
Cisco

VPN Solutions

2001, Cisco Systems, Inc.

Agenda

Introduction to IPSec
IPSec VPN Topologies
Cisco Site-to-Site VPN Solutions

VPN Overview

2001, Cisco Systems, Inc.

www.cisco.com/go/vpn

IPSec Design Guide
http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/iptoc_dg.htm

IPSec Overview
Initiating the IPSec session
Phase one: exchanging keys
Phase two: setting up security associations
Encrypting/decrypting packets
Rebuilding security associations
Timing out security associations
Simple IPSec configuration

Initiating the IPSec Session (Phase One: ISAKMP)
Internet Security Association Key Management Protocol (ISAKMP)
Both sides need to agree on the ISAKMP security parameters.
ISAKMP parameters:
Encryption algorithm
Hash algorithm
Authentication method
Diffie-Hellman modulus group
Lifetime

Initiating the IPSec Session (Phase Two: IPSec)
Both sides need to agree on the IPSec security parameters.
IPSec parameters:
IPSec peer: endpoint of the IPSec tunnel
IPSec proxy: traffic to be encrypted/decrypted
IPSec transform: encryption and hashing
IPSec lifetime: phase two SA regeneration time

Encrypting and Decrypting Packets
Once phase one and phase two complete, Security Associations (SAs) are created at both IPSec endpoints.
Using the negotiated SA information:
Outbound packets are encrypted
Inbound packets are decrypted

Rebuilding Security Associations
To ensure that keys are not compromised, they are periodically refreshed.
Security associations will be rebuilt when:
The lifetime expires, or
The data volume has been exceeded, or
Another SA is attempted with identical parameters

Simple IPSec Configuration
Topology: 10.1.1.0/24 -- router (192.1.1.1) -- Internet, IPSec Tunnel -- router (200.1.1.2) -- 10.1.2.0/24

Router at 192.1.1.1:
crypto isakmp policy 1
 authentication pre-share
 hash md5
crypto isakmp key cisco123 address 200.1.1.2
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set trans1
 match address 101
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
interface Ethernet1
 ip address 192.1.1.1 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Router at 200.1.1.2:
crypto isakmp policy 1
 authentication pre-share
 hash md5
crypto isakmp key cisco123 address 192.1.1.1
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 192.1.1.1
 set transform-set trans1
 match address 101
interface Ethernet0
 ip address 10.1.2.1 255.255.255.0
interface Ethernet1
 ip address 200.1.1.2 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Topologies
Standard Site-to-Site IPSec Enabled VPN Solution Design and Engineering Guide
http://www.cisco.com/cpropart/salestools/cc/so/neso/vpn/vpne/s2sdes.htm

GRE over IPSec (Common Configuration Issues)
Apply the crypto map on both the tunnel interfaces and the physical interfaces.
Specify GRE traffic as IPSec interesting traffic:
access-list 101 permit gre host 200.1.1.1 host 150.1.1.1
Static or dynamic routing is needed to send VPN traffic to the GRE tunnel before it gets encrypted.

GRE over IPSec (Avoid Recursive Routing)
To avoid GRE tunnel interface damping due to recursive routing, keep transport and passenger routing information separate:
Use different routing protocols or separate routing protocol identifiers
Keep tunnel IP addresses and actual IP network address ranges distinct
For the tunnel interface IP address, don't use unnumbered to a loopback interface when the loopback's IP address resides in the ISP address space

GRE over IPSec (MTU Issues)
Overhead calculation of GRE over IPSec (assume ESP-DES & ESP-MD5-HMAC):
ESP overhead (with authentication): 31 ~ 38 bytes
GRE header: 24 bytes
IP header: 20 bytes
GRE over IPSec with tunnel mode introduces ~75 bytes overhead; GRE over IPSec with transport mode introduces ~55 bytes overhead.

GRE over IPSec (Packet Layouts)
a. Original Packet: IP Hdr 1 | TCP hdr | Data
b. GRE Encapsulation: IP hdr 2 | GRE hdr | IP Hdr 1 | TCP hdr | Data
c. GRE over IPSec Transport Mode: IP hdr 2 | ESP hdr | GRE hdr | IP Hdr 1 | TCP hdr | Data
d. GRE over IPSec Tunnel Mode: IP hdr 3 | ESP hdr | IP hdr 2 | GRE hdr | IP Hdr 1 | TCP hdr | Data

GRE over IPSec (MTU Issues)
After GRE tunnel encapsulation, the packets will be sent to the physical interface with the DF bit set to 0.
The GRE packets will then be encrypted at the physical interface; if the IPSec overhead causes the final IPSec packets to be bigger than the interface MTU, the router will fragment the packets.
The remote router will need to reassemble the fragmented IPSec packets (process switched), which causes performance degradation.

GRE over IPSec (MTU Issues)
To avoid fragmentation and reassembly of IPSec packets:
Set ip mtu 1420 (GRE/IPSec tunnel mode) or ip mtu 1440 (GRE/IPSec transport mode) under the tunnel interface.
Enable tunnel path-mtu-discovery (DF bit copied after GRE encapsulation) under the tunnel interface.
Use show ip int switching to verify the switching path.
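To make the overhead arithmetic on the MTU slides concrete, here is an added Python example (it is not part of the Cisco deck) that computes the on-the-wire size of a GRE-over-IPSec packet for ESP-DES with ESP-MD5-HMAC in transport and tunnel mode, and searches for the largest tunnel ip mtu that avoids fragmentation on a 1500-byte link. The per-field sizes (8-byte ESP header, 8-byte DES IV, padding to the 8-byte DES block, 2-byte pad-length/next-header trailer, 12-byte HMAC-MD5-96 ICV, 4-byte GRE header without options, 20-byte IP headers without options) are my assumptions from the protocol definitions; the deck states the ESP overhead as 31 ~ 38 bytes and recommends ip mtu 1420 (tunnel) and 1440 (transport).

```python
"""GRE over IPSec size arithmetic for the MTU slides.

Added example, not Cisco's code.  Field sizes are the standard ones for ESP
with DES-CBC and HMAC-MD5-96 and are assumptions (no GRE key/sequence
options, no IP options); the deck quotes the ESP overhead as 31 ~ 38 bytes.
"""

IP_HDR = 20           # IPv4 header without options
GRE_HDR = 4           # basic GRE header (no key, no sequence number)
ESP_HDR = 8           # SPI + sequence number
DES_IV = 8            # explicit IV carried with DES-CBC
DES_BLOCK = 8         # cipher block size that drives ESP padding
ESP_TRAILER = 2       # pad-length + next-header bytes
HMAC_MD5_96_ICV = 12  # truncated authentication tag


def esp_overhead(esp_payload_len):
    """Bytes ESP adds around a payload of the given length.

    Padding makes (payload + trailer) a multiple of the DES block size, so
    the total varies with the payload length: 30..37 bytes with these sizes.
    """
    pad = (-(esp_payload_len + ESP_TRAILER)) % DES_BLOCK
    return ESP_HDR + DES_IV + pad + ESP_TRAILER + HMAC_MD5_96_ICV


def gre_over_ipsec_size(inner_len, mode):
    """On-the-wire size of an inner IP packet after GRE and IPSec.

    GRE encapsulation prepends the GRE header plus a new IP header (the
    slide's "GRE header: 24 bytes").  In transport mode ESP protects what
    follows that new IP header; in tunnel mode ESP wraps the whole GRE
    packet and a third IP header is added in front.
    """
    gre_packet = inner_len + GRE_HDR + IP_HDR
    if mode == "transport":
        esp_payload = gre_packet - IP_HDR
    elif mode == "tunnel":
        esp_payload = gre_packet
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return IP_HDR + esp_payload + esp_overhead(esp_payload)


def fits(inner_len, mode, link_mtu=1500):
    """True if the encrypted packet leaves the physical interface unfragmented."""
    return gre_over_ipsec_size(inner_len, mode) <= link_mtu


def largest_inner_mtu(mode, link_mtu=1500):
    """Largest tunnel 'ip mtu' for which every packet fits in link_mtu.

    The wire size is non-decreasing in inner_len (padding only rounds up),
    so the first size that fits when scanning downward is the maximum.
    The deck's round figures, 1420 (tunnel) and 1440 (transport), sit just
    below the exact values this returns.
    """
    return next(n for n in range(link_mtu, 0, -1) if fits(n, mode, link_mtu))


if __name__ == "__main__":
    for mode, slide_mtu in (("tunnel", 1420), ("transport", 1440)):
        print(f"{mode:9s} exact max ip mtu {largest_inner_mtu(mode)}; "
              f"slide value {slide_mtu} -> {gre_over_ipsec_size(slide_mtu, mode)} bytes on the wire; "
              f"1500-byte inner packet -> {gre_over_ipsec_size(1500, mode)} bytes (fragmented)")
```

Running it shows that the slide's 1420 and 1440 values leave a few bytes of headroom on a 1500-byte link, that a full 1500-byte inner packet is fragmented in either mode, and that the transport-mode figure is not safe for tunnel mode because of the extra IP header.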

GRE IPSec Config
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 172.18.45.1
crypto isakmp key cisco123 address 172.18.45.2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode transport
crypto map vpn 10 ipsec-isakmp
 set peer 172.18.45.1
 set transform-set myset
 match address 101
crypto map vpn 20 ipsec-isakmp
 set peer 172.18.45.2
 set transform-set myset
 match address 102
interface Tunnel0
 ip address 10.4.1.1 255.255.255.0
 tunnel source 172.18.31.1
 tunnel destination 172.18.45.1
 crypto map vpn
interface Tunnel1
 ip address 10.4.2.1 255.255.255.0
 tunnel source 172.18.31.1
 tunnel destination 172.18.45.2
 crypto map vpn
interface Serial0
 ip address 172.18.31.1 255.255.255.0
 crypto map vpn
router eigrp 100
 network 10.0.0.0
ip route 172.18.0.0 255.255.0.0 Serial0
ip access-list extended 101
 permit gre host 172.18.31.1 host 172.18.45.1
ip access-list extended 102
 permit gre host 172.18.31.1 host 172.18.45.2
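As an added example (not the deck's configuration and not Cisco code), the following Python script parses an IOS configuration in the indented form shown above and checks the points from the Common Configuration Issues slide: the crypto map is applied on each tunnel interface and on the physical interface that owns the tunnel source, the crypto map entry for the tunnel's peer selects an ACL that matches GRE between tunnel source and destination, and some routing process or static route exists to steer traffic into the tunnel before encryption. The parse_ios, child and check_gre_over_ipsec functions are my own; SAMPLE_CONFIG is constructed from the GRE IPSec Config slides with one tunnel kept and the pre-shared key replaced by a placeholder.

```python
"""Static checks for the GRE-over-IPSec issues listed on the slides.

Added example, not Cisco code.  parse_ios expects the indented IOS layout;
SAMPLE_CONFIG is constructed from the deck's GRE IPSec Config slides (one
tunnel kept, pre-shared key replaced by a placeholder).
"""

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key PSK_PLACEHOLDER address 172.18.45.1
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode transport
crypto map vpn 10 ipsec-isakmp
 set peer 172.18.45.1
 set transform-set myset
 match address 101
interface Tunnel0
 ip address 10.4.1.1 255.255.255.0
 tunnel source 172.18.31.1
 tunnel destination 172.18.45.1
 crypto map vpn
interface Serial0
 ip address 172.18.31.1 255.255.255.0
 crypto map vpn
router eigrp 100
 network 10.0.0.0
ip route 172.18.0.0 255.255.0.0 Serial0
ip access-list extended 101
 permit gre host 172.18.31.1 host 172.18.45.1
"""


def parse_ios(cfg):
    """Map each top-level line to its indented child lines (empty for one-liners)."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(text)
        else:
            current = text
            blocks[current] = []
    return blocks


def child(blocks, header, prefix):
    """Argument of the first child of `header` that starts with `prefix`, else None."""
    for line in blocks.get(header, []):
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None


def check_gre_over_ipsec(cfg):
    """Return a list of findings; an empty list means the slide's three rules hold."""
    blocks = parse_ios(cfg)
    findings = []
    owner = {}  # configured IP address -> interface that owns it
    for header in blocks:
        if header.startswith("interface "):
            addr = child(blocks, header, "ip address")
            if addr:
                owner[addr.split()[0]] = header
    # rule 3 (coarse): some routing process, or a static route via a tunnel, exists
    has_routing = any(h.startswith("router ") or (h.startswith("ip route ") and "Tunnel" in h)
                      for h in blocks)
    for header in blocks:
        if not header.startswith("interface Tunnel"):
            continue
        src = child(blocks, header, "tunnel source")
        dst = child(blocks, header, "tunnel destination")
        cmap = child(blocks, header, "crypto map")
        if cmap is None:
            findings.append(f"{header}: no crypto map on the tunnel interface")
            continue
        # rule 1: the same crypto map must sit on the physical interface owning the source
        physical = owner.get(src)
        if physical is None or child(blocks, physical, "crypto map") != cmap:
            findings.append(f"{header}: crypto map {cmap} missing on physical interface for source {src}")
        # rule 2: the crypto map entry for this peer must select GRE between the endpoints
        acl = None
        for entry in blocks:
            if entry.startswith(f"crypto map {cmap} ") and child(blocks, entry, "set peer") == dst:
                acl = child(blocks, entry, "match address")
        wanted = f"permit gre host {src} host {dst}"
        if acl is None or wanted not in blocks.get(f"ip access-list extended {acl}", []):
            findings.append(f"{header}: crypto ACL for peer {dst} must contain '{wanted}'")
        if not has_routing:
            findings.append(f"{header}: nothing routes VPN traffic into the tunnel before encryption")
    return findings


if __name__ == "__main__":
    print(check_gre_over_ipsec(SAMPLE_CONFIG) or "no findings")
```

The routing check is deliberately coarse: it only confirms that a routing process or a tunnel-bound static route is configured, not that the passenger prefixes are actually reachable through the tunnel, which needs the routing table rather than the configuration.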

Preventing Traffic Injection
ACL on the physical interface:
interface Serial0/0
 ip access-group Only_ESP in
ip access-list extended Only_ESP
 permit esp host 193.193.193.1 any
 permit udp host 193.193.193.1 eq 500 any
 deny ip any any log-input
Even better, VRF lite!
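The Only_ESP list above is the slide's; the following Python evaluator is an added example (not Cisco code) that applies first-match ACL semantics to a few constructed inbound packets, showing what the physical interface still accepts once the list is in place: ESP and IKE (UDP 500) from the configured peer 193.193.193.1 and nothing else, with the final deny logging the source and input interface. The Packet class, the sample packets and the address 193.193.193.2 standing in for the router's own interface are constructed; the parser understands only the keywords this ACL uses (host, any, eq, log-input).

```python
"""First-match evaluation of the slide's Only_ESP inbound ACL.

Added example, not Cisco code.  The Packet class and the sample packets are
constructed; the parser covers only the keywords this ACL uses.
"""
from dataclasses import dataclass

# the ACL from the slide, one access-control entry per line
ONLY_ESP = [
    "permit esp host 193.193.193.1 any",
    "permit udp host 193.193.193.1 eq 500 any",
    "deny ip any any log-input",
]


@dataclass
class Packet:
    proto: str          # "esp", "udp", "tcp", "gre", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _address(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = tokens[1]
        return (lambda ip, want=want: ip == want), tokens[2:]
    raise ValueError(f"unsupported address spec: {' '.join(tokens)}")


def _port(tokens):
    """Consume an optional 'eq N'; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Turn one ACE into a dict of matchers: action, proto, src/dst, ports, log."""
    action, proto, *rest = line.split()
    src, rest = _address(rest)
    sport, rest = _port(rest)
    dst, rest = _address(rest)
    dport, rest = _port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "log": bool({"log", "log-input"} & set(rest))}


def evaluate(acl, pkt):
    """IOS semantics: the first matching entry wins; the implicit deny at the end logs nothing."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not ace["src"](pkt.src) or not ace["dst"](pkt.dst):
            continue
        if ace["sport"] is not None and ace["sport"] != pkt.sport:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"], ace["log"]
    return "deny", False


# constructed inbound packets; 193.193.193.2 stands in for the router's own address
SAMPLE_PACKETS = {
    "ESP from the peer": Packet("esp", "193.193.193.1", "193.193.193.2"),
    "IKE from the peer": Packet("udp", "193.193.193.1", "193.193.193.2", 500, 500),
    "IKE from an unknown host": Packet("udp", "10.9.9.9", "193.193.193.2", 500, 500),
    "cleartext GRE from the peer": Packet("gre", "193.193.193.1", "193.193.193.2"),
    "telnet from the Internet": Packet("tcp", "198.51.100.7", "193.193.193.2", 40000, 23),
}


def evaluate_samples():
    """Decision (action, logged) for every constructed packet."""
    return {name: evaluate(ONLY_ESP, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, log) in evaluate_samples().items():
        print(f"{name:28s} -> {action}{' (logged with input interface)' if log else ''}")
```

The cleartext GRE case is the one the slide is guarding against: without the list, an unencrypted GRE packet arriving on the outside interface would be handed to the tunnel as if it had come through IPSec; with it, the packet is dropped and logged like any other unexpected traffic.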

VPN Types and Applications

Type               Application                         As Alternative To              Benefits
Remote Access VPN  Remote Dial Connectivity            Dedicated Dial, ISDN           Ubiquitous Access; Lower Cost
Site-to-Site VPN   Site-to-Site Internal Connectivity  Leased Line, Frame Relay, ATM  Extend Connectivity; Increased Bandwidth; Lower Cost
Extranet VPN       Biz-to-Biz External Connectivity    Fax, Mail, EDI                 Facilitates E-Commerce

VPN Requirements Vary By Application
(Diagram: Central Site; Internet/VPN; Extranet Business Partner; Mobile User via POP; Home Telecommuter via DSL or Cable; Site-to-Site Remote Office)

Remote Access VPN
Evolution away from dial
Per-user manageability
Multi-OS (desktop) support
Deployment scalability

Site-to-Site VPN
Extension of classic WAN
Compatibility with diverse network traffic types
Integration with routing
Deployment scalability

Cisco VPN Portfolio: Purpose-Built for Specific VPN Environments

VPN Application                    Large Enterprise                  Medium Enterprise      Small Biz/Branch                  SOHO
Remote Access (Cisco VPN 3000)     VPN 3080, VPN 3060 Concentrators  VPN 3030 Concentrator  VPN 3015, VPN 3005 Concentrators  VPN 3002 Hardware Client (New); VPN 3000 Software Client
Site-to-Site (IOS Routers)         7200, 7100                        7100, 3600             3600, 2600, 1700                  900, 800
Firewall-Based VPN (Pix Firewall)  Pix 535, Pix 525                  Pix 525, Pix 515       Pix 515, Pix 506                  Pix 506

VPN Product Function Matrix

IOS VPN Routers
Site-to-Site VPN: primary role; all-encompassing site-to-site connectivity features; provides routing, QoS, WAN interfaces, multicast and multiprotocol support
Remote Access VPN: basic remote access functionality

PIX Firewalls
Site-to-Site VPN: solution for security organizations that prefer operating firewalls; basic site-to-site functionality; provides full firewall features
Remote Access VPN: solution for security organizations that prefer operating firewalls; provides most remote access features; provides full firewall features

VPN 3000 Concentrators
Site-to-Site VPN: basic site-to-site functionality
Remote Access VPN: primary role; full featured remote access solution

Cisco IOS Software: Enhanced VPN Software Features

Quality of Service
Application-aware packet classification
Congestion management and packet queuing
Traffic shaping and policing

Stateful IOS Firewall
Per application content filtering and Java blocking
Denial of service protection and intrusion detection

Time-based ACLs

VPN Resiliency
Dynamic Route Recovery: using routing protocols through an IPSec secured GRE tunnel
Dynamic Tunnel Recovery: IPSec Keep-Alives

Full Layer 3 Routing and Broad Interface Support
EIGRP, BGP, OSPF, and others
Numerous LAN and WAN interfaces

(Diagram labels: GRE, QoS, BGP, FW, IPSec)

Cisco Site-to-Site VPN Solutions: Scalability for Every Site
(Diagram: Main Office, Regional Office, Remote Office and Small Office/Home Office connected across the Internet)
Cisco 1700 Series: VPN-optimized router connecting remote offices at T1/E1 speeds
Cisco 7100 & 7200 Series: 7100 for dedicated VPN head-end; 7200 for hybrid private WAN + VPN connectivity
Cisco 2600 & 3600 Series: VPN-optimized routers connecting branch and regional offices at nxT1/E1 speeds
Cisco 800 & 900 Series: VPN-optimized routers for ISDN, DSL, and cable connectivity

VPN-Enabled Broadband Routers

                       806         827/804     905
Simultaneous Tunnels   50          50          50
Performance            384 kbps    384 kbps    6 Mbps
Hardware Acceleration  None        None        (built-in)
WAN Interfaces         Ethernet    DSL/ISDN    Cable
LAN Interfaces         4xEthernet  1xEthernet  4xEthernet

VPN-Enabled Routers

                       1710        1720/1750   2611/2621   2651        3620/3640
Simultaneous Tunnels   100         100         300         800         800
Performance (Mbps)     10/12, 14, 10/19 (values as listed on the slide; their column assignment is not legible)
Hardware Acceleration  (built-in)  VPN Module  AIM-VPN/BP  AIM-VPN/EP  NM-VPN/MP
WAN Interfaces         1xEthernet  (varies)    (varies)    (varies)    (varies)
LAN Interfaces         1xFE        1xFE        2xFE        2xFE        (varies)

VPN-Enabled Routers

                       3660        7120        7140        7140        7200
Simultaneous Tunnels   1,300       2,000       2,000       3,000       5,000
Performance (Mbps)     40          50          90          140         145
Hardware Acceleration  AIM-VPN/HP  ISM         ISM         ISM & ISA   SA-VAM
WAN Interfaces         (varies)    (varies)    (varies)    None        (varies)
LAN Interfaces         1xFE        2xFE        2xFE        2xFE        (varies)

2650 Enhanced Performance VPN Module (New!)
AIM-VPN/EP Enhanced Performance Module
Delivers 14 Mbps 3DES performance
The new AIM-VPN/EP is specially designed to take advantage of the 2650 High Performance Router
This VPN module is being offered in addition to our present AIM-VPN/BP (Base Performance Module)
Supported on all 2600 platforms

VPN Acceleration Module (VAM) for 7100/7200 (New!)
Greater than DS3 encryption performance: 145 Mbps 3DES IPSec performance for scalable site-to-site encryption
Allows a large number of VPN tunnels: 5000 simultaneous IPSec sessions
Fast VPN tunnel setup time: hardware acceleration for RSA (tunnel setup & key generation)
Compression for bandwidth conservation: hardware acceleration for IPPCP LZS compression
SA-VAM for 7200
SM-VAM for 7100

VPN Management
VPN Device Manager: embedded web single-device policy manager
VPN Management Solutions: enterprise VPN monitoring & policy manager
Cisco Secure Policy Manager: centralized, intelligent security policy management for firewall and VPN
Telnet/SSH/rlogin/rsh/rcp CLI, tftp, MIBs

Site-to-Site VPN Platform Summary
Comprehensive suite of site-to-site VPN features: supports the most diverse VPN environments
High performance VPN: up to 145 Mbps 3DES/HMAC-SHA1 IPSec; up to 5,000 simultaneous tunnels
Site-specific VPN scalability: DSL, cable, & ISDN VPN routers; Ethernet-to-Ethernet broadband routers
Network management tailored for site-to-site applications

For More Information...
Blog.router-switch.com
News, tutorials, tips, info & thoughts on developments in the Cisco, Cisco network, IT, software & network hardware industry