
Suggested prerequisite reading: »Cisco Forum FAQ »Setting Up Private Site-To-Site Connections
Introduction
Setting up a site-to-site IPSec VPN connection generally involves two phases. Phase 1 is the ISAKMP SA (Security Association) establishment and Phase 2 is the IPSec SA establishment.
Phase 1
In general, Phase 1 deals with mutual confirmation between the sites that are about to establish a secure connection across an unsecured network. This process verifies that each site is authorized to establish such a connection. A further description follows.
Phase 1 establishes the ISAKMP key match with the remote site. One popular technique for this key matching is to use a preshared key. This key is basically a string (a combination of letters, numbers, and other characters) that both sites agree to use. The key is then stored (encrypted) within each VPN device configuration.
Phase 1 of IPSec VPN connection establishment also involves the remote VPN device IP address (the peer). A popular technique is to set the remote peer IP address explicitly (for security purposes); this is known as a static configuration. With this static configuration, both the preshared key and the remote IP address are statically configured into the VPN device.
During Phase 1 tunnel establishment with a static configuration of both preshared key and remote IP address, the two VPN peer IP addresses (the local and the remote) must match. If the two VPN peer IP addresses match, the next step is to match the preshared key between the two VPN devices.
This preshared key matching is done within an encapsulated secure (encrypted) tunnel; the encapsulation type and method used is the encryption specified for Phase 1. In other words, Phase 1 tunnel establishment in this case involves matching three factors, all of which are statically configured into both VPN devices. If any one of the three needs to change, manual adjustment is needed on both sides.
The three factors are the VPN peer IP addresses, the preshared key, and the encryption type and method. In this specific example, those three factors are the key to how Phase 1 verifies the security association between sites that are about to set up a secure connection over an untrusted network.
Phase 2
Once Phase 1 completes successfully, the setup process moves on to Phase 2. In general, Phase 2 deals with traffic management for the actual data communication between sites: there is a mechanism that determines which data goes where, and whether it is encrypted or not.
On a Cisco security device, one such mechanism is the access list. An access list specifies which data (by source and destination IP addresses or subnets) must be encrypted or decrypted, that is, sent through the VPN tunnel.
Similar to Phase 1, Phase 2 has its own remote VPN peer IP addresses and its own IPSec VPN tunnel type and method. The access list, the remote VPN peer IP addresses, and the Phase 2 IPSec VPN tunnel type and method are all statically configured into both VPN devices. The actual data (encrypted before leaving the local VPN device for the remote VPN device, and decrypted when arriving at the local VPN device from the remote VPN device) is encapsulated within the Phase 2 IPSec VPN tunnel.
In other words, the access list, the VPN peer IP addresses, and the IPSec VPN tunnel type and method are the key to establishing Phase 2. Once Phase 2 is established, the actual data passes between the sites.
Between Phase 1 and Phase 2
Note that only Phase 2 involves the IPSec protocols themselves, either ESP (IP protocol 50) or AH (IP protocol 51). Both Phase 1 (ISAKMP) and Phase 2 (IPSec) use a specific encryption type (e.g. AES, 3DES, DES) and hash (MD5 or SHA). Phase 1 additionally specifies the Diffie-Hellman group (Group 1, 2, or 5) and the ISAKMP SA (Security Association) timeout or lifetime.
Cisco Configuration Guide: An Introduction to IP Security (IPSec) Encryption
Cisco Configuration Guide: Virtual Private Networks with the Cisco PIX Firewall - Introduction and Implementation
Illustration
Let's review the following PIX IPSec VPN tunnel configuration.
To understand the complete picture, please review the PIX-to-PIX IPSec Fully Meshed Sample Configuration.
Side Note: for further understanding of each PIX command and the technology behind it, check out the following Cisco link: Cisco PIX Firewall Command Reference Version 6.3
Note that from the VPN connection perspective, the actual data can only pass between two sites when the following are met (in addition to other basic interconnectivity requirements):
* Phase 1 is established: matching VPN peer IP address, preshared key, and Phase 1 encryption type and method
* Phase 2 is established: matching VPN peer IP address, access list, and Phase 2 IPSec type and method
* Proper IP routing is in place: either by static routes or by a dynamic routing protocol
In other words, configuration between two VPN devices must match.
Sample Configurations
Following are sample configurations of a site-to-site IPSec VPN tunnel between two sites. A fully meshed (or partially meshed) site-to-site VPN involving three or more sites is basically the same setup as a single site-to-site VPN between two sites; you just set up the tunnels one by one: between the 1st and 2nd sites, between the 1st and 3rd sites, between the 2nd and 3rd sites, and so on.
Specifically, when setting up IPSec tunnels on a Cisco router, PIX, or ASA in a hub-and-spoke, partially meshed, or fully meshed setup involving three or more sites, you need to use a different "crypto map" sequence number for each remote VPN peer IP address, together with the specific access list that regulates that peer's encrypted traffic. The PIX-to-PIX sample configuration illustrates this.
PIX to PIX
Configuring PIX to PIX to PIX IPSec Fully Meshed
Router to Router
1. Basic Configuration
Configuring Router-to-Router IPSec Using AES Encryption
Configuring IPSec Between Three Routers Using Split Tunneling
Configuring IPSec Router-to-Router Hub and Spoke
Configuring IPSec Router-to-Router Hub and Spoke with Communication Between the Spokes
Configuring IPSec Router-to-Router Fully Meshed
2. Extended Configuration
Configuring an IPSec Tunnel through a Firewall with NAT
Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static
Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets
Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between a Private and a Public Network
Configuring a Router-to-Router LAN-to-LAN Tunnel with a Router Initiating IKE Aggressive Mode
Configuring an IPsec Router Dynamic LAN-to-LAN Peer and VPN Clients
Router to VPN 3000 Concentrator
Configuring the Cisco VPN 3000 Concentrator to a Cisco Router EZ VPN
PIX to Router http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml
PIX to VPN 3000 Concentrator http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml
PIX to Checkpoint 4.1 Firewall http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009420f.shtml
PIX to Checkpoint NG Firewall http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml
PIX to Juniper Netscreen Firewall http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml
PIX to Sonicwall http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml
PIX to Zywall »Cisco Forum FAQ »How do I configure a Zywall/PIX IPSec VPN
Various Cisco Devices to Microsoft Windows server http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b12b5.shtml
Some discussions »[Config] Configuring More Than 1 VPN Tunnel (871w)
Basic Troubleshooting
1. Phase 2 (IPSec - the actual data passing)
* Make sure the data source and destination IP addresses or subnets match the regulating access list
* Check the data passing between the two sites. On Cisco equipment, issue the show crypto ipsec sa command, which shows the SA (Security Association) counters for encrypted traffic (outgoing data) and decrypted traffic (incoming data)
2. Phase 1 (ISAKMP - the key)
* Assuming you use a preshared key, make sure the remote VPN peer IP address and the key match between the two VPN device configurations
* Check the Phase 1 VPN tunnel up/down status between the two sites. On Cisco equipment, issue the show crypto isakmp sa command, which shows the tunnel status between the local VPN peer IP address and the remote VPN peer IP address
* Run a simple connectivity test to the remote site (the remote VPN peer IP address), such as ICMP ping and traceroute (whenever possible)
* Rebooting one or both VPN devices sometimes resolves a VPN connectivity issue
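Added example (not from this FAQ or any Cisco tool): a small Python consistency check over the factors the FAQ says must match on both ends, Phase 1 policy, preshared key, Phase 2 transform set, mirror-image crypto access lists and, for three or more sites, a distinct crypto map sequence number per remote peer. The Tunnel/Site types, site names, addresses, keys and the fault planted in site C are all constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Tunnel:
    seq: int          # "crypto map" sequence number, one per remote peer
    peer: str         # remote VPN peer IP address
    psk: str          # preshared key agreed with that peer
    transform: tuple  # Phase 2 type and method, e.g. esp-3des / esp-sha-hmac
    acl: tuple        # crypto access list as (local subnet, remote subnet)

@dataclass(frozen=True)
class Site:
    name: str
    outside_ip: str
    phase1: tuple     # (encryption, hash, DH group, ISAKMP lifetime)
    tunnels: tuple

def check_pair(a, b):
    """Mismatches that would stop Phase 1 or Phase 2 from coming up between a and b."""
    ta = next((t for t in a.tunnels if t.peer == b.outside_ip), None)
    tb = next((t for t in b.tunnels if t.peer == a.outside_ip), None)
    if ta is None or tb is None:
        return [f"{a.name}<->{b.name}: peer address not configured on both sides"]
    checks = [
        (a.phase1 != b.phase1, "Phase 1 encryption/hash/group/lifetime differ"),
        (ta.psk != tb.psk, "preshared key differs"),
        (ta.transform != tb.transform, "Phase 2 transform set differs"),
        (ta.acl != (tb.acl[1], tb.acl[0]), "crypto access lists are not mirror images"),
    ]
    return [f"{a.name}<->{b.name}: {msg}" for bad, msg in checks if bad]

def check_site(s):  # with 3+ sites, each remote peer needs its own crypto map sequence number
    seqs = [t.seq for t in s.tunnels]
    return [f"{s.name}: crypto map sequence {n} reused for several peers"
            for n in sorted({n for n in seqs if seqs.count(n) > 1})]

def audit(sites):  # per-site checks, then every pair of a full mesh
    found = [p for s in sites for p in check_site(s)]
    return found + [p for a, b in combinations(sites, 2) for p in check_pair(a, b)]

# Constructed three-site mesh (documentation addresses); site C carries two deliberate faults.
P1, TS = ("3des", "sha", 2, 86400), ("esp-3des", "esp-sha-hmac")
NET = {"A": "10.1.0.0/24", "B": "10.2.0.0/24", "C": "10.3.0.0/24"}
IP = {"A": "203.0.113.1", "B": "203.0.113.2", "C": "203.0.113.3"}
def tun(seq, me, peer, psk): return Tunnel(seq, IP[peer], psk, TS, (NET[me], NET[peer]))
A = Site("A", IP["A"], P1, (tun(10, "A", "B", "k-ab"), tun(20, "A", "C", "k-ac")))
B = Site("B", IP["B"], P1, (tun(10, "B", "A", "k-ab"), tun(20, "B", "C", "k-bc")))
C = Site("C", IP["C"], ("3des", "md5", 2, 86400),                   # hash differs: Phase 1 fails
         (tun(10, "C", "A", "k-ac"), tun(10, "C", "B", "k-bc")))    # seq 10 reused for two peers
```

Running audit((A, B, C)) reports the reused sequence number on C and the Phase 1 mismatch on both of C's tunnels, while A<->B comes back clean.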
Further Reading: VPN Tunnel To Support Non-IP traffic and/or Dynamic Routing Protocols: GRE over IPSec »Cisco Forum FAQ »Private Routing over VPN: NAT/PAT, GRE, IPSec Sample Configurations
by aryoba  last modified: 2009-04-07 16:38:53 |