
CCNA Security

Chapter 8 Implementing Virtual Private Networks

1
Lesson Planning

• This lesson should take 3-4 hours to present
• The lesson should include lecture, demonstrations, discussions and assessments
• The lesson can be taught in person or using remote instruction

2
Major Concepts

• Describe the purpose and operation of VPN types
• Describe the purpose and operation of GRE VPNs
• Describe the components and operations of IPsec VPNs
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using CLI
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM
• Configure and verify a Remote Access VPN

3
Contents

• 8.1 VPNs
• 8.2 GRE VPNs
• 8.3 IPSec VPN Components and Operation
• 8.4 Implementing Site-to-Site IPSec VPNs
• 8.5 Implementing Site-to-Site IPSec VPNs Using SDM
• 8.6 Implementing A Remote Access VPN

4
8.1 VPNs

5
VPNs

• VPN Overview
• VPN Technologies
• VPN Solutions

6
VPN Overview

• What is a VPN?
• Layer 3 VPNs

7
What is a VPN?

[Figure: corporate WAN behind a firewall and VPN gateway, connected over the Internet to a business partner with a Cisco router, a mobile worker with a Cisco VPN Client, a SOHO with a Cisco DSL router and a regional branch with a VPN-enabled Cisco ISR router]

• Virtual: Information within a private network is transported over a public network.
• Private: The traffic is encrypted to keep the data confidential.

8
Layer 3 VPN

[Figure: SOHO with a Cisco DSL router reaching a VPN gateway across the Internet; the traffic is protected with IPSec]

• Generic Routing Encapsulation (GRE)
• Multiprotocol Label Switching (MPLS)
• IPSec

9
VPN Technologies

• Types of VPN Networks
• Site-to-Site VPN
• Remote-Access VPN
• VPN Client Software
• Cisco IOS SSL VPN

10
Types of VPN Networks

[Figure: remote-access VPNs (mobile worker with a Cisco VPN Client, SOHO with a Cisco DSL router) and site-to-site VPNs (business partner with a Cisco router, regional branch with a VPN-enabled Cisco ISR router) terminating at the corporate Internet firewall and VPN gateway, which front the web, email and DNS servers]
11
Site-to-Site VPN

[Figure: site-to-site VPNs from a business partner with a Cisco router, a SOHO with a Cisco DSL router and a regional branch with a VPN-enabled Cisco ISR router to the corporate VPN gateway]

Hosts send and receive normal TCP/IP traffic through a VPN gateway.

12
Remote-Access VPNs

[Figure: remote-access VPN from a mobile worker with a Cisco VPN Client across the Internet to the corporate firewall, VPN gateway and IPS, which front the web, email and DNS servers]

13
VPN Client Software

[Figure: Cisco VPN Client connection entry "R1" with host R1-vpn-cluster.span.com]

In a remote-access VPN, each host typically has Cisco VPN Client software.

14
Cisco IOS SSL VPN

• Provides remote-access connectivity from any Internet-enabled host
• Uses a web browser and SSL encryption
• Delivers two modes of access:
  Clientless
  Thin client

15
VPN Solutions

• Cisco VPN Product Family
• Cisco VPN-Optimized Routers
• Cisco ASA 5500 Series Adaptive Security Appliances
• IPSec Clients
• Hardware Acceleration Modules

16
Cisco VPN Product Family

Product Choice                                       Remote-Access VPN   Site-to-Site VPN
Cisco VPN-Enabled Router                             Secondary role      Primary role
Cisco PIX 500 Series Security Appliances             Secondary role      Primary role
Cisco ASA 5500 Series Adaptive Security Appliances   Primary role        Secondary role
Cisco VPN 3000 Series Concentrators                  Primary role        Secondary role
Home Routers                                         Primary role        ?

17
Cisco VPN-Optimized Routers

[Figure: main office, regional office, remote office and SOHO Cisco routers connected across the Internet]

VPN Features:
• Voice and video enabled VPN (V3PN)
• IPSec stateful failover
• DMVPN
• IPSec and Multiprotocol Label Switching (MPLS) integration
• Cisco Easy VPN
18
Cisco ASA 5500 Series Adaptive Security Appliances

[Figure: central site ASA providing Internet, intranet, extranet and business-to-business connectivity to a remote site and a remote user]

• Flexible platform
• Resilient clustering
• Cisco Easy VPN
• Automatic Cisco VPN Client updates
• Cisco IOS SSL VPN
• VPN infrastructure for contemporary applications
• Integrated web-based management

19
IPSec Clients

[Figure: IPsec client options connecting to the corporate VPN across the Internet]
• Certicom PDA IPsec VPN Client: a wireless client that is loaded on a PDA
• Cisco VPN Software Client: software loaded on a PC
• Router with Firewall and VPN Client: a network appliance that connects SOHO LANs to the VPN
• Cisco AnyConnect VPN Client: provides remote users with secure VPN connections
20
Hardware Acceleration Modules

• AIM
• Cisco IPSec VPN Shared Port Adapter (SPA)
• Cisco PIX VPN Accelerator Card+ (VAC+)
• Enhanced Scalable Encryption Processing (SEP-E)

[Figure: Cisco IPsec VPN SPA]

21
8.2 GRE VPNs

22
GRE VPNs

 Overview

 Encapsulation

 Configuring a GRE Tunnel

 Using GRE

23
Overview

24
Encapsulation

[Figure: an original IP packet and the same packet encapsulated with GRE]

25
Configuring a GRE Tunnel

Steps: create a tunnel interface; assign the tunnel an IP address; identify the source tunnel interface; identify the destination of the tunnel; configure what protocol GRE will encapsulate.

R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 192.168.5.5
R1(config-if)# tunnel mode gre ip
R1(config-if)#

R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 192.168.3.3
R2(config-if)# tunnel mode gre ip
R2(config-if)#

26
Using GRE

[Flowchart: Is the traffic IP only? If yes, is it unicast only? If both answers are yes, use an IPsec VPN; if either answer is no, use a GRE tunnel]

GRE does not provide encryption

27
8.3 IPSec VPN Components and Operation

28
IPSec VPN Components and Operation

• Introducing IPSec
• IPSec Security Protocols
• Internet Key Exchange (IKE)

29
Introducing IPSec

• IPSec Topology
• IPSec Framework
• Confidentiality
• Integrity
• Authentication
  Pre-Shared Key
  RSA Signature
• Secure Key Exchange

30
IPSec Topology

[Figure: main site with an IPsec perimeter router, ASA firewall, legacy concentrator and Cisco PIX, connected through a POP to a business partner with a Cisco router, a regional office with a Cisco PIX firewall, a mobile worker with a Cisco VPN Client on a laptop computer and a SOHO with a Cisco SDN/DSL router]

• Works at the network layer, protecting and authenticating IP packets.
• It is a framework of open standards which is algorithm-independent.
• It provides data confidentiality, data integrity, and origin authentication.

31
IPSec Framework

[Figure: IPsec framework choices (IPsec protocol, confidentiality, integrity, authentication, Diffie-Hellman group, e.g. DH7)]

32
Confidentiality

[Figure: encryption choices in the IPsec framework, ordered from least secure to most secure by key length: 56-bit; 56-bit (3 times); 128-, 192- and 256-bit; 160-bit]

33
Integrity

[Figure: integrity choices in the IPsec framework, ordered from least secure to most secure by key length: 128-bit; 160-bit]

34
Authentication

[Figure: IPsec framework with the authentication row highlighted]

35
Pre-shared Key (PSK)

• At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.
• The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.

36
RSA Signatures

• At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local device's private encryption key creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I.
• Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.
37
Secure Key Exchange

[Figure: IPsec framework with the Diffie-Hellman row highlighted (e.g. DH7)]

38
IPSec Security Protocols

• IPSec Framework Protocols
• Authentication Header
• ESP
• Function of ESP
• Mode Types

39
IPSec Framework Protocols

Authentication Header
[Figure: R1 to R2, all data is in plaintext]
AH provides the following:
• Authentication
• Integrity

Encapsulating Security Payload
[Figure: R1 to R2, data payload is encrypted]
ESP provides the following:
• Encryption
• Authentication
• Integrity
40
Authentication Header

[Figure: R1 hashes IP Header + Data + Key, prepends an AH header carrying the authentication data (00ABCDEF) to the packet (IP HDR | AH | Data) and sends it across the Internet; R2 hashes IP Header + Data + Key again and compares the recomputed hash (00ABCDEF) with the received hash (00ABCDEF)]

1. The IP header and data payload are hashed.
2. The hash builds a new AH header which is prepended to the original packet.
3. The new packet is transmitted to the IPsec peer router.
4. The peer router hashes the IP header and data payload, extracts the transmitted hash and compares.
41
ESP

[Figure: IPsec framework with ESP selected as the IPsec protocol]

42
Function of ESP

[Figure: two routers across the Internet; the original packet (IP HDR | Data) is carried as New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth, with the inner packet encrypted and the ESP portion authenticated]

• Provides confidentiality with encryption
• Provides integrity with authentication

43
Mode Types

Original data prior to selection of IPSec protocol mode:
IP HDR | Data

Transport Mode (encrypted and authenticated):
IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth

Tunnel Mode (encrypted and authenticated):
New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth

44
Internet Key Exchange (IKE)

• Security Associations
• IKE Phases
• IKE Phase 1 – Three Exchanges
• IKE Phase 1 – Aggressive Mode
• IKE Phase 2

45
Security Associations

IPSec parameters are configured using IKE


46
IKE Phases

[Figure: Host A (10.0.1.3) behind R1 and Host B (10.0.2.3) behind R2]

IKE Phase 1 Exchange
1. Negotiate IKE policy sets (R1 Policy 10 and R2 Policy 15: DES, MD5, pre-share, DH1, lifetime)
2. DH key exchange
3. Verify the peer identity

IKE Phase 2 Exchange
Negotiate IPsec policy

47
IKE Phase 1 – First Exchange
Negotiate IKE Proposals

[Figure: Host A (10.0.1.3) behind R1 and Host B (10.0.2.3) behind R2]

R1 IKE policy sets:
Policy 10: DES, MD5, pre-share, DH1, lifetime
Policy 20: 3DES, SHA, pre-share, DH1, lifetime

R2 IKE policy sets:
Policy 15: DES, MD5, pre-share, DH1, lifetime

Negotiates matching IKE policies to protect IKE exchange

48
IKE Phase 1 – Second Exchange
Establish DH Key

Alice: private value XA, public value YA = g^XA mod p
Bob:   private value XB, public value YB = g^XB mod p

Alice sends YA to Bob; Bob sends YB to Alice.

Alice computes (YB)^XA mod p = K
Bob computes   (YA)^XB mod p = K

A DH exchange is performed to establish keying material.

49
IKE Phase 1 – Third Exchange
Authenticate Peer

[Figure: remote office and corporate office (HR servers) peers authenticate each other across the Internet]

Peer authentication methods:
• PSKs
• RSA signatures
• RSA encrypted nonces

A bidirectional IKE SA is now established.
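The second and third exchanges, modelled end to end in Python as an added example (not course material): a Diffie-Hellman exchange written with the slide's symbols (XA, YA, XB, YB, K), followed by PSK authentication in both directions (hash_I, then hash_R). The prime and generator are a toy modulus, the identities are the course's tunnel endpoints, and the way hash_I is derived is a simplification of IKE's HASH_I; all three are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters for the worked example: the Mersenne prime 2^127 - 1 and
# generator 2. They are NOT an IKE DH group (group 1 is a 768-bit MODP prime); a real
# deployment takes p and g from the negotiated group.
P = (1 << 127) - 1
G = 2
NBYTES = 16  # every value mod P fits in 16 bytes


def dh_keypair():
    """Second exchange, one side: private value X, public value Y = g^X mod p."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def dh_shared(y_peer, x_own):
    """K = (Y_peer)^X_own mod p; both peers reach the same K."""
    return pow(y_peer, x_own, P)


def auth_hash(psk, identity, y_sender, y_receiver, k):
    """Third exchange: hash over the sender's identity and the authentication key.

    Simplified from IKE: the PSK and K are first mixed into a per-session key (the role
    IKE's SKEYID plays), which then keys an HMAC over the identity and both DH public
    values. Only a peer holding the same PSK and the same K can recompute it.
    """
    session_key = hmac.new(psk, k.to_bytes(NBYTES, "big"), hashlib.sha256).digest()
    msg = identity + y_sender.to_bytes(NBYTES, "big") + y_receiver.to_bytes(NBYTES, "big")
    return hmac.new(session_key, msg, hashlib.sha256).digest()


def ike_phase1(psk_local, psk_remote, id_local=b"172.30.1.2", id_remote=b"172.30.2.2"):
    """Run the second and third exchanges between a local and a remote peer.

    Each peer is handed its own copy of the PSK so that a mismatch can be demonstrated;
    the identities default to the tunnel endpoint addresses of the course topology.
    """
    # Second exchange: both peers pick a private value and send the public value.
    xa, ya = dh_keypair()   # local  (Alice)
    xb, yb = dh_keypair()   # remote (Bob)
    k_local = dh_shared(yb, xa)
    k_remote = dh_shared(ya, xb)

    # Third exchange, local -> remote: hash_I is sent; the remote peer recomputes it.
    hash_i = auth_hash(psk_local, id_local, ya, yb, k_local)
    local_ok = hmac.compare_digest(hash_i, auth_hash(psk_remote, id_local, ya, yb, k_remote))

    # Opposite direction: hash_R is sent; the local peer recomputes it.
    hash_r = auth_hash(psk_remote, id_remote, yb, ya, k_remote)
    remote_ok = hmac.compare_digest(hash_r, auth_hash(psk_local, id_remote, yb, ya, k_local))

    return {
        "dh_agreed": k_local == k_remote,
        "local_authenticated": local_ok,
        "remote_authenticated": remote_ok,
        "ike_sa_established": local_ok and remote_ok,
    }


if __name__ == "__main__":
    print(ike_phase1(b"cisco123", b"cisco123"))   # matching keys: IKE SA established
    print(ike_phase1(b"cisco123", b"cisco124"))   # mismatched keys: both directions fail
```

Note that with a mismatched PSK the DH exchange still produces the same K on both sides; only the authentication step fails, which is why a key mismatch shows up as a Main Mode failure and not as a key-exchange error.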


50
IKE Phase 1 – Aggressive Mode

[Figure: Host A (10.0.1.3) behind R1 and Host B (10.0.2.3) behind R2; R1 Policy 10 and R2 Policy 15: DES, MD5, pre-share, DH1, lifetime]

IKE Phase 1 Aggressive Mode Exchange
1. R1 sends its IKE policy set and R1's DH key.
2. R2 confirms the IKE policy set, calculates the shared secret and sends R2's DH key.
3. R1 calculates the shared secret, verifies the peer identity, and confirms with the peer.
4. R2 authenticates the peer and begins Phase 2.

IKE Phase 2 Exchange
Negotiate IPsec policy

51
IKE Phase 2

[Figure: Host A (10.0.1.3) behind R1 and Host B (10.0.2.3) behind R2 negotiate IPsec security parameters]

• IKE negotiates matching IPsec policies.
• Upon completion, unidirectional IPsec Security Associations (SA) are established for each protocol and algorithm combination.

52
8.4 Implementing Site-to-Site IPSec VPNs

53
Implementing Site-to-Site IPSec VPNs

• Configuring Site-to-Site IPSec VPNs
• Task 1 – Configure Compatible ACLs
• Task 2 – Configure IKE
• Task 3 – Configure the Transform Set
• Task 4 – Configure the Crypto ACLs
• Task 5 – Apply the Crypto Map
• Verify and Troubleshoot the IPSec Configuration

54
Configuring Site-to-Site IPSec VPN

• IPSec VPN Negotiation
• Summary of Tasks

55
IPSec VPN Negotiation

[Figure: Host A (10.0.1.3), R1, R2, Host B (10.0.2.3)]

1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session (an IKE SA on each side).
3. R1 and R2 negotiate an IKE Phase 2 session (an IPsec SA on each side).
4. Information is exchanged via the IPsec tunnel.
5. The IPsec tunnel is terminated.

56
Summary of Tasks

Tasks to Configure IPsec:
Task 1: Ensure that ACLs are compatible with IPsec.
Task 2: Create ISAKMP (IKE) policy.
Task 3: Configure IPsec transform set.
Task 4: Create a crypto ACL.
Task 5: Create and apply the crypto map.

57
Task 1
Configure Compatible ACLs

• Overview
• Permitting Traffic

58
Overview

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 (S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 (S0/0/0 172.30.2.2); AH, ESP and IKE traffic crosses the Internet between the routers]

• Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec.

59
Permitting Traffic

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 (S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 (S0/0/0 172.30.2.2); AH, ESP and IKE traffic crosses the Internet between the routers]

R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1(config)#
R1(config)# interface Serial0/0/0
R1(config-if)# ip address 172.30.1.2 255.255.255.0
R1(config-if)# ip access-group 102 in
!
R1(config)# exit
R1#
R1# show access-lists
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1#

60
Task 2
Configure IKE

• Overview
• ISAKMP Parameters
• Multiple Policies
• Policy Negotiations
• Crypto ISAKMP Key
• Sample Configuration

61
Overview

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2, with a tunnel across the Internet; Policy 110: DES, MD5, Preshare, 86400, DH1]

router(config)#
crypto isakmp policy priority
Defines the parameters within the IKE policy

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption des
R1(config-isakmp)# group 1
R1(config-isakmp)# hash md5
R1(config-isakmp)# lifetime 86400

62
ISAKMP Parameters

Parameter: encryption
  Keywords / accepted values: des (56-bit Data Encryption Standard), 3des (Triple DES), aes (128-bit AES), aes 192 (192-bit AES), aes 256 (256-bit AES)
  Description: Message encryption algorithm
  Default value: des

Parameter: hash
  Keywords / accepted values: sha (SHA-1, HMAC variant), md5 (MD5, HMAC variant)
  Description: Message integrity (hash) algorithm
  Default value: sha

Parameter: authentication
  Keywords / accepted values: pre-share (preshared keys), rsa-encr (RSA encrypted nonces), rsa-sig (RSA signatures)
  Description: Peer authentication method
  Default value: rsa-sig

Parameter: group
  Keywords / accepted values: 1 (768-bit Diffie-Hellman), 2 (1024-bit DH), 5 (1536-bit DH)
  Description: Key exchange parameters (DH group identifier)
  Default value: 1

Parameter: lifetime
  Keywords / accepted values: seconds (can specify any number of seconds)
  Description: ISAKMP-established SA lifetime
  Default value: 86,400 sec (one day)

63
Multiple Policies

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 across the Internet]

R1(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication pre-share

R2(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication rsa-sig

64
Policy Negotiations

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 with a tunnel across the Internet; Policy 110: Preshare, 3DES, SHA, DH2, 43200]

R1 attempts to establish a VPN tunnel with R2 and sends its IKE policy parameters. R2 must have an ISAKMP policy configured with the same parameters.

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200

R2(config)# crypto isakmp policy 100
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200

65
Crypto ISAKMP Key

router(config)#
crypto isakmp key keystring address peer-address

router(config)#
crypto isakmp key keystring hostname hostname

Parameter      Description
keystring      This parameter specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers.
peer-address   This parameter specifies the IP address of the remote peer.
hostname       This parameter specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com).

• The peer-address or peer-hostname can be used, but must be used consistently between peers.
• If the peer-hostname is used, then the crypto isakmp identity hostname command must also be configured.
66
Sample Configuration

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 across the Internet]

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)#

R2(config)# crypto isakmp policy 110
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200
R2(config-isakmp)# exit
R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)#

Note:
• The keystring cisco123 matches.
• The address identity method is specified.
• The ISAKMP policies are compatible.
• Default values do not have to be configured.

67
Task 3
Configure the Transform Set

• Overview
• Transform Sets
• Sample Configuration

68
Overview

router(config)#
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

crypto ipsec transform-set Parameters

Command                             Description
transform-set-name                  This parameter specifies the name of the transform set to create (or modify).
transform1, transform2, transform3  Type of transform set. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication. These transforms define the IP Security (IPSec) security protocols and algorithms.

A transform set is a combination of IPsec transforms that enact a security policy for traffic.

69
Transform Sets

[Figure: Host A (10.0.1.3) behind R1 (172.30.1.2) and Host B (10.0.2.3) behind R2 (172.30.2.2) across the Internet]

R1 transform sets, in the order they are offered:
• ALPHA: esp-3des, tunnel
• BETA: esp-des, esp-md5-hmac, tunnel
• CHARLIE: esp-3des, esp-sha-hmac, tunnel

R2 transform sets, in the order they are compared:
• RED: esp-des, tunnel
• BLUE: esp-des, ah-sha-hmac, tunnel
• YELLOW: esp-3des, esp-sha-hmac, tunnel

Attempts 1-9 compare each R1 set in turn with each R2 set; attempt 9 matches CHARLIE with YELLOW.

• Transform sets are negotiated during IKE Phase 2.
• The 9th attempt found matching transform sets (CHARLIE - YELLOW).
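The proposal matching described above, written out in Python as an added example (not course material). The same loop serves the IKE Phase 1 policy negotiation of the "Multiple Policies" and "Policy Negotiations" slides and the Phase 2 transform-set negotiation of this slide: the initiator's proposals are tried in priority order, each against the responder's proposals in their order, and the first identical pair wins. The proposal lists are constructed from the slides; attributes a slide does not show are left out, which is an assumption of this example.

```python
def parse_set(spec):
    """Normalise a proposal written as comma-separated attributes, e.g. "esp-3des, esp-sha-hmac, tunnel"."""
    return frozenset(item.strip().lower() for item in spec.split(","))


def negotiate(local, remote):
    """IKE-style proposal matching.

    local and remote are lists of (name, attributes) in priority order (lowest sequence
    number first). Each local set is tried in turn against every remote set; the first
    identical pair is accepted. Returns (attempt, local_name, remote_name), or None when no
    proposal on either side is acceptable to the other.
    """
    attempt = 0
    for lname, lset in local:
        for rname, rset in remote:
            attempt += 1
            if lset == rset:
                return attempt, lname, rname
    return None


# Transform sets from the "Transform Sets" slide, in the order R1 and R2 list them.
R1_TRANSFORM_SETS = [
    ("ALPHA", parse_set("esp-3des, tunnel")),
    ("BETA", parse_set("esp-des, esp-md5-hmac, tunnel")),
    ("CHARLIE", parse_set("esp-3des, esp-sha-hmac, tunnel")),
]
R2_TRANSFORM_SETS = [
    ("RED", parse_set("esp-des, tunnel")),
    ("BLUE", parse_set("esp-des, ah-sha-hmac, tunnel")),
    ("YELLOW", parse_set("esp-3des, esp-sha-hmac, tunnel")),
]

# ISAKMP policies from the "Multiple Policies" slide. Only hash and authentication are shown
# there, so equality here covers just those two attributes.
R1_ISAKMP = [
    (100, parse_set("md5, pre-share")),
    (200, parse_set("sha, rsa-sig")),
    (300, parse_set("md5, pre-share")),
]
R2_ISAKMP = [
    (100, parse_set("md5, pre-share")),
    (200, parse_set("sha, rsa-sig")),
    (300, parse_set("md5, rsa-sig")),
]


def phase2_result():
    """Transform-set negotiation: matches on the 9th attempt (CHARLIE - YELLOW)."""
    return negotiate(R1_TRANSFORM_SETS, R2_TRANSFORM_SETS)


def phase1_result():
    """ISAKMP policy negotiation: policies 100 and 100 agree on the first attempt."""
    return negotiate(R1_ISAKMP, R2_ISAKMP)


def phase1_mismatch():
    """If each router had only its policy 300, pre-share versus rsa-sig never agrees."""
    return negotiate(R1_ISAKMP[2:], R2_ISAKMP[2:])


if __name__ == "__main__":
    print(phase2_result())     # (9, 'CHARLIE', 'YELLOW')
    print(phase1_result())     # (1, 100, 100)
    print(phase1_mismatch())   # None: this is the "no offers accepted" case seen in debug crypto isakmp
```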

70
Sample Configuration

[Figure: Site 1 host A (10.0.1.3) behind R1 (172.30.1.2) and Site 2 host B (10.0.2.3) behind R2 (172.30.2.2) across the Internet]

R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)# crypto ipsec transform-set MYSET esp-aes 128
R1(cfg-crypto-trans)# exit
R1(config)#

R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)# crypto ipsec transform-set OTHERSET esp-aes 128
R2(cfg-crypto-trans)# exit

Note:
• Peers must share the same transform set settings.
• Names are only locally significant.

71
Task 4
Configure the Crypto ACLs

• Overview
• Command Syntax
• Symmetric Crypto ACLs

72
Overview

[Figure: crypto ACL on R1 between Host A and the Internet; for outbound traffic, permit encrypts and deny bypasses (plaintext); for inbound traffic, permit discards plaintext and deny bypasses]

• Outbound indicates the data flow to be protected by IPsec.
• Inbound filters and discards traffic that should have been protected by IPsec.

73
Command Syntax

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 (S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 (S0/0/0 172.30.2.2) across the Internet]

router(config)#
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

access-list access-list-number Parameters

Command              Description
permit               This option causes all IP traffic that matches the specified conditions to be protected by cryptography, using the policy described by the corresponding crypto map entry.
deny                 This option instructs the router to route traffic in plaintext.
protocol             This option specifies which traffic to protect by cryptography based on the protocol, such as TCP, UDP, or ICMP. If the protocol is IP, then all IP traffic that matches that permit statement is encrypted.
source and destination   If the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, then the traffic between the specified source and destination is sent in plaintext.

74
Symmetric Crypto ACLs

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 (S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 (S0/0/0 172.30.2.2) across the Internet]

Applied to R1 S0/0/0 outbound traffic:
R1(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
(when evaluating inbound traffic – source: 10.0.2.0, destination: 10.0.1.0)

Applied to R2 S0/0/0 outbound traffic:
R2(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
(when evaluating inbound traffic – source: 10.0.1.0, destination: 10.0.2.0)
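An added example (not course code) that checks the two ACL requirements of this chapter from a pair of router configurations: Task 1, that the inbound ACL on the IPsec interface permits AH, ESP and ISAKMP from the peer, and Task 4, that each crypto ACL entry has its mirror image on the other peer. The parser handles only the numbered access-list form used on these slides (host, any, or address plus wildcard, with an optional trailing port operator), and the sample ACLs are constructed from the course topology; both are assumptions of this example.

```python
import re

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.+)$")


def _take_addr(tokens):
    """Consume one address specification: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    first = tokens.pop(0)
    if first == "any":
        return ("0.0.0.0", "255.255.255.255")
    if first == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (first, tokens.pop(0))


def parse_ace(line):
    """Parse one numbered ACL entry as written on the slides; other syntax raises ValueError."""
    match = ACE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unsupported ACE: {line!r}")
    number, action, proto, rest = match.groups()
    tokens = rest.split()
    src = _take_addr(tokens)
    dst = _take_addr(tokens)
    return {"acl": int(number), "action": action, "proto": proto.lower(),
            "src": src, "dst": dst, "port": " ".join(tokens)}  # port e.g. "eq isakmp"


def _shape(ace):
    # What must agree between peers: everything except the locally significant ACL number.
    return (ace["action"], ace["proto"], ace["src"], ace["dst"], ace["port"])


def mirror(ace):
    """The peer's view of the same flow: source and destination swapped."""
    swapped = dict(ace)
    swapped["src"], swapped["dst"] = ace["dst"], ace["src"]
    return swapped


def unmirrored(local_crypto_acl, peer_crypto_acl):
    """Task 4: local crypto ACEs whose mirror image is absent from the peer's crypto ACL."""
    peer_shapes = {_shape(parse_ace(line)) for line in peer_crypto_acl}
    return [line for line in local_crypto_acl
            if _shape(mirror(parse_ace(line))) not in peer_shapes]


def missing_ipsec_permits(inbound_acl, local_ip, peer_ip):
    """Task 1: which of AH (ahp), ESP and ISAKMP (udp eq isakmp) from the peer the ACL lacks.

    Only explicit host-to-host permits are recognised; a broader 'any' permit would also
    admit the traffic on the router but is not credited here.
    """
    present = set()
    for ace in map(parse_ace, inbound_acl):
        if (ace["action"] == "permit" and ace["src"] == (peer_ip, "0.0.0.0")
                and ace["dst"] == (local_ip, "0.0.0.0")):
            present.add((ace["proto"], ace["port"]))
    required = {("ahp", ""), ("esp", ""), ("udp", "eq isakmp")}
    return sorted(required - present)


# Constructed from the course topology: R1 172.30.1.2 at Site 1, R2 172.30.2.2 at Site 2.
R1_INBOUND = [
    "access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2",
    "access-list 102 permit esp host 172.30.2.2 host 172.30.1.2",
    "access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp",
]
R1_CRYPTO = ["access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255"]
R2_CRYPTO = ["access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255"]

if __name__ == "__main__":
    print(missing_ipsec_permits(R1_INBOUND, "172.30.1.2", "172.30.2.2"))  # []
    print(unmirrored(R1_CRYPTO, R2_CRYPTO))                                 # []
```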

75
Task 5
Apply the Crypto Map

• Overview
• Crypto Map Command
• Crypto Map Configuration Mode Commands
• Sample Configuration
• Assign the Crypto Map Set

76
Overview

[Figure: Site 1 (10.0.1.3) behind R1 and Site 2 (10.0.2.3) behind R2 across the Internet; encrypted traffic leaves through the router interface or subinterface to which the crypto map is applied]

Crypto maps define the following:
• ACL to be used
• Remote VPN peers
• Transform set to be used
• Key management method
• SA lifetimes

77
Crypto Map Command

router(config)#
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]

crypto map Parameters

Command Parameters   Description
map-name             Defines the name assigned to the crypto map set or indicates the name of the crypto map to edit.
seq-num              The number assigned to the crypto map entry.
ipsec-manual         Indicates that ISAKMP will not be used to establish the IPsec SAs.
ipsec-isakmp         Indicates that ISAKMP will be used to establish the IPsec SAs.
cisco                (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic.
dynamic              (Optional) Specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available.
dynamic-map-name     (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.

78
Crypto Map Configuration Mode Commands

Command                                 Description
set                                     Used with the peer, pfs, transform-set, and security-association commands.
peer [hostname | ip-address]            Specifies the allowed IPsec peer by IP address or hostname.
pfs [group1 | group2]                   Specifies DH Group 1 or Group 2.
transform-set [set_name(s)]             Specify list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, then only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified.
security-association lifetime           Sets SA lifetime parameters in seconds or kilobytes.
match address [access-list-id | name]   Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP-extended ACL being matched.
no                                      Used to delete commands entered with the set command.
exit                                    Exits crypto map configuration mode.

79
Sample Configuration

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1; Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 (S0/0/0 172.30.2.2); a second peer R3 (S0/0/0 172.30.3.2); all connected across the Internet]

R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer 172.30.2.2 default
R1(config-crypto-map)# set peer 172.30.3.2
R1(config-crypto-map)# set pfs group1
R1(config-crypto-map)# set transform-set mine
R1(config-crypto-map)# set security-association lifetime seconds 86400

Multiple peers can be specified for redundancy.

80
Assign the Crypto Map Set

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 (S0/0/0 172.30.1.2, crypto map MYMAP) and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 (S0/0/0 172.30.2.2) across the Internet]

router(config-if)#
crypto map map-name

R1(config)# interface serial0/0/0
R1(config-if)# crypto map MYMAP

• Applies the crypto map to outgoing interface
• Activates the IPsec policy

81
Verify and Troubleshoot the IPSec Configuration

• CLI Command Summary
• show crypto map
• show crypto isakmp policy
• show crypto ipsec transform-set
• show crypto ipsec sa
• debug crypto isakmp

82
CLI Commands

Show Command                       Description
show crypto map                    Displays configured crypto maps
show crypto isakmp policy          Displays configured IKE policies
show crypto ipsec sa               Displays established IPsec tunnels
show crypto ipsec transform-set    Displays configured IPsec transform sets
debug crypto isakmp                Debugs IKE events
debug crypto ipsec                 Debugs IPsec events

83
show crypto map

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 (S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 (S0/0/0 172.30.2.2) across the Internet]

router#
show crypto map
Displays the currently configured crypto maps

R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 110
access-list 102 permit ip host 10.0.1.3 host 10.0.2.3
Current peer: 172.30.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ MYSET, }

84
show crypto isakmp policy

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 (S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 (S0/0/0 172.30.2.2) across the Internet]

router#
show crypto isakmp policy

R1# show crypto isakmp policy
Protection suite of priority 110
encryption algorithm: 3DES - Data Encryption Standard (168 bit keys).
hash algorithm: Secure Hash Standard
authentication method: preshared
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

85
show crypto ipsec transform-set

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 (S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 (S0/0/0 172.30.2.2) across the Internet]

show crypto ipsec transform-set
Displays the currently defined transform sets

R1# show crypto ipsec transform-set
Transform set AES_SHA: { esp-128-aes esp-sha-hmac }
will negotiate = { Tunnel, },

86
show crypto ipsec sa

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 (S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 (S0/0/0 172.30.2.2) across the Internet]

R1# show crypto ipsec sa
Interface: Serial0/0/0
Crypto map tag: MYMAP, local addr. 172.30.1.2
local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
current_peer: 172.30.2.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
path mtu 1500, media mtu 1500
current outbound spi: 8AE1C9C

87
debug crypto isakmp

router#
debug crypto isakmp

1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2

• This is an example of the Main Mode error message.
• The failure of Main Mode suggests that the Phase I policy does not match on both sides.
• Verify that the Phase I policy is on both peers and ensure that all the attributes match.

88
8.5 Implementing Site-to-Site IPSec VPNs Using SDM

89
Implementing Site-to-Site IPSec VPNs Using SDM

• Configuring IPSec Using SDM
• VPN Wizard-Quick Setup
• VPN Wizard-Step-by-Step Setup
• Verifying, Monitoring, and Troubleshooting VPNs

90
Configuring IPSec Using SDM

• Starting a VPN Wizard
• VPN Components
• Configuring a Site-to-Site VPN
• Site-to-Site VPN Wizard

91
Starting a VPN Wizard

1. Click Configure in main toolbar
2. Click the VPN button to open the VPN page
3. Choose a wizard (wizards for IPsec solutions, including 3 types of VPNs and individual IPsec components)
4. Click the VPN implementation subtype (VPN implementation subtypes vary based on the VPN wizard chosen)
5. Click the Launch the Selected Task button

92
VPN Components

[Figure: SDM VPN page showing the VPN Wizards, SSL VPN parameters, Easy VPN server parameters, public key certificate parameters, the option to encrypt VPN passwords, and the individual IPsec components used to build VPNs]

93
Configuring a Site-to-Site VPN
Choose Configure > VPN > Site-to-Site VPN

Click the Create a Site-to-Site VPN

Click the Launch the Selected Task button

94
Site-to-Site VPN Wizard

Choose the wizard mode

Click Next to proceed to the configuration of parameters.

95
VPN Wizard-Quick Setup

• Quick Setup
• Verify Parameters

96
Quick Setup

Configure the parameters:
• Interface to use
• Peer identity information
• Authentication method
• Traffic to encrypt

97
Verify Parameters

98
VPN Wizard-Step-by-Step Setup

• Step-by-Step Wizard
• Creating a Custom IKE Proposal
• Creating a Custom IPSec Transform Set
• Protecting Traffic - Subnet to Subnet
• Protecting Traffic - Custom ACL
• Add a Rule
• Configuring a New Rule Entry
• Configuration Summary

99
Step-by-Step Wizard

1. Choose the outside interface that is used to connect to the IPSec peer
2. Specify the IP address of the peer
3. Choose the authentication method and specify the credentials
4. Click Next

100
Creating a Custom IKE Proposal

1. Click Add to define a proposal
2. Make the selections to configure the IKE Policy and click OK
3. Click Next

101
Creating a Custom IPSec Transform Set

1. Click Add
2. Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation and optional compression
3. Click Next

102
Protecting Traffic
Subnet to Subnet

1. Click Protect All Traffic Between the Following Subnets
2. Define the IP address and subnet mask of the local network
3. Define the IP address and subnet mask of the remote network

103
Protecting Traffic
Custom ACL

1. Click the Create/Select an Access-List for IPSec Traffic radio button
2. Click the ellipses button to choose an existing ACL or create a new one
3. To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option
104
Add a Rule

1. Click Add
2. Give the access rule a name and description

105
Configuring a New Rule Entry

• Choose an action and enter a description of the rule entry
• Define the source hosts or networks in the Source Host/Network pane and the destination hosts or network in the Destination Host/Network pane
• (Optional) To provide protection for specific protocols, choose the specific protocol radio box and desired port numbers

106
Configuration Summary

• Click Back to modify the configuration.
• Click Finish to complete the configuration.

107
Verifying, Monitoring, and Troubleshooting VPNs

• Verify VPN Configuration
• Monitor

108
Verify VPN Configuration
Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN
 Check VPN status.
 Create a mirroring configuration if no Cisco SDM is available on the peer.
 Test the VPN configuration.
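The mirroring step above, together with the Custom ACL slides earlier in the wizard, rests on one rule: the crypto ACL on the peer must be the mirror image of the local one, or IPsec Phase 2 will not negotiate. This added Go example (not part of the course materials or of SDM) parses IOS-style "permit ip" entries, generates the peer's mirror ACL, and checks two routers' ACLs against each other regardless of entry order; ACL number 110 and the addresses in the test are constructed samples.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Entry is one crypto ACL line: "access-list <n> permit ip <src> <src-wc> <dst> <dst-wc>".
type Entry struct{ Src, SrcWild, Dst, DstWild string }

// ParseCryptoACL reads numbered IOS ACL lines; only "permit ip" entries belong in a crypto ACL.
func ParseCryptoACL(config string) ([]Entry, error) {
	var entries []Entry
	for _, line := range strings.Split(config, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) != 8 || f[0] != "access-list" || f[2] != "permit" || f[3] != "ip" {
			return nil, fmt.Errorf("unsupported crypto ACL line: %q", line)
		}
		entries = append(entries, Entry{f[4], f[5], f[6], f[7]})
	}
	return entries, nil
}

// Mirror returns the ACL the peer must carry: every entry with source and destination swapped.
func Mirror(entries []Entry) []Entry {
	out := make([]Entry, len(entries))
	for i, e := range entries {
		out[i] = Entry{e.Dst, e.DstWild, e.Src, e.SrcWild}
	}
	return out
}

// IsMirror reports whether peer is exactly the mirror image of local, ignoring entry order.
func IsMirror(local, peer []Entry) bool {
	return canonical(Mirror(local)) == canonical(peer)
}

// canonical sorts entries into one comparable string so that ordering differences do not matter.
func canonical(entries []Entry) string {
	keys := make([]string, len(entries))
	for i, e := range entries {
		keys[i] = fmt.Sprintf("%s/%s>%s/%s", e.Src, e.SrcWild, e.Dst, e.DstWild)
	}
	sort.Strings(keys)
	return strings.Join(keys, ";")
}
```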

109
Monitor
Choose Monitor > VPN Status > IPSec Tunnels
Lists all IPsec tunnels, their parameters, and status.

110
8.6 Implementing A Remote
Access VPN

111
Implementing A Remote Access VPN

 The Changing Corporate Landscape


 Introduction to Remote Access
 SSL VPNs
 Cisco Easy VPN
 Configure a VPN Server Using SDM
 Connect with a VPN Client

112
The Changing Corporate Landscape

 Telecommuting
 Telecommuting Benefits
 Telecommuting Requirements

113
Telecommuting
 Flexibility in working location and working hours
 Employers save on real estate, utility and other overhead costs
 Succeeds if the program is voluntary, subject to management discretion, and operationally feasible

114
Telecommuting Benefits
 Organizational benefits:
Continuity of operations
Increased responsiveness
Secure, reliable, and manageable access to information
Cost-effective integration of data, voice, video, and applications
Increased employee productivity, satisfaction, and retention
 Social benefits:
Increased employment opportunities for marginalized groups
Less travel and commuter related stress
 Environmental benefits:
Reduced carbon footprints, both for individual workers and organizations

115
Telecommuting Requirements

116
Introduction to Remote Access

 Methods for Deploying Remote Access


 Comparison of SSL and IPSec

117
Methods for Deploying Remote Access
Figure: a spectrum of remote access deployment methods, from IPsec Remote Access VPN (any application access) to SSL-Based VPN (anywhere access).

118
Comparison of SSL and IPSec

Applications
  SSL: Web-enabled applications, file sharing, e-mail
  IPsec: All IP-based applications
Encryption
  SSL: Moderate (key lengths from 40 bits to 128 bits)
  IPsec: Stronger (key lengths from 56 bits to 256 bits)
Authentication
  SSL: Moderate (one-way or two-way authentication)
  IPsec: Strong (two-way authentication using shared secrets or digital certificates)
Ease of Use
  SSL: Very high
  IPsec: Moderate (can be challenging to nontechnical users)
Overall Security
  SSL: Moderate (any device can connect)
  IPsec: Strong (only specific devices with specific configurations can connect)

119
SSL VPNs

 Overview
 Types of Access
 Full Tunnel Client Access Mode
 Establishing an SSL Session
 Design Considerations

120
Overview
• Integrated security and routing
• Browser-based full network SSL VPN access

Figure: an SSL VPN tunnel across the Internet from a remote user to the SSL VPN gateway at headquarters, giving access to workplace resources.

121
Types of Access

122
Full Tunnel Client Access Mode

123
Establishing an SSL Session
Figure: a user running an SSL client and an SSL VPN enabled ISR router.
1. User makes a connection to TCP port 443.
2. Router replies with a digitally signed public key.
3. User software creates a shared-secret key.
4. Shared-secret key, encrypted with the public key of the server, is sent to the router.
5. Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm.
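The five steps above, carried through in code as an added example that is not part of the course materials: Go's standard library stands in for the SSL client and the ISR router, RSA-OAEP for the public-key encryption of the shared secret (step 4) and AES-256-GCM for the bulk symmetric cipher (step 5). The digital signature on the router's public key, a certificate in real SSL/TLS, is assumed to have been checked and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Step 2: the router's RSA key pair; the public half is what the router sends
// (inside a digitally signed certificate in real SSL/TLS, omitted here).
func RouterKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Step 3: the user's SSL client creates a fresh shared-secret key (32 random bytes).
func ClientSharedSecret() ([]byte, error) {
	secret := make([]byte, 32)
	_, err := rand.Read(secret)
	return secret, err
}

// Step 4: the secret is encrypted with the server's public key (RSA-OAEP) before it
// crosses the Internet; only the holder of the private key can recover it.
func WrapSecret(pub *rsa.PublicKey, secret []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
}

// The router unwraps the secret with its private key.
func UnwrapSecret(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Step 5: the symmetric bulk cipher keyed by the shared secret, here AES-256-GCM.
// GCM also authenticates each record, so a tampered record fails to open.
func BulkCipher(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BulkSeal encrypts one record under a fresh random nonce, which must never repeat per key.
func BulkSeal(secret, plaintext []byte) (nonce, sealed []byte, err error) {
	gcm, err := BulkCipher(secret)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}
```

Decrypting a record on the receiving side is BulkCipher(secret).Open with the same nonce; an error there means the record was altered in transit.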

124
SSL VPN Design Considerations

 User connectivity
 Router feature
 Infrastructure planning
 Implementation scope

125
Cisco Easy VPN

 Overview
 Components
 Securing the VPN

126
Overview
 Negotiates tunnel parameters
 Establishes tunnels according to set parameters
 Automatically creates a NAT / PAT and associated ACLs
 Authenticates users by usernames, group names, and passwords
 Manages security keys for encryption and decryption
 Authenticates, encrypts, and decrypts data through the tunnel

127
Components

128
Securing the VPN
1. Initiate IKE Phase 1
2. Establish ISAKMP SA
3. Accept proposal
4. Username/password challenge; the client returns its username/password
5. System parameters pushed
6. Reverse Route Injection (RRI) adds a static route entry on the router for the remote client's IP address
7. Initiate IKE Phase 2: IPsec SA

129
Configuring a VPN Server Using SDM

 Configuring Cisco Easy VPN Server


 Configuring IKE Proposals
 Creating an IPSec Transform Set
 Group Authorization and Group Policy Lookup
 Summary of Configuration Parameters

130
Configuring Cisco Easy VPN Server

131
Configuring IKE Proposals
1. Click Add.
2. Specify the required parameters.
3. Click OK.

132
Creating an IPSec Transform Set


133
Group Authorization and Group Policy Lookup
1. Select the location where Easy VPN group policies can be stored.
2. Click Next.
3. Click Add.
4. Configure the local group policies.
5. Click Next.

134
Summary of Configuration
Parameters

135
Connecting with a VPN Client

 Overview
 Establishing a Connection

136
VPN Client Overview
Figure: the VPN Client connection entry R1 for R1-vpn-cluster.span.com.
 Establishes end-to-end, encrypted VPN tunnels for secure connectivity
 Compatible with all Cisco VPN products
 Supports the innovative Cisco Easy VPN capabilities

137
Establishing a Connection
Figure: connecting with the VPN Client entry "R1" (R1-vpn-cluster.span.com). Once authenticated, the status changes to connected.

138