Router Security Configuration Guide, UNCLASSIFIED, Version 1.0g, page 162

5.2. IP Network Security

Prior to establishing an IPSec configuration on the router, certain network and current router configuration checks should be made to eliminate any router connectivity problems. Since IPSec uses IP protocols 50 and 51 and User Datagram Protocol (UDP) port 500 in its communications, any access list restrictions on these protocols or ports should be removed or changed so that the participating routers can transmit and receive the IPSec packets. The example below illustrates the ACL rule syntax for permitting incoming IPSec traffic.

    access-list 100 permit 50 host 7.12.1.20 host 14.2.0.20
    access-list 100 permit 51 host 7.12.1.20 host 14.2.0.20
    access-list 100 permit udp host 7.12.1.20 host 14.2.0.20 eq 500

Also, the routers may be configured using several different modes of operation. For the example in this section, we assume the routers have two modes of operation: basic mode and privileged EXEC mode. In the basic mode of operation, anyone with access to the router can view selected information about the current running configuration. In the privileged EXEC mode, the administrator can update or change the current running configuration. For more information about command modes, see Section 4.1.

The security guidance in this section does not exhaustively cover all IPSec options. Rather, it provides a set of options (e.g. which algorithms to use) and the appropriate Cisco IOS commands to implement them, in an easy-to-follow, step-by-step example to help you set up and test IPSec on your network. In the example that follows, the external interfaces of the North router, 14.2.0.20, and the Remote router, 7.12.1.20, will be used to help demonstrate the concepts (see Figure 4-1).

5.2.1. Building IPSec Tunnels

Building IPSec tunnels between two Cisco routers involves entering three sets of information into each router's running configuration. The sets can be labeled as:

1. Establishing a common IKE Authentication Key
2. Establishing an IKE Security Policy
3. Establishing the IPSec Protection Parameters

Establishing a Common IKE Authentication Key

Prior to establishing an IPSec tunnel between two routers, each router must determine exactly which IP address (peer) it is building the tunnel with. In the IPSec framework this authentication decision is made using the IKE protocol. While IKE has several ways of authenticating the two routers to each other, we will only discuss how it does so using a jointly held secret value (i.e. a pre-shared key). However, for operational security we HIGHLY recommend that IKE authentication decisions be made using IPSec authentication schemes in conjunction with digital certificates.
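The access-list pre-check described at the start of this section, as an added example that is not part of the guide: a small Python evaluator that applies Cisco IOS first-match and implicit-deny semantics to ACL lines in the form shown above and reports which of the flows IPSec needs (ESP, protocol 50; AH, protocol 51; IKE on UDP/500) would still be blocked between the two peers. It is an assumption of this example that only the host/host address form, numeric or esp/ahp/udp/tcp/ip protocol keywords and "eq <port>" need handling; it is not a full IOS ACL parser.

```python
# Added example, not from the Router Security Configuration Guide: a first-match
# evaluator for extended ACL lines in the "host A host B" form used on this page,
# to pre-check that the flows IPSec needs (IP protocol 50 ESP, 51 AH, UDP/500 for
# IKE) are permitted. Assumption: only host addresses, numeric or esp/ahp/udp/tcp/ip
# protocols and "eq <port>" are handled; this is not a full IOS ACL parser.

PROTO_KEYWORDS = {"esp": 50, "ahp": 51, "udp": 17, "tcp": 6, "ip": None}  # None = any

def parse_acl_line(line):
    """Parse 'access-list <n> permit|deny <proto> host <src> host <dst> [eq <port>]'."""
    t = line.split()
    if len(t) < 8 or t[0] != "access-list" or t[2] not in ("permit", "deny") \
            or t[4] != "host" or t[6] != "host":
        raise ValueError(f"unsupported ACL line: {line!r}")
    proto = t[3].lower()
    proto_num = int(proto) if proto.isdigit() else PROTO_KEYWORDS[proto]
    port = int(t[9]) if len(t) >= 10 and t[8] == "eq" else None
    return {"action": t[2], "proto": proto_num, "src": t[5], "dst": t[7], "port": port}

def acl_permits(acl_lines, src, dst, proto, port=None):
    """IOS semantics: the first matching entry decides; no match is an implicit deny."""
    for line in acl_lines:
        if not line.strip() or line.strip().startswith("!"):
            continue  # skip blank lines and comments
        rule = parse_acl_line(line)
        if rule["src"] != src or rule["dst"] != dst:
            continue
        if rule["proto"] is not None and rule["proto"] != proto:
            continue
        if rule["port"] is not None and rule["port"] != port:
            continue
        return rule["action"] == "permit"
    return False  # implicit deny at the end of every IOS ACL

# The flows IPSec needs between the peers: (IP protocol number, destination port or None).
IPSEC_FLOWS = [(50, None), (51, None), (17, 500)]

def ipsec_precheck(acl_lines, remote_peer, local_peer):
    """Return the IPSec flows the ACL would block for traffic from remote_peer to local_peer."""
    return [(proto, port) for proto, port in IPSEC_FLOWS
            if not acl_permits(acl_lines, remote_peer, local_peer, proto, port)]

# The ACL from this section, for the Remote (7.12.1.20) -> North (14.2.0.20) direction.
PAGE_ACL = [
    "access-list 100 permit 50 host 7.12.1.20 host 14.2.0.20",
    "access-list 100 permit 51 host 7.12.1.20 host 14.2.0.20",
    "access-list 100 permit udp host 7.12.1.20 host 14.2.0.20 eq 500",
]
```

Running ipsec_precheck with a pre-existing "deny ip" entry placed ahead of the three permits shows all three flows reported as blocked, which is the shadowing case the pre-check is meant to catch.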