Implementing IPsec on a Site-to-Site VPN Using Cisco SDM
Configuring a site-to-site VPN with the SDM should be fairly straightforward, now that we have examined the fundamentals of how IPsec VPNs work and grounded the theory by configuring a site-to-site IPsec VPN with the CLI.
When using the SDM to configure a site-to-site IPsec VPN, you can either manually configure the VPN or employ the Cisco SDM VPN Wizard. We will choose the wizard and see that the wizard will give us a choice of the following:
- Quick setup. Uses pre-built settings (useful for a brand-new VPN configuration with another Cisco IOS router that is being configured with the quick setup versus the step-by-step wizard).
- Step-by-step wizard. For more granular, detailed configuration control. Let’s look at these two wizards, one at a time.
Site-to-Site VPN Wizard Using Quick Setup
To launch the Site-to-Site VPN Wizard and enter Quick Setup, complete the following steps:
- Navigate to Configure->VPN in the SDM.
- Select Site-to-Site VPN from the left navigation pane.
- Make sure that the Create Site to Site VPN tab is selected in the main navigation window.
- Check the Create a Site to Site VPN radio button, as indicated in Figure 7.9.
- Press the Launch the selected task button. The Site-to-Site VPN Wizard window appears.
- Note the choices indicated in Figure 7.10. You can choose either Quick setup or Step by step wizard. Press the Quick setup radio button; then click Next. A window appears in which you can enter some basic information about the VPN. Note that it doesn’t ask you what encryption algorithms, hashes, or DH groups you want to use.
- The VPN Connection Information window pops up, as indicated in Figure 7.11. Look at this window while referring to the reference network diagram in Figure 7.8. We know exactly what to fill in. From top to bottom:
VPN Connection Information:- Select the interface for this VPN connection: FastEthernet4.
- Select the type of peer(s) used for this VPN connection: Peer with static IP address.
- Enter the IP address of the remote peer: 172.16.32.1.
Authentication: - Pre-Shared Keys or Digital Certificates radio button: Press the
Pre-shared keys radio button. Fill in the pre-shared key in the preshared key and Re-enter key fields.
Traffic to Encrypt: - Source: Choose Vlan1 as the source interface in the drop-down list. This is the interface that the net A’ to net B’ traffic will arrive on.
- Destination: Enter 10.0.20.0 in the IP Address field and 255.255.255.0 in the Subnet Mask field. (Alternatively, you can put the number of bits (24) in the “or” field.)
- Click Finish. The Summary of the Configuration window appears. It will look something like Figure 7.12.
If you don’t like the IKE policies and IPsec transform sets that are created for you, then Quick Setup is not a good choice. Chances are good that 3DES for a cipher for both Phase I and Phase II will not match the organization’s comprehensive network security policy. Here are the parameters selected by the SDM when using Quick Setup:
IKE Policy Set (HAGLE):
H = SHA-1
A = PSK
G = DH2
L = 86,400 (default, since doesn’t appear)
E = 3DES
IPsecTransform Set:
Transport = ESP
Tunnel Mode
Encryption = 3DES
Hash = SHA-1 - If you like what you see, click on Finish to deliver the commands to the router. You might have noticed the Test VPN connectivity after configuring check box. We examine this feature when we (next) configure the VPN with the SDM Site-to-Site VPN Wizard, but choosing step-by-step this time.
Site-to-Site VPN Wizard Using Step-by-Step Setup
The five tasks of the wizard using Step-by-Step setup are as follows:
Task 1: Define Connection Settings:
- Outside interface
- Peer address
- Authentication credentials
Task 2: Define IKE Proposals:
- Priority
- Encryption algorithm
- HMAC
- Mode of operation (AM, MM)
Task 3: Define IPsec Transform Sets:
- Encryption algorithm
- HMAC
- Mode of operation (tunnel, transport)
- Compression
Task 4: Define Traffic to Protect (Crypto ACL):
- Single source and destination subnets or
- Create ACL (can use existing if already created)
Task 5: Review and Complete the Configuration
To begin the step-by-step setup of the Cisco SDM Site-to-Site VPN Wizard:
- Navigate to Configure->VPN and select Site-to-Site VPN in the list box on the left side.
- Ensure the Create Site to Site VPN tab is selected and push the Create a Site to Site VPN radio button.
- Click the Launch the selected task button. The Site-to-Site VPN Wizard window appears, as indicated in Figure 7.13.
- Push the Step by step wizard radio button and click the Next button. A window appears, prompting you to define the connection settings.
Task 1: Define Connection Settings Follow these steps to define basic connection settings:
- Fill in the information per the reference diagram in Figure 7.8. If this was the real world, you would have all this information at your fingertips as part of a well-executed security policy.
- Click Next. A window appears, as indicated in Figure 7.14, prompting you to define an IKE proposal for the site-to-site VPN.
Task 2: Define IKE Proposals
The next step is to define the IKE proposals to be used. You can use either the built-in, default proposal or create your own. Follow these steps to define the IKE proposal:
- The list of IKE proposals will have at least the SDM default (look under the Type column). Click Add and the Add IKE Policy window appears.
- Fill in the information for the IKE proposal using the HAGLE values that you have already determined. In this example, we are creating an IKE proposal with these parameters:
- Priority: 99
- Authentication: PRE_SHARE
- Encryption: AES_128
- D-H Group: group5
- Hash: SHA_1
- Lifetime: 24:00:00 (HH:MM:SS)
- Click OK when finished. The IKE proposal appears highlighted in the list of IKE proposals. Leave it selected and click Next. A window appears, as indicated in Figure 7.15, prompting you to define an IPsec transform set for the site-to-site VPN.
Task 3: Define IPsec Transform Sets
Follow these steps to define an IPsec transform set for use in the site-to-site VPN:
- The list of IPsec transform sets will have at least the SDM default (selected in the Select Transform Set drop-down list). Click Add, and the Add Transform Set window appears. Click the Show Advanced button to reveal advanced options.
- Fill in the information for the IPsec transform set. Because we have selected the advanced options, we can verify that:
- The Tunnel radio button is selected in the Mode section of the advanced options.
- The Data and address integrity without encryption (AH) box is unchecked.
- The IP Compression (COMP-LZS) box is unchecked.
We will fill in the following parameters: - Name: CantHackMe
- Data Integrity with encryption (ESP): checked
- Integrity Algorithm: ESP_SHA_HMAC
- Encryption Algorithm: ESP_AES_128
- Click OK. The transform set we just added appears highlighted in the Transform Set window. Leave it selected; then click Next. A new window appears, as indicated in Figure 7.16, prompting you to define the traffic to protect in the site-to-site VPN.
Task 4: Define Traffic to Protect (Crypto ACL)
Follow these steps to define the traffic that will be protected by the VPN. These steps create a crypto ACL:
- Fill out the IP address and subnet mask of the local and remote networks that will be protected by the site-to-site VPN. Alternatively, if you already have an ACL created or want to create an ACL for this purpose, you can press the Create/Select an access-list for IPSec traffic radio button and follow the prompts. In this example, we press the Protect all traffic between the following subnets radio button and fill out the following information:
Local Network:- IP Address: 192.168.0.0
- Subnet Mask: 255.255.255.0
Remote Network: - IP Address: 10.0.20.0
- Subnet Mask: 255.255.255.0
- Click Next. The Summary of the Configuration window appears, as indicated in Figure 7.17.
Task 5: Review and Complete the Configuration
Follow these steps to review and complete the configuration:
- We’re almost done. Review the information in the Summary of the Configuration window. Note that this VPN peer will propose two IKE policy sets: the SDM default, and the one we created earlier in the wizard. For IKE Phase II, it will propose only the IPsec transform set that we created in task 3.
- Check the Test VPN connectivity after configuring box because we will want to test the VPN when we are finished.
- Click Finish. The commands are delivered to the router.
- Click OK. Because we indicated that we wanted to test the VPN, the VPN Troubleshooting window appears, as shown in Figure 7.18. Verify under Tunnel Details at the top of this window that the interface that we are using to connect to our VPN peer appears beside the Interface section.
5. Click Start to initiate the test.
Don’t be surprised if the tunnel doesn’t come up during the test because there is no rea son for the tunnel to be constructed unless traffic is generated from the A’ to B’ networks. This is indicated in Figure 7.18, where the first step, “Checking the tunnel status…” fails. If this occurs, the SDM will prompt you to allow either the SDM or you to generate traffic to attempt to bring up the VPN. Figure 7.19 shows this dialog preceded by a warning (that we have to click through) written by Cisco’s lawyers that indicates that generating the traf fic may create router performance issues.
If the VPN fails and you have generated traffic to bring up the VPN as a troubleshooting step (see the previous note), then the VPN should come up as indicated in Figure 7.20.
For more advanced troubleshooting, Cisco recommends using the CLI commands covered in the section, “Implementing IPsec on a Site-to-Site VPN Using the CLI.” They are found in Table 7.6