To establish an Ipsec tunnel, we use a protocol called IKE (Internet Key Exchange). There are two phases to build an IPsec tunnel.
IKE PHASE 1(ISAKMP tunnel)
The IKE phase 1 is only used for management traffic
. In this phase, peers are going to negotiate all the parameters for the tunnel such as hashing(md5 or sha), authentication (PSK or Digital Certificate), DH group (the strength of the key that used in key exchange process), encrption (AES,DES,3DES) and lifetime.
The phase 1 is not used to encrypt or protect the user’s packets. To acheive this purpose, they decide to build a second tunnel. IKE phase 1 has 2 modes: main mode
and aggressive mode
which takes fewer packets and less secure.
IKE PHASE 2(IPsec tunnel)
This phase has only one mode, quick mode
. This is where we build the actual tunnel.
I will jump into details about it. R1 will use the tunnel 2 and encrypt the packet as well encapulate the encrypted data with a new IP header (source ip: R1, destination ip: R2). The Layer 4 protocol would show as being Encapsulating Security Payload (ESP). The oppsite behavior of R2, de-encapsulate and de-encrypt the original packet and forward that plaintext to the server.
These tunnel sometimes are referred as secruity agreements between two VPN peers. Many times, their name is SA. Each SA has a unique number for tracking.
IPsec negotiation steps
- ISAKMP: IKE Phase 1 between two peers. The peers negotiate established security association policy. Once the peers are authenticated, a secured tunnel is created.
- Ipsec tunnel: IKE Phase 2
Okay, lets jump into some real configurations. 1.define the traffic you wanna pass and be encrypted.
R1 or R2 access-list 100 permit ip x.x.x.0 0.0.0.255 x.x.x.0 0.0.0.255
2.ISAKMP Policy Parameters
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#auteh
R2(config-isakmp)#authe
R2(config-isakmp)#authentication pre
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#hash md5
You can also just take the default setting. show crypto iskamp policy
Here, you also need to point out the pre-share key crypto isakmp key mm address 209.165.200.225
3.Configure transform set: combinations of hash and encryption algorithms for users traffic.
R1(config)#crypto ipsec transform-set myset(name) esp-des esp-md5-hmac
4.Crypto Map: What to protect(traffic), How to protect (transform set) and Where to send (peer).
R2(config)#crypto map mymap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R2(config-crypto-map)#set peer 209.165.200.225
R2(config-crypto-map)#set tran
R2(config-crypto-map)#set transform-set myset
R2(config-crypto-map)#match address 100
R2(config-crypto-map)#int f0/0
R2(config-if)#crypto map mymap
When I finished all the configurations, I did clear crypto sa
,debug crypto isakmp
,debug crypto ipsec
. After all this, ping the peer I set and you can how isakmp Phase 1 and Phase 2 build.
Besides, you can also use sh crypto isakmp sa
to see the Phase 1 and ‘sh crypto ipsec sa` to verify Phase 2.
Thats all you need to know about Ipsec vpn, if you want to see the advanced version, click here. ORyou can check CISCO official site