the data and then closing the connection:
- Data Transfer: After IKE Phase 2 is complete and quick mode has established the IPsec SAs, traffic is exchanged between Host A and Host B through a secure tunnel, as shown in the figure. Interesting traffic is encrypted and decrypted according to the security services that are specified in the IPsec SA.
- IPsec Tunnel Termination: IPsec SAs terminate through deletion or by timing out. An SA can time out when a specified number of seconds has elapsed or when a specified number of bytes has passed through the tunnel. When the SAs terminate, the keys are also discarded. When subsequent IPsec SAs are needed for a flow, IKE performs a new Phase 2 negotiation and, if necessary, a new Phase 1 negotiation. A successful negotiation results in new SAs and new keys. New SAs are usually established before the existing SAs expire so that a given flow can continue uninterrupted. The figure shows the tunnel termination process.
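The two kinds of timeout described above (elapsed seconds and bytes carried) correspond to the IPsec SA lifetime settings on a Cisco IOS router. The following is an added example, not configuration from the page; the lifetime values are assumptions chosen for illustration, and the crypto map and policy numbers are placeholders.

```cisco
! Added example (not from the page): configuring the two SA timeouts the
! text describes. Values are assumptions; the IOS defaults are
! 3600 seconds and 4,608,000 kilobytes.
!
! Global IPsec (Phase 2) SA lifetime. Whichever limit is reached first
! expires the SA; IKE negotiates a replacement before that happens so
! the flow continues uninterrupted.
crypto ipsec security-association lifetime seconds 1800
crypto ipsec security-association lifetime kilobytes 2560000
!
! The same limits can be set per crypto map entry; they override the
! global values for that entry only. The rest of the entry (peer,
! transform set, crypto ACL) is configured separately.
crypto map VPN_To_R2 10 ipsec-isakmp
 set security-association lifetime seconds 900
 set security-association lifetime kilobytes 1024000
!
! The IKE Phase 1 (ISAKMP) SA has its own lifetime inside the ISAKMP
! policy (seconds; default 86400).
crypto isakmp policy 10
 lifetime 43200
!
! From privileged EXEC mode: inspect remaining lifetime and byte counters
! of the active SAs, and force termination to observe a fresh negotiation.
! show crypto ipsec sa
! show crypto isakmp sa
! clear crypto sa
! clear crypto isakmp
```

Shorter lifetimes limit how much traffic is protected under one key and how long a compromised key stays useful, at the cost of more frequent renegotiation; the Phase 2 lifetime is normally kept shorter than the Phase 1 lifetime so that new IPsec SAs can be derived without a full Phase 1 exchange.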
3.3 Implementing Site-to-Site IPsec VPN Operations

3.3.5 Configuring a Site-to-Site IPsec VPN

The figure lists the required steps to configure a site-to-site IPsec VPN:
- Step 1: Configure the ISAKMP policy that is required to establish an IKE tunnel.
- Step 2: Define the IPsec transform set. The transform set defines the parameters for the IPsec tunnel, such as the encryption and integrity algorithms.
- Step 3: Create a crypto access control list (ACL). The crypto ACL identifies the traffic to be forwarded through the IPsec tunnel.
- Step 4: Create a crypto map. The crypto map combines the previously configured parameters and defines the IPsec peer device.
- Step 5: Apply the crypto map to the outgoing interface of the VPN device.
- Step 6: Configure an ACL and apply it to the interface. Typically, edge routers are configured with restrictive ACLs that could inadvertently block the IKE or IPsec protocols.
Step 1: Establish an IKE Policy

The first step in configuring a site-to-site IPsec VPN is establishing an ISAKMP policy. Various IKE policy parameters can be configured, including the key distribution method, encryption algorithm, hash algorithm, authentication method, key exchange, and IKE security association lifetime value. The figure displays a sample configuration of the ISAKMP parameters. In the example, the key parameters configured are pre-shared key authentication, SHA hashing, AES encryption, and DH group 2. Also, the ISAKMP key “SeCrEt” has been configured and associated with the IPsec peer.

Note: Only values other than the default must be configured. Default and configured values can be verified using the show crypto isakmp policy command.

Steps 2, 3, and 4: Define a Crypto Map
The figure displays the next three steps: configuring an IPsec transform set, a crypto access list, and a crypto map. The configuration defines the crypto ACL. This ACL contains a “permit” entry for the traffic that should be sent into the IPsec tunnel. Packets that do not match are not encrypted, but they are not dropped either.

Note: Traffic that does not match, that is, traffic that is not interesting and should not be sent through the IPsec tunnel, is not simply dropped. This traffic is forwarded according to the normal routing policy.

The transform set AES-SHA configures the IPsec parameters. Crypto map entries that are created for IPsec combine the various parts that are used to set up IPsec SAs, including the following:
- Which traffic should be protected by IPsec (per a crypto ACL)
- The granularity of the flow to be protected by a set of SAs
- Where IPsec-protected traffic should be sent (who the remote IPsec peer is)
- The local address to use for the IPsec traffic (optional)
- What IPsec security should be applied to this traffic (selecting from a list of one or more transform sets)
After the parameters are defined, they are combined in the crypto map configuration. The crypto map (for example, VPN_To_R2) maps the configured ACL 101 to the transform set (AES-SHA). Additionally, the map defines the IP address of the IPsec peer. Crypto map entries with the same crypto map name (but different map sequence numbers) are grouped into a crypto map set.

Step 5: Apply the Crypto Map to the Interface
Apply the crypto map to the outgoing interface of the VPN tunnel. All IP traffic that passes through the interface where the crypto map is applied is evaluated against the applied crypto map set. If a crypto map entry identifies outbound IP traffic that should be protected and the crypto map specifies the use of IKE, an SA is negotiated with the remote peer according to the parameters listed in the crypto map entry. The example also includes a static route for packets that are to be sent into the tunnel.

Step 6: Apply an ACL to the Interface
As previously mentioned, edge routers are configured with restrictive ACLs and usually permit only VPN traffic into the internal network. Therefore, all other traffic is usually denied. The figure lists VPN-related ports to consider when building an ACL for the outgoing interface. To block traffic, you can define an ACL and apply it to all incoming packets on your IPsec interface. In this case you only have to permit the IPsec protocols (IP protocol 50 for ESP and/or IP protocol 51 for Authentication Header [AH]) and IKE (User Datagram Protocol [UDP] port 500). The example in the figure displays part of ACL 102, which permits only the AH, ESP, and ISAKMP protocols. The protocol keyword esp equals the ESP protocol (number 50), the keyword ahp equals the AH protocol (number 51), and the isakmp keyword equals UDP port 500. If any dynamic routing is done on the interface, ensure that you permit the routing traffic. Also, if other types of traffic are allowed inbound on the interface, the ACL requires the appropriate statements.

The IPsec Network Address Translation Traversal (NAT-T) feature is required for passing IPsec traffic through devices that use NAT or Port Address Translation (PAT). NAT-T works by wrapping (encapsulating) the IPsec packet in a UDP header. Additional ACL entries are required when using NAT-T. Use the following steps to add the entries that support NAT-T:
- Step 1: Examine the current ACL configuration at the perimeter router to determine whether the ACL will block IPsec traffic.
- Step 2: Add ACL entries to permit IPsec traffic. To do this, copy the existing ACL configuration and paste it into a text editor, complete the revisions, and put the ACL back into the configuration.
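The six steps above, written out as one Cisco IOS configuration for router R1. This is an added example, not the configuration shown in the page's figures: the interface name, the peer and LAN addresses, and the subnets protected are assumptions, while the names VPN_To_R2, AES-SHA, ACL 101, ACL 102, and the key SeCrEt are the ones the text uses. The NAT-T entry relies on NAT-T using UDP port 4500, which this page does not state.

```cisco
! Added example (not from the page): site-to-site IPsec VPN on R1.
! Assumed topology: R1 outside 10.0.0.1/30, peer R2 10.0.0.2,
! LAN 192.168.1.0/24 behind R1, LAN 192.168.2.0/24 behind R2.
!
! Step 1: ISAKMP (IKE Phase 1) policy. Only non-default values need to
! be set; confirm the result with "show crypto isakmp policy".
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
! Pre-shared key bound to the peer's address. The page's key is kept for
! illustration; a long random value belongs here in a real deployment.
crypto isakmp key SeCrEt address 10.0.0.2
!
! Step 2: IPsec transform set (ESP with AES encryption, SHA-HMAC integrity).
! Tunnel mode is the default and is written out only for clarity.
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! Step 3: crypto ACL. "permit" marks interesting traffic; packets that do
! not match are routed normally in the clear, not dropped.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Step 4: crypto map tying ACL 101, transform set AES-SHA and the peer
! together. Entries with the same name form one crypto map set.
crypto map VPN_To_R2 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set AES-SHA
 match address 101
!
! Step 5: apply the crypto map to the outgoing interface, and route the
! remote LAN toward the peer so that its packets reach that interface.
interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.252
 crypto map VPN_To_R2
!
ip route 192.168.2.0 255.255.255.0 10.0.0.2
!
! Step 6: restrictive inbound ACL on the same interface that still admits
! AH (protocol 51), ESP (protocol 50) and ISAKMP (UDP 500) from the peer.
! The last entry is the NAT-T addition: NAT-T carries IKE and ESP inside
! UDP 4500, which IOS names with the keyword non500-isakmp.
access-list 102 permit ahp host 10.0.0.2 host 10.0.0.1
access-list 102 permit esp host 10.0.0.2 host 10.0.0.1
access-list 102 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
access-list 102 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
! Add routing-protocol permits here if dynamic routing runs on this link;
! everything else is dropped by the implicit deny at the end of the ACL.
interface Serial0/0/0
 ip access-group 102 in
!
! Verification from privileged EXEC mode:
! show crypto map
! show crypto ipsec transform-set
! show crypto ipsec sa
```

R2 carries the mirror image of this configuration: its ISAKMP key and crypto map point at 10.0.0.1, its crypto ACL swaps the source and destination subnets, and its ACL 102 swaps the host addresses. Because the inbound ACL is evaluated on the encrypted packets, any protected traffic that does not match ESP, AH, or the two IKE ports will never reach the crypto map, which is the misconfiguration the text warns about in Step 6.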
3.4 Configuring IPsec Site-to-Site VPN Using SDM

3.4.1 Cisco SDM Features

Cisco Router and Security Device Manager (SDM) is an easy-to-use, Internet browser-based device management tool. SDM simplifies router and security configuration by using intelligent wizards that enable customers and partners to quickly and easily deploy, configure, and monitor a Cisco access router. SDM meets the needs of resellers and network administrators of small and medium businesses who are proficient in LAN fundamentals and basic network design but have little or no experience with the Cisco IOS command-line interface (CLI) or may not be security experts. SDM also assists advanced users. SDM contains several timesaving tools and wizards, including an access control list (ACL) editor, a VPN crypto map editor, a Cisco IOS CLI preview, and many more features. SDM has a unique Security Audit wizard that provides a comprehensive router security audit. SDM uses Cisco Technical Assistance Center (TAC)- and Internet Computer Security Association (ICSA)-recommended security configurations as the basis for comparisons and default settings. Other intelligent Cisco wizards are available in SDM for these three tasks:
- Autodetecting misconfigurations and proposing