PIX: Dynamic Site-to-Site IPSEC Configuration
SCENARIO:
Configure a tunnel between 10.2.2.0/24 and 10.1.1.0/24, between one static and one dynamic VPN peer.
This is a typical scenario when one device has a dynamic "outside" IP address (such as DHCP).
Notes:
The configuration can be expanded to include remote access VPN on either peer;
The configuration can be expanded to include more than one dynamic peer;
In case of multiple VPN devices, there should always be at least one static peer.
TOPOLOGY:
10.2.2.0 --- STATIC ==== (( INTERNET )) ===== DYNAMIC ---- 10.1.1.0
STATIC.inside = 10.2.2.1/24
STATIC.outside = 203.1.1.1/24
DYNAMIC.outside = DHCP
DYNAMIC.inside = 10.1.1.1/24
CONFIGURATIONS:
- several simple configurations are possible, depending on the PIX OS version running on each device.
PHASE 1 / ISAKMP PARAMETERS:
- authentication = pre-shared key (MY_ISAKMP_KEY)
- encryption = 3DES
- hash = MD5
- group = 2
PHASE 2 / IPSEC PARAMETERS:
- ESP-3DES, ESP-MD5
STATIC PIX 6.X:
access-list NONAT permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp identity address
isakmp nat-traversal
isakmp key MY_ISAKMP_KEY address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP
crypto map MY_STATIC_MAP interface outside
isakmp enable outside
STATIC PIX 7.0/7.1:
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp identity address
isakmp nat-traversal
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key MY_ISAKMP_KEY
crypto map MY_STATIC_MAP interface outside
isakmp enable outside
STATIC PIX 7.2:
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP
crypto isakmp nat-traversal
crypto isakmp identity address
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key MY_ISAKMP_KEY
crypto map MY_STATIC_MAP interface outside
crypto isakmp enable outside
DYNAMIC PIX 6.X:
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp identity hostname
isakmp nat-traversal
isakmp key MY_ISAKMP_KEY address 203.1.1.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DYNAMIC_MAP 10 ipsec-isakmp
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
crypto map DYNAMIC_MAP 10 set transform-set ESP-3DES-MD5
crypto map DYNAMIC_MAP interface outside
isakmp enable outside
DYNAMIC PIX 7.0/7.1:
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp identity hostname
isakmp nat-traversal
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
crypto map DYNAMIC_MAP 10 set transform-set ESP-3DES-MD5
tunnel-group 203.1.1.1 type ipsec-l2l
tunnel-group 203.1.1.1 ipsec-attributes
pre-shared-key MY_ISAKMP_KEY
crypto map DYNAMIC_MAP interface outside
isakmp enable outside
DYNAMIC PIX 7.2:
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-vpn
crypto isakmp identity hostname
crypto isakmp nat-traversal
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
crypto map DYNAMIC_MAP 10 set transform-set ESP-3DES-MD5
tunnel-group 203.1.1.1 type ipsec-l2l
tunnel-group 203.1.1.1 ipsec-attributes
pre-shared-key MY_ISAKMP_KEY
crypto map DYNAMIC_MAP interface outside
crypto isakmp enable outside
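The tunnel only comes up when both peers agree on the Phase 1 and Phase 2 parameters listed at the top, the NONAT/VPN access lists mirror each other, and the static side holds a key it can apply to a peer whose address it does not know in advance. The following Python script is an added example, not code from this page or from Cisco: it parses running-config text in either the 6.x/7.0 one-line style or the 7.2 stanza style and checks those four points. The two embedded configs are constructed samples trimmed to the lines the checker reads; the static sample deliberately references a transform set, ESP-DES-MD5, that it never defines, so the undefined-reference check has something to report.

```python
"""Consistency checker for a static/dynamic PIX peer pair (added example, not
Cisco's or the page author's code). Reads 6.x/7.0 one-line ISAKMP policies and
7.2 'crypto isakmp policy N' stanzas, transform sets, ACLs and pre-shared keys."""
import re

P1_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

# Constructed sample input, trimmed to the lines the checker reads.
# The static peer deliberately references ESP-DES-MD5 without defining it.
STATIC_6X = """
access-list NONAT permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
isakmp key MY_ISAKMP_KEY address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-DES-MD5
"""
DYNAMIC_72 = """
access-list VPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 1000
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
crypto map DYNAMIC_MAP 10 set transform-set ESP-3DES-MD5
tunnel-group 203.1.1.1 ipsec-attributes
pre-shared-key MY_ISAKMP_KEY
"""


def parse_pix(text):
    """Extract the parts of a PIX config that both peers must agree on."""
    cfg = {"policies": {}, "transform_sets": {}, "ts_refs": [], "acls": {}, "psk": {}}
    cur_policy = None  # open 'crypto isakmp policy N' stanza (7.2 style)
    cur_group = None   # open 'tunnel-group NAME ipsec-attributes' stanza (7.x)
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        w = line.split()
        m = re.match(r"^(?:crypto )?isakmp policy (\d+) (\w+) (\S+)$", line)
        if m:  # 6.x/7.0: policy number and attribute on one line
            cfg["policies"].setdefault(int(m[1]), {})[m[2]] = m[3]
            continue
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:  # 7.2: stanza header, attributes follow on their own lines
            cur_policy = cfg["policies"].setdefault(int(m[1]), {})
            continue
        if cur_policy is not None and len(w) == 2 and w[0] in P1_ATTRS:
            cur_policy[w[0]] = w[1]
            continue
        cur_policy = None  # any other line closes the stanza
        if line.startswith("crypto ipsec transform-set "):
            cfg["transform_sets"][w[3]] = tuple(sorted(w[4:]))
        elif "set transform-set" in line:  # crypto map / dynamic-map reference
            cfg["ts_refs"].extend(w[w.index("transform-set") + 1:])
        elif line.startswith("access-list "):
            m = re.match(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", line)
            if m:
                cfg["acls"].setdefault(m[1], []).append(m.groups()[1:])
        elif line.startswith("isakmp key "):  # 6.x: key indexed by peer address
            cfg["psk"][w[4]] = w[2]
        elif line.startswith("tunnel-group ") and line.endswith(" ipsec-attributes"):
            cur_group = w[1]  # 7.x: key indexed by group name (peer IP or DefaultL2LGroup)
        elif line.startswith("pre-shared-key ") and cur_group:
            cfg["psk"][cur_group] = w[1]
    return cfg


def phase1_agreement(a, b):
    """Policy pairs matching on auth, encryption, hash and group. Lifetime is
    negotiated down to the lower value, so it is not required to match."""
    keys = ("authentication", "encryption", "hash", "group")
    return [(sa, sb) for sa, pa in a["policies"].items()
            for sb, pb in b["policies"].items()
            if all(pa.get(k) == pb.get(k) for k in keys)]


def phase2_agreement(a, b):
    """Transform-set proposals defined on both peers, as sorted transform tuples."""
    return sorted(set(a["transform_sets"].values()) & set(b["transform_sets"].values()))


def undefined_transform_refs(cfg):
    """Transform sets a crypto map references but the config never defines."""
    return sorted(set(cfg["ts_refs"]) - set(cfg["transform_sets"]))


def acl_is_mirror(a, name_a, b, name_b):
    """True when every entry of ACL name_a on A appears with src/dst swapped in name_b on B."""
    mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in b["acls"].get(name_b, [])}
    entries = a["acls"].get(name_a, [])
    return bool(entries) and all(e in mirrored for e in entries)


def psk_for_peer(cfg, peer_ip):
    """Key the responder selects for peer_ip: exact address first, then the wildcard
    entry ('0.0.0.0' on 6.x, DefaultL2LGroup on 7.x); None means Phase 1 cannot authenticate."""
    for k in (peer_ip, "0.0.0.0", "DefaultL2LGroup"):
        if k in cfg["psk"]:
            return cfg["psk"][k]
    return None
```

Usage: paste the `show running-config` output of each peer into the two strings (or read them from files) and call `parse_pix` on each, then `phase1_agreement`, `phase2_agreement`, `undefined_transform_refs`, `acl_is_mirror` and `psk_for_peer`. With the samples above, Phase 1 policies 10/10 match, ESP-3DES/MD5 is the common Phase 2 proposal, the static side reports `ESP-DES-MD5` as undefined, and `psk_for_peer` on the static config returns the wildcard key for any address, which is exactly what the dynamic peer relies on; on the dynamic config it returns a key only for 203.1.1.1.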
REFERENCE
PIX 6: http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
PIX 7: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
Wednesday, March 12, 2008
IPSEC Checklist and Best Practices
- IP address of the static VPN peers
- IP addresses/networks that will be tunneled
--> networks behind each VPN peer (site-to-site)
--> network behind VPN and pool (remote access)
- PHASE I / ISAKMP parameters
--> authentication (pre-shared key/certificate)
--> encryption (DES, 3DES, AES)
--> hash (SHA, MD5)
--> group (2, 5)
- PHASE II / IPSEC Parameters
--> transform set
- VPN Group (remote access only)
--> VPN Group Name
--> VPN Group Password