CCNA Security - Chapter 8-IPsec.pdf

  • Chapter 8: Implementing Virtual Private Networks

    CCNA Security 1.0 Implementing Network Security, Cisco Networking Academy

    Germán Bastidas, Ing., Universidad San Francisco de Quito

  • Overview

  • VPN

  • VPN Overview

    A VPN is a private network that is created via tunneling over a public network, usually the Internet.

    VPNs have many benefits:

    Cost savings
    Security
    Scalability
    Compatibility with broadband technology

  • Types of VPN Networks

    Site-to-site. Devices on both sides of the VPN connection are aware of the VPN configuration in advance. The VPN remains static, and internal hosts have no knowledge that a VPN exists. Frame Relay, ATM, GRE, and MPLS VPNs are examples of site-to-site VPNs. Note that these technologies separate traffic but do not encrypt it; confidentiality on a site-to-site VPN comes from IPsec.

    Remote-access. The VPN is not statically defined; its parameters are negotiated dynamically when a user connects, and the connection can be enabled and disabled on demand.

  • Cisco VPN Client Software

    The Cisco VPN Client software encapsulates and encrypts the host's traffic before sending it over the Internet to the VPN gateway at the edge of the target network.

  • Cisco IOS SSL VPN

    SSL VPNs allow users to access web pages and services, including the ability to access files, send and receive email, and run TCP-based applications, without IPsec VPN client software.

    The primary restriction of SSL VPNs is that they are currently implemented only in software; there is no hardware offload comparable to the IPsec AIM and SPA modules.

  • SSL VPN Modes of Access

    Clientless SSL VPN. A remote client needs only an SSL-enabled web browser to access HTTP- or HTTPS-enabled web servers on the corporate LAN.

    Thin client SSL VPN (port forwarding). A remote client must download a small, Java-based applet for secure access to TCP applications that use static port numbers. UDP is not supported in a thin client environment.

  • VPN Solutions

  • VPN Specialized Hardware

    AIM. A broad range of Cisco routers can be equipped with an Advanced Integration Module (AIM). AIMs are installed inside the router chassis and offload encryption tasks from the router CPU.

    Cisco IPsec VPN Shared Port Adapter (SPA). Delivers scalable and cost-effective VPN performance for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers.

    Cisco IPsec VPN SPA

  • GRE VPN

  • Generic Routing Encapsulation (GRE)

    GRE does not include any strong security mechanisms to protect its payload.

  • GRE Tunnel Header

    The GRE header, together with the outer (tunneling) IP header, adds at least 24 bytes of overhead to each tunneled packet: a 20-byte IPv4 header plus a 4-byte minimal GRE header.

  • Configuring a Site-to-Site GRE Tunnel
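A plain GRE site-to-site tunnel on Cisco IOS, added here as an example; it is not a configuration from the Cisco curriculum slides. The interface name, the documentation-range addresses, the OSPF process and the MTU/MSS values are assumptions. The MTU lines reflect the 24-byte GRE/IP overhead (IOS would otherwise derive a 1476-byte tunnel MTU from a 1500-byte link) and leave extra headroom for the case where the tunnel is later wrapped in IPsec. Nothing here encrypts or authenticates: as the slide says, GRE has no security mechanisms of its own.

```cisco
! Hub side; the branch mirrors this with source/destination and addresses swapped.
interface Tunnel0
 description GRE to branch (cleartext: GRE gives no confidentiality or integrity)
 ip address 172.16.0.1 255.255.255.252
 ! 20-byte outer IPv4 header + 4-byte GRE header = 24 bytes of overhead.
 ! 1400/1360 are assumed values chosen to also absorb an IPsec wrap without fragmentation.
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Bring the tunnel down when the peer stops answering (10 s period, 3 retries).
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
!
! Route the remote LAN over the tunnel. GRE carries the multicast OSPF hellos
! that a plain IPsec crypto map cannot, which is the usual reason to combine the two.
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0
!
! Verify (assumed branch tunnel address 172.16.0.2):
!   show interfaces Tunnel0
!   ping 172.16.0.2
```

Because the payload rides in the clear, anything a passive observer can capture between the two sites (routing updates included) is readable; the GRE tunnel is a routing construct, and the IPsec configuration later in this chapter is what protects it.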

  • When To Use GRE

  • IPSEC VPN COMPONENTS AND OPERATION

  • IPsec

    IETF standard (RFC 2401-2412, since superseded by RFC 4301-4309) that defines how a VPN can be built at the IP layer.

    IPsec is not bound to any specific encryption, authentication, security algorithms, or keying technology.

    IPsec is a framework of open standards that spells out the rules for secure communications.

    IPsec relies on existing algorithms to implement the encryption, authentication, and key exchange.

  • IPsec Framework

  • Confidentiality

  • Integrity

  • Authentication - PSK

  • Authentication - RSA

  • Secure Key Exchange

    The Diffie-Hellman (DH) key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key that only they know, even though they are communicating over an insecure channel.

    The groups covered here are DH groups 1, 2, 5, and 7. DH groups 1, 2, and 5 use exponentiation over a prime modulus of 768 bits, 1024 bits, and 1536 bits, respectively.

    Cisco 3000 clients support DH groups 1, 2, and 5. DES and 3DES encryption support DH groups 1 and 2. AES encryption supports DH groups 2 and 5. The Certicom movianVPN client supports group 7. Group 7 uses Elliptic Curve Cryptography (ECC), which reduces the time needed to generate keys.

    Groups 1, 2, and 5 are now considered too weak for new deployments; current practice is group 14 (2048-bit modulus) or larger, or the elliptic-curve groups 19 and 20.

  • IPsec Framework Protocols

    AH (Authentication Header): IP protocol 51. Provides integrity and origin authentication of the whole packet, but no encryption.

    ESP (Encapsulating Security Payload): IP protocol 50. Provides confidentiality and, optionally, integrity and authentication of the payload.

  • Transport Mode and Tunnel Mode

  • Internet Key Exchange (IKE)

    Protocol used to set up a Security Association (SA)

    An SA is a basic building block of IPsec. Security associations are maintained within a SA database (SADB).

    IKE uses UDP port 500 (and UDP port 4500 when NAT traversal is in use, since ESP itself cannot pass through a NAT device).

    An alternative to using IKE is to manually configure all parameters required to establish a secure IPsec connection.

  • IKE Phase 1 Main Mode

  • IKE Phase 1 Aggressive Mode

  • IKE Phase 2 (Quick Mode)

    The purpose of IKE Phase 2 is to negotiate the IPsec security parameters that will be used to secure the IPsec tunnel.

    IKE Phase 2 performs the following functions:

    Negotiates IPsec security parameters, known as IPsec transform sets

    Establishes IPsec SAs

    Periodically renegotiates IPsec SAs to ensure security

    Optionally performs an additional DH exchange (Perfect Forward Secrecy, PFS), so that the IPsec SA keys are not derived from the Phase 1 keying material

  • IMPLEMENTING SITE-TO-SITE IPSEC VPN WITH CLI

  • IPsec VPN Steps

  • Task to Configure IPsec

    Task 1. Ensure that ACLs configured on the interface are compatible with the IPsec configuration. Interface ACLs commonly restrict what may enter the VPN interface; for example, permit only IKE (UDP 500, and UDP 4500 for NAT traversal), ESP (IP protocol 50) and AH (IP protocol 51) from the peer and block everything else.

    Task 2. Create an ISAKMP policy to determine the ISAKMP parameters that will be used to establish the tunnel.

    Task 3. Define the IPsec transform set. The definition of the transform set defines the parameters that the IPsec tunnel uses. The set can include the encryption and integrity algorithms.

    Task 4. Create a crypto ACL. The crypto ACL defines which traffic is sent through the IPsec tunnel and protected by the IPsec process.

    Task 5. Create and apply a crypto map. The crypto map groups the previously configured parameters together and defines the IPsec peer devices. The crypto map is applied to the outgoing interface of the VPN device.
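The five tasks as one complete Cisco IOS configuration for the local peer, added here as an example; it is not the page's own configuration. The interface, the ACL and map names, the documentation-range addresses, the protected subnets and the placeholder pre-shared key are all assumptions. The remote peer needs the mirror image: its own addresses, the crypto ACL with source and destination reversed, and an identical ISAKMP policy, transform set and key.

```cisco
! Task 1: interface ACL. Only IKE, NAT-T and IPsec from the known peer may enter;
! everything else is dropped and logged. On IOS images older than the
! "crypto access check on clear-text packets" feature the decrypted inner
! traffic is checked against this ACL too and would have to be permitted as well.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
 permit ahp host 203.0.113.2 host 198.51.100.1
 deny ip any any log
!
! Task 2: ISAKMP (IKE Phase 1) policy. Lower number = higher priority.
! Weak-but-common choices to avoid: encryption des, hash md5, group 1/2/5.
! Use hash sha256 instead of sha where the image supports it.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
! Pre-shared key bound to the peer address. CHANGE-ME-strong-psk is a placeholder.
crypto isakmp key CHANGE-ME-strong-psk address 203.0.113.2
!
! Task 3: IPsec transform set (IKE Phase 2 proposal). Tunnel mode is the default.
! esp-sha256-hmac is available on newer images.
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Task 4: crypto ACL. Traffic that matches is encrypted; everything else leaves in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Task 5: crypto map ties peer, transform set and interesting traffic together.
! set pfs forces the optional extra DH exchange in Phase 2.
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES256-SHA
 set pfs group14
 match address VPN-TRAFFIC
!
! Apply the interface ACL and the crypto map to the outside interface.
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map SITE2SITE
```

The crypto ACL is the most common source of silent failures: if the two peers' ACLs are not exact mirrors, one side proposes a proxy identity the other rejects and Phase 2 never completes, while traffic that matches no crypto ACL entry is not dropped but forwarded unencrypted.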

  • Task 1

  • Task 1 - Configuration

  • Task 2. Create an ISAKMP policy

    Use an integer from 1 to 10,000, with 1 being the highest priority and 10,000 the lowest.

  • ISAKMP Parameters

  • Task 2. Configure a PSK

  • Task 3 Configure the Transform Sets

  • Transform Combinations

  • Transform Sets Negotiation Example

  • Transform Sets Configuration Example

  • Task 4 Configure the Crypto ACL

  • Task 5 Create the Crypto Map

  • Crypto Map Command

  • Crypto Map Configuration Mode Commands

  • Task 5 Configuration Example

  • Task 5 Apply the Crypto Map

  • Verify and Troubleshoot IPsec Configuration
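The verification sequence for a site-to-site crypto-map configuration, added here as an example rather than taken from the slides; the addresses are assumed documentation-range values, and the commands are standard IOS show and debug commands.

```cisco
! Generate interesting traffic so IKE negotiation starts. Source the ping
! from the protected LAN, otherwise it will not match the crypto ACL.
ping 10.2.2.1 source 10.1.1.1
!
! Phase 1: an ISAKMP SA in state QM_IDLE means main/aggressive mode completed
! and the peers authenticated each other.
show crypto isakmp sa
!
! Phase 2: one inbound and one outbound ESP SA per crypto ACL entry, each with
! its own SPI; #pkts encaps and #pkts decaps must both increase. Encaps rising
! while decaps stays at zero means the return traffic is not being encrypted
! by the remote peer (typically a non-mirrored crypto ACL or missing route).
show crypto ipsec sa
!
! Confirm what the router actually parsed; both peers need a matching policy
! and transform set.
show crypto isakmp policy
show crypto ipsec transform-set
show crypto map
!
! Negotiation failures: run on both peers, reproduce with the ping, then stop.
! A proposal mismatch is reported in the ISAKMP debug output when the peer's
! attributes are rejected; a PSK mismatch fails after the DH exchange.
debug crypto isakmp
debug crypto ipsec
undebug all
!
! Reset and renegotiate after changing policy, keys or ACLs.
clear crypto isakmp
clear crypto sa
```

Run the debugs only for the duration of a test; on a busy gateway they are expensive and noisy, and the state shown by the two show commands is usually enough to tell a Phase 1 problem (no ISAKMP SA) from a Phase 2 problem (ISAKMP SA present, no IPsec SAs or no decaps).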

  • Configure IPsec with SDM

  • IMPLEMENTING REMOTE-ACCESS VPNS

  • Teleworking Benefits

  • Methods for Deploying Remote-Access VPNs

  • IPsec vs SSL Remote-Access VPNs

  • Establishing an SSL Session

  • Cisco Easy VPN

  • Establishing an IPsec Remote-Access Session

  • Configure a VPN Server with SDM

  • Connect with a VPN Client