Configuring Site-To-Site VPN on the WS5100
1. Use case
• Branch office locations can take advantage of centralized services hosted at the corporate office.
• These may include business applications that require a per-site licence, database services that require user management, or IT services that require a standard implementation across all branches.
• We will discuss a topology in which the RADIUS service is provided by the corporate office and accessed by all branch offices over the VPN.
Topology details
• SW1 is the WS5100 switch at the corporate office providing RADIUS service to all branch offices.
• SW2 is the WS5100 switch at the corporate office used to terminate VPN connections from all branch offices.
• SW3 is the WS5100 switch at a branch office.
• SW4 is the WS5100 switch used to simulate a public network. It is simply being used as a router.
• Vlan100 is used by the wireless clients at the branch office (SW3). The network address is 192.168.100.0/24.
• Vlan2 is used by the corporate office to provide services. The network address is 192.168.2.0/24.
• The VPN tunnel is established between the Vlan64 interface of SW3 and the Vlan32 interface of SW2. This makes them VPN peers.
Interface IP addresses
Configuring Site-To-Site VPN using Web GUI
• In the next few slides we will go through the VPN configuration on the branch office switch, SW3.
• Details about the configuration are introduced in a slide preceding each web snapshot.
• Here we begin. The next slide shows the switch summary screen. The important things to note are the firmware version number and the IP address of the switch being configured.
Security ACLs or Crypto ACLs
• Security ACLs define the traffic that must go over the tunnel. Traffic can be defined by source and destination host IP address, or by network address using subnet masks.
• When traffic matching this definition is encountered, a VPN tunnel is brought up (if one is not already established) and the traffic is sent through it. For this reason this traffic is also termed the "interesting traffic".
• The first step is to create an ACL. We will create an extended ACL and give it a meaningful name, "HSACL" (for hotspot ACL).
• The second step is to add rules to the ACL. We will define any IP traffic, and ICMP traffic, originating from the 192.168.100.0/24 network and going to the 192.168.2.0/24 network as interesting. (ICMP is carried in IP, so the ICMP rule is a subset of the IP rule and is included only for clarity.)
• We will also add a unicast destination address of 192.168.2.226, which is the remote RADIUS server. This is strictly not necessary because the first rule already covers the entire 192.168.2.0/24 network.
Configuring Security->IKE settings
• Internet Key Exchange (IKE) is the protocol IPsec uses to negotiate security parameters and keys. Without IKE a user would need to manually configure the keys and security parameters on every VPN peer.
• IKE provides greater flexibility and improved security because keys are derived per session and are periodically re-keyed during the session.
• The IKE protocol has two phases. Phase 1 authenticates the VPN peer with which a tunnel is to be established and, at its end, creates a secure channel so that the Phase 2 negotiation can take place in a secure context. Phase 2 negotiates the security parameters (the IPsec security associations) for the actual data transfer through the tunnel at both peers.
Defining VPN peer
• In the configuration tab, click Add to create a VPN peer. Specify the peer's IP address and use a pre-shared secret for the initial authentication. Pre-shared key authentication keeps the configuration simple but may not scale for larger networks; where it is used, the key should be long and random, not a dictionary word.
• Aggressive mode completes Phase 1 in three messages instead of six and is therefore faster. However, the peer identities and the responder's authentication hash are sent before any encryption is in place. With a pre-shared key that hash can be brute-forced offline by anyone who captured the exchange, so prefer main mode unless aggressive mode is specifically required.
• Click Ok to add the peer. The table will display the newly added peer.
Adding an IKE policy
• The next step is to add a new IKE policy. We click Add in the IKE policies tab, assign it a priority number and choose the encryption algorithm, the data integrity (hash) algorithm, the authentication type, the security association lifetime and the DH group. These settings must match on the other peer, or Phase 1 will not complete.
• Select the desired lifetime in seconds. A longer lifetime means fewer re-keys; a shorter lifetime limits how much traffic any one key protects but increases the CPU load from re-keying.
• Select the DH group identifier. Diffie-Hellman lets the peers derive a shared secret without ever transmitting that secret; only the group identifier and each peer's public value cross the wire. A larger group (longer modulus) makes the derived secret harder to recover, at the cost of more computation.
• Click Ok to add the new policy. The table will display the newly added policy.
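The two Phase 1 properties discussed above, that the DH secret is derived locally and never sent, and that aggressive mode with a pre-shared key exposes the responder's hash to offline guessing, can be shown concretely. The following is an added example, not code from the page or from the WS5100 firmware: it simulates both peers over Oakley group 2 (RFC 2409 section 6.2, the 1024-bit MODP group with generator 2), records what a passive observer on the simulated public network would capture, and runs a dictionary attack against HASH_R (RFC 2409 section 5.4) using only the captured values. Cookies, nonces, the SA payload body, the responder identity, the PSK and the wordlist are all constructed for the example.

```python
"""IKEv1 Phase 1 with a pre-shared key: what crosses the wire and what does not.

Added example; this is not code from the page or from the WS5100 firmware.
All message contents below are constructed stand-ins, not captured traffic.
"""
import hashlib
import hmac
import secrets

# Oakley group 2 (RFC 2409, section 6.2): 1024-bit MODP prime, generator 2.
GROUP2_ID = 2          # the identifier that IS sent in the SA proposal
GROUP2_GEN = 2
GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_BYTES = 128


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 PRF: HMAC of the negotiated hash algorithm (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(GROUP2_PRIME - 2) + 1
    return x, pow(GROUP2_GEN, x, GROUP2_PRIME)


def dh_shared(x: int, peer_public: int) -> bytes:
    """g^xy mod p as the fixed-width byte string IKE feeds into its PRF."""
    return pow(peer_public, x, GROUP2_PRIME).to_bytes(GROUP2_BYTES, "big")


def phase1_aggressive(psk: bytes):
    """Run one aggressive-mode Phase 1. Returns (observer's view of messages
    1-2, g^xy computed at the initiator, g^xy computed at the responder)."""
    xi, gxi = dh_keypair()                  # initiator (branch, SW3)
    xr, gxr = dh_keypair()                  # responder (corporate, SW2)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    sai_b = bytes([GROUP2_ID, 0x07, 0x02])  # constructed stand-in for SAi_b
    idir_b = b"\x01\x11\x00\x00" + bytes([203, 0, 113, 2])  # constructed ID_IPV4_ADDR

    # Both sides derive SKEYID = prf(PSK, Ni_b | Nr_b) (RFC 2409 5.4, PSK case)
    # and the same g^xy from the DH exchange, without ever sending g^xy.
    skeyid = prf(psk, ni + nr)
    gxy_initiator = dh_shared(xi, gxr)
    gxy_responder = dh_shared(xr, gxi)

    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b),
    # sent in the clear in aggressive-mode message 2.
    hash_r = prf(skeyid, gxr.to_bytes(GROUP2_BYTES, "big")
                 + gxi.to_bytes(GROUP2_BYTES, "big")
                 + cky_r + cky_i + sai_b + idir_b)

    # Everything a sniffer on the "public network" (SW4) sees in messages 1-2.
    wire = {"group": GROUP2_ID, "gxi": gxi, "gxr": gxr, "ni": ni, "nr": nr,
            "cky_i": cky_i, "cky_r": cky_r, "sai_b": sai_b,
            "idir_b": idir_b, "hash_r": hash_r}
    return wire, gxy_initiator, gxy_responder


def on_the_wire(wire, value: bytes) -> bool:
    """True if `value` was transmitted as-is (used to show g^xy was not)."""
    sent = [v.to_bytes(GROUP2_BYTES, "big") if isinstance(v, int) else v
            for v in wire.values()]
    return value in sent


def crack_psk(wire, wordlist):
    """Offline dictionary attack: recompute HASH_R for each PSK guess from the
    captured values only. This works in aggressive mode because HASH_R is
    unencrypted; in main mode the same hash travels inside message 6 under a
    key derived from g^xy, which a passive observer cannot compute."""
    target = (wire["gxr"].to_bytes(GROUP2_BYTES, "big")
              + wire["gxi"].to_bytes(GROUP2_BYTES, "big")
              + wire["cky_r"] + wire["cky_i"] + wire["sai_b"] + wire["idir_b"])
    for guess in wordlist:
        skeyid_guess = prf(guess, wire["ni"] + wire["nr"])
        if hmac.compare_digest(prf(skeyid_guess, target), wire["hash_r"]):
            return guess
    return None
```

The attack needs nothing but the capture and candidate passphrases, which is why the choice between main and aggressive mode matters far more than the DH group size when the authentication type is pre-shared key.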
Security->IPsec VPN
• So far we have configured the ACLs that define the traffic to be tunneled, and the encryption and authentication parameters for the IKE protocol, which lets the VPN peers negotiate in a secure context.
• On this page we will configure the security parameters that apply to the actual data transferred over the tunnel.
ESP and AH Protocols
• AH stands for Authentication Header.
• ESP stands for Encapsulating Security Payload.
• IPsec provides data integrity and data confidentiality through these two protocols; a transform set selects which of them (or both) protects a flow.
• AH does not provide any data confidentiality (encryption). It only provides data integrity (authentication), and its integrity check covers the outer IP header as well as the payload, so AH cannot pass through NAT.
• ESP on the other hand provides encryption and also has an option of authentication; its integrity check covers only the ESP header and payload, not the outer IP header. ESP with authentication enabled is the usual choice for a site-to-site tunnel.
• A transform set is a combination of security protocols and algorithms.
• We can have different transform sets to protect different traffic flows.
• Click Add in the configuration tab.
• Assign a name to this transform set and pick the authentication type and encryption type.
• For site-to-site VPN the transform set mode is tunnel.
• Click Ok. The table will display the newly added transform set.
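The difference in what AH and ESP authenticate is easiest to see on a packet. The following is an added example, not code from the page or from the WS5100: it builds a constructed IPv4 packet, computes an AH integrity check value over the IP header with its mutable fields zeroed plus the AH header and payload (RFC 4302), and an ESP integrity check value over only the ESP header, payload and trailer (RFC 4303). To stay free of third-party cipher libraries the ESP side uses the page's "authentication without encryption" option (ESP-NULL); a real transform set would also encrypt the payload. Both ICVs are HMAC-SHA1-96 (RFC 2404). A simulated NAT on the public path then rewrites the outer source address, which breaks AH but not ESP. Addresses, payload and the SA key are constructed.

```python
"""What AH and ESP authenticate, and why that matters behind NAT.

Added example; not code from the page or from the WS5100 firmware.
Addresses, key material and payload are constructed for the example.
"""
import hashlib
import hmac
import struct

IP_PROTO_ESP, IP_PROTO_AH, IP_PROTO_UDP = 50, 51, 17
ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte MAC to 96 bits


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left 0 (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the IPv4 fields RFC 4302 treats as mutable: DSCP/ECN, flags and
    fragment offset, TTL, header checksum. Source/destination stay in the hash."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0
    hdr[6:8] = b"\x00\x00"
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return bytes(hdr)


def ah_protect(key: bytes, src: str, dst: str, payload: bytes,
               spi: int = 0x100, seq: int = 1) -> bytes:
    """IP | AH(next hdr, payload len, reserved, spi, seq, ICV) | payload."""
    ah_len = 12 + ICV_LEN
    ip = ipv4_header(src, dst, IP_PROTO_AH, 20 + ah_len + len(payload))
    # AH Payload Len = AH length in 32-bit words minus 2 (RFC 4302 section 2.2).
    ah_fixed = struct.pack("!BBHII", IP_PROTO_UDP, ah_len // 4 - 2, 0, spi, seq)
    tag = icv(key, ah_immutable_view(ip) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return ip + ah_fixed + tag + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    ip, ah_fixed = packet[:20], packet[20:32]
    tag, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    expected = icv(key, ah_immutable_view(ip) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(expected, tag)


def esp_protect(key: bytes, src: str, dst: str, payload: bytes,
                spi: int = 0x200, seq: int = 1) -> bytes:
    """IP | ESP(spi, seq) | payload | padding | pad len | next hdr | ICV.
    The ICV covers everything after the IP header and nothing inside it."""
    pad_len = (-(len(payload) + 2)) % 4           # 4-byte align payload + trailer
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IP_PROTO_UDP])
    body = struct.pack("!II", spi, seq) + payload + trailer
    ip = ipv4_header(src, dst, IP_PROTO_ESP, 20 + len(body) + ICV_LEN)
    return ip + body + icv(key, body)


def esp_verify(key: bytes, packet: bytes) -> bool:
    body, tag = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv(key, body), tag)


def nat_rewrite_src(packet: bytes, new_src: str) -> bytes:
    """A NAT on the public path rewriting the outer IPv4 source address."""
    return packet[:12] + bytes(map(int, new_src.split("."))) + packet[16:]
```

If either tunnel endpoint sits behind a NAT, the transform set must use ESP; an AH transform will negotiate but every packet will fail the integrity check on arrival.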
Crypto Maps
• The crypto map is the glue that binds all the configuration done so far: the ACL, the VPN peer and the transform set.
• Click on the Crypto Maps tab.
• In the Crypto Map Entries sub-tab, click Add to create a new crypto map entry.
• Assign a Seq # (sequence number). The sequence number determines the entry's priority among the other crypto map entries; the lower the number, the higher the priority.
• Assign the crypto map a Name to differentiate it from others with similar configurations.
• Select a security association (SA) lifetime in seconds and in kilobytes; when either limit is reached, the SA is renegotiated.
• From the ACL ID drop-down menu, select the HSACL configured earlier.
• In the Peers textbox, add the peer IP address configured earlier.
• Select the transform set configured earlier and click OK. The table displays the newly added crypto map entry.
• The Peers and Transform Set tabs are also updated.
Configure the peer
• This completes the VPN configuration on one of the peers. Repeat the steps on the other peer, taking care that the shared secret and the algorithm choices are the same.
• Take care to substitute the IP addresses correctly: the crypto ACL on the other peer is the mirror image of this one (source and destination networks swapped), the peer IP address in the IKE settings is the first switch's tunnel interface, and the transform set must match.
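The crypto ACL rules from the Security ACLs section, and the mirror-image ACL this section says the other peer needs, can be checked before the configuration is typed in. The following is an added example, not code from the page or from the WS5100 firmware: it models the HSACL rules with Python's ipaddress module, classifies constructed sample flows as interesting or not, flags rules already covered by an earlier broader rule (the ICMP and host rules the page itself calls redundant), and builds the swapped ACL for the corporate-side peer. The `Rule` type and function names are this example's own.

```python
"""Crypto ACL ("interesting traffic") matching and peer mirroring.

Added example; not code from the page or from the WS5100 firmware.
Sample flows in the usage below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str                      # "ip" matches any protocol; else "icmp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto: str, src_ip: str, dst_ip: str) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return (ipaddress.IPv4Address(src_ip) in self.src
                and ipaddress.IPv4Address(dst_ip) in self.dst)


def rule(proto: str, src: str, dst: str) -> Rule:
    return Rule(proto, ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst))


# Branch-side crypto ACL as described for SW3: all IP and ICMP from the wireless
# VLAN to the corporate VLAN, plus the RADIUS host (already covered by rule 1).
HSACL = [
    rule("ip",   "192.168.100.0/24", "192.168.2.0/24"),
    rule("icmp", "192.168.100.0/24", "192.168.2.0/24"),
    rule("ip",   "192.168.100.0/24", "192.168.2.226/32"),
]


def is_interesting(acl, proto: str, src_ip: str, dst_ip: str) -> bool:
    """True if any rule in the crypto ACL selects this flow for the tunnel."""
    return any(r.matches(proto, src_ip, dst_ip) for r in acl)


def redundant_rules(acl):
    """Rules fully covered by an earlier, broader rule (a config-review check)."""
    out = []
    for i, r in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("ip", r.proto)
                    and r.src.subnet_of(earlier.src)
                    and r.dst.subnet_of(earlier.dst)):
                out.append(r)
                break
    return out


def mirror(acl):
    """The crypto ACL the other peer (SW2) must carry: same protocols,
    source and destination swapped. Non-mirrored ACLs are the classic cause
    of a tunnel that comes up in one direction only."""
    return [Rule(r.proto, r.dst, r.src) for r in acl]
```

Run `is_interesting(HSACL, ...)` against the flows you expect to see (a RADIUS request to 192.168.2.226, a client's Internet-bound traffic) before committing the ACL; anything that matches unexpectedly will be pulled into the tunnel, and anything that fails to match will go out in the clear.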
Key points to remember
• An IPsec VPN involves multiple protocols: IKE, ESP and AH.
• IKE sets up the security context in which the security associations for the actual data encryption and integrity are negotiated.
• It is important to configure the VPN peers with the same algorithms, protocols, mode options and shared secrets.