Transcript
  • 8/17/2019 LIP06 - Configuring Site-To-Site IPsec VPNs With the IOS CLI

    LIP06 - Configuring Site-to-Site IPsec VPNs with the IOS CLI

    V 1.0


    Learning Objectives

    1. Configure EIGRP on the routers
    2. Understand the main terms used in an IPsec tunnel
    3. Understand Phase I and Phase II in the operation of an IPsec tunnel
    4. Create a site-to-site IPsec VPN using ISAKMP
    5. See the encryption of IP traffic in data communication


    Acronyms

    IPsec   Internet Protocol Security
    VPN     Virtual Private Network
    IKE     Internet Key Exchange
    SA      Security Association
    ISAKMP  Internet Security Association and Key Management Protocol
    DES     Data Encryption Standard
    3DES    Triple Data Encryption Standard
    AES     Advanced Encryption Standard
    SEAL    Software-Optimized Encryption Algorithm
    RC4     Rivest Cipher 4
    RSA     Rivest, Shamir and Adleman
    DH      Diffie-Hellman
    DSA     Digital Signature Algorithm
    ECC     Elliptic Curve Cryptography
    SHA-1   Secure Hash Algorithm 1
    MD5     Message Digest 5
    ESP     Encapsulating Security Payload
    AH      Authentication Header
    HMAC    Hash-based Message Authentication Code


    Internet Key Exchange



    AAA Services Overview

    Authentication
    Authentication is used to ensure that users are who they say they are, and it helps secure the device that is being protected. The three methods listed here are the peer-authentication options an IOS ISAKMP policy can use:
    • Pre-Shared Key
    • Rivest-Shamir-Adleman Encryption
    • Rivest-Shamir-Adleman Signature

    Authorization
    As stated earlier, you can use authorization to define which commands can be used (in the case of TACACS+) or, for other methods, which types of access are defined.

    Accounting
    Now we get to the third A of AAA, which is accounting. Accounting allows you to provide audit trails of what is done on the network and also to bill for the usage of services.


    Encryption Overview

    In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it.

    With symmetric encryption you use the same key to encrypt and decrypt. With asymmetric encryption you use a key pair; the keys are different: one key is public and the other is private.

    Symmetric encryption is faster, but asymmetric encryption is better for communication between parties who are not known to each other, because there is no need to share a secret key with an unknown person. IPsec combines the two: IKE uses Diffie-Hellman (authenticated with a pre-shared key or RSA) to agree the keys, and ESP then protects the bulk traffic with a symmetric cipher.

    Symmetric Encryption
    • DES
    • 3DES
    • AES
    • SEAL
    • Rivest Cipher

    Asymmetric Encryption
    • RSA
    • DH
    • DSA
    • ECC
    • ElGamal

    (DH is a key-agreement protocol and DSA a signature scheme; both are public-key algorithms, but neither encrypts data itself.)


    Diffie-Hellman algorithm simplified
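    An added worked example (Python, written for this page; it is not part of the original slides) of the exchange this slide simplifies and of the "no shared secret needed" point made on the encryption slide: both peers' public values, the matching shared secret, and the man-in-the-middle case that shows why IKE must authenticate the exchange with a pre-shared key or RSA. The group (p = 23, g = 5) and the private values are assumptions chosen so the numbers stay readable.

```python
import secrets

# Toy group (assumption, chosen so the numbers are readable): p = 23 is a safe
# prime (2 * 11 + 1) and g = 5 generates the full group mod 23.  It offers no
# security at all; IKE uses the MODP groups of RFC 3526 (e.g. group 14, 2048 bits).
P, G = 23, 5
Q = (P - 1) // 2           # order of the prime-order subgroup


def _random_private():
    """Exponent in [2, Q-1]; in this toy group that keeps g^x away from 1 and p-1."""
    return secrets.randbelow(Q - 2) + 2


def dh_public(priv, p=P, g=G):
    """Public value g^priv mod p.  This is what each peer sends in the clear
    (the KE payload of an IKE phase 1 exchange)."""
    return pow(g, priv, p)


def dh_shared(peer_pub, priv, p=P):
    """Shared secret peer_pub^priv mod p.  Degenerate peer values 0, 1 and p-1
    are rejected: they would force the secret into {0, 1, p-1} regardless of
    priv, which is the classic invalid-public-value attack."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid DH public value %d" % peer_pub)
    return pow(peer_pub, priv, p)


def exchange(priv_a=None, priv_b=None):
    """One honest exchange between Alice and Bob.
    Returns (A, B, secret_at_alice, secret_at_bob); the two secrets agree
    because (g^b)^a == (g^a)^b mod p."""
    a = priv_a if priv_a is not None else _random_private()
    b = priv_b if priv_b is not None else _random_private()
    A, B = dh_public(a), dh_public(b)      # the only values on the wire
    return A, B, dh_shared(B, a), dh_shared(A, b)


def mitm_exchange(priv_a, priv_b, priv_m):
    """The same exchange without authentication: Mallory replaces both public
    values on the wire with her own M.  Returns (secret_at_alice,
    secret_at_bob, mallory_knows_both).  Alice and Bob end up with different
    secrets, each of which Mallory shares, so she can decrypt and re-encrypt
    everything in both directions.  IKE closes this hole by authenticating the
    exchange (pre-shared key, RSA encryption or RSA signatures), not through
    any property of DH itself."""
    A, B, M = dh_public(priv_a), dh_public(priv_b), dh_public(priv_m)
    s_alice = dh_shared(M, priv_a)         # Alice believes M came from Bob
    s_bob = dh_shared(M, priv_b)           # Bob believes M came from Alice
    mallory_has_both = (dh_shared(A, priv_m) == s_alice
                        and dh_shared(B, priv_m) == s_bob)
    return s_alice, s_bob, mallory_has_both


if __name__ == "__main__":
    print("honest exchange (A, B, s_alice, s_bob):", exchange(6, 15))
    print("MITM exchange (s_alice, s_bob, mallory has both):", mitm_exchange(6, 15, 3))
```

    With the fixed private values 6 and 15 the honest run gives public values 8 and 19 and a shared secret of 2 on both sides; with Mallory's private value 3 the two sides land on different secrets (6 and 5) that she alone can compute both of.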


    Hashing Overview

    A hash function is a mathematical function that maps data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. One use is a data structure called a hash table, widely used in computer software for rapid data lookup.

    In this lab we will talk about the mathematical computations used to create the hashing algorithms. The two specific hashing algorithms we will discuss are Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1). Both are now broken for collision resistance (MD5 collisions were demonstrated in 2004, a SHA-1 collision in 2017); IOS still accepts them for interoperability with older peers, but SHA-2 should be chosen wherever both peers support it.


    Hash Message Authentication Code

    Hash-based Message Authentication Code (HMAC) is a way to further secure a hash. HMAC is not a requirement of a hash function, but it has its place when we talk about securing the hash function. Because some popular hash algorithms have been shown not to be completely collision resistant, it is important to add newer techniques to validate the integrity of a hash. HMAC accomplishes this by adding another layer of data into the hashing mix. This layer is called a secret key. The secret key is known only by the sender and receiver, and it is what gives HMAC its authentication property: without the key, an attacker can modify the data but cannot produce a valid HMAC for it.

    In the HMAC process the input data is taken and a secret key is added. Both the input data and the secret key are put through the hashing algorithm, in the nested form H((K xor opad) || H((K xor ipad) || data)) defined in RFC 2104 rather than as a single H(key || data). This produces an HMAC hash. The size of the HMAC hash is the same as that of the corresponding hashing algorithm: the two main types used in IPsec are HMAC-MD5, which produces a 128-bit hash, and HMAC-SHA-1, which produces a 160-bit hash. AH and ESP transmit only the leftmost 96 bits of either as the integrity check value (HMAC-MD5-96 and HMAC-SHA-1-96).
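    An added example (Python, written for this page and not part of the original slides) that serves both the hashing slide and this one: fixed-size MD5 and SHA-1 digests regardless of input length, HMAC built by hand as RFC 2104 defines it and checked against the standard library, and the 96-bit truncated integrity check value that AH and ESP carry. The key and message are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not from the original slides).
KEY = b"cisco123-lab-key"
MSG = b"192.168.1.10 -> 192.168.2.10: GET /status"


def digest_bits(algo, data):
    """Size in bits of a plain hash: 128 for MD5, 160 for SHA-1, whatever the input length."""
    return len(hashlib.new(algo, data).digest()) * 8


def hmac_rfc2104(key, msg, algo):
    """HMAC built by hand as RFC 2104 defines it:
         H((K xor opad) || H((K xor ipad) || msg))
    'Adding the key to the data' on the slide means this nested construction,
    not a bare H(key || msg), which for MD5/SHA-1 could be forged by
    length extension."""
    block = hashlib.new(algo).block_size            # 64 bytes for MD5 and SHA-1
    if len(key) > block:                            # long keys are hashed first
        key = hashlib.new(algo, key).digest()
    key = key.ljust(block, b"\x00")                 # then zero-padded to one block
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    inner = hashlib.new(algo, ipad + msg).digest()
    return hashlib.new(algo, opad + inner).digest()


def matches_stdlib(key, msg, algo):
    """True if the hand-built HMAC equals Python's hmac module for the same inputs."""
    return hmac.compare_digest(hmac_rfc2104(key, msg, algo),
                               hmac.new(key, msg, algo).digest())


def ipsec_icv(key, msg, algo, trunc_bits=96):
    """Integrity Check Value as AH/ESP carry it: the leftmost 96 bits of
    HMAC-MD5 or HMAC-SHA-1 (HMAC-MD5-96 / HMAC-SHA-1-96, RFC 2403 and 2404)."""
    return hmac.new(key, msg, algo).digest()[: trunc_bits // 8]


def icv_valid(key, msg, icv, algo):
    """Receiver side: recompute and compare in constant time, so the comparison
    itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(ipsec_icv(key, msg, algo), icv)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, digest_bits(algo, MSG), "bit digest,",
              len(hmac_rfc2104(KEY, MSG, algo)) * 8, "bit HMAC,",
              "stdlib match:", matches_stdlib(KEY, MSG, algo))
    icv = ipsec_icv(KEY, MSG, "sha1")
    print("ICV", icv.hex(), "valid:", icv_valid(KEY, MSG, icv, "sha1"),
          "tampered:", icv_valid(KEY, MSG + b"!", icv, "sha1"))
```

    The hand-built and library HMACs agree for short keys and for keys longer than the 64-byte block; changing one byte of the message or using the wrong key makes the 12-byte ICV fail verification. Note that the key is what provides the protection here: the collision weaknesses of MD5 and SHA-1 do not directly break HMAC-MD5 or HMAC-SHA-1, but both are legacy choices and HMAC-SHA-256 is preferred where the peers support it.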


    Authentication Header


    Encapsulating Security Payload


    Tunnel Mode versus Transport Mode


    ISAKMP - Phase I & Phase II


    Authentication Header & ESP


    htt2;;s4i7e24aer.co5;s4i7e;&0

