Cisco SAN-OS VPN Configuration


    7/29/2019 Cisco SAN-OS VPN Configuration

    Scenario 1: Storage-to-Router with preshared secrets

    The following is a typical storage-to-router VPN that uses a pre-shared secret for authentication.

                                                             172.23.9.0/24
                                                                   |
    +------------+      /-^-^-^-^--\      +-----------+            |--
    | MDS System |=====|  Internet  |=====| Gateway B |------------|
    +------------+      \--v-v-v-v-/    BW+-----------+BL          |
     14.15.16.17               22.23.24.25        172.23.9.1       |--

    MDS System is connected to Gateway B through the Internet. MDS System's WAN (Internet) interface has the address 14.15.16.17.

    Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring MDS System.

    The IKE Phase 1 parameters used in Scenario 1 are:

    * Main mode
    * TripleDES
    * SHA-1
    * MODP group 2 (1024 bits)
    * pre-shared secret of "hr5xb84l6aa9r6"
    * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

    The IKE Phase 2 parameters used in Scenario 1 are:

    * TripleDES
    * SHA-1
    * ESP tunnel mode
    * MODP group 2 (1024 bits)
    * Perfect forward secrecy for rekeying
    * SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
    * Selectors for all IP protocols, all ports, between 14.15.16.17/32 and 172.23.9.0/24, using IPv4 subnets

    Gateway B must be configured with the same parameters, or Phase 1 or Phase 2 negotiation will fail. These algorithms are what SAN-OS 2.0(1) offered; 3DES, SHA-1 and 1024-bit MODP group 2 are no longer considered strong, so on platforms that support them prefer AES and a larger Diffie-Hellman group.

    To set up MDS System for this scenario, use the following steps. The example uses Cisco SAN-OS 2.0(1), which supports IPsec on a "2x1GE IPS, 14x1/2Gbps FC Module/Supervisor".

    All configuration changes are volatile, and immediate, until the "copy running-config startup-config" command is executed, when the configuration is saved to flash and will be reloaded after a reboot. At any time, you may examine the running configuration with the command "show running-configuration", or view the saved configuration with the command "show startup-config". Most commands can be abbreviated. Use a ? at the prompt or in a command to see options.

    To configure IPsec for the scenario shown in the figure above, follow these steps.

    Enable IKE and IPsec in MDS System.

        MDS# config term
        MDS(config)# crypto ike enable
        MDS(config)# crypto ipsec enable

    Configure IKE in MDS System. The pre-shared key is bound to the peer's WAN address, and the IKE policy carries the Phase 1 parameters listed above.

        MDS(config)# crypto ike domain ipsec
        MDS(config-ike-ipsec)# key hr5xb84l6aa9r6 address 22.23.24.25
        MDS(config-ike-ipsec)# initiator version 1 address 22.23.24.25
        MDS(config-ike-ipsec)# policy 1
        MDS(config-ike-ipsec-policy)# encryption 3des
        MDS(config-ike-ipsec-policy)# hash sha
        MDS(config-ike-ipsec-policy)# group 2
        MDS(config-ike-ipsec-policy)# lifetime seconds 28800
        MDS(config-ike-ipsec-policy)# end
        MDS#

    Configure the ACL in MDS System. The ACL selects the traffic to be protected. It is entered with wildcard masks (0.0.0.0 for the single host 14.15.16.17, 0.0.0.255 for the /24), although the show commands later display it with subnet masks.

        MDS# conf t
        MDS(config)# ip access-list acl1 permit ip 14.15.16.17 0.0.0.0 172.23.9.0 0.0.0.255

    Configure the transform set in MDS System.

        MDS(config)# crypto transform-set domain ipsec tfs-02 esp-3des esp-sha1-hmac

    Configure the crypto map in MDS System. The crypto map ties the ACL, the peer, the transform set, the Phase 2 lifetime and the PFS group together.

        MDS(config)# crypto map domain ipsec cmap-01 1
        MDS(config-crypto-map-ip)# match address acl1
        MDS(config-crypto-map-ip)# set peer 22.23.24.25
        MDS(config-crypto-map-ip)# set transform-set tfs-02
        MDS(config-crypto-map-ip)# set security-association lifetime seconds 3600
        MDS(config-crypto-map-ip)# set pfs group2
        MDS(config-crypto-map-ip)# end
        MDS#

    Bind the interface to the crypto map set in MDS System. (The 2x1GE IPS, 14x1/2Gbps FC Module is in slot 7 of MDS System and GigE 7/1 is connected to the Internet.)

        MDS# conf t
        MDS(config)# int gigabitethernet 7/1
        MDS(config-if)# ip addr 14.15.16.17 255.255.255.0
        MDS(config-if)# crypto map domain ipsec cmap-01
        MDS(config-if)# no shut
        MDS(config-if)# exit
        MDS(config)#

    Configure the route in MDS System.

        MDS(config)# ip route 172.23.9.0 255.255.255.0 14.15.16.1
        MDS(config)# exit
        MDS#

    Verify the configuration in MDS System.

        MDS# show crypto global domain ipsec security-association lifetime
        Security Association Lifetime: 450 gigabytes/3600 seconds
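    The configuration built in the steps above consists of objects that must reference each other correctly: the crypto map names an ACL, a transform set and a peer, the peer must have an IKE key, and the map must be bound to an interface. The following Python script is an added example for this page, not code from the original document or from Cisco: it parses a constructed copy of the scenario's crypto, ACL and interface commands (indented the way show running-config lists sub-mode commands), resolves those cross references, flags the scenario's legacy algorithms, and derives the per-interface policy database that show crypto spd should display. The command shapes it understands are only the ones used on this page; the configuration text, the LEGACY table and the function names are assumptions of the example.

```python
import ipaddress

# Constructed copy of the scenario commands (prompts dropped, sub-modes indented); not switch output.
SCENARIO_CONFIG = """\
crypto ike domain ipsec
  key hr5xb84l6aa9r6 address 22.23.24.25
  policy 1
    encryption 3des
    hash sha
    group 2
    lifetime seconds 28800
ip access-list acl1 permit ip 14.15.16.17 0.0.0.0 172.23.9.0 0.0.0.255
crypto transform-set domain ipsec tfs-02 esp-3des esp-sha1-hmac
crypto map domain ipsec cmap-01 1
  match address acl1
  set peer 22.23.24.25
  set transform-set tfs-02
  set security-association lifetime seconds 3600
  set pfs group2
interface gigabitethernet 7/1
  ip address 14.15.16.17 255.255.255.0
  crypto map domain ipsec cmap-01
"""
# Scenario algorithms that are weak by current standards; reported as warnings, not errors.
LEGACY = {"3des": "3DES", "esp-3des": "3DES", "sha": "SHA-1",
          "esp-sha1-hmac": "SHA-1", "2": "DH group 2", "group2": "DH group 2"}

def wildcard_to_network(addr, wildcard):
    """ACLs are typed with wildcard masks (0.0.0.0 = one host, 0.0.0.255 = /24) but shown with subnet masks."""
    wc = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - wc.bit_length()
    if wc != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_config(text):
    """Parse the command shapes used on the page into named objects; sub-modes are tracked by indentation."""
    cfg = {k: {} for k in ("ike_keys", "ike_policies", "acls", "transform_sets", "crypto_maps", "interfaces")}
    stack = []  # (indent, sub-mode object)
    for raw in filter(str.strip, text.splitlines()):
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        ctx = stack[-1][1] if stack else None
        w, child = raw.split(), None
        if ctx is None:                                  # global config mode
            if w[:4] == ["crypto", "ike", "domain", "ipsec"]:
                child = {"mode": "ike"}
            elif w[:2] == ["ip", "access-list"]:         # NAME ACTION PROTO SRC WC DST WC
                cfg["acls"].setdefault(w[2], []).append(
                    (w[3], w[4], wildcard_to_network(w[5], w[6]), wildcard_to_network(w[7], w[8])))
            elif w[:2] == ["crypto", "transform-set"]:   # ... NAME TRANSFORM...
                cfg["transform_sets"][w[4]] = w[5:]
            elif w[:2] == ["crypto", "map"]:             # ... NAME SEQ
                child = dict(mode="cmap", acl=None, peer=None, transform_set=None, lifetime=None, pfs=None)
                cfg["crypto_maps"].setdefault(w[4], {})[int(w[5])] = child
            elif w[0] == "interface":                    # interface TYPE SLOT/PORT
                child = {"mode": "iface", "crypto_map": None}
                cfg["interfaces"]["".join(w[1:])] = child
        elif ctx["mode"] == "ike":
            if w[0] == "key":                            # key SECRET address PEER
                cfg["ike_keys"][w[3]] = w[1]
            elif w[0] == "policy":
                child = cfg["ike_policies"].setdefault(int(w[1]), {"mode": "policy"})
        elif ctx["mode"] == "policy":                    # encryption/hash/group VALUE, lifetime seconds N
            ctx[w[0]] = int(w[2]) if w[0] == "lifetime" else w[1]
        elif ctx["mode"] == "cmap":                      # match address ACL / set ... VALUE
            key = {"address": "acl", "peer": "peer", "transform-set": "transform_set",
                   "security-association": "lifetime", "pfs": "pfs"}[w[1]]
            ctx[key] = int(w[-1]) if key == "lifetime" else w[2]
        elif ctx["mode"] == "iface" and w[:2] == ["crypto", "map"]:   # crypto map domain ipsec NAME
            ctx["crypto_map"] = w[4]
        if child is not None:
            stack.append((indent, child))
    return cfg

def check_config(cfg):
    """Resolve the cross references that `show crypto map` confirms; returns (errors, warnings)."""
    errors, algos = [], []
    bound = {i["crypto_map"] for i in cfg["interfaces"].values()}
    for name, entries in cfg["crypto_maps"].items():
        if name not in bound:
            errors.append(f"crypto map {name} is not bound to an interface")
        for seq, e in entries.items():
            for field, table, what in (("acl", "acls", "ACL"), ("transform_set", "transform_sets", "transform set"),
                                       ("peer", "ike_keys", "IKE pre-shared key for peer")):
                if e[field] not in cfg[table]:
                    errors.append(f"crypto map {name} {seq}: no {what} {e[field]}")
            algos += cfg["transform_sets"].get(e["transform_set"], []) + [e["pfs"]]
    algos += [v for pol in cfg["ike_policies"].values() for k, v in pol.items() if k != "mode"]
    warnings = [f"legacy algorithm in use: {a}" for a in sorted({LEGACY[a] for a in algos if a in LEGACY})]
    return errors, warnings

def expected_spd(cfg, iface_name):
    """The policy database `show crypto spd` lists: IKE (UDP 500) exempt both ways, ACL protect rules, deny the rest."""
    entries = cfg["crypto_maps"][cfg["interfaces"][iface_name]["crypto_map"]]
    rules = ["deny udp any port eq 500 any", "deny udp any any port eq 500"]
    for seq in sorted(entries):
        for action, proto, src, dst in cfg["acls"][entries[seq]["acl"]]:
            rules.append(f"{action} {proto} {src.network_address} {src.netmask} {dst.network_address} {dst.netmask}")
    return rules + ["deny ip any any"]
```

    Running check_config(parse_config(SCENARIO_CONFIG)) on the scenario returns no errors and three warnings (3DES, DH group 2, SHA-1), and expected_spd(cfg, "gigabitethernet7/1") reproduces the four entries shown by show crypto spd later in this document. Changing set peer to an address that has no key entry produces the "no IKE pre-shared key" error, a mismatch that on the switch would only show up when IKE fails to negotiate.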


        MDS# show crypto map domain ipsec
        Crypto Map cmap-01 1 ipsec
                Peer = 22.23.24.25
                IP ACL = acl1
                    permit ip 14.15.16.17 255.255.255.255 172.23.9.0 255.255.255.0
                Transform-sets: tfs-02,
                Security Association Lifetime: 450 gigabytes/3600 seconds
                PFS (Y/N): Y
                PFS Group: group2
        Interface using crypto map set cmap-01:
            GigabitEthernet7/1

        MDS# show crypto transform-set domain ipsec
        Transform set: tfs-02 {esp-3des esp-sha1-hmac}
            will negotiate {tunnel}

    The security policy database is built from the crypto map bound to the interface: entries 0 and 1 keep IKE's own UDP 500 traffic out of IPsec processing so that negotiation can take place, entry 2 is the ACL (now displayed with subnet masks), and entry 127 is the final rule for everything the ACL does not match.

        MDS# show crypto spd domain ipsec
        Policy Database for interface: GigabitEthernet7/1, direction: Both
        #   0: deny udp any port eq 500 any
        #   1: deny udp any any port eq 500
        #   2: permit ip 14.15.16.17 255.255.255.255 172.23.9.0 255.255.255.0
        # 127: deny ip any any

    Once traffic has triggered negotiation, the security association database shows the established Phase 2 SAs, one SPI per direction:

        MDS# show crypto sad domain ipsec
        interface: GigabitEthernet7/1
            Crypto map tag: cmap-01, local addr. 14.15.16.17
            protected network:
            local ident (addr/mask): (14.15.16.17/255.255.255.255)
            remote ident (addr/mask): (172.23.9.0/255.255.255.0)
            current_peer: 22.23.24.25
              local crypto endpt.: 14.15.16.17, remote crypto endpt.: 22.23.24.25
              mode: tunnel, crypto algo: esp-3des, auth algo: esp-sha1-hmac
              tunnel id is: 1
              current outbound spi: 0x900b01e (151040030), index: 0
                lifetimes in seconds:: 3600
                lifetimes in bytes:: 4718592000
              current inbound spi: 0x38fe700e (956198926), index: 0
                lifetimes in seconds:: 3600
                lifetimes in bytes:: 4718592000

        MDS# show crypto ike domain ipsec key
        key hr5xb84l6aa9r6 address 22.23.24.25

    Note that this command prints the pre-shared key in cleartext, and the key is also present in the running and startup configuration, so configuration backups and terminal logs of this session must be protected like the key itself.

        MDS# show crypto ike domain ipsec policy
        Priority 1, auth pre-shared, lifetime 28800 secs, encryption 3des, hash sha, DH group 2

        MDS# show crypto ike domain ipsec sa
        Tunn Local Addr          Remote Addr         Encr  Hash  Auth Method     Lifetime
        --------------------------------------------------------------------------------
        1*   14.15.16.17[500]    22.23.24.25[500]    3des  sha   preshared key   28800
        --------------------------------------------------------------------------------
        NOTE: tunnel id ended with * indicates an IKEv1 tunnel