Vpn site to site

Notes
  • Protection suite of priority 1:
        encryption algorithm: Three key triple DES
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 86400 seconds, no volume limit
    Default protection suite:
        encryption algorithm: DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 86400 seconds, no volume limit
  • SAs will regenerate behind the scenes:
        7206BA#sh crypto ipsec security-association-lifetime
        Security association lifetime: 4608000 kilobytes/3600 seconds
  • Site-to-site VPNs and remote access VPNs tend to have different requirements

Transcript

  • 1. Cisco VPN Solutions (© 2001, Cisco Systems, Inc.)
  • 2. Agenda
      • Introduction to IPSec
      • IPSec VPN Topologies
      • Cisco Site-to-Site VPN Solutions
    (VPN Overview, © 2001, Cisco Systems, Inc., www.cisco.com/go/vpn)
  • 3. IPSec Design Guide: http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/iptoc_dg.htm (linked file: IPSecDesignGuide.pdf)
  • 4. IPSec Overview
      • Initiating the IPSec session
          Phase one: exchanging keys
          Phase two: setting up security associations
      • Encrypting/decrypting packets
      • Rebuilding security associations
          Timing out security associations
      • Simple IPSec configuration
  • 5. Initiating the IPSec Session: Phase One (ISAKMP)
      • Internet Security Association Key Management Protocol (ISAKMP)
      • Both sides need to agree on the ISAKMP security parameters:
          Encryption algorithm
          Hash algorithm
          Authentication method
          Diffie-Hellman modulus group
          Lifetime
  • 6. Initiating the IPSec Session: Phase Two (IPSec)
      • Both sides need to agree on the IPSec security parameters:
          IPSec peer: endpoint of the IPSec tunnel
          IPSec proxy: traffic to be encrypted/decrypted
          IPSec transform: encryption and hashing
          IPSec lifetime: phase two SA regeneration time
  • 7. Encrypting and Decrypting Packets
      • Phase one and phase two complete
      • Security Associations (SAs) are created at both IPSec endpoints
      • Using the negotiated SA information:
          Outbound packets are encrypted
          Inbound packets are decrypted
  • 8. Rebuilding Security Associations
      • To ensure that keys are not compromised, they are periodically refreshed
      • Security associations will be rebuilt when:
          The lifetime expires, or
          The data volume has been exceeded, or
          Another SA is attempted with identical parameters
  • 9. Simple IPSec Configuration
    Topology: 10.1.1.0/24 -- Router A (Ethernet0 10.1.1.1, Ethernet1 192.1.1.1) -- Internet (IPSec Tunnel) -- Router B (Ethernet1 200.1.1.2, Ethernet0 10.1.2.1) -- 10.1.2.0/24
    Router A (192.1.1.1):
          crypto isakmp policy 1
           authentication pre-share
           hash md5
          crypto isakmp key cisco123 address 200.1.1.2
          crypto ipsec transform-set trans1 esp-des esp-md5-hmac
          crypto map vpnmap 10 ipsec-isakmp
           set peer 200.1.1.2
           set transform-set trans1
           match address 101
          interface Ethernet0
           ip address 10.1.1.1 255.255.255.0
          interface Ethernet1
           ip address 192.1.1.1 255.255.255.0
           crypto map vpnmap
          access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
    Router B (200.1.1.2):
          crypto isakmp policy 1
           authentication pre-share
           hash md5
          crypto isakmp key cisco123 address 192.1.1.1
          crypto ipsec transform-set trans1 esp-des esp-md5-hmac
          crypto map vpnmap 10 ipsec-isakmp
           set peer 192.1.1.1
           set transform-set trans1
           match address 101
          interface Ethernet0
           ip address 10.1.2.1 255.255.255.0
          interface Ethernet1
           ip address 200.1.1.2 255.255.255.0
           crypto map vpnmap
          access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  • 10. Topologies: Standard Site-to-Site IPSec Enabled VPN Solution Design and Engineering Guide, http://www.cisco.com/cpropart/salestools/cc/so/neso/vpn/vpne/s2sdes.htm (linked file: Site2SiteDesignGuide.url)
  • 11. GRE Over IPSec (Common Configuration Issues)
      • Apply the crypto map on both the tunnel interfaces and the physical interfaces
      • Specify GRE traffic as IPSec interesting traffic:
          access-list 101 permit gre host 200.1.1.1 host 150.1.1.1
      • Static or dynamic routing is needed to send VPN traffic to the GRE tunnel before it gets encrypted
  • 12. GRE over IPSec (Avoid Recursive Routing)
      • To avoid GRE tunnel interface damping due to recursive routing, keep transport and passenger routing information separate:
          Use different routing protocols or separate routing protocol identifiers
          Keep tunnel IP addresses and actual IP network address ranges distinct
          For the tunnel interface IP address, don't use unnumbered to a loopback interface when the loopback's IP address resides in the ISP address space
  • 13. GRE over IPSec (MTU Issues)
      • Overhead calculation of GRE over IPSec (assume ESP-DES & ESP-MD5-HMAC):
          ESP overhead (with authentication): 31 ~ 38 bytes
          GRE header: 24 bytes
          IP header: 20 bytes
      • GRE over IPSec in tunnel mode introduces ~75 bytes of overhead; GRE over IPSec in transport mode introduces ~55 bytes of overhead
  • 14. GRE over IPSec (encapsulation diagram)
          a. Original Packet:                IP hdr 1 | TCP hdr | Data
          b. GRE Encapsulation:              IP hdr 2 | GRE hdr | IP hdr 1 | TCP hdr | Data
          c. GRE over IPSec Transport Mode:  IP hdr 2 | ESP hdr | GRE hdr | IP hdr 1 | TCP hdr | Data
          d. GRE over IPSec Tunnel Mode:     IP hdr 3 | ESP hdr | IP hdr 2 | GRE hdr | IP hdr 1 | TCP hdr | Data
  • 15. GRE over IPSec (MTU Issues)
      • After GRE tunnel encapsulation, the packets are sent to the physical interface with the DF bit set to 0
      • The GRE packets are then encrypted at the physical interface; if the IPSec overhead makes the final IPSec packets bigger than the interface MTU, the router fragments them
      • The remote router must reassemble the fragmented IPSec packets (process switched), which degrades performance
  • 16. GRE over IPSec (MTU Issues)
      • To avoid fragmentation and reassembly of IPSec packets:
          Set ip mtu 1420 (GRE/IPSec tunnel mode) or ip mtu 1440 (GRE/IPSec transport mode) under the tunnel interface
          Enable "tunnel path-mtu-discovery" (DF bit copied after GRE encapsulation) under the tunnel interface
      • Use "show ip int switching" to verify the switching path
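A worked check of the MTU figures on slides 13 to 16 (an added example, not from the Cisco deck): it computes the on-the-wire size of a GRE-over-IPSec packet in both modes using ESP-DES / ESP-MD5-HMAC field sizes taken from RFC 2406 and RFC 2403 (assumed: 8-byte ESP header, 8-byte IV, padding to an 8-byte block, 2-byte trailer, 12-byte ICV, basic 4-byte GRE header), and finds the largest tunnel "ip mtu" that avoids post-encryption fragmentation at a 1500-byte physical MTU.

```python
# GRE-over-IPSec MTU check (constructed example; byte counts are RFC values,
# not taken from the slides, so the overhead lands within a byte of the
# deck's 31~38 / ~55 / ~75 figures).
IP_HDR = 20
GRE_HDR = 4          # basic GRE header, no key or sequence options
ESP_HDR = 8          # SPI + sequence number
DES_IV = 8
ESP_TRAILER = 2      # pad length + next header
MD5_96_ICV = 12      # HMAC-MD5-96 authentication data
DES_BLOCK = 8


def esp_size(plaintext_len: int) -> int:
    """ESP packet size for plaintext_len bytes, excluding the outer IP header."""
    # Plaintext plus the 2-byte trailer must fill whole DES blocks.
    padding = (-(plaintext_len + ESP_TRAILER)) % DES_BLOCK
    return ESP_HDR + DES_IV + plaintext_len + padding + ESP_TRAILER + MD5_96_ICV


def gre_ipsec_packet_size(inner_len: int, mode: str) -> int:
    """Final size of an inner IP packet after GRE encapsulation and ESP."""
    gre_packet = IP_HDR + GRE_HDR + inner_len  # IP hdr 2 + GRE hdr + original packet
    if mode == "transport":
        # Transport mode keeps IP hdr 2 as the outer header; only GRE + payload is protected.
        return IP_HDR + esp_size(gre_packet - IP_HDR)
    if mode == "tunnel":
        # Tunnel mode protects the whole GRE packet and adds a new IP hdr 3.
        return IP_HDR + esp_size(gre_packet)
    raise ValueError(f"unknown mode {mode!r}")


def max_tunnel_mtu(physical_mtu: int, mode: str) -> int:
    """Largest tunnel 'ip mtu' whose packets never exceed the physical MTU after ESP."""
    return max(n for n in range(physical_mtu)
               if gre_ipsec_packet_size(n, mode) <= physical_mtu)


if __name__ == "__main__":
    for mode, slide_mtu in (("transport", 1440), ("tunnel", 1420)):
        wire = gre_ipsec_packet_size(slide_mtu, mode)
        print(f"{mode}: ip mtu {slide_mtu} -> {wire} bytes on the wire "
              f"(overhead {wire - slide_mtu}), max safe ip mtu {max_tunnel_mtu(1500, mode)}")
        # A default 1500-byte tunnel MTU overshoots and forces fragmentation.
        print(f"{mode}: ip mtu 1500 -> {gre_ipsec_packet_size(1500, mode)} bytes")
```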
  • 17. GRE IPSec Config
          crypto isakmp policy 1
           encr 3des
           hash md5
           authentication pre-share
          crypto isakmp key cisco123 address 172.18.45.1
          crypto isakmp key cisco123 address 172.18.45.2
          crypto ipsec transform-set myset esp-3des esp-md5-hmac
           mode transport
  • 18. GRE IPSec Config (continued)
          crypto map vpn 10 ipsec-isakmp
           set peer 172.18.45.1
           set transform-set myset
           match address 101
          crypto map vpn 20 ipsec-isakmp
           set peer 172.18.45.2
           set transform-set myset
           match address 102
  • 19. GRE IPSec Config (continued)
          interface Tunnel0
           ip address 10.4.1.1 255.255.255.0
           tunnel source 172.18.31.1
           tunnel destination 172.18.45.1
           crypto map vpn
          interface Tunnel1
           ip address 10.4.2.1 255.255.255.0
           tunnel source 172.18.31.1
           tunnel destination 172.18.45.2
           crypto map vpn
          interface Serial0
           ip address 172.18.31.1 255.255.255.0
           crypto map vpn
  • 20. GRE IPSec Config (continued)
          router eigrp 100
           network 10.0.0.0
          ip route 172.18.0.0 255.255.0.0 Serial0
          ip access-list extended 101
           permit gre host 172.18.31.1 host 172.18.45.1
          ip access-list extended 102
           permit gre host 172.18.31.1 host 172.18.45.2
  • 21. Preventing Traffic Injection
      • ACL on the physical interface:
          interface Serial0/0
           ip access-group Only_ESP in
          ip access-list extended Only_ESP
           permit esp host 193.193.193.1 any
           permit udp host 193.193.193.1 eq 500 any
           deny ip any any log-input
      • Even better, VRF lite!
  • 22. VPN Types and Applications
          | Type              | Application                        | As Alternative To               | Benefits                                                    |
          |-------------------|------------------------------------|---------------------------------|-------------------------------------------------------------|
          | Remote Access VPN | Remote dial access                 | Dedicated dial, ISDN            | Ubiquitous connectivity, lower cost                         |
          | Site-to-Site VPN  | Site-to-site internal connectivity | Leased line, Frame Relay, ATM   | Extend connectivity, increased bandwidth, lower cost        |
          | Extranet VPN      | Biz-to-biz external connectivity   | Fax, mail, EDI                  | Facilitates e-commerce                                      |
  • 23. VPN Requirements Vary By Application
    (Figure: extranet business partner, mobile user, POP, Internet VPN, DSL, cable, central site, home telecommuter, site-to-site remote office)
      • Remote Access VPN
          Evolution away from dial
          Per-user manageability
          Multi-OS (desktop) support
          Deployment scalability
      • Site-to-Site VPN
          Extension of classic WAN
          Compatibility with diverse network traffic types
          Integration with routing
          Deployment scalability
  • 24. Cisco VPN Portfolio: Purpose-Built for Specific VPN Environments
    (Matrix columns, largest to smallest: Large Enterprise, Medium Enterprise, Small Biz/Branch, SOHO)
      • Remote Access VPN: Cisco VPN 3000 Concentrators (VPN 3080, VPN 3060, VPN 3030, VPN 3015 (new), VPN 3005), VPN 3002 Hardware Client, Software Client
      • Site-to-Site VPN: IOS Routers 7200, 7100, 3600, 2600, 1700, 900, 800
      • Firewall-Based VPN: PIX Firewall 535, 525, 515, 506
  • 25. VPN Product Function Matrix
      • IOS VPN Routers
          Site-to-Site VPN: primary role; all-encompassing site-to-site connectivity features; provides routing, QoS, WAN interfaces, multicast and multiprotocol support
          Remote Access VPN: basic remote access functionality
      • PIX Firewalls
          Site-to-Site VPN: solution for security organizations that prefer operating firewalls; basic site-to-site functionality; provides full firewall features
          Remote Access VPN: solution for security organizations that prefer operating firewalls; provides most remote access features; provides full firewall features
      • VPN 3000 Concentrators
          Site-to-Site VPN: basic site-to-site functionality
          Remote Access VPN: primary role; full-featured remote access solution
  • 26. Cisco IOS Software: Enhanced VPN Software Features
      • Quality of Service
          Application-aware packet classification
          Congestion management and packet queuing
          Traffic shaping and policing
      • Stateful IOS Firewall
          Per-application content filtering and Java blocking
          Denial of service protection and intrusion detection
          Time-based ACLs
      • VPN Resiliency
          Dynamic Route Recovery: using routing protocols through an IPSec-secured GRE tunnel
          Dynamic Tunnel Recovery: IPSec Keep-Alives
      • Full Layer 3 Routing and Broad Interface Support
          EIGRP, BGP, OSPF, and others
          Numerous LAN and WAN interfaces
  • 27. Cisco Site-to-Site VPN Solutions: Scalability for Every Site
    (Figure: main office, regional office, remote office, small office/home office, connected over the Internet)
      • Cisco 7100 & 7200 Series
          7100 for dedicated VPN head-end
          7200 for hybrid private WAN + VPN
      • Cisco 2600 & 3600 Series: VPN-optimized routers connecting branch and regional offices at nxT1/E1 speeds
      • Cisco 1700 Series: VPN-optimized router connecting remote offices at T1/E1 speeds
      • Cisco 800 & 900 Series: VPN-optimized routers for ISDN, DSL, and cable connectivity
  • 28. VPN-Enabled Broadband Routers
          |                       | 806         | 827/804     | 905         |
          |-----------------------|-------------|-------------|-------------|
          | Simultaneous Tunnels  | 50          | 50          | 50          |
          | Performance           | 384 kbps    | 384 kbps    | 6 Mbps      |
          | Hardware Acceleration | None        | None        | (built-in)  |
          | WAN Interfaces        | Ethernet    | DSL/ISDN    | Cable       |
          | LAN Interfaces        | 4xEthernet  | 1xEthernet  | 4xEthernet  |
  • 29. VPN-Enabled Routers
          |                       | 1710        | 1720/1750   | 2611/2621   | 2651        | 3620/3640   |
          |-----------------------|-------------|-------------|-------------|-------------|-------------|
          | Simultaneous Tunnels  | 100         | 100         | 300         | 800         | 800         |
          | Performance (Mbps)    | 4           | 4           | 10/12       | 14          | 10/19       |
          | Hardware Acceleration | (built-in)  | VPN Module  | AIM-VPN/BP  | AIM-VPN/EP  | NM-VPN/MP   |
          | WAN Interfaces        | 1xEthernet  | (varies)    | (varies)    | (varies)    | (varies)    |
          | LAN Interfaces        | 1xFE        | 1xFE        | 2xFE        | 2xFE        | (varies)    |
  • 30. VPN-Enabled Routers
          |                       | 3660        | 7120        | 7140        | 7140        | 7200        |
          |-----------------------|-------------|-------------|-------------|-------------|-------------|
          | Simultaneous Tunnels  | 1,300       | 2,000       | 2,000       | 3,000       | 5,000       |
          | Performance (Mbps)    | 40          | 50          | 90          | 140         | 145         |
          | Hardware Acceleration | AIM-VPN/HP  | ISM         | ISM         | ISM & ISA   | SA-VAM      |
          | WAN Interfaces        | (varies)    | (varies)    | (varies)    | None        | (varies)    |
          | LAN Interfaces        | 1xFE        | 2xFE        | 2xFE        | 2xFE        | (varies)    |
  • 31. 2650 Enhanced Performance VPN Module (New!)
      • AIM-VPN/EP Enhanced Performance Module
          Delivers 14 Mbps 3DES performance
          The new AIM-VPN/EP is specially designed to take advantage of the 2650 High Performance Router
          This VPN module is offered in addition to the present AIM-VPN/BP (Base Performance Module)
          Supported on all 2600 platforms
  • 32. VPN Acceleration Module (VAM) for 7100/7200 (New!)
      • Greater than DS3 encryption performance: 145 Mbps 3DES IPSec performance for scalable site-to-site encryption
      • Allows a large number of VPN tunnels: 5000 simultaneous IPSec sessions
      • Fast VPN tunnel setup time: hardware acceleration for RSA (tunnel setup & key generation)
      • Compression for bandwidth conservation: hardware acceleration for IPPCP LZS compression
      • SA-VAM for 7200; SM-VAM for 7100
  • 33. VPN Management
      • VPN Device Manager: embedded web single-device policy manager
      • VPN Management Solutions: enterprise VPN monitoring & policy manager
      • Cisco Secure Policy Manager: centralized, intelligent security policy management for firewall and VPN
      • Telnet/SSH/rlogin/rsh/rcp CLI, tftp, MIBs
  • 34. Site-to-Site VPN Platform Summary
      • Comprehensive suite of site-to-site VPN features: supports the most diverse VPN environments
      • High performance VPN: up to 145 Mbps 3DES/HMAC-SHA1 IPSec; up to 5,000 simultaneous tunnels
      • Site-specific VPN scalability: DSL, cable, & ISDN VPN routers; Ethernet-to-Ethernet broadband routers
      • Network management tailored for site-to-site applications
  • 35. For More Information... Blog.router-switch.com: news, tutorials, tips, info & thoughts on developments in the Cisco, Cisco network, IT, software & network hardware industry
  • 36. (Closing slide) © 1999, Cisco Systems, Inc.