11916 Views 15 Replies Latest reply: Jun 6, 2011 1:30 PM by cjinfantino


IPsec ISAKMP Policy and Crypto map config

Apr 12, 2011 11:55 PM

Gabriel 25 posts since
Jul 3, 2008

Hi Guys,

 

I'm hoping someone could clarify this for me

 

I believe it is possible to have different crypto isakmp policies for different connections based on needs, different security parameters supported by different devices, etc.

 

My question is: how is a specific policy applied to a specific peer? The sample config below should make my question a bit clearer, I hope.

 

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

!

crypto isakmp policy 2

encr aes 256

authentication pre-share

lifetime 28800

!

!


The first policy clearly uses a different security parameter from the second one, thus if I needed to set up an IPsec connection using the first policy, how would I apply/refer to it in the crypto map, if this makes sense? Would it be something like:

 

!

!

crypto map TestMap 1 ipsec-isakmp

set peer 1.1.1.1

set transform-set setname

match address 101

!

Does this use policy 1 above?

 

crypto map TestMap 2 ipsec-isakmp

set peer 2.2.2.2

set transform-set setname

match address 101

 

Does this use policy 2 above?

 

Also, how can you check which one is being used?

 

Any contributions will be much appreciated.

  • Brian A 40 posts since
    Oct 29, 2009
    1. Apr 13, 2011 1:00 AM (in response to Gabriel)
    Re: IPsec ISAKMP Policy and Crypto map config

    The set transform-set command defines the parameters to be used for the phase 2 (IPsec) part of the tunnel, not the phase 1 part.

     

    As far as which policy is used, I believe the initiator sends all of his policies and the recipient tries to match them one at a time to its defined policies. The first match is the one that is used.

     

    I am fairly confident that, to see what ISAKMP policy is being used, the command

     

    sh crypto isakmp  ...

     

    would be the place to start. There is another word to be added to make the command complete, but I could not verify which, if any, would show you the policy in use.

  • Richard 6 posts since
    Mar 7, 2011
    2. Apr 13, 2011 1:06 AM (in response to Gabriel)
    Re: IPsec ISAKMP Policy and Crypto map config

    First, ACL 101 is the interesting traffic, and negotiation begins between the peers (1.1.1.1 or 2.2.2.2).

    Second, identical ISAKMP policies that match on both peers will be used, on a first-match basis if you will, regardless of the priority number.

    What is important is that there are two identical policies, one from each peer.

    I hope this clarifies your query, and I hope I'm right.

  • 3. Apr 13, 2011 1:13 AM (in response to Gabriel)
    Re: IPsec ISAKMP Policy and Crypto map config

    You need to define an access list for the traffic that is allowed, and also create a transform set.

     

    crypto map TestMap 1 ipsec-isakmp
     set peer 1.1.1.1
     match address 101
     set transform-set setname
     set pfs group2

     

    Verify:

    #sh crypto map

    #sh crypto isakmp policy

    #sh crypto ipsec transform-set

  • nehalnaik 9 posts since
    Apr 22, 2010
    4. Apr 13, 2011 4:03 PM (in response to Gabriel)
    Re: IPsec ISAKMP Policy and Crypto map config

    Gabriel,

     

    In phase 1 of the IPsec negotiation between initiator and receiver, the initiator will send all the crypto policies configured on it to the receiver. From the received crypto policies, the receiver will choose the matching crypto policy [same encryption, authentication and DH group; the lifetime can be different] configured on its end. To see which policy is being used on a Cisco ASA you can use the following command:

    # show crypto isakmp sa detail

     

    Also, considering the fact that the first two messages of phase 1 are not encrypted, you can either run tcpdump or enable debug on your router/firewall to see what actually happens. Be careful if you are on a live environment.

    #debug crypto isakmp

     

    Hope this helps.
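The three replies above (Brian A, Richard and nehalnaik) describe the same mechanism: nothing in the crypto map names an ISAKMP policy. The initiator offers every policy it has configured, and the responder walks its own policies in priority order and accepts the first one whose encryption, hash, authentication and DH group equal an offered one. What follows is an added example, not code from the thread or from Cisco, that simulates that selection in Python over Gabriel's two policies and two constructed peers. The peer configs, the `GABRIEL_FIXED_CFG` variant, the `weak_parameters` check and the lifetime rule (taken from Cisco's documentation: the offered lifetime must not exceed the responder's, and the shorter one is used) are assumptions for the illustration; the IOS defaults for omitted lines are des / sha / rsa-sig / group 1 / 86400 s. It shows two things the replies only hint at: the responder's ordering, not the initiator's, decides which suite wins, and a parameter you leave out (Gabriel's policy 2 has no `group` line, so it gets group 1) can make a seemingly compatible peer fail phase 1 altogether. Older IOS releases also carry a built-in default policy (priority 65535, DES/SHA/RSA-sig/group 1) that is consulted after your own; it is not modelled here.

```python
"""How a Cisco IOS responder picks an ISAKMP (IKEv1 phase 1) policy, simulated.
Added example for this thread, not Cisco code. It models the rule the replies
describe: the initiator offers every policy it has, the responder walks ITS OWN
policies in priority order (lowest number first) and takes the first one whose
encryption, hash, authentication and DH group equal an offered one. Lifetime follows
Cisco's documented rule: the offer may not exceed the responder's, shorter wins."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:                  # field defaults are the IOS defaults for omitted lines
    priority: int
    encr: str = "des"
    hash: str = "sha"
    auth: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400


def parse_isakmp_policies(config):
    """Extract 'crypto isakmp policy N' stanzas from an IOS config excerpt."""
    policies, cur = [], None
    for w in map(str.split, config.splitlines()):
        if w[:3] == ["crypto", "isakmp", "policy"]:
            cur = {"priority": int(w[3])}
            policies.append(cur)
        elif not w or w[0] == "!":
            cur = None                                   # blank or '!' closes the stanza
        elif cur is None:
            continue
        elif w[0] in ("encr", "encryption"):              # 'encr aes' alone means AES-128
            cur["encr"] = " ".join(w[1:]) if len(w) > 2 else ("aes 128" if w[1] == "aes" else w[1])
        elif w[0] == "hash":
            cur["hash"] = w[1]
        elif w[0] == "authentication":
            cur["auth"] = w[1]
        elif w[0] == "group":
            cur["group"] = int(w[1])
        elif w[0] == "lifetime":
            cur["lifetime"] = int(w[1])
    return sorted((Policy(**p) for p in policies), key=lambda p: p.priority)


def negotiate(initiator, responder):
    """Return (responder_policy, initiator_policy, lifetime), or None if phase 1 fails."""
    for r in sorted(responder, key=lambda p: p.priority):       # responder's order decides
        for i in sorted(initiator, key=lambda p: p.priority):
            same_suite = (r.encr, r.hash, r.auth, r.group) == (i.encr, i.hash, i.auth, i.group)
            if same_suite and i.lifetime <= r.lifetime:
                return r, i, min(r.lifetime, i.lifetime)
    return None


def weak_parameters(p):
    """Settings IOS still accepts but that a peer can quietly negotiate you down to."""
    checks = ((f"encryption {p.encr}", p.encr in ("des", "3des")),
              ("hash md5", p.hash == "md5"),
              (f"group {p.group} (DH modulus <= 1536 bits)", p.group in (1, 2, 5)))
    return [label for label, bad in checks if bad]


# The two policies from the question; hash, group and lifetime fall back to the IOS
# defaults where the post omitted them, so policy 2 silently gets group 1.
GABRIEL_CFG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 lifetime 28800
"""
# Same config with 'group 2' added to policy 2 (constructed correction).
GABRIEL_FIXED_CFG = GABRIEL_CFG.replace(" lifetime 28800\n", " lifetime 28800\n group 2\n")
# Constructed peer 1.1.1.1: supports both suites but lists 3DES first.
PEER_1_CFG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 lifetime 28800
"""
# Constructed peer 2.2.2.2: AES-256 with group 2 only.
PEER_2_CFG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
"""


def select_for(peer_cfg, initiator_cfg=GABRIEL_CFG):
    """Which policy pair would peer_cfg (as responder) accept from initiator_cfg?"""
    return negotiate(parse_isakmp_policies(initiator_cfg), parse_isakmp_policies(peer_cfg))
```

`select_for(PEER_1_CFG)` returns the responder's policy 10 paired with Gabriel's policy 1, so the tunnel to 1.1.1.1 runs 3DES even though both ends also have AES-256 configured; `select_for(PEER_2_CFG)` returns None because Gabriel's policy 2 defaulted to group 1, and only the corrected config negotiates AES-256 with the 28800 s lifetime. On the real devices, `show crypto isakmp policy` lists the policies with their defaults filled in and `show crypto isakmp sa detail` shows what was actually negotiated; order policies strongest first on both ends and delete the ones you no longer want negotiable, because first-match means a weaker suite left in the list stays reachable.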

  • chris 27 posts since
    Sep 24, 2010
    6. May 28, 2011 2:08 AM (in response to Gabriel)
    Re: IPsec ISAKMP Policy and Crypto map config

    But what about in Cisco SDM? Obviously in a lab there wouldn't be any digital certificate that you could use (DCs given out by the DG Authority)... so you would use pre-shared keys in a site-to-site VPN. My question is what you enter for the pre-shared keys in Cisco SDM. Do you create one, or do you call it whatever the key's name was when you configured SSH? My question is on configuration... Thank you.

  • chris 27 posts since
    Sep 24, 2010
    8. May 28, 2011 11:32 PM (in response to Gabriel)
    Re: IPsec ISAKMP Policy and Crypto map config

    I'm sorry, sometimes I rant on. But no... it is when you create a site-to-site VPN within SDM. You get to a point where you enter either a digital certificate or a pre-shared key. I'm just not sure what exactly to put in this field, or how to create and configure the digital certificate or pre-shared key manually in the CLI.

  • chris 27 posts since
    Sep 24, 2010
    9. May 28, 2011 11:46 PM (in response to chris)
    Re: IPsec ISAKMP Policy and Crypto map config

    And another question, off subject: is it possible to use VMware Workstation as a host for a router in GNS3?

  • Antonio Knox - CCNP CCNA-SEC CIOSSS 211 posts since
    Mar 25, 2009
    10. May 31, 2011 5:59 AM (in response to chris)
    Re: IPsec ISAKMP Policy and Crypto map config

    The pre-shared key is defined by you. It is merely a text string that must match at both ends of the tunnel. You can simply select pre-shared key and type (or paste) the string into the box. As far as the digital certificate, to create one take a look here:

     

    http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtpsscer.html#wp1027188

  • naner2k 2 posts since
    Mar 3, 2009
    11. Jun 1, 2011 12:04 AM (in response to chris)
    Re: IPsec ISAKMP Policy and Crypto map config

    Yes, it's possible to use VMware workstation as a host for a router in GNS3.

     

    You can create a simple network like this: host-router-router-router-host

  • chris 27 posts since
    Sep 24, 2010
    12. Jun 2, 2011 11:25 PM (in response to naner2k)
    Re: IPsec ISAKMP Policy and Crypto map config

    How would you create the connection to the virtual interface from the guest OS?

  • chris 27 posts since
    Sep 24, 2010
    14. Jun 4, 2011 12:28 PM (in response to Gabriel)
    Re: IPsec ISAKMP Policy and Crypto map config

    Can someone look at this config and tell me what is wrong, please?

     

    router1(config-if)#do sh run
    Building configuration...

    Current configuration : 1233 bytes
    !
    Version 12.3
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname router1
    !
    ip subnet-zero
    !
    ip domain name chris.com
    !
    crypto isakmp policy 1
     encryption 3des
     authentication pre-share
     hash md5
     group 2
    !
    crypto isakmp key chris address 172.16.0.1
    !
    crypto ipsec transform-set VPN1 esp-3des esp-sha-hmac
    !
    crypto map CM 1 ipsec-isakmp
     set peer 172.16.0.1
     set transform-set VPN1
     match address 100
    !
    interface Serial0/0
     ip address 200.10.1.1 255.255.255.240
     crypto map CM
     encapsulation frame-relay
     frame-relay interface-dlci 102
    !
    interface Serial0/1
     no ip address
     no ip directed-broadcast
     shutdown
    !
    interface FastEthernet0/0
     ip address 10.0.0.1 255.255.255.240
     no ip directed-broadcast
     ip access-group 100 in
    !
    interface FastEthernet0/1
     no ip address
     no ip directed-broadcast
     shutdown
    !
    ip classless
    no ip http server
    !
    ip route 0.0.0.0 0.0.0.0 200.10.1.2
    access-list 100 permit ip 10.0.0.1 0.0.0.255 172.16.0.1 0.0.0.255
    !
    line con 0
    line aux 0
    line vty 0 4
     login
     password chris
     transport input ssh telnet
    !
    no scheduler allocate
    end

     

     

     

     

     

    Router2#sh run
    Building configuration...

    Current configuration : 1278 bytes
    !
    Version 12.3
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Router2
    !
    ip subnet-zero
    !
    ip domain name chris.com
    !
    crypto isakmp policy 1
     encryption 3des
     authentication pre-share
     hash md5
     group 2
    !
    crypto isakmp key chris address 200.10.1.1
    crypto isakmp key chris address 10.0.0.1
    !
    crypto ipsec transform-set VPN1 esp-3des esp-sha-hmac
    !
    crypto map CM 1 ipsec-isakmp
     set peer 10.0.0.1
     set transform-set VPN1
     match address 100
    !
    interface Serial0/0
     ip address 200.10.1.2 255.255.255.240
     crypto map CM
     encapsulation frame-relay
     frame-relay interface-dlci 201
    !
    interface Serial0/1
     no ip address
     no ip directed-broadcast
     shutdown
    !
    interface FastEthernet0/0
     ip address 172.16.0.1 255.255.255.240
     no ip directed-broadcast
     ip access-group 100 in
    !
    interface FastEthernet0/1
     no ip address
     no ip directed-broadcast
     shutdown
    !
    ip classless
    no ip http server
    !
    ip route 0.0.0.0 0.0.0.0 200.10.1.1
    access-list 100 permit ip 172.16.0.1 0.0.0.255 10.0.0.1 0.0.0.255
    !
    line con 0
    line aux 0
    line vty 0 4
     login
     password chris
     transport input ssh telnet
    !
    no scheduler allocate
    end

     

    I have configured the peers to be the fa0/0 endpoint of the VPN; any help would be appreciated.
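Antonio's reply (the pre-shared key is just a string that must match at both ends) and the two configs above come down to the same check: the addresses each router uses for IKE, the `set peer` and `crypto isakmp key` entries, and the crypto ACLs have to line up when read side by side. The script below is an added example, not part of the thread or any Cisco tool, that parses trimmed copies of both running configs and reports what does not match. It assumes neither router uses `crypto map ... local-address`, in which case IOS sources IKE from the interface that carries the crypto map (Serial0/0 on both routers here), so that is the address the far side's `set peer` and `crypto isakmp key ... address` have to name, not the LAN address on fa0/0. The parser handles one entry per crypto map and `permit ip <net> <wildcard> <net> <wildcard>` ACLs only; the two config strings are constructed excerpts of the posts above.

```python
"""Cross-check two IOS site-to-site IPsec configs for mistakes that stop IKE phase 1
before any ISAKMP policy is compared. Added example for this thread, not Cisco tooling.
Assumes neither router sets 'crypto map ... local-address', so IKE is sourced from the
interface the crypto map sits on and the far side's 'set peer' / 'crypto isakmp key ...
address' must name that address. Scope: one entry per crypto map, 'permit ip' ACLs."""
import ipaddress


def net(addr, wildcard):
    """IOS 'address wildcard' pair -> network (wildcard 0.0.0.0 means a single host)."""
    return ipaddress.ip_network(addr + ("/32" if wildcard == "0.0.0.0" else "/" + wildcard), strict=False)


def parse_side(config):
    """Pull the IPsec-relevant facts out of one router's running config."""
    f = {"keys": {}, "acls": {}, "access_groups": [], "maps": {}, "crypto_if": None}
    iface = ip = entry = None
    for w in map(str.split, config.splitlines()):
        if not w:
            continue
        if w[0] == "interface":
            iface, ip = w[1], None
        elif w[0] == "!":
            iface = None                                 # stanza ends
        elif w[0] == "hostname":
            f["hostname"] = w[1]
        elif w[:2] == ["ip", "address"] and iface:
            ip = w[2]
        elif w[:2] == ["crypto", "map"] and iface:        # 'crypto map CM' on an interface
            f["crypto_if"] = (iface, ip, w[2])            # IOS prints 'ip address' first
        elif w[:2] == ["ip", "access-group"] and iface:
            f["access_groups"].append((iface, w[2]))
        elif w[:3] == ["crypto", "isakmp", "key"]:
            f["keys"][w[5]] = w[3]                        # peer address -> key string
        elif w[:2] == ["crypto", "map"]:                  # global 'crypto map CM 1 ipsec-isakmp'
            entry = f["maps"].setdefault(w[2], {})
        elif w[:2] == ["set", "peer"] and entry is not None:
            entry["peer"] = w[2]
        elif w[:2] == ["match", "address"] and entry is not None:
            entry["acl"] = w[2]
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            f["acls"].setdefault(w[1], []).append((net(w[4], w[5]), net(w[6], w[7])))
    return f


def check_pair(cfg_a, cfg_b):
    """Return findings for the pair; an empty list means both ends agree."""
    sides, findings = [parse_side(cfg_a), parse_side(cfg_b)], []
    for me, far in (sides, sides[::-1]):
        name, (_, my_ip, my_map) = me["hostname"], me["crypto_if"]
        far_if, far_ip, far_map = far["crypto_if"]
        peer, acl = me["maps"][my_map].get("peer"), me["maps"][my_map].get("acl")
        if peer != far_ip:
            findings.append(f"{name}: set peer {peer}, but {far['hostname']} sends IKE from {far_if} ({far_ip})")
        if far_ip not in me["keys"]:
            findings.append(f"{name}: no crypto isakmp key for {far_ip}")
        elif my_ip in far["keys"] and me["keys"][far_ip] != far["keys"][my_ip]:
            findings.append(f"{name}: pre-shared key for {far_ip} differs from {far['hostname']}'s")
        theirs = far["acls"].get(far["maps"][far_map].get("acl"), [])
        if {(s, d) for s, d in me["acls"].get(acl, [])} != {(d, s) for s, d in theirs}:
            findings.append(f"{name}: crypto ACL {acl} is not the mirror image of {far['hostname']}'s")
        for iface, group in me["access_groups"]:
            if group == acl:
                findings.append(f"{name}: crypto ACL {acl} is also an inbound filter on {iface}; all other traffic there is implicitly denied")
    return findings


# Constructed excerpts of the two configs posted above, trimmed to what the check reads.
ROUTER1 = """\
hostname router1
crypto isakmp key chris address 172.16.0.1
crypto map CM 1 ipsec-isakmp
 set peer 172.16.0.1
 match address 100
interface Serial0/0
 ip address 200.10.1.1 255.255.255.240
 crypto map CM
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.240
 ip access-group 100 in
!
access-list 100 permit ip 10.0.0.1 0.0.0.255 172.16.0.1 0.0.0.255
"""
ROUTER2 = """\
hostname Router2
crypto isakmp key chris address 200.10.1.1
crypto isakmp key chris address 10.0.0.1
crypto map CM 1 ipsec-isakmp
 set peer 10.0.0.1
 match address 100
interface Serial0/0
 ip address 200.10.1.2 255.255.255.240
 crypto map CM
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.240
 ip access-group 100 in
!
access-list 100 permit ip 172.16.0.1 0.0.0.255 10.0.0.1 0.0.0.255
"""
```

`check_pair(ROUTER1, ROUTER2)` reports five findings for the posted configs: each router's `set peer` names the other side's fa0/0 address while IKE is sent from Serial0/0, router1 has no key for 200.10.1.2, and on both routers ACL 100 doubles as the inbound interface filter on fa0/0. With the peer and key addresses pointed at the serial interfaces (200.10.1.2 on router1, 200.10.1.1 on Router2) and the `ip access-group` lines removed, the same call returns an empty list. The script only checks that the two configs agree with each other; `debug crypto isakmp` on the routers is still the way to see what the peers actually send.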
