Professional Documents
Culture Documents
Attempt pinging across from Laptop0 to Laptop1. This should fail as R_02 does
not know how to route this traffic
Ensure that you have the security license enabled on R_01 and R_03.
A security license must be installed to enable hardware based crypto support.
These licenses limit all encrypted tunnel counts to 225 tunnels maximum for IP
Security (IPsec). If the securityk9 technology-package is not installed, the
crypto related functions will not work.
(config)show version
(config)license boot module c1900 technology-package
securityk9
copy run start
reload
show version
!R_01
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.16.3.0
0.0.0.255
!R_03
access-list 100 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
Once ISAKMP is enabled, there are five policy parameters that need to be
defined to each policy entry. If no policy is defined, a policy using all of the
defaults will be used. When creating a policy, if no explicit policy parameter is
defined, the default parameter will be used. The policy parameters and default
values are:
The next step is to define the ISAKMP hash algorithm. The IOS supports two
hash protocols: Message-Digest algorithm 5 and Secure Hash Algorithm.
Message-Digest algorithm 5 (MD5) is a single-pass hash algorithm that
generates a 128-bit hash. Ex. #hash sha
Here in the below code we have used the pre shared key for the
authentication.
Next we define what Diffie-Hellman (DH) modulus will be used. The original
RFC defined two; DH Group 1 uses a 768-bit modulus and DH Group 2 uses
a 1024-bit modulus. The larger the value, the more random the key and the
more secure the key is. IOS supports Group 1, Group 2 and Group 5. DH
Group 5 uses a 1536-bit modulus. Common practice is to use Group 2,
because Group 5 is not supported on all IOS versions and is not supported by
the Cisco VPN client.
!R_01
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
!
crypto isakmp key Secret-2020 address
100.100.200.1
!R_03
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
!
crypto isakmp key Secret-2020 address 100.100.100.1
IPSec Transforms
An IPSec transform specifies a single IPSec security protocol (either AH or ESP)
with its corresponding security algorithms and mode. Example transforms
include the following:
The AH protocol with the HMAC with MD5 authentication algorithm in tunnel
mode is used for authentication.
The ESP protocol with the triple DES (3DES) encryption algorithm in transport
mode is used for confidentiality of data.
The ESP protocol with the 56-bit DES encryption algorithm and the HMAC with
SHA-1 authentication algorithm in tunnel mode is used for authentication and
confidentiality.
Transform Sets
A transform set is a combination of individual IPSec transforms designed to
enact a specific security policy for traffic. During the ISAKMP IPSec security
association negotiation that occurs in IKE phase 2 quick mode, the peers agree
to use a particular transform set for protecting a particular data flow.
Transform sets combine the following IPSec factors:
IPsec Transform-set
! R_01
crypto ipsec transform-set R_01-R_03 esp-aes 256 esp-sha-hmac
! R_03
crypto ipsec transform-set R_03-R_01 esp-aes 256 esp-sha-hmac
A crypto map is a software configuration entity that performs two primary
functions:
• Selects data flows that need security processing.
• Defines the policy for these flows and the crypto peer to which that traffic
needs to go.
A crypto map is applied to an interface
create a crypto map that glues all the policies together. Also, specify the IP address
of the remote peer.
!R_01
crypto map IPSEC-CRYPTOMAP 100 ipsec-isakmp
set peer 100.100.200.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set R_01-R_03
match address 100
!R_03
crypto map IPSEC-CRYPTOMAP 100 ipsec-isakmp
set peer 100.100.100.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set R_03-R_01
match address 100 // Specifies an extended access list for a crypto
map entry.
Activate IPSec on the outbound interface by applying the crypto map to the
interface
!R_01
interface GigabitEthernet0/0
crypto map IPSEC-CRYPTOMAP
!R_03
interface GigabitEthernet0/0
crypto map IPSEC-CRYPTOMAP
!Laptop0
ping 172.16.3.100
!Laptop1
ping 172.16.1.100
!R_01
show crypto ipsec sa
!R_03
show crypto ipsec sa