Wednesday, May 18, 2011

IPsec Configuration

Sample IPsec-Based VPN Network

IPsec configuration on RT1:
hostname RT1
!
! IKE Phase 1 (ISAKMP) policy: 3DES encryption, pre-shared key, DH group 2
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! Pre-shared key bound to the peer address (a 0.0.0.0 0.0.0.0 wildcard would accept any peer that knows the key)
crypto isakmp key CISCO-1234 address 10.10.10.2
!
! IKE Phase 2 (IPsec SA) transform set: ESP with 3DES and SHA-1 HMAC
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Crypto map entry ties the peer, the transform set and the interesting traffic (ACL 102) together
crypto map CMAP-Site2 1 ipsec-isakmp
 description *** IPsec Tunnel to RT2 ***
 set peer 10.10.10.2
 set transform-set ESP-3DES-SHA
 match address 102
!
! The crypto map only takes effect on the interface it is applied to
interface Serial1/0
 crypto map CMAP-Site2
!
! Route to the remote LAN via the peer so the traffic leaves through the crypto map interface
ip route 172.16.2.0 255.255.255.0 10.10.10.2
!
! Interesting traffic: local 172.16.1.0/24 to remote 172.16.2.0/24 (RT2 needs the mirror image)
access-list 102 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

IPsec configuration starts with the ISAKMP protection suite. The crypto isakmp policy global configuration command defines an ISAKMP policy. Multiple policies can be defined; the priority number (1 is the highest) determines the order in which the policies are offered during the IKE Phase 1 negotiation, and the first policy that both peers share is used.

The authentication pre-share ISAKMP subcommand tells IKE to authenticate the peer with the manually configured key from the crypto isakmp key global configuration command. The key must match on both peers, and it is stored in the running configuration, so treat it like any other credential.
Note: The other two options besides the pre-share keyword are rsa-encr and rsa-sig, which configure RSA encrypted nonces and RSA signatures respectively. rsa-sig authenticates peers with digital certificates issued by a CA (Certification Authority); rsa-encr does not use a CA but requires each peer's RSA public key to be configured manually on the other peer.
Note: A CA is a third-party entity responsible for issuing and revoking digital certificates. Each device that holds its own certificate and the public key of the CA can authenticate any other device within the same CA domain.

The group {Diffie-Hellman group} ISAKMP subcommand defines the size of the modulus used for the Diffie-Hellman calculation. Group 1 is 768 bits long, group 2 is 1024 bits long, and group 5 is 1536 bits long. The higher-numbered groups are significantly more CPU intensive but are stronger than the lower-numbered groups. The default is group 1. Groups 1, 2 and 5 (like DES, 3DES and MD5) are no longer considered adequate; on IOS releases that support them, prefer AES, SHA-2 and group 14 (2048-bit) or higher.

It is possible to specify up to six transform sets for a particular crypto map entry and let the peers negotiate a mutually acceptable transform. The transform sets are listed in order of preference (highest priority first), so a weak set listed first will be used whenever the peer supports it.
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CMAP-Site2 1 ipsec-isakmp
 description *** IPsec Tunnel to RT2 ***
 set peer 10.10.10.2
 set transform-set ESP-DES-MD5 ESP-3DES-SHA
 match address 102
!
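The strength of the tunnel is decided by the weakest ISAKMP policy and transform set that the peer is willing to accept, which is easy to lose track of once several policies and transform sets coexist. The following audit script is an added example and is not part of the original post: it parses an IOS running-config in the format shown above and reports policies, transform sets and crypto map entries that still use DES, 3DES, MD5 or DH groups below 2048 bits. The sample configuration is constructed for the example (RT1's policy 1 and transform sets from the post plus a hypothetical stronger policy 10 and transform set ESP-AES-SHA256); the IOS defaults it fills in for unset ISAKMP settings (encr des, hash sha, authentication rsa-sig, group 1) are the documented IOS defaults.

```python
import re
from typing import Dict, List, Tuple

WEAK_IKE_ENCR = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768/1024/1536-bit MODP, all below 2048 bits
WEAK_ESP_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
# Transforms that give the IPsec SA an integrity check (HMAC, AH or AEAD)
INTEGRITY_TRANSFORMS = {
    "esp-md5-hmac", "esp-sha-hmac", "esp-sha256-hmac", "esp-sha384-hmac",
    "esp-sha512-hmac", "ah-md5-hmac", "ah-sha-hmac", "esp-gcm", "esp-gmac",
}

# Constructed sample config: the post's RT1 policy 1 and transform sets,
# plus a hypothetical policy 10 / ESP-AES-SHA256 for contrast.
SAMPLE_CONFIG = """\
hostname RT1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key CISCO-1234 address 10.10.10.2
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA256 esp-aes 256 esp-sha256-hmac
!
crypto map CMAP-Site2 1 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set ESP-DES-MD5 ESP-3DES-SHA
 match address 102
"""


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS config text into (top-level command, list of subcommands).
    IOS indents subcommands by one space and uses '!' as a separator."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Return each ISAKMP policy with IOS defaults filled in for unset settings."""
    policies: Dict[int, Dict[str, str]] = {}
    for cmd, subs in parse_sections(config):
        m = re.fullmatch(r"crypto isakmp policy (\d+)", cmd)
        if not m:
            continue
        pol = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
        for sub in subs:
            parts = sub.split()
            if parts[0] in pol:
                pol[parts[0]] = parts[1]
        policies[int(m.group(1))] = pol
    return policies


def parse_transform_sets(config: str) -> Dict[str, List[str]]:
    """Map transform-set name -> transform names (key sizes such as '256' dropped)."""
    sets: Dict[str, List[str]] = {}
    for cmd, _ in parse_sections(config):
        parts = cmd.split()
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            sets[parts[3]] = [p for p in parts[4:] if not p.isdigit()]
    return sets


def parse_crypto_map_transform_sets(config: str) -> Dict[str, List[str]]:
    """Map 'NAME SEQ' of each ipsec-isakmp crypto map entry -> offered sets, in order."""
    entries: Dict[str, List[str]] = {}
    for cmd, subs in parse_sections(config):
        m = re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp", cmd)
        if not m:
            continue
        for sub in subs:
            parts = sub.split()
            if parts[:2] == ["set", "transform-set"]:
                entries[f"{m.group(1)} {m.group(2)}"] = parts[2:]
    return entries


def audit(config: str) -> List[str]:
    """Return one finding string per weak setting found in the config."""
    findings: List[str] = []
    for prio, pol in sorted(parse_isakmp_policies(config).items()):
        if pol["encr"] in WEAK_IKE_ENCR:
            findings.append(f"isakmp policy {prio}: weak encryption {pol['encr']}")
        if pol["hash"] in WEAK_IKE_HASH:
            findings.append(f"isakmp policy {prio}: weak hash {pol['hash']}")
        if pol["group"] in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {prio}: weak DH group {pol['group']}")
    tsets = parse_transform_sets(config)
    for name, transforms in tsets.items():
        for t in transforms:
            if t in WEAK_ESP_TRANSFORMS:
                findings.append(f"transform-set {name}: weak transform {t}")
        if not any(t in INTEGRITY_TRANSFORMS for t in transforms):
            findings.append(f"transform-set {name}: no integrity transform")
    # A crypto map entry is only as strong as the weakest set it offers
    for entry, offered in parse_crypto_map_transform_sets(config).items():
        for name in offered:
            if any(t in WEAK_ESP_TRANSFORMS for t in tsets.get(name, [])):
                findings.append(f"crypto map {entry}: offers weak transform-set {name}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run against RT1's configuration the script flags policy 1 (3DES, group 2), both transform sets that the crypto map offers, and the crypto map entry itself, while the hypothetical policy 10 and ESP-AES-SHA256 pass; the same parser can be pointed at a saved "show running-config" to check the peer side as well.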
