思科網(wǎng)絡(luò)安全-第八部分講述

CCNASecurityChapter8ImplementingVirtualPrivateNetworksLessonPlanningThislessonshouldtake3-4hourstopresentThelessonshouldincludelecture,demonstrations,discussionsandassessmentsThelessoncanbetaughtinpersonorusingremoteinstructionMajorConceptsDescribethepurposeandoperationofVPNtypesDescribethepurposeandoperationofGREVPNsDescribethecomponentsandoperationsofIPsecVPNsConfigureandverifyasite-to-siteIPsecVPNwithpre-sharedkeyauthenticationusingCLIConfigureandverifyasite-to-siteIPsecVPNwithpre-sharedkeyauthenticationusingSDMConfigureandverifyaRemoteAccessVPNContents8.1VPNs8.2GREVPNs8.3IPSecVPNComponentsandOperation8.4ImplementingSite-to-SiteIPSecVPNs8.5ImplementingSite-to-SiteIPSecVPNsUsingSDM8.6ImplementingARemoteAccessVPN8.1VPNsVPNsVPNOverviewVPNTechnologiesVPNSolutionsVPNOverviewWhatisaVPN?Layer3VPNsConventionalPrivateNetworksVirtualPrivateNetworksWhatisaVPN?Virtual:

Informationwithinaprivatenetworkistransportedoverapublicnetwork.Private:

Thetrafficisencryptedtokeepthedataconfidential.VPNVPNFirewallCSARegionalbranchwithaVPNenabledCiscoISRrouterSOHOwithaCiscoDSLRouterVPNMobileWorkerwithaCiscoVPNClientBusinessPartnerwithaCiscoRouterCorporateNetworkWANInternetAVirtualPrivateNetwork(VPN)providesthesamenetworkconnectivityforremoteusersoverapublicinfrastructureastheywouldhaveoveraprivatenetwork.VPNservicesfornetworkconnectivityinclude:AuthenticationDataintegrityConfidentialityVPNsCharacteristicsofVPNsAsecureVPNisacombinationofconcepts:VPNConceptsVPNPacketEncapsulationVPNPacketEncapsulationLayer3VPNGenericRoutingEncapsulation(GRE)MultiprotocolLabelSwitching(MPLS)IPSecSOHOwithaCiscoDSLRouterVPNInternetIPSecIPSecVPNTechnologiesTypesofVPNNetworksSite-to-SiteVPNRemote-AccessVPNVPNClientSoftwareCiscoIOSSSLVPNSite-to-SiteVPNs:IntranetVPNsconnectcorporateheadquarters,remoteoffices,andbranchofficesoverapublicinfrastructure.ExtranetVPNslinkcustomers,suppliers,partners,orcommunitiesofinteresttoacorporateIntranetoverapublicinfrastructure.RemoteAccessVPNs:Whichsecurelyconnectremoteusers,suchasmobileusersandtelecommuters,totheenterprise.TwoTypesofVPNsSite-to-SiteVPNsSite-to-SiteVPNsRemoteAccessVPNsVPNClientSoftwareR1R1-“R1”Inaremote-accessVPN,eachhost

typicallyhasCiscoVPNClientsoftwareCiscoIOSSSLVPNProvidesremote-accessconnectivityfromanyInternet-enabledhostUsesawebbrowserandSSLencryptionDeliverstwomodesofaccess:ClientlessThinclientVPNSolutionsCiscoVPNProductFamilyCiscoVPN-OptimizedRoutersCiscoASA5500SeriesAdaptiveSecurityAppliancesIPSecClientsHardwareAccelerationModulesCiscoVPNProductFamilyProductChoiceRemote-AccessVPNSite-to-SiteVPNCiscoVPN-EnabledRouterSecondaryrolePrimaryroleCiscoPIX500SeriesSecurityAppliancesSecondaryrolePrimaryroleCiscoASA5500SeriesAdaptiveSecurityAppliancesPrimaryroleSecondaryroleCiscoVPN

3000SeriesConcentratorsPrimaryroleSecondaryroleHomeRoutersPrimaryrole?CiscoVPN-OptimizedRoutersRemoteOffice

CiscoRouterRegionalOffice

CiscoRouterSOHO

CiscoRouterMainOffice

CiscoRouterInternetVPNFeatures:VoiceandvideoenabledVPN(V3PN)IPSecstatefulfailoverDMVPNIPSecandMultiprotocolLabelSwitching

(MPLS)integrationCiscoEasyVPNCiscoASA5500SeriesAdaptive

SecurityAppliancesFlexibleplatformResilientclusteringCiscoEasyVPNAutomaticCiscoVPNClientupdatesCiscoIOSSSLVPNVPNinfrastructureforcontemporaryapplicationsIntegratedweb-basedmanagementExtranet

Business-to-BusinessIntranetRemoteUserRemoteSiteCentralSiteInternetIPSecClientsSmallOfficeInternetCiscoAnyConnectVPNClientCerticomPDAIPsec

VPNClientInternetCiscoVPN

SoftwareClientRouterwith

Firewalland

VPNClientAwirelessclientthatisloadedonapdaSoftwareloadedonaPCAnetworkappliancethatconnectsSOHOLANstotheVPNProvidesremoteuserswithsecureVPNconnectionsHardwareAccelerationModulesAIMCiscoIPSecVPNSharedPortAdapter(SPA)CiscoPIXVPNAcceleratorCard+(VAC+)EnhancedScalableEncryptionProcessing(SEP-E)CiscoIPsecVPNSPA8.2GREVPNsGREVPNsOverviewEncapsulationConfiguringaGRETunnelUsingGREThereare2popularsite-to-sitetunnelingprotocols:CiscoGenericRoutingEncapsulation(GRE)IPSecurityProtocol(IPsec)WhenshouldyouuseGREand/orIPsec?Layer3TunnelingUserTrafficNoYesNoYesGREcanencapsulatealmostanyothertypeofpacket.UsesIPtocreateavirtualpoint-to-pointlinkbetweenCiscoroutersSupportsmultiprotocol(IP,CLNS,…)andIPmulticasttunneling(andthereforeroutingprotocols)Bestsuitedforsite-to-sitemultiprotocolVPNsRFC1702andRFC2784GenericRoutingEncapsulation(GRE)GREheaderadds24bytesofadditionaloverheadGREcanoptionallycontainanyoneormoreofthesefields:TunnelchecksumTunnelkeyTunnelpacketsequencenumberGREkeepalivescanbeusedtotracktunnelpathstatus.OptionalGREExtensionsGREdoesnotprovideencryption!Itcanbemonitoredwithaprotocolanalyzer.However,GREandIPseccanbeusedtogether.IPsecdoesnotsupportmulticast/broadcastandthereforedoesnotforwardroutingprotocolpackets.HoweverIPseccanencapsulateaGREpacketthatencapsulatesroutingtraffic(GREoverIPsec).GenericRoutingEncapsulation(GRE)Createatunnelinterface:

interfacetunnel0AssignthetunnelanIPaddress.Identifythesourcetunnelinterface:tunnelsourceIdentifythetunneldestination:

tunnel

destination(Optional)IdentifytheprotocoltoencapsulateintheGREtunnel:

tunnelmodegreipBydefault,GREistunneledinanIPpacket.FiveStepstoConfiguringaGRETunnelConfiguringaGRETunnelR1(config)#interfacetunnel0R1(config–if)#ipaddress52R1(config–if)#tunnelsourceserial0/0R1(config–if)#tunneldestinationR1(config–if)#tunnelmodegreipR1(config–if)#R2(config)#interfacetunnel0R2(config–if)#ipaddress52R2(config–if)#tunnelsourceserial0/0R2(config–if)#tunneldestinationR2(config–if)#tunnelmodegreipR2(config–if)#GRETunnelExampleUsingGREUserTrafficIPOnly?UseGRETunnelNoYesNoYesUnicastOnly?UseIPsecVPNGREdoesnotprovideencryption8.3IPSecVPNComponentsandOperationIPSecVPNComponentsandOperationIntroducingIPSecIPSecSecurityProtocolsInternetKeyExchange(IKE)IntroducingIPSecIPSecTopologyIPSecFrameworkConfidentialityIntegrityAuthenticationPre-SharedKeyRSASignatureSecureKeyExchangeAsystemtoaccomplishtheencryption/decryption,userauthentication,hashing,andkey-exchangeprocesses.Acryptosystemmayuseoneofseveraldifferentmethods,dependingonthepolicyintendedforvarioususertrafficsituations.CryptosystemEncryptiontransformsinformation(cleartext)intociphertextwhichisnotreadablebyunauthorizedusers.Decryptiontransformsciphertextbackintocleartextmakingitreadablebyauthorizedusers.Popularencryptionalgorithmsinclude:DES3DESAESEncryption/DecryptionGuaranteesmessageintegritybyusinganalgorithmtoconvertavariablelengthmessageandsharedsecretkeyintoasinglefixed-lengthstring.Popularhashingmethodsinclude:SHA(Ciscodefault)MD5Authentication/HashingIstheabilitytoproveatransactionoccurred.Similartoasignedpackagereceivedfromashippingcompany.Thisisveryimportantinfinancialtransactionsandsimilardatatransactions.Non-repudiationHowdotheencryptinganddecryptingdevicesgetthesharedsecretkey?TheeasiestmethodisDiffie-Hellmanpublickeyexchange.Usedtocreateasharedsecretkeywithoutpriorknowledge.Thissecretkeyisrequiredby:Theencryptionalgorithm(DES,3DES,AES)Theauthenticationmethod(MD5andSHA-1)Diffie-HellmanKeyExchangeIdentifiesacommunicatingpartyduringaphase1IKEnegotiation.Thekeymustbepre-sharedwithanotherpartybeforethepeersrouterscancommunicate.Pre-SharedKeyA“framework”ofopenstandardsdevelopedbytheIETFtocreateasecuretunnelatthenetwork(IP)layer.Itspellsouttherulesforsecurecommunications.RFC2401-RFC2412IPsecisnotboundtoanyspecificencryptionorauthenticationalgorithms,keyingtechnology,orsecurityalgorithms.IPsecallowsnewerandbetteralgorithmstobeimplementedwithoutpatchingtheexistingIPsecstandards.IPsec-InternetProtocolSecurityIPsecProtocolFrameworkAHESPESP+AHDES3DESAESSEALMD5SHAPSKRSADH1DH2DH5DH7IPsecProtocolFrameworkConfidentialityIntegrityAuthenticationDH7Diffie-HellmanPre-sharedKey(PSK)

[JG1]It?Atthelocaldevice,theauthenticationkeyandtheidentityinformation(device-specificinformation)aresentthroughahashalgorithmtoformhash_I.One-wayauthenticationisestablishedbysendinghash_Itotheremotedevice.Iftheremotedevicecanindependentlycreatethesamehash,thelocaldeviceisauthenticated.Theauthenticationprocesscontinuesintheoppositedirection.Theremotedevicecombinesitsidentityinformationwiththepreshared-basedauthenticationkeyandsendsitthroughthehashalgorithmtoformhash_R.hash_Rissenttothelocaldevice.Ifthelocaldevicecanindependentlycreatethesamehash,theremotedeviceisauthenticated.

RSASignaturesAtthelocaldevice,theauthenticationkeyandidentityinformation(device-specificinformation)aresentthroughthehashalgorithmforminghash_I.hash_Iisencryptedusingthelocaldevice'sprivateencryptionkeycreatingadigitalsignature.Thedigitalsignatureandadigitalcertificateareforwardedtotheremotedevice.Thepublicencryptionkeyfordecryptingthesignatureisincludedinthedigitalcertificate.Theremotedeviceverifiesthedigitalsignaturebydecryptingitusingthepublicencryptionkey.Theresultishash_I.Next,theremotedeviceindependentlycreateshash_Ifromstoredinformation.Ifthecalculatedhash_Iequalsthedecryptedhash_I,thelocaldeviceisauthenticated.Aftertheremotedeviceauthenticatesthelocaldevice,theauthenticationprocessbeginsintheoppositedirectionandallstepsarerepeatedfromtheremotedevicetothelocaldevice.RSASignaturesEncryptionalgorithmHash_IDecryptionalgorithmHash_IPrivatekeyPublickeyLocalRemoteHash=+IDInformationHashAuth.keyDigitalsignatureDigitalsignature+IDInformationHashAuth.key12Digitalcert+DigitalcertInternetAHESPESP+AHDES3DESAESSEALMD5SHAPSKRSADH1DH2DH5DH7768bits1024bits1536bitsUsedbyDESand3DESUsedbyAESSecureKeyExchangeIPSecSecurityProtocolsIPSecFrameworkProtocolsAuthenticationHeaderESPFunctionofESPModeTypesIPsecusestwomainprotocolstocreateasecurityframework:AH:AuthenticationHeaderESP:EncapsulatingSecurityPayloadIPsecFrameworkProtocolsIPSecFrameworkProtocolsAlldataisinplaintext.R1R2Datapayloadisencrypted.R1R2AuthenticationHeaderEncapsulatingSecurityPayloadAHprovidesthefollowing:AuthenticationIntegrityESPprovidesthefollowing:EncryptionAuthenticationIntegrityAHprovidesauthenticationandoptionalreplay-detectionservices.Itauthenticatesthesenderofthedata.AHoperatesonprotocolnumber51.AHsupportstheHMAC-MD5andHMAC-SHA-1algorithms.AuthenticationHeader(AH)AHdoesnotprovideconfidentiality(encryption).Itisappropriatetousewhenconfidentialityisnotrequiredorpermitted.Alltextistransportedunencrypted.Itonlyensurestheoriginofthedataandverifiesthatthedatahasnotbeenmodifiedduringtransit.IftheAHprotocolisusedalone,itprovidesweakprotection.AHcanhaveproblemsiftheenvironmentusesNAT.AuthenticationHeader(AH)AuthenticationHeaderAuthenticationData(00ABCDEF)IPHeader+Data+KeyR1R2HashRecomputedHash(00ABCDEF)IPHeader+Data+KeyHashReceivedHash(00ABCDEF)=DataAHIPHDRDataAHIPHDRInternet1.TheIPHeaderanddatapayloadarehashed2.ThehashbuildsanewAH headerwhichisprepended

totheoriginalpacket3.Thenewpacketis

transmittedtothe

IPSecpeerrouter4.ThepeerrouterhashestheIP

headeranddatapayload,extracts

thetransmittedhashandcomparesESPprovidesthesamesecurityservicesasAH(authenticationandintegrity)ANDencryptionservice.Itencapsulatesthedatatobeprotected.Itoperatesonprotocolnumber50.EncapsulatingSecurityPayload(ESP)ESPcanalsoprovideintegrityandauthentication.First,thepayloadisencryptedusingDES(default),3DES,AES,orSEAL.Next,theencryptedpayloadishashedtoprovideauthenticationanddataintegrityusingHMAC-MD5orHMAC-SHA-1.EncapsulatingSecurityPayload(ESP)FunctionofESPESPTrailerESPAuthProvidesconfidentialitywithencryptionProvidesintegritywithauthenticationRouterRouterIPHDRDataESPHDRNewIPHDRIPHDRDataAuthenticatedIPHDRDataInternetEncryptedIPHDRESPHDRDataESPHDRIPHDRNewIPHDRDataTunnelModeTransportModeESPTrailerESPAuthESPTrailerESPAuthAuthenticatedAuthenticatedIPHDRDataEncryptedEncryptedOriginaldatapriortoselectionofIPSecprotocolmodeModeTypesSecurityisprovidedonlyfortheTransportLayerandabove.ItprotectsthepayloadbutleavestheoriginalIPaddressinplaintext.ESPtransportmodeisusedbetweenhosts.TransportmodeworkswellwithGRE,becauseGREhidestheaddressesoftheenddevicesbyaddingitsownIP.TransportModeTunnelmodeprovidessecurityforthecompleteoriginalIPpacket.TheoriginalIPpacketisencryptedandthenitisencapsulatedinanotherIPpacket(IP-in-IPencryption).ESPtunnelmodeisusedinremoteaccessandsite-to-siteimplementations.TunnelModeGRE

over

IPsec

傳輸模式

隧道模式傳輸模式：不改變?cè)械腎P包頭，通常用于主機(jī)與主機(jī)之間。

隧道模式：增加新的IP頭，通常用于私網(wǎng)與私網(wǎng)之間通過(guò)公網(wǎng)進(jìn)行通信。

評(píng)論這張

IPSec與NATAH模式無(wú)法與NAT一起運(yùn)行

AH對(duì)包括IP地址在內(nèi)的整個(gè)IP包進(jìn)行hash運(yùn)算，而NAT會(huì)改變IP地址，從而破壞AH的hash值。ESP模式下：◆只進(jìn)行地址映射時(shí)，ESP可與NAT一起工作。

◆進(jìn)行端口映射時(shí)，需要修改端口，而ESP已經(jīng)對(duì)端口號(hào)進(jìn)行了加密和/或hash，所以將無(wú)法進(jìn)行?！魡⒂肐PSecNAT穿越后，會(huì)在ESP頭前增加一個(gè)UDP頭，就可以進(jìn)行端口映射。

InternetKeyExchange(IKE)SecurityAssociationsIKEPhasesIKEPhase1–ThreeExchangesIKEPhase1–AggressiveModeIKEPhase2TheIPsecVPNsolution:Negotiateskeyexchangeparameters(IKE).Establishesasharedkey(DH).Authenticatesthepeer.Negotiatestheencryptionparameters.Thenegotiatedparametersbetweentwodevicesareknownasasecurityassociation(SA).KeyExchangeSAsrepresentapolicycontractbetweentwopeersorhosts,anddescribehowthepeerswilluseIPsecsecurityservicestoprotectnetworktraffic.SAscontainallthesecurityparametersneededtosecurelytransportpacketsbetweenthepeersorhosts,andpracticallydefinethesecuritypolicyusedinIPsec.SecurityAssociations(SAs)SASecurityParametersIKEhelpsIPsecsecurelyexchangecryptographickeysbetweendistantdevices.CombinationoftheISAKMPandtheOakleyKeyExchangeProtocol.KeyManagementcanbepreconfiguredwithIKE(ISAKMP)orwithamanualkeyconfiguration.IKEandISAKMPareoftenusedinterchangeably.TheIKEtunnelprotectstheSAnegotiations.AftertheSAsareinplace,IPsecprotectsthedatathatAliceandBobexchange.IKE-InternetKeyExchangeHowIPsecusesIKEOutboundpacketissentfromAlicetoBob.NoIPsecSA.PacketissentfromAlicetoBobprotectedbyIPsecSA.IPsecIPsecTherearetwophasesineveryIKEnegotiationPhase1(Authentication)Phase2(KeyExchange)IKEnegotiationcanalsooccurin:MainModeAggressivemodeThedifferencebetweenthetwoisthatMainmoderequirestheexchangeof6messageswhileAggressivemoderequiresonly3exchanges.IKE-InternetKeyExchangeIKEPhaseOne:NegotiatesanIKEprotectionsuite.ExchangeskeyingmaterialtoprotecttheIKEsession(DH).Authenticateseachother.EstablishestheIKESA.MainModerequirestheexchangeof6messageswhileAggressivemodeonlyuses3messages.IKEPhaseTwo:NegotiatesIPsecsecurityparameters,knownasIPsectransformsets.EstablishesIPsecSAs.PeriodicallyrenegotiatesIPsecSAstoensuresecurity.OptionallyperformsanadditionalDHexchange.IKEMainModePhasesIKEPhasesFiveStepsofIPsecIKEPhase1authenticatesIPsecpeersandnegotiatesIKESAstocreateasecurecommunicationschannelfornegotiatingIPsecSAsinPhase2.HostAsendsinterestingtrafficdestinedforHostB.IKEPhase2negotiatesIPsecSAparametersandcreatesmatchingIPsecSAsinthepeerstoprotectdataandmessagesexchangedbetweenendpoints.DatatransferoccursbetweenIPsecpeersbasedontheIPsecparametersandkeysstoredintheSAdatabase.IPsectunnelterminationoccursbySAsthroughdeletionorbytimingout.Step1Step2Step3Step4Step5Step1–InterestingTrafficIKEPolicyNegotiationStep2–IKEPhase1HostAHostBR1R2IKEPhase1AggressiveModeExchangeSendIKEpolicysetandR1’sDHkeyCalculatesharedsecret,verifypeeridentify,andconfirmwithpeerIKEPhase2ExchangeNegotiateIPsecpolicyNegotiateIPsecpolicyPolicy15DESMD5pre-shareDH1lifetimePolicy10DESMD5pre-shareDH1lifetimeConfirmIKEpolicyset,calculatesharedsecretandsendR2’sDHkeyAuthenticatepeerandbeginPhase2.IKEPhase1–AggressiveModeIKEPhase1–SecondExchange(YB)

modp=K (YA)

modp=K

XB

XAPrivatevalue,XAPublicvalue,YAPrivatevalue,XBPublicvalue,YBAliceBobYAYBYB

=g

modpXBYA=g

modpXAADHexchangeisperformedtoestablishkeyingmaterial.EstablishDHKeyDHKeyExchangeStep2–IKEPhase1RouterBhashesthereceivedstringtogetherwiththepre-sharedsecretandyieldsahashvalue.RouterArandomlychoosesastringandsendsittoRouterB.RouterBsendstheresultofhashingbacktoRouterA.RouterAcalculatesitsownhashoftherandomstring,togetherwiththepre-sharedsecret,andmatchesitwiththereceivedresultfromtheotherpeer.Iftheymatch,RouterBknowsthepre-sharedsecret,andisconsideredauthenticated.DHKeyExchangeStep2–IKEPhase1NowRouterBrandomlychoosesadifferentrandomstringandsendsittoRouterA.RouterAalsohashesthereceivedstringtogetherwiththepre-sharedsecretandyieldsahashvalue.RouterAsendstheresultofhashingbacktoRouterB.RouterBcalculatesitsownhashoftherandomstring,togetherwiththepre-sharedsecret,andmatchesitwiththereceivedresultfromtheotherpeer.Iftheymatch,RouterAknowsthepre-sharedsecret,andisconsideredauthenticated.PeerAuthenticationStep2–IKEPhase1IPsecNegotiationStep3–IKEPhase2TransformSetNegotiationStep3–IKEPhase2SecurityAssociationsStep3–IKEPhase2IPsecSessionStep4TunnelTerminationStep58.4ImplementingSite-to-SiteIPSecVPNsImplementingSite-to-SiteIPSecVPNsConfiguringSite-to-SiteIPSecVPNsTask1–ConfigureCompatibleACLsTask2–ConfigureIKETask3–ConfiguretheTransformSetTask4–ConfiguretheCryptoACLsTask5–ApplytheCryptoMapVerifyandTroubleshoottheIPSecConfigurationConfiguringSite-to-SiteIPSecVPNIPSecVPNNegotiationSummaryofTasksIKEPhase1IKEPhase2IKESAIKESAIPsecSAIPsecSAHostAsendsinterestingtraffictoHostB.R1andR2negotiateanIKEPhase1session.R1andR2negotiateanIKEPhase2session.InformationisexchangedviaIPsectunnel.TheIPsectunnelisterminated.R1R2IPsecTunnelIPSecVPNNegotiationEnsurethatACLsconfiguredontheinterfacearecompatiblewithIPsecconfiguration.CreateanIKEpolicytodeterminetheparametersthatwillbeusedtoestablishthetunnel.ConfiguretheIPsectransformsetwhichdefinestheparametersthattheIPsectunneluses.Thesetcanincludetheencryptionandintegrityalgorithms.CreateacryptoACL.ThecryptoACLdefineswhichtrafficissentthroughtheIPsectunnelandprotectedbytheIPsecprocess.Createandapplyacryptomap.ThecryptomapgroupsthepreviouslyconfiguredparameterstogetheranddefinestheIPsecpeerdevices.ThecryptomapisappliedtotheoutgoinginterfaceoftheVPNdevice.IPsecTasksIKEandIPsecFlowchart123Task1

ConfigureCompatibleACLsOverviewPermittingTrafficOverviewEnsurethatprotocols50(ESP),51(AH)andUDPport500(ISAKMP)trafficarenotblockedbyincomingACLsoninterfacesusedbyIPsec.AHESPIKESite1Site2R1R2InternetS0/0/0

S0/0/0

/24/24ESP=protocol#50,AH

=protocol#51,ISAKMP=UDPport500Task1:EnsureACLsareCompatibleTask2

ConfigureIKEOverviewISAKMPParametersMultiplePoliciesPolicyNegotiationsCryptoISAKMPKeySampleConfigurationCreatingaplaninadvanceismandatorytoconfigureIPsecencryptioncorrectlytominimizemisconfiguration.Determinethefollowingpolicydetails:KeydistributionmethodAuthenticationmethodIPsecpeerIPaddressesandhostnamesIKEphase1policiesforallpeersEncryptionalgorithm,Hashalgorithm,IKESAlifetimeGoal:Minimizemisconfiguration.Task2:ConfigureIKEIKEPhase1PolicyParametersorAESorD-H5EnableIKECreateanIKEPolicyDefaultISAKMPSettingsDefaultISAKMPSettingsRouterA#showcryptoisakmppolicyProtectionsuiteofpriority110encryptionalgorithm:DES-DataEncryptionStandard(56bitkeys).hashalgorithm:MessageDigest5authenticationmethod:Pre-SharedKeyDiffie-Hellmangroup:#1(768bit)lifetime:86400seconds,novolumelimitDefaultprotectionsuiteencryptionalgorithm:DES-DataEncryptionStandard(56bitkeys).hashalgorithm:SecureHashStandardauthenticationmethod:Rivest-Shamir-AdlemanSignatureDiffie-Hellmangroup:#1(768bit)lifetime:86400seconds,novolumelimitCreateanIKEPolicyMultiplePoliciescryptoisakmppolicy100hashmd5authenticationpre-share!cryptoisakmppolicy200hashshaauthenticationrsa-sig!cryptoisakmppolicy300hashmd5authenticationrsa-sigcryptoisakmppolicy100hashmd5authenticationpre-share!cryptoisakmppolicy200hashshaauthenticationrsa-sig!cryptoisakmppolicy300hashmd5authenticationpre-shareR1(config)#R2(config)#Site1Site2R1R2Internet/24/24ISAKMPPolicyNegotiationR1(config)#cryptoisakmppolicy110R1(config–isakmp)#authenticationpre-shareR1(config–isakmp)#encryption3desR1(config–isakmp)#group2R1(config–isakmp)#hashshaR1(config–isakmp)#lifetime43200Policy110Preshare

3DES

SHADH243200R2(config)#cryptoisakmppolicy100R2(config–isakmp)#authenticationpre-shareR2(config–isakmp)#encryption3desR2(config–isakmp)#group2R2(config–isakmp)#hashshaR2(config–isakmp)#lifetime43200R2musthaveanISAKMPpolicyconfiguredwiththesameparameters.TunnelSite1Site2R1R2Internet/24/24R1attemptstoestablishaVPNtunnelwith

R2andsendsitsIKEpolicyparametersPolicyNegotiationsCryptoISAKMPKeyThepeer-addressorpeer-hostnamecanbeused,butmustbeusedconsistentlybetweenpeers.Ifthepeer-hostnameisused,thenthecryptoisakmpidentityhostname

commandmustalsobeconfigured.cryptoisakmpkeykeystringaddresspeer-addressrouter(config)#cryptoisakmpkeykeystringhostnamehostnamerouter(config)#ParameterDescriptionkeystringThisparameterspecifiesthePSK.Useanycombinationofalphanumericcharactersupto128bytes.ThisPSKmustbeidenticalonbothpeers.peer-addressThisparameterspecifiestheIPaddressoftheremotepeer.hostnameThisparameterspecifiesthehostnameoftheremotepeer.Thisisthepeerhostnameconcatenatedwithitsdomainname(forexample,).ConfigurePre-SharedKeysTousethehostnameparameter,configurethecryptoisakmpidentityhostname

globalconfigurationmodecommand.Inaddition,DNSmustbeaccessibletoresolvethehostname.ConfigureISAKMPIdentityTask3

ConfiguretheTransformSetOverviewTransformSetsSampleConfigurationDeterminethefollowingpolicydetails:IPsecalgorithmsandparametersforoptimalsecurityandperformanceTransformssetsIPsecpeerdetailsIPaddressandapplicationsofhoststobeprotectedManualorIKE-initiatedSAsGoal:Minimizemisconfiguration.Task3:ConfiguretheTransformSetsCiscoIOSsoftwaresupportsthefollowingIPsectransforms:IPsecTransformsSupportedinIOSCentralA(config)#cryptoipsectransform-settransform-set-name?ah-md5-hmacAH-HMAC-MD5transformah-sha-hmacAH-HMAC-SHAtransformesp-3desESPtransformusing3DES(EDE)cipher(168bits)esp-desESPtransformusingDEScipher(56bits)esp-md5-hmacESPtransformusingHMAC-MD5authesp-sha-hmacESPtransformusingHMAC-SHAauthesp-nullESPtransformw/ocipherNote:esp-md5-hmacandesp-sha-hmacprovidemoredataintegrity.TheyarecompatiblewithNAT/PATandareusedmorefrequentlythanah-md5-hmacandah-sha-hmac.IPsecPolicyExampleSpecificIPsec

show

CommandsRouterA#showcryptoisakmppolicy

Defaultprotectionsuite

encryptionalgorithm:DES-DataEncryptionStandard(56bitkeys)

hashalgorithm:SecureHashStandard

authenticationmethod:Rivest-Shamir-AdlemanSignature

Diffie-HellmanGroup:#1(768bit)

lifetime:86400seconds,novolumelimitRouterA#showcryptomap

CryptoMap“MYMAP"10ipsec-isakmp

Peer=

ExtendedIPaccesslist102

access-list102permitiphosthost

Currentpeer:

Securityassociationlifetime:4608000kilobytes/3600seconds

PFS(Y/N):N

Transformsets={MY-SET,}RouterA#showcryptoipsectransform-setMY-SET

TransformsetMY-SET:{esp-des}

willnegotiate={Tunnel,},ConfigureTransformSetsTransformSetNegotiationTransformSetNegotiationConfiguresglobalIPseclifetimevaluesusedwhennegotiatingIPsecsecurityassociations.IPsecSAlifetimesarenegotiatedduringIKEphase2.ConfigureSecurityAssociationLifetimesTask4

ConfiguretheCryptoACLsOverviewCommandSyntaxSymmetricCryptoACLsOverviewOutboundindicatesthedataflowtobeprotectedbyIPsec.Inboundfiltersanddiscardstrafficthatshouldhavebeen

protectedbyIPsec.HostAR1InternetOutbound

TrafficInbound

TrafficEncryptBypass(Plaintext)PermitBypassDiscard(Plaintext)R1R2Internetrouter(config)#access-listaccess-lis