
3. Configure the ISAKMP identity:
• Router(config)#crypto isakmp identity <address/hostname>
• Router(config)#crypto isakmp identity address
4. Configure the ISAKMP key (the peer needs the same key string, bound to this router's address):
• Router(config)#crypto isakmp key 0 <Pre-Shared-Key> address <remote IP address>
• Router(config)#crypto isakmp key 0 SUPERSECRETKEY address 1.1.1.2

Configuring IKE Phase 2:
1. Create a transform set:
• Router(config)#crypto ipsec transform-set <name> <methods>
• Router(config)#crypto ipsec transform-set SET-NAME esp-aes 128 esp-sha-hmac
• Router(cfg-crypto-trans)#mode tunnel
• Router(cfg-crypto-trans)#exit
2. (optional) Configure the IPSec SA lifetime:
• Router(config)#crypto ipsec security-association lifetime <seconds/kilobytes> <value>
• Router(config)#crypto ipsec security-association lifetime seconds 86400
3. Create mirrored ACLs defining the traffic to be encrypted and the traffic expected to be received encrypted (the peer's ACL lists the same networks with source and destination swapped):
• Router(config)#ip access-list extended <name>
• Router(config-ext-nacl)#permit ip <source network> <wildcard> <destination network> <wildcard>
• Router(config)#ip access-list extended S2S-VPN-TRAFFIC
• Router(config-ext-nacl)#permit ip 172.30.2.0 0.0.0.255 192.168.1.0 0.0.0.255
• Router(config-ext-nacl)#exit
4. Set up the IPSec crypto map:
• Router(config)#crypto map <name> <seq> ipsec-isakmp
• Router(config)#crypto map S2S-VPN 100 ipsec-isakmp
  o Router(config-crypto-map)#match address S2S-VPN-TRAFFIC
  o Router(config-crypto-map)#set peer 1.1.1.2 <remote IP>
  o Router(config-crypto-map)#set pfs group2 <group1/2/5, optional>
  o Router(config-crypto-map)#set transform-set SET-NAME <set>

Apply to Interface:
1. Apply the crypto map to the outside interface:
• Router(config)#int fa4
• Router(config-if)#crypto map S2S-VPN

Create Interesting Traffic:
1. Ping from the source network to the destination network.

Verify:
1. Show and debug commands (an ISAKMP SA in state QM_IDLE means IKE Phase 1 completed):
• Router#show crypto isakmp sa
• Router#show crypto ipsec sa
• Router#debug crypto isakmp
• Router#debug crypto ipsec
• Router#show crypto map
• Router#show crypto isakmp policy
• Router#show crypto ipsec transform-set
• Router#clear crypto sa
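Most site-to-site tunnels that never reach QM_IDLE fail because the two routers were configured by hand from a checklist like this one and disagree on some detail: a different DH group, a pre-shared key bound to the wrong address, a transform set that differs, or a crypto ACL that is not the exact mirror of the other side's. The following Python script is an added example, not material from the CBT Nuggets video or this post: it builds both peers' configurations in the checklist's own syntax (the networks, names and 1.1.1.2 come from the checklist; Router A's address 1.1.1.1 is an assumption, and the config text is constructed for the example), parses them the way IOS lays out a running-config (sub-mode lines indented one space), and reports every mismatch that would stop Phase 1 or Phase 2 from negotiating. It checks only that both sides agree, not that the choices are strong; DH group 2 and SHA-1 were standard in 2013 but are considered weak today.

```python
import re
from ipaddress import IPv4Network

def peer_config(local_net, remote_net, peer_ip):
    """Constructed running-config for one tunnel end, in the checklist's syntax.
    Router A is 1.1.1.1 (an assumption), Router B is 1.1.1.2; the two sides
    should differ only in the peer address and the order of the ACL networks."""
    return f"""\
crypto isakmp policy 100
 encryption aes 128
 authentication pre-share
 group 2
 hash sha
crypto isakmp key 0 SUPERSECRETKEY address {peer_ip}
crypto ipsec transform-set SET-NAME esp-aes 128 esp-sha-hmac
 mode tunnel
ip access-list extended S2S-VPN-TRAFFIC
 permit ip {local_net} 0.0.0.255 {remote_net} 0.0.0.255
crypto map S2S-VPN 100 ipsec-isakmp
 match address S2S-VPN-TRAFFIC
 set peer {peer_ip}
 set pfs group2
 set transform-set SET-NAME
"""

ROUTER_A = peer_config("172.30.2.0", "192.168.1.0", "1.1.1.2")
ROUTER_B = peer_config("192.168.1.0", "172.30.2.0", "1.1.1.1")

OPENERS = [  # top-level commands that open a sub-mode whose lines we collect
    ("policy", re.compile(r"crypto isakmp policy (\d+)$")),
    ("tset", re.compile(r"crypto ipsec transform-set (\S+) (.+)$")),
    ("acl", re.compile(r"ip access-list extended (\S+)$")),
    ("cmap", re.compile(r"crypto map (\S+) \d+ ipsec-isakmp$")),
]
PHASE1 = ("encryption", "hash", "authentication", "group")

def parse_ios_config(text):
    """Extract the elements that must agree between the two peers."""
    cfg = {"policy": {}, "tset": {}, "acl": {}, "cmap": {}, "keys": {}}
    mode = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):            # top-level line: ends any sub-mode
            mode = None
            m = re.match(r"crypto isakmp key 0 (\S+) address (\S+)$", line)
            if m:
                cfg["keys"][m[2]] = m[1]       # PSK indexed by the peer address it is bound to
            for kind, rx in OPENERS:
                m = rx.match(line)
                if m:
                    mode = (kind, m[1])
                    cfg[kind][m[1]] = (
                        {"methods": tuple(m[2].split()), "mode": "tunnel"}
                        if kind == "tset" else set() if kind == "acl" else {})
            continue
        if mode is None:
            continue
        kind, name = mode
        if kind == "policy":                   # "encryption aes 128" -> {"encryption": "aes 128"}
            key, _, val = line.partition(" ")
            cfg["policy"][name][key] = val
        elif kind == "tset" and line.startswith("mode "):
            cfg["tset"][name]["mode"] = line.split()[1]
        elif kind == "acl":
            m = re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)$", line)
            if m:   # ipaddress accepts an IOS wildcard (hostmask) after the slash
                cfg["acl"][name].add((IPv4Network(f"{m[1]}/{m[2]}"), IPv4Network(f"{m[3]}/{m[4]}")))
        elif kind == "cmap":
            m = re.match(r"(match address|set peer|set pfs|set transform-set) (\S+)$", line)
            if m:
                cfg["cmap"][name][m[1]] = m[2]
    return cfg

def check_peer_configs(text_a, text_b):
    """Return a list of mismatches; an empty list means the two sides agree."""
    a, b = parse_ios_config(text_a), parse_ios_config(text_b)
    findings = []
    attrs = lambda p: tuple(p.get(k) for k in PHASE1)
    if not any(attrs(pa) == attrs(pb) for pa in a["policy"].values() for pb in b["policy"].values()):
        findings.append("no compatible ISAKMP policy (encryption/hash/authentication/group)")
    if not a["cmap"] or not b["cmap"]:
        return findings + ["crypto map missing on one side"]
    ma, mb = next(iter(a["cmap"].values())), next(iter(b["cmap"].values()))
    # Each side keys the *other* side's address, and both key strings must be identical.
    key_a, key_b = a["keys"].get(ma.get("set peer")), b["keys"].get(mb.get("set peer"))
    if key_a is None or key_a != key_b:
        findings.append("pre-shared key missing or different for the peer address")
    if ma.get("set pfs") != mb.get("set pfs"):
        findings.append("PFS setting differs")
    if a["tset"].get(ma.get("set transform-set")) != b["tset"].get(mb.get("set transform-set")):
        findings.append("transform sets referenced by the crypto maps differ")
    acl_a = a["acl"].get(ma.get("match address"), set())
    acl_b = b["acl"].get(mb.get("match address"), set())
    if {(dst, src) for src, dst in acl_a} != acl_b:   # B must match A's traffic with the sides swapped
        findings.append("crypto ACLs are not mirror images")
    return findings

if __name__ == "__main__":
    print(check_peer_configs(ROUTER_A, ROUTER_B) or "peers consistent")
```

Feed it the output of show running-config from both routers (the parser keys on the one-space indentation IOS uses for sub-mode lines) and compare the findings against what debug crypto isakmp reports: a policy or pre-shared key finding corresponds to a tunnel stuck before QM_IDLE, while a transform-set or ACL finding corresponds to Phase 1 succeeding and Phase 2 failing. Note that a real running-config abbreviates encryption to encr and omits the default hash sha, so normalise those two lines before parsing if you point the script at live output.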