Tuesday, May 29, 2012

IPSec VPN Configuration


FACT SHEET – VPN IPSEC (Cisco based)


  1. Understanding VPN components – IPSec and encryption (data integrity)
    1. Defining a VPN
    2. Understanding the need for encryption
    3. Types of encryption
  2. VPN benefits
    1. Cheaper connections
    2. Available anywhere
    3. Heavily encrypted and secure
    4. Many-to-many connections
  3. The world of IPSec
    1. Authentication
    2. Data integrity
    3. Confidentiality
    4. Anti-replay
  4. IPSec components
    1. Negotiation protocol – AH, ESP
    2. Encryption – DES, 3DES, AES
    3. Authentication – MD5, SHA-1
    4. Protection – DH groups 1, 2, 5, 7
  5. IPSec modes of communication
    1. Transport mode
    2. Tunnel mode
  6. Two types of encryption keys
    1. Symmetric and asymmetric keys
    2. Security over a public network
    3. Mixed approach
    4. Encryption algorithms used today
      i. DES (64/56), 3DES (168), AES (128, 192, 256), RSA (512, 768, 1024) and DH (768, 1024, 1536)
  7. Key IPSec negotiation protocols
    1. AH – authentication, data integrity
    2. ESP – encryption, authentication, data integrity
  8. IPSec negotiation process
    1. Interesting traffic triggers the VPN
    2. IKE phase 1
    3. IKE phase 2
    4. Data transfer
    5. VPN teardown
  9. Interesting traffic decision
    1. Encrypt using IPSec
    2. Send in clear text
    3. Discard
  10. IKE phase 1
    1. Exchange the negotiation policy (policy list [pre-share, DH, AES…])
    2. Exchange DH keys
    3. Identity verification
  11. IKE phase 2
    1. IPSec transform set and encryption keys negotiated and exchanged
    2. Lifetime
  12. Designing IKE phase 1 (IKE phase 1 focuses on establishing authentication and a secure tunnel for the IKE phase 2 exchange)
    1. Required elements
      i. Remote peer IP or hostname
      ii. Key distribution method
      iii. Authentication method
      iv. Encryption algorithm
      v. Hash algorithm
      vi. Lifetime

    IKE phase 1 parameters (identical on both sides):

    Parameter        Side A IKE1    Side B IKE1
    Encryption       AES-128        AES-128
    Hashing          SHA-1          SHA-1
    Authentication   Pre-Shared     Pre-Shared
    DH Level         2              2
    Lifetime         86400          86400

  13. Designing the IKE phase 2 policy (IKE phase 2 focuses on establishing the secure IPSec tunnel for data transfer)
    1. Required elements
      i. Transform set
      ii. Interesting traffic designation
      iii. IPSec crypto map

    IKE phase 2 parameters (identical on both sides):

    Parameter        Side A IKE2    Side B IKE2
    Encryption       ESP-AES        ESP-AES
    Hashing          ESP-SHA-HMAC   ESP-SHA-HMAC

  14. IKE phase 1 configuration
    1. Enable ISAKMP: Router(config)#crypto isakmp enable
    2. Create an ISAKMP policy: Router(config)#crypto isakmp policy <1-10000>
    3. Router(config)#crypto isakmp policy 100
      i. Router(config-isakmp)#encryption aes 128
      ii. Router(config-isakmp)#authentication pre-share
      iii. Router(config-isakmp)#group 2
      iv. Router(config-isakmp)#hash sha
    4. Configure the ISAKMP identity: Router(config)#crypto isakmp identity <address/hostname>
    5. Configure pre-shared keys: Router(config)#crypto isakmp key <key> address <remote_ip>
  15. IKE phase 2 configuration
    1. Create transform sets: Router(config)#crypto ipsec transform-set <name> <methods>
      i. Router(config)#crypto ipsec transform-set TEST esp-aes 128 esp-sha-hmac
    2. (optional) Configure the IPSec SA lifetime: Router(config)#crypto ipsec security-association lifetime <seconds|kilobytes> <value>
    3. Create mirrored ACLs defining the traffic to be encrypted and the traffic expected to be received encrypted
    4. Set up the IPSec crypto map: Router(config)#crypto map <name> <seq> ipsec-isakmp
      i. Router(config)#crypto map TESTING 100 ipsec-isakmp
        1. Router(config-crypto-map)#match address <acl>
        2. Router(config-crypto-map)#set peer <remote_ip>
        3. Router(config-crypto-map)#set pfs <group1|group2|group5>
        4. Router(config-crypto-map)#set transform-set <set>
  16. Verification commands
    1. show crypto isakmp policy
    2. show crypto ipsec transform-set
    3. show crypto ipsec sa
    4. show crypto map
    5. debug crypto isakmp
    6. debug crypto ipsec

5 comments:

  1. Thanks for sharing this IPSec VPN Configuration process. I really appreciate your work. I share this link to Digg as well as Facebook and Twitter because this information helps everyone.

  2. This guide is really valuable. It will help people to do IPSec VPN Configuration. Well, recently I have been struggling to find a list of the best VPNs of 2017 for personal use. Do you know any good service that works on both Windows and Android?

  3. I need to do some research on this; it's not on top of my mind.
