Security is a vital consideration when designing a bridged wireless link between Ethernet segments. This document demonstrates how to secure the traffic crossing a bridged wireless link by the use of an IPSEC tunnel.
In this example, two Cisco Aironet 350 Series Bridges establish WEP; the two routers set up an IPSEC tunnel.
Before attempting this configuration, ensure that you are comfortable with the use of these:
Cisco Aironet Bridge configuration interface
Cisco IOS command line interface
The information in this document is based on these software and hardware versions:
Cisco 2600 Series routers running IOS version 12.1
Cisco Aironet 350 Series Bridges running firmware version 11.08T
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Cisco Aironet 340, 350, and 1400 Series Bridges provide up to 128-bit WEP encryption. This cannot be relied upon for secure connectivity due to well-known problems in WEP algorithms and the ease of exploitation, as described in Security of the WEP algorithm and in the Cisco Aironet Response to Press - Flaws in 802.11 Security.
One method of increasing the security of traffic passed across a wireless bridged link is to create an encrypted router-to-router IPSEC tunnel that crosses the link. This works because bridges operate at layer 2 of the OSI model. You can run IPSEC router-to-router over the connection between the bridges.
If the security of the wireless link is breached, the traffic it contains remains encrypted and secure.
For more information on document conventions, see the Cisco Technical Tips Conventions.
This section presents information to configure the features described in this document.
Note: To find additional information on the commands used in this document, use the IOS Command Lookup tool.
This document uses the network setup shown in this diagram:
This document uses these configurations:
|RouterA (Cisco 2600 Router)|
RouterA#show running-config Building configuration... Current configuration : 1258 bytes ! version 12.1 no service single-slot-reload-enable no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname RouterA ! logging rate-limit console 10 except errors ! ip subnet-zero no ip finger ip dhcp excluded-address 10.1.1.20 ip dhcp excluded-address 10.1.1.30 ! ip dhcp pool wireless network 10.1.1.0 255.255.255.0 ! ip audit notify log ip audit po max-events 100 call rsvp-sync ! crypto isakmp policy 10 hash md5 authentication pre-share crypto isakmp key cisco address 10.1.1.30 ! ! crypto ipsec transform-set set esp-3des esp-md5-hmac ! crypto map vpn 10 ipsec-isakmp set peer 10.1.1.30 set transform-set set match address 120 ! interface Loopback0 ip address 184.108.40.206 255.255.255.0 ! interface Ethernet0 ip address 10.1.1.20 255.255.255.0 crypto map vpn ! ! ip classless ip route 0.0.0.0 0.0.0.0 10.1.1.30 no ip http server no ip http cable-monitor ! access-list 120 permit ip 220.127.116.11 0.0.0.255 18.104.22.168 0.0.0.255 ! ! line con 0 transport input none line vty 0 4 ! end
|RouterB (Cisco 2600 Router)|
RouterB#show running-config Building configuration... Current configuration : 1177 bytes ! version 12.1 no service single-slot-reload-enable no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname RouterB ! logging rate-limit console 10 except errors ! ip subnet-zero no ip finger ! ip audit notify log ip audit po max-events 100 call rsvp-sync crypto isakmp policy 10 hash md5 authentication pre-share crypto isakmp key cisco address 10.1.1.20 ! ! crypto ipsec transform-set set esp-3des esp-md5-hmac ! crypto map vpn 10 ipsec-isakmp set peer 10.1.1.20 set transform-set set match address 120 interface Loopback0 ip address 22.214.171.124 255.255.255.0 ! interface Ethernet0 ip address 10.1.1.30 255.255.255.0 no ip mroute-cache crypto map vpn ! ip classless ip route 0.0.0.0 0.0.0.0 10.1.1.20 no ip http server no ip http cable-monitor ! access-list 120 permit ip 126.96.36.199 0.0.0.255 188.8.131.52 0.0.0.255 ! ! line con 0 transport input none line vty 0 4 login ! end
|Cisco Aironet Bridges|
This section provides information you can use to confirm your configuration is working properly.
show crypto engine connections active - this command is used to view the current active encrypted session connections
RouterA#show crypto engine connection active ID Interface IP-Address State Algorithm Encrypt Decrypt 1 Ethernet0 10.1.1.20 set HMAC_MD5+DES_56_CB 0 0 2002 Ethernet0 10.1.1.20 set HMAC_MD5+3DES_56_C 0 3 2003 Ethernet0 10.1.1.20 set HMAC_MD5+3DES_56_C 3 0 RouterB#show crypto engine connection active ID Interface IP-Address State Algorithm Encrypt Decrypt 1 <none> <none> set HMAC_MD5+DES_56_CB 0 0 2000 Ethernet0 10.1.1.30 set HMAC_MD5+3DES_56_C 0 3 2001 Ethernet0 10.1.1.30 set HMAC_MD5+3DES_56_C 3 0
This section provides information you can use to troubleshoot your configuration.
To troubleshoot IPSEC connectivity, refer to:
For troubleshooting the wireless connection, refer to:
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.