The next major task is to configure the IPSec parameters you
determined in Task 1. This task consists of five basic configuration steps that
define IPSec SA parameters between peers and set global IPSec values. The
steps are as follows.
Step 3.1: Configure Crypto Access Lists
The first major step in configuring PIX Firewall IPSec is to
configure crypto access lists to define which IP traffic is interesting and will
be protected by IPSec, and which traffic won’t be protected by IPSec. Crypto
access lists perform the following functions:
- Define the data traffic to be protected by IPSec.
- Filter inbound traffic and discard any traffic that should have been protected by IPSec.
- Determine whether to accept requests for IPSec SAs for the requested dataflows when processing IKE negotiations.
Define a crypto access list with the access-list
global configuration command. Use the no form of the command to delete an
entire access list. The syntax and an example follow.
Pix(config)# access-list acl-name {deny | permit} protocol src-addr src-netmask [operator port [port]] dest dest-netmask [operator port [port]]
Pix(config)# access-list 150 permit ip 1.1.40.0 255.255.255.0 1.1.2.0 255.255.255.0
While the access list syntax is the same as those applied to PIX
Firewall interfaces, the meanings are slightly different for crypto access
lists. Permit statements specify that any matching packets must be encrypted,
while deny statements specify that any matching packets needn’t be
encrypted.
Some additional details for access lists are as follows.
- Any unprotected inbound traffic matching a permit statement in the crypto access list for a crypto map is dropped because it should have been encrypted.
- Using port ranges can dramatically increase the number of IPSec tunnels the PIX Firewall can originate or terminate. A new tunnel is created for each port.
- Creating two different crypto access lists would be necessary to define two different types of traffic that require different combinations of IPSec protection. One type could define the traffic requiring authentication and encryption, while the second type might define traffic requiring authentication only.
Keyword Any Issues
Extreme care should be used with the any keyword to define source or
destination addresses. This applies particularly to the permit any any
statement, which would cause all outbound traffic to be protected and sent to
the peer defined in the corresponding crypto map statement. It would also
require protection for all inbound traffic, and any inbound traffic that
arrived unprotected would be silently dropped.
Before using the any keyword in any permit
statement, it’s important to preface that statement with a series of deny
statements to filter out any traffic that doesn’t need to be
protected.
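The two rules above (permit means encrypt outbound and drop unprotected inbound; deny means pass in the clear) and the permit any any caution can be exercised against a crypto access list. The following is an added example, not configuration from the page; the access lists it parses are constructed, it handles only the address portion of the entries (port operators are skipped), and it checks inbound packets with their addresses mirrored, which is how a crypto access list written from the outbound view applies to inbound traffic.

```python
import ipaddress

# Constructed crypto access lists in PIX syntax (not the page's configuration).
# The first prefaces its permit with a deny; the second is the bare permit any any.
CAREFUL_ACL = """
access-list 150 deny ip 1.1.40.0 255.255.255.0 1.1.40.0 255.255.255.0
access-list 150 permit ip 1.1.40.0 255.255.255.0 1.1.2.0 255.255.255.0
"""
RISKY_ACL = "access-list 160 permit ip any any"
ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(fields, i):
    """Parse the address spec at fields[i]: 'any' or 'addr mask'; return (net, consumed)."""
    if fields[i] == "any":
        return ANY, 1
    return ipaddress.ip_network(f"{fields[i]}/{fields[i + 1]}", strict=False), 2

def parse_acl(text):
    """Return [(action, protocol, src_net, dst_net)] in configured order."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] != "access-list" or f[2] not in ("permit", "deny"):
            raise ValueError("not a crypto access-list entry: " + line)
        src, n = _addr(f, 4)
        dst, _ = _addr(f, 4 + n)  # any port operator after this is ignored here
        entries.append((f[2], f[3], src, dst))
    return entries

def first_match(entries, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((a for a, _, sn, dn in entries if s in sn and d in dn), None)

def outbound(entries, src_ip, dst_ip):
    """permit -> must be encrypted to the peer; deny or no match -> sent in the clear."""
    return "encrypt" if first_match(entries, src_ip, dst_ip) == "permit" else "clear"

def inbound(entries, src_ip, dst_ip, protected):
    """Inbound packets are matched mirrored; unprotected ones hitting a permit are dropped."""
    if first_match(entries, dst_ip, src_ip) == "permit" and not protected:
        return "drop"
    return "accept"

def any_any_warnings(entries):
    """Flag a permit any any that no deny entry precedes."""
    return [f"entry {i + 1}: permit any any with no preceding deny"
            for i, (a, _, sn, dn) in enumerate(entries)
            if a == "permit" and sn == ANY and dn == ANY
            and not any(e[0] == "deny" for e in entries[:i])]
```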
Step 3.2: Configure Transform Set Suites
The next step in configuring PIX Firewall IPSec is to use
the IPSec security policy to define a transform set. A transform set is a combination of individual IPSec transforms
grouped to define a specific security policy for traffic. During IKE phase two
negotiation for IPSec SA, the peers agree to use a particular transform set for
protecting a particular dataflow. Transform sets combine the following IPSec
factors:
- Payload authentication: AH transform
- Payload encryption: ESP transform
- IPSec mode (transport or tunnel)
A transform set is a combination of an AH transform, an ESP
transform, and the IPSec mode, Tunnel (default) or Transport. Transform
sets are limited to up to one AH and up to two ESP transforms. IPSec peers must
have at least one matching transform set configured.
If you specify an ESP protocol in a transform set, you can specify
only an ESP encryption transform or both an ESP encryption transform and an ESP
authentication transform. The PIX Firewall supports the following IPSec
transforms.
AH’s lack of compatibility with NAT and PAT, as well as the fact
that ESP is now available with authentication using the esp-sha-hmac and
esp-md5-hmac transforms, makes AH an infrequent choice.
Use the configuration mode crypto
ipsec transform-set command to define a transform set with up to three
transforms. Before a transform set can be included in a crypto map entry, it must
be defined using the crypto ipsec transform-set command. Use
the no form of the command to delete a transform set. The syntax and an example
follow.
Pix(config)# crypto ipsec transform-set trans-name [ah-md5-hmac | ah-sha-hmac] [esp-des | esp-null] [esp-md5-hmac | esp-sha-hmac]
Pix(config)# crypto ipsec transform-set seattle esp-des esp-md5-hmac
Windows 2000 Issue
The Windows 2000 L2TP/IPSec client uses IPSec Transport
mode, so Transport mode must be selected on the transform set. The default is
Tunnel mode. The crypto ipsec transform-set trans-name mode transport command
specifies IPSec Transport mode for a transform set.
For PIX Firewall version 6.0 and higher, L2TP is the only protocol
that can use the IPSec Transport mode. All other types of packets using IPSec
Transport mode will be discarded by the PIX Firewall. Use the no form of the
command to reset the mode to the default value of Tunnel mode.
Pix(config)# crypto ipsec transform-set trans-name mode transport
Pix(config)# crypto ipsec transform-set tacoma ah-md5-hmac esp-des esp-sha-hmac
Pix(config)# crypto ipsec transform-set tacoma mode transport
The following is sample output from the show crypto
ipsec transform-set command, displaying the result of the previous transform set
definitions:
Pix(config)# show crypto ipsec transform-set
Transform set seattle: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
Transform set tacoma: { ah-md5-hmac }
will negotiate = { Transport, },
{ esp-des esp-sha-hmac }
will negotiate = { Transport, },
Pix(config)#
Step 3.4: Configure Crypto Maps
Crypto map statements must be configured for IPSec to set up
SAs for traffic flows that must be encrypted. Crypto map statements set up SA
parameters, tying together the various parts required to set up IPSec SAs,
including the following:
- The type and granularity of traffic to be protected by IPSec, defined with a crypto access list.
- Where outbound IPSec-protected traffic should be sent (the remote IPSec peer).
- The local address to use for the IPSec traffic.
- What type of IPSec security (transform sets) should be applied to the traffic.
- Whether SAs are established via ISAKMP or manually configured.
- The IPSec SA lifetime.
Use the following substeps to configure a crypto map with the
various forms of the crypto map command.
Step 3.4.1: Use the crypto map
ipsec-manual | ipsec-isakmp command to create or modify a crypto map entry.
Use the ipsec-manual option to create or modify an
ipsec-manual crypto map entry. Use the ipsec-isakmp option
to create or modify an ipsec-isakmp crypto map entry. A crypto
map command without a keyword creates an ipsec-isakmp entry by default. Use
the no crypto map command to delete a crypto map entry or set.
The syntax and two examples follow.
Pix(config)# crypto map map-name seq-num [ipsec-isakmp | ipsec-manual]
Pix(config)# crypto map testmap 10 ipsec-isakmp
Pix(config)# crypto map testmap2 10 ipsec-manual
Step 3.4.2: Assign a crypto access list, created
earlier, to the crypto map entry to be used by IPSec to determine which traffic
should be protected by IPSec crypto and which traffic doesn’t need protection.
Permit traffic will be protected, while deny traffic won’t be protected by
IPSec.
The defined crypto access list is used to evaluate both inbound
and outbound traffic. Outbound traffic is evaluated to
determine if it should be protected by crypto and, if so (traffic matches a
permit entry), which crypto policy to apply. Inbound
traffic is evaluated to determine if it should have been protected by
crypto. If the inbound traffic should have been protected, but wasn’t, it’s
discarded as suspect.
The access list is also used to identify the flow for which the
IPSec security associations are established. In the outbound case, the permit
entry is used as the dataflow identity (in general). In the inbound case, the
data flow identity specified by the peer must be “permitted” by the crypto
access list.
Use the following syntax to assign a crypto access list to a
crypto map. Use the no form of the command to reverse the command. The syntax
and an example follow.
Pix(config)# crypto map map-name seq-num match address acl-name
Pix(config)# crypto map testmap 10 match address 150
Remember, the crypto access list doesn’t determine whether to
permit or deny traffic through the interface. An access list applied directly to
the interface with the access-group command makes that
determination.
Step 3.4.3: Use the crypto map set
peer command to define the IPSec peer in a crypto map entry. The peer is the
terminating interface of the IPSec peer. This command is required for all static
crypto maps, except for a dynamic crypto map (with the crypto
dynamic-map command). Use the no form of the command to remove an IPSec peer
from a crypto map entry. The syntax and an example follow.
Pix(config)# crypto map map-name seq-num set peer {hostname | ip-address}
Pix(config)# crypto map testmap 10 set peer 1.1.40.25
You can specify multiple peers for ipsec-isakmp
crypto entries by repeating the command. The peer that packets are sent to is
determined by the last peer the PIX Firewall received either traffic or a
negotiation request from for a given data flow. If the attempt fails with the
first peer, IKE tries the next peer on the crypto map list.
You can only specify one peer per crypto map with ipsec-manual
crypto entries. To change a peer, you must first delete the old peer, and then
specify the new peer.
Step 3.4.4: IPSec peers negotiate a matching
transform set during IKE phase two. Only one transform set can be defined for an
ipsec-manual crypto map, but both ipsec-isakmp and dynamic crypto map entries
can have up to six transform sets. When defining multiple transform sets, list
them in preference (priority) starting with the highest priority. The most
secure transforms should be the highest priority and, therefore, early in the
list.
Use the crypto map set transform-set command to
define which transform set(s) can be used with the crypto map entry. Before a transform set can be included in a crypto map entry,
it must be defined using the crypto ipsec
transform-set command. Use
the no crypto map set transform-set command to remove all
transform sets from a crypto map entry. The syntax and an example follow.
Pix(config)# crypto map map-name seq-num set transform-set trans-name1 [trans-name2 ... trans-name6]
Pix(config)# crypto ipsec transform-set seattle esp-des esp-md5-hmac
Pix(config)# crypto map testmap 10 set transform-set seattle
Step 3.4.5: (Optional.) Perfect forward secrecy
(PFS) requires a new Diffie–Hellman exchange every time a new SA is negotiated
for ipsec-isakmp crypto map entries and dynamic crypto map entries. PFS adds an
additional level of security because if one key is ever compromised, only the
data sent with that key will be affected. This additional security does require
additional processing resources and time. PFS isn’t on by default.
Use the crypto map set pfs command to ask for
PFS and the no form of the command to turn off the feature. The default (group1)
is used if the set pfs statement doesn’t specify a group. The 1024-bit
Diffie–Hellman group2 provides more security than group1, but it also consumes
more processing time than group1. The syntax and two examples follow.
Pix(config)# crypto map map-name seq-num set pfs [group1 | group2]
Pix(config)# crypto map testmap 10 set pfs
Pix(config)# crypto map testmap 10 set pfs group2
Step 3.4.6: (Optional.) Use the crypto map set security-association lifetime command to override
the global lifetime value for a particular crypto map entry. The global lifetime
is used when negotiating IPSec security associations. While a shorter lifetime
increases the security level, it does so at the expense of additional CPU resources.
This option is only available for ipsec-isakmp crypto map entries and dynamic
crypto map entries. Use the no form of the command to reset a crypto map entry’s
lifetime value to the global value. The syntax and an example follow.
Pix(config)# crypto map map-name seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}
Pix(config)# crypto map testmap 10 set security-association lifetime seconds 2700
Step 3.4.7: (Optional.) Five crypto dynamic-map commands cover many of the IPSec parameters
just introduced. These commands can be used to define dynamic crypto map
features. A dynamic crypto map entry is basically a crypto
map entry without all the parameters configured. It acts as a policy template
where the missing parameters are later dynamically configured to match a peer’s
requirements as the result of an IPSec negotiation. This allows peers to
exchange IPSec traffic with the PIX Firewall, even if the PIX Firewall doesn’t
have a crypto map entry specifically configured to meet all the peer’s
requirements.
The following is the syntax of the commands:
crypto dynamic-map dyn-map-name dyn-seq-num match address acl-name
crypto dynamic-map dyn-map-name dyn-seq-num set peer {hostname | ip-address}
crypto dynamic-map dyn-map-name dyn-seq-num set pfs [group1 | group2]
crypto dynamic-map dyn-map-name dyn-seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}
crypto dynamic-map dyn-map-name dyn-seq-num set transform-set trans-set-name1 [trans-set-name2 ... trans-set-name9]
The following output shows an example of using each of the
commands:
Pix(config)# crypto dynamic-map reachus 20 match address 150
Pix(config)# crypto dynamic-map reachus 20 set peer 1.1.70.25
Pix(config)# crypto dynamic-map reachus 20 set pfs group2
Pix(config)# crypto dynamic-map reachus 20 set security-association lifetime seconds 10000
Pix(config)# crypto dynamic-map reachus 20 set transform-set tacoma
The show crypto dynamic-map command is used to
display the dynamic crypto map information.
The following output shows the minimum commands required for
crypto map configuration when IKE is used to establish the security
associations.
Pix(config)# access-list 150 permit ip 1.1.40.0 255.255.255.0 1.1.2.0 255.255.255.0
Pix(config)# crypto ipsec transform-set testset ah-md5-hmac esp-sha-hmac
Pix(config)# crypto map testmap 10 ipsec-isakmp
Pix(config)# crypto map testmap 10 match address 150
Pix(config)# crypto map testmap 10 set transform-set testset
Pix(config)# crypto map testmap 10 set peer 1.1.40.7
The following example shows the minimum required crypto map
configuration when the security associations are manually established.
Pix(config)# access-list 150 permit ip 1.1.40.0 255.255.255.0 1.1.2.0 255.255.255.0
Pix(config)# crypto ipsec transform-set testset2 ah-md5-hmac esp-des
Pix(config)# crypto map testmap2 10 ipsec-manual
Pix(config)# crypto map testmap2 10 match address 150
Pix(config)# crypto map testmap2 10 set transform-set testset2
Pix(config)# crypto map testmap2 10 set peer 1.1.40.7
Pix(config)# crypto map testmap2 10 set session-key inbound ah 256 12093487567854903212093487568903
Pix(config)# crypto map testmap2 10 set session-key outbound ah 256 asdfghjklpoiuytrewqzxcvbnmqazxsw
Pix(config)# crypto map testmap2 10 set session-key inbound esp 256 cipher 8765432167890543
Pix(config)# crypto map testmap2 10 set session-key outbound esp 256 cipher plokmnjiuhbvgytf
Pix(config)#
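The substeps of Step 3.4 amount to a set of consistency rules for a crypto map entry: its match address must name a defined access list, every transform set it references must already be defined, a static entry needs a peer, and an ipsec-manual entry needs inbound and outbound session keys for each protocol in its transform set. The following added checker (not code from the page or from Cisco) applies those rules to a constructed configuration modelled on the two minimum examples above, into which an undefined transform set, a missing match address, a missing peer and missing session keys have been introduced so that each rule fires; the transform-set mode line and port operators are not modelled.

```python
# Constructed PIX configuration (not the page's); testmap lacks match address and peer
# and names an undefined set "seattle"; testmap2 lacks three of its four session keys.
SAMPLE_CONFIG = """
access-list 150 permit ip 1.1.40.0 255.255.255.0 1.1.2.0 255.255.255.0
crypto ipsec transform-set testset ah-md5-hmac esp-sha-hmac
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 set transform-set testset seattle
crypto map testmap2 10 ipsec-manual
crypto map testmap2 10 match address 150
crypto map testmap2 10 set transform-set testset
crypto map testmap2 10 set peer 1.1.40.7
crypto map testmap2 10 set session-key inbound ah 256 12093487567854903212093487568903
"""

def parse_config(text):
    """Collect access-list names, transform sets and crypto map entries keyed by (name, seq)."""
    acls, tsets, maps = set(), {}, {}
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] == "access-list":
            acls.add(f[1])
        elif f[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[f[3]] = f[4:]  # transform names such as ah-md5-hmac, esp-des
        elif f[:2] == ["crypto", "map"]:
            e = maps.setdefault((f[2], f[3]), {"type": "ipsec-isakmp", "tsets": [], "peers": [], "keys": set()})
            if f[4] in ("ipsec-isakmp", "ipsec-manual"):
                e["type"] = f[4]
            elif f[4:6] == ["match", "address"]:
                e["acl"] = f[6]
            elif f[4:6] == ["set", "transform-set"]:
                e["tsets"] += f[6:]
            elif f[4:6] == ["set", "peer"]:
                e["peers"].append(f[6])
            elif f[4:6] == ["set", "session-key"]:
                e["keys"].add((f[6], f[7]))  # (inbound|outbound, ah|esp)
    return acls, tsets, maps

def check_crypto_maps(text):
    """Return one finding per violation of the Step 3.4 rules."""
    acls, tsets, maps = parse_config(text)
    out = []
    for (name, seq), e in maps.items():
        tag = f"crypto map {name} {seq}"
        if e.get("acl") not in acls:
            out.append(f"{tag}: match address missing or access list undefined")
        out += [f"{tag}: transform set {t} undefined" for t in e["tsets"] if t not in tsets]
        if not e["peers"]:
            out.append(f"{tag}: set peer missing")
        if e["type"] == "ipsec-manual":  # manual SAs carry their own keys per protocol and direction
            protos = {t.split("-")[0] for n in e["tsets"] for t in tsets.get(n, [])}
            out += [f"{tag}: no {d} {p} session key" for d in ("inbound", "outbound")
                    for p in sorted(protos) if (d, p) not in e["keys"]]
    return out
```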