· Tunneling makes it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users. Each secure connection is called a tunnel.
· The security appliance uses the ISAKMP and IPsec tunneling standards to build and manage tunnels.
· The security appliance functions as a bidirectional tunnel endpoint. It can receive plain packets from the DeFi Crypto private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination.
· It can also receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network.
· IPsec provides authentication and encryption services to prevent unauthorized viewing or modification of data within your network or as it travels over an unprotected network, such as the public Internet.
· Two types of connections supported by IPSEC: LAN to LAN vpn, CLIENT to LAN vpn.
· During tunnel establishment, the two peers negotiate security associations that govern authentication, encryption, encapsulation, and key management.
· These negotiations involve two phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within the tunnel (the IPsec SA).
· A LAN-to-LAN VPN connects networks in different geographic locations. In IPsec LAN-to-LAN connections, the security appliance can function as initiator or responder.
· In IPsec client-to-LAN connections, the security appliance functions only as responder.
· Initiator (Router or client) propose SAs (Router); responders accept, reject, or make counter-proposals-all in accordance with configured SA parameters. To establish a connection, both entities must agree on the SAs.( Security associations)
· Our first task is specifying an Internet Key Exchange (IKE) policy.
· IKE relies on ISAKMP to establish an initial secure channel/tunnel over which the IPsec tunnel can be negotiated.
· An IKE policy controls the attributes of the ISAKMP session, including the encryption type and hashing methods.
· We need to manually define in this case the authentication method, I.e preshared keys.
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication preshare
R1# sh crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES – Data Encryption Standard (56 bit keys).
(Purpose: Scramble, unscramble data)
hash algorithm: Secure Hash Standard (Purpose: provide data integrity)
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit) (Purpose: determine the strength of the key used in the key exchange process. Higher group numbers (Diffie-Hellman 2, Diffie-Hellman 5, Diffie-Hellman 14 etc.) are more secure, but require additional time to compute the key.)
lifetime is 86400 seconds, no volume limit
· As mentioned, we’ll need to define a preshared key (versus implementing stronger but more complex public keying). The key is a string of text used to initialize the IKE tunnel, configured identically on both routers. In our example, the string CISCO is used; in practice, I would obviously suggest a much stronger key.
· The IP address which follows the key definition specifies the host for which the key should be used.
R1(config)# crypto isakmp key 0 CISCO address 172.16.0.6
· Make sure to reflect this configuration on the opposite end of the tunnel at R3 (use 172.16.0.1 instead of.6).
R3(config)# crypto isakmp key 0 CISCO address 172.16.0.1
· Once our IKE policy has been setup we can move on to defining an IPsec transform set.
· The transform set defines the parameters which will carry the actual data.
· Unlike defining an IKE policy, which provides a default for all attributes, we must explicitly state the encryption and hash type we want to use with our transform set. Our example will implement ESP encapsulation with 3DES encryption and SHA-1 authentication.
· Within transform set configuration, we have the option to select IPSEC MODE (tunnel or transport mode), however tunnel mode is the default mode.