Site-to-site IPSec VPN using Static Crypto-maps
Network topology: Site1 (LAN 10.1.1.0/24, serial 0/0 at 92.1.1.1) connects across the WAN to Site2 (serial 0/0 at 123.1.1.2, LAN 10.2.2.0/24); the diagram itself is not reproduced here.
There are five steps in the life-cycle of an IPSec VPN:
Step 1: Specifying interesting traffic using an access-list:
Here, interesting traffic means the traffic that will be encrypted; all other traffic is sent unencrypted. From Site1's perspective, all traffic with a source address in the internal network 10.1.1.0/24 and a destination in 10.2.2.0/24 is interesting traffic, and vice versa from Site2's perspective.
Step 1: Interesting traffic
Site1:
ip access-list extended Traffic_1to2
permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
Site2:
ip access-list extended Traffic_2to1
permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
The IKE (Internet Key Exchange) protocol is the means by which IPSec parameters and keys are exchanged dynamically. IKE automatically establishes security associations (SAs) between two IPSec endpoints; an SA is an agreement on IPSec parameters between the two endpoints. IKE uses two protocols for peer authentication and key generation:
(a) ISAKMP: The Internet Security Association and Key Management Protocol defines the procedures for establishing, negotiating, modifying and deleting SAs. ISAKMP performs peer authentication but does not itself perform key exchange.
(b) Oakley: The Oakley protocol uses the Diffie-Hellman (DH) algorithm to manage key exchange for the IPSec SA. DH is a cryptographic protocol that lets two endpoints agree on a shared secret key over an insecure channel.
IKE is broken into two phases, which together create a secure communication channel between the two IPSec endpoints.
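As an added example, not code from the original tutorial, the following Python script performs the Diffie-Hellman exchange described above using the 1024-bit MODP prime that IKE calls group 2 (RFC 2409, section 6.2, "Second Oakley Group"), which is the group the policies in Step 2 select. Before using the group it checks that the prime is a safe prime, it rejects the degenerate public values (0, 1, p-1) that would force a trivial secret, and it hashes the agreed secret as a stand-in for the PRF that IKE actually runs over the secret, the nonces and the pre-shared key to derive SKEYID. The class and function names are my own, not IOS or RFC names.

```python
import hashlib
import secrets

# IKE Diffie-Hellman group 2: the 1024-bit MODP prime from RFC 2409 section 6.2
# ("Second Oakley Group"), generator 2. This is what "group 2" in an isakmp policy selects.
GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test, used to sanity-check the group before it is used."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_group(p, g):
    """The Oakley groups are safe primes (p = 2q + 1 with q prime) with a small generator."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2) and 1 < g < p - 1


def valid_public_value(p, y):
    """Reject 0, 1 and p-1: a peer (or an on-path tamperer) sending these forces a trivial secret."""
    return 1 < y < p - 1


class DhParty:
    """One IKE peer's half of the exchange: a secret exponent and the public value it sends."""

    def __init__(self, p=GROUP2_P, g=GROUP2_G):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 2) + 1   # x in [1, p-2]; never leaves this side
        self.public = pow(g, self.private, p)         # g^x mod p, carried in the second pair of Phase 1 packets

    def shared_secret(self, peer_public):
        """g^(xy) mod p, computed from the peer's public value and our own private exponent."""
        if not valid_public_value(self.p, peer_public):
            raise ValueError("peer public value outside (1, p-1)")
        return pow(peer_public, self.private, self.p)


def run_exchange(p=GROUP2_P, g=GROUP2_G):
    """Run both sides of one exchange; returns (secret_a, secret_b, digest) so the caller can compare."""
    if not is_safe_group(p, g):
        raise ValueError("refusing to run DH over an unverified group")
    a, b = DhParty(p, g), DhParty(p, g)
    secret_a, secret_b = a.shared_secret(b.public), b.shared_secret(a.public)
    # IKE mixes the shared secret with the nonces and the pre-shared key through a PRF to get SKEYID;
    # a plain SHA-256 of the secret stands in for that derivation here (simplification, not IKE's PRF).
    digest = hashlib.sha256(secret_a.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()
    return secret_a, secret_b, digest


if __name__ == "__main__":
    sa, sb, skeyid = run_exchange()
    print("secrets agree:", sa == sb, "key material digest:", skeyid[:16] + "...")
```

The 1024-bit size of group 2 is why current guidance (including Cisco's own encryption recommendations) treats it as a group to avoid for new deployments; the script runs the same arithmetic for any (p, g) you pass to run_exchange, so a larger MODP group can be substituted without other changes.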
Step 2: IKE Phase 1:
IKE Phase 1 is the mandatory phase. A bidirectional SA is established between the IPSec peers in Phase 1, and data sent between the devices uses the same key material. Phase 1 may also perform peer authentication to validate the identity of the IPSec endpoint. Phase 1 consists of the following exchanges:
The first two exchanges negotiate the security parameters used to establish the IKE tunnel. The two endpoints exchange proposals in the form of transform-sets (using IKE policies).
The second pair of packets exchange the DH public-keys needed to create the secure IKE tunnel. This tunnel is later used to exchange keys for IPSec SA.
The final pair of packets perform peer authentication.
Step 2: IKE Phase 1
Site1:
crypto isakmp policy 10
authentication pre-share
encryption des
! encryption defaults to DES if not specified
hash md5
group 2
! Diffie-Hellman group 2; the default is group 1
!
Site2:
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
!
! The policy number is not required to match on the two endpoints; however, the corresponding parameters must match.
Step 3: IKE Phase 2:
The actual IPSec tunnel is established in IKE Phase 2. IKE Phase 1 creates a secure communication channel (its own SA) so that IPSec tunnels (SAs) can be created for data encryption and transport.
The following functions are performed in IKE Phase 2:
(a) Negotiation of IPSec security parameters via IPSec transform-set
(b) Establish IPSec SA (unidirectional IPSec tunnel)
(c) Periodic renegotiation of IPSec SAs to ensure security
(d) An additional DH exchange (optional)
Step 3: IKE Phase 2
Site1:
crypto isakmp key MY_K3Y address 123.1.1.2
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto map CRYPTO 10 ipsec-isakmp
set peer 123.1.1.2
set transform-set TS
match address Traffic_1to2
!
interface serial 0/0
crypto map CRYPTO
!
Site2:
crypto isakmp key MY_K3Y address 92.1.1.1
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto map CRYPTO 10 ipsec-isakmp
set peer 92.1.1.1
set transform-set TS
match address Traffic_2to1
!
interface serial 0/0
crypto map CRYPTO
!
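The checks a practitioner runs before bringing the tunnel up, as an added example that is not part of the original tutorial: a Python script that parses the two configurations from Steps 1 to 3 (reproduced here as constructed sample input, indented the way IOS stores them) and verifies that the crypto ACLs mirror each other, that at least one ISAKMP policy matches on all four parameters regardless of policy number, that the transform sets agree, that each side has a pre-shared key for the peer its crypto map points at, and that the map is applied to an interface. It also flags DES, MD5 and DH groups 1 and 2, which Cisco's own encryption guidance lists as algorithms to avoid. The function names and the layout of the parsed dictionaries are mine.

```python
import re

# Constructed sample input: the Site1 configuration from the tutorial above, written
# the way IOS stores it (sub-commands indented under their parent command).
SITE1 = """\
ip access-list extended Traffic_1to2
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
crypto isakmp key MY_K3Y address 123.1.1.2
crypto ipsec transform-set TS esp-des esp-md5-hmac
crypto map CRYPTO 10 ipsec-isakmp
 set peer 123.1.1.2
 set transform-set TS
 match address Traffic_1to2
interface Serial0/0
 crypto map CRYPTO
"""
# Site2 is the mirror image: swapped ACL, the other peer address, a different policy number.
SITE2 = (SITE1.replace("Traffic_1to2", "Traffic_2to1")
              .replace("10.1.1.0 0.0.0.255 10.2.2.0", "10.2.2.0 0.0.0.255 10.1.1.0")
              .replace("123.1.1.2", "92.1.1.1").replace("policy 10", "policy 30"))

# IOS defaults for an isakmp policy parameter that is not configured explicitly.
POLICY_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1"}


def parse_config(text):
    """Collect the VPN-relevant parts of an IOS configuration into plain dicts."""
    cfg = {"acl": {}, "policy": {}, "key_addr": set(), "ts": {}, "map": {}, "iface_map": {}}
    section = (None, None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                       # a top-level command opens a new section
            section = (None, None)
            if m := re.match(r"ip access-list extended (\S+)", line):
                section, cfg["acl"][m[1]] = ("acl", m[1]), []
            elif m := re.match(r"crypto isakmp policy (\d+)", line):
                section, cfg["policy"][m[1]] = ("policy", m[1]), dict(POLICY_DEFAULTS)
            elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
                cfg["key_addr"].add(m[1])
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                cfg["ts"][m[1]] = m[2].split()
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
                section, cfg["map"][m[1]] = ("map", m[1]), {}
            elif m := re.match(r"interface (\S+)", line):
                section = ("iface", m[1])
            continue
        words, (kind, name) = line.split(), section
        if kind == "acl" and words[0] == "permit":
            cfg["acl"][name].append(tuple(words[2:6]))   # (src, wildcard, dst, wildcard)
        elif kind == "policy":
            cfg["policy"][name][words[0]] = words[1]
        elif kind == "map":                              # "set peer X" -> peer, "match address X" -> match
            cfg["map"][name][words[1] if words[0] == "set" else words[0]] = words[-1]
        elif kind == "iface" and words[:2] == ["crypto", "map"]:
            cfg["iface_map"][name] = words[2]
    return cfg


def mirrored(a, b):
    """Two ACL entries mirror each other when A's source/destination are B's destination/source."""
    return a[0:2] == b[2:4] and a[2:4] == b[0:2]


def check_pair(a, b):
    """Findings on whether configs a and b form a working pair; an empty list means they agree."""
    findings = []
    ea, eb = next(iter(a["map"].values())), next(iter(b["map"].values()))
    # Step 1: every crypto ACL entry needs its mirror on the far side, or the proxy IDs will not match.
    for entry in a["acl"][ea["match"]]:
        if not any(mirrored(entry, r) for r in b["acl"][eb["match"]]):
            findings.append(f"no mirror entry on the far side for {' '.join(entry)}")
    # Step 2: policy numbers may differ, but one policy must match on all four parameters.
    if not any(pa == pb for pa in a["policy"].values() for pb in b["policy"].values()):
        findings.append("no ISAKMP policy matches (authentication/encryption/hash/group)")
    # Step 3: transform sets must agree, and each side needs a key for the peer it points at.
    if sorted(a["ts"][ea["transform-set"]]) != sorted(b["ts"][eb["transform-set"]]):
        findings.append("transform sets differ")
    for side, cfg, entry in (("a", a, ea), ("b", b, eb)):
        if entry["peer"] not in cfg["key_addr"]:
            findings.append(f"{side}: no pre-shared key for peer {entry['peer']}")
        if not any(m in cfg["map"] for m in cfg["iface_map"].values()):
            findings.append(f"{side}: crypto map is not applied to any interface")
    return findings


def weak_settings(cfg):
    """DES, MD5 and DH groups 1/2 are on Cisco's list of algorithms to avoid; flag each occurrence."""
    flags = []
    for num, p in cfg["policy"].items():
        for key, bad in (("encryption", "des"), ("hash", "md5"), ("group", "1"), ("group", "2")):
            if p[key] == bad:
                flags.append(f"isakmp policy {num}: {key} {bad}")
    for name, ts in cfg["ts"].items():
        flags += [f"transform-set {name}: {t}" for t in ts if t in ("esp-des", "esp-md5-hmac")]
    return flags


if __name__ == "__main__":
    s1, s2 = parse_config(SITE1), parse_config(SITE2)
    print("pair findings:", check_pair(s1, s2) or "none")
    print("weak settings on Site1:", weak_settings(s1))
```

Because the parser fills in the IOS defaults for any policy parameter that is omitted, a side that leaves out "group 2" is correctly reported as group 1 and the policy-match check fails, which is the mismatch that shows up in practice as an IKE negotiation that never leaves Phase 1.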
Step 4: Secure data transfer:
After IKE Phase 2 completes successfully, all interesting traffic flows through the IPSec tunnel, meaning it is sent encrypted to the peer.
When a ping is sent from the Site1 router's Loopback 0 interface to the Site2 router's Loopback 0 interface, the Site1 router starts IKE Phase 1 and, once that succeeds, initiates IKE Phase 2. After IKE Phase 2 succeeds, the traffic is sent through the IPSec tunnel.
The show crypto isakmp sa command shows the current IKE SAs. An "ACTIVE" status means the ISAKMP SA is in the active state. The src address indicates which endpoint initiated the IKE negotiation. The QM_IDLE state indicates Quick Mode exchange (there is also Aggressive Mode exchange), meaning the IPSec SA remains authenticated and can be used for several quick mode exchanges.
Site1# show crypto isakmp sa
dst             src             state          conn-id slot status
123.1.1.2       92.1.1.1        QM_IDLE              1    0 ACTIVE
The show crypto ipsec sa command shows the settings of the current IPSec SAs.
Site1# show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: CRYPTO, local addr 92.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 123.1.1.2 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 92.1.1.1, remote crypto endpt.: 123.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0x7FAD546D(2142065773)

     inbound esp sas:
      spi: 0xBDD4C094(3184836756)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: CRYPTO
        sa timing: remaining key lifetime (k/sec): (4596305/3586)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7FAD546D(2142065773)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: CRYPTO
        sa timing: remaining key lifetime (k/sec): (4596305/3584)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
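A way to check the Step 4 output automatically, as an added example rather than code from the tutorial: the Python script below parses show crypto isakmp sa and show crypto ipsec sa (the tutorial's own output above, trimmed and embedded as constructed sample input) and reports whether the IKE SA with the expected peer is in QM_IDLE and ACTIVE, whether both ESP SAs are active, whether packets are actually being encrypted and verified in both directions, how long remains before rekey, and whether the negotiated transform still uses DES or MD5. The function names and the finding texts are my own.

```python
import re

# Constructed sample input: trimmed copies of the two show outputs in the tutorial.
ISAKMP_SA = """\
dst             src             state          conn-id slot status
123.1.1.2       92.1.1.1        QM_IDLE              1    0 ACTIVE
"""

IPSEC_SA = """\
interface: Serial0/0
    Crypto map tag: CRYPTO, local addr 92.1.1.1
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 123.1.1.2 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0xBDD4C094(3184836756)
        transform: esp-des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4596305/3586)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x7FAD546D(2142065773)
        transform: esp-des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4596305/3584)
        Status: ACTIVE
"""

COUNTER_RE = re.compile(r"#(pkts [a-z.]+|send errors|recv errors):? (\d+)")


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa' as dicts keyed by the column headers (dst, src, state, ...)."""
    lines = [l.split() for l in text.strip().splitlines()]
    header, rows = lines[0], lines[1:]
    return [dict(zip(header, r)) for r in rows if len(r) == len(header)]


def parse_ipsec_sa(text):
    """Pull peer, proxy identities, packet counters and the ESP SAs out of 'show crypto ipsec sa'."""
    sa = {"counters": {}, "esp": {}}
    direction = None
    for line in text.splitlines():
        s = line.strip()
        if m := re.search(r"local addr (\S+)", s):
            sa["local"] = m[1]
        elif m := re.match(r"(local|remote)\s+ident .*: \((\S+)\)", s):
            sa[m[1] + "_ident"] = m[2]
        elif m := re.match(r"current_peer (\S+)", s):
            sa["peer"] = m[1]
        elif m := re.match(r"(inbound|outbound) esp sas:", s):
            direction = m[1]
            sa["esp"][direction] = {}
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            sa["esp"][direction]["spi"] = int(m[1], 16)
        elif direction and (m := re.match(r"transform: (.+?)\s*,?$", s)):
            sa["esp"][direction]["transform"] = m[1].split()
        elif direction and (m := re.search(r"\(k/sec\): \((\d+)/(\d+)\)", s)):
            sa["esp"][direction]["kb_left"], sa["esp"][direction]["sec_left"] = int(m[1]), int(m[2])
        elif direction and (m := re.match(r"Status: (\S+)", s)):
            sa["esp"][direction]["status"] = m[1]
        for m in COUNTER_RE.finditer(s):
            sa["counters"][m[1]] = int(m[2])
    return sa


def tunnel_health(isakmp_rows, ipsec, peer, min_sec_left=300):
    """Findings about the tunnel to `peer`; an empty list means it is up and carrying traffic."""
    findings = []
    ike = [r for r in isakmp_rows if peer in (r["dst"], r["src"])]
    if not any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE" for r in ike):
        findings.append(f"no active IKE SA in QM_IDLE with {peer}")
    if ipsec.get("peer") != peer:
        findings.append(f"IPSec SA peer is {ipsec.get('peer')}, expected {peer}")
    c = ipsec["counters"]
    if c.get("pkts encaps", 0) == 0 or c.get("pkts decaps", 0) == 0:
        findings.append("no packets in at least one direction: tunnel negotiated but idle or one-way")
    if c.get("pkts encaps") != c.get("pkts encrypt") or c.get("pkts decaps") != c.get("pkts verify"):
        findings.append("encaps/encrypt or decaps/verify counters disagree")
    if c.get("send errors", 0):
        findings.append(f"{c['send errors']} send error(s): commonly the packet that triggered "
                        "negotiation, dropped before the SA existed; investigate if it keeps growing")
    for direction in ("inbound", "outbound"):
        esp = ipsec["esp"].get(direction, {})
        if esp.get("status") != "ACTIVE" or not esp.get("spi"):
            findings.append(f"{direction} ESP SA not active")
        if esp.get("sec_left", 0) < min_sec_left:
            findings.append(f"{direction} ESP SA rekeys in {esp.get('sec_left')} s")
        if {"esp-des", "esp-md5-hmac"} & set(esp.get("transform", [])):
            findings.append(f"{direction} ESP SA uses a deprecated transform: {' '.join(esp['transform'])}")
    return findings


if __name__ == "__main__":
    for f in tunnel_health(parse_isakmp_sa(ISAKMP_SA), parse_ipsec_sa(IPSEC_SA), "123.1.1.2"):
        print("-", f)
```

Run against the tutorial's output the script reports three things: the single send error, and the DES/MD5 transform on each of the two ESP SAs; everything else (IKE state, both SAs active, encaps equal to encrypt, decaps equal to verify, lifetimes well above the threshold) passes.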
Step 5: IPSec tunnel termination:
There are two events that can terminate an IPSec tunnel:
(a) The IPSec tunnel can be deleted manually.
(b) If the SA lifetime timer expires, the tunnel is torn down. However, if traffic still needs to flow, a new pair of SAs is created before the old SAs are retired.
The SA lifetime can be viewed with the show crypto ipsec security-association lifetime command.