Configuring a VPN
Creating a VPN has several parts. Some are optional depending on how you configure your firewall. The two main components are phase 1 and phase 2.
Phase 1 (isakmp)
Creates a secure foundation between the two peers; phase 2 is negotiated inside it.
Phase 2 (ipsec)
This is the secure tunnel used for the actual data transfer.
Set up phase 1
Enable isakmp
crypto isakmp enable
Create isakmp polices
crypto isakmp policy 10
encryption aes 128
hash sha
group 2
authentication pre-share
lifetime 28800
Isakmp policies are your phase 1 policies. You will need to connect to several 3rd parties, and they won't all use the same phase 1 settings, so you will need to create several phase 1 policies to accommodate all of your VPNs. When attempting to build a VPN your firewall will go through the list of policies from top to bottom until it finds a policy that matches exactly. If it doesn't find one the VPN will not come up. The lifetime is how long the phase 1 tunnel will stay up before it is torn down, new keys are generated and the phase 1 tunnel is created again. 28800 is 8 hours.
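As an added example (not part of the original post), here is a small Python check that applies the top-to-bottom matching rule above to a peer's proposal. Policy 10 is the one from the page; policy 20 and the proposals used in the check are constructed.

```python
PHASE1_ATTRS = ("encryption", "hash", "group", "authentication")

# Policy 10 is the page's; policy 20 is constructed to show a second entry.
CONFIG = """
crypto isakmp policy 10
 encryption aes 128
 hash sha
 group 2
 authentication pre-share
 lifetime 28800
crypto isakmp policy 20
 encryption 3des
 hash md5
 group 2
 authentication pre-share
 lifetime 86400
"""

def parse_isakmp_policies(config):
    """Parse 'crypto isakmp policy N' blocks into {N: {attribute: value}}."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy "):
            current = int(line.split()[-1])
            policies[current] = {}
        elif current is not None and raw.startswith(" "):
            key, _, value = line.partition(" ")  # 'encryption aes 128'
            policies[current][key] = value
        else:
            current = None                      # some other global command
    return policies

def match_phase1(policies, proposal):
    """Return the lowest-numbered policy the peer's proposal matches, or None
    (phase 1 then fails and the VPN never comes up). Encryption, hash, group
    and authentication must be identical; the lifetime only has to be no
    longer than ours, since the shorter value is what gets used."""
    for number in sorted(policies):
        pol = policies[number]
        if any(pol.get(a) != proposal.get(a) for a in PHASE1_ATTRS):
            continue
        if int(proposal.get("lifetime", pol["lifetime"])) > int(pol["lifetime"]):
            continue
        return number
    return None
```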
Set up the pre-shared key
crypto isakmp key 0 P@55w0rd address 200.50.50.73
The other side needs that key; exchange it over the phone. It should be a strong one. A common cause of VPNs not coming up is a pre-shared key mismatch, usually because someone has made a typo.
Configure the isakmp identity (optional)
This is not required unless you are using hostnames; the identity defaults to the IP address. It is only useful if your public IP changes.
crypto isakmp identity hostname
Set up Phase 2
Create your ipsec transform set
crypto ipsec transform-set esp-aes-esp-sha esp-aes 128 esp-sha-hmac
crypto ipsec security-association lifetime kilobytes 20000
Much like the isakmp policies, you will have to set up several transform sets for use with different VPNs. You can set the lifetime in seconds or in kilobytes of data. When the limit is reached the phase 2 tunnel will be rebuilt.
Match traffic to be encrypted (ACL)
To do this you need to create an access list. You may need to create mirrored ACLs to allow the traffic back from the other side.
ip access-list extended traffic_to_encrypt_over_vpn1
permit ip 192.168.10.0 0.0.0.255 10.50.1.0 0.0.0.255
Create the crypto map
This puts your phase 1 and phase 2 configurations together.
crypto map VPN1_Map 10 ipsec-isakmp
match address traffic_to_encrypt_over_vpn1
set peer 200.50.50.73
no set pfs
set transform-set esp-aes-esp-sha
crypto map [map_name] [sequence_number] [vpn_type]
The peer address is the IP of the other firewall's outside interface.
PFS (perfect forward secrecy) runs a fresh Diffie-Hellman exchange for every phase 2 rekey, so it is more secure but adds overhead.
Apply the crypto map to the outside interface
interface gi0/1
crypto map VPN1_Map
Don't forget the nonat statement
There are two main approaches here. You can create separate nat and nonat ACLs and use those. Alternatively you can just create a nat ACL and add a deny for the traffic you don't want NAT'd:
deny ip 192.168.10.0 0.0.0.255 10.50.1.0 0.0.0.255
This stops that network from being NAT'd when it talks to the network on the other side of the VPN. Remember that the networks which have to send return traffic (replies to pings etc.) must also be exempt from NAT. Think about this if you have mirrored ACLs on either side.
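The mirrored ACL and the nonat check described above, as an added Python example that is not part of the original post. The first crypto ACL entry and the deny line are the page's; the second crypto ACL entry, the NAT ACL and the ACL names in the comments are constructed.

```python
import ipaddress

def _net(tokens):
    """Consume one address spec: 'any' or 'NETWORK WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # ipaddress reads a mask whose first octet is 0 as a wildcard (hostmask)
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")

def parse_ace(line):
    """'permit ip SRC WC DST WC' -> (action, src_network, dst_network)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if proto != "ip":
        raise ValueError(f"only 'ip' entries are handled: {line}")
    src, dst = _net(rest), _net(rest)   # evaluated left to right
    return action, src, dst

def format_ace(action, src, dst):
    """Render an entry back in IOS wildcard form."""
    return (f"{action} ip {src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")

def mirror_acl(crypto_acl):
    """The crypto ACL the peer needs: the same entries with src and dst swapped."""
    return [format_ace(a, d, s) for a, s, d in map(parse_ace, crypto_acl)]

def missing_nonat(crypto_acl, nat_acl):
    """Return the deny lines the NAT ACL still needs. Without them the traffic
    is translated before the crypto map sees it, no longer matches the crypto
    ACL, and leaves the firewall outside the tunnel."""
    denies = [(s, d) for a, s, d in map(parse_ace, nat_acl) if a == "deny"]
    needed = []
    for a, s, d in map(parse_ace, crypto_acl):
        if a == "permit" and not any(
                s.subnet_of(ds) and d.subnet_of(dd) for ds, dd in denies):
            needed.append(format_ace("deny", s, d))
    return needed

CRYPTO_ACL = [  # the page's traffic_to_encrypt_over_vpn1 plus a constructed 2nd entry
    "permit ip 192.168.10.0 0.0.0.255 10.50.1.0 0.0.0.255",
    "permit ip 192.168.20.0 0.0.0.255 10.50.1.0 0.0.0.255",
]
NAT_ACL = [  # constructed nat ACL: only the first VPN network is excluded
    "deny ip 192.168.10.0 0.0.0.255 10.50.1.0 0.0.0.255",
    "permit ip 192.168.0.0 0.0.255.255 any",
]
```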
NAT traversal
If both firewalls are behind a NAT you will need to enable NAT-T.
crypto isakmp nat-traversal 20
Testing
Display active phase 1 security associations
sh crypto isakmp sa
QM_IDLE is good; it's done negotiating phase 1.
Display active phase 2 security associations
sh crypto ipsec sa
There is a lot more information here
Check local and remote addresses are correct
You want to see encaps and decaps increasing
You don't want to see send/receive errors increasing
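The three checks above, turned into an added Python example that compares two snapshots of the sh crypto ipsec sa output; this is not code from the original post. The show output is constructed to look like the IOS format, with the page's networks and peer; only the counter lines and proxy identities are parsed.

```python
import re

PATTERNS = {
    "local": r"local\s+ident.*?\((\d[\d.]*/\d[\d.]*)",
    "remote": r"remote\s+ident.*?\((\d[\d.]*/\d[\d.]*)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
}

def snapshot(encaps, decaps, send_err=0, recv_err=0):
    """Constructed stand-in for the relevant lines of one SA in the show output."""
    return f"""   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.50.1.0/255.255.255.0/0/0)
   current_peer 200.50.50.73 port 500
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
    #send errors {send_err}, #recv errors {recv_err}
"""

def parse_sa(text):
    """Pull the fields the checks need out of one SA's show output."""
    out = {}
    for key, pat in PATTERNS.items():
        m = re.search(pat, text)
        if m is None:
            raise ValueError(f"{key} not found in show output")
        out[key] = m.group(1) if key in ("local", "remote") else int(m.group(1))
    return out

def check_sa(before, after, local, remote):
    """Return a list of problems; an empty list means the tunnel looks healthy."""
    findings = []
    if (after["local"], after["remote"]) != (local, remote):
        findings.append("proxy identities do not match the crypto ACL")
    if after["encaps"] <= before["encaps"]:
        findings.append("encaps not increasing: nothing is entering the tunnel")
    if after["decaps"] <= before["decaps"]:
        findings.append("decaps not increasing: nothing is coming back "
                        "(check the peer's mirrored ACL and nonat)")
    if after["send_errors"] > before["send_errors"]:
        findings.append("send errors increasing")
    if after["recv_errors"] > before["recv_errors"]:
        findings.append("recv errors increasing")
    return findings
```

Take the two snapshots a few seconds apart while traffic is flowing, otherwise the counters will not move and the checks report a false alarm.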
Force VPNs to be rebuilt
clear crypto isakmp
Newer firewalls let you select which VPN to clear; older ones just rebuild them all.
Creating VPNs with the Cisco SDM
Due to their complexity a lot of users use the SDM wizard to create VPNs. However, the SDM adds junk and gives entries names that will be hard to understand when reading the config back later, which makes troubleshooting much harder. If you are going to use the SDM, at least use it in this way: there is a button in the SDM where you can create your VPN with the wizard but, instead of installing it on the firewall, view the commands the SDM was going to run. Here you can change the names to something sensible and use the description command. Copy the commands and run them on the firewall manually yourself. This way your config won't get messed up and you become familiar with the commands required.
Working with 3rd parties
Most of the time you will be setting up a VPN with a third party, and you won't have any control over their firewall. In these cases it's a good idea to create a VPN template with the settings you use, your peer address, your contact details etc. Send the template to the 3rd party, get them to fill it in and send it back. Exchange the pre-shared key over the phone. You can then go ahead and set up the VPN with the settings provided. It should come up; if not, you have each other's contact details for troubleshooting.
The first thing is to attempt to bring up a VPN that allows any service and uses a weak pre-shared key like 1234567890. Confirm the phase 1 settings, confirm the phase 2 settings, and get them to send screenshots. Once you get the VPN up you can work on restricting access, and don't forget to install a strong pre-shared key.