
Netmetric CCNP Security Workbook 2.0

Site-to-Site IPSec VPN

LAB - 1 Making Site to Site IPSec Virtual Private Network

Points to Remember:
The VPN technology we use most is IPsec (Internet Protocol Security). IPsec is a protocol suite designed to provide remote connectivity over an insecure network; it provides confidentiality and integrity to the IP packets traversing the Internet. Another supporting protocol which is always associated with IPsec is ISAKMP (Internet Security Association and Key Management Protocol). ISAKMP is dedicated to negotiating the security associations and transferring the security keys from one device to the other. ISAKMP works on UDP port 500.

Building a site-to-site VPN with IPsec requires:
o Devices which support VPN services and are licensed for them
o A routable static IP address on both ends


LAB Topology

In the above topology, routers R1 and R3 act as the border routers of the two sites, Site A and Site B respectively, and R2 acts as the Internet. The loopbacks represent the local LANs.

Interface configuration:

Device   Interface   IP Address     Subnet Mask
R1       F0/0        1.1.1.1        255.0.0.0
R1       Loopback    11.11.11.11    255.0.0.0
R2       F0/0        1.1.1.2        255.0.0.0
R2       F0/1        2.2.2.1        255.0.0.0
R3       F0/0        2.2.2.2        255.0.0.0
R3       Loopback    33.33.33.33    255.0.0.0

* Configure a default route pointing towards the Internet (i.e. router R2) on both devices R1 and R3.

Verification of routing:

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/68/140 ms

R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 29/54/149 ms


Task 1 : Configure an IPSec site-to-site VPN between R1 and R3 to secure the connection between the LAN of R1 (11.11.11.11) and the LAN of R3 (33.33.33.33).

The process of building an IPSec VPN can be simplified by following this sequence of configuration:
o Define the ISAKMP credentials, which are used for the key exchange
o Define the IPSec credentials, which are used for the data exchange
o Define the interesting traffic using an access-list
o Map all the VPN credentials together in a crypto map
o Apply the crypto map to the interface

Defining the ISAKMP policy, also called the phase 1 parameters of the VPN:

R1(config)#crypto isakmp enable
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5

As part of device authentication we need to define a shared secret key on both sides; in this lab scenario netmetric is the shared key.

R1(config)#crypto isakmp key netmetric address 2.2.2.2

This concludes the phase 1 configuration.

Defining the IPSec credentials, commonly known as the phase 2 parameters of the VPN:

R1(config)#crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac
R1(cfg-crypto-trans)#exit

As per the task, our interesting traffic is sourced from 11.11.11.11 and destined to 33.33.33.33; it can be defined with a simple extended access-list.

R1(config)#access-list 101 permit ip host 11.11.11.11 host 33.33.33.33

Binding the credentials using a crypto map:

R1(config)#crypto map vpn-map 10 ipsec-isakmp
R1(config-crypto-map)#set peer 2.2.2.2
R1(config-crypto-map)#set transform-set t-set-1
R1(config-crypto-map)#match address 101


A crypto map binds the interesting traffic and the peer to a specific transform set. Applying this crypto map to an interface:

R1(config)#int f 0/0
R1(config-if)#crypto map vpn-map

On the other side we need to define exactly the same phase 1 and phase 2 credentials without any change; only the names of the policy and the transform-set may differ, as they are not exchanged with the peer.

R3(config)#crypto isakmp enable
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#hash md5
R3(config)#crypto isakmp key netmetric address 1.1.1.1

R3(config)#crypto ipsec transform-set t-set-2 esp-3des esp-md5-hmac

The crypto ACL on R3 is the mirror image of the one on R1, with source and destination swapped:

R3(config)#access-list 101 permit ip host 33.33.33.33 host 11.11.11.11
R3(config)#crypto map vpn-map-2 10 ipsec-isakmp
R3(config-crypto-map)#set peer 1.1.1.1
R3(config-crypto-map)#set transform-set t-set-2
R3(config-crypto-map)#match address 101
R3(config)#int f 0/0
R3(config-if)#crypto map vpn-map-2
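Added example (not from the workbook): a small Python check that parses both routers' crypto configuration as transcribed above and reports the slips this lab is prone to, namely a phase 1 policy or transform-set mismatch, a set peer that does not match the isakmp key address, a crypto ACL that is not the mirror image of the far side's, and the superseded algorithms (3DES, MD5, DH group 2) the lab uses. The config text and the parse/audit functions are constructed for this example and assume a running-config layout.

```python
import re
# Constructed sample: R1's crypto config from this lab as plain running-config text (assumed layout).
R1_CFG = """\
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
 hash md5
crypto isakmp key netmetric address 2.2.2.2
crypto ipsec transform-set t-set-1 esp-3des esp-md5-hmac
access-list 101 permit ip host 11.11.11.11 host 33.33.33.33
crypto map vpn-map 10 ipsec-isakmp
 set peer 2.2.2.2
 match address 101
"""
# R3 is the mirror image: peer address swapped and the crypto ACL reversed.
R3_CFG = (R1_CFG.replace("2.2.2.2", "1.1.1.1")
          .replace("host 11.11.11.11 host 33.33.33.33", "host 33.33.33.33 host 11.11.11.11"))
# Phase 1 choices this lab uses that are no longer considered strong: reported, not failed.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}

def parse(cfg):
    # Extract only the fields that must agree (or mirror) between the two peers.
    d = {"policy": {}, "acl": set()}
    for s in filter(None, (line.strip() for line in cfg.splitlines())):
        w = s.split()
        if w[0] in ("encryption", "authentication", "group", "hash"):
            d["policy"][w[0]] = w[1]
        elif s.startswith(("crypto isakmp key ", "set peer ")):
            d["keyaddr" if w[0] == "crypto" else "peer"] = w[-1]
        elif s.startswith("crypto ipsec transform-set "):
            d["ts"] = tuple(w[4:])
        elif m := re.match(r"access-list \d+ permit (\S+) host (\S+) host (\S+)", s):
            d["acl"].add(m.groups())
    return d

def audit(cfg_a, cfg_b):
    """Findings for the A->B direction; run it both ways for a full check."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = [msg for cond, msg in (
        (a["policy"] != b["policy"], "phase 1 policy mismatch"),
        (a["ts"] != b["ts"], "transform-set mismatch"),
        (a["peer"] != a["keyaddr"], "set peer and isakmp key address differ")) if cond]
    for proto, src, dst in sorted(a["acl"]):
        if (proto, dst, src) not in b["acl"]:
            out.append(f"crypto ACL {proto} {src}->{dst} is not mirrored on the far side")
    weak = [f"{k} {v}" for k, v in a["policy"].items() if v in WEAK.get(k, ())]
    if weak:
        out.append("weak phase 1 algorithms: " + ", ".join(weak))
    return out
```

With the mirrored configuration above the only finding is the weak-algorithm note; copying R1's access-list to R3 unchanged is reported as an unmirrored crypto ACL.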

Verification

Generating interesting traffic:

R1#ping 33.33.33.33 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 20.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 232/314/380 ms

As soon as the VPN comes up, traffic between the two local LANs starts flowing.

R1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: vpn-net, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (33.33.33.33/255.255.255.255/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)


R1#sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 2.2.2.2 port 500
  IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active
  IPSEC FLOW: permit ip 11.11.11.11/255.255.255.255,33.33.33.33/255.255.255.255


Task 2 : Modify the existing VPN connection to secure the telnet access between the two peers.

An IPSec VPN always catches interesting traffic based on the crypto ACL (the access-list matched in the crypto map is termed the crypto ACL); whatever traffic is supposed to pass through the VPN needs to be added to this ACL.

Modifying the access-list of router R1:

R1(config)#access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet

Modifying the access-list of router R3:

R3(config)#access-list 101 permit tcp host 2.2.2.2 host 1.1.1.1 eq telnet

Task 3 : Imagine there is one more peer, Site C (R4), at IP address 3.3.3.3 with loopback IP address 55.55.55.55. Secure the access between the loopbacks of R1 and R4.

Create a new access-list on R1 to catch the traffic between the loopbacks:

R1(config)#access-list 102 permit ip host 11.11.11.11 host 55.55.55.55

Create a crypto map entry with the same name but a different ID (there is no need to add a differently named crypto map, as you cannot apply more than one crypto map to an interface):

R1(config)#crypto map vpn-map 11 ipsec-isakmp
R1(config-crypto-map)#set peer 3.3.3.3
R1(config-crypto-map)#set transform-set t-set-1
R1(config-crypto-map)#match address 102
