mercoledì, Marzo 29, 2023

SNRS – IPSec site-to-site

Trentatre anni, perito informatico, professionista da dieci nel mondo ICT, possiede varie certificazioni - nel mondo Cisco è CCNA da Dicembre. Lavora nel mondo Unix, Cisco ed Oracle per una delle maggiori telco a Düsseldorf (Germania) come deployment leader e responsabile della sicurezza. E' generalmente entusiasta di condividere le sue conoscenze e la sua visione del mondo con altri tecnici.

L2L connections

  • Land to land (site to site) connections are best suited for routers since they can do multiple dynamic site VNP
  • Extension of a classical WAN design
  • Configurations steps
    • Handle design and policy
    • Verify connectivity without IPSec (ping)
    • Create extended ACL to allow IPSec traffic into the router
    • Configure ISAKMP/IKE Phase 1 policies
    • Create extended ACL that defines which traffic is to be protected for the tunnel
    • Create transform sets
    • Create a crypto map that binds together the peer’s protection information
    • Activate crypto map on the interface
    • Test IPSec tunnel

Information to determine

  • Types of L2L solutions:
    • Classic method (small number of peers or non-Cisco router, or ASA/PIX)
    • GRE tunnels (medium number of Cisco peers)
    • DMVPN (large number of Cisco peers)
  • Authentication methods:
    • Pre-shared keys
    • RSA nounces (signatures)
    • Certificates (Certificate Authority)
  • Name/IP address of remote IPSec peer
  • Traffic to be protected
  • Encryption algorithm: DES, 3DES or AES
  • Hashing function to use: 1, 2 or 5
  • Life time of the tunnel
  • On which interface the traffic is leaving for the public network
  • Allow traffic:
  • rt(config)# access-list ACL_ID permit udp dst_IP wild_mask src_IP wild_mask
    			eq isakmp|500
    rt(config)# access-list ACL_ID permit ahp|51 dst_IP wild_mask src_IP wild_mask
    rt(config)# access-list ACL_ID permit esp|50 dst_IP wild_mask src_IP wild_mask
    rt(config)# access-list ACL_ID permit udp dst_IP wild_mask src_IP wild_mask
    eq non-isakmp|4500
    rt(config)# access-list ACL_ID permit udp dst_IP wild_mask src_IP wild_mask
    eq 10000
    rt(config)# access-list ACL_ID permit tcp dst_IP wild_mask src_IP wild_mask
    eq 10000
  • Enabling IPSec
    • Almost all router global IPSec commands begin with crypto
    • ISAKMP enabled by default
    • Can use host names or IP addresses to identify peers
    • Better set host names statically to avoid DNS spoofing
      rt(config)# crypto isakmp identity address | hostname
      rt(config)# ip host hostname IP_addr_1 [IP_addre_2] […]
    • Management connection policy
    • Phase 1 policies must match or tunnel will fail, except the lifetime (with some vendor it is compulsory too). In Cisco shortest lifetime used. Default 14800 seconds
    • priority_# uniquely identifies the policy
    • The smaller the number, the higher the priority
    • Most secure to be placed on top
      rt(config)# crypto isakmp policy priority_#
      rt(config-isakmp)# authentication rsa-sign | rsa-encr | pre-share
      rt(config-isakmp)# encryption des|3des|aes|aes 192|aes 256
      rt(config-isakmp)# group 1|2|5
      rt(config-isakmp)# hash md5|sha
      rt(config-isakmp)# lifetime #_of_seconds
      rt# show crypto isakmp policy
    • Phase 1 authentication
      rt(config)#	crypto key generate rsa
      rt(config)#	crypto isakmp key 0 key address IP_address [no xauth]
      rt(config)#	crypto isakmp key 0 key hostname host [no xauth]
      rt(config)#	crypto pki trustpoint Cert_Authority
      rt(config)#		enrollment url 
      rt(config)#		revocation check none
      rt(config)#	crypto pki crl request
      rt(config)#	crypto pki authenticate Cert_Authority
    • Phase 2 authentication
      rt(config)#	crypto ipsec security-association lifetime seconds #_seconds
      rt(config)#	crypto ipsec security-association lifetime kilobytes #_kbytes
      rt(config)#	access-list ACL permit proto local_addr local_mask rem_addr rem_mask
      rt(config)#	crypto ipsec transform-set tsname ts_1 [ts2 [ts3]]
      rt(config)#		mode tunnel|transport
      rt#	show crypto ipsec transform-set
    • Crypto Map
      • Ties together all ISAKMP/IKE components to form the data SA
      • Static
        • Connecting to IPSec device
        • When we know information from the remote peer
        • We must know upfront: address, ACL, transform set
          rt(config)#	crypto map map_name sequence_# ipsec-isakmp|ipsec-manual
          rt(config)#		match address ACL
          rt(config)#		local address interface
          rt(config)#		set peer hostname | IP
          rt(config)#		set pfs group1|group2|group3
          rt(config)#		set transform-set tsname ts_1 [ts2 [ts3]]
          rt(config)#		set security-association lifetime …
          rt(config)#	interface type number
          rt(config-if)#	crypto map map_name
          rt# show crypto map
      • Dynamic
        • We don’t know the remote peer, or dialup/DHCP
        • Remote must initiate the connection
        • One side static crypto map, other side dynamic
        • Router create a temporary static entry when the SA is formed
          rt(config)#	crypto dynamic-map map_name sequence_#
          rt(config-crypto-map)#		etc.…
        • Dynamic maps are embedded as entry into a static tunnel (Cisco syntax)
          rt(config)#	crypto map static_map_name sequence_#
                                             ipsec-isakmp dynamic dyn_map_name
          rt(config)#	interface int_ID
          rt(config-if)#	crypto map static_map_name
      • AAA and static crypto maps
        rt(config)#	crypto map static_map client authentication list aaa_list
        rt(config)#	crypto map static_map client isakmp authorization list aaa_list
        rt(config)#	crypto map static_map client configuration address initiate|respond

    Articoli correlati

    Digital Transformation


    Noleggia una Tesla per il tuo evento ICT!