Cisco IOS VPN Configuration
Scenario 1: Gateway-to-gateway with preshared secrets
The following is a typical gateway-to-gateway VPN that uses a preshared
secret for authentication.
   10.5.6.0/24                                        172.23.9.0/24
        |                                                      |
      --|                                                      |--
        |   +-----------+     /-^-^-^-^--\     +-----------+   |
        |---| Gateway A |=====| Internet  |=====| Gateway B |---|
        | AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL |
      --|   10.5.6.1  14.15.16.17      22.23.24.25  172.23.9.1 |--
        |                                                      |
Gateway A connects the home LAN 10.5.6.0/24 to the Internet. Gateway A's
LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has
the address 14.15.16.17.
Gateway B connects the home LAN 172.23.9.0/24 to the Internet. Gateway
B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN
interface address, 172.23.9.1, can be used for testing IPsec but is not
needed for configuring Gateway A.
The IKE Phase 1 parameters used in Scenario 1 are:
* Main mode
* TripleDES
* SHA-1
* MODP group 2 (1024 bits)
* pre-shared secret of "hr5xb84l6aa9r6"
* SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
The IKE Phase 2 parameters used in Scenario 1 are:
* TripleDES
* SHA-1
* Tunnel mode
* MODP group 2 (1024 bits)
* Perfect forward secrecy for rekeying
* SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
* Selectors for all IP protocols, all ports, between 10.5.6.0/24 and
172.23.9.0/24, using IPv4 subnets
To set up Gateway A for this scenario, use the following steps:
Cisco IOS includes IPSec support, beginning with early versions of IOS
Version 12; however, the commands have remained unchanged throughout the evolution of IOS
Version 12 point releases. The following example uses the current available
version, Cisco IOS Version 12.2(8)T4.
This example uses a Cisco 1700 series router, which has one ethernet port
and one serial port. The ethernet port, FastEthernet0, will be the outside,
or Internet-facing interface. The serial port, Serial0, will be the inside
interface. (This is just an example. Your interfaces may be different.)
All configuration changes are volatile, and immediate, until the "write"
command is executed, at which point the configuration is saved to flash and will be
reloaded after a reboot. At any time, you may view the running
configuration with the command "show running-configuration", or view the
saved configuration with the command "show config". Most commands can be
abbreviated. Use a ? at the prompt or in a command to see options.
Configure IP on the interfaces:
Router# config term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# int fa0
Router(config-if)# ip address 14.15.16.17 255.255.255.0
Router(config-if)# speed auto
Router(config-if)# ^Z
Router# config term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# int ser0
Router(config-if)# ip address 10.5.6.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# ^Z
Router#
Define the default route:
Router# config term
Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1
Router(config)# exit
Cisco supports only one IKE policy per router, so you must create one which
is agreeable to all systems you are going to interoperate with. Assign it
a sequence number of 5. If you wanted to have more than one proposal in
the policy, the proposals would be specified in the order defined by this policy
sequence number. Configure the IKE Policy:
Router# config term
Router(config)# crypto isakmp policy 5
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# group 2
Router(config-isakmp)# hash sha
Router(config-isakmp)# lifetime 28800
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# exit
Since multiple peers will share the same IKE policy, you must match each
peer with its pre-shared secret:
Router# config term
Router(config)# crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
Router(config)# exit
The IPSEC transform will be joined later with the rest of the IPSEC policy
in a crypto map command. In this command, "STRONG" is just a label. Labels
are CASE-SENSITIVE. Define the IPSEC transform:
Router# config term
Router(config)# crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
Router(cfg-crypto-trans)# exit
Cisco IOS uses access lists for SPD entries. Many features of access lists
(e.g. TCP flag checking) don't work in IPSEC. This kind of access list
MUST be labelled with a 3-digit number. The netmasks in Cisco access lists
are inverted. Nobody knows why, they just are. This list says "all traffic
from 10.5.6.0/24 to 172.23.9.0/24, all ports, all IP protocols". Create the
IPSEC access list:
Router# config term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1
Router(config)# exit
Because IOS is a router first and an IPSEC gateway second, we have to tell
IOS which interface to send packets on if the default route is not enough.
In this scenario we don't need it, but in other situations you might need to
define a route for the remote protected network:
Router# config term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip route 172.23.9.0 255.255.255.0 14.15.16.17
Router(config)# exit
A crypto map binds all the assorted crypto parameters to a specific remote
gateway. Several crypto maps bound to different remote gateways can be
grouped together in one crypto map SET which is then bound to an outgoing
interface. The number following the crypto map set name is the ordering of
the map in the set. Bind the policy together with a crypto map, and give it
the label CISCO:
Router# config term
Router(config)# crypto map CISCO 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)# set security-association lifetime seconds 3600
Router(config-crypto-map)# set transform-set STRONG
Router(config-crypto-map)# set pfs group2
Router(config-crypto-map)# set peer 22.23.24.25
Router(config-crypto-map)# match address 101
Router(config-crypto-map)# exit
Because Ciscos may have many interfaces, you have to attach the SPD to the
outgoing interface:
Router# config term
Router(config)# interface fa0
Router(config-if)# crypto map CISCO
Router(config-if)# ^Z
If you had multiple tunnels to multiple gateways, you would need to create a
different access list for each tunnel, add an isakmp key entry for each
gateway, and perhaps create a different ipsec transform if your security
policy is different. For example, let's say you have a new remote peer at
23.23.24.25, for which you have created access-list 102. You may then add
a crypto map to the set created above:
Router# config term
Router(config)# crypto map CISCO 20 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router(config-crypto-map)# set security-association lifetime seconds 3600
Router(config-crypto-map)# set transform-set STRONG
Router(config-crypto-map)# set pfs group2
Router(config-crypto-map)# set peer 23.23.24.25
Router(config-crypto-map)# match address 102
Router(config-crypto-map)# exit
Now the outgoing interface FastEthernet0 has both crypto maps, and it will
compare traffic to each map in order to determine if the traffic requires
encryption.
Save the configuration:
Router# write
Building configuration...
[OK]
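The multi-tunnel procedure above, as an added example that is not part of the original page: a Python generator that emits the isakmp key, access list and crypto map entry for each remote gateway, computing the inverted access-list masks. The second peer, its subnet 192.0.2.0/25 and its key are constructed placeholders, not values from the page.

```python
import ipaddress

# Added example (not from the original page): emit the per-gateway IOS commands the
# text describes for extra tunnels, computing Cisco's inverted access-list masks.
LOCAL_LAN = "10.5.6.0/24"                 # Gateway A's protected subnet (from the page)
# (peer WAN address, remote protected subnet, pre-shared key). The first entry is the
# page's Gateway B; the second is a constructed peer with a placeholder key.
PEERS = [
    ("22.23.24.25", "172.23.9.0/24", "hr5xb84l6aa9r6"),
    ("23.23.24.25", "192.0.2.0/25", "PSK_PLACEHOLDER"),
]

def wildcard_mask(cidr):
    """Cisco ACLs want the inverted netmask: /24 -> 0.0.0.255, /25 -> 0.0.0.127."""
    return str(ipaddress.IPv4Network(cidr).hostmask)

def tunnel_commands(local_lan, peers, acl_base=101, seq_base=10, lifetime=3600):
    """One isakmp key, one access list and one crypto map entry per remote peer.

    Access-list numbers 100-199 are IP extended lists (the page's 'access-list 101');
    anything outside that range is rejected instead of being emitted.
    """
    local = ipaddress.IPv4Network(local_lan)
    cmds = []
    for i, (peer, remote_lan, psk) in enumerate(peers):
        acl, seq = acl_base + i, seq_base + 10 * i    # ACL 101, 102, ...; map 10, 20, ...
        if not 100 <= acl <= 199:
            raise ValueError("extended IP access-list number out of range: %d" % acl)
        remote = ipaddress.IPv4Network(remote_lan)
        cmds += [
            "crypto isakmp key %s address %s" % (psk, peer),
            "access-list %d permit ip %s %s %s %s" % (
                acl, local.network_address, wildcard_mask(local_lan),
                remote.network_address, wildcard_mask(remote_lan)),
            "crypto map CISCO %d ipsec-isakmp" % seq,
            " set security-association lifetime seconds %d" % lifetime,
            " set transform-set STRONG",
            " set pfs group2",
            " set peer %s" % peer,
            " match address %d" % acl,
        ]
    return cmds

if __name__ == "__main__":
    print("\n".join(tunnel_commands(LOCAL_LAN, PEERS)))
```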
Here is the completed IPSEC part of the Cisco configuration:
Router# show config
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto map CISCO 101 ipsec-isakmp
 set peer 22.23.24.25
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet0
 ip address 14.15.16.17 255.255.255.0
 speed auto
 crypto map CISCO
!
interface Serial0
 ip address 10.5.6.1 255.255.255.0
!
access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
!
Now, bring up a tunnel! The IOS ping command extensions will allow you to
select the source interface, and thus IP address, of the ping:
Router# ping
Protocol [ip]:
Target IP address: 172.23.9.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Serial0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.9.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Hmmmm ... What could be wrong? Let's check some basics:
Router# show ip int brief
Interface        IP-Address      OK? Method Status   Protocol
FastEthernet0    14.15.16.17     YES manual up       up
Serial0          10.5.6.1        YES manual down     down
Ah, the serial interface is down. I have to actually hook it up to something
to bring the interface up. Now, the ping works and brings up the SAs.
Show the SAs with these commands:
Router# show crypto isakmp sa
    dst             src             state          conn-id    slot
    14.15.16.17     22.23.24.25     QM_IDLE              1       0
Router# show crypto ipsec sa
interface: FastEthernet0
    Crypto map tag: CISCO, local addr. 14.15.16.17
   local  ident (addr/mask/prot/port): (10.5.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.23.9.0/255.255.255.0/0/0)
   current_peer: 22.23.24.25
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest 12
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify 23
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 14.15.16.17, remote crypto endpt.: 22.23.24.25
     path mtu 1500, media mtu 1500
     current outbound spi: 3C39A800
     inbound esp sas:
      spi: 0xD7228E4B(3609366091)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x3C39A800(1010411520)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
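A way to verify that the SAs shown above actually match the Phase 2 policy that was configured (ESP 3DES/SHA-1, tunnel mode, replay detection), as an added example that is not part of the original page: a small Python parser for the "show crypto ipsec sa" output. SAMPLE is a constructed excerpt in the layout of the output above.

```python
import re

# Added example (not from the original page): parse "show crypto ipsec sa" output and
# check each ESP SA against the Phase 2 policy above. SAMPLE is a constructed excerpt.
SAMPLE = """\
     inbound esp sas:
      spi: 0xD7228E4B(3609366091)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x3C39A800(1010411520)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        replay detection support: Y
"""
EXPECTED = {"transform": ("esp-3des", "esp-sha-hmac"), "mode": "Tunnel", "replay": True}

def parse_ipsec_sa(text):
    """Return {'inbound': {...}, 'outbound': {...}} for the ESP SAs in the output."""
    sas, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        hdr = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s)
        if hdr:                       # section header; only the ESP sections are kept
            cur = hdr.group(1) if hdr.group(2) == "esp" else None
            continue
        if cur is None:
            continue
        sa = sas.setdefault(cur, {})
        if s.startswith("spi:"):      # "spi: 0xD7228E4B(3609366091)" -> 0xD7228E4B
            sa["spi"] = int(s.split()[1].split("(")[0], 16)
        elif s.startswith("transform:"):
            sa["transform"] = tuple(s[len("transform:"):].strip(" ,").split())
        elif "in use settings" in s:  # "={Tunnel, }" -> "Tunnel"
            sa["mode"] = re.search(r"=\{(\w+)", s).group(1)
        elif "remaining key lifetime" in s:   # "(k/sec): (4607999/3574)" -> 3574
            sa["sec_left"] = int(re.search(r"/(\d+)\)", s).group(1))
        elif s.startswith("replay detection support:"):
            sa["replay"] = s.endswith("Y")
    return sas

def check_sas(sas, expected=EXPECTED):
    """Deviations from the configured policy; an empty list means both ESP SAs match."""
    return ["%s: %s is %r, expected %r" % (d, k, sas.get(d, {}).get(k), v)
            for d in ("inbound", "outbound") for k, v in expected.items()
            if sas.get(d, {}).get(k) != v]
```

Feed it the real output of "show crypto ipsec sa" instead of SAMPLE; the remaining seconds should sit below the 3600 second lifetime set in the crypto map.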
The easiest way to clear SAs from a Cisco IOS system varies with version, but
one of these two will usually work:
Router# clear crypto isakmp
Router# clear crypto sa
To enable debugging in IOS, you must turn on the debug as well as turn on the
debug monitor, which is usually the terminal you are logged in on:
Router# debug crypto verbose
Router# debug crypto isakmp
Router# term monitor
To disable debugging:
Router# no debug all
Router# term no monitor