7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455

1. Chapter 8: Implementing Virtual Private Networks (CCNA Security)
2. Major Concepts
• Describe the purpose and operation of VPN types
• Describe the purpose and operation of GRE VPNs
• Describe the components and operations of IPsec VPNs
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using the CLI
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM
• Configure and verify a remote-access VPN
3. Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
  1. Describe the purpose and operation of VPNs
  2. Differentiate between the various types of VPNs
  3. Identify the Cisco VPN product line and the security features of these products
  4. Configure a site-to-site VPN GRE tunnel
  5. Describe the IPsec protocol and its basic functions
  6. Differentiate between AH and ESP
  7. Describe the IKE protocol and modes
  8. Describe the five steps of IPsec operation
4. Lesson Objectives
  9. Describe how to prepare IPsec by ensuring that ACLs are compatible with IPsec
  10. Configure IKE policies using the CLI
  11. Configure the IPsec transform sets using the CLI
  12. Configure the crypto ACLs using the CLI
  13. Configure and apply a crypto map using the CLI
  14. Describe how to verify and troubleshoot the IPsec configuration
  15. Describe how to configure IPsec using SDM
  16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in SDM
  17. Configure a site-to-site VPN using the step-by-step VPN Wizard in SDM
5. Lesson Objectives
  18. Verify, monitor and troubleshoot VPNs using SDM
  19. Describe how an increasing number of organizations are offering telecommuting options to their employees
  20. Differentiate between remote-access IPsec VPN solutions and SSL VPNs
  21. Describe how SSL is used to establish a secure VPN connection
  22. Describe the Cisco Easy VPN feature
  23. Configure a VPN server using SDM
  24. Connect a VPN client using the Cisco VPN Client software
Bach Khoa Information Technology Academy - Website: www.bkacad.com
6. What is a VPN?
• A VPN is a private network that is created via tunneling over a public network, usually the Internet.
• Instead of using a dedicated physical connection, a VPN uses virtual connections routed through the Internet from the organization to the remote site.
7. Benefits of VPN
• Cost savings:
  – VPNs eliminate expensive dedicated WAN links and modem banks.
  – Additionally, with the advent of cost-effective, high-bandwidth technologies such as DSL, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
• Security:
  – VPNs use advanced encryption and authentication protocols that protect data from unauthorized access.
• Scalability:
  – VPNs use the Internet infrastructure, so it is easy to add new users; corporations can add significant capacity without adding significant infrastructure.
• Compatibility with broadband technology:
  – DSL, cable, broadband wireless, and so on.
8. Layer 3 VPN
[Figure: IPsec VPN across the Internet to a SOHO with a Cisco DSL router]
• Generic routing encapsulation (GRE): point-to-point site connections
• Multiprotocol Label Switching (MPLS): can establish any-to-any connectivity to many sites
• IPsec: point-to-point site connections
9. Layer 3 VPN
• VPNs can be built at either Layer 2 or Layer 3 of the OSI model. The approach to establishing connectivity between sites is the same at Layer 2 and Layer 3. This chapter focuses on Layer 3 VPN technology.
• Layer 3 VPNs:
  – GRE: point-to-point site connections
  – MPLS: any-to-any site connections
  – IPsec: point-to-point site connections
10. Types of VPN Networks
• There are two types of VPN network:
  – Site-to-site
  – Remote-access
11. Site-to-Site VPN
• A site-to-site VPN is created when connection devices on both sides of the VPN connection are aware of the VPN configuration in advance.
• The VPN remains static, and internal hosts have no knowledge that a VPN exists.
• Frame Relay, ATM, GRE, and MPLS VPNs are examples of site-to-site VPNs.
• In a site-to-site VPN, hosts send and receive normal TCP/IP traffic through a VPN gateway, which can be a router, firewall, Cisco VPN Concentrator, or Cisco ASA 5500 Series Adaptive Security Appliance.
• The VPN gateway is responsible for encapsulating and encrypting outbound traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site.
• Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
12. Remote-Access VPNs
• A remote-access VPN is created when VPN information is not statically set up, but instead allows for dynamically changing information and can be enabled and disabled.
• Remote-access VPNs can support the needs of telecommuters, mobile users, and extranet consumer-to-business traffic.
• Remote-access VPNs support a client/server architecture where a VPN client (remote host) requires secure access to the enterprise network via a VPN server device at the network edge.
13. VPN Client Software
[Figure: remote host running Cisco VPN Client connecting to R1 (R1-vpn-cluster.span.com)]
In a remote-access VPN, each host typically has Cisco VPN Client software.
14. Cisco IOS SSL VPN
• Provides remote-access connectivity from almost any Internet-enabled host using a web browser and its native Secure Sockets Layer (SSL) encryption. Delivers two modes of access:
  – Clientless: A remote client needs only an SSL-enabled web browser to access HTTP- or HTTPS-enabled web servers on the corporate LAN.
  – Thin client: A remote client must download a small, Java-based applet for secure access to TCP applications that use static port numbers. UDP is not supported in a thin-client environment.
• SSL VPNs are appropriate for user populations that require per-application or per-server access control, or access from non-enterprise-owned desktops. SSL VPNs are not a complete replacement for IPsec VPNs.
15. Cisco VPN Product Family
Product Choice                                     | Remote-Access VPN | Site-to-Site VPN
Cisco VPN-Enabled Router                           | Secondary role    | Primary role
Cisco PIX 500 Series Security Appliances           | Secondary role    | Primary role
Cisco ASA 5500 Series Adaptive Security Appliances | Primary role      | Secondary role
Cisco VPN 3000 Series Concentrators                | Primary role      | Secondary role
Home Routers (SOHO Routers)                        | Primary role      | Secondary role
16. VPN Solutions
• Cisco provides a suite of VPN-optimized routers. Cisco IOS software for routers combines VPN services with routing services.
• The Cisco VPN software adds strong security using encryption and authentication.
• The Cisco IOS feature sets incorporate many VPN features:
  – Voice and Video Enabled VPN (V3PN)
  – IPsec stateful failover
  – Dynamic Multipoint Virtual Private Network (DMVPN)
  – IPsec and MPLS integration
  – Cisco Easy VPN
17. VPN Features
• Voice and Video Enabled VPN (V3PN): Integrates IP telephony, QoS, and IPsec, providing an end-to-end VPN service that helps ensure the timely delivery of latency-sensitive applications such as voice and video.
• IPsec stateful failover: Provides fast and scalable network resiliency for VPN sessions between remote and central sites. With both stateless and stateful failover solutions available, such as Hot Standby Router Protocol (HSRP), IPsec stateful failover ensures maximum uptime of mission-critical applications.
• Dynamic Multipoint Virtual Private Network (DMVPN): Enables the auto-provisioning of site-to-site IPsec VPNs, combining three Cisco IOS software features: Next Hop Resolution Protocol (NHRP), multipoint GRE, and IPsec VPN. This combination eases the provisioning challenges for customers and provides secure connectivity between all locations.
18. VPN Features
• IPsec and MPLS integration:
  – Enables ISPs to map IPsec sessions directly into an MPLS VPN.
  – This solution can be deployed on co-located edge routers that are connected to a Cisco IOS software MPLS provider edge (PE) network.
• Cisco Easy VPN:
  – Simplifies VPN deployment for remote offices and teleworkers.
  – The Cisco Easy VPN solution centralizes VPN management across all Cisco VPN devices, thus reducing the management complexity of VPN deployments.
19. Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco ASA 5500 Series Adaptive Security Appliances offer flexible technologies that deliver tailored solutions to suit remote-access and site-to-site connectivity requirements.
• These appliances provide easy-to-manage IPsec and SSL VPN-based remote-access and network-aware, site-to-site VPN connectivity.
• These are some of the features that Cisco ASA 5500 Series Adaptive Security Appliances provide:
  – Flexible platform
  – Resilient clustering
  – Cisco Easy VPN
  – Automatic Cisco VPN Client updates
  – Cisco IOS SSL VPN
  – VPN infrastructure for contemporary applications
  – Integrated web-based management
20. Cisco ASA 5500 Series Adaptive Security Appliances
• Each Cisco ASA 5500 Series Adaptive Security Appliance supports a number of VPN peers:
  – Cisco ASA 5505: 10 IPsec VPN peers and 25 SSL VPN peers with a Base license, and 25 VPN peers (IPsec or SSL) with the Security Plus license
  – Cisco ASA 5510: 250 VPN peers
  – Cisco ASA 5520: 750 VPN peers
  – Cisco ASA 5540: 5000 IPsec VPN peers and 2500 SSL VPN peers
  – Cisco ASA 5550: 5000 VPN peers
21. IPsec Clients
Cisco remote-access VPNs can use four IPsec clients:
• Certicom client: A wireless client that is loaded onto wireless personal digital assistants (PDAs) running the Palm or Microsoft Windows Mobile operating systems.
• Cisco VPN Client software: Loaded on the PC or laptop of an individual, the Cisco VPN Client allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers.
• Cisco Remote Router VPN Client: A Cisco remote router, configured as a VPN client, that connects small office, home office (SOHO) LANs to the VPN.
• Cisco AnyConnect VPN Client: Next-generation VPN client that provides remote users with secure VPN connections to the Cisco 5500 Series Adaptive Security Appliance running Cisco ASA 5500 Series Software Version 8.0 and higher or Cisco ASDM Version 6.0 and higher.
22. Hardware Acceleration Modules
To enhance performance and offload the encryption task to specialized hardware, the Cisco VPN family of devices offers hardware acceleration modules:
• AIM: Advanced integration modules are installed inside the router chassis and offload encryption tasks from the router CPU.
• Cisco IPsec VPN Shared Port Adapter (SPA): Delivers scalable and cost-effective VPN performance for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers.
• Cisco PIX VPN Accelerator Card+ (VAC+): The PIX Firewall VAC+ delivers hardware acceleration up to 425 Mb/s of DES, 3DES, or AES IPsec encryption throughput.
[Figure: Cisco IPsec VPN SPA]
23. GRE VPN Overview
24. Encapsulation
[Figure: original IP packet encapsulated with GRE]
25. Configuring a GRE Tunnel
There are five steps to configuring a GRE tunnel:
• Step 1. Create a tunnel interface using the interface tunnel 0 command.
• Step 2. Assign the tunnel an IP address.
• Step 3. Identify the source tunnel interface using the tunnel source command.
• Step 4. Identify the destination of the tunnel using the tunnel destination command.
• Step 5. Configure which protocol GRE will encapsulate using the tunnel mode gre command.
26. Configuring a GRE Tunnel
R1:
  R1(config)# interface tunnel 0                        ! Create a tunnel interface
  R1(config-if)# ip address 10.1.1.1 255.255.255.252    ! Assign the tunnel an IP address
  R1(config-if)# tunnel source serial 0/0               ! Identify the source tunnel interface
  R1(config-if)# tunnel destination 192.168.5.5         ! Identify the destination of the tunnel
  R1(config-if)# tunnel mode gre ip                     ! Configure what protocol GRE will encapsulate
R2:
  R2(config)# interface tunnel 0
  R2(config-if)# ip address 10.1.1.2 255.255.255.252
  R2(config-if)# tunnel source serial 0/0
  R2(config-if)# tunnel destination 192.168.3.3
  R2(config-if)# tunnel mode gre ip
27. Using GRE
• GRE can be used to tunnel non-IP traffic over an IP network.
• IPsec only supports unicast traffic; GRE supports all types of traffic.
• Routing protocols are supported in GRE.
• GRE does not provide encryption.
28. IPsec Topology
[Figure: corporate main site with a Cisco router and IPsec perimeter, a legacy concentrator, a business partner, a regional office with a Cisco PIX firewall, a SOHO with a Cisco ISDN/DSL router, and a mobile worker with a Cisco VPN Client on a laptop]
• IPsec works at the network layer, protecting and authenticating IP packets.
  – It is a framework of open standards which is algorithm-independent.
  – It provides security: data confidentiality, data integrity, and origin authentication.
29. Essential Security of IPsec
• Confidentiality: IPsec ensures confidentiality by using encryption.
• Integrity: IPsec ensures that data arrives unchanged at the destination using a hash algorithm such as MD5 or SHA.
• Authentication: IPsec uses Internet Key Exchange (IKE) to authenticate users and devices that can carry out communication independently. IKE uses several types of authentication, including username and password, one-time password, biometrics, pre-shared keys (PSKs), and digital certificates.
• Secure key exchange: IPsec uses the DH algorithm to provide a public key exchange method for two peers to establish a shared secret key.
30. IPsec Framework
[Figure: IPsec framework diagram (Diffie-Hellman, DH7)]
31. Confidentiality
• Confidentiality is achieved through encryption of traffic as it travels down the VPN.
• The degree of security depends on the length of the key of the encryption algorithm.
• The following are some encryption algorithms and key lengths that VPNs use:
  – DES: Uses a 56-bit key. DES is a symmetric key cryptosystem.
  – 3DES: A variant of DES. 3DES uses three independent 56-bit encryption keys per 64-bit block. 3DES is a symmetric key cryptosystem.
  – AES: Provides stronger security than DES and is computationally more efficient than 3DES. AES is a symmetric key cryptosystem.
  – Software-Optimized Encryption Algorithm (SEAL): Uses a 160-bit key. SEAL is a symmetric key cryptosystem.
32. Integrity
33. Integrity
• Hashed Message Authentication Code (HMAC) is a data integrity algorithm that guarantees the integrity of the message using a hash value.
34. Integrity
There are two common HMAC algorithms:
• HMAC-Message Digest 5 (HMAC-MD5): The variable-length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash.
• HMAC-Secure Hash Algorithm 1 (HMAC-SHA-1): The variable-length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. HMAC-SHA-1 is considered cryptographically stronger than HMAC-MD5. It is recommended when slightly superior security is important.
35. Authentication
• The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure.
• There are two primary methods of configuring peer authentication:
  – Pre-shared keys (PSKs): A pre-shared secret key value is entered into each peer manually and is used to authenticate the peer.
  – RSA signatures: The exchange of digital certificates authenticates the peers.
36. Pre-shared Key (PSK)
• At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.
• The authentication process continues in the opposite direction. The remote device combines its identity information with the pre-shared authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.
37. RSA Signatures
• At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm, forming hash_I. hash_I is encrypted using the local device's private encryption key, creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I.
• Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.
38. Secure Key Exchange
• Encryption algorithms (DES, 3DES, and so on) as well as the hashing algorithms (MD5, SHA) require a symmetric, shared secret key to perform encryption and decryption.
• How do the encrypting and decrypting devices get the shared secret key?
• The Diffie-Hellman (DH) key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key that only they know.
• There are four DH groups: 1, 2, 5, and 7.
39. IPsec Framework Protocols
• Authentication Header (AH), R1 to R2: all data is in plaintext. AH provides the following:
  – Authentication
  – Integrity
• Encapsulating Security Payload (ESP), R1 to R2: the data payload is encrypted. ESP provides the following:
  – Encryption
  – Authentication
  – Integrity
40. Authentication Header
41. Authentication Header
[Figure: R1 sends an AH-protected packet across the Internet to R2]
1. The IP header and data payload are hashed: IP Header + Data + Key -> Hash (for example, 00ABCDEF).
2. The hash builds a new AH header, which is prepended to the original packet: IP HDR | AH | Data.
3. The new packet is transmitted to the IPsec peer router.
4. The peer router hashes the IP header and data payload (IP Header + Data + Key), extracts the transmitted hash and compares: recomputed hash (00ABCDEF) = received hash (00ABCDEF).
42. ESP
[Figure: IPsec framework diagram (Diffie-Hellman, DH7)]
43. Function of ESP
[Figure: ESP packet carried between two routers across the Internet]
• Original packet: IP HDR | Data
• ESP packet: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth Data
  – Encrypted: IP HDR through ESP Trailer
  – Authenticated: ESP HDR through ESP Trailer
• Provides confidentiality with encryption
• Provides integrity with authentication
44. Mode Types
• Transport mode: Protects the payload and transport layer but leaves the original IP header in plaintext. The original IP header is used to route the packet through the Internet. Works well with GRE.
• Tunnel mode: Protects the complete original IP packet. The original IP packet is encrypted and then encapsulated in another IP packet. The packet is routed by the outside IP address. Used in the IPsec remote-access application.
45. Security Associations
• The negotiated parameters between two devices are known as a security association (SA).
• A VPN has SA entries defining the IPsec encryption parameters as well as SA entries defining the key exchange parameters.
• Diffie-Hellman (DH) is used to create the shared secret key.
• IPsec uses the Internet Key Exchange (IKE) protocol to establish the key exchange process.
• IKE is layered on UDP and uses UDP port 500 to exchange IKE information.
46. IKE Phases
[Figure: Host A (10.0.1.3) - R1 - R2 - Host B (10.0.2.3)]
IKE Phase 1 exchange (between R1 and R2):
  1. Negotiate IKE policy sets: R1 Policy 10 (DES, MD5, pre-share, DH1, lifetime) matches R2 Policy 15 (DES, MD5, pre-share, DH1, lifetime)
  2. DH key exchange
  3. Verify the peer identity
IKE Phase 2 exchange:
  – Negotiate IPsec policy
47. IKE Phase 1 - First Exchange: Negotiate IKE Proposals
[Figure: Host A (10.0.1.3) - R1 - R2 - Host B (10.0.2.3)]
IKE policy sets shown: Policy 10 (DES, MD5, pre-share, DH1, lifetime) and Policy 15 (DES, MD5, pre-share, DH1, lifetime) match; Policy 20 (3DES, SHA, pre-share, DH1, lifetime) is an additional policy set.
R1 and R2 negotiate matching IKE policies to protect the IKE exchange.
48. IKE Phase 1 - Second Exchange: Establish DH Key
[Figure: DH exchange between Alice and Bob]
• Alice chooses a private value $X_A$ and computes the public value $Y_A = g^{X_A} \bmod p$.
• Bob chooses a private value $X_B$ and computes the public value $Y_B = g^{X_B} \bmod p$.
• Alice sends $Y_A$ to Bob and Bob sends $Y_B$ to Alice.
• Alice computes $K = (Y_B)^{X_A} \bmod p$ and Bob computes $K = (Y_A)^{X_B} \bmod p$; both arrive at the same $K$.
A DH exchange is performed to establish keying material.
49. IKE Phase 1 - Third Exchange: Authenticate Peer
[Figure: remote office connected over the Internet to the corporate office HR servers; peer authentication between the two sites]
Peer authentication methods:
• PSKs
• RSA signatures
• RSA encrypted nonces
A bidirectional IKE SA is now established.
50. IKE Phase 1 - Aggressive Mode
• The three exchanges of IKE Phase 1 transpire in what is called main mode.
• IKE Phase 1 can also transpire in aggressive mode. Aggressive mode is faster than main mode because there are fewer exchanges.
• Aggressive mode compresses the IKE SA negotiation phases into one exchange with three packets. Main mode requires three exchanges with six packets.
51. IKE Phase 1 - Aggressive Mode
Aggressive mode packets include:
• First packet: The initiator packages everything needed for the SA negotiation in the first message, including its DH public key.
• Second packet: The recipient responds with the acceptable parameters, authentication information, and its DH public key.
• Third packet: The initiator then sends a confirmation that it received that information.
52. IKE Phase 2
[Figure: Host A (10.0.1.3) - R1 - R2 - Host B (10.0.2.3); R1 and R2 negotiate IPsec security parameters]
IKE Phase 2 performs the following functions:
• Negotiates IPsec security parameters, known as IPsec transform sets
• Establishes IPsec SAs
• Periodically renegotiates IPsec SAs to ensure security
• Optionally performs an additional DH exchange
53. IPsec VPN Negotiation
[Figure: Host A (10.0.1.3) - R1 - R2 - Host B (10.0.2.3)]
1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session (IKE SA).
3. R1 and R2 negotiate an IKE Phase 2 session (IPsec SA).
4. Information is exchanged via the IPsec tunnel.
5. The IPsec tunnel is terminated.
54. Configuring IPsec
Tasks to configure IPsec:
• Task 1: Ensure that ACLs are compatible with IPsec.
• Task 2: Create the ISAKMP (IKE) policy.
• Task 3: Configure the IPsec transform set.
• Task 4: Create a crypto ACL.
• Task 5: Create and apply the crypto map.
55. Task 1: Configure Compatible ACLs
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3); AH, ESP and IKE traffic flows between R1 and R2]
• Ensure that protocol 50 (ESP), protocol 51 (AH), and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec.
56. Permitting Traffic
57. Task 2: Configure IKE
58. ISAKMP Parameters
59. Multiple Policies
60. Policy Negotiations
61. Crypto ISAKMP Key
62. Sample Configuration
63. Task 3: Configure the Transform Set
64. Task 3: Configure the Transform Set
65. Transform Sets
66. Sample Configuration
67. Task 4: Configure the Crypto ACLs
68. Command Syntax
69. Symmetric Crypto ACLs
70. Task 5: Apply the Crypto Map
71. Crypto Map Command
Syntax (global configuration mode):
  router(config)# crypto map map-name seq-num ipsec-manual
  router(config)# crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
crypto map parameters:
  map-name: Defines the name assigned to the crypto map set or indicates the name of the crypto map to edit.
  seq-num: The number assigned to the crypto map entry.
  ipsec-manual: Indicates that ISAKMP will not be used to establish the IPsec SAs.
  ipsec-isakmp: Indicates that ISAKMP will be used to establish the IPsec SAs.
  cisco: (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic.
  dynamic: (Optional) Specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available.
  dynamic-map-name: (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.
72. Crypto Map Configuration-Mode Commands
  set: Used with the peer, pfs, transform-set, and security-association commands.
  set peer [hostname | ip-address]: Specifies the allowed IPsec peer by IP address or hostname.
  set pfs [group1 | group2]: Specifies DH Group 1 or Group 2.
  set transform-set [set_name(s)]: Specifies the list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified.
  set security-association lifetime: Sets SA lifetime parameters in seconds or kilobytes.
  match address [access-list-id | name]: Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP extended ACL being matched.
  no: Used to delete commands entered with the set command.
  exit: Exits crypto map configuration mode.
73. Sample Configuration
74. Assign the Crypto Map Set
75. CLI Commands
  show crypto map: Displays configured crypto maps
  show crypto isakmp policy: Displays configured IKE policies
  show crypto ipsec sa: Displays established IPsec tunnels
  show crypto ipsec transform-set: Displays configured IPsec transform sets
  debug crypto isakmp: Debugs IKE events
  debug crypto ipsec: Debugs IPsec events
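The five tasks carried through for R1 on the Task 1 topology (R1 S0/0/0 172.30.1.2 with LAN 10.0.1.0/24, peer R2 at 172.30.2.2 with LAN 10.0.2.0/24), using the Policy 10 values from the IKE Phase 1 slides. This is an added example, not a configuration from the original slides; the ACL numbers 102 and 110, the names SITE-TS and SITE-MAP, and the pre-shared key are assumed placeholders, and R2 mirrors it with the addresses swapped.

```cisco
! R1 (Site 1). S0/0/0 = 172.30.1.2 already has its IP address configured.
!
! Task 1: the inbound ACL on the outside interface must not block IKE (UDP 500),
! ESP (IP protocol 50) or AH (IP protocol 51) from the peer. ACL 102 is a placeholder;
! any other inbound permits the site already needs go in the same list.
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
!
! Task 2: ISAKMP (IKE Phase 1) policy = Policy 10 from the slides
! (DES, MD5, pre-share, DH group 1; 86400 s is the IOS default lifetime).
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
! Pre-shared key for peer R2 (placeholder value); R2 needs the same key for 172.30.1.2.
crypto isakmp key R1R2-PSK-PLACEHOLDER address 172.30.2.2
!
! Task 3: IPsec transform set (the IKE Phase 2 proposal), ESP with encryption and HMAC.
crypto ipsec transform-set SITE-TS esp-des esp-md5-hmac
 mode tunnel
!
! Task 4: crypto ACL = interesting traffic, Site 1 LAN to Site 2 LAN.
! R2's crypto ACL must be the exact mirror image (10.0.2.0/24 -> 10.0.1.0/24).
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
! Task 5: crypto map ties peer, transform set and crypto ACL together,
! then is applied (with the Task 1 ACL) to the outside interface.
crypto map SITE-MAP 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set SITE-TS
 match address 110
!
interface Serial0/0/0
 ip access-group 102 in
 crypto map SITE-MAP
!
! Verification (commands from the CLI Commands slide):
!   show crypto isakmp policy
!   show crypto ipsec transform-set
!   show crypto map
!   show crypto ipsec sa
```

DES and MD5 are used only because they are the values the slides negotiate; on current equipment choose AES and SHA in the policy and transform set, and confirm with show crypto ipsec sa that the tunnel is up only after interesting traffic has crossed it.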
76. show crypto map
77. show crypto isakmp policy
78. show crypto ipsec transform-set
79. show crypto ipsec sa
80. debug crypto isakmp
81. Use SDM - Starting a VPN Wizard
1. Click Configure in the main toolbar.
2. Click the VPN button to open the VPN page.
3. Choose a wizard (wizards for IPsec solutions, including VPN types and individual IPsec components).
4. Click the VPN implementation subtype (subtypes vary based on the VPN wizard chosen).
5. Click the Launch the Selected Task button.
82. VPN Components
• VPN Wizards
• SSL VPN parameters
• Individual IPsec components used to build VPNs
• Easy VPN server parameters
• Public key certificate parameters
• Encrypt VPN passwords
83. Configuring a Site-to-Site VPN
1. Choose Configure > VPN > Site-to-Site VPN.
2. Click Create a Site-to-Site VPN.
3. Click the Launch the Selected Task button.
84. Site-to-Site VPN Wizard
Choose the wizard mode. Click Next to proceed to the configuration of parameters.
85. Quick Setup
Configure the parameters:
• Interface to use
• Peer identity information
• Authentication method
• Traffic to encrypt
86. Verify Parameters
87. Step-by-Step Wizard
1. Choose the outside interface that is used to connect to the IPsec peer.
2. Specify the IP address of the peer.
3. Choose the authentication method and specify the credentials.
4. Click Next.
  88. 88. Creating a Custom IKE Proposal Make the selections to configure 2 the IKE Policy and click OK 1 Click Add to define a proposal 3 Click Next H c vi n công ngh thông tin Bach Khoa - Website: www.bkacad.com
  89. 89. Creating a Custom IPSec Transform Set Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation and optional compression 2 1 Click Add 3 H c vi n công ngh thông tin Bach Khoa - Website: www.bkacad.com Click Next
  90. 90. Protecting Traffic Subnet to Subnet Click Protect All Traffic Between the Following subnets 1 2 3 Define the IP address and subnet mask of the local network Define the IP address and subnet mask of the remote network H c vi n công ngh thông tin Bach Khoa - Website: www.bkacad.com
  91. 91. Protecting Traffic Custom ACL Click the ellipses button to choose an existing ACL or create a new one 2 1 Click the Create/Select an Access-List for IPSec Traffic radio button 3 To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option H c vi n công ngh thông tin Bach Khoa - Website: www.bkacad.com
  92. 92. Add a Rule 1 Give the access rule a name and description 2 Click Add H c vi n công ngh thông tin Bach Khoa - Website: www.bkacad.com
  93. 93. Configuring a New Rule Entry Choose an action and enter a description of the rule entry 1 2 Define the source hosts or networks in the Source Host/Network pane and the destination hosts or network in the Destination/Host Network pane 3 (Optional) To provide protection for specific protocols, choose the specific protocol radio box and desired port numbers H c vi n công ngh thông tin Bach Khoa - Website: www.bkacad.com
  94. 94. Configuration Summary • Click Back to modify the configuration. • Click Finish to complete the configuration. H c vi n công ngh thông tin Bach Khoa - Website: www.bkacad.com
  95. 95. Verify VPN Configuration Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN Check VPN status. Create a mirroring configuration if no Cisco SDM is available on the peer. Test the VPN configuration. H c vi n công ngh thông tin Bach Khoa - Website: www.bkacad.com
  96. 96. Monitor Choose Monitor > VPN Status > IPSec Tunnels 1 Lists all IPsec tunnels, their parameters, and status. H c vi n công ngh thông tin Bach Khoa - Website: www.bkacad.com
  97. Implementing Remote-Access VPNs
  98. Telecommuting
  • Flexibility in working location and working hours
  • Employers save on real estate, utility and other overhead costs
  • Succeeds if the program is voluntary, subject to management discretion, and operationally feasible
  99. Telecommuting Benefits
  • Organizational benefits:
  – Continuity of operations
  – Increased responsiveness
  – Secure, reliable, and manageable access to information
  – Cost-effective integration of data, voice, video, and applications
  – Increased employee productivity, satisfaction, and retention
  • Social benefits:
  – Increased employment opportunities for marginalized groups
  – Less travel and commuter-related stress
  • Environmental benefits:
  – Reduced carbon footprints, both for individual workers and organizations
  100. Implementing Remote Access (diagram)
  101. Methods for Deploying Remote Access
  • IPsec Remote Access VPN: any application (full network-layer access for a managed client)
  • SSL-based VPN: anywhere access (from a browser, without a preinstalled IPsec client)
  102. Comparison of SSL and IPsec
  • Applications: SSL supports web-enabled applications, file sharing and e-mail; IPsec supports all IP-based applications.
  • Encryption: SSL is rated moderate (key lengths from 40 bits to 128 bits); IPsec is stronger (key lengths from 56 bits to 256 bits).
  • Authentication: SSL is rated moderate (one-way or two-way authentication); IPsec is strong (two-way authentication using shared secrets or digital certificates).
  • Ease of use: SSL is very high; IPsec is moderate and can be challenging to non-technical users.
  • Overall security: SSL is moderate (any device can connect); IPsec is strong (only specific devices with specific configurations can connect).
  The encryption figures reflect the cipher suites of the slides' era (2013). Current TLS 1.2 and 1.3 deployments use AES-128/256 or ChaCha20, so key length no longer separates SSL VPNs from IPsec, and the 56-bit (DES) lower bound on the IPsec side is broken and should not be used at all; the remaining differentiators are client control and the scope of access.
  103. SSL VPNs
  • Integrated security and routing
  • Browser-based full network SSL VPN access
  (Diagram: an SSL VPN tunnel from the remote workplace across the Internet to the headquarters resources.)
  104. Types of Access (diagram)
  105. Full Tunnel Client Access Mode (diagram)
  106. Establishing an SSL Session
  Between a user running an SSL client and an SSL VPN enabled ISR router:
  1. The user makes a connection to TCP port 443.
  2. The router replies with a digitally signed public key (its certificate: the router's public key signed by a certificate authority). The client must verify this signature before going further; if it does not, anyone in the path can substitute their own key and read the secret sent in step 4.
  3. The user's software creates a shared-secret key.
  4. The shared-secret key, encrypted with the public key of the server, is sent to the router.
  5. Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm.
  This is the RSA key-transport handshake of SSL 3.0 and TLS up to 1.2; TLS 1.3 removed it in favour of an ephemeral (EC)DHE exchange, which gives forward secrecy because a later compromise of the router's private key cannot unlock recorded sessions.
  107. SSL VPN Design Considerations
  • User connectivity
  • Router feature
  • Infrastructure planning
  • Implementation scope
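The five steps of slide 106 as a runnable exchange between both sides. This is an added teaching model, not code from the course or from any Cisco product: textbook RSA with tiny primes stands in for the router's real key pair, a CA signature over a SHA-256 digest stands in for the X.509 certificate, and an HMAC-SHA256 counter keystream stands in for the symmetric bulk cipher. All of these are deliberately weak stand-ins chosen so that the block runs with the Python standard library only; the prime numbers, the "session key" label and the payload are assumptions made for the example.

```python
"""Toy model of the five-step SSL session setup (RSA key transport).
Added example; the RSA, certificate and bulk-cipher stand-ins are insecure
teaching devices and must never be used to protect real data."""
import hashlib
import hmac
import secrets


def rsa_keygen(p, q, e=65537):
    """Textbook RSA on two tiny primes: returns ((n, e), (n, d)). Real keys use 2048-bit+ moduli."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def rsa_apply(x, key):
    n, exp = key
    return pow(x, exp, n)


def pubkey_bytes(pub):
    return f"{pub[0]}:{pub[1]}".encode()


def toy_sign(data, priv):
    """Signature stand-in: RSA over the SHA-256 digest (no padding, toy only)."""
    return rsa_apply(int.from_bytes(hashlib.sha256(data).digest(), "big") % priv[0], priv)


def toy_verify(data, sig, pub):
    return rsa_apply(sig, pub) == int.from_bytes(hashlib.sha256(data).digest(), "big") % pub[0]


def keystream_xor(key, data):
    """Symmetric bulk-cipher stand-in: XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def make_router(ca_priv, p=10007, q=10009):
    """The SSL VPN router: its key pair plus the CA's signature over its public key."""
    pub, priv = rsa_keygen(p, q)
    return {"pub": pub, "priv": priv, "sig": toy_sign(pubkey_bytes(pub), ca_priv)}


def establish_session(router, ca_pub):
    """Run the five steps; returns (transcript, client_session_key, router_session_key)."""
    transcript = ["1 client -> router: TCP connection to port 443"]
    # Step 2: the router presents its CA-signed public key; the client verifies it before anything else.
    transcript.append("2 router -> client: digitally signed public key")
    if not toy_verify(pubkey_bytes(router["pub"]), router["sig"], ca_pub):
        raise ValueError("signature on router public key does not verify: abort before sending any secret")
    # Step 3: the client creates the shared secret locally; it never travels in the clear.
    premaster = secrets.randbelow(router["pub"][0] - 2) + 1
    transcript.append("3 client: generated shared-secret key")
    # Step 4: encrypted with the router's public key, so only the private-key holder can recover it.
    wire = rsa_apply(premaster, router["pub"])
    transcript.append("4 client -> router: shared secret encrypted with router public key")
    router_premaster = rsa_apply(wire, router["priv"])
    # Step 5: both sides derive the same symmetric session key and switch to bulk encryption.
    client_key = hmac.new(premaster.to_bytes(8, "big"), b"session key", hashlib.sha256).digest()
    router_key = hmac.new(router_premaster.to_bytes(8, "big"), b"session key", hashlib.sha256).digest()
    transcript.append("5 both: bulk encryption with the symmetric session key")
    return transcript, client_key, router_key


# Constructed CA and router keys for the demonstration (tiny primes, toy only).
CA_PUB, CA_PRIV = rsa_keygen(10037, 10039)
ROUTER = make_router(CA_PRIV)

if __name__ == "__main__":
    steps, client_key, router_key = establish_session(ROUTER, CA_PUB)
    print("\n".join(steps))
    ciphertext = keystream_xor(client_key, b"GET /webvpn HTTP/1.1")
    print("router decrypts:", keystream_xor(router_key, ciphertext))
```

The check in step 2 is the part worth remembering: a client that skips certificate verification still "encrypts", but to whatever key an on-path attacker handed it. Altering even one bit of the signature makes `establish_session` refuse to send the secret.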
  108. Cisco Easy VPN
  • Negotiates tunnel parameters
  • Establishes tunnels according to the set parameters
  • Automatically creates a NAT/PAT configuration and the associated ACLs
  • Authenticates users by usernames, group names, and passwords
  • Manages security keys for encryption and decryption
  • Authenticates, encrypts, and decrypts data through the tunnel
  109. Cisco Easy VPN (diagram)
  110. Securing the VPN
  Message flow between the Easy VPN client and the Easy VPN server:
  1. The client initiates IKE Phase 1.
  2. The ISAKMP SA is established.
  3. The server accepts the proposal.
  4. The server sends a username/password challenge (extended authentication).
  5. The client returns the username and password.
  6. System parameters are pushed to the client (mode configuration).
  7. IKE Phase 2 is initiated and the IPsec SA is built.
  Reverse Route Injection (RRI) then adds a static route entry on the server for the remote client's IP address, so that return traffic is sent into the tunnel.
  111. Configuring Cisco Easy VPN Server (wizard screen)
  112. Configuring IKE Proposals
  1. Click Add.
  2. Specify the required parameters.
  3. Click OK.
  113. Creating an IPsec Transform Set (wizard screen)
  114. Group Authorization and Group Policy Lookup
  1. Select the location where the Easy VPN group policies are stored.
  2. Click Next.
  3. Click Add.
  4. Configure the local group policies.
  5. Click Next.
  115. Summary of Configuration Parameters
  116. VPN Client Overview
  • Establishes end-to-end, encrypted VPN tunnels for secure connectivity
  • Compatible with all Cisco VPN products
  • Supports the Cisco Easy VPN capabilities
  (Screenshot: a connection entry named R1 with host R1-vpn-cluster.span.com.)
  117. Establishing a Connection
  Connect with the R1 entry (host R1-vpn-cluster.span.com); once authenticated, the status changes to connected.
  118. Summary
  • A VPN is a private network that is created via tunneling over a public network, usually the Internet.
  • There are site-to-site VPNs and remote access VPNs.
  • VPNs require the use of modern encryption techniques to ensure secure transport of information.
  120. Summary
  • IPsec is a framework of open standards that establishes the rules for secure communications.
  • IPsec relies on existing algorithms to achieve encryption, authentication, and key exchange.
  • IPsec can encapsulate a packet using either Authentication Header (AH), which provides integrity and authentication only, or Encapsulating Security Payload (ESP), which adds confidentiality and is therefore the one to use.
  • IPsec uses the Internet Key Exchange (IKE) protocol to authenticate the peers, negotiate the security associations and establish the keys.