Scenario

In this example we have two SOHO offices.

>        A VPN needs to be created between the two sites so that they can communicate with each other without the fear of eavesdropping.

>        For simplicity, neither site wants to invest in a CA certificate service or RSA infrastructure. They prefer to use pre-shared keys.

>        The network administrators at both sites are aware that permanent site-to-site VPNs require fixed Internet IP addresses and have upgraded from the basic DHCP services originally provided by their ISPs.

Site1

o        uses a private network of 192.168.1.0

o        has a router with an external Internet IP address of 97.158.253.25

o        uses a Cisco DSL router with a built-in DSL modem, like the Cisco 800 series of routers.

Site2

o        uses a private network of 192.168.2.0

o        uses a Cisco router with an external DSL modem (Scenario A) or a PIX firewall (Scenario B).

o        uses a router (Scenario A) or firewall (Scenario B) with an external Internet IP address of 6.25.232.1

Other Information

The administrator at Site 1 wants to be able to access all the protected servers at Site 2 by using their real IP addresses, and vice versa. For example, Site 1 will refer to Site 2 servers by their 192.168.2.X IP addresses, not by the Internet NAT addresses on the 6.25.232.X network.

Site 1 – Router VPN Configuration Steps

There are a number of steps that need to be done to create the VPN.

IKE

Phase 1 of the creation of a VPN tunnel first requires an exchange of the encryption capabilities of the VPN devices at both ends of the tunnel. The second phase involves encrypting the data by using either:

o        Pre-shared keys known to both VPN devices (this is what we’ll be using in all the examples below) or

o        Keys generated via the RSA methodology or

o        Keys obtained from Certification Authorities (CAs)

Cisco router / firewall devices usually require you to configure each of the various combinations of key encryption capabilities available. The device will then send all of the combinations to the remote VPN as part of the negotiation to decide which one to use.

o        Create an IKE key policy. The policy number “9” distinguishes it from all other IKE policies that may be configured. This policy requires a pre-shared key.

 crypto isakmp policy 9
  hash md5
  authentication pre-share

I’ve chosen only one combination for the sake of simplicity, but you could add more like this. If your device is licensed appropriately, and you intend to establish a connection with a Linux VPN device, then you should consider a 3DES option, which Linux FreeS/WAN prefers. Here is a snippet that includes 3DES and many other policy capabilities.

 

 crypto isakmp policy 1
  encr 3des
  authentication pre-share
 !
 crypto isakmp policy 4
  encr 3des
  authentication pre-share
  group 2
 !
 crypto isakmp policy 5
  encr 3des
  hash md5
  authentication pre-share
  group 2
 !
 crypto isakmp policy 10
  authentication pre-share
  group 2
 !
 crypto isakmp policy 12
  authentication pre-share
 !
 crypto isakmp policy 20
  hash md5
  authentication pre-share
  group 2
 !
 crypto isakmp policy 23
  encr 3des
  hash md5
  authentication pre-share

o        You’ll then need to configure a VPN shared key that can be used between this site and the VPN site at 6.25.232.1

 crypto isakmp key VPNsecretPASSWORD address 6.25.232.1

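Because the device offers all of its configured policies and the peer picks the first one of its own that matches, it helps to see how that match is computed. The following Python script is an added example, not code from this page or from Cisco: it parses crypto isakmp policy blocks, applies the IOS defaults for any attribute a policy leaves unset (DES, SHA, RSA signatures, Diffie-Hellman group 1, 86400-second lifetime), and reports which pair of policies two peers would agree on. The sample policy sets are constructed from the snippets in this section; negotiate and the other names are mine.

```python
"""Model IOS ISAKMP (IKE phase 1) policy negotiation between two peers.

Added example, not from the original page: parses 'crypto isakmp policy'
blocks, fills in the IOS defaults for attributes a policy leaves unset and
reports which pair of policies the peers would agree on, or that none matches.
The sample policy sets are constructed from the snippets in this section.
"""
from typing import Dict, List, Optional, Tuple

# IOS defaults for any attribute an isakmp policy does not set explicitly.
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
NEGOTIATED = ("encr", "hash", "authentication", "group")   # lifetime never blocks a match


def parse_isakmp_policies(config: str) -> List[Tuple[int, Dict[str, str]]]:
    """Return (priority, attributes) pairs, lowest priority number first."""
    policies: Dict[int, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["crypto", "isakmp", "policy"]:
            current = policies.setdefault(int(t[3]), dict(DEFAULTS))
        elif current is not None and len(t) == 2 and t[0] in ("encryption", *DEFAULTS):
            current["encr" if t[0] == "encryption" else t[0]] = t[1]
        else:
            current = None          # any other global command ends the policy block
    return sorted(policies.items())


def negotiate(initiator: str, responder: str) -> Optional[Tuple[int, int, Dict[str, str]]]:
    """The initiator offers all of its policies; the responder walks its own in
    priority order and accepts the first that matches any offer. The shorter
    lifetime wins. Returns (responder priority, initiator priority, agreed)."""
    offered = parse_isakmp_policies(initiator)
    for r_prio, r_attrs in parse_isakmp_policies(responder):
        for i_prio, i_attrs in offered:
            if all(r_attrs[k] == i_attrs[k] for k in NEGOTIATED):
                agreed = dict(r_attrs)
                agreed["lifetime"] = str(min(int(r_attrs["lifetime"]), int(i_attrs["lifetime"])))
                return r_prio, i_prio, agreed
    return None


# Constructed: Site 1 as configured above (policy 9 only).
SITE1_POLICIES = """\
crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key VPNsecretPASSWORD address 6.25.232.1
"""
# Constructed: a peer that only offers 3DES, as a FreeS/WAN-style device might.
PEER_3DES_ONLY = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
"""
# Constructed: the same peer with a DES/MD5/pre-share policy added at priority 20.
PEER_WITH_DES = PEER_3DES_ONLY + """\
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
"""

if __name__ == "__main__":
    print("3DES-only peer:", negotiate(SITE1_POLICIES, PEER_3DES_ONLY))
    print("peer with policy 20:", negotiate(SITE1_POLICIES, PEER_WITH_DES))
```

Against the 3DES-only peer, Site 1's single DES policy finds no match at all, which is exactly the phase 1 failure the troubleshooting section later warns about; adding one more policy on either side is enough for the negotiation to succeed.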
IPSec

o        Set a lifetime for the IPSec Security Associations. A security association is the equivalent of a site-to-site VPN relationship.

 crypto ipsec security-association lifetime seconds 86400

o        Configure an access list to define the valid traffic to be directed through the VPN from 192.168.1.0 to 192.168.2.0

 access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

o        Define which encryption transformations will be used to shield the VPN traffic as it passes over the Internet with the “crypto ipsec transform-set” command. Each “single line” set can be given its own name. In this case we’ve chosen the set s1s2trans to use one of the most common combinations, esp-des and esp-md5-hmac.

 crypto ipsec transform-set s1s2trans esp-des esp-md5-hmac

If the remote site prefers to use the more secure 3DES method (Linux FreeS/WAN only does 3DES), then you may want to replace the above statement with this one:

 crypto ipsec transform-set s1s2trans esp-3des esp-md5-hmac

You can create multiple transform sets depending on your security requirements. For example, you could create a transform set named “weak” with regular DES encryption and another named “strong” using the better 3DES method.

o        Create a crypto map to match the valid traffic defined by the ACL with the transform set we want to use with the VPN peer router/firewall at the other site. This example creates a map entry of priority “10”.

 crypto map to-site2 10 ipsec-isakmp
  set peer 6.25.232.1
  set transform-set s1s2trans
  match address 101

You can add additional map entries to correspond with tunnels to other remote sites, using additional priorities. Just remember to create the appropriate access control lists and pre-shared keys. Here is an example of additional map entries using two different transform sets:

 crypto map to-site2 150 ipsec-isakmp
  set peer 108.112.44.95
  set transform-set s1s2trans
  match address 101
 crypto map to-site2 153 ipsec-isakmp
  set peer 4.21.116.23
  set transform-set s1s2trans-strong
  match address 102
 crypto map to-site2 158 ipsec-isakmp
  set peer 223.52.37.25
  set transform-set s1s2trans-strong
  set pfs group2
  match address 103

o        Bind the crypto map to the external interface of the router.

 interface BVI1
  crypto map to-site2

This example assumes you are using a router with a built-in DSL modem. In such a case, the external Internet-facing interface would most likely be called BVI1, with a “sister” interface ATM0. Make sure both are configured correctly.

If you are using a router with an external DSL / cable modem, then there will only be one Internet-facing interface to configure. This interface would usually be named either Ethernet0 or Ethernet1, depending on the type of router. The Site 2 configuration uses an external DSL / cable modem.

Site 1 – Configuration Example

Our SOHO Router (Site #1)

Current Configuration:

!
version 12.1
service timestamps debug uptime
service timestamps log uptime
!
hostname soho1
!
ip subnet-zero
no ip domain-lookup
!
bridge irb
!
! * Configure IKE properties
!
crypto isakmp policy 9
 authentication pre-share
 hash md5
crypto isakmp key VPNsecretPASSWORD address 6.25.232.1
!
! * Configure IPSec properties
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set s1s2trans esp-des esp-md5-hmac
!
! * If the remote site prefers to use 3DES (Linux FreeS/WAN only does 3DES), then you may want to
! * replace the above statement with this one:
!
! * crypto ipsec transform-set s1s2trans esp-3des esp-md5-hmac
!
! * Define the Site1 to Site2 traffic to be encrypted
!
crypto map to-site2 10 ipsec-isakmp
 set peer 6.25.232.1
 set transform-set s1s2trans
 match address 101
!
! * Give the protected interface an IP address and
! * let it know that it should do NAT as a protected
! * “inside” interface
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
 bundle-enable
 dsl operating-mode auto
 bridge-group 1
!
! * Encryption will be done on interface BVI1 according to
! * the crypto map statement
!
interface BVI1
 ip address 97.158.253.25 255.255.255.248
 ip nat outside
 crypto map to-site2
 ip mtu 1412
!
! * Tells the router to NAT all traffic that passes through it:
! * 1) From the inside to the outside,
! * 2) And whose IP address matches those in route map “nonat”
! * 3) Must get an outside “public” address that is the same as
! *    interface BVI1
! *
! * Replaces the following command used on the basic DSL router page
! *
! * ip nat inside source list 1 interface BVI1 overload
!
ip nat inside source route-map nonat interface BVI1 overload
!
! * This statement performs the static address translation
! * for the Web server.
! * With this statement, users trying to reach 97.158.253.26
! * will be automatically redirected to 192.168.1.100
! * which in this case is the Web server.
!
ip nat inside source static 192.168.1.100 97.158.253.26
!
! * Set your default gateway as provided by your ISP
! * Set a route to Site2 via the Tunnel IP of the
! * router at Site2
!
ip classless
ip route 0.0.0.0 0.0.0.0 97.158.253.30
!
! * Encrypt all traffic passing over the tunnel
! * interface between the two sites
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! * ACL used by route map “nonat” to exclude traffic
! * between Site1 and Site2 from the NAT process, as this
! * will pass through the VPN tunnel
!
access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
!
! * Use a route map to define which traffic from the private
! * network should be included in the NAT process:
!
route-map nonat permit 10
 match ip address 150

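The Site 1 configuration above depends on two access lists working together: ACL 101 selects the traffic the crypto map encrypts, and ACL 150, through route-map nonat, keeps that same traffic out of NAT. The following Python script is an added example (not part of the original page and not a Cisco tool) that implements IOS wildcard-mask matching and runs constructed flows through both lists in the order the router applies them, NAT first and then the crypto map; the function and variable names are my own, and the second ACL set shows what happens when the deny entry is forgotten.

```python
"""Classify Site 1 traffic the way the router's crypto ACL and NAT route-map do.

Added example, not from the original page: a small evaluator for IOS
extended ACLs ('permit|deny ip <src> <wildcard> <dst> <wildcard>', 'any',
'host'), applied to the page's access-list 101 (crypto map match) and
access-list 150 (route-map nonat). The flows tested are constructed.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class AclEntry(NamedTuple):
    action: str      # "permit" or "deny"
    src: int         # network address as an integer
    src_wc: int      # wildcard mask: a 1 bit means "ignore this bit"
    dst: int
    dst_wc: int


def _operand(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address operand; returns (address, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, wildcard, i + 2


def parse_acl(config: List[str], number: str) -> List[AclEntry]:
    """Collect the 'ip' entries of one numbered ACL in configuration order."""
    entries = []
    for line in config:
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", number] or t[3] != "ip":
            continue          # other ACLs, or protocol-specific entries, are out of scope
        src, src_wc, i = _operand(t, 4)
        dst, dst_wc, _ = _operand(t, i)
        entries.append(AclEntry(t[2], src, src_wc, dst, dst_wc))
    return entries


def _matches(addr: int, net: int, wildcard: int) -> bool:
    """Compare only the bits the wildcard mask does not mask out."""
    care = ~wildcard & 0xFFFFFFFF
    return addr & care == net & care


def acl_action(entries: List[AclEntry], src: str, dst: str) -> Optional[str]:
    """First matching entry wins; None stands for the implicit deny at the end."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if _matches(s, e.src, e.src_wc) and _matches(d, e.dst, e.dst_wc):
            return e.action
    return None


def classify(config: List[str], src: str, dst: str, outside_ip: str = "97.158.253.25") -> str:
    """Model the IOS inside-to-outside order of operations: NAT runs before the
    crypto map. Returns 'tunnel' (encrypted), 'nat' (translated and sent in the
    clear) or 'untranslated' (routed with its private source address).

    This is why ACL 150 needs its deny entry: a VPN flow that route-map nonat
    translates to the BVI1 address no longer matches ACL 101 and never enters
    the tunnel.
    """
    translated = acl_action(parse_acl(config, "150"), src, dst) == "permit"
    if translated:
        src = outside_ip                       # PAT to the outside interface address
    if acl_action(parse_acl(config, "101"), src, dst) == "permit":
        return "tunnel"
    return "nat" if translated else "untranslated"


# Constructed from the Site 1 configuration on this page.
SITE1_ACLS = [
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 150 permit ip 192.168.1.0 0.0.0.255 any",
]
# Constructed mistake: the NAT exemption (deny) entry has been left out.
SITE1_ACLS_NO_EXEMPT = [SITE1_ACLS[0], SITE1_ACLS[2]]

if __name__ == "__main__":
    for flow in (("192.168.1.5", "192.168.2.10"), ("192.168.1.5", "203.0.113.7"),
                 ("10.9.8.7", "203.0.113.7")):
        print(flow, "->", classify(SITE1_ACLS, *flow))
    print("without the deny entry:", classify(SITE1_ACLS_NO_EXEMPT, "192.168.1.5", "192.168.2.10"))
```

With the deny entry in place, Site 1 to Site 2 traffic is left untranslated and encrypted, Internet-bound traffic is translated, and a host outside 192.168.1.0/24 is neither. Without the deny entry the very same Site 1 to Site 2 flow is translated first and then fails to match the crypto ACL, so it leaves in the clear instead of through the tunnel.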

Site 2 – Router VPN Configuration Steps (Scenario A)

IKE

o        Create an IKE key policy. The policy number “9” distinguishes it from all other IKE policies that may be configured. This policy requires a pre-shared key.

 crypto isakmp policy 9
  hash md5
  authentication pre-share

o        Configure a VPN shared key that can be used between this site and the VPN site at 97.158.253.25

 crypto isakmp key VPNsecretPASSWORD address 97.158.253.25

IPSec

o        Set a lifetime for the IPSec Security Associations

 crypto ipsec security-association lifetime seconds 86400

o        Configure an access list to define the valid traffic to be directed through the VPN from 192.168.2.0 to 192.168.1.0 (the mirror image of the Site 1 access list)

 access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

o        Define which transformations will be used to shield the VPN traffic with the “crypto ipsec transform-set” command. Each set can be given its own name.

 crypto ipsec transform-set s2s1trans esp-des esp-md5-hmac

If the remote site prefers to use the more secure 3DES method (Linux FreeS/WAN only does 3DES), then you may want to replace the above statement with this one:

 crypto ipsec transform-set s2s1trans esp-3des esp-md5-hmac

o        Create a crypto map to match the valid traffic, the transform set and the security-association lifetime with the VPN peer router/firewall at the other site

 crypto map to-site1 10 ipsec-isakmp
  set peer 97.158.253.25
  set transform-set s2s1trans
  match address 101

o        Bind the crypto map to the external interface of the router

 interface Ethernet1
  crypto map to-site1

Site 2 – Configuration Example (Scenario A)

Their SOHO Router (Site #2)

Current Configuration:

!
version 12.1
service timestamps debug uptime
service timestamps log uptime
!
hostname soho2
!
ip subnet-zero
no ip domain-lookup
!
! * Configure IKE properties
!
crypto isakmp policy 9
 authentication pre-share
 hash md5
crypto isakmp key VPNsecretPASSWORD address 97.158.253.25
!
! * Configure IPSec properties
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set s2s1trans esp-des esp-md5-hmac
!
! * If the remote site prefers to use 3DES (Linux FreeS/WAN only does 3DES), then you may want to
! * replace the above statement with this one:
! *
! * crypto ipsec transform-set s2s1trans esp-3des esp-md5-hmac
!
! * Define the Site2 to Site1 traffic to be encrypted
!
crypto map to-site1 10 ipsec-isakmp
 set peer 97.158.253.25
 set transform-set s2s1trans
 match address 101
!
! * Encryption will be done according to the crypto
! * map statement
!
interface Ethernet1
 ip address 6.25.232.1 255.255.255.248
 ip nat outside
 crypto map to-site1
!
! * Give the protected interface an IP address and
! * let it know that it should do NAT as a protected
! * “inside” interface
!
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
! * Tells the router to NAT all traffic that passes through it:
! * 1) From the inside to the outside,
! * 2) And whose IP address matches those in route map “nonat”
! * 3) Must get an outside “public” address that is the same as
! *    interface ethernet1
! *
! * Replaces the following command used on the basic DSL router page
! *
! * ip nat inside source list 1 interface ethernet1 overload
!
ip nat inside source route-map nonat interface ethernet1 overload
!
! * Set your default gateway as provided by your ISP
! * Set a route to Site1 via the Tunnel IP of the router
! * at Site1
!
ip classless
ip route 0.0.0.0 0.0.0.0 6.25.232.6
!
! * Encrypt all traffic passing over the tunnel interface
! * between the two sites
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! * ACL used by route map “nonat” to exclude traffic between
! * Site1 and Site2
! * from the NAT process, as this will pass through the VPN tunnel
!
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
!
! * Use a route map to define which traffic from the private
! * network should be included in the NAT process:
!
route-map nonat permit 10
 match ip address 150

Site 2 – PIX Firewall VPN Config. Steps (Scenario B)

IKE

o        Plan on creating an IPSec policy with a unique identifier number. The PIX will check each set of configured numbered policies for IKE until it achieves success. In this case we’ll only use one policy, “20”.

o        Define the type of encryption to be used (DES or 3DES)

 isakmp policy 20 encryption des

o        Define the hashing method for authentication (SHA or MD5)

 isakmp policy 20 hash md5

o        Define the overall authentication method (pre-shared key or rsa-sig). We’ll use the simpler pre-shared method.

 isakmp policy 20 authentication pre-share

o        Define the shared key to be used.

 isakmp key VPNsecretPASSWORD address 97.158.253.25 netmask 255.255.255.255

o        Specify how the hosts will identify themselves to one another (by address or hostname). The same method should be used on both ends.

 isakmp identity address

o        Enable ISAKMP on the external interface of the PIX

 isakmp enable outside

IPSec

o        Configure an access list to define the valid traffic to be directed through the VPN from 192.168.2.0 to 192.168.1.0. Note that PIX access lists take a regular subnet mask, not the IOS wildcard mask.

 access-list ipsec permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

o        Define which transformations will be used to shield the VPN traffic with the “crypto ipsec transform-set” command. Each set can be given its own name, in this case “s2s1trans”.

 crypto ipsec transform-set s2s1trans esp-des esp-md5-hmac

If the remote site prefers to use the more secure 3DES method (Linux FreeS/WAN only does 3DES), then you may want to replace the above statement with this one:

 crypto ipsec transform-set s2s1trans esp-3des esp-md5-hmac

o        Create a crypto map to match the valid traffic, the transform set and the security-association lifetime with the VPN peer router/firewall at the other site.

 crypto map s2s1ipsec 10 ipsec-isakmp
 crypto map s2s1ipsec 10 match address ipsec
 crypto map s2s1ipsec 10 set peer 97.158.253.25
 crypto map s2s1ipsec 10 set transform-set s2s1trans
 crypto map s2s1ipsec 10 set security-association lifetime seconds 86400

In this case the crypto map is named “s2s1ipsec” and each statement has a sequence number or “ranking” of “10”. Statements with lower sequence numbers are considered before those with higher values.

Just like the routers, you can add more statements for tunnels to other remote VPN devices. You just have to remember to make sure that:

+        the crypto map statements referring to each remote site use a unique sequence number,

+        the shared secrets match and

+        corresponding ACLs are created.

o        Bind the crypto map to the external interface on which VPN traffic will originate

 crypto map s2s1ipsec interface outside

o        Let the PIX’s ASA always implicitly allow IPSec traffic through

 sysopt connection permit-ipsec
Site 2 – Configuration Example (Scenario B)

Here is a sample configuration for Site 2 when using a PIX firewall. There are a number of fully commented sample PIX configurations in the appendix in which each line is explained.

Our SOHO PIX (Site #2)

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password uR0ZSMuMGz09CMpz encrypted
passwd uR0ZSMuMGz09CMpz encrypted
hostname ciscopix
domain-name stcla1.sfba.home.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
!
! * Allow IPSec traffic from Site2’s private
! * network to Site1’s private network
!
access-list ipsec permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! * Do not Network Address Translate (NAT) traffic
! * originating on Site2’s private network destined
! * to Site1’s private network. This ACL is the first
! * step.
!
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 25
logging on
logging timestamp
logging trap warnings
logging history warnings
logging facility 22
logging host inside 192.168.2.237
interface ethernet0 10baset
interface ethernet1 10full
icmp deny any outside
mtu outside 1500
mtu inside 1500
!
! * Set up the IP addresses of the interfaces
!
ip address outside 6.25.232.1 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
!
! * Do not NAT traffic that matches access list “nonat”,
! * NAT everything else
!
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 6.25.232.6 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ntp server 192.168.2.237 source inside
http server enable
http 192.168.2.0 255.255.255.0 inside
snmp-server host inside 192.168.2.237
no snmp-server location
no snmp-server contact
snmp-server community passwdboo
snmp-server enable traps
tftp-server inside 192.168.2.237 /ciscopix-confg
floodguard enable
no sysopt route dnat
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 15
dhcpd address 192.168.2.20-192.168.2.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
!
! * IPSec policies:
!
sysopt connection permit-ipsec
crypto ipsec transform-set s2s1trans esp-des esp-md5-hmac
!
! * If the remote site prefers to use the more secure 3DES method (Linux FreeS/WAN only does 3DES),
! * then you may want to replace the above statement with this one:
!
! * crypto ipsec transform-set s2s1trans esp-3des esp-md5-hmac
!
crypto map s2s1ipsec 10 ipsec-isakmp
crypto map s2s1ipsec 10 match address ipsec
crypto map s2s1ipsec 10 set peer 97.158.253.25
crypto map s2s1ipsec 10 set transform-set s2s1trans
crypto map s2s1ipsec 10 set security-association lifetime seconds 86400
crypto map s2s1ipsec interface outside
!
! * IKE policies:
!
isakmp enable outside
isakmp key VPNsecretPASSWORD address 97.158.253.25 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
terminal width 80
Cryptochecksum:3af43873d35d6f0651f8c999180c2342
: end

 


Troubleshooting Cisco VPNs

Cisco provides a number of commands to test the status of your site-to-site VPN tunnel. If your tunnel fails to be created you’ll need to ensure that all the parameters are set up correctly. The most common failure I’ve seen is having mismatched isakmp transform sets.

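Most of the parameters in the Site 1 and Site 2 router configurations must either agree (pre-shared key, transform set) or mirror each other (peer addresses, crypto ACLs), and the Site 2 steps are essentially a mirror image of Site 1's. The following Python script is an added example, not from this page or from Cisco, that parses the IOS commands used in this tutorial for two peers and lists the mismatches that keep a tunnel from coming up; the configuration strings are constructed from the page's values, the deliberately broken variant reproduces a copy-and-paste mistake, and the names (parse_site, check_pair, CryptoSite) are mine. PIX syntax is not handled.

```python
"""Cross-check the IKE/IPsec parameters of two IOS site-to-site peers.

Added example, not from the original page: parses the IOS commands the
tutorial uses and reports the mismatches that keep a pre-shared-key tunnel
down. Sample configs are constructed from the page's values; PIX syntax is not handled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CryptoSite:
    name: str
    outside_ip: Optional[str] = None   # address of the interface the crypto map is bound to
    peer: Optional[str] = None         # set peer
    transform: Optional[str] = None    # set transform-set
    acl: Optional[str] = None          # match address
    psk: Dict[str, str] = field(default_factory=dict)        # peer address -> key
    transform_sets: Dict[str, tuple] = field(default_factory=dict)
    acls: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)  # permit (src, dst)


def _addr(t: List[str], i: int) -> Tuple[str, int]:
    # one ACL address operand ('any' or 'addr wildcard') and the index after it
    return ("any", i + 1) if t[i] == "any" else (f"{t[i]} {t[i + 1]}", i + 2)


def parse_site(name: str, config: str) -> CryptoSite:
    """Minimal IOS parser; tracks the interface or crypto map block a line belongs to."""
    site, block, iface_ip = CryptoSite(name), None, {}
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "interface":
            block = ("if", t[1])
        elif t[:2] == ["crypto", "map"] and len(t) == 5 and t[4] == "ipsec-isakmp":
            block = ("map", t[2], t[3])
        elif t[:3] == ["crypto", "isakmp", "key"] and t[4] == "address":
            site.psk[t[5]] = t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            site.transform_sets[t[3]] = tuple(t[4:])
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _addr(t, 4)
            site.acls.setdefault(t[1], []).append((src, _addr(t, i)[0]))
        elif block and block[0] == "if":
            if t[:2] == ["ip", "address"]:
                iface_ip[block[1]] = t[2]
            elif t[:2] == ["crypto", "map"]:   # IOS prints 'ip address' before 'crypto map'
                site.outside_ip = iface_ip.get(block[1])
        elif block and block[0] == "map":
            if t[:2] == ["set", "peer"]:
                site.peer = t[2]
            elif t[:2] == ["set", "transform-set"]:
                site.transform = t[2]
            elif t[:2] == ["match", "address"]:
                site.acl = t[2]
    return site


def check_pair(a: CryptoSite, b: CryptoSite) -> List[str]:
    """Return findings; an empty list means the two sides agree."""
    out: List[str] = []
    for local, remote in ((a, b), (b, a)):
        if local.peer != remote.outside_ip:
            out.append(f"{local.name}: set peer {local.peer}, but {remote.name} is at {remote.outside_ip}")
        if local.peer not in local.psk:
            out.append(f"{local.name}: no crypto isakmp key for peer {local.peer}")
        if local.transform not in local.transform_sets:
            out.append(f"{local.name}: crypto map uses undefined transform-set {local.transform}")
    if len({s.psk.get(s.peer) for s in (a, b)}) != 1:
        out.append("pre-shared keys differ between the two sides")
    if a.transform_sets.get(a.transform) != b.transform_sets.get(b.transform):
        out.append("transform sets differ (ESP cipher and HMAC must match on both ends)")
    mirrored = {(dst, src) for src, dst in b.acls.get(b.acl, [])}
    if set(a.acls.get(a.acl, [])) != mirrored:
        out.append("crypto ACLs are not mirror images of each other")
    return out


IOS_TEMPLATE = """\
crypto isakmp key {key} address {peer}
crypto ipsec transform-set {ts} esp-des esp-md5-hmac
crypto map {cmap} 10 ipsec-isakmp
 set peer {peer}
 set transform-set {ts}
 match address 101
interface {iface}
 ip address {outside} 255.255.255.248
 crypto map {cmap}
access-list 101 permit ip {src} 0.0.0.255 {dst} 0.0.0.255
"""
SITE1 = IOS_TEMPLATE.format(key="VPNsecretPASSWORD", peer="6.25.232.1", ts="s1s2trans", cmap="to-site2",
                            iface="BVI1", outside="97.158.253.25", src="192.168.1.0", dst="192.168.2.0")
SITE2_OK = IOS_TEMPLATE.format(key="VPNsecretPASSWORD", peer="97.158.253.25", ts="s2s1trans", cmap="to-site1",
                               iface="Ethernet1", outside="6.25.232.1", src="192.168.2.0", dst="192.168.1.0")
# Constructed mistake: Site 1's peer address and ACL pasted into Site 2 unchanged.
SITE2_BAD = (SITE2_OK.replace("set peer 97.158.253.25", "set peer 6.25.232.1")
             .replace("ip 192.168.2.0 0.0.0.255 192.168.1.0", "ip 192.168.1.0 0.0.0.255 192.168.2.0"))
```

Running check_pair(parse_site("soho1", SITE1), parse_site("soho2", SITE2_OK)) returns no findings, while the copy-pasted variant reports the wrong peer, the missing pre-shared key for that peer, the resulting key mismatch and the crypto ACL that is no longer a mirror image. Run it against both sides' running configurations before spending time in debug output.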
Displaying the Key Exchange Status

The “show crypto isakmp sa” command works on both routers and PIX firewalls and is used to determine whether the first phase of the VPN tunnel establishment (the isakmp key exchange) was successful. In the example below Sites 1 and 2 have a working tunnel, with the status output showing the Internet IP addresses of the VPN devices at both ends of the tunnel.

soho1# show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src      state     pending   created
 6.25.232.1       97.158.253.25    QM_IDLE         0           0
soho1#

Displaying the IPSec Tunnel Status

The “show crypto ipsec sa” command works on both routers and PIX firewalls and is used to determine whether the second phase of the VPN tunnel establishment (IPSec) was successful. In the example below Sites 1 and 2 have a working tunnel, with the status output showing the Internet IP addresses of the VPN devices at both ends of the tunnel.

soho1# sh crypto ipsec sa

interface: BVI1
    Crypto map tag: to-site2, local addr. 97.158.253.25

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 6.25.232.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 871118, #pkts encrypt: 871118, #pkts digest 871118
    #pkts decaps: 917581, #pkts decrypt: 917581, #pkts verify 917581
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 99, #recv errors 0

     local crypto endpt.: 97.158.253.25, remote crypto endpt.: 6.25.232.1
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 95992f5

     inbound esp sas:
      spi: 0xe43e931d(3829306141)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 6, crypto map: to-site2
        sa timing: remaining key lifetime (k/sec): (4601836/22657)
        IV size: 8 bytes
        replay detection support: Y

     …
     …

     outbound esp sas:
      spi: 0x95992f5(156865269)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5, crypto map: to-site2
        sa timing: remaining key lifetime (k/sec): (4605007/22656)
        IV size: 8 bytes
        replay detection support: Y
     …
     …

soho1#

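To act on the two show commands from a script or a monitoring job, the status output has to be parsed rather than read by eye. The following Python script is an added example (not from the page and not a Cisco tool) that parses constructed samples of the two outputs shown above and turns them into a verdict: phase 1 is up when an SA is in QM_IDLE, phase 2 is up when both an inbound and an outbound ESP SA exist, and traffic that is encapsulated but never decapsulated points at a one-way problem. The field layout follows the IOS 12.1 output shown; the function names are mine.

```python
"""Summarise tunnel health from IOS 'show crypto isakmp sa' / 'show crypto ipsec sa'.

Added example, not from the original page: two small parsers for the status
output shown above plus a verdict function. The sample output is constructed
from the page's soho1 capture (Site 1 local, Site 2 peer); the field layout
follows IOS 12.1.
"""
import re
from typing import Dict, List

# Constructed sample: phase 1 complete (QM_IDLE), phase 2 passing traffic both ways.
ISAKMP_SA = """\
Total     : 1
Embryonic : 0
        dst               src      state     pending   created
 6.25.232.1       97.158.253.25    QM_IDLE         0           0
"""
IPSEC_SA = """\
interface: BVI1
    Crypto map tag: to-site2, local addr. 97.158.253.25
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 6.25.232.1:500
    #pkts encaps: 871118, #pkts encrypt: 871118, #pkts digest 871118
    #pkts decaps: 917581, #pkts decrypt: 917581, #pkts verify 917581
    #send errors 99, #recv errors 0
     inbound esp sas:
      spi: 0xe43e931d(3829306141)
        transform: esp-des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4601836/22657)
     outbound esp sas:
      spi: 0x95992f5(156865269)
        transform: esp-des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4605007/22656)
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """One dict per IKE SA row: dst, src and state (QM_IDLE means phase 1 is complete)."""
    rows = []
    for line in text.splitlines():
        m = re.match(rf"\s*{IPV4}\s+{IPV4}\s+(\S+)", line)
        if m:
            rows.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3)})
    return rows


def parse_ipsec_sa(text: str) -> Dict[str, object]:
    """Peer, packet counters, errors and per-direction SPI / remaining lifetime."""
    info = {"spi": {}, "lifetime_sec": {}}
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(rf"current_peer: {IPV4}", line):
            info["peer"] = m.group(1)
        for key in ("encaps", "decaps"):
            if m := re.search(rf"#pkts {key}: (\d+)", line):
                info[key] = int(m.group(1))
        if m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            info["send_errors"], info["recv_errors"] = int(m.group(1)), int(m.group(2))
        if line.endswith("esp sas:"):
            direction = line.split()[0]            # "inbound" or "outbound"
        if direction and (m := re.match(r"spi: (0x[0-9a-f]+)", line)):
            info["spi"][direction] = m.group(1)
        if direction and (m := re.search(r"\(k/sec\): \((\d+)/(\d+)\)", line)):
            info["lifetime_sec"][direction] = int(m.group(2))
    return info


def assess(isakmp_output: str, ipsec_output: str) -> Dict[str, object]:
    """Combine both outputs into a verdict a runbook can act on."""
    phase1 = any(r["state"] == "QM_IDLE" for r in parse_isakmp_sa(isakmp_output))
    sa = parse_ipsec_sa(ipsec_output)
    phase2 = {"inbound", "outbound"} <= set(sa["spi"])
    encaps, decaps = sa.get("encaps", 0), sa.get("decaps", 0)
    if not phase1:
        verdict = "phase1-down"      # check isakmp policies and the pre-shared key
    elif not phase2:
        verdict = "phase2-down"      # check transform sets and crypto ACLs
    elif encaps and not decaps:
        verdict = "one-way"          # we encrypt, nothing returns: remote ACL or NAT exemption
    else:
        verdict = "up"
    return {"phase1": phase1, "phase2": phase2, "verdict": verdict,
            "peer": sa.get("peer"), "encaps": encaps, "decaps": decaps,
            "send_errors": sa.get("send_errors", 0)}


if __name__ == "__main__":
    print(assess(ISAKMP_SA, IPSEC_SA))
```

The same two parsers give a quick answer to the question the prose above asks by hand: a row in QM_IDLE means phase 1 succeeded, and a pair of ESP SAs with both counters advancing means phase 2 is carrying traffic. Swapping QM_IDLE for MM_NO_STATE in the sample, or zeroing the decaps counter, moves the verdict to phase1-down or one-way respectively.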
Debugging

Cisco has the very useful debug set of commands, which you can use to follow the sequence of events that occur during the establishment of the VPN tunnel. Unfortunately the use of the debug command is beyond the scope of this book.