A site-to-site virtual private network (VPN) allows you to maintain a secure "always-on" connection between two physically separate sites using an existing non-secure network such as the public Internet. Traffic between the two sites is transmitted over an encrypted tunnel to prevent snooping or other types of data attacks.

This configuration requires an IOS software image that supports cryptography. The one used in the examples is c870-advipservicesk9-mz.124-15.T6.bin.

There are several protocols used in creating the VPN, including protocols used for a key exchange between the peers, those used to encrypt the tunnel, and hashing technologies which produce message digests.

VPN Protocols

IPSec: Internet Protocol Security (IPSec) is a suite of protocols that are used to secure IP communications. IPSec involves both key exchanges and tunnel encryption. You can think of IPSec as a framework for implementing security. When creating an IPSec VPN, you can choose from a variety of security technologies to implement the tunnel.

ISAKMP (IKE): Internet Security Association and Key Management Protocol (ISAKMP) provides a means for authenticating the peers in a secure communication. It typically uses Internet Key Exchange (IKE), but other technologies can also be used. Public keys or a pre-shared key are used to authenticate the parties to the communication.

MD5: Message-Digest algorithm 5 (MD5) is an often used, but partially insecure, cryptographic hash function with a 128-bit hash value. A cryptographic hash function is a way of taking an arbitrary block of data and returning a fixed-size bit string, the hash value, based on the original block of data. The hashing process is designed so that a change to the data will also change the hash value. The hash value is also called the message digest.

SHA: Secure Hash Algorithm (SHA) is a set of cryptographic hash functions designed by the National Security Agency (NSA). The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. SHA-1 is a commonly used hashing algorithm with a standard key length of 160 bits.

ESP: Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite that provides origin authenticity, integrity, and confidentiality protection of packets. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure. Unlike the other IPsec protocol, Authentication Header (AH), ESP does not protect the IP packet header. This difference makes ESP preferred for use in a Network Address Translation configuration. ESP operates directly on top of IP, using IP protocol number 50.

DES: The Data Encryption Standard (DES) provides 56-bit encryption. It is no longer considered a secure protocol because its short key length makes it vulnerable to brute-force attacks.

3DES: Triple DES (3DES) was designed to overcome the limitations and weaknesses of DES by using three different 56-bit keys in an encrypting, decrypting, and re-encrypting operation. 3DES keys are 168 bits in length. When using 3DES, the data is first encrypted with one 56-bit key, then decrypted with a different 56-bit key, the output of which is then re-encrypted with a third 56-bit key.

AES: The Advanced Encryption Standard (AES) was designed as a replacement for DES and 3DES. It is available in varying key lengths and is generally considered to be about six times faster than 3DES.

HMAC: The Hashing Message Authentication Code (HMAC) is a type of message authentication code (MAC). HMAC is calculated using a specific algorithm involving a cryptographic hash function in combination with a secret key.

Configuring a Site-to-Site VPN

The process of configuring a site-to-site VPN involves several steps:

Phase One configuration involves configuring the key exchange. This process uses ISAKMP to identify the hashing algorithm and authentication method. It is also one of two places where you must identify the peer at the opposite end of the tunnel. In this example, we chose SHA as the hashing algorithm due to its more robust nature, including its 160-bit key. The key "vpnkey" must be identical on both ends of the tunnel. The address "192.168.16.105" is the outside interface of the router at the opposite end of the tunnel.

Sample phase one configuration:
tukwila(config)#crypto isakmp policy 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#crypto isakmp key vpnkey address 192.168.16.105

Phase Two configuration involves configuring the encrypted tunnel. In Phase Two configuration, you create and name a transform set which identifies the encrypting protocols used to create the secure tunnel. You must also create a crypto map in which you identify the peer at the opposite end of the tunnel, specify the transform-set to be used, and specify which access control list will identify permitted traffic flows. In this example, we chose AES due to its heightened security and enhanced performance. The statement "set peer 192.168.16.25" identifies the outside interface of the router at the opposite end of the tunnel. The statement "set transform-set vpnset" tells the router to use the parameters specified in the transform-set vpnset in this tunnel. The "match address 100" statement is used to associate the tunnel with access-list 100, which will be defined later.

Sample phase two configuration:
tukwila(config)#crypto ipsec transform-set vpnset esp-aes
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
tukwila(config-crypto-map)#set peer 192.168.16.105
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match address 100

The crypto map must be applied to your outside interface (in this example, interface FastEthernet 4):
tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset

You must create an access control list to explicitly allow traffic from the router's inside LAN across the tunnel to the other router's inside LAN (in this example, the router tukwila's inside LAN network address is 10.10.10.0/24 and the other router's inside LAN network address is 10.20.0.0/24):
tukwila(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255

(For more information about the syntax of access-control lists, see my other articles on creating and managing Cisco router access-control lists.)

You must also create a default gateway (also known as the "gateway of last resort"). In this example, the default gateway is at 192.168.16.1:
tukwila(config)#ip route 0.0.0.0 0.0.0.0 192.168.16.1

Verifying VPN Connections

The following two commands can be used to verify VPN connections:
Router#show crypto ipsec sa
This command displays the settings used by the current Security Associations (SAs).
Router#show crypto isakmp sa
This command displays current IKE Security Associations.

Troubleshooting VPN Connections

After confirming physical connectivity, audit both ends of the VPN connection to ensure they mirror each other.

Use debugging to analyze VPN connection difficulties:
Router#debug crypto isakmp
This command allows you to observe Phase 1 ISAKMP negotiations.
Router#debug crypto ipsec
This command allows you to observe Phase 2 IPSec negotiations.

Copyright (c) 2008 Don R.
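The troubleshooting advice above is to audit both ends until they mirror each other. The following Python script is an added example, not code from the article or from Cisco: it parses the lines that the Phase One, Phase Two, interface and access-list steps produce out of two running-config excerpts (constructed here from the article's commands; the peer router's configuration and its 192.168.16.25 outside address are assumed) and reports every place where the two ends fail to mirror.

```python
import re
# Constructed sample configs (not captured from a live device): TUKWILA follows the
# article's commands and PEER is the assumed mirror image at the far end.
TUKWILA = """crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key vpnkey address 192.168.16.105
crypto ipsec transform-set vpnset esp-aes
crypto map vpnset 10 ipsec-isakmp
 set peer 192.168.16.105
 set transform-set vpnset
 match address 100
interface FastEthernet4
 crypto map vpnset
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255
"""
PEER = TUKWILA.replace("192.168.16.105", "192.168.16.25").replace(
    "10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255", "10.20.0.0 0.0.0.255 10.10.10.0 0.0.0.255")

def grab(pat, cfg):
    m = re.search(pat, cfg, re.M)
    return m.group(1) if m else None

def parse(cfg):  # extract the fields the article's procedure sets (first match of each)
    key = re.search(r"^crypto isakmp key (\S+) address (\S+)", cfg, re.M)
    ts = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)
    acl_id = grab(r"^ +match address (\S+)", cfg)
    acl = re.search(r"^access-list %s permit ip (\S+) \S+ (\S+) \S+" % acl_id, cfg, re.M)
    return {"hash": grab(r"^ +hash (\S+)", cfg),
            "auth": grab(r"^ +authentication (\S+)", cfg),
            "psk": key and key.group(1), "key_peer": key and key.group(2),
            "ts_algs": ts and set(ts.group(1).split()),
            "map_name": grab(r"^crypto map (\S+) \d+ ipsec-isakmp", cfg),
            "map_peer": grab(r"^ +set peer (\S+)", cfg),
            "acl": acl and (acl.group(1), acl.group(2)),  # (local LAN, remote LAN)
            "applied": grab(r"^ +crypto map (\S+)$", cfg)}  # map bound to an interface

def audit(a, b):  # returns mismatches; an empty list means the two ends mirror each other
    issues = []
    for side, c in (("A", a), ("B", b)):  # per-router consistency checks
        if c["map_peer"] != c["key_peer"]:  # the peer is named in two places; they must agree
            issues.append(f"{side}: set peer {c['map_peer']} vs isakmp key address {c['key_peer']}")
        if c["applied"] != c["map_name"]:
            issues.append(f"{side}: crypto map {c['map_name']} is not applied to an interface")
    for k in ("hash", "auth", "psk", "ts_algs"):  # must be identical end to end
        if a[k] != b[k]:
            issues.append(f"{k} differs: {a[k]} vs {b[k]}")
    if a["acl"] and b["acl"] and a["acl"] != b["acl"][::-1]:  # LANs are swapped on the far side
        issues.append(f"ACLs are not mirror images: {a['acl']} vs {b['acl']}")
    return issues
```

Run it against `show running-config` output from both routers; the first check also catches the case where the crypto map's `set peer` and the `crypto isakmp key` address name different peers.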