ITNET04 Module06 VPNs

This module covers Virtual Private Networks (VPNs) and their implementation, focusing on site-to-site and remote access connectivity. It explains the benefits of VPNs, types of VPNs, and the process of configuring a Generic Routing Encapsulation (GRE) tunnel. Additionally, it outlines the steps for verifying and managing GRE tunnels in a network environment.

Uploaded by

Chaos Victoria

Module 6

Virtual Private Networks

ITNET04
WAN Connectivity
Module Objectives

Module Title: Virtual Private Networks


Module Objectives:
• Explain how VPNs secure site-to-site and remote access connectivity.
• Implement a GRE tunnel.
• Implement a secure IPSec tunnel.

Module References:
• CCNAv7 ENSA – Module 9

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
6.1 Virtual Private Networks

Fundamentals of VPNs
Introducing VPNs
• VPNs are used to create an end-to-end network connection that appears to be private over third-party networks, such as the Internet.
• Commonly used to connect private LANs over a public network.
• A secure implementation of VPN with encryption, such as IPsec VPNs, is what is usually meant by virtual private networking.
• To implement VPNs, a VPN gateway is necessary; this could be a router, a firewall, or a dedicated VPN appliance (e.g. Cisco ASA).
Fundamentals of VPNs
Benefits of VPNs
• The benefits of a VPN include the following:
  • Cost savings - VPNs enable organizations to use cost-effective, high-bandwidth technologies, such as DSL, to connect remote offices and remote users to the main site.
  • Scalability - Organizations are able to add large amounts of capacity without adding significant infrastructure.
  • Compatibility with broadband technology - Allows mobile workers and telecommuters to take advantage of high-speed, broadband connectivity.
  • Security - VPNs can use advanced encryption and authentication protocols.
Types of VPNs
Site-to-Site VPNs
• Site-to-site VPNs connect entire networks in fixed locations to each other, for example, connecting a branch office network to a company headquarters network.
• In a site-to-site VPN, end hosts send and receive normal TCP/IP traffic through a VPN “gateway”.
• The VPN gateway is responsible for encapsulating and encrypting outbound traffic.
Types of VPNs
Remote Access VPNs
• Used to connect individual hosts that must access their company network securely over the Internet.
• A remote-access VPN supports the needs of telecommuters, mobile users, and extranet traffic.
• Users can remotely access resources and services on the private network as if they were directly plugged in to the network.
• Allows for dynamically changing information, and can be enabled and disabled as needed.
• VPN client software may need to be installed on the mobile user’s end device.
Types of VPNs
Remote-Access VPNs

• Remote-access VPNs are typically enabled dynamically by the user when required and can be created using either IPsec or SSL.
• Clientless VPN connection - The connection is secured using a web browser SSL connection.
• Client-based VPN connection - VPN client software must be installed on the remote user’s end device.
VPN Technology
Enterprise and Service Provider VPNs
VPNs can be managed and deployed as:
• Enterprise VPNs - common solution for securing enterprise traffic across the internet. Site-to-site and remote access VPNs are created and managed by the enterprise using IPsec and SSL VPNs.
• Service Provider VPNs - created and managed by the provider network. The provider uses Multiprotocol Label Switching (MPLS) at Layer 2 or Layer 3 to create secure channels between an enterprise’s sites, effectively segregating the traffic from other customer traffic.
Types of VPNs
Service Provider MPLS VPNs
Today, service providers use MPLS in their core network. Traffic is forwarded through the MPLS backbone using labels. Traffic is secure because service provider customers cannot see each other’s traffic.
• MPLS can provide clients with managed VPN solutions; therefore, securing traffic between client sites is the responsibility of the service provider.
• There are two types of MPLS VPN solutions supported by service providers:
  • Layer 3 MPLS VPN - The service provider participates in customer routing by establishing a peering between the customer’s routers and the provider’s routers.
  • Layer 2 MPLS VPN - The service provider is not involved in the customer routing. Instead, the provider deploys a Virtual Private LAN Service (VPLS) to emulate an Ethernet multiaccess LAN segment over the MPLS network. No routing is involved. The customer’s routers effectively belong to the same multiaccess network.
6.2 Generic Routing Encapsulation

Fundamentals of VPNs
Tunneling
• Tunneling is the process of encapsulating an entire packet within another packet before it is transported over a network.
• Involves:
  • Passenger or encapsulated protocol - protocol over which the original data was carried
  • Encapsulating protocol - protocol wrapped around the original data (optional)
  • Carrier or delivery protocol - protocol over which the wrapped data travels
• The encapsulating protocol protects the contents of the passenger protocol.
Fundamentals of VPNs
Tunneling in Relation to VPNs
• VPN and tunneling often go hand-in-hand since most VPN technologies use a form of tunneling to accomplish the task of making networks seem like they are directly connected to each other.

[Link]
GRE Overview
GRE Introduction
• Generic Routing Encapsulation (GRE) is a non-secure, site-to-site VPN tunneling protocol.
  • Developed by Cisco.
  • GRE is stateless.
  • Does not include any mechanisms for data confidentiality and integrity.
  • GRE is defined as an IETF standard (RFC 2784).
• GRE manages the transportation of multiprotocol and IP multicast traffic between two or more sites.
GRE Overview
GRE Characteristics
• In the outer IP header, 47 is used in the protocol field.
• GRE encapsulation uses a protocol type field in the GRE header to support the encapsulation of any OSI Layer 3 protocol.
• The GRE header, together with the tunneling IP header, creates at least 24 bytes of additional overhead for tunneled packets.
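As an added example (not part of the module), the script below builds the carrier IP | GRE | passenger IP stack the tunneling slides describe and parses it back at the tunnel destination, checking for protocol 47 in the outer header, the GRE protocol type, and the 24 bytes of added overhead. All addresses and the ICMP payload are constructed sample values.

```python
"""GRE-over-IPv4 encapsulation walk-through (added example, not the module's code).
Passenger protocol: the inner IPv4 packet. Encapsulating protocol: the 4-byte GRE
header. Carrier protocol: the outer IPv4 header with protocol 47."""
import struct
import socket

IPPROTO_GRE = 47          # protocol number carried in the outer IP header
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type (Ethertype) for an IPv4 passenger
IP_HDR_LEN = 20           # minimal IPv4 header, no options
GRE_HDR_LEN = 4           # minimal GRE header: flags/version + protocol type


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 1) -> bytes:
    """Minimal IPv4 header (no options) in front of payload, checksum filled in."""
    total_len = IP_HDR_LEN + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What the tunnel source router does: wrap the passenger packet in GRE and a
    carrier IPv4 header addressed tunnel source -> tunnel destination."""
    gre_hdr = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)  # no C/K/S bits, version 0
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_hdr + inner_packet)


def gre_decapsulate(outer_packet: bytes) -> dict:
    """What the tunnel destination does: validate carrier IP + GRE and hand back the
    passenger packet. Raises ValueError on anything that is not minimal GRE-over-IPv4."""
    ihl = (outer_packet[0] & 0x0F) * 4
    if outer_packet[0] >> 4 != 4 or ihl < IP_HDR_LEN:
        raise ValueError("outer header is not IPv4")
    if ipv4_checksum(outer_packet[:ihl]) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    proto = outer_packet[9]
    if proto != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE (47)" % proto)
    gre = outer_packet[ihl:]
    flags_ver, ptype = struct.unpack("!HH", gre[:GRE_HDR_LEN])
    if flags_ver & 0x0007:          # version bits must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    if flags_ver & 0xB000:          # C, K or S bit set: header longer than 4 bytes
        raise ValueError("optional GRE fields present; minimal parser only")
    inner = gre[GRE_HDR_LEN:]
    return {
        "outer_src": socket.inet_ntoa(outer_packet[12:16]),
        "outer_dst": socket.inet_ntoa(outer_packet[16:20]),
        "gre_protocol_type": ptype,
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_packet": inner,
        "overhead": len(outer_packet) - len(inner),   # expected: 20 + 4 = 24 bytes
    }


def demo() -> dict:
    # Constructed topology: LAN host 192.168.1.10 pings 192.168.2.10 across a tunnel
    # whose physical endpoints are 203.0.113.1 and 198.51.100.1.
    icmp_echo = bytes([8, 0, 0xF7, 0xFF, 0, 0, 0, 0])   # ICMP echo request (placeholder checksum)
    passenger = build_ipv4("192.168.1.10", "192.168.2.10", 1, icmp_echo)  # proto 1 = ICMP
    carrier = gre_encapsulate(passenger, "203.0.113.1", "198.51.100.1")
    return gre_decapsulate(carrier)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```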
Implement GRE
Configure GRE
• Before configuring GRE, first ensure the following:

1. The two routers that will be connected via the tunnel can reach each other’s external interface (e.g. to create a tunnel between R1 and R2, ensure that R1 can successfully ping S0/0/0 of R2 and vice versa).
2. ACLs on peer router interfaces allow GRE traffic:

R1(config)# access-list 100 permit gre host [Link] host [Link]
R1(config)# interface S0/0/0
R1(config-if)# ip access-group 100 in

R2(config)# access-list 101 permit gre host [Link] host [Link]
R2(config)# interface S0/0/0
R2(config-if)# ip access-group 101 in
Implement GRE
Configure GRE
• Five steps to configuring a GRE tunnel:
  • Step 1. Create a tunnel interface using the interface tunnel number command.
  • Step 2. Specify GRE tunnel mode as the tunnel interface mode (optional).
  • Step 3. Configure an IP address for the tunnel interface (usually a private address).
  • Step 4. Specify the tunnel source interface or IP address. If using an IP address, this should match the IP address of the physical interface where the tunneled traffic will exit.
  • Step 5. Specify the tunnel destination IP address. This is the IP address of the physical interface of the destination router where the tunneled traffic will be sent.

R1(config)# interface Tunnel0
R1(config-if)# tunnel mode gre ip
R1(config-if)# ip address [Link] [Link]
R1(config-if)# tunnel source [Link]
or
R1(config-if)# tunnel source S0/0/0
R1(config-if)# tunnel destination [Link]

R2(config)# interface Tunnel0
R2(config-if)# tunnel mode gre ip
R2(config-if)# ip address [Link] [Link]
R2(config-if)# tunnel source [Link]
or
R2(config-if)# tunnel source S0/0/0
R2(config-if)# tunnel destination [Link]
Implement GRE
Verify GRE
• Use the show ip interface brief command to verify that the tunnel interface and line protocol are up.

R1#show ip interface brief
Interface         IP-Address   OK? Method Status                Protocol
FastEthernet0/0   unassigned   YES unset  administratively down down
FastEthernet0/1   unassigned   YES unset  administratively down down
Serial0/0/0       [Link]       YES manual up                    up
Serial0/0/1       unassigned   YES unset  administratively down down
Tunnel0           [Link]       YES manual up                    up

• Use the show interface tunnel command to verify the state of the tunnel.

R1#show interface Tunnel0
Tunnel0 is up, line protocol is up (connected)
  Hardware is Tunnel
  Internet address is [Link]/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source [Link] (Serial0/0/0), destination [Link]
  Tunnel protocol/transport GRE/IP
Implement GRE
Working with GRE Tunnels
• After configuring the tunnel, the two routers will appear to have a direct connection to each other; hence static routing or routing protocols can now be configured as if the two sites were just a single contiguous LAN.
• Example:

R1(config)# router ospf 1
R1(config-router)# network [Link] [Link] area 0

R2(config)# router ospf 1
R2(config-router)# network [Link] [Link] area 0
Implement GRE
Working with GRE Tunnels
• Routing between private LANs across the Internet / 3rd party network

[Figure: two private LANs ([Link]/24 and [Link]/24) joined by a GRE tunnel ([Link]/24) across the Internet. A ping between LAN hosts travels as IP | GRE | IP | Payload: the inner IP header carries the original host source and destination, the outer IP header carries the tunnel endpoint source and destination.]
Implement GRE
Troubleshoot GRE
• Issues with GRE are usually due to one or more of the following:

• Cause: The tunnel interface IP addresses are not on the same network or the subnet masks do not match.
  To check: show ip interface brief
• Cause: The interfaces for the tunnel source and/or destination are not configured with the correct IP address or are down.
  To check: show ip interface brief
• Cause: The destination address of a tunnel is not reachable from the local router.
  To check: show ip route
• Cause: Static or dynamic routing is not properly configured.
  To check: show ip route or show commands specific to the routing protocol used
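The checks in the table above, as an added example written for this page (not Cisco's or the module's code): each router is modelled with the data that show ip interface brief and show ip route would give, and the function reports which of the listed causes applies to a tunnel pair. The `Router` class, router names and all addresses are constructed; the example also adds one check the table does not list, a route to the tunnel destination that points into the tunnel itself (recursive routing).

```python
"""GRE tunnel-pair consistency checks (added example, not the module's code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Router:
    name: str
    interfaces: Dict[str, Tuple[str, bool]]   # physical interface -> (ip/prefix, is up)
    tunnel_ip: str                            # address on Tunnel0, e.g. "172.16.12.1/24"
    tunnel_source: str                        # interface name or IP, as in 'tunnel source'
    tunnel_destination: str                   # peer's physical IP, as in 'tunnel destination'
    routes: Dict[str, str] = field(default_factory=dict)   # prefix -> outgoing interface

    def source_ip(self) -> str:
        """Resolve 'tunnel source' to an address whether it names an interface or an IP."""
        if self.tunnel_source in self.interfaces:
            return self.interfaces[self.tunnel_source][0].split("/")[0]
        return self.tunnel_source

    def source_is_up(self) -> bool:
        for addr, up in self.interfaces.values():
            if addr.split("/")[0] == self.source_ip():
                return up
        return False   # tunnel source matches no configured interface address

    def route_for(self, dest: str) -> Optional[str]:
        """Longest-prefix match over the routing table; None means unreachable."""
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dest) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
        return best[1] if best else None


def check_gre_pair(a: Router, b: Router) -> List[str]:
    """Return the list of problems found; an empty list means the pair is consistent."""
    problems = []
    # Cause 1: tunnel addresses must share one network and mask.
    ia, ib = ipaddress.ip_interface(a.tunnel_ip), ipaddress.ip_interface(b.tunnel_ip)
    if ia.network != ib.network:
        problems.append(f"tunnel IPs {ia} and {ib} are not on the same network / masks differ")
    for local, peer in ((a, b), (b, a)):
        # Cause 2: source/destination interfaces carry the right address and are up.
        if local.source_ip() != peer.tunnel_destination:
            problems.append(f"{peer.name} tunnel destination {peer.tunnel_destination} "
                            f"!= {local.name} tunnel source {local.source_ip()}")
        if not local.source_is_up():
            problems.append(f"{local.name} tunnel source {local.tunnel_source} is down or unassigned")
        # Cause 3: the tunnel destination must be reachable from the local router.
        via = local.route_for(local.tunnel_destination)
        if via is None:
            problems.append(f"{local.name} has no route to tunnel destination {local.tunnel_destination}")
        elif via.lower().startswith("tunnel"):
            # Beyond the table: reaching the endpoint through the tunnel itself is
            # recursive routing and takes the tunnel down.
            problems.append(f"{local.name} reaches {local.tunnel_destination} via {via} (recursive routing)")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    # Constructed working pair.
    r1 = Router("R1", {"Serial0/0/0": ("203.0.113.1/30", True)}, "172.16.12.1/24",
                "Serial0/0/0", "198.51.100.1", {"0.0.0.0/0": "Serial0/0/0"})
    r2 = Router("R2", {"Serial0/0/0": ("198.51.100.1/30", True)}, "172.16.12.2/24",
                "198.51.100.1", "203.0.113.1", {"0.0.0.0/0": "Serial0/0/0"})
    good = check_gre_pair(r1, r2)
    # Constructed broken pair: R1 source interface down, R2 wrong mask and no routes.
    r1_bad = Router("R1", {"Serial0/0/0": ("203.0.113.1/30", False)}, "172.16.12.1/24",
                    "Serial0/0/0", "198.51.100.1", {"0.0.0.0/0": "Serial0/0/0"})
    r2_bad = Router("R2", {"Serial0/0/0": ("198.51.100.1/30", True)}, "172.16.12.2/25",
                    "198.51.100.1", "203.0.113.1", {})
    bad = check_gre_pair(r1_bad, r2_bad)
    return good, bad


if __name__ == "__main__":
    ok, broken = demo()
    print("working pair:", ok or "no problems")
    print("broken pair:", *broken, sep="\n  ")
```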
Questions?

Module Summary
What Did You Learn In This Module?
• VPNs are used to create a secure end-to-end private network connection over a third-party network, such as the Internet.
• A site-to-site VPN uses a VPN gateway device at the edge of both sites. The end hosts are unaware of the VPN and have no additional supporting software.
• A remote access VPN requires software to be installed on the individual host device that accesses the network from a remote location.
  • The two types of remote access VPNs are SSL and IPsec.
  • SSL technology can provide remote access using a client’s web browser and the browser’s native SSL encryption.
• VPNs may be self-deployed by an organization or created by an ISP, usually through MPLS.
• GRE is a basic, non-secure site-to-site VPN tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels, thus allowing an organization to deliver other protocols through an IP-based WAN.
Module 6
Virtual Private Networks
(Part 2)

ITNET04
WAN Connectivity
What You Learned
Virtual Private Networks
• VPNs are used to create an end-to-end network connection that appears to be private over third-party networks, such as the Internet.

[Figure: Site-to-site VPN]
What You Learned
Virtual Private Networks
• VPNs are used to create an end-to-end network connection that appears to be private over third-party networks, such as the Internet.

[Figure: Remote Access VPN]
What You Learned
GRE and Tunneling
• GRE is a non-secure, site-to-site VPN tunneling protocol.
• Tunneling encapsulates an entire packet within another packet before it is transported over a network.

[Figure: two private LANs ([Link]/24 and [Link]/24) joined by a GRE tunnel ([Link]/24); a ping between LAN hosts is carried as IP | GRE | IP | Payload, with the inner IP header holding the host source and destination and the outer IP header holding the tunnel endpoint source and destination.]
What You Learned
GRE Configuration
• Step 1: Create the tunnel interface
• Step 2: Set the tunnel source (own external interface)
• Step 3: Set the tunnel destination (external interface of tunnel peer)
• Step 4: Configure the tunnel connection as if it were a direct point-to-point link

R1(config)# interface Tunnel0
R1(config-if)# tunnel mode gre ip
R1(config-if)# tunnel source [Link]
R1(config-if)# tunnel destination [Link]
R1(config-if)# ip address [Link] [Link]

R2(config)# interface Tunnel0
R2(config-if)# tunnel mode gre ip
R2(config-if)# tunnel source [Link]
R2(config-if)# tunnel destination [Link]
R2(config-if)# ip address [Link] [Link]
6.3 IPSec
IPSec
IPsec Technologies

• Secures a path between a pair of gateways, a pair of hosts, or a gateway and host.
• Works at the network layer, protecting and authenticating IP packets between participating IPsec devices.
• All implementations of IPsec have a plaintext Layer 3 header, so there are no issues with routing.
• Functions over all Layer 2 protocols, such as Ethernet, ATM, or Frame Relay.
IPSec
IPsec Technologies

• Information from a private network needs to be securely transported over a public network.
• Internet Protocol Security (IPSec) is a framework of open standards that defines how a VPN can be configured in a secure manner using IP.
  • Provides the rules for secure communications.
  • Not bound to any specific encryption, authentication, security algorithms, or keying technology.
  • Relies on existing algorithms to implement secure communications.
IPSec
IPsec Framework

• The IPsec framework consists of five building blocks.
• The administrator selects the algorithms used to implement the security services within that framework.
• The open slots in the IPsec framework shown in the figure can be filled with any of the choices that are available for that IPsec function to create a unique security association (SA).
• New security technologies can be integrated without updating existing IPsec standards.
IPSec Framework
Confidentiality with Encryption

IPSec uses symmetric key encryption to ensure that only the intended recipient can read the data.
• DES uses a 56-bit key.
• 3DES uses three independent 56-bit encryption keys per 64-bit block.
• AES offers three different key lengths: 128 bits, 192 bits, and 256 bits.
• SEAL is a stream cipher, which means it encrypts data continuously rather than encrypting blocks of data. SEAL uses a 160-bit key.
IPSec Framework
Integrity with Hashing

IPSec uses the Hashed Message Authentication Code (HMAC) to guarantee that data has not been changed while in transit. If tampering is detected, the packet is dropped.
• Message-Digest 5 (MD5) uses a 128-bit shared-secret key.
• The Secure Hash Algorithm (SHA) uses a 160-bit secret key.
IPSec Framework
IPSec Authentication
Authentication is used to verify the identity of the data source and ensure that a connection is made with the desired host.
1. Pre-shared key (PSK) - key value is entered into each peer manually.
  • Easy to configure manually
  • Does not scale well
  • Must be configured on every peer
2. Rivest, Shamir, and Adleman (RSA) - authentication uses digital certificates to authenticate the peers.
  • Each peer must authenticate its opposite peer before the tunnel is considered secure.
IPSec Framework
IPSec Authentication (Digital Certificates)
• Digital certificates use public / private key pairs to authenticate device identity.
• The local device derives a hash and encrypts it with its private key to produce a digital signature.
• The digital signature will be decrypted by the remote peer using the local device’s public key.
IPSec Framework
Secure Key Exchange with Diffie-Hellman
DH allows two peers to establish a shared secret key over an insecure channel.
Variations of the DH key exchange are specified as DH groups:
• DH groups 1, 2, and 5 should no longer be used.
• DH groups 14, 15, and 16 use larger key sizes with 2048 bits, 3072 bits, and 4096 bits, respectively.
• DH groups 19, 20, 21 and 24 with respective key sizes of 256 bits, 384 bits, 521 bits, and 2048 bits support Elliptic Curve Cryptography (ECC), which reduces the time needed to generate keys.
IPSec Framework
IPSec Security Protocol

Choosing the IPsec protocol encapsulation is the first building block of the framework.
• IPsec encapsulates packets using Authentication Header (AH) or Encapsulating Security Payload (ESP).
• The choice of AH or ESP establishes which other building blocks are available.
IPSec Framework
IPSec Security Protocol
Authentication Header (AH)
• Appropriate protocol to use when confidentiality is not required.
• Provides data authentication and integrity for IP packets that are passed between two systems.
• Does not provide data confidentiality (encryption) of packets.

Encapsulating Security Payload (ESP)
• A security protocol that provides confidentiality and authentication by encrypting the IP packet.
• Authenticates the inner IP packet and ESP header.
IPsec Security Protocols
Authentication Header
• Appropriate protocol to use when confidentiality is not required.
• Provides data authentication and integrity for packets that are passed between two systems.
• Does not provide data confidentiality (encryption) of packets.

1. The IP header and data payload are hashed using the shared secret key.
2. The hash builds a new AH header, which is inserted into the original packet.
3. The new packet is transmitted to the IPsec peer router.
4. The peer router hashes the IP header and data payload using the shared secret key, extracts the transmitted hash from the AH header, and compares the two hashes.
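The four AH steps above as an added example (not the module's code): HMAC-SHA-1 over header and payload with the shared key on the sending side, then recompute-and-compare at the peer, dropping any packet whose hash does not match. The header fields, keys and the `immutable_view` helper are constructed for the example; the 96-bit truncation of the HMAC and the exclusion of mutable fields such as TTL follow how AH behaves but are not described on the slides.

```python
"""AH-style integrity check with HMAC (added example, not the module's code)."""
import hmac
import hashlib
import secrets
from typing import Optional

# HMAC-SHA-1 produces 160 bits; AH carries the first 96 bits (12 bytes) of it.
AH_ICV_LEN = 12


def immutable_view(ip_header: dict) -> bytes:
    """Serialize only the fields that do not change in transit. TTL is decremented
    at every hop and the IP checksum changes with it, so AH does not cover them
    (constructed representation; real AH zeroes those fields in place)."""
    return f"{ip_header['src']}|{ip_header['dst']}|{ip_header['proto']}".encode()


def ah_protect(key: bytes, ip_header: dict, payload: bytes) -> bytes:
    """Steps 1-2: hash IP header + payload with the shared secret key; the result
    is the Integrity Check Value placed in the new AH header."""
    mac = hmac.new(key, immutable_view(ip_header) + payload, hashlib.sha1).digest()
    return mac[:AH_ICV_LEN]


def ah_verify(key: bytes, ip_header: dict, payload: bytes, icv: bytes) -> Optional[bytes]:
    """Step 4: the peer recomputes the hash and compares it with the transmitted one.
    Returns the payload when they match and None when the packet must be dropped.
    compare_digest avoids leaking where the two values first differ."""
    expected = ah_protect(key, ip_header, payload)
    if hmac.compare_digest(expected, icv):
        return payload
    return None


def demo() -> dict:
    key = secrets.token_bytes(20)   # constructed 160-bit shared secret
    header = {"src": "192.168.1.10", "dst": "192.168.2.10", "proto": 1, "ttl": 64}
    payload = b"ICMP echo request (constructed payload)"
    icv = ah_protect(key, header, payload)                       # steps 1-2 at the sender
    in_transit = dict(header, ttl=63)                            # step 3: a hop decrements TTL
    results = {
        # TTL is a mutable field, so the decrement does not invalidate the ICV.
        "ok": ah_verify(key, in_transit, payload, icv) is not None,
        # One flipped payload bit: hashes differ, packet dropped.
        "tamper_dropped": ah_verify(key, in_transit, bytes([payload[0] ^ 1]) + payload[1:], icv) is None,
        # A peer without the shared key cannot produce a matching ICV.
        "wrong_key_dropped": ah_verify(secrets.token_bytes(20), in_transit, payload, icv) is None,
        # Changing a covered header field (destination) is detected too.
        "header_tamper_dropped": ah_verify(key, dict(in_transit, dst="192.168.3.10"), payload, icv) is None,
    }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```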
IPsec Security Protocols
Encapsulating Security Payload
• ESP provides confidentiality and authentication by encrypting the IP packet.
  • First, the payload is encrypted using DES (default), 3DES, AES, or SEAL.
  • The encrypted payload is hashed to provide authentication and data integrity using HMAC-MD5 or HMAC-SHA-1.
• Authenticates the inner IP packet and ESP header.
IPSec
Internet Key Exchange
• Internet Key Exchange (IKE) is the protocol used to help IPSec exchange cryptographic keys and negotiate IPSec parameters (Security Associations).
• Security Associations (SAs)
  • The negotiated parameters between two devices.
  • Represent a policy contract between two peers or hosts, and describe how the peers use IPsec security services to protect network traffic.
  • An IPSec VPN has SA entries defining the key exchange parameters as well as SA entries defining the IPsec encryption parameters.
Internet Key Exchange
IKE Phase 1 and Phase 2
• There are two phases in every IKE negotiation.
• IKE Phase One: Authentication
  • Establishes how to protect negotiation of security associations (SAs) using ISAKMP
  • Used to exchange identities and authenticate each other
  • Exchange of a shared temporal key using Diffie-Hellman to protect negotiations
  • Establishes the IKE SA and creates the first tunnel, which protects later negotiation messages
• IKE Phase Two: Key Exchange
  • Negotiates IPsec security parameters (IPsec transform sets)
  • Establishes IPsec SAs and creates the tunnel that protects the data
Configuring a Site-to-Site IPsec VPN
IPsec Configuration Tasks
Some basic tasks must be completed to configure a site-to-site IPsec VPN.
• Task 1. Ensure that ACLs configured on interfaces are compatible with the IPsec configuration.
• Task 2. Create an ISAKMP (IKE phase 1) policy.
• Task 3. Identify peers and configure the pre-shared key.
• Task 4. Configure the IPsec transform set.
• Task 5. Create a crypto ACL.
• Task 6. Create and apply a crypto map.
Configuring a Site-to-Site IPsec VPN
Task 1: Configure Compatible ACLs
Ensure that any ACL configured on the external router interfaces does not block ISAKMP (IKE), ESP, or AH traffic:
• ESP uses IP protocol number 50.
• AH uses IP protocol number 51.
• ISAKMP (IKE) uses UDP port 500.

R1(config)# access-list 100 permit ahp host [Link] host [Link]
R1(config)# access-list 100 permit esp host [Link] host [Link]
R1(config)# access-list 100 permit udp host [Link] host [Link] eq isakmp
R1(config)# interface S0/0/0
R1(config-if)# ip access-group 100 in

R2(config)# access-list 101 permit ahp host [Link] host [Link]
R2(config)# access-list 101 permit esp host [Link] host [Link]
R2(config)# access-list 101 permit udp host [Link] host [Link] eq isakmp
R2(config)# interface S0/0/0
R2(config-if)# ip access-group 101 in
Configuring a Site-to-Site IPsec VPN
Task 2: Create an ISAKMP Policy

• The second major task is to define the parameters within the ISAKMP policy. Each policy specifies the encryption algorithm, integrity algorithm, key exchange algorithm and peer authentication method.

Router(config)# crypto isakmp policy pol_num
Router(config-isakmp)# encryption encrypt_option
Router(config-isakmp)# hash hash_option
Router(config-isakmp)# group dh_option
Router(config-isakmp)# authentication auth_method
Configuring a Site-to-Site IPsec VPN
Task 2: Create an ISAKMP (IKE) Policy

• Multiple ISAKMP policies may be configured on each router, but at least one policy must have parameters that match exactly between the two routers before the IKE phase 1 tunnel is successfully established.
Configuring a Site-to-Site IPsec VPN
Task 2: Create an ISAKMP (IKE) Policy
R2(config)# crypto isakmp policy 100
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# hash sha
R2(config-isakmp)# group 2
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# exit

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# hash sha
R1(config-isakmp)# group 2
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# exit

Policy numbers are only locally significant and do not have to match between IPsec peers.

[Figure: the two policies match on 3DES, SHA, DH2 and PSK.]
Configuring a Site-to-Site IPsec VPN
Task 3: Identify Peers and Configure PSK
• When using PSK authentication, the peer router and the shared key must be configured using the command Router(config)# crypto isakmp key psk_val address peer_rtr
• The pre-shared key must match between the peer routers.

R2(config)# crypto isakmp key pass123 address [Link]

R1(config)# crypto isakmp key pass123 address [Link]
Configuring a Site-to-Site IPsec VPN
Task 4: Configure IPSec Transform Set
• A transform set is a combination of security protocols and algorithms that defines how the router protects data; it is negotiated during IKE phase 2 to establish the parameters that will be used by the IPSec tunnel.
• A transform set defines the IPSec security protocol, the encryption algorithm (if using ESP) and the hashing algorithm (both AH and ESP) to be used.

Router(config)# crypto ipsec transform-set transform-set-name ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  esp-null      ESP transform w/o cipher
Configuring a Site-to-Site IPsec VPN
Task 4: Configure IPSec Transform Set
Similar to ISAKMP policies, a router may have multiple transform sets configured; one of them must match a transform set on the peer so that the phase 2 tunnel can be established.

One router’s transform sets:          The peer’s transform sets:
transform-set ALPHA                   transform-set RED
  esp-3des                              esp-des
  tunnel                                tunnel
transform-set BETA                    transform-set BLUE
  esp-3des, esp-md5-hmac                esp-des, ah-sha-hmac
  tunnel                                tunnel
transform-set CHARLIE                 transform-set YELLOW
  esp-3des, esp-sha-hmac                esp-3des, esp-sha-hmac
  tunnel                                tunnel

Match: CHARLIE and YELLOW carry the same transforms and mode, so the phase 2 negotiation succeeds on that pair.
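How the exact-match rule works for ISAKMP policies (Task 2 above) and for transform sets (this slide), as an added example that is not part of the module: the policy and transform-set data are the slides' own, while the `IsakmpPolicy` and `TransformSet` classes, the matching functions and the stricter-peer mismatch case are constructed for the example.

```python
"""IKE phase 1 / phase 2 parameter matching (added example, not the module's code).
Policy numbers and transform-set names are locally significant; only the
parameters are compared. Policies are tried lowest number first, which is the
order IOS lists them in."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    number: int              # local priority only, need not match the peer
    encryption: str
    hash_alg: str
    group: int
    authentication: str

    def params(self) -> tuple:
        return (self.encryption, self.hash_alg, self.group, self.authentication)


@dataclass(frozen=True)
class TransformSet:
    name: str                # local name only
    transforms: FrozenSet[str]   # e.g. {"esp-3des", "esp-sha-hmac"}
    mode: str = "tunnel"


def match_isakmp(local: List[IsakmpPolicy],
                 remote: List[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy]]:
    """Phase 1: return the first local/remote pair whose four parameters are
    identical; None means no IKE SA can be built."""
    for mine in sorted(local, key=lambda p: p.number):
        for theirs in sorted(remote, key=lambda p: p.number):
            if mine.params() == theirs.params():
                return mine, theirs
    return None


def match_transform_set(local: List[TransformSet],
                        remote: List[TransformSet]) -> Optional[Tuple[TransformSet, TransformSet]]:
    """Phase 2: return the first pair with identical transforms and mode."""
    for mine in local:
        for theirs in remote:
            if mine.transforms == theirs.transforms and mine.mode == theirs.mode:
                return mine, theirs
    return None


def demo():
    # Slide data: R2 policy 100 and R1 policy 110 differ only in number.
    r2_policies = [IsakmpPolicy(100, "3des", "sha", 2, "pre-share")]
    r1_policies = [IsakmpPolicy(110, "3des", "sha", 2, "pre-share")]
    phase1 = match_isakmp(r1_policies, r2_policies)

    # Slide data: ALPHA/BETA/CHARLIE against RED/BLUE/YELLOW; only CHARLIE/YELLOW match.
    side_a = [TransformSet("ALPHA", frozenset({"esp-3des"})),
              TransformSet("BETA", frozenset({"esp-3des", "esp-md5-hmac"})),
              TransformSet("CHARLIE", frozenset({"esp-3des", "esp-sha-hmac"}))]
    side_b = [TransformSet("RED", frozenset({"esp-des"})),
              TransformSet("BLUE", frozenset({"esp-des", "ah-sha-hmac"})),
              TransformSet("YELLOW", frozenset({"esp-3des", "esp-sha-hmac"}))]
    phase2 = match_transform_set(side_a, side_b)

    # Constructed mismatch: the peer only accepts DH group 14, so phase 1 fails
    # even though encryption, hash and authentication agree.
    stricter_peer = [IsakmpPolicy(10, "3des", "sha", 14, "pre-share")]
    failed = match_isakmp(r1_policies, stricter_peer)
    return phase1, phase2, failed


if __name__ == "__main__":
    p1, p2, failed = demo()
    print("phase 1:", p1[0].number, "<->", p1[1].number)
    print("phase 2:", p2[0].name, "<->", p2[1].name)
    print("stricter peer:", failed)
```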
Configuring a Site-to-Site IPsec VPN
Task 4: Configure IPSec Transform Set
Example: To create IPSec transform sets that will result in a security association between R1 and R2 that uses ESP with 3DES encryption and SHA hashing:

R2(config)# crypto ipsec transform-set R2SET esp-3des esp-sha-hmac

R1(config)# crypto ipsec transform-set R1SET esp-3des esp-sha-hmac
Configuring a Site-to-Site IPsec VPN
Task 5: Define Crypto ACLs
• Crypto ACLs identify the traffic flows to be protected using
the IPSec VPN.
• Crypto ACLs define which traffic needs to be encrypted.
All other traffic passes as plaintext.
• Example: To specify that all traffic between the Site 1
and Site 2 LANs must pass through the VPN:

R1(config)# access-list 110 permit ip [Link] [Link] [Link] [Link]

R2(config)# access-list 110 permit ip [Link] [Link] [Link] [Link]


Configuring a Site-to-Site IPsec VPN
Task 6: Create and Apply Crypto Map
• Crypto maps define:
  • Which traffic to protect using a crypto ACL
  • Who the remote IPsec peers are
  • Which type of IPsec security is applied to this traffic (transform sets)

• In global config mode:

  Router(config)# crypto map map-name seq-num ipsec-isakmp
  Router(config-crypto-map)# match address acl_id
  Router(config-crypto-map)# set peer peer_address
  Router(config-crypto-map)# set transform-set transform_set_name

• Apply the crypto map under interface config mode:

  Router(config)# interface int_id
  Router(config-if)# crypto map map-name

Configuring a Site-to-Site IPsec VPN
Task 6: Create and Apply Crypto Map

R1(config)# crypto map R1MAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer [Link]
R1(config-crypto-map)# set transform-set R1SET
R1(config-crypto-map)# exit
R1(config)# interface S0/0/0
R1(config-if)# crypto map R1MAP

R2(config)# crypto map MYMAP 10 ipsec-isakmp
R2(config-crypto-map)# match address 110
R2(config-crypto-map)# set peer [Link]
R2(config-crypto-map)# set transform-set R2SET
R2(config-crypto-map)# exit
R2(config)# interface S0/0/0
R2(config-if)# crypto map MYMAP
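Tasks 4, 5 and 6 only produce a working Phase 2 tunnel when the two routers' settings agree with each other: a transform set on one side must be identical to one on the other, the crypto ACLs must be mirror images, and each "set peer" must point at the other side's crypto-map interface. The script below is an added example (not part of the module and not Cisco code) that parses two small IOS-style configurations and checks exactly those three relationships before the configs are pushed; the configurations, the RFC 5737 addresses in them and the list of weak transform components are constructed for the example.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Transform-set components from the '?' listing that are weak or deprecated today
# (DES, 3DES, MD5, and ESP without a cipher). Assumption of this example.
WEAK_COMPONENTS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}

# Constructed peer configurations following Tasks 4-6 (RFC 5737 documentation addresses).
R1_CONFIG = """\
crypto ipsec transform-set R1SET esp-3des esp-sha-hmac
access-list 110 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
crypto map R1MAP 10 ipsec-isakmp
 match address 110
 set peer 203.0.113.2
 set transform-set R1SET
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map R1MAP
"""
R2_CONFIG = """\
crypto ipsec transform-set R2SET esp-3des esp-sha-hmac
access-list 110 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 match address 110
 set peer 203.0.113.1
 set transform-set R2SET
interface Serial0/0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map MYMAP
"""
# R2 with the crypto ACL copied from R1 instead of mirrored (a common mistake).
R2_CONFIG_BAD_ACL = R2_CONFIG.replace("198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255",
                                      "192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255")


def wildcard_to_net(addr, wildcard):
    """Convert an ACL 'address wildcard' pair to an IPv4Network (contiguous wildcards only)."""
    prefix = 32 - int(IPv4Address(wildcard)).bit_length()
    return IPv4Network(f"{addr}/{prefix}", strict=False)


def parse_config(text):
    """Pull transform sets, crypto ACLs, crypto maps and interfaces out of an IOS-style config."""
    cfg = {"transform_sets": {}, "acls": {}, "crypto_maps": {}, "interfaces": {}}
    block = None  # the crypto map or interface that indented sub-commands belong to
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            m = re.match(r"\s*(match address|set peer|set transform-set|ip address|crypto map) (.+)", line)
            if block is not None and m:
                block[m.group(1)] = m.group(2).split()
            continue
        block = None
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform_sets"][m.group(1)] = frozenset(m.group(2).split())
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acls"].setdefault(m.group(1), set()).add(
                (wildcard_to_net(m.group(2), m.group(3)), wildcard_to_net(m.group(4), m.group(5))))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            block = cfg["crypto_maps"].setdefault(m.group(1), {})
        elif m := re.match(r"interface (\S+)", line):
            block = cfg["interfaces"].setdefault(m.group(1), {})
    return cfg


def active_vpn(cfg):
    """Return (WAN address, crypto map) for the interface the crypto map is applied to."""
    for intf in cfg["interfaces"].values():
        if "crypto map" in intf:
            return intf["ip address"][0], cfg["crypto_maps"][intf["crypto map"][0]]
    raise ValueError("no interface has a crypto map applied")


def check_peers(local_text, remote_text):
    """Cross-check the two peers' Task 4-6 settings and report what would stop Phase 2."""
    local, remote = parse_config(local_text), parse_config(remote_text)
    l_addr, l_map = active_vpn(local)
    r_addr, r_map = active_vpn(remote)
    # Task 4: one transform set per side must be identical; components are compared
    # as sets because their order on the command line does not matter.
    l_sets = {n: local["transform_sets"][n] for n in l_map["set transform-set"]}
    r_sets = {n: remote["transform_sets"][n] for n in r_map["set transform-set"]}
    match = next(((ln, rn) for ln, ls in l_sets.items()
                  for rn, rs in r_sets.items() if ls == rs), None)
    # Task 5: the remote crypto ACL must be the mirror image of the local one.
    l_acl = local["acls"][l_map["match address"][0]]
    r_acl = remote["acls"][r_map["match address"][0]]
    mirrored = {(dst, src) for src, dst in r_acl} == l_acl
    # Task 6: each 'set peer' must name the other side's crypto-map interface address.
    peers_ok = l_map["set peer"][0] == r_addr and r_map["set peer"][0] == l_addr
    weak = {c for s in (*l_sets.values(), *r_sets.values()) for c in s if c in WEAK_COMPONENTS}
    return {"transform_match": match, "acl_mirrored": mirrored,
            "peers_consistent": peers_ok, "weak_components": sorted(weak)}


if __name__ == "__main__":
    print("R1 <-> R2:", check_peers(R1_CONFIG, R2_CONFIG))
    print("R1 <-> R2 (bad ACL):", check_peers(R1_CONFIG, R2_CONFIG_BAD_ACL))
```

Run against the two constructed R2 variants, the first report shows every relationship satisfied (with esp-3des flagged as a weak component), while the second reports the ACL as not mirrored even though the transform sets and peer addresses still agree, which is the situation that produces a Phase 1 SA but no Phase 2 SA.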

Configuring a Site-to-Site IPsec VPN
Verifying IPSec
 The show crypto map command verifies crypto map details and shows the SA lifetime.

R1# show crypto map
Crypto Map "R1MAP" 10 ipsec-isakmp
        Peer = [Link]
        Extended IP access list 110
            access-list 110 permit ip [Link] [Link] [Link] [Link]
        Current peer: [Link]
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                R1SET,
        }
        Interfaces using crypto map R1MAP:
                Serial0/0/0

Configuring a Site-to-Site IPsec VPN
Verifying IPSec
 The show crypto isakmp policy command displays configured IKE policies

R1# show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Configuring a Site-to-Site IPsec VPN
Verifying IPSec
 The show crypto isakmp sa command displays currently active IKE Phase 1 security associations

R1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
[Link]          [Link]          QM_IDLE           1074    0 ACTIVE

 The show crypto ipsec transform-set command shows all configured transform sets.

R1# show crypto ipsec transform-set
Transform set R1SET: { esp-3des esp-sha-hmac  }
   will negotiate = { Tunnel,  },

Configuring a Site-to-Site IPsec VPN
Verifying IPSec
 The show crypto ipsec sa command displays currently active IKE Phase 2 security associations

R1# show crypto ipsec sa

interface: Serial0/0/0
    Crypto map tag: R1MAP, local addr [Link]

   protected vrf: (none)
   local  ident (addr/mask/prot/port): ([Link]/[Link]/0/0)
   remote ident (addr/mask/prot/port): ([Link]/[Link]/0/0)
   current_peer [Link] port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 0
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 0
    ...
     inbound esp sas:
      spi: 0xE7468816(3880159254)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: FPGA:1, crypto map: R1MAP
        sa timing: remaining key lifetime (k/sec): (4525504/3188)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE
    ...
     outbound esp sas:
      spi: 0xC2F004B4(3270509748)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2009, flow_id: FPGA:1, crypto map: R1MAP
        sa timing: remaining key lifetime (k/sec): (4525504/3188)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE
    ...
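The four show commands above are what an engineer reads to confirm the tunnel is up, but the interesting fields are easy to miss in the wall of output: whether both an inbound and an outbound SA are ACTIVE, whether packets are flowing in both directions (encaps vs decaps), the remaining key lifetime, whether replay detection is on, and which transform components are in use. The script below is an added example (not part of the module and not Cisco tooling) that parses an excerpt in the shape of the show crypto ipsec sa output and reduces it to those checks; the excerpt, its RFC 5737 addresses and the weak-component list are constructed for the example.

```python
import re

# Components considered weak today (assumption of this example, not a module claim).
WEAK_COMPONENTS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}

# Constructed 'show crypto ipsec sa' excerpt in the shape the module shows; the
# addresses are RFC 5737 documentation ranges, not the module's.
SAMPLE_OUTPUT = """\
R1# show crypto ipsec sa

interface: Serial0/0/0
    Crypto map tag: R1MAP, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
   current_peer 203.0.113.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 0
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 0

     inbound esp sas:
      spi: 0xE7468816(3880159254)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: FPGA:1, crypto map: R1MAP
        sa timing: remaining key lifetime (k/sec): (4525504/3188)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound esp sas:
      spi: 0xC2F004B4(3270509748)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2009, flow_id: FPGA:1, crypto map: R1MAP
        sa timing: remaining key lifetime (k/sec): (4525504/3188)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE
"""


def parse_ipsec_sa(text):
    """Extract the current peer, the per-flow packet counters and each ESP SA entry."""
    parsed = {"peer": None, "counters": {}, "sas": []}
    direction, sa = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"current_peer (\S+) port \d+", line):
            parsed["peer"] = m.group(1)
        elif line.startswith("#pkts"):
            for name, value in re.findall(r"#pkts (\w+): (\d+)", line):
                parsed["counters"][name] = int(value)
        elif m := re.match(r"(inbound|outbound) (?:esp|ah) sas:", line):
            direction = m.group(1)
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            sa = {"direction": direction, "spi": m.group(1)}
            parsed["sas"].append(sa)
        elif sa is not None:  # attribute lines belonging to the SA entry opened by 'spi:'
            if m := re.match(r"transform: (.+?) ,", line):
                sa["transform"] = m.group(1).split()
            elif m := re.search(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", line):
                sa["remaining_kb"], sa["remaining_sec"] = int(m.group(1)), int(m.group(2))
            elif m := re.match(r"replay detection support: (\w)", line):
                sa["replay_detection"] = m.group(1) == "Y"
            elif m := re.match(r"Status: (\w+)", line):
                sa["status"] = m.group(1)
    return parsed


def assess(parsed):
    """Summarise Phase 2 health plus the points a reviewer would flag in this output."""
    by_dir = {sa["direction"]: sa for sa in parsed["sas"]}
    c = parsed["counters"]
    return {
        # Both an inbound and an outbound SA must exist and be ACTIVE for traffic to flow.
        "phase2_active": all(by_dir.get(d, {}).get("status") == "ACTIVE"
                             for d in ("inbound", "outbound")),
        # Packets leaving with none arriving (or vice versa) points at the far side's
        # crypto ACL or routing rather than at this SA.
        "traffic_one_way": (c.get("encaps", 0) > 0) != (c.get("decaps", 0) > 0),
        "replay_detection_off": [sa["spi"] for sa in parsed["sas"]
                                 if not sa.get("replay_detection", True)],
        "weak_components": sorted({t for sa in parsed["sas"]
                                   for t in sa.get("transform", []) if t in WEAK_COMPONENTS}),
        "min_remaining_sec": min((sa["remaining_sec"] for sa in parsed["sas"]
                                  if "remaining_sec" in sa), default=None),
    }


if __name__ == "__main__":
    for key, value in assess(parse_ipsec_sa(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```

For the constructed excerpt the assessment reports Phase 2 active with two-way traffic, but it also lists both SPIs under replay_detection_off and esp-3des under weak_components, which is the kind of finding that is invisible when one only checks for the word ACTIVE.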
Site-to-Site VPN
GRE vs IPSec
• GRE
  • Advantage: can tunnel non-IP, multicast and broadcast traffic over an IP network
    (supports routing protocols).
  • Disadvantage: no security
• IPsec
  • Advantage: traffic is secured
  • Disadvantage: supports unicast IP only
• What to do if we need to secure routing protocol or non-IP traffic over an unsecured connection?
  • Use GRE to tunnel
  • Encrypt the GRE tunnel using IPSec (GRE over IPSec)
  • Crypto ACL must be adjusted to target the GRE traffic between peer routers instead of
    IP traffic between LAN hosts

[Decision flowchart: User Traffic -> Need to secure? No: Use GRE Tunnel. Yes -> IP only? No: Use GRE over IPSec. Yes -> Unicast only? No: Use GRE over IPSec. Yes: Use IPsec VPN]
Questions?

Module Summary
What Did You Learn In This Module?
 VPNs are used to create a secure end-to-end private network connection over a third-party
network, such as the Internet.
 A site-to-site VPN uses a VPN gateway device at the edge of both sites. The end hosts are
unaware of the VPN and have no additional supporting software.
 A remote access VPN requires software to be installed on the individual host device that
accesses the network from a remote location.
• The two types of remote access VPNs are SSL and IPsec.
• SSL technology can provide remote access using a client’s web browser and the browser’s
native SSL encryption.
 VPNs may be self-deployed by an organization or created by an ISP, usually through MPLS.

 GRE is a basic, non-secure site-to-site VPN tunneling protocol that can encapsulate a wide
variety of protocol packet types inside IP tunnels, thus allowing an organization to deliver
other protocols through an IP-based WAN.
Module Summary
What Did You Learn In This Module?
 IPsec, an IETF standard, is a framework that defines how to establish a secure tunnel
operating at Layer 3 of the OSI model that can protect and authenticate IP packets between
IPsec peers.
• It can provide confidentiality by using encryption, data integrity, authentication, and anti-replay
protection.
• Data integrity is provided by using a hash algorithm, such as MD5 or SHA.
• Authentication is provided by the PSK or RSA peer authentication method.
 IPsec uses IKE to establish a secure tunnel between peers. The process involves two phases:

• Phase 1 authenticates the peers and negotiates the parameters of a secure tunnel that will be used to
exchange keys
• Phase 2 exchanges keys in order to establish the secure tunnel that will be used to transport
user data


