Vpn
  • Benefits: Very easy to configure and maintain. The spoke-to-spoke links are established on demand whenever there is traffic between the spokes; subsequent packets are then able to bypass the hub and use the spoke-to-spoke tunnel. After a pre-configured period of inactivity on a spoke-to-spoke tunnel, the router tears that tunnel down in order to save resources (IPsec SAs). In this way, even low-end routers (like Cisco 1600, 1700) can participate in large (1000 nodes) IPsec VPNs, provided they don't have too many simultaneous spoke-to-spoke tunnels. Limitations: The traffic profile should follow the 80-20 rule: 80% of the traffic spoke-to-hub and only 20% or less spoke-to-spoke.
  • PIX supports DPD from v6.0; it supports HSRP+-like functionality today. The 3000 supports DPD from v3.0 and RRI from v3.5; it supports HSRP+-like functionality with the clustering feature (load balancing, not HA). IOS supports HSRP+ and RRI in 12.1(9)E and 12.2(8)T, and DPD in 12.2(8)T and 12.2(1)S.
  • Transcript

    • 1. Deploying and Managing Enterprise IPsec VPNs. Ken Kaminski, Cisco Systems, Consulting Systems Engineer – Security/VPN Northeast, kkaminsk@cisco.com. SEC-210 © 2002, Cisco Systems, Inc. All rights reserved.
    • 2. IPsec - more than just crypto!
        • Security Enforcement, Firewall, IDS
        • Network Topology
        • Routing (OSPF, EIGRP) design
        • High Availability
        • Performance
        • QoS
        • Path MTU Discovery
        • Network Management
        • .............
    • 3. Agenda
        • IPsec Design Options
        • IPsec Design Issues
        • IPsec Management
    • 4. Product Function Matrix (Site-to-Site Role / Remote Access Role)
        • IOS: Site-to-Site: primary role; full fledged Site-to-Site; scales for large deployments. Remote Access: with the recent addition of the Cisco IOS VPN Client, now supported with a good feature set.
        • PIX: Integrated firewall and VPN device; PDM 2.0 includes VPN management.
        • 3000: Site-to-Site: not recommended for large-scale use due to lack of QoS, SLA monitoring, and multiprotocol routing. Remote Access: primary role; full fledged remote access solution.
    • 5. Agenda
        • IPsec Design Options: IPsec; IPsec Remote Access (EzVPN); IPsec/GRE
        • IPsec Design Issues
        • IPsec Management
    • 6. Basic IPsec Example (diagram: router 1.1.1.1 with LAN 10.1.1.0/24 connected over the Internet to peers 2.2.2.2 with 10.1.2.0/24 and 3.3.3.3 with 10.1.3.0/24)
        • IKE Policy (Phase I)
          crypto isakmp policy 1
           authentication pre-shared
           hash sha
           encryption 3des
          crypto isakmp key cisco123isabadkey address 2.2.2.2
          crypto isakmp key passwordisiabadkey address 3.3.3.3
    • 7. Basic IPsec Example (same diagram)
        • IPsec Policy (Phase II)
          crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
          !
          access-list 102 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
          access-list 103 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
    • 8. Basic IPsec Example (same diagram)
        • IPsec Policy (Phase II)
          crypto map IPSEC 20 ipsec-isakmp
           set peer 2.2.2.2
           match address 102
           set transform-set ESP-3DES-SHA
          crypto map IPSEC 30 ipsec-isakmp
           set peer 3.3.3.3
           match address 103
           set transform-set ESP-3DES-SHA
    • 9. Basic IPsec Example (same diagram)
        • Apply Crypto Map
          interface serial 0
           crypto map IPSEC
          !
          ip route 10.0.0.0 255.0.0.0 serial 0
    • 10. Basic IPsec Summary
        • Supported by IOS, PIX, VPN 3000 and several other vendors
        • Either side can initiate the tunnel
        • No support for routing protocols or multicast
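A small checker for the crypto-map configuration style of slides 6 to 9, added here as example code (not part of the deck): it parses the crypto map entries and their proxy ACLs from IOS text, reports entries missing a peer, transform set or ACL, and verifies that the Phase 2 proxy identities mirror between the two peers, which is the usual cause of a Phase 2 failure. The hub text is the slide's 1.1.1.1 configuration; the spoke text for 2.2.2.2 is an assumed mirror image that the slides do not show.

```python
from ipaddress import IPv4Network

# Constructed sample: hub side from the slides (1.1.1.1); the spoke side is an
# assumed mirror-image config for 2.2.2.2, which the slides do not show.
HUB_CFG = """
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
crypto map IPSEC 20 ipsec-isakmp
 set peer 2.2.2.2
 match address 102
 set transform-set ESP-3DES-SHA
"""
SPOKE_CFG = """
access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map IPSEC 10 ipsec-isakmp
 set peer 1.1.1.1
 match address 102
 set transform-set ESP-3DES-SHA
"""

def _addr(tok):
    """One ACL address: 'host A' or 'A WILDCARD' (an IOS wildcard is a hostmask)."""
    if tok[0] == "host":
        return IPv4Network(tok[1] + "/32"), tok[2:]
    return IPv4Network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse(cfg):
    """Return (acls, maps): {acl: [(proto, src, dst)]}, {seq: {peers, acl, ts}}."""
    acls, maps, cur = {}, {}, None
    for t in (line.split() for line in cfg.splitlines()):
        if t[:1] == ["access-list"] and t[2] == "permit":
            src, rest = _addr(t[4:])
            acls.setdefault(t[1], []).append((t[3], src, _addr(rest)[0]))
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:   # crypto map NAME SEQ ipsec-isakmp
            cur = maps.setdefault(t[3], {"peers": [], "acl": None, "ts": None})
        elif cur and t[:2] == ["set", "peer"]:
            cur["peers"].append(t[2])
        elif cur and t[:2] == ["set", "transform-set"]:
            cur["ts"] = t[2]
        elif cur and t[:2] == ["match", "address"]:
            cur["acl"] = t[2]
    return acls, maps

def lint(acls, maps):
    """Each entry needs a peer, a transform set and a proxy ACL that is actually defined."""
    issues = []
    for seq, m in maps.items():
        issues += [f"seq {seq}: missing {k}" for k in ("peers", "acl", "ts") if not m[k]]
        if m["acl"] and m["acl"] not in acls:
            issues.append(f"seq {seq}: ACL {m['acl']} is not defined")
    return issues

def unmirrored(local, local_seq, remote, remote_seq):
    """Phase 2 proxy IDs must mirror: each local (src, dst) must appear as (dst, src) on the peer."""
    (la, lm), (ra, rm) = local, remote
    mirror = {(p, d, s) for p, s, d in ra.get(rm[remote_seq]["acl"], [])}
    return [e for e in la.get(lm[local_seq]["acl"], []) if e not in mirror]
```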
    • 11. Agenda
        • IPsec Design Options: IPsec; IPsec Remote Access (EzVPN); IPsec/GRE
        • IPsec Design Issues
        • IPsec Management
    • 12. IPsec Remote Access (EzVPN) (diagram: head office 1.1.1.1 with an IOS, PIX or VPN 3000 head-end; IOS, PIX and VPN 3002 hardware clients and the VPN Client connect over the Internet)
        • Client - Server Architecture
        • Client always initiates the IPsec connection
        • Client may have a dynamic IP address
        • Very easy to configure!
        • Very scalable, no routing expertise required!
    • 13. IPsec Remote Access (EzVPN) (diagram: head office 1.1.1.1 with IOS, PIX or VPN 3000 head-end reached over the Internet)
        • Client extension mode: packets from all devices behind the EzVPN client are PATed to one IP address (then tunneled in IPsec).
        • Network extension mode: packets from all devices behind the EzVPN client are tunneled in IPsec (no PAT before IPsec).
    • 14. EzVPN Configuration example (diagram: remote office connected over the Internet to head office 1.1.1.1)
          crypto ipsec client ezvpn hw-client
           group engineering-1 key secret
           mode client
           peer 1.1.1.1
          !
          interface Ethernet1
           description connected to INTERNET
           ip address .......
           crypto ipsec client ezvpn hw-client
    • 15. Agenda
        • IPsec Design Options: IPsec; IPsec Remote Access (EzVPN); IPsec/GRE
        • IPsec Design Issues
        • IPsec Management
    • 16. IPsec/GRE: Scalable Site-to-site VPNs (diagram: sites interconnected over the Internet and Frame Relay)
        • Routing Protocol (OSPF, EIGRP...) necessary!
        • Routing (or multicast) not specified by IPsec
        • Supported in IOS using GRE/IPsec
    • 17. IPsec/GRE Example (diagram: router 1.1.1.1 connected over the Internet to peers 2.2.2.2 and 3.3.3.3)
        • IKE Policy (Phase I): same as without GRE
          crypto isakmp policy 1
           authentication pre-shared
           hash sha
           encryption 3des
          crypto isakmp key cisco123isabadkey address 2.2.2.2
          crypto isakmp key passwordisiabadkey address 3.3.3.3
    • 18. IPsec/GRE Example (diagram: tunnel 2002 from 1.1.1.1 to 2.2.2.2 and tunnel 2003 from 1.1.1.1 to 3.3.3.3 across the Internet)
        • IPsec Policy (Phase II)
          crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
           mode transport
          access-list 102 permit gre host 1.1.1.1 host 2.2.2.2
          access-list 103 permit gre host 1.1.1.1 host 3.3.3.3
    • 19. IPsec/GRE Example (same diagram)
          crypto map IPSEC 20 ipsec-isakmp
           set peer 2.2.2.2
           match address 102
           set transform-set ESP-3DES-SHA
          crypto map IPSEC 30 ipsec-isakmp
           set peer 3.3.3.3
           match address 103
           set transform-set ESP-3DES-SHA
    • 20. IPsec/GRE Example (diagram: tunnel 2002 to 2.2.2.2 numbered from 10.99.1.0/24, tunnel 2003 to 3.3.3.3 numbered from 10.99.2.0/24)
          int tunnel 2002
           ip address 10.99.1.1 255.255.255.0
           tunnel source serial 0
           tunnel destination 2.2.2.2
           crypto map IPSEC
          int tunnel 2003
           ip address 10.99.2.1 255.255.255.0
           tunnel source serial 0
           tunnel destination 3.3.3.3
           crypto map IPSEC
    • 21. IPsec/GRE Example (same diagram)
          int serial 0
           ip address 1.1.1.1 255.255.255.252
           crypto map IPSEC
          !
          ip route 2.2.2.2 255.255.255.255 serial 0
          ip route 3.3.3.3 255.255.255.255 serial 0
          !
          router ospf 1
           network 10.0.0.0 0.255.255.255 area 1
    • 22. IPsec/GRE Summary
        • IOS only (not PIX, VPN 3000)
        • Enables routing over IPsec protected tunnels
        • Enables IPsec protected multicast
        • Enables multi-protocol (IPX...)
        • Easy to configure thanks to trivial ACLs
        • Reduces the number of SAs
        • Uses standards: RFC 240x (IPsec), RFC 2784 (GRE)
        • IPinIP (RFC 2003) is an alternative to GRE
    • 23. Agenda
        • IPsec Design Options
        • IPsec Design Issues: Topologies; High Availability; Split Tunneling; Device Placement
        • IPsec Management
    • 24. Site-to-Site Full Mesh (diagram: sites fully meshed over the Internet)
        • N * (N-1) / 2 tunnels
        • Scaling issues with provisioning and routing protocols (....future Cisco features may help here...)
    • 25. Dynamic Multipoint VPN (DMVPN) 12.2(13)T
        • Objective: easy to configure full mesh IPsec VPN
        • Uses multi-point GRE interfaces
        • Uses NHRP (Next Hop Resolution Protocol)
        • Only configure the hub connection
        • Spoke learns about spoke peers dynamically
    • 26. Dynamic Multipoint VPN - DMVPN 12.2(13)T (diagram: hub with static public IP address 130.25.13.1 and addresses 10.100.1.1 / 10.100.1.0 255.255.255.0; spokes with dynamic (or static) public IP addresses and LANs 10.1.1.0 255.255.255.0 (10.1.1.1) and 10.1.2.0 255.255.255.0 (10.1.2.1). Legend: dynamic and temporary spoke-to-spoke IPsec tunnels; dynamic and permanent spoke-to-hub IPsec tunnels)
    • 27. Full Mesh: Tunnel Endpoint Discovery (TED) (diagram: sites over MPLS-VPN / Frame Relay)
        • Dynamically discover the tunnel endpoint (peer)
        • IOS since 12.0T
        • Only works with routable (public) IP addresses
        • Must be enabled in all peer routers
    • 28. TED Example (diagram: Alice (A) behind router X, Bob (B) behind router Y, Clive (Z) also on the network. X: IP traffic A to B must be protected; no SA, so send a probe. Y: traffic to B must be protected; no SA, so block and answer the probe. IKE then runs Y to X, i.e. IKE for A to B with X as proxy.)
          X(config)#crypto dynamic-map DYN 10
           set transform-set ESP-3DES-SHA
           match address 100
          !
          crypto map IPSEC 99 ipsec-isakmp dynamic DYN discover
          !
          access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
    • 29. IPsec Migration Today. Problem: migration to IPsec in large networks. Over time, between two routers:
        • 0. neither router configured
        • 1. IPsec / not configured: no communication possible
        • 2. IPsec / IPsec: all encrypted
    • 30. IPsec Passive Mode 12.2(13)T. Over time, between two routers:
        • 0. neither router configured
        • 1. passive / not configured
        • 2. passive / passive: now all routers are in passive mode
        • 3. active / passive
        • 4. active / active: now all routers are running normal IPsec
          crypto ipsec optional
    • 31. Agenda
        • IPsec Design Options
        • IPsec Design Issues: Topologies; High Availability; Split Tunneling; Device Placement
        • IPsec Management
    • 32. High-Availability Design (diagram: remote site 10.1.5.0 connected over the Internet to head-end VPN routers HE-1 and HE-2 in front of the corporate intranet). Stateless options today:
        • IPsec and Dead Peer Detection
        • IPsec and HSRP
        • IPsec/GRE: Routing Protocols
    • 33. Dead Peer Detection (IKE keepalives) (diagram: a VPN Client and remote router R1 exchange hellos across the Internet with head-ends HE-1 and HE-2 in front of the corporate intranet; P1 marks the primary peer, S1 and S2 the secondaries)
        • Supported on IOS, PIX, VPN 3000, Cisco VPN Client
        • Hellos are sent between IKE peers that have active tunnels established
        • Will detect dead peers (stale IPsec SAs)
        • On the third hello packet failure, IKE attempts to set up a new tunnel to the next peer in the list
    • 34. Dead Peer Detection vs IKE keepalives
        • DPD is an optimization to IKE keepalives: "I don't bother to check the peer by sending a keepalive if I am receiving data from the peer"
        • DPD compatibility: IOS 12.2(8)T and later; PIX 6.0 and later; VPN 3000 3.0 and later
    • 35. High Availability with Dead Peer Detection (diagram: remote connected over the Internet to HE-1 at 1.1.1.1 and HE-2 at 1.1.1.2; the HE-1 path is marked failed). Remote configuration:
          crypto map IPSEC 10 ipsec-isakmp
           match address 10
           set peer 1.1.1.1
           set peer 1.1.1.2
           set transform-set ESP-3DES-SHA
    • 36. IPsec and HSRP+ (diagram: remote connected over the Internet to head-ends HE-1 and HE-2; the HE-1 path is marked failed)
        • Supported on IOS
        • HSRP address used as tunnel endpoint
        • Active device terminates the IPsec tunnel
        • In the event of failure, the standby device takes over (SAs will be renegotiated)
    • 37. High Availability with IPsec and HSRP+ (diagram: remote connected over the Internet to HE-1 and HE-2 sharing HSRP address 1.1.1.3; the HE-1 path is marked failed)
          Head-end HE-1:
          interface Ethernet1/0
           ip address 1.1.1.1 255.255.255.248
           standby 1 ip 1.1.1.3
           standby 1 priority 200
           standby 1 preempt
           standby 1 name VPNHA
           standby 1 track Ethernet1/1 150
           crypto map VPN redundancy VPNHA

          Remote:
          crypto map IPSEC 10 ipsec-isakmp
           match address 10
           set peer 1.1.1.3
           set transform-set ESP-3DES-SHA
    • 38. Reverse Route Injection (RRI) 12.2(8)T. Because IOS is active-active, and it is not possible for the next-hop device to know which router "has" the active tunnel, Reverse Route Injection (RRI) is required for state tracking. Works with DPD and HSRP+. (diagram: remote 10.1.5.0 connected over the Internet to head-ends HE-1 and HE-2; the device behind them asks "who should I send traffic to for 10.1.5.0?")
    • 39. Reverse Route Injection Example (diagram: remote 2.2.2.2 connected over the Internet to head-ends HE-1 and HE-2 in front of the corporate intranet). Head-end configuration:
          crypto isakmp keepalive 10
          !
          crypto map vpn 20 ipsec-isakmp
           set peer 2.2.2.2
           set transform-set ESP-3DES-SHA
           match address 102
           reverse-route
          !
    • 40. RRI In Action. RRI triggers when the SA goes down. (diagram: remote 10.1.5.0/24 connected over the Internet to head-end routers P and S)
        • (1) SA established to primary; sending IKE keepalives
        • (2) Router P RRI: "I can reach 10.1.5.0"
        • (3) Head-end learns 10.1.5.0/24 via P
        • (4) Router P fails (legend: Unscheduled Immediate Memory Initialization Routine)
        • (5) Secondary active
        • (6) New SA established to secondary; sending IKE keepalives
        • (7) Router S RRI: "I can reach 10.1.5.0"
        • (8) Head-end learns 10.1.5.0/24 via S
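The failover sequence of slides 33 to 40, as an added Python model that is not code from the deck: the remote's two-entry peer list (slide 35), DPD declaring the peer dead on the third missed hello (slide 33), and RRI adding and withdrawing the remote LAN route on the head-end side as the SA comes and goes (slide 40). The head-end names P and S, the class names and the hello bookkeeping are constructed for the example.

```python
# Added model of the failover sequence on slides 33 to 40, not code from the deck:
# a remote whose crypto map lists two head-end peers, DPD declaring the peer dead
# on the third missed hello, and RRI tracking the remote LAN on the head-end side.
DPD_MAX_MISSED = 3            # third consecutive hello failure -> peer is dead

class Core:
    """Head-end side routing table: it learns the remote LAN only through RRI."""
    def __init__(self):
        self.rib = {}                        # prefix -> head-end that injected it
    def inject(self, prefix, head_end):      # 'reverse-route' when the SA comes up
        self.rib[prefix] = head_end
    def withdraw(self, prefix, head_end):    # route is removed when the SA goes down
        if self.rib.get(prefix) == head_end:
            del self.rib[prefix]
    def next_hop(self, prefix):
        return self.rib.get(prefix)

class Remote:
    """Remote router with 'set peer HE-1' / 'set peer HE-2' in its crypto map, plus DPD."""
    def __init__(self, lan, peers, core):
        self.lan, self.peers, self.core = lan, peers, core
        self.idx, self.missed, self.sa_peer, self.log = 0, 0, None, []
    def establish(self):
        """Bring up the SA to the current peer; the head-end injects our LAN via RRI."""
        self.sa_peer, self.missed = self.peers[self.idx], 0
        self.core.inject(self.lan, self.sa_peer)
        self.log.append(f"SA up to {self.sa_peer}; RRI: {self.sa_peer} can reach {self.lan}")
        return self.sa_peer
    def hello(self, answered):
        """Process one DPD hello; returns the peer holding the SA afterwards."""
        if answered:
            self.missed = 0
            return self.sa_peer
        self.missed += 1
        if self.missed < DPD_MAX_MISSED:
            return self.sa_peer
        self.core.withdraw(self.lan, self.sa_peer)   # stale SA: its RRI route disappears
        self.log.append(f"{self.sa_peer} dead after {self.missed} missed hellos")
        self.idx = (self.idx + 1) % len(self.peers)  # next peer in the 'set peer' list
        return self.establish()

def failover_demo():
    """Walk slide 40: route via P (1-3), P fails (4), route via S (5-8)."""
    core = Core()
    remote = Remote("10.1.5.0/24", ["P", "S"], core)
    before = core.next_hop("10.1.5.0/24")          # nothing injected yet -> None
    remote.establish()
    via_primary = core.next_hop("10.1.5.0/24")     # "P"
    remote.hello(True)                             # P alive: hello answered
    for _ in range(DPD_MAX_MISSED):                # P has crashed: hellos go unanswered
        remote.hello(False)
    via_secondary = core.next_hop("10.1.5.0/24")   # "S"
    return before, via_primary, via_secondary, remote.log
```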
    • 41. High Availability with IPsec/GRE (diagram: remote connected over the Internet to head-ends HE-1 and HE-2 in front of the corporate intranet)
        • Just plain routing! (OSPF, EIGRP...)
        • Routing copes with some failures other methods can't detect
        • Local and geographical redundancy possible
        • The IPsec and GRE tunnels are always up (except under failure conditions), since routing protocols are always running
    • 42. High Availability with IPsec/GRE (diagram: remote has tunnel 1 to HE-1 and tunnel 2 to HE-2 across the Internet)
          Remote:
          !
          int tunnel 1
           ......
           ip ospf cost 10
          !
          int tunnel 2
           .....
           ip ospf cost 20

          HE-1:
          int tunnel 1
           ......
           ip ospf cost 10

          HE-2:
          int tunnel 2
           ......
           ip ospf cost 10
    • 43. Local/Geographical Failover/Load-Balancing
        • The Cisco VPN Client supports the notion of backup servers for high availability (PIX, 3000, and IOS compatible)
        • The 3000 Concentrator also supports local clustering, which supports local load sharing (not geographical)
        • DNS resolution based load balancing could also be used, as the client resolves the FQDN of the head-end device (geographical)
    • 44. High Availability Summary. Key: DPD = Dead Peer Detection; RP = Routing Protocol; RRI = Reverse Route Injection
          Remote device | IOS head-end               | PIX head-end  | 3000 head-end
          IOS           | RP, DPD (RRI), HSRP+ (RRI) | DPD           | DPD (RRI)
          PIX           | HSRP+ (RRI), DPD (RRI)     | Failover, DPD | DPD (RRI)
          3000          | HSRP+ (RRI), DPD (RRI)     | DPD           | DPD (RRI)
    • 45. Agenda
        • IPsec Design Options
        • IPsec Design Issues: Topologies; High Availability; Split Tunneling; Device Placement
        • IPsec Management
    • 46. Split Tunneling (diagram: a hardware VPN client with split tunneling enabled; Internet traffic, for example to www.evilhackers.com, is NATed and sent directly to the Internet, while corporate traffic goes through the VPN tunnel with no NAT)
    • 47. Split Tunneling
        • Should it be allowed? Policy decision!
        • If allowed, a firewall is needed at the remote end
        • Cisco VPN Client - $0 firewall: by default stops incoming connections and allows outgoing connections; firewall active even when the VPN client is not connected; firewall policies can be pushed from the VPN 3000 concentrator
    • 48. Agenda
        • IPsec Design Options
        • IPsec Design Issues: Topologies; High Availability; Split Tunneling; Device Placement
        • IPsec Management
    • 49. VPN Device with separate Firewall (diagram, from WAN edge to campus: VPN termination device, DMZ, firewall)
        • VPN termination device: focused role; stateless L3 filtering (IKE, ESP); DoS mitigation
        • Firewall: Layer 4–7 analysis; L4–L7 stateful inspection and filtering
        • The DMZ between them carries the decrypted traffic ("nothing to see, crypto-wise") for the firewall to inspect
    • 50. Agenda
        • IPsec Design Options
        • IPsec Design Issues
        • IPsec Management
    • 51. VPN Management
        • Nothing dramatically new: configuration management, performance management, fault management, software updates
        • Many of the same tools apply: SNMP, TFTP, SSH
        • Management traffic should be encrypted (IPsec vs SSH)
    • 52. VPN Management Applications
        • Device Managers (on the box): PDM (PIX Device Manager); VDM (VPN Device Manager for IOS and 3000)
        • VPN/Security Management Solution (VMS) 2.1: IOS, IDS, PIX; multiple Device Centers
        • VPN Solution Center (VPNSC): primary focus Service Providers
    • 53. VPN/Security Management Solution 2.1: Management Centers (MCs) for VPN Routers, PIX Firewall, IDS Sensors
    • 54. VMS 2.1 / Router MC
        • Web based
        • IOS IPsec/GRE (Hub/Spoke topologies)
        • Workflow approach (create task / approve task)
        • Grouping of devices / apply policy on group
    • 55. VMS 2.1 / VPN Monitor
        • Performance monitoring of IOS and VPN 3000: number of tunnels; status/performance of tunnels; performance threshold violations