DMVPN and IPSEC

IPSec can provide four important services: confidentiality, data integrity, authentication, and anti-replay protection. Each service can be described as follows:
• Confidentiality is attained through packet encryption, which prevents packets from being read if they are intercepted.
• IPSec uses hash-based checksums to provide data integrity. These allow the receiver to verify that transmitted data was received without changes or alterations.
• IPSec authentication ensures that communication is only with the desired partner by enabling the receiver to verify the source of the packets it receives.
• Anti-replay protection verifies that each packet received is unique, not duplicated, by assigning a sequence number to each packet. Anti-replay protection causes duplicate and late packets to be dropped.
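To make the anti-replay behaviour concrete, here is an added example (not part of the original page) of the sliding-window check an IPSec receiver performs: a bitmap of recently seen sequence numbers, advanced whenever a newer packet arrives, so that duplicates and packets older than the window are dropped. The window size, the sequence numbers and the three result labels are assumptions chosen for the illustration.

```python
class AntiReplayWindow:
    """Sliding-window replay check as used by ESP receivers.

    top    - highest sequence number accepted so far
    bitmap - bit i set means sequence number (top - i) has been seen
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq):
        # A real receiver runs this only after the packet's integrity check
        # passed, otherwise an attacker could poison the window with garbage.
        if seq == 0:
            return "reject-invalid"          # sequence number 0 is never valid
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1              # everything old falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "reject-too-old"          # arrived too late to be checked
        if self.bitmap & (1 << offset):
            return "reject-replay"           # already received once
        self.bitmap |= 1 << offset           # late but first time seen: accept
        return "accept"


def simulate(sequence_numbers, size=64):
    """Feed a constructed stream of sequence numbers through one window."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in sequence_numbers]


if __name__ == "__main__":
    # Constructed stream: in-order packets, one duplicate, one reordered
    # packet, then a jump far ahead followed by a very old packet.
    for seq, verdict in zip([1, 2, 3, 2, 5, 4, 70, 3], simulate([1, 2, 3, 2, 5, 4, 70, 3], size=8)):
        print(f"seq {seq:>3}: {verdict}")
```

The reordered packet (4 arriving after 5) is still accepted because it falls inside the window and has not been seen; the duplicate and the stale packet are dropped, which is exactly the behaviour described above.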

IKE policies define the parameters used during IKE negotiation. The ISAKMP protocol is used to define an IKE policy for phase 1 negotiations. Each policy is uniquely identified by the priority parameter given when the policy is created. The group parameter in the policy selects the Diffie-Hellman group that peers use to derive a shared secret key without transmitting it to each other. The configured hash algorithm ensures data integrity and lets the receiver verify the source of the packet and that it has not been modified in transit.
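The "derive a shared secret without transmitting it" step is a Diffie-Hellman exchange. The following added example (illustration only, not code from the page or from Cisco IOS) walks through it with a constructed toy modulus so the arithmetic is visible: each side sends only its public value, and both compute the same secret locally. The group-size table is the standard IKE MODP group list; the toy prime, generator and private values are assumptions for the demonstration.

```python
import hashlib

# Bit length of the fixed primes behind common IKE MODP groups
# (groups 1 and 2 from RFC 2409, groups 5 and 14 from RFC 3526).
MODP_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}

# Constructed toy parameters; real groups use the primes sized above.
TOY_P = 23
TOY_G = 5


def dh_public(p, g, private):
    """The value a peer actually sends on the wire: g^private mod p."""
    return pow(g, private, p)


def dh_shared(p, peer_public, private):
    """Computed locally by each peer from the other side's public value."""
    return pow(peer_public, private, p)


def exchange(p, g, priv_hub, priv_spoke):
    """Run one hub/spoke exchange and report what crossed the wire."""
    pub_hub = dh_public(p, g, priv_hub)
    pub_spoke = dh_public(p, g, priv_spoke)
    return {
        "on_the_wire": (pub_hub, pub_spoke),          # all an eavesdropper sees
        "hub_secret": dh_shared(p, pub_spoke, priv_hub),
        "spoke_secret": dh_shared(p, pub_hub, priv_spoke),
    }


def derive_key(shared_secret, hash_name="sha256"):
    """Stand-in for the IKE PRF step: hash the shared secret into key material."""
    return hashlib.new(hash_name, str(shared_secret).encode()).hexdigest()


def group_is_adequate(group, minimum_bits=2048):
    """Flag IKE groups whose modulus is below the chosen minimum."""
    return MODP_GROUP_BITS.get(group, 0) >= minimum_bits


if __name__ == "__main__":
    result = exchange(TOY_P, TOY_G, priv_hub=6, priv_spoke=15)
    print("transmitted:", result["on_the_wire"])
    print("hub secret:", result["hub_secret"], "spoke secret:", result["spoke_secret"])
    print("derived key:", derive_key(result["hub_secret"])[:16], "...")
    for g in (1, 2, 5, 14):
        print(f"group {g}: {MODP_GROUP_BITS[g]} bits, adequate={group_is_adequate(g)}")
```

The `group #` line in the policy below picks one of these groups; the size table makes clear why a practitioner would avoid group 1 (768-bit modulus) in a new deployment.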

Configuration example (hub):
(config)#crypto isakmp policy #
(config-isakmp)#hash md5
(config-isakmp)#authentication pre-share
(config-isakmp)#group #

On Hub, issue the following command to define a preshared key of dmvpnkey that will be used to authenticate all remote peers:
(config)#crypto isakmp key dmvpnkey address 0.0.0.0

On Hub, issue the following commands to define an IPSec transform set named dmvpnset that selects ESP with AES-256 encryption and SHA-512 HMAC authentication, in transport mode:
(config)#crypto ipsec transform-set dmvpnset esp-aes 256 esp-sha512-hmac
(cfg-crypto-trans)#mode transport

The IPSec profile collects the settings used to protect traffic with the configured peers. On Hub, issue the following commands to define a crypto profile named dmvpnprofile that specifies the IPSec transform set dmvpnset:
(config)#crypto ipsec profile dmvpnprofile
(ipsec-profile)#set transform-set dmvpnset

On Hub, issue the following commands to assign the IPSec profile named dmvpnprofile to the Tunnel 0 interface:
(config)#interface tunnel 0
(config-if)#ip mtu 1400
(config-if)#ip tcp adjust-mss 1360
(config-if)#tunnel protection ipsec profile dmvpnprofile


Configuration example (spoke):

(config)#crypto isakmp policy 5
(config-isakmp)#hash md5
(config-isakmp)#authentication pre-share
(config-isakmp)#group 1

Issue the following command to define a preshared key of dmvpnkey that will be used to authenticate all remote peers:
(config)#crypto isakmp key dmvpnkey address 0.0.0.0

Issue the following commands to define an IPSec transform set named dmvpnset that selects ESP with AES-256 encryption and SHA-512 HMAC authentication, in transport mode:
(config)#crypto ipsec transform-set dmvpnset esp-aes 256 esp-sha512-hmac
(cfg-crypto-trans)#mode transport

Issue the following commands to define a crypto profile named dmvpnprofile that specifies the IPSec transform set dmvpnset:
(config)#crypto ipsec profile dmvpnprofile
(ipsec-profile)#set transform-set dmvpnset

Issue the following commands to assign the IPSec profile named dmvpnprofile to the Tunnel 0 interface:
(config)#interface tunnel 0
(config-if)#ip mtu 1400
(config-if)#ip tcp adjust-mss 1360
(config-if)#tunnel protection ipsec profile dmvpnprofile

Verify the result on either router with:
show crypto ipsec sa
show crypto isakmp policy
show crypto ipsec profile
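Beyond the show commands, a practitioner usually wants to audit the running configuration for the weak choices that these examples leave open (the `hash md5` and `group 1` lines in the phase 1 policy, and a pre-shared key accepted from `address 0.0.0.0`, i.e. any peer). The following added script is not part of the page or of Cisco IOS; it runs a few simple checks over a constructed copy of the configuration above, with the policy and group placeholders filled in as in the spoke example. The weakness lists are assumptions chosen for this illustration, not a complete policy.

```python
# Constructed sample: the configuration from this page in running-config form.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 1
crypto isakmp key dmvpnkey address 0.0.0.0
crypto ipsec transform-set dmvpnset esp-aes 256 esp-sha512-hmac
 mode transport
crypto ipsec profile dmvpnprofile
 set transform-set dmvpnset
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile dmvpnprofile
"""

# Assumed thresholds for this illustration: DH groups under 2048 bits,
# MD5 as the phase 1 hash, and legacy ESP transforms.
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_HASHES = {"md5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def audit(config_text):
    """Return (line_number, message) findings for a running-config string."""
    findings = []
    policy = None  # priority of the isakmp policy whose sub-mode we are inside
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        tokens = line.split()
        if not tokens:
            continue
        if not raw.startswith(" "):
            policy = None  # an unindented line ends any sub-mode
        if line.startswith("crypto isakmp policy "):
            policy = tokens[3]
        elif policy and tokens[0] == "hash" and tokens[1] in WEAK_HASHES:
            findings.append((lineno, f"isakmp policy {policy}: weak hash {tokens[1]}"))
        elif policy and tokens[0] == "group" and tokens[1] in WEAK_DH_GROUPS:
            findings.append((lineno, f"isakmp policy {policy}: weak DH group {tokens[1]}"))
        elif line.startswith("crypto isakmp key ") and "address 0.0.0.0" in line:
            findings.append((lineno, "pre-shared key is accepted from any peer address"))
        elif line.startswith("crypto ipsec transform-set "):
            for transform in tokens[4:]:
                if transform in WEAK_TRANSFORMS:
                    findings.append((lineno, f"transform-set {tokens[3]}: legacy transform {transform}"))
    return findings


if __name__ == "__main__":
    for lineno, message in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {message}")
```

Run against the sample, the script reports the MD5 hash, DH group 1 and the wildcard key; the AES-256/SHA-512 transform set passes. Feeding it the output of `show running-config` captured from a real device works the same way, since the checks only look at the command lines shown on this page.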
