Next, let's discuss configuring IPSec on a PIX firewall. This example shows you how to configure a site-to-site VPN using pre-shared keys. The four main tasks you perform when setting up the VPN connection are
The following sections discuss each task in detail.

Preparing for IPSec

In any implementation of IPSec, the preparation phase is a key element of a successful installation. This task lets you document and plan every setting that will be needed to configure IPSec. If any policies or transform sets don't match between the two peers, the IPSec connection can fail. The steps needed to complete this task include the following:
Your goal is to configure a site-to-site VPN from the Portland firewall to the Salem firewall. Traffic from the internal Portland LAN 192.168.1.0/24 is protected by the VPN tunnel only when it's traveling to the Salem LAN 10.0.0.0/8. Figure 12.10 shows an overview of the phase 1 settings. Note that these are just the parameters needed in phase 1; they correspond only loosely to the actual commands you will use later to configure this phase.

Figure 12.10. Phase 1 settings.
Figure 12.11 shows the phase 2 information for creating a crypto map called MapPtoS. The crypto map is a composite of access lists, global lifetimes, transform sets, and the peers that are allowed to create a secure VPN connection. As you can see in Figure 12.11, the crypto map takes information from other areas and joins it together. You'll use the actual command to create it in the step that configures IPSec.

Figure 12.11. Phase 2 settings.
Both of the diagrams in Figures 12.10 and 12.11 are referenced again in the following sections. They are basically your map to constructing a VPN between Portland and Salem.

Configuring IKE

Now that you have prepared your firewall in the previous step, let's begin the configuration stage. The basic steps to configuring IKE, which the CLI also refers to as ISAKMP, are as follows:
The commands needed to configure these steps are shown in Listings 12.1 through 12.3 and are described in the following sections. The command sequence you need for your IKE configuration, as per Figure 12.6, is shown in Listing 12.1.

Listing 12.1 Portland Firewall
portland(config)# isakmp enable outside
portland(config)# isakmp policy 10 authentication pre-share
portland(config)# isakmp policy 10 encryption des
portland(config)# isakmp policy 10 hash md5
portland(config)# isakmp policy 10 group 1
portland(config)# isakmp policy 10 lifetime 86400
portland(config)# isakmp identity address
portland(config)# isakmp key dog address 169.254.1.25 netmask 255.255.255.255

Listing 12.2 displays the Salem firewall settings for its ISAKMP policy.

Listing 12.2 Salem Firewall
salem(config)# isakmp enable outside
salem(config)# isakmp policy 10 authentication pre-share
salem(config)# isakmp policy 10 encryption des
salem(config)# isakmp policy 10 hash md5
salem(config)# isakmp policy 10 group 1
salem(config)# isakmp policy 10 lifetime 86400
salem(config)# isakmp identity address
salem(config)# isakmp key dog address 169.254.8.1 netmask 255.255.255.255

The isakmp enable Command

The first and most basic step is to enable IKE/ISAKMP. IKE can be enabled for all interfaces or on a per-interface basis. The command syntax is shown here:

pixfirewall(config)# isakmp enable <if_name>

Table 12.1 displays the isakmp enable options.

Table 12.1. isakmp enable Options
The isakmp policy Command

The isakmp policy command enables you to define a group of settings under one priority number. You can create several policies on the PIX firewall if needed; you simply give each group of settings a different priority number. When two peers connect, the lowest policy priority numbers are tried first, so give your most desired policy the smallest number. The syntax of the isakmp policy command is shown in Listing 12.3.

Listing 12.3 The isakmp policy Command
pixfirewall(config)# isakmp policy <priority> authen <pre-share|rsa-sig>
pixfirewall(config)# isakmp policy <priority> encrypt <des|3des>
pixfirewall(config)# isakmp policy <priority> hash <md5|sha>
pixfirewall(config)# isakmp policy <priority> group <1|2>
pixfirewall(config)# isakmp policy <priority> lifetime <seconds>

Table 12.2 displays the available options for the isakmp policy command.

Table 12.2. isakmp policy Options
The isakmp identity Command

When IKE does pre-shared authentication, it needs to associate a pre-shared key with an identity. The peers can identify themselves with either an IP address or a hostname. IP addresses work best in most cases; however, if your peer's address changes often, you should use a hostname instead. The command syntax is as follows:

pixfirewall(config)# isakmp identity <address|hostname>

Table 12.3 displays the isakmp identity options available.

Table 12.3. isakmp identity Options
The isakmp key Command

The isakmp key command creates a pre-shared key and links it to a specific identity. You can have a different pre-shared key per peer if you want, simply by adding more key entries. If the key is "dog" on one side, it has to be "dog" on the other side, because authentication fails otherwise. The command syntax is shown here:

isakmp key <key-string> address <ip> [netmask <mask>]

Table 12.4 displays the isakmp key options.

Table 12.4. isakmp key Options
Configuring IPSec

Now that the management connection parameters are set (phase 1), you are ready to set the phase 2 parameters. Phase 2 combines several settings into a crypto map. This map, as shown in Figure 12.7, uses an ACL named "VPNTraffic", global SA lifetime settings (optional), and a transform set named "TranPtoS". These settings are bundled together and attached to an interface. When the two peers negotiate phase 2, they compare their crypto maps, looking for a matching entry on both sides. If no match is found, IPSec communication fails. If a match is found, an SA is created and all traffic that matches the ACL in the crypto map is forwarded through the tunnel. The following is an overview of the required tasks:
The commands needed to configure Figure 12.11 are shown in Listing 12.4 and Listing 12.5.

Listing 12.4 Portland Firewall Crypto Map Settings
portland(config)# sysopt connection permit-ipsec
portland(config)#
portland(config)# access-list VPNTraffic permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
portland(config)# crypto ipsec security-association lifetime seconds 28800 kilobytes 4608000
portland(config)# crypto ipsec transform-set TranPtoS ah-sha-hmac esp-des
portland(config)# crypto map MapPtoS 20 ipsec-isakmp
portland(config)# crypto map MapPtoS 20 match address VPNTraffic
portland(config)# crypto map MapPtoS 20 set peer 169.254.1.25
portland(config)# crypto map MapPtoS 20 set transform-set TranPtoS
portland(config)# crypto map MapPtoS interface outside
portland(config)# access-list NONAT permit IP 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
portland(config)# nat (inside) 0 access-list NONAT

Listing 12.5 Salem Firewall Crypto Map Settings
salem(config)# sysopt connection permit-ipsec
salem(config)#
salem(config)# access-list VPNTraffic permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
salem(config)# crypto ipsec security-association lifetime seconds 28800 kilobytes 4608000
salem(config)# crypto ipsec transform-set TranPtoS ah-sha-hmac esp-des
salem(config)# crypto map MapPtoS 20 ipsec-isakmp
salem(config)# crypto map MapPtoS 20 match address VPNTraffic
salem(config)# crypto map MapPtoS 20 set peer 169.254.8.1
salem(config)# crypto map MapPtoS 20 set transform-set TranPtoS
salem(config)# crypto map MapPtoS interface outside
salem(config)# access-list NONAT permit IP 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
salem(config)# nat (inside) 0 access-list NONAT

The sysopt connection permit-ipsec Command

To allow IPSec traffic into the firewall, you need to either create several ACL entries permitting protocols 50 and 51 and port 500 (IKE) or use the sysopt command.
The ACL option lets you be granular in specifying which interface will allow IPSec traffic in. However, the sysopt connection permit-ipsec command is easier to implement and allows IPSec and L2TP protocol connections on all interfaces. The command syntax is

pixfirewall(config)# sysopt connection permit-ipsec

The crypto access-list Command

A crypto ACL defines which IP traffic should or shouldn't be forwarded through the tunnel. The crypto access-list command looks exactly like any other access list but behaves in a slightly different way. If traffic matches a permit statement in the ACL, it's forwarded through the tunnel and protected by it. Conversely, if the traffic doesn't match or is denied, it is not dropped; it is allowed to travel outside the tunnel, in the clear. Here is an example:

portland(config)# access-list VPNTraffic permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

This access list states that any traffic from source 192.168.1.0/24 going to destination 10.0.0.0/8 is permitted, and therefore it is protected by the tunnel. Note that the only difference between this and other ACLs is that it's referenced by the crypto map command's match parameter, which is what makes it a crypto ACL.

The crypto ipsec security-association lifetime Command

This command sets a global SA lifetime value for all crypto maps created. The lifetime value defines how long the hash and encryption keys are valid. When the lifetime expires, IPSec and IKE generate new keys. Although this is a global command, it can be overridden with a similar command within the crypto map commands. The following is the command syntax:

pixfirewall(config)# crypto ipsec security-association lifetime seconds 28800 kilobytes 4608000

Table 12.5 displays the command options for the crypto ipsec security-association command.

Table 12.5. security-association lifetime Options
The transform-set Command

Transform sets define how user data is protected with AH, ESP, or both. A set can contain a maximum of three transforms: one AH for authentication, one ESP for encryption, and one ESP for authentication. The transform-set command also defines which mode to use: tunnel or transport mode. The command syntax is as follows:

pixfirewall(config)# crypto ipsec transform-set <trans-name> [transform1] [transform2] [transform3]
pixfirewall(config)# crypto ipsec transform-set <trans-name> mode transport

Table 12.6 displays the command options for the crypto ipsec transform-set command.

Table 12.6. transform-set Options
Table 12.7 displays the possible transforms and their uses.

Table 12.7. Transform Options
Following are two examples of using the transform-set command:

pixfirewall(config)# crypto ipsec transform-set TranData ah-sha-hmac

This example creates a transform set named TranData using AH with SHA-1 and no encryption. Here's the second example:

pixfirewall(config)# crypto ipsec transform-set TranData2 ah-sha-hmac esp-des

This example creates a transform set named TranData2 with two transforms, using AH with SHA-1 and ESP with DES encryption.
The crypto map Command

crypto map is the command that brings everything together for phase 2. Access lists, lifetimes, transform sets, and peers are all bundled together and given a name and sequence number in a crypto map. Then the map is attached to an interface or to multiple interfaces. However, an interface can have only one crypto map assigned to it. Some of the functions the crypto map command performs are listed here:
crypto map commands carry a sequence number, which lets you create multiple entries in one map; the entries are evaluated from the lowest sequence number to the highest. Listing 12.6 displays the crypto map commands.

Listing 12.6 crypto map Commands
pixfirewall(config)# crypto map <name> <seq_num> ipsec-isakmp|ipsec-manual
pixfirewall(config)# crypto map <name> <seq_num> match address <access_list>
pixfirewall(config)# crypto map <name> <seq_num> set peer <IP_address>
pixfirewall(config)# crypto map <name> <seq_num> set transform-set <tran_name>
pixfirewall(config)# crypto map <name> <seq_num> set pfs [group1|group2]
pixfirewall(config)# crypto map <name> <seq_num> set security-association lifetime

Table 12.8 displays the command options for the crypto map command.

Table 12.8. crypto map Command Options
The crypto map interface Command

Now that you have created a crypto map for all your phase 2 IPSec parameters, you need to attach the map to an interface. The crypto map interface command accomplishes this; its syntax is as follows:

pixfirewall(config)# crypto map <name> interface <if_name>

Table 12.9 displays the options for the crypto map interface command.

Table 12.9. crypto map interface Options
The nat 0 Command

Finally, the last command needed is nat 0. It lets traffic from the Portland internal site travel to the Salem internal site without being translated by NAT. The commands shown here repeat the ones in the original Portland configuration:

portland(config)# access-list NONAT permit IP 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
portland(config)# nat (inside) 0 access-list NONAT
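As an added consistency check over the Portland and Salem listings above (example code written for this page, not from the book or from Cisco), the script below parses the peer-sensitive commands from both firewalls and reports any phase 1 or phase 2 setting that does not line up: a differing ISAKMP policy parameter, a pre-shared key that is not identical on both sides, a crypto map peer that is not the other side's outside address, differing transform sets, or crypto ACLs that are not mirror images of each other. The outside addresses 169.254.8.1 (Portland) and 169.254.1.25 (Salem) are taken from the listings; the config text is embedded inline as a constructed sample.

```python
import ipaddress
# Constructed sample: the peer-sensitive commands from Listings 12.1 through 12.5 above.
PORTLAND = """\
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp key dog address 169.254.1.25 netmask 255.255.255.255
access-list VPNTraffic permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto ipsec transform-set TranPtoS ah-sha-hmac esp-des
crypto map MapPtoS 20 set peer 169.254.1.25
"""
SALEM = """\
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp key dog address 169.254.8.1 netmask 255.255.255.255
access-list VPNTraffic permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set TranPtoS ah-sha-hmac esp-des
crypto map MapPtoS 20 set peer 169.254.8.1
"""

def parse(text):
    # Collect, from a PIX config fragment, the settings both peers must agree on.
    cfg = {"policy": {}, "keys": {}, "acl": set(), "tsets": set(), "peers": set()}
    for w in (line.split() for line in text.splitlines()):
        if w[:2] == ["isakmp", "policy"]:
            cfg["policy"][w[3]] = w[4]            # e.g. "hash" -> "md5"
        elif w[:2] == ["isakmp", "key"]:
            cfg["keys"][w[4]] = w[2]              # peer address -> pre-shared key
        elif w[:1] == ["access-list"] and w[2] == "permit":
            src, dst = (ipaddress.ip_network(f"{w[i]}/{w[i + 1]}") for i in (4, 6))
            cfg["acl"].add((w[1], src, dst))      # PIX ACLs use normal netmasks
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"].add(frozenset(w[4:]))    # transform order is irrelevant
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]:
            cfg["peers"].add(w[6])
    return cfg

def mismatches(a, a_addr, b, b_addr):
    """Return the phase 1 / phase 2 settings that do not line up between peers a and b."""
    checks = [
        (a["policy"] != b["policy"], "isakmp policy parameters differ"),
        (a["keys"].get(b_addr) is None or a["keys"][b_addr] != b["keys"].get(a_addr),
         "pre-shared key missing or different"),
        (b_addr not in a["peers"] or a_addr not in b["peers"], "crypto map peer is not the other side"),
        (a["tsets"] != b["tsets"], "transform sets differ"),
        (a["acl"] != {(n, d, s) for n, s, d in b["acl"]}, "crypto ACLs are not mirror images"),
    ]
    return [msg for bad, msg in checks if bad]
if __name__ == "__main__":
    print(mismatches(parse(PORTLAND), "169.254.8.1", parse(SALEM), "169.254.1.25") or "peers match")
```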