Cisco Labs – Network Security (3) – Site to site VPN using pre-shared keys on Router


Introduction

During my university studies I was doing a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples for students, so they can test basic settings for VPN, IPS and others. These tasks are created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its own post with a brief description of the task and the schema. The complete task can be downloaded from My OneDrive.

NS2 – Module 4, 4.4.7 IOS task definition

Goal

  • A site-to-site VPN tunnel using pre-shared keys will be established on the routers.
  • Router3 only forwards traffic between the site routers; it simulates the Internet.
  • Only traffic between LAN 1 and LAN 2 will be encrypted.
  • Use the OSPF routing protocol.
  • Clear and reinitialize the VPN tunnel.
  • Do not forget to erase the configuration before starting, and check that the IOS image supports the required features.

Required time

2 hours

Theoretical background

A short theoretical background for solving this task will be given here.

Topology

NS2-4.4.7_IOS_topology1_VIRTLAB

Configuration

PC1

ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7

PC2

ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8

Routers

1) interface settings + OSPF:

Router1(config)#interface INT2
Router1(conf-if)#ip address 172.16.1.1 255.255.255.0
Router1(conf-if)#no shutdown

Router1(config)#interface INT1
Router1(conf-if)#ip address 192.168.0.1 255.255.255.0
Router1(conf-if)#no shutdown

Router1(config)#router ospf 1								;configure OSPF so that all networks in the scheme are reachable
Router1(rout)#network 192.168.0.0 0.0.0.255 area 0
Router1(rout)#network 172.16.1.0 0.0.0.255 area 0

Router2(config)#interface INT3
Router2(conf-if)#ip address 172.16.0.1 255.255.255.0
Router2(conf-if)#no shutdown

Router2(config)#interface INT4
Router2(conf-if)#ip address 10.0.0.1 255.255.255.0
Router2(conf-if)#no shutdown

Router2(config)#router ospf 1
Router2(rout)#network 172.16.0.0 0.0.0.255 area 0
Router2(rout)#network 10.0.0.0 0.0.0.255 area 0

Router3(config)#interface INT5
Router3(conf-if)#ip address 172.16.1.2 255.255.255.0
Router3(conf-if)#no shutdown

Router3(config)#interface INT6
Router3(conf-if)#ip address 172.16.0.2 255.255.255.0
Router3(conf-if)#no shutdown

Router3(config)#router ospf 1
Router3(rout)#network 172.16.1.0 0.0.0.255 area 0
Router3(rout)#network 172.16.0.0 0.0.0.255 area 0

2a) VPN tunnel settings phase 1 IKE/ISAKMP:

The policy must be the same on both ends of the tunnel (the priority number may differ).

Router1(config)#crypto isakmp policy 10							;create an ISAKMP policy with priority 10
Router1(isakmp)#encryption 3des								;set the encryption algorithm
Router1(isakmp)#hash md5								;set the hash algorithm
Router1(isakmp)#group 1									;set the Diffie-Hellman group used for the key exchange
Router1(isakmp)#authentication pre-share						;specify the authentication method within the IKE policy
Router1(isakmp)#lifetime 200								;set the lifetime (seconds) of the phase 1 (ISAKMP) security association

Router2(config)#crypto isakmp policy 10
Router2(isakmp)#encryption 3des
Router2(isakmp)#hash md5
Router2(isakmp)#group 1
Router2(isakmp)#authentication pre-share
Router2(isakmp)#lifetime 200

2b) VPN tunnel settings phase 2 IPSEC:

Router1(config)#crypto ipsec transform-set TRSETRH esp-des esp-md5-hmac			;define a transform set: the accepted combination of security protocols and algorithms
Router1(config)#access-list 111 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255	;create the access list that defines which traffic goes through the tunnel
Router1(config)#crypto isakmp key HESLO address 172.16.0.1				;set the pre-shared key and the far end of the tunnel
Router1(config)#crypto map LOKALNIMAPARH 10 ipsec-isakmp				;define a crypto map entry that ties the peer, access list and transform set together
Router1(cr-m)#set peer 172.16.0.1							;set the far end of the VPN tunnel
Router1(cr-m)#match address 111								;apply access list 111 (traffic to be encrypted)
Router1(cr-m)#set transform-set TRSETRH							;apply the transform set to the crypto map
Router1(config)#interface INT2
Router1(conf-if)#crypto map LOKALNIMAPARH						;apply the crypto map to the interface

Apply the analogous settings to the other side of the tunnel.

Router2(config)#crypto ipsec transform-set TRSETRI esp-des esp-md5-hmac
Router2(config)#access-list 122 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
Router2(config)#crypto isakmp key HESLO address 172.16.1.1
Router2(config)#crypto map LOKALNIMAPARI 10 ipsec-isakmp
Router2(cr-m)#set peer 172.16.1.1
Router2(cr-m)#match address 122
Router2(cr-m)#set transform-set TRSETRI
Router2(config)#interface INT3
Router2(conf-if)#crypto map LOKALNIMAPARI

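Most failures in steps 2a/2b come from the two ends not agreeing: a policy attribute typed differently, a peer or pre-shared-key address pointing at the wrong interface, or crypto ACLs that are not mirror images. The script below is an added example (not part of the lab or Virtlab) that parses the lab's own Router1 and Router2 commands, with the prompts stripped, and reports every such mismatch; it also warns about the algorithms the lab uses (3DES, MD5, DES, DH group 1), which are legacy choices kept here for compatibility with old IOS images, where a current deployment would use AES, SHA-2 and a larger DH group. The prompt-less configuration text and the address constants are constructed from the lab above.

```python
"""Cross-check both ends of a pre-shared-key site-to-site IPsec tunnel.

Added example, not part of the lab. Understands only the IOS commands the lab uses.
"""
import re

# Constructed sample: the lab's Router1 and Router2 crypto commands without prompts.
ROUTER1_CFG = """
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 1
 authentication pre-share
 lifetime 200
crypto ipsec transform-set TRSETRH esp-des esp-md5-hmac
access-list 111 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto isakmp key HESLO address 172.16.0.1
crypto map LOKALNIMAPARH 10 ipsec-isakmp
 set peer 172.16.0.1
 match address 111
 set transform-set TRSETRH
"""
ROUTER2_CFG = """
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 1
 authentication pre-share
 lifetime 200
crypto ipsec transform-set TRSETRI esp-des esp-md5-hmac
access-list 122 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
crypto isakmp key HESLO address 172.16.1.1
crypto map LOKALNIMAPARI 10 ipsec-isakmp
 set peer 172.16.1.1
 match address 122
 set transform-set TRSETRI
"""
# Tunnel-facing interface addresses from the lab (INT2 on Router1, INT3 on Router2).
ROUTER1_ADDR, ROUTER2_ADDR = "172.16.1.1", "172.16.0.1"

# Legacy algorithms: fine for a lab with old IOS images, not for production.
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "group 1", "group 2"}


def parse_crypto_config(text):
    """Extract the tunnel-relevant settings into a dict (policy, transform sets, ACLs, keys, map)."""
    cfg = {"policy": {}, "transform": {}, "acl": {}, "keys": {}, "map": {}}
    mode = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):                    # a top-level command ends any sub-mode
            mode = None
            if line.startswith("crypto isakmp policy "):
                mode = "policy"
            elif line.startswith("crypto map ") and line.endswith(" ipsec-isakmp"):
                mode = "map"
            elif (m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line)):
                cfg["transform"][m.group(1)] = m.group(2).split()
            elif (m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", line)):
                cfg["acl"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            elif (m := re.match(r"crypto isakmp key (\S+) address (\S+)", line)):
                cfg["keys"][m.group(2)] = m.group(1)   # peer address -> pre-shared key
        elif mode == "policy":                         # e.g. "hash md5" -> policy["hash"] = "md5"
            key, _, value = line.partition(" ")
            cfg["policy"][key] = value
        elif mode == "map":                            # e.g. "set peer 172.16.0.1" -> map["set peer"]
            key, _, value = line.rpartition(" ")
            cfg["map"][key] = value
    return cfg


def check_tunnel(cfg_a, addr_a, cfg_b, addr_b):
    """Return findings: 'FAIL ...' for a mismatch that stops the tunnel, 'WARN ...' for legacy algorithms."""
    out = []
    # Phase 1: every policy attribute except the priority must match.
    for attr in ("encryption", "hash", "group", "authentication", "lifetime"):
        va, vb = cfg_a["policy"].get(attr), cfg_b["policy"].get(attr)
        if va != vb:
            out.append(f"FAIL isakmp {attr}: {va} vs {vb}")
    # Peer and pre-shared key must refer to the far end's tunnel interface address.
    for side, cfg, remote in (("A", cfg_a, addr_b), ("B", cfg_b, addr_a)):
        if cfg["map"].get("set peer") != remote:
            out.append(f"FAIL {side}: set peer {cfg['map'].get('set peer')} but far end is {remote}")
        if remote not in cfg["keys"]:
            out.append(f"FAIL {side}: no pre-shared key defined for {remote}")
    if cfg_a["keys"].get(addr_b) != cfg_b["keys"].get(addr_a):
        out.append("FAIL pre-shared keys differ")
    # Phase 2: same transform set algorithms, and crypto ACLs that mirror each other.
    ts_a = cfg_a["transform"].get(cfg_a["map"].get("set transform-set"))
    ts_b = cfg_b["transform"].get(cfg_b["map"].get("set transform-set"))
    if ts_a != ts_b:
        out.append(f"FAIL transform sets differ: {ts_a} vs {ts_b}")
    acl_a = cfg_a["acl"].get(cfg_a["map"].get("match address"), [])
    acl_b = cfg_b["acl"].get(cfg_b["map"].get("match address"), [])
    if sorted(acl_a) != sorted((dst, src) for src, dst in acl_b):
        out.append("FAIL crypto ACLs are not mirror images")
    for side, cfg, ts in (("A", cfg_a, ts_a), ("B", cfg_b, ts_b)):
        pol = cfg["policy"]
        used = [pol.get("encryption"), pol.get("hash"), "group " + pol.get("group", "?")] + (ts or [])
        out.extend(f"WARN {side}: legacy algorithm {alg}" for alg in used if alg in LEGACY)
    return out


def lab_findings():
    """Run the check against the lab's own configuration (no FAIL lines, only legacy warnings)."""
    return check_tunnel(parse_crypto_config(ROUTER1_CFG), ROUTER1_ADDR,
                        parse_crypto_config(ROUTER2_CFG), ROUTER2_ADDR)


if __name__ == "__main__":
    for finding in lab_findings():
        print(finding)
```

Run it on a copy of each router's `show running-config` with the prompts removed; a `FAIL` line names the exact attribute to fix before you reach for `debug crypto isakmp`.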
3) Access list on Router3 to permit only the needed traffic:

Router3(config)#access-list 101 permit ospf any any					;permit OSPF routing traffic
Router3(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.0.1		;permit ESP, the encrypted tunnel traffic between the peers
Router3(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp	;permit ISAKMP (IKE, UDP port 500) for tunnel negotiation between the peers
Router3(config)#interface INT5
Router3(conf-if)#ip access-group 101 in							;apply the access list inbound on the interface
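To see what the "internet" router actually lets through, the following added example (not part of the lab) evaluates ACL 101 against a few constructed packets the way IOS does: first matching line wins and anything unmatched hits the implicit deny. It shows that only OSPF, ESP and IKE between the two peers pass, and that a plaintext LAN-to-LAN packet, which should never appear on this link once the crypto map is applied, is dropped here. The evaluator handles the `any`, `host`, wildcard-mask and `eq` forms used in the lab; the packet list is constructed.

```python
"""Evaluate Router3's inbound ACL 101 against constructed packets.

Added example, not part of the lab. Supports the access-list syntax the lab uses:
permit/deny, 'any', 'host A', 'A wildcard' and 'eq port'; implicit deny at the end.
"""
import ipaddress

# The lab's ACL with the prompts stripped.
ACL_101 = """
access-list 101 permit ospf any any
access-list 101 permit esp host 172.16.1.1 host 172.16.0.1
access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp
"""
PORT_NAMES = {"isakmp": 500}   # IOS keyword -> UDP port


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok, i):
    """Parse one address spec at tok[i]; return ((network, mask), next index).
    'any' -> mask 0 (matches all), 'host A' -> /32, 'A wildcard' -> inverted wildcard mask."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0xFFFFFFFF), i + 2
    mask = ~_ip(tok[i + 1]) & 0xFFFFFFFF
    return (_ip(tok[i]) & mask, mask), i + 2


def parse_acl(text):
    """Return rules as (action, protocol, src, dst, dst_port) in the order written."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()                 # access-list N action proto src dst [eq port]
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet; first match wins, implicit deny otherwise."""
    s, d = _ip(src), _ip(dst)
    for action, rproto, (snet, smask), (dnet, dmask), port in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if (s & smask) != snet or (d & dmask) != dnet:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


# Constructed packets as Router3 sees them arriving on INT5 (from Router1's side).
SAMPLE_PACKETS = [
    ("ospf hello",          "ospf", "172.16.1.1",    "224.0.0.5",  None),
    ("IKE negotiation",     "udp",  "172.16.1.1",    "172.16.0.1", 500),
    ("encrypted tunnel",    "esp",  "172.16.1.1",    "172.16.0.1", None),
    ("NAT-T udp 4500",      "udp",  "172.16.1.1",    "172.16.0.1", 4500),
    ("plaintext LAN ping",  "icmp", "192.168.0.100", "10.0.0.100", None),
    ("ESP from other host", "esp",  "172.16.1.9",    "172.16.0.1", None),
]


def classify_samples():
    """Map each sample packet name to the ACL verdict."""
    rules = parse_acl(ACL_101)
    return {name: evaluate(rules, proto, src, dst, dport)
            for name, proto, src, dst, dport in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:22s} {verdict}")
```

Note that the lab applies the ACL only inbound on INT5, so the direction from Router2 towards Router1 is not filtered; the UDP 4500 sample is denied because the lab has no NAT on the path and therefore permits only plain IKE on port 500.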

Function test

Use debug crypto ipsec and debug crypto isakmp to troubleshoot problems while configuring VPN tunnels.

F1) check the IKE/IPsec router configuration:

Router1#sh crypto isakmp policy							;display the phase 1 (ISAKMP) policy configuration
Router1#sh crypto ipsec sa								;display the IPsec security associations with sent/received packet statistics

A ping from LAN 1 to LAN 2 should bring up the VPN tunnel, after which the hosts on LAN 2 are reachable.

F2) initialize the tunnel:

Use ping 10.0.0.100. Take a look at the DST and SRC addresses; they depend on which router initiated the tunnel.

Syntax

Router1#sh crypto isakmp sa
dst             src             state          conn-id slot
172.16.0.1      172.16.1.1      QM_IDLE             14    0

Syntax

Router1#sh crypto ipsec sa

The picture shows the existing tunnel and the number of packets sent.

NS2-4.4.7_IOS_DIAGNOSE

F3) delete the tunnel

Router1#clear crypto isakmp								;clear the ISAKMP (phase 1) security associations
Router1#clear crypto sa									;clear the IPsec (phase 2) security associations, i.e. the existing tunnels

The picture shows the cleared tunnel.

NS2-4.4.7_IOS_DIAGNOSE2

F4) reinitialize the tunnel from the other side

Use ping 192.168.0.100. Take a look at the DST and SRC addresses; they depend on which router initiated the tunnel.

If an error occurs, use the command line shown in the picture. It helps to resynchronize the Security Parameter Index (SPI).

NS2-4.4.7_IOS_DIAGNOSE3
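The function test F1 to F4 is a manual read of two show commands. The following added example (not part of the lab) does the same read programmatically: it parses the `show crypto isakmp sa` table the page shows above, decides whether phase 1 is established (state QM_IDLE) and, following the page's reading of the columns, which side initiated (the SRC address), and it reads the packet counters from `show crypto ipsec sa` to confirm traffic flows in both directions. The ISAKMP table with a row is the page's own output; the empty table after `clear crypto isakmp` and the IPsec counter lines are constructed excerpts in the format IOS prints.

```python
"""Interpret 'show crypto isakmp sa' and 'show crypto ipsec sa' output.

Added example, not part of the lab. The first table is the page's own output;
the cleared table and the counter lines are constructed excerpts.
"""
import re

ISAKMP_SA_UP = """\
dst             src             state          conn-id slot
172.16.0.1      172.16.1.1      QM_IDLE             14    0
"""
# After 'clear crypto isakmp' only the column header is left (constructed).
ISAKMP_SA_CLEARED = """\
dst             src             state          conn-id slot
"""
# Counter lines from 'show crypto ipsec sa' (constructed excerpt).
IPSEC_SA_EXCERPT = """\
   #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
   #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
   #send errors 0, #recv errors 0
"""


def parse_isakmp_sa(text):
    """Return one dict per SA row: dst, src, state, conn_id (the header line is skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        tok = line.split()
        if len(tok) >= 4:
            rows.append({"dst": tok[0], "src": tok[1], "state": tok[2], "conn_id": int(tok[3])})
    return rows


def phase1_status(text, local_addr):
    """Summarise phase 1 from the router's point of view.
    QM_IDLE means IKE phase 1 completed and phase 2 (quick mode) can run;
    per the lab, the SRC column is the address of the side that initiated."""
    rows = parse_isakmp_sa(text)
    if not rows:
        return {"established": False, "initiator": None, "peer": None}
    sa = rows[0]
    local_initiated = sa["src"] == local_addr
    return {
        "established": sa["state"] == "QM_IDLE",
        "initiator": "local" if local_initiated else "remote",
        "peer": sa["dst"] if local_initiated else sa["src"],
    }


def parse_ipsec_counters(text):
    """Pull the '#pkts ...' and '#send/#recv errors' counters into a dict."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"#(pkts \w+|send errors|recv errors)[: ]+(\d+)", text)}


def phase2_health(counters):
    """Healthy when packets are both encapsulated and decapsulated with no errors.
    Encaps without decaps typically points at routing or the crypto ACL on the far side."""
    return {
        "two_way": counters.get("pkts encaps", 0) > 0 and counters.get("pkts decaps", 0) > 0,
        "errors": counters.get("send errors", 0) + counters.get("recv errors", 0),
    }


if __name__ == "__main__":
    print(phase1_status(ISAKMP_SA_UP, "172.16.1.1"))       # Router1's view: it initiated
    print(phase1_status(ISAKMP_SA_CLEARED, "172.16.1.1"))  # after F3: nothing established
    print(phase2_health(parse_ipsec_counters(IPSEC_SA_EXCERPT)))
```

Running it with Router1's address against the page's output gives "established, local initiator, peer 172.16.0.1", which is what F2 expects after the ping from LAN 1; after F3 the cleared table yields "not established", and after F4 the same table read with Router2 as the local address reports the remote side as initiator.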

Optional tasks

  • Define more transform sets so that the router can select one that fits the other side of the tunnel.
  • Define different encryption and hashing algorithms (see point 2a).
  • Add one more router to the topology and create another tunnel to this router.

Two or more tunnels to different locations and peers:

This is accomplished by adding:

  • A new policy section with the required settings.
  • A new access list.
  • A new or existing transform set, referenced by the new crypto map.