IPSEC
IPSEC encryption related links. gre
http://www.ccierants.com/2009/09/ipsec-with-vti-best-damn-way-to-do-it.html
Step by step GRE to IPsec tunnel
Compare GRE vs VTI IPsec: http://henrydu.com/blog/networks/vpn/ipsec-over-gre-and-ipsec-vti-368.html
Sample Cisco Config
!!# Phase One - isakmp #!!
crypto isakmp policy 10
 hash sha
 authentication pre-share
crypto isakmp key vpnkey address 10.0.0.2
!!# Phase Two - ipsec #!!
! crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
 exit
crypto map vpnset 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set vpnset
 ! set pfs group2
 match address 100
!!# Apply to outside int #!!
int ??
 !ip address 10.0.0.1
 crypto map vpnset
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.16.1
Verify IPSec VPN connections
- The following two show commands can be used to verify VPN connections; the two debug commands trace the ISAKMP and IPsec negotiation:
show crypto ipsec sa
show crypto isakmp sa
debug crypto isakmp
debug crypto ipsec
Example VTI
- Tunnel interface protected by IPsec; new since 2010.
- No crypto map is required.
Link: Linux strongSwan VTI http://end.re/2015/01/06/vti-tunnel-interface-with-strongswan/
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET
!
interface Tunnel0
 ip address 192.168.10.2 255.255.255.0
 tunnel source 10.0.149.220
 tunnel destination 10.0.149.221
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
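An added example, not part of the original notes: a small Python check that flags the legacy settings present in the configurations above, namely DES/3DES, DH groups 1, 2 and 5, a pre-shared key bound to the wildcard address 0.0.0.0, and a crypto map entry or IPsec profile with no `set pfs`. The names `audit` and `SAMPLE_VTI` are assumptions of this example, and the sample is the VTI configuration from this page, abridged.

```python
import re

# Constructed sample: the VTI configuration shown on this page (abridged), one command per line.
SAMPLE_VTI = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile VTI
 set transform-set TSET
interface Tunnel0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
"""

WEAK_DH = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP groups
SECTION = re.compile(r"crypto (map \S+ \d+ ipsec-isakmp|ipsec profile \S+)$")

def _close(section, findings):
    """Report a crypto map entry or IPsec profile that never enabled PFS."""
    if section and not section["pfs"]:
        findings.append((section["line"], "no 'set pfs' in: " + section["name"]))

def audit(config):
    """Return sorted (line_number, finding) pairs for weak IKE/IPsec settings."""
    findings, section = [], None
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):  # separators and commented-out commands
            continue
        if section and not line.startswith(("set ", "match ")):
            _close(section, findings)  # any other command ends the open section
            section = None
        if section and line.startswith("set pfs"):
            section["pfs"] = True
        if SECTION.match(line):
            section = {"line": no, "name": line, "pfs": False}
        elif re.match(r"encr\S* 3?des\b", line) or re.search(r"transform-set .*esp-3?des\b", line):
            findings.append((no, "DES/3DES cipher: " + line))
        elif (m := re.match(r"(?:set pfs )?group ?(\d+)$", line)) and m.group(1) in WEAK_DH:
            findings.append((no, "weak DH group: " + line))
        elif re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0\b", line):
            findings.append((no, "wildcard pre-shared key, accepted from any peer: " + line))
    _close(section, findings)  # the config may end inside a section
    return sorted(findings)
```

Lines that start with `!` are skipped, so a commented-out `! set pfs group2` inside a crypto map entry is reported as PFS not being set.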
...