Ccna sv2 instructor_ppt_ch8
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
8.0 Introduction
8.1 VPNs
8.2 IPsec VPN Components and Operations
8.3 Implementing Site-to-Site IPsec VPNs with CLI
8.4 Summary
Upon completion of this section, you should be able to:
• Describe VPNs and their benefits.
• Compare site-to-site and remote-access VPNs.
VPN Benefits:
• Cost Savings
• Security
• Scalability
• Compatibility
Two Types of VPNs
• Site-to-Site VPN: the VPN gateways (routers or firewalls) at each site build the tunnel and encrypt the traffic between the two networks; the hosts behind them send ordinary IP traffic and are unaware of the VPN.
• Remote-Access VPN: each remote host runs VPN client software and terminates its own tunnel on the corporate gateway.
Upon completion of this section, you should be able to:
• Describe the IPsec protocol and its basic functions.
• Compare AH and ESP protocols.
• Describe the IKE protocol.
IPsec Framework
IPsec Implementation Examples
Confidentiality with Encryption
Encryption Algorithms
Hash Algorithms
Security of Hash Algorithms
Peer Authentication Methods: PSK and RSA
Diffie-Hellman Key Exchange
Authentication Header (AH)
Router Creates Hash and Transmits to Peer
Peer Router Compares Recomputed Hash to Received Hash
Apply ESP and AH in Two Modes: Transport and Tunnel
ESP Tunnel Mode
Upon completion of this section, you should be able to:
• Describe IPsec negotiation and the five steps of IPsec configuration.
• Configure the ISAKMP policy.
• Configure the IPsec policy.
• Configure and apply a crypto map.
• Verify the IPsec VPN.
IPsec VPN Negotiation:
Step 1 - Host A sends interesting traffic to Host B (traffic that matches the crypto ACL on R1).
Step 2 - R1 and R2 negotiate an IKE Phase 1 session (the ISAKMP SA: the peers agree on an ISAKMP policy, run Diffie-Hellman, and authenticate each other with the PSK or RSA).
Step 3 - R1 and R2 negotiate an IKE Phase 2 session (the IPsec SAs, one per direction, using the agreed transform set and protected by the Phase 1 SA).
Step 4 - Information is exchanged via the IPsec tunnel.
Step 5 - The IPsec tunnel is terminated, either when the SA lifetime expires (a new SA is negotiated if traffic continues) or when an administrator clears it.
XYZCORP Security Policy:
• Encrypt traffic with AES 256 and SHA 1
• Authentication with PSK
• Exchange keys with group 24
• ISAKMP tunnel lifetime is 1 hour
• IPsec tunnel uses ESP with a 15-min. lifetime
Configuration Tasks:
1. Configure the ISAKMP policy for IKE Phase 1
2. Configure the IPsec policy for IKE Phase 2
3. Configure the crypto map for IPsec policy
4. Apply the IPsec policy
5. Verify the IPsec tunnel is operational
Existing ACL Configurations: ACL Syntax for IPsec Traffic
Permitting Traffic for IPsec Negotiations
• An ACL already applied inbound on the outside interface must permit ISAKMP (UDP 500, and UDP 4500 when NAT traversal is in use), ESP (IP protocol 50) and AH (IP protocol 51) from the peer; otherwise the IKE negotiation never completes and the tunnel never comes up.
The crypto isakmp key Command
Pre-Shared Key Configuration
The IKE Phase 1 Tunnel Does Not Exist Yet
• After the ISAKMP policy and PSK are configured, show crypto isakmp sa still lists no SA: IKE Phase 1 is negotiated only when interesting traffic triggers it.
Configure an ACL to Define Interesting Traffic
The crypto ipsec transform-set Command
Crypto Map Configuration Commands
Crypto Map Configuration
Use Extended Ping to Send Interesting Traffic
Verify the ISAKMP Tunnel is Established
Verify the IPsec Tunnel is Established
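The complete R1 side of the XYZCORP configuration, from the outside-interface ACL that lets the negotiation through to the five configuration tasks and their verification, as an added example that is not from the Cisco deck. R2 is the mirror image. The interface name, the addresses (203.0.113.1 and 203.0.113.2 on the WAN link, 192.168.1.0/24 behind R1, 192.168.2.0/24 behind R2), the names OUTSIDE-IN, VPN-TRAFFIC, VPN-SET and VPN-MAP, the policy number 10, the PSK placeholder and the PFS setting are all assumptions; everything the XYZCORP policy specifies (AES 256, SHA 1, PSK, group 24, 1-hour ISAKMP lifetime, ESP with a 15-minute lifetime) is taken from the task list above.

```cisco
! R1 (XYZCORP headquarters). Added example; not from the Cisco deck.
! Assumed topology: R1 G0/0 203.0.113.1 <-> 203.0.113.2 R2 (Internet link),
! Host A in 192.168.1.0/24 behind R1, Host B in 192.168.2.0/24 behind R2.
!
! 0. Existing ACL on the outside interface: IKE (UDP 500), NAT-T (UDP 4500),
!    ESP (protocol 50) and AH (protocol 51) from the peer must be permitted,
!    or the negotiation never completes. Some IOS releases re-check decrypted
!    packets against the inbound ACL, so the clear-text branch traffic is
!    permitted too. The rest of the existing firewall policy follows these.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ahp host 203.0.113.2 host 203.0.113.1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! 1. ISAKMP policy for IKE Phase 1 (policy number 10 is an assumption).
!    "hash sha" is SHA-1; the default lifetime is 86400 s, the policy wants 1 h.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 24
 lifetime 3600
!
! Pre-shared key for peer R2. The value is a placeholder (assumption): use a
! long random string, one key per peer, and never reuse a user password.
crypto isakmp key ReplaceWithLongRandomSecret address 203.0.113.2
!
! 2. IPsec policy for IKE Phase 2: interesting traffic (crypto ACL) and the
!    transform set. ESP with AES-256 and SHA-1 HMAC; tunnel mode is the
!    default and is shown only to make it explicit.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
! 3. Crypto map: peer, transform set, 15-minute IPsec SA lifetime and the
!    crypto ACL. "set pfs group24" is not in the XYZCORP policy; it is added
!    here (assumption) so every Phase 2 rekey performs a fresh DH exchange.
crypto map VPN-MAP 10 ipsec-isakmp
 description Site-to-site tunnel to R2
 set peer 203.0.113.2
 set transform-set VPN-SET
 set security-association lifetime seconds 900
 set pfs group24
 match address VPN-TRAFFIC
!
! 4. Apply the crypto map (and the firewall ACL) to the outside interface.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! 5. Verify. No SA exists until interesting traffic triggers negotiation, so
!    source an extended ping from the inside interface (assumed 192.168.1.1):
!    R1# ping 192.168.2.10 source 192.168.1.1
!    R1# show crypto isakmp sa   (one entry for 203.0.113.2, state QM_IDLE)
!    R1# show crypto ipsec sa    (#pkts encaps / #pkts decaps counters rising)
!    R1# show crypto map         (VPN-MAP bound to GigabitEthernet0/0)
!    To tear the tunnel down by hand (step 5 of the negotiation):
!    R1# clear crypto sa
!    R1# clear crypto isakmp
```

On both peers the encryption, hash, authentication method and DH group of the ISAKMP policy must match exactly; the lifetime may differ, and the shorter value is used. If show crypto isakmp sa shows the peer stuck in MM_NO_STATE, Phase 1 failed, most often because of a mismatched policy or PSK. The first packets of the extended ping are normally lost while the SAs are negotiated, so a success rate below 100 percent on the first attempt is expected.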
- 62. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Chapter Objectives:
• Explain the purpose of VPNs.
• Explain how IPsec VPNs operate.
• Configure a site-to-site IPsec VPN, with pre-shared key authentication, using the CLI.
• Remember, there are helpful tutorials and user guides available via your NetSpace home page (https://www.netacad.com).
• These resources cover a variety of topics including navigation, assessments, and assignments.
• A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes.
Editor's Notes
- 8.1.1.1 Introducing VPNs
- 8.1.1.2 Layer 3 IPsec VPNs
- 8.1.2.1 Two Types of VPNs
- 8.1.2.2 Components of Remote-Access VPNs
- 8.1.2.3 Components of Site-to-Site VPNs
- 8.1.2.4 Activity – Compare Remote-Access and Site-to-Site VPNs
- 8.2.1.1 IPsec Technologies
- 8.2.1.2 Confidentiality
- 8.2.1.2 Confidentiality (Cont.)
- 8.2.1.3 Integrity
- 8.2.1.4 Authentication
- 8.2.1.4 Authentication (Cont.)
- 8.2.1.5 Secure Key Exchange
- 8.2.1.6 Activity – Identify the Components of the IPsec Framework
- 8.2.2.1 IPsec Protocol Overview
- 8.2.2.2 Authentication Header
- 8.2.2.2 Authentication Header (Cont.)
- 8.2.2.3 ESP
- 8.2.2.4 ESP Encrypts and Authenticates
- 8.2.2.5 Transport and Tunnel Modes
- 8.2.2.5 Transport and Tunnel Modes (Cont.)
- 8.2.2.6 Activity – Compare AH and ESP
- 8.2.3.1 The IKE Protocol
- 8.2.3.2 Phase 1 and 2 Key Negotiation
- 8.2.3.3 Phase 2: Negotiating SAs
- 8.2.3.4 Video Tutorial – IKE Phase 1 and Phase 2
- 8.3.1.1 IPsec Negotiation
- 8.3.1.1 IPsec Negotiation (Cont.)
- 8.3.1.2 Site-to-Site IPsec VPN Topology
- 8.3.1.3 IPsec VPN Configuration Tasks
- 8.3.1.4 Existing ACL Configurations
- 8.3.1.4 Existing ACL Configurations (Cont.)
- 8.3.1.5 Introduction to GRE Tunnels
- 8.3.1.6 Activity – Order the IPsec Negotiation Steps
- 8.3.2.1 The Default ISAKMP Policies
- 8.3.2.2 Syntax to Configure a New ISAKMP Policy
- 8.3.2.3 XYZCORP ISAKMP Policy Configuration
- 8.3.2.4 Configuring a Pre-Shared Key
- 8.3.2.4 Configuring a Pre-Shared Key (Cont.)
- 8.3.3.1 Define Interesting Traffic
- 8.3.3.1 Define Interesting Traffic (Cont.)
- 8.3.3.2 Configure IPsec Transform Set
- 8.3.3.2 Configure IPsec Transform Set (Cont.)
- 8.3.4.1 Syntax to Configure a Crypto Map
- 8.3.4.1 Syntax to Configure a Crypto Map (Cont.)
- 8.3.4.2 XYZCORP Crypto Map Configuration
- 8.3.4.2 XYZCORP Crypto Map Configuration (Cont.)
- 8.3.4.3 Apply the Crypto Map
- 8.3.5.1 Send Interesting Traffic
- 8.3.5.2 Verify ISAKMP and IPsec Tunnels
- 8.3.5.2 Verify ISAKMP and IPsec Tunnels (Cont.)
- 8.4.1.1 Video Demonstration – Site-to-Site IPsec VPN Configuration
- 8.4.1.2 Packet Tracer – Configure and Verify a Site-to-Site IPsec VPN
- 8.4.1.3 Lab – Configuring a Site-to-Site VPN
- 8.4.1.4 Chapter 8: Implementing Virtual Private Networks
- https://www.netacad.com