Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
5.2. IP Network Security
Before configuring IPSec on a router, check the network and the router's current
configuration so that ordinary connectivity problems are not mistaken for IPSec
problems. IPSec uses IP protocol 50 (ESP), IP protocol 51 (AH) and UDP port 500
(IKE, also called ISAKMP) in its communications, so any access list on the
participating routers that blocks these protocols or this port must be removed or
amended to let the IPSec packets be transmitted and received. (Peers that sit
behind a NAT device additionally need UDP port 4500 for IKE NAT traversal.) The
example below shows the ACL rule syntax for permitting incoming IPSec traffic from
the Remote router, 7.12.1.20, to the North router, 14.2.0.20:
! ESP (IP protocol 50) from the Remote router to the North router
access-list 100 permit 50 host 7.12.1.20 host 14.2.0.20
! AH (IP protocol 51)
access-list 100 permit 51 host 7.12.1.20 host 14.2.0.20
! IKE/ISAKMP on UDP port 500
access-list 100 permit udp host 7.12.1.20 host 14.2.0.20 eq 500
Cisco IOS routers also have several command modes. For the example in this section
we assume two: user EXEC mode (the basic mode) and privileged EXEC mode. In user
EXEC mode, anyone with access to the router can view selected information about the
current running configuration. In privileged EXEC mode (and the configuration modes
entered from it), the administrator can update or change the running configuration.
For more information about command modes, see Section 4.1.
The security guidance in this section does not exhaustively cover all IPSec options.
Rather, it provides a set of choices (e.g. which algorithms to use) and the Cisco IOS
commands that implement them, in a step-by-step example for setting up and testing
IPSec on your network. In the example that follows, the external interfaces of the
North router, 14.2.0.20, and the Remote router, 7.12.1.20, are used to demonstrate
the concepts (see Figure 4-1).
5.2.1. Building IPSec Tunnels
Building an IPSec tunnel between two Cisco routers involves entering three sets of
information into each router's running configuration. The sets can be labeled as:
1. Establishing a common IKE Authentication Key
2. Establishing an IKE Security Policy
3. Establishing the IPSec Protection Parameters
Establishing a Common IKE Authentication Key
Before an IPSec tunnel can be established between two routers, each router must
verify that the peer at the other IP address really is the router it intends to build
the tunnel with. In the IPSec framework this authentication decision is made by the
IKE protocol. IKE supports several ways of authenticating the two routers to each
other; here we discuss only authentication with a jointly held secret value (a
pre-shared key). For operational security, however, we HIGHLY recommend that IKE
authentication be done with digital certificates (RSA signature authentication)
rather than pre-shared keys. If pre-shared keys are used, each key should be a long
random value, unique to one pair of routers, and bound to the peer's specific address
rather than to a wildcard address.
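As an added example (not from the guide itself), the following is a complete North router configuration covering the ACL pre-check described at the start of this section and the three sets of information listed above: the common IKE key, the IKE policy and the IPSec protection parameters. It keeps the guide's addressing (North external interface 14.2.0.20, Remote external interface 7.12.1.20) but everything else is assumed: the interface names (Serial0/0 outside, FastEthernet0/0 inside), the private subnets 14.2.1.0/24 and 7.12.2.0/24 behind the two routers, the names STRONG-TS and NORTH-TO-REMOTE, the placeholder key value, and an IOS release that supports AES, SHA and Diffie-Hellman group 14 in IKE, which is newer than the releases this guide was written against. Take the real interfaces and subnets from Figure 4-1.

```cisco
! --- Pre-check: let IKE, ESP and AH from the Remote router reach the
! --- external interface. These are the rules shown earlier in this section;
! --- any other traffic the interface must accept goes after them (an access
! --- list ends with an implicit deny).
access-list 100 permit 50 host 7.12.1.20 host 14.2.0.20
access-list 100 permit 51 host 7.12.1.20 host 14.2.0.20
access-list 100 permit udp host 7.12.1.20 host 14.2.0.20 eq 500
!
! --- 1. Common IKE authentication key (pre-shared) ---
! Bind the key to the peer's exact address. Avoid the wildcard form
! "address 0.0.0.0 0.0.0.0", which offers the same secret to any peer.
! Replace the placeholder with a long random string generated offline.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 7.12.1.20
!
! --- 2. IKE security policy (phase 1) ---
! Weak values to avoid here: "encryption des", "hash md5", "group 1".
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
!
! --- 3. IPSec protection parameters (phase 2) ---
! ESP with AES-256 confidentiality and HMAC-SHA-1 integrity, tunnel mode.
crypto ipsec transform-set STRONG-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Traffic selector: only traffic between the two private networks is
! protected (assumed subnets).
access-list 101 permit ip 14.2.1.0 0.0.0.255 7.12.2.0 0.0.0.255
!
crypto map NORTH-TO-REMOTE 10 ipsec-isakmp
 set peer 7.12.1.20
 set transform-set STRONG-TS
 set pfs group14
 match address 101
!
! Apply the inbound filter and the crypto map to the external interface
! (assumed interface name and mask).
interface Serial0/0
 ip address 14.2.0.20 255.255.255.0
 ip access-group 100 in
 crypto map NORTH-TO-REMOTE
!
! --- Test from privileged EXEC mode: generate interesting traffic, then
! --- inspect both phases.
!   ping 7.12.2.1 source 14.2.1.1
!   show crypto isakmp sa     (expect state QM_IDLE for peer 7.12.1.20)
!   show crypto ipsec sa      (expect #pkts encaps and #pkts decaps rising)
```

The Remote router gets the mirror-image configuration: the host addresses in access-list 100 swapped, `crypto isakmp key ... address 14.2.0.20`, `set peer 14.2.0.20`, and access-list 101 written from its own subnet towards 14.2.1.0/24. The pre-shared key is stored in the running configuration, so anyone who can display the configuration in privileged EXEC mode can read it; restrict that access as described in Section 4.1.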