Vpn site to site

Nov 19, 2014
Transcript
Page 1: Vpn site to site

© 2001, Cisco Systems, Inc.

Cisco VPN Solutions

Page 2: Vpn site to site

VPN Overview © 2001, Cisco Systems, Inc. www.cisco.com/go/vpn

Agenda

• Introduction to IPSec
• IPSec VPN Topologies
• Cisco Site-to-Site VPN Solutions

Page 3: Vpn site to site

IPSec Design Guide

http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/iptoc_dg.htm

Page 4: Vpn site to site

IPSec Overview

• Initiating the IPSec session
  Phase one—exchanging keys
  Phase two—setting up security associations
• Encrypting/decrypting packets
• Rebuilding security associations
  Timing out security associations
• Simple IPSec configuration

Page 5: Vpn site to site

Initiating the IPSec Session: Phase One—ISAKMP

• Internet Security Association Key Management Protocol (ISAKMP)
• Both sides need to agree on the ISAKMP security parameters

ISAKMP parameters:
  Encryption algorithm
  Hash algorithm
  Authentication method
  Diffie-Hellman modulus group
  Lifetime

Page 6: Vpn site to site

Initiating the IPSec Session: Phase Two—IPSec

• Both sides need to agree on the IPSec security parameters

IPSec parameters:
  IPSec peer: endpoint of the IPSec tunnel
  IPSec proxy: traffic to be encrypted/decrypted
  IPSec transform: encryption and hashing
  IPSec lifetime: phase two SA regeneration time

Page 7: Vpn site to site

Encrypting and Decrypting Packets

• Phase one and phase two complete
• Security Associations (SA) are created at both IPSec endpoints
• Using the negotiated SA information:
  Outbound packets are encrypted
  Inbound packets are decrypted

Page 8: Vpn site to site

Rebuilding Security Associations

• To ensure that keys are not compromised, they are periodically refreshed
• Security associations will be rebuilt when:
  The lifetime expires, or
  Data volume has been exceeded, or
  Another SA is attempted with identical parameters

Page 9: Vpn site to site

Simple IPSec Configuration

Router at 200.1.1.2 (LAN 10.1.2.0/24):

  crypto isakmp policy 1
   authentication pre-share
   hash md5
  crypto isakmp key cisco123 address 192.1.1.1
  crypto ipsec transform-set trans1 esp-des esp-md5-hmac
  crypto map vpnmap 10 ipsec-isakmp
   set peer 192.1.1.1
   set transform-set trans1
   match address 101
  interface Ethernet0
   ip address 10.1.2.1 255.255.255.0
  interface Ethernet1
   ip address 200.1.1.2 255.255.255.0
   crypto map vpnmap
  access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Router at 192.1.1.1 (LAN 10.1.1.0/24):

  crypto isakmp policy 1
   authentication pre-share
   hash md5
  crypto isakmp key cisco123 address 200.1.1.2
  crypto ipsec transform-set trans1 esp-des esp-md5-hmac
  crypto map vpnmap 10 ipsec-isakmp
   set peer 200.1.1.2
   set transform-set trans1
   match address 101
  interface Ethernet0
   ip address 10.1.1.1 255.255.255.0
  interface Ethernet1
   ip address 192.1.1.1 255.255.255.0
   crypto map vpnmap
  access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Figure: IPSec tunnel across the Internet between 192.1.1.1 (LAN 10.1.1.0/24) and 200.1.1.2 (LAN 10.1.2.0/24).

Page 10: Vpn site to site

Topologies

Standard Site-to-Site IPSec Enabled VPN Solution Design and Engineering Guide

http://www.cisco.com/cpropart/salestools/cc/so/neso/vpn/vpne/s2sdes.htm

Page 11: Vpn site to site

GRE Over IPSec (Common Configuration Issues)

• Apply the crypto map on both the tunnel interfaces and the physical interfaces
• Specify GRE traffic as IPSec interesting traffic:
  access-list 101 permit gre host 200.1.1.1 host 150.1.1.1
• Static or dynamic routing is needed to send VPN traffic to the GRE tunnel before it gets encrypted.

Page 12: Vpn site to site

GRE over IPSec (Avoid Recursive Routing)

• To avoid GRE tunnel interface damping due to recursive routing, keep transport and passenger routing information separate:
  Use different routing protocols or separate routing protocol identifiers
  Keep tunnel IP addresses and actual IP network address ranges distinct
  For the tunnel interface IP address, don’t use unnumbered to a loopback interface when the loopback’s IP address resides in the ISP address space

Page 13: Vpn site to site

GRE over IPsec (MTU Issues)

• Overhead calculation of GRE over IPSec (assume ESP-DES & ESP-MD5-HMAC):
  ESP overhead (with authentication): 31 ~ 38 bytes
  GRE header: 24 bytes
  IP header: 20 bytes
• GRE over IPSec with tunnel mode introduces ~75 bytes overhead; GRE over IPSec with transport mode introduces ~55 bytes overhead

Page 14: Vpn site to site

GRE over IPSec

Figure: packet layout at each encapsulation step between the two Internet-connected routers.

  a. Original Packet:                IP Hdr 1 | TCP hdr | Data
  b. GRE Encapsulation:              IP hdr 2 | GRE hdr | IP Hdr 1 | TCP hdr | Data
  c. GRE over IPSec Transport Mode:  IP hdr 2 | ESP hdr | GRE hdr | IP Hdr 1 | TCP hdr | Data
  d. GRE over IPSec Tunnel Mode:     IP hdr 3 | ESP hdr | IP hdr 2 | GRE hdr | IP Hdr 1 | TCP hdr | Data

Page 15: Vpn site to site


GRE over IPSec (MTU Issues)

• After GRE tunnel encapsulation, the packets will be sent to physical interface with DF bit set to 0

• The GRE packets will then be encrypted at physical interface; if IPSec overhead causes final IPSec packets to be bigger than the interface MTU, the router will fragment the packets

• The remote router will need to reassemble the fragmented IPSec packets (process switched), which causes performance degradation

Page 16: Vpn site to site

GRE over IPSec (MTU issue)

• To avoid fragmentation and reassembly of IPSec packets:
  Set ip mtu 1420 (GRE/IPSec tunnel mode) or ip mtu 1440 (GRE/IPSec transport mode) under the tunnel interface.
  Enable “tunnel path-mtu-discovery” (DF bit copied after GRE encapsulation) under the tunnel interface.
• Use “show ip int switching” to verify the switching path
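The overhead figures on pages 13 and 14 and the ip mtu values on page 16 can be checked with the following Python, an added example that is not part of the Cisco deck. It computes the exact on-the-wire size of a GRE packet after ESP-DES/ESP-MD5-HMAC protection in transport and tunnel mode, including ESP block padding, and finds the largest tunnel ip mtu that never exceeds a 1500-byte link; the 4-byte base GRE header and the 12-byte HMAC-MD5-96 ICV are assumptions.

```python
# Added example (not from the Cisco deck): on-the-wire size of a GRE packet after
# ESP-DES / ESP-MD5-HMAC protection in transport and tunnel mode.
# Assumptions: 4-byte base GRE header (no key/sequence/checksum options),
# DES-CBC (8-byte IV and block size), HMAC-MD5-96 ICV (12 bytes), no IP options.
IP_HDR = 20
GRE_HDR = 4           # slide's "GRE header: 24 bytes" = GRE_HDR + the new IP header
ESP_SPI_SEQ = 8       # SPI (4) + sequence number (4)
DES_IV = 8
DES_BLOCK = 8
ESP_TRAILER = 2       # pad length (1) + next header (1)
MD5_ICV = 12          # HMAC-MD5-96 authentication data


def esp_padding(protected_len):
    """Pad bytes so the protected data plus the 2-byte trailer fills whole DES blocks."""
    return (-(protected_len + ESP_TRAILER)) % DES_BLOCK


def gre_ipsec_size(inner_len, mode):
    """Size of an inner IP packet after GRE and then ESP (steps b to d on the slides)."""
    # step b: GRE encapsulation adds the GRE header and a new IP header (IP hdr 2)
    gre_packet = inner_len + GRE_HDR + IP_HDR
    if mode == "transport":
        # step c: ESP sits between IP hdr 2 and the GRE header; IP hdr 2 stays outside
        protected = gre_packet - IP_HDR
    elif mode == "tunnel":
        # step d: the whole GRE packet is protected and a third IP header is added
        protected = gre_packet
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    pad = esp_padding(protected)
    return IP_HDR + ESP_SPI_SEQ + DES_IV + protected + pad + ESP_TRAILER + MD5_ICV


def overhead(inner_len, mode):
    """Bytes added to the original packet (compare with ~55 / ~75 on the slide)."""
    return gre_ipsec_size(inner_len, mode) - inner_len


def max_tunnel_mtu(mode, link_mtu=1500):
    """Largest 'ip mtu' for the tunnel interface whose packets never exceed link_mtu."""
    for inner in range(link_mtu, 0, -1):
        if gre_ipsec_size(inner, mode) <= link_mtu:
            return inner
    return 0


if __name__ == "__main__":
    for mode, slide_mtu in (("transport", 1440), ("tunnel", 1420)):
        print(f"{mode}: ip mtu {slide_mtu} -> {gre_ipsec_size(slide_mtu, mode)} bytes on the wire, "
              f"overhead {overhead(slide_mtu, mode)}, largest safe ip mtu {max_tunnel_mtu(mode)}")
    # a full 1500-byte inner packet no longer fits and is fragmented at the physical interface
    print("1500-byte packet, tunnel mode:", gre_ipsec_size(1500, "tunnel"), "bytes")
```

With these assumptions the slide's 1440/1420 settings both produce 1496-byte packets, a few bytes below the largest values (1442/1422) that still avoid fragmentation.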

Page 17: Vpn site to site

GRE IPSec Config

  crypto isakmp policy 1
   encr 3des
   hash md5
   authentication pre-share
  crypto isakmp key cisco123 address 172.18.45.1
  crypto isakmp key cisco123 address 172.18.45.2
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
   mode transport

Page 18: Vpn site to site

GRE IPSEC Config continued

  crypto map vpn 10 ipsec-isakmp
   set peer 172.18.45.1
   set transform-set myset
   match address 101
  crypto map vpn 20 ipsec-isakmp
   set peer 172.18.45.2
   set transform-set myset
   match address 102

Page 19: Vpn site to site

GRE IPSEC Config continued

  interface Tunnel0
   ip address 10.4.1.1 255.255.255.0
   tunnel source 172.18.31.1
   tunnel destination 172.18.45.1
   crypto map vpn
  interface Tunnel1
   ip address 10.4.2.1 255.255.255.0
   tunnel source 172.18.31.1
   tunnel destination 172.18.45.2
   crypto map vpn
  interface Serial0
   ip address 172.18.31.1 255.255.255.0
   crypto map vpn

Page 20: Vpn site to site

GRE IPSEC Config continued

  router eigrp 100
   network 10.0.0.0
  ip route 172.18.0.0 255.255.0.0 Serial0
  ip access-list extended 101
   permit gre host 172.18.31.1 host 172.18.45.1
  ip access-list extended 102
   permit gre host 172.18.31.1 host 172.18.45.2

Page 21: Vpn site to site

Preventing Traffic Injection

• ACL on the physical interface
• Even better, VRF lite!

  interface Serial0/0
   ip access-group Only_ESP in

  ip access-list extended Only_ESP
   permit esp host 193.193.193.1 any
   permit udp host 193.193.193.1 eq 500 any
   deny ip any any log-input
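To see what the Only_ESP ingress ACL lets through and what its final logging deny would record, here is an added Python example (not from the Cisco deck) that evaluates the three rules with IOS first-match semantics over constructed sample packets; the destination addresses and the source 198.51.100.7 are made up for the example.

```python
# Added example: first-match evaluation of the slide's Only_ESP ingress ACL over
# constructed packets, showing what reaches the router and what the final
# "deny ip any any log-input" line would log.
from dataclasses import dataclass
from typing import Optional

PEER = "193.193.193.1"   # the IPSec peer address used on the slide


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "esp", "udp", or "ip" (ip matches any protocol)
    src: str                    # host address or "any"
    src_port: Optional[int]     # UDP source port for "eq", None when unrestricted
    dst: str                    # host address or "any"
    log: bool = False           # True for log-input


ONLY_ESP = [
    Rule("permit", "esp", PEER, None, "any"),              # permit esp host 193.193.193.1 any
    Rule("permit", "udp", PEER, 500, "any"),               # permit udp host 193.193.193.1 eq 500 any
    Rule("deny", "ip", "any", None, "any", log=True),      # deny ip any any log-input
]


def _addr_match(rule_addr, addr):
    return rule_addr == "any" or rule_addr == addr


def evaluate(acl, proto, src, dst, src_port=None):
    """Return (action, logged) from the first matching rule; implicit deny if none match."""
    for rule in acl:
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if not _addr_match(rule.src, src) or not _addr_match(rule.dst, dst):
            continue
        if rule.src_port is not None and rule.src_port != src_port:
            continue
        return rule.action, rule.log
    return "deny", False   # every IOS ACL ends with an implicit, unlogged deny


if __name__ == "__main__":
    # constructed sample packets arriving inbound on Serial0/0
    samples = [
        ("esp", PEER, "172.18.31.1", None),            # protected tunnel traffic from the peer
        ("udp", PEER, "172.18.31.1", 500),             # ISAKMP from the peer
        ("udp", PEER, "172.18.31.1", 4500),            # only source port 500 is permitted
        ("tcp", PEER, "10.4.1.1", 23),                 # cleartext packet carrying the peer's address
        ("esp", "198.51.100.7", "172.18.31.1", None),  # ESP from an unknown source
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(ONLY_ESP, *pkt))
```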

Page 22: Vpn site to site

VPN Types and Applications

Type              | Application                        | As Alternative To             | Benefits
Site-to-Site VPN  | Site-to-Site Internal Connectivity | Leased Line, Frame Relay, ATM | Extend Connectivity, Increased Bandwidth, Lower Cost
Remote Access VPN | Remote Dial Connectivity           | Dedicated Dial, ISDN          | Ubiquitous Access, Lower Cost
Extranet VPN      | Biz-to-Biz External Connectivity   | Fax, Mail, EDI                | Facilitates E-Commerce

Page 23: Vpn site to site

VPN Requirements Vary By Application

Figure: a Central Site connected over the Internet to a Remote Office (Site-to-Site), a Business Partner (Extranet), and Mobile Users and Home Telecommuters reaching a POP over DSL/Cable (Remote Access).

Remote Access VPN
• Evolution away from dial
• Per-user manageability
• Multi-OS (desktop) support
• Deployment scalability

Site-to-Site VPN
• Extension of classic WAN
• Compatibility with diverse network traffic types
• Integration with routing
• Deployment scalability

Page 24: Vpn site to site

Cisco VPN Portfolio: Purpose-Built for Specific VPN Environments

VPN Application                   | Large Enterprise            | Medium Enterprise     | Small Biz/Branch            | SOHO
Site-to-Site (IOS Routers)        | 7200, 7100                  | 7100, 3600            | 3600, 2600, 1700            | 900, 800
Firewall-Based VPN (Pix Firewall) | Pix 535, Pix 525            | Pix 525, Pix 515      | Pix 515, Pix 506            | Pix 506
Remote Access (Cisco VPN 3000)    | VPN 3080/3060 Concentrators | VPN 3030 Concentrator | VPN 3015/3005 Concentrators | VPN 3002 Hardware Client, VPN 3000 Software Client

Page 25: Vpn site to site

VPN Product Function Matrix

IOS VPN Routers
  Site-to-Site VPN: primary role; all encompassing site-to-site connectivity features; provides routing, QoS, WAN interfaces, multicast and multiprotocol support
  Remote Access VPN: basic remote access functionality

PIX Firewalls
  Site-to-Site VPN: solution for security organizations that prefer operating firewalls; provides full firewall features; basic site-to-site functionality
  Remote Access VPN: provides most remote access features; solution for security organizations that prefer operating firewalls; provides full firewall features

VPN 3000 Concentrators
  Site-to-Site VPN: basic site-to-site functionality
  Remote Access VPN: primary role; full featured remote access solution

Page 26: Vpn site to site

Cisco IOS Software: Enhanced VPN Software Features

• Quality of Service
  – Application-aware packet classification
  – Congestion management and packet queuing
  – Traffic shaping and policing
• Stateful IOS Firewall
  – Per application content filtering and Java blocking
  – Denial of service protection and intrusion detection
  – Time-based ACLs
• VPN Resiliency
  – Dynamic Route Recovery - using routing protocols through IPSec secured GRE tunnel
  – Dynamic Tunnel Recovery - IPSec Keep-Alives
• Full Layer 3 Routing and Broad Interface Support
  – EIGRP, BGP, OSPF, and others
  – Numerous LAN and WAN interfaces

Page 27: Vpn site to site

Cisco Site-to-Site VPN Solutions: Scalability for Every Site

Figure: Main Office, Regional Office, Remote Office and Small Office/Home Office connected across the Internet.

Cisco 1700 Series
• VPN-optimized router connecting remote offices at T1/E1 speeds

Cisco 800 & 900 Series
• VPN-optimized routers for ISDN, DSL, and cable connectivity

Cisco 2600 & 3600 Series
• VPN-optimized routers connecting branch and regional offices at nxT1/E1 speeds

Cisco 7100 & 7200 Series
• 7100 for dedicated VPN head-end
• 7200 for hybrid private WAN + VPN connectivity

Page 28: Vpn site to site

VPN-Enabled Broadband Routers

Model                 | 806        | 827/804    | 905
Simultaneous Tunnels  | 50         | 50         | 50
Performance           | 384 kbps   | 384 kbps   | 6 Mbps
Hardware Acceleration | None       | None       | (built-in)
WAN Interfaces        | Ethernet   | DSL/ISDN   | Cable
LAN Interfaces        | 4xEthernet | 1xEthernet | 4xEthernet

Page 29: Vpn site to site

VPN-Enabled Routers

Model                 | 1710       | 1720/1750  | 2611/2621  | 2651       | 3620/3640
Simultaneous Tunnels  | 100        | 100        | 300        | 800        | 800
Performance (Mbps)    | 4          | 4          | 10/12      | 14         | 10/19
Hardware Acceleration | (built-in) | VPN Module | AIM-VPN/BP | AIM-VPN/EP | NM-VPN/MP
WAN Interfaces        | 1xEthernet | (varies)   | (varies)   | (varies)   | (varies)
LAN Interfaces        | 1xFE       | 1xFE       | 2xFE       | 2xFE       | (varies)

Page 30: Vpn site to site

VPN-Enabled Routers

Model                 | 3660       | 7120     | 7140     | 7140      | 7200
Simultaneous Tunnels  | 1,300      | 2,000    | 2,000    | 3,000     | 5,000
Performance (Mbps)    | 40         | 50       | 90       | 140       | 145
Hardware Acceleration | AIM-VPN/HP | ISM      | ISM      | ISM & ISA | SA-VAM
WAN Interfaces        | (varies)   | (varies) | (varies) | None      | (varies)
LAN Interfaces        | 1xFE       | 2xFE     | 2xFE     | 2xFE      | (varies)

Page 31: Vpn site to site

2650 Enhanced Performance VPN Module

• AIM-VPN/EP Enhanced Performance Module delivers 14 Mbps 3DES performance
  New AIM-VPN/EP is specially designed to take advantage of the 2650 High Performance Router
  This VPN Module is being offered in addition to our present AIM-VPN/BP (Base Performance Module)
  Supported on all 2600 platforms

New!

Page 32: Vpn site to site

VPN Acceleration Module (VAM) for 7100/7200

• Greater than DS3 encryption performance: 145 Mbps 3DES IPSec performance for scalable site-to-site encryption
• Allows large number of VPN tunnels: 5000 simultaneous IPSec sessions
• Fast VPN tunnel setup time: hardware acceleration for RSA tunnel setup & key generation
• Compression for bandwidth conservation: hardware acceleration for IPPCP LZS compression

New!

SA-VAM for 7200
SM-VAM for 7100

Page 33: Vpn site to site

VPN Management

• VPN Device Manager: embedded web single-device policy manager
• VPN Management Solutions: enterprise VPN monitoring & policy manager
• Cisco Secure Policy Manager: centralized, intelligent security policy management for firewall and VPN
• Telnet/SSH/rlogin/rsh/rcp CLI, tftp, MIBs

Page 34: Vpn site to site

Site-to-Site VPN Platform Summary

• Comprehensive Suite of Site-to-Site VPN Features: supports the most diverse VPN environments
• High Performance VPN: up to 145 Mbps 3DES/HMAC-SHA1 IPSec, up to 5,000 simultaneous tunnels
• Site Specific VPN Scalability: DSL, Cable, & ISDN VPN routers; Ethernet-to-Ethernet broadband routers
• Network Management Tailored for Site-to-Site Applications

Page 35: Vpn site to site

For More Information...

Blog.router-switch.com
• News, tutorials, tips, info & thoughts on developments in the Cisco, Cisco network, IT, Software & Network Hardware Industry

Page 36: Vpn site to site

© 1999, Cisco Systems, Inc.