Saturday, November 12, 2016

Cisco ASA VPN : Part 2 – Phase 1, phase 2 & combined view.

Before reading this, it is recommended to go through Part 1 (Site-to-Site VPN).
Phase 1
Phase 1 of the VPN is where the two peers build the ISAKMP tunnel that carries management (control) traffic between them. The major parameters in phase 1 are:
  • Encryption : Specifies the encryption algorithm used to protect the phase 1 exchange.
  • Hashing : The hashing algorithm is used to protect the integrity of each packet.
  • DH group : The Diffie-Hellman group used to agree on encryption keys safely over the internet. DH achieves this with a public-private key method, so the shared secret itself is never sent on the wire.
  • Timers : They define the lifetime after which the phase 1 SA is renegotiated.

Below is the part of the configuration that defines the phase 1 parameters:

ciscoasa(config)# crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
 exit

If you want to see the policies configured for phase 1, run the following command:

ciscoasa# sh running-config | begin policy

Let's check the status of phase 1 of the VPN we created:
ciscoasa# sh crypto isakmp sa

Here you can see 'state : MM_ACTIVE'. This denotes that phase 1 is operating in main mode. Phase 1 negotiations take place in one of two modes:
  • Main mode : Six messages are exchanged (three pairs). This is the more secure method.
    • The initiator sends a packet with its ISAKMP policy.
    • The remote end responds with the matching ISAKMP policy.
    • The initiator sends the key exchange payload and the nonce payload. These payloads are required for generating the DH secret key.
    • The remote end responds with its own key exchange and nonce payloads. All further negotiations are encrypted.
    • Now the initiator sends the hash payload and the identity payload (the device's IP address).
    • The remote end responds with the corresponding payloads.

  • Aggressive mode : Three messages are exchanged. This is the less secure method, because the identity payloads are sent before encryption is in place.
    • All information required to generate the DH secret is sent to the remote end by the initiator in the first message.
    • The remote end responds with its share of the DH exchange.
    • The initiator now sends its identity and hash payloads. If these match on the remote end, the phase 1 tunnel will come up.

Phase 2
Phase 2 of a site-to-site VPN is where the actual data is transferred. The following part of the configuration is for phase 2:
ciscoasa(config)# crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
We can use one of two protocols for phase 2:
  • AH (Authentication Header) – provides encapsulation with integrity checking, but no encryption.
  • ESP (Encapsulating Security Payload) – provides encapsulation and encryption. Works well when a NAT is in place.
AH is not used these days.
Phase 2 builds security associations (SAs) for outbound and inbound data. Each outbound and inbound SA has its own SPI (Security Parameter Index). It is based on this SPI that the firewall identifies the SA associated with a packet and decrypts the data. Each SA carries the details of encryption, hashing and other parameters.
Let's check the status of phase 2 in our VPN:

ciscoasa# sh crypto ipsec sa
If there are more subnets to be encrypted, you will see additional SAs and their SPIs.
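As an added example (not part of the original post), the small Python audit below parses the phase 1 policy and phase 2 transform-set lines shown above, in the form "sh running-config" prints them, and flags parameters that a defender would consider weak today. The sample configuration text and the lists of "weak" values are constructed for this example and reflect a local policy choice, not a Cisco recommendation.

```python
import re

# Constructed sample: the phase 1 policy and phase 2 transform-set from the post,
# laid out as "show running-config" prints them (sample text, not a real device).
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
"""

# Assumption: local audit policy. DES/3DES, MD5 and small DH groups are flagged.
WEAK_PHASE1 = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_PHASE2 = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}


def parse_ikev1_policies(text):
    """Return {policy_number: {param: value}} for every 'crypto ikev1 policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)$", line.strip())
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if current is not None and line.startswith(" "):   # indented sub-command
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:                                                # left the policy block
            current = None
    return policies


def parse_transform_sets(text):
    """Return {name: [transforms]} for every 'crypto ipsec ikev1 transform-set' line."""
    sets = {}
    for m in re.finditer(r"crypto ipsec ikev1 transform-set (\S+) (.+)", text):
        sets[m.group(1)] = m.group(2).split()
    return sets


def audit(text):
    """List human-readable findings for weak phase 1 / phase 2 parameters."""
    findings = []
    for num, params in parse_ikev1_policies(text).items():
        for key, weak in WEAK_PHASE1.items():
            if params.get(key) in weak:
                findings.append(f"ikev1 policy {num}: weak {key} {params[key]}")
    for name, transforms in parse_transform_sets(text).items():
        for t in transforms:
            if t in WEAK_PHASE2:
                findings.append(f"transform-set {name}: weak transform {t}")
    return findings
```

Run against the sample, audit() reports the DH group 2 in policy 10 and the esp-3des transform in set1; feed it the output of "sh running-config" to check a real box.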
The combined view : Phase 1 and Phase 2
Finally, let's take a packet capture of phase 1 and phase 2 and go through it.
