Securing Cisco IOS Networks Study Guide - Carl Timm.pdf


Summary

Do you feel as though you’ve run a marathon? Has your sanity been compromised by this gauntlet? Do you now have weird little twitches or find yourself staring at absolutely nothing for untold periods of time? No worries; it’ll pass, I promise—really! Yup, this chapter was a long puppy, packed with tons of stuff to remember.

You must be able to configure IPSec, starting with IPSec that uses pre-shared keys; that means creating IKE policies and configuring the pre-shared keys themselves. IPSec without IKE is configured with an ipsec-manual crypto map entry. Because nothing is negotiated, you must specify the SPIs and the inbound and outbound session keys used with each IPSec peer yourself, and they must match the peer's outbound and inbound values.

Pre-shared keys are not the only way IKE can authenticate peers: IKE can also use RSA-encrypted nonces. This requires you to generate RSA keys on each device and then manually enter each peer's public key on every device it will peer with, so it does not scale to large networks.

IPSec can also be configured with a certificate authority (CA), the most scalable of the three approaches. Each device requests a certificate from the CA server once and then presents that certificate, with IKE authenticating by RSA signatures, in all of its peering attempts.

Yes, indeed. You certainly covered a tremendous amount of material in this chapter, so don’t feel bad if you didn’t get it all on your first read through. Go ahead—take however much time you need to go back and review any areas you feel a bit shaky about. But not yet—you’ve accomplished a ton—it’s reward time. Take a break, have that party, and go to Vegas—whatever—you truly deserve it! Congratulations! Chapter 9, “Cisco IOS Remote Access Using Cisco Easy VPN,” will be ready and waiting when you can think and form coherent sentences again. The best news about Chapter 9 is that it is short and sweet and it covers Easy VPN. Sounds nice, doesn’t it? Oh, and did I mention it’s the last chapter in this book? Sweet.

Exam Essentials

Understand the tasks required for IPSec utilizing pre-shared keys. Configuring IPSec with pre-shared keys requires the following four tasks, in this order:

1. Prepare for IKE and IPSec.
2. Configure IKE.
3. Configure IPSec.
4. Test and verify IPSec.

You must be able to perform each of these four tasks.

Implement an IKE policy. Given the need for IKE, you must be able to create an IKE policy. Once the IKE policy is created, you must be able to implement it on the devices you wish to peer.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

282 Chapter 8 Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support

Implement IPSec with IKE. Once IKE is configured, you must be able to implement IPSec: set the global IPSec SA lifetimes, define transform sets, write the extended access lists (crypto ACLs) that select the traffic to protect, build the crypto maps, and finally apply a crypto map to an interface.
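The four tasks, the IKE policy and the IPSec configuration above, carried through for one router as an added example (not from the book). RouterA at 192.0.2.1 protects 10.1.1.0/24 and peers with RouterB at 198.51.100.1, which protects 10.2.2.0/24; the interface name, policy and sequence numbers, the map name VPN and the key are all assumed. RouterB gets the mirror image: the same pre-shared key bound to 192.0.2.1, the same IKE policy and transform set, and an access list with source and destination swapped.

```cisco
! RouterA: site-to-site IPSec with IKE and a pre-shared key (added example,
! not from the book; addresses, names and the key are assumed).
!
! Task 1: prepare for IKE and IPSec. Confirm 198.51.100.1 is reachable and that
! no access list on Serial0/0 drops IKE (UDP 500) or ESP (IP protocol 50).
!
! Task 2: configure IKE. Policy 10 must match a policy on RouterB in encryption,
! hash, authentication and DH group; if the lifetimes differ, the shorter is used.
crypto isakmp enable
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp identity address
! The key is bound to the peer's address; RouterB configures the same key for 192.0.2.1.
crypto isakmp key S3cr3t-PSK-change-me address 198.51.100.1
!
! Task 3: configure IPSec.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
 mode tunnel
!
! Crypto ACL: "permit" means protect. RouterB needs the mirror image (10.2.2.0 to 10.1.1.0).
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 description Tunnel to RouterB
 set peer 198.51.100.1
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN
!
! Task 4: test and verify, from privileged EXEC, after sending traffic from
! 10.1.1.0/24 to 10.2.2.0/24 (the first interesting packet triggers IKE):
!   show crypto isakmp sa               - expect state QM_IDLE for peer 198.51.100.1
!   show crypto ipsec sa                - #pkts encaps and #pkts decaps should both rise
!   debug crypto isakmp                 - if the tunnel does not come up (policy or key mismatch)
!   clear crypto sa peer 198.51.100.1   - tear the IPSec SAs down and renegotiate
```

A Phase 1 policy mismatch or a wrong key shows up in debug crypto isakmp before any IPSec SA exists, so check show crypto isakmp sa first; only once it reports QM_IDLE is a missing or non-mirrored crypto ACL the likely reason for show crypto ipsec sa showing no traffic.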

Implement IPSec without IKE. You must be able to implement IPSec without IKE, using an ipsec-manual crypto map entry. This requires you to manually configure the SPIs and the inbound and outbound session keys; each device's inbound values must equal the peer's outbound values and vice versa.
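A manually keyed entry for the same RouterA, as an added example that is not from the book. The addresses and SPIs are assumed and the hex keys are constructed placeholders; real keys must come from a cryptographic random source and be exchanged with the peer out of band.

```cisco
! RouterA: IPSec without IKE (ipsec-manual). Added example, not from the book;
! addresses, SPIs and the hex keys are constructed placeholders.
! Nothing is negotiated: both routers must agree on the transform, the SPIs and
! the keys in advance, and RouterA's inbound values are RouterB's outbound ones.
crypto ipsec transform-set MANUAL esp-3des esp-sha-hmac
!
! One manual entry keys exactly one pair of SAs, so the access list for it holds
! a single permit statement.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map VPN 10 ipsec-manual
 set peer 198.51.100.1
 set transform-set MANUAL
 match address 101
 ! Key lengths follow the transform: 3DES needs 24 bytes (48 hex digits) of
 ! cipher key, SHA-1 HMAC needs 20 bytes (40 hex digits) of authenticator key.
 ! Placeholder values; never reuse them.
 set session-key inbound esp 1001 cipher 0123456789abcdef0123456789abcdef0123456789abcdef authenticator 00112233445566778899aabbccddeeff00112233
 set session-key outbound esp 1002 cipher fedcba9876543210fedcba9876543210fedcba9876543210 authenticator ffeeddccbbaa99887766554433221100ffeeddcc
!
interface Serial0/0
 crypto map VPN
!
! RouterB mirrors the entry with the directions swapped:
!   set session-key inbound esp 1002 cipher fedcba98... authenticator ffeeddcc...
!   set session-key outbound esp 1001 cipher 01234567... authenticator 00112233...
! Manually keyed SAs never expire, so rotating keys means re-entering them on
! both routers, and the IPSec anti-replay service is not available for them.
! Use ipsec-manual only for a peer that cannot run IKE.
```

Verification is the same as for the IKE case except that show crypto isakmp sa stays empty; show crypto ipsec sa should list the two SPIs (1001 inbound, 1002 outbound) as soon as the map is applied, and a key or SPI mismatch shows up as decaps failures or #recv errors rather than as a negotiation failure.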

Implement RSA-encrypted nonces. Given a scenario that requires RSA-encrypted nonces, you must be able to implement them. This requires generating RSA public/private keys, manually entering each peer's public key on the devices that will peer with it, configuring IKE with the rsa-encr authentication method, and configuring IPSec.
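The IKE side of that procedure on RouterA, as an added example (not from the book). The hostname, domain name and peer address are assumed, and the key-string body is a placeholder for RouterB's actual public encryption key; the IPSec part (transform set, crypto ACL and ipsec-isakmp crypto map) is the same as with pre-shared keys and is not repeated.

```cisco
! RouterA: IKE authenticated with RSA-encrypted nonces. Added example, not from
! the book; hostname, domain, peer address and the key placeholder are assumed.
hostname RouterA
ip domain-name example.net
! Generate usage keys: one pair for signatures, one for encryption. rsa-encr
! uses the encryption pair. Afterwards, in privileged EXEC,
! "show crypto key mypubkey rsa" prints this router's public keys for RouterB.
crypto key generate rsa usage-keys
!
! Enter RouterB's public ENCRYPTION key, copied from "show crypto key mypubkey rsa"
! on RouterB and compared over a trusted channel (a key pasted from an
! unverified source lets whoever supplied it impersonate RouterB).
! addressed-key because IKE identity is the address; with hostname identity
! use named-key instead.
crypto key pubkey-chain rsa
 addressed-key 198.51.100.1 encryption
  key-string
   <hex blocks of RouterB's encryption public key, as printed by RouterB>
  quit
!
crypto isakmp identity address
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-encr
 group 2
!
! Transform set, crypto ACL and the ipsec-isakmp crypto map on the interface are
! unchanged from the pre-shared-key configuration. Every additional peer needs
! its own pubkey-chain entry on every router it talks to, which is why this
! method does not scale.
```

RouterB needs the mirror entry (addressed-key 192.0.2.1 encryption with RouterA's encryption key); a wrong or swapped key fails in Phase 1 and is visible in debug crypto isakmp, not in the IPSec SA output.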

Understand the tasks required for IPSec with CA. Configuring IPSec with CA requires the following five tasks:

1. Prepare for IKE and IPSec.
2. Configure CA support.
3. Configure IKE.
4. Configure IPSec.
5. Test and verify IPSec.

You must be able to perform each of these five tasks.

Implement IPSec with CA. Given a scenario that requires the use of CA servers, you must be able to implement it. This requires you to generate RSA public/private keys, declare a CA server, configure trusted root servers, authenticate the CA servers, request a certificate, configure IKE using RSA signatures, and configure IPSec.
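The five CA tasks and the steps just listed, carried through for RouterA as an added example that is not from the book. The CA name EXAMPLE-CA, its hostname and address, the NTP server and the policy numbers are assumed; the IPSec task is identical to the pre-shared-key case and is only summarised.

```cisco
! RouterA: IPSec with CA support, the five tasks in order. Added example, not
! from the book; CA name, URLs, addresses and policy numbers are assumed.
!
! Task 1: prepare. Hostname plus domain name form the FQDN under which the RSA
! keys and the certificate are issued, and the clock must be correct or peer
! certificates are rejected as not yet valid or expired.
hostname RouterA
ip domain-name example.net
ip host ca.example.net 203.0.113.10
ntp server 203.0.113.5
!
! Task 2: configure CA support.
crypto key generate rsa usage-keys
crypto ca identity EXAMPLE-CA
 enrollment url http://ca.example.net:80
 enrollment mode ra
 enrollment retry count 10
 enrollment retry period 5
 query url ldap://ca.example.net
 ! "crl optional" would let peering continue when the CRL cannot be fetched,
 ! at the cost of not detecting revoked certificates while it is unavailable;
 ! leave it off unless an unreachable CRL server is an accepted risk.
!
! Fetch the CA certificate. IOS prints its fingerprint and asks whether to accept
! it: compare it with the fingerprint published by the CA operator before
! answering yes, otherwise every later certificate check trusts whatever
! answered the enrollment URL.
crypto ca authenticate EXAMPLE-CA
! Request RouterA's own certificate over SCEP. IOS prompts for the challenge
! password agreed with the CA operator; keep it, it is needed to revoke later.
crypto ca enroll EXAMPLE-CA
!
! Task 3: configure IKE. No pre-shared key: peers prove identity with their
! certificates (RSA signatures).
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
!
! Task 4: configure IPSec. Transform set, crypto ACL and an ipsec-isakmp crypto
! map applied to the interface, exactly as with pre-shared keys.
!
! Task 5: test and verify, from privileged EXEC:
!   show crypto ca certificates   - CA certificate and RouterA's certificate present
!   show crypto isakmp sa         - QM_IDLE once traffic has triggered negotiation
!   debug crypto isakmp           - certificate or CRL rejections appear here
```

If show crypto ca certificates lists the CA certificate but not the router's own, the enrollment request is still pending (or was rejected) at the CA; IOS retries it on the enrollment retry schedule configured above.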

Key Terms

Before you take the exam, be certain you are familiar with the following terms:

certificate revocation lists (CRL)

IPSec SA lifetime

crypto map set

registration authority (RA)

general-usage keys

Simple Certificate Enrollment Protocol (SCEP)


Commands Used in This Chapter

Here is the list of commands used in this chapter. The prompt in front of each command shows where it is entered: # is privileged EXEC, <config># is global configuration, and the parenthesised prompts are the sub-modes entered by crypto isakmp policy (config-isakmp), crypto ca identity (ca-identity), crypto ipsec transform-set (cfg-crypto-trans), crypto map (config-crypto-map) and crypto key pubkey-chain rsa (config-pubkey-chain, then config-pubkey-key).

(config-pubkey-chain)#addressed-key key-address {encryption | signature}
    Specifies that the RSA public key about to be entered belongs to the peer with this IP address (an addressed key), and whether it is the peer's encryption or signature key.

(config-isakmp)#authentication {rsa-sig | rsa-encr | pre-share}
    Configures the authentication method for an IKE policy: RSA signatures (certificates), RSA-encrypted nonces, or pre-shared keys.

#clear crypto isakmp conn-id
    Resets the IKE SA with the given connection ID.

#clear crypto isakmp *
    Resets all IKE SAs on the device.

#clear crypto sa
    Resets all IPSec SAs on the device.

#clear crypto sa peer {ip-address | peer-name}
    Resets the IPSec SAs for the specified peer.

#clear crypto sa map map-name
    Resets the IPSec SAs for the specified crypto map.

#clear crypto sa entry destination-address protocol spi
    Resets the single IPSec SA identified by destination address, protocol (ah or esp) and SPI.

#clear crypto sa counters
    Resets the IPSec traffic counters for all IPSec SAs on the device.

(ca-identity)#crl optional
    Allows the device to accept a peer's certificate even when it cannot obtain a CRL; without it, an unreachable CRL server blocks IPSec peering. While the CRL is unavailable, a revoked certificate cannot be detected.

(ca-identity)#crl query ldap-url
    Specifies the LDAP URL the device uses when querying for CRLs.

<config>#crypto ca authenticate name
    Retrieves and authenticates the CA server's certificate. IOS displays the certificate fingerprint; verify it out of band before accepting.

<config>#crypto ca certificate query
    Disables local storage of certificates and CRLs on the device; they are retrieved from the CA when needed.

<config>#crypto ca enroll name
    Requests a certificate for the device's RSA keys from the CA server.

<config>#crypto ca identity name
    Declares a CA server under the given name and enters ca-identity configuration mode.

<config>#crypto ca trusted-root name
    Specifies a name for referring to a trusted root CA server and enters its configuration mode.

<config>#crypto key pubkey-chain rsa
    Enters public key chain configuration mode, where peers' RSA public keys are entered manually.

<config>#crypto ipsec security-association lifetime seconds seconds
    Global lifetime: the number of seconds an IPSec SA remains active before it expires (default 3600).

<config>#crypto ipsec security-association lifetime kilobytes kilobytes
    Global lifetime: the number of kilobytes an IPSec SA may carry before it expires (default 4,608,000).

<config>#crypto ipsec transform-set transform-set-name [transform1] [transform2] [transform3]
    Configures a transform set (the AH and/or ESP transforms used to protect traffic) and enters transform-set configuration mode.

<config>#crypto isakmp enable
    Enables IKE (it is enabled by default).

<config>#crypto isakmp identity {address | hostname}
    Specifies whether the device identifies itself to IKE peers by its IP address or by its hostname.

<config>#crypto isakmp key keystring {address peer-address | hostname peer-hostname}
    Creates a pre-shared key for the specified peer; the peer must be configured with the identical keystring.

<config-if>#crypto map map-name
    Applies a crypto map set to an interface.

<config>#crypto map map-name local-address local-id
    Specifies the interface whose address identifies the crypto map (used when the same map is applied to more than one interface).

<config>#crypto map map-name seq-num ipsec-isakmp
    Creates a crypto map entry (sequence) that uses IKE to establish its SAs.

<config>#crypto map map-name seq-num ipsec-manual
    Creates a crypto map entry that does not use IKE; its SAs are keyed manually.

<config>#crypto isakmp policy priority
    Creates an IKE policy with the given priority (lower number is preferred) and enters ISAKMP policy configuration mode.

#debug crypto ipsec
    Provides detailed information about IPSec SA negotiation and operation.

#debug crypto isakmp
    Provides detailed information about IKE negotiation.

(config-crypto-map)#description text
    Optional, for manual IPSec and IPSec with IKE: a description for the crypto map entry.

(config-isakmp)#encryption {des | 3des}
    Configures the encryption algorithm for an IKE policy (default DES; 3DES is the stronger choice of the two).

(ca-identity)#enrollment mode ra
    Specifies that the CA uses a registration authority (RA) for enrollment.

(ca-identity)#enrollment retry count number
    Specifies the maximum number of times the device re-sends a certificate request before giving up.

(ca-identity)#enrollment retry period minutes
    Specifies how many minutes the device waits between certificate requests.

(ca-identity)#enrollment url url
    Specifies the URL (the CA's SCEP interface) to which the device sends certificate requests.

<config>#crypto key generate rsa [usage-keys]
    Generates the device's RSA key pair; with usage-keys, two pairs are generated, one for signatures and one for encryption.

(config-isakmp)#group {1 | 2}
    Configures the Diffie-Hellman group for an IKE policy (group 1 is a 768-bit and group 2 a 1024-bit modulus; default 1).

(config-isakmp)#hash {sha | md5}
    Configures the hash algorithm for an IKE policy (default SHA).

<config>#hostname hostname
    Specifies the hostname of the device.

<config>#ip domain-name domain-name
    Specifies the domain name of the device; together with the hostname it forms the FQDN under which RSA keys and certificates are named.

<config>#ip host name [tcp-port-number] address1 [address2 ... address8]
    Creates a static hostname-to-IP-address mapping.

(config-pubkey-key)#key-string
    Enters the public key of a remote device (in hex, as printed by that device) into the local device.

(config-isakmp)#lifetime seconds
    Configures the IKE SA lifetime for an IKE policy (default 86400 seconds).

(config-crypto-map)#match address {access-list-number | name}
    Mandatory for manual IPSec and IPSec with IKE: the extended access list that defines the traffic to protect.

(cfg-crypto-trans)#mode {tunnel | transport}
    Configures the IPSec mode for a transform set (default tunnel).

(config-pubkey-chain)#named-key key-name {encryption | signature}
    Specifies that the RSA public key about to be entered belongs to the peer with this name (a named key, for peers identified by hostname).

<config>#no crypto isakmp enable
    Disables IKE.

(ca-identity)#query url url
    Specifies an LDAP URL to query for certificates.

(ca-identity)#root CEP url
    Specifies that SCEP (formerly CEP) is used to obtain the trusted root CA's certificate from the given URL.

(ca-identity)#root TFTP url
    Specifies that TFTP is used to obtain the trusted root CA's certificate from the given URL.

(ca-identity)#root PROXY url
    Specifies the URL of the HTTP proxy server through which the trusted root is reached.

(config-crypto-map)#set peer {peer-address | peer-hostname}
    Mandatory for manual IPSec and IPSec with IKE: the IPSec peer.

(config-crypto-map)#set transform-set transform-set-name [transform-set-name2 ... transform-set-name6]
    Mandatory for manual IPSec and IPSec with IKE: the transform sets, in order of priority, to use for protecting traffic (a manual entry can use only one).

(config-crypto-map)#set security-association lifetime seconds seconds
(config-crypto-map)#set security-association lifetime kilobytes kilobytes
    Optional, for ipsec-isakmp entries: override the global seconds or kilobytes IPSec SA lifetime for this entry. Manually keyed SAs are never renegotiated and do not expire.

(config-crypto-map)#set pfs {group1 | group2}
    Optional, for ipsec-isakmp entries: the Diffie-Hellman group used for perfect forward secrecy when new SAs are negotiated for this entry.

(config-crypto-map)#set security-association level per-host
    Optional, for ipsec-isakmp entries: request separate IPSec SAs for each source/destination host pair rather than one pair per access-list entry.

(config-crypto-map)#set session-key inbound ah spi hex-key-string
(config-crypto-map)#set session-key outbound ah spi hex-key-string
    Mandatory for manual IPSec with an AH transform: the inbound and outbound SPI and key for AH.

(config-crypto-map)#set session-key inbound esp spi cipher hex-key-string [authenticator hex-key-string]
(config-crypto-map)#set session-key outbound esp spi cipher hex-key-string [authenticator hex-key-string]
    Mandatory for manual IPSec with an ESP transform: the inbound and outbound SPI, cipher key and (when the transform includes an HMAC) authenticator key for ESP. The peer's outbound values must equal this device's inbound values, and vice versa.
