IPsec Process & Implementation
IPSec Process:
The most important protocol used by an IPsec VPN is the Internet Key Exchange (IKE) protocol. It is used to negotiate and establish secure site-to-site or remote-access VPN tunnels.
IKE version 2 (IKEv2) is used. (Note that the Packet Tracer configuration below is written for IKEv1, hence the "crypto ikev1" commands.)
To bring up an IPsec tunnel successfully, both IKE phases must complete successfully.
IKE Phase I - Management Tunnel
- This phase mainly focuses on negotiation and authentication.
- It protects management traffic, not user packets.
- Keepalive packets are used.
- Phase I negotiation can succeed only if both ends have the same hash algorithm, encryption algorithm, Diffie-Hellman (DH) group, authentication method and lifetime. These settings are also called the IKE Phase 1 policy.
IKE Phase II - IPsec Tunnel
- User packets are encrypted across untrusted networks between the VPN peers.
- A hashing algorithm and an encryption algorithm are used to protect the user's packets; together they are also called the IKE Phase 2 policy.
- Two modes are used - tunnel mode and transport mode. [For a better understanding - http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html]
[Figure 1]
IPSec Implementation:
Firewall-to-firewall and router-to-router VPN configuration differs slightly. Cisco Packet Tracer is used here.
As per Figure 1, the configuration is between HQ and Branch 1 using firewalls (the firewall-to-firewall case).
IKE Phase I Configuration: (both peers should have the same policy)
!
crypto ikev1 policy 1 //policies to match with the peers
encr aes //Encryption algorithm
hash md5 //Hash algorithm
authentication pre-share // Authentication method
group 5 // Diffie-Hellman (DH) group
lifetime 3600 //Lifetime
!
object network Branch1_network
subnet 192.168.2.0 255.255.255.0
object network HQ_network
subnet 192.168.1.0 255.255.255.0
!
access-list out_crypto extended permit ip object HQ_network object Branch1_network //crypto ACL: traffic to be encrypted
!
tunnel-group 200.200.200.2 type ipsec-l2l
tunnel-group 200.200.200.2 ipsec-attributes //key for authentication
ikev1 pre-shared-key 12345
!
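The Phase I rule above (both peers need the same hash, encryption, DH group, authentication method and lifetime) can be checked offline before the tunnel is brought up. The script below is an added example for this post, not the post's own configuration or Cisco code: it parses "crypto ikev1 policy" blocks in the post's annotated format, simulates the ASA trying policies lowest number first, and flags settings a defender would want to replace. HQ_CONFIG is the post's policy 1; the two Branch 1 policy sets and the ASA default values are constructed/assumed for the simulation.

```python
"""IKEv1 Phase I policy matching between two ASA peers (simulation).

Added example for this post; it is not the post's own configuration or Cisco
code. HQ_CONFIG is the post's policy 1 (with its '//' annotations); the
Branch 1 policy sets below are constructed to show a mismatch and a match.
"""
import re

# Values an ASA fills in when a policy omits an attribute (assumed defaults,
# used only so that partial policies can be compared).
DEFAULTS = {
    "encryption": "3des",
    "hash": "sha",
    "authentication": "pre-share",
    "group": "2",
    "lifetime": "86400",
}

POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")


def parse_policies(config):
    """Return {priority: {attribute: value}} for every 'crypto ikev1 policy'.

    '//' annotations are stripped and Cisco-style abbreviations ('encr' for
    'encryption') are expanded, so the annotated config from the post parses.
    """
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line or line == "!":
            current = None          # '!' ends the policy block
            continue
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)
            continue
        if current is None:
            continue                # objects, ACLs, tunnel-groups: not policy lines
        keyword, _, value = line.partition(" ")
        for attr in DEFAULTS:
            if attr.startswith(keyword):
                policies[current][attr] = value.strip()
    return policies


def negotiate(initiator, responder):
    """Return (init_priority, resp_priority, policy) for the first match.

    The post's rule: Phase I succeeds only when hash, encryption, DH group,
    authentication method and lifetime all agree. Policies are tried lowest
    priority number first, as the ASA does; None means Phase I would fail.
    """
    for ip in sorted(initiator):
        for rp in sorted(responder):
            if initiator[ip] == responder[rp]:
                return ip, rp, dict(initiator[ip])
    return None


# Settings a defender would flag in a matched policy (current guidance, not
# something the post states): MD5 hashing, DES/3DES and DH groups 1/2/5.
WEAK = {"hash": {"md5"}, "encryption": {"des", "3des"}, "group": {"1", "2", "5"}}


def weak_settings(policy):
    """Sorted list like ['group=5', 'hash=md5'] of weak attributes in a policy."""
    return sorted(f"{attr}={policy[attr]}"
                  for attr, bad in WEAK.items() if policy[attr] in bad)


# The post's HQ policy, annotations included.
HQ_CONFIG = """\
crypto ikev1 policy 1 //policies to match with the peers
encr aes //Encryption algorithm
hash md5 //Hash algorithm
authentication pre-share // Authentication method
group 5 // Diffie-Hellman (DH) group
lifetime 3600 //Lifetime
!
tunnel-group 200.200.200.2 type ipsec-l2l
"""

# Constructed: Branch 1 with a non-matching policy 1 and a matching policy 10.
BRANCH_CONFIG = """\
crypto ikev1 policy 1
encr aes
hash sha
authentication pre-share
group 5
lifetime 3600
!
crypto ikev1 policy 10
encr aes
hash md5
authentication pre-share
group 5
lifetime 3600
!
"""

# Constructed: Branch 1 with only the SHA policy, so nothing matches HQ.
BRANCH_CONFIG_NO_MATCH = BRANCH_CONFIG.split("crypto ikev1 policy 10")[0]

if __name__ == "__main__":
    hq = parse_policies(HQ_CONFIG)
    result = negotiate(hq, parse_policies(BRANCH_CONFIG))
    print("match:", result)
    print("weak settings in matched policy:", weak_settings(result[2]))
    print("no match:", negotiate(hq, parse_policies(BRANCH_CONFIG_NO_MATCH)))
```

Running the script shows HQ policy 1 skipping Branch 1's policy 1 (SHA vs MD5) and matching policy 10, and then lists "group=5" and "hash=md5" as the settings to upgrade once the lab tunnel works.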
[Figure: Negotiation between HQ and Branch 1]
[Figure: Phase I - Establishment]
[More information on Phase I states - https://www.tunnelsup.com/isakmp-ike-phase-1-status-messages/]
IKE Phase II Configuration:
!
crypto ipsec ikev1 transform-set HQ esp-aes 256 esp-sha-hmac
!
crypto map out_map 1 match address out_crypto //crypto ACL (interesting traffic)
crypto map out_map 1 set peer 200.200.200.2 //peer IP address
crypto map out_map 1 set ikev1 transform-set HQ //IPsec (Phase II) transform set
crypto map out_map interface outside //interface the crypto map is applied to
crypto ikev1 enable outside
!
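The crypto map's "match address out_crypto" line decides which packets enter the tunnel, and the peer's ACL has to be the mirror image of it for the returning packets to be encrypted as well. The script below is an added example for this post (not the post's configuration or Cisco code) that reproduces that classification: it parses the post's network objects and out_crypto ACL, decides whether a given source/destination pair is encrypted or sent in cleartext, and verifies that a peer's crypto ACL mirrors ours. The Branch 1 configurations and the sample addresses are constructed.

```python
"""Crypto ACL ('interesting traffic') matching and peer mirror check.

Added example for this post, not the post's own configuration or Cisco code.
HQ_CONFIG uses the post's objects and out_crypto ACL; the Branch 1 configs and
the sample packets are constructed.
"""
import ipaddress
import re

OBJECT_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^subnet (\S+) (\S+)$")
# 'permit ip object A object B'; the protocol keyword is optional here so the
# post's shorter form parses as well.
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit (?:\S+ )?object (\S+) object (\S+)$"
)


def parse_crypto_acl(config, acl_name):
    """Return [(src_network, dst_network)] for the named crypto ACL.

    Handles 'object network' + 'subnet' definitions and 'permit ... object X
    object Y' entries, which is all the post's configuration uses.
    """
    objects, entries, current = {}, [], None
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop the post's annotations
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SUBNET_RE.match(line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            continue
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            entries.append((m.group(2), m.group(3)))
    return [(objects[s], objects[d]) for s, d in entries]


def classify(acl, src, dst):
    """'encrypt' if src->dst matches the crypto ACL (enters the tunnel), else 'cleartext'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return "encrypt"
    return "cleartext"


def is_mirror(local_acl, peer_acl):
    """True when the peer's crypto ACL is the exact mirror image of ours.

    Non-mirrored ACLs are a classic cause of Phase II proposal failures, or of
    traffic that is encrypted in one direction and dropped on the return path.
    """
    return {(s, d) for s, d in local_acl} == {(d, s) for s, d in peer_acl}


# The post's HQ objects and crypto ACL.
HQ_CONFIG = """\
object network Branch1_network
subnet 192.168.2.0 255.255.255.0
object network HQ_network
subnet 192.168.1.0 255.255.255.0
!
access-list out_crypto extended permit ip object HQ_network object Branch1_network
!
crypto map out_map 1 match address out_crypto //access-list
"""

# Constructed: Branch 1's ACL is the exact mirror of HQ's.
BRANCH_CONFIG = """\
object network Branch1_network
subnet 192.168.2.0 255.255.255.0
object network HQ_network
subnet 192.168.1.0 255.255.255.0
access-list out_crypto extended permit ip object Branch1_network object HQ_network
"""

# Constructed: Branch 1 defines HQ_network too broadly, so the ACLs don't mirror.
BRANCH_CONFIG_BAD = BRANCH_CONFIG.replace("192.168.1.0 255.255.255.0",
                                          "192.168.0.0 255.255.0.0")

# Constructed flows: HQ host to the Branch LAN, and HQ host to an Internet address.
SAMPLE_FLOWS = [("192.168.1.10", "192.168.2.20"), ("192.168.1.10", "203.0.113.5")]

if __name__ == "__main__":
    hq_acl = parse_crypto_acl(HQ_CONFIG, "out_crypto")
    branch_acl = parse_crypto_acl(BRANCH_CONFIG, "out_crypto")
    for src, dst in SAMPLE_FLOWS:
        print(f"HQ outbound {src} -> {dst}: {classify(hq_acl, src, dst)}")
    print("Branch return 192.168.2.20 -> 192.168.1.10:",
          classify(branch_acl, "192.168.2.20", "192.168.1.10"))
    print("ACLs mirror:", is_mirror(hq_acl, branch_acl))
    print("ACLs mirror (bad branch):",
          is_mirror(hq_acl, parse_crypto_acl(BRANCH_CONFIG_BAD, "out_crypto")))
```

The HQ-to-Branch flow is classified "encrypt", the Internet-bound flow "cleartext", and the returning Branch packet "encrypt" against the mirrored Branch ACL; the deliberately widened Branch definition fails the mirror check, which is the kind of mismatch worth ruling out before reading the Phase II state output.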
[Figure: Phase II state]
[Figure: Inbound & Outbound packet]
[Figure: Outbound packet details]
[Figure: Returning Packet]
Download configuration & .pkt file:
https://drive.google.com/drive/folders/0B2GFOLI0vuLxRnFYWmRBX253aWc?usp=sharing
Video:
https://www.youtube.com/watch?v=Uigljo7AbVI&feature=youtu.be
★CT21
Reference: CCNA Security 210-260 Official Cert Guide