Contents

Introduction
IKE (Internet Key Exchange)
  Phase 1
  Phase 2
Configuration
  Step 1: Define Interesting Traffic
  Step 2: IKE Phase 1 Parameters
  Step 3: IKE Phase 2 Parameters
  Step 4: Pre-share Key
  Step 5: Crypto Map
Testing

Introduction

Many companies now use IPsec to build site-to-site VPNs over the public Internet, because the cost is very low compared with a dedicated leased line and the configuration is not complicated. An IPsec VPN uses IKE (Internet Key Exchange) to authenticate the peers, negotiate parameters and derive keys, so it is necessary to understand how IKE operates before we start.

IKE (Internet Key Exchange)

IKE has two phases, Phase 1 and Phase 2. How do they help to establish a VPN connection?

Phase 1

The main task of IKE Phase 1 is to authenticate the two peers to each other. For example, I am the Site A router and you claim to be the Site B router that wants to establish a VPN connection with me. How do I confirm you are really Site B? A very easy and common method is a shared secret (pre-shared key): the Site A and Site B routers both know the same password and prove that knowledge to each other. Phase 1 also runs a Diffie-Hellman exchange, from which both sides derive the same keying material without ever sending a key over the wire. That material (combined with the pre-shared key in IKEv1) protects the rest of the IKE conversation and is the basis for the Phase 2 keys. We can say that the job of Phase 1 is to build an authenticated, encrypted channel (the ISAKMP SA) inside which Phase 2 can exchange information. Note that the pre-shared key is used only for authentication, never to encrypt user data, so it should be long and random rather than a dictionary word.

Phase 2

Phase 2 (quick mode) negotiates the actual IPsec security associations that carry the user traffic: which traffic is protected, the transform set (ESP or AH, cipher, integrity algorithm) and the lifetimes. IPsec SAs are unidirectional, so every tunnel ends up with one inbound and one outbound SA, each with its own SPI. Phase 2 runs inside the channel built in Phase 1, so Phase 1 must be established before Phase 2 can start.

Configuration

Now, try to configure Site to Site IPSEC VPN for Site A and Site B.

[Figure: ipsec]

Here are the original settings of the routers. R3 plays the role of the Internet: it only knows the two outside subnets.

hostname R1
!
interface Ethernet0/0
 ip address 192.168.13.1 255.255.255.0
!
interface Ethernet0/1
 ip address 192.168.10.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.13.3

hostname R2
!
interface Ethernet0/0
 ip address 192.168.23.2 255.255.255.0
!
interface Ethernet0/1
 ip address 192.168.20.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.23.3

hostname R3
!
interface Ethernet0/0
 ip address 192.168.13.3 255.255.255.0
!
interface Ethernet0/1
 ip address 192.168.23.3 255.255.255.0

So R1 can reach R2's outside address 192.168.23.2, but it cannot reach 192.168.20.1: R3 has no route to the internal subnets, so it answers each echo with an ICMP unreachable (the U in the ping output below). Assume 192.168.10.0/24 and 192.168.20.0/24 are internal networks that are not routed across R3; the VPN has to carry them inside the tunnel between the two outside addresses.

R1#ping 192.168.23.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/49/92 ms
R1#
R1#ping 192.168.20.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

Step 1: Define Interesting Traffic

Interesting traffic is the traffic that needs to go through the VPN. In this example, the interesting traffic on R1 is from 192.168.10.0/24 to 192.168.20.0/24, and on R2 it is the mirror image, from 192.168.20.0/24 to 192.168.10.0/24. Define it with an extended access list; the two lists must be exact mirrors of each other, otherwise Phase 2 fails with a proxy identity mismatch.

R1(config)#ip access-list extended VPN-Traffic
R1(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
R1(config-ext-nacl)#exit
R2(config)#ip access-list extended VPN-Traffic
R2(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
R2(config-ext-nacl)#exit

Step 2: IKE Phase 1 Parameters

The policy number is a priority (lowest is tried first). The initiator offers its policies and the responder accepts the first one whose encryption, hash, authentication method and DH group match one of its own; the lifetimes do not have to be equal, the shorter value is used.

R1(config)#crypto isakmp policy 1
!encryption: DES, 3DES or AES; AES is the only one of the three still considered strong
R1(config-isakmp)#encryption aes
!hash: SHA (SHA-1) or MD5; SHA is stronger, and newer images also offer sha256/sha384/sha512.
!MD5 is used here only to match the lab, prefer sha256 in production
R1(config-isakmp)#hash md5
!use a Pre-Shared Key to authenticate the peers
R1(config-isakmp)#authentication pre-share
!DH group used to derive the shared secret; group 2 (1024-bit MODP) appears in many older guides
!but is considered too weak today, use group 14 or higher where the image supports it
R1(config-isakmp)#group 2
!lifetime of the Phase 1 (ISAKMP) SA in seconds, default 86400
R1(config-isakmp)#lifetime 30000
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#encryption aes
R2(config-isakmp)#hash md5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 30000

Step 3: IKE Phase 2 Parameters

A transform set picks at most one entry from each category: an AH transform (integrity over the whole packet, including the outer IP header), an ESP cipher, an ESP authentication (integrity) transform, and optionally IP compression. Combining AH and ESP protects both header and payload but costs more CPU and does not work through NAT, because AH authenticates the outer addresses that NAT rewrites. The usual choice today is ESP with its own authentication, for example esp-aes esp-sha-hmac; esp-null gives no confidentiality and DES/3DES are legacy ciphers. The two peers must agree on the transform set. This lab uses esp-3des with ah-sha-hmac, as in the original walk-through.

R1(config)#crypto ipsec transform-set TS ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth
R1(config)#crypto ipsec transform-set TS esp-3des ah-sha-hmac
R2(config)#crypto ipsec transform-set TS esp-3des ah-sha-hmac

Step 4: Pre-share Key

Use ccie as the pre-shared key, bound to the peer's outside address. This is a lab value only: in production use a long random string, because anyone who knows the peer addresses and can guess the key can authenticate as a site. In the commands below, the 6 keyword tells IOS that the string after it is already in type-6 (AES) encrypted form; 0 marks a clear-text key. To have IOS store pre-shared keys encrypted, configure key config-key password-encrypt and password encryption aes first.

R1(config)#crypto isakmp key 6 ccie address 192.168.23.2
R2(config)#crypto isakmp key 6 ccie address 192.168.13.1

Step 5: Crypto Map

Put everything together in a crypto map and apply it to the outside interface. Each crypto map entry (sequence number 1 here) names the peer, the transform set and the access list that selects interesting traffic; ipsec-isakmp means IKE negotiates the SAs rather than using manual keys. An interface can carry only one crypto map, so additional peers go into further sequence numbers of the same map.

R1(config)#crypto map CMAP 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#set peer 192.168.23.2
R1(config-crypto-map)#set transform-set TS
R1(config-crypto-map)#match address VPN-Traffic
R1(config-crypto-map)#exit
R1(config)#interface ethernet 0/0
R1(config-if)#crypto map CMAP
R2(config)#crypto map CMAP 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#set peer 192.168.13.1
R2(config-crypto-map)#set transform-set TS
R2(config-crypto-map)#match address VPN-Traffic
R2(config-crypto-map)#exit
R2(config)#interface ethernet 0/0
R2(config-if)#crypto map CMAP
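For comparison, here is the same five-step configuration for R1 with the legacy parameters used above (MD5, DH group 2, 3DES, AH) replaced by settings that are still considered adequate on current IOS images. This is an added example written for this edit, not the original page's configuration: the policy number 10, the names TS-STRONG and CMAP-STRONG and the key value are arbitrary placeholders, and the keywords hash sha256, group 14, esp-aes 256, esp-sha256-hmac and set pfs group14 are assumed to be available on the image in use (they are on recent 15.x releases). R2's configuration mirrors it with the addresses and ACL directions swapped.

```cisco
! R1: hardened IKEv1 / IPsec site-to-site configuration (added example, assumed names)
!
! Step 1: interesting traffic, must be the exact mirror of R2's entry
ip access-list extended VPN-Traffic
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! Step 2: IKE Phase 1. Weak settings from the walk-through (hash md5, group 2)
! replaced by SHA-256 and the 2048-bit MODP group.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Step 4: pre-shared key bound to the peer address. "0" marks a clear-text key.
! REPLACE-WITH-LONG-RANDOM-SECRET is a placeholder, not a recommended value.
crypto isakmp key 0 REPLACE-WITH-LONG-RANDOM-SECRET address 192.168.23.2
!
! Step 3: IPsec Phase 2. ESP with its own integrity check instead of
! esp-3des + ah-sha-hmac (AH covers the outer IP header and breaks behind NAT).
crypto ipsec transform-set TS-STRONG esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 5: crypto map. PFS forces a fresh DH exchange for every IPsec SA,
! so a compromised Phase 1 key does not expose past Phase 2 keys.
crypto map CMAP-STRONG 10 ipsec-isakmp
 set peer 192.168.23.2
 set transform-set TS-STRONG
 set pfs group14
 match address VPN-Traffic
!
! Only one crypto map per interface: this replaces CMAP from the walk-through.
interface Ethernet0/0
 crypto map CMAP-STRONG
!
! Verification once interesting traffic has been sent:
!   show crypto isakmp policy      (policies actually offered)
!   show crypto isakmp sa          (expect QM_IDLE / ACTIVE)
!   show crypto ipsec sa           (expect esp-aes and esp-sha256-hmac SAs, encaps/decaps counting up)
```

Applying a different crypto map to Ethernet0/0 detaches the old one, so the lab tunnel built with CMAP goes down while this one replaces it; change both routers in the same maintenance window, since a mismatch in any Phase 1 or Phase 2 parameter stops negotiation.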

Testing

Ping from 192.168.10.1 to 192.168.20.1 on R1: success. The first echo is lost (the dot) because IKE Phase 1 and Phase 2 must complete before the first packet can be encrypted, which is normal on a freshly configured tunnel. In the show commands that follow, QM_IDLE with status ACTIVE in show crypto isakmp sa means Phase 1 is complete; in show crypto ipsec sa the four encaps/decaps counters match the four successful echoes and the single send error is the first echo dropped while the SAs were still being negotiated. The separate inbound and outbound ESP and AH SAs, each with its own SPI, are the result of Phase 2.

R1#ping 192.168.20.1 source 192.168.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/72/96 ms

R1#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.23.2    192.168.13.1    QM_IDLE              1    0 ACTIVE

R1#show crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: CMAP, local addr 192.168.13.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 192.168.23.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.13.1, remote crypto endpt.: 192.168.23.2
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0xD2E73BB1(3538369457)

     inbound esp sas:
      spi: 0x80CE4FB7(2161004471)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4531862/3488)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0x490FFB61(1225784161)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4531862/3481)
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD2E73BB1(3538369457)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4531862/3481)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0x4F72667D(1332897405)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4531862/3479)
        replay detection support: Y
        Status: ACTIVE

     outbound pcp sas: