Implementing VPN Solutions Laurel Boyer, CCIE 4918 Presented, June 2003

Jan 11, 2016

Transcript
  • Implementing VPN Solutions
    Laurel Boyer, CCIE 4918
    Presented, June 2003

  • Agenda
    Cost Analysis: Frame vs. VPN
    VPN Drawbacks
    VPN Equipment Alternatives
    Using GRE for Dynamic Routing
    Implementation Examples
    Troubleshooting
    Questions/Discussion

  • Cost Analysis: Frame vs. VPN

    Premise: This discussion assumes that there is a requirement to remotely connect two or more offices/locations. This discussion focuses on a Hub/Spoke architecture.

    Frame Relay to DSL cost examples:

    Port Speed   Frame CIR   Frame Cost   DSL Cost
    128k         64k         $700
    192k                                  $155
    256k         128k        $875
    384k                                  $195
    512k         256k        $1,180
    768k         384k        $1,520       $289
    1544k        768k        $1,650       $389

  • VPN Drawbacks
    VPN connections traverse the Internet, resulting in vulnerabilities due to latency and interruptions that the network administrator cannot influence.
    DSL is normally a better choice than Cable Modem, as it does not share the broadcast medium.
    DSL may not be available in all areas, or may not be available at the required speeds.
    Not all DSL/ISP providers are created equal:
      Ensure that the provider will give you public IP addresses to manage.
      Ask the provider where the POP is that connects to your office.
      Request ping times from the POP to your Hub/Destination location.
      Request peering information between the provider and your destination.
      Scrutinize the customer service policy.

  • VPN Equipment Alternatives
    PIX to PIX
    PIX to VPN Concentrator
    PIX to Router w/ IOS Firewall/IPSEC
    VPN Concentrator to Router w/ IOS Firewall/IPSEC
    VPN Concentrator to VPN Concentrator
    Router w/ IOS Firewall/IPSEC to Router w/ IOS Firewall/IPSEC

  • VPN & GRE Example

  • Generic Steps for setting up VPN
    Load Basic FW or Router Config
    Set up IPSEC Tunnel
    Set up static routes on Routers
    Set up GRE Tunnel

  • Configure IPSEC Tunnel: ISAKMP
    Define Encryption Algorithm: normally DES or 3DES
    Define a Hashing Algorithm: MD5 or SHA
    Define Authentication: RSA/CA or Pre-shared Key
    Define SA (Security Association) Lifetime. Default is 86400 (1 day)

  • Configure IPSEC Tunnel: ISAKMP
    Example:

    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key vpn2vpn address 5.1.1.2

  • Configure IPSEC Tunnel: IPSEC
    Create extended ACL (Access List)
    Create IPSEC transform(s)
    Create Crypto Map
    Apply Crypto Map to Interface

  • VPN Router Configuration

    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key vpn2vpn address 5.1.1.2
    !
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    !
    crypto map vpntunnel 10 ipsec-isakmp
     set peer 5.1.1.2
     set transform-set ESP-DES-MD5
     match address vpn-tunnel
    !
    interface Ethernet0
     ip address 10.1.1.254 255.255.255.0
     ip nat inside
    !

  • VPN Router Configuration, Cont.

    interface Ethernet1
     ip address 5.1.1.1 255.255.255.0
     ip nat outside
     crypto map vpntunnel
    !
    ip nat inside source route-map Internet interface Ethernet1 overload
    !
    ip access-list extended Nat
     deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
     permit ip any any
    ip access-list extended vpn-tunnel
     permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
    route-map Internet permit 10
     match ip address Nat

  • VPN PIX Configuration

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list vpn-tunnel permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
    interface ethernet0 10baset
    interface ethernet1 10full
    ip address outside 5.1.1.2 255.255.255.0
    ip address inside 10.1.2.254 255.255.255.0
    nat (inside) 0 access-list vpn-tunnel
    nat (inside) 1 10.0.0.0 255.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 5.1.1.1 1

  • VPN PIX Configuration, Cont.

    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map vpntunnel 1 ipsec-isakmp
    crypto map vpntunnel 1 match address vpn-tunnel
    crypto map vpntunnel 1 set peer 5.1.1.1
    crypto map vpntunnel 1 set transform-set ESP-DES-MD5
    crypto map vpntunnel interface outside
    isakmp enable outside
    isakmp key vpn2vpn address 5.1.1.1 netmask 255.255.255.255
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 86400

  • VPN & GRE
    GRE: Generic Routing Encapsulation. Used to encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to remote points over an IP network.

    In this instance, we use an IPSEC tunnel to create a secure/encrypted path between two public points. GRE is used to create a virtual Intranet path between two private points.

    Because GRE facilitates broadcast and multicast traffic, we can run EIGRP or other dynamic protocols, reducing the need for static routing in larger VPN topologies.

  • GRE Example

    interface Loopback10
     description Loopback for GRE tunnel
     ip address 10.0.1.10 255.255.255.255
    !
    interface Tunnel10
     description GRE tunnel to GRE-RTR
     ip address 10.0.0.1 255.255.255.252
     tunnel source Loopback10
     tunnel destination 10.0.0.10
    !
    ip access-list extended vpn-tunnel
     permit ip host 10.0.1.10 host 10.0.0.10
    !
    ip route 10.0.0.10 255.255.255.255 5.1.1.2

  • Intro to the VPN Concentrator
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_models_comparison.html

                                 Cisco VPN 3005     Cisco VPN 3015   Cisco VPN 3030   Cisco VPN 3060   Cisco VPN 3080
    Simultaneous Users           100                100              1,500            5,000            10,000
    Maximum LAN-to-LAN Sessions  100                100              500              1,000            1,000
    Encryption Throughput        4 Mbps             4 Mbps           50 Mbps          100 Mbps         100 Mbps
    Encryption Method            Software           Software         Hardware         Hardware         Hardware
    Available Expansion Slots    0                  4                3                2                2
    Encryption (SEP) Module      0                  0                1                2                4
    Redundant SEP                -                  -                Option           Option           Yes
    System Memory                32/64 MB (fixed)   128 MB           128/256 MB       256/512 MB       256/512 MB
    Client License               Unlimited          Unlimited        Unlimited        Unlimited        Unlimited

  • Troubleshooting
    Check IPSEC Tunnel:
      show crypto ipsec sa
      show crypto isakmp sa
      clear crypto sa
      debug crypto ipsec
      debug crypto isakmp
    Check for mismatched access-lists (most common problem!)
    Check for static routes - you must tell the local router/FW that the private destination is via the public interface.
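    As an added example (not part of the deck or its configs), a small Python checker for the two mismatches the Troubleshooting slide points at: it normalizes the router's IOS wildcard-mask ACL syntax and the PIX's subnet-mask syntax to one form, verifies the peers' crypto ACLs are mirror images, and diffs the ISAKMP phase-1 policies from the configuration slides. The ACL inputs are taken from the slides; the mis-mirrored GRE PIX line is constructed to show a failure, and the router's unset ISAKMP values are filled in with the IOS defaults the deck mentions (DES, group 1, 86400).

```python
import ipaddress
# Crypto ACL entries as written on the deck's router (IOS wildcard masks) and
# PIX (subnet masks).  The GRE pair is constructed: the PIX line repeats the
# router's entry instead of mirroring it, the mistake the deck warns about.
ROUTER_ACL = ["permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255"]
PIX_ACL = ["access-list vpn-tunnel permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0"]
ROUTER_GRE_ACL = ["permit ip host 10.0.1.10 host 10.0.0.10"]
PIX_GRE_ACL_WRONG = ["access-list vpn-tunnel permit ip host 10.0.1.10 host 10.0.0.10"]

def _network(addr, mask, syntax):
    """Build an IPv4Network from an address plus an IOS wildcard or PIX netmask."""
    m = int(ipaddress.IPv4Address(mask))
    if syntax == "ios":                      # wildcard 0.255.255.255 -> /8
        m = ~m & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(m)}", strict=False)

def parse_permit(line, syntax):
    """Return (src, dst) networks from a 'permit ip ...' entry; handles host/any."""
    tok = line.split()
    i = tok.index("permit") + 2              # skip 'permit ip'
    ends = []
    while len(ends) < 2:
        if tok[i] == "host":
            ends.append(ipaddress.IPv4Network(tok[i + 1] + "/32")); i += 2
        elif tok[i] == "any":
            ends.append(ipaddress.IPv4Network("0.0.0.0/0")); i += 1
        else:
            ends.append(_network(tok[i], tok[i + 1], syntax)); i += 2
    return ends[0], ends[1]

def acl_mismatches(router_lines, pix_lines):
    """Entries with no mirror image (src/dst swapped) on the other peer."""
    router = {parse_permit(l, "ios") for l in router_lines}
    pix = {(d, s) for s, d in (parse_permit(l, "pix") for l in pix_lines)}
    return sorted(f"{s} -> {d}" for s, d in router ^ pix)

# Phase-1 settings.  The deck's router policy sets only hash and authentication;
# the rest are IOS defaults and must still equal the PIX's explicit values.
ROUTER_ISAKMP = {"encryption": "des", "hash": "md5", "authentication": "pre-share",
                 "group": "1", "lifetime": "86400"}
PIX_ISAKMP = {"encryption": "des", "hash": "md5", "authentication": "pre-share",
              "group": "1", "lifetime": "86400"}

def isakmp_mismatches(a, b):
    """Phase-1 attributes whose values differ between the two peers."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

if __name__ == "__main__":
    print("deck ACLs:", acl_mismatches(ROUTER_ACL, PIX_ACL) or "mirrored")
    print("GRE ACLs:", acl_mismatches(ROUTER_GRE_ACL, PIX_GRE_ACL_WRONG) or "mirrored")
```

    The deck's 10.0.0.0/8-to-10.0.0.0/8 entry mirrors itself trivially, which is why it works on both boxes; the host-to-host GRE entry only matches once the PIX side swaps source and destination.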

  • Questions?