Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

250 Chapter 8 Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support

        lifetime:               86400 seconds, no volume limit
Lab_A#

Lab_B#show crypto isakmp policy
Protection suite of priority 2
        encryption algorithm:   3DES--Triple Data Encryption Standard
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES--Data Encryption Standard
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Lab_B#

 

Sweet—everything looks great! Now that you’ve verified that your IKE policies are actually configured on each device, you’re ready to move on and configure IPSec.

Configuring IPSec

Just like pre-shared keys, there are important steps that you should keep in mind when configuring IPSec on your routers. Configuring IPSec on each device is a five-step process:

1. Create the transform set.

2. Set the IPSec SA lifetime.

3. Create the access list that specifies the traffic to encrypt.

4. Create the crypto map.

5. Apply the crypto map to an interface.

Creating the Transform Set

A transform set is your tool for protecting the data flow. It’s made up of payload authentication, payload encryption, and an IPSec mode. For devices to peer, the transform set must match on each device, except (obviously) for their names. Also, in order for a transform set to be valid, it must have a unique name on the device and at least one transform. To configure a transform set, enter the following command in global configuration mode:

crypto ipsec transform-set transform-set-name {[transform1] [transform2] [transform3]}

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site

251

The variables for the preceding command are as follows:

transform-set-name: This should be a unique name for the transform set.

transform1: This can be ah-md5-hmac or ah-sha-hmac.

transform2: This can be esp-des, esp-3des, or esp-null. Note that esp-null applies ESP with no encryption at all, so it gives you integrity only when paired with an ESP HMAC transform; use it for testing, not for protecting real traffic.

transform3: This can be esp-md5-hmac or esp-sha-hmac.

After you’ve issued the preceding command, the device enters transform set configuration mode, in which the IPSec mode for the transform set can be configured. The default IPSec mode is tunnel. To change the IPSec mode, enter the following command:

mode {tunnel | transport}

When you’re configuring transform sets, it’s really important to make sure that both the transforms and the IPSec mode are the same on both devices that will peer; a transform set that differs in either one will never be selected during IPSec SA negotiation.

Setting the IPSec SA Lifetime

To make sure you’re clear on this, an IPSec SA lifetime is what you use to determine how long IPSec SAs remain valid until they need to be renegotiated. There are two ways in which you can configure the IPSec SA lifetime. The first is globally, and the second is per crypto map sequence. When you go with the configured-globally option, the IPSec SA lifetime is applied to each and every crypto map that exists on the device. And it’s important to know that a global IPSec SA lifetime can be overridden by configuring a crypto map–specific IPSec SA lifetime. For now, I’m going to stick with global IPSec SA lifetimes. You’ll learn about the crypto map–specific IPSec SA lifetimes later in this chapter.

There are two types of global IPSec SA lifetimes that exist on a device: seconds and kilobytes. The seconds global IPSec SA lifetime specifies the number of seconds that an IPSec SA remains active before it expires. The kilobytes global IPSec SA lifetime specifies the amount of traffic that can be transmitted between peers for a given IPSec SA before the SA expires.

To change the seconds global IPSec SA from its default of 3600 seconds, enter the following command in global configuration mode, where seconds is a value between 120 and 86,400:

crypto ipsec security-association lifetime seconds seconds

To change the kilobytes global IPSec SA from its default of 4,608,000 kilobytes, enter the following command, where kilobytes represents a value between 2560 and 4,608,000:

crypto ipsec security-association lifetime kilobytes kilobytes

Remember that both the kilobytes and seconds global IPSec SA lifetimes exist on a device at the same time; an IPSec SA expires when whichever of the two limits is reached first.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com


Creating the Access List

So far you’ve created the transform set and set the global IPSec lifetimes. But what good is IPSec if you haven’t specified any traffic to protect? That’s where access lists come into play.

IPSec uses extended access lists to perform the following tasks:

Choose the outbound traffic to protect.

Process inbound traffic for selecting IPSec traffic.

Process inbound traffic for filtering out traffic that should have been protected.

When processing IKE negotiations, they determine whether to accept requests for IPSec SAs.

I’m not going to explain how to create extended access lists here. If you need more information on extended access lists, they’re covered in detail in the CCNA Study Guide (Sybex, 2002).

Cisco recommends using symmetrical access lists for IPSec because doing so causes both outbound and inbound traffic to be compared against the same access list.

Creating the Crypto Map

IPSec SAs are established through the use of a crypto map, which is basically a combination of one or more sequences where each sequence represents an IPSec SA.

Each crypto map sequence specifies the following:

What traffic to protect

The remote peer the protected traffic should be sent to

The transforms to use to protect the traffic

Whether the IPSec SA will be established via IKE or manually

Other parameters such as a description and a crypto map IPSec SA lifetime

All sequences of a crypto map are tied together by the name of the respective crypto map. Each sequence can be one of the following types:

Cisco: This sequence specifies that Cisco Encryption Technology will be used to protect traffic instead of IPSec.

IPSec-manual: The IPSec-manual sequence specifies that IKE will not be used to establish the IPSec SAs; keys and SPIs are entered by hand. This type of sequence is discussed in more detail later in this chapter.

IPSec-isakmp: This sequence specifies that IKE will be used to establish IPSec SAs.

Dynamic: The dynamic sequence references a pre-existing dynamic crypto map, a template used when the remote peer’s address is not known in advance. This book does not cover dynamic crypto maps because they are beyond the scope of the SECUR exam.


To create a crypto map sequence that utilizes IKE, enter the following command in global configuration mode, where map-name is the name of the crypto map and seq-num is the sequence number of the crypto map sequence, which is a value between 1 and 65,535:

crypto map map-name seq-num ipsec-isakmp

Logically, the sequence number is what you use to specify the order that traffic is compared to the crypto map; the lowest sequence number is compared first. So it’s a very good idea to give the sequences that will be matched most often a lower sequence number—they’ll process through more quickly that way.

When Would You Need More Than One Sequence?

Because an interface can have only one crypto map applied to it, you can run into a bit of trouble when you need more than one IPSec tunnel to form over an interface. The following graphic illustrates a network that would need two IPSec tunnels over the same interface:

[Figure: HQ router, interface S0/0, connected to the Internet; Site_1 and Site_2 routers, each on interface S0, also connected to the Internet.]

Company XYZ is made up of three sites: HQ, Site_1, and Site_2. All of the sites are connected to the Internet for WAN connectivity. The HQ site needs to have one IPSec tunnel connection to Site_1 and one IPSec tunnel connection to Site_2. How do you do this when you already know that an interface can have only one crypto map applied to it? All you need to do is create a crypto map with two sequences—one for the connection to Site_1 and the other for the connection to Site_2.


Once you’ve created the sequence with the crypto map command, the device enters crypto map configuration mode. This is where you get to configure the specific parameters of the sequence. Table 8.1 lists the commands you can enter in crypto map configuration mode for a sequence using IKE.

T A B L E 8 . 1 Crypto Map Configuration Mode Commands

match address {access-list-number | name}
    A mandatory command that specifies the extended access list to use for defining the traffic to protect.

set peer {peer-address | peer-hostname}
    A mandatory command that specifies the IPSec peer.

set transform-set transform-set-name [transform-set-name2…transform-set-name6]
    A mandatory command that specifies a list of transform sets, in order of priority, to use for protecting traffic.

description text
    An optional command that can be used to provide a description for a crypto map sequence.

set security-association lifetime seconds seconds
    An optional command that can be used to override the seconds global IPSec SA lifetime for the sequence.

set security-association lifetime kilobytes kilobytes
    An optional command that can be used to override the kilobytes global IPSec SA lifetime for the sequence.

set pfs {group1 | group2}
    An optional command that can be used to specify the Diffie-Hellman group to use when requesting new security associations for this sequence.

set security-association level per-host
    An optional command that can be used to specify that separate IPSec SAs should be requested for each source/destination host pair.

You can configure multiple peers for each sequence—very cool when you want to set a backup path for the IPSec tunnel in case the primary path goes down. When multiple peers are set for a sequence, the device begins with the first one entered and proceeds down the list until an IPSec SA is set up.
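As an added example (not code from the book), the following Python models how IOS walks a crypto map for an outbound packet: sequences are tried in ascending sequence-number order, the first one whose crypto ACL permits the flow wins, and that sequence’s peers are returned in the order they were entered, which is the order the router tries them. It covers the two-sequence HQ case from the sidebar and the multiple-peer case from the paragraph above. The config text, site networks, peer addresses and the names wan and strong are constructed assumptions; only permit/deny ip entries are parsed, while real crypto ACLs can also match on protocol and port.

```python
"""Crypto map lookup: which sequence and peers protect a given flow (added example, not book code)."""
import ipaddress
import re

# Constructed config for the HQ router of the sidebar: one crypto map with two
# sequences, one per remote site, applied to a single interface.  The site
# networks, peer addresses and the names 'wan' and 'strong' are assumptions.
# Sequence 20 is listed first on purpose: the order in the file does not matter,
# only the sequence number does.  Sequence 10 has a primary and a backup peer.
HQ_CONFIG = """
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
crypto map wan 20 ipsec-isakmp
 match address 102
 set peer 203.0.113.2
 set transform-set strong
crypto map wan 10 ipsec-isakmp
 match address 101
 set peer 203.0.113.1
 set peer 203.0.113.11
 set transform-set strong
interface Serial0/0
 crypto map wan
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-(isakmp|manual)$")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse(config):
    """Return (acls, seqs): acls maps ACL number -> [(action, src, swc, dst, dwc)],
    seqs maps sequence number -> {'acl': number, 'peers': [addresses in configured order]}."""
    acls, seqs, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := MAP_RE.match(line):
            current = seqs.setdefault(int(m.group(2)), {"peers": []})
        elif current is not None and line.startswith("match address "):
            current["acl"] = line.split()[2]
        elif current is not None and line.startswith("set peer "):
            current["peers"].append(line.split()[2])
        elif not line.startswith(("set ", "match ")):
            current = None  # any other top-level command leaves crypto map mode
    return acls, seqs


def acl_permits(entries, src, dst):
    """First matching entry decides; no match means the implicit deny at the end of every ACL."""
    for action, s, swc, d, dwc in entries:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False


def select_sequence(config, src, dst):
    """Return (sequence number, ordered peer list) for the flow, or None if it leaves in the clear."""
    acls, seqs = parse(config)
    for seq in sorted(seqs):  # lowest sequence number is compared first
        entry = seqs[seq]
        if acl_permits(acls.get(entry.get("acl"), []), src, dst):
            return seq, entry["peers"]
    return None
```

A flow from 10.0.0.5 to 10.1.0.9 lands on sequence 10 with peers 203.0.113.1 then 203.0.113.11; a flow to 10.2.0.9 lands on sequence 20; a flow to any other destination returns None, meaning the router would forward it unprotected, which is exactly the case the inbound filtering task of the crypto ACL exists to catch on the far side.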


Once you’ve created your crypto map, you need to apply it to an interface.

Applying the Crypto Map

When you create IPSec tunnels without using GRE tunnels, the crypto map has to be applied to the outgoing interface. If you use GRE tunnels instead, you need to apply the crypto map to both the tunnel interface and the egress interfaces. The egress interfaces are any that may be used to form the GRE tunnel. You can have more than one GRE interface.

To apply a crypto map to an interface, enter the following command in interface configuration mode, where map-name is the name of the crypto map being applied to the interface:

crypto map map-name

For redundancy, you could apply the same crypto map set to more than one interface. The default behavior is as follows:

Each interface will have its own piece of the security association database.

The IP address of the local interface will be used as the local address for IPSec traffic originating from or destined to that interface.

If you decide to apply the same crypto map set to multiple interfaces, you need to specify an identifying interface. Doing this causes the following:

The per-interface portion of the IPSec security association database (SAD) will be established one time and shared for traffic through all the interfaces that share the same crypto map.

The IP address of the identifying interface will be used as the local address for IPSec traffic originating from or destined to those interfaces sharing the same crypto map set.

To designate the identifying interface, enter the following command in global configuration mode, where map-name is the name of the crypto map and local-id is the IP address of the identifying interface:

crypto map map-name local-address local-id

You must use this crypto map command if you are applying a crypto map to a GRE tunnel because the crypto map will be applied to both the tunnel interface and the egress interface.

When you specify an identifying interface, you must use the IP address of that interface whenever you configure the peer statements on the remote peers.

Before you move on to the final step in the process of configuring IPSec for pre-shared keys— testing and verifying IPSec—let’s run through a sample IPSec configuration.


In Exercise 8.2, you’ll build upon the configuration you began in the IKE section of this chapter. For a refresher, the following graphic illustrates the network you began configuring:

[Figure: the sample corporate network. Labels as they appear: Lab_A with HostA and HostB on 172.16.2.0/24; Perimeter Router with WWW Server 172.16.1.2/24 and DNS Server 172.16.1.3/24, Internet link 10.1.1.0/24; Lab_B with "Dirty DMZ" 172.16.1.0/24 on F0/0 172.16.1.254/24, a PIX, a Protected DMZ with a Bastion Host, F0/0 192.168.254.254/24, a NAS on F0/0 192.168.254.252/24, CiscoSecure ACS 3.0 at 192.168.254.253/24 and a Management Station at 192.168.254.251/24.]

But before you jump into configuring IPSec, let’s take another look at how the devices have been configured so far:

Lab_A#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Lab_A(config)#crypto isakmp enable
Lab_A(config)#crypto isakmp policy 2
Lab_A(config-isakmp)#encryption 3des
Lab_A(config-isakmp)#hash md5
Lab_A(config-isakmp)#authentication pre-share
Lab_A(config-isakmp)#exit
Lab_A(config)#crypto isakmp key cisco address 10.1.1.2


Lab_A(config)#^Z
Lab_A#

Lab_B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Lab_B(config)#crypto isakmp enable
Lab_B(config)#crypto isakmp policy 2
Lab_B(config-isakmp)#encryption 3des
Lab_B(config-isakmp)#hash md5
Lab_B(config-isakmp)#authentication pre-share
Lab_B(config-isakmp)#exit
Lab_B(config)#crypto isakmp key cisco address 10.1.1.1
Lab_B(config)#^Z
Lab_B#

E X E R C I S E 8 . 2

Configuring IPSec on Our Sample Corporate Network

Now you’re ready to configure IPSec. You need to add IPSec to your currently configured network with IKE using the following steps:

1. Create a transform set on each device named test using esp-des and tunnel mode.

2. Leave the global IPSec SA lifetimes set to their defaults.

3. Create a symmetrical extended access list on each device that will permit traffic between networks 172.16.2.0 /24 and 172.16.1.0 /24.

4. Create a crypto map on each device using the name test1 and sequence number 100. Each sequence should use the transform set test and the extended access list just created, and set the peer to the IP address of the outgoing interface of the remote device.

5. Apply the crypto map to each device’s outgoing interface.

6. Use the following commands to configure the Lab_A router:

Lab_A#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Lab_A(config)#crypto ipsec transform-set test esp-des
Lab_A(cfg-crypto-trans)#exit
Lab_A(config)#access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255


Lab_A(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
Lab_A(config)#crypto map test1 100 ipsec-isakmp
Lab_A(config-crypto-map)#match address 100
Lab_A(config-crypto-map)#set transform-set test
Lab_A(config-crypto-map)#set peer 10.1.1.2
Lab_A(config-crypto-map)#exit
Lab_A(config)#interface s0/0
Lab_A(config-if)#crypto map test1
Lab_A(config-if)#^Z
Lab_A#

Lab_B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Lab_B(config)#crypto ipsec transform-set test esp-des
Lab_B(cfg-crypto-trans)#exit
Lab_B(config)#access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
Lab_B(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
Lab_B(config)#crypto map test1 100 ipsec-isakmp
Lab_B(config-crypto-map)#match address 100
Lab_B(config-crypto-map)#set transform-set test
Lab_B(config-crypto-map)#set peer 10.1.1.1
Lab_B(config-crypto-map)#exit
Lab_B(config)#interface s1/0
Lab_B(config-if)#crypto map test1
Lab_B(config-if)#^Z
Lab_B#
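Before testing the tunnel, the things that have to agree on the two routers are worth checking mechanically: the ISAKMP policy, the transform set (transforms and mode), the pre-shared key, each side’s set peer pointing at the address the other side keyed and applies its crypto map to, and a crypto ACL that is the mirror image of the remote one. The following Python is an added example, not code from the book, that parses the Exercise 8.2 commands written out as running-config text and reports every mismatch. The interface addresses 10.1.1.1 on Lab_A s0/0 and 10.1.1.2 on Lab_B s1/0 and the /30 mask are assumptions implied by the crypto isakmp key lines, not shown on the page; the parser understands only the commands the exercise uses and matches crypto map sequences by number.

```python
"""Peer consistency check for the two Exercise 8.2 routers (added example, not book code)."""

# Lab_A as running-config text, built from the exercise commands.  The interface
# addresses (10.1.1.1 on Lab_A s0/0, 10.1.1.2 on Lab_B s1/0) and the /30 mask are
# assumptions implied by the 'crypto isakmp key ... address' lines, not from the page.
LAB_A = """
crypto isakmp policy 2
 encryption 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco address 10.1.1.2
crypto ipsec transform-set test esp-des
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
crypto map test1 100 ipsec-isakmp
 match address 100
 set transform-set test
 set peer 10.1.1.2
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
 crypto map test1
"""
# Lab_B is the mirror image: the two WAN addresses swapped and interface s1/0.
LAB_B = (LAB_A.replace("10.1.1.2", "X").replace("10.1.1.1", "10.1.1.2")
         .replace("X", "10.1.1.1").replace("Serial0/0", "Serial1/0"))

# IOS defaults, taken from the 'Default protection suite' shown earlier in the chapter.
DEFAULT_POLICY = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                  "group": "1", "lifetime": "86400"}


def parse(config):
    """Minimal parser for just the commands the exercise uses."""
    cfg = {"policy": dict(DEFAULT_POLICY), "keys": {}, "ts": {}, "acl": {}, "map": {}, "ifaces": {}}
    ctx = None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        line = " ".join(w)
        if line.startswith("crypto isakmp policy "):
            ctx = ("policy", None)
        elif line.startswith("crypto isakmp key "):
            cfg["keys"][w[5]] = w[3]  # peer address -> pre-shared key
        elif line.startswith("crypto ipsec transform-set "):
            cfg["ts"][w[3]] = {"transforms": tuple(w[4:]), "mode": "tunnel"}  # tunnel is the default mode
            ctx = ("ts", w[3])
        elif line.startswith("access-list "):
            cfg["acl"].setdefault(w[1], []).append(tuple(w[3:]))  # (proto, src, swc, dst, dwc)
        elif line.startswith("crypto map ") and len(w) == 5:
            ctx = ("map", int(w[3]))
            cfg["map"][int(w[3])] = {"peers": []}
        elif line.startswith("interface "):
            ctx = ("if", w[1])
            cfg["ifaces"][w[1]] = {}
        elif ctx and ctx[0] == "policy":
            cfg["policy"][w[0]] = w[1]
        elif ctx and ctx[0] == "ts" and w[0] == "mode":
            cfg["ts"][ctx[1]]["mode"] = w[1]
        elif ctx and ctx[0] == "map":
            entry = cfg["map"][ctx[1]]
            if w[:2] == ["set", "peer"]:
                entry["peers"].append(w[2])
            elif w[:2] == ["set", "transform-set"]:
                entry["ts"] = w[2]
            elif w[:2] == ["match", "address"]:
                entry["acl"] = w[2]
        elif ctx and ctx[0] == "if":
            if w[:2] == ["ip", "address"]:
                cfg["ifaces"][ctx[1]]["ip"] = w[2]
            elif w[:2] == ["crypto", "map"]:
                cfg["ifaces"][ctx[1]]["map"] = w[2]
    return cfg


def wan_address(cfg):
    """Address of the interface carrying the crypto map: the peer address the other side must use."""
    for data in cfg["ifaces"].values():
        if "map" in data:
            return data["ip"]
    raise ValueError("no interface has a crypto map applied")


def check_peers(config_a, config_b):
    """Return a list of mismatches between the two sides; an empty list means they agree."""
    a, b = parse(config_a), parse(config_b)
    problems = []
    if a["policy"] != b["policy"]:
        problems.append(f"ISAKMP policy differs: {a['policy']} vs {b['policy']}")
    ip_a, ip_b = wan_address(a), wan_address(b)
    for side, local, remote, rip, lip in (("A", a, b, ip_b, ip_a), ("B", b, a, ip_a, ip_b)):
        if local["keys"].get(rip) != remote["keys"].get(lip):
            problems.append(f"{side}: pre-shared key for {rip} is missing or differs from the remote's")
        for seq, entry in local["map"].items():
            if rip not in entry["peers"]:
                problems.append(f"{side} seq {seq}: set peer {entry['peers']} is not the remote WAN address {rip}")
            rentry = remote["map"].get(seq, {})  # simplification: sequences are matched by number
            if local["ts"].get(entry.get("ts")) != remote["ts"].get(rentry.get("ts")):
                problems.append(f"{side} seq {seq}: transform set (transforms or mode) differs from the remote's")
            mirror = {(e[0], e[3], e[4], e[1], e[2]) for e in remote["acl"].get(rentry.get("acl"), [])}
            if set(local["acl"].get(entry.get("acl"), [])) != mirror:
                problems.append(f"{side} seq {seq}: crypto ACL is not the mirror image of the remote's")
    return problems
```

Run against the two exercise configs check_peers returns an empty list; change Lab_B’s transform set to esp-3des, its set peer to some other address, or its key to a different string and the corresponding line is reported from both sides, which is the same mismatch you would otherwise have to dig out of debug crypto isakmp and debug crypto ipsec output.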
