Learn the accomplish for configuring a defended site-to-site Basic Clandestine Arrangement (VPN) with Cisco routers.
Copyright (c) 2008 Don R. Crawley
A site-to-site basic clandestine arrangement (VPN) allows you to advance a defended "always-on" affiliation amid two physically abstracted sites application an absolute non-secure arrangement such as the accessible Internet. Cartage amid the two sites is transmitted over an encrypted adit to anticipate concern or added types of abstracts attacks.
This agreement requires an IOS software angel that supports cryptography. The one acclimated in the examples is c870-advipservicesk9-mz.124-15.T6.bin.
There are several protocols acclimated in creating the VPN including protocols acclimated for a key barter amid the peers, those acclimated to encrypt the tunnel, and hashing technologies which aftermath bulletin digests.
VPN Protocols
IPSec: Internet Agreement Aegis (IPSec) is a apartment of protocols that are acclimated to defended IP communications. IPSec involves both key exchanges and adit encryption. You can anticipate of IPSec as a framework for implementing security. When creating an IPSec VPN, you can accept from a array of aegis technologies to apparatus the tunnel.
ISAKMP (IKE): Internet Aegis Association and Key Management Agreement (ISAKMP) provides a agency for acceptance the aeon in a defended communication. It about uses Internet Key Barter (IKE), but added technologies can aswell be used. Accessible keys or a pre-shared key are acclimated to accredit the parties to the communication.
MD5: Message-Digest algorithm 5 (MD5) is an about used, but partially afraid cryptographic assortment action with a 128-bit assortment value. A cryptographic assortment action is a way of demography an approximate block of abstracts and abiding a fixed-size bit string, the assortment amount based on the aboriginal block of data. The hashing action is advised so that a change to the abstracts will aswell change the assortment value. The assortment amount is aswell alleged the bulletin digest.
SHA: Defended Assortment Algorithm (SHA) is a set of cryptographic assortment functions advised by the National Aegis Agency (NSA). The three SHA algorithms are structured abnormally and are acclaimed as SHA-0,SHA-1, and SHA-2. SHA-1 is a frequently acclimated hashing algorithm with a accepted key breadth of 160 bits.
ESP: Encapsulating Aegis Payload (ESP) is a affiliate of the IPsec agreement apartment that provides agent authenticity, integrity, and acquaintance aegis of packets. ESP aswell supports encryption-only and authentication-only configurations, but application encryption after affidavit is acerb beat because it is insecure. Unlike the added IPsec protocol, Affidavit Attack (AH), ESP does not assure the IP packet header. This aberration makes ESP adopted for use in a Arrangement Abode Translation configuration. ESP operates anon on top of IP, application IP agreement amount 50.
DES: The Abstracts Encryption Accepted (DES) provides 56-bit encryption. It is no best advised a defended agreement because its abbreviate key-length makes it accessible to brute-force attacks.
3DES: Three DES was advised to affected the limitations and weaknesses of DES by application three altered 56-bit keys in a encrypting, decrypting, and re-encrypting operation. 3DES keys are 168 $.25 in length. When application 3DES, the abstracts is aboriginal encrypted with one 56-bit key, again decrypted with a altered 56-bit key, the achievement of which is again re-encrypted with a third 56-bit key.
AES: The Advanced Encryption Accepted (AES) was advised as a backup for DES and 3DES. It is accessible in capricious key lengths and is about advised to be about six times faster than 3DES.
HMAC: The Hashing Bulletin Affidavit Cipher (HMAC) is a blazon of bulletin affidavit cipher (MAC). HMAC is affected application a specific algorithm involving a cryptographic assortment action in aggregate with a abstruse key.
Configuring a Site-to-Site VPN
The action of configuring a site-to-site VPN involves several steps:
Phase One agreement involves configuring the key exchange. This action uses ISAKMP to assay the hashing algorithm and affidavit method. It is aswell one of two places area you accept to assay the accessory at the adverse end of the tunnel. In this example, we chose SHA as the hashing algorithm due to its added able-bodied nature, including its 160-bit key. The key "vpnkey" accept to be identical on both ends of the tunnel. The abode "192.168.16.105" is the alfresco interface of the router at the adverse end of the tunnel.
Sample appearance one configuration:
tukwila(config)#crypto isakmp action 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#crypto isakmp key vpnkey abode 192.168.16.105
Phase Two agreement involves configuring the encrypted tunnel. In Appearance Two configuration, you actualize and name a transform set which identifies the encrypting protocols acclimated to actualize the defended tunnel. You accept to aswell actualize a crypto map in which you assay the accessory at the adverse end of the tunnel, specify the transform-set to be used, and specify which admission ascendancy account will assay acceptable cartage flows. In this example, we chose AES due to its acute aegis and added performance. The account "set accessory 192.168.16.25" identifies the alfresco interface of the router at the adverse end of the tunnel. The account "set transform-set vpnset" tells the router to use the ambit authentic in the transform-set vpnset in this tunnel. The "match abode 100" account is acclimated to accessory the adit with access-list 100 which will be authentic later.
Sample appearance two configuration:
tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
tukwila(cfg-crypto-trans)#exit
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% NOTE: This new crypto map will abide disabled until a peer
and a accurate admission account accept been configured.
tukwila(config-crypto-map)#set accessory 192.168.16.105
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match abode 100
The crypto map accept to be activated to your alfresco interface (in this example, interface FastEthernet 4):
tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset
You accept to actualize an admission ascendancy account to absolutely acquiesce cartage from the router's central LAN beyond the adit to the added router's central LAN (in this example, the router tukwila's central LAN arrangement abode is 10.10.10.0/24 and the added router's central LAN arrangement abode is 10.20.0.0/24):
tukwila(config)#access-list 100 admittance ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255
(For added advice about the syntax of access-control lists, see my added online writing on creating and managing Cisco router access-control lists.)
You accept to aswell actualize a absence aperture (also accepted as the "gateway of endure resort"). In this example, the absence aperture is at 192.168.16.1:
tukwila(config)#ip avenue 0.0.0.0 0.0.0.0 192.168.16.1
Verifying VPN Connections
The afterward two commands can be acclimated to verify VPN connections:
Router#show crypto ipsec sa
This command displays the settings acclimated by the accepted Aegis Associations (SAs).
Router#show crypto isakmp sa
This command displays accepted IKE Aegis Associations.
Troubleshooting VPN Connections
After acknowledging concrete connectivityHealth Fitness Articles, analysis both ends of the VPN affiliation to ensure they mirror anniversary other.
Use debugging to assay VPN affiliation difficulties:
Router#debug crypto isakmp
This command allows you to beam Appearance 1 ISAKMP negotiations.
Router#debug crypto ipsec
This command allows you to beam Appearance 2 IPSec negotiations.
0 comments:
Post a Comment