IPSec Configuration Guide for VPNs

IPsec is a framework that secures IP traffic at the network layer by providing confidentiality, integrity, authentication, and anti-replay features. It consists of protocols such as Authentication Header (AH) and Encapsulating Security Protocol (ESP), which work together to encrypt and authenticate data packets. The configuration of IPsec involves setting up ISAKMP for key exchange, defining interesting traffic, and applying a crypto map to the desired interface.

Uploaded by arahimhstu7

IPSec Basics and Configuration

IPsec Fundamental

IPsec (Internet Protocol Security) is an open-standard architecture framework with protocol suites that help us protect IP traffic at the network layer. As the IP protocol itself doesn't have any security features at all, through IPsec we can achieve the following security objectives:

• Confidentiality: by encrypting our data, nobody except the sender and receiver will be able to read our data.

• Integrity: we want to make sure that nobody changes the data in our packets. By calculating a hash value, the sender and receiver will be able to check if changes have been made to the packet.

• Authentication: the sender and receiver will authenticate each other to make sure that we are really talking with the device we intend to.

• Anti-replay: even if a packet is encrypted and authenticated, an attacker could try to capture these packets and send them again. By using sequence numbers, IPsec will detect and discard any duplicate packets.

IPsec Illustration

The following protocols make up the IPsec suite:

Authentication Header (AH): The AH protocol ensures that data packets are from a trusted
source and that the data has not been tampered with, like a tamper-proof seal on a
consumer product. These headers do not provide any encryption; they do not help conceal
the data from attackers.

Encapsulating Security Protocol (ESP): ESP encrypts the IP header and the payload for
each packet — unless transport mode is used, in which case it only encrypts the payload.
ESP adds its own header and a trailer to each data packet.

Security Association (SA): SA refers to a number of protocols used for negotiating encryption keys and algorithms. One of the most common SA protocols is Internet Key Exchange (IKE).

IPsec: Meeting the Security Objectives

[Figure: the IPsec security objectives (Integrity, Authentication, Anti-replay, Confidentiality) alongside the AH and ESP protocols]

To establish an IPsec tunnel, we use a protocol called IKE (Internet Key Exchange). There are two phases to build an IPsec tunnel:

• IKE phase 1
• IKE phase 2

In IKE phase 1, two peers will negotiate about the encryption, authentication, hashing and other protocols that they want to use and some other parameters that are required. In this phase, an ISAKMP (Internet Security Association and Key Management Protocol) session is established. This is also called the ISAKMP tunnel or IKE phase 1 tunnel.

Before we can protect any IP packets, we need two IPsec peers that build the IPsec tunnel. The IKE phase 1 tunnel is only used for management traffic. We use this tunnel as a secure method to establish the second tunnel, called the IKE phase 2 tunnel or IPsec tunnel, and for management traffic like keepalives.

IPsec: Protocols

[Figure: IPsec modes, Tunnel Mode and Transport Mode, each usable with AH and ESP]

To establish an IPsec tunnel and to achieve the IPsec objectives, the following protocols are used:

Authentication Header (AH): The AH protocol ensures that data packets are from a trusted source and that the data has not been tampered with, like a tamper-proof seal on a consumer product. These headers do not provide any encryption; they do not help conceal the data from attackers.

Encapsulating Security Protocol (ESP): ESP encrypts the IP header and the payload for each packet, unless transport mode is used, in which case it only encrypts the payload. ESP adds its own header and a trailer to each data packet.

Security Association (SA): SA refers to several protocols used for negotiating encryption keys and algorithms. One of the most common SA protocols is Internet Key Exchange (IKE).

IPsec: Service vs Mode

Tunnel Mode + AH

Original packet:       IP Header | TCP Header | Data
AH in transport mode:  IP Header | AH Header | TCP Header | Data
AH in tunnel mode:     New IP Header | AH Header | IP Header | TCP Header | Data

IPsec: Service vs Mode

Tunnel Mode + ESP

Original packet:       IP Header | TCP Header | Data
ESP in transport mode: IP Header | ESP Header | TCP Header | Data | ESP Trailer | ESP Auth
ESP in tunnel mode:    New IP Header | ESP Header | IP Header | TCP Header | Data | ESP Trailer | ESP Auth

IPSec Configuration Task List

1. The crypto command set is the main tool used to configure the VPN
2. Configure phase 1, known as the ISAKMP policy
   ▪ Encryption
   ▪ Hash
   ▪ Authentication
   ▪ DH group
   ▪ Lifetime
3. Define interesting traffic
   ▪ Define an extended access-list name
   ▪ Define the access-list entries
4. Define the pre-shared key for authentication
5. Define the phase 2 IPSec transform set
   ▪ Define ESP or AH with encryption and hashing
6. Define a crypto map with a name
   ▪ Map the peer address
   ▪ Map the transform set
   ▪ Match addresses through the access-list name
7. Apply the crypto map to the desired interface
   ▪ Go to the interface
   ▪ Map the crypto map name

IPSec Configuration Task List

To help make this an easy-to-follow exercise, we have split it into the two steps that are required to get the Site-to-Site IPSec VPN Tunnel to work. These steps are:

1. Configure ISAKMP (ISAKMP Phase 1)
2. Configure IPSec (ISAKMP Phase 2)

Our example setup is between two branches of a small company: Site 1 and Site 2. Both branch routers connect to the Internet and have a static IP Address assigned by their ISP, as shown on the diagram:

IPSec Configuration Task List

Site 1 is configured with an internal network of [Link]/24, while Site 2 is configured with network [Link]/24.

The goal is to securely connect both LAN networks and allow full communication between them, without any restrictions.

IPSec Configuration Task List

The peer's pre-shared key is set to firewallcx and its public IP Address is [Link]. Every time R1 tries to establish a VPN tunnel with R2 ([Link]), this pre-shared key will be used.

We should note that the ISAKMP Phase 1 policy is defined globally. This means that if we have five different remote sites and have configured five different ISAKMP Phase 1 policies (one for each remote router), when our router tries to negotiate a VPN tunnel with each site it will send all five policies and use the first match that is accepted by both ends.

IPSec Configuration Task List

To configure IPSec we need to set up the following, in order:

• Create extended ACL
• Create IPSec Transform
• Create Crypto Map
• Apply crypto map to the public interface
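
A worked Site 1 (R1) configuration that follows the task list and the ISAKMP/IPSec steps above, added here as an example rather than taken from the deck's own configuration screenshots. Only the pre-shared key firewallcx comes from the text; the peer and LAN addresses (203.0.113.1, 203.0.113.2, 10.10.10.0/24, 20.20.20.0/24), the object names (VPN-TRAFFIC, TS, CMAP, NAT-TRAFFIC), the interface name and the algorithm choices are assumptions. Site 2 is configured the same way with the addresses swapped.

```cisco
! --- ISAKMP Phase 1 (policies are global; the lowest priority number is offered first) ---
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key for the Site 2 peer (peer address 203.0.113.2 is an assumed value)
crypto isakmp key firewallcx address 203.0.113.2
!
! --- Interesting traffic: Site 1 LAN to Site 2 LAN (both networks are assumed values) ---
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
! --- IPSec Phase 2 transform set: ESP with AES-256 encryption and SHA-256 HMAC, tunnel mode ---
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Crypto map tying together the peer, the transform set and the interesting-traffic ACL ---
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC
!
! --- Apply the crypto map to the public (Internet-facing) interface ---
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP
!
! If R1 also does NAT overload for Internet access, the NAT ACL must exempt the
! site-to-site traffic, otherwise the inside addresses are translated before the
! VPN-TRAFFIC ACL is evaluated and the tunnel never sees a match:
ip access-list extended NAT-TRAFFIC
 deny   ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
! Verification after sending traffic between the two LANs:
!   show crypto isakmp sa    (Phase 1 SA should be in state QM_IDLE)
!   show crypto ipsec sa     (Phase 2: pkts encaps/decaps counters should increase)
```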
IPSec Configuration Task List (Site-2)
