
IPsec VPNs

Introduction to IPsec

CIS 186 ISCW


Rick Graziani
Fall 2007
Introducing VPN Technology
Traditional WANs

• Traditional wide-area network (WAN) connections between branch
offices were accomplished with point-to-point (p2p) circuits:
– X.25
– ATM
– Frame Relay
• Due to the “open” nature of the Internet, it is not considered secure
• IPsec is used as a means of safeguarding IP data
• Note that IPsec can be used on any type of connectivity—not just
Internet links.
– Predominantly used on data that traverses insecure or untrusted
networks, such as the Internet.
Rick Graziani graziani@cabrillo.edu 3
Virtual Private Networks (VPNs)

• A Virtual Private Network (VPN) creates a private connection, or
network, between two endpoints.
• This is a virtual connection because the physical means of connectivity
is indifferent to the safety of the data involved.
• IPsec adds a layer of protection to the data that travels across the
VPN.
• Create a private network over a public network infrastructure while
maintaining confidentiality and security.
VPN Components

• Components required to establish a VPN include:
– An existing network with servers and workstations
– Connection to the Internet
– VPN gateways (i.e., routers, PIX, ASA, VPN concentrators) that act
as endpoints to establish, manage, and control VPN connections
– Software to create and manage tunnels



Security: Encapsulation and Encryption

• VPNs secure data by:
– encapsulating the data or
– encrypting the data or
– both encapsulating the data and then encrypting the data
• Encapsulation is also referred to as tunneling
– encapsulation transmits data transparently from network to network
through a shared network infrastructure.
• Encryption codes data into a different format.
– Decryption decodes encrypted data into the data’s original
unencrypted format.
Overlay and Peer VPNs

• In terms of evolution, there are two major VPN models:
– Overlay VPN
– Peer-to-Peer VPN



Overlay VPNs

• Service providers (SPs) are the most common users of the overlay
VPN model.
• The design and provisioning of virtual circuits (VC) across the
backbone is complete prior to any traffic flow.
• In the case of an IP network, this means that even though the
underlying technology is connectionless, it requires a connection-
oriented approach to provision the service.
CPE-Based VPN
(Peer-to-Peer)

• A CPE-based VPN is the same as an L3 overlay VPN.
• The VPN is implemented using CPE.
• Customer creates a VPN:
– across an Internet connection
– without any specific knowledge or cooperation from the service
provider.
• Customer gains increased privacy using an inexpensive Internet
connection.
• SP loses opportunity for VPN service revenue.
SP-Provisioned VPN

• Multiprotocol Label Switching (MPLS) combines:
– the benefits of overlay VPNs (security and isolation among customers)
– the benefits of the simplified routing of a peer-to-peer VPN.
• Only the Provider Edge (PE) routers need to be provisioned to support the
VPNs.
• Note that MPLS VPNs cannot replace all VPN implementations because MPLS
only supports IP as the Layer 3 protocol. Other protocols including IPX and
AppleTalk must be tunneled through the IP backbone.
• MPLS will be discussed in a later chapter



VPN Topologies

• Remote Access VPN
• Site-to-Site VPNs



VPN Topologies

Remote Access VPN


• Provide remote users access to an intranet or extranet over a shared
infrastructure.
• Users:
– Mobile users
– Telecommuters
– branch offices
• Securely connect using:
– Dialup
– ISDN
– DSL
– mobile IP
– cable technologies.
VPN Topologies

Remote Access VPN


• The party negotiating a secure connection with the VPN Gateway uses
VPN client software.
• The VPN Client software allows telecommuters and traveling users to
communicate on the central network and access servers from many
different locations.
• Tunnels are created using either:
– IPsec
– Point to Point Tunneling Protocol (PPTP) - Microsoft
– Layer 2 Tunnel Protocol (L2TP)
– Layer 2 Forwarding (L2F) Protocol - Cisco
VPN Topologies

Remote Access VPN


• Benefits:
– Reduce long-distance charges that are associated with
dialup access.
– Help increase productivity and confidence by ensuring
secure network access regardless of an employee’s
location.



VPN Topologies

Site-to-Site Intranet VPN


• Links over a shared infrastructure using dedicated connections:
– Headquarters
– Remote offices
– Branch offices
• Site-to-Site Intranet VPNs allow access only to trusted employees.
• Gateways at various physical locations within the same business.
• Negotiate secure tunnels across the Internet.



VPN Topologies

Site-to-Site Intranet VPN


• Example
– Data Center or mainframe at Main Office
– Remote Offices have access to Data Center
– Users from the networks on either side of the tunnel can
communicate with one another as if the networks were a single
network.
• These networks may need:
– strong encryption
– strict performance (QoS) and bandwidth requirements
• Tunnels are created using either: (later)
– IPsec
– IPsec/GRE
VPN Topologies

Site-to-Site Intranet VPN


• Benefits:
– Offer cost savings over traditional leased-line or Frame
Relay technologies.



VPN Topologies

Site-to-Site Extranet VPN


• VPN links to an enterprise customer's network over a shared
infrastructure using dedicated connections:
– outside customers
– Suppliers
– partners
– communities of interest
• Extranet VPNs allow access to users who are outside the enterprise.
• Use firewalls AND VPN tunnels
– Secure access to specific data and resources
– Without gaining access to private corporate information



VPN Topologies

Site-to-Site Extranet VPN


• Benefits:
– Businesses enjoy the same policies as a private
network, including:
• Security
• Quality of Service (QoS)
• Manageability
• Reliability



Characteristics of a Secure VPN



Characteristics of a
Secure VPN

Authentication
• Ensures that a message:
– comes from an authentic source and
– goes to an authentic destination
• VPN technologies are making use of several reputable methods for
establishing the identity of the party at the other end of a network.
– passwords
– digital certificates
– smart cards
– biometrics
Characteristics of a
Secure VPN

Data confidentiality
• Protecting data from eavesdroppers
• Aims at protecting the message contents from being
intercepted by unauthenticated or unauthorized sources.
• VPNs achieve confidentiality using:
– encapsulation and
– encryption



Characteristics of a
Secure VPN

Data integrity
• Across the Internet, there is always the possibility that the data has
been modified.
• Data integrity guarantees that between the source and destination:
– No tampering with or alteration of data
• VPNs typically use one of three technologies to ensure data integrity
(later):
– one-way hash functions
– message authentication codes (MAC)
– digital signatures
VPN Security:
Encapsulation

• Major components of confidentiality:
– Encapsulation
– Encryption
• Tunneling is the transmission of data through a public network so that
routing nodes in the public network are unaware that the transmission
is part of a private network.
• Tunneling allows the use of public networks to carry data on behalf of
users as though the users had access to a private network.
• This is where the name VPN comes from.
VPN Security:
Encapsulation

• VPNs build tunnels by:
– encapsulating the private network data and protocol information
– within public network protocol data
– tunneled data is not available to anyone examining the transmitted
data frames.
• Tunneling is the process of placing an entire packet within another
packet and sending the new, composite packet over a network.
VPN Security:
Encapsulation

• Three different protocols that tunneling uses:
– Carrier protocol:
• The protocol the information is traveling over.
• Frame Relay, PPP, ATM, etc.
– Encapsulating protocol:
• The protocol that is wrapped around the original data.
• GRE, IPsec, L2F, PPTP, L2TP
• Not all protocols offer the same level of security.
– Passenger protocol:
• The original data (IPX, AppleTalk, IPv4, IPv6).



VPN Security:
IPsec and GRE

• This course focuses on using:
– IPsec
– IPsec with GRE
• IPsec
– IP unicast only
• IPsec with GRE
– IP multicast
– dynamic IGP routing protocols
– non-IP protocols
• IPsec has two encryption modes:
– Tunnel mode
– Transport mode
IPsec Protocols

• IPsec is best thought of as a set of features that protects IP data as it
travels from one location to another.
• IPsec can protect only the IP layer and up (transport layer and
user data).
– IPsec cannot extend its services to the data link layer.
– If protection of the data link layer is needed, then some form of link
encryption is needed.
• Often, the use of encryption is assumed to be a requirement of IPsec.
• In reality, encryption, or data confidentiality, is an optional (although
heavily implemented) feature of IPsec.



IPsec Protocols

• IPsec consists of the following:
– Data confidentiality
– Data integrity
– Data origin authentication
– Anti-replay (ensures that no packets are duplicated
within the VPN)



IPsec Protocols

• The features, or services, of IPsec are implemented by a series of
standards-based protocols.
• IPsec is based on open standards to ensure interoperability between
vendors.
• The IPsec protocols do not specify any particular:
– authentication
– encryption algorithms
– key generation techniques, or
– security association (SA) mechanisms
• The three main protocols that are used by IPsec are as follows:
– Internet Key Exchange (IKE)
– Encapsulating Security Payload (ESP)
– Authentication Header (AH)
• IPsec uses the preceding protocols to establish the rules for
authentication and encryption.
• Existing standards-based algorithms provide the actual means of
authentication, encryption, and key management.
IPsec Protocols: IKE

• Internet Key Exchange (IKE) is a framework for:
– negotiation and exchange of security parameters
– authentication keys.
• For now, it is important to understand that there are a variety of possible
options between two IPsec VPN endpoints.
• IKE also exchanges keys used for the symmetrical encryption algorithms within
an IPsec VPN.
• Compared to other encryption algorithms, symmetrical algorithms tend to be:
– more efficient
– easier to implement in hardware
• Symmetrical algorithms require appropriate key material
– IKE provides the mechanism to exchange the keys.
IPsec Protocols: ESP

• Encapsulating Security Payload (ESP) provides the framework for:
– data confidentiality
– data integrity
– data origin authentication
– optional anti-replay features of IPsec
• ESP is the only IPsec protocol that provides data encryption.
• The following encryption methods are available to IPsec ESP:
– Data Encryption Standard (DES)—An older method of encrypting
information that has enjoyed widespread use.
– Triple Data Encryption Standard (3DES)—A block cipher that
uses DES three times.
– Advanced Encryption Standard (AES)—One of the most popular
symmetric key algorithms used today.
IPsec Protocols: AH
HMAC hash algorithms

• Authentication Header (AH) provides the framework for:
– data integrity
– data origin authentication
– optional anti-replay features of IPsec
• Note that data confidentiality is not provided by AH.
• ESP will do everything and more – don’t need to use both.
• AH ensures that the data has not been modified or tampered with, but
does not hide the data from inquisitive eyes during transit.
• Use of AH alone in today’s networks has faded in favor of ESP.
• Both AH and ESP use a Hash-based Message Authentication Code
(HMAC) as the authentication and integrity check.
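
The HMAC integrity check and the anti-replay service listed for ESP and AH, as an added example that is not part of the original slides. It assumes a simplified packet layout (SPI, sequence number, cleartext payload, ICV, with no ESP padding, trailer or encryption), HMAC-SHA1 truncated to 96 bits, a 64-packet window, and a constructed key and traffic.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA1 output truncated to 96 bits
WINDOW = 64    # anti-replay window in packets (assumed size)

def icv(key: bytes, body: bytes) -> bytes:
    """Integrity check value: truncated HMAC over header and payload."""
    return hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender: SPI and sequence number, payload, then the ICV over all of it."""
    body = struct.pack("!II", spi, seq) + payload
    return body + icv(key, body)

class Receiver:
    """Integrity check plus sliding-window anti-replay for one SA."""

    def __init__(self, key: bytes):
        self.key = key
        self.top = 0    # highest authenticated sequence number so far
        self.seen = 0   # bit i set: sequence number (top - i) was accepted

    def accept(self, packet: bytes) -> str:
        if len(packet) < 8 + ICV_LEN:
            return "malformed"
        body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
        _spi, seq = struct.unpack("!II", body[:8])
        if seq == 0:
            return "malformed"           # sequence numbers start at 1
        if self.top - seq >= WINDOW:
            return "too old"             # fell off the left edge of the window
        if seq <= self.top and (self.seen >> (self.top - seq)) & 1:
            return "replay"
        if not hmac.compare_digest(tag, icv(self.key, body)):
            return "bad icv"
        # Only an authenticated packet may move or mark the window; otherwise
        # a forged high sequence number would lock out genuine traffic.
        if seq > self.top:
            shifted = (self.seen << (seq - self.top)) | 1
            self.seen = shifted & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.seen |= 1 << (self.top - seq)
        return "ok"

def run_constructed_traffic() -> list:
    """Feed a constructed packet sequence to a receiver and collect verdicts."""
    key = b"constructed-demo-key"
    rx = Receiver(key)
    pkt = {n: protect(key, 0x1001, n, b"payload %d" % n)
           for n in (1, 2, 3, 4, 5, 100, 30)}
    tampered = pkt[3][:10] + b"X" + pkt[3][11:]          # one payload byte changed
    forged = protect(b"wrong key", 0x1001, 5000, b"forged")
    order = [pkt[1], pkt[2], pkt[2], tampered, pkt[3], pkt[5], pkt[4],
             forged, pkt[100], pkt[30], pkt[100]]
    return [rx.accept(p) for p in order]

if __name__ == "__main__":
    print(run_constructed_traffic())
```
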
IPsec Protocols

• IPsec has two encryption modes:
– Tunnel mode
– Transport mode



IPsec Protocols

• IPsec header follows an IP header, because it is
referenced by an IP protocol number.
• Encryption and integrity services can be offered only
beyond the IP header.



IPsec Protocols
[Figure: Host, IP, IP, Host]

• Transport mode: IPsec headers are simply inserted in an IP
packet (after the IP header).
• The original IP header is exposed and unprotected.
• Data at the transport layer and higher layers benefits from the
implemented IPsec features.
• Transport mode protects the transport layer and up.
• As such, when the IPsec packet travels across an untrusted network,
all of the data within the packet is safe (based on the IPsec services
selected).
• Devices in the untrusted network can see only the actual IP addresses
of the IPsec participants.
IPsec Protocols
[Figure: Router, IP, IP, Router]

• Tunnel mode: The actual IP addresses of the original IP header, along
with all the data within the packet, are protected.
• Tunnel mode creates a new external IP header that contains the IP
addresses of the tunnel endpoints (such as routers or VPN
Concentrators).
• The exposed IP addresses are the tunnel endpoints, not the device IP
addresses that sit behind the tunnel end points.
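
What a device in the untrusted network can read in each mode, as an added example that is not part of the original slides. It wraps a packet between the lab's loopback addresses in ESP (IP protocol 50) using the lab's interface addresses as tunnel endpoints; the cipher is a toy XOR keystream standing in for AES, no ICV is added, and the key, SPI and payload are constructed.

```python
import hashlib
import ipaddress
import struct

ESP = 50            # IP protocol number for ESP, as on the slides (AH is 51)
ICMP, IPIP = 1, 4   # ESP next-header values: ICMP payload, whole IPv4 packet

def checksum(header: bytes) -> int:
    """Internet checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) followed by the payload."""
    def header(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                           proto, csum, ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    return header(checksum(header(0))) + payload

def toy_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in for AES: XOR with a SHA-256 keystream. Not real ESP encryption."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def esp(protected: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """ESP header (SPI, sequence number) + encrypted payload and trailer."""
    pad = -(len(protected) + 2) % 4                  # align trailer to 4 bytes
    trailer = bytes(range(1, pad + 1)) + bytes([pad, next_header])
    return struct.pack("!II", spi, seq) + toy_cipher(protected + trailer, key)

def transport_mode(packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """ESP inserted after the original IP header; its addresses stay exposed."""
    src, dst = (str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))
    return ipv4(src, dst, ESP, esp(packet[20:], packet[9], spi, seq, key))

def tunnel_mode(packet: bytes, gw_src: str, gw_dst: str,
                spi: int, seq: int, key: bytes) -> bytes:
    """Whole original packet protected; new outer header names the gateways."""
    return ipv4(gw_src, gw_dst, ESP, esp(packet, IPIP, spi, seq, key))

def observe(wire: bytes) -> dict:
    """Fields a device in the untrusted network can read without the key."""
    spi, seq = struct.unpack("!II", wire[20:28])
    return {"src": str(ipaddress.IPv4Address(wire[12:16])),
            "dst": str(ipaddress.IPv4Address(wire[16:20])),
            "proto": wire[9], "spi": spi, "seq": seq}

def decapsulate(wire: bytes, key: bytes):
    """Receiver side: decrypt, strip the trailer, return (next header, data)."""
    clear = toy_cipher(wire[28:], key)
    pad, next_header = clear[-2], clear[-1]
    return next_header, clear[:len(clear) - 2 - pad]

# Constructed sample: R1 loopback to R3 loopback, payload is placeholder bytes.
KEY = b"constructed-demo-key"
ORIGINAL = ipv4("172.16.1.1", "172.16.3.1", ICMP, b"constructed echo payload")
TRANSPORT = transport_mode(ORIGINAL, 0x1001, 1, KEY)
TUNNEL = tunnel_mode(ORIGINAL, "192.168.12.1", "192.168.23.3", 0x1001, 1, KEY)

if __name__ == "__main__":
    print("transport:", observe(TRANSPORT))
    print("tunnel:   ", observe(TUNNEL))
    print("inner recovered:", decapsulate(TUNNEL, KEY) == (IPIP, ORIGINAL))
```
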



IPsec Headers
• Both AH and ESP are implemented by adding headers to the original IP
packet.
• IPsec VPN uses:
– AH
– ESP
– Both - The use of AH along with ESP has no appreciable benefit.
• ESP implements all of the IPsec features
• AH offers all features except data confidentiality.
• Both AH and ESP are transport layer protocols
– ESP = 50
– AH = 51



IPsec Headers
• AH authenticates the entire packet after the Layer 2 header.
• Original IP header protected

[Figure: AH header placement in Transport and Tunnel modes; label: New IP Hdr]



IPsec Headers
• If ESP authentication is used, the outer IP header is not
authenticated.

[Figure: ESP header placement in Transport and Tunnel modes; label: New IP Hdr]



Configuring Site-to-Site VPN (CLI)

• Most of the commands and concepts in this lab have not
yet been discussed.
• I wanted to give you a look at configuring a VPN so when
we do discuss these commands and concepts they will
make a little more sense.
• Don’t worry about the details for now.
• Your questions will be answered in the next presentations!



Objectives

Learning Objectives
• Configure EIGRP on the routers
• Create a site-to-site IPsec VPN using IOS
• Verify IPsec operation
Scenario

• In this lab, you will configure a site-to-site IPsec VPN.
Once you have configured the VPN, the traffic between the
loopback interfaces on R1 and R3 will be encrypted.



Step 1: Configure Addressing
R1(config)# interface loopback0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# interface fastethernet0/0
R1(config-if)# ip address 192.168.12.1 255.255.255.0
R1(config-if)# no shutdown

R2(config)# interface fastethernet0/0
R2(config-if)# ip address 192.168.12.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# interface serial0/0/1
R2(config-if)# ip address 192.168.23.2 255.255.255.0
R2(config-if)# clockrate 64000
R2(config-if)# no shutdown

R3(config)# interface loopback0
R3(config-if)# ip address 172.16.3.1 255.255.255.0
R3(config-if)# interface serial0/0/1
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config-if)# no shutdown



Step 2: Configure EIGRP
R1(config)# router eigrp 1
R1(config-router)# no auto-summary
R1(config-router)# network 172.16.0.0
R1(config-router)# network 192.168.12.0

R2(config)# router eigrp 1
R2(config-router)# no auto-summary
R2(config-router)# network 192.168.12.0
R2(config-router)# network 192.168.23.0

R3(config)# router eigrp 1
R3(config-router)# no auto-summary
R3(config-router)# network 172.16.0.0
R3(config-router)# network 192.168.23.0

Should have full connectivity. Ping to test.



Step 3: Create IKE Policies

• IPsec is a framework of open standards developed by the Internet
Engineering Task Force (IETF).
• There are two central configuration elements to the implementation of
an IPsec VPN:
1. Implement Internet Key Exchange (IKE) parameters (ISAKMP
Policy)
2. Implement IPsec parameters (Transform Set)
• IKE
– First used to pass and validate IKE policies between peers.
– Then, the peers exchange and match IPSec policies for the
authentication and encryption of data traffic.
• The IKE policy controls the authentication, encryption algorithm, and
key exchange method used for IKE proposals that are sent and
received by the IPSec endpoints.
• The IPSec policy is used to encrypt data traffic sent through the VPN
tunnel.



Enable IKE

R1(config)# crypto isakmp enable

Internet Security Association and Key Management Protocol
(ISAKMP) policy
• IKE is enabled by default on IOS images with
cryptographic feature sets.
• If it is disabled for some reason, you can enable it with the
command crypto isakmp enable.



1. Implement Internet Key Exchange (IKE)
parameters (ISAKMP Policy)

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# ?
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults



IKE Phase 1

• IKE Phase 1
– Create an Internet Security Association and Key Management Protocol (ISAKMP)
policy
– Configure a peer association involving that ISAKMP policy.
• An ISAKMP policy defines the following between the two VPN endpoints:
– authentication algorithm
– encryption algorithm
– hash function



IKE Phase 1

IKE Phase 1: IKE Security Associations (SAs) - later


• Issue the crypto isakmp policy number command in global
configuration mode.
• This initiates the ISAKMP policy configuration mode.
• Once in this mode, you can view the various IKE parameters available
by typing ?.
• Encryption algorithm: controls how confidential the control channel
between the endpoints will be.
• Hash algorithm: Controls data integrity, that is, surety that the data
received from a peer has not been tampered with in transit.
• Authentication type: Ensures that the packet was indeed sent and
signed by the remote peer.
• Diffie-Hellman group: Used to create a secret key shared by the
peers that has never been sent across the network.



• Give the policy a lifetime of 3600 seconds (one hour).
• The same policy must be configured on both routers.
• Older versions of the IOS do not support AES 256
encryption and/or SHA as your hash algorithm.
– Substitute whatever encryption and hashing algorithm
your router supports.
• Although you only need to configure one policy here, you
can configure multiple IKE policies.

Verify IKE policy

• You can verify your IKE policy with the show crypto
isakmp policy command.



Step 4: Configure Pre-Shared Keys

• Since we chose pre-shared keys as our authentication method in the
IKE policy, we must configure a key on each router corresponding to
the other VPN endpoint.
– These keys must match.
– For simplicity we can use the key “cisco”.
• A production network should use a more complex key.



• Use the global configuration command crypto isakmp key key-string
address address to enter a pre-shared key.
– Use the IP address of the remote peer.
• Ensure that the IP address is the remote interface that the peer would
use to route traffic to the local router.



2. Implement IPsec parameters (Transform Set)



Step 5: Configure the IPsec Transform Set and
Lifetimes

IKE Phase 2: IPsec Security Associations (SAs) - later


• The IPsec transform set is another crypto configuration parameter that
routers negotiate to form a security association.
• In the same way that ISAKMP policies can, multiple transform sets can
exist on a router.
• Routers will compare their transform sets to the remote peer’s until they
find a transform set that matches exactly.
IPsec Transform Set

• For R1 and R3, create a transform set with:
– Tag 50
– ESP transform with an AES 256 cipher first
– Encapsulating Security Protocol (ESP) with SHA hash function
– Authentication header using SHA



Step 6: Define Interesting Traffic

• Define extended access lists to tell the router which traffic
to encrypt.



Step 7: Create and Apply Crypto Maps

• Now that you have created all of these small configuration modules,
you can bring them together in a crypto map.
• A crypto map is a mapping that associates traffic matching an access
list (like the one we created earlier) to a peer and various IKE and
IPsec settings.
• Use the global configuration command crypto map name sequence-num type
to enter the crypto map configuration mode for that sequence number.
• Multiple crypto map statements can belong to the same crypto map,
and they will be evaluated in ascending numerical order.



Create and Apply Crypto Maps

• Use the match address access-list command to specify
which access list will define which traffic to encrypt.



Create and Apply Crypto Maps

• Setting a peer IP or hostname is required, so set it to R3’s
remote VPN endpoint interface using the set peer address
command.
• Set the perfect forward secrecy type using the set pfs
type command, and also modify the default IPsec security
association lifetime with the set security-association
lifetime seconds seconds command.
Create and Apply Crypto Maps

• The last step in the process of creating site-to-site VPNs is
applying the maps to interfaces.



Step 8: Verify IPsec Configuration

• Use the show crypto isakmp policy command to show the
configured ISAKMP policies on the router



Verify IPsec Configuration

• Use the show crypto map command to display the crypto maps
that will be applied to the router



Step 9: Verify IPsec Operation

• If you issue the show crypto isakmp sa command, it will reveal that
no IKE SAs exist yet.
• Once we send some interesting traffic later in this lab, this
command output will change.



Verify IPsec Operation

• Issue the show crypto ipsec sa command; this command will
show the unused SA between R1 and R3



Step 10: Test

• ping 172.16.3.1 source 172.16.1.1
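
The settings from Steps 3 to 7 gathered into one configuration per router and checked for the agreements the slides call for, as an added example that is not the lab's own configuration. The policy number, ciphers, lifetime 3600, key "cisco", transform set tag and addresses come from the slides; DH group 5, ACL 101, the map name MYMAP, the 900-second IPsec SA lifetime and the 16-character key threshold are assumptions.

```python
import ipaddress
import re

# Constructed lab configuration. Assumed values (not on the slides):
# "group 5", ACL number 101, map name MYMAP, IPsec SA lifetime 900.
TEMPLATE = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 3600
crypto isakmp key {key} address {peer}
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
access-list 101 permit ip {local} 0.0.0.255 {remote} 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 match address 101
 set peer {peer}
 set pfs group5
 set security-association lifetime seconds 900
 set transform-set 50
interface {iface}
 crypto map MYMAP
"""

def lab_config(local, remote, peer, iface, key="cisco"):
    return TEMPLATE.format(local=local, remote=remote, peer=peer, iface=iface, key=key)

R1 = lab_config("172.16.1.0", "172.16.3.0", "192.168.23.3", "fastethernet0/0")
R3 = lab_config("172.16.3.0", "172.16.1.0", "192.168.12.1", "serial0/0/1")

def parse(cfg: str) -> dict:
    """Pull out the settings that both peers have to agree on."""
    find = lambda pattern: re.search(pattern, cfg, re.M)
    policy = r"^ (authentication|encryption|hash|group|lifetime) (.+)$"
    return {
        "policy": dict(re.findall(policy, cfg, re.M)),
        "key": find(r"^crypto isakmp key (\S+) address (\S+)$").groups(),
        "transform": find(r"^crypto ipsec transform-set \S+ (.+)$").group(1),
        "acl": find(r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)$").groups(),
        "peer": find(r"^ set peer (\S+)$").group(1),
    }

def audit(cfg_a: str, cfg_b: str, min_key_len: int = 16) -> list:
    """Compare the two peers' settings that the slides say must agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    if a["policy"] != b["policy"]:
        findings.append("ISAKMP policy mismatch")
    if a["key"][0] != b["key"][0]:
        findings.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        findings.append("transform set mismatch")
    if a["acl"] != b["acl"][::-1]:
        findings.append("crypto ACLs are not mirror images")
    if any(p["key"][1] != p["peer"] for p in (a, b)):
        findings.append("key address differs from crypto map peer")
    if min(len(a["key"][0]), len(b["key"][0])) < min_key_len:
        findings.append("weak pre-shared key")
    return findings

def is_interesting(cfg: str, src: str, dst: str) -> bool:
    """True if a packet src -> dst matches the crypto ACL (wildcard masks)."""
    def match(addr, rule):
        net, wild = (int(ipaddress.IPv4Address(x)) for x in rule.split())
        return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)
    source_rule, dest_rule = parse(cfg)["acl"]
    return match(src, source_rule) and match(dst, dest_rule)

if __name__ == "__main__":
    print(audit(R1, R3))
    print(is_interesting(R1, "172.16.1.1", "172.16.3.1"))
```

The last function shows why the Step 10 ping names a source: traffic sourced from R1's loopback matches the access list, while a ping sourced from 192.168.12.1 does not and would leave R1 unencrypted.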



More later!

• More details and explanations to follow in the next
presentations.

• Also, SDM next week!
