Network Security v1.0 - Module 19 (Implement Site-to-Site IPsec VPNs with CLI)

Module 19: Implement Site-to-Site IPsec VPNs with CLI

Site-to-Site IPsec VPN Configuration:

• IPsec Negotiation Steps:

  1. Phase 1 (ISAKMP Tunnel): Both peers authenticate and agree on security policies.

  2. Phase 2 (IPsec Tunnel): Establishes encryption and integrity policies for data traffic.

  3. Interesting Traffic: VPN negotiation is triggered by traffic that matches the defined ACL.

Configuration Tasks:

1. Configure ISAKMP Policy for IKE Phase 1:

   • Defines parameters such as encryption, hash, and authentication methods.

2. Configure IPsec Policy for Phase 2:

   • Specifies the protocols (ESP), encryption algorithms, and key exchange mechanisms.

3. Crypto Map:

   • Binds ACL, IPsec policies, and defines the peer address.

4. Apply IPsec Policy:

   • Apply the policy to the outbound interface and verify with the show crypto map command.

ISAKMP Policy Configuration:

• The ISAKMP policy defines the security associations (SAs) used to establish the tunnel.

• Key Elements (HAGLE):

  • H: Hash (SHA)

  • A: Authentication (pre-shared key)

  • G: Group (Diffie-Hellman group 5

  • L: Lifetime (3600 seconds)

  • E: Encryption (AES)

Crypto Map Configuration:

• Binding ACLs: Define traffic that will trigger the tunnel setup (interesting traffic).

• Configure Peer Address and IPsec Parameters:

  • Include peer’s IP, DH group, and tunnel lifetime.

  • Verify the configuration using show crypto map.

Verification:

• Use show crypto isakmp sa and show crypto ipsec sa to verify the status of ISAKMP and IPsec tunnels.

• Ping Test: Send traffic that matches the ACLs to verify the VPN tunnel is operational.

Handling Routing Protocol Traffic:

• If multicast or broadcast traffic (like OSPF or EIGRP) needs to be routed through the tunnel, consider implementing a GRE tunnel for encapsulation.