Implementing Secure Converged Wide Area Networks (ISCW)
ISCW-Mod3_L4
© 2007 Cisco Systems, Inc. All rights reserved.
1
Configuring IPsec VPN using SDM
Module 3 – Lesson 4
Module Introduction
• Virtual private networks (VPNs) use encryption and tunnelling to let organisations establish secure, end-to-end, private network connections over third-party networks such as the Internet.
• Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security appliances and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to build VPN solutions that meet an organisation's security requirements.
• This module explains the fundamental terms associated with VPNs, including the IP Security (IPsec) protocol and Internet Key Exchange (IKE). It then details how to configure various types of VPN using the currently available methods.
Objectives
• At the completion of this fourth lesson, you will be able to:
  - Describe how to configure a VPN using SDM on a Cisco router
  - Successfully configure a site-to-site VPN using SDM on Cisco routers
What is SDM?
• The Cisco Router and Security Device Manager (SDM) is an easy-to-use, Java-based device management tool designed for configuring LAN, WAN, and security features on a router.
• SDM can reside in router flash memory or on your PC.
• SDM simplifies router and security configuration by using intelligent wizards that let users quickly and easily deploy, configure, and monitor a Cisco access router.
• SDM meets the needs of people who are proficient in LAN fundamentals and basic network design but have little or no experience with the IOS CLI, or who are not security experts.
What is SDM (continued)
• SDM can also assist more advanced users.
• SDM contains several other time-saving tools and wizards, including:
  - An access control list (ACL) editor
  - A VPN crypto map editor
  - A Cisco IOS CLI preview
• SDM has a unique Security Audit wizard that provides a comprehensive router security audit. It uses Cisco Technical Assistance Centre (TAC) and International Computer Security Association (ICSA) recommended security configurations as the basis for its comparisons and default settings.
SDM ‘Wizards’
• Other intelligent Cisco wizards are available in SDM for these three tasks:
  - Autodetecting misconfigurations and proposing fixes
  - Providing strong security and verifying configuration entries
  - Using device- and interface-specific defaults
• Examples of SDM wizards include:
  - Startup wizard for initial router configuration
  - One-step router lockdown wizard to harden the router
  - Policy-based firewall and access-list management to easily configure firewall settings based on policy rules
  - One-step site-to-site VPN wizard
SDM Installation and Use
• Use the SDM wizards for quick deployment. A suggested workflow is given in the lower part of each wizard screen to guide untrained users through the process.
• Begin by configuring LAN, WAN, firewall, intrusion prevention system (IPS) and VPN, and finish by performing a security audit.
• SDM is embedded and factory-installed on Cisco 800 to 3800 Series routers and is available for download for selected router platforms (see the supported platforms slide).
• NB: This course focuses specifically on SDM version 2.2a. Due to the nature of the software, changes must be expected with new revisions. Although the features and screens may vary between versions of SDM, the general concepts shown here apply to all versions.
SDM Supported Platforms
[Platform table not reproduced in this extract]
SDM Home Page
[Screenshot: SDM home page, with callouts for the ‘Configure’ icon, the ‘About your router’ panel and the ‘Configuration overview’ panel]
VPN Configuration
• To select and start a VPN wizard, follow this procedure:
  1. Click the Configure icon in the top horizontal navigation bar of the Cisco SDM main page (previous slide) to enter the configuration page.
  2. Click the VPN icon in the left vertical navigation bar to open the VPN page.
  3. Choose one of the available VPN wizards from the list.
• The example on the next slide shows the screen that appears when you choose the Site to Site VPN wizard from the list. Here you can create two types of site-to-site VPN: classic IPsec and generic routing encapsulation (GRE) over IPsec.
VPN Configuration Page
[Screenshot: SDM VPN page, with callouts 1–3 marking the Configure icon, the VPN icon, and the list of wizards for IPsec solutions, plus the tree of individual IPsec components]
Site-to-Site VPN Components
• VPN wizards use two sources to create a VPN connection:
  - User input during the step-by-step wizard process
  - Preconfigured VPN components
• SDM provides some default VPN components:
  - Two IKE policies
  - An IPsec transform set for the Quick Setup wizard
• Other components are created by the VPN wizards.
• Some components (for example, PKI) must be configured before the wizards can be used.
Site-to-Site VPN Components (Continued)
[Screenshot: the individual IPsec components used to build VPNs, as listed on the SDM VPN page]
• Two main components:
  - IPsec
  - IKE
• Two optional components:
  - Group Policies for Easy VPN Server functionality
  - Public Key Infrastructure (PKI) for IKE authentication using digital certificates
Starting SDM
[Screenshots: SDM Launcher and SDM launch page]
• SDM can be started from the router by entering the router's IP address in a browser (the router's HTTP or HTTPS server must be enabled; use HTTPS so that the login credentials and configuration are not sent in clear text).
• If SDM has been installed on the PC, start it by double-clicking the SDM shortcut or by choosing it from the program menu (Start > Programs > Cisco Systems > Cisco SDM), and then enter the IP address of the router.
SDM Home Page
[Screenshot: SDM home page]
Launching Site-to-Site VPN Wizard – Step 1
[Screenshot: VPN page with callout 1 marking the Site to Site VPN wizard]
Selecting the Quick Setup or Step-by-Step Configuration Wizard – Step 2
[Screenshot: wizard start page with callouts 2a (Quick setup), 2b (Step by step wizard) and 3 (Next)]
Quick Setup
[Screenshot: Quick Setup page of the Site-to-Site VPN wizard]
Quick Setup Configuration Summary
[Screenshot: summary of the configuration generated by Quick Setup]
Step-by-Step Setup
• Multiple steps are required to configure the VPN connection:
  - Defining connection settings: outside interface, peer address, authentication credentials (pre-shared key or digital certificate)
  - Defining IKE proposals: priority, encryption algorithm, HMAC, authentication type, Diffie-Hellman group, lifetime
  - Defining IPsec transform sets: encryption algorithm, HMAC, mode of operation (tunnel or transport), compression
  - Defining traffic to protect: a single source and destination subnet pair, or an ACL
  - Reviewing and completing the configuration
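The Cisco IOS CLI equivalent of the four wizard stages above, as an added example rather than the configuration SDM itself generates: a site-to-site IPsec tunnel on the router the later show output calls Router2 (local address 172.30.2.2 on FastEthernet0/0, peer 172.30.1.2, protecting 10.0.2.0/24 to 10.0.1.0/24, crypto map mikesmap). The names TS-AES-SHA and VPN-TRAFFIC, the pre-shared key placeholder, the /24 mask on the outside interface, and the choice of AES-256, SHA-1 HMAC and DH group 5 are assumptions made here; the wizard generates its own object names and uses whatever proposal you select on the IKE and transform set pages.

```cisco
! --- Wizard step 2: IKE (phase 1) proposal. Priority 10 is evaluated
!     before the SDM default policies; both peers must agree on every
!     attribute (assumed values, chosen for this example).
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! --- Wizard step 1: connection settings. Peer address and pre-shared key
!     (placeholder value; use a long random secret, unique per peer).
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 172.30.1.2
!
! --- Wizard step 3: IPsec (phase 2) transform set. ESP with AES-256
!     encryption and SHA-1 HMAC integrity, tunnel mode, no compression.
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! --- Wizard step 4: traffic to protect (simple mode = one source subnet
!     and one destination subnet). This ACL only selects traffic for the
!     crypto map; it is not a packet filter, so keep it tight and make the
!     peer's ACL its exact mirror image.
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
!
! --- Crypto map ties peer, transform set and ACL together. PFS forces a
!     fresh Diffie-Hellman exchange on every IPsec SA rekey.
crypto map mikesmap 1 ipsec-isakmp
 description Site-to-site tunnel to 172.30.1.2
 set peer 172.30.1.2
 set transform-set TS-AES-SHA
 set pfs group5
 match address VPN-TRAFFIC
!
! --- Apply the map to the outside interface. SAs are negotiated only
!     when traffic matching VPN-TRAFFIC is about to leave this interface.
interface FastEthernet0/0
 ip address 172.30.2.2 255.255.255.0
 crypto map mikesmap
```

The peer router gets the mirror image: its own outside address, 172.30.2.2 as the peer, the same key, policy and transform set, and an ACL permitting 10.0.1.0/24 to 10.0.2.0/24. If FastEthernet0/0 also carries a NAT rule, the VPN-TRAFFIC subnets must be exempted from translation, otherwise the packets are rewritten before the crypto map sees them and never match. Review the CLI preview that the wizard shows before delivering the configuration against a template like this one; it is the quickest way to catch a weak proposal or an over-broad ACL.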
Configuring Connection Settings
[Screenshot: VPN Connection Information page with callouts 1–4 marking the outside interface, peer address, authentication method and pre-shared key fields]
Configuring IKE Proposals
[Screenshot: IKE Proposals page with callouts 1–3 marking Add, the proposal attributes and the proposal list]
Configuring the Transform Set
[Screenshot: Transform Set page with callouts 1–3 marking Add, the transform set attributes and the transform set list]
Defining What Traffic to Protect: Simple Mode (Single Source and Destination Subnet)
[Screenshot: Traffic to Protect page with callouts 1–3 marking the single-subnet option, the local and remote network fields, and Next]
Defining What Traffic to Protect: Using an ACL
[Screenshot: Traffic to Protect page with callouts 1–3 marking the ACL option, the ACL selector and the Create a new ACL choice]
Adding Rules to ACLs
[Screenshot: Add a Rule dialog with callouts 1–2 marking the rule name and the Add button]
Configuring a New ACL Rule Entry
[Screenshot: Add an Extended Rule Entry dialog with callouts 1–3 marking the action, the source and destination networks, and OK]
Review the Generated Configuration
[Screenshot: wizard summary page listing the generated IKE policy, transform set, crypto map and ACL]
Review the Generated Configuration (Cont.)
[Screenshot: Deliver Configuration to Router dialog showing the CLI commands that will be sent]
Test Tunnel Configuration and Operation
[Screenshot: VPN Troubleshooting dialog of the Site-to-Site VPN wizard]
Monitor Tunnel Operation
[Screenshot: Monitor > VPN Status page with callouts 1–3 marking the Monitor icon, the VPN Status item and the IPsec tunnel table]
Test, Monitor, and Troubleshoot Tunnel Configuration and Operation
router# show crypto isakmp sa
• To display all current IKE security associations (SAs), use the show crypto isakmp sa command in EXEC mode. A peer entry in state QM_IDLE indicates an established, active IKE (phase 1) SA; any other state (for example MM_NO_STATE) means the negotiation has not completed.
router# show crypto ipsec sa
• To display the settings used by the current IPsec SAs, use the show crypto ipsec sa command in EXEC mode. Non-zero and increasing encrypt and decrypt statistics indicate a working pair of IPsec SAs (see next slide). IPsec SAs are negotiated only when traffic matching the crypto ACL is sent, so generate some matching traffic before checking the counters.
Encryption and Decryption Statistics
Router2#sh crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: mikesmap, local addr. 172.30.2.2
   protected vrf:
   local ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   current_peer: 172.30.1.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest 0
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.30.2.2, remote crypto endpt.: 172.30.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 938FF981
[remaining output omitted]
The 15 packets encapsulated and 15 decapsulated, with zero send and receive errors, are the sign of a working tunnel (the callout on the original slide). Note also the digest and verify counters: with an ESP transform that includes an HMAC (esp-sha-hmac or esp-md5-hmac) they track the encrypt and decrypt counts; a value of 0 on both, as here, means the transform set applies no integrity protection, which is not a configuration to keep in production.
Troubleshooting
router# debug crypto isakmp
• Debugs IKE communication (phase 1 and phase 2 negotiation messages)
• Advanced troubleshooting uses the Cisco IOS CLI
• Requires knowledge of Cisco IOS CLI commands; remember to turn debugging off (undebug all) once the failing exchange has been captured, because debug output on a busy router can be heavy
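The verification and troubleshooting sequence the last three slides describe, as an added example that is not a transcript from the course: a Cisco IOS EXEC session on Router2 against the peer and subnets shown in the output above. The ping targets (10.0.1.1 as a host on the remote side, 10.0.2.1 as Router2's inside interface address) and the ACL name VPN-TRAFFIC are assumptions; lines starting with ! are comments, which the EXEC prompt ignores.

```cisco
! Bring the tunnel up: IPsec SAs are negotiated on demand, so send traffic
! that matches the crypto ACL, sourced from the inside subnet (assumed
! addresses). The first ping or two may time out while IKE completes.
Router2# ping 10.0.1.1 source 10.0.2.1
!
! Phase 1: expect exactly one entry for the peer in state QM_IDLE.
Router2# show crypto isakmp sa
!
! Phase 2: encaps/encrypt and decaps/decrypt counters should be non-zero
! and grow with each ping; send errors and recv errors should stay at 0.
Router2# show crypto ipsec sa peer 172.30.1.2 | include pkts|ident|endpt
!
! One-line summary of every IKE and IPsec session (UP-ACTIVE is healthy).
Router2# show crypto session
!
! If the counters stay at 0, check what the crypto map actually matches:
! wrong or asymmetric ACL, wrong peer, or no crypto map on the interface.
Router2# show crypto map
Router2# show access-lists VPN-TRAFFIC
!
! Troubleshooting: capture IKE debugging on this terminal, force a fresh
! negotiation by clearing both SAs, regenerate traffic, then switch
! debugging off as soon as the failing exchange has been seen.
Router2# terminal monitor
Router2# debug crypto isakmp
Router2# clear crypto isakmp
Router2# clear crypto sa peer 172.30.1.2
Router2# ping 10.0.1.1 source 10.0.2.1
Router2# undebug all
```

Read the debug output for the attribute the peers fail to agree on (encryption, hash, DH group, lifetime or authentication method) and for a pre-shared key mismatch, which shows up as a failure right after the first main-mode exchanges; compare the IKE policy and transform set on both routers before changing anything else.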