How does IPSec enforce anti-replay?
IPSec VPNs automatically put sequence numbers on packets that are sent through the tunnel. If a packet arrives with the same sequence number as a previous packet, it is dropped because the receiving end believes it has already processed the packet.
Which command shows IKE Phase 1 policies on a router?
# show crypto isakmp policy
Which command shows details of a crypto map and the contents of an IKE Phase 2 transform set?
# show crypto map
What command will show you the details of an IKE Phase 1 tunnel?
# show crypto isakmp sa detail
What command would you use to get more details on an IKE Phase 2 tunnel?
# show crypto ipsec sa
What is another command that will show if IPsec encryption / decryption is working?
# show crypto engine connections active
How many "tunnels" are actually set up once IPSec is passing VPN traffic on a site-to-site link?
There are actually 3:
One is for IKE Phase 1 traffic (secure communication between the two peers); it is bidirectional.
One is for outbound traffic from Peer A to Peer B.
The other is for inbound traffic from Peer B back to Peer A.
What are the two modes that IKE Phase 1 uses to create the management tunnel between peers?
Main mode and aggressive mode. Main mode is usually preferred because it is more secure.
What are the DH Group encryption key sizes?
DH Group 1 = 768 bits
DH Group 2 = 1024 bits
DH Group 5 = 1536 bits
NOTE: there are no DH3 or DH4.
What does HAGLE stand for when referring to IKE Phase 1 negotiation?
H = Hash algorithm (MD5, SHA)
A = Authentication method (PSK or Digital Certs)
G = Diffie-Hellman Group (DH1, DH2, DH5)
L = Lifetime, how long until the IKE Phase 1 tunnel should be torn down (seconds or kilobytes)
E = Encryption algorithm (DES, 3DES, AES)
When referring to HAGLE and IKE Phase 1 setup, which parameter can be different (and still have the tunnel come up)?
L (Lifetime). If this is different on each end, the shorter of the two lifetimes will be used.
What is the mode in which the IKE Phase 2 tunnel is built called?
What is a more proper term for the tunnels that are created by VPN peers?
Security Associations (SAs)
What are the policies used for IKE Phase 2 negotiations called?
What is a crypto ACL?
A crypto ACL is used to identify traffic that should be encrypted and sent over a VPN tunnel.
NOTE: crypto ACLs are not applied directly to interfaces but are referenced by a policy called a crypto map. The crypto map is applied to an interface.
How would you set up IKE Phase 1 parameters via the command line?
# crypto isakmp policy 1
(1 is the policy number, this can be almost anything)
Once in (config-isakmp) mode you can configure the HAGLE options.
(config-isakmp)# authentication pre-share (PSK)
(config-isakmp)# hash md5 (MD5 hashing)
(config-isakmp)# group 5 (Diffie-Hellman Group 5)
(config-isakmp)# lifetime 3600 (tear down tunnel in 1 hr)
(config-isakmp)# encr aes 128 (AES 128-bit encryption)
So you set up an IKE Phase 1 policy that is supposed to use PSKs for authentication; how do you set up the actual PSK?
Check that your isakmp policy is set to require pre-shared keys.
# show crypto isakmp policy
Check where it says authentication method: Pre-shared key
Then in global configuration mode:
(config)# crypto isakmp key pass123 address 220.127.116.11
This configures a PSK of pass123 to authenticate with the VPN peer at 220.127.116.11
How do you configure the IKE Phase 2 tunnel parameters for IPSec?
(config)# crypto ipsec transform-set MYSET esp-sha-hmac esp-aes 256
The above command would create a transform set called "MYSET" and would require SHA hashing and AES 256 bit encryption.
*** don't forget to enable "tunnel" mode for the IPSec tunnel to actually encrypt and pass traffic on the clients' behalf!
(cfg-crypto-trans)# mode tunnel
What two modes will IKE Phase 2 tunnels operate in?
Tunnel Mode - this is the most common usage, as in this mode the VPN peer will encrypt and pass packets on the behalf of clients sending through this peer device.
Transport Mode - rarely used; this mode is for when only the two peers themselves (for example two routers) are going to communicate directly with each other.
How do you create a crypto map to use an ACL to identify traffic that should be encrypted through the VPN tunnel?
(config)# crypto map MYMAP 1 ipsec-isakmp
This creates a map called MYMAP (sequence number 1) and requests the services of ISAKMP.
Here's how to use the ACL to match traffic:
(config-crypto-map)# match address 100 (100 is the extended ACL number)
If the traffic is matched, use this transform set:
(config-crypto-map)# set transform-set MYSET
(config-crypto-map)# set peer 22.214.171.124
What does ISAKMP stand for?
Internet Security Association Key Management Protocol