
VPN Configuration

The configuration can be completed in FOUR steps:

Step 1: Preparing for the VPN
Step 2: Configuring IKE
Step 3: Configuring IPSec
Step 4: Allowing IPSec traffic
Step 1: Preparing for the VPN
This is a very simple step. We have to think about:
I. Which hosts will be in the VPN?
II. How many peers we have.
III. Which IKE policies to use in the configuration part.
Step 2: Configuring IKE (Phase 1)
The parameters configured at one end must match those at the other end for the VPN to work.

I. Specify the authentication method.
There are two authentication methods:
i. Pre-shared key --- requires the key to be configured manually on both peers.
ii. RSA signature --- the default on the PIX.
RSA (Rivest, Shamir, Adleman) has been a patent-free algorithm since the year 2000. It supports both encryption and digital signatures.
Syntax:
FW(config-t)# isakmp policy <policy number> authentication {pre-share | rsa-sig}

II. Specify the encryption algorithm.
The encryption algorithm protects the user data transmitted between the peers. There are three encryption algorithms:
i. DES --- Data Encryption Standard (the default).
ii. 3DES --- Triple Data Encryption Standard.
iii. AES --- Advanced Encryption Standard.
Syntax:
FW(config-t)# isakmp policy <policy number> encryption {des | 3des | aes}

III. Specify the Diffie-Hellman (DH) group.
The key exchange is done with the Diffie-Hellman algorithm only. There are three groups:
i. DH group 1 --- 768-bit --- requires less CPU time; not secure.
ii. DH group 2 --- 1024-bit --- secure.
iii. DH group 5 --- 1536-bit --- same function as groups 1 and 2; requires more CPU time and is the most secure of the three.
Syntax:
FW(config-t)# isakmp policy <policy number> group {1 | 2 | 5}

IV. Specify the hash algorithm.
The hash algorithm ensures data integrity. There are two hash algorithms:
i. SHA-1 --- Secure Hash Algorithm.
ii. MD5 --- Message Digest 5.
For example, when we download or receive a file, we can use MD5 or SHA-1 to confirm that we have the correct, unaltered file by comparing its hash with the original; this verifies the file's integrity, which is nothing but data integrity.
Both SHA-1 and MD5 compute a condensed representation of a message or data file. This condensed representation has a fixed length and is known as the message digest.
There are attacks against SHA-1 and MD5; the HMAC variant is used to prevent this.
HMAC --- Hash Message Authentication Code. An HMAC is a message authentication code calculated with an algorithm that combines a hash function with a secret key. Any hash function, such as SHA-1 or MD5, may be used in the HMAC calculation; the resulting algorithms are termed HMAC-SHA-1 and HMAC-MD5.
Syntax:
FW(config-t)# isakmp policy <policy number> hash {sha | md5}

V. Enable ISAKMP.
ISAKMP --- Internet Security Association and Key Management Protocol. It defines the procedures for authenticating the peer, creating and managing security associations, key generation techniques and threat mitigation.
Syntax:
FW(config-t)# isakmp enable outside

VI. Select the pre-shared key.
Syntax:
FW(config-t)# isakmp identity address (if we use RSA signature authentication)
FW(config-t)# isakmp key <pre-shared key> address <ip address> netmask <netmask>
ip address --- outside IP address of the other end.
netmask --- mask applied to that address: 255.255.255.255 binds the key to that single peer, while a shorter mask such as 255.255.255.0 lets every address in that range authenticate with the same key.
Verify the configuration with:
FW# show isakmp
FW# show isakmp policy
Step 3: Configuring IPSec (Phase 2)

I. Create an access list to define which traffic to encrypt.
Syntax:
FW(config-t)# access-list <access-list number> permit ip <ipaddress1> <netmask1> <ipaddress2> <netmask2>
ipaddress1 --- LAN segment on our side
netmask1 --- netmask of ipaddress1
ipaddress2 --- LAN segment on the other side
netmask2 --- netmask of ipaddress2

II. Configure the transform set --- the combination of encryption and hash algorithms used to protect the traffic.
Syntax:
FW(config-t)# crypto ipsec transform-set <set-name> {esp-des | esp-3des | esp-aes} {esp-md5-hmac | esp-sha-hmac}

III. Configure the IPSec SA lifetime.
Syntax:
FW(config-t)# crypto ipsec security-association lifetime seconds <seconds>

IV. Create a crypto map entry.
Syntax:
FW(config-t)# crypto map <map-name> <number> ipsec-isakmp
map-name --- a name for the crypto map set
number --- the policy number we gave in step 2 (used here as the entry's sequence number)
FW(config-t)# crypto map <map-name> <number> match address <access-list number>
access-list number --- the number from step 3.I
FW(config-t)# crypto map <map-name> <number> set transform-set <set-name>
set-name --- the name given in step 3.II
FW(config-t)# crypto map <map-name> <number> set peer <ip address>
ip address --- outside IP address of the other end.

V. Apply the crypto map set to the outside interface.
Syntax:
FW(config-t)# crypto map <map-name> interface outside

VI. Exclude VPN traffic from NAT.
Syntax:
FW(config-t)# nat (inside) 0 access-list <access-list number>
access-list number --- the number from step 3.I

Step 4: Allowing IPSec traffic
Syntax:
FW(config-t)# sysopt connection permit-ipsec

Example:
[Topology figure: LAN 1 172.23.9.0 --- FW1 (inside / outside) --- Internet --- FW2 (outside / inside 10.5.6.1) --- LAN 2 10.5.6.0]

The crypto map name VPNMAP used below is an arbitrary label for the map set.

FW1:
# isakmp policy 123 authentication pre-share
# isakmp policy 123 encryption 3des
# isakmp policy 123 group 2
# isakmp policy 123 hash md5
# isakmp enable outside
# isakmp key ABCDEFG address 14.15.16.17 netmask 255.255.255.0
# access-list 111 permit ip 172.23.9.0 255.255.255.0 10.5.6.0 255.255.255.0
# crypto ipsec transform-set Suri esp-3des esp-md5-hmac
# crypto ipsec security-association lifetime seconds 1000
# crypto map VPNMAP 123 ipsec-isakmp
# crypto map VPNMAP 123 match address 111
# crypto map VPNMAP 123 set transform-set Suri
# crypto map VPNMAP 123 set peer 14.15.16.17
# crypto map VPNMAP interface outside
# nat (inside) 0 access-list 111
# sysopt connection permit-ipsec
FW2:
# isakmp policy 321 authentication pre-share
# isakmp policy 321 encryption 3des
# isakmp policy 321 group 2
# isakmp policy 321 hash md5
# isakmp enable outside
# isakmp key ABCDEFG address 22.23.24.25 netmask 255.255.255.0
# access-list 222 permit ip 10.5.6.0 255.255.255.0 172.23.9.0 255.255.255.0
# crypto ipsec transform-set Suriims esp-3des esp-md5-hmac
# crypto ipsec security-association lifetime seconds 1000
# crypto map VPNMAP 321 ipsec-isakmp
# crypto map VPNMAP 321 match address 222
# crypto map VPNMAP 321 set transform-set Suriims
# crypto map VPNMAP 321 set peer 22.23.24.25
# crypto map VPNMAP interface outside
# nat (inside) 0 access-list 222
# sysopt connection permit-ipsec
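The two ends must agree on every phase-1 and phase-2 parameter, and the example above also carries two choices a reviewer would flag (MD5 and a /24 pre-shared-key mask). As an added example that is not part of the page, this Python audit parses the FW1 and FW2 commands (restated without prompts, with the map name VPNMAP assumed) and reports mismatches, non-mirrored crypto ACLs, weak algorithms and a key mask that covers more than the single peer.

```python
# Added audit (not from the page); FW1/FW2 are the page's commands, VPNMAP an assumed map name.
FW1 = """isakmp policy 123 authentication pre-share
isakmp policy 123 encryption 3des
isakmp policy 123 group 2
isakmp policy 123 hash md5
isakmp key ABCDEFG address 14.15.16.17 netmask 255.255.255.0
access-list 111 permit ip 172.23.9.0 255.255.255.0 10.5.6.0 255.255.255.0
crypto ipsec transform-set Suri esp-3des esp-md5-hmac
crypto map VPNMAP 123 set peer 14.15.16.17"""
FW2 = """isakmp policy 321 authentication pre-share
isakmp policy 321 encryption 3des
isakmp policy 321 group 2
isakmp policy 321 hash md5
isakmp key ABCDEFG address 22.23.24.25 netmask 255.255.255.0
access-list 222 permit ip 10.5.6.0 255.255.255.0 172.23.9.0 255.255.255.0
crypto ipsec transform-set Suriims esp-3des esp-md5-hmac
crypto map VPNMAP 321 set peer 22.23.24.25"""
# Phase-1 options the page itself marks as weak, plus MD5, which is broken in practice.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}

def parse(cfg):
    # Pull the phase-1 policy, pre-shared-key mask, crypto ACL and transform set.
    c = {"ike": {}, "keymask": None, "acl": None, "tset": None}
    for w in (ln.split() for ln in cfg.splitlines() if ln.strip()):
        if w[:2] == ["isakmp", "policy"]:
            c["ike"][w[3]] = w[4]          # authentication / encryption / group / hash
        elif w[:2] == ["isakmp", "key"]:
            c["keymask"] = w[6]            # ... address <peer> netmask <mask>
        elif w[0] == "access-list":
            c["acl"] = tuple(w[4:8])       # src, src-mask, dst, dst-mask
        elif w[1:3] == ["ipsec", "transform-set"]:
            c["tset"] = tuple(w[4:])       # algorithms only; the set name is local
    return c

def audit(a, b):
    # Return findings; an empty list means both ends agree and nothing weak is used.
    f = []
    for k in ("authentication", "encryption", "group", "hash"):
        if a["ike"].get(k) != b["ike"].get(k):
            f.append(f"phase-1 {k} mismatch: {a['ike'].get(k)} vs {b['ike'].get(k)}")
    if a["tset"] != b["tset"]:
        f.append(f"transform-set mismatch: {a['tset']} vs {b['tset']}")
    s, sm, d, dm = a["acl"]  # FW2's crypto ACL must be the mirror image of FW1's
    if b["acl"] != (d, dm, s, sm):
        f.append("crypto ACLs are not mirror images")
    for side, c in (("FW1", a), ("FW2", b)):
        f += [f"{side}: weak phase-1 {k} {v}" for k, v in c["ike"].items() if v in WEAK.get(k, ())]
        if c["keymask"] != "255.255.255.255":
            f.append(f"{side}: key netmask {c['keymask']} matches a whole range of peers")
    return f
```

Run `audit(parse(FW1), parse(FW2))` to list the findings; on the page's configuration it reports only the MD5 hash and the 255.255.255.0 key mask on each side.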

C:\>ping 10.128.6.100

Pinging 10.128.6.100 with 32 bytes of data:

Reply from 10.128.6.100: bytes=32 time=340ms TTL=249
Reply from 10.128.6.100: bytes=32 time=314ms TTL=249
Reply from 10.128.6.100: bytes=32 time=314ms TTL=249
Reply from 10.128.6.100: bytes=32 time=315ms TTL=249

Ping statistics for 10.128.6.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 314ms, Maximum = 340ms, Average = 320ms
