Cisco VPN Solutions
© 2001, Cisco Systems, Inc.
Nov 19, 2014
VPN Overview © 2001, Cisco Systems, Inc. www.cisco.com/go/vpn

Agenda
• Introduction to IPSec
• IPSec VPN Topologies
• Cisco Site-to-Site VPN Solutions

IPSec Design Guide
http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/iptoc_dg.htm

IPSec Overview
• Initiating the IPSec session
  Phase one—exchanging keys
  Phase two—setting up security associations
• Encrypting/decrypting packets
• Rebuilding security associations
  Timing out security associations
• Simple IPSec configuration

Initiating the IPSec Session: Phase One—ISAKMP
• Internet Security Association Key Management Protocol (ISAKMP)
• Both sides need to agree on the ISAKMP security parameters
ISAKMP parameters:
  Encryption algorithm
  Hash algorithm
  Authentication method
  Diffie-Hellman modulus group
  Lifetime

Initiating the IPSec Session: Phase Two—IPSec
• Both sides need to agree on the IPSec security parameters
IPSec parameters:
  IPSec peer: endpoint of the IPSec tunnel
  IPSec proxy: traffic to be encrypted/decrypted
  IPSec transform: encryption and hashing
  IPSec lifetime: phase two SA regeneration time

Encrypting and Decrypting Packets
• Phase one and phase two complete
• Security Associations (SAs) are created at both IPSec endpoints
• Using the negotiated SA information:
  Outbound packets are encrypted
  Inbound packets are decrypted

Rebuilding Security Associations
• To ensure that keys are not compromised, they are periodically refreshed
• Security associations will be rebuilt when:
  The lifetime expires, or
  Data volume has been exceeded, or
  Another SA is attempted with identical parameters

Simple IPSec Configuration
Diagram: 10.1.1.0/24 behind the router at 192.1.1.1 and 10.1.2.0/24 behind the router at 200.1.1.2, with the IPSec tunnel running between 192.1.1.1 and 200.1.1.2 across the Internet.

Router at 200.1.1.2 (protecting 10.1.2.0/24):
crypto isakmp policy 1
 authentication pre-share
 hash md5
crypto isakmp key cisco123 address 192.1.1.1
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 192.1.1.1
 set transform-set trans1
 match address 101
interface Ethernet0
 ip address 10.1.2.1 255.255.255.0
interface Ethernet1
 ip address 200.1.1.2 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Router at 192.1.1.1 (protecting 10.1.1.0/24):
crypto isakmp policy 1
 authentication pre-share
 hash md5
crypto isakmp key cisco123 address 200.1.1.2
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set trans1
 match address 101
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
interface Ethernet1
 ip address 192.1.1.1 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
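As an added example (not from the slides), a small Python consistency check over the two mirrored configs above: it parses the pre-shared-key address, crypto-map peer, interesting-traffic ACL and the interface carrying the crypto map from each router, then verifies that each side's peer is the other side's crypto-map interface, that a key exists for that peer, and that the two ACLs are mirror images. The sample input is constructed from the slide's configs with the policy and transform-set lines omitted; the parser only understands the line forms shown.

```python
import re
# Constructed sample input: the essential lines of the slide's two mirrored IOS configs.
RTR_A = """crypto isakmp key cisco123 address 192.1.1.1
crypto map vpnmap 10 ipsec-isakmp
 set peer 192.1.1.1
 match address 101
interface Ethernet1
 ip address 200.1.1.2 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255"""
RTR_B = """crypto isakmp key cisco123 address 200.1.1.2
crypto map vpnmap 10 ipsec-isakmp
 set peer 200.1.1.2
 match address 101
interface Ethernet1
 ip address 192.1.1.1 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255"""

def parse(cfg):
    """Pull out the key address, crypto-map peer, interesting-traffic ACL and the IP of the interface carrying the map."""
    d = {"keys": set(), "acl": {}, "peer": None, "acl_id": None, "local": None}
    cur_ip = None  # ip address of the interface block currently being read
    for s in map(str.strip, cfg.splitlines()):
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", s):
            d["keys"].add(m[1])
        elif m := re.match(r"set peer (\S+)", s):
            d["peer"] = m[1]
        elif m := re.match(r"match address (\S+)", s):
            d["acl_id"] = m[1]
        elif m := re.match(r"ip address (\S+) \S+", s):
            cur_ip = m[1]
        elif re.match(r"crypto map \S+$", s):  # map applied under an interface, not its definition
            d["local"] = cur_ip
        elif m := re.match(r"access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)", s):
            d["acl"][m[1]] = (m[2], m[3])
    return d

def check_pair(a, b):
    """List the mismatches between two peer configs; an empty list means they agree."""
    findings = []
    for me, other, tag in ((a, b, "A"), (b, a, "B")):
        if me["peer"] != other["local"]:
            findings.append(f"{tag}: set peer {me['peer']} is not the peer's crypto-map interface {other['local']}")
        if me["peer"] not in me["keys"]:
            findings.append(f"{tag}: no isakmp key configured for peer {me['peer']}")
        mine, theirs = me["acl"].get(me["acl_id"]), other["acl"].get(other["acl_id"])
        if not mine or not theirs or mine != theirs[::-1]:
            findings.append(f"{tag}: interesting-traffic ACL is not the mirror image of the peer's")
    return findings
```

Calling check_pair(parse(RTR_A), parse(RTR_B)) on the slide's configs returns an empty list; changing one side's peer or ACL network produces a finding per affected side.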

Topologies
Standard Site-to-Site IPSec Enabled VPN Solution: Design and Engineering Guide
http://www.cisco.com/cpropart/salestools/cc/so/neso/vpn/vpne/s2sdes.htm

GRE over IPSec (Common Configuration Issues)
• Apply the crypto map on both the tunnel interfaces and the physical interfaces
• Specify GRE traffic as IPSec interesting traffic:
  access-list 101 permit gre host 200.1.1.1 host 150.1.1.1
• Static or dynamic routing is needed to send VPN traffic to the GRE tunnel before it gets encrypted

GRE over IPSec (Avoid Recursive Routing)
• To avoid GRE tunnel interface damping due to recursive routing, keep transport and passenger routing information separate:
  Use different routing protocols or separate routing protocol identifiers
  Keep tunnel IP address ranges and actual IP network address ranges distinct
  For the tunnel interface IP address, don’t use unnumbered to a loopback interface when the loopback’s IP address resides in the ISP address space

GRE over IPSec (MTU Issues)
• Overhead calculation of GRE over IPSec (assume ESP-DES & ESP-MD5-HMAC):
  ESP overhead (with authentication): 31 ~ 38 bytes
  GRE header: 24 bytes
  IP header: 20 bytes
• GRE over IPSec with tunnel mode introduces ~75 bytes of overhead; GRE over IPSec with transport mode introduces ~55 bytes of overhead

GRE over IPSec
Diagram: packet layouts, outermost header first.
a. Original packet: IP Hdr 1 | TCP hdr | Data
b. GRE encapsulation: IP hdr 2 | GRE hdr | IP Hdr 1 | TCP hdr | Data
c. GRE over IPSec transport mode: IP hdr 2 | ESP hdr | GRE hdr | IP Hdr 1 | TCP hdr | Data
d. GRE over IPSec tunnel mode: IP hdr 3 | ESP hdr | IP hdr 2 | GRE hdr | IP Hdr 1 | TCP hdr | Data

GRE over IPSec (MTU Issues)
• After GRE tunnel encapsulation, the packets are sent to the physical interface with the DF bit set to 0
• The GRE packets are then encrypted at the physical interface; if the IPSec overhead makes the final IPSec packets bigger than the interface MTU, the router fragments them
• The remote router must reassemble the fragmented IPSec packets (process switched), which causes performance degradation

GRE over IPSec (MTU Issues)
• To avoid fragmentation and reassembly of IPSec packets:
  Set ip mtu 1420 (GRE/IPSec tunnel mode) or ip mtu 1440 (GRE/IPSec transport mode) under the tunnel interface
  Enable “tunnel path-mtu-discovery” (DF bit copied after GRE encapsulation) under the tunnel interface
• Use “show ip int switching” to verify the switching path

GRE IPSec Config
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 172.18.45.1
crypto isakmp key cisco123 address 172.18.45.2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode transport

GRE IPSec Config continued
crypto map vpn 10 ipsec-isakmp
 set peer 172.18.45.1
 set transform-set myset
 match address 101
crypto map vpn 20 ipsec-isakmp
 set peer 172.18.45.2
 set transform-set myset
 match address 102

GRE IPSec Config continued
interface Tunnel0
 ip address 10.4.1.1 255.255.255.0
 tunnel source 172.18.31.1
 tunnel destination 172.18.45.1
 crypto map vpn
interface Tunnel1
 ip address 10.4.2.1 255.255.255.0
 tunnel source 172.18.31.1
 tunnel destination 172.18.45.2
 crypto map vpn
interface Serial0
 ip address 172.18.31.1 255.255.255.0
 crypto map vpn

GRE IPSec Config continued
router eigrp 100
 network 10.0.0.0
ip route 172.18.0.0 255.255.0.0 Serial0
ip access-list extended 101
 permit gre host 172.18.31.1 host 172.18.45.1
ip access-list extended 102
 permit gre host 172.18.31.1 host 172.18.45.2

Preventing Traffic Injection
• ACL on the physical interface
• Even better, VRF lite!
interface Serial0/0
 ip access-group Only_ESP in
ip access-list extended Only_ESP
 permit esp host 193.193.193.1 any
 permit udp host 193.193.193.1 eq 500 any
 deny ip any any log-input
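An added example, not from the slides, that models the Only_ESP filter above with IOS first-match semantics and runs it over a few constructed inbound packets; the peer address 193.193.193.1 is the slide's, every other address is made up.

```python
PEER = "193.193.193.1"  # the IPSec peer address used in the slide's Only_ESP ACL

# Rules as (action, protocol, source, source port, destination); "any"/None are wildcards.
# This mirrors the slide's ACL; protocol "ip" matches every protocol.
ONLY_ESP = [
    ("permit", "esp", PEER, None, "any"),  # permit esp host 193.193.193.1 any
    ("permit", "udp", PEER, 500, "any"),   # permit udp host 193.193.193.1 eq 500 any
    ("deny", "ip", "any", None, "any"),    # deny ip any any log-input
]

def acl_decide(acl, pkt):
    """Evaluate pkt top-down, first match wins; return (action, index of matching rule).
    If nothing matches, the implicit deny at the end of every IOS ACL applies (index None)."""
    for i, (action, proto, src, sport, dst) in enumerate(acl):
        if proto != "ip" and pkt["proto"] != proto:
            continue
        if src != "any" and pkt["src"] != src:
            continue
        if sport is not None and pkt.get("sport") != sport:
            continue
        if dst != "any" and pkt["dst"] != dst:
            continue
        return action, i
    return "deny", None

def filter_inbound(acl, packets):
    """Return the verdict per packet and the packets the explicit deny would log
    (log-input sits on the slide's deny entry; the implicit deny logs nothing)."""
    verdicts = [acl_decide(acl, p) for p in packets]
    logged = [p for p, (a, i) in zip(packets, verdicts) if a == "deny" and i is not None]
    return verdicts, logged

# Constructed packets arriving inbound on Serial0/0 (addresses other than PEER are made up).
SAMPLE = [
    {"proto": "esp", "src": PEER, "dst": "198.51.100.1"},                   # encrypted tunnel traffic
    {"proto": "udp", "src": PEER, "sport": 500, "dst": "198.51.100.1"},     # ISAKMP from the peer
    {"proto": "tcp", "src": "10.1.1.5", "sport": 4000, "dst": "10.1.2.7"},  # cleartext claiming an inside source
    {"proto": "icmp", "src": PEER, "dst": "198.51.100.1"},                  # even the peer's cleartext is dropped
]
```

filter_inbound(ONLY_ESP, SAMPLE) permits the first two packets and denies (and logs) the last two, which is the point of the slide: nothing but ESP and ISAKMP from the known peer reaches the router in cleartext.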

VPN Types and Applications
Site-to-Site VPN
  Application: site-to-site internal connectivity
  As alternative to: leased line, Frame Relay, ATM
  Benefits: extend connectivity, increased bandwidth, lower cost
Remote Access VPN
  Application: remote dial connectivity
  As alternative to: dedicated dial, ISDN
  Benefits: ubiquitous access, lower cost
Extranet VPN
  Application: biz-to-biz external connectivity
  As alternative to: fax, mail, EDI
  Benefits: facilitates e-commerce

VPN Requirements Vary By Application
Diagram: a central site reached over the Internet VPN by a site-to-site remote office, an extranet business partner, and remote-access users (mobile user, home telecommuter) via POP, DSL and cable.
Remote Access VPN
• Evolution away from dial
• Per-user manageability
• Multi-OS (desktop) support
• Deployment scalability
Site-to-Site VPN
• Extension of classic WAN
• Compatibility with diverse network traffic types
• Integration with routing
• Deployment scalability

Cisco VPN Portfolio: Purpose-Built for Specific VPN Environments
Site-to-Site (IOS Routers)
  Large Enterprise: 7200, 7100
  Medium Enterprise: 7100, 3600
  Small Biz/Branch: 3600, 2600, 1700
  SOHO: 900, 800
Firewall-Based VPN (Pix Firewall)
  Large Enterprise: Pix 535, Pix 525
  Medium Enterprise: Pix 525, Pix 515
  Small Biz/Branch: Pix 515, Pix 506
  SOHO: Pix 506
Remote Access (Cisco VPN 3000)
  Large Enterprise: VPN 3080, VPN 3060 Concentrators
  Medium Enterprise: VPN 3030 Concentrator
  Small Biz/Branch: VPN 3015, VPN 3005 Concentrators
  SOHO: VPN 3002 Hardware Client, VPN 3000 Software Client

VPN Product Function Matrix
IOS VPN Routers
  Site-to-Site VPN: primary role; all-encompassing site-to-site connectivity features; provides routing, QoS, WAN interfaces, multicast and multiprotocol support
  Remote Access VPN: basic remote access functionality
PIX Firewalls
  Site-to-Site VPN: basic site-to-site functionality; solution for security organizations that prefer operating firewalls; provides full firewall features
  Remote Access VPN: provides most remote access features; solution for security organizations that prefer operating firewalls; provides full firewall features
VPN 3000 Concentrators
  Site-to-Site VPN: basic site-to-site functionality
  Remote Access VPN: primary role; full-featured remote access solution

Cisco IOS Software: Enhanced VPN Software Features
• Quality of Service
  – Application-aware packet classification
  – Congestion management and packet queuing
  – Traffic shaping and policing
• Stateful IOS Firewall
  – Per-application content filtering and Java blocking
  – Denial of service protection and intrusion detection
  – Time-based ACLs
• VPN Resiliency
  – Dynamic Route Recovery - using routing protocols through an IPSec-secured GRE tunnel
  – Dynamic Tunnel Recovery - IPSec Keep-Alives
• Full Layer 3 Routing and Broad Interface Support
  – EIGRP, BGP, OSPF, and others
  – Numerous LAN and WAN interfaces

Cisco Site-to-Site VPN Solutions: Scalability for Every Site
Diagram: main office, regional office, remote office and small office/home office connected across the Internet.
• Cisco 1700 Series: VPN-optimized router connecting remote offices at T1/E1 speeds
• Cisco 800 & 900 Series: VPN-optimized routers for ISDN, DSL, and cable connectivity
• Cisco 2600 & 3600 Series: VPN-optimized routers connecting branch and regional offices at nxT1/E1 speeds
• Cisco 7100 & 7200 Series: 7100 for dedicated VPN head-end; 7200 for hybrid private WAN + VPN connectivity

VPN-Enabled Broadband Routers
806: 50 simultaneous tunnels; 384 kbps; hardware acceleration: none; WAN interfaces: Ethernet; LAN interfaces: 4xEthernet
827/804: 50 simultaneous tunnels; 384 kbps; hardware acceleration: none; WAN interfaces: DSL/ISDN; LAN interfaces: 1xEthernet
905: 50 simultaneous tunnels; 6 Mbps; hardware acceleration: built-in; WAN interfaces: Cable; LAN interfaces: 4xEthernet

VPN-Enabled Routers
1710: 100 simultaneous tunnels; 4 Mbps; hardware acceleration: built-in; WAN interfaces: 1xEthernet; LAN interfaces: 1xFE
1720/1750: 100 simultaneous tunnels; 4 Mbps; hardware acceleration: VPN Module; WAN interfaces: varies; LAN interfaces: 1xFE
2611/2621: 300 simultaneous tunnels; 10/12 Mbps; hardware acceleration: AIM-VPN/BP; WAN interfaces: varies; LAN interfaces: 2xFE
2651: 800 simultaneous tunnels; 14 Mbps; hardware acceleration: AIM-VPN/EP; WAN interfaces: varies; LAN interfaces: 2xFE
3620/3640: 800 simultaneous tunnels; 10/19 Mbps; hardware acceleration: NM-VPN/MP; WAN interfaces: varies; LAN interfaces: varies

VPN-Enabled Routers
3660: 1,300 simultaneous tunnels; 40 Mbps; hardware acceleration: AIM-VPN/HP; WAN interfaces: varies; LAN interfaces: 1xFE
7120: 2,000 simultaneous tunnels; 50 Mbps; hardware acceleration: ISM; WAN interfaces: varies; LAN interfaces: 2xFE
7140: 2,000 simultaneous tunnels; 90 Mbps; hardware acceleration: ISM; WAN interfaces: varies; LAN interfaces: 2xFE
7140: 3,000 simultaneous tunnels; 140 Mbps; hardware acceleration: ISM & ISA; WAN interfaces: none; LAN interfaces: 2xFE
7200: 5,000 simultaneous tunnels; 145 Mbps; hardware acceleration: SA-VAM; WAN interfaces: varies; LAN interfaces: varies

2650 Enhanced Performance VPN Module
• AIM-VPN/EP Enhanced Performance Module delivers 14 Mbps 3DES performance
• New AIM-VPN/EP is specially designed to take advantage of the 2650 High Performance Router
• This VPN module is being offered in addition to our present AIM-VPN/BP (Base Performance Module)
• Supported on all 2600 platforms

VPN Acceleration Module (VAM) for 7100/7200
• Greater than DS3 encryption performance: 145 Mbps 3DES IPSec performance for scalable site-to-site encryption
• Allows a large number of VPN tunnels: 5000 simultaneous IPSec sessions
• Fast VPN tunnel setup time: hardware acceleration for RSA tunnel setup & key generation
• Compression for bandwidth conservation: hardware acceleration for IPPCP LZS compression
• SA-VAM for 7200; SM-VAM for 7100

VPN Management
• VPN Device Manager: embedded web single-device policy manager
• VPN Management Solutions: enterprise VPN monitoring & policy manager
• Cisco Secure Policy Manager: centralized, intelligent security policy management for firewall and VPN
• Telnet/SSH/rlogin/rsh/rcp CLI, tftp, MIBs

Site-to-Site VPN Platform Summary
• Comprehensive suite of site-to-site VPN features: supports the most diverse VPN environments
• High-performance VPN: up to 145 Mbps 3DES/HMAC-SHA1 IPSec; up to 5,000 simultaneous tunnels
• Site-specific VPN scalability: DSL, cable, & ISDN VPN routers; Ethernet-to-Ethernet broadband routers
• Network management tailored for site-to-site applications

For More Information...
Blog.router-switch.com: news, tutorials, tips, info & thoughts on developments in the Cisco, Cisco network, IT, software & network hardware industry