Overview
Internet Protocol Security is generally called IPsec. IP Security (IPSec) provides a secure way to authenticate senders and encrypt IP version 4 (IPv4) and version 6 (IPv6) traffic between network devices. IPSec offers network administrators and their users the benefits of data confidentiality, data integrity, sender authentication, and anti-replay services, and it is increasingly a critical component of contemporary IP networks.
IPSec is a framework for secure private communication over IP networks and is based on standards developed by the Internet Engineering Task Force (IETF). The original IETF specifications are RFC 1825 through RFC 1827, which were published in 1995.
IPSec provides security services at the network layer of the Open Systems Interconnection (OSI) model by enabling a system to select required security protocols, determine the algorithms to use for the security services, and implement any cryptographic keys required to provide the requested services.
This document describes how to configure an IPSec site-to-site tunnel between a Seqrite UTM and Cisco 1841 Router with Cisco IOS.
Applicable Version: ALL
Scenario:
Requirements
Seqrite recommends that these requirements be met before you attempt the configuration that is described in this document:
User Datagram Protocol (UDP) 500 and 4500 for the IPSec control plane
Encapsulating Security Payload (ESP) IP Protocol 50 for the IPSec data plane
Configuration on Seqrite UTM
2. Enable the VPN Server and click the { + } sign to create a VPN configuration.
Note: Using a Site to Site IPSec VPN connection, branch networks can access the remote network, for example between Head Office and Branch Office.
3. Enter all the configuration details for the VPN as below.
Parameter | Value | Description |
Connection Name | VPN | Name to identify the IPSec connection. |
Network Interface | 124.123.98.241 | Select your public IP. This is a WAN interface that you configured in the Interface section. |
Remote Server IP | 183.82.106.171 | Enter the remote server's public IP. |
Local Networks | 10.10.60.0/22 | In the Local Networks field, choose the local LAN created earlier. |
Remote Networks | 192.168.1.0/24 | In the Remote Networks field, choose the remote LAN created earlier. |
IKE Version | IKEv1 / IKEv2 | Select the same IKE version on both sides. |
Authentication Type | Pre-shared key | Set the Authentication Type to Pre-shared key. You need to enter the same key on the Cisco device. |
Advanced Options | Encryption Algorithm: 3DES; Authentication Algorithm: MD5; Key Group (DH): 2 (DH1024) | Select the same Encryption Algorithm, Authentication Algorithm and Key Group for the Phase 1 and Phase 2 settings. Note: These settings must be the same as configured on the Cisco device. |
4. Click the + sign to expand the Advanced Options.
5. Select the Phase 1 and Phase 2 settings. The same settings have to be selected in the Cisco device options.
Then click Apply.
6. Toggle the ON/OFF status switch to enable the connection. It is disabled by default.
Allow the services you need in Interzone settings or custom rules so that they can be accessed over the IPSec tunnel.
Allow the services in the four VPN rules below:
1. LAN -VPN
2. VPN-LAN
3. UTM-VPN
4. VPN-UTM
Go to Firewall > Interzone Rules and allow the services.
Configuration on Cisco 1841 Router with Cisco IOS via CLI
1. Configure the ISAKMP (IKEv1) Policy
In order to configure the ISAKMP policies for the IKEv1 connections, enter the crypto isakmp policy command in global configuration mode:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
You can verify the IKE Parameters you configured by executing the following command:
show crypto isakmp policy
2. Configure a Crypto ISAKMP Key
In order to configure a preshared authentication key, enter the crypto isakmp key command in global configuration mode:
crypto isakmp key ******** address 124.123.98.241
Note: The pre-shared key must be the same as the one already configured on the Seqrite UTM.
3. Configure an ACL for VPN Traffic of Interest
Use an extended or named access list to specify the traffic that should be protected by encryption.
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.10.60.0 0.0.3.255
4. Configure a Transform Set
In order to define an IPSec transform set (an acceptable combination of security protocols and algorithms), enter the crypto ipsec transform-set command in global configuration mode. Here is an example:
crypto ipsec transform-set test esp-3des esp-md5-hmac
5. Configure a Crypto Map and Apply it to an Interface
In order to create or modify a crypto map entry and enter the crypto map configuration mode, enter the crypto map global configuration command. In order for the crypto map entry to be complete, there are some aspects that must be defined at a minimum:
crypto map CMAPVPN 13 ipsec-isakmp
description Tunnel to 124.123.98.241
set peer 124.123.98.241
set transform-set test
match address 102
interface GigabitEthernet0/0
crypto map CMAPVPN
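As an added example (not Seqrite's or Cisco's own code), the script below derives the IOS commands of steps 1 to 5 from the values entered in the Seqrite table: it converts the /22 and /24 prefixes into the wildcard masks IOS ACLs expect and mirrors the UTM's local and remote networks into the crypto ACL, which is where site-to-site tunnels most often fail to match. The policy, ACL, transform-set and crypto map names and sequence numbers are the page's; the algorithm-name mapping and the pre-shared key placeholder are assumptions.

```python
import ipaddress

# Added example (not from the Seqrite or Cisco documentation): derive the Cisco IOS
# side of the tunnel from the values entered in the Seqrite UTM table above.
# Assumed mapping of UTM algorithm names to IOS keywords (IKE policy, transform set).
ENCR = {"3DES": ("3des", "esp-3des"), "AES128": ("aes", "esp-aes"), "AES256": ("aes 256", "esp-aes 256")}
HASH = {"MD5": ("md5", "esp-md5-hmac"), "SHA1": ("sha", "esp-sha-hmac")}

def wildcard(cidr):
    """'10.10.60.0/22' -> '10.10.60.0 0.0.3.255' (IOS ACLs take a wildcard, not a prefix).
    strict=True rejects a prefix with host bits set, a common cause of ACL mismatch."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.hostmask}"

def cisco_config(utm, names):
    """Return the IOS commands as a list of lines. Note the mirroring: the Cisco peer is
    the UTM's own public interface, and the crypto ACL source/destination are the UTM's
    remote/local networks swapped."""
    encr_p1, encr_p2 = ENCR[utm["encryption"]]
    hash_p1, hash_p2 = HASH[utm["authentication"]]
    acl = names["acl"]
    return [
        f"crypto isakmp policy {names['policy_seq']}",
        f" encr {encr_p1}",
        f" hash {hash_p1}",
        " authentication pre-share",
        f" group {utm['dh_group']}",
        f"crypto isakmp key {utm['psk']} address {utm['network_interface']}",
        f"access-list {acl} remark IPSec Rule",
        f"access-list {acl} permit ip {wildcard(utm['remote_networks'])} {wildcard(utm['local_networks'])}",
        f"crypto ipsec transform-set {names['transform_set']} {encr_p2} {hash_p2}",
        f"crypto map {names['crypto_map']} {names['map_seq']} ipsec-isakmp",
        f" description Tunnel to {utm['network_interface']}",
        f" set peer {utm['network_interface']}",
        f" set transform-set {names['transform_set']}",
        f" match address {acl}",
        f"interface {names['wan_interface']}",
        f" crypto map {names['crypto_map']}",
    ]

# Values from the Seqrite table on this page; the PSK is a placeholder, not a real key.
UTM = {"network_interface": "124.123.98.241", "local_networks": "10.10.60.0/22",
       "remote_networks": "192.168.1.0/24", "encryption": "3DES", "authentication": "MD5",
       "dh_group": 2, "psk": "REPLACE_WITH_SHARED_KEY"}
NAMES = {"policy_seq": 10, "acl": 102, "transform_set": "test", "crypto_map": "CMAPVPN",
         "map_seq": 13, "wan_interface": "GigabitEthernet0/0"}
```

Run `print("\n".join(cisco_config(UTM, NAMES)))` to see the commands exactly as listed in steps 1 to 5 above.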
Verification
A. Verification on Seqrite UTM
2. The same can be verified by checking the Live Logs option.
3. You can verify whether the tunnel is working by pinging from a PC at one location to a PC at the other location.
B. Verification on Cisco 1841 Router with Cisco IOS.
You can verify that the IPSec VPN tunnel is working on the Cisco device using the commands below:
show crypto isakmp sa
This command shows the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs) built between peers.
dst src state conn-id slot
124.123.98.241 183.82.106.171 QM_IDLE 1 0
show crypto ipsec sa
This command shows IPsec SAs built between peers. The encrypted tunnel is built between 183.82.106.171 and 124.123.98.241 for traffic that goes between networks 192.168.1.0 and 10.10.60.0. You can see the two Encapsulating Security Payload (ESP) SAs built inbound and outbound. Authentication Header (AH) is not used since there are no AH SAs.
This output shows an example of the show crypto ipsec sa command. Note that this example was taken from a router whose crypto map is named test and is applied to FastEthernet0; on the router configured above, the Crypto map tag is CMAPVPN and the interface is GigabitEthernet0/0.
interface: FastEthernet0
Crypto map tag: test, local addr. 183.82.106.171
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.60.0/255.255.252.0/0/0)
current_peer: 124.123.98.241
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0,
#pkts decompress failed: 0, #send errors 1, #recv errors 0
local crypto endpt.: 183.82.106.171, remote crypto endpt.: 124.123.98.241
path mtu 1500, media mtu 1500
current outbound spi: 3D3
inbound esp sas:
spi: 0x136A010F(325714191)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3D3(979)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
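Added example, not from Seqrite or Cisco, that turns the checks above into code: it parses show crypto ipsec sa output (SAMPLE is constructed from this page's example output, abridged), confirms both ESP SAs exist toward the expected peer with the agreed transform and anti-replay enabled, and compares the encaps/decaps counters of two snapshots taken around the ping test in step 3.

```python
import re

# Added example (not from the page): parse `show crypto ipsec sa` and check the tunnel
# state the text describes. SAMPLE is constructed from the example output on this page.
SAMPLE = """\
   current_peer: 124.123.98.241
    #pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
    #pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
   inbound esp sas:
    spi: 0x136A010F(325714191)
      transform: esp-3des esp-md5-hmac ,
      replay detection support: Y
   outbound esp sas:
    spi: 0x3D3(979)
      transform: esp-3des esp-md5-hmac ,
      replay detection support: Y
"""

def parse_ipsec_sa(text):
    sa = {"peer": None, "encaps": 0, "decaps": 0, "esp": {"inbound": [], "outbound": []}}
    section = None  # (direction, protocol) of the SA list we are currently inside
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("current_peer:"):
            sa["peer"] = s.split(":", 1)[1].strip()
        elif m := re.search(r"#pkts encaps: (\d+)", s):
            sa["encaps"] = int(m.group(1))
        elif m := re.search(r"#pkts decaps: (\d+)", s):
            sa["decaps"] = int(m.group(1))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s):
            section = (m.group(1), m.group(2))
        elif section and section[1] == "esp":
            if m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s):
                sa["esp"][section[0]].append({"spi": int(m.group(1), 16)})
            elif s.startswith("transform:"):
                sa["esp"][section[0]][-1]["transform"] = s[len("transform:"):].strip(" ,")
            elif s.startswith("replay detection support:"):
                sa["esp"][section[0]][-1]["replay"] = s.endswith("Y")
    return sa

def tunnel_up(sa, peer, transform):
    """Both ESP SAs present toward the expected peer, agreed transform, anti-replay on."""
    esp = sa["esp"]["inbound"] + sa["esp"]["outbound"]
    return bool(sa["esp"]["inbound"] and sa["esp"]["outbound"] and sa["peer"] == peer
                and all(e.get("transform") == transform and e.get("replay") for e in esp))

def traffic_flowing(before, after):
    """Counters must rise in both directions between two snapshots taken around a ping."""
    return after["encaps"] > before["encaps"] and after["decaps"] > before["decaps"]
```

Take one snapshot before and one after the ping test and pass both to traffic_flowing; a rising encaps counter with a flat decaps counter means the remote side is not returning traffic, usually a mismatched crypto ACL or Interzone rule.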
Please contact Seqrite Technical Support for more assistance