Chapter 8 - Implementing Virtual Private Networks

CCNA Security

Major Concepts

• Describe the purpose and operation of VPN types
• Describe the purpose and operation of GRE VPNs
• Describe the components and operations of IPsec VPNs
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using CLI
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM
• Configure and verify a Remote Access VPN

Lesson Objectives

Upon completion of this lesson, the successful participant will be able to:

1. Describe the purpose and operation of VPNs
2. Differentiate between the various types of VPNs
3. Identify the Cisco VPN product line and the security features of these products
4. Configure a site-to-site VPN GRE tunnel
5. Describe the IPSec protocol and its basic functions
6. Differentiate between AH and ESP
7. Describe the IKE protocol and modes
8. Describe the five steps of IPSec operation

9. Describe how to prepare IPSec by ensuring that ACLs are compatible with IPSec
10. Configure IKE policies using the CLI
11. Configure the IPSec transform sets using the CLI
12. Configure the crypto ACLs using the CLI
13. Configure and apply a crypto map using the CLI
14. Describe how to verify and troubleshoot the IPSec configuration
15. Describe how to configure IPSec using SDM
16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in SDM
17. Configure a site-to-site VPN using the step-by-step VPN Wizard in SDM

18. Verify, monitor and troubleshoot VPNs using SDM
19. Describe how an increasing number of organizations are offering telecommuting options to their employees
20. Differentiate between Remote Access IPSec VPN solutions and SSL VPNs
21. Describe how SSL is used to establish a secure VPN connection
22. Describe the Cisco Easy VPN feature
23. Configure a VPN Server using SDM
24. Connect a VPN client using the Cisco VPN Client software

Bach Khoa Information Technology Academy - Website: www.bkacad.com

What is a VPN?

• A VPN is a private network that is created via tunneling over a public network, usually the Internet.

• Instead of using a dedicated physical connection, a VPN uses virtual connections routed through the Internet from the organization to the remote site.

Benefits of VPN

• Cost savings:
  – VPNs eliminate expensive dedicated WAN links and modem banks.
  – Additionally, with the advent of cost-effective, high-bandwidth technologies such as DSL, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.

• Security:
  – VPNs use advanced encryption and authentication protocols that protect data from unauthorized access.

• Scalability:
  – VPNs use the Internet infrastructure, so it is easy to add new users; corporations can add significant capacity without adding significant infrastructure.

• Compatibility with broadband technology:
  – DSL, cable, broadband wireless…

Layer 3 VPN

(Figure: a SOHO with a Cisco DSL router reaches the corporate network over an IPsec VPN across the Internet.)

• VPNs can be made at either Layer 2 or Layer 3 of the OSI model. Establishing connectivity between sites over Layer 2 or over Layer 3 is the same. This chapter focuses on Layer 3 VPN technology.

• Layer 3 VPNs:
  – Generic Routing Encapsulation (GRE): point-to-point site connections
  – Multiprotocol Label Switching (MPLS): any-to-any connectivity to many sites
  – IPsec: point-to-point site connections

Types of VPN Networks

• There are two types of VPN network:

• Site-to-site

• Remote-Access

Site-to-Site VPN

• A site-to-site VPN is created when connection devices on both sides of the VPN connection are aware of the VPN configuration in advance.

• The VPN remains static, and internal hosts have no knowledge that a VPN exists.

• Frame Relay, ATM, GRE, and MPLS VPNs are examples of site-to-site VPNs.

• In a site-to-site VPN, hosts send and receive normal TCP/IP traffic through a VPN gateway, which can be a router, firewall, Cisco VPN Concentrator, or Cisco ASA 5500 Series Adaptive Security Appliance.

• The VPN gateway is responsible for encapsulating and encrypting outbound traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site.

• Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.

Remote-Access VPNs

• A remote-access VPN is created when VPN information is not statically set up, but instead allows for dynamically changing information and can be enabled and disabled.

• Remote-access VPNs can support the needs of telecommuters, mobile users, and extranet consumer-to-business traffic.

• Remote-access VPNs support a client/server architecture where a VPN client (remote host) requires secure access to the enterprise network via a VPN server device at the network edge.

VPN Client Software

(Figure: a remote host running the Cisco VPN Client connects to R1, reachable as R1-vpn-cluster.span.com.)

In a remote-access VPN, each host typically has Cisco VPN Client software.

Cisco IOS SSL VPN

• Provides remote-access connectivity from almost any Internet-enabled host using a web browser and its native Secure Sockets Layer (SSL) encryption.

• Delivers two modes of access:
  – Clientless: A remote client needs only an SSL-enabled web browser to access HTTP- or HTTPS-enabled web servers on the corporate LAN.
  – Thin client: A remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported in a thin client environment.

• SSL VPNs are appropriate for user populations that require per-application or per-server access control, or access from non-enterprise-owned desktops. SSL VPNs are not a complete replacement for IPsec VPNs.

Cisco VPN Product Family

Product choice, with its role for remote-access VPN and for site-to-site VPN:

• Cisco VPN-Enabled Router: remote-access VPN secondary role; site-to-site VPN primary role
• Cisco PIX 500 Series Security Appliances: remote-access VPN secondary role; site-to-site VPN primary role
• Cisco ASA 5500 Series Adaptive Security Appliances: remote-access VPN primary role; site-to-site VPN secondary role
• Cisco VPN 3000 Series Concentrators: remote-access VPN primary role; site-to-site VPN secondary role
• Home Routers (SOHO Routers): remote-access VPN primary role; site-to-site VPN secondary role

VPN Solutions

Cisco provides a suite of VPN-optimized routers. Cisco IOS software for routers combines VPN services with routing services. The Cisco VPN software adds strong security using encryption and authentication.

The Cisco IOS feature sets incorporate many VPN features:

– Voice and Video Enabled VPN (V3PN)
– IPsec stateful failover
– Dynamic Multipoint Virtual Private Network (DMVPN)
– IPsec and MPLS integration
– Cisco Easy VPN

VPN Features

• Voice and Video Enabled VPN (V3PN) - Integrates IP telephony, QoS, and IPsec, providing an end-to-end VPN service that helps ensure the timely delivery of latency-sensitive applications such as voice and video.

• IPsec stateful failover - Provides fast and scalable network resiliency for VPN sessions between remote and central sites. With both stateless and stateful failover solutions available, such as Hot Standby Router Protocol (HSRP), IPsec stateful failover ensures maximum uptime of mission-critical applications.

• Dynamic Multipoint Virtual Private Network (DMVPN) - Enables the auto-provisioning of site-to-site IPsec VPNs, combining three Cisco IOS software features: Next Hop Resolution Protocol (NHRP), multipoint GRE, and IPsec VPN. This combination eases the provisioning challenges for customers and provides secure connectivity between all locations.

• IPsec and MPLS integration
  – Enables ISPs to map IPsec sessions directly into an MPLS VPN.
  – This solution can be deployed on co-located edge routers that are connected to a Cisco IOS software MPLS provider edge (PE) network.

• Cisco Easy VPN
  – Simplifies VPN deployment for remote offices and teleworkers.
  – The Cisco Easy VPN solution centralizes VPN management across all Cisco VPN devices, thus reducing the management complexity of VPN deployments.

Cisco ASA 5500 Series Adaptive Security Appliances

• Cisco ASA 5500 Series Adaptive Security Appliances offer flexible technologies that deliver tailored solutions to suit remote-access and site-to-site connectivity requirements.

• These appliances provide easy-to-manage IPsec and SSL VPN-based remote-access and network-aware, site-to-site VPN connectivity.

• These are some of the features that Cisco ASA 5500 Series Adaptive Security Appliances provide:
  – Flexible platform
  – Resilient clustering
  – Cisco Easy VPN
  – Automatic Cisco VPN Client updates
  – Cisco IOS SSL VPN
  – VPN infrastructure for contemporary applications
  – Integrated web-based management

• Each Cisco ASA 5500 Series Adaptive Security Appliance supports a number of VPN peers:
  – Cisco ASA 5505 - 10 IPsec VPN peers and 25 SSL VPN peers with a Base license, and 25 VPN peers (IPsec or SSL) with the Security Plus license
  – Cisco ASA 5510 - 250 VPN peers
  – Cisco ASA 5520 - 750 VPN peers
  – Cisco ASA 5540 - 5000 IPsec VPN peers and 2500 SSL VPN peers
  – Cisco ASA 5550 - 5000 VPN peers

IPSec Clients

Cisco remote-access VPNs can use four IPsec clients:

• Certicom client: A wireless client that is loaded on to wireless personal digital assistants (PDAs) running the Palm or Microsoft Windows Mobile operating systems.

• Cisco VPN Client software: Loaded on the PC or laptop of an individual, the Cisco VPN Client allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers.

• Cisco Remote Router VPN Client: A Cisco remote router, configured as a VPN client, that connects small office, home office (SOHO) LANs to the VPN.

• Cisco AnyConnect VPN Client: Next-generation VPN client that provides remote users with secure VPN connections to the Cisco 5500 Series Adaptive Security Appliance running Cisco ASA 5500 Series Software Version 8.0 and higher or Cisco ASDM Version 6.0 and higher.

Hardware Acceleration Modules

To enhance performance and offload the encryption task to specialized hardware, the Cisco VPN family of devices offers hardware acceleration modules:

• AIM: Advanced integration modules are installed inside the router chassis and offload encryption tasks from the router CPU.

• Cisco IPsec VPN Shared Port Adapter (SPA): Delivers scalable and cost-effective VPN performance for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers.

• Cisco PIX VPN Accelerator Card+ (VAC+): The PIX Firewall VAC+ delivers hardware acceleration up to 425 Mb/s of DES, 3DES, or AES IPsec encryption throughput.

GRE VPN Overview

Encapsulation

(Figure: the original IP packet, and the same packet encapsulated with GRE.)

Configuring a GRE Tunnel

There are five steps to configuring a GRE tunnel:

• Step 1. Creating a tunnel interface using the interface tunnel 0 command.
• Step 2. Assigning the tunnel an IP address.
• Step 3. Identifying the source tunnel interface using the tunnel source command.
• Step 4. Identifying the destination of the tunnel using the tunnel destination command.
• Step 5. Configuring which protocol GRE will encapsulate using the tunnel mode gre command.

The same five steps applied on R1 and on R2 (create the tunnel interface, assign it an IP address, identify the tunnel source, identify the tunnel destination, configure what protocol GRE will encapsulate):

R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 192.168.5.5
R1(config-if)# tunnel mode gre ip
R1(config-if)#

R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 192.168.3.3
R2(config-if)# tunnel mode gre ip
R2(config-if)#

Using GRE

• GRE can be used to tunnel non-IP traffic over an IP network.
• IPsec only supports unicast traffic. GRE supports all types of traffic.
• Routing protocols are supported in GRE.
• GRE does not provide encryption.
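As an added illustration (not part of the slides) of the encapsulation shown on the "Encapsulation" slide and of the last point above, this Python builds the GRE packet R1's tunnel interface would send to R2 for a datagram between the tunnel addresses in the configuration above, then shows the passenger payload is still readable in the outer packet. The application payload and the choice of UDP as the passenger protocol are constructed.

```python
import struct
import ipaddress

GRE_PROTOCOL = 47            # IP protocol number of GRE in the outer IP header
ETHERTYPE_IPV4 = 0x0800      # GRE "protocol type" for an IPv4 passenger packet
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build an IPv4 packet (no options) with a valid header checksum."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ip_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What the tunnel interface does: prepend a 4-byte GRE header (no optional fields,
    protocol type IPv4) and a new outer IP header from tunnel source to tunnel
    destination carrying IP protocol 47. Nothing is encrypted."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # flags/version = 0
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre_header + inner)


def gre_decapsulate(outer: bytes) -> bytes:
    """Reverse of gre_encapsulate: validate the outer headers, return the passenger."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or ip_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    if outer[9] != GRE_PROTOCOL:
        raise ValueError(f"outer protocol {outer[9]} is not GRE (47)")
    flags_version, protocol_type = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags_version != 0:
        raise ValueError("GRE optional fields (checksum/key/sequence) not handled here")
    if protocol_type != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected passenger protocol type 0x{protocol_type:04x}")
    return outer[ihl + 4:]


def payload_visible_in_transit(outer: bytes, passenger_payload: bytes) -> bool:
    """True when the passenger's application data appears verbatim in the tunnel packet,
    i.e. anyone on the path can read it. GRE on its own never changes this."""
    return passenger_payload in outer


# Constructed sample: a datagram between the tunnel endpoints 10.1.1.1 and 10.1.1.2 of the
# configuration above, carried from R1 (serial 192.168.3.3) to R2 (serial 192.168.5.5).
APP_DATA = b"payroll export 2013-04"                       # constructed application data
INNER = ipv4_packet("10.1.1.1", "10.1.1.2", 17, APP_DATA)   # 17 = UDP; UDP header omitted
OUTER = gre_encapsulate(INNER, "192.168.3.3", "192.168.5.5")

if __name__ == "__main__":
    print("outer protocol:", OUTER[9], "| bytes added by GRE:", len(OUTER) - len(INNER))
    print("payload readable on the wire:", payload_visible_in_transit(OUTER, APP_DATA))
    print("round trip intact:", gre_decapsulate(OUTER) == INNER)
```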

IPSec Topology

(Figure: a main site with a perimeter router in front of the corporate network, reached over the Internet through IPsec by a business partner with a Cisco router, a regional office with a Cisco PIX Firewall, a SOHO with a Cisco ISDN/DSL router, and a mobile worker with the Cisco VPN Client on a laptop computer; a legacy concentrator, an ASA, and a PIX Firewall sit at the POPs.)

• Works at the network layer, protecting and authenticating IP packets.
  – It is a framework of open standards which is algorithm-independent.
  – It provides security: data confidentiality, data integrity, and origin authentication.

Essential security of IPsec

• Confidentiality: IPsec ensures confidentiality by using encryption.

• Integrity: IPsec ensures that data arrives unchanged at the destination using a hash algorithm such as MD5 or SHA.

• Authentication: IPsec uses Internet Key Exchange (IKE) to authenticate users and devices that can carry out communication independently. IKE uses several types of authentication, including username and password, one-time password, biometrics, pre-shared keys (PSKs), and digital certificates.

• Secure key exchange: IPsec uses the DH algorithm to provide a public key exchange method for two peers to establish a shared secret key.

IPSec Framework

Confidentiality

• Confidentiality is achieved through encryption of traffic as it travels down the VPN.

• The degree of security depends on the length of the key of the encryption algorithm.

• The following are some encryption algorithms and key lengths that VPNs use:
  – DES: Uses a 56-bit key. DES is a symmetric key cryptosystem.
  – 3DES: A variant of DES. 3DES uses three independent 56-bit encryption keys per 64-bit block. 3DES is a symmetric key cryptosystem.
  – AES: Provides stronger security than DES and is computationally more efficient than 3DES. AES is a symmetric key cryptosystem.
  – Software-Optimized Encryption Algorithm (SEAL): Uses a 160-bit key. SEAL is a symmetric key cryptosystem.

Integrity

• Hashed Message Authentication Codes (HMAC) is a data integrity algorithm that guarantees the integrity of the message using a hash value.

There are two common HMAC algorithms:

• HMAC-Message Digest 5 (HMAC-MD5): The variable-length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash.

• HMAC-Secure Hash Algorithm 1 (HMAC-SHA-1): The variable-length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash.

HMAC-SHA-1 is considered cryptographically stronger than HMAC-MD5. It is recommended when slightly superior security is important.

Authentication

• The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure.

• There are two primary methods of configuring peer authentication:
  – Pre-shared Keys (PSKs) - A pre-shared secret key value is entered into each peer manually and is used to authenticate the peer.
  – RSA signatures - The exchange of digital certificates authenticates the peers.

Pre-shared Key (PSK)

• At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.

• The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.

RSA Signatures

• At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local device's private encryption key creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I.

• Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.

Secure Key Exchange

• Encryption algorithms (DES, 3DES…) as well as the hashing algorithms (MD5, SHA) require a symmetric, shared secret key to perform encryption and decryption.

• How do the encrypting and decrypting devices get the shared secret key?

• The Diffie-Hellman (DH) key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key that only they know.

• There are four DH groups: 1, 2, 5, and 7.

IPSec Framework Protocols

Authentication Header (AH): all data between R1 and R2 is in plaintext. AH provides the following:
  – Authentication
  – Integrity

Encapsulating Security Payload (ESP): the data payload between R1 and R2 is encrypted. ESP provides the following:
  – Encryption
  – Authentication
  – Integrity

Authentication Header

(Figure: R1 runs IP Header + Data + Key through the hash to produce the Authentication Data (00ABCDEF), builds the packet IP HDR | AH | Data, and sends it across the Internet; R2 runs IP Header + Data + Key through the hash again and compares the recomputed hash (00ABCDEF) with the received hash (00ABCDEF).)

1. The IP header and data payload are hashed.
2. The hash builds a new AH header, which is prepended to the original packet.
3. The new packet is transmitted to the IPsec peer router.
4. The peer router hashes the IP header and data payload, extracts the transmitted hash, and compares the two.
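The four steps above worked as an added Python example (not from the slides): the hash is HMAC-SHA1 truncated to 96 bits as AH uses it, and the IP header fields that routers legitimately change in transit are zeroed before hashing. The sample packet, the key and the NAT address are constructed. It also shows why AH does not survive NAT: a rewritten source address fails the check, while a normal TTL decrement does not.

```python
import hmac
import hashlib
import struct
import ipaddress
from typing import Optional

AH_PROTOCOL = 51      # IP protocol number of AH
ICV_LEN = 12          # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits
AH_FIXED_LEN = 12     # next header, payload length, reserved, SPI, sequence number
AH_PAYLOAD_LEN = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """DSCP/ECN, flags and fragment offset, TTL and header checksum may change hop by hop,
    so they count as zero in the hash. Assumes a 20-byte header without options."""
    h = bytearray(ip_header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def compute_icv(ip_header: bytes, ah_fixed: bytes, payload: bytes, key: bytes) -> bytes:
    """The slide's 'IP Header + Data + Key -> Hash': keyed HMAC-SHA1 over the header with
    mutable fields zeroed, the AH header with its own ICV field zeroed, and the data."""
    covered = zero_mutable_fields(ip_header) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Steps 1 and 2: transport-mode AH inserted between the IP header and the data."""
    ihl = (packet[0] & 0x0F) * 4
    header, payload = bytearray(packet[:ihl]), packet[ihl:]
    next_header = header[9]
    header[9] = AH_PROTOCOL                           # protocol field now says "AH"
    struct.pack_into("!H", header, 2, len(packet) + AH_FIXED_LEN + ICV_LEN)
    header[10:12] = b"\x00\x00"   # checksum is mutable and not covered; recomputation omitted
    ah_fixed = struct.pack("!BBHII", next_header, AH_PAYLOAD_LEN, 0, spi, seq)
    icv = compute_icv(bytes(header), ah_fixed, payload, key)
    return bytes(header) + ah_fixed + icv + payload


def ah_verify(packet: bytes, key: bytes) -> bool:
    """Step 4: recompute the hash over what was received and compare it, in constant
    time, with the hash the sender transmitted."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != AH_PROTOCOL:
        return False
    ah_fixed = packet[ihl:ihl + AH_FIXED_LEN]
    received_icv = packet[ihl + AH_FIXED_LEN:ihl + AH_FIXED_LEN + ICV_LEN]
    payload = packet[ihl + AH_FIXED_LEN + ICV_LEN:]
    expected = compute_icv(packet[:ihl], ah_fixed, payload, key)
    return hmac.compare_digest(received_icv, expected)


def in_transit(packet: bytes, nat_source: Optional[str] = None) -> bytes:
    """Step 3, what the Internet does to the packet: each router decrements TTL; a NAT
    device on the path would additionally rewrite the source address."""
    p = bytearray(packet)
    p[8] -= 1
    if nat_source is not None:
        p[12:16] = ipaddress.IPv4Address(nat_source).packed
    return bytes(p)


# Constructed sample: a datagram from host 10.0.1.3 to host 10.0.2.3 (the hosts on the IKE
# slides) with a constructed key shared by R1 and R2.
AH_KEY = b"constructed-ah-key-shared-by-r1-r2"
ORIGINAL = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 11, 0x1234, 0x4000, 64, 17, 0,
                       bytes([10, 0, 1, 3]), bytes([10, 0, 2, 3])) + b"hello world"
PROTECTED = ah_protect(ORIGINAL, spi=0x1000, seq=1, key=AH_KEY)

if __name__ == "__main__":
    print("as sent:            ", ah_verify(PROTECTED, AH_KEY))
    print("after TTL decrement:", ah_verify(in_transit(PROTECTED), AH_KEY))
    print("after NAT rewrite:  ", ah_verify(in_transit(PROTECTED, "203.0.113.9"), AH_KEY))
    print("wrong key:          ", ah_verify(PROTECTED, b"other-key"))
```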

ESP

Function of ESP

• Provides confidentiality with encryption
• Provides integrity with authentication

(Figure: between the two routers, the packet crossing the Internet is New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth. The original IP HDR, the Data and the ESP Trailer are encrypted; the ESP HDR through the ESP Trailer are authenticated.)

Mode Types

• Transport Mode: Protects the payload and transport layer but leaves the original IP header in plaintext. The original IP header is used to route the packet through the Internet. Works well with GRE.

• Tunnel Mode: Protects the complete original IP packet. The original IP packet is encrypted and then encapsulated in another IP packet. The packet is routed by the outside IP address. Used in the IPsec remote-access application.

Security Associations

• The negotiated parameters between two devices are known as a security association (SA).

• A VPN has SA entries defining the IPsec encryption parameters as well as SA entries defining the key exchange parameters.

• Diffie-Hellman (DH) is used to create the shared secret key.

• IPsec uses the Internet Key Exchange (IKE) protocol to establish the key exchange process.

• IKE is layered on UDP and uses UDP port 500 to exchange IKE information.

IKE Phases

(Figure: Host A 10.0.1.3 behind R1, Host B 10.0.2.3 behind R2. The IKE policy sets shown are Policy 15 and Policy 10, both DES, MD5, pre-share, DH1, lifetime.)

IKE Phase 1 Exchange:
1. Negotiate IKE policy sets
2. DH key exchange
3. Verify the peer identity

IKE Phase 2 Exchange:
Negotiate IPsec policy

IKE Phase 1 – First Exchange

Negotiate IKE proposals: the peers negotiate matching IKE policies to protect the IKE exchange.

(Figure: Host A 10.0.1.3 behind R1, Host B 10.0.2.3 behind R2. IKE policy sets shown: Policy 15 (DES, MD5, pre-share, DH1, lifetime), Policy 10 (DES, MD5, pre-share, DH1, lifetime), and Policy 20 (3DES, SHA, pre-share, DH1, lifetime).)

IKE Phase 1 – Second Exchange

Establish DH key: a DH exchange is performed to establish keying material.

Alice has private value $X_A$ and public value $Y_A = g^{X_A} \bmod p$; Bob has private value $X_B$ and public value $Y_B = g^{X_B} \bmod p$. Alice sends $Y_A$ to Bob and Bob sends $Y_B$ to Alice. Each side then computes the same shared key:

$K = (Y_B)^{X_A} \bmod p = (Y_A)^{X_B} \bmod p$

IKE Phase 1 – Third Exchange

Authenticate peer. (Figure: a remote office and a corporate office with HR servers, connected across the Internet; peer authentication takes place between the two IPsec peers.)

Peer authentication methods:
• PSKs
• RSA signatures
• RSA encrypted nonces

A bidirectional IKE SA is now established.
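The three main-mode exchanges above (negotiate policy sets, DH key exchange, verify the peer identity with the hash_I/hash_R scheme of the Pre-shared Key slide) as one added Python model, not from the slides or from Cisco. The peer addresses are those of the Task 1 slide, Policy 15 is assumed to be R1's and Policies 10 and 20 R2's, and the PSK value, the toy DH prime and the exact hash input are constructed simplifications of IKEv1 rather than its wire format.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}

# Constructed toy DH parameters (a 127-bit Mersenne prime, generator 5). Real IKE uses the
# DH groups listed on the slides (1, 2, 5, 7); the algebra Y = g^X mod p is identical.
P = 2 ** 127 - 1
G = 5


@dataclass(frozen=True)
class IkePolicy:
    priority: int             # crypto isakmp policy <n>: lower number is evaluated first
    encryption: str
    hash_alg: str
    authentication: str
    dh_group: int
    lifetime: int = 86400     # seconds


@dataclass
class Peer:
    name: str
    address: str
    policies: List[IkePolicy]
    keys: Dict[str, bytes]    # crypto isakmp key <key> address <peer>: a PSK per peer address


def negotiate_policy(initiator: List[IkePolicy],
                     responder: List[IkePolicy]) -> Optional[IkePolicy]:
    """Exchange 1: the responder walks its own policies in priority order and accepts the
    first that matches any proposal on encryption, hash, authentication and DH group; the
    shorter of the two lifetimes is used. None means no IKE SA can be built."""
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in sorted(initiator, key=lambda p: p.priority):
            if (mine.encryption, mine.hash_alg, mine.authentication, mine.dh_group) == \
               (theirs.encryption, theirs.hash_alg, theirs.authentication, theirs.dh_group):
                return IkePolicy(mine.priority, mine.encryption, mine.hash_alg,
                                 mine.authentication, mine.dh_group,
                                 min(mine.lifetime, theirs.lifetime))
    return None


def dh_keypair(p: int = P, g: int = G):
    """Exchange 2: private value X and public value Y = g^X mod p."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def auth_hash(policy: IkePolicy, psk: bytes, identity: str, y_own: int, y_peer: int) -> bytes:
    """Exchange 3: hash_I / hash_R as the PSK slide describes (identity information keyed
    with the pre-shared key, using the negotiated hash), here also bound to both DH public
    values so that a valid hash cannot be reused against a different key exchange."""
    msg = identity.encode() + y_own.to_bytes(16, "big") + y_peer.to_bytes(16, "big")
    return hmac.new(psk, msg, HASHES[policy.hash_alg]).digest()


def ike_phase1(initiator: Peer, responder: Peer) -> Optional[dict]:
    """Main mode in miniature. Returns the bidirectional IKE SA, or None on any failure."""
    policy = negotiate_policy(initiator.policies, responder.policies)
    if policy is None:
        return None
    x_i, y_i = dh_keypair()
    x_r, y_r = dh_keypair()
    k_i = pow(y_r, x_i, P)             # initiator computes (Y_R)^X_I mod p
    k_r = pow(y_i, x_r, P)             # responder computes (Y_I)^X_R mod p
    if k_i != k_r:
        return None
    # Each side hashes its own identity with the PSK it holds for the other, and checks the
    # hash it receives with the PSK it holds for the sender; a typo in either PSK fails.
    psk_i, psk_r = initiator.keys[responder.address], responder.keys[initiator.address]
    hash_i = auth_hash(policy, psk_i, initiator.address, y_i, y_r)
    hash_r = auth_hash(policy, psk_r, responder.address, y_r, y_i)
    if not hmac.compare_digest(hash_i, auth_hash(policy, psk_r, initiator.address, y_i, y_r)):
        return None
    if not hmac.compare_digest(hash_r, auth_hash(policy, psk_i, responder.address, y_r, y_i)):
        return None
    return {"policy": policy, "shared_secret": k_i}


# Constructed peers: addresses from the Task 1 slide; the PSK value is constructed.
R1 = Peer("R1", "172.30.1.2", [IkePolicy(15, "des", "md5", "pre-share", 1)],
          {"172.30.2.2": b"constructed-psk"})
R2 = Peer("R2", "172.30.2.2", [IkePolicy(10, "des", "md5", "pre-share", 1, lifetime=3600),
                               IkePolicy(20, "3des", "sha", "pre-share", 1)],
          {"172.30.1.2": b"constructed-psk"})
R2_WRONG_KEY = Peer("R2", "172.30.2.2", R2.policies, {"172.30.1.2": b"mistyped-psk"})

if __name__ == "__main__":
    sa = ike_phase1(R1, R2)
    print("IKE SA:", sa and sa["policy"])
    print("with mismatched PSK:", ike_phase1(R1, R2_WRONG_KEY))
```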

IKE Phase 1 – Aggressive Mode

• The three exchanges of IKE Phase 1 transpire in what is called main mode.

• IKE Phase 1 can also transpire in aggressive mode. Aggressive mode is faster than main mode because there are fewer exchanges.

• Aggressive mode compresses the IKE SA negotiation phases into one exchange with three packets. Main mode requires three exchanges with six packets.

Aggressive mode packets include:
• First packet - The initiator packages everything needed for the SA negotiation in the first message, including its DH public key.
• Second packet - The recipient responds with the acceptable parameters, authentication information, and its DH public key.
• Third packet - The initiator then sends a confirmation that it received that information.

IKE Phase 2

(Figure: Host A 10.0.1.3 behind R1 and Host B 10.0.2.3 behind R2; R1 and R2 negotiate IPsec security parameters.)

IKE Phase 2 performs the following functions:

• Negotiates IPsec security parameters, known as IPsec transform sets
• Establishes IPsec SAs
• Periodically renegotiates IPsec SAs to ensure security
• Optionally performs an additional DH exchange

IPSec VPN Negotiation

(Figure: host 10.0.1.3 behind R1 and host 10.0.2.3 behind R2; IKE Phase 1 produces an IKE SA on each router, IKE Phase 2 produces an IPsec SA on each, and the IPsec tunnel runs between R1 and R2.)

1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session.
3. R1 and R2 negotiate an IKE Phase 2 session.
4. Information is exchanged via IPsec tunnel.
5. The IPsec tunnel is terminated.

Configuring IPsec

Tasks to configure IPsec:

Task 1: Ensure that ACLs are compatible with IPsec.
Task 2: Create ISAKMP (IKE) policy.
Task 3: Configure IPsec transform set.
Task 4: Create a crypto ACL.
Task 5: Create and apply the crypto map.

Task 1: Configure Compatible ACLs

(Figure: Site 1, 10.0.1.0/24 with host 10.0.1.3 behind R1 (S0/0/0 172.30.1.2), and Site 2, 10.0.2.0/24 with host 10.0.2.3 behind R2 (S0/0/0 172.30.2.2), connected across the Internet; AH, ESP and IKE traffic must pass between R1 and R2.)

• Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec.
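Task 1 as an executable check, added here as an example and not taken from the slides or from Cisco IOS: parse the inbound ACL on R1's S0/0/0 and report which of the three flows the slide names would be dropped before IPsec ever sees them. The ACL text is constructed, with the ESP entry deliberately left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOL_NUMBERS = {"ip": None, "esp": 50, "ahp": 51, "udp": 17, "tcp": 6, "icmp": 1, "gre": 47}
PORT_NAMES = {"isakmp": 500, "domain": 53, "www": 80}

# The three flows the slide says must reach the IPsec-enabled interface from the peer.
IPSEC_FLOWS: List[Tuple[str, int, Optional[int]]] = [
    ("ESP (IP protocol 50)", 50, None),
    ("AH (IP protocol 51)", 51, None),
    ("ISAKMP (UDP port 500)", 17, 500),
]


@dataclass
class Ace:
    action: str
    protocol: Optional[int]          # None stands for "ip": matches every protocol
    src: Tuple[int, int]             # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dst_port: Optional[int] = None


def _parse_address(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """any | host A.B.C.D | A.B.C.D W.X.Y.Z  (wildcard bits set to 1 are ignored)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one numbered extended ACL entry, e.g.
    'access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, protocol = tokens[0], PROTOCOL_NUMBERS[tokens[1]]
    src, i = _parse_address(tokens, 2)
    if i < len(tokens) and tokens[i] == "eq":    # source-port qualifier: not evaluated here
        i += 2
    dst, i = _parse_address(tokens, i)
    dst_port = None
    if i < len(tokens) and tokens[i] == "eq":
        dst_port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return Ace(action, protocol, src, dst, dst_port)


def _matches(addr: int, entry: Tuple[int, int]) -> bool:
    network, wildcard = entry
    return (addr & ~wildcard & 0xFFFFFFFF) == (network & ~wildcard & 0xFFFFFFFF)


def permits(acl: List[Ace], proto: int, src: str, dst: str, dst_port: Optional[int] = None) -> bool:
    """IOS semantics: the first matching entry decides, and an implicit deny ends every ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acl:
        if ace.protocol is not None and ace.protocol != proto:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        if _matches(s, ace.src) and _matches(d, ace.dst):
            return ace.action == "permit"
    return False


def ipsec_blocked_flows(acl: List[Ace], peer: str, local: str) -> List[str]:
    """Task 1 check: which of ESP, AH and ISAKMP arriving from the peer would this inbound ACL drop?"""
    return [name for name, proto, port in IPSEC_FLOWS if not permits(acl, proto, peer, local, port)]


# Constructed inbound ACL for R1's S0/0/0 (172.30.1.2) facing R2 (172.30.2.2) on the slide;
# the ESP entry is deliberately missing so the check has something to report.
INBOUND_ACL = [parse_ace(line) for line in """
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 102 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 eq www
access-list 102 deny ip any any
""".strip().splitlines()]

if __name__ == "__main__":
    print("blocked:", ipsec_blocked_flows(INBOUND_ACL, peer="172.30.2.2", local="172.30.1.2"))
```

Appending the missing ESP line after the final deny does not help, because the deny matches first; the test below checks both orderings.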

Page 56: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Permitting Traffic

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com

Page 57: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Task 2: Configure IKE

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com

Page 58: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

ISAKMP Parameters

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com

Page 59: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Multiple Policies

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com

Page 60: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Policy Negotiations

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com

Page 61: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Crypto ISAKMP Key

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com

Page 62: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Sample Configuration

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com

Page 63: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Task 3: Configure the Transform Set


Page 64: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Task 3: Configure the Transform Set


Page 65: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Transform Sets


Page 66: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Sample Configuration


Page 67: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Task 4: Configure the Crypto ACLs


Page 68: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Command Syntax


Page 69: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Symmetric Crypto ACLs


Page 70: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Task 5: Apply the Crypto Map


Page 71: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

crypto map Parameters

router(config)#

crypto map map-name seq-num ipsec-manual

crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]

Crypto Map Command Parameters and Descriptions:

map-name: Defines the name assigned to the crypto map set or indicates the name of the crypto map to edit.

seq-num: The number assigned to the crypto map entry.

ipsec-manual: Indicates that ISAKMP will not be used to establish the IPsec SAs.

ipsec-isakmp: Indicates that ISAKMP will be used to establish the IPsec SAs.

cisco: (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic.

dynamic: (Optional) Specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available.

dynamic-map-name: (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.


Page 72: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Crypto Map Configuration-Mode Commands

Command and Description:

set: Used with the peer, pfs, transform-set, and security-association commands.

peer [hostname | ip-address]: Specifies the allowed IPsec peer by IP address or hostname.

pfs [group1 | group2]: Specifies DH Group 1 or Group 2.

transform-set [set_name(s)]: Specifies the list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified.

security-association lifetime: Sets SA lifetime parameters in seconds or kilobytes.

match address [access-list-id | name]: Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP extended ACL being matched.

no: Used to delete commands entered with the set command.

exit: Exits crypto map configuration mode.


Page 73: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Sample Configuration


Page 74: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Assign the Crypto Map Set
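The five tasks above, carried through on the CLI for R1 in the Task 1 figure, as an added example; it is not one of the deck's Sample Configuration slides. The addresses and subnets are those of the figure; the names VPN-SET, VPN-TRAFFIC and VPN-MAP, ACL number 101, ISAKMP policy number 110, the serial interface mask and the placeholder key value are assumptions.

```cisco
! Added example (not from the slides). R1 side of the site-to-site IPsec VPN.
! Assumed: ACL 101, policy 110, names VPN-SET / VPN-TRAFFIC / VPN-MAP,
! the /24 mask on Serial0/0/0 and the placeholder pre-shared key.
!
! Task 1: the inbound ACL on the outside interface must let ISAKMP (UDP 500),
! ESP (protocol 50) and AH (protocol 51) from the peer through; if it does
! not, IKE Phase 1 never completes and the tunnel never comes up.
access-list 101 remark --- IPsec control and data traffic from peer R2 ---
access-list 101 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 101 permit esp host 172.30.2.2 host 172.30.1.2
access-list 101 permit ahp host 172.30.2.2 host 172.30.1.2
! (permits for the site's other inbound traffic follow; the ACL ends in an
!  implicit deny, so anything not listed is dropped)
!
! Task 2: ISAKMP (IKE Phase 1) policy and the pre-shared key for this peer.
crypto isakmp policy 110
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE-WITH-STRONG-PSK address 172.30.2.2
!
! Task 3: transform set for the IPsec SAs: ESP with AES-256 for
! confidentiality and SHA-HMAC for integrity, in tunnel mode.
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Task 4: crypto ACL. Here "permit" means "protect": only traffic between the
! two LANs enters the tunnel; everything else leaves the router in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
! Task 5: the crypto map ties peer, transform set, PFS and crypto ACL
! together and is then applied to the outside interface.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set VPN-SET
 set pfs group2
 match address VPN-TRAFFIC
!
interface Serial0/0/0
 ip address 172.30.1.2 255.255.255.0
 ip access-group 101 in
 crypto map VPN-MAP
!
! R2 is the mirror image. The crypto ACL in particular must be symmetric
! (source and destination swapped), or IKE Phase 2 fails proposal matching:
!   access-list 101 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
!   access-list 101 permit esp host 172.30.1.2 host 172.30.2.2
!   access-list 101 permit ahp host 172.30.1.2 host 172.30.2.2
!   crypto isakmp key REPLACE-WITH-STRONG-PSK address 172.30.1.2
!   ip access-list extended VPN-TRAFFIC
!    permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
!   crypto map VPN-MAP 10 ipsec-isakmp
!    set peer 172.30.1.2
!    set transform-set VPN-SET
!    set pfs group2
!    match address VPN-TRAFFIC
```

After both routers are configured, ping from 10.0.1.3 to 10.0.2.3 to trigger negotiation, then confirm with the CLI commands on the next slides: show crypto isakmp policy and show crypto ipsec transform-set for the configured policy and transform set, show crypto map for the map binding, and show crypto ipsec sa for the established SAs (packet counters there should climb with the pings). DH group 2 and SHA-1 appear here because they are the options the deck lists; newer IOS releases offer larger DH groups and SHA-2 hashes, which are preferable where both peers support them.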


Page 75: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

CLI Commands

Show Command and Description:

show crypto map: Displays configured crypto maps

show crypto isakmp policy: Displays configured IKE policies

show crypto ipsec sa: Displays established IPsec tunnels

show crypto ipsec transform-set: Displays configured IPsec transform sets

debug crypto isakmp: Debugs IKE events

debug crypto ipsec: Debugs IPsec events


Page 76: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

show crypto map


Page 77: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

show crypto isakmp policy


Page 78: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

show crypto ipsec transform-set


Page 79: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

show crypto ipsec sa


Page 80: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

debug crypto isakmp


Page 81: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Use SDM - Starting a VPN Wizard

1. Click Configure in the main toolbar.

2. Click the VPN button to open the VPN page.

3. Choose a wizard. Wizards for IPsec solutions include the types of VPNs and the individual IPsec components.

4. Click the VPN implementation subtype. Subtypes vary based on the VPN wizard chosen.

5. Click the Launch the Selected Task button.


Page 82: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

VPN Components

• VPN Wizards

• VPN Components: individual IPsec components used to build VPNs

• SSL VPN parameters

• Easy VPN server parameters

• Public key certificate parameters

• Encrypt VPN passwords


Page 83: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Configuring a Site-to-Site VPN

Choose Configure > VPN > Site-to-Site VPN

Click the Launch the Selected Task button

Click the Create a Site-to-Site VPN


Page 84: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Site-to-Site VPN Wizard

Choose the wizard mode

Click Next to proceed to the configuration of parameters.


Page 85: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Quick Setup

Configure the parameters

• Interface to use

• Peer identity information

• Authentication method

• Traffic to encrypt


Page 86: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Verify Parameters


Page 87: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Step-by-Step Wizard

1. Choose the outside interface that is used to connect to the IPSec peer.

2. Specify the IP address of the peer.

3. Choose the authentication method and specify the credentials.

4. Click Next.


Page 88: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Creating a Custom IKE Proposal

1. Click Add to define a proposal.

2. Make the selections to configure the IKE Policy and click OK.

3. Click Next.


Page 89: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Creating a Custom IPSec Transform Set

1. Click Add.

2. Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation and optional compression.

3. Click Next.


Page 90: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Protecting Traffic Subnet to Subnet

1. Click Protect All Traffic Between the Following Subnets.

2. Define the IP address and subnet mask of the local network.

3. Define the IP address and subnet mask of the remote network.


Page 91: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Protecting Traffic Custom ACL

1. Click the Create/Select an Access-List for IPSec Traffic radio button.

2. Click the ellipsis button to choose an existing ACL or create a new one.

3. To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option.


Page 92: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Add a Rule

1. Click Add.

2. Give the access rule a name and description.


Page 93: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Configuring a New Rule Entry

1. Choose an action and enter a description of the rule entry.

2. Define the source hosts or networks in the Source Host/Network pane and the destination hosts or networks in the Destination Host/Network pane.

3. (Optional) To provide protection for specific protocols, choose the specific protocol radio button and the desired port numbers.


Page 94: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Configuration Summary

• Click Back to modify the configuration.

• Click Finish to complete the configuration.


Page 95: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Verify VPN Configuration

Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN

Check VPN status.

Create a mirroring configuration if no Cisco SDM is available on the peer.

Test the VPN configuration.


Page 96: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Monitor

Choose Monitor > VPN Status > IPSec Tunnels. This lists all IPsec tunnels, their parameters, and their status.


Page 97: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Implementing Remote-Access VPNs


Page 98: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Telecommuting

• Flexibility in working location and working hours

• Employers save on real-estate, utility and other overhead costs

• Succeeds if the program is voluntary, subject to management discretion, and operationally feasible


Page 99: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Telecommuting Benefits

• Organizational benefits:
– Continuity of operations
– Increased responsiveness
– Secure, reliable, and manageable access to information
– Cost-effective integration of data, voice, video, and applications
– Increased employee productivity, satisfaction, and retention

• Social benefits:
– Increased employment opportunities for marginalized groups
– Less travel and commuter-related stress

• Environmental benefits:
– Reduced carbon footprints, both for individual workers and organizations


Page 100: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Implementing Remote Access


Page 101: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Methods for Deploying Remote Access

Figure: the two methods, IPsec Remote Access VPN and SSL-Based VPN, placed against the labels Any Application and Anywhere Access.


Page 102: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Comparison of SSL and IPSec

Feature: SSL / IPsec

Applications: Web-enabled applications, file sharing, e-mail / All IP-based applications

Encryption: Moderate, key lengths from 40 bits to 128 bits / Stronger, key lengths from 56 bits to 256 bits

Authentication: Moderate, one-way or two-way authentication / Strong, two-way authentication using shared secrets or digital certificates

Ease of Use: Very high / Moderate, can be challenging to nontechnical users

Overall Security: Moderate, any device can connect / Strong, only specific devices with specific configurations can connect


Page 103: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

SSL VPNs

• Integrated security and routing

• Browser-based full network SSL VPN access

Figure: an SSL VPN tunnel from a workplace across the Internet to headquarters resources.


Page 104: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Types of Access


Page 105: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Full Tunnel Client Access Mode


Page 106: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Establishing an SSL Session

Figure: a user with an SSL client connecting to an SSL VPN enabled ISR router.

1. User makes a connection to TCP port 443.

2. Router replies with a digitally signed public key.

3. User software creates a shared-secret key.

4. Shared-secret key, encrypted with the public key of the server, is sent to the router.

5. Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm.


Page 107: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

SSL VPN Design Considerations

• User connectivity

• Router feature

• Infrastructure planning

• Implementation scope


Page 108: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Cisco Easy VPN

• Negotiates tunnel parameters

• Establishes tunnels according to set parameters

• Automatically creates a NAT/PAT and associated ACLs

• Authenticates users by usernames, group names, and passwords

• Manages security keys for encryption and decryption

• Authenticates, encrypts, and decrypts data through the tunnel


Page 109: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Cisco Easy VPN


Page 110: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Securing the VPN

1. Initiate IKE Phase 1

2. Establish ISAKMP SA

3. Accept Proposal

4. Username/Password Challenge, answered with Username/Password

5. System Parameters Pushed

6. Reverse Route Injection (RRI) adds a static route entry on the router for the remote client's IP address

7. Initiate IKE Phase 2: IPsec SA


Page 111: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Configuring Cisco Easy VPN Server



Page 112: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Configuring IKE Proposals

1. Click Add.

2. Specify the required parameters.

3. Click OK.


Page 113: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Creating an IPSec Transform Set



Page 114: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Group Authorization and Group Policy Lookup

1. Select the location where Easy VPN group policies can be stored.

2. Click Next.

3. Click Add.

4. Configure the local group policies.

5. Click Next.


Page 115: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Summary of Configuration Parameters


Page 116: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

VPN Client Overview

Figure: the VPN client's connection entry R1 (host R1-vpn-cluster.span.com).

• Establishes end-to-end, encrypted VPN tunnels for secure connectivity

• Compatible with all Cisco VPN products

• Supports the innovative Cisco Easy VPN capabilities


Page 117: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Establishing a Connection

Figure: the client connects to the “R1” entry (R1-vpn-cluster.span.com). Once authenticated, the status changes to connected.


Page 118: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Summary

• A VPN is a private network that is created via tunneling over a public network, usually the Internet.

• There are site-to-site VPNs and remote access VPNs.

• VPNs require the use of modern encryption techniques to ensure secure transport of information.


Page 119: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Summary


Page 120: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

• IPsec is a framework of open standards that establishes the rules for secure communications.

• IPsec relies on existing algorithms to achieve encryption, authentication, and key exchange.

• IPsec can encapsulate a packet using either Authentication Header (AH) or the more secure Encapsulating Security Payload (ESP).

• IPsec uses the Internet Key Exchange (IKE) protocol to establish the key exchange process.


Page 121: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Summary


Page 122: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

Summary


Page 123: 7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
