IPSec Site to Site VPN tunnels

Captions
Our objective for this demo is really, really simple: to build a virtual private network between two sites of the same company. So here we have R2, which is the edge router for Acme Incorporated; maybe this is the Las Vegas office. And then we have R4, which is the edge router for Acme Inc in Des Moines, Iowa. We're using private address space, so if we wanted to get to the Internet, how would we do that? Well, we'd use network address translation, and I have lots of other great YouTube videos on network address translation, but here I'd like to focus on connectivity between this portion of our network in Las Vegas and this portion of our network out here in Des Moines, Iowa. We're gonna do that by something called IPsec. It's really pretty straightforward; check this out. We train R2, we just whisper in its ear and say, "Hey, dear Mr. R2, any time you see packets, if they are sourced from the 10 network and they're destined for the 192.168.1 network, here's what I want you to do: I want you to take that packet, and instead of just trying to forward it to your default gateway, I want you to take the packet, encrypt it, make it all top secret, and then encapsulate it inside of another packet and send it over to R4." So on the Internet, all they're gonna see is a packet that is sourced from 23.0.1.2, R2's global address, and destined to 56.2.11.2. They never saw the private IP address ranges on the Internet, because it's all encapsulated inside of IPsec packets. R4, when he gets a packet, he's going to decrypt it and then he'll forward it on to the final destination. That's what the game is all about with IPsec.

So there are actually two tunnels that are gonna be built to do this game of IPsec. One is called the IKE phase 1 tunnel between R4 and R2, and you can kind of think of it like the cone of silence from the good old days with Get Smart, where the Chief and Agent 99 or Agent 86 were gonna be talking to each other and they had a personal, private party line. That's what the IKE phase 1 tunnel is all about: if R2 and R4 need to talk to each other, they use that private party line, the IKE phase 1 tunnel. They're also going to use that IKE phase 1 tunnel to build the IPsec tunnel itself. That's the tunnel that the packets from the user at PC1 are going to be encrypted in as they're being sent between R2 and R4. So there are several moving parts, but primarily we're building an IKE phase 1 tunnel so that R2 and R4 can negotiate secret keys and talk to each other, and then we're also building an IPsec tunnel, which R2 and R4 will use on behalf of packets they need to encrypt, send over, and then decrypt and forward on their way.

To make this even more interesting, what I like to do is just verify that PC1 can't get to the 192.168.1 network at the moment. We'll just do a ping of 192.168.1.4, and all that's gonna do for us is: PC1 sends it to its default gateway, R1 routes it to R2, R2 tries to use the default gateway of the service provider, who is then killing it. So we've captured all that and we'll take a look at the protocol analysis as well, but those unreachable messages are the service provider telling us that, yep, I killed the packet. That service provider is at 23.0.1.3, by the way.

So let's build our IPsec tunnel. The very first thing we're gonna do is go to R2, and on R2 we need to specify the policy for the IKE phase 1 tunnel. So we'll go over to R2, and the way we do that is really simple: in configuration mode we're gonna say crypto isakmp policy 1, and we're gonna say we're gonna use authentication of pre-shared keys. There are two primary methods for making two devices prove who they are to each other: one is to use RSA signatures, which is like a digital driver's license, and the second is to use a pre-shared key that they both have, that they can both use to help verify that the party on the other side is who they say they are. So we're going to do that on R2 and R4; that's what we're doing right here. All the other defaults for IKE phase 1 we are going to accept, and there are several others, including the hashing type and including the Diffie-Hellman group and a few others, but we're gonna take all the defaults except for the authentication method, where we're going to specify we're gonna use pre-shared keys.

What's the next thing we'd want to do? Well, the next thing we'd want to do is say, if we are using pre-shared keys, I need to specify what that pre-shared key is with R4. So crypto isakmp key cisco is my key. That's not a very good key for production, but for testing it will work, and I'm saying I'm gonna use this key with a peer at 56.2.11.2. Now another thing we've got to really do is make sure that R2 has reachability to that other IP address. Let's do a real quick ping, because I don't want to set ourselves up and have us not successfully build a tunnel because we don't have reachability to that other global address, 56.2.11.2. So we're just pinging this IP address right here. Okay, that's good news. So we've set up our IKE phase 1 policy to use pre-shared keys, and we've specified that we want to use the key of cisco with the peer at 56.2.11.2. What's next?

Well, the next thing we need to do is identify interesting traffic. One of the fun things in ICND that I get to talk about with students is the purpose of an access list. We can use an access list for so many different things: we can use an access list for filtering, we can apply it inbound or outbound on an interface, we can use it for NAT to identify who may be translated, and we can also use it to identify what traffic should be sent in the VPN tunnel. So in this case we're gonna create an access list of 100, and I'm gonna identify any traffic sourced from the 10 network that's also destined for the 192.168.1 subnet, or actually I should say network, and that's it. So I'm not going to apply this access list to an interface; I'm gonna use this as part of my VPN cryptography policy to tell it what traffic to encrypt and what traffic not to encrypt.

The next thing I'm going to do is specify exactly what type of IPsec policy to use for the IPsec tunnel, and we do that by creating what's called a transform set. The syntax is crypto ipsec transform-set; I'm going to call it MYSET, and then I'll specify we're going to use SHA for hashing and we're gonna use AES for encryption, and that's it. So check this out: we created an access list that says what traffic should be identified for cryptography, we created a transform set, but check this out, we have not applied any of this yet. It's just in the global config, it's sitting there, maybe drinking some, you know, soft drink, having a good time. We haven't put it to use yet. Here's how we bind it all together: we are going to create something called a crypto map. A crypto map simply is the master list that says I want to include all these ingredients. So let me walk you through exactly how to do that: crypto map, I'm going to call it MYMAP, sequence number 1, I want to use ipsec-isakmp. I'm gonna say I want the transform set to be MYSET, I want the peer to be R4's address, and I want to match on address list, access list 100. All this is saying is that if traffic matches access list 100, which is traffic from the 10 network to the 192.168, then I want to set my peer to be good ol' R4's global IP address, and by the way, go ahead and use the transform set MYSET as far as what you're willing to negotiate for the IPsec tunnel. So we're gonna negotiate the AES encryption and SHA hashing HMAC for that IPsec tunnel.

Now the last thing to do is actually turn on the policy. We've got all the ingredients here, but we haven't actually turned it on. We need to tell R2 to apply this crypto map that we just created right here, called MYMAP, apply it to Fa0/0, and we don't have to specify a direction; it's just gonna look for traffic that's trying to go out that interface and it's going to apply the crypto map for it. So we go to interface Fa0/0 and say crypto map and the name of the crypto map, and then we should get a little console message, there it is, saying that ISAKMP is now turned on. That's the Internet Security Association and Key Management Protocol, not too important to memorize what that means, just for that IPsec. So now R2 is willing, if packets come from the 10 network going to the 192.168 network, to try to build an IPsec tunnel with R4, who's not configured yet, but will be in a moment, and once it builds that tunnel it'll then go ahead and start encrypting traffic and sending it over the Internet. So let's just do a quick verification: show crypto map, and that shows you the entire story from the IPsec perspective, easy for me to say. There's our peer, or who it will be, there's the access list, and we are using the transform set called MYSET. The crypto map called MYMAP is applied to Fa0/0 right here.

So now we go to R4 and do virtually the exact same config. What's the biggest difference here? Well, on R4, as we go out there, the biggest difference is that our peer is going to be R2's IP address, and the interesting traffic is gonna be traffic from 192.168 going to the 10 network. So this is simply gonna be flipped: from R4's perspective we're gonna identify the traffic outbound that needs to be encrypted. So we create access list 100 to identify any traffic from 192.168.1.anything going to 10.anything. We then create our transform set, and the transform set should match what R2 is willing to do, because if they don't agree, they won't be too happy. We'll create a crypto map on R4; we can name it whatever we'd like, but the ingredients are: we want to specify the transform set to use, who our peer is going to be, and also the ACL that we want to match on. It also knows that earlier we created the actual key for the peer, and the key matches on both sides.

So now that this is on and enabled, let's see if it's gonna work. Now I have the trace still running on this segment right here; I'm doing a wire capture of all the traffic. Let's go back to our PC, and on our PC that a moment ago couldn't do a ping, let's go and do the ping now. Pretty exciting. Normally we'd lose a period, a timeout of one packet, due to an ARP resolution, and that could have been the case, but it's also likely it just took a moment for R2 and R4 to negotiate the IKE phase 1 tunnel, to negotiate the IPsec tunnel, to encapsulate the packets and send them over. If we do the ping again, it should work like a champ. So now that we've done that, how do we verify this? Here's some commands we can use to verify. We'll go over to R2; we already did the show crypto map, which is great. We can take a look at show crypto ipsec sa, where SA is an acronym for security association, and it will show us, here's the command right here, it'll show us how many packets have been encrypted and decrypted. So the first one didn't make it; the first IP ping packet from PC1 out to R4's network didn't make it, and that was probably due to, it could have been a local ARP, very well could have been, but it's also very likely due to IPsec being set up. So we have, here's our interesting traffic: traffic from the 10 network going to the 192.168.1 network. These zeros represent the fact that all IP protocols, anything, we aren't looking for just ICMP or just TCP, all traffic is going to be encrypted if it matches that. And there's our remote, here's our local endpoint and our destination endpoint for that VPN tunnel, and we had nine packets. So if we do one more ping, let's round it out, let's do a repeat of one, there's one more ping from this PC, or device acting as that PC. We'll go back to R2 and do a show crypto ipsec sa again. Notice it increased to 10. So it's working; we have our connectivity.

Let's take a moment and take a look at the wire capture for all the activity that just occurred. We first tried a ping from PC1, which has the source IP address on the 10 network, going to the 192 network, and it didn't make it. It was killed by 23.0.1.3; that's the IP address of our service provider, who sent an ICMP unreachable message back to the initiator of that packet, which is PC1, saying sorry, I killed that packet. If we looked at the details of that packet, it would also include information describing the packet that was killed. So it's an ICMP message that tells us that it was killed; it also happened to be an ICMP packet that was killed in the process. So that failed; we got three messages back from the service provider. Fantastic. The next thing we did, we verified whether or not R2, from its global address, could ping R4 at its global address, and it was successful, so we have five successful pings and responses that are right here. Then we go down to this guy right here. Now, we configured IKE phase 1 and IKE phase 2 IPsec on R2 and R4. The IKE phase 1 refers to the crypto isakmp policy where we said use pre-shared keys, and we specified it; we took everything else as the defaults. So when the packet from PC1 was going through the Fa0/0 interface of R2, I'll show you that real quick, so as the packet from PC1 went out this interface, the crypto map was there, and R2 said, whoa, this packet is from, let's do a quick show crypto map, he said this traffic is from the 10 network, it's going to the 192.168.1 subnetwork, that matches, I better encrypt this traffic. The problem was there was no tunnel built already between R2 and R4, so R2 started going into what's called main mode. Main mode is one of the methods that can be used in IPsec to negotiate the IKE phase 1 tunnel with a remote peer. So these six packets involve quite a bit of detail, including negotiating what IKE phase 1 policies are acceptable to both, running something called Diffie-Hellman to generate shared secret keying material, and also authenticating with each other. So that's what these six packets are.

The next thing they did: R2 and R4 said okay, we've got an IKE phase 1 tunnel, it's great, but we need an IKE phase 2 tunnel, or an IPsec tunnel, to encapsulate the packet from PC1. So how do we do that? They then go into something called quick mode, and these three packets, quick mode, is negotiating the transform set that they're going to use for the actual IPsec tunnel, negotiating it and setting it up. Then once it's set up, they start encrypting the traffic. So the traffic was really this: the traffic was a ping packet from PC1, sourced from 10.1.0.25, destined to 192.168.1.4. When R2 got it, it encrypted it, wrapped it up into an ESP packet, which is protocol 50, we'll take a look at that in a moment, and shipped it over the Internet from its IP address to the global IP address of R4. R4 decrypted that packet and then forwarded it on to whoever was at .4 on that local network. So PC1 and the PC on this subnet have no clue that IPsec even happened as it went over the Internet; they're just grateful that the packet made it all the way through.

So let's take a look at IPsec here for a moment, the protocol for it. Let's take a look: Ethernet hands it up to IP, and IP is gonna hand it up, in this case, up to protocol, let me bring my screen up a little bit here, up to protocol 0x32. That's in hexadecimal, so 3 sixteens plus 2 more is 50, so in decimal it would be a layer 4 protocol called ESP, the Encapsulating Security Payload, and it is protocol 50 in decimal. So please excuse my hexadecimal interpretation of this Wireshark analyzer. And then it also shows us the payload. So once IP hands it up to ESP, the layer 4 protocol, we have no idea what's literally inside of it, because the contents, however big it is, is going to be all encrypted. So somebody eavesdropping on the Internet, they wouldn't know what the real source IP address was, what the destination IP address was, and they wouldn't know the contents. They wouldn't know if it's a Telnet session or an SSH session or an HTTP session or a ping request or anything else, because the contents of the payload between the edge of R2 and R4 is completely encrypted, and only R2 and R4 can encrypt and decrypt that data. So that's how it operates.

And if we look at this, we should have 10 of these guys; we should have 10 requests and 10 responses. So let me bring this all the way down, let's count real quick to make sure we got all the packets, didn't miss a single one. Okay, this is the bottom of the trace, so I've got 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20. Perfect, because we sent 10 requests and we got 10 responses: 9 initially from the first ping and the second ping, and then we did one more to round it out to 10. So that's an overview of how IPsec can be used to build a site-to-site tunnel between site A, this Las Vegas site of Acme Incorporated, and site B, using the Internet as the backbone, if you will, or the carrier for our transmissions. I appreciate you participating and watching. Have a great, great rest of the day.
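The R2 and R4 configuration walked through in the video, reconstructed here as an added example (this is not the video's own CLI capture). The crypto map and transform set names, interface, peer key "cisco", R4's global address 56.2.11.2 and the provider-side 23.0.1.x addresses are taken from the transcript as read; the wildcard masks (10.0.0.0/8 and 192.168.1.0/24) and R2's global address 23.0.1.2 are assumptions.

```cisco
! R2 (Las Vegas edge) - added example reconstructed from the walkthrough,
! not the video's own CLI capture. Masks and 23.0.1.2 are assumptions.
!
! IKE phase 1 (ISAKMP) policy: only the authentication method is changed;
! every other parameter is left at the IOS default, as in the video.
crypto isakmp policy 1
 authentication pre-share
!
! Pre-shared key for the peer R4; "cisco" is the demo key used in the video.
crypto isakmp key cisco address 56.2.11.2
!
! "Interesting traffic": 10.x.x.x -> 192.168.1.x is what gets encrypted.
! This ACL is referenced by the crypto map, never applied to an interface.
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
!
! IKE phase 2 (IPsec) proposal: AES encryption, SHA-1 HMAC integrity.
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
! Crypto map ties peer, proposal and interesting-traffic ACL together.
crypto map MYMAP 1 ipsec-isakmp
 set peer 56.2.11.2
 set transform-set MYSET
 match address 100
!
! Nothing is active until the map is bound to the outside interface.
interface FastEthernet0/0
 crypto map MYMAP
!
! ---------------------------------------------------------------
! R4 (Des Moines edge): the mirror image; peer and ACL are flipped.
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 23.0.1.2
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto map MYMAP 1 ipsec-isakmp
 set peer 23.0.1.2
 set transform-set MYSET
 match address 100
interface FastEthernet0/0
 crypto map MYMAP
!
! Verification (privileged EXEC), as used in the video plus the phase 1 view:
!   show crypto map        - peer, ACL, transform set, bound interface
!   show crypto isakmp sa  - phase 1 SA state (QM_IDLE once established)
!   show crypto ipsec sa   - phase 2 SA; #pkts encaps/decaps counters
```

If the transform sets on the two sides disagree, phase 1 still completes (show crypto isakmp sa reaches QM_IDLE) but show crypto ipsec sa never shows an active SA or climbing encaps/decaps counters, which is the quickest way to tell a phase 2 mismatch from a reachability or key problem.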
Info
Channel: Keith Barker
Views: 418,457
Rating: 4.9284263 out of 5
Keywords: IPSec, site-to-site, tunnel, cisco, ccna, ccent, security
Id: C_B9k0l6kEs
Channel Id: undefined
Length: 18min 44sec (1124 seconds)
Published: Mon Apr 04 2011