15 Replies Latest reply: Jun 6, 2011 1:30 PM by cjinfantino

    IPsec ISAKMP Policy and Crypto map config

    Gabriel

      Hi Guys,

       

      I'm hoping someone could clarify this for me

       

      I believe it is possible to have different crypto isakmp policies for different connections based on needs, different security parameters supported different devices, etc.

       

      My question is how is a specific policy applied to a specific peer? Sample config below should make my question a bit clearer I hope.

       

      !

      !

      crypto isakmp policy 1

      encr 3des

      authentication pre-share

      group 2

      !

      !

      crypto isakmp policy 2

      encr aes 256

      authentication pre-share

      lifetime 28800

      !

      !


      The first policy clearly uses a different security parameter from the second one, thus if I needed to set up an IPsec connection using the first policy, how would I apply/refer to it in the crypto map, if this makes sense. Would it be something like:

       

      !

      !

      crypto map TestMap 1 ipsec-isakmp  --

      set peer 1.1.1.1

      set transform-set setname

      match address 101

      !

      Does this use the first policy 1 above?

       

      crypto map TestMap 2 ipsec-isakmp  --

      set peer 2.2.2.2

      set transform-set setname

      match address 101

       

      Does this use policy 2 above?

       

      Also, how can you check what one is being used?

       

      Any contributions will be much appreciated.

        • 1. Re: IPsec ISAKMP Policy and Crypto map config
          Brian A

          The set transform set command defines the parameters to be used for the phase 2(ipsec) part of the tunnel, not the phase one part.

           

          As far as which policy is used, I believe the initiator sends all of his policies and the recipient tries to match them one at a time to its defined policies.  First match is the one that is used.

           

            I am fairly confident that to see what isakmp policy is being used the command

           

          sh crypto isakmp  ...

           

          would be the place to start.  There is another word to be added to make the command complete but I could not verify which, if any, would show you the policy in use.

          • 2. Re: IPsec ISAKMP Policy and Crypto map config
            Richard

            First, ACL 101 is the interesting traffic, and negotiation begins between the peers (1.1.1.1 or 2.2.2.2).

            Second, identical ISAKMP policies that match on both peers will be used, on a first-match basis if you will, regardless of the priority number.

            What is important is that there are two identical policies, one from each peer.

            I hope this clarifies your query, and I hope I'm right.

            • 3. Re: IPsec ISAKMP Policy and Crypto map config
              r@costa

              You need to define an access-list for which traffic is allowed, and also create a transform-set.

               

              crypto map TestMap 1 ipsec-isakmp

              set peer 1.1.1.1

              match address 101

              set transform-set setname

              set pfs group2

               

              Verify:

              #sh crypto map

              #sh crypto isakmp policy

              #sh crypto ipsec transform-set

              • 4. Re: IPsec ISAKMP Policy and Crypto map config
                nehalnaik

                Gabriel,

                 

                In phase 1 of IPsec negotiation between initiator and receiver, the initiator will send all his configured crypto policies to the receiver. From the received crypto policies the receiver will choose the matching crypto policy [same encryption, authentication, DH group; life time can be different] configured on his end. To see which policy is being used on a Cisco ASA you can use the following command:

                # show crypto isakmp sa detail

                 

                Also, considering the fact that these first two messages of phase 1 are non-encrypted, you can either run tcpdump or enable debug on your router/firewall to see what actually happens. Careful if you are in a live environment.

                #debug crypto isakmp

                 

                Hope this helps.
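                The negotiation described in replies 1, 2 and 4 can be tried out offline. The script below is an added example and is not code from this thread or from Cisco; it parses `crypto isakmp policy` blocks the way IOS reads them (defaults `encr des`, `hash sha`, `authentication rsa-sig`, `group 1`, `lifetime 86400` for anything a policy leaves out), then simulates the documented IOS behaviour: the initiator offers every policy it has, the responder walks its own policies in priority order and takes the first one whose encryption, hash, authentication and DH group equal one of the offers, and the shorter of the two lifetimes is used. The first config is the one from the original post; the PEER config is constructed for the example. Note that nothing in a crypto map names a policy, which is why the original question has no "set policy" answer.

```python
"""Simulate IKEv1 (ISAKMP) phase 1 policy selection between two Cisco IOS peers.

Added example, not code from the thread. The responder walks its OWN policies
in priority order (lowest number first) and accepts the first one whose
encryption, hash, authentication method and DH group equal one of the
initiator's offers. Lifetimes need not match; the shorter one is used.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# IOS defaults for any parameter a policy leaves unset.
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": 86400}
POLICY_KEYWORDS = {"encr", "encryption", "hash", "authentication", "group", "lifetime"}


@dataclass(frozen=True)
class Policy:
    priority: int
    encr: str
    hash: str
    authentication: str
    group: str
    lifetime: int


def _build(fields: dict) -> Policy:
    merged = {**DEFAULTS, **fields}
    merged["lifetime"] = int(merged["lifetime"])
    return Policy(**merged)


def parse_isakmp_policies(config: str) -> list[Policy]:
    """Extract `crypto isakmp policy N` blocks from IOS config text, defaults applied."""
    policies, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            if current is not None:
                policies.append(_build(current))
            current = {"priority": int(header.group(1))}
            continue
        parts = line.split()
        if current is not None and parts and parts[0] in POLICY_KEYWORDS:
            key = "encr" if parts[0] == "encryption" else parts[0]
            current[key] = " ".join(parts[1:])      # keeps "aes 256" as one value
        elif current is not None:                    # "!" or anything else ends the block
            policies.append(_build(current))
            current = None
    if current is not None:
        policies.append(_build(current))
    return sorted(policies, key=lambda p: p.priority)


def proposal_matches(a: Policy, b: Policy) -> bool:
    """Lifetime is deliberately left out: IOS negotiates it separately."""
    return ((a.encr, a.hash, a.authentication, a.group)
            == (b.encr, b.hash, b.authentication, b.group))


def negotiate(initiator: list[Policy], responder: list[Policy]):
    """Return (responder_policy, matching_offer, negotiated_lifetime) or None."""
    offers = sorted(initiator, key=lambda p: p.priority)
    for local in sorted(responder, key=lambda p: p.priority):
        for offer in offers:
            if proposal_matches(local, offer):
                return local, offer, min(local.lifetime, offer.lifetime)
    return None


# The two policies from the original post.
GABRIEL = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 lifetime 28800
!
"""

# Constructed remote peer (not from the thread): priority 5 lines up with
# Gabriel's policy 2, priority 20 with Gabriel's policy 1, priority 10 with neither.
PEER = """
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 lifetime 28800
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 43200
!
"""

if __name__ == "__main__":
    g, p = parse_isakmp_policies(GABRIEL), parse_isakmp_policies(PEER)
    for name, result in (("Gabriel initiates", negotiate(g, p)),
                         ("peer initiates", negotiate(p, g))):
        local, offer, life = result
        print(f"{name}: responder policy {local.priority} <-> offer {offer.priority}, "
              f"encr {local.encr}, lifetime {life}")
```

Running it shows the point the replies circle around: with the same two configs, which phase 1 proposal wins depends on who responds. When the constructed peer responds it walks its policy 5 first and picks AES-256 against Gabriel's policy 2; when Gabriel's router responds it walks its policy 1 first and picks 3DES against the peer's policy 20, with the lifetime cut to the peer's 43200 seconds.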

                • 5. Re: IPsec ISAKMP Policy and Crypto map config
                  Gabriel

                  Thanks for all the contributions guys. I think I get it now. Any more contributions welcome.

                   

                  Much appreciated

                  • 6. Re: IPsec ISAKMP Policy and Crypto map config
                    chris

                    But what about in Cisco SDM?  Obviously in a lab there wouldn't be any digital certificate that you could use (DCs given out by the DG Authority)....so you would use pre-shared keys in a site-to-site VPN.  My question is what do you enter for the pre-shared keys in Cisco SDM.  Do you create one, do you call it what the key's name is when you have configured SSH....my question is on configuration....Thank you

                    • 7. Re: IPsec ISAKMP Policy and Crypto map config
                      Gabriel

                      Chris,

                       

                      I'm not sure I quite understand your question/who it's directed to, I stand corrected, but I'm sure the ADSM allows for pre-shared key or perhaps a self-signed certificate could be used depending on the purpose?

                      • 8. Re: IPsec ISAKMP Policy and Crypto map config
                        chris

                        I'm sorry, sometimes I rant on.  But no...it is when you create a site-to-site VPN within SDM.  You get to a point where you enter either a digital certificate or pre-shared key.  I'm just not sure what exactly to put in this field or how to create and configure the digital certificate or pre-shared key manually in the CLI.

                        • 9. Re: IPsec ISAKMP Policy and Crypto map config
                          chris

                          And another question off subject. Is it possible to use VMware Workstation as a host for a router in GNS3?

                          • 10. Re: IPsec ISAKMP Policy and Crypto map config
                            Antonio Knox - CCNP R&S, CCNA R&S/Security

                            The preshared key is defined by you.  It is merely a text string that must match at both ends of the tunnel. You can simply select preshared key and type (or paste) the string into the box.  As far as the digital certificate, to create one take a look here:

                             

                            http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtpsscer.html#wp1027188

                            • 11. Re: IPsec ISAKMP Policy and Crypto map config
                              naner2k

                              Yes, it's possible to use VMware workstation as a host for a router in GNS3.

                               

                              You can create a simple network like this: host-router-router-router-host

                              • 12. Re: IPsec ISAKMP Policy and Crypto map config
                                chris

                                How would you create the connection to the virtual interface from the guest OS?

                                • 13. Re: IPsec ISAKMP Policy and Crypto map config
                                  Gabriel

                                  I believe that can be done by bridging the interface? See link below for more info

                                   

                                  http://www.vmware.com/support/ws55/doc/ws_net_configurations_bridged.html

                                   

                                  PS. GNS3 is a resource hogger on a physical host so be careful when running it on a VM. Of course, you can always use the idle timer thingy

                                  • 14. Re: IPsec ISAKMP Policy and Crypto map config
                                    chris

                                    Can someone look at this config and tell me what is wrong, please?

                                     

                                    router1(config-if)#do sh run

                                    Building configuration...

                                     

                                    Current configuration : 1233 bytes

                                    !

                                    Version 12.3

                                    service timestamps debug uptime

                                    service timestamps log uptime

                                    no service password-encryption

                                    !

                                    hostname router1

                                    !

                                    !

                                    !

                                    !

                                    ip subnet-zero

                                    !

                                    ip domain name chris.com

                                    !

                                    !

                                    !

                                    !

                                    !

                                    crypto isakmp policy 1

                                    encryption 3des

                                    authentication pre-share

                                    hash md5

                                    group 2

                                    !

                                    crypto isakmp key chris address 172.16.0.1

                                    !

                                    !

                                    crypto ipsec transform-set VPN1 esp-3des esp-sha-hmac

                                    !

                                    crypto map CM 1 ipsec-isakmp

                                    set peer 172.16.0.1

                                    set transform-set VPN1

                                    match address 100

                                    !

                                    !

                                    !

                                    !

                                    interface Serial0/0

                                    ip address 200.10.1.1 255.255.255.240

                                    crypto map CM

                                    encapsulation frame-relay

                                    frame-relay interface-dlci 102

                                    !

                                    interface Serial0/1

                                    no ip address

                                    no ip directed-broadcast

                                    shutdown

                                    !

                                    interface FastEthernet0/0

                                    ip address 10.0.0.1 255.255.255.240

                                    no ip directed-broadcast

                                    ip access-group 100 in

                                    !

                                    interface FastEthernet0/1

                                    no ip address

                                    no ip directed-broadcast

                                    shutdown

                                    !

                                    !

                                    !

                                    !

                                    ip classless

                                    no ip http server

                                    !

                                    ip route 0.0.0.0 0.0.0.0 200.10.1.2

                                    access-list 100 permit ip 10.0.0.1 0.0.0.255 172.16.0.1 0.0.0.255

                                    !

                                    !

                                    !

                                    !

                                    !

                                    !

                                    line con 0

                                    line aux 0

                                    line vty 0 4

                                    login

                                    password chris

                                    transport input ssh telnet

                                    !

                                    no scheduler allocate

                                    end

                                     

                                     

                                     

                                     

                                     

                                    Router2#sh run

                                    Building configuration...

                                     

                                    Current configuration : 1278 bytes

                                    !

                                    Version 12.3

                                    service timestamps debug uptime

                                    service timestamps log uptime

                                    no service password-encryption

                                    !

                                    hostname Router2

                                    !

                                    !

                                    !

                                    !

                                    ip subnet-zero

                                    !

                                    ip domain name chris.com

                                    !

                                    !

                                    !

                                    !

                                    !

                                    crypto isakmp policy 1

                                    encryption 3des

                                    authentication pre-share

                                    hash md5

                                    group 2

                                    !

                                    crypto isakmp key chris address 200.10.1.1

                                    !

                                    crypto isakmp key chris address 10.0.0.1

                                    !

                                    !

                                    crypto ipsec transform-set VPN1 esp-3des esp-sha-hmac

                                    !

                                    crypto map CM 1 ipsec-isakmp

                                    set peer 10.0.0.1

                                    set transform-set VPN1

                                    match address 100

                                    !

                                    !

                                    !

                                    !

                                    interface Serial0/0

                                    ip address 200.10.1.2 255.255.255.240

                                    crypto map CM

                                    encapsulation frame-relay

                                    frame-relay interface-dlci 201

                                    !

                                    interface Serial0/1

                                    no ip address

                                    no ip directed-broadcast

                                    shutdown

                                    !

                                    interface FastEthernet0/0

                                    ip address 172.16.0.1 255.255.255.240

                                    no ip directed-broadcast

                                    ip access-group 100 in

                                    !

                                    interface FastEthernet0/1

                                    no ip address

                                    no ip directed-broadcast

                                    shutdown

                                    !

                                    !

                                    !

                                    !

                                    ip classless

                                    no ip http server

                                    !

                                    ip route 0.0.0.0 0.0.0.0 200.10.1.1

                                    access-list 100 permit ip 172.16.0.1 0.0.0.255 10.0.0.1 0.0.0.255

                                    !

                                    !

                                    !

                                    !

                                    !

                                    !

                                    line con 0

                                    line aux 0

                                    line vty 0 4

                                    login

                                    password chris

                                    transport input ssh telnet

                                    !

                                    no scheduler allocate

                                    end

                                     

                                    I have configured the peers to be the fa0/0 endpoint of the VPN. Any help would be appreciated.
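One way to check a pair of site-to-site configs like the two above for addressing consistency, as an added example that is not code from this thread or from Cisco. It rests on one IOS rule: a router sends IKE from the address of the interface its crypto map is applied to (unless `crypto map ... local-address` overrides that), so the other side's `set peer` and `crypto isakmp key ... address` must name that interface's address. The two config strings are trimmed copies of the post above (policies, transform set and ACL omitted); the "fixed" variants are constructed by the script to show what a clean run looks like. The crypto ACLs are not examined.

```python
"""Cross-check the addressing two Cisco IOS IKEv1 peers must agree on.

Added example, not code from the thread. Rule applied: on IOS, IKE is sourced
from the interface the crypto map is bound to, so the remote side's `set peer`
and `crypto isakmp key ... address` must name THAT address, not a LAN one.
"""
from __future__ import annotations


def parse_vpn_config(config: str) -> dict:
    """Collect hostname, pre-shared keys, crypto-map peers and crypto-map interfaces."""
    info = {"hostname": None, "keys": {}, "peers": [], "ike_ifaces": {}}
    iface, ip, has_map, in_map = None, None, False, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line in ("!", "end"):              # block terminator
            if iface and has_map and ip:
                info["ike_ifaces"][iface] = ip
            iface, ip, has_map, in_map = None, None, False, False
            continue
        parts = line.split()
        if parts[0] == "hostname":
            info["hostname"] = parts[1]
        elif parts[:3] == ["crypto", "isakmp", "key"]:      # crypto isakmp key K address A
            info["keys"][parts[5]] = parts[3]
        elif parts[:2] == ["crypto", "map"] and iface is None and len(parts) > 3:
            in_map = True                                     # crypto map NAME SEQ ipsec-isakmp
        elif in_map and parts[:2] == ["set", "peer"]:
            info["peers"].append(parts[2])
        elif parts[0] == "interface":
            iface = parts[1]
        elif iface and parts[:2] == ["ip", "address"] and len(parts) == 4:
            ip = parts[2]
        elif iface and parts[:2] == ["crypto", "map"]:        # crypto map NAME bound here
            has_map = True
    return info


def cross_check(a: dict, b: dict) -> list[str]:
    """Findings for IKE that A initiates towards B; call with both orders."""
    findings = []
    b_ike = set(b["ike_ifaces"].values())
    for peer in a["peers"]:
        if peer not in b_ike:
            findings.append(f"{a['hostname']}: 'set peer {peer}' is not a crypto-map "
                            f"interface address on {b['hostname']} {sorted(b_ike)}")
        if peer not in a["keys"]:
            findings.append(f"{a['hostname']}: no 'crypto isakmp key ... address {peer}'")
    for addr in a["ike_ifaces"].values():                 # B must know A's IKE source
        remote_key = b["keys"].get(addr)
        if remote_key is None:
            findings.append(f"{b['hostname']}: no isakmp key for {a['hostname']}'s "
                            f"crypto-map interface {addr}")
            continue
        for peer in a["peers"]:
            if a["keys"].get(peer) not in (None, remote_key):
                findings.append(f"pre-shared key mismatch {a['hostname']}<->{b['hostname']}")
    return findings


def audit(config_a: str, config_b: str) -> list[str]:
    a, b = parse_vpn_config(config_a), parse_vpn_config(config_b)
    return cross_check(a, b) + cross_check(b, a)


# Trimmed from the two configs posted above (policy, transform set and ACL omitted).
ROUTER1 = """\
hostname router1
!
crypto isakmp key chris address 172.16.0.1
!
crypto map CM 1 ipsec-isakmp
 set peer 172.16.0.1
 set transform-set VPN1
 match address 100
!
interface Serial0/0
 ip address 200.10.1.1 255.255.255.240
 crypto map CM
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.240
!
"""
ROUTER2 = """\
hostname Router2
!
crypto isakmp key chris address 200.10.1.1
!
crypto isakmp key chris address 10.0.0.1
!
crypto map CM 1 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set VPN1
 match address 100
!
interface Serial0/0
 ip address 200.10.1.2 255.255.255.240
 crypto map CM
!
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.240
!
"""
# Constructed corrections: point peer and key at the Serial0/0 addresses instead.
ROUTER1_FIXED = ROUTER1.replace("172.16.0.1", "200.10.1.2")
ROUTER2_FIXED = ROUTER2.replace("set peer 10.0.0.1", "set peer 200.10.1.1")

if __name__ == "__main__":
    for label, pair in (("as posted", (ROUTER1, ROUTER2)),
                        ("corrected", (ROUTER1_FIXED, ROUTER2_FIXED))):
        print(f"== {label} ==")
        for finding in audit(*pair) or ["no addressing problems found"]:
            print(" -", finding)
```

On the posted pair the audit reports three findings: each router's `set peer` names the other's FastEthernet0/0 address rather than its Serial0/0 address where `crypto map CM` is bound, and router1 has no pre-shared key entry for Router2's Serial0/0 address. The corrected pair produces no findings; whether the tunnel then works also depends on the crypto ACLs, which this check leaves alone.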
