IPsec - GNS3
5/23/2018
IPsec, and IPsec over GRE Tunnel
Intro
Most enterprises today move to IPsec over GRE tunnel to save cost, but I'm not saying that this technology has already ruled out MPLS, leased lines, etc. It depends on the site: how critical it is, and how stable the internet connection is. Usually a small office like a sales branch that only has a few workers uses this to connect to the corporate LAN.
IPsec and GRE Tunnel are different things; we'll go with IPsec first, then a brief look at GRE, then I'll give you an example of IPsec over GRE tunnel.
IPsec
The three main points of IPsec are:
Authentication
Data Integrity
Confidentiality
Authentication
to make sure you are communicating or talking to the right party
Data Integrity
to make sure what you send is received at the destination in the same shape, meaning no modification happened along the way
Confidentiality
to make sure what is sent cannot be seen by a third party
What builds an IPsec?
Basically, IPsec is a combination of a few protocols:
Negotiation: IKE
Security: AH, ESP, ESP/AH
Encryption: DES, 3DES, AES
Authentication (hashing): MD5, SHA
Protection (key exchange): Diffie-Hellman (DH) groups
Two modes of communication
Transport mode
This mode is used when data needs to be secured within the LAN, for example super important, high-confidentiality kinds of data.
From the picture above, the encryption/protection only applies to layer 4 and above. This is because the packet only travels within the LAN, so there's no point in protecting the IP header. Secure communication happens between two endpoints; another party can't read the packet from layer 4 upward, but they can still read the IP layer.
Tunnel mode
This mode is used when the packet needs to travel across a public network, where it's dangerous to let others see the private/internal IP information. In this mode, encryption is done starting from the IP header (layer 3) and above to protect the internal IP information; a new public IP header is then added so the packet can be routed in the public network.
(figure: http://2.bp.blogspot.com/_bklsWYp6a_s/SwoRhBmN2NI/AAAAAAAAAFQ/PJOMv27mWrY/s1600/ipsec_3.png)
The two types of encryption keys
Symmetric: both sides use the same key to encrypt and decrypt data (shared key)
Asymmetric: public key to encrypt, private key to decrypt
Data Integrity
Data integrity is making sure the data is untouched on the way to the destination. To ensure this, the data is first put through a formula (a hash function) to produce a value, and that value is sent along with the data. When it is received on the other side, the value is recalculated; if it is the same as the value produced before, it means the data is clean of any modification.
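As an added example (not code from the original post), here is a toy Python model of the two ESP modes and of the integrity check described above. It shows which bytes an on-path observer can still read in transport mode versus tunnel mode, and how a receiver detects a packet modified in transit by recomputing the integrity value. The keys, addresses and payloads are constructed; the SHA-256 keystream cipher stands in for DES/3DES/AES and HMAC-SHA256 stands in for the MD5/SHA HMAC, and the bracketed text headers stand in for the real binary IP and ESP headers.

```python
# Added example (not code from the original post): toy model of ESP transport
# vs tunnel mode plus the integrity check. Everything here is constructed.
import hashlib
import hmac
import struct

ENC_KEY = b"constructed-encryption-key"   # shared (symmetric) key held by both peers
AUTH_KEY = b"constructed-integrity-key"   # shared key for the HMAC
ESP_MARK = b"[ESP]"                       # stands in for the ESP header (SPI, sequence)
ICV_LEN = 32                              # HMAC-SHA256 output length


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256 over key||counter (counter-mode style)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation for a stream cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def ip_header(src: str, dst: str, proto: str) -> bytes:
    """Simplified cleartext IP header; real IPsec keeps the binary header."""
    return f"[IP {src}->{dst} {proto}]".encode()


def esp_protect(mode, inner_ip, upper_layers, outer_src=None, outer_dst=None):
    """Transport mode: original IP header stays in the clear, layer 4 and
    above are encrypted. Tunnel mode: the whole original packet is encrypted
    and a new public IP header is prepended so it can be routed."""
    if mode == "transport":
        clear, protected = inner_ip, upper_layers
    elif mode == "tunnel":
        clear = ip_header(outer_src, outer_dst, "esp")
        protected = inner_ip + upper_layers
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    esp = ESP_MARK + xor_cipher(ENC_KEY, protected)
    # ESP's integrity value covers the ESP header and ciphertext, not the
    # outer IP header (AH would cover that header as well).
    icv = hmac.new(AUTH_KEY, esp, hashlib.sha256).digest()
    return clear + esp + icv


def observer_view(wire: bytes) -> str:
    """Everything an on-path third party can read: the cleartext IP header."""
    return wire.split(ESP_MARK, 1)[0].decode()


def esp_unprotect(wire: bytes) -> bytes:
    """Receiver side: verify the integrity value first, then decrypt."""
    esp = ESP_MARK + wire.split(ESP_MARK, 1)[1]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, icv):
        raise ValueError("integrity check failed: packet was modified in transit")
    return xor_cipher(ENC_KEY, body[len(ESP_MARK):])


def modified_in_transit(wire: bytes) -> bool:
    """Flip one bit inside the ciphertext and report whether the receiver notices."""
    tampered = bytearray(wire)
    tampered[-ICV_LEN - 1] ^= 0x01
    try:
        esp_unprotect(bytes(tampered))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    inner = ip_header("10.1.1.5", "10.2.2.9", "tcp")   # constructed private addresses
    data = b"[TCP 443 GET /payroll]"
    t = esp_protect("transport", inner, data)
    u = esp_protect("tunnel", inner, data, "203.0.113.1", "198.51.100.7")
    print("transport mode, observer sees:", observer_view(t))
    print("tunnel mode, observer sees:   ", observer_view(u))
    print("tamper detected:", modified_in_transit(u))
```

Compare the two observer_view() results: in transport mode the private 10.x addresses are on the wire, in tunnel mode only the public header is. The deliberate bit flip in modified_in_transit() makes esp_unprotect() refuse the packet before anything is decrypted, which is the data-integrity property in action. The comment in esp_protect() is the caveat worth remembering: ESP alone does not authenticate the outer IP header.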
The phases to make communication happen
IKE phase 1
From the example above, R1 wants to initiate a connection, so R1 starts by sending message 1.
Message 1: negotiate a matching IKE SA policy between the peers to protect the IKE exchange
Message 2: exchange DH keys
Message 3: make sure they are who they say they are (authentication)
Basically this phase sets up a secure management channel for IKE phase 2.
IKE phase 2
Negotiate and exchange IPsec parameters, protected by the existing IKE SA
Periodically renegotiate IPsec SAs to ensure security
Data transfer also happens in this stage
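An added example (not from the original post) of how the "matching IKE SA policy" in message 1 is found. Each router holds ISAKMP policies keyed by a priority number (lower number = higher priority); the initiator offers all of its policies and the responder walks its own list in priority order, accepting the first policy that one of the offers matches on encryption, hash, authentication and DH group, with the shorter lifetime winning. The IsakmpPolicy structure, the negotiate() and mismatch_report() helpers and the sample policies are constructed for illustration; they are not IOS output.

```python
# Added example (not from the original post): IKE phase 1 policy selection.
# Structures and sample policies are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

ATTRIBUTES = ("encryption", "hash", "authentication", "group")


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # "crypto isakmp policy <n>"; lower = higher priority
    encryption: str        # des, 3des, aes
    hash: str              # md5, sha
    authentication: str    # pre-share, rsa-sig
    group: int             # DH group number
    lifetime: int = 86400  # seconds


def same_attributes(a: IsakmpPolicy, b: IsakmpPolicy) -> bool:
    return all(getattr(a, n) == getattr(b, n) for n in ATTRIBUTES)


def negotiate(responder, initiator) -> Optional[dict]:
    """Return the agreed attributes, or None when no policy pair matches.
    The responder's priority order decides which match is taken."""
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in sorted(initiator, key=lambda p: p.priority):
            if same_attributes(local, remote):
                agreed = {n: getattr(local, n) for n in ATTRIBUTES}
                agreed["responder_policy"] = local.priority
                agreed["initiator_policy"] = remote.priority
                agreed["lifetime"] = min(local.lifetime, remote.lifetime)
                return agreed
    return None


def mismatch_report(responder, initiator) -> list:
    """Troubleshooting aid when negotiate() returns None: for each responder
    policy, the closest initiator offer and the attributes that differ."""
    report = []
    if not initiator:
        return report
    for local in sorted(responder, key=lambda p: p.priority):
        best = None
        for remote in initiator:
            diffs = [n for n in ATTRIBUTES if getattr(local, n) != getattr(remote, n)]
            if best is None or len(diffs) < len(best[1]):
                best = (remote.priority, diffs)
        report.append((local.priority, best[0], best[1]))
    return report


# Constructed sample: the post's policy 50 (des / sha / pre-share) on one side,
# plus a stronger AES policy at a better priority on the responder.
RESPONDER = [
    IsakmpPolicy(10, "aes", "sha", "pre-share", 14),
    IsakmpPolicy(50, "des", "sha", "pre-share", 2),
]
INITIATOR_LEGACY = [IsakmpPolicy(50, "des", "sha", "pre-share", 2)]
INITIATOR_BOTH = [
    IsakmpPolicy(20, "des", "sha", "pre-share", 2),
    IsakmpPolicy(30, "aes", "sha", "pre-share", 14),
]
INITIATOR_WRONG = [IsakmpPolicy(10, "3des", "md5", "pre-share", 2)]

if __name__ == "__main__":
    print("legacy peer:", negotiate(RESPONDER, INITIATOR_LEGACY))
    print("peer offering both:", negotiate(RESPONDER, INITIATOR_BOTH))
    print("no match:", negotiate(RESPONDER, INITIATOR_WRONG))
    print("why:", mismatch_report(RESPONDER, INITIATOR_WRONG))
```

Two things the run shows: when the initiator offers both DES and AES policies, the responder's own ordering wins and the AES policy 10 is chosen even though the initiator listed DES first; and when nothing matches, mismatch_report() names the attributes that differ, which is what you would check after an "IKE negotiation failed" style message.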
Example: step by step, how to configure a secure IPsec connection
1. Set up the ISAKMP policy (IKE Phase 1), the management phase
png(config)#crypto isakmp policy 50 // give the policy a number; the lower the number, the higher the priority
png(config-isakmp)#authentication pre-share // pre-share: both sides must share the same key
png(config-isakmp)#encryption des
png(config-isakmp)#group <n> // select the DH group to use for the key exchange
png(config-isakmp)#hash sha
png(config)#crypto isakmp key <pre-shared-key> address <peer-ip> // define the pre-shared key here and set the address of the peer
2. Set up the IPsec transform set (IKE Phase 2); basically this is where we define the set of encryption and hash algorithms for the data to use
png(config)#crypto ipsec transform-set <set-name> esp-des esp-sha-hmac
3. Define the interesting traffic using an access-list command; here is where we define which subnet or address needs to be forwarded into the IPsec channel
png(config)#ip access-list extended <acl-name>
png(config-ext-nacl)#permit ip <local-network> 0.0.255.255 <remote-network> 0.0.255.255
4. Set up the crypto map
png(config)#crypto map <map-name> <seq> ipsec-isakmp // give the map a name
png(config-crypto-map)#set peer <peer-ip> // set its peer
png(config-crypto-map)#match address <acl-name> // set the interesting traffic
png(config-crypto-map)#set transform-set <set-name> // set the transform set
5. Apply it to the interface
png(config)#int fa 0/<port>
png(config-if)#crypto map <map-name>
GRE Tunnel over IPsec
GRE tunnel is a standard tunneling method today; it's a logical interface and it's completely non-secure. By combining a GRE tunnel with IPsec we can build a highly secure link with a simple and easy setup, and it can also forward routing updates.
I'll go straight to the example: GRE over IPsec with EIGRP.
(figure: http://1.bp.blogspot.com/_bklsWYp6a_s/SwvjlGpPGtI/AAAAAAAAAFo/jugv8DAvjuk/s1600/ipsec_6.png)
To create a tunnel, make sure you have two public IP addresses that can ping each other. In this example I just assume the three router addresses shown in the figure are public IP addresses.
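An added example (not from the original post) for the "interesting traffic" access list of step 3 above and for the GRE over IPsec case: a small matcher that parses extended ACL entries, decides whether a given packet is sent into the IPsec channel or forwarded in the clear, and checks that the crypto ACLs on two peers are mirror images of each other. It handles the network/wildcard form the step 3 configuration uses and also the "host"/"any" keywords and a protocol entry such as permit gre host A host B, which is the usual crypto ACL shape when a GRE tunnel is carried over IPsec; that GRE entry is my assumption about the setup, not something taken from the post's configuration, and all addresses, ACL contents and packets are constructed sample values.

```python
# Added example (not from the original post): crypto ACL matcher and
# mirror-image check. All addresses, ACL entries and packets are constructed.
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def parse_address(tokens: list, pos: int):
    """Consume one address spec at tokens[pos]; return ((base, wildcard), next_pos)."""
    if tokens[pos] == "any":
        return ("0.0.0.0", "255.255.255.255"), pos + 1
    if tokens[pos] == "host":
        return (tokens[pos + 1], "0.0.0.0"), pos + 2
    return (tokens[pos], tokens[pos + 1]), pos + 2


def parse_ace(line: str) -> dict:
    """Parse 'permit|deny <proto> <src> <dst>' (port qualifiers are not modelled)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, pos = parse_address(tokens, 2)
    dst, _ = parse_address(tokens, pos)
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def ace_matches(ace: dict, proto: str, src: str, dst: str) -> bool:
    proto_ok = ace["proto"] in ("ip", proto)   # "ip" matches every protocol
    return (proto_ok
            and wildcard_match(src, *ace["src"])
            and wildcard_match(dst, *ace["dst"]))


def classify(acl: list, proto: str, src: str, dst: str) -> str:
    """First matching entry wins; the implicit deny at the end means 'clear'."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, proto, src, dst):
            return "encrypt" if ace["action"] == "permit" else "clear"
    return "clear"


def is_mirror(acl_a: list, acl_b: list) -> bool:
    """Crypto ACLs on the two peers must be mirror images: every permit entry
    on one side must appear on the other with source and destination swapped."""
    def permits(acl):
        return {(e["proto"], e["src"], e["dst"])
                for e in map(parse_ace, acl) if e["action"] == "permit"}
    return permits(acl_a) == {(p, d, s) for (p, s, d) in permits(acl_b)}


# Constructed sample: site-to-site between 10.1.0.0/16 (png side) and
# 10.2.0.0/16 (cyb side), a mis-typed peer ACL, and the GRE-over-IPsec form
# that matches only the GRE packets between the two tunnel endpoints.
PNG_ACL = ["permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255"]
CYB_ACL = ["permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255"]
CYB_ACL_WRONG = ["permit ip 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255"]
GRE_ACL = ["permit gre host 203.0.113.1 host 198.51.100.7"]

if __name__ == "__main__":
    print(classify(PNG_ACL, "tcp", "10.1.4.20", "10.2.9.1"))        # encrypt
    print(classify(PNG_ACL, "tcp", "10.1.4.20", "192.0.2.10"))      # clear
    print(classify(GRE_ACL, "gre", "203.0.113.1", "198.51.100.7"))  # encrypt
    print(is_mirror(PNG_ACL, CYB_ACL), is_mirror(PNG_ACL, CYB_ACL_WRONG))
```

With the GRE form, a plain TCP packet between the LANs is classified "clear" by the crypto ACL; that is expected, because the router first wraps it in GRE between the two public addresses and it is the resulting GRE packet that matches and gets encrypted. The is_mirror() check catches the classic mistake of peers whose ACLs do not line up, which shows up as one direction working and the other not.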
Sample Conf for png
crypto map vpn <seq> ipsec-isakmp
 set peer <spoke-public-ip>
 set transform-set strong
 match address <acl>
(figure: http://2.bp.blogspot.com/_bklsWYp6a_s/Swv-2rkCDkI/AAAAAAAAAFw/_x8GOAYVsZg/s1600/ipsec_7.png)
interface Tunnel<n>
 tunnel source FastEthernet0/0
 tunnel destination <cyb-public-ip>
 crypto map vpn
interface Tunnel<m>
 tunnel source FastEthernet0/0
 tunnel destination <third-router-public-ip>
 crypto map vpn
interface FastEthernet0/0
 ip address <png-public-ip> 255.255.0.0
 duplex auto
 speed auto
 crypto map vpn
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
router eigrp <as>
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
line vty 0 4
 login
end
Sample Conf for cyb
interface Tunnel<n>
 tunnel source FastEthernet0/0
 tunnel destination <png-public-ip>
 crypto map vpn
interface FastEthernet0/0
 ip address <cyb-public-ip> 255.255.0.0
 duplex auto
 speed auto
 crypto map vpn
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
router eigrp <as>
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
Sample Conf for the third router
interface Tunnel<n>
 tunnel source FastEthernet0/0
 tunnel destination <png-public-ip>
 crypto map vpn
interface FastEthernet0/0
 ip address <third-router-public-ip> 255.255.0.0
 duplex auto
 speed auto
 crypto map vpn
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
router eigrp <as>
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes