Germán Bastidas, Ing.
Universidad San Francisco de Quito
Implementing Virtual
Private Networks
CCNA Security 1.0
Implementing Network Security
Cisco Networking Academy
VPN Overview
• A VPN is a private network that is created via tunneling over a public
network, usually the Internet.
• VPNs have many benefits:
– Cost savings
– Security
– Scalability
– Compatibility with broadband technology
Types of VPN Networks
• Site-to-site. Devices on both sides of the VPN
connection are aware of the VPN configuration in
advance. The VPN remains static, and internal
hosts have no knowledge that a VPN exists. Frame
Relay, ATM, GRE, and MPLS VPNs are examples of
site-to-site VPNs.
• Remote-access. VPN information is not statically
set up, but instead allows for dynamically
changing information and can be enabled and
Cisco VPN Client Software
The Cisco VPN Client software encapsulates and encrypts the remote user's traffic before sending it over
the Internet to the VPN gateway at the edge of the target network.
SSL VPNs allow users to access web pages and services, including the ability to access files,
send and receive email, and run TCP-based applications without IPsec VPN Client software.
The primary restriction of SSL VPNs is that they are currently supported only in software.
SSL VPN Modes of Access
• Clientless SSL VPN. A remote client needs only an
SSL-enabled web browser to access HTTP- or
HTTPS-enabled web servers on the corporate LAN.

• Client SSL VPN. A remote client must download a
small, Java-based applet for secure access to TCP
applications that use static port numbers. UDP is
not supported in a thin client environment.
VPN Solutions
VPN Specialized Hardware
AIM - A broad range of Cisco routers can be equipped with an Advanced Integration Module (AIM).
Advanced integration modules are installed inside the router chassis and offload encryption tasks
from the router CPU.

Cisco IPsec VPN Shared Port Adapter (SPA) - Delivers scalable and cost-effective VPN
performance for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers.
Cisco IPsec VPN SPA
Generic Routing Encapsulation (GRE)
GRE does not include any strong security mechanisms to protect its payload.
GRE Tunnel Header
The GRE header, together with the tunneling IP header,
creates at least 24 bytes of additional overhead for
tunneled packets.
Configuring a Site-to-Site GRE Tunnel
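A site-to-site GRE tunnel between two routers, as an added example that is not part of the slide deck; the public addresses, interface names, tunnel subnet and LAN prefixes are assumed values:

```ios
! Added example (not from the deck). Assumed: R1 outside 209.165.200.225, R2 outside
! 209.165.201.1, tunnel subnet 10.1.1.0/30, LANs 192.168.1.0/24 (R1) and 192.168.2.0/24 (R2).
! GRE adds no confidentiality or integrity: the payload crosses the Internet in clear text.
!
! --- R1 ---
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 209.165.201.1
 tunnel mode gre ip
 ! GRE header plus outer IP header add at least 24 bytes; lower the tunnel MTU and
 ! clamp TCP MSS so tunneled packets are not fragmented on the path
 ip mtu 1400
 ip tcp adjust-mss 1360
!
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! --- R2 ---
interface Tunnel0
 ip address 10.1.1.2 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 209.165.200.225
 tunnel mode gre ip
 ip mtu 1400
 ip tcp adjust-mss 1360
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
! Verification on either router: the tunnel is up/up once both ends are reachable,
! and the remote LAN is routed through Tunnel0
show interface Tunnel0
show ip route | include Tunnel0
```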
When To Use GRE
• IETF standard (RFC 2401-2412) that defines how a
VPN can be configured using the IP addressing
• IPsec is not bound to any specific encryption,
authentication, security algorithms, or keying
• IPsec is a framework of open standards that spells
out the rules for secure communications.
• IPsec relies on existing algorithms to implement
the encryption, authentication, and key exchange.
IPsec Framework
Authentication - PSK
Authentication - RSA
Secure Key Exchange
• The Diffie-Hellman (DH) key agreement is a public key
exchange method that provides a way for two peers to
establish a shared secret key that only they know, even
though they are communicating over an insecure channel.
• There are four DH groups: 1, 2, 5, and 7.
– DH groups 1, 2, and 5 support exponentiation over a prime
modulus with a key size of 768 bits, 1024 bits, and 1536 bits,
– Cisco 3000 clients support DH groups 1, 2, and 5. DES and 3DES
encryption support DH groups 1 and 2.
– AES encryption supports DH groups 2 and 5.
– The Certicom movianVPN client supports group 7.
– Group 7 supports Elliptic Curve Cryptography (ECC), which
reduces the time needed to generate keys.
IPsec Framework Protocols
Authentication Header (AH) - IP protocol 51
Encapsulating Security Payload (ESP) - IP protocol 50
Transport Mode and Tunnel Mode
Internet Key Exchange (IKE)
• Protocol used to set up a Security Association (SA)
• An SA is a basic building block of IPsec. Security
associations are maintained within an SA database.
• IKE uses UDP port 500.
• An alternative to using IKE is to manually
configure all parameters required to establish a
secure IPsec connection.
IKE Phase 1 Main Mode
IKE Phase 1 Aggressive Mode
IKE Phase 2 (Quick Mode)
• The purpose of IKE Phase 2 is to negotiate the
IPsec security parameters that will be used to
secure the IPsec tunnel.
• IKE Phase 2 performs the following functions:
– Negotiates IPsec security parameters, known as IPsec
transform sets
– Establishes IPsec SAs
– Periodically renegotiates IPsec SAs to ensure security
– Optionally performs an additional DH exchange
IPsec VPN Steps
Task to Configure IPsec
• Task 1. Ensure that ACLs configured on the interface are compatible with the IPsec
configuration. Usually there are restrictions on the interface that the VPN traffic
uses; for example, block all traffic that is not IPsec or IKE.

• Task 2. Create an ISAKMP policy to determine the ISAKMP parameters that will
be used to establish the tunnel.

• Task 3. Define the IPsec transform set. The definition of the transform set
defines the parameters that the IPsec tunnel uses. The set can include the
encryption and integrity algorithms.

• Task 4. Create a crypto ACL. The crypto ACL defines which traffic is sent through
the IPsec tunnel and protected by the IPsec process.

• Task 5. Create and apply a crypto map. The crypto map groups the previously
configured parameters together and defines the IPsec peer devices. The crypto
map is applied to the outgoing interface of the VPN device.
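The five tasks carried through on one router (R1) of a site-to-site IPsec VPN, as an added example that is not from the slide deck; the addresses, interface name, ACL and crypto map names, and the pre-shared key placeholder are assumed:

```ios
! Added example (not from the deck). Assumed: R1 outside 209.165.200.225 on Serial0/0/0,
! R2 outside 209.165.201.1, LANs 192.168.1.0/24 (R1) and 192.168.2.0/24 (R2).
!
! Task 1: interface ACL admits only IKE (UDP 500), ESP (IP 50) and AH (IP 51) from the peer.
! Older IOS re-checks decrypted packets against this ACL, so the remote LAN is also permitted.
ip access-list extended OUTSIDE-IN
 permit udp host 209.165.201.1 host 209.165.200.225 eq isakmp
 permit esp host 209.165.201.1 host 209.165.200.225
 permit ahp host 209.165.201.1 host 209.165.200.225
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny ip any any log
interface Serial0/0/0
 ip address 209.165.200.225 255.255.255.224
 ip access-group OUTSIDE-IN in
!
! Task 2: ISAKMP policy (priority 10, lower number wins) and the PSK for this peer
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key REPLACE-WITH-STRONG-PSK address 209.165.201.1
!
! Task 3: transform set - ESP with AES-256 for encryption and SHA-1 HMAC for integrity
crypto ipsec transform-set R1-R2-SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Task 4: crypto ACL selects the LAN-to-LAN traffic that must be protected
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Task 5: crypto map binds peer, transform set and crypto ACL; apply it to the outgoing interface
crypto map R1-R2-MAP 10 ipsec-isakmp
 set peer 209.165.201.1
 set transform-set R1-R2-SET
 match address VPN-TRAFFIC
interface Serial0/0/0
 crypto map R1-R2-MAP
!
! Verification: Phase 1 SA should show QM_IDLE, Phase 2 SAs should show encrypt/decrypt counters
show crypto isakmp sa
show crypto ipsec sa
```

R2 mirrors this configuration with the peer, source and destination addresses swapped, and the PSK, ISAKMP policy and transform set must match on both sides or the negotiation fails.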
Task 1
Task 1 - Configuration
Task 2. Create an ISAKMP policy
Use an integer from 1 to 10,000 as the policy priority, with 1 being
the highest priority and 10,000 the lowest.
ISAKMP Parameters
Task 2. Configure a PSK
Task 3 – Configure the Transform Sets
Transform Combinations
Transform Sets Negotiation Example
Transform Sets Configuration Example
Task 4 – Configure the Crypto ACL
Task 5 – Create the Crypto Map
Crypto Map Command
Crypto Map Configuration Mode Commands
Task 5 – Configuration Example
Task 5 – Apply the Crypto Map
Verify and Troubleshoot IPsec Configuration
Configure IPsec with SDM
Teleworking Benefits
Methods for Deploying Remote-Access VPNs
IPsec vs SSL Remote-Access VPNs
Establishing an SSL Session
Cisco Easy VPN
Establishing an IPsec Remote-Access Session
Configure a VPN Server with SDM
Connect with a VPN Client