Site-to-site IPSec VPN using Static Crypto-maps

Network topology:



There are 5 steps in the life-cycle of an IPSec VPN-

Step 1: Specifying interesting traffic using access-list:

Here, the interesting traffic means traffic that will be encrypted; rest of the traffic goes unencrypted. From Site1's perspective, all the traffic with source address from internal network 10.1.1.0/24 and destination network 10.2.2.0/24 will be regarded as interesting traffic, and vice versa from Site2's perspective.

Step 1: Interesting traffic

Site1:

ip access-list extended Traffic_1to2
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!

Site2:

ip access-list extended Traffic_2to1
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!


The IKE (Internet Key Exchange) protocol is a means to dynamically exchange IPSec parameters and keys. IKE helps to automatically establish security associations (SA) between two IPSec endpoints. An SA is an agreement of IPSec parameters between two endpoints. IKE uses two protocols for peer authentication and key-generation-

    (a) ISAKMP- The Internet Security Association and Key Management Protocol defines procedures on how to establish, negotiate, modify  and delete SA. The ISAKMP performs peer authentication but does not involve key exchange.

    (b) Oakley- The Oakley protocol uses Diffie-Hellman (DH) algorithm to manage key exchanges over IPSec SA. DH is a cryptographic protocol that permits the two endpoints to exchange shared-secret key over insecure channel.

The IKE Phases are broken into two phases which create a secure communication channel between two IPSec endpoints.

Step 2: IKE Phase 1:

IKE Phase 1 is the manadatory phase. A bidirectional SA is established between IPSec peers in phase 1. Data sent between the devices uses the same key material. Phase 1 may also perform peer authentication to validate the identity of the IPSec endpoint. Phase 1 consists of following exchanges-

    The first two exchanges negotiate the security parameters used to establish the IKE tunnel. The two endpoints exchange proposals in the form of transform-sets (using IKE policies).

    The second pair of packets exchange the DH public-keys needed to create the secure IKE tunnel. This tunnel is later used to exchange keys for IPSec SA.

    The final pair of packets perform peer authentication.

Step 2: IKE Phase 1

Site1:

crypto isakmp policy 10
 authentication pre-share
 encryption des                     ! by default, set to DES
 hash md5
 group 2                            ! Diffie-Hellman group 2, by default is set to 1.
!

Site 2:

crypto isakmp policy 30       
 authentication pre-share
 encryption des
 hash md5
 group 2
!

! The policy number is not required to match on endpoints, however, the corresponding parameters should match.


Step 3: IKE Phase 2:

The actual IPSec tunnel is established in IKE Phase 2. IKE Phase 1 creates a secure communication channel (its own SA) so that IPSec tunnels (SAs) can be created for data encryption and transport.

The following functions are performed in IKE Phase 2-

    (a) Negotiation of IPSec security parameters via IPSec transform-set
    (b) Establish IPSec SA (unidirectional IPSec tunnel)
    (c) Periodic renegotiation of IPSec SAs to ensure security
    (d) An additional DH exchange (optional)

Step 3: IKE Phase 2

Site1:

crypto isakmp key MY_K3Y address 123.1.1.2
!
crypto ipsec transform-set TS esp-des esp-md5-hmac

!
crypto map CRYPTO 10 ipsec-isakmp
 set peer 123.1.1.2
 set transform-set TS
 match address Traffic_1to2
!
interface serial 0/0
 crypto map CRYPTO
!

Site2:

crypto isakmp key MY_K3Y address 92.1.1.1
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto map CRYPTO 10 ipsec-isakmp
 set peer 92.1.1.1
 set transform-set TS
 match address Traffic_2to1
!
interface serial 0/0
 crypto map CRYPTO
!


Step 4: Secure data transfer:

After IKE Phase 2 is successfully completed, all the interesting traffic will flow through IPSec tunnel, meaning the interesting traffic will be sent encrypted to the endpoint.

When PING from Site1 router's Loopback 0 interface is sent to Site2 router's Loopback 0 interface, the Site1 router starts the IKE Phase 1 and once that is successful, it initiates IKE Phase 2. After successful IKE Phase 2, traffic is sent through the IPSec tunnel.

The show crypto isakmp sa command shows the current IKE SAs. "Active" status means ISAKMP SA is in active state. The Source IP address indicates which endpoint initiated the IKE negotiation. The QM_IDLE mode indicates Quick Mode exchange (there is also Aggressive Mode exchange), meaning the IPSec SA remains authenticated and can be used for several quick mode exchanges.

Site1# show crypto isakmp sa
dst             src             state          conn-id slot status
123.1.1.2       92.1.1.1        QM_IDLE              1    0 ACTIVE



The show crypto ipsec sa command is used to show current SA settings.

Site1# show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: CRYPTO, local addr 92.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 123.1.1.2 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 92.1.1.1, remote crypto endpt.: 123.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x7FAD546D(2142065773)

     inbound esp sas:
      spi: 0xBDD4C094(3184836756)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: CRYPTO
        sa timing: remaining key lifetime (k/sec): (4596305/3586)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7FAD546D(2142065773)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: CRYPTO
        sa timing: remaining key lifetime (k/sec): (4596305/3584)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Step 5: IPSec tunnel termination:

There are two events which can terminate an IPSec tunnel.

    (a) It is possible to manually delete an IPSec tunnel.
    (b) If the SA Lifetime timer expires, the tunnel is torn down. However, if traffic transfer is still required, new pair of SA is created before old SA is retired.

The SA Lifetime can be viewed using show crypto ipsec security-association lifetime command.