Chapter 19 - Fundamentals of IP Security (IPSec) Flashcards

1
Q

How does IPSec enforce anti-replay?

A

IPsec gives every packet sent through the tunnel a sequence number (carried in the ESP or AH header), and the receiving peer keeps a sliding window of the sequence numbers it has already accepted. A packet whose sequence number duplicates one already seen, or that falls below the bottom of the window, is dropped because the receiver treats it as a replayed packet it has already processed.
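As an added example (not from the page), this is how the anti-replay window is tuned on Cisco IOS. The default window is 64 packets; ESP packets that are legitimately reordered on the path (for example by QoS queuing) can fall outside it and be dropped as replays, so the window is sometimes widened. The crypto map name MYMAP and entry number 1 follow the naming used later in this deck; the window size of 1024 is an assumed value.

```cisco
! Global setting: applies to every IPsec SA this router builds.
! The default window is 64 packets; valid sizes are 64, 128, 256, 512 and 1024
! on the IOS releases that introduced this command (assumed example values).
crypto ipsec security-association replay window-size 1024
!
! Per crypto map entry: overrides the global setting only for SAs built
! from this entry (MYMAP 1 is the entry name used later in the deck).
crypto map MYMAP 1 ipsec-isakmp
 set security-association replay window-size 1024
!
! Anti-replay can also be switched off globally or per entry, but that removes
! the protection this card describes; widen the window instead.
! crypto ipsec security-association replay disable
! crypto map MYMAP 1 ipsec-isakmp
!  set security-association replay disable
```

After the SA comes up, show crypto ipsec sa reports whether replay detection is enabled for the SA, so the setting can be confirmed on the live tunnel.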

2
Q

Which command shows IKE Phase 1 policies on a router?

A

show crypto isakmp policy

3
Q

Which command shows the details of a crypto map and the contents of an IKE Phase 2 transform set?

A

show crypto map

4
Q

What command will show you the details of an IKE Phase 1 tunnel?

A

show crypto isakmp sa detail

5
Q

What command would you use to get more details on an IKE Phase 2 tunnel?

A

show crypto ipsec sa

6
Q

What is another command that will show if IPsec encryption / decryption is working?

A

show crypto engine connections active

7
Q

How many "tunnels" are actually set up once IPsec is passing VPN traffic on a site-to-site link?

A

There are actually three:

1 IKE Phase 1 SA, used for the secure management channel between the two peers; it is bidirectional.

1 IPsec (Phase 2) SA for outbound traffic from Peer A to Peer B.

1 IPsec (Phase 2) SA for inbound traffic from Peer B back to Peer A. IPsec SAs are unidirectional, which is why a single data tunnel needs a pair of them.

8
Q

What are the two modes that IKE Phase 1 uses to create the management tunnel between peers?

A

Main Mode

Aggressive Mode

Main mode is usually preferred because it is more secure: it uses six messages and completes the Diffie-Hellman exchange before the peers exchange their identities, so the identities travel encrypted. Aggressive mode uses three messages and sends the identity, and with pre-shared keys a hash derived from the key, in the clear, which exposes the PSK to offline guessing.

9
Q

What are the Diffie-Hellman (DH) group modulus sizes?

A

DH Group 1 = 768 bits

DH Group 2 = 1024 bits

DH Group 5 = 1536 bits

NOTE: Cisco IOS does not offer DH groups 3 or 4 (IKE defines them as elliptic-curve groups, but IOS skips them), so the choice here is 1, 2 or 5. Groups 1 and 2 are too small to be considered secure today; newer IOS releases add larger groups such as 14 (2048 bits), which should be preferred where available.

10
Q

What does HAGLE stand for when referring to IKE Phase 1 negotiation?

A

H = Hash algorithm (MD5, SHA)

A = Authentication method (PSK or Digital Certs)

G = Diffie-Hellman Group (DH1, DH2, DH5)

L = Lifetime, how long until the IKE Phase 1 tunnel is torn down and renegotiated (configured in seconds; a kilobyte-based lifetime applies only to the Phase 2 IPsec SAs)

E = Encryption algorithm (DES, 3DES, AES)

11
Q

When referring to HAGLE and IKE Phase 1 setup, which parameter can be different (and still have the tunnel come up)?

A

L, the Lifetime. The hash, authentication method, DH group and encryption algorithm must match exactly, but if the lifetime differs on each end the tunnel still comes up and the shorter of the two lifetimes is used.

12
Q

What is the mode that IKE Phase 2 tunnel is built called?

A

Quick Mode

13
Q

What is a more proper term for the tunnels that are created by VPN peers?

A

Security Associations (SAs)

14
Q

What are the policies used for IKE Phase 2 negotiations called?

A

Transform Sets

15
Q

What is a crypto ACL?

A

A crypto ACL is used to identify traffic that should be encrypted and sent over a VPN tunnel.

NOTE: Crypto ACLs are not applied directly to interfaces. They are referenced by a policy called a crypto map, and it is the crypto map that is applied to an interface. The ACL must be mirrored on the remote peer (source and destination swapped) or the peers will disagree about which traffic belongs in the tunnel.

16
Q

How would you set up IKE Phase 1 parameters via the command line?

A

crypto isakmp policy 1

(1 is the policy number, in the range 1 to 10000. It is also the priority: when several policies exist, the lowest-numbered one is offered to the peer first.)

Once in (config-isakmp) mode you can configure the HAGLE options:

(config-isakmp)# authentication pre-share (PSK)

(config-isakmp)# hash md5 (MD5 hashing)

(config-isakmp)# group 5 (Diffie-Hellman Group 5)

(config-isakmp)# lifetime 3600 (tear down the tunnel after 1 hour)

(config-isakmp)# encr aes 128 (AES 128-bit encryption)

17
Q

So you have set up an IKE Phase 1 policy that is supposed to use PSKs for authentication. How do you set up the actual PSK?

A

Check that your isakmp policy is set to require pre-shared keys.

show crypto isakmp policy

Check where it says authentication method: Pre-shared key

Then in global configuration mode:

(config)# crypto isakmp key pass123 address 43.0.0.2

This configures a PSK of pass123 to authenticate with the VPN peer at 43.0.0.2. The same key must be configured on the peer, bound to this router's address, and a long random key should be used in practice rather than a dictionary word.

18
Q

How do you configure the IKE Phase 2 tunnel parameters for IPsec?

A

(config) # crypto ipsec transform-set MYSET esp-sha-hmac esp-aes 256

The above command creates a transform set called "MYSET" that requires ESP with SHA-1 HMAC for integrity and AES 256-bit encryption.

Tunnel mode is the default for a transform set, so the IPsec tunnel will encrypt and forward traffic on the clients' behalf without further configuration. The command below makes that choice explicit (use "mode transport" instead if transport mode is wanted):

(cfg-crypto-trans)# mode tunnel

19
Q

What two modes will IKE Phase 2 tunnels operate in?

A

Tunnel Mode - the most common usage. The VPN peer encrypts the entire original IP packet, adds a new IP header with the peer addresses, and forwards it on behalf of the clients sending through the peer device.

Transport Mode - less common. It is used when the two peers themselves (for example two routers) are the endpoints of the traffic being protected. Only the payload is encrypted and the original IP header is kept.

20
Q

How do you create a crypto map to use an ACL to identify traffic that should be encrypted through the VPN tunnel?

A

(config) # crypto map MYMAP 1 ipsec-isakmp

This creates a map called MYMAP (sequence number 1) and requests the services of ISAKMP to negotiate the keys.

Here’s how to use the ACL to match traffic:

(config-crypto-map)# match address 100 (100 is the extended ACL number)

if the traffic is matched, use this transform set:

(config-crypto-map)# set transform-set MYSET

(config-crypto-map)# set peer 43.0.0.2
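Cards 15 through 20 are the steps of one procedure. The listing below is an added example that stitches them into a complete site-to-site configuration for Peer A; it is not from the page. The names MYSET and MYMAP, ACL 100 and the peer address 43.0.0.2 come from the cards. The local address 43.0.0.1, the interface name, the LAN subnets 10.1.1.0/24 and 10.2.2.0/24 and the policy number 10 are assumed. The Phase 1 policy uses AES-256, SHA-1 and DH group 14 in place of the MD5/group 5 values shown in card 16, because group 14 (2048 bits) is available on current IOS releases and is the better choice.

```cisco
! IKE Phase 1 policy (the HAGLE parameters). 10 is the priority; lower-numbered
! policies are offered to the peer first. Policy number is an assumed value.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
!
! Pre-shared key for the peer at 43.0.0.2. The key must be identical on both
! peers; use a long random string instead of a word like this one.
crypto isakmp key pass123 address 43.0.0.2
!
! IKE Phase 2 transform set: ESP with AES-256 encryption and SHA-1 HMAC.
! Tunnel mode is the default; it is stated here to make the intent visible.
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL: "interesting" traffic from the local LAN to the remote LAN
! (subnets are assumed). Peer B needs the mirror image of this ACL.
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map entry: which traffic (ACL), how to protect it (transform set),
! and with whom (peer).
crypto map MYMAP 1 ipsec-isakmp
 match address 100
 set transform-set MYSET
 set peer 43.0.0.2
!
! Nothing is encrypted until the crypto map is applied to the outside
! interface (interface name and address are assumed).
interface GigabitEthernet0/0
 ip address 43.0.0.1 255.255.255.0
 crypto map MYMAP
```

Peer B gets the same configuration with the addresses reversed: set peer 43.0.0.1, the pre-shared key bound to address 43.0.0.1, and the ACL written from 10.2.2.0/24 to 10.1.1.0/24. The tunnel is not built until traffic matches the ACL; a ping from a 10.1.1.0/24 host to a 10.2.2.0/24 host triggers IKE, after which show crypto isakmp sa and show crypto ipsec sa (cards 4 and 5) display the Phase 1 and Phase 2 SAs.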

21
Q

What does ISAKMP stand for?

A

Internet Security Association and Key Management Protocol