Cisco CCIE Security 350-701 – Site to Site IPSEC VPN

1. How IPsec VPN Works

Now the next thing we’ll try to understand how the IPsec VPN works. So here I’m going to quickly give an overview of how the IPsec VPN works. Probably we’ll see more in detail about each and every, each and every step. So overall the IPsec VPN goes in five steps. Now the first step is we need to configure something like interesting traffic. Interesting traffic means like take an example. I want, want to secure the traffic which is going from one network, let’s say 190 to 168, one dot network.

So going to this network, two dot network. Now the entire communication between these two, I want to apply IPsec. So there’s something I want to secure, so nothing but I want to apply IPsec. Now if you’re establishing connectivity between over Internet or any other transport network, there is another type of traffic, like anything going from one dot network and destined to two dot network is my interesting traffic. So technically we call it as interesting traffic nothing, but that is the traffic you want to protect.

But whereas if you’re trying to send a traffic which is coming from the same source, might be going to some Yahoo server or maybe going to some internet or maybe going to any other remote networks which you don’t want to secure. So there are two types of traffic. One is interesting traffic which you want to protect, whereas other traffic is anything other than what you, what you did not define in general. So that’s the first step. We need to define the interesting traffic.

And once the router receives a traffic which matches the specific ACL or the interesting traffic, what we define and it will establish something called phase one and phase two options. Now the basic difference is like a phase one is negotiated first. Now the phase one, it’s going to authenticate the peers because you are establishing a VPN between these two endpoints. So it’s going to authenticate the peer. That’s the first thing.

And based on that, once it authenticates, it’s going to establish a secure channel. So in the phase one it has to build a secure channel. That is the main thing. And to do that it uses some specific algorithms and other things. Probably I’ll talk about that more in detail in a separate video. But the first one we need to establish a secure channel and it is going to do that by using some authenticating the remote field and then using some algorithms for encryption or integrity or what case they use. What is the defining algorithm to use, something like that. So we call them as parameters, or phase one parameters.

Now once the phase one is successfully negotiated, once it builds a secure channel, now the actual IPsec is applied in the phase two. Now the purpose of the phase two is to negotiate the IPsec Security Association’s SS. It’s nothing but setting up an actual tunnel for securing your data. So the actual protection is actually done in the phase two. But the phase one is going to build a secure channel between the endpoints. So just like phase one builds a secure channel, and once the secure channel is built, then it is going to protect your data in the phase two.

And then once it set up an IP tunnel, IPsec tunnel between the two endpoints for protecting your data, then your actual data transfer happens. That is your fourth step. In the fourth step, after the two phases established, packets are actually encrypted and decrypted using a specific algorithms mentioned in the phase two. So in the phase two, we’ll define some algorithms. And using those algorithms, your data is encrypted and decrypted on the endpoints. And finally the tunnel termination means the tunnel will be, will be removed. IP six tunnel will be torn down.

And this totally depends upon timeout, whether you specify something like number of seconds, and once it reaches the time, once the time expires, it’s going to toe down the tunnel and it will try to renegotiate again. Or maybe you can also define in terms of bytes of information passed through the tunnel. Or maybe you manually delete that. Okay, so that can be some through manual deletion. So this is how Ibsec VPN works. So these are the steps. In fact, it uses many, many other things, like algorithms and other things. But technically we can divide the IPsec process completely into five steps.

2. Step-1 – Interesting Traffic

Now we are ready to configure the IPsec VPN between the two sides. So in the previous sections we discussed the five steps of IPsec VPN configuration in that we are going to do the basic first step configuration in this in this video. Now, I do have a preconfigured topology as I discussed in the previous video, I do have reach ability between these two endpoints. That is the first thing we need to check from the autobahn for try to ping to 25 or two. I do have reachable D.

So my requirement is to configure the interesting traffic. Now, interesting traffic refers to what traffic you want to apply IPsec. Like in this scenario, I want the communication between router one land to router one land should be secured and that is considered as my interesting traffic. And any traffic which is going to any other sites or maybe going to internet. And that is not my interesting traffic and that is something I may not want to secure. So whenever you decide to configure the IPsec VPNs, you need to decide the interesting traffic also. So that can be done with the help of some access list.

So I’ll be using some extended Access list recommended to use some name ratios so that we can modify if needed in the future scenarios. So we are going to say permit all the traffic which is going from 192 1681 dot network to 181 six eight two dot network. So I’m going to say permit IP from one dot network going to 192-1682 network. So likewise the same thing, I need to do it on the router two as well. So I’m going to copy paste the exact commands.

But I do need to change data sets. So save name, it’s okay, but it should be from two to one. So if you want we can verify which show IP access list. It will show you I’m using some name as interesting traffic. So probably this ACL will be using in IC Phase Two because even though this interesting traffic is a part of the phase II configurations, but as per the steps what we discussed and how IPsec works, I generally consider this as a first step. But we’ll be using this ACL when we, when we try to configure Phase two, we by using some kind of crypto maps and other statements.

3. Step-2 IKE Phase-1

Now the second step in the IC IPsec VPN is the IC phase one. Now phase one is responsible for authenticating the remote piece and building up a secret channel between the two endpoints. And then IC phase two will occur where actual encryption or the actual protection of your data occurs. So the phase one has to be successful for the phase two to apply. So in order to build a secure channel now, the IC will use some parameters. Like we need to define what authentication method we’ll be using, whether you’ll be using some preschool key or some signatures, or for providing encryption which algorithms you are going to use, any one you need to mention, and probably for secure action of the keys. What is the defihami algorithm we’ll be using like DH algorithms. And then finally you need to also define some integrity like hashing algorithms, which algorithm you are going to use. So both the end points has to negotiate the matching policies. Now matching policies means both the sides, they must be using the common policy, like, let’s say on the router one. If I’m using these algorithms, these are the algorithms, and I have configured two different algorithms combinations. Typically we combine this and define them as an ice cream policy or IP policies.

So we can create multiple policies like policy Ten, policy 20, policy 30, which uses different combinations so they both will negotiate what is the correct combination used. So in order for the phase one to be successful, you must be using same algorithm on both the sides. Okay? So that’s the first step, that’s the phase one step. Now either I can configure my own policies by using some numbers, or you can also use some predefined policies which are present in some iOS versions. Like if you just try to go and check on my router, I’m using subscription iOS versions. If I say show crypto is chem policy, you can see there are some predefined policies or the combination of the policies which are there with some priority values.

Again, if you’re using some kind of some older iOS versions, you may not see some default policies. So we can either use any of these default security policies or we can define our own ice cream policies. So let me just quickly define our own policy. So to do this we need to say crypto ice cream policy sequence number. Now this number will decide what is the priority. Like on this router I can create some ice cream policy with 10, 20, 30 like this.

So by default it will try to match with the remote pair the first policy and if this doesn’t match, it will try to match the next policy and lower the number that is more preferable or more priority. We can say so these are the default predefined policies, what are present? We can say default policies. So I’m going to define my own with some policy terms. Now you can use question mark to figure out what are the options we need to define what is the authentication method you want to use, what is the encryption algorithm you want to use or what is a grouping definition group you want to use and what is the hashing algorithm you want to use.

So these are the four parameters we need to define. Let’s say I’m going to say authentication and again you can see there are multiple authentication methods supported. In this basic example we’ll be using some preshade key authentication and the preshade key authentication what we’ll do is we’ll configure some passwords on both the sites, the pre conference passwords and the password has to match on both the ends. So basically it’s not a secure method. In some production scenarios or in advanced scenarios we use some digital certificates, certificates generally for authentication we can also use that option. So at this point of time we just use a simple authentication method with appreciate key and then we need to tell what is the encryption algorithm you want to use. Again. Multiple supported AES. I’m using AES. Let’s say again you have to define how many pit keys you want to use. The higher the number, the more secure. So let me just use 108 and then you need to define what is a defiant group you want to use. Of course many supported here.

So let’s say I’m using five and then we need to define what is a hashing algorithm you want to use. Let’s say I’m using Shaw algorithm. So you need to make sure that you use the same parameters on other side. So on the router two also I’m going to copy paste so make sure that you are using the same combinations. These parameters has to match on both the sites. Of course policy number can be any number, so this number can be any number, it doesn’t matter, but these four parameters has to match the next thing. We will also configure authentication because we configured authentication should be appreciate key. We did not configure any preserved key.

So if you want to configure the preschool key, we say Crypto ICECAM key. We can use a key name, any password, let’s say one, two, three I’m using and the address of the remote page is 250 zero two. Now mostly if you are going with a command line, most of the commands like starts with crypto and if you are doing any specific configurations relating to phase one, most of the commands will go as Crypto ICECAM and you can use iOS help to figure out the next options depending upon the configurations. This is for phase one and any phase two commands. Generally the commands will go like the Crypto IPsec and use iOS help for all the phase two configurations.

So likewise I need to use the same configuration on other side, same password on the router too. But the peer address is going to be the IP address of the remote pal. So we need to define the IP address of the remote pairs. So this is your phase one configuration. So in the phase one, we need to build a secure channel in order to do that, we need to negotiate some parameters. We can say item policies and we must be using the same combination of algorithms on both the sides. So for a successful phase one to establish to build a secure channel between these two endpoints, you need to make sure that you are using the same combination of algorithms policy number no need to match.