ccna security 08ver2

Upload: daniel-daniel

Post on 04-Jun-2018


  • 8/13/2019 CCNA Security 08ver2

    1/136

    1 2009 Cisco Learning Institute.

    CCNA Security

    Chapter Eight

    Implementing Virtual Private Networks

Lesson Planning

This lesson should take 3-4 hours to present.

The lesson should include lecture, demonstrations, discussions and assessments.

The lesson can be taught in person or using remote instruction.

Major Concepts

Describe the purpose and operation of VPN types

Describe the purpose and operation of GRE VPNs

Describe the components and operations of IPsec VPNs

Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using the CLI

Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM

Configure and verify a remote-access VPN

Lesson Objectives

Upon completion of this lesson, the successful participant will be able to:

1. Describe the purpose and operation of VPNs

2. Differentiate between the various types of VPNs

3. Identify the Cisco VPN product line and the security features of these products

4. Configure a site-to-site VPN GRE tunnel

5. Describe the IPsec protocol and its basic functions

6. Differentiate between AH and ESP

7. Describe the IKE protocol and modes

8. Describe the five steps of IPsec operation

Lesson Objectives

9. Describe how to prepare IPsec by ensuring that ACLs are compatible with IPsec

10. Configure IKE policies using the CLI

11. Configure the IPsec transform sets using the CLI

12. Configure the crypto ACLs using the CLI

13. Configure and apply a crypto map using the CLI

14. Describe how to verify and troubleshoot the IPsec configuration

15. Describe how to configure IPsec using SDM

16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in SDM

17. Configure a site-to-site VPN using the step-by-step VPN Wizard in SDM

Lesson Objectives

18. Verify, monitor and troubleshoot VPNs using SDM

19. Describe how an increasing number of organizations are offering telecommuting options to their employees

20. Differentiate between remote-access IPsec VPN solutions and SSL VPNs

21. Describe how SSL is used to establish a secure VPN connection

22. Describe the Cisco Easy VPN feature

23. Configure a VPN server using SDM

24. Connect a VPN client using the Cisco VPN Client software


    VPNs

    VPN Overview

    VPN Technologies

    VPN Solutions


    VPN Overview

    What is a VPN?

    Layer 3 VPNs

What is a VPN?

- Virtual: information within a private network is transported over a public network.

- Private: the traffic is encrypted to keep the data confidential.

[Figure: a corporate network behind a firewall (hosts running CSA), reached over the Internet and WAN by VPNs from a regional branch with a VPN-enabled Cisco ISR router, a SOHO with a Cisco DSL router, a mobile worker with the Cisco VPN Client, and a business partner with a Cisco router.]

Layer 3 VPNs

Generic Routing Encapsulation (GRE)

Multiprotocol Label Switching (MPLS)

IPsec

[Figure: a SOHO with a Cisco DSL router connected across the Internet by an IPsec VPN.]


    VPN Technologies

    Types of VPN Networks

    Site-to-Site VPN

    Remote-Access VPN

    VPN Client Software

    Cisco IOS SSL VPN

Types of VPN Networks

[Figure: the corporate network (MARS, IronPort, firewall, IPS, web server, email server, DNS, hosts with CSA). The regional branch with a VPN-enabled Cisco ISR router, the SOHO with a Cisco DSL router and the business partner with a Cisco router connect by site-to-site VPNs; the mobile worker with the Cisco VPN Client connects by a remote-access VPN, over the Internet and WAN.]

Site-to-Site VPN

[Figure: site-to-site VPNs from the regional branch (VPN-enabled Cisco ISR router), the SOHO (Cisco DSL router) and the business partner (Cisco router) to the corporate network over the Internet and WAN.]

Hosts send and receive normal TCP/IP traffic through a VPN gateway.

Remote-Access VPNs

[Figure: a mobile worker with the Cisco VPN Client connecting to the corporate network over the Internet by a remote-access VPN.]

VPN Client Software

[Figure: Cisco VPN Client connection entry for R1 (R1-vpn-cluster.span.com).]

In a remote-access VPN, each host typically has Cisco VPN Client software.

Cisco IOS SSL VPN

Provides remote-access connectivity from any Internet-enabled host

Uses a web browser and SSL encryption

Delivers two modes of access:

- Clientless

- Thin client

VPN Solutions

Cisco VPN Product Family

Cisco VPN-Optimized Routers

Cisco ASA 5500 Series Adaptive Security Appliances

IPsec Clients

Hardware Acceleration Modules

Cisco VPN Product Family

Product choice                                       Remote-Access VPN   Site-to-Site VPN
Cisco VPN-Enabled Router                             Secondary role      Primary role
Cisco PIX 500 Series Security Appliances             Secondary role      Primary role
Cisco ASA 5500 Series Adaptive Security Appliances   Primary role        Secondary role
Cisco VPN 3000 Series Concentrators                  Primary role        Secondary role
Home Routers                                         Primary role        ?

Cisco VPN-Optimized Routers

[Figure: remote office, regional office, SOHO and main office Cisco routers interconnected over the Internet.]

VPN features:

- Voice and video enabled VPN (V3PN)
- IPsec stateful failover
- DMVPN
- IPsec and Multiprotocol Label Switching (MPLS) integration
- Cisco Easy VPN

IPsec Clients

- Cisco AnyConnect VPN Client: provides remote users with secure VPN connections
- Certicom PDA IPsec VPN Client: a wireless client that is loaded on a PDA
- Cisco VPN Software Client: software loaded on a PC
- Router with firewall and VPN client: a network appliance that connects SOHO LANs to the VPN

[Figure: a small office and individual clients reaching the VPN across the Internet.]

Hardware Acceleration Modules

- AIM (Advanced Integration Module)
- Cisco IPsec VPN Shared Port Adapter (SPA)
- Cisco PIX VPN Accelerator Card+ (VAC+)
- Enhanced Scalable Encryption Processing (SEP-E)

GRE VPNs

Overview

Encapsulation

Configuring a GRE Tunnel

Using GRE


    Overview

Encapsulation

[Figure: the original IP packet (IP header + payload), and the same packet encapsulated with GRE: a new delivery IP header and a GRE header are placed in front of the unchanged original packet.]

Configuring a GRE Tunnel

R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 192.168.5.5
R1(config-if)# tunnel mode gre ip
R1(config-if)#

R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 192.168.3.3
R2(config-if)# tunnel mode gre ip
R2(config-if)#

1. Create a tunnel interface (interface tunnel 0).
2. Assign the tunnel an IP address (ip address); both ends share the 10.1.1.0/30 subnet.
3. Identify the source interface of the tunnel (tunnel source).
4. Identify the destination of the tunnel (tunnel destination): each router's destination is the other router's tunnel source address, so R1 points at 192.168.5.5 (R2's Serial 0/0) and R2 points at 192.168.3.3 (R1's Serial 0/0).
5. Configure what protocol GRE will encapsulate (tunnel mode gre ip, which is also the default tunnel mode).

Using GRE

[Flowchart: Is the user traffic IP only? No: use a GRE tunnel. Yes: is it unicast only? No: use a GRE tunnel. Yes: use an IPsec VPN.]

GRE does not provide encryption. Non-IP traffic and IP multicast or broadcast traffic (routing protocol updates, for example) cannot be carried directly by a classic IPsec VPN, so they are put into a GRE tunnel; because GRE carries them in plaintext, the GRE tunnel itself is normally protected with IPsec.
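GRE encapsulation as an added example (not part of the Cisco slides): a small Python model of what the tunnel interface configured above does to a packet, and a decapsulation routine for the other end. The tunnel endpoint addresses are the ones from the R1/R2 configuration; the inner ping packet, the keys and all function names are constructed for this example. It also makes the slide's last point concrete: the original packet is carried byte-for-byte inside the GRE packet.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 payload (EtherType value)
IPPROTO_GRE = 47          # outer IP header protocol number for GRE
IPPROTO_ICMP = 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options, no fragmentation) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What 'tunnel mode gre ip' does to a packet routed into the tunnel interface:
    a new delivery IP header (protocol 47) and a 4-byte GRE header (no checksum, key
    or sequence flags; protocol type 0x0800) are put in front of the untouched packet."""
    gre_hdr = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_hdr + inner_packet)


def gre_decapsulate(outer_packet: bytes) -> tuple:
    """Strip the delivery IP header and the GRE header; return (src, dst, inner packet)."""
    ihl = (outer_packet[0] & 0x0F) * 4
    if outer_packet[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    src = str(IPv4Address(outer_packet[12:16]))
    dst = str(IPv4Address(outer_packet[16:20]))
    flags, ptype = struct.unpack("!HH", outer_packet[ihl:ihl + 4])
    if flags & 0xF000:   # C, R, K or S bit set: optional fields would follow the header
        raise ValueError("optional GRE fields (checksum/key/sequence) not handled here")
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return src, dst, outer_packet[ihl + 4:]


# Constructed sample: a ping from R1's tunnel address to R2's tunnel address.
# The delivery addresses are the Serial 0/0 endpoints from the R1/R2 configuration above.
INNER = build_ipv4("10.1.1.1", "10.1.1.2", IPPROTO_ICMP, b"\x08\x00\x00\x00gre-sample")
OUTER = gre_encapsulate(INNER, "192.168.3.3", "192.168.5.5")


def gre_overhead() -> int:
    """Bytes GRE adds per packet: 20 (delivery IP header) + 4 (GRE header)."""
    return len(OUTER) - len(INNER)


def payload_in_clear() -> bool:
    """GRE provides no confidentiality: the original packet is carried verbatim."""
    return INNER in OUTER
```

Anyone on the path between 192.168.3.3 and 192.168.5.5 can read the inner packet, which is why a GRE tunnel that carries anything sensitive is wrapped in IPsec in turn.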


    IPSec VPN Componentsand Operation

    Introducing IPSec

    IPSec Security Protocols

    Internet Key Exchange (IKE)

Introducing IPsec

IPsec Topology

IPsec Framework:

- Confidentiality
- Integrity
- Authentication (pre-shared key or RSA signature)
- Secure key exchange

IPsec Topology

Works at the network layer, protecting and authenticating IP packets.

- It is a framework of open standards which is algorithm-independent.

- It provides data confidentiality, data integrity, and origin authentication.

[Figure: IPsec peers of a main site (perimeter router, ASA, legacy Cisco PIX firewall and legacy concentrator): a business partner with a Cisco router, a regional office with a Cisco PIX firewall, a SOHO with a Cisco ISDN/DSL router, and a mobile worker with the Cisco VPN Client on a laptop computer, connecting via a POP to the corporate network.]

IPsec Framework

[Figure: the IPsec framework as a stack of choices: IPsec protocol (AH or ESP), confidentiality (encryption algorithm), integrity (hash), authentication (PSK or RSA), and Diffie-Hellman group (DH7 shown).]

Confidentiality

Encryption algorithms and key lengths, from least secure to most secure:

- DES: 56-bit key
- 3DES: 56-bit key applied three times (168 bits of key)
- SEAL: 160-bit key
- AES: 128-bit, 192-bit or 256-bit key

Integrity

Hashed message authentication codes, from least secure to most secure:

- HMAC-MD5: 128-bit
- HMAC-SHA-1: 160-bit

Authentication

Peer authentication uses either pre-shared keys or RSA signatures, described on the next two slides.

Pre-shared Key (PSK)

At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.

The authentication process continues in the opposite direction. The remote device combines its identity information with the pre-shared authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.

Anyone who learns the PSK can impersonate either peer, so the key must be long and random, distributed out of band, and different for each pair of peers.

RSA Signatures

At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm, forming hash_I. hash_I is signed (encrypted) using the local device's private key, creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public key for verifying the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public key. The result is hash_I.

Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.

Secure Key Exchange (Diffie-Hellman)

IPsec Security Protocols

IPsec Framework Protocols

Authentication Header

ESP

Function of ESP

Mode Types

IPsec Framework Protocols

Authentication Header (AH): all data travels in plaintext between R1 and R2. AH provides authentication and integrity.

Encapsulating Security Payload (ESP): the data payload is encrypted between R1 and R2. ESP provides encryption, authentication and integrity.

Because AH also authenticates the outer IP addresses, it cannot cross a NAT device; ESP with an authentication transform gives the same integrity protection plus confidentiality and is what is deployed in practice.

Authentication Header

1. The IP header and data payload are hashed together with the shared key (in the figure, Hash(IP header + data + key) = 00ABCDEF).

2. The hash builds a new AH header, which is inserted between the IP header and the data of the original packet (IP HDR | AH | Data).

3. The new packet is transmitted across the Internet to the IPsec peer router.

4. The peer router hashes the IP header and data payload with the same key, extracts the transmitted hash from the AH, and compares the two: recomputed hash 00ABCDEF = received hash 00ABCDEF, so the packet is accepted; any mismatch means the packet was altered or came from a peer without the key.
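The four AH steps above as an added example in Python (not from the Cisco slides): transport-mode AH with HMAC-SHA1-96, the keyed hash IPsec actually uses for ah-sha-hmac, computed over the IP header and data with the fields that legitimately change in transit zeroed. The addresses are Site 1/Site 2 hosts from later slides; the key, the ICMP payload, the SPI and the function names are constructed for this example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

IPPROTO_AH = 51
IPPROTO_ICMP = 1
ICV_LEN = 12   # HMAC-SHA1-96 (RFC 2404): 160-bit HMAC truncated to 96 bits


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header; the checksum is left zero because AH treats it as mutable anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 4302: fields that change in transit (TOS, flags/fragment offset, TTL, checksum)
    are zeroed before hashing. Source and destination addresses are NOT mutable, so
    anything that rewrites them (NAT) breaks AH."""
    return (ip_hdr[0:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])


def ah_protect(ip_hdr: bytes, data: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Slide steps 1-2: hash (IP header + data + key) and build the AH, which goes between
    the IP header and the data in transport mode. The IP protocol field becomes 51 and
    the AH 'next header' field remembers the original protocol."""
    ah_len = 12 + ICV_LEN                       # fixed part + ICV = 24 bytes
    new_hdr = (ip_hdr[0:2] + struct.pack("!H", 20 + ah_len + len(data)) + ip_hdr[4:9]
               + bytes([IPPROTO_AH]) + ip_hdr[10:20])
    # AH payload-length field = AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", ip_hdr[9], ah_len // 4 - 2, 0, spi, seq)
    covered = zero_mutable_fields(new_hdr) + ah_fixed + bytes(ICV_LEN) + data
    icv = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return new_hdr + ah_fixed + icv + data


def ah_verify(packet: bytes, key: bytes) -> bool:
    """Slide step 4: recompute the hash over the received packet and compare with the ICV."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != IPPROTO_AH:
        return False
    ah_fixed, icv_recv, data = packet[20:32], packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + data
    icv_calc = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv_recv, icv_calc)   # constant-time comparison


# Constructed sample: an ICMP echo from Host A (10.0.1.3) to Host B (10.0.2.3), demo key.
KEY = b"constructed-demo-key"
DATA = b"\x08\x00\x00\x00ah-sample-01"
PACKET = ah_protect(ipv4_header("10.0.1.3", "10.0.2.3", IPPROTO_ICMP, len(DATA)), DATA,
                    KEY, spi=0x1000, seq=1)


def tampered_payload_rejected() -> bool:
    return not ah_verify(PACKET[:-4] + b"XXXX", KEY)


def ttl_decrement_tolerated() -> bool:
    """Every router on the path decrements TTL; AH must still verify."""
    return ah_verify(PACKET[:8] + bytes([PACKET[8] - 1]) + PACKET[9:], KEY)


def nat_rewrite_rejected() -> bool:
    """NAT rewrites the source address, which AH covers, so the check fails."""
    return not ah_verify(PACKET[:12] + IPv4Address("172.30.1.2").packed + PACKET[16:], KEY)
```

The last two functions are the practical trade-off of AH in one place: a hop-by-hop TTL change is tolerated, but a NAT device rewriting the source address makes every packet fail verification.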

ESP

[Figure: the IPsec framework with the ESP protocol choice highlighted.]

Function of ESP

- Provides confidentiality with encryption
- Provides integrity with authentication

[Figure: between two routers, the original packet (IP HDR | Data) crosses the Internet as New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth. The span from the ESP HDR through the ESP Trailer is authenticated; the original IP HDR, the Data and the ESP Trailer are encrypted.]

Mode Types

Original data prior to selection of the IPsec protocol mode: IP HDR | Data

Transport mode: IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth
- Encrypted: Data and ESP Trailer
- Authenticated: ESP HDR through ESP Trailer
- The original IP header is kept and stays in the clear; only the payload is protected.

Tunnel mode: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth
- Encrypted: original IP HDR, Data and ESP Trailer
- Authenticated: ESP HDR through ESP Trailer
- The whole original packet is protected and a new IP header carrying the VPN gateway addresses is added, so an observer sees only gateway-to-gateway traffic; this is the mode used between the site-to-site peers in this chapter.
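Both ESP modes as an added example (not from the Cisco slides): the ESP framing of RFC 4303 built and parsed in Python, so the difference between transport and tunnel mode can be checked on the wire. The host and gateway addresses are the Site 1/Site 2 values used in the configuration slides; the keys, the TCP payload, the SPI and the function names are constructed. The cipher is deliberately a hash-based keystream stand-in, labelled as such in the code, because the point here is the packet layout, not the encryption algorithm.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

IPPROTO_ESP, IPPROTO_IPIP, IPPROTO_TCP = 50, 4, 6
ICV_LEN = 12   # HMAC-SHA1-96, the esp-sha-hmac transform
GATEWAY_SRC, GATEWAY_DST = "172.30.1.2", "172.30.2.2"   # R1 / R2 outside addresses


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header (checksum left zero; it is not the point of this example)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for the negotiated cipher (esp-des / esp-3des / esp-aes): a hash-counter
    keystream XORed over the data. NOT an IPsec cipher; only the framing matters here."""
    out = b""
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key + iv + struct.pack("!I", ctr)).digest()
    return out[:n]


def esp_encapsulate(ip_hdr, data, enc_key, auth_key, spi, seq, mode):
    if mode == "tunnel":        # the whole original packet becomes the protected payload
        plaintext, next_hdr = ip_hdr + data, IPPROTO_IPIP
    elif mode == "transport":   # the original header is kept and stays in the clear
        plaintext, next_hdr = data, ip_hdr[9]
    else:
        raise ValueError(mode)
    # ESP trailer: pad so payload + pad + 2 is 32-bit aligned, then pad length + next header
    pad_len = (-(len(plaintext) + 2)) % 4
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    iv = os.urandom(8)
    ciphertext = bytes(a ^ b for a, b in zip(body, keystream(enc_key, iv, len(body))))
    esp_hdr = struct.pack("!II", spi, seq)
    # ESP Auth covers ESP header + IV + ciphertext, never the outer IP header
    icv = hmac.new(auth_key, esp_hdr + iv + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    esp = esp_hdr + iv + ciphertext + icv
    if mode == "tunnel":
        outer = ipv4_header(GATEWAY_SRC, GATEWAY_DST, IPPROTO_ESP, len(esp))
    else:
        outer = (ip_hdr[0:2] + struct.pack("!H", 20 + len(esp)) + ip_hdr[4:9]
                 + bytes([IPPROTO_ESP]) + ip_hdr[10:20])
    return outer + esp


def esp_decapsulate(packet, enc_key, auth_key, mode):
    outer, esp = packet[:20], packet[20:]
    if outer[9] != IPPROTO_ESP:
        raise ValueError("not ESP")
    esp_hdr, iv, ciphertext, icv = esp[:8], esp[8:16], esp[16:-ICV_LEN], esp[-ICV_LEN:]
    calc = hmac.new(auth_key, esp_hdr + iv + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, calc):
        raise ValueError("ESP authentication failed")   # verify before decrypting
    body = bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, iv, len(ciphertext))))
    pad_len, next_hdr = body[-2], body[-1]
    plaintext = body[:len(body) - pad_len - 2]
    if mode == "tunnel":
        return plaintext   # the complete original packet, inner header included
    return (outer[0:2] + struct.pack("!H", 20 + len(plaintext)) + outer[4:9]
            + bytes([next_hdr]) + outer[10:20] + plaintext)


# Constructed sample: a TCP segment from Host A to Host B and two demo keys.
ENC_KEY, AUTH_KEY = b"constructed-enc-key", b"constructed-auth-key"
ORIG_DATA = b"hello world"
ORIG_HDR = ipv4_header("10.0.1.3", "10.0.2.3", IPPROTO_TCP, len(ORIG_DATA))
ORIGINAL = ORIG_HDR + ORIG_DATA


def outer_addresses(mode):
    """What an observer on the Internet sees: gateways in tunnel mode, hosts in transport."""
    pkt = esp_encapsulate(ORIG_HDR, ORIG_DATA, ENC_KEY, AUTH_KEY, 0x2000, 1, mode)
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))


def roundtrip(mode):
    pkt = esp_encapsulate(ORIG_HDR, ORIG_DATA, ENC_KEY, AUTH_KEY, 0x2000, 1, mode)
    assert ORIG_DATA not in pkt    # the payload is never in the clear in either mode
    return esp_decapsulate(pkt, ENC_KEY, AUTH_KEY, mode)


def tamper_detected(mode):
    pkt = esp_encapsulate(ORIG_HDR, ORIG_DATA, ENC_KEY, AUTH_KEY, 0x2000, 1, mode)
    flipped = pkt[:36] + bytes([pkt[36] ^ 0x01]) + pkt[37:]   # flip one ciphertext bit
    try:
        esp_decapsulate(flipped, ENC_KEY, AUTH_KEY, mode)
        return False
    except ValueError:
        return True
```

Note the order in esp_decapsulate: the ICV is checked before anything is decrypted. A transform set with encryption but no ESP authentication has no ICV at all, so a modified ciphertext would be decrypted and forwarded.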

Internet Key Exchange (IKE)

Security Associations

IKE Phases

IKE Phase 1 Three Exchanges

IKE Phase 1 Aggressive Mode

IKE Phase 2

Security Associations

IPsec parameters are negotiated using IKE. A security association (SA) is the agreed set of parameters (protocol, algorithms, keys, SPI and lifetime) that protects traffic in one direction between two peers; IKE first establishes its own bidirectional IKE SA and then the unidirectional IPsec SAs.

IKE Phases

[Figure: Host A (10.0.1.3) behind R1, Host B (10.0.2.3) behind R2. R1 offers policy 15 and R2 offers policy 10, both DES, MD5, pre-share, DH1, lifetime.]

IKE Phase 1 exchange:

1. Negotiate IKE policy sets
2. DH key exchange
3. Verify the peer identity

IKE Phase 2 exchange: negotiate the IPsec policy.

IKE Phase 1 First Exchange: Negotiate IKE Proposals

Negotiates matching IKE policies to protect the IKE exchange.

[Figure: Host A (10.0.1.3), R1, R2, Host B (10.0.2.3). IKE policy sets shown: policy 15 (DES, MD5, pre-share, DH1, lifetime), policy 10 (DES, MD5, pre-share, DH1, lifetime) and policy 20 (3DES, SHA, pre-share, DH1, lifetime). Policies 15 and 10 carry the same parameters and match.]

IKE Phase 1 Second Exchange: Establish DH Key

A DH exchange is performed to establish keying material.

Alice chooses a private value XA and sends the public value YA = g^XA mod p.

Bob chooses a private value XB and sends the public value YB = g^XB mod p.

Alice computes K = (YB)^XA mod p and Bob computes K = (YA)^XB mod p. Both obtain the same K = g^(XA*XB) mod p, while the private values XA and XB never leave their owners.

IKE Phase 1 Third Exchange: Authenticate Peer

Peer authentication methods:

- PSKs
- RSA signatures
- RSA encrypted nonces

[Figure: a remote office and the corporate office (HR, servers) authenticating each other across the Internet.]

A bidirectional IKE SA is now established.
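The second and third exchanges, and the hash_I/hash_R pre-shared key authentication described earlier, as one added Python example (not from the Cisco slides). The Diffie-Hellman group is a toy prime chosen for readability, labelled as such in the code; the authentication hash follows the simplified description in the PSK slide, with the shared secret mixed in, and the comment says what real IKEv1 adds. The peer addresses are the Site 1/Site 2 router addresses from the configuration slides; the keys and function names are constructed.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for readability. Real IKE uses the MODP groups of
# RFC 2409 (group 1 = 768-bit, group 2 = 1024-bit, group 5 = 1536-bit prime); a 127-bit
# prime offers no security and is used here only to keep the numbers short.
P = 2 ** 127 - 1
G = 3


def dh_public(x: int) -> int:
    """Public value Y = g^X mod p (the slide's YA = g^XA mod p, YB = g^XB mod p)."""
    return pow(G, x, P)


def dh_shared(peer_y: int, x: int) -> int:
    """K = (Y_peer)^X mod p. Both sides reach the same K; X itself is never transmitted."""
    return pow(peer_y, x, P)


def psk_auth_hash(psk: bytes, identity: bytes, k: int) -> bytes:
    """Simplified hash_I / hash_R of the PSK slide: the pre-shared authentication key and
    the device identity go through a keyed hash. The DH secret K is mixed in so the hash
    is bound to this session and cannot be replayed. Real IKEv1 (RFC 2409) additionally
    hashes the nonces, both DH public values, the cookies and the SA payload."""
    return hmac.new(psk, identity + k.to_bytes(16, "big"), hashlib.sha1).digest()


def ike_phase1(psk_local: bytes, psk_remote: bytes,
               id_local: bytes = b"172.30.1.2", id_remote: bytes = b"172.30.2.2"):
    """Main-mode exchanges 2 and 3 between the local peer (R1) and the remote peer (R2),
    after exchange 1 agreed on a policy. Returns
    (local_authenticated_remote, remote_authenticated_local, shared_keys_equal)."""
    # Exchange 2: Diffie-Hellman. Each side keeps X private and sends only Y.
    x_local, x_remote = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    y_local, y_remote = dh_public(x_local), dh_public(x_remote)
    k_local, k_remote = dh_shared(y_remote, x_local), dh_shared(y_local, x_remote)
    # Exchange 3: each side proves knowledge of the PSK with a hash over its identity.
    hash_i = psk_auth_hash(psk_local, id_local, k_local)       # local  -> remote
    hash_r = psk_auth_hash(psk_remote, id_remote, k_remote)    # remote -> local
    remote_ok = hmac.compare_digest(hash_i, psk_auth_hash(psk_remote, id_local, k_remote))
    local_ok = hmac.compare_digest(hash_r, psk_auth_hash(psk_local, id_remote, k_local))
    return local_ok, remote_ok, k_local == k_remote


def keys_match_example() -> tuple:
    """Both routers configured with 'crypto isakmp key cisco123': mutual authentication."""
    return ike_phase1(b"cisco123", b"cisco123")


def key_typo_example() -> tuple:
    """One router has cisco123, the other cisco1234: DH still agrees on K, but neither
    side can reproduce the other's hash, so Phase 1 fails before any IPsec SA exists."""
    return ike_phase1(b"cisco123", b"cisco1234")
```

The typo case is the most common Phase 1 failure in practice: the DH exchange completes normally, and the session dies only at the third exchange, which is where debug crypto isakmp reports the mismatch.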

IKE Phase 1 Aggressive Mode

[Figure: Host A (10.0.1.3), R1, R2, Host B (10.0.2.3); R1 policy 15 and R2 policy 10, both DES, MD5, pre-share, DH1, lifetime.]

1. R1 sends its IKE policy set and R1's DH key (public value).
2. R2 confirms the IKE policy set, calculates the shared secret and sends R2's DH key.
3. R1 calculates the shared secret, verifies the peer identity, and confirms with the peer.
4. R2 authenticates the peer and Phase 2 begins.

Aggressive mode compresses the three main-mode exchanges into fewer messages, but the identities and the PSK-based authentication hash are sent before any encryption is in place, so an eavesdropper can run an offline dictionary attack against the pre-shared key. Use main mode with PSKs wherever the peers allow it.

IKE Phase 2: Negotiate IPsec Security Parameters

[Figure: Host A (10.0.1.3), R1, R2, Host B (10.0.2.3).]

IKE negotiates matching IPsec policies. Upon completion, unidirectional IPsec Security Associations (SAs) are established for each protocol and algorithm combination: one inbound and one outbound SA between the two peers.

Implementing Site-to-Site IPsec VPNs

Configuring Site-to-Site IPsec VPNs

Task 1 Configure Compatible ACLs

Task 2 Configure IKE

Task 3 Configure the Transform Set

Task 4 Configure the Crypto ACLs

Task 5 Apply the Crypto Map

Verify and Troubleshoot the IPsec Configuration


    Configuring Site-to-Site IPSec VPN

    IPSec VPN Negotiation

    Summary of Tasks

IPsec VPN Negotiation

[Figure: Host A 10.0.1.3, R1, IPsec tunnel, R2, Host B 10.0.2.3. IKE Phase 1 yields an IKE SA on each router; IKE Phase 2 yields the IPsec SAs.]

1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session.
3. R1 and R2 negotiate an IKE Phase 2 session.
4. Information is exchanged via the IPsec tunnel.
5. The IPsec tunnel is terminated.

Summary of Tasks

Tasks to configure IPsec:

Task 1: Ensure that ACLs are compatible with IPsec.
Task 2: Create the ISAKMP (IKE) policy.
Task 3: Configure the IPsec transform set.
Task 4: Create a crypto ACL.
Task 5: Create and apply the crypto map.

ISAKMP

ISAKMP (Internet Security Association and Key Management Protocol) is a protocol for establishing Security Associations (SAs) and cryptographic keys in an Internet environment. The protocol is defined by RFC 2408.

ISAKMP defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques, and threat mitigation (e.g. denial of service and replay attacks). ISAKMP typically utilizes IKE for key exchange, although other methods can be implemented. A preliminary SA is formed using this protocol; later a fresh keying is done.

ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations. SAs contain all the information required for execution of various network security services, such as the IP layer services (such as header authentication and payload encapsulation), transport or application layer services, or self-protection of negotiation traffic. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism.

(Sources: RFC 2408, http://tools.ietf.org/html/rfc2408; Wikipedia articles on Security association, Key generation and Internet Key Exchange.)
ISAKMP

ISAKMP is distinct from key exchange protocols in order to cleanly separate the details of security association management (and key management) from the details of key exchange. There may be many different key exchange protocols, each with different security properties. However, a common framework is required for agreeing to the format of SA attributes, and for negotiating, modifying, and deleting SAs. ISAKMP serves as this common framework.

ISAKMP can be implemented over any transport protocol. All implementations must include send and receive capability for ISAKMP using UDP on port 500. Additionally, UDP port 4500 must also be allowed at the destination if the source interface IP address undergoes network address translation from its natural (assigned) IP address to a public IP address for connection to the Internet.

Task 1: Configure Compatible ACLs

    Overview

    Permitting Traffic

Overview

Ensure that IP protocols 50 (ESP) and 51 (AH) and UDP port 500 (ISAKMP) are not blocked by incoming ACLs on the interfaces used by IPsec; when a peer sits behind NAT, UDP port 4500 (NAT traversal) must be permitted as well.

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 S0/0/0 172.30.1.2, and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 S0/0/0 172.30.2.2, with AH, ESP and IKE traffic crossing the Internet between them.]

Permitting Traffic

R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1(config)#
R1(config)# interface Serial0/0/0
R1(config-if)# ip address 172.30.1.2 255.255.255.0
R1(config-if)# ip access-group 102 in
R1(config-if)# exit
R1(config)# exit
R1# show access-lists
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1#

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 S0/0/0 172.30.1.2, Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 S0/0/0 172.30.2.2; AH, ESP and IKE cross the Internet between them.]

These three entries admit only the peer's AH, ESP and IKE traffic. Every IOS ACL ends with an implicit deny, so a production ACL applied inbound on the Internet interface also needs entries for whatever other traffic the interface must accept (and udp ... eq non500-isakmp, port 4500, if NAT traversal is in use). R2 needs the mirror-image ACL on its own S0/0/0.

Task 2: Configure IKE

    Overview

    ISAKMP Parameters

    Multiple Policies

    Policy Negotiations

    Crypto ISAKMP Key

    Sample Configuration

Overview

Defines the parameters within the IKE policy:

router(config)# crypto isakmp policy priority

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption des
R1(config-isakmp)# group 1
R1(config-isakmp)# hash md5
R1(config-isakmp)# lifetime 86400

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) R2 with a tunnel across the Internet; R1's policy 110: DES, MD5, pre-share, DH1, 86400.]

ISAKMP Parameters

Parameter        Keyword      Accepted values                     Default                 Description
encryption       des          56-bit Data Encryption Standard     des                     Message encryption algorithm
                 3des         Triple DES
                 aes          128-bit AES
                 aes 192      192-bit AES
                 aes 256      256-bit AES
hash             sha          SHA-1 (HMAC variant)                sha                     Message integrity (hash) algorithm
                 md5          MD5 (HMAC variant)
authentication   pre-share    preshared keys                      rsa-sig                 Peer authentication method
                 rsa-encr     RSA encrypted nonces
                 rsa-sig      RSA signatures
group            1            768-bit Diffie-Hellman (DH)         1                       Key exchange parameters (DH group identifier)
                 2            1024-bit DH
                 5            1536-bit DH
lifetime         seconds      Any number of seconds               86,400 sec (one day)    ISAKMP-established SA lifetime

The defaults DES and DH group 1, and MD5, are weak by current standards: choose AES, SHA and the largest DH group the platform supports, and configure the same parameters on both peers.

Multiple Policies

R1(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication rsa-sig

R2(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication pre-share

Parameters that are not set take the defaults (DES, DH group 1, lifetime 86400). Policies 100 and 200 match on both routers; the two policies numbered 300 differ in the authentication method and can never match each other.

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) R2 across the Internet.]

Policy Negotiations

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200

R1 attempts to establish a VPN tunnel with R2 and sends its IKE policy parameters (policy 110: pre-share, 3DES, SHA, DH2, 43200).

R2(config)# crypto isakmp policy 100
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200

R2 must have an ISAKMP policy configured with the same parameters. The policy numbers (110 on R1, 100 on R2) are local priorities and do not need to match; the encryption, hash, authentication and DH group must.

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) R2 with a tunnel across the Internet.]

Crypto ISAKMP Key

router(config)# crypto isakmp key keystring address peer-address

router(config)# crypto isakmp key keystring hostname hostname

The peer-address or peer-hostname can be used, but must be used consistently between peers.

If the peer-hostname is used, then the crypto isakmp identity hostname command must also be configured.

Parameter      Description
keystring      Specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers.
peer-address   Specifies the IP address of the remote peer.
hostname       Specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com).

Sample Configuration

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)#

R2(config)# crypto isakmp policy 110
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200
R2(config-isakmp)# exit
R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)#

Note:
- The keystring cisco123 matches on both peers.
- The address identity method is specified.
- The ISAKMP policies are compatible.
- Default values do not have to be configured.

cisco123 is a classroom placeholder: in production use a long random keystring, since anyone who learns it can impersonate the peer.

[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) R2 across the Internet.]

Task 3: Configure the Transform Set

    Overview

    Transform Sets

    Sample Configuration


Overview

router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

crypto ipsec transform-set parameters:

transform-set-name                   Specifies the name of the transform set to create (or modify).
transform1, transform2, transform3   The transforms in the set. You may specify up to four transforms: one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication, and one IP compression transform. These transforms define the IPsec security protocols and algorithms.

A transform set is a combination of IPsec transforms that enact a security policy for traffic.

  • 8/13/2019 CCNA Security 08ver2

    69/136

    696969 2009 Cisco Learning Institute.

    Transform Sets

Transform sets are negotiated during IKE Phase 2. Each peer offers its transform sets in the order they are configured, and the first pair with identical settings is used.

Figure: Host A (10.0.1.3) behind R1 (172.30.1.2) and Host B (10.0.2.3) behind R2 (172.30.2.2), connected across the Internet.

R1 transform sets:
  ALPHA     esp-3des                  tunnel
  BETA      esp-des, esp-md5-hmac     tunnel
  CHARLIE   esp-3des, esp-sha-hmac    tunnel

R2 transform sets:
  RED       esp-des                   tunnel
  BLUE      esp-des, ah-sha-hmac      tunnel
  YELLOW    esp-3des, esp-sha-hmac    tunnel

R1 tries each of its sets against each of R2's sets in order (attempts 1 through 9). The 9th attempt found matching transform sets (CHARLIE - YELLOW).
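How the two negotiations play out, as an added example that is not part of the course slides: a small Python model of the way IOS selects an IKE Phase 1 policy (the "policies are compatible" note in Task 2 above) and an IKE Phase 2 transform set (the nine attempts on this slide). R1's policy 110 and the default protection suite are taken from the show crypto isakmp policy output later in this chapter and both routers' transform sets from the slide; R2's Phase 1 policy, the priority value 65535 used to represent the default suite, and the mismatch case are constructed here. The lifetime comparison follows the rule in Cisco's IKE configuration guide (a remote lifetime must not exceed the local one; the shorter is then used).

```python
"""Model of how two IOS peers pick an IKE Phase 1 policy and an IKE Phase 2
transform set. Added example for this chapter, not code from the course.
Matching rules follow Cisco's IKE configuration guide; R2's policies and
the mismatch case are constructed."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int           # crypto isakmp policy <priority>; lower is preferred
    encryption: str
    hash: str
    authentication: str
    dh_group: int
    lifetime: int = 86400   # seconds


@dataclass(frozen=True)
class TransformSet:
    name: str
    transforms: Tuple[str, ...]   # e.g. ("esp-3des", "esp-sha-hmac")
    mode: str = "tunnel"


def ike_policy_match(local: IkePolicy, remote: IkePolicy) -> bool:
    """A Phase 1 match needs identical encryption, hash, authentication and
    DH group, and a remote lifetime no longer than the local one (IOS then
    uses the shorter lifetime)."""
    return (local.encryption == remote.encryption
            and local.hash == remote.hash
            and local.authentication == remote.authentication
            and local.dh_group == remote.dh_group
            and remote.lifetime <= local.lifetime)


def negotiate_ike_policy(responder: Sequence[IkePolicy],
                         initiator: Sequence[IkePolicy]
                         ) -> Optional[Tuple[int, int, int]]:
    """Phase 1: the responder walks its own policies in priority order and
    compares each against everything the initiator offered. Returns
    (attempt, responder_priority, initiator_priority), or None."""
    attempt = 0
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in initiator:
            attempt += 1
            if ike_policy_match(mine, theirs):
                return attempt, mine.priority, theirs.priority
    return None


def negotiate_transform_set(initiator: Sequence[TransformSet],
                            responder: Sequence[TransformSet]
                            ) -> Optional[Tuple[int, str, str]]:
    """Phase 2: each initiator set is tried against each responder set in
    the order configured; the first identical pair (same transforms, same
    mode) wins. Set names are locally significant and never compared."""
    attempt = 0
    for offered in initiator:
        for candidate in responder:
            attempt += 1
            if (frozenset(offered.transforms) == frozenset(candidate.transforms)
                    and offered.mode == candidate.mode):
                return attempt, offered.name, candidate.name
    return None


# Default protection suite as shown by "show crypto isakmp policy" on the
# page (DES, SHA, RSA signatures, DH group 1). The priority value 65535 is
# an assumption standing in for "lowest priority of all".
DEFAULT_POLICY = IkePolicy(65535, "des", "sha", "rsa-sig", 1)
# R1's policy 110 from the page; R2's policy is constructed to match it.
R1_POLICIES = [IkePolicy(110, "3des", "sha", "pre-share", 2), DEFAULT_POLICY]
R2_POLICIES = [IkePolicy(110, "3des", "sha", "pre-share", 2), DEFAULT_POLICY]
# Constructed mismatch: R2's operator typed "encryption aes" instead of 3des.
R2_MISMATCHED = [IkePolicy(110, "aes", "sha", "pre-share", 2), DEFAULT_POLICY]

# Transform sets from the negotiation slide, in configured order.
R1_SETS = [TransformSet("ALPHA", ("esp-3des",)),
           TransformSet("BETA", ("esp-des", "esp-md5-hmac")),
           TransformSet("CHARLIE", ("esp-3des", "esp-sha-hmac"))]
R2_SETS = [TransformSet("RED", ("esp-des",)),
           TransformSet("BLUE", ("esp-des", "ah-sha-hmac")),
           TransformSet("YELLOW", ("esp-3des", "esp-sha-hmac"))]

if __name__ == "__main__":
    print(negotiate_ike_policy(R2_POLICIES, R1_POLICIES))      # (1, 110, 110)
    print(negotiate_ike_policy(R2_MISMATCHED, R1_POLICIES))    # (4, 65535, 65535)
    print(negotiate_transform_set(R1_SETS, R2_SETS))           # (9, 'CHARLIE', 'YELLOW')
```

The second call is the caveat worth remembering: because the default protection suite exists on both routers, a typo in policy 110 does not make Phase 1 run out of proposals. The peers silently agree on the weak default suite (DES, DH group 1, RSA signatures) and the exchange then fails later for lack of certificates. Comparing show crypto isakmp policy on both sides is therefore the first troubleshooting step.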

    Sample Configuration


R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)# crypto ipsec transform-set MYSET esp-aes 128
R1(cfg-crypto-trans)# exit
R1(config)#

R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)# crypto ipsec transform-set OTHERSET esp-aes 128
R2(cfg-crypto-trans)# exit
R2(config)#

Note: Peers must share the same transform set settings. Names are only locally significant.

Task 4: Configure the Crypto ACLs

    Overview

    Command Syntax

    Symmetric Crypto ACLs

Overview

Outbound, the crypto ACL indicates the data flow to be protected by IPsec.

Inbound, the same ACL filters and discards traffic that should have been protected by IPsec but arrived in plaintext.

Figure: On R1, outbound traffic from Host A that the crypto ACL permits is encrypted; outbound traffic the ACL denies bypasses IPsec and is sent in plaintext. Inbound traffic that the ACL permits but that arrives unprotected (plaintext) is discarded; inbound traffic the ACL denies bypasses IPsec.

    Command Syntax


router(config)#

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

access-list Parameters

Parameter                Description
permit                   Causes all IP traffic that matches the specified conditions to be protected by cryptography, using the policy described by the corresponding crypto map entry.
deny                     Instructs the router to route the traffic in plaintext (it is exempted from IPsec, not dropped).
protocol                 Specifies which traffic to protect by cryptography based on the protocol, such as TCP, UDP, or ICMP. If the protocol is IP, all IP traffic that matches that permit statement is encrypted.
source and destination   If the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, the traffic between the specified source and destination is sent in plaintext.


    Symmetric Crypto ACLs


Applied to R1 S0/0/0 outbound traffic:

R1(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

(when evaluating inbound traffic: source 10.0.2.0, destination 10.0.1.0)

Applied to R2 S0/0/0 outbound traffic:

R2(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

(when evaluating inbound traffic: source 10.0.1.0, destination 10.0.2.0)
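A check for the symmetry requirement above, as an added example (not code from the course): it parses the two access-list lines from this slide, derives the mirror entry a peer must carry, and reports when the two sides disagree. The parser handles only the numbered extended-ACL form shown here (protocol, source and wildcard, destination and wildcard, with host and any), and the mismatched R2 entry at the end is constructed to show the failure case.

```python
"""Check that the crypto ACLs on two IPsec peers are mirror images. Added
example for this chapter, not course code. The two access-list lines are the
ones from the slide; the "wrong" R2 line is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Optional "R1(config)#" prompt, then: access-list NUM permit|deny PROTO SRC DST
ACE_RE = re.compile(
    r"^\s*(?:\w+\(config\)#\s*)?access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$")


@dataclass(frozen=True)
class Ace:
    number: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted subnet masks: 0.0.0.255 is /24 and
    0.0.0.0 is a single host. A non-contiguous wildcard raises ValueError."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_endpoint(text: str) -> ipaddress.IPv4Network:
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    first, second = text.split()
    if first == "host":
        return ipaddress.ip_network(second + "/32")
    return wildcard_to_network(first, second)


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"unsupported ACL syntax: {line!r}")
    return Ace(int(m["num"]), m["action"], m["proto"],
               parse_endpoint(m["src"]), parse_endpoint(m["dst"]))


def format_endpoint(net: ipaddress.IPv4Network) -> str:
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # hostmask is the IOS wildcard


def format_ace(ace: Ace) -> str:
    return (f"access-list {ace.number} {ace.action} {ace.proto} "
            f"{format_endpoint(ace.src)} {format_endpoint(ace.dst)}")


def mirror_ace(ace: Ace, number: int) -> Ace:
    """The entry the peer must carry: same action and protocol, source and
    destination swapped (the peer sees the same flow from the other side)."""
    return Ace(number, ace.action, ace.proto, ace.dst, ace.src)


def is_mirror(local: List[Ace], remote: List[Ace]) -> bool:
    """True when every local entry has its swapped counterpart on the peer,
    in the same order; ACL numbers may differ (they are locally significant)."""
    if len(local) != len(remote):
        return False
    return all(mirror_ace(a, b.number) == b for a, b in zip(local, remote))


# ACL lines from the slide (the prompt prefix is accepted by ACE_RE).
R1_ACL = ["R1(config)#access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255"]
R2_ACL = ["R2(config)#access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255"]
# Constructed mistake: R2 protects all IP while R1 protects only TCP, so
# R2 encrypts UDP/ICMP that R1 will treat as unexpected and the SA
# selectors no longer agree.
R2_ACL_WRONG = ["access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255"]

if __name__ == "__main__":
    r1 = [parse_ace(line) for line in R1_ACL]
    print(format_ace(mirror_ace(r1[0], 101)))                        # what R2 must carry
    print(is_mirror(r1, [parse_ace(line) for line in R2_ACL]))       # True
    print(is_mirror(r1, [parse_ace(line) for line in R2_ACL_WRONG])) # False
```

Run it against the two routers' running configurations (one access-list line per entry) before applying the crypto map; a False result means one side will send plaintext that the other side discards, or encrypt traffic the other side did not expect.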

Task 5: Apply the Crypto Map

    Overview

    Crypto Map Command

    Crypto Map Configuration Mode Commands

    Sample Configuration

    Assign the Crypto Map Set

Overview

Crypto maps define the following:

- ACL to be used
- Remote VPN peers
- Transform set to be used
- Key management method
- SA lifetimes

Figure: The crypto map is applied to the router interface (or subinterface) facing the Internet; encrypted traffic flows between R1 at Site 1 and R2 at Site 2.

    Crypto Map Command


router(config)#

crypto map map-name seq-num ipsec-manual

crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]

crypto map Parameters

Parameter          Description
map-name           Name assigned to the crypto map set, or the name of the crypto map to edit.
seq-num            Number assigned to the crypto map entry.
ipsec-manual       ISAKMP will not be used to establish the IPsec SAs.
ipsec-isakmp       ISAKMP will be used to establish the IPsec SAs.
cisco              (Default value) CET (Cisco Encryption Technology) will be used instead of IPsec for protecting the traffic.
dynamic            (Optional) This crypto map entry references a preexisting dynamic crypto map. If this keyword is used, none of the crypto map configuration commands are available.
dynamic-map-name   (Optional) Name of the dynamic crypto map set that should be used as the policy template.

Crypto Map Configuration Mode Commands

Command                                  Description
set                                      Used with the peer, pfs, transform-set, and security-association commands.
set peer [hostname | ip-address]         Specifies the allowed IPsec peer by IP address or hostname.
set pfs [group1 | group2]                Specifies DH Group 1 or Group 2 for perfect forward secrecy.
set transform-set [set_name(s)]          Specifies a list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified.
set security-association lifetime        Sets SA lifetime parameters in seconds or kilobytes.
match address [access-list-id | name]    Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP extended ACL.
no                                       Deletes commands entered with the set command.
exit                                     Exits crypto map configuration mode.

    Sample Configuration


Multiple peers can be specified for redundancy.

Figure: R1 peers with R2 (S0/0/0 172.30.2.2) and, as a backup, with R3 (S0/0/0 172.30.3.2).

R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer 172.30.2.2 default
R1(config-crypto-map)# set peer 172.30.3.2
R1(config-crypto-map)# set pfs group1
R1(config-crypto-map)# set transform-set mine
R1(config-crypto-map)# set security-association lifetime seconds 86400

    Assign the Crypto Map Set


Applying the crypto map to the outgoing interface activates the IPsec policy.

router(config-if)#

crypto map map-name

R1(config)# interface serial0/0/0
R1(config-if)# crypto map MYMAP
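The five tasks collected into one working configuration for both peers, as an added example rather than a slide from the course. The addresses, pre-shared key, transform set names and crypto map name are the ones from the sample configurations above; IKE policy 110 and its parameters are the ones shown by show crypto isakmp policy in the verification section that follows. Three things are assumptions: the /24 masks on the serial interfaces, the use of permit ip between the two subnets in the crypto ACL (the ACL slide above protects TCP only), and the addition of esp-sha-hmac to the slide's esp-aes 128 so that ESP provides integrity as well as confidentiality, since ESP encryption without an integrity transform leaves the packets malleable. On current IOS, AES and a DH group stronger than 2 should replace 3DES and group 2 in the IKE policy.

```cisco
! ===== R1: Site 1, inside 10.0.1.0/24, S0/0/0 172.30.1.2 =====
! Task 2: IKE Phase 1 policy (matches the "priority 110" suite shown later)
crypto isakmp policy 110
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key cisco123 address 172.30.2.2
!
! Task 3: IKE Phase 2 transform set (esp-sha-hmac added; assumption, see above)
crypto ipsec transform-set MYSET esp-aes 128 esp-sha-hmac
 mode tunnel
!
! Task 4: crypto ACL - what to protect (permit ip is an assumption)
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
! Task 5: crypto map tying ACL, peer and transform set together
crypto map MYMAP 10 ipsec-isakmp
 match address 110
 set peer 172.30.2.2
 set transform-set MYSET
 set security-association lifetime seconds 3600
!
interface Serial0/0/0
 ip address 172.30.1.2 255.255.255.0
 crypto map MYMAP

! ===== R2: Site 2, inside 10.0.2.0/24, S0/0/0 172.30.2.2 (mirror image) =====
crypto isakmp policy 110
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key cisco123 address 172.30.1.2
!
! Different set name, identical settings: names are only locally significant
crypto ipsec transform-set OTHERSET esp-aes 128 esp-sha-hmac
 mode tunnel
!
! Source and destination swapped relative to R1's ACL 110
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
!
crypto map MYMAP 10 ipsec-isakmp
 match address 101
 set peer 172.30.1.2
 set transform-set OTHERSET
 set security-association lifetime seconds 3600
!
interface Serial0/0/0
 ip address 172.30.2.2 255.255.255.0
 crypto map MYMAP
```

After pasting both sides, generate interesting traffic (for example a ping from 10.0.1.3 to 10.0.2.3) and confirm with show crypto isakmp sa that the Phase 1 SA reaches QM_IDLE and with show crypto ipsec sa that the encaps and decaps counters increase on both routers.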

Verify and Troubleshoot the IPsec Configuration

    CLI Command Summary

    show crypto map

    show crypto isakmp policy

    show crypto ipsec transform-set

    show crypto ipsec sa

    debug crypto isakmp

    CLI Commands


Command                              Description
show crypto map                      Displays configured crypto maps
show crypto isakmp policy            Displays configured IKE policies
show crypto ipsec sa                 Displays established IPsec tunnels
show crypto ipsec transform-set      Displays configured IPsec transform sets
debug crypto isakmp                  Debugs IKE events
debug crypto ipsec                   Debugs IPsec events

    show crypto map


show crypto map displays the currently configured crypto maps.

router# show crypto map

R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 110
            access-list 110 permit ip host 10.0.1.3 host 10.0.2.3
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MYSET, }


    show crypto isakmp policy


router# show crypto isakmp policy

R1# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   3DES - Data Encryption Standard (168 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  preshared
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit


    show crypto ipsec transform-set


show crypto ipsec transform-set displays the currently defined transform sets.

router# show crypto ipsec transform-set

R1# show crypto ipsec transform-set
Transform set AES_SHA: { esp-128-aes esp-sha-hmac }
   will negotiate = { Tunnel, },


    debug crypto isakmp

router# debug crypto isakmp

This is an example of the Main Mode error message. A Main Mode failure suggests that the Phase 1 policy does not match on both sides. Verify that a Phase 1 policy is configured on both peers and that all of its attributes (encryption, hash, authentication method, DH group) match.

1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2

Implementing Site-to-Site IPsec VPNs Using SDM

    Configuring IPSec Using SDM

    VPN Wizard-Quick Setup

    VPN Wizard-Step-by-Step Setup

    Verifying, Monitoring, and Troubleshooting VPNs

Configuring IPSec Using SDM

    Starting a VPN Wizard

    VPN Components

    Configuring a Site-to-Site VPN

    Site-to-Site VPN Wizard

Starting a VPN Wizard

The wizards for IPsec solutions include the VPN types and the individual IPsec components. The VPN implementation subtypes vary based on the VPN wizard chosen.

1. Click Configure in the main toolbar.
2. Click the VPN button to open the VPN page.
3. Choose a wizard.
4. Click the VPN implementation subtype.
5. Click the Launch the Selected Task button.

VPN Components

Individual IPsec components used to build VPNs:

- VPN Wizards
- SSL VPN parameters
- Easy VPN server parameters
- Public key certificate parameters
- Encrypt VPN passwords

Configuring a Site-to-Site VPN

1. Choose Configure > VPN > Site-to-Site VPN.
2. Click the Create a Site-to-Site VPN tab.
3. Click the Launch the Selected Task button.

Site-to-Site VPN Wizard

Choose the wizard mode (Quick Setup or Step-by-Step), then click Next to proceed to the configuration of parameters.

VPN Wizard-Quick Setup

    Quick Setup

    Verify Parameters

Quick Setup

Configure the parameters: the interface to use, the peer identity information, the authentication method, and the traffic to encrypt.

Verify Parameters

VPN Wizard-Step-by-Step Setup

    Step-by-Step Wizard

    Creating a Custom IKE Proposal

    Creating a Custom IPSec Transform Set

    Protecting Traffic - Subnet to Subnet

    Protecting Traffic - Custom ACL

    Add a Rule

    Configuring a New Rule Entry

    Configuration Summary

Step-by-Step Wizard

1. Choose the outside interface that is used to connect to the IPSec peer.
2. Specify the IP address of the peer.
3. Choose the authentication method and specify the credentials.
4. Click Next.

Creating a Custom IPSec Transform Set

1. Click Add.
2. Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation, and optional compression.
3. Click Next.

Protecting Traffic: Subnet to Subnet

1. Click Protect All Traffic Between the Following Subnets.
2. Define the IP address and subnet mask of the local network.
3. Define the IP address and subnet mask of the remote network.

Protecting Traffic: Custom ACL

1. Click the Create/Select an Access-List for IPSec Traffic radio button.
2. Click the ellipsis button to choose an existing ACL or create a new one.
3. To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option.

    Add a Rule


1. Give the access rule a name and description.
2. Click Add.

Verifying, Monitoring, and Troubleshooting VPNs

    Verify VPN Configuration

    Monitor

    Verify VPN Configuration


Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN to:

- Check VPN status.
- Create a mirroring configuration if no Cisco SDM is available on the peer.
- Test the VPN configuration.

    Monitor


Choose Monitor > VPN Status > IPSec Tunnels. The page lists all IPsec tunnels, their parameters, and their status.

    Implementing A Remote Access VPN


    The Changing Corporate Landscape

    Introduction to Remote Access

    SSL VPNs

    Cisco Easy VPN

    Configure a VPN Server Using SDM

    Connect with a VPN Client

    The Changing Corporate Landscape


    Telecommuting

    Telecommuting Benefits

    Telecommuting Requirements

    Telecommuting


- Flexibility in working location and working hours
- Employers save on real estate, utility, and other overhead costs
- Succeeds if the program is voluntary, subject to management discretion, and operationally feasible

    Telecommuting Benefits


Organizational benefits:
- Continuity of operations
- Increased responsiveness
- Secure, reliable, and manageable access to information
- Cost-effective integration of data, voice, video, and applications
- Increased employee productivity, satisfaction, and retention

Social benefits:
- Increased employment opportunities for marginalized groups
- Less travel and commuter-related stress

Environmental benefits:
- Reduced carbon footprints, both for individual workers and organizations

    Telecommuting Requirements


    Introduction to Remote Access


    Methods for Deploying Remote Access

    Comparison of SSL and IPSec

Methods for Deploying Remote Access

Figure: Two deployment methods, IPsec remote access VPN and SSL-based VPN, positioned between "any application" and "anywhere access".

    Comparison of SSL and IPSec


                   SSL                                                  IPsec
Applications       Web-enabled applications, file sharing, e-mail       All IP-based applications
Encryption         Moderate: key lengths from 40 bits to 128 bits       Stronger: key lengths from 56 bits to 256 bits
Authentication     Moderate: one-way or two-way authentication          Strong: two-way authentication using shared secrets or digital certificates
Ease of Use        Very high                                            Moderate: can be challenging to nontechnical users
Overall Security   Moderate: any device can connect                     Strong: only specific devices with specific configurations can connect

    SSL VPNs


    Overview

    Types of Access

    Full Tunnel Client Access Mode

    Establishing an SSL Session

    Design Considerations

    Overview


- Integrated security and routing
- Browser-based full network SSL VPN access

Figure: An SSL VPN tunnel from a remote user across the Internet to the SSL VPN router at headquarters, giving access to workplace resources.

    Types of Access


    Full Tunnel Client Access Mode


    Establishing an SSL Session


1. The user, using an SSL client, makes a connection to TCP port 443 on the SSL VPN enabled ISR router.
2. The router replies with a digitally signed public key (its certificate).
3. The user software creates a shared-secret key.
4. The shared-secret key, encrypted with the public key of the server, is sent to the router.
5. Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm.

    SSL VPN Design Considerations


    User connectivity

    Router feature

    Infrastructure planning

    Implementation scope

    Cisco Easy VPN


    Overview

    Components

    Securing the VPN

    Overview


Cisco Easy VPN:

- Negotiates tunnel parameters
- Establishes tunnels according to set parameters
- Automatically creates a NAT/PAT and associated ACLs
- Authenticates users by usernames, group names, and passwords
- Manages security keys for encryption and decryption
- Authenticates, encrypts, and decrypts data through the tunnel

    Components


    Securing the VPN


1. The client initiates IKE Phase 1.
2. The server accepts a proposal and the ISAKMP SA is established.
3. The server sends a username/password challenge; the client returns its username and password.
4. System parameters are pushed to the client.
5. Reverse Route Injection (RRI) adds a static route entry on the router for the remote client's IP address.
6. IKE Phase 2 (IPsec) is initiated.
7. The IPsec SA is established.

    Configuring a VPN Server Using SDM


    Configuring Cisco Easy VPN Server

    Configuring IKE Proposals

    Creating an IPSec Transform Set

    Group Authorization and Group Policy Lookup

    Summary of Configuration Parameters

    Configuring Cisco Easy VPN Server


    Configuring IKE Proposals

1. Click Add.
2. Specify the required parameters.
3. Click OK.

    Creating an IPSec Transform Set


Group Authorization and Group Policy Lookup

1. Select the location where Easy VPN group policies can be stored.
2. Click Next.
3. Click Add.
4. Configure the local group policies.
5. Click Next.


    VPN Client Overview


- Establishes end-to-end, encrypted VPN tunnels for secure connectivity
- Compatible with all Cisco VPN products
- Supports the Cisco Easy VPN capabilities

Figure: VPN Client connection entry R1, host R1-vpn-cluster.span.com.

    Establishing a Connection


Figure: The VPN Client connects to entry R1 (R1-vpn-cluster.span.com). Once authenticated, the status changes to connected.