IPsec is not a protocol, it is a framework for securing unicast traffic. It consists of three protocols: ESP, AH (obsolete) and IKE. For multicast and broadcast traffic GRE should be used. IKE negotiations use UDP port 500. Encapsulating Security Payload (ESP) uses IP protocol 50, Authentication Header (AH) uses IP protocol 51. IKE Phase 1 can be established via main mode (6 messages) or aggressive mode (3 messages). During this phase the peers authenticate each other using pre-shared keys (PSK) or RSA signatures (PKI). Phase 2 has only one mode, quick mode, which uses 3 messages.
Below you can find a short description of configuring IPSec in tunnel mode on a router; to configure the other router you only need to change the IP addresses, everything else is the same.
IPSec configuration consists of the following steps:
- Configure ISAKMP(IKE phase 1) protocol
- Configure transform set, IKE protocol phase 2
- Configure access list which determines what traffic to encrypt
- Create crypto map
- Apply crypto map to an interface
Configure ISAKMP policy
Here we configure the policy priority, encryption, authentication, hash, lifetime and Diffie-Hellman group (the group defines the size of the DH modulus, that is, how strong the negotiated key is; group 2 is usually used)
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#group 2
R1(config-isakmp)#exit
Configure ISAKMP key - this key is used only for authentication, not encryption.
R1(config)#crypto isakmp key test address 10.10.0.2
Configure transform set
Here we configure transform set name, encryption and authentication.
R1(config)#crypto ipsec transform-set myset2 esp-aes 256 esp-sha-hmac
Configure access list
R1(config)#access-list 102 permit ip any 1.1.1.0 0.0.0.255
Configure crypto map
Here we combine transform set, access list and peer
R1(config)#crypto map map2 10 ipsec-isakmp
R1(config-crypto-map)#set peer 10.10.0.2
R1(config-crypto-map)#set transform-set myset2
R1(config-crypto-map)#match address 102
Apply crypto map to the interface
R1(config)#interface fastEthernet 1/1
R1(config-if)#crypto map map2
Check that everything works
R1#show crypto isakmp sa - check the state of Phase 1
R1#show crypto engine connections active
R1#show crypto session
R1#show crypto isakmp policy
R1#show crypto ipsec sa
R1#debug crypto isakmp
R1#debug crypto ipsec
NAT with IPSec
On outbound traffic NAT is processed first and only then IPSec, so the translated traffic will no longer match the crypto ACL. On inbound traffic the order is the reverse: IPSec first, then NAT.
Multiple crypto maps
If a connection to more than one host is required, multiple crypto map entries are needed. In practice a single crypto map is used with multiple sequence numbers, because only one crypto map can be applied to an interface. A new access list and a new key are also created for the additional peer.
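As an added example (not part of the original notes), a second tunnel attached to the existing map2 from above as a new sequence number; the second peer 10.10.0.3, its key test2, the remote network 2.2.2.0/24 and ACL number 103 are assumed values:

```cisco
! Assumed second peer: its own pre-shared key (ISAKMP policy 1 is reused as-is)
R1(config)#crypto isakmp key test2 address 10.10.0.3
! New ACL selecting only the traffic for the second site
! (crypto ACLs of different entries must not overlap: entries are evaluated
!  in sequence-number order and the first match decides the peer)
R1(config)#access-list 103 permit ip any 2.2.2.0 0.0.0.255
! Same crypto map name, new sequence number; entry 10 stays untouched
R1(config)#crypto map map2 20 ipsec-isakmp
R1(config-crypto-map)#set peer 10.10.0.3
R1(config-crypto-map)#set transform-set myset2
R1(config-crypto-map)#match address 103
R1(config-crypto-map)#exit
! map2 is already bound to fastEthernet 1/1, so no interface change is needed
! Verify that both entries, their peers and ACLs are present
R1#show crypto map
```

After traffic to 2.2.2.0/24 has been sent, show crypto isakmp sa should list a second SA towards 10.10.0.3 next to the existing one towards 10.10.0.2.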
IPSec configuration types
Above you can see an example of establishing an IPSec tunnel using crypto maps. This is the oldest method, but not the only one. There are also the following types:
- VTI
- GRE over IPSec