Deploying and Managing Enterprise IPsec VPNs


Ken Kaminski
Cisco Systems
Consulting Systems Engineer – Security/VPN Northeast
kkaminsk@cisco.com
SEC-210 © 2002, Cisco Systems, Inc. All rights reserved. 1
IPsec - more than just crypto !

• Security Enforcement, Firewall, IDS
• Network Topology
• Routing (OSPF, EIGRP) design
• High Availability
• Performance
• QoS
• Path MTU Discovery
• Network Management
• ...


Agenda

• IPsec Design Options
• IPsec Design Issues
• IPsec Management


Product Function Matrix

            Site-to-Site Role                          Remote Access Role
IOS         Primary Role                               With recent addition of Cisco VPN Client,
            Full-fledged site-to-site                  now supported with good feature set
            Scales for large deployments
PIX         Integrated firewall and VPN device; PDM 2.0 includes VPN management
3000        Not recommended for large-scale use        Primary Role
            due to lack of QoS, SLA monitoring,        Full-fledged remote access solution
            and multiprotocol routing


Agenda

• IPsec Design Options
  IPsec
  IPsec Remote Access (EzVPN)
  IPsec/GRE
• IPsec Design Issues
• IPsec Management


Basic IPsec Example

[Diagram: router 1.1.1.1 (LAN 10.1.1.0/24) connected over the Internet to peer 2.2.2.2 (LAN 10.1.2.0/24) and peer 3.3.3.3 (LAN 10.1.3.0/24)]

• IKE Policy (Phase I)

crypto isakmp policy 1
 authentication pre-shared
 hash sha
 encryption 3des
crypto isakmp key cisco123isabadkey address 2.2.2.2
crypto isakmp key passwordisiabadkey address 3.3.3.3


Basic IPsec Example

(same topology as above)

• IPsec Policy (Phase II)

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255


Basic IPsec Example

(same topology as above)

• IPsec Policy (Phase II)

crypto map IPSEC 20 ipsec-isakmp
 set peer 2.2.2.2
 match address 102
 set transform-set ESP-3DES-SHA
crypto map IPSEC 30 ipsec-isakmp
 set peer 3.3.3.3
 match address 103
 set transform-set ESP-3DES-SHA


Basic IPsec Example

(same topology as above)

• Apply Crypto Map

interface serial 0
 crypto map IPSEC
!
ip route 10.0.0.0 255.0.0.0 serial 0
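The following Python is an added example, not code from the deck or from Cisco: it models how an IOS crypto map selects outbound traffic, trying entries in sequence order and matching a packet against each entry's `match address` ACL with IOS wildcard masks. It parses the deck's ACLs 102/103 and crypto map IPSEC (embedded as constructed input) and also accepts the `host` form used by the GRE ACLs later in the deck; the check a practitioner wants is the `None` result, meaning traffic no ACE covers leaves the interface in the clear.

```python
import ipaddress
# Constructed input: the deck's basic crypto map and its interesting-traffic ACLs.
CONFIG = """
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
crypto map IPSEC 20 ipsec-isakmp
 set peer 2.2.2.2
 match address 102
crypto map IPSEC 30 ipsec-isakmp
 set peer 3.3.3.3
 match address 103
"""

def _in_range(addr, base, wildcard):
    """IOS wildcard-mask test: bits that are 0 in the mask must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _operand(toks):
    """One ACE address operand: 'host A' or 'A WILDCARD'."""
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]

def parse_config(text):
    """Return ({acl_number: [(proto, src, dst)]}, crypto map entries by sequence)."""
    acls, entries, cur = {}, [], None
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2] == "permit":
            src, rest = _operand(t[4:])
            dst, _ = _operand(rest)
            acls.setdefault(int(t[1]), []).append((t[3], src, dst))
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:  # crypto map NAME SEQ ipsec-isakmp
            cur = {"seq": int(t[3]), "peer": None, "acl": None}
            entries.append(cur)
        elif t[:2] == ["set", "peer"]:
            cur["peer"] = t[2]
        elif t[:2] == ["match", "address"]:
            cur["acl"] = int(t[2])
    return acls, sorted(entries, key=lambda e: e["seq"])

def select_peer(acls, entries, proto, src, dst):
    """First crypto map entry whose ACL permits the packet wins. None means the
    packet is forwarded in the clear: a subnet missing from the ACL is a silent leak."""
    for e in entries:
        for ace_proto, (sb, sw), (db, dw) in acls.get(e["acl"], []):
            if ace_proto in ("ip", proto) and _in_range(src, sb, sw) and _in_range(dst, db, dw):
                return e["peer"]
    return None
```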


Basic IPsec Summary

• Supported by IOS, PIX, VPN 3000 and several other vendors
• Either side can initiate tunnel
• No support for routing protocol, multicast


Agenda

• IPsec Design Options
  IPsec
  IPsec Remote Access (EzVPN)
  IPsec/GRE
• IPsec Design Issues
• IPsec Management


IPsec Remote Access (EzVPN)

[Diagram: head office server (IOS, PIX or VPN 3000 at 1.1.1.1) reached over the Internet by clients: Cisco VPN Client software, IOS router, PIX, VPN 3002]

• Client - Server Architecture
• Client always initiates IPsec connection
• Client may have dynamic ip address
• Very easy to configure !
• Very scalable, no routing expertise required !
IPsec Remote Access (EzVPN)

[Diagram: EzVPN clients connecting over the Internet to the head office server (IOS, PIX or VPN 3000 at 1.1.1.1)]

• Client extension mode :
  Packets from all devices behind EzVPN Client are PATted to one ip address (then tunneled in IPsec).
• Network extension mode :
  Packets from all devices behind EzVPN client are tunneled in IPsec (no PAT before IPsec)


EzVPN Configuration example

[Diagram: remote office router (EzVPN hardware client) connecting over the Internet to head office 1.1.1.1]

crypto ipsec client ezvpn hw-client
 group engineering-1 key secret
 mode client
 peer 1.1.1.1
!
interface Ethernet1
 description connected to INTERNET
 ip address .......
 crypto ipsec client ezvpn hw-client


Agenda

• IPsec Design Options
  IPsec
  IPsec Remote Access (EzVPN)
  IPsec/GRE
• IPsec Design Issues
• IPsec Management


IPsec/GRE : Scalable Site-to-site VPNs

[Diagram: sites interconnected over the Internet in parallel with a Frame Relay network]

• Routing Protocol (OSPF, EIGRP...) necessary !
• Routing (or multicast) not specified by IPsec
• Supported in IOS using GRE/IPsec


IPsec/GRE Example

[Diagram: hub router 1.1.1.1 connected over the Internet to peers 2.2.2.2 and 3.3.3.3]

• IKE Policy (Phase I) Same as without GRE

crypto isakmp policy 1
 authentication pre-shared
 hash sha
 encryption 3des
crypto isakmp key cisco123isabadkey address 2.2.2.2
crypto isakmp key passwordisiabadkey address 3.3.3.3


IPsec/GRE Example

[Diagram: hub 1.1.1.1 with GRE tunnel 2002 to 2.2.2.2 and tunnel 2003 to 3.3.3.3 over the Internet]

• IPsec Policy (Phase II)

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
access-list 102 permit gre host 1.1.1.1 host 2.2.2.2
access-list 103 permit gre host 1.1.1.1 host 3.3.3.3


IPsec/GRE Example

(same topology as above: tunnel 2002 to 2.2.2.2, tunnel 2003 to 3.3.3.3)

crypto map IPSEC 20 ipsec-isakmp
 set peer 2.2.2.2
 match address 102
 set transform-set ESP-3DES-SHA
crypto map IPSEC 30 ipsec-isakmp
 set peer 3.3.3.3
 match address 103
 set transform-set ESP-3DES-SHA


IPsec/GRE Example

[Diagram: hub 1.1.1.1 with tunnel 2002 (10.99.1.0/24) to 2.2.2.2 and tunnel 2003 (10.99.2.0/24) to 3.3.3.3 over the Internet]

int tunnel 2002
 ip address 10.99.1.1 255.255.255.0
 tunnel source serial 0
 tunnel destination 2.2.2.2
 crypto map IPSEC
int tunnel 2003
 ip address 10.99.2.1 255.255.255.0
 tunnel source serial 0
 tunnel destination 3.3.3.3
 crypto map IPSEC


IPsec/GRE Example

(same topology as above: tunnel 2002 (10.99.1.0/24) to 2.2.2.2, tunnel 2003 (10.99.2.0/24) to 3.3.3.3)

int serial 0
 ip address 1.1.1.1 255.255.255.252
 crypto map IPSEC
!
ip route 2.2.2.2 255.255.255.255 serial 0
ip route 3.3.3.3 255.255.255.255 serial 0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 1
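As an added example (not the deck's or Cisco's own tool), this Python generalizes the hub configuration of the last four slides from two spokes to N, keeping the deck's conventions: spoke n gets ACL 101+n, crypto map sequence 10*(n+1), tunnel 2001+n and tunnel subnet 10.99.n.0/24 (these numbering rules and the `sa_pairs` helper are assumptions). The helper quantifies the "fewer SAs" point of the next slide: one GRE ACE per peer instead of one ACE per subnet pair.

```python
def hub_ipsec_gre_config(hub_ip, spokes, wan_if="serial 0",
                         map_name="IPSEC", ts="ESP-3DES-SHA"):
    """Hub-side IOS config of the deck's IPsec/GRE design for N spokes.
    spokes: ordered list of spoke public IPs. Constructed numbering: spoke n
    gets ACL 101+n, crypto map seq 10*(n+1), Tunnel2001+n, 10.99.n.0/24."""
    if not 0 < len(spokes) < 255:
        raise ValueError("10.99.n.0/24 numbering covers 1..254 spokes")
    out = [f"crypto ipsec transform-set {ts} esp-3des esp-sha-hmac",
           " mode transport"]  # GRE already supplies the outer IP header
    for n, spoke in enumerate(spokes, start=1):
        acl, seq, tun = 101 + n, 10 * (n + 1), 2001 + n
        # One host-to-host GRE ACE per peer: a single SA pair then carries
        # every subnet routed over the tunnel, whatever OSPF learns later.
        out.append(f"access-list {acl} permit gre host {hub_ip} host {spoke}")
        out += [f"crypto map {map_name} {seq} ipsec-isakmp",
                f" set peer {spoke}",
                f" match address {acl}",
                f" set transform-set {ts}"]
        out += [f"interface Tunnel{tun}",
                f" ip address 10.99.{n}.1 255.255.255.0",
                f" tunnel source {wan_if}",
                f" tunnel destination {spoke}",
                f" crypto map {map_name}"]  # on the tunnel and the WAN interface, as in the deck
        # Host route to the peer via the WAN so the tunnel destination is never
        # learned through the tunnel itself (recursive routing flaps the tunnel).
        out.append(f"ip route {spoke} 255.255.255.255 {wan_if}")
    out += [f"interface {wan_if}",
            f" crypto map {map_name}",
            "router ospf 1",
            " network 10.0.0.0 0.255.255.255 area 1"]  # tunnel /24s and site LANs
    return "\n".join(out) + "\n"


def sa_pairs(n_peers, local_subnets, remote_subnets, gre):
    """Phase II SA pairs the hub holds: with GRE one per peer, with plain IPsec
    one per ACE, i.e. per (local subnet, remote subnet) combination."""
    return n_peers * (1 if gre else local_subnets * remote_subnets)
```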


IPsec/GRE Summary

• IOS only (not PIX, VPN 3000)
• Enables Routing over IPsec protected Tunnels
• Enables IPsec protected multicast
• Enables Multi-Protocol (IPX...)
• Easy to configure thanks to trivial ACLs
• Reduces the number of SAs
• Uses standards : RFC 240x (IPsec), RFC 2784 (GRE)
• IPinIP (RFC 2003) is an alternative to GRE


Agenda

• IPsec Design Options
• IPsec Design Issues
  Topologies
  High Availability
  Split Tunneling
  Device Placement
• IPsec Management


Site-to-Site Full Mesh

[Diagram: sites fully meshed with tunnels over the Internet]

• N * (N-1) / 2 tunnels
• Scaling issues with provisioning and routing protocols
  (....future Cisco features may help here...)
Dynamic Multipoint VPN (DMVPN)
12.2(13)T

• Objective : Easy to configure full mesh IPsec VPN
• Uses multi-point GRE interfaces
• Uses NHRP (Next Hop Resolution Protocol)
• Only configure hub connection
• Spoke learns about spoke peer dynamically


Dynamic Multipoint VPN - DMVPN
12.2(13)T

[Diagram: hub with static public IP address 130.25.13.1 and LAN 10.100.1.0 255.255.255.0 (10.100.1.1); spokes with dynamic (or static) public IP addresses and LANs 10.1.1.0 255.255.255.0 (10.1.1.1) and 10.1.2.0 255.255.255.0 (10.1.2.1). Legend: dynamic & permanent spoke-to-hub IPsec tunnels; dynamic & temporary spoke-to-spoke IPsec tunnels]


Full Mesh : Tunnel Endpoint Discovery (TED)

[Diagram: sites meshed over MPLS-VPN / Frame Relay]

• Dynamically discover tunnel endpoint (peer)
• IOS since 12.0T
• Only works with routable (public) ip address
• Must be enabled in all peer routers
TED Example

[Diagram: host Alice (A) behind router X, host Bob (B) behind router Y. X: "A to B must be protected", no SA -> send probe (IKE A to B, proxy X). Y: "traffic to B must be protected", no SA -> block & answer probe (IKE Y to X). IPsec then carries IP A to B.]

X(config)#
crypto dynamic-map DYN 10
 set transform-set ESP-3DES-SHA
 match address 100
!
crypto map IPSEC 99 ipsec-isakmp dynamic DYN discover
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
IPsec Migration Today

[Diagram: two routers over time]
0. (no IPsec) - (no IPsec)
1. IPsec - (no IPsec): no communication possible
2. IPsec - IPsec: all encrypted

Problem : Migration to IPsec in large networks
IPSEC Passive Mode
12.2(13)T

[Diagram: two routers over time]
0. (no IPsec) - (no IPsec)
1. passive - (no IPsec)
2. passive - passive: now all routers are on passive
3. active - passive
4. active - active: now all routers are running normal IPsec

# crypto ipsec optional


Agenda

• IPsec Design Options
• IPsec Design Issues
  Topologies
  High Availability
  Split Tunneling
  Device Placement
• IPsec Management


High-Availability Design

Stateless options today:
  IPsec and Dead Peer Detection
  IPsec and HSRP
  IPsec/GRE : Routing Protocols

[Diagram: remote VPN site 10.1.5.0 over the Internet to head-end VPN routers HE-1 and HE-2 in front of the corporate intranet]


Dead Peer Detection (IKE keepalives)

• Supported on IOS, PIX, VPN 3000, Cisco VPN Client
• Hellos are sent between IKE peers that have active tunnels established
• Will detect dead peers (stale IPsec SAs)
• On the third hello packet failure, IKE attempts to set up a new tunnel to the next peer in list

[Diagram: VPN client and remote routers (R1, S1, S2, P1) exchanging hellos over the Internet with head-ends HE-1 and HE-2 in front of the corporate intranet]


Dead Peer Detection vs IKE keepalives

• DPD is an optimization to IKE keepalives :
  "I don't bother to check peer by sending keepalive, if I am receiving data from peer"
• DPD compatibility :
  IOS 12.2(8)T and later
  PIX 6.0 and later
  VPN 3000 3.0 and later


High Availability with Dead Peer Detection

[Diagram: remote router X reaches head-ends HE-1 (1.1.1.1) and HE-2 (1.1.1.2) over the Internet]

crypto map IPSEC 10 ipsec-isakmp
 match address 10
 set peer 1.1.1.1
 set peer 1.1.1.2
 set transform-set ESP-3DES-SHA


IPsec and HSRP+

[Diagram: remote router X over the Internet to head-ends HE-1 and HE-2 sharing an HSRP address]

• Supported on IOS
• HSRP address used as tunnel endpoint
• Active device terminates IPsec tunnel
• In the event of failure, standby device takes over (SAs will be renegotiated)
High Availability with IPsec and HSRP+

[Diagram: remote router X over the Internet to HE-1 and HE-2, which share HSRP address 1.1.1.3]

Remote :
crypto map IPSEC 10 ipsec-isakmp
 match address 10
 set peer 1.1.1.3
 set transform-set ESP-3DES-SHA

Head-end (HE-1) :
interface Ethernet1/0
 ip address 1.1.1.1 255.255.255.248
 standby 1 ip 1.1.1.3
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VPNHA
 standby 1 track Ethernet1/1 150
 crypto map VPN redundancy VPNHA


Reverse Route Injection (RRI)
12.2(8)T

Because IOS is active-active, and it is not possible for the next-hop device to know which router "has" the active tunnel, Reverse Route Injection (RRI) is required for state tracking.
Works with DPD and HSRP+

[Diagram: corporate next-hop device asking "who should I send traffic to for 10.1.5.0 ?" between head-ends HE-1 and HE-2; remote site 10.1.5.0 over the Internet]


Reverse Route Injection Example

[Diagram: remote router X over the Internet to head-ends HE-1 and HE-2; 2.2.2.2 labelled next to HE-1]

crypto isakmp keepalive 10
!
crypto map vpn 20 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA
 match address 102
 reverse-route
!


RRI In Action

RRI triggers when SA goes down

[Diagram: remote site 10.1.5.0/24 over the Internet to primary head-end P and secondary head-end S]
(1) SA established to primary; sending IKE keepalives
(2) Router P RRI: "I can reach 10.1.5.0"
(3) 10.1.5.0/24 via P
(4) P suffers an "Unscheduled Immediate Memory Initialization Routine" (it crashes)
(5) Secondary active
(6) New SA established to secondary; sending IKE keepalives
(7) Router S RRI: "I can reach 10.1.5.0"
(8) 10.1.5.0/24 via S
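The eight-step sequence above as an added Python model (not Cisco code) of what the corporate next-hop device learns. Assumptions: constructed head-ends P (1.1.1.1) and S (1.1.1.2), a remote that lists them in `set peer` order, DPD declaring the peer dead on the third lost hello, and RRI injecting a route for 10.1.5.0/24 only while an SA to that head-end exists. It makes the detection window visible: for two keepalive intervals no head-end advertises the remote subnet.

```python
DPD_RETRIES = 3   # IKE gives up on the third consecutive lost hello

class HeadEnd:
    def __init__(self, addr):
        self.addr, self.up, self.routes = addr, True, {}

    def crash(self):
        # Step (4): the router reloads, so every route it injected is gone.
        self.up, self.routes = False, {}

    def sa_established(self, subnet):
        # RRI: a static route for the remote's protected subnet appears here
        # and can be redistributed toward the corporate intranet.
        self.routes[subnet] = self.addr

class Remote:
    def __init__(self, peers, subnet):
        self.peers, self.subnet, self.idx, self.missed, self.log = peers, subnet, 0, 0, []
        self._bring_up()

    def _bring_up(self):
        self.peers[self.idx].sa_established(self.subnet)
        self.log.append(("sa_up", self.peers[self.idx].addr))

    def keepalive(self):
        """One 'crypto isakmp keepalive' interval against the current peer."""
        peer = self.peers[self.idx]
        if peer.up:                       # hello answered: reset the miss counter
            self.missed = 0
            return
        self.missed += 1
        if self.missed >= DPD_RETRIES:    # peer declared dead: tear the SA down,
            self.log.append(("sa_down", peer.addr))
            self.idx, self.missed = (self.idx + 1) % len(self.peers), 0
            self._bring_up()              # then try the next peer in the list

def corporate_view(headends):
    """What the next-hop device can learn: subnet -> head-end advertising it."""
    return {sub: he.addr for he in headends for sub in he.routes}

def run_failover(crash_at, intervals=6):
    """Crash P just before keepalive number crash_at; return (SA log, views)."""
    p, s = HeadEnd("1.1.1.1"), HeadEnd("1.1.1.2")
    remote = Remote([p, s], "10.1.5.0/24")
    views = []
    for t in range(intervals):
        if t == crash_at:
            p.crash()
        remote.keepalive()
        views.append(corporate_view([p, s]))
    return remote.log, views
```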
High Availability with IPsec/GRE

• Just plain routing ! (OSPF, EIGRP...)
• Routing copes with some failures other methods can't detect
• Local and Geographical redundancy possible
• Except under failure conditions, the IPsec and GRE tunnels are always up since routing protocols are always running

[Diagram: remote router with tunnels over the Internet to head-ends HE-1 and HE-2 in front of the corporate intranet]


High Availability with IPsec/GRE

[Diagram: remote router with tunnel 1 to HE-1 and tunnel 2 to HE-2 over the Internet, head-ends in front of the corporate intranet]

Remote :
!
int tunnel 1
 ......
 ip ospf cost 10
!
int tunnel 2
 ......
 ip ospf cost 20
 ......

HE-1 :
!
int tunnel 1
 ......
 ip ospf cost 10
 .....

HE-2 :
!
int tunnel 2
 ......
 ip ospf cost 10
 .....


Local/Geographical Failover/Load-Balancing

• The Cisco VPN Client supports the notion of backup servers for high availability
  PIX, 3000, and IOS compatible
• The 3000 Concentrator also supports local clustering
  Supports local load sharing (not geographical)
  DNS resolution based load balancing could also be used as the client resolves the FQDN of the head-end device (geographical)


High Availability Summary

• Key: DPD = Dead Peer Detection; RP = Routing Protocol; RRI = Reverse Route Injection

Remote device \ Head-end device   IOS                          PIX                    3000
IOS                               RP, DPD (RRI), HSRP+ (RRI)   DPD (RRI)              DPD
PIX                               HSRP+ (RRI), DPD (RRI)       Failover, DPD (RRI)    DPD
3000                              HSRP+ (RRI), DPD (RRI)       DPD (RRI)              DPD


Agenda

• IPsec Design Options
• IPsec Design Issues
  Topologies
  High Availability
  Split Tunneling
  Device Placement
• IPsec Management


Split Tunneling

[Diagram: hardware VPN client with split tunneling enabled: corporate traffic goes through the VPN tunnel with no NAT, Internet traffic (e.g. to www.evilhackers.com) is NATed straight to the Internet]
Split Tunneling

• Should it be allowed ? Policy Decision !
• If allowed, firewall is needed at remote end
• Cisco VPN Client - $0 firewall
  Default stops incoming connections; allows outgoing connections
  Firewall active even when VPN client is not connected
  Firewall policies can be pushed from VPN 3000 concentrator


Agenda

• IPsec Design Options
• IPsec Design Issues
  Topologies
  High Availability
  Split Tunneling
  Device Placement
• IPsec Management


VPN Device with separate Firewall

[Diagram, left to right from the WAN edge to the campus: stateless L3 filtering (IKE, ESP only) -> VPN termination on a DMZ where there is "nothing to see" (crypto-wise) -> firewall providing focused layer 4–7 analysis, L4–L7 stateful inspection and filtering, and DoS mitigation]


Agenda

• IPsec Design Options
• IPsec Design Issues
• IPsec Management


VPN Management

• Nothing dramatically new
  - configuration management
  - performance management
  - fault management
  - sw updates
• Many of the same tools apply : SNMP, TFTP, SSH
• Management traffic should be encrypted (IPsec vs SSH)


VPN Management Applications

• Device Managers (on the box)
  PDM—PIX Device Manager
  VDM—VPN Device Manager for IOS and 3000
• VPN/Security Management Solution (VMS) 2.1
  IOS, IDS, PIX Multiple Device Centers
• VPN Solution Center (VPNSC)
  Primary focus : Service Providers


VPN/Security Management Solution 2.1

Management Centers (MCs) for
  VPN Routers
  PIX Firewall
  IDS Sensors


VMS 2.1 / Router MC

• Web based
• IOS IPsec/GRE (Hub/Spoke topologies)
• Workflow approach (create task/approve task)
• Grouping of devices/apply policy on group



VMS 2.1 / VPN Monitor

• Performance Monitoring of IOS and VPN 3000
  Number of tunnels
  Status/Performance of tunnels
  Performance threshold violations