Monday, May 16, 2022

SNRS – IPSec site-to-site

Thirty-three years old, IT technician by training (perito informatico), ten years as a professional in the ICT world, he holds several certifications; in the Cisco world he has been a CCNA since December. He works with Unix, Cisco and Oracle for one of the largest telcos in Düsseldorf (Germany) as deployment leader and security manager. He is generally enthusiastic about sharing his knowledge and his view of the world with other technicians.

L2L connections

  • LAN-to-LAN (L2L, site-to-site) connections are best suited for routers, since a router can terminate many site VPNs, including ones with dynamic peers
  • Extension of a classical WAN design
  • Configuration steps
    • Handle design and policy
    • Verify connectivity without IPSec (ping)
    • Create an extended ACL that allows IPSec traffic (ISAKMP, ESP, AH) into the router
    • Configure ISAKMP/IKE Phase 1 policies
    • Create an extended ACL (crypto ACL) that defines which traffic is to be protected by the tunnel
    • Create transform sets
    • Create a crypto map that binds together the peer, the crypto ACL and the transform set (the peer's protection information)
    • Activate the crypto map on the interface
    • Test the IPSec tunnel
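The nine steps above carried through for two routers, as an added worked example that is not part of the original notes: a classic L2L tunnel with a static crypto map and a pre-shared key. The router names R1/R2, the GigabitEthernet interfaces, the RFC 5737 documentation addresses, the ACL number and names and the key value are assumptions.

```cisco
! ===== R1 (site A): outside Gi0/0 203.0.113.1/30, inside Gi0/1 10.1.1.0/24 =====
! Added example: names, addresses, ACL numbers and the key are assumptions.
!
! Step 3 - inbound ACL for the outside interface (source first, destination
! second). Apply it only after the clear-text ping test of step 2 has passed.
access-list 110 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
access-list 110 permit udp host 198.51.100.1 host 203.0.113.1 eq non500-isakmp
access-list 110 permit esp host 198.51.100.1 host 203.0.113.1
access-list 110 permit ahp host 198.51.100.1 host 203.0.113.1
! IOS older than 12.3(8)T re-checks the DECRYPTED packet against this ACL, so
! the protected subnets are permitted as well; packets that match the crypto
! ACL but arrive unencrypted are still dropped by the crypto map.
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 deny ip any any log
!
! Step 4 - ISAKMP/IKE phase 1 policy. Only a strong policy exists, so a peer
! cannot negotiate DES/MD5/group 1. Lifetime 8 h instead of the 24 h default.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp identity address
! 0 = key typed in clear text; no-xauth = never prompt this L2L peer for XAUTH.
crypto isakmp key 0 Ex4mple-PSK-R1-R2 address 198.51.100.1 no-xauth
!
! Step 5 - crypto ACL: traffic to protect (local subnet first, remote second).
ip access-list extended VPN-TO-R2
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 6 - transform set for the data (phase 2) SA; tunnel mode for L2L.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 7 - static crypto map binding peer, crypto ACL and transform set.
crypto map CM-L2L 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA
 set pfs group5
 match address VPN-TO-R2
!
! Step 8 - activate the map (and the ACL) on the interface facing the Internet.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 110 in
 crypto map CM-L2L
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
! Default route to the ISP: traffic for 10.2.2.0/24 leaves Gi0/0, matches the
! crypto ACL and is encrypted.
ip route 0.0.0.0 0.0.0.0 203.0.113.2
!
! ===== R2 (site B): outside Gi0/0 198.51.100.1/30, inside Gi0/1 10.2.2.0/24 =====
! Mirror image of R1: same policy, same key, same transform set, swapped
! addresses and a crypto ACL that is the exact mirror of VPN-TO-R2.
access-list 110 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
access-list 110 permit udp host 203.0.113.1 host 198.51.100.1 eq non500-isakmp
access-list 110 permit esp host 203.0.113.1 host 198.51.100.1
access-list 110 permit ahp host 203.0.113.1 host 198.51.100.1
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 110 deny ip any any log
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp identity address
crypto isakmp key 0 Ex4mple-PSK-R1-R2 address 203.0.113.1 no-xauth
ip access-list extended VPN-TO-R1
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map CM-L2L 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256-SHA
 set pfs group5
 match address VPN-TO-R1
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 ip access-group 110 in
 crypto map CM-L2L
interface GigabitEthernet0/1
 ip address 10.2.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
! Step 9 - test: interesting traffic brings the tunnel up, then verify.
! R1# ping 10.2.2.1 source 10.1.1.1
! R1# show crypto isakmp sa     -> 198.51.100.1 in state QM_IDLE (phase 1 up)
! R1# show crypto ipsec sa      -> #pkts encaps / #pkts decaps increasing
! R1# show crypto map           -> peer, crypto ACL and transform set bound
```

The two crypto ACLs are exact mirrors of each other, the phase 1 policy and the transform set are identical on both sides, and the only weak setting that remains is the pre-shared key itself: choose a long random value and give every peer pair its own key rather than reusing one across sites.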

Information to determine

  • Types of L2L solutions:
    • Classic method (small number of peers, or non-Cisco routers, or ASA/PIX)
    • GRE tunnels (medium number of Cisco peers)
    • DMVPN (large number of Cisco peers)
  • Authentication methods:
    • Pre-shared keys
    • RSA encrypted nonces
    • RSA signatures, i.e. certificates issued by a Certificate Authority
  • Name/IP address of the remote IPSec peer
  • Traffic to be protected
  • Encryption algorithm: DES, 3DES or AES (DES is obsolete; prefer AES)
  • Hashing function to use: MD5 or SHA (prefer SHA)
  • Diffie-Hellman group: 1, 2 or 5 (the higher the group, the stronger the key exchange)
  • Lifetime of the tunnel
  • On which interface the traffic leaves for the public network
  • Allow IPSec traffic into the router (extended ACL: source first, then destination):
    rt(config)# access-list ACL_ID permit udp src_IP wild_mask dst_IP wild_mask eq isakmp|500
    rt(config)# access-list ACL_ID permit ahp|51 src_IP wild_mask dst_IP wild_mask
    rt(config)# access-list ACL_ID permit esp|50 src_IP wild_mask dst_IP wild_mask
    rt(config)# access-list ACL_ID permit udp src_IP wild_mask dst_IP wild_mask eq non500-isakmp|4500
    rt(config)# access-list ACL_ID permit udp src_IP wild_mask dst_IP wild_mask eq 10000
    rt(config)# access-list ACL_ID permit tcp src_IP wild_mask dst_IP wild_mask eq 10000
    • UDP 500 is ISAKMP/IKE, protocols 50 and 51 are ESP and AH; UDP 4500 is NAT-T and is only needed when a NAT device sits between the peers; UDP/TCP 10000 is Cisco IPSec over UDP/TCP, used by remote-access clients rather than by a plain L2L tunnel, so permit only what the design actually uses
  • Enabling IPSec
    • Almost all global IPSec commands on the router begin with crypto
    • ISAKMP is enabled by default
    • Peers can be identified by host name or by IP address
    • If host names are used, map them statically on the router rather than resolving them through DNS, to avoid DNS spoofing
      rt(config)# crypto isakmp identity address | hostname
      rt(config)# ip host hostname IP_addr_1 [IP_addr_2] […]
    • Management connection (Phase 1 / ISAKMP SA) policy
    • Phase 1 policies must match on both peers or the tunnel will fail; the lifetime is the exception (with some vendors it must match too). Cisco uses the shorter of the two lifetimes. The default is 86400 seconds (24 hours)
    • priority_# uniquely identifies the policy
    • The smaller the number, the higher the priority
    • Put the most secure policy on top (lowest number). The initiator sends all of its policies and the responder checks its own in priority order until one matches, so a weak policy left anywhere in the list can still be negotiated with a peer that proposes it
      rt(config)# crypto isakmp policy priority_#
      rt(config-isakmp)# authentication rsa-sig | rsa-encr | pre-share
      rt(config-isakmp)# encryption des|3des|aes|aes 192|aes 256
      rt(config-isakmp)# group 1|2|5
      rt(config-isakmp)# hash md5|sha
      rt(config-isakmp)# lifetime #_of_seconds
      rt# show crypto isakmp policy
    • Phase 1 authentication (the 0 in the key commands means the key is entered in clear text)
      rt(config)#	crypto key generate rsa
      rt(config)#	crypto isakmp key 0 key address IP_address [no-xauth]
      rt(config)#	crypto isakmp key 0 key hostname host [no-xauth]
      rt(config)#	crypto pki trustpoint Cert_Authority
      rt(ca-trustpoint)#		enrollment url 
      rt(ca-trustpoint)#		revocation-check none
      rt(config)#	crypto pki crl request Cert_Authority
      rt(config)#	crypto pki authenticate Cert_Authority
    • no-xauth stops the router from prompting an L2L peer for XAUTH user credentials when remote-access clients terminate on the same router; revocation-check none disables CRL checking and is acceptable only in a lab
    • Phase 2 (data connection) parameters
      rt(config)#	crypto ipsec security-association lifetime seconds #_seconds
      rt(config)#	crypto ipsec security-association lifetime kilobytes #_kbytes
      rt(config)#	access-list ACL permit proto local_addr local_mask rem_addr rem_mask
      rt(config)#	crypto ipsec transform-set tsname transform_1 [transform_2 [transform_3]]
      rt(cfg-crypto-trans)#		mode tunnel|transport
      rt#	show crypto ipsec transform-set
    • The global SA lifetime defaults are 3600 seconds and 4608000 kilobytes; the crypto ACL must be the mirror image of the peer's and defines the protected traffic; the transforms are values such as esp-aes 256, esp-sha-hmac or ah-sha-hmac; tunnel mode is the default and the one used for L2L
    • Crypto Map
      • Ties together all the ISAKMP/IKE components to form the data SA
      • Static
        • Connecting to a known IPSec device
        • Used when we know the remote peer's information upfront: address, crypto ACL, transform set
          rt(config)#	crypto map map_name sequence_# ipsec-isakmp|ipsec-manual
          rt(config-crypto-map)#		match address ACL
          rt(config-crypto-map)#		set peer hostname | IP
          rt(config-crypto-map)#		set pfs group1|group2|group5
          rt(config-crypto-map)#		set transform-set tsname ts_1 [ts2 [ts3]]
          rt(config-crypto-map)#		set security-association lifetime …
          rt(config)#	crypto map map_name local-address interface
          rt(config)#	interface type number
          rt(config-if)#	crypto map map_name
          rt# show crypto map
        • local-address is optional: it makes the router source IPSec from that interface (typically a loopback) instead of the interface the map is applied to; the peer's set peer must then point at that address
      • Dynamic
        • Used when we don't know the remote peer's address (dialup/DHCP)
        • The remote peer must initiate the connection
        • One side uses a static crypto map, the other side a dynamic one
        • The router creates a temporary static entry when the SA is formed
          rt(config)#	crypto dynamic-map map_name sequence_#
          rt(config-crypto-map)#		etc.… (set peer and match address may be omitted: they are learned from the peer's proposal)
        • A dynamic map is embedded as an entry into a static crypto map (Cisco syntax); give it the highest sequence number so that the static entries are evaluated first
          rt(config)#	crypto map static_map_name sequence_# ipsec-isakmp dynamic dyn_map_name
          rt(config)#	interface int_ID
          rt(config-if)#	crypto map static_map_name
      • AAA and static crypto maps (remote-access client options on a crypto map)
        rt(config)#	crypto map static_map client authentication list aaa_list
        rt(config)#	crypto map static_map client isakmp authorization list aaa_list
        rt(config)#	crypto map static_map client configuration address initiate|respond
        • client authentication list: XAUTH user authentication of the clients against the AAA method list; client isakmp authorization list: group authorization (mode-config attributes) from the AAA list; client configuration address: the router pushes (initiate) or answers requests for (respond) a client IP address via IKE mode config. L2L peers sharing the same map need no-xauth on their pre-shared key so they are not prompted
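The dynamic crypto map of this section and the certificate-based Phase 1 authentication of the Phase 1 section, combined in one added worked example that is not part of the original notes: a hub with a static map entry for a known branch plus a dynamic map for spokes whose outside address comes from DHCP, all authenticated with RSA signatures (certificates) instead of a wildcard pre-shared key. The host names, addresses, the CA URL http://ca.example.net, the trustpoint and map names and the certificate subject names are assumptions.

```cisco
! ===== HUB: outside Gi0/0 203.0.113.1/30, inside 10.1.1.0/24 =====
! Added example: names, addresses, CA URL and subject names are assumptions.
!
! Phase 1 authentication with certificates. With unknown peer addresses a
! pre-shared key would have to be "address 0.0.0.0 0.0.0.0", i.e. one key
! shared by every spoke; rsa-sig (X.509 certificates) avoids that.
crypto key generate rsa general-keys label VPN-KEYS modulus 2048
crypto pki trustpoint CORP-CA
 enrollment url http://ca.example.net:80
 subject-name cn=hub.example.net,ou=vpn
 rsakeypair VPN-KEYS
 revocation-check crl
! revocation-check none (as in the notes) is for labs only: a revoked spoke
! certificate would still be accepted.
! Fetch the CA certificate (compare its fingerprint out of band), then enroll.
crypto pki authenticate CORP-CA
crypto pki enroll CORP-CA
crypto isakmp identity dn
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 5
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
!
! Dynamic map: no set peer and no match address; both are taken from the
! spoke's proposal, which is why the spoke has to initiate. reverse-route
! (RRI) installs a static route to the spoke LAN while its SA exists.
crypto dynamic-map DYN-SPOKES 10
 set transform-set TS-AES256-SHA
 set pfs group5
 reverse-route
!
! The dynamic map is embedded into the static map as the LAST entry (highest
! sequence number) so the known branch at 198.51.100.1 is matched first.
ip access-list extended VPN-TO-BRANCH-B
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map CM-HUB 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA
 set pfs group5
 match address VPN-TO-BRANCH-B
crypto map CM-HUB 65535 ipsec-isakmp dynamic DYN-SPOKES
!
! Inbound ACL: spoke addresses are unknown, so IKE/NAT-T/ESP must be
! accepted from any source; the certificate, not the ACL, authenticates.
access-list 110 permit udp any host 203.0.113.1 eq isakmp
access-list 110 permit udp any host 203.0.113.1 eq non500-isakmp
access-list 110 permit esp any host 203.0.113.1
access-list 110 deny ip any any log
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 110 in
 crypto map CM-HUB
!
! ===== SPOKE: outside Gi0/0 via DHCP, inside 10.3.3.0/24 (static map) =====
crypto key generate rsa general-keys label VPN-KEYS modulus 2048
crypto pki trustpoint CORP-CA
 enrollment url http://ca.example.net:80
 subject-name cn=spoke3.example.net,ou=vpn
 rsakeypair VPN-KEYS
 revocation-check crl
crypto pki authenticate CORP-CA
crypto pki enroll CORP-CA
crypto isakmp identity dn
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 5
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
ip access-list extended VPN-TO-HUB
 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map CM-SPOKE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256-SHA
 set pfs group5
 match address VPN-TO-HUB
interface GigabitEthernet0/0
 ip address dhcp
 crypto map CM-SPOKE
!
! Verify on the hub after a spoke has sent interesting traffic:
! HUB# show crypto isakmp sa        -> one QM_IDLE entry per connected spoke
! HUB# show crypto ipsec sa         -> temporary entry built from DYN-SPOKES
! HUB# show ip route static         -> RRI route to 10.3.3.0/24 via the spoke
! HUB# show crypto pki certificates -> CA and router certificates installed
```

The static branch at 198.51.100.1 is configured like the spoke but with its fixed address. Any certificate issued by CORP-CA is accepted by this hub; if that CA also issues certificates for other purposes, restrict the accepted subjects with a crypto pki certificate map attached to the trustpoint, so that possession of some certificate from the CA is not by itself enough to bring up a tunnel.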
