Labs / practices are continuesly going will the new challanges and new approaches, while going through the labs of the CCIE Security, so far preparation is going smoothly and a little slowely while being engaged with different project and work goals, here i come with a easy and much required lab to be understood / practiced for all CCIE Security candidates!
Scenario is the we will configure Site-To-Site IPSec VPN on Cisco IOS using the Main Mode:
Ineternet Security Association and Key Management Protocol which is defined on RFC 2408 as Framwork for authentication of peer, creation and managemnet of Security Assoications , techniques of Key generation and threat mitigation. within ISAKMP Cisco uses Oakley protocol for key management which enables selection among differnet DH (Diffie-Helman) groups.
ISAKMP and Oakley create an authenticated, secure tunnel between two entities, and then negotiate the SA for IPSec. ISAKMP has two modes which are Main Mode and Aggressive Mode.
Internet Key Exchange is a hybrid protocol which establishes a shared security policy and authenticated keys for services that requires keys, such as a IPSec. IKE and ISAKMP are both used interchangeably, however these two items are somewhat different.
We have 2 Phases for IKE:
Phase 1: Two ISAKMP peers establish a secure, authenticated channel, whch is known as the ISAKMP SA (Security Associations).
Phase 2: SAs are negotiated on behalf of services such as IPSec that needs keying material which is also called Quick Mode.
ISAKMP (IKE Phase 1) can be configured in two methods, which are :
1. Using Pre-Shared Key:
2. Using PKI (Public Key Infrastructure):
IPSec (IKE Phase 1) can be configured onward as below:
1. Creation of Extended Access List
2. Creation of IPSec Transform-Set
3. Creation of crypto-map for binding of all parameters
4. And apply crypto map to engress interface
Below is the Topology which we will use during this lab:
We have Cisco devices connected as Point to Point thorugh GigEthernet Ports and they are configured as Point to Point address.
IOS Version which are used in this lab are Dynamips 3750.. So let’s start with configuration:
PS: We will focus on S2S IPSec VPN configuation only, and routers are already pre-configured with interface ip addresses and static route toward loopbacks pointing to the next-hop.
R1 (config) #crypto isakmp policy 10
R1 (config-isakmp) #encryption 3des
R1 (config-isakmp) #authentication pre-share
R1 (config-isakmp) #hash md5
R1 (config-isakmp) #group 2
R1 (config) #crypto isakmp key cisco address 10.1.12.2
R1 (config) #crypto ipsec transform-set R1-R2 esp-3des esp-md5-hmac
R1 (config) #crypto map C-MAP 10 ipsec-isakmp
R1 (config-crypto-map) #set peer 10.1.12.2
R1 (config-crypto-map) #set transform-set R1-R2
R1 (config-crypto-map) #match address 100
R1 (config) #access-list 100 permit ip host 126.96.36.199 host 188.8.131.52
R1 (config) #interface gigethernet0/0
R1 (config-if) #crypto map C-MAP
R2 (config) #crypto isakmp policy 10
R2 (config-isakmp) #encryption 3des
R2 (config-isakmp) #authentication pre-share
R2 (config-isakmp) #hash md5
R2 (config-isakmp) #group 2
R2 (config) #crypto isakmp key cisco address 10.1.12.1
R2 (config) #crypto ipsec transform-set R1-R2 esp-3des esp-md5-hmac
R2 (config) #crypto map C-MAP 10 ipsec-isakmp
R2 (config-crypto-map) #set peer 10.1.12.1
R2 (config-crypto-map) #set transform-set R1-R2
R2 (config-crypto-map) #match address 100
R2 (config) #access-list 100 permit ip host 184.108.40.206 host 220.127.116.11
R2 (config) #interface gigethernet0/0
R2 (config-if) #crypto map C-MAP
You can first initiate loopback to loopback test by sending icmp packets:
R1#ping 18.104.22.168 source lo0Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 22.214.171.124, timeout is 2 seconds:Packet sent with a source address of 126.96.36.199.!!!!Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 msR1#
Note that first packet drops because we have IKE Phase 1 negoitated and parameters are exchanged, you can view the messages through the following command:
R1# debug crypto isakmp
R1# debug crypto ipsec
once debugging are enabled you can view the 6 messages exchanged between the pairs on IKE Phase 1 and 3 messages exchanged on Phase 2 for parameters negotiation, authenticating peers, exchange of ISAKMP parameters, and other.
More commands to verify:
R1# show crypto isakmp sa
R1# show crypto isakmp sa detail
R1# show crypto ipsec sa
R1# show crypto ipsec sa identity
R1# show crypto ipsec sa address
R1# show crypto engine connections active
R1# show crypto engine connections dh
Hope you guys well-briefed !