Overview


Internet Protocol Security, generally called IPSec, provides a secure way to authenticate senders and encrypt IP version 4 (IPv4) and version 6 (IPv6) traffic between network devices. IPSec offers network administrators and their users data confidentiality, data integrity, sender authentication, and anti-replay services, and it is increasingly a critical component of contemporary IP networks.


IPSec is a framework for secure private communication over IP networks and is based on standards developed by the Internet Engineering Task Force (IETF). The original IETF specifications are RFC 1825 through RFC 1827, published in 1995.


IPSec provides security services at the network layer of the Open Systems Interconnection (OSI) model by enabling a system to select required security protocols, determine the algorithms to use for the security services, and implement any cryptographic keys required to provide the requested services.

This document describes how to configure an IPSec site-to-site tunnel between a Seqrite UTM and Cisco 1841 Router with Cisco IOS.


Scenario

 


Requirements


Seqrite recommends that these requirements be met before you attempt the configuration described in this document:

  • End-to-end IP connectivity between the two public IPs must be established.
  • These protocols must be allowed between the two peers:

      - User Datagram Protocol (UDP) ports 500 and 4500 for the IPSec control plane
      - Encapsulating Security Payload (ESP), IP protocol 50, for the IPSec data plane


Configuration on Seqrite UTM


1. To create a new IPSec connection, go to VPN > IPSec > Site to Site.


2. Enable the VPN server and click the { + } sign to create a VPN configuration.


Note: With a Site to Site IPSec VPN connection, branch networks can access a remote network, for example a Head Office network from a Branch Office.


3. Enter all the configuration details for the VPN as below.


Parameter                 | Value           | Description
--------------------------+-----------------+-------------------------------------------------------------------
Connection Name           | VPN             | Name to identify the IPSec connection.
Network Interface         | 124.123.98.241  | Select your public IP. This is a WAN interface that you configured in the Interface section.
Remote Server IP          | 183.82.106.171  | Enter the remote server's public IP.
Local Networks            | 10.10.60.0/22   | Choose the local LAN created earlier.
Remote Networks           | 192.168.1.0/24  | Choose the remote LAN created earlier.
IKE Version               | IKEv1 / IKEv2   | Select the same IKE version on both sides.
Authentication Type       | Pre-shared key  | Set the authentication type to pre-shared key. You need to enter the same key on the Cisco device.
Advanced Options          |                 | Select the same encryption algorithm, authentication algorithm and key group for the Phase 1 and Phase 2 settings.
  Encryption Algorithm    | 3DES            |
  Authentication Algorithm| MD5             |
  Key Group (DH)          | 2 (DH1024)      |

Note: These settings must be the same as those configured on the Cisco device.



4. Click the + sign to expand the Advanced Options.


5. Select the Phase 1 and Phase 2 settings. The same settings must be selected on the Cisco device. Then click Apply.


6. Toggle the ON/OFF status switch to enable the connection. It is disabled by default.



Any service that must be reachable over the IPSec tunnel has to be allowed in the interzone settings or in custom rules, as your requirements dictate.


Allow the services in the four VPN rules below:

 1. LAN-VPN

 2. VPN-LAN

 3. UTM-VPN

 4. VPN-UTM


Go to Firewall > Interzone Rules and allow the services.



Configuration on Cisco 1841 Router with Cisco IOS via CLI


1. Configure the ISAKMP (IKEv1) Policy


To configure the ISAKMP policy for IKEv1 connections, enter the crypto isakmp policy <priority> command in global configuration mode:


crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2


You can verify the IKE parameters you configured with the following command:


show crypto isakmp policy


2. Configure a Crypto ISAKMP Key


To configure a pre-shared authentication key, enter the crypto isakmp key command in global configuration mode:


crypto isakmp key  ********  address 124.123.98.241


Note: The pre-shared key must be the same key already configured on the Seqrite UTM.


3. Configure an ACL for VPN Traffic of Interest


Use an extended or named access list to specify the traffic that should be protected by encryption. The wildcard mask is the inverse of the subnet mask, so the /22 local network of the UTM becomes 0.0.3.255 here:


access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.10.60.0 0.0.3.255


4. Configure a Transform Set


To define an IPSec transform set (an acceptable combination of security protocols and algorithms), enter the crypto ipsec transform-set command in global configuration mode. Here is an example:


crypto ipsec transform-set test esp-3des esp-md5-hmac


5. Configure a Crypto Map and Apply it to an Interface


To create or modify a crypto map entry and enter crypto map configuration mode, enter the crypto map global configuration command. For the crypto map entry to be complete, at a minimum these aspects must be defined:

  • The IPSec peers to which the protected traffic can be forwarded. These are the peers with which an SA can be established. To specify an IPSec peer in a crypto map entry, enter the set peer command.
  • The transform sets that are acceptable for the protected traffic. To specify the transform sets that can be used with the crypto map entry, enter the set transform-set command.
  • The traffic that should be protected. To specify an extended access list for a crypto map entry, enter the match address command.


crypto map CMAPVPN 13 ipsec-isakmp
 description Tunnel to 124.123.98.241
 set peer 124.123.98.241
 set transform-set test
 match address 102


interface GigabitEthernet0/0
 crypto map CMAPVPN
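Every value in the five Cisco steps above is derived from something already entered on the Seqrite UTM, and the usual reason a tunnel reaches Phase 1 but never carries traffic is a mismatch between the two ends: an ACL that is not the exact mirror of the UTM's Local/Remote Networks, a wildcard mask worked out wrongly for the /22, or a different algorithm on one side. The following Python script is an added example, not code from Seqrite or Cisco. It renders the Cisco configuration from the UTM's parameters, computes the wildcard masks, parses an existing ACL back into prefixes to check that it mirrors the UTM, and lists the legacy algorithm choices (3DES, MD5 and DH group 2 are deprecated in current Cisco guidance, although the page uses them). The parameter dictionary, the UTM-label-to-IOS-keyword mapping and the pre-shared key placeholder are assumptions of the example.

```python
import ipaddress

# Constructed sample parameters, copied from the Seqrite UTM table above.
# The pre-shared key is a placeholder; a real key is never hard-coded in a script.
UTM_PARAMS = {
    "utm_public_ip": "124.123.98.241",   # UTM "Network Interface"; becomes the Cisco "set peer"
    "utm_local": ["10.10.60.0/22"],      # UTM "Local Networks"
    "utm_remote": ["192.168.1.0/24"],    # UTM "Remote Networks"
    "encryption": "3DES",
    "authentication": "MD5",
    "dh_group": 2,
    "psk": "<PRE-SHARED-KEY-PLACEHOLDER>",
}

# Assumed mapping from the UTM's labels to IOS keywords (IKEv1 policy, ESP transform).
ENCR_KEYWORD = {"3DES": ("3des", "esp-3des"), "AES-128": ("aes", "esp-aes"),
                "AES-256": ("aes 256", "esp-aes 256")}
HASH_KEYWORD = {"MD5": ("md5", "esp-md5-hmac"), "SHA1": ("sha", "esp-sha-hmac")}


def wildcard_mask(network):
    """Cisco wildcard (inverse) mask for a CIDR prefix: /22 -> 0.0.3.255, /24 -> 0.0.0.255."""
    return str(ipaddress.ip_network(network, strict=True).hostmask)


def mirrored_acl(acl_number, utm_local, utm_remote):
    """ACL entries whose proxy IDs mirror the UTM: Cisco source = UTM Remote Networks,
    Cisco destination = UTM Local Networks. A pair that is not an exact mirror is the
    usual reason Phase 2 fails even though Phase 1 reaches QM_IDLE."""
    lines = [f"access-list {acl_number} remark IPSec Rule"]
    for src in utm_remote:
        for dst in utm_local:
            s = ipaddress.ip_network(src, strict=True)
            d = ipaddress.ip_network(dst, strict=True)
            lines.append(f"access-list {acl_number} permit ip "
                         f"{s.network_address} {s.hostmask} {d.network_address} {d.hostmask}")
    return lines


def _from_wildcard(addr, wildcard):
    """Address plus wildcard mask -> CIDR string; rejects non-contiguous wildcards."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):                   # a contiguous wildcard is of the form 0...01...1
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return str(ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=True))


def parse_acl_permit(line):
    """Turn 'access-list N permit ip SRC WC DST WC' back into (src_cidr, dst_cidr)."""
    f = line.split()
    if len(f) != 8 or f[2:4] != ["permit", "ip"]:
        raise ValueError(f"not an extended 'permit ip' entry: {line!r}")
    return _from_wildcard(f[4], f[5]), _from_wildcard(f[6], f[7])


def acl_mirrors_utm(acl_lines, utm_local, utm_remote):
    """True when the Cisco permit entries are exactly the mirror of the UTM's pairs."""
    expected = {(str(ipaddress.ip_network(r)), str(ipaddress.ip_network(l)))
                for r in utm_remote for l in utm_local}
    found = {parse_acl_permit(l) for l in acl_lines if " permit ip " in l}
    return found == expected


def legacy_algorithms(p):
    """Deprecated choices in the parameter set (3DES, MD5, DH groups 1/2/5)."""
    weak = {"3DES", "MD5"} & {p["encryption"], p["authentication"]}
    if p["dh_group"] in (1, 2, 5):
        weak.add(f"DH group {p['dh_group']}")
    return sorted(weak)


def render_cisco_config(p, acl_number=102, map_name="CMAPVPN", seq=13,
                        transform_name="test", interface="GigabitEthernet0/0"):
    """Render the five Cisco IOS steps above from the UTM parameters, so both ends
    use the same algorithms, DH group, peer address and mirrored proxy IDs."""
    ike_encr, esp_encr = ENCR_KEYWORD[p["encryption"]]
    ike_hash, esp_auth = HASH_KEYWORD[p["authentication"]]
    cfg = [
        "crypto isakmp policy 10",
        f" encr {ike_encr}", f" hash {ike_hash}", " authentication pre-share", f" group {p['dh_group']}",
        f"crypto isakmp key {p['psk']} address {p['utm_public_ip']}",
        *mirrored_acl(acl_number, p["utm_local"], p["utm_remote"]),
        f"crypto ipsec transform-set {transform_name} {esp_encr} {esp_auth}",
        f"crypto map {map_name} {seq} ipsec-isakmp",
        f" description Tunnel to {p['utm_public_ip']}",
        f" set peer {p['utm_public_ip']}",
        f" set transform-set {transform_name}",
        f" match address {acl_number}",
        f"interface {interface}",
        f" crypto map {map_name}",
    ]
    return "\n".join(cfg)


if __name__ == "__main__":
    print(render_cisco_config(UTM_PARAMS))
    print("# legacy choices:", ", ".join(legacy_algorithms(UTM_PARAMS)))
```

Run it once with the UTM's values and paste the rendered lines into the router; before that, feed the router's existing access-list 102 entries to acl_mirrors_utm whenever the UTM's Local or Remote Networks change, because the two ends must keep agreeing on the proxy IDs.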




Verification

 

A. Verification on Seqrite UTM


1. Once the VPN configuration is done on the Cisco device, the VPN status turns Active.



2. The same can be verified in the Live Logs option.



3. You can verify that the tunnel is working by pinging a PC at the other location.




B. Verification on Cisco 1841 Router with Cisco IOS.


You can verify that the IPSec VPN tunnel is working on the Cisco device with the commands below.


show crypto isakmp sa

This command shows the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs) built between peers.

dst             src             state    conn-id  slot
124.123.98.241  183.82.106.171  QM_IDLE  1        0


show crypto ipsec sa

This command shows IPsec SAs built between peers. The encrypted tunnel is built between 183.82.106.171 and 124.123.98.241 for traffic that goes between networks 192.168.1.0 and 10.10.60.0. You can see the two Encapsulating Security Payload (ESP) SAs built inbound and outbound. Authentication Header (AH) is not used since there are no AH SAs.

This output shows an example of the show crypto ipsec sa command.

  interface: FastEthernet0
    Crypto map tag: test, local addr. 183.82.106.171

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.60.0/255.255.252.0/0/0)
   current_peer: 124.123.98.241
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
    #pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0,
    #pkts decompress failed: 0, #send errors 1, #recv errors 0

     local crypto endpt.: 183.82.106.171, remote crypto endpt.: 124.123.98.241
     path mtu 1500, media mtu 1500
     current outbound spi: 3D3

     inbound esp sas:
      spi: 0x136A010F(325714191)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4608000/52)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3D3(979)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4608000/52)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
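As an added example (not Seqrite's or Cisco's code), the Python script below parses the two show commands over a trimmed copy of the sample output above and reduces them to the checks an operator actually wants: a QM_IDLE ISAKMP SA with the peer (Phase 1 established), an inbound and an outbound ESP SA (Phase 2), encaps and decaps counters growing in both directions (a non-zero encaps with zero decaps is the signature of one-way traffic, typically a proxy-ID or firewall problem at the far end), the send/recv error counters, and a flag when the negotiated transform is a legacy one such as esp-3des/esp-md5-hmac. The sample strings are constructed from the page's output with some lines dropped; the finding texts are my own wording.

```python
import re

# Constructed sample output, copied (trimmed) from the verification section above.
ISAKMP_SA_OUTPUT = """\
dst             src             state    conn-id  slot
124.123.98.241  183.82.106.171  QM_IDLE  1        0
"""

IPSEC_SA_OUTPUT = """\
interface: FastEthernet0
    Crypto map tag: test, local addr. 183.82.106.171
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.60.0/255.255.252.0/0/0)
   current_peer: 124.123.98.241
    #pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
    #pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
    #pkts decompress failed: 0, #send errors 1, #recv errors 0
     local crypto endpt.: 183.82.106.171, remote crypto endpt.: 124.123.98.241
     current outbound spi: 3D3
     inbound esp sas:
      spi: 0x136A010F(325714191)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4608000/52)
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x3D3(979)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4608000/52)
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
"""

LEGACY_TRANSFORMS = ("esp-des", "esp-3des", "esp-md5-hmac")
ISAKMP_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)", re.M)


def parse_isakmp_sa(text):
    """One dict per Phase 1 SA row; state QM_IDLE means the IKE SA is established and idle."""
    return [{"dst": d, "src": s, "state": st, "conn_id": int(c)}
            for d, s, st, c in ISAKMP_ROW.findall(text)]


def _esp_sa(text, direction):
    """spi/transform/remaining lifetime of the inbound or outbound ESP SA, or None if absent."""
    block = re.search(rf"{direction} esp sas:\n(.*?)(?=\s*(?:inbound|outbound) (?:ah|pcp|esp) sas:|\Z)",
                      text, re.S)
    if not block or "spi:" not in block.group(1):
        return None
    body = block.group(1)
    spi = re.search(r"spi:\s*(0x[0-9A-Fa-f]+)", body).group(1)
    transform = re.search(r"transform:\s*([^,]+)", body).group(1).strip()
    kb, sec = re.search(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", body).groups()
    return {"spi": spi, "transform": transform, "remaining_kb": int(kb), "remaining_sec": int(sec)}


def parse_ipsec_sa(text):
    """Counters and per-direction ESP SAs from 'show crypto ipsec sa'."""
    def count(label):
        m = re.search(rf"{re.escape(label)}:?\s*(\d+)", text)
        return int(m.group(1)) if m else 0
    peer = re.search(r"current_peer:\s*(\S+)", text)
    return {
        "peer": peer.group(1) if peer else None,
        "encaps": count("#pkts encaps"),
        "decaps": count("#pkts decaps"),
        "send_errors": count("#send errors"),
        "recv_errors": count("#recv errors"),
        "inbound": _esp_sa(text, "inbound"),
        "outbound": _esp_sa(text, "outbound"),
    }


def tunnel_findings(isakmp_rows, ipsec, peer):
    """Human-readable health findings; an empty list means a clean two-way tunnel."""
    findings = []
    if not any(r["state"] == "QM_IDLE" and peer in (r["dst"], r["src"]) for r in isakmp_rows):
        findings.append(f"Phase 1: no QM_IDLE ISAKMP SA with {peer} (check policy, PSK, UDP 500/4500)")
    for direction in ("inbound", "outbound"):
        sa = ipsec[direction]
        if sa is None:
            findings.append(f"Phase 2: no {direction} ESP SA (check transform set and mirrored ACLs)")
        elif any(t in sa["transform"] for t in LEGACY_TRANSFORMS):
            findings.append(f"{direction} SA uses legacy transform '{sa['transform']}'")
    if ipsec["encaps"] and not ipsec["decaps"]:
        findings.append("one-way traffic: packets encrypted but none decrypted (check the far end's ACL/firewall)")
    if ipsec["send_errors"] or ipsec["recv_errors"]:
        findings.append(f"errors: send={ipsec['send_errors']} recv={ipsec['recv_errors']}")
    return findings


def tunnel_is_up(isakmp_rows, ipsec, peer):
    """True when Phase 1 is QM_IDLE with the peer and both ESP SAs exist."""
    return not any(f.startswith(("Phase 1", "Phase 2"))
                   for f in tunnel_findings(isakmp_rows, ipsec, peer))


if __name__ == "__main__":
    rows, sa = parse_isakmp_sa(ISAKMP_SA_OUTPUT), parse_ipsec_sa(IPSEC_SA_OUTPUT)
    print("tunnel up:", tunnel_is_up(rows, sa, "124.123.98.241"))
    for finding in tunnel_findings(rows, sa, "124.123.98.241"):
        print(" -", finding)
```

On the page's sample the tunnel is up, but the script still reports the single send error and the legacy esp-3des/esp-md5-hmac transform, which is the kind of detail a quick look at a QM_IDLE line hides.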



For assistance, please write to us at UTMSupport@Seqrite.com