Transcript
Page 1: Implementing VPN Solutions Laurel Boyer, CCIE 4918 Presented, June 2003.

Implementing VPN Solutions

Laurel Boyer, CCIE 4918
Presented June 2003

Page 2:

Agenda

– Cost Analysis: Frame vs. VPN
– VPN Drawbacks
– VPN Equipment Alternatives
– Using GRE for Dynamic Routing
– Implementation Examples
– Troubleshooting
– Questions/Discussion

Page 3:

Cost Analysis: Frame vs. VPN

Premise – This discussion assumes that there is a requirement to remotely connect two or more offices/locations. This discussion focuses on a Hub/Spoke architecture.

Frame Relay vs. DSL cost examples

Frame Relay
Port Speed   CIR     Cost
128k         64k     $700
256k         128k    $875
512k         256k    $1,180
768k         384k    $1,520
1544k        768k    $1,650

DSL
Speed        Cost
192k         $155
384k         $195
768k         $289
1544k        $389

Page 4:

VPN Drawbacks

– VPN connections traverse the Internet, so the link is exposed to latency and outages that the network administrator cannot influence.
– DSL is normally a better choice than Cable Modem, as it does not share the broadcast media.
– DSL may not be available in all areas, or may not be available at the required speeds.
– All DSL/ISP providers are not created equal:
  – Ensure that the provider will give you public IP addresses to manage.
  – Ask the provider where the POP is that connects to your office.
  – Request ping times from the POP to your Hub/Destination location.
  – Request peering information between the provider and your destination.
  – Scrutinize the customer service policy.

Page 5:

VPN Equipment Alternatives

– PIX to PIX
– PIX to VPN Concentrator
– PIX to Router w/ IOS Firewall/IPSEC
– VPN Concentrator to Router w/ IOS Firewall/IPSEC
– VPN Concentrator to VPN Concentrator
– Router w/ IOS Firewall/IPSEC to Router w/ IOS Firewall/IPSEC

Page 6:

VPN & GRE Example (network diagram): two sites, LAN 10.1.1.0 behind public address 4.1.1.1 and LAN 10.1.2.0 behind public address 5.1.1.1, joined by the VPN across the Internet. Note that the configurations on the following pages use 5.1.1.1 (router) and 5.1.1.2 (PIX) as the IPsec peer addresses.

Page 7:

Generic Steps for setting up VPN

1. Load Basic FW or Router Config

2. Set up IPSEC Tunnel

3. Set up static routes on Routers

4. Set up GRE Tunnel

Page 8:

Configure IPSEC Tunnel: ISAKMP

1. Define Encryption Algorithm: normally DES or 3DES (the options of 2003; both are obsolete, and a current IOS or ASA should use AES)

2. Define a Hashing Algorithm: MD5 or SHA (plain SHA here is SHA-1; prefer SHA-256 where the platform supports it)

3. Define Authentication: RSA/CA or Pre-shared Key

4. Define SA (Security Association) Lifetime. Default is 86400 seconds (1 day)

The Diffie-Hellman group is also part of the policy (the PIX example on page 14 sets group 1). Group 1 is 768-bit and too small by current standards; use group 14 or larger where available.

Page 9:

Configure IPSEC Tunnel: ISAKMP

Example:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key vpn2vpn address 5.1.1.2

No encryption, group or lifetime line is given, so the platform defaults apply (DES, Diffie-Hellman group 1 and 86400 seconds on the IOS of the period); the PIX side on page 14 sets the same values explicitly. The pre-shared key must be identical on both peers, and a short word such as vpn2vpn is a poor choice; use a long random string and a different key per peer.

Page 10:

Configure IPSEC Tunnel: IPSEC

1. Create extended ACL (Access List)

2. Create IPSEC transform(s)

3. Create Crypto Map

4. Apply Crypto Map to Interface

Page 11:

VPN Router Configuration

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key vpn2vpn address 5.1.1.2
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
!
crypto map vpntunnel 10 ipsec-isakmp
 set peer 5.1.1.2
 set transform-set ESP-DES-MD5
 match address vpn-tunnel
!
interface Ethernet0
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
!

Page 12:

VPN Router Configuration, Cont.

interface Ethernet1
 ip address 5.1.1.1 255.255.255.0
 ip nat outside
 crypto map vpntunnel
!
ip nat inside source route-map Internet interface Ethernet1 overload
!
ip access-list extended Nat
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip any any
ip access-list extended vpn-tunnel
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
route-map Internet permit 10
 match ip address Nat

The deny entry in the Nat access-list is what keeps site-to-site traffic out of the NAT overload: IOS translates a packet before it evaluates the crypto map, so 10.x-to-10.x packets must be exempted from NAT or they will never match the vpn-tunnel access-list and will leave Ethernet1 unencrypted with a translated source address.

Page 13:

VPN PIX Configuration

nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list vpn-tunnel permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
interface ethernet0 10baset
interface ethernet1 10full
ip address outside 5.1.1.2 255.255.255.0
ip address inside 10.1.2.254 255.255.255.0
nat (inside) 0 access-list vpn-tunnel
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 5.1.1.1 1

Note that the PIX access-list takes a subnet mask (255.0.0.0) where the IOS extended access-list takes a wildcard mask (0.255.255.255); both must describe the same networks, mirrored, or the tunnel will not negotiate. nat (inside) 0 access-list vpn-tunnel is the PIX NAT exemption for tunnel traffic, the counterpart of the deny entry in the router's Nat access-list.

Page 14:

VPN PIX Configuration, Cont.

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map vpntunnel 1 ipsec-isakmp
crypto map vpntunnel 1 match address vpn-tunnel
crypto map vpntunnel 1 set peer 5.1.1.1
crypto map vpntunnel 1 set transform-set ESP-DES-MD5
crypto map vpntunnel interface outside
isakmp enable outside
isakmp key vpn2vpn address 5.1.1.1 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

sysopt connection permit-ipsec lets decrypted IPsec traffic bypass the outside interface access-list, so the vpn-tunnel access-list becomes the only filter on what the remote site can send in; be deliberate about how wide it is.
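The ISAKMP steps on page 8 and the router (page 11) and PIX (page 14) policies above all use the 2003 defaults: DES, MD5, Diffie-Hellman group 1 and a short pre-shared key. The following script is an added example written for this page, not code from the presentation; it parses both configuration dialects, grades each policy, key and transform-set against a baseline that is the editor's (AES, SHA-256, group 14, a 20-character minimum key length), and emits a replacement policy that passes. The platform defaults it applies when an IOS policy omits a line, and the assumption that the hardened output is for a current IOS rather than the PIX 6.x of the slides, are both stated in comments.

```python
"""Audit IKEv1 (ISAKMP) policies, pre-shared keys and IPsec transform-sets
from IOS or PIX configuration text against a minimum baseline, and emit a
policy that meets it. Baseline and thresholds are the editor's, not the slides'."""
import re

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}               # plain 'sha' means SHA-1 on IOS/PIX
MIN_DH_GROUP = 14                        # 2048-bit MODP
MIN_PSK_LENGTH = 20                      # assumption: shorter keys are guessable
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac",
                   "ah-md5-hmac", "ah-sha-hmac"}
# Values a policy gets when the line is omitted (classic IOS / PIX 6.x behaviour,
# assumed here): DES, SHA-1, RSA signatures, DH group 1, one-day lifetime.
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha",
                   "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}


def parse_isakmp_policies(config):
    """Return {policy_number: {attribute: value}} from either dialect:
    IOS -> 'crypto isakmp policy N' followed by indented attribute lines
    PIX -> 'isakmp policy N attribute value' one-liners"""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        ios = re.match(r"^crypto isakmp policy (\d+)$", line)
        pix = re.match(r"^isakmp policy (\d+) (\S+) (.+)$", line)
        if ios:
            current = policies.setdefault(ios.group(1), dict(POLICY_DEFAULTS))
        elif pix:
            policies.setdefault(pix.group(1), dict(POLICY_DEFAULTS))[pix.group(2)] = pix.group(3)
        elif current is not None and raw[:1].isspace():
            attr, _, value = line.partition(" ")
            current[attr] = value
        elif line:                       # any other top-level command ends the IOS block
            current = None
    return policies


def parse_transform_sets(config):
    """Return {name: [transforms]}; the transform-set command is the same on both."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^\s*crypto ipsec transform-set (\S+) (.+)$", config, re.M)}


def parse_preshared_keys(config):
    """Return {peer: key} from 'crypto isakmp key K address A' (IOS, optional
    encryption-type digit) or 'isakmp key K address A netmask M' (PIX)."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^\s*(?:crypto )?isakmp key (?:[06] )?(\S+) address (\S+)",
                                 config, re.M)}


def audit(config):
    """Return a list of findings; an empty list means the config meets the baseline."""
    findings = []
    for num, p in sorted(parse_isakmp_policies(config).items()):
        if p["encryption"].split()[0] in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {num}: encryption '{p['encryption']}' is obsolete, use aes 256")
        if p["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {num}: hash '{p['hash']}' is weak, use sha256")
        if int(p["group"]) < MIN_DH_GROUP:
            findings.append(f"isakmp policy {num}: DH group {p['group']} is too small, use group {MIN_DH_GROUP} or larger")
    for peer, key in parse_preshared_keys(config).items():
        if len(key) < MIN_PSK_LENGTH:
            findings.append(f"pre-shared key for {peer} is only {len(key)} characters, use a long random key")
    for name, transforms in parse_transform_sets(config).items():
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: {t} is weak, use esp-aes 256 esp-sha256-hmac")
    return findings


def hardened_policy(num, peer, psk):
    """IOS-style replacement that passes audit(). Assumes a current IOS release;
    the PIX 6.x of the slides does not offer AES-256, SHA-256 or group 14."""
    return "\n".join([
        f"crypto isakmp policy {num}",
        " encryption aes 256",
        " hash sha256",
        " authentication pre-share",
        f" group {MIN_DH_GROUP}",
        " lifetime 86400",
        f"crypto isakmp key {psk} address {peer}",
        "!",
        "crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac",
    ])


# The policy, key and transform-set from the router (page 11) and PIX (page 14)
# slides, reproduced here as input.
ROUTER_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key vpn2vpn address 5.1.1.2
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
"""
PIX_CFG = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp key vpn2vpn address 5.1.1.1 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
"""

if __name__ == "__main__":
    for label, cfg in (("router", ROUTER_CFG), ("pix", PIX_CFG)):
        print(f"{label}: {len(audit(cfg))} findings")
        for finding in audit(cfg):
            print("  -", finding)
    print(hardened_policy(10, "5.1.1.2", "Xq7!mP2vL9#rT4wK8zB3nH6"))
```

Both slide configurations produce the same six findings: the encryption (applied as a default on the router, explicit on the PIX), the hash, the DH group, the seven-character key, and the two transforms. Run the audit on both ends of a tunnel together, since the weaker side decides what the negotiation settles on.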

Page 15:

VPN & GRE

GRE: Generic Routing Encapsulation. Used to encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to remote points over an IP network.

In this instance, we use an IPSEC tunnel to create a secure/encrypted path between two public points. GRE is used to create a virtual Intranet path between two private points, and that GRE traffic is what the IPSEC tunnel carries.

Because GRE carries broadcast and multicast traffic (which an IPSEC tunnel alone does not), we can run EIGRP or other dynamic routing protocols across it, reducing the need for static routing in larger VPN topologies.

Page 16:

GRE Example

interface Loopback10
 description Loopback for GRE tunnel
 ip address 10.0.1.10 255.255.255.255
!
interface Tunnel10
 description GRE tunnel to GRE-RTR
 ip address 10.0.0.1 255.255.255.252
 tunnel source Loopback10
 tunnel destination 10.0.0.10
!
ip access-list extended vpn-tunnel
 permit ip host 10.0.1.10 host 10.0.0.10
!
ip route 10.0.0.10 255.255.255.255 5.1.1.2

With GRE in place the crypto access-list no longer lists the LANs: it matches only the packets between the two loopbacks, and the LAN-to-LAN traffic is protected because it travels inside those GRE packets. The host route for the remote loopback via 5.1.1.2 is the static route from step 3 on page 7; it sends the GRE packets out the interface that carries the crypto map. The remote router needs the mirror image (loopback 10.0.0.10, tunnel destination 10.0.1.10, and a host route to 10.0.1.10 pointing at this router's public address). Narrowing the access-list from permit ip to permit gre for the same hosts is a tighter selector with the same effect.

Page 17:

Intro to the VPN Concentrator

                             VPN 3005    VPN 3015    VPN 3030     VPN 3060     VPN 3080
Simultaneous Users           100         100         1,500        5,000        10,000
Maximum LAN-to-LAN Sessions  100         100         500          1,000        1,000
Encryption Throughput        4 Mbps      4 Mbps      50 Mbps      100 Mbps     100 Mbps
Encryption Method            Software    Software    Hardware     Hardware     Hardware
Available Expansion Slots    0           4           3            2            2
Encryption (SEP) Modules     0           0           1            2            4
Redundant SEP                n/a         n/a         Option       Option       Yes
System Memory                32/64 MB    128 MB      128/256 MB   256/512 MB   256/512 MB
                             (fixed)
Client License               Unlimited   Unlimited   Unlimited    Unlimited    Unlimited

Source: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_models_comparison.html

Pages 18-29: no text was extracted from these slides.
Page 30:

Troubleshooting, Cont.

Check IPSEC Tunnel
– show crypto ipsec sa
– show crypto isakmp sa
– clear crypto sa
– debug crypto ipsec
– debug crypto isakmp

show crypto isakmp sa tells you whether Phase 1 completed; show crypto ipsec sa shows the Phase 2 SAs and the encrypt/decrypt packet counters in each direction, which is where a one-way tunnel or a mismatched access-list first shows itself.

Check for mismatched access-lists (most common problem!)

Check for static routes - you must tell the local router/FW that the private destination is via the public interface
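Mismatched access-lists are named above as the most common problem, and the two sides of this deck express them differently (IOS wildcard masks on pages 12 and 16, PIX netmasks on page 13). The script below is an added example for this page, not code from the presentation: it parses both syntaxes, reports any permit entry that lacks an exact mirror on the other peer, and evaluates a packet against a crypto access-list the way the router does (first match, implicit deny), which also shows why the GRE access-list on page 16 selects the tunnel packets rather than the LAN traffic. The configuration strings are copied from the slides; the parsing code, the strictness of the mirror check, and the sample packets are the editor's.

```python
"""Compare the crypto ACLs on two IPsec peers (IOS wildcard-mask syntax on one
side, PIX netmask syntax on the other) and test which packets they select."""
import ipaddress

# IANA protocol numbers for the keywords used in these ACLs; 'ip' matches any
PROTO_NUMBERS = {"ip": None, "gre": 47, "tcp": 6, "udp": 17, "icmp": 1, "esp": 50}


def _parse_endpoint(tokens, wildcard):
    """Pop one address spec ('any', 'host A', or 'A mask') and return an IPv4Network.
    IOS extended ACLs carry wildcard masks (0.255.255.255); PIX ACLs carry netmasks."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:  # invert the wildcard into a netmask (assumes a contiguous mask)
        mask = str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_crypto_acl(config, name, wildcard):
    """Return [(action, proto, src_net, dst_net)] for the named ACL.
    wildcard=True  -> IOS 'ip access-list extended NAME' block with indented entries
    wildcard=False -> PIX 'access-list NAME permit|deny ...' one-liners"""
    entries, in_block = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if wildcard:
            if line.startswith("ip access-list"):
                in_block = line.split()[-1] == name
                continue
            if line and not raw[:1].isspace():   # a top-level command ends the block
                in_block = False
            if not in_block or not line or line.startswith("!"):
                continue
            tokens = line.split()
            if tokens[0].isdigit():               # optional sequence number
                tokens.pop(0)
        else:
            parts = line.split()
            if len(parts) < 3 or parts[:2] != ["access-list", name]:
                continue
            tokens = parts[2:]
        action, proto = tokens.pop(0), tokens.pop(0)
        src = _parse_endpoint(tokens, wildcard)
        dst = _parse_endpoint(tokens, wildcard)
        entries.append((action, proto, src, dst))
    return entries


def mirror_mismatches(local, remote):
    """Every permit entry on one peer must appear with src/dst swapped on the other.
    Returns a list of findings; an empty list means the two ACLs mirror exactly."""
    def permits(entries):
        return {(p, str(s), str(d)) for a, p, s, d in entries if a == "permit"}
    loc, rem = permits(local), permits(remote)
    findings = [f"local '{p} {s} -> {d}' has no mirror entry on the remote peer"
                for p, s, d in sorted(loc) if (p, d, s) not in rem]
    findings += [f"remote '{p} {s} -> {d}' has no mirror entry on the local peer"
                 for p, s, d in sorted(rem) if (p, d, s) not in loc]
    return findings


def acl_selects(entries, proto_num, src_ip, dst_ip):
    """First-match evaluation of one packet against the crypto ACL: True means the
    packet is sent through IPsec, False means it leaves the interface in the clear."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, s_net, d_net in entries:
        want = PROTO_NUMBERS.get(proto)
        if want is not None and want != proto_num:
            continue
        if src in s_net and dst in d_net:
            return action == "permit"
    return False                                   # implicit deny at the end of every ACL


# Inputs reproduced from the slides: router ACLs (page 12), PIX ACL (page 13),
# and the GRE-endpoint ACL that replaces the router one on page 16.
ROUTER_ACL = """\
ip access-list extended Nat
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip any any
ip access-list extended vpn-tunnel
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
route-map Internet permit 10
 match ip address Nat
"""
PIX_ACL = "access-list vpn-tunnel permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0\n"
GRE_ACL = """\
ip access-list extended vpn-tunnel
 permit ip host 10.0.1.10 host 10.0.0.10
"""


def check_slide_configs():
    """The checks to run before reaching for debug crypto isakmp."""
    router = parse_crypto_acl(ROUTER_ACL, "vpn-tunnel", wildcard=True)
    pix = parse_crypto_acl(PIX_ACL, "vpn-tunnel", wildcard=False)
    gre = parse_crypto_acl(GRE_ACL, "vpn-tunnel", wildcard=True)
    return {
        "router_vs_pix": mirror_mismatches(router, pix),
        "gre_vs_pix": mirror_mismatches(gre, pix),
        "gre_packet_selected": acl_selects(gre, 47, "10.0.1.10", "10.0.0.10"),
        "lan_packet_selected_by_gre_acl": acl_selects(gre, 6, "10.1.1.5", "10.1.2.5"),
        "lan_packet_selected_by_router_acl": acl_selects(router, 6, "10.1.1.5", "10.1.2.5"),
    }


if __name__ == "__main__":
    for key, value in check_slide_configs().items():
        print(f"{key}: {value}")
```

The page 12 and page 13 access-lists mirror each other, so that pair passes. Pairing the page 16 GRE access-list with the unchanged PIX list reports two mismatches, which is exactly what happens in practice when only one side is converted to GRE over IPsec: the proxy identities disagree and Phase 2 fails. The packet checks show that, under the GRE access-list, a bare LAN-to-LAN packet is not selected; it is protected only because it is encapsulated into the loopback-to-loopback GRE packet first.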

Page 31:

Questions?
