Wednesday, 5 August 2009

IPSec Tunnel..with a difference.

Well, although it looks like July was quiet..it wasn't :)

Got some new kit in the lab: another 2610XM for more IPSec madness and a very nice 3550 EMI for some MLS shenanigans.

So I was over here: http://www.networking-forum.com/viewtopic.php?f=35&t=12877

And I thought I would blog about the problem.

Here is the Lab:

The first stage was to set up static routes across the routers, so here is what they looked like:
R1

ip route 172.20.1.0 255.255.255.0 192.168.4.2
ip route 172.21.1.0 255.255.255.0 192.168.4.2
ip route 192.168.1.0 255.255.255.0 192.168.4.2
ip route 192.168.3.0 255.255.255.0 192.168.4.2

Core

ip route 172.16.1.0 255.255.255.0 192.168.4.1
ip route 172.17.1.0 255.255.255.0 192.168.4.1
ip route 172.20.1.0 255.255.255.0 192.168.1.2
ip route 172.21.1.0 255.255.255.0 192.168.1.2
ip route 192.168.3.0 255.255.255.0 192.168.1.2

BB1

ip route 172.16.1.0 255.255.255.0 192.168.1.1
ip route 172.17.1.0 255.255.255.0 192.168.1.1
ip route 172.20.1.0 255.255.255.0 192.168.3.2
ip route 172.21.1.0 255.255.255.0 192.168.3.2
ip route 192.168.4.0 255.255.255.0 192.168.1.1


BB2

ip route 172.16.1.0 255.255.255.0 192.168.3.1
ip route 172.17.1.0 255.255.255.0 192.168.3.1
ip route 192.168.1.0 255.255.255.0 192.168.3.1
ip route 192.168.4.0 255.255.255.0 192.168.3.1

The next step was to set up ISAKMP policies on Core and BB2 like this (same on each router):

crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0


Then IPSEC transform sets:
Core:

crypto ipsec transform-set CORE_TRANSFORM esp-3des esp-sha-hmac

BB2:

crypto ipsec transform-set BB2_TRANSFORM esp-3des esp-sha-hmac


Then the Crypto ACLs. You have to be careful with these, as from what I have seen this is the number one area where people slip up (along with the PFS setting).
Remember that a crypto ACL is always written from the perspective of the traffic you want encrypted as it leaves the interface you apply the map to.


So here are the Crypto ACLs:
Core:

!This is to allow BB2 to ping 172.16.1.1 (from console)
access-list 100 permit ip host 172.16.1.1 host 192.168.3.2
!This is to allow BB2 to ping 172.17.1.1 (from console)
access-list 100 permit ip host 172.17.1.1 host 192.168.3.2
!This is to allow R1 to ping 172.20.1.1 (from console)
access-list 100 permit ip host 192.168.4.1 host 172.20.1.1
!This is to allow R1 to ping 172.21.1.1 (from console)
access-list 100 permit ip host 192.168.4.1 host 172.21.1.1
!This is to allow R1's networks to connect to BB2's Networks
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.21.1.0 0.0.0.255
access-list 100 permit ip 172.17.1.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 100 permit ip 172.17.1.0 0.0.0.255 172.21.1.0 0.0.0.255


BB2:

!This is to allow BB2 to ping 172.16.1.1 (from console)
access-list 100 permit ip host 192.168.3.2 host 172.16.1.1
!This is to allow BB2 to ping 172.17.1.1 (from console)
access-list 100 permit ip host 192.168.3.2 host 172.17.1.1
!This is to allow R1 to ping 172.21.1.1 (from console)
access-list 100 permit ip host 172.21.1.1 host 192.168.4.1
!This is to allow R1 to ping 172.20.1.1 (from console)
access-list 100 permit ip host 172.20.1.1 host 192.168.4.1
!This is to allow BB2's networks to connect to R1's Networks
access-list 100 permit ip 172.20.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.20.1.0 0.0.0.255 172.17.1.0 0.0.0.255
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.17.1.0 0.0.0.255
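The mirror-image rule is easy to get wrong by hand, so here is an added Python check (my own code, not from the original post) that parses both crypto ACLs, turns the Cisco wildcard masks into prefixes, and reports any entry on one side that has no exact (destination, source) twin on the other. The ACL text is copied from the Core and BB2 configs above; BAD_BB2_ACL is a constructed broken variant showing what a slip-up looks like.

```python
import ipaddress
# The Core and BB2 crypto ACLs from the post (the "!" comment lines are dropped here).
CORE_ACL = """
access-list 100 permit ip host 172.16.1.1 host 192.168.3.2
access-list 100 permit ip host 172.17.1.1 host 192.168.3.2
access-list 100 permit ip host 192.168.4.1 host 172.20.1.1
access-list 100 permit ip host 192.168.4.1 host 172.21.1.1
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.21.1.0 0.0.0.255
access-list 100 permit ip 172.17.1.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 100 permit ip 172.17.1.0 0.0.0.255 172.21.1.0 0.0.0.255
"""
BB2_ACL = """
access-list 100 permit ip host 192.168.3.2 host 172.16.1.1
access-list 100 permit ip host 192.168.3.2 host 172.17.1.1
access-list 100 permit ip host 172.21.1.1 host 192.168.4.1
access-list 100 permit ip host 172.20.1.1 host 192.168.4.1
access-list 100 permit ip 172.20.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.20.1.0 0.0.0.255 172.17.1.0 0.0.0.255
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.17.1.0 0.0.0.255
"""
# Constructed slip-up (not in the post): BB2's last entry widened to a /16, so it no longer mirrors Core's /24.
BAD_BB2_ACL = BB2_ACL.replace("172.21.1.0 0.0.0.255 172.17.1.0 0.0.0.255",
                              "172.21.1.0 0.0.0.255 172.17.0.0 0.0.255.255")

def _network(tokens):
    """Consume 'host A', 'any' or 'A WILDCARD' from the token list; return (network, remaining tokens)."""
    if tokens[0] == "host": return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any": return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # Cisco wildcard: 0 bits must match, so invert it into a netmask (a non-contiguous one raises ValueError).
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Return [(src_net, dst_net), ...] for each 'permit ip' entry; '!' comments and blank lines are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"): continue
        if tokens[2:4] != ["permit", "ip"]: raise ValueError(f"unsupported crypto ACE: {line.strip()}")
        src, rest = _network(tokens[4:])
        dst, _ = _network(rest)
        aces.append((src, dst))
    return aces

def mirror_mismatches(local, remote):
    """Local ACEs with no exact (dst, src) twin on the peer: these are the proxy identities that will not agree in phase 2."""
    remote_pairs = set(remote)
    return [(src, dst) for src, dst in local if (dst, src) not in remote_pairs]
```

Run mirror_mismatches in both directions (Core against BB2 and BB2 against Core); an empty list both ways means the two crypto ACLs are true mirror images.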

Then bring it all together with a Crypto Map:
Core:

crypto map R12BB2 10 ipsec-isakmp
set peer 192.168.3.2
set transform-set CORE_TRANSFORM
match address 100


BB2:

crypto map BB22R1 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set BB2_TRANSFORM
match address 100

Then apply the Crypto maps under the interfaces:
Core:

crypto map R12BB2

BB2:

crypto map BB22R1
