
Implementing VPN Solutions

Nov 19, 2014





1. Implementing VPN Solutions
   Laurel Boyer, CCIE 4918
   Presented June 2003

2. Agenda
   • Cost Analysis: Frame vs. VPN
   • VPN Drawbacks
   • VPN Equipment Alternatives
   • Using GRE for Dynamic Routing
   • Implementation Examples
   • Troubleshooting
   • Questions/Discussion

3. Cost Analysis: Frame vs. VPN
   Premise: This discussion assumes that there is a requirement to remotely connect two or more offices/locations. This discussion focuses on a Hub/Spoke architecture.

   Frame Relay to DSL cost examples:

   | Port Speed | Frame CIR | Frame Cost | DSL Speed | DSL Cost |
   |------------|-----------|------------|-----------|----------|
   | 128k       | 64k       | $700       | 192k      | $155     |
   | 256k       | 128k      | $875       | 384k      | $195     |
   | 512k       | 256k      | $1,180     | 768k      |          |
   | 768k       | 384k      | $1,520     |           | $289     |
   | 1544k      | 768k      | $1,650     |           | $389     |

4. VPN Drawbacks
   • VPN connections traverse the Internet, resulting in vulnerabilities due to latency and interruptions that the network administrator cannot influence.
   • DSL is normally a better choice than Cable Modem, as it does not share the broadcast media.
   • DSL may not be available in all areas, or may not be available at the required speeds.
   • All DSL/ISP providers are not created equal:
     - Ensure that the provider will give you public IP addresses to manage.
     - Ask the provider where the POP is that connects to your office.
     - Request ping times from the POP to your Hub/Destination location.
     - Request peering information between the provider and your destination.
     - Scrutinize the customer service policy.

5. VPN Equipment Alternatives
   • PIX to PIX
   • PIX to VPN Concentrator
   • PIX to Router w/ IOS Firewall/IPSEC
   • VPN Concentrator to Router w/ IOS Firewall/IPSEC
   • VPN Concentrator to VPN Concentrator
   • Router w/ IOS Firewall/IPSEC to Router w/ IOS Firewall/IPSEC

6. VPN & GRE Example
   (network diagram)

7. Generic Steps for setting up VPN
   1. Load Basic FW or Router Config
   2. Set up IPSEC Tunnel
   3. Set up static routes on Routers
   4. Set up GRE Tunnel

8. Configure IPSEC Tunnel: ISAKMP
   1. Define Encryption Algorithm: normally DES or 3DES
   2. Define a Hashing Algorithm: MD5 or SHA
   3. Define Authentication: RSA/CA or Pre-shared Key
   4. Define SA (Security Association) Lifetime. Default is 86400 (1 day)

9. Configure IPSEC Tunnel: ISAKMP
   Example:

      crypto isakmp policy 10
       hash md5
       authentication pre-share
      crypto isakmp key vpn2vpn address
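Slides 8 and 9 set the ISAKMP policy by listing only what differs from the IOS defaults (DES encryption, SHA hash, RSA signatures, Diffie-Hellman group 1, 86400 s lifetime), so the example policy ends up running DES with group 1 without saying so. The following is an added example, not part of the presentation: a small Python audit that expands a policy against those defaults and flags choices that current IETF guidance no longer considers adequate; the peer address is a placeholder the slides omit.

```python
import re

# Added example, not from the original presentation. The policy below is the router
# example from slides 9 and 11; the peer address is a placeholder the slides omit.
ROUTER_CFG = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key vpn2vpn address <PEER-IP>
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
"""

# IOS supplies these values for any attribute a policy leaves unset.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
# Choices current IETF guidance (RFC 8247 for IKE, RFC 8221 for ESP) marks MUST NOT / SHOULD NOT.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1"},
        "transform": {"esp-des", "esp-3des", "esp-md5-hmac"}}

def isakmp_policies(cfg):
    """Parse 'crypto isakmp policy N' blocks into {N: {attribute: value}}, defaults filled."""
    policies, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            cur = policies.setdefault(m.group(1), dict(IOS_DEFAULTS))
        elif cur is not None and line and line.split()[0] in IOS_DEFAULTS:
            attr, val = line.split(maxsplit=1)
            cur[attr] = val
        elif line:
            cur = None                  # any other top-level command ends the block
    return policies

def transform_sets(cfg):
    """Parse 'crypto ipsec transform-set NAME t1 t2 ...' into {NAME: [transforms]}."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", cfg)}

def weak_settings(cfg):
    """Findings as (where, attribute, value); implicit defaults are reported too."""
    findings = []
    for num, pol in isakmp_policies(cfg).items():
        findings += [(f"policy {num}", a, pol[a])
                     for a in ("encryption", "hash", "group") if pol[a] in WEAK[a]]
    for name, ts in transform_sets(cfg).items():
        findings += [(f"transform-set {name}", "transform", t) for t in ts if t in WEAK["transform"]]
    return findings
```

Run against the slide's policy it reports five findings, three of them (DES, MD5, group 1) from the ISAKMP policy even though only `hash md5` appears in the configuration text.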
10. Configure IPSEC Tunnel: IPSEC
   1. Create extended ACL (Access List)
   2. Create IPSEC transform(s)
   3. Create Crypto Map
   4. Apply Crypto Map to Interface

11. VPN Router Configuration

      crypto isakmp policy 10
       hash md5
       authentication pre-share
      crypto isakmp key vpn2vpn address
      !
      crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
      !
      crypto map vpntunnel 10 ipsec-isakmp
       set peer
       set transform-set ESP-DES-MD5
       match address vpn-tunnel
      !
      interface Ethernet0
       ip address
       ip nat inside
      !

12. VPN Router Configuration, Cont.

      interface Ethernet1
       ip address
       ip nat outside
       crypto map vpntunnel
      !
      ip nat inside source route-map Internet interface Ethernet1 overload
      !
      ip access-list extended Nat
       deny ip
       permit ip any any
      ip access-list extended vpn-tunnel
       permit ip
      route-map Internet permit 10
       match ip address Nat

13. VPN PIX Configuration

      nameif ethernet0 outside security0
      nameif ethernet1 inside security100
      access-list vpn-tunnel permit ip
      interface ethernet0 10baset
      interface ethernet1 10full
      ip address outside
      ip address inside
      nat (inside) 0 access-list vpn-tunnel
      nat (inside) 1 0 0
      route outside 1

14. VPN PIX Configuration, Cont.

      sysopt connection permit-ipsec
      crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
      crypto map vpntunnel 1 ipsec-isakmp
      crypto map vpntunnel 1 match address vpn-tunnel
      crypto map vpntunnel 1 set peer
      crypto map vpntunnel 1 set transform-set ESP-DES-MD5
      crypto map vpntunnel interface outside
      isakmp enable outside
      isakmp key vpn2vpn address netmask
      isakmp policy 1 authentication pre-share
      isakmp policy 1 encryption des
      isakmp policy 1 hash md5
      isakmp policy 1 group 1
      isakmp policy 1 lifetime 86400

15. VPN & GRE
   GRE: Generic Routing Encapsulation. Used to encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to remote points over an IP network.
   In this instance, we use an IPSEC tunnel to create a secure/encrypted path between two public points. GRE is used to create a virtual Intranet path between two private points.
   Because GRE facilitates broadcast and multicast traffic, we can run EIGRP or other dynamic protocols, reducing the need for static routing in larger VPN topologies.

16. GRE Example

      interface Loopback10
       description Loopback for GRE tunnel
       ip address
      !
      interface Tunnel10
       description GRE tunnel to GRE-RTR
       ip address
       tunnel source Loopback10
       tunnel destination
      !
      ip access-list extended vpn-tunnel
       permit ip host host
      !
      ip route

17. Intro the VPN Concentrator

   |                             | Cisco VPN 3005 | Cisco VPN 3015 | Cisco VPN 3030 | Cisco VPN 3060 | Cisco VPN 3080 |
   |-----------------------------|----------------|----------------|----------------|----------------|----------------|
   | Simultaneous Users          | 100            | 100            | 1,500          | 5,000          | 10,000         |
   | Maximum LAN-to-LAN Sessions | 100            | 100            | 500            | 1,000          | 1,000          |
   | Encryption Throughput       | 4 Mbps         | 4 Mbps         | 50 Mbps        | 100 Mbps       | 100 Mbps       |
   | Encryption Method           | Software       | Software       | Hardware       | Hardware       | Hardware       |
   | Available Expansion Slots   | 0              | 4              | 3              | 2              | 2              |
   | Encryption (SEP) Modules    | 0              | 0              | 1              | 2              | 4              |
   | Redundant SEP               |                |                | Option         | Option         | Yes            |
   | System Memory               | 32 MB (fixed)  | 64/128 MB      | 128/256 MB     | 256/512 MB     | 256/512 MB     |
   | Client License              | Unlimited      | Unlimited      | Unlimited      | Unlimited      | Unlimited      |

18. Troubleshooting
   Check IPSEC Tunnel:
   • show crypto ipsec sa
   • show crypto isakmp sa
   • clear crypto sa
   • debug crypto ipsec
   • debug crypto isakmp
   • Check for mismatched access-lists (most common problem!)
   • Check for static routes: you must tell the local router/FW that the private destination is via the public interface.

19. Questions?
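The troubleshooting slide names mismatched access-lists as the most common problem: the crypto ACL on each peer must be the exact mirror (source and destination swapped) of the other's, and a router written in IOS wildcard masks against a PIX written in subnet masks is easy to get subtly wrong. As an added example that is not part of the presentation, the Python below parses the ACL named vpn-tunnel from both syntaxes and reports entries with no exact mirror on the other side; the two configs are constructed, with documentation-range addresses.

```python
import ipaddress
# Added example, not from the original presentation. The two configs are constructed
# stand-ins (documentation-range addresses); the ACL name vpn-tunnel follows the slides.
HUB_IOS = """
ip access-list extended vpn-tunnel
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
 permit ip 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255
"""
SPOKE_PIX = """
access-list vpn-tunnel permit ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list vpn-tunnel permit ip host 203.0.113.7 192.0.2.0 255.255.255.0
"""

def _net(addr, mask, wildcard):
    """Address + mask -> IPv4Network. IOS extended ACLs use inverse (wildcard) masks."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def _take(toks, wildcard):
    """Consume one address term ('any' | 'host X' | 'X mask') from the front of toks."""
    tok = toks.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(toks.pop(0) + "/32")
    return _net(tok, toks.pop(0), wildcard)

def crypto_acl(config, name):
    """Return {(src, dst)} for the 'permit ip' lines of ACL `name`, IOS or PIX syntax."""
    entries, in_block = set(), False
    for line in (l.strip() for l in config.splitlines()):
        if line == f"ip access-list extended {name}":   # IOS named-ACL header
            in_block = True
        elif line.startswith("access-list "):           # PIX one-line entries
            parts = line.split()
            if parts[1] == name and parts[2:4] == ["permit", "ip"]:
                toks = parts[4:]
                entries.add((str(_take(toks, False)), str(_take(toks, False))))
        elif in_block and line.startswith("permit ip "):
            toks = line.split()[2:]
            entries.add((str(_take(toks, True)), str(_take(toks, True))))
        elif in_block and line and not line.startswith(("permit", "deny", "remark")):
            in_block = False                            # another command ends the block
    return entries

def mirror_mismatches(local, remote):
    """Entries with no exact (dst, src) counterpart on the other peer."""
    mirrored = {(d, s) for s, d in remote}
    return {"only_local": local - mirrored, "only_remote": mirrored - local}
```

On the sample, the first entry mirrors cleanly while the second does not: the hub protects 203.0.113.0/24 but the PIX only the single host 203.0.113.7, which is exactly the kind of mismatch that leaves `show crypto ipsec sa` with no SA for that traffic.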