{"id":27,"date":"2005-05-07T22:29:46","date_gmt":"2005-05-07T21:29:46","guid":{"rendered":"http:\/\/security-planet.de\/?p=88"},"modified":"2005-05-07T22:29:46","modified_gmt":"2005-05-07T21:29:46","slug":"cisco-ios-configuring-manual-ipsec","status":"publish","type":"post","link":"https:\/\/cyber-fi.net\/index.php\/2005\/05\/07\/cisco-ios-configuring-manual-ipsec\/","title":{"rendered":"IPSec: manual configuration in Cisco IOS"},"content":{"rendered":"<p>This example shows how manual IPSec is configured in Cisco IOS.<!--more--> With this configuration no ISAKMP\/IKE is needed to negotiate keys: the session keys and SPIs are configured statically on both routers. This is of course <strong>not<\/strong> the recommended way of configuring IPSec! A manually keyed SA has no lifetime, so the same key protects all traffic until someone changes it by hand, and it has no anti-replay protection (the <code>show crypto ipsec sa<\/code> output below reports <code>no sa timing<\/code> and <code>replay detection support: N<\/code>).<\/p>\n<p><strong>Topology used in this example:<\/strong><\/p>\n<table>\n<tr>\n<td>\n<img decoding=\"async\" src=\"https:\/\/blog.iwen.de\/wp-content\/uploads\/2006\/08\/ipsecexample.png\" id=\"image89\" alt=\"Topology for IPSec example\" \/><\/td>\n<\/tr>\n<\/table>\n<p>The relevant starting configuration of Router1:<\/p>\n<pre class=\"code\"><code>\ninterface Loopback11\n ip address 11.11.1.1 255.255.255.0\n!\ninterface FastEthernet0\n ip address 10.255.255.201 255.255.255.0\n<\/code><\/pre>\n<p>For manual IPSec no ISAKMP is needed, so it is disabled:<\/p>\n<pre class=\"code\"><code>\nno crypto isakmp enable\n<\/code><\/pre>\n<p>Next a transform-set is needed. The first one, <code>esp-null esp-sha-hmac<\/code>, authenticates with HMAC-SHA1 but does not encrypt, so the traffic can be captured and analyzed in clear text:<\/p>\n<pre class=\"code\"><code>\ncrypto ipsec transform-set esp-none-sha1 esp-null esp-sha-hmac\n<\/code><\/pre>\n<p>An access-list defines the traffic that has to be protected. For manual IPSec this ACL may contain only <em>one<\/em> entry, because a manual crypto map entry defines exactly one inbound and one outbound SA:<\/p>\n<pre class=\"code\"><code>\naccess-list 100 permit ip 11.11.1.0 0.0.0.255 11.11.2.0 0.0.0.255\n<\/code><\/pre>\n<p>A crypto map is written. 
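<\/p>\n<p>To make the ESP packet format, the SPIs and the static authentication key concrete, here is an added example that is not part of the original post and not Cisco code. It is written in Python and builds and verifies ESP packets the way the two routers do for the <code>esp-null esp-sha-hmac<\/code> transform-set: NULL encryption (RFC 2410) with an HMAC-SHA1-96 ICV (RFC 2404), the integrity algorithm behind IOS's <code>esp-sha-hmac<\/code>. It reuses the SPIs 1002\/2001 and the 40-hex-digit authentication key from the crypto map below; the inner payload and the second, mismatched key are constructed for the example, not taken from the page. The second half replays the failure case at the end of the post, where Router1's inbound key no longer matches Router2's outbound key and the ICV check fails.<\/p>\n

```python
import hmac
import hashlib
import struct

# Values taken from the crypto map on this page.
AUTH_KEY = bytes.fromhex('0123456789012345678901234567890123456789')  # 40 hex digits = 160-bit HMAC-SHA1 key
SPI_R1_OUT = 1002  # R1 -> R2: 'set session-key out esp 1002' on R1, 'in esp 1002' on R2
SPI_R1_IN = 2001   # R2 -> R1: 'set session-key in esp 2001' on R1, 'out esp 2001' on R2
ICV_LEN = 12       # esp-sha-hmac is HMAC-SHA1-96 (RFC 2404): the ICV is the first 96 bits of the HMAC

# Constructed for this example: a different 160-bit key standing in for the changed
# inbound key on Router1 in the page's last test (the page shows that key only truncated).
WRONG_KEY = bytes.fromhex('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')


def build_esp_null(spi, seq, inner, key, next_header=4):
    '''Build one ESP packet with the NULL cipher (RFC 2410) and an HMAC-SHA1-96 ICV.
    next_header=4 marks the payload as an encapsulated IPv4 packet, i.e. tunnel mode.
    Layout (RFC 4303): SPI | seq | payload | padding | pad len | next hdr | ICV.'''
    header = struct.pack('!II', spi, seq)
    # With NULL encryption the only alignment rule is that the pad-length and
    # next-header bytes end on a 4-byte boundary.
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default padding 1, 2, 3, ...
    authenticated = header + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def verify_esp_null(packet, key, expected_spi):
    '''Verify an inbound ESP-NULL packet the way the receiving router would.
    Returns (spi, seq, inner, next_header); raises ValueError on an unknown SPI or
    a bad ICV, the condition behind %CRYPTO-4-RECVD_PKT_MAC_ERR on the page.'''
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError('packet too short for ESP')
    spi, seq = struct.unpack('!II', packet[:8])
    if spi != expected_spi:
        raise ValueError(f'no inbound SA for spi={spi}')
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Check the ICV (constant-time) before touching any of the payload.
    expected_icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected_icv, icv):
        raise ValueError(f'mac verify failed for spi={spi}')
    pad_len, next_header = body[-2], body[-1]
    inner = body[8:len(body) - 2 - pad_len]
    return spi, seq, inner, next_header


def run_demo():
    '''Replay the page's two tests: matching keys, then the changed inbound key on R1.'''
    inner = b'constructed stand-in for the inner ICMP echo'  # not a real IP packet
    # Test 1: R1 -> R2, both sides hold the same key for SPI 1002.
    to_r2 = build_esp_null(SPI_R1_OUT, 1, inner, AUTH_KEY)
    r2_result = verify_esp_null(to_r2, AUTH_KEY, SPI_R1_OUT)[2] == inner
    # Test 2: R2 still signs its reply (SPI 2001) with the old key, but R1 now
    # verifies SPI 2001 with a different key, so the ICV check fails.
    reply_to_r1 = build_esp_null(SPI_R1_IN, 1, inner, AUTH_KEY)
    try:
        verify_esp_null(reply_to_r1, WRONG_KEY, SPI_R1_IN)
        r1_result = 'ok'
    except ValueError as err:
        r1_result = str(err)
    return r2_result, r1_result


if __name__ == '__main__':
    print(run_demo())
```

<p>Running the file prints the two results: Router2 accepts the echo, and Router1 rejects the reply with the same MAC-verify condition that IOS logs. Two things the show output cannot tell you are visible here: the ICV covers everything from the SPI through the next-header byte, so a peer with a different key cannot forge or alter any of it, and nothing in the packet binds the sequence number, which is why a manual SA without replay detection will happily accept a captured datagram again.<\/p>\n<p>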
Inside the crypto-map, the session keys are specified:<\/p>\n<pre class=\"code\"><code>\ncrypto map test 10 ipsec-manual\n set peer 10.255.255.1\n set session-key in esp 2001 auth 0123456789012345678901234567890123456789\n set session-key out esp 1002 auth 0123456789012345678901234567890123456789\n set transform-set esp-none-sha1\n match address 100\n<\/code><\/pre>\n<p>Each SA is identified by a Security Parameter Index (SPI). Here SPI 1002 identifies the outbound SA, so Router1's outgoing datagrams carry SPI 1002, and incoming datagrams are expected to carry SPI 2001, the inbound SA. The peer has to configure the same SPIs mirrored (its <code>in<\/code> is our <code>out<\/code>) with identical keys. Because the transform uses HMAC-SHA1, the authentication key is 160 bits, written as 40 hex digits.<\/p>\n<p>The crypto map is applied to the outbound interface:<\/p>\n<pre class=\"code\"><code>\ninterface FastEthernet0\n crypto map test\n<\/code><\/pre>\n<p>The resulting config of Router1:<\/p>\n<pre class=\"code\"><code>\nno crypto isakmp enable\n!\ncrypto ipsec transform-set esp-none-sha1 esp-null esp-sha-hmac\n!\ncrypto map test 10 ipsec-manual\n set peer 10.255.255.1\n set session-key in esp 2001 auth 0123456789012345678901234567890123456789\n set session-key out esp 1002 auth 0123456789012345678901234567890123456789\n set transform-set esp-none-sha1\n match address 100\n!\naccess-list 100 permit ip 11.11.1.0 0.0.0.255 11.11.2.0 0.0.0.255\n!\ninterface Loopback11\n ip address 11.11.1.1 255.255.255.0\n!\ninterface FastEthernet0\n ip address 10.255.255.201 255.255.255.0\n crypto map test\n<\/code><\/pre>\n<p>Router2 is configured the same way, with peer address, SPIs and ACL mirrored (Vlan1 is the outgoing interface on R2):<\/p>\n<pre class=\"code\"><code>\ncrypto ipsec transform-set esp-none-sha1 esp-null esp-sha-hmac\n!\ncrypto map test 10 ipsec-manual\n set peer 10.255.255.201\n set session-key in esp 1002 auth 0123456789012345678901234567890123456789\n set session-key out esp 2001 auth 0123456789012345678901234567890123456789\n set transform-set esp-none-sha1\n match address 100\n!\naccess-list 100 permit ip 11.11.2.0 0.0.0.255 11.11.1.0 0.0.0.255\n!\ninterface 
Loopback11\n ip address 11.11.2.1 255.255.255.0\n!\ninterface Vlan1\n crypto map test\n<\/code><\/pre>\n<p>The connection is tested:<\/p>\n<pre class=\"code\"><code>\nR1#ping 11.11.2.1 source loopback 11 repeat 2 data 1a2b size 38\n\nType escape sequence to abort.\nSending 2, 38-byte ICMP Echos to 11.11.2.1, timeout is 2 seconds:\nPacket sent with a source address of 11.11.1.1\nPacket has data pattern 0x1A2B\n!!\nSuccess rate is 100 percent (2\/2), round-trip min\/avg\/max = 1\/2\/4 ms\n<\/code><\/pre>\n<p>The resulting SA on R1 shows two protected packets:<\/p>\n<pre class=\"code\"><code>\nR1#sh cry ips sa\n\ninterface: FastEthernet0\n    Crypto map tag: test, local addr. 10.255.255.201\n\n   protected vrf:\n   local  ident (addr\/mask\/prot\/port): (11.11.1.0\/255.255.255.0\/0\/0)\n   remote ident (addr\/mask\/prot\/port): (11.11.2.0\/255.255.255.0\/0\/0)\n   current_peer: 10.255.255.1:500\n     PERMIT, flags={origin_is_acl,}\n    #pkts encaps: 2, #pkts encrypt: 0, #pkts digest 2\n    #pkts decaps: 2, #pkts decrypt: 0, #pkts verify 2\n    #pkts compressed: 0, #pkts decompressed: 0\n    #pkts not compressed: 0, #pkts compr. 
failed: 0\n    #pkts not decompressed: 0, #pkts decompress failed: 0\n    #send errors 0, #recv errors 0\n\n     local crypto endpt.: 10.255.255.201, remote crypto endpt.: 10.255.255.1\n     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0\n     current outbound spi: 3EA\n\n     inbound esp sas:\n      spi: 0x7D1(2001)\n        transform: esp-null esp-sha-hmac ,\n        in use settings ={Tunnel, }\n        slot: 0, conn id: 2001, flow_id: 1, crypto map: test\n        no sa timing\n        IV size: 0 bytes\n        replay detection support: N\n\n     inbound ah sas:\n\n     inbound pcp sas:\n\n     outbound esp sas:\n      spi: 0x3EA(1002)\n        transform: esp-null esp-sha-hmac ,\n        in use settings ={Tunnel, }\n        slot: 0, conn id: 2000, flow_id: 2, crypto map: test\n        no sa timing\n        IV size: 0 bytes\n        replay detection support: N\n\n     outbound ah sas:\n\n     outbound pcp sas:\nR1#\n<\/code><\/pre>\n<p><strong>For the next test the routers are also configured for encryption with DES<\/strong><br \/>\nFor that we need a transform-set with ESP encryption, and a DES session key (<code>cipher<\/code>) has to be added to each <code>set session-key<\/code> line of the crypto map:<\/p>\n<p>The changes for Router 1:<\/p>\n<pre class=\"code\"><code>\ncrypto ipsec transform-set esp-des-sha1 esp-des esp-sha-hmac\ncrypto map test 10 ipsec-manual\n set session-key in esp 2001 cipher 0123456789012345 auth 0123456789...\n set session-key out esp 1002 cipher 0123456789012345 auth 0123456789...\n set transform-set esp-des-sha1\n<\/code><\/pre>\n<p>The DES key is specified as 16 hex digits, i.e. the full 64-bit key; 8 of those bits are parity bits, so only 56 bits are actually used for encryption. Single DES is obsolete and is used here only to demonstrate the mechanism.<\/p>\n<p>The changes for Router 2:<\/p>\n<pre class=\"code\"><code>\ncrypto map test 10 ipsec-manual\n set peer 10.255.255.201\n set session-key in esp 1002 cipher 0123456789012345 auth 0123456789...\n set session-key out esp 2001 cipher 0123456789012345 auth 0123456789...\n set transform-set esp-des-sha1\n<\/code><\/pre>\n<p>The connection is tested again:<\/p>\n<pre 
class=\"code\"><code>\nR1#ping 11.11.2.1 source loopback 11 repeat 2 data 1a2b size 38\n\nType escape sequence to abort.\nSending 2, 38-byte ICMP Echos to 11.11.2.1, timeout is 2 seconds:\nPacket sent with a source address of 11.11.1.1\nPacket has data pattern 0x1A2B\n!!\nSuccess rate is 100 percent (2\/2), round-trip min\/avg\/max = 4\/4\/4 ms\n<\/code><\/pre>\n<p>The IPSec SA shows that there is now also encrypted and decrypted traffic:<\/p>\n<pre class=\"code\"><code>\nR1#sh crypto ips sa\n\ninterface: FastEthernet0\n    Crypto map tag: test, local addr. 10.255.255.201\n\n   protected vrf:\n   local  ident (addr\/mask\/prot\/port): (11.11.1.0\/255.255.255.0\/0\/0)\n   remote ident (addr\/mask\/prot\/port): (11.11.2.0\/255.255.255.0\/0\/0)\n   current_peer: 10.255.255.1:500\n     PERMIT, flags={origin_is_acl,}\n    #pkts encaps: 4, #pkts encrypt: 2, #pkts digest 4\n    #pkts decaps: 4, #pkts decrypt: 2, #pkts verify 4\n    #pkts compressed: 0, #pkts decompressed: 0\n    #pkts not compressed: 0, #pkts compr. 
failed: 0\n    #pkts not decompressed: 0, #pkts decompress failed: 0\n    #send errors 0, #recv errors 0\n\n     local crypto endpt.: 10.255.255.201, remote crypto endpt.: 10.255.255.1\n     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0\n     current outbound spi: 3EA\n\n     inbound esp sas:\n      spi: 0x7D1(2001)\n        transform: esp-des esp-sha-hmac ,\n        in use settings ={Tunnel, }\n        slot: 0, conn id: 2001, flow_id: 1, crypto map: test\n        no sa timing\n        IV size: 8 bytes\n        replay detection support: N\n\n     inbound ah sas:\n\n     inbound pcp sas:\n\n     outbound esp sas:\n      spi: 0x3EA(1002)\n        transform: esp-des esp-sha-hmac ,\n        in use settings ={Tunnel, }\n        slot: 0, conn id: 2000, flow_id: 2, crypto map: test\n        no sa timing\n        IV size: 8 bytes\n        replay detection support: N\n\n     outbound ah sas:\n\n     outbound pcp sas:\nR1#\n<\/code><\/pre>\n<p><strong>The next example shows the result of using different authentication-keys on both routers.<\/strong> For that we change the inbound-authentication-key on Router1:<\/p>\n<pre class=\"code\"><code>\ncrypto map test 10 ipsec-manual\n set session-key in esp 2001 ciph 0123456789012345 auth 01234...89aaaaaaaaaa\n<\/code><\/pre>\n<p>Router2 still has the same outbound-key as before:<\/p>\n<pre class=\"code\"><code>\ncrypto map test 10 ipsec-manual\n set session-key out esp 2001 ciph 0123456789012345 auth 01234...890123456789\n<\/code><\/pre>\n<p>We test it with an outgoing ping from Router1. 
As only the inbound key on Router1 was changed, Router2 still verifies and decrypts the ping with its unchanged keys and sends a reply. Router1, however, checks that reply (SPI 2001) with the new key, so the HMAC verification fails and the reply is dropped:<\/p>\n<pre class=\"code\"><code>\nR1#ping 11.11.2.1 source loopback 11 repeat 1 data 1a2b size 38\n\nType escape sequence to abort.\nSending 1, 38-byte ICMP Echos to 11.11.2.1, timeout is 2 seconds:\nPacket sent with a source address of 11.11.1.1\nPacket has data pattern 0x1A2B\n.\nSuccess rate is 0 percent (0\/1)\n<\/code><\/pre>\n<p>On Router1 the following message was logged; connection id 2001 is the inbound SA with SPI 2001:<\/p>\n<pre class=\"code\"><code>\n%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001\n<\/code><\/pre>\n<p>The SA counters show one packet encrypted and digested on the way out, and one packet decapsulated but neither verified nor decrypted, which is counted as a receive error:<\/p>\n<pre class=\"code\"><code>\nR1#sh cry ips sa\n\ninterface: FastEthernet0\n    Crypto map tag: test, local addr. 10.255.255.201\n\n   protected vrf:\n   local  ident (addr\/mask\/prot\/port): (11.11.1.0\/255.255.255.0\/0\/0)\n   remote ident (addr\/mask\/prot\/port): (11.11.2.0\/255.255.255.0\/0\/0)\n   current_peer: 10.255.255.1:500\n     PERMIT, flags={origin_is_acl,}\n    #pkts encaps: 1, #pkts encrypt: 1, #pkts digest 1\n    #pkts decaps: 1, #pkts decrypt: 0, #pkts verify 0\n    #pkts compressed: 0, #pkts decompressed: 0\n    #pkts not compressed: 0, #pkts compr. 
failed: 0\n    #pkts not decompressed: 0, #pkts decompress failed: 0\n    #send errors 0, #recv errors 1\n\n     local crypto endpt.: 10.255.255.201, remote crypto endpt.: 10.255.255.1\n     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0\n     current outbound spi: 3EA\n\n     inbound esp sas:\n      spi: 0x7D1(2001)\n        transform: esp-des esp-sha-hmac ,\n        in use settings ={Tunnel, }\n        slot: 0, conn id: 2001, flow_id: 1, crypto map: test\n        no sa timing\n        IV size: 8 bytes\n        replay detection support: N\n\n     inbound ah sas:\n\n     inbound pcp sas:\n\n     outbound esp sas:\n      spi: 0x3EA(1002)\n        transform: esp-des esp-sha-hmac ,\n        in use settings ={Tunnel, }\n        slot: 0, conn id: 2000, flow_id: 2, crypto map: test\n        no sa timing\n        IV size: 8 bytes\n        replay detection support: N\n\n     outbound ah sas:\n\n     outbound pcp sas:\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This example shows how manual IPSec is configured in Cisco 
IOS.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[5,7],"tags":[307,317,358],"class_list":["post-27","post","type-post","status-publish","format-standard","hentry","category-cisco","category-cisco-security","tag-ios","tag-ipsec","tag-konfiguration"],"_links":{"self":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/27","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/comments?post=27"}],"version-history":[{"count":0,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/27\/revisions"}],"wp:attachment":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/media?parent=27"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/categories?post=27"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/tags?post=27"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}