
Chapter 8:

Implementing Virtual
Private Networks

CCNA Security

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Chapter 8: Objectives
In this chapter you will:
• Describe VPNs and their benefits.
• Identify the Cisco VPN product line and the security features of these products.
• Configure a site-to-site VPN GRE tunnel.
• Describe the IPsec protocol and its basic functions.
• Compare AH and ESP protocols.
• Describe the IKE protocol and modes.
• Describe IPsec negotiation and the five steps of IPsec configuration.
• Explain how to prepare IPsec by ensuring that ACLs are compatible with IPsec.
• Configure IKE policies using CLI.
• Configure the IPsec transform sets using CLI.
• Configure the crypto ACLs using CLI.
• Configure a crypto map using CLI.
• Troubleshoot the IPsec configuration.
• Configure IPsec using CCP.
• Configure a site-to-site VPN using the Quick Setup VPN Wizard in CCP.
• Configure a site-to-site VPN using the step-by-step VPN Wizard in CCP.
• Troubleshoot VPNs using CCP.
• Explain how the corporate landscape is changing to support telecommuting.
• Compare remote-access IPsec VPNs and SSL VPNs.
• Explain how SSL is used to establish a secure VPN connection.
• Describe the Cisco Easy VPN feature.
• Configure a VPN server using CCP.
• Connect a VPN client using the Cisco VPN Client software.

Chapter 8
8.0 Introduction
8.1 VPNs
8.2 GRE VPNs
8.3 IPsec VPN Components and Operation
8.4 Implementing Site-to-Site VPNs with CLI
8.5 Implementing Site-to-Site VPNs with CCP
8.6 Implementing Remote-Access VPNs
8.7 Summary

8.1 VPNs

VPN Overview
Virtual Private Networks
▪ A Virtual Private Network (VPN) is a private network that is created via
tunneling over a public network, usually the Internet.
▪ VPNs have multiple benefits, including:
• Compatibility with broadband technology
• Cost savings
• Security
• Scalability

VPN Overview
Types of VPNs
▪ In the simplest sense, a VPN connects two endpoints, such as two
remote offices, over a public network to form a logical connection.
▪ The logical connections can be made at either Layer 2 or Layer 3 of the
OSI model.
▪ Common examples of Layer 3 VPNs are:
• Generic Routing Encapsulation (GRE)
• Multiprotocol Label Switching (MPLS)
• Internet Protocol Security (IPsec)

VPN Topologies
Site-to-Site VPNs
▪ Created when connection devices on both sides of the VPN
connection are aware of the VPN configuration in advance.
▪ The VPN remains static and internal hosts have no knowledge
that a VPN exists.

VPN Topologies
Remote-Access VPNs
• Allows for dynamically changing connection information and
can be enabled and disabled when needed.
• Example – A telecommuter’s PC being responsible for
establishing the VPN.

VPN Topologies
Remote-Access VPNs
▪ An evolution of circuit-switching networks, such as plain old
telephone service (POTS) or Integrated Services for Digital
Network ISDN.
▪ Support a client/server architecture. A VPN client (remote host)
requires secure access to the enterprise network via a VPN
server device at the network edge.

VPN Topologies
Site-to-Site VPNs Cont.
▪ An extension of a classic WAN network.
▪ Connect remote networks to each other.
▪ A site-to-site VPN can connect a branch office network to a
company headquarter network.
▪ Replaces a leased line or Frame Relay connection, because
most corporations now have Internet access.

VPN Topologies
VPN Client Software Operations

VPN Topologies
Cisco IOS SSL VPN
▪ The Cisco IOS SSL VPN is a technology that provides remote-
access connectivity from almost any Internet-enabled location
with a web browser and its native SSL encryption.
▪ SSL VPN currently delivers three modes of SSL VPN access:
• Clientless
• Thin client
• Full client

VPN Solutions
Cisco VPN Product Lines
Product Choice                                      Remote-Access VPN   Site-to-Site VPN
Cisco VPN-Enabled Routers and Switches              Secondary role      Primary role
Cisco PIX 500 Series Security Appliances (Legacy)   Secondary role      Primary role
Cisco ASA 5500 Adaptive Security Appliances         Primary role        Secondary role
Cisco VPN 3000 Series Concentrators                 Primary role        Secondary role
SOHO Routers (Cisco 850 Series ISR and Linksys)     Primary role        Secondary role

VPN Solutions
VPN Services with Cisco ASA

VPN Solutions
Cisco IPsec Client Options
Cisco remote-access VPNs can use three IPsec clients:
• Cisco VPN Client software - Installed on the PC or laptop of an individual.
• Cisco Remote Router VPN Client - A Cisco remote router (configured as a VPN client) that connects small office, home office (SOHO) LANs to the VPN.
• Cisco AnyConnect Secure Mobility Client - Next-generation VPN client that provides remote users with secure VPN connections to the Cisco ASA.

VPN Solutions
Cisco VPN Hardware Modules
Cisco VPN hardware modules enhance performance by offloading the encryption task to specialized hardware.
• VPN Advanced Integration Module (AIM) - A broad range of Cisco routers
can be equipped with VPN AIM installed inside the ISR chassis to offload
encryption tasks from the router CPU.
• Cisco IPsec VPN Shared Port Adapter (SPA) - Delivers scalable and cost-
effective VPN performance for higher-end Cisco Catalyst series switches and
routers.
• Cisco VPN Accelerator Module 2+ (VAM2+) - Provides high performance
encryption/compression and key generation services for IPsec VPN
applications on Cisco 7204VXR, 7206VXR, and 7301 routers.
VPN AIM

8.2 GRE VPNs

Configuring a Site-to-Site GRE Tunnel
GRE Tunnels
▪ There are two popular site-to-site tunneling protocols:
• GRE
• IPsec
▪ When should you use GRE or IPsec? The decision flow on the slide:
• Is the user traffic IP only? No: use a GRE tunnel.
• If yes, is it unicast only? No: use a GRE tunnel. Yes: use an IPsec VPN.

Configuring a Site-to-Site GRE Tunnel
GRE Tunnels Cont.
GRE can encapsulate almost any other type of packet.
• Uses IP to create a virtual point-to-point link between Cisco routers
• Supports multiprotocol (IP, CLNS, …) and IP multicast tunneling (and,
therefore, routing protocols)
• Best suited for site-to-site multiprotocol VPNs
• RFC 1702 and RFC 2784

Configuring a Site-to-Site GRE Tunnel
GRE Header
▪ GRE encapsulates the entire original IP packet with a standard IP
header and GRE header.
▪ GRE tunnel header contains at least two 2-byte mandatory fields:
• GRE flag
• Protocol type

Configuring a Site-to-Site GRE Tunnel
GRE Header Cont.
▪ GRE does not provide encryption, but it can be monitored with a
protocol analyzer.
▪ While GRE and IPsec can be used together, IPsec does not
support multicast/broadcast and, therefore, does not forward
routing protocol packets. However, IPsec can encapsulate a GRE
packet that encapsulates routing traffic (GRE over IPsec).

Configuring a Site-to-Site GRE Tunnel
Configuring GRE
1. Create a tunnel interface: interface tunnel 0
2. Assign the tunnel an IP address.
3. Identify the source tunnel interface: tunnel source
4. Identify the tunnel destination: tunnel destination
5. (Optional) Identify the protocol to encapsulate in the GRE
tunnel: tunnel mode gre ip

By default, GRE is tunneled in an IP packet.
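The five steps above on both ends of a tunnel, as an added example that is not from the deck: the public and tunnel addresses, the LAN prefixes, the interface names and the OSPF process are constructed, and the routing protocol is included only to show the multicast traffic that GRE carries and plain IPsec does not.

```ios
! R1: public address 209.165.200.226 on Serial0/0/0, LAN 192.168.1.0/24 (constructed)
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 209.165.201.1
 tunnel mode gre ip
!
! R2: public address 209.165.201.1 on Serial0/0/0, LAN 192.168.2.0/24 (constructed)
! Source and destination are mirrored; the tunnel addresses share one /30.
interface Tunnel0
 ip address 10.1.1.2 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 209.165.200.226
 tunnel mode gre ip
!
! On each router: a routing protocol across the tunnel. OSPF hellos are
! multicast, so they only work because GRE encapsulates them in unicast IP.
! (R2 advertises 192.168.2.0/24 in the same way.)
router ospf 1
 network 10.1.1.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! Verification on either router
show interfaces tunnel 0
show ip ospf neighbor
show ip route ospf
```

Everything in this tunnel, routing updates included, crosses the Internet unencrypted (GRE is visible to a protocol analyzer), so the GRE over IPsec design from the next slides is needed whenever confidentiality matters.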

Configuring a Site-to-Site GRE Tunnel
Configuring GRE Cont.
Configuring a Site-to-Site GRE Tunnel
GRE with IPsec
▪ The advantage of GRE is that it can be used to tunnel non-IP
traffic over an IP network.
▪ Unlike IPsec, which only supports unicast traffic, GRE supports
multicast and broadcast traffic over the tunnel link. Therefore,
routing protocols are supported in GRE.
▪ GRE does not provide encryption; if needed, IPsec should be
configured.

8.3 IPsec VPN Components and Operation

Introducing IPsec
IPsec As an IETF Standard
▪ A “framework” of open standards developed by the IETF to
create a secure tunnel at the network (IP) layer.
• The IETF spells out rules for secure communications.
• RFC 2401 - RFC 2412
▪ IPsec works at the network layer, protecting and authenticating IP
packets between participating IPsec devices, or peers.
▪ IPsec is not bound to any specific encryption or authentication
algorithms, keying technology, or security algorithms.
▪ IPsec allows newer and better algorithms to be implemented
without patching the existing IPsec standards.

Introducing IPsec
IPsec As an IETF Standard Cont.
▪ The IPsec framework consists of five building blocks.
▪ The administrator selects the algorithms used to implement the security services within that framework.

Introducing IPsec
IPsec as an IETF Standard
Using the IPsec framework, IPsec provides these essential security functions.

Introducing IPsec
Confidentiality
Confidentiality is achieved through encryption.

Introducing IPsec
Confidentiality Cont.
Encryption algorithms and key lengths that VPNs use:
• DES
• 3DES
• AES
• Software-Optimized Encryption Algorithm (SEAL)

Introducing IPsec
Integrity
▪ A method of proving data integrity is required to
guarantee that the content has not been altered.
▪ A data integrity algorithm can provide this guarantee.
▪ Hashed Message Authentication Code (HMAC) is a data
integrity algorithm that guarantees the integrity of the
message using a hash value.

Introducing IPsec
Integrity Cont.
Two common HMAC algorithms:
• HMAC-Message Digest 5 (HMAC-MD5)
• HMAC-Secure Hash Algorithm 1 (HMAC-SHA-1)

Introducing IPsec
Authentication
▪ The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure.
▪ There are two primary methods of configuring peer authentication:
• Pre-shared Keys (PSKs)
• RSA signatures

Introducing IPsec
Authentication Cont.
Introducing IPsec
Secure Key Exchange
▪ Encryption algorithms, such as DES, 3DES, AES, and the MD5 and SHA-1 hashing algorithms require a symmetric, shared secret key to perform encryption and decryption.
▪ How do the encrypting and decrypting devices get the shared secret key?
▪ The Diffie-Hellman (DH) key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key that only they know.

IPsec Security Protocols
IPsec Framework Protocols
IPsec uses two main protocols to create a security framework:
• AH: Authentication Header
• ESP: Encapsulating Security Payload

IPsec Security Protocols
Authentication Header
AH provides authentication and optional replay-detection
services.
• It authenticates the sender of the data.
• AH operates on protocol number 51.
• AH supports the HMAC-MD5 and HMAC-SHA-1 algorithms.

IPsec Security Protocols
Authentication Header Cont.
▪ AH does not provide confidentiality (encryption).
• It is appropriate to use when confidentiality is not required or
permitted.
• All text is transported unencrypted.
▪ It only ensures the origin of the data and verifies that the data has not
been modified during transit.
▪ If the AH protocol is used alone, it provides weak protection.
▪ AH can have problems if the environment uses NAT.

IPsec Security Protocols
Authentication Header Cont.
The AH process occurs in this order:
1. The IP header and data payload are hashed using the shared secret key.
2. The hash builds a new AH header, which is inserted into the original packet.
3. The new packet is transmitted to the IPsec peer router.
4. The peer router hashes the IP header and data payload using the shared secret
key, extracts the transmitted hash from the AH header, and compares the two
hashes.

IPsec Security Protocols
ESP
ESP provides the same security services as AH (authentication
and integrity) and encryption service.
• It encapsulates the data to be protected.
• It operates on protocol number 50.

IPsec Security Protocols
ESP Cont.
ESP can also provide integrity and authentication.
• First, the payload is encrypted using DES (default), 3DES, AES, or SEAL.
• Next, the encrypted payload is hashed to provide authentication and data
integrity using HMAC-MD5 or HMAC-SHA-1.

IPsec Security Protocols
Transport and Tunnel Modes
ESP and AH can be applied to IP packets in two different modes.

IPsec Security Protocols
Transport and Tunnel Modes Cont.
▪ Security is provided only for the Transport Layer and above. It
protects the payload but leaves the original IP address in
plaintext.
▪ ESP transport mode is used between hosts.
▪ Transport mode works well with GRE, because GRE hides the
addresses of the end devices by adding its own IP.

IPsec Security Protocols
Transport and Tunnel Modes Cont.
▪ Tunnel mode provides security for the complete original IP
packet. The original IP packet is encrypted and then it is
encapsulated in another IP packet (IP-in-IP encryption).
▪ ESP tunnel mode is used in remote access and site-to-site
implementations.

Internet Key Exchange
Security Associations
▪ The IPsec VPN solution
• Negotiates key exchange parameters (IKE).
• Establishes a shared key (DH).
• Authenticates the peer.
• Negotiates the encryption parameters.
▪ The negotiated parameters between two devices are known as a
security association (SA).

Internet Key Exchange
Security Associations
▪ An SA is a basic building block of IPsec. Security associations are
maintained within a SA database (SADB), which is established by
each device.
▪ A VPN has SA entries defining the IPsec encryption parameters
as well as SA entries defining the key exchange parameters.
▪ SAs represent a policy contract between two peers or hosts, and
describe how the peers use IPsec security services to protect
network traffic.
▪ SAs contain all the security parameters needed to securely
transport packets between the peers or hosts, and practically
define the security policy used in IPsec.

Internet Key Exchange
Security Associations Cont.
▪ IKE helps IPsec securely exchange cryptographic keys between
distant devices. Combination of the ISAKMP and the Oakley Key
Exchange Protocol.
▪ Key Management can be preconfigured with IKE (ISAKMP) or
with a manual key configuration. IKE and ISAKMP are often used
interchangeably.
▪ The IKE tunnel protects the SA negotiations.

Internet Key Exchange
IKE Phase 1 and Phase 2
▪ There are two phases in every IKE negotiation
• Phase 1 (Authentication)
• Phase 2 (Key Exchange)
▪ IKE negotiation can also occur in:
• Main mode
• Aggressive mode
▪ The difference between the two is that Main mode requires the
exchange of six messages while Aggressive mode requires only
three exchanges.

Internet Key Exchange
IKE Phase 1 and Phase 2 Cont.
▪ IKE Phase One:
• Negotiates an IKE protection suite.
• Exchanges keying material to protect the IKE session (DH).
• Authenticates each other.
• Establishes the IKE SA.
• Main mode requires the exchange of six messages while
Aggressive mode only uses three messages.
▪ IKE Phase Two:
• Negotiates IPsec security parameters, known as IPsec transform
sets.
• Establishes IPsec SAs.
• Periodically renegotiates IPsec SAs to ensure security.
• Optionally performs an additional DH exchange.

Internet Key Exchange
Three Key Exchanges
▪ Three exchanges transpire during IKE Phase 1.
▪ The first exchange between the initiator and the responder.
▪ Establishes the basic security policy.
▪ Peers negotiate and agree on the algorithms and hashes that are
used to secure the IKE communications.
▪ Rather than negotiate each protocol individually, the protocols are
grouped into sets, called IKE policy sets.
▪ The IKE policy sets are exchanged first.

Negotiate IKE Policy

Internet Key Exchange
Three Key Exchanges Cont.
The second exchange creates and exchanges the DH public keys
between the two endpoints.

Internet Key Exchange
Three Key Exchanges Cont.
Using the DH algorithm, each peer generates a shared secret without
actually exchanging secrets.

Internet Key Exchange
Three Key Exchanges Cont.
▪ In the third exchange, each end device must authenticate the other
end device before the communication path is considered secure.
▪ The initiator and recipient authenticate each other using one of the
three data-origin authentication methods:
• PSK
• RSA signature
• RSA encrypted nonce
IPsec Authentication

Internet Key Exchange
Aggressive Mode
Aggressive Mode Phase 1
▪ Aggressive mode is another option for IKE Phase 1.
▪ Aggressive mode is faster than Main mode due to fewer exchanges.

Aggressive Mode Phase 2

Internet Key Exchange
IKE Phase 2
▪ The purpose of IKE Phase 2 is to negotiate the IPsec security
parameters that will be used to secure the IPsec tunnel.
▪ IKE Phase 2 is called quick mode.
▪ IKE Phase 2 can only occur after IKE has established the secure
tunnel in Phase 1.
▪ Quick mode negotiates the IKE Phase 2 SAs.
▪ In this phase, the SAs that IPsec uses are unidirectional. A separate
key exchange is required for each data flow.
Quick Mode

8.4 Implementing Site-to-Site IPsec VPNs with CLI

Configuring a Site-to-Site IPsec VPN
IPsec VPN Negotiation
▪ A VPN is a communications channel used to form a logical
connection between two endpoints over a public network.
▪ IPsec VPN negotiation involves several steps.

Configuring a Site-to-Site IPsec VPN
IPsec VPN Negotiation Cont.
Configuring a Site-to-Site IPsec VPN
IPsec Configuration Tasks
Some basic tasks must be completed to configure a site-to-
site IPsec VPN.
Task 1. Ensure that ACLs configured on interfaces are compatible
with the IPsec configuration.
Task 2. Create an ISAKMP (IKE) policy.
Task 3. Configure the IPsec transform set.
Task 4. Create a crypto ACL.
Task 5. Create and apply a crypto map.

Task 1 – Configure Compatible ACLs
Protocols 50 and 51 and UDP Port 500
Ensure that the ACLs are configured so that ISAKMP, ESP,
and AH traffic are not blocked at the interfaces used by
IPsec.
• ESP is assigned IP protocol number 50.
• AH is assigned IP protocol number 51.
• ISAKMP uses UDP port 500.

Task 1 – Configure Compatible ACLs
Configuring Compatible ACLs Cont.

Task 2 – Configure IKE
Configuring Compatible ACLs Cont.
▪ The second major task in configuring Cisco IOS ISAKMP support is to
define the parameters within the IKE policy.
▪ Multiple ISAKMP policies can be configured on each peer participating in
IPsec.

Task 2 – Configure IKE
Configuring Compatible ACLs Cont.
The crypto isakmp policy command invokes ISAKMP policy
configuration command mode, where you can set the ISAKMP
parameters.

Task 2 – Configure IKE
Negotiating ISAKMP Policies
Two endpoints must negotiate ISAKMP policies before they agree on the
SA to use for IPsec.

Task 2 – Configure IKE
Negotiating ISAKMP Policies Cont.
Policy numbers are only locally significant and do not have to match between IPsec peers.

Task 2 – Configure IKE
Pre-Shared Keys
▪ The key string cisco123 matches.
▪ The address identity method is specified.
▪ The ISAKMP policies are compatible.
▪ Default values do not have to be configured.

Task 3 – Configure the Transform Sets
Defining the Transform Sets
A transform set is a combination of individual IPsec transforms designed to
enact a specific security policy for traffic.
Router(config)# crypto ipsec transform-set transform-set-name ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-null ESP transform w/o cipher

Notes:
• esp-md5-hmac and esp-sha-hmac provide more data integrity.
• They are compatible with NAT/PAT and are used more frequently than
ah-md5-hmac and ah-sha-hmac.

Task 3 – Configure the Transform Sets
Configuring the Transform Sets
▪ Transform sets are negotiated during IKE Phase 2 quick mode.
▪ R1 has transform sets ALPHA, BETA, and CHARLIE configured, while
R2 has RED, BLUE, and YELLOW configured.
▪ Each R1 transform set is compared against each R2 transform set in
succession until a match is found.
Task 3 – Configure the Transform Sets
Configuring the Transform Sets Cont.
Task 4 – Configure the Crypto ACLs
Defining Crypto ACLs
▪ Crypto ACLs identify the traffic flows to protect.
▪ Outbound crypto ACLs select outbound traffic that IPsec should protect.
Traffic not selected is sent in plaintext.

▪ If desired, inbound ACLs can be created to filter and discard traffic that
should have been protected by IPsec.

Task 4 – Configure the Crypto ACLs
Crypto ACL Syntax
Outbound crypto ACLs define the interesting traffic to be encrypted. All
other traffic passes as plaintext.

Task 4 – Configure the Crypto ACLs
Symmetric Crypto ACL Syntax
Symmetric crypto ACLs must be configured for use by IPsec.

RouterA(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

RouterB(config)# access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

Task 5 – Apply the Crypto Map
Defining Crypto Maps
Crypto maps define:
• Which traffic to protect using a crypto ACL
• Granularity of the flow to be protected by a set of SAs
• Who the remote IPsec peers are
• Local address used for the IPsec traffic (optional)
• Which type of IPsec security is applied to this traffic (transform sets)
• Key management method
• SA lifetimes

Task 5 – Apply the Crypto Map
Crypto Map Syntax
Task 5 – Apply the Crypto Map
Applying the Crypto Map
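Tasks 1 to 5 carried through on R1 as one configuration, added here as an example rather than taken from the deck or from Cisco documentation. The peer addresses and the names MYMAP and MINE reuse the show-command examples on the slides; the LAN prefixes, interface name and ACL name are constructed, the PSK is a placeholder, and AES, SHA and DH group 14 assume an IOS release that supports them (the deck's defaults are DES, MD5 and group 1). R2 mirrors this with the addresses swapped.

```ios
! R1: public 172.30.1.2, protected LAN 10.0.1.0/24
! R2: public 172.30.2.2, protected LAN 10.0.2.0/24   (LAN prefixes constructed)
!
! Task 1: the inbound ACL on the outside interface must admit ISAKMP (UDP 500),
! ESP (IP protocol 50) and AH (IP protocol 51) from the peer, or IKE never completes.
ip access-list extended OUTSIDE-IN
 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
 permit esp host 172.30.2.2 host 172.30.1.2
 permit ahp host 172.30.2.2 host 172.30.1.2
 ! decrypted LAN-to-LAN traffic, for IOS releases that re-check the inbound
 ! ACL after decryption
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
 deny ip any any log
!
! Task 2: ISAKMP (IKE Phase 1) policy. The number 10 is locally significant;
! the attributes below must match one of R2's policies.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
! PSK bound to the peer address (the address identity method); the key is a
! placeholder and must be a long random string on both routers.
crypto isakmp key PLACEHOLDER-PSK address 172.30.2.2
!
! Task 3: transform set (IKE Phase 2). ESP gives encryption plus HMAC integrity
! and passes NAT, unlike AH; tunnel mode protects the whole original packet.
crypto ipsec transform-set MINE esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Task 4: crypto ACL selecting the interesting traffic. R2's ACL must be the
! mirror image (source 10.0.2.0/24, destination 10.0.1.0/24).
access-list 102 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
! Task 5: crypto map binding peer, transform set and crypto ACL; PFS forces a
! fresh DH exchange for each IPsec SA. Applied to the outside interface.
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.30.2.2
 set transform-set MINE
 set pfs group14
 match address 102
!
interface Serial0/0/0
 ip address 172.30.1.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map MYMAP
!
! Verification, in the order the tunnel is built
show crypto isakmp policy
show crypto ipsec transform-set
show crypto map
show crypto isakmp sa
show crypto ipsec sa
```

The `deny ip any any log` entry doubles as a detection point: a peer whose IKE proposal fails shows up in `debug crypto isakmp`, while anything that is not ISAKMP, ESP or AH from the known peer is logged by the interface ACL.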

Verify and Troubleshoot the IPsec Configuration
IPsec Show Commands

R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 102
            access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MINE, }

The show crypto map command verifies configurations and shows the
SA lifetime.

Verify and Troubleshoot the IPsec Configuration
IPsec Show Commands Cont.

R1# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  pre-share
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

The show crypto isakmp policy command displays configured IKE policies
and the default IKE policy settings.
Verify and Troubleshoot the IPsec Configuration
IPsec Show Commands Cont.

The show crypto ipsec transform-set command shows all configured transform sets.

Verify and Troubleshoot the IPsec Configuration
Verifying Security Associations

R1# show crypto isakmp sa
dst             src             state           conn-id   slot
172.30.2.2      172.30.1.2      QM_IDLE         47        5

If show crypto ipsec sa indicates that an SA is established, the rest of the configuration is assumed to be working.

Verify and Troubleshoot the IPsec Configuration
Troubleshooting VPN Connectivity
▪ This is an example of the Main Mode error message.
▪ The failure of Main Mode suggests that the Phase I policy does
not match on both sides.
R1# debug crypto isakmp
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 150.150.150.1

▪ Verify that the Phase I policy is on both peers and ensure that all
the attributes match.
• Encryption: DES or 3DES
• Hash: MD5 or SHA
• Diffie-Hellman: Group 1 or 2
• Authentication: rsa-sig, rsa-encr or pre-share
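Added example, not taken from the Cisco slides or from any Cisco software: a small Python checker that parses the show crypto isakmp policy output of both peers and reports which Phase I attributes differ, which is the comparison to make when debug crypto isakmp reports the Main Mode failure above. The two router outputs embedded in it are constructed samples.

```python
# Phase 1 attributes both peers must agree on (the slide's checklist). The
# lifetime is not compared: when lifetimes differ, IOS uses the shorter one.
ATTRS = ("encryption", "hash", "authentication", "dh_group")
# IOS prints descriptions; map them to CLI keywords (AES key sizes not distinguished).
_KEYWORDS = {"Message Digest 5": "md5", "Secure Hash Standard": "sha",
             "Rivest-Shamir-Adleman Signature": "rsa-sig",
             "Rivest-Shamir-Adleman Encryption": "rsa-encr",
             "Three key triple DES": "3des"}
_FIELDS = {"encryption algorithm": "encryption", "hash algorithm": "hash",
           "authentication method": "authentication", "Diffie-Hellman group": "dh_group"}

# Constructed sample outputs of "show crypto isakmp policy" (not real captures).
R1_OUTPUT = """\
Protection suite of priority 110
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  pre-share
        Diffie-Hellman group:   #1 (768 bit)
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
"""
R2_OUTPUT = """\
Protection suite of priority 20
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  pre-share
        Diffie-Hellman group:   #1 (768 bit)
"""

def _keyword(text):
    """'DES - Data Encryption Standard (56 bit keys).' -> 'des'; '#2 (1024 bit)' -> 2."""
    text = text.strip().rstrip(".")
    if text.startswith("#"):                      # Diffie-Hellman group number
        return int(text[1:].split()[0])
    return _KEYWORDS.get(text, text.split(" - ")[0].lower())

def parse_isakmp_policies(output):
    """Parse 'show crypto isakmp policy' output into a list of policy dicts."""
    policies = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Protection suite of priority"):
            policies.append({"priority": int(line.rsplit(" ", 1)[1])})
        elif line.startswith("Default protection suite"):
            policies.append({"priority": 65535})  # the default is tried last
        elif ":" in line and policies:
            key, _, value = line.partition(":")
            if key.strip() in _FIELDS:
                policies[-1][_FIELDS[key.strip()]] = _keyword(value)
    return policies

def differing_attributes(local, remote):
    """Attributes on which two policies disagree; an empty list means they match."""
    return [a for a in ATTRS if local.get(a) != remote.get(a)]

def matching_pairs(local, remote):
    """Pairs (local_priority, remote_priority) that would negotiate, lowest priority first."""
    return [(lp["priority"], rp["priority"])
            for lp in sorted(local, key=lambda p: p["priority"])
            for rp in sorted(remote, key=lambda p: p["priority"])
            if not differing_attributes(lp, rp)]
```

With the samples above, matching_pairs returns no pair at all and differing_attributes shows that R1's policy 110 and R2's policy 20 disagree only on the hash, which is exactly the kind of mismatch that produces the Main Mode error.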

8.5 Implementing Site-to-Site IPsec VPNs with CCP

Configuring IPsec VPN Configuration with CCP
Steps for IPsec VPN Configuration with CCP
▪ In addition to configuring IPsec VPNs via CLI, it is possible to
configure them using a CCP wizard.
▪ To select and start a VPN wizard, follow these steps:
Step 1. Click Configure in the main toolbar.
Step 2. Click the Security folder and then click the VPN subfolder.
Step 3. Select a wizard from the VPN list.
Step 4. Click the VPN implementation subtype.
Step 5. Click Launch the selected task to start the wizard.

Configuring IPsec VPN Configuration with CCP
Steps for IPsec VPN Configuration with CCP Cont.
Step 1. Click Configure in the main toolbar.

Configuring IPsec VPN Configuration with CCP
Steps for IPsec VPN Configuration with CCP Cont.
Step 2. Click the Security folder and then click the VPN subfolder.

Configuring IPsec VPN Configuration with CCP
Steps for IPsec VPN Configuration with CCP Cont.
Step 3. Select a wizard from the VPN list.

Configuring IPsec VPN Configuration with CCP
Steps for IPsec VPN Configuration with CCP Cont.
Step 4. Click the VPN implementation subtype.

Configuring IPsec VPN Configuration with CCP
Steps for IPsec VPN Configuration with CCP Cont.
Step 5. Click Launch the selected task to start the wizard.

Configuring IPsec VPN Configuration with CCP
CCP VPN Wizards
Under the VPN folder are three subfolders:
• The SSL VPN
• The GET VPN
• VPN components

Configuring IPsec VPN Configuration with CCP
Site-to-Site VPN Wizards

Configuring IPsec VPN Configuration with CCP
Quick Setup and Step-by-Step Wizard

VPN Wizard – Quick Setup
Quick Setup

VPN Wizard – Quick Setup
Finishing Quick Setup

VPN Wizard – Step-by-Step Setup
Step-by-Step Setup
Step 1. Choose the outside interface to connect to the IPsec peer over the untrusted network.

VPN Wizard – Step-by-Step Setup
Step-by-Step Setup Cont.
Step 2. Specify the IP address of the peer.

VPN Wizard – Step-by-Step Setup
Step-by-Step Setup Cont.
Step 3. Choose the authentication method and specify the credentials. Use long, random PSKs to prevent brute-force and dictionary attacks against IKE.

VPN Wizard – Step-by-Step Setup
Step-by-Step Setup Cont.
Step 4. Click Next.

VPN Wizard – Step-by-Step Setup
IKE Proposal
Step 1. Click Add to define a proposal and specify the IKE proposal priority, encryption algorithm, hashing algorithm, IKE authentication method, DH group, and IKE lifetime.

VPN Wizard – Step-by-Step Setup
IKE Proposal Cont.
Step 2. From the Add IKE Policy window, configure the IKE proposal specifics and click OK when done.

VPN Wizard – Step-by-Step Setup
IKE Proposal Cont.
Step 3. When finished adding IKE policies, choose the proposal to use. Click Next.

VPN Wizard – Step-by-Step Setup
Transform Set
Step 1. Click Add to define the transform set and specify the name, integrity algorithm, encryption algorithm, mode of operation, and optional compression.

VPN Wizard – Step-by-Step Setup
Transform Set Cont.
Step 2. From the Add Transform Set window, configure the transform set specifics and click OK when done.

VPN Wizard – Step-by-Step Setup
Transform Set Cont.
Step 3. When finished adding transform sets, choose the transform set to use, and click Next to proceed to the next task.

VPN Wizard – Step-by-Step Setup
Traffic to Protect – Subnet to Subnet
Step 1. On the Traffic to Protect window, click the Protect all traffic between the following subnets option.

VPN Wizard – Step-by-Step Setup
Traffic to Protect – Subnet to Subnet Cont.
Step 2. Define the IP address and subnet mask of the local network where IPsec traffic originates.

VPN Wizard – Step-by-Step Setup
Traffic to Protect – Subnet to Subnet Cont.
Step 3. Define the IP address and subnet mask of the remote network where IPsec traffic is sent.

VPN Wizard – Step-by-Step Setup
Traffic to Protect – Custom ACL
Step 1. On the Traffic to Protect window, click the Create/Select an access-list for IPsec traffic option.

VPN Wizard – Step-by-Step Setup
Traffic to Protect – Custom ACL Cont.
Step 2. Click the ellipsis (...) button to choose an existing ACL or to create a new one.

VPN Wizard – Step-by-Step Setup
Traffic to Protect – Custom ACL Cont.
Step 3. To use an existing ACL, select the Select an existing rule (ACL) option. To create a new ACL, select the Create a new rule (ACL) and select option.

VPN Wizard – Step-by-Step Setup
Configuration Summary – Add a Rule
Step 1. Give the access rule a name and description.
Step 2. Click the Add button to start adding rule entries.

VPN Wizard – Step-by-Step Setup
Configuration Summary – Add an Entry
Step 1. From the Select an action drop-down list, select an action and enter a description of the rule entry in the Description text box.

VPN Wizard – Step-by-Step Setup
Configuration Summary – Add an Entry Cont.
Step 2. Define the source hosts or networks in the Source Host/Network pane, and the destination hosts or networks in the Destination Host/Network pane.
Each rule entry defines one pair of source and destination addresses or networks. Be sure to use wildcard bits and not the subnet mask bits in the Wildcard Mask field.

VPN Wizard – Step-by-Step Setup
Configuration Summary – Add an Entry Cont.
Step 3. (Optional) To provide protection for a specific protocol, choose the desired protocol radio button (TCP, UDP, or ICMP) and the port numbers. If IP is selected as the protocol, the rule applies to all IP traffic.

VPN Wizard – Step-by-Step Setup
Configuration Summary – Summary
▪ At the end of the configuration, the wizard presents a summary of the configured parameters.
▪ To modify the configuration, click Back. Click the Finish button to complete the configuration.

Verifying, Monitoring, and Troubleshooting VPNs
Testing the Tunnel
▪ Click Generate Mirror to generate a mirroring configuration that is required on the other end of the tunnel.
▪ This is useful if the other router does not have CCP and must use the CLI to configure the tunnel.
▪ Click Configure > Security > VPN > Site-to-Site VPN > Edit Site to Site VPN > Test Tunnel.
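Added example, written here rather than taken from the slides or from CCP: it builds the crypto ACL entry for subnet-to-subnet traffic with the wildcard mask derived from the subnet mask (the mistake the note on the Wildcard Mask field warns about), flags a subnet mask typed into that field, and produces the mirrored entry the peer router needs, which is the ACL part of what Generate Mirror supplies. The subnets and ACL number in it are constructed sample values.

```python
import ipaddress


def to_wildcard(subnet_mask):
    """Convert a dotted subnet mask to the wildcard mask an IOS ACL expects
    (255.255.255.0 -> 0.0.0.255). Raises ValueError for a non-contiguous mask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{subnet_mask}").hostmask)


def classify_wildcard(value):
    """Tell whether a Wildcard Mask field holds a real wildcard ('ok'), a subnet
    mask typed by mistake ('subnet-mask'), or neither ('invalid')."""
    bits = int(ipaddress.IPv4Address(value))
    inverse = bits ^ 0xFFFFFFFF
    if bits & (bits + 1) == 0:          # contiguous low 1 bits, e.g. 0.0.0.255
        return "ok"
    if inverse & (inverse + 1) == 0:    # contiguous high 1 bits, e.g. 255.255.255.0
        return "subnet-mask"
    return "invalid"


def crypto_acl_entry(acl_number, src_net, dst_net):
    """One 'permit ip' crypto ACL line; networks may be written as address/prefix
    or address/subnet-mask, and the wildcard is derived from them."""
    src, dst = ipaddress.IPv4Network(src_net), ipaddress.IPv4Network(dst_net)
    return (f"access-list {acl_number} permit ip "
            f"{src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")


def crypto_acl_pair(acl_number, local_net, remote_net):
    """Local entry plus the mirrored entry for the peer router: the peer must
    match the same traffic with source and destination swapped, otherwise the
    proxy identities exchanged in IKE Phase 2 will not agree."""
    return {"local": crypto_acl_entry(acl_number, local_net, remote_net),
            "mirror": crypto_acl_entry(acl_number, remote_net, local_net)}


if __name__ == "__main__":
    # Constructed sample subnets, not taken from the slides.
    pair = crypto_acl_pair(110, "10.1.1.0/255.255.255.0", "10.2.2.0/24")
    print("R1:", pair["local"])
    print("R2:", pair["mirror"])
    for field in ("0.0.0.255", "255.255.255.0", "0.0.255.0"):
        print(field, "->", classify_wildcard(field))
```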
Verifying, Monitoring, and Troubleshooting VPNs
View IPsec Tunnels
To view all IPsec tunnels, their parameters, and status, on the Cisco Configuration Professional window, click Monitor > Security > VPN Status > IPsec Tunnels.

8.6 Implementing Remote-Access VPNs

Shift to Telecommuting
Advantages of Telecommuting
▪ Organizational benefits:
• Continuity of operations
• Increased responsiveness
• Secure, reliable, and manageable access to information
• Cost-effective integration of data, voice, video, and applications
• Increased employee productivity, satisfaction, and retention

▪ Social benefits:
• Increased employment opportunities for marginalized groups
• Less travel and fewer commuter-related issues

▪ Environmental benefits:
• Reduced carbon footprints, both for individual workers and
organizations

Shift to Telecommuting
Benefits of Telecommuting
▪ Telecommuting offers organizational, social, and
environmental benefits.
▪ Studies have shown that telecommuting improves employee
lifestyles by decreasing job-related stresses.
▪ There may be some drawbacks.
▪ Example - telecommuters working from home can
experience distractions that they would not have at work.

Introducing Remote Access VPNs
Remote-Access VPN Options
There are two primary methods for deploying remote-access
VPNs, as shown in the figure:
1. IPsec
2. SSL

[Figure: IPsec Remote Access VPN | Any Application, Anywhere | SSL-Based Access VPN]

Introducing Remote Access VPNs
Access Requirements Determine Remote-Access VPNs
IPsec exceeds SSL in many significant ways:
• Number of applications that are supported
• Strength of encryption
• Strength of authentication
• Overall security

SSL VPNs
Cisco IOS SSL VPN Technology
Cisco SSL VPN delivers many remote-access connectivity features and benefits:
• Web-based clientless access and full network access without
preinstalled desktop software.
• Protection against viruses, worms, spyware, and hackers on a VPN
connection by integrating network and endpoint security in the Cisco
SSL VPN platform.
• Simple, flexible, and cost-effective licensing. SSL uses a single
license.
• Single device for both SSL VPN and IPsec VPN.

SSL VPNs
Types of SSL VPN Access
SSL VPNs provide different types of access:
• Clientless
• Thin client
• Full client

SSL VPNs
Steps to Establishing SSL VPN

SSL VPNs
SSL VPN Design
SSL VPN design considerations:
• User connectivity
• Router feature
• Router hardware
• Infrastructure planning
• Implementation scope

Cisco Easy VPN
Cisco Easy VPN
Cisco Easy VPN consists of three components:
• Cisco Easy VPN Server - A Cisco IOS router or Cisco ASA Firewall
acting as the VPN head-end device in site-to-site or remote-access
VPNs.
• Cisco Easy VPN Remote - A Cisco IOS router or Cisco ASA
Firewall acting as a remote VPN client.
• Cisco VPN Client - An application supported on a PC used to
access a Cisco VPN server.

Cisco Easy VPN
Cisco Easy VPN Cont.

Cisco Easy VPN
Cisco Easy VPN Endpoints

Cisco Easy VPN
Cisco Easy VPN Connection Steps

Configuring a VPN Server with CCP
CCP Tasks for Cisco Easy VPN Server
Configuring Cisco Easy VPN Server functionality using CCP
consists of two major tasks:
Task 1. Configure prerequisites, such as AAA, privileged users, and the
enable secret password, based on the chosen VPN design.
Task 2. Configure the Cisco Easy VPN Server.

Configuring a VPN Server with CCP
CCP Tasks for Cisco Easy VPN Server
On the CCP main window, click Configure, click the Security folder,
click the VPN subfolder, and then select the Easy VPN Server option.

Configuring a VPN Server with CCP
Initial Easy VPN Server Steps
▪ Specify the router interface where the VPN connection will terminate
and the authentication method (e.g., pre-shared keys, digital
certificates, or both).
▪ Click Next to display the IKE Proposals window.

Configuring a VPN Server with CCP
Initial Easy VPN Server Steps Cont.
When configuring IKE proposals, use the default policy that is predefined
by CCP or add a custom IKE Policy.

Configuring a VPN Server with CCP
Selecting the Transform Set

Configuring a VPN Server with CCP
Group Authorization & Group Policy Lookup
Easy VPN group policies can be stored:
• Local - All groups are in the router configuration in NVRAM.
• RADIUS - The router uses the RADIUS server for group authorization.
• RADIUS and Local - The router can look up policies stored in an AAA server database that can be reached via RADIUS.

Configuring a VPN Server with CCP
Group Authorization & Group Policy Lookup Cont.
Configure the Group Authorization parameters

Configuring a VPN Server with CCP
Easy VPN Server Summary
After all the steps are completed, the Easy VPN Server wizard displays a
summary of the configured parameters.

Configuring a VPN Server with CCP
Easy VPN Server Summary Cont.

Configuring a VPN Server with CCP
Easy VPN Server Summary Cont.

Connecting with a VPN Client
Cisco VPN Client
▪ The Cisco VPN Client is simple to deploy and operate.
▪ It allows organizations to establish end-to-end, encrypted VPN tunnels
for secure connectivity for mobile employees or telecommuters.

Connecting with a VPN Client
Connection Status
▪ When the Cisco VPN client is installed, open the Cisco VPN client
window to start an IPsec VPN connection on a PC.
▪ The application lists the available preconfigured sites.

Summary
▪ A VPN is a private network that is created via tunneling
over a public network, usually the Internet.
▪ Organizations typically deploy site-to-site VPNs and
remote access VPNs.
▪ GRE is a tunneling protocol that is used to create a point-to-point link to Cisco routers.
▪ GRE supports multiprotocol tunneling, including IP.
▪ IPsec only supports unicast traffic and, therefore, does not
support routing protocols, because they require multicast
or broadcasts. GRE supports multicast or broadcast traffic
and is, therefore, often used in combination with IPsec.

Summary Cont.
▪ VPNs require the use of modern encryption techniques to
ensure secure transport of information.
▪ IPsec is a framework of open standards that establishes
the rules for secure communications.
▪ IPsec relies on existing algorithms to achieve encryption,
authentication, and key exchange.
▪ IPsec can encapsulate a packet using either Authentication Header (AH) or the more secure option, ESP.

Summary Cont.
▪ IPsec uses the IKE protocol to establish the key exchange
process.
▪ There are several tasks required to create a site-to-site
VPN:
• Ensure that the existing ACLs on perimeter routers, firewalls, or
other routers do not block IPsec traffic.
• Define the parameters within the IKE policy, which are used
during negotiation to establish ISAKMP peering.
• Define the IPsec transform set, which consists of a combination of
an AH transform, an ESP transform, and the IPsec mode.
• Configure the crypto ACL to define which traffic is protected
through the IPsec tunnel.
• Create and apply a crypto map that specifies the parameters of
the IPsec SAs.
Summary Cont.
▪ More organizations offer telecommuting options to their
employees.
▪ Remote access connections can be provided using a
remote access IPsec VPN solution or an SSL VPN.
▪ SSL VPN is a technology that provides remote-access
connectivity from almost any Internet-enabled location with
a web browser and its native SSL encryption.
