Lesson Planning
Major Concepts
Contents
8.1 VPNs
VPNs
VPN Overview
VPN Technologies
VPN Solutions
VPN Overview
What is a VPN?
Layer 3 VPNs
What is a VPN?
Figure: a business partner with a Cisco router, a mobile worker with a Cisco VPN Client (and CSA) and a SOHO with a Cisco DSL router connect across the Internet, through a firewall, to the corporate WAN and VPN network.
Layer 3 VPN
Figure: a SOHO with a Cisco DSL router reaches the corporate network through an IPSec VPN across the Internet.
VPN Technologies
Types of VPN Networks
Figure: site-to-site VPNs (a SOHO with a Cisco DSL router and a regional branch with a VPN-enabled Cisco ISR router) and IP VPN WANs connect across the Internet to the corporate Internet firewall; the corporate site runs CSA, MARS, IronPort and web, email and DNS servers.
Site-to-Site VPN
Figure: the same topology, highlighting the site-to-site VPN between the regional branch's Cisco ISR router and the corporate Internet firewall.
Remote-Access VPNs
Figure: a mobile worker with a Cisco VPN Client and CSA connects across the Internet, through the Internet firewall and IPS, to the corporate web, email and DNS servers; MARS monitors the site.
VPN Client Software
Figure: Cisco VPN Client connection entry "R1" for host R1-vpn-cluster.span.com.
Cisco IOS SSL VPN
• Provides remote-access connectivity from any Internet-enabled host
• Uses a web browser and SSL encryption
• Delivers two modes of access: clientless and thin client
VPN Solutions
Cisco VPN Product Family
Figure: table of the Cisco VPN product family (Cisco PIX 500 Series Security Appliances, Cisco VPN 3000 Series Concentrators and others), marking the primary and secondary role of each product.
Cisco VPN-Optimized Routers
Figure: Cisco routers at a remote office, a regional office and a SOHO connect across the Internet to the main office Cisco router.
VPN Features:
• Voice and video enabled VPN (V3PN)
• IPSec stateful failover
• DMVPN
• IPSec and Multiprotocol Label Switching (MPLS) integration
• Cisco Easy VPN
Cisco ASA 5500 Series Adaptive Security Appliances
Figure: a Cisco ASA 5500 Series appliance fronting the intranet.
IPSec Clients
• Cisco VPN Software Client: software loaded on a PC
• Router with firewall and VPN client (small office): a network appliance that connects SOHO LANs to the VPN
• Cisco AnyConnect VPN Client: provides remote users with secure VPN connections
Hardware Acceleration Modules
• AIM
• Cisco IPSec VPN Shared Port Adapter (SPA)
• Cisco PIX VPN Accelerator Card+ (VAC+)
• Enhanced Scalable Encryption Processing (SEP-E)
8.2 GRE VPNs
GRE VPNs
Overview
Encapsulation
Using GRE
Overview
Encapsulation
Figure: the original IP packet is carried inside a GRE header and a new outer IP header.
Configuring a GRE Tunnel
1. Create a tunnel interface
2. Assign the tunnel an IP address
3. Identify the source tunnel interface
4. Identify the destination of the tunnel
5. Configure what protocol GRE will encapsulate

R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 192.168.5.5
R1(config-if)# tunnel mode gre ip
R1(config-if)#

R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 192.168.3.3
R2(config-if)# tunnel mode gre ip
R2(config-if)#
Using GRE
Figure: decision flowchart asking whether the tunnel carries IP user traffic only (Yes / No).
8.3 IPSec VPN Components and Operation
IPSec VPN Components and Operation
Introducing IPSec
Introducing IPSec
IPSec Topology
IPSec Framework
Confidentiality
Integrity
Authentication
Pre-Shared Key
RSA Signature
IPSec Topology
Figure: a main site with an IPsec perimeter router, a legacy concentrator and a Cisco PIX; a POP; a business partner with a Cisco router; and a regional office with an ASA firewall and a Cisco PIX firewall.
IPSec Framework
Figure: the IPSec framework with one row per choice: IPSec protocol, confidentiality, integrity, authentication, and Diffie-Hellman group (the group options end with DH7).
Confidentiality
Figure: encryption algorithm key lengths: 56 bits (DES); 56 bits, applied three times (3DES); 128, 192 or 256 bits (AES); 160 bits (SEAL).
Integrity
Figure: hash algorithm key lengths: 128 bits (MD5) and 160 bits (SHA-1).
Authentication
Figure: the IPSec framework with the authentication row highlighted (pre-shared key or RSA signature).
Pre-shared Key (PSK)
• At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.
• The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.
RSA Signatures
• At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local device's private encryption key creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I.
• Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.
Secure Key Exchange
Figure: the IPSec framework with the Diffie-Hellman row highlighted.
IPSec Security Protocols
IPSec Framework Protocols
Authentication Header
Figure: R1 sends a packet (IP HDR | Data) to its IPSec peer R2 across the Internet; all data is in plaintext.
1. Authentication data: the IP header, the data and the key are run through a hash (00ABCDEF).
2. The hash builds a new AH header which is prepended to the original packet (IP HDR | AH | Data).
3. The new packet is transmitted to the IPSec peer router.
4. The peer router hashes the IP header and data payload, extracts the transmitted hash and compares: recomputed hash (00ABCDEF) = received hash (00ABCDEF).
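The four AH steps above, modelled in Python as an added example (this is not code from the course deck). The sender hashes the IP header and data under a shared key, prepends the result as the AH header, and the peer recomputes and compares. Everything here is constructed for illustration: a simplified 10-byte "IP header" (source, destination, TTL, protocol), a keyed SHA-1 truncated to 96 bits as the integrity check value, and the key. Real AH uses HMAC-MD5-96 or HMAC-SHA-1-96 over the full IPv4 header with mutable fields zeroed; the same idea appears here as zeroing the TTL before hashing. Because the hash covers the source and destination addresses, a NAT device that rewrites the source address invalidates it, which the last two helpers demonstrate.

```python
"""Authentication Header integrity check (constructed model, not real AH)."""
import hashlib
import hmac
import struct

AH_PROTOCOL = 51   # IP protocol number that signals an AH header follows
ICV_LEN = 12       # 96-bit truncated ICV, as in HMAC-SHA-1-96
HDR_LEN = 10       # size of the toy header built below
TTL_OFFSET = 8     # position of the TTL byte within the toy header


def ip_header(src: str, dst: str, ttl: int, proto: int) -> bytes:
    """Toy IP header: 4-byte source, 4-byte destination, 1-byte TTL, 1-byte protocol."""
    def pack_addr(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split("."))
    return struct.pack("!4s4sBB", pack_addr(src), pack_addr(dst), ttl, proto)


def ah_icv(key: bytes, header: bytes, data: bytes) -> bytes:
    """Step 1: hash IP header + data + key. TTL is mutable in transit, so it is zeroed."""
    immutable = header[:TTL_OFFSET] + b"\x00" + header[TTL_OFFSET + 1:]
    return hmac.new(key, immutable + data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key: bytes, src: str, dst: str, ttl: int, data: bytes) -> bytes:
    """Steps 2 and 3: build IP HDR | AH (ICV) | Data, ready to transmit to the peer."""
    header = ip_header(src, dst, ttl, AH_PROTOCOL)
    return header + ah_icv(key, header, data) + data


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Step 4: recompute the hash over header + data and compare with the received ICV."""
    header = packet[:HDR_LEN]
    received = packet[HDR_LEN:HDR_LEN + ICV_LEN]
    data = packet[HDR_LEN + ICV_LEN:]
    return hmac.compare_digest(ah_icv(key, header, data), received)


def decrement_ttl(packet: bytes) -> bytes:
    """What every router hop does; AH verification must survive it."""
    ttl = packet[TTL_OFFSET] - 1
    return packet[:TTL_OFFSET] + bytes([ttl]) + packet[TTL_OFFSET + 1:]


def rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT device does; AH covers the source address, so verification fails."""
    dst = ".".join(str(b) for b in packet[4:8])
    ttl, proto = packet[TTL_OFFSET], packet[TTL_OFFSET + 1]
    return ip_header(new_src, dst, ttl, proto) + packet[HDR_LEN:]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    pkt = ah_protect(key, "10.0.1.3", "10.0.2.3", 64, b"payload")
    print("as sent:", ah_verify(key, pkt))
    print("after a hop:", ah_verify(key, decrement_ttl(pkt)))
    print("after NAT:", ah_verify(key, rewrite_source(pkt, "172.30.1.2")))
```

The TTL survives because it is excluded from the hash, while the NAT rewrite and any change to the payload fail, which is exactly why AH and address-translating devices do not mix.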
ESP
Figure: the IPSec framework with the IPSec protocol row (ESP) highlighted.
Function of ESP
Figure: between two routers across the Internet, the original packet (IP HDR | Data) becomes New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth; the inner IP header, data and ESP trailer are encrypted, and everything from the ESP header through the ESP trailer is authenticated.
• Provides confidentiality with encryption
• Provides integrity with authentication
Mode Types
Figure: IP HDR | Data is the original data prior to selection of IPSec protocol mode; transport mode and tunnel mode layouts are shown with their authenticated portions marked.
Internet Key Exchange (IKE)
Security Associations
IKE Phases
IKE Phase 1 – Three Exchanges
IKE Phase 1 – Aggressive Mode
IKE Phase 2
Security Associations
Figure: security associations for traffic between hosts 10.0.1.3 and 10.0.2.3.
IKE Phase 1 – First Exchange
Figure: Host A (10.0.1.3) behind R1 and Host B (10.0.2.3) behind R2; R1 and R2 negotiate IKE proposals from their IKE policy sets.
IKE policy sets shown (Policy 10 and Policy 20 on one peer, Policy 15 on the other):
Policy 10: DES, MD5, pre-share, DH1, lifetime
Policy 20: 3DES, SHA, pre-share, DH1, lifetime
Policy 15: DES, MD5, pre-share, DH1, lifetime
IKE Phase 1 – Second Exchange
Establish DH Key
Alice: private value XA, public value YA = g^XA mod p
Bob: private value XB, public value YB = g^XB mod p
Alice sends YA to Bob; Bob sends YB to Alice.
Alice computes (YB)^XA mod p = K; Bob computes (YA)^XB mod p = K.
A DH exchange is performed to establish keying material.
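The second exchange (Diffie-Hellman) and the third exchange with pre-shared keys (the hash_I / hash_R flow from the Pre-shared Key slide), run end to end in Python as an added example; this is not code from the course deck. Both peers derive the same keying material K from their DH values, then each hashes its identity under a key bound to the PSK and K, and the other side recomputes the hash independently. Assumptions, all constructed for illustration: the modulus 2^255 - 19 with generator 2 (not an IKE DH group; IOS groups 1, 2 and 5 are the 768-, 1024- and 1536-bit MODP groups), peer identities taken from the slide addresses, and the PSK cisco123. Real IKEv1 also folds nonces, the DH public values and the SA proposal into HASH_I and HASH_R; only the ingredients the slide names (key, identity, K) are used here.

```python
"""IKE Phase 1 exchanges 2 and 3 with PSK authentication (constructed model)."""
import hashlib
import hmac
import secrets

P = 2**255 - 19   # constructed demo modulus, NOT an IKE DH group
G = 2


class Peer:
    def __init__(self, identity: str, psk: bytes) -> None:
        self.identity = identity
        self.psk = psk
        self.private = secrets.randbelow(P - 2) + 1   # X_A or X_B
        self.public = pow(G, self.private, P)         # Y = g^X mod p
        self.keymat = b""

    def derive_keymat(self, peer_public: int) -> bytes:
        """Second exchange: K = (Y_peer)^X mod p, run through a KDF."""
        k = pow(peer_public, self.private, P)
        self.keymat = hashlib.sha256(k.to_bytes(32, "big")).digest()
        return self.keymat

    def auth_hash(self, identity: str) -> bytes:
        """Third exchange: hash of an identity under a key derived from PSK and K."""
        skeyid = hmac.new(self.psk, self.keymat, hashlib.sha256).digest()
        return hmac.new(skeyid, identity.encode(), hashlib.sha256).digest()

    def verify_peer(self, peer_identity: str, received: bytes) -> bool:
        """Recompute the peer's hash independently; constant-time comparison."""
        return hmac.compare_digest(self.auth_hash(peer_identity), received)


def ike_phase1(initiator: Peer, responder: Peer) -> dict:
    """Run exchanges 2 and 3 in both directions and report what each side concluded."""
    initiator.derive_keymat(responder.public)   # Y_B travels to the initiator
    responder.derive_keymat(initiator.public)   # Y_A travels to the responder
    hash_i = initiator.auth_hash(initiator.identity)              # initiator -> responder
    initiator_ok = responder.verify_peer(initiator.identity, hash_i)
    hash_r = responder.auth_hash(responder.identity)              # responder -> initiator
    responder_ok = initiator.verify_peer(responder.identity, hash_r)
    return {
        "same_keymat": initiator.keymat == responder.keymat,
        "initiator_authenticated": initiator_ok,
        "responder_authenticated": responder_ok,
    }


if __name__ == "__main__":
    r1 = Peer("172.30.1.2", b"cisco123")
    r2 = Peer("172.30.2.2", b"cisco123")
    print(ike_phase1(r1, r2))
```

With mismatched PSKs the DH step still succeeds (both sides hold the same K), but neither hash verifies: the key agreement alone authenticates nobody, which is why the third exchange exists.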
IKE Phase 1 – Third Exchange
Authenticate Peer
Figure: a remote office (10.0.1.3) and the corporate office HR servers (10.0.2.3) across the Internet, with peer authentication between the VPN endpoints.
Peer authentication methods:
• PSKs
• RSA signatures
• RSA encrypted nonces
IKE Phase 2
Figure: IKE Phase 2 between R1 and R2 on behalf of Host A and Host B.
8.4 Implementing Site-to-Site IPSec VPNs
Implementing Site-to-Site IPSec VPNs
Configuring Site-to-Site IPSec VPN
IPSec VPN Negotiation
Figure: negotiation between R1 and R2 for traffic between 10.0.1.3 and 10.0.2.3.
Summary of Tasks
Task 1
Configure Compatible ACLs
Overview
Permitting Traffic
Overview
Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 (S0/0/0, 172.30.1.2) and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 (S0/0/0, 172.30.2.2) across the Internet; AH, ESP and IKE must pass between the routers.
Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec.
Permitting Traffic
Figure: the same topology, showing AH, ESP and IKE permitted between 172.30.1.2 and 172.30.2.2.
Task 2
Configure IKE
Overview
ISAKMP Parameters
Multiple Policies
Policy Negotiations
Crypto ISAKMP Key
Sample Configuration
Overview
Figure: Site 1 (10.0.1.0/24, 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, 10.0.2.3) behind R2 across the Internet; R1 Policy 110: DES, MD5, pre-share, DH1, lifetime 86400, tunnel.
router(config)#
crypto isakmp policy priority
Defines the parameters within the IKE policy
R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption des
R1(config-isakmp)# group 1
R1(config-isakmp)# hash md5
R1(config-isakmp)# lifetime 86400
ISAKMP Parameters
Parameter: encryption algorithm. Keywords: des, 3des, aes, aes 192, aes 256. Accepted values: 56-bit Data Encryption Standard; Triple DES; 128-bit AES; 192-bit AES; 256-bit AES. Description: message encryption. Default value: des.
Parameter: hash algorithm. Keywords: sha, md5. Accepted values: SHA-1 (HMAC variant); MD5 (HMAC variant). Description: message integrity (hash). Default value: sha.
Parameter: authentication method. Keywords: pre-share, rsa-encr, rsa-sig. Accepted values: preshared keys; RSA encrypted nonces; RSA signatures. Description: peer authentication. Default value: rsa-sig.
Parameter: group. Keywords: 1, 2, 5. Accepted values: 768-bit Diffie-Hellman (DH); 1024-bit DH; 1536-bit DH. Description: key exchange parameters (DH group identifier). Default value: 1.
Parameter: lifetime. Keyword: seconds. Accepted values: any number of seconds. Description: ISAKMP-established SA lifetime. Default value: 86,400 sec (one day).
Multiple Policies
Figure: Site 1 (10.0.1.0/24, 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, 10.0.2.3) behind R2 across the Internet.

R1(config)#
crypto isakmp policy 100
hash md5
authentication pre-share
!
crypto isakmp policy 200
hash sha
authentication rsa-sig
!
crypto isakmp policy 300
hash md5
authentication pre-share

R2(config)#
crypto isakmp policy 100
hash md5
authentication pre-share
!
crypto isakmp policy 200
hash sha
authentication rsa-sig
!
crypto isakmp policy 300
hash md5
authentication rsa-sig
Policy Negotiations
Figure: Site 1 and Site 2 across the Internet agree on Policy 110: pre-share, 3DES, SHA, DH2, lifetime 43200, tunnel.
R2 must have an ISAKMP policy configured with the same parameters.

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200

R2(config)# crypto isakmp policy 100
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200
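How the Multiple Policies and Policy Negotiations slides play out, modelled in Python as an added example (not code from the course deck). The block parses crypto isakmp policy blocks from IOS-style config text and applies the matching rule as the IOS documentation describes it (my reading of it; confirm against your platform): the initiator offers all of its policies, the responder walks its own policies in priority order (lowest number first) and takes the first that matches any offer; encryption, hash, authentication and DH group must be identical, an offered lifetime is accepted when it is less than or equal to the responder's, and the shorter value is used. Parameters a policy does not set take the defaults from the ISAKMP Parameters table. The config text is constructed from the two slides.

```python
"""ISAKMP policy parsing and negotiation (constructed model of IOS behaviour)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Defaults from the ISAKMP Parameters table
DEFAULTS: Dict[str, object] = {"encryption": "des", "hash": "sha",
                               "authentication": "rsa-sig", "group": 1,
                               "lifetime": 86400}


@dataclass
class IsakmpPolicy:
    priority: int
    settings: Dict[str, object] = field(default_factory=dict)

    def get(self, key: str):
        return self.settings.get(key, DEFAULTS[key])

    def accepts(self, offer: "IsakmpPolicy") -> bool:
        """Responder-side check of one offered policy against this one."""
        for key in ("encryption", "hash", "authentication", "group"):
            if self.get(key) != offer.get(key):
                return False
        return offer.get("lifetime") <= self.get("lifetime")


def parse_isakmp_policies(config: str) -> List[IsakmpPolicy]:
    """Read 'crypto isakmp policy N' blocks from running-config style text."""
    policies: List[IsakmpPolicy] = []
    current: Optional[IsakmpPolicy] = None
    for raw in config.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] == "!":
            continue
        if parts[:3] == ["crypto", "isakmp", "policy"]:
            current = IsakmpPolicy(int(parts[3]))
            policies.append(current)
        elif current is not None and parts[0] in DEFAULTS:
            value: object = " ".join(parts[1:])        # e.g. "3des" or "aes 256"
            if parts[0] in ("group", "lifetime"):
                value = int(value)
            current.settings[parts[0]] = value
    return policies


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[int, int, int]]:
    """Return (responder policy, initiator policy, agreed lifetime), or None."""
    offers = sorted(initiator, key=lambda p: p.priority)
    for own in sorted(responder, key=lambda p: p.priority):
        for offer in offers:
            if own.accepts(offer):
                lifetime = min(int(own.get("lifetime")), int(offer.get("lifetime")))
                return (own.priority, offer.priority, lifetime)
    return None


# Constructed from the Multiple Policies slide
R1_MULTI = """
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication pre-share
"""
R2_MULTI = """
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication rsa-sig
"""

if __name__ == "__main__":
    print(negotiate(parse_isakmp_policies(R1_MULTI), parse_isakmp_policies(R2_MULTI)))
```

Policy 300 differs in authentication method on the two routers, so it can never match on its own, but negotiation still succeeds because policy 100 agrees on both sides. The priority number itself does not have to match, which is why R1's policy 110 pairs with R2's policy 100 on the Policy Negotiations slide.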
Crypto ISAKMP Key
router(config)#
crypto isakmp key keystring address peer-address
router(config)#
crypto isakmp key keystring hostname hostname
keystring: This parameter specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers.
peer-address: This parameter specifies the IP address of the remote peer.
hostname: This parameter specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com).
Figure: Site 1 and Site 2 across the Internet.
R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)#
Task 3
Configure the Transform Set
Overview
Transform Sets
Sample Configuration
Overview
router(config)#
crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3]
transform-set-name: This parameter specifies the name of the transform set to create (or modify).
transform1, transform2, transform3: Type of transform set. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication. These transforms define the IP Security (IPSec) security protocols and algorithms.
Transform Sets
Figure: Host A (10.0.1.3) behind R1 (172.30.1.2) and Host B (10.0.2.3) behind R2 (172.30.2.2) across the Internet. R1 is configured with transform-set ALPHA (esp-3des, tunnel) and transform-set BETA (esp-des, esp-md5-hmac, tunnel); R2 is configured with transform-set RED (esp-des, tunnel) and transform-set BLUE (esp-des, ah-sha-hmac, tunnel). Callouts 1 to 7 mark the negotiation steps.
Sample Configuration
Note: Peers must share the same transform set settings.
R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)# crypto ipsec transform-set OTHERSET esp-aes 128
R2(cfg-crypto-trans)# exit
Task 4
Configure the Crypto ACLs
Overview
Command Syntax
Symmetric Crypto ACLs
Overview
Figure: crypto ACL processing on R1 for Host A. Outbound traffic is either encrypted or bypassed (plaintext); inbound traffic is permitted, bypassed, or discarded (plaintext).
Command Syntax
Figure: Site 1 (10.0.1.0/24, 10.0.1.3) behind R1 (S0/0/0, 172.30.1.2) and Site 2 (10.0.2.0/24, 10.0.2.3) behind R2 (S0/0/0, 172.30.2.2) across the Internet.
router(config)#
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
protocol: This option specifies which traffic to protect by cryptography based on the protocol, such as TCP, UDP, or ICMP. If the protocol is IP, then all IP traffic that matches that permit statement is encrypted.
source and destination: If the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, then the traffic between the specified source and destination is sent in plaintext.
Symmetric Crypto ACLs
Figure: Site 1 (10.0.1.0/24, 10.0.1.3) behind R1 (S0/0/0, 172.30.1.2) and Site 2 (10.0.2.0/24, 10.0.2.3) behind R2 (S0/0/0, 172.30.2.2; S0/1) across the Internet; the crypto ACLs on R1 and R2 mirror each other.
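The Command Syntax and Symmetric Crypto ACLs slides, worked in Python as an added example (not code from the course deck). It parses the numbered access-list form shown above (with host, any and wildcard-mask targets), decides the outbound disposition (encrypt for a permit match, bypass otherwise), decides the inbound disposition the way IOS treats a crypto ACL (traffic the ACL selects must arrive inside IPSec, otherwise it is discarded), and generates the mirrored ACL the peer needs. The sample ACL lines are constructed from the addresses on the slides; noncontiguous wildcard masks are outside what this small parser handles.

```python
"""Crypto ACL parsing, packet classification and mirroring (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class AclEntry:
    number: int
    action: str        # "permit" (protect) or "deny" (send in plaintext)
    protocol: str      # "ip" matches every protocol; otherwise tcp, udp, icmp, ...
    src: IPv4Net
    dst: IPv4Net


def _parse_target(tokens: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard is the inverted subnet mask: 0.0.0.255 -> 255.255.255.0
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def _fmt(net: IPv4Net) -> str:
    """Render a network back into IOS ACL syntax."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    wildcard = ".".join(str(255 - int(o)) for o in str(net.netmask).split("."))
    return f"{net.network_address} {wildcard}"


def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_target(t, 4)
        dst, _ = _parse_target(t, i)
        entries.append(AclEntry(int(t[1]), t[2], t[3], src, dst))
    return entries


def first_match(entries: List[AclEntry], proto: str, src: str, dst: str) -> Optional[AclEntry]:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.protocol in ("ip", proto) and s in e.src and d in e.dst:
            return e
    return None


def outbound_disposition(entries: List[AclEntry], proto: str, src: str, dst: str) -> str:
    """Outbound: a permit match is encrypted; everything else leaves as plaintext."""
    e = first_match(entries, proto, src, dst)
    return "encrypt" if e is not None and e.action == "permit" else "bypass"


def inbound_disposition(entries: List[AclEntry], proto: str, src: str, dst: str,
                        arrived_protected: bool) -> str:
    """Inbound: the ACL is evaluated with source and destination swapped; selected
    traffic is permitted only if it arrived inside IPSec, otherwise discarded."""
    e = first_match(entries, proto, dst, src)
    if e is not None and e.action == "permit":
        return "permit" if arrived_protected else "discard"
    return "bypass"


def mirror_acl(entries: List[AclEntry], number: Optional[int] = None) -> List[str]:
    """The symmetric crypto ACL for the peer router: source and destination swapped."""
    return [f"access-list {number if number is not None else e.number} "
            f"{e.action} {e.protocol} {_fmt(e.dst)} {_fmt(e.src)}" for e in entries]


# Constructed from the show crypto map slide and the Site 1 / Site 2 subnets
R1_HOST_ACL = "access-list 102 permit ip host 10.0.1.3 host 10.0.2.3"
R1_SUBNET_ACL = "access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255"

if __name__ == "__main__":
    acl = parse_acl(R1_SUBNET_ACL)
    print(outbound_disposition(acl, "tcp", "10.0.1.77", "10.0.2.9"))
    print(mirror_acl(acl))
```

Running the subnet ACL through mirror_acl gives the entry R2 must carry; if R2's ACL is narrower or wider than the mirror, one direction of traffic is selected for protection and the other is not, and the tunnel fails in ways that only show up in debug output.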
Task 5
Apply the Crypto Map
Overview
Crypto Map Command
Crypto Map Configuration Mode Commands
Sample Configuration
Assign the Crypto Map Set
Overview
Figure: Site 1 (10.0.1.3) behind R1 and Site 2 (10.0.2.3) behind R2 across the Internet.
Crypto Map Command
router(config)#
crypto map map-name seq-num ipsec-manual
map-name: Defines the name assigned to the crypto map set or indicates the name of the crypto map to edit.
ipsec-manual: Indicates that ISAKMP will not be used to establish the IPsec SAs.
ipsec-isakmp: Indicates that ISAKMP will be used to establish the IPsec SAs.
cisco: (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic.
dynamic: (Optional) Specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available.
dynamic-map-name: (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.
Crypto Map Configuration Mode Commands
set: Used with the peer, pfs, transform-set, and security-association commands.
transform-set [set_name(s)]: Specify list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, then only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified.
security-association lifetime: Sets SA lifetime parameters in seconds or kilobytes.
match address [access-list-id | name]: Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP-extended ACL being matched.
Sample Configuration
Figure: Site 1 (10.0.1.0/24, 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, 10.0.2.3) behind R2 (S0/0/0, 172.30.2.2) across the Internet, with a third router R3 (S0/0/0, 172.30.3.2).
Assign the Crypto Map Set
Figure: Site 1 (10.0.1.0/24, 10.0.1.3) behind R1 (S0/0/0, 172.30.1.2) and Site 2 (10.0.2.0/24, 10.0.2.3) behind R2 (S0/0/0, 172.30.2.2) across the Internet; crypto map MYMAP is assigned to R1's S0/0/0.
router(config-if)#
crypto map map-name
Applies the crypto map set (MYMAP in the figure) to the interface.
Verify and Troubleshoot the IPSec Configuration
CLI Commands
show crypto map
Figure: Site 1 (10.0.1.0/24, 10.0.1.3) behind R1 (S0/0/0, 172.30.1.2) and Site 2 (10.0.2.0/24, 10.0.2.3) behind R2 (S0/0/0, 172.30.2.2) across the Internet.
router#
show crypto map
Displays the currently configured crypto maps
R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 110
access-list 102 permit ip host 10.0.1.3 host 10.0.2.3
Current peer: 172.30.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ MYSET, }
show crypto isakmp policy
Figure: the Site 1 / Site 2 topology used throughout this section.
router#
show crypto isakmp policy
show crypto ipsec transform-set
Figure: the Site 1 / Site 2 topology used throughout this section.
show crypto ipsec sa
Figure: the Site 1 / Site 2 topology used throughout this section.
debug crypto isakmp
router#
debug crypto isakmp
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2
8.5 Implementing Site-to-Site IPSec VPNs Using SDM
Implementing Site-to-Site IPSec VPNs Using SDM
Configuring IPSec Using SDM
Starting a VPN Wizard
1. Click Configure in the main toolbar
2.
3. Choose a wizard
VPN Components
Figure: the SDM VPN tree, with VPN Wizards and VPN Components (the individual IPsec components used to build VPNs).
Configuring a Site-to-Site VPN
Choose Configure > VPN > Site-to-Site VPN
Site-to-Site VPN Wizard
VPN Wizard-Quick Setup
Quick Setup
Verify Parameters
Quick Setup
Verify Parameters
VPN Wizard-Step-by-Step Setup
Step-by-Step Wizard
Creating a Custom IKE Proposal
Creating a Custom IPSec Transform Set
Protecting Traffic - Subnet to Subnet
Protecting Traffic - Custom ACL
Add a Rule
Configuring a New Rule Entry
Configuration Summary
Step-by-Step Wizard
1. Choose the outside interface that is used to connect to the IPSec peer
2. Specify the IP address of the peer
3. Choose the authentication method and specify the credentials
4. Click Next
Creating a Custom IKE Proposal
1. Click Add to define a proposal
3. Click Next
Creating a Custom IPSec Transform Set
1. Click Add
2. Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation and optional compression
3. Click Next
Protecting Traffic
Subnet to Subnet
2. Define the IP address and subnet mask of the local network
3. Define the IP address and subnet mask of the remote network
Protecting Traffic
Custom ACL
Configuring a New Rule Entry
Choose an action and enter a description of the rule entry
Configuration Summary
Verifying, Monitoring, and Troubleshooting VPNs
Verify VPN Configuration
Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN
Monitor
Choose Monitor > VPN Status > IPSec Tunnels
8.6 Implementing A Remote Access VPN
Implementing A Remote Access VPN
The Changing Corporate Landscape
Telecommuting
Telecommuting Benefits
Telecommuting Requirements
Telecommuting
Telecommuting Benefits
Organizational benefits:
• Continuity of operations
• Increased responsiveness
• Secure, reliable, and manageable access to information
• Cost-effective integration of data, voice, video, and applications
• Increased employee productivity, satisfaction, and retention
Social benefits:
• Increased employment opportunities for marginalized groups
• Less travel and commuter related stress
Environmental benefits:
• Reduced carbon footprints, both for individual workers and organizations
Telecommuting Requirements
Introduction to Remote Access
Methods for Deploying Remote Access
Comparison of SSL and IPSec
Encryption: SSL is moderate (key lengths from 40 bits to 128 bits); IPsec is stronger (key lengths from 56 bits to 256 bits).
Authentication: SSL is moderate (one-way or two-way authentication); IPsec is strong (two-way authentication using shared secrets or digital certificates).
Ease of Use: SSL is very high; IPsec is moderate (can be challenging to nontechnical users).
Overall Security: SSL is moderate (any device can connect); IPsec is strong (only specific devices with specific configurations can connect).
SSL VPNs
Overview
Types of Access
Full Tunnel Client Access Mode
Establishing an SSL Session
Design Considerations
Overview
• Integrated security and routing
• Browser-based full network SSL VPN access
Figure: an SSL VPN tunnel across the Internet from a remote workplace to the headquarters SSL VPN router and its resources.
Types of Access
Full Tunnel Client Access Mode
Establishing an SSL Session
4. The shared-secret key, encrypted with the public key of the server, is sent to the router
SSL VPN Design Considerations
User connectivity
Router feature
Infrastructure planning
Implementation scope
Cisco Easy VPN
Overview
Components
Securing the VPN
Overview
Components
Securing the VPN
1. Initiate IKE Phase 1
2. Establish ISAKMP SA
3. Accept proposal
4. Username/password challenge
Configuring a VPN Server Using SDM
Configuring Cisco Easy VPN Server
Configuring IKE Proposals
2. Specify required parameters
Creating an IPSec Transform Set
Group Authorization and Group Policy Lookup
1. Select the location where Easy VPN group policies can be stored
Remaining steps (2 to 5): Click Add, Click Next, Click Next
Summary of Configuration Parameters
Connecting with a VPN Client
Overview
Establishing a Connection
VPN Client Overview
Figure: Cisco VPN Client with connection entry R1 for host R1-vpn-cluster.span.com.
Establishing a Connection
Figure: connecting with entry "R1" to R1-vpn-cluster.span.com; once authenticated, the status changes to connected.