2. Major Concepts
• Describe the purpose and operation of VPN types
• Describe the purpose and operation of GRE VPNs
• Describe the components and operations of IPsec VPNs
• Configure and verify a site-to-site IPsec VPN with preshared key authentication using CLI
• Configure and verify a site-to-site IPsec VPN with preshared key authentication using SDM
• Configure and verify a Remote Access VPN
3. Lesson Objectives
Upon completion of this lesson, the successful participant will
be able to:
1. Describe the purpose and operation of VPNs
2. Differentiate between the various types of VPNs
3. Identify the Cisco VPN product line and the security features of
these products
4. Configure a site-to-site VPN GRE tunnel
5. Describe the IPSec protocol and its basic functions
6. Differentiate between AH and ESP
7. Describe the IKE protocol and modes
8. Describe the five steps of IPSec operation
4. Lesson Objectives
9. Describe how to prepare IPSec by ensuring that ACLs are
compatible with IPSec
10. Configure IKE policies using the CLI
11. Configure the IPSec transform sets using the CLI
12. Configure the crypto ACLs using the CLI
13. Configure and apply a crypto map using the CLI
14. Describe how to verify and troubleshoot the IPSec configuration
15. Describe how to configure IPSec using SDM
16. Configure a site-to-site VPN using the Quick Setup VPN Wizard
in SDM
17. Configure a site-to-site VPN using the step-by-step VPN Wizard
in SDM
5. Lesson Objectives
18. Verify, monitor and troubleshoot VPNs using SDM
19. Describe how an increasing number of organizations are
offering telecommuting options to their employees
20. Differentiate between Remote Access IPSec VPN solutions and
SSL VPNs
21. Describe how SSL is used to establish a secure VPN
connection
22. Describe the Cisco Easy VPN feature
23. Configure a VPN Server using SDM
24. Connect a VPN client using the Cisco VPN Client software
Bach Khoa Institute of Information Technology - Website: www.bkacad.com
6. What is a VPN?
• A VPN is a private network that is created via tunneling over a public network, usually the Internet.
• Instead of using a dedicated physical connection, a VPN uses virtual connections routed through the Internet from the organization to the remote site.
7. Benefits of VPN
• Cost savings:
  – VPNs eliminate expensive dedicated WAN links and modem banks.
  – Additionally, with the advent of cost-effective, high-bandwidth technologies, such as DSL, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
• Security:
  – VPNs use advanced encryption and authentication protocols that protect data from unauthorized access.
• Scalability:
  – Because VPNs use the Internet infrastructure, it is easy to add new users; corporations can add significant capacity without adding significant infrastructure.
• Compatibility with broadband technology:
  – DSL, cable, broadband wireless…
8. Layer 3 VPN
[Figure: IPsec VPN across the Internet between a corporate site and a SOHO with a Cisco DSL router]
• Generic routing encapsulation (GRE): point-to-point site connections
• Multiprotocol Label Switching (MPLS): can establish any-to-any connectivity to many sites
• IPsec: point-to-point site connections
9. Layer 3 VPN
• VPNs can be built at either Layer 2 or Layer 3 of the OSI model. Establishing connectivity between sites over a Layer 2 or a Layer 3 VPN is the same in principle. This chapter focuses on Layer 3 VPN technology.
• Layer 3 VPNs:
  – GRE: point-to-point site connections
  – MPLS: any-to-any site connections
  – IPsec: point-to-point site connections
10. Types of VPN Networks
• There are two types of VPN networks:
  – Site-to-site
  – Remote-access
11. Site-to-Site VPN
• A site-to-site VPN is created when connection devices on both sides of the VPN connection are aware of the VPN configuration in advance.
• The VPN remains static, and internal hosts have no knowledge that a VPN exists.
• Frame Relay, ATM, GRE, and MPLS VPNs are examples of site-to-site VPNs.
• In a site-to-site VPN, hosts send and receive normal TCP/IP traffic through a VPN gateway, which can be a router, firewall, Cisco VPN Concentrator, or Cisco ASA 5500 Series Adaptive Security Appliance.
• The VPN gateway is responsible for encapsulating and encrypting outbound traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site.
• Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
12. Remote-Access VPNs
• A remote-access VPN is created when VPN information is not statically set up, but instead allows for dynamically changing information and can be enabled and disabled.
• Remote-access VPNs can support the needs of telecommuters, mobile users, and extranet consumer-to-business traffic.
• Remote-access VPNs support a client/server architecture where a VPN client (remote host) requires secure access to the enterprise network via a VPN server device at the network edge.
14. Cisco IOS SSL VPN
• Provides remote-access connectivity from almost any Internet-enabled host using a web browser and its native Secure Sockets Layer (SSL) encryption.
• Delivers two modes of access:
  – Clientless: A remote client needs only an SSL-enabled web browser to access HTTP- or HTTPS-enabled web servers on the corporate LAN.
  – Thin client: A remote client must download a small, Java-based applet for secure access to TCP applications that use static port numbers. UDP is not supported in a thin client environment.
• SSL VPNs are appropriate for user populations that require per-application or per-server access control, or access from non-enterprise-owned desktops. SSL VPNs are not a complete replacement for IPsec VPNs.
15. Cisco VPN Product Family
Product Choice | Remote-Access VPN | Site-to-Site VPN
Cisco VPN-Enabled Router | Secondary role | Primary role
Cisco PIX 500 Series Security Appliances | Secondary role | Primary role
Cisco ASA 5500 Series Adaptive Security Appliances | Primary role | Secondary role
Cisco VPN 3000 Series Concentrators | Primary role | Secondary role
Home Routers (SOHO Routers) | Primary role | Secondary role
16. VPN Solutions
Cisco provides a suite of VPN-optimized routers. Cisco IOS software for routers combines VPN services with routing services. The Cisco VPN software adds strong security using encryption and authentication.
The Cisco IOS feature sets incorporate many VPN features:
  – Voice and Video Enabled VPN (V3PN)
  – IPsec stateful failover
  – Dynamic Multipoint Virtual Private Network (DMVPN)
  – IPsec and MPLS integration
  – Cisco Easy VPN
17. VPN features
• Voice and Video Enabled VPN (V3PN) - Integrates IP telephony, QoS, and IPsec, providing an end-to-end VPN service that helps ensure the timely delivery of latency-sensitive applications such as voice and video.
• IPsec stateful failover - Provides fast and scalable network resiliency for VPN sessions between remote and central sites. With both stateless and stateful failover solutions available, such as Hot Standby Router Protocol (HSRP), IPsec stateful failover ensures maximum uptime of mission-critical applications.
• Dynamic Multipoint Virtual Private Network (DMVPN) - Enables the auto-provisioning of site-to-site IPsec VPNs, combining three Cisco IOS software features: Next Hop Resolution Protocol (NHRP), multipoint GRE, and IPsec VPN. This combination eases the provisioning challenges for customers and provides secure connectivity between all locations.
18. VPN features
• IPsec and MPLS integration
  – Enables ISPs to map IPsec sessions directly into an MPLS VPN.
  – This solution can be deployed on co-located edge routers that are connected to a Cisco IOS software MPLS provider edge (PE) network.
• Cisco Easy VPN
  – Simplifies VPN deployment for remote offices and teleworkers.
  – The Cisco Easy VPN solution centralizes VPN management across all Cisco VPN devices, thus reducing the management complexity of VPN deployments.
19. Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco ASA 5500 Series Adaptive Security Appliances offer flexible technologies that deliver tailored solutions to suit remote-access and site-to-site connectivity requirements.
• These appliances provide easy-to-manage IPsec and SSL VPN-based remote-access and network-aware, site-to-site VPN connectivity.
• These are some of the features that Cisco ASA 5500 Series Adaptive Security Appliances provide:
  – Flexible platform
  – Resilient clustering
  – Cisco Easy VPN
  – Automatic Cisco VPN Client updates
  – Cisco IOS SSL VPN
  – VPN infrastructure for contemporary applications
  – Integrated web-based management
20. Cisco ASA 5500 Series Adaptive Security Appliances
• Each Cisco ASA 5500 Series Adaptive Security Appliance supports a
number of VPN peers:
– Cisco ASA 5505 - 10 IPsec VPN peers and 25 SSL VPN peers, with a Base
license, and 25 VPN peers (IPsec or SSL) with the Security Plus license
– Cisco ASA 5510 - 250 VPN peers
– Cisco ASA 5520 - 750 VPN peers
– Cisco ASA 5540 - 5000 IPsec VPN peers and 2500 SSL VPN peers
– Cisco ASA 5550 - 5000 VPN peers
21. IPSec Clients
Cisco remote-access VPNs can use four IPsec clients:
• Certicom client: A wireless client that is loaded on to wireless personal digital assistants (PDAs) running the Palm or Microsoft Windows Mobile operating systems.
• Cisco VPN Client software: Loaded on the PC or laptop of an individual, the Cisco VPN Client allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers.
• Cisco Remote Router VPN Client: A Cisco remote router, configured as a VPN client, that connects small office, home office (SOHO) LANs to the VPN.
• Cisco AnyConnect VPN Client: Next-generation VPN client that provides remote users with secure VPN connections to the Cisco 5500 Series Adaptive Security Appliance running Cisco ASA 5500 Series Software Version 8.0 and higher or Cisco ASDM Version 6.0 and higher.
22. Hardware Acceleration Modules
To enhance performance and offload the encryption task to specialized hardware, the Cisco VPN family of devices offers hardware acceleration modules:
• AIM: Advanced integration modules are installed inside the router chassis and offload encryption tasks from the router CPU.
• Cisco IPsec VPN Shared Port Adapter (SPA): Delivers scalable and cost-effective VPN performance for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers.
• Cisco PIX VPN Accelerator Card+ (VAC+): The PIX Firewall VAC+ delivers hardware acceleration up to 425 Mb/s of DES, 3DES, or AES IPsec encryption throughput.
[Figure: Cisco IPsec VPN SPA]
23. GRE VPN Overview
25. Configuring a GRE Tunnel
There are five steps to configuring a GRE tunnel:
• Step 1. Create a tunnel interface using the interface tunnel 0 command.
• Step 2. Assign the tunnel an IP address.
• Step 3. Identify the source tunnel interface using the tunnel source command.
• Step 4. Identify the destination of the tunnel using the tunnel destination command.
• Step 5. Configure which protocol GRE will encapsulate using the tunnel mode gre command.
26. Configuring a GRE Tunnel
On each router: create the tunnel interface, assign it an IP address, identify the tunnel source and destination, and configure which protocol GRE will encapsulate. Note that each router's tunnel destination is the other router's tunnel source address.

R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 192.168.5.5
R1(config-if)# tunnel mode gre ip

R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 192.168.3.3
R2(config-if)# tunnel mode gre ip
27. Using GRE
• GRE can be used to tunnel non-IP traffic over an IP network.
• IPsec only supports unicast traffic. GRE supports all types of traffic.
• Routing protocols are supported in GRE.
• GRE does not provide encryption.
28. IPSec Topology
[Figure: IPsec across the Internet between a main site (perimeter router, PIX or ASA firewall, concentrator, legacy POP) and a business partner with a Cisco router, a regional office with a Cisco PIX Firewall, a SOHO with a Cisco ISDN/DSL router, and a mobile worker with the Cisco VPN Client on a laptop computer]
• IPsec works at the network layer, protecting and authenticating IP packets.
  – It is a framework of open standards which is algorithm-independent.
  – It provides security: data confidentiality, data integrity, and origin authentication.
29. Essential security of IPsec
• Confidentiality: IPsec ensures confidentiality by using encryption.
• Integrity: IPsec ensures that data arrives unchanged at the destination using a hash algorithm such as MD5 or SHA.
• Authentication: IPsec uses Internet Key Exchange (IKE) to authenticate users and devices that can carry out communication independently. IKE uses several types of authentication, including username and password, one-time password, biometrics, pre-shared keys (PSKs), and digital certificates.
• Secure key exchange: IPsec uses the DH algorithm to provide a public key exchange method for two peers to establish a shared secret key.
31. Confidentiality
• Confidentiality is achieved through encryption of traffic as it travels down the VPN.
• The degree of security depends on the length of the key of the encryption algorithm.
• The following are some encryption algorithms and key lengths that VPNs use:
  – DES: Uses a 56-bit key. DES is a symmetric key cryptosystem.
  – 3DES: A variant of DES. 3DES uses three independent 56-bit encryption keys per 64-bit block. 3DES is a symmetric key cryptosystem.
  – AES: Provides stronger security than DES and is computationally more efficient than 3DES. AES is a symmetric key cryptosystem.
  – Software-Optimized Encryption Algorithm (SEAL): Uses a 160-bit key. SEAL is a symmetric key cryptosystem.
33. Integrity
• Hashed Message Authentication Code (HMAC) is a data integrity algorithm that guarantees the integrity of the message using a hash value computed over the message and a shared secret key.
34. Integrity
There are two common HMAC algorithms:
• HMAC-Message Digest 5 (HMAC-MD5): The variable-length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash.
• HMAC-Secure Hash Algorithm 1 (HMAC-SHA-1): The variable-length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash.
HMAC-SHA-1 is considered cryptographically stronger than HMAC-MD5. It is recommended when slightly superior security is important.
35. Authentication
• The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure.
• There are two primary methods of configuring peer authentication:
  – Pre-shared Keys (PSKs) - A pre-shared secret key value is entered into each peer manually and is used to authenticate the peer.
  – RSA signatures - The exchange of digital certificates authenticates the peers.
36. Pre-shared Key (PSK)
• At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.
• The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.
37. RSA Signatures
• At the local device, the authentication key and identity information (device-specific information) are sent
through the hash algorithm forming hash_I. hash_I is encrypted using the local device's private
encryption key creating a digital signature. The digital signature and a digital certificate are forwarded to
the remote device. The public encryption key for decrypting the signature is included in the digital
certificate. The remote device verifies the digital signature by decrypting it using the public encryption
key. The result is hash_I.
• Next, the remote device independently creates hash_I from stored information. If the calculated hash_I
equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the
local device, the authentication process begins in the opposite direction and all steps are repeated from
the remote device to the local device.
38. Secure Key Exchange
• Encryption algorithms (DES, 3DES…) as well as the hashing algorithms (MD5, SHA) require a symmetric, shared secret key to perform encryption and decryption.
• How do the encrypting and decrypting devices get the shared secret key?
• The Diffie-Hellman (DH) key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key that only they know.
• There are four DH groups: 1, 2, 5, and 7.
39. IPSec Framework Protocols
[Figure: R1 to R2 using AH, with all data in plaintext; R1 to R2 using ESP, with the data payload encrypted]
• Authentication Header (AH): all data is in plaintext. AH provides authentication and integrity.
• Encapsulating Security Payload (ESP): the data payload is encrypted. ESP provides encryption, authentication, and integrity.
41. Authentication Header
[Figure: AH processing from R1 across the Internet to R2]
1. The IP header and data payload are hashed (IP Header + Data + Key → Hash, e.g. 00ABCDEF).
2. The hash builds a new AH header, which is prepended to the original packet (IP HDR | AH | Data); the AH header carries the Authentication Data (00ABCDEF).
3. The new packet is transmitted to the IPsec peer router.
4. The peer router hashes the IP header and data payload (IP Header + Data + Key), extracts the transmitted hash, and compares the received hash with the recomputed hash (00ABCDEF = 00ABCDEF).
43. Function of ESP
[Figure: the original packet (IP HDR | Data) becomes New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth Data; the span from IP HDR through ESP Trailer is encrypted, and the span from ESP HDR through ESP Trailer is authenticated]
• Provides confidentiality with encryption
• Provides integrity with authentication
44. Mode Types
• Transport Mode: Protects the payload and transport layer but leaves the original IP header in plaintext. The original IP header is used to route the packet through the Internet. Works well with GRE.
• Tunnel Mode: Protects the complete original IP packet. The original IP packet is encrypted and then encapsulated in another IP packet. The packet is routed by the outside IP address. Used in the IPsec remote-access application.
45. Security Associations
• The negotiated parameters between two devices are known as a security association (SA).
• A VPN has SA entries defining the IPsec encryption parameters as well as SA entries defining the key exchange parameters.
• Diffie-Hellman (DH) is used to create the shared secret key.
• IPsec uses the Internet Key Exchange (IKE) protocol to establish the key exchange process.
• IKE is layered on UDP and uses UDP port 500 to exchange IKE information.
46. IKE Phases
[Figure: Host A (10.0.1.3) – R1 – R2 – Host B (10.0.2.3); R1 has Policy 10 and R2 has Policy 15, both DES, MD5, pre-share, DH1, lifetime]
IKE Phase 1 Exchange:
1. Negotiate IKE policy sets
2. DH key exchange
3. Verify the peer identity
IKE Phase 2 Exchange:
• Negotiate IPsec policy
47. IKE Phase 1 – First Exchange
Negotiate IKE Proposals
[Figure: Host A (10.0.1.3) – R1 – R2 – Host B (10.0.2.3). IKE policy sets: Policy 10 (DES, MD5, pre-share, DH1, lifetime), Policy 15 (DES, MD5, pre-share, DH1, lifetime), Policy 20 (3DES, SHA, pre-share, DH1, lifetime)]
Negotiates matching IKE policies to protect the IKE exchange.
48. IKE Phase 1 – Second Exchange
Establish DH Key
[Figure: Alice and Bob exchanging DH public values]
Alice: private value XA, public value YA = g^XA mod p
Bob: private value XB, public value YB = g^XB mod p
Alice sends YA to Bob; Bob sends YB to Alice.
Alice computes (YB)^XA mod p = K; Bob computes (YA)^XB mod p = K.
A DH exchange is performed to establish keying material.
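A worked instance of the exchange above, added here as an illustration (it is not from the original slides), using deliberately tiny parameters p = 23 and g = 5 so the arithmetic can be checked by hand:

```latex
\text{Public parameters: } p = 23,\quad g = 5 \\
\text{Alice: } X_A = 6,\quad Y_A = g^{X_A} \bmod p = 5^{6} \bmod 23 = 15625 \bmod 23 = 8 \\
\text{Bob: } X_B = 15,\quad Y_B = g^{X_B} \bmod p = 5^{15} \bmod 23 = 19 \\
\text{Alice receives } Y_B \text{ and computes } K = (Y_B)^{X_A} \bmod p = 19^{6} \bmod 23 = 2 \\
\text{Bob receives } Y_A \text{ and computes } K = (Y_A)^{X_B} \bmod p = 8^{15} \bmod 23 = 2 \\
\text{Both sides agree because } (g^{X_B})^{X_A} = g^{X_A X_B} = (g^{X_A})^{X_B} \pmod p
```

An eavesdropper sees only p, g, Y_A and Y_B, and recovering K requires solving for X_A or X_B (the discrete logarithm); that is trivial for p = 23 but infeasible at the modulus sizes IKE uses, which is why DH group 1 (768-bit) is the weakest choice and larger groups are preferred.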
49. IKE Phase 1 – Third Exchange
Authenticate Peer
[Figure: remote office and corporate office (HR servers) performing peer authentication across the Internet]
Peer authentication methods:
• PSKs
• RSA signatures
• RSA encrypted nonces
A bidirectional IKE SA is now established.
50. IKE Phase 1 – Aggressive Mode
• The three exchanges of IKE Phase 1 transpire in what is called main mode.
• IKE Phase 1 can also transpire in aggressive mode.
• Aggressive mode is faster than main mode because there are fewer exchanges.
• Aggressive mode compresses the IKE SA negotiation phases into one exchange with three packets. Main mode requires three exchanges with six packets.
51. IKE Phase 1 – Aggressive Mode
Aggressive mode packets include:
• First packet - The initiator packages everything needed for the SA
negotiation in the first message, including its DH public key.
• Second packet - The recipient responds with the acceptable
parameters, authentication information, and its DH public key.
• Third packet - The initiator then sends a confirmation that it
received that information.
52. IKE Phase 2
[Figure: Host A (10.0.1.3) – R1 – R2 – Host B (10.0.2.3); R1 and R2 negotiate IPsec security parameters]
IKE Phase 2 performs the following functions:
• Negotiates IPsec security parameters, known as IPsec transform sets
• Establishes IPsec SAs
• Periodically renegotiates IPsec SAs to ensure security
• Optionally performs an additional DH exchange
53. IPSec VPN Negotiation
[Figure: Host A (10.0.1.3) – R1 – R2 – Host B (10.0.2.3)]
1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session (IKE SA).
3. R1 and R2 negotiate an IKE Phase 2 session (IPsec SA).
4. Information is exchanged via the IPsec tunnel.
5. The IPsec tunnel is terminated.
54. Configuring IPsec
Tasks to Configure IPsec:
Task 1: Ensure that ACLs are compatible with IPsec.
Task 2: Create ISAKMP (IKE) policy.
Task 3: Configure IPsec transform set.
Task 4: Create a crypto ACL.
Task 5: Create and apply the crypto map.
55. Task 1: Configure Compatible ACLs
[Figure: Site 1, 10.0.1.0/24 (host 10.0.1.3) – R1 S0/0/0 172.30.1.2 – Internet – R2 S0/0/0 172.30.2.2 – Site 2, 10.0.2.0/24 (host 10.0.2.3); AH, ESP and IKE traffic crosses the outside interfaces]
• Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec.
70. Task 5: Apply the Crypto Map
71. Crypto Map Command
router(config)#
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]

crypto map parameters:
map-name – Defines the name assigned to the crypto map set or indicates the name of the crypto map to edit.
seq-num – The number assigned to the crypto map entry.
ipsec-manual – Indicates that ISAKMP will not be used to establish the IPsec SAs.
ipsec-isakmp – Indicates that ISAKMP will be used to establish the IPsec SAs.
cisco – (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic.
dynamic – (Optional) Specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available.
dynamic-map-name – (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.
72. Crypto Map Configuration-Mode Commands
set – Used with the peer, pfs, transform-set, and security-association commands.
set peer [hostname | ip-address] – Specifies the allowed IPsec peer by IP address or hostname.
set pfs [group1 | group2] – Specifies DH Group 1 or Group 2.
set transform-set [set_name(s)] – Specifies a list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified.
set security-association lifetime – Sets SA lifetime parameters in seconds or kilobytes.
match address [access-list-id | name] – Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP extended ACL being matched.
no – Used to delete commands entered with the set command.
exit – Exits crypto map configuration mode.
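The five tasks (compatible ACLs, ISAKMP policy, transform set, crypto ACL, crypto map) carried through for the Task 1 topology, as an added example that is not from the original slides: R1 (S0/0/0 172.30.1.2, LAN 10.0.1.0/24) and R2 (S0/0/0 172.30.2.2, LAN 10.0.2.0/24). The serial mask, the pre-shared key, the names VPN-SET and VPN-MAP, the ACL numbers 101 and 110, and the choice of AES-256/SHA/DH group 5 are assumptions made for this example.

```cisco
! ===== R1 =====
! Task 1: the inbound ACL on the Internet-facing interface must permit
! ESP (IP protocol 50), AH (51) and ISAKMP (UDP 500) from the peer.
! The last entry permits the decrypted inner traffic, which IOS checks
! against the inbound ACL again after decryption.
access-list 101 permit esp host 172.30.2.2 host 172.30.1.2
access-list 101 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 101 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
! (entries for any other inbound traffic the site allows go here)

! Task 2: ISAKMP (IKE Phase 1) policy; R2 must have a matching policy
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! pre-shared key bound to the peer address (assumed placeholder value;
! use a long random key in a real deployment)
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 172.30.2.2

! Task 3: IPsec transform set (IKE Phase 2 proposal), tunnel mode
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
 mode tunnel

! Task 4: crypto ACL = the "interesting traffic" that triggers the
! tunnel and is protected by it; R2's crypto ACL is the mirror image
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

! Task 5: crypto map ties peer, transform set and crypto ACL together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set VPN-SET
 set pfs group5
 match address 110

! apply the crypto map (and the compatible ACL) to the outside interface
interface Serial0/0/0
 ip address 172.30.1.2 255.255.255.0
 ip access-group 101 in
 crypto map VPN-MAP

! ===== R2 (mirror image of R1) =====
access-list 101 permit esp host 172.30.1.2 host 172.30.2.2
access-list 101 permit ahp host 172.30.1.2 host 172.30.2.2
access-list 101 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 172.30.1.2
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
 mode tunnel
access-list 110 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 172.30.1.2
 set transform-set VPN-SET
 set pfs group5
 match address 110
interface Serial0/0/0
 ip address 172.30.2.2 255.255.255.0
 ip access-group 101 in
 crypto map VPN-MAP

! Verification: after 10.0.1.3 sends traffic to 10.0.2.3,
! "show crypto isakmp sa" should list the peer in state QM_IDLE and
! "show crypto ipsec sa" should show increasing #pkts encaps/decaps.
```

If Phase 1 never reaches QM_IDLE, compare "show crypto isakmp policy" on both routers first, since a mismatch in encryption, hash, authentication, DH group or lifetime is the most common reason the negotiation fails.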
74. Assign the Crypto Map Set
75. CLI Commands
show crypto map – Displays configured crypto maps
show crypto isakmp policy – Displays configured IKE policies
show crypto ipsec sa – Displays established IPsec tunnels
show crypto ipsec transform-set – Displays configured IPsec transform sets
debug crypto isakmp – Debugs IKE events
debug crypto ipsec – Debugs IPsec events
76. show crypto map
77. show crypto isakmp policy
78. show crypto ipsec transform-set
79. show crypto ipsec sa
81. Use SDM - Starting a VPN Wizard
1. Click Configure in the main toolbar.
2. Click the VPN button to open the VPN page.
3. Choose a wizard (the wizards for IPsec solutions include types of VPNs and individual IPsec components).
4. Click the VPN implementation subtype (the subtypes vary based on the VPN wizard chosen).
5. Click the Launch the Selected Task button.
82. VPN Components
[Figure: the VPN Components pane in SDM]
• VPN Wizards
• Individual IPsec components used to build VPNs
• SSL VPN parameters
• Easy VPN server parameters
• Public key certificate parameters
• Encrypt VPN passwords
83. Configuring a Site-to-Site VPN
Choose Configure > VPN > Site-to-Site VPN
Click the Create a Site-to-Site VPN
Click the Launch the Selected Task button
84. Site-to-Site VPN Wizard
Choose the wizard mode
Click Next to proceed to the configuration of parameters.
85. Quick Setup
Configure the parameters
• Interface to use
• Peer identity information
• Authentication method
• Traffic to encrypt
87. Step-by-Step Wizard
1. Choose the outside interface that is used to connect to the IPsec peer.
2. Specify the IP address of the peer.
3. Choose the authentication method and specify the credentials.
4. Click Next.
88. Creating a Custom IKE Proposal
1. Click Add to define a proposal.
2. Make the selections to configure the IKE policy and click OK.
3. Click Next.
89. Creating a Custom IPSec Transform Set
1. Click Add.
2. Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation and optional compression.
3. Click Next.
90. Protecting Traffic Subnet to Subnet
1. Click Protect All Traffic Between the Following Subnets.
2. Define the IP address and subnet mask of the local network.
3. Define the IP address and subnet mask of the remote network.
91. Protecting Traffic Custom ACL
1. Click the Create/Select an Access-List for IPSec Traffic radio button.
2. Click the ellipsis button to choose an existing ACL or create a new one.
3. To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option.
92. Add a Rule
1. Give the access rule a name and description.
2. Click Add.
93. Configuring a New Rule Entry
1. Choose an action and enter a description of the rule entry.
2. Define the source hosts or networks in the Source Host/Network pane and the destination hosts or networks in the Destination Host/Network pane.
3. (Optional) To provide protection for specific protocols, choose the specific protocol radio button and the desired port numbers.
94. Configuration Summary
• Click Back to modify the configuration.
• Click Finish to complete the configuration.
95. Verify VPN Configuration
Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN
• Check VPN status.
• Create a mirroring configuration if no Cisco SDM is available on the peer.
• Test the VPN configuration.
96. Monitor
Choose Monitor > VPN Status > IPSec Tunnels
1. The IPsec Tunnels view lists all IPsec tunnels, their parameters, and status.
98. Telecommuting
• Flexibility in working location and working hours
• Employers save on real estate, utility and other overhead costs
• Succeeds if the program is voluntary, subject to management discretion, and operationally feasible
H c vi n công ngh thông tin Bach Khoa - Website: www.bkacad.com
99. Telecommuting Benefits
• Organizational benefits:
– Continuity of operations
– Increased responsiveness
– Secure, reliable, and manageable access to information
– Cost-effective integration of data, voice, video, and applications
– Increased employee productivity, satisfaction, and retention
• Social benefits:
– Increased employment opportunities for marginalized groups
– Less travel and commuter related stress
• Environmental benefits:
– Reduced carbon footprints, both for individual workers and organizations
101. Methods for Deploying Remote Access
Diagram: two deployment methods, IPsec Remote Access VPN and SSL-Based VPN, both offering Any Application, Anywhere Access.
102. Comparison of SSL and IPSec
• Applications
– SSL: Web-enabled applications, file sharing, e-mail
– IPsec: All IP-based applications
• Encryption
– SSL: Moderate; key lengths from 40 bits to 128 bits
– IPsec: Stronger; key lengths from 56 bits to 256 bits
• Authentication
– SSL: Moderate; one-way or two-way authentication
– IPsec: Strong; two-way authentication using shared secrets or digital certificates
• Ease of Use
– SSL: Very high
– IPsec: Moderate; can be challenging to nontechnical users
• Overall Security
– SSL: Moderate; any device can connect
– IPsec: Strong; only specific devices with specific configurations can connect
103. SSL VPNs
• Integrated security and routing
• Browser-based full network SSL VPN access
Diagram: an SSL VPN client reaches Workplace Resources at Headquarters through an SSL VPN Tunnel across the Internet.
104. Types of Access
105. Full Tunnel Client Access Mode
106. Establishing an SSL Session
Diagram: a user using an SSL client on one side, an SSL VPN enabled ISR router on the other.
1. User makes a connection to TCP port 443.
2. Router replies with a digitally signed public key.
3. User software creates a shared-secret key.
4. Shared-secret key, encrypted with the public key of the server, is sent to the router.
5. Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm.
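The five steps above, carried through as an added example that is not from the slides or from any Cisco product. It uses textbook RSA with demo-sized 512-bit keys (no padding; real deployments use far larger keys and proper padding) for the CA signature over the router's public key and for the key transport, and a constructed SHA-256 counter keystream as a stand-in for the symmetric bulk cipher of step 5. The class and function names (SslVpnRouter, SslClient, run_session) are this example's own. The point it adds to the slide is step 2: the client only proceeds if the "digitally signed public key" verifies under a CA it already trusts, and refuses a router whose key was signed by anyone else.

```python
# Added example, not from the original slides or any Cisco product: a simulation
# of the five-step SSL session setup, with textbook RSA (demo-sized keys, no
# padding) and a constructed SHA-256 keystream standing in for the bulk cipher.
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test, adequate for generating demo-sized RSA primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top and low bit set
        if is_probable_prime(cand):
            return cand


def gen_rsa(bits=512):
    """Return (d, e, n). e is prime, so gcd(e, phi) == 1 exactly when phi % e != 0."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return pow(e, -1, phi), e, p * q


def pubkey_digest(pub):
    """Integer SHA-256 of the public key: the value the CA signs."""
    e, n = pub
    return int.from_bytes(hashlib.sha256(f"{e}:{n}".encode()).digest(), "big")


def keystream_xor(key, data):
    """Constructed stand-in for a symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class SslVpnRouter:
    """The SSL VPN enabled ISR router: an RSA key pair plus a CA signature over the public key."""

    def __init__(self, ca_private):
        self.d, e, n = gen_rsa()
        self.pub = (e, n)
        d_ca, _, n_ca = ca_private
        self.signature = pow(pubkey_digest(self.pub), d_ca, n_ca)
        self.session_key = None

    def server_hello(self):
        # step 2: answer the connection on TCP 443 with the signed public key
        return self.pub, self.signature

    def receive_secret(self, encrypted_secret):
        # step 4 (router side): recover the shared secret with the private key
        self.session_key = pow(encrypted_secret, self.d, self.pub[1]).to_bytes(32, "big")


class SslClient:
    """The user's SSL client; trusts only the CA public key it was given."""

    def __init__(self, ca_public):
        self.ca_public = ca_public
        self.session_key = None

    def connect(self, router):
        pub, signature = router.server_hello()                 # steps 1 and 2
        e_ca, n_ca = self.ca_public
        if pow(signature, e_ca, n_ca) != pubkey_digest(pub):   # refuse a key the trusted CA did not sign
            raise ValueError("server public key signature does not verify")
        secret = secrets.token_bytes(32)                       # step 3: client creates the shared secret
        e, n = pub
        router.receive_secret(pow(int.from_bytes(secret, "big"), e, n))  # step 4: sent encrypted to router
        self.session_key = secret


def run_session(message):
    """Full five-step session; returns (both sides hold the same key, decrypted message)."""
    ca = gen_rsa()
    router, client = SslVpnRouter(ca), SslClient(ca[1:])
    client.connect(router)
    ciphertext = keystream_xor(client.session_key, message)    # step 5: bulk symmetric encryption
    return router.session_key == client.session_key, keystream_xor(router.session_key, ciphertext)


def untrusted_router_rejected():
    """A router whose key was signed by a different CA must not get a session."""
    trusted_ca, other_ca = gen_rsa(), gen_rsa()
    try:
        SslClient(trusted_ca[1:]).connect(SslVpnRouter(other_ca))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_session(b"GET /webvpn HTTP/1.1"))
    print("untrusted router rejected:", untrusted_router_rejected())
```

The check in `SslClient.connect` is what a browser does against the router's certificate when it is not self-signed: without it, any device answering on port 443 could present its own key and the shared secret of step 4 would be encrypted to the wrong party.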
107. SSL VPN Design Considerations
• User connectivity
• Router feature
• Infrastructure planning
• Implementation scope
108. Cisco Easy VPN
• Negotiates tunnel parameters
• Establishes tunnels according to set parameters
• Automatically creates a NAT / PAT and associated ACLs
• Authenticates users by usernames, group names, and passwords
• Manages security keys for encryption and decryption
• Authenticates, encrypts, and decrypts data through the tunnel
109. Cisco Easy VPN
110. Securing the VPN
1. Initiate IKE Phase 1.
2. Establish the ISAKMP SA.
3. Accept the proposal.
4. Username/password challenge; the client answers with its username/password.
5. System parameters are pushed to the client.
6. Reverse Route Injection (RRI) adds a static route entry on the router for the remote client's IP address.
7. Initiate IKE Phase 2 (IPsec); the IPsec SA is established.
111. Configuring Cisco Easy VPN Server
Screenshot: the numbered steps of the Easy VPN Server wizard in SDM.
112. Configuring IKE Proposals
1. Click Add.
2. Specify the required parameters.
3. Click OK.
113. Creating an IPSec Transform Set
Screenshot: the numbered steps of the transform set dialog in SDM.
114. Group Authorization and Group Policy Lookup
1. Select the location where Easy VPN group policies can be stored.
2. Click Next.
3. Click Add.
4. Configure the local group policies.
5. Click Next.
118. Summary
• A VPN is a private network that is created via tunneling over a public network, usually the Internet.
• There are site-to-site VPNs and remote access VPNs.
• VPNs require the use of modern encryption techniques to ensure secure transport of information.
119. Summary
120. Summary
• IPsec is a framework of open standards that establishes the rules for secure communications.
• IPsec relies on existing algorithms to achieve encryption, authentication, and key exchange.
• IPsec can encapsulate a packet using either Authentication Header (AH) or the more secure Encapsulation Security Protocol (ESP).
• IPsec uses the Internet Key Exchange (IKE) protocol to establish the key exchange process.
121. Summary
122. Summary