Site-to-site VPN provides secure transmission of data, voice or video traffic between two locations over the public Internet. This is achieved by applying suitable encryption algorithms to ensure the confidentiality of all traffic transmitted.
IPSec can be configured in tunnel mode or transport mode. IPSec tunnel mode can be used as an alternative to a GRE tunnel, or in conjunction with one. In IPSec tunnel mode, the entire original IP datagram is encrypted and becomes the payload of a new IP packet. This mode allows a network device, such as a router, to act as an IPSec proxy: the router performs encryption on behalf of the hosts. The source router encrypts packets and forwards them along the IPSec tunnel; the destination router decrypts the original IP datagram and forwards it on to the destination system. Tunnel mode protects against traffic analysis: an attacker can only determine the tunnel endpoints, not the true source and destination of the packets passing through the tunnel, even if they are the same as the tunnel endpoints.
In IPSec transport mode, only the IP payload is encrypted and the original IP headers are left intact. This mode has the advantage of adding only a few bytes to each packet. It also allows devices on the public network to see the final source and destination of the packet, so special processing can be enabled in the intermediate network based on the information in the IP header. However, the Layer 4 header is encrypted, which limits examination of the packet. The drawback is that by passing the IP header in the clear, transport mode allows an attacker to perform some traffic analysis.
On this blog I have emulated two distant offices in GNS3. Below is the network topology for this laboratory exercise.
ISAKMP (the Internet Security Association and Key Management Protocol) and the IPSec protocol build and encrypt the VPN tunnel. ISAKMP provides the negotiation protocol that the two routers use to build security associations. ISAKMP, also known as Internet Key Exchange (IKE), negotiation consists of Phase 1 and Phase 2.
Phase 1: The basic purpose of IKE phase one is to authenticate the IPSec peers and to set up a secure tunnel between the peers to enable IKE exchanges. Functions of IKE Phase 1:
- Authenticates and protects the identities of the IPSec peers
- Negotiates a matching IKE SA policy between peers to protect the IKE exchange
- Performs an authenticated Diffie-Hellman exchange with the end result of having matching shared secret keys
- Sets up a secure tunnel to negotiate IKE phase two parameters
NOTE:
Configure Policy, Encryption, Hashing algorithm, Authentication, Group, Lifetime and Key for Phase 1. The mnemonic is PEHAGLK; personal associations can help to retain the information:
P – Hidayat (as PM he sets the policy)
E – Maylene (Mylene is encrypting)
H – Catherine (she is holding the hashing algorithm)
A – Faisal (as he is doing SAP)
G – Harris (as he was the last to join the IT group)
L – Qian Wen's lifetime is set to 86400
K – I'm holding the key
Phase 2: The purpose of IKE phase two is to negotiate IPSec SAs to set up the IPSec tunnel. IKE phase two performs the following functions:
- Negotiates IPSec SA parameters protected by an existing IKE SA
- Establishes IPSec security associations
- Periodically renegotiates IPSec SAs to ensure security
- Optionally performs an additional Diffie-Hellman exchange
NOTE: Configure Access-list, IPSec Transform-set, Crypto map and Interface for Phase 2. The mnemonic is ATCI.
Configuring the Loopback Interface and WAN Interface:
R1(config)#int fa0/1
R1(config-if)#ip add 100.100.100.1 255.255.255.0
R1(config-if)#no shut
R1(config)#int s2/0
R1(config-if)#ip add 12.12.12.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#
R2(config)#int fa0/1
R2(config-if)#ip add 200.200.200.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#
R2(config)#int s2/0
R2(config-if)#ip add 12.12.12.2 255.255.255.0
R2(config-if)#no shut
R2#ping 12.12.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/56/128 ms
R2#
Pinging PC1 from R1:
R1#ping 100.100.100.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/48/124 ms
R1#
Pinging PC2 from R2.
R2#ping 200.200.200.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/60/204 ms
R2#
Configuring the reachability of Subnets 100.100.100.0/24 and 200.200.200.0/24 via BGP.
BGP Configurations on Router 1:
R1#sh run | sec router bgp
router bgp 1
no synchronization
bgp log-neighbor-changes
network 100.100.100.0 mask 255.255.255.0
neighbor 12.12.12.2 remote-as 2
no auto-summary
BGP Configurations on Router 2:
R2#sh run | sec router bgp
router bgp 2
no synchronization
bgp log-neighbor-changes
network 200.200.200.0
neighbor 12.12.12.1 remote-as 1
no auto-summary
Check the installed BGP routing table on both R1 and R2:
R2#sh ip bgp
BGP table version is 3, local router ID is 200.200.200.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 100.100.100.0/24 12.12.12.1               0             0 1 i
*> 200.200.200.0    0.0.0.0                  0         32768 i
R1#sh ip bgp
BGP table version is 3, local router ID is 100.100.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 100.100.100.0/24 0.0.0.0                  0         32768 i
*> 200.200.200.0    12.12.12.2               0             0 2 i
To test the reachability between R2 and R1:
R2#ping 100.100.100.1 source 200.200.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
Packet sent with a source address of 200.200.200.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 164/212/292 ms
Router 1 Phase 1 Configurations:
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy ?
Priority of protection suite
R1(config)#crypto isakmp policy 100
R1(config-isakmp)#encryption ?
3des Three key triple DES
aes AES - Advanced Encryption Standard.
des DES - Data Encryption Standard (56 bit keys).
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash ?
md5 Message Digest 5
sha Secure Hash Standard
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication ?
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group ?
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime ?
lifetime in seconds
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#
In Summary:
- Create the ISAKMP policy
- Set the encryption
- Set the Hashing algorithm
- Set the Authentication type
- Set the DH group
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 100
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 6 secretkey address 12.12.12.2
Configuring the same for Router 2:
R2(config)#crypto isakmp policy 100
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#
R2(config)#crypto isakmp key 6 secretkey address 12.12.12.1
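IKE phase 1 only completes when both peers offer a policy whose encryption, hash, authentication method and DH group are identical (the lifetime is settled to the shorter value). The script below is an added example, not code from the post: it parses the `crypto isakmp policy` stanzas from both routers' running configurations (the sample configs are constructed from the R1/R2 configuration above), finds the first policy pair that would match, and flags the legacy choices used in this lab (3DES, MD5 and a 1024-bit DH group). The per-attribute defaults are the classic IOS defaults for attributes a policy does not set.

```python
"""Check that two Cisco IOS routers can agree on an IKE phase 1 policy.

Added example for this post (not the author's code). Parses the
'crypto isakmp policy' stanzas from both configurations, looks for the first
pair that matches on the attributes phase 1 compares, and flags legacy algorithms.
"""
import re

# Values a policy takes when it does not set an attribute (classic IOS defaults).
DEFAULTS = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

# Phase 1 requires these to be identical on both peers; the lifetime does not
# have to match (the peers settle on the shorter one).
MUST_MATCH = ("encryption", "hash", "authentication", "group")

# Legacy choices a defender would flag: single/triple DES, MD5, and DH groups
# below 2048 bits (groups 1, 2 and 5).
WEAK = {
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "group": {"1", "2", "5"},
}

# Constructed from the R1/R2 phase 1 configuration in the post.
R1_CONFIG = """\
crypto isakmp policy 100
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key 6 secretkey address 12.12.12.2
"""

R2_CONFIG = """\
crypto isakmp policy 100
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key 6 secretkey address 12.12.12.1
"""


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} for every 'crypto isakmp policy' stanza."""
    policies = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)
            continue
        if current is not None and raw.startswith(" "):
            key, _, value = raw.strip().partition(" ")
            if key in DEFAULTS:
                policies[current][key] = value.strip()
        else:
            current = None  # any unindented line ends the stanza
    return policies


def find_matching_policy(local, remote):
    """Return (local_priority, remote_priority) of the first matching pair.

    IOS offers policies in ascending priority order, so the lowest local
    number the remote can accept wins; None means phase 1 cannot complete.
    """
    for lp in sorted(local):
        for rp in sorted(remote):
            if all(local[lp][k] == remote[rp][k] for k in MUST_MATCH):
                return lp, rp
    return None


def weak_settings(policy):
    """List 'attribute=value' strings for legacy choices in one policy."""
    return sorted(f"{k}={policy[k]}" for k, bad in WEAK.items() if policy[k] in bad)


if __name__ == "__main__":
    r1 = parse_isakmp_policies(R1_CONFIG)
    r2 = parse_isakmp_policies(R2_CONFIG)
    match = find_matching_policy(r1, r2)
    print("matching policies:", match)
    if match:
        print("legacy settings in the agreed policy:", weak_settings(r1[match[0]]))
```

Run against the two lab configs it reports a match on policy 100/100 and lists `encryption=3des`, `group=2` and `hash=md5` as legacy; change one attribute on either side (for example `hash sha` on R2 only) and no policy pair matches, which is exactly the condition that leaves `show crypto isakmp sa` empty.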
Phase 2. IPSEC Configurations
To configure IPSec we need to set up the following, in order:
- Create extended ACL
- Create IPSec Transform-set
- Create Crypto Map
- Apply crypto map to the public interface
Router 1 Configurations:
Define the interesting traffic via access-list:
R1(config)#ip access-list extended 100
R1(config-ext-nacl)#1 permit ip 100.100.100.0 0.0.0.255 200.200.200.0 0.0.0.255
Create the IPSEC Transform-set (ISAKMP Phase 2 Policy):
R1(config)#crypto ipsec transform-set VPN-TS esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#
Create the Crypto-MAP:
R1(config)#crypto map VPN-MAP 100 ipsec-isakmp
R1(config-crypto-map)#set peer 12.12.12.2
R1(config-crypto-map)#set transform-set VPN-TS
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#
Apply the Crypto-Map to the Interface facing the internet.
R1(config)#int s2/0
R1(config-if)#crypto map VPN-MAP
R1(config-if)#
Router 2 Configurations:
R2(config)#ip access-list extended 100
R2(config-ext-nacl)#1 permit ip 200.200.200.0 0.0.0.255 100.100.100.0 0.0.0.255
R2(config)#crypto ipsec transform-set VPN-TS esp-3des esp-md5-hmac
R2(config)#crypto map VPN-MAP 100 ipsec-isakmp
R2(config-crypto-map)#set peer 12.12.12.1
R2(config-crypto-map)#set transform-set VPN-TS
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#
R2(config)#int s2/0
R2(config-if)#crypto map VPN-MAP
R2(config-if)#
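Two things in the phase 2 configuration have to agree across the peers: the crypto ACLs must be mirror images (R2's source/destination pair is R1's reversed), and the crypto maps must propose at least one identical transform-set. Either mismatch leaves phase 1 up but phase 2 failing. The following is an added example (not the post's or Cisco's code) that checks both from running-config text; the sample configurations are constructed from the R1/R2 phase 2 configuration above, and only contiguous wildcard masks are handled.

```python
"""Phase 2 consistency checks for the two-router IPSec lab (added example).

Verifies that the crypto ACLs on the two peers mirror each other and that the
crypto maps propose at least one identical transform-set.
"""
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed from the R1/R2 phase 2 configuration in the post.
R1_CONFIG = """\
ip access-list extended 100
 1 permit ip 100.100.100.0 0.0.0.255 200.200.200.0 0.0.0.255
crypto ipsec transform-set VPN-TS esp-3des esp-md5-hmac
crypto map VPN-MAP 100 ipsec-isakmp
 set peer 12.12.12.2
 set transform-set VPN-TS
 match address 100
"""

R2_CONFIG = """\
ip access-list extended 100
 1 permit ip 200.200.200.0 0.0.0.255 100.100.100.0 0.0.0.255
crypto ipsec transform-set VPN-TS esp-3des esp-md5-hmac
crypto map VPN-MAP 100 ipsec-isakmp
 set peer 12.12.12.1
 set transform-set VPN-TS
 match address 100
"""


def wildcard_to_net(addr, wildcard):
    """Convert an IOS 'address wildcard' pair (contiguous wildcard) to a network."""
    host_bits = bin(int(IPv4Address(wildcard))).count("1")
    return IPv4Network(f"{addr}/{32 - host_bits}", strict=False)


def parse_crypto_acl(config, acl_id):
    """Return [(src_net, dst_net)] for the 'permit ip' entries of ACL acl_id.

    Handles the named form ('ip access-list extended 100' with indented,
    optionally sequence-numbered entries) and 'access-list 100 permit ip ...'.
    """
    entries, in_named = [], False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            in_named = m.group(1) == acl_id
            continue
        if line.startswith("access-list "):
            in_named = False
            parts = line.split(None, 2)
            if len(parts) < 3 or parts[1] != acl_id:
                continue
            ace = parts[2]
        elif in_named and raw.startswith(" "):
            ace = re.sub(r"^\d+\s+", "", line)  # drop the sequence number
        else:
            in_named = False
            continue
        m = re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)$", ace)
        if m:
            entries.append((wildcard_to_net(m.group(1), m.group(2)),
                            wildcard_to_net(m.group(3), m.group(4))))
    return entries


def acl_mirror_gaps(local, remote):
    """Entries on each side whose swapped (dst, src) counterpart is missing on the other."""
    local_set, remote_set = set(local), set(remote)
    missing_on_remote = [e for e in local if (e[1], e[0]) not in remote_set]
    missing_on_local = [e for e in remote if (e[1], e[0]) not in local_set]
    return missing_on_remote, missing_on_local


def crypto_map_proposals(config, map_name):
    """Set of transform combinations (frozensets) that crypto map map_name proposes."""
    transform_sets = {}
    for raw in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", raw.strip())
        if m:
            transform_sets[m.group(1)] = frozenset(m.group(2).split())
    proposals, in_map = set(), False
    for raw in config.splitlines():
        if not raw.startswith(" "):
            in_map = raw.startswith(f"crypto map {map_name} ")
            continue
        m = re.match(r"set transform-set (.+)$", raw.strip())
        if in_map and m:
            for name in m.group(1).split():
                if name in transform_sets:
                    proposals.add(transform_sets[name])
    return proposals


def check_phase2(local_cfg, remote_cfg, acl_id="100", map_name="VPN-MAP"):
    """Return a list of problems; an empty list means the two sides are consistent."""
    problems = []
    gaps_remote, gaps_local = acl_mirror_gaps(parse_crypto_acl(local_cfg, acl_id),
                                              parse_crypto_acl(remote_cfg, acl_id))
    problems += [f"remote ACL lacks the mirror of {s} -> {d}" for s, d in gaps_remote]
    problems += [f"local ACL lacks the mirror of {s} -> {d}" for s, d in gaps_local]
    if not crypto_map_proposals(local_cfg, map_name) & crypto_map_proposals(remote_cfg, map_name):
        problems.append("no transform-set in common between the two crypto maps")
    return problems


if __name__ == "__main__":
    for line in check_phase2(R1_CONFIG, R2_CONFIG) or ["phase 2 configuration is consistent"]:
        print(line)
```

With the lab configuration `check_phase2` returns no problems; narrowing R2's destination to a single host, or changing R2's transform-set to `esp-aes`, makes it report the ACL gap on both sides or the missing common proposal respectively.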
VERIFICATIONS:
R1#show crypto session
Crypto session current status
Interface: Serial2/0
Session status: DOWN
Peer: 12.12.12.2 port 500
IPSEC FLOW: permit ip 100.100.100.0/255.255.255.0 200.200.200.0/255.255.255.0
Active SAs: 0, origin: crypto map
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
Generating interesting traffic brings the VPN tunnel up:
R1#ping 200.200.200.20 source fastEthernet 0/1 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 200.200.200.20, timeout is 2 seconds:
Packet sent with a source address of 100.100.100.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 99 percent (662/666), round-trip min/avg/max = 8/121/1252 ms
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
12.12.12.2 12.12.12.1 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
To further check the interesting traffic, note that the current encapsulated packet count is 835.
R1#sh crypto ipsec sa
interface: Serial2/0
Crypto map tag: VPN-MAP, local addr 12.12.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (200.200.200.0/255.255.255.0/0/0)
current_peer 12.12.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 835, #pkts encrypt: 835, #pkts digest: 835
#pkts decaps: 835, #pkts decrypt: 835, #pkts verify: 835
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 12.12.12.1, remote crypto endpt.: 12.12.12.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
current outbound spi: 0x78E4E547(2028266823)
inbound esp sas:
spi: 0x4C01FDC1(1275198913)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: VPN-MAP
sa timing: remaining key lifetime (k/sec): (4431877/2028)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x78E4E547(2028266823)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: VPN-MAP
sa timing: remaining key lifetime (k/sec): (4431877/2028)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Ping from PC1 to PC2:
PC1> ping 200.200.200.20
84 bytes from 200.200.200.20 icmp_seq=1 ttl=62 time=177.010 ms
84 bytes from 200.200.200.20 icmp_seq=2 ttl=62 time=142.009 ms
84 bytes from 200.200.200.20 icmp_seq=3 ttl=62 time=159.009 ms
84 bytes from 200.200.200.20 icmp_seq=4 ttl=62 time=222.013 ms
84 bytes from 200.200.200.20 icmp_seq=5 ttl=62 time=215.012 ms
As observed from R1, the encapsulated packet count has increased to 840.
R1#sh crypto ipsec sa
interface: Serial2/0
Crypto map tag: VPN-MAP, local addr 12.12.12.1
protected vrf: (none)
local ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (200.200.200.0/255.255.255.0/0/0)
current_peer 12.12.12.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 840, #pkts encrypt: 840, #pkts digest: 840
#pkts decaps: 840, #pkts decrypt: 840, #pkts verify: 840
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 12.12.12.1, remote crypto endpt.: 12.12.12.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial2/0
current outbound spi: 0x78E4E547(2028266823)
inbound esp sas:
spi: 0x4C01FDC1(1275198913)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: VPN-MAP
sa timing: remaining key lifetime (k/sec): (4431876/2004)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x78E4E547(2028266823)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: VPN-MAP
sa timing: remaining key lifetime (k/sec): (4431876/2004)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
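Comparing the two `show crypto ipsec sa` snapshots by eye works for a lab; the script below is an added example (not the author's code) that does the same comparison programmatically: it extracts the encaps/decaps counters, SPIs, transform, mode, remaining lifetime and SA status, then reports what changed between two snapshots. The samples are constructed from the R1 output above (counters 835 and 840) with IOS-style indentation restored; the rekey-warning threshold is a constructed value, not anything IOS defines.

```python
"""Compare two 'show crypto ipsec sa' snapshots from a Cisco IOS router.

Added example (not the post's code). Extracts counters, SPIs, lifetime and
status from the command output and explains what changed between snapshots.
"""
import re

# Constructed from the R1 output in the post (first snapshot, 835 packets).
SA_BEFORE = """\
interface: Serial2/0
    Crypto map tag: VPN-MAP, local addr 12.12.12.1
   local  ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (200.200.200.0/255.255.255.0/0/0)
   current_peer 12.12.12.2 port 500
    #pkts encaps: 835, #pkts encrypt: 835, #pkts digest: 835
    #pkts decaps: 835, #pkts decrypt: 835, #pkts verify: 835
    #send errors 1, #recv errors 0
     current outbound spi: 0x78E4E547(2028266823)
     inbound esp sas:
      spi: 0x4C01FDC1(1275198913)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4431877/2028)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x78E4E547(2028266823)
        sa timing: remaining key lifetime (k/sec): (4431877/2028)
        Status: ACTIVE
"""

# Second snapshot from the post: five more packets each way, lifetime ticked down.
SA_AFTER = SA_BEFORE.replace("835", "840").replace("4431877/2028", "4431876/2004")

COUNTERS = {
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
}

REKEY_WARN_SEC = 300  # constructed threshold for "rekey imminent", not an IOS value


def parse_ipsec_sa(text):
    """Pull the fields worth tracking out of one 'show crypto ipsec sa' output."""
    sa = {}
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        sa[name] = int(m.group(1)) if m else 0
    m = re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", text)
    sa["outbound_spi"] = m.group(1) if m else None
    # The inbound SPI is the first 'spi:' line after the 'inbound esp sas:' header.
    m = re.search(r"inbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)", text)
    sa["inbound_spi"] = m.group(1) if m else None
    m = re.search(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", text)
    sa["remaining_sec"] = int(m.group(2)) if m else None
    m = re.search(r"transform: (.+?) ,", text)
    sa["transform"] = m.group(1).strip() if m else None
    sa["mode"] = ("tunnel" if "={Tunnel" in text
                  else "transport" if "={Transport" in text else None)
    sa["active"] = "Status: ACTIVE" in text
    return sa


def assess(before, after):
    """Describe what happened between two snapshots as a list of findings."""
    findings = []
    if not after["active"]:
        findings.append("no ACTIVE IPSec SA in the later snapshot")
    if (after["inbound_spi"], after["outbound_spi"]) != (before["inbound_spi"], before["outbound_spi"]):
        findings.append("SPIs changed: the SA was rekeyed or rebuilt between snapshots")
    d_enc = after["encaps"] - before["encaps"]
    d_dec = after["decaps"] - before["decaps"]
    if d_enc == 0 and d_dec == 0:
        findings.append("no packets matched the crypto ACL between snapshots")
    elif d_enc == 0 or d_dec == 0:
        # Counters moving in one direction only usually means the return path
        # is not protected (ACL not mirrored, routing, or the far side dropping).
        findings.append(f"one-way traffic: {d_enc} encrypted, {d_dec} decrypted")
    else:
        findings.append(f"tunnel carried {d_enc} outbound and {d_dec} inbound packets")
    d_err = (after["send_errors"] - before["send_errors"]) + (after["recv_errors"] - before["recv_errors"])
    if d_err:
        findings.append(f"{d_err} new send/recv errors")
    if after["remaining_sec"] is not None and after["remaining_sec"] < REKEY_WARN_SEC:
        findings.append(f"SA lifetime expires in {after['remaining_sec']} s; rekey imminent")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ipsec_sa(SA_BEFORE), parse_ipsec_sa(SA_AFTER)):
        print(finding)
```

For the two snapshots on this page it reports that the tunnel carried 5 outbound and 5 inbound packets, matching the five pings from PC1 to PC2; a snapshot in which only `#pkts encaps` moved would instead be reported as one-way traffic, the usual symptom of an ACL that is not mirrored on the far end.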