Create and Apply the Crypto Map

Part of the document CCNA Security (pages 337 - 346)

Conceptually, the crypto map is a virtual IPsec tunnel interface. The crypto ACL that was created in Step 4 defines the traffic that will flow into this interface toward Peer B. Here are all the elements that go into a crypto map:

- Crypto ACL to be used
- Address or hostname of remote VPN peer(s)
- Transform set
- Key management method (remember, this is optional in IKE Phase II)
- SA lifetime

Heads up! There can be only one crypto map on a router interface. This one crypto map must support as many VPN peers, both remote-access and site-to-site, as you may have on that interface. Priority numbers (just like with IKE Phase I policy sets) group the elements together and dictate their relative priority.

The lower the number, the higher the priority. Use the crypto map global configuration command to create and modify the crypto map. First, you must create the crypto map. In the following example, a crypto map called “multipurpose” is created and sequence number 999 is attached to it. Note the output from the following command, indicating that the crypto map is disabled until a peer and ACL are assigned to it:

CiscoISR-A(config)#crypto map multipurpose 999 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
CiscoISR-A(config-crypto-map)#

Let’s add some parameters to sequence 999. Certainly we will want to add the transform set that we created in Step 3 and the crypto ACL that we created in Step 4. We will also want to identify the IP address or hostname of Peer B. We’ll look at an example, and then talk about some of the other parameters we can add:

CiscoISR-A(config-crypto-map)#set peer 172.16.32.1
CiscoISR-A(config-crypto-map)#set transform-set CantHackMe
CiscoISR-A(config-crypto-map)#match address 102
CiscoISR-A(config-crypto-map)#set security-association lifetime seconds 86400
CiscoISR-A(config-crypto-map)#set security-association lifetime kilobytes 4000000
CiscoISR-A(config-crypto-map)#set pfs group2

At this point, we have created the crypto map, but we must also apply it to a router interface—FastEthernet 4, in this example. Use the crypto map interface configuration mode command to do this:

CiscoISR-A(config)#interface fa4

CiscoISR-A(config-if)#crypto map multipurpose

You can verify the completeness of the crypto map and that it has been applied to the correct interface with the show crypto map CLI command:

CiscoISR-A#show crypto map
Crypto Map "multipurpose" 999 ipsec-isakmp
        Peer = 172.16.32.1
        Extended IP access list 102
            access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.40.0 0.0.0.255
        Current peer: 172.16.32.1
        Security association lifetime: 4000000 kilobytes/86400 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                CantHackMe,
        }
        Interfaces using crypto map multipurpose:
                FastEthernet4
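The "% NOTE" above is the only warning IOS gives that a crypto map sequence is incomplete, and a map that is built but never applied to an interface fails just as silently. The following script is an added example (not from the book or from Cisco) that parses `show crypto map` output and reports, per sequence number, whether a peer, a crypto ACL, a transform set and an applying interface are all present. The sample output is constructed: sequence 999 mirrors the book's map, and sequence 1000 is a hypothetical half-configured entry added to show what the check catches.

```python
"""Parse `show crypto map` output and flag sequences that cannot bring up
a tunnel: no peer, no crypto ACL, no transform set, or not applied to an
interface. Added example; the sample below is constructed, with sequence
1000 being a hypothetical incomplete entry."""
import re

SAMPLE_SHOW_CRYPTO_MAP = """\
Crypto Map "multipurpose" 999 ipsec-isakmp
        Peer = 172.16.32.1
        Extended IP access list 102
            access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.40.0 0.0.0.255
        Current peer: 172.16.32.1
        Security association lifetime: 4000000 kilobytes/86400 seconds
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                CantHackMe,
        }
Crypto Map "multipurpose" 1000 ipsec-isakmp
        No matching address list set.
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
        }
        Interfaces using crypto map multipurpose:
                FastEthernet4
"""

HEADER = re.compile(r'^Crypto Map "(?P<name>[^"]+)" (?P<seq>\d+) (?P<kind>\S+)')


def parse_crypto_map(text):
    """Return one dict per sequence number. IOS prints the interface list
    once per map name, so it is copied onto every sequence of that map."""
    entries, interfaces = [], {}
    current = None
    in_transforms = in_interfaces = False
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"name": m["name"], "seq": int(m["seq"]), "kind": m["kind"],
                       "peers": [], "acl": None, "transform_sets": [], "pfs": None}
            entries.append(current)
            in_transforms = in_interfaces = False
            continue
        if current is None:
            continue
        if line.startswith("Interfaces using crypto map"):
            in_interfaces, in_transforms = True, False
            interfaces.setdefault(current["name"], [])
            continue
        if in_interfaces:
            if line:
                interfaces[current["name"]].append(line)
        elif line.startswith("Peer ="):
            current["peers"].append(line.split("=", 1)[1].strip())
        elif "access list" in line and not line.startswith("access-list"):
            current["acl"] = line.split()[-1]      # "Extended IP access list 102"
        elif line.startswith("PFS (Y/N):"):
            current["pfs"] = line.endswith("Y")
        elif line.startswith("Transform sets={"):
            in_transforms = True
        elif in_transforms:
            if line.startswith("}"):
                in_transforms = False
            elif line.rstrip(","):
                current["transform_sets"].append(line.rstrip(","))
    for entry in entries:
        entry["interfaces"] = list(interfaces.get(entry["name"], []))
    return entries


def audit_entry(entry):
    """List what is missing before this sequence can negotiate an SA."""
    problems = []
    if not entry["peers"]:
        problems.append("no peer set (crypto map stays disabled)")
    if entry["acl"] is None:
        problems.append("no crypto ACL matched (crypto map stays disabled)")
    if not entry["transform_sets"]:
        problems.append("no transform set")
    if not entry["interfaces"]:
        problems.append("not applied to any interface")
    if entry["pfs"] is False:
        problems.append("PFS disabled")
    return problems


if __name__ == "__main__":
    for entry in parse_crypto_map(SAMPLE_SHOW_CRYPTO_MAP):
        print(f'{entry["name"]} seq {entry["seq"]}:', audit_entry(entry) or ["OK"])
```

Run it against saved `show crypto map` output from a change window and any sequence that reports a problem is one that will never match traffic, however correct the rest of the map looks.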

Verifying and Troubleshooting the IPsec VPN Using the CLI

The commands in Table 7.6 can be used to verify and troubleshoot the IPsec VPN. We have already looked at the first two while configuring the site-to-site IPsec VPN during Step 2 and Step 5, respectively.

TABLE 7.6 IPsec VPN Troubleshooting Commands

| Command | Description |
| --- | --- |
| show crypto isakmp policy | Displays configured and default IKE policies. |
| show crypto map | Displays configured crypto maps. |
| show crypto ipsec transform-set | Displays configured IPsec transform sets. |
| show crypto ipsec sa | Displays established IKE Phase II SAs (IPsec tunnels). |
| show crypto isakmp sa | Displays established IKE Phase I SAs (ISAKMP) tunnels. |
| debug crypto isakmp | Debugs IKE Phase I events. (This command creates a lot of output, and you will not be responsible for analyzing the output on the exam, so this command will not be explained further.) |
| debug crypto ipsec | Debugs IKE Phase II (IPsec) events. (This command creates a lot of output, and you will not be responsible for analyzing the output on the exam, so this command will not be explained further.) |
| show access-list | Displays matches for packets that have been assigned to the VPN by the crypto ACL. |

The following sections look at the output of the commands in Table 7.6 not yet examined. Look at the output and verify that it matches the reference network diagram in Figure 7.8.

Verify the IPsec Transform Set(s)

This command verifies the configured IPsec transform sets. Recall that previously we created an IPsec transform set called CantHackMe with 128-bit AES as the encryption algorithm and SHA for the HMAC:

CiscoISR-A#show crypto ipsec transform-set
Transform set CantHackMe: { esp-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Verify/Display the Established IKE Phase II SAs (IPsec Tunnels)

The show crypto ipsec sa command is used to verify the operation of the IKE Phase II data tunnels. The following command output is from Peer A’s perspective. Among other things, it can verify the following:

- The inbound and outbound Security Parameter Indices (SPIs) in Peer A’s Security Association Database (SAD).
- The type of IKE Phase II SAs created (ESP, AH, or other).

Refer to the following command output. The shaded output indicates the following things that we can observe:

- The IKE Phase II SAs are formed between the local peer, Peer A (192.168.99.218), and the remote peer, Peer B (172.16.32.1).
- The transform set applied to both the outbound and inbound IKE Phase II IPsec VPN SAs contains esp-aes and esp-sha-hmac as the encryption algorithm and HMAC, respectively.
- The IKE Phase II SAs are being encrypted and decrypted using onboard hardware acceleration (Motorola processor on this Cisco 871 ISR).
- Both inbound and outbound IKE Phase II IPsec VPN SAs are active.
- All traffic between 192.168.0.0/24 and 10.0.20.0/24 is being protected in the VPN.

CiscoISR-A#show crypto ipsec sa

interface: FastEthernet4
    Crypto map tag: multipurpose, local addr 192.168.99.218

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.20.0/255.255.255.0/0/0)
   current_peer 172.16.32.1 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 13, #recv errors 0

     local crypto endpt.: 192.168.99.218, remote crypto endpt.: 172.16.32.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xBB1E0DBD(3139308989)

     inbound esp sas:
      spi: 0x9D5D2EC7(2640129735)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: multipurpose
        sa timing: remaining key lifetime (k/sec): (3843604/27899)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBB1E0DBD(3139308989)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: multipurpose
        sa timing: remaining key lifetime (k/sec): (3843604/27896)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

NOTE

The preceding output was captured from a Cisco ISR that was behind a NAT router and connecting to a Cisco ASA 5505 security appliance with a public IP address that was not behind a NAT router. The two VPN devices negotiated RFC-compliant NAT Traversal (NAT-T), which wraps IKE Phase II’s ESP inside a UDP port 4500 wrapper so that it will traverse what might be a Port Address Translation (PAT) router. This is because PAT cannot tolerate stateless, portless ESP without a bit of help! This will not be on the exam, but it helps explain some of the parameters you see in the output. For example, the inbound SA’s in use settings include this pearl:

in use settings ={Tunnel UDP-Encaps, }

This indicates that the peers have negotiated tunnel mode (versus transport mode) for IKE Phase II but inside a UDP wrapper.
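Reading the output above by eye is fine for one tunnel; for a router with many crypto map sequences it helps to pull the same facts out programmatically. The script below is an added example (not from the book or from Cisco) that parses `show crypto ipsec sa` output into the pieces the text asks you to verify: peer and proxy identities, the encaps/decaps and error counters, each ESP SA's SPI, transform, in-use settings, remaining lifetime and status, plus a flag for NAT-T. The sample output is constructed from the values shown above; the health checks (missing or non-ACTIVE SAs, anti-replay off, one-way traffic, send errors) are my own choices of what to look at first.

```python
"""Parse `show crypto ipsec sa` into a dict and run basic health checks.
Added example; SAMPLE_SA is constructed from the values in the book's
output (same peer, identities, SPIs and counters)."""
import re

SAMPLE_SA = """\
interface: FastEthernet4
    Crypto map tag: multipurpose, local addr 192.168.99.218

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.20.0/255.255.255.0/0/0)
   current_peer 172.16.32.1 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 13, #recv errors 0

     local crypto endpt.: 192.168.99.218, remote crypto endpt.: 172.16.32.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xBB1E0DBD(3139308989)

     inbound esp sas:
      spi: 0x9D5D2EC7(2640129735)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: multipurpose
        sa timing: remaining key lifetime (k/sec): (3843604/27899)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBB1E0DBD(3139308989)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: multipurpose
        sa timing: remaining key lifetime (k/sec): (3843604/27896)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
"""

RE_TAG = re.compile(r"Crypto map tag: (\S+), local addr (\S+)")
RE_IDENT = re.compile(r"^(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/\d+/\d+\)")
RE_PEER = re.compile(r"^current_peer (\S+) port (\d+)")
RE_COUNTER = re.compile(r"#([a-z][a-z. ]*?):? (\d+)")      # "#pkts encaps: 3", "#send errors 13"
RE_SECTION = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:$")
RE_SPI = re.compile(r"^spi: (0x[0-9A-Fa-f]+)\((\d+)\)")
RE_LIFETIME = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")


def parse_ipsec_sa(text):
    flow = {"interface": None, "crypto_map": None, "local_addr": None,
            "local_ident": None, "remote_ident": None, "peer": None, "peer_port": None,
            "counters": {}, "sas": {"inbound": [], "outbound": []}}
    section, sa = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface:"):
            flow["interface"] = line.split(":", 1)[1].strip()
        elif (m := RE_TAG.search(line)):
            flow["crypto_map"], flow["local_addr"] = m.group(1), m.group(2)
        elif (m := RE_IDENT.match(line)):
            flow[f"{m.group(1)}_ident"] = f"{m.group(2)}/{m.group(3)}"   # addr/mask
        elif (m := RE_PEER.match(line)):
            flow["peer"], flow["peer_port"] = m.group(1), int(m.group(2))
        elif line.startswith("#"):
            for name, value in RE_COUNTER.findall(line):
                flow["counters"][name.replace(".", "").replace(" ", "_")] = int(value)
        elif (m := RE_SECTION.match(line)):
            section, sa = (m.group(1), m.group(2)), None
        elif section and (m := RE_SPI.match(line)):
            sa = {"proto": section[1], "spi": m.group(1), "transform": [], "settings": [],
                  "remaining_kb": None, "remaining_sec": None, "replay_detection": None,
                  "status": None}
            flow["sas"][section[0]].append(sa)
        elif sa is not None:
            if line.startswith("transform:"):
                sa["transform"] = line.split(":", 1)[1].strip(" ,").split()
            elif line.startswith("in use settings"):
                inner = line.split("{", 1)[1].rstrip("}")
                sa["settings"] = [s for s in re.split(r"[,\s]+", inner) if s]
            elif (m := RE_LIFETIME.search(line)):
                sa["remaining_kb"], sa["remaining_sec"] = int(m.group(1)), int(m.group(2))
            elif line.startswith("replay detection support:"):
                sa["replay_detection"] = line.endswith("Y")
            elif line.startswith("Status:"):
                sa["status"] = line.split(":", 1)[1].strip()
    return flow


def nat_traversal_in_use(flow):
    """True when the peer port is 4500 or any SA carries UDP-Encaps."""
    return flow["peer_port"] == 4500 or any(
        "UDP-Encaps" in sa["settings"] for sas in flow["sas"].values() for sa in sas)


def health_report(flow):
    findings, c = [], flow["counters"]
    for direction in ("inbound", "outbound"):
        esp = [s for s in flow["sas"][direction] if s["proto"] == "esp"]
        if not esp:
            findings.append(f"no {direction} ESP SA: IKE Phase II has not completed")
        for s in esp:
            if s["status"] != "ACTIVE":
                findings.append(f"{direction} SA {s['spi']} status {s['status']}")
            if s["replay_detection"] is False:
                findings.append(f"{direction} SA {s['spi']} has anti-replay disabled")
    if c.get("pkts_encaps", 0) and not c.get("pkts_decaps", 0):
        findings.append("traffic is encrypted but no return traffic is decrypted")
    if c.get("send_errors", 0):
        findings.append(f"{c['send_errors']} send errors: investigate if the counter keeps rising")
    return findings


if __name__ == "__main__":
    flow = parse_ipsec_sa(SAMPLE_SA)
    print(f'{flow["local_ident"]} <-> {flow["remote_ident"]} via {flow["peer"]}, NAT-T={nat_traversal_in_use(flow)}')
    for finding in health_report(flow) or ["tunnel healthy"]:
        print(" -", finding)
```

Two checks are worth keeping even after the tunnel is up: decaps staying at zero while encaps climbs means the remote side is not sending anything back into the SA (a mirrored crypto ACL or routing problem on Peer B), and the remaining k/sec lifetime tells you how close the SA is to a rekey when you are correlating a short outage.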

Verify/Display Established IKE Phase I SAs (ISAKMP) Tunnels

Look at the output of the show crypto isakmp sa command. Note that the tunnel is in state QM_IDLE, indicating that quick mode (QM) completed successfully and is currently in an idle state.

CiscoISR-A#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.32.1     192.168.99.218  QM_IDLE           2005    0 ACTIVE

IPv6 Crypto ISAKMP SA

Verify/Display the Crypto ACL

ACL 102 defines the traffic that is supposed to be in the IPsec VPN. Note that there are 19 matches, indicating that traffic is flowing into the VPN subject to the policy defined in the ACL.

CiscoISR-A#show access-list 102
Extended IP access list 102
    10 permit ip 192.168.0.0 0.0.0.255 10.0.20.0 0.0.0.255 (19 matches)

Implementing IPsec on a Site-to-Site VPN Using Cisco SDM

Configuring a site-to-site VPN with the SDM should be fairly straightforward, now that we have examined the fundamentals of how IPsec VPNs work and grounded the theory by configuring a site-to-site IPsec VPN with the CLI.

When using the SDM to configure a site-to-site IPsec VPN, you can either manually configure the VPN or employ the Cisco SDM VPN Wizard. We will choose the wizard and see that the wizard will give us a choice of the following:

- Quick setup. Uses pre-built settings (useful for a brand-new VPN configuration with another Cisco IOS router that is being configured with the quick setup versus the step-by-step wizard).
- Step-by-step wizard. For more granular, detailed configuration control.

Let’s look at these two wizards, one at a time.

Site-to-Site VPN Wizard Using Quick Setup

To launch the Site-to-Site VPN Wizard and enter Quick Setup, complete the following steps:

1. Navigate to Configure->VPN in the SDM.

2. Select Site-to-Site VPN from the left navigation pane.

3. Make sure that the Create Site to Site VPN tab is selected in the main navigation window.

4. Check the Create a Site to Site VPN radio button, as indicated in Figure 7.9.

FIGURE 7.9 Launching the Site-to-Site VPN Wizard.

5. Press the Launch the selected task button. The Site-to-Site VPN Wizard window appears.

6. Note the choices indicated in Figure 7.10. You can choose either Quick setup or Step by step wizard. Press the Quick setup radio button; then click Next. A window appears in which you can enter some basic information about the VPN. Note that it doesn’t ask you what encryption algorithms, hashes, or DH groups you want to use.

7. The VPN Connection Information window pops up, as indicated in Figure 7.11. Look at this window while referring to the reference network diagram in Figure 7.8. We know exactly what to fill in. From top to bottom:

VPN Connection Information:

- Select the interface for this VPN connection: FastEthernet4.
- Select the type of peer(s) used for this VPN connection: Peer with static IP address.
- Enter the IP address of the remote peer: 172.16.32.1.

Authentication:

- Pre-Shared Keys or Digital Certificates radio button: Press the Pre-shared keys radio button. Fill in the pre-shared key in the Pre-shared key and Re-enter key fields.


FIGURE 7.10 Launching Quick Setup.

Traffic to Encrypt:

- Source: Choose Vlan1 as the source interface in the drop-down list. This is the interface that the net A’ to net B’ traffic will arrive on.
- Destination: Enter 10.0.20.0 in the IP Address field and 255.255.255.0 in the Subnet Mask field. (Alternatively, you can put the number of bits (24) in the “or” field.)

FIGURE 7.11 Quick Setup dialog of the SDM Site-to-Site VPN Wizard.

8. Click Finish. The Summary of the Configuration window appears. It will look something like Figure 7.12.

FIGURE 7.12 Summary of the Configuration window in the SDM Site-to-Site VPN Wizard.

If you don’t like the IKE policies and IPsec transform sets that are created for you, then Quick Setup is not a good choice. Chances are good that 3DES as the cipher for both Phase I and Phase II will not match the organization’s comprehensive network security policy. Here are the parameters selected by the SDM when using Quick Setup:

IKE Policy Set (HAGLE):
H = SHA-1
A = PSK
G = DH2
L = 86,400 (default, since it doesn’t appear)
E = 3DES

IPsec Transform Set:
Transport = ESP Tunnel Mode
Encryption = 3DES
Hash = SHA-1

9. If you like what you see, click on Finish to deliver the commands to the router. You might have noticed the Test VPN connectivity after configuring check box. We examine this feature when we (next) configure the VPN with the SDM Site-to-Site VPN Wizard, but choosing step-by-step this time.
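Whether the wizard or the CLI produced the configuration, the place to catch a 3DES default like the one above is in the verification output from Table 7.6. The script below is an added example (not from the book, Cisco or the SDM) that audits `show crypto ipsec transform-set` and `show crypto isakmp policy` output against a minimum baseline. The baseline constants are my assumptions and should be set from local policy; the two sample outputs are constructed, with the book's CantHackMe set alongside a hypothetical set named ESP-3DES-SHA and an IKE policy carrying the HAGLE values the text lists for Quick Setup.

```python
"""Audit transform sets and IKE Phase I policies against a minimum
algorithm baseline. Added example; baseline values and sample outputs
are constructed, not taken from the book or a real device."""
import re

# Baseline (assumed; adjust to the organization's policy).
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5"}
MIN_DH_GROUP = 14          # 2048-bit MODP; group 2 is 1024-bit

# Constructed `show crypto ipsec transform-set` output.
SAMPLE_TRANSFORM_SETS = """\
Transform set CantHackMe: { esp-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Transform set ESP-3DES-SHA: { esp-3des esp-sha-hmac  }
   will negotiate = { Tunnel,  },
"""

# Constructed `show crypto isakmp policy` output (SHA-1, PSK, DH2, 86400 s, 3DES).
SAMPLE_ISAKMP_POLICY = """\
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
"""


def audit_transform_sets(text):
    """Map transform-set name -> list of baseline violations."""
    findings = {}
    for name, body in re.findall(r"Transform set (\S+): \{ ([^}]*)\}", text):
        problems = []
        for token in body.split():
            # esp-3des -> 3des, esp-sha-hmac -> sha, ah-md5-hmac -> md5
            alg = token.split("-", 1)[1] if "-" in token else token
            alg = alg.removesuffix("-hmac")
            if alg in WEAK_CIPHERS:
                problems.append(f"weak cipher {token}")
            if alg in WEAK_HASHES:
                problems.append(f"weak hash {token}")
        findings[name] = problems
    return findings


def audit_isakmp_policies(text):
    """Map IKE policy priority -> list of baseline violations."""
    findings, priority = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            priority = int(m.group(1))
            findings[priority] = []
            continue
        if priority is None or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field == "encryption algorithm" and "DES" in value:
            findings[priority].append(f"weak cipher: {value}")
        elif field == "hash algorithm" and "Message Digest 5" in value:
            findings[priority].append(f"weak hash: {value}")
        elif field == "Diffie-Hellman group":
            group = int(re.search(r"#(\d+)", value).group(1))
            if group < MIN_DH_GROUP:
                findings[priority].append(f"DH group {group} below minimum group {MIN_DH_GROUP}")
    return findings


if __name__ == "__main__":
    for name, problems in audit_transform_sets(SAMPLE_TRANSFORM_SETS).items():
        print(f"transform set {name}:", problems or ["OK"])
    for prio, problems in audit_isakmp_policies(SAMPLE_ISAKMP_POLICY).items():
        print(f"IKE policy {prio}:", problems or ["OK"])
```

The same two commands are the ones you would capture before and after running a wizard, so the audit doubles as a diff of what the SDM actually pushed to the router.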

Site-to-Site VPN Wizard Using Step-by-Step Setup

The five tasks of the wizard using Step-by-Step setup are as follows:
