
Configuring Site-to-Site VPN with Pre-shared Keys

Learn how to configure a PIX Security Appliance for a Site-to-Site VPN using Pre-shared Keys and IPsec encryption.

rhard




Presentation Transcript


  1. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys

  2. Module 4: Configuring Site to Site VPN with Pre-shared keys Lesson 4.5 Configure a PIX Security Appliance Site-to-Site VPN using Pre-shared Keys

  3. IPsec Configuration Tasks

  4. Configuring IPsec Encryption
     • Task 1: Prepare to configure VPN support.
     • Task 2: Configure IKE parameters.
     • Task 3: Configure IPsec parameters.
     • Task 4: Test and verify VPN configuration.

  5. Task 1: Prepare to Configure VPN Support

  6. Task 1: Prepare for IKE and IPsec
     • Step 1: Determine the IKE (IKE Phase 1) policy.
     • Step 2: Determine the IPsec (IKE Phase 2) policy.
     • Step 3: Ensure that the network works without encryption.
     • Step 4: (Optional) Implicitly permit IPsec packets to bypass security appliance ACLs and access groups.

  7. Determine IKE Phase 1 Policy
     [Topology diagram: Site 1 with Security Appliance 1 and Site 2 with Security Appliance 2, joined across the Internet; labels shown: 10.0.1.11, 10.0.2.11, Gig0/0 192.168.1.1, Gig0/0 192.168.2.2]

  8. Determine IPsec (IKE Phase 2) Policy
     [Topology diagram as on slide 7]

  9. Task 2: Configure IKE Parameters

  10. Task 2: Configure IKE
      • Step 1: Enable or disable IKE.
      • Step 2: Configure IKE Phase 1 policy.
      • Step 3: Configure a tunnel group.
      • Step 4: Configure the tunnel group attributes (pre-shared key).
      • Step 5: Verify IKE Phase 1 policy.

  11. Enable or Disable IKE
      • Enables or disables IKE on the security appliance interfaces
      • Disable IKE on interfaces not used for IPsec
      [Topology diagram as on slide 7]
      ciscoasa(config)# isakmp enable interface-name
      asa1(config)# isakmp enable outside

  12. Configure IKE Phase 1 Policy
      [Topology diagram as on slide 7]
      asa1(config)# isakmp policy 10
      asa1(config-isakmp-policy)# encryption des
      asa1(config-isakmp-policy)# hash sha
      asa1(config-isakmp-policy)# authentication pre-share
      asa1(config-isakmp-policy)# group 1
      asa1(config-isakmp-policy)# lifetime 86400
      • Creates a policy suite grouped by priority number
      • Creates policy suites that match peers
      • Can use default values

  13. Configure a Tunnel Group
      • Set of records that contain tunnel connection policies
      • Can be configured to identify AAA servers, specify connection parameters, and define a default group policy
      • Two default tunnel groups on the PIX:
        • DefaultRAGroup, the default IPsec remote-access tunnel group
        • DefaultL2LGroup, the default IPsec LAN-to-LAN tunnel group
      • Default groups can be changed but not deleted
      • Used for default tunnel parameters for remote access and LAN-to-LAN tunnel groups when there is no specific tunnel group

  14. Configure a Tunnel Group
      [Topology diagram as on slide 7, with callouts "Tunnel Group 192.168.1.2 LAN-to-LAN" and "Tunnel Group 192.168.6.2 LAN-to-LAN"]
      ciscoasa(config)# tunnel-group name type type
        name: names the tunnel group
        type: defines the type of VPN connection that is to be established
      asa1(config)# tunnel-group 192.168.2.2 type ipsec-l2l

  15. Configuring Tunnel Groups: General Attributes
      [Topology diagram as on slide 7, with callouts "Tunnel Group 192.168.1.2 L2L" and "Tunnel Group 192.168.6.2 L2L"]
      ciscoasa(config)# tunnel-group name general-attributes
      • Places you in tunnel group general attribute configuration mode
      asa1(config)# tunnel-group 192.168.2.2 general-attributes
      asa1(config-tunnel-general)# default-group-policy OURPOLICY
      • Sets the default group policy

  16. Configuring Tunnel Groups: IPsec Attributes
      [Topology diagram as on slide 7, with callouts "Tunnel Group 192.168.6.2 L2L", "Tunnel Group 192.168.1.2 L2L" and "isakmp key cisco123" on each side]
      ciscoasa(config)# tunnel-group name ipsec-attributes
      • Places you in tunnel group IPsec attribute configuration mode
      asa1(config)# tunnel-group 192.168.2.2 ipsec-attributes
      asa1(config-tunnel-ipsec)# pre-shared-key cisco123
      asa2(config)# tunnel-group 192.168.1.2 ipsec-attributes
      asa2(config-tunnel-ipsec)# pre-shared-key cisco123
      • Associates a pre-shared key with the connection policy; the same key is configured on both peers

  17. Verify IKE Phase 1 Policy
      [Topology diagram as on slide 7]
      • Displays configured and default IKE protection suites
      asa1# show run crypto isakmp
      isakmp identity address
      isakmp enable outside
      isakmp policy 10
       authentication pre-share
       encryption 3des
       hash sha
       group 2
       lifetime 86400

  18. Task 3: Configure IPsec Parameters

  19. Task 3: Configure IPsec
      • Step 1: Configure interesting traffic: NAT 0 and ACL.
        • access-list 101 permit
        • nat 0
      • Step 2: Configure IPsec transform set suites.
        • crypto ipsec transform-set
      • Step 3: Configure the crypto map.
        • crypto map
      • Step 4: Apply the crypto map.
        • crypto map map-name interface interface-name

  20. Configuring Interesting Traffic: Crypto ACLs
      [Topology diagram as on slide 7, with callout "10.0.1.X  Encrypt  10.0.2.X"]
      Security Appliance 1 (asa1)
      asa1(config)# access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
      Security Appliance 6 (asa6)
      asa6(config)# access-list 101 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
      • Lists are symmetrical, i.e. mirror images of each other.
      • permit = encrypt
      • deny = do not encrypt

  21. NAT 0 and Interesting Traffic
      [Topology diagram as on slide 7, with callouts "10.0.1.11 Do Not Translate" and "10.0.2.11 Do Not Translate"]
      asa1(config)# nat (inside) 0 access-list 101
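Slides 20 and 21 hinge on one detail that is easy to get wrong by hand: the crypto ACL on each peer must be the mirror image of the other's, and on asa1 the same ACL 101 also drives NAT exemption, so a typo in it breaks both traffic selection and translation. The following Python script, an added example that is not part of the course material, parses ACL lines of the form shown on slide 20 from each peer's configuration and reports any entry the other side does not mirror. Note that PIX/ASA ACLs take subnet masks (255.255.255.0), not IOS-style wildcard masks; the script normalises them with the `ipaddress` module. The configuration snippets in the block are constructed for illustration.

```python
"""Check that two peers' crypto ACLs are mirror images of each other.

Added example for this page, not code from the course: it parses
"access-list <id> permit|deny ip <src> <mask> <dst> <mask>" lines of the
form shown on slide 20 (the same ACL that "nat (inside) 0 access-list 101"
reuses on slide 21) and reports entries that the other peer does not
mirror. The configuration snippets below are constructed for illustration.
"""
import ipaddress
import re
from typing import List, NamedTuple, Tuple


class AclEntry(NamedTuple):
    """One crypto ACL line, normalised so '10.0.1.0 255.255.255.0' equals 10.0.1.0/24."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


_ACL_RE = re.compile(
    r"^\s*access-list\s+(?P<id>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+ip\s+(?P<rest>.+?)\s*$"
)


def _take_endpoint(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK' (subnet mask, not wildcard)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(config_text: str, acl_id: str) -> List[AclEntry]:
    """Return the entries of ACL `acl_id` in the order they appear in `config_text`."""
    entries = []
    for line in config_text.splitlines():
        m = _ACL_RE.match(line)
        if not m or m.group("id") != acl_id:
            continue
        tokens = m.group("rest").split()
        src, tokens = _take_endpoint(tokens)
        dst, _ = _take_endpoint(tokens)
        entries.append(AclEntry(m.group("action"), src, dst))
    return entries


def unmirrored_entries(local: List[AclEntry], remote: List[AclEntry]) -> List[AclEntry]:
    """Entries of `local` whose source/destination swap is absent from `remote`."""
    remote_set = set(remote)
    return [e for e in local if AclEntry(e.action, e.dst, e.src) not in remote_set]


def acls_are_mirrors(local: List[AclEntry], remote: List[AclEntry]) -> bool:
    """True when every entry on each peer has its mirror image on the other peer."""
    return not unmirrored_entries(local, remote) and not unmirrored_entries(remote, local)


# Constructed snippets: asa1 and its peer as on slide 20, plus a mistyped peer variant.
ASA1_CONFIG = "access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0\n"
ASA2_CONFIG = "access-list 101 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0\n"
ASA2_MISTYPED_CONFIG = "access-list 101 permit ip 10.0.2.0 255.255.255.0 10.0.3.0 255.255.255.0\n"

if __name__ == "__main__":
    asa1 = parse_crypto_acl(ASA1_CONFIG, "101")
    for label, text in (("asa2", ASA2_CONFIG), ("asa2 (mistyped)", ASA2_MISTYPED_CONFIG)):
        peer = parse_crypto_acl(text, "101")
        print(f"asa1 <-> {label}: mirrors={acls_are_mirrors(asa1, peer)}")
        for e in unmirrored_entries(asa1, peer):
            print(f"  asa1 entry not mirrored on {label}: {e.action} {e.src} -> {e.dst}")
```

Run it against `show run access-list` output from both appliances; a non-empty result from `unmirrored_entries` in either direction means one side will try to encrypt traffic that the other side will not decrypt, which shows up later as SAs that never establish under `show crypto ipsec sa`.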

  22. Configure an IPsec Transform Set
      • Sets are limited to two transforms
      • Default mode is Tunnel
      • Configures matching sets between IPsec peers
      [Topology diagram as on slide 7]
      ciscoasa(config)# crypto ipsec transform-set transform-set-name transform1 [transform2]
      asa1(config)# crypto ipsec transform-set ASA2 esp-des esp-md5-hmac

  23. Available IPsec Transforms
      [Topology diagram as on slide 7]
      esp-des        ESP transform using DES cipher (56 bits)
      esp-3des       ESP transform using 3DES cipher (168 bits)
      esp-aes        ESP transform using AES-128 cipher
      esp-aes-192    ESP transform using AES-192 cipher
      esp-aes-256    ESP transform using AES-256 cipher
      esp-md5-hmac   ESP transform using HMAC-MD5 authentication
      esp-sha-hmac   ESP transform using HMAC-SHA authentication
      esp-none       ESP with no authentication
      esp-null       ESP with null encryption
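The IKE policy on slide 12 (DES, DH group 1) and the transform set on slide 22 (esp-des esp-md5-hmac) are lab values; in a real deployment a reviewer would want to spot them, along with esp-none and esp-null from the table above, before the tunnel goes live. The following Python script, an added example rather than course material, parses `isakmp policy` blocks in the layout of slide 17 and `crypto ipsec transform-set` lines and returns a list of findings. The strength classification tables and the sample configuration are assumptions of this example; in particular, the hardened policy 20 uses `encryption aes-256` and `group 14`, which are assumed to be supported by the software version in use.

```python
"""Flag weak IKE Phase 1 policy and IPsec transform-set choices in ASA config text.

Added example for this page, not code from the course: it parses the
"isakmp policy" blocks (slides 12 and 17) and "crypto ipsec transform-set"
lines (slides 22 and 23) and returns a list of findings. The classification
tables and the sample configuration are this example's own assumptions.
"""
import re

# Strength classification used by this audit (an assumption of the example).
WEAK_IKE_ENCRYPTION = {
    "des": "56-bit DES",
    "3des": "3DES, 64-bit block cipher, deprecated",
}
WEAK_IKE_HASH = {"md5": "MD5"}
WEAK_DH_GROUPS = {"1": "768-bit MODP", "2": "1024-bit MODP"}
WEAK_ESP_TRANSFORMS = {
    "esp-des": "56-bit DES",
    "esp-3des": "3DES, 64-bit block cipher, deprecated",
    "esp-md5-hmac": "HMAC-MD5",
    "esp-none": "no ESP authentication",
    "esp-null": "null encryption (cleartext payload)",
}

# "isakmp policy N" on 7.x, "crypto isakmp policy N" on later releases.
_POLICY_RE = re.compile(r"^(?:crypto\s+)?isakmp policy (\d+)$")
_TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+)$")
_POLICY_ATTRS = ("encryption", "hash", "authentication", "group", "lifetime")


def parse_config(text):
    """Return ({priority: {attr: value}}, {set_name: [transforms]}) from config text."""
    policies, transform_sets = {}, {}
    current = None  # attribute dict of the isakmp policy block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _POLICY_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        m = _TS_RE.match(line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
            current = None
            continue
        parts = line.split()
        if current is not None and parts[0] in _POLICY_ATTRS and len(parts) == 2:
            current[parts[0]] = parts[1]
        else:
            current = None  # any other line ends the policy block
    return policies, transform_sets


def audit(policies, transform_sets):
    """Return human-readable findings; an empty list means nothing weak was found."""
    findings = []
    for prio in sorted(policies, key=int):
        attrs = policies[prio]
        enc, hsh, grp = attrs.get("encryption"), attrs.get("hash"), attrs.get("group")
        if enc in WEAK_IKE_ENCRYPTION:
            findings.append(f"isakmp policy {prio}: encryption {enc} is {WEAK_IKE_ENCRYPTION[enc]}")
        if hsh in WEAK_IKE_HASH:
            findings.append(f"isakmp policy {prio}: hash {hsh} is {WEAK_IKE_HASH[hsh]}")
        if grp in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {prio}: group {grp} is {WEAK_DH_GROUPS[grp]}")
    for name, transforms in transform_sets.items():
        for t in transforms:
            if t in WEAK_ESP_TRANSFORMS:
                findings.append(f"transform-set {name}: {t} is {WEAK_ESP_TRANSFORMS[t]}")
        # A set with only an encryption transform gives confidentiality but no integrity.
        if "esp-none" not in transforms and not any(t.endswith("-hmac") for t in transforms):
            findings.append(f"transform-set {name}: no ESP authentication transform")
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit in one call."""
    return audit(*parse_config(text))


# Constructed sample: the slide 12 and slide 22 values next to a hardened alternative.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec transform-set ASA2 esp-des esp-md5-hmac
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
"""

if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show run crypto isakmp` and `show run ipsec` from the verification slides; policy 10 and transform set ASA2 from the course produce four findings, while policy 20 and the STRONG set produce none.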

  24. Configure the Crypto Map
      • Specifies IPsec (IKE Phase 2) parameters
      • Maps names and sequence numbers of group entries into a policy
      [Topology diagram as on slide 7]
      asa1(config)# crypto map ASA1MAP 10 match address 101
      asa1(config)# crypto map ASA1MAP 10 set peer 192.168.2.2
      asa1(config)# crypto map ASA1MAP 10 set transform-set ASA2
      asa1(config)# crypto map ASA1MAP 10 set security-association lifetime seconds 28800

  25. Apply the Crypto Map to an Interface
      • Applies the crypto map to an interface
      • Activates IPsec policy
      [Topology diagram as on slide 7]
      ciscoasa(config)# crypto map map-name interface interface-name
      asa1(config)# crypto map ASA1MAP interface outside

  26. Example: Crypto Map for Security Appliance 1
      [Topology diagram as on slide 7]
      Security Appliance 1 (asa1)
      asa1# show run crypto map
      crypto map ASA1MAP 10 match address 101
      crypto map ASA1MAP 10 set peer 192.168.2.2
      crypto map ASA1MAP 10 set transform-set ASA2
      crypto map ASA1MAP interface outside

  27. Example: Crypto Map for Security Appliance 2
      [Topology diagram as on slide 7]
      Security Appliance 2 (asa2)
      asa2# show run crypto map
      crypto map ASA1MAP 10 match address 101
      crypto map ASA1MAP 10 set peer 192.168.1.2
      crypto map ASA1MAP 10 set transform-set ASA1
      crypto map ASA1MAP interface outside
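A crypto map entry is only a set of references: the ACL it matches (slide 20), the transform set it uses (slide 22), the peer whose L2L tunnel group holds the pre-shared key (slides 14 and 16), and the interface it is bound to (slide 25). Any one of those not existing leaves the map silently ineffective or falls back to defaults such as DefaultL2LGroup (slide 13). The following Python script, an added example and not course material, reads one appliance's configuration and reports dangling references. Both sample configurations are constructed; the `interface`/`nameif` lines are assumed, since the slides only name the interface "outside", and the second sample deliberately references a transform set that was never defined.

```python
"""Check that an ASA crypto map's references resolve and that the map is bound to an interface.

Added example for this page, not code from the course: it reads one
appliance's configuration in the form shown on slides 14, 20, 22 and 24 to 27
and reports dangling references. Both sample configurations are constructed;
the interface/nameif lines are assumed, since the slides only show "outside".
"""
import re

# Objects a crypto map entry may refer to, keyed by the kind of definition.
_DEFINITION_RES = {
    "acl": re.compile(r"^access-list (\S+) (?:extended )?(?:permit|deny) "),
    "transform-set": re.compile(r"^crypto ipsec transform-set (\S+) "),
    "tunnel-group": re.compile(r"^tunnel-group (\S+) type ipsec-l2l$"),
    "interface": re.compile(r"^nameif (\S+)$"),
}
_MAP_ENTRY_RE = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$"
)
_MAP_BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_objects(text):
    """Return (defined names by kind, crypto map entries, map-to-interface bindings)."""
    defined = {kind: set() for kind in _DEFINITION_RES}
    entries = {}   # map name -> {sequence: {attribute: value}}
    bindings = {}  # map name -> interface name
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in _DEFINITION_RES.items():
            m = rx.match(line)
            if m:
                defined[kind].add(m.group(1))
        m = _MAP_ENTRY_RE.match(line)
        if m:
            name, seq, attr, value = m.groups()
            entries.setdefault(name, {}).setdefault(seq, {})[attr] = value
        m = _MAP_BIND_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
    return defined, entries, bindings


def check_crypto_maps(text):
    """Return a list of problems; an empty list means every reference resolves."""
    defined, entries, bindings = parse_objects(text)
    problems = []
    for name, seqs in entries.items():
        if name not in bindings:
            problems.append(f"crypto map {name} is not applied to any interface")
        elif bindings[name] not in defined["interface"]:
            problems.append(f"crypto map {name} is applied to unknown interface {bindings[name]}")
        for seq, attrs in sorted(seqs.items(), key=lambda kv: int(kv[0])):
            acl = attrs.get("match address")
            if acl is None:
                problems.append(f"{name} {seq}: no match address (no interesting traffic selected)")
            elif acl not in defined["acl"]:
                problems.append(f"{name} {seq}: ACL {acl} is not defined")
            peer = attrs.get("set peer")
            if peer is None:
                problems.append(f"{name} {seq}: no peer set")
            elif peer not in defined["tunnel-group"]:
                problems.append(f"{name} {seq}: no ipsec-l2l tunnel-group named {peer}; DefaultL2LGroup would apply")
            ts = attrs.get("set transform-set")
            if ts is None:
                problems.append(f"{name} {seq}: no transform-set set")
            elif ts not in defined["transform-set"]:
                problems.append(f"{name} {seq}: transform-set {ts} is not defined")
    return problems


# Constructed sample for asa1, consistent with slides 14, 20, 22 and 26.
ASA1_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto ipsec transform-set ASA2 esp-des esp-md5-hmac
tunnel-group 192.168.2.2 type ipsec-l2l
crypto map ASA1MAP 10 match address 101
crypto map ASA1MAP 10 set peer 192.168.2.2
crypto map ASA1MAP 10 set transform-set ASA2
crypto map ASA1MAP interface outside
"""

# Constructed sample for asa2 following slide 27, where the map names transform
# set ASA1 but only ASA2 is defined, so the reference dangles.
ASA2_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
access-list 101 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
crypto ipsec transform-set ASA2 esp-des esp-md5-hmac
tunnel-group 192.168.1.2 type ipsec-l2l
crypto map ASA1MAP 10 match address 101
crypto map ASA1MAP 10 set peer 192.168.1.2
crypto map ASA1MAP 10 set transform-set ASA1
crypto map ASA1MAP interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("asa1", ASA1_CONFIG), ("asa2", ASA2_CONFIG)):
        print(label, check_crypto_maps(cfg) or "ok")
```

The check is per appliance and complements the ACL mirror check between appliances: run it on the full `show run` of each peer after Task 3 and before moving on to the SA verification commands of Task 4.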

  28. Task 4: Test and Verify VPN Configuration

  29. Task 4: Test and Verify VPN Configuration
      • Verify ACLs and interesting traffic.
        • show run access-list
      • Verify correct IKE configuration.
        • show run isakmp
        • show run tunnel-group
      • Verify correct IPsec configuration.
        • show run ipsec
      • Verify IPsec and ISAKMP SAs.
        • show crypto ipsec sa
        • show crypto isakmp sa

  30. Task 4: Test and Verify VPN Configuration (Cont.)
      • Verify correct crypto map configuration.
        • show run crypto map
      • Clear IPsec SA.
        • clear crypto ipsec sa
      • Clear IKE SA.
        • clear crypto isakmp sa
      • Debug IKE and IPsec traffic through the security appliance.
        • debug crypto ipsec
        • debug crypto isakmp

  31. Q and A
