Configuring an IPSec Site-to-Site Connection


Next, let's discuss configuring IPSec on a PIX firewall. This example shows you how to configure a site-to-site VPN using pre-shared keys. The four main tasks you perform when setting up the VPN connection are

  • Preparing for IPSec: Involves gathering IPSec parameter details.

  • Configuring IKE: Phase 1 parameters are configured.

  • Configuring IPSec: Phase 2 parameters are configured.

  • Testing and troubleshooting: This is when the configuration and current security associations are displayed.

The following sections discuss each task in detail.

Preparing for IPSec

In any implementation of IPSec, the preparation phase is a key element of a successful installation. This task enables you to document and plan all the settings that will be needed to configure IPSec. If any policies or transform sets don't match, your IPSec connection can fail. The steps needed to complete this task include the following:

  1. Define the IKE phase 1 policies between peers.

  2. Define the IKE phase 2 policies, transform sets, peer IP address or hostnames, and lifetime settings.

  3. Verify the current PIX configuration for any previous access control list (ACL), ISAKMP policies, or crypto maps that might conflict with the new settings.

  4. Perform a basic ping test to ensure you can actually reach the other peer before attempting to create a VPN.

  5. Verify that perimeter routers will allow IPSec traffic, IP protocols 50 and 51 and IKE on UDP port 500, to pass through.

Your goal is to configure a site-to-site VPN from the Portland firewall to the Salem firewall. All traffic from the internal Portland LAN 192.168.1.0/24 will be protected by the VPN tunnel only if it's traveling to the Salem LAN of 10.0.0.0/8. Figure 12.10 shows an overview of the phase 1 settings. Note that these are just the parameters needed in phase 1 and loosely related to the actual commands you will use later to configure this phase.

Figure 12.10. Phase 1 settings.


Figure 12.11 shows the phase 2 information for creating a crypto map called MapPtoS. The crypto map is a composite of access lists, global lifetimes, transform sets, and peers that are allowed to create a secure VPN connection. As you can see in Figure 12.11, the crypto maps take information for other areas and join them together. You'll use the actual command to create this in the step that configures IPSec.

Figure 12.11. Phase 2 settings.


Both of the diagrams in Figures 12.10 and 12.11 are referenced again in the following sections. They are basically your map to constructing a VPN between Portland and Salem.

Configuring IKE

Now that you have prepared your firewall in the previous step, let's begin the configuration stage. The basic steps to configuring IKE, which the CLI also calls ISAKMP, are as follows:

  1. Enable IKE/ISAKMP.

  2. Create an ISAKMP policy.

  3. Configure the pre-shared key.

The commands needed to configure these steps are shown in Listings 12.1 through 12.3 and are described in the following sections. The command sequence you will need for your IKE configuration, as per Figure 12.6, is shown in Listing 12.1.

Listing 12.1 Portland Firewall

 portland(config)# isakmp enable outside
 portland(config)# isakmp policy 10 authentication pre-share
 portland(config)# isakmp policy 10 encryption des
 portland(config)# isakmp policy 10 hash md5
 portland(config)# isakmp policy 10 group 1
 portland(config)# isakmp policy 10 lifetime 86400
 portland(config)# isakmp identity address
 portland(config)# isakmp key dog address 169.254.1.25 netmask 255.255.255.255

Listing 12.2 displays the Salem firewall settings for its ISAKMP policy.

Listing 12.2 Salem Firewall
 salem(config)# isakmp enable outside
 salem(config)# isakmp policy 10 authentication pre-share
 salem(config)# isakmp policy 10 encryption des
 salem(config)# isakmp policy 10 hash md5
 salem(config)# isakmp policy 10 group 1
 salem(config)# isakmp policy 10 lifetime 86400
 salem(config)# isakmp identity address
 salem(config)# isakmp key dog address 169.254.8.1 netmask 255.255.255.255

The isakmp enable Command

The first and most basic step is to enable IKE/ISAKMP. IKE can be enabled for all interfaces or on a per-interface basis. The command syntax is shown here:

 pixfirewall(config)# isakmp enable <if_name> 

Table 12.1 displays the isakmp enable options.

Table 12.1. isakmp enable Options

  Option    Function
  if_name   Specifies which interfaces have ISAKMP enabled.

The isakmp policy Command

The isakmp policy command enables you to define a group of settings under one priority number. You can create several policies on the PIX firewall if needed; you simply give each group of settings a different priority number. When two peers connect, the lowest policy priority numbers are tried first. So, make your most desired policy the smallest number. The syntax of the isakmp policy command is shown in Listing 12.3.

Listing 12.3 The isakmp policy Command
 pixfirewall(config)# isakmp policy <priority> authen <pre-share|rsa-sig>
 pixfirewall(config)# isakmp policy <priority> encrypt <des|3des>
 pixfirewall(config)# isakmp policy <priority> hash <md5|sha>
 pixfirewall(config)# isakmp policy <priority> group <1|2>
 pixfirewall(config)# isakmp policy <priority> lifetime <seconds>

Table 12.2 displays the available options for the isakmp policy command.

Table 12.2. isakmp policy Options

  Option     Function
  priority   Uniquely identifies one group of IKE policy settings by a single group/priority number. You can use numbers between 1 and 65,534.
  authen     Defines whether to use pre-shared keys or RSA signatures.
  encrypt    Defines which encryption algorithm to use in the IKE policy (DES or 3DES).
  hash       Defines which hashing algorithm to use in the IKE policy (MD5 or SHA-1).
  group      Defines which Diffie-Hellman group to use: group 1 or group 2.
  lifetime   Specifies how many seconds each SA exists before new keys are generated. Values are in seconds and can be between 60 and 86,400 seconds (1 day).

The isakmp identity Command

When IKE does pre-shared authentication, it needs to associate a pre-shared key with an identity. The peers can identify themselves with either an IP address or a hostname. IP addresses work best in most cases; however, if your peer's address changes often, you should use a hostname instead. The command syntax is as follows:

 pixfirewall(config)# isakmp identity <address|hostname>

Table 12.3 displays the isakmp identity options available.

Table 12.3. isakmp identity Options

  Option     Function
  address    Indicates that the identity being used is an IP address.
  hostname   Indicates that the identity being used is a hostname.

The isakmp key Command

The isakmp key command creates a pre-shared key and links it to a specific identity. You can use a different pre-shared key for each peer by adding an isakmp key entry per peer. If the key is "dog" on one side, it must be "dog" on the other side; otherwise, authentication fails. The command syntax is shown here:

 isakmp key <key-string> address <ip> [netmask <mask>] 

Table 12.4 displays the isakmp key options.

Table 12.4. isakmp key Options

  Option       Function
  key-string   Specifies the pre-shared key used with an identity. It must match on both ends. The key-string can be up to 128 characters.
  ip           Specifies the remote peer's IP address.
  netmask      Specifies the remote peer's subnet mask.
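The preparation section warns that phase 1 fails when the peers' policies don't match, and the isakmp key section adds that the pre-shared key must be identical on both sides. The following script is an added example, not code from the book or from Cisco: it parses the isakmp lines of Listings 12.1 and 12.2 (embedded as constructed text) and replays the selection rule described above, trying policies lowest priority number first and requiring authentication, encryption, hash and Diffie-Hellman group to agree. Treating the shorter of two lifetimes as the agreed value is this model's assumption, not something the book states. The DES, MD5 and group 1 values come from the book's 2003-era listings; the matcher treats them as data and does not judge their strength.

```python
"""Model of IKE phase 1 policy matching between two PIX peers (added example)."""
import re
from typing import Dict, Optional, Tuple

# Constructed input: the isakmp lines of Listing 12.1 (Portland, outside address 169.254.8.1).
PORTLAND_CONF = """
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp key dog address 169.254.1.25 netmask 255.255.255.255
"""

# Constructed input: the isakmp lines of Listing 12.2 (Salem, outside address 169.254.1.25).
SALEM_CONF = """
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp key dog address 169.254.8.1 netmask 255.255.255.255
"""

Policy = Dict[str, str]   # attribute -> value for one priority number
POLICY_RE = re.compile(r"^isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)$")
KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+)(?: netmask (\S+))?$")
NEGOTIATED = ("authentication", "encryption", "hash", "group")


def parse_isakmp(conf: str) -> Tuple[Dict[int, Policy], Dict[str, str]]:
    """Return ({priority: policy attributes}, {peer address: pre-shared key})."""
    policies: Dict[int, Policy] = {}
    keys: Dict[str, str] = {}
    for raw in conf.strip().splitlines():
        line = raw.strip()
        pm = POLICY_RE.match(line)
        if pm:
            policies.setdefault(int(pm.group(1)), {})[pm.group(2)] = pm.group(3)
            continue
        km = KEY_RE.match(line)
        if km:
            keys[km.group(2)] = km.group(1)
    return policies, keys


def match_phase1(initiator: Dict[int, Policy],
                 responder: Dict[int, Policy]) -> Optional[Tuple[int, int, Policy]]:
    """Walk the initiator's policies lowest priority first until one agrees with a responder policy.

    Returns (initiator priority, responder priority, agreed attributes), or None when
    nothing matches, which is the "policies don't match" failure described above.
    """
    for ipri in sorted(initiator):
        ipol = initiator[ipri]
        for rpri in sorted(responder):
            rpol = responder[rpri]
            if all(ipol.get(a) is not None and ipol.get(a) == rpol.get(a) for a in NEGOTIATED):
                agreed: Policy = {a: ipol[a] for a in NEGOTIATED}
                # Assumption of this model: lifetimes need not match; the shorter one is used.
                agreed["lifetime"] = str(min(int(ipol.get("lifetime", "86400")),
                                             int(rpol.get("lifetime", "86400"))))
                return ipri, rpri, agreed
    return None


def keys_agree(local_keys: Dict[str, str], local_ip: str,
               remote_keys: Dict[str, str], remote_ip: str) -> bool:
    """Each side files the key under the *other* side's address; both strings must be identical."""
    mine = local_keys.get(remote_ip)
    theirs = remote_keys.get(local_ip)
    return mine is not None and mine == theirs


if __name__ == "__main__":
    p_policies, p_keys = parse_isakmp(PORTLAND_CONF)
    s_policies, s_keys = parse_isakmp(SALEM_CONF)
    print("phase 1 match:", match_phase1(p_policies, s_policies))
    print("keys agree:", keys_agree(p_keys, "169.254.8.1", s_keys, "169.254.1.25"))
```

Changing a single attribute on one side (for instance Salem's hash to sha) makes match_phase1 return None, which is the quickest way to see why the preparation step insists on documenting the phase 1 parameters before typing them in.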

Configuring IPSec

Now that the management connection parameters are set (phase 1), you are ready to set the phase 2 parameters. Phase 2 requires several settings combined into a crypto map. This map, as shown in Figure 12.7, uses an ACL named "VPNTraffic", global SA lifetime settings (optional), and a transform set named "TranPtoS". These settings are bundled together and attached to an interface. When the two peers negotiate phase 2, each works through its crypto map looking for an entry that matches on both sides. If no match is found, IPSec communication fails. If a match is found, an SA is created and all traffic that matches the ACL in the crypto map is forwarded through the tunnel. The following is an overview of the required tasks:

  1. Enable IPSec to enter the firewall.

  2. Create a crypto access list.

  3. Set the global SA lifetime.

  4. Create a transform set.

  5. Create a crypto map.

  6. Attach the crypto map to an interface.

The commands needed to configure Figure 12.11 are shown in Listing 12.4 and Listing 12.5.

Listing 12.4 Portland Firewall Crypto Map Settings

 portland(config)# sysopt connection permit-ipsec
 portland(config)# access-list VPNTraffic permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
 portland(config)# crypto ipsec security-association lifetime seconds 28800 kilobytes 4608000
 portland(config)# crypto ipsec transform-set TranPtoS ah-sha-hmac esp-des
 portland(config)# crypto map MapPtoS 20 ipsec-isakmp
 portland(config)# crypto map MapPtoS 20 match address VPNTraffic
 portland(config)# crypto map MapPtoS 20 set peer 169.254.1.25
 portland(config)# crypto map MapPtoS 20 set transform-set TranPtoS
 portland(config)# crypto map MapPtoS interface outside
 portland(config)# access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
 portland(config)# nat (inside) 0 access-list NONAT

Listing 12.5 Salem Firewall Crypto Map Settings

 salem(config)# sysopt connection permit-ipsec
 salem(config)# access-list VPNTraffic permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
 salem(config)# crypto ipsec security-association lifetime seconds 28800 kilobytes 4608000
 salem(config)# crypto ipsec transform-set TranPtoS ah-sha-hmac esp-des
 salem(config)# crypto map MapPtoS 20 ipsec-isakmp
 salem(config)# crypto map MapPtoS 20 match address VPNTraffic
 salem(config)# crypto map MapPtoS 20 set peer 169.254.8.1
 salem(config)# crypto map MapPtoS 20 set transform-set TranPtoS
 salem(config)# crypto map MapPtoS interface outside
 salem(config)# access-list NONAT permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
 salem(config)# nat (inside) 0 access-list NONAT

The sysopt connection permit-ipsec Command

To allow IPSec traffic into the firewall, you need to either create several ACL entries permitting IP protocols 50 and 51 and UDP port 500 (IKE) or use the sysopt command. The ACL option enables you to be granular in specifying which interface will allow IPSec traffic in. However, the sysopt connection permit-ipsec command is easier to implement and allows IPSec and L2TP connections on all interfaces. The command syntax is

 pixfirewall(config)# sysopt connection permit-ipsec

The crypto access-list Command

A crypto ACL defines which IP traffic should or shouldn't be forwarded through the tunnel. The crypto access-list command looks exactly like any other access list but behaves slightly differently. If traffic matches a permit statement in the ACL, it is forwarded through the tunnel and protected by it. Conversely, if the traffic doesn't match or is denied, it is not dropped but is allowed to travel outside the tunnel. Here is an example:

 portland(config)# access-list VPNTraffic permit ip 192.168.1.0           255.255.255.0 10.0.0.0 255.0.0.0 

This access list states that any source traffic from 192.168.1.0/24 going to destination 10.0.0.0/8 is permitted. Therefore, it is protected by the tunnel.

Note that the only difference between this and other ACLs is that it's used in the crypto map command's match parameter, making it a crypto ACL.
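Two properties of crypto ACLs are worth checking mechanically: a non-matching packet is sent in the clear rather than dropped, and the peer's ACL must be the mirror image of the local one (Listing 12.5 swaps the source and destination of Listing 12.4). The script below is an added example, not the book's or Cisco's code; it parses the two access-list lines as constructed text and the packet addresses it evaluates are made up. PIX access lists take a real subnet mask rather than an IOS-style wildcard, which is why the entries are fed straight to the ipaddress module.

```python
"""Crypto ACL evaluation and mirror check for a PIX site-to-site tunnel (added example)."""
import ipaddress
import re
from typing import List, Tuple

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]   # (action, source, destination)

# access-list <name> permit|deny ip <src> <src mask> <dst> <dst mask>
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$", re.IGNORECASE)

# Constructed from Listing 12.4 (Portland) and Listing 12.5 (Salem).
PORTLAND_ACL = "access-list VPNTraffic permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0"
SALEM_ACL = "access-list VPNTraffic permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0"


def parse_crypto_acl(text: str, name: str) -> List[Entry]:
    """Collect the entries of the named access list in the order they were entered."""
    entries: List[Entry] = []
    for raw in text.strip().splitlines():
        m = ACL_RE.match(raw.strip())
        if not m or m.group(1) != name:
            continue
        action, src, smask, dst, dmask = m.group(2, 3, 4, 5, 6)
        entries.append((action.lower(),
                        ipaddress.ip_network(f"{src}/{smask}", strict=False),
                        ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return entries


def tunnel_decision(entries: List[Entry], src_ip: str, dst_ip: str) -> str:
    """'protected' when the first matching entry is a permit; otherwise 'cleartext', never 'dropped'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return "protected" if action == "permit" else "cleartext"
    return "cleartext"


def is_mirror(local: List[Entry], remote: List[Entry]) -> bool:
    """Every local permit (src, dst) must appear on the peer as (dst, src), and nothing else."""
    local_pairs = {(str(s), str(d)) for a, s, d in local if a == "permit"}
    remote_pairs = {(str(d), str(s)) for a, s, d in remote if a == "permit"}
    return local_pairs == remote_pairs


if __name__ == "__main__":
    portland = parse_crypto_acl(PORTLAND_ACL, "VPNTraffic")
    salem = parse_crypto_acl(SALEM_ACL, "VPNTraffic")
    print("192.168.1.10 -> 10.5.5.5:", tunnel_decision(portland, "192.168.1.10", "10.5.5.5"))
    print("192.168.1.10 -> 172.16.0.1:", tunnel_decision(portland, "192.168.1.10", "172.16.0.1"))
    print("Salem mirrors Portland:", is_mirror(portland, salem))
```

The cleartext result for a non-matching destination is the part a defender should keep in mind: a typo in the crypto ACL does not cause an outage, it quietly sends that traffic outside the tunnel.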

The crypto ipsec security-association lifetime Command

This command is used to set a global SA lifetime value for all crypto maps created. The lifetime value is used to define for how long hash and encryption keys are valid. When the lifetime is up, IPSec and IKE generate new keys. Although this is a global command, it can be overridden with a similar command within the crypto map commands. The following is the command syntax:

 pixfirewall(config)# crypto ipsec security-association lifetime seconds                28800 kilobytes 4608000 

Table 12.5 displays the command options for the crypto ipsec security-association command.

Table 12.5. security-association lifetime Options

  Option      Function
  seconds     Defines the amount of time in seconds for which keys are valid. The default is 28,800 seconds (8 hours).
  kilobytes   Defines the amount of data that can pass before the keys are regenerated. The default is 4,608,000KB (10Mbps).

Alert: If two peers have different security association values, the lowest value is used. Also, to manually clear all current security associations, the clear ipsec sa command can be used.


The transform-set Command

Transform sets define how user data is protected with AH, ESP, or both. A set can contain a maximum of three transforms: one AH for authentication, one ESP for encryption, and one ESP for authentication. The transform-set command also defines which mode to use: tunnel or transport mode. The command syntax is as follows:

 pixfirewall(config)# crypto ipsec transform-set <trans-name> [transform1] [transform2] [transform3]
 pixfirewall(config)# crypto ipsec transform-set <trans-name> mode transport

Table 12.6 displays the command options for the crypto ipsec transform-set command.

Table 12.6. transform-set Options

  Option           Function
  trans-name       Defines the name of the transform set.
  transform1       The first transform (see Table 12.7).
  transform2       The second, optional transform (see Table 12.7).
  transform3       The third, optional transform (see Table 12.7).
  mode transport   Sets the transform set to transport mode. To return the set to tunnel mode, use the no form of the command to turn off transport mode. Tunnel mode is the default.

Table 12.7 displays the possible transforms and their uses.

Table 12.7. Transform Options

  Transform      Description
  ah-md5-hmac    Used for authentication
  ah-sha-hmac    Used for stronger authentication
  esp-md5-hmac   Used with esp-des or esp-3des for additional integrity
  esp-sha-hmac   Used with esp-des or esp-3des for additional integrity
  esp-des        Used to encrypt with DES (56 bit)
  esp-3des       Used to encrypt with 3DES (168 bit)

Following are two examples of using the transform-set command:

 pixfirewall(config)# crypto ipsec transform-set TranData ah-sha-hmac 

This example shows a transform set named TranData being created with a single transform, using AH with SHA-1 and no encryption.

Here's the second example:

 pixfirewall(config)# crypto ipsec transform-set TranData2 ah-sha-hmac esp-des

This example shows a transform set named TranData2 being created with two transforms, using AH with SHA-1 and ESP with DES encryption.

Alert: The crypto ipsec transform-set command can have only three transforms.


The crypto map Command

crypto map is the command that brings everything together for phase 2. Access lists, lifetimes, transform sets, and peers are all bundled together and given a name and sequence number in a crypto map. Then the map is attached to an interface or multiple interfaces. However, an interface can have only one crypto map assigned to it. Some of the functions the crypto map command performs are listed here:

  • Defines what traffic is to be protected by IPSec (crypto ACL and match address command)

  • Designates where the protected traffic should be sent (the remote peer)

  • Determines how traffic should be protected (transform set)

  • Sets the IPSec security association lifetime (lifetime)

  • Specifies the local interface to use for IPSec traffic

crypto map commands contain a sequence number that enables you to create multiple entries in a map, which are then iterated from lowest sequence number to highest. Listing 12.6 displays the crypto map commands.

Listing 12.6 crypto map Commands
 pixfirewall(config)# crypto map <name> <seq_num> ipsec-isakmp|ipsec-manual
 pixfirewall(config)# crypto map <name> <seq_num> match address <access_list>
 pixfirewall(config)# crypto map <name> <seq_num> set peer <IP_address>
 pixfirewall(config)# crypto map <name> <seq_num> set transform-set <tran_name>
 pixfirewall(config)# crypto map <name> <seq_num> set pfs [group1|group2]
 pixfirewall(config)# crypto map <name> <seq_num> set security-association lifetime

Table 12.8 displays the command options for the crypto map command.

Table 12.8. crypto map Command Options

  Option                          Function
  name                            The name of the crypto map you are creating.
  seq_num                         The sequence number of the entry you are defining. The lowest number is tried first.
  ipsec-isakmp | ipsec-manual     Defines whether the IPSec SA is established by IKE (isakmp) or manually (manual).
  match address access_list       Specifies which addresses, by way of the crypto ACL, should be protected by the tunnel.
  peer <ip_address>               Defines the remote peer with which you are generating an IPSec tunnel.
  tran_name                       Defines the transform set to use with the crypto map.
  security-association lifetime   Specifies the lifetime for which the keys are valid; it overrides the global crypto ipsec security-association lifetime command.
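The transform-set section limits a set to three transforms of distinct roles, the lifetime alert says the lower of two differing SA values wins, and the crypto map table adds that an entry's own lifetime overrides the global one. The script below is an added example, not code from the book or from Cisco, that encodes those rules and runs them over the phase 2 lines of Listings 12.4 and 12.5 (embedded as constructed text). Salem's per-entry line "set security-association lifetime seconds 3600" is a hypothetical addition so that the override and the lowest-value rule both come into play; the book shows the command without its arguments.

```python
"""Phase 2 proposal check: transform-set validity and the negotiated SA lifetime (added example)."""
import re
from typing import Dict, List, Optional, Tuple

AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac"}          # Table 12.7: AH authentication
ESP_ENC = {"esp-des", "esp-3des"}                 # Table 12.7: ESP encryption
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}       # Table 12.7: ESP authentication
DEFAULT_LIFETIME = {"seconds": 28800, "kilobytes": 4608000}   # Table 12.5 defaults

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
GLOBAL_LT_RE = re.compile(r"^crypto ipsec security-association lifetime (.+)$")
MAP_TS_RE = re.compile(r"^crypto map (\S+) (\d+) set transform-set (\S+)$")
MAP_LT_RE = re.compile(r"^crypto map (\S+) (\d+) set security-association lifetime (.+)$")

# Constructed from Listing 12.4 (Portland) and Listing 12.5 (Salem, plus a hypothetical override).
PORTLAND_CONF = """
crypto ipsec security-association lifetime seconds 28800 kilobytes 4608000
crypto ipsec transform-set TranPtoS ah-sha-hmac esp-des
crypto map MapPtoS 20 ipsec-isakmp
crypto map MapPtoS 20 set transform-set TranPtoS
"""
SALEM_CONF = """
crypto ipsec security-association lifetime seconds 28800 kilobytes 4608000
crypto ipsec transform-set TranPtoS ah-sha-hmac esp-des
crypto map MapPtoS 20 ipsec-isakmp
crypto map MapPtoS 20 set transform-set TranPtoS
crypto map MapPtoS 20 set security-association lifetime seconds 3600
"""


def validate_transform_set(transforms: List[str]) -> Optional[str]:
    """Return None when the set is legal, otherwise a short description of the problem."""
    if not 1 <= len(transforms) <= 3:
        return "a transform set needs one to three transforms"
    counts = {"AH authentication": 0, "ESP encryption": 0, "ESP authentication": 0}
    for t in (x.lower() for x in transforms):
        if t in AH_AUTH:
            counts["AH authentication"] += 1
        elif t in ESP_ENC:
            counts["ESP encryption"] += 1
        elif t in ESP_AUTH:
            counts["ESP authentication"] += 1
        else:
            return f"unknown transform {t}"
    for role, n in counts.items():
        if n > 1:
            return f"more than one {role} transform"
    return None


def _lifetime_args(text: str) -> Dict[str, int]:
    """Turn 'seconds 28800 kilobytes 4608000' (either keyword optional) into a dict."""
    words = text.split()
    return {words[i]: int(words[i + 1]) for i in range(0, len(words) - 1, 2)
            if words[i] in ("seconds", "kilobytes")}


def parse_phase2(conf: str) -> dict:
    """Collect transform sets, the global lifetime and the per-entry crypto map settings."""
    cfg: dict = {"sets": {}, "global": dict(DEFAULT_LIFETIME), "map_ts": {}, "map_lt": {}}
    for raw in conf.strip().splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m and not m.group(2).startswith("mode "):    # 'mode transport' lines carry no transforms
            cfg["sets"][m.group(1)] = m.group(2).lower().split()
            continue
        m = GLOBAL_LT_RE.match(line)
        if m:
            cfg["global"].update(_lifetime_args(m.group(1)))
            continue
        m = MAP_TS_RE.match(line)
        if m:
            cfg["map_ts"][(m.group(1), int(m.group(2)))] = m.group(3)
            continue
        m = MAP_LT_RE.match(line)
        if m:
            entry = (m.group(1), int(m.group(2)))
            cfg["map_lt"].setdefault(entry, {}).update(_lifetime_args(m.group(3)))
    return cfg


def effective_lifetime(cfg: dict, entry: Tuple[str, int]) -> Dict[str, int]:
    """Global lifetime, overridden by whatever the crypto map entry sets for itself."""
    lifetime = dict(cfg["global"])
    lifetime.update(cfg["map_lt"].get(entry, {}))
    return lifetime


def negotiate(local: dict, lentry: Tuple[str, int],
              remote: dict, rentry: Tuple[str, int]) -> Tuple[List[str], Dict[str, int]]:
    """Return (agreed transforms, agreed lifetime); raise ValueError where phase 2 would fail."""
    lset = local["sets"][local["map_ts"][lentry]]
    rset = remote["sets"][remote["map_ts"][rentry]]
    for side, tset in (("local", lset), ("remote", rset)):
        problem = validate_transform_set(tset)
        if problem:
            raise ValueError(f"{side} transform set rejected: {problem}")
    if set(lset) != set(rset):
        raise ValueError(f"no matching transform set: {lset} vs {rset}")
    ll, rl = effective_lifetime(local, lentry), effective_lifetime(remote, rentry)
    return sorted(lset), {k: min(ll[k], rl[k]) for k in ("seconds", "kilobytes")}
```

With the book's listings the two sides agree on ah-sha-hmac plus esp-des, and the hypothetical 3,600-second override on Salem pulls the agreed lifetime down from the 28,800-second global value while the kilobyte limit stays at the default.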

The crypto map interface Command

Now that you have created a crypto map for all your phase 2 IPSec parameters, you need to attach the map to an interface. The crypto map interface command can be used to accomplish this, and its syntax is as follows:

 pixfirewall(config)# crypto map <name> interface <if_name> 

Table 12.9 displays the options for the crypto map interface command.

Table 12.9. crypto map interface Options

  Option    Function
  name      The name of the crypto map you want to attach.
  if_name   The name of the interface to which the crypto map is attached.

Alert: An interface can have only one crypto map assigned to it, but a crypto map can be used on several interfaces.


The nat 0 Command

Finally, the last command needed is the nat 0 command. This command enables traffic from the Portland internal site to travel to the Salem internal site without being NAT translated. The command shown here repeats what is shown in the original commands for the Portland configuration:

 portland(config)# access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
 portland(config)# nat (inside) 0 access-list NONAT


CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218