
Virtual Private Network (VPN)

IPsec consists of two protocols: the Authentication Header (AH) and the Encapsulating Security Payload (ESP).

ESP is protocol type 50 and AH is 51.

The IP Authentication Header (AH) protocol is used to provide integrity and data origin authentication for IP datagrams, in addition to an optional anti-replay capability. The anti-replay protection is only available if the receiver has the ability to check the sequence number (which is incremented by the sender). The authentication header provides authentication for those fields in the IP header that don't typically change. While there is still value in using AH, there is a limitation on what can be done: mutable fields such as the TTL cannot be protected.

Encapsulating Security Payload (ESP) is largely used in stand-alone mode in today's IPsec VPN tunnels. The reason is that ESP can provide multiple services with just a single protocol: confidentiality using data encryption, authentication via a hash function, and a form of anti-replay capability. ESP provides two methods of operation, tunnel mode and transport mode.

Generic Routing Encapsulation (GRE)

A way to tunnel IP traffic through another network. GRE was once used as a way to connect like networks over a dissimilar network or series of networks. But these tunnels are not secure: there is no encryption. Today, GRE tunnels can be used in conjunction with IPsec VPNs to carry routing protocols that cannot be natively carried over an IPsec VPN tunnel.

To configure a GRE tunnel on the source and destination routers the tasks are:
1. Create a tunnel interface.
2. Assign an IP address to the tunnel interface.
3. Configure the source and destination tunnel IP addresses.
4. Configure the tunnel as GRE mode.
5. Bring up the tunnel.

Creating a GRE tunnel: it is similar to creating any other virtual interface, such as a loopback interface. Enter global configuration mode and perform the following configuration entry:

RND1# configure terminal
RND1(config)# interface tunnel 0
RND1(config-if)# ip address 10.0.0.1 255.255.255.0
RND1(config-if)# tunnel source 10.0.0.1
RND1(config-if)# tunnel destination 10.0.1.1
RND1(config-if)# tunnel mode gre ip
RND1(config-if)# no shutdown

Note that the tunnel source and destination must be addresses on the underlying transport network (normally the router's physical interface address), reachable without going through the tunnel itself. The entry above uses the tunnel interface's own address as the tunnel source, which would cause recursive routing; in practice, substitute the physical interface address.

VPN Operation

A tunnel commonly goes down when the SAs are deleted or when they time out because a previously configured lifetime threshold has been reached.

Cisco-specific operation: first of all, an access-list has to be defined to specify the source and destination traffic; that traffic should then match a policy. When you define the crypto map policy, you assign the access list to it. The building blocks are:

1. The crypto policy - used to define what the ISAKMP security settings will be between these two peers. In our example, we set the policy to use IPsec (with 3DES encryption) and the authentication is set to pre-shared.
2. The crypto key - used as the pre-shared key between the two routers forming the IPsec VPN.
3. The IPsec transform-set - used to set the IPsec encryption settings between the two routers forming the IPsec VPN.
4. The access-list - the ACL is very important as it defines what traffic is and is not encrypted between the two routers. If the traffic is not permitted in the ACL, that traffic is not encrypted.
5. Creating the crypto map - the crypto map is what brings the policy, key, transform-set, and access-list all together. You define the name of the crypto map, and that name is then used to apply the crypto map to the interface.
6. The crypto map command - you will notice on the Fa3/0 interface the crypto map {cryptomap1} statement. This is the last statement that should be added to the configuration. This is where the VPN tunnel is actually applied; applying it enables the tunnel.

Notice how the crypto map has a name (which we named "Cryptomap1"). Crypto maps can have many line numbers. Notice the "10" above: that shows that we are configuring line 10 of the crypto map. From there, you could add lines 20, 30, and so on.

When the router boots up, the VPN is down. The encrypted tunnel is formed when the first packet is sent that matches the ACL. The router that this router is connecting to, on the other side of the tunnel, would have all the same settings except that the IP addressing would be reversed.

Also, don't forget to allow the following into your access-list or firewall, coming into your router from the Internet:

access-list 150 permit udp host 1.1.1.1 any eq isakmp
access-list 150 permit esp host 1.1.1.1 any

Here, 100 is the access-list that was created. The ISAKMP policy is shown below:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

First, you can see that the wizard has created a policy with the numeric identifier 1. The identifier could be any number, but the first one configured through the SDM wizard will be numbered 1. Next, the wizard specified 3DES as the encryption type. This is the default and is what you'll see if you don't specify something else using the wizard. You chose a pre-shared key for authentication. Last, the wizard specified group 2. This indicates that Diffie-Hellman Group 2 is being used. Diffie-Hellman Group 2 is 1024 bits, as opposed to the default, which is Diffie-Hellman Group 1 at 768 bits.

You could have multiple tunnels on the same router and, therefore, potentially multiple transform-sets. The peer remote IP address was set.
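The six building blocks above, plus the GRE-over-IPsec idea from the GRE section, written out as one complete router configuration. This is an added example, not the configuration these notes were taken from: the peer 1.1.1.1, interface Fa3/0, ACL numbers 100 and 150 and the crypto map name come from the notes, while the LAN prefixes, the outside address 2.2.2.2, the transform-set name and the key are constructed placeholders.

```cisco
! Added example (constructed; not the original notes' configuration). Router RND1,
! outside interface Fa3/0, peer 1.1.1.1. LAN prefixes, outside address and key are placeholders.
!
! 1. Crypto (ISAKMP) policy: phase 1 settings that must match on both peers
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! 2. Pre-shared key for that peer (placeholder; use a long random secret)
crypto isakmp key CHANGE-ME-PLACEHOLDER address 1.1.1.1
!
! 3. Transform-set: phase 2 (IPsec) encryption and integrity, ESP in tunnel mode
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
! 4. Crypto ACL 100: only traffic permitted here is encrypted (constructed LANs).
!    To protect the GRE tunnel from the GRE section instead, so it can carry a routing
!    protocol, match the tunnel endpoints: access-list 100 permit gre host <src> host <dst>
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! 5. Crypto map line 10 ties peer, transform-set and ACL together (lines 20, 30, ... add more)
crypto map Cryptomap1 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS-3DES-SHA
 match address 100
!
! Inbound filter on the Internet-facing interface: ISAKMP (UDP 500) and ESP (protocol 50)
! from the peer must reach the router or the tunnel can never be negotiated. The list is
! deliberately minimal; the implicit deny at its end drops everything else.
access-list 150 permit udp host 1.1.1.1 any eq isakmp
access-list 150 permit esp host 1.1.1.1 any
!
! 6. Apply the crypto map (and the inbound filter) to the outside interface
interface FastEthernet3/0
 ip address 2.2.2.2 255.255.255.0
 ip access-group 150 in
 crypto map Cryptomap1
!
! The tunnel stays down until a packet matches ACL 100; afterwards verify with
!   show crypto isakmp sa      (phase 1 SA, expect state QM_IDLE)
!   show crypto ipsec sa       (phase 2 SAs and encrypt/decrypt counters)
```

The remote router carries the same configuration with the addressing reversed, as the notes state.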
