CISCO
PIX: CONFIGURING SITE TO SITE VPN'S CONT...
PSK
Code:
London(config)# access-list IKE permit udp host 80.81.81.81 host 80.80.80.80 eq isakmp
London(config)# access-list IKE permit ah host 80.81.81.81 host 80.80.80.80
London(config)# access-list IKE permit esp host 80.81.81.81 host 80.80.80.80
London(config)# nat (inside) 0 access-list VPN_PROTECTED
London(config)# isakmp enable outside
London(config)# isakmp identity address
London(config)# isakmp policy 10 authentication pre-share
London(config)# isakmp policy 10 encryption 3des
London(config)# isakmp policy 10 group 2
London(config)# isakmp policy 10 hash md5
London(config)# isakmp policy 10 lifetime 86400
London(config)# isakmp key qwertyuiop address 80.81.81.81 netmask 255.255.255.255
London(config)# access-list VPN_PROTECTED permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
London(config)# crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
London(config)# crypto ipsec transform-set STRONGEST mode tunnel
London(config)# crypto ipsec security-association lifetime seconds 86400
London(config)# crypto map VPN 10 match address VPN_PROTECTED
London(config)# crypto map VPN 10 set transform-set STRONGEST
London(config)# crypto map VPN 10 set peer 80.81.81.81
London(config)# crypto map VPN interface outside
Certificates
Code:
London(config)# access-list IKE permit udp host 80.81.81.81 host 80.80.80.80 eq isakmp
London(config)# access-list IKE permit ah host 80.81.81.81 host 80.80.80.80
London(config)# access-list IKE permit esp host 80.81.81.81 host 80.80.80.80
London(config)# access-list IKE permit tcp any host 80.80.80.90 eq 80
London(config)# static (inside,outside) 80.80.80.90 192.168.10.10 netmask 255.255.255.255
London(config)# nat (inside) 0 access-list VPN_PROTECTED
London(config)# ca identity Certserver 192.168.10.10:/certserv/mscep/mscep.dll
London(config)# ca configure Certserver ra 1 5 crloptional
London(config)# ca enroll Certserver abcdefg12345
London(config)# isakmp enable outside
London(config)# isakmp identity address
London(config)# isakmp policy 10 authentication rsa-sig
London(config)# isakmp policy 10 encryption 3des
London(config)# isakmp policy 10 group 2
London(config)# isakmp policy 10 hash md5
London(config)# access-list VPN_PROTECTED permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
London(config)# crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
London(config)# crypto ipsec transform-set STRONGEST mode tunnel
London(config)# crypto ipsec security-association lifetime seconds 86400
London(config)# crypto map VPN 10 match address VPN_PROTECTED
London(config)# crypto map VPN 10 set transform-set STRONGEST
London(config)# crypto map VPN 10 set peer 80.81.81.81
London(config)# crypto map VPN interface outside
In this configuration I have NATed the CA server (192.168.10.10) to the external IP 80.80.80.90 and allowed connections on TCP port 80 so the peer can reach the SCEP enrolment URL (mscep.dll) on it for certificate authentication. The internal IP falls inside the 'protect' ACL (VPN_PROTECTED), so once the tunnel is up the peer reaches the CA through IPsec at its private address, and before the tunnel exists it can still reach it via the global address. Two things are worth checking here: the IKE ACL opens port 80 on 80.80.80.90 to 'any', so tighten the source to the peer (host 80.81.81.81) unless other parties genuinely need to enrol; and 'ca enroll' will only succeed once the PIX holds an RSA key pair and has fetched and verified the CA certificate with 'ca authenticate Certserver', so make sure those steps have been done first.
Troubleshooting
Troubleshooting VPNs can be an absolute nightmare at times, but the cause nearly always comes down to the configurations not matching on the two peers.
First check that you can ping the remote peer. The other firewall admin may have disabled ICMP, so you may need to ask them to enable it temporarily.
Once your ping has been successful, the following 'show' commands will display all of your VPN configuration and state:
show isakmp
show isakmp policy
show access-list
show crypto map
show crypto ipsec transform-set
show crypto ipsec security-association lifetime
show crypto isakmp sa
show crypto ipsec sa
By comparing the output of the above commands on both VPN endpoints you should be able to narrow down your misconfiguration.
Check the PSKs are identical (and that the key is long and random rather than a keyboard walk like the qwertyuiop used above) and that the remote peer's IP address and subnet mask are correct.
Check you have enabled IKE on the outside interface.
Check the relevant traffic is being protected, i.e. the crypto ACL covers it.
Check you are not NATing the protected traffic (nat 0 must reference the same ACL as the crypto map).
AND check the two configurations are mirror images of each other: same ISAKMP policy, transform set and key, but with the crypto ACL source and destination swapped and each peer pointing at the other's outside address!
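A way to do that comparison mechanically, as an added example that is not part of the original tutorial: the script below parses the VPN-relevant statements from both firewalls and reports the mismatches from the checklist above (IKE enabled, peer addresses, pre-shared key, ISAKMP policy, transform set, mirror-image crypto ACL, nat 0). The London side is the PSK configuration above; the remote side, its outside address 80.81.81.81, and both 'ip address outside' lines are assumptions, since the tutorial only shows the London end. In use you would paste each firewall's running configuration (write terminal) in place of the two strings.

```python
"""Mirror-image check for a PIX 6.x site-to-site VPN: parse what must agree and report what does not."""
import re

# London end, copied from the PSK configuration above. The "ip address outside"
# line is an assumption: the tutorial does not show the interface addressing.
LONDON = """
ip address outside 80.80.80.80 255.255.255.0
access-list VPN_PROTECTED permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list VPN_PROTECTED
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash md5
isakmp policy 10 lifetime 86400
isakmp key qwertyuiop address 80.81.81.81 netmask 255.255.255.255
crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
crypto map VPN 10 match address VPN_PROTECTED
crypto map VPN 10 set transform-set STRONGEST
crypto map VPN 10 set peer 80.81.81.81
"""

# Constructed remote end (hypothetical peer at 80.81.81.81 in front of 192.168.20.0/24), not tutorial text.
REMOTE = """
ip address outside 80.81.81.81 255.255.255.0
access-list VPN_PROTECTED permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list VPN_PROTECTED
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash md5
isakmp policy 10 lifetime 28800
isakmp key qwertyuiop address 80.80.80.80 netmask 255.255.255.255
crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
crypto map VPN 10 match address VPN_PROTECTED
crypto map VPN 10 set transform-set STRONGEST
crypto map VPN 10 set peer 80.80.80.80
"""


def parse(text):
    """Collect the VPN statements that have to agree between the two peers."""
    c = {"outside": None, "acl": {}, "nat0": None, "ike_if": set(), "policy": {}, "key": {}, "ts": {}, "map": {}}
    for raw in text.splitlines():
        w = re.sub(r"^\S+\(config\)#\s*", "", raw.strip()).split()  # drop any CLI prompt
        if len(w) < 3:
            continue
        if w[:3] == ["ip", "address", "outside"] and len(w) > 3:
            c["outside"] = w[3]
        elif w[0] == "access-list" and w[2] == "permit" and len(w) >= 8:
            c["acl"].setdefault(w[1], []).append(tuple(w[3:8]))  # proto, src, smask, dst, dmask
        elif w[:3] == ["nat", "(inside)", "0"] and len(w) >= 5:
            c["nat0"] = w[4]
        elif w[:2] == ["isakmp", "enable"]:
            c["ike_if"].add(w[2])
        elif w[:2] == ["isakmp", "policy"] and len(w) >= 5:
            c["policy"].setdefault(w[2], {})[w[3]] = w[4]
        elif w[:2] == ["isakmp", "key"] and len(w) >= 5:
            c["key"][w[4]] = w[2]  # peer address -> pre-shared key
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 4 and w[4] != "mode":
            c["ts"][w[3]] = frozenset(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) >= 7 and w[3].isdigit():
            c["map"].setdefault((w[2], w[3]), {})[" ".join(w[4:6])] = w[6]
    return c


def compare(a_text, b_text):
    """Return mismatch descriptions; an empty list means the two ends agree."""
    a, b = parse(a_text), parse(b_text)
    out = []
    for side, me, peer in (("A", a, b), ("B", b, a)):
        if not me["ike_if"]:
            out.append(f"{side}: isakmp is not enabled on any interface")
        for (name, seq), e in me["map"].items():
            if e.get("set peer") != peer["outside"]:
                out.append(f"{side}: crypto map {name} {seq} peer {e.get('set peer')} is not the other end's outside address {peer['outside']}")
            if e.get("match address") != me["nat0"]:
                out.append(f"{side}: nat 0 uses {me['nat0']} but the crypto map matches {e.get('match address')}: protected traffic may be NATed")
    ka, kb = a["key"].get(b["outside"]), b["key"].get(a["outside"])
    if not ka or ka != kb:
        out.append("pre-shared keys differ or missing")

    def proposals(c):  # phase 1 attributes; lifetime is left out because the shorter value is negotiated
        return {tuple(sorted(i for i in p.items() if i[0] != "lifetime")) for p in c["policy"].values()}
    if not proposals(a) & proposals(b):
        out.append("no common isakmp policy (authentication, encryption, hash and group must match)")
    ea = [e for e in a["map"].values() if e.get("set peer") == b["outside"]]
    eb = [e for e in b["map"].values() if e.get("set peer") == a["outside"]]
    for x, y in zip(ea, eb):
        if a["ts"].get(x.get("set transform-set")) != b["ts"].get(y.get("set transform-set")):
            out.append("transform sets differ")
        # Crypto ACLs must be mirror images: B's (src, dst) is A's (dst, src).
        mirror = {(p, d, dm, s, sm) for p, s, sm, d, dm in a["acl"].get(x.get("match address"), [])}
        if mirror != set(b["acl"].get(y.get("match address"), [])):
            out.append("crypto ACLs are not mirror images, so phase 2 proxy identities will not match")
    return out


if __name__ == "__main__":
    broken = REMOTE.replace("key qwertyuiop ", "key qwertyuiop1 ").replace("hash md5", "hash sha")
    for label, cfg in (("matching pair", REMOTE), ("broken pair", broken)):
        print(label + ":", compare(LONDON, cfg) or "no mismatches")
```

The script deliberately ignores the ISAKMP lifetime, which does not have to match (the shorter value is negotiated), and it only checks agreement, not strength: the 3DES, MD5 and Diffie-Hellman group 2 settings used throughout this tutorial are legacy choices, and a keyboard-walk pre-shared key such as qwertyuiop is easy to guess.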
The final step in troubleshooting VPNs is to debug the entire VPN and watch the tunnel forming in real time (this is process heavy, so do it during periods of low activity):
debug crypto isakmp
debug crypto ipsec
The commands speak for themselves: the first shows the ISAKMP (phase 1) negotiation and the second the IPsec (phase 2) security association being built, so run whichever matches the stage that is failing. Turn them off again afterwards with 'no debug crypto isakmp' and 'no debug crypto ipsec'.
The next paper will be on the ASDM.
Original Tutorial
by nokia for TheTAZZone-TAZForum
Originally posted on January 30th, 2007 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.