i like ike…

ike phase 1

negotiates the isakmp policy between the peers, authenticates them and runs the diffie-hellman exchange that keys the isakmp SA, the protected control channel that everything in phase 2 is carried over

ike phase 2

negotiates the ipsec SAs (transform set, the networks being protected, lifetime) that actually authenticate and encrypt the data, using the channel built in phase 1

enable ike

r1(config)#crypto isakmp enable

create the isakmp policy

the isakmp policy defines the hash, authentication method, diffie-hellman group, lifetime and encryption used to protect the control traffic while the peers establish the isakmp SA (security association). once that SA is up between the peers, ike phase 1 is complete

h a g l e

hash authentication group lifetime encryption

r1(config)#crypto isakmp policy 10
r1(config-isakmp)#?
ISAKMP commands:
authentication  Set authentication method for protection suite
default         Set a command to its defaults
encryption      Set encryption algorithm for protection suite
exit            Exit from ISAKMP protection suite configuration mode
group           Set the Diffie-Hellman group
hash            Set hash algorithm for protection suite
lifetime        Set lifetime for ISAKMP security association
no              Negate a command or set its defaults

the peers don't need identical policy lists, but at least one policy has to match: policies are compared in priority order (lowest number first), encryption, hash, authentication and dh group must be equal, and the lifetime offered by the remote peer only has to be less than or equal to the local one (the shorter value wins). the default protection suite is always the last candidate, so a peer that only offers the ios defaults would match it

r1(config-isakmp)#hash sha
r1(config-isakmp)#authenti pre-share
r1(config-isakmp)#group 5
r1(config-isakmp)#lifetime 3600
r1(config-isakmp)#encryption aes 256

r1(config-isakmp)#do sh crypto isakmp policy

Global IKE policy
Protection suite of priority 10
encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
hash algorithm:         Secure Hash Standard
authentication method:  Pre-Shared Key
Diffie-Hellman group:   #5 (1536 bit)
lifetime:               3600 seconds, no volume limit
Default protection suite
encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
hash algorithm:         Secure Hash Standard
authentication method:  Rivest-Shamir-Adleman Signature
Diffie-Hellman group:   #1 (768 bit)
lifetime:               86400 seconds, no volume limit
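to make the matching rule concrete, here is an added python model of it. this is example code written for this page, not anything from ios: policy 10 and the default suite carry the values from the output above, the match order and the lifetime rule are the ones cisco documents for ike phase 1, and the model only covers policy selection, not the authentication that follows, so a peer offering nothing but the old default suite still gets matched even though r1 has no certificates for rsa-sig. the names IsakmpPolicy, candidate_policies, select_policy and weaknesses are this example's own.

```python
"""model of ios ike phase 1 policy selection (added example, not ios code).

the responder walks its own isakmp policies in priority order (lowest number
first) and takes the first one whose encryption, hash, authentication method
and dh group equal one of the initiator's proposals and whose lifetime is at
least the proposed one; the shorter (proposed) lifetime is what gets used. the
default protection suite is always present as the last candidate.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str       # "aes-256", "aes-128", "3des", "des"
    hash: str             # "sha", "md5"
    authentication: str   # "pre-share", "rsa-sig"
    group: int            # diffie-hellman group number
    lifetime: int         # seconds


# policy 10 as configured on r1 (the HAGLE values from the page)
POLICY_10 = IsakmpPolicy(10, "aes-256", "sha", "pre-share", 5, 3600)

# the "Default protection suite" this ios prints: des / sha / rsa-sig / group 1 / 86400
DEFAULT_POLICY = IsakmpPolicy(65535, "des", "sha", "rsa-sig", 1, 86400)


def candidate_policies(configured: Iterable[IsakmpPolicy]) -> List[IsakmpPolicy]:
    """configured policies plus the implicit default, in negotiation order."""
    return sorted(list(configured) + [DEFAULT_POLICY], key=lambda p: p.priority)


def suite(p: IsakmpPolicy) -> Tuple[str, str, str, int]:
    """the four parameters that must be equal on both sides (lifetime is handled separately)."""
    return (p.encryption, p.hash, p.authentication, p.group)


def select_policy(configured: Iterable[IsakmpPolicy],
                  proposals: Iterable[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, int]]:
    """return (matched local policy, negotiated lifetime), or None if ike refuses."""
    proposals = list(proposals)
    for local in candidate_policies(configured):
        for remote in proposals:
            if suite(local) == suite(remote) and remote.lifetime <= local.lifetime:
                return local, remote.lifetime
    return None


def weaknesses(p: IsakmpPolicy) -> List[str]:
    """parameters a reviewer would flag in whatever policy actually got negotiated."""
    issues: List[str] = []
    if p.encryption in ("des", "3des"):
        issues.append(f"encryption {p.encryption}")
    if p.hash == "md5":
        issues.append("hash md5")
    if p.group in (1, 2):
        issues.append(f"dh group {p.group}")
    return issues


if __name__ == "__main__":
    configured = [POLICY_10]
    # a peer configured like r1, and a peer that only offers the ios defaults
    mirror = IsakmpPolicy(10, "aes-256", "sha", "pre-share", 5, 3600)
    legacy = IsakmpPolicy(10, "des", "sha", "rsa-sig", 1, 86400)
    for name, proposal in (("mirror", mirror), ("legacy", legacy)):
        match = select_policy(configured, [proposal])
        if match is None:
            print(f"{name}: no acceptable policy, ike refuses negotiation")
        else:
            policy, lifetime = match
            print(f"{name}: matched priority {policy.priority}, lifetime {lifetime}s,"
                  f" weaknesses {weaknesses(policy) or 'none'}")
```

the two cases worth noticing: a peer that proposes a longer lifetime than 3600 does not match policy 10 at all (and then fails the default too), while a peer proposing only des/group 1 matches the default suite that nobody consciously configured.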

create a pre-shared key for this peer. "psycho" is fine for a lab; in real life this string is the only thing authenticating the far end, so make it long and random. note it is bound to the peer address:

r1(config)#crypto isakmp key psycho add 10.2.2.1

a transform set names the esp (or ah) algorithms the ipsec SAs will use; it is what gets proposed and matched in phase 2:

r1(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac

create an access-list to define interesting traffic:

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

on the peer the access-list is mirrored (source and destination networks swapped), and the isakmp key and set peer point back at 10.1.1.1; the policy, transform set and crypto map are otherwise identical…

create a crypto map that ties the access-list to the peer address, transform set, pfs group and ipsec SA lifetime. set pfs makes phase 2 run its own diffie-hellman exchange so the ipsec keys are not derived from the phase 1 keying material…

r1(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
r1(config-crypto-map)#match address 101
r1(config-crypto-map)#set peer 10.2.2.1
r1(config-crypto-map)#set pfs group5
r1(config-crypto-map)#set transform-set 50
r1(config-crypto-map)#set security-association lifetime seconds 900

apply the map to the outside interface on both routers and send some interesting traffic to bring it up… (until traffic matching the access-list has been generated there is no SA, as the empty table below shows)

r3(config)#int s0/0
r3(config-if)#crypto map CMAP
r3(config-if)#
*Mar 31 12:18:11.831: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

r3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

a ping from a host behind r1 to the 192.168.3.0/24 network matches the access-list and makes it interesting… note the first ping times out: that packet is dropped while phase 1 and phase 2 complete, and only then can traffic be encrypted. afterwards the isakmp SA shows QM_IDLE, meaning phase 1 is done and the SA is idle and ready for quick mode, and the ipsec SAs show matching encaps and decaps counters…

(screenshot: vpn_ping)

r1#sh crypto isakmp sa
dst             src             state          conn-id slot status
10.1.1.1        10.2.2.1        QM_IDLE              1    0 ACTIVE

r1#sh crypto ipsec sa

interface: Serial0/0
Crypto map tag: CMAP, local addr 10.1.1.1

protected vrf: (none)
local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 10.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x7805C8A3(2013644963)

inbound esp sas:
spi: 0x6BB78A0B(1807190539)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4501618/613)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x7805C8A3(2013644963)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4501618/595)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
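reading this by eye works for one tunnel; for more than a couple it is worth scripting. the following is an added python example, not ios code: it parses the show crypto ipsec sa text above (SAMPLE is r1's output with a few lines the parser does not need dropped) and flags what a reviewer would not want to see in production: single des or 3des, md5 integrity, esp-null, replay detection off, or no esp SA at all. WEAK_SAMPLE is constructed to exercise those checks; parse_ipsec_sa and audit are this example's own names.

```python
"""parse and audit ios "show crypto ipsec sa" output (added example, not ios code).
SAMPLE is r1's output from above, trimmed; WEAK_SAMPLE is constructed to show a bad tunnel."""
import re
from typing import Dict, List, Optional

SAMPLE = """\
interface: Serial0/0
    Crypto map tag: CMAP, local addr 10.1.1.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.1 port 500
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
     inbound esp sas:
      spi: 0x6BB78A0B(1807190539)
        transform: esp-256-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4501618/613)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x7805C8A3(2013644963)
        transform: esp-256-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4501618/595)
        replay detection support: Y
        Status: ACTIVE
"""

# constructed: a legacy tunnel with no traffic yet and replay protection off
WEAK_SAMPLE = """\
interface: Serial0/0
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.2.2.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     inbound esp sas:
      spi: 0x1111AAAA(286370474)
        transform: esp-des esp-md5-hmac ,
        replay detection support: N
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)\)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)\((\d+)\)")
TIMING_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")
# transforms a reviewer flags regardless of what the counters say
WEAK_ESP = {"esp-des": "single des", "esp-3des": "3des",
            "esp-md5-hmac": "md5 integrity", "esp-null": "no encryption"}


def parse_ipsec_sa(text: str) -> Dict:
    """pull identities, peer, packet counters and every SA out of one interface's output."""
    result: Dict = {"local_ident": None, "remote_ident": None, "peer": None,
                    "encaps": 0, "decaps": 0, "sas": []}
    section: Optional[str] = None    # "inbound esp", "inbound ah", "outbound esp", ...
    sa: Optional[Dict] = None        # the SA whose attribute lines we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if m := IDENT_RE.match(line):
            result[f"{m.group(1)}_ident"] = m.group(2)
        elif m := PEER_RE.match(line):
            result["peer"] = m.group(1)
        elif m := PKTS_RE.match(line):
            result[m.group(1)] = int(m.group(2))
        elif line.endswith(" sas:"):                  # start of a direction/protocol block
            section, sa = line[: -len(" sas:")], None
        elif m := SPI_RE.match(line):                 # one SA per spi line
            sa = {"direction": section, "spi": m.group(1), "transform": [],
                  "remaining_kb": None, "remaining_sec": None, "replay": None, "status": None}
            result["sas"].append(sa)
        elif sa is not None:
            if line.startswith("transform:"):
                sa["transform"] = line.split(":", 1)[1].strip(" ,").split()
            elif m := TIMING_RE.search(line):
                sa["remaining_kb"], sa["remaining_sec"] = int(m.group(1)), int(m.group(2))
            elif line.startswith("replay detection support:"):
                sa["replay"] = line.split(":", 1)[1].strip() == "Y"
            elif line.startswith("Status:"):
                sa["status"] = line.split(":", 1)[1].strip()
    return result


def audit(parsed: Dict) -> List[str]:
    """findings for the esp SAs: weak or missing algorithms, replay off, or no SA at all."""
    findings: List[str] = []
    esp = [s for s in parsed["sas"] if s["direction"] and s["direction"].endswith("esp")]
    if not esp:
        findings.append("no esp SA: phase 2 is not up (no interesting traffic yet?)")
    for s in esp:
        tag = f"{s['direction']} spi {s['spi']}"
        findings += [f"{tag}: {WEAK_ESP[t]} ({t})" for t in s["transform"] if t in WEAK_ESP]
        if not any(t.endswith("-hmac") or "gcm" in t for t in s["transform"]):
            findings.append(f"{tag}: no integrity algorithm")
        if s["replay"] is not True:
            findings.append(f"{tag}: replay detection off")
    return findings
```

on the page's own output audit() comes back empty; on the constructed legacy sample it reports des, md5 and replay detection off. the parser keys on the "... sas:" headings to know which direction and protocol an spi belongs to, which is why the empty "inbound ah sas:" block has to reset the current SA.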