Configuring IOS to IOS IPSec Using AES Encryption

Document ID: 43069

Contents

Introduction
Prerequisites
  Requirements
  Components Used
  Conventions
Configure
  Configurations
Verify
Troubleshoot
  Troubleshooting Commands
Related Information

Introduction

This document provides a sample configuration for an IOS to IOS IPSec tunnel using Advanced Encryption Standard (AES) encryption.

Prerequisites

Requirements

AES encryption support was introduced in Cisco IOS 12.2(13)T.

Components Used

The information in this document is based on these software and hardware versions:

  Cisco IOS Software Release 12.3(10)
  Cisco 1721 routers

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool.

Configurations

This document uses the configurations shown here.

  Router 1721 A
  Router 1721 B

Router 1721 A

```
R1721-A#show run
Building configuration...

Current configuration : 1706 bytes
!
! Last configuration change at 00:46:32 UTC Fri Sep 10 2004
! NVRAM config last updated at 00:45:48 UTC Fri Sep 10 2004
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1721-A
!
boot-start-marker
boot-end-marker
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!--- Define the Internet Key Exchange (IKE) policy.
crypto isakmp policy 10
!--- Specify 256-bit AES as the encryption algorithm within the IKE policy.
 encr aes 256
!--- Specify that pre-shared key authentication is used.
 authentication pre-share
!--- Specify the shared secret.
crypto isakmp key cisco123 address 10.48.66.146
!
!--- Define the IPSec transform set.
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!
!--- Define the crypto map entry named "aesmap" that uses IKE to establish
!--- the security associations (SAs).
crypto map aesmap 10 ipsec-isakmp
!--- Specify the remote IPSec peer.
 set peer 10.48.66.146
!--- Specify which transform sets are allowed for this crypto map entry.
 set transform-set aesset
!--- Name the access list that determines which traffic is protected by IPSec.
 match address acl_vpn
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex A
 dsl linerate AUTO
!
interface Ethernet0
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface FastEthernet0
 ip address 10.48.66.147 255.255.254.0
 ip nat outside
 speed auto
!--- Apply the crypto map to the interface.
 crypto map aesmap
!
ip nat inside source list acl_nat interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.48.66.1
ip route 192.168.200.0 255.255.255.0 FastEthernet0
no ip http server
no ip http secure-server
!
ip access-list extended acl_nat
!--- Exclude protected traffic from being NATed.
 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
!--- Access list that defines the traffic protected by IPSec.
ip access-list extended acl_vpn
 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

R1721-A#
```

Router 1721 B

```
R1721-B#show run
Building configuration...

Current configuration : 1492 bytes
!
! Last configuration change at 14:11:41 UTC Wed Sep 8 2004
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1721-B
!
boot-start-marker
boot-end-marker
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!--- Define the IKE policy.
crypto isakmp policy 10
!--- Specify 256-bit AES as the encryption algorithm within the IKE policy.
 encr aes 256
!--- Specify that pre-shared key authentication is used.
 authentication pre-share
!--- Specify the shared secret.
crypto isakmp key cisco123 address 10.48.66.147
!
!--- Define the IPSec transform set.
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!
!--- Define the crypto map entry named "aesmap" that uses IKE to establish the SA.
crypto map aesmap 10 ipsec-isakmp
!--- Specify the remote IPSec peer.
 set peer 10.48.66.147
!--- Specify which transform sets are allowed for this crypto map entry.
 set transform-set aesset
!--- Name the access list that determines which traffic is protected by IPSec.
 match address acl_vpn
!
interface Ethernet0
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface FastEthernet0
 ip address 10.48.66.146 255.255.254.0
 ip nat outside
 speed auto
!--- Apply the crypto map to the interface.
 crypto map aesmap
!
ip nat inside source list acl_nat interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.48.66.1
ip route 192.168.100.0 255.255.255.0 FastEthernet0
no ip http server
no ip http secure-server
!
ip access-list extended acl_nat
!--- Exclude protected traffic from being NATed.
 deny   ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 any
!--- Access list that defines the traffic protected by IPSec.
ip access-list extended acl_vpn
 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
end

R1721-B#
```

Verify

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool, which allows you to view an analysis of show command output.

show crypto isakmp sa - Displays the state of the Internet Security Association and Key Management Protocol (ISAKMP) SA.

Router 1721 A

```
R1721-A#show crypto isakmp sa
dst             src             state          conn-id slot
10.48.66.147    10.48.66.146    QM_IDLE              1    0
```

Router 1721 B

```
R1721-B#show crypto isakmp sa
dst             src             state          conn-id slot
10.48.66.147    10.48.66.146    QM_IDLE              1    0
```

show crypto ipsec sa - Displays the statistics on the active tunnels.

Router 1721 A

```
R1721-A#show crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: aesmap, local addr. 10.48.66.147

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   current_peer: 10.48.66.146:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 30, #pkts encrypt: 30, #pkts digest 30
    #pkts decaps: 30, #pkts decrypt: 30, #pkts verify 30
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.48.66.147, remote crypto endpt.: 10.48.66.146
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 2EB0BA1A

     inbound esp sas:
      spi: 0xFECA28BC(4274661564)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: aesmap
        sa timing: remaining key lifetime (k/sec): (4554237/2895)
        IV size: 16 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2EB0BA1A(783333914)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: aesmap
        sa timing: remaining key lifetime (k/sec): (4554237/2894)
        IV size: 16 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
R1721-A#
```

Router 1721 B

```
R1721-B#show crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: aesmap, local addr. 10.48.66.146

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   current_peer: 10.48.66.147:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 30, #pkts encrypt: 30, #pkts digest 30
    #pkts decaps: 30, #pkts decrypt: 30, #pkts verify 30
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 10.48.66.146, remote crypto endpt.: 10.48.66.147
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: FECA28BC

     inbound esp sas:
      spi: 0x2EB0BA1A(783333914)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: aesmap
        sa timing: remaining key lifetime (k/sec): (4583188/2762)
        IV size: 16 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFECA28BC(4274661564)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: aesmap
        sa timing: remaining key lifetime (k/sec): (4583188/2761)
        IV size: 16 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
R1721-B#
```

show crypto engine connections active - Displays the total encrypts/decrypts per SA.

Router 1721 A

```
R1721-A#show crypto engine connections active

  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0   10.48.66.147    set    HMAC_SHA+AES_256_C        0        0
2000 FastEthernet0   10.48.66.147    set    HMAC_SHA+AES_256_C        0       30
2001 FastEthernet0   10.48.66.147    set    HMAC_SHA+AES_256_C       30        0
```

Router 1721 B

```
R1721-B#show crypto engine connections active

  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0   10.48.66.146    set    HMAC_SHA+AES_256_C        0        0
2000 FastEthernet0   10.48.66.146    set    HMAC_SHA+AES_256_C        0       30
2001 FastEthernet0   10.48.66.146    set    HMAC_SHA+AES_256_C       30        0
```

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

Note: Before issuing debug commands, please see Important Information on Debug Commands.

debug crypto ipsec - Displays IPSec events.
debug crypto isakmp - Displays messages about IKE events.
debug crypto engine - Displays information from the crypto engine.

Additional information on troubleshooting IPSec can be found at IP Security Troubleshooting - Understanding and Using debug Commands.

Related Information

Cisco IOS Software Releases 12.2T
Advanced Encryption Standard (AES)
Configuring IPSec Network Security
IPSec Support Page
Technical Support - Cisco Systems
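The two configurations above depend on two things being exactly right: the crypto ACLs on the two routers must be mirror images (otherwise the phase 2 proxy identities do not match), and acl_nat must deny the protected traffic before its overload permit (otherwise PAT rewrites the source address and the packet never matches acl_vpn). The following script is an added example written for this page, not part of the Cisco document; it parses constructed excerpts of the two running configs (only the ACL lines) and reports either mistake. The function and variable names (parse_acls, audit, ROUTER_A, ROUTER_B) are the example's own.

```python
import ipaddress

# Constructed excerpts of the two running configs above, reduced to the ACL lines.
ROUTER_A = """ip access-list extended acl_nat
 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended acl_vpn
 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
"""
ROUTER_B = """ip access-list extended acl_nat
 deny   ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 any
ip access-list extended acl_vpn
 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
"""

def _take(tokens):
    """Pop one address spec ('any' or 'addr wildcard') off an ACE token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for extended ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(t[3], [])
        elif current is not None and len(t) >= 4 and t[0] in ("permit", "deny") and t[1] == "ip":
            src, rest = _take(t[2:])
            current.append((t[0], src, _take(rest)[0]))
        elif t and not line.startswith(" "):
            current = None          # any other top-level command ends the ACL
    return acls

def audit(local_cfg, remote_cfg, crypto_acl="acl_vpn", nat_acl="acl_nat"):
    """Return a list of findings for local_cfg; an empty list means both checks pass."""
    findings, la, ra = [], parse_acls(local_cfg), parse_acls(remote_cfg)
    protected = sorted((str(s), str(d)) for a, s, d in la[crypto_acl] if a == "permit")
    # 1. The peer's crypto ACL must be the exact mirror of ours (swap src and dst).
    if protected != sorted((str(d), str(s)) for a, s, d in ra[crypto_acl] if a == "permit"):
        findings.append("crypto ACLs are not mirror images")
    # 2. Each protected flow must hit a deny in the NAT ACL before any permit
    #    that overlaps it; first match wins, as in IOS.
    for s, d in ((s, d) for a, s, d in la[crypto_acl] if a == "permit"):
        for action, ns, nd in la[nat_acl]:
            if action == "deny" and s.subnet_of(ns) and d.subnet_of(nd):
                break
            if action == "permit" and s.overlaps(ns) and d.overlaps(nd):
                findings.append(f"{s} -> {d} is translated before the crypto map sees it")
                break
    return findings
```

Run audit(ROUTER_A, ROUTER_B) and audit(ROUTER_B, ROUTER_A) against the real running configs after replacing the excerpts; deleting the deny line from acl_nat reproduces the classic "tunnel comes up but no traffic is encrypted" symptom as a finding.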

Updated: Feb 02, 2006
Document ID: 43069