Documente Academic
Documente Profesional
Documente Cultură
Chapter Eight
Implementing Virtual Private Networks
Lesson Planning
This lesson should take 3-4 hours to present
The lesson should include lecture,
demonstrations, discussions and assessments
The lesson can be taught in person or using
remote instruction
Major Concepts
Describe the purpose and operation of VPN types
Describe the purpose and operation of GRE VPNs
Describe the components and operations of IPsec VPNs
Configure and verify a site-to-site IPsec VPN with preshared key authentication using CLI
Configure and verify a site-to-site IPsec VPN with preshared key authentication using SDM
Configure and verify a Remote Access VPN
Lesson Objectives
Upon completion of this lesson, the successful participant will
be able to:
1. Describe the purpose and operation of VPNs
2. Differentiate between the various types of VPNs
3. Identify the Cisco VPN product line and the security features of
these products
4. Configure a site-to-site VPN GRE tunnel
5. Describe the IPSec protocol and its basic functions
6. Differentiate between AH and ESP
7. Describe the IKE protocol and modes
8. Describe the five steps of IPSec operation
Lesson Objectives
9. Describe how to prepare IPSec by ensuring that ACLs are
compatible with IPSec
10. Configure IKE policies using the CLI
11. Configure the IPSec transform sets using the CLI
12. Configure the crypto ACLs using the CLI
13. Configure and apply a crypto map using the CLI
14. Describe how to verify and troubleshoot the IPSec configuration
15. Describe how to configure IPSec using SDM
16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in
SDM
17. Configure a site-to-site VPN using the step-by-step VPN Wizard in
SDM
Lesson Objectives
18. Verify, monitor and troubleshoot VPNs using SDM
19. Describe how an increasing number of organizations are
offering telecommuting options to their employees
20. Differentiate between Remote Access IPSec VPN solutions and
SSL VPNs
21. Describe how SSL is used to establish a secure VPN
connection
22. Describe the Cisco Easy VPN feature
23. Configure a VPN Server using SDM
24. Connect a VPN client using the Cisco VPN Client software
What is a VPN?
Business Partner
with a Cisco Router
Mobile Worker
with a Cisco
VPN Client
CSA
VPN
Internet
Firewall
WAN
VPN
Corporate
Network
Layer 3 VPN
IPSec
VPN
Internet
IPSec
Business Partner
with a Cisco Router
Mobile Worker
with a Cisco
VPN Client
CSA
MARS
VPN
Internet
SOHO with a
Cisco DSL Router
Site-to-Site
VPNs
Firewall
VPN
IP
S
WAN
VPN
Iron Port
CSA
CSA
Web
Email
Server Server
CSA
CSA
CSACSA
DNS
Site-to-Site VPN
Hosts send and receive normal
TCP/IP traffic through a VPN gateway
Business Partner
with a Cisco
Router
CSA
MARS
VP
N
SOHO with a
Cisco DSL
Router
Site-to-Site
VPNs
Internet
Firewall
VPN
IP
S
WAN
VPN
Iron
Port
CSA
CSA
Web
Email
Server Server
CSA
CS
CS A CS
A
A
DNS
10
Remote-Access VPNs
Remote-access
VPNs
Mobile Worker
with a Cisco
VPN Client
CSA
MARS
Internet
Firewall
VPN
Iron Port
IPS
CSA
CSA
Web
Server
2009 Cisco Learning Institute.
CSA
Email
Server
CSA
CSA CSA
DNS
11
R1
R1-vpn-cluster.span.com
R1
12
13
Site-to-Site VPN
Secondary role
Primary role
Secondary role
Primary role
Primary role
Secondary role
Cisco VPN
3000 Series Concentrators
Primary role
Secondary role
Home Routers
Primary role
Product Choice
14
Internet
Regional Office
Cisco Router
SOHO
Cisco Router
VPN Features:
Voice and video enabled VPN (V3PN)
IPSec stateful failover
DMVPN
IPSec and Multiprotocol Label Switching
(MPLS) integration
Cisco Easy VPN
15
Remote Site
Internet
Intranet
Extranet
Business-to-Business
Remote User
Flexible platform
Resilient clustering
Integrated web-based
management
16
IPSec Clients
A wireless client that is loaded on a pda
Certicom PDA IPsec
VPN Client
Router with
Firewall and
VPN Client
Small Office
Internet
Cisco VPN
Software Client
Software loaded on a PC
Internet
Provides remote users with secure VPN connections
2009 Cisco Learning Institute.
17
18
19
Encapsulation
Encapsulated with GRE
Original IP Packet
20
Create a tunnel
interface
R1(config)# interface tunnel 0
R1(configif)# ip address 10.1.1.1 255.255.255.252
R1(configif)# tunnel source serial 0/0
R1(configif)# tunnel destination 192.168.5.5
R1(configif)# tunnel mode gre ip
R1(configif)#
Assign
the tunnel an IP address
R2(config)# interface tunnel 0
R2(configif)#
R2(configif)#
R2(configif)#
R2(configif)#
R2(configif)#
21
Using GRE
IP
Only
?
User
Traffic
Yes
No
Use
GRE
Tunnel
No
Unicast
Only?
Yes
Use
IPsec
VPN
22
IPSec Topology
Main Site
Business Partner
with a Cisco Router
IPsec
Perimeter
Router
POP
Legacy
Cisco
PIX
Firewall
Legacy
Concentrator
ASA
Mobile Worker with a
Cisco VPN Client
on a Laptop Computer
Corporate
23
IPSec Framework
Diffie-Hellman
DH7
24
Confidentiality
Least secure
Most secure
Key length:
- 56-bits
Key length:
- 56-bits (3 times)
Diffie-Hellman
Key lengths:
-128-bits
-DH7
192 bits
-256-bits
Key length:
- 160-bits
25
Integrity
Least secure
Most secure
Key length:
- 128-bits
Diffie-Hellman
Key length:
- 160-bits)
DH7
26
Authentication
Diffie-Hellman
DH7
27
At the local device, the authentication key and the identity information (device-specific
Diffie-Hellman
information)
are sent through a hash algorithm to form hash_I. One-way
DH7authentication is
established by sending hash_I to the remote device. If the remote device can independently
create the same hash, the local device is authenticated.
The authentication process continues in the opposite direction. The remote device
combines its identity information with the preshared-based authentication key and sends it
through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local
device can independently create the same hash, the remote device is authenticated.
2009 Cisco Learning Institute.
28
RSA Signatures
At the local device, the authentication key and identity information (device-specific information)
are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local
device's private encryption key creating a digital signature. The digital signature and a digital
certificate are forwarded to the remote device. The public encryption key for decrypting the
signature is included in the digital certificate. The remote device verifies the digital signature
by decrypting it using the public encryption key. The result is hash_I.
Next, the remote device independently creates hash_I from stored information. If the
calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the
remote device authenticates the local device, the authentication process begins in the
opposite direction and all steps are repeated from the remote device to the local device.
2009 Cisco Learning Institute.
29
Diffie-Hellman
DH7
30
R2
R2
31
Authentication Header
1. The IP Header and data payload are hashed
R2
Hash
IP HDR
Authentication Data
(00ABCDEF)
IP HDR
AH
Data
Data
AH
Hash
Recomputed Received
Hash = Hash
(00ABCDEF)
(00ABCDEF)
ESP
Diffie-Hellman
DH7
33
Function of ESP
Internet
Router
Router
IP HDR
Data
New IP HDR
IP HDR
ESP HDR
IP HDR
Data
Data
ESP ESP
Trailer Auth
Encrypted
Authenticated
Provides confidentiality with encryption
Provides integrity with authentication
34
Mode Types
Data
IP HDR
Transport Mode
IP HDR
Encrypted
Data
ESP HDR
ESP ESP
Trailer Auth
Authenticated
Tunnel Mode
New IP HDR
ESP HDR
Encrypted
IP HDR
Data
ESP ESP
Trailer Auth
Authenticated
2009 Cisco Learning Institute.
35
Security Associations
36
IKE Phases
R1
Host A
R2
Host B
10.0.2.3
10.0.1.3
IKE Phase 1 Exchange
1. Negotiate IKE policy sets
Policy 10
DES
MD5
pre-share
DH1
lifetime
Policy 15
DES
MD5
pre-share
DH1
lifetime
2. DH key exchange
2. DH key exchange
37
Host A
R2
Negotiate IKE Proposals
10.0.1.3
Policy 10
DES
MD5
pre-share
DH1
lifetime
Host B
10.0.2.3
Policy 15
DES
MD5
pre-share
DH1
lifetime
Policy 20
3DES
SHA
pre-share
DH1
lifetime
38
Alice
YA
Private value, XB
Public value, YB
YB = g XBmod p
Bob
YB
XA
(YB ) mod p = K
XB
(YA ) mod p = K
39
Authenticate Peer
Corporate Office
Internet
Peer
Authentication
HR
Servers
40
Host A
R2
Host B
10.0.2.3
10.0.1.3
IKE Phase 1 Aggressive Mode Exchange
1.Send IKE policy set
and R1s DH key
Policy 10
DES
MD5
pre-share
DH1
lifetime
3.Calculate shared
secret, verify peer
identify, and confirm
with peer
Policy 15
DES
MD5
pre-share
DH1
lifetime
2.
4.
Authenticate peer
and begin Phase 2.
IKE Phase 2
R1
Host A
10.0.1.3
R2
Negotiate IPsec
Security Parameters
Host B
10.0.2.3
42
R1
R2
10.0.2.3
IKE Phase 1
IKE SA
IKE Phase 2
IPsec SA
43
Configuring IPsec
44
Task 1
Configure Compatible ACLs
Site 1
AH
ESP
IKE
10.0.1.0/24
10.0.1.3
Site 2
10.0.2.0/24
R2
R1
10.0.2.3
Internet
S0/0/0
172.30.1.2
S0/0/0
172.30.2.2
Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP)
traffic are not blocked by incoming ACLs on interfaces used by IPsec.
45
Permitting Traffic
AH
ESP
IKE
Site 1
10.0.1.3
10.0.1.0/2
4
Site 2
10.0.2.0/24
R2
R1
Internet
S0/0/0
172.30.1.2
10.0.2.3
S0/0/0
172.30.2.2
46
Task 2
Configure IKE
10.0.2.0/24
10.0.1.0/24
10.0.1.3
R2
R1
10.0.2.3
Internet
Site 1
Site 2
Policy 110
DES
MD5
Preshare
86400
DH1
Tunnel
router(config)#
crypto isakmp policy priority
Defines the parameters within the IKE policy
R1(config)# crypto
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
2009 Cisco Learning Institute.
ISAKMP Parameters
Parameter
Keyword
Accepted Values
Default
Description
Value
encryption
des
3des
aes
aes 192
aes 256
des
Message encryption
algorithm
hash
sha
md5
sha
Message integrity
(Hash) algorithm
preshared keys
RSA encrypted nonces
RSA signatures
rsa-sig
pre-share
authenticati
rsa-encr
on
rsa-sig
group
1
2
5
lifetime
seconds
86,400 sec
(one day)
Peer authentication
method
Key exchange
parameters (DH
group identifier)
ISAKMP-established
SA lifetime
48
Multiple Policies
10.0.1.0/24
10.0.1.3
10.0.2.0/24
R2
R1
Site 1
R1(config)#
crypto isakmp policy 100
hash md5
authentication pre-share
!
crypto isakmp policy 200
hash sha
authentication rsa-sig
!
crypto isakmp policy 300
hash md5
authentication pre-share
Internet
10.0.2.3
Site 2
R2(config)#
crypto isakmp policy 100
hash md5
authentication pre-share
!
crypto isakmp policy 200
hash sha
authentication rsa-sig
!
crypto isakmp policy 300
hash md5
authentication rsa-sig
49
Policy Negotiations
R1 attempts to establish a VPN tunnel with
R2 and sends its IKE policy parameters
10.0.1.0/24
10.0.1.3
Site 1
10.0.2.0/24
10.0.2.3
Internet
Site 2
Policy 110
Preshare
3DES
SHA
DH2
43200
R1(config)# crypto
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R2
R1
Tunnel
50
Description
This parameter specifies the PSK. Use any combination of alphanumeric characters
up to 128 bytes. This PSK must be identical on both peers.
This parameter specifies the IP address of the remote peer.
This parameter specifies the hostname of the remote peer.
This is the peer hostname concatenated with its domain name (for example,
myhost.domain.com).
51
Sample Configuration
10.0.1.0/24
10.0.2.0/24
Internet
Site 1
R1(config)# crypto
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(config-isakmp)#
R1(config)# crypto
R1(config)#
10.0.2.3
Site 2
Note:
The keystring cisco1234 matches.
The address identity method is
specified.
The ISAKMP policies are compatible.
Default values do not have to be
configured.
2009 Cisco Learning Institute.
R2
R1
10.0.1.3
R2(config)# crypto
R2(configisakmp)#
R2(configisakmp)#
R2(configisakmp)#
R2(configisakmp)#
R2(configisakmp)#
R2(config-isakmp)#
R2(config)# crypto
R2(config)#
52
Task 3
Configure the Transform Set
router(config)#
crypto ipsec transformset transform-set-name
transform1 [transform2] [transform3]]
crypto ipsec transform-set Parameters
Command
transform-set-name
Description
This parameter specifies the name of the transform set
to create (or modify).
53
Transform Sets
Host A
R1
transform-set ALPHA
esp-3des
tunnel
R2
172.30.1.2
Internet
10.0.1.3
Host B
172.30.2.2
10.0.2.3
transform-set RED
esp-des
tunnel
2
3
transform-set BETA
esp-des, esp-md5-hmac
tunnel
transform-set BLUE
esp-des, ah-sha-hmac
tunnel
5
6
7
transform-set CHARLIE
esp-3des, esp-sha-hmac
tunnel
8
9
Match
transform-set YELLOW
esp-3des, esp-sha-hmac
tunnel
54
Sample Configuration
Site 1
10.0.1.3
R1
A
Site 2
R2
172.30.1.2
Internet
172.30.2.2
10.0.2.3
Note:
Peers must share the
same transform set
settings.
55
Task 4
Configure the Crypto ACLs
Host A
R1
Internet
Outbound
Traffic
Encrypt
Bypass (Plaintext)
Inbound
Traffic
Permit
Bypass
Discard (Plaintext)
56
Command Syntax
Site 1
Site 2
10.0.1.0/24
10.0.2.0/24
R2
R1
10.0.1.3
S0/0/0
172.30.1.2
10.0.2.3
Internet
S0/0/0
172.30.2.2
router(config)#
access-list access-list-number [dynamic dynamic-name [timeout minutes]]{deny |
permit} protocol source source-wildcard destination destination-wildcard
[precedence precedence] [tos tos] [log]
Description
This option causes all IP traffic that matches the specified conditions to be protected by
cryptography, using the policy described by the corresponding crypto map entry.
This option instructs the router to route traffic in plaintext.
protocol
This option specifies which traffic to protect by cryptography based on the protocol,
such as TCP, UDP, or ICMP. If the protocol is IP, then all traffic IP traffic that matches
that permit statement is encrypted.
If the ACL statement is a permit statement, these are the networks, subnets, or hosts
between which traffic should be protected. If the ACL statement is a deny statement,
then the traffic between the specified source and destination is sent in plaintext.
57
Site 1
10.0.1.0/24
10.0.1.3
10.0.2.0/24
R2
R1
Internet
S0/0/0
172.30.1.2
10.0.2.3
S0/0/0
172.30.2.2
S0/1
58
Task 5
Apply the Crypto Map
Site 1
Site 2
R2
R1
Internet
10.0.1.3
10.0.2.3
Encrypted Traffic
Router
Interface
or Subinterface
59
Description
map-name
Defines the name assigned to the crypto map set or indicates the name of the crypto
map to edit.
seq-num
ipsec-manual
Indicates that ISAKMP will not be used to establish the IPsec SAs.
ipsec-isakmp
cisco
(Default value) Indicates that CET will be used instead of IPsec for protecting the
traffic.
dynamic
(Optional) Specifies that this crypto map entry references a preexisting static crypto
map. If this keyword is used, none of the crypto map configuration commands are
available.
dynamic-map-name
(Optional) Specifies the name of the dynamic crypto map set that should be used as
the policy template.
60
Description
set
61
Sample Configuration
Site 1
10.0.1.0/24
10.0.1.3
Site 2
R2
R1
Internet
10.0.2.0/24
10.0.2.3
S0/0/0
172.30.2.2
R3
S0/0/0
172.30.3.2
MYMAP 10 ipsec-isakmp
match address 110
set peer 172.30.2.2 default
set peer 172.30.3.2
set pfs group1
set transform-set mine
set security-association lifetime seconds 86400
62
Site 2
10.0.1.0/24
10.0.2.0/24
R2
R1
10.0.1.3
S0/0/0
172.30.1.2
10.0.2.3
Internet
S0/0/0
172.30.2.2
MYMAP
router(config-if)#
63
CLI Commands
Show Command
Description
64
Site 2
10.0.1.0/24
10.0.1.3
10.0.2.0/24
R2
R1
S0/0/0
172.30.1.2
10.0.2.3
Internet
S0/0/0
172.30.2.2
router#
show crypto map
Displays the currently configured crypto maps
R1# show crypto map
Crypto Map MYMAP" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 110
access-list 102 permit ip host 10.0.1.3 host 10.0.2.3
Current peer: 172.30.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ MYSET, }
65
Site 2
10.0.1.0/24
10.0.1.3
router#
10.0.2.0/24
R2
R1
S0/0/0
172.30.1.2
10.0.2.3
Internet
S0/0/0
172.30.2.2
66
Site 2
10.0.1.0/24
10.0.1.3
10.0.2.0/24
R2
R1
S0/0/0
172.30.1.2
10.0.2.3
Internet
S0/0/0
172.30.2.2
67
Site 2
10.0.1.0/24
10.0.1.3
10.0.2.0/24
R2
R1
S0/0/0
172.30.1.2
10.0.2.3
Internet
S0/0/0
172.30.2.2
68
ISAKMP (0:1): atts are not acceptable. Next payload is 0 1d00h: ISAKMP (0:1); no
accepted!
ISAKMP (0:1): SA not acceptable!
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2
69
3. Choose a wizard
4. Click the VPN
implementation subtype
4
VPN implementation
Subtypes. Vary based
On VPN wizard chosen.
5
5. Click the Launch the
Selected Task button
2009 Cisco Learning Institute.
70
VPN Components
VPN Wizards
SSL VPN parameters
Individual IPsec
components used
to build VPNs
VPN Components
71
72
73
Quick Setup
74
Verify Parameters
75
Step-by-Step Wizard
Choose the outside
interface that is used
1 to connect to the
IPSec peer
2 Specify the IP
address of the peer
3
Choose the authentication
method and specify the
credentials
4 Click Next
2009 Cisco Learning Institute.
76
1
Click Add to define a proposal
3 Click Next
77
1
Click Add
Click Next
78
Protecting Traffic
Subnet to Subnet
3
Define the IP address
and subnet mask of the
remote network
79
Protecting Traffic
Custom ACL
80
Add a Rule
2
Click Add
81
2
Define the source hosts or networks in the Source Host/Network pane
and the destination hosts or network in the Destination/Host Network pane
3
82
Configuration Summary
83
84
Monitor
Choose Monitor > VPN Status > IPSec Tunnels
1
Lists all IPsec tunnels, their
parameters, and status.
85
Telecommuting
Flexibility in working
location and working
hours
Employers save on realestate, utility and other
overhead costs
Succeeds if program is
voluntary, subject to
management discretion,
and operationally feasible
86
Telecommuting Benefits
Organizational benefits:
- Continuity of operations
- Increased responsiveness
- Secure, reliable, and manageable access to information
- Cost-effective integration of data, voice, video, and applications
- Increased employee productivity, satisfaction, and retention
Social benefits:
- Increased employment opportunities for marginalized groups
- Less travel and commuter related stress
Environmental benefits:
- Reduced carbon footprints, both for individual workers and
organizations
87
88
IPsec Remote
Access VPN
Any
Application
Anywhere
Access
SSL-Based
VPN
89
IPsec
Applications
Encryption
Moderate
Key lengths from 40 bits to 128 bits
Stronger
Key lengths from 56 bits to 256 bits
Authentication
Moderate
One-way or two-way authentication
Strong
Two-way authentication using shared secrets
or digital certificates
Ease of Use
Very high
Moderate
Can be challenging to nontechnical users
Overall Security
Moderate
Any device can connect
Strong
Only specific devices with specific
configurations can connect
90
SSL VPNs
Integrated security and routing
Browser-based full network SSL VPN access
SSL VPN
Internet
Headquarters
SSL VPN
Tunnel
Workplace
Resources
91
Types of Access
92
93
User using
SSL client
SSL VPN
enabled ISR
router
94
95
96
97
Establish ISAKMP
SA
Accept Proposal1
Username/Password
Challenge
Username/Password
98
99
Click Add
Click OK
100
3
1
2
4
101
Click Next
Click Add
Click Next
Configure the local
group policies
102
Summary of Configuration
Parameters
103
R1
R1
R1-vpn-cluster.span.com
R1-vpn-cluster.span.com
104
Establishing a Connection
R1-vpn-cluster.span.com
Once
authenticated,
status changes to
connected.
R1
R1-vpn-cluster.span.com
R1
105
106