Encryption access list configuration on Router A.

20 Mar

Listing 5.24: Encryption access list configuration on Router A.
Router-A#config t
Router-A(config)#access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
Router-A(config)#access-list 100 permit icmp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
Router-A(config)#access-list 100 deny ip 192.168.10.0 0.0.0.255 any
Router-A(config)#end
Router-A#

Listing 5.25: Encryption access list configuration on Router B.

Router-B#config t
Router-B(config)#access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
Router-B(config)#access-list 101 permit icmp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
Router-B(config)#access-list 101 deny ip 192.168.11.0 0.0.0.255 any
Router-B(config)#end
Router-B#

The configurations in Listing 5.24 and Listing 5.25 define on each router an access list whose first two entries state that any IP or ICMP traffic with a source address on the router's local network and a destination address on the network behind the peer encrypting router is to be protected by encryption. The third entry of each access list is a deny statement: any packet with a source address on the local network and any destination address is not encrypted and is forwarded as usual. In an encryption access list, deny means "send in the clear", not "drop". At first the rules might not seem correct, because a packet with a local source address and any destination could also be a packet destined for the network behind the peer encrypting router. However, access list entries are evaluated in sequential order, and as soon as a packet matches an entry the router stops comparing. A packet that matches one of the first two entries on Router A or Router B is never compared against the third entry and is always encrypted.

By the same reasoning, the second entry never matches anything: permit ip already covers ICMP between the two networks, so the permit icmp entry is shadowed by the entry before it, and the explicit deny only restates the implicit deny that ends every access list. Neither entry changes the outcome, but it pays to keep an encryption access list minimal and to verify it with show access-lists, since any traffic it does not permit leaves the router unencrypted.

To display the access list configuration of each router, issue the show access-lists command. Listing 5.26 shows the result of issuing it on Router A, and Listing 5.27 shows the result on Router B.

Listing 5.26: Access list configuration of Router A.

Router-A#show access-lists
Extended IP access list 100
    permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
    permit icmp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
    deny ip 192.168.10.0 0.0.0.255 any
Router-A#

Listing 5.27: Access list configuration of Router B.

Router-B#show access-lists
Extended IP access list 101
    permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
    permit icmp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
    deny ip 192.168.11.0 0.0.0.255 any
Router-B#

The next major step in the configuration of Cisco Encryption Technology is to define crypto maps on each router. A crypto map defines the control policy for Cisco Encryption Technology: it links the traffic selection criteria of the encryption access list, names the peer router, and selects the DES algorithm to use. To define a crypto map on Router A and Router B, use the crypto map command with a name and a sequence number. Once the crypto map is defined, the Cisco IOS command parser moves you into crypto map configuration mode. There you define the peer router with which encryption takes place, the access list used to decide which packets are encrypted, and the encryption algorithm to use.

Listing 5.28 shows an example of defining a crypto map and the parameters of the crypto map on Router A, and Listing 5.29 shows an example for Router B.

Listing 5.28: Crypto map configuration of Router A.

Router-A#config t
Router-A(config)#crypto map routeramap 10 cisco
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router-A(config-crypto-map)#set peer routerb
Router-A(config-crypto-map)#match address 100
Router-A(config-crypto-map)#set algorithm des
Router-A(config-crypto-map)#end
Router-A#

Listing 5.29: Crypto map configuration of Router B.

Router-B#config t
Router-B(config)#crypto map routerbmap 10 cisco
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Router-B(config-crypto-map)#set peer routera
Router-B(config-crypto-map)#match address 101
Router-B(config-crypto-map)#set algorithm des
Router-B(config-crypto-map)#end
Router-B#

After configuring each router's crypto map, use the show crypto map command to view its parameters. Verifying the crypto map configuration on each router is crucial, because no encryption session can be established between peer routers if the encryption policy configured on one router differs from that of its peer. Listing 5.30 displays the output of the show crypto map command on Router A, and Listing 5.31 shows the output on Router B.

Listing 5.30: Viewing the crypto map configuration of Router A.

Router-A#sh crypto map
Crypto Map "routeramap" 10 cisco
        Peer = routerb
        PE = 192.168.10.0
        UPE = 192.168.11.0
        Extended IP access list 100
            access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
            access-list 100 permit icmp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
            access-list 100 deny ip 192.168.10.0 0.0.0.255 any
        Connection Id = UNSET (0 established, 0 failed)
        Interfaces using crypto map routeramap:
Router-A#

Listing 5.31: Viewing the crypto map configuration of Router B.

Router-B#sh crypto map
Crypto Map "routerbmap" 10 cisco
        Peer = routera
        PE = 192.168.11.0
        UPE = 192.168.10.0
        Extended IP access list 101
            access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list 101 permit icmp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
            access-list 101 deny ip 192.168.11.0 0.0.0.255 any
        Connection Id = UNSET (0 established, 0 failed)
        Interfaces using crypto map routerbmap:
Router-B#
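The first-match rule explained under Listing 5.24 and Listing 5.25, and the requirement that both peers carry the same policy, are easy to get wrong by hand. The following evaluator is an added example, not code from the book or from Cisco IOS: it parses the access list entries of both routers (Router B's list reproduced as number 101, as the show output confirms), decides for a given packet whether the list encrypts it or sends it in the clear, reports entries that an earlier entry already covers, and checks that the permit entries of the two peers mirror each other. It handles only the address forms used on this page (network plus wildcard, host, any) and IPv4 without port matching.

```python
# Added example (not from the book or Cisco IOS): first-match evaluation of
# Cisco-style encryption access lists, shadowed-entry detection, and a
# mirror check between two peers' permit entries. IPv4 only; no port matching.
import ipaddress

# Constructed from Listings 5.24 and 5.25 (Router B's list is number 101).
ROUTER_A_ACL = [
    "access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255",
    "access-list 100 permit icmp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255",
    "access-list 100 deny ip 192.168.10.0 0.0.0.255 any",
]
ROUTER_B_ACL = [
    "access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 101 permit icmp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 101 deny ip 192.168.11.0 0.0.0.255 any",
]

MASK32 = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Consume one address spec; returns ((network, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' into a dict."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an access-list entry: %r" % line)
    src, rest = _take_addr(tok[4:])
    dst, rest = _take_addr(rest)
    return {"acl": int(tok[1]), "action": tok[2], "proto": tok[3],
            "src": src, "dst": dst}


def parse_acl(lines):
    return [parse_ace(line) for line in lines]


def _matches(addr, spec):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    net, wildcard = spec
    care = ~_ip(wildcard) & MASK32
    return (_ip(addr) & care) == (_ip(net) & care)


def _covers(outer, inner):
    """True if every address matching `inner` also matches `outer`."""
    onet, owc = outer
    inet, iwc = inner
    if _ip(iwc) & ~_ip(owc) & MASK32:   # inner ignores a bit outer cares about
        return False
    care = ~_ip(owc) & MASK32
    return (_ip(inet) & care) == (_ip(onet) & care)


def evaluate(acl, proto, src, dst):
    """First match wins. Returns ('encrypt' | 'clear', index of matching entry).
    No match falls through to the implicit deny, which for an encryption
    access list means the packet is forwarded in the clear."""
    for i, ace in enumerate(acl):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if _matches(src, ace["src"]) and _matches(dst, ace["dst"]):
            return ("encrypt" if ace["action"] == "permit" else "clear"), i
    return "clear", None


def shadowed(acl):
    """Indices of entries that some earlier entry already fully covers."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier["proto"] in ("ip", later["proto"])
                    and _covers(earlier["src"], later["src"])
                    and _covers(earlier["dst"], later["dst"])):
                out.append(j)
                break
    return out


def mirrors(acl_a, acl_b):
    """Peers must protect the same flows: B's permit entries must equal A's
    permit entries with source and destination swapped (order-insensitive)."""
    def key(ace, swap):
        s, d = (ace["dst"], ace["src"]) if swap else (ace["src"], ace["dst"])
        return (ace["proto"], s, d)
    permits_a = {key(a, True) for a in acl_a if a["action"] == "permit"}
    permits_b = {key(b, False) for b in acl_b if b["action"] == "permit"}
    return permits_a == permits_b


if __name__ == "__main__":
    acl_a = parse_acl(ROUTER_A_ACL)
    print(evaluate(acl_a, "icmp", "192.168.10.1", "192.168.11.1"))  # ('encrypt', 0)
    print(evaluate(acl_a, "tcp", "192.168.10.5", "10.0.0.1"))       # ('clear', 2)
    print(shadowed(acl_a))                                           # [1]
    print(mirrors(acl_a, parse_acl(ROUTER_B_ACL)))                   # True
```

Running it shows the two facts the text argues: the ICMP echo from 192.168.10.1 to 192.168.11.1 is encrypted by the first entry, and the permit icmp entry is reported as shadowed because permit ip already covers it. The mirror check is the automated form of comparing the two show crypto map outputs.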

After configuring the crypto map and verifying that its parameters agree between the peers, the final step in the configuration of Cisco Encryption Technology is to apply the crypto map to the interface on which encryption terminates. To do so, use the crypto map command in interface configuration mode. Only one crypto map set can be applied to an interface. Crypto map entries that share a name but have different sequence numbers form one crypto map set; applying the name to the interface applies the whole set, and the router evaluates its entries in order of sequence number, lowest first. Until the map is applied, the Interfaces using crypto map line of show crypto map stays empty, as in Listing 5.30 and Listing 5.31, and no packets are encrypted.

Listing 5.32 displays an example of applying the defined crypto map on Router A to its serial interface. Listing 5.33 displays an example of applying the defined crypto map on Router B to its serial interface.

Listing 5.32: Applying the crypto map to Router A.

Router-A#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router-A(config)#int serial0/0
Router-A(config-if)#crypto map routeramap
Router-A(config-if)#end
Router-A#

Listing 5.33: Applying the crypto map to Router B.

Router-B#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router-B(config)#int serial0/0
Router-B(config-if)#crypto map routerbmap
Router-B(config-if)#end
Router-B#

To test the configurations of Router A and Router B, an extended ping is issued on Router A to the LAN-side Ethernet interface of Router B. An extended ping is used so that the source address of the IP packets can be specified; here the source is Router A's LAN-side Ethernet interface, 192.168.10.1, so that the packets match the encryption access list. A ping sourced from the serial interface (192.168.12.1) would match no permit entry and would be sent in the clear. Before the ping is started, the debug crypto sessmgmt command is enabled so that the connection setup messages are displayed. Listing 5.34 shows the ping command.

Listing 5.34: The ping command issued on Router A.

Router-A#debug crypto sessmgmt
Crypto Session Management debugging is on
Router-A#
Router-A#ping ip
Target IP address: 192.168.11.1
Repeat count [5]: 30
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 30, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:

After the ping has started, the output listed in Listing 5.35 is displayed on the console of Router A.

Listing 5.35: DEBUG output from the ping command on Router A.

CRYPTO-SDU: get_pet: PET node created
CRYPTO-SDU:Adding new CIB for ACL: 100
CRYPTO-SDU: get_cot: New COT node allocated
CRYPTO: Pending connection = -1
CRYPTO: Dequeued a message: Inititate_Connection
CRYPTO: Allocated conn_id 1 slot 0, swidb 0x0,
CRYPTO: Next connection id = 1
CRYPTO: DH gen phase 1 status for conn_id 1 slot 0:OK
CRYPTO: Sign done. Status=OK
CRYPTO_SM: sending CET message to FastEthernet0/0:192.168.11.1
CRYPTO: ICMP message sent: s=192.168.10.1, d=192.168.11.1
CRYPTO-SDU: send_nnc_req: NNC Echo Request sent
CRYPTO: Sign done. Status=OK
CRYPTO: Retransmitting a connection message
CRYPTO: ICMP message sent: s=192.168.10.1, d=192.168.11.1
CRYPTO: Dequeued a message: CRM
CRYPTO: CRM from 192.168.10.0 to 192.168.11.0
CRYPTO: Peer has serial number: 0615EC60
CRYPTO: DH gen phase 2 status for conn_id 1 slot 0:OK
CRYPTO: Syndrome gen status for conn_id 1 slot 0:OK
CRYPTO: Verify done. Status=OK
CRYPTO: Sign done. Status=OK
CRYPTO: ICMP message sent: s=192.168.12.1, d=192.168.12.2
CRYPTO-SDU: recv_nnc_rpy: NNC Echo Confirm sent.
CRYPTO: Create encryption key for conn_id 1 slot 0:OK
CRYPTO: Replacing -1 in crypto maps with 1 (slot 0)
CRYPTO:old_conn_id=-1, new_conn_id=1, orig_conn_id=1
CRYPTO: Crypto Engine clear dh conn_id 1 slot 0: OK

Notice the line CRYPTO: Create encryption key for conn_id 1 slot 0:OK near the end of Listing 5.35. The session key is created only because each of the preceding steps (Diffie-Hellman generation phase 1 and phase 2, signing, syndrome generation and signature verification) returned a status of OK. If any of those steps fails, no key is created and no encrypted session is established.

At this point, the status of the connections can be viewed on Router A by using the commands show crypto cisco connections and show crypto engine connections active. Listing 5.36 displays the output of the show commands.

Listing 5.36: Output of show commands on Router A.

Router-A#show crypto engine connections active
ID  Interface   IP-Address    State  Algorithm     Encrypt  Decrypt
1   Serial0/0   192.168.12.1  set    DES_56_CFB64  358      312

Router-A#show crypto cisco connections
Connection Table
PE            UPE           Conn_id  New_id  Algorithm
192.168.10.0  192.168.11.0  1        0       DES_56_CFB64
                            flags: TIME_KEYS  ACL: 100
Router-A#

The show crypto engine connections active command displays the currently active encrypted connections for all crypto engines. The ID field identifies a connection by its connection ID, which is 1 in Listing 5.36. The Interface field identifies the interface involved in the encrypted connection, and the IP-Address field gives the IP address of that interface. The State field is the most important field in the output; it gives the current state of the connection, and set indicates an established session. The Algorithm field indicates the DES algorithm used to encrypt and decrypt packets, and the final two fields count the packets that connection 1 has encrypted and decrypted.

The show crypto cisco connections command displays the connection ID that Cisco IOS assigns when a new connection is initiated, again 1 in Listing 5.36. The PE field is the protected entity, the source network as specified in the crypto map's encryption access list (access list 100); the UPE field is the unprotected entity, the destination network as specified in the same access list. The flags field can display one of five different status messages; Table 5.1 lists each of them with a description.

Because the flags field in Listing 5.36 shows TIME_KEYS, the session is established. The ACL field shows that the session uses access list 100 for the duration of the connection to decide what is and is not encrypted. The final configurations for Router A and Router B can be seen by issuing the show running-config command; they are shown in Listing 5.37 and Listing 5.38.
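Reading Listing 5.35 and Listing 5.36 by eye works for one router; for more than one it is worth automating. The following is an added example, not code from the book or from Cisco IOS: it extracts the status of every handshake step from debug crypto sessmgmt output and reports whether a key was created, and it parses the show crypto engine connections active table to list which connections are in the set state. The sample debug lines are taken from Listing 5.35; the failing debug excerpt and the second connection row (with a hypothetical pending state) are constructed to show the negative case and are not real IOS output.

```python
# Added example (not from the book or Cisco IOS): decide from captured CLI
# output whether a CET session actually came up.
import re

# Lines taken from Listing 5.35 (only those carrying a status).
DEBUG_OK = """\
CRYPTO: DH gen phase 1 status for conn_id 1 slot 0:OK
CRYPTO: Sign done. Status=OK
CRYPTO: DH gen phase 2 status for conn_id 1 slot 0:OK
CRYPTO: Syndrome gen status for conn_id 1 slot 0:OK
CRYPTO: Verify done. Status=OK
CRYPTO: Create encryption key for conn_id 1 slot 0:OK
CRYPTO: Crypto Engine clear dh conn_id 1 slot 0: OK
"""

# Constructed (hypothetical) exchange in which signature verification fails,
# so the key-creation line never appears.
DEBUG_FAIL = """\
CRYPTO: DH gen phase 1 status for conn_id 1 slot 0:OK
CRYPTO: Sign done. Status=OK
CRYPTO: Verify done. Status=FAIL
"""

# First row from Listing 5.36; second row is constructed, with a hypothetical
# non-established state, to exercise the filter.
ENGINE_OUTPUT = """\
ID  Interface   IP-Address    State    Algorithm     Encrypt  Decrypt
1   Serial0/0   192.168.12.1  set      DES_56_CFB64  358      312
2   Serial0/1   192.168.13.1  pending  DES_56_CFB64  0        0
"""

# Matches both "... Status=OK" and "... slot 0:OK" / "... slot 0: OK".
STATUS_RE = re.compile(r"(?:Status=|slot \d+:)\s*(\w+)\s*$")


def handshake_steps(debug_text):
    """Return [(line, status)] for every debug line that reports a status."""
    steps = []
    for line in debug_text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            steps.append((line.strip(), m.group(1)))
    return steps


def handshake_ok(debug_text):
    """True only if every reported step is OK and a session key was created."""
    steps = handshake_steps(debug_text)
    all_ok = bool(steps) and all(status == "OK" for _, status in steps)
    key_made = any("Create encryption key" in line for line, _ in steps)
    return all_ok and key_made


def failed_steps(debug_text):
    """The debug lines whose status is not OK (empty for a clean handshake)."""
    return [line for line, status in handshake_steps(debug_text) if status != "OK"]


def parse_engine_connections(text):
    """Turn the 'show crypto engine connections active' table into dicts
    keyed by the header names (ID, Interface, IP-Address, State, ...)."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    return [dict(zip(header, row.split())) for row in lines[1:]]


def established(rows):
    """Connection IDs whose State is 'set', i.e. an established session."""
    return [r["ID"] for r in rows if r["State"] == "set"]


if __name__ == "__main__":
    print(handshake_ok(DEBUG_OK), failed_steps(DEBUG_OK))        # True []
    print(handshake_ok(DEBUG_FAIL), failed_steps(DEBUG_FAIL))    # False [...]
    print(established(parse_engine_connections(ENGINE_OUTPUT)))  # ['1']
```

The two checks answer different questions: handshake_ok tells you whether the key exchange completed, and established tells you whether the engine currently holds a usable connection on the interface. A connection that passes the first but not the second points at the crypto map not being applied to the interface.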
