Lab 3 INWK 6119 IPSec CSR Pod Lab April2022


Master of Engineering in Internetworking

Lab # 3

IP Security Protocol - Manual Keying
and
Internet Key Management Protocol

INWK 6119

Copyright © Internetworking Program, Dalhousie University

TABLE OF CONTENTS

LIST OF FIGURES

1 IP SECURITY PROTOCOL - MANUAL KEYING
1.1 THE TASK
1.2 BACKGROUND
1.3 QUESTION
2 CONFIGURING IPSEC WITH MANUAL KEYS
2.1 CONFIGURATION STEPS
2.2 VERIFICATION COMMANDS
2.3 QUESTIONS SET
3 INTERNET KEY MANAGEMENT PROTOCOL
3.1 OBJECTIVES
3.2 THE TASK
3.3 BACKGROUND
3.4 QUESTIONS SET
5 CONFIGURING IPSEC WITH IKE
5.1 CONFIGURATION STEPS
5.2 VERIFICATION COMMANDS
5.3 QUESTIONS SET
6 NETWORK DIAGRAMS

LIST OF FIGURES

Figure 6-1: Network Diagram

1 IP SECURITY PROTOCOL - MANUAL KEYING

The objectives of this laboratory assignment are to familiarize students with IPSec and
related protocols.

Please read the entire assignment before you proceed with the task.

Make sure that all unused interfaces are disabled to prevent them from affecting the
network's operation.

1.1 The Task

In this exercise, students use IPSec to encapsulate selected traffic and send it
between networks. IKE (Internet Key Exchange) is not used in this assignment;
therefore, all security associations are created manually.

1.2 Background

IPSec uses encryption technology to provide data confidentiality, integrity, and
authenticity between participating peers in a private network. IPSec provides IP
network-layer encryption. The standards define several new packet formats, including:

▪ The authentication header (AH) to provide data integrity
▪ The encapsulating security payload (ESP) to provide confidentiality and data
integrity

AH and ESP can be used independently or together to achieve authenticity,
confidentiality, or both. IPSec provides two modes of operation, transport and tunnel
modes. In transport mode, only the IP payload is encrypted, and the original IP headers
are left intact. In tunnel mode, the entire original IP datagram is encrypted, and it
becomes the payload in a new IP packet.

IPSec needs security associations (SAs) to define how two or more entities use security
services to communicate. An SA includes transforms and secret keys. IPSec itself does not
have a mechanism for creating security associations; therefore, SAs need to be created
manually or negotiated using the Internet Key Management Protocol (IKMP).

1.3 Question

What are the advantages and disadvantages of using transport and tunnel modes?

Task 1 – Basic configuration

Initially, none of the routers are configured, so you will have to log into each of the four
routers and create a basic configuration that includes assigning a hostname to the router and
an IP address to the interfaces connecting the routers. Note that the topology is constructed
using VLANs.

Complete the following steps to create the basic configuration using the diagrams in Appendix
A as a reference:

1. Log into each router to create the basic configuration and skip the auto-configuration
options (if you are not presented with auto-configuration options, then the router
may have an existing configuration that you will need to erase and reload properly).
2. Enter configuration mode:
Router> enable
Router# configure terminal
3. To prevent mistyped commands and terminal output from interfering with your
configuration, apply these commands:
Router(config)# no ip domain lookup
Router(config)# line con 0
Router(config-line)# logging synchronous
Router(config-line)# exit
4. Configure the router's hostname and IP addresses (including the loopback) using the
information given in the network topology of Appendix A. Disable all unused
interfaces. Each VLAN-facing link is configured as a dot1Q subinterface, where x is the
VLAN ID:
Router(config)# interface GigabitEthernet1
Router(config-if)# no shutdown
Router(config-if)# interface GigabitEthernet1.x
Router(config-subif)# encapsulation dot1Q x
Router(config-subif)# ip address <ip address> <mask>
5. Enable RIP version 2:
Router(config)# router rip
Router(config-router)# version 2
6. Add all networks directly attached to the router:
Router(config-router)# network <network address>
7. Disable automatic summarization of networks:
Router(config-router)# no auto-summary

Table 1 Basic Configuration Information

Physical ID   Hostname   Loopback0
01            R1         150.1.1.1/32
02            R2         150.1.2.2/32
03            R3         150.1.3.3/32
04            R4         150.1.4.4/32

Deliverables
1. Confirm that all routers can ping each other.
2. Provide the final configuration of the routers.

2 CONFIGURING IPSEC WITH MANUAL KEYS

The minimum IPSec configuration requires that the security associations be established
with manually configured (pre-shared) session keys while IKE is disabled. The goal is to
establish secure tunnels to carry IP traffic between routers R1 and R4, which serve
different networks, as shown in the diagram.
Do not forget that you must have the same security parameters on both peers to
make IPSec work, which means you have to talk to the peer group to choose the
same (or precisely mirrored) SAs, ACLs, crypto maps, and keys.

2.1 Configuration Steps

1) Disable IKE in all your routers:

Router(config)# no crypto isakmp enable

2) Create an access list to define the traffic to protect. Choose IP traffic between
networks.

Note: The access lists used for IPSec are used only to determine which traffic should
be protected by IPSec, not which traffic should be blocked or permitted through the
interface. Using the permit keyword causes all IP traffic that matches the specified
conditions to be protected by crypto.

In router R4:
Router(config)# access-list 101 permit ip 155.1.24.0 0.0.0.255 155.1.13.0 0.0.0.255 log

In router R1:
Router(config)# access-list 101 permit ip 155.1.13.0 0.0.0.255 155.1.24.0 0.0.0.255 log

3) Configure a transform set that defines how the traffic will be protected. You can
configure only one transform set for manually established security associations.
The peer must also have the same transform set specified (the name is case
sensitive). Check the reference for the allowed argument combinations.

Note: A transform set represents a certain combination of security protocols
and algorithms. During the IPSec security association negotiation, the peers agree
to use a particular transform set for protecting a particular data flow.

Router(config)# crypto ipsec transform-set iptraffic esp-des esp-md5-hmac
Router(cfg-crypto-trans)# exit

4) Create a crypto map entry in IPSec manual mode:

Router(config)# crypto map MyMap 10 ipsec-manual

5) Specify the following in the map entry:
• An IPSec access list. The access list can specify only one permit entry when
you are establishing manual security associations.
• The peer to which the IPSec-protected traffic can be forwarded. Only one peer
can be specified when you are establishing manual security associations.
• The transform set to be used. This must be the same transform set that is
specified in the peer's corresponding crypto map entry.

Router(config-crypto-map)# match address 101
Router(config-crypto-map)# set peer <remote peer interface ip address>
(155.1.14.1 in R4 and 155.1.14.4 in R1)
Router(config-crypto-map)# set transform-set iptraffic

6) If the specified transform set includes the ESP protocol, set the ESP SPIs and keys
to apply to inbound and outbound protected traffic. If the transform set includes an
ESP cipher algorithm, specify the cipher keys. If the transform set includes an
ESP authenticator algorithm, specify the authenticator keys. The key should be at
least 16 bytes long.

Router(config-crypto-map)# set session-key inbound esp 300 cipher <cipher-key> authenticator <auth-key>
Router(config-crypto-map)# set session-key outbound esp 450 cipher <cipher-key> authenticator <auth-key>
where
spi = any number between 256 and 4294967295 (300 and 450 are used above),
cipher-key = word in hexadecimal without leading 0x (12345678912345678912345678912345 in our lab),
auth-key = word in hexadecimal without leading 0x (12345678912345678912345678912345 in our lab).
Remember that an SA is directional: the SPI and keys configured as inbound on one peer
must be the SPI and keys configured as outbound on the other peer, and vice versa.

7) Apply a crypto map set to an interface on which the IPSec traffic will be evaluated.

Router(config)# interface GigabitEthernet<interface number>
Router(config-if)# crypto map MyMap
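The mirroring requirement in steps 1 to 7 is easy to get wrong when two people type on two routers. The following Python script is an added example, not part of the lab sheet, that renders the manual-key configuration for both peers from one description and then cross-checks the two rendered configurations the way a reviewer would: transform set identical, access lists mirror images, SPIs in range, keys in hex without 0x and at least 16 bytes, and each router's inbound SA equal to the other router's outbound SA. It assumes GigabitEthernet1 as the crypto-map interface and mirrors the SPIs (inbound 300 / outbound 450 on R1, inbound 450 / outbound 300 on R4); the peer addresses, ACL, transform set and lab keys are the ones given above.

```python
"""Render and cross-check mirrored manual-key IPSec configurations for two peers."""
from dataclasses import dataclass
import re

# Values from the lab sheet; they must be identical on both peers.
TRANSFORM_NAME = "iptraffic"
TRANSFORM_ALGS = "esp-des esp-md5-hmac"
CIPHER_KEY = "12345678912345678912345678912345"   # lab key, hex, no leading 0x
AUTH_KEY = "12345678912345678912345678912345"
SPI_MIN, SPI_MAX = 256, 4294967295


@dataclass(frozen=True)
class Peer:
    hostname: str
    link_ip: str        # this router's address on the R1-R4 link
    protected_net: str  # "network wildcard" of the site behind this router
    inbound_spi: int    # SPI this router expects on packets it receives
    outbound_spi: int   # SPI this router puts on packets it sends


def render_manual_config(me: Peer, other: Peer) -> str:
    """Emit the lab's manual-key crypto configuration for `me`, peering with `other`."""
    return "\n".join([
        "no crypto isakmp enable",
        f"access-list 101 permit ip {me.protected_net} {other.protected_net} log",
        f"crypto ipsec transform-set {TRANSFORM_NAME} {TRANSFORM_ALGS}",
        "crypto map MyMap 10 ipsec-manual",
        " match address 101",
        f" set peer {other.link_ip}",
        f" set transform-set {TRANSFORM_NAME}",
        f" set session-key inbound esp {me.inbound_spi} cipher {CIPHER_KEY} authenticator {AUTH_KEY}",
        f" set session-key outbound esp {me.outbound_spi} cipher {CIPHER_KEY} authenticator {AUTH_KEY}",
        "interface GigabitEthernet1",   # assumed crypto-map interface
        " crypto map MyMap",
    ])


_ACL = re.compile(r"access-list (\d+) permit (\S+) (\S+ \S+) (\S+ \S+)")
_KEY = re.compile(r"set session-key (inbound|outbound) esp (\d+) cipher (\S+) authenticator (\S+)")
_TS = re.compile(r"crypto ipsec transform-set (\S+) (.+)")


def parse_manual_config(text: str) -> dict:
    """Pull the fields that must agree between peers out of a rendered config."""
    out = {"acl": None, "transform": None, "peer": None, "keys": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := _ACL.match(line):
            out["acl"] = (m.group(2), m.group(3), m.group(4))   # proto, src, dst
        elif m := _TS.match(line):
            out["transform"] = (m.group(1), m.group(2))
        elif line.startswith("set peer "):
            out["peer"] = line.split()[2]
        elif m := _KEY.match(line):
            out["keys"][m.group(1)] = (int(m.group(2)), m.group(3), m.group(4))
    return out


def mirror_problems(cfg_a: str, cfg_b: str) -> list:
    """Return the mismatches that would stop the manual SAs from carrying traffic."""
    a, b = parse_manual_config(cfg_a), parse_manual_config(cfg_b)
    problems = []
    if a["transform"] != b["transform"]:
        problems.append("transform sets differ (name is case sensitive)")
    if a["acl"][0] != b["acl"][0] or a["acl"][1:] != b["acl"][1:][::-1]:
        problems.append("access lists are not mirror images of each other")
    for name, cfg in (("A", a), ("B", b)):
        for direction, (spi, ck, ak) in cfg["keys"].items():
            if not SPI_MIN <= spi <= SPI_MAX:
                problems.append(f"{name} {direction} SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
            for key in (ck, ak):
                if key.startswith("0x") or len(key) < 32 or not re.fullmatch(r"[0-9a-fA-F]+", key):
                    problems.append(f"{name} {direction} key must be >=16 bytes of hex without 0x")
    # The SA one side receives on is the SA the other side sends on.
    if a["keys"]["inbound"] != b["keys"]["outbound"]:
        problems.append("A inbound SA does not match B outbound SA")
    if a["keys"]["outbound"] != b["keys"]["inbound"]:
        problems.append("A outbound SA does not match B inbound SA")
    return problems


if __name__ == "__main__":
    r1 = Peer("R1", "155.1.14.1", "155.1.13.0 0.0.0.255", 300, 450)
    r4 = Peer("R4", "155.1.14.4", "155.1.24.0 0.0.0.255", 450, 300)
    print(render_manual_config(r1, r4))
    print("problems:", mirror_problems(render_manual_config(r1, r4), render_manual_config(r4, r1)))
```

If R4 is typed with the same inbound 300 / outbound 450 values as R1, the checker reports both SA mismatches; that is the configuration in which "show crypto ipsec sa" shows the encaps counter rising on one side while decaps stays at zero on the other.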

2.2 Verification commands

Perform a ping and a Telnet between R2 and R3 and use the command "show
crypto ipsec sa" to confirm that the packet counters in the encapsulated and
decapsulated fields are increasing, proving that the selected traffic is passing through
the tunnel. All other traffic should flow outside the tunnel.

Use "show crypto map" in R1 and R4 to troubleshoot if the tunnel is not up or the packet
counter in the tunnel is not increasing.
Use "clear crypto sa" to clear the security associations and, with them, the counters.
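Reading the counters by eye works for one tunnel; the following Python script is an added example, not part of the lab sheet, that parses the encaps/decaps counters and SPIs out of two snapshots of "show crypto ipsec sa" and classifies the result: both counters rising (traffic protected both ways), only encaps rising (we send, but nothing valid is decapsulated, the symptom of a mismatched SA on the far peer), or nothing rising (the test traffic did not match the crypto ACL). The sample output is constructed and abbreviated to the lines the script reads; SPIs 300/450 and the addresses are the ones used in this lab.

```python
"""Compare two `show crypto ipsec sa` snapshots to see whether the tunnel carries traffic."""
import re

# Constructed, abbreviated sample of `show crypto ipsec sa` on R1 before the test traffic.
BEFORE = """\
interface: GigabitEthernet1
    Crypto map tag: MyMap, local addr 155.1.14.1

   local  ident (addr/mask/prot/port): (155.1.13.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (155.1.24.0/255.255.255.0/0/0)
   current_peer 155.1.14.4 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x12C(300)
     outbound esp sas:
      spi: 0x1C2(450)
"""

# Same peer after five pings between R2 and R3: both counters moved.
AFTER_OK = BEFORE.replace("#pkts encaps: 0", "#pkts encaps: 5").replace("#pkts decaps: 0", "#pkts decaps: 5")

# Only encaps moved: we encrypt and send, but nothing valid comes back through the SA.
AFTER_ONE_WAY = BEFORE.replace("#pkts encaps: 0", "#pkts encaps: 5")

_COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
_SPI = re.compile(r"spi: 0x[0-9A-Fa-f]+\((\d+)\)")
_PEER = re.compile(r"current_peer (\S+)")


def parse_ipsec_sa(text: str) -> dict:
    """Extract peer, per-direction ESP SPI and packet counters from one SA block."""
    info = {"peer": None, "encaps": 0, "decaps": 0, "inbound_spi": None, "outbound_spi": None}
    direction = None
    for line in text.splitlines():
        s = line.strip()
        if m := _PEER.search(s):
            info["peer"] = m.group(1)
        elif m := _COUNTER.search(s):
            info[m.group(1)] = int(m.group(2))
        elif s.endswith("esp sas:"):
            direction = "inbound_spi" if s.startswith("inbound") else "outbound_spi"
        elif (m := _SPI.search(s)) and direction:
            info[direction] = int(m.group(1))
    return info


def tunnel_status(before: str, after: str) -> tuple:
    """Return (verdict, encaps_delta, decaps_delta) for two snapshots of the same SA."""
    b, a = parse_ipsec_sa(before), parse_ipsec_sa(after)
    d_enc, d_dec = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
    if d_enc > 0 and d_dec > 0:
        verdict = "ok"            # selected traffic is protected in both directions
    elif d_enc > 0:
        verdict = "one-way"       # we send, but the peer's replies are not decapsulated here
    elif d_dec > 0:
        verdict = "receive-only"  # peer sends, our side never matches the crypto ACL
    else:
        verdict = "idle"          # no traffic, or the test traffic bypassed the tunnel
    return verdict, d_enc, d_dec


if __name__ == "__main__":
    print(parse_ipsec_sa(BEFORE))
    print(tunnel_status(BEFORE, AFTER_OK), tunnel_status(BEFORE, AFTER_ONE_WAY))
```

Take the first snapshot right after "clear crypto sa", run the ping and Telnet, then take the second; an "idle" verdict with traffic that did reach the far side means the traffic flowed outside the tunnel, which is exactly what the "All other traffic should flow outside the tunnel" check is looking for.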

2.3 Questions set

a) Provide the results of the final configuration of routers R1 and R4. Comment
on the configuration that you did in this lab about IPSec.

b) Which transform combinations did you use in step (3)? Explain the purpose of
each one.

c) Explain the inbound and outbound traffic. In steps 6 or 7, is it possible to use
different keys for inbound and outbound traffic of the same interface of router
R1 or R4?

d) Is it important to have mirrored access lists at both IPSec peers? Explain.

e) If we permit TCP traffic in an access list, then what will happen to non-TCP
traffic after implementing the above procedure?

f) Provide a printout of the show crypto map command.

3 INTERNET KEY MANAGEMENT PROTOCOL

3.1 Objectives

The objective of this laboratory assignment is to learn how to use IKMP (Internet Key
Management Protocol) to negotiate security associations for IPSec tunnels.

3.2 The Task

Students are required to revisit the network built in the previous laboratory session
and automate the key exchange process in IPSec by enabling Internet Key
Management Protocol.

3.3 Background

IPSec does not have a mechanism for creating security associations. It relies on
Internet Key Management Protocol (IKMP) to negotiate security associations.
Internet Key Exchange (IKE) creates an authenticated, secure tunnel between two
entities and then negotiates the security association for IPSec. This process requires
two steps: 1) the two entities must authenticate themselves to each other, and 2)
exchange keys.

Authentication
IKE supports multiple authentication methods:

▪ Pre-shared keys: The same key is pre-installed on each host. IKE peers
authenticate each other by computing and sending a keyed hash of data that
includes the pre-shared key. If the receiving peer is able to independently
create the same hash using its pre-shared key, it knows that both parties must
share the same secret, thus authenticating the other party.
▪ Public key cryptography: Each party generates a pseudo-random number (a
nonce) and encrypts it with the other party’s public key using the RSA (Rivest
Shamir Adleman) algorithm. The other party can decrypt the number with the
local private key. This process authenticates the parties to each other.
▪ Digital signature: Each device digitally signs a set of data and sends it to the
other party. Both the RSA public key algorithm and the digital signature
standard (DSS) are supported.

Key Exchange
Both parties must have a shared session key to encrypt the IKE tunnel. The Diffie-Hellman
protocol is used to agree on a common session key.
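The two steps described above, Diffie-Hellman key agreement followed by pre-shared-key authentication, can be worked through in a few lines. The following Python script is an added example, not part of the lab sheet: it runs both sides of the exchange, derives the shared secret from the exchanged public values, and then has each side send a keyed hash (HMAC) over the pre-shared key, the two public values and the two nonces, which the other side recomputes and compares, as the pre-shared-key bullet describes. It uses the 1024-bit MODP group (IKE Diffie-Hellman group 2 from RFC 2409) with generator 2; SHA-256 for the keyed hash and the nonce sizes are this example's choices, not the lab's IKE policy (which uses MD5). Running it with mismatched keys shows the point that matters for the questions below: Diffie-Hellman alone still produces an agreed secret, and only the keyed hash tells a peer whether the party it agreed a key with actually holds the shared secret.

```python
"""Diffie-Hellman key agreement plus pre-shared-key authentication, as two IKE peers would do it."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime of IKE Diffie-Hellman group 2 (RFC 2409, section 6.2), generator 2.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
PUB_LEN = 128  # bytes needed to hold a value below the 1024-bit prime


def dh_keypair():
    """Private exponent x in [2, p-2] and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(private: int, peer_public: int) -> int:
    """Shared secret; reject degenerate public values (0, 1, p-1) that force a trivial key."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, private, P)


def auth_hash(psk: bytes, pub_self: int, pub_peer: int, nonce_self: bytes, nonce_peer: bytes) -> bytes:
    """Keyed hash proving knowledge of the PSK, bound to this exchange's public values and nonces."""
    msg = pub_self.to_bytes(PUB_LEN, "big") + pub_peer.to_bytes(PUB_LEN, "big") + nonce_self + nonce_peer
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_exchange(psk_initiator: bytes, psk_responder: bytes):
    """Simulate both peers. Returns (authenticated, dh_keys_agree)."""
    x_i, pub_i = dh_keypair()
    x_r, pub_r = dh_keypair()
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)   # example nonce size

    # Step 2 of the text: both sides derive the same secret from the exchanged public values.
    dh_keys_agree = dh_shared(x_i, pub_r) == dh_shared(x_r, pub_i)

    # Step 1 of the text: each side proves it holds the PSK; the other side recomputes and compares.
    hash_i = auth_hash(psk_initiator, pub_i, pub_r, n_i, n_r)   # sent by the initiator
    hash_r = auth_hash(psk_responder, pub_r, pub_i, n_r, n_i)   # sent by the responder
    responder_accepts = hmac.compare_digest(hash_i, auth_hash(psk_responder, pub_i, pub_r, n_i, n_r))
    initiator_accepts = hmac.compare_digest(hash_r, auth_hash(psk_initiator, pub_r, pub_i, n_r, n_i))
    return responder_accepts and initiator_accepts, dh_keys_agree


if __name__ == "__main__":
    print("matching PSK:  ", run_exchange(b"inwk", b"inwk"))       # (True, True)
    print("mismatched PSK:", run_exchange(b"inwk", b"not-inwk"))   # (False, True)
```

The keyed hash covers both public values, so a peer only accepts a Diffie-Hellman value that the holder of the pre-shared key has vouched for; the `dh_shared` check that rejects 0, 1 and p-1 is the usual guard against a public value that would collapse the shared secret to a known constant.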

3.4 Questions Set

a) Explain how the Diffie-Hellman protocol can guard against "man-in-the-middle"
attacks.

b) Does public key cryptography scale to larger networks (Internet)?

c) Why are transactions authenticated using public key cryptography considered
"deniable"?

5 CONFIGURING IPSEC WITH IKE

Start with the same configuration as in the previous laboratory assignment but
ERASE the IPSec configuration.

Use the following three steps to remove the previous IPSec settings using the
"no" form of each Cisco command (negation):

1. Remove the crypto map from the interface.
2. Remove the crypto map.
3. Remove the crypto transform-set.

You must create IKE policies at each peer. An IKE policy defines a combination of
security parameters to be used during the IKE negotiation. IKE negotiations must be
protected, so each IKE negotiation begins by each peer agreeing on a common
(shared) IKE policy. This policy states which security parameters will be used to
protect subsequent IKE negotiations.

5.1 Configuration Steps

Follow these steps to create an IPSec tunnel between R1 and R4:

1) Make sure IKMP is enabled in your routers:

Router(config)# crypto isakmp enable

2) You must create IKE policies at each peer. An IKE policy defines a combination
of security parameters to be used during the IKE negotiation. IKE negotiations
must be protected, so each IKE negotiation begins by each peer agreeing on a
common (shared) IKE policy. This policy states which security parameters will be
used to protect subsequent IKE negotiations.
Router(config)# crypto isakmp policy 15
Router(config-isakmp)# encryption des
Router(config-isakmp)# hash md5
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# exit

3) Manually configure the pre-shared key for the peer (the key that the
"authentication pre-share" setting of the policy above relies on):

Router(config)# crypto isakmp key <shared-key> address <remote interface IP address>
where shared-key = any word (you may use "inwk" for this lab).

4) Create an access list to define the traffic to protect. Choose TCP traffic between
networks.
In router R1:
Router(config)# access-list 101 permit tcp 155.1.13.0 0.0.0.255 155.1.24.0 0.0.0.255
In router R4:
Router(config)# access-list 101 permit tcp 155.1.24.0 0.0.0.255 155.1.13.0 0.0.0.255

5) Configure a transform set that defines how the traffic will be protected:
Router(config)# crypto ipsec transform-set MySet esp-des esp-md5-hmac

6) Create a crypto map entry using IKE:

Router(config)# crypto map MyMap 10 ipsec-isakmp

7) Specify the following in the map entry:

- The IPSec access list.
- The peer to which the IPSec-protected traffic can be forwarded.
- The transform set to be used. This must be the same transform set that is
specified in the peer's corresponding crypto map entry.

Router(config-crypto-map)# match address <access list number>
Router(config-crypto-map)# set peer <remote peer interface ip address>
Router(config-crypto-map)# set transform-set <transform set>

8) Apply a crypto map set to an interface on which the IPSec traffic will be
evaluated.

Router(config)# interface <port_number>
Router(config-if)# crypto map MyMap

To make new security associations take effect immediately, you must clear the
existing security associations using clear crypto sa.

Verify your configuration by establishing a ping and a Telnet session between
routers R2 and R3 of the two different networks.

5.2 Verification commands

show crypto ipsec sa
show crypto ipsec transform-set
show crypto map

5.3 Questions set

a) Provide the results of the final configuration of routers. Comment on the
configuration that you did in this lab with regard to IPSec.

b) Provide a printout of the commands used in the verification process and write
your comments on it.

c) What are the default values for SA lifetimes?

d) Did you find any difference between the two sections? Which technique is better?
Provide at least three reasons to support your answer.

6 NETWORK DIAGRAMS

Figure 5-1: Network Diagram