CCNA Security - Chapter 8

2,882 views

Published on

0 Comments
13 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,882
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
0
Comments
0
Likes
13
Embeds 0
No embeds

No notes for slide
  • Note: Actual parameters vary based on IOS image.
  • Notice however, that policy numbers are only locally significant and do not have to match between IPsec peers.
  • A transform set can have one AH transform and up to two ESP transforms
  • CCNA Security - Chapter 8

    1. 1. CCNA Security Chapter Eight Implementing Virtual Private Networks© 2009 Cisco Learning Institute. 1
    2. 2. Lesson Planning • This lesson should take 3-4 hours to present • The lesson should include lecture, demonstrations, discussions and assessments • The lesson can be taught in person or using remote instruction© 2009 Cisco Learning Institute. 2
    3. 3. Major Concepts • Describe the purpose and operation of VPN types • Describe the purpose and operation of GRE VPNs • Describe the components and operations of IPsec VPNs • Configure and verify a site-to-site IPsec VPN with pre- shared key authentication using CLI • Configure and verify a site-to-site IPsec VPN with pre- shared key authentication using SDM • Configure and verify a Remote Access VPN© 2009 Cisco Learning Institute. 3
    4. 4. Lesson Objectives Upon completion of this lesson, the successful participant will be able to: 1. Describe the purpose and operation of VPNs 2. Differentiate between the various types of VPNs 3. Identify the Cisco VPN product line and the security features of these products 4. Configure a site-to-site VPN GRE tunnel 5. Describe the IPSec protocol and its basic functions 6. Differentiate between AH and ESP 7. Describe the IKE protocol and modes 8. Describe the five steps of IPSec operation© 2009 Cisco Learning Institute. 4
    5. 5. Lesson Objectives 9. Describe how to prepare IPSec by ensuring that ACLs are compatible with IPSec 10. Configure IKE policies using the CLI 11. Configure the IPSec transform sets using the CLI 12. Configure the crypto ACLs using the CLI 13. Configure and apply a crypto map using the CLI 14. Describe how to verify and troubleshoot the IPSec configuration 15. Describe how to configure IPSec using SDM 16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in SDM 17. Configure a site-to-site VPN using the step-by-step VPN Wizard in SDM© 2009 Cisco Learning Institute. 5
    6. 6. Lesson Objectives 18. Verify, monitor and troubleshoot VPNs using SDM 19. Describe how an increasing number of organizations are offering telecommuting options to their employees 20. Differentiate between Remote Access IPSec VPN solutions and SSL VPNs 21. Describe how SSL is used to establish a secure VPN connection 22. Describe the Cisco Easy VPN feature 23. Configure a VPN Server using SDM 24. Connect a VPN client using the Cisco VPN Client software© 2009 Cisco Learning Institute. 6
    7. 7. What is a VPN? Business Partner with a Cisco Router Mobile Worker with a Cisco VPN Client CSA VPN Internet Firewall SOHO with a Cisco DSL Router Corporate WAN VPN Network - Virtual: Information within a private network is VPN transported over a public network. Regional branch with a VPN enabled - Private: The traffic is encrypted to keep the Cisco ISR router data confidential.© 2009 Cisco Learning Institute. 7
    8. 8. Layer 3 VPN IPSec VPN Internet IPSec SOHO with a Cisco DSL Router • Generic routing encapsulation (GRE) • Multiprotocol Label Switching (MPLS) • IPSec© 2009 Cisco Learning Institute. 8
    9. 9. Types of VPN Networks Business Partner Remote-access with a Cisco Router VPNs Mobile Worker with a Cisco VPN Client CSA MARS VPN SOHO with a Internet Firewall Cisco DSL Router Site-to-Site VPN IP VPNs WAN S VPN Iron Port CSA Regional branch with CSA CSACSA CSA a VPN enabled CSA Cisco ISR router Web Email Server Server DNS© 2009 Cisco Learning Institute. 9
    10. 10. Site-to-Site VPN Business Partner with a Cisco Hosts send and receive normal Router TCP/IP traffic through a VPN gateway CSA MARS VP N SOHO with a Internet Firewall Cisco DSL Router Site-to-Site VPN IP VPNs WAN S VPN Iron CSA Port Regional branch with CS CSA CS A CS CSA a VPN enabled A A Cisco ISR router Web Email Server Server DNS© 2009 Cisco Learning Institute. 10
    11. 11. Remote-Access VPNs Remote-access VPNs Mobile Worker with a Cisco VPN Client CSA MARS Internet Firewall VPN IPS Iron Port CSA CSA CSA CSA CSA CSA Web Email Server Server DNS© 2009 Cisco Learning Institute. 11
    12. 12. VPN Client Software R1 R1-vpn-cluster.span.com “R1” In a remote-access VPN, each host typically has Cisco VPN Client software© 2009 Cisco Learning Institute. 12
    13. 13. Cisco IOS SSL VPN • Provides remote-access connectivity from any Internet-enabled host • Uses a web browser and SSL encryption • Delivers two modes of access: - Clientless - Thin client© 2009 Cisco Learning Institute. 13
    14. 14. Cisco VPN Product Family Remote-Access Product Choice Site-to-Site VPN VPN Cisco VPN-Enabled Router Secondary role Primary role Cisco PIX 500 Series Security Appliances Secondary role Primary role Cisco ASA 5500 Series Adaptive Security Primary role Secondary role Appliances Cisco VPN Primary role Secondary role 3000 Series Concentrators Home Routers Primary role© 2009 Cisco Learning Institute. 14
    15. 15. Cisco VPN-Optimized Routers Remote Office Cisco Router Main Office Cisco Router Internet Regional Office Cisco Router VPN Features: •Voice and video enabled VPN (V3PN) •IPSec stateful failover SOHO Cisco Router •DMVPN •IPSec and Multiprotocol Label Switching (MPLS) integration •Cisco Easy VPN© 2009 Cisco Learning Institute. 15
    16. 16. Cisco ASA 5500 Series AdaptiveSecurity Appliances Remote Site Central Site Internet Intranet Extranet Remote UserBusiness-to-Business • Flexible platform • Cisco IOS SSL VPN • Resilient clustering • VPN infrastructure for contemporary applications • Cisco Easy VPN • Integrated web-based • Automatic Cisco VPN management© 2009 Cisco Learning Institute. 16
    17. 17. IPSec Clients A wireless client that is loaded on a pda Certicom PDA IPsec VPN Client Router with Firewall and Internet VPN Client Cisco VPN Software Client Software loaded on a PC Small Office A network appliance that connects SOHO LANs to the VPN Cisco AnyConnect VPN Client Internet Provides remote users with secure VPN connections© 2009 Cisco Learning Institute. 17
    18. 18. Hardware Acceleration Modules • AIM • Cisco IPSec VPN Shared Port Adapter (SPA) • Cisco PIX VPN Accelerator Card+ (VAC+) • Enhanced Scalable Encryption Processing Cisco IPsec VPN SPA (SEP-E)© 2009 Cisco Learning Institute. 18
    19. 19. GRE VPN Overview© 2009 Cisco Learning Institute. 19
    20. 20. Encapsulation Encapsulated with GRE Original IP Packet© 2009 Cisco Learning Institute. 20
    21. 21. Configuring a GRE TunnelCreate a tunnelinterface Assign the tunnel an IP address R1(config)# interface tunnel 0 R2(config)# interface tunnel 0 R1(config–if)# ip address 10.1.1.1 255.255.255.252 R2(config–if)# ip address 10.1.1.2 255.255.255.252 R1(config–if)# tunnel source serial 0/0 R1(config–if)# tunnel destination 192.168.5.5 Identify the source tunnel interface R2(config–if)# tunnel source serial 0/0 R2(config–if)# tunnel destination 192.168.3.3 R1(config–if)# tunnel mode gre ip R2(config–if)# tunnel mode gre ip R1(config–if)# R2(config–if)# Identify the destination of the tunnel Configure what protocol GRE will encapsulate© 2009 Cisco Learning Institute. 21
    22. 22. Using GRE IP User Only Yes Traffic ? No Tunnel GRE Use Use No Yes Unicast Only? IPsec VPN GRE does not provide encryption© 2009 Cisco Learning Institute. 22
    23. 23. IPSec Topology Main Site Business Partner with a Cisco Router IPsec Perimeter Router Legacy Legacy Concentrator Cisco POP PIXRegional Office with a ASA Firewall Cisco PIX Firewall Mobile Worker with a Cisco VPN Client Corporate SOHO with a Cisco on a Laptop Computer SDN/DSL Router • Works at the network layer, protecting and authenticating IP packets. - It is a framework of open standards which is algorithm-independent. - It provides data confidentiality, data integrity, and origin authentication.© 2009 Cisco Learning Institute. 23
    24. 24. IPSec Framework Diffie-Hellman DH7© 2009 Cisco Learning Institute. 24
    25. 25. Confidentiality Least secure Most secure Key length: - 56-bits Key length: - 56-bits (3 times) Key lengths: -128-bits Diffie-Hellman -DH7 192 bits -256-bits Key length: - 160-bits© 2009 Cisco Learning Institute. 25
    26. 26. Integrity Least secure Most secure Key length: - 128-bits Key length: Diffie-Hellman - 160-bits) DH7© 2009 Cisco Learning Institute. 26
    27. 27. Authentication Diffie-Hellman DH7© 2009 Cisco Learning Institute. 27
    28. 28. Pre-shared Key (PSK) •At the local device, the authentication key and the identity information (device-specific Diffie-Hellman information) are sent through a hash algorithm to form hash_I. One-way authentication is DH7 established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated. • The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.© 2009 Cisco Learning Institute. 28
    29. 29. RSA Signatures • At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local devices private encryption key creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I. • Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the© 2009 Cisco Learning Institute.authentication process begins in the opposite direction and all steps are repeated 29
    30. 30. Secure Key Exchange Diffie-Hellman DH7© 2009 Cisco Learning Institute. 30
    31. 31. IPSec Framework Protocols Authentication Header R1 All data is in plaintext. R2 AH provides the following:  Authentication  Integrity Encapsulating Security Payload R1 Data payload is encrypted. R2 ESP provides the following:  Encryption  Authentication  Integrity© 2009 Cisco Learning Institute. 31
    32. 32. Authentication Header 1. The IP Header and data payload are hashed IP Header + Data + Key R2 Hash IP HDR AH Data Authentication Data IP Header + Data + Key (00ABCDEF) 3. The new packet is Internet transmitted to the Hash IPSec peer routerIP HDR AH Data Recomputed Received2. The hash builds a new AH Hash = Hash header which is prepended (00ABCDEF) (00ABCDEF) R1 to the original packet 4. The peer router hashes the IP© 2009 Cisco Learning Institute. 32
    33. 33. ESP Diffie-Hellman DH7© 2009 Cisco Learning Institute. 33
    34. 34. Function of ESP Internet Router Router IP HDR Data IP HDR Data ESP ESP New IP HDR ESP HDR IP HDR Data Trailer Auth Encrypted Authenticated • Provides confidentiality with encryption • Provides integrity with authentication© 2009 Cisco Learning Institute. 34
    35. 35. Mode Types IP HDR Data Original data prior to selection of IPSec protocol mode Transport Mode Encrypted ESP ESP IP HDR ESP HDR Data Trailer Auth Authenticated Tunnel Mode Encrypted ESP ESP New IP HDR ESP HDR IP HDR Data Trailer Auth Authenticated© 2009 Cisco Learning Institute. 35
    36. 36. Security Associations IPSec parameters are configured using IKE© 2009 Cisco Learning Institute. 36
    37. 37. IKE Phases R1 R2Host A Host B 10.0.1.3 10.0.2.3 IKE Phase 1 Exchange Policy 10 Policy 15 1. Negotiate IKE policy DES DES 1. Negotiate IKE policy MD5 MD5 sets pre-share pre-share sets DH1 DH1 lifetime lifetime 2. DH key exchange 2. DH key exchange 3. Verify the peer identity 3. Verify the peer identity IKE Phase 2 Exchange Negotiate IPsec policy Negotiate IPsec policy© 2009 Cisco Learning Institute. 37
    38. 38. IKE Phase 1 – First Exchange R1 R2Host A Host B Negotiate IKE Proposals 10.0.2.3 10.0.1.3 Policy 10 Policy 15 DES DES MD5 MD5 pre-share IKE Policy Sets pre-share DH1 DH1 lifetime lifetime Policy 20 3DES SHA pre-share DH1 lifetime Negotiates matching IKE policies to protect IKE exchange© 2009 Cisco Learning Institute. 38
    39. 39. IKE Phase 1 – Second Exchange Establish DH Key Private value, XA Private value, XB Alice Public value, YA Public value, YB Bob YA = g XA mod p Y = gXB mod p B YA YB XA XB (YB ) mod p = K (YA ) mod p = K A DH exchange is performed to establish keying material.© 2009 Cisco Learning Institute. 39
    40. 40. IKE Phase 1 – Third Exchange Authenticate Peer Remote Office Corporate Office Internet HR Servers Peer Authentication Peer authentication methods • PSKs • RSA signatures • RSA encrypted nonces A bidirectional IKE SA is now established.© 2009 Cisco Learning Institute. 40
    41. 41. IKE Phase 1 – Aggressive Mode R1 R2 Host A Host B 10.0.1.3 10.0.2.3 IKE Phase 1 Aggressive Mode Exchange Policy 10 Policy 15 1.Send IKE policy set DES MD5 DES MD5 pre-share pre-share and R1’s DH key DH1 DH1 lifetime lifetime 2. Confirm IKE policy set, calculate shared secret and send 3.Calculate shared R2’s DH key secret, verify peer identify, and confirm with peer 4. Authenticate peer and begin Phase 2. IKE Phase 2 Exchange Negotiate IPsec policy Negotiate IPsec policy© 2009 Cisco Learning Institute. 41
    42. 42. IKE Phase 2 R1 R2Host A Host B 10.0.1.3 Negotiate IPsec 10.0.2.3 Security Parameters • IKE negotiates matching IPsec policies. • Upon completion, unidirectional IPsec Security Associations(SA) are established for each protocol and algorithm combination.© 2009 Cisco Learning Institute. 42
    43. 43. IPSec VPN Negotiation10.0.1.3 R1 R2 10.0.2.3 1. Host A sends interesting traffic to Host B. 2. R1 and R2 negotiate an IKE Phase 1 session. IKE SA IKE Phase 1 IKE SA 3. R1 and R2 negotiate an IKE Phase 2 session. IPsec SA IKE Phase 2 IPsec SA 4. Information is exchanged via IPsec tunnel. IPsec Tunnel 5. The IPsec tunnel is terminated. © 2009 Cisco Learning Institute. 43
    44. 44. Configuring IPsec Tasks to Configure IPsec: Task 1: Ensure that ACLs are compatible with IPsec. Task 2: Create ISAKMP (IKE) policy. Task 3: Configure IPsec transform set. Task 4: Create a crypto ACL. Task 5: Create and apply the crypto map.© 2009 Cisco Learning Institute. 44
    45. 45. Task 1Configure Compatible ACLs Site 1 AH Site 2 ESP 10.0.1.0/24 IKE 10.0.2.0/24 10.0.2.310.0.1.3 R1 R2 Internet S0/0/0 S0/0/0 172.30.1.2 172.30.2.2 • Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec.© 2009 Cisco Learning Institute. 45
    46. 46. Permitting Traffic AH ESP Site 1 IKE Site 2 10.0.1.0/2 10.0.2.0/24 4 10.0.2.3 10.0.1.3 R1 R2 Internet S0/0/0 S0/0/0 172.30.1.2 172.30.2.2 R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2 R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2 R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp R1(config)# R1(config)# interface Serial0/0/0 R1(config-if)# ip address 172.30.1.2 255.255.255.0 R1(config-if)# ip access-group 102 in ! R1(config)# exit R1# R1# show access-lists access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2 access-list 102 permit esp host 172.30.2.2 host 172.30.1.2 access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp R1#© 2009 Cisco Learning Institute. 46
    47. 47. Task 2Configure IKE 10.0.1.0/24 10.0.2.0/24 10.0.1.3 R1 R2 10.0.2.3 Internet Site 1 Site 2 Policy 110 DES MD5 Tunnel Preshare 86400 DH1 router(config)# crypto isakmp policy priority Defines the parameters within the IKE policy R1(config)# crypto isakmp policy 110 R1(config–isakmp)# authentication pre-share R1(config–isakmp)# encryption des R1(config–isakmp)# group 1 R1(config–isakmp)# hash md5 R1(config–isakmp)# lifetime 86400© 2009 Cisco Learning Institute. 47
    48. 48. ISAKMP Parameters Default Parameter Keyword Accepted Values Description Value des 56-bit Data Encryption Standard 3des Triple DES Message encryptionencryption aes 128-bit AES des algorithm 192-bit AES aes 192 256-bit AES aes 256 sha SHA-1 (HMAC variant) Message integrityhash sha md5 MD5 (HMAC variant) (Hash) algorithm pre-shareauthenticati preshared keys Peer authentication rsa-encr RSA encrypted nonces rsa-sigon RSA signatures method rsa-sig 1 768-bit Diffie-Hellman (DH) Key exchangegroup 2 1024-bit DH 1 parameters (DH 1536-bit DH group identifier) 5 Can specify any number of 86,400 sec ISAKMP-establishedlifetime seconds seconds (one day) SA lifetime© 2009 Cisco Learning Institute. 48
    49. 49. Multiple Policies 10.0.1.0/24 10.0.2.0/24 10.0.1.3 R1 R2 10.0.2.3 Internet Site 1 Site 2 R1(config)# R2(config)# crypto isakmp policy 100 crypto isakmp policy 100 hash md5 hash md5 authentication pre-share authentication pre-share ! ! crypto isakmp policy 200 crypto isakmp policy 200 hash sha hash sha authentication rsa-sig authentication rsa-sig ! ! crypto isakmp policy 300 crypto isakmp policy 300 hash md5 hash md5 authentication pre-share authentication rsa-sig© 2009 Cisco Learning Institute. 49
    50. 50. Policy NegotiationsR1 attempts to establish a VPN tunnel withR2 and sends its IKE policy parameters 10.0.1.0/24 10.0.2.0/24 10.0.1.3 R1 R2 10.0.2.3 InternetSite 1 Policy 110 Site 2 Preshare 3DES Tunnel SHA DH2 43200 R2 must have an ISAKMP policy configured with the same parameters. R1(config)# crypto isakmp policy 110 R2(config)# crypto isakmp policy 100 R1(config–isakmp)# authentication pre-share R2(config–isakmp)# authentication pre-share R1(config–isakmp)# encryption 3des R2(config–isakmp)# encryption 3des R1(config–isakmp)# group 2 R2(config–isakmp)# group 2 R1(config–isakmp)# hash sha R2(config–isakmp)# hash sha R1(config–isakmp)# lifetime 43200 R2(config–isakmp)# lifetime 43200© 2009 Cisco Learning Institute. 50
    51. 51. Crypto ISAKMP Key router(config)# crypto isakmp key keystring address peer-address router(config)# crypto isakmp key keystring hostname hostname Parameter Description This parameter specifies the PSK. Use any combination of alphanumeric characters keystring up to 128 bytes. This PSK must be identical on both peers. peer- This parameter specifies the IP address of the remote peer. address This parameter specifies the hostname of the remote peer. hostname This is the peer hostname concatenated with its domain name (for example, myhost.domain.com). • The peer-address or peer-hostname can be used, but must be used consistently between peers. • If the peer-hostname is used, then the crypto isakmp identity hostname command must also be configured.© 2009 Cisco Learning Institute. 51
    52. 52. Sample Configuration 10.0.1.0/24 10.0.2.0/24 10.0.1.3 R1 R2 10.0.2.3 Internet Site 1 Site 2 R1(config)# crypto isakmp policy 110 R1(config–isakmp)# authentication pre-share R1(config–isakmp)# encryption 3des R1(config–isakmp)# group 2 R1(config–isakmp)# hash sha R1(config–isakmp)# lifetime 43200 R1(config-isakmp)# exit R1(config)# crypto isakmp key cisco123 address 172.30.2.2 R1(config)# Note: R2(config)# crypto isakmp policy 110 • The keystring cisco1234 matches. R2(config–isakmp)# authentication pre-share R2(config–isakmp)# encryption 3des • The address identity method is R2(config–isakmp)# group 2 specified. R2(config–isakmp)# hash sha • The ISAKMP policies are compatible. R2(config–isakmp)# lifetime 43200 R2(config-isakmp)# exit • Default values do not have to be R2(config)# crypto isakmp key cisco123 address 172.30.1.2 configured. R2(config)#© 2009 Cisco Learning Institute. 52
    53. 53. Task 3Configure the Transform Set router(config)# crypto ipsec transform–set transform-set-name transform1 [transform2] [transform3]] crypto ipsec transform-set Parameters Description Command transform-set-name This parameter specifies the name of the transform set to create (or modify). Type of transform set. You may specify up to four transform1, "transforms": one Authentication Header (AH), one transform2, transform3 Encapsulating Security Payload (ESP) encryption, one ESP authentication. These transforms define the IP Security (IPSec) security protocols and algorithms. A transform set is a combination of IPsec transforms that enact a security policy for traffic.© 2009 Cisco Learning Institute. 53
    54. 54. Transform Sets Host A Host B R1 172.30.1.2 R2 10.0.1.3 Internet 10.0.2.3 172.30.2.2 1 transform-set ALPHA transform-set RED esp-3des 2 esp-des tunnel tunnel 3 4 transform-set BETA transform-set BLUE esp-des, esp-md5-hmac 5 esp-des, ah-sha-hmac tunnel 6 tunnel 7 transform-set CHARLIE 8 transform-set YELLOW esp-3des, esp-sha-hmac 9 Match esp-3des, esp-sha-hmac tunnel tunnel • Transform sets are negotiated during IKE Phase 2. • The 9th attempt found matching transform sets (CHARLIE - YELLOW).© 2009 Cisco Learning Institute. 54
    55. 55. Sample Configuration Site 1 R1 172.30.1.2 R2 Site 2 A Internet B 10.0.1.3 10.0.2.3 172.30.2.2 R1(config)# crypto isakmp key cisco123 address 172.30.2.2 R1(config)# crypto ipsec transform-set MYSET esp-aes 128 R1(cfg-crypto-trans)# exit R1(config)# Note: • Peers must share the same transform set R2(config)# crypto isakmp key cisco123 address 172.30.1.2 settings. R2(config)#crypto ipsec transform-set OTHERSET esp-aes 128 R2(cfg-crypto-trans)# exit • Names are only locally significant.© 2009 Cisco Learning Institute. 55
    56. 56. Task 4Configure the Crypto ACLs Host A R1 Internet Outbound Encrypt Traffic Bypass (Plaintext) Permit Inbound Traffic Bypass Discard (Plaintext) • Outbound indicates the data flow to be protected by IPsec. • Inbound filters and discards traffic that should have been protected by IPsec.© 2009 Cisco Learning Institute. 56
    57. 57. Command Syntax Site 1 Site 2 10.0.1.0/24 10.0.2.0/24 10.0.1.3 R1 R2 10.0.2.3 Internet S0/0/0 S0/0/0 172.30.1.2 172.30.2.2 router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]]{deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] access-list access-list-number Parameters access-list access-list-number Description Command This option causes all IP traffic that matches the specified conditions to be protected by permit cryptography, using the policy described by the corresponding crypto map entry. deny This option instructs the router to route traffic in plaintext. This option specifies which traffic to protect by cryptography based on the protocol, protocol such as TCP, UDP, or ICMP. If the protocol is IP, then all traffic IP traffic that matches that permit statement is encrypted. If the ACL statement is a permit statement, these are the networks, subnets, or hosts source and destination between which traffic should be protected. If the ACL statement is a deny statement, then the traffic between the specified source and destination is sent in plaintext.© 2009 Cisco Learning Institute. 57
    58. 58. Symmetric Crypto ACLs Site 1 Site 2 10.0.1.0/24 10.0.2.0/24 10.0.1.3 R1 R2 10.0.2.3 Internet S0/0/0 S0/0/0 172.30.1.2 172.30.2.2 S0/1 Applied to R1 S0/0/0 outbound traffic: R1(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 (when evaluating inbound traffic– source: 10.0.2.0, destination: 10.0.1.0) Applied to R2 S0/0/0 outbound traffic: R2(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 (when evaluating inbound traffic- source: 10.0.1.0, destination: 10.0.2.0)© 2009 Cisco Learning Institute. 58
    59. 59. Task 5Apply the Crypto Map Site 1 Site 2 R1 R2 Internet 10.0.1.3 10.0.2.3 Crypto maps define the following:  ACL to be used  Remote VPN peers Encrypted Traffic  Transform set to be used  Key management method Router Interface  SA lifetimes or Subinterface© 2009 Cisco Learning Institute. 59
    60. 60. Crypto Map Command router(config)# crypto map map-name seq-num ipsec-manual crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name] crypto map Parameters Command Parameters Description Defines the name assigned to the crypto map set or indicates the name of the crypto map-name map to edit. seq-num The number assigned to the crypto map entry. ipsec-manual Indicates that ISAKMP will not be used to establish the IPsec SAs. ipsec-isakmp Indicates that ISAKMP will be used to establish the IPsec SAs. (Default value) Indicates that CET will be used instead of IPsec for protecting the cisco traffic. (Optional) Specifies that this crypto map entry references a preexisting static crypto dynamic map. If this keyword is used, none of the crypto map configuration commands are available. (Optional) Specifies the name of the dynamic crypto map set that should be used as dynamic-map-name the policy template.© 2009 Cisco Learning Institute. 60
    61. 61. Crypto Map ConfigurationMode Commands Command Description Used with the peer, pfs, transform-set, and security-association set commands. peer [hostname | ip- Specifies the allowed IPsec peer by IP address or hostname. address] pfs [group1 | group2] Specifies DH Group 1 or Group 2. Specify list of transform sets in priority order. When the ipsec-manual transform-set parameter is used with the crypto map command, then only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic [set_name(s)] parameter is used with the crypto map command, up to six transform sets can be specified. security-association Sets SA lifetime parameters in seconds or kilobytes. lifetime match address [access- Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP-extended list-id | name] ACL being matched. no Used to delete commands entered with the set command. exit Exits crypto map configuration mode.© 2009 Cisco Learning Institute. 61
    62. 62. Sample Configuration Site 1 Site 2 10.0.1.0/24 10.0.2.0/24 R1 R2 10.0.2.3 10.0.1.3 Internet S0/0/0 172.30.2.2 R3 S0/0/0 172.30.3.2 R1(config)# crypto map MYMAP 10 ipsec-isakmp R1(config-crypto-map)# match address 110 R1(config-crypto-map)# set peer 172.30.2.2 default R1(config-crypto-map)# set peer 172.30.3.2 R1(config-crypto-map)# set pfs group1 R1(config-crypto-map)# set transform-set mine R1(config-crypto-map)# set security-association lifetime seconds 86400 Multiple peers can be specified for redundancy.© 2009 Cisco Learning Institute. 62
    63. 63. Assign the Crypto Map Set Site 1 Site 2 10.0.1.0/24 10.0.2.0/24 10.0.1.3 R1 R2 10.0.2.3 Internet S0/0/0 S0/0/0 172.30.1.2 172.30.2.2 MYMAP router(config-if)# crypto map map-name R1(config)# interface serial0/0/0 R1(config-if)# crypto map MYMAP • Applies the crypto map to outgoing interface • Activates the IPsec policy© 2009 Cisco Learning Institute. 63
    64. 64. CLI Commands Show Command Description show crypto map Displays configured crypto maps show crypto isakmp policy Displays configured IKE policies show crypto ipsec sa Displays established IPsec tunnels show crypto ipsec Displays configured IPsec transform transform-set sets debug crypto isakmp Debugs IKE events Debugs IPsec events debug crypto ipsec© 2009 Cisco Learning Institute. 64
    65. 65. show crypto map Site 1 Site 2 10.0.1.0/24 10.0.2.0/24 10.0.1.3 R1 R2 10.0.2.3 Internet S0/0/0 S0/0/0 172.30.1.2 172.30.2.2 router# show crypto map Displays the currently configured crypto maps R1# show crypto map Crypto Map “MYMAP" 10 ipsec-isakmp Peer = 172.30.2.2 Extended IP access list 110 access-list 102 permit ip host 10.0.1.3 host 10.0.2.3 Current peer: 172.30.2.2 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ MYSET, }© 2009 Cisco Learning Institute. 65
    66. 66. show crypto isakmp policy Site 1 Site 2 10.0.1.0/24 10.0.2.0/24 10.0.1.3 R1 R2 10.0.2.3 Internet S0/0/0 S0/0/0 router# 172.30.1.2 172.30.2.2 show crypto isakmp policy R1# show crypto isakmp policy Protection suite of priority 110 encryption algorithm: 3DES - Data Encryption Standard (168 bit keys). hash algorithm: Secure Hash Standard authentication method: preshared Diffie-Hellman group: #2 (1024 bit) lifetime: 86400 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit© 2009 Cisco Learning Institute. 66
    67. 67. show crypto ipsec transform-set Site 1 Site 2 10.0.1.0/24 10.0.2.0/24 10.0.1.3 R1 R2 10.0.2.3 Internet S0/0/0 S0/0/0 172.30.1.2 172.30.2.2 show crypto ipsec transform-set Displays the currently defined transform sets R1# show crypto ipsec transform-set Transform set AES_SHA: { esp-128-aes esp-sha-hmac } will negotiate = { Tunnel, },© 2009 Cisco Learning Institute. 67
    68. 68. show crypto ipsec sa Site 1 Site 2 10.0.1.0/24 10.0.2.0/24 10.0.1.3 R1 R2 10.0.2.3 Internet S0/0/0 S0/0/0 172.30.1.2 172.30.2.2 R1# show crypto ipsec sa Interface: Serial0/0/0 Crypto map tag: MYMAP, local addr. 172.30.1.2 local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0) current_peer: 172.30.2.2 PERMIT, flacs={origin_is_acl,} #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0 #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2 path mtu 1500, media mtu 1500 current outbound spi: 8AE1C9C© 2009 Cisco Learning Institute. 68
    69. 69. debug crypto isakmp router# debug crypto isakmp 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0 1d00h: ISAKMP (0:1); no offers accepted! 1d00h: ISAKMP (0:1): SA not acceptable! 1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2 • This is an example of the Main Mode error message. • The failure of Main Mode suggests that the Phase I policy does not match on both sides. • Verify that the Phase I policy is on both peers and ensure that all the attributes match.© 2009 Cisco Learning Institute. 69
    70. 70. Starting a VPN Wizard 1. Click Configure in main toolbar 1 Wizards for IPsec 3 Solutions, includes type of VPNs and Individual IPsec components 2 3. Choose a wizard2. Click the VPN button 4. Click the VPN to open the VPN page implementation subtype VPN implementation 4 Subtypes. Vary based On VPN wizard chosen. 5 5. Click the Launch the Selected Task button © 2009 Cisco Learning Institute. 70
    71. 71. VPN Components VPN Wizards SSL VPN parameters Individual IPsec components used to build VPNs Easy VPN server parameters VPN Components Public key certificate parameters Encrypt VPN passwords© 2009 Cisco Learning Institute. 71
    72. 72. Configuring a Site-to-Site VPN Choose Configure > VPN > Site-to-Site VPN Click the Create a Site-to-Site VPN Click the Launch the Selected Task button© 2009 Cisco Learning Institute. 72
    73. 73. Site-to-Site VPN Wizard Choose the wizard mode Click Next to proceed to the configuration of parameters.© 2009 Cisco Learning Institute. 73
    74. 74. Quick Setup Configure the parameters •Interface to use •Peer identity information •Authentication method •Traffic to encrypt© 2009 Cisco Learning Institute. 74
    75. 75. Verify Parameters© 2009 Cisco Learning Institute. 75
    76. 76. Step-by-Step Wizard Choose the outside interface that is used 1 to connect to the IPSec peer 2 Specify the IP address of the peer 3 Choose the authentication method and specify the credentials 4 Click Next© 2009 Cisco Learning Institute. 76
    77. 77. Creating a Custom IKE Proposal Make the selections to configure 2 the IKE Policy and click OK 1 Click Add to define a proposal 3 Click Next© 2009 Cisco Learning Institute. 77
    78. 78. Creating a Custom IPSecTransform Set Define and specify the transform set name, integrity algorithm, 2 encryption algorithm, mode of operation and optional compression 1 Click Add 3 Click Next© 2009 Cisco Learning Institute. 78
    79. 79. Protecting TrafficSubnet to Subnet Click Protect All Traffic Between the Following subnets 1 2 3Define the IP addressand subnet mask of the Define the IP addresslocal network and subnet mask of the remote network© 2009 Cisco Learning Institute. 79
    80. 80. Protecting TrafficCustom ACL Click the ellipses button to choose an existing ACL or create a new one 1 2Click the Create/Select an Access-List 3for IPSec Traffic radio button To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option© 2009 Cisco Learning Institute. 80
    81. 81. Add a Rule 1 Give the access rule a 2 name and description Click Add© 2009 Cisco Learning Institute. 81
    82. 82. Configuring a New Rule Entry Choose an action and enter a description of the rule entry 1 2 Define the source hosts or networks in the Source Host/Network pane and the destination hosts or network in the Destination/Host Network pane 3 (Optional) To provide protection for specific protocols, choose the specific protocol radio box and desired port numbers© 2009 Cisco Learning Institute. 82
    83. 83. Configuration Summary • Click Back to modify the configuration. • Click Finish to complete the configuration.© 2009 Cisco Learning Institute. 83
    84. 84. Verify VPN Configuration Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN Check VPN status. Create a mirroring configuration if no Cisco SDM is available on the peer. Test the VPN configuration.© 2009 Cisco Learning Institute. 84
    85. 85. Monitor Choose Monitor > VPN Status > IPSec Tunnels 1 Lists all IPsec tunnels, their parameters, and status.© 2009 Cisco Learning Institute. 85
    86. 86. Telecommuting • Flexibility in working location and working hours • Employers save on real- estate, utility and other overhead costs • Succeeds if program is voluntary, subject to management discretion, and operationally feasible© 2009 Cisco Learning Institute. 86
    87. 87. Telecommuting Benefits • Organizational benefits: - Continuity of operations - Increased responsiveness - Secure, reliable, and manageable access to information - Cost-effective integration of data, voice, video, and applications - Increased employee productivity, satisfaction, and retention • Social benefits: - Increased employment opportunities for marginalized groups - Less travel and commuter related stress • Environmental benefits: - Reduced carbon footprints, both for individual workers and organizations© 2009 Cisco Learning Institute. 87
    88. 88. Implementing Remote Access© 2009 Cisco Learning Institute. 88
    89. 89. Methods for DeployingRemote Access IPsec Remote Any Anywhere SSL-Based Application Access Access VPN VPN© 2009 Cisco Learning Institute. 89
    90. 90. Comparison of SSL and IPSec SSL IPsec Web-enabled applications, file sharing, e- Applications mail All IP-based applications Moderate Stronger Encryption Key lengths from 40 bits to 128 bits Key lengths from 56 bits to 256 bits Strong Moderate Authentication Two-way authentication using shared secrets One-way or two-way authentication or digital certificates Moderate Ease of Use Very high Can be challenging to nontechnical users Strong Moderate Overall Security Only specific devices with specific Any device can connect configurations can connect© 2009 Cisco Learning Institute. 90
    91. 91. SSL VPNs • Integrated security and routing • Browser-based full network SSL VPN access SSL VPN Internet Headquarters SSL VPN Tunnel Workplace Resources© 2009 Cisco Learning Institute. 91
    92. 92. Types of Access© 2009 Cisco Learning Institute. 92
    93. 93. Full Tunnel Client Access Mode© 2009 Cisco Learning Institute. 93
    94. 94. Establishing an SSL Session User makes a connection 1 to TCP port 443 Router replies with a 2 User using digitally signed public key SSL VPN SSL client enabled ISR 3 User software creates a router shared-secret key 4 Shared-secret key, encrypted with public key of the server, is sent to the router Bulk encryption occurs using the 5 shared-secret key with a symmetric encryption algorithm© 2009 Cisco Learning Institute. 94
    95. 95. SSL VPN Design Considerations • User connectivity • Router feature • Infrastructure planning • Implementation scope© 2009 Cisco Learning Institute. 95
    96. 96. Cisco Easy VPN • Negotiates tunnel parameters • Establishes tunnels according to set parameters • Automatically creates a NAT / PAT and associated ACLs • Authenticates users by usernames, group names, and passwords • Manages security keys for encryption and decryption • Authenticates, encrypts, and decrypts data through the tunnel© 2009 Cisco Learning Institute. 96
    97. 97. Cisco Easy VPN© 2009 Cisco Learning Institute. 97
    98. 98. Securing the VPN 1 Initiate IKE Phase 1 2 Establish ISAKMP SA 3 Accept Proposal1 Username/Password 4 Challenge Username/Password 5 System Parameters Pushed Reverse Router Injection 6 (RRI) adds a static route entry on the router for the remote clients IP address 7 Initiate IKE Phase 2: IPsec IPsec SA© 2009 Cisco Learning Institute. 98
    99. 99. Configuring Cisco Easy VPN Server 1 4 3 2 5© 2009 Cisco Learning Institute. 99
    100. 100. Configuring IKE Proposals 2 Specify required parameters 1 Click Add 3 Click OK© 2009 Cisco Learning Institute. 100
    101. 101. Creating an IPSec Transform Set 3 1 2 4© 2009 Cisco Learning Institute. 101
    102. 102. Group Authorization and GroupPolicy Lookup 1 Select the location where Easy VPN group policies Click Add 3 can be stored 2 4 5 Click Next Click Next Configure the local group policies© 2009 Cisco Learning Institute. 102
    103. 103. Summary of ConfigurationParameters© 2009 Cisco Learning Institute. 103
    104. 104. VPN Client Overview R1 R1-vpn-cluster.span.com R1 R1-vpn-cluster.span.com • Establishes end-to-end, encrypted VPN tunnels for secure connectivity • Compatible with all Cisco VPN products • Supports the innovative Cisco Easy VPN capabilities© 2009 Cisco Learning Institute. 104
    105. 105. Establishing a Connection R1-vpn-cluster.span.com Once authenticated, status changes to connected. R1 R1-vpn-cluster.span.com “R1”© 2009 Cisco Learning Institute. 105
    106. 106. © 2009 Cisco Learning Institute. 106

    ×