IKE (Internet Key Exchange) Phase 1
The main reason for IKE phase 1 is to establish a secure channel for IKE phase 2 or IPsec.
Let's understand Phase 1 in steps.
Step 1: Negotiation
The first step is negotiation between the future neighbors or peers. The peer that has traffic it wants to protect initiates the IKE phase 1 negotiation. The peers negotiate the following:
- Hashing: the hashing algorithm used to verify integrity, MD5 or SHA.
- Authentication: each peer has to prove its identity to the other, using pre-shared keys or digital certificates.
- DH (Diffie-Hellman) group: the DH group determines how strong the key is and is used in the key exchange process. A higher group number is more secure but takes longer to compute.
- Lifetime: how long the IKE phase 1 tunnel stays up. A shorter lifetime is more secure, because rebuilding the tunnel also means using new keying material. Each vendor uses a different default lifetime; a common default value is 86400 seconds (1 day).
- Encryption: the algorithm used for encryption, DES, 3DES, or AES.
Step 2: DH Key Exchange
Step 3: Authentication
In this step, both peers authenticate each other using the authentication method they agreed on during negotiation. Once authentication succeeds, both peers can send and receive on this tunnel (the tunnel is complete).
The three steps above can be completed using two different modes:
- Main mode
- Aggressive mode
IKE Phase 2
The IPsec tunnel, or IKE phase 2, is used to protect user data. In IKE phase 2 there is only one mode for building the IPsec tunnel, called Quick mode.
Just as in IKE phase 1, the IKE phase 2 (IPsec) peers negotiate the following:
- IPsec Protocol: AH or ESP
- Encapsulation Mode: transport or tunnel mode.
- Encryption: which encryption algorithm, DES, 3DES, or AES.
- Authentication: which authentication algorithm, MD5 or SHA.
- Lifetime: how long is the IKE phase 2 tunnel valid? When the tunnel is about to expire, we will refresh the keying material.
- (Optional) DH exchange: used for PFS (Perfect Forward Secrecy).
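As an added example that is not part of the original post, the following Python model shows how the phase 1 attributes listed under Step 1 and the phase 2 attributes listed just above are matched between an initiator and a responder. The first-match-by-priority rule for ISAKMP policies and the PFS handling follow the documented Cisco IOS behaviour; the class names, field names and sample policies are constructed for this example, and the samples use DH group 5 (the 1536-bit MODP group). It also reports which negotiated parameters a defender would consider weak today, without changing what the negotiation itself selects.

```python
from dataclasses import dataclass
from typing import Optional

# Defender's view of the algorithms the text lists: these only raise a warning,
# they never change what the negotiation would select.
WEAK = {"des", "3des", "md5", "group1", "group2"}


@dataclass(frozen=True)
class Phase1Policy:
    priority: int          # "crypto isakmp policy N": lower N is tried first
    encryption: str        # des | 3des | aes128 | aes256
    hash_alg: str          # md5 | sha
    authentication: str    # pre-share | rsa-sig
    group: int             # DH group number
    lifetime: int          # seconds

    def matches(self, other: "Phase1Policy") -> bool:
        # Lifetime is deliberately left out: it need not be equal, the
        # shorter of the two values is used (see negotiate_phase1).
        return (self.encryption, self.hash_alg, self.authentication, self.group) == \
               (other.encryption, other.hash_alg, other.authentication, other.group)


def weak_parameters(p: Phase1Policy) -> list:
    """Parameters of a phase 1 policy that are considered weak today."""
    return [v for v in (p.encryption, p.hash_alg, f"group{p.group}") if v in WEAK]


def negotiate_phase1(initiator, responder):
    """The initiator offers all of its policies; the responder walks its own
    policies in priority order and takes the first one that any offer matches.
    Returns (responder policy, agreed lifetime) or None on mismatch."""
    offers = sorted(initiator, key=lambda p: p.priority)
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in offers:
            if mine.matches(theirs):
                return mine, min(mine.lifetime, theirs.lifetime)
    return None


@dataclass(frozen=True)
class Phase2Proposal:
    protocol: str                    # ah | esp
    mode: str                        # transport | tunnel
    encryption: Optional[str]        # None for AH
    auth: str                        # hmac-md5 | hmac-sha
    lifetime: int                    # seconds
    pfs_group: Optional[int] = None  # DH group for PFS, None = no PFS


def negotiate_phase2(initiator, responder):
    """Quick mode: the first initiator proposal the responder also has wins.
    PFS rule modelled on IOS: a responder that requires PFS rejects an offer
    without that group; a responder without PFS accepts an offered group.
    Returns (responder proposal, agreed PFS group, agreed lifetime) or None."""
    for theirs in initiator:
        for mine in responder:
            same = (theirs.protocol, theirs.mode, theirs.encryption, theirs.auth) == \
                   (mine.protocol, mine.mode, mine.encryption, mine.auth)
            if not same:
                continue
            if mine.pfs_group is not None and theirs.pfs_group != mine.pfs_group:
                continue
            return mine, theirs.pfs_group, min(mine.lifetime, theirs.lifetime)
    return None


# Constructed sample policies (not the post's configuration).
R1_P1 = [Phase1Policy(10, "aes256", "sha", "pre-share", 5, 3600),
         Phase1Policy(20, "3des", "md5", "pre-share", 2, 86400)]   # weak fallback
R2_P1 = [Phase1Policy(10, "aes256", "sha", "pre-share", 5, 86400)]
R1_P2 = [Phase2Proposal("esp", "tunnel", "aes256", "hmac-sha", 3600)]
R2_P2_PFS = [Phase2Proposal("esp", "tunnel", "aes256", "hmac-sha", 3600, pfs_group=5)]

if __name__ == "__main__":
    print("phase 1:", negotiate_phase1(R1_P1, R2_P1))
    print("weak fallback:", weak_parameters(R1_P1[1]))
    print("phase 2, responder requires PFS:", negotiate_phase2(R1_P2, R2_P2_PFS))
    print("phase 2, initiator offers PFS:", negotiate_phase2(R2_P2_PFS, R1_P2))
```

The second phase 1 policy on R1 is the kind of leftover fallback that an audit should flag: it is never selected while policy 10 matches, but it would be accepted by any peer that only offers 3DES/MD5/group 2.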
IPsec Protocols
AH and ESP are the two protocols used to protect user data. Both can be used in transport or tunnel mode; let's see all the possible options.
Authentication Header Protocol
AH offers authentication and integrity, which is good, but it doesn't provide any encryption. AH protects the IP packet by calculating a hash value over almost all fields in the IP header. The fields it excludes are the ones that can change in transit (TTL and header checksum).
Transport Mode
Transport mode is very simple: it just adds an AH header right after the IP header. Here's an example of an IP packet that carries some TCP traffic:
Tunnel Mode
In tunnel mode, we add a new IP header on top of the original IP packet. This is useful when you are using private IP addresses and need to tunnel your traffic over the Internet. AH can be used in tunnel mode as well, but it still doesn't provide encryption.
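To make the AH description concrete, here is an added Python example (not from the original post) that builds an AH packet in transport and in tunnel mode, computes the ICV with HMAC-SHA1-96 over the immutable IP header fields, and shows that a TTL decrement by a router on the path does not break verification while a rewritten destination address does. The key, addresses and TCP segment are constructed, and the function names are this example's own. It zeroes the mutable fields RFC 4302 lists (DSCP/ECN, flags, fragment offset, TTL, checksum), a slightly longer list than the two fields named above.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51          # IP protocol number of the Authentication Header
ICV_LEN = 12           # HMAC-SHA1-96 truncates the MAC to 96 bits (RFC 2404)
AH_LEN = 12 + ICV_LEN  # fixed AH fields plus the ICV


def checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header with no options and a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Copy of the header with every field a router may rewrite set to zero."""
    h = bytearray(ip_hdr)
    h[1] = 0              # DSCP / ECN
    h[6:8] = b"\0\0"      # flags + fragment offset
    h[8] = 0              # TTL
    h[10:12] = b"\0\0"    # header checksum
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over the immutable IP fields, the AH header (ICV zeroed) and the payload."""
    covered = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport(key, src, dst, next_hdr, payload, spi, seq, ttl=64) -> bytes:
    """IP | AH | payload: the AH header is inserted right after the IP header."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(payload), ttl)
    # next header, payload length in 32-bit words minus 2, reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_tunnel(key, outer_src, outer_dst, inner_packet, spi, seq) -> bytes:
    """Outer IP | AH | original IP packet: next header 4 means IP-in-IP."""
    return ah_transport(key, outer_src, outer_dst, 4, inner_packet, spi, seq)


def verify_ah(key: bytes, packet: bytes) -> bool:
    """Recompute the ICV at the receiver and compare it in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != AH_PROTO:
        return False
    ah_fixed, icv, payload = rest[:12], rest[12:AH_LEN], rest[AH_LEN:]
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah_fixed, payload), icv)


def rewrite_header(packet: bytes, ttl=None, dst=None) -> bytes:
    """Simulate a hop (TTL change) or an in-path rewrite of the destination,
    fixing the IP checksum the way a router would."""
    h = bytearray(packet)
    if ttl is not None:
        h[8] = ttl
    if dst is not None:
        h[16:20] = ipaddress.ip_address(dst).packed
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", checksum(bytes(h[:20])))
    return bytes(h)


# Constructed sample: a 20-byte TCP SYN header (port 80 -> 8080) with no data.
KEY = b"constructed-demo-key"
TCP = struct.pack("!HHIIBBHHH", 80, 8080, 1, 0, 0x50, 0x02, 65535, 0, 0)


def demo() -> dict:
    transport = ah_transport(KEY, "192.168.10.1", "192.168.30.1", 6, TCP, spi=0x1000, seq=1)
    inner = ipv4_header("192.168.10.1", "192.168.30.1", 6, 20 + len(TCP)) + TCP
    tunnel = ah_tunnel(KEY, "1.1.1.1", "2.2.2.2", inner, spi=0x1001, seq=1)
    return {
        "transport_ok": verify_ah(KEY, transport),
        "after_hop_ok": verify_ah(KEY, rewrite_header(transport, ttl=63)),
        "dst_rewritten_ok": verify_ah(KEY, rewrite_header(transport, dst="192.168.30.9")),
        "wrong_key_ok": verify_ah(b"other-key", transport),
        "tunnel_ok": verify_ah(KEY, tunnel),
        "tunnel_next_header": tunnel[20],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the source and destination addresses are inside the ICV, AH also fails on any NAT device between the peers; that is the practical reason ESP is preferred over the Internet even when encryption is not the goal.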
In simple words, IPsec uses three main protocols to create a security framework:
- ESP (Encapsulating Security Payload) provides encryption, authentication, and a way of carrying data.
- AH (Authentication Header) provides a framework for authentication and for carrying data.
- IKE (Internet Key Exchange) offers a framework for negotiating security parameters and establishing authenticated keys.
Let's take a look at our topology:
Goal: configure a site-to-site VPN
- configure IPsec VPN on router 1 and router 2
- enable an IKE policy on both routers
- verify the site-to-site IPsec VPN
- test the IPsec VPN
- configure the authentication type as pre-shared keys
- use AES 256 encryption, the SHA hash algorithm, and DH group 3 key exchange
- configure a lifetime of one hour
R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#interface fastethernet 0/0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#no keepalive
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R2(config-if)#interface serial 4/1
R2(config-if)#ip address 3.3.3.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#interface serial 4/2
R2(config-if)#ip address 4.4.4.1 255.0.0.0
R2(config-if)#no shutdown
R1#ping 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/92/156 ms
R3#ping 10.0.0.0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.0, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/56/60 ms
R1(config)#access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
R1(config)#access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
R1(config)#crypto isakmp enable
R2(config)#crypto isakmp enable
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#hash sha
R1(config-isakmp)#group 3
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#end
R3(config)#crypto isakmp enable
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes ?
  128  128 bit keys.
  192  192 bit keys.
  256  256 bit keys.
  <cr>
R3(config-isakmp)#encryption aes 256
R3(config-isakmp)#hash sha?
sha  sha256  sha384  sha512
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 3
R3(config-isakmp)#lifetime 3600
R3(config-isakmp)#do show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #3 (1536 bit)
        lifetime:               3600 seconds, no volume limit
R1(config)#crypto isakmp key 0 cisco123 address 2.2.2.2
R3(config-isakmp)#crypto isakmp key 0 cisco123 address 1.1.1.1
R1(config)#crypto ipsec transform-set ip_set esp-aes 256 esp-sha-hmac
R3(config)#crypto ipsec transform-set ip_set esp-aes 256 esp-sha-hmac
R3(cfg-crypto-trans)#exit
R1(config)#crypto map CRMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R1(config-crypto-map)#match address 100
R1(config-crypto-map)#set peer 2.2.2.2
R1(config-crypto-map)#set transform-set ip_set
R1(config-crypto-map)#exit
R1(config)#interface serial 4/0
R1(config-if)#crypto map CRMAP
*Jul 30 14:16:13.923: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#end
R3(config)#crypto map CRMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#set peer 1.1.1.1
R3(config-crypto-map)#set transform-set ip_set
R3(config-crypto-map)#end
R3(config)#interface serial 4/1
R3(config-if)#crypto map CRMAP
R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
   will negotiate = { Transport, },
Transform set ip_set: { esp-256-aes esp-sha-hmac }
   will negotiate = { Tunnel, },
R3(config)#do show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
   will negotiate = { Transport, },
Transform set ip_set: { esp-256-aes esp-sha-hmac }
   will negotiate = { Tunnel, },
R1#show crypto map
Crypto Map IPv4 "CRMAP" 10 ipsec-isakmp
Peer = 2.2.2.2
Extended IP access list 100
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
Current peer: 2.2.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
ip_set: { esp-256-aes esp-sha-hmac } ,
}
Interfaces using crypto map CRMAP:
Serial4/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/109/208 ms
R1#ping 192.168.30.1 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/68/88 ms
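The pings above prove reachability, but most site-to-site failures come from the two ends not mirroring each other. As an added example that is not part of the original post, the following Python script parses running-config style text for the commands used above (ISAKMP policy, pre-shared key, transform set, crypto map, crypto ACL, interface) and cross-checks the two routers: each crypto map's peer must be an interface address that carries a crypto map on the other side, an ISAKMP key must be bound to that peer, the transform sets must be identical, the crypto ACLs must be mirror images, and at least one ISAKMP policy must match. Both configuration excerpts are constructed (DH group 5 is used, and the crypto ACL uses 192.168.30.0/24, the network pinged in the verification); the parser and the check are minimal and assume one crypto map per router.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt for the first router (not the post's own).
R1_CFG = """\
interface Serial4/0
 ip address 1.1.1.1 255.0.0.0
 crypto map CRMAP
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key 0 cisco123 address 2.2.2.2
crypto ipsec transform-set ip_set esp-aes 256 esp-sha-hmac
crypto map CRMAP 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ip_set
 match address 100
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
"""
# The second router is the mirror image: swapped addresses, peer and ACL direction.
R3_CFG = (R1_CFG.replace("Serial4/0", "Serial4/1")
          .replace("key 0 cisco123 address 2.2.2.2", "key 0 cisco123 address 1.1.1.1")
          .replace("set peer 2.2.2.2", "set peer 1.1.1.1")
          .replace("ip address 1.1.1.1", "ip address 2.2.2.2")
          .replace("192.168.10.0 0.0.0.255 192.168.30.0", "192.168.30.0 0.0.0.255 192.168.10.0"))


def parse(cfg: str) -> dict:
    """Minimal line-oriented reader for the handful of commands checked here."""
    d = {"policies": {}, "keys": {}, "transforms": {}, "maps": {},
         "acls": defaultdict(list), "ifaces": {}}
    ctx = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0] != " ":                      # top-level command opens a new context
            ctx = None
            if m := re.match(r"crypto isakmp policy (\d+)$", line):
                ctx = d["policies"].setdefault(int(m[1]), {})
            elif m := re.match(r"crypto isakmp key (?:\d )?(\S+) address (\S+)", line):
                d["keys"][m[2]] = m[1]
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                d["transforms"][m[1]] = m[2]
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
                ctx = d["maps"].setdefault(m[1], {})
            elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
                d["acls"][m[1]].append(((m[2], m[3]), (m[4], m[5])))
            elif m := re.match(r"interface (\S+)", line):
                ctx = d["ifaces"].setdefault(m[1], {})
        elif ctx is not None:                  # sub-command of the open context
            parts = line.split()
            n = 2 if parts[0] in ("set", "ip", "crypto", "match") else 1
            key = " ".join(parts[:n]).replace("encryption", "encr")
            ctx[key] = " ".join(parts[n:])
    return d


def endpoints(d: dict) -> dict:
    """Interface address -> crypto map applied on that interface."""
    return {i["ip address"].split()[0]: i["crypto map"]
            for i in d["ifaces"].values() if "crypto map" in i and "ip address" in i}


P1_FIELDS = ("encr", "hash", "authentication", "group")


def check_pair(a: dict, b: dict) -> list:
    """Cross-check two parsed sides; returns findings (empty means consistent)."""
    findings = []
    if not a["maps"] or not b["maps"]:
        return ["a side has no crypto map at all"]
    for me, you, tag in ((a, b, "A"), (b, a, "B")):
        for name, cmap in me["maps"].items():
            peer = cmap.get("set peer")
            if name not in endpoints(me).values():
                findings.append(f"{tag}: crypto map {name} is not applied to any interface")
            if peer not in endpoints(you):
                findings.append(f"{tag}: peer {peer} has no crypto map on the other side")
            if peer not in me["keys"]:
                findings.append(f"{tag}: no isakmp key configured for peer {peer}")
            if cmap.get("set transform-set") not in me["transforms"]:
                findings.append(f"{tag}: transform set {cmap.get('set transform-set')} is undefined")
            if cmap.get("match address") not in me["acls"]:
                findings.append(f"{tag}: crypto ACL {cmap.get('match address')} is undefined")
    ma, mb = next(iter(a["maps"].values())), next(iter(b["maps"].values()))
    ta = a["transforms"].get(ma.get("set transform-set"))
    tb = b["transforms"].get(mb.get("set transform-set"))
    if ta != tb:
        findings.append(f"transform sets differ: {ta!r} vs {tb!r}")
    if a["keys"].get(ma.get("set peer")) != b["keys"].get(mb.get("set peer")):
        findings.append("pre-shared keys differ")
    fa = set(a["acls"].get(ma.get("match address"), []))
    fb = {(dst, src) for src, dst in b["acls"].get(mb.get("match address"), [])}
    if fa != fb:
        findings.append(f"crypto ACLs are not mirror images: {sorted(fa ^ fb)}")
    if not any(all(pa.get(f) == pb.get(f) for f in P1_FIELDS)
               for pa in a["policies"].values() for pb in b["policies"].values()):
        findings.append("no matching ISAKMP policy (encryption/hash/authentication/group)")
    return findings


if __name__ == "__main__":
    print(check_pair(parse(R1_CFG), parse(R3_CFG)) or "both sides mirror each other")
```

Run against the two constructed excerpts the check returns no findings; change the DH group or the transform set on one side and it names the mismatch, which is exactly what a stuck phase 1 or phase 2 negotiation looks like from the router's point of view.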