Re: site-to-site vpn secure lan?

boren.cheang · ‎12-05-2013

Hi Expert,

I configure site-to-site vpn on cisco router to secure traffic like following config.

I just want to make sure it secure enough or I need to do more config.

Do I need to apply any acl to outside interface to secure my lan?

Thanks

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 5

!

crypto isakmp key Cisco@2013 address 100.100.100.1

!

crypto ipsec transform-set trans esp-3des esp-md5-hmac

!

crypto map IPSEC_MAP 1 ipsec-isakmp

set peer 100.100.100.1

set transform-set trans

match address LinktoHQ

!

interface GigabitEthernet0/0.1

encapsulation dot1Q 123

ip address 100.100.100.2 255.255.255.0

crypto map IPSEC_MAP

!

interface GigabitEthernet0/1

ip address 192.100.138.1 255.255.255.0

!

ip route 192.100.110.0 255.255.255.0 100.100.100.1

!

ip access-list extended LinktoHQ

permit ip 192.100.138.0 0.0.0.255 192.100.110.0 0.0.0.255

deny ip any any

!

Karsten Iwen · ‎12-05-2013

3DES is legacy encryption and MD5 should't be used any more at all. It's better to migrate to AES (128bit is ok and still better then 3DES) and SHA-1 at a minimum.

The PSK has to be long (up to 128 characters) and very random. If you configure both routers by your own and you don't have to negotiate the key by phone, then generate a very long random key and paste him into the config.

And you should have an ACL on the public interface that only allows needed traffic. For S2S VPN where both Endpoints are not NATted that is IP protocol 50 (ESP) and UDP/500 (ISAKMP).

For the interface-ACL, here is an example: https://supportforums.cisco.com/docs/DOC-38580

More on the selection of cryptographic algorithms (if you want to dig deeper into the stuff):
http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

Sent from Cisco Technical Support iPad App