Lecture CCNA security partner - Chapter 14: Site-to-Site IPsec VPNs with Cisco IOS Routers


Document details: 28 pages, 1.01 MB

Contents

This chapter explains how to configure site-to-site virtual private networks (VPN) using Cisco IOS routers. You will learn how to use both CLI commands and Cisco Configuration Professional to configure, validate, and monitor the VPN configuration. You will also learn site-to-site VPN troubleshooting techniques.

© 2012 Cisco and/or its affiliates All rights reserved 1

Chapter 14 Site-to-Site IPsec VPNs with Cisco IOS Routers

Contents

This chapter teaches you how to configure a site-to-site IPsec VPN with preshared keys, using Cisco Configuration Professional. This ability includes being able to meet these objectives:

• Evaluate the requirements and configuration of site-to-site IPsec VPNs
• Use Cisco Configuration Professional to configure site-to-site IPsec VPNs
• Use CLI commands and Cisco Configuration Professional monitoring options to validate the VPN configuration
• Use CLI commands and Cisco Configuration Professional monitoring options to monitor and troubleshoot the VPN configuration

Site-to-Site IPsec VPN Operations

IPsec VPN negotiation can be broken down into five steps, including Phase 1 and Phase 2 of Internet Key Exchange (IKE):

Step 1 An IPsec tunnel is initiated when Host A sends "interesting" traffic to Host B. Traffic is considered interesting when it travels between the IPsec peers and meets the criteria that are defined in the crypto access control list (ACL).

Step 2 In IKE Phase 1, the IPsec peers (routers A and B) negotiate the established IKE SA policy. Once the peers are authenticated, a secure tunnel is created using ISAKMP.

Step 3 In IKE Phase 2, the IPsec peers use the authenticated and secure tunnel to negotiate IPsec SA transforms. The negotiation of the shared policy determines how the IPsec tunnel is established.

Step 4 The IPsec tunnel is created and data is transferred between the IPsec peers based on the IPsec parameters configured in the IPsec transform sets.

Step 5 The IPsec tunnel terminates when the IPsec SAs are deleted or when their lifetime expires.

Site-to-Site IPsec VPN


Planning and Preparation Checklist

• Verify connectivity between peers
• Define interesting traffic
• Determine the cipher suite requirements
• Manage monitoring, troubleshooting, and change

Interesting Traffic and Crypto ACLs

Interesting traffic is defined by crypto ACLs in site-to-site IPsec VPN configurations. Crypto ACLs perform these functions:

• Outbound: For outbound traffic, the crypto ACL defines the flows that IPsec should protect. Traffic that is not selected is sent in plaintext.
• Inbound: The same ACL is processed for inbound traffic. The ACL defines traffic that should have been protected by IPsec, and discards packets if they are selected but arrive unprotected (unencrypted).

Outbound and Inbound Access Control Lists

Mirrored Crypto ACLs

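The mirrored crypto ACLs that the two slides above describe, written out as an added example; this is not configuration from the Cisco course material. The ACL name VPN-TRAFFIC, the router roles and the address ranges (10.1.1.0/24 behind Router A, 10.2.2.0/24 behind Router B) are constructed placeholders.

```cisco
! Added example (not from the course). Constructed addressing:
!   Router A LAN 10.1.1.0/24, Router B LAN 10.2.2.0/24.
!
! Router A: crypto ACL VPN-TRAFFIC
! Outbound, a packet matching the permit entry is protected by IPsec;
! anything not matched leaves the interface in plaintext.
! Inbound, the same entry (checked with source and destination swapped)
! identifies traffic that must have arrived protected; a matching packet
! that arrives unencrypted is discarded.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

! Router B: the mirror image of Router A's entry, source and destination
! reversed. The peers compare these proxy identities in IKE Phase 2, so
! entries that do not mirror each other make the quick-mode negotiation fail.
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

! Two things to keep out of a crypto ACL:
! - it is not applied to an interface with "ip access-group"; the crypto
!   map references it with "match address" instead.
! - "permit ip any any" declares every flow interesting, including routing
!   and management traffic to other destinations, which the inbound check
!   then drops when it arrives unprotected.
```

With these in place, a packet from 10.2.2.0/24 to 10.1.1.0/24 that reaches Router A in the clear on the crypto-map interface is dropped rather than forwarded, which is the inbound behaviour the slide describes; the outbound entry on each side selects exactly the traffic the other side expects to decrypt.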

Example of Cipher Suite Selection Decision

Crypto Map

Crypto map entries that you create for IPsec combine the needed configuration parameters of IPsec SAs, including the following parameters:

• Which traffic should be protected by IPsec, using a crypto ACL
• The granularity of the flow to be protected by a set of SAs
• Who the remote IPsec peer is, which determines where the IPsec-protected traffic is sent
• The local address that is to be used for the IPsec traffic (optional)
• Which IPsec security should be applied to this traffic, choosing from a list of one or more transform sets

Crypto Map and Its Role

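A complete CLI configuration for Router A that realises the five negotiation steps and the crypto map parameters listed above, as an added example; it is not the output of the CCP wizard nor any configuration from the course. The interface, policy numbers, names, addresses (documentation ranges) and the preshared key are placeholders. AES-256, SHA-256 and DH group 14 are this example's own choices, stronger than the 3DES, SHA-1 and group 2 proposal that the wizard generates later in this chapter.

```cisco
! Added example for Router A (not from the course). Constructed placeholders:
!   A outside: 203.0.113.1 on GigabitEthernet0/0   B outside: 198.51.100.1
!   A LAN: 10.1.1.0/24                              B LAN: 10.2.2.0/24
!
! Step 2, IKE Phase 1 policy: must match an entry on the peer. AES-256,
! SHA-256 and group 14 are this example's assumptions; the CCP wizard in this
! chapter generates 3DES / SHA-1 / group 2 instead.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400

! Preshared key bound to the peer's address (placeholder value, replace it).
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1

! Step 3 and Step 4, IPsec transform set: how the data itself is protected.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel

! Step 5, IPsec SA lifetime: the tunnel is rekeyed or torn down at expiry.
crypto ipsec security-association lifetime seconds 3600

! Step 1, crypto ACL: the "interesting" traffic between the two LANs.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

! Crypto map entry: peer, transform set, PFS and the crypto ACL, i.e. the
! parameters the slide above lists. The local address defaults to the
! interface the map is applied to.
crypto map CMAP-SITE 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES
 set pfs group14
 match address VPN-TRAFFIC

! The crypto map only takes effect once applied to the outside interface.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP-SITE
```

Router B gets the same configuration with the peer address, local address and the crypto ACL mirrored. If the outside interface also performs NAT for the LAN, the LAN-to-LAN traffic must be excluded from the NAT rule, otherwise it is translated before the crypto ACL sees it and never matches.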

Configuring a Site-to-Site IPsec VPN Using CCP

Scenario for Configuring a Site-to-Site IPsec VPN with Preshared Keys Using CCP VPN Wizard

Initiating the VPN Wizard

Configure > Security > VPN > Site-to-Site VPN.

Wizard Gives a Choice Between Quick Setup or Step-by-Step Approach

VPN Connection Information Page


First Component of VPN Connection Information Page: Interface Selection

Second Component of VPN Connection Information Page: Peer Identity

Third Component of VPN Connection Information Page: Authentication

IKE Proposals Configured Through the VPN Wizard

Transform Set Configured Through the VPN Wizard

Protecting Traffic Through the VPN Wizard

Summary of the Site-to-Site VPN Wizard Configuration


Verifying IPsec Configuration Using CLI

IOS-FW# show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
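The CLI commands a practitioner runs to validate and troubleshoot the tunnel, following the show crypto isakmp policy output above, as an added example that is not part of the course. The peer and LAN addresses are the same constructed placeholders used earlier (198.51.100.1, 10.1.1.1, 10.2.2.1); command output is device-specific and is not reproduced, so the comments describe what to look for instead.

```cisco
! Added example: verification and troubleshooting commands (not from the
! course). Output is device-specific and not shown; comments say what to check.

! Phase 1, configured proposals (the slide above shows this command's output).
show crypto isakmp policy

! Phase 1, negotiated IKE SA. State QM_IDLE means Phase 1 completed and the
! peer is ready for quick mode; an entry stuck in MM_NO_STATE or another MM_*
! state means Phase 1 did not complete (policy mismatch, key or reachability).
show crypto isakmp sa

! Phase 2, IPsec SAs for one peer (constructed peer address). Check that the
! local and remote identities match the crypto ACL and that #pkts encaps and
! #pkts decaps both increase while interesting traffic flows; encaps rising
! with decaps at zero points at the return path on the far side.
show crypto ipsec sa peer 198.51.100.1

! The crypto map as applied: peer, transform set and crypto ACL per entry.
show crypto map

! One-line overview of all IKE and IPsec sessions on the router.
show crypto session

! Generate interesting traffic from the router itself (constructed addresses);
! the source must fall inside the crypto ACL or the tunnel will not trigger.
ping 10.2.2.1 source 10.1.1.1

! Live negotiation trace when the SAs do not come up; disable afterwards.
debug crypto isakmp
debug crypto ipsec
undebug all

! Force a fresh negotiation after changing a policy, key, ACL or transform set.
clear crypto sa
clear crypto isakmp
```

Read the checks in order: a missing IKE SA is a Phase 1 problem (compare the policy output on both routers first), an IKE SA in QM_IDLE with no IPsec SA is a Phase 2 problem (transform set or non-mirrored crypto ACL), and an IPsec SA whose counters do not move means no traffic is being classified as interesting.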

Monitoring Established IPsec VPN Connections

IKE Policy Negotiation


VPN Troubleshooting Status Window


Monitoring IKE Security Association


Posted: 30/01/2020, 12:21
