Configuring Site-to-Site IPsec Without IKE (Manual IPsec)

As was stated at the beginning of this chapter, IPsec can work without IKE.

www.syngress.com

370 Chapter 7 • Configuring Virtual Private Networking

In this case, all IPsec SAs are established manually. This configuration is more difficult to scale and requires knowledge of the IP addresses or DNS names of all peers. There is also no possibility of reestablishing the SAs, and there is no SA lifetime negotiation or PFS. The main configuration differences with pre-shared key IKE, for example, are:

• No IKE negotiation is involved.

• When creating a crypto map entry, specify ipsec-manual instead of ipsec-isakmp.

• The crypto map configuration must specify the encryption and/or authentication keys used for ESP and AH for each tunnel.

Let's briefly go through the configuration of a manual IPsec tunnel between PIX1 and PIX2. We assume that all previous IPsec configuration has been deleted on both firewalls. The first few steps are the same as with IKE (permitting IPsec traffic, defining crypto access lists, creating transform sets, and enabling NAT bypass):

PIX1(config)# sysopt connection permit-ipsec
PIX1(config)# access-list crypto1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
PIX1(config)# crypto ipsec transform-set myset esp-des esp-sha-hmac
PIX1(config)# nat 0 access-list crypto1
PIX1(config)# nat (inside) 1 0.0.0.0 0.0.0.0
PIX1(config)# global (outside) 1 12.23.34.46

PIX2(config)# sysopt connection permit-ipsec
PIX2(config)# access-list crypto2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
PIX2(config)# crypto ipsec transform-set myset esp-des esp-sha-hmac
PIX2(config)# nat 0 access-list crypto2
PIX2(config)# nat (inside) 1 0.0.0.0 0.0.0.0
PIX2(config)# global (outside) 1 23.34.45.57

The next step is to create the crypto maps. The following commands specify that manually configured IPsec SAs will be used:

PIX1(config)# crypto map pix1map 10 ipsec-manual

PIX2(config)# crypto map pix2map 10 ipsec-manual

The rest of the crypto map configuration is the same as with IKE:

PIX1(config)# crypto map pix1map 10 match address crypto1
PIX1(config)# crypto map pix1map 10 set peer 23.34.45.56
PIX1(config)# crypto map pix1map 10 set transform-set myset

PIX2(config)# crypto map pix2map 10 match address crypto2

PIX2(config)# crypto map pix2map 10 set peer 12.23.34.45
PIX2(config)# crypto map pix2map 10 set transform-set myset

Now we need to manually define the parameters of the SAs for each transform that is used. We had ESP with encryption and ESP with authentication in the transform set myset, so we need to specify two outbound SAs and two inbound SAs. (Remember, each SA exists for one transform and in one direction.) The PIX makes this process a little easier by allowing both the encryption key and the authentication key to be specified in one command. However, the parameters for inbound and outbound traffic must still be defined separately. We will use the following command:

crypto map map-name seq-num set session-key inbound | outbound esp spi cipher hex-key-string [authenticator hex-key-string]

The map-name and seq-num parameters have been discussed before. The spi parameter is the numeric value of the Security Parameter Index. This number is arbitrary, although it has one requirement: the SPI number for, say, the IPsec SA that is responsible for ESP protection of outbound traffic on one peer has to be the same as the SPI of the IPsec SA responsible for ESP protection of inbound traffic on the other peer. The same holds true for the keys (hex-key-string): the key for an outbound SA on one peer has to be the same as the key for the corresponding inbound SA on the other peer. The key value can be 16, 32, or 40 hexadecimal digits. There are some basic requirements on key length:

• If the transform set for this map entry includes DES encryption, specify at least a 16-digit key.

• If the transform set includes the MD5 algorithm, specify at least 32 digits per key.

• If it includes the SHA-1 algorithm, specify at least 40 digits per key.

If a longer key is specified, it is simply hashed (not truncated) to the required length. For PIX1, we will specify the following SPIs and keys:

PIX1(config)# crypto map pix1map 10 set session-key inbound esp 300 cipher 1234455667788909 authenticator 123445566778890acdefacd91234455667788909
PIX1(config)# crypto map pix1map 10 set session-key outbound esp 400 cipher 9887766554344556 authenticator acdefacd12238474646537485956745637485635

These include a 16-digit DES key and a 40-digit SHA-1 key.

On the other firewall we have to create a "mirror" configuration of keys and SPIs, applying the same commands but with inbound and outbound interchanged:

PIX2(config)# crypto map pix2map 10 set session-key outbound esp 300 cipher 1234455667788909 authenticator 123445566778890acdefacd91234455667788909
PIX2(config)# crypto map pix2map 10 set session-key inbound esp 400 cipher 9887766554344556 authenticator acdefacd12238474646537485956745637485635

If we were using AH for traffic authentication, we would add the following command twice (once for the inbound and once for the outbound IPsec SA) to the configuration of each firewall:

crypto map map-name seq-num set session-key inbound | outbound ah spi hex-key-string

This uses the same parameters but requires only one key for each SPI. After applying the crypto map to the outside interfaces on both firewalls, the configuration is complete:

PIX1(config)# crypto map pix1map interface outside

PIX2(config)# crypto map pix2map interface outside
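The mirror rule (each peer's inbound SPI and keys must equal the other peer's outbound ones) and the key-length rules above are easy to get wrong when 40-digit keys are typed by hand on two firewalls. The following Python checker is an added example, not part of the chapter or of the PIX software: it reads the transform-set and session-key lines from two configuration excerpts (constructed here, using the chapter's own SPIs and keys) and reports any SA that fails the length rules or does not mirror its counterpart.

```python
import re
# Constructed excerpts using the chapter's SPIs and keys; only the lines the checker reads.
PIX1_CFG = """
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map pix1map 10 set session-key inbound esp 300 cipher 1234455667788909 authenticator 123445566778890acdefacd91234455667788909
crypto map pix1map 10 set session-key outbound esp 400 cipher 9887766554344556 authenticator acdefacd12238474646537485956745637485635
"""
PIX2_CFG = """
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map pix2map 10 set session-key outbound esp 300 cipher 1234455667788909 authenticator 123445566778890acdefacd91234455667788909
crypto map pix2map 10 set session-key inbound esp 400 cipher 9887766554344556 authenticator acdefacd12238474646537485956745637485635
"""
# Minimum hex digits per transform (from the chapter); slot 1 = cipher key, slot 2 = authenticator key.
KEY_RULES = {"esp-des": (1, 16), "esp-md5-hmac": (2, 32), "esp-sha-hmac": (2, 40)}
SESSION_RE = re.compile(r"crypto map \S+ \d+ set session-key (inbound|outbound) "
                        r"esp (\d+) cipher (\S+)(?: authenticator (\S+))?")
TRANSFORM_RE = re.compile(r"crypto ipsec transform-set \S+ (.+)")

def parse_manual_sas(cfg):
    """Return ({direction: (spi, cipher_key, auth_key)}, [transforms]) from one config."""
    sas = {m.group(1): (int(m.group(2)), m.group(3), m.group(4))
           for m in SESSION_RE.finditer(cfg)}
    tm = TRANSFORM_RE.search(cfg)
    return sas, (tm.group(1).split() if tm else [])

def check_keys(label, sas, transforms):
    """Per-firewall checks: both directions present, keys hexadecimal and long enough."""
    problems = []
    for direction in ("inbound", "outbound"):
        if direction not in sas:
            problems.append(f"{label}: no {direction} ESP SA")
            continue
        for transform in [t for t in transforms if t in KEY_RULES]:
            slot, minimum = KEY_RULES[transform]
            key = sas[direction][slot]
            if key is None or not re.fullmatch(r"[0-9a-fA-F]+", key):
                problems.append(f"{label} {direction}: missing or non-hex key for {transform}")
            elif len(key) not in (16, 32, 40) or len(key) < minimum:
                problems.append(f"{label} {direction}: {transform} key needs at least {minimum} digits (16, 32 or 40)")
    return problems

def check_manual_pair(cfg_a, cfg_b):
    """Empty list means both configs pass the key rules and mirror each other."""
    sas_a, transforms = parse_manual_sas(cfg_a)
    sas_b, _ = parse_manual_sas(cfg_b)
    problems = check_keys("PIX1", sas_a, transforms) + check_keys("PIX2", sas_b, transforms)
    # Mirror rule: PIX1 inbound (SPI and both keys) must equal PIX2 outbound, and vice versa.
    for a_dir, b_dir in (("inbound", "outbound"), ("outbound", "inbound")):
        if sas_a.get(a_dir) != sas_b.get(b_dir):
            problems.append(f"PIX1 {a_dir} SA does not mirror PIX2 {b_dir} SA")
    return problems
```

Run check_manual_pair on the two excerpts before applying the crypto maps; a single mistyped digit in one authenticator key shows up as a mirror mismatch rather than as a tunnel that silently drops traffic.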