7/28/2019 ISCW10S04 IPsec.ppt
1/237
IPsec VPNs
IPsec Components and IPsec VPN Features
IPsec Overview
What Is IPsec?
IPsec is an IETF standard that employs cryptographic mechanisms on the network layer:
Authentication of every IP packet
Verification of data integrity for each packet
Confidentiality of packet payload
Consists of open standards for securing private communications
Scales from small to very large networks
Is available in Cisco IOS software version 11.3(T) and later
Is included in PIX Firewall version 5.0 and later
IPsec Security Features
IPsec is the only standard Layer 3 technology that provides:
Confidentiality
Data integrity
Authentication
Replay detection
IPsec Protocols
IPsec uses three main protocols to create a security framework:
Internet Key Exchange (IKE):
Provides a framework for negotiation of security parameters
Establishment of authenticated keys
Encapsulating Security Payload (ESP):
Provides a framework for encrypting, authenticating, and securing data
Authentication Header (AH):
Provides a framework for authenticating and securing data
IPsec Headers
The IPsec headers provide the following:
Authentication and data integrity (MD5 or SHA-1 HMAC) with AH and ESP
Confidentiality (DES, 3DES, or AES) only with ESP
Peer Authentication
Peer authentication methods:
Username and password, OTP (PIN/TAN)
Biometric
Preshared keys
Digital certificates
Internet Key Exchange
IKE solves the problems of manual and unscalable implementation of IPsec by automating the entire key exchange process:
Negotiation of SA characteristics
Automatic key generation
Automatic key refresh
Manageable manual configuration
IKE Phases
Phase 1:
Authenticate the peers
Negotiate a bidirectional SA
Main mode or aggressive mode
Phase 1.5:
Xauth
Mode config
Phase 2:
IPsec SAs/SPIs
Quick mode
IKE Modes
IKE: Other Functions
IPsec and NAT: The Problem
IPsec NAT Traversal
Need NAT traversal with IPsec over TCP/UDP:
NAT traversal detection
NAT traversal decision
UDP encapsulation of IPsec packets
UDP encapsulated process for software engines
Mode Configuration
Mechanism used to push attributes to IPsec VPN clients
Easy VPN
Dynamically updated:
Central services and security policy
Offload VPN function from local devices
Client and network extension mode
Centralized control:
Configuration and security policy pushed at the time of the VPN tunnel establishment
Xauth
Mechanism used for user authentication for VPN clients
ESP and AH
IPsec protocols:
ESP or AH
ESP uses IP protocol number 50
AH uses IP protocol number 51
IPsec modes:
Tunnel or transport mode
Tunnel mode creates a new additional IP header
The message is concatenated with a symmetric key
AH Authentication and Integrity
ESP Protocol
Provides confidentiality with encryption
Provides integrity with authentication
Tunnel and Transport Mode
Message Authentication and Integrity Check
Message Authentication and Integrity Check Using Hash
A MAC is used for message authentication and integrity check.
Hashes are widely used for this purpose (HMAC).
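As an added example (not from the original slides), the following Python models the receiver side of the HMAC check together with the replay detection listed earlier among IPsec's security features: an ESP-like packet carrying SPI, sequence number, payload and a truncated HMAC-SHA1 tag is verified against a shared key and then checked against a sliding anti-replay window. The key, SPI and payloads are constructed values.

```python
import hmac
import hashlib
import struct
from typing import Optional, Tuple

# Added example, not part of the original slides. Models how an ESP
# receiver authenticates a packet with an HMAC and then applies the
# anti-replay window. Key, SPI and payloads used with it are constructed.

ICV_LEN = 12        # ESP truncates HMAC-SHA1 to 96 bits (HMAC-SHA1-96)
WINDOW_SIZE = 64    # anti-replay window; RFC 4303 requires at least 32

def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI || seq || payload || ICV, where the ICV is the
    truncated HMAC over everything that precedes it."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv

class Receiver:
    """One inbound SA: shared key, expected SPI and replay-window state."""

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.highest_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0        # bit i set => (highest_seq - i) already seen

    def _verify_icv(self, packet: bytes) -> bool:
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        # constant-time comparison, so the tag cannot be guessed byte by byte
        return hmac.compare_digest(icv, expected)

    def _replay_check(self, seq: int) -> bool:
        """Sliding-window check. Returns True and records seq if it is new."""
        if seq == 0:
            return False               # ESP never uses sequence number 0
        if seq > self.highest_seq:     # right of the window: slide it
            shift = seq - self.highest_seq
            if shift >= WINDOW_SIZE:
                self.bitmap = 1        # everything previously seen falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW_SIZE:
            return False               # left of the window: too old
        if self.bitmap & (1 << offset):
            return False               # inside the window but already seen
        self.bitmap |= 1 << offset
        return True

    def receive(self, packet: bytes) -> Tuple[str, Optional[bytes]]:
        """Returns (status, payload); payload is only set when status is 'ok'."""
        if len(packet) < 8 + ICV_LEN:
            return ("malformed", None)
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return ("unknown_spi", None)
        # Authenticate before touching the window: a forged sequence number
        # must not be able to slide the window or mark slots as seen.
        if not self._verify_icv(packet):
            return ("bad_icv", None)
        if not self._replay_check(seq):
            return ("replay", None)
        return ("ok", packet[8:-ICV_LEN])
```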
Symmetric vs. Asymmetric Encryption Algorithms
Symmetric vs. Asymmetric Encryption Algorithms
Symmetric algorithm:
Secret key cryptography
Encryption and decryption use the same key
Typically used to encrypt the content of a message
Examples: DES, 3DES, AES
Asymmetric algorithm:
Public key cryptography
Encryption and decryption use different keys
Typically used in digital certification and key management
Example: RSA
Key Lengths of Symmetric vs. Asymmetric Encryption Algorithms
Symmetric key length (bits)    Asymmetric key length (bits)
80                             1024
112                            2048
128                            3072
192                            7680
256                            15,360
Comparable key lengths required for asymmetric keys compared to symmetric keys
Symmetric Encryption: DES
Symmetric key encryption algorithm
Block cipher: Works on 64-bit data block, uses 56-bit key (last bit of each byte used for parity)
Mode of operation: Apply DES to encrypt blocks of data
Symmetric Encryption: 3DES
168-bit total key length
Mode of operation decides how to process DES three times
Normally: encrypt, decrypt, encrypt
3DES requires more processing than DES
Symmetric Encryption: AES
Formerly known as Rijndael
Successor to DES and 3DES
Symmetric key block cipher
Strong encryption with long expected life
AES can support 128-, 192-, and 256-bit keys; 128-bit key is considered safe
Asymmetric Encryption: RSA
Based on Diffie-Hellman key exchange (IKE) principles
Public key to encrypt data, and to verify digital signatures
Private key to decrypt data, and to sign with a digital signature
Perfect for insecure communication channels
Diffie-Hellman Key Exchange
Diffie-Hellman Key Exchange (Cont.)
X.509 v3 Certificate
PKI Credentials
How to store PKI credentials:
RSA keys and certificates
NVRAM
eToken:
Cisco 871, 1800, 2800, 3800 Series router
Cisco IOS Release 12.3(14)T image
Cisco USB eToken
A k9 image
Summary
IPsec provides a mechanism for secure data transmission over IP networks.
The IKE protocol is a key management protocol standard used in conjunction with the IPsec standard.
IKE has some additional functions: DPD, NAT traversal, encapsulation in UDP packet, config mode, and Xauth.
The two IP protocols used in the IPsec standard are ESP and AH.
For message authentication and integrity check, an HMAC is used.
The two types of encryption are symmetric encryption and asymmetric encryption.
PKI provides customers with a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network.
IPsec VPNs
Site-to-Site IPsec VPN Operation
Site-to-Site IPsec VPN Operations
Five Steps of IPsec
Step 2: IKE Phase 1
IKE Policy
Negotiates matching IKE transform sets to protect IKE exchange
Diffie-Hellman Key Exchange
Step 3: IKE Phase 2
Negotiates IPsec security parameters, IPsec transform sets
Establishes IPsec SAs
Periodically renegotiates IPsec SAs to ensure security
Optionally, performs an additional Diffie-Hellman exchange
IPsec Transform Sets
A transform set is a combination of algorithms and protocols that enact a security policy for traffic.
SA Lifetime
Data-transmitted-based
Time-based
Configuring IPsec
Configuration Steps for Site-to-Site IPsec VPN
1. Establish ISAKMP policy
2. Configure IPsec transform set
3. Configure crypto ACL
4. Configure crypto map
5. Apply crypto map to the interface
6. Configure interface ACL
Site-to-Site IPsec Configuration: Phase 1
Site-to-Site IPsec Configuration: Phase 2
Site-to-Site IPsec Configuration: Apply VPN Configuration
Site-to-Site IPsec Configuration: Interface ACL
When filtering at the edge, there is not much to see:
IKE: UDP port 500
ESP and AH: IP protocol numbers 50 and 51, respectively
NAT transparency enabled:
UDP port 4500
TCP (port number has to be configured)
Site-to-Site IPsec Configuration: Interface ACL (Cont.)
Router1#show access-lists
access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20
access-list 102 permit esp host 172.16.172.10 host 172.16.171.20
access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp
Ensure that protocols 50 and 51 and UDP port 500 traffic is not blocked on interfaces used by IPsec.
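As an added example (not part of the original slides), this Python evaluator parses the access-list 102 lines above in the subset of IOS extended ACL syntax they use (protocol keyword, host addresses, optional eq port) and reports whether a given packet would be permitted at the edge; a fourth line for UDP 4500 is added to cover the NAT transparency case from the previous slide. The packets fed to it are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not part of the original slides. Evaluates the subset of
# Cisco IOS extended ACL syntax used on the slide. Only the 'host'/'any'
# address forms and the 'eq' port operator are modelled; real IOS ACLs
# accept much more (wildcard masks, ranges, 'established', ...).

PROTO_NUM = {"ahp": 51, "esp": 50, "udp": 17, "tcp": 6, "ip": None}
PORT_NAME = {"isakmp": 500}   # IOS prints UDP 500 as 'isakmp'

@dataclass
class Packet:
    proto: int                    # IP protocol number
    src: str
    dst: str
    dport: Optional[int] = None   # destination port, UDP/TCP only

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: Optional[int]          # None matches any protocol ("ip")
    src: Optional[str]            # None means "any"
    dst: Optional[str]
    dport: Optional[int]          # None means no port condition

def _take_addr(tok: List[str]) -> Tuple[Optional[str], List[str]]:
    """Consume 'any' or 'host <addr>' from the token list."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError(f"unsupported address form: {tok[0]}")

def parse_rule(line: str) -> Rule:
    """Parse e.g. 'access-list 102 permit udp host A host B eq isakmp'."""
    tok = line.split()
    if tok[:1] == ["access-list"]:
        tok = tok[2:]             # drop 'access-list <number>'
    action, proto_kw = tok[0], tok[1]
    if action not in ("permit", "deny") or proto_kw not in PROTO_NUM:
        raise ValueError(f"unsupported ACL line: {line}")
    rest = tok[2:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = int(rest[1]) if rest[1].isdigit() else PORT_NAME.get(rest[1])
        if dport is None:
            raise ValueError(f"unknown port name: {rest[1]}")
        rest = rest[2:]
    if rest:
        raise ValueError(f"unsupported trailing tokens: {rest}")
    return Rule(action, PROTO_NUM[proto_kw], src, dst, dport)

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every condition present in the rule must hold for the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching line wins; IOS ACLs end with an implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# The three lines from the slide's output plus the UDP 4500 line needed
# when NAT transparency is enabled (added here, not on the slide).
ACL_102 = [parse_rule(line) for line in [
    "access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20",
    "access-list 102 permit esp host 172.16.172.10 host 172.16.171.20",
    "access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp",
    "access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq 4500",
]]
```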
Summary
IPsec operation includes these steps: Initiation by interesting traffic of the IPsec process, IKE Phase 1, IKE Phase 2, data transfer, and IPsec tunnel termination.
To configure a site-to-site IPsec VPN: Configure the ISAKMP policy, define the IPsec transform set, create a crypto ACL, create a crypto map, apply crypto map, and configure ACL.
To define an IKE policy, use the crypto isakmp policy global configuration command.
To define an acceptable combination of security protocols and algorithms used for IPsec, use the crypto ipsec transform-set global configuration command.
To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command.
Configure an ACL to enable the IPsec protocols (protocol 50 for ESP or 51 for AH) and IKE protocol (UDP/500).
IPsec VPNs
Configuring IPsec Site-to-Site VPN Using SDM
Introducing the SDM VPN Wizard Interface
Cisco Router and SDM
Cisco SDM Features
Smart wizards for these frequent router and security configuration issues:
Avoid misconfigurations with integrated routing and security
Secure the existing network infrastructure easily and cost-effectively
Uses Cisco TAC- and ICSA-recommended security configurations
Startup wizard, one-step router lockdown, policy-based firewall and ACL management (firewall policy), one-step VPN (site-to-site), and inline IPS
Guides untrained users through workflow
Introducing the SDM VPN Wizard Interface
Wizards for IPsec solutions
Individual IPsec components
Site-to-Site VPN Components
VPN wizards use two sources to create a VPN connection:
User input during the step-by-step wizard process
Preconfigured VPN components
SDM provides some default VPN components:
Two IKE policies
IPsec transform set for Quick Setup wizard
Other components are created by the VPN wizards.
Some components (e.g., PKI) must be configured before the wizards can be used.
Site-to-Site VPN Components (Cont.)
Two main components:
IPsec
IKE
Two optional components:
Group Policies for Easy VPN server functionality
Public Key Infrastructure for IKE authentication using digital certificates
Individual IPsec components used to build VPNs
Launching the Site-to-Site VPN Wizard
Launching the Site-to-Site VPN Wizard (Cont.)
Quick Setup
Quick Setup (Cont.)
Step-by-Step Setup
Multiple steps are used to configure the VPN connection:
Defining connection settings: Outside interface, peer address, authentication credentials
Defining IKE proposals: Priority, encryption algorithm, HMAC, authentication type, Diffie-Hellman group, lifetime
Defining IPsec transform sets: Encryption algorithm, HMAC, mode of operation, compression
Defining traffic to protect: Single source and destination subnets, ACL
Reviewing and completing the configuration
Connection Settings
IKE Proposals
Transform Set
Defining What Traffic to Protect
Option 1: Single Source and Destination Subnet
Option 2: Using an ACL
Completing the Configuration
Review the Generated Configuration
Test Tunnel Configuration and Operation
Advanced Monitoring
Advanced monitoring can be performed using the default Cisco IOS HTTP server interface.
Requires knowledge of Cisco IOS CLI commands.
router# show crypto isakmp sa
Lists active IKE sessions
router# show crypto ipsec sa
Lists active IPsec security associations
Troubleshooting
Advanced troubleshooting can be performed using the Cisco IOS CLI.
Requires knowledge of Cisco IOS CLI commands.
router# debug crypto isakmp
Debugs IKE communication
Generic Routing Encapsulation
OSI Layer 3 tunneling protocol:
Uses IP for transport
Uses an additional header to support any other OSI Layer 3 protocol as payload (e.g., IP, IPX, AppleTalk)
Default GRE Characteristics
Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE
Stateless (no flow control mechanisms)
No security (no confidentiality, data authentication, or integrity assurance)
24-byte overhead by default (20-byte IP header and 4-byte GRE header)
Optional GRE Extensions
GRE can optionally contain any one or more of these fields:
Tunnel checksum
Tunnel key
Tunnel packet sequence number
GRE keepalives can be used to track tunnel path status.
GRE Configuration Example
GRE tunnel is up and protocol up if:
Tunnel source and destination are configured
Tunnel destination is in routing table
GRE keepalives are received (if used)
GRE is the default tunnel mode.
Introducing Secure GRE Tunnels
GRE is good at tunneling:
Multiprotocol support
Provides virtual point-to-point connectivity, allowing routing protocols to be used
GRE is poor at security: only very basic plaintext authentication can be implemented using the tunnel key (not very secure)
GRE cannot accommodate typical security requirements:
Confidentiality
Data source authentication
Data integrity
IPsec Characteristics
IPsec provides what GRE lacks:
Confidentiality through encryption using symmetric algorithms (e.g., 3DES or AES)
Data source authentication using HMACs (e.g., MD5 or SHA-1)
Data integrity verification using HMACs
IPsec is not perfect at tunneling:
Older Cisco IOS software versions do not support IP multicast over IPsec
IPsec was designed to tunnel IP only (no multiprotocol support)
Using crypto maps to implement IPsec does not allow the usage of routing protocols across the tunnel
IPsec does not tunnel IP protocols; GRE does
GRE over IPsec
GRE over IPsec is typically used to do the following:
Create a logical hub-and-spoke topology of virtual point-to-point connections
Secure communication over an untrusted transport network (e.g., Internet)
GRE over IPsec Characteristics
GRE encapsulates arbitrary payload.
IPsec encapsulates unicast IP packet (GRE):
Tunnel mode (default): IPsec creates a new tunnel IP packet
Transport mode: IPsec reuses the IP header of the GRE packet (20 bytes less overhead)
Configuring GRE over IPsec Site-to-Site Tunnel Using SDM
Configuring GRE over IPsec Site-to-Site Tunnel Using SDM (Cont.)
Backup GRE Tunnel Information
VPN Authentication Information
IKE Proposals
Creating a Custom IKE Policy
Define all IKE policy parameters:
Priority
Encryption algorithm: DES, 3DES, AES
HMAC: SHA-1 or MD5
Authentication method: preshared secrets or digital certificates
Diffie-Hellman group: 1, 2, or 5
IKE lifetime
Transform Set
Routing Information
Option 1: Static Routing
Option 2: Dynamic Routing Using EIGRP
Option 3: Dynamic Routing Using OSPF
Completing the Configuration
Review the Generated Configuration
Review the Generated Configuration (Cont.)
Monitor Tunnel Operation
Advanced Monitoring
Advanced monitoring can be performed using the default Cisco IOS HTTP server interface.
Requires knowledge of Cisco IOS CLI commands.
router# show crypto isakmp sa
Lists active IKE sessions
router# show crypto ipsec sa
Lists active IPsec security associations
router# show interfaces
Lists interfaces and their statistics, including the statistics of tunnel interfaces
Troubleshooting
Advanced troubleshooting can be performed using the Cisco IOS CLI.
Requires knowledge of Cisco IOS CLI commands.
router# debug crypto isakmp
Debugs IKE communication
Summary
GRE is a multiprotocol tunneling technology.
SDM can be used to implement GRE over IPsec site-to-site VPNs.
Backup tunnels can be configured in addition to one primary tunnel.
Routing can be configured through the tunnel interfaces:
Static for simple sites
OSPF or EIGRP for more complex sites (more networks, multiple tunnels)
Upon completing the configuration, the SDM converts the configuration into the Cisco IOS CLI format.
High Availability for Cisco IOS IPsec VPNs
Failures
IPsec VPNs can experience any one of a number of different types of failures:
Access link failure
Remote peer failure
Device failure
Path failure
IPsec should be designed and implemented with redundancy and high-availability mechanisms to mitigate these failures.
Redundancy
Common solutions using one or more of these options:
Two access links to mitigate access-link failures
Multiple peers to mitigate peer failure
Two local VPN devices to mitigate device failures
Multiple independent paths to mitigate all path failures
Failure Detection
Native IPsec uses DPD to detect failures in the path and remote peer failure.
Any form of GRE over IPsec typically uses a routing protocol to detect failures (hello mechanism).
HSRP is typically used to detect failures of local devices. VRRP and GLBP have similar failure-detection functionality.
IPsec Backup Peer
One HA design option is to use native IPsec and its HA mechanisms:
DPD to detect failures
Backup peers to take over new tunnels when primary peer becomes unavailable
Configuration Example
Router will first try primary peer.
If primary peer is not available or becomes unavailable (DPD failure detection), the router tries backup peers in order as listed in the crypto map.
Hot Standby Routing Protocol
HSRP can be used at:
Headend: Two head-end IPsec devices appear as one to remote peers
Remote site: Two IPsec gateways appear as one to local devices
Active HSRP device uses a virtual IP and MAC address.
Standby HSRP device takes over virtual IP and MAC address when active HSRP device goes down.
HSRP for Head-End IPsec Routers
Remote sites peer with virtual IP address (HSRP) of the headend.
RRI or HSRP can be used on inside interface to ensure proper return path.
IPsec Stateful Failover
IPsec VPNs using DPD, HSRP, or IGPs to mitigate failures only provide stateless failover.
IPsec stateful failover requires:
Identical hardware and software configuration of IPsec on active and standby device
Exchange of IPsec state between active and standby device (i.e., complete SA information)
IPsec Stateful Failover (Cont.)
IPsec stateful failover works in combination with HSRP and SSO.
SSO is responsible for synchronizing the ISAKMP and IPsec SA database between HSRP active and standby routers.
RRI is optionally used to inject the routes into the internal network.
IPsec Stateful Failover Example
Configure IPC to exchange state information between head-end devices.
Enable stateful redundancy.
Summary
High availability requires two components:
Redundant devices, links, or paths
High availability mechanisms to detect failures and reroute
Native IPsec can be configured with backup peers in crypto maps in combination with DPD.
HSRP can be used instead of backup peers.
IPsec stateful failover can augment HSRP to minimize downtime upon head-end device failures.
IPsec VPNs can be used as a backup for other types of networks.
IPsec VPNs
Configuring Cisco Easy VPN and Easy VPN Server Using SDM
Introducing Cisco Easy VPN
Cisco Easy VPN has two main functions:
Simplify client configuration
Centralize client configuration and dynamically push the configuration to clients
How are these two goals achieved?
IKE Mode Config functionality is used to download some configuration parameters to clients.
Clients are preconfigured with a set of IKE policies and IPsec transform sets.
Cisco Easy VPN Components
Easy VPN Server: Enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs, in which the remote office devices are using the Cisco Easy VPN Remote feature
Easy VPN Remote: Enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Hardware Clients or Software Clients to act as remote VPN clients
Cisco Easy VPN Remote Connection Process
1. The VPN client initiates the IKE Phase 1 process.
2. The VPN client establishes an ISAKMP SA.
3. The Easy VPN Server accepts the SA proposal.
4. The Easy VPN Server initiates a username and password challenge.
5. The mode configuration process is initiated.
6. The RRI process is initiated.
7. IPsec quick mode completes the connection.
Step 2: The VPN Client Establishes an ISAKMP SA
The VPN client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server.
To reduce manual configuration on the VPN client, these ISAKMP proposals include several combinations of the following:
Encryption and hash algorithms
Authentication methods
Diffie-Hellman group sizes
Step 3: The Cisco Easy VPN Server Accepts the SA Proposal
The Easy VPN Server searches for a match:
The first proposal to match the server list is accepted (highest-priority match).
The most secure proposals are always listed at the top of the Easy VPN Server proposal list (highest priority).
The ISAKMP SA is successfully established.
Device authentication ends and user authentication begins.
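As an added example (not from the original slides), this Python models the server's proposal search described in steps 2 and 3, using the IKE policy parameters listed under "Creating a Custom IKE Policy": the client offers several ISAKMP proposals and the server accepts the first policy in its own priority-ordered list that any of them matches. Lifetime handling follows the IOS rule that a proposal matches if the client's lifetime does not exceed the server's and the shorter lifetime is then used. The policies and proposals are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not part of the original slides. Models the Easy VPN
# Server's ISAKMP proposal search: server policies are ordered by priority
# (lowest number = highest priority, most secure first) and the first
# server policy matched by any client proposal wins.

@dataclass(frozen=True)
class IkeProposal:
    encryption: str     # "des", "3des", "aes-128", "aes-256"
    hash: str           # "sha1" or "md5"
    auth: str           # "pre-share" or "rsa-sig"
    dh_group: int       # 1, 2 or 5
    lifetime: int       # seconds

@dataclass(frozen=True)
class ServerPolicy:
    priority: int
    proposal: IkeProposal

def proposal_matches(server: IkeProposal, client: IkeProposal) -> bool:
    """All parameters but lifetime must be identical; the client's lifetime
    must not exceed the server's (IOS then uses the shorter one)."""
    return (server.encryption == client.encryption
            and server.hash == client.hash
            and server.auth == client.auth
            and server.dh_group == client.dh_group
            and client.lifetime <= server.lifetime)

def negotiate(server_policies: List[ServerPolicy],
              client_proposals: List[IkeProposal]) -> Optional[IkeProposal]:
    """Return the accepted proposal with the negotiated lifetime, or None
    when no client proposal matches any server policy."""
    for policy in sorted(server_policies, key=lambda p: p.priority):
        for client in client_proposals:
            if proposal_matches(policy.proposal, client):
                s = policy.proposal
                return IkeProposal(s.encryption, s.hash, s.auth, s.dh_group,
                                   min(s.lifetime, client.lifetime))
    return None

# Constructed server policy list, strongest first as the slide recommends.
SERVER_POLICIES = [
    ServerPolicy(10, IkeProposal("aes-256", "sha1", "pre-share", 5, 86400)),
    ServerPolicy(20, IkeProposal("3des", "sha1", "pre-share", 2, 86400)),
    ServerPolicy(30, IkeProposal("des", "md5", "pre-share", 1, 86400)),
]

# Constructed client proposal set. The weakest entry is listed first on
# purpose: the order of the client list must not matter, because the
# server's priority order decides which match is accepted.
CLIENT_PROPOSALS = [
    IkeProposal("des", "md5", "pre-share", 1, 86400),
    IkeProposal("3des", "sha1", "pre-share", 2, 28800),
]
```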
Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge
If the Easy VPN Server is configured for Xauth, the VPN client waits for a username/password challenge:
The user enters a username/password combination.
The username/password information is checked against authentication entities using AAA.
All Easy VPN Servers should be configured to enforce user authentication.
Step 5: The Mode Configuration Process Is Initiated
If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining configuration parameters from the Easy VPN Server:
Mode configuration starts.
The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client.
Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.
Step 6: The RRI Process Is Initiated
RRI should be used when the following conditions occur:
More than one VPN server is used
Per-client static IP addresses are used with some clients (instead of using per-VPN-server IP pools)
RRI ensures the creation of static routes.
Redistributing static routes into an IGP allows the server-site routers to find the appropriate Easy VPN Server for return traffic to clients.
Step 7: IPsec Quick Mode Completes the Connection
After the configuration parameters have been successfully received by the VPN client, IPsec quick mode is initiated to negotiate IPsec SA establishment.
After IPsec SA establishment, the VPN connection is complete.
Cisco Easy VPN Server Configuration Tasks for the Easy VPN Server Wizard
The Easy VPN Server wizard includes these tasks:
Selecting the interface on which to terminate IPsec
IKE policies
Group policy lookup method
User authentication
Local group policies
IPsec transform set
Configuring Easy VPN Server
Use a browser to connect to the Easy VPN Server router. Click on the link to the SDM.
Prepare a design before implementing the VPN server:
IKE authentication method
User authentication method
IP addressing and routing for clients
Install all prerequisite services (depending on the chosen design), for example:
RADIUS/TACACS+ server
CA and enrollment with the CA
DNS resolution for the VPN server addresses
VPN Wizards
Enabling AAA
Local User Management
Creating Users
Enabling AAA
Starting the Easy VPN Server Wizard
IKE Proposals
Transform Set
Option 1: Local Router Configuration
Option 2: External Location via RADIUS
Option 2: External Location via RADIUS (Cont.)
User Authentication
Option 1: Local User Database
Local User Database: Adding Users
Option 2: External User Database via RADIUS
Local Group Policies
General Parameters
Domain Name System
Split Tunneling
7/28/2019 ISCW10S04 IPsec.ppt
206/237
1.
3.
4.
2.
5.
Advanced Options
7/28/2019 ISCW10S04 IPsec.ppt
207/237
1.
2.
3.
4.
Xauth Options
7/28/2019 ISCW10S04 IPsec.ppt
208/237
1.
2.
3.
4.
7/28/2019 ISCW10S04 IPsec.ppt
209/237
Completing the Configuration
Review the Generated Configuration
Review the Generated Configuration (Cont.)
Verify the Easy VPN Server Configuration
Verify the Easy VPN Server Configuration (Cont.)
Monitoring Easy VPN Server
Advanced Monitoring
Advanced monitoring can be performed using the default Cisco IOS HTTP server interface.
Requires knowledge of Cisco IOS CLI commands.
show crypto isakmp sa: Lists active IKE sessions
show crypto ipsec sa: Lists active IPsec security associations
Troubleshooting
Advanced troubleshooting can be performed using the Cisco IOS CLI.
Requires knowledge of Cisco IOS CLI commands.
debug crypto isakmp: Debugs IKE communication
debug aaa authentication: Debugs user authentication via local user database or RADIUS
debug aaa authorization: Debugs IKE Mode Config
debug radius: Debugs RADIUS communication
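The show crypto isakmp sa output above is what an operator reads by eye when monitoring the Easy VPN Server; the following Python is an added example (not from the slides or from Cisco) that parses that tabular output and sorts the listed IKE sessions into established, still-negotiating and deleted entries, so the check can be scripted instead. The sample output is constructed to mimic the command's table layout; the peer addresses are placeholders and the state names (QM_IDLE, MM_KEY_EXCH, MM_NO_STATE) are the IOS ISAKMP state labels the check relies on.

```python
import re
from typing import Dict, List

# Constructed sample of 'show crypto isakmp sa' output (not captured from a
# real router); addresses are documentation-range placeholders.
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        198.51.100.7    QM_IDLE           1001 ACTIVE
10.0.0.1        203.0.113.22    MM_NO_STATE       1002 ACTIVE (deleted)
10.0.0.1        192.0.2.44      QM_IDLE           1003 ACTIVE
10.0.0.1        192.0.2.99      MM_KEY_EXCH       1004 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# One SA row: dst, src, state, conn-id, then the status text to end of line.
ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<status>.+?)\s*$"
)


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """Return one dict per SA row; headers and blank lines are skipped."""
    matches = (ROW.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def summarize_ike_sessions(text: str) -> Dict[str, list]:
    """Group peers by where their IKE SA stands.

    QM_IDLE means Phase 1 completed and the SA is usable; any MM_*/AG_*
    state means the exchange is still in progress (or stuck, e.g. on a
    failed authentication); '(deleted)' marks an SA being torn down.
    """
    summary = {"established": [], "negotiating": [], "deleted": []}
    for sa in parse_isakmp_sa(text):
        if "deleted" in sa["status"]:
            summary["deleted"].append(sa["src"])
        elif sa["state"] == "QM_IDLE":
            summary["established"].append(sa["src"])
        else:
            summary["negotiating"].append((sa["src"], sa["state"]))
    return summary


if __name__ == "__main__":
    print(summarize_ike_sessions(SAMPLE_OUTPUT))
```

A peer that sits in the negotiating list across repeated polls is the one to follow up with debug crypto isakmp.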
Summary
Cisco Easy VPN consists of two components: Easy VPN Server and Easy VPN Remote.
Cisco Easy VPN Server can be configured using SDM.
If you are using a local IP address pool, you need to configure that pool for use with Easy VPN.
AAA is enabled for policy lookup.
ISAKMP policies are configured for VPN clients.
Summary (Cont.)
The steps for defining group policy include configuring the following:
Policy profile of the group that will be defined
Preshared key
DNS servers
WINS servers
DNS domain
Local IP address pool
Verify the Easy VPN operation.
IPsec VPNs
Implementing the Cisco VPN Client
Cisco VPN Client Configuration Tasks
1. Install Cisco VPN Client.
2. Create a new client connection entry.
3. Configure the client authentication properties.
4. Configure transparent tunneling.
5. Enable and add backup servers.
6. Configure a connection to the Internet through dial-up networking.
222/237
Use the Cisco VPNClient to Establish anRA VPN Connection
and Verify theConnection Status
7/28/2019 ISCW10S04 IPsec.ppt
223/237
Task 1: Install Cisco VPN Client
7/28/2019 ISCW10S04 IPsec.ppt
224/237
Task 2: Create a New ClientConnection Entry
1.
7/28/2019 ISCW10S04 IPsec.ppt
225/237
2.
Task 2: Create a New ClientConnection Entry (Cont.)
7/28/2019 ISCW10S04 IPsec.ppt
226/237
4.
6.
3.
5.
Task 3: Configure ClientAuthentication Properties
7/28/2019 ISCW10S04 IPsec.ppt
227/237
Authentication options:
Group preshared secrets (group name and group secret)
Mutual authentication (import CA certificate first; group name and secret)
Digital certificates (enroll with the CA first; select the certificate)
Mutual Group Authentication
Mutual authentication should be used instead of group preshared secrets.
Group preshared secrets are vulnerable to man-in-the-middle attacks if the attacker knows the group preshared secret.
Task 4: Configure Transparent Tunneling
On by default.
NAT-T enables IPsec and IKE over a standard UDP port 4500, allowing the VPN Client to be behind a NAT or PAT device.
Task 5: Enable and Add Backup Servers
List backup VPN servers to be used in case the primary VPN server is not reachable.
Task 6: Configure Connection to the Internet Through Dial-Up Networking
Optionally, tie a VPN connection to a dial-up connection defined in the Networking section of Windows.
Summary
You can install the VPN Client on your system through either of two different applications: InstallShield and MSI.
Connection entries include:
The VPN device (the remote server) to access
Preshared keys
Certificates
Optional parameters
Authentication methods include:
Group authentication
Mutual group authentication
Certificate authentication
Module Summary
The IKE protocol is a key management protocol standard used in conjunction with the IPsec standard.
IPsec is used to create secure remote access VPNs.
GRE is used to support non-IP protocols.
GRE can be run inside IPsec for added security.
SDM is an easy-to-use Internet browser-based device management tool that is embedded within the Cisco IOS 800-3800 Series access routers at no cost.
SDM has a unique Security Audit wizard that provides a comprehensive router security audit.
Module Summary (Cont.)
GRE is a tunneling protocol initially developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork.
The multiprotocol functionality is provided by adding an additional GRE header between the payload and the tunneling IP header.
IPsec VPNs requiring high availability should be designed and implemented with redundancy in order to survive single failures.
Cisco Easy VPN consists of two components: Cisco Easy VPN Server (can be configured using SDM) and Cisco Easy VPN Remote.
The Cisco VPN client software can be used to enable Microsoft Windows operating systems to use native IPsec.