Thursday 29 October 2015

IPSEC Configuration (CLI)


R4---R1(gi0/0)----(gi0/0)R2----R3---R5

Tunnel between R1 and R3


Crypto-Map:
=========
*Crypto-Map is a data-plane filter
*Traffic is matched using ACLs
            - They define the proxy IDs for IPsec phase 2
            - i.e. what should be encrypted

Applying Crypto-Maps:
----------------------------

*They are applied to physical interfaces
            - Only one crypto map per interface
            - Always outbound with respect to traffic direction

*One crypto map can apply to multiple interfaces
            - Entries are processed top-down until an ACL match occurs
            - Order is important
*Tunnel source defaults to the interface IP
            - Can be changed using the command “crypto map MAP local-address Loopback0”
*Applied at link level
            - Interface closest to the destination
            - Multiple routes means multiple interfaces

Crypto-Map Order of Operations:
-----------------------------------------
*Encryption applies after routing
*Encryption applies after NAT
*Crypto, routing and NAT are independent of each other

High Level Configuration Steps:
=======================

>> Define Phase 1 ISAKMP Policy
            crypto isakmp policy 10
>> Define Phase 2 IPsec Policy
>> Apply Crypto Map
>> Generate Interesting Traffic

Phase 1:
---------

*Define Phase 1 ISAKMP Policy
            crypto isakmp policy 10

->Authentication
            authentication pre-share
->Encryption
            encr aes 192
->Hash
            hash sha384
->DH group
            group 5
->Lifetime

*The ISAKMP peer and its pre-shared key are configured with:
            crypto isakmp key <pw> address <peer address>

*Policies are processed top-down by the responder until a match occurs
            - Based on policy priority (lower value, higher precedence)


Phase 2 & Applying Cryptomap:
----------------------------------------

* Define Phase 2 IPsec Policy
            crypto map MAP1 10 ipsec-isakmp
-> Who – Define peer address, hostname
            set peer 20.1.1.2
-> What – Define Proxy-ACL
            match address R1
-> How – Define Transform set
            set transform-set ESP_AES_192_SHA1

Defining Transform-set:

crypto ipsec transform-set ESP_AES_192_SHA1 esp-aes 192 esp-sha-hmac
 mode tunnel

Generate Interesting Traffic:
----------------------------------
ip access-list extended R1
 permit ip 5.1.1.0 0.0.0.255 25.1.1.0 0.0.0.255
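The outbound crypto map lookup described above (entries walked top-down, first proxy ACL permit wins) and the IOS wildcard-mask match behind it, modelled in Python as an added example that is not part of the original post; ACL R1 is the page's, while the GRE entry in MAP1 and the packet addresses are constructed to show that entry order matters and that the return direction is not covered on this router (the peer's ACL has to mirror it).

```python
import ipaddress

def _addr_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_ace(line):
    """'permit ip 5.1.1.0 0.0.0.255 25.1.1.0 0.0.0.255' -> (action, proto, src, swc, dst, dwc)."""
    action, proto, *rest = line.split()
    src, swc, rest = _addr_spec(rest)
    dst, dwc, _ = _addr_spec(rest)
    return action, proto, src, swc, dst, dwc

def wildcard_match(addr, net, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

def acl_verdict(acl, proto, src, dst):
    """First matching ACE decides; a crypto ACL with no match behaves as deny."""
    for action, p, s, swc, d, dwc in acl:
        if p in ("ip", proto) and wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"

def select_crypto_map_entry(crypto_map, acls, proto, src, dst):
    """Walk the entries in sequence order, as IOS does for traffic leaving the interface.
    A permit in an entry's proxy ACL selects that entry and its peer; a deny or no
    match means 'not this entry' and the next one is tried. Returns (seq, peer) or None."""
    for seq, peer, acl_name in sorted(crypto_map):
        if acl_verdict(acls[acl_name], proto, src, dst) == "permit":
            return seq, peer
    return None  # not interesting traffic: forwarded in the clear

# Constructed sample: this page's ACL R1, plus a GRE entry to show that order matters.
ACLS = {
    "R1": [parse_ace("permit ip 5.1.1.0 0.0.0.255 25.1.1.0 0.0.0.255")],
    "GRE": [parse_ace("permit gre any any")],
}
MAP1 = [(10, "20.1.1.2", "R1"), (20, "3.3.3.3", "GRE")]

if __name__ == "__main__":
    print(select_crypto_map_entry(MAP1, ACLS, "ip", "5.1.1.1", "25.1.1.9"))  # (10, '20.1.1.2')
    print(select_crypto_map_entry(MAP1, ACLS, "ip", "25.1.1.9", "5.1.1.1"))  # None: not mirrored here
```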

Default Policies:
--------------------

*IOS includes default fallback policies
*There is both a default ISAKMP policy and a default IPsec transform set.
*They can be disabled using “no crypto isakmp default policy” and “no crypto ipsec default transform-set”
*Both stay active until user-configured values are applied


Full Configuration:
===============

! ---- PHASE 1 (ISAKMP) ----
crypto isakmp policy 10
 encr aes 192
 hash sha384
 authentication pre-share
 group 5
crypto isakmp key cisco address 20.1.1.2
!
! ---- PHASE 2 (IPsec) ----
crypto map MAP1 10 ipsec-isakmp
 set peer 20.1.1.2
 set transform-set ESP_AES_192_SHA1
 match address R1
crypto ipsec transform-set ESP_AES_192_SHA1 esp-aes 192 esp-sha-hmac
 mode tunnel
!
ip access-list extended R1
 permit ip 5.1.1.0 0.0.0.255 25.1.1.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map MAP1
end


SHOW Commands:
===============


* show crypto isakmp sa --- result of the phase 1 negotiation
* debug crypto isakmp --- step-by-step phase 1 negotiation
* show crypto ipsec sa --- result of the phase 2 negotiation
* debug crypto ipsec --- step-by-step phase 2 negotiation
* show crypto isakmp policy
* show crypto isakmp key
* show crypto ipsec transform-set
* show crypto debug-condition

* show crypto map interface


GRE With IPSEC:
=============

crypto isakmp policy 10
 encr aes 192
 hash sha384
 authentication pre-share
 group 5
crypto isakmp key cisco address 3.3.3.3
!
crypto ipsec transform-set ESP_SA esp-aes 192
 mode tunnel
!
crypto map MAP1 local-address Loopback0
crypto map MAP1 10 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set ESP_SA
 match address GRE

interface Tunnel0
 ip address 13.1.1.1 255.255.255.0
 ip mtu 1416
 tunnel source Loopback0
 tunnel destination 3.3.3.3

interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf 1 area 0
 crypto map MAP1

ip access-list extended GRE
 permit gre any any

IPSEC VTI:
========

crypto isakmp policy 10
 encr aes 192
 hash sha384
 authentication pre-share
 group 5
crypto isakmp key cisco address 3.3.3.3

crypto ipsec profile PFI
 set transform-set ESP_SA

crypto map MAP1 local-address Loopback0

interface Tunnel0
 ip address 13.1.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination 3.3.3.3
 tunnel protection ipsec profile PFI
!

interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf 1 area 0
 media-type gbic
 speed 1000
 duplex full
 negotiation auto
end

