IPSec VPN Explained
Contents
 What is IPSec VPN
 Why do we need IPSec VPN
 IPSec Suite Explained
o ESP – Encapsulating Security Payload
o AH – Authentication Header
o Encryption
 Symmetric Encryption
 Asymmetric Encryption
 RSA (Rivest-Shamir-Adleman) Algorithm
 Diffie-Hellman Key Exchange Protocol
 IKE – Internet Key Exchange
o Difference between IKEv1 and IKEv2
o How to migrate from IKEv1 to IKEv2
o When the migration command is entered on the ASA
 Explain ISAKMP Phase or Phase 1
o Main Mode
o Aggressive Mode
o How does DH & Symmetric Encryption work together to secure communication
between two peers?
 What do you mean by Security Association (SA)
o IKE SA -
o IPSec SA
 NAT-Traversal or NAT-T
o Why do IPSec packets get encapsulated in UDP port 4500 after a NAT device is detected
along the path
o How does ASA detect that both the Peers support NAT
o What is the difference between NAT-T and IPSec-over-UDP ?
o Why does AH not support NAT-T ?
 Explain IPSec Phase or Phase 2
o Transport Mode
o Tunnel Mode
o PFS or Perfect Forward Secrecy
 IPSec VPN Deployment Scenario
o L2TP Over IPSec
o Remote Access IPSec VPN
o VTI – Virtual Tunnel Interface
 SVTI
 DVTI
o Point-To-Point GRE over IPSec
o DMVPN – Dynamic Multipoint VPN
o VRF Aware IPSec
o V3PN - Voice and Video Enabled IPSec VPN
 How does the traffic get Encrypted, in simple terms
 Steps to configure IPSec Site-To-Site VPN on ASA
 Troubleshooting IPSec Site-To-Site VPN
o Verification command
o Phase 1
o Phase 2
 FAQ – Frequently Asked Questions
IPSec VPN Explained
What is IPSec VPN ?
IPsec VPN is used to connect two or more sites securely over the internet. It forms a tunnel between the
peers and protects the data inside it: IPsec provides data integrity, keeps the data confidential,
authenticates the peers, and (with ESP or AH sequence numbers) protects against replayed packets.
Why do we need it ?
Consider this: you have two sites at different locations and you want the users at one site to work with
the users at the other. You have several options, such as a leased line, Frame Relay or MPLS, but all of
them cost a fortune. The easiest and cheapest way to connect the sites is an IPSec Site-To-Site VPN; all
you need is an internet connection at both sites.
Explain IPSec Suite
IPsec is a framework of open standards that provides data confidentiality, data integrity, and data
authentication between participating peers. IPsec provides these security services at the IP layer; it uses
IKE (ISAKMP) to handle negotiation of protocols and algorithms based on the local policy, and to
generate the encryption and authentication keys to be used by IPsec. The IPsec architecture (originally
RFC 1825, now RFC 4301) provides IP network-layer encryption and defines a new set of headers to be
added to IP datagrams. IPsec works
with the following serial encapsulations: High-Level Data-Links Control (HDLC), PPP, and Frame Relay.
IPsec also works with Generic Routing Encapsulation (GRE) and IPinIP Layer 3, Layer 2 Forwarding (L2F),
Layer 2 Tunneling Protocol (L2TP), Data Link Switching+ (DLSw+), and SRB tunneling protocols.
Encapsulating Security Payload (ESP)
Encapsulating Security Payload is a member of the IPSec protocol suite. ESP operates directly on top of
IP, using IP protocol number 50. ESP provides confidentiality (encryption), integrity and origin
authentication (an ICV computed with a keyed hash such as HMAC-SHA1) and anti-replay protection (a
sequence number) for the data transferred over the internet. The ESP header is inserted after the IP
header and before the next-layer protocol header; the ESP trailer and the ICV follow the payload.
Authentication Header (AH)
Authentication Header is a member of the IPSec protocol suite. AH authenticates IP packets and
checks that their integrity is intact; its ICV covers the payload and the immutable fields of the IP header,
including the source and destination addresses. AH does not provide confidentiality, which means it does
not encrypt the data. AH operates directly on top of IP, using IP protocol number 51.
Encryption
Encryption is the process of encoding messages or information in such a way that only authorized
parties can read it. In an encryption scheme, the intended communication information or message,
referred to as plaintext, is encrypted using an encryption algorithm, generating cipher text that can only
be read if decrypted. There are two types of encryption i.e. Symmetric Encryption and Asymmetric
Encryption.
 Symmetric Encryption - Uses the same cryptographic key for both encryption of plain text and
decryption of cipher text. For symmetric key cryptography to work for online communications,
the secret key must be securely shared with authorized communicating parties and protected
from discovery and use by unauthorized parties. Public key cryptography can be used to provide
a secure method for exchanging secret keys online. Two of the most common key exchange
algorithms are DH and RSA. Examples - DES, 3DES, AES. DES and 3DES are obsolete and should no
longer be configured; use AES.
 Asymmetric Encryption or public-key cryptography is cryptography in which a pair of keys is
used: what one key encrypts, only the other can decrypt. A network user generates a public and
private key pair; a certificate authority can then sign the public key into a certificate that vouches
for its owner. Any other user who wants to send an encrypted message obtains the intended
recipient's public key, for example from a public directory or from the recipient's certificate. They
use this key to encrypt the message and send it to the recipient. When the recipient gets the
message, they decrypt it with their private key, which no one else should have access to.
Example - RSA. (DH is also public-key cryptography, but it is a key agreement method rather than an
encryption algorithm; see below.)
RSA (Rivest-Shamir-Adleman) Algorithm
RSA involves a public key and a private key. The public key can be known by everyone and is used for
encrypting messages. Messages encrypted with the public key can only be decrypted using the private
key. Let’s say we have 2 peers, Peer A and Peer B. Both the peers generate a public key and private key.
Now only the public keys are shared with each other; each peer keeps its private key to itself. If Peer A
wants to send data to Peer B, it uses B's public key to encrypt the traffic, and only B can decrypt it
because nobody else has B's private key. In IKE, RSA is normally used the other way round, as a
signature (rsa-sig authentication): a peer signs with its private key and the other peer verifies the
signature with the public key from the peer's certificate.
DH (Diffie-Hellman Key Exchange Protocol)
Diffie-Hellman is a way of generating a shared secret between two parties in such a way that the secret
cannot be recovered by observing the communication. You are not sending the key during the exchange;
you are creating it together. Recovering the secret from the public values alone requires solving the
discrete logarithm problem, which is computationally infeasible for adequately sized groups (DH group
14, 2048 bits, or larger; groups 1, 2 and 5 are considered weak today). It is primarily used as a method
of agreeing cryptographic keys for use in symmetric encryption algorithms like AES. Note that DH on its
own does not tell you who you agreed the key with; that is why Phase 1 authenticates the peers
afterwards.
The diagram below gives a basic understanding of how DH generates the shared secret key.
(Source – Wikipedia; diagram not reproduced here)
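The exchange in the diagram, carried out in code. This is an added example and not part of the original slides; it uses the "group 2" 1024-bit MODP prime from RFC 2409 only because that prime is short enough to embed (a real deployment should use group 14 or larger), and it includes the range check on the peer's public value that an IKE implementation must perform so that a peer cannot force a trivial secret.

```python
# Added example (not from the original slides): textbook Diffie-Hellman over
# IKE group 2 (RFC 2409 section 6.2, 1024-bit MODP, generator 2).
# Group 2 is used here only because its prime is short enough to embed;
# new deployments should use group 14 (2048-bit) or larger.
import secrets

P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def generate_keypair(p=P_GROUP2, g=G):
    """Pick a random private exponent x and return (x, g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1          # 1 <= x <= p-2
    return x, pow(g, x, p)


def check_public_value(y, p=P_GROUP2):
    """Reject degenerate peer values (0, 1, p-1) that would force a trivial secret."""
    if not 1 < y < p - 1:
        raise ValueError("peer public value out of range")
    return y


def shared_secret(my_private, peer_public, p=P_GROUP2):
    """g^xy mod p, the value IKE later feeds into the SKEYID derivation."""
    return pow(check_public_value(peer_public, p), my_private, p)


def dh_exchange():
    """Run the exchange for two peers.

    Returns (secret_a, secret_b, transcript), where transcript is everything
    an eavesdropper on the wire gets to see: the two KE payload values."""
    xa, ya = generate_keypair()       # initiator: its KE payload carries ya
    xb, yb = generate_keypair()       # responder: its KE payload carries yb
    transcript = (ya, yb)
    return shared_secret(xa, yb), shared_secret(xb, ya), transcript


if __name__ == "__main__":
    a, b, seen = dh_exchange()
    print("peers agree on the secret:", a == b)
    print("secret visible on the wire:", a in seen)
```

Both calls to shared_secret return the same number although neither private exponent ever left its owner; the transcript holds only g^x and g^y. What the code does not do is authenticate anybody: a man in the middle could run one exchange with each peer, which is exactly the gap messages 5 and 6 of Phase 1 close.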
Hashing
Hashing is the transformation of a string of characters into a usually shorter, fixed-length value that
represents the original string. Hashes play a role in security systems where they are used to ensure that
transmitted messages have not been tampered with. In IPsec the hash is keyed: the sender computes an
HMAC over the message with a key known only to the two peers (the integrity key of the SA) and sends
the result, the ICV, with the message. The recipient computes the HMAC over the received message with
the same key and compares the two values. If they are the same, there is a very high probability that the
message was transmitted intact and came from a holder of the key. An unkeyed hash alone would not
help, since an attacker could simply recompute it over a modified message.
Example – The screenshots below show the hash value of the word "Hello" and then of the same word
with the capital 'H' changed to a small 'h' (the screenshots are not reproduced here). The result is a
completely different hash: changing a single letter, or adding anything, changes the whole hash.
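The keyed version of this check, as ESP and AH actually use it, as an added example that is not from the original slides. It implements HMAC-SHA1-96 (RFC 2404): the HMAC is truncated to 96 bits to form the ICV, the ICV is appended to the payload the way the ESP trailer carries it, and the comparison is constant-time. The key is a constructed placeholder; on a real SA it would come from the Phase 2 keying material.

```python
# Added example (not from the original slides): HMAC-SHA1-96 integrity check as used
# by ESP/AH (RFC 2404). The key is a constructed stand-in for an SA's integrity key.
import hashlib
import hmac
from typing import Optional

ICV_LEN = 12   # 96 bits, the truncated HMAC-SHA1 output that travels in the packet


def icv(key: bytes, data: bytes) -> bytes:
    """Integrity Check Value: HMAC-SHA1 over the data, truncated to 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def protect(key: bytes, data: bytes) -> bytes:
    """Append the ICV to the payload, as ESP does after the trailer."""
    return data + icv(key, data)


def verify(key: bytes, packet: bytes) -> Optional[bytes]:
    """Return the payload if the ICV checks out, None if the packet was tampered with."""
    if len(packet) < ICV_LEN:
        return None
    data, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # compare_digest runs in constant time, so a forger learns nothing from timing
    if not hmac.compare_digest(tag, icv(key, data)):
        return None
    return data


def demo():
    """The slide's single-letter change: 'Hello' -> 'hello' after protection."""
    key = b"constructed-example-integrity-key"
    pkt = protect(key, b"Hello")
    tampered = bytearray(pkt)
    tampered[0] ^= 0x20           # flips 'H' (0x48) to 'h' (0x68), ICV left as it was
    return verify(key, pkt), verify(key, bytes(tampered))


if __name__ == "__main__":
    print(demo())
```

The attacker who flips the letter cannot fix the ICV without the key, which is the property the slide's screenshot of two differing hashes is really pointing at; a plain SHA-1 in the same position would be recomputable by anyone.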
IKE – Internet Key Exchange
A hybrid protocol that implements Oakley and SKEME key exchanges inside the Internet Security
Association and Key Management Protocol (ISAKMP) framework. While IKE can be used with other
protocols, its initial implementation is with the IPsec protocol. IKE provides authentication of the IPsec
peers, negotiates IPsec security associations, and establishes IPsec keys. ISAKMP/Oakley uses UDP port
500 for negotiation (UDP port 4500 once NAT-T is in use). There are two versions of IKE: IKEv1 (RFC 2409)
and IKEv2 (RFC 7296).
Difference between IKEv1 and IKEv2
 IKEv1 does not support EAP authentication; IKEv2 does.
 IKEv2 introduced MOBIKE (RFC 4555), for mobile platforms and users with
multi-homed setups.
 IKEv2 consumes less bandwidth: the initial exchange takes 4 messages (IKE_SA_INIT and IKE_AUTH)
and already sets up the first CHILD_SA, where IKEv1 needs 6 (main mode) plus 3 (quick mode).
 IKEv2 has NAT-T and DPD (liveness checks) built in, whereas IKEv1 has them as extensions.
 Each peer can use a different authentication method (asymmetric authentication)
(e.g. initiator: PSK and responder: RSA-Sig).
 Each peer can delete SAs at any time by exchanging DELETE payloads.
How to migrate from IKEv1 to IKEv2
If your IKEv1, or even SSL, configuration already exists, the ASA makes the migration process simple. On
the command line, enter the migrate command:
hostname(config)# migrate {l2l | remote-access {ikev2 | ssl} | overwrite}
 L2L - This converts current IKEv1 l2l tunnels to IKEv2.
 Remote access - This converts the remote access configuration. You can convert either the IKEv1
or the SSL tunnel groups to IKEv2.
 Overwrite - If you have an IKEv2 configuration that you wish to overwrite, this keyword
converts the current IKEv1 configuration and removes the superfluous IKEv2 configuration.
When the migration command is entered on the ASA
 The current IKEv1 configurations are not deleted
 IKEv1 and IKEv2 configurations run in parallel and on the same crypto map.
 The ASA always prefers to initiate IKEv2, but if it cannot, it falls back to IKEv1.
 When both IKEv1 and IKEv2 run in parallel, ASA uses a module called tunnel manager/IKE
common on the initiator to determine the crypto map and IKE protocol version to use for a
connection.
Explain ISAKMP Phase or Phase 1
Both the peers identify each other and negotiate a common policy on which the IKE SA's would be
formed. The phase 1 encryption & hashing algorithm is used to protect negotiation messages between
the peers & not the data. Phase 1 IKEv1 negotiations can use either main mode or aggressive mode.
Aggressive mode requires only two exchanges between the peers totaling three messages and Main
Mode requires three exchanges totaling six messages. Aggressive mode is faster, but does not provide
identity protection for the communicating parties.
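The policy negotiation of the first two messages, as an added example that is not part of the original slides. Encryption, hash, authentication method and DH group must be equal for a match, and lifetime is the one attribute that may differ, the agreed SA taking the lower value. The order in which the responder walks the two lists (its own policies by priority, each against every offered one) and the sample policies are assumptions for the illustration.

```python
# Added example (not from the original slides): IKEv1 Phase 1 policy matching.
# The policies below are constructed; the walking order is an assumption.
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str
    hash: str
    authentication: str
    group: int
    lifetime: int = 86400      # seconds; the ASA default of 24 hours


def _matches(a: IsakmpPolicy, b: IsakmpPolicy) -> bool:
    """Everything except lifetime has to be identical."""
    return (a.encryption, a.hash, a.authentication, a.group) == \
           (b.encryption, b.hash, b.authentication, b.group)


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """Message 1 offers every initiator policy; the responder walks its own policies in
    priority order and answers (message 2) with the first one an offer matches.
    Lifetime is not compared: the agreed SA uses the lower of the two values."""
    for local in sorted(responder, key=lambda p: p.priority):
        for offered in sorted(initiator, key=lambda p: p.priority):
            if _matches(local, offered):
                return replace(local, lifetime=min(local.lifetime, offered.lifetime))
    return None   # no proposal chosen: the initiator stays in MM_WAIT_MSG2


# Constructed example policies, one list per "crypto isakmp policy N" set
INITIATOR = [
    IsakmpPolicy(10, "aes-256", "sha", "pre-share", 5),
    IsakmpPolicy(20, "3des", "md5", "pre-share", 2),
]
RESPONDER = [
    IsakmpPolicy(10, "aes", "sha", "pre-share", 14),
    IsakmpPolicy(20, "aes-256", "sha", "pre-share", 5, lifetime=28800),
]

if __name__ == "__main__":
    print(negotiate(INITIATOR, RESPONDER))
```

With the sample lists the responder's policy 10 matches nothing the initiator offered, its policy 20 matches the initiator's policy 10, and the SA comes up with a lifetime of 28800 seconds even though the initiator asked for 86400. Remove the responder's policy 20 and negotiate returns None, which on the initiator shows up as a tunnel stuck in MM_WAIT_MSG2.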
Main Mode
Note - The first four messages are sent unencrypted (there is no key yet); only messages 5 and 6 are
encrypted
 1st Message - When IKE negotiations begin, the peer that initiates the negotiation sends all of
its policies to the remote peer, and the remote peer tries to find a match.
 2nd Message - The remote peer checks all of the peer's policies against each of its configured
policies until it discovers a match. A match exists when both policies from the two peers contain
the same encryption, hash, authentication, and Diffie-Hellman parameter values.
Note - The lifetime configured in Phase 1 does not have to match on both sides; the lower value is
agreed upon during negotiation. All the other components (encryption, authentication, DH group and
hash) must match, otherwise the responder has no proposal to choose and the initiator keeps waiting
for message 2.
 3rd Message - Key Exchange payload that contains the public value of a Diffie-
Hellman exchange, used to generate the DH shared secret. The Nonce payload is used as an input
to the key generation algorithm and also as an anti-replay mechanism, to prevent an attacker from
replaying an old message.
 4th Message - This fourth packet, as you would expect, comes from the remote endpoint back to
the initiator and contains the remote endpoint's Key Exchange and Nonce payloads.
Note - After the 4th message both peers generate four secret values (SKEYID, SKEYID_d, SKEYID_a and
SKEYID_e)
SKEYID - A string derived from secret material known only to the active players in the exchange. With
pre-shared key authentication it is SKEYID = prf(pre-shared-key, Ni_b | Nr_b), where prf is an HMAC
using the negotiated hash algorithm; the pre-shared key therefore enters every key that follows.
 SKEYID_d - Used to calculate IPSec keying material (for Phase 2)
 SKEYID_a - Used to provide data integrity and authentication to IKE messages
 SKEYID_e - Used to encrypt IKE messages
The result of either Main Mode or Aggressive Mode is three groups of authenticated keying material:
 SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
 SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
 SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
where g^xy is the DH shared secret, CKY-I and CKY-R are the initiator and responder cookies from the
ISAKMP header, and 0, 1 and 2 are single octets. SKEYID_e is used to encrypt the payloads of the 5th
and 6th messages.
 5th Message - It contains the Identity payload and Hash payload of the initiator. The identity can
be an IPv4 address, IPv6 address or FQDN. The Hash payload carries HASH_I = prf(SKEYID, g^xi |
g^xr | CKY-I | CKY-R | SAi_b | IDii_b): a keyed hash over the DH public values, the cookies, the
initiator's SA proposal and its identity, keyed with SKEYID, which was derived from the pre-shared
key.
 6th Message - It contains the Identity payload and Hash payload (HASH_R) of the responder.
Note - The peers get authenticated in the 5th and 6th messages. The pre-shared key itself is never sent,
not even as a hash on its own: it is mixed into SKEYID, and SKEYID keys the hash. When the responder
gets the 5th message it recomputes HASH_I with its own SKEYID and compares it with the value received.
If both values match, the initiator is authenticated (it must know the same pre-shared key). The same
process happens with HASH_R in the 6th message, and the responder is authenticated. If the keys differ,
SKEYID_e differs as well, so the responder cannot even decrypt message 5 and the exchange stalls.
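The SKEYID derivation and the message 5/6 authentication above, carried through in code as an added example that is not from the original slides. The prf is HMAC-SHA1 (the negotiated hash is an assumption), and the cookies, nonces, KE values, SA body and identities are constructed stand-ins for what messages 1 to 4 carried; the DH secret is likewise a constructed byte string rather than a freshly computed one.

```python
# Added example (not from the original slides): RFC 2409 SKEYID/SKEYID_{d,a,e},
# HASH_I and HASH_R with pre-shared key authentication. prf = HMAC-SHA1 assumed.
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def derive_skeyids(skeyid, gxy, cky_i, cky_r):
    """The three formulas from the slide; 0, 1, 2 are single octets."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I of message 5: prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R of message 6: prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


# Constructed stand-ins for what messages 1-4 carried (not captured values)
CKY_I = bytes.fromhex("0123456789abcdef")          # initiator cookie
CKY_R = bytes.fromhex("fedcba9876543210")          # responder cookie
NI_B, NR_B = b"\x11" * 16, b"\x22" * 16            # nonce payload bodies
GXI, GXR = b"\x33" * 128, b"\x44" * 128            # KE payload bodies (public values)
GXY = b"\x55" * 128                                # DH shared secret both sides computed
SAI_B = bytes.fromhex("00000001" "00000001")       # body of the initiator's SA payload
IDII_B = b"\x01\x00\x00\x00" + bytes([192, 0, 2, 1])      # ID_IPV4_ADDR 192.0.2.1
IDIR_B = b"\x01\x00\x00\x00" + bytes([198, 51, 100, 1])   # ID_IPV4_ADDR 198.51.100.1


def main_mode_auth(psk_initiator: bytes, psk_responder: bytes):
    """Messages 5 and 6 from each side's point of view.

    Returns (hash_i_accepted_by_responder, hash_r_accepted_by_initiator, same_skeyid_e)."""
    sk_i = skeyid_psk(psk_initiator, NI_B, NR_B)   # initiator's SKEYID
    sk_r = skeyid_psk(psk_responder, NI_B, NR_B)   # responder's SKEYID
    # Message 5: initiator sends HASH_I; responder recomputes it with its own SKEYID
    sent_i = hash_i(sk_i, GXI, GXR, CKY_I, CKY_R, SAI_B, IDII_B)
    want_i = hash_i(sk_r, GXI, GXR, CKY_I, CKY_R, SAI_B, IDII_B)
    # Message 6: responder sends HASH_R; initiator recomputes it
    sent_r = hash_r(sk_r, GXI, GXR, CKY_I, CKY_R, SAI_B, IDIR_B)
    want_r = hash_r(sk_i, GXI, GXR, CKY_I, CKY_R, SAI_B, IDIR_B)
    # With mismatched keys SKEYID_e differs too, so message 5 cannot even be decrypted
    e_i = derive_skeyids(sk_i, GXY, CKY_I, CKY_R)[2]
    e_r = derive_skeyids(sk_r, GXY, CKY_I, CKY_R)[2]
    return (hmac.compare_digest(sent_i, want_i),
            hmac.compare_digest(sent_r, want_r),
            hmac.compare_digest(e_i, e_r))


if __name__ == "__main__":
    print("same PSK:", main_mode_auth(b"cisco123", b"cisco123"))
    print("PSK typo:", main_mode_auth(b"cisco123", b"cisco124"))
```

Nothing in the two hashes is the pre-shared key or a hash of it alone; the key's only effect is on SKEYID. A one-character difference in the key changes SKEYID, SKEYID_e and both hashes, which is why a key mismatch shows up as a peer that never answers message 5 rather than as an explicit "bad password".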
Aggressive Mode
The purpose of Aggressive mode is the same as Main mode, but it exchanges only 3 messages in total.
This makes it less secure than Main mode: the identities are sent in plain text, and with pre-shared key
authentication the responder's HASH_R in message 2 is sent unencrypted as well, so anyone who captures
the exchange can run an offline dictionary attack against the pre-shared key. Avoid aggressive mode
with pre-shared keys unless a dynamic peer address leaves no other option.
 1st Message - The initiator sends its list of ISAKMP policies, its DH public value, its nonce and its
identity in the first message.
 2nd Message - The responder replies with the ISAKMP policy selected, its DH public value, its nonce,
its identity and its authentication payload (HASH_R for pre-shared keys).
 3rd Message - The initiator sends its authentication payload (HASH_I) as the final message.
How does DH & Symmetric Encryption work together to secure communication between two peers ?
Think of it like this: you create a coded message to send to a friend in which each letter is substituted
with the letter two places down in the alphabet, so "A" becomes "C" and "B" becomes "D". Your friend
knows the code is "Shift by 2", so they can decrypt the message; anyone else who sees it sees only
nonsense. The symmetric cipher (AES) is the substitution rule and the shared key is "Shift by 2".
Diffie-Hellman is how the two peers arrive at "Shift by 2" without ever sending it: each contributes a
public value, both compute the same secret from it, and that secret keys the symmetric cipher.
What do you mean by Security Association (SA)
An SA is a relationship between two VPN endpoints, which describes how those endpoints will use
security services (technologies and protocols) to communicate securely.
 IKE SA - The IKE SA governs negotiation of the IPSec SA as specified in the "crypto isakmp
policy". IKE SA is bi-directional in nature, it simply means that a single SA is agreed upon and
used to send and receive to the remote peer.
 IPSec SA - The two IPSec peers must determine exactly which algorithms to use (for example,
AES or 3DES for encryption, MD5 or SHA for integrity), which SPI identifies the SA, and which keys
and lifetimes apply. As you can see, there is quite a bit of information to manage. The security
association is the method that IPSec uses to track all the particulars of a given IPSec communication
session. An IPsec SA is unidirectional, so each peer has two SAs per tunnel with separate keying
material: one to send to and one to receive from the remote peer.
NAT-Traversal or NAT-T
What if there is a NAT device along the path? Enable IPsec over NAT-T.
NAT-T lets IPsec peers establish a connection through a NAT device. It does this by encapsulating IPsec
traffic in UDP datagrams, using port 4500, which gives NAT devices port information to translate.
NAT-T auto-detects any NAT devices and only encapsulates IPsec traffic when necessary. Depending on
the ASA release this feature may be disabled by default; verify with "show running-config all | include
nat-traversal" before assuming it is on.
NAT Traversal performs two tasks:
 Detects if both ends support NAT-T
 Detects NAT devices along the transmission path (NAT-Discovery)
Enter the following command to enable IPsec over NAT-T globally on the ASA; the argument is the NAT
keepalive interval in seconds (default 20):
Hostname(config)# crypto isakmp nat-traversal 20
Note - When you enable NAT-T, the ASA automatically opens UDP port 4500 on all IPsec-enabled interfaces
Why does IPSec Packets get Encapsulated in UDP Port 4500, after detecting NATting along the path
ESP is an IP protocol just like TCP and UDP, but it carries no port information. Because there is no port
to change in the ESP packet, a port-overloading NAT (PAT) cannot assign a unique port to the packet
when it rewrites the RFC 1918 source address to the publicly routable address. If the packet cannot be
assigned a unique port, the translation binding cannot be completed and there is no way to tell which
inside host sourced this packet, so the return traffic cannot be untranslated. Wrapping ESP in UDP gives
the NAT a port to work with, and since ESP's ICV does not cover the outer IP header the rewrite does not
break the integrity check.
How does the ASA detect that both peers support NAT-T
 Main Mode: Messages 1 & 2: each peer includes a NAT-T Vendor ID payload, so both learn whether
the other supports NAT-T.
 Main Mode: Messages 3 & 4: if both devices support NAT-T, NAT-Discovery (NAT-D) payloads are
exchanged. A NAT-D payload is a hash of the two cookies, an IP address and a port (RFC 3947). Each
device sends two NAT-D payloads: one with the destination IP and port as it sees them, and one with
its own source IP and port. The receiving device recalculates the hashes from the addresses and ports
in the packet it actually received and compares them with the values received; if they do not match,
a NAT device exists on that side.
 Main Mode: Messages 5 & 6: if a NAT device has been detected, all ISAKMP packets change from
UDP port 500 to UDP port 4500, and the ESP traffic is encapsulated in UDP 4500 afterwards.
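The NAT-D comparison from messages 3 and 4, as an added example that is not from the original slides. It builds the two payloads exactly as RFC 3947 defines them (HASH over CKY-I | CKY-R | IP | port, remote address first) and then plays the receiver, recomputing both hashes from the addresses it actually saw on the packet. SHA-1 as the negotiated hash, the cookies and all addresses are constructed for the illustration.

```python
# Added example (not from the original slides): RFC 3947 NAT-Discovery payloads and
# the receiver's comparison. Hash (SHA-1), cookies and addresses are constructed.
import hashlib
import socket
import struct


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), IP and port in network order."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, src_ip, src_port, dst_ip, dst_port):
    """What the sender puts in message 3 (or 4): the remote address first, then its own."""
    return [nat_d(cky_i, cky_r, dst_ip, dst_port),
            nat_d(cky_i, cky_r, src_ip, src_port)]


def detect_nat(cky_i, cky_r, payloads, seen_src_ip, seen_src_port, my_ip, my_port):
    """Receiver side: recompute both hashes from the packet as it actually arrived.

    Returns (sender_behind_nat, receiver_behind_nat)."""
    remote_hash, local_hashes = payloads[0], payloads[1:]
    # The sender hashed its own address; if the packet arrived from something else,
    # a NAT rewrote the source on the way. (A multi-homed sender may list several.)
    sender_nat = nat_d(cky_i, cky_r, seen_src_ip, seen_src_port) not in local_hashes
    # The sender hashed what it believes our address is; if that is not us, we sit behind a NAT
    receiver_nat = nat_d(cky_i, cky_r, my_ip, my_port) != remote_hash
    return sender_nat, receiver_nat


CKY_I = bytes.fromhex("0011223344556677")   # constructed cookies
CKY_R = bytes.fromhex("8899aabbccddeeff")


def scenario_initiator_behind_nat():
    """Initiator 192.168.1.10:500 is translated to 203.0.113.5:1025 on its way to
    responder 198.51.100.1:500 (all addresses constructed)."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "192.168.1.10", 500, "198.51.100.1", 500)
    return detect_nat(CKY_I, CKY_R, payloads, "203.0.113.5", 1025, "198.51.100.1", 500)


def scenario_no_nat():
    """Both peers on public addresses: the hashes line up on both sides."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "203.0.113.5", 500, "198.51.100.1", 500)
    return detect_nat(CKY_I, CKY_R, payloads, "203.0.113.5", 500, "198.51.100.1", 500)


if __name__ == "__main__":
    print("initiator behind NAT:", scenario_initiator_behind_nat())
    print("no NAT:", scenario_no_nat())
```

Hashing rather than sending the raw addresses is what lets the check work without either peer revealing its private address, and it is why the cookies are in the hash: without them a third party could precompute NAT-D values for known addresses.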
What is the difference between NAT-T and IPSec-over-UDP ?
When NAT-T is enabled, it encapsulates the ESP packet with UDP only when it encounters a NAT device.
Otherwise, no UDP encapsulation is done. But, IPSec Over UDP, always encapsulates the packet with
UDP. NAT-T always use the standard port, UDP-4500. It is not configurable. IPSec over UDP normally
uses UDP-10000 but this could be any other port based on the configuration on the VPN server.
Why does AH not support NAT-T ?
AH is incompatible with Network Address Translation (NAT) because the AH integrity check value covers
the source and destination addresses of the IP header. When NAT rewrites an address, the ICV no longer
verifies and the IPSec peer rejects the packets. ESP does not cover the outer IP header, which is why only
ESP works with NAT-T.
Explain IPSec Phase or Phase 2
In Phase 2 you still specify parameters such as encryption and hashing algorithms, which are quite similar
to those in Phase 1. However, the parameters configured in Phase 2 are used to protect the data itself,
not the negotiation messages. In IKE Phase 2 the peers do not need to run Diffie-Hellman again: by
default the Phase 2 keys are derived from SKEYID_d, which came out of the Phase 1 Diffie-Hellman
exchange. It is possible to tell the peers to run DH again during IKE Phase 2 to generate new keys, but
this is not the default. You need to configure PFS (Perfect Forward Secrecy) if you want a fresh DH
secret in Phase 2. Phase 2 is also called Quick mode and 3 messages are exchanged between the peers.
All 3 messages are encrypted with SKEYID_e and authenticated with SKEYID_a, both generated in Phase 1.
Note -
If PFS is not needed, and KE payloads are not exchanged, the new keying material is defined as
 KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b).
If PFS is desired and KE payloads were exchanged, the new keying material is defined as
 KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
where g(qm)^xy is the shared secret from the ephemeral Diffie-Hellman exchange of this Quick Mode.
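The two KEYMAT formulas above, carried through in code as an added example that is not from the original slides, including the expansion rule from RFC 2409 section 5.5 (K1 = prf(SKEYID_d, seed), K2 = prf(SKEYID_d, K1 | seed), and so on, until enough bytes exist for the cipher key and the HMAC key). It also shows why the two SAs of a tunnel get different keys: each direction has its own SPI. The prf (HMAC-SHA1), the key sizes (AES-128 and HMAC-SHA1), SKEYID_d, the nonces, the SPIs and the ephemeral DH secret are constructed inputs.

```python
# Added example (not from the original slides): RFC 2409 5.5 Quick Mode KEYMAT,
# with and without PFS. prf = HMAC-SHA1 and all inputs are constructed stand-ins.
import hashlib
import hmac

PROTO_ESP = b"\x03"   # IPsec protocol identifier for ESP in the KEYMAT seed (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d, spi, ni_b, nr_b, needed, gqm_xy=b"", proto=PROTO_ESP):
    """KEYMAT = K1 | K2 | ... where
       K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
       Kn = prf(SKEYID_d, Kn-1 | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    cut to `needed` bytes. gqm_xy is empty without PFS."""
    seed = gqm_xy + proto + spi + ni_b + nr_b
    out, k = b"", b""
    while len(out) < needed:
        k = prf(skeyid_d, k + seed)
        out += k
    return out[:needed]


def esp_keys(skeyid_d, spi, ni_b, nr_b, gqm_xy=b"", enc_len=16, auth_len=20):
    """Split KEYMAT for one SA into its cipher key and HMAC key (AES-128 + HMAC-SHA1 assumed)."""
    km = keymat(skeyid_d, spi, ni_b, nr_b, enc_len + auth_len, gqm_xy)
    return km[:enc_len], km[enc_len:]


# Constructed inputs: SKEYID_d would come from Phase 1, the nonces from this Quick Mode
SKEYID_D = b"\xaa" * 20
NI_B, NR_B = b"\x01" * 16, b"\x02" * 16
SPI_IN, SPI_OUT = bytes.fromhex("0a0b0c0d"), bytes.fromhex("1a1b1c1d")   # one SPI per direction
GQM_XY = b"\x77" * 128   # ephemeral DH secret, only present when PFS was negotiated


def derive_both_directions(pfs=False):
    """Keys for the inbound and outbound SA of one tunnel."""
    g = GQM_XY if pfs else b""
    return (esp_keys(SKEYID_D, SPI_IN, NI_B, NR_B, g),
            esp_keys(SKEYID_D, SPI_OUT, NI_B, NR_B, g))


if __name__ == "__main__":
    (in_enc, in_auth), (out_enc, out_auth) = derive_both_directions()
    print("inbound != outbound:", in_enc != out_enc)
    print("PFS changes keys:", derive_both_directions(pfs=True) != derive_both_directions())
```

Without PFS everything on the right-hand side except the nonces is fixed for the life of the Phase 1 SA, so a compromise of SKEYID_d (and the captured Quick Mode nonces) yields every Phase 2 key ever derived from it; with PFS each rekey mixes in a fresh g(qm)^xy that is discarded afterwards.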
We can configure Phase 2 in Tunnel Mode or Transport Mode as per the network requirement. Each of
these modes has its own particular uses and care should be taken to ensure that the correct one is
selected for the solution
Transport Mode
In transport mode only the payload of the IP packet is encrypted and/or authenticated. Routing is
unchanged, since the IP header is neither modified nor encrypted; however, when the Authentication
Header is used the IP addresses cannot be translated, as this always invalidates the hash value. NAT
traversal in transport mode is restricted: the inner TCP/UDP checksum covers the original addresses, so
the receiver has to fix it up after decapsulation (RFC 3948), and many implementations only support
NAT-T in tunnel mode. The MSS is higher than in tunnel mode, as no additional IP header is required.
Tunnel Mode
In Tunnel Mode, the entire IP Packet is encrypted and /or authenticated. It is encapsulated with new IP
Packet with a new IP Header. Tunnel mode is most commonly used between gateways, or at an end-
station to a gateway, the gateway acting as a proxy for the hosts behind it. NAT traversal is supported
with the tunnel mode. Additional headers are added to the packet; so the payload MSS is less. The
transport mode is usually used when another tunneling protocol (such as GRE, L2TP) is used to first
encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets.
PFS or Perfect Forward Secrecy
During the initial IKE Phase 1 negotiation, public DH key values are exchanged to derive the shared
secret DH value. These public and private DH values are used to generate the session key used to
encrypt the 5th and 6th main mode exchanges. If you do not specify PFS, the same public and private
DH values derived in Phase 1 are used to generate the subsequent keying material that protects IPSEC
traffic. When PFS is used, an additional DH key exchange is performed in IKE Phase 2, and these new
public/private DH values are used to generate the keying material for the encrypted IPSEC traffic; a
compromise of the Phase 1 keys then no longer exposes the Phase 2 keys.
IPSec VPN Deployment Scenario
It gives you an overview of various design topologies, features and services currently used with IPSec.
Each technology uses IPsec as the underlying transport mechanism for each VPN.
 L2TP Over IPSec
Layer Two Tunneling Protocol (L2TP) is a combination of PPTP and Layer 2 Forwarding (L2F), a
technology proposed by Cisco® Systems, Inc. Rather than having two incompatible tunneling protocols
competing in the marketplace and causing customer confusion, the IETF mandated that the two
technologies be combined into a single tunneling protocol that represents the best features of PPTP and
L2F. L2TP is documented in RFC 2661. The primary benefit of configuring L2TP with IPSec in a remote
access scenario is that remote users can access a VPN over a public IP network without a gateway or a
dedicated line, enabling remote access from virtually anyplace with POTS. An additional benefit is that
the only client requirement for VPN access is the use of Windows 2000 with Microsoft Dial-Up
Networking (DUN). No additional client software, such as Cisco VPN client software, is required. The
Windows 2000 L2TP/IPSec client uses IPSec transport mode—only the IP payload is encrypted, and the
original IP headers are left intact. In order for Windows 2000 L2TP/IPSec clients to connect to the
security appliance, you must configure IPSec transport mode
More on this
(http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn
_l2tp_ipsec.html)
 Remote Access IPSec VPN
Remote access VPNs allow users to connect to a central site through a secure connection over a TCP/IP
network such as the Internet. The Internet Security Association and Key Management Protocol, also
called IKE, is the negotiation protocol that lets two hosts agree on how to build an IPSec Security
Association. Each ISAKMP negotiation is divided into two sections called Phase1 and Phase2. Phase 1
creates the first tunnel to protect later ISAKMP negotiation messages. Phase 2 creates the tunnel that
protects data travelling across the secure connection. The security appliance requires a method for
assigning IP addresses to users by configuring Address Pool. To identify remote access users to the
security appliance, configure usernames and passwords and Set the connection type to IPSec remote
access. We configure dynamic crypto maps that let the security appliance receive connections from
peers that have unknown IP addresses. Remote access clients fall in this category.
More on this
(http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/vpnrmote.ht
ml)
 VTI – Virtual Tunnel Interface
With IPSec VTIs, users can provide highly secure connectivity for site-to-site VPNs and can be combined
with Cisco AVVID (Architecture for Voice, Video and Integrated Data) to deliver converged voice, video,
and data over IP networks. The IPsec VTI allows for the flexibility of sending and receiving both IP
unicast and multicast encrypted traffic on any physical interface, such as in the case of multiple paths.
VTI comes in two flavors, SVTI (tunnel interface) and DVTI (virtual-template interface).
SVTI - Used for static "on-all-the-time" IPSec tunnels and typically thought of as a LAN-to-LAN
tunnel. The advantage of using SVTIs as opposed to crypto map configurations is that users can
enable dynamic routing protocols on the tunnel interface without the extra 4 bytes required for the GRE
header, thus reducing the bandwidth needed for sending encrypted data.
DVTI - It is used to provide "on-demand" connectivity. DVTI would be used in case of ezvpn (both server
and client!) and recently webvpn. The DVTI technology replaces dynamic crypto maps and the dynamic
hub-and-spoke method for establishing tunnels. Dynamic VTIs function like any other real interface so
that you can apply QoS, firewall, other security services as soon as the tunnel is active.
More on this (http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html)
 Point-To-Point GRE over IPSec
Generic Routing Encapsulation (GRE) is a tunneling protocol originally developed by Cisco Systems
(standardized in RFC 2784) that can encapsulate a wide variety of network-layer protocols inside virtual
point-to-point links over an IP network. A crypto-map based IPSec VPN only protects the unicast traffic
matched by the crypto ACL and cannot carry multicast between the peers, so dynamic routing protocols
cannot run inside such a tunnel. GRE solves this: the multicast routing traffic (OSPF, EIGRP, RIP) goes
into unicast GRE packets between the sites, and IPsec protects the GRE packets.
More on This (http://www.cisco.com/c/en/us/support/docs/security/vpn-5000-series-
concentrators/3969-vpn5k-stat.html)
 DMVPN – Dynamic Multipoint VPN
The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IPSec VPNs
by combining generic routing encapsulation (GRE) tunnels, IPSec encryption, and Next Hop Resolution
Protocol (NHRP) to provide users with easy configuration through crypto profiles, which override the
requirement for defining static crypto maps, and dynamic discovery of tunnel endpoints.
DMVPN has three phases:
 DMVPN Phase 1: all spokes have point-to-point tunnels to the hub only, so there is no dynamic
spoke-to-spoke connectivity; all spoke traffic goes through the hub.
 DMVPN Phase 2: every site is configured with an mGRE interface, so you get dynamic spoke-to-spoke
tunnels; the hub must advertise specific routes to the spokes (no summarization).
 DMVPN Phase 3: the hub can summarize routes into the DMVPN cloud; NHRP redirect (on the hub)
and NHRP shortcut (on the spokes) then install the spoke-to-spoke path on demand, which scales
better than Phase 2.
NHRP – Next Hop Resolution Protocol
NHRP (RFC 2332) is a resolution protocol and cache, like ARP or Inverse ARP on Frame Relay. It is used in
DMVPN to map a tunnel IP address to the NBMA (public) address of the peer.
More on this (http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-
mt/sec-conn-dmvpn-15-mt-book.pdf)
 VRF Aware IPSec
One obstacle to successfully deploying peer-to-peer VPNs is the separation of routing tables, and the
use of overlapping addresses, which usually results from using private IP addresses in customer
networks. The VRF-Aware IPsec feature, which introduces IPsec tunnel mapping to Multiprotocol Label
Switching (MPLS) VPNs, solves this problem. The VRF-Aware IPsec feature, known as VRF mode, allows
you to map IPsec tunnels to VPN routing and forwarding instances (VRFs) using a single public-facing
address. Each IPsec tunnel is associated with two VRF domains. The outer encapsulated packet belongs
to one VRF domain, called the front door VRF (FVRF), while the inner, protected IP packet belongs to
another domain called the inside VRF (IVRF)
The Cisco VPN Services Port Adapter (VSPA) is the next-generation VPN module designed to support
next-generation VPN technologies such as Virtual Routing and Forwarding (VRF)-Aware IPsec VPN.
Although the Cisco VSPA does not have physical WAN or LAN interfaces, it takes advantage of the
breadth of LAN and WAN interfaces in the Cisco Catalyst 6500 Series Switches, making it very attractive
for enterprises deploying the Cisco Catalyst 6500 Series Switch.
More on this
(http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/gui
de/ivmsw_book/ivmvpna.html#wp1055559)
 V3PN - Voice and Video Enabled IPSec VPN
It is nothing but Voice and Video Enabled IPSec VPN, which integrates three core Cisco technologies: IP
Telephony, Quality of Service (QoS), and IP Security (IPSec) VPN. The Cisco V3PN solution outlines a VPN
architecture that accommodates voice and video over IPsec. Because IP multicast is a key component of
many voice and video streaming technologies, V3PN requires the use of IPsec+GRE.
More on this
(http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/V3PN_SRND/V3PN_SRN
D/v3p_intr.html)
How does the traffic get Encrypted, in simple terms
 Router has a packet that is about to be forwarded, and it notices that it matches a crypto ACL.
 Router looks to see if there is an IPSec SA in place, if not....
 Router looks to see if there is an IKE Phase 1 SA in place, if not...
 Router becomes initiator, and sends over all of its IKE phase 1 policies.
 Remote router responds, by specifying which IKE phase 1 policy is a match.
 Both peers run DH, and generate shared secret keying material.
 Both peer authenticate with each other, using authentication method agreed to in IKE phase 1
negotiations. (IKE phase 1 tunnel is now up.)
 Using the IKE Phase 1 tunnel as a cloak of security, the two peers negotiate the details of IKE
Phase 2.
 DH is not run again, and shared secret keying material is used from the DH in IKE phase 1, unless
PFS is used.
 IKE phase 2 tunnel (AKA, the IPSec tunnel) is now in place, and the data is encapsulated and sent
through the tunnel.
Steps to configure IPSec Site-To-Site VPN on ASA
 Access-list - This is the interesting traffic or the traffic which you want to protect
 Configure Phase 1 parameters
o Encryption – DES, 3DES or AES
o Hashing – MD5 or SHA
o DH Group – DH 2 , DH 5 etc
o Authentication – Pre-Shared Key, RSA,
o Lifetime – Default 24 Hours
 Configure Phase 2 parameters
o Transform-set – AH or ESP, what encryption and hash to use
o Mode – Transport or Tunnel
 Configure Tunnel-group
o Peer IP
o Pre-Shared Key
 Configure Crypto-map – We call all the parameters we configured earlier
o Access-list
o Peer IP
o Transform-set
o NAT-T (Optional)
o PFS (Optional)
o Lifetime (Optional)
 Apply that crypto-map to the outside interface
 Enable IKE (ISAKMP) on the outside interface; without this the ASA never answers UDP 500
Troubleshooting IPSec VPN
Troubleshooting IPSec Site-To-Site VPN is quite simple. It’s always better to start your troubleshooting
by checking the Phase 1 and Phase 2 configs on both the side match exactly the same.
Verification Commands
 To check Phase 1 - ASA# show crypto isakmp sa detail | be <Peer IP>
 To check Phase 2 - ASA# show crypto ipsec sa peer <Peer IP>
 To check Phase 1 and Phase 2 parameters - ASA# show vpn-sessiondb detail l2l filter ipaddress
<Peer IP>
 To check the pre-shared key – ASA# more system:running-config | begin tunnel-group <Peer IP>
Phase 1
 Check Phase 1 policies on both the side
 You see nothing when you hit “Show Crypto ISAKMP SA”
o What to Check
 Check access-list to see if you see any hit counts increasing when you try to
initiate the traffic
 Check internal Routing
 Do a Trace-route, to see where the packet is getting dropped
 If you see MM_WAIT_MSG2, you have sent message 1 (your Phase 1 policies) and are waiting for a
reply from the peer that never came
o What to check
 Whether ISAKMP is enabled and the crypto map is applied on the outside interface
 Whether the peer IP is reachable at all (ping it; probably an ISP routing issue on one side)
 Phase 1 policies do not match, so the responder has no proposal to choose
 Whether UDP 500 (and 4500) is allowed by every firewall in the path
 If you see MM_WAIT_MSG4 (message 3 sent, no message 4 back)
o What to check
 Probably a pre-shared key problem (mismatch, or no tunnel-group for this peer on the other
side)
 If you see MM_WAIT_MSG6 (message 5 sent, no message 6 back)
o What to check
 Probably the pre-shared key does not match or is not configured: with a wrong key the peer
cannot decrypt message 5 and silently drops it. Confirm with "debug crypto isakmp" (or
"debug crypto ikev1" on newer releases) on both sides.
 Phase 1 is not stable, i.e. it continuously goes round and round from message 1 to 6. Phase 1 itself
completes, but Phase 2 fails and the tunnel is torn down and retried
o What to check
 Access-list (crypto ACL) mismatch: the proxy identities must mirror each other
 PFS enabled on one side only
 Transform-set missing or different on one side
 NAT-T enabled on one side only
 After this Phase 1 is established and the state shows "MM_ACTIVE"
Note – MM is Main Mode and AM is Aggressive Mode (an aggressive mode tunnel shows AM_ACTIVE)
Phase 2
 Check that the Phase 2 parameters (transform-set, crypto access-list, PFS, lifetime) match on both sides
 When Phase 2 is healthy you see both #pkts encaps and #pkts decaps increasing in "show crypto ipsec sa peer <Peer IP>"; if either counter is not moving there is
an issue.
 If encaps increases on your side and decaps stays at 0, your ASA encrypts and sends but never receives anything back: the issue is on the other side
o What to check
 The NAT statements (identity NAT / NAT exemption for the VPN traffic, so it is not translated before it reaches the crypto map)
 Internal routing (the return traffic must be routed back to the peer ASA)
 Whether the servers are up and running
 The firewall rules, whether the required services are allowed
 Ask the other side to ping the servers from their peer device, or to run a traceroute
and see where the packets are getting dropped
 If encaps stays at 0 on your side and decaps increases, you receive the peer's traffic but never send anything back: the issue is on your side
o What to check
 The same steps as above, on your own ASA. The NAT exemption is the usual culprit: if the reply is translated before the crypto ACL is evaluated, it never matches and is sent out in the clear instead of through the tunnel
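The Phase 1 states and the encaps/decaps rule of thumb above form a small decision table. The helper below, added here and not part of the original document, encodes that table: it parses pasted output of "show crypto ikev1 sa" (or "show crypto isakmp sa") and "show crypto ipsec sa peer <ip>" and returns the checks that apply. The sample outputs are constructed to resemble ASA 9.x output; the peer 203.0.113.2 and the counters are made up.

```python
"""Map ASA 'show crypto' output to the Phase 1 / Phase 2 checklist (added helper)."""
import re

# Phase 1: which message each MM_WAIT state is waiting for, and what that implies.
# MSG3/MSG5 are responder-side states; the responder is always one message behind.
PHASE1_CHECKS = {
    "MM_WAIT_MSG2": "Sent message 1 (our policies), no message 2 back: the peer never answered. "
                    "Check crypto map/IKEv1 enabled on its outside, UDP/500 reachability and a matching policy.",
    "MM_WAIT_MSG3": "Responder side: sent message 2, waiting for the initiator's DH value. "
                    "Check the initiator can reach us and its policies match.",
    "MM_WAIT_MSG4": "Sent our DH value (message 3), no message 4 back. The peer usually has no "
                    "tunnel-group / pre-shared key for our IP, so it cannot derive SKEYID.",
    "MM_WAIT_MSG5": "Responder side: sent message 4, waiting for the initiator's ID/hash. "
                    "Check the initiator has a pre-shared key configured for us.",
    "MM_WAIT_MSG6": "Sent our ID and hash (message 5), no message 6 back: the peer did not "
                    "authenticate us. Almost always a pre-shared key mismatch.",
    "MM_ACTIVE": "Phase 1 is up. Move on to the Phase 2 encaps/decaps counters.",
}
NO_SA_ADVICE = ("No IKE SA at all: interesting traffic never hit the crypto map. "
                "Check crypto ACL hit counts and internal routing, then traceroute.")

# 'IKE Peer: <ip>' ... 'State : <STATE>' belong to one SA block; re.S lets .*? span lines.
PEER_STATE_RE = re.compile(r"IKE Peer:\s*(?P<peer>\S+).*?State\s*:\s*(?P<state>[A-Z0-9_]+)", re.S)
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ike_sa(text):
    """Return {peer: state} for every SA listed in 'show crypto ikev1 sa' output."""
    return {m.group("peer"): m.group("state") for m in PEER_STATE_RE.finditer(text)}


def parse_ipsec_counters(text):
    """Return (encaps, decaps) summed over all IPsec SAs in 'show crypto ipsec sa' output."""
    encaps = sum(int(n) for n in ENCAPS_RE.findall(text))
    decaps = sum(int(n) for n in DECAPS_RE.findall(text))
    return encaps, decaps


def diagnose_phase2(encaps, decaps):
    """Apply the encaps/decaps rule of thumb from the Phase 2 section."""
    if encaps and decaps:
        return "Phase 2 healthy: traffic is encrypted and decrypted in both directions."
    if encaps and not decaps:
        return ("We encrypt but nothing comes back: the problem is on the remote side. Ask the "
                "peer to check NAT exemption, internal routing, host state and firewall rules.")
    if decaps and not encaps:
        return ("We receive but never encrypt: the problem is on our side. Check our NAT "
                "exemption (identity NAT before the crypto map), crypto ACL hits and routing.")
    return "No traffic either way: no interesting traffic matched the crypto ACL yet."


def troubleshoot(ike_text, ipsec_text, peer):
    """Combine both command outputs into one report for the given peer IP."""
    state = parse_ike_sa(ike_text).get(peer)
    if state is None:
        return {"phase1": "no SA", "advice": NO_SA_ADVICE}
    report = {"phase1": state,
              "advice": PHASE1_CHECKS.get(state, "Unknown state, run 'debug crypto ikev1 127'")}
    if state == "MM_ACTIVE":
        encaps, decaps = parse_ipsec_counters(ipsec_text)
        report.update(encaps=encaps, decaps=decaps, phase2=diagnose_phase2(encaps, decaps))
    return report


# Constructed sample output: Phase 1 stuck at message 6 (pre-shared key mismatch).
SAMPLE_IKE_SA_STUCK = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6
"""
# Constructed sample output: Phase 1 up, but Phase 2 only encapsulating.
SAMPLE_IKE_SA_UP = SAMPLE_IKE_SA_STUCK.replace("MM_WAIT_MSG6", "MM_ACTIVE")
SAMPLE_IPSEC_SA = """\
peer address: 203.0.113.2
    Crypto map tag: OUTSIDE-MAP, seq num: 10, local addr: 198.51.100.1

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 203.0.113.2

      #pkts encaps: 523, #pkts encrypt: 523, #pkts digest: 523
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    for ike in (SAMPLE_IKE_SA_STUCK, SAMPLE_IKE_SA_UP):
        print(troubleshoot(ike, SAMPLE_IPSEC_SA, "203.0.113.2"))
```

Paste the real command output into the two strings (or read it from files) and call troubleshoot() with the peer IP; run it on both ASAs, because the initiator and responder sit in different states and the "remote side" verdict on one box is the "our side" verdict on the other.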
FAQ – Frequently Asked Questions
 Does ASA support IPSec Site-To-Site VPN in multi context mode ?
o ASA 9.0(1) introduced support for IPsec site-to-site VPN in multi-context mode
 What if the IPSec peer has a dynamically assigned IP address?
o Configure a dynamic crypto map on the side with the static IP. Because that side does not know the peer's address, the dynamic peer must always initiate. Give the dynamic entry the highest sequence number in the crypto map so static peers are matched first, and put the pre-shared key in the DefaultL2LGroup tunnel-group, which is what an unknown peer IP falls back to (8.4 and later syntax; older releases use "set transform-set"):
o crypto dynamic-map DMAP 1 set ikev1 transform-set myset
o crypto dynamic-map DMAP 1 set reverse-route
o crypto map CMAP 10 ipsec-isakmp dynamic DMAP
o crypto map CMAP interface outside
o tunnel-group DefaultL2LGroup ipsec-attributes
o  ikev1 pre-shared-key <key>
 How do I check the pre-shared key that is configured?
o ASA# more system:running-config | begin tunnel-group <Peer IP> (show running-config masks the key as *****)
 Can I use dynamic routing over an IPSec VPN?
o Not over a plain crypto-map tunnel: IPsec protects unicast traffic only, and routing protocols use multicast hellos. The common solution is a GRE
tunnel between routers, encapsulated inside the IPsec tunnel, since GRE carries multicast
traffic. On newer ASA releases (9.7(1) and later) the route-based VTI is the alternative; later releases support BGP over it, check the release notes for your version.
 Does ASA support GRE tunnels?
o The ASA does not terminate GRE tunnels, so unless you have routers behind the ASAs
that can host the GRE tunnels, this option is not viable on the ASA itself (it will pass GRE, IP protocol 47, through).
 Can I terminate VPN connections on my FWSM?
o VPN functionality is not supported on the FWSM. Termination of VPN connections is the
responsibility of the switch and/or VPN Services Module
More Related Content

What's hot

SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERSSITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
NetProtocol Xpert
 
Ipsec
IpsecIpsec
IPsec with AH
IPsec with AHIPsec with AH
IPsec with AH
jtlevesque
 
Ip sec and ssl
Ip sec and  sslIp sec and  ssl
Ip sec and sslMohd Arif
 
Ipsecurity
IpsecurityIpsecurity
Ipsecurity
Chinmay Patel
 
Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar
ALLCAD Services Pvt Limited
 
IP Security
IP SecurityIP Security
IP Security
Ambo University
 
Ipsec
IpsecIpsec
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnel
ArunKumar Subbiah
 
Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)
CAS
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
sharetech
 
Network security cs9 10
Network security  cs9 10Network security  cs9 10
Network security cs9 10
Infinity Tech Solutions
 
Ike
IkeIke
IP Sec by Amin Pathan
IP Sec by Amin PathanIP Sec by Amin Pathan
IP Sec by Amin Pathanaminpathan11
 
Ip sec talk
Ip sec talkIp sec talk
Ip sec talk
anoean
 
Ip security in i psec
Ip security in i psecIp security in i psec
Ip security in i psecMohd Arif
 

What's hot (19)

SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERSSITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
 
Ipsec
IpsecIpsec
Ipsec
 
IPsec with AH
IPsec with AHIPsec with AH
IPsec with AH
 
Ip sec and ssl
Ip sec and  sslIp sec and  ssl
Ip sec and ssl
 
Ipsecurity
IpsecurityIpsecurity
Ipsecurity
 
Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar
 
IP Security
IP SecurityIP Security
IP Security
 
Ipsec
IpsecIpsec
Ipsec
 
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnel
 
Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
 
Network security cs9 10
Network security  cs9 10Network security  cs9 10
Network security cs9 10
 
Ike
IkeIke
Ike
 
I psec
I psecI psec
I psec
 
IP Sec by Amin Pathan
IP Sec by Amin PathanIP Sec by Amin Pathan
IP Sec by Amin Pathan
 
Ip sec talk
Ip sec talkIp sec talk
Ip sec talk
 
Ip security in i psec
Ip security in i psecIp security in i psec
Ip security in i psec
 
Ip Sec
Ip SecIp Sec
Ip Sec
 
Ip sec
Ip secIp sec
Ip sec
 

Viewers also liked

IPSec VPN
IPSec VPNIPSec VPN
The rsa algorithm JooSeok Song
The rsa algorithm JooSeok SongThe rsa algorithm JooSeok Song
The rsa algorithm JooSeok Song
Information Security Awareness Group
 
Configuring GRE Tunnel Through a Cisco ASA Firewall
Configuring GRE Tunnel Through a Cisco ASA FirewallConfiguring GRE Tunnel Through a Cisco ASA Firewall
Configuring GRE Tunnel Through a Cisco ASA Firewall
Harris Andrea
 
Troubleshooting Remote Workers and VPNs
Troubleshooting Remote Workers and VPNsTroubleshooting Remote Workers and VPNs
Troubleshooting Remote Workers and VPNs
ThousandEyes
 
IPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnelsIPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnels
Mustafa Khaleel
 
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01Duane Bodle
 
NAT in ASA Firewall
NAT in ASA FirewallNAT in ASA Firewall
NAT in ASA Firewall
NetProtocol Xpert
 
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
Ip sec vpn with dynamic routing   mikrotik and cisco - mikro-tik wikiIp sec vpn with dynamic routing   mikrotik and cisco - mikro-tik wiki
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wikiHuy Eav
 
Checkpoint Firewall Training | Checkpoint Firewall Online Course
Checkpoint Firewall Training | Checkpoint Firewall Online CourseCheckpoint Firewall Training | Checkpoint Firewall Online Course
Checkpoint Firewall Training | Checkpoint Firewall Online Course
Global Online Trainings
 
ASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & AnswersASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & Answers
NetProtocol Xpert
 
Ip sec training
Ip sec trainingIp sec training
Ip sec training
Wahyu Nasution
 
Alu xgpon solution for pt telkom akses 20130830+
Alu xgpon solution for pt telkom akses 20130830+Alu xgpon solution for pt telkom akses 20130830+
Alu xgpon solution for pt telkom akses 20130830+
Wahyu Nasution
 
Cisco trouble shooting
Cisco trouble shootingCisco trouble shooting
Cisco trouble shooting
Hamid Younesi
 
Checkpoint ccsa r76
Checkpoint ccsa r76Checkpoint ccsa r76
Checkpoint ccsa r76
Vaibhav Agrawal
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
Cisco Russia
 

Viewers also liked (18)

IPSec VPN
IPSec VPNIPSec VPN
IPSec VPN
 
The rsa algorithm JooSeok Song
The rsa algorithm JooSeok SongThe rsa algorithm JooSeok Song
The rsa algorithm JooSeok Song
 
Configuring GRE Tunnel Through a Cisco ASA Firewall
Configuring GRE Tunnel Through a Cisco ASA FirewallConfiguring GRE Tunnel Through a Cisco ASA Firewall
Configuring GRE Tunnel Through a Cisco ASA Firewall
 
Par2 2 0901(1)
Par2 2 0901(1)Par2 2 0901(1)
Par2 2 0901(1)
 
Troubleshooting Remote Workers and VPNs
Troubleshooting Remote Workers and VPNsTroubleshooting Remote Workers and VPNs
Troubleshooting Remote Workers and VPNs
 
IPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnelsIPsec vpn topology over GRE tunnels
IPsec vpn topology over GRE tunnels
 
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
Cisco ASA Firewall Interview Question "aka Stump-the-Chump" Question # 01
 
VSS_Final
VSS_FinalVSS_Final
VSS_Final
 
NAT in ASA Firewall
NAT in ASA FirewallNAT in ASA Firewall
NAT in ASA Firewall
 
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
Ip sec vpn with dynamic routing   mikrotik and cisco - mikro-tik wikiIp sec vpn with dynamic routing   mikrotik and cisco - mikro-tik wiki
Ip sec vpn with dynamic routing mikrotik and cisco - mikro-tik wiki
 
Checkpoint Firewall Training | Checkpoint Firewall Online Course
Checkpoint Firewall Training | Checkpoint Firewall Online CourseCheckpoint Firewall Training | Checkpoint Firewall Online Course
Checkpoint Firewall Training | Checkpoint Firewall Online Course
 
ASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & AnswersASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & Answers
 
Ip sec training
Ip sec trainingIp sec training
Ip sec training
 
Firewall
FirewallFirewall
Firewall
 
Alu xgpon solution for pt telkom akses 20130830+
Alu xgpon solution for pt telkom akses 20130830+Alu xgpon solution for pt telkom akses 20130830+
Alu xgpon solution for pt telkom akses 20130830+
 
Cisco trouble shooting
Cisco trouble shootingCisco trouble shooting
Cisco trouble shooting
 
Checkpoint ccsa r76
Checkpoint ccsa r76Checkpoint ccsa r76
Checkpoint ccsa r76
 
Understanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NATUnderstanding and Troubleshooting ASA NAT
Understanding and Troubleshooting ASA NAT
 

Similar to IPSec_VPN_Final_

A technical comparison of ip sec and ssl 2005
A technical comparison of ip sec and ssl  2005A technical comparison of ip sec and ssl  2005
A technical comparison of ip sec and ssl 2005Nadeer Abu Jraerr
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
 
Network security Slides fir bs-13.PPT.pptx
Network security Slides fir bs-13.PPT.pptxNetwork security Slides fir bs-13.PPT.pptx
Network security Slides fir bs-13.PPT.pptx
ahsanAli918806
 
The Security layer
The Security layerThe Security layer
The Security layer
Swetha S
 
IPSEC
IPSECIPSEC
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
Network security
Network securityNetwork security
Network security
anoop negi
 
Ipsec rbe guide
Ipsec rbe guideIpsec rbe guide
Ipsec rbe guide
Wahyu Nasution
 
IP security and VPN presentation
IP security and VPN presentation IP security and VPN presentation
IP security and VPN presentation
KishoreTs3
 
Ip Security.pptx
Ip Security.pptxIp Security.pptx
Ip Security.pptx
TouseeqHaider11
 
Moein
MoeinMoein
Thesis presentation 14023164
Thesis presentation 14023164Thesis presentation 14023164
Thesis presentation 14023164Thivya Devaraj
 
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
n|u - The Open Security Community
 
05 06 ike
05   06 ike05   06 ike
05 06 ike
Babaa Naya
 
IP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfIP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdf
solimankellymattwe60
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
David Sweigert
 

Similar to IPSec_VPN_Final_ (20)

A technical comparison of ip sec and ssl 2005
A technical comparison of ip sec and ssl  2005A technical comparison of ip sec and ssl  2005
A technical comparison of ip sec and ssl 2005
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
 
Network security Slides fir bs-13.PPT.pptx
Network security Slides fir bs-13.PPT.pptxNetwork security Slides fir bs-13.PPT.pptx
Network security Slides fir bs-13.PPT.pptx
 
The Security layer
The Security layerThe Security layer
The Security layer
 
ssl
sslssl
ssl
 
IPSEC
IPSECIPSEC
IPSEC
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
Network security
Network securityNetwork security
Network security
 
SSLtalk
SSLtalkSSLtalk
SSLtalk
 
Ipsec rbe guide
Ipsec rbe guideIpsec rbe guide
Ipsec rbe guide
 
IP security and VPN presentation
IP security and VPN presentation IP security and VPN presentation
IP security and VPN presentation
 
Ch16
Ch16Ch16
Ch16
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
 
Ip Security.pptx
Ip Security.pptxIp Security.pptx
Ip Security.pptx
 
Moein
MoeinMoein
Moein
 
Thesis presentation 14023164
Thesis presentation 14023164Thesis presentation 14023164
Thesis presentation 14023164
 
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
 
05 06 ike
05   06 ike05   06 ike
05 06 ike
 
IP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfIP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdf
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 

IPSec_VPN_Final_

  • 1. IPSec VPN Explained Contents  What is IPSec VPN  Why do we need IPSec VPN  IPSec Suite Explained o ESP – Encapsulating Security Payload o AH – Authentication Header o Encryption  Symmetric Encryption  Asymmetric Encryption  RSA (Rivest-Shamir-Adleman) Algorithm  Diffie-Hellman Key Exchange Protocol  IKE – Internet Key Exchnage o Difference between IKEv1 and IKEv2 o How to migrate from IKEv1 to IKEv2 o When the migration command is entered on the ASA  Explain ISAKMP Phase or Phase 1 o Main Mode o Aggressive Mode o How does DH & Symmetric Encryption work together to secure communication between two peers?  What do you mean by Security Association (SA) o IKE SA - o IPSec SA  NAT-Transversal or NAT-T o Why does IPSec Packets get Encapsulated in UDP Port 4500, after detecting NATting along the path o How does ASA detect that both the Peers support NAT o What is the difference between NAT-T and IPSec-over-UDP ? o Why does AH not support NAT-T ?  Explain IPSec Phase or Phase 2 o Transport Mode o Tunnel Mode o PFS or Perfect Forward Secrecy  IPSec VPN Deployment Scenario o L2TP Over IPSec o Remote Access IPSec VPN o VTI – Virtual Tunnel Interface
  • 2.  SVTI  DVTI o Point-To-Point GRE over IPSec o DMVPN – Dynamic Multipoint VPN o VRF Aware IPSec o V3PN - Voice and Video Enabled IPSec VPN  How does the traffic get Encrypted, in simple terms  Steps to configure IPSec Site-To-Site VPN on ASA  Troubleshooting IPSec Site-To-Site VPN o Verification command o Phase 1 o Phase 2  FAQ – Frequently Asked Questions
  • 3. IPSec VPN Explained What is IPSec VPN ? IPsec VPN is used to connect 2 or more sites securely over the internet. It forms a Tunnel between the peers and makes sure that the data is safe. IPsec VPN provides data integrity, keeps the data confidential and makes sure the data is sent to the correct user. Why do we need it ? Consider this; you have 2 sites located at different location. You want users to able to work with the users at the other sites so what will you do? You have multiple options Leased Line, Frame-Relay, MPLS etc but all of these options will cost you a fortune. So the easiest and the cheapest way to connect these sites is by IPSec Site-To-Site VPN. For this to work you just need an internet connection at both the sites. Explain IPSec Suite IPsec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPsec provides these security services at the IP layer; it uses IKE (ISAKMP) to handle negotiation of protocols and algorithms based on the local policy, and to generate the encryption and authentication keys to be used by IPsec. IPSec protocol (RFC 1825) provides IP network-layer encryption and defines a new set of headers to be added to IP datagram’s. IPsec works with the following serial encapsulations: High-Level Data-Links Control (HDLC), PPP, and Frame Relay. IPsec also works with Generic Routing Encapsulation (GRE) and IPinIP Layer 3, Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP), Data Link Switching+ (DLSw+), and SRB tunneling protocols.
  • 4. Encapsulating Security Payload (ESP) Encapsulating Security Payload is a member of the IPSec protocol suite. ESP operates directly on top of IP, using IP protocol number 50. ESP is primarily designed to provide encryption and authentication for the data that is being transferred over the internet. ESP header is inserted after the IP Header and before the next layer protocol header. Authentication Header (AH) Authentication Header is a member of the IPSec protocol suite. AH is used to authenticate the IP Packets and make sure the data integrity is intact. AH does not provide confidentiality, which means it does not encrypt tha data. AH operates directly on top of IP, using IP protocol number 51. Encryption Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating cipher text that can only be read if decrypted. There are two types of encryption i.e. Symmetric Encryption and Asymmetric Encryption.  Symmetric Encryption - Uses the same cryptographic key for both encryption of plain text and decryption of cipher text. For symmetric key cryptography to work for online communications, the secret key must be securely shared with authorized communicating parties and protected from discovery and use by unauthorized parties. Public key cryptography can be used to provide a secure method for exchanging secret keys online. Two of the most common key exchange algorithms are DH and RSA. Example - DES, 3DES, AES.
  • 5.  Asymmetric Encryption or public-key cryptography is cryptography in which a pair of keys is used to encrypt and decrypt a message so that it arrives securely. Initially, a network user receives a public and private key pair from a certificate authority. Any other user who wants to send an encrypted message can get the intended recipient's public key from a public directory. They use this key to encrypt the message, and they send it to the recipient. When the recipient gets the message, they decrypt it with their private key, which no one else should have access to. Example - DH, RSA RSA (Rivest-Shamir-Adleman) Algorithm RSA involves a public key and a private key. The public key can be known by everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key. Let’s say we have 2 peers, Peer A and Peer B. Both the peers generate a public key and private key. Now only the public key is shared to each other keeping the private key to itself. If Peer A wants to send data to Peer B, it will use B's Public key to encrypt traffic, only B can decrypt the traffic as nobody else has the private key. DH (Diffie-Hellman Key Exchange Protocol) Diffie-Helman is a way of generating a shared secret between two people in such a way that the secret can't be seen by observing the communication. You’re not sharing information during the key exchange; you're creating a key together. There is absolutely no way of figuring out the key, even if someone is watching over the traffic. It is primarily used as a method of exchanging cryptography keys for use in symmetric encryption algorithms like AES. The below diagram will give you a basic understanding how DH generates shared secrert key. (Source – Wikipedia)
  • 6. Hashing Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. Hashes play a role in security systems where they're used to ensure that transmitted messages have not been tampered with. The sender generates a hash of the message, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. If they're the same, there is a very high probability that the message was transmitted intact. Example – If you see below I have hash value for word “Hello”. And now I will just change the CAPS ‘H’ to small ‘h’. What do I get is completely different hash. So even if you change a single letter or add anything, the hash will change.
  • 7. IKE – Internet Key Exchnage A hybrid protocol that implements Oakley and SKEME key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. While IKE can be used with other protocols, its initial implementation is with the IPsec protocol. IKE provides authentication of the IPsec peers, negotiates IPsec security associations, and establishes IPsec keys. ISAKMP/Oakley uses UDP port 500 for negotiation. We have 2 flavours of IKE i.e. IKEv1 and IKEv2 Diffrence between IKEv1 and IKEv2  IKev1 Does not support EAP authentication  IKev2 introduced a feature called MOBIKE, to be used on mobile platforms and by users with milti homed setups  IKEv2 less bandwidth consumption  IKEv2 has built in NAT-T & DPD, whearas IKEv1 has an extention of it.  Each peer can use a different authentication method (Asymmetrical authentication) (e.g.Initiator: PSK and Responder: RSA-Sig)  Each peer can delete SAs anytime by exchanging DELETE payloads. How to migrate from IKEv1 to IKEv2 If your IKEv1, or even SSL, configuration already exists, the ASA makes the migration process simple. On the command line, enter the migrate command: hostname(config)# migrate {l2l | remote-access {ikev2 | ssl} | overwrite}  L2L - This converts current IKEv1 l2l tunnels to IKEv2.  Remote access - This converts the remote access configuration. You can convert either the IKEv1 or the SSL tunnel groups to IKEv2.  Overwrite - If you have a IKEv2 configuration that you wish to overwrite, then this keyword converts the current IKEv1 configuration and removes the superfluous IKEv2 configuration. When the migration command is entered on the ASA  The current IKEv1 configurations are not deleted  IKEv1 and IKEv2 configurations run in parallel and on the same crypto map.  The ASA always prefers to initiate IKEv2, but if it cannot, it falls back to IKEv1. 
 When both IKEv1 and IKEv2 run in parallel, ASA uses a module called tunnel manager/IKE common on the initiator to determine the crypto map and IKE protocol version to use for a connection.
  • 8. Explain ISAKMP Phase or Phase 1 Both the peers identify each other and negotiate a common policy on which the IKE SA's would be formed. The phase 1 encryption & hashing algorithm is used to protect negotiation messages between the peers & not the data. Phase 1 IKEv1 negotiations can use either main mode or aggressive mode. Aggressive mode requires only two exchanges between the peers totaling three messages and Main Mode requires three exchanges totaling six messages. Aggressive mode is faster, but does not provide identity protection for the communicating parties. Main Mode Note - First 4 messages are sent in plain text  1st Message - When IKE negotiations begin, the peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer tries to find a match.  2nd Message - The remote peer checks all of the peer's policies against each of its configured policies until it discovers a match. A match exists when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values. Note - Lifetime configured in Phase 1 is not mandatory to match on both the sides. The peer having the lower value is agreed upon during negotiation. Rest all of the components like, encryption, authentication, group and hash should match.  3rd Message - Key Exchange payload that contains public information exchanged in a Deffie- Hellman exchange in order to generate a DH shared key. Nonce payload used as an input in key generation algorithm and is also used as an ant replay mechanism to prevent an attacker to replay an old message.
  • 9.  4th Message - This fourth packet as you would expect comes from the remote endpoint back to initiator and contains the remote endpoints Key Exchange and Nonce payload. Note - After the 4th Message both the peers generate 4 secret keys (SKEYID, SKEYID_d, SKEYID_a, and SKEYID_e) Session Key(SKEY ID) - Is a string derived from secret material known only to the active players in the exchange  SKEYID_d - Used to calculate IPSec Keying Material (For Phase 2)  SKEYID_a - Used to provide data integrity and authentication to IKE Messages  SKEYID_e - Used to encrypt IKE Messages The result of either Main Mode or Aggressive Mode is three groups of authenticated keying material:  SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)  SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)  SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) SKEYID_e is used to encrypt the payloads of 5th and 6th message  5th Message - It contains the Identity payload and Hash Payload of the initiator. The identity can be IPv4 address, IPv6 address or FQDN. Hash payload would contain the hash value of Pre- Shared Key and sent across to the other peer.  6th Message - It contains the Identity payload and Hash Payload of the responder. Note - Peers get authenticated in the 5th and 6th message. Both the peer’s exchange the Hash Payload, which contains the hash value of the pre-shared key. Once the responder gets the 5th message, it calculates the hash value of the pre-shred configured on its side and matches it with the hash value in the 5th message. If both the hash value matches the peer is authenticated. Same process happens in 6th message and the other side is authenticated. Aggressive Mode The purpose of the Aggressive mode is the same as Main mode. It exchanges 3 messages in total, which makes it less secure compared to Main mode. The identities are not protected as they are sent in plain text. 
 1st Message - The initiator sends a list of ISAKMP Policy, DH public value, nonce and the identity in the first message.  2nd Message - The responder reply back with the ISAKMP Policy selected, his DH public value, his identity, authentication payload for pre-shared key and encrypted nonce authentication payload.  3rd Message - The initiator sends his authentication payload as the final message
  • 10. How does DH & Symmetric Encryption work together to secure communication between two peers ? Think of it like this: You create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So A becomes "C," and "B" becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the encrypted message and decrypts it with the help of the secret code. Anyone else who sees the message will see only nonsense. What do you mean by Security Association (SA) An SA is a relationship between two VPN endpoints, which describes how those endpoints will use security services (technologies and protocols) to communicate securely.  IKE SA - The IKE SA governs negotiation of the IPSec SA as specified in the "crypto isakmp policy". IKE SA is bi-directional in nature, it simply means that a single SA is agreed upon and used to send and receive to the remote peer.  IPSec SA - The two IPSec peers must determine exactly which algorithms to use (for example, DES or 3DES for encryption, MD5 or SHA for integrity).As you can see, there is quite a bit of information to manage. The security association is the method that IPSec uses to track all the particulars concerning a given IPSec communication session. The IPsec SA must be unidirectional (each peer has 2 SAs with separate keying material), 1 SA to send and 1 SA to receive from the remote peer. NAT-Transversal or NAT-T What if there is NATing Device along the path ? Enable IPsec over NAT-T NAT-T lets IPsec peers establish a connection through a NAT device. It does this by encapsulating IPsec traffic in UDP datagram’s, using port 4500, which provides NAT devices with port information. NAT-T auto-detects any NAT devices and only encapsulates IPsec traffic when necessary. This feature is disabled by default. 
NAT Traversal performs two tasks:  Detects if both ends support NAT-T  Detects NAT devices along the transmission path (NAT-Discovery) Enter the following command to enable IPsec over NAT-T globally on the ASA: Hostname(config)#crypto isakmp nat-traversal natkeepalive Note - When you enable NAT-T, the ASA automatically opens port 4500 on all IPsec-enabled interfaces
  • 11. Why does IPSec Packets get Encapsulated in UDP Port 4500, after detecting NATting along the path ESP is an IP Protocol just like TCP and UDP but it does not have any port information. Because there is no port to change in the ESP packet, the binding database can't assign a unique port to the packet at the time it changes its RFC 1918 address to the publically routable address. If the packet can't be assigned a unique port then the database binding won't complete and there is no way to tell which inside host sourced this packet. As a result there is no way for the return traffic to be untranslated successfully. How does ASA detect that both the Peers support NAT  Main Mode: Message 1 & 2: It checks if both the devises support NAT-T  Main Mode: Message 3 & 4: If both the devices support NAT-T, then NAT-Discovery messages are exchanged. The NAT-D payload sent is a hash of the original IP address and port. Devices exchange two NAT-D packets, one with source IP and port, and another with destination IP and port. The receiving device recalculates the hash and compares it with the hash it received; if they don't match a NAT device exists  Main Mode: Message 5 & 6: If NAT device has been determined to exist - all ISAKMP packets change from UDP port 500 to UDP port 4500. What is the difference between NAT-T and IPSec-over-UDP ? When NAT-T is enabled, it encapsulates the ESP packet with UDP only when it encounters a NAT device. Otherwise, no UDP encapsulation is done. But, IPSec Over UDP, always encapsulates the packet with UDP. NAT-T always use the standard port, UDP-4500. It is not configurable. IPSec over UDP normally uses UDP-10000 but this could be any other port based on the configuration on the VPN server. Why does AH not support NAT-T ? AH is incompatible with Network Address Translation (NAT) because NAT changes the source IP address, which breaks the AH header and causes the packets to be rejected by the IPSec peer. 
Explain IPSec Phase or Phase 2

In Phase 2 you still specify parameters such as encryption and hashing algorithms, which are quite similar to those in Phase 1. However, the parameters configured in Phase 2 are used to protect the data itself, not the negotiation messages. In IKE Phase 2 we do not need to run the Diffie-Hellman key exchange again, because the peers already have the keys set up from the Diffie-Hellman exchange in IKE Phase 1. It is possible to tell the peers to run DH again during IKE Phase 2 to generate new keys, but this is not the default: you need to configure PFS (Perfect Forward Secrecy) if you want fresh DH keys in Phase 2. Phase 2 is also called Quick Mode, and 3 messages are exchanged between the peers. All 3 messages are protected by the SKEYID_e generated in Phase 1.
Note - If PFS is not needed and KE payloads are not exchanged, the new keying material is defined as

  KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)

If PFS is desired and KE payloads were exchanged, the new keying material is defined as

  KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)

where g(qm)^xy is the shared secret from the ephemeral Diffie-Hellman exchange of this Quick Mode.

We can configure Phase 2 in Tunnel Mode or Transport Mode as the network requires. Each mode has its own particular uses, and care should be taken to ensure that the correct one is selected for the solution.

Transport Mode
In transport mode, only the payload of the IP packet is usually encrypted and/or authenticated. Routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be translated, as this always invalidates the hash value. NAT traversal IS NOT supported with transport mode. The MSS is higher than in tunnel mode, as no additional headers are required.

Tunnel Mode
In tunnel mode, the entire IP packet is encrypted and/or authenticated and is encapsulated in a new IP packet with a new IP header. Tunnel mode is most commonly used between gateways, or from an end-station to a gateway, with the gateway acting as a proxy for the hosts behind it. NAT traversal is supported with tunnel mode. Additional headers are added to the packet, so the payload MSS is lower.

Transport mode is usually used when another tunneling protocol (such as GRE or L2TP) is used first to encapsulate the IP data packet, and IPsec is then used to protect the GRE/L2TP tunnel packets.
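The two KEYMAT formulas in the note above, carried through in code as an added example (not code from the slides or from any Cisco implementation). It assumes HMAC-SHA1 as the negotiated prf and uses constructed values for SKEYID_d, the nonces, the SPIs and g(qm)^xy. It also implements the RFC 2409 expansion K1 | K2 | ... that is needed when an SA needs more keying material than one prf output, and it shows what the PFS section below is about: a later compromise of the Phase 1 state (SKEYID_d together with the Quick Mode nonces and SPI) lets the non-PFS KEYMAT be recomputed, but not the PFS KEYMAT.

```python
import hmac

PROTO_IPSEC_ESP = 3  # ISAKMP protocol identifier for ESP (RFC 2407)


def prf(key, data, hash_name="sha1"):
    """The IKEv1 prf is the negotiated HMAC; HMAC-SHA1 is assumed in this example."""
    return hmac.new(key, data, hash_name).digest()


def quick_mode_keymat(skeyid_d, spi, ni_b, nr_b, g_qm_xy=None, length=40, hash_name="sha1"):
    """Derive the Phase 2 KEYMAT for one IPsec SA as in RFC 2409 section 5.5.

    Without PFS:  KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:     KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    If more material is needed than one prf output, it is expanded as
    K1 = prf(SKEYID_d, [g(qm)^xy |] seed), K2 = prf(SKEYID_d, K1 | [g(qm)^xy |] seed), ...
    and KEYMAT = K1 | K2 | ...
    """
    seed = (g_qm_xy or b"") + bytes([PROTO_IPSEC_ESP]) + spi + ni_b + nr_b
    keymat, block = b"", b""
    while len(keymat) < length:
        block = prf(skeyid_d, block + seed, hash_name)
        keymat += block
    return keymat[:length]


# Constructed stand-ins for what the peers hold after Phase 1 and what is
# exchanged (under SKEYID_e) in Quick Mode; none of this is real captured data.
SKEYID_D = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0aabbccdd")  # from Phase 1
NI_B = bytes.fromhex("11" * 16)            # initiator nonce
NR_B = bytes.fromhex("22" * 16)            # responder nonce
SPI_INBOUND = bytes.fromhex("deadbeef")    # each SA direction has its own SPI
SPI_OUTBOUND = bytes.fromhex("c0ffee01")
G_QM_XY = bytes.fromhex("33" * 32)         # ephemeral DH secret of this Quick Mode (PFS only)


def keys_for_sa_pair(pfs):
    """Both SAs of one Quick Mode, derived separately because the SPI differs."""
    dh = G_QM_XY if pfs else None
    return (quick_mode_keymat(SKEYID_D, SPI_INBOUND, NI_B, NR_B, dh),
            quick_mode_keymat(SKEYID_D, SPI_OUTBOUND, NI_B, NR_B, dh))


def recoverable_from_phase1_state(pfs):
    """Would SKEYID_d plus the Quick Mode SPI and nonces reproduce the real key?

    Without PFS the answer is yes. With PFS the g(qm)^xy value is not part of
    the Phase 1 state, so the recomputation (made without it) does not match.
    """
    real_inbound, _ = keys_for_sa_pair(pfs)
    recomputed = quick_mode_keymat(SKEYID_D, SPI_INBOUND, NI_B, NR_B, None)
    return recomputed == real_inbound


if __name__ == "__main__":
    print("no PFS: KEYMAT recoverable from Phase 1 state:", recoverable_from_phase1_state(False))
    print("PFS:    KEYMAT recoverable from Phase 1 state:", recoverable_from_phase1_state(True))
```

Inbound and outbound keys come out different even though every other input is shared, because the SPI is part of the seed. With PFS the peers also discard g(qm)^xy once the Quick Mode is done, which is what gives the forward secrecy: nothing kept after the exchange allows the KEYMAT to be regenerated.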
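To put numbers on the MSS remarks in the two mode descriptions above, here is an added example (not from the slides) that computes the on-the-wire size of an ESP-protected TCP segment in transport and tunnel mode, with and without the NAT-T UDP header, and the largest TCP payload that still fits a 1500-byte MTU. The algorithm sizes are the example's assumption, not the page's: AES-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte ICV), and IPv4 headers without options.

```python
def esp_packet_size(tcp_payload, mode, nat_t=False, *, block=16, iv=16, icv=12,
                    ip_hdr=20, tcp_hdr=20, udp_hdr=8, esp_hdr=8):
    """Bytes on the wire for one TCP segment protected by ESP.

    Assumed (not from the page): AES-CBC (16-byte block and IV), HMAC-SHA1-96
    (12-byte ICV), IPv4 headers without options; esp_hdr is SPI + sequence number.
    """
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    inner = tcp_hdr + tcp_payload
    if mode == "tunnel":
        inner += ip_hdr                  # the original IP header is now inside the ESP payload
    pad = (-(inner + 2)) % block         # ESP trailer: payload + pad + pad-length + next-header fills the block
    encrypted = inner + pad + 2
    outer = ip_hdr + (udp_hdr if nat_t else 0)   # NAT-T inserts a UDP header (port 4500)
    return outer + esp_hdr + iv + encrypted + icv


def max_tcp_payload(mode, mtu=1500, nat_t=False, **algo):
    """Largest TCP payload (the MSS worth advertising) whose ESP packet still fits the MTU."""
    best = 0
    for n in range(mtu):
        if esp_packet_size(n, mode, nat_t, **algo) > mtu:
            break
        best = n
    return best


def mss_table(mtu=1500, **algo):
    """Usable MSS for each (mode, nat_t) combination."""
    return {(mode, nat_t): max_tcp_payload(mode, mtu, nat_t, **algo)
            for mode in ("transport", "tunnel") for nat_t in (False, True)}


if __name__ == "__main__":
    for (mode, nat_t), mss in mss_table().items():
        print(f"{mode:9s} nat_t={str(nat_t):5s} -> usable TCP MSS {mss}")
```

The 20-byte gap between transport and tunnel mode is the extra IP header the text refers to. NAT-T adds only an 8-byte UDP header, but because the ESP payload is padded to the cipher block size it can cost a full block of payload (16 bytes here); for 3DES pass block=8 and iv=8 to mss_table and the padding granularity changes accordingly.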
PFS or Perfect Forward Secrecy

During the initial IKE Phase 1 negotiation, public DH values are exchanged to derive the shared DH secret. These public and private DH values are used to generate the session key that encrypts the 5th and 6th main mode exchanges. If you do not specify PFS, the same public and private DH values derived in Phase 1 are used to generate the subsequent keying material that protects IPSEC traffic. When PFS is used, an additional DH key exchange is performed in IKE Phase 2, and these new public/private DH values are used to generate the keying material for the encrypted IPSEC traffic.

IPSec VPN Deployment Scenario

This section gives an overview of the various design topologies, features and services currently used with IPSec. Each technology uses IPsec as the underlying transport mechanism for its VPN.

• L2TP Over IPSec
Layer Two Tunneling Protocol (L2TP) is a combination of PPTP and Layer 2 Forwarding (L2F), a technology proposed by Cisco Systems, Inc. Rather than having two incompatible tunneling protocols competing in the marketplace and causing customer confusion, the IETF mandated that the two technologies be combined into a single tunneling protocol that represents the best features of PPTP and L2F. L2TP is documented in RFC 2661.
The primary benefit of configuring L2TP with IPSec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, enabling remote access from virtually anyplace with POTS. An additional benefit is that the only client requirement for VPN access is Windows 2000 with Microsoft Dial-Up Networking (DUN); no additional client software, such as the Cisco VPN client, is required. The Windows 2000 L2TP/IPSec client uses IPSec transport mode: only the IP payload is encrypted, and the original IP headers are left intact. For Windows 2000 L2TP/IPSec clients to connect to the security appliance, you must configure IPSec transport mode.
More on this (http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_l2tp_ipsec.html)

• Remote Access IPSec VPN
Remote access VPNs allow users to connect to a central site through a secure connection over a TCP/IP network such as the Internet. The Internet Security Association and Key Management Protocol (ISAKMP), also called IKE, is the negotiation protocol that lets two hosts agree on how to build an IPSec Security Association. Each ISAKMP negotiation is divided into two sections called Phase 1 and Phase 2. Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data travelling across the secure connection. The security appliance requires a method for assigning IP addresses to users, which is configured as an address pool. To identify remote access users to the security appliance, configure usernames and passwords and set the connection type to IPSec remote access. We configure dynamic crypto maps, which let the security appliance accept connections from peers whose IP addresses are unknown; remote access clients fall into this category.
More on this (http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/vpnrmote.html)

• VTI – Virtual Tunnel Interface
With IPSec VTIs, users can provide highly secure connectivity for site-to-site VPNs, which can be combined with Cisco AVVID (Architecture for Voice, Video and Integrated Data) to deliver converged voice, video, and data over IP networks. The IPsec VTI allows the flexibility of sending and receiving both IP unicast and multicast encrypted traffic on any physical interface, such as in the case of multiple paths. VTI comes in two flavors: SVTI (tunnel interface) and DVTI (virtual-template interface).
SVTI - Used for static "on-all-the-time" IPSec tunnels and typically thought of as a LAN-to-LAN tunnel. The advantage of using SVTIs over crypto map configurations is that users can enable dynamic routing protocols on the tunnel interface without the extra 4 bytes required for GRE headers, thus reducing the bandwidth needed for sending encrypted data.
DVTI - Used to provide "on-demand" connectivity. DVTI is used in the case of EzVPN (both server and client) and more recently WebVPN. The DVTI technology replaces dynamic crypto maps and the dynamic hub-and-spoke method for establishing tunnels. Dynamic VTIs function like any other real interface, so you can apply QoS, firewall and other security services as soon as the tunnel is active.
More on this (http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html)

• Point-To-Point GRE over IPSec
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an IP network. By default, an IPSec VPN cannot send multicast traffic between the peers, which means we cannot run dynamic routing protocols inside the tunnel. To overcome this, Cisco developed GRE so that we can run dynamic routing protocols (such as OSPF, EIGRP and RIP) between the sites.
More on this (http://www.cisco.com/c/en/us/support/docs/security/vpn-5000-series-concentrators/3969-vpn5k-stat.html)

• DMVPN – Dynamic Multipoint VPN
The Dynamic Multipoint VPN (DMVPN) feature allows users to better scale large and small IPSec VPNs by combining generic routing encapsulation (GRE) tunnels, IPSec encryption, and Next Hop Resolution Protocol (NHRP). It gives users easy configuration through crypto profiles, which remove the requirement for defining static crypto maps, and dynamic discovery of tunnel endpoints. DMVPN has 3 phases:
  o DMVPN Phase 1: all the spokes are static tunnels, so there is no dynamic spoke-to-spoke connectivity.
  o DMVPN Phase 2: every site is configured with an mGRE interface, so you get dynamic spoke-to-spoke connectivity.
  o DMVPN Phase 3: this involves summarizing into the DMVPN cloud to provide.

NHRP – Next Hop Resolution Protocol
NHRP is a layer-two resolution protocol and cache, like ARP or Reverse ARP (Frame Relay). It is used in DMVPN to map a tunnel IP address to an NBMA address.
More on this (http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book.pdf)
• VRF Aware IPSec
One obstacle to successfully deploying peer-to-peer VPNs is the separation of routing tables and the use of overlapping addresses, which usually results from using private IP addresses in customer networks. The VRF-Aware IPsec feature, which introduces IPsec tunnel mapping to Multiprotocol Label Switching (MPLS) VPNs, solves this problem. The VRF-Aware IPsec feature, known as VRF mode, allows you to map IPsec tunnels to VPN routing and forwarding instances (VRFs) using a single public-facing address. Each IPsec tunnel is associated with two VRF domains: the outer encapsulated packet belongs to one VRF domain, called the front door VRF (FVRF), while the inner, protected IP packet belongs to another domain, called the inside VRF (IVRF).
The Cisco VPN Services Port Adapter (VSPA) is the next-generation VPN module designed to support next-generation VPN technologies such as Virtual Routing and Forwarding (VRF)-Aware IPsec VPN. Although the Cisco VSPA does not have physical WAN or LAN interfaces, it takes advantage of the breadth of LAN and WAN interfaces in the Cisco Catalyst 6500 Series Switches, making it very attractive for enterprises deploying the Cisco Catalyst 6500 Series Switch.
More on this (http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmvpna.html#wp1055559)

• V3PN - Voice and Video Enabled IPSec VPN
V3PN is Voice and Video Enabled IPSec VPN, which integrates three core Cisco technologies: IP Telephony, Quality of Service (QoS), and IP Security (IPSec) VPN. The Cisco V3PN solution outlines a VPN architecture that accommodates voice and video over IPsec. Because IP multicast is a key component of many voice and video streaming technologies, V3PN requires the use of IPsec+GRE.
More on this (http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/V3PN_SRND/V3PN_SRND/v3p_intr.html)

How does the traffic get encrypted, in simple terms
• The router has a packet that is about to be forwarded, and notices that it matches a crypto ACL.
• The router checks whether an IPSec SA is in place; if not...
• The router checks whether an IKE Phase 1 SA is in place; if not...
• The router becomes the initiator and sends over all of its IKE Phase 1 policies.
• The remote router responds by specifying which IKE Phase 1 policy is a match.
• Both peers run DH and generate shared secret keying material.
• Both peers authenticate each other using the authentication method agreed in the IKE Phase 1 negotiation. (The IKE Phase 1 tunnel is now up.)
• Using the IKE Phase 1 tunnel as a cloak of security, the two peers negotiate the details of IKE Phase 2.
• DH is not run again; the shared secret keying material from the DH in IKE Phase 1 is reused, unless PFS is used.
• The IKE Phase 2 tunnel (AKA the IPSec tunnel) is now in place, and the data is encapsulated and sent through the tunnel.

Steps to configure IPSec Site-To-Site VPN on ASA
• Access-list - This defines the interesting traffic, i.e. the traffic you want to protect
• Configure Phase 1 parameters
  o Encryption – DES, 3DES or AES
  o Hashing – MD5 or SHA
  o DH Group – DH 2, DH 5 etc.
  o Authentication – Pre-Shared Key or RSA
  o Lifetime – Default 24 hours
• Configure Phase 2 parameters
  o Transform-set – AH or ESP, and which encryption and hash to use
  o Mode – Transport or Tunnel
• Configure Tunnel-group
  o Peer IP
  o Pre-Shared Key
• Configure Crypto-map – this references all the parameters configured earlier
  o Access-list
  o Peer IP
  o Transform-set
  o NAT-T (optional)
  o PFS (optional)
  o Lifetime (optional)
• Apply that crypto-map to the outside interface
• Enable crypto on the outside interface
Troubleshooting IPSec VPN

Troubleshooting IPSec Site-To-Site VPN is quite simple. It is always best to start your troubleshooting by checking that the Phase 1 and Phase 2 configs on both sides match exactly.

Verification Commands
• To check Phase 1 - ASA# show crypto isakmp sa detail | be <Peer IP>
• To check Phase 2 - ASA# show crypto ipsec sa peer <Peer IP>
• To check Phase 1 and Phase 2 parameters - ASA# show vpn-sessiondb detail l2l filter ipaddress <Peer IP>
• To check the Pre-Shared Key – ASA# more system:running-config | begin tunnel-group <Peer IP>

Phase 1
• Check the Phase 1 policies on both sides.
• You see nothing when you run "show crypto isakmp sa"
  o What to check
    - Check the access-list to see whether the hit counts increase when you try to initiate the traffic
    - Check internal routing
    - Do a traceroute to see where the packet is getting dropped
• If you see MM_WAIT_MSG2, it means you have initiated the traffic and sent the peer your Phase 1 policies to match on its side, but the peer is not able to reach your peer IP
  o What to check
    - Whether the crypto map is enabled on the outside interface
    - Probably an ISP routing issue on the peer's side
    - Phase 1 policies do not match
    - You will probably not be able to ping the peer IP (ISP routing issue)
• If you see MM_WAIT_MSG4
  o What to check
    - Probably a pre-shared key mismatch between the two sides
• If you see MM_WAIT_MSG6
  o What to check
    - Probably the pre-shared key is not configured
• Phase 1 is not stable, i.e. it keeps cycling round and round from message 1 to 6
  o What to check
    - Access-list mismatch
    - PFS enabled on one side only
    - Transform-set missing on one side
    - NAT-T enabled on one side only
• After this, Phase 1 will be established and you will see "MM_ACTIVE"

Note – MM is Main Mode and AM is Aggressive Mode

Phase 2
• Check the Phase 2 configs on both sides.
• When Phase 2 is good you will see encaps and decaps increasing; if either is not, there is an issue.
• If encaps are increasing on your side and decaps are 0, the issue is on the other side.
  o What to check
    - Check that the NAT statements are configured properly
    - Check the internal routing
    - Check that the servers are up and running
    - Check the firewall rules and see whether the required services are allowed
    - Ask the other side to ping the servers from the peer IP device, or do a traceroute and see where the packets are getting dropped
• If encaps are 0 on your side and decaps are increasing, the issue is on our side.
  o What to check
    - Do the same steps mentioned above
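The configuration steps listed earlier and the "check that both sides match" advice at the start of the troubleshooting section, combined into one added example (not code from the slides or from Cisco). It is a small checker that parses the Phase 1 policy, transform-set, crypto map, crypto ACL and NAT-T lines of two constructed ASA configs (the crypto ikev1 syntax of ASA 8.4 and later is assumed; lines the check does not need, such as the interface bindings, are ignored) and reports the mismatches the Phase 1 checklist names: no policy in common, PFS on one side only, a missing transform-set, non-mirrored access-lists and NAT-T on one side only.

```python
import re

# Constructed ASA configs (crypto ikev1 syntax) for the two peers; example material,
# not taken from the page. Peer B is derived from peer A with the ACL mirrored and
# two deliberate mismatches: DH group 2 instead of 5, and no PFS on the crypto map.
PEER_A = """\
access-list VPN-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
crypto map CMAP 10 match address VPN-ACL
crypto map CMAP 10 set peer 203.0.113.2
crypto map CMAP 10 set ikev1 transform-set TS
crypto map CMAP 10 set pfs group5
crypto map CMAP interface outside
crypto ikev1 enable outside
crypto isakmp nat-traversal 20
"""
PEER_B = (PEER_A.replace("10.1.1.0 255.255.255.0 10.2.2.0", "10.2.2.0 255.255.255.0 10.1.1.0")
                .replace(" group 5\n", " group 2\n")
                .replace("set peer 203.0.113.2", "set peer 203.0.113.1")
                .replace("crypto map CMAP 10 set pfs group5\n", ""))
PHASE1_KEYS = ("authentication", "encryption", "hash", "group")


def parse_asa(config):
    """Collect the Phase 1 / Phase 2 relevant pieces of an ASA configuration."""
    cfg = {"policies": {}, "transform_sets": {}, "maps": {}, "acls": {}, "nat_t": False}
    policy = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and policy is not None:      # inside "crypto ikev1 policy N"
            key, _, value = line.strip().partition(" ")
            policy[key] = value
            continue
        policy = None
        if line.startswith("crypto ikev1 policy "):
            policy = cfg["policies"].setdefault(int(line.split()[3]), {})
        elif (m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line)):
            cfg["acls"].setdefault(m.group(1), set()).add(m.groups()[1:])   # (src, mask, dst, mask)
        elif (m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line)):
            cfg["transform_sets"][m.group(1)] = frozenset(m.group(2).split())
        elif (m := re.match(r"crypto map (\S+) (\d+) (.+)", line)):
            entry = cfg["maps"].setdefault((m.group(1), int(m.group(2))), {})
            words = m.group(3).split()
            if words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
            elif words[:2] == ["set", "peer"]:
                entry["peer"] = words[2]
            elif words[:3] == ["set", "ikev1", "transform-set"]:
                entry["transform_set"] = words[3]
            elif words[:2] == ["set", "pfs"]:
                entry["pfs"] = words[2] if len(words) > 2 else "group2"  # ASA default if no group given
        elif line.startswith("crypto isakmp nat-traversal"):
            cfg["nat_t"] = True
    return cfg


def compare_peers(cfg_a, cfg_b, ip_a, ip_b):
    """List the mismatches that would keep Phase 1 or Phase 2 from coming up."""
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    problems = []
    # Phase 1: some policy pair must agree on auth, cipher, hash and DH group.
    # Lifetime is left out of the comparison because the peers settle on the shorter one.
    pol_a, pol_b = ({tuple(p.get(k) for k in PHASE1_KEYS) for p in c["policies"].values()} for c in (a, b))
    if not pol_a & pol_b:
        problems.append("phase1: no ikev1 policy in common")
    # Phase 2: compare the crypto map entry each side holds for the other peer.
    ea = next((e for e in a["maps"].values() if e.get("peer") == ip_b), None)
    eb = next((e for e in b["maps"].values() if e.get("peer") == ip_a), None)
    if ea is None or eb is None:
        return problems + ["phase2: one side has no crypto map entry for the peer"]
    ts_a = a["transform_sets"].get(ea.get("transform_set"))
    ts_b = b["transform_sets"].get(eb.get("transform_set"))
    if ts_a is None or ts_b is None:
        problems.append("phase2: transform-set missing on one side")
    elif ts_a != ts_b:
        problems.append(f"phase2: transform-set mismatch {sorted(ts_a)} vs {sorted(ts_b)}")
    if ea.get("pfs") != eb.get("pfs"):
        problems.append(f"phase2: PFS mismatch {ea.get('pfs')} vs {eb.get('pfs')}")
    # Crypto ACLs must mirror each other: A's (src, dst) pairs are B's (dst, src) pairs.
    mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in a["acls"].get(ea.get("acl"), set())}
    if mirrored != b["acls"].get(eb.get("acl"), set()):
        problems.append("phase2: crypto access-lists are not mirror images")
    if a["nat_t"] != b["nat_t"]:
        problems.append("nat-t: enabled on one side only")
    return problems


if __name__ == "__main__":
    for p in compare_peers(PEER_A, PEER_B, "203.0.113.1", "203.0.113.2"):
        print(p)
```

Feed it the output of "show running-config" from both appliances (the pre-shared keys are not needed for this comparison, so the plain running-config is enough) and fix whatever it lists before reaching for debugs; each line it reports maps directly onto one of the items in the Phase 1 checklist above.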
FAQ – Frequently Asked Questions
• Does ASA support IPSec Site-To-Site VPN in multi-context mode?
  o ASA 9.0(1) introduced support for IPsec site-to-site VPN in multi-context mode.
• What if the IPSec peer is dynamically assigned? What is the solution to this problem?
  o Configure a dynamic crypto map:
    crypto dynamic-map DMAP 1 set transform-set myset
    crypto dynamic-map DMAP 1 set reverse-route
    crypto map CMAP 10 ipsec-isakmp dynamic DMAP
    crypto map CMAP interface outside
• How to check the configured Pre-Shared Key?
  o ASA# more system:running-config | begin tunnel-group <Peer IP>
• Can I use dynamic routing with IPSec VPN?
  o IPSec only supports unicast traffic. The common solution is to create a GRE tunnel and encapsulate it within the IPSec tunnel; GRE supports multicast traffic.
• Does ASA support GRE tunnels?
  o The ASA does not support GRE tunnels, so unless you have routers behind the ASAs which can host the GRE tunnels, this option is not viable.
• Can I terminate VPN connections on my FWSM?
  o VPN functionality is not supported on the FWSM. Termination of VPN connections is the responsibility of the switch and/or VPN Services Module.