In most real world situation Site to Site VPN Tunnels are usually created between a pair Firewalls, however that is not the only way to achieve secure Site to Site encryption. For that matter one method is just as good as the other. It all depends on your situation and environment. In this example I’m not using a Tunnel interface for the overlay such as GRE. Instead I’m just using the raw interfaces and adding the encryptions. At the end of the day it’s still a tunnel, but without the overlay.  

ISAKMP

Internet Security Agreement Key Management Protocol or ISAKMP provides a way for Routers or Firewalls to agree on a set of security settings and the ability to exchange predefined keys. With the Phase one ISAKMP agreement in place the Routers or Firewalls can begin the process of Phase 2 exchanging the Security Association or SA’s. The SA’s contain all the information necessary for secure communication. The SA’s contains the policy agreement security information such as the key lengths.

Cisco IPSEC Key Terms and Technology

Configuration Tasks

  • Define and create ISAKMP Policy and define authentication
  • Define and create ACL’s for interesting traffic
  • Define and create the Transform Sets
  • Define and create the Crypto Maps and associate Transform Sets
  • Apply the Crypto Maps to public interfaces

In a real world scenario the Service Provider’s routing would be handled dynamicaly, but for the sake of this examlpe I’ll be confiuring the Service Provider’s routing manually.

Lets start off by getting the Service Provider’s Router SP up and running

SP#configure terminal
SP(config)#interface s0/0
SP(config-if)#ip address 23.80.0.1 255.255.255.252
SP(config-if)#no shutdown
SP(config-if)#interface s0/1
SP(config-if)#ip address 23.90.0.1 255.255.255.252
SP(config-if)#no shutdown
SP(config-if)#exit
SP(config)#ip route 172.16.0.0 255.255.0.0 23.80.0.2
SP(config)#ip route 172.17.0.0 255.255.0.0 23.90.0.2
SP(config)#

RFC 1918

Lets make sure the Service Provider’s not forwarding any private addresses across the Internet. A common task preformed by the Service provider would be to BLOCK the entire private address range in accordance with RFC 1918. We can create a single ACL that will conform to RFC 1918, and apply it to the public facing interfaces on the Service Providers router.

SP(config)#ip access-list extended 1918
SP(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255
SP(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255
SP(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255
SP(config-ext-nacl)#permit ip any any
SP(config-ext-nacl)#exit
SP(config)#interface s0/0
SP(config-if)#ip access-group 1918 in
SP(config-if)#interface s0/1
SP(config-if)#ip access-group 1918 in
SP(config-if)#end
SP#

Now we can move onto the configuration of R1A’s public facing interface along with the static route

R1A#configure terminal
R1A(config)#interface s0/0
R1A(config-if)#ip address 23.80.0.2 255.255.255.252
R1A(config-if)#no shutdown
R1A(config-if)#exit
R1A(config)#ip route 0.0.0.0 0.0.0.0 28.80.0.1
R1A(config)#end
R1A#

Lets basically do the inverse configuration on Router R2A along with the static route

R2A#configure terminal
R2A(config)#interface s0/0
R2A(config-if)#ip address 23.90.0.2 255.255.255.252
R2A(config-if)#no shutdown
R2A(config-if)#exit
R2A(config)#ip route 0.0.0.0 0.0.0.0 23.90.0.1
R2A(config)#end
R2A#

At this point we have the basic configuration in place for routing traffic across the public interfaces between Router R1A, and Router R2A, however any traffic sourced between the 6 networks is currently not encrypted..! This is a major problem so lets make sure the traffic sourced from 172.16.0.0 – 172.16.3.0 is encrypted. Lets start out by configuring the IPSEC Phase 1 negotiation.

R1A#configure terminal
R1A(config)#crypto isakamp policy 1
R1A(config-isakmp)#authentication pre-share
R1A(config-isakmp)#exit
R1A(config)#crypto isakmp key B2B address 23.90.0.2
R1A(config)#

Now lets do the same thing for IPSEC Phase 1 on Router R1B. This is a really easy place to make a common mistake when your configuring the Phase one negotiation. For example if I happened to configure the wrong ISAKMP Key address lets say 23.80.0.1 as opposed to 23.80.0.2 the Tunnel wouldn’t come up. 

R2A#configure terminal
R2A(config)#crypto isakamp policy 1
R2A(config-isakmp)#authentication pre-share
R2A(config-isakmp)#exit
R2A(config)#crypto isakmp key B2B address 23.80.0.2
R2A(config)#

The next thing we need to do is define the interesting traffic that’s allow to traverse the tunnel

R1A(config)#ip access-list extended 100
R1A(config-ext-nacl)#permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
R1A(config-ext-nacl)#exit
R1A(config)#

Now we need to the inverse of the above ACL on Router R1A

R2A(config)#ip access-list extended 100
R2A(config-ext-nacl)#permit ip 172.17.0.0 0.0.255.255 172.17.0.0 0.0.255.255
R2A(config-ext-nacl)#exit
R2A(config)#

Now that we have our ACL’s in place on both sides lets move onto to the task of creating the IPSEC Transform Set

R1A(config)#crypto ipsec transfrom-set B2B esp-sha-hmac esp-aes

Now lets do the vary same thing with the Transform Set on the other side on Router R1B

R1B(config)#crypto ipsec transfrom-set B2B esp-sha-hmac esp-aes

Now we need to put all the components together within the Crypto Map

R1A(config)#crypto map B2B 1 ipsec-isakmp
R1A(config-crypto-map)#set transfrom-set B2B
R1A(config-crypto-map)#set peet 23.90.0.2
R1A(config-crypto-map)#match address 100
R1A(config-crypto-map)#exit
R1A(config)#

Now lets configure the same Crypto Map on Router R1B

R2A(config)#crypto map B2B 1 ipsec-isakmp
R2A(config-crypto-map)#set transfrom-set B2B
R2A(config-crypto-map)#set peet 23.90.0.2
R2A(config-crypto-map)#match address 100
R2A(config-crypto-map)#exit
R2A(config)#

Now lets apply the Crypto Map B2B to outside public interface on R1A

R1A(config)#interface s0/0
R1A(config-if)#crypto map B2B
R1A(config-if)#exit
R1A#

Now lets apply the Crypto Map on the others side on Router B2B’s public interface

R2A(config)#interface s0/0
R2A(config-if)#crypto map B2B
R2A(config-if)#exit
R2A#

Now lets initiate some interesting ICMP traffic from Router R1A toward Router R1B.

R1A#ping 172.17.0.1 source 172.16.0.1 repeat 3
Sending 3, 100-byte ICMP Echos to 172.17.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 16/33/48 ms
R1A#

Based on the above output we have successfully initiated interesting traffic that conforms to the ACL we created early in the configuration. Now we can take a look at the security associations that were built between Router R1A, and Router R2A.

R1A#show crypto ipsec sa

interface: Serial1/0
 Crypto map tag: B2B, local addr 23.80.0.2

   protected vrf: (none)
   local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
   current_peer 23.90.0.2 port 500
   PERMIT, flags={origin_is_acl,}
   #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
   #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0

   local crypto endpt.: 23.80.0.2, remote crypto endpt.: 23.90.0.2
   path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0
   current outbound spi: 0xE186513C(3783676220)
   PFS (Y/N): N, DH group: none

   inbound esp sas:
    spi: 0x4F346(324422)
     transform: esp-aes esp-sha-hmac ,
     in use settings ={Tunnel, }
     conn id: 1, flow_id: 1, sibling_flags 80004040, crypto map: B2B
     sa timing: remaining key lifetime (k/sec): (4340270/2593)
     IV size: 16 bytes
     replay detection support: Y
     Status: ACTIVE(ACTIVE)

 inbound ah sas:

 inbound pcp sas:

   outbound esp sas:
    spi: 0xE186513C(3783676220)
     transform: esp-aes esp-sha-hmac ,
     in use settings ={Tunnel, }
     conn id: 2, flow_id: 2, sibling_flags 80004040, crypto map: B2B
     sa timing: remaining key lifetime (k/sec): (4340269/2593)
     IV size: 16 bytes
     replay detection support: Y
     Status: ACTIVE(ACTIVE)

 outbound ah sas:

 outbound pcp sas:
R1A#  

I hope you found this post on IPSEC Tunneling helpful and informative. Be sure to let me know what you think by leaving your suggestions, and feedback in the comments section below. You can find out more about these and other articles be checking out recent posts and archives. To learn more about myself be sure to check out the About page. And as always thanks again for visiting The Packet.