Dfn40143 Network Security Chapter 4 Implementing VPN
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Section 4.1:
VPNs
Upon completion of this section, you should be able to:
• Describe VPNs and their benefits.
Topic 4.1.1:
VPN Overview
Introducing VPNs
VPN Benefits:
• Cost Savings
• Security
• Scalability
• Compatibility
Layer 3 IPsec VPNs
Topic 4.1.2:
VPN Technologies
Two Types of VPNs
Remote-Access VPN
Site-to-Site VPN
Components of Remote-Access VPNs
Remote-Access VPNs
Components of Site-to-Site VPNs
Site-to-Site VPNs
• Also known as an intranet VPN, it connects two routers (the VPN-terminating devices) to secure traffic between two physically separated sites.
• A site-to-site VPN uses a gateway device to connect an entire network in one location (HQ) to a network in another location (branches).
• When networks are connected over the Internet, as shown in the following figure, a router forwards packets to another router across a VPN connection.
• It connects the departments and branch offices of a company.
• An intranet VPN is best for remote offices within the same company.
• An intranet-based VPN (an intranet being a password-protected network for company employees) connects LAN to LAN when a company wants to join multiple remote sites into one private network.
Section 4.2:
IPsec VPN Components and Operation
Upon completion of this section, you should be able to:
• Describe the IPsec protocol and its basic functions.
Topic 4.2.1:
Introducing IPsec
IPsec Protocol
• The IPsec (Internet Protocol Security) protocol suite is a set of network security protocols developed to ensure the confidentiality, integrity and authentication of data traffic over TCP/IP networks.
• IPsec secures network traffic by providing data confidentiality, data integrity, sender and recipient authentication, and replay protection.
IPsec Technologies
IPsec Implementation
IPsec Framework Examples
Confidentiality
Confidentiality with Encryption:
• The data in network traffic must be available only to the intended recipient.
• In other words, the data in network traffic MUST NOT be available to anyone other than the intended recipient.
• IPsec provides data confidentiality by encrypting the data during its journey from sender to recipient.
Integrity
Hash Algorithms
• The data in network traffic MUST NOT be altered while in the network, that is, during transmission.
• In other words, the data received by the recipient must be exactly the same as the data sent by the sender.
• IPsec (Internet Protocol Security) provides data integrity by using hashing algorithms.
Authentication
PSK
RSA
• The sender and the recipient MUST PROVE their identity to each other.
• IPsec provides authentication services by using digital certificates or pre-shared keys.
Secure Key Exchange
Diffie-Hellman Key Exchange
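The four framework choices above (encryption algorithm for confidentiality, hash algorithm for integrity, PSK or RSA for peer authentication, Diffie-Hellman group for key exchange) are exactly the values a Cisco IOS ISAKMP policy and IPsec transform set carry. The following is an added example, not taken from the course slides, showing a legacy set of choices beside a current one; the policy numbers, transform-set names and lifetimes are assumptions.

```cisco
! Added example (not from the course slides). Two ISAKMP (IKE Phase 1)
! policies and two transform sets showing how each IPsec framework choice
! is expressed in Cisco IOS. Policy numbers, set names and lifetimes are
! constructed values.
!
! --- Legacy choices: shown only for comparison, not for new tunnels ---
! DES (56-bit key), MD5 and DH group 1 (768-bit modulus) are all
! considered too weak today.
crypto isakmp policy 20
 encryption des              ! confidentiality: DES
 hash md5                    ! integrity: MD5
 authentication pre-share    ! peer authentication: pre-shared key
 group 1                     ! key exchange: DH group 1
 lifetime 86400
!
crypto ipsec transform-set LEGACY-SET esp-des esp-md5-hmac
 mode tunnel
!
! --- Current choices: what a new deployment should use ---
! AES-256 for confidentiality, SHA-256 HMAC for integrity, DH group 14
! (2048-bit modulus) for key exchange, PSK for peer authentication.
! A lower policy number is a higher priority, so 10 is offered before 20.
! 'authentication rsa-sig' would select digital certificates instead.
crypto isakmp policy 10
 encryption aes 256          ! confidentiality: AES-256
 hash sha256                 ! integrity: SHA-256
 authentication pre-share    ! peer authentication: pre-shared key
 group 14                    ! key exchange: DH group 14
 lifetime 3600
!
crypto ipsec transform-set STRONG-SET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Replay protection is built into ESP and AH: every packet carries a
! sequence number and the receiver keeps a sliding window of accepted
! numbers. IOS lets the window size be tuned; 64 is the default.
crypto ipsec security-association replay window-size 64
```

Once both policies exist, the router offers them to a peer in priority order (10 first), so removing policy 20 altogether is the way to make sure a peer cannot fall back to the legacy choices.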
Topic 4.2.2:
IPsec Protocols
IPsec Protocol Overview
• Following are the three main components of IPSec.
• Note: ESP is more widely deployed than AH because ESP provides all the benefits of IPsec, that is, confidentiality, integrity, authentication and replay-attack protection.
Authentication Header
AH Protocols
Router Creates Hash and Transmits to Peer
Encapsulating Security Payload (ESP)
ESP Encrypts and Authenticates
Transport and Tunnel Modes
ESP Tunnel Mode
Topic 4.2.3:
Internet Key Exchange
The IKE Protocol
Phase 1 and 2 Key Negotiation
Phase 2: Negotiating SAs
Section 4.3:
Implementing Site-to-Site IPsec VPNs with CLI
Upon completion of this section, you should be able to:
• Describe IPsec negotiation and the five steps of IPsec configuration.
Topic 4.3.1:
Configuring a Site-to-Site IPsec VPN
How IPsec Works
• IPSec's operation can be broken down into five main steps:
IPsec Negotiation
• To build the VPN tunnel, IPsec peers exchange a series of messages about encryption and authentication and attempt to agree on many different parameters.
• This process is known as VPN negotiation.
Phase 1
• The main purpose of Phase 1 is to set up a secure, encrypted channel through which the two peers can negotiate Phase 2. When Phase 1 finishes successfully, the peers move on to Phase 2 negotiation. If Phase 1 fails, the devices cannot begin Phase 2.
Phase 2
• The purpose of Phase 2 negotiation is for the two peers to agree on a set of parameters that define what traffic can go through the VPN and how that traffic is encrypted and authenticated. This agreement is called a Security Association (SA).
• The Phase 1 and Phase 2 configurations must match on the devices at either end of the tunnel.
Site-to-Site IPsec VPN Topology
IPsec VPN Configuration Tasks
Existing ACL Configurations
Introduction to GRE Tunnels
Topic 4.3.2:
ISAKMP Policy
The Default ISAKMP Policies
Syntax to Configure a New ISAKMP Policy
XYZCORP ISAKMP Policy Configuration
Configuring a Pre-Shared Key
Pre-Shared Key Configuration
Topic 4.3.3:
IPsec Policy
Define Interesting Traffic
The IKE Phase 1 Tunnel Does Not Exist Yet
Configure an ACL to Define Interesting Traffic
Configure IPsec Transform Set
The crypto ipsec transform-set Command
Topic 4.3.4:
Crypto Map
Syntax to Configure a Crypto Map
Crypto Map Configuration Commands
XYZCORP Crypto Map Configuration
Crypto Map Configuration:
Apply the Crypto Map
Topic 4.3.5:
IPsec VPN
Send Interesting Traffic
Verify ISAKMP and IPsec Tunnels
Verify the ISAKMP Tunnel is Established
Verify the IPsec Tunnel is Established
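The negotiation passage in Section 4.3.1 (Phase 1 must succeed before Phase 2, and both phases must match on the two peers) and the configuration tasks of Topics 4.3.2 to 4.3.5 (ISAKMP policy and pre-shared key, interesting-traffic ACL, transform set, crypto map, applying the map, then verifying the tunnels) come together in the following added example of a complete two-router site-to-site configuration. It is not the course's XYZCORP configuration: the router names, LAN and WAN addresses, ACL and crypto-map names and the key placeholder are all constructed, with WAN addresses taken from the RFC 5737 documentation range.

```cisco
! Added example (not from the course slides): the configuration tasks for a
! site-to-site IPsec VPN between two IOS routers, R1 (HQ) and R2 (branch).
! Constructed values: HQ LAN 192.168.1.0/24, branch LAN 192.168.2.0/24,
! R1 WAN 203.0.113.1, R2 WAN 203.0.113.2, names and the key placeholder.
!
! ============ R1 (HQ) ============
! Task 1: ISAKMP (IKE Phase 1) policy. Every value must match a policy on
! R2, or Phase 1 fails and Phase 2 never starts.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
! Pre-shared key bound to the peer's WAN address. Replace the placeholder
! with a long random key; it must be identical on both routers.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Task 2: IPsec transform set (the IKE Phase 2 / IPsec SA proposal).
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Task 3: "interesting traffic" ACL. Only traffic matching a permit entry
! triggers the tunnel and is encrypted; R2's ACL must be the mirror image.
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Task 4: crypto map tying peer, transform set and interesting traffic
! together. 'ipsec-isakmp' means IKE negotiates the SAs; PFS makes each
! Phase 2 rekey run a fresh DH exchange.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-SET
 set pfs group14
 match address 110
!
! Task 5: apply the crypto map to the outside (WAN) interface.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
!
! If an inbound ACL already exists on the WAN interface (the "Existing ACL
! Configurations" topic), it must let the peer's IKE and IPsec traffic in:
! ISAKMP is UDP 500, ESP is IP protocol 50, AH is IP protocol 51.
access-list 120 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
access-list 120 permit esp host 203.0.113.2 host 203.0.113.1
access-list 120 permit ahp host 203.0.113.2 host 203.0.113.1
!
! ============ R2 (branch) ============
! Identical policy, key and transform set; peer, key address, ACL and WAN
! address are mirrored.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha256-hmac
 mode tunnel
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set VPN-SET
 set pfs group14
 match address 110
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN-MAP
!
! ============ Verification (either router) ============
! Nothing is negotiated until interesting traffic is sent, e.g. a ping from
! a host on one LAN to a host on the other.
! Phase 1: an entry in state QM_IDLE means the ISAKMP SA is established.
show crypto isakmp sa
! Phase 2: the IPsec SAs for the ACL's traffic; the '#pkts encaps' and
! '#pkts decaps' counters should increase as traffic crosses the tunnel.
show crypto ipsec sa
! Confirms the map's peer, transform set, ACL and interface binding.
show crypto map
```

If `show crypto isakmp sa` shows no QM_IDLE entry after interesting traffic is sent, the mismatch is in Phase 1 (policy values, key or peer address); if the ISAKMP SA exists but `show crypto ipsec sa` shows no packet counters increasing, check the transform set, the PFS setting and whether the two ACLs are true mirror images.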
Section 4.4:
Summary
Chapter Objectives:
• Explain the purpose of VPNs.