Dear Valued Customer, We are upgrading our customer portal to enhance your experience. For Support, please send mail on support@seqrite.com Thank you for your patience and understanding. Best regards, Seqrite

How-To Articles

How to Configure IPSec Site to Site VPN between Seqrite UTM and Cisco 1841 Router with Cisco IOS.

25-02-2020 17:55:35

Overview

Internet Protocol Security generally called IPsec. IP Security (IPSec) provides a secure way to authenticate senders and encrypt IP version 4 (IPv4) and version 6 (IPv6) traffic between network devices. IPSec offers network administrators and their users the benefits of data confidentiality, data integrity, sender authentication, and anti-replay services. IPSec is increasingly becoming a critical component in today’s contemporary IP networks.

IPSec is a framework for ensuring secure private communication over IP networks and is based on standards developed by the International Engineering Task Force (IETF). The original IETF specifications are in RFC-1825 through RFC-1827, which published in 1995.

IPSec provides security services at the network layer of the Open Systems Interconnection (OSI) model by enabling a system to select required security protocols, determine the algorithms to use for the security services, and implement any cryptographic keys required to provide the requested services.

This document describes how to configure an IPSec site-to-site tunnel between a Seqrite UTM and Cisco 1841 Router with Cisco IOS.

Applicable Version: ALL

Scenario:

Requirements

Seqrite recommends that these requirements be met before you attempt the configuration that is described in this document:

  • The end-to-end IP connectivity must be established.
  • These protocols must be allowed:

User Datagram Protocol (UDP) 500 and 4500 for the IPSec control plane

Encapsulating Security Payload (ESP) IP Protocol 50 for the IPSec data plane


Configuration on Seqrite UTM

  1. To create a new IPSec connection, go to VPN > IPSec > Site to Site.

2. Enable the VPN Server and Click on the { + } sign for creating VPN configuration

Note: Using the Site to Site IPSec VPN connection various branch networks can access the remote network such as Head Office and Branch Office

3. We need to enter all the configuration details for VPN as below.

Parameter

Value

Description

Connection Name

VPN

Name to identify the IPSec Connection.

Network Interface

124.123.98.241

Select your Public IP. This is a WAN interfaces that you have configured in the Interface section.

Remote Server IP

183.82.106.171

Enter the Remote Server Public IP.

Local Networks

10.10.60.0/22

In Local Networks field, choose the local LAN created earlier.

Remote Networks

192.168.1.0 /24

In Remote Networks field, choose the remote LAN created earlier.

IKE Version

IKEv1 / IKEv2

Select the same IKE version for both side.

Authentication Type :

Set the Authentication Type to Pre-shared key.

You need to enter the same key in Cisco Device.

Advanced Options

Encryption Algorithm : 3DES
Authentication Algorithm: MD5
Key Group (DH): 2 (DH1024)
Select same Encryption Algorithm, Authentication Algorithm and the Key Group for Phase 1 and Phase 2 settings.
Note: This setting should be same as configured on the Cisco Device.

4. Click on the + Sign to Expand the Advanced Options.

5. Select the Phase 1 and Phase 2 Settings. These same settings has to be selected on the Cisco Device Options.

Then Click Apply.

6. Toggle the ON/OFF status switch to enable. It is disabled by default.

We have to allow any services in Interzone settings/custom rules as per your requirement to access over the IPSec tunnel.

Allow services in below four VPN rules

1. LAN -VPN

2. VPN-LAN

3. UTM-VPN

4. VPN-UTM

Go to Firewall > Interzone Rules > and allow the services.


Configuration on Cisco 1841 Router with Cisco IOS via CLI

1. Configure the ISAKMP (IKEv1) Policy

In order to configure the ISAKMP policies for the IKEv1 connections, enter the crypto isakmp policy command in global configuration mode.

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

You can verify the IKE Parameters you configured by executing the following command:

show crypto isakmp policy

2. Configure a Crypto ISAKMP Key

In order to configure a preshared authentication key, enter the crypto isakmp key command in global configuration mode:

crypto isakmp key ******** address 124.123.98.241

Note: Pre-shared key should be same which is already configured in Seqrite UTM.

3. Configure an ACL for VPN Traffic of Interest

Use the extended or named access list in order to specify the traffic that should be protected by encryption.

access-list 102 remark IPSec Rule

access-list 102 permit ip 192.168.1.0 0.0.0.255 10.10.60.0 0.0.3.255

4. Configure a Transform Set

In order to define an IPSec transform set (an acceptable combination of security protocols and algorithms), enter the crypto ipsec transform-set command in global configuration mode. Here is an example:

crypto ipsec transform-set test esp-3des esp-md5-hmac

5.Configure a Crypto Map and Apply it to an Interface

In order to create or modify a crypto map entry and enter the crypto map configuration mode, enter the crypto map global configuration command. In order for the crypto map entry to be complete, there are some aspects that must be defined at a minimum:

  • The IPSec peers to which the protected traffic can be forwarded must be defined. These are the peers with which an SA can be established. In order to specify an IPSec peer in a crypto map entry, enter the set peer command.
  • The transform sets that are acceptable for use with the protected traffic must be defined. In order to specify the transform sets that can be used with the crypto map entry, enter the set transform-set command.
  • The traffic that should be protected must be defined. In order to specify an extended access list for a crypto map entry, enter the match address command.

crypto map CMAPVPN 13 ipsec-isakmp

description Tunnel to124.123.98.241

set peer 124.123.98.241

set transform-set test

match address 102

interface GigabitEthernet0/0

crypto map CMAPVPN


Verification

A. Verification on Seqrite UTM

  1. Once the VPN configuration is done on Cisco Device the VPN status will turn Active.

2. The same can be verified by checking the Live Logs option.

3. You can verify if the tunnel is working or not by pinging from one location to another location PC.


B. Verification on Cisco 1841 Router with Cisco IOS.

You can verify the IPSec VPN Tunnel working on Cisco device using the below commands

show crypto isakmp sa

This command shows the Internet Security Association Management Protocol (ISAKMP) security associations (SAs) built between peers.

dst src state conn-id slot

124.123.98.241 183.82.106.171 QM_IDLE 1 0

show crypto ipsec sa

This command shows IPsec SAs built between peers. The encrypted tunnel is built between 183.82.106.171 and 124.123.98.241 for traffic that goes between networks 192.168.1.0 and 10.10.60.0. You can see the two Encapsulating Security Payload (ESP) SAs built inbound and outbound. Authentication Header (AH) is not used since there are no AH SAs.

This output shows an example of the show crypto ipsec sa command.

interface: FastEthernet0

Crypto map tag: test, local addr. 183.82.106.171

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.10.60.0/255.255.252.0/0/0)

current_peer: 124.123.98.241

PERMIT, flags={origin_is_acl,}

#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918

#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0,

#pkts decompress failed: 0, #send errors 1, #recv errors 0

local crypto endpt.: 183.82.106.171, remote crypto endpt.: 124.123.98.241

path mtu 1500, media mtu 1500

current outbound spi: 3D3

inbound esp sas:

spi: 0x136A010F(325714191)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 3442, flow_id: 1443, crypto map: test

sa timing: remaining key lifetime (k/sec): (4608000/52)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

inbound pcp sas:

outbound esp sas:

spi: 0x3D3(979)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 3443, flow_id: 1444, crypto map: test

sa timing: remaining key lifetime (k/sec): (4608000/52)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

Please contact Seqrite Technical Support for more assistance