© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod3_L4 1 Implementing Secure Converged Wide Area Networks (ISCW)

Post on 21-Dec-2015


Page 1:

Implementing Secure Converged Wide Area Networks (ISCW)

Page 2:

Module 3 – Lesson 4

Configuring IPsec VPN using SDM

Page 3:

Module Introduction

Virtual private networks (VPNs) use advanced encryption techniques and tunneling to permit organisations to establish secure, end-to-end, private network connections over third-party networks such as the Internet

Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to create VPN solutions that meet the security requirements of any organisation

This module explains fundamental terms associated with VPNs, including the IP Security protocol, and Internet Key Exchange. It then details how to configure various types of VPN, using various currently available methods

Page 4:

Objectives

At the completion of this fourth lesson, you will be able to:

Describe how to configure a VPN using SDM on a Cisco router

Successfully configure a site-to-site VPN using SDM on Cisco routers

Page 5:

What is SDM?

The Cisco Router and Security Device Manager (SDM) is an easy-to-use, Java-based device management tool designed for configuring LAN, WAN, and security features on a router

SDM can reside in router memory or on your PC

SDM simplifies router and security configuration by using intelligent wizards to enable users to quickly and easily deploy, configure, and monitor a Cisco access router

SDM meets the needs of people who are proficient in LAN fundamentals and basic network design but have little or no experience with the IOS CLI, or who are not security experts

Page 6:

What is SDM (continued)

SDM can also assist more advanced users

SDM contains several other timesaving tools and wizards, including

An access control list (ACL) editor,

A VPN crypto map editor,

A Cisco IOS CLI preview

SDM has a unique Security Audit wizard that provides a comprehensive router security audit. This uses Cisco Technical Assistance Centre (TAC) and Internet Computer Security Association (ICSA) recommended security configurations as the basis for comparisons and default settings

Page 7:

SDM ‘Wizards’

Other intelligent Cisco wizards are available in SDM for these three tasks:

Autodetecting misconfigurations and proposing fixes

Providing strong security and verifying configuration entries

Using device and interface-specific defaults

Examples of SDM wizards include:

Startup wizard for initial router configuration

One-step router lockdown wizard to harden the router

Policy-based firewall and access-list management to easily configure firewall settings based on policy rules

One-step site-to-site VPN wizard

Page 8:

SDM Installation and Use

Use the SDM wizards to provide quick deployment

A suggested workflow is given in the lower part of each wizard screen to guide untrained users through the process

Begin with configuring LAN, WAN, firewall, intrusion prevention system (IPS), and VPN, and finish with performing a security audit

SDM is embedded and factory-installed within the Cisco IOS 800–3800 Series routers and available for download for select router platforms (see next)

NB: This course focuses specifically on SDM version 2.2a. Due to the nature of the software, changes must be expected with new revisions. Although the features and screens may vary between versions of SDM, the general concepts shown here are applicable to all versions.

Page 9:

SDM Supported Platforms

Page 10:

SDM Home Page

About your router

Configuration overview

‘Configure’ icon

Page 11:

VPN Configuration

To select and start a VPN wizard, follow this procedure:

1. Click the Configure icon in the top horizontal navigation bar of the Cisco SDM main page (previous) to enter the configuration page

2. Click the VPN icon in the left vertical navigation bar to open the VPN page.

3. Choose one of the available VPN wizards from the list.

The example on the next slide shows the screen that appears when you choose the Site to Site VPN wizard from the list.

Here you can create two types of site-to-site VPNs: classic and generic routing encapsulation (GRE) over IPsec

Page 12:

VPN Configuration Page

[Screenshot callouts: Wizards for IPsec solutions; Individual IPsec components]

Page 13:

Site-to-Site VPN Components

VPN wizards use two sources to create a VPN connection:

User input during the step-by-step wizard process

Preconfigured VPN components

SDM provides some default VPN components:

Two IKE policies

IPsec transform set for Quick Setup wizard

Other components are created by the VPN wizards.

Some components (for example, PKI) must be configured before the wizards can be used.

Page 14:

Site-to-Site VPN Components (Continued)

Two main components:

IPsec

IKE

Two optional components:

Group Policies for Easy VPN Server functionality

Public Key Infrastructure for IKE authentication using digital certificates

[Screenshot callout: Individual IPsec components used to build VPNs]

Page 15:

Starting SDM

SDM can be started on a router by entering the IP address of the router in a browser

If SDM has been installed on the PC, start it by double-clicking the SDM shortcut or by choosing it from the program menu (Start > Programs > Cisco Systems > Cisco SDM) and enter the IP address of the router.

SDM Launcher

SDM Launch Page

Page 16:

SDM Home Page

Page 17:

Launching Site-to-Site VPN Wizard – Step 1


Page 18:

Selecting the Quick Setup or Step-by-Step Configuration Wizard – Step 2


Page 19:

Quick Setup

Page 20:

Quick Setup Configuration Summary

Page 21:

Step-by-Step Setup

Multiple steps are required to configure the VPN connection:

Defining connection settings: Outside interface, peer address, authentication credentials

Defining IKE proposals: Priority, encryption algorithm, HMAC, authentication type, Diffie-Hellman group, lifetime

Defining IPsec transform sets: Encryption algorithm, HMAC, mode of operation, compression

Defining traffic to protect: Single source and destination subnets, ACL

Reviewing and completing the configuration
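The Cisco IOS configuration that the step-by-step wizard produces for the five steps above, written out here as an added example rather than taken from the slides. It uses the addresses, interface and crypto map name from the show output on page 34 (Router2 side); the IKE/IPsec algorithm choices, the transform set and ACL names, the interface mask and the pre-shared key are assumptions and placeholders, not SDM's own defaults.

```cisco
! Step 2 - IKE proposal: priority 10, AES-128, SHA-1 HMAC, pre-shared key,
! Diffie-Hellman group 2, 24-hour lifetime (values chosen here, not SDM defaults)
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Step 1 - authentication credential for the peer (placeholder; use a long random secret)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 172.30.1.2
!
! Step 3 - IPsec transform set: ESP with AES encryption and SHA HMAC, tunnel mode
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! Step 4 - traffic to protect: single source and destination subnet (simple mode)
access-list 100 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
!
! Crypto map ties peer, transform set and protected traffic together
crypto map mikesmap 1 ipsec-isakmp
 description Site-to-site tunnel to 172.30.1.2
 set peer 172.30.1.2
 set transform-set ESP-AES-SHA
 match address 100
!
! Step 1 - outside interface (mask assumed); applying the map activates the policy
interface FastEthernet0/0
 ip address 172.30.2.2 255.255.255.0
 crypto map mikesmap
!
! Step 5 - verification from EXEC mode (see pages 33-34): the IKE SA should reach
! QM_IDLE and the IPsec encrypt/decrypt counters should rise once traffic between
! 10.0.2.0/24 and 10.0.1.0/24 is generated
! show crypto isakmp sa
! show crypto ipsec sa
```

The peer router needs the mirror image: its own LAN 10.0.1.0/24 as the source in the ACL, 172.30.2.2 as the peer, and an identical IKE policy, transform set and pre-shared key.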

Page 22:

Configuring Connection Settings


Page 23:

Configuring IKE Proposals


Page 24:

Configuring the Transform Set


Page 25:

Defining What Traffic to Protect: Simple Mode (Single Source and Destination Subnet)


Page 26:

Defining What Traffic to Protect: Using an ACL


Page 27:

Adding Rules to ACLs


Page 28:

Configuring a New ACL Rule Entry


Page 29:

Review the Generated Configuration

Page 30:

Review the Generated Configuration (Cont.)

Page 31:

Test Tunnel Configuration and Operation


Page 32:

Monitor Tunnel Operation


Page 33:

Test, Monitor, and Troubleshoot Tunnel Configuration and Operation

router# show crypto isakmp sa

To display all current IKE security associations (SAs), use the show crypto isakmp sa command in EXEC mode. QM_IDLE status indicates an active IKE SA.

router# show crypto ipsec sa

To display the settings used by current SAs, use the show crypto ipsec sa command in EXEC mode. Non-zero encryption and decryption statistics indicate a working pair of IPsec SAs (see next slide).

Page 34:

Encryption and Decryption Statistics

Router2#sh crypto ipsec sa

interface: FastEthernet0/0

Crypto map tag: mikesmap, local addr. 172.30.2.2

protected vrf:

local ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)

current_peer: 172.30.1.2:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 15, #pkts encrypt: 15, #pkts digest 0

#pkts decaps: 15, #pkts decrypt: 15, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 172.30.2.2, remote crypto endpt.: 172.30.1.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 938FF981 etc etc etc………..

From a working tunnel!

Page 35:

Troubleshooting

router# debug crypto isakmp

• Debugs IKE communication

• Advanced troubleshooting uses the Cisco IOS CLI

• Requires knowledge of Cisco IOS CLI commands

Page 36: