
SCOR 08

• VPN.
• Organizations deploy VPNs to provide data integrity, authentication, and data encryption to ensure
confidentiality of the packets sent over an unprotected network or the Internet.
• VPNs were originally designed to avoid the cost of unnecessary leased lines.
• Different VPN protocols:
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Forwarding (L2F) Protocol
- Layer 2 Tunneling Protocol (L2TP)
- Generic Routing Encapsulation (GRE) Protocol
- Multiprotocol Label Switching (MPLS) VPN
- Internet Protocol Security (IPsec)
- Secure Sockets Layer (SSL)
• VPN Types.
• Site-to-site VPNs.
• Enable organizations to establish VPN tunnels between two or more network infrastructure devices in different
sites.

• Remote-access VPNs.
• Enable users to work from remote locations such as their homes, as if they were directly connected to their
corporate network.

SCOR Page 1

• An Overview of IPsec.
• IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site or
remote-access VPN tunnels.
• Phase 1 (IKE SA) negotiations:
- Encryption algorithms (DES, 3DES, AES)
- Hashing algorithms (MD5, SHA)
- Diffie-Hellman groups
- Authentication method (PSK, PKI)
- IKE SA lifetime
• Phase 2 (IPsec SA) negotiates the transform set (ESP or AH, encryption and integrity algorithms, tunnel or
transport mode), the traffic to be protected, the IPsec SA lifetime and, optionally, PFS.

• SPI (Security Parameter Index).
• A 32-bit value carried in every ESP and AH header that tells the receiver which Security Association (SA) the
packet belongs to. SAs are unidirectional, so a tunnel has one SPI per direction.
• Think of it as a unique serial number for each SA (SPI 0 is reserved and never assigned).

• IPsec protocols:
• Encapsulating Security Payload (ESP): IP protocol 50. Provides confidentiality (encryption), integrity and origin
authentication; its Next Header field sits inside the encrypted part of the packet.
• Authentication Header (AH): IP protocol 51. Provides integrity and origin authentication only (no encryption) and
also covers the outer IP header, so it fails when a NAT device rewrites addresses.
• IPsec can use two modes with either AH or ESP:
• Tunnel mode: protects the entire original IP packet, which is encapsulated behind a new outer IP header (the usual
mode for site-to-site and remote-access VPNs).
• Transport mode: keeps the original IP header and protects only the upper-layer payload, such as User Datagram
Protocol (UDP) and TCP (typical for host-to-host traffic or GRE over IPsec).

• NAT Traversal (NAT-T).
• Allows IPsec traffic to cross a NAT device. ESP carries no port numbers, so a NAT cannot track or translate it;
NAT-T detects a NAT on the path during the IKE exchange and then encapsulates ESP inside UDP on port 4500.
• This is usually needed if your ISP is doing NAT, or the external interface of your firewall is connected to a
device that has NAT enabled.
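The headers discussed above (SPI, ESP, AH, tunnel vs transport mode and the NAT-T UDP wrapper) can be checked by hand. The parser below is an added example, not code from the original notes; it builds its own sample packets (addresses 1.1.1.1, 2.2.2.2, 10.0.0.5 and 20.0.0.9 are constructed, the "ciphertext" is filler) and shows one thing the bullets only hint at: AH reveals the mode through its Next Header field, while ESP hides it.

```python
"""Added example (not from the original notes): classify IPsec packets by their
outer headers and extract the SPI that selects the SA. Sample packets below are
constructed by hand; addresses are placeholders."""
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17
IPPROTO_ESP, IPPROTO_AH = 50, 51
NAT_T_PORT = 4500             # UDP port used by NAT-T (RFC 3948)
NON_ESP_MARKER = b"\x00" * 4  # IKE inside UDP/4500 is prefixed with four zero bytes


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header: no options, checksum left at 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload


def udp(sport, dport, body):
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def esp(spi, seq, ciphertext):
    """ESP: SPI and sequence number in the clear, everything else encrypted."""
    return struct.pack("!II", spi, seq) + ciphertext


def ah(next_header, spi, seq, icv):
    """AH: next header, length (32-bit words minus 2), reserved, SPI, seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:]


def classify(pkt):
    """Return the IPsec protocol in use, its SPI/sequence and, where visible, the mode."""
    proto, _src, _dst, payload = parse_ipv4(pkt)
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        # ESP's Next Header is inside the encrypted trailer, so tunnel vs transport
        # mode is not readable on the wire; only the SA state knows it.
        return {"kind": "ESP", "spi": spi, "seq": seq, "mode": "unknown-from-wire"}
    if proto == IPPROTO_AH:
        nh, _plen, _res, spi, seq = struct.unpack("!BBHII", payload[:12])
        mode = "tunnel" if nh == IPPROTO_IPIP else "transport"
        return {"kind": "AH", "spi": spi, "seq": seq, "mode": mode, "next_header": nh}
    if proto == IPPROTO_UDP:
        sport, dport, _ulen, _csum = struct.unpack("!HHHH", payload[:8])
        body = payload[8:]
        if NAT_T_PORT in (sport, dport):
            if body[:4] == NON_ESP_MARKER:
                return {"kind": "IKE-over-NAT-T", "spi": None}
            spi, seq = struct.unpack("!II", body[:8])  # an ESP SPI is never 0
            return {"kind": "ESP-in-UDP", "spi": spi, "seq": seq, "mode": "unknown-from-wire"}
    return {"kind": "not-ipsec", "proto": proto}


# Constructed samples between VPN peers 1.1.1.1 and 2.2.2.2 protecting hosts behind them.
PEER_A, PEER_B = (1, 1, 1, 1), (2, 2, 2, 2)
HOST_A, HOST_B = (10, 0, 0, 5), (20, 0, 0, 9)
inner = ipv4(HOST_A, HOST_B, IPPROTO_TCP, b"\x00\x50\x1f\x90GET / ...")

# Tunnel-mode ESP: the whole inner packet is the (here: fake) ciphertext.
ESP_TUNNEL = ipv4(PEER_A, PEER_B, IPPROTO_ESP, esp(0x1234ABCD, 7, b"\xaa" * len(inner)))
# Transport-mode AH: AH sits between the original IP header and TCP (next header 6).
AH_TRANSPORT = ipv4(PEER_A, PEER_B, IPPROTO_AH,
                    ah(IPPROTO_TCP, 0x00000101, 3, b"\x11" * 12) + b"tcp segment...")
# Tunnel-mode AH: next header 4 (IP-in-IP), the inner packet follows the ICV.
AH_TUNNEL = ipv4(PEER_A, PEER_B, IPPROTO_AH, ah(IPPROTO_IPIP, 0x00000102, 4, b"\x22" * 12) + inner)
# NAT-T: the same ESP SA wrapped in UDP/4500 so a NAT in the path can translate it.
ESP_NAT_T = ipv4(PEER_A, PEER_B, IPPROTO_UDP, udp(4500, 4500, esp(0x1234ABCD, 8, b"\xaa" * 32)))
# IKE on UDP/4500 carries the non-ESP marker first so the receiver can tell it from ESP.
IKE_NAT_T = ipv4(PEER_A, PEER_B, IPPROTO_UDP, udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28))

if __name__ == "__main__":
    for name in ("ESP_TUNNEL", "AH_TRANSPORT", "AH_TUNNEL", "ESP_NAT_T", "IKE_NAT_T"):
        print(name, classify(globals()[name]))
```

Run it and compare the two AH results with the ESP ones: the SPI 0x1234ABCD is the same in the plain and the NAT-T encapsulated packet because the SA did not change, only the outer wrapper did.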

• IKEv2 (RFC 7296)
• Simplifies the key exchange flows (IKE_SA_INIT and IKE_AUTH replace IKEv1 main/aggressive mode and quick mode;
further SAs and rekeys use CREATE_CHILD_SA) and fixes weaknesses present in IKEv1, such as aggressive mode exposing
the PSK-based hash to offline guessing.
• Both IKEv1 and IKEv2 still work in two stages: an IKE SA is established first, then the IPsec (child) SAs.
• Supports next-generation cryptography (AES-GCM, SHA-2, elliptic-curve DH groups), EAP authentication, built-in
NAT-T and dead-peer detection, and anti-DoS cookies that stop state-exhaustion attacks from spoofed initiators.

• SSL (Secure Sockets Layer) VPN.
• Tunnels the user's traffic inside a TLS session (today TLS, usually with DTLS for latency-sensitive traffic; the
SSL name is historical).
• Can be used for remote-access VPNs, either clientless (browser portal over HTTPS) or with a client; it relies on
the same TLS a browser uses to securely visit any web server via HTTPS.

• Cisco AnyConnect Secure Mobility Client
• Client software for laptops and mobile devices that builds the remote-access tunnel over SSL/TLS (plus DTLS) or
IKEv2/IPsec, so the remote user is treated as if directly connected to the corporate network.


• DEPLOYING AND CONFIGURING SITE-TO-SITE VPNS IN CISCO ROUTERS.

!Configure the ISAKMP (IKEv1 Phase 1) policy. Lower policy number = higher priority.
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 3600
!Pre-shared key for peer 2.2.2.2 (use a long random key in production, never a word like "cisco").
crypto isakmp key cisco address 2.2.2.2

!Crypto ACL: the interesting traffic (10.0.0.0/8 to 20.0.0.0/8) that triggers and is protected by the tunnel.
!The peer's crypto ACL must be the mirror image.
access-list 101 permit ip 10.0.0.0 0.255.255.255 20.0.0.0 0.255.255.255
!Transform set (Phase 2 / IPsec SA): ESP with AES encryption and SHA-1 HMAC integrity, tunnel mode.
crypto ipsec transform-set set1 esp-sha-hmac esp-aes
 mode tunnel
!Crypto map: ties the ACL, transform set and peer together; "ipsec-isakmp" means IKE negotiates the keys.
crypto map mymap 1 ipsec-isakmp
 match address 101
 set transform-set set1
 set peer 2.2.2.2
!Apply the crypto map to the outside (WAN-facing) interface.
interface f1/0
 crypto map mymap
!Verify Phase 1: the peer should show state QM_IDLE and status ACTIVE.
show crypto isakmp sa
!Verify Phase 2 and the number of encrypted/decrypted packets per SA (#pkts encaps / #pkts decaps).
show crypto ipsec sa
• Caveat: 3DES, MD5, SHA-1 and DH groups 1, 2 and 5 are deprecated. For new deployments Cisco's guidance is AES-256,
SHA-256 or stronger and DH group 14 or higher, preferably with IKEv2.
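Because the policy above is a common exam example but a weak production setting, it is worth being able to audit such configs mechanically. The script below is an added example, not part of the original notes or any Cisco tool: it parses "crypto isakmp policy" blocks and "crypto isakmp key" lines from IOS configuration text (the page's own config is embedded as the sample input) and flags settings that fall under the deprecated algorithms listed in the caveat. The IOS defaults applied to unset attributes (DES, SHA-1, RSA signatures, group 1, 86400 s) and the 16-character PSK threshold are the script's own assumptions.

```python
"""Added example (not from the original notes): audit IOS ISAKMP policies and
pre-shared keys for weak settings. SAMPLE is the page's own config, embedded as
constructed input; the weakness table follows Cisco Next Generation Encryption
guidance (avoid DES/3DES, MD5/SHA-1 and DH groups 1, 2 and 5)."""
import re

WEAK = {
    "encr": {"des": "DES is broken", "3des": "3DES has a 64-bit block (Sweet32) and is deprecated"},
    "hash": {"md5": "MD5 is collision-prone", "sha": "'sha' means SHA-1; use sha256 or better"},
    "group": {"1": "768-bit DH", "2": "1024-bit DH", "5": "1536-bit DH"},
}
# IOS values applied when a policy does not set the attribute (assumption for this audit).
DEFAULTS = {"encr": "des", "hash": "sha", "group": "1",
            "authentication": "rsa-sig", "lifetime": "86400"}
POLICY_KEYWORDS = {"encr": "encr", "encryption": "encr", "hash": "hash", "group": "group",
                   "lifetime": "lifetime", "authentication": "authentication"}

SAMPLE = """\
!Configure ISAKMP policies.
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp key cisco address 2.2.2.2
crypto ipsec transform-set set1 esp-sha-hmac esp-aes
"""


def parse_isakmp(config):
    """Return ({policy_number: settings}, [{'key', 'peer'}]) from IOS config text."""
    policies, psks, current = {}, [], None
    for raw in config.splitlines():
        line = raw.split("!", 1)[0].strip()   # drop IOS comments and indentation
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)   # unset attributes keep the defaults
            continue
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", line)
        if m:
            psks.append({"key": m.group(1), "peer": m.group(2)})
            current = None
            continue
        word, _, rest = line.partition(" ")
        if current is not None and word in POLICY_KEYWORDS:
            policies[current][POLICY_KEYWORDS[word]] = rest.strip()
        else:
            current = None   # any other top-level command ends the policy block
    return policies, psks


def audit(policies, psks, min_psk_len=16):
    """List human-readable findings for weak algorithms and short pre-shared keys."""
    findings = []
    for num, p in sorted(policies.items()):
        for attr in ("encr", "hash", "group"):
            value = p[attr].split()[0]        # "aes 256" -> "aes"
            if value in WEAK[attr]:
                findings.append(f"policy {num}: {attr} {p[attr]}: {WEAK[attr][value]}")
    for k in psks:
        if len(k["key"]) < min_psk_len:
            findings.append(f"peer {k['peer']}: pre-shared key is only {len(k['key'])} characters")
    return findings


if __name__ == "__main__":
    pols, keys = parse_isakmp(SAMPLE)
    for finding in audit(pols, keys):
        print("WEAK:", finding)
```

Feed it the output of "show running-config | section crypto isakmp" from a real router; a policy that only says "crypto isakmp policy 10" with nothing under it will be reported as DES/SHA-1/group 1 because those are the defaults it inherits.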
• Perfect Forward Secrecy (PFS).
• A property of the key agreement where newly generated keys are cryptographically unrelated to any previously
generated key, so compromise of one key does not expose past or future keys.
• With PFS enabled, the router or ASA performs a fresh Diffie-Hellman exchange for every Phase 2 negotiation (and
rekey) and mixes that new shared secret into the IPsec SA keys.
• Without PFS, the Phase 2 keys are derived only from the Phase 1 Diffie-Hellman secret plus the nonces, so an
attacker who later recovers the Phase 1 keying material can derive every Phase 2 key that it produced.
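To see what PFS actually changes, the model below runs one Phase 1 and one Phase 2 and then lets an attacker who captured the whole exchange and later stole the Phase 1 secret try to derive the Phase 2 key. It is an added example, not from the original notes: the DH group (a small Mersenne prime, generator 3) and the HMAC-SHA256 PRF are stand-ins for real IKE groups and PRFs, chosen only so the arithmetic is readable and fast.

```python
"""Added example (not from the original notes): what PFS changes in Phase 2 key
derivation. The DH group and PRF are toys standing in for the real IKE groups
and PRF; the numbers are small and must not be used for anything real."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime (Mersenne), NOT an IKE DH group
G = 3


def prf(key, *parts):
    """IKE-style PRF: HMAC-SHA256 over the concatenated inputs."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def dh_public(exp):
    return pow(G, exp, P)


def dh_shared(their_public, my_exp):
    return pow(their_public, my_exp, P).to_bytes(16, "big")


def child_sa_key(skeyseed, ni, nr, pfs_secret=b""):
    """Phase 2 (IPsec SA) key. Without PFS it depends only on the Phase 1 secret
    and the fresh nonces; with PFS a brand-new DH result is mixed in."""
    return prf(skeyseed, pfs_secret, ni, nr)


def negotiate(pfs, rng=secrets.randbelow):
    """One Phase 1 followed by one Phase 2. Returns (real_child_key, attacker_key)
    for an attacker with a full capture of the wire (public DH values, nonces)
    who later steals the Phase 1 secret but never learns a private exponent."""
    a, b = rng(P - 2) + 1, rng(P - 2) + 1
    # Phase 1: both peers compute g^(ab) and derive the IKE SA seed from it.
    skeyseed = prf(b"ikev1-phase1", dh_shared(dh_public(b), a))
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"ni": ni, "nr": nr}
    pfs_secret = b""
    if pfs:
        c, d = rng(P - 2) + 1, rng(P - 2) + 1   # fresh exponents for this Phase 2 only
        wire["gc"], wire["gd"] = dh_public(c), dh_public(d)
        pfs_secret = dh_shared(wire["gd"], c)    # g^(cd), known only to the two peers
    real = child_sa_key(skeyseed, ni, nr, pfs_secret)

    # Attacker side: has skeyseed plus everything in `wire`.
    if not pfs:
        attacker = child_sa_key(skeyseed, wire["ni"], wire["nr"])   # identical inputs
    else:
        # g^c and g^d are on the wire, g^(cd) is not; without solving the discrete
        # log the attacker has no correct input, so any attempt yields a wrong key.
        wrong_secret = (wire["gc"] * wire["gd"] % P).to_bytes(16, "big")
        attacker = child_sa_key(skeyseed, wire["ni"], wire["nr"], wrong_secret)
    return real, attacker


if __name__ == "__main__":
    for pfs in (False, True):
        real, attacker = negotiate(pfs)
        print(f"PFS={pfs}: attacker derives the Phase 2 key: {real == attacker}")
```

The same reasoning applies to every rekey: with PFS each CREATE_CHILD_SA or quick mode rekey carries a new g^c and g^d, so even an attacker who records years of traffic and later obtains one Phase 2 key cannot derive the others.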

• Tunnel Interfaces.
• Instead of crypto maps, the VPN can be built on a logical interface (a GRE tunnel or a Virtual Tunnel Interface,
VTI) that represents the source and destination endpoints of the tunnel. Routing, ACLs and QoS are applied to that
interface like any other, and encryption is attached to it with an IPsec profile (tunnel protection) rather than a
crypto ACL.

• DMVPN (Dynamic Multipoint VPN).
• A Cisco technology that lets spokes be added without touching the hub configuration and lets spokes build dynamic
spoke-to-spoke tunnels.
• DMVPN terminates all spokes on a single multipoint GRE (mGRE) interface on the hub instead of one point-to-point
tunnel per spoke.
• Uses Next Hop Resolution Protocol (NHRP), a client/server protocol: the hub is the Next Hop Server (NHS) and the
spokes are the clients.
• The hub maintains an NHRP database that maps each spoke's tunnel address to its public (NBMA) interface address,
learned when the spoke registers.
• Encryption is added separately, by applying an IPsec profile to the tunnel interface (tunnel protection).
• Hub configuration (hub public/NBMA address 1.1.1.1 on f1/0, tunnel address 192.168.1.1).
interface tunnel 0
 ip address 192.168.1.1 255.255.255.0
 tunnel source f1/0
 tunnel mode gre multipoint
 tunnel key 4444
 !Learn where to send multicast (routing protocol hellos) from the spokes' NHRP registrations.
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp authentication P@ssw0rd
 !EIGRP: advertise routes learned from one spoke back out the same mGRE interface to the other spokes,
 !and keep the originating spoke as next hop so spoke-to-spoke traffic can bypass the hub.
 no ip split-horizon eigrp 55
 no ip next-hop-self eigrp 55
router eigrp 55
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary

• Spoke configuration (each spoke needs a unique tunnel address; shown for 192.168.1.2).
interface tunnel 0
 ip address 192.168.1.2 255.255.255.0
 tunnel source f1/0
 tunnel mode gre multipoint
 tunnel key 4444
 ip nhrp network-id 1
 ip nhrp authentication P@ssw0rd
 !The hub is the Next Hop Server; statically map its tunnel address (and multicast) to its public address.
 ip nhrp nhs 192.168.1.1
 ip nhrp map 192.168.1.1 1.1.1.1
 ip nhrp map multicast 1.1.1.1
router eigrp 55
 network 20.0.0.0
 network 192.168.1.0
!To display the NHRP database on the hub, or the mappings on a spoke.
do show ip nhrp
!To display DMVPN tunnels and their state.
do show dmvpn
• Caveat: this is mGRE plus NHRP only. Without "tunnel protection ipsec profile NAME" on the tunnel interfaces the
traffic is unencrypted GRE. The NHRP authentication string (at most 8 characters) is sent in cleartext and only
keeps NHRP domains apart; it is not a cryptographic secret.
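The NHRP exchanges that the hub and spoke commands above set in motion can be modelled in a few dozen lines. The following is an added example, not part of the original notes or of any Cisco code: it uses the page's hub addresses (192.168.1.1 / 1.1.1.1), constructed spoke NBMA addresses 3.3.3.3 and 4.4.4.4, simplified dict messages instead of real NHRP encoding, and DMVPN Phase 2 behaviour in which the hub answers resolution requests from its own database.

```python
"""Added example (not from the original notes): a model of NHRP registration
and resolution behind the DMVPN configuration. Hub addresses are the page's;
spoke NBMA addresses 3.3.3.3 / 4.4.4.4 are constructed. Messages are simplified
dicts, not real NHRP packets; resolution follows DMVPN Phase 2 behaviour."""


class NHRPError(Exception):
    pass


class Hub:
    """Next Hop Server: holds the tunnel-IP -> NBMA (public) address database."""

    def __init__(self, tunnel_ip, nbma, network_id, auth):
        self.tunnel_ip, self.nbma = tunnel_ip, nbma
        self.network_id, self.auth = network_id, auth
        self.db = {}

    def _check(self, msg):
        # network-id and the authentication string are plaintext tags that keep
        # NHRP domains apart; they are not cryptographic protection.
        if msg["network_id"] != self.network_id or msg["auth"] != self.auth:
            raise NHRPError("NHRP packet dropped: network-id/authentication mismatch")

    def registration_request(self, msg):
        self._check(msg)
        self.db[msg["tunnel_ip"]] = msg["nbma"]      # what 'show ip nhrp' lists on the hub
        return {"type": "registration-reply", "ok": True}

    def resolution_request(self, msg):
        self._check(msg)
        return {"type": "resolution-reply", "target": msg["target"],
                "nbma": self.db.get(msg["target"])}


class Spoke:
    """NHRP client: one static map for the NHS, dynamic entries learned later."""

    def __init__(self, tunnel_ip, nbma, network_id, auth, nhs_tunnel_ip, nhs_nbma):
        self.tunnel_ip, self.nbma = tunnel_ip, nbma
        self.network_id, self.auth = network_id, auth
        self.nhs_tunnel_ip = nhs_tunnel_ip
        self.cache = {nhs_tunnel_ip: nhs_nbma}       # 'ip nhrp map <hub> <nbma>'

    def _hdr(self):
        return {"network_id": self.network_id, "auth": self.auth, "src": self.tunnel_ip}

    def register(self, hub):
        """'ip nhrp nhs': tell the hub our tunnel and public addresses."""
        reply = hub.registration_request({**self._hdr(), "tunnel_ip": self.tunnel_ip,
                                          "nbma": self.nbma})
        return reply["ok"]

    def nbma_for(self, hub, next_hop):
        """Public address to put in the outer GRE/IP header for a tunnel next hop."""
        if next_hop in self.cache:
            return self.cache[next_hop]
        reply = hub.resolution_request({**self._hdr(), "target": next_hop})
        if reply["nbma"] is None:
            return self.cache[self.nhs_tunnel_ip]   # unknown: keep sending via the hub
        self.cache[next_hop] = reply["nbma"]        # spoke-to-spoke shortcut installed
        return reply["nbma"]


def build_dmvpn():
    """Hub plus two spokes that register, as after 'ip nhrp nhs' comes up."""
    hub = Hub("192.168.1.1", "1.1.1.1", network_id=1, auth="P@ssw0rd")
    spokes = [Spoke("192.168.1.2", "3.3.3.3", 1, "P@ssw0rd", "192.168.1.1", "1.1.1.1"),
              Spoke("192.168.1.3", "4.4.4.4", 1, "P@ssw0rd", "192.168.1.1", "1.1.1.1")]
    for s in spokes:
        s.register(hub)
    return hub, spokes


if __name__ == "__main__":
    hub, (s2, s3) = build_dmvpn()
    print("hub NHRP db:", hub.db)
    print("192.168.1.2 reaches 192.168.1.3 directly at", s2.nbma_for(hub, "192.168.1.3"))
```

The "no ip next-hop-self eigrp" line on the hub is what makes the second print meaningful: the spoke sees 192.168.1.3 (not the hub) as the EIGRP next hop for spoke 3's networks, asks the NHS for that address, and from then on sends GRE straight to 4.4.4.4.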

• GETVPN (Group Encrypted Transport VPN).
• A cryptographic solution for any-to-any WANs such as MPLS VPNs that need site-to-site encryption while keeping
the provider's routing, multicast and QoS intact.
• Does not require point-to-point tunnels: the original IP header is preserved, so the encrypted packets are
routed across the provider WAN exactly like the original ones.
• Provides a flexibility that enables enterprises to manage their own security over a service provider WAN or to
offload the encryption services to the provider.
• The key server (KS), also called the Group Controller/Key Server (GCKS), authenticates group members and
distributes the group policy and keys: a KEK (Key Encryption Key) that protects rekey messages and TEKs (Traffic
Encryption Keys) used to encrypt the data. It is a control-plane server, not a data-plane hub; data goes
directly between sites.
• Group members (GMs) are the other routers; they register with the KS and encrypt and decrypt traffic with the
shared TEK.
• Incorporates multicast rekeying: the KS can push new keys to all GMs with a single multicast rekey message.
Rekeying and GETVPN as a whole are based on GDOI (Group Domain of Interpretation, RFC 6407).

• Remote Access VPN

• Configure clientless RAVPN (browser-based SSL VPN portal on the ASA; no client software is installed on the user
machine).

• To restore clientless SSL VPN functionality on an ASA where the AnyConnect Essentials license mode was enabled
(Essentials mode disables the clientless portal):
conf t
webvpn
no anyconnect-essentials

• Configuring IPsec Remote Access VPN in the Cisco ASA
