VPNs And IPSec In today’s world, it’s not enough to have remote communications a6 of a button or the click of a mouse. We need those communications) Secure as possible, and that's what Virtual Private Networks (VPNs) are! It’s the “private” part of VPN that we're most concerned with, sinew Security to a connection using a shared channel, treating that shared though it were a private network through an existing communication outlet, such as a Serial i = We can apply security rules and policies to the tunnel ito the connection we're tunneling through. WWPNs are sometimes called tunnels, since the VPN is bring data origin authentication, encryption, and: origin authentication allows the receiverVPNs bring data origin authentication, encryption, and data integrity to the table. Data origin authentication allows the receiver to guarantee the source of the packet. VPN Data Origin Authentication 172,12,123.1 ‘Are these packets REALLY coming from 172.12,423,1? encryption makes the contents of packets unreadable during transmissi Making intercepted packets useless to the interceptor Packet Content Regents DGHLRUUG Content ofhuge security hole is corrected by IP Security, gent . (Be careful how you type that, stranger.) IPSec offe ion, and is a combination of three protocols: Authentication Header (AH), which defines a method for auth ring data Encapsulating Security Payload (ESP), which defines a lauthenticating, security, and encrypting data Internet Key Exchange (IKE), which negotiates the security part ithentication keys The 1PSec Packet Format we esp. ; Header | *" | Header | PatDefined in RFC 2402, Authentication Header (AH) offers solid data origin authentication and optional anti-replay protection. The di AH is that the authentication it provides for the IP header is not of the IP fields cannot be correctly predicted by the receiver, sineé change during transmission. AH will protect the IP packet’s payload. In short, AH offers data origin authentication, data integrity, an play protection. AH does not offer data confidentiality. The Encapsulating Security Payload (ESP) does just that, Wil ind Trailer encapsulating the data. ESP offers data origin ‘protection, and data confidentiality. :Transport mode encrypts the IP packet's payload, but th sserted directly after the IP header. As a result, there is no p original IP address, it’s the original IP address that’s used for data from the Transport layer up is protected by IPSec. There are five main steps in creating an IPSec VPN. We start initialization via the receipt of interesting traffic, which is a really saying “The VPN creation process starts because traffic we said $0”. That interesting traffic is defined by a crypto access-list. Ne Phase 1, where the IKE SA (Internet Key Exchange Security negotiated Next in line is IKE Phase 2, where the IPSec SA is negotiat Completed, the IPSec tunnel (also called the IKE Phase omplete, he self-explanatory data transfer now takes place, te, the tunnel is torn down. This tunnel termi fter a certain number of bytes have passLet's get started! Creating The IKE Policy First things first - be sure the Internet Security Association: Management Protocol (ISAKMP) is on via the crypto isakmp enable should be on by default. Should be. © RL (gontian dery Ree enable isplay the current IKE policies, run show crypto ‘sakmp hereated ‘one yet, there won't be one... yetiion algorithm: pes!The IKE Policy things first - be sure the Internet Security Association nagement Protocol (ISAKMP) is on via the crypto isakmp enable co iid be on by default. Should be. Neonfig) crypto isakmp enable isplay the’current IKE policies, run show crypto isakmp policy. Sines. fe ‘Created one yet, there won't be one. Suthentication m, Diffie-Helinan gCity ye) Rie it) re) ) Cand CCC SCM CUCU B TRO BOAR Lo CCL RL) Ne Saat 0 RAT Car Ld ceed Jul 14 21:57:42,488: MSYS-5S-CONFIG_I: Configured from console by console rst) nm Ome end meee TIBI g Po aster TSM la kuadd SAUL Pasig algorithm: It seatgara” TT ele RCs ‘Iman group; Crsricctiy Dua RS eeRi(config)#crypto isakmp policy ? pare STE ae tad Cee PCa sae L EL NUR aE DiuarercE tat ta eerie a eer ta Une ICL Unter tart) oes mea Oe Uru Rear ULC uate CU Ceca U RC HMAT RE Cer catr as ECan Cea Ce PC eee Ce a des DES - Data Encryption Standard (56 bit keys). pene aPeE Lue aCe Od pel R1¢config-isakmp)#encryption 3des Peretti Core ere Ow tT ad SMMC MU Bieter oy ceo Poteet oryvar aT cet ae arr a ORT Seo eC mete eo rt a Ce CELLS ra be ber ieee ate At eae eg sf ay § ails te ye no volume Vimit Hy Pay Wave PU eC ay Dra AOL COO RUS OURO— The first value to consider is the policy priority. The lower the higher the priority, with “1” the best possible priority. This value ca to zero and there is no default, so you gotta put something in! Let's and then use IOS Help to see the possibilities. ' Davart Diana i~Adimmat Sti0 _ > Welt go heen vas ie en 1 pre oHarcu Reyes ane an Rl (config-isakmp) #authent ication pre-share Ri (config-isakmp) #encryption ? 3des Three key triple DES aes AES - Advanced Encryption Standard. k des DES - Data Encryption Standard (56 bit keys). We'll go with 3DES. What about the hash algorithm choices? i Ri (config-isakmp) tei Ri (config-isakmp) tha maS There's our old pal MDS along with the Secure Hash Stat the devil we know and use MDS. Ri (confi. mp) # IRL (config-+sha Secure Hash Standard There’s our old pal MDS along with the Secure Hash St the devil we know and use MDS. Ri (config-isakmp) encryption 3des Ri (config-isakmp)#hash 2 md5 Message Digest 5 sha Secure Hash standard Rl (config-isakmp) thash mas We'll set the SA lifetime with the lifetime option, setti number of seconds, which equals 24 hours. BeRL(config-isakmp)#hash maRi (config-isakmp) #1ifetime 2 <60-86400> lifetime in seconds Rl (config-isakmp) + me 864 show crypto isakmp policy displays the default suite” wrote. hash agora thms authentication Diffie-Hellman) gak Vw He These policies are all part of IKE Phase 1. If Phase 1 have a Phase 2! Phase 1 begins with the connection initiator to the desired VPN partner. IKE Phase 1 Begins! - ==) The recipient will then att: to find a match for that policy al policies, starting with its lowest numbered policy. If that polit the recipient checks its next lowest numbered policy, and So is found (or not) a It would be intuitive to think the policy match has to be it that’s not quite the case. The hash, encryption Hellman group number all have to match. When it com recipient policy must have a lifetime equal to o1 licy’s lifetime is lower tiist] Uae ee CBs ai Bet CT Ree ai rua Sauna aC SCLC a Cee IL Cae sae Lad i ST aCe ah MT client Set client configuration policy rca ree lg " identity ESC sks oc ae invalid-spi-recovery Initiate IKE and send Invalid SPI Notify ca Set a keepalive interval for use with IOs peers key SSS aa rg BSS OR Ce ig ee Ag abt ESS ee cae A Sales rand profi emia Eater inate R1(config)#crypto isakmp key 7 Mee INN alee eT Gea Pee tise ire taeae Define ISAKMP Profiles Peay Oa sr a ate tee R1(config)#crypto isakmp key ? PS abate Un scale ed 6 Specifies an ENCRYPTED password will follow RSA eT Re ad OMe oo amt a ce Bea) CNC arn 1 RT and atte elt re era Po Le OM arom ary NCD Leek Oak ae Wee ote ce ee UAT te Er OR oe Ue Lee ees Cee SC ee ae a) ac no-xauth Bypasses XAuth for this peer ors) = the IPSec Transform Sets! Sounds complicated, individual parameters that will enforce a security policy. Unsurpri endpoints must agree exactly on which encryption and algorithms wil D create the IPSec SA. MP policies, multiple transform sets can be wi ., The remote peer compares each set reKMP policies, multiple transform sets can be written and ‘a remote peer. The remote peer compares each set received agai sets, and when a match is found, the IPSec SA is built. We'll IPSec transform set right now via the crypto ipsec transform- ‘command. You do have to give it a name and then decide whether you're usil ESP or AH B3(config) terypto ipsec transform ah-md5-hma aH 7 ah-sha-hma ah-2ha2s« ion algorit (6s bitsy 5 j SEAL cipher aise aos :pe et Eta tiem Rar ta aires Pike eC er ee ee as esp-3des ia eer 9 esses a oe eS eae 9 erry aa ee eae usual usc rus usc usc Us cia Pusch using 3DES(EDE) cipher (168 bits) using AES cipher PSs ee an) PS ee eae Uby iar using SEAL cipher (160 bits) Pare Weta Ik1(config)#crypto ipsec transform-set CCNP_LAB ah-mdS-hmac_? aa ‘IP Compression using the 12S compression algorithm eee isd ec a ee a Pe eS Peg a esp-seal a eee sa Pusu Rusu RUS au Suda) Sua Pusch using 3DES(EDE) cipher (168 bits) PSC PS aa ea) PSUR eet kari using SEAL cipher (160 bits) PSC ee Metta RCRD Le sie akc uuu ae ee ki Ccfg-crypto-trans, fe PS auesp-nul] SSScuyees pe eC he Maret) eee ao rst mea ne ect etry PRC a ah at eee OCR Le Tog or ead IP Compression using the LZS compression algorithm esp-3des ESP transform using 3DES(EDE) cipher (168 bits) oer sco west Peary su weal ee) SC a ee ee es, alee esp-seal ESP transform using SEAL cipher (160 bits) Se ee SSMS one a pa Spee ees ‘ipsec transform-set CCNP_LAB ah-mdS-hmac R1Ccfg-crypto-trans)#tunnel ? Wires ec R1(cfg-crypto-trans)#mode 7. transport transport (payload encapsulation) mode pines tunnel (datagram encapsulation) mode ie Seeded STU R1¢cfg-crypto-trans)#exit Cneeiar LdR1(config)#crypto ipsec transform-set CCNP_LAB ah-md5-hmac Ri(cfg-crypto-trans)#tunnel ? Vere ed CNG Pag emer OL ag transport transport (payload encapsulation) node aa tunnel (datagram encapsulation) mode R1(cfg-crypto-trans)#exit Ri(config)#crypto ipsec 7? iran Configure a client df-bit Pe a iets taro Pep aakie tie a Saat og Sra ee sa Oastirl ER at sie Seance ae saat Configure an ipsec policy profile mee a rune alsa acl eas rues Pais Reese CHa meas Pri} R1(config)#crypto ipsec_security-association ? SPs oem itor srt hs ob CC Ue eC Seat Meer Tse cor tat a ranma eoThe crypto ACL is the exact same ACL that we've been writing our career, just put to a different use and a slightly different operation. A cry evaluating outbound traffic decides which traffic flows will be protected and which ones will not. Traffic permitted by the ACL is protected denied by the ACL are transmitted without IPSec’s protection. IP Sec Traffic (Encrypted) “eS Non-IP Sec Traffic (Non-Encrypted) ypto ACL “permit” on inbound traffic indicat ad when.it arrives. If-said traffic arrivNon-IP Sec Traffic (Non-Encrypted) Accrypto ACL “permit” on inbound traffic indicates traffic that should be I ected when it arrives. If said traffic arrives and is not so protected, will drop that traffic. Non-FP Sec Traffic iit Be i ‘Non-Encrypted, ae c ca lould be.Indicates this trot should be encrypted. Can't trust it, so 1'l dump it.” ‘Crypto ACLs are used to evaluate both inbound and outbound traffic; there 0 “in” or “out” when applying a crypto ACL to an interface. Basically, the s. is read forward for outbound traffic and backwards for inbound sume this ACL is on R1 Bifcontig)#access-list 103 permit iS$: 172.12.123.1 The IPSec Decision on Ri Is the source 172.12.123.1, and is the destination 172.12.123.3? = and backwards for incoming traffic.The IPSec Decision on Ri: “Is the source 172.12.123.1, and is the destination 172.12.123.3? .. and backwards for incoming traffic. S:172.12.123.3 D: 172.12.123.1 “ti do The IPSec Decision on RL 4 "Is the source 172.12.123.3, and is the destination 172.12,123.12%ehavior makes it vital to put a symmetrical ACL on ti int, not an identical one. We can’t just cut and paste this Ri (config) #access-list 103 permit ip host 172.12.123,1 host 172e4@ Instead, we need to put a mirror image of that ACL on R3. R3(config) taccess-1i F p host 172.12.123.3 host) gama _ There's no problem using host in a crypto ACL, but Cisco strongly against using any, especially permit any any. You can end up with way nerypted traffic leaving the interface and / or dropping pted incoming contro! traffic. sert into eryBee onfigurationSees OMC LU ee eed Sua Se Te near Hua rea ap ad CR UT) Tal gaa RRS ae . poet thee Sequence to insert into crypto map entry Specify client configuration settings pret Ramet onal ae pre ee akg ea eer ete st ow ee et ec Peer, Per a aCe ret Drake aang Seer mean nm aL)Peri eeat Scart ein arte ore (RCC ap REL eae a Sst Sc aan see Ra rg Selec ae oe eS Ct me) Por) Access-list name iconfig-crypto-map)#match address 103 PRS ee Lead aod PCS Mera ss pace ae Cd Sn Rae een ES Pa meruarsty i Be a3 ace Specify pfs settings Garant ume eke Ssh atie Us Se aed Baer ee aac (config-crypto-map)#set peer ? A.B8.C.D IP address of peer or Pe ee Oe accuses Les Lee eae eae Cee) suareaaeens #set transform-set CCNP_LABery SSR 3 Sars ao UN nse Soe ane sey Se ee ass SSS sae cea Came phew Seesevar ue cre tote Ste sa ot te LE eee {(config-crypto-map)#set peer ? A.8.C.D IP address of peer Po) paren an rary Seite sed eal herp [config-crypto-map)#set transform-set CCNP_LAB ims SS [config)#int seri: iJ : ee aeaa scart Se ee ne a Sending 5, 100-byte ICMP Echos to 172.12.123.3, timeout is 2 seconds DUI 16 00:02:24,427: IPSEC(sa_request): , ICTS ea Ci eae te ae Pee EES AS aoa Eee ee Tocal_proxy= 172.12.123.1/255.255.255.255/0/0 (type=1), TS ie ECPI aA OS ae x) ee Use oe ec Dee ier rou lim 0 ES OFS CII Seti Ra enced WR OUCE YE SCL Cg CAL ie ae ee ie he eae ae (key eng. msg.) INBOUND local= 172.12.123.1, remote= 172.12.123.3, Tri hss i LPC R UCT LT IL ELT Oars iio te re CLRe EACLE cry OS aa RUM eae et aT ee RL TOM et Ok MOE oe aL ead BREE ee Dee aa pirat ris 1METTLE 60(884221280), conn_id= 0 TEM SCM a ta success rate is 80 percent (4/5), round-trip min/avg/max Centrality Te EOE IG Coal g “her ere ae] xara oO cand Cy as re) ie 16 00:02:25.157: IPSEC(crypto_ipsec_sa_find_ident_head): reconr FUL g ae ere ee) +157: IPSec: Flow_switching Allocated flow for sib] ae IPSEC(policy_db_add_ident): src 172.12.123.1, 6 157: IpseCc(create_sa): sa created, Fw oae Eee Pere ie On Tt oa Cee te ae kel Le a_trans= ah-mdS-hmac , sa_conn_id= 2001 SDC Meet ees eee deter yD [OREM ieee rere Se) Pe EMCer erLCL rr rsrtio a SO Cee ae el Ld :Parr ese rah re it ake 157: IPSec: Flow_switching Allocated flow for si 02:25.157: IPSEC(policy_db_add_ident): sre 172.12.123 cae an) Jul 16 00:02:25.157: IPsec(create_sa): sa created, (CS SRT e ae ree ree ary r ane Sa_spi= Ox3AECDOF4 (988598516) , ; h-md5-hmac , sa_conn_id= 2001 IPSEC(create_sa): sa created, Uae eRe LLYN aE 34 ii Mess hn sy fC Ll a] Tega UES Pe BE] Bier reer reg A ts Fy O ’ SanES ee Mey Trento eT OL) ICME Eee CES ee ES oa a Caron fs COUT ks Sho Ee tees Cab CEES UPS weet eet eres) og ident (addr/mask/prot/port): (172.12:123.3/255.255.255.255 ORT Ee a Na-oaeace CRD Ro eee sc ae ese eed #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 Uae as UR eo oo ED #send errors 1, #recv errors 0 ES URL ae eR Pe aR pC ee Re CM RE TEES Te Me EM er ret CLL Laelt) ST Re ee ory 1/0 inbound ah sas: eaeSt ee eo Spi: Ox3AECDOF4 (988598516) SMe Lecce eran Esso esa CC Mea RR ee ag iming: remaining key lifetime (k/sec): (4594752/1674) CSS eee Barwa Beccary Sess eta LAS conn id: 2002, flow_id: SwW:2, crypto map: CCNP. sa timing: remaining key lifetime (k/sec): (4594752/1617) POEs uee a ad Status: ACTIVE Oe eer ce Rt| Introduction To DMVPN For the sake of clarity and sanity, I’ve left the cloud out of the illustrations. We have six remote office spokes and one central office hub. Spoke 3 S Ss Ss Central Office - Ss a) spoke 3 S first thing any of us learned about hub-and-spoke networks is: communication has to go through the hub. To have It manner possible, we need to allow go through the hub.first thing any of us learned about hub-and-spoke networks oke communication has to go through the hub. To have our most efficient manner possible, we need to allow direct sp that do not go through the hub. We could implement a full mesh of VPNs, but as with static routing and a full mesh is a technically correct manner of getting things done that comes @ ton of overhead and some administrative nightmares on the side at no ge. Each spoke router would require us to configure five VPNs. Wo eventual troubleshooting that comes with that much static config fact that the VPNs will stay up even when there’s no traffic going 's a real waste of router resources and bandwidth. ymuch more efficient solution, DMVPN (Dynamic Multipoint VP <€ router to dynamically create a VPN to another spoke when # meeded, and then to tear that same VPN down. when it's) does not work in a vacuum. Far from it! For DM! peration of...= ___ A much more efficient solution, OMVPN (Dynamic Multipoint _ Spoke router to dynamically create a VPN to another spoke when the actually needed, and then to tear that same VPN down when it’s no needed. DMVPN does not work in a vacuum. Far from it! For DMVPNs to work, need the cooperation of «. a stable dynamic routing protocol (and / or a static route) .. GRE (mGRE, to be specific) NHRP, the Next-Hop Routing Protocol «=. and IPSec! familiar with IPSec, and we'll discuss mGRE and NHRP in ROW, a quick work regarding the routing protocol this is really obvious, but I’m mentioning it since For a router to build a dynamic tunnel to,; to know how to reach the remote router. Remember, the directly involved in the tunnel build; the DMVPN goes directly from On a related point, if you see the tunnel bouncing or flapping - that ‘up, then down, then up, then down - that indicates the local router reach the remote router only intermittently. That can be anything from a adjacency issue to an unstable OSPF area (and just about anything in Tn short, if your loca! router has issues reaching the remote router for tunnel’s going down: When it comes to troubleshooting DI With the connectivity (or lack of same) to the remote router, then ‘IPSec. speaking of mGRE ¥s got gaps, I got gaps, tog we fill gaps.” ~~ Rocky ‘one glaring weakness - the inability to GRE can encapsulate multicast packets, Over IPSec. Basicallreally comes in handy in our dreaded hub-and-spoke tipoint GRE makes it possible for the hub to use only one interface for as tunnels as you need. Thing is, if we have a single multipoint interface on and multiple endpoints for our tunnels, we gotta have some apping in there. That’s where the Next Hop Resolution Protocol (NHRP) MULTIPOINT Subintertaci (On NHRP ServerIHRP deployment uses the client-server model, with our hub ‘and the spokes as the client. The clients send two IP addresses to the one identiying the physical address used for the tunnel and the other | i assigned to the tunnel itself. The server puts this info in its _ database. Phys IP; 172.12.123.2/ Tunn IP: 10.1.1.2Phys IP: 172.12.123.2 Tunn IP: 10.1.1.2 a R2: NHRP Client database comes into play when one of our spokes needs to another. When R2 wants to build a tunnel to R3, R2 face IP address is mapped to the tunnel IP. database for the answer, Ri answer tunnel to R3. When NHRP info is li see the authoritative flagtunnel to R3. When NHRP info is received di ver, you'll see the authoritative flag set in the output “What IP phys. address is mapped to 10.1.1.3?” R2: NHRP Client 5 in a similar fashion to 2 While we'll have. > want to point out the ti waathe tunnel source as usual... Ri (config) #int tunnel 0 Ri(config-if)#ip address 10.1.1.1 255 Ri (config-if)#tunnel source serial 0/2 Ri (config-if) #tunnel destination ? Hostname or A.B.C.D ip address Brox: TPvé addres s. but you: will not put a single destination address, since an doesn't have a single destination. Instead, be sure to configure the ‘as gre multipoint. Bi (config) #3 Bi (config-it) +ir Meonfig-it) tun: Meonfig-if)ttunne! ae Hostname or A? setunped mode? ‘TunnelTalkyApple?alk 21IPVv6 address Rl (config-if)#tunnel mode ? aurp cayman dvmrp eon gre ipip ipsec Ri (cofttig ap apye AURP TunnelTalk AppleTalk encapsulation Cayman TunnelTalk AppleTalk encapsulation DVMRP multicast tunnel EON compatible CLNS tunnel generic route encapsulation protocol IP encapsulation 1 encapsulati Gultipoin (contig‘RUN Compacipie LLNS cunnes generic route encapsulation protocol IP over IP encapsulation IPSec tunnel encapsulation Apple IPTalk encapsulation Generic packet tunneling in IPvé IPv6 over IP encapsulation MPLS encapsulations IP over IP encapsulation KASQ/NOS. compatible) RBSCP in IP tunnel ip ipvé multipoint Bi (config-it) stun Meonfig-is) + Final Word Regarding GRE

UAE Fa0/0.4PRS PSs ee ee ee en ne 4 iA Reap a Aug 21 11:05:07.470: %SYS-5-CONFIG_I: Configured from console by console R1#show ip vrt Name Dg) Bar aod Witz} porary ed pia Ee) pitaprsse Fa0/0.4 SERUM Cee ia ee se ee ee eo D - EIGRP, EX’- EIGRP external, O ~ OSPF, IA -'OSPF inter area CMe aos aS] On ee gC aa Ld El - OSPF external type 1, E2 - OSPF external type 2 {- IS-1S, su - IS-IS summary, 11 - IS-IS level-1, 12 - Is-Is level- ia - Is-IS inter area, * - candidate default, U -'per-user static rc Ce a aah DAO Rd Set RIeens i .05 Re ae ee Ce eg D - EIGRP, EX'- EIGRP external, 0 ~ OSPF, IA - OSPF inte N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-Is, su - IS-IS summary, 11 - IS-1S level-1, L2 - Is-Is 1 ia - Is-IS inter area, * - candidate default, U -'per-user static Ce oa OY eee ae Gateway of last resort is not set stead reece eat UC eR 2 R1(config)#int fast 0/0.2 R1(config-subif)j#ip address 10.2.2.1 255.255.255.0 Taree alae ay oe} Pict aa tater seer aie ae) picaat eer aby acca I ae R1(config-subif)#AZ oe *Aug 21 11:09:05.043: %SYS-5-CONFIG_I: Configured from console by console a aes ae PSE me as ee