Configuring site-to-site vpn part 1

Configuring site-to-site vpn part 1

by Cyrus Lok on Saturday, March 6, 2010 at 10:02am

I have got a router in Bukit Batok and another router in Ayer Rajah, I want my network traffic to route to another remote network in Ayer Rajah. Due to budget I have put off the idea of subscribing a lease line from an ISP and decided to use the existing MOL connection for my routing using site-to-site vpn.

Router in Bukit Batok is R1
Router in Ayer Rajah is R2

R1 is a new router with no specific configuration that meets my personal needs.

Set up hostname to identify my router:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#

Turn off http server:
R1(config)#no ip http server
R1(config)#

Turn on https server:
R1(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]

R1(config)#
*Mar 5 23:50:10.935: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Mar 5 23:50:11.423: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue “write memory” to save n
ew certificate
R1(config)#

Set up a local user database in my router, privilege 15 is for account with full access of the router, the password is weak, password should be at least 10 characters long, with mixture of alphanumeric and other characters such as these : @#$%^&*

R1(config)#username cyrus privilege 15 secret 0 cisco
R1(config)#

the keyword secret will hash my password using MD5

The digest of my password will look like this:
R1(config)#do sh run | i user
username cyrus privilege 15 secret 5 $1$XXb2$PM7aly7v9v/CY3RnNtrOg0

This is a 128-bit digest, MD5 algorithm is always a 128-bit long no matter which output you put. SHA-1 provides a longer keylength for the digest output which is 160-bit long and SHA is said to be more secured than MD5.

The reason to set https server and a local user database with privilege 15 is for the use of SDM 2.5, SDM 2.5 requires a level 15 username during authentication.

Turn on AAA:
R1(config)#aaa new-model
R1(config)#

Define a domain name for my router:
R1(config)#ip domain-name cyruslab.com
R1(config)#

Generate a 1024-bit RSA for ssh using PuTTY

R1(config)#crypto key generate
The name for the keys will be: R1.cyruslab.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]

Create a md5 hashed password for global configuration mode:
R1(config)#enable secret 0 cisco
R1(config)#

Create a method list, since I do not have Radius server or TACACS+ servers yet I will use local database as my password, enable password is for redundancy in case local user database has a problem for some reasons.

R1(config)#aaa authentication login LOCAL_LIST local enable
R1(config)#

Create authentication methods for ssh telnet:
I have set up my virtual terminal connection idle time to be 15mins.
R1(config)#line vty 0 4
R1(config-line)#login authentication LOCAL_LIST
R1(config-line)#transport input ssh
R1(config-line)#logging synchronous
R1(config-line)#exec-timeout 15
R1(config-line)#session-limit 3

Go to my console and disable login via console port:
R1(config-line)#line con 0
R1(config-line)#no login authentication
R1(config-line)#

There is no need to set up login for console port as long as my router is secured with locks and cameras, a hacker who has put so much effort to break into my datacentre will seek to destroy my equipments with a baseball bat and console login is for emergency.

Set my console login idle time as 15minutes.
R1(config-line)#exec-timeout 15
R1(config-line)#

To protect against dictionary attack within 10s if there are more than 3 failures to attempt to ssh telnet the login session will be blocked for 100s.
R1(config)#login block-for 100 attempts 3 within 10
R1(config)#

Create a standard access list for a backdoor during quiet mode:
R1(config)#ip access-list standard BACKDOOR
R1(config-std-nacl)#permit host 10.0.0.2 log
R1(config-std-nacl)#permit host 192.168.47.1 log
R1(config-std-nacl)#exit
R1(config)#

So that during quiet mode the host which I specified can still ssh login to my router.
R1(config)#login quiet-mode access-class BACKDOOR
R1(config)#

Syslog for every 3 failure attempts.
R1(config)#login on-failure log every 3
R1(config)#

Assigned my inside interface fa0/0 which is connected to network 10.0.0.0/24 an ip address:
R1(config)#int fa0/0
R1(config-if)#ip address 10.0.0.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#
*Mar 6 00:29:06.419: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 6 00:29:07.419: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state
to up

I have not set up my syslog server yet that’s why the syslog output keeps appearing fortunately I have turned on logging synchronous so that the syslog message will not “cut” my incomplete command into half.

My outside interface is fa0/1, this interface is connected to my cable modem, MOL is using dynamic ip address hence I cannot configure static ip address
R1(config-if)#int fa0/1
R1(config-if)#ip address dhcp client-id fa0/1
R1(config-if)#no shut

This way fa0/1 is a dhcp client, the client will send dhcp request to my isp’s dhcp server, my cable modem which is connected to fa0/1 will act as a relay to dhcp server. dhcp server will then send back dhcp offer message, and once my dhcp client agrees to take the ip address allocated by dhcp server; my client will send back dhcp request message back to dhcp server; dhcp server will send back dhcp ack message back to my client to confirm that the allocated ip address will be the ip address of the leased time. 80% towards the lease expired my dhcp client will send dhcp request message to dhcp server to request for the renew of the ip address lease time.

R1(config-if)#do sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.0.1 YES manual up up
FastEthernet0/1 unassigned YES DHCP up up

fa0/1 has no ip address yet because this interface is not connected to the cable modem yet.

Create a crypto acl for use with isakmp ipsec vpn, traffic from network 10.0.0.0/24 to 192.168.47.0/24 will be protected under isakmp-ipsec tunnel.

R1(config)#ip access-list extended PROTECT_TRAFFIC
R1(config-ext-nacl)#permit ip 10.0.0.0 0.0.0.255 192.168.47.0 0.0.0.255
R1(config-ext-nacl)#

Set up IKE phase 1 i.e. ISAKMP tunnel:
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encryption aes 128
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400

The isakmp policy states the symmetric encryption used for isakmp tunnel is 128-bit AES, using SHA-1 as the hashing algorithm for use with Diffie-Hellman(DH) key exchange, DH group 2 is 1024-bit long asymmetric key to calculate the pre-share key for both routers. The lifetime for the isakmp tunnel is one day.

Create IKE phase 2 i.e. IPsec tunnel transform set:
R1(config)#crypto ipsec transform-set MYSET esp-aes 128 esp-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
R1(cfg-crypto-trans)#exit

IPsec vpn can run on transport mode and tunnel mode. I choose tunnel mode, in this mode layer 3 up to layer 7 headers will be encrypted.
Transport mode will only encrypt layer 4 to layer 7, layer 3 information is in clear text. This is when you can use GRE tunnel to hide your actual ip address. GRE will encapsulate the actual ip packet with its own header and trailer hence the actual ip address is hidden.

Create crypto map for used in phase 2:
R1(config)#crypto map MYMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.

The note is a notification that the map must be configured to an interface for the tunnel to be set up.

Continue:
R1(config-crypto-map)#match address PROTECT_TRAFFIC
R1(config-crypto-map)#set transform-set MYSET
R1(config-crypto-map)#set peer 192.168.47.2

NOTE: 192.168.47.2 is a tentative peer ip address this is a wrong address, the peer address is unknown as my isp gives out dynamic ip address, I can identify R2 router by using it’s domain name/host name, I have not set R2 in Ayer Rajah yet.

Apply the map to interface fa0/1 which is the interface that’s connecting the cable modem.
R1(config-if)#crypto map MYMAP
R1(config-if)#
*Mar 6 00:54:25.811: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Funny why is isakmp on? How can this be? The peer router is turned off!

R1(config)#crypto isakmp key 0 cisco address 192.168.47.2 255.255.255.0
NOTE: the peer address 192.168.47.2 is temporary! The peer ip address is WRONG.
For dynamic ip address use this:
R1(config)#crypto isakmp key 0 cisco hostname <domain name of the peering router>

Configure a static route to the peer router:
R1(config)#ip route 192.168.47.0 255.255.255.0 fa0/1

Set up NAT.
Label fa0/1 as outside and fa0/0 as inside:
R1(config)#int fa0/1
R1(config-if)#ip nat outside
R1(config-if)#int fa0/0
R1(config-if)#ip nat inside

Use ACL to define which range of ip addresses will be translated:
R1(config)#access-list 10 permit 10.0.0.0 0.0.0.255
R1(config)#ip nat inside source list 10 interface fa0/1 overload

*VPN TUNNEL WILL NOT WORK BECAUSE THE VPN TRAFFIC IS BEING TRANSLATED, I HAVE TO EXCLUDE VPN TRAFFIC FROM NAT, HERE’S HOW:
R1(config)#no ip access-list standard PTE_IP
R1(config)#ip access-list extended NAT_LIST
R1(config-ext-nacl)#remark Exclude vpn traffic from being translated
R1(config-ext-nacl)#deny ip 10.0.0.0 0.0.0.255 192.168.47.0 0.0.0.255 log
R1(config-ext-nacl)#permit ip 10.0.0.0 0.0.0.255 any

*RESULTS FROM EXTENDED PING AFTER VPN TRAFFIC HAS BEEN EXCLUDED FROM NAT:
Sending 5, 100-byte ICMP Echos to 192.168.47.2, timeout is 5 seconds:
Packet sent with a source address of 10.0.0.1

*Mar 6 10:56:06.719: %SEC-6-IPACCESSLOGDP: list NAT_LIST denied icmp 10.0.0.1 -> 192.168.47.2 (0/0)
, 1 packet .!
*Mar 6 10:56:11.719: %SEC-6-IPACCESSLOGDP: list NAT_LIST denied icmp 10.0.0.1 -> 192.168.47.2 (0/0)
, 1 packet !!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 500/564/652 ms

R1#copy run start
Destination filename [startup-config]?
Building configuration…
[OK]

Ok the vpn configuration for R1 is done. I need to set up R2 in Ayer Rajah, and I must note that the peer address in my crypto map is WRONG. The peer address for the crypto key isakmp is also WRONG.

Advertisements
This entry was posted in Security. Bookmark the permalink.

One Response to Configuring site-to-site vpn part 1

  1. ciscolok says:

    *
    *
    *
    o
    Cyrus Lok NAT is not compatible with IPsec vpn, tested the configuration, extended ping drop when it reaches the endpoint.
    March 6 at 4:00am · LikeUnlike ·
    o
    Cyrus Lok There is a workaround for this, I got the answer from Toor in CCNA sec study group.
    March 6 at 9:48am · LikeUnlike ·
    * Write a comment…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s