Figure: Cisco VPN router positioning. Remote-access clients (telecommuter, mobile user) reach the central site over the Internet through DSL, cable or an ISP POP; remote offices, extranet partners and consumer-to-business sites connect over the same Internet. Recommended platforms by site: small office/home office 800/900 Series (Cisco 800); remote office 1700/2600 Series (Cisco 1700, 1760, 2600XM/2691); regional office 3600/3700 Series (Cisco 3600, 3725, 3745); main office 7100/7200/7400 Series (Cisco 7120, 7140, 7204/225, 7200/400, 7400); large enterprise Catalyst 6500.
2003, Cisco Systems, Inc. All rights reserved. SECUR 1.09-10
Small to Mid-Size Cisco VPN Routers
Performance (Mbps): 0.384, 6, 4, 12, 15, 10, 18, 40

Large Enterprise Cisco VPN Routers
Platform               7120   7140   7140   7200   7400   7200   Cat 6500
Performance (Mbps)     50     85     145    90     120    145    1.9G
Hardware encryption    ISM    ISM    VAM    ISA    VAM    VAM    Yes
Figure: IPSec VPN topology. The main site, with an IPSec perimeter router, a VPN Concentrator and a PIX Firewall, reaches the Internet through a POP. Connected to it: a business partner with a Cisco router, a regional office with a PIX Firewall, a mobile worker with the Cisco VPN Client on a laptop computer, and a SOHO with a Cisco ISDN/DSL router to the corporate network.
IPSec security services:
Confidentiality
Data integrity
Origin authentication
Anti-replay protection
Figure: Encryption across the Internet. Terry's clear-text cheque "Pay to Terry Smith $100.00 / One Hundred and xx/100 Dollars" crosses the Internet as ciphertext (4ehIDx67NMop9eR U78IOPotVBn45TR); an eavesdropper "cannot" read it, and Alex decrypts it back to the clear text.
Figure: Diffie-Hellman key agreement. Terry combines public key B with private key A; Alex combines public key A with private key B. Both arrive at the same shared secret key (key BA = key AB) although only the public keys crossed the Internet.
Figure: Peer A and Peer B each hold a local key and a remote key (a public key / private key pair, shown as KJklzeAidJfdlwiej47 / DlItfd578MNSbXoE) and exchange the ciphertext 4ehIDx67NMop9eR U78IOPotVBn45TR.
Encryption algorithms: DES, 3DES, AES, RSA
DES uses 56-bit keys (the show crypto isakmp policy output later in this module says so explicitly) and is no longer considered secure; prefer 3DES or AES where the platform supports them.
Figure: Origin authentication ("Yes, I am Alex Jones") and data integrity across the Internet. The hash computed over the received data (4ehIDx67NMop9) is compared with the received hash: match = no changes; no match (e.g. 12ehqPx67NMoX) = alterations.
Figure: HMAC. Local side: the shared secret key and the variable-length input message ("Pay to Terry Smith $100.00 / One Hundred and xx/100 Dollars") are fed to the hash function (step 1); the resulting hash (4ehIDx67NMop9) is sent along with the message. Remote side: the same shared secret key and the received message are fed to the hash function; if the computed hash equals the received hash (4ehIDx67NMop9 = 4ehIDx67NMop9) the message is authentic and unaltered.
HMAC algorithms: HMAC-MD5, HMAC-SHA-1
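The two figures above, as an added example that is not part of the deck: Terry and Alex agree on a key with Diffie-Hellman, then Alex verifies an HMAC-SHA-1 over the cheque. Python standard library only. Group 1 is the 768-bit Oakley group named "DH1" in the IKE policy slides; it is far too small for real use today and appears here only because the deck uses it. Reducing the agreed secret to an HMAC key with SHA-1 is an illustrative shortcut, not IKE's SKEYID derivation.

```python
import hashlib
import hmac
import secrets

# 768-bit MODP prime of Oakley group 1 (RFC 2409), the "DH1" group of the IKE policies in this deck.
# Too small by current standards; used here only because the deck uses it.
DH1_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
DH1_GENERATOR = 2


def dh_keypair(p=DH1_PRIME, g=DH1_GENERATOR):
    """Return (private exponent, public value g^x mod p). Only the public value crosses the Internet."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared_secret(my_private, peer_public, p=DH1_PRIME):
    """peer_public^my_private mod p; identical on both sides because (g^a)^b == (g^b)^a."""
    return pow(peer_public, my_private, p)


def hmac_key_from_secret(shared_secret):
    """Reduce the agreed number to a fixed-length key (illustrative shortcut, not IKE's SKEYID PRF chain)."""
    width = (shared_secret.bit_length() + 7) // 8
    return hashlib.sha1(shared_secret.to_bytes(width, "big")).digest()


def hmac_sha1(key, message):
    """HMAC-SHA-1 over the message: the authenticating hash the sender attaches."""
    return hmac.new(key, message, hashlib.sha1).hexdigest()


def hmac_verify(key, message, received_hash):
    """Receiver recomputes the HMAC over the received message and compares in constant time."""
    return hmac.compare_digest(hmac_sha1(key, message), received_hash)


def demo():
    """Terry (A) and Alex (B) agree on a key; Alex then checks a cheque Terry sent."""
    a_priv, a_pub = dh_keypair()                                     # Terry: private key A, public key A
    b_priv, b_pub = dh_keypair()                                     # Alex:  private key B, public key B
    key_ab = hmac_key_from_secret(dh_shared_secret(a_priv, b_pub))  # Terry: public key B + private key A
    key_ba = hmac_key_from_secret(dh_shared_secret(b_priv, a_pub))  # Alex:  public key A + private key B
    cheque = b"Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars"  # constructed message
    tag = hmac_sha1(key_ab, cheque)                                  # sent with the cheque
    return {
        "keys_agree": key_ab == key_ba,
        "genuine": hmac_verify(key_ba, cheque, tag),
        "altered": hmac_verify(key_ba, cheque.replace(b"$100.00", b"$1000.00"), tag),
    }
```

An attacker who changes the amount in transit cannot produce a matching tag without the shared key, which is why the altered cheque fails verification while the genuine one passes.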
Figure: RSA signature. The sender runs the data through the hash algorithm and encrypts the hash with its private key; the receiver decrypts it with the sender's public key and compares the result with the hash it computes itself.
Figure: Peer authentication between a remote office and the corporate office (HR servers) across the Internet with pre-shared keys. Each peer computes an authenticating hash (Hash_L) over the shared key and identity information and sends it; the remote peer's computed hash (Hash) must equal the received hash (Hash_L).
RSA Signatures
Figure: RSA signature authentication. Local: the authentication key and ID information are hashed (Hash_I, step 1); the hash is encrypted with the local private key to form the digital signature (step 2), which is sent across the Internet together with the digital certificate. Remote: the signature is decrypted with the public key taken from the certificate, recovering Hash_I, and compared with the hash the remote peer computes over the same authentication key and ID information; the computed hash must equal the received hash (Hash_I).
Figure: AH. Router A sends all data in clear text to Router B; the received hash (00ABCDEF) must equal the re-computed hash (00ABCDEF).
Figure: ESP. Router A to Router B across the Internet; the data payload is encrypted.
Figure: Router to Router across the Internet; the original packet is IP HDR | Data.

ESP transport mode:
  | IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth |
                     |<--- Encrypted ---->|
           |<------ Authenticated ------->|

ESP tunnel mode:
  | New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth |
                         |<-------- Encrypted -------->|
               |<----------- Authenticated ----------->|
Figure: Tunnel mode between a remote office and the corporate HR servers across the Internet.
IPSec framework choices: encryption DES, 3DES or AES.
Figure: Host A (10.0.1.3) behind Router A and Host B (10.0.2.3) behind Router B. For each outbound packet the policy decides whether to apply IPSec or to bypass IPSec and send it in cleartext.
Figure: IKE Phase 1 between Router A (for Host A, 10.0.1.3) and Router B (for Host B, 10.0.2.3): main mode exchange, including the DH exchange on both sides.
Figure: IKE policy sets between Router A and Router B. Router A offers transform 10 (DES, MD5, pre-share, DH1, lifetime); Router B has transform 15 (DES, MD5, pre-share, DH1, lifetime); a further transform 20 (3DES, SHA, pre-share, DH1, lifetime) is also configured.
Figure: Router A and Router B (Host A and Host B behind them) agree on transform set 40: ESP, DES, MD5, tunnel mode, lifetime.
A transform set is a combination of algorithms and protocols that enact a security policy for traffic.
Figure: Security association database (SA Db) and security policy database on a router, with two example SAs:

Destination IP address   SPI     Protocol / Encryption / Authentication   Mode     Key lifetime
192.168.2.1              SPI12   ESP / 3DES / SHA                          tunnel   28800
192.168.12.1             SPI39   ESP / DES / MD5                           tunnel   28800

Each SA is identified by destination IP address, SPI and protocol (ESP or AH), and records the encryption algorithm, authentication algorithm, mode and key lifetime. Lifetimes are data-based or time-based.
Figure: IPSec session (IPSec tunnel) between Host A and Host B through Router A and Router B. A tunnel is terminated by an SA lifetime timeout or when the packet counter is exceeded; either removes the IPSec SA.
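An added example, not from the deck, covering the ESP packet layouts, the anti-replay service and the SA-lifetime rule above in one Python model. It builds ESP packets in tunnel and transport mode with the SPI/sequence-number header and the trailer layout shown earlier, uses ESP-NULL (RFC 2410) in place of DES/3DES/AES so the framing stays readable, authenticates with HMAC-SHA-1-96 (what esp-sha-hmac does), enforces an anti-replay window on receipt, and retires the SA on a data-based or time-based lifetime. Addresses, SPI and lifetimes are taken from the deck (172.30.1.2/172.30.2.2, 10.0.1.3/10.0.2.3, SPI 12, 4608000 KB/3600 s); the authentication key and the cheque payload are constructed.

```python
import hashlib
import hmac
import socket
import struct
import time

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50  # next-header values used below

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a zero checksum (constructed for illustration, not for sending)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def icv(auth_key, data):
    """ESP Auth field: HMAC-SHA-1-96, the full HMAC-SHA-1 truncated to 96 bits (RFC 2404)."""
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:12]

def new_sa(spi, local, peer, auth_key, lifetime_kb, lifetime_sec, created=None):
    """One direction of an ESP SA with the fields the SA database keeps, plus anti-replay state."""
    return {"spi": spi, "local": local, "peer": peer, "auth_key": auth_key, "seq": 0,
            "highest": 0, "window": 0, "bytes": 0, "lifetime_kb": lifetime_kb,
            "lifetime_sec": lifetime_sec, "created": time.time() if created is None else created}

def sa_expired(sa, now):
    """Data-based or time-based lifetime reached: the SA is removed and must be renegotiated."""
    return sa["bytes"] >= sa["lifetime_kb"] * 1024 or now - sa["created"] >= sa["lifetime_sec"]

def esp_encapsulate(sa, packet, mode):
    """Tunnel mode protects the whole IP packet behind a new outer header; transport mode keeps the
    original header (protocol changed to 50) and protects only its payload."""
    if mode == "tunnel":
        payload, next_header = packet, IPPROTO_IPIP
        src, dst = sa["local"], sa["peer"]
    else:
        ihl = (packet[0] & 0x0F) * 4
        payload, next_header = packet[ihl:], packet[9]
        src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    sa["seq"] += 1
    esp_header = struct.pack("!II", sa["spi"], sa["seq"])     # SPI, sequence number
    pad_len = (-(len(payload) + 2)) % 4                        # trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_header)
    # ESP-NULL (RFC 2410): the region a DES/3DES/AES SA would encrypt (payload + trailer) is carried
    # unchanged here so the framing stays visible; the ICV covers ESP header through trailer.
    authenticated = esp_header + payload + trailer
    esp = authenticated + icv(sa["auth_key"], authenticated)
    sa["bytes"] += len(esp)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def replay_ok(sa, seq, window=64):
    """Anti-replay sliding window (RFC 2401): reject sequence numbers already seen or older than the window."""
    if seq == 0:
        return False
    if seq > sa["highest"]:                                    # advance the window
        shift = seq - sa["highest"]
        sa["window"] = ((sa["window"] << shift) | 1) & ((1 << window) - 1)
        sa["highest"] = seq
        return True
    back = sa["highest"] - seq
    if back >= window or (sa["window"] >> back) & 1:
        return False
    sa["window"] |= 1 << back
    return True

def esp_decapsulate(sa, packet):
    """Returns (next_header, protected bytes), or a string saying why the packet was dropped."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ESP:
        return "not ESP"
    esp = packet[ihl:]
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != sa["spi"]:
        return "no SA for SPI %d" % spi
    body, received = esp[:-12], esp[-12:]
    if not hmac.compare_digest(icv(sa["auth_key"], body), received):
        return "ICV mismatch: altered in transit"              # checked before touching replay state
    if not replay_ok(sa, seq):
        return "replayed sequence number %d" % seq
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    return next_header, body[8:len(body) - 2 - pad_len]

def demo():
    """Router A (172.30.1.2) protects Host A -> Host B traffic toward Router B (172.30.2.2)."""
    key = b"\x0b" * 20                                          # constructed SA authentication key
    sender = new_sa(12, "172.30.1.2", "172.30.2.2", key, 4608000, 3600)
    receiver = new_sa(12, "172.30.2.2", "172.30.1.2", key, 4608000, 3600)
    inner = ipv4_header("10.0.1.3", "10.0.2.3", IPPROTO_TCP, 26) + b"Pay to Terry Smith $100.00"
    tunnel = esp_encapsulate(sender, inner, "tunnel")
    transport = esp_encapsulate(sender, inner, "transport")
    tampered = bytearray(tunnel)
    tampered[-30] ^= 0x01                                       # flip one bit inside the protected payload
    return {"inner": inner,
            "tunnel_outer_dst": socket.inet_ntoa(tunnel[16:20]),        # 172.30.2.2: inner addresses hidden
            "transport_outer_dst": socket.inet_ntoa(transport[16:20]),  # 10.0.2.3: original header kept
            "tunnel": esp_decapsulate(receiver, tunnel),
            "transport": esp_decapsulate(receiver, transport),
            "replay": esp_decapsulate(receiver, tunnel),                # same packet delivered twice
            "tampered": esp_decapsulate(receiver, bytes(tampered))}
```

Two design points carry over to real implementations: the ICV is verified before the replay window is updated, so a forged packet cannot poison the window, and the outer header in tunnel mode carries only the router addresses, which is what hides the 10.x hosts from the Internet.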
Configuring IPSec Encryption
Figure: IPSec peers (a Cisco router, other vendors' devices) and a CA server.
router#
show crypto map
View any configured crypto maps.
RouterA# show crypto map
Crypto Map "mymap" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 102
access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
Current peer: 172.30.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ mine, }
router#
show crypto ipsec transform-set
View any configured transform sets.
Figure: Cisco RouterA (172.30.1.2) and Cisco RouterB (172.30.2.2) as IPSec peers, alongside other vendors' devices and a CA server.
Protocols that must be allowed through: IKE, AH, ESP.
Figure: Site 1 (host A 10.0.1.3 behind RouterA, E0/1 172.30.1.2) and Site 2 (host B 10.0.2.3 behind RouterB, E0/1 172.30.2.2) connected across the Internet.
Ensure that IP protocols 50 (ESP) and 51 (AH), and UDP port 500 (IKE) traffic are not blocked at interfaces used by IPSec; check any inbound access lists applied to those interfaces. (Where NAT traversal is in use, IKE and ESP also use UDP port 4500.)
router(config)#
[no] crypto isakmp enable
router(config)#
crypto isakmp policy priority
Defines an IKE policy, which is a set of parameters used during IKE negotiation, and invokes the config-isakmp command mode. A lower priority number is tried first. The example defines the parameters within IKE policy 110:
RouterA(config)# crypto isakmp policy 110
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# encryption des
RouterA(config-isakmp)# group 1
RouterA(config-isakmp)# hash md5
RouterA(config-isakmp)# lifetime 86400
IKE Policy Negotiation
RouterA(config)#                      RouterB(config)#
crypto isakmp policy 100              crypto isakmp policy 100
 hash md5                              hash md5
 authentication pre-share              authentication pre-share
crypto isakmp policy 200              crypto isakmp policy 200
 authentication rsa-sig                authentication rsa-sig
 hash sha                              hash sha
crypto isakmp policy 300              crypto isakmp policy 300
 authentication pre-share              authentication rsa-sig
 hash md5                              hash md5
Policies 100 and 200 match on both routers; policy 300 does not (pre-share on RouterA against rsa-sig on RouterB). Parameters not set explicitly take the defaults shown in the default protection suite (DES, DH group 1, 86400-second lifetime), so they match as well.
router(config)#
crypto isakmp identity {address | hostname}
Defines whether the ISAKMP identity sent to peers is the IP address or the hostname. Use the same setting consistently across ISAKMP peers.
router(config)#
crypto isakmp key keystring {address peer-address | hostname hostname}
Configures the pre-shared key for a peer, identified by its IP address or by its hostname to match the identity type in use.
RouterA                                            RouterB
transform-set 10: esp-3des, tunnel                 transform-set 40: esp-des, tunnel
transform-set 20: esp-des, esp-md5-hmac, tunnel    transform-set 50: esp-des, ah-sha-hmac, tunnel
transform-set 30: esp-3des, esp-sha-hmac, tunnel   transform-set 60: esp-3des, esp-sha-hmac, tunnel   <- match
Transform sets 30 and 60 are identical in transforms and mode and are the ones used for the IPSec SA; the others differ in at least one transform and never match.
Crypto ACLs select the traffic to protect. Outbound: traffic permitted by the crypto ACL is encrypted; other traffic is bypassed (sent in clear text). Inbound: IPSec-protected traffic matching the crypto ACL is permitted; other traffic is bypassed (clear text). A deny entry in a crypto ACL does not drop traffic, it only excludes it from IPSec; clear-text inbound packets that the crypto ACL says should have been protected are dropped.
router(config)#
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
RouterA(config)#
access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
RouterB(config)#
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
You must configure mirror image ACLs: RouterB's entry is RouterA's with source and destination swapped.
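Added illustration, not deck code: a small Python model of the three matching rules in the slides above (IKE policy negotiation from the policy 100/200/300 slide, transform-set selection from the transform-set 10-60 slide, and mirror-image crypto ACLs with the outbound encrypt/bypass decision). The matching rules follow documented IOS behaviour; the policies, transform sets and ACL entries are the deck's, and IKE parameters the slide left unset are filled with the defaults from the deck's show crypto isakmp policy output.

```python
import ipaddress

# IKE policies of the two routers as on the slide; unset parameters take the IOS defaults shown in the
# deck's "Default protection suite": DES, DH group 1, 86400-second lifetime.
ROUTER_A_IKE = {
    100: {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": 1, "lifetime": 86400},
    200: {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": 1, "lifetime": 86400},
    300: {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": 1, "lifetime": 86400},
}
ROUTER_B_IKE = {
    100: {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": 1, "lifetime": 86400},
    200: {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": 1, "lifetime": 86400},
    300: {"encryption": "des", "hash": "md5", "authentication": "rsa-sig", "group": 1, "lifetime": 86400},
}

# Transform sets from the slide, as (transforms..., mode).
ROUTER_A_TS = {10: ("esp-3des", "tunnel"),
               20: ("esp-des", "esp-md5-hmac", "tunnel"),
               30: ("esp-3des", "esp-sha-hmac", "tunnel")}
ROUTER_B_TS = {40: ("esp-des", "tunnel"),
               50: ("esp-des", "ah-sha-hmac", "tunnel"),
               60: ("esp-3des", "esp-sha-hmac", "tunnel")}


def ike_policy_match(initiator, responder):
    """Phase 1: the responder walks its own policies by priority (lowest number first) and accepts the
    first one that matches an offered policy on encryption, hash, authentication and DH group; the
    offered lifetime must be <= the responder's (the shorter lifetime is used).
    Returns (initiator_priority, responder_priority) or None."""
    for r_prio in sorted(responder):
        mine = responder[r_prio]
        for i_prio in sorted(initiator):
            offer = initiator[i_prio]
            if all(offer[k] == mine[k] for k in ("encryption", "hash", "authentication", "group")) \
                    and offer["lifetime"] <= mine["lifetime"]:
                return i_prio, r_prio
    return None


def transform_set_match(local, remote):
    """Phase 2: first local transform set whose transforms and mode are identical to a remote one."""
    for l_name, l_set in local.items():
        for r_name, r_set in remote.items():
            if set(l_set) == set(r_set):
                return l_name, r_name
    return None


def wildcard_to_network(address, wildcard):
    """IOS wildcard mask (0 bits must match) to a network; only contiguous wildcards are handled."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network("%s/%s" % (address, mask), strict=False)


def parse_ace(entry):
    """'permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255' -> (action, protocol, src_net, dst_net)."""
    action, protocol, src, src_wc, dst, dst_wc = entry.split()
    return action, protocol, wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)


def outbound_decision(crypto_acl, protocol, src, dst):
    """Crypto ACL as outbound policy: 'encrypt' on a permit match, otherwise 'bypass' (clear text).
    A deny in a crypto ACL excludes traffic from IPSec; it does not drop it."""
    for action, proto, src_net, dst_net in map(parse_ace, crypto_acl):
        if proto in (protocol, "ip") and ipaddress.IPv4Address(src) in src_net \
                and ipaddress.IPv4Address(dst) in dst_net:
            return "encrypt" if action == "permit" else "bypass"
    return "bypass"


def is_mirror_image(acl_a, acl_b):
    """Both peers must describe the same traffic: every entry of A appears in B with source and
    destination swapped, and nothing else."""
    swapped_a = {(act, proto, str(dst), str(src)) for act, proto, src, dst in map(parse_ace, acl_a)}
    return swapped_a == {(act, proto, str(src), str(dst)) for act, proto, src, dst in map(parse_ace, acl_b)}
```

Running the deck's own values through it gives policy 100 on both sides, transform sets 30 and 60, and an "encrypt" decision for TCP from 10.0.1.3 to 10.0.2.3 but "bypass" for the same hosts over UDP or for traffic to the peer router itself.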
Step 4: Create Crypto Maps
router(config)#
crypto map map-name seq-num {ipsec-manual | ipsec-isakmp}
Creates a crypto map entry and enters crypto map configuration mode. An ipsec-isakmp entry obtains its SAs from IKE; an ipsec-manual entry uses statically configured keys and SPIs.
Figure: Host A (10.0.1.3) behind RouterA, Host B (10.0.2.3) behind RouterB (172.30.2.2), and RouterC (172.30.3.2), all reached across the Internet.
RouterA(config)# crypto map mymap 110 ipsec-isakmp
RouterA(config-crypto-map)# match address 110
RouterA(config-crypto-map)# set peer 172.30.2.2
RouterA(config-crypto-map)# set peer 172.30.3.2
RouterA(config-crypto-map)# set pfs group1
RouterA(config-crypto-map)# set transform-set mine
RouterA(config-crypto-map)# set security-association lifetime seconds 86400
Multiple peers can be specified for redundancy; the router tries them in order. set pfs makes IKE run a fresh DH exchange for each IPSec SA so that compromise of one key does not expose earlier sessions.
Figure: crypto map mymap applied on RouterA's E0/1 (172.30.1.2), the interface facing the Internet toward RouterB's E0/1 (172.30.2.2); hosts A (10.0.1.3) and B (10.0.2.3) sit behind the routers.
router(config-if)#
crypto map map-name
RouterA(config)# interface ethernet0/1
RouterA(config-if)# crypto map mymap
Apply the crypto map to outgoing interface
Activates the IPSec policy
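The configuration steps above collected into one pair of router configurations, as an added example that is not from the deck. Values are the deck's own where it gives them (IKE policy 110 with pre-shared keys, crypto ACLs 110 and 101, crypto map mymap, peers 172.30.1.2 and 172.30.2.2, ethernet0/1). The pre-shared key value cisco1234, the crypto ipsec transform-set command line, the choice of esp-3des esp-sha-hmac for the transform set named mine, and the address form of crypto isakmp key (which matches the default identity type address) are assumptions.

```ios
! RouterA (Site 1). Assumed: key value, transform-set contents.
crypto isakmp enable
!
crypto isakmp policy 110
 authentication pre-share
 encryption des
 group 1
 hash md5
 lifetime 86400
!
crypto isakmp identity address
crypto isakmp key cisco1234 address 172.30.2.2
!
crypto ipsec transform-set mine esp-3des esp-sha-hmac
 mode tunnel
!
! Crypto ACL: only TCP between the two LANs is protected
access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
crypto map mymap 110 ipsec-isakmp
 match address 110
 set peer 172.30.2.2
 set transform-set mine
 set security-association lifetime seconds 3600
!
interface ethernet0/1
 crypto map mymap

! RouterB (Site 2): mirror image of RouterA
crypto isakmp enable
!
crypto isakmp policy 110
 authentication pre-share
 encryption des
 group 1
 hash md5
 lifetime 86400
!
crypto isakmp identity address
crypto isakmp key cisco1234 address 172.30.1.2
!
crypto ipsec transform-set mine esp-3des esp-sha-hmac
 mode tunnel
!
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
!
crypto map mymap 110 ipsec-isakmp
 match address 101
 set peer 172.30.1.2
 set transform-set mine
 set security-association lifetime seconds 3600
!
interface ethernet0/1
 crypto map mymap
```

Verify with show crypto isakmp policy, show crypto ipsec transform-set and show crypto map on both routers, and confirm that no interface access list blocks IP protocol 50 or UDP 500 on ethernet0/1. The IKE policy keeps the deck's DES, MD5 and group 1 choices so that it matches the earlier slides; a current deployment should pick the stronger options the deck also lists (3DES or AES, SHA) wherever the platform supports them.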
router#
show crypto isakmp policy
RouterA# show crypto isakmp policy
Protection suite of priority 110
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Encryption
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
router#
show crypto ipsec transform-set
router#
show crypto map
View the currently configured crypto maps.
router#
debug crypto ipsec
router#
debug crypto isakmp
Debug output for IPSec and ISAKMP negotiation; both are verbose, so enable them only while troubleshooting and turn them off afterwards.
router(config-crypto-map)#
set security-association {inbound | outbound} ah spi hex-key-string
For ipsec-manual crypto map entries: sets the SPI and key of the inbound or outbound AH security association by hand (an esp form of the same command sets manual ESP keys).
Lab topology: backbone network 172.26.26.0 with RBB at .50 and .150, serving pods 1-5 and pods 6-10, with RBB at .1 on each pod's outside network. Per pod P (and Q): outside network 172.30.P.0 (172.30.Q.0) with the pod ROUTER at .2; inside network 10.0.P.0 (10.0.Q.0) with the ROUTER at .2, hosts at .100 and .10 (RTS, WEB/FTP, CSACS), and the STUDENT PC (LOCAL 10.0.P.12 / 10.0.Q.12, REMOTE 10.1.P.12 / 10.1.Q.12).