© 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change.
Technical Development Program
VPN basics
November 5, 2014
Martín Bratina
• Buenos Aires, Argentina
• 32 years old
• 10+ years in Telecom/Networking
• 3+ in AT&T
• Soccer
• Music
• Drumming
• Golf
Agenda
1. What is a VPN?
2. Types of VPNs
3. Commonly used VPNs
4. IPSec VPNs
5. Lab
6. Real scenario troubleshooting
7. Q&A
What is a VPN?
VPN
[Figure: Site A and Site B joined by a tunnel across the Internet]
• Establishes a connection between networks over an untrusted network by means of a tunnel
Types of VPNs
Types of VPNs
• Site to Site
• Remote Access
• Site to Site
• Remote Access
[Figure: site-to-site VPN. Site A and Site B exchange "Data A-B" through a tunnel over the Internet]
Types of VPNs
• Site to Site
• Remote Access
[Figure: remote-access VPN. User 1, User 2 … User n each connect individually to Site A]
Commonly used VPNs
• L2 VPNs
  L2TP
  MPLS VPN: VPLS
• L3 VPNs
  IPSec
  MPLS VPN: routed
  GRE
• L5/L6 VPNs
  SSL/TLS
IPSec VPN
• IP Security
• RFCs: a lot of them. The series starts at RFC 2401
• Works at the IP layer (L3)
• Supports ONLY unicast traffic
• 2 modes
  Tunnel mode
  Transport mode
• 2 protocols
  ESP: Encapsulating Security Payload
  AH: Authentication Header
• 2 phases
  Phase 1: establishes a secure channel that is used to negotiate Phase 2
  Phase 2: establishes the secure channel (the IPSec security associations) that protects the data
IPSec VPN: Benefits
• Anti Replay
• Confidentiality
• Integrity
• Authentication
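The anti-replay benefit above comes from a sliding window the receiver keeps per security association. The following is an added example, not code from the slides, implementing the 64-packet window in the style of RFC 4303 Appendix A; the packet sequence fed through it is constructed for the demonstration:

```python
"""ESP anti-replay sliding window (RFC 4303 Appendix A style), added example."""


class ReplayWindow:
    """Tracks which ESP sequence numbers have already been accepted for one SA.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has been seen.  A 64-packet
    window is the minimum a receiver must support.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True if `seq` is fresh (and record it), False if it must be dropped."""
        if seq == 0:
            return False  # the first packet on an SA carries sequence number 1
        if seq > self.top:
            # Newer than anything seen so far: slide the window forward.
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1  # jumped so far that every old entry falls out
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # older than the window: drop, replay cannot be ruled out
        if (self.bitmap >> offset) & 1:
            return False  # already accepted once: this is a replay
        self.bitmap |= 1 << offset
        return True


def simulate(sequence_numbers, size=64):
    """Feed received sequence numbers through one window; return accept/drop per packet."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in sequence_numbers]


# Constructed sample: reordered delivery (3 before 2), two replays, a large
# jump after packet loss, and a packet that is too old once the window moved.
SAMPLE = [1, 3, 2, 2, 3, 100, 36, 37]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE, simulate(SAMPLE)):
        print(f"seq {seq:>3}: {'accept' if ok else 'DROP'}")
```

The check only protects against replay because the sequence number is covered by the ESP integrity check value: a captured packet cannot simply be renumbered. A receiver runs the (cheap) window check before verifying the ICV and updates the window only after the ICV verifies.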
IPSec encapsulation
• ESP, tunnel mode
• ESP, transport mode
• AH, tunnel mode
• AH, transport mode
IPSec VPN: Phase 1
• Builds on the ISAKMP and OAKLEY protocols
• Internet Key Exchange (IKE) protocol
• Runs over UDP, port 500
• 2 modes:
  Main
  Aggressive
• Parameters
  Encryption
  Integrity
  Diffie-Hellman group
  Timeout
  Authentication
IPSec VPN: Phase 2
• IPSec parameters
  Protocol: ESP or AH
  Encryption: transform set
  Integrity: transform set
  Proxy: interesting traffic (the crypto ACL)
  Lifetime: SA regeneration time
  Peer: remote endpoint
  Optional: Perfect Forward Secrecy (PFS)
IPSec VPN: concepts
• Encryption
• Integrity
• Keys
Encryption Process
[Figure: the encryption algorithm, keyed with the encryption key, turns Data "www.att.com" into Data "das$s.1O9&f"; the receiver reverses it with the same encryption key]
Hash Process. (HMAC)
[Figure, steps 1 to 5: the sender runs the hash algorithm over Data and transmits Data together with the resulting HASH; the receiver runs the same hash algorithm over the received Data and compares its HASH with the one received. If the hash values match, the data is good.]
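The five steps in the diagram, written out as an added example (not from the slides). The key is what turns a plain hash into an HMAC: without it anyone could recompute a matching hash over altered data. The key and data are constructed for the demonstration, and the tag is truncated to 96 bits the way ESP's HMAC-MD5-96 and HMAC-SHA-1-96 do:

```python
import hashlib
import hmac

# ESP's HMAC-*-96 variants keep the first 96 bits (12 bytes) of the tag; this
# added example uses HMAC-SHA-256 truncated the same way.
ICV_LEN = 12


def compute_tag(key, data):
    """Steps 1-2: keyed hash over the data; the secret key is what makes it an HMAC."""
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def protect(key, data):
    """Step 3: the sender transmits the data with the tag appended."""
    return data + compute_tag(key, data)


def is_authentic(key, message):
    """Steps 4-5: recompute the tag over the received data and compare in constant time."""
    if len(message) < ICV_LEN:
        return False
    data, received_tag = message[:-ICV_LEN], message[-ICV_LEN:]
    return hmac.compare_digest(compute_tag(key, data), received_tag)


def receive(key, message):
    """Strip the tag and return the data, or raise if the hash values do not match."""
    if not is_authentic(key, message):
        raise ValueError("integrity check failed: data or tag was altered")
    return message[:-ICV_LEN]


def flip_bit(message, index):
    """Simulate in-flight corruption or tampering of one byte."""
    altered = bytearray(message)
    altered[index] ^= 0x01
    return bytes(altered)


# Constructed values for the demonstration; a real key comes from IKE, not a literal.
KEY = b"constructed-demo-key-not-for-use"
DATA = b"www.att.com"

if __name__ == "__main__":
    msg = protect(KEY, DATA)
    print("intact   :", is_authentic(KEY, msg))
    print("tampered :", is_authentic(KEY, flip_bit(msg, 0)))
    print("wrong key:", is_authentic(b"other-key", msg))
```

`hmac.compare_digest` matters: a byte-by-byte `==` that stops at the first difference leaks, through timing, how many leading tag bytes a forgery got right.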
Symmetric key encryption
• Symmetric keys are faster and are used for bulk data encryption
• Typical key sizes vary from 40 bits to 2048 bits
• Examples: DES, 3DES, AES
[Figure, steps 1 to 3: the sender combines the original data with the key to produce encrypted data; the encrypted data crosses the network; the receiver combines the encrypted data with the same key to recover the original data]
Public key encryption
• Public and private key scheme
• Slow when used for data encryption
• Examples: RSA, DH
[Figure, steps 1 to 4: the receiver's public key (Pub) is shared with the sender while the private key (Priv) stays with the receiver; the sender encrypts the original data with Pub; the encrypted data crosses the network; the receiver decrypts it with Priv to recover the original data]
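Of the two examples named above, Diffie-Hellman is the one IKE Phase 1 actually runs (the "Diffie-Hellman group" parameter), and it is also what PFS re-runs in Phase 2. The block below is an added example, not code from the slides: it uses a toy prime and generator constructed for the demonstration rather than a real IKE MODP group, and its key derivation is an illustrative HMAC-based construction, not IKE's exact SKEYID formulas.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example only. IKE negotiates a standardised
# MODP group (the lab's "group 2" is the 1024-bit group from RFC 2409); do not
# reuse these values anywhere.
P = 2**127 - 1  # a Mersenne prime, big enough to exercise the arithmetic
G = 5


def valid_public_value(y, p=P):
    """Reject 0, 1 and p-1, whose tiny subgroups would make the secret trivial."""
    return 1 < y < p - 1


class DHParty:
    """One IKE peer's half of the Diffie-Hellman exchange."""

    def __init__(self, p=P, g=G):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 2) + 1  # x, never leaves this party
        self.public = pow(g, self.private, p)        # g^x mod p, sent in the clear

    def shared_secret(self, peer_public):
        if not valid_public_value(peer_public, self.p):
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.p)  # (g^y)^x = g^xy mod p


def derive_key(shared_secret, nonce_i, nonce_r):
    """Illustrative PRF-based key derivation (assumption: not IKE's exact SKEYID steps)."""
    ss = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, ss, hashlib.sha256).digest()


def run_exchange():
    """Initiator and responder end up with the same key without ever sending it."""
    initiator, responder = DHParty(), DHParty()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    k_i = derive_key(initiator.shared_secret(responder.public), nonce_i, nonce_r)
    k_r = derive_key(responder.shared_secret(initiator.public), nonce_i, nonce_r)
    return k_i, k_r


if __name__ == "__main__":
    k_i, k_r = run_exchange()
    print("keys match:", k_i == k_r)
    print("fresh exchange gives a fresh key (PFS):", run_exchange()[0] != k_i)
```

An eavesdropper sees only g^x, g^y and the nonces; the private exponents are discarded after the exchange, which is exactly why a fresh exchange per Phase 2 rekey (PFS) keeps old traffic safe if a later key leaks.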
LAB
• Site-to-site IPSec VPN
• Pre-shared key authentication
[Figure: lab topology. Site A, 10.10.1.0/24, sits behind the ASA whose outside address is 1.1.1.2; Site B, 192.168.1.0/24, sits behind the IOS router whose outside address is 2.2.2.2; the two connect across the Internet. The diagram also shows 1.1.1.1 and 2.2.2.1 on the Internet side of each link.]
LAB config: Cisco ASA v8.4
!
!PHASE 1
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567890
!
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto ikev1 enable outside
!
!PHASE 2
!
access-list cptomap_vpn_siteb extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map cptomap_outside 10 match address cptomap_vpn_siteb
crypto map cptomap_outside 10 set peer 2.2.2.2
crypto map cptomap_outside 10 set transform-set ESP-3DES-MD5
!
crypto map cptomap_outside interface outside
!
LAB config: Cisco IOS v15.1
!
!PHASE 1
!
crypto isakmp policy 10
encryption aes 128
hash md5
group 2
authentication pre-share
lifetime 86400
!
crypto isakmp key 1234567890 address 1.1.1.2
!
!
!PHASE 2
!
ip access-list extended cptomap_vpn_sitea
 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode tunnel
!
crypto map cptomap_outside local-address fastethernet 0/0
crypto map cptomap_outside 10 ipsec-isakmp
 match address cptomap_vpn_sitea
 set peer 1.1.1.2
 set transform-set ESP-3DES-MD5
!
interface fastethernet 0/0
 crypto map cptomap_outside
!
LAB config: Verification commands
!
! PHASE 1
!
show crypto ikev1 sa (ASA)
show crypto ikev1 sa detail (ASA)
show crypto isakmp sa (IOS)
!
! PHASE 2
!
show crypto ipsec sa
show crypto ipsec sa detail
show crypto condition peer x.x.x.x
show crypto session (IOS)
!
Troubleshooting
• Check the pre-shared key
• Check ACLs
• Check Phase 1 parameters
• Check Phase 2 parameters
• Check routes to the remote network
• Verify that ISAKMP-IKE/crypto map is enabled on the interfaces
• Verify that ISAKMP and ESP traffic is allowed
• Debug
• Check internal port openings
• Check NAT translations
• Don’t assume, CHECK. Check the config, then RE-CHECK it! Be prepared to guide the other end through the verification/debug process
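The first four items on the checklist (pre-shared key, ACLs, Phase 1 and Phase 2 parameters) can be checked mechanically when both ends' configs are at hand. The script below is an added example, not part of the course material: it reads constructed copies of the relevant lines from the two lab configs, mirrors the IOS wildcard-mask ACL against the ASA subnet-mask ACL, and reports any disagreement. The regexes are deliberately minimal and assume the one-policy, one-transform-set layout of the lab; the one normalisation it applies, treating ASA `encryption aes` and IOS `encryption aes 128` as the same thing, is how those two platforms spell AES-128.

```python
import ipaddress
import re

# Constructed copies of the relevant lines from the lab slides (ASA at Site A,
# IOS router at Site B); only the lines the checks need are kept.
ASA_CONFIG = """\
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key 1234567890
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
access-list cptomap_vpn_siteb extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
"""

IOS_CONFIG = """\
crypto isakmp policy 10
 encryption aes 128
 hash md5
 group 2
 authentication pre-share
 lifetime 86400
crypto isakmp key 1234567890 address 1.1.1.2
ip access-list extended cptomap_vpn_sitea
 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
"""


def phase1_params(cfg):
    """Phase 1 policy values; ASA 'encryption aes' and IOS 'encryption aes 128' both mean AES-128."""
    params = {}
    for key in ("encryption", "hash", "group", "lifetime", "authentication"):
        match = re.search(rf"^\s*{key} (.+)$", cfg, re.M)
        if match:
            params[key] = match.group(1).strip()
    if params.get("encryption") == "aes 128":
        params["encryption"] = "aes"
    return params


def pre_shared_keys(cfg):
    """Keys as written on either platform (ASA tunnel-group vs IOS isakmp key)."""
    keys = re.findall(r"^\s*pre-shared-key (\S+)", cfg, re.M)
    keys += re.findall(r"^\s*crypto isakmp key (\S+) address", cfg, re.M)
    return set(keys)


def wildcard_to_netmask(wildcard):
    """IOS ACLs use inverted (wildcard) masks: 0.0.0.255 -> 255.255.255.0."""
    inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(inverted))


def crypto_acl(cfg, platform):
    """Set of (source, destination) networks selected as interesting traffic."""
    entries = set()
    for src, sm, dst, dm in re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg):
        if platform == "ios":
            sm, dm = wildcard_to_netmask(sm), wildcard_to_netmask(dm)
        entries.add((ipaddress.ip_network(f"{src}/{sm}"), ipaddress.ip_network(f"{dst}/{dm}")))
    return entries


def transform_sets(cfg):
    """Transform-set name -> set of ESP algorithms."""
    found = re.findall(r"transform-set (\S+) ((?:esp-\S+\s?)+)", cfg)
    return {name: frozenset(algs.split()) for name, algs in found}


def compare_peers(asa_cfg, ios_cfg):
    """Return a list of mismatches; an empty list means both ends agree on the checked items."""
    findings = []
    asa_p1, ios_p1 = phase1_params(asa_cfg), phase1_params(ios_cfg)
    for key in sorted(set(asa_p1) | set(ios_p1)):
        if asa_p1.get(key) != ios_p1.get(key):
            findings.append(f"phase1 {key}: ASA={asa_p1.get(key)} IOS={ios_p1.get(key)}")
    if pre_shared_keys(asa_cfg) != pre_shared_keys(ios_cfg):
        findings.append("phase1 pre-shared key differs")
    asa_acl, ios_acl = crypto_acl(asa_cfg, "asa"), crypto_acl(ios_cfg, "ios")
    if {(dst, src) for src, dst in asa_acl} != ios_acl:  # each side's ACL must be the other's mirror
        findings.append("phase2 crypto ACLs are not mirror images")
    if set(transform_sets(asa_cfg).values()) != set(transform_sets(ios_cfg).values()):
        findings.append("phase2 transform sets differ")
    return findings


if __name__ == "__main__":
    print("lab configs:", compare_peers(ASA_CONFIG, IOS_CONFIG) or "no mismatches")
    print("IOS hash sha:", compare_peers(ASA_CONFIG, IOS_CONFIG.replace("hash md5", "hash sha")))
```

A clean result from this script does not replace the rest of the checklist: routes, NAT exemption, and whether UDP 500 and ESP actually reach the peer are outside what the two configs alone can prove.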
Q&A
Thank You!