Routers that participate in a site-to-site VPN tunnel form two IKE tunnels: the IKE Phase 1 tunnel and the IKE Phase 2 (IPsec) tunnel.
For the tunnels to come up, the hashing, encryption, lifetime and the other parameters configured below must be set identically on both routers.
IKE Phase 1 Tunnel Negotiation (HAGLE):
Hashing: MD5, SHA-1
Authentication: PSK, RSA keys
Group (DH): 1, 2, 5
Lifetime: # seconds
Encryption: DES, 3DES, AES
IKE Phase 2 Tunnel Negotiation:
Transform Set
Lifetime: # seconds
Encryption: DES, 3DES, AES
Configuring IKE Phase 1
1. Configure IKE Phase 1 on R1 and R2.
//R1
R1(config)#crypto isakmp enable
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#encryption aes 128
R1(config-isakmp)#hash sha
R1(config-isakmp)#end
//R2
R2(config)#crypto isakmp enable
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#hash sha
R2(config-isakmp)#group 2
R2(config-isakmp)#encryption aes 128
2. Create an identity that the router uses to identify itself to the other router.
NOTE: Use the hostname if the IP address changes (for example, the ISP assigns random IP addresses); if the IP address is static, you can use the IP address.
//R1
R1(config)#crypto isakmp identity address
//R2
R2(config)#crypto isakmp identity address
3. Create the pre-shared key used to authenticate both routers:
//R1
R1(config)#crypto isakmp key 0 kisamokey address 23.0.0.2
//R2
R2(config)#crypto isakmp key 0 kisamokey address 192.168.1.1
IKE Phase 1 is now configured.
Configuring the IKE Phase 2 Tunnel (IPsec Tunnel):
1. Create a transform set on Router 1 and Router 2:
//R1
R1(config)#crypto ipsec transform-set KISAMOVPN esp-aes 128 esp-sha-hmac
//R2
R2(config)#crypto ipsec transform-set KISAMOVPN esp-aes 128 esp-sha-hmac
2. Configure the IKE Phase 2 tunnel lifetime on Router 1 and Router 2:
//R1
R1(config)#crypto ipsec security-association lifetime seconds 86400
//R2
R2(config)#crypto ipsec security-association lifetime seconds 86400
3. Create a mirrored ACL on Router 1 and Router 2 that selects the traffic to be sent and received encrypted:
//R1
R1(config)#ip access-list extended S2S-VPN-TRAFFIC
R1(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#
//R2
R2(config)#ip access-list extended S2S-VPN-TRAFFIC
R2(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
R2(config-ext-nacl)#
4. Create a crypto map for the IKE Phase 2 tunnel (IPsec tunnel)
//R1
R1(config)#crypto map S2S-VPN 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R1(config-crypto-map)#match address S2S-VPN-TRAFFIC
R1(config-crypto-map)#set peer 23.0.0.2
R1(config-crypto-map)#set pfs group2
R1(config-crypto-map)#set transform-set KISAMOVPN
//R2
R2(config)#crypto map S2S-VPN 100 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R2(config-crypto-map)#match address S2S-VPN-TRAFFIC
R2(config-crypto-map)#set peer 192.168.1.1
R2(config-crypto-map)#set pfs group2
R2(config-crypto-map)#set transform-set KISAMOVPN
5. Apply the crypto map to the respective interface
//R1
R1(config)# interface serial 0
R1(config-if)#crypto map S2S-VPN
R1(config-if)#exit
//R2
R2(config)# interface serial 1
R2(config-if)#crypto map S2S-VPN
R2(config-if)#exit
6. Verification commands
R2#show crypto map
R2#show crypto ipsec transform-set
R2#show crypto isakmp sa
R2#show crypto ipsec sa
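As an added example (not part of the original post), a small Python script that parses the ISAKMP policy, transform-set and SA lifetime lines from each router's configuration and reports every Phase 1 or Phase 2 parameter that differs between the peers, since a single mismatch keeps the tunnel from forming. The sample configs, the deliberate R2 mismatch and the WEAK table of values to flag are constructed assumptions for this example.

```python
import re

# Constructed sample: the ISAKMP policy and IPsec lines each router carries after the steps
# above. R2 deliberately uses a different Phase 1 hash so the mismatch report is visible.
R1_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 group 2
 lifetime 86400
 encryption aes 128
 hash sha
crypto ipsec transform-set KISAMOVPN esp-aes 128 esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
"""
R2_CONFIG = R1_CONFIG.replace(" hash sha", " hash md5")
PHASE1_KEYS = ("authentication", "group", "lifetime", "encryption", "hash")
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}  # assumed flag list; extend per policy

def parse_config(text):
    """Pull Phase 1 policies, transform sets and the IPsec SA lifetime out of IOS config text."""
    phase1, tsets, sa_lifetime, current = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"crypto isakmp policy (\d+)", line):
            current = phase1.setdefault(m.group(1), {})
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m.group(1)], current = m.group(2).split(), None
        elif m := re.fullmatch(r"crypto ipsec security-association lifetime seconds (\d+)", line):
            sa_lifetime, current = int(m.group(1)), None
        elif current is not None and raw.startswith(" "):  # indented policy sub-command
            key, _, value = line.partition(" ")
            current["encryption" if key == "encr" else key] = value  # show run abbreviates "encr"
    return {"phase1": phase1, "tsets": tsets, "sa_lifetime": sa_lifetime}

def check_peers(r1, r2):
    """Return findings: every Phase 1/Phase 2 parameter that differs between peers, plus weak values."""
    findings = []
    for num in sorted(set(r1["phase1"]) | set(r2["phase1"])):
        p1, p2 = r1["phase1"].get(num, {}), r2["phase1"].get(num, {})
        for key in PHASE1_KEYS:
            v1, v2 = p1.get(key), p2.get(key)
            if v1 != v2:
                findings.append(f"phase1 policy {num} {key}: R1={v1} R2={v2}")
            for v in {v1, v2} - {None}:
                if v.split()[0] in WEAK.get(key, ()):
                    findings.append(f"phase1 policy {num} {key} '{v}' is weak")
    findings += [f"transform-set {n} differs" for n in sorted(set(r1["tsets"]) | set(r2["tsets"]))
                 if r1["tsets"].get(n) != r2["tsets"].get(n)]
    if r1["sa_lifetime"] != r2["sa_lifetime"]:
        findings.append(f"ipsec sa lifetime: R1={r1['sa_lifetime']} R2={r2['sa_lifetime']}")
    return findings
```

Running `check_peers(parse_config(R1_CONFIG), parse_config(R2_CONFIG))` reports the hash mismatch that would stop Phase 1 from negotiating; an empty list means the two configurations agree.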