Standard [3DES], Advanced Encryption Standard [AES], or Software Encryption Algorithm [SEAL]), Hashed Message Authentication Code (HMAC) (Secure Hash Algorithm 1 [SHA-1] or Message Digest 5 [MD5]), IKE authentication method (pre-shared secret keys or digital certificates), DH group (1, 2, or 5), and IKE lifetime
IPsec transform sets: Encryption algorithm (DES, 3DES, AES, or SEAL), HMAC (SHA-1 or MD5), mode of operation (tunnel or transport), and compression
Traffic to protect: Defining single source and destination subnets or an ACL for more complex VPNs
Content 3.4 Configuring IPsec Site-to-Site VPN Using SDM
3.4.5 Using the Step-by-Step Wizard

Configuring Connection Settings

Figure shows the first task in the step-by-step setup, configuring connection settings:

Step 1 Choose the outside interface that will be used for traffic going to the IPsec peer over the untrusted network.
Step 2 Specify the IP address of the peer. This is the reachable next-hop address, not the address of the internal LAN interface.
Step 3 Choose the authentication method (either Pre-shared keys or Digital Certificates) and specify the credentials. Use long and random pre-shared keys to prevent brute-force and dictionary attacks against IKE.
Step 4 Click the Next button to proceed to the next task.

Configuring IKE Proposals
The second task in the step-by-step setup is to configure IKE proposals using the screen shown in Figure:

Step 1 SDM predefines a default IKE proposal. You can use this IKE proposal (and skip Step 2) or add new proposals.
Step 2 If you want to use a custom IKE proposal, create one by clicking the Add button and specifying the required parameters:
- IKE proposal priority
- Encryption algorithm
- HMAC
- IKE authentication method
- DH group
- IKE lifetime
Step 3 When you finish adding IKE policies, click the Next button to proceed to the next task.

Configuring the Transform Set

The third task in the step-by-step setup is configuring a transform set using the screen shown in Figure:

Step 1 There is a default IPsec transform set that is predefined by SDM. You can use this transform set (and skip Step 2) or add new transform sets.
Step 2 If you want to use a custom IPsec transform set, create one by clicking the Add button and specifying these parameters:
- Transform set name
- Encryption algorithm
- HMAC
- Mode of operation
- Optional compression
Step 3 When finished, click the Next button to proceed to the next task.
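The parameter lists above map directly onto a configuration review. As an added example that is not part of the course material or of SDM, the Python below audits IKE proposals and transform sets built from those fields against a policy (an assumption of this example) that treats DES, MD5 and DH group 1 as legacy choices, and applies the "long and random" pre-shared key advice as a length and character-class heuristic; the proposals and transform set are constructed samples.

```python
import re

# Policy assumed by this example (not an SDM setting): these entries from the
# wizard's option lists are treated as legacy and flagged.
LEGACY_ENCRYPTION = {"DES"}
LEGACY_HMAC = {"MD5"}
LEGACY_DH_GROUPS = {1}

def psk_is_strong(psk: str, min_len: int = 20) -> bool:
    """Heuristic for 'long and random': minimum length and three character classes."""
    classes = sum(bool(re.search(p, psk))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(psk) >= min_len and classes >= 3

def _check_algorithms(encryption: str, hmac: str) -> list[str]:
    """Findings shared by IKE proposals and IPsec transform sets."""
    findings = []
    if encryption.upper() in LEGACY_ENCRYPTION:
        findings.append(f"encryption {encryption} is a legacy cipher")
    if hmac.upper() in LEGACY_HMAC:
        findings.append(f"HMAC {hmac} is a legacy hash")
    return findings

def check_ike_proposal(proposal: dict) -> list[str]:
    """Return findings for one IKE proposal; an empty list means none."""
    findings = _check_algorithms(proposal["encryption"], proposal["hmac"])
    if proposal["dh_group"] in LEGACY_DH_GROUPS:
        findings.append(f"DH group {proposal['dh_group']} is a legacy group")
    if proposal["authentication"] == "pre-shared" and not psk_is_strong(proposal.get("psk", "")):
        findings.append("pre-shared key is short or has too little variety")
    return findings

def check_transform_set(tset: dict) -> list[str]:
    """Return findings for one IPsec transform set (name, encryption, HMAC, mode)."""
    findings = _check_algorithms(tset["encryption"], tset["hmac"])
    if tset["mode"] not in ("tunnel", "transport"):
        findings.append(f"unknown mode of operation {tset['mode']!r}")
    return findings

# Constructed sample input: one hardened proposal, one legacy proposal, one transform set.
SAMPLE_PROPOSALS = [
    {"priority": 1, "encryption": "AES", "hmac": "SHA-1", "authentication": "pre-shared",
     "dh_group": 5, "lifetime": 86400, "psk": "Kq7#vT2m!pR9xL4w@Zc8bN"},
    {"priority": 2, "encryption": "DES", "hmac": "MD5", "authentication": "pre-shared",
     "dh_group": 1, "lifetime": 86400, "psk": "cisco"},
]
SAMPLE_TRANSFORM_SET = {"name": "ESP-AES-SHA", "encryption": "AES", "hmac": "SHA-1",
                        "mode": "tunnel", "compression": False}
```

Running `check_ike_proposal` over each entry of `SAMPLE_PROPOSALS` returns no findings for the first and four for the second.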
Identifying the Traffic to Protect

There are two options available to define the traffic that you want to protect. You can use the simple mode, which protects traffic between one pair of IP subnets, or you can use an ACL.

Option 1: Simple Mode (Single Source and Destination Subnet)

To protect traffic between a particular pair of IP subnets, follow these steps as shown in Figure:
Step 1 Click the Protect all traffic between the following subnets radio button.
Step 2 Under Local Network, enter the IP address and subnet mask of the local network where IPsec traffic originates.
Step 3 Under Remote Network, enter the IP address and subnet mask of the remote network where IPsec traffic is sent.

Option 2: Using an ACL

Alternatively, you can use an ACL to define a more complex set of proxy identities to protect traffic, as shown in Figure. To specify an IPsec rule that defines the traffic types to protect, follow these steps:
Step 1 Click the Create/Select an access-list for IPSec traffic radio button.
Step 2 Click the ... button on the right side of the ACL field to choose an existing ACL or create a new one.
Step 3 If the ACL that you want to use already exists, choose the Select an existing rule (ACL) option. If you want to create a new ACL, choose the Create a new rule (ACL) and select option.

When creating a new ACL to define traffic that needs protection, use the Add a Rule window shown in Figure and follow these steps:
Step 1 Give the access rule a name and description in the appropriate fields.
Step 2 Click the Add button to start adding rule entries. The Add an Extended Rule Entry window appears.

Figure shows the screen you will use to configure a new rule entry:
Step 1 Under Action, select an action from the drop-down menu and write a description of the rule entry in the Description field.
Step 2 Each rule entry defines one pair of source and destination addresses or networks. Enter the type, IP address, and wildcard mask for each network under the Source Host/Network and Destination Host/Network sections.
Note: You must use wildcard bits instead of subnet masks.
Step 3 Optionally, you can provide protection for individual Open Systems Interconnection (OSI) Layer 4 protocols by selecting the required protocol radio button (TCP or UDP) and the required port numbers under Protocol and Service. If the rule applies to all IP traffic, leave the default radio button setting (IP).

Again, a summary of the configuration is displayed. If necessary, click the Back button to go back and modify or correct the configuration. Click the Finish button to complete the configuration.
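To make the wildcard-bits note and the crypto ACL concrete, here is an added Python example (not part of the course material or of SDM) that converts a subnet mask to wildcard bits, builds the extended ACL entries the rule entry window describes, and produces the mirror-image ACL the peer router needs; the ACL name, networks and port are constructed samples.

```python
from __future__ import annotations
import ipaddress

def wildcard_from_mask(subnet_mask: str) -> str:
    """Convert a dotted subnet mask into the wildcard bits the rule entry window expects.
    IPv4Network rejects non-contiguous masks such as 255.0.255.0 with a ValueError."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{subnet_mask}").hostmask)

def acl_entry(src: str, dst: str, protocol: str = "ip",
              src_port: int | None = None, dst_port: int | None = None) -> str:
    """One permit entry: protocol, source network + wildcard, destination network + wildcard.
    strict=True raises ValueError if an address has host bits set for its mask."""
    s = ipaddress.ip_network(src, strict=True)
    d = ipaddress.ip_network(dst, strict=True)
    if (src_port or dst_port) and protocol not in ("tcp", "udp"):
        raise ValueError("port numbers apply only to TCP or UDP entries")
    parts = ["permit", protocol, str(s.network_address), str(s.hostmask)]
    if src_port:
        parts += ["eq", str(src_port)]
    parts += [str(d.network_address), str(d.hostmask)]
    if dst_port:
        parts += ["eq", str(dst_port)]
    return " " + " ".join(parts)

def crypto_acl(name: str, rules: list[dict]) -> list[str]:
    """Extended ACL as IOS configuration lines; each rule holds acl_entry's keyword arguments."""
    return [f"ip access-list extended {name}"] + [acl_entry(**r) for r in rules]

def mirror_rules(rules: list[dict]) -> list[dict]:
    """The peer's ACL is the mirror image: local and remote (and their ports) swap places."""
    return [{**r, "src": r["dst"], "dst": r["src"],
             "src_port": r.get("dst_port"), "dst_port": r.get("src_port")} for r in rules]

# Constructed sample: protect one subnet pair plus HTTPS to a single remote host.
SAMPLE_RULES = [
    {"src": "10.1.1.0/24", "dst": "10.2.2.0/24"},
    {"src": "10.1.1.0/24", "dst": "10.2.2.10/32", "protocol": "tcp", "dst_port": 443},
]

if __name__ == "__main__":
    print("\n".join(crypto_acl("VPN-TRAFFIC", SAMPLE_RULES)))
    print("! peer side")
    print("\n".join(crypto_acl("VPN-TRAFFIC", mirror_rules(SAMPLE_RULES))))
```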
Content 3.4 Configuring IPsec Site-to-Site VPN Using SDM
3.4.6 Test, Monitor, and Troubleshoot Tunnel Configuration and Operation

After the site-to-site tunnel has been created, you can immediately see the tunnel’s status by clicking the Edit Site to Site VPN tab on the Configure page of the Site to Site VPN wizard. The screen shown in Figure appears. You can click the Test Tunnel button to run a test to determine whether the tunnel configuration is correct. Clicking the Generate Mirror button generates a mirroring configuration that you can use to configure the router on the other end of the tunnel. This is useful if the router on the other end of the tunnel does not have Cisco SDM and you have to use the CLI to configure the tunnel.

Monitor Tunnel Operation

The monitoring page, shown in Figure, displays the status of the tunnel. To see all IPsec tunnels, their parameters, and status, follow this procedure:
Step 1 Click the Monitor icon in the top navigation bar.
Step 2 Click the VPN Status icon in the left vertical navigation bar.
Step 3 Click the IPSec Tunnels tab.

Test and Monitor Tunnel Configuration and Operation

Use the show commands to determine the status of IPsec VPN connections. Figure shows the sample output from the show crypto isakmp sa command after IKE negotiations have been successfully completed between two peers. Figure shows the sample output for the show crypto ipsec sa command.

Troubleshooting

Use a terminal to connect to the Cisco IOS router if you want to use debugging commands to troubleshoot VPN connectivity. The debug crypto isakmp EXEC command displays detailed information about the IKE Phase 1 and Phase 2 negotiation processes.
Content 3.5 Configuring GRE Tunnels over IPsec
3.5.1 Generic Routing Encapsulation

Generic routing encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling using GRE allows network expansion across a single-protocol backbone environment. Routing protocols that are used across the tunnel