ipsec presentation

Upload: bon-tran-hong

Post on 07-Jul-2018


TRANSCRIPT

  • 8/18/2019 Ipsec Presentation

    1/40

    IPSec VPNs

    Presented by Avinash R Desai

    2/40

    AGENDA

    Introduction and Motivation

    IPSec Basics

    Enterprise IPSec VPN

    Managing VPN

    Wrap-up

    Q & A

    3/40

    Why Do We Care?

    Many organizations are trying to use IPSec VPN to reduce costs and simplify new connections.

    VPN allows:

      – Shared Internet and Enterprise access

      – Reduced access line costs

      – Ease of provisioning, flexibility

      – Increased security

    4/40

    IPSec VPN and V3PN (Voice and Video enabled VPN) Benefits

    IPSec VPN design provides resiliency. Integrated branch routers provide the ISP connection, VPN termination, IP Telephony gateway, and Cisco IOS Firewall functionality.

    Tested scalability and performance numbers.

    Enhanced productivity and reduced support costs: extend central-site voice, video and data resources and applications to all corporate sites.

    Voice, video and data are transported securely and transparently over IPSec tunnels with QoS enabled. Standard IP Telephony features, including codecs and SRST, are preserved.

    5/40

    Agenda

    Introduction and Motivation

    IPSec Basics

    Enterprise IPSec VPN

    Managing VPN

    Wrap-up

    6/40

    IPSec Basics

    IPSec uses a Security Association (SA) and a crypto key to encrypt selected data between a pair of sites.

      – This key is used with the DES, 3DES, or AES forms of encryption to both encrypt and decrypt data

    The key is automatically established, changed, and managed by IPSec devices using IKE (Internet Key Exchange), a.k.a. "ISAKMP".

    Before a key can be established, IKE does authentication.

      – Shared secret or Certificate Authority are two ways to do this

    IKE uses public key crypto to securely do its job.

      – Diffie-Hellman is the technique used: the two peers agree on a shared secret over the untrusted network, and the encryption keys are derived from it

    7/40

    Message Hashing

    Message hashing is used to detect altered messages.

      – Message bits + a secret key are combined into a short hash code (a keyed hash, HMAC in IPSec)

      – Hash code sent in header

      – If the received message's hash doesn't match, the message was altered (or came from someone without the key)

      – Two forms: SHA and MD5

      – SHA is a bit stronger


    9/40

    IPSec Protocols: AH and ESP

    IPSec comes in two forms:

      – AH provides a keyed hash and authentication data

        • Ensures data comes from the peer router (authentication)

        • Detects alterations (keyed hash)

        • But does not encrypt for confidentiality

      – ESP encrypts

        • Two sub-modes: tunnel and transport

        • In tunnel mode, the new outer IP header hides the original source and destination addresses; keeps the server address confidential

        • Keyed hash for detecting alterations

        • Authentication

        • Encryption

    10/40

    The 4 Steps of IPSec SA Establishment

    11/40

    What to Encrypt

    The crypto map you configure references an access list for "interesting packets":

      – What to encrypt (outbound)

      – What to decrypt (inbound)

    ESP encrypts. If the router encrypts or decrypts the wrong packet (because the two ends' access lists disagree), it gets nonsense and a bad checksum: discarded packet!

    12/40

    IPSec Troubleshooting Tips

    The two ends have to agree on the various choices:

     – How to do IKE (IKE policy)

     – Authentication method: shared secret or CA, etc.

     – AH versus ESP

     – Tunnel versus transport

     – Message hashing scheme

    You need routing to be able to deliver packets: the IPSec source address at one end must match the destination at the other.

    You need consistent crypto access lists!

     – The two endpoints' ACLs need to mirror each other

    Use the 4 steps to troubleshoot.

    13/40

    Agenda

    Introduction and Motivation

    IPSec Basics

    Enterprise IPSec VPN

    Managing VPN

    Wrap-up

    14/40

    Design Assumptions

    High availability and failover with fast convergence

    Support for dynamic routing

    Ability to carry diverse traffic, including IP multicast and multi-protocol

    Conservative CPU levels

    Router-based (versus VPN concentrator)

    15/40

    Key Design Components

    Cisco VPN routers as head-end VPN termination

    Cisco access routers as branch termination

    Use hardware IPSec acceleration

    IPSec ESP Tunnel mode

    GRE tunnels, dual star to two head-end routers

      – At HQ, or two head-end sites for geographic diversity

    Internet services from an ISP

    16/40

    Enterprise IPSec VPN

    17/40

    Why GRE with IPSec?

    Dynamic routing and support of multicast and non-IP protocols. Side effect: simpler implementation and troubleshooting.

    If you're not building in redundancy, you can leave out the GRE and the dynamic routing and reduce overhead, at the price of doing a bit more configuration.

    18/40

    Key Design Components

    Cost (GRE+IPSec): 24 more bytes of header (overhead) for the GRE encapsulation, i.e. a 20-byte outer IP header plus a 4-byte GRE header.

    Total headers added (GRE plus ESP tunnel mode with 3DES and SHA-1): roughly 74 to 81 bytes per packet, the spread coming from ESP block padding.

    19/40

    Avoiding Fragmentation

    We want to avoid fragmenting the IPSec packets:

     – They have to be re-assembled at the termination router to be decrypted

     – Re-assembly is process switched

     – Slow: CPU impact

     – So create fragments before encryption, not after

     – Reduce GRE tunnel MTU to 1400 bytes

     – Consider enabling Path MTU Discovery on the tunnels

    20/40

    Path MTU Discovery

    Path MTU Discovery is used by current and recent UNIX and Windows servers:

     – They send large packets with DF set

     – Intervening routers needing a smaller MTU send back an ICMP "fragmentation needed" message carrying the next-hop MTU

    Problem: some web server sites block all ICMP packets.

     – Result: large web images, ...
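The MTU and fragmentation controls recommended on the two slides above, as an added Cisco IOS configuration example written for this page (it is not the deck's own configuration). Interface names and addresses are hypothetical, and the 1360 MSS value is an assumption derived from the 1400-byte tunnel MTU the deck recommends.

```cisco
! Added example, not the deck's own configuration. Cisco IOS CLI for the
! fragmentation controls recommended above. Interface names and addresses
! are hypothetical; 1360 is derived from the 1400-byte tunnel MTU.
!
! Global: if a packet must be fragmented, do it on the cleartext side so the
! far-end router reassembles nothing before decryption (reassembly is
! process-switched, hence the CPU cost the deck warns about).
crypto ipsec fragmentation before-encryption
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 198.51.100.2
 ! Leave room for GRE (24 bytes) plus ESP tunnel-mode overhead inside a
 ! 1500-byte Internet MTU.
 ip mtu 1400
 ! Rewrite the MSS in TCP SYNs crossing the tunnel so hosts never send a
 ! segment that needs fragmenting: 1400 - 20 (IP) - 20 (TCP) = 1360.
 ip tcp adjust-mss 1360
 ! Copy DF from the inner packet to the outer header and learn the path
 ! MTU from ICMP "fragmentation needed" replies. If a path filters ICMP the
 ! tunnel cannot learn a smaller MTU, so the static ip mtu stays the floor.
 tunnel path-mtu-discovery
!
! Checks:
!   show interfaces Tunnel0                  -> "Path MTU Discovery" status
!   show ip interface Tunnel0 | include MTU  -> effective tunnel MTU
!   show ip traffic | include Frags          -> fragmentation/reassembly counts
```

The MSS clamp is the part that does the most work in practice: it stops most TCP flows from ever producing a packet that needs fragmenting, so the before-encryption setting and PMTUD only have to handle UDP and the occasional odd flow.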

    21/40

    Which Router?

    Cisco tested ESP tunnels with GRE to 2 head-end sites from a large population of branch routers.

    Recommendations are based on a fixed CPU-utilization ceiling for a specific traffic mix.

    This is a summary: see the Cisco documents for details. In particular, specific models within a product family may have lower performance than that shown. Your Mileage May Vary.

    22/40

    Other Recommendations

    Have a summarizable addressing scheme

     – It can make crypto ACLs simpler; less of an issue with GRE

     – Use route summarization

    For central DHCP, use helper addresses remotely

    Use IPSec Tunnel Mode with 3DES (the strongest cipher widely available when this deck was written; AES is the appropriate choice today)

    Don't use IKE keepalives

    Base the number of head-end devices on the number of remote sites and throughput

    Use appropriate (recent) Cisco IOS releases

    Avoid IPSec through NAT points

    23/40

    IPSec Sequence Numbers

    IPSec also uses sequence numbers for anti-replay protection:

     – Out-of-order packets that arrive outside the receiver's replay window are dropped!

     – Conclusion: priority queuing and load-balancing can lead to drops in an IPSec environment!

    Make one GRE tunnel primary, with a single preferred path for each remote site.

     – Dynamic routing failover preserved

     – Can use the interface delay parameter to prefer one GRE tunnel over the other (if both head-end routers are at the same site)
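The anti-replay window and the "one preferred tunnel per branch" design from this slide, as an added Cisco IOS example that is not part of the original deck. Interface names, addresses, the EIGRP AS number and the window size are assumptions; the branch router is shown, with Tunnel0 terminating on head-end 1 and Tunnel1 on head-end 2 at the same site.

```cisco
! Added example, not from the deck. Cisco IOS CLI for the anti-replay and
! single-preferred-path points above. Interface names, addresses, the EIGRP
! AS number and the window size are hypothetical. Branch router shown:
! Tunnel0 terminates on head-end 1, Tunnel1 on head-end 2 at the same site.
!
! Widen the anti-replay window from the default of 64 packets so that mild
! reordering from queuing does not push packets outside the window
! (needs an IOS release that supports the command).
crypto ipsec security-association replay window-size 1024
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.1
 ! Tunnel interfaces default to delay 50000 (units of 10 microseconds).
!
interface Tunnel1
 ip address 10.255.1.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.5
 ! Higher delay -> worse EIGRP metric, so Tunnel1 is used only when Tunnel0
 ! (or its head-end) goes away. Same bandwidth on both, so delay decides.
 delay 60000
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
!
! Checks:
!   show ip route eigrp      -> one next hop via Tunnel0, not an equal-cost
!                               pair (equal-cost paths would load-share and
!                               reorder packets across two SAs)
!   show ip eigrp topology   -> Tunnel1 path present as a feasible successor
!   show crypto ipsec sa     -> replay-failed counters should stay at zero
```

The feasible successor is what keeps the deck's "dynamic routing failover preserved" promise: when Tunnel0 drops, EIGRP switches to Tunnel1 without a full recomputation, while in steady state every packet for a given branch rides one SA in order.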

    24/40

    Service Provider

    25/40

    Service Provider (2)

    Many or even most ISPs do not honor the Layer 3 QoS markings.

     – Your voice traffic may experience unacceptable delay or jitter

    Whenever possible, you need SLAs:

     – Covering overall delay and jitter, repair time, etc.

     – Or a QoS-aware service guaranteeing certain delay and jitter levels for various classes of traffic, based on agreed-upon markings

     – Otherwise, you can deploy and later discover your IPSec VPN isn't working very well: no recourse!

    Multiple ISPs is harder:

     – SLAs generally only apply within a single ISP's network

    Beware: some home cable and DSL services block IPSec unless "business grade" service is paid for.


    27/40

    Configuration Steps

    28/40

    Enterprise IPSec VPN

    29/40

    Sample: IKE Policy

    30/40

    Sample: IPSec Transform and Protocol

    31/40

    Sample: Encryption ACLs

    32/40

    Sample: Crypto Map

    33/40

    Sample: Apply Crypto Map
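The sample configuration slides above survive only as titles in this transcript. What follows is an added example written for this page, not the deck's own sample configs: a minimal GRE-over-IPSec pair in Cisco IOS CLI covering the five sample steps (IKE policy, transform set, encryption ACL, crypto map, apply) and the "interesting packets" slide. Both routers are shown so that the mirrored ACLs and matching IKE and transform choices from the troubleshooting slide are visible side by side. All addresses, names and the pre-shared key are hypothetical; the 3DES, SHA-1 and DH group 2 choices follow the deck's era, and a current deployment would use AES, SHA-2 and a stronger DH group.

```cisco
! Added example for this page, not the deck's lost sample slides.
! Minimal GRE-over-IPSec between one head-end and one branch in Cisco IOS CLI.
! All addresses, names and the pre-shared key are hypothetical.
!
! ================= Head-end router (public 192.0.2.1) =================
! IKE (ISAKMP) policy: both ends must offer a matching policy.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Pre-shared secret, bound to the branch's public address.
crypto isakmp key ExamplePSK-ChangeMe address 198.51.100.2
!
! IPSec transform and protocol: ESP with 3DES and HMAC-SHA-1, tunnel mode.
crypto ipsec transform-set T-ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
! Encryption ACL: only the GRE packets between the two public addresses
! are "interesting". Routing inside the tunnel decides what rides in GRE.
access-list 110 permit gre host 192.0.2.1 host 198.51.100.2
!
! Crypto map ties peer, transform set and ACL together.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set T-ESP-3DES-SHA
 match address 110
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.2
!
! Apply the crypto map to the Internet-facing interface.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN-MAP
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
!
! ================= Branch router (public 198.51.100.2) =================
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key ExamplePSK-ChangeMe address 192.0.2.1
!
crypto ipsec transform-set T-ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
! Mirror image of the head-end ACL: source and destination swapped.
access-list 110 permit gre host 198.51.100.2 host 192.0.2.1
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set T-ESP-3DES-SHA
 match address 110
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source 198.51.100.2
 tunnel destination 192.0.2.1
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN-MAP
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
!
! Verification, following the "two ends must agree" checklist:
!   show crypto isakmp sa     -> phase 1 SA in state QM_IDLE
!   show crypto ipsec sa      -> #pkts encaps / #pkts decaps both increasing
!   show crypto map           -> peer, transform set and ACL on each side
!   debug crypto isakmp       -> policy, PSK or proposal mismatches
```

Reading the counters: if phase 1 never reaches QM_IDLE, the IKE policies or the pre-shared key differ; if only one direction's encaps/decaps counter grows, the crypto ACLs are not mirror images and one side is sending cleartext GRE that the other side discards.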

    34/40

    Agenda

    Introduction and Motivation

    IPSec Basics

    Enterprise IPSec VPN

    Managing VPN

    Wrap-up

    35/40

    Cisco VPN Network Management Tools

    CiscoWorks VPN Security Management Solution (VMS) includes:

     – Management Center (MC) for IDS Sensors

     – Management Center for VPN Routers

     – Management Center for PIX

    36/40

    Agenda

    Introduction and Motivation

    IPSec Basics

    Enterprise IPSec VPN

    Managing VPN

    Wrap-up

    37/40

    See Also

    AVVID Enterprise Site-to-Site VPN Design

    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns


    40/40

    Q & A

    THANK YOU