@(#)Configuring IPsec on Cisco routers 10 MAY 2000 Rob Thomas robt@cymru.com

Configuring IPsec on Cisco routers

I have included a simple IPSEC configuration. This may not be the exact
configuration any given site may use. However, it does provide the basics of
IPsec configuration on a Cisco router.

The setup (in fine ASCII art) is:

    Sun SPARC 20
    192.168.80.9/24
          |
    192.168.80.222/24
    Cisco 2514
    192.168.10.1/30
          |
    192.168.10.2/30
    Cisco 2514
    10.10.10.1/24

The test was a ping and a telnet from 192.168.0.9 to 10.10.10.1. The routing
was all static.

Here is the configuration for one of the IPSEC-enabled routers, with
comments. Note the differences between the two snoop outputs. When there is
no IPsec configured, the packets flow as one would expect. However, when
IPsec is running, the packets flow within an IPSEC "tunnel" between
192.168.10.1 and 192.168.10.2, regardless of the actual source and
destination addresses.

! @(#)IPsec Cisco router configuration 10 MAY 2000 Rob Thomas robt@cymru.com
!
crypto isakmp policy 1
    ! Set the crypto policy to ISAKMP, priority 1.
 hash md5
    ! Use MD5 as the authentication algorithm (instead
    ! of SHA, which is slower yet more secure).
 authentication pre-share
    ! Utilize the hard-coded key "123FOO123".
!
crypto isakmp key 123FOO123 address 192.168.10.2
    ! Set the key and the peer with whom to share the
    ! key. Be careful not to share this with anyone!
!
crypto ipsec transform-set OURIPS esp-des esp-md5-hmac
    ! Create a transform set called OURIPS that utilizes
    ! ESP (Encapsulating Security Payload) encrypted with
    ! DES and authenticated with MD5. In this case, we
    ! will encrypt only the payload of the packet, not the
    ! header.
!
crypto map IPSEC-TO-RMT local-address Ethernet0
    ! Specify that the crypto map called IPSEC-TO-RMT
    ! will use the local-address on E0 for identification
    ! purposes. This is not always necessary, but makes
    ! for nice documentation.
!
crypto map IPSEC-TO-RMT 1 ipsec-isakmp
    ! Map IPSEC-TO-RMT, sequence number 1, that uses
    ! ISAKMP for key exchange.
 set peer 192.168.10.2
    ! Our remote peer
 set transform-set OURIPS
    ! Apply the proper transform set (q.v.)
 match address IPSEC-TUN
    ! Only IPSEC the packets that match the extended
    ! ACL named IPSEC-TUN
!
ip access-list extended IPSEC-TUN
    ! Build an ACL to use for IPSEC.
 remark IPSEC ACL
    ! Comments are good. :-)
 permit ip any any
    ! This is a bit misleading. While it will attempt
    ! to ESP encrypt all packets, multicast packets can
    ! not be encrypted with IPSEC. For multicast packets,
    ! a GRE tunnel must be used. Recall that most
    ! routing protocols use multicast (OSPF, RIP v2) for
    ! the routing updates.
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 crypto map IPSEC-TO-RMT
    ! Apply the crypto map IPSEC-TO-RMT to the e0
    ! interface.

Snoop before IPSEC configuration:

192.168.80.9 -> 10.10.10.1   ICMP Echo request
10.10.10.1 -> 192.168.80.9   ICMP Echo reply
192.168.80.9 -> 10.10.10.1   ICMP Echo request
10.10.10.1 -> 192.168.80.9   ICMP Echo reply
192.168.80.9 -> 10.10.10.1   ICMP Echo request
10.10.10.1 -> 192.168.80.9   ICMP Echo reply

Snoop after IPSEC configuration:

192.168.10.1 -> 192.168.10.2 IP  D=192.168.10.2 S=192.168.10.1 LEN=136, ID=243
192.168.10.2 -> 192.168.10.1 IP  D=192.168.10.1 S=192.168.10.2 LEN=136, ID=625
192.168.10.1 -> 192.168.10.2 IP  D=192.168.10.2 S=192.168.10.1 LEN=136, ID=244
192.168.10.2 -> 192.168.10.1 IP  D=192.168.10.1 S=192.168.10.2 LEN=136, ID=628
192.168.10.1 -> 192.168.10.2 IP  D=192.168.10.2 S=192.168.10.1 LEN=136, ID=245

Rob Thomas, robt@cymru.com
http://www.enteract.com/~robt
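The two snoop listings above are the real test of whether the crypto map took effect: before, the inner hosts (192.168.80.9 and 10.10.10.1) are visible on the wire; after, only the two tunnel endpoints appear. The following script is an added example, not part of Rob Thomas's page, that automates that check. It pulls the tunnel endpoints out of the router configuration text (the `set peer` address and the `ip address` of any interface carrying a `crypto map`), then classifies each snoop line as tunnel traffic or as cleartext that still exposes inner addresses. The configuration excerpt and snoop lines embedded below are copied from the page; the function names, regular expressions and the `ipsec_is_effective` verdict are this example's own.

```python
"""Check a snoop capture against a Cisco IPsec configuration.

Added example (not code from the original page). It answers one question:
after the crypto map is applied, does the capture still show packets whose
source or destination is something other than the two tunnel endpoints?
"""
import re
from typing import Dict, List, Set, Tuple

# Excerpt of the page's router configuration: the crypto map peer and the
# interface the map is applied to.
ROUTER_CONFIG = """\
crypto map IPSEC-TO-RMT 1 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set OURIPS
 match address IPSEC-TUN
interface Ethernet0
 ip address 192.168.10.1 255.255.255.252
 crypto map IPSEC-TO-RMT
"""

# Snoop lines copied from the page (before and after the crypto map).
SNOOP_BEFORE = """\
192.168.80.9 -> 10.10.10.1   ICMP Echo request
10.10.10.1 -> 192.168.80.9   ICMP Echo reply
192.168.80.9 -> 10.10.10.1   ICMP Echo request
10.10.10.1 -> 192.168.80.9   ICMP Echo reply
"""

SNOOP_AFTER = """\
192.168.10.1 -> 192.168.10.2 IP  D=192.168.10.2 S=192.168.10.1 LEN=136, ID=243
192.168.10.2 -> 192.168.10.1 IP  D=192.168.10.1 S=192.168.10.2 LEN=136, ID=625
192.168.10.1 -> 192.168.10.2 IP  D=192.168.10.2 S=192.168.10.1 LEN=136, ID=244
"""

IFACE_RE = re.compile(r"^interface (\S+)")
PEER_RE = re.compile(r"^\s*set peer (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\S+) \S+")
MAP_RE = re.compile(r"^\s+crypto map (\S+)")
SNOOP_RE = re.compile(r"^(\S+) -> (\S+)\s+(.*)$")


def tunnel_endpoints(config: str) -> Set[str]:
    """Collect every 'set peer' address plus the address of each interface
    that has a crypto map applied; together these are the tunnel endpoints."""
    peers: Set[str] = set()
    iface_addr: Dict[str, str] = {}
    protected: Set[str] = set()
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PEER_RE.match(line)
        if m:
            peers.add(m.group(1))
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            iface_addr[current] = m.group(1)
        elif MAP_RE.match(line):
            protected.add(current)
    return peers | {iface_addr[i] for i in protected if i in iface_addr}


def classify_snoop(snoop: str, endpoints: Set[str]) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Count packets that stay between tunnel endpoints versus packets that
    expose some other (inner) address; return the exposed src/dst pairs."""
    counts = {"tunnel": 0, "cleartext": 0}
    exposed: List[Tuple[str, str]] = []
    for line in snoop.splitlines():
        m = SNOOP_RE.match(line)
        if not m:
            continue  # not a packet summary line
        src, dst = m.group(1), m.group(2)
        if src in endpoints and dst in endpoints:
            counts["tunnel"] += 1
        else:
            counts["cleartext"] += 1
            exposed.append((src, dst))
    return counts, exposed


def ipsec_is_effective(snoop: str, config: str) -> bool:
    """True when the capture shows tunnel traffic and no inner addresses."""
    counts, _ = classify_snoop(snoop, tunnel_endpoints(config))
    return counts["tunnel"] > 0 and counts["cleartext"] == 0


if __name__ == "__main__":
    ends = tunnel_endpoints(ROUTER_CONFIG)
    for label, capture in (("before", SNOOP_BEFORE), ("after", SNOOP_AFTER)):
        counts, exposed = classify_snoop(capture, ends)
        print(label, counts, "exposed:", exposed)
```

The check deliberately treats any packet that is not strictly endpoint-to-endpoint as cleartext, so a leaked inner address in either direction fails the verdict. Note that it only tests the address pattern: ISAKMP negotiation between the two peers would also count as tunnel traffic, so a capture decoded as UDP port 500 between the endpoints is not proof that ESP is flowing.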