© 1999, Cisco Systems, Inc. 12-1 Configuring Cisco IOS IPSec Chapter 12.


Chapter 12: Configuring Cisco IOS IPSec

Objectives

Upon completion of this chapter, you will be able to:
– Identify Cisco IOS commands used to configure and test IPSec in Cisco routers
– Configure IPSec between Cisco routers to create a secure communication environment based on a case study network design

Cisco IOS IPSec and the XYZ Network

(Network diagram: CA server, PIX Firewall, protected DMZ and dirty DMZ, NetRanger sensor and NetRanger Director, NetSonar, dialup NAS (R2), campus router, perimeter router (R1), bastion hosts, SMTP and DNS servers, NT server running CiscoSecure, web, FTP, TFTP and syslog services, a web server on the Internet, and remote branch, sales and dialup clients reaching the campus across the Internet.)

Configuring IPSec Overview

Configuring IPSec Encryption Tasks

1. Determine network design details
2. Configure ISAKMP for IPSec
3. Define transform sets
4. Define crypto policies
5. Create crypto access lists
6. Create crypto map entries
7. Apply crypto map sets to interfaces
8. Test and verify IPSec

Determining Network Design Details

Planning for Encryption

Planning includes:
– Defining overall security needs and strategy based on the network security policy
– Planning for ISAKMP
– Identifying IPSec peer router details; all peer routers must be identified
– Determining the IP addresses and applications of the hosts to be protected
Goal: minimize misconfiguration

Defining a Security Policy for Protecting Traffic

(Diagram: Site 1 with RouterA and Site 2 with RouterB, connected across the Internet.)

The policy table records, for each peer router: peer router name (RouterA at Site 1, RouterB at Site 2), encryption policy (AH-MD5, ESP-DES), IP addresses of hosts, traffic (packet) type to be encrypted (TCP), interfaces (Serial 0), and rekeying policy (pre-shared keys).

Ensure Access Lists Are Compatible With IPSec

(Diagram: Site 1 with RouterA and Site 2 with RouterB, connected across the Internet; ISAKMP, AH and ESP must pass in both directions.)

Ensure that protocol 50 (ESP), protocol 51 (AH), and UDP port 500 (ISAKMP) traffic is not blocked at the interfaces used by IPSec.

    !Example for RouterA applied to serial 0:
    access-list 102 permit ahp host
    access-list 102 permit esp host
    access-list 102 permit udp host eq isakmp

Configuring ISAKMP Overview

Configuring ISAKMP Tasks

1. Prepare for ISAKMP
2. Configure ISAKMP policies
3. Configure ISAKMP keys
   – Pre-shared keys
   – RSA signatures (CA support)
4. Configure IPSec policy to use ISAKMP
5. Apply IPSec policy to the interface
6. Test and verify ISAKMP

Preparing for ISAKMP

Planning for ISAKMP

Planning includes:
– Determining key distribution methods
– Determining ISAKMP policies for peers
– Identifying IPSec peer router IP addresses and hostnames
Goal: minimize misconfiguration

Enabling or Disabling ISAKMP

    Router(config)# crypto isakmp enable
    Router(config)# no crypto isakmp enable

– Globally enables or disables ISAKMP at your peer router
– ISAKMP is enabled by default
– It is enabled globally for all interfaces at the router

Configuring ISAKMP Policies

Creating ISAKMP Policies with the crypto isakmp Command

    Router(config)# crypto isakmp policy priority
    Router(config-isakmp)# ?
    ISAKMP commands:
      authentication  {rsa-sig | rsa-encr | pre-share}
      default
      encryption      {des}
      exit
      group
      hash            {md5 | sha}
      lifetime        seconds
      no

– Defines an ISAKMP policy, a set of parameters used during ISAKMP negotiation
– Invokes the (config-isakmp) command mode

Example ISAKMP Policy Configuration

    RouterA(config)#
    crypto isakmp policy 100
     hash md5
     authentication pre-share
    crypto isakmp policy 200
     authentication rsa-sig
     group 2
     lifetime 5000
    crypto isakmp policy 300
     authentication rsa-encr
     lifetime

    RouterB(config)#
    crypto isakmp policy 100
     hash md5
     authentication pre-share
    crypto isakmp policy 200
     authentication rsa-sig
     group 2
     lifetime 5000
    crypto isakmp policy 300
     authentication rsa-sig
     lifetime 10000

– The first two policies could be successfully negotiated
– The last policies are different (rsa-encr on RouterA versus rsa-sig on RouterB)

Configuring ISAKMP Keys – Pre-shared

Configuration Tasks for Pre-shared Keys

1. Set the ISAKMP identity
2. Configure the ISAKMP policy
3. Configure the pre-shared keys

Setting ISAKMP Identity

    Router(config)# crypto isakmp identity {address | hostname}

– Sets the ISAKMP identity as either address-based or hostname-based
– All ISAKMP policies must use the identity configured with this command
– You should use the same identity method on all ISAKMP peers

(Diagram: Site 1 with RouterA and Site 2 with RouterB, connected across the Internet.)

Configuring Pre-shared Keys

    Router(config)# crypto isakmp key keystring address peer-address
or
    Router(config)# crypto isakmp key keystring hostname peer-hostname

– The pre-shared key must be identical at both peers
– Use any combination of alphanumeric characters, up to 128 bytes, for keystring
– Easy to configure, yet not scalable

Configuring ISAKMP Policy for Pre-shared Keys

    RouterA(config)#
    crypto isakmp policy 100
     authentication pre-share

    RouterB(config)#
    crypto isakmp policy 100
     authentication pre-share

The authentication pre-share argument sets ISAKMP to use pre-shared keys.

Example of Configuring Pre-shared Keys

    RouterA(config)#
    crypto isakmp key WhatLighT address
    crypto isakmp policy 100
     hash md5
     authentication pre-share

    RouterB(config)#
    crypto isakmp key WhatLighT address
    crypto isakmp policy 100
     hash md5
     authentication pre-share

– Note that the keystrings must match between peers
– The hash could have been SHA-1 (the default)

Defining Transform Sets

Transforming IPSec Policies

Define the IPsec policies in transform sets:
– Mechanism for payload authentication: AH transform
– Mechanism for payload encryption: ESP transform
– IPsec mode (transport vs. tunnel)
Transform set = AH transform + ESP transform + mode

Configuring Transform Sets

    Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

– Enters interactive configuration mode, with the subcommands default, exit, mode transport | tunnel, and no
– Sets are limited to up to one AH and up to two ESP transforms
– The default mode is tunnel

Available IPSec Transforms

    Router(config)# crypto ipsec transform-set RouterAset ?
      ah-md5-hmac   AH-HMAC-MD5 transform
      ah-rfc1828    AH-MD5 transform (RFC1828)
      ah-sha-hmac   AH-HMAC-SHA transform
      esp-des       ESP transform using DES cipher (56 bits)
      esp-md5-hmac  ESP transform using HMAC-MD5 auth
      esp-null      ESP transform w/o cipher
      esp-rfc1829   ESP-DES-CBC transform (RFC1829)
      esp-sha-hmac  ESP transform using HMAC-SHA auth

Example Transform Sets

    crypto ipsec transform-set SECURE ah-md5-hmac esp-des
    !
    crypto ipsec transform-set noAH esp-md5-hmac esp-des
    !
    crypto ipsec transform-set CPUeater ah-sha-hmac esp-sha-hmac esp-des
    !
    crypto ipsec transform-set AUTH ah-sha-hmac

Creating Crypto Access Lists

Using Extended IP Access Lists for Crypto Access Lists

Use extended IP access lists to identify the protected traffic flows:
– permit indicates the data flow to be protected by a new security association
– Outbound: permit = traffic is encrypted; deny = traffic is sent in the clear and routed normally
– Inbound: permit = reject traffic that should have been encrypted by IPSec but arrived unprotected

Configuring Symmetrical Peer Crypto Access Lists

(Diagram: Site 1 with RouterA and Site 2 with RouterB, connected across the Internet.)

    RouterA(config)# access-list 110 permit tcp
    RouterB(config)# access-list 101 permit tcp
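The slide shows the two crypto access lists as mirror images but carries no addresses, so the check that they really are mirrors is easy to skip. The following script is an added example, not part of the original chapter: it parses the permit entries of two extended ACLs, normalises IOS wildcard masks to CIDR, and reports every local entry whose source/destination-swapped counterpart is missing on the peer. The ACL text, the 10.1.x.0/24 site networks and the telnet entry are constructed assumptions; RouterA's third entry has no mirror on purpose.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed crypto access lists for the two peers. The addresses are
# assumptions (the slide does not carry any): 10.1.1.0/24 stands for the
# Site 1 hosts behind RouterA and 10.1.2.0/24 for the Site 2 hosts behind
# RouterB. RouterA's last entry has no mirror on RouterB on purpose.
ROUTER_A_ACL = """
access-list 110 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 110 permit tcp host 10.1.1.10 host 10.1.2.20 eq 23
access-list 110 permit tcp 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
"""
ROUTER_B_ACL = """
access-list 101 permit tcp 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit tcp host 10.1.2.20 eq 23 host 10.1.1.10
"""


@dataclass(frozen=True)
class CryptoAce:
    proto: str
    src: str                 # CIDR text
    sport: Optional[str]
    dst: str
    dport: Optional[str]

    def mirrored(self) -> "CryptoAce":
        """The entry the peer must carry: source and destination swapped."""
        return CryptoAce(self.proto, self.dst, self.dport, self.src, self.sport)


def _take_addr(tokens: List[str]) -> str:
    """Consume one IOS address spec (any | host A | A WILDCARD) as CIDR."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0/0"
    if tok == "host":
        return f"{tokens.pop(0)}/32"
    # An IOS wildcard is an inverted netmask; invert it back before parsing.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
    return str(ipaddress.IPv4Network((tok, netmask), strict=False))


def _take_port(tokens: List[str]) -> Optional[str]:
    """Consume an optional 'eq PORT' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return tokens.pop(0)
    return None


def parse_crypto_acl(text: str) -> List[CryptoAce]:
    """Return the permit entries of an extended ACL. deny entries are
    skipped: in a crypto ACL they only mean 'send in the clear'."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue
        rest = tokens[4:]
        src = _take_addr(rest)
        sport = _take_port(rest)
        dst = _take_addr(rest)
        dport = _take_port(rest)
        entries.append(CryptoAce(tokens[3], src, sport, dst, dport))
    return entries


def mirror_mismatches(local_text: str, remote_text: str) -> List[CryptoAce]:
    """Local permit entries whose mirror image is missing on the peer.
    Traffic matched by such an entry is encrypted on the way out but
    rejected by the peer's crypto ACL on the way in."""
    remote = set(parse_crypto_acl(remote_text))
    return [ace for ace in parse_crypto_acl(local_text)
            if ace.mirrored() not in remote]


if __name__ == "__main__":
    for ace in mirror_mismatches(ROUTER_A_ACL, ROUTER_B_ACL):
        print("RouterB lacks the mirror of:", ace)
```

Run the check in both directions before applying the crypto maps; an entry that is only one-sided shows up as traffic that leaves encrypted and is dropped on arrival, which looks like a connectivity fault rather than a policy fault.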

Creating Crypto Maps

Purpose of Crypto Maps

Crypto maps pull together the various parts configured for IPSec, including:
– Which traffic should be protected by IPSec
– The granularity of the traffic to be protected by a set of SAs
– Where IPSec-protected traffic should be sent
– The local address to be used for the IPSec traffic
– What IPSec security type should be applied to this traffic
– How security associations are established (manually or via ISAKMP)
– Other parameters needed to define an IPSec SA

Load Sharing

– A single crypto map entry can support flows to multiple IPSec peers for redundancy
– A router can have simultaneous SAs to different peers for the same data flow
– The current peer is the last peer from which traffic was received for that data flow (either data traffic or SA establishment)

How Many Crypto Maps Should You Create?

– Crypto maps can include a mixture of CET and IPSec crypto map entries
– Separate entries can support multiple flows to the same IPSec peer, with different policies

Crypto Map Command

    Router(config)# crypto map map-name seq-num ipsec-manual | ipsec-isakmp | cisco [dynamic dynamic-map-name]

– Creates a crypto map
– Ties together the configuration needed to enact an IPsec policy and its SAs
– ipsec-manual, ipsec-isakmp, or cisco defines the key management method
– [dynamic dynamic-map-name] associates a dynamic crypto map with a static crypto map set

Crypto Map Configuration Mode

    Router(config-crypto-map)# ?
      match address [access-list-id | name]
      set
        peer [hostname | ip-address]
        transform-set [set_name(s)]
        security-association [inbound | outbound]
      no
      exit

– match address specifies the crypto access list
– set peer specifies the IPSec peer
– set security-association sets manual AH and ESP keys
– set transform-set selects the transform set(s)
– Delete entries with the no form of the command

Setting Manual Keys with security-association Commands

    Router(config-crypto-map)# set security-association inbound|outbound ah spi hex-key-string
    Router(config-crypto-map)# set security-association inbound|outbound esp spi cipher hex-key-string [authenticator hex-key-string]

– Specifies an inbound or outbound SA
– Sets the SPI for the SA
– Sets manual AH and ESP keys
  – ESP key length is 56 bits with DES, 168 with 3DES
  – AH HMAC key length is 128 bits with MD5, 160 bits with SHA
– SPIs should be reciprocal on the IPsec peer
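The two manual-keying requirements on this slide, reciprocal SPIs and hex keys of the right length, are exactly the ones that go wrong when the material is typed by hand, and the chapter summary adds that hand-made keys are often weak. The following script is an added example, not code from the chapter: it draws keys and SPIs from the operating system CSPRNG, builds the two directions of an SA pair once and assigns them to the peers crosswise so reciprocity holds by construction, and renders the set security-association lines for each router. The key-size table is an assumption based on the slide's figures (DES entered as 64 bits, the value the chapter summary uses; MD5 128 and SHA 160 bits); the SECURE and RouterAset transform sets are the chapter's.

```python
import secrets
from typing import Dict, Iterable, List, Set

# Hex key sizes in bits for the manual-key transforms named in the chapter.
# DES is entered as 64 bits (16 hex digits), the figure the chapter summary
# gives; the HMAC sizes are the slide's 128 (MD5) and 160 (SHA) bits.
KEY_BITS = {
    "ah-md5-hmac": 128,
    "ah-sha-hmac": 160,
    "esp-des": 64,
    "esp-md5-hmac": 128,
    "esp-sha-hmac": 160,
}
MIN_SPI = 256  # SPI values 0-255 are reserved by the IPSec specifications


def hex_key(bits: int) -> str:
    """Keying material from the OS CSPRNG, as the hex string IOS expects."""
    return secrets.token_hex(bits // 8)


def new_spi(used: Set[int]) -> int:
    """A random SPI above the reserved range that no SA on this pair uses."""
    while True:
        spi = MIN_SPI + secrets.randbelow(2**32 - MIN_SPI)
        if spi not in used:
            used.add(spi)
            return spi


def one_direction(transforms: Iterable[str], used: Set[int]) -> Dict:
    """AH and/or ESP parameters for a single direction of traffic."""
    transforms = list(transforms)
    ah = [t for t in transforms if t.startswith("ah-")]
    esp_cipher = [t for t in transforms if t == "esp-des"]
    esp_auth = [t for t in transforms if t in ("esp-md5-hmac", "esp-sha-hmac")]
    sa: Dict = {}
    if ah:
        sa["ah"] = {"spi": new_spi(used), "key": hex_key(KEY_BITS[ah[0]])}
    if esp_cipher:
        esp = {"spi": new_spi(used), "cipher": hex_key(KEY_BITS[esp_cipher[0]])}
        if esp_auth:
            esp["authenticator"] = hex_key(KEY_BITS[esp_auth[0]])
        sa["esp"] = esp
    return sa


def manual_sa_pair(transforms: Iterable[str]) -> Dict[str, Dict[str, Dict]]:
    """Reciprocal manual SAs: RouterA's inbound SA is RouterB's outbound SA
    and vice versa, so SPIs and keys line up on both peers by construction."""
    used: Set[int] = set()
    a_to_b = one_direction(transforms, used)
    b_to_a = one_direction(transforms, used)
    return {
        "RouterA": {"inbound": b_to_a, "outbound": a_to_b},
        "RouterB": {"inbound": a_to_b, "outbound": b_to_a},
    }


def is_reciprocal(pair: Dict[str, Dict[str, Dict]]) -> bool:
    """The property the chapter asks for: each peer's inbound SA equals the
    other peer's outbound SA (same SPIs, same keys)."""
    return (pair["RouterA"]["inbound"] == pair["RouterB"]["outbound"]
            and pair["RouterA"]["outbound"] == pair["RouterB"]["inbound"])


def render(sas: Dict[str, Dict]) -> List[str]:
    """The set security-association lines for one router's crypto map entry."""
    lines = []
    for direction in ("inbound", "outbound"):
        sa = sas[direction]
        if "ah" in sa:
            lines.append(f"set security-association {direction} ah "
                         f"{sa['ah']['spi']} {sa['ah']['key']}")
        if "esp" in sa:
            esp = sa["esp"]
            line = (f"set security-association {direction} esp "
                    f"{esp['spi']} cipher {esp['cipher']}")
            if "authenticator" in esp:
                line += f" authenticator {esp['authenticator']}"
            lines.append(line)
    return lines


if __name__ == "__main__":
    pair = manual_sa_pair(["ah-md5-hmac", "esp-des"])  # the chapter's SECURE set
    for router in ("RouterA", "RouterB"):
        print(f"{router}:")
        for line in render(pair[router]):
            print("  " + line)
```

The output for each router is pasted under its ipsec-manual crypto map entry; because both routers' lines come from the same pair object, a typo on one side is the only way the SPIs can stop being reciprocal, which is the failure the slide warns about.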

Applying Crypto Map Sets to Interfaces

Applying Crypto Map Sets to Interfaces

(Diagram: Site 1 with RouterA and Site 2 with RouterB, connected across the Internet.)

    RouterA(config)#
    crypto map RouterAmap 10 ipsec-manual
     set peer
     set transform-set RouterAset
     match address 101
    !
    interface serial 0
     crypto map RouterAmap

– Apply the crypto map to the outgoing side of an interface
– SAs are initialized when you apply the crypto maps

Example ISAKMP Configuration for RouterA

    RouterA#
    crypto isakmp policy 100
     hash md5
     authentication pre-share
    crypto isakmp key WhatLighT address
    !
    crypto ipsec transform-set RouterAset esp-des esp-md5-hmac
    !
    crypto map RouterAmap 100 ipsec-isakmp
     set peer
     set transform-set RouterAset
     match address 101
    !
    interface Serial0
     ip address
     ip access-group 102 in
     crypto map RouterAmap
    !
    access-list 101 permit ip
    access-list 102 permit ahp host
    access-list 102 permit esp host
    access-list 102 permit udp host eq isakmp

Example ISAKMP Configuration for RouterB

    RouterB#
    crypto isakmp policy 100
     hash md5
     authentication pre-share
    crypto isakmp key WhatLighT address
    !
    crypto ipsec transform-set RouterBset esp-des esp-md5-hmac
    !
    crypto map RouterBmap 100 ipsec-isakmp
     set peer
     set transform-set RouterBset
     match address 101
    !
    interface Serial0
     ip address
     ip access-group 102 in
     crypto map RouterBmap
    !
    access-list 101 permit ip
    access-list 102 permit ahp host
    access-list 102 permit esp host
    access-list 102 permit udp host eq isakmp
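The RouterA and RouterB configurations above have to agree on four things the chapter calls out separately: the set peer address, the pre-shared key per peer address, a transform set with the same transforms, and an inbound interface access list that lets AH, ESP and ISAKMP (UDP 500) in from the peer. The following script is an added example, not part of the chapter: it extracts those facts from two IOS configurations and reports the mismatches a reviewer would otherwise find by eye. The configurations are constructed in the shape of the slides; every address (the 172.30.x.x serial addresses) is an assumption, and RouterB's access list 102 is missing its esp entry on purpose.

```python
import re

# Constructed configurations in the shape of the chapter's RouterA and
# RouterB examples. Every address (the 172.30.x.x serial addresses) is an
# assumption; the slides carry none. RouterB's interface ACL is missing the
# esp permit on purpose.
ROUTER_A = """
crypto isakmp key WhatLighT address 172.30.2.2
crypto ipsec transform-set RouterAset esp-des esp-md5-hmac
crypto map RouterAmap 100 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set RouterAset
interface Serial0
 ip address 172.30.1.2 255.255.255.252
 ip access-group 102 in
 crypto map RouterAmap
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
"""
ROUTER_B = """
crypto isakmp key WhatLighT address 172.30.1.2
crypto ipsec transform-set RouterBset esp-des esp-md5-hmac
crypto map RouterBmap 100 ipsec-isakmp
 set peer 172.30.1.2
 set transform-set RouterBset
interface Serial0
 ip address 172.30.2.2 255.255.255.252
 ip access-group 102 in
 crypto map RouterBmap
access-list 102 permit ahp host 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
"""


def parse_router(text):
    """Pull the IPSec-relevant facts out of an IOS configuration."""
    cfg = {"keys": {}, "tsets": {}, "peers": [], "map_tsets": [],
           "serial_ip": None, "in_acl": None, "acls": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["keys"][m[2]] = m[1]            # peer address -> keystring
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["tsets"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"set peer (\S+)", line):
            cfg["peers"].append(m[1])
        elif m := re.match(r"set transform-set (\S+)", line):
            cfg["map_tsets"].append(m[1])
        elif m := re.match(r"ip address (\S+) \S+", line):
            cfg["serial_ip"] = m[1]
        elif m := re.match(r"ip access-group (\S+) in", line):
            cfg["in_acl"] = m[1]
        elif m := re.match(r"access-list (\S+) permit (\S+) (.+)", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3]))
    return cfg


def check_peer_pair(local_text, remote_text):
    """Findings that would keep IPSec between the two peers from coming up:
    wrong set peer, mismatched pre-shared key, no common transform set, or an
    inbound interface ACL that drops AH, ESP or ISAKMP from the peer."""
    local, remote = parse_router(local_text), parse_router(remote_text)
    peer_ip = remote["serial_ip"]
    findings = []
    if peer_ip not in local["peers"]:
        findings.append(f"set peer does not name the remote address {peer_ip}")
    local_key = local["keys"].get(peer_ip)
    if local_key is None or local_key != remote["keys"].get(local["serial_ip"]):
        findings.append("pre-shared keys for the peer addresses do not match")
    for name in local["map_tsets"]:
        if local["tsets"].get(name) not in remote["tsets"].values():
            findings.append(f"no transform set on the peer matches {name}")
    inbound = local["acls"].get(local["in_acl"], [])
    for proto, qualifier in (("ahp", ""), ("esp", ""), ("udp", "eq isakmp")):
        if not any(p == proto and rest.startswith(f"host {peer_ip}")
                   and qualifier in rest for p, rest in inbound):
            what = f"{proto} {qualifier}".strip()
            findings.append(f"inbound ACL {local['in_acl']} does not permit "
                            f"{what} from {peer_ip}")
    return findings


if __name__ == "__main__":
    print("RouterA -> RouterB:", check_peer_pair(ROUTER_A, ROUTER_B))
    print("RouterB -> RouterA:", check_peer_pair(ROUTER_B, ROUTER_A))
```

Run the check from both sides: the missing esp entry only shows up when RouterB is the local router, because it is RouterB's inbound interface that would drop the encrypted packets. The transform-set comparison is by set of transforms, not by name, since the chapter's example deliberately uses RouterAset on one side and RouterBset on the other.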

Testing and Verifying IPSec

IPSec show Commands

    Router# show crypto ipsec transform-set
View the configured transform sets.

    Router# show crypto map [interface interface | tag map-name]
View the crypto map configuration.

IPSec show Commands (cont.)

    Router# show crypto ipsec sa [map map-name | address | identity] [detail]
View the settings used by current security associations; contains useful packet counters.

    Router# show crypto ipsec security-association lifetime
View the lifetime of current security associations.

IPSec debug and clear Commands

    Router# debug crypto ipsec
Displays debug messages about all IPSec actions.

    Router# debug ip security
Displays IP security option processing.

    Router# clear crypto sa
Deletes SAs from the SA database.

Testing and Verifying ISAKMP

ISAKMP show Commands

    Router# show crypto isakmp policy
View the parameters for each configured ISAKMP policy.

    Router# show crypto isakmp sa
View all current ISAKMP security associations.

ISAKMP clear and debug Commands

    Router# debug crypto isakmp
Displays debug messages about ISAKMP events.

    Router# debug crypto key-exchange
Displays messages about the DH/RSA process.

    Router# clear crypto isakmp [connection-id]
Clears active ISAKMP connections.

Crypto System Error Messages for ISAKMP

    %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated!
The ISAKMP security association with the remote peer was not authenticated.

    %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed
The ISAKMP peers failed protection suite negotiation for ISAKMP.
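These two messages are worth collecting from the syslog server the chapter's network already runs, because a burst of them from a configured peer almost always means a policy or key mismatch on one side, while the same message from an address that is not a configured peer is something to look into. The following script is an added example, not part of the chapter: it counts the two messages per peer address from syslog text and turns the counts into findings. The log lines are constructed in the shape of the messages above; timestamps, hostnames, sequence numbers, peer addresses and the attribute name standing in for the [chars] slot are all assumptions.

```python
import re
from collections import Counter
from typing import List, Set

# Constructed syslog lines in the shape of the two ISAKMP messages above.
# Timestamps, hostnames, sequence numbers and peer addresses are assumptions;
# "[encryption]" stands in for the [chars] slot of the NOT_OFFERED message.
SAMPLE_LOG = """\
Mar  1 10:00:01 RouterA 45: %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from 172.30.2.2 if SA is not authenticated!
Mar  1 10:00:03 RouterA 46: %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer 172.30.2.2 responded with attribute [encryption] not offered or changed
Mar  1 10:00:09 RouterA 47: %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from 172.30.2.2 if SA is not authenticated!
Mar  1 10:01:00 RouterA 48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
Mar  1 10:02:15 RouterA 49: %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from 198.51.100.7 if SA is not authenticated!
"""

# Message id, then the first dotted-quad after it (the peer in both formats).
ISAKMP_MSG = re.compile(
    r"%CRYPTO-6-(IKMP_SA_NOT_AUTH|IKMP_SA_NOT_OFFERED):"
    r".*?(\d{1,3}(?:\.\d{1,3}){3})")


def isakmp_failures(log_text: str) -> Counter:
    """Count ISAKMP failure messages by (message id, peer address)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = ISAKMP_MSG.search(line)
        if m:
            counts[(m[1], m[2])] += 1
    return counts


def triage(log_text: str, expected_peers: Set[str], threshold: int = 2) -> List[str]:
    """Turn the counts into findings: repeated failures from a configured
    peer usually mean a policy or key mismatch on one side; any failure from
    an address that is not a configured peer deserves a look."""
    per_peer: Counter = Counter()
    for (_, peer), n in isakmp_failures(log_text).items():
        per_peer[peer] += n
    findings = []
    for peer, n in sorted(per_peer.items()):
        if peer not in expected_peers:
            findings.append(f"unexpected ISAKMP peer {peer}: {n} failure(s)")
        elif n >= threshold:
            findings.append(f"peer {peer}: {n} ISAKMP failures, "
                            "check policy and key configuration on both sides")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, expected_peers={"172.30.2.2"}):
        print(finding)
```

The expected-peer set is the list of set peer addresses from the crypto maps; keeping it next to the log parser is what turns a noisy message into a distinction between a misconfiguration and a stranger talking ISAKMP to the router.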

Lab Exercise: Configuring Cisco IOS IPSec

Lab Objectives

Upon completion of this lab, you will be able to:
– Configure basic IPSec encryption between Cisco routers to create a secure communication environment based on a case study network design
– Configure Cisco routers for IPSec encryption:
  – Determine network design details
  – Configure transform sets
  – Configure crypto isakmp policies
  – Configure crypto maps and apply them to interfaces
  – Test and verify IPSec encryption on Cisco routers

MCNS Lab Environment (diagram; X = pod number)

(Components: PIXX Firewall with outside, inside and DMZ interfaces, a protected DMZ and a dirty DMZ; PerimeterX router on 10.X.1.0/24; NASX; Windows NT PC NT1; NT server running CiscoSecure NT, IIS FTP and web server, Cisco Security Manager, syslog server and TFTP server on 10.X.2.0/24 (10.X.2.1, clients 10.X.2.2 to 10.X.2.10); bastion host running web and FTP servers; instructor NT server running FTP, HTTP and a CA; sales dialup; Frame Relay (Internet) through a telco simulator.)

Summary

Summary

– Define the detailed crypto security policy before beginning configuration
– Ensure router access lists permit IPSec traffic
– Transform sets determine the IPSec transform and mode
– Crypto access lists determine the traffic to be encrypted: permit = encrypt
– Crypto access lists should mirror each other

Summary (cont.)

– SPIs are manually selected and should be reciprocal on the other peer
– The crypto map protocol is ipsec-manual for manual keying
– ESP keys are manually entered (64 bits for DES)
– AH HMAC key length is 128 bits with MD5, 160 bits with SHA
– Crypto maps pull together all IPSec details and are applied to interfaces
– Use show and debug commands to test and troubleshoot
– Manual keying does not scale well and is often insecure because secure keying material is difficult to create by hand

Review Questions

Review Questions

1. Place the following configuration steps into the order in which they should be performed:
   1. Exchange DSS public key
   2. Generate the router's DSS public/private keys
   3. Configure per-session encryption policy
   4. Define global encryption policy

Review Questions (cont.)

2. Which command defines and controls per-session encryption policy?
   A. crypto gen-signature-keys
   B. crypto key-exchange
   C. crypto map
   D. access-list

Review Questions (cont.)

3. What is the correct command to test an encrypted connection between routers?
   A. test crypto initiate-session

4. What is the correct command to verify which packets are being encrypted?
   A. show crypto engine connections active

Addendum A: ISAKMP Modes and Policies

Phase One: Main Mode

– Negotiates ISAKMP policy
– Performs an authenticated Diffie-Hellman exchange
– Provides protection of the identities of the ISAKMP peers: identities are encrypted
– Accomplished in six messages
– Establishes the ISAKMP security association

Phase One: Main Mode

Negotiates ISAKMP policy by offering and accepting protection suites.

Alice to Bob: "Bob, I'd like ISAKMP to do: 3DES, SHA, signatures, group 1; or IDEA, MD5, encrypted nonces, group 1; or CAST, SHA, pre-shared keys, group 1"
Bob to Alice: "OK Alice, let's do: IDEA, MD5, encrypted nonces, group 1"

Phase One: Main Mode

– Policy negotiation
– Diffie-Hellman and nonce exchange
– Authentication of the exchange and the peer

Message flow (six messages; the last two are encrypted):
    Initiator -> Responder: hdr, SA
    Responder -> Initiator: hdr, SA
    Initiator -> Responder: hdr, Ke_i, Ne_i
    Responder -> Initiator: hdr, Ke_r, Ne_r
    Initiator -> Responder: hdr, IDi, auth   (encrypted)
    Responder -> Initiator: hdr, IDr, auth   (encrypted)

Phase One: Aggressive Mode

– Negotiates ISAKMP policy and does the Diffie-Hellman and nonce exchange together
– Establishes the ISAKMP security association in only three messages
– Does not provide identity protection: IDs are passed in the clear

Phase Two: Quick Mode

– Negotiates IPSec SAs
– Protected by the existing ISAKMP SA
– Optionally performs an additional Diffie-Hellman exchange
– Optionally includes information on endpoint identities

Phase Two: Quick Mode

– IPSec SAs are negotiated
– Hash payloads authenticate each message
– The final message confirms the exchange

Message flow:
    Initiator -> Responder: hdr, hash, SA, Ni [, KE] [, IDi2, IDr2]
    Responder -> Initiator: hdr, hash, SA, Nr [, KE] [, IDi2, IDr2]
    Initiator -> Responder: hdr, hash

Informational Exchange

– Protected by the existing ISAKMP SA
– Used to transmit error, delete, and notification messages to the peer
– Unidirectional: not acknowledged!

Message flow:
    Initiator -> Responder: hdr, hash, notify

ISAKMP Policy Definition

ISAKMP policies define:
– ISAKMP message encryption algorithm
– ISAKMP message integrity (hash) algorithm
– ISAKMP peer authentication method
– ISAKMP key exchange (DH group identifier)
– ISAKMP-established SA lifetime

ISAKMP Policy Negotiation

(Diagram: an ISAKMP session between RouterA and RouterB, each with its own policy suite.)
RouterA policy suite: DES, SHA, and pre-share; or DES, SHA, and RSA signatures
RouterB policy suite: DES, MD5, and RSA signatures; or DES, SHA, and pre-share; or DES, SHA, and RSA encryption

– ISAKMP peers negotiate to find a matching policy in the policy suite
– If no match is found, IPSec SAs are not established
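This slide and the chapter's Example ISAKMP Policy Configuration (policies 100, 200 and 300 on RouterA and RouterB) both describe the same selection rule: the peers compare protection suites in priority order and either find a match or establish no SAs at all. The following script is an added example, not code from the chapter: it parses crypto isakmp policy stanzas, fills in the IOS defaults (DES, SHA, RSA signatures, group 1, 86400 seconds), and models the responder's search. The lifetime handling follows Cisco's documented rule for this IOS generation as a modelling assumption: a match requires the responder's lifetime to be no longer than the offered one, and the responder's lifetime is used. The lifetime 86400 for RouterA's policy 300 and the priorities given to the policy-suite slide's entries are assumptions, since the slides do not carry them.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Cisco IOS defaults for an ISAKMP policy: DES, SHA, RSA signatures,
# Diffie-Hellman group 1, 86400-second lifetime. The chapter leans on them
# when it says the hash "could have been SHA-1 (the default)".
@dataclass
class IsakmpPolicy:
    priority: int
    encryption: str = "des"
    hash: str = "sha"
    authentication: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400

    def suite(self) -> Tuple[str, str, str, int]:
        """The four attributes that must be identical on both peers."""
        return (self.encryption, self.hash, self.authentication, self.group)


def parse_policies(config_text: str) -> List[IsakmpPolicy]:
    """Read 'crypto isakmp policy N' stanzas in IOS configuration form."""
    policies: List[IsakmpPolicy] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy "):
            policies.append(IsakmpPolicy(priority=int(line.split()[-1])))
        elif line and policies:
            key, value = line.split(maxsplit=1)
            setattr(policies[-1], key,
                    int(value) if key in ("group", "lifetime") else value)
    return sorted(policies, key=lambda p: p.priority)


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[int, int, int]]:
    """Model of IOS phase 1 policy selection (modelling assumption, see the
    lead-in): the initiator offers all its policies; the responder walks its
    own policies in priority order and accepts the first offer with the same
    protection suite whose lifetime is at least its own; the responder's
    lifetime is used. Returns (responder priority, initiator priority,
    lifetime), or None when nothing matches and no IPSec SAs can follow."""
    offers = sorted(initiator, key=lambda p: p.priority)
    for own in sorted(responder, key=lambda p: p.priority):
        for offered in offers:
            if own.suite() == offered.suite() and own.lifetime <= offered.lifetime:
                return own.priority, offered.priority, own.lifetime
    return None


# The chapter's example policies. Policy 300's lifetime on RouterA is not
# given on the slide; 86400 is assumed here.
ROUTER_A = """
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp policy 200
 authentication rsa-sig
 group 2
 lifetime 5000
crypto isakmp policy 300
 authentication rsa-encr
 lifetime 86400
"""
ROUTER_B = """
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp policy 200
 authentication rsa-sig
 group 2
 lifetime 5000
crypto isakmp policy 300
 authentication rsa-sig
 lifetime 10000
"""

# The policy-suite slide: RouterA offers (DES, SHA, pre-share) and
# (DES, SHA, RSA signatures); RouterB holds (DES, MD5, RSA signatures),
# (DES, SHA, pre-share) and (DES, SHA, RSA encryption). Priorities assumed.
SUITE_A = [IsakmpPolicy(10, authentication="pre-share"), IsakmpPolicy(20)]
SUITE_B = [IsakmpPolicy(10, hash="md5"),
           IsakmpPolicy(20, authentication="pre-share"),
           IsakmpPolicy(30, authentication="rsa-encr")]


def only(policies: List[IsakmpPolicy], priority: int) -> List[IsakmpPolicy]:
    """Isolate one policy to see what it would negotiate on its own."""
    return [p for p in policies if p.priority == priority]


if __name__ == "__main__":
    a, b = parse_policies(ROUTER_A), parse_policies(ROUTER_B)
    print("full suites:", negotiate(a, b))                            # (100, 100, 86400)
    print("policy 200 alone:", negotiate(only(a, 200), only(b, 200)))  # (200, 200, 5000)
    print("policy 300 alone:", negotiate(only(a, 300), only(b, 300)))  # None
    print("policy-suite slide:", negotiate(SUITE_A, SUITE_B))         # (20, 10, 86400)
```

Isolating policy 300 reproduces the slide's remark that the last policies are different: rsa-encr on one side and rsa-sig on the other never match, so a router configured with only that policy would establish no IPSec SAs. The policy-suite slide resolves to (DES, SHA, pre-share), the only suite present on both routers.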

Defining IKE Policy Details

(Diagram: Site 1 with RouterA and Site 2 with RouterB, connected across the Internet.)

    Policy parameter        Site 1 (RouterA)    Site 2 (RouterB)
    Encryption algorithm    DES                 DES
    Hash algorithm          MD5                 MD5
    Authentication method   Pre-share           Pre-share
    Key exchange            768-bit D-H         768-bit D-H
    IKE SA lifetime         seconds             seconds
