2. Overview of IPSec L2L VPN
• Also known as Site-to-Site Virtual Private Networks
• Allows for secure connectivity between private networks over untrusted networks such as the Internet
• Two phases – Phase 1 (IKEv1/2) & Phase 2 (IPsec)
• IKE is used for key management and the creation of IPsec Associations
• IPsec provides security for data traffic
• IPsec provides the following:
  • Confidentiality = Encryption of data
  • Integrity = Ensures data isn’t modified in transit
  • Authentication = Verifies the identity of the sending IPsec device
  • Anti-replay protection = Stops an attacker replaying captured traffic, using sequence numbers
• IPsec makes use of 1 of 2 protocols:
  • Authentication Header (AH), IP protocol 51 (RFC 4302)
    • Origin authentication and data integrity, but no confidentiality
  • Encapsulating Security Payload (ESP), IP protocol 50 (RFC 4303)
    • Confidentiality, integrity and (optionally) origin authentication
• AH & ESP support two modes:
  • Tunnel Mode: ESP & AH are applied to interesting traffic that is tunnelled between gateways (gateway-to-gateway security)
  • Transport Mode: ESP & AH protect the payload end-to-end, typically host to host, although an endpoint could also be a network device
#NetworkWizkids YouTube: NetworkWiizkiids
Twitter:@iwiizkiid
5. Steps & Configuration
Phase 1 IKE
• Create IKE policy (the lowest-numbered policy has the highest priority)
  TIP: HAGLE
  Hash – Authentication – Group – Lifetime – Encryption
• Configure S2S tunnel parameters
• Enable IKE on the interface

Phase 2 IPsec
• Configure objects for interesting traffic
• Configure the crypto ACL that will be referenced by the crypto map
• Configure IPsec transform set
• Configure crypto maps
• Consider NAT and interface security levels
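Worked example of the steps above on a Cisco ASA using IKEv1 and crypto maps; this is added here and is not part of the original slides. The interface names, object names, subnets, peer address 203.0.113.2 and the pre-shared-key placeholder are constructed, and DH group 14 assumes an ASA release that offers it for IKEv1 (older releases only offer groups 1, 2 and 5).

```cisco
! ----- Phase 1: IKEv1 policy (HAGLE). Lowest policy number is tried first.
crypto ikev1 policy 10
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
 encryption aes-256

! Enable IKEv1 on the interface facing the untrusted network
crypto ikev1 enable outside

! S2S tunnel parameters: peer identity and its pre-shared key
! (constructed peer address; replace the PSK placeholder with a long random secret)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-STRONG-PSK>

! ----- Phase 2: objects that describe the interesting traffic (constructed subnets)
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0

! Crypto ACL: traffic matching this ACL is sent through the tunnel
access-list VPN-TRAFFIC extended permit ip object LOCAL-LAN object REMOTE-LAN

! Transform set: ESP with AES-256 for confidentiality and SHA-1 HMAC for integrity
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Crypto map ties the ACL, peer, transform set and PFS together, then binds to the interface
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside

! NAT: identity (exemption) rule so VPN traffic is not translated before encryption.
! Security levels: inside (100) to outside (0) is permitted by default, so no extra ACL is needed.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
```

After traffic matching the ACL is generated, `show crypto ikev1 sa` should show the Phase 1 SA in the MM_ACTIVE state and `show crypto ipsec sa` should show increasing encaps/decaps counters for the Phase 2 SA.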