Cisco CCIE Security 350-701 – Site to Site IPSEC VPN Part 2

  1. Step-3 – IKE Phase 2

Now the next step is Phase 2. In Phase 2 the actual IPsec is applied, meaning your traffic is actually secured. In order to do that, it has to decide which protocol will be used for securing your data. There are two major protocols supported in Phase 2, the Phase 2 protocols we can say, and these two protocols are responsible for encapsulating your packet, adding some IPsec information into the packet. So we can use either ESP (Encapsulating Security Payload) or Authentication Header (AH).

These are the two protocols supported in general. Now, the basic difference between the two is this: Authentication Header uses IP protocol number 51. It provides authentication (authentication of the peer), it provides integrity by using hashing, and it also provides anti-replay detection, but it does not provide confidentiality, meaning there is no encryption support. So if you want to secure your data without any encryption, when you decide that encryption is not really important for you, you can use Authentication Header, because it offers you the other benefits apart from encryption. It also has less overhead, because it is not encrypting your packets; all the data goes in clear text. But technically, if you want to secure the information, it has to be confidential, so encryption is also important. In that case you use ESP.

ESP uses IP protocol number 50. It provides authentication, integrity and anti-replay, and it also provides encryption, which means slightly more overhead compared to Authentication Header because of that encryption. So the first thing when you want to apply IPsec is to decide which encapsulation protocol you want to use, and the basic difference is in the headers. If you are using ESP, ESP adds an ESP header, an ESP trailer and ESP authentication data; it encrypts your IP header and data, and that is authenticated as well. With Authentication Header the packet is authenticated, but there is no encryption of your data, so it goes in clear text. So we need to decide which protocol you want to use, ESP or Authentication Header.

Then, based on the protocol you select, we need to decide which algorithms you are going to use. You want authentication, of course, so you need to decide which hashing algorithm to use, which means I need to decide whether I want to use MD5 or SHA, and which encryption algorithm I want to use, whether DES, 3DES or AES, whatever combination of algorithms. Now, if you are using Authentication Header, we can define only hashing, since Authentication Header supports hashing.

For that we can use either the MD5 or the SHA algorithm. So we need to define the combination of algorithms we are going to use, and the combination works like this: let's say I want to encrypt my data, so for encryption I must use ESP, and again I can use either 3DES, DES or AES; we have to select one. Now I also want to make sure that the data is not modified, which means hashing. Hashing is supported by both ESP and Authentication Header, so I may be using MD5 or SHA with either Authentication Header or ESP. So technically you can use ESP for both.

I can say that the encryption should be done with ESP and the hashing should also be done with ESP; that is one combination. Or you can say that I'll use ESP for encryption and Authentication Header for hashing. So it all depends on which combination we use, and this combination has to be defined by using transform sets. In the transform set we define the combination of algorithms and protocols you want to use, and that makes up the security policy for the traffic. Let me show you on the command line. On the router, the configuration will start something like this: crypto ipsec transform-set, followed by any name we want for the transform set.

Then if you type a question mark, you can see the options. I can select Authentication Header with any of the hashing algorithms supported in my IOS; I get five options and have to select one. And when it comes to encryption, I have ESP supported with all these encryption algorithms, like ESP with 3DES and so on; those are all the options. So we need to select one combination of algorithms. Let's say I'm using Authentication Header... sorry, let me use ESP. These MD5 and SHA options are actually for hashing; these are the hashing algorithms, MD5 and SHA, supported with either ESP or Authentication Header. So let's say I'm using ESP SHA HMAC for hashing with ESP, and for encryption I'm using ESP AES.

So we define these options inside the transform set. In Phase 2 we mainly need to define the interesting traffic, which we did already in Phase 1, and then decide which encapsulating protocol you are going to use, ESP or Authentication Header. Of course you have to use ESP for encryption; for hashing I can use any one of these options. These are the parameters we need to define, and we define them inside a transform set. Once you have created the transform set, we finally combine all these parameters in one single step, the crypto map.

So finally we combine everything in one statement called a crypto map. There we tell what my interesting traffic is (I used an ACL named for the interesting traffic), which means I'm saying: if the traffic matches this source and is going to this destination, apply IPsec. Then we tell which algorithms to use. We defined that already inside the transform set, where I said we should use the ESP SHA HMAC algorithm for hashing and ESP AES 56-bit for encryption. So apply IPsec with those.

And if the traffic is going to this peer, we also need to tell what the remote peer address is. If the traffic is pointing towards the peer, that is 25 two here, this is going to be the next-hop address, the peer. So we need to set the peer as well. Then finally we use this crypto map: we apply the crypto map on the interface that is leaving towards the internet. So let me quickly configure this and show you.

  1. IKE Phase 2 – Configuration / Verification

Now, in Phase 2, configuration-wise, the first step is to configure the interesting traffic, and that is something we already did in the previous steps. If you verify with show ip access-list, any traffic coming from one to two is my interesting traffic. The next step is to create a transform set: crypto ipsec transform-set. The transform set defines the combination of algorithms you will be using for securing your data, and we can use either the ESP or the Authentication Header protocol. In my case I'll be using ESP AES for encryption and ESP SHA HMAC for hashing. So for both encryption and hashing I'm using the ESP protocol. You need to use the same algorithms on the other side, so copy and paste onto router two; I think I configured that already in the previous video. Once we have configured the transform set, the next thing is to create a crypto map.

A crypto map is like combining all the Phase 2 parameters in one single statement. The sequence number is more commonly used when you are configuring advanced VPNs; with multiple hub-and-spoke scenarios we can configure multiple map statements in one single crypto map. So let's say the sequence number is ten, and we need to select ipsec-isakmp. There is a manual option (ipsec-manual) and a dynamic negotiation option, and we want the dynamic one, so we say ipsec-isakmp negotiation. Then we need to tell what my interesting traffic is, so we use match address with the ACL I created for the interesting traffic, then we tell the peer address, 25 two, and then apply the transform set.

So in this statement I'm saying: if the traffic matches this ACL, if it is going from the one network to the two network, set the peer (the peer should be 240 zero two) and apply IPsec with the algorithms defined inside the transform set. Then finally we need to apply this under the interface: crypto map cr_map. The same thing on router two. On router two we also need to create a crypto map with any name, so I'm using crypto map with sequence ten, we say match address with my interesting-traffic ACL named Inttr, we set the peer, which is going to be 15 one as per my topology, we apply the transform set tr_set, and then we apply this crypto map under the interface. Once I do this, we are done with the configuration of the IPsec VPN; I can see that it enables the IPsec VPN. Now for verification we can use some specific commands. We go to router one, and on router one there are verification commands like show crypto isakmp sa.
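The Phase 2 configuration walked through above, written out as an added example; this is not the lecture's own console session. The addressing is constructed (192.168.1.0/24 behind R1, 192.168.2.0/24 behind R2, WAN addresses 203.0.113.1 and 198.51.100.2, and the interface names), and Phase 1 (the ISAKMP policy and pre-shared key) is assumed to be configured already, as in the earlier steps. The names Inttr, tr_set and cr_map are the ones used in the lecture. The commented-out transform sets show the other protocol combinations discussed earlier: ESP for encryption with AH for hashing, and AH alone, which gives integrity and anti-replay but no confidentiality.

```cisco
! ===== R1 (constructed example addressing, not from the lecture) =====
! Interesting traffic: LAN behind R1 -> LAN behind R2
ip access-list extended Inttr
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Transform set: ESP for both encryption (AES) and hashing (SHA HMAC)
crypto ipsec transform-set tr_set esp-aes esp-sha-hmac
 mode tunnel
!
! Alternatives (the crypto map references only one transform set):
!   ESP for encryption, AH for hashing            -> esp-aes ah-sha-hmac
!   AH only: integrity/anti-replay, no encryption -> ah-sha-hmac
! crypto ipsec transform-set tr_set_esp_ah esp-aes ah-sha-hmac
! crypto ipsec transform-set tr_set_ah_only ah-sha-hmac
!
! Crypto map: interesting traffic + remote peer + transform set, IKE-negotiated
crypto map cr_map 10 ipsec-isakmp
 match address Inttr
 set peer 198.51.100.2
 set transform-set tr_set
!
! Apply the crypto map on the interface facing the internet
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map cr_map
!
! ===== R2: mirror image, same algorithms, peer points back to R1 =====
ip access-list extended Inttr
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto ipsec transform-set tr_set esp-aes esp-sha-hmac
 mode tunnel
!
crypto map cr_map 10 ipsec-isakmp
 match address Inttr
 set peer 203.0.113.1
 set transform-set tr_set
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map cr_map
```

The two ends must agree on the transform set contents (protocol and algorithms) for the Phase 2 proposal to be accepted; the ACL on each side is simply the reverse of the other, and each crypto map's set peer is the other router's WAN address.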

Currently, if you want to verify Phase 1, we use this command, and if you want IPsec to initiate, we need to generate some traffic that matches the interesting traffic. So try to generate traffic from router one to router two, LAN to LAN; let's say I'm pinging with a repeat count of 100. Initially the communication does not go through, because the router is still applying IPsec, but later on you can see the ping works. So if you see ping replies between one and two, that is a confirmation that IPsec has been negotiated. To verify Phase 1 we say show crypto isakmp sa, and I can see Phase 1 is established; to verify the Phase 2 parameters we say show crypto ipsec sa.

You will see some more information here, like the packets that were encapsulated and encrypted. Of the 100 pings we sent, a couple got dropped during the initial establishment, so you see 98. You can see the packet count increase, and you can see there is an inbound SA based on this transform set and an outbound SA. I have some additional commands for verification as well. For Phase 1, there is the command I just showed you, and for the other parameters, show crypto session detail shows you the Phase 1 and Phase 2 status: the session is up and active, and you can see the inbound packets, the outbound packets and how many KB of information.

If you want to specifically verify Phase 1, the command is show crypto isakmp sa, or show crypto isakmp sa detail if you want more detailed information. If you want to verify the pre-shared key, we say show crypto isakmp key. And if you want to verify the Phase 2 parameters, like the transform set, we say show crypto ipsec transform-set. So at the end, when you initiate traffic between router one and router two that matches the interesting traffic, you must be getting a reply. That is the confirmation that both endpoints are able to communicate LAN to LAN without any kind of routing and that your traffic is actually protected. For that I generally use show crypto ipsec sa and look for the packet counters incrementing.
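The verification sequence described above, collected as an added example runbook rather than the lecture's own output. It assumes the constructed addressing from the configuration example (192.168.1.1 as R1's LAN address, 192.168.2.1 as R2's LAN address) and the lecture's names Inttr and tr_set. The comments state which fields of each command's output to read; the exact output lines are not reproduced here.

```cisco
! ===== Run on R1 (constructed addresses; Inttr/tr_set/cr_map from the lecture) =====
! 1. Generate interesting traffic, LAN to LAN. The first few echoes are lost
!    while IKE negotiates; the rest should succeed once the SAs are installed.
ping 192.168.2.1 source 192.168.1.1 repeat 100
!
! 2. Phase 1 (ISAKMP SA). Expect one entry for the remote peer in state QM_IDLE.
show crypto isakmp sa
show crypto isakmp sa detail
! Pre-shared key configured for the peer
show crypto isakmp key
!
! 3. Phase 2 (IPsec SAs). Check that the outbound counters (#pkts encaps,
!    #pkts encrypt, #pkts digest) and the inbound counters (#pkts decaps,
!    #pkts decrypt, #pkts verify) grow with the ping count, and that one
!    inbound and one outbound ESP SA are listed for transform set tr_set.
show crypto ipsec sa
show crypto ipsec transform-set
!
! 4. Combined view of Phase 1 and Phase 2: session status (UP-ACTIVE) and
!    the inbound/outbound packet and byte counters.
show crypto session detail
!
! 5. The ACL that selects the interesting traffic, as checked earlier.
show ip access-lists Inttr
```

Repeating the ping and re-running show crypto ipsec sa is the quickest check that traffic is actually being protected: the encaps and decaps counters should both move by roughly the number of echoes sent, and a counter that stays at zero in one direction points at the peer's crypto ACL or transform set rather than at Phase 1.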
