
Lecture CCNA security partner - Chapter 14: Site-to-Site IPsec VPNs with Cisco IOS Routers


Chapter 14. Site-to-Site IPsec VPNs with Cisco IOS Routers

© 2012 Cisco and/or its affiliates. All rights reserved.



Contents
This chapter teaches you how to configure a site-to-site IPsec VPN with
preshared keys, using Cisco Configuration Professional. This ability
includes being able to meet these objectives:
• Evaluate the requirements and configuration of site-to-site IPsec VPNs
• Use Cisco Configuration Professional to configure site-to-site IPsec
VPNs
• Use CLI commands and Cisco Configuration Professional monitoring
options to validate the VPN configuration
• Use CLI commands and Cisco Configuration Professional monitoring
options to monitor and troubleshoot the VPN configuration



Site-to-Site IPsec VPN Operations
IPsec VPN negotiation can be broken down into five steps, including
Phase 1 and Phase 2 of Internet Key Exchange (IKE):
Step 1. An IPsec tunnel is initiated when Host A sends "interesting" traffic
to Host B. Traffic is considered interesting when it travels between the
IPsec peers and meets the criteria defined in the crypto access
control list (ACL).
Step 2. In IKE Phase 1, the IPsec peers (routers A and B) negotiate the
IKE SA policy. Once the peers are authenticated, a secure
tunnel is created using ISAKMP.
Step 3. In IKE Phase 2, the IPsec peers use the authenticated and secure
tunnel to negotiate IPsec SA transforms. The negotiation of the shared
policy determines how the IPsec tunnel is established.
Step 4. The IPsec tunnel is created and data is transferred between the
IPsec peers based on the IPsec parameters configured in the IPsec
transform sets.
Step 5. The IPsec tunnel terminates when the IPsec SAs are deleted or
when their lifetime expires.


Site-to-Site IPsec VPN



Planning and Preparation Checklist
• Verify connectivity between peers
• Define interesting traffic
• Determine the cipher suite requirements
• Manage monitoring, troubleshooting, and change




Interesting Traffic and Crypto ACLs
Interesting traffic is defined by crypto ACLs in site-to-site IPsec VPN
configurations. Crypto ACLs perform these functions:
• Outbound: For outbound traffic, the crypto ACL defines the flows that
IPsec should protect. Traffic that is not selected is sent in plaintext.
• Inbound: The same ACL is processed for inbound traffic. The ACL
defines traffic that should have been protected by IPsec, and discards
packets if they are selected but arrive unprotected (unencrypted).



Outbound and Inbound Access Control Lists



Mirrored Crypto ACLs



Example of Cipher Suite Selection Decision



Crypto Map
Crypto map entries that you create for IPsec combine the needed
configuration parameters of IPsec SAs, including the following
parameters:
• Which traffic should be protected by IPsec using a crypto ACL
• The granularity of the flow to be protected by a set of SAs
• Who the remote IPsec peer is, which determines where the IPsec-protected traffic is sent
• The local address that is to be used for the IPsec traffic (optional)
• Which IPsec security should be applied to this traffic, choosing from a list
of one or more transform sets
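The two passages above (crypto ACLs selecting interesting traffic in both directions, and the crypto map entry that ties an ACL to a peer and a transform set) can be modelled in a few lines. The following Python is an added example written for this page, not code from the Cisco chapter or from IOS; the site networks, peer addresses, transform-set name and the dataclass layout are constructed for illustration. It shows outbound classification (first matching crypto map entry wins, unmatched traffic goes in plaintext), the inbound check that drops a packet the ACL selects but that arrived unprotected, and a check that the two sites' ACLs are exact mirrors.

```python
"""Model of crypto ACL / crypto map behaviour (added example; not from the chapter)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class AclEntry:
    """One line of a crypto ACL: `permit|deny ip <src> <dst>`."""
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


@dataclass
class CryptoMapEntry:
    """One `crypto map <name> <seq> ipsec-isakmp` entry (assumed field names)."""
    seq: int
    acl: tuple           # `match address` -> the crypto ACL
    peer: str            # `set peer`
    transform_sets: tuple  # `set transform-set`, in order of preference


def acl_selects(acl, src, dst):
    """First-match evaluation with the implicit deny at the end, as an IOS ACL does."""
    s, d = ip_address(src), ip_address(dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action == "permit"
    return False


def classify_outbound(crypto_map, src, dst):
    """Outbound: return (peer, transform_sets) of the first entry whose ACL permits
    the flow; None means the packet is not interesting and is sent in plaintext."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_selects(entry.acl, src, dst):
            return entry.peer, entry.transform_sets
    return None


def mirror(acl):
    """The peer's crypto ACL must be the mirror image: source and destination swapped."""
    return tuple(AclEntry(e.action, e.dst, e.src) for e in acl)


def inbound_verdict(crypto_map, src, dst, protected):
    """Inbound: the same ACL is evaluated with the addresses reversed. A packet it
    selects must have arrived inside IPsec; if it came in as plaintext it is dropped."""
    selected = any(acl_selects(mirror(e.acl), src, dst) for e in crypto_map)
    if selected and not protected:
        return "drop"
    return "accept"


def is_mirrored(acl_a, acl_b):
    """True when acl_b is exactly the mirror of acl_a (same order, same actions)."""
    return mirror(acl_a) == acl_b


# Constructed topology: site A LAN 10.0.1.0/24 behind peer 192.0.2.1,
# site B LAN 10.0.2.0/24 behind peer 198.51.100.1 (documentation addresses).
SITE_A_ACL = (
    AclEntry("deny", ip_network("10.0.1.0/24"), ip_network("10.0.2.254/32")),  # e.g. a host to leave unencrypted
    AclEntry("permit", ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")),
)
SITE_B_ACL = mirror(SITE_A_ACL)

SITE_A_MAP = [CryptoMapEntry(10, SITE_A_ACL, "198.51.100.1", ("ESP-AES-SHA",))]
SITE_B_MAP = [CryptoMapEntry(10, SITE_B_ACL, "192.0.2.1", ("ESP-AES-SHA",))]


if __name__ == "__main__":
    print(classify_outbound(SITE_A_MAP, "10.0.1.10", "10.0.2.20"))      # protected, to 198.51.100.1
    print(classify_outbound(SITE_A_MAP, "10.0.1.10", "203.0.113.5"))    # None -> plaintext
    print(inbound_verdict(SITE_A_MAP, "10.0.2.20", "10.0.1.10", protected=False))  # drop
    print(is_mirrored(SITE_A_ACL, SITE_B_ACL))                           # True
```

The deny entry is there to show that order matters: because the peer's ACL is built with `mirror`, the same exception exists on both sides, which is exactly the property the "Mirrored Crypto ACLs" slide asks you to verify by hand.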



Crypto Map and Its Role




Configuring a Site-to-Site IPsec VPN Using CCP

Scenario for Configuring a Site-to-Site IPsec VPN with Preshared Keys Using CCP VPN Wizard



Initiating the VPN Wizard
Configure > Security > VPN > Site-to-Site VPN.



Wizard Gives a Choice Between Quick Setup or Step-by-Step Approach




VPN Connection Information Page



First Component of VPN Connection Information Page: Interface Selection



Second Component of VPN Connection Information Page: Peer Identity



Third Component of VPN Connection Information Page: Authentication



IKE Proposals Configured Through the VPN Wizard



Transform Set Configured Through the VPN Wizard



Protecting Traffic Through the VPN Wizard



Summary of the Site-to-Site VPN Wizard Configuration




Verifying IPsec Configuration Using CLI

IOS-FW# show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
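Reading this output by eye is fine for one policy; on a router with several protection suites it is easier to parse and audit it. The Python below is an added example, not part of the chapter: it parses the `show crypto isakmp policy` text shown above (the priority-1 suite is the one on the slide; the priority-10 suite is a constructed second entry in the same format) and flags settings below a baseline that is this example's own assumption, not the chapter's: no DES/3DES, no MD5/SHA-1, Diffie-Hellman group 14 or higher. In IOS output "Secure Hash Standard" alone denotes SHA-1, while SHA-2 variants carry a "2" and a bit length.

```python
"""Parse and audit `show crypto isakmp policy` output (added example; not from the chapter)."""
import re

# Constructed sample: suite 1 copied from the slide, suite 10 added in the same format.
SAMPLE_OUTPUT = """\
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (256 bit)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               3600 seconds, no volume limit
"""

MIN_DH_GROUP = 14  # assumed baseline: 2048-bit MODP or better


def parse_isakmp_policies(text):
    """Return a list of dicts, one per 'Protection suite', keyed by the lower-cased
    attribute names that appear before the colon in the output."""
    policies = []
    current = None
    for line in text.splitlines():
        suite = re.match(r"\s*Protection suite of priority (\d+)", line)
        if suite:
            current = {"priority": int(suite.group(1))}
            policies.append(current)
            continue
        if current is None:
            continue  # header lines such as "Global IKE policy"
        attr = re.match(r"\s*([A-Za-z\- ]+?):\s*(.+?)\s*$", line)
        if attr:
            current[attr.group(1).strip().lower()] = attr.group(2)
    return policies


def audit_policy(policy):
    """Return a list of findings for one parsed policy (empty list means it meets the baseline)."""
    findings = []
    enc = policy.get("encryption algorithm", "")
    if "DES" in enc and "AES" not in enc:            # matches DES and "Three key triple DES"
        findings.append(f"encryption: '{enc}' is legacy; use AES")
    hsh = policy.get("hash algorithm", "")
    if "MD5" in hsh or hsh.strip() == "Secure Hash Standard":  # bare SHS == SHA-1
        findings.append(f"hash: '{hsh}' is SHA-1/MD5; use SHA-2")
    grp = re.search(r"#(\d+)", policy.get("diffie-hellman group", ""))
    if grp and int(grp.group(1)) < MIN_DH_GROUP:
        findings.append(f"dh: group {grp.group(1)} is below group {MIN_DH_GROUP}")
    return findings


def audit_policies(text):
    """Map each suite's priority to its findings; the whole output is parsed once."""
    return {p["priority"]: audit_policy(p) for p in parse_isakmp_policies(text)}


if __name__ == "__main__":
    for priority, findings in audit_policies(SAMPLE_OUTPUT).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"priority {priority}: {status}")
```

Feed it the real output with `show crypto isakmp policy | redirect` or a copy from the terminal; the parser only depends on the "Protection suite of priority N" line and the "name: value" layout, so additional attributes in newer IOS releases are picked up without changes.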


Monitoring Established IPsec VPN Connections



IKE Policy Negotiation

