IPSec Site-to-Site VPN

In this post, I will show you how to set up a site-to-site VPN using IPSec. I read up on IPSec and its two tunnels, IKE Phase 1 (management) and IKE Phase 2 (data), and thought the best way to understand it was to build a lab.

Lab Topology

[Screenshot: lab topology]

Above is the lab that I set up. A few things to know.

I am using BGP between R1-R2-R3. R1 is Site1 and R3 is Site2. R2 is the Internet. I'm not going to go through setting up the eBGP peerings, but the main thing once they are configured is that you can ping from Site1's public IP address to Site2's public IP address. If you would like the configuration files for the basic setup, including eBGP, let me know and I will share them with you.

Lab Objectives:

  1. Set up the IKE Phase 1 tunnel using the following parameters:
  • Hashing = SHA
  • Authentication = pre-shared key
  • DH Group = 5
  • Lifetime = default
  • Encryption = AES-128

  2. Set up the IKE Phase 2 tunnel using the following parameters:
  • Create a transform set using esp-des and esp-md5-hmac
  • Create a crypto map with the peer address that references the transform set and the access-list
  • Create an access-list to identify the interesting traffic to encrypt over the IPSec tunnel

Lab Configuration

With connectivity already in place, we should be able to ping each site's public IP address across the Internet.

Site 1:

Site1#ping 96.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 96.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms

Site 2:

Site2#ping 86.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 86.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/40 ms

Also, we should try to ping each LAN PC. This is to show that at the moment we have no way of reaching each site's LAN, but once we set up IPSec our data will be encapsulated and encrypted between the public addresses.

PC1 (Site 1)

No dice, as expected!

PC1> ping 196.168.1.2
196.168.1.2 icmp_seq=1 timeout
196.168.1.2 icmp_seq=2 timeout
196.168.1.2 icmp_seq=3 timeout
196.168.1.2 icmp_seq=4 timeout
196.168.1.2 icmp_seq=5 timeout

PC2 (Site 2)

Same result!

PC2> ping 172.16.0.2
172.16.0.2 icmp_seq=1 timeout
172.16.0.2 icmp_seq=2 timeout
172.16.0.2 icmp_seq=3 timeout
172.16.0.2 icmp_seq=4 timeout
172.16.0.2 icmp_seq=5 timeout

IKE Phase 1

Keeping the lab objectives in mind, let's set up each of the IKE Phase 1 requirements.

First, we need to set up an ISAKMP policy.

Site1(config)#crypto isakmp policy 1

A good way to remember what parameters can be set in IKE Phase 1 is the word HAGLE.

H = Hash
A = Authentication
G = DH Group
L = Lifetime
E = Encryption

Site1(config-isakmp)#hash sha
Site1(config-isakmp)#authentication pre-share
Site1(config-isakmp)#group 5
Site1(config-isakmp)#encryption aes 128

I left the lifetime of the tunnel at the default for this lab. Note that the parameters need to match on both sites for the IKE Phase 1 tunnel to come up.

The next step is to set the pre-shared key that will be used between the two sites. Let's use mrrobot.

Site1(config)#crypto isakmp key mrrobot address 96.1.1.1

Here we have entered the shared key to use and the peer address we want to use it with, in our case Site 2.

IKE Phase 2

This tunnel is the IPSec tunnel that will be used to encrypt user data.

Site1(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac

Here we create a transform-set named myset that uses esp-des for encryption (weak, very weak, but it will do for the lab) and esp-md5-hmac for hashing and integrity.

Next, we will set up a crypto map.

Site1(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Site1(config-crypto-map)#set peer 96.1.1.1
Site1(config-crypto-map)#set transform-set myset
Site1(config-crypto-map)#match address 100
Site1(config-crypto-map)#exit

Here we are telling the crypto map called mymap which peer to set up the tunnel with, which transform set to use and which interesting traffic to match.

Next, set up the access-list that the crypto map references.

Site1(config)#access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255

With this access-list we are telling it to match traffic from the Site 1 LAN with a destination of the Site 2 LAN; any other traffic that does not match this access-list will be sent unencrypted.

Lastly, we need to apply the crypto map to the public-facing interface.

Site1(config)#int fa0/0
Site1(config-if)#crypto map mymap
*Mar 1 01:12:06.375: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

OK, that is everything we need to configure on Site 1 for IPSec. I am not going to go through the same for Site 2, as it is pretty much the same but in reverse.
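As an added example (not code from the post), here is a small Python pre-check that parses the Site 1 configuration above together with an assumed Site 2 mirror of it (built by swapping the addresses), and reports the things that stop the tunnel from coming up: Phase 1 HAGE parameters that differ, a crypto ACL that is not the mirror of the other side's, and a pre-shared key bound to a different address than the crypto map peer. It also flags the DES/MD5 transforms the post itself calls weak.

```python
import re
# Constructed sample configs: Site 1 as in this post, Site 2 as its assumed mirror.
SITE1 = """crypto isakmp policy 1
 hash sha
 authentication pre-share
 group 5
 encryption aes 128
crypto isakmp key mrrobot address 96.1.1.1
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 96.1.1.1
 set transform-set myset
 match address 100
access-list 100 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255"""
SITE2 = SITE1.replace("96.1.1.1", "86.1.1.1").replace(
    "172.16.0.0 0.0.0.255 192.168.0.0", "192.168.0.0 0.0.0.255 172.16.0.0")

def parse(cfg):
    """Pull the Phase 1 HAGE values, key address, peer, transforms and crypto ACL from a config."""
    d = {"policy": {}, "peer": None, "key_addr": None, "transform": [], "acl": None}
    for line in (raw.strip() for raw in cfg.splitlines()):
        # Lifetime is skipped on purpose: IOS negotiates it down to the shorter value.
        if m := re.match(r"(hash|authentication|group|encryption) (.+)", line):
            d["policy"][m.group(1)] = m.group(2)
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            d["key_addr"] = m.group(1)
        if m := re.match(r"set peer (\S+)", line):
            d["peer"] = m.group(1)
        if m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            d["transform"] = sorted(m.group(1).split())
        if m := re.match(r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", line):
            d["acl"] = (m.group(1), m.group(2))  # (source, destination)
    return d

def check_pair(cfg_a, cfg_b):
    """List what would stop the tunnel coming up, or leave it weak."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for key in sorted(set(a["policy"]) | set(b["policy"])):
        if a["policy"].get(key) != b["policy"].get(key):
            problems.append(f"phase1 {key} mismatch: {a['policy'].get(key)} vs {b['policy'].get(key)}")
    if a["transform"] != b["transform"]:
        problems.append("phase2 transform-set mismatch")
    for side in (a, b):
        if side["peer"] != side["key_addr"]:
            problems.append(f"key address {side['key_addr']} differs from set peer {side['peer']}")
    if a["acl"] is None or b["acl"] is None or a["acl"] != b["acl"][::-1]:
        problems.append("crypto ACL is not mirrored between the sites")
    problems += [f"weak transform {t}" for t in a["transform"] if t in ("esp-des", "esp-md5-hmac")]
    return problems
```

Run `check_pair(SITE1, SITE2)` on the two lab configs and only the two weak-transform warnings come back; change `group 5` to `group 2` on one side and the Phase 1 mismatch is reported first.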

Testing

So let's test this out to see if it works. If it does, the traffic that we tried to send earlier from Site 1's LAN should now get through.

Ping from PC1 to PC2

PC1> ping 192.168.0.2
192.168.0.2 icmp_seq=1 timeout
192.168.0.2 icmp_seq=2 timeout
84 bytes from 192.168.0.2 icmp_seq=3 ttl=62 time=36.000 ms
84 bytes from 192.168.0.2 icmp_seq=4 ttl=62 time=39.000 ms
84 bytes from 192.168.0.2 icmp_seq=5 ttl=62 time=43.000 ms

Success! The first two packets that failed could be due to ARP and/or the time it took for the two tunnels to be built.

And just to show the other side is also working.

PC2> ping 172.16.0.2
84 bytes from 172.16.0.2 icmp_seq=1 ttl=62 time=36.000 ms
84 bytes from 172.16.0.2 icmp_seq=2 ttl=62 time=42.000 ms
84 bytes from 172.16.0.2 icmp_seq=3 ttl=62 time=50.000 ms
84 bytes from 172.16.0.2 icmp_seq=4 ttl=62 time=49.000 ms
84 bytes from 172.16.0.2 icmp_seq=5 ttl=62 time=46.000 ms

Show commands

IKE Phase 1 Tunnel

Site1#show crypto isakmp sa

dst         src         state     conn-id   slot   status
86.1.1.1    96.1.1.1    QM_IDLE   1         0      ACTIVE

Here we see that we have an IKE Phase 1 tunnel active.

IKE Phase 2 Tunnel

Site1#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: mymap, local addr 86.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 96.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 86.1.1.1, remote crypto endpt.: 96.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xD796A48B(3616973963)

There is a lot more information in the IPSec output. We can see which interface the crypto map is on, the local and remote addresses that are being encrypted, the current peer, and the number of packets sent and the number encrypted.

eBGP Configuration

As requested by Muadiv, here is the BGP configuration on each router for this lab.

Site 1:

router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor 86.1.1.2 remote-as 2
no auto-summary

Internet Router:

router bgp 2
no synchronization
bgp log-neighbor-changes
network 86.1.1.0 mask 255.255.255.0
network 96.1.1.0 mask 255.255.255.0
neighbor 86.1.1.1 remote-as 1
neighbor 96.1.1.1 remote-as 3
no auto-summary

Site 2:

router bgp 3
no synchronization
bgp log-neighbor-changes
neighbor 96.1.1.2 remote-as 2
no auto-summary