VPN setup, Am I on the right track?

FrankGuthrie Member Posts: 245
OK, for a migration I'm asked to migrate customers from our old VPN platform (PIX) to our new VPN platform (Cisco 7206).

Looking at the config, I need some help understanding it. So here is a config used for some of our customers:

1)
vrf definition VRF00
description VPN Customer00
rd 00:1

This part I get. We need to define a VRF to segregate customers' traffic. What does the RD part do?

2)
crypto keyring Customer00
pre-shared-key address 192.168.1.1 key techexam

This is the key we have agreed on with the customer, no questions here.

3)
crypto isakmp profile Customer00
vrf VRF00
keyring Customer00
match identity address 192.168.1.1 255.255.255.255

What does this isakmp profile do? Is this for phase 1 authentication? The rest of the config seems to be clear; I just need to know what this isakmp profile does exactly.

4)
crypto map VPN Customer00 xxx ipsec-isakmp
set peer x.x.x.x
set security-association lifetime seconds 28800
set transform-set SET_1
set isakmp-profile Customer00
match address Customer00

If isakmp was phase 1, does this ipsec-isakmp mean it's phase 2 of the VPN setup? The peer is the customer edge router. What does the security association lifetime do? I guess the transform set describes what kind of authentication/encryption is used in phase 2? You also set the isakmp profile in this; what is the purpose of that, as you already defined it at number 3?

Is this the complete config for a working VPN connection, or am I missing some things?

What are the pitfalls of setting this up, and what do I need to check when I set up the new VPN connection with the customer?

Comments

  • Legacy User Unregistered / Not Logged In Posts: 0
    If isakmp was phase 1, does this ipsec-isakmp mean it's phase 2 of the VPN setup? The peer is the customer edge router. What does the security association lifetime do? I guess the transform set describes what kind of authentication/encryption is used in phase 2? You also set the isakmp profile in this; what is the purpose of that, as you already defined it at number 3?

    Is this the complete config for a working VPN connection, or am I missing some things?

    Yes, your first question is right: ipsec-isakmp is phase 2. The peer should be the edge router's outside interface.

    Security association lifetime is how long the link stays alive;
    if my math is correct, 28800 seconds equates to 8 hrs.

    You did not list the actual transform set, so I'm not sure what encryption you are using. While the transform set does show the encryption, there should be a line that looks similar to this:

    crypto ipsec transform-set SET_1 esp-aes 256 esp-sha-hmac

    This line is what shows what you set the encryption to.

    Also, I don't see an isakmp policy.

    The purpose of an isakmp profile is to set different parameters if you have different IPsec tunnels. For VRF-aware IPsec it's required to have profiles configured.

    To be honest, if you are not sure what you need to get VRF-aware IPsec up and running, you need to step back and do some research so you can fully understand what you are doing and how IPsec works before implementing it and screwing something up.
    What are the pitfalls of setting this up, and what do I need to check when I set up the new VPN connection with the customer?

    The pitfalls?! Only you know your customers topology and what is best.
    show crypto ipsec sa vrf VRF00
    show crypto isakmp key
    show crypto isakmp profile
    show crypto key pubkey-chain rsa
    debug crypto ipsec
    debug crypto isakmp

    There are different ways you could get this going; do some research before anything else.
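A static cross-check of the pieces named in that reply, written here as an added example (it is not code from the thread, from Cisco, or from either poster): it takes the posted fragments completed into one site-to-site config, confirms that the crypto map, isakmp profile, keyring, VRF, transform set and crypto ACL all resolve to each other and that the map is bound to an interface, then runs the same check on the fragment as posted to list what is missing. The peer address, sequence number, RD, ACL, interface and isakmp policy values are assumptions chosen for illustration. The check only finds dangling references in the text; whether the tunnel actually comes up is still a question for show crypto isakmp sa and show crypto ipsec sa on the router.

```python
"""Static cross-check of a VRF-aware IPsec config (added example, not code from
the thread). It resolves every name the isakmp profile and crypto map point at
and reports what the posted fragment leaves out. Values are assumed, see below."""
import re

# Constructed: the posted fragments completed into one site-to-site config.
# Peer, sequence number and RD were elided in the post; assumed values here.
COMPLETE_CONFIG = """
vrf definition VRF00
 rd 65000:1
 address-family ipv4
!
crypto keyring Customer00
 pre-shared-key address 192.168.1.1 key techexam
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp profile Customer00
 vrf VRF00
 keyring Customer00
 match identity address 192.168.1.1 255.255.255.255
!
crypto ipsec transform-set SET_1 esp-aes 256 esp-sha-hmac
!
ip access-list extended Customer00
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.1.1
 set security-association lifetime seconds 28800
 set transform-set SET_1
 set isakmp-profile Customer00
 match address Customer00
!
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map VPN
"""

def without(config, *prefixes):
    """Drop the top-level blocks whose first line starts with one of prefixes."""
    blocks = [b.strip("\n") for b in re.split(r"^!$", config, flags=re.M)]
    return "\n!\n".join(b for b in blocks if b and not b.startswith(prefixes))

# Constructed: what the original post shows, i.e. the complete config minus
# the phase 1 policy, transform set, crypto ACL and interface binding.
POSTED_FRAGMENT = without(COMPLETE_CONFIG, "crypto isakmp policy",
                          "crypto ipsec transform-set", "ip access-list", "interface")

# Subcommand -> the top-level object its first argument must name.
REFS = {"vrf": "vrf definition", "keyring": "crypto keyring",
        "set isakmp-profile": "crypto isakmp profile",
        "set transform-set": "crypto ipsec transform-set",
        "match address": "ip access-list extended"}

def parse_sections(config):
    """Split IOS config into (header, [subcommands]); indented lines belong to the header above."""
    sections = []
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace():
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections

def check_vpn_config(config):
    """Return a list of problems; an empty list means every reference resolves."""
    sections = parse_sections(config)
    headers = [h for h, _ in sections]
    def exists(prefix):  # top-level command present, bare or with more arguments
        return any(h == prefix or h.startswith(prefix + " ") for h in headers)
    def subs(prefix):  # subcommands under any header that start with prefix
        return [s for _, lines in sections for s in lines if s.startswith(prefix)]
    problems = []
    if not exists("crypto isakmp policy"):
        problems.append("no 'crypto isakmp policy' (phase 1 proposal) defined")
    psk_peers = {s.split()[2] for s in subs("pre-shared-key address ")}
    applied_maps = {s.split()[2] for s in subs("crypto map ")}  # bound to an interface
    for h, lines in sections:
        is_profile = h.startswith("crypto isakmp profile ")
        is_map = h.startswith("crypto map ") and h.endswith(" ipsec-isakmp")
        if not (is_profile or is_map):
            continue
        if is_map and h.split()[2] not in applied_maps:
            problems.append(f"'{h}' is not applied to any interface")
        for s in lines:
            key = next((k for k in REFS if s.startswith(k + " ")), None)
            if key and not exists(f"{REFS[key]} {s.split()[len(key.split())]}"):
                problems.append(f"'{h}' -> '{s}': {REFS[key]} not defined")
            elif s.startswith("set peer ") and s.split()[2] not in psk_peers:
                problems.append(f"'{h}' -> '{s}': no pre-shared key for this peer")
    return problems
```

Running check_vpn_config(COMPLETE_CONFIG) returns an empty list, while check_vpn_config(POSTED_FRAGMENT) reports the missing isakmp policy, the undefined transform set and crypto ACL, and the crypto map that is never bound to an interface. The same helper also catches a profile pointing at a VRF or keyring that was never defined, and a set peer with no matching pre-shared key, which are the two mistakes most likely to creep in when copying one customer's block to the next.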
  • FrankGuthrie Member Posts: 245
    Hi dmarcisco

    I agree on doing more research, but that's what I'm doing here :)

    The transform set I left out, because I was not sure if it was sensitive info to our company.

    So does the transform set describe how the phase 2 data is going to be encrypted?

    I think I forgot about the isakmp policy. That's the phase 1 policy, right?

    Also, I'm wondering why we need two phases to build a VPN. When connecting to a site with SSL (HTTPS), I think you only use one form/phase of security, right?