Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance - page 136


Summary

Cisco ASA, in conjunction with the AIP-SSM modules, delivers a new generation of highly accurate and intelligent inline prevention services. This provides security administrators with an Adaptive Threat Defense (ATD) across their business networks and applications. This chapter provided an overview of the Cisco IPS 5.x software architecture that runs in the AIP-SSM to provide IPS services. It included an introduction to the CLI, user administration, and maintenance tasks, and explained in depth advanced configuration tasks such as custom signatures and blocking.


Part IV: Virtual Private Network (VPN) Solution

  • Chapter 15 Site-to-Site IPSec VPNs

  • Chapter 16 Remote Access VPNs

  • Chapter 17 Public Key Infrastructure (PKI)


Chapter 15. Site-to-Site IPSec VPNs

This chapter covers the following topics:

  • Preconfiguration checklist

  • Configuration steps

  • Advanced features

  • Optional commands

  • Deployment scenarios

  • Monitoring and troubleshooting

Corporations continuously expand their operations by adding remote offices. These offices need network connectivity back to the corporate network for data transfer. Network administrators must evaluate the requirements and create a design that meets them. This includes selecting the network hardware platforms and the WAN technology to interconnect the branch and small offices. Some point-to-point WAN technologies include Frame Relay, Integrated Services Digital Network (ISDN), and Asynchronous Transfer Mode (ATM). Though these technologies do provide connectivity between locations, they are not very cost effective, and corporations look for ways to cut costs and increase profitability.

Network professionals can reduce the high maintenance cost of point-to-point WAN links by using the IPSec VPN tunnel in site-to-site mode. They can use broadband connections, including digital subscriber line (DSL) or cable modem, to achieve Internet connectivity at a considerably cheaper rate, and they can deploy IPSec VPN on top of that to connect the remote locations to the central site. This allows them to accomplish both goals in a cost-effective manner:

  • Internet access for clear-text traffic

  • Intranet connectivity over the VPN tunnel

This chapter focuses on configuring and troubleshooting site-to-site IPSec tunnels on the Cisco Adaptive Security Appliances. It discusses a preconfiguration checklist, configuration steps, and different design scenarios. It also discusses how to monitor the IPSec site-to-site tunnel to make sure that traffic is flowing correctly, and it closes with extensive troubleshooting help for tunnels that are having connectivity issues.


Preconfiguration Checklist

As discussed in the VPN section of Chapter 1, "Introduction to Network Security," IPSec can use Internet Key Exchange (IKE) for key management and tunnel negotiation. IKE uses a combination of different Phase 1 and Phase 2 attributes that are negotiated between the peers. If any one of the attributes is misconfigured, the IPSec tunnel will fail to establish. It is therefore highly recommended that security professionals understand the importance of a preconfiguration checklist and discuss it with other network administrators in case the far end of the VPN tunnel is managed by a different organization.

Table 15-1 lists all the possible values of Phase 1 attributes that are supported by Cisco ASA. It also includes the default values for each attribute. Highlighting the options and parameters that will be configured on the other end of the VPN tunnel is recommended.

Table 15-1. ISAKMP Attributes

| Attribute | Possible Values | Default Value |
|---|---|---|
| Encryption | DES 56-bit; 3DES 168-bit; AES 128-bit; AES 192-bit; AES 256-bit | 3DES 168-bit, or DES 56-bit if 3DES feature is not active |
| Hashing | MD5 or SHA | SHA |
| Authentication method | Preshared keys; RSA signature; DSA signature | Preshared keys |
| DH group | Group 1 768-bit field; Group 2 1024-bit field; Group 5 1536-bit field; Group 7 ECC 163-bit field | Group 2 1024-bit field |
| Lifetime | 120-2,147,483,647 seconds | 86,400 seconds |


Note

DH group 7 is used only for telecommuters who use VPN clients on PDAs.

For 3DES and AES encryption, you must have a VPN-3DES-AES feature set enabled license key.


In addition to the IKE parameters, the two IPSec devices also negotiate the mode of operation. Cisco ASA uses main mode as the default mode for site-to-site tunnels, but it can use aggressive mode if set up for it. After discussing Phase 1 attributes, it is important to highlight Phase 2 attributes for the VPN connection. The Phase 2 security associations (SAs) are used to encrypt and decrypt the actual data traffic. These SAs are also referred to as the IPSec SAs. Table 15-2 lists all the possible Phase 2 attributes offered by Cisco ASA, along with their default values.

Table 15-2. IPSec Attributes

| Attribute | Possible Values | Default Values |
|---|---|---|
| Encryption | None; DES 56-bit; 3DES 168-bit; AES 128-bit; AES 192-bit; AES 256-bit | 3DES 168-bit, or DES 56-bit if 3DES feature is not active |
| Hashing | MD5, SHA or None | None |
| Identity information | Network protocol and/or port number | No default parameter |
| Lifetime | 120-2,147,483,647 seconds; 10-2,147,483,647 KB | 28800 seconds; 4,608,000 KB |
| Mode | Tunnel or transport | Tunnel |
| PFS group | None; Group 1 768-bit DH prime modulus; Group 2 1024-bit DH prime modulus; Group 5 1536-bit DH prime modulus; Group 7 ECC 163-bit field | None |


Once you determine which Phase 1 and Phase 2 attributes to use, the next step is to configure the site-to-site tunnel.

Note

Advanced Encryption Standard (AES) is a new standard developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. AES is expected to replace the aging Data Encryption Standard (DES), which is commonly implemented by the IPSec vendors.


It is a best practice to use AES encryption over DES for enhanced security. Make sure that both IPSec devices support AES, because it is a fairly new standard.
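The preconfiguration checklist can be checked mechanically before either side configures its appliance. The following Python code is an added example, not code from the book or from Cisco: it validates two sites' Phase 1 worksheets against the values in Table 15-1, flags DES in line with the best practice above, and lists the attributes on which the two ends differ. The worksheet field names, value labels, and sample worksheets are constructed for illustration.

```python
# Added example: preconfiguration checklist check for IKE Phase 1 (Table 15-1).
# Field names, value labels and the sample worksheets are constructed.

# Values Cisco ASA supports for each Phase 1 attribute, taken from Table 15-1.
SUPPORTED = {
    "encryption": {"des", "3des", "aes-128", "aes-192", "aes-256"},
    "hash": {"md5", "sha"},
    "authentication": {"pre-share", "rsa-sig", "dsa-sig"},
    "dh_group": {1, 2, 5, 7},
}
LIFETIME_RANGE = (120, 2_147_483_647)  # seconds, from Table 15-1


def check_worksheet(name, ws):
    """Return the problems found in one site's Phase 1 worksheet."""
    problems = []
    for attr, allowed in SUPPORTED.items():
        if ws.get(attr) not in allowed:
            problems.append(f"{name}: unsupported {attr} {ws.get(attr)!r}")
    lo, hi = LIFETIME_RANGE
    if not lo <= ws.get("lifetime", 0) <= hi:
        problems.append(f"{name}: lifetime outside {lo}-{hi} seconds")
    if ws.get("encryption") == "des":
        problems.append(f"{name}: DES selected; AES is the recommended choice")
    return problems


def compare_peers(local, remote):
    """Validate both worksheets, then list the attributes that differ."""
    problems = check_worksheet("local", local) + check_worksheet("remote", remote)
    for attr in SUPPORTED:  # lifetime is only range-checked in this example
        if local.get(attr) != remote.get(attr):
            problems.append(
                f"mismatch on {attr}: local={local.get(attr)!r} "
                f"remote={remote.get(attr)!r}"
            )
    return problems


# Constructed worksheets for two sites managed by different teams.
HQ = {"encryption": "aes-256", "hash": "sha", "authentication": "pre-share",
      "dh_group": 5, "lifetime": 86400}
BRANCH = {"encryption": "des", "hash": "sha", "authentication": "pre-share",
          "dh_group": 2, "lifetime": 60}

if __name__ == "__main__":
    for line in compare_peers(HQ, BRANCH):
        print(line)
```
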