
Chapter 4: Implementing Virtual Private Networks
CCNA Security v2.0


Chapter Outline
4.0 Introduction
4.1 VPNs
4.2 IPsec VPN Components and Operations
4.3 Implementing Site-to-Site IPsec VPNs with CLI
4.4 Summary

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Section 4.1:
VPNs
Upon completion of this section, you should be able to:
• Describe VPNs and their benefits.

• Compare site-to-site and remote-access VPNs.

Topic 4.1.1:
VPN Overview

Introducing VPNs

• A virtual private network (VPN) is a technology that creates a safe and encrypted connection over a less secure network, such as the Internet.
• VPN technology was developed as a way to allow remote users and branch offices to securely access corporate applications and other resources.
• To ensure safety, data travels through secure tunnels and VPN users must use authentication methods -- including passwords, tokens and other unique identification methods -- to gain access to the VPN.

Introducing VPNs

• The benefit of using a secure VPN is that it ensures the appropriate level of security for the connected systems when that cannot be provided by the underlying network infrastructure alone.
• Typical uses of a VPN:
• a) A mobile employee who uses hotel Internet facilities to establish a VPN tunnel and connect to servers at the office.
• b) Establishing a secure link from a regional office (branch) to the corporate HQ.

Introducing VPNs
VPN Benefits:
• Cost Savings

• Security

• Scalability

• Compatibility

Layer 3 IPsec VPNs

Topic 4.1.2:
VPN Technologies

Two Types of VPNs

Remote-Access VPN

Site-to-Site VPN

Components of Remote-Access VPNs

Remote-Access VPNs

• A remote-access VPN is used when employees of a company who are in remote locations need to connect to the company's private network.
• It connects a distant client to a central LAN location using the Internet.
• Remote-access VPN clients connect to a VPN gateway server on the organization's network. The gateway requires the device to authenticate its identity before granting access to internal network resources such as file servers, printers and intranets.
• It allows remote users such as telecommuters to securely access the corporate network wherever and whenever they need to.
• A remote-access VPN makes the most sense for a mobile employee within the company.

Remote-Access VPNs

Components of Site-to-Site VPNs

Site-to-Site VPNs
• Also known as an intranet VPN, it connects two routers (VPN terminating devices) to secure traffic between two sites that are physically separated.
• A site-to-site VPN uses a gateway device to connect an entire network in one location (HQ) to a network in another location (branches).
• When networks are connected over the Internet, as shown in the following figure, a router forwards packets to another router across a VPN connection.
• It connects the departments and branch offices of the company.
• An intranet VPN is best for remote offices within the same company.
• A site-to-site VPN requires large-scale encryption and dedicated equipment.

Site-to-Site VPNs
• An intranet-based VPN (an intranet being a password-protected site for company employees) connects LAN to LAN when a company wants to join multiple remote locations into one private network.

Section 4.2:
IPsec VPN Components and Operation
Upon completion of this section, you should be able to:
• Describe the IPsec protocol and its basic functions.

• Compare AH and ESP protocols.

• Describe the IKE protocol.

Topic 4.2.1:
Introducing IPsec

IPsec Protocol
• The IPsec (Internet Protocol Security) protocol suite is a set of network security protocols developed to ensure the confidentiality, integrity, and authentication of data traffic over a TCP/IP network.
• The IPsec protocol suite secures network traffic by ensuring data confidentiality, data integrity, sender and recipient authentication, and replay protection.

IPsec Technologies

IPsec Implementation
IPsec Framework Examples

Confidentiality
Confidentiality with Encryption:

Encrypted message

Confidentiality (Cont.)
Encryption Algorithms:

Confidentiality
Confidentiality:
• The data in network traffic must be available only to the intended recipient.
• In other words, the data in network traffic MUST NOT be available to anyone other than the intended recipient.
• IPsec provides data confidentiality by encrypting the data during its journey from sender to recipient.

Integrity
Hash Algorithms

Security of Hash Algorithms

Integrity
Integrity:
• The data in network traffic MUST NOT be altered while in the network, that is, during transmission.
• In other words, the data received by the recipient must be exactly the same as the data sent by the sender.
• IPsec (Internet Protocol Security) provides data integrity by using hashing algorithms.

Authentication

Peer Authentication Methods

PSK

Authentication (Cont.)
RSA

Authentication
Authentication:
• The sender and the recipient MUST PROVE their identity to each other.
• IPsec provides authentication services by using digital certificates or pre-shared keys.

Secure Key Exchange
Diffie-Hellman Key Exchange

Topic 4.2.2:
IPsec Protocols

IPsec Protocol Overview

IPsec Protocol
• Following are the three main components of IPsec.
• 1) Internet Key Exchange (IKE) protocol:
• Internet Key Exchange (IKE) is an IETF protocol with two versions: the older IKEv1 and the relatively new IKEv2.
• IKE is used to establish Security Associations (SAs) between two communicating IPsec devices.
• It is designed to allow two devices to dynamically exchange encryption keys and negotiate Security Associations (SAs).
• IKE Security Associations (SAs) can be established dynamically and removed after a negotiated time period.

IPsec Protocol
• Following are the three main components of IPsec.
• 2) Encapsulating Security Payload (ESP):
• IPsec uses ESP (Encapsulating Security Payload) to provide data integrity, encryption, authentication, and anti-replay functions for an IPsec VPN.
• Cisco IPsec implementations use DES, 3DES and AES for data encryption.
• ESP authenticates the data within the VPN, ensuring data integrity and that it is coming from the correct source.

IPsec Protocol
• Following are the three main components of IPsec.
• 3) Authentication Header (AH): IPsec uses the Authentication Header (AH) to provide data integrity, authentication, and anti-replay functions for an IPsec VPN.
• Authentication Header (AH) does not provide any data encryption.
• Authentication Header (AH) can be used to provide data integrity services to ensure that data is not tampered with (not altered) during its journey.
• Note: ESP is more widely deployed than AH, because ESP provides all the benefits of IPsec, that is, confidentiality, integrity, authentication and replay-attack protection.

Authentication Header
AH Protocols

Authentication Header (Cont.)
Router Creates Hash and Transmits to Peer

Peer Router Compares Recomputed Hash to Received Hash

Encapsulating Security Payload (ESP)

ESP Encrypts and Authenticates

Transport and Tunnel Modes

Apply ESP and AH in Two Modes

Transport and Tunnel Modes (Cont.)
ESP Tunnel Mode

Topic 4.2.3:
Internet Key Exchange

The IKE Protocol

Phase 1 and 2 Key Negotiation

Phase 2: Negotiating SAs

Section 4.3:
Implementing Site-to-Site IPsec VPNs with CLI
Upon completion of this section, you should be able to:
• Describe IPsec negotiation and the five steps of IPsec configuration.

• Configure the ISAKMP policy.

• Configure the IPsec policy.

• Configure and apply a crypto map.

• Verify the IPsec VPN.

Topic 4.3.1:
Configuring a Site-to-Site IPsec VPN

IPsec Negotiation

IPsec VPN Negotiation:
Step 1 - Host A sends interesting traffic to Host B.
Step 2 - R1 and R2 negotiate an IKE Phase 1 session.
Step 3 - R1 and R2 negotiate an IKE Phase 2 session.

IPsec Negotiation (Cont.)

IPsec VPN Negotiation:
Step 4 - Information is exchanged via the IPsec tunnel.
Step 5 - The IPsec tunnel is terminated.

How IPsec Works
• IPsec's operation can be broken down into five main steps:

1. "Interesting traffic" initiates the IPsec process. Traffic is deemed interesting when the IPsec security policy configured in the IPsec peers starts the IKE process.

2. IKE phase 1. IKE authenticates IPsec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPsec SAs in phase 2.

How IPsec Works
• IPsec's operation can be broken down into five main steps:

3. IKE phase 2. IKE negotiates IPsec SA parameters and sets up matching IPsec SAs in the peers.

4. Data transfer. Data is transferred between IPsec peers based on the IPsec parameters and keys stored in the SA database.

5. IPsec tunnel termination. IPsec SAs terminate through deletion or by timing out.

How IPsec Works

IPsec Negotiation
• To build the VPN tunnel, IPsec peers exchange a series of messages about encryption and authentication, and attempt to agree on many different parameters.
• This process is known as VPN negotiation.
• One device in the negotiation sequence is the initiator and the other device is the responder.
• VPN negotiation happens in two distinct phases: Phase 1 and Phase 2.
• The Phase 1 and Phase 2 configurations must match for the devices on either end of the tunnel.

IPsec Negotiation
Phase 1
• The main purpose of Phase 1 is to set up a secure encrypted
channel through which the two peers can negotiate Phase 2. When
Phase 1 finishes successfully, the peers quickly move on to Phase 2
negotiations. If Phase 1 fails, the devices cannot begin Phase 2.
Phase 2
• The purpose of Phase 2 negotiations is for the two peers to agree
on a set of parameters that define what traffic can go through the
VPN, and how to encrypt and authenticate the traffic. This
agreement is called a Security Association.
• The Phase 1 and Phase 2 configurations must match for the devices
on either end of the tunnel.

Site-to-Site IPsec VPN Topology

IPsec VPN Configuration Tasks

XYZCORP Security Policy                          Configuration Tasks
Encrypt traffic with AES 256 and SHA 1           1. Configure the ISAKMP policy for IKE Phase 1
Authentication with PSK                          2. Configure the IPsec policy for IKE Phase 2
Exchange keys with group 24                      3. Configure the crypto map for IPsec policy
ISAKMP tunnel lifetime is 1 hour                 4. Apply the IPsec policy
IPsec tunnel uses ESP with a 15-min. lifetime    5. Verify the IPsec tunnel is operational
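The five configuration tasks in the table, carried out on R1 for the XYZCORP security policy, as an added worked example that is not part of the deck (Cisco IOS, IKEv1 crypto-map style as used in this chapter). The peer address, the two LAN prefixes, the interface name, the ACL, transform-set and crypto-map names, and the key string are assumed placeholders; R2 needs the mirror-image configuration (R1's address as its peer, and a crypto ACL with source and destination swapped). SHA-1 and DH group 24 are what the policy table specifies; the same commands accept the stronger hash and group options available on later IOS releases, and the pre-shared key must be a long random string kept out of shared documents.

```cisco
! Added example, not the deck's own configuration. Placeholder values:
!   R2 (peer) = 209.165.200.226, local LAN 192.168.1.0/24,
!   remote LAN 192.168.2.0/24, outside interface GigabitEthernet0/0.
!
! Task 1 - ISAKMP policy for IKE Phase 1:
!   AES 256, SHA-1, pre-shared key, DH group 24, lifetime 1 hour (3600 s)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 24
 lifetime 3600
!
! Pre-shared key bound to the peer's address (placeholder string; use a
! long random secret, and a different one per peer)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 209.165.200.226
!
! Task 2 - IPsec policy for IKE Phase 2: ESP with AES 256 and SHA-1 HMAC
crypto ipsec transform-set XYZ-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL defining "interesting traffic": only LAN-to-LAN traffic is
! protected; anything not matched here is sent in the clear, so keep it tight.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Task 3 - crypto map tying peer, transform set, interesting traffic and
! the 15-minute (900 s) IPsec SA lifetime together
crypto map XYZ-MAP 10 ipsec-isakmp
 set peer 209.165.200.226
 set transform-set XYZ-TS
 set security-association lifetime seconds 900
 match address VPN-TRAFFIC
!
! Task 4 - apply the crypto map to the outside interface
! (only one crypto map may be applied per interface)
interface GigabitEthernet0/0
 crypto map XYZ-MAP
!
! Task 5 - verify from privileged EXEC. The Phase 1 SA only appears after
! interesting traffic has been sent, e.g. a ping sourced from the inside:
!   ping 192.168.2.1 source 192.168.1.1
!   show crypto isakmp policy   -> configured policy 10 plus the defaults
!   show crypto isakmp sa       -> Phase 1 SA; state QM_IDLE means it is up
!   show crypto ipsec sa        -> Phase 2 SAs; #pkts encaps/decaps increase
```

If show crypto isakmp sa stays empty, the Phase 1 parameters (encryption, hash, authentication, group) do not match on both ends or the key/peer address pair is wrong; if Phase 1 is up but show crypto ipsec sa shows no packets, the transform sets or the two crypto ACLs are not mirror images.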

Existing ACL Configurations

ACL Syntax for IPsec Traffic

Existing ACL Configurations (Cont.)

Permitting Traffic for IPsec Negotiations
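An added example (not from the deck) of what an existing inbound ACL on R1's outside interface must permit before the negotiation and the protected packets can get through: UDP port 500 for ISAKMP, UDP port 4500 when the peers detect NAT between them, and the IP protocols ESP (50) and AH (51). The peer addresses, the ACL name and the interface are assumed placeholders; the entries are restricted to the two peer addresses so the perimeter filter opens nothing for other hosts.

```cisco
! Added example, not the deck's configuration. Placeholders:
!   R1 outside = 209.165.200.225, R2 = 209.165.200.226,
!   inbound ACL OUTSIDE-IN already applied on GigabitEthernet0/0.
ip access-list extended OUTSIDE-IN
 remark --- IPsec negotiation and payload from peer R2 only ---
 remark IKE / ISAKMP on UDP 500
 permit udp host 209.165.200.226 host 209.165.200.225 eq isakmp
 remark IKE and ESP encapsulated in UDP 4500 when NAT traversal is in use
 permit udp host 209.165.200.226 host 209.165.200.225 eq non500-isakmp
 remark ESP, IP protocol 50
 permit esp host 209.165.200.226 host 209.165.200.225
 remark AH, IP protocol 51 (needed only if an AH transform is selected)
 permit ahp host 209.165.200.226 host 209.165.200.225
 remark --- existing entries follow; the implicit deny still drops the rest ---
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
!
! After sending interesting traffic, the match counters show which entries
! the tunnel actually used (isakmp and esp in the normal case):
!   show access-lists OUTSIDE-IN
```

Applying the crypto map does not bypass an interface ACL: if the ACL drops UDP 500, the Phase 1 SA never forms, and if it drops ESP the tunnel shows as established while no data passes, which is why the match counters are worth checking alongside show crypto ipsec sa.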

Introduction to GRE Tunnels

Topic 4.3.2:
ISAKMP Policy

The Default ISAKMP Policies

Syntax to Configure a New ISAKMP Policy

XYZCORP ISAKMP Policy Configuration

Configuring a Pre-Shared Key

The crypto isakmp key Command

Configuring a Pre-Shared Key (Cont.)
Pre-Shared Key Configuration

Topic 4.3.3:
IPsec Policy

Define Interesting Traffic
The IKE Phase 1 Tunnel Does Not Exist Yet

Define Interesting Traffic (Cont.)
Configure an ACL to Define Interesting Traffic

Configure IPsec Transform Set
The crypto ipsec transform-set Command

Configure IPsec Transform Set (Cont.)
The crypto ipsec transform-set Command

Topic 4.3.4:
Crypto Map

Syntax to Configure a Crypto Map

Syntax to Configure a Crypto Map (Cont.)
Crypto Map Configuration Commands

XYZCORP Crypto Map Configuration
Crypto Map Configuration:

XYZCORP Crypto Map Configuration (Cont.)
Crypto Map Configuration:

Apply the Crypto Map

Topic 4.3.5:
IPsec VPN

Send Interesting Traffic

Use Extended Ping to Send Interesting Traffic

Verify ISAKMP and IPsec Tunnels
Verify the ISAKMP Tunnel is Established

Verify ISAKMP and IPsec Tunnels (Cont.)
Verify the IPsec Tunnel is Established

Section 4.4:
Summary
Chapter Objectives:
• Explain the purpose of VPNs.

• Explain how IPsec VPNs operate.

• Configure a site-to-site IPsec VPN, with pre-shared key authentication, using the CLI.

Thank you.
Instructor Resources
• Remember, there are helpful tutorials and user guides available via your NetSpace home page (https://www.netacad.com).
• These resources cover a variety of topics including navigation, assessments, and assignments.
• A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes.

