By: Don R. Crawley
Copyright (c) 2008 Don R. Crawley
A site-to-site virtual private network (VPN) maintains a secure "always-on" connection between two physically separate sites across an existing untrusted network such as the public Internet. Traffic between the two sites travels through an encrypted and authenticated tunnel, so that anyone on the intermediate network can neither read it nor alter it undetected.
This configuration requires an IOS software image that supports cryptography (the "k9" in the image name denotes the crypto feature set). The one used in the examples is c870-advipservicesk9-mz.124-15.T6.bin.
Several protocols cooperate to build the VPN: a key-exchange protocol that authenticates the peers and agrees on keys, an encryption algorithm that protects the tunnel contents, and hash functions (used as keyed message authentication codes) that let each side detect tampering.
VPN Protocols
IPSec: Internet Protocol Security (IPsec) is a suite of protocols for securing IP communications. It consists of the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols, which protect packets, and the Internet Key Exchange (IKE), which negotiates keys and security associations. Think of IPsec as a framework: when you build an IPsec VPN you choose the key-exchange, encryption and integrity algorithms for the tunnel, and both peers must agree on the same choices.
ISAKMP (IKE): Internet Security Association and Key Management Protocol (ISAKMP) is the framework that defines how peers negotiate, establish and tear down security associations. Internet Key Exchange (IKE) is the protocol that uses this framework (with the Oakley and SKEME key-exchange methods) to authenticate the peers, perform a Diffie-Hellman exchange and derive the keys that protect the tunnel. Cisco IOS configures IKE under "crypto isakmp", which is why the two names are used interchangeably in this article. Peers authenticate each other with a pre-shared key, RSA signatures (digital certificates) or RSA-encrypted nonces.
MD5: Message-Digest algorithm 5 (MD5) is a widely used cryptographic hash function with a 128-bit hash value. A cryptographic hash function takes an arbitrary block of data and returns a fixed-size bit string, the hash value (also called the message digest), designed so that any change to the data also changes the hash value. MD5 is no longer considered secure: collisions (two different inputs with the same digest) can be produced cheaply, so it must not be relied on where collision resistance matters. Its use inside HMAC is not broken by those collision attacks, but SHA should be preferred for new configurations.
SHA: Secure Hash Algorithm (SHA) is a family of cryptographic hash functions designed by the National Security Agency (NSA): SHA-0, SHA-1 and the SHA-2 family (SHA-224, SHA-256, SHA-384 and SHA-512). SHA-1, the variant used in this article, produces a 160-bit digest. Note that 160 bits is the length of the hash output, not a key length; a hash function has no key. Published attacks have weakened SHA-1's collision resistance, but as the hash inside an HMAC for packet authentication it remains the stronger of the two choices this IOS release offers for IKE and IPsec (MD5 or SHA-1).
ESP: Encapsulating Security Payload (ESP) is the IPsec protocol that provides confidentiality, data-origin authentication and integrity for packets. ESP can also be configured for encryption only or authentication only, but encryption without authentication is insecure (the ciphertext can be manipulated without detection) and should not be used. Unlike the other IPsec protocol, Authentication Header (AH), ESP does not authenticate the outer IP header; that is why ESP is preferred where Network Address Translation rewrites addresses along the path, since AH's header check would fail. In tunnel mode, the mode used for site-to-site VPNs, the entire original IP packet, header included, is encapsulated and protected inside the ESP payload. ESP runs directly on top of IP as IP protocol number 50 (AH is 51), so any firewall between the peers must permit protocol 50 as well as UDP port 500 for IKE (and UDP port 4500 if NAT traversal is in use).
DES: The Data Encryption Standard (DES) uses a 56-bit key. It is no longer considered secure because its short key length makes an exhaustive key search practical.
3DES: Triple DES (3DES) was designed to overcome the short key of DES by applying DES three times with three different 56-bit keys: the data is encrypted with the first key, decrypted with the second, and re-encrypted with the third. The combined key is 168 bits long, although a meet-in-the-middle attack reduces its effective strength to about 112 bits. 3DES is also slow, since every block passes through DES three times.
AES: The Advanced Encryption Standard (AES) was designed as the replacement for DES and 3DES. It supports 128-, 192- and 256-bit keys and is considerably faster than 3DES, because it was designed for efficient implementation while 3DES triples the work of an already slow cipher. Prefer AES wherever both peers support it.
HMAC: A Hash-based Message Authentication Code (HMAC) is a type of message authentication code (MAC) built from a cryptographic hash function and a secret key. In IPsec the HMAC (for example "esp-sha-hmac" in a transform set) authenticates every packet so the receiver can detect forgery or modification; a plain hash cannot provide this, because anyone could recompute it.
Configuring a Site-to-Site VPN
The process of configuring a site-to-site VPN involves several steps. The two routers must end up with matching Phase One and Phase Two parameters, exactly mirrored access lists, and a route to each other's outside address.
Phase One configuration defines the IKE (ISAKMP) policy used to authenticate the peers and negotiate keys. The policy identifies the hashing algorithm and authentication method, and it is also one of two places where you must identify the peer at the opposite end of the tunnel. Policies are tried in priority order (lowest number first) and the peers must share one policy whose attributes match. In this example, we chose SHA as the hashing algorithm because it is more robust than MD5 (its digest is 160 bits, versus 128 bits for MD5). The pre-shared key "vpnkey" must be identical on both ends of the tunnel; it is shown here only for illustration, and a real deployment should use a long, random secret. The address "192.168.16.105" is the outside interface of the router at the opposite end of the tunnel. Note that the policy below does not set the encryption algorithm or the Diffie-Hellman group, so this IOS release falls back to its defaults of DES and group 1 (768-bit), both of which are weak; in practice add "encryption aes" and "group 5" (or a larger group where the image supports one) to the policy on both routers.
Sample phase one configuration:
tukwila(config)#crypto isakmp policy 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#crypto isakmp key vpnkey address 192.168.16.105
Phase Two configuration builds the encrypted tunnel itself. You create and name a transform set, which identifies the encryption and authentication transforms used to protect the tunnel, and you create a crypto map in which you identify the peer at the opposite end of the tunnel, specify the transform set to be used, and specify the access control list that identifies the traffic to be encrypted. In this example we chose AES for its stronger security and better performance. The statement "set peer 192.168.16.105" identifies the outside interface of the router at the opposite end of the tunnel (the second place the peer is identified; it must be the same address used in the ISAKMP key statement). The statement "set transform-set vpnset" tells the router to use the parameters of the transform set vpnset for this tunnel. The "match address 100" statement associates the tunnel with access list 100, which is defined later. The sequence number 10 allows one crypto map to hold several entries, one per peer. The crypto map here shares the name "vpnset" with the transform set; the two live in separate namespaces so this works, but distinct names are easier to read and audit.
Sample phase two configuration:
tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
tukwila(cfg-crypto-trans)#exit
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
tukwila(config-crypto-map)#set peer 192.168.16.105
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match address 100
The crypto map must be applied to your outside interface (in this example, interface FastEthernet 4, abbreviated "f4" below; on the 870 series this is the WAN port). Only one crypto map can be applied to an interface, which is why additional tunnels are added as further sequence numbers of the same map rather than as separate maps:
tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset
You must create an access control list that identifies the traffic to be encrypted (the "interesting traffic"): packets from the router's inside LAN across the tunnel to the other router's inside LAN (in this example, the router tukwila's inside LAN network address is 10.10.10.0/24 and the other router's inside LAN network address is 10.20.0.0/24). This list is referenced only by the crypto map; do not apply it to an interface with "ip access-group". The other router must carry the exact mirror image of this list, with source and destination swapped, or the Phase Two proposal is rejected with a proxy-identity mismatch. If the router also performs NAT for the inside LAN on the outside interface, exclude the LAN-to-LAN traffic from translation, because translated packets no longer match this list and bypass the tunnel:
tukwila(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255
(For more information about the syntax of access-control lists, see my other articles on creating and managing Cisco router access-control lists.)
You must also create a default route (also known as the "gateway of last resort") pointing at the next hop on the outside network, so that packets for the peer's outside address and for the Internet leave through the outside interface. In this example, the default gateway is 192.168.16.1:
tukwila(config)#ip route 0.0.0.0 0.0.0.0 192.168.16.1
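The article shows only tukwila's half of the configuration. The following is a complete, mirrored configuration for both routers, added here as a worked example; it is not the article's own configuration nor a vendor reference. It assumes that tukwila's outside address is 192.168.16.25, that the far router is named "redmond" with its inside LAN on Vlan1 at 10.20.0.1 (the article gives neither), that both inside LANs sit on Vlan1 as on an 870-series router, and that no NAT is configured. Unlike the article's minimal policy, the encryption algorithm and Diffie-Hellman group are set explicitly rather than left at the weak IOS defaults, distinct names are used for the transform set and crypto map, and perfect forward secrecy is enabled for Phase Two.

```cisco
! === tukwila (site A) === added example; outside address 192.168.16.25 is an assumption
hostname tukwila
!
! Phase One: IKE policy. Encryption, hash, authentication method and DH group
! must match a policy on the peer. The defaults (DES, group 1) are weak.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! Pre-shared key bound to this peer's outside address. Use a long random
! secret, identical on both routers; the value below is a placeholder.
crypto isakmp key Replace-With-A-Long-Random-Secret address 192.168.16.105
!
! Phase Two: transform set (must be identical on the peer). Tunnel mode is
! the default and encapsulates the entire inner packet.
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
!
! One crypto map entry per peer; additional peers get further sequence numbers.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.168.16.105
 set transform-set VPN-TS
 set pfs group5
 match address 100
!
interface Vlan1
 description Inside LAN
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet4
 description Outside (WAN)
 ip address 192.168.16.25 255.255.255.0
 crypto map VPN-MAP
!
! Interesting traffic: this LAN to the far LAN. Referenced by the crypto map
! only; never applied to an interface with "ip access-group".
access-list 100 remark VPN traffic to site B
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 192.168.16.1
!
! === redmond (site B) === hostname and addressing are assumptions
hostname redmond
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
crypto isakmp key Replace-With-A-Long-Random-Secret address 192.168.16.25
!
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.168.16.25
 set transform-set VPN-TS
 set pfs group5
 match address 100
!
interface Vlan1
 description Inside LAN
 ip address 10.20.0.1 255.255.255.0
!
interface FastEthernet4
 description Outside (WAN)
 ip address 192.168.16.105 255.255.255.0
 crypto map VPN-MAP
!
! Exact mirror of site A's list: source and destination swapped.
access-list 100 remark VPN traffic to site A
access-list 100 permit ip 10.20.0.0 0.0.0.255 10.10.10.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 192.168.16.1
```

Reading the two halves side by side shows what must be identical (ISAKMP policy attributes, pre-shared key, transform set, PFS group) and what must be mirrored (each "set peer" names the other router's outside address; each "crypto isakmp key" is bound to the other router's outside address; the access lists swap source and destination). The tunnel is negotiated on demand, so after loading both configurations send a ping from a host on 10.10.10.0/24 to a host on 10.20.0.0/24 before checking "show crypto isakmp sa" and "show crypto ipsec sa".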
Verifying VPN Connections
The following two commands can be used to verify VPN connections. Keep in mind that the tunnel is negotiated on demand: no security associations exist until interesting traffic is sent, so first generate traffic from a host on the inside LAN, or from the router itself with an extended ping sourced from the inside interface (for example "ping 10.20.0.1 source vlan1"). A plain ping from the router uses the outside address as its source and does not match the access list, so it never triggers the tunnel.
Router#show crypto ipsec sa
This command displays the current IPsec (Phase Two) Security Associations (SAs): the local and remote identities taken from the access list, the peer, the transforms in use, and the "#pkts encaps" and "#pkts decaps" counters. Both counters must increase while traffic flows; if encaps rises while decaps stays at zero, the far router is not returning traffic through the tunnel, which usually points to a non-mirrored access list or a routing problem on that side.
Router#show crypto isakmp sa
This command displays the current IKE (Phase One) Security Associations. An entry for the peer's address in state QM_IDLE means Phase One completed successfully; MM_NO_STATE, or no entry at all, means it failed, so check the pre-shared key, the policy attributes and reachability of the peer's outside address.
Troubleshooting VPN Connections
After confirming physical connectivity (each router should be able to ping the other's outside address), audit both ends of the VPN connection to ensure they mirror each other: the ISAKMP policy attributes, the pre-shared key, the transform set, the "set peer" statements (each pointing at the other router's outside address), and the access lists (exact mirrors of each other). "show crypto isakmp policy", "show crypto ipsec transform-set" and "show crypto map" display these settings on each router. After changing any of them, clear the existing security associations with "clear crypto isakmp" and "clear crypto sa" so that the next packet renegotiates with the new parameters instead of reusing the old ones.
Use debugging to analyze VPN connection difficulties:
Router#debug crypto isakmp
This command allows you to observe Phase 1 ISAKMP negotiations, including policy proposals that the peer rejects and authentication failures.
Router#debug crypto ipsec
This command allows you to observe Phase 2 IPSec negotiations, including transform-set and proxy-identity (access list) mismatches. Both debugs are verbose and consume CPU, so use them briefly on a production router and turn them off with "undebug all".
About the Author
Don R. Crawley, Linux+ and CCNA-certified, is president and chief technologist at soundtraining.net, the Seattle training firm specializing in accelerated, task-oriented training for IT professionals. He works with IT pros to enhance their work, lives, and careers. For more information about learning opportunities with soundtraining.net, visit soundtraining.net.
(ArticlesBase SC #677948)
Article Source: http://www.articlesbase.com/ - Configuring a Site-to-site Vpn Between Two Cisco Routers