1.2 1. LAN - To - LAN VPN Using Crypto Maps

Uploaded by minhtut.aws

LAN – To – LAN VPN using Crypto Maps
KHAWAR BUTT
CCIE # 12353 [R/S, SECURITY, SP, DC, VOICE, STORAGE & CCDE]
Outline
Overview
Encryption Overview
IPSec Overview
IPSec LAN – To – LAN Tunnel – Policy Based


Encryption - Basic

Manual Encryption Key
A common key, which exists on both sides, is used to encrypt and decrypt data.
If the same key is used to send a lot of data, an intruder in the middle can collect the data and run it against a brute-force dictionary attack, reverse engineering the key by matching the combinations of characters against words in the dictionary.
Dynamic Key Generation
To counter this, you need to change the key used for encryption and decryption frequently.
This can be done manually, but it is very cumbersome.
A mechanism was developed to generate the key automatically on a frequent basis. This mechanism is known as Diffie-Hellman (DH).
The purpose of DH is to generate a key for data encryption on a frequent basis. The default on a Cisco router is every 3600 seconds [1 hour].
Each device generates its own key.
Key Exchange Tunnel
The keys generated by DH need to be exchanged between the 2 entities. Entity A requires Entity B's key to decrypt data from B to A, and vice versa.
A secure tunnel is required to encrypt the key exchange.
A secure tunnel requires 3 components:
o A Key – this key is used to encrypt the key generated by Diffie-Hellman. It is known as the Pre-shared Key. It is configured manually on both sides and needs to match.
o Encryption mechanism [DES, 3DES, AES] - Data Confidentiality
o Hash mechanism [MD5, SHA] - Data Integrity

To exchange the keys that are going to be used for data encryption and decryption, a protocol was developed.
The protocol is called ISAKMP / IKE [UDP/500]. The purpose of this protocol is to securely exchange the keys.
Data Encryption Tunnel
Once the keys are generated and exchanged, you are ready for the Data Tunnel. The first tunnel now goes into IDLE state.
A new tunnel needs to be set up for the Data Tunnel.
This tunnel also requires the 3 parameters [Key, Encryption, Hash].
The key used for this tunnel is the dynamically generated key that was exchanged in the first tunnel.
You need to define the Encryption and Hash parameters for this tunnel as well.
The protocol used for this tunnel is ESP [IP Protocol 50].
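The Diffie-Hellman step described in the Dynamic Key Generation and Key Exchange Tunnel sections, worked through in Python as an added example (not part of the deck): both endpoints generate their own private value over the 1024-bit MODP prime of Oakley group 2 (RFC 2409, the group the deck selects with "group 2"), exchange only the public values, and arrive at the same shared secret, from which per-tunnel keying material is derived with a nonce-keyed PRF. The PRF is modelled loosely on IKE's SKEYID and is not a byte-exact reproduction; class and function names are this example's own, and a Miller-Rabin self-check guards the transcribed constant.

```python
"""
Added example, not from the slide deck: a Diffie-Hellman exchange over the
1024-bit MODP prime of Oakley group 2 (RFC 2409). Each side keeps its private
value, sends only g^x mod p, and both arrive at the same shared secret;
per-tunnel keying material is then derived with a nonce-keyed PRF (modelled
loosely on IKE's SKEYID, not a byte-exact reproduction).
"""
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2, "Second Oakley Group": 1024-bit MODP prime, generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin self-check so a mistyped group constant is noticed."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class DHParty:
    """One tunnel endpoint: generates its own key pair, as the deck says."""

    def __init__(self, p=GROUP2_P, g=GROUP2_G):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 2) + 1   # x: never leaves the box
        self.public = pow(g, self.private, p)          # g^x mod p: sent to the peer

    def shared_secret(self, peer_public):
        # Reject 0, 1 and p-1, which would force a trivial shared secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.p)


def derive_key(shared, nonce_i, nonce_r, length=24):
    """PRF(Ni | Nr, g^xy) -> keying material (24 bytes suits the deck's 3DES)."""
    secret = shared.to_bytes((GROUP2_P.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, secret, hashlib.sha256).digest()[:length]


def run_exchange():
    """Return (secrets agree?, key derived by A, key derived by B)."""
    a, b = DHParty(), DHParty()
    s_a = a.shared_secret(b.public)   # A uses B's public value
    s_b = b.shared_secret(a.public)   # B uses A's public value
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    return s_a == s_b, derive_key(s_a, ni, nr), derive_key(s_b, ni, nr)


if __name__ == "__main__":
    agree, k_a, k_b = run_exchange()
    print("shared secret agrees:", agree, "| key:", k_a.hex())
```

Running run_exchange() twice yields two unrelated keys, which is the property the deck relies on when it rekeys every lifetime interval: a fresh exchange never reuses the previous key. The range check in shared_secret is the part a practitioner most often forgets; without it a peer can send 0, 1 or p-1 and collapse the shared secret to a known value.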
IPSec Tunnels

IPSec LAN – To – LAN Tunnels
Policy Based tunnels are tunnels that are configured by specifying the Interesting Traffic [traffic that needs to be encrypted] using a Policy [ACL].
If the traffic matches the Policy [ACL], it is encapsulated within the ESP header. The outer header will carry the public IP addresses of the tunnel endpoints.
The drawback is that every time a new network is added, the ACL needs to be modified on both ends.
IPSec LAN – To – LAN Tunnel
Configure an IPSec LAN – To – LAN VPN to encrypt the traffic between the internal private networks.
L2L IPSec VPN – Step # 1
Step 1. Configure Phase I Parameters

R1
! Phase I (ISAKMP) policy; the peer must offer a matching policy
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
! Pre-shared key for the peer at R2's public address
crypto isakmp key cisco123 address 200.1.1.1

R2
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption 3des
 group 2
! Pre-shared key for the peer at R1's public address
crypto isakmp key cisco123 address 199.1.1.1
L2L IPSec VPN – Step # 2
Step 2. Configure Phase II Parameters

R1
! Phase II transform set: ESP encryption and hash for the data tunnel
crypto ipsec transform-set TSET esp-3des esp-sha-hmac

R2
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
L2L IPSec VPN – Step # 3
Step 3. Configure the Interesting Traffic ACL, also known as the “Crypto ACL”

R1
! Local private network to remote private network; R2's ACL is the mirror image
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

R2
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
L2L IPSec VPN – Step # 4
Step 4. Link the Above Parameters to each other using a Crypto Map.

R1
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 200.1.1.1
 set transform-set TSET

R2
crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 199.1.1.1
 set transform-set TSET
L2L IPSec VPN – Step # 5
Step 5. Apply the Crypto Map to the Outgoing Interface

R1
interface Ethernet0/0
 crypto map CMAP

R2
interface Ethernet0/0
 crypto map CMAP
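Steps 1 to 5 above, together with the drawback noted under Policy Based tunnels (the crypto ACL must be changed on both ends), as an added Python example that is not part of the deck: render() emits one router's side of the configuration from a parameter set, and check_pair() reads two IOS snippets and verifies the pairing rules the deck states (matching pre-shared key, ISAKMP key and crypto map peer pointing at the other side's public address, identical transform set, mirrored crypto ACL, crypto map applied on the interface). Site, render, parse and check_pair are this example's names; the addresses, key and policy values are the deck's. The deck's 3DES, MD5 and DH group 2 choices are reproduced as given; they are legacy selections, and current Cisco guidance is AES, SHA-2 and DH group 14 or higher.

```python
"""
Added example, not from the slide deck: render one side of the deck's L2L
VPN from a parameter set, and check two IOS snippets against the pairing
rules the deck states. Site, render, parse and check_pair are this example's
own names; addresses, key and policy values are the deck's.
"""
import re
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    public_ip: str    # tunnel endpoint address (outer ESP header)
    lan: str          # protected private network
    wildcard: str     # IOS inverse mask for the crypto ACL


def render(local, remote, psk, iface="Ethernet0/0"):
    """Emit one side of the L2L VPN, mirroring the deck's Steps 1-5."""
    return "\n".join([
        "crypto isakmp policy 10",                                # Step 1
        " authentication pre-share",
        " hash md5",
        " encryption 3des",
        " group 2",
        f"crypto isakmp key {psk} address {remote.public_ip}",
        "crypto ipsec transform-set TSET esp-3des esp-sha-hmac",  # Step 2
        f"access-list 101 permit ip {local.lan} {local.wildcard} "
        f"{remote.lan} {remote.wildcard}",                        # Step 3
        "crypto map CMAP 10 ipsec-isakmp",                        # Step 4
        " match address 101",
        f" set peer {remote.public_ip}",
        " set transform-set TSET",
        f"interface {iface}",                                     # Step 5
        " crypto map CMAP",
        "",
    ])


def parse(cfg):
    """Extract the fields the pairing rules depend on from a config snippet."""
    key = re.search(r"^crypto isakmp key (\S+) address (\S+)", cfg, re.M)
    ts = re.search(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)
    peer = re.search(r"^\s*set peer (\S+)", cfg, re.M)
    cmap = re.search(r"^crypto map (\S+) \d+ ipsec-isakmp", cfg, re.M)
    iface = re.search(r"^interface \S+\n\s*crypto map (\S+)", cfg, re.M)
    acl = [m.groups() for m in re.finditer(
        r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)]
    if not all((key, ts, peer, cmap, iface)) or not acl:
        raise ValueError("snippet is missing one of the five steps")
    return {"psk": key.group(1), "key_peer": key.group(2),
            "transform": ts.group(2).split(), "map_peer": peer.group(1),
            "map_name": cmap.group(1), "applied_map": iface.group(1),
            "acl": acl}


def check_pair(cfg_a, cfg_b, ip_a, ip_b):
    """Return the list of pairing problems; an empty list means the sides agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if (a["key_peer"], a["map_peer"]) != (ip_b, ip_b):
        problems.append("side A does not point at side B's address")
    if (b["key_peer"], b["map_peer"]) != (ip_a, ip_a):
        problems.append("side B does not point at side A's address")
    if a["transform"] != b["transform"]:
        problems.append("transform sets differ")
    # The deck's drawback: a network added on one side only breaks the mirror.
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in b["acl"]}
    if set(a["acl"]) != mirrored:
        problems.append("crypto ACLs are not mirror images")
    for side, p in (("A", a), ("B", b)):
        if p["applied_map"] != p["map_name"]:
            problems.append(f"side {side}: crypto map not applied on the interface")
    return problems


# The deck's topology: R1 at 199.1.1.1 fronting 10.1.0.0/16, R2 at 200.1.1.1
# fronting 10.2.0.0/16, pre-shared key cisco123.
R1 = Site("R1", "199.1.1.1", "10.1.0.0", "0.0.255.255")
R2 = Site("R2", "200.1.1.1", "10.2.0.0", "0.0.255.255")
R1_CFG = render(R1, R2, "cisco123")
R2_CFG = render(R2, R1, "cisco123")

if __name__ == "__main__":
    print(R1_CFG)
    print("problems:", check_pair(R1_CFG, R2_CFG, R1.public_ip, R2.public_ip))
```

check_pair() works on any snippet containing the five pieces, not only on render() output, so it can be pointed at the relevant lines of two running configurations before a tunnel is brought up; an ACL entry added on only one router, the failure the deck warns about, shows up as "crypto ACLs are not mirror images" rather than as a tunnel that silently never forms for the new network.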