You are on page 1of 138

ADVANCED IPSEC DEPLOYMENTS AND CONCEPTS

SEC-A04

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Associated Sessions
VVT-2003 IP Telephony Security NMS-D02 Managing Security Technologies

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Recommended Reading
Peripheral Reading Enhanced IP Services for Cisco Networks
ISBN: 1578701066

Network Security, Principles and Practice


ISBN: 1587050250

Managing Cisco Network Security,


ISBN: 1578701031

Network Security Architectures,


ISBN: 158705115X

Network Security First Step


ISBN: 1587200996

Network Security Fundamentals,


ISBN: 1587051672

Troubleshooting Virtual Private Networks


ISBN 1587051044

Dictionary of Internetworking Terms and Acronyms


ISBN:1587200457

Check the recommended Reading flyer at the Cisco Company Store books at 20% to 30% discount and dont forget to claim your free book!
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

Prerequisites
You should be familiar with IPSec You may have configured IPSec already Some basic GRE/Routing knowledge wont hurt

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Agenda
General Design Considerations DMVPN Overview DMVPN Advanced Design DMVPN Details DMVPN example Deployments IOS CA SSL vs IPSec VPN

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

GENERAL CONSIDERATIONS

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Design Considerations: Scaling, Sizing and Performance: I


Head-end VPN Device sizing consideration factors:
Total number of remote sites, tunnels VPN traffic throughput Features: routing protocols, GRE, Firewall, QoS

Scalability
The head-end design must scale to support future load requirements Consider integrated verses purposedefined devices Routing, resilience, load balancing, and the WAN connection are all key factors
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

Design Considerations: Scaling, Sizing and Performance: II


A head-end device should not be deployed in a configuration that results in CPU utilization higher than 50% after failure The 50% target includes all overhead incurred by IPSec and any other enabled features (firewall, routing, IDS, logging, etc.) Branch devices should not be taxed above 65% CPU utilization

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Design Consideration: Topology


Peer-to-peer Hub and spoke
Most common topology Scales well, o(n) Performance penalty due to two encryption/decryption cycles

MeshPartial
Compared to hub and spoke topology, more direct spoke to spoke communications

MeshFull
Scaling issues: IPSec tunnels grow exponentially as number of sites increases Difficult to provision

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN OVERVIEW

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

10

What is DMVPN ?
Dynamic Multipoint VPN It is GRE, NHRP and IPSec mix NHRP allows the peers to have dynamic addresses (Dial, DSL,) with GRE / IPSec tunnels The backbone is a hub and spoke topology It allows direct spoke to spoke tunneling by auto leveling to a partial mesh

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

11

Site-to-Site, Dynamic Multipoint VPN (DMVPN)


mGRE/IPsec/NHRP Integration, only the HUB address is known
10.0.0.0 255.255.255.0 HUB 10.0.0.1

LANs can have private addressing

Static known IP address

Dynamic unknown IP addresses


SPOKE 10.0.3.1 10.0.3.0 255.255.255.0

10.0.1.1 10.0.1.0 255.255.255.0 = Static spoke-to-hub IPsec tunnels


SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

10.0.2.0 255.255.255.0 10.0.2.1 = Dynamic&Temporary Spoke-to-spoke IPsec tunnels


12

DMVPN: How Does It Work?


Relies on Two Proven Cisco Technologies
NHRPNext Hop Resolution Protocol
Client/server protocol: hub is server; spokes are clients Hub maintains a (NHRP) database of all the spokes real (public interface) addresses Each spoke registers its real address when it boots Spokes query HNRP database for real addresses of destination spokes to build direct tunnels

Multipoint GRE Tunnel Interface


Allows single GRE interface to support multiple IPSec tunnels Simplifies size and complexity of configuration

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

13

NHRP Registration Dynamically Addressed Spokes


= Dynamic permanent IPsec tunnels 192.168.0.1/24

NHRP mapping Routing Table

10.0.0.11 10.0.0.12 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24

172.16.1.1 172.16.2.1 Conn. 10.0.0.11 10.0.0.12

Physical: 172.17.0.1 Tunnel0: 10.0.0.1

Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.11

Physical: 172.16.2.1 (dynamic) Tunnel0: 10.0.0.12

192.168.1.1/24

Spoke A

Spoke B

192.168.2.1/24

10.0.0.1

172.17.0.1 10.0.0.1 Conn. 10.0.0.1

10.0.0.1

172.17.0.1 10.0.0.1 10.0.0.1 Conn.

192.168.0.0/24 192.168.1.0/24 192.168.2.0/24

192.168.0.0/24 192.168.1.0/24 192.168.2.0/24

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

14

DMVPN: How Does It Work?


Spokes have a permanent IPSec tunnel to the hub, but not to the spokes; They register as clients of the NHRP server When a spoke needs to send a packet to a destination (private) subnet on another spoke, he queries the NHRP server for the real (outside) address of the destination spoke Now the originating spoke can initiate a dynamic ipsec tunnel to the target spoke (because he knows the peer address) The spoke to spoke tunnel is built over the mGRE interface
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

15

NHRP Resolution Process Switching


= Dynamic permanent IPsec tunnels 192.168.0.1/24

NHRP mapping (*NHS) Routing Table

10.0.0.11 10.0.0.12 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24

172.16.1.1 172.16.2.1 Conn. 10.0.0.11 10.0.0.12

Physical: 172.17.0.1 Tunnel0: 10.0.0.1

Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.11 Spoke A .1 .25 PC 192.168.1.0/24

Physical: 172.16.2.1 (dynamic) Tunnel0: 10.0.0.12

Spoke B .1 192.168.2.0/24

Web .37

10.0.0.1 172.17.0.1 (*) 10.0.0.12 172.16.2.1 192.168.1.0/24 172.16.1.1 (l) 192.168.2.0/24 192.168.2.37/32 172.16.2.1 ??? 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.1 Conn. 10.0.0.12

10.0.0.1 172.17.0.1 (*) 10.0.0.11 172.16.1.1 192.168.1.0/24 192.168.1.25/32 172.16.1.1 ??? 192.168.2.0/24 172.16.2.1 (l) 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.1 10.0.0.11 Conn.
16

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

ADVANCED DESIGN ISSUES

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

17

Advanced Design Issues


Network design
Design, Redundancy and Scaling

Routing
Dynamic routing protocols

Encryption peers
Finding, mapping and authenticating

Management
Deploying, Monitoring, and Maintaining

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

18

Network Design
Hub-and-spoke
All VPN traffic must go via hub Hub bandwidth and CPU utilization limit VPN Number of tunnels = O(n)

Dynamic-Mesh Dynamic spoke-spoke tunnels


Control traffic Hub to Hub and Hub and spoke Next Hop Resolution Protocol (NHRP), Dynamic Routing, IP Multicast Data traffic Dynamic mesh Spoke routers only need to support spoke-hub and spoke-spoke tunnels currently in use. Hub only supports spoke-hub traffic and overflow from spoke-spoke traffic. Number of tunnels > O(n), << O(n2)
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

19

Network Design: Redundancy and Scaling Hub and Spoke


Configure spokes to use two hubs (primary, secondary). Can use multiple mGRE tunnel interfaces on Hub router
Increases number of spokes supported per hub Use same tunnel source and tunnel protection shared Each mGRE interface is a separate DMVPN network Different Tunnel key, NHRP network id and IP subnet

Hubs can be interconnected directly over physical links, mGRE tunnels or p-pGRE tunnels. Hub routers may pass routing information for DMVPN network through any of these paths.

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

20

Network Design: Redundancy and Scaling Dynamic-Mesh


Configure spokes to use two hubs (primary, secondary) Hub routers can only have one mGRE tunnel interface
Reduces number of spokes supported per hub router

Hub routers must exchange routing information for DMVPN network through mGRE tunnel interfaces. Hub routers point to other hub routers as NHSs in a daisy-chain or pair wise fashion
Used for forwarding NHRP packets and data packets while dynamic spoke-spoke tunnels are being created

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

21

Routing New IP Routing/Forwarding Model


Regular IP networks
IP routing updates and data packets traverse same physical/logical links

DMVPN IP networks
IP routing updates only traverse hub-and-spoke tunnels IP data packets traverse both hub-and-spoke and direct dynamic spoke-spoke tunnels Routing protocol doesnt monitor state of spoke-spoke tunnels

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

22

Finding/Mapping Peers
Two layers of IP addresses
VPN layer, IP infrastructure (NBMA) layer

Mapping between VPN and IP Infrastructure


Next Hop Resolution Protocol (NHRP)

Authenticating peers
Pre-shared keys, certificates

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

23

Two Layers of IP Addresses

VPN Layer EIGRP 1/OSPF 1/RIP/ODR

STATIC EIGRP 2 OSPF 2 BGP IP Infrastructure Layer


SEC-A04

STATIC EIGRP 2 OSPF 2 BGP

2004 Cisco Systems, Inc. All rights reserved.

24

Routing Dynamic Routing Protocols


EIGRP
Good for hub-and-spoke and spoke-spoke More control, medium overhead, faster convergence

OSPF
Okay for hub-and-spoke, maximum of 2 hubs for spoke-spoke Less control, medium overhead, faster convergence

RIP
Okay for hub-and-spoke and spoke-spoke Okay control, medium overhead, slower convergence

ODR
Good for hub-and-spoke (non-split tunneling), no spoke-spoke Less control, low overhead, slower convergence, most scalable

BGP
Okay for hub-and-spoke and spoke-spoke Good control, lower overhead, slower convergence, static neighbor configuration
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

25

Routing Dynamic Routing Configuration


Hub-and-spoke
EIGRP
no ip split-horizon eigrp <as>

Dynamic Spoke-spoke
EIGRP
no ip split-horizon eigrp <as> no ip next-hop-self eigrp <as> no auto-summary

OSPF
ip ospf network point-multipoint

RIP
no ip split-horizon

OSPF
ip ospf network broadcast ip ospf priority (2(hub)|0(spoke))

ODR
distribute-list <acl> out

RIP
no ip split-horizon no auto-summary

BGP
Hub is route reflector next-hop self

BGP
Hub is route reflector

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

26

Authenticating Peers
Pre-shared keys Hub-and-spoke only Wildcard pre-shared keys Insecure Certificates
Certificate Authority/Server (CA/CS) Certificate distributionenrollment Manual (terminal, tftp), Automatic (SCEP) Some requirements for use Accurate timeNTP, SNTP Check for revocationcrl optional

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

27

Configuring and Maintaining


Provisioning
Bootstrap PKI Certificates Dynamic Addressing and Call Home Policy Push for IPsec, QoS, Firewall, IDS, NAT, Routing Hub-and-spoke, full and partial mesh topologies

Ongoing Management (ISC)


Separate Management Tunnel Router Configuration and Image Control Configuration Change Notification Audit Checks
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

28

DMVPN DETAILS

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

29

Dynamic Multipoint VPN (DMVPN) Major Features


Supports encrypting IP unicast, multicast and dynamic routing protocols Supports remote IPsec peers with dynamically assigned addresses and NAT-T Configuration reduction Dynamic spoke-spoke tunnels for scaling partial/full mesh VPNs

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

30

Multipoint GRE (mGRE) Tunnels


Single tunnel interface (multipoint)
Non-Broadcast Multi-Access (NBMA) Network Smaller hub configuration Multicast/broadcast support Harder to support Per-tunnel QoS

Dynamic tunnel destination


Next Hop Resolution Protocol (NHRP) VPN IP to NBMA IP address mapping Short-cut forwarding Direct support for dynamic addresses and NAT
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

31

Terminology pause
The tunnel address is the ip address defined on the tunnel interface The NBMA (Non-Broadcast Multiple Access) address is the ip address used as tunnel source (or destination) Example on router A, one configures interface Ethernet0/0 ip address 172.16.0.1 255.255.255.0 interface Tunnel0 ip address 10.0.0.1 255.0.0.0 tunnel source Ethernet0/0 [] 10.0.0.1 is router A's tunnel address 172.16.0.1 is router A's NBMA address

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

32

NHRP Peer Mapping


Static mappings on spokes for Hub (NHS)
Needed to start the game

NHRP Registration
Dynamically register spokes VPN to NBMA address mapping with hub (NHS).

NHRP Resolutions
Dynamically resolve remote spokes VPN to NBMA mapping to build spoke-spoke tunnels. CEF switching Forwarded along NHS path (spoke hub hub) Process switching Forwarded along routed path (spoke hub hub spoke)
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

33

What is NHRP exactly ?


NHRP is a layer two resolution protocol and cache like ARP or Inverse ARP (Frame Relay) It is used in DMVPN to map a tunnel IP address to an NBMA address Like ARP, NHRP can have static and dynamic entries Since 12.2(13)T, NHRP can work fully dynamically

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

34

NHRP Functionality
Address mapping/resolution
Next Hop Client (NHC) registration with Next Hop Server (NHS) Resolution of VPN to NBMA mapping Routing: NHRP: destination VPN IP next-hop NBMA address

VPN IP next-hop

Short-cut forwarding
Single hop instead of multiple hops across NBMA network NHRP Resolution requests/replies forwarded via NHS

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

35

Building Hub-and-Spoke tunnels NHRP Registration


Host1 Spoke1 IKE Initialization IKE Initialization IKE/IPsec Established IKE/IPsec Established NHRP Regist. Req. NHRP Regist. Rep. NHRP Regist. Req. NHRP Regist. Rep. Routing Adjacency Routing Adjacency Routing Update Routing Update Routing Update Routing Update Hub Spoke2 Host2

Encrypted
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

Encrypted
36

Dynamic Spoke-Spoke Tunnels


mGRE/NHRP+IPsec configuration
On both hub and spokes ISAKMP authentication information Certificates, wildcard pre-shared keys (not secure)

Spoke-spoke data traffic direct


Reduced load on hub Reduced latency Single IPsec encrypt/decrypt

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

37

Dynamic Spoke-Spoke Tunnels Forwarding Data Packets


Process-switching
Routing selects outgoing interface and IP next-hop NHRP overrides IP next-hop from routing

CEF switching
IP Next-hop from routing table Next-hop Next-hop hub spoke data packets via hub data packets direct

Data packets via hub while spoke-spoke tunnel is coming up, then direct

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

38

NHRP: Data Packet Forwarding Process Switching


IP Data packet is forwarded out tunnel interface to IP next-hop from routing table NHRP looks in mapping table for IP destination
Found Entry (socket) Forward to NBMA from mapping table overriding IP next-hop Found Entry (no socket) If tunnel is not source interface convert to (socket) Not found Forward to IP next-hop (if in table) otherwise to NHS If arriving interface was not tunnel interface Initiate NHRP Resolution Request for IP destination

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

39

NHRP: Data Packet Forwarding CEF Switching


IP Data packet is forwarded out tunnel interface to IP next-hop from CEF FIB table Adjacency is of type Valid
Packet is encapsulated and forwarded by CEF out tunnel interface NHRP not involved

Adjacency is of type Glean or Incomplete


Punt packet to process switching If arriving interface was not tunnel interface Initiate NHRP Resolution Request for IP next-hop Resolution reply is used to create NHRP mapping and to complete the Adjacency
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

40

NHRP Resolution Request/Response Forwarding


Insert protocol source to NBMA source address mapping, from request into mapping table (no socket) Lookup protocol destination in mapping table
If found (authoritative) Answer Request

Lookup protocol destination in routing table


If Outbound interface is not the tunnel This node is the exit point Answer Request

Look up IP next-hop in mapping table


Found Entry (socket) Forward to NBMA from mapping table Not found or Found Entry (no socket) Forward to NHS
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

41

NHRP Resolution Response


Lookup protocol destination in routing table for matching network, subnet mask and IP next-hop. Create NHRP local mapping entry for protocol destination network with mask-length to NBMA address Create NHRP Resolution Response with protocol destination, NBMA address and mask-length. Forwarding Resolution Response
Look up protocol source in mapping table Found Entry (socket) Forward to NBMA from mapping table Not found or Found Entry (no socket) Forward to IP next-hop (if in table) otherwise to NHS
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

42

Building Spoke-Spoke Tunnels Process Switching


Host1 Spoke1 Hubs Spoke2 Host2

NHRP Resol. Req.

NHRP Resol. Req. IKE Initialization NHRP Resol. Req.

NHRP Resol. Req. IKE Initialization

IKE/IPsec Established NHRP Resolution Replies

Encrypted

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

43

Building Spoke-Spoke Tunnels CEF Switching


Host1 Spoke1 Hubs Spoke2 Host2

NHRP Res. Request NHRP Res. Request NHRP Res. Reply IKE Initialization IKE Initialization

NHRP Res. Reply

IKE/IPsec Established

Encrypted

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

44

NHRP Resolution CEF Switching


NHRP mapping (*NHS) CEF FIB Table CEF Adjacency
Physical: 172.17.0.1 Tunnel0: 10.0.0.1 192.168.0.1/24

10.0.0.11 10.0.0.12

172.16.1.1 172.16.2.1 Conn. 10.0.0.11 10.0.0.12 172.16.1.1 172.16.2.1

192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.11 10.0.0.12

Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.11

Physical: 172.16.2.1 (dynamic) Tunnel0: 10.0.0.12

192.168.1.1/24

Spoke A

Spoke B

192.168.2.1/24

10.0.0.1 10.0.0.12

172.17.0.1 (*) ??? 172.16.2.1 10.0.0.1 Conn. 10.0.0.12

10.0.0.1 10.0.0.11

172.17.0.1 (*) ??? 172.16.1.1 10.0.0.1 10.0.0.11 Conn.

192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.1 10.0.0.12


SEC-A04

192.168.0.0/24 192.168.2.0/24 192.168.2.0/24 10.0.0.1 10.0.0.11

172.17.0.1 incomplete 172.16.2.1


2004 Cisco Systems, Inc. All rights reserved.

172.17.0.1 incomplete 172.16.1.1


45

DMVPN Data Structures


NHRP Mapping Table
Maps VPN and Tunnel IP addresses to NBMA (Physical address) show ip nhrp, debug nhrp { packet | cache | extension }

Crypto Socket Table


Mapping between NHRP and IPsec show crypto socket, debug crypto socket, show crypto ipsec profile, debug tunnel {protection}

Crypto Map Table


Dynamic Crypto map for each mGRE tunnel or for each IPsec profile (tunnel protection shared) show crypto map

IPsec SA Table
show crypto ipsec sa { | include Tag|peer|spi|endpt }

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

46

DMVPN NHRP Mapping Tables


Hub1
Hub1#show ip nhrp 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 01:03:41, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.5 10.0.0.11/32 via 10.0.0.11, Tunnel0 created 01:03:38, expire 00:04:18 Type: dynamic, Flags: authoritative unique registered used NBMA address: 172.16.1.2 10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:15, expire 00:05:44 Type: dynamic, Flags: router implicit NBMA address: 172.16.2.2 (no-socket) SpokeB#show ip nhrp 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:03:37, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.1 10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:11, expire 00:04:26 Type: dynamic, Flags: router NBMA address: 172.16.2.2

Spoke A

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

47

DMVPN Crypto Socket Tables


Hub1
Hub1# show crypto socket Number of Crypto Socket connections 2 Tu0 Peers (local/remote): 172.17.0.1/172.17.0.5 Local Ident (addr/mask/port/prot): (172.17.0.1/255.255.255.255/0/47) Remote Ident (addr/mask/port/prot): (172.17.0.5/255.255.255.255/0/47) Socket State: Open, Client: "TUNNEL SEC" (Client State: Active) Tu0 Peers (local/remote): 172.17.0.1/172.16.1.2 Local Ident (addr/mask/port/prot): (172.17.0.1/255.255.255.255/0/47) Remote Ident (addr/mask/port/prot): (172.16.1.2/255.255.255.255/0/47) Socket State: Open, Client: "TUNNEL SEC" (Client State: Active) Crypto Sockets in Listen state: 1 TUNNEL SEC Profile: "vpnprof" Map-name "Tunnel0-head-0" SpokeA#show cry socket Number of Crypto Socket connections 2 Tu0 Peers (local/remote): 172.16.1.2/172.17.0.1 Local Ident (addr/mask/port/prot): (172.16.1.2/255.255.255.255/0/47) Remote Ident (addr/mask/port/prot): (172.17.0.1/255.255.255.255/0/47) Socket State: Open, Client: "TUNNEL SEC" (Client State: Active) Tu0 Peers (local/remote): 172.16.1.2/172.16.2.2 Local Ident (addr/mask/port/prot): (172.16.1.2/255.255.255.255/0/47) Remote Ident (addr/mask/port/prot): (172.16.2.2/255.255.255.255/0/47) Socket State: Open, Client: "TUNNEL SEC" (Client State: Active) Crypto Sockets in Listen state: 1 TUNNEL SEC Profile: "vpnprof" Map-name "Tunnel0-head-0"

Spoke A

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

48

DMVPN Crypto Map Tables


Hub1
Hub1#show crypto map Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp Profile name: vpnprof SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N, Trans sets={ trans1, } Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp, PROFILE INSTANCE. Peer = 172.16.0.5, access-list permit gre host 172.17.0.1 host 172.16.0.5 SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N, Transform sets={ trans1, } Crypto Map "Tunnel0-head-0" 65538 ipsec-isakmp, PROFILE INSTANCE. Peer = 172.16.1.2, access-list permit gre host 172.17.0.1 host 172.16.1.2 SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N, Transform sets={ trans1, }

Spoke A

Spoke1#sho crypto map Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp Profile name: vpnprof SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N ,Transform sets={trans1, } Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp, PROFILE INSTANCE. Peer = 172.17.0.1, access-list permit gre host 172.16.1.2 host 172.17.0.1 SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N, Transform sets={trans1, } Crypto Map "Tunnel0-head-0" 65538 ipsec-isakmp, PROFILE INSTANCE. Peer = 172.16.2.2, access-list permit gre host 172.16.1.2 host 172.16.2.2 SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N, Transform sets={trans1, }

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

49

DMVPN Crypto IPsec SAs


Hub1
Hub1#show crypto ipsec sa interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr. 172.17.0.1 local crypto endpt.: 172.17.0.1, remote crypto endpt.: 172.16.1.2 current outbound spi: D111D4E0 inbound esp sas: spi: 0x8FE87A1B(2414377499) {Transport, } outbound esp sas: spi: 0xD111D4E0(3507606752) {Transport, } local crypto endpt.: 172.17.0.1, remote crypto endpt.: 172.17.0.5 current outbound spi: 149FA5E7 inbound esp sas: spi: 0x3C32F075(1009971317) {Transport, } outbound esp sas: spi: 0x149FA5E7(346007015) {Transport, } SpokeA#sho crypto ipsec sa interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr. 172.16.1.2 local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.17.0.1 current outbound spi: 8FE87A1B inbound esp sas: spi: 0xD111D4E0(3507606752) {Transport, } outbound esp sas: spi: 0x8FE87A1B(2414377499) {Transport, } local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.16.2.2 current outbound spi: 32E65B6D inbound esp sas: spi: 0x3B44DBD0(994368464) {Transport, } spi: 0x8B07B649(2332538441) {Transport, } outbound esp sas: spi: 0x8CCD4943(2362263875) {Transport, } spi: 0x32E65B6D(853957485) {Transport, }

Spoke A

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

50

DMVPN Routing Tables


Hub1
Hub1# show ip route C C C D D S* 172.17.0.0/30 is directly connected, Serial1/0 10.0.0.0/24 is directly connected, Tunnel0 192.168.0.0/24 is directly connected, Ethernet0/0 192.168.1.0/24 [90/2611200] via 10.0.0.11, 00:42:39, Tunnel0 192.168.2.0/24 [90/2636800] via 10.0.0.12, 00:42:37, Tunnel0 0.0.0.0/0 [1/0] via 172.17.0.2

Spoke A

SpokeA# show ip route C C D C D S* 172.16.1.0/30 is directly connected, Serial1/0 10.0.0.0/24 is directly connected, Tunnel0 192.168.0.0/24 [90/297372416] via 10.0.0.1, 00:42:34, Tunnel0 192.168.1.0/24 is directly connected, Ethernet0/0 192.168.2.0/24 [90/297321216] via 10.0.0.12, 00:42:34, Tunnel0 0.0.0.0/0 [1/0] via 172.16.1.1

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

51

EXAMPLE DMVPN DEPLOYMENTS

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

52

Example DMVPN Deployments


DMVPN Dual Hub
Redundancy Routing and Load Balancing

DMVPN High Concentration Hub


Server Load Balancing (SLB) CAT6500/7600, VPNSM, MWAM

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

53

DMVPN Dual Hub Features


Redundancy
Two spoke-hub links for each spoke All spokes connected to both hubs Can lose 1 hub and spoke not isolated

Routing and load balancing


Both spoke-hub links always up Dynamic routing controls packet flow for redundancy and/or load balancing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

54

DMVPN Dual Hub


Single DMVPN Dual Hub Single mGRE tunnel on all nodes
Physical: 172.17.0.5 Tunnel0: 10.0.0.2 192.168.0.0/24 .2 .1

Physical: 172.17.0.1 Tunnel0: 10.0.0.1

Physical: (dynamic) Tunnel0: 10.0.0.12

Spoke B Physical: (dynamic) Tunnel0: 10.0.0.11

.1

.37 Web

192.168.2.0/24

.1 192.168.1.0/24

Spoke A .25

...
= Dynamic&Temporary Spoke-to-spoke IPsec tunnels
55

PC
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

..

Single DMVPN Dual Hub Crypto and Interface Configuration


crypto ca trustpoint msca-root enrollment terminal crl optional rsakeypair <hostname> crypto ca certificate chain msca-root certificate <router-certificate-id> certificate ca 1244325DE0369880465F977A18F61CA8 ! crypto isakmp policy 1 encryption 3des ! crypto ipsec transform-set trans1 esp-3des esp-md5-hmac mode transport required ! crypto ipsec profile vpnprof set transform-set trans1 ! interface Ethernet0/0 ! < inside interface > ip address 192.168.<x>.<x> 255.255.255.0 ! interface Serial1/0 ! < outside interface > ip address 172.<16|17>.<x>.<x> 255.255.255.252
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

56

DMVPN Dual Hub Hub1


Common Subnet Static NHRP to Hub2 interface Tunnel0 bandwidth 1000 ip address 10.0.0.1 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp map 10.0.0.2 172.17.0.5 ip nhrp map multicast 172.17.0.5 ip nhrp network-id 100000 ip nhrp holdtime 360 ip tcp adjust-mss 1360 ip ospf network broadcast ip ospf priority 2 ip ospf cost 100 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router ospf 1 network 10.0.0.0 0.0.0.255 area 1 network 192.168.0.0 0.0.0.255 area 0

OSPF Network Priority and cost

OSPF Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

57

DMVPN Dual Hub Hub2


Common Subnet Static NHRP to Hub1 interface Tunnel0 bandwidth 1000 ip address 10.0.0.2 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp map 10.0.0.1 172.17.0.1 ip nhrp map multicast 172.17.0.1 ip nhrp network-id 100000 ip nhrp holdtime 360 ip tcp adjust-mss 1360 ip ospf network broadcast ip ospf priority 2 ip ospf cost 105 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router ospf 1 network 10.0.0.0 0.0.0.255 area 1 network 192.168.0.0 0.0.0.255 area 0

OSPF Network Priority and cost

OSPF Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

58

DMVPN Dual Hub Spoke A


interface Tunnel0 bandwidth 1000 ip address 10.0.0.11 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast 172.17.0.1 ip nhrp map 10.0.0.1 172.17.0.1 ip nhrp map multicast 172.17.0.5 ip nhrp map 10.0.0.2 172.17.0.5 ip nhrp network-id 100000 ip nhrp holdtime 360 ip nhrp nhs 10.0.0.1 ip nhrp nhs 10.0.0.2 ip tcp adjust-mss 1360 ip ospf network broadcast ip ospf priority 0 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router ospf 1 network 10.0.0.0 0.0.0.255 area 1 network 192.168.1.0 0.0.0.255 area 1 distance 111 192.168.0.2 0.0.0.0
59

Hub1 NHRP mappings Hub2 NHRP mappings

OSPF Network and Priority

OSPF Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Dual Hub Spoke B


interface Tunnel0 bandwidth 1000 ip address 10.0.0.12 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast 172.17.0.1 ip nhrp map 10.0.0.1 172.17.0.1 ip nhrp map multicast 172.17.0.5 ip nhrp map 10.0.0.2 172.17.0.5 ip nhrp network-id 100000 ip nhrp holdtime 360 ip nhrp nhs 10.0.0.1 ip nhrp nhs 10.0.0.2 ip tcp adjust-mss 1360 ip ospf network broadcast ip ospf priority 0 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router ospf 1 network 10.0.0.0 0.0.0.255 area 1 network 192.168.2.0 0.0.0.255 area 1 distance 111 192.168.0.2 0.0.0.0
60

Hub1 NHRP mappings Hub2 NHRP mappings

OSPF Network and Priority

OSPF Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Dual Hub Hub Routing Tables


Hub1
C C C O O 172.17.0.0/30 is directly connected, Serial1/0 10.0.0.0/24 is directly connected, Tunnel0 192.168.0.0/24 is directly connected, Ethernet0/0 192.168.1.0/24 [110/110] via 10.0.0.11, 00:36:53, Tunnel0 192.168.2.0/24 [110/110] via 10.0.0.12, 00:36:53, Tunnel0 ... S* 0.0.0.0/0 [1/0] via 172.17.0.2

Hub 2

C C C O O

172.17.0.4/30 is directly connected, Serial1/0 10.0.0.0/24 is directly connected, Tunnel0 192.168.0.0/24 is directly connected, Ethernet0/0 192.168.1.0/24 [110/115] via 10.0.0.11, 00:42:02, Tunnel0 192.168.2.0/24 [110/115] via 10.0.0.12, 00:42:02, Tunnel0 ... S* 0.0.0.0/0 [1/0] via 172.17.0.6

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

61

DMVPN Dual Hub Spoke Routing Tables


Spoke A
C 172.16.1.0/30 is directly connected, Serial1/0 C 10.0.0.0/24 is directly connected, Tunnel0 O IA 192.168.0.0/24 [110/110] via 10.0.0.1, 00:46:20, Tunnel0 C 192.168.1.0/24 is directly connected, Ethernet0/0 O 192.168.2.0/24 [110/110] via 10.0.0.12, 00:46:20, Tunnel0 ... S* 0.0.0.0/0 [1/0] via 172.16.1.2

Spoke B

C 172.16.2.0.0/30 is directly connected, Serial1/0 C 10.0.0.0/24 is directly connected, Tunnel0 O IA 192.168.0.0/24 [110/110] via 10.0.0.1, 00:53:14, Tunnel0 O 192.168.1.0/24 [110/110] via 10.0.0.11, 00:53:14, Tunnel0 C 192.168.2.0/24 is directly connected, Ethernet0/0 ... S* 0.0.0.0/0 [1/0] via 172.16.2.2

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

62

DMVPN Dual Hub Hub NHRP tables


Hub1
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 02:58:13, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.5 10.0.0.11/32 via 10.0.0.11, Tunnel0 created 02:51:46, expire 00:04:13 Type: dynamic, Flags: authoritative unique registered used NBMA address: 172.16.1.1 10.0.0.12/32 via 10.0.0.12, Tunnel0 created 02:51:26, expire 00:04:33 Type: dynamic, Flags: authoritative unique registered used NBMA address: 172.16.2.1 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 02:48:42, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.1 10.0.0.11/32 via 10.0.0.11, Tunnel0 created 02:43:05, expire 00:05:01 Type: dynamic, Flags: authoritative unique registered NBMA address: 172.16.1.1 10.0.0.12/32 via 10.0.0.12, Tunnel0 created 02:44:08, expire 00:05:20 Type: dynamic, Flags: authoritative unique registered used NBMA address: 172.16.2.1

Hub 2

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

63

DMVPN Dual Hub Spoke NHRP tables


Spoke A
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 02:51:20, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.1 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 02:51:20, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.5 10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:06, expire 00:05:05 Type: dynamic, Flags: router unique used NBMA address: 172.16.2.1 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 02:51:18, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.1 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 02:51:18, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.5 10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:24, expire 00:04:27 Type: dynamic, Flags: router unique used NBMA address: 172.16.1.1

Spoke B

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

64

DMVPN Dual Hub Summary


Network design
Hub and spokerouting Dynamic meshdata traffic

Add spoke routers without hub or other spoke router changes


NHRP and dynamic routing propagate information

Hub redundancy
Must lose both before spoke isolated

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

65

Example DMVPN Deployments


DMVPN Dual Hub
Redundancy Routing and Load Balancing

DMVPN Multi-hub
Redundancy, Scaling NHRP Resolution Forwarding

DMVPN High Concentration Hub


Server Load Balancing (SLB) CAT6500/7600, VPNSM, MWAM

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

66

DMVPN Multi-Hub Features


Redundancy
Two spoke-hub links for each spoke (example only shows one for clarity) Can lose 1 hub and spoke not isolated hub-and-spoke

Routing and load balancing


Both spoke-hub links always up Dynamic routing controls packet flow for redundancy and/or load balancing Dynamic routing configuration more complex

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

67

DMVPN Multi-Hub Hub Daisy Chaining


Daisy chain styles
Single daisy chain through all hubs Spokes two tunnels distributed across hubs equally Two single daisy chains one through primary hubs and other through secondary hubs. Spokes connected to both a primary and secondary hub

Loss of Hub breaks daisy chain


No new spoke-spoke dynamic tunnels until hub back online Cross-connect between primary and secondary hubs restores spoke-spoke data traffic, but goes through hubs.
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

68

DMVPN Multi-Hub
Single DMVPN Multi-hub, Single mGRE tunnel on all nodes
.2 .3 Physical: 172.17.0.5 Tunnel0: 10.0.0.2 .1 Physical: 172.17.0.9 Tunnel0: 10.0.0.3 192.168.0.0/24

Physical: 172.17.0.1 Tunnel0: 10.0.0.1

Physical: (dynamic) Tunnel0: 10.0.0.13

Spoke C Physical: (dynamic) Tunnel0: 10.0.0.11 Physical: (dynamic) Tunnel0: 10.0.0.12

.1 192.168.3.0/24

.1 192.168.1.0/24

Spoke A

...
Spoke B .1 192.168.2.0/24
69

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

..

DMVPN Multi-Hub Hub1


Common Subnet Set Hub2 as NHS
interface Tunnel0 bandwidth 1000 ip address 10.0.0.1 255.255.255.0 ip mtu 1400 no ip next-hop-self eigrp 1 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp map 10.0.0.2 172.17.0.5 ip nhrp map multicast 172.17.0.5 ip nhrp network-id 100000 ip nhrp holdtime 360 ip tcp adjust-mss 1360 ip nhrp nhs 10.0.0.2 no ip split-horizon eigrp 1 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.0.0 no auto-summary

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

70

DMVPN Multi-Hub Hub2


Common Subnet Set Hub3 as NHS
interface Tunnel0 bandwidth 1000 ip address 10.0.0.2 255.255.255.0 ip mtu 1400 no ip next-hop-self eigrp 1 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp map 10.0.0.3 172.17.0.9 ip nhrp map multicast 172.17.0.9 ip nhrp network-id 100000 ip nhrp holdtime 360 ip tcp adjust-mss 1360 ip nhrp nhs 10.0.0.3 no ip split-horizon eigrp 1 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.0.0 no auto-summary

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

71

DMVPN Multi-Hub Hub3


Common Subnet Set Hub1 as NHS
interface Tunnel0 bandwidth 1000 ip address 10.0.0.3 255.255.255.0 ip mtu 1400 no ip next-hop-self eigrp 1 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp map 10.0.0.1 172.17.0.1 ip nhrp map multicast 172.17.0.1 ip nhrp network-id 100000 ip nhrp holdtime 360 ip tcp adjust-mss 1360 ip nhrp nhs 10.0.0.1 no ip split-horizon eigrp 1 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.0.0 no auto-summary

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

72

DMVPN Multi-Hub Spoke A


interface Tunnel0 bandwidth 1000 ip address 10.0.0.11 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast 172.17.0.1 ip nhrp map 10.0.0.1 172.17.0.1 ip nhrp network-id 100000 ip nhrp holdtime 360 ip nhrp nhs 10.0.0.1 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.1.0 0.0.0.255 no auto-summary

Hub1 NHRP mappings

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

73

DMVPN Multi-Hub Spoke B


interface Tunnel0 bandwidth 1000 ip address 10.0.0.12 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast 172.17.0.5 ip nhrp map 10.0.0.2 172.17.0.5 ip nhrp network-id 100000 ip nhrp holdtime 360 ip nhrp nhs 10.0.0.2 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.2.0 0.0.0.255 no auto-summary

Hub2 NHRP mappings

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

74

DMVPN Multi-Hub Spoke C


interface Tunnel0 bandwidth 1000 ip address 10.0.0.13 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast 172.17.0.9 ip nhrp map 10.0.0.3 172.17.0.9 ip nhrp network-id 100000 ip nhrp holdtime 360 ip nhrp nhs 10.0.0.3 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.3.0 0.0.0.255 no auto-summary

Hub3 NHRP mappings

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

75

DMVPN Multi-Hub Hub NHRP tables

Hub1

10.0.0.2/32, NBMA addr: 172.17.0.5 (stat, auth, used) 10.0.0.3/32, NBMA addr: 172.17.0.9 (dyn, auth, uniq, reg) 10.0.0.11/32, NBMA addr: 172.16.1.2 (dyn, auth, uniq, reg) 10.0.0.13/32, NBMA addr: 172.16.3.2 (no-socket) (dyn, router) 10.0.0.1/32, NBMA addr: 172.17.0.1 (dyn, auth, uniq, reg) 10.0.0.3/32, NBMA addr: 172.17.0.9 (stat, auth, used) 10.0.0.11/32, NBMA addr: 172.16.1.2 (no-socket) (dyn, router) 10.0.0.12/32, NBMA addr: 172.16.2.2 (dyn, auth, uniq, reg) 10.0.0.1/32, NBMA addr: 172.17.0.1 (stat, auth, used) 10.0.0.2/32, NBMA addr: 172.17.0.5 (dyn, auth, uniq, reg) 10.0.0.11/32, NBMA addr: 172.16.1.2 (no-socket) (dyn, router) 10.0.0.13/32, NBMA addr: 172.16.3.2 (dyn, auth, uniq, reg)

Hub 2

Hub 3

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

76

DMVPN Multi-Hub Spoke NHRP tables

Spoke A

10.0.0.1/32, Tunnel0 created 1d10h, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.1 10.0.0.13/32, Tunnel0 created 00:00:12, expire 00:04:18 Type: dynamic, Flags: router used NBMA address: 172.16.3.2 10.0.0.3/32, Tunnel0 created 1d10h, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.9 10.0.0.11/32, Tunnel0 created 00:00:54, expire 00:03:36 Type: dynamic, Flags: router NBMA address: 172.16.1.2

Spoke C

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

77

DMVPN Multi-Hub Summary


Multi-hub and spoke (redundant DMVPN)
Use to increase the number of spokes in DMVPN cloud Daisy-chain hubs as NHSs of each other

Daisy-chaining
Currently fragilelose one hub and cant create new dynamic spoke-spoke tunnels

Consider setting up smaller regional DMVPN networks interconnected with dedicated high speed physical links
Probably will give better performance then cross-country spoke-spoke dynamic tunnels
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

78

High Concentration Design

BGP IPSec + GRE + NHRP + OSPF/EIGRP Hub 1 Hub 2 Hub 3

Server Load Balancer

SLB will load each hub smoothly. SLB is fine tunable. Dynamic GRE w/ NHRP Dynamic routing on a hub with IGP Dynamic routing to core with BGP

Spoke 1 Spoke 2

Spoke 3

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

79

DMVPN High Concentration Hub Features


Single hub-and-spoke tunnel per spoke Server Load Balancing (SLB) is used to load balance mGRE tunnels (after decryption) between MWAM processors or 7200 router farm If you lose an MWAM processor then SLB will redistribute tunnels to other processors
Loss of traffic until spoke sends next NHRP registration

Routing
Use EIGRP for routing between hub (MWAM) and spoke Use BGP for routing between hubs

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

80

DMVPN High Concentration Hub


CAT6500
VPNSM
VLAN 11 VLAN 10 10.1.0.0

MFSC

MWAM
VLAN 100 10.1.1.0

P h y s i c a l

I n t e r f a c e s

SLB
VIP 172.18.7.32

.2 .3

172.18.7.32 172.18.7.32 172.18.7.32 172.18.7.32 172.18.7.32 172.18.7.32

.1

.1

.4 .5 .6 .7

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

81

DMVPN High Concentration Hub MSFC: SLB Configuration


MWAM Routers
mwam module 2 port 1 allowed-vlan 1,100 mwam module 2 port 2 allowed-vlan 1,100 ... mwam module 2 port 6 allowed-vlan 1,100 ! ip slb probe PING-PROBE ping faildetect 3 ! ip slb serverfarm MWAM-FARM predictor leastconns failaction purge probe PING-PROBE ! real 10.0.0.2 maxconns 750 inservice ... ! real 10.0.0.7 maxconns 750 inservice ! ip slb vserver GRE virtual 172.18.7.32 255.255.255.252 gre serverfarm MWAM-FARM no advertise sticky 17 inservice
82

SLB

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN High Concentration Hub MSFC Configuration


! interface Loopback0 ip address 172.18.7.32 255.255.255.255 ! interface GigabitEthernet7/1 no ip address switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,10,1002-1005 switchport mode trunk ! interface GigabitEthernet7/2 no ip address switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,11,1002-1005 switchport mode trunk vlan 10-11,100 ! interface FastEthernet4/1 no ip address switchport switchport access vlan 11 switchport mode access

...

! interface Vlan10 ip address 10.1.0.1 255.255.255.0 crypto map cm ! interface Vlan11 no ip address crypto connect vlan 10 ! interface Vlan100 ip address 10.1.1.1 255.255.255.0

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

83

DMVPN High Concentration Hub MWAM Routers


Same secondary for spoke neighbor
interface Loopback0 ip address 172.18.7.32 255.255.255.255 ! interface Tunnel0 bandwidth 1000 ip mtu 1400 ip address 10.0.0.1 255.255.0.0 secondary ip address 10.0.0.<x> 255.255.0.0 ! x = 2,3,4,5,6,7 no ip next-hop-self eigrp 1 ip nhrp map multicast dynamic ip nhrp network-id 100000 ip nhrp holdtime 360 no ip split-horizon eigrp 1 delay 1000 ip tcp adjust-mss 1360 tunnel source Loopback0 tunnel mode gre multipoint tunnel key 100000 ! interface GigabitEthernet0/0.100 encapsulation dot1Q 100 ip address 10.1.1.<x> 255.255.255.0 ! router eigrp 1 network 10.0.0.0 0.0.255.255 no auto-summary router bgp 1 bgp router-id 10.0.0.<x> redistribute eigrp 1 neighbor 10.1.1.1 remote-as 1
84

EIGRP and BGP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN High Concentration Hub Spoke


interface Tunnel0 bandwidth 1000 ip address 10.0.0.<z> 255.255.0.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast 172.18.7.32 ip nhrp map 10.0.0.1 172.18.7.32 ip nhrp network-id 100000 ip nhrp holdtime 360 ip nhrp nhs 10.0.0.1 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.255.255 network <local-network> <inverse-mask> no auto-summary

Hub NHRP mappings

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

85

DMVPN High Concentration Hub Summary


Spokes load balanced by SLB over six MWAM processors
Single Hub per Spoke, but dynamically redundant MWAM and VPNSM processors. Use another 6500/7600, VPNSM, MWAM as a second hub

Use as a hub for DMVPN


Uses dynamic crypto-map on VPNSM so it cannot initiate IPsec tunnels

Possibly use as a high bandwidth spoke


Rely on DMVPN initiating spoke-spoke tunnels from both sides
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

86

DMVPN Hub-and-Spoke Hub Throughput


7200, NPE-G1, VAM2, mGRE 350 EIGRP IMIX, 75% CPU 325 OSPF IMIX, 75% CPU 1200 ODR IMIX, 75% CPU 800 EIGRP EMIX, 82% CPU 2 mGRE, 2 VAM2 3576 EIGRP EMIX, ~24% CPU (MSFC, MWAM) CAT6500, VPNSM, MWAM Encrypted (PPS) 27,000 27,000 26,000 45,212 453,000 Encrypted (Mbps) 87.3 87.3 79.3 104.2 1004

EMIX Enterprise Mix


Average packet size 188B(down)/144B(up) (FTP, VoIP, WWW, POP3)

IMIX Internet Mix


Average packet size 344B (7x64B, 4x570B, 1x1400B)
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

87

MANAGEMENT

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

88

Management: A Case Study


Cisco: Enterprise Class Teleworker (ECT) Network What is ECT? ECT is a SOHO Remote Access IOS based VPN solution for enterprise users using the public Internet service while providing additional services (VoIP, QoSS, Multicast) with Security as its primary concern.
Cisco IT

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

89

ECT Technology Overview


ECT
Connectivity
Enterprise Class Teleworker (ECT)
Cisco 83x, 17xx series

Security
Public Key Infrastructure
PKI-AAA Integration Auto Enrolment Multiple Trust Points Secure RSA Private Key

Network Integration
DMVPN
Dynamic Addressing for Spoke-to-Hub On-Demand Spoke-toSpoke Tunnels

Management
Touchless Provisioning (ISC)
Bootstrap PKI Certificates Dynamic Addressing and Call Home Policy Push for IPsec, QoS, Firewall, IDS, NAT, Routing Hub-and-spoke, full and partial mesh topologies

Full Service Branch (FSB)


Cisco 17xx, 26xx, 37xx series

V3PN
QoS VoIP Video Multicast

Enterprise Aggregation
Cisco 37xx, 72xx series

Device and User Authentication


Secure ARP Authentication Proxy/802.1x

Resiliency
Self-Healing and Load Balancing

Service Provider Edge


Cisco 72xx series

Stateful Firewall Intrusion Protection

Ongoing Management (ISC)


Management Tunnel Configuration Change Notification Audit Checks
90

Scalability
Full Mesh up to 1000 Sites

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

ECT Large Scale VPN Management Challenges


Ease of large scale deployment with minimal end-user intervention Distribution of updated configurations and security policies Varying third party provider network connections (cable modem, DSL) Ongoing security monitoring and auditing Automated software update

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

91

ECT Management and Provisioning


Touchless provisioning of routing, IPsec, NAT, QoS, firewall, IDS Bootstrapping and call home
Automatic registration and policy push, no user intervention

Automatic CA enrolment for PKI certificates Dedicated management tunnel facilitates outsourcing of management Per-user or per-group configuration policies Email notification on spoke events: config change, or policy audit violations
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

92

ECT Management Tools Used


ISC IP Solution Center for deploying and managing configurations CNS provide event based management
Intelligence Engine 2100 CNS server CNS Event Gateway and Auto Update Server CNS agent running on IOS in the spoke routers

CA Servers
IOS Certificate Server - bootstrap certificate Production CA Server - certificate for data tunnels

AAA server - RADIUS


SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

93

Cisco IP Solution Center 3.0: Carrier-Class Network and Service Management


Hub-and-spoke, full and partial mesh topologies Design and deploy complex firewall rules Cisco IOS IDS provisioning and tuning Integrated routing OSPF, EIGRP, RIP Automate provisioning of failover and load balancing
Siteto-site VPN Managed firewall Logi Device Customer cal VPN RBAC Remote Access NAT Service Service Invento Inventory Data StoreData Store Relationship Netw DMVPN Managed IDS ry ork Easy VPN
Topo logy Device Abstraction Layer

QoS provisioning NAT configuration deployment PKI-based end-to-end authentication and audit checks
94

Network-based IPsec

IOS Router
SEC-A04

PIX Appliance

VPN 3000

IDS

2004 Cisco Systems, Inc. All rights reserved.

ISC Touchless Provisioning


Home routers are bootstrapped before given to the end-users Permanent management tunnel to provide secured connectivity to management servers to perform
Initial configuration of home router upon call-home Listen to config changes Automatic software update

Separate VPN gateway devices


Management Gateway to terminate management tunnels Data Gateway to tunnel traffic into the corporate network

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

95

Initial Provisioning (Bootstrapping)


Two methods
Bootstrap in the corporate network using ISC Bootstrap remotely using EzSDD (Ez Secure Device Deployment)

Bootstrap in the corporate network requires less end-user intervention EzSDD provides total automatic device deployment without initial bootstrapping home routers in the corporate network

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

96

Corporate Network Bootstrapping Steps


Enterprise orders the router for end-user The following basic configuration is bootstrapped on the router using ISC
IP Connectivity (Cable, PPPoE, etc.) Certificate for authenticating to the management gateway Crypto policy used for the management tunnel CNS Agent configuration to communicate with IE2100 External NTP server configurations

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

97

Deployment in Action
1.
Linux, MAC, MS-Windows PC WLAN/TKIP

Remote routers call home and management tunnel is set up. Management server authenticates remote router using certificate authority and AAA servers. Management server pushes policy including new certificate. Remote router establishes primary data tunnel, access to corporate resources. Secondary tunnel established, stays active for instant failover. When required, remote router establishes direct spoke-tospoke tunnel with other authorized remotes and torn down after use.
98

2.
On-Demand Peer 1. Call Home 6. On-Demand Tunnel

3.

ISP
5. Secondary Tunnel 4. Data Tunnel

4.

3. Management VPN Gateway ISC, IE2100 Certificate Authority, AAA

Policy Push Data VPN Gateway 1

Data VPN Gateway 2 Access to Corporate Resources

5.

2. Authenticate

Internal Network
2004 Cisco Systems, Inc. All rights reserved.

6.

SEC-A04

ECT Ongoing Management


Management tunnel maintained throughout the operations of the router Event-driven notification and regular audit checks used to satisfy security requirements
Attempt to downgrade/upgrade IOS Password recovery Enable/vty password change Modified/disabled CNS Agent

IOS image management via CNS Image Agent

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

99

Summary
DMVPN is used today We have a couple of x00(0) nodes networks deployed Customers are having the SLB Design in production Add spokes without touching the headend Routing for resiliency

Presentation_ID

2004 Cisco Systems, Inc. All rights reserved.

100

IOS CERTIFICATE SERVER

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

101

Cisco IOS Certificate Server


Allows router to be a Certificate Authority Issues certificates for routers via Simple Certificate Enrollment Protocol (SCEP) Not a real CA, just the bare minimum Useful for IPsec VPN
Site-to-site Dynamic Multipoint VPN (DMVPN)

Can be in automatic mode (always grant a certificate to all requests) or manual Storage of certs & crl is either flash, or (T)FTP server Implemented with other security features:
VPN Cisco IOS Firewall
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

102

Deployment Considerations
Cisco IOS Hypertext Transfer Protocol (HTTP) server must be enabled Small deployments use internal HTTP server for revocation database External server is used for certificate revocation list (CRL)
HTTP, Lightweight Directory Access Protocol (LDAP), Online Certificate Status Protocol (OCSP) External revocation server strongly recommended for large deployments

Cert Signing is CPU-intensive


CPU utilization spikes, when enrollment requests are processed

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

103

Cisco IOS Certificate Server Small VPN


Cisco IOS Certificate Server Head end router are configured for Cisco IOS Certificate Server, IPsec VPN Connections, and CRL distribution HTTP must be enabled and exposed to public internet for enrollment and CRL requests Cisco IOS Firewall features may be employed for private network security
Remote Sites

Head End
Certificate Enrollment and VPN Tunnels

Ideal for site-to-site and DMVPN IPsec networks


104

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Cisco IOS Certificate Server Medium/Large VPN


Central Site
Cisco IOS Certificate VPN Router Server/VPN CRL Server

Head end router are configured for Cisco IOS Certificate Server and VPN Connections CRL distribution is carried by external HTTP or LDAP server HTTP must be enabled and exposed to public internet for enrollment and CRL requests Cisco IOS Firewall features may be employed for private network security
105

VPN Tunnels

Certificate Enrollment

Remote Sites

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Configuring Certificate Server /1

crypto pki server MY_SCEP database level names database url disk0: issuer-name cn=Homer Simpson,o=PowerPlant,c=com grant auto % This will cause all certificate requests to be automatically granted. Are you sure you want to do this? [yes/no]: yes cdp-url http://192.168.0.3/disk0/MY_SCEP.crl no shutdown

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

106

Configuring Certificate Server /2


NTP or clock must be configured HTTP server must be enabled If CRL Distribution Point is the router, direct flash access must be enabled
ntp server 192.168.0.47 ip http server ip http path disk0:

Misc info including CA fingerprint:


#show crypto pki ser CA cert fingerprint: 1B42B189 B5984C40 B17292A1 FD70D5DA

Storage media contains:


Directory of disk0:/ 6 -rw53 7 -rw2 8 -rw294 9 -rw51
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

Jun Jun Jun Jun

30 30 30 30

2003 2003 2003 2003

06:38:34 10:46:28 07:29:48 06:44:56

1.cnm MY_SCEP.ser MY_SCEP.crl 2.cnm


107

Configuring IOS Clients

crypto ca trustpoint MY_SCEP enrollment url http://192.168.0.3:80 serial-number subject-name cn=Kwik-E-Mart,o=PowerPlant,c=com auto-enroll 90 crypto ca authenticate MY_SCEP

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

108

Adding Resilience & Scalability CRL Distribution Point, Lifetime,


IOS CS will use FTP to store CRL, to an external web server
crypto pki server MY_SCEP database level names database url ftp://192.168.0.47/public_html/ database username crusty password 0 clown issuer-name cn=Homer Simpson,o=PowerPlant,c=com grant auto lifetime crl 1 lifetime ca-certificate 1825 cdp-url http://192.168.0.47/Springfield/MY_SCEP.crl

FTP server requires some credentials

CDP will be reached by HTTP


SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

109

Enrolling Clients on Certificate Server Without Automatic Grant

#crypto pki server MY_SCEP info requests


Enrollment Request Database: ReqID State Fingerprint SubjectName -------------------------------------------------------------10 pending E5F7D1B235542F9EC7868D9512352CB4 serialNumber=C10ADCA9+ipaddress= 192.168.0.11+hostname=c2651b.cisco.com,cn=2651c,o=PowerPlant,c=com

#crypto pki server MY_SCEP grant 10

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

110

Cisco IOS Certificate Server Summary


VPN deployment
Offers simple solution to deploy IPsec VPN with certificates Relieves expense and workload from configuring full-featured Certification Authority server No multi-vendor finger pointing for support calls Certification Authority server falls into router ops/sec ops instead of server ops group responsibility

Simplifies laboratory VPN testing


Configuration of full-featured Certification Authority for quick lab testing of IPsec VPN features is not necessary

Provides low-cost solution, which is easy to configure and deploy Interoperates with other security and VPN functions in Cisco IOS Software
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

111

SSL vs. IPSec VPN

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

112

Virtual Private Network (VPN) Overview


IP Security (IPSec) and SSL
Mechanism for secure communication over IP
Authenticity (Unforged/trusted party) Integrity (Unaltered/tampered) Confidentiality (Unread)

Remote Access (RA) VPN Components


Client (mobile or fixed) Termination device (high number of endpoints)
VPN Tunnel VPN Concentrator
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

VPN Client or Browser


113

Technical Overview SSL and IPSec


SSL VPN
Connections originated from a web browser Dependent on applet delivery for access to other programs on the PC Granular access control that can limit access to specific web pages or other internal resources IT department may have limited or no control over the remote system, especially in the case of a partner Strong authentication a necessity

IPSec VPN
Tunneled connection, allowing installed system applications to operate same as when in office No browser dependency Access control less granularwide open or limited to certain internal hosts or subnets IT department often maintains complementary applications on PC like Anti-Virus and Personal FW software Strong authentication desirable

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

114

Deployment Considerations Remote Access VPNs: Pros and Cons


SSL VPN
PROS
No manual software deployment Easy network traversal Anywhere access Seamless wireless roaming since session isnt locked to IP

IPSec VPN
PROS
Full Network access Same as office experience Wide application availability

SSL VPN
CONS
Dependency on Active X or Java for non browser-enabled access More limited application availability Browser specific support

IPSec VPN
CONS
Manual software deployment Most appropriate for corporate managed PCs No support for proxy server traversal

BEST OF BOTH WORLDS IS HAVING THE FLEXIBILITY TO CONNECT USERS WITH EITHER IPSEC OR SSL, DEPENDING ON SPECIFIC REQUIREMENTS

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

115

Firewall Traversal
SSL VPN
HTTPS (TCP 443) HTTP (TCP 80) (If HTTP redirection desired)
THE PORTS AND PROTOCOLS LISTED MUST BE OPEN FOR A REMOTE USER TO BE ABLE TO CONNECT SUCCESSFULLY; HTTPS (TCP 443) WILL BE OPEN THROUGH MOST NETWORKS WHILE THE PROTOCOLS REQUIRED FOR IPSEC MAY NOT BE OPEN BY DEFAULT ON A NETWORK THAT OUTBOUND PERFORMS FILTERING
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

IPSec VPN
Standard IPSec
ESP (Protocol 50) IKE (UDP 500)

Standard NAT/PAT Traversal


IKE (UDP 500) ESP over UDP (UDP 4500)

Proprietary TCP Encapsulation


Administrator defined TCP port(s)

116

Understanding Your Remote Users


What applications do they need to access?
Web browsing (including Web-based email) Thick client applications (TCP) Full network access

Where will they be accessing from?


Corporate managed computers Unmanaged computers Kiosks/Public systems

How long will users stay connected?


24x7 or entire business day Limited period of time
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

117

Deployment Example
Using IPSec and SSL VPN to Reach Diverse User Populations
Supply Partner Extranet Account Manager Mobile User IP/Internet VPN Doctor at Home Unmanaged Desktop
IPSEC VPN
ENGINEERMany servers/apps, needs native app formats, VoIP, frequent access, long connect times ACCOUNT MANAGERDiverse apps, homegrown apps, always works from enterprisemanaged desktop
118

Central Site

Software Engineer Telecommuter


SSL VPN
PARTNERFew apps/servers, tight access control, no control over desktop software environment, firewall traversal DOCTOROccasional access, few apps, no desktop software control

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

SSL VPN Client Options


Clientless
Web browser Proxying and/or application translation at concentrator

Thin Client
Port Forwarding via Java/ActiveX Enhanced Client Delivered from concentrator

Thick Client
Persistent Full Tunneling or Nailed Client Delivered from concentrator

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

119

SSL VPN: Proxying


Standard Browser Clientless
Concentrator proxies HTTP(S) over SSL connection Limited to web pages
HTML pages Web-based (webified) applications

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

120

Data Flow URL Mangling


Web Server Web Browse SSL Tunnel Concentrator Web Server HTTP Request Web Server

HTTP Requests
protocol://user:password@host:port/path?query

https://user:password@chost:cport/protocol/flags/host/path?query

http://www.yahoo.com https://1.2.3.4/http/0/www.yahoo.com https://www.abc.com/d/index.html https://1.2.3.4/https/0/www.abc.com/d/index.html http://www.abc.com/x.cgi?a=b https://1.2.3.4/http/0/www.abc.com/x.cgi?a=b http://www.xyz.com:8080 https://1.2.3.4/http/8080/www.xyz.com


SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

121

SSL VPN: Application Translation


Standard Browser Clientless
Concentrator webifies application
Translates (proxies) protocol to HTTP

Requires detailed application knowledge Delivers HTML look-and-feel Expands use to some non-web applications
CIFS (NT and Active Directory file sharing)

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

122

SSL VPN: Port Forwarding


Java/ActiveX Thin or Enhanced Client
Local thin client acts as proxy
Tunnels and forwards application traffic

Delivered via Java/ActiveX from concentrator Some system permissions may be required Maintains native application look-and-feel Works with predictable non-web applications
Generally outbound, TCP-based, with static port(s) Telnet, SMTP, POP3

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

123

Port Forwarding
HTTPS connection to concentrator Client Workstation HOSTS Web Browser Java Applet Protocol connection to remote server Concentrator

Client Program

Remote Server

TCP Connection to local port (127.0.0.x:y)

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

124

Port Forwarding
Local Port Destination Protocol

1100

sun.test.com:22

SSH

1101

sun2.test.com:22

SSH

1102

mail.test.com:110

POP3

1103

mail.test.com:25

SMTP

127.0.0.1:1100; Host File Is Not Modified If Host File Can be Modified: Applet Listens on Server.test.com:22; where server.test.com Is Mapped to 127.0.0.x (x Is Greater than 1, Determined at Run Time)
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

125

SSL VPN: Network Extension


Persistent Thick, Full Tunneling or Nailed Client
Traditional-style client delivered via concentrator Requires administrative privileges Provides access very similar to IPSec
Better accessibility over firewalls and NAT

Lacks the granularity of other SSL mechanisms

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

126

SSL VPN: Client Authentication


SSL requires central site digital certificates Often combined with other user auth. mechanisms
Username and password Tokens Smart cards

Authenticated against
RADIUS LDAP Active Directory (AD)

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

127

SSL VPN: Access Control


User and group authentication Extremely granular
Source and destination IP URL Directory-level

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

128

ACLs
The following ACL allows access to all resources within the company, but denies access to resources outside the company
permit url http://*.company.com permit url https://*.company.com permit url cifs://*.company.com permit url pop3://*.company.com permit url imap4://*.company.com permit url smtp://*.company.com

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

129

Endpoint Control
Determine trust of the end system
Is it a corporate machine?

Assess endpoint security


Does it have virus protection, personal firewall installed?

Endpoint cleanup
Can I remove confidential info?

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

130

Endpoint Security for SSL VPN Sessions


Prevent or restrict SSL VPN access from users under some of the following categories
Restrict access to corporate managed machines Allow access from non-corporate managed machines (i.e. employee home PC), but ensure all content is destroyed on these specific systems after connection is complete Clientless compatible endpoint posture assessmentAV, PFW, running processes, registry items/values

Protect data delivered to systems with suspect complianceany files downloaded, content, or cookie information would not remain on system after connection complete
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

131

Whats Left Behind


The Risk of VPN on Public Systems
Cookies
Usernames and passwords

URL history Page caches


Sensitive corporate data

Downloaded files

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

132

Cisco Acquisition of Twingo Systems


Comprehensive Endpoint Security for SSL VPN
THE TECHNOLOGY: VIRTUAL SECURE DESKTOP Removes sensitive security information (cookies, browser cache/history, e-mail file attachments, etc.) related to an SSL VPN connection at the close of the session; This protects from exploitation of such information for host network or system penetration The Virtual Secure Desktop is transparent to the end user and automatically creates a secure session under Windows 2000 and Windows XP User can still have access to all of the PCs hardware and software resources All applications and processes that run in the Virtual Secure Desktop are controlled The Virtual Secure Desktop creates a cryptographic file system on the fly and nothing is ever written in clear on the disk

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

133

Twingo Features and Benefits


FOR THE END USER Small download size and rapid installation Transparent use, no new UI to learn and get used to Access to all PC Hardware and Software Automatic session and data cleanup FOR THE IT MANAGER User proof
Easy download and install process User is guided into the Twingo Session (one click only) User cannot unintentionally save documents or data to the non-encrypted portion of the disk

TWINGO SECURITY FEATURES Prevents digital leakage Protects against malicious code Protects user privacy Is easy to implement and manage

User experience is greatly customizable


Look and feel Windows and browser settings and all office application templates and settings

Added security features


Automatic time out of Twingo session Easy integration with major authentication mechanisms

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

134

How Twingo Works


Twingo components are installed or updated Installation can be done through either an activeX, a java applet or an executable Total size is less than 500kB No reboot, no specific privilege required Twingo supports four 64-bit block encryption algorithm: DES (56-bit key), triple DES (168-bit key), CAST (128-bit key) and Blowfish (256-bit key) 128-character password is randomly generated

Secure vault is created

Virtual session is created

All processes on the Virtual Secure Desktop are monitored and can be controlled All hard-disk (file or registry) are redirected to the vault

Session is closed Vault is closed

All processes on the Virtual Secure Desktop are killed Secure vault is closed and password is lost At this time, it is not possible to recover any information

Vault is destroyed Byte-to-byte

Sanitization of the vault Implementation of the Department of Defense clearing and sanitizing standard DOD 5220.22-M
135

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

SSL vs. IPSec - Summary


The technologies should be considered complementary. Both have strong features

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

136

Housekeeping
Dont forget to complete your evaluations - you can access them on-line via Schedule Builder! Visit the World of Next Generation Solutions on Level -01! You can collect your session printouts at the
Print Center on Level -01

Please remember this is a No Smoking venue! Please switch off your mobile phones! Please remember to wear your badge at all times including the Party!

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

137

2003, Cisco Systems, Inc. All rights reserved.

138