© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod3_L7
Network Security 2
Module 6 – Configure Remote Access VPN
Dec 24, 2015
Lesson 6.1 An Introduction to Cisco Easy VPN
Module 6 – Configure Remote Access VPN
Module Introduction
Virtual private networks (VPNs) use advanced encryption techniques and tunneling to permit organisations to establish secure, end-to-end, private network connections over third-party networks such as the Internet
Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to create VPN solutions that meet the security requirements of any organisation
This module explains fundamental terms associated with VPNs, including the IP Security protocol, and Internet Key Exchange. It then details how to configure various types of VPN, using various currently available methods
Cisco Easy VPN
Eliminates tedious work by implementing the Cisco Unity Client protocol to allow administrators to define most VPN parameters at a Cisco IOS Easy VPN Server
Cisco Easy VPN Remote allows devices to act as remote VPN clients
– Routers running IOS Release 12.2(4)YA (or later)
– PIX firewalls
– Cisco hardware clients
Cisco Easy VPN Server can be any of these devices that support the Cisco Unity Client protocol:
– VPN 3000 Concentrator
– PIX Firewall
– IOS router
Cisco Easy VPN
Cisco Easy VPN simplifies deployment.
When the Easy VPN Remote initiates the VPN tunnel connection, the Cisco Easy VPN Server pushes the IPsec policies to the Cisco Easy VPN Remote client and creates the corresponding VPN tunnel connection
Cisco Easy VPN Remote provides for automatic management of:
The negotiation of tunnel parameters
Establishment of tunnels
Creation of NAT or PAT translations and ACLs as needed
Authentication of users by usernames, group names, and passwords
Security keys for encryption and decryption
Authenticating, encrypting, and decrypting data through the tunnel
Easy VPN Components
Cisco Easy VPN Server
The Cisco Easy VPN Server pushes security policies that are defined at the headend to the remote VPN device
A Cisco Easy VPN Server-enabled device can also terminate IPsec tunnels that are initiated by mobile remote workers running VPN Client software on PCs.
Easy VPN Components
Cisco Easy VPN Remote
These devices can receive security policies from a Cisco Easy VPN Server, minimizing VPN configuration requirements at the remote location
This cost-effective solution is ideal for remote offices with little IT support
Requirements and Restrictions for Cisco Easy VPN Server
Limitations
DH Group
The Cisco Unity Client protocol supports only ISAKMP policies that use DH Group 2 (1024-bit)
Transform Sets Supported
The Cisco Unity Client protocol does not support Authentication Header (AH) authentication but does support Encapsulating Security Payload (ESP)
Easy VPN Server and Easy VPN Remote Operation
Step 1: The VPN client initiates the IKE Phase 1 process
Step 2: The VPN client establishes an SA
Step 3: The Easy VPN Server accepts the SA proposal
Step 4: The Easy VPN Server initiates a username and password challenge
Step 5: The mode configuration process is initiated
Step 6: The RRI process is initiated
Step 7: IPsec quick mode completes the connection
Step 1: The VPN Client Initiates the IKE Phase 1 Process
Step 2: The VPN Client Establishes an ISAKMP SA
The VPN client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server.
To reduce manual configuration on the VPN client, these ISAKMP proposals include several combinations of the following:
Encryption and hash algorithms
Authentication methods
Diffie-Hellman group sizes
Step 3: The Cisco Easy VPN Server Accepts the SA Proposal
The Easy VPN Server searches for a match:
The first proposal to match the server list is accepted (highest-priority match).
The ISAKMP SA is successfully established.
Device authentication ends and user authentication begins.
Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge
If the Easy VPN Server is configured for Xauth, the VPN client waits for a username and password challenge:
The username and password information is checked against authentication entities using AAA.
Step 5: The Mode Configuration Process Is Initiated
If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining configuration parameters from the Easy VPN Server:
Mode configuration starts.
The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client.
IP address is the only required parameter in a group profile. All other parameters are optional
Step 6: The RRI Process Is Initiated
RRI ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client
RRI is used
• when per-user IP addresses are used
• when more than one Easy VPN Server is used
Redistributing static routes into an IGP allows the server site routers to find the appropriate Easy VPN Server to use for return traffic to clients.
Step 7: IPsec Quick Mode Completes the Connection
After the configuration parameters have been successfully received by the VPN client, IPsec quick mode is initiated to negotiate IPsec SA establishment.
After IPsec SA establishment, the VPN connection is complete.
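The following Cisco IOS Easy VPN Server configuration is an added example, not taken from the original slides; it shows where each of Steps 1 to 7 and the two Unity limitations (DH group 2, ESP only) land in a server-side configuration. All names (VPNUSERS, VPNGROUPS, REMOTE, VPNPOOL, ESP-AES-SHA, DYNMAP, CLIENTMAP), addresses and the interface are assumptions, and secrets are placeholders.

```cisco
! Added example, not from the original slides. Names, addresses and the
! interface are assumptions; <...> values are placeholders to replace.
!
! AAA lists used for Xauth (Step 4) and for group-profile lookup (Step 5)
aaa new-model
aaa authentication login VPNUSERS local
aaa authorization network VPNGROUPS local
username alice secret <USER-PASSWORD-PLACEHOLDER>
!
! IKE Phase 1 policy (Steps 1-3). Unity clients only negotiate DH group 2,
! so the policy must use "group 2" or none of the client proposals match.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Group profile pushed by mode configuration (Step 5). The address pool is
! the only required attribute; dns and the split-tunnel acl are optional.
crypto isakmp client configuration group REMOTE
 key <GROUP-PRESHARED-KEY-PLACEHOLDER>
 pool VPNPOOL
 dns 10.1.1.10
 acl 101
ip local pool VPNPOOL 10.10.10.1 10.10.10.50
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
!
! IPsec transform set for quick mode (Step 7): ESP only, because the
! Unity protocol does not support AH.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Dynamic map for clients whose source address is unknown in advance;
! reverse-route enables RRI (Step 6), installing a static route per client.
crypto dynamic-map DYNMAP 10
 set transform-set ESP-AES-SHA
 reverse-route
!
! Bind Xauth, group authorization and mode-config to the crypto map,
! then apply it on the Internet-facing interface.
crypto map CLIENTMAP client authentication list VPNUSERS
crypto map CLIENTMAP isakmp authorization list VPNGROUPS
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
interface GigabitEthernet0/0
 crypto map CLIENTMAP
```

With a second Easy VPN Server in the same site, redistribute the RRI-created static routes into the IGP so internal routers return client traffic to the server that holds the tunnel.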