
Monday, September 13, 2010

Cisco IPsec VPN

I have seen some discussion regarding IPsec VPNs on Cisco devices. Below is a quick tutorial on Cisco IPsec VPNs. This tutorial is written for the 12.4 versions of IOS.

When creating these connections, you must consider:

  • Crypto settings
  • ACLs
  • Outside interfaces

You can have many SAs (security associations) in a crypto map, and inside a specific SA you can list multiple peers. The VPN engine will try the peers in the order they are listed. This is useful when you are using tracking objects for failover and the remote peer may therefore come from multiple IP addresses.

ACLs are used to control which traffic is forwarded through the IPsec connection. The entry below reads as "allow all traffic from my local side to any IP address on the remote side". This can be adjusted as you see fit. Assume that I am connecting two class C networks via an IPsec VPN. My access list may read as:

  • 10 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255

I am sure there is a way to connect when both subnets are the same using NAT; however, I feel that this is bad form. In those cases where I have found that both ranges are the same, I change one of the ranges. This can be a pain in the ass, but in the long run it is a best practice.

As you can see from the sample configurations, this is a peer relationship. Regardless of speed or hardware, there is no Master or Secondary. Cisco calls these configurations Mirrors: the configurations are the same with certain variables reversed.

I cannot recommend this enough: DO NOT use the SDM for this. Unless you enjoy 400-line ACLs, you will have a much more pleasurable experience creating these manually. The process is simple and very quick once you get used to it.

I hope this helps you. Please let me know if you spot any typos or mistakes that I made during the creation of this.

LEGEND

  • our_key = a pre-shared key which will be used on both sides. This can be any string of characters.
  • Side_A_IP = the public IP address of Side A. This will be the IP address of the interface which has the crypto map attached to it.
  • Side_B_IP = the public IP address of Side B. This will be the IP address of the interface which has the crypto map attached to it.
  • crypto_map_name = the name of the crypto map. It can be any string of characters.
  • crypto_integer = an integer (sequence number) which attaches an IPsec connection to the crypto map.
  • ACL_To_Site_B = the ACL which will exist at site A to connect to site B.
  • ACL_To_Site_A = the ACL which will exist at site B to connect to site A.
  • Public_Interface = the public interface which the VPN will be connecting through.
  • Site_A_Internal_IP_Range = the internal IP range at site A. In the config I am assuming a class C.
  • Site_B_Internal_IP_Range = the internal IP range at site B. In the config I am assuming a class C.
EXAMPLE Side A

  crypto isakmp policy 1
   encr 3des
   authentication pre-share
   group 2
  crypto isakmp key our_key address Side_B_IP no-xauth
  crypto ipsec transform-set trans esp-3des esp-sha-hmac
  crypto map crypto_map_name crypto_integer ipsec-isakmp
   set peer Side_B_IP
   set transform-set trans
   match address ACL_To_Site_B
  interface Public_Interface
   crypto map crypto_map_name
  ip access-list extended ACL_To_Site_B
   10 permit ip Site_A_Internal_IP_Range 0.0.0.255 Site_B_Internal_IP_Range 0.0.0.255

EXAMPLE Side B

  crypto isakmp policy 1
   encr 3des
   authentication pre-share
   group 2
  crypto isakmp key our_key address Side_A_IP no-xauth
  crypto ipsec transform-set trans esp-3des esp-sha-hmac
  crypto map crypto_map_name crypto_integer ipsec-isakmp
   set peer Side_A_IP
   set transform-set trans
   match address ACL_To_Site_A
  interface Public_Interface
   crypto map crypto_map_name
  ip access-list extended ACL_To_Site_A
   10 permit ip Site_B_Internal_IP_Range 0.0.0.255 Site_A_Internal_IP_Range 0.0.0.255
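Added example, not from the original post: a small Python script that renders the two mirrored configurations from the legend variables (with constructed documentation addresses standing in for the public IPs and a hypothetical interface name) and then checks the two crypto ACLs the way you would before bringing the tunnel up, namely that Side B's entries are Side A's with source and destination swapped, and that the local and remote ranges do not overlap, the situation the post recommends fixing by renumbering rather than with NAT.

```python
import ipaddress

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACLs use wildcard masks (0.0.0.255 = /24); assumes a contiguous mask."""
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network((addr, 32 - ones), strict=True)

def render_site(peer_ip, acl_name, local_range, remote_range, key="our_key",
                map_name="crypto_map_name", seq=10, public_if="FastEthernet0/0"):
    """One side of the mirrored config (hypothetical helper; interface and seq are placeholders)."""
    return "\n".join([
        "crypto isakmp policy 1",
        " encr 3des",
        " authentication pre-share",
        " group 2",
        f"crypto isakmp key {key} address {peer_ip} no-xauth",
        "crypto ipsec transform-set trans esp-3des esp-sha-hmac",
        f"crypto map {map_name} {seq} ipsec-isakmp",
        f" set peer {peer_ip}",
        " set transform-set trans",
        f" match address {acl_name}",
        f"interface {public_if}",
        f" crypto map {map_name}",
        f"ip access-list extended {acl_name}",
        f" 10 permit ip {local_range} 0.0.0.255 {remote_range} 0.0.0.255",
    ])

def crypto_acl_networks(config: str):
    """Collect (src, dst) networks from every 'permit ip' ACL entry in a config."""
    pairs = []
    for line in config.splitlines():
        f = line.split()
        if len(f) >= 7 and f[1:3] == ["permit", "ip"]:
            pairs.append((wildcard_to_network(f[3], f[4]),
                          wildcard_to_network(f[5], f[6])))
    return pairs

def check_mirror(cfg_a: str, cfg_b: str):
    """Return (mirrored, overlapping): B's entries must equal A's with src/dst
    swapped, and no entry may have a local range that overlaps its remote range."""
    a, b = crypto_acl_networks(cfg_a), crypto_acl_networks(cfg_b)
    mirrored = sorted(a) == sorted((dst, src) for src, dst in b)
    overlapping = any(src.overlaps(dst) for src, dst in a + b)
    return mirrored, overlapping

# Constructed sample values: Side A is 203.0.113.1, Side B is 198.51.100.1,
# so each side's peer is the other side's public address.
SIDE_A = render_site("198.51.100.1", "ACL_To_Site_B", "192.168.0.0", "192.168.2.0")
SIDE_B = render_site("203.0.113.1", "ACL_To_Site_A", "192.168.2.0", "192.168.0.0")
```

Run `check_mirror(SIDE_A, SIDE_B)` and expect `(True, False)`; a copy of one side pasted to the other without reversing the variables fails the mirror check, and identical ranges on both sides trip the overlap check.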
