cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5148
Views
0
Helpful
16
Replies

ipsec AH in transport mode ,AH in tunnel mode

sarahr202
Level 5
Level 5

Hi everybody.

I am reading about Ipsec which contains two major protocols among others:  AH and ESP.

For now, I am focused on AH only. I read the theory on AH and two modes AH can operate :  Transport mode and tunnel mode.

(201.201.201.1)h1--------R1(199.199.199.1) s0--------------------------------------------------------s0(199.199.199.2)R2-------H2( 200.200.200.2)

I want to implement the following:

Every time R1 receives ip packet from H1 destined for H2, R1 should use AH in transport mode before it sends the packet out to R2, Similarly, R2 should use AH in transport for packets sent by H2 to H1, before sending them to R1.

I just need an example  as to how we can configure R1 and R2 to accomplish the above task..

Thanks for your help and have a great day.

.

7 Accepted Solutions

Accepted Solutions

nkarthikeyan
Level 7
Level 7

Hi Sara,

Please find the configuration sample for the GRE IPsec VPN using transport mode.

(201.201.201.1)h1--------R1(199.199.199.1) s0---------------------------s0(199.199.199.2)R2-------H2( 200.200.200.2)

You can use the ACL to restrict only to the required ports that needed for the vpn like udp 500, ah, gre and 4500 and you can check. Hope this helps.

Also you can refer the belwo mentioned site for much better understanding about the differences between transport or tunnel mode.

R1:

===

version 12.4   

!    

hostname R1    

!    

ip cef    

!    

!    

crypto isakmp policy 10    

authentication pre-share    

crypto isakmp key CISCO address 199.199.199.2  

!    

crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac    

mode transport    

!    

crypto ipsec profile MyProfile    

set transform-set MyTransSet    

!    

interface Tunnel0    

ip address 10.10.10.1 255.255.255.252  

tunnel source 199.199.199.1    

tunnel destination 199.199.199.2    

tunnel mode ipsec ipv4    

tunnel protection ipsec profile MyProfile    

!    

interface serial0    

ip address 199.199.199.1 255.255.255.0    

duplex auto    

speed auto    

!    

ip route 0.0.0.0 0.0.0.0 199.199.199.2   

!    

line con 0    

line aux 0    

line vty 0 4    

!    

!    

end

======================================================================

R2

=====

version 12.4   

!    

hostname R2    

!    

!    

!    

ip cef    

!    

!    

crypto isakmp policy 10    

authentication pre-share    

crypto isakmp key CISCO address 199.199.199.1   

!    

!    

crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac    

mode transport    

!    

crypto ipsec profile MyProfile    

set transform-set MyTransSet    

!    

interface Tunnel0    

ip address 10.10.10.2 255.255.255.252   

tunnel source 199.199.199.2    

tunnel destination 199.199.199.1    

tunnel mode ipsec ipv4    

tunnel protection ipsec profile MyProfile    

!    

interface serial0    

ip address 199.199.199.2 255.255.255.0    

duplex auto    

speed auto    

!    

ip route 0.0.0.0 0.0.0.0 199.199.199.1   

!    

!    

line con 0    

line aux 0    

line vty 0 4    

!    

!    

end

Please do rate if the given information helps.

By

Karthik

View solution in original post

You can't configure that in Transport-mode. For IPSec (both AH and ESP) you have the following rule:

Transport-mode can only be used if the device that generated the packet also protects it and the device that verifies/decrypts it is the same that also processes the packet.

If you have security-gateways (R1 and R2) then you need two IP-headers. One for the end-to-end communication (with H1 and H2) and one for the gateway-to-gateway-communication (with R1 und R2).  But Transport-mode uses the original IP-header so that can't work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

We want R1 to use AH in transport mode before sending out the above packet of s0. How can we configure AH in transport mode on R1 and R2?

You have to configure that the old way with crypto-maps. The tunnel-interfaces always use ipsec-tunnel-mode regardless what you configure in your transform-set.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

Hi Sara,

I forget to mention the website info in my earlier post!!! Very welll explained scenario about the modes!!!

http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html

Please do rate if the given information helps.

By

Karthik

View solution in original post

Hi Karthik,

> I forget to mention the website info in my earlier post!!! Very welll explained scenario about the modes!!!
> http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html

The explaination of Transport-mode on that website is comlpetely wrong and shouldn't be referenced. Section 4.5 of RFC 2401 shows how the headers are build for tunnel- and transport-mode.


Sent from Cisco Technical Support iPad App

View solution in original post

After being at the right PC now, here is an example for using AH with transport-mode (R1 shown, R2 is similar):

!

crypto isakmp key cisco address 2.2.2.2

!

!

crypto ipsec transform-set AH ah-sha-hmac

  mode transport

!

crypto map VPN local-address Loopback1

crypto map VPN 1 ipsec-isakmp

  set peer 2.2.2.2

  set transform-set AH

  match address VPN-R2

!

!

interface Loopback1

  ip address 1.1.1.1 255.255.255.255

!

!

interface FastEthernet0/0

  ip address 10.10.10.1 255.255.255.252

  crypto map VPN

!

ip route 2.2.2.2 255.255.255.255 10.10.10.2

!

ip access-list extended VPN-R2

permit ip host 1.1.1.1 host 2.2.2.2

And that is what flows over the wire with a ping:

Frame 14: 138 bytes on wire (1104 bits), 138 bytes captured (1104 bits)

Ethernet II, Src: ca:00:36:91:00:08 (ca:00:36:91:00:08), Dst: ca:01:36:91:00:08 (ca:01:36:91:00:08)

Internet Protocol Version 4, Src: 1.1.1.1 (1.1.1.1), Dst: 2.2.2.2 (2.2.2.2)

Authentication Header

    Next Header: ICMP (0x01)

    Length: 24

    AH SPI: 0x87018e79

    AH Sequence: 2

    AH ICV: 389141bfef53445fbd77452c

Internet Control Message Protocol

    Type: 8 (Echo (ping) request)

    Code: 0

    Checksum: 0x63fa [correct]

    Identifier (BE): 0 (0x0000)

    Identifier (LE): 0 (0x0000)

    Sequence number (BE): 2 (0x0002)

    Sequence number (LE): 512 (0x0200)

    [Response In: 15]

    Data (72 bytes)

0000  00 00 00 00 00 02 1a 4c ab cd ab cd ab cd ab cd   .......L........

0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................

0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................

0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................

0040  ab cd ab cd ab cd ab cd                           ........

        Data: 0000000000021a4cabcdabcdabcdabcdabcdabcdabcdabcd...

        [Length: 72]

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

1) The "crypto-isakmp" commands don't specify to use tunnel mode or not. That's done in the "crypto ipsec transform-set". The ISAKMP-commands specify the parameters for the setup of the ISAKMP-tunnel. You can look at this tunnel as a management-connection between the two ipsec-peers. I skipped that because the router (starting with 12.4(20)T has usable defaults. You can see the defaults with "show crypto isakmp policy". The key is still needed to authenticate the connection-setup against Man-in-the-Mittle-attacks. Thats independent of using transport- or tunnel-mode.

2) The crypto-map is incomplete until you configure a "match address" and "set peer" statement. It just has to be there to work.


Sent from Cisco Technical Support iPad App

View solution in original post

16 Replies 16

nkarthikeyan
Level 7
Level 7

Hi Sara,

Please find the configuration sample for the GRE IPsec VPN using transport mode.

(201.201.201.1)h1--------R1(199.199.199.1) s0---------------------------s0(199.199.199.2)R2-------H2( 200.200.200.2)

You can use the ACL to restrict only to the required ports that needed for the vpn like udp 500, ah, gre and 4500 and you can check. Hope this helps.

Also you can refer the belwo mentioned site for much better understanding about the differences between transport or tunnel mode.

R1:

===

version 12.4   

!    

hostname R1    

!    

ip cef    

!    

!    

crypto isakmp policy 10    

authentication pre-share    

crypto isakmp key CISCO address 199.199.199.2  

!    

crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac    

mode transport    

!    

crypto ipsec profile MyProfile    

set transform-set MyTransSet    

!    

interface Tunnel0    

ip address 10.10.10.1 255.255.255.252  

tunnel source 199.199.199.1    

tunnel destination 199.199.199.2    

tunnel mode ipsec ipv4    

tunnel protection ipsec profile MyProfile    

!    

interface serial0    

ip address 199.199.199.1 255.255.255.0    

duplex auto    

speed auto    

!    

ip route 0.0.0.0 0.0.0.0 199.199.199.2   

!    

line con 0    

line aux 0    

line vty 0 4    

!    

!    

end

======================================================================

R2

=====

version 12.4   

!    

hostname R2    

!    

!    

!    

ip cef    

!    

!    

crypto isakmp policy 10    

authentication pre-share    

crypto isakmp key CISCO address 199.199.199.1   

!    

!    

crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac    

mode transport    

!    

crypto ipsec profile MyProfile    

set transform-set MyTransSet    

!    

interface Tunnel0    

ip address 10.10.10.2 255.255.255.252   

tunnel source 199.199.199.2    

tunnel destination 199.199.199.1    

tunnel mode ipsec ipv4    

tunnel protection ipsec profile MyProfile    

!    

interface serial0    

ip address 199.199.199.2 255.255.255.0    

duplex auto    

speed auto    

!    

ip route 0.0.0.0 0.0.0.0 199.199.199.1   

!    

!    

line con 0    

line aux 0    

line vty 0 4    

!    

!    

end

Please do rate if the given information helps.

By

Karthik

Hi Karthik

     

R1:

===

crypto isakmp policy 10

authentication pre-share

crypto isakmp key CISCO address 199.199.199.2

!

crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac

mode transport

!

crypto ipsec profile MyProfile

set transform-set MyTransSet

!

interface Tunnel0

ip address 10.10.10.1 255.255.255.252

tunnel source 199.199.199.1

tunnel destination 199.199.199.2

tunnel mode ipsec ipv4

tunnel protection ipsec profile MyProfile

!

interface serial0

ip address 199.199.199.1 255.255.255.0

duplex auto

speed auto

!

ip route 0.0.0.0 0.0.0.0 199.199.199.2

All the packets destined for 202.202.202.0 will be matched by static default route above which means R1 will use interface so to forward them.  ipsec will not be used because packets are not directed to tunnel configured on R1.

If we want all the packets destined for 202.202.202.0/24 network to use ipsec, we  must modify the static route above as shown below:

ip route 0.0.0.0 0.0.0.0 10.10.10.2 ( which is the next hop address from tunnel 0 on R1)

Am  I correct?

You can't configure that in Transport-mode. For IPSec (both AH and ESP) you have the following rule:

Transport-mode can only be used if the device that generated the packet also protects it and the device that verifies/decrypts it is the same that also processes the packet.

If you have security-gateways (R1 and R2) then you need two IP-headers. One for the end-to-end communication (with H1 and H2) and one for the gateway-to-gateway-communication (with R1 und R2).  But Transport-mode uses the original IP-header so that can't work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks Karsten and Karthik.

You can't configure that in Transport-mode. For IPSec (both AH and ESP) you have the following rule:

Transport-mode  can only be used if the device that generated the packet also protects  it and the device that verifies/decrypts it is the same that also  processes the packet.

I got it.  I am trying to understand how we can configure AH in transport mode on a router.

  R1(199.199.199.1)S0-----------------------------------S0(199.199.199.2)R2

R1 has Loopback1 1.1.1                                                                  R2 has   Loopback 2.2.2.2

R1 sends a ping packet with src ip 1.1.1.1 ,dst ip  2.2.2.2.

We want R1 to use AH in transport mode before sending out the above packet of s0. How can we configure AH in transport mode on R1 and R2?

Thanks and have a great weekend.

We want R1 to use AH in transport mode before sending out the above packet of s0. How can we configure AH in transport mode on R1 and R2?

You have to configure that the old way with crypto-maps. The tunnel-interfaces always use ipsec-tunnel-mode regardless what you configure in your transform-set.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten

crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac

mode transport

Above the mode is transport, if we do not specify the mode , what is the default mode ?

Thanks

> Above the mode is transport, if we do not specify the mode , what is the default mode ?

The default is tunnel-mode. That's what most of the time is needed on a vpn-gateway that protects the data of other systems.


Sent from Cisco Technical Support iPad App

Hi Sara,

I forget to mention the website info in my earlier post!!! Very welll explained scenario about the modes!!!

http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html

Please do rate if the given information helps.

By

Karthik

Hi Karthik,

> I forget to mention the website info in my earlier post!!! Very welll explained scenario about the modes!!!
> http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html

The explaination of Transport-mode on that website is comlpetely wrong and shouldn't be referenced. Section 4.5 of RFC 2401 shows how the headers are build for tunnel- and transport-mode.


Sent from Cisco Technical Support iPad App

Thanks karsten!!! let me check the rfc definition and explaination for the same!!!

HI Karsten,

Could you please explain me on the headers explained in rfc. I do not see any difference in opinion and am not sure if am missing anything.

RFC Says

===========

Case 1. The case of providing end-to-end security between 2 hosts

across the Internet (or an Intranet).

====================================

| |

H1* ------ (Inter/Intranet) ------ H2*

Note that either transport or tunnel mode can be selected by the

hosts. So the headers in a packet between H1 and H2 could looklike any of the following:

Transport Tunnel

----------------- ---------------------

1. [IP1][AH][upper]

4. [IP2][AH][IP1][upper] --> ( Method that explained in firewall forum)

2. [IP1][ESP][upper]

5. [IP2][ESP][IP1][upper]

3. [IP1][AH][ESP][upper]

Firewall forum says

===============

ipsec-modes-transport-tunnel-6

The packet diagram below illustrates

IPSec Transport mode

with

AH header

:

ipsec-modes-transport-tunnel-4

The AH can be applied alone or together with the ESP when IPSec is in transport mode. AH’s job is to protect the entire packet, however, IPSec in transport mode does not create a  new IP header in front of the packet but places a copy of the original  with some minor changes to the protocol ID therefore not providing  essential protection to the details contained in the IP header (Source  IP, destination IP etc). AH is identified in the New IP header with an IP protocol ID of 51.

By

Karthik

Hi Karthik,

The line that you quoted in bold is from the right column in the RFC where the tunnel-mode is shown. Nr. 1) is what we are talking about at the moment:

1. [IP1][AH][upper]

And there the problem is with the diagram and the explaination from your referenced site. In transport mode, the original header is used. The AH is placed between the IP-header and the upper layers. But no copy of the original header is used.

That can be seen in the capture:

Internet Protocol Version 4, Src: 1.1.1.1 (1.1.1.1), Dst: 2.2.2.2 (2.2.2.2)

    Version: 4

    Header length: 20 bytes

    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

    Total Length: 124

    Identification: 0x0001 (1)

    Flags: 0x00

    Fragment offset: 0

    Time to live: 255

    Protocol: AH (51)

    Header checksum: 0xb548 [correct]

    Source: 1.1.1.1 (1.1.1.1)

    Destination: 2.2.2.2 (2.2.2.2)

Authentication Header

    Next Header: ICMP (0x01)

    Length: 24

    AH SPI: 0x87018e79

    AH Sequence: 1

    AH ICV: aaed169f7013d8ae9a3f2a7e

Internet Control Message Protocol

    Type: 8 (Echo (ping) request)

    Code: 0

    Checksum: 0x640f [correct]

    Identifier (BE): 0 (0x0000)

    Identifier (LE): 0 (0x0000)

    Sequence number (BE): 1 (0x0001)

    Sequence number (LE): 256 (0x0100)

    Data (72 bytes)

There is no inner IP-header. Only the original one. ICMP (the upper layer in my capture) follows directly behind the AH. The Protocol number in the original header is changed to 51 (AH) and the next-header field in the AH shows the protocol ICMP which was in the original IP-header.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

After being at the right PC now, here is an example for using AH with transport-mode (R1 shown, R2 is similar):

!

crypto isakmp key cisco address 2.2.2.2

!

!

crypto ipsec transform-set AH ah-sha-hmac

  mode transport

!

crypto map VPN local-address Loopback1

crypto map VPN 1 ipsec-isakmp

  set peer 2.2.2.2

  set transform-set AH

  match address VPN-R2

!

!

interface Loopback1

  ip address 1.1.1.1 255.255.255.255

!

!

interface FastEthernet0/0

  ip address 10.10.10.1 255.255.255.252

  crypto map VPN

!

ip route 2.2.2.2 255.255.255.255 10.10.10.2

!

ip access-list extended VPN-R2

permit ip host 1.1.1.1 host 2.2.2.2

And that is what flows over the wire with a ping:

Frame 14: 138 bytes on wire (1104 bits), 138 bytes captured (1104 bits)

Ethernet II, Src: ca:00:36:91:00:08 (ca:00:36:91:00:08), Dst: ca:01:36:91:00:08 (ca:01:36:91:00:08)

Internet Protocol Version 4, Src: 1.1.1.1 (1.1.1.1), Dst: 2.2.2.2 (2.2.2.2)

Authentication Header

    Next Header: ICMP (0x01)

    Length: 24

    AH SPI: 0x87018e79

    AH Sequence: 2

    AH ICV: 389141bfef53445fbd77452c

Internet Control Message Protocol

    Type: 8 (Echo (ping) request)

    Code: 0

    Checksum: 0x63fa [correct]

    Identifier (BE): 0 (0x0000)

    Identifier (LE): 0 (0x0000)

    Sequence number (BE): 2 (0x0002)

    Sequence number (LE): 512 (0x0200)

    [Response In: 15]

    Data (72 bytes)

0000  00 00 00 00 00 02 1a 4c ab cd ab cd ab cd ab cd   .......L........

0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................

0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................

0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................

0040  ab cd ab cd ab cd ab cd                           ........

        Data: 0000000000021a4cabcdabcdabcdabcdabcdabcdabcdabcd...

        [Length: 72]

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

  Hi Karsten

Please  consider the partial configuration for tunnel mode below:

R1(config)# crypto isakmp policy 1

R1(config-isakmp)# encr 3des

R1(config-isakmp)# hash md5

R1(config-isakmp)# authentication pre-share

R1(config)#crypto isakmp key firewallcx address 1.1.1.2

above we have configuration related to formation of tunnel,( tunnel mode), According to above configuration,  all negotiations will be authenticated using md5, encrypted by 3des, and the other end of tunnel must be configured with key firewallcx in order to form tunnel with R1.

But now when i look at your example for implementing AH in transport mode,  I found:

crypto isakmp key cisco address 2.2.2.2

1)My question is since we don't have a tunnel mode here, so what is the purpose of configuring the key" cisco " above ?

=============================================================================================================

Please consider the partial configurations from your example:

crypto map VPN local-address Loopback1

crypto map VPN 1 ipsec-isakmp

set peer 2.2.2.2

set transform-set AH

match address VPN-R2

2)I understand in tunnel mode the " set peer 2.2.2.2"  will cause router to use 2.2.2.2 as destination ip before packet is forwarded out of tunnel.  But why do we have " set peer 2.2.2.2" in above configuration for AH in transport mode?

I really appreciate your help.

thanks and have a great day.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: