ISCW10S04 IPsec.ppt

Apr 03, 2018

Fabio Quintana
Transcript
  • 7/28/2019 ISCW10S04 IPsec.ppt

    1/237

    IPsec VPNs

    IPsec Components and IPsec VPN Features


    IPsec Overview


    What Is IPsec?

    IPsec is an IETF standard that employs cryptographic mechanisms on the network layer:

    Authentication of every IP packet

    Verification of data integrity for each packet

    Confidentiality of packet payload

    Consists of open standards for securing private communications

    Scales from small to very large networks

    Is available in Cisco IOS software version 11.3(T) and later

    Is included in PIX Firewall version 5.0 and later


    IPsec Security Features

    IPsec is the only standard Layer 3 technology that provides:

    Confidentiality

    Data integrity

    Authentication

    Replay detection


    IPsec Protocols

    IPsec uses three main protocols to create a security framework:

    Internet Key Exchange (IKE):

    Provides framework for negotiation of security parameters

    Establishment of authenticated keys

    Encapsulating Security Payload (ESP):

    Provides framework for encrypting, authenticating, and securing of data

    Authentication Header (AH):

    Provides framework for authenticating and securing of data


    IPsec Headers

    The IPsec headers provide the following:

    Authentication and data integrity (MD5 or SHA-1 HMAC) with AH and ESP

    Confidentiality (DES, 3DES, or AES) only with ESP


    Peer Authentication

    Peer authentication methods:

    Username and password, OTP (PIN/TAN)

    Biometric

    Preshared keys

    Digital certificates


    Internet Key Exchange


    Internet Key Exchange

    IKE solves the problems of manual and unscalable implementation of IPsec by automating the entire key exchange process:

    Negotiation of SA characteristics

    Automatic key generation

    Automatic key refresh

    Manageable manual configuration


    IKE Phases

    Phase 1:

    Authenticate the peers

    Negotiate a bidirectional SA

    Main mode or aggressive mode

    Phase 1.5:

    Xauth

    Mode config

    Phase 2:

    IPsec SAs/SPIs

    Quick mode


    IKE Modes


    IKE: Other Functions


    IPsec and NAT: The Problem


    IPsec NAT Traversal

    Need NAT traversal with IPsec over TCP/UDP:

    NAT traversal detection

    NAT traversal decision

    UDP encapsulation of IPsec packets

    UDP encapsulated process for software engines


    Mode Configuration

    Mechanism used to push attributes to IPsec VPN clients


    Easy VPN

    Dynamically updated:

    Central services and security policy

    Offload VPN function from local devices

    Client and network extension mode

    Centralized control:

    Configuration and security policy pushed at the time of the VPN tunnel establishment


    Xauth

    Mechanism used for user authentication for VPN clients


    ESP and AH


    ESP and AH

    IPsec protocols:

    ESP or AH

    ESP uses IP protocol number 50

    AH uses IP protocol number 51

    IPsec modes:

    Tunnel or transport mode

    Tunnel mode creates a new additional IP header

    The Message is concatenated with a symmetric key


    AH Authentication and Integrity


    ESP Protocol

    Provides confidentiality with encryption

    Provides integrity with authentication


    Tunnel and Transport Mode


    Message Authentication and Integrity Check


    Message Authentication and Integrity Check Using Hash

    A MAC is used for message authentication and integrity check.

    Hashes are widely used for this purpose (HMAC).
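As an added illustration (not part of the original slides), the following Python shows how an HMAC tag is computed with a shared key and verified by the receiver, and why a packet with one flipped bit, or a tag made under a different key, fails the check. The key and message are constructed sample values; the 96-bit truncation mirrors what HMAC-MD5-96 and HMAC-SHA-1-96 carry in the AH and ESP integrity check value.

```python
import hashlib
import hmac

# Constructed sample values: a shared secret as both IPsec peers would hold
# in their SA, and a message standing in for a packet's protected bytes.
SHARED_KEY = b"example-shared-secret-not-a-real-key"
MESSAGE = b"protected bytes of an IP packet"

# AH and ESP carry only the first 96 bits of the HMAC-MD5 / HMAC-SHA-1 output.
ICV_BYTES = 12


def mac_tag(key: bytes, message: bytes, algorithm: str = "sha1") -> bytes:
    """Compute HMAC(key, message) with MD5 or SHA-1 (the hashes on the slides)."""
    return hmac.new(key, message, getattr(hashlib, algorithm)).digest()


def icv(key: bytes, message: bytes, algorithm: str = "sha1") -> bytes:
    """Truncated tag as carried in the packet's integrity check value."""
    return mac_tag(key, message, algorithm)[:ICV_BYTES]


def verify(key: bytes, message: bytes, tag: bytes, algorithm: str = "sha1") -> bool:
    """Recompute the tag and compare it in constant time; a plain == would
    leak, through timing, how many leading bytes of a guessed tag are right."""
    expected = mac_tag(key, message, algorithm)[: len(tag)]
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Genuine packet passes; one flipped bit or another key fails."""
    tag = icv(SHARED_KEY, MESSAGE)
    tampered = MESSAGE[:-1] + bytes([MESSAGE[-1] ^ 0x01])
    return {
        "sha1_tag_len": len(mac_tag(SHARED_KEY, MESSAGE)),        # 20
        "md5_tag_len": len(mac_tag(SHARED_KEY, MESSAGE, "md5")),  # 16
        "icv_len": len(tag),                                      # 12
        "genuine_ok": verify(SHARED_KEY, MESSAGE, tag),
        "tampered_ok": verify(SHARED_KEY, tampered, tag),
        "wrong_key_ok": verify(b"another-key", MESSAGE, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The receiver never decrypts or "checks" the tag directly; it recomputes the HMAC from the shared key and the received bytes and compares, which is why integrity and data-origin authentication come out of the same operation.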


    Symmetric vs. Asymmetric Encryption Algorithms


    Symmetric vs. Asymmetric Encryption Algorithms

    Symmetric algorithm:

    Secret key cryptography

    Encryption and decryption use the same key

    Typically used to encrypt the content of a message

    Examples: DES, 3DES, AES

    Asymmetric algorithm:

    Public key cryptography

    Encryption and decryption use different keys

    Typically used in digital certification and key management

    Example: RSA


    Key Lengths of Symmetric vs. Asymmetric Encryption Algorithms

    Symmetric Key Length (bits)    Asymmetric Key Length (bits)
     80                             1,024
    112                             2,048
    128                             3,072
    192                             7,680
    256                            15,360

    Comparable key lengths required for asymmetric keys compared to symmetric keys


    Symmetric Encryption: DES

    Symmetric key encryption algorithm

    Block cipher: Works on 64-bit data block, uses 56-bit key (last bit of each byte used for parity)

    Mode of operation: Apply DES to encrypt blocks of data


    Symmetric Encryption: 3DES

    168-bit total key length

    Mode of operation decides how to process DES three times

    Normally: encrypt, decrypt, encrypt

    3DES requires more processing than DES


    Symmetric Encryption: AES

    Formerly known as Rijndael

    Successor to DES and 3DES

    Symmetric key block cipher

    Strong encryption with long expected life

    AES can support 128-, 192-, and 256-bit keys; 128-bit key is considered safe


    Asymmetric Encryption: RSA

    Based on Diffie-Hellman key exchange (IKE) principles

    Public key to encrypt data, and to verify digital signatures

    Private key to decrypt data, and to sign with a digital signature

    Perfect for insecure communication channels


    Diffie-Hellman Key Exchange


    Diffie-Hellman Key Exchange (Cont.)


    X.509 v3 Certificate


    PKI Credentials

    How to store PKI credentials:

    RSA keys and certificates

    NVRAM

    eToken:

    Cisco 871, 1800, 2800, 3800 Series router

    Cisco IOS Release 12.3(14)T image

    Cisco USB eToken

    A k9 image


    Summary

    IPsec provides a mechanism for secure data transmission over IP networks.

    The IKE protocol is a key management protocol standard used in conjunction with the IPsec standard.

    IKE has some additional functions: DPD, NAT traversal, encapsulation in UDP packet, config mode, and Xauth.

    The two IP protocols used in the IPsec standard are ESP and AH.

    For message authentication and integrity check, an HMAC is used.

    The two types of encryption are symmetric encryption and asymmetric encryption.

    PKI provides customers with a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network.


    IPsec VPNs

    Site-to-Site IPsec VPN Operation


    Site-to-Site IPsec VPN Operations


    Five Steps of IPsec


    Step 2: IKE Phase 1


    IKE Policy

    Negotiates matching IKE transform sets to protect IKE exchange


    Diffie-Hellman Key Exchange


    Step 3: IKE Phase 2

    Negotiates IPsec security parameters, IPsec transform sets

    Establishes IPsec SAs

    Periodically renegotiates IPsec SAs to ensure security

    Optionally, performs an additional Diffie-Hellman exchange


    IPsec Transform Sets

    A transform set is a combination of algorithms and protocols that enact a security policy for traffic.


    SA Lifetime

    Data transmitted-based

    Time-based


    Configuring IPsec


    Configuration Steps for Site-to-Site IPsec VPN

    1. Establish ISAKMP policy

    2. Configure IPsec transform set

    3. Configure crypto ACL

    4. Configure crypto map

    5. Apply crypto map to the interface

    6. Configure interface ACL


    Site-to-Site IPsec Configuration: Phase 1


    Site-to-Site IPsec Configuration: Phase 1


    Site-to-Site IPsec Configuration: Phase 2


    Site-to-Site IPsec Configuration: Apply VPN Configuration


    Site-to-Site IPsec Configuration: Interface ACL


    Site-to-Site IPsec Configuration: Interface ACL

    When filtering at the edge, there is not much to see:

    IKE: UDP port 500

    ESP and AH: IP protocol numbers 50 and 51, respectively

    NAT transparency enabled:

    UDP port 4500

    TCP (port number has to be configured)

    Site-to-Site IPsec Configuration: Interface ACL (Cont.)

    Ensure that protocols 50 and 51 and UDP port 500 traffic is not blocked on interfaces used by IPsec.

    Router1#show access-lists
    access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20
    access-list 102 permit esp host 172.16.172.10 host 172.16.171.20
    access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp
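An added example (not from the slides): a small Python model of an interface ACL, seeded with the three entries of access-list 102 shown above, that sends one representative packet of each IPsec traffic type through it. It makes the caveat on this slide concrete: the entries on the slide pass AH, ESP and IKE, but once NAT transparency is enabled, UDP 4500 traffic hits the implicit deny until an entry for it is added. The Rule and Packet classes are this example's own; the addresses are the slide's.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# IP protocol numbers and UDP ports named on the slides.
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
PORT_ISAKMP, PORT_NAT_T = 500, 4500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # destination port, only for TCP/UDP


@dataclass(frozen=True)
class Rule:
    """One access-list entry; src/dst are host addresses or 'any',
    dport None means 'any port'."""
    action: str  # "permit" or "deny"
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def ipsec_kind(pkt: Packet) -> Optional[str]:
    """Classify a packet as one of the IPsec traffic types the edge must pass."""
    if pkt.proto == PROTO_ESP:
        return "ESP"
    if pkt.proto == PROTO_AH:
        return "AH"
    if pkt.proto == PROTO_UDP and pkt.dport == PORT_ISAKMP:
        return "IKE"
    if pkt.proto == PROTO_UDP and pkt.dport == PORT_NAT_T:
        return "NAT-T"
    return None


def audit_ipsec_path(rules: List[Rule], local: str, peer: str, nat_t: bool) -> Dict[str, str]:
    """Send one probe packet of each required type through the ACL and report
    the verdict per type, so a missing entry shows up before the tunnel fails."""
    probes = [
        Packet(local, peer, PROTO_ESP),
        Packet(local, peer, PROTO_AH),
        Packet(local, peer, PROTO_UDP, PORT_ISAKMP),
    ]
    if nat_t:
        probes.append(Packet(local, peer, PROTO_UDP, PORT_NAT_T))
    return {ipsec_kind(p): evaluate(rules, p) for p in probes}


# Constructed sample ACL mirroring the three entries of access-list 102 on the slide.
ACL_102 = [
    Rule("permit", PROTO_AH, "172.16.172.10", "172.16.171.20"),
    Rule("permit", PROTO_ESP, "172.16.172.10", "172.16.171.20"),
    Rule("permit", PROTO_UDP, "172.16.172.10", "172.16.171.20", PORT_ISAKMP),
]


if __name__ == "__main__":
    print(audit_ipsec_path(ACL_102, "172.16.172.10", "172.16.171.20", nat_t=False))
    print(audit_ipsec_path(ACL_102, "172.16.172.10", "172.16.171.20", nat_t=True))
```

Running the audit with nat_t=True is the check worth keeping around: the three slide entries are enough for a peer that is not behind NAT, and the "deny" on NAT-T is exactly the symptom (Phase 1 completes, then traffic never flows) that the slide's warning is about.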


    Summary

    IPsec operation includes these steps: initiation by interesting traffic of the IPsec process, IKE Phase 1, IKE Phase 2, data transfer, and IPsec tunnel termination.

    To configure a site-to-site IPsec VPN: Configure the ISAKMP policy, define the IPsec transform set, create a crypto ACL, create a crypto map, apply crypto map, and configure ACL.

    To define an IKE policy, use the crypto isakmp policy global configuration command.

    To define an acceptable combination of security protocols and algorithms used for IPsec, use the crypto ipsec transform-set global configuration command.

    To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command.

    Configure an ACL to enable the IPsec protocols (protocol 50 for ESP or 51 for AH) and IKE protocol (UDP/500).


    IPsec VPNs

    Configuring IPsec Site-to-Site VPN Using SDM


    Introducing the SDM VPN Wizard Interface


    Cisco Router and SDM


    Cisco SDM Features

    Smart wizards for these frequent router and security configuration issues:

    Avoid misconfigurations with integrated routing and security

    Secure the existing network infrastructure easily and cost-effectively

    Uses Cisco TAC- and ICSA-recommended security configurations

    Startup wizard, one-step router lockdown, policy-based firewall and ACL management (firewall policy), one-step VPN (site-to-site), and inline IPS

    Guides untrained users through workflow


    Introducing the SDM VPN Wizard Interface


    Wizards for IPsec solutions

    Individual IPsec components


    Site-to-Site VPN Components


    Site-to-Site VPN Components

    VPN wizards use two sources to create a VPN connection:

    User input during the step-by-step wizard process

    Preconfigured VPN components

    SDM provides some default VPN components:

    Two IKE policies

    IPsec transform set for Quick Setup wizard

    Other components are created by the VPN wizards.

    Some components (e.g., PKI) must be configured before the wizards can be used.


    Site-to-Site VPN Components (Cont.)

    Two main components:

    IPsec

    IKE

    Two optional components:

    Group Policies for Easy VPN server functionality

    Public Key Infrastructure for IKE authentication using digital certificates

    Individual IPsec components used to build VPNs



    Launching the Site-to-Site VPN Wizard

    Launching the Site-to-Site VPN Wizard (Cont.)


    Quick Setup


    Quick Setup (Cont.)


    Step-by-Step Setup

    Multiple steps are used to configure the VPN connection:

    Defining connection settings: Outside interface, peer address, authentication credentials

    Defining IKE proposals: Priority, encryption algorithm, HMAC, authentication type, Diffie-Hellman group, lifetime

    Defining IPsec transform sets: Encryption algorithm, HMAC, mode of operation, compression

    Defining traffic to protect: Single source and destination subnets, ACL

    Reviewing and completing the configuration


    Connection Settings


    Connection Settings


    IKE Proposals


    IKE Proposals


    Transform Set


    Transform Set


    Defining What Traffic to Protect

    Option 1: Single Source and Destination Subnet



    Option 2: Using an ACL


    Option 2: Using an ACL (Cont.)


    Option 2: Using an ACL (Cont.)


    Completing the Configuration


    Review the Generated Configuration


    Review the Generated Configuration (Cont.)


    Test Tunnel Configuration and Operation


    Advanced Monitoring


    Advanced Monitoring

    Advanced monitoring can be performed using the default Cisco IOS HTTP server interface.

    Requires knowledge of Cisco IOS CLI commands.

    router# show crypto isakmp sa
    Lists active IKE sessions

    router# show crypto ipsec sa
    Lists active IPsec security associations


    Troubleshooting

    router# debug crypto isakmp
    Debugs IKE communication

    Advanced troubleshooting can be performed using the Cisco IOS CLI.

    Requires knowledge of Cisco IOS CLI commands.


    Generic Routing Encapsulation


    Generic Routing Encapsulation

    OSI Layer 3 tunneling protocol:

    Uses IP for transport

    Uses an additional header to support any other OSI Layer 3 protocol as payload (e.g., IP, IPX, AppleTalk)


    Default GRE Characteristics

    Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE

    Stateless (no flow control mechanisms)

    No security (no confidentiality, data authentication, or integrity assurance)

    24-byte overhead by default (20-byte IP header and 4-byte GRE header)


    Optional GRE Extensions

    GRE can optionally contain any one or more of these fields:

    Tunnel checksum

    Tunnel key

    Tunnel packet sequence number

    GRE keepalives can be used to track tunnel path status.
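Added example, not from the slides: a Python parser and builder for the GRE header discussed on the last two slides (RFC 2784 with the RFC 2890 key and sequence-number extensions). It shows how the C, K and S flag bits select the optional checksum, key and sequence fields, how the header grows from the 4-byte default, and how a receiver validates the tunnel checksum. The field layout is from those RFCs; the inner payload, key and sequence values are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Flag bits in the first 16-bit word of the GRE header (RFC 2784 / RFC 2890):
# C = checksum present, K = key present, S = sequence number present.
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000
ETHERTYPE_IPV4 = 0x0800
OUTER_IP_HEADER = 20  # bytes of delivery IP header in front of GRE


@dataclass(frozen=True)
class GreHeader:
    protocol: int
    checksum_ok: Optional[bool]  # None when no checksum field is present
    key: Optional[int]
    sequence: Optional[int]
    length: int                  # GRE header bytes: 4 plus 4 per option


def internet_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (the IP checksum, RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_gre(packet: bytes) -> GreHeader:
    """Decode the GRE header at the start of `packet` (GRE header + payload)."""
    if len(packet) < 4:
        raise ValueError("GRE header truncated")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled here")
    need = 4 + sum(4 for bit in (FLAG_C, FLAG_K, FLAG_S) if flags & bit)
    if len(packet) < need:
        raise ValueError("GRE optional fields truncated")
    offset = 4
    checksum_ok = key = sequence = None
    if flags & FLAG_C:
        # The checksum covers header and payload; a correct one sums to zero.
        checksum_ok = internet_checksum(packet) == 0
        offset += 4  # 2-byte checksum + 2-byte reserved1
    if flags & FLAG_K:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_S:
        sequence = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    return GreHeader(protocol, checksum_ok, key, sequence, offset)


def build_gre(protocol: int, payload: bytes, key: Optional[int] = None,
              sequence: Optional[int] = None, with_checksum: bool = False) -> bytes:
    """Encapsulate `payload` with the requested optional fields."""
    flags = 0
    options = b""
    if key is not None:
        flags |= FLAG_K
        options += struct.pack("!I", key)
    if sequence is not None:
        flags |= FLAG_S
        options += struct.pack("!I", sequence)
    if not with_checksum:
        return struct.pack("!HH", flags, protocol) + options + payload
    flags |= FLAG_C
    base = struct.pack("!HH", flags, protocol)
    csum = internet_checksum(base + b"\x00\x00\x00\x00" + options + payload)
    return base + struct.pack("!HH", csum, 0) + options + payload


def tunnel_overhead(header: GreHeader) -> int:
    """Bytes added in front of the inner packet: outer IP header plus GRE."""
    return OUTER_IP_HEADER + header.length


# Constructed inner packet; any Layer 3 payload would do.
INNER = b"constructed inner packet"

if __name__ == "__main__":
    plain = parse_gre(build_gre(ETHERTYPE_IPV4, INNER))
    full = parse_gre(build_gre(ETHERTYPE_IPV4, INNER, key=0x1234, sequence=7, with_checksum=True))
    print(tunnel_overhead(plain), tunnel_overhead(full))  # 24 36
```

Note what the checksum and key do and do not buy: the checksum catches accidental corruption only, and the key is a plaintext field that anyone on the path can read, which is the "not very secure" point the next slides make before adding IPsec around GRE.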


    GRE Configuration Example

    GRE tunnel is up and protocol up if:

    Tunnel source and destination are configured

    Tunnel destination is in routing table

    GRE keepalives are received (if used)

    GRE is the default tunnel mode.


    Introducing Secure GRE Tunnels


    GRE is good at tunneling: Multiprotocol support

    Provides virtual point-to-point connectivity, allowingrouting protocols to be used

    GRE is poor at security: only very basic plaintext authentication can be implemented using the tunnel key (not very secure)

    GRE cannot accommodate typical security requirements:

    Confidentiality

    Data source authentication

    Data integrity

    IPsec Characteristics


    IPsec provides what GRE lacks:

    Confidentiality through encryption using symmetric algorithms (e.g., 3DES or AES)

    Data source authentication using HMACs (e.g., MD5 or SHA-1)

    Data integrity verification using HMACs

    IPsec is not perfect at tunneling:

    Older Cisco IOS software versions do not support IP multicast over IPsec

    IPsec was designed to tunnel IP only (no multiprotocol support)

    Using crypto maps to implement IPsec does not allow the usage of routing protocols across the tunnel

    IPsec does not tunnel IP protocols; GRE does

    GRE over IPsec


    GRE over IPsec is typically used to do the following:

    Create a logical hub-and-spoke topology of virtual point-to-point connections

    Secure communication over an untrusted transport network (e.g., Internet)

    GRE over IPsec Characteristics


    GRE encapsulates arbitrary payload.

    IPsec encapsulates unicast IP packet (GRE):

    Tunnel mode (default): IPsec creates a new tunnel IP packet

    Transport mode: IPsec reuses the IP header of the GRE (20 bytes less overhead)


    Configuring GRE over IPsec Site-to-Site Tunnel Using SDM



    Configuring GRE over IPsec Site-to-Site Tunnel Using SDM (Cont.)



    Backup GRE Tunnel Information



    VPN Authentication Information



    IKE Proposals


    Creating a Custom IKE Policy


    Define all IKE policy parameters:

    Priority

    Encryption algorithm: DES, 3DES, AES

    HMAC: SHA-1 or MD5

    Authentication method: preshared secrets or digital certificates

    Diffie-Hellman group: 1, 2, or 5

    IKE lifetime


    Transform Set



    Routing Information


    Option 1: Static Routing


    Option 2: Dynamic Routing Using EIGRP


    Option 3: Dynamic Routing Using OSPF


    Completing the Configuration


    Review the Generated Configuration (Cont.)


    Monitor Tunnel Operation


    Advanced Monitoring


    Advanced monitoring can be performed using the default Cisco IOS HTTP server interface.

    Requires knowledge of Cisco IOS CLI commands.

    router# show crypto isakmp sa
    Lists active IKE sessions

    router# show crypto ipsec sa
    Lists active IPsec security associations

    router# show interfaces
    Lists interface and the statistics including the statistics of tunnel interfaces

    Troubleshooting


    router# debug crypto isakmp
    Debugs IKE communication

    Advanced troubleshooting can be performed using the Cisco IOS CLI.

    Requires knowledge of Cisco IOS CLI commands.

    Summary


    GRE is a multiprotocol tunneling technology.

    SDM can be used to implement GRE over IPsec site-to-site VPNs.

    Backup tunnels can be configured in addition to one primary tunnel.

    Routing can be configured through the tunnel interfaces:

    Static for simple sites

    OSPF or EIGRP for more complex sites (more networks, multiple tunnels)

    Upon completing the configuration, the SDM converts the configuration into the Cisco IOS CLI format.


    High Availability for Cisco IOS IPsec VPNs

    Failures


    IPsec VPNs can experience any one of a number of different types of failures:

    Access link failure

    Remote peer failure

    Device failure

    Path failure

    IPsec should be designed and implemented with redundancy and high-availability mechanisms to mitigate these failures.

    Redundancy


    Common solutions using one or more of these options:

    Two access links to mitigate access-link failures

    Multiple peers to mitigate peer failure

    Two local VPN devices to mitigate device failures

    Multiple independent paths to mitigate all path failures

    Failure Detection


    Native IPsec uses DPD to detect failures in the path and remote peer failure.

    Any form of GRE over IPsec typically uses a routing protocol to detect failures (hello mechanism).

    HSRP is typically used to detect failures of local devices. VRRP and GLBP have similar failure-detection functionality.


    IPsec Backup Peer


    One HA design option is to use native IPsec and its HA mechanisms:

    DPD to detect failures

    Backup peers to take over new tunnels when primary peer becomes unavailable

    Configuration Example


    Router will first try primary peer.

    If primary peer is not available or becomes unavailable (DPD failure detection), the router tries backup peers in order as listed in the crypto map.


    Hot Standby Routing Protocol


    HSRP can be used at:

    Headend: Two head-end IPsec devices appear as one to remote peers

    Remote site: Two IPsec gateways appear as one to local devices

    Active HSRP device uses a virtual IP and MAC address.

    Standby HSRP device takes over virtual IP and MAC address when active HSRP device goes down.


    HSRP for Head-End IPsec Routers


    Remote sites peer with virtual IP address (HSRP) of the headend.

    RRI or HSRP can be used on inside interface to ensure proper return path.


    IPsec Stateful Failover


    IPsec VPNs using DPD, HSRP, or IGPs to mitigate failures only provide stateless failover.

    IPsec stateful failover requires:

    Identical hardware and software configuration of IPsec on active and standby device

    Exchange of IPsec state between active and standby device (i.e., complete SA information)

    IPsec Stateful Failover (Cont.)


    IPsec stateful failover works in combination with HSRP and SSO.

    SSO is responsible to synchronize ISAKMP and IPsec SA database between HSRP active and standby routers.

    RRI is optionally used to inject the routes into the internal network.

    IPsec Stateful Failover Example


    Configure IPC to exchange state information between head-end devices.

    Enable stateful redundancy.


    Summary


    High availability requires two components:

    Redundant device, links, or paths

    High availability mechanisms to detect failures and reroute

    Native IPsec can be configured with backup peers in crypto maps in combination with DPD.

    HSRP can be used instead of backup peers.

    IPsec stateful failover can augment HSRP to minimize downtime upon head-end device failures.

    IPsec VPNs can be used as a backup for other types of networks.


    IPsec VPNs

    Configuring Cisco Easy VPN and Easy VPN Server Using SDM


    Introducing Cisco Easy VPN


    Cisco Easy VPN has two main functions:

    Simplify client configuration

    Centralize client configuration and dynamically push the configuration to clients

    How are these two goals achieved?

    IKE Mode Config functionality is used to download some configuration parameters to clients.

    Clients are preconfigured with a set of IKE policies and IPsec transform sets.

    Cisco Easy VPN Components


    Easy VPN Server: Enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs, in which the remote office devices are using the Cisco Easy VPN Remote feature

    Easy VPN Remote: Enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Hardware Clients or Software Clients to act as remote VPN clients


    Cisco Easy VPN Remote Connection Process


    1. The VPN client initiates the IKE Phase 1 process.

    2. The VPN client establishes an ISAKMP SA.

    3. The Easy VPN Server accepts the SA proposal.

    4. The Easy VPN Server initiates a username and password challenge.

    5. The mode configuration process is initiated.

    6. The RRI process is initiated.

    7. IPsec quick mode completes the connection.


    Step 2: The VPN Client Establishes an ISAKMP SA


    The VPN client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server.

    To reduce manual configuration on the VPN client, these ISAKMP proposals include several combinations of the following:

    Encryption and hash algorithms

    Authentication methods

    Diffie-Hellman group sizes

Step 3: The Cisco Easy VPN Server Accepts the SA Proposal

    The Easy VPN Server searches for a match:

    The first proposal to match the server list is accepted (highest-priority match).

The most secure proposals are always listed at the top of the Easy VPN Server proposal list (highest priority).

    The ISAKMP SA is successfully established.

    Device authentication ends and user authentication begins.

Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge

If the Easy VPN Server is configured for Xauth, the VPN client waits for a username/password challenge:

    The user enters a username/password combination.

The username/password information is checked against authentication entities using AAA.

All Easy VPN Servers should be configured to enforce user authentication.

Step 5: The Mode Configuration Process Is Initiated

If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining configuration parameters from the Easy VPN Server:

    Mode configuration starts.

The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client.

Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.

    Step 6: The RRI Process Is Initiated

    RRI should be used when the following conditions occur:

    More than one VPN server is used

Per-client static IP addresses are used with some clients (instead of using per-VPN-server IP pools)

    RRI ensures the creation of static routes.

Redistributing these static routes into an IGP allows the routers at the server site to find the appropriate Easy VPN Server for return traffic to clients.

Step 7: IPsec Quick Mode Completes the Connection

After the configuration parameters have been successfully received by the VPN client, IPsec quick mode is initiated to negotiate IPsec SA establishment.

After IPsec SA establishment, the VPN connection is complete.
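The proposal selection from Steps 2 and 3 of the connection process, as an added example that is not part of the course material: a server policy list kept in priority order, a constructed set of client proposals, the first-match rule, and a defender's check on what was actually negotiated. The policy fields and the weak-algorithm list are simplifications assumed for this illustration, not the IOS data model.

```python
# Added example (not from the course slides): models how an Easy VPN Server
# picks an ISAKMP (IKE Phase 1) policy from the proposals a client sends.
# Policy fields and the weak-algorithm list are simplifications for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class IkePolicy:
    encryption: str  # e.g. "aes-256", "3des", "des"
    hash: str        # e.g. "sha", "md5"
    auth: str        # e.g. "pre-share", "rsa-sig"
    dh_group: int    # Diffie-Hellman group number

# Server policy list in priority order (lowest IOS priority number first);
# the strongest proposals belong at the top, as the slides recommend.
SERVER_POLICIES = [
    IkePolicy("aes-256", "sha", "pre-share", 5),
    IkePolicy("aes-128", "sha", "pre-share", 2),
    IkePolicy("3des", "sha", "pre-share", 2),
    IkePolicy("3des", "md5", "pre-share", 2),
]

# Constructed client proposal set: Easy VPN clients send several
# combinations so that little has to be configured on the client side.
CLIENT_PROPOSALS = [
    IkePolicy("3des", "md5", "pre-share", 2),
    IkePolicy("3des", "sha", "pre-share", 2),
    IkePolicy("aes-128", "sha", "pre-share", 2),
]

def select_policy(server_policies, client_proposals):
    """Return the highest-priority server policy matched exactly by any
    client proposal, or None when nothing matches (Phase 1 fails)."""
    offered = set(client_proposals)
    for policy in server_policies:  # walk the server list top-down
        if policy in offered:
            return policy
    return None

def weak_reasons(policy):
    """Defender's check: why a negotiated policy should be tightened."""
    reasons = []
    if policy.encryption == "des":
        reasons.append("single DES encryption")
    if policy.hash == "md5":
        reasons.append("MD5 HMAC")
    if policy.dh_group == 1:
        reasons.append("DH group 1 (768-bit)")
    return reasons
```

With the lists above the server settles on AES-128/SHA/group 2 even though the client also offered 3DES/MD5, because the server list, not the client's ordering, decides.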

Cisco Easy VPN Server Configuration Tasks

Cisco Easy VPN Server Configuration Tasks for the Easy VPN Server Wizard

The Easy VPN Server wizard includes these tasks:

Selecting the interface on which to terminate IPsec

IKE policies

Group policy lookup method

User authentication

Local group policies

IPsec transform set

Configuring Easy VPN Server

    Use a browser to connect to the Easy VPN Server router. Click on the link to the SDM.

    Prepare a design before implementing the VPN server:

    IKE authentication method

    User authentication method

    IP addressing and routing for clients

Install all prerequisite services (depending on the chosen design), for example:

    RADIUS/TACACS+ server

    CA and enrollment with the CA

    DNS resolution for the VPN server addresses

    VPN Wizards

    Enabling AAA

    Local User Management

    Creating Users

    Enabling AAA

    Starting the Easy VPN Server Wizard

IKE Proposals

  • 7/28/2019 ISCW10S04 IPsec.ppt

    192/237

Transform Set

  • 7/28/2019 ISCW10S04 IPsec.ppt

    194/237

    Option 1: Local Router Configuration

    Option 2: External Location via RADIUS

Option 2: External Location via RADIUS (Cont.)

    User Authentication

    Option 1: Local User Database

Local User Database: Adding Users

Option 2: External User Database via RADIUS

Local Group Policies

    General Parameters

    Domain Name System

    Split Tunneling

    Advanced Options

    Xauth Options

Completing the Configuration

    Review the Generated Configuration

    Review the Generated Configuration (Cont.)

    Verify the Easy VPN Server Configuration

Verify the Easy VPN Server Configuration (Cont.)

    Monitoring Easy VPN Server

Advanced Monitoring

Advanced monitoring can be performed using the default Cisco IOS HTTP server interface.

Requires knowledge of Cisco IOS CLI commands.

router# show crypto isakmp sa
Lists active IKE sessions

router# show crypto ipsec sa
Lists active IPsec security associations

Troubleshooting

Advanced troubleshooting can be performed using the Cisco IOS CLI.

Requires knowledge of Cisco IOS CLI commands.

router# debug crypto isakmp
Debugs IKE communication

router# debug aaa authentication
Debugs user authentication via local user database or RADIUS

router# debug aaa authorization
Debugs IKE Mode Config

router# debug radius
Debugs RADIUS communication
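An added example (not from the slides) that turns the output of the show crypto isakmp sa monitoring command listed above into records and flags IKE SAs that never reached QM_IDLE, the steady state of a completed Phase 1. The sample output is constructed for this illustration and follows the column layout IOS prints for the command; the peer addresses are documentation ranges.

```python
# Added example (not from the course slides): parses the output of the IOS
# "show crypto isakmp sa" command into records and flags IKE SAs that are not
# in QM_IDLE, the steady state reached once Phase 1 has completed.
# The sample output below is constructed for this illustration.
import re

SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       198.51.100.7    QM_IDLE           1001 ACTIVE
192.0.2.1       198.51.100.9    MM_KEY_EXCH       1002 ACTIVE
192.0.2.1       203.0.113.5     MM_NO_STATE       1003 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# One SA row: destination, source, ISAKMP state, connection id, status text.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(.*)$")

def parse_isakmp_sa(text):
    """Return one dict per SA row; section titles and the header are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        dst, src, state, conn_id, status = m.groups()
        records.append({"dst": dst, "src": src, "state": state,
                        "conn_id": int(conn_id), "status": status.strip()})
    return records

def stuck_sessions(records):
    """SAs whose Phase 1 never completed (any MM_* or AG_* state). Repeated
    entries like this from one peer point to a policy or key mismatch."""
    return [r for r in records if r["state"] != "QM_IDLE"]

if __name__ == "__main__":
    for r in stuck_sessions(parse_isakmp_sa(SAMPLE_OUTPUT)):
        print(f"peer {r['src']} stuck in {r['state']} ({r['status']})")
```

A peer that keeps appearing in MM_NO_STATE is the case to follow up with debug crypto isakmp from the troubleshooting list above.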

Summary

Cisco Easy VPN consists of two components: Easy VPN Server and Easy VPN Remote.

    Cisco Easy VPN Server can be configured using SDM.

If you are using a local IP address pool, you need to configure that pool for use with Easy VPN.

    AAA is enabled for policy lookup.

    ISAKMP policies are configured for VPN clients.

Summary (Cont.)

The steps for defining group policy include configuring the following:

    Policy profile of the group that will be defined

    Preshared key

    DNS servers

    WINS servers

    DNS domain

    Local IP address pool

    Verify the Easy VPN operation.

    IPsec VPNs

    Implementing the Cisco VPN Client

Cisco VPN Client Configuration Tasks

1. Install Cisco VPN Client.

    2. Create a new client connection entry.

    3. Configure the client authentication properties.

    4. Configure transparent tunneling.

    5. Enable and add backup servers.

6. Configure a connection to the Internet through dial-up networking.

Use the Cisco VPN Client to Establish an RA VPN Connection and Verify the Connection Status

    Task 1: Install Cisco VPN Client

Task 2: Create a New Client Connection Entry
Task 2: Create a New Client Connection Entry (Cont.)
Task 3: Configure Client Authentication Properties

    Authentication options:

    Group preshared secrets (group name and group secret)

    Mutual authentication (import CA certificate first; group name and secret)

    Digital certificates (enroll with the CA first; select the certificate)

    Mutual Group Authentication

Mutual authentication should be used instead of group preshared secrets.

Group preshared secrets are vulnerable to man-in-the-middle attacks if the attacker knows the group preshared secret.

    Task 4: Configure Transparent Tunneling

    On by default.

NAT-T enables IPsec and IKE over a standard UDP port 4500, allowing the VPN Client to be behind a NAT or PAT device.

    Task 5: Enable and Add Backup Servers

List backup VPN servers to be used in case the primary VPN server is not reachable.
Task 6: Configure Connection to the Internet Through Dial-Up Networking

Optionally, tie a VPN connection to a dial-up connection defined in the Networking section of Windows.

Summary

You can install the VPN Client on your system through either of two different applications: InstallShield and MSI.

    Connection entries include:

    The VPN device (the remote server) to access

    Preshared keys

    Certificates

    Optional parameters

    Authentication methods include:

    Group authentication

    Mutual group authentication

    Certificate authentication

    Module Summary

The IKE protocol is a key management protocol standard used in conjunction with the IPsec standard.

    IPsec is used to create secure remote access VPNs.

    GRE is used to support non-IP protocols.

    GRE can be run inside IPsec for added security.

SDM is an easy-to-use Internet browser-based device management tool that is embedded within the Cisco IOS 800-3800 Series access routers at no cost.

SDM has a unique Security Audit wizard that provides a comprehensive router security audit.

    Module Summary (Cont.)

GRE is a tunneling protocol initially developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork.

The multiprotocol functionality is provided by adding an additional GRE header between the payload and the tunneling IP header.

IPsec VPNs requiring high availability should be designed and implemented with redundancy in order to survive single failures.

Cisco Easy VPN consists of two components: Cisco Easy VPN Server (can be configured using SDM) and Cisco Easy VPN Remote.

The Cisco VPN Client software can be used to enable Microsoft Windows operating systems to use native IPsec.
