The purpose of VPN is to secure the confidentiality of the communication between two sites by using encryption. Two tunnels are set up, the first tunnel is for Diffie Hellman key exchange, the second tunnel is for data transmission either in transport or tunnel mode. Transport mode in addition to what tunnel mode is doing obscures the layer 4 information while sending data over the IPsec tunnel.
Cisco router configuration
Define the traffic that needs to be encrypted
ip access-list extended vpn-traffic permit ip host 192.168.0.10 host 172.21.0.10 remark "Host to host has to be encrypted"
Define phase 1 proposal
crypto isakmp policy 1 encr aes authentication pre-share group 2
The default is using SHA for integrity checking (hash), default lifetime is 1 day which is 86400 seconds. The default commands are not shown in the list above.
Define the pre-share key for phase 1
crypto isakmp key cyruslab address 10.0.0.2 255.255.255.252
Define IPsec transform set / proposal
Transform set is also known as IPsec proposal, the encryption and integrity checking (HMAC) to be used for data transmission.
crypto ipsec transform-set cisco->eagle_set esp-aes esp-sha-hmac
Create a crypto map that includes phase 2 proposal
The crypto map will be applied to the interface that initiates or responds to vpn establishment. The crypto map contains the IPsec proposal, the traffic that has to be encrypted, the peer vpn device, the perfect forward secrecy DF group for DF key generation.
crypto map cisco->eagle_map 1 ipsec-isakmp set peer 10.0.0.2 set transform-set cisco->eagle_set set pfs group2 match address vpn-traffic
Apply the crypto map to the interface
interface FastEthernet0/0 ip address 10.0.0.1 255.255.255.252 duplex auto speed auto crypto map cisco->eagle_map end
Static default route
Insert a static route, since this setup only has one exit and entrance point a static default route is fine.
ip route 0.0.0.0 0.0.0.0 10.0.0.2
Hirschmann Eagle20 configuration
It is encourage to use the web interface to configure vpn, Hirschmann provides a Wizard to setup VPN easily. However I will show you how to use command line first.
Make sure Eagle20 is in routed mode
As of Eagle20 old platform software version SDV 5.2, VPN can only be configured in routed mode.
!(Hirschmann Eagle) #show network mode Network mode ------------ operating mode..........................router !(Hirschmann Eagle) #
To change the mode use network mode router command under privilege exec mode.
You will need to assign IP address on the trusted and untrusted interface, the vpn tunnel will be established from the untrusted interface.
!(Hirschmann Eagle) #network router param ext ip-address 10.0.0.2 !(Hirschmann Eagle) #network router param ext netmask 255.255.255.252 !*(Hirschmann Eagle) #network router param int ip-address 172.21.0.1 !*(Hirschmann Eagle) #network router param int netmask 255.255.255.0 !*(Hirschmann Eagle) #save [====================] OK. !(Hirschmann Eagle) #
Make sure the interfaces are configured correctly.
!(Hirschmann Eagle) #show network router params Index IP-Addr Netmask use VLAN VLAN protocol ----- --------------- --------------- -------- ------ -------- int 172.21.0.1 255.255.255.0 disable 1 none ext 10.0.0.2 255.255.255.252 disable 1 none !(Hirschmann Eagle) #
Define static route
Strange thing about Eagle20 firewall is that it does not have ways to do default route that matches all prefixes, you need to define the subnet and prefix explicitly.
!(Hirschmann Eagle) #network router route add interface ext ip-address 192.168.0.0 mask 255.255.255.0 gateway 10.0.0.1 !(Hirschmann Eagle) #save [====================] OK.
To ensure the route is configured.
!(Hirschmann Eagle) #show network router route Index IP-Addr Netmask Gateway Intf. Status ----- --------------- --------------- --------------- ----- ------ ext 192.168.0.0 255.255.255.0 10.0.0.1 ext [x] !*(Hirschmann Eagle) #
Make sure the status has a [x], usually after you have inserted a static route the status will be crossed, if not you can use the command:
!*(Hirschmann Eagle) #network router route status interface ext ip-address 192.168.0.0 mask 255.255.255.0 enable
If you receive an error that looks like this Error: Command execution failed 'mask' when you are trying to enable the route, make sure your mode is router mode and not transparent mode.
Configuring vpn with command line
To check if there are existing vpn connections setting use this command:
!(Hirschmann Eagle) (config)#show vpn connections summary No. Description Servicemode Active Status --- ----------------------------- ----------- ------ --------- !(Hirschmann Eagle) (config)#
Add an entry for vpn connection:
!(Hirschmann Eagle) (config)#vpn connection add 1 name eagle_to_cisco
Configure the vpn access in the first entry:
!*(Hirschmann Eagle) (config)#vpn connection modify 1 access method psk pre-shared-key cyruslab local-type default remote-type any
The vpn peers use ip address to be their own ID by default if you choose to use pre-share-key. remote-type any means you set Eagle20 not to check the ID of the incoming VPN peer that wishes to establish a VPN connection, this is a lab to demonstrate but it is not an good idea not to check.
Configure the phase 2 proposal:
!*(Hirschmann Eagle) (config)#vpn connection modify 1 data-exchange algorithms key-agreement modp1024 integrity hmacsha1 encryption aes128 !*(Hirschmann Eagle) (config)#vpn connection modify 1 data-exchange mode encapsulation tunnel lifetime 28800
modp1024 is actually Diffie Hellman group 2 which uses 1024-bit length. Eagle20 maximum phase 2 lifetime is 28800 seconds. This is actually the proposal for ipsec tunnel which is the phase 2 tunnel for data exchange.
Configure the phase 1 proposal:
!*(Hirschmann Eagle) (config)#vpn connection modify 1 key-exchange algorithms key-agreement modp1024 hash sha1 integrity hmacsha1 encryption aes128 !*(Hirschmann Eagle) (config)#vpn connection modify 1 key-exchange mode protocol v1 !*(Hirschmann Eagle) (config)#vpn connection modify 1 key-exchange mode startup initiator
I use IKE version 1 for this set up. Cisco router seems to be a responder so I make Eagle20 to be the initiator.
To define the peer:
!*(Hirschmann Eagle) (config)#vpn connection modify 1 key-exchange endpoints local-address 10.0.0.2 remote-address 10.0.0.1
Define the interesting traffic:
First define the profile of the traffic-selector, Eagle20 vpn setup will only work if you use specific host, for some reason I never make it work when I specify a subnet with prefix.
!*(Hirschmann Eagle) (config)#vpn traffic-selector 1 add 1 name eagle-to-cisco
The command vpn traffic-selector 1 actually means to associate the traffic selector to the first entry of the vpn connection profile.
!*(Hirschmann Eagle) (config)#vpn traffic-selector 1 modify 1 source-net 172.21.0.10 dest-net 192.168.0.10
Enable the traffic selector and vpn connection
!(Hirschmann Eagle) (config)#vpn traffic-selector 1 status 1 enable !(Hirschmann Eagle) (config)#vpn connection status 1 enable !(Hirschmann Eagle) (config)#save [====================] OK.
If you receive an error Error: Command execution failed 'status'while enabling vpn connection, your vpn connection profile configuration could be incomplete such as you have forgotten to put the peer address.
Verification
To check if the vpn tunnel is up for Hirschmann Eagle20:
!*(Hirschmann Eagle) (config)#show vpn connections summary No. Description Servicemode Active Status --- ----------------------------- ----------- ------ --------- 1 eagle_to_cisco disabled [x] up !*(Hirschmann Eagle) (config)#
To check if vpn connection is up for Cisco router:
Router#show crypto isakmp sa dst src state conn-id slot status 10.0.0.1 10.0.0.2 QM_IDLE 1 0 ACTIVE Router#
cyruslab 