Chapter 14: Site-to-Site IPsec VPNs with Cisco IOS Routers
© 2012 Cisco and/or its affiliates. All rights reserved.

Contents

This chapter teaches you how to configure a site-to-site IPsec VPN with preshared keys, using Cisco Configuration Professional (CCP). This ability includes being able to meet these objectives:
• Evaluate the requirements and configuration of site-to-site IPsec VPNs
• Use Cisco Configuration Professional to configure site-to-site IPsec VPNs
• Use CLI commands and Cisco Configuration Professional monitoring options to validate the VPN configuration
• Use CLI commands and Cisco Configuration Professional monitoring options to monitor and troubleshoot the VPN configuration

Site-to-Site IPsec VPN Operations

IPsec VPN negotiation can be broken down into five steps, including Phase 1 and Phase 2 of Internet Key Exchange (IKE):
Step 1. An IPsec tunnel is initiated when Host A sends "interesting" traffic to Host B. Traffic is considered interesting when it travels between the IPsec peers and meets the criteria defined in the crypto access control list (ACL).
Step 2. In IKE Phase 1, the IPsec peers (routers A and B) negotiate the IKE SA policy to be established. Once the peers are authenticated, a secure tunnel is created using ISAKMP.
Step 3. In IKE Phase 2, the IPsec peers use the authenticated and secure tunnel to negotiate IPsec SA transforms. The negotiation of the shared policy determines how the IPsec tunnel is established.
Step 4. The IPsec tunnel is created and data is transferred between the IPsec peers based on the IPsec parameters configured in the IPsec transform sets.
Step 5. The IPsec tunnel terminates when the IPsec SAs are deleted or when their lifetime expires.

Site-to-Site IPsec VPN (figure)

Planning and Preparation Checklist
• Verify connectivity between peers
• Define interesting traffic
• Determine the cipher suite requirements
• Manage monitoring, troubleshooting, and change

Interesting Traffic and Crypto ACLs

Interesting traffic is defined by crypto ACLs in site-to-site IPsec VPN configurations. Crypto ACLs perform these functions:
• Outbound: For outbound traffic, the crypto ACL defines the flows that IPsec should protect. Traffic that is not selected is sent in plaintext.
• Inbound: The same ACL is processed for inbound traffic. The ACL defines traffic that should have been protected by IPsec, and discards packets if they are selected but arrive unprotected (unencrypted).

Outbound and Inbound Access Control Lists (figure)

Mirrored Crypto ACLs (figure)

Example of Cipher Suite Selection Decision (figure)

Crypto Map

Crypto map entries that you create for IPsec combine the needed configuration parameters of IPsec SAs, including the following:
• Which traffic should be protected by IPsec, using a crypto ACL
• The granularity of the flow to be protected by a set of SAs
• Who the remote IPsec peer is, which determines where the IPsec-protected traffic is sent
• The local address that is to be used for the IPsec traffic (optional)
• Which IPsec security should be applied to this traffic, choosing from a list of one or more transform sets

Configuring a Site-to-Site IPsec VPN Using CCP

Scenario for Configuring a Site-to-Site IPsec VPN with Preshared Keys Using CCP VPN Wizard (figure)

Wizard Gives a Choice Between Quick Setup or Step-by-Step Approach (figure)

VPN Connection Information Page (figure)

First Component of VPN Connection Information Page: Interface Selection (figure)

Second Component of VPN Connection Information Page: Peer Identity (figure)
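The outbound and inbound crypto ACL behaviour, the mirrored-ACL requirement, and the crypto map's selection of peer and transform set described above, modelled as an added Python example (this is not code from the Cisco course; the addresses, ACL entries, peer address and transform-set name are constructed):

```python
"""Model of how a Cisco IOS crypto ACL and crypto map classify traffic.
Constructed example: addresses, peers and transform-set names are illustrative."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" selects the flow for IPsec; "deny" leaves it in plaintext
    src: str     # local network (CIDR), as seen from this router
    dst: str     # remote network (CIDR)

@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int               # sequence number; lower is evaluated first
    acl: tuple             # crypto ACL: which traffic to protect
    peer: str              # remote IPsec peer: where protected traffic is sent
    transform_sets: tuple  # candidate IPsec protection, in order of preference

def selects(acl, src_ip, dst_ip):
    """First-match evaluation; the implicit deny at the end means 'not interesting'."""
    for e in acl:
        if ip_address(src_ip) in ip_network(e.src) and ip_address(dst_ip) in ip_network(e.dst):
            return e.action == "permit"
    return False

def outbound(crypto_map, src_ip, dst_ip):
    """Lowest-sequence entry whose ACL permits the flow wins; anything else leaves in plaintext."""
    for entry in sorted(crypto_map, key=lambda m: m.seq):
        if selects(entry.acl, src_ip, dst_ip):
            # The first transform set is offered first; the peer must accept one of them.
            return ("protect", entry.peer, entry.transform_sets[0])
    return ("plaintext", None, None)

def inbound(crypto_map, src_ip, dst_ip, protected):
    """Inbound uses the same ACLs with source/destination swapped: a packet the ACL
    says should have been protected is discarded if it arrives in the clear."""
    expected = any(selects(m.acl, dst_ip, src_ip) for m in crypto_map)
    return "discard" if expected and not protected else "accept"

def mirrors(local_acl, remote_acl):
    """Peer ACLs must mirror each other: same actions, same order, src/dst reversed."""
    return [(e.action, e.dst, e.src) for e in local_acl] == [(e.action, e.src, e.dst) for e in remote_acl]

# Constructed topology: site A LAN 10.1.1.0/24 behind peer 203.0.113.1,
# site B LAN 10.2.2.0/24 behind peer 203.0.113.2.
SITE_A_ACL = (AclEntry("permit", "10.1.1.0/24", "10.2.2.0/24"),)
SITE_B_ACL = (AclEntry("permit", "10.2.2.0/24", "10.1.1.0/24"),)
SITE_A_MAP = (CryptoMapEntry(10, SITE_A_ACL, "203.0.113.2", ("ESP-3DES-SHA",)),)
```

The `inbound` case is the one worth checking on a real deployment: a cleartext packet from the remote LAN range that matches the crypto ACL is dropped rather than forwarded, which is what stops spoofed unencrypted traffic from bypassing the tunnel.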
Third Component of VPN Connection Information Page: Authentication (figure)

IKE Proposals Configured Through the VPN Wizard (figure)

Transform Set Configured Through the VPN Wizard (figure)

Protecting Traffic Through the VPN Wizard (figure)

Summary of the Site-to-Site VPN Wizard Configuration (figure)

Verifying IPsec Configuration Using CLI

IOS-FW# show crypto isakmp policy
Global IKE policy
Protection suite of priority
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

Monitoring Established IPsec VPN Connections (figure)

IKE Policy Negotiation (figure)

VPN Troubleshooting Status Window (figure)

Monitoring IKE Security Association (figure)