
Netts_ISCW10S04 IPsec.ppt

Apr 03, 2018

Fabio Quintana
Transcript
  • 7/28/2019 Netts_ISCW10S04 IPsec.ppt

    1/57

    IPsec VPNs

    IPsec Components and IPsec VPN Features


    IPsec Overview


    What Is IPsec?

    IPsec is an IETF standard that employs cryptographic mechanisms at the network layer:

    Authentication of every IP packet

    Verification of data integrity for each packet

    Confidentiality of packet payload

    Consists of open standards for securing private communications

    Scales from small to very large networks

    Is available in Cisco IOS software version 11.3(T) and later

    Is included in PIX Firewall version 5.0 and later


    IPsec Security Features

    IPsec is the only standard Layer 3 technology that provides:

    Confidentiality

    Data integrity

    Authentication

    Replay detection


    IPsec Protocols

    IPsec uses three main protocols to create a security framework:

    Internet Key Exchange (IKE):

    Provides framework for negotiation of security parameters

    Establishment of authenticated keys

    Encapsulating Security Payload (ESP):

    Provides a framework for encrypting, authenticating, and securing data

    Authentication Header (AH):

    Provides a framework for authenticating and securing data (no encryption)


    IPsec Headers

    The IPsec headers provide the following:

    Authentication and data integrity (MD5 or SHA-1 HMAC) with both AH and ESP

    Confidentiality (DES, 3DES, or AES) only with ESP

    DES and MD5 are no longer considered adequate; prefer AES and a SHA-based HMAC wherever the platform supports them.


    Peer Authentication

    Peer authentication methods:

    Username and password

    One-time password (PIN/TAN)

    Biometric

    Preshared keys

    Digital certificates


    IPsec VPNs

    Site-to-Site IPsec VPN Operation



    Five Steps of IPsec


    Step 1: Interesting Traffic


    Step 2: IKE Phase 1


    IKE Policy

    Negotiates a matching IKE policy (IKE transform set) between the peers to protect the IKE exchange itself


    Authenticate Peer Identity

    Peer authentication methods:

    Preshared keys

    RSA signatures

    RSA encrypted nonces


    Step 3: IKE Phase 2

    Negotiates IPsec security parameters, IPsec transform sets

    Establishes IPsec SAs

    Periodically renegotiates IPsec SAs to ensure security

    Optionally, performs an additional Diffie-Hellman exchange


    IPsec Transform Sets

    A transform set is a combination of algorithms and protocols that enact a security policy for traffic.


    Security Associations

    SA database (an SA is identified by these three values):

    Destination IP address

    SPI

    Protocol (ESP or AH)

    Security policy database:

    Encryption algorithm

    Authentication algorithm

    Mode

    Key lifetime


    Site-to-Site IPsec Configuration: Phase 1


    Site-to-Site IPsec Configuration: Phase 2


    Site-to-Site IPsec Configuration: Apply VPN Configuration


    Site-to-Site IPsec Configuration: Interface ACL

    When filtering at the edge, there is not much to see:

    IKE: UDP port 500

    ESP and AH: IP protocol numbers 50 and 51, respectively

    With NAT traversal (NAT-T) enabled:

    UDP port 4500

    IPsec over TCP (the port number has to be configured)


    Site-to-Site IPsec Configuration: Interface ACL (Cont.)

    Router1#show access-lists
    access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20
    access-list 102 permit esp host 172.16.172.10 host 172.16.171.20
    access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp

    Ensure that IP protocols 50 and 51 and UDP port 500 traffic (plus UDP port 4500 when NAT-T is in use) is not blocked on the interfaces used by IPsec.


    Summary

    IPsec operation includes these steps: initiation of the IPsec process by interesting traffic, IKE Phase 1, IKE Phase 2, data transfer, and IPsec tunnel termination.

    To configure a site-to-site IPsec VPN: configure the ISAKMP policy, define the IPsec transform set, create a crypto ACL, create a crypto map, apply the crypto map, and configure the interface ACL.

    To define an IKE policy, use the crypto isakmp policy global configuration command.

    To define an acceptable combination of security protocols and algorithms used for IPsec, use the crypto ipsec transform-set global configuration command. To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command.

    Configure an ACL to permit the IPsec protocols (IP protocol 50 for ESP or 51 for AH) and the IKE protocol (UDP/500).
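    Putting the steps in this summary together, the following is a complete two-router configuration added here as a worked example; it is not taken from the slides or from Cisco's own documentation. The outside addresses 172.16.172.10 and 172.16.171.20 are the ones used in the page's interface ACL; the LAN subnets 10.1.1.0/24 and 10.2.2.0/24, the interface names, the object names and the preshared key are assumptions. It deliberately chooses AES-256, SHA-256 and DH group 14 instead of the DES/MD5/group 1 options the slides list, which requires a reasonably recent IOS image; the comments say what to fall back to on older ones.

```cisco
! Added example (not from the slides): site-to-site IPsec between Router1
! (outside 172.16.172.10, as in the page's ACL) and Router2 (172.16.171.20).
! LAN subnets, interface names, object names and the PSK are hypothetical.
!
! ===== Router1 =====
! Step 1: IKE Phase 1 (ISAKMP) policy. Lower number = tried first.
! Without an explicit policy IOS falls back to its default policy (DES,
! SHA-1, RSA signatures, DH group 1), which is weak; always define one.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Preshared key bound to the peer address (hypothetical value; use a long
! random secret, or certificates where a PKI is available).
crypto isakmp key R3place-Me-With-A-Random-Secret address 172.16.171.20
! NAT-T (UDP 4500) is on by default; keepalives keep NAT state alive.
crypto isakmp nat keepalive 20
!
! Step 2: IPsec transform set = the IKE Phase 2 proposal (ESP with AES and
! an HMAC, tunnel mode). esp-aes 256 / esp-sha256-hmac need IOS 15.x; older
! images only offer esp-des/esp-3des/esp-aes with esp-md5-hmac/esp-sha-hmac.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 3: crypto ACL = "interesting traffic". A matching packet triggers IKE
! and is protected; Router2 must hold the mirror image of this ACL.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 4: crypto map binds peer, transform set and crypto ACL together.
! "set pfs" adds the optional extra Diffie-Hellman exchange in Phase 2.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 172.16.171.20
 set transform-set TS-AES256-SHA256
 set pfs group14
 set security-association lifetime seconds 3600
 match address VPN-TRAFFIC
!
! Step 5: apply the crypto map (and the interface ACL) to the outside interface.
interface GigabitEthernet0/0
 ip address 172.16.172.10 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! Step 6: interface ACL. Only IKE (UDP 500), NAT-T (UDP 4500), ESP (IP
! protocol 50) and AH (IP protocol 51) from the known peer are permitted;
! everything else is logged and dropped. Drop the ahp line if AH is unused.
ip access-list extended OUTSIDE-IN
 permit udp host 172.16.171.20 host 172.16.172.10 eq isakmp
 permit udp host 172.16.171.20 host 172.16.172.10 eq non500-isakmp
 permit esp host 172.16.171.20 host 172.16.172.10
 permit ahp host 172.16.171.20 host 172.16.172.10
 deny ip any any log
!
! ===== Router2 (mirror image; only the lines that differ are shown;
! OUTSIDE-IN is the same with the two host addresses swapped) =====
crypto isakmp key R3place-Me-With-A-Random-Secret address 172.16.172.10
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 172.16.172.10
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 ip address 172.16.171.20 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! ===== Verification (run on either router) =====
! ping 10.2.2.1 source 10.1.1.1   <- generates interesting traffic
! show crypto isakmp sa           <- Phase 1: peer should be in state QM_IDLE
! show crypto ipsec sa            <- Phase 2: #pkts encaps / #pkts decaps rise
! show crypto map                 <- confirms peer, crypto ACL and interface
! debug crypto isakmp             <- if Phase 1 stalls (policy or PSK mismatch)
```

    Two checks worth making after pasting this in: the crypto ACLs on the two routers must be exact mirror images, otherwise Phase 2 fails with a proxy identity mismatch; and the interface ACL must be applied in the same place as the crypto map, because IPsec packets are checked by the inbound ACL before they are decrypted.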


    IPsec VPNs

    Configuring IPsec Site-to-Site VPN Using SDM


    Introducing the SDM VPN Wizard Interface


    Cisco Router and SDM


    Introducing the SDM VPN Wizard Interface

    Wizards for IPsec solutions

    Individual IPsec components


    Site-to-Site VPN Components

    Two main components:

    IPsec

    IKE

    Two optional components:

    Group Policies for Easy VPN server functionality

    Public Key Infrastructure for IKE authentication using digital certificates

    Individual IPsec components used to build VPNs


    Launching the Site-to-Site VPN Wizard


    Launching the Site-to-Site VPN Wizard (Cont.)


    Quick Setup


    Step-by-Step Setup

    Multiple steps are used to configure the VPN connection:

    Defining connection settings: outside interface, peer address, authentication credentials

    Defining IKE proposals: priority, encryption algorithm, HMAC, authentication type, Diffie-Hellman group, lifetime

    Defining IPsec transform sets: encryption algorithm, HMAC, mode of operation, compression

    Defining traffic to protect: a single source and destination subnet pair, or an ACL

    Reviewing and completing the configuration


    Connection Settings


    IKE Proposals


    Transform Set


    Defining What Traffic to Protect


    Option 2: Using an ACL


    Option 2: Using an ACL (Cont.)


    Completing the Configuration

    Review the Generated Configuration


    Test Tunnel Configuration and Operation
