Encrypting a dedicated serial link

albertoff
Level 1

Hello...

I need to encrypt a dedicated serial link between two Cisco routers (1760 & 2811), both capable of doing VPN, tunneling, etc.

I'm not sure where to start, because I'd like to configure a fast encryption method that doesn't eat the BW and keeps the latencies low.

What would you suggest? Tunneling? VPN with fast algorithms? Any ideas (and links to case studies or configuration guides) are welcome.

Regards,

Alberto F.

6 Replies

Danilo Dy
VIP Alumni

Hi,

What is the reason behind this, security? If it is, tunneling like IP GRE is not recommended, since the serial link is already private; use IPsec VPN with AES-256/SHA-HMAC encryption. AES is faster than DES (3DES).

Regards,

Dandy

There may be specific customer requirements to encrypt even a dedicated link, especially with banking customers.

As Dandy pointed out, you can use IPsec to encrypt traffic between the routers.

Have a look here

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml

HTH

Narayan

Joseph W. Doherty
Hall of Fame

"fast encryption method that doesn't eat the BW and keep the latencies low."

You're usually going to give up some, since it's the nature of the beast. However, one item to watch for: often the encryption imposes a smaller effective MTU. Packet fragmentation can often adversely impact performance. For TCP, if supported, the IOS command ip tcp adjust-mss helps avoid the issue.
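To make the MTU point above concrete, here is an added worked calculation (not code from the thread or from Cisco) of how much ESP adds to a packet and what value of ip tcp adjust-mss keeps TCP segments from being fragmented after encryption. The field sizes are the standard ESP ones for CBC ciphers with a 96-bit HMAC truncation; the 1500-byte link MTU, the NAT-T and GRE overheads, and the transform names are assumptions for the example, so check them against your own interfaces and transform set.

```python
"""IPsec ESP overhead and 'ip tcp adjust-mss' calculator.

Added example, not code from the thread or from Cisco.  Constants are the
standard ESP/IPv4/TCP field sizes; the link MTU and optional GRE / NAT-T
overheads are assumptions to be matched to the real deployment.
"""
import math

IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
NAT_T_UDP = 8        # extra UDP header when NAT traversal encapsulation is on
GRE_OVERHEAD = 24    # GRE header (4) + the extra IP header (20) of GRE over IPsec

# transform name -> (cipher block size, which is also the CBC IV length; ICV length)
TRANSFORMS = {
    "esp-aes esp-sha-hmac": (16, 12),    # AES-CBC (any key size), HMAC-SHA1-96
    "esp-3des esp-sha-hmac": (8, 12),    # 3DES-CBC, HMAC-SHA1-96
    "esp-des esp-md5-hmac": (8, 12),     # DES-CBC, HMAC-MD5-96
}


def esp_packet_size(inner_len, transform="esp-aes esp-sha-hmac",
                    tunnel=True, nat_t=False):
    """Bytes on the wire after ESP-protecting an inner IP packet of inner_len bytes."""
    block, icv = TRANSFORMS[transform]
    # Tunnel mode encrypts the whole inner packet and adds a new outer IP header;
    # transport mode reuses the original IP header and protects only what follows it.
    protected = inner_len if tunnel else inner_len - IP_HDR
    padded = math.ceil((protected + ESP_TRAILER) / block) * block
    size = IP_HDR + ESP_HDR + block + padded + icv  # 'block' bytes of IV
    if nat_t:
        size += NAT_T_UDP
    return size


def max_inner_packet(link_mtu=1500, **kw):
    """Largest inner IP packet that still fits the link MTU after ESP encapsulation."""
    n = link_mtu
    while esp_packet_size(n, **kw) > link_mtu:
        n -= 1
    return n


def adjust_mss(link_mtu=1500, gre=False, **kw):
    """Value for 'ip tcp adjust-mss' so that a full TCP segment never needs
    fragmentation; subtract GRE overhead too if the tunnel is GRE over IPsec."""
    inner = max_inner_packet(link_mtu, **kw)
    if gre:
        inner -= GRE_OVERHEAD
    return inner - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for name in TRANSFORMS:
        print(f"{name:24s} max inner packet {max_inner_packet(transform=name)} "
              f"-> ip tcp adjust-mss {adjust_mss(transform=name)}")
    print(f"AES/SHA with NAT-T        -> ip tcp adjust-mss {adjust_mss(nat_t=True)}")
    print(f"AES/SHA over GRE          -> ip tcp adjust-mss {adjust_mss(gre=True)}")
```

For plain tunnel-mode AES/SHA on a 1500-byte link the result is an inner packet of 1438 bytes and an MSS of 1398; every extra encapsulation (NAT-T, GRE) lowers it further, which is why Cisco guides tend to quote a more conservative figure than the bare arithmetic gives.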

albertoff
Level 1

Thanks for the quick responses guys...

As Narayan said, I've been requested to encrypt the private leased line for security reasons... we just want the data to be secured and encrypted, even from the eyes of the telco.

I'll look into some documents and I'll take your recommendations, particularly the IP TCP adjust-mss issue and the AES-256/SHA-HMAC encryption.

These are the docs I'm looking at:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddf8887/0#selected_message

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml

Any other suggestions are more than welcome.

Regards,

Alberto

Well, I managed to get the VPN up & running pretty fast... I just followed step by step the document (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml) and then I decided to add a little extra security to the router config by encrypting the VPN pre-shared keys (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml).

Now I have a new problem... I've confirmed that all the traffic I want is going through the VPN tunnel... nothing is going unencrypted anymore, and that's exactly what I needed. However, we have Netflow running in the remote router, and the Netflow packets are in fact getting encrypted on the remote side, but then the peer router rejects the packet, saying this over and over:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

(ip) vrf/dest_addr= /10.50.10.10, src_addr= 10.60.10.1, prot= 17

Any light on this one?... I've looked it up in the web but have found pretty much nothing.

Thanks in advance,

Regards,

Alberto

Alberto

This is an indication that the access list that you are using does not match the access list used on the other end of the connection. That access list has a statement that permits the Netflow traffic and your access list does not have a statement that permits it.

Look at both access lists. They should be mirror images of each other. I believe that you will find that there is at least one statement on the other end that is not matched on your end. Fix the access lists so that they are mirror images of each other and I believe that the problem will be solved.

HTH

Rick

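Two recommendations in this thread can be checked mechanically against the running configs: Dandy's point that the transform set should be AES/SHA rather than DES/3DES, and Rick's point that the two crypto ACLs must be mirror images of each other. The script below is an added example, not code from the thread or from Cisco: it parses numbered extended ACL lines and transform-set lines in IOS syntax from two constructed config fragments and reports every entry on one side that has no mirrored entry on the other, printing the line that would fix it. The subnets, the Netflow collector address and the UDP port 9996 are made up for the example; they are not taken from Alberto's routers, and a missing mirror entry is one possible cause of the log message, not a diagnosis.

```python
"""Mirror-image check for IPsec crypto ACLs plus a weak-transform-set check.

Added example, not code from the thread or from Cisco.  The two config
fragments below are constructed; addresses, ACL number and port are assumptions.
"""
import re

WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
PORT_OPS = {"eq", "gt", "lt", "neq"}


def _parse_addr(tok, i):
    """Return ((address, wildcard), next_index) for 'any', 'host X' or 'X WILDCARD'."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def _parse_port(tok, i):
    """Return (port spec or None, next_index); handles eq/gt/lt/neq/range."""
    if i < len(tok) and tok[i] in PORT_OPS:
        return (tok[i], tok[i + 1]), i + 2
    if i < len(tok) and tok[i] == "range":
        return ("range", tok[i + 1], tok[i + 2]), i + 3
    return None, i


def parse_crypto_acl(config, acl_id):
    """Extended ACL entries as (action, proto, src, sport, dst, dport) tuples."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["access-list", str(acl_id)]:
            continue
        if tok[2] not in ("permit", "deny"):
            continue  # skip 'remark' lines
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append((tok[2], tok[3], src, sport, dst, dport))
    return entries


def mirror(entry):
    """The entry the peer router must have: source and destination swapped."""
    action, proto, src, sport, dst, dport = entry
    return (action, proto, dst, dport, src, sport)


def _fmt_addr(a):
    addr, wc = a
    if wc == "255.255.255.255":
        return "any"
    return f"host {addr}" if wc == "0.0.0.0" else f"{addr} {wc}"


def _fmt_port(p):
    return "" if p is None else " " + " ".join(p)


def format_entry(acl_id, e):
    """Render an entry back into IOS 'access-list' syntax."""
    action, proto, src, sport, dst, dport = e
    return (f"access-list {acl_id} {action} {proto} "
            f"{_fmt_addr(src)}{_fmt_port(sport)} {_fmt_addr(dst)}{_fmt_port(dport)}")


def unmirrored(local_cfg, peer_cfg, local_acl, peer_acl):
    """Local crypto ACL entries with no mirror-image entry in the peer's ACL."""
    peer = set(parse_crypto_acl(peer_cfg, peer_acl))
    return [e for e in parse_crypto_acl(local_cfg, local_acl) if mirror(e) not in peer]


def weak_transform_sets(config):
    """Names of transform sets that still use DES, 3DES, null or MD5."""
    found = []
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.*)$", config, re.M):
        if WEAK_TRANSFORMS & set(m.group(2).split()):
            found.append(m.group(1))
    return found


# Constructed fragments: the remote router exports Netflow from its own address
# to a collector behind the HQ router, and only the remote side's ACL covers it.
REMOTE_CFG = """\
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
access-list 110 remark traffic to encrypt towards HQ
access-list 110 permit ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 110 permit udp host 10.60.10.1 host 10.50.10.10 eq 9996
"""
HQ_CFG = """\
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
access-list 110 permit ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255
"""

if __name__ == "__main__":
    for side, cfg in (("remote", REMOTE_CFG), ("HQ", HQ_CFG)):
        print(f"{side}: weak transform sets: {weak_transform_sets(cfg) or 'none'}")
    for e in unmirrored(REMOTE_CFG, HQ_CFG, 110, 110):
        print("remote entry has no mirror on HQ:", format_entry(110, e))
        print("  add on HQ:", format_entry(110, mirror(e)))
    for e in unmirrored(HQ_CFG, REMOTE_CFG, 110, 110):
        print("HQ entry has no mirror on remote:", format_entry(110, e))
```

The check runs in both directions because a stray entry on either router breaks the symmetry; note that the mirrored UDP entry moves the port qualifier from the destination to the source, which is easy to get wrong when writing the peer's ACL by hand.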