
Training Goal

HUAWEI

datacomm.huawei.com


VPN General Description

VPN Definition



ACCESS VPN(VPDN)

1. Remote Access VPN(VPDN)



Intranet VPN
Router


Extranet VPN



VPN Type According to Realization Mode

The core technique that implements VPN over IP is a set of tunnel protocols:

Point-to-Net:
- L2TP: Layer 2 Tunnel Protocol (RFC 2661)
- PPTP: Point To Point Tunnel Protocol
- L2F: Layer 2 Forwarding

Net-to-Net:
- GRE: Generic Routing Encapsulation
- IPSEC: IP Security Protocol Suite
- IPSEC/BGP: Border Gateway Protocol
- MPLS/BGP: Multi-Protocol Label Switching



VPN Design Principle: Security


VPN security design principles:
- Tunnelling and encryption
- Data authentication
- User authentication
- Firewall and attack detection



VPN Design Principle: Network Management


VPN management goals:
- Reduced network risk
- Expansibility
- Economic efficiency
- Reliability



Quidway Series Router VPN Technique


- Tunnel technique
- IPSec
- Internet Key Exchange
- Firewall technique
- QoS
- Configuration management



ACCESS VPN Realization Scheme


Intranet VPN Solution




Extranet VPN



L2TP Protocol Brief Introduction

L2TP (Layer 2 Tunnel Protocol) is a protocol for transparent transmission of PPP messages between the user-side server and the company server.

Characteristics:
- Carries the Point-to-Point Protocol (PPP)
- Supports private address assignment without taking up public IP addresses
- Integrates with PPP to support AAA, and with RADIUS to support flexible local and remote termination
- Integrates with IPSEC to support message encryption
- Simple configuration, flexible access


L2TP Realize VPDN Diagram



VPDN Application Example




Basic Equipment for L2TP to Build VPDN


Diagram: client -> PSTN -> LAC (at the ISP) -> Internet -> LNS (corporate network); a RADIUS server stands beside both the LAC and the LNS. PPP runs end to end between client and LNS with IP above it; the L2TP tunnel runs between LAC and LNS. Tunnel information is carried in AV pairs: LAC local name, tunnel password, tunnel type, LNS IP address.

LAC: L2TP Access Concentrator
LNS: L2TP Network Server
LAC/LNS RADIUS: remote authentication server used by the LAC/LNS


L2TP Basic Control-flow Analysis


Tunnel and Session Establishment Flow

An L2TP session is triggered by a PPP call, and the tunnel is triggered by the session. Because several sessions can share one tunnel, tunnel establishment is not repeated when the tunnel already exists at the time the session is set up.

Tunnel establishment procedure: three-way handshake

    LAC                         LNS
      SCCRQ -------------------->
      <-------------------- SCCRP
      SCCCN -------------------->

Session establishment procedure: three-way handshake

    LAC                         LNS
      ICRQ --------------------->
      <--------------------- ICRP
      ICCN --------------------->



L2TP Basic Control-flow Analysis (continued)


Tunnel maintenance

    LAC/LNS                     LNS/LAC
      Hello -------------------->
      <---------------------- ZLB

Tunnel teardown

    LAC/LNS                     LNS/LAC
      StopCCN ------------------>
      <---------------------- ZLB

Session teardown

    LAC/LNS                     LNS/LAC
      CDN ---------------------->
      <---------------------- ZLB
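The control-message sequence of the slides above, as an added toy model that is not part of the Huawei material: one tunnel is brought up once, several PPP calls become sessions over it, a Hello keepalive is answered with ZLB, and CDN/StopCCN tear the sessions and tunnel down. Message names are those of RFC 2661; the Tunnel class, its log and run_calls() are constructed for this demonstration.

```python
# Added example: toy L2TP control channel between a LAC and an LNS.
# Only the message order matters here; no AVPs or sequence numbers are modelled.
from dataclasses import dataclass, field

TUNNEL_SETUP = ["SCCRQ", "SCCRP", "SCCCN"]   # three-way tunnel handshake
SESSION_SETUP = ["ICRQ", "ICRP", "ICCN"]     # three-way session handshake

@dataclass
class Tunnel:
    tunnel_id: int
    state: str = "idle"                     # idle -> established -> idle
    sessions: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # every control message in order

    def send(self, msg, session=None):
        """Record a control message; the peer answers Hello/CDN/StopCCN with ZLB."""
        self.log.append(msg if session is None else f"{msg}(sid={session})")
        if msg in ("Hello", "CDN", "StopCCN"):
            self.log.append("ZLB")

def establish_tunnel(t: Tunnel) -> bool:
    """Run the tunnel handshake once; return False if the tunnel already exists."""
    if t.state == "established":
        return False                        # no handshake repeated for later sessions
    for msg in TUNNEL_SETUP:
        t.send(msg)
    t.state = "established"
    return True

def establish_session(t: Tunnel, sid: int):
    """A PPP call triggers a session; the session triggers the tunnel if needed."""
    establish_tunnel(t)
    for msg in SESSION_SETUP:
        t.send(msg, session=sid)
    t.sessions[sid] = "established"

def teardown_session(t: Tunnel, sid: int):
    t.send("CDN", session=sid)
    del t.sessions[sid]

def teardown_tunnel(t: Tunnel):
    t.send("StopCCN")
    t.sessions.clear()
    t.state = "idle"

def run_calls(n_calls: int) -> list:
    """Bring up n PPP calls over one tunnel, keepalive, then tear everything down."""
    t = Tunnel(tunnel_id=1)
    for sid in range(1, n_calls + 1):
        establish_session(t, sid)
    t.send("Hello")
    for sid in list(t.sessions):
        teardown_session(t, sid)
    teardown_tunnel(t)
    return t.log

if __name__ == "__main__":
    print(run_calls(2))
```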

L2TP Data Transmission



- Basic data transmission
- Data transmission with sequence numbers but without flow control
- Data transmission with sequence numbers and flow control



L2TP Protocol Stack Architecture and Data Packet Encapsulation Process

LAC-side encapsulation process:

    IP packet (public address) | UDP header | L2TP header | PPP header | IP packet (private address)

LNS-side de-encapsulation process: each header is removed in turn.

The three grey PPP data fields in the diagram are identical, showing that the data is transmitted transparently by the LAC side; the three identical IP packets show that the VPN is realized at the IP layer.
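The encapsulation stack of the slide, as an added example that is not part of the Huawei material: the LAC wraps a private-address IP packet in PPP, an L2TP data header, UDP port 1701 and a public-address IP header, and the LNS peels the layers off and gets the inner packet back byte for byte. Header layouts follow RFC 2661 (L2TP) and RFC 1661 (PPP); the addresses and payload are constructed sample values, and the IP checksum is left zero.

```python
# Added example: LAC-side encapsulation and LNS-side de-encapsulation of L2TP data.
import socket
import struct

L2TP_PORT = 1701
PPP_ADDR_CTRL = b"\xff\x03"     # PPP address/control octets
PPP_PROTO_IP = 0x0021           # PPP protocol number for IPv4

def l2tp_data_header(tunnel_id: int, session_id: int) -> bytes:
    # Flags/version word: T=0 (data), L=0, S=0, Ver=2; then Tunnel ID and Session ID
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id)

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte IPv4 header with the checksum left zero (constructed demo)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def lac_encapsulate(inner_ip: bytes, lac_pub: str, lns_pub: str,
                    tunnel_id: int, session_id: int) -> bytes:
    """LAC side: PPP-frame the private IP packet, then add L2TP, UDP and public IP."""
    ppp = PPP_ADDR_CTRL + struct.pack("!H", PPP_PROTO_IP) + inner_ip
    l2tp = l2tp_data_header(tunnel_id, session_id) + ppp
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp
    return ipv4_header(lac_pub, lns_pub, 17, len(udp)) + udp

def lns_decapsulate(packet: bytes):
    """LNS side: strip each layer, checking the fields the LNS depends on."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not UDP")
    udp = packet[ihl:]
    _, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if dport != L2TP_PORT:
        raise ValueError("not the L2TP port")
    l2tp = udp[8:ulen]
    flags, tunnel_id, session_id = struct.unpack("!HHH", l2tp[:6])
    if flags & 0x8000 or (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 data message")
    ppp = l2tp[6:]
    if ppp[:2] != PPP_ADDR_CTRL or struct.unpack("!H", ppp[2:4])[0] != PPP_PROTO_IP:
        raise ValueError("unexpected PPP framing")
    return tunnel_id, session_id, ppp[4:]   # the inner IP packet, untouched

def demo():
    # Constructed private-address packet: 10.1.1.5 -> 10.1.2.9, TCP, 4 payload bytes
    inner = ipv4_header("10.1.1.5", "10.1.2.9", 6, 4) + b"data"
    wire = lac_encapsulate(inner, "203.0.113.10", "198.51.100.20", 7, 3)
    tid, sid, recovered = lns_decapsulate(wire)
    # Tunnel overhead: outer IP 20 + UDP 8 + L2TP 6 + PPP 4 = 38 bytes
    return tid, sid, recovered == inner, len(wire) - len(inner)

if __name__ == "__main__":
    print(demo())
```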



Apply L2TP to Implement VPDN


VPDN network-building scheme: the access server (acting as the LAC) initiates the tunnel



Apply L2TP to Implement VPDN


Initiated by the user or by an intranet machine (the LAC is set up on either of them)



L2TP Tunnel and Session Test




L2TP Debug and Troubleshooting


L2TP Debug

! Open all debug switches
Quidway# debug l2tp all
! Check sessions
Quidway# show l2tp session
! Check tunnels
Quidway# show l2tp tunnel

L2TP misconfiguration symptoms:
- User login fails
- Data transmission fails


GRE General Description




Building an Intranet VPN with GRE



Diagram (labels recovered from the figure): a GRE tunnel across the Internet between the Headquarters Router and the Remote Office Router.

Headquarters Router: tunnel interface0 172.17.3.3/24, serial1/0 172.17.2.4/24, Ethernet0/0 10.1.3.3/24, Ethernet0/1 10.1.6.4/24; Private Corporate Server 10.1.3.6/24; Public Web Server 10.1.6.5/24
Remote Office Router: tunnel interface1 172.17.3.6/24, serial1/0 172.24.2.5/24, Ethernet0/0 10.1.4.2/24; PC 10.1.4.3/2



Building an Extranet VPN with GRE/IPSEC


Diagram (labels recovered from the figure): a GRE tunnel across the Internet from the Headquarters Router to the Remote Office Router (PC A), and a GRE/IPSEC tunnel across the Internet from the Headquarters Router to the Business Partner Router (PC B).

Headquarters Router: serial2/0 172.16.2.2/24, Ethernet0/0 10.1.3.3/24, Ethernet0/1 10.1.6.4/24; Private Corporate Server 10.1.3.6/24; Public Web Server 10.1.6.5/24
Business Partner Router: Ethernet0/0 10.1.5.2/24, serial1/0 172.23.2.7/24; PC B 10.1.5.3/24



GRE Protocol Stack Illustration


GRE Protocol Stack

    IP/IPX                passenger protocol
    GRE                   carrier (encapsulation) protocol
    IP                    transport protocol
    Link layer protocol

GRE is the carrier protocol of a layer-3 tunnel.

Tunnel Interface Message Format

    Link layer | IP | GRE | IP/IPX payload


GRE Implementation



GRE Configuration Task





Configuring the Tunnel Interface



Tasks: construct the tunnel interface; configure the source address of the tunnel interface; configure the opposite (peer) terminal address of the tunnel interface; configure the network address of the tunnel interface.

Quidway(config)#interface tunnel number
Quidway(config-if)#tunnel source ip-address
Quidway(config-if)#tunnel destination ip-address



Configuring the Tunnel Mode



Configure the encapsulation and transport protocol for the tunnel interface:

Quidway(config-if-tunnel)#tunnel mode gre ip



Parameter Configuration of GRE


Quidway(config-if)#tunnel key key-number

Quidway(config-if)#tunnel checksum
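What the two parameters above put on the wire, as an added example that is not part of the Huawei material: a minimal GRE encapsulator and decapsulator following RFC 2784/2890. With a key configured, a packet carrying a different key is discarded; with checksums enabled, a corrupted packet is discarded. Neither check is cryptographic, which is why the extranet case on the earlier slide pairs GRE with IPSEC. The key value, payload and byte layout are constructed for the demonstration.

```python
# Added example: GRE header with optional key (K) and checksum (C) fields.
import struct
from typing import Optional

GRE_FLAG_C = 0x8000      # checksum present
GRE_FLAG_K = 0x2000      # key present
ETHERTYPE_IPV4 = 0x0800

def inet_checksum(data: bytes) -> int:
    """One's-complement checksum as used by IP; GRE reuses it over header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encap(payload: bytes, key: Optional[int] = None, checksum: bool = False) -> bytes:
    flags = (GRE_FLAG_C if checksum else 0) | (GRE_FLAG_K if key is not None else 0)
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if checksum:
        hdr += b"\x00\x00\x00\x00"           # checksum placeholder + reserved1
    if key is not None:
        hdr += struct.pack("!I", key)        # the configured "tunnel key"
    pkt = hdr + payload
    if checksum:
        pkt = pkt[:4] + struct.pack("!H", inet_checksum(pkt)) + pkt[6:]
    return pkt

def gre_decap(pkt: bytes, expected_key: Optional[int] = None) -> Optional[bytes]:
    """Return the payload, or None where a tunnel interface would discard the packet."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & 0x0007 or proto != ETHERTYPE_IPV4:  # version must be 0
        return None
    off = 4
    if flags & GRE_FLAG_C:
        if inet_checksum(pkt) != 0:                   # a valid packet sums to zero
            return None
        off += 4
    key = None
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if key != expected_key:                           # RFC 2890: key mismatch -> drop
        return None
    return pkt[off:]

def demo() -> dict:
    inner = b"\x45\x00" + b"inner IPv4 packet (constructed)"
    good = gre_encap(inner, key=0x1F, checksum=True)
    corrupted = good[:-3] + bytes([good[-3] ^ 0xFF]) + good[-2:]   # flip one payload byte
    return {
        "accepted": gre_decap(good, expected_key=0x1F) == inner,
        "wrong_key_dropped": gre_decap(good, expected_key=0x20) is None,
        "corruption_dropped": gre_decap(corrupted, expected_key=0x1F) is None,
        "header_bytes": len(good) - len(inner),    # 4 base + 4 checksum + 4 key
    }

if __name__ == "__main__":
    print(demo())
```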

Configuration Example

RouterA:

! Configure the physical interface for the tunnel
RouterA(config)# interface serial 0
! Set the interface address
RouterA(config-if-serial0)# ip address 192.13.2.1 255.255.255.0
! Construct interface tunnel0
RouterA(config)# interface tunnel 0
! Set the tunnel0 interface address
RouterA(config-if-tunnel0)# ip address 10.1.2.1 255.255.255.0
RouterA(config-if-tunnel0)# novell network 1f
! Optional operation: designate GRE as the tunnel mode and IP as the transport protocol
RouterA(config-if-tunnel0)# tunnel mode gre ip
! Source address of the tunnel interface (IP address of serial0)
RouterA(config-if-tunnel0)# tunnel source 192.13.2.1
! Opposite terminal address of the tunnel interface (IP address of RouterB serial0)
RouterA(config-if-tunnel0)# tunnel destination 131.108.5.2

RouterB:

! Configure the physical interface for the tunnel
RouterB(config)# interface serial 0
! Set the interface address
RouterB(config-if-serial0)# ip address 131.108.5.2 255.255.255.0
! Construct interface tunnel0
RouterB(config)# interface tunnel 0
! Set the tunnel0 interface address
RouterB(config-if-tunnel0)# ip address 10.1.2.2 255.255.255.0
RouterB(config-if-tunnel0)# novell network 1f
! Optional operation: designate GRE as the tunnel mode and IP as the transport protocol
RouterB(config-if-tunnel0)# tunnel mode gre ip
! Source address of the tunnel interface (IP address of serial0)
RouterB(config-if-tunnel0)# tunnel source 131.108.5.2
! Opposite terminal address of the tunnel interface (IP address of RouterA serial0)
RouterB(config-if-tunnel0)# tunnel destination 192.13.2.1


GRE Monitoring



RouterA#show interface tunnel 0
tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.1.2.1 255.255.255.0
Encapsulation TUNNEL
Tunnel source 192.13.2.1, destination 131.108.5.2
Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
Checksumming of packets disabled



GRE Monitoring (continued)

Queueing strategy:fifo
Output queue 0/0, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
29 packets output, 2348 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out


Misconfiguration Example

Failure: both ends of the tunnel interface are configured correctly and can ping each other, but ping cannot pass between PC A and PC B.

Failure recovery: check whether there is routing between the tunnel interfaces, i.e. whether RouterA has a route to 10.2.0.0/16 via interface tunnel0 and RouterB has a route to 10.1.0.0/16 via interface tunnel0 (adding static routes can provide this).


Description


Composition of the IPSEC Protocol





Security Features of IPSEC




Basic Concept of IPSEC



- Security Association (SA)
- Security Parameter Index (SPI)
- Sequence Number
- Lifetime
- Data Flow
- Crypto Map


Message Format of AH


Message Format of ESP




Relation with IKE




IPSEC Protocol Stack



Link layer


Preparing for Configuration



Constructing Security Strategy


Constructing the security strategy (crypto map):

Quidway(config)#crypto map map-name seq-num mode

Configuring the origin and end points of the tunnel:

Quidway(config-crypto-map)#set local-address ip-address
Quidway(config-crypto-map)#set peer ip-address



Constructing Security Strategy


Selecting the data flow that enters the tunnel: configure an ACL, then reference it in the security strategy.

Quidway(config)#access-list acl-num permit proto source-address source-mask dest-addr dest-mask
Quidway(config-crypto-map)#match address acl-num



Constructing Security Strategy


Configuring the transform mode: construct the transform set, select the security protocol and algorithm, and select the message encapsulation mode.

Quidway(config)#crypto ipsec transform name
Quidway(config-crypto-transform)#transform proto
Quidway(config-crypto-transform)#proto {encryption|hash} algorithm
Quidway(config-crypto-transform)#mode {transport|tunnel}


Constructing Security Strategy


Applying the transform set to the security strategy:

Quidway(config-crypto-map)#set transform-set transform-name, ..., transform-name

Configuring the lifetime for the security association:

Quidway(config-crypto-map)#set sa lifetime {seconds | kilobytes} lifetime-value



Constructing Security Strategy


Configuring the SPI for the security association:

Quidway(config-crypto-map)#set session-key {inbound | outbound} {ah | esp} spi spi-value

Configuring the cryptographic key for the security association:

Quidway(config-crypto-map)#set session-key {inbound | outbound} ah {string-key | hex-key-string} key-string
Quidway(config-crypto-map)#set session-key {inbound | outbound} esp {string-key | auth-key | cipher-key} key-string

Applying the Security Strategy to an Interface


Application to the interface:

Quidway(config-if)#crypto map map-name


Configuration Diagram

Manual Configuration

Configure Router-A as follows:

! Configure an access list defining the data flow from subnet 10.1.1.x to subnet 10.1.2.x
Quidway(config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
! Construct a transform set named tran1
Quidway(config)#crypto ipsec transform-set tran1
! Adopt tunnel mode as the message encapsulation format
Quidway(config-crypto-transform-tran1)#mode tunnel
! Adopt ESP as the security protocol
Quidway(config-crypto-transform-tran1)#transform esp-new
! Select the algorithms
Quidway(config-crypto-transform-tran1)#esp-new encrypt des
Quidway(config-crypto-transform-tran1)#esp-new hash sha1-hmac-96
! Return to global configuration mode
Quidway(config-crypto-transform-tran1)#exit
! Construct a security strategy in manual negotiation mode
Quidway(config)#crypto map map1 10 manual
! Reference the access list
Quidway(config-crypto-map-map1-10)#match address 101


Manual Configuration (continued)

! Set the opposite (peer) terminal address
Quidway(config-crypto-map-map1-10)#set peer 202.38.162.1
! Set the local terminal address
Quidway(config-crypto-map-map1-10)#set local-address 202.38.163.1
! Reference the transform set
Quidway(config-crypto-map-map1-10)#set transform-set tran1
! Set the SPIs
Quidway(config-crypto-map-map1-10)#set session-key outbound esp spi 12345
Quidway(config-crypto-map-map1-10)#set session-key inbound esp spi 54321
! Set the cryptographic keys
Quidway(config-crypto-map-map1-10)#set session-key outbound esp string-key abcdefg
Quidway(config-crypto-map-map1-10)#set session-key inbound esp string-key gfedcba
! Return to global configuration mode
Quidway(config-crypto-map-map1-10)#exit
! Enter serial port configuration mode
Quidway(config)#interface serial 0
! Apply the security strategy to the serial port
Quidway(config-if-serial0)#crypto map map1


Manual Configuration (continued)

Configure Router-B as follows:

! Configure an access list defining the data flow from subnet 10.1.2.x to subnet 10.1.1.x
Quidway(config)#access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
! Construct a transform set named tran1
Quidway(config)#crypto ipsec transform-set tran1
! Adopt tunnel mode as the message encapsulation format
Quidway(config-crypto-transform-tran1)#mode tunnel
! Adopt ESP as the security protocol
Quidway(config-crypto-transform-tran1)#transform esp-new
! Select the algorithms
Quidway(config-crypto-transform-tran1)#esp-new encrypt des
Quidway(config-crypto-transform-tran1)#esp-new hash sha1-hmac-96
! Return to global configuration mode
Quidway(config-crypto-transform-tran1)#exit
! Construct a security strategy in manual negotiation mode
Quidway(config)#crypto map use1 10 manual
! Reference the access list
Quidway(config-crypto-map-use1-10)#match address 101


Manual Configuration (continued)

! Set the opposite (peer) terminal address
Quidway(config-crypto-map-use1-10)#set peer 202.38.163.1
! Set the local terminal address
Quidway(config-crypto-map-use1-10)#set local-address 202.38.162.1
! Reference the transform set
Quidway(config-crypto-map-use1-10)#set transform-set tran1
! Set the SPIs
Quidway(config-crypto-map-use1-10)#set session-key outbound esp spi 54321
Quidway(config-crypto-map-use1-10)#set session-key inbound esp spi 12345
! Set the cryptographic keys
Quidway(config-crypto-map-use1-10)#set session-key outbound esp string-key gfedcba
Quidway(config-crypto-map-use1-10)#set session-key inbound esp string-key abcdefg
! Return to global configuration mode
Quidway(config-crypto-map-use1-10)#exit
! Enter serial port configuration mode
Quidway(config)#interface serial 0
! Apply the security strategy to the serial port
Quidway(config-if-serial0)#crypto map use1
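A consistency check over the Router-A and Router-B manual configurations above, as an added example that is not part of the Huawei material. With "crypto map ... manual" nothing is negotiated, so Router-A's outbound SPI and key must equal Router-B's inbound ones and vice versa, the peer and local addresses must cross, and the two access lists must mirror each other; a mismatch in any of these is a silent traffic-drop. The parser only understands the command forms used on the slides, and the configuration text is copied from them.

```python
# Added example: verify that two manually keyed IPSEC endpoints mirror each other.
import ipaddress
import re
ROUTER_A = """
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
set peer 202.38.162.1
set local-address 202.38.163.1
set session-key outbound esp spi 12345
set session-key inbound esp spi 54321
set session-key outbound esp string-key abcdefg
set session-key inbound esp string-key gfedcba
"""
ROUTER_B = """
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
set peer 202.38.163.1
set local-address 202.38.162.1
set session-key outbound esp spi 54321
set session-key inbound esp spi 12345
set session-key outbound esp string-key gfedcba
set session-key inbound esp string-key abcdefg
"""
def wildcard_to_network(addr, wildcard):
    """Quidway-style wildcard mask (0 bit = must match) to a CIDR network."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse(cfg):
    """Pick the access list, addresses and per-direction SPI/key out of the config."""
    out = {"sa": {}}
    for line in cfg.strip().splitlines():
        if m := re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line):
            out["flow"] = (wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4]))
        elif m := re.match(r"set (peer|local-address) (\S+)", line):
            out[m[1]] = m[2]
        elif m := re.match(r"set session-key (inbound|outbound) esp (spi|string-key) (\S+)", line):
            out["sa"].setdefault(m[1], {})[m[2]] = m[3]
    return out

def check_pair(a, b):
    """Return the mismatches between the two ends; an empty list means they agree."""
    problems = []
    if a["peer"] != b["local-address"] or b["peer"] != a["local-address"]:
        problems.append("peer/local-address do not cross")
    for field in ("spi", "string-key"):
        if a["sa"]["outbound"][field] != b["sa"]["inbound"][field]:
            problems.append(f"A outbound {field} != B inbound {field}")
        if b["sa"]["outbound"][field] != a["sa"]["inbound"][field]:
            problems.append(f"B outbound {field} != A inbound {field}")
    if a["flow"] != (b["flow"][1], b["flow"][0]):
        problems.append("access lists are not mirror images")
    return problems

def flow_selected(cfg, src, dst):
    """Does this packet match the crypto map's access list and so enter the tunnel?"""
    return (ipaddress.IPv4Address(src) in cfg["flow"][0]
            and ipaddress.IPv4Address(dst) in cfg["flow"][1])

if __name__ == "__main__":
    print(check_pair(parse(ROUTER_A), parse(ROUTER_B)))   # [] for the slide configs
```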


Automatic Negotiation

! Construct a security strategy in isakmp negotiation mode
Quidway(config)#crypto map map1 10 isakmp
! Reference the access list
Quidway(config-crypto-map-map1-10)#match address 101
! Set the opposite (peer) terminal address
Quidway(config-crypto-map-map1-10)#set peer 202.38.162.1
! Reference the transform set
Quidway(config-crypto-map-map1-10)#set transform-set tran1
! Return to global configuration mode
Quidway(config-crypto-map-map1-10)#exit
! Enter serial port configuration mode
Quidway(config)#interface serial 0
! Apply the security strategy to the serial port
Quidway(config-if-serial0)#crypto map map1
! Corresponding IKE configuration
Quidway(config)#crypto ike key abcde address 202.38.162.1


Automatic Negotiation (continued)

Configure Router-B as follows:

! Configure an access list defining the data flow from subnet 10.1.2.x to subnet 10.1.1.x
Quidway(config)#access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
! Construct a transform set named tran1
Quidway(config)#crypto ipsec transform-set tran1
! Adopt tunnel mode as the message encapsulation format
Quidway(config-crypto-transform-tran1)#mode tunnel
! Adopt ESP as the security protocol
Quidway(config-crypto-transform-tran1)#transform esp-new
! Select the algorithms
Quidway(config-crypto-transform-tran1)#esp-new encrypt des
Quidway(config-crypto-transform-tran1)#esp-new hash sha1-hmac-96
! Return to global configuration mode
Quidway(config-crypto-transform-tran1)#exit


Automatic Negotiation (continued)

! Construct a security strategy in isakmp negotiation mode
Quidway(config)#crypto map use1 10 isakmp
! Reference the access list
Quidway(config-crypto-map-use1-10)#match address 101
! Set the opposite (peer) terminal address
Quidway(config-crypto-map-use1-10)#set peer 202.38.163.1
! Reference the transform set
Quidway(config-crypto-map-use1-10)#set transform-set tran1
! Return to global configuration mode
Quidway(config-crypto-map-use1-10)#exit
! Enter serial port configuration mode
Quidway(config)#interface serial 0
! Apply the security strategy to the serial port
Quidway(config-if-serial0)#crypto map use1
! Corresponding IKE configuration
Quidway(config)#crypto ike key abcde address 202.38.163.1


IPSEC Monitoring



Show IPSEC SA Current State

Quidway(config)#show crypto ipsec sa


Clear Security Association

Quidway(config)#clear crypto sa


IPSEC Monitoring (continued)



debug ipsec packet


General Description of IKE





Role of IKE in IPSEC





Relevant Knowledge of IKE




IKE Exchange State Machine




IKE Security Mechanism



DH Exchange and Cryptographic Key Generation


Diagram: Peer 1 holds the private value a, Peer 2 holds the private value b, and both know the public parameters g and p.

1. Peer 1 chooses a; Peer 2 chooses b.
2. Peer 1 sends c = g^a mod p to Peer 2; Peer 2 sends d = g^b mod p to Peer 1.
3. Peer 1 computes d^a mod p; Peer 2 computes c^b mod p.
4. Both arrive at the same key, g^(ab) mod p.
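The four steps of the diagram carried out in code, as an added example that is not part of the Huawei material. Each Peer object performs one side of the exchange and, before using the other side's public value, rejects the degenerate values 0, 1 and p-1 that would pin the secret to a handful of outcomes. IKE uses the RFC 2409 MODP groups (group 1 is 768-bit, group 2 is 1024-bit); the prime below is a constructed stand-in so the numbers stay readable, and the fixed a and b in the worked instance are chosen for a reproducible result.

```python
# Added example: Diffie-Hellman as drawn on the slide, with a public-value check.
import secrets

P_DEMO = 2_147_483_647    # constructed demo prime (2^31 - 1); NOT one of the IKE groups
G_DEMO = 7                # constructed generator for the demo

def public_value_ok(value: int, p: int) -> bool:
    """Reject 0, 1 and p-1: a peer sending those forces a predictable shared secret."""
    return 1 < value < p - 1

class Peer:
    def __init__(self, name, g=G_DEMO, p=P_DEMO, private=None):
        self.name, self.g, self.p = name, g, p
        # a (or b) in the diagram: fresh per exchange unless fixed for a worked example
        self.private = private if private is not None else secrets.randbelow(p - 2) + 1
        self.public = pow(g, self.private, p)     # c = g^a mod p, or d = g^b mod p

    def shared_secret(self, peer_public: int) -> int:
        """Step 3: raise the peer's public value to our own private exponent."""
        if not public_value_ok(peer_public, self.p):
            raise ValueError(f"{self.name}: degenerate public value from peer")
        return pow(peer_public, self.private, self.p)

def dh_exchange(g=G_DEMO, p=P_DEMO, a=None, b=None):
    """Run the diagram's four steps; returns (c, d, key at Peer 1, key at Peer 2)."""
    peer1 = Peer("Peer 1", g, p, a)            # step 1: Peer 1 picks a
    peer2 = Peer("Peer 2", g, p, b)            #         Peer 2 picks b
    c, d = peer1.public, peer2.public          # step 2: c and d cross the network in clear
    k1 = peer1.shared_secret(d)                # step 3: d^a mod p
    k2 = peer2.shared_secret(c)                #         c^b mod p
    return c, d, k1, k2                        # step 4: k1 == k2 == g^(ab) mod p

if __name__ == "__main__":
    print(dh_exchange(g=5, p=23, a=6, b=15))   # textbook-sized instance: (8, 19, 2, 2)
    c, d, k1, k2 = dh_exchange()               # random exponents over the demo prime
    print(k1 == k2)
```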


IKE Configuration Task




Prepare for Configuration




Construct IKE Crypto Map (IKE Policy)



Quidway(config)#crypto ike policy num

Quidway(config-ike-policy)#hash {md5|sha}

Quidway(config-ike-policy)#encryption des

Quidway(config-ike-policy)#group {1|2}

Quidway(config-ike-policy)#authentication pre-shared


Configure the Pre-shared Key



Quidway(config)#crypto ike key key-string address peer-address


Configuration Example

! Configure an IKE crypto map (IKE policy)
Quidway(config)# crypto ike policy 10
Quidway(config-crypto-ike-policy-10)# hash md5
Quidway(config-crypto-ike-policy-10)# authentication pre-share
Quidway(config-crypto-ike-policy-10)# lifetime 5000
Quidway(config-crypto-ike-policy-10)# exit
! Configure the pre-shared key
Quidway(config)# crypto ike key abcde address 202.38.162.1


IKE Monitoring



Display current security association state

Quidway(config)#show crypto ike sa


Delete security association

Quidway(config)#clear crypto ike sa conn-id


IKE Debug

debug ike error
debug ike message
debug ike exchange

