Implementing VPN Solutions

Laurel Boyer, CCIE 4918
Presented, June 2003

Agenda

- Cost Analysis: Frame vs. VPN
- VPN Drawbacks
- VPN Equipment Alternatives
- Using GRE for Dynamic Routing
- Implementation Examples
- Troubleshooting
- Questions/Discussion

Cost Analysis: Frame vs. VPN

Premise – This discussion assumes that there is a requirement to remotely connect two or more offices/locations. This discussion focuses on a Hub/Spoke architecture.

Frame Relay to DSL cost examples:

Port Speed   Frame CIR   Frame Cost   DSL Speed   DSL Cost
128k         64k         $700         192k        $155
256k         128k        $875         384k        $195
512k         256k        $1,180
768k         384k        $1,520                   $289
1544k        768k        $1,650                   $389

VPN Drawbacks

- VPN connections traverse the Internet, resulting in vulnerabilities due to latency and interruptions that the network administrator cannot influence.
- DSL is normally a better choice than Cable Modem, as it does not share the broadcast media.
- DSL may not be available in all areas, or may not be available at the required speeds.
- All DSL/ISP providers are not created equal.
  – Ensure that the provider will give you public IP addresses to manage.
  – Ask the provider where the POP is that connects to your office.
  – Request ping times from the POP to your Hub/Destination location.
  – Request peering information between the provider and your destination.
  – Scrutinize the customer service policy.

VPN Equipment Alternatives

- PIX to PIX
- PIX to VPN Concentrator
- PIX to Router w/ IOS Firewall/IPSEC
- VPN Concentrator to Router w/ IOS Firewall/IPSEC
- VPN Concentrator to VPN Concentrator
- Router w/ IOS Firewall/IPSEC to Router w/ IOS Firewall/IPSEC

VPN & GRE Example

[Diagram: VPN tunnel between the public endpoints 4.1.1.1 and 5.1.1.1, joining the private networks 10.1.1.0 and 10.1.2.0]

Generic Steps for setting up VPN

1. Load Basic FW or Router Config
2. Set up IPSEC Tunnel
3. Set up static routes on Routers
4. Set up GRE Tunnel

Configure IPSEC Tunnel: ISAKMP

1. Define Encryption Algorithm: normally DES or 3DES
2. Define a Hashing Algorithm: MD5 or SHA
3. Define Authentication: RSA/CA or Pre-shared Key
4. Define SA (Security Association) Lifetime. Default is 86400 (1 day)

Configure IPSEC Tunnel: ISAKMP

Example:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key vpn2vpn address 5.1.1.2

Configure IPSEC Tunnel: IPSEC

1. Create extended ACL (Access List)
2. Create IPSEC transform(s)
3. Create Crypto Map
4. Apply Crypto Map to Interface

VPN Router Configuration

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key vpn2vpn address 5.1.1.2
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
!
crypto map vpntunnel 10 ipsec-isakmp
 set peer 5.1.1.2
 set transform-set ESP-DES-MD5
 match address vpn-tunnel
!
interface Ethernet0
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
!

VPN Router Configuration, Cont.

interface Ethernet1
 ip address 5.1.1.1 255.255.255.0
 ip nat outside
 crypto map vpntunnel
!
ip nat inside source route-map Internet interface Ethernet1 overload
!
ip access-list extended Nat
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip any any
ip access-list extended vpn-tunnel
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
route-map Internet permit 10
 match ip address Nat

VPN PIX Configuration

nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list vpn-tunnel permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
interface ethernet0 10baset
interface ethernet1 10full
ip address outside 5.1.1.2 255.255.255.0
ip address inside 10.1.2.254 255.255.255.0
nat (inside) 0 access-list vpn-tunnel
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 5.1.1.1 1

VPN PIX Configuration, Cont.

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map vpntunnel 1 ipsec-isakmp
crypto map vpntunnel 1 match address vpn-tunnel
crypto map vpntunnel 1 set peer 5.1.1.1
crypto map vpntunnel 1 set transform-set ESP-DES-MD5
crypto map vpntunnel interface outside
isakmp enable outside
isakmp key vpn2vpn address 5.1.1.1 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

VPN & GRE

GRE: Generic Routing Encapsulation. Used to encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to remote points over an IP network.

In this instance, we use an IPSEC tunnel to create a secure/encrypted path between two public points. GRE is used to create a virtual Intranet path between two private points.

Because GRE facilitates broadcast and multicast traffic, we can run EIGRP or other dynamic protocols, reducing the need for static routing in larger VPN topologies.

GRE Example

interface Loopback10
 description Loopback for GRE tunnel
 ip address 10.0.1.10 255.255.255.255
!
interface Tunnel10
 description GRE tunnel to GRE-RTR
 ip address 10.0.0.1 255.255.255.252
 tunnel source Loopback10
 tunnel destination 10.0.0.10
!
ip access-list extended vpn-tunnel
 permit ip host 10.0.1.10 host 10.0.0.10
!
ip route 10.0.0.10 255.255.255.255 5.1.1.2

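The framing behind the two GRE slides, as an added example that is not part of the presentation: a routing-protocol packet sourced from the tunnel interface is wrapped in a GRE header and an outer IP header addressed between the tunnel endpoints 10.0.1.10 and 10.0.0.10, which is why the crypto ACL on the GRE Example slide only needs `permit ip host 10.0.1.10 host 10.0.0.10` and never has to list the private LANs or the EIGRP multicast group. The EIGRP payload bytes are a constructed stand-in, not a real EIGRP header, and the function names are this example's own.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number in the outer header for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" field for an IPv4 payload
EIGRP_PROTO = 88          # EIGRP rides directly on IP; hellos go to 224.0.0.10


def _checksum(data):
    """RFC 1071 one's-complement sum, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 packet: 20-byte header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, payload); honours the IHL field but ignores options."""
    ihl = (packet[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:]


def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """What the Tunnel interface does: prepend a 4-byte GRE header (no C/K/S flags)
    and an outer IPv4 header between the tunnel source and tunnel destination."""
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTO,
                       struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner)


def gre_decapsulate(outer):
    """Reverse of gre_encapsulate: returns (tunnel_src, tunnel_dst, inner_packet)."""
    src, dst, proto, payload = parse_ipv4(outer)
    if proto != GRE_PROTO or struct.unpack("!H", payload[2:4])[0] != ETHERTYPE_IPV4:
        raise ValueError("not a GRE packet carrying IPv4")
    return src, dst, payload[4:]


def crypto_acl_matches(packet, acl):
    """True if the packet's src/dst fall inside any (src_net, dst_net) permit entry."""
    src, dst, _, _ = parse_ipv4(packet)
    return any(ipaddress.IPv4Address(src) in s and ipaddress.IPv4Address(dst) in d
               for s, d in acl)


# Crypto ACL from the GRE Example slide: permit ip host 10.0.1.10 host 10.0.0.10
GRE_CRYPTO_ACL = [(ipaddress.IPv4Network("10.0.1.10/32"), ipaddress.IPv4Network("10.0.0.10/32"))]


def demo():
    # Constructed EIGRP hello sourced from Tunnel10 (10.0.0.1) to the EIGRP multicast
    # group; the payload is a placeholder, not a real EIGRP header.
    hello = ipv4_packet("10.0.0.1", "224.0.0.10", EIGRP_PROTO, b"constructed-eigrp-hello")
    outer = gre_encapsulate(hello, "10.0.1.10", "10.0.0.10")
    return {
        "inner_matches_crypto_acl": crypto_acl_matches(hello, GRE_CRYPTO_ACL),  # False
        "outer_matches_crypto_acl": crypto_acl_matches(outer, GRE_CRYPTO_ACL),  # True
        "outer_proto": parse_ipv4(outer)[2],                                     # 47
        "roundtrip_ok": gre_decapsulate(outer)[2] == hello,
        "outer_header_checksum_ok": _checksum(outer[:20]) == 0,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The multicast hello would never match a unicast crypto ACL on its own, so without GRE it could not be carried across the IPsec tunnel at all; once encapsulated, IPsec only sees protocol 47 traffic between the two loopback addresses, which is exactly what the static route `ip route 10.0.0.10 255.255.255.255 5.1.1.2` sends out the public interface.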
Intro to the VPN Concentrator

                           Cisco VPN   Cisco VPN        Cisco VPN    Cisco VPN    Cisco VPN
                           3005        3015             3030         3060         3080
Simultaneous Users         100         100              1,500        5,000        10,000
Maximum LAN-to-LAN
  Sessions                 100         100              500          1,000        1,000
Encryption Throughput      4 Mbps      4 Mbps           50 Mbps      100 Mbps     100 Mbps
Encryption Method          Software    Software         Hardware     Hardware     Hardware
Available Expansion Slots  0           4                3            2            2
Encryption (SEP) Module    0           0                1            2            4
Redundant SEP                                           Option       Option       Yes
System Memory              32/64 MB    128 MB (fixed)   128/256 MB   256/512 MB   256/512 MB
Client License             Unlimited   Unlimited        Unlimited    Unlimited    Unlimited

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_models_comparison.html

Troubleshooting

- Check IPSEC Tunnel
  – show crypto ipsec sa
  – show crypto isakmp sa
  – clear crypto sa
  – debug crypto ipsec
  – debug crypto isakmp
- Check for mismatched access-lists (most common problem!)
- Check for static routes – you must tell the local router/FW that the private destination is via the public interface

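A way to catch the mismatches this slide lists before touching `debug crypto`, as an added example that is not part of the presentation: it parses the router (slides 11-12) and PIX (slides 13-14) excerpts, converts the IOS wildcard-mask ACL and the PIX netmask ACL to the same form so they can be compared as mirror images, fills in the IOS ISAKMP defaults the router slide relies on (DES, group 1), and checks peers, pre-shared key and transform sets. The parsers, check names and the `LEGACY` set are this example's own; the config text is copied from the slides.

```python
import ipaddress

# Copied from the slides (router: slides 11-12, PIX: slides 13-14), trimmed to the lines read below.
IOS_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key vpn2vpn address 5.1.1.2
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map vpntunnel 10 ipsec-isakmp
 set peer 5.1.1.2
 set transform-set ESP-DES-MD5
 match address vpn-tunnel
ip access-list extended vpn-tunnel
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
"""
PIX_CONFIG = """\
access-list vpn-tunnel permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
ip address outside 5.1.1.2 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map vpntunnel 1 match address vpn-tunnel
crypto map vpntunnel 1 set peer 5.1.1.1
crypto map vpntunnel 1 set transform-set ESP-DES-MD5
isakmp key vpn2vpn address 5.1.1.1 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
"""
# What IOS applies when a 'crypto isakmp policy' block leaves a parameter unset.
IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
LEGACY = {"des", "md5", "group1", "esp-des", "esp-md5-hmac"}  # 2003-era choices, inadequate today

def _acl_entry(t, wildcard):
    """'permit ip <src> <mask> <dst> <mask>' (or 'host <ip>') -> (src_net, dst_net)."""
    nets = []
    for addr, mask in ((t[2], t[3]), (t[4], t[5])):
        if addr == "host":
            nets.append(ipaddress.IPv4Network(mask + "/32"))
        else:  # IOS extended ACLs carry wildcard masks, PIX access-lists carry netmasks
            bits = int(ipaddress.IPv4Address(mask))
            mask = ipaddress.IPv4Address(bits ^ 0xFFFFFFFF if wildcard else bits)
            nets.append(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
    return tuple(nets)

def parse_ios(text):
    cfg = {"acl": {}, "isakmp": dict(IOS_ISAKMP_DEFAULTS), "transforms": {}, "map": {}}
    ctx = ""  # indented IOS lines belong to the preceding top-level command
    for line in filter(str.strip, text.splitlines()):
        t = line.split()
        if not line.startswith(" "):
            ctx = " ".join(t[:3])
            if ctx == "crypto isakmp key":
                cfg["psk"], cfg["psk_peer"] = t[3], t[5]
            elif ctx == "crypto ipsec transform-set":
                cfg["transforms"][t[3]] = frozenset(t[4:])
            elif ctx == "ip access-list extended":
                acl = cfg["acl"][t[3]] = []
        elif ctx == "crypto isakmp policy":
            cfg["isakmp"][t[0]] = t[1]
        elif ctx.startswith("crypto map"):
            cfg["map"][t[1] if t[0] == "set" else t[0]] = t[-1]  # peer, transform-set, match
        elif ctx == "ip access-list extended":
            acl.append(_acl_entry(t, wildcard=True))
    return cfg

def parse_pix(text):
    cfg = {"acl": {}, "isakmp": {}, "transforms": {}, "map": {}}
    for t in filter(None, map(str.split, text.splitlines())):  # PIX config is flat
        if t[0] == "access-list":
            cfg["acl"].setdefault(t[1], []).append(_acl_entry(t[2:], wildcard=False))
        elif t[:3] == ["ip", "address", "outside"]:
            cfg["outside_ip"] = t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transforms"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and t[4] in ("set", "match"):
            cfg["map"][t[5] if t[4] == "set" else t[4]] = t[-1]
        elif t[:2] == ["isakmp", "key"]:
            cfg["psk"], cfg["psk_peer"] = t[2], t[4]
        elif t[:2] == ["isakmp", "policy"]:
            cfg["isakmp"][t[3]] = t[4]
    return cfg

def check_tunnel(router, pix):
    """The checks behind the troubleshooting slide; an empty result means both ends agree."""
    bad = []
    if not (router["map"]["peer"] == router["psk_peer"] == pix["outside_ip"]) or pix["map"]["peer"] != pix["psk_peer"]:
        bad.append("peer address and isakmp key address disagree")
    if router["psk"] != pix["psk"]:
        bad.append("pre-shared keys differ")
    if router["transforms"][router["map"]["transform-set"]] != pix["transforms"][pix["map"]["transform-set"]]:
        bad.append("transform sets differ")
    if any(router["isakmp"][k] != pix["isakmp"].get(k) for k in IOS_ISAKMP_DEFAULTS):
        bad.append("ISAKMP policy parameters differ")
    if set(router["acl"][router["map"]["match"]]) != {(d, s) for s, d in pix["acl"][pix["map"]["match"]]}:
        bad.append("crypto ACLs are not mirror images (most common problem)")
    return bad

def legacy_algorithms(cfg):
    """Algorithms in a parsed config that fall in LEGACY (DES, MD5, DH group 1)."""
    used = {f"group{v}" if k == "group" else v for k, v in cfg["isakmp"].items()}
    return sorted(used.union(*cfg["transforms"].values()) & LEGACY)
```

Running `check_tunnel(parse_ios(IOS_CONFIG), parse_pix(PIX_CONFIG))` on the slide configs returns an empty list: the router's policy matches the PIX's only because IOS silently defaults encryption to DES and the Diffie-Hellman group to 1, which is worth knowing when a policy that looks complete on one side fails to negotiate with the other. `legacy_algorithms` flags DES, MD5, DH group 1 and the ESP-DES-MD5 transform on both devices; a current deployment would replace them with AES, SHA-2 and a stronger DH group.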
Questions?