Saturday, June 25, 2011

Cisco IOS to ASA (8.4) - Basic IPSec Site-to-Site VPN

R1 - 

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ipexpert address 10.1.1.2

crypto ipsec transform-set oscar esp-3des esp-md5-hmac 

crypto map shelby 1 ipsec-isakmp 
 set peer 10.1.1.2
 set transform-set oscar 
 match address 100

access-list 100 permit ip host 2.2.2.2 host 1.1.1.1

interface FastEthernet0/0
 ip address 10.1.1.25 255.255.255.0
 duplex auto
 speed auto
 crypto map shelby

****************************
ASA -

crypto ipsec ikev1 transform-set oscar esp-3des esp-md5-hmac 

crypto map shelby 1 match address abby
crypto map shelby 1 set peer 10.1.1.25 
crypto map shelby 1 set ikev1 transform-set oscar
crypto map shelby interface outside

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

! tunnel-group "adrian" is a leftover that a pre-shared-key L2L peer never matches:
! the ASA selects the tunnel-group named after the peer address (10.1.1.25 below)
tunnel-group adrian type ipsec-l2l
tunnel-group 10.1.1.25 type ipsec-l2l
tunnel-group 10.1.1.25 ipsec-attributes
 ikev1 pre-shared-key *****
! (key redacted) it must equal the key R1 configures with "crypto isakmp key ... address 10.1.1.2"

access-list abby extended permit ip host 2.2.2.2 host 1.1.1.1
access-list abby extended permit ip host 1.1.1.1 host 2.2.2.2
! only the entry whose source is the host on the ASA side (the mirror of R1's
! access-list 100) is needed; the ASA derives the return direction itself
  


Monday, June 20, 2011

Cisco IOS - Basic IPSec Site-to-Site VPN

This is the basic configuration needed to bring up an IPSec tunnel between two IOS routers (this was done on a pair of 2801s).

Please keep in mind that the names used do not have to match on both sides.

R1


crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key c1sco address 10.1.12.2

crypto ipsec transform-set shelby esp-3des esp-md5-hmac

crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.2
 set transform-set shelby
 match address 100

interface Serial0/3/0
 ip address 10.1.12.1 255.255.255.0
 clock rate 64000
 crypto map CMAP



interface Loopback0
 ip address 1.1.1.1 255.255.255.255


ip route 2.2.2.0 255.255.255.0 10.1.12.2

access-list 100 permit ip host 1.1.1.1 host 2.2.2.2

r1#ping 2.2.2.2 source lo0

Packet sent with a source address of 1.1.1.1
!!!!!

r1#show crypto session  
     
Crypto session current status

Interface: Serial0/3/0
Session status: UP-ACTIVE  
Peer: 10.1.12.2 port 500
  IKE SA: local 10.1.12.1/500 remote 10.1.12.2/500 Active
  IPSEC FLOW: permit ip host 1.1.1.1 host 2.2.2.2
        Active SAs: 2, origin: crypto map

*************

R2

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp key c1sco address 10.1.12.1

crypto ipsec transform-set shelby esp-3des esp-md5-hmac

crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.1
 set transform-set shelby
 match address 100

interface Loopback0
 ip address 2.2.2.2 255.255.255.255

interface Serial0/3/0
 ip address 10.1.12.2 255.255.255.0
 crypto map CMAP

ip route 1.1.1.0 255.255.255.0 10.1.12.1

access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
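As an added check (example code, not from the original post): a small Python script that parses the R1/R2 crypto lines from the post above and verifies that the two ends mirror each other, i.e. that set peer points at the far side's crypto-map interface, that the isakmp key address matches set peer, and that the crypto ACLs are mirror images. It understands only the IOS syntax used here and on the IOS side of the IOS-to-ASA post, not the ASA crypto map form; the embedded configs are copied from this post with the ISAKMP policy and transform-set lines left out.

```python
import re

# R1/R2 crypto lines copied from the post above (ISAKMP policy and transform-set lines omitted).
R1 = """\
crypto isakmp key c1sco address 10.1.12.2
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.2
 match address 100
interface Serial0/3/0
 ip address 10.1.12.1 255.255.255.0
 crypto map CMAP
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
"""
R2 = """\
crypto isakmp key c1sco address 10.1.12.1
crypto map CMAP 10 ipsec-isakmp
 set peer 10.1.12.1
 match address 100
interface Serial0/3/0
 ip address 10.1.12.2 255.255.255.0
 crypto map CMAP
access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
"""

def parse(cfg):
    # Pull out the fields that have to agree between the two tunnel endpoints.
    c, acls, ip = {}, {}, None
    for s in (line.strip() for line in cfg.splitlines()):
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", s):
            c["key_addr"] = m[1]
        elif m := re.match(r"set peer (\S+)", s):
            c["peer"] = m[1]
        elif m := re.match(r"match address (\S+)", s):
            c["acl"] = m[1]
        elif m := re.match(r"ip address (\S+) \S+", s):
            ip = m[1]                      # interface address, recorded when ...
        elif re.match(r"crypto map \S+$", s):
            c["if_ip"] = ip                # ... a crypto map is bound to that interface
        elif m := re.match(r"access-list (\S+) permit ip host (\S+) host (\S+)", s):
            acls.setdefault(m[1], set()).add((m[2], m[3]))
    c["flows"] = acls.get(c.get("acl"), set())   # (src, dst) pairs of the crypto ACL in use
    return c

def mirror_problems(a, b):
    # Mismatches that would keep endpoint a from bringing up the tunnel to endpoint b.
    checks = [
        (a["peer"] == b["if_ip"], f"set peer {a['peer']} is not b's crypto-map interface {b['if_ip']}"),
        (a["key_addr"] == a["peer"], "crypto isakmp key address differs from set peer"),
        ({(d, s) for s, d in a["flows"]} == b["flows"], "crypto ACL is not the mirror of b's"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run `mirror_problems(parse(R1), parse(R2))` in both directions; an empty list means the two configs agree.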

Tuesday, June 14, 2011

IPSEC - ISAKMP Perfect Forward Secrecy / Diffie-Hellman

Diffie-Hellman (DH)

Diffie-Hellman (DH) is a public-key cryptography protocol that allows two devices to establish a shared secret over an insecure communications channel (it is used in ISAKMP Phase 1 and, when PFS is enabled, again in IPSec Phase 2).

Diffie-Hellman Group 1 — 768-bit DH group.

Diffie-Hellman Group 2 — 1024-bit DH group.

Diffie-Hellman Group 5 — 1536-bit DH group.

________________________

Perfect Forward Secrecy (PFS)

PFS determines the length (complexity) of the IPSec "session keys" that encrypt and decrypt the data in the IPSec tunnel (the IPSec Security Association, or SA); those keys are derived from the public and private DH values.

PFS has four groups:

Group 1: specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Group 2: specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Group 5: specifies that IPSec should use the 1536-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Group 7: specifies that IPSec should use group 7 (ECC), where the elliptic curve field size is 163 bits, for example with the movianVPN client.

The crypto map set pfs command makes IPSec request Perfect Forward Secrecy (PFS) when new security associations are negotiated for this crypto map entry, and require PFS when it receives requests for new security associations.

To specify that IPSec should not request PFS, issue the no crypto map set pfs command. This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.
Note: by default, PFS is not requested.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time.

PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key is compromised. During negotiation, the crypto map set pfs command causes IPSec to request PFS when new security associations are requested for the crypto map entry.

The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local configuration specifies PFS, the peer must perform a PFS exchange or the negotiation fails.

If the local configuration does not specify a group, a default of group1 is assumed and an offer of either group1 or group2 is accepted. If the local configuration specifies group2, that group must be part of the peer offer or the negotiation fails.
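An added example in Python (not part of the original post) that ties the two halves together: a Diffie-Hellman exchange over the real IKE group 2 modulus (the `group 2` used in the router configs above, RFC 2409 section 6.2), followed by the RFC 2409 KEYMAT derivation with and without the fresh Quick Mode DH secret that PFS adds. SKEYID_d, the SPI and the nonces are constructed sample values; the derivation is simplified to a single prf block with HMAC-MD5 as the prf (matching `hash md5`).

```python
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2: the 1024-bit MODP prime of IKE "group 2" (the DH group
# the router configs above use) with generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19)):
    """Miller-Rabin with fixed bases; enough to catch a mistyped modulus."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dh_exchange(p=GROUP2_P, g=GROUP2_G):
    """One DH exchange; both sides derive the same g^xy mod p from the public values."""
    x = secrets.randbelow(p - 3) + 2         # initiator's private exponent
    y = secrets.randbelow(p - 3) + 2         # responder's private exponent
    gx, gy = pow(g, x, p), pow(g, y, p)      # public values, sent in the clear
    if not all(2 <= pub <= p - 2 for pub in (gx, gy)):
        raise ValueError("degenerate DH public value")
    k_init, k_resp = pow(gy, x, p), pow(gx, y, p)
    assert k_init == k_resp
    return k_init

def ipsec_keymat(skeyid_d, spi, ni, nr, gxy=None):
    """RFC 2409 5.5, first prf block only, ESP protocol id 3, prf = HMAC-MD5 ('hash md5'):
    KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    With PFS the fresh Quick Mode secret g(qm)^xy is included; without PFS it is absent."""
    material = b"" if gxy is None else gxy.to_bytes(128, "big")
    material += bytes([3]) + spi + ni + nr
    return hmac.new(skeyid_d, material, hashlib.md5).digest()
```

Without PFS, anyone holding SKEYID_d can recompute every SA's KEYMAT from the SPI and nonces visible on the wire; with PFS each rekey also needs that rekey's own g^xy, which is the property the text above describes.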