Professional Documents
Culture Documents
• VPN
DRAFT May 2003. All rights reserved.
Terry Alex
DRAFT May 2003. All rights reserved.
public key B public key A
Protocol Messages Protocol Messages
Data Traffic Data Traffic
Pay to Terry Smith $100.00 Pay to Terry Smith $100.00
One Hundred and xx/100 Dollars Decrypt Decrypt One Hundred and xx/100 Dollars
4ehIDx67NMop9eR 4ehIDx67NMop9eR
U78IOPotVBn45TR
Internet U78IOPotVBn45TR
Peer A Peer B
DRAFT May 2003. All rights reserved.
Local Remote
DRAFT May 2003. All rights reserved.
Pay to Terry Smith $100.00 Pay to Terry Smith $100.00
KJklzeAidJfdlwiej47
DlItfd578MNSbXoE
Key Key
DRAFT May 2003. All rights reserved.
Encryption key
Pay to Terry Smith $100.00
Encrypt Decrypt Pay to Terry Smith $100.00
One Hundred and xx/100 Dollars One Hundred and xx/100 Dollars
4ehIDx67NMop9eR
U78IOPotVBn45TR
Encryption algorithms
• DES
• 3DES
• AES
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—6-19
Data Integrity
Yes, I am
DRAFT May 2003. All rights reserved.
Alex Jones
Pay to Terry Smith Pay to Alex Jones $1000.00
$100.00
One Hundred and xx/100 Dollars One Thousand and xx/100 Dollars
4ehIDx67NMop9 12ehqPx67NMoX
Match = No changes
No match = Alterations
Local Remote
DRAFT May 2003. All rights reserved.
Shared
Hash Hash
function function
Pay to Terry Smith $100.00
2
One Hundred and xx/100 Dollars
Hash
HMAC algorithms
function
• HMAC-MD5
• HMAC-SHA-1
Pay to Terry Smith $100.00
One Hundred and xx/100 Dollars
4ehIDx67NMop9 4ehIDx67NMop9
Match
4ehIDx67NMop9
4ehIDx67NMop9
Encryption Decryption
Hash
algorithm algorithm
Private
key Public
Hash key
Hash
algorithm
Pay to Terry Smith $100.00
One Hundred and xx/100 Dollars
Main site
DRAFT May 2003. All rights reserved.
VPN PIX
POP Concentrator Firewall
Regional office with
a PIX Firewall
Mobile worker with a
Cisco VPN Client
SOHO with a Cisco on a laptop computer Corporate
ISDN/DSL router
This quarterly report
does not look so
DRAFT May 2003. All rights reserved.
%
15
by
s off
Server ng
rni
Ea
Internet
Remote office
Corporate Office
DRAFT May 2003. All rights reserved.
Internet Hash
Authenticating hash
(Hash_I)
Computed
hash
(Hash)
=
Received
hash
(Hash_I)
Auth. key + ID Auth. key + ID
DRAFT May 2003. All rights reserved.
Hash Hash
Digital
2
signature
Private Hash_I
Hash
key
1
=
Encryption Internet
algorithm Decryption
algorithm Hash_I
Public Digital
Digital Digital key cert
cert + signature
Internet Hash
Authenticating hash
(Hash_I)
Computed
hash
(Hash_I)
=
Received
hash
(Hash_I)
IP HDR Data
DRAFT May 2003. All rights reserved.
Encrypted
Authenticated
Tunnel mode
ESP ESP
New IP HDR ESP HDR IP HDR Data Trailer Auth
Encrypted
Authenticated
HR
servers
Tunnel mode
Home office Corporate office
Internet
HR
servers
Tunnel mode
IPSec
Framework
DRAFT May 2003. All rights reserved.
ESP
IPSec Protocol ESP +AH
Encryption 3
DES
DES
10.0.1.3 10.0.2.3
Apply IPSec
Bypass IPSec
Discard
Host A Host B
Router A Router B
DRAFT May 2003. All rights reserved.
Negotiate the Negotiate the
policy policy
DiffieHellman DiffieHellman
exchange exchange
Verify the peer Verify the peer
identity identity
Transform 10 Transform 15
DES DES
MD5 MD5
pre-share IKE Policy Sets pre-share
DH1 DH1
lifetime lifetime
Transform 20
3DES
SHA
pre-share
DH1
lifetime
Terry Alex
DRAFT May 2003. All rights reserved.
public key B public key A
Pay to Terry Smith
Pay to Terry Smith $100.00 $100.00
One Hundred and xx/100 Dollars
Encrypt Decrypt One Hundred and xx/100 Dollars
4ehIDx67NMop9eR 4ehIDx67NMop9eR
Internet U78IOPotVBn45TR
U78IOPotVBn45TR
Remote office
Corporate office
DRAFT May 2003. All rights reserved.
HR
servers
Peer
authentication
Host A Host B
Router A Router B
DRAFT May 2003. All rights reserved.
rvogt:
Transform set 30 Transform set 55
Need another ESP ESP
3DES 3DES
host in slide to IPSec Transform Sets
SHA SHA
clarify Tunnel Tunnel
Lifetime Lifetime
Transform set 40
ESP
• A transform set is a
DES
MD5
combination of algorithms
Tunnel
Lifetime
and protocols that enact a
security policy for traffic.
Host A Host B
IPSec session
Host A Host B
Router A Router B
DRAFT May 2003. All rights reserved.
• A tunnel is terminated
– By an SA lifetime timeout
– If the packet counter is
exceeded
• Removes IPSec SA
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—6-48
Site-to-Site VPN using Pre-shared
Keys
Determine the following policy details:
DRAFT May 2003. All rights reserved.
Goal: Minimize misconfiguration.
Determine the following policy details:
DRAFT May 2003. All rights reserved.
Goal: Minimize misconfiguration.
Cisco IOS software supports the following
DRAFT May 2003. All rights reserved.
IPSec transforms:
Cisco router
DRAFT May 2003. All rights reserved.
Other vendor’s
CA server
IPSec peers
router#
show crypto map
• View any configured crypto maps.
RouterA# show crypto map
Crypto Map "mymap" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 102
access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
Current peer: 172.30.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ mine, }
Site 1 Site 2
RouterA RouterB
DRAFT May 2003. All rights reserved.
Internet
router#
show crypto ipsec transform-set
• View any configured transform sets.
Cisco RouterB
172.30.2.2
DRAFT May 2003. All rights reserved.
Cisco RouterA
172.30.1.2
Other vendor’s
CA server
IPSec peers
IKE
AH
DRAFT May 2003. All rights reserved.
• Ensure protocols 50 and 51, and UDP port 500 traffic are
not blocked at interfaces used by IPSec.
router(config)#
[no] crypto isakmp enable
router(config)#
crypto isakmp policy priority
• Defines an IKE policy, which is a set of parameters used
during IKE negotiation.
• Invokes the configisakmp command mode.
router(config)#
crypto isakmp policy priority
• Defines the parameters within the IKE policy 110.
RouterA(config)# crypto isakmp policy 110
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# group 1
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# lifetime 86400
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—6-69
IKE Policy Negotiation
Site 1 Site 2
RouterA RouterB
Internet
DRAFT May 2003. All rights reserved.
RouterA(config)# RouterB(config)#
crypto isakmp policy 100 crypto isakmp policy 100
hash md5 hash md5
authentication pre-share authentication pre-share
crypto isakmp policy 200 crypto isakmp policy 200
authentication rsa-sig authentication rsa-sig
hash sha hash sha
crypto isakmp policy 300 crypto isakmp policy 300
authentication pre-share authentication rsa-sig
hash md5 hash md5
• The first two policies in each router can be successfully
negotiated while the last one can not.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—6-70
Step 3—Configure ISAKMP Identity
Site 1 Site 2
RouterA RouterB
Internet
DRAFT May 2003. All rights reserved.
router(config)#
crypto isakmp identity {address | hostname}
• Defines whether ISAKMP identity is done by IP address
or hostname.
• Use consistently across ISAKMP peers.
router(config)#
crypto isakmp key keystring hostname hostname
Step 1—Configure transform set suites.
DRAFT May 2003. All rights reserved.
Step 2—Configure global IPSec SA
lifetimes.
crypto ipsec security-association
lifetime
Step 3—Create crypto access lists.
access-list
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—6-75
Task 3—Configure IPSec (cont.)
DRAFT May 2003. All rights reserved.
transform-set 10 transform-set 40
esp-3des esp-des
tunnel tunnel
transform-set 20 transform-set 50
esp-des, esp-md5-hmac esp-des, ah-sha-hmac
tunnel tunnel
transform-set 30 transform-set 60
esp-3des, esp-sha-hmac Match esp-3des, esp-sha-hmac
tunnel tunnel
• When a security association
expires, a new one is negotiated
without interrupting the data flow.
Outbound
Encrypt
traffic
Bypass (clear text)
Permit Inbound
Bypass traffic
Discard (clear text)
router(config)#
access-list access-list-number [dynamic dynamic-name
[timeout minutes]] {deny | permit} protocol source
source-wildcard destination destination-wildcard
[precedence precedence][tos tos] [log]
Site 1 Site 2
DRAFT May 2003. All rights reserved.
RouterA RouterB
RouterA(config)# RouterB(config)#
access-list 110 access-list 101
permit tcp permit tcp
10.0.1.0 10.0.2.0
0.0.0.255 0.0.0.255
10.0.2.0 10.0.1.0
0.0.0.255 0.0.0.255
• You must configure mirror image ACLs.
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—6-86
Step 4—Create Crypto Maps
router(config)#
crypto map map-name seq-num ipsec-manual
RouterC
172.30.3.2
RouterA(config)# crypto map mymap 110 ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer 172.30.2.2
RouterA(config-crypto-map)# set peer 172.30.3.2
RouterA(config-crypto-map)# set pfs group1
RouterA(config-crypto-map)# set transform-set mine
RouterA(config-crypto-map)# set security-association lifetime 86400
• Multiple peers can be specified for redundancy.
Site 1 Site 2
RouterA RouterB
DRAFT May 2003. All rights reserved.
mymap
router(config-if)#
crypto map map-name
RouterA(config)# interface ethernet0/1
RouterA(config-if)# crypto map mymap
• Apply the crypto map to outgoing interface
• Activates the IPSec policy
Site 1 Site 2
RouterA RouterB
DRAFT May 2003. All rights reserved.
Internet
Site 1 Site 2
RouterA RouterB
DRAFT May 2003. All rights reserved.
Internet
Site 1 Site 2
RouterA RouterB
DRAFT May 2003. All rights reserved.
Internet
router#
show crypto ipsec transform-set
router#
DRAFT May 2003. All rights reserved.
router#
debug crypto isakmp
• Displays debug messages about all ISAKMP actions.
router(config-crypto-map)#
DRAFT May 2003. All rights reserved.
• Specifies inbound or outbound SA.
• Sets Security Parameter Index (SPI) for the SA.
• Sets manual AH and ESP keys:
– ESP key length is 56 bits with DES, 168 with 3DES.
– AH HMAC key length is 128 bits with MD5, 160 bits with SHA.
• SPIs should be reciprocal for IPsec peer.
Planning includes the following steps:
DRAFT May 2003. All rights reserved.
Goal: Be ready for CA support configuration.
Internet
DRAFT May 2003. All rights reserved.
CA 172.30.1.51
vpnca
Parameter CA Server
Type of CA server Win2000
host name vpnca
IP address 172.30.1.51
URL vpnca.cisco.com
Administrator contact 18005551212
Determine the following policy details:
DRAFT May 2003. All rights reserved.
Goal: Minimize misconfiguration
Generate Keys
router(config)#
DRAFT May 2003. All rights reserved.
router#
clock set hh:mm:ss day month year
clock set hh:mm:ss month day year
• Sets the router’s time and date
CA 172.30.1.51
router(config)#
hostname name
• Specifies a unique name for the router
router(config)#
ip domain-name name
• Specifies a unique domain name for the router
CA 172.30.1.51
vpnca
router(config)#
ip host name address1 [address2...address8]
• Defines a static host nametoaddress mapping for the CA
server
• This step is necessary if the domain name is not resolvable
10.0.1.0 10.0.2.0
CA
router(config)#
crypto key generate rsa usage-keys
• Using the keyword usagekeys generates two sets of RSA keys:
– Use one key set for RSA signatures.
– Use one key set for RSA encrypted nonces.
CA 172.30.1.51
vpnca
router(config)#
RouterA(ca-trustpoint)# enrollment ?
http-proxy HTTP proxy server for enrollment
mode ra Mode supported by the Certicicate Authority
retry Polling parameters
url CA server enrollment URL\
CA 172.30.1.51
vpnca
10.0.1.0 10.0.2.0
Enroll Request
+ password CA 172.30.1.51
ID Cert Dnld vpnca
router(config)#
crypto ca enroll name
Internet
CA 172.30.1.51
vpnca
Internet
CA 172.30.1.51
vpnca
router#
show crypto ca certificates
• View any configured CA/RA certificates
router#
show crypto key mypubkey | pubkey-chain rsa
• View RSA keys for your router and other IPSec peers
enrolled with a CA
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—6-144
CA Support Configuration Example
10.0.1.0 10.0.2.0
CA 172.30.1.51
vpnca
Step 1—Configure transform set suites.
DRAFT May 2003. All rights reserved.