IPsec Site to Site VPN


This post is dedicated to myself. It's a reminder.

For this lab we need:

2 2620XM routers running IOS c2600-adventerprisek9_ivs-mz.124-25b.bin
1 DTE/DCE serial cable
And in my case the official CCNA Security 640-553 guide by Kevin Wallace. I love this book. It's one of those "old" books you buy on eBay at a very good price, and they are as full of wisdom as a Jedi master.

Configuring R1 – ISAKMP parameters – PHASE 1

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#no ip domain-lookup
R1(config)#line console 0
R1(config-line)#loggin synchronous
R1(config-line)#exec-timeout 0 0
R1(config-line)#end
R1#
R1#configure terminal
R1(config)#interface s0/0
R1(config-if)#ip address 172.16.0.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#end
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface loopback0
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config-if)#end

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash md5
R1(config-isakmp)#encryption ?
3des Three key triple DES
aes AES – Advanced Encryption Standard.
des DES – Data Encryption Standard (56 bit keys).
R1(config-isakmp)#encryption aes ?
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
<cr>

R1(config-isakmp)#encryption aes 128
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit
R1(config)#crypto isakmp key cisco123 address 172.16.0.2
R1(config)#end
R1#

Configuring R2 – ISAKMP parameters – PHASE 1

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#no ip domain-lookup
R2(config)#line console 0
R2(config-line)#loggin synchronous
R2(config-line)#exec-timeout 0 0
R2(config-line)#end

R2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
Serial0/0 172.16.0.2 YES manual up up
Serial0/1 unassigned YES unset administratively down down
Loopback0 2.2.2.2 YES manual up up
R2#

R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#hash md5
R2(config-isakmp)#encryption aes 128
R2(config-isakmp)#group 2
R2(config-isakmp)#lifetime 86400
R2(config-isakmp)#exit
R2(config)#crypto isakmp key cisco123 address 172.16.0.1
R2(config)#exit
R2#

IKE PHASE 2 – Configuring R1

R1#
R1#configure terminal
R1(config)#crypto ipsec transform-set SET esp-aes esp-md5-hmac
R1(cfg-crypto-trans)#exit
R1(config)#access-list 101 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
R1(config)#crypto map MAP1 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 172.16.0.2
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#set transform-set SET
R1(config-crypto-map)#exit
R1(config)#exit
R1#

R1#configure terminal
R1(config)#interface serial0/0
R1(config-if)#crypto map MAP1
R1(config-if)#end
R1#configure terminal
R1(config)#ip route 2.2.2.0 255.255.255.0 172.16.0.2
R1(config)#end

IKE PHASE 2 – Configuring R2

R2#
R2#configure terminal
R2(config)#crypto ipsec transform-set SET esp-aes esp-md5-hmac
R2(cfg-crypto-trans)#exit
R2(config)#access-list 101 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
R2(config)#crypto map MAP2 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 172.16.0.1
R2(config-crypto-map)#match address 101
R2(config-crypto-map)#set transform-set SET
R2(config-crypto-map)#end
R2#

R2#configure terminal
R2(config)#interface serial0/0
R2(config-if)#crypto map MAP2
R2(config-if)#exit
R2(config)#ip route 1.1.1.0 255.255.255.0 172.16.0.1
R2(config)#end
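Before moving on to the test, it is worth checking that the two sides actually agree. The script below is an added example (not part of the original post and not a Cisco tool): it takes the tunnel-relevant lines of the R1 and R2 configurations as entered above, copied into two strings, and checks the things that must line up before the tunnel can come up: the same pre-shared key, each side's key address and `set peer` pointing at the other router, identical encryption/hash/authentication/group in the ISAKMP policy (the lifetime may differ, the shorter one is negotiated), the same transform set, and crypto ACLs that are mirror images of each other. It also flags, as warnings only, the algorithms this lab uses that current guidance (Cisco's Next Generation Encryption recommendations) treats as legacy: MD5, DH group 2 and `esp-md5-hmac`. The parser assumes one ISAKMP policy and one crypto map per excerpt, which is all the lab has.

```python
# Added example (not from the original post): a consistency check over the
# tunnel-relevant lines of the R1 and R2 configurations entered in the lab.
import re

R1_CONFIG = """\
interface Serial0/0
 ip address 172.16.0.1 255.255.255.0
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption aes 128
 group 2
 lifetime 86400
crypto isakmp key cisco123 address 172.16.0.2
crypto ipsec transform-set SET esp-aes esp-md5-hmac
access-list 101 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
crypto map MAP1 10 ipsec-isakmp
 set peer 172.16.0.2
 match address 101
 set transform-set SET
"""
R2_CONFIG = """\
interface Serial0/0
 ip address 172.16.0.2 255.255.255.0
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption aes 128
 group 2
 lifetime 86400
crypto isakmp key cisco123 address 172.16.0.1
crypto ipsec transform-set SET esp-aes esp-md5-hmac
access-list 101 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
crypto map MAP2 10 ipsec-isakmp
 set peer 172.16.0.1
 match address 101
 set transform-set SET
"""
# ISAKMP policy values that Cisco's Next Generation Encryption guidance calls legacy.
LEGACY = {"hash": {"md5"}, "encryption": {"des", "3des"}, "group": {"1", "2", "5"}}


def grab(cfg, pattern):
    """First capture group of a line-anchored regex, or None if absent."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None


def parse_peer(cfg):
    """Tunnel-relevant settings of an IOS excerpt (assumes one policy, one crypto map)."""
    tsets = dict(re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M))
    acls = {n: (s, d) for n, s, d in
            re.findall(r"^access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)$", cfg, re.M)}
    return {
        "local": grab(cfg, r"^ ip address (\S+)"),
        "psk": grab(cfg, r"^crypto isakmp key (\S+) address"),
        "psk_peer": grab(cfg, r"^crypto isakmp key \S+ address (\S+)"),
        "peer": grab(cfg, r"^ set peer (\S+)"),
        "policy": dict(re.findall(r"^ (authentication|hash|encryption|group|lifetime) (.+)$", cfg, re.M)),
        "tset": tsets.get(grab(cfg, r"^ set transform-set (\S+)")),
        "acl": acls.get(grab(cfg, r"^ match address (\d+)")),  # (source, destination)
    }


def check_pair(cfg_a, cfg_b):
    """Errors that would stop the tunnel coming up, plus advisory warnings."""
    a, b = parse_peer(cfg_a), parse_peer(cfg_b)
    errors, warnings = [], []
    if a["psk"] != b["psk"]:
        errors.append("pre-shared keys differ")
    for me, other, name in ((a, b, "A"), (b, a, "B")):
        if not (me["psk_peer"] == me["peer"] == other["local"]):
            errors.append(f"{name}: isakmp key address / set peer do not point at the other peer")
    # Phase 1: these four attributes must be identical for the policies to match.
    for attr in ("encryption", "hash", "authentication", "group"):
        if a["policy"].get(attr) != b["policy"].get(attr):
            errors.append(f"isakmp policy {attr} mismatch: {a['policy'].get(attr)} vs {b['policy'].get(attr)}")
    # Lifetime may differ; the shorter value is what the peers end up using.
    lifetime = min(int(a["policy"].get("lifetime", 86400)), int(b["policy"].get("lifetime", 86400)))
    # Phase 2: matching transform sets, and crypto ACLs that mirror each other.
    if a["tset"] is None or a["tset"] != b["tset"]:
        errors.append(f"transform set missing or mismatched: {a['tset']} vs {b['tset']}")
    if a["acl"] is None or b["acl"] is None or a["acl"] != (b["acl"][1], b["acl"][0]):
        errors.append(f"crypto ACLs are not mirrored: {a['acl']} vs {b['acl']}")
    # Advisory: flag algorithms that current guidance treats as legacy.
    for attr, weak in LEGACY.items():
        value = a["policy"].get(attr, "").split(" ")[0]
        if value in weak:
            warnings.append(f"isakmp policy uses legacy {attr} {value}")
    if a["tset"] and {"esp-des", "esp-3des", "esp-md5-hmac"} & set(a["tset"].split()):
        warnings.append(f"transform set uses legacy algorithms: {a['tset']}")
    return {"errors": errors, "warnings": warnings, "lifetime": lifetime}
```

Run against the lab configs it reports no errors, a negotiated lifetime of 86400 seconds and three warnings (MD5 hash, DH group 2 and `esp-md5-hmac`); change `hash md5` to `hash sha` on one side only and the policy mismatch shows up as an error, which is exactly the kind of thing the `debug crypto isakmp` output below would otherwise make you hunt for.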

TESTING with an EXTENDED PING

R1#debug crypto isakmp
Crypto ISAKMP debugging is on

R1#ping
Protocol [ip]:
Target IP address: 2.2.2.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 1.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1

*Mar 1 05:33:44.939: ISAKMP: received ke message (1/1)
*Mar 1 05:33:44.939: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar 1 05:33:44.939: ISAKMP: Created a peer struct for 172.16.0.2, peer port 500
*Mar 1 05:33:44.939: ISAKMP: New peer created peer = 0x84FD0BBC peer_handle = 0x80000002
*Mar 1 05:33:44.943: ISAKMP: Locking peer struct 0x84FD0BBC, IKE refcount 1 for isakmp_initiator
*Mar 1 05:33:44.943: ISAKMP: local port 500, remote port 500
*Mar 1 05:33:44.943: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 05:33:44.943: insert sa successfully sa = 84FD04A8
*Mar 1 05:33:44.943: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar 1 05:33:44.943: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 172.16.0.2
*Mar 1 05:33:44.947: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar 1 05:33:44.947: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar 1 05:33:44.947: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar 1 05:33:44.947: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 05:33:44.947: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 05:33:44.947: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar 1 05:33:44.947: ISAKMP:(0:0:N/A:0): sending packet to 172.16.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 05:33:45.187: ISAKMP (0:0): received packet from 172.16.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 05:33:45.191: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 05:33:45.191: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2

*Mar 1 05:33:45.195: ISAKMP:(0:0:N/A:0): .!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 48/49/52 ms
R1#processing SA payload. message ID = 0
*Mar 1 05:33:45.195: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar 1 05:33:45.195: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Mar 1 05:33:45.195: ISAKMP (0:0): vendor ID is NAT-T v7
*Mar 1 05:33:45.195: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 172.16.0.2
*Mar 1 05:33:45.195: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar 1 05:33:45.199: ISAKMP : Scanning profiles for xauth …
*Mar 1 05:33:45.199: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
*Mar 1 05:33:45.199: ISAKMP: encryption AES-CBC
*Mar 1 05:33:45.199: ISAKMP: keylength of 128
*Mar 1 05:33:45.199: ISAKMP: hash MD5
*Mar 1 05:33:45.199: ISAKMP: default group 2
*Mar 1 05:33:45.199: ISAKMP: auth pre-share
*Mar 1 05:33:45.199: ISAKMP: life type in seconds
*Mar 1 05:33:45.199: ISAKMP: life duration (VPI) of 0x0 0x1 0x51

….

R1#show crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Serial0/0 172.16.0.1 set HMAC_MD5+AES_CBC 0 0
2001 Serial0/0 172.16.0.1 set AES+MD5 0 4
2002 Serial0/0 172.16.0.1 set AES+MD5 4 0

R1#show crypto session
Crypto session current status

Interface: Serial0/0
Session status: UP-ACTIVE
Peer: 172.16.0.2 port 500
IKE SA: local 172.16.0.1/500 remote 172.16.0.2/500 Active
IPSEC FLOW: permit ip 1.1.1.0/255.255.255.0 2.2.2.0/255.255.255.0
Active SAs: 2, origin: crypto map

R1#show crypto isakmp sa
dst             src             state          conn-id slot status
172.16.0.2      172.16.0.1      QM_IDLE              1    0 ACTIVE

R1#show crypto ipsec sa

interface: Serial0/0
Crypto map tag: MAP1, local addr 172.16.0.1

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
current_peer 172.16.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.16.0.1, remote crypto endpt.: 172.16.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0xA7B6A9AC(2813766060)

inbound esp sas:
spi: 0xF84A1B75(4165606261)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: MAP1
sa timing: remaining key lifetime (k/sec): (4449054/1657)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xA7B6A9AC(2813766060)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: MAP1
sa timing: remaining key lifetime (k/sec): (4449054/1652)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
R1#

R1#show crypto map
Crypto Map “MAP1” 10 ipsec-isakmp
Peer = 172.16.0.2
Extended IP access list 101
access-list 101 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
Current peer: 172.16.0.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
SET,
}
Interfaces using crypto map MAP1:
Serial0/0

R1#

R1#show crypto ipsec transform-set
Transform set SET: { esp-aes esp-md5-hmac }
will negotiate = { Tunnel, },
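The `show crypto ipsec sa` output above is the one that really tells you whether traffic went through the tunnel, but it is long. As an added example (not from the original post and not a Cisco tool), the script below reduces it to the facts a practitioner checks after the extended ping: an ACTIVE ESP SA in each direction, tunnel mode and replay detection on both, non-zero encaps and decaps counters, and the send-error counter. `SAMPLE` is the R1 output shown above, trimmed to the lines the parser needs; the one send error it reports matches the 4/5 ping result, since the first echo is dropped while the SAs are being negotiated.

```python
# Added example (not from the original post): parse "show crypto ipsec sa"
# and reduce it to the facts that confirm the tunnel is protecting traffic.
import re

# Copied from the R1 output in the post, trimmed to the lines used here.
SAMPLE = """\
interface: Serial0/0
Crypto map tag: MAP1, local addr 172.16.0.1
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
current_peer 172.16.0.2 port 500
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors 1, #recv errors 0
current outbound spi: 0xA7B6A9AC(2813766060)
inbound esp sas:
spi: 0xF84A1B75(4165606261)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
sa timing: remaining key lifetime (k/sec): (4449054/1657)
replay detection support: Y
Status: ACTIVE
outbound esp sas:
spi: 0xA7B6A9AC(2813766060)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
sa timing: remaining key lifetime (k/sec): (4449054/1652)
replay detection support: Y
Status: ACTIVE
"""


def parse_ipsec_sa(text):
    """Packet counters plus one record per ESP SA direction ('inbound'/'outbound')."""
    counters = {k: int(v) for k, v in
                re.findall(r"#(pkts encaps|pkts decaps|send errors|recv errors):? (\d+)", text)}
    sas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"(inbound|outbound) esp sas:", line):
            current = sas.setdefault(m[1], {})   # start of a new SA block
        elif current is None:
            continue                             # still in the header part
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            current["spi"] = m[1]
        elif m := re.match(r"transform: (.+?) ,", line):
            current["transform"] = m[1]
        elif m := re.match(r"in use settings =\{(\w+)", line):
            current["mode"] = m[1]
        elif m := re.match(r"sa timing: remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", line):
            current["kb_left"], current["sec_left"] = int(m[1]), int(m[2])
        elif m := re.match(r"replay detection support: (\w)", line):
            current["replay"] = m[1] == "Y"
        elif m := re.match(r"Status: (\w+)", line):
            current["status"] = m[1]
    peer = re.search(r"current_peer (\S+)", text)
    return {"peer": peer[1] if peer else None, "counters": counters, "sas": sas}


def tunnel_health(parsed):
    """What to look at after the ping: active SAs both ways and traffic both ways."""
    c, sas = parsed["counters"], parsed["sas"]
    findings = []
    for direction in ("inbound", "outbound"):
        sa = sas.get(direction)
        if not sa or sa.get("status") != "ACTIVE":
            findings.append(f"no active {direction} ESP SA")
        elif sa.get("mode") != "Tunnel" or not sa.get("replay"):
            findings.append(f"{direction} SA: unexpected mode or replay detection off")
    if c.get("pkts encaps", 0) == 0 or c.get("pkts decaps", 0) == 0:
        findings.append("tunnel is up but carries no traffic in one direction")
    if c.get("send errors", 0):
        findings.append(f"{c['send errors']} send error(s): packets dropped while SAs were negotiated")
    ok = not any("no active" in f or "no traffic" in f for f in findings)
    return {"ok": ok, "findings": findings}
```

On the lab output the result is `ok: True` with a single informational finding about the one send error; zero the `#pkts decaps` counter in the sample and the verdict flips, which is the classic symptom of a tunnel that is up but only passing traffic one way (typically a routing or crypto ACL problem on the far side).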

Here is a wonderful explanation of all this in Spanish:

link by Eugenio Duarte

Another link, this one in English, where it is also explained very well:
Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers

And other links of interest:

VPN tunnel configurations from Cisco's official site.
