Basic network using IPSec

20 Mar

Figure 6.6: Basic network using IPSec.

Listing 6.1 displays the configuration of Router A, and Listing 6.2 displays the configuration of Router B.

Listing 6.1: IPSec configuration of Router A.

hostname Router-A
!
! 'password 0' stores the password in clear text in the configuration; outside a lab,
! use 'username ipsec privilege 15 secret ...' so that only a hash is stored.
username ipsec privilege 15 password 0 ipsec
memory-size iomem 10
ip subnet-zero
ip tcp synwait-time 10
no ip domain-lookup
!
crypto isakmp policy 11
 hash md5
 encryption des
 group 2
 authentication pre-share
!
crypto isakmp key ouripseckey address 10.0.30.201
!
crypto ipsec transform-set remote esp-des esp-md5-hmac
!
crypto map encrypt 11 ipsec-isakmp
 set peer 10.0.30.201
 set transform-set remote
 match address 120
!
interface Ethernet0/0
 description Internet Connection
 ip address 10.0.30.200 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map encrypt
!
interface Ethernet0/1
 ip address 192.168.10.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
ip nat pool pat 10.0.30.203 10.0.30.203 netmask 255.255.255.0
ip nat inside source route-map donotnat pool pat overload
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
! Access list 120 selects the traffic to encrypt. It must be the mirror image of
! Router B's list 120, so both ends use a /24 wildcard (0.0.0.255) for both networks.
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
! Access list 130 exempts that same traffic from PAT and translates everything else.
access-list 130 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
!
route-map donotnat permit 10
 match ip address 130
!

Listing 6.2: IPSec configuration of Router B.

hostname Router-B
!
username ipsec privilege 15 password 0 ipsec
memory-size iomem 10
ip subnet-zero
ip tcp synwait-time 10
no ip domain-lookup
!
crypto isakmp policy 10
 hash md5
 encryption des
 group 2
 authentication pre-share
!
crypto isakmp key ouripseckey address 10.0.30.200
!
crypto ipsec transform-set remote esp-des esp-md5-hmac
!
crypto map encrypt 10 ipsec-isakmp
 set peer 10.0.30.200
 set transform-set remote
 match address 120
!
interface Ethernet1/0
 description Internet Connection
 ip address 10.0.30.201 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 crypto map encrypt
!
interface Ethernet0/1
 ip address 192.168.11.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
ip nat pool pat 10.0.30.204 10.0.30.204 netmask 255.255.255.0
ip nat inside source route-map donotnat pool pat overload
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
!
! Mirror image of Router A's list 120: the same two networks with source and
! destination swapped, both with the /24 wildcard 0.0.0.255.
access-list 120 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 130 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 130 permit ip 192.168.11.0 0.0.0.255 any
!
route-map donotnat permit 10
 match ip address 130
!

The configurations in Listing 6.1 and Listing 6.2 give each router an IPSec tunnel to the other site while still using PAT for the traffic that goes to the Internet.

PAT (static or dynamic NAT could have been used in its place) is applied through a route map rather than a plain access list. The route map is needed to separate packets whose destination lies inside the enterprise's address space at the other site from packets bound for the Internet. The order of operations matters here: on an IOS router, inside-to-outside NAT is performed before the crypto map on the outbound interface is consulted, so without the deny entry in access list 130 the source addresses of site-to-site packets would already have been translated to the PAT address and would never match access list 120. Each router has been configured with an IKE policy using the crypto isakmp policy command. Within each IKE policy, the encryption algorithm is set to the default 56-bit DES and the hash algorithm to MD5. Both are acceptable only for a lab like this one; on current IOS releases, encryption aes 256, hash sha256 and Diffie-Hellman group 14 or higher are available and should be used instead.

Note Default settings for IPSec and IKE are not displayed in the output of show running-config; when a value is missing from a listing, the default is in effect. The default commands used to configure IPSec and IKE are listed in this chapter for completeness.

Each router's Diffie-Hellman group has been changed from the default 768-bit group 1 to the 1024-bit group 2, and the IKE authentication method has been set to pre-shared keys. Each router is then configured with the pre-shared key used for authentication, using the crypto isakmp key command; the key is bound to the address of the peer that is allowed to present it. In Listing 6.1 and Listing 6.2 the key is ouripseckey, and it must be identical on both routers, or the peers will never complete IKE phase 1. Group 2 was the stronger choice when this chapter was written, but 1024-bit Diffie-Hellman is no longer considered adequate; use group 14 (2048-bit) or larger, and make the pre-shared key a long random string rather than a memorable word. This concludes the configuration of IKE on Router A and Router B.

Next, IPSec support must be configured on Router A and Router B. The first step in Listing 6.1 and Listing 6.2 is to define a transform set, which names the security protocols and algorithms used between the two peers; this is done with the crypto ipsec transform-set command, and the set is named remote. The set used here, esp-des esp-md5-hmac, gives ESP encryption with DES and ESP integrity with HMAC-MD5. The same caveat applies as for the IKE policy: on a production router use esp-aes 256 with esp-sha256-hmac.

A crypto map entry is then defined; its ipsec-isakmp parameter indicates that IKE will be used to establish the IPSec security associations that protect the traffic selected by this entry. The IPSec peer is identified with set peer, and the transform set to use between the peers is chosen with set transform-set. Finally, match address ties access list 120 to the entry: packets permitted by that list are encrypted, and packets that do not match are sent in the clear. The list on each router must be the mirror image of the list on the other (the same two networks, with source and destination swapped), because the two sides compare them as the proxy identities during IKE phase 2 and will refuse to build the security association if they disagree.
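The following Python script is an added example, not code from this chapter and not a Cisco tool. It does the cross-checking a practitioner would otherwise do by eye before testing the tunnel: it parses the relevant parts of both running-configs, confirms that the two routers share an ISAKMP policy with identical attributes (the policy priority numbers 10 and 11 do not have to match), that each holds the same pre-shared key for the other's address, that their transform sets agree and their crypto access lists are mirror images, and that the PAT route map exempts exactly the traffic the crypto map encrypts; it also flags the DES, MD5 and group 2 settings as weak. The embedded Router A configuration is Listing 6.1 reduced to the lines the checker reads, with sub-commands indented as show running-config prints them, and Router B is derived from it by swapping the hostnames and addresses. The ISAKMP defaults it fills in, the parser and the check wording are my assumptions, not anything the chapter defines; the ACL parser understands the any and network/wildcard address forms used on this page, not the host form.

```python
"""Cross-check two IOS site-to-site IPSec configs for the mismatches that keep a tunnel down."""
import re
# ISAKMP defaults that 'show running-config' omits (see the Note in the text)
IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
# Constructed sample: Listing 6.1 trimmed to the lines the checker reads, sub-commands indented
ROUTER_A = """\
hostname Router-A
crypto isakmp policy 11
 hash md5
 encryption des
 group 2
 authentication pre-share
crypto isakmp key ouripseckey address 10.0.30.201
crypto ipsec transform-set remote esp-des esp-md5-hmac
crypto map encrypt 11 ipsec-isakmp
 set peer 10.0.30.201
 set transform-set remote
 match address 120
ip nat inside source route-map donotnat pool pat overload
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 130 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
route-map donotnat permit 10
 match ip address 130
"""
# Router B (Listing 6.2) is the mirror image: swap the names and addresses in a single pass
SWAP = {"Router-A": "Router-B", "10.0.30.200": "10.0.30.201", "10.0.30.201": "10.0.30.200",
        "192.168.10.": "192.168.11.", "192.168.11.": "192.168.10."}
ROUTER_B = re.sub("|".join(map(re.escape, SWAP)), lambda m: SWAP[m.group(0)], ROUTER_A)

def _addr(tok, i):
    """ACL address spec at tok[i]: 'any' or 'A.B.C.D wildcard'; returns (spec, next index)."""
    return (("0.0.0.0", "255.255.255.255"), i + 1) if tok[i] == "any" else ((tok[i], tok[i + 1]), i + 2)

def parse_ios(text):
    """Pull the IKE, IPSec, NAT and ACL facts out of an IOS running-config."""
    c = {"hostname": "?", "isakmp": {}, "psk": {}, "ts": {}, "cmap": {}, "acl": {}, "rmap": {}, "nat": None}
    sect = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if raw.startswith(" "):                          # sub-command of the open section
            kind, name = sect or (None, None)
            if kind == "isakmp":                         # 'hash md5', 'group 2', ...
                c["isakmp"][name][tok[0]] = tok[1]
            elif kind == "cmap":                         # 'set peer X', 'set transform-set X', 'match address N'
                c["cmap"][name][tok[1] if tok[0] == "set" else "acl"] = tok[2]
            elif kind == "rmap" and tok[:3] == ["match", "ip", "address"]:
                c["rmap"][name] = tok[3]
            continue
        sect = None
        if tok[0] == "hostname":
            c["hostname"] = tok[1]
        elif tok[0] == "route-map":
            sect = ("rmap", tok[1])
        elif tok[:3] == ["crypto", "isakmp", "policy"]:
            sect, c["isakmp"][tok[3]] = ("isakmp", tok[3]), dict(IKE_DEFAULTS)
        elif tok[:3] == ["crypto", "isakmp", "key"]:
            c["psk"][tok[5]] = tok[3]                    # peer address -> key
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            c["ts"][tok[3]] = frozenset(tok[4:])
        elif tok[:2] == ["crypto", "map"] and "ipsec-isakmp" in tok:
            sect, c["cmap"][tok[2]] = ("cmap", tok[2]), {}
        elif tok[:4] == ["ip", "nat", "inside", "source"]:
            c["nat"] = (tok[4], tok[5])                  # ('list', N) or ('route-map', NAME)
        elif tok[0] == "access-list" and tok[3] == "ip":
            src, i = _addr(tok, 4)
            c["acl"].setdefault(tok[1], []).append((tok[2], src, _addr(tok, i)[0]))
    return c

def check_pair(a, b):
    """Findings for two peers with one crypto map entry each; an empty list means they agree."""
    pol = lambda c: {tuple(p[k] for k in ("encryption", "hash", "group", "authentication")) for p in c["isakmp"].values()}
    f = [] if pol(a) & pol(b) else ["phase 1: no ISAKMP policy with identical attributes on both peers"]
    ma, mb = next(iter(a["cmap"].values())), next(iter(b["cmap"].values()))
    if a["psk"].get(ma["peer"]) is None or a["psk"].get(ma["peer"]) != b["psk"].get(mb["peer"]):
        f.append("pre-shared keys for the peer addresses are missing or differ")
    if a["ts"][ma["transform-set"]] != b["ts"][mb["transform-set"]]:
        f.append("phase 2: transform sets differ")
    ca = [(s, d) for act, s, d in a["acl"].get(ma["acl"], []) if act == "permit"]
    cb = [(s, d) for act, s, d in b["acl"].get(mb["acl"], []) if act == "permit"]
    if sorted(ca) != sorted((d, s) for s, d in cb):
        f.append("crypto ACLs are not mirror images, so the proxy identities will not match")
    for x, crypto in ((a, ca), (b, cb)):
        h = x["hostname"]
        for p in x["isakmp"].values():
            f += [f"{h}: weak IKE {k} {p[k]}" for k in WEAK_IKE if p[k] in WEAK_IKE[k]]
        f += [f"{h}: weak ESP transform {t}" for ts in x["ts"].values() for t in sorted(ts & WEAK_ESP)]
        nat = x["nat"] or (None, None)                   # NAT runs before the crypto map: VPN traffic must be exempt
        nat_acl = x["rmap"].get(nat[1]) if nat[0] == "route-map" else nat[1]
        denied = {(s, d) for act, s, d in x["acl"].get(nat_acl, []) if act == "deny"}
        f += [f"{h}: NAT not bypassed for {s[0]} -> {d[0]}" for s, d in crypto if (s, d) not in denied]
    return f

if __name__ == "__main__":
    print(*check_pair(parse_ios(ROUTER_A), parse_ios(ROUTER_B)), sep="\n")
```

Run against the two listings as corrected above, the script reports no consistency problems and ten weak-algorithm findings (DES, MD5 and group 2 in each IKE policy, esp-des and esp-md5-hmac in each transform set). Changing the wildcard on one side to 0.0.255.255, mistyping the key on one router, or deleting the deny entry in access list 130 each produces the corresponding finding, which is the kind of mistake a debug session would otherwise have to reveal indirectly.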

To test the configurations of Router A and Router B, an extended ping is issued from Router B, sourced from its Ethernet0/1 interface (192.168.11.1) and destined for the Ethernet0/1 interface of Router A (192.168.10.1). A plain ping would be sourced from the address of the outgoing interface, 10.0.30.201, which access list 120 does not cover, so the packets would leave the router unencrypted; the extended ping's source option is what makes the test traffic match the crypto access list. On Router B, I have issued the debug crypto ipsec, debug crypto isakmp, and debug crypto engine commands beforehand. Each of these commands can be used to view event messages for IPSec and IKE. The packets from the ping request match the access list entry and require the encryption services of IPSec. Listing 6.3 displays the ping request and the debug output.
