IPsec Configuration

· Through the use of tunneling, it is possible to establish secure connections between remote users over a public TCP/IP network, such as the Internet. Each such secure connection is called a tunnel.

· For the purpose of creating and managing tunnels, the security appliance employs the ISAKMP and IPsec tunneling standards.

· The security appliance acts as a bidirectional tunnel endpoint. It can take plain packets from the private network, encapsulate them, build a tunnel, and send them to the tunnel’s other end, where the packets are decapsulated and forwarded to their destination.

· It can also take encapsulated packets from the public network, decapsulate them, and then send them on to the private network.

· In order to prevent unauthorized access to your network or data traveling over an unprotected network, like the open Internet, IPsec offers authentication and encryption services.

· IPsec supports two connection types: LAN-to-LAN VPN and client-to-LAN VPN.

· The two peers negotiate security associations that control key management, encapsulation, authentication, and encryption during tunnel establishment.

· There are two stages to these negotiations: the IKE SA, which establishes the tunnel, and the IPsec SA, which regulates traffic inside the tunnel.

· Different geographic locations can be connected by LAN-to-LAN VPNs. The security appliance can act as either an initiator or responder in IPsec LAN-to-LAN connections.

· The security appliance only serves as a responder in IPsec client-to-LAN connections.

· Responders accept, reject, or make counterproposals according to the SA (security association) parameters that have been configured. The initiator (a router or a client) proposes SAs; both parties must agree on the SAs before a connection can be established.

· An Internet Key Exchange (IKE) policy specification is our first task.

· The initial secure channel/tunnel that IKE uses for the IPsec tunnel negotiation is established by ISAKMP.

· The characteristics of the ISAKMP session, including the hashing algorithms and encryption type, are governed by an IKE policy.

· In this situation, the authentication method—preshared keys—needs to be manually defined.

R1(config)# crypto isakmp policy 10

R1(config-isakmp)# authentication pre-share

R1(config-isakmp)# ^Z

R1# sh crypto isakmp policy

Global IKE policy

Protection suite of priority 10

encryption algorithm: Data Encryption Standard (DES) (keys of 56 bits).

(Purpose: Scramble, unscramble data)

hash algorithm: Secure Hash Standard (Purpose: provide data integrity)

authentication method: Pre-Shared Key

Diffie-Hellman group: #1 (768 bit) (Purpose: derive the shared secret that protects the key exchange. Diffie-Hellman groups 2, 5, 14, etc. are more secure, but require additional time to compute the key.)

lifetime is 86400 seconds, no volume limit
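As an added example (not from the original post), a small Python model of how the router fills in the defaults shown above and how two peers’ policy lists are matched during the IKE negotiation; the matching rule is a simplification of the documented IOS behaviour, and the weak-value list and the hardened policy values are this example’s assumptions:

```python
# IOS defaults for the attributes an IKE policy leaves unset (taken from the
# "show crypto isakmp policy" output on this page).
IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": 1, "lifetime": 86400}

# Values a current hardening baseline would reject (this example's assumption).
WEAK = {("encryption", "des"), ("encryption", "3des"), ("hash", "md5"),
        ("group", 1), ("group", 2), ("group", 5)}

# Attributes that must be identical on both peers for two policies to match.
MATCHED = ("encryption", "hash", "authentication", "group")


def effective_policy(configured):
    """Fill in the defaults: this is what the router actually proposes or accepts."""
    return {**IKE_DEFAULTS, **configured}


def weak_attributes(configured):
    """Names of attributes whose effective value is on the weak list."""
    return sorted(k for k, v in effective_policy(configured).items() if (k, v) in WEAK)


def negotiate(initiator, responder):
    """Simplified IOS policy matching. Both arguments map a priority number
    (lower wins) to a configured policy. The responder walks its own policies
    by priority and takes the first initiator proposal whose MATCHED attributes
    are identical; the shorter lifetime is used. Returns
    (initiator_prio, responder_prio, agreed_policy) or None when nothing matches."""
    proposals = [(p, effective_policy(c)) for p, c in sorted(initiator.items())]
    for r_prio, r_cfg in sorted(responder.items()):
        r_pol = effective_policy(r_cfg)
        for i_prio, i_pol in proposals:
            if all(i_pol[k] == r_pol[k] for k in MATCHED):
                lifetime = min(i_pol["lifetime"], r_pol["lifetime"])
                return i_prio, r_prio, {**r_pol, "lifetime": lifetime}
    return None


if __name__ == "__main__":
    # The page's policy 10: only the authentication method is set, the rest defaults.
    page = {10: {"authentication": "pre-share"}}
    print(negotiate(page, page))           # agrees on DES, SHA-1, group 1
    print(weak_attributes(page[10]))       # ['encryption', 'group']
    # A strong policy added on R3 only does not help: R1 still proposes just its
    # policy 10, so the responder falls through to its own weak policy 10.
    strong = {"encryption": "aes 256", "hash": "sha256", "group": 14,
              "authentication": "pre-share"}
    print(negotiate(page, {5: strong, 10: page[10]})[1])   # 10
```

The last case is the one to watch for in review: a stronger policy must be present on both peers, and ordered ahead of the weak one, or the weak defaults still win.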

· As previously stated, rather than using more complicated but stronger public keying, we’ll need to define a preshared key. The key, which is configured identically on both routers, is a string of text that is used to bring up the IKE tunnel. Although the word “CISCO” is used in our example, a much stronger key would be recommended in practice.

· The IP address that follows the key specifies the peer that this key is used with.

R1(config)# crypto isakmp key 0 CISCO address 172.16.0.6

· Be sure to mirror this configuration at the tunnel’s other end, R3, using R1’s address 172.16.0.1 in place of 172.16.0.6.

R3(config)# crypto isakmp key 0 CISCO address 172.16.0.1

· We can define an IPsec transform set after our IKE policy has been configured.

· The parameters carrying the actual data are specified in the transform set.

· We must specifically state the encryption and hash type we want to use with our transform set, unlike when defining an IKE policy, which offers default values for all attributes. We’ll use 3DES encryption and SHA-1 authentication to implement ESP encapsulation in our example.

· We can choose the IPsec mode (tunnel or transport) within the transform set configuration, but tunnel mode is the default.

R1(config)# crypto ipsec transform-set MyTransformSet esp-3des esp-sha-hmac

R1(cfg-crypto-trans)# ^Z

We can inspect our newly created transform set with show crypto ipsec transform-set:

R1# show crypto ipsec transform-set

Transform set MyTransformSet: { esp-3des esp-sha-hmac }

will negotiate = { Tunnel, },

· Now that we have our IPsec transform set created, we reference it from an IPsec profile, which is then applied to a tunnel interface:

R1(config)# crypto ipsec profile MyProfile

R1(ipsec-profile)# set transform-set MyTransformSet

R1(ipsec-profile)# ^Z

R1# show crypto ipsec profile

IPSEC profile MyProfile

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

MyTransformSet,

}

· Our last step is to configure the tunnel interfaces on routers R1 and R3 for IPsec operation.

R1(config)# interface tun0

R1(config-if)# tunnel mode ipsec ipv4

R1(config-if)# tunnel protection ipsec profile MyProfile

Final Configurations

R1

crypto isakmp policy 10
 authentication pre-share
!
! configuring the preshared key for the peer R3
crypto isakmp key CISCO address 172.16.0.6
!
! creating the transform set along with the encryption and hash type we want to use
crypto ipsec transform-set MyTransformSet esp-3des esp-sha-hmac
!
! the IPsec profile references the transform set and is applied on the tunnel interface
crypto ipsec profile MyProfile
 set transform-set MyTransformSet
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 172.16.0.1
 tunnel destination 172.16.0.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.252

R3

crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp key CISCO address 172.16.0.1
!
crypto ipsec transform-set MyTransformSet esp-3des esp-sha-hmac
!
crypto ipsec profile MyProfile
 set transform-set MyTransformSet
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 172.16.0.6
 tunnel destination 172.16.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
 ip address 172.16.0.6 255.255.255.252
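As an added example (not part of the original post), a Python check that reads the two final configurations above and verifies that the peers mirror each other (key address against the peer’s tunnel source, tunnel source/destination swapped, identical key and transform set) and reports transforms a current baseline would treat as legacy; the embedded configurations are trimmed to the commands the check reads, and the regex-based parsing and the legacy list are this example’s assumptions:

```python
import re

# Constructed from the page's final configurations (only the commands the
# check reads), indented the way "show running-config" prints them.
R1_CONFIG = """\
crypto isakmp key CISCO address 172.16.0.6
crypto ipsec transform-set MyTransformSet esp-3des esp-sha-hmac
interface Tunnel0
 tunnel source 172.16.0.1
 tunnel destination 172.16.0.6
"""
R3_CONFIG = """\
crypto isakmp key CISCO address 172.16.0.1
crypto ipsec transform-set MyTransformSet esp-3des esp-sha-hmac
interface Tunnel0
 tunnel source 172.16.0.6
 tunnel destination 172.16.0.1
"""

# One regex per value; group 1 is the value that is kept.
FIELDS = {
    "psk": r"^crypto isakmp key (?:\d\s+)?(\S+) address",
    "peer": r"^crypto isakmp key .* address (\S+)",
    "transforms": r"^crypto ipsec transform-set \S+ (.+)$",
    "source": r"^ tunnel source (\S+)",
    "destination": r"^ tunnel destination (\S+)",
}
# ESP transforms that a current hardening baseline would not allow (assumption).
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

def parse(config):
    """Extract one value per field (one tunnel per router assumed); None if absent."""
    return {k: m.group(1) if (m := re.search(p, config, re.M)) else None
            for k, p in FIELDS.items()}

def check_peers(r1, r3):
    """Return a list of mismatches; an empty list means the peers are consistent."""
    problems = []
    for name, me, other in (("R1", r1, r3), ("R3", r3, r1)):
        if me["peer"] != other["source"]:
            problems.append(f"{name}: key address {me['peer']} is not the peer's tunnel source")
        if me["destination"] != other["source"]:
            problems.append(f"{name}: tunnel destination {me['destination']} is not the peer's tunnel source")
    for key in ("psk", "transforms"):
        if r1[key] != r3[key]:
            problems.append(f"{key} differs between R1 and R3")
    return problems

def legacy_transforms(facts):
    """Transforms in the configured set that are on the legacy list."""
    return sorted(set(facts["transforms"].split()) & LEGACY)
```

On the page’s configurations check_peers returns no findings, while legacy_transforms flags both esp-3des and esp-sha-hmac, which is the reviewer’s cue to move the transform set to AES and SHA-2 on both routers at the same time.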
