2 IPSec Site to Site VPN using Pre shared Key explained

Captions
All right. Last class we saw how a VPN can be established between two endpoints, how a channel can be created between two endpoints when we have a public network in the middle, so that we have a secured communication. It uses the IPsec protocol, Internet Protocol Security, for encrypting, for transforming your data. It uses ISAKMP for generating and negotiating the key; we call it IKE. ISAKMP is also called IKE phase one, and the IPsec transform set is also called IKE phase two. We also discussed that there are two different types of authentication: one is pre-shared key and the other one is using RSA signatures, or a certification authority. We didn't go deep into the certification authority; we were using a pre-shared key in our example. Today it is again the same pre-shared key: how to implement an IPsec VPN using pre-shared keys is today's topic. So mostly it will be the same thing that we saw in the previous class, but it's going to give you a clearer picture of what we did in the previous class.

Configuring a static VPN, or configuring a site-to-site VPN using a pre-shared key. Site-to-site means it's a static VPN, it's a fixed VPN; that's why it is called site-to-site. First of all we need to prepare ISAKMP and IPsec. For configuring ISAKMP we have to enable the mode called pre-shared key for authentication, and then we have to configure a transform set, which is phase two. So this is phase one, this is phase two. After that what we do is we write an ACL and we say which traffic can be tunnelled, which traffic can get encrypted. Not every traffic needs to be encrypted: when we try going online to reach some public network, that traffic will not be encrypted; only when we talk to our remote office, only when we talk to the other site, do we want the traffic to be encrypted.

So we have to write an ACL saying traffic going from this particular source to that destination needs to get encrypted. For that we write an ACL and we call it under a crypto map; that's why we call it a crypto ACL, an ACL for cryptography, an ACL for encryption. We need to call the ACL and the transform set under a crypto map. The reason is we cannot write the ACL and the transform set for the VPN directly on an interface, so we call them under a crypto map and then we call the crypto map under the interface; that is applying the crypto map to the interface. After that we tested by pinging, and then by typing some show commands like show crypto isakmp sa and show crypto ipsec sa. show crypto isakmp sa will show you whether phase one has come up or not; if that is up, then you can also go and type show crypto ipsec sa, where you can find the phase two tunnel established, and you can also see the number of packets encrypted and decrypted. So this is what we did in the previous class and we are seeing it again to understand more clearly. These are the verification commands; these two commands I just wrote. Before you enable the site-to-site VPN, just ping and see whether you are reaching from this corner to this corner, from site one to site two; that is what preparing for IPsec means. And when you say show crypto ipsec policy or show crypto isakmp policy it won't show anything, because initially you have not configured anything; this is before preparing IPsec, so you won't see anything when you type this. But for ISAKMP you have something which is default: the default is DES for encryption, for hashing SHA, and for authentication it is RSA, meaning using a certification authority instead of a pre-shared key. The default Diffie-Hellman group, the group that provides integrity on the path, is one, and the lifetime is one day. This is the default, so the default is what we will see when we type show crypto isakmp policy; this will show you the default policy.

Now if your requirement, your need in your office, is like 3DES, MD5, pre-shared key, Diffie-Hellman group 2, and this is like 5 minutes, 5 times 60, then we need to configure it. If you want to go with the default then leave it, but we will not be using DES; this is not a strong encryption, you go with 3DES or AES. And SHA is stronger than MD5, but still it takes a lot of processor, so we may not be happy with SHA. And CA, certification authority, is commonly used in the real world; pre-shared key is also used. Pre-shared key doesn't need a third party to authenticate, whereas RSA key, which is certification authority, needs a third party called the CA. And Diffie-Hellman group one is very light; we always go with 2, which is a bit stronger for providing integrity. And lifetime also, we won't be just leaving one full day for rekeying. What is rekeying? It regenerates the key and then re-establishes the neighbor. We don't wait for one day; that's not really secure. If our VPN is getting compromised within an hour, then for another 23 hours someone will be misusing our network. So what we do is we rekey every five minutes; in case our VPN gets compromised, only for five minutes it will be under attack, later it can be mitigated. Yes sir, very good question, very good question. The tunnel will be there; it will be a seamless change. The tunnel will be there, but still there will be a rekeying, there will be renegotiation happening behind the screen. The tunnel will not get torn down, it will be there. Correct. Welcome sir.

Now the next command to verify is show crypto map; that will show you what peer is being set, what transform set, and what ACL is bound to it. show crypto ipsec transform-set will show us the phase two transform set that we created; we might be saying AH with MD5, AH with SHA HMAC, those phase two things. If you want to check only phase two things, you type this; you want to see the crypto map, type this command; to see phase one parameters, type this command; same for phase two again, here it will show you the IPsec transform set, more or less it will show the same thing. Right, this is the preparation for IPsec, initially, before enabling any ISAKMP policy.

Now the ACL. Okay, this ACL is different: ensure ACLs are compatible with IPsec, meaning right from this source to this destination these four things should not be blocked anywhere. In public, definitely the ISP will not block anything; they are there to provide service, so they won't block. If in case we have a firewall here, we need to make sure that these port numbers and these protocols are allowed. We know what 50 and 51 mean: 51 means AH, 50 means ESP, and 500 means ISAKMP, and then 4500 we have not seen. 4500 means NAT-T; we call it NAT translation, NAT-T, or non-500 ISAKMP. It comes under ISAKMP, but non-500 ISAKMP is also called NAT-T, NAT translation; the port number for NAT translation is UDP 4500, a reserved port number for this purpose. So we need to make sure that these things are not blocked, or that these things are allowed, in our firewalls when we have firewalls on our edge routers.

Planning for an IKE policy: determine the following policy details. Key distribution method: we are using pre-shared key. Key distribution method, pre-shared key, authentication. What is the difference between authentication and pre-shared key as the key distribution method? Okay, key distribution method is like manual or auto: manually you want to distribute the key, or automatic. We always use automatic, which is there by default. And the authentication method is pre-shared key, and then the IPsec peer IP address and the hostname for authentication. This is the command we used to type: crypto isakmp key, then the key, then address, and we will type, let's say, the key is 123 and then we used to type the IP address of the peer, let's say 100.0.0.25; that's the peer address. And optionally you can give a hostname; hostname is not mandatory. And then the ISAKMP policy for all the peers: encryption algorithm, DES, 3DES, AES; hash algorithm like SHA, MD5; and lifetime is optional, by default it is one day, you can change it to five minutes or one hour.

Now this table explains the strong and stronger algorithms. Encryption: DES is strong, and AES and 3DES are stronger. Likewise MD5 is strong hashing, SHA-1 is stronger. Pre-shared key is strong; using RSA signatures is stronger. Diffie-Hellman is also strong in exchanging the key, which provides integrity; Diffie-Hellman two and five are stronger. Lifetime one day is okay, but less than that would be more okay. So these are the phase one parameters. On both sides the phase one parameters should match. If you have more than one site, let's say I have site three, you may need another policy on site one, if you are not going to use the same policy. See here, you want to use DES between site one and site two, but between site one and site three you want to have 3DES. So what we can do is create two policies on site one, one with policy number 10, another with policy number 20, so 10 will get matched with site two and 20 will match with site three. So you can have any number of policies in one router. The smallest policy number will be matched against the sites; if that doesn't match, it will try to match with the next policy. So policy numbers also matter: the smaller the number, the first it gets executed, it first tries to get matched with the remote sites; if that doesn't match, then it goes to the next smallest policy number. So you can have any number of policies in the router, so that you can have different sites with different policies, but between two sites, if you want to have a security association, the policy should match on both sides. If it is MD5 it should be MD5 on both sides; and the pre-shared key, Diffie-Hellman, lifetime; and the peer address anyway will not match, you know, that need not be in the same subnet, it can be a different subnet, let's say it is /24, /24. Okay, here there is a mistake: actually it is 6.2, here it is written as 1.2, yeah.

Planning for the IPsec policy: determine the following policy details. IPsec algorithms and parameters for optimal security and performance. So when we choose parameters like AH-MD5 HMAC, what I'm trying to tell my router is: for the phase two tunnel I don't need to encrypt, I don't want encryption, just encapsulation is okay. So, optimal security: I'm going with, for some reasons, it need not be encrypted; it is already negotiated with the neighbor, the phase one tunnel has been established, I really do not want to encrypt and then send, so encapsulation is okay, I do not want to put more pressure on my router, so I go with AH, something like this. Or, most of the time, these things will be given in your documentation in your office; in the document it will mention, or the client will mention, this is what we want, AH or ESP. ESP is stronger; it does encryption as well as encapsulation, which may need more processor. Transforms, if necessary: the transform set, we always use a transform set, and then we set the peer details and the crypto map, and then we also write an ACL. Now this phase two can be manually initiated or it can be initiated through IKE, Internet Key Exchange, which we always use: automatic, initiated by IKE. So this also you have seen, the phase two transform set: we say crypto ipsec transform-set and we pick any two of these, one for encryption and another for hashing. So when I say ESP-3DES and ESP-MD5-HMAC, this 3DES and this MD5 need not match with phase one. In phase one also we picked 3DES for encryption and MD5 for hashing; that is only for phase one, this is for our data encryption. So these two need not match with phase one: if in phase one you use DES, very well you can use 3DES here, not a problem; and MD5 you use on phase one, you can also use MD5 here or you can use a different thing, that's not a problem.

So here is the example for phase two. Even the phase two parameters should match with the other side: if one side is ESP-DES the other side also should be ESP-DES; if one side is tunnel mode the other side also needs to be tunnel mode, which is default. Tunnel mode is default; we discussed tunnel mode and transport mode in the previous class. And then the peer hostname is this; that will not match anyway, the peer IP address also will not match. Even here there is a mistake: it is six here; no, it's correct, it's correct here, only there the six. Okay, so the IP address: we are encapsulating traffic between this and this, so the host to be encrypted is 1.2 and here 6.2; all traffic to be encapsulated, sorry, encrypted. It is TCP; it's an optional one. When you write an ACL you can say IP or TCP, whichever we want to encrypt. So security association establishment by using IPsec and ISAKMP: this we mentioned when we write the crypto map.

Now identifying IPsec peers. There are various ways in which the IPsec peers are identified. See, there is a remote user, there is a roaming user, so a roaming user will use VPN client software on his laptop. He will have VPN client software; he just double-clicks the client software. We mostly use this in the office, but actually it is meant for remote users. You double-click the client software, you provide the group name, you provide the user ID and the password, then you provide the IP address; sometimes it may be there as a profile, you just click the profile and then say connect. That is for remote users. And then there are Cisco routers where we write the site-to-site VPN; just now we saw that. And then there are firewalls from where we establish a VPN, firewalls like ASA, PIX. We will be doing a VPN on ASA when we are in the ASA topic; still we have not started ASA, so when we finish ASA then we will get into VPN on ASA. There was also a device called VPN concentrator from where a VPN tunnel can be established, and there are also other vendors other than Cisco; there is also other vendor client software through which a VPN can be established. So using these devices IPsec peers can be identified: a router, VPN client software or other vendor peer software, ASA, PIX, Cisco VPN concentrator.

Configuring ISAKMP. First of all we need to enable ISAKMP, but this is not for our routers. For our routers, when we say crypto isakmp policy and when we write the policy and when we call this policy under the interface, you know, when we have the interface bound with the crypto map, it starts negotiating by using this policy automatically, which means ISAKMP is enabled by default on routers. We don't need a special command to enable it; it gets enabled automatically when the policy starts negotiating. We need not enable ISAKMP; by default it is enabled. You don't need to enable ISAKMP, but on ASAs we have to enable it; on ASAs we need to enable ISAKMP before we start configuring. On routers, if you want, you can disable it, which is enabled by default. If you want to disable it, you can disable it. Create the ISAKMP policy by configuring the authentication method and the pre-shared key or RSA signature, and then verify the ISAKMP configuration. What is the command to verify the ISAKMP configuration, do you remember? Okay, that is one command; the other command, which we saw in the second slide, no, phase one, show crypto isakmp policy; that's the policy, the ISAKMP policy, right, that will show you. Let me show you the command once more. See, show crypto isakmp policy, yeah, like this. For phase two you've got show crypto ipsec policy, and what you said is also correct: if this thing is up, if the VPN is up, then you can use show crypto ipsec sa and show crypto isakmp sa.

All right, next: to enable or disable ISAKMP. This is the command I told you; by default it is enabled. You can disable it by putting this command, and if you want to bring it back up you can type this command. See, it is enabled by default on routers, but on firewalls, on ASA, we have to enable it manually. So it's a global configuration command; it is enabled globally or disabled globally. It is enabled by default; ISAKMP is enabled globally for all interfaces on the router. Use no to cancel it. An ACL can be used to block ISAKMP on a particular interface, so if you don't want ISAKMP to run on a particular interface then you can write an ACL and you can block it, port number UDP 500.

Create the ISAKMP policy. So this number matters when we have more policies: the smaller the policy number, the first that gets executed; if a match is not found it goes to the next smallest. Define the set of ISAKMP policies, which is a set of parameters used during the phase one negotiation, the IKE phase one negotiation. So this command invokes the config-isakmp command mode; we will get inside the ISAKMP mode when we type this command. So this is the ISAKMP mode and we type in the parameters; 36000 is ten hours, we can optionally say this. So the ISAKMP phase one negotiation: here it is clearly shown that they check everything. First it will try to match with this: policy 110 is matched against all these three. If a match is found then it won't go to the next one; if a match is not found, then 210 is matched with all these three. See, this number need not match, the policy number need not match, but what is inside the policy needs to match. If 210 is not matching, then 310 is matched against all these three. If there is no match, no security association. Any one of these needs to match with the other side. So we can have more than one policy.

crypto isakmp identity address: this is for manual phase one, not automatic. To negotiate automatically we don't need this command; if you want to statically enable, if you want to manually enable phase one, this is the command, crypto isakmp identity address. Now this is for authentication, pre-shared key authentication. Yes, yeah, okay, now I understand, right, thanks, fixed. Now R1 authenticates the neighbor, the other peer, by using this command: we say crypto isakmp key, and then this key should match with the neighbor, and this should be the neighbor's address. This is not the address of the neighbor's hosts; this is not the address of the traffic source or traffic destination. This is the address of the tunnel endpoint. The traffic source and destination is 10.0.0.0 ... 1.1, so we should not write that address here. The traffic may originate from somewhere inside the network, but where we start the tunnel, we start the tunnel between edge router and edge router, so this should always be the edge router's address, the edge router's interface address. This is where sometimes we get confused: should we write 10.0.6.2 or 172.30.6.2? It is always actually this address, the place where we start the tunnel and we terminate the tunnel.

Next, phase two: configure the transform set and then configure the global IPsec security association lifetime. This is the way that we write the transform set; based on these, your data is going to be transformed, changed, and sent over the public network. There are a lot of options we saw: they have AH, ESP-DES, ESP-3DES for encryption, and for hashing ESP-MD5-HMAC. A transform set is a combination of IPsec transforms that enact a security policy for the traffic; sets are limited to up to one AH and two ESP transforms. That we saw: when we put the question mark you can see that here; we see AH and then ESP. For ESP we have 3DES, AES, MD5, SHA, and for AH something is missing: 3DES is missing for AH. It will not be there because we do not encrypt, we are encapsulating; that's what they were saying, sets are limited to up to one AH and two ESP transforms.

Let's see an example here, transform set negotiation. So here this is also again priority based: the smaller the transform set number first. Transform set 10; you can have many transform sets like this, but we have not used transform set numbers like this. You can have many transform sets, and first this will be checked against these three; if a match is found, okay; if not, it will check this with the other three, this with the other three; when a match is found, then it stops and tries to form a security association. So this is during the phase two negotiation, the transform set.

So the lifetime for the security association: we can set anything less than one day, that is good, 10 minutes or 15 minutes, whatever is good. So the lifetime can also be set like this: re-establish, do the security association again once this many bytes have been transferred, this many kilobytes have been transferred through the VPN; once this much has been reached, then you redo the association. We can say in seconds, we can also say in kilobytes. This is very important: without interrupting. And this is for phase two, and what we saw before is for phase one; phase one is for rekeying, rekeying and key authentication. This is for the phase two association; for phase two you can use even kilobytes.

So why do we write a crypto ACL? So that when we try to use the internet, cisco.com, we don't form a tunnel between Cisco and R1. If I use the tunnel I cannot reach Cisco; I cannot use the tunnel to reach Cisco. So I need to say only when this source going to this destination gets encrypted, otherwise it gets bypassed. So whoever needs to get encrypted, I put them in an ACL and I call that ACL under the PL group, sorry, under the phase two crypto map. So a crypto ACL is to determine which traffic needs to be encrypted. And what is outbound traffic? The traffic that is going out; inbound traffic is that coming from outside. Outbound indicates the data flow to be protected by IPsec; inbound filters out and discards the traffic that should have been protected by IPsec. It's the same story: when the traffic comes from the tunnel it gets decrypted; traffic that is not coming through the tunnel, or via the tunnel, is just bypassed from decryption, it is going to be clear text. So here they are using a named ACL. You can use a named ACL or a numbered ACL; it appears like a numbered ACL but it is not a numbered ACL, it is a named ACL. Instead of giving a name they have given a number, but what they have written is a named ACL; you see ip access-list, a named ACL. Now here it says which traffic needs to be protected or encrypted: traffic going from 10.1.0 to 10.0.6.0 is to be encrypted; permit means encrypt. Whoever is not permitted, we know there is an implicit deny in ACLs, so the rest of the traffic will be going without using the tunnel. Right, so when we write an ACL we can also write like this: we can permit only one particular protocol; only TCP traffic will use the tunnel, normal pinging from here to here will be going without encryption. And what is symmetric peers? We know this meaning; this is not a really needed slide. Whatever is source here becomes destination here; whatever is destination here is source here; that's what they mean by symmetrical peers. This is on R1 and R6; obviously it will be a mirror copy, a mirror image. When we write an ACL on this and this it will be a mirror: whatever is source for R1 becomes destination for R6, whatever is destination for R1 becomes source for R6.

Why do we need a crypto map? It pulls together the various parts of the configuration of IPsec, because we cannot put everything, all the small parts, into the interface; we put all together in a crypto map and we call the crypto map under the interface. It pulls together various parts of the configuration for IPsec, including: which traffic should be protected by IPsec; how we say this: we say this by typing the command match address and we call the access list number under the crypto map. Where IPsec-protected traffic should be sent; how we do this: we say set peer and we type the remote router's address. The local address to be used for IPsec: this is optional, you can say local address, otherwise it will take the exit interface address; we don't usually say this. Which IPsec type should be applied to the traffic: that is what we call the transform set parameters, set transform-set. Whether security associations are established manually or by IKE: we always use IKE; manually is also possible. And then other parameters like time: after how long it should re-establish, or has to do the security association again, or after how many kilobytes; those things can also be mentioned under the crypto map. And all these are put together in one name by using crypto map, and we call that name under the interface. These things we just discussed: the crypto map defines the following: the ACL that needs to be used, the remote VPN peer, the transform set, the key management method and the lifetime, all put together in one name like this. We don't go with manual; if you want to go with manual you use this command; if we want to use phase one, ISAKMP, for keying, then this is the command we use, this one. Later, another day, we will try to use manual also. Crypto map, map name, and then an ID for the crypto map, and we say auto, meaning ipsec-isakmp; the access list number, the peer address, the transform set name, the lifetime, and then we apply the crypto map, we call the crypto map on the interface, we apply it to the interface, we call it on the interface. This is the name of the crypto map; now here it is not matching actually, they use crypto map MYMAP and it should be MYMAP here; you know, this is an example, we call the crypto map. So applying the crypto map to the outside interface activates the IPsec policy. So the moment you type this one you can see no ISAKMP turned on; when you try pinging from here to here the negotiation will start. So only when you try pinging does it get initiated; the ACL should get matched, so it kick-starts ISAKMP; once the negotiation is over it kick-starts IPsec; once the transform set negotiation is over you will see pinging with encryption and decryption. And if you sniff a packet in the middle you will not see ICMP. See, actually we are pinging from here to here, ICMP is used, but when you sniff a packet in the middle and see, it is not going as ICMP; it will go as ESP packets because it is getting encrypted and sent, here it gets decrypted, so in the middle they go as ESP packets. You can do anything: you can use FTP, you can do HTTP, all will be encrypted and going as ESP, so in the middle no one has a clue what sort of service is going on, HTTP or ICMP echo, completely hidden from the public, encrypted.

So here is the sample configuration between R2, R1 and R6. 3DES, 3DES; this number need not match, right, okay. Next, MD5 on both sides, pre-shared key, group 2, lifetime: this must match. The key, and this should be the address of the peer router, not the final destination; this is the address of the peer router. Transform set: only encryption is mentioned, hashing they do not want. Crypto map: this number need not match, and this number and this number can be different; this is just to identify the crypto map. The peer address: this address and this address will be the same. The transform set and the ACL that we wrote; there is a mistake in the ACL, it is not 101, it is 102. Again the ACL number need not match with the neighbor's; if it is 102 here, 102 here, I can have 103 here, 103 there. And then calling the crypto map under the interface. Very simple.

Testing and verifying. So we can display our ISAKMP by typing show crypto isakmp policy; transform set: show crypto ipsec transform-set; current status, if you want to see: show crypto ipsec sa and show crypto isakmp sa. Debug: we can use debug, which will show you the negotiation that is happening between two routers, initially debug crypto isakmp, debug crypto ipsec. So these are all the verification commands, this is all the verification that we need to do once we finish our VPN configuration. See, show crypto isakmp policy shows the phase one parameters that are configured: this is default and this is what we configured. Default is DES, we configured 3DES; default is SHA, we configured MD5; default is RSA, we configured pre-shared key; default is Diffie-Hellman group 1, we configured 2; default is 1 day, here we have configured 1 hour. show crypto ipsec transform-set shows you the transform set parameters; there is only one, for encryption, and the mode is tunnel mode. And when we type show crypto map for interface so-and-so we see everything; we see here the crypto map name, the crypto map number; it is not manual, it is automatic; the peer is this, the ACL is this; this is the ACL, peer, lifetime, everything, transform set. show crypto isakmp sa shows the status: QM_IDLE means it is good, it is established, that's why it is in the idle state, active, good; you should not see deleted here. show crypto ipsec sa will show you the phase two status: so far this many packets have been encrypted and this many packets have been decrypted, and traffic is going from this to this, the peer, phase one.

So in case the VPN is not coming up, how will you troubleshoot it? Yes sir, yep, you're right, you're right. When we have several tunnels that would be too much, too many pages we have to go through; then we can type, after security association, the particular address, the peer address, and we can see only that, or we can use some filter command: the pipe symbol, and put a filter command and see only that particular one. If you simply say show crypto ipsec sa, if you have too many static tunnels you will see all neighbors and it will be many pages. Yep, yeah, it should be a peer IP address, but I have not done that one; it is my assumption there should be an option, but when we have more tunnels we will see a lot of pages. I used to use the pipe symbol to filter it; anyway you can use the pipe symbol, but there should be an option to see a particular peer; we will test it today.

Now if the VPN tunnel is not coming up, what are we going to do? First we need to check whether there is reachability. So what we do is we remove the crypto map and see whether we are able to ping. If you are pinging then the problem is not with the IP path, the problem is with the VPN configuration. So what we do is we compare the configuration on both sides: cut and paste into a notepad, two notepads; whatever we configured on R1, copy from the running configuration to the notepad, one notepad for R1, open another notepad, copy from R6, compare: phase one, is it matching; phase two, is it matching; is the peer address correct; compare symmetry. Simultaneously, yes, you can see both if you have two different notepads. And still if it is not working, everything is matching and still it is not working, debug and see where the traffic gets stuck. First debug crypto isakmp, check whether it is getting cleared, and check whether you are able to see the IPsec negotiation; if this is not cleared, the IPsec negotiation will not start. So sometimes this will pass and this will not happen; you can see errors, IPsec trying something again and again, then you can go and check only the IPsec section. Right, and generate interesting traffic, meaning ping and see from the actual source and destination. So if you have some error message on the debug, if you don't understand the error message, why the error message, what sort of error message, what it is coming to say, initially, as a beginner, we can just place the error in Google and try to get the explanation of it, so that when it comes the second time you can easily fix the issue. Mostly, if we know the logic of how the VPN is getting formed, we ourselves can get the solution; in case you are not able to find the solution but you see some error message on debug, cut and paste it in Google; if it tells you why that error message, then you can easily go and fix it. And check the ACL also: when you type show ip access-lists you should see some hits. If there is no hit in the ACL then the problem is not with the VPN configuration, it's the problem with the access list; if there is a hit in the ACL then there is a problem with your VPN. If there is no hit in the ACL, meaning the ACL is not getting matched with the traffic, but that ACL is bound to the VPN; if the ACL itself is not matching then how will the traffic get encrypted? So we need to check the ACL; sometimes the wildcard mask we might have written wrong, so the ACL should match with the traffic, that's very important. And then we can use these show commands. This is to clear, this is to clear the crypto, to refresh; clear means not clearing all your configuration, the configuration will be there, so refresh the crypto, refreshing the security association, refreshing only phase one. These debugs we can use: when I type debug crypto ipsec and if I don't see anything, that means phase one is not complete, so first you type this one and see whether you get some debugs; if you get some debugs, and if you are not getting debugs for IPsec, then the problem is only with IPsec phase two, not with phase one. Some error messages they have put in here: if you get this error message, see, it clearly says not authenticated, check with the passwords; and when we get this one, this is related to what? This is crypto security association not offered: with peer ... responded with attribute ... not offered, or some parameters inside phase one are not matching; that's why we get this, maybe one side DES, the other side 3DES, like that.

So in this chapter what we saw is a recap of what we saw in the previous class. In the previous class I quickly configured in the last five minutes and we had the VPN, but all I configured is explained here: why I did that, why those commands came. But today I want to do it again because I want to check this one: I want to check whether we can see one particular neighbor's association after this; let me check whether we have the command. If we have the command then it is possible and you can try it on your own. I'll just grab one router and check whether the command is available and then I leave it to you; you try one more time today by using the previous video that I gave you, and then we go with the next class. All right, the command that I want to check is show crypto ipsec sa; yes, I think we have; standby, peer, peers, we have peer, sir, we have, now it says we have, and yep. So this is more granular filtering; we don't need to see many pages, we just type in one particular peer address and we can see. All right, then we'll stop here today; our next class will be
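The troubleshooting step described in the lecture (copy both running-configs and compare phase one, the pre-shared key and peer address, phase two, and the mirror-image crypto ACL) can be automated; the script below is an added example, not the lecture's own material or a Cisco tool. The R1/R6 configs, addresses and key are constructed samples that follow the lecture's parameters (3DES, MD5, pre-share, group 2, one-hour lifetime).

```python
"""Compare both ends of a Cisco IOS site-to-site IPsec VPN, automating the lecture's manual
troubleshooting step (two notepads: phase 1 policy, pre-shared key and peer, phase 2 transform
set, crypto ACL as a mirror image). R1_CONFIG / R6_CONFIG are constructed sample running-configs."""
import re

# Defaults the lecture lists for any parameter an ISAKMP policy leaves unset.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}

R1_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco123 address 172.30.6.2
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.30.6.2
 set transform-set MYSET
 match address 101
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255
interface Serial0/0
 ip address 172.30.1.2 255.255.255.0
 crypto map MYMAP
"""
# Policy, map, set and ACL numbers/names differ from R1 on purpose: only the contents must match.
R6_CONFIG = """
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco123 address 172.30.1.2
crypto ipsec transform-set R6SET esp-md5-hmac esp-3des
crypto map R6MAP 5 ipsec-isakmp
 set peer 172.30.1.2
 set transform-set R6SET
 match address 102
access-list 102 permit ip 10.0.6.0 0.0.0.255 10.0.1.0 0.0.0.255
interface Serial0/1
 ip address 172.30.6.2 255.255.255.0
 crypto map R6MAP
"""

def parse_config(text):
    """Extract the IPsec-relevant pieces of a running-config into nested dicts."""
    cfg = {"policies": {}, "keys": {}, "tsets": {}, "maps": {}, "acls": {}, "ifaces": {}}
    section = None  # (kind, name) of the block whose indented sub-commands follow
    for raw in filter(str.strip, text.splitlines()):
        words = raw.split()
        if raw.startswith(" ") and section:
            store = cfg[section[0]][section[1]]
            if section[0] == "ifaces":  # "ip address A MASK" / "crypto map NAME": third word is the value
                store[" ".join(words[:2])] = " ".join(words[2:3])
            else:  # "encr 3des", "set peer X", "match address N": last word is the value
                store[" ".join(words[:-1]).replace("encryption", "encr")] = words[-1]
            continue
        section = None
        if m := re.match(r"crypto isakmp policy (\d+)", raw):
            cfg["policies"][m[1]] = dict(ISAKMP_DEFAULTS)
            section = ("policies", m[1])
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", raw):
            cfg["keys"][m[2]] = m[1]  # keyed by the peer's tunnel endpoint address
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", raw):
            cfg["tsets"][m[1]] = frozenset(m[2].split())  # transform order is irrelevant
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", raw):
            cfg["maps"][m[1]] = {}
            section = ("maps", m[1])
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+) (\S+) (\S+) (\S+)", raw):
            cfg["acls"].setdefault(m[1], []).append(m.groups()[1:])  # (proto, src, wc, dst, wc)
        elif m := re.match(r"interface (\S+)", raw):
            cfg["ifaces"][m[1]] = {}
            section = ("ifaces", m[1])
    return cfg

def tunnel_endpoint(cfg):
    """(interface IP, crypto map dict) for the interface the crypto map is applied to."""
    iface = next(i for i in cfg["ifaces"].values() if "crypto map" in i)
    return iface["ip address"], cfg["maps"][iface["crypto map"]]

def compare_sites(local, remote):
    """Return the mismatches seen from `local`; an empty list means it agrees with `remote`."""
    my_ip, my_map = tunnel_endpoint(local)
    peer_ip, peer_map = tunnel_endpoint(remote)
    problems = []
    # Phase 1: some local policy must equal some remote policy; the policy numbers may differ.
    if not any(p == q for p in local["policies"].values() for q in remote["policies"].values()):
        problems.append("phase 1: no ISAKMP policy matches the peer")
    # The key is bound to the peer's tunnel endpoint (edge router), never to the protected hosts.
    if local["keys"].get(peer_ip) is None or local["keys"][peer_ip] != remote["keys"].get(my_ip):
        problems.append(f"pre-shared key: missing or different for peer endpoint {peer_ip}")
    if my_map.get("set peer") != peer_ip:
        problems.append(f"crypto map: set peer {my_map.get('set peer')} is not the remote endpoint")
    if local["tsets"].get(my_map.get("set transform-set")) != remote["tsets"].get(peer_map.get("set transform-set")):
        problems.append("phase 2: transform sets differ")
    # Crypto ACLs are mirror images: local (src, dst) must equal remote (dst, src), wildcards included.
    mine = set(local["acls"].get(my_map.get("match address"), []))
    theirs = {(p, d, dw, s, sw) for p, s, sw, d, dw in remote["acls"].get(peer_map.get("match address"), [])}
    if mine != theirs:
        problems.append("crypto ACL: not a mirror image of the peer's ACL")
    return problems
```

Run `compare_sites` in both directions (R1 against R6 and R6 against R1) so that an asymmetric mistake such as a pre-shared key bound to the wrong address is reported from the side that has it.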
Info
Channel: Jayachandran
Views: 17,600
Rating: 4.6981134 out of 5
Keywords: Virtual Private Network (Software Genre), Pre-shared Key, IPsec (Internet Protocol)
Id: nTWm7suXnTc
Length: 64min 55sec (3895 seconds)
Published: Wed Aug 20 2014