Objectives:
– Know the basic concepts associated with VPNs: IPsec, encryption,
authentication, VPN tunnel, security associations (SA), …
– Configure the parameters of a VPN tunnel on a router
– Configure the parameters of a remote client PC running Windows XP
First, a worked configuration example is provided, which each lab group
will have to adapt according to the task sheet.
Scenario (network diagram):
Router 1720: F0 192.168.138.1 on LAN 192.168.138.0 (video server 192.168.138.11); S0 192.168.137.2
Frame Relay link 192.168.137.0 between S0 of the 1720 and S1 of the 2514 (192.168.137.1)
Router 2514: E0 192.168.136.1 on LAN 192.168.136.0 (Windows XP client 192.168.136.11)
A secure VPN tunnel will be configured in the network of the figure between the XP client and the
serial interface of router 1720. The Ethernet interface of the 1720 is connected to a Windows 2000
server called videoserver that accepts remote connections from the user User01 with password pepe1492.
Preconceptions:
IKE, "Internet Key Exchange", is the protocol that negotiates keys and security parameters over IP
in a first, authenticated negotiation phase (phase 1) and then derives the IPsec SAs (phase 2). The
protected data itself is carried by one of two IPsec protocols: an authentication header, AH or
Authentication Header (integrity and authentication only, which we will not use here), or the
Encapsulating Security Payload, ESP, which adds encryption to the authentication.
It is important to understand that IPsec offers two modes of operation, applicable to both AH and
ESP, to protect data over IP: "transport mode", which protects only the payload of the original IP
packet and keeps its header, and "tunnel mode", which encapsulates the whole original packet inside
a new IP packet. In this practice ESP in tunnel mode will be used.
SA, or Security Association: a set of parameters (protocol, algorithms, keys, SPI, lifetime) that
defines the security requirements of a communication in one particular direction (incoming or
outgoing). An SA uses either AH or ESP, but not both.
Steps for configuration:
1. Prepare the network for IPsec and IKE (this step is prior to the configuration)
a. In this task you have to configure a basic connection between the two
routers and verify that there is connectivity between the ends of the network. In
this case the link between the routers is Frame Relay, with the
following configurations (the 1720 acts as the Frame Relay DCE and provides the clock):
Router 1720
frame-relay switching
interface Serial0
 ip address 192.168.137.2 255.255.255.0
 encapsulation frame-relay ietf
 bandwidth 64
 frame-relay lmi-type ansi
 frame-relay inverse-arp ip 16
 frame-relay map ip 192.168.137.1 25 broadcast ietf
 frame-relay intf-type dce
 clock rate 2000000
Router 2514
interface Serial1
 ip address 192.168.137.1 255.255.255.0
 encapsulation frame-relay ietf
 bandwidth 64
 frame-relay lmi-type ansi
 frame-relay inverse-arp ip 16
 frame-relay map ip 192.168.137.2 25 broadcast ietf
b. Define the encryption and authentication algorithms (in this
case DES and SHA respectively are going to be used, both on the router
and on the PC).
c. Define the ACLs and check that they are adequate (in this case the list
permits all IP traffic from the W2000 server network to the XP network, and
denies IP traffic originating in the W2000 server network towards any other
destination; in a crypto ACL "deny" means "send unprotected", not "drop").
2. Create access lists on router 1720
Access lists are used to select inbound or outbound traffic based on
some criteria. Only the packets that "fit" the specified rules match. When the
list is used as a crypto ACL (referenced from a crypto map), "permit" means the
traffic must be protected by IPsec and "deny" means it is sent in the clear; the
peer must be configured with the mirror image of the same list.
Command:
Router(config)# access-list access-list-number {deny | permit} protocol source-address
source-wildcard destination-address destination-wildcard [eq port-number] [log]
In our example configure the following access list:
Router(config)# access-list 110 permit ip 192.168.138.0 0.0.0.255 192.168.136.0 0.0.0.255
Router(config)# access-list 110 deny ip 192.168.138.0 0.0.0.255 any
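To make the selection rule concrete, the following Python program models how a crypto ACL classifies traffic and derives the mirror-image list the peer must hold. It is an added example written for this page, not part of the handout and not Cisco code: the names Ace, parse_ace, classify, mirror and render are the author's own, the ACL text is the handout's list retyped as constructed input, and the sample source/destination pairs are constructed.

```python
"""Model of how a Cisco crypto ACL selects traffic (added example, not from the handout).

Each 'access-list N {permit|deny} ip SRC DST' line is evaluated top-down on the
source/destination pair of every packet leaving the crypto-map interface:
  permit   -> the packet must be protected by IPsec
  deny     -> the packet is sent in the clear (not dropped!)
  no match -> implicit deny: also sent in the clear
The remote peer must hold the mirror image of the list, so mirror() derives it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: str         # address
    src_wild: str    # Cisco wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wild: str


def _addr_pair(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume 'any', 'host X' or 'X WILDCARD' and return ((addr, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Tuple[int, Ace]:
    """Parse one extended ACL line of the 'ip' protocol form used in the handout."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    if tok[2] not in ("permit", "deny"):
        # IOS has no 'allow' keyword; the CLI rejects such a line as well
        raise ValueError(f"unknown action {tok[2]!r}")
    (src, sw), rest = _addr_pair(tok[4:])
    (dst, dw), _ = _addr_pair(rest)
    return int(tok[1]), Ace(tok[2], src, sw, dst, dw)


def load_acl(text: str, number: int) -> List[Ace]:
    """Collect the entries of one numbered list, in the order they were typed."""
    acl = []
    for line in text.strip().splitlines():
        num, ace = parse_ace(line)
        if num == number:
            acl.append(ace)
    return acl


def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (b & care)


def classify(acl: List[Ace], src: str, dst: str) -> str:
    """Return 'ipsec' if the first matching entry is a permit, else 'clear'."""
    for ace in acl:
        if _wild_match(src, ace.src, ace.src_wild) and _wild_match(dst, ace.dst, ace.dst_wild):
            return "ipsec" if ace.action == "permit" else "clear"
    return "clear"  # implicit deny at the end of every ACL


def mirror(acl: List[Ace]) -> List[Ace]:
    """The peer's crypto ACL (the XP filter list) must swap source and destination."""
    return [Ace(a.action, a.dst, a.dst_wild, a.src, a.src_wild) for a in acl]


def render(acl: List[Ace], number: int) -> List[str]:
    """Emit entries in IOS syntax, e.g. to compare against the peer's configuration."""
    def fmt(addr, wild):
        if wild == "255.255.255.255":
            return "any"
        if wild == "0.0.0.0":
            return f"host {addr}"
        return f"{addr} {wild}"
    return [f"access-list {number} {a.action} ip {fmt(a.src, a.src_wild)} {fmt(a.dst, a.dst_wild)}"
            for a in acl]


# The handout's list, as typed on the 1720 (constructed input in IOS syntax).
ACL_110_TEXT = """
access-list 110 permit ip 192.168.138.0 0.0.0.255 192.168.136.0 0.0.0.255
access-list 110 deny ip 192.168.138.0 0.0.0.255 any
"""
ACL_110 = load_acl(ACL_110_TEXT, 110)

if __name__ == "__main__":
    for src, dst in [("192.168.138.11", "192.168.136.11"),   # video server -> XP client
                     ("192.168.138.11", "192.168.137.1"),    # video server -> 2514 serial
                     ("192.168.137.2", "192.168.136.11")]:   # the router's own address
        print(f"{src:>15} -> {dst:<15} {classify(ACL_110, src, dst)}")
    print("\n".join(render(mirror(ACL_110), 110)))
```

Running it shows that only video-server-to-XP traffic is protected; everything else from the 138 network, and any traffic the list does not mention, leaves Serial0 in the clear. The rendered mirror list is what the XP filter (source 192.168.136.0/24, destination 192.168.138.0/24) must express.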
3. Configure the Transform Set
The transform set defines the security protocol and algorithms that will be applied to the traffic
selected by the crypto map on the interface; IPsec uses Security Associations to record which
transform applies to each protected flow. Transform sets are defined globally and referenced from
crypto maps.
3.1 Definition of the transform-set protocols
This command selects whether AH or ESP is used, and with which algorithms.
Command:
Router(config)# crypto ipsec transform-set transform-set-name transform1
[transform2 [transform3]]
Our example: ESP with DES is chosen as the encryption transform and the HMAC variant of SHA
as the authentication transform. These must match what is configured on the XP end of the
tunnel, or the IPsec SAs will not be established. (Single DES, 56-bit, is used here only because
the lab equipment supports it; it is no longer considered secure.)
Router(config)# crypto ipsec transform-set rtpset esp-des esp-sha-hmac
3.2 Specifying the mode of the transform-set
This command, entered in the transform-set sub-mode opened by the previous one, specifies the
mode in which IPsec operates (transport or tunnel; tunnel is the default).
Command:
Router(cfg-crypto-tran)# mode [tunnel | transport]
Our example:
Router(cfg-crypto-tran)# mode tunnel
4. Configure the crypto-map with IKE
4.1 Create the crypto-map with IKE
A crypto map is created by specifying the name of the map, the sequence number
of the entry and the type of key management that will be used between the two ends
(ipsec-isakmp: the IPsec SAs are negotiated by IKE).
Command:
Router(config)# crypto map map-name seq-num ipsec-isakmp
Our example:
Router(config)# crypto map rtp 1 ipsec-isakmp
4.2 Specify data traffic
Specifies the traffic to be encrypted: the traffic permitted by the access list
defined in step 2.
Command:
Router(config-crypto-map)# match address access-list-number
Our example:
Router(config-crypto-map)# match address 110
4.3 Specify the remote end of the VPN tunnel
The IP address of the remote IPsec peer is given (in our case the XP PC).
Command:
Router(config-crypto-map)# set peer {hostname | ip-address}
Our example:
Router(config-crypto-map)# set peer 192.168.136.11
4.4 Specify the transform-set to be used
Of the transform sets that have been defined, this selects the one applied to this tunnel.
Command:
Router(config-crypto-map)# set transform-set transform-set-name
Our example:
Router(config-crypto-map)# set transform-set rtpset
4.5 Activate PFS (Perfect Forward Secrecy)
PFS makes each IPsec key negotiation perform a fresh Diffie-Hellman exchange, so a compromised
key does not expose earlier or later sessions. It is deactivated by default; since it will be
enabled on the XP end ("Session key perfect forward secrecy"), it must be activated here too, or
phase 2 will fail.
Command:
Router(config-crypto-map)# set pfs [group1 | group2]
Our example (group1 is used when no group is given):
Router(config-crypto-map)# set pfs
4.6 Configure IKE
This involves three steps:
4.6.1 Enable IKE
Command:
Router(config)# crypto isakmp enable
4.6.2 Create an IKE policy (IKE encryption policy)
4.6.2.1 Define the priority
This priority is used to order the policies when there are several: the lowest
number is tried first.
Command:
Router(config)# crypto isakmp policy priority
Our example:
Router(config)# crypto isakmp policy 1
4.6.2.2 Specify the encryption algorithm used in IKE
Command:
Router(config-isakmp)# encryption {des | 3des}
Our example:
Not configured; DES is the default.
4.6.2.3 Specifying the hash algorithm
Cisco allows SHA or MD5.
Command:
Router(config-isakmp)# hash {sha | md5}
Our example:
Not configured; SHA is the default.
4.6.2.4 Specify the authentication method
Method used by the peers to authenticate each other during the key exchange. It can be
RSA signatures (rsa-sig, which needs a certification authority), RSA encrypted nonces
(rsa-encr, which needs each peer to hold the other's RSA public key) or pre-shared keys.
Command:
Router(config-isakmp)# authentication {rsa-sig | rsa-encr | pre-share}
Our example:
Router(config-isakmp)# authentication pre-share
4.6.2.5 Specify the group identifier of the Diffie-Hellman algorithm
Command:
Router(config-isakmp)# group {1 | 2}
Our example:
Not configured; group 1 (768-bit modulus) is the default, and it must also be the group
selected on the XP end ("Low (1)").
4.6.2.6 Specify the lifetime of the IKE security association
Maximum time the negotiated IKE SA is used before a new negotiation is needed. The two
peers' values must be compatible: the router accepts a peer lifetime equal to or shorter than
its own, and the shorter one is used.
Command:
Router(config-isakmp)# lifetime seconds
Our example (28800 s = 480 minutes, the Windows XP default for main mode):
Router(config-isakmp)# lifetime 28800
4.6.3 Define a key
As we have chosen pre-shared keys, the same key must be configured at each end; it is
never sent over the wire, it is used to authenticate the IKE negotiation.
Command:
Router(config)# crypto isakmp key keystring address peer-address
Our example:
Router(config)# crypto isakmp key cisco123 address 192.168.136.11
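The matching rule behind steps 4.6.2.1 to 4.6.2.6 is what decides whether phase 1 comes up, and the usual failure is one parameter left at a default on one side only. The following Python program models the comparison IOS performs when the router is the responder. It is an added example written for this page, not part of the handout and not Cisco code: IkePolicy, Proposal, negotiate, mismatches and explain_failure are the author's names, the default values in IkePolicy are the IOS defaults named in the steps above, and the XP-side proposal lists are constructed to mirror the lab settings and two plausible misconfigurations.

```python
"""Model of IKE phase 1 (ISAKMP) policy matching as IOS performs it when the router is the
responder (added example, not from the handout or from Cisco).

The router walks its own policies from the lowest priority number upwards and compares each
one with every proposal the initiator (here the XP client) sent. A match requires identical
encryption, hash, authentication and Diffie-Hellman group, and an initiator lifetime that is
less than or equal to the router's; the shorter lifetime is then used. Parameters not typed
under 'crypto isakmp policy' take the IOS defaults shown in IkePolicy.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str = "des"          # IOS default when 'encryption' is not configured
    hash: str = "sha"                # IOS default when 'hash' is not configured
    authentication: str = "rsa-sig"  # IOS default when 'authentication' is not configured
    group: int = 1                   # IOS default when 'group' is not configured
    lifetime: int = 86400            # seconds; IOS default when 'lifetime' is not configured


@dataclass(frozen=True)
class Proposal:
    """One 'key exchange security method' offered by the initiator."""
    encryption: str
    hash: str
    authentication: str
    group: int
    lifetime: int


ATTRIBUTES = ("encryption", "hash", "authentication", "group")


def mismatches(policy: IkePolicy, proposal: Proposal) -> List[str]:
    """Names of the attributes that prevent this policy/proposal pair from matching."""
    bad = [a for a in ATTRIBUTES if getattr(policy, a) != getattr(proposal, a)]
    if proposal.lifetime > policy.lifetime:
        bad.append("lifetime")
    return bad


def negotiate(responder_policies: List[IkePolicy],
              proposals: List[Proposal]) -> Optional[Tuple[IkePolicy, int]]:
    """Return (chosen policy, agreed lifetime) or None when no proposal is acceptable."""
    for policy in sorted(responder_policies, key=lambda p: p.priority):
        for proposal in proposals:
            if not mismatches(policy, proposal):
                return policy, min(policy.lifetime, proposal.lifetime)
    return None


def explain_failure(responder_policies: List[IkePolicy], proposals: List[Proposal]) -> str:
    """Report the closest policy/proposal pair: what you want when the router only logs that
    no proposal was chosen."""
    best = None
    for policy in responder_policies:
        for proposal in proposals:
            bad = mismatches(policy, proposal)
            if best is None or len(bad) < len(best[2]):
                best = (policy, proposal, bad)
    policy, proposal, bad = best
    return f"policy {policy.priority} vs {proposal}: differs in {', '.join(bad)}"


# The 1720's configuration: 'crypto isakmp policy 1' with only 'authentication pre-share'
# and 'lifetime 28800' typed, plus the implicit IOS default policy (priority 65535).
ROUTER_POLICIES = [
    IkePolicy(priority=1, authentication="pre-share", lifetime=28800),
    IkePolicy(priority=65535),
]

# Constructed XP-side settings. XP_LAB mirrors the handout: DES, SHA1, preshared key,
# DH group 1 ("Low") and the XP default of regenerating keys every 480 minutes.
XP_LAB = [Proposal("des", "sha", "pre-share", 1, 480 * 60)]
XP_3DES_ONLY = [Proposal("3des", "sha", "pre-share", 2, 480 * 60)]   # stronger, but no match
XP_LONG_LIFETIME = [Proposal("des", "sha", "pre-share", 1, 86400)]    # longer than the router's

if __name__ == "__main__":
    print("lab settings       :", negotiate(ROUTER_POLICIES, XP_LAB))
    print("3DES/group 2 only  :", explain_failure(ROUTER_POLICIES, XP_3DES_ONLY))
    print("lifetime 24 h on XP:", explain_failure(ROUTER_POLICIES, XP_LONG_LIFETIME))
```

The third case is the one worth remembering: a peer that proposes a longer lifetime than the router's 28800 s is rejected even though every algorithm matches, and the implicit default policy never helps because it authenticates with RSA signatures, not a pre-shared key.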
5. Apply the crypto-map to the end interface of the VPN tunnel
In our case the defined crypto map must be applied to the serial port of router 1720
(Serial0, the interface facing the XP client).
Command:
Router(config-if)# crypto map map-name
Our example:
Router(config)# interface Serial0
Router(config-if)# crypto map rtp
Check: after the first ping from the XP client to the video server, show crypto isakmp sa
should list the peer 192.168.136.11 in state QM_IDLE, and show crypto ipsec sa should show
the encrypted/decrypted packet counters increasing.
6. Configure the VPN connection on the PC with Windows XP following
the steps of the script "Configuring IPSec between a
Microsoft Windows XP professional (1NIC) and the VPN
router" that can be found on the web page of the
subject.
From that script, only the windows whose values in the script's example do not
match the configuration example of this practice are reproduced below, taking
into account that Windows XP is the end opposite router 1720 of the VPN tunnel.
[Screenshot: IPsec filter, Windows XP end to VPN]
[Screenshot: IPsec filter, VPN to Windows XP end]
TASK SHEET
From the following network scheme:
Router 1720: F0 192.168.138.1 (video server 192.168.138.11); S0 192.168.137.2
Frame Relay link between S0 of the 1720 and S1 of the 2514 (192.168.137.1)
Router 2514: E0 192.168.14X.1 (XP client 192.168.14X.2, where X depends on the group number)
1.- Define the subnetworks of the scheme according to the group number
2.- Physically connect the equipment
3.- Configure the Frame Relay link according to the parameters provided in the
example and the IP addresses defined in section 1
4.- Configure the VPN between the int
from Nettech Post http://bit.ly/2LIXFqw