Friday, September 7, 2012

VPN QoS, TED and ISAKMP Authorization


L2L QoS
  • Functions much like IOS (MQC)
  • Under the class-map, you match the tunnel-group as well as other parameters (DSCP, IP precedence, etc.)
  • Create a policy-map
  • Attach to interface with service-policy
QoS Pre-classify
  • This was similar to some of the frame-relay shaping commands from R&S
  • Enable qos pre-classify under the crypto map
  • Configure your class-maps, policy-map just like normal
  • Create a parent policy-map; under class-default, configure the shaper and attach your QoS policy as a nested service-policy. It is the parent policy that gets applied to the interface.
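As a worked illustration of the pre-classify steps above, here is an IOS configuration that gives DSCP EF traffic a priority queue inside a 10 Mbps shaper on an IPsec tunnel. This is an added example, not configuration from the original post; the peer and interface addresses, the ACL, transform-set and policy names, and the bandwidth figures are all constructed placeholders.

```cisco
! Transform set and interesting-traffic ACL (constructed values)
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN_TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Crypto map with qos pre-classify so the router classifies on the
! inner (cleartext) headers before ESP hides them
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN_TRAFFIC
 qos pre-classify
!
! Child policy: the class-map / policy-map pair built as usual
class-map match-all VOICE
 match ip dscp ef
!
policy-map VPN_CHILD
 class VOICE
  priority percent 20
 class class-default
  fair-queue
!
! Parent policy: shape class-default and nest the child policy under it
policy-map VPN_PARENT
 class class-default
  shape average 10000000
  service-policy VPN_CHILD
!
! Only the parent policy goes on the interface, next to the crypto map
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
 service-policy output VPN_PARENT
```

The DSCP value is normally copied into the outer IP header anyway, so pre-classify matters most when the child class-maps match on inner addresses, ports or protocols, which are invisible after encryption. `show policy-map interface GigabitEthernet0/0` is the check that packets are actually landing in the VOICE class rather than falling through to class-default.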
Fragmentation
  • A near-MTU-sized packet can be fragmented before or after encryption with the interface-level 'crypto ipsec fragmentation before-encryption' or 'crypto ipsec fragmentation after-encryption' command
IOS Router ISAKMP pre-shared keys with AAA
  • The router sends the remote peer ID as the login name, along with the hardcoded password 'cisco'. The attributes in the reply are used to extract the pre-shared key for IKE and to deduce various other attributes
  • On authenticating router, set identity and password with 'crypto isakmp peer address 1.1.1.1' command
    • set aggressive-mode password CISCO
    • set aggressive-mode client-endpoint ....
  • On the secure router, enable ISAKMP authorization with
    • crypto map VPN isakmp authorization list AAA_GRP_NAME
  • You also need to set parameters in ACS
    • AV Pair : ipsec:key-exchange=IKE
    • IETF Service : outbound
    • IETF Tunnel-Type : IP ESP
    • IETF Tunnel-Password : pre-shared key
  • Create user in ACS and add to group with the above parameters
  • For some reason, my routers weren't picking up on the ISAKMP authorization list, so I had to create a default. This could be something with GNS3 or a bug.
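To show how the pieces above fit together on both routers, here is an added example (not configuration from the original post) of the AAA-based pre-shared key setup: R1 initiates with aggressive mode and the fixed password, R2 asks ACS over RADIUS for the key. Addresses, the RADIUS secret, the FQDN used as the client endpoint and all names are constructed placeholders; the ACS user for R1's ID carries the ipsec:key-exchange, Service, Tunnel-Type and Tunnel-Password attributes listed above.

```cisco
! ---- R2: the "secure" router that looks the pre-shared key up in ACS ----
aaa new-model
aaa authorization network AAA_GRP_NAME group radius
! The post found a default list was also needed in its GNS3 lab
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS_SECRET_PLACEHOLDER
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN_TRAFFIC
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! The authorization list is tied to the crypto map, not to a peer entry
crypto map VPN isakmp authorization list AAA_GRP_NAME
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map VPN

! ---- R1: the "authenticating" router that presents its ID to R2 ----
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Per-peer aggressive-mode identity and the hardcoded password
crypto isakmp peer address 203.0.113.2
 set aggressive-mode password CISCO
 ! client-endpoint value is a constructed placeholder FQDN
 set aggressive-mode client-endpoint fqdn r1.example.com
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN_TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
```

On R2, `debug aaa authorization` together with `debug crypto isakmp` is the quickest way to see whether the RADIUS request goes out with the peer's ID as the username and whether the Tunnel-Password attribute comes back; if the request never leaves, the authorization list binding on the crypto map is the first thing to re-check.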
Tunnel Endpoint Discovery
  • Create a dynamic map that matches the IP addresses and sets the transform set. Then attach the dynamic map to a crypto map with the 'dynamic' keyword, adding 'discover' at the end to enable TED
    • crypto map VPN 10 ipsec-isakmp dynamic DISCOVER discover
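A fuller TED configuration, as an added example rather than configuration from the original post, showing the dynamic map body the bullet refers to. The ACL, transform-set and map names, addresses and the key string are constructed placeholders.

```cisco
! ISAKMP policy and a wildcard pre-shared key: with TED the peer address
! is not known at configuration time, so the key is bound to 0.0.0.0/0
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PSK_PLACEHOLDER address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Traffic that triggers a TED probe toward the destination
ip access-list extended TED_TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Dynamic map: transform set and interesting traffic only; no 'set peer',
! because the peer is learned from the TED probe response
crypto dynamic-map DISCOVER 10
 set transform-set TS
 match address TED_TRAFFIC
!
! 'dynamic' attaches the dynamic map; the trailing 'discover' enables TED
crypto map VPN 10 ipsec-isakmp dynamic DISCOVER discover
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
```

Because the pre-shared key is a wildcard here, the ISAKMP policy and the ACL are the only things limiting who can bring a tunnel up against this router, so keep both tight. `show crypto session` after sending interesting traffic confirms the discovered peer, and `debug crypto isakmp` shows the probe exchange if the SA never forms.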
Well, that puts the finishing touches on another couple of sections. Down to 200 pages left, which has me pretty excited. I want to make it through this so I can get some more reading done (compare to blueprint) and begin some full labs to see how this is all tied together.
