Cisco Router As A Vpn Server
  • The IPSec Encapsulating Security Payload (ESP) provides data privacy. The ESP protocol also defines an authenticated format that provides data authentication and integrity, with data privacy. AH with the SHA (Secure Hash Algorithm) (an HMAC variant) authentication algorithm

Presentation Transcript

  • Cisco Router as a VPN Server
  • Agenda
    • VPN
    • Categories of VPN
      • Secure VPNs
      • Trusted VPN
    • Hardware / Software Requirement
    • Network Diagram
    • Basic Router Configuration
    • Configuring AAA Server
    • Virtual Template
    • VPDN
    • IPSec
  • What is VPN ?
    • A virtual private network (VPN) is a computer network that is implemented in an additional logical layer (overlay) on top of an existing network. It has the purpose of creating a private scope of computer communications or providing a secure extension of a private network into an insecure network such as the Internet.
    http://en.wikipedia.org/wiki/Virtual_private_network
  • Categories of VPN
    • VPN technologies may be classified in many ways.
    • Two broad categories of VPN are:
      • Secure VPNs
      • Trusted VPNs
  • Secure VPNs
    • Provide mechanisms for authentication of the tunnel endpoints and encryption of the traffic.
    • Provide remote access facilities to employees.
    • Connect multiple networks together securely, using the Internet to carry the traffic.
    • Secure VPN protocols include IPSec, SSL or PPTP (with MPPE).
    • Do not provide QoS or routing.
  • Trusted VPNs
    • Created by carriers and large organizations on large core networks.
    • Provide Quality of Service (QoS).
    • Trusted VPN protocols include MPLS, ATM or Frame Relay.
    • Do not provide security features such as data confidentiality through encryption.
  • Hardware / Software Requirements
    • Cisco Integrated Services Router running IOS 12.4 (Advanced Enterprise image).
    • Ethernet cables (crossover).
    • PCs / Laptops.
    • Cisco VPN Client (v5.0.06.0110).
    • Cisco Security Device Manager (SDM for GUI based configuration).
    • Java Runtime Environment (for SDM).
  • Network Diagram
  • Basic Router Configuration
    • Creating local login users for VPN (the 0 keyword means the password is entered unencrypted).
    • Router(config)# username [loginID] privilege [1-15] password 0 [password]
    • Configure Fast Ethernet Interfaces
    • Router#config t
    • Router(config)#int f0/0
    • Router(config-if)# description Internal LAN (192.168.0.0/24)
    • Router(config-if)#ip address 192.168.0.254 255.255.255.0
    • Router(config-if)#no shut
    • Router(config)#int f0/1
    • Router(config-if)# description VPN INT (10.1.1.0/24)
    • Router(config-if)#ip address 10.1.1.254 255.255.255.0
    • Router(config-if)#no shut
  • Basic Router Configuration (contd)
    • Configure Routing Protocol
    • Router#config t
    • Router(config)#router eigrp 1
    • Router(config-router)#network 192.168.0.0
    • Router(config-router)#network 172.16.1.0
    • Router(config-router)#network 10.0.0.0
    • IP Pool
    • Router(config)# ip local pool ip_pool 172.16.1.10 172.16.1.20
  • Configuring AAA
    • aaa new-model
    • Enables the authentication, authorization, and accounting (AAA) access control model.
    • Router(config)#aaa new-model
    • aaa session-id [ common | unique ]
    • Ensures that all session identification (ID) information sent out for a given call is identical. The default behavior is common.
    • Router(config)#aaa session-id common
  • Configuring AAA (contd)
    • aaa authentication login [ list-name ] local
    • Sets AAA authentication at login. The 'local' keyword tells AAA to use the local username database for authentication.
    • Router(config)# aaa authentication login vpn_xauth local
    • aaa authorization network [list-name] local
    • Creates a list for authorization of all network-related service requests. The 'local' keyword tells AAA to use the local username database for authorization.
    • Router(config)# aaa authorization network vpn_group local
  • Virtual Template
    • A virtual template interface is a logical entity that is created and configured dynamically, used, and then freed when no longer needed.
    • Requires the same amount of memory as a serial interface.
    • Cisco routers support a maximum of 300 virtual interfaces.
  • Benefits of Virtual Template
    • For easier maintenance, allows customized configurations to be predefined.
    • For scalability, allows interface configuration to be separated from physical interfaces.
    • For consistency and configuration ease, allows the same predefined template to be used for all users.
    • For efficient router operation, frees the virtual access interface memory for another dial-in use when the user's call ends.
  • Configuring Virtual Template
    • Router#config t
    • Router(config)# interface Virtual-Template1
    • Router(config-if)# ip unnumbered FastEthernet0/1
    • Router(config-if)# no peer default ip address
    • Router(config-if)# ppp encrypt mppe auto required
    • Router(config-if)# ppp authentication ms-chap ms-chap-v2
  • VPDN
    • A virtual private dial-up network (VPDN) allows a private network dial-in service to span across to remote access servers (defined as the L2TP Access Concentrator [LAC]).
    • The LAC forwards the PPP session on to an L2TP Network Server (LNS). The LNS then authenticates the user and starts the PPP negotiation.
    • VPDN uses the Layer 2 Forwarding protocol (L2F), which permits the tunneling of link-level frames.
  • Configuring VPDN
    • vpdn enable
    • Enables virtual private dial-up networking.
    • Router(config)#vpdn enable
    • vpdn-group [group name]
    • Creates a VPDN group, which specifies the protocol, dial-in mode and virtual template interface.
    • Router(config)# vpdn-group VPN_Server
    • Router(config-vpdn)# accept-dialin
    • Router(config-vpdn-acc-in)# protocol pptp
    • Router(config-vpdn-acc-in)# virtual-template 1
  • IPSec
    • Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications.
    • IPsec uses the following protocols to perform various functions:
      • Internet key exchange (IKE and IKEv2) to set up a security association (SA)
      • Authentication Header (AH) to provide connectionless integrity.
      • Encapsulating Security Payload (ESP) to provide confidentiality.
  • Configuring IPSec based VPN
    • crypto isakmp policy [priority]
    • Defines an Internet Key Exchange (IKE) policy. IKE policies define the set of parameters to be used during the IKE negotiation.
    • Router(config)#crypto isakmp policy 1
    • Router(config-isakmp)# encr 3des
    • Router(config-isakmp)# authentication pre-share
    • Router(config-isakmp)# group 2
  • Configuring IPSec based VPN (contd)
    • sh crypto isakmp policy
    • The command below lists the policy created by the commands on the previous slide.
    • Router#sh crypto isakmp policy
    • Global IKE policy
    • Protection suite of priority 1
    • encryption algorithm: Three key triple DES
    • hash algorithm: Secure Hash Standard
    • authentication method: Pre-Shared Key
    • Diffie-Hellman group: #2 (1024 bit)
    • lifetime: 86400 seconds, no volume limit
  • Configuring IPSec based VPN (contd)
    • crypto isakmp client configuration group [name]
    • Defines the policy profile for a client group: its pre-shared key and the IP address pool assigned to clients.
    • Router(config)#crypto isakmp client configuration group ipsec_group
    • Router(config-isakmp-group)# key ipsec
    • Router(config-isakmp-group)# pool ip_pool
    • Router(config-isakmp-group)# netmask 255.255.255.255
  • Configuring IPSec based VPN (contd)
    • crypto ipsec transform-set
    • A transform set specifies the encryption and authentication algorithms used to protect the data in the VPN Tunnel.
    • Router(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    • Router(config)# crypto dynamic-map DYNMAP 1
    • Router(config-crypto-map)# set transform-set ESP-3DES-SHA
    • Transform Set:
    • Name:ESP-3DES-SHA1
    • ESP Encryption: ESP_3DES
    • ESP Integrity: ESP_SHA_HMAC
  • Configuring IPSec based VPN (contd)
    • crypto map
    • Creates a crypto profile that provides a template for configuration.
    • Router(config)#crypto map CMAP client authentication list vpn_xauth
    • Router(config)#crypto map CMAP isakmp authorization list vpn_group
    • Router(config)#int f0/1
    • Router(config-if)#crypto map CMAP
    • Live Demonstration
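As an added example (not part of the slides or any Cisco tool), a small Python audit that scans an IOS running-config for the weak settings the configuration above relies on: a type-0 password, PPTP with MS-CHAP/MPPE, 3DES, Diffie-Hellman group 2 and a short group pre-shared key. The sample config and the 16-character key threshold are constructed assumptions.

```python
import re

# Constructed sample config assembled from the commands on the slides (not a real device's config).
SAMPLE_CONFIG = """\
username vpnuser privilege 1 password 0 Secret123
vpdn-group VPN_Server
 accept-dialin
  protocol pptp
interface Virtual-Template1
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group ipsec_group
 key ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
"""

# Each rule: (regex matched against one config line, severity, finding text).
RULES = [
    (r"^\s*username \S+ .*password 0 ", "high", "type-0 (cleartext) user password in config"),
    (r"^\s*protocol pptp\b", "high", "PPTP tunnel: MS-CHAP/MPPE are no longer considered secure"),
    (r"^\s*ppp authentication .*\bms-chap\b(?!-v2)", "high", "MS-CHAPv1 allowed"),
    (r"^\s*(encr|encryption) 3des\b", "medium", "3DES in IKE policy (64-bit block cipher)"),
    (r"^\s*group [12]\b", "medium", "Diffie-Hellman group 1/2 (1024-bit or less) in IKE policy"),
    (r"^\s*crypto ipsec transform-set \S+ .*\besp-3des\b", "medium", "3DES in IPsec transform set"),
]

def audit_ios_config(config_text, min_psk_len=16):
    """Return (line_no, severity, finding, config_line) for every weak setting found."""
    findings = []
    in_client_group = False
    for lineno, line in enumerate(config_text.splitlines(), 1):
        # Indented lines belong to the submode opened by the last top-level command.
        if not line.startswith(" "):
            in_client_group = line.startswith("crypto isakmp client configuration group")
        for pattern, severity, text in RULES:
            if re.search(pattern, line):
                findings.append((lineno, severity, text, line.strip()))
        key = re.match(r"^\s+key (\S+)$", line)  # group pre-shared key (length threshold is an assumption)
        if in_client_group and key and len(key.group(1)) < min_psk_len:
            findings.append((lineno, "high", f"group pre-shared key shorter than {min_psk_len} characters", line.strip()))
    return findings

if __name__ == "__main__":
    for lineno, severity, text, line in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {lineno:2d} [{severity}] {text}: {line}")
```

Run it against `show running-config` output saved to a file to get the same findings with line numbers; the rules are deliberately conservative and only flag what the slides configure.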