Ruijie Networks—VPN function—IPSEC basic configuration—IPSEC static and dynamic tunnel mixed use

Table of contents

Features

Application scenarios

1. Networking requirements

2. Network topology

3. Configuration points

4. Configuration steps

5. Configuration verification


 

Features

RSR series routers support IPSEC negotiation based on VRRP virtual interface IP.

Application scenarios

If the intranets of the head office and its branches need to share data with each other, and that data must not be easily intercepted, cracked or stolen while it crosses the public network, an IPSec VPN can be established between the network devices of the head office and the branches. This not only lets the head office and branches access each other's resources directly, but also encrypts the traffic in transit to protect its confidentiality and integrity. If the headquarters has a fixed public IP address while some branches reach the Internet by dial-up (no fixed IP address) and others use fixed IP addresses, the head-office router can run both static and dynamic IPSec VPN, while each branch router runs static IPSec VPN.

1. Networking requirements

After flattening its network, an insurance company uses the CN2 network provided by China Telecom (CN2 is a next-generation bearer network built by Telecom; it can be understood as a VPN service for enterprises carried over an MPLS network, transparent to the customer), so county companies can communicate directly with the provincial and municipal companies. To protect business traffic, IPSEC tunnels must be established between the provincial, city and county egress routers. Because the number of municipal and county companies is very large, dynamic IPSEC is required; otherwise a large number of static IPSEC tunnels would have to be configured by hand, which is costly to maintain and inflexible.

2. Network topology

3. Configuration points

1. Provincial company router R1

  • IPSEC tunnels need to be established with all city/county companies. In order to reduce the amount of configuration and maintenance and increase flexibility, dynamic IPSEC needs to be configured as an IPSEC server to accept IPSEC dial-in from city/county companies.

2. City company router R2

  • Static IPSEC needs to be configured to dial into the provincial company
  • IPSEC tunnels need to be established with all county companies. In order to reduce the amount of configuration and maintenance and increase flexibility, dynamic IPSEC needs to be configured as an IPSEC server to accept IPSEC dial-in from county companies.
  • There is only one external network exit, and both static IPSEC and dynamic IPSEC need to be implemented on this interface.

3. County company router R3

  • Static IPSEC needs to be configured and dialed into the provincial/municipal company

Things to note when using dynamic IPSEC:

1. You must pay attention to whether business data can trigger the negotiation of IPSEC tunnels.

2. A dynamic crypto map is not used by the device to initiate new IPSEC negotiations with remote peers; it is only used to accept IPSEC negotiations initiated by remote peers.

3. In other words, the side that configures the dynamic crypto map cannot actively initiate IPSEC negotiation.

4. In the financial industry, business traffic is generally initiated from lower-level institutions toward higher-level institutions, so that traffic can trigger the establishment of the IPSEC tunnels.

5. Once the IPSEC tunnel is established, data can flow in both directions.

6. RSR50/RSR50E routers that use the IPSEC function must be equipped with an AIM-VPN encryption card (to check whether an RSR50/RSR50E has an AIM-VPN encryption card installed, see the appendix at the end of this article).

7. The IP network segments that need to use IPSEC for mutual access cannot overlap.

4. Configuration steps

1. Provincial company router R1

The provincial company configures IPSEC dynamic tunnels; refer to (Typical Configuration--->Security--->IPSEC--->IPSEC uses dynamic tunnels (main mode)).

2. City company router R2

The municipal company router R2 needs to be configured with both static and dynamic IPSEC. Please pay attention to integrating the static and dynamic IPSEC into a crypto map:

crypto dynamic-map dymap 1
 set transform-set myset
crypto map mymap 5 ipsec-isakmp
 set peer 14.0.0.1
 set transform-set myset
 match address 100
crypto map mymap 10 ipsec-isakmp dynamic dymap      // The dynamic and static IPSEC entries are combined in one crypto map and distinguished by sequence number

Note: Any crypto map entry that references the dynamic map is treated as the lowest-priority entry in the crypto map set (whatever sequence number is configured, it behaves as if it had the largest one), so all other crypto map entries are evaluated first. The dynamic crypto map entry is only checked when no static crypto map entry matches.
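As an added illustration (not Ruijie's code or CLI), the following Python model captures the evaluation rule just described: static entries are tried in sequence-number order, the entry that references the dynamic map is always tried last, and it never initiates a negotiation. R2's mymap entries are used as sample data; the /24 prefixes for ACL 100 are an assumption taken from the 0.0.0.255 wildcard mask shown in the verification output.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class CryptoMapEntry:
    """One 'crypto map <name> <seq> ipsec-isakmp' entry (hypothetical model)."""
    seq: int
    dynamic: bool = False                  # entry references a dynamic map
    peer: Optional[str] = None             # 'set peer'
    # 'match address' flows as (local network, remote network) pairs
    flows: List[Tuple[str, str]] = field(default_factory=list)


def evaluation_order(entries):
    """Static entries in sequence-number order; any entry that references a
    dynamic map is treated as if it had the largest sequence number."""
    return sorted(entries, key=lambda e: (e.dynamic, e.seq))


def select_outbound(entries, src, dst):
    """Entry used to *initiate* negotiation for a local packet src -> dst.
    Dynamic entries never initiate, so they are skipped (notes 2 and 3)."""
    for e in evaluation_order(entries):
        if e.dynamic:
            continue
        for local, remote in e.flows:
            if ip_address(src) in ip_network(local) and ip_address(dst) in ip_network(remote):
                return e
    return None


def select_inbound(entries, peer_ip):
    """Entry used to *accept* a negotiation started by peer_ip: a static entry
    whose peer matches wins first; the dynamic entry is the fallback."""
    for e in evaluation_order(entries):
        if e.dynamic or e.peer == peer_ip:
            return e
    return None


# R2's 'mymap' from the configuration steps (sample data; /24 assumed for ACL 100)
R2_MYMAP = [
    CryptoMapEntry(seq=5, peer="14.0.0.1", flows=[("2.2.2.0/24", "1.1.1.0/24")]),
    CryptoMapEntry(seq=10, dynamic=True),  # crypto map mymap 10 ipsec-isakmp dynamic dymap
]
```

With this data, a ping from 2.2.2.2 to 1.1.1.1 selects static entry 5, a packet from 2.2.2.2 toward 3.3.3.3 selects nothing (R2 cannot initiate toward the county), and a dial-in from 34.0.0.3 is accepted by the dynamic entry.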

3. County company router R3

The county company configures IPSEC static tunnels, refer to (Typical Configuration--->Security--->IPSEC--->IPSEC uses static tunnels)

Note that the stream of interest and the crypto map rules need to be defined separately for provincial company R1 and city company R2:

crypto map mymap 5 ipsec-isakmp
 set peer 14.0.0.1
 set transform-set myset
 match address 100
crypto map mymap 10 ipsec-isakmp
 set peer 24.0.0.2
 set transform-set myset
 match address 101

5. Configuration verification

1. Trigger the establishment of an IPSEC tunnel between the municipal company router R2 and the provincial company router R1

R2#ping 1.1.1.1 so 2.2.2.2

Sending 5, 100-byte ICMP Echoes to 1.1.1.1, timeout is 2 seconds:

  < press Ctrl+C to break >

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/12/20 ms

R2#sho cry isakmp sa

 destination   source     state    conn-id   lifetime(second)
 14.0.0.1      24.0.0.2   QM_IDLE  33        86378

R2#sho cry ipsec on

Interface: FastEthernet 0/0

Crypto map tag:mymap, local addr 24.0.0.2

media 1500 people

==================================

item type:static, seqno:5, id=32

local  ident (addr/mask/prot/port): (2.2.2.0/0.0.0.255/0/0))

remote  ident (addr/mask/prot/port): (1.1.1.0/0.0.0.255/0/0))

PERMIT

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

#send errors 0, #recv errors 0

Inbound esp sas:

spi:0x3f944b2d (1066683181)

transform: esp-3des esp-md5-hmac

in use settings={Tunnel,}

crypto map mymap 5

sa timing: remaining key lifetime (k/sec): (4606999/3574)

IV size: 8 bytes

Replay detection support:Y

Outbound esp sas:

spi:0x4012256 (67183190)

transform: esp-3des esp-md5-hmac

in use settings={Tunnel,}

crypto map mymap 5

sa timing: remaining key lifetime (k/sec): (4606999/3574)

IV size: 8 bytes

Replay detection support:Y

2. Trigger the IPSEC tunnel between the county company router R3 and the provincial company router R1

R3#ping 1.1.1.1 so 3.3.3.3

Sending 5, 100-byte ICMP Echoes to 1.1.1.1, timeout is 2 seconds:

  < press Ctrl+C to break >

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 10/22/30 ms

R3#sho cry isakmp sa

 destination   source     state    conn-id   lifetime(second)
 14.0.0.1      34.0.0.3   QM_IDLE  33        86390

R3#sho cry ipsec on

Interface: FastEthernet 0/0

Crypto map tag:mymap, local addr 34.0.0.3

media 1500 people

==================================

item type:static, seqno:5, id=32

local  ident (addr/mask/prot/port): (3.3.3.0/0.0.0.255/0/0))

remote  ident (addr/mask/prot/port): (1.1.1.0/0.0.0.255/0/0))

PERMIT

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

#send errors 0, #recv errors 0

Inbound esp sas:

spi:0x173938a6 (389626022)

transform: esp-3des esp-md5-hmac

in use settings={Tunnel,}

crypto map mymap 5

sa timing: remaining key lifetime (k/sec): (4606998/3587)

IV size: 8 bytes

Replay detection support:Y

Outbound esp sas:

spi:0x499357 (4821847)

transform: esp-3des esp-md5-hmac

in use settings={Tunnel,}

crypto map mymap 5

sa timing: remaining key lifetime (k/sec): (4606998/3587)

IV size: 8 bytes

Replay detection support:Y

==================================

item type:static, seqno:10, id=34

local  ident (addr/mask/prot/port): (3.3.3.0/0.0.0.255/0/0))

remote  ident (addr/mask/prot/port): (2.2.2.0/0.0.0.255/0/0))

PERMIT

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#send errors 0, #recv errors 0

No sa is created now.

3. Trigger the IPSEC tunnel between the county company router R3 and the city company router R2

R3#ping 2.2.2.2 so 3.3.3.3

Sending 5, 100-byte ICMP Echoes to 2.2.2.2, timeout is 2 seconds:

  < press Ctrl+C to break >

.!!!!

View the IPSEC information on R2

R2#sho cry isakmp sa

 destination   source     state    conn-id   lifetime(second)
 34.0.0.3      24.0.0.2   QM_IDLE  36        86370
 14.0.0.1      24.0.0.2   QM_IDLE  33        85869

R2#sho cry ipsec on

Interface: FastEthernet 0/0

Crypto map tag:mymap, local addr 24.0.0.2

media 1500 people

==================================

item type:static, seqno:5, id=32

local  ident (addr/mask/prot/port): (2.2.2.0/0.0.0.255/0/0))

remote  ident (addr/mask/prot/port): (1.1.1.0/0.0.0.255/0/0))

PERMIT

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

#send errors 0, #recv errors 0

Inbound esp sas:

spi:0x3f944b2d (1066683181)

transform: esp-3des esp-md5-hmac

in use settings={Tunnel,}

crypto map mymap 5

sa timing: remaining key lifetime (k/sec): (4606999/3064)

IV size: 8 bytes

Replay detection support:Y

Outbound esp sas:

spi:0x4012256 (67183190)

transform: esp-3des esp-md5-hmac

in use settings={Tunnel,}

crypto map mymap 5

sa timing: remaining key lifetime (k/sec): (4606999/3064)

IV size: 8 bytes

Replay detection support:Y

==================================

item type:temporary, seqno:0, id=37

local  ident (addr/mask/prot/port): (2.2.2.0/0.0.0.255/0/0))

remote  ident (addr/mask/prot/port): (3.3.3.0/0.0.0.255/0/0))

PERMIT

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

#send errors 0, #recv errors 0

Inbound esp sas:

spi:0x67a19141 (1738641729)

transform: esp-3des esp-md5-hmac

in use settings={Tunnel,}

crypto map mymap 0

sa timing: remaining key lifetime (k/sec): (4607999/3566)

IV size: 8 bytes

Replay detection support:Y

Outbound esp sas:

spi:0x6ca7929b (1822921371)

transform: esp-3des esp-md5-hmac

in use settings={Tunnel,}

crypto map mymap 0

sa timing: remaining key lifetime (k/sec): (4607999/3566)

IV size: 8 bytes

Replay detection support:Y


Origin blog.csdn.net/weixin_57099902/article/details/132765598