Introduction to IPsec
• Service providers (SPs) are the most common users of the overlay
VPN model.
• The design and provisioning of virtual circuits (VC) across the
backbone is complete prior to any traffic flow.
• In the case of an IP network, this means that even though the
underlying technology is connectionless, it requires a
connection-oriented approach to provision the service.
Rick Graziani graziani@cabrillo.edu 8
CPE-Based VPN
(Peer-to-Peer)
Authentication
• Ensures that a message:
– comes from an authentic source and
– goes to an authentic destination
• VPN technologies are making use of several reputable methods for
establishing the identity of the party at the other end of a network.
– passwords
– digital certificates
– smart cards
– biometrics
Characteristics of a
Secure VPN
Data confidentiality
• Protecting data from eavesdroppers
• Aims at protecting the message contents from being
intercepted by unauthenticated or unauthorized sources.
• VPNs achieve confidentiality using:
– encapsulation and
– encryption
Data integrity
• Across the Internet, there is always the possibility that the data has
been modified.
• Data integrity guarantees that between the source and destination:
– No tampering or alteration of data
• VPNs typically use one of three technologies to ensure data integrity
(later):
– one-way hash functions
– message authentication codes (MAC)
– digital signatures
VPN Security:
Encapsulation
[Diagram: IPsec encapsulation in transport mode and tunnel mode; the tunnel-mode packet carries a New IP Hdr.]
Learning Objectives
• Configure EIGRP on the routers
• Create a site-to-site IPsec VPN using IOS
• Verify IPsec operation
Scenario
• IKE Phase 1
– Create an Internet Security Association and Key Management Protocol (ISAKMP)
policy
– Configure a peer association involving that ISAKMP policy.
• An ISAKMP policy defines, between the two VPN endpoints, the:
– authentication algorithm
– encryption algorithm
– hash function
• You can verify your IKE policy with the show crypto isakmp policy command.
• Now that you have created all of these small configuration modules,
you can bring them together in a crypto map.
• A crypto map is a mapping that associates traffic matching an access
list (like the one we created earlier) to a peer and various IKE and
IPsec settings.
• Use the global configuration command crypto map name sequence-num type
to enter the crypto map configuration mode for that sequence number.
• Multiple crypto map statements can belong to the same crypto map,
and they will be evaluated in ascending numerical order.
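The configuration modules described above (ISAKMP policy, peer association, transform set, access list and crypto map) brought together on one IOS router, as an added example that is not from the original slides; the interface, map and transform-set names, addresses and the pre-shared key placeholder are all constructed for illustration.

```cisco
! Added example: site-to-site IPsec on IOS (not from the original deck).
! Addresses, names and the pre-shared key are constructed placeholders.
!
! IKE Phase 1: ISAKMP policy (authentication, encryption, hash, DH group)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Peer association for that policy: pre-shared key bound to the peer address
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
! IKE Phase 2: IPsec transform set (ESP with AES-256 and SHA-256 HMAC)
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: only the two protected LANs are sent through the tunnel
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Crypto map: sequence 10 of map VPN-MAP; sequences are evaluated in ascending order
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES-SHA
 match address 110
!
! Apply the crypto map to the outside interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
!
! Verification commands
! show crypto isakmp policy
! show crypto isakmp sa
! show crypto ipsec sa
```

The remote peer needs the mirror-image configuration (swapped addresses in the access list and peer statements) with the same policy parameters, otherwise IKE Phase 1 negotiation fails and no SA is built.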