Chapter 14: Site-To-Site IPsec VPNs with Cisco IOS Routers


Format: pptx, 28 pages | Shared by: vutrong32 | Views: 1096 | Downloads: 0
Chapter 14. Site-to-Site IPsec VPNs with Cisco IOS Routers

This chapter teaches you how to configure a site-to-site IPsec VPN with preshared keys, using Cisco Configuration Professional (CCP). This ability includes being able to meet these objectives:
• Evaluate the requirements and configuration of site-to-site IPsec VPNs
• Use Cisco Configuration Professional to configure site-to-site IPsec VPNs
• Use CLI commands and Cisco Configuration Professional monitoring options to validate the VPN configuration
• Use CLI commands and Cisco Configuration Professional monitoring options to monitor and troubleshoot the VPN configuration

Contents

Site-to-Site IPsec VPN Operations

IPsec VPN negotiation can be broken down into five steps, including Phase 1 and Phase 2 of Internet Key Exchange (IKE):
Step 1. An IPsec tunnel is initiated when Host A sends "interesting" traffic to Host B. Traffic is considered interesting when it travels between the IPsec peers and meets the criteria defined in the crypto access control list (ACL).
Step 2. In IKE Phase 1, the IPsec peers (routers A and B) negotiate an IKE SA policy and authenticate each other. Once the peers are authenticated, a secure tunnel is created using ISAKMP.
Step 3. In IKE Phase 2, the IPsec peers use the authenticated and secure tunnel to negotiate IPsec SA transforms. The negotiation of the shared policy determines how the IPsec tunnel is established.
Step 4. The IPsec tunnel is created and data is transferred between the IPsec peers based on the IPsec parameters configured in the IPsec transform sets.
Step 5. The IPsec tunnel terminates when the IPsec SAs are deleted or when their lifetime expires.

Site-to-Site IPsec VPN (topology figure)

Planning and Preparation Checklist
• Verify connectivity between peers
• Define interesting traffic
• Determine the cipher suite requirements
• Manage monitoring, troubleshooting, and change

Interesting Traffic and Crypto ACLs

Interesting traffic is defined by crypto ACLs in site-to-site IPsec VPN configurations. Crypto ACLs perform these functions:
• Outbound: For outbound traffic, the crypto ACL defines the flows that IPsec should protect. Traffic that is not selected is sent in plaintext.
• Inbound: The same ACL is processed for inbound traffic. The ACL defines traffic that should have been protected by IPsec, and the router discards packets that are selected by the ACL but arrive unprotected (unencrypted).

Because the same ACL is evaluated in both directions, the crypto ACL on each peer must be the mirror image of the other's: the source and destination of each permit statement on one router are the destination and source on the other. If the ACLs are not mirrored, Phase 2 fails because the proxy identities (traffic selectors) offered by the two peers do not match, or the inbound check drops traffic that the other side sent in the clear.

Figures: Outbound and Inbound Access Control Lists; Mirrored Crypto ACLs; Example of Cipher Suite Selection Decision

Crypto Map and Its Role

Crypto map entries that you create for IPsec combine the needed configuration parameters of IPsec SAs, including the following:
• Which traffic should be protected by IPsec, using a crypto ACL
• The granularity of the flow to be protected by a set of SAs
• Who the remote IPsec peer is, which determines where the IPsec-protected traffic is sent
• The local address that is to be used for the IPsec traffic (optional)
• Which IPsec security should be applied to this traffic, chosen from a list of one or more transform sets
The crypto map is applied to the interface that faces the peer; until it is bound to an interface, no traffic is protected regardless of the ACL.

Configuring a Site-to-Site IPsec VPN Using CCP

Scenario for Configuring a Site-to-Site IPsec VPN with Preshared Keys Using the CCP VPN Wizard

Initiating the VPN Wizard: Configure > Security > VPN > Site-to-Site VPN.
The wizard gives a choice between a Quick Setup and a Step-by-Step approach.
VPN Connection Information page:
• First component: interface selection
• Second component: peer identity
• Third component: authentication (the preshared key)
IKE proposals configured through the VPN Wizard
Transform set configured through the VPN Wizard
Protecting traffic through the VPN Wizard (the crypto ACL)
Summary of the Site-to-Site VPN Wizard configuration

Verifying IPsec Configuration Using CLI

    IOS-FW# show crypto isakmp policy

    Global IKE policy
    Protection suite of priority 1
            encryption algorithm:   Three key triple DES
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit

This is the proposal the wizard generates by default. 3DES, SHA-1 and 1024-bit Diffie-Hellman group 2 are all below current recommendations (Cisco's Next Generation Encryption guidance lists them as legacy or to be avoided), so before deploying, edit the IKE proposal and transform set to AES, SHA-2 and DH group 14 or larger, and confirm the change with the same show command.

Monitoring Established IPsec VPN Connections

Figures: IKE Policy Negotiation; VPN Troubleshooting Status Window; Monitoring IKE Security Association
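A complete two-router configuration that realises the crypto ACL and crypto map parameters described above, written for this page as an added example; it is not the chapter's own configuration and not what the CCP wizard emits verbatim. The addresses (203.0.113.1 and 10.1.0.0/24 for R1, 198.51.100.1 and 10.2.0.0/24 for R2), the interface names, the object names VPN-TRAFFIC, TS-AES256-SHA256 and VPN-MAP, and the preshared key Example-PSK-ChangeMe are all assumptions, and the cipher suite assumes an IOS 15.x image that supports SHA-256 and DH group 14, replacing the wizard default of 3DES, SHA-1 and group 2.

```cisco
! ===== R1 (assumed: outside Gi0/0 = 203.0.113.1, inside LAN 10.1.0.0/24) =====
! IKE Phase 1 policy: replaces the wizard default of 3DES / SHA-1 / group 2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Preshared key (example value) bound to the peer's outside address
crypto isakmp key Example-PSK-ChangeMe address 198.51.100.1
!
! IKE Phase 2 transform set: ESP with AES-256 encryption and SHA-256 integrity
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL = interesting traffic: local LAN to remote LAN
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! Crypto map entry: peer, transform set, PFS and the crypto ACL together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
! Nothing is encrypted until the map is bound to the peer-facing interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
!
! ===== R2 (assumed: outside Gi0/0 = 198.51.100.1, inside LAN 10.2.0.0/24) =====
! Phase 1 policy must match R1's encryption, hash, authentication and group
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key Example-PSK-ChangeMe address 203.0.113.1
!
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Mirror image of R1's crypto ACL: source and destination are swapped
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-MAP
```

Two checks worth making before sending interesting traffic: the peers need at least one Phase 1 policy with identical encryption, hash, authentication and DH group (the lifetime need not match; the shorter value wins), and if the outside interface also performs NAT, the LAN-to-LAN flows must be exempted from translation, because IOS translates the source address before the crypto ACL is evaluated and the translated packet no longer matches VPN-TRAFFIC.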
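The CLI checks that follow the five negotiation steps, as an added example for "Verifying IPsec Configuration Using CLI"; these commands are not from the chapter, and the prompt R1, the inside address 10.1.0.1 and the remote host 10.2.0.10 are assumptions.

```cisco
! Step 1: send interesting traffic sourced from the inside address (assumed
! addresses) so that it matches the crypto ACL and triggers negotiation.
! A ping sourced from the outside interface does not match and stays cleartext.
R1# ping 10.2.0.10 source 10.1.0.1
!
! Step 2 check: one ISAKMP SA per peer pair. State QM_IDLE = Phase 1 complete;
! MM_NO_STATE (or no entry at all) = Phase 1 failed, typically a preshared-key
! or policy mismatch.
R1# show crypto isakmp sa
!
! Step 3/4 check: the negotiated IPsec SAs. Look for the inbound and outbound
! ESP SAs under the peer, and for #pkts encaps / #pkts decaps increasing as the
! ping is repeated; encaps rising with decaps at zero means the return path fails.
R1# show crypto ipsec sa
!
! Confirm the Phase 1 suite actually in effect (compare with the wizard default
! of 3DES / SHA-1 / group 2 shown above).
R1# show crypto isakmp policy
!
! Which peer, transform set and crypto ACL are bound to which interface.
R1# show crypto map
!
! One-line status per peer (UP-ACTIVE or DOWN).
R1# show crypto session
!
! Troubleshooting: trace both phases while re-sending the ping, then stop.
R1# debug crypto isakmp
R1# debug crypto ipsec
R1# undebug all
!
! Step 5 / change management: after editing a policy, key, transform set or
! crypto ACL, tear down the SAs so the next interesting packet renegotiates
! with the new parameters instead of riding the old tunnel until it expires.
R1# clear crypto sa
R1# clear crypto isakmp
```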

Files attached to this document:

  • chapter_14_site_to_site_ipsec_vpns_with_cisco_ios_routers_7376.pptx