Configuring Site-to-Site VPNs

ItsMe
Nov 3, 2022

Network Topology
Network Addressing Table

In this exercise, we will be configuring a site-to-site IPsec Virtual Private Network (VPN) between R1 and R3 according to the topology shown above. The table below it lists all the interfaces used in the topology and their respective IP addresses. It is worth noticing that the three PCs in the topology live on different subnets based on their IP addresses, and so do the router interfaces. For this exercise, we will be creating IPsec tunnels using pre-shared ISAKMP keys.

An IPsec tunnel has the following features: it hashes the data carried inside it to verify integrity, it supports pre-shared keys or digital signatures for peer authentication, it encrypts the data sent through the tunnel, and it provides anti-replay protection by applying sequence numbers to the packets sent. IPsec operates in two main modes, tunnel mode and transport mode. Transport mode encapsulates only the payload of the packet and keeps the original packet headers during transit. Tunnel mode, on the other hand, encapsulates the entire packet. To use IPsec with pre-shared keys, the keys are set up using Internet Key Exchange (IKE) and the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP is used for router-to-router VPN tunnels, where IKE will not be required, as in our topology above. IKE is used when a router also has to support client-to-site peering.

This is what we will be covering in this exercise: enabling the required security features, configuring IPsec parameters on R1 and R3, and verifying our connection and encapsulation.

Part 1: Enabling Security Features

I used Cisco 4321 routers in my topology. Since they did not come with any serial interfaces, I had to add a NIM-2T module to each router, which gave me two serial interfaces to work with. After that I laid out the switches and PCs and connected them with the appropriate cables. Be mindful of the clock end of the serial cables, as this gave me issues during my configuration. To see which security packages are installed and their current status on the router, issue the command show version on R1's CLI in EXEC mode and look for the section shown below:

Technology Information on R1

We are interested in the security package of the router. On my router, securityk9 came enabled by default. To enable it on your router, issue the following commands:
· configure terminal
· license boot module c4300 technology-package securityk9 (c4300 is the Cisco router series)
· end
· copy running-config startup-config
· reload
Repeat the steps on R3 after completing them on R1.

Part 2: Configuring IPSec Parameters

Ensure you have assigned IP addresses to all the necessary interfaces on all the devices. Refer to the table provided at the beginning of this document for a breakdown of the IP addresses to assign. Once the IPs have been assigned, it is good practice to try a ping from one end point to the rest. This will confirm there is connectivity between the subnets. However, you will notice that the devices cannot send packets to other subnets; they are being dropped at the router. This means that the router has no knowledge of the subnets that live on the interfaces of the other routers. Switches perform this operation automatically since they have MAC address tables. Routers, however, need to learn routes and neighbours. I got around this by setting up Open Shortest Path First (OSPF) on the routers. I picked OSPF because I have knowledge of it and I had a cheat sheet that helped me with the commands to use. OSPF works using areas, such that one router has a map of a specific pre-configured area and can then share this information with its OSPF neighbours. Thus, I came up with three areas for the three networks, and R2 was the Area Border Router for the three areas. Once this was configured, the PCs were able to ping each other, allowing me to move to the next step. Setting up OSPF, however, is not in the scope of this article.

We now configure R1 with an Access Control List (ACL) that tells it when to use the IPsec tunnel. This is needed because we do not plan on using an IPsec tunnel when communicating with PC-B, but only when communicating with PC-C. Use this command to configure the ACL on R1:
R1(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

We now configure the ISAKMP policy and the IPsec tunnel that will make use of this ACL. Refer to the image below for the parameters to be set on R1 and R3.

ISAKMP and IPsec Parameters

Configure ISAKMP Phase 1 properties on R1:

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco address 10.2.2.2

Configure ISAKMP Phase 2 properties on R1:

R1(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to R3
R1(config-crypto-map)# set peer 10.2.2.2
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit

We reference the ACL when configuring Phase 2, with the match address command followed by the ACL number. We then need to bind the crypto map we created, VPN-MAP, to the appropriate serial interface.

R1(config)# interface S0/1/0
R1(config-if)# crypto map VPN-MAP

Part 3: Configure IPsec Parameters on R3

The configuration is a near mirror of that on R1; the only details that change are the order of the source and destination networks in the ACL and the peer address, which on R3 is R1's serial interface.

Create the access control list on R3.

R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
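The crypto ACLs on R1 and R3 decide which flows are encrypted, and the two must be exact mirrors of each other or the Phase 2 proxy identities will not agree. The following script is an added example (not part of the original post) that checks both conditions with the ACLs above; the host addresses for PC-A, PC-B and PC-C are assumed, since only the /24 networks appear on the page.

```python
import ipaddress
from typing import NamedTuple

# Added example, not from the original post. The two ACL lines are copied from
# the R1 and R3 configuration; the PC host addresses are assumptions.
R1_ACL = "access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255"
R3_ACL = "access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255"
PC_A, PC_B, PC_C = "192.168.1.3", "192.168.2.3", "192.168.3.3"  # assumed hosts


class CryptoAclEntry(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network.
    Wildcard bit 0 = must match, 1 = don't care; only contiguous wildcards
    (0.0.0.255, 0.0.255.255, ...) correspond to a prefix length."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if (wild + 1) & wild:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network(f"{addr}/{32 - wild.bit_length()}", strict=False)


def parse_crypto_acl(line: str) -> CryptoAclEntry:
    """Parse the 'access-list N permit ip SRC SWILD DST DWILD' form used on this page."""
    tok = line.split()
    i = tok.index("ip")
    return CryptoAclEntry(wildcard_to_network(tok[i + 1], tok[i + 2]),
                          wildcard_to_network(tok[i + 3], tok[i + 4]))


def selects_for_ipsec(acl_line: str, src_ip: str, dst_ip: str) -> bool:
    """True if a packet src_ip -> dst_ip matches the crypto ACL, i.e. gets encrypted."""
    entry = parse_crypto_acl(acl_line)
    return (ipaddress.IPv4Address(src_ip) in entry.src
            and ipaddress.IPv4Address(dst_ip) in entry.dst)


def is_mirror(local_acl: str, remote_acl: str) -> bool:
    """Each peer's crypto ACL must be the exact reverse of the other's; otherwise
    the Phase 2 proxy identities disagree and the tunnel does not come up."""
    a, b = parse_crypto_acl(local_acl), parse_crypto_acl(remote_acl)
    return a.src == b.dst and a.dst == b.src


if __name__ == "__main__":
    print("PC-A -> PC-C encrypted:", selects_for_ipsec(R1_ACL, PC_A, PC_C))  # True
    print("PC-A -> PC-B encrypted:", selects_for_ipsec(R1_ACL, PC_A, PC_B))  # False
    print("R3 ACL mirrors R1 ACL:", is_mirror(R1_ACL, R3_ACL))              # True
```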

Configure Phase 1 of ISAKMP policy.

R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# exit
R3(config)# crypto isakmp key cisco address 10.1.1.2

Configure Phase 2 of ISAKMP policy.

R3(config)# crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
R3(config)# crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)# description VPN connection to R1
R3(config-crypto-map)# set peer 10.1.1.2
R3(config-crypto-map)# set transform-set VPN-SET
R3(config-crypto-map)# match address 110
R3(config-crypto-map)# exit

Bind the VPN map to the correct serial interface.

R3(config)# interface S0/0/1
R3(config-if)# crypto map VPN-MAP

Part 4: Verify the IPsec VPN

Issue the command show crypto ipsec sa on R1's CLI in EXEC mode to see the details of the security association we created. Initially, the packet counters for the tunnel will be 0, since no traffic has been sent through it yet.

If we now send a ping from PC-A to PC-C, we will see the #pkts encaps/#pkts encrypt and #pkts decaps/#pkts decrypt counters increase in the IPsec SA details. This can be seen in the image below.

IPsec tunnel after transmission of packets to PC-C

If we now send a ping from PC-A to PC-B and monitor the number of packets that have gone through the tunnel, they won't change, since we have not set up the tunnel for traffic to PC-B.
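The verification in this part comes down to reading the counter lines of show crypto ipsec sa before and after a ping. The script below is an added example (not part of the original post) that parses those lines and decides whether a flow was really carried by the tunnel in both directions; the two outputs are constructed in the IOS format with the addresses from this lab, so the real output will differ in detail.

```python
import re

# Added example, not from the original post. SA_BEFORE/SA_AFTER are constructed
# 'show crypto ipsec sa' excerpts for R1, before and after a ping PC-A -> PC-C.
SA_BEFORE = """\
interface: Serial0/1/0
    Crypto map tag: VPN-MAP, local addr 10.1.1.2

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
SA_AFTER = SA_BEFORE.replace(": 0", ": 4")  # constructed: four echoes and replies

COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")


def parse_sa(output: str) -> dict:
    """Return the six packet counters plus the proxy identities the SA protects."""
    sa = {name: int(n) for name, n in COUNTER_RE.findall(output)}
    for side, addr, mask in IDENT_RE.findall(output):
        sa[f"{side}_ident"] = f"{addr}/{mask}"
    return sa


def tunnel_carried_traffic(before: dict, after: dict) -> bool:
    """A flow really went through the tunnel only if both directions moved:
    encaps/encrypt on the way out and decaps/decrypt for the replies. Encrypt
    rising while decrypt stays flat usually means the far side is not sending
    its replies through its own crypto map (for example, a non-mirrored ACL)."""
    out_ok = after["encaps"] > before["encaps"] and after["encrypt"] > before["encrypt"]
    in_ok = after["decaps"] > before["decaps"] and after["decrypt"] > before["decrypt"]
    return out_ok and in_ok


def protects(sa: dict, local_net: str, remote_net: str) -> bool:
    """Check that the SA's proxy identities are the networks from the crypto ACL."""
    return sa.get("local_ident") == local_net and sa.get("remote_ident") == remote_net


if __name__ == "__main__":
    b, a = parse_sa(SA_BEFORE), parse_sa(SA_AFTER)
    print(tunnel_carried_traffic(b, a))                                            # True
    print(protects(a, "192.168.1.0/255.255.255.0", "192.168.3.0/255.255.255.0"))  # True
```

A ping to PC-B leaves every counter unchanged, which tunnel_carried_traffic reports as False when given the same snapshot twice.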

I hope you have learnt something from this exercise. This lab was set up for me thanks to Cisco and CyberShujaa.

Written by ItsMe

I am a degree holder in Computer Science with an interest in cyber security.