
Virtual Private Network Configuration

Lesson 11

© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—11-1


Outline

• Secure VPN Tunnels
• How IPsec Works
• IPsec Configuration Tasks
• Scale Adaptive Security Appliance VPN Tunnels
• Summary



Secure VPN Tunnels



VPN Tunnels Overview

[Diagram: Home Office, Remote Office, Mobile Worker and Business Partner sites connect through POPs and the VPN to the Main Office]

• Intranet VPNs have low-cost connections with rich VPN services, which lead to cost savings and new applications.
• Remote access VPNs are cost-effective.
• Extranet VPNs extend WANs to business partners, which leads to new applications and business models.
What Is IPsec?

[Diagram: two peers exchanging IPsec-protected traffic across the Internet]

IPsec is the IETF standard that enables encrypted communication between peers.
• Consists of open standards for securing private communications
• Ensures data confidentiality, integrity, and authentication through network layer encryption
• Scales from small to very large networks


How IPsec Works



Five Steps of IPsec

[Diagram: Host A - Security Appliance A - Security Appliance B - Host B]

1. Interesting traffic: The VPN devices recognize the traffic to protect.
2. IKE Phase 1: The VPN devices negotiate an IKE security policy and establish a secure channel.
3. IKE Phase 2: The VPN devices negotiate an IPsec security policy to protect IPsec data.
4. Data transfer: The VPN devices apply security services to traffic, then transmit the traffic.
5. Tunnel terminated: The tunnel is torn down.


Step 1: Interesting Traffic

[Diagram: Host A 10.0.1.3 - Security Appliance A - Security Appliance B - Host B 10.0.2.3; traffic matching the policy is marked "Apply IPsec", everything else "Send in Clear Text"]

• Host A is sending traffic bound for Host B.
• The traffic is deemed interesting and will be encrypted.


Step 2: IKE Phase 1

[Diagram: Security Appliance A (for Host A, 10.0.1.3) and Security Appliance B (for Host B, 10.0.2.3) perform the IKE Phase 1 Main Mode exchange. Each side negotiates the policy, performs the DH exchange, and verifies the peer identity.]


IKE Phase 1 Policy Sets

[Diagram: Security Appliance A (10.0.1.3 side) and Security Appliance B (10.0.2.3 side) negotiate IKE proposals]

Security Appliance A          Security Appliance B
Policy Set 10                 Policy Set 15
  3DES                          3DES
  MD5                           MD5
  Pre-share                     Pre-share
  DH1                           DH1
  Lifetime                      Lifetime
Policy Set 20
  DES
  SHA
  Pre-share
  DH1
  Lifetime

• Negotiates matching IKE transform sets to protect the IKE exchange; here Policy Set 10 on Appliance A matches Policy Set 15 on Appliance B


DH Key Exchange

[Diagram: Merchant and Bank each combine the peer's public key with their own private key (Public Key B + Private Key A on one side, Public Key A + Private Key B on the other) and arrive at the same shared secret key, Key (AB) = Key (BA). The message "Credit Card Charge $100.00" is encrypted with that key, crosses the Internet as ciphertext (4ehIDx67NMop9eR U78IOPotVBn45TR), and is decrypted with the same key on the other side.]
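The exchange in the diagram, worked in code as an added example (not part of the Cisco lesson): each side publishes g^x mod p, combines the peer's public value with its own private exponent, and both derive the same key. The group parameters P and G, the nonces and the HMAC-SHA1 key derivation are constructed stand-ins for illustration; IKE's real SKEYID derivation differs in detail. The modulus is deliberately a 16-bit toy prime so that recover_private can brute-force the discrete logarithm in milliseconds. That is the point behind the "Weak: DH group 1 / Stronger: DH group 5" row later in this lesson: the exchange is exactly as strong as that step is hard, and group 1 (768 bits) leaves far less margin than group 5 (1536 bits).

```python
"""Diffie-Hellman as used in IKE Phase 1, both sides plus a passive attacker.

Added example for this lesson, not Cisco material. P and G are a constructed
toy group (assumption); real IKE groups use 768-bit (group 1) to 1536-bit
(group 5) primes, with the same arithmetic.
"""
import hashlib
import hmac
import secrets

P = 65521   # constructed 16-bit prime, chosen so the brute-force step is instant
G = 17      # constructed generator


def keypair(p=P, g=G):
    """One side's DH key pair: a random private exponent x and the public value g^x mod p."""
    private = secrets.randbelow(p - 2) + 1      # 1 <= x <= p-2
    return private, pow(g, private, p)


def shared_secret(peer_public, my_private, p=P):
    """(g^b)^a mod p on Appliance A equals (g^a)^b mod p on Appliance B."""
    return pow(peer_public, my_private, p)


def derive_key(secret, nonce_i, nonce_r):
    """Simplified stand-in for IKE's SKEYID derivation (assumption):
    HMAC-SHA1 over both nonces, keyed by the shared secret."""
    return hmac.new(secret.to_bytes(4, "big"), nonce_i + nonce_r, hashlib.sha1).digest()


def exchange(nonce_i, nonce_r, p=P, g=G):
    """Run the exchange for Appliance A and Appliance B.
    Returns both derived keys and the two public values an eavesdropper sees."""
    a_private, a_public = keypair(p, g)         # Private Key A, Public Key A
    b_private, b_public = keypair(p, g)         # Private Key B, Public Key B
    # Each side combines the PEER'S public value with its OWN private value.
    key_a = derive_key(shared_secret(b_public, a_private, p), nonce_i, nonce_r)
    key_b = derive_key(shared_secret(a_public, b_private, p), nonce_i, nonce_r)
    return key_a, key_b, a_public, b_public


def recover_private(public, p=P, g=G):
    """Passive attacker: find x with g^x mod p == public by exhaustive search.
    Linear in p, so trivial for the toy prime and hopeless at 768+ bits."""
    acc = g % p
    for x in range(1, p):
        if acc == public:
            return x
        acc = acc * g % p
    raise ValueError("public value is not a power of g")


if __name__ == "__main__":
    ni, nr = b"nonce-initiator", b"nonce-responder"   # constructed nonces
    key_a, key_b, a_pub, b_pub = exchange(ni, nr)
    print("keys match:", key_a == key_b)
    x = recover_private(a_pub)                       # what the toy group allows
    print("attacker recovers the key:", derive_key(shared_secret(b_pub, x), ni, nr) == key_a)
```

Run it and both lines print True: the two appliances agree on a key, and an attacker who saw only the public values also gets it, because the toy modulus makes the discrete logarithm cheap. Replace P with a 1536-bit prime and recover_private never finishes, which is the whole reason the group choice is a security parameter.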


Authenticate Peer Identity

[Diagram: Security Appliance A at the Remote Office authenticates with Security Appliance B at the Corporate Office across the Internet before traffic reaches the HR servers]

Peer authentication methods
• Pre-shared keys
• RSA Signature


Step 3: IKE Phase 2

[Diagram: Security Appliance A and Security Appliance B negotiate IPsec security parameters on behalf of Host A and Host B]


IPsec Transform Sets

[Diagram: Security Appliance A (10.0.1.3 side) and Security Appliance B (10.0.2.3 side) negotiate transform sets]

Security Appliance A          Security Appliance B
Transform Set 30              Transform Set 55
  ESP                           ESP
  3DES                          3DES
  SHA                           SHA
  Tunnel                        Tunnel
  Lifetime                      Lifetime
Transform Set 40
  ESP
  DES
  MD5
  Tunnel
  Lifetime

• A transform set is a combination of algorithms and protocols that enacts a security policy for traffic.


Security Associations

[Diagram: two IPsec SAs from one security appliance to two peers across the Internet]

SAD (security association database) entries are indexed by:
• Destination IP address
• SPI
• Protocol

SPD (security policy database) entries specify:
• Encryption algorithm
• Authentication algorithm
• Mode
• Key lifetime

Peer 192.168.2.1    SPI 12    ESP/3DES/SHA    Tunnel    28800
Peer 192.168.12.1   SPI 39    ESP/DES/MD5     Tunnel    28800


Security Association Lifetime

• Data-Based
• Time-Based

An SA expires when either limit is reached, whichever comes first.


Step 4: IPsec Session

[Diagram: Host A - Security Appliance A - IPsec Session - Security Appliance B - Host B]

• SAs are exchanged between peers.
• The negotiated security services are applied to the traffic.


Step 5: Tunnel Termination

[Diagram: the IPsec session between Security Appliance A and Security Appliance B is torn down]

• A tunnel is terminated:
  – By an SA lifetime timeout
  – If the packet counter is exceeded
• Removes IPsec SA
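An added example (not Cisco code) that models the SAD from the Security Associations slide together with the two lifetime limits from Steps 4 and 5: an SA is found by (destination, SPI, protocol), and it is removed as soon as either the time-based or the data-based lifetime is reached, whichever comes first. The two SAs are taken from the slide; the 100-kilobyte data limit and the packet sizes are constructed so that both kinds of expiry are visible in a few calls.

```python
"""Security association database with time- and data-based lifetimes.

Added example for this lesson, not Cisco code. The SA values come from the
slide; the 100 kB data limit is a constructed value for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SecurityAssociation:
    """One SAD entry: the slide's three index fields plus the negotiated parameters."""
    dst: str
    spi: int
    protocol: str                           # "ESP" or "AH"
    encryption: str
    auth: str
    mode: str = "Tunnel"
    lifetime_seconds: int = 28800           # time-based limit, as in the slide
    lifetime_kbytes: Optional[int] = None   # data-based limit; None = not configured
    established_at: float = 0.0
    bytes_protected: int = 0

    def expired(self, now: float) -> Optional[str]:
        """Return "time" or "data" if that lifetime has been reached, else None."""
        if now - self.established_at >= self.lifetime_seconds:
            return "time"
        if self.lifetime_kbytes is not None and self.bytes_protected >= self.lifetime_kbytes * 1024:
            return "data"
        return None


class SAD:
    """Security association database keyed by (destination, SPI, protocol)."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[str, int, str], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._table[(sa.dst, sa.spi, sa.protocol)] = sa

    def lookup(self, dst: str, spi: int, protocol: str) -> Optional[SecurityAssociation]:
        return self._table.get((dst, spi, protocol))

    def protect(self, dst: str, spi: int, protocol: str, length: int, now: float) -> str:
        """Apply the SA to one outbound packet of `length` bytes.
        Returns "protected", "no-sa", or "expired:<reason>" (and deletes the dead SA)."""
        key = (dst, spi, protocol)
        sa = self._table.get(key)
        if sa is None:
            return "no-sa"
        reason = sa.expired(now)
        if reason is not None:
            del self._table[key]            # Step 5: termination removes the IPsec SA
            return f"expired:{reason}"
        sa.bytes_protected += length
        return "protected"


def demo() -> List[str]:
    """Constructed walk-through using the two SAs from the slide."""
    sad = SAD()
    sad.add(SecurityAssociation("192.168.2.1", 12, "ESP", "3DES", "SHA", lifetime_kbytes=100))
    sad.add(SecurityAssociation("192.168.12.1", 39, "ESP", "DES", "MD5"))
    return [
        sad.protect("192.168.2.1", 12, "ESP", 60_000, now=10),      # protected
        sad.protect("192.168.2.1", 12, "ESP", 50_000, now=20),      # protected; 110,000 B so far
        sad.protect("192.168.2.1", 12, "ESP", 100, now=30),         # expired:data, SA removed
        sad.protect("192.168.2.1", 12, "ESP", 100, now=31),         # no-sa: needs a new IKE Phase 2
        sad.protect("192.168.12.1", 39, "ESP", 100, now=28_800),    # expired:time
        sad.protect("192.168.2.1", 99, "ESP", 100, now=5),          # no-sa: unknown SPI
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(demo(), 1):
        print(step, outcome)
```

The check runs before the packet is counted, so the packet that crosses the data limit is still protected and the next one finds no SA. Real peers avoid that gap by renegotiating a fresh SA shortly before either limit is hit; the model shows the hard stop that rekeying exists to prevent.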


IPsec Configuration Tasks



Configuring IPsec Encryption

Task 1: Prepare to configure VPN support.
Task 2: Configure IKE parameters.
Task 3: Configure IPsec parameters.
Task 4: Test and verify VPN configuration.


Task 1: Prepare to Configure VPN Support



Task 1: Prepare for IKE and IPsec

Step 1: Determine the IKE (IKE Phase 1) policy.
Step 2: Determine the IPsec (IKE Phase 2) policy.
Step 3: Ensure that the network works without encryption.
Step 4: (Optional) Implicitly permit IPsec packets to bypass security appliance ACLs and access groups.



Determine IKE Phase 1 Policy

[Topology used for the rest of the lesson: Site 1 host 10.0.1.11 - Security Appliance 1 (Gig0/0 192.168.1.1) - Internet - Security Appliance 2 (Gig0/0 192.168.2.2) - Site 2 host 10.0.2.11]

Parameter               Weak              Stronger
Encryption algorithm    DES               3DES or AES
Hash algorithm          MD5               SHA-1
Authentication method   Pre-share         RSA Signature
Key exchange            DH group 1        DH group 5
IKE SA lifetime         86,400 seconds    <86,400 seconds


Determine IPsec (IKE Phase 2) Policy

Parameter                 Weak              Stronger
Encryption algorithm      DES               3DES or AES
Authentication            MD5               SHA-1
Perfect forward secrecy   Group 1           Group 5
SA lifetime               86,400 seconds    <86,400 seconds


Task 2: Configure IKE Parameters



Task 2: Configure IKE

Step 1: Enable or disable IKE.
Step 2: Configure IKE Phase 1 policy.
Step 3: Configure a tunnel group.
Step 4: Configure the tunnel group attributes pre-shared key.
Step 5: Verify IKE Phase 1 policy.



Enable or Disable IKE

ciscoasa(config)#
isakmp enable interface-name

• Enables IKE on the named security appliance interface (the no form disables it)
• Leave IKE disabled on interfaces that do not terminate IPsec tunnels

asa1(config)# isakmp enable outside



Configure IKE Phase 1 Policy

asa1(config)# isakmp policy 10
asa1(config-isakmp-policy)# encryption des
asa1(config-isakmp-policy)# hash sha
asa1(config-isakmp-policy)# authentication pre-share
asa1(config-isakmp-policy)# group 1
asa1(config-isakmp-policy)# lifetime 86400

• Creates a policy suite grouped by priority number
• Creates policy suites that match peers
• Can use default values
• This example uses DES, DH group 1 and an 86,400-second lifetime, the Weak column of the Phase 1 policy table; prefer 3DES or AES, a higher DH group and a shorter lifetime



Configure a Tunnel Group

[Diagram: a tunnel group named 192.168.6.2 of type IPsec LAN-to-LAN on Security Appliance 1 and a tunnel group named 192.168.1.2 of type IPsec LAN-to-LAN on Security Appliance 2]

ciscoasa(config)#
tunnel-group name type type

• Names the tunnel group; for an IPsec LAN-to-LAN tunnel group the name is the IP address of the peer, as in the example
• Defines the type of VPN connection that is to be established

asa1(config)# tunnel-group 192.168.2.2 type ipsec-l2l



Configuring Tunnel Groups: General Attributes

[Diagram: tunnel group 192.168.6.2, IPsec L2L, on Security Appliance 1; tunnel group 192.168.1.2, IPsec L2L, on Security Appliance 2]

ciscoasa(config)#
tunnel-group name general-attributes

• Places you in tunnel group general attribute configuration mode

asa1(config)# tunnel-group 192.168.2.2 general-attributes
asa1(config-tunnel-general)# default-group-policy OURPOLICY

• Sets the default group policy


Configuring Tunnel Groups: IPsec Attributes

[Diagram: both tunnel groups (192.168.6.2 on Security Appliance 1, 192.168.1.2 on Security Appliance 2) carry the same pre-shared key, cisco123]

ciscoasa(config)#
tunnel-group name ipsec-attributes

• Places you in tunnel group IPsec attribute configuration mode

asa1(config)# tunnel-group 192.168.2.2 ipsec-attributes
asa1(config-tunnel-ipsec)# pre-shared-key cisco123

asa2(config)# tunnel-group 192.168.1.2 ipsec-attributes
asa2(config-tunnel-ipsec)# pre-shared-key cisco123

• Associates a pre-shared key with the connection policy; the key must be identical on both peers (cisco123 is a classroom value, not one to deploy)
Verify IKE Phase 1 Policy

asa1# show run crypto isakmp
isakmp identity address
isakmp enable outside
isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

• Displays configured and default IKE protection suites


Task 3: Configure IPsec Parameters



Task 3: Configure IPsec

Step 1: Configure interesting traffic: NAT 0 and ACL.
  – access-list 101 permit
  – nat 0
Step 2: Configure IPsec transform set suites.
  – crypto ipsec transform-set
Step 3: Configure the crypto map.
  – crypto map
Step 4: Apply the crypto map.
  – crypto map map-name interface interface-name


Configuring Interesting Traffic: Crypto ACLs

[Diagram: traffic between 10.0.1.x at Site 1 and 10.0.2.x at Site 2 is encrypted]

Security Appliance 1 (asa1)
asa1(config)# access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

Security Appliance 2 (asa2)
asa2(config)# access-list 101 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

• Lists are symmetrical, mirror images of each other: the source of one peer's entry is the destination of the other's.
  – permit = encrypt
  – deny = do not encrypt
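A check for the mirror-image requirement, added here as an example (not Cisco code): it parses ASA-style access-list lines from both peers and lists every ACE whose source/destination swap is missing on the other side. The two configurations are constructed; the second ACE on each peer is deliberately not a mirror (a host /32 on asa1 against a /24 on asa2) to show what the check catches. A mismatch like that is exactly what produces Phase 2 proxy-identity failures when the tunnel is brought up.

```python
"""Verify that two peers' crypto ACLs are mirror images of each other.

Added example for this lesson, not Cisco code. Input is ASA configuration
text; the two configs below are constructed from the lesson's addressing.
"""
import ipaddress
from typing import List, Set, Tuple

Network = ipaddress.IPv4Network
ACE = Tuple[str, Network, Network]        # (action, source, destination)


def _network(tokens: List[str]) -> Network:
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_crypto_acl(config: str, name: str) -> Set[ACE]:
    """Collect the IP ACEs of access-list `name` from ASA configuration text."""
    entries: Set[ACE] = set()
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        body = tokens[2:]
        if body[0] == "extended":             # ASA 7.x+ prints the keyword; the slides omit it
            body = body[1:]
        if len(body) < 4 or body[0] not in ("permit", "deny") or body[1] != "ip":
            continue
        rest = body[2:]
        try:
            src = _network(rest)
            dst = _network(rest)
        except (IndexError, ValueError):
            continue                          # malformed address spec: skip rather than guess
        entries.add((body[0], src, dst))
    return entries


def mirror_gaps(local: Set[ACE], remote: Set[ACE]) -> List[ACE]:
    """ACEs in `local` whose mirror (same action, source and destination swapped) is absent in `remote`."""
    mirrored = {(action, dst, src) for action, src, dst in remote}
    return sorted(local - mirrored, key=str)


def _fmt(ace: ACE) -> str:
    return f"{ace[0]} {ace[1]} -> {ace[2]}"


def report(local_config: str, remote_config: str, name: str = "101") -> dict:
    """Gaps in both directions for crypto ACL `name`."""
    local = parse_crypto_acl(local_config, name)
    remote = parse_crypto_acl(remote_config, name)
    return {
        "missing_on_remote": [_fmt(a) for a in mirror_gaps(local, remote)],
        "missing_on_local": [_fmt(a) for a in mirror_gaps(remote, local)],
    }


# Constructed configs: the first ACE pair mirrors correctly, the second does not.
ASA1_CONFIG = """\
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 permit ip host 10.0.1.11 10.0.3.0 255.255.255.0
access-list 199 permit ip any any
"""
ASA2_CONFIG = """\
access-list 101 extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 101 extended permit ip 10.0.3.0 255.255.255.0 10.0.1.0 255.255.255.0
"""

if __name__ == "__main__":
    for side, gaps in report(ASA1_CONFIG, ASA2_CONFIG).items():
        print(side, gaps)
```

The first pair passes. The second is reported from both sides, because asa1 will only negotiate 10.0.1.11/32 <-> 10.0.3.0/24 while asa2 proposes 10.0.1.0/24 <-> 10.0.3.0/24; fix it by making one side's entry match the other exactly rather than by widening the crypto ACL to "any".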
NAT 0 and Interesting Traffic

[Diagram: 10.0.1.11 at Site 1 and 10.0.2.11 at Site 2 are marked "Do Not Translate"]

asa1(config)# nat (inside) 0 access-list 101

• Exempts traffic matching access-list 101 from address translation, so VPN traffic enters the tunnel with its original inside addresses


Configure an IPsec Transform Set

ciscoasa(config)#
crypto ipsec transform-set transform-set-name transform1 [transform2]

• Sets are limited to two transforms
• Default mode is Tunnel
• Configures matching sets between IPsec peers

asa1(config)# crypto ipsec transform-set ASA2 esp-des esp-md5-hmac


Available IPsec Transforms

esp-des        ESP transform using DES cipher (56 bits)
esp-3des       ESP transform using 3DES cipher (168 bits)
esp-aes        ESP transform using AES-128 cipher
esp-aes-192    ESP transform using AES-192 cipher
esp-aes-256    ESP transform using AES-256 cipher
esp-md5-hmac   ESP transform using HMAC-MD5 auth
esp-sha-hmac   ESP transform using HMAC-SHA auth
esp-none       ESP no authentication
esp-null       ESP null encryption
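An audit of show run output against the Weak/Stronger tables earlier in this lesson, added as an example (not Cisco code). It parses isakmp policy blocks and crypto ipsec transform-set lines and reports every parameter that falls in the Weak column, including pre-shared-key authentication and an IKE lifetime of 86,400 seconds, because the tables list them there; esp-null and esp-none are reported as well since they remove protection entirely. The sample output is constructed from the lesson's own values with one deliberately weak policy added. One caveat the 2007 tables cannot carry: 3DES and SHA-1 in the Stronger column are themselves retired today in favour of AES and SHA-2, so treat the table as a floor, not a target.

```python
"""Grade IKE Phase 1 policies and IPsec transform sets against the lesson's tables.

Added example for this lesson, not Cisco code. Input is the text of
`show run crypto isakmp` and `show run crypto ipsec`; the samples below are
constructed in the lesson's command syntax.
"""
import re
from typing import Dict, List, Tuple

# "Weak" column of the IKE Phase 1 table, keyed by isakmp policy attribute.
WEAK_IKE = {
    "encryption": {"des": "DES (table: 3DES or AES)"},
    "hash": {"md5": "MD5 (table: SHA-1)"},
    "authentication": {"pre-share": "pre-shared key (table: RSA signature)"},
    "group": {"1": "DH group 1 (table: group 5)"},
}
MAX_IKE_LIFETIME = 86400      # table: 86,400 s is weak, shorter is stronger

# "Weak" column of the IPsec table plus the two transforms that remove protection.
WEAK_TRANSFORMS = {
    "esp-des": "DES encryption (table: 3DES or AES)",
    "esp-md5-hmac": "HMAC-MD5 (table: SHA-1)",
    "esp-null": "null encryption: no confidentiality",
    "esp-none": "no authentication: no integrity",
}

Finding = Tuple[str, str, str]    # (object, parameter, note)
POLICY_HEADER = re.compile(r"^(?:crypto )?isakmp policy (\d+)$")
POLICY_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")


def parse_isakmp_policies(text: str) -> Dict[int, Dict[str, str]]:
    """Map priority -> attributes from `show run crypto isakmp` output."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = POLICY_HEADER.match(line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
            continue
        parts = line.split()
        if current is not None and len(parts) == 2 and parts[0] in POLICY_ATTRS:
            current[parts[0]] = parts[1]
        else:
            current = None                    # any other line ends the policy block
    return policies


def parse_transform_sets(text: str) -> Dict[str, List[str]]:
    """Map transform-set name -> transforms from `crypto ipsec transform-set` lines."""
    sets: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:3] == ["crypto", "ipsec", "transform-set"] and len(parts) >= 5 and parts[4] != "mode":
            sets[parts[3]] = parts[4:]
    return sets


def audit(isakmp_text: str, ipsec_text: str) -> List[Finding]:
    """Every Weak-column setting found in the two outputs."""
    findings: List[Finding] = []
    for prio, attrs in sorted(parse_isakmp_policies(isakmp_text).items()):
        obj = f"isakmp policy {prio}"
        for param, weak_values in WEAK_IKE.items():
            value = attrs.get(param)
            if value in weak_values:
                findings.append((obj, param, weak_values[value]))
        lifetime = int(attrs.get("lifetime", MAX_IKE_LIFETIME))   # 86400 is the appliance default
        if lifetime >= MAX_IKE_LIFETIME:
            findings.append((obj, "lifetime", f"{lifetime} s (table: shorter than 86,400)"))
    for name, transforms in sorted(parse_transform_sets(ipsec_text).items()):
        for transform in transforms:
            if transform in WEAK_TRANSFORMS:
                findings.append((f"transform-set {name}", transform, WEAK_TRANSFORMS[transform]))
    return findings


# Constructed sample output: policy 10 and ASA2 are the lesson's values, policy 20 is added.
ISAKMP_RUN = """\
isakmp identity address
isakmp enable outside
isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
"""
IPSEC_RUN = """\
crypto ipsec transform-set ASA2 esp-des esp-md5-hmac
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
"""

if __name__ == "__main__":
    for obj, param, note in audit(ISAKMP_RUN, IPSEC_RUN):
        print(f"{obj}: {param}: {note}")
```

Feed it the real output of the two show commands from the Verify slides and read the findings against the tables; the STRONG set produces nothing, the lesson's own ASA2 set produces two lines.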


Configure the Crypto Map

asa1(config)# crypto map ASA1MAP 10 match address 101
asa1(config)# crypto map ASA1MAP 10 set peer 192.168.2.2
asa1(config)# crypto map ASA1MAP 10 set transform-set ASA2
asa1(config)# crypto map ASA1MAP 10 set security-association lifetime seconds 28800

• Specifies IPsec (IKE Phase 2) parameters
• Maps names and sequence numbers of group entries into a policy


Apply the Crypto Map to an Interface

ciscoasa(config)#
crypto map map-name interface interface-name

• Applies the crypto map to an interface
• Activates IPsec policy

asa1(config)# crypto map ASA1MAP interface outside


Example: Crypto Map for Security Appliance 1

Security Appliance 1 (asa1)
asa1# show run crypto map
crypto map ASA1MAP 10 match address 101
crypto map ASA1MAP 10 set peer 192.168.2.2
crypto map ASA1MAP 10 set transform-set ASA2
crypto map ASA1MAP interface outside


Example: Crypto Map for Security Appliance 2

Security Appliance 2 (asa2)
asa2# show run crypto map
crypto map ASA1MAP 10 match address 101
crypto map ASA1MAP 10 set peer 192.168.1.2
crypto map ASA1MAP 10 set transform-set ASA1
crypto map ASA1MAP interface outside


Task 4: Test and Verify VPN Configuration



Task 4: Test and Verify VPN Configuration

• Verify ACLs and interesting traffic.
  – show run access-list
• Verify correct IKE configuration.
  – show run isakmp
  – show run tunnel-group
• Verify correct IPsec configuration.
  – show run ipsec
• Verify IPsec and ISAKMP SAs.
  – show crypto ipsec sa
  – show crypto isakmp sa


Task 4: Test and Verify VPN Configuration (Cont.)

• Verify correct crypto map configuration.
  – show run crypto map
• Clear IPsec SA.
  – clear crypto ipsec sa
• Clear IKE SA.
  – clear crypto isakmp sa
• Debug IKE and IPsec traffic through the security appliance.
  – debug crypto ipsec
  – debug crypto isakmp


Summary

• A VPN is a service that offers secure, reliable connectivity over a shared public network infrastructure such as the Internet.
• Cisco security appliances enable a secure VPN.
• IPsec configuration tasks include configuring IKE and IPsec parameters.



Lab Visual Objective

[Lab topology: Pods 1–5 (networks 192.168.P.0, 172.16.P.0, 10.0.P.0) and Pods 6–10 (192.168.Q.0, 172.16.Q.0, 10.0.Q.0) connect through RBB on 172.26.26.0, which hosts Web/FTP servers at .50 and .150. In each pod an ASA sits between the 192.168.P.0 outside network, a 172.16.P.0 DMZ with a Web/FTP bastion host at .2, and the 10.0.P.0 inside network, which holds an RTS Web or FTP and Syslog server at .100 and the student PC at 10.0.P.11 (10.0.Q.11 for Pods 6–10).]


