
CCNA Security

Chapter Eight: Implementing Virtual Private Networks

2009 Cisco Learning Institute.

Lesson Planning
- This lesson should take 3-4 hours to present
- The lesson should include lecture, demonstrations, discussions and assessments
- The lesson can be taught in person or using remote instruction

Major Concepts
- Describe the purpose and operation of VPN types
- Describe the purpose and operation of GRE VPNs
- Describe the components and operations of IPsec VPNs
- Configure and verify a site-to-site IPsec VPN with preshared key authentication using CLI
- Configure and verify a site-to-site IPsec VPN with preshared key authentication using SDM
- Configure and verify a Remote Access VPN

Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe the purpose and operation of VPNs
2. Differentiate between the various types of VPNs
3. Identify the Cisco VPN product line and the security features of these products
4. Configure a site-to-site VPN GRE tunnel
5. Describe the IPsec protocol and its basic functions
6. Differentiate between AH and ESP
7. Describe the IKE protocol and modes
8. Describe the five steps of IPsec operation

Lesson Objectives
9. Describe how to prepare IPsec by ensuring that ACLs are compatible with IPsec
10. Configure IKE policies using the CLI
11. Configure the IPsec transform sets using the CLI
12. Configure the crypto ACLs using the CLI
13. Configure and apply a crypto map using the CLI
14. Describe how to verify and troubleshoot the IPsec configuration
15. Describe how to configure IPsec using SDM
16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in SDM
17. Configure a site-to-site VPN using the step-by-step VPN Wizard in SDM

Lesson Objectives
18. Verify, monitor and troubleshoot VPNs using SDM
19. Describe how an increasing number of organizations are offering telecommuting options to their employees
20. Differentiate between Remote Access IPsec VPN solutions and SSL VPNs
21. Describe how SSL is used to establish a secure VPN connection
22. Describe the Cisco Easy VPN feature
23. Configure a VPN Server using SDM
24. Connect a VPN client using the Cisco VPN Client software

VPNs
- VPN Overview
- VPN Technologies
- VPN Solutions

VPN Overview
- What is a VPN?
- Layer 3 VPNs

What is a VPN?
[Figure: VPN topology. A corporate network behind a firewall connects over the Internet to a business partner with a Cisco router, a SOHO with a Cisco DSL router, a mobile worker with a Cisco VPN Client (running CSA) and a regional branch with a VPN-enabled Cisco ISR router.]

- Virtual: Information within a private network is transported over a public network.
- Private: The traffic is encrypted to keep the data confidential.

Layer 3 VPN
[Figure: Layer 3 VPN technologies between a corporate network and a SOHO with a Cisco DSL router across the Internet.]

- IPsec
- Generic routing encapsulation (GRE)
- Multiprotocol Label Switching (MPLS)

Of these, only IPsec encrypts. GRE and MPLS provide encapsulation and traffic separation, not confidentiality, so they are combined with IPsec when the data must be protected.

VPN Technologies
- Types of VPN Networks
- Site-to-Site VPN
- Remote-Access VPN
- VPN Client Software
- Cisco IOS SSL VPN

Types of VPN Networks


[Figure: Remote-access VPNs (mobile worker with a Cisco VPN Client, SOHO with a Cisco DSL router) and site-to-site VPNs (business partner with a Cisco router, regional branch with a VPN-enabled Cisco ISR router) terminating at the corporate firewall. Inside the corporate network: MARS, IPS, IronPort, web, email and DNS servers, and hosts running CSA.]

Site-to-Site VPN
Hosts send and receive normal TCP/IP traffic through a VPN gateway.

[Figure: Site-to-site VPNs from a business partner with a Cisco router, a SOHO with a Cisco DSL router and a regional branch with a VPN-enabled Cisco ISR router, across the Internet to the corporate firewall and the internal MARS, IPS, IronPort, web, email and DNS servers.]

Remote-Access VPNs
[Figure: Remote-access VPN from a mobile worker with a Cisco VPN Client (running CSA), across the Internet to the corporate firewall; internal MARS, IPS, IronPort, web, email and DNS servers.]

VPN Client Software

[Figure: remote hosts connecting to R1 (R1-vpn-cluster.span.com).]

In a remote-access VPN, each host typically has Cisco VPN Client software.

Cisco IOS SSL VPN


- Provides remote-access connectivity from any Internet-enabled host
- Uses a web browser and SSL encryption
- Delivers two modes of access:
  - Clientless
  - Thin client

VPN Solutions
- Cisco VPN Product Family
- Cisco VPN-Optimized Routers
- Cisco ASA 5500 Series Adaptive Security Appliances
- IPsec Clients
- Hardware Acceleration Modules

Cisco VPN Product Family


Product choice                                   Remote-Access VPN   Site-to-Site VPN
Cisco VPN-Enabled Router                         Secondary role      Primary role
Cisco PIX 500 Series Security Appliances         Secondary role      Primary role
Cisco ASA 5500 Series Adaptive Security Appl.    Primary role        Secondary role
Cisco VPN 3000 Series Concentrators              Primary role        Secondary role
Home Routers                                     Primary role        Secondary role

Cisco VPN-Optimized Routers


[Figure: SOHO, remote office, regional office and main office Cisco routers connected across the Internet.]

VPN features:
- Voice and video enabled VPN (V3PN)
- IPsec stateful failover
- DMVPN
- IPsec and Multiprotocol Label Switching (MPLS) integration
- Cisco Easy VPN

Cisco ASA 5500 Series Adaptive Security Appliances


[Figure: ASA at a central site connecting a remote site, intranet remote users and extranet business-to-business partners across the Internet.]

- Flexible platform
- Resilient clustering
- Cisco IOS SSL VPN
- VPN infrastructure for contemporary applications
- Cisco Easy VPN (automatic Cisco VPN)
- Integrated web-based management

IPSec Clients
- Certicom PDA IPsec VPN Client: a wireless client that is loaded on a PDA
- Cisco VPN Software Client: software loaded on a PC
- Router with Firewall and VPN Client: a network appliance that connects SOHO LANs to the VPN
- Cisco AnyConnect VPN Client: provides remote users with secure VPN connections

Hardware Acceleration Modules


- AIM (Advanced Integration Module)
- Cisco IPsec VPN Shared Port Adapter (SPA)
- Cisco PIX VPN Accelerator Card+ (VAC+)
- Enhanced Scalable Encryption Processing (SEP-E)

GRE VPNs
- Overview
- Encapsulation
- Configuring a GRE Tunnel
- Using GRE

Overview

GRE is a tunneling protocol that encapsulates an original IP packet inside a new IP packet so that it can be carried across an IP network. GRE can carry non-IP and multicast traffic, but it provides no encryption.

Encapsulation
[Figure: an original IP packet (IP header + data) encapsulated with GRE: delivery IP header, GRE header, then the original IP packet unchanged.]

Configuring a GRE Tunnel

1. Create a tunnel interface
2. Assign the tunnel an IP address
3. Identify the source tunnel interface
4. Identify the destination of the tunnel
5. Configure what protocol GRE will encapsulate

    R1(config)# interface tunnel 0
    R1(config-if)# ip address 10.1.1.1 255.255.255.252
    R1(config-if)# tunnel source serial 0/0
    R1(config-if)# tunnel destination 192.168.5.5
    R1(config-if)# tunnel mode gre ip

    R2(config)# interface tunnel 0
    R2(config-if)# ip address 10.1.1.2 255.255.255.252
    R2(config-if)# tunnel source serial 0/0
    R2(config-if)# tunnel destination 192.168.3.3
    R2(config-if)# tunnel mode gre ip

Each router's tunnel destination is the other router's tunnel source address (R1's serial 0/0 is 192.168.3.3, R2's is 192.168.5.5). tunnel mode gre ip is the default mode, so the last command only makes the choice explicit.

Using GRE

Decision flow for user traffic:

- IP only? No: use a GRE tunnel (GRE can carry non-IP protocols).
- IP only? Yes, then ask: Unicast only? No: use a GRE tunnel (GRE can carry multicast and broadcast, such as routing protocol updates).
- Unicast only? Yes: use an IPsec VPN.

GRE does not provide encryption. When non-IP or multicast traffic must also be protected, the usual design is GRE over IPsec: GRE carries the traffic and IPsec encrypts the GRE packets.
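To make the encapsulation and the "no encryption" point concrete, here is an added example (not code from the Cisco lesson) that builds the packet a tunnel interface in tunnel mode gre ip puts on the wire, using the endpoints from the Configuring a GRE Tunnel slides (R1 192.168.3.3, R2 192.168.5.5), and unpacks it again. All packet contents are constructed for the demo.

```python
# Added example (not from the Cisco lesson): build and unpack a GRE-in-IPv4 packet
# the way 'tunnel mode gre ip' does, using the tunnel endpoints from the
# Configuring a GRE Tunnel slides (R1 192.168.3.3, R2 192.168.5.5).  All packet
# contents are constructed for the demo.
import struct
import ipaddress

GRE_PROTO = 47            # IP protocol number of the delivery header
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an encapsulated IPv4 packet


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum as used by the IPv4 header (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, original_packet: bytes) -> bytes:
    """Delivery IP header (proto 47) + 4-byte GRE header + the untouched original packet."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # C/K/S flags and version all zero
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + original_packet)


def gre_decapsulate(wire_packet: bytes) -> bytes:
    """Strip delivery and GRE headers; raise ValueError if this is not IPv4 in GRE in IPv4."""
    ihl = (wire_packet[0] & 0x0F) * 4
    if wire_packet[9] != GRE_PROTO:
        raise ValueError("delivery header does not carry GRE (protocol 47)")
    if ip_checksum(wire_packet[:ihl]) != 0:
        raise ValueError("delivery header checksum is wrong")
    flags, proto_type = struct.unpack("!HH", wire_packet[ihl:ihl + 4])
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % proto_type)
    gre_len = 4
    gre_len += 4 if flags & 0x8000 else 0   # C bit: checksum + reserved1 follow
    gre_len += 4 if flags & 0x2000 else 0   # K bit: key field
    gre_len += 4 if flags & 0x1000 else 0   # S bit: sequence number
    return wire_packet[ihl + gre_len:]


def demo():
    """Tunnel an inner packet from 10.1.1.1 to 10.1.1.2 between R1 and R2 and recover it."""
    inner = build_ipv4("10.1.1.1", "10.1.1.2", 1, b"\x08\x00\x00\x00ping-payload")
    wire = gre_encapsulate("192.168.3.3", "192.168.5.5", inner)
    recovered = gre_decapsulate(wire)
    # GRE adds no confidentiality: the inner addresses and payload are readable on the wire.
    return wire, recovered, (inner in wire)
```

The third value returned by demo() is True: the entire original packet, addresses included, is visible inside the delivery packet, which is exactly what IPsec is added to hide.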

IPSec VPN Components and Operation


- Introducing IPsec
- IPsec Security Protocols
- Internet Key Exchange (IKE)

Introducing IPSec
- IPsec Topology
- IPsec Framework
  - Confidentiality
  - Integrity
  - Authentication
    - Pre-Shared Key
    - RSA Signature
  - Secure Key Exchange

IPSec Topology
[Figure: IPsec topology. A main site with a perimeter router, a legacy Cisco PIX firewall, an ASA at the POP and a legacy concentrator, connected across the Internet to a business partner with a Cisco router, a regional office with a Cisco PIX firewall, a SOHO with a Cisco ISDN/DSL router and a mobile worker with a Cisco VPN Client on a laptop computer.]

- IPsec works at the network layer, protecting and authenticating IP packets.
- It is a framework of open standards which is algorithm-independent.
- It provides data confidentiality, data integrity, and origin authentication.

IPSec Framework

[Figure: the IPsec framework. Each row is a choice: IPsec protocol (AH or ESP), confidentiality algorithm, integrity algorithm, authentication method, and Diffie-Hellman group (the figure shows DH7 among the groups).]

Confidentiality

Encryption algorithms in the IPsec framework, ordered from least secure to most secure:

- DES: key length 56 bits
- 3DES: key length 56 bits, applied 3 times
- AES: key lengths 128, 192 and 256 bits
- SEAL: key length 160 bits

[Figure also lists Diffie-Hellman with DH7.]

DES and 3DES are deprecated today; current practice is AES with a 128-bit or longer key.

Integrity

Hash algorithms in the IPsec framework, ordered from least secure to most secure:

- MD5: 128-bit digest
- SHA-1: 160-bit digest

[Figure also lists Diffie-Hellman with DH7.]

Both are used as HMAC variants in IPsec (HMAC-MD5-96 and HMAC-SHA1-96). MD5 and SHA-1 are now considered weak; prefer SHA-2 (for example SHA-256) where the platform supports it.

Authentication

Peer authentication methods in the IPsec framework:

- Pre-shared key (PSK)
- RSA signature

[Figure also lists Diffie-Hellman with DH7.]

Pre-shared Key (PSK)

At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.

The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.

Because both peers must hold the same secret, the PSK must be long and random and must be distributed out of band; a guessable PSK can be recovered offline by anyone who captures the exchange, especially in aggressive mode.

RSA Signatures

At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm, forming hash_I. hash_I is signed with the local device's private key, creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public key for verifying the signature is included in the digital certificate.

The remote device verifies the digital signature with that public key, which yields hash_I. Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the hash_I recovered from the signature, the local device is authenticated.

After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.

The remote device must also validate the certificate itself (issued by a trusted CA, not expired, not revoked); otherwise any holder of a self-signed certificate could pass this check.

Secure Key Exchange

[Figure: secure key exchange with Diffie-Hellman; the framework figure shows DH7 among the groups. DH groups 1, 2 and 5 also appear in the ISAKMP parameter table later in this lesson.]

IPSec Security Protocols


- IPsec Framework Protocols
- Authentication Header
- ESP
- Function of ESP
- Mode Types

IPSec Framework Protocols


Authentication Header (AH), R1 to R2:
- All data is in plaintext.
- AH provides the following: authentication, integrity.

Encapsulating Security Payload (ESP), R1 to R2:
- Data payload is encrypted.
- ESP provides the following: encryption, authentication, integrity.

AH on its own is rarely deployed: ESP with an authentication transform gives the same integrity and origin authentication for the payload, and ESP also works through NAT, whereas AH does not because AH authenticates the IP header that NAT rewrites.

Authentication Header
1. The IP header and data payload are hashed together with the shared key (IP Header + Data + Key → Hash).
2. The hash builds a new AH header, which is prepended to the original packet (IP HDR | AH | Data, with the authentication data, e.g. 00ABCDEF, carried inside the AH header).
3. The new packet is transmitted across the Internet to the IPsec peer router.
4. The peer router hashes the IP header and data payload with the same key, extracts the transmitted hash and compares: Recomputed Hash (00ABCDEF) = Received Hash (00ABCDEF).

[Figure: R1 hashes and sends; R2 receives, recomputes and compares.]

Mutable IP header fields such as TTL and the header checksum are zeroed before hashing, so normal forwarding does not break the check; any other change to the header or the data does.

ESP

[Figure: ESP's position in the IPsec framework (the framework figure shows Diffie-Hellman with DH7).]

Function of ESP

[Figure: two routers across the Internet. Original packet: IP HDR | Data. After ESP in tunnel mode: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth. The span from the original IP HDR through the ESP Trailer is encrypted; the span from the ESP HDR through the ESP Trailer is authenticated.]

- Provides confidentiality with encryption
- Provides integrity with authentication

Mode Types
Original data prior to selection of IPsec protocol mode:

    IP HDR | Data

Transport mode:

    IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth
        encrypted:     Data + ESP Trailer
        authenticated: ESP HDR through ESP Trailer

Tunnel mode:

    New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth
        encrypted:     IP HDR + Data + ESP Trailer
        authenticated: ESP HDR through ESP Trailer

In transport mode the original IP header stays in the clear and the packet keeps its end-to-end addressing. In tunnel mode the original header, and therefore the inner addressing, is hidden, which is why site-to-site VPNs between gateways use tunnel mode.
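The following added example (not code from the Cisco lesson) shows what the Authentication Header and the tunnel-mode ESP slides describe, byte for byte: AH hashes header plus data and leaves both readable, while tunnel-mode ESP encrypts the whole original packet and authenticates ESP header plus ciphertext, leaving only the new outer header unprotected. AES is not in Python's standard library, so a keystream derived with HMAC-SHA256 in counter mode stands in for the ESP cipher; that stand-in, the keys, the addresses and the payloads are all constructed for the demo.

```python
# Added example (not from the Cisco lesson): what AH and tunnel-mode ESP actually do
# to a packet.  AH authenticates the IP header and data and leaves them readable;
# ESP encrypts the whole original packet and authenticates ESP header + ciphertext,
# leaving the new outer header unprotected.  AES is not in Python's standard
# library, so a keystream from HMAC-SHA256 in counter mode stands in for the ESP
# cipher (a stand-in for the demo, not an IPsec transform).  Keys, addresses and
# payloads are constructed.
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO, ESP_PROTO = 51, 50
ICV_LEN = 12   # HMAC-SHA1-96: first 96 bits of the MAC, as esp-sha-hmac / ah-sha-hmac use


def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero; not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def _immutable_view(ip_hdr: bytes) -> bytes:
    """Zero TTL and header checksum before hashing: routers change them in transit.
    (RFC 4302 also treats DSCP/ECN/flags/fragment offset as mutable; omitted here.)"""
    return ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]


def ah_protect(src, dst, data, key, next_hdr=1, spi=0x1001, seq=1) -> bytes:
    """AH slide steps 1-2: hash (header + AH + data) with the key, prepend the AH header."""
    hdr = ip_header(src, dst, AH_PROTO, 12 + ICV_LEN + len(data))
    ah_fixed = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)   # payload len 4 = (24/4)-2
    icv = hmac.new(key, _immutable_view(hdr) + ah_fixed + bytes(ICV_LEN) + data,
                   hashlib.sha1).digest()[:ICV_LEN]
    return hdr + ah_fixed + icv + data


def ah_verify(packet: bytes, key: bytes) -> bool:
    """AH slide step 4: recompute the hash and compare it with the transmitted one."""
    hdr, ah_fixed, icv, data = packet[:20], packet[20:32], packet[32:44], packet[44:]
    expected = hmac.new(key, _immutable_view(hdr) + ah_fixed + bytes(ICV_LEN) + data,
                        hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def _keystream(key: bytes, spi_seq: bytes, length: int) -> bytes:
    """Cipher stand-in.  SPI||sequence number is the nonce, which is why an IPsec SA
    must be rekeyed before the sequence number wraps: a repeated nonce repeats keystream."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, spi_seq + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def esp_tunnel_protect(inner_packet, outer_src, outer_dst, enc_key, auth_key,
                       spi=0x2002, seq=1) -> bytes:
    """Tunnel mode: New IP HDR | ESP HDR | enc(IP HDR | Data | ESP Trailer) | ESP Auth."""
    pad_len = (-(len(inner_packet) + 2)) % 4                      # 4-byte alignment
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # pad | pad len | next hdr 4 = IPv4
    plaintext = inner_packet + trailer
    esp_hdr = struct.pack("!II", spi, seq)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, esp_hdr, len(plaintext))))
    icv = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    body = esp_hdr + ciphertext + icv
    return ip_header(outer_src, outer_dst, ESP_PROTO, len(body)) + body


def esp_tunnel_unprotect(packet: bytes, enc_key: bytes, auth_key: bytes) -> bytes:
    """Check the ICV before decrypting (encrypt-then-MAC), then strip the trailer."""
    if packet[9] != ESP_PROTO:
        raise ValueError("outer header is not ESP (protocol 50)")
    esp_hdr, rest = packet[20:28], packet[28:]
    ciphertext, icv = rest[:-ICV_LEN], rest[-ICV_LEN:]
    expected = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed: packet modified or wrong key")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, esp_hdr, len(ciphertext))))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != 4:
        raise ValueError("unexpected next header %d" % next_hdr)
    return plaintext[:-(pad_len + 2)]


def demo():
    """Host A 10.0.1.3 -> Host B 10.0.2.3 through R1 (172.30.1.2) and R2 (172.30.2.2)."""
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    data = b"\x08\x00" + b"ping-data!"                      # constructed ICMP-like payload
    inner = ip_header("10.0.1.3", "10.0.2.3", 1, len(data)) + data
    esp_wire = esp_tunnel_protect(inner, "172.30.1.2", "172.30.2.2", enc_key, auth_key)
    ah_wire = ah_protect("10.0.1.3", "10.0.2.3", data, auth_key)
    return inner, esp_wire, ah_wire
```

Two things worth trying with this code: decrementing the TTL of the AH packet still verifies (the field is mutable), while changing the source address or a payload byte does not; and flipping any ciphertext byte of the ESP packet is rejected before decryption is even attempted.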

Internet Key Exchange (IKE)


- Security Associations
- IKE Phases
- IKE Phase 1 Three Exchanges
- IKE Phase 1 Aggressive Mode
- IKE Phase 2

Security Associations

The IPsec security association (SA) parameters (protocol, algorithms, keys, SPI and lifetime) are negotiated using IKE. An SA is unidirectional, so a protected conversation between two peers needs one SA in each direction.

IKE Phases
Host A (10.0.1.3) sits behind R1; Host B (10.0.2.3) sits behind R2.

IKE Phase 1 exchange (R1 and R2):
1. Negotiate IKE policy sets (R1: Policy 10 DES MD5 pre-share DH1 lifetime; R2: Policy 15 DES MD5 pre-share DH1 lifetime)
2. DH key exchange
3. Verify the peer identity

IKE Phase 2 exchange (R1 and R2):
- Negotiate IPsec policy

IKE Phase 1 First Exchange


Negotiate IKE proposals between R1 and R2.

IKE policy sets on R1 (Host A, 10.0.1.3):
- Policy 10: DES, MD5, pre-share, DH1, lifetime
- Policy 20: 3DES, SHA, pre-share, DH1, lifetime

IKE policy sets on R2 (Host B, 10.0.2.3):
- Policy 15: DES, MD5, pre-share, DH1, lifetime

The first exchange negotiates matching IKE policies to protect the IKE exchange. Here R1's Policy 10 matches R2's Policy 15; the policy numbers do not have to be equal, only the parameters.

IKE Phase 1 Second Exchange


Establish the DH key.

Alice: private value XA, public value YA = g^XA mod p
Bob:   private value XB, public value YB = g^XB mod p

Alice sends YA to Bob; Bob sends YB to Alice.

Alice computes (YB)^XA mod p = K
Bob computes   (YA)^XB mod p = K

A DH exchange is performed to establish keying material. Only the public values cross the network; an observer who sees YA and YB cannot feasibly compute K without XA or XB. DH alone does not tell Alice who Bob is, which is what the third exchange adds.

IKE Phase 1 Third Exchange


Authenticate the peer.

[Figure: remote office to corporate office HR servers across the Internet; peer authentication between the two gateways.]

Peer authentication methods:
- PSKs
- RSA signatures
- RSA encrypted nonces

A bidirectional IKE SA is now established.
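The second and third exchanges above, run end to end in an added example (not code from the Cisco lesson): two peers R1 and R2 perform the Diffie-Hellman step, then each proves knowledge of the pre-shared key with the hash_I / hash_R construction of the Pre-shared Key slide. The DH modulus is a small toy prime so the demo runs instantly, not one of the MODP groups behind the IOS group keyword; the PRF and the hash layout are a labelled simplification of RFC 2409; the PSKs and identities are constructed.

```python
# Added example (not from the Cisco lesson): the second and third IKE Phase 1
# exchanges run end to end for two peers, R1 and R2, that authenticate with a
# pre-shared key.  The DH modulus is a small toy prime so the demo runs instantly;
# real IKE uses the MODP groups behind the IOS 'group' keyword (and groups 1 and 2
# are too small to rely on today).  The PRF, identities and hash layout are a
# simplification of RFC 2409's HASH_I / HASH_R, labelled as such.
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime): NOT an IKE Diffie-Hellman group
G = 3            # not 2: 2^127 = 1 mod P, so 2 has order 127 and would give only 127 keys


def dh_public(x: int) -> int:
    """Y = g^X mod p (the value that is sent; X never leaves the device)."""
    return pow(G, x, P)


def dh_shared(peer_public: int, x: int) -> int:
    """K = Y_peer^X mod p.  Reject 0, 1 and p-1: they force K into a tiny set."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_public, x, P)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def skeyid_psk(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """RFC 2409 with pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, nonce_i + nonce_r)


def auth_hash(skeyid: bytes, own_pub: int, peer_pub: int, identity: bytes) -> bytes:
    """Simplified HASH_I / HASH_R: prf(SKEYID, own Y | peer Y | own identity).
    Including both DH values binds the authentication to this exchange."""
    return prf(skeyid, own_pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big") + identity)


def ike_phase1(psk_r1: bytes, psk_r2: bytes, id_r1=b"172.30.1.2", id_r2=b"172.30.2.2"):
    """Return (both peers authenticated?, R1's K, R2's K)."""
    # Second exchange: DH public values cross the network, private values do not
    x1, x2 = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    y1, y2 = dh_public(x1), dh_public(x2)
    k1, k2 = dh_shared(y2, x1), dh_shared(y1, x2)
    n1, n2 = secrets.token_bytes(16), secrets.token_bytes(16)
    # Third exchange: each side derives SKEYID from the PSK *it* has configured
    sk1, sk2 = skeyid_psk(psk_r1, n1, n2), skeyid_psk(psk_r2, n1, n2)
    hash_i = auth_hash(sk1, y1, y2, id_r1)   # R1 -> R2 (hash_I on the PSK slide)
    hash_r = auth_hash(sk2, y2, y1, id_r2)   # R2 -> R1 (hash_R)
    r2_accepts_r1 = hmac.compare_digest(hash_i, auth_hash(sk2, y1, y2, id_r1))
    r1_accepts_r2 = hmac.compare_digest(hash_r, auth_hash(sk1, y2, y1, id_r2))
    return r1_accepts_r2 and r2_accepts_r1, k1, k2
```

With matching PSKs both sides end up with the same K and both hashes verify. With mismatched PSKs (the classic misconfiguration) the DH step still produces an identical K on both sides, because DH does not involve the PSK at all; only the third exchange fails, which is why a PSK typo shows up as an authentication failure rather than a key-exchange error.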

IKE Phase 1 Aggressive Mode


Host A (10.0.1.3) sits behind R1; Host B (10.0.2.3) sits behind R2. R1 has Policy 10 (DES MD5 pre-share DH1 lifetime); R2 has Policy 15 (DES MD5 pre-share DH1 lifetime).

IKE Phase 1 aggressive mode exchange:
1. R1 sends its IKE policy set and R1's DH public value.
2. R2 confirms the IKE policy set, calculates the shared secret and sends R2's DH public value.
3. R1 calculates the shared secret, verifies the peer identity and confirms with the peer.
4. R2 authenticates the peer and begins Phase 2.

IKE Phase 2 exchange:
- Negotiate IPsec policy

Aggressive mode completes in three messages instead of main mode's six, but the identities and, with PSK authentication, the authentication hash are sent before any encryption is in place, so a captured exchange allows an offline dictionary attack on the PSK. Prefer main mode unless aggressive mode is required, for example for peers with dynamic addresses that identify themselves by hostname.

IKE Phase 2

Host A (10.0.1.3) sits behind R1; Host B (10.0.2.3) sits behind R2. R1 and R2 negotiate the IPsec security parameters.

IKE negotiates matching IPsec policies. Upon completion, unidirectional IPsec Security Associations (SAs) are established for each protocol and algorithm combination: one inbound and one outbound SA per peer pair, each identified by its own SPI.

Implementing Site-to-Site IPSec VPNs


- Configuring Site-to-Site IPsec VPNs
- Task 1: Configure Compatible ACLs
- Task 2: Configure IKE
- Task 3: Configure the Transform Set
- Task 4: Configure the Crypto ACLs
- Task 5: Apply the Crypto Map
- Verify and Troubleshoot the IPsec Configuration

Configuring Site-to-Site IPSec VPN


- IPsec VPN Negotiation
- Summary of Tasks

IPSec VPN Negotiation


Host A (10.0.1.3) sits behind R1; Host B (10.0.2.3) sits behind R2.

1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session (IKE SA).
3. R1 and R2 negotiate an IKE Phase 2 session (IPsec SA).
4. Information is exchanged via the IPsec tunnel.
5. The IPsec tunnel is terminated (the SAs expire or are deleted).

Summary of Tasks

Tasks to configure IPsec:

- Task 1: Ensure that ACLs are compatible with IPsec.
- Task 2: Create ISAKMP (IKE) policy.
- Task 3: Configure IPsec transform set.
- Task 4: Create a crypto ACL.
- Task 5: Create and apply the crypto map.

Task 1 Configure Compatible ACLs


- Overview
- Permitting Traffic

Overview
Site 1: 10.0.1.0/24, host 10.0.1.3, R1 (S0/0/0 172.30.1.2). Site 2: 10.0.2.0/24, host 10.0.2.3, R2 (S0/0/0 172.30.2.2). AH, ESP and IKE traffic flows between R1 and R2 across the Internet.

Ensure that protocol 50 (ESP), protocol 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec. If either peer is behind NAT, IKE and ESP are carried in UDP port 4500 (NAT traversal), which must then be permitted as well.

Permitting Traffic
Site 1: 10.0.1.0/24, host 10.0.1.3, R1 (S0/0/0 172.30.1.2). Site 2: 10.0.2.0/24, host 10.0.2.3, R2 (S0/0/0 172.30.2.2).

    R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
    R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
    R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
    R1(config)# interface Serial0/0/0
    R1(config-if)# ip address 172.30.1.2 255.255.255.0
    R1(config-if)# ip access-group 102 in
    R1(config-if)# exit
    R1(config)# exit
    R1# show access-lists
    access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
    access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
    access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp

The entries are written from R2's public address to R1's because the ACL is applied inbound on R1. Every IOS ACL ends with an implicit deny, so in a real deployment ACL 102 must also permit whatever other inbound traffic the interface is expected to accept; R2 needs the mirror-image entries on its own S0/0/0.

Task 2 Configure IKE


- Overview
- ISAKMP Parameters
- Multiple Policies
- Policy Negotiations
- Crypto ISAKMP Key
- Sample Configuration

Overview
Site 1 (10.0.1.0/24, host 10.0.1.3, R1) and Site 2 (10.0.2.0/24, host 10.0.2.3, R2) are connected by a tunnel across the Internet. Policy 110: DES, MD5, pre-share, 86400, DH1.

    router(config)# crypto isakmp policy priority

Defines the parameters within the IKE policy. A lower priority number is tried first.

    R1(config)# crypto isakmp policy 110
    R1(config-isakmp)# authentication pre-share
    R1(config-isakmp)# encryption des
    R1(config-isakmp)# group 1
    R1(config-isakmp)# hash md5
    R1(config-isakmp)# lifetime 86400

ISAKMP Parameters
Parameter       Keyword     Accepted values                     Default   Description
encryption      des         56-bit Data Encryption Standard     des       Message encryption algorithm
                3des        Triple DES
                aes         128-bit AES
                aes 192     192-bit AES
                aes 256     256-bit AES
hash            sha         SHA-1 (HMAC variant)                sha       Message integrity (hash) algorithm
                md5         MD5 (HMAC variant)
authentication  pre-share   preshared keys                      rsa-sig   Peer authentication method
                rsa-encr    RSA encrypted nonces
                rsa-sig     RSA signatures
group           1           768-bit Diffie-Hellman (DH)         1         Key exchange parameters (DH group identifier)
                2           1024-bit DH
                5           1536-bit DH
lifetime        seconds     Can specify any number of seconds   86,400    ISAKMP-established SA lifetime
                                                                (one day)

The defaults (DES, SHA-1, RSA signatures, DH group 1, one day) are what IOS uses for any parameter you do not set. DES and DH groups 1 and 2 are no longer considered adequate, so set the encryption and group explicitly rather than relying on the defaults.

Multiple Policies
Site 1 (10.0.1.0/24, host 10.0.1.3, R1) and Site 2 (10.0.2.0/24, host 10.0.2.3, R2) across the Internet.

    R1(config)#
    crypto isakmp policy 100
     hash md5
     authentication pre-share
    !
    crypto isakmp policy 200
     hash sha
     authentication rsa-sig
    !
    crypto isakmp policy 300
     hash md5
     authentication pre-share

    R2(config)#
    crypto isakmp policy 100
     hash md5
     authentication pre-share
    !
    crypto isakmp policy 200
     hash sha
     authentication rsa-sig
    !
    crypto isakmp policy 300
     hash md5
     authentication rsa-sig

Policies 100 and 200 match on both routers (the unset parameters take the same defaults); policy 300 does not, because the authentication methods differ. Negotiation tries the initiator's policies in priority order, so policy 100 is used.

Policy Negotiations
R1 attempts to establish a VPN tunnel with R2 and sends its IKE policy parameters.

Site 1 (10.0.1.0/24, host 10.0.1.3, R1) and Site 2 (10.0.2.0/24, host 10.0.2.3, R2) are connected by a tunnel across the Internet. R1 offers Policy 110: pre-share, 3DES, SHA, DH2, 43200.

R2 must have an ISAKMP policy configured with the same parameters (the policy number itself does not need to match).

    R1(config)# crypto isakmp policy 110
    R1(config-isakmp)# authentication pre-share
    R1(config-isakmp)# encryption 3des
    R1(config-isakmp)# group 2
    R1(config-isakmp)# hash sha
    R1(config-isakmp)# lifetime 43200

    R2(config)# crypto isakmp policy 100
    R2(config-isakmp)# authentication pre-share
    R2(config-isakmp)# encryption 3des
    R2(config-isakmp)# group 2
    R2(config-isakmp)# hash sha
    R2(config-isakmp)# lifetime 43200
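The policy matching described on the Multiple Policies and Policy Negotiations slides, as an added example (not code from the Cisco lesson or from IOS): it parses crypto isakmp policy fragments like those on the Multiple Policies slide, fills in the IOS defaults from the ISAKMP Parameters table, and reports which policy pair Phase 1 would agree on. The matching rule follows the Cisco IOS crypto isakmp policy documentation: encryption, hash, authentication and DH group must be identical, the remote lifetime must be less than or equal to the local one, and the shorter lifetime is used. The configuration text below is constructed from the slides.

```python
# Added example (not from the Cisco lesson or IOS): parse the 'crypto isakmp policy'
# fragments from the Multiple Policies and Policy Negotiations slides, fill in the
# IOS defaults, and work out which policy pair IKE Phase 1 would agree on.
# Matching rule, from the Cisco IOS crypto isakmp policy documentation: encryption,
# hash, authentication and DH group must be identical; the remote peer's lifetime
# must be less than or equal to the local one, and the shorter lifetime is used.
# Policy numbers only express priority (lowest first) and need not match.
import re

DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
COMPARED = ("encryption", "hash", "authentication", "group")

# Constructed from the Multiple Policies slide (prompts removed)
R1_CONFIG = """
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication pre-share
"""
R2_CONFIG = """
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication rsa-sig
"""


def parse_isakmp_policies(config: str) -> dict:
    """Return {priority: {parameter: value}}, unset parameters filled with IOS defaults."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)
            continue
        m = re.match(r"(encryption|hash|authentication|group|lifetime)\s+(\S.*)$", line)
        if m and current is not None:
            policies[current][m.group(1)] = m.group(2).strip()
    return policies


def negotiate(initiator: dict, responder: dict):
    """Offer the initiator's policies lowest number first; the responder checks each
    against its own list in priority order.  Returns (init_prio, resp_prio, agreed)
    or None when nothing matches (the 'SA not acceptable' case in debug crypto isakmp)."""
    for ip in sorted(initiator):
        offer = initiator[ip]
        for rp in sorted(responder):
            own = responder[rp]
            if all(offer[k] == own[k] for k in COMPARED) and int(offer["lifetime"]) <= int(own["lifetime"]):
                return ip, rp, dict(own, lifetime=offer["lifetime"])
    return None


def demo():
    """Multiple Policies slide: expect R1 policy 100 to pair with R2 policy 100."""
    return negotiate(parse_isakmp_policies(R1_CONFIG), parse_isakmp_policies(R2_CONFIG))
```

Running demo() returns policy 100 on both sides; removing policies 100 and 200 leaves only the two 300s, which differ in authentication method and therefore never match, which is the situation the debug crypto isakmp slide later in this lesson shows.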

Crypto ISAKMP Key


    router(config)# crypto isakmp key keystring address peer-address
    router(config)# crypto isakmp key keystring hostname hostname

Parameter      Description
keystring      Specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers.
peer-address   Specifies the IP address of the remote peer.
hostname       Specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com).

Either the peer address or the peer hostname can be used, but the choice must be consistent between peers. If the peer hostname is used, then the crypto isakmp identity hostname command must also be configured.

The PSK is stored in the running configuration, so protect it like any other credential: use a long, randomly generated value rather than a dictionary word, and do not reuse the same key with different peers.

Sample Configuration
Site 1 (10.0.1.0/24, host 10.0.1.3, R1) and Site 2 (10.0.2.0/24, host 10.0.2.3, R2) across the Internet.

    R1(config)# crypto isakmp policy 110
    R1(config-isakmp)# authentication pre-share
    R1(config-isakmp)# encryption 3des
    R1(config-isakmp)# group 2
    R1(config-isakmp)# hash sha
    R1(config-isakmp)# lifetime 43200
    R1(config-isakmp)# exit
    R1(config)# crypto isakmp key cisco123 address 172.30.2.2

    R2(config)# crypto isakmp policy 110
    R2(config-isakmp)# authentication pre-share
    R2(config-isakmp)# encryption 3des
    R2(config-isakmp)# group 2
    R2(config-isakmp)# hash sha
    R2(config-isakmp)# lifetime 43200
    R2(config-isakmp)# exit
    R2(config)# crypto isakmp key cisco123 address 172.30.1.2

Note:
- The keystring cisco123 matches on both peers (a classroom value; use a strong random key in production).
- The address identity method is specified, and each router names the other's S0/0/0 address.
- The ISAKMP policies are compatible.
- Default values do not have to be configured.

Task 3 Configure the Transform Set


- Overview
- Transform Sets
- Sample Configuration

Overview
    router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3]

crypto ipsec transform-set parameters:

Parameter                           Description
transform-set-name                  Specifies the name of the transform set to create (or modify).
transform1, transform2, transform3  Type of transform set. You may specify up to four transforms: one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication, and one IP compression (comp-lzs). These transforms define the IPsec security protocols and algorithms.

A transform set is a combination of IPsec transforms that enact a security policy for traffic.

Transform Sets
Host A (10.0.1.3) behind R1 (172.30.1.2); Host B (10.0.2.3) behind R2 (172.30.2.2), across the Internet.

R1 transform sets (offered in order):
- transform-set ALPHA: esp-3des, tunnel
- transform-set BETA: esp-des, esp-md5-hmac, tunnel
- transform-set CHARLIE: esp-3des, esp-sha-hmac, tunnel

R2 transform sets (compared in order):
- transform-set RED: esp-des, tunnel
- transform-set BLUE: esp-des, ah-sha-hmac, tunnel
- transform-set YELLOW: esp-3des, esp-sha-hmac, tunnel

Transform sets are negotiated during IKE Phase 2. Each of R1's sets is compared against each of R2's sets in turn (ALPHA against RED, BLUE and YELLOW; BETA against RED, BLUE and YELLOW; CHARLIE against RED, BLUE and YELLOW); the 9th attempt found matching transform sets (CHARLIE - YELLOW).

Sample Configuration
Site 1 (host 10.0.1.3) behind R1 (172.30.1.2); Site 2 (host 10.0.2.3) behind R2 (172.30.2.2), across the Internet.

    R1(config)# crypto isakmp key cisco123 address 172.30.2.2
    R1(config)# crypto ipsec transform-set MYSET esp-aes 128
    R1(cfg-crypto-trans)# exit
    R1(config)#

    R2(config)# crypto isakmp key cisco123 address 172.30.1.2
    R2(config)# crypto ipsec transform-set OTHERSET esp-aes 128
    R2(cfg-crypto-trans)# exit

Note: Peers must share the same transform set settings. Names are only locally significant.

These sets specify encryption only (esp-aes 128) with no ESP authentication transform, so the payload is not integrity-protected. In practice add esp-sha-hmac; the show crypto ipsec transform-set output later in this lesson shows such a set (AES_SHA).

Task 4 Configure the Crypto ACLs


- Overview
- Command Syntax
- Symmetric Crypto ACLs

Overview
[Figure: Host A behind R1 facing the Internet. Outbound traffic: permit entries are encrypted; deny entries bypass IPsec and are sent in plaintext. Inbound traffic: protected traffic is permitted; plaintext traffic that matches a permit entry is discarded.]

- Outbound, the crypto ACL indicates the data flow to be protected by IPsec.
- Inbound, the crypto ACL filters and discards traffic that should have been protected by IPsec but arrived in plaintext.

Command Syntax
Site 1: 10.0.1.0/24, host 10.0.1.3, R1 (S0/0/0 172.30.1.2). Site 2: 10.0.2.0/24, host 10.0.2.3, R2 (S0/0/0 172.30.2.2).

    router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

access-list parameters:

Parameter               Description
permit                  Causes all IP traffic that matches the specified conditions to be protected by cryptography, using the policy described by the corresponding crypto map entry.
deny                    Instructs the router to route traffic in plaintext.
protocol                Specifies which traffic to protect by cryptography based on the protocol, such as TCP, UDP, or ICMP. If the protocol is IP, then all IP traffic that matches that permit statement is encrypted.
source and destination  If the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, then the traffic between the specified source and destination is sent in plaintext.

Avoid the any keyword in a crypto ACL: permit ip any any makes the router try to protect all traffic, including traffic the peer cannot accept, so name the specific networks instead.

Symmetric Crypto ACLs


Site 1: 10.0.1.0/24, host 10.0.1.3, R1 (S0/0/0 172.30.1.2). Site 2: 10.0.2.0/24, host 10.0.2.3, R2 (S0/0/0 172.30.2.2).

Applied to R1 S0/0/0 outbound traffic:

    R1(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

(when evaluating inbound traffic: source 10.0.2.0, destination 10.0.1.0)

Applied to R2 S0/0/0 outbound traffic:

    R2(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

(when evaluating inbound traffic: source 10.0.1.0, destination 10.0.2.0)

The two crypto ACLs must be mirror images: the source and destination of each permit entry on R1 are swapped on R2. The ACL numbers (110 and 101) are locally significant and do not need to match.
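A pre-flight check for the two ACL requirements this lesson sets out, as an added example (not code from the Cisco lesson or from SDM): the crypto ACLs on R1 and R2 must be mirror images (this slide), and the inbound interface ACL on each peer must let ESP, AH and UDP/500 through from the other peer (Task 1, Permitting Traffic). The configuration fragments are constructed from the slides; only the numbered extended ACL syntax used there is parsed, and the broken variants (R2 without the ESP entry, R2 with a wider crypto ACL) are constructed to show the failures.

```python
# Added example (not from the Cisco lesson or SDM): a pre-flight check for the two ACL
# requirements this lesson sets out for a site-to-site pair.  Crypto ACLs on R1 and
# R2 must be mirror images (Symmetric Crypto ACLs), and the inbound interface ACL on
# each peer must let ESP (50), AH (51) and UDP/500 through from the other peer
# (Task 1, Permitting Traffic).  Config fragments below are constructed from the
# slides; only numbered extended ACL syntax as used there is parsed.
import ipaddress

R1_CONFIG = """
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
"""
R2_CONFIG = """
access-list 102 permit ahp host 172.30.1.2 host 172.30.2.2
access-list 102 permit esp host 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
"""
# Constructed broken variants: R2 forgot ESP, and R2 widened its crypto ACL to all IP
R2_NO_ESP = R2_CONFIG.replace("access-list 102 permit esp host 172.30.1.2 host 172.30.2.2\n", "")
R2_WIDER = R2_CONFIG.replace("permit tcp 10.0.2.0", "permit ip 10.0.2.0")


def _addr(tokens: list):
    """Consume one address spec: 'host A', 'any', or 'A WILDCARD' (wildcard = inverse mask)."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":               # ipaddress would read 0.0.0.0 as a /0 netmask
        return ipaddress.ip_network(t + "/32")
    return ipaddress.ip_network(t + "/" + wildcard)   # ipaddress accepts host masks


def parse_ace(line: str):
    """Parse one numbered extended ACE; None for lines that are not ACEs."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        return None
    rest = tokens[4:]
    src, dst = _addr(rest), _addr(rest)
    port = rest[1] if rest[:1] == ["eq"] else None
    if port == "500":
        port = "isakmp"                       # IOS shows the well-known name
    return {"acl": int(tokens[1]), "action": tokens[2], "proto": tokens[3],
            "src": src, "dst": dst, "port": port}


def acl(config: str, number: int) -> list:
    return [a for a in map(parse_ace, config.splitlines()) if a and a["acl"] == number]


def crypto_acls_are_mirrors(acl_a: list, acl_b: list) -> bool:
    """Every permit (proto, src, dst) on one side must appear as (proto, dst, src) on the other."""
    permits_a = {(a["proto"], a["src"], a["dst"]) for a in acl_a if a["action"] == "permit"}
    mirrored_b = {(b["proto"], b["dst"], b["src"]) for b in acl_b if b["action"] == "permit"}
    return bool(permits_a) and permits_a == mirrored_b


def _first_match(interface_acl: list, proto: str, src_ip, dst_ip, port=None) -> str:
    """First-match evaluation with the implicit deny every IOS ACL ends with."""
    for a in interface_acl:
        if a["proto"] not in (proto, "ip"):
            continue
        if src_ip not in a["src"] or dst_ip not in a["dst"]:
            continue
        if a["port"] not in (None, port):
            continue
        return a["action"]
    return "deny"


def ipsec_control_plane_permitted(interface_acl: list, peer: str, local: str) -> bool:
    """Does this inbound ACL let ESP, AH and ISAKMP (UDP 500) from the peer reach us?
    (NAT traversal would also need UDP 4500; not part of the lesson's checklist.)"""
    peer_ip, local_ip = ipaddress.ip_address(peer), ipaddress.ip_address(local)
    needed = [("esp", None), ("ahp", None), ("udp", "isakmp")]
    return all(_first_match(interface_acl, p, peer_ip, local_ip, port) == "permit"
               for p, port in needed)


def preflight(r1_cfg, r2_cfg, r1_crypto, r2_crypto, r1_if=102, r2_if=102,
              r1_addr="172.30.1.2", r2_addr="172.30.2.2") -> dict:
    """Run both checks for the R1/R2 pair from the slides; every value should be True."""
    return {
        "crypto_acls_mirror": crypto_acls_are_mirrors(acl(r1_cfg, r1_crypto), acl(r2_cfg, r2_crypto)),
        "r1_permits_peer": ipsec_control_plane_permitted(acl(r1_cfg, r1_if), r2_addr, r1_addr),
        "r2_permits_peer": ipsec_control_plane_permitted(acl(r2_cfg, r2_if), r1_addr, r2_addr),
    }
```

preflight(R1_CONFIG, R2_CONFIG, 110, 101) reports all three checks True. The same call with R2_NO_ESP flags R2's interface ACL, and with R2_WIDER flags the crypto ACLs, the two mistakes that most often show up as a tunnel that negotiates Phase 1 but never passes traffic in both directions.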

Task 5 Apply the Crypto Map


- Overview
- Crypto Map Command
- Crypto Map Configuration Mode Commands
- Sample Configuration
- Assign the Crypto Map Set

Overview
Site 1 (host 10.0.1.3) behind R1 and Site 2 (host 10.0.2.3) behind R2 exchange encrypted traffic across the Internet. The crypto map is applied to a router interface or subinterface.

Crypto maps define the following:
- ACL to be used
- Remote VPN peers
- Transform set to be used
- Key management method
- SA lifetimes

Crypto Map Command


    router(config)# crypto map map-name seq-num ipsec-manual
    router(config)# crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]

crypto map parameters:

Parameter          Description
map-name           Defines the name assigned to the crypto map set or indicates the name of the crypto map to edit.
seq-num            The number assigned to the crypto map entry.
ipsec-manual       Indicates that ISAKMP will not be used to establish the IPsec SAs.
ipsec-isakmp       Indicates that ISAKMP will be used to establish the IPsec SAs.
cisco              (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic.
dynamic            (Optional) Specifies that this crypto map entry references a preexisting dynamic crypto map. If this keyword is used, none of the crypto map configuration commands are available.
dynamic-map-name   (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.

Crypto Map Configuration Mode Commands


Command                                  Description
set                                      Used with the peer, pfs, transform-set, and security-association commands.
peer [hostname | ip-address]             Specifies the allowed IPsec peer by IP address or hostname.
pfs [group1 | group2]                    Specifies DH Group 1 or Group 2 for perfect forward secrecy.
transform-set [set_name(s)]              Specifies a list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified.
security-association lifetime            Sets SA lifetime parameters in seconds or kilobytes.
match address [access-list-id | name]    Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP extended ACL.
no                                       Used to delete commands entered with the set command.
exit                                     Exits crypto map configuration mode.

Sample Configuration
Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1; Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 (S0/0/0 172.30.2.2) and R3 (S0/0/0 172.30.3.2), across the Internet.

    R1(config)# crypto map MYMAP 10 ipsec-isakmp
    R1(config-crypto-map)# match address 110
    R1(config-crypto-map)# set peer 172.30.2.2 default
    R1(config-crypto-map)# set peer 172.30.3.2
    R1(config-crypto-map)# set pfs group1
    R1(config-crypto-map)# set transform-set mine
    R1(config-crypto-map)# set security-association lifetime seconds 86400

Multiple peers can be specified for redundancy: R1 tries the default peer 172.30.2.2 first and falls back to 172.30.3.2 if it does not respond. The transform set named here (mine) must already exist.

Assign the Crypto Map Set


Site 1: 10.0.1.0/24, host 10.0.1.3, R1 (S0/0/0 172.30.1.2). Site 2: 10.0.2.0/24, host 10.0.2.3, R2 (S0/0/0 172.30.2.2). Crypto map MYMAP is applied on R1's S0/0/0.

    router(config-if)# crypto map map-name

    R1(config)# interface serial0/0/0
    R1(config-if)# crypto map MYMAP

- Applies the crypto map to the outgoing interface
- Activates the IPsec policy

Only one crypto map set can be applied to an interface; additional peers or traffic flows are added as further sequence numbers within the same map.

Verify and Troubleshoot the IPSec Configuration


- CLI Command Summary
- show crypto map
- show crypto isakmp policy
- show crypto ipsec transform-set
- show crypto ipsec sa
- debug crypto isakmp

CLI Commands
Command                          Description
show crypto map                  Displays configured crypto maps
show crypto isakmp policy        Displays configured IKE policies
show crypto ipsec sa             Displays established IPsec tunnels
show crypto ipsec transform-set  Displays configured IPsec transform sets
debug crypto isakmp              Debugs IKE events
debug crypto ipsec               Debugs IPsec events

Check Phase 1 before Phase 2: show crypto isakmp sa shows whether the IKE SA reached the QM_IDLE state. Debugs are CPU-intensive on a busy router; enable them for a single negotiation and turn them off with undebug all.

show crypto map


Site 1: 10.0.1.0/24, host 10.0.1.3, R1 (S0/0/0 172.30.1.2). Site 2: 10.0.2.0/24, host 10.0.2.3, R2 (S0/0/0 172.30.2.2).

    router# show crypto map

Displays the currently configured crypto maps.

    R1# show crypto map
    Crypto Map "MYMAP" 10 ipsec-isakmp
            Peer = 172.30.2.2
            Extended IP access list 110
                access-list 110 permit ip host 10.0.1.3 host 10.0.2.3
            Current peer: 172.30.2.2
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={ MYSET, }

show crypto isakmp policy


Site 1: 10.0.1.0/24, host 10.0.1.3, R1 (S0/0/0 172.30.1.2). Site 2: 10.0.2.0/24, host 10.0.2.3, R2 (S0/0/0 172.30.2.2).

    router# show crypto isakmp policy

    R1# show crypto isakmp policy
    Protection suite of priority 110
            encryption algorithm:   3DES - Data Encryption Standard (168 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  preshared
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit

show crypto ipsec transform-set


Site 1: 10.0.1.0/24, host 10.0.1.3, R1 (S0/0/0 172.30.1.2). Site 2: 10.0.2.0/24, host 10.0.2.3, R2 (S0/0/0 172.30.2.2).

    router# show crypto ipsec transform-set

Displays the currently defined transform sets.

    R1# show crypto ipsec transform-set
    Transform set AES_SHA: { esp-128-aes esp-sha-hmac }
       will negotiate = { Tunnel,  },

show crypto ipsec sa


Site 1: 10.0.1.0/24, host 10.0.1.3, R1 (S0/0/0 172.30.1.2). Site 2: 10.0.2.0/24, host 10.0.2.3, R2 (S0/0/0 172.30.2.2).

    R1# show crypto ipsec sa
    Interface: Serial0/0/0
        Crypto map tag: MYMAP, local addr. 172.30.1.2
       local  ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
       current_peer: 172.30.2.2
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
        #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
         path mtu 1500, media mtu 1500
         current outbound spi: 8AE1C9C

The digest and verify counters stay at 0 here because the negotiated transform set has no authentication transform; with esp-sha-hmac they count up alongside encrypt and decrypt. Encaps rising without decaps points to a one-way problem (typically an ACL or routing issue on the return path), and a non-zero send or recv error count should be investigated before anything else.

debug crypto isakmp


router# debug crypto isakmp
1d00h: offers 1d00h: 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0 1d00h: ISAKMP (0:1); no accepted! ISAKMP (0:1): SA not acceptable! %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2

This is an example of the Main Mode error message. A Main Mode failure suggests that the Phase 1 (ISAKMP) policy does not match on both sides. Verify that a Phase 1 policy is configured on both peers and ensure that all of its attributes match.
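The following Python script, added here as an example and not part of the course material, checks for that Phase 1 mismatch offline: it parses the text of show crypto isakmp policy from two peers (assuming the label: value line layout shown above; R2's output is constructed from R1's with a different Diffie-Hellman group) and reports which attributes differ.

```python
import re

# Constructed sample: the R1 output from the slide above.
R1_OUTPUT = """\
Protection suite of priority 110
        encryption algorithm:   3DES - Data Encryption Standard (168 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  preshared
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""
# Constructed peer output: R1's priority-110 suite with DH group 1 and no default suite.
R2_OUTPUT = R1_OUTPUT.split("Default protection suite")[0].replace(
    "#2 (1024 bit)", "#1 (768 bit)")
# Attributes Main Mode requires to be identical; lifetime is negotiated down
# to the shorter value, so it is not compared here.
ATTRS = ("encryption algorithm", "hash algorithm", "authentication method", "Diffie-Hellman group")

def parse_policies(text):
    """Return {priority: {attribute: value}}; the default suite gets key 'default'."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m or line.startswith("Default protection suite"):
            current = int(m.group(1)) if m else "default"
            policies[current] = {}
        elif current is not None and ":" in line:
            attr, value = line.split(":", 1)
            policies[current][attr.strip()] = value.strip()
    return policies

def find_matching_policy(local, remote):
    """Lowest-priority-first (the order IOS tries them) pair agreeing on all ATTRS, or None."""
    order = lambda p: (p == "default", 0 if p == "default" else p)
    for lp in sorted(local, key=order):
        for rp in sorted(remote, key=order):
            if all(local[lp].get(a) == remote[rp].get(a) for a in ATTRS):
                return lp, rp
    return None

def mismatched_attributes(local_policy, remote_policy):
    """Attributes whose values differ, as {attribute: (local, remote)}."""
    return {a: (local_policy.get(a), remote_policy.get(a))
            for a in ATTRS if local_policy.get(a) != remote_policy.get(a)}
```

Running find_matching_policy on the two samples returns None, and mismatched_attributes on the two priority-110 suites points at the Diffie-Hellman group, which is exactly what the debug output above cannot tell you.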


Implementing Site-to-Site IPSec VPNs Using SDM


Configuring IPSec Using SDM
VPN Wizard - Quick Setup
VPN Wizard - Step-by-Step Setup
Verifying, Monitoring, and Troubleshooting VPNs


Configuring IPSec Using SDM


Starting a VPN Wizard
VPN Components
Configuring a Site-to-Site VPN
Site-to-Site VPN Wizard


Starting a VPN Wizard


1. Click Configure in the main toolbar
2. Click the VPN button to open the VPN page
3. Choose a wizard (the IPsec wizards cover the types of VPNs and the individual IPsec components)
4. Click the VPN implementation subtype (the subtypes vary based on the VPN wizard chosen)
5. Click the Launch the Selected Task button


VPN Components
VPN Wizards
SSL VPN parameters
Individual IPsec components used to build VPNs
Easy VPN server parameters
Public key certificate parameters
Encrypt VPN passwords


Configuring a Site-to-Site VPN


Choose Configure > VPN > Site-to-Site VPN

Click Create a Site-to-Site VPN

Click the Launch the Selected Task button


Site-to-Site VPN Wizard

Choose the wizard mode

Click Next to proceed to the configuration of parameters.


VPN Wizard-Quick Setup


Quick Setup
Verify Parameters


Quick Setup

Configure the parameters:
- Interface to use
- Peer identity information
- Authentication method
- Traffic to encrypt


Verify Parameters


VPN Wizard-Step-by-Step Setup


Step-by-Step Wizard
Creating a Custom IKE Proposal
Creating a Custom IPSec Transform Set
Protecting Traffic - Subnet to Subnet
Protecting Traffic - Custom ACL
Add a Rule
Configuring a New Rule Entry
Configuration Summary


Step-by-Step Wizard
1. Choose the outside interface that is used to connect to the IPSec peer
2. Specify the IP address of the peer
3. Choose the authentication method and specify the credentials
4. Click Next

Creating a Custom IKE Proposal


1. Click Add to define a proposal
2. Make the selections to configure the IKE policy and click OK
3. Click Next


Creating a Custom IPSec Transform Set


1. Click Add
2. Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation and optional compression
3. Click Next


Protecting Traffic - Subnet to Subnet

1. Click Protect All Traffic Between the Following Subnets
2. Define the IP address and subnet mask of the local network
3. Define the IP address and subnet mask of the remote network


Protecting Traffic - Custom ACL

1. Click the Create/Select an Access-List for IPSec Traffic radio button
2. To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option
3. Click the ellipsis button to choose an existing ACL or create a new one

Add a Rule

1. Give the access rule a name and description
2. Click Add


Configuring a New Rule Entry


1. Choose an action and enter a description of the rule entry
2. Define the source hosts or networks in the Source Host/Network pane and the destination hosts or networks in the Destination Host/Network pane
3. (Optional) To provide protection for specific protocols, choose the specific protocol radio button and the desired port numbers

Configuration Summary

Click Back to modify the configuration. Click Finish to complete the configuration.

Verifying, Monitoring, and Troubleshooting VPNs


Verify VPN Configuration
Monitor


Verify VPN Configuration


Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN

Check VPN status.

Create a mirroring configuration if no Cisco SDM is available on the peer.

Test the VPN configuration.


Monitor
Choose Monitor > VPN Status > IPSec Tunnels

Lists all IPsec tunnels, their parameters, and status.


Implementing A Remote Access VPN


The Changing Corporate Landscape
Introduction to Remote Access
SSL VPNs
Cisco Easy VPN
Configure a VPN Server Using SDM
Connect with a VPN Client


The Changing Corporate Landscape


Telecommuting
Telecommuting Benefits
Telecommuting Requirements


Telecommuting
Flexibility in working location and working hours
Employers save on real estate, utility and other overhead costs
Succeeds if the program is voluntary, subject to management discretion, and operationally feasible


Telecommuting Benefits
Organizational benefits:
- Continuity of operations
- Increased responsiveness
- Secure, reliable, and manageable access to information
- Cost-effective integration of data, voice, video, and applications
- Increased employee productivity, satisfaction, and retention

Social benefits:
- Increased employment opportunities for marginalized groups
- Less travel and commuter-related stress

Environmental benefits:
- Reduced carbon footprints, both for individual workers and organizations


Telecommuting Requirements


Introduction to Remote Access


Methods for Deploying Remote Access
Comparison of SSL and IPSec


Methods for Deploying Remote Access

IPsec Remote Access VPN: any application
SSL-based VPN: anywhere access


Comparison of SSL and IPSec


Applications
  SSL: Web-enabled applications, file sharing, e-mail
  IPsec: All IP-based applications

Encryption
  SSL: Moderate (key lengths from 40 bits to 128 bits)
  IPsec: Stronger (key lengths from 56 bits to 256 bits)

Authentication
  SSL: Moderate (one-way or two-way authentication)
  IPsec: Strong (two-way authentication using shared secrets or digital certificates)

Ease of Use
  SSL: Very high
  IPsec: Moderate (can be challenging to nontechnical users)

Overall Security
  SSL: Moderate (any device can connect)
  IPsec: Strong (only specific devices with specific configurations can connect)


SSL VPNs
Overview
Types of Access
Full Tunnel Client Access Mode
Establishing an SSL Session
Design Considerations


Overview
Integrated security and routing
Browser-based full network SSL VPN access

Figure: SSL VPN tunnel from a remote user across the Internet to the SSL VPN router at headquarters, giving access to workplace resources


Types of Access


Full Tunnel Client Access Mode


Establishing an SSL Session


1. The user makes a connection to TCP port 443
2. The router replies with a digitally signed public key
3. The user software creates a shared-secret key
4. The shared-secret key, encrypted with the public key of the server, is sent to the router
5. Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm

Figure: exchange between a user running an SSL client and an SSL VPN enabled ISR router


SSL VPN Design Considerations


User connectivity
Router feature
Infrastructure planning
Implementation scope


Cisco Easy VPN


Overview
Components
Securing the VPN


Overview
Negotiates tunnel parameters
Establishes tunnels according to set parameters
Automatically creates a NAT / PAT and associated ACLs
Authenticates users by usernames, group names, and passwords
Manages security keys for encryption and decryption
Authenticates, encrypts, and decrypts data through the tunnel


Components


Securing the VPN


1. Initiate IKE Phase 1 (establish the ISAKMP SA, accept proposal)
2. Username/Password Challenge
3. Username/Password
4. System Parameters Pushed
5. Reverse Route Injection (RRI) adds a static route entry on the router for the remote client's IP address
6. Initiate IKE Phase 2: IPsec SA


Configuring a VPN Server Using SDM


Configuring Cisco Easy VPN Server
Configuring IKE Proposals
Creating an IPSec Transform Set
Group Authorization and Group Policy Lookup
Summary of Configuration Parameters


Configuring Cisco Easy VPN Server




Configuring IKE Proposals

Specify required parameters

Click Add

Click OK


Creating an IPSec Transform Set



Group Authorization and Group Policy Lookup

1. Select the location where Easy VPN group policies can be stored
2. Click Next
3. Click Add
4. Configure the local group policies
5. Click Next


Summary of Configuration Parameters


Connecting with a VPN Client


Overview
Establishing a Connection


VPN Client Overview

Figure: VPN Client connection entry for R1 (R1-vpn-cluster.span.com)

Establishes end-to-end, encrypted VPN tunnels for secure connectivity
Compatible with all Cisco VPN products
Supports the innovative Cisco Easy VPN capabilities

Establishing a Connection
Once authenticated, the status changes to Connected.

Figure: VPN Client status for the R1 connection entry (R1-vpn-cluster.span.com)
