With internet security at the forefront of everyone's mind these days, keeping
data safe while it is in transit is vital. A number of technologies are
available for this, including IP Security (IPSec), Generic Routing
Encapsulation (GRE), Secure Sockets Layer (SSL) VPNs, and more. One of the
major issues many people have with IPSec is that it does not directly support
IP multicast (required by many routing protocols) or protocols other than IP;
this is often why a mix of technologies is used to build the solution that
best fits each situation.
For now, let's take a look at just IPSec --
specifically, IPSec direct encapsulation on Cisco devices.
Transport or Tunnel? Tackling IPSec Modes
The first thing to recognize is that IPSec itself is not a single protocol but
a collection of protocols used together to create a secure connection between
endpoints. IPSec is an open standard; among its most used components is the
Internet Security Association and Key Management Protocol (ISAKMP), which
establishes a Security Association (SA) between endpoints, including the
encryption protocol used for ISAKMP itself, the authentication method, and
their parameters. Authentication Header (AH) gives a connection integrity
protection and data origin authentication, while Encapsulating Security Payload
(ESP) provides integrity protection and data origin authentication as well as
data confidentiality through encryption. IPSec offers two modes of operation:
transport and tunnel. AH and ESP behave differently depending on the mode in
use.
Now that I've thrown a mess of acronyms at you, let's tackle the modes of
operation. In transport mode, AH inserts an IPSec header after the main IP
header and is able to protect the contents of all IP header fields. In tunnel
mode, AH authenticates the original header, encapsulates it and creates a new
IP header, which it then protects the same as in transport mode. Because AH
covers the whole IP header, it is not compatible with NAT, since NAT changes
the source and destination IP address fields.
In transport mode, ESP encrypts the IP payload and inserts an IPSec header
after the original header; it does not alter the original IP header and does
not authenticate the IP header itself. In tunnel mode, however, ESP inserts the
IPSec header after the original IP header, and it encapsulates and (if
encryption is configured) encrypts the whole IP packet. A new IP header is then
put onto the encapsulated packet; this new IP header is not authenticated.
IPSec Direct Encapsulation Configuration
There are a number of commands used to set up IPSec. Table 1 below shows the
required commands and their options. This is certainly a long list of commands
to follow; the simplest way to learn it is to set up two routers (or emulated
routers) and configure them with these steps.
Table 1. IPSec direct encapsulation commands (step, description, command)

1. Enter privileged EXEC mode
   router>enable
2. Enter device configuration mode
   router#configure terminal
3. Create and enter ISAKMP policy configuration mode
   router(config)#crypto isakmp policy policy-priority
4. Configure an ISAKMP encryption standard
   router(config-isakmp)#encryption [3des | aes | des]
5. Configure the ISAKMP authentication type
   router(config-isakmp)#authentication [pre-share | rsa-encr | rsa-sig]
6. Configure a Diffie-Hellman group
   router(config-isakmp)#group [1 | 2 | 5 | 14 | 15 | 16]
7. Exit ISAKMP policy configuration mode
   router(config-isakmp)#exit
8. Configure the ISAKMP pre-shared key. This is just one method -- other Public
   Key Infrastructure options can also be used
   router(config)#crypto isakmp key key [address ip-address | hostname hostname]
9. Configure Dead Peer Detection (DPD) keepalive messages. While this is not
   required, it provides a mechanism to know when an IKE peer goes down.
   router(config)#crypto isakmp keepalive seconds
10. Create an IPSec transform set. This is the combination of security
    protocols and algorithms used. There are several transforms available;
    check the Cisco command reference for a complete list.
    router(config)#crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
11. Configure the source IPSec interface to be used
    router(config)#crypto map map-name local-address interface
12. Create and enter crypto map configuration mode
    router(config)#crypto map map-name sequence-number ipsec-isakmp
13. Configure the IPSec peer
    router(config-crypto-map)#set peer [peer-ip-address | peer-hostname]
14. Configure the IPSec transform set to be used
    router(config-crypto-map)#set transform-set transform-set-name
15. Configure the ACL to be used for interesting traffic. "Interesting
    traffic" is the traffic that will be acted upon by IPSec
    router(config-crypto-map)#match address acl-number
16. Exit crypto map configuration mode
    router(config-crypto-map)#exit
17. Create an ACL for interesting traffic. This is typically an extended ACL
    that specifies the traffic that will be handled by IPSec.
    router(config)#access-list acl-number permit ip source-network source-inverse-mask destination-network destination-inverse-mask
18. Enter interface configuration mode. This is the source interface for IPSec
    router(config)#interface interface
19. Configure the interface to use a specific crypto map
    router(config-if)#crypto map map-name
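As an added example (not part of the original article and not Cisco's own tooling), the following Python script walks a constructed R1 running-config built from the steps above and flags the settings a reviewer would want changed: legacy ISAKMP ciphers, hashes and Diffie-Hellman groups, weak transforms, a crypto map that references an undefined transform set, and a missing DPD keepalive. The router names, addresses, key and the weak-setting lists are assumptions.

```python
# Constructed sample config for router R1 (not from the article), built from its steps; names, addresses and key are placeholders.
R1_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key R1R2-PSK-PLACEHOLDER address 203.0.113.2
crypto isakmp keepalive 10
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
crypto map VPN-MAP local-address GigabitEthernet0/0
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
interface GigabitEthernet0/0
 crypto map VPN-MAP
"""
# Assumed review thresholds: legacy ciphers and hashes, and small DH groups.
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}

def audit_ipsec_config(config: str) -> list[str]:
    """Walk an IOS config line by line and return findings (empty list = clean)."""
    findings, context = [], ""            # context = the enclosing top-level command
    defined_sets, used_sets, has_dpd = set(), {}, False
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw.startswith(" "):           # indented line: sub-mode of `context`
            if context.startswith("crypto isakmp policy") and len(words) > 1:
                if words[1] in WEAK_ISAKMP.get(words[0], set()):
                    findings.append(f"{context}: weak {words[0]} {words[1]}")
            elif context.startswith("crypto map") and words[:2] == ["set", "transform-set"]:
                used_sets[words[2]] = context
            continue
        context = raw                     # new top-level command
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            defined_sets.add(words[3])
            for alg in sorted(WEAK_TRANSFORMS.intersection(words[4:])):
                findings.append(f"transform-set {words[3]}: weak {alg}")
        elif words[:3] == ["crypto", "isakmp", "keepalive"]:
            has_dpd = True
    for name, ctx in used_sets.items():   # step 14 must point at a step 10 transform set
        if name not in defined_sets:
            findings.append(f"{ctx}: references undefined transform-set {name}")
    if not has_dpd:                       # step 9 is optional but worth flagging
        findings.append("no crypto isakmp keepalive: dead IKE peers will not be detected")
    return findings
```

Run it against the output of `show running-config` saved to a file, or change the sample's algorithms to des/3des and group 2 to see the findings appear.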
Far away from the End…
When it comes to IP Security, there are certainly a large number of options
and methods for using IPSec direct encapsulation, both by itself and in
conjunction with other security technologies. Hopefully this article has helped
you feel less mired in your understanding of general IPSec concepts, and you've
learned a bit about how to configure direct IPSec encapsulation without the use
of any other technologies.
---Original reference from http://www.petri.co.il/ipsec-direct-encapsulation.htm