An ACL is used to specify which types of traffic are to be placed into the VPN tunnel.
If the VPN tunnel has not yet been established, the first packet of interesting traffic will trigger its setup.
IKE phase 1 is performed in either main mode or aggressive mode.
IKE transform set negotiation, Diffie-Hellman public key exchange, and peer authentication take place in this step.
IKE transform sets are composed of the following parameters:
Candidate transform sets are selected by lowest policy number.
IKE quick mode is used to negotiate IPsec transform sets and establish IPsec security associations (SAs); because SAs are unidirectional, one is established in each direction.
IKE also monitors and reestablishes SAs as needed.
Optionally, IKE quick mode can also perform additional Diffie-Hellman key exchanges when active keys expire.
IPsec transform sets (similar to IKE transform sets) include the following parameters:
The Security Association Database (SAD) maps SAs to peers by their Security Parameter Index (SPI).
The Security Policy Database (SPD) contains the security parameters (transform set) that were agreed upon for each SA.
Interesting traffic is encrypted and/or authenticated through the IPsec tunnel.
If the SA key has expired, the SA is torn down and a new one is established if more traffic needs to be passed.
Tunnels can also be manually deleted by an administrator.
Upon tunnel termination, all SA information for that tunnel is removed from the SAD and SPD.
Define an IKE transform set:
crypto isakmp policy 10
encryption des
hash md5
authentication pre-share
group 1
lifetime 3600
!
crypto isakmp key 0 <secret key> address 192.168.100.1
An example defining ESP with 256-bit AES encryption and SHA-1 authentication in tunnel mode:
crypto ipsec transform-set Foo esp-aes 256 esp-sha-hmac
mode tunnel
Optionally, a lifetime for the SA can be configured:
crypto ipsec security-association lifetime seconds 1800
An extended ACL is configured to match interesting traffic.
access-list 123 permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.255.255
crypto map Tyler 10 ipsec-isakmp
match address 123
set peer 1.2.3.4
set transform-set Foo
interface Serial 0/0
! subnet mask assumed (IOS rejects "ip address" without one)
ip address 192.168.200.1 255.255.255.0
crypto map Tyler
Optionally configure ACLs on public-facing interfaces to only accept IPsec traffic from expected sources.
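As an added example (not part of the original notes), a small Python audit of a config in the shape shown above: it parses the same IOS crypto commands, flags the weak IKE policy values used in the example (DES, MD5, DH group 1) and checks that each crypto map entry's ACL, transform set and peer pre-shared key are actually defined. SAMPLE_CONFIG, the key value EXAMPLE_KEY and the weak-algorithm lists are constructed assumptions.

```python
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption des
 hash md5
 group 1
crypto isakmp key 0 EXAMPLE_KEY address 192.168.100.1
crypto ipsec transform-set Foo esp-aes 256 esp-sha-hmac
access-list 123 permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.255.255
crypto map Tyler 10 ipsec-isakmp
 match address 123
 set peer 1.2.3.4
 set transform-set Foo
"""
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def audit_crypto_config(text):
    # Returns a list of finding strings: weak algorithms and dangling crypto-map references.
    findings, key_peers, acls, tsets, maps, ctx = [], set(), set(), set(), {}, None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if not raw.startswith(" "):       # a top-level command ends any sub-mode
            ctx = None
        if w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = ("policy", w[3])
        elif w[:3] == ["crypto", "isakmp", "key"] and "address" in w:
            key_peers.add(w[w.index("address") + 1])   # peer this pre-shared key is for
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets.add(w[3])
            for alg in sorted(set(w[4:]) & WEAK_ESP):
                findings.append(f"transform-set {w[3]}: weak {alg}")
        elif w[0] == "access-list":
            acls.add(w[1])
        elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
            ctx = ("map", f"{w[2]} {w[3]}")
            maps[ctx[1]] = {}
        elif ctx and ctx[0] == "policy" and len(w) == 2 and w[1] in WEAK_IKE.get(w[0], ()):
            findings.append(f"isakmp policy {ctx[1]}: weak {w[0]} {w[1]}")
        elif ctx and ctx[0] == "map" and len(w) == 3:
            maps[ctx[1]][w[1]] = w[2]     # match address / set peer / set transform-set
    for name, e in maps.items():          # every crypto map entry must reference real objects
        if e.get("address") not in acls:
            findings.append(f"crypto map {name}: ACL {e.get('address')} not defined")
        if e.get("transform-set") not in tsets:
            findings.append(f"crypto map {name}: transform-set {e.get('transform-set')} not defined")
        if e.get("peer") not in key_peers:
            findings.append(f"crypto map {name}: no isakmp key configured for peer {e.get('peer')}")
    return findings
```

Run against SAMPLE_CONFIG it reports the three weak policy values and that peer 1.2.3.4 has no pre-shared key, which is the mismatch between the isakmp key address and the set peer line in the notes above.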