© 2012 Cisco and/or its affiliates. All rights reserved. 1 IPsec.


Slide 2: IPsec is a "framework" of open standards developed by the IETF to create a secure tunnel at the network (IP) layer.
– It spells out the rules for secure communications.
– RFC 2412
IPsec is not bound to any specific encryption or authentication algorithms, keying technology, or security algorithms. IPsec allows newer and better algorithms to be implemented without patching the existing IPsec standards.

Slides 3 to 8 (figure, the IPsec framework, built up one row at a time): IPsec protocol: AH, ESP, ESP + AH. Encryption: DES, 3DES, AES, SEAL. Hash: MD5, SHA. Authentication: PSK, RSA. Diffie-Hellman groups: DH1 (768 bits), DH2 (1024 bits), DH5 (1536 bits), DH7. The figure marks DH1 and DH2 as used by DES and 3DES, and DH5 as used by AES.

Slide 9: IPsec uses two main protocols to create a security framework:
– AH: Authentication Header
– ESP: Encapsulating Security Payload

Slide 10: AH provides authentication and optional replay-detection services.
– It authenticates the sender of the data.
– AH operates on protocol number 51.
– AH supports the HMAC-MD5 and HMAC-SHA-1 algorithms.

Slide 11: AH does not provide confidentiality (encryption).
– It is appropriate to use when confidentiality is not required or permitted.
– All text is transported unencrypted. It only ensures the origin of the data and verifies that the data has not been modified during transit.
If the AH protocol is used alone, it provides weak protection. AH can have problems if the environment uses NAT, because the AH integrity check covers the IP header and NAT rewrites the addresses in that header.

Slide 12: ESP provides the same security services as AH (authentication and integrity) and an encryption service.
– It encapsulates the data to be protected.
– It operates on protocol number 50.

Slide 13: ESP can also provide integrity and authentication.
– First, the payload is encrypted using DES (default), 3DES, AES, or SEAL.
– Next, the encrypted payload is hashed to provide authentication and data integrity using HMAC-MD5 or HMAC-SHA-1.

Slide 14: ESP and AH can be applied to IP packets in two different modes: transport mode and tunnel mode.

Slide 15: Transport mode: security is provided only for the Transport Layer and above.
– It protects the payload but leaves the original IP address in plaintext.
ESP transport mode is used between hosts. Transport mode works well with GRE, because GRE hides the addresses of the end devices by adding its own IP header.

Slide 16: Tunnel mode provides security for the complete original IP packet.
– The original IP packet is encrypted and then it is encapsulated in another IP packet (IP-in-IP encryption).
ESP tunnel mode is used in remote access and site-to-site implementations.

Slide 17: Key Exchange

Slide 18: The IPsec VPN solution:
– Negotiates key exchange parameters (IKE).
– Establishes a shared key (DH).
– Authenticates the peer.
– Negotiates the encryption parameters.
The negotiated parameters between two devices are known as a security association (SA).

Slide 19: SAs represent a policy contract between two peers or hosts, and describe how the peers will use IPsec security services to protect network traffic. SAs contain all the security parameters needed to securely transport packets between the peers or hosts, and practically define the security policy used in IPsec.


Slide 21: IKE helps IPsec securely exchange cryptographic keys between distant devices.
– IKE is a combination of ISAKMP and the Oakley Key Exchange Protocol.
Key management can be preconfigured with IKE (ISAKMP) or with a manual key configuration.
– IKE and ISAKMP are often used interchangeably.
The IKE tunnel protects the SA negotiations.
– After the SAs are in place, IPsec protects the data that Alice and Bob exchange.

Slide 22 (figure, IKE and IPsec between Alice and Bob): an outbound packet is sent from Alice to Bob while no IPsec SA exists. Step 4 of the figure: the packet is sent from Alice to Bob protected by the IPsec SA.

Slide 23: There are two phases in every IKE negotiation:
– Phase 1 (Authentication)
– Phase 2 (Key Exchange)
IKE negotiation can also occur in:
– Main Mode
– Aggressive Mode
The difference between the two is that Main Mode requires the exchange of 6 messages while Aggressive Mode requires only 3 messages.

Slide 24: IKE Phase One:
– Negotiates an IKE protection suite.
– Exchanges keying material to protect the IKE session (DH).
– Authenticates each other.
– Establishes the IKE SA.
– Main Mode requires the exchange of 6 messages while Aggressive Mode only uses 3 messages.
IKE Phase Two:
– Negotiates IPsec security parameters, known as IPsec transform sets.
– Establishes IPsec SAs.
– Periodically renegotiates IPsec SAs to ensure security.
– Optionally performs an additional DH exchange.


Slide 26: The five steps of IPsec operation:
Step 1: Host A sends interesting traffic destined for Host B.
Step 2: IKE Phase 1 authenticates IPsec peers and negotiates IKE SAs to create a secure communications channel for negotiating IPsec SAs in Phase 2.
Step 3: IKE Phase 2 negotiates IPsec SA parameters and creates matching IPsec SAs in the peers to protect data and messages exchanged between endpoints.
Step 4: Data transfer occurs between IPsec peers based on the IPsec parameters and keys stored in the SA database.
Step 5: IPsec tunnel termination occurs when the SAs are deleted or time out.


Slide 28: IKE Policy Negotiation

Slide 29 (figure labelled DH Key Exchange; pre-shared key authentication of RouterB): RouterA randomly chooses a string and sends it to RouterB. RouterB hashes the received string together with the pre-shared secret and yields a hash value. RouterB sends the result of hashing back to RouterA. RouterA calculates its own hash of the random string, together with the pre-shared secret, and matches it with the received result from the other peer. If they match, RouterB knows the pre-shared secret, and is considered authenticated.

Slide 30 (figure labelled DH Key Exchange; pre-shared key authentication of RouterA): Now RouterB randomly chooses a different random string and sends it to RouterA. RouterA also hashes the received string together with the pre-shared secret and yields a hash value. RouterA sends the result of hashing back to RouterB. RouterB calculates its own hash of the random string, together with the pre-shared secret, and matches it with the received result from the other peer. If they match, RouterA knows the pre-shared secret, and is considered authenticated.
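The two-way exchange of slides 29 and 30, as an added Python example that is not part of the Cisco slides: RouterA challenges RouterB, then RouterB challenges RouterA with a different random string, and each side hashes the received string with the pre-shared secret and compares the answer with its own computation. The slides do not say which hash is used; HMAC-SHA-256 keyed with the secret, the 16-byte challenge length, and the Router class and function names are this example's assumptions. The key CISCO1234 is the lab's pre-shared key.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: "hash of the string together with the pre-shared
# secret" is computed as HMAC-SHA-256 keyed with the secret.
HASH = hashlib.sha256


def make_challenge() -> bytes:
    """The random string a peer chooses and sends to the other side."""
    return secrets.token_bytes(16)


def respond(challenge: bytes, psk: bytes) -> bytes:
    """Hash the received string together with the pre-shared secret."""
    return hmac.new(psk, challenge, HASH).digest()


def verify(challenge: bytes, response: bytes, psk: bytes) -> bool:
    """Recompute the hash locally and compare it with the peer's result.
    compare_digest does not leak how many leading bytes matched."""
    return hmac.compare_digest(respond(challenge, psk), response)


class Router:
    """A peer holding its own copy of the pre-shared key (hypothetical helper)."""

    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk
        self.outstanding = None  # the challenge we are waiting to have answered

    def challenge(self) -> bytes:
        self.outstanding = make_challenge()
        return self.outstanding

    def answer(self, challenge: bytes) -> bytes:
        return respond(challenge, self.psk)

    def check(self, response: bytes) -> bool:
        ok = verify(self.outstanding, response, self.psk)
        self.outstanding = None  # every challenge is used exactly once
        return ok


def mutual_authenticate(a: Router, b: Router) -> dict:
    """Slide 29: A challenges B. Slide 30: B challenges A with a different string."""
    c1 = a.challenge()                        # RouterA -> RouterB: random string
    b_authenticated = a.check(b.answer(c1))   # RouterB -> RouterA: hash result
    c2 = b.challenge()                        # RouterB -> RouterA: a different random string
    a_authenticated = b.check(a.answer(c2))   # RouterA -> RouterB: hash result
    return {"routerB_authenticated": b_authenticated,
            "routerA_authenticated": a_authenticated}


def replay_is_rejected(a: Router, b: Router) -> bool:
    """A hash result recorded for one challenge does not satisfy a fresh challenge,
    which is why each peer picks a new random string every time."""
    old_response = b.answer(a.challenge())
    a.challenge()                             # new random string
    return not a.check(old_response)


if __name__ == "__main__":
    key = b"CISCO1234"  # the lab's pre-shared key
    print(mutual_authenticate(Router("RouterA", key), Router("RouterB", key)))
    print(mutual_authenticate(Router("RouterA", key), Router("RouterB", b"other-key")))
    print(replay_is_rejected(Router("RouterA", key), Router("RouterB", key)))
```

With matching keys both directions succeed; with a mismatched key on one side both directions fail, because each router checks the other's answer against its own key. The same property is what the lab relies on when both R2 and R3 are configured with `crypto isakmp key CISCO1234`.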

Slides 31 to 37 (figure titles only): Peer Authentication; IPsec Negotiation; Transform Set Negotiation; Security Associations; IPsec Session; Tunnel Termination; IPsec Tasks.

Slide 38: IPsec configuration tasks:
1. Ensure that ACLs configured on the interface are compatible with the IPsec configuration.
2. Create an IKE policy to determine the parameters that will be used to establish the tunnel.
3. Configure the IPsec transform set, which defines the parameters that the IPsec tunnel uses.
– The set can include the encryption and integrity algorithms.
4. Create a crypto ACL.
– The crypto ACL defines which traffic is sent through the IPsec tunnel and protected by the IPsec process.
5. Create and apply a crypto map.
– The crypto map groups the previously configured parameters together and defines the IPsec peer devices.
– The crypto map is applied to the outgoing interface of the VPN device.


Slide 41: ESP = protocol # 50, AH = protocol # 51, ISAKMP = UDP port 500.
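Task step 1 (interface ACLs compatible with IPsec) and task step 4 (the crypto ACL selecting interesting traffic) both come down to evaluating an IOS ACL, and the protocol numbers on slide 41 are what step 1 has to permit. The following Python is an added example, not code from the Cisco slides: a small parser for extended ACL entries of the form shown in the lab (`permit`/`deny`, protocol, `any`/`host`/address-wildcard, optional `eq` port), a first-match evaluator with the implicit deny, and two checks built on it. The ACL text, the addresses (RFC 5737 documentation ranges) and the function names are constructed for this example; `esp`, `ahp`, `udp` and `eq isakmp` are standard IOS ACL keywords.

```python
import ipaddress

# Slide 41: ESP = IP protocol 50, AH = IP protocol 51, ISAKMP = UDP port 500.
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
PORT_NAMES = {"isakmp": 500}
# (protocol number, destination port) a gateway must accept from its IPsec peer.
IPSEC_FLOWS = {"esp": (50, None), "ah": (51, None), "isakmp": (17, 500)}


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' -> network; wildcard bits are the inverse of the mask."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_ace(line: str):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'.
    SRC and DST are 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns None for lines this small parser does not handle."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        return None
    if tok[3] not in PROTO_NUMBERS:
        return None
    pos, nets = 4, []
    for _ in range(2):  # source, then destination
        if tok[pos] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            pos += 1
        elif tok[pos] == "host":
            nets.append(ipaddress.ip_network(tok[pos + 1] + "/32"))
            pos += 2
        else:
            nets.append(wildcard_to_network(tok[pos], tok[pos + 1]))
            pos += 2
    port = None
    if pos + 1 < len(tok) and tok[pos] == "eq":
        port = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
    return {"action": tok[2], "proto": PROTO_NUMBERS[tok[3]],
            "src": nets[0], "dst": nets[1], "port": port}


def first_match(aces, proto, src_ip, dst_ip, port=None) -> bool:
    """IOS semantics: the first matching entry decides; no match is an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["proto"] is not None and ace["proto"] != proto:
            continue  # an 'ip' entry (proto None) matches every protocol
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        return ace["action"] == "permit"
    return False


def ipsec_flows_permitted(acl_lines, peer_ip, local_ip) -> dict:
    """Task step 1: does the inbound interface ACL admit the peer's ESP, AH and ISAKMP?"""
    aces = [a for a in map(parse_ace, acl_lines) if a]
    return {name: first_match(aces, proto, peer_ip, local_ip, port)
            for name, (proto, port) in IPSEC_FLOWS.items()}


def is_interesting(crypto_acl_lines, src_ip, dst_ip, proto=1) -> bool:
    """Task step 4: a crypto ACL permit selects traffic for the tunnel (ICMP by default,
    matching the lab's test ping)."""
    aces = [a for a in map(parse_ace, crypto_acl_lines) if a]
    return first_match(aces, proto, src_ip, dst_ip)


# Constructed sample: outside-interface ACL of a gateway at 192.0.2.1 whose peer is 198.51.100.1.
# It forgets AH, which the check reports.
INTERFACE_ACL = [
    "access-list 101 permit esp host 198.51.100.1 host 192.0.2.1",
    "access-list 101 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp",
    "access-list 101 deny ip any any",
]
# Constructed crypto ACL in the style of the lab's access-list 120: LAN 10.1.0.0/16 to LAN 10.2.0.0/16.
CRYPTO_ACL = ["access-list 120 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255"]

if __name__ == "__main__":
    print(ipsec_flows_permitted(INTERFACE_ACL, "198.51.100.1", "192.0.2.1"))
    print(is_interesting(CRYPTO_ACL, "10.1.1.5", "10.2.7.9"),
          is_interesting(CRYPTO_ACL, "10.1.1.5", "172.16.0.1"))
```

The sample interface ACL admits ESP and ISAKMP but not AH, which is harmless for the lab's `esp-des` transform set and would break an `ah-*` transform set; a crypto ACL that is too broad or too narrow shows up the same way, as a packet that is or is not classified as interesting.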

Slide 42: Creating a plan in advance is mandatory to configure IPsec encryption correctly and minimize misconfiguration. Determine the following policy details:
– Key distribution method
– Authentication method
– IPsec peer IP addresses and hostnames
– IKE Phase 1 policies for all peers
– Encryption algorithm, hash algorithm, IKE SA lifetime
Goal: Minimize misconfiguration.

Slide 43 (figure, IKE Phase 1 policy parameter choices; only the fragments "or AES" and "or D-H 5" survive).


Slide 47:
RouterA# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit


Slide 51: By default, the ISAKMP identity is set to use the IP address.

Slide 53: To use the hostname parameter, configure the crypto isakmp identity hostname global configuration mode command.
– In addition, DNS must be accessible to resolve the hostname.


Slide 55: Determine the following policy details:
– IPsec algorithms and parameters for optimal security and performance
– Transform sets
– IPsec peer details
– IP addresses and applications of hosts to be protected
– Manual or IKE-initiated SAs
Goal: Minimize misconfiguration.

Slide 56: Cisco IOS software supports the following IPsec transforms:
CentralA(config)# crypto ipsec transform-set transform-set-name ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  esp-null      ESP transform w/o cipher
Note: esp-md5-hmac and esp-sha-hmac provide more data integrity. They are compatible with NAT/PAT and are used more frequently than ah-md5-hmac and ah-sha-hmac.


Slide 58:
RouterA# show crypto isakmp policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:   #1 (768 bit)
        lifetime:               seconds, no volume limit
RouterA# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer =
        Extended IP access list 102
            access-list 102 permit ip host  host
        Current peer:
        Security association lifetime:  kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MY-SET, }
RouterA# show crypto ipsec transform-set MY-SET
Transform set MY-SET: { esp-des }
   will negotiate = { Tunnel, },


Slide 62: The crypto ipsec security-association lifetime command configures the global IPsec lifetime values used when negotiating IPsec security associations. IPsec SA lifetimes are negotiated during IKE Phase 2.

Slide 64 (crypto ACLs on each peer):
RouterA(config)# access-list 110 permit tcp
RouterB(config)# access-list 110 permit tcp


Slide 69:
RouterA(config)# crypto map MYMAP 110 ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer
RouterA(config-crypto-map)# set peer
RouterA(config-crypto-map)# set transform-set MINE
RouterA(config-crypto-map)# set security-association lifetime seconds 86400


Slide 73: Clears IPsec security associations in the router database.
Router# clear crypto sa
Router# clear crypto sa peer
Router# clear crypto sa map
Router# clear crypto sa entry

Slide 74:
RouterA# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  pre-share
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit

Slide 75:
RouterA# show crypto ipsec transform-set MY-SET
Transform set MY-SET: { esp-des }
   will negotiate = { Tunnel, },

Slide 76: QM_IDLE (quiescent state) indicates that an ISAKMP SA exists but is idle. The router will remain authenticated with its peer and may be used for subsequent quick mode (QM) exchanges.
RouterA# show crypto isakmp sa
dst             src             state           conn-id   slot
                                QM_IDLE         475

Slide 77:
RouterA# show crypto ipsec sa
interface: Ethernet0/1
    Crypto map tag: MYMAP, local addr
   local ident (addr/mask/prot/port): ( / /0/0)
   remote ident (addr/mask/prot/port): ( / /0/0)
   current_peer:
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
     local crypto endpt.: , remote crypto endpt.:
     path mtu 1500, media mtu 1500
     current outbound spi: 8AE1C9C

Slide 78:
RouterA# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer =
        Extended IP access list 102
            access-list 102 permit ip host  host
        Current peer:
        Security association lifetime:  kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MINE, }

Slide 79: To display debug messages about all IPsec actions, use the global command debug crypto ipsec. To display debug messages about all ISAKMP actions, use the global command debug crypto isakmp.

Slide 80: ISAKMP SA with the remote peer was not authenticated:
%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated!
ISAKMP peers failed protection suite negotiation for ISAKMP:
%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed

Slide 81: This is an example of the Main Mode error message. The failure of Main Mode suggests that the Phase 1 policy does not match on both sides. Verify that the Phase 1 policy is on both peers and ensure that all the attributes match:
– Encryption: DES or 3DES
– Hash: MD5 or SHA
– Diffie-Hellman: Group 1 or 2
– Authentication: rsa-sig, rsa-encr or pre-share
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at
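The Phase 1 matching rule of slides 23, 24 and 81 (the four attributes that must agree on both peers, tried in policy priority order) and the failure messages of slides 80 and 81, as an added Python example that is not from the Cisco slides. `negotiate_phase1` returns the first matching pair of policies or None, `explain_mismatch` names the attribute an operator has to change, and `classify_ike_log` flags the syslog and debug lines the slides quote. RouterA's policy is the one shown on slide 47 (DES, MD5, group 1, pre-share); RouterB's policies, the function names and the hint labels are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    """One 'crypto isakmp policy' entry. The lifetime is shown in the output but is
    not one of the attributes slide 81 says must match, so it is not compared."""
    priority: int
    encryption: str       # des | 3des | aes
    hash_alg: str         # md5 | sha
    dh_group: int         # 1 | 2 | 5
    authentication: str   # pre-share | rsa-sig | rsa-encr
    lifetime: int = 86400


MATCHED_ATTRIBUTES = ("encryption", "hash_alg", "dh_group", "authentication")


def negotiate_phase1(initiator, responder):
    """Return the first (initiator policy, responder policy) pair whose four attributes
    all agree, trying policies in priority order (lowest number first), or None.
    None is the situation behind '%CRYPTO-6-IKMP_MODE_FAILURE'."""
    for ini in sorted(initiator, key=lambda p: p.priority):
        for rsp in sorted(responder, key=lambda p: p.priority):
            if all(getattr(ini, a) == getattr(rsp, a) for a in MATCHED_ATTRIBUTES):
                return ini, rsp
    return None


def explain_mismatch(initiator, responder):
    """For each initiator policy, the closest responder policy (fewest differing
    attributes) and the attributes that differ, so the operator knows what to change."""
    report = {}
    for ini in initiator:
        closest = min(responder, key=lambda r: sum(
            getattr(ini, a) != getattr(r, a) for a in MATCHED_ATTRIBUTES))
        report[ini.priority] = (closest.priority, [
            a for a in MATCHED_ATTRIBUTES if getattr(ini, a) != getattr(closest, a)])
    return report


# Message patterns quoted on slides 80 and 81, mapped to the check to perform
# (hint labels are this example's own).
IKE_LOG_HINTS = [
    (re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed"),
     "phase1-policy-mismatch"),
    (re.compile(r"ISAKMP \(\d+:\d+\): atts are not acceptable"), "phase1-policy-mismatch"),
    (re.compile(r"%CRYPTO-6-IKMP_SA_NOT_AUTH"), "isakmp-sa-not-authenticated"),
    (re.compile(r"%CRYPTO-6-IKMP_SA_NOT_OFFERED"), "attribute-not-offered"),
]


def classify_ike_log(line: str):
    """Return the hint for a syslog/debug line, or None when it is not an IKE failure."""
    for pattern, hint in IKE_LOG_HINTS:
        if pattern.search(line):
            return hint
    return None


# Constructed sample. RouterA's policy 110 is the one on slide 47; RouterB's policy
# 110 is made up with SHA instead of MD5, then corrected.
ROUTER_A = [IkePolicy(110, "des", "md5", 1, "pre-share")]
ROUTER_B_BAD = [IkePolicy(110, "des", "sha", 1, "pre-share")]
ROUTER_B_FIXED = [IkePolicy(110, "des", "md5", 1, "pre-share")]

if __name__ == "__main__":
    print(negotiate_phase1(ROUTER_A, ROUTER_B_BAD))      # None: Main Mode would fail
    print(explain_mismatch(ROUTER_A, ROUTER_B_BAD))      # {110: (110, ['hash_alg'])}
    print(negotiate_phase1(ROUTER_A, ROUTER_B_FIXED))
    print(classify_ike_log("1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0"))
```

Note that a router also offers its default protection suite (slides 47 and 58), so two peers whose numbered policies disagree can still agree on the defaults; that is worth remembering when the negotiated suite is not the one you configured.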

Slide 82: VPN Lab

Slide 83: Configuring a Site-to-Site IPsec VPN Using Pre-Shared Keys

Slide 84 (R1 configuration):
hostname R1
!
interface Serial0/0
 ip address
 encapsulation frame-relay
!
interface Serial0/1
 ip address
!
ip route
ip route

Slide 85 (R2 configuration):
hostname R2
!
crypto isakmp policy 100
 authentication pre-share
crypto isakmp key CISCO1234 address
!
crypto ipsec transform-set MYSET esp-des
!
crypto map MYMAP 110 ipsec-isakmp
 set peer
 set transform-set MYSET
 match address 120
!
interface Serial0/0
 ip address
 encapsulation frame-relay
 crypto map MYMAP
!
ip route
!
access-list 120 permit ip

Slide 86 (R3 configuration):
hostname R3
!
crypto isakmp policy 100
 authentication pre-share
crypto isakmp key CISCO1234 address
!
crypto ipsec transform-set MYSET esp-des
!
crypto map MYMAP 110 ipsec-isakmp
 set peer
 set transform-set MYSET
 match address 120
!
interface Serial0/1
 ip address
 clockrate
 crypto map MYMAP
!
ip route
!
access-list 120 permit ip

Slide 87: Clear the crypto security associations.
– R2# clear crypto sa
– R2# clear crypto isakmp

Slide 88: Verify that the IPsec SAs have been cleared.
R2# sho crypto ipsec sa
interface: Serial0/0
    Crypto map tag: MYMAP, local addr
   local ident (addr/mask/prot/port): ( / /0/0)
   remote ident (addr/mask/prot/port): ( / /0/0)
   current_peer:
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: , remote crypto endpt.:
     path mtu 1500, media mtu 1500
     current outbound spi: 0

Slide 89: Initiate an extended ping from each respective LAN to test the VPN configuration.
R2# ping
Protocol [ip]:
Target IP address:
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 132/135/136 ms
The first echo is dropped while IKE is still negotiating the SAs, which is why the success rate is 4/5 rather than 5/5.

Slide 90: After the extended ping, verify the IPsec SAs.
R2# sho crypto ipsec sa
interface: Serial0/0
    Crypto map tag: MYMAP, local addr
   local ident (addr/mask/prot/port): ( / /0/0)
   remote ident (addr/mask/prot/port): ( / /0/0)
   current_peer:
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: , remote crypto endpt.:
     path mtu 1500, media mtu 1500
     current outbound spi: DC
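The verification step of slides 88 to 90 compares the `show crypto ipsec sa` counters before and after the test ping. The following Python is an added example, not code from the Cisco slides: a parser for the counter lines in that output (note the inconsistent punctuation the real output uses, `#pkts encaps: 4` but `#pkts digest 0`) and a check that turns the before/after capture into a verdict. The sample output is constructed to mirror slides 88 and 90; the addresses, the SPI value and the function names are made up for this example.

```python
import re

# Counter lines from 'show crypto ipsec sa' (slides 88 and 90). The colon is
# optional because the real output prints '#pkts digest 0' without one.
COUNTER_RE = re.compile(
    r"#(pkts (?:encaps|encrypt|digest|decaps|decrypt|verify)|send errors|recv errors):?\s*(\d+)")
SPI_RE = re.compile(r"current outbound spi:\s*([0-9A-Fa-f]+)")


def parse_ipsec_sa(output: str) -> dict:
    """Return the packet counters and the outbound SPI of one SA from the command output."""
    stats = {name: int(value) for name, value in COUNTER_RE.findall(output)}
    spi = SPI_RE.search(output)
    stats["outbound_spi"] = spi.group(1) if spi else None
    return stats


def assess_tunnel(before: dict, after: dict, echoes_sent: int) -> dict:
    """Compare counters captured before and after the test ping."""
    encaps = after["pkts encaps"] - before["pkts encaps"]
    decaps = after["pkts decaps"] - before["pkts decaps"]
    return {
        # An SPI of 0 means no outbound SA has been negotiated yet (slide 88).
        "sa_established": after["outbound_spi"] not in (None, "0"),
        # Traffic was encapsulated outbound and decapsulated inbound.
        "tunnel_carried_traffic": encaps > 0 and decaps > 0,
        # Echoes that never became ESP packets: sent before the SA was up.
        "echoes_not_tunnelled": echoes_sent - encaps,
        "new_send_errors": after["send errors"] - before["send errors"],
        "new_recv_errors": after["recv errors"] - before["recv errors"],
    }


# Constructed sample in the shape of slide 88 (after 'clear crypto sa') ...
BEFORE = """\
interface: Serial0/0
    Crypto map tag: MYMAP, local addr 192.0.2.2
   local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   current_peer: 198.51.100.3
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     current outbound spi: 0
"""
# ... and of slide 90, after the 5-echo extended ping of which 4 succeeded.
AFTER = (BEFORE
         .replace("#pkts encaps: 0, #pkts encrypt: 0", "#pkts encaps: 4, #pkts encrypt: 4")
         .replace("#pkts decaps: 0, #pkts decrypt: 0", "#pkts decaps: 4, #pkts decrypt: 4")
         .replace("#send errors 0", "#send errors 1")
         .replace("current outbound spi: 0", "current outbound spi: DC1B2A3C"))

if __name__ == "__main__":
    print(assess_tunnel(parse_ipsec_sa(BEFORE), parse_ipsec_sa(AFTER), echoes_sent=5))
```

On the sample the verdict is: SA established, traffic carried in both directions, one echo not tunnelled and one send error, which is exactly the 4/5 ping result and the `#send errors 1` of slide 90; an `encaps` count that rises while `decaps` stays at zero would instead point at the return path (the peer's crypto ACL or routing).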
