LIP06 - Configuring Site-To-Site IPsec VPNs With the IOS CLI


8/17/2019 LIP06 - Configuring Site-To-Site IPsec VPNs With the IOS CLI

LIP06 - Configuring Site-to-Site IPsec VPNs with the IOS CLI

V 1.0


Learning Objectives

1. Configure EIGRP on the routers
2. Understand the main terms used in an IPsec tunnel
3. Understand Phase I and Phase II in the operation of an IPsec tunnel
4. Create a site-to-site IPsec VPN using IOS
5. See the encryption of IP traffic in data communication


    IPSec Internet Protocol Securit( VPN %irtual Pri*ate et+or, I!" Internet -e( Echange S# Securit( /ssociation IS#!$P Internet Securit( /ssociation and -e( 0anagement Protocol

    %"S ata Encr(!tion Standard &%"S Tri!le ata Encr(!tion Standard #"S /d*anced Encr(!tion Standard S"#L So"t+are $ !timied Encr(!tion /lgorithm 'C( Ri*est Ci!hers # 'S# Ri*est Shamir and /dleman %) i)e$4ellman

    %S# igital Signature /lgorithm "CC Elli!tic Cur*e Cr(!togra!h( S)#-1 Secure 4ash /lgorithm $ 1 $%-* 0essage igest ' "SP Enca!sulating Securit( Pa(load #) /uthentication 4eader

    )$#C 4ash$5ased 0essage /uthentication Code

    #C'ON+$O,S


INTERNET KEY EXCHANGE



AAA Services Overview

Authentication: Authentication is used to ensure that users are who they say they are, and it helps secure the device that is being protected.

• Pre-Shared Key
• Rivest-Shamir-Adleman Encryption
• Rivest-Shamir-Adleman Signature

Authorization: As stated earlier, you can use authorization to define what commands can be used (in the case of TACACS+) or, for other methods, what types of access are defined.

Accounting: Now we get to the third A of AAA, which is accounting. Accounting allows you to provide audit trails of what is done on the network and also to bill for the usage of services.


Encryption Overview

In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it.

With symmetric encryption you use the same key to encrypt and decrypt. With asymmetric encryption you use a key pair. The keys are different: one key is public and the other is private.

Symmetric encryption is faster, but asymmetric encryption is better for communication between parties who are not known to each other, because there is no need to share a secret key with an unknown person.

Symmetric Encryption

• DES
• 3DES
• AES
• SEAL
• Rivest Cipher

Asymmetric Encryption

• RSA
• DH
• DSA
• ECC
• ElGamal


Diffie-Hellman algorithm simplified:
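The slide's figure did not survive extraction, so here is an added worked example of the exchange it names (it is not code from the original deck). It uses a constructed toy group (p = 23, g = 5) so every step can be checked by hand; IKE phase 1 runs the same arithmetic over multi-kilobit MODP groups, which is exactly what the brute-force helper at the end is there to show: with a tiny prime an eavesdropper who sees only the public values can recover the private exponent by trial, which is why real deployments use large groups.

```python
"""Toy Diffie-Hellman exchange, the key agreement IKE phase 1 uses for keying material."""
import secrets

# Constructed toy parameters; IKE uses multi-kilobit MODP groups (e.g. DH group 14).
TOY_P = 23   # small prime modulus
TOY_G = 5    # generator of the multiplicative group mod 23


def dh_public(p, g, private):
    """Public value g^private mod p, the only thing each side sends over the wire."""
    return pow(g, private, p)


def dh_shared(p, peer_public, private):
    """Shared secret (peer_public)^private mod p; it is derived locally, never transmitted."""
    return pow(peer_public, private, p)


def dh_exchange(p, g, a, b):
    """Run both sides with fixed private exponents a and b; return (A, B, shared secret).

    Both sides arrive at the same secret because (g^a)^b == (g^b)^a mod p.
    """
    pub_a = dh_public(p, g, a)      # sent by the initiator
    pub_b = dh_public(p, g, b)      # sent by the responder
    secret_a = dh_shared(p, pub_b, a)
    secret_b = dh_shared(p, pub_a, b)
    assert secret_a == secret_b
    return pub_a, pub_b, secret_a


def random_private(p):
    """Private exponent in [2, p-2]; use the secrets module, not random, for key material."""
    return 2 + secrets.randbelow(p - 3)


def brute_force_log(p, g, public):
    """Recover a private exponent by trial division of the discrete log.

    Feasible only because p is tiny; the cost grows with the group size, which is
    why IKE groups use 2048-bit or larger primes (or elliptic-curve groups).
    """
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


if __name__ == "__main__":
    # Fixed exponents so the run is reproducible; a real peer would call random_private().
    A, B, s = dh_exchange(TOY_P, TOY_G, 6, 15)
    print(f"public A={A}, public B={B}, shared secret={s}")
    print("eavesdropper recovers a =", brute_force_log(TOY_P, TOY_G, A))
```

With a = 6 and b = 15 the public values are 8 and 19 and the shared secret is 2; the brute-force helper recovers a = 6 from the public value alone, which would not be feasible against a properly sized group.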


Hashing Overview

A hash function is a mathematical program that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums or simply hashes. One use is a data structure called a hash table, widely used in computer software for rapid data lookup.

In this lab we will talk about the mathematical computations used to create the hashing algorithms. The two specific hashing algorithms we will discuss are Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1).


Hash Message Authentication Code

Hash Message Authentication Code (HMAC) is a way to further secure a hash. HMAC is not a hash function requirement, but it has its place when we talk about securing the hash function. Because some popular hash algorithms have been shown not to be completely collision resistant, it is important to add newer techniques to validate the integrity of a hash. HMAC accomplishes this by adding another layer of data into the hashing mix. This layer is called a secret key. The secret key is known only by the sender and receiver, and it provides authentication to HMAC. In the HMAC process the input data is taken and a secret key is added. Both the input data and the secret key are put through the hashing algorithm. This produces an HMAC hash. The size of the HMAC hash is the same as that of the corresponding hashing algorithm. (The two main types of HMAC hashes are HMAC-MD5, which produces a 128-bit hash, and HMAC-SHA-1, which produces a 160-bit hash.)


Authentication Header

Encapsulating Security Protocol


Tunnel Mode versus Transport Mode


ISAKMP - Pha
