GlobalConfig.net» Studies In VPN

IKEv1 Aggressive Mode vs. IKEv1 Main Mode

Brandon Carroll, CCIE #23837 — Wed, 20 Apr 2011 12:00:25 +0000

The question often comes up regarding the differences between IKE aggressive mode and IKE main mode. The answer is pretty simple. In this post we break down IKEv1 aggressive mode and main mode differences and provide a recommendation based on using the more scalable and more secure solution.

The Breakdown

Aggressive mode requires two exchanges totaling three messages whereas Main mode requires three exchanges totaling six messages. If you’re wondering what the difference is, or why you would even care, it all boils down to the level of security you desire. While the two offer the same services its Main mode that protects the identity of the communicating parties. Aggressive mode does not provide protection for the communicating parties. This means that the peers have to exchange information prior to establishing a secure SA.
In the end, Main mode is slower because of the more lengthy exchange. But alas, it is more secure.

What Should I Do?

You may wish to disable IKEv1 aggressive mode. If you do there is something else to consider. If using a Cisco IPsec VPN Client you will no longer be able to authenticate using pre-shared keys. So, if you don’t mind using digital certificates then go for it.

To disable IKEv1 aggressive mode you will need to type the following:

crypto ikev1 am-disable

New Video: Comparing Crypto Maps and VTI’s Part 2

Brandon Carroll, CCIE #23837 — Fri, 15 Apr 2011 20:44:44 +0000

In this video I show the configuration of a site-to-site IPsec VPN using static VTI interfaces. I really like using this method because its very straight forward in my eyes. You dont have to use ACL’s to define what gets encrypted but you can use them to filter what goes across the tunnel. Find more information on VTI interface at Cisco.com in the 12.4T documentation

New Video: Comparing Crypto Maps and VTI’s Part 1

Brandon Carroll, CCIE #23837 — Wed, 06 Apr 2011 19:02:54 +0000

I’m trying something new here. I seem to do that alot! Let me explain why. Basically it takes to long to type up a full post and worry about all the screenshots and command line snippets to be able to get you good content quickly. And the since the members area of Global Config is video focused I have gotten quite a bit faster at creating videos and editing them. So, here is the first of what I hope will become a number of video tutorials.

This one covers Crypto Map configurations for a site-to-site VPN between two routers. In the second video I’ll cover the VTI configuration for comparison.

Useful Links:
Become a Member
How to Configure IPSec VPN’s (Cisco.com)

Configuring SSL VPN with Full Tunnel Access on Cisco ASA 8.2 Part 1

Brandon Carroll, CCIE #23837 — Fri, 10 Sep 2010 17:16:18 +0000

This is a short excerpt from a lesson I taught on SSL VPNs usin ASA 8.2 and the Any Connect Client. This is Part 1. Watch for Part 2 in the next day or so.

Happy Labbing!

VPN3k CLI only

Brandon Carroll, CCIE #23837 — Fri, 19 Dec 2008 07:54:59 +0000

It is possible to configure a L2L session on a VPN3k using CLI only. It is a completley different configuration. Here is the summation of it:

Create an SA
Create inbound and Outbound rules for the hosts to be encrypted.
Apply the rules to the public filter with the action of “Apply IPSec” and attach the Security Association.
Create a group with the preshared key.
Set it to type L2L.

Now it seems like a short list but jumping around in the CLI menus makes it tough.

TIP:

When you are looking at the public filter you want to see the
IPSec Rules applied with the Security Association Attached.

Uploaded with plasq‘s Skitch!

No Related Posts

Studies in VPN: Part 3

Brandon Carroll, CCIE #23837 — Fri, 24 Oct 2008 16:00:07 +0000

IOS Lan-to-Lan with PSK through an ASA. ***The Catch: Nat configured and Dynamic Crypto Maps configured.

Uploaded with plasq‘s Skitch!

I ran into an Intersting situation:

r1#sh cry map
Crypto Map "vpn" 10 ipsec-isakmp
    Peer = 136.5.122.2
    Extended IP access list r1tor2
        access-list r1tor2 permit ip 150.1.1.0 0.0.0.255 150.2.2.0 0.0.0.255
    Current peer: 136.5.122.2
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
        3des-esp,
    }
    Interfaces using crypto map vpn:
        FastEthernet0/0

Pings fail:

r1#ping 150.2.2.2 source l0

Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds: Packet sent with a source address of 150.1.1.1 ..... Success rate is 0 percent (0/5)

But it looks like its working based on the stats:

local ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (150.2.2.0/255.255.255.0/0/0) current_peer: 136.5.122.2:4500 PERMIT, flags={origin_is_acl,} #pkts encaps: 29, #pkts encrypt: 29, #pkts digest 29 #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 136.5.121.1, remote crypto endpt.: 136.5.122.2 path mtu 1500, media mtu 1500 current outbound spi: 674293ED inbound esp sas: spi: 0xBD012AAD(3170970285) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel UDP-Encaps, } slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn sa timing: remaining key lifetime (k/sec): (4590553/3219) IV size: 8 bytes replay detection support: Y inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x674293ED(1732416493) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel UDP-Encaps, } slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn sa timing: remaining key lifetime (k/sec): (4590551/3219) IV size: 8 bytes replay detection support: Y outbound ah sas: outbound pcp sas:

r1#

A little tweaking on the ASA, clear the ASA and try again:

r1#clear cry sa r1# r1# r1#sh cry isa sa dst src state conn-id slot 136.5.122.2 136.5.121.1 MM_NO_STATE 1 0 (deleted) r1#ping 150.2.2.2 source l0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds: Packet sent with a source address of 150.1.1.1 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 8/9/12 ms r1#sh cry isa sa dst src state conn-id slot 136.5.122.2 136.5.121.1 QM_IDLE 2 0 136.5.122.2 136.5.121.1 MM_NO_STATE 1 0 (deleted)

r1#

So what was the problem? Access-list on the ACL didn’t allow NAT-T.

On another note the interesting thing about this configuration is that you have to initiate the connection from the inside since R2 is using a dynamic crypto map.

Final Configs (zipped)

Studies in VPN: Part 2

Brandon Carroll, CCIE #23837 — Thu, 23 Oct 2008 05:44:22 +0000

IOS to IOS with PSK thru an ASA without NAT

The topology:

Uploaded with plasq‘s Skitch!

Allow ESP and ISAKMP thru the ASA:

ciscoasa(config-router)# conf t
ciscoasa(config)# access-l outside_in permit esp any any
ciscoasa(config)# access-l outside_in permit udp any any eq isakmp
ciscoasa(config)# access-g outside_in in int outside
ciscoasa(config)#

Over on R2 I create a loopback to encrypt traffic to R1:

r2(config)#int lo0
r2(config-if)#ip add 150.1.2.2 255.255.255.0
r2(config-if)#

Next create and isakmp policy:

No Related Posts

Studies in VPN: Part 1

Brandon Carroll, CCIE #23837 — Wed, 22 Oct 2008 17:31:58 +0000

DISCLAIMER***

The first note I want to make as regards to the VPN topics that I will be blogging is that these are actually my personal notes from Internetwork Experts Volume 1 and 2 Lab Guide and the IPexpert Security Lab Workbook. There are a few topologies that I will be exploring, and I dont plan on taking you through each step of the Lab guide, rather I will be making notes on the tangents I take. If you want to do their labs dont rely on these posts, go buy their workbooks. Its worth every penny.

Site-to-Site between routers with a PIX in the middle

The First VPN configuration is based on one of the IPexpert Security Workbook Labs. It requires that I configure a VPN between two routers, with the VPN traffic passing through a PIX.

The first step was to load the default configs. There were no default for the switches so I had to create them on the fly. You can find the initial configurations here:

Switch1 Switch2 R1 R2 R4 R5 PIX

The next step was to statically map R5 and make sure that IPSec traffic could pass thru the PIX:

No Related Posts

GlobalConfig.net» Studies In VPN

IKEv1 Aggressive Mode vs. IKEv1 Main Mode

The Breakdown

What Should I Do?

Related Posts:

New Video: Comparing Crypto Maps and VTI’s Part 2

Related Posts:

New Video: Comparing Crypto Maps and VTI’s Part 1

Related Posts:

Configuring SSL VPN with Full Tunnel Access on Cisco ASA 8.2 Part 1

Related Posts:

VPN3k CLI only

Related Posts:

Studies in VPN: Part 3

Related Posts:

Studies in VPN: Part 2

IOS to IOS with PSK thru an ASA without NAT

Related Posts:

Studies in VPN: Part 1

Related Posts: