
Lab 14.6.6 Configure a Secure VPN Gateway Using IPSec between Two PIX Firewalls

Estimated Time: 45 minutes
Number of Team Members: Two teams with four students per team

Objective

In this lab exercise, students will complete the following tasks:

• Prepare to configure VPN support.
• Configure IKE parameters.
• Configure IPSec parameters.
• Test and verify IPSec configuration.

Scenario

In this lab, students will configure two Cisco Secure PIX Firewalls to run a virtual private network (VPN) tunnel from PIX to PIX over the network using IP Security (IPSec). IPSec is a combination of open standards that provides data confidentiality, data integrity, and data origin authentication between IPSec peers.

IPSec negotiation can be broken down into five steps, including two Internet Key Exchange (IKE) phases.

An IPSec tunnel is initiated by interesting traffic. Traffic is considered interesting when it is traveling between the IPSec peers.

In IKE Phase 1, the IPSec peers negotiate the established IKE Security Association (SA) policy. Once the peers are authenticated, a secure tunnel is created using Internet Security Association and Key Management Protocol (ISAKMP).

In IKE Phase 2, the IPSec peers use the authenticated and secure tunnel to negotiate IPSec SA transforms. The negotiation of the shared policy determines how the IPSec tunnel will be established.

The IPSec tunnel is created and data is transferred between the IPSec peers based on the IPSec parameters configured in the IPSec transform sets.

The IPSec tunnel terminates when the IPSec SAs are deleted or when their lifetime expires.

Note: IPSec negotiation between the two PIXs will fail if the SAs on both of the IKE phases do not match on the peers.

1 - 11 Fundamentals of Network Security v 1.0 - Lab 14.6.6 Copyright © 2003, Cisco Systems, Inc.


access-list ACLIN permit tcp any object-group ALLSERVERS eq www
access-list ACLIN permit tcp any host 192.168.P.11 eq www (hitcnt=0)
access-list ACLIN permit tcp any host 192.168.P.10 eq www (hitcnt=2)
access-list ACLIN permit tcp any host 192.168.P.6 eq www (hitcnt=0)
access-list ACLIN permit tcp any host 192.168.P.7 eq www (hitcnt=0)
access-list ACLIN permit icmp any any object-group PING
access-list ACLIN permit icmp any any echo (hitcnt=12)
access-list ACLIN permit icmp any any echo-reply (hitcnt=4)
access-list ACLIN permit icmp any any unreachable (hitcnt=0)
access-list ACLIN deny ip any any (hitcnt=3)
access-list ACLDMZ; 3 elements
access-list ACLDMZ permit icmp any any object-group PING
access-list ACLDMZ permit icmp any any echo (hitcnt=0)
access-list ACLDMZ permit icmp any any echo-reply (hitcnt=8)
access-list ACLDMZ permit icmp any any unreachable (hitcnt=0)
access-list 101; 1 elements
access-list 101 permit ip host 192.168.P.10 host 192.168.Q.10 (hitcnt=0)
(where P = pod number, and Q = peer pod number)

c. Configure an IPSec transform set (IKE phase two parameters) to use ESP and DES. Use a transform-set-name of pixQ.

PixP(config)# crypto ipsec transform-set pixQ esp-des
(where Q = peer pod number)

1. What are some other IPSec security protocol combinations that can be used?
_____________________________________________________________________________

d. Create a crypto map by completing the following sub-steps:

i. Create a crypto map entry. Use a map-name of peerQ.

PixP(config)# crypto map peerQ 10 ipsec-isakmp
(where Q = peer pod number)

ii. Look at the crypto map and observe the defaults:

PixP(config)# show crypto map
Crypto Map "peerQ" 10 ipsec-isakmp
        No matching address list set.
        Current peer: 0.0.0.0
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ }


iii. Assign the ACL to the crypto map:

PixP(config)# crypto map peerQ 10 match address 101
(where Q = peer pod number)

iv. Define the peer. The peer IP address should be set to the peer's outside interface IP address:

PixP(config)# crypto map peerQ 10 set peer 192.168.Q.2
(where Q = peer pod number)

v. Specify the transform set used to reach the peer. Use the transform set name configured in sub-step 2.

PixP(config)# crypto map peerQ 10 set transform-set pixQ
(where Q = peer pod number)

vi. Apply the crypto map set to the outside interface:

PixP(config)# crypto map peerQ interface outside
(where Q = peer pod number)

Step 4 Test and Verify VPN Configuration

Complete the following steps to test and verify VPN configuration:

a. Verify the IKE policy. Note the default values.

PixP(config)# show isakmp
isakmp enable outside
isakmp key ******** address 192.168.Q.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
(where Q = peer pod number)

b. Examine the IKE policies in the PIX Firewall:

PixP(config)# show isakmp policy
Protection suite of priority 10
        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 86400 seconds, no volume limit
Default protection suite
        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
        hash algorithm: Secure Hash Standard
        authentication method: Rivest-Shamir-Adleman Signature


        Diffie-Hellman group: #1 (768 bit)
        lifetime: 86400 seconds, no volume limit

c. Verify the crypto ACL:

PixP(config)# show access-list 101
access-list 101; 1 elements
access-list 101 permit ip host 192.168.P.10 host 192.168.Q.10 (hitcnt=0)
(where P = pod number, and Q = peer pod number)

d. Verify that the IPSec parameters (IKE phase two) are correct:

PixP(config)# show crypto ipsec transform-set
Transform set pixQ: { esp-des }
   will negotiate = { Tunnel, },
(where Q = peer pod number)

e. Verify that the crypto map configuration is correct:

PixP(config)# show crypto map
Crypto Map: "peerQ" interfaces: { outside }
Crypto Map "peerQ" 10 ipsec-isakmp
        Peer = 192.168.Q.2
        access-list 101; 1 elements
        access-list 101 permit ip host 192.168.P.10 host 192.168.Q.10 (hitcnt=0)
        Current peer: 192.168.Q.2
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ pixQ, }
(where P = pod number, and Q = peer pod number)

f. Turn on debugging for IPSec and ISAKMP:

PixP(config)# debug crypto ipsec
PixP(config)# debug crypto isakmp

g. Clear the IPSec SA by using the following command:

PixP(config)# clear crypto ipsec sa

h. Initiate a web session from the student PC to the peer pod's student PC. Observe the debug output and verify that the web session was established. The debug should state the following status indicating that IPSec was successful:

return status is IKMP_NO_ERROR

i. Ensure that traffic between peers is being encrypted by completing the following sub-steps:

i. Examine the IPSec SAs. Note the number of packets encrypted and decrypted.

PixP(config)# show crypto ipsec sa
interface: outside
    Crypto map tag: peerQ, local addr. 192.168.P.2


   local ident (addr/mask/prot/port): (192.168.P.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.Q.10/255.255.255.255/0/0)
   current_peer: 192.168.Q.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 11, #pkts encrypt: 11, #pkts digest 0
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 7, #recv errors 0
     local crypto endpt.: 192.168.P.2, remote crypto endpt.: 192.168.Q.2
     path mtu 1500, ipsec overhead 44, media mtu 1500
     current outbound spi: be1be99e
     inbound esp sas:
      spi: 0x839aa69(137996905)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: peer1
        sa timing: remaining key lifetime (k/sec): (4607999/28604)
        IV size: 8 bytes
        replay detection support: N
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xbe1be99e(3189500318)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: peer1
        sa timing: remaining key lifetime (k/sec): (4607998/28595)
        IV size: 8 bytes
        replay detection support: N
     outbound ah sas:
     outbound pcp sas:
(where P = pod number, and Q = peer pod number)

ii. Generate additional traffic by clicking the Reload button of the web browser.

iii. Examine the IPSec SAs again. Note that the packet counters have increased incrementally.

PixP(config)# show crypto ipsec sa
interface: outside


    Crypto map tag: peerQ, local addr. 192.168.P.2
   local ident (addr/mask/prot/port): (192.168.P.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.Q.10/255.255.255.255/0/0)
   current_peer: 192.168.Q.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 35, #pkts encrypt: 35, #pkts digest 0
    #pkts decaps: 20, #pkts decrypt: 20, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 7, #recv errors 0
     local crypto endpt.: 192.168.P.2, remote crypto endpt.: 192.168.Q.2
     path mtu 1500, ipsec overhead 44, media mtu 1500
     current outbound spi: be1be99e
     inbound esp sas:
      spi: 0x839aa69(137996905)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: peerQ
        sa timing: remaining key lifetime (k/sec): (4607996/28469)
        IV size: 8 bytes
        replay detection support: N
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xbe1be99e(3189500318)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: peer1
        sa timing: remaining key lifetime (k/sec): (4607993/28460)
        IV size: 8 bytes
        replay detection support: N
     outbound ah sas:
     outbound pcp sas:
(where P = pod number, and Q = peer pod number)

j. Clear the IPSec SAs with the clear crypto sa command:

PixP(config)# clear crypto sa
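As an added example, not part of the lab: a small Python script that does sub-steps i to iii programmatically. It parses a constructed, abbreviated copy of the show crypto ipsec sa output above (pod numbers P=1 and Q=2 are assumed), checks that the encaps and decaps counters both grew after the reload, and flags the lab's minimal defaults (esp-des, no ESP authentication transform, replay detection off) that a production configuration would change.

```python
import re

# Constructed sample: an abbreviated `show crypto ipsec sa` block in the layout the lab's
# PIX prints, with P=1, Q=2 filled in; values are those of the lab's first snapshot (sub-step i).
SA_BEFORE = """\
interface: outside
    Crypto map tag: peer2, local addr. 192.168.1.2
   #pkts encaps: 11, #pkts encrypt: 11, #pkts digest 0
   #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 0
   #send errors 7, #recv errors 0
     inbound esp sas:
      spi: 0x839aa69(137996905)
        transform: esp-des ,
        replay detection support: N
     outbound esp sas:
      spi: 0xbe1be99e(3189500318)
        transform: esp-des ,
        replay detection support: N
"""
# Same SA after the browser reload of sub-step iii (counters from the lab's second snapshot).
SA_AFTER = (SA_BEFORE.replace("encaps: 11, #pkts encrypt: 11", "encaps: 35, #pkts encrypt: 35")
                     .replace("decaps: 6, #pkts decrypt: 6", "decaps: 20, #pkts decrypt: 20"))

def parse_sa(text):
    """Extract the fields a verifier cares about from one `show crypto ipsec sa` block."""
    def num(label):  # matches both "#pkts encaps: 11" and "#pkts digest 0"
        return int(re.search(re.escape(label) + r":?\s*(\d+)", text).group(1))
    return {
        "encaps": num("#pkts encaps"), "decaps": num("#pkts decaps"),
        "digest": num("#pkts digest"), "verify": num("#pkts verify"),
        "send_errors": num("#send errors"),
        # each SA prints "transform: esp-des ,"; several transform names may precede the comma
        "transforms": {w for line in re.findall(r"transform:\s*([^,\n]+)", text) for w in line.split()},
        "replay": re.findall(r"replay detection support:\s*(\w)", text),
    }

def counters_advanced(before, after):
    """Sub-step iii: traffic really traverses the tunnel only if both directions' counters grow."""
    return after["encaps"] > before["encaps"] and after["decaps"] > before["decaps"]

def audit_sa(sa):
    """Flag the weak lab defaults a reviewer would want changed before production use."""
    checks = [
        ("esp-des" in sa["transforms"], "esp-des: 56-bit DES encryption; prefer an AES transform"),
        (not any(t.endswith("-hmac") for t in sa["transforms"]),
         "no ESP authentication transform: packets are not integrity-protected (digest/verify stay 0)"),
        ("N" in sa["replay"], "replay detection support: N on at least one SA"),
        (sa["send_errors"] > 0, f"{sa['send_errors']} send errors: confirm they occurred only while IKE negotiated"),
    ]
    return [msg for failed, msg in checks if failed]
```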


k. Remove all isakmp command statements from the configuration with the clear isakmp command:

PixP(config)# clear isakmp

l. Remove all parameters entered through the crypto map command with the clear crypto map command:

PixP(config)# clear crypto map

m. Remove the sysopt command statements from the configuration with the clear sysopt command:

PixP(config)# clear sysopt

n. Remove ACL 101 from the configuration:

PixP(config)# clear access-list 101
