R4---R1(gi0/0)----(gi0/0)R2----R3---R5
Tunnel between R1 and R3
Crypto-Map:
=========
* Crypto-Map is a data-plane filter
* Traffic is matched using ACLs
    - They define the proxy IDs for IPsec phase 2
    - They define what should be encrypted
Applying Crypto-Maps:
----------------------------
* They are applied to physical interfaces
    - Only one crypto map per interface
    - Always outbound with respect to traffic direction
* One crypto map can apply to multiple interfaces
    - Entries are processed top-down until an ACL match occurs
    - Order is important
* Tunnel source defaults to the interface IP
    - Can be changed using the command “crypto map MAP local-address lo0”
* Applied at link level
    - Interface closest to the destination
    - Multiple routes mean multiple interfaces
Crypto-Map Order of Operations:
-----------------------------------------
* Encryption applies after routing
* Encryption applies after NAT
* Crypto, routing and NAT are independent of each other
High Level Configuration Steps:
=======================
>> Define Phase 1 ISAKMP Policy
        crypto isakmp policy 10
>> Define Phase 2 IPsec Policy
>> Apply Crypto Map
>> Generate Interesting Traffic
Phase 1:
---------
* Define Phase 1 ISAKMP Policy
        crypto isakmp policy 10
    -> Authentication
        authentication pre-share
    -> Encryption
        encr aes 192
    -> Hash
        hash sha384
    -> DH group
        group 5
    -> Lifetime
* Applying the ISAKMP peer and pre-shared key is done using:
        crypto isakmp key <pw> address <peer address>
* The responder processes its policies top-down until a match occurs
    - Based on policy priority (lower value, higher precedence)
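How the responder's top-down policy selection works, as an added example (not code from the original notes): policies are tried in ascending priority number and the first whose attributes match the initiator's proposal wins. The policy at priority 20 is a hypothetical weaker fallback I constructed; the lifetime rule (responder accepts a proposal whose lifetime is no longer than its own, the shorter value is used) is Cisco's documented IKEv1 matching rule.

```python
# Added example: ISAKMP (IKEv1 phase 1) policy selection by the responder.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encr: str
    hash_alg: str
    authentication: str
    group: int
    lifetime: int = 86400  # IOS default ISAKMP lifetime, seconds


def select_policy(responder_policies: Iterable[IsakmpPolicy],
                  proposal: IsakmpPolicy) -> Optional[IsakmpPolicy]:
    """Return the first responder policy (lowest priority number) that
    matches the initiator's proposal, or None if phase 1 would fail."""
    for pol in sorted(responder_policies, key=lambda p: p.priority):
        if (pol.encr, pol.hash_alg, pol.authentication, pol.group) != (
                proposal.encr, proposal.hash_alg,
                proposal.authentication, proposal.group):
            continue  # attributes must match exactly
        # Lifetime need not be identical: the responder accepts a proposal
        # whose lifetime is <= its own, and the shorter value is then used.
        if proposal.lifetime > pol.lifetime:
            continue
        return pol
    return None


# Constructed responder policies: the notes' policy 10 plus a hypothetical
# weaker fallback at priority 20 (lower number is tried first).
RESPONDER = [
    IsakmpPolicy(20, "3des", "sha", "pre-share", 2),
    IsakmpPolicy(10, "aes 192", "sha384", "pre-share", 5),
]

if __name__ == "__main__":
    proposal = IsakmpPolicy(10, "aes 192", "sha384", "pre-share", 5)
    print(select_policy(RESPONDER, proposal))
```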
Phase 2 & Applying Cryptomap:
----------------------------------------
* Define Phase 2 IPsec Policy
        crypto map MAP1 10 ipsec-isakmp
    -> Who: define the peer address or hostname
        set peer 20.1.1.2
    -> What: define the proxy ACL
        match address R1
    -> How: define the transform set
        set transform-set ESP_AES_192_SHA1
Defining the transform set:
        crypto ipsec transform-set ESP_AES_192_SHA1 esp-aes 192 esp-sha-hmac
         mode tunnel
Generate Interesting Traffic:
----------------------------------
ip access-list extended R1
 permit ip 5.1.1.0 0.0.0.255 25.1.1.0 0.0.0.255
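The top-down crypto map entry selection and proxy ACL matching described above, as an added example (not code from the original notes): entries are walked in ascending sequence number and the first whose ACL permits the packet decides the peer, so a broad entry placed first shadows a more specific one. The ACL ANY5, the entry at sequence 20 and the peer 20.1.1.3 are hypothetical values I constructed; ACL R1 and MAP1 10 come from the notes.

```python
# Added example: which crypto map entry (and therefore which peer) a packet
# hits, using IOS wildcard masks (a 1 bit in the mask means "don't care").
import ipaddress
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)  # compare only the bits not masked out


# Access control entry: (action, protocol, src, src_wildcard, dst, dst_wildcard)
AclEntry = Tuple[str, str, str, str, str, str]


def acl_permits(acl: List[AclEntry], proto: str, src: str, dst: str) -> bool:
    """First matching ACE decides; an extended ACL ends with an implicit deny."""
    for action, p, s, sw, d, dw in acl:
        if p in ("ip", proto) and wildcard_match(src, s, sw) \
                and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


def select_crypto_map_entry(crypto_map: List[Tuple[int, str, str]],
                            acls: Dict[str, List[AclEntry]],
                            proto: str, src: str, dst: str
                            ) -> Optional[Tuple[int, str]]:
    """crypto_map entries are (seq, acl_name, peer). Returns (seq, peer) of the
    first entry whose ACL permits the packet, or None: no match means the
    packet leaves the interface unencrypted."""
    for seq, acl_name, peer in sorted(crypto_map, key=lambda e: e[0]):
        if acl_permits(acls[acl_name], proto, src, dst):
            return seq, peer
    return None


# Constructed tables: the notes' ACL R1 / MAP1 10, plus a hypothetical broader
# ACL ANY5 at sequence 20 toward a second peer.
ACLS = {
    "R1":   [("permit", "ip", "5.1.1.0", "0.0.0.255", "25.1.1.0", "0.0.0.255")],
    "ANY5": [("permit", "ip", "5.1.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")],
}
MAP1 = [(10, "R1", "20.1.1.2"), (20, "ANY5", "20.1.1.3")]

if __name__ == "__main__":
    print(select_crypto_map_entry(MAP1, ACLS, "tcp", "5.1.1.7", "25.1.1.9"))
```

Renumbering the ANY5 entry below 10 would make it shadow R1 for every 5.1.1.0/24 source, which is the "order is important" point from the crypto map notes.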
Default Policies:
--------------------
* IOS includes default fallback policies
* It has both default ISAKMP and IPsec policies
* They can be disabled using “no crypto isakmp default policy” and “no crypto ipsec transform-set default”
* Both are active until user-configured values are applied
Full Configuration:
===============
=============================
crypto isakmp policy 10
 encr aes 192
 hash sha384
 authentication pre-share
 group 5
crypto isakmp key cisco address 20.1.1.2
! **PHASE 1** ends here
====================================
crypto map MAP1 10 ipsec-isakmp
 set peer 20.1.1.2
 set transform-set ESP_AES_192_SHA1
 match address R1
crypto ipsec transform-set ESP_AES_192_SHA1 esp-aes 192 esp-sha-hmac
 mode tunnel
ip access-list extended R1
 permit ip 5.1.1.0 0.0.0.255 25.1.1.0 0.0.0.255
! **PHASE 2** ends here
====================================
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map MAP1
end
SHOW Commands:
===============
* show crypto isakmp sa --- result of phase 1 negotiation
* debug crypto isakmp --- step-by-step phase 1 negotiation
* show crypto ipsec sa --- result of phase 2 negotiation
* debug crypto ipsec --- step-by-step phase 2 negotiation
* show crypto isakmp policy
* show crypto isakmp key
* show crypto ipsec transform-set
* show crypto debug-condition
* show crypto map interface
GRE With IPSEC:
=============
crypto isakmp policy 10
 encr aes 192
 hash sha384
 authentication pre-share
 group 5
crypto isakmp key cisco address 3.3.3.3
!
crypto ipsec transform-set ESP_SA esp-aes 192
 mode tunnel
!
crypto map MAP1 local-address Loopback0
crypto map MAP1 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set ESP_SA
 match address GRE
!
interface Tunnel0
 ip address 13.1.1.1 255.255.255.0
 ip mtu 1416
 tunnel source Loopback0
 tunnel destination 3.3.3.3
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf 1 area 0
 crypto map MAP1
!
ip access-list extended GRE
 permit gre any any
IPSEC VTI:
========
crypto isakmp policy 10
 encr aes 192
 hash sha384
 authentication pre-share
 group 5
crypto isakmp key cisco address 3.3.3.3
!
crypto ipsec profile PFI
 set transform-set ESP_SA
!
crypto map MAP1 local-address Loopback0
!
interface Tunnel0
 ip address 13.1.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination 3.3.3.3
 tunnel protection ipsec profile PFI
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf 1 area 0
 media-type gbic
 speed 1000
 duplex full
 negotiation auto
end