Summary of Installations
• Remote Site
  – Guildhall School of Music and Drama
  – Southgate and Capel Manor Colleges
• Remote Users
  – Conservatoire of Dance and Drama
Crypto Route Map
• Crypto map
  – Static or dynamic
• IKE policy
• Additional optional steps
  – User authentication
  – Peer configuration
• Integrate with overall router config
IKE Policies
• Algorithms to be offered
• Authentication method
  – Pre-shared key
  – X.509 certificates
  – RSA encrypted nonces
• Diffie-Hellman group
GSMD Physical Installation
[Diagram: remote site and main campus]
GSMD: Equipment at Remote Site
• ‘Wires only’ ADSL connection
  – One static IP address
• Splitter
• Cisco 827H router
  – Ethernet hub (4 ports) plus ATM port
Static Crypto Components
• Create crypto map
  – Define trigger (ACL)
  – Peer identity (IP address or FQDN)
  – Define transform
    • Mode (tunnel or transport)
    • List of algorithms that will be offered to peer
  – Lifetime of SA
• Bind crypto map to external interface
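The IKE policy and the static crypto map components listed above, put together as an added IOS configuration example for the GSMD 827H (this is not the configuration from the original deployment). The campus peer address 198.51.100.1, the key string, the Dialer1 interface, the ACL number and the names GSMD/GSMD-TS are assumptions; the remote LAN 10.0.0.0/24 and campus LAN 192.168.0.0/24 are the ranges used in the selective NAT example later on this page.

```cisco
! IKE (ISAKMP) policy: algorithms offered, authentication method, DH group.
! Algorithm choices are this example's; "hash sha256" needs IOS 15.x,
! older images offer only sha/md5 and 3des.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key indexed by the campus peer's static address:
! one unique secret per known peer (assumed value and address).
crypto isakmp key ExampleGsmdSecret-2024 address 198.51.100.1
!
! Transform: ESP with AES-256 and HMAC-SHA-1, tunnel mode.
crypto ipsec transform-set GSMD-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Trigger ACL: remote LAN (10.0.0.0/24) to campus LAN (192.168.0.0/24).
access-list 110 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! Static crypto map: peer identity, transform, trigger and SA lifetime.
crypto map GSMD 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GSMD-TS
 set security-association lifetime seconds 3600
 match address 110
!
! Bind the map to the external interface (the ADSL dialer on the 827H).
interface Dialer1
 crypto map GSMD
```

The campus router carries the mirror image (its own ACL with source and destination swapped, the remote site's static address as peer and in the `crypto isakmp key` line). To check: `show crypto isakmp sa` should list the peer in state QM_IDLE after the first packet that matches ACL 110, and the encaps/decaps counters in `show crypto ipsec sa` should rise; if Phase 1 never completes, `debug crypto isakmp` shows which proposal or key the responder rejected.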
Authentication of Known Peers
• One-to-one mappings between:
  – Peer IP addresses
  – Shared secret (unique to each peer)
• IKE Phase I Main Mode exchanges:
  1. Negotiate IKE SA and exchange cookies
  2. Diffie-Hellman public values and pseudo-random nonces
  3. Peers identify themselves and exchange authenticating hash
IKE Main Mode
Initiator                         Responder
Hdr, SA Proposals            -->
                             <--  Hdr, Chosen Proposal
Hdr, KE, Nonce               -->
                             <--  Hdr, KE, Nonce
Hdr, IDii, Hash_I            -->
                             <--  Hdr, IDir, Hash_R
IKE SA Established
Messages 5 and 6 are encrypted with keys derived from the Diffie-Hellman exchange, so the identities and authenticating hashes are not visible on the wire.
Coexistence of NAT and IPSec
• IPSec precedes NAT (a NAT device between the peers rewrites packets that are already protected)
  – AH fails because source and/or destination addresses have changed
  – Transport-mode ESP invalidates TCP checksums
  – Invalidates IKE authentication exchange
• NAT precedes IPSec (the router translates before the crypto map is consulted)
  – Crypto triggers do not fire when expected
Dynamic NAT vs Crypto
[Diagram: packet path on the router from the Ethernet interface through NAT, past the crypto ACL on the Dialer interface and into the IPSec tunnel; hosts A1 and A2 inside, B1, B2 and B3 at the far end]
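The dynamic NAT case from the slide, written as an added IOS example (not from the original page): the overload translation on the dialer is made to skip tunnel-bound traffic so that the crypto trigger ACL sees the untranslated inside source address. It assumes a static crypto map named GSMD that references ACL 110 is already applied to Dialer1 (as in the static crypto map slide); interface names, ACL numbers and the map name are assumptions, and the address ranges are those of the selective static NAT example below.

```cisco
! Crypto trigger ACL: remote LAN to campus LAN, matched on the INSIDE addresses.
access-list 110 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! NAT ACL: the first line is the crypto ACL negated, so tunnel-bound traffic
! is never translated; everything else from the LAN is overloaded on Dialer1.
access-list 101 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer1 overload
!
interface Ethernet0
 ip nat inside
!
interface Dialer1
 ip nat outside
 crypto map GSMD
```

Without the deny line in ACL 101, inside-to-outside NAT runs before the crypto map is consulted, the source becomes the dialer's public address, ACL 110 no longer matches and the tunnel never comes up. To check: `show ip nat translations` should show no entries for 192.168.0.0/24 destinations, while the encaps counter in `show crypto ipsec sa` rises when a LAN host talks to the campus.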
Southgate and Capel Manor
• Shared student records database at Southgate
• Database queries & updates over high-speed WAN with crypto.
• Back-up interface using ISDN
Integrating Crypto and Routing
1. Create GRE tunnel interface
2. Routing protocol receives updates over T1 & T2
3. Bind crypto map to T1 and T2
4. Watch out for double fragmentation: GRE encapsulation can push a full-size packet over the MTU, and ESP encapsulation of the resulting fragments fragments them again
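The four steps above as an added IOS example for one end of the Southgate and Capel Manor link (not the colleges' actual configuration): a GRE tunnel carries the routing protocol, the crypto map encrypts the GRE packets themselves, and the tunnel MTU is lowered so that packets are fragmented once, before encapsulation, rather than twice. The WAN addresses 203.0.113.1/.2, the tunnel subnet 172.16.1.0/30, the LAN 10.0.0.0/8 behind this router, the interface names, the EIGRP process number and the names SOUTH/SOUTH-TS are all assumptions.

```cisco
! Step 1: GRE tunnel interface between the two routers.
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
 ip mtu 1400
 ip tcp adjust-mss 1360
 crypto map SOUTH
!
! Step 4: "ip mtu 1400" leaves room for the GRE header (24 bytes) plus the
! ESP overhead, so a 1500-byte inner packet is fragmented here, once, and
! never again after encryption; adjust-mss keeps TCP from ever sending such
! packets through the tunnel in the first place.
!
! Step 3: the map is bound to the tunnel and to the physical interface
! (pre-12.2(13)T IOS required both; later releases accept the physical
! interface alone, or "tunnel protection ipsec profile" on the tunnel).
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map SOUTH
!
! The crypto trigger matches the GRE packets, not the traffic inside them.
access-list 120 permit gre host 203.0.113.1 host 203.0.113.2
!
! Transport mode is enough: GRE already supplies the outer IP header.
crypto ipsec transform-set SOUTH-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map SOUTH 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set SOUTH-TS
 match address 120
!
! Optional on IOS 12.2(13)T and later: fragment before encryption so the far
! router does not have to reassemble ESP fragments before it can decrypt.
crypto ipsec fragmentation before-encryption
!
! Step 2: the routing protocol learns the far LAN over the tunnel.
router eigrp 100
 network 172.16.1.0 0.0.0.3
 network 10.0.0.0
 no auto-summary
```

The ISDN back-up is a second tunnel configured the same way, sourced from the BRI dialer, with the crypto map on both that tunnel and the dialer; the routing protocol prefers the WAN tunnel on metric and fails over when it loses its neighbour. To check fragmentation, `show interfaces Tunnel1` should report the 1400-byte MTU and a ping with the DF bit set and size 1400 through the tunnel should succeed while 1500 is refused.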
Fragmentation Hell
CDD and Physical Installation
CDD: Logical Installation
• Remote peer IP not known
  – Dynamic crypto map
  – IKE Phase 1 uses aggressive mode
• Insecure shared secret (one group key known to every remote user)
  – IKE extended authentication (XAuth) adds per-user credentials
• Central control of remote peer’s config
  – IPSec mode configuration (MODECFG)
Authentication of Unknown Peers
• Pre-shared secret not indexed by IP address (looked up by the identity the remote sends in its first message)
• IKE Phase I Aggressive Mode exchange
• Supplementary authentication of user credentials
IKE Aggressive Mode
Initiator                             Responder
Hdr, SA, KE, Nonce, IDii        -->
                                <--   Hdr, SA, KE, Nonce, IDir, Hash_R
Hdr, Hash_I                     -->
IKE SA Established
Three messages instead of six: IDii and IDir travel in the clear, and Hash_R (keyed with the pre-shared secret) is returned before the initiator has authenticated, so anyone who captures the first two messages can test guesses of the group secret offline. That is why the shared secret alone is treated as insecure and XAuth is layered on top.
CDD: IKE XAuth
• Router → PC
  – ISAKMP_CFG_REQUEST (asks for the user credentials)
• PC → Router
  – ISAKMP_CFG_REPLY (username and password)
• Router → PC
  – ISAKMP_CFG_SET (authentication result)
• PC → Router
  – ISAKMP_CFG_ACK
CDD: Mode Configuration
Remote station configured by router with:
• a private IP address and mask
• a list of local prefixes that will be tunnelled
• a list of local domains and their associated resolvers
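The CDD remote-user design (dynamic crypto map, aggressive mode against a group key, XAuth for user credentials, mode configuration pushing an address, the tunnelled prefixes and DNS) as an added IOS example for the campus router; it is not the Conservatoire's configuration. The group name CDD, the pool, the DNS server 10.0.0.10, the domain cdd.example, the username, the key strings, ACL numbers, interface name, the internal network 10.0.0.0/16 and the names DYN/CDD-TS are assumptions; the local user database stands in for the RADIUS server a real deployment would use.

```cisco
! AAA: XAuth checks user credentials against "userauthen", group attributes
! come from "groupauthor". Both point at the local database here.
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username alice secret ExampleUserPassword1
!
! Phase 1 policy offered to the remote users (algorithms are assumptions).
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Group definition: the pre-shared key is looked up by the group name the
! PC sends as IDii in the first aggressive-mode message, not by its address,
! so the remote's IP need not be known. The same block holds the MODECFG
! attributes pushed to the PC: address pool, resolver, domain, split-tunnel ACL.
crypto isakmp client configuration group CDD
 key ExampleGroupSecret
 pool CDDPOOL
 dns 10.0.0.10
 domain cdd.example
 acl 120
!
ip local pool CDDPOOL 10.0.5.1 10.0.5.254
! Split-tunnel list: only these prefixes are sent through the tunnel.
access-list 120 permit ip 10.0.0.0 0.0.255.255 any
!
crypto ipsec transform-set CDD-TS esp-aes 256 esp-sha-hmac
!
! Dynamic crypto map: no peer address and no trigger ACL, the remote proposes;
! reverse-route injects a host route for each connected client.
crypto dynamic-map DYN 10
 set transform-set CDD-TS
 reverse-route
!
! Tie XAuth, group authorisation and address assignment to the map, then
! hang the dynamic map off it as the last (catch-all) entry.
crypto map CDD client authentication list userauthen
crypto map CDD isakmp authorization list groupauthor
crypto map CDD client configuration address respond
crypto map CDD 10 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 crypto map CDD
```

`debug crypto isakmp` shows the aggressive-mode exchange, then the ISAKMP_CFG_REQUEST/REPLY (XAuth) and the ISAKMP_CFG attributes pushed by mode configuration; `show crypto session` lists each connected user with the address taken from CDDPOOL. The caveat from the aggressive-mode slide still applies: the group key is shared by every user and can be guessed offline from a captured exchange, so XAuth only helps while that key is not known to the attacker. Treat it as low-assurance and rotate it, or move Phase 1 to certificates (`authentication rsa-sig`) so the group key disappears altogether.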
Selective Static NAT
ip nat inside source static 10.0.0.5 212.219.240.225 route-map selective-nat
!
! The deny line keeps traffic bound for the tunnel untranslated so the crypto
! trigger sees the real source; the permit line is needed so the static
! translation still applies to everything else from 10.0.0.5 (an ACL with
! only a deny entry matches nothing, and the route-map would never permit).
access-list 100 deny ip host 10.0.0.5 192.168.0.0 0.0.0.255
access-list 100 permit ip host 10.0.0.5 any
!
route-map selective-nat permit 10
 match ip address 100
Windows Gotchas
• Domain logons over tunnel
  – Kerberos not tunnelled
• Shared secret not supported
  – Registry hack