
Cisco IOS Software Releases 12.2 Special and Early Deployments

IPSec Stateful Failover (VPN High Availability) Feature Module

Table Of Contents

IPSec Stateful Failover (VPN High Availability)

Feature Overview

Reverse Route Injection (RRI)

Hot Standby Router Protocol (HSRP)

Feature Summary

Benefits

Restrictions

Related Features and Technologies

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Configuring HSRP

Enabling HSRP

Configuring HSRP Group Attributes

Configuring HSRP Examples

Configuring an IKE Policy

Configuring IKE Pre-Shared Key

Configuring an IPSec Transform Set

Defining an IPSec Transform Set

IPSec Protocols: AH and ESP

Selecting Appropriate Transforms

The Crypto Transform Configuration Mode

Changing Existing Transforms

Transform Example

Configuring Crypto Access Lists for IPSec Traffic

Creating Crypto Access Lists for IPSec Traffic

Creating Crypto Access List Example

Ensuring That Access Lists Are Compatible with IPSec

Setting Global Lifetimes for IPSec Security Associations

Configuring Crypto Maps

Creating Crypto Map Entries

Configuring Crypto Map Example

Creating Dynamic Crypto Maps

Configuring SSP Communications

Configuring SSP Communications Example

Transferring ISAKMP State

Transferring IPSec State

Global Mode

Applying Crypto Map Sets to Interfaces and Enabling Transferring IPSec State

Applying Crypto Map Sets to Interfaces Example

Configuration Examples

Show Configuration Tasks and Examples

Verifying IKE Configurations

Verifying IPSec Configurations

Verifying IPSec High Availability

Monitoring and Maintaining IPSec Stateful Failover (VPN High Availability)

Displaying SSP Information

Debug Configuration Tasks and Examples

Clearing Dormant SAs on Standby Routers

Debugging

Troubleshooting Tips

Command Reference

clear crypto isakmp ha standby

clear crypto sa ha standby

crypto isakmp ssp

crypto map

crypto map ha

debug crypto isakmp ha

debug crypto ipsec ha

debug ssp

port

remote

redundancy

show crypto ipsec ha

show crypto isakmp ha

show crypto ipsec sa

show ssp

ssp group

Glossary


IPSec Stateful Failover (VPN High Availability)


Feature History

Release        Modification
12.2(11)YX     This feature was introduced.
12.2(11)YX1    This feature was integrated into Cisco IOS Release 12.2(11)YX1.
12.2(14)SU     This feature was integrated into Cisco IOS Release 12.2(14)SU.
12.2(14)SU1    This feature was integrated into Cisco IOS Release 12.2(14)SU1.
12.2(14)SU2    This feature was integrated into Cisco IOS Release 12.2(14)SU2.


This document describes IPSec Stateful Failover (VPN High Availability) in Cisco IOS Release 12.2(14)SU2, 12.2(14)SU1, 12.2(14)SU, 12.2(11)YX1, and 12.2(11)YX, and contains the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Configuration Examples

Show Configuration Tasks and Examples

Debug Configuration Tasks and Examples

Command Reference

Glossary

Feature Overview

IPSec Stateful Failover (VPN High Availability) is a feature that enables a router to continue processing and forwarding packets after a planned or unplanned outage. You can employ a backup (standby) router that automatically takes over the primary (active) router's tasks in the event of an active router failure. The process is transparent to users and to remote IPSec peers. The time that it takes for the standby router to take over depends on HSRP timers.

IPSec Stateful Failover (VPN High Availability) is designed to work in conjunction with Reverse Route Injection (RRI) and Hot Standby Router Protocol (HSRP) with IPSec. When used together, RRI and HSRP provide a more reliable network design for VPNs and reduce configuration complexity on remote peers.

RRI and HSRP are supported together with the restriction that the HSRP configuration on the outside interface uses equal priorities on both routers. As an option, when not using RRI, you can use an HSRP configuration on the LAN side of the network (equal HSRP priority restriction still applies).

Reverse Route Injection (RRI)

RRI is a feature designed to simplify network design for VPNs which require redundancy and routing. RRI works with both dynamic and static crypto maps. When routes are created, they are injected into any dynamic routing protocol and distributed to surrounding devices. This causes traffic flows requiring IPSec to be directed to the appropriate head-end VPN router for transport across the correct security associations (SAs) to avoid IPSec policy mismatches and possible packet loss.

Hot Standby Router Protocol (HSRP)

HSRP is designed to provide high network availability by routing IP traffic from hosts on Ethernet networks without relying on the availability of any single router. By providing network redundancy for IP networks, user traffic immediately and transparently recovers from first hop failures in network edge devices or access circuits.

A network administrator enables HSRP, assigns a virtual IP address, and enables IPSec Stateful Failover (VPN High Availability). After enabling both HSRP and IPSec Stateful Failover, the network administrator uses the show ssp, show crypto ipsec, and show crypto isakmp commands to verify that all processes are running properly. In the event of failover, the standby device takes over ownership of the standby IP address and begins to service remote VPN peers.

The information that the active router transmits to the standby router includes:

IKE cookies stamp

Session keys

Cisco Service Assurance (SA) Agent attributes

Sequence number counter and window state

Kilobyte (KB) lifetime expirations

Dead peer detection (DPD) sequence number updates

Figure 1 shows a sample topology for site-to-site configuration of IPSec Stateful Failover with generic routing encapsulation (GRE), a tunnel interface not tied to specific "passenger" or "transport" protocols. GRE supports multicast traffic, critical for V3PN applications.

Figure 1 Site-to-Site VPN Configuration

There are four possible configurations for the Cisco 7200 series routers using Cisco IOS Release 12.2(14)SU, 12.2(14)SU1, or 12.2(14)SU2:

non-GRE High Availability (HA) with a virtual IP (VIP), or redundancy groups, on the outside and a VIP on the inside (see Figure 2)

non-GRE HA with only VIPs on the outside. The route to the outside is provided by Reverse Route Injection (RRI) (see Figure 3)

GRE HA, with VIPs on the outside and inside faces (see Figure 4)

GRE HA, with only a VIP on the outside, using RRI to inject routes (see Figure 5)

Figure 2 HSRP VIP on Inside and Outside

Figure 3 HSRP VIP on Outside, RRI Injected Routes on Inside

Figure 4 GRE HA with VIPs on the Outside and Inside Faces

Figure 5 GRE HA with Only a VIP on the Outside, Using RRI to Inject Routes

Feature Summary

Table 1 provides a summary of features, by Cisco IOS software release.

Table 1 Feature List Comparison

Feature                        12.2(11)YX  12.2(11)YX1  12.2(14)SU            12.2(14)SU1           12.2(14)SU2
GRE + IPSec Stateful Failover  No          Yes          Yes                   Yes                   Yes
Encrypted Pre-Shared Keys      No          No           Yes                   Yes                   Yes
AES support                    No          No           Pre-shared keys only  Pre-shared keys only  Pre-shared keys only
G1 processor                   No          No           Yes                   Yes                   Yes
VAM                            Yes         Yes          Yes                   Yes                   Yes
VAM2                           No          No           Yes                   Yes                   Yes


Benefits

IPSec VPN tunnels assigned to an active router will automatically be transitioned to a standby router upon any active router failure. Any transition from an active router to a standby router is transparent to peers, and requires no remote peer adjustment or reconfiguration.

Businesses employing IPSec Stateful Failover (VPN High Availability) are 100% redundant with regard to IPSec VPN traffic.

Utilizing IPSec Stateful Failover (VPN High Availability) does not appreciably affect overall router performance.

Generic routing encapsulation (GRE) supports multicast traffic, critical for V3PN applications.

Restrictions

Does not support failover of IKECFG attributes.

Does not support IKE XAUTH states.

Supports just a single VAM/VAM2 card in each active/standby router.

Requires identical security policy configurations on both active and standby routers.

Requires that IKE keepalives not be used; enabling IKE keepalives causes the connection to be torn down after the standby router assumes ownership.

Supports keepalives only with dead peer detection (DPD).

Requires that priority values are equal on both active and standby routers for IP redundancy.

IPSec MIB statistics could be erroneous on the standby router after a failover.

Requires that active and standby routers be connected to an Ethernet interface.

Does not support Cisco VPN Client 3.X client.

Does not support PKI certificates.

Related Features and Technologies

Internet Key Exchange (IKE)

IP Security (IPSec)

Reverse Route Injection (RRI)

Hot Standby Router Protocol (HSRP)

State Synchronization Protocol (SSP)

Related Documents

HSRP Features and Functions

Implementing HSRP in the Enterprise Network

IPSec VPN High Availability Enhancements

Supported Platforms

Cisco 7200 series

Supported Standards, MIBs, and RFCs

Standards

None

MIBs

None

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB web site on Cisco.com at the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

RFCs

None

Prerequisites

You must configure IPSec and IKE on the router and apply a crypto map to all interfaces that require encryption service. See the "Configuration Tasks" section for configuration procedures.

Cisco IOS Release 12.2(14)SU2, 12.2(14)SU1, 12.2(14)SU, 12.2(11)YX1, or Cisco IOS Release 12.2(11)YX

Two Cisco 72xx routers configured with the same Cisco IOS release

HSRP running

Configuration Tasks

See Figure 6 and use the following commands to implement, maintain, and debug IPSec Stateful Failover (VPN High Availability).

Configuring HSRP (required)

Configuring an IKE Policy (required)

Configuring IKE Pre-Shared Key (required)

Configuring an IPSec Transform Set (required)

Configuring Crypto Access Lists for IPSec Traffic (required)

Configuring Crypto Maps (required)

Configuring SSP Communications (required)

Applying Crypto Map Sets to Interfaces and Enabling Transferring IPSec State (required)

Figure 6 Sample Configuration for IPSec Stateful Failover (VPN High Availability)

Configuring HSRP

This section describes the Hot Standby Router Protocol (HSRP) Support for Virtual Private Networks (VPNs) and includes the following sections:

Enabling HSRP

Configuring HSRP Group Attributes

Configuring HSRP Examples

The HSRP Support for VPNs feature ensures that the HSRP virtual IP address is added to the correct IP routing table and not to the default routing table.

Keep in mind the following when configuring HSRP:

Both the inside (private) and outside (public) interfaces must belong to separate HSRP groups. The interfaces then must track each other.

The HSRP state of the inside and outside interfaces of each router must be the same; that is, both must be active or both must be standby. Otherwise there will be a black hole: packets will have no route out of the private network. To avoid having one interface in standby while the other is active, confirm the conditions below:

Standby priorities should be equal on active and standby routers. If they are not, IPSec Stateful failover may or may not occur automatically when the active router fails.

The IP addresses on the HSRP-tracked interfaces on the standby and active routers should both be either lower or higher on one router than the other. In the case of equal priorities (an HA requirement), HSRP will assign the active state based on IP address. If an addressing scheme exists so that the public IP address of router A is lower than the public IP address of router B, but the opposite is true for their private interfaces, an active/standby-standby/active split condition could happen, which will break IPSec connectivity.
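The split condition described above can be checked before the pair is deployed. The following Python script is an added example and is not part of this Cisco document: it models the HSRP election for the inside and outside groups of a router pair and reports unequal priorities, mismatched group numbers, and an active/standby split. It assumes the HSRP tie-break rule (with equal priorities, the router with the numerically higher interface IP address becomes active). Router names and interface addresses are constructed; only the group numbers follow the HSRP example on this page.

```python
"""Check whether two HSRP routers elect the same active router on their
inside and outside groups.  Added example, not Cisco's code.  Election model
assumed: higher priority wins; with equal priorities the numerically higher
interface IP address wins.  All names and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class HsrpInterface:
    group: int           # HSRP group number on this interface
    address: str         # the interface's own address (not the virtual IP)
    priority: int = 100  # HSRP default priority


@dataclass
class Router:
    name: str
    outside: HsrpInterface
    inside: HsrpInterface


def elect_active(a: Router, b: Router, side: str) -> str:
    """Name of the router that becomes active for the group on `side`."""
    ia, ib = getattr(a, side), getattr(b, side)
    if ia.priority != ib.priority:
        return a.name if ia.priority > ib.priority else b.name
    # Equal priorities (the HA requirement): HSRP breaks the tie on IP address.
    return a.name if IPv4Address(ia.address) > IPv4Address(ib.address) else b.name


def check_ha_pair(a: Router, b: Router) -> list:
    """Return the problems found; an empty list means the pair is consistent."""
    problems = []
    for r in (a, b):
        if r.outside.group == r.inside.group:
            problems.append(f"{r.name}: inside and outside must be in separate HSRP groups")
    for side in ("outside", "inside"):
        ia, ib = getattr(a, side), getattr(b, side)
        if ia.group != ib.group:
            problems.append(f"{side}: group numbers differ ({ia.group} vs {ib.group})")
        if ia.priority != ib.priority:
            problems.append(f"{side}: priorities differ ({ia.priority} vs {ib.priority}); "
                            "stateful failover requires equal priorities")
    active_outside = elect_active(a, b, "outside")
    active_inside = elect_active(a, b, "inside")
    if active_outside != active_inside:
        problems.append(f"split: {active_outside} is active outside but "
                        f"{active_inside} is active inside")
    return problems


# Constructed pairs.  Group 1 is the outside group and group 2 the inside
# group, as in the HSRP example on this page; the addresses are made up.
CONSISTENT_A = Router("RouterA", HsrpInterface(1, "40.0.0.2"), HsrpInterface(2, "172.16.31.2"))
CONSISTENT_B = Router("RouterB", HsrpInterface(1, "40.0.0.3"), HsrpInterface(2, "172.16.31.3"))
# Same pair, but A holds the higher public address while B holds the higher private one.
SPLIT_A = Router("RouterA", HsrpInterface(1, "40.0.0.3"), HsrpInterface(2, "172.16.31.2"))
SPLIT_B = Router("RouterB", HsrpInterface(1, "40.0.0.2"), HsrpInterface(2, "172.16.31.3"))

if __name__ == "__main__":
    print("consistent pair:", check_ha_pair(CONSISTENT_A, CONSISTENT_B) or "OK")
    print("split pair:", check_ha_pair(SPLIT_A, SPLIT_B))
```

Run it as-is to see the split reported for the second pair; feed in the real interface addresses and priorities of your own routers to confirm that the same router wins both groups before relying on failover.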

Enabling HSRP

To enable the HSRP on an interface, use the following command in interface configuration mode:

Command
Purpose
Router(config-if)# standby [hsrp-group-number] ip ip-address 

Enables the HSRP.

Repeat this command to enable HSRP on each router.


Configuring HSRP Group Attributes

To configure other HSRP group attributes that affect how the local router participates in HSRP, use one or more of the following commands in interface configuration mode:

Command
Purpose

Router(config-if)# standby [group-number] timers [msec] hellotime [msec] holdtime

Configures the time between hello packets and the hold time before other routers declare the active router to be down.

Router(config-if)# standby [group-number] [priority priority] preempt [delay [minimum | sync] delay]

Sets the Hot Standby priority used in choosing the active router. The priority value range is from 1 to 255, where 1 denotes the lowest priority and 255 denotes the highest priority. Specify that, if the local router has priority over the current active router, the local router should attempt to take its place as the active router. Configure a preemption delay, after which the Hot Standby router preempts and becomes the active router.

Router(config-if)# standby [group-number] track type number [interface-priority]

Configures the interface to track other interfaces, so that if one of the other interfaces goes down, the device's Hot Standby priority is lowered.

Router(config-if)# standby [group-number] name group-name

Configures the standby group name for the interface.

Repeat these commands on each router.


Configuring HSRP Examples

The following example shows how to configure the outside interface:

Router(config)# interface fastEthernet 0/1
Router(config-if)# standby 1 ip 40.0.0.1
Router(config-if)# standby 1 name isp
Router(config-if)# standby 1 timers msec 500 3
Router(config-if)# standby delay minimum 30 reload 60
Router(config-if)# standby 1 preempt
Router(config-if)# standby 1 track fastEthernet 0/0


Note The standby delay command is not essential, but recommended. All other commands are required.


The following example shows how to configure the inside interface:

Router(config)# interface fastEthernet 0/0
Router(config-if)# standby 2 ip 172.16.31.1
Router(config-if)# standby 2 name lan
Router(config-if)# standby 2 timers msec 500 3
Router(config-if)# standby delay minimum 30 reload 60
Router(config-if)# standby 2 preempt
Router(config-if)# standby 2 track fastEthernet 0/1


Note Configure the same commands on Router 2, including the same HSRP priority values (the default is 100) as on Router 1.


Configuring an IKE Policy

If you do not specify a value for a parameter, the default value is assigned. For information on default values, refer to the "IP Security and Encryption" chapter of the Security Command Reference publication.

To configure an IKE policy, use the following commands beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# crypto isakmp policy priority

Defines an IKE policy and enters Internet Security Association Key Management Protocol (ISAKMP) policy configuration (config-isakmp) mode.

Step 2 

Router(config-isakmp)# encryption {des | 3des | aes | aes 192 | aes 256}

Specifies the encryption algorithm within an IKE policy.

des—Specifies 56-bit DES as the encryption algorithm.

3des—Specifies 168-bit DES as the encryption algorithm.

aes—(Not applicable)

aes 192—(Not applicable)

aes 256—(Not applicable)

Step 3 

Router(config-isakmp)# authentication {rsa-sig | rsa-encr | pre-share}

(Optional) Specifies the authentication method within an IKE policy.

rsa-sig—Specifies Rivest, Shamir, and Adelman (RSA) signatures as the authentication method.

rsa-encr—The VPN Acceleration Module (VAM) or VPN Acceleration Module 2 (VAM2) does not support this authentication method.


Note Use RSA signature-based authentication without certificate authority. To do this, apply the same configuration used for rsa-encr, but change the isakmp authentication method to rsa-sig.


pre-share—Specifies preshared keys as the authentication method.

Note If this command is not enabled, the default value (rsa-sig) will be used.

Step 4 

Router(config-isakmp)# lifetime seconds

(Optional) Specifies the lifetime of an IKE security association (SA).

seconds—Number of seconds that each SA should exist before expiring. Use an integer from 60 to 86,400 seconds.

Note If this command is not enabled, the default value (86,400 seconds [one day]) will be used.

Step 5 

Router(config-isakmp)# hash {sha | md5}

(Optional) Specifies the hash algorithm within an IKE policy.

sha—Specifies SHA-1 (HMAC variant) as the hash algorithm.

md5—Specifies MD5 (HMAC variant) as the hash algorithm.

Note If this command is not enabled, the default value (sha) will be used.

Step 6 

Router(config-isakmp)# group {1 | 2 | 5}

(Optional) Specifies the Diffie-Hellman (DH) group identifier within an IKE policy.

1—Specifies the 768-bit DH group.

2—Specifies the 1024-bit DH group.

5—Specifies the 1536-bit DH group.

Note If this command is not enabled, the default value (768-bit) will be used.

Step 7 

Repeat these steps to configure an IKE policy on each router.

For detailed information on creating IKE policies, refer to the "Configuring Internet Key Exchange Security Protocol" chapter in the Security Configuration Guide publication.
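The restriction that active and standby routers carry identical security policy interacts with the defaults noted in the steps above: a policy that omits a parameter silently takes the default, so two configurations that look alike can differ once defaults are filled in, and two that differ only in which defaults were typed out are still identical. The following Python script is an added example, not Cisco's code: it parses the crypto isakmp policy blocks of two configurations, applies the defaults, and lists the effective differences. The defaults for authentication (rsa-sig), lifetime (86,400), hash (sha), and group (1) are the ones stated in the steps above; the encryption default (des) is the IOS default and is not stated on this page. Both configuration snippets are constructed.

```python
"""Compare the effective IKE (ISAKMP) policies of an active and a standby
router after filling in defaults.  Added example, not Cisco's code.  The
authentication, hash, group and lifetime defaults are those given in the
IKE policy steps on this page; the encryption default (des) is assumed from
IOS behaviour.  The configuration snippets are constructed."""

DEFAULTS = {"encryption": "des", "authentication": "rsa-sig",
            "hash": "sha", "group": "1", "lifetime": "86400"}


def parse_isakmp_policies(config_text):
    """Return {priority: {parameter: value}} with defaults filled in for every policy."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[:3] == ["crypto", "isakmp", "policy"]:
            current = policies.setdefault(int(words[3]), dict(DEFAULTS))
        elif raw[:1].isspace() and current is not None and words[0] in DEFAULTS:
            # sub-command inside the policy block, e.g. "encryption 3des"
            current[words[0]] = " ".join(words[1:])
        elif not raw[:1].isspace():
            current = None  # any other top-level command ends the policy block
    return policies


def policy_differences(active_cfg, standby_cfg):
    """Return human-readable differences; an empty list means identical policies."""
    a, s = parse_isakmp_policies(active_cfg), parse_isakmp_policies(standby_cfg)
    diffs = []
    for prio in sorted(set(a) | set(s)):
        if prio not in a or prio not in s:
            diffs.append(f"policy {prio} exists only on {'active' if prio in a else 'standby'}")
            continue
        for param in DEFAULTS:
            if a[prio][param] != s[prio][param]:
                diffs.append(f"policy {prio} {param}: active={a[prio][param]} standby={s[prio][param]}")
    return diffs


# Constructed configuration snippets (EXAMPLE_KEY is a placeholder, not a real key).
ACTIVE_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
!
crypto isakmp key EXAMPLE_KEY address 192.168.3.1
"""
# Same policy with the defaults written out explicitly: identical once parsed.
STANDBY_SAME = """\
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
"""
# The group line was never copied, so the standby silently falls back to group 1.
STANDBY_DRIFT = """\
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
!
"""

if __name__ == "__main__":
    print("same:", policy_differences(ACTIVE_CONFIG, STANDBY_SAME) or "identical")
    print("drift:", policy_differences(ACTIVE_CONFIG, STANDBY_DRIFT))
```

Paste the output of show running-config from each router into the two strings to compare real policies; a non-empty list means a peer that negotiated against the active router's policy may fail to rekey against the standby after failover.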

Configuring IKE Pre-Shared Key

To specify pre-shared keys with a peer, use the following commands in global configuration mode:

 
Command
Purpose

Step 1 

Router (config)# crypto isakmp key keystring address peer-address


or


Router (config)# crypto isakmp key keystring hostname peer-hostname

At the local peer:
Specify the shared key to be used with a particular remote peer.

If the remote peer specified their ISAKMP identity with an address, use the address keyword in this step; otherwise use the hostname keyword in this step.

Step 2 

Router(config)# crypto isakmp key keystring address peer-address


or


Router(config)# crypto isakmp key keystring hostname peer-hostname

At the remote peer:
Specify the shared key to be used with the local peer. This is the same key you just specified at the local peer.

If the local peer specified their ISAKMP identity with an address, use the address keyword in this step; otherwise use the hostname keyword in this step.

Step 3 

Repeat the previous two steps for each remote peer.

Remember to repeat these tasks at each peer that uses pre-shared keys in an IKE policy.

Configuring an IPSec Transform Set

This section includes the following topics:

Defining an IPSec Transform Set (required)

IPSec Protocols: AH and ESP (optional)

Selecting Appropriate Transforms (optional)

The Crypto Transform Configuration Mode (optional)

Changing Existing Transforms (optional)

Transform Example (optional)

A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec protected traffic. During the IPSec security association (SA) negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

Defining an IPSec Transform Set

A transform set is a combination of security protocols and algorithms. During the IPSec security association negotiation, peers agree to use a specific transform set to protect a particular data flow.

To define a transform set, use the following commands, starting in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

transform-set-name
Specify the name of the transform set to create (or modify).

transform1
transform2
transform3

Specify up to three transforms (one is required) that define the IPSec security protocol(s) and algorithm(s). Accepted transform values are described in Table 2.

Step 2 

Router(cfg-crypto-tran)# mode [tunnel | transport]

(Optional) Changes the mode associated with the transform set. The mode setting is only applicable to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. (All other traffic is in tunnel mode only.)

Step 3 

end

Exits crypto transform configuration mode and returns to privileged EXEC (enable) mode.

Step 4 

clear crypto sa
or
clear crypto sa peer {ip-address | peer-name}
or
clear crypto sa map map-name
or
clear crypto sa entry destination-address protocol spi

Clears existing IPSec security associations so that any changes to a transform set take effect on subsequently established security associations (SAs). (Manually established SAs are reestablished immediately.)

Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or entry keywords to clear out only a subset of the SA database.

Step 5 

Repeat these steps to configure IPSec transform sets on each router.

Table 2 shows allowed transform combinations for the AH and ESP protocols.

Table 2 Allowed Transform Combinations

AH Transform (pick up to one)
  ah-md5-hmac    AH with the MD5 (Message Digest 5) (HMAC variant) authentication algorithm
  ah-sha-hmac    AH with the SHA (Secure Hash Algorithm) (HMAC variant) authentication algorithm

ESP Encryption Transform (if an ESP Authentication Transform is used, you must pick one)
  esp-aes        ESP with the 128-bit Advanced Encryption Standard (AES) encryption algorithm (not available with Cisco IOS Release 12.2(14)SU2, 12.2(14)SU1, or 12.2(14)SU)
  esp-des        ESP with the 56-bit Data Encryption Standard (DES) encryption algorithm
  esp-3des       ESP with the 168-bit DES encryption algorithm (3DES or Triple DES)
  esp-null       Null encryption algorithm

ESP Authentication Transform (pick up to one)
  esp-md5-hmac   ESP with the MD5 (HMAC variant) authentication algorithm
  esp-sha-hmac   ESP with the SHA (HMAC variant) authentication algorithm

IP Compression Transform (pick up to one)
  comp-lzs       IP compression with the Lempel-Ziv-Stac (LZS) algorithm


Note AES is not available with Cisco IOS Release 12.2(14)SU2, 12.2(14)SU1 or 12.2(14)SU.


Examples of acceptable transform combinations are as follows:

ah-md5-hmac

esp-des

esp-3des and esp-md5-hmac

ah-sha-hmac and esp-des and esp-sha-hmac

comp-lzs

The parser will prevent you from entering invalid combinations; for example, once you specify an AH transform it will not allow you to specify another AH transform for the current transform set.
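The rules the parser enforces follow directly from Table 2: one to three transforms, at most one from each category, and an ESP authentication transform only alongside an ESP encryption transform. The following Python validator is an added example, not the IOS parser: it applies those rules to a candidate combination, flags esp-aes on the releases the table's note lists as lacking AES, and can parse a crypto ipsec transform-set command line (folding a key-size argument such as "esp-aes 256" into the esp-aes keyword). It accepts only the transform keywords listed in the table; the transform-set names in the tests are taken from this page.

```python
"""Validate an IPSec transform-set combination against the rules of Table 2.
Added example, not Cisco's parser.  Category membership comes from the
table, the release-specific AES rule from the note beneath it."""

# Transform keyword -> category, straight from Table 2.
CATEGORY = {
    "ah-md5-hmac": "AH", "ah-sha-hmac": "AH",
    "esp-des": "ESP encryption", "esp-3des": "ESP encryption",
    "esp-aes": "ESP encryption", "esp-null": "ESP encryption",
    "esp-md5-hmac": "ESP authentication", "esp-sha-hmac": "ESP authentication",
    "comp-lzs": "IP compression",
}
# Releases named in the note under Table 2 as lacking AES.
AES_UNAVAILABLE = {"12.2(14)SU", "12.2(14)SU1", "12.2(14)SU2"}


def validate_transform_set(transforms, release=None):
    """Return a list of error strings; an empty list means the set is acceptable."""
    errors = []
    if not 1 <= len(transforms) <= 3:
        errors.append(f"expected 1 to 3 transforms, got {len(transforms)}")
    chosen = {}  # category -> first transform seen in that category
    for t in transforms:
        cat = CATEGORY.get(t)
        if cat is None:
            errors.append(f"unknown transform {t!r}")
        elif cat in chosen:
            errors.append(f"{t!r} conflicts with {chosen[cat]!r}: only one {cat} transform allowed")
        else:
            chosen[cat] = t
    if "ESP authentication" in chosen and "ESP encryption" not in chosen:
        errors.append(f"{chosen['ESP authentication']!r} requires an ESP encryption transform")
    if release in AES_UNAVAILABLE and "esp-aes" in transforms:
        errors.append(f"esp-aes is not available in Cisco IOS Release {release}")
    return errors


def parse_transform_set_line(line, release=None):
    """Parse 'crypto ipsec transform-set NAME t1 [t2 [t3]]'; return (name, errors).

    A numeric key-size argument after esp-aes (e.g. 'esp-aes 256') is folded
    into the esp-aes keyword so that it counts as a single transform."""
    words = line.split()
    if words[:3] != ["crypto", "ipsec", "transform-set"] or len(words) < 5:
        return None, ["not a crypto ipsec transform-set command"]
    transforms = []
    for w in words[4:]:
        if w.isdigit() and transforms and transforms[-1] == "esp-aes":
            continue  # key-size qualifier; the keyword is already recorded
        transforms.append(w)
    return words[3], validate_transform_set(transforms, release)


if __name__ == "__main__":
    for candidate in (["ah-md5-hmac"], ["esp-3des", "esp-md5-hmac"],
                      ["esp-md5-hmac"], ["ah-md5-hmac", "ah-sha-hmac"]):
        print(candidate, "->", validate_transform_set(candidate) or "OK")
    print(parse_transform_set_line("crypto ipsec transform-set transform-1 esp-aes 256 esp-md5-hmac",
                                   release="12.2(14)SU"))
```

The validator reproduces the combinations the page lists as acceptable and rejects the ones the IOS parser refuses; the release check lets a configuration intended for the SU releases be screened for esp-aes before it is pushed to a router.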

IPSec Protocols: AH and ESP

Both the AH and ESP protocols implement security services for IPSec.

AH provides data authentication and antireplay services.

ESP provides packet encryption and optional data authentication and antireplay services.

ESP encapsulates the protected data—either a full IP datagram (or only the payload)—with an ESP header and an ESP trailer. AH is embedded in the protected data; it inserts an AH header immediately after the outer IP header and before the inner IP datagram or payload. Traffic that originates and terminates at the IPSec peers can be sent in either tunnel or transport mode; all other traffic is sent in tunnel mode. Tunnel mode encapsulates and protects a full IP datagram, while transport mode encapsulates/protects the payload of an IP datagram. For more information about modes, refer to the mode (IPSec) command description.

Selecting Appropriate Transforms

The following tips may help you select transforms that are appropriate for your situation:

If you want to provide data confidentiality, include an ESP encryption transform.

If you want to ensure data authentication for the outer IP header as well as the data, include an AH transform. (Some consider the benefits of outer IP header data integrity to be debatable.)

If you use an ESP encryption transform, also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.

If you want data authentication (either using ESP or AH) you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms. The SHA algorithm is generally considered stronger than MD5 but is slightly slower.

Note that some transforms might not be supported by the IPSec peer.


Note If a user enters an IPSec transform that the hardware (the IPSec peer) does not support, a warning message will be displayed immediately after the crypto ipsec transform-set command is entered.


In cases where you need to specify an encryption transform but do not actually encrypt packets, you can use the esp-null transform.

Suggested transform combinations follow:

esp-aes and esp-sha-hmac

ah-sha-hmac and esp-aes and esp-sha-hmac

The Crypto Transform Configuration Mode

After you issue the crypto ipsec transform-set command, you are put into the crypto transform configuration mode. While in this mode, you can change the mode to tunnel or transport. (These are optional changes.) After you have made these changes, type exit to return to global configuration mode. For more information about these optional changes, refer to the match address (IPSec) and mode (IPSec) command descriptions.

Changing Existing Transforms

If one or more transforms are specified in the crypto ipsec transform-set command for an existing transform set, the specified transforms will replace the existing transforms for that transform set.

If you change a transform set definition, the change is only applied to crypto map entries that reference the transform set. The change will not be applied to existing SAs, but will be used in subsequent negotiations to establish new SAs. If you want the new settings to take effect sooner, you can clear all or part of the SA database by using the clear crypto sa command.

Transform Example

The following example defines two transform sets. The first transform set will be used with an IPSec peer that supports the newer ESP and AH protocols. The second transform set will be used with an IPSec peer that only supports the older transforms.

crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac

The following example is a sample warning message that is displayed when a user enters an IPSec transform that the hardware does not support:

crypto ipsec transform-set transform-1 esp-aes 256 esp-md5-hmac
WARNING:encryption hardware does not support transform
esp-aes 256 within IPSec transform transform-1

Configuring Crypto Access Lists for IPSec Traffic

This section includes the following topics:

Creating Crypto Access Lists for IPSec Traffic (required)

Creating Crypto Access List Example

Ensuring That Access Lists Are Compatible with IPSec (required)

Setting Global Lifetimes for IPSec Security Associations (optional)

See the "Configuring IPSec Network Security" chapter of the Cisco IOS Security Configuration Guide for more information on configuring IPSec.

Creating Crypto Access Lists for IPSec Traffic

Crypto access lists define which IP traffic will be protected by encryption. (These access lists are not the same as regular access lists, which determine what traffic to forward or block at an interface.) For example, access lists can be created to protect all IP traffic between Subnet A and Subnet Y or Telnet traffic between Host A and Host B.

To create crypto access lists, use the following command in global configuration mode:

Step
Command
Purpose

Step 1 

Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [log]


or

Router(config)# ip access-list extended name

access-list-number
Specify an integer from 100 to 199 that you select for the list.

permit
Permits the frame.

deny
Denies the frame.

Specifies conditions to determine which IP packets will be protected (see footnote 1). (Enable or disable crypto for traffic that matches these conditions.)

We recommend that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword.

Step 2 

Add permit and deny statements as appropriate.

Adds permit or deny statements to access lists.

Step 3 

end

Exits the configuration command mode.

Step 4 

Repeat these steps to create access lists on each router.

1 You specify conditions using an IP access list designated by either a number or a name. The access-list command designates a numbered extended access list; the ip access-list extended command designates a named access list.

For detailed information on configuring access lists, refer to the "Configuring IPSec Network Security" chapter in the Cisco IOS Security Configuration Guide publication.

Creating Crypto Access List Example

The following example shows how to create an access list for IPSec traffic on both routers:

access-list 100 permit ip any 192.168.4.0 0.0.0.255

Ensuring That Access Lists Are Compatible with IPSec

IKE uses UDP port 500. The IPSec Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols use protocol numbers 50 and 51. Ensure that your interface access lists are configured so that protocol numbers 50, 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec. In some cases, you might need to add a statement to your access lists to explicitly permit this traffic.
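Whether an interface access list blocks these flows can be checked offline. The following Python script is an added example and not Cisco's code: it parses numbered extended access-list lines of the form used on this page (any, host, and wildcard-mask address specs, optional eq port), evaluates a packet with first-match semantics and the implicit deny, and reports which of ESP (protocol 50), AH (protocol 51) and IKE (UDP 500) a given peer could not reach. The local address passed in is the HSRP virtual IP from the HSRP example on this page, because remote peers address the VIP and the standby router must admit the same traffic once it owns that address; the peer address is the one from the crypto map example. The access lists themselves are constructed.

```python
"""Check that an interface access list admits IPSec control and data traffic
(ESP = IP protocol 50, AH = 51, IKE = UDP 500).  Added example, not Cisco's
code; it models numbered extended ACL lines with first-match semantics and
an implicit deny.  All access lists and addresses are constructed."""
import ipaddress

PROTOCOLS = {"ip": None, "esp": 50, "ahp": 51, "udp": 17, "tcp": 6, "icmp": 1}
PORT_NAMES = {"isakmp": 500}

# The IPSec flows a remote peer sends toward the local (virtual) address.
IPSEC_FLOWS = [("ESP", 50, None), ("AH", 51, None), ("IKE (UDP 500)", 17, 500)]


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (IOS wildcard mask)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    if wildcard == "0.0.0.0":          # IOS: exact host; Python would read a /0 netmask
        return ipaddress.ip_network(addr), i + 2
    if wildcard == "255.255.255.255":  # IOS: any; Python would read a /32 netmask
        return ipaddress.ip_network("0.0.0.0/0"), i + 2
    # ipaddress accepts a host (wildcard) mask in place of a prefix length
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), i + 2


def _port(tokens, i):
    """Parse an optional 'eq <port>' qualifier; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        value = tokens[i + 1]
        return (PORT_NAMES[value] if value in PORT_NAMES else int(value)), i + 2
    return None, i


def parse_ace(line):
    """Parse one 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' line."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported access-list entry: {line}")
    proto = PROTOCOLS[t[3]] if t[3] in PROTOCOLS else int(t[3])
    src, i = _parse_addr(t, 4)
    _sport, i = _port(t, i)        # source port parsed but not used here
    dst, i = _parse_addr(t, i)
    dport, i = _port(t, i)
    return {"action": t[2], "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for a packet: first match wins, implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] is not None and ace["proto"] != proto:
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


def blocked_ipsec_flows(acl_lines, local_vip, peer):
    """Names of the IPSec flows from `peer` to `local_vip` that the ACL would drop."""
    return [name for name, proto, port in IPSEC_FLOWS
            if evaluate(acl_lines, proto, peer, local_vip, port) == "deny"]


# Constructed: an interface ACL that admits only SSH and silently breaks IKE and IPSec.
BLOCKING_ACL = [
    "access-list 101 permit tcp any host 40.0.0.1 eq 22",
    "access-list 101 deny ip any any",
]
# Same policy with the explicit permits the text calls for, scoped to the peer.
FIXED_ACL = [
    "access-list 101 permit esp host 192.168.3.1 host 40.0.0.1",
    "access-list 101 permit ahp host 192.168.3.1 host 40.0.0.1",
    "access-list 101 permit udp host 192.168.3.1 host 40.0.0.1 eq isakmp",
    "access-list 101 permit tcp any host 40.0.0.1 eq 22",
    "access-list 101 deny ip any any",
]

if __name__ == "__main__":
    for label, acl in (("blocking", BLOCKING_ACL), ("fixed", FIXED_ACL)):
        print(label, "blocks:", blocked_ipsec_flows(acl, "40.0.0.1", "192.168.3.1") or "nothing")
```

Run the check once per router of the HA pair with the same VIP: an entry that exists only on the active router's interface ACL is exactly the kind of difference that surfaces only after failover.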

Setting Global Lifetimes for IPSec Security Associations

You can change the global lifetime values which are used when negotiating new IPSec security associations. (These global lifetime values can be overridden for a particular crypto map entry).

These lifetimes only apply to security associations established via IKE. Manually established security associations do not expire.

To change a global lifetime for IPSec security associations, use one or more of the following commands in global configuration mode:

Step
Command
Purpose

Step 1 

Router(config)# crypto ipsec security-association lifetime seconds seconds

Changes the global "timed" lifetime for IPSec SAs.

This command causes the security association to time out after the specified number of seconds have passed.

Step 2 

Router(config)# crypto ipsec security-association lifetime kilobytes kilobytes

Changes the global "traffic-volume" lifetime for IPSec SAs.

This command causes the security association to time out after the specified amount of traffic (in kilobytes) have passed through the IPSec "tunnel" using the security association.

Step 3 

Router(config)# clear crypto sa


or

Router(config)# clear crypto sa peer {ip-address | peer-name}


or

Router(config)# clear crypto sa map map-name


or

Router (config)# clear crypto sa entry destination-address protocol spi

(Optional) Clears existing security associations. This causes any existing security associations to expire immediately; future security associations will use the new lifetimes. Otherwise, any existing security associations will expire according to the previously configured lifetimes.

Note Using the clear crypto sa command without parameters will clear out the full SA database, which will clear out active security sessions. You may also specify the peer, map, or entry keywords to clear out only a subset of the SA database. For more information, see the clear crypto sa command.

Step 4 

Repeat these steps to set global lifetimes for IPSec security associations on each router.

Configuring Crypto Maps

You can apply only one crypto map set to a single interface. The crypto map set can include a combination of IPSec/IKE and IPSec/manual entries. Multiple interfaces can share the same crypto map set if you want to apply the same policy to multiple interfaces.

This section includes the following topics:

Creating Crypto Map Entries (required)

Configuring Crypto Map Example

Creating Dynamic Crypto Maps (optional)

Creating Crypto Map Entries

To create crypto map entries that use IKE to establish the security associations, use the following commands, starting in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# crypto map map-name seq-num ipsec-isakmp

Create the crypto map and enter crypto map configuration mode.

Step 2 

Router(config-crypto-m)# set peer {hostname | ip-address}

Specify a remote IPSec peer. This is the peer to which IPSec-protected traffic can be forwarded.

Repeat for multiple remote peers.

Step 3 

Router(config-crypto-m)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]

Specify which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority (highest priority first).

Step 4 

Router(config-crypto-m)# match address access-list-id

Specify an extended access list. This access list determines which traffic is protected by IPSec and which is not.

Step 5 

Repeat these steps to create additional crypto maps on each router.

Configuring Crypto Map Example

The following example shows a crypto map configuration:


crypto map SDM_CMAP_1 1 ipsec-isakmp
	description Tunnel to 192.168.3.1
	set peer 192.168.3.1
	set transform-set SDM_TRASNFORMSET_1
	match address 100

Creating Dynamic Crypto Maps

A dynamic crypto map entry is a crypto map entry with some parameters not configured. The missing parameters are later configured dynamically (as the result of an IPSec negotiation). Dynamic crypto maps are only available for use with ISAKMP.

Dynamic crypto map entries are grouped into sets. A set is a group of dynamic crypto map entries all with the same dynamic-map-name, each with a different dynamic-seq-num.

To create a dynamic crypto map entry, use the following commands starting in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num

Creates a dynamic crypto map entry.

Step 2 

Router(config-crypto-m)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]

Specifies which transform sets are allowed for the crypto map entry. List multiple transform sets in order of priority (highest priority first).

This is the only configuration statement required in dynamic crypto map entries.

Step 3 

Router(config-crypto-m)# match address access-list-id

(Optional) Specifies the number or name of an extended access list. This access list determines which traffic is protected by IPSec and which is not, in the context of this crypto map entry.

Note Although access lists are optional for dynamic crypto maps, they are highly recommended.

If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list.

If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets. This is similar to static crypto maps because they also require that an access list be specified.

Care must be taken if the any keyword is used in the access list, because the access list is used for packet filtering as well as for negotiation.

Step 4 

Router(config-crypto-m)# set peer {hostname | ip-address}

(Optional) Specifies a remote IPSec peer. Repeat for multiple remote peers.

This is rarely configured in dynamic crypto map entries. Dynamic crypto map entries are often used for unknown remote peers.

Step 5 

Router(config-crypto-m)# set security-association lifetime seconds seconds

and

Router(config-crypto-m)# set security-association lifetime kilobytes kilobytes

(Optional) If you want the security associations for this crypto map to be negotiated using shorter IPSec security association lifetimes than the globally specified lifetimes, specify a key lifetime for the crypto map entry.

Step 6 

Router(config-crypto-m)# set pfs [group1 | group2]

(Optional) Specifies that IPSec should ask for perfect forward secrecy when requesting new security associations for this crypto map entry or should demand perfect forward secrecy in requests received from the IPSec peer.

Step 7 

Router(config-crypto-m)# exit

Exits crypto map configuration mode and returns to global configuration mode.

Step 8 

Repeat these steps to create dynamic crypto maps on each router, as required.

To add a dynamic crypto map set into a crypto map set, use the following command in global configuration mode:

Command
Purpose

Router(config)# crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name

Adds a dynamic crypto map set to a static crypto map set.
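As an added illustration (not part of the Cisco document), a small Python linter that applies the rules stated in the static and dynamic crypto map procedures above to a constructed configuration excerpt: the statements each entry type requires, an access list that is missing or empty (all packets dropped), the any keyword in a crypto access list, and a static entry that references an undefined dynamic map set. The map, transform set and ACL names and the addresses are hypothetical.

```python
import re
# Constructed sample config in the style of this section (hypothetical names and addresses).
SAMPLE_CONFIG = """
access-list 100 permit ip any any
crypto dynamic-map DYN_1 10
 set transform-set TS_1
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set TS_1
 match address 100
crypto map CMAP 2 ipsec-isakmp
 match address 150
crypto map CMAP 3 ipsec-isakmp dynamic DYN_1
"""

def parse(config):
    """Return (acls, entries): ACL id -> ACE lines, and one dict per crypto map entry."""
    acls, entries, cur = {}, [], None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line.startswith("access-list "):
            _, acl, ace = line.split(None, 2)
            acls.setdefault(acl, []).append(ace)
        elif (m := re.match(r"crypto (dynamic-map|map) (\S+) (\d+)(?: ipsec-isakmp)?(?: dynamic (\S+))?$", line)):
            cur = {"kind": m[1], "name": m[2], "seq": m[3], "dyn": m[4], "attrs": {}}
            entries.append(cur)
        elif cur is not None:  # sub-mode line; key is e.g. "set peer", "match address", "description"
            k, v = re.match(r"((?:set|match) \S+|\S+) ?(.*)", line).groups()
            cur["attrs"].setdefault(k, []).append(v)
    return acls, entries

def lint(config):  # findings for entries that break the rules stated in this section
    acls, entries = parse(config)
    dyn_sets = {e["name"] for e in entries if e["kind"] == "dynamic-map"}
    out = []
    for e in entries:
        tag, a = f'{e["kind"]} {e["name"]} {e["seq"]}', e["attrs"]
        if e["dyn"]:  # static entry that only pulls in a dynamic set
            if e["dyn"] not in dyn_sets:
                out.append(f"{tag}: undefined dynamic map set {e['dyn']}")
            continue
        need = ["set transform-set"] + (["set peer", "match address"] if e["kind"] == "map" else [])
        out += [f"{tag}: missing {k}" for k in need if k not in a]
        if e["kind"] == "dynamic-map" and "match address" not in a:
            out.append(f"{tag}: no match address; any peer-proposed data flow is accepted")
        for acl in a.get("match address", []):
            if not acls.get(acl):
                out.append(f"{tag}: access list {acl} missing or empty; all packets dropped")
            elif any(" any " in f" {ace} " for ace in acls[acl]):
                out.append(f"{tag}: access list {acl} uses 'any'; it also filters packets")
    return out
```

Running lint(SAMPLE_CONFIG) reports five findings: the dynamic entry without an access list, the any ACL on entry 1, the two missing statements and the undefined ACL 150 on entry 2.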


Configuring SSP Communications

Use the following commands to enable and debug SSP:

Command
Purpose

Router(config)# ssp group group

Specifies the SSP group (channel) used to communicate HA information and enters SSP group configuration mode.


Router(config-ssp-group)# redundancy name

Identifies the HSRP group.


Router(config-ssp-group)# remote ipaddr

Identifies peer that will receive HA transmissions.


Router(config-ssp-group)# port tcp-port

Identifies the TCP port for SSP communications.


Router# show ssp [packet | peers | redundancy | clients]

Displays SSP-related information.


Router# debug ssp [fsm | socket | packet | peers | redundancy | config]

Enables SSP debugging.

Configuring SSP Communications Example

The following example shows an SSP communications configuration on each HA router:

Router 1:

ssp group 1
	remote 172.16.31.6
	redundancy ISP
	redundancy LAN

Router 2:

ssp group 1
	remote 172.16.31.100
	redundancy ISP
	redundancy LAN

Transferring ISAKMP State

Use the following commands, starting in global configuration mode, to enable SSP state transfers for ISAKMP:

 
Command
Purpose

Step 1 

Router(config)# crypto isakmp ssp id

Enables ISAKMP state to be transferred by the SSP channel described by the ID. If this feature is disabled, all dormant SA entries bound to that ID on the standby router will be removed and any new state entries will not be added.

Step 2 

Router# show crypto isakmp ha [standby | active]

Displays the ISAKMP standby or active SAs. Standby ISAKMP SAs are not currently in use but would be used if the router becomes active. Active ISAKMP SAs are those currently in use.

Step 3 

Repeat the previous two steps for each remote peer.

Transferring IPSec State

Use the following command in global configuration mode to transfer IPSec state from the active router to the standby router:

Global Mode

 
Command
Purpose

Router(config)# crypto map name ha replay-interval inbound inbound interval outbound