© 2006 Cisco Systems, Inc. All rights reserved.ISCW v IPsec VPNs Site-to-Site IPsec VPN Operation

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Site-to-Site IPsec VPN Operations

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Five Steps of IPsec

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Step 1: Interesting Traffic

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Step 2: IKE Phase 1

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v IKE Policy Negotiates matching IKE transform sets to protect IKE exchange

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Diffie-Hellman Key Exchange

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Authenticate Peer Identity Peer authentication methods: Preshared keys RSA signatures RSA encrypted nonces

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Step 3: IKE Phase 2 Negotiates IPsec security parameters, IPsec transform sets Establishes IPsec SAs Periodically renegotiates IPsec SAs to ensure security Optionally, performs an additional Diffie-Hellman exchange

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v IPsec Transform Sets A transform set is a combination of algorithms and protocols that enact a security policy for traffic.

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Security Associations SA database: –Destination IP address –SPI –Protocol (ESP or AH) Security policy database: –Encryption algorithm –Authentication algorithm –Mode –Key lifetime

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v SA Lifetime Data transmitted-based Time-based

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Step 4: IPsec Session SAs are exchanged between peers. The negotiated security services are applied to the traffic.

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Step 5: Tunnel Termination A tunnel is terminated by one of the following: –By an SA lifetime timeout –If the packet counter is exceeded IPsec SA is removed

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Configuring IPsec

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Configuration Steps for Site-to-Site IPsec VPN 1. Establish ISAKMP policy 2. Configure IPsec transform set 3. Configure crypto ACL 4. Configure crypto map 5. Apply crypto map to the interface 6. Configure interface ACL

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Site-to-Site IPsec Configuration: Phase 1

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Site-to-Site IPsec Configuration: Phase 1

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Site-to-Site IPsec Configuration: Phase 2

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Site-to-Site IPsec Configuration: Phase 2

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Site-to-Site IPsec Configuration: Apply VPN Configuration

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Site-to-Site IPsec Configuration: Apply VPN Configuration

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Site-to-Site IPsec Configuration: Interface ACL

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Site-to-Site IPsec Configuration: Interface ACL When filtering at the edge, there is not much to see: IKE: UDP port 500 ESP and AH: IP protocol numbers 50 and 51, respectively NAT transparency enabled: –UDP port 4500 –TCP (port number has to be configured)

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Router1#show access-lists access-list 102 permit ahp host host access-list 102 permit esp host host access-list 102 permit udp host host eq isakmp Site-to-Site IPsec Configuration: Interface ACL (Cont.) Ensure that protocols 50 and 51 and UDP port 500 traffic is not blocked on interfaces used by IPsec.

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v Summary IPsec operation includes these steps: Initiation by interesting traffic of the IPsec process, IKE Phase 1, IKE Phase 2, data transfer, and IPsec tunnel termination. To configure a site-to-site IPsec VPN: Configure the ISAKMP policy, define the IPsec transform set, create a crypto ACL, create a crypto map, apply crypto map, and configure ACL. To define an IKE policy, use the crypto isakmp policy global configuration command. To define an acceptable combination of security protocols and algorithms used for IPsec, use the crypto ipsec transform- set global configuration command. To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command. Configure an ACL to enable the IPsec protocols (protocol 50 for ESP or 51 for AH) and IKE protocol (UDP/500).

© 2006 Cisco Systems, Inc. All rights reserved.ISCW v