Chapter 8 Overview.ppt - leamanleaman.org/ccna_sec/Chapter_8.pdf
CCNA Security
© 2009 Cisco Learning Institute.
Chapter Eight
Implementing Virtual Private Networks
Major Concepts
• Describe the purpose and operation of VPN types
• Describe the purpose and operation of GRE VPNs
• Describe the components and operations of IPsec VPNs
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using CLI
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM
• Configure and verify a Remote Access VPN
Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe the purpose and operation of VPNs
2. Differentiate between the various types of VPNs
3. Identify the Cisco VPN product line and the security features of these products
4. Configure a site-to-site VPN GRE tunnel
5. Describe the IPSec protocol and its basic functions
6. Differentiate between AH and ESP
7. Describe the IKE protocol and modes
8. Describe the five steps of IPSec operation
Lesson Objectives
9. Describe how to prepare IPSec by ensuring that ACLs are compatible with IPSec
10. Configure IKE policies using the CLI
11. Configure the IPSec transform sets using the CLI
12. Configure the crypto ACLs using the CLI
13. Configure and apply a crypto map using the CLI
14. Describe how to verify and troubleshoot the IPSec configuration
15. Describe how to configure IPSec using SDM
16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in SDM
17. Configure a site-to-site VPN using the step-by-step VPN Wizard in SDM
Lesson Objectives
18. Verify, monitor and troubleshoot VPNs using SDM
19. Describe how an increasing number of organizations are offering telecommuting options to their employees
20. Differentiate between Remote Access IPSec VPN solutions and SSL VPNs
21. Describe how SSL is used to establish a secure VPN connection
22. Describe the Cisco Easy VPN feature
23. Configure a VPN Server using SDM
24. Connect a VPN client using the Cisco VPN Client software
What is a VPN?
(Figure: VPN topology. A mobile worker with a Cisco VPN Client and a business partner with a Cisco router reach the corporate network over the Internet; a regional branch with a VPN-enabled Cisco ISR router and a SOHO with a Cisco DSL router connect over the WAN; the corporate network sits behind a firewall and CSA.)
- Virtual: Information within a private network is transported over a public network.
- Private: The traffic is encrypted to keep the data confidential.
Layer 3 VPN
(Figure: a SOHO with a Cisco DSL router connected over an IPsec VPN across the Internet.)
Layer 3 VPN technologies:
• Generic routing encapsulation (GRE)
• Multiprotocol Label Switching (MPLS)
• IPSec
Types of VPN Networks
(Figure: two VPN types. Remote-access VPNs: a mobile worker with a Cisco VPN Client and a business partner with a Cisco router over the Internet. Site-to-site VPNs: a regional branch with a VPN-enabled Cisco ISR router and a SOHO with a Cisco DSL router over the WAN. All terminate at a corporate network protected by a firewall, IPS, IronPort, MARS and CSA-protected web, email and DNS servers.)
Site-to-Site VPN
Hosts send and receive normal TCP/IP traffic through a VPN gateway.
(Figure: site-to-site VPNs from a business partner with a Cisco router over the Internet, and from a regional branch with a VPN-enabled Cisco ISR router and a SOHO with a Cisco DSL router over the WAN, into a corporate network protected by a firewall, IPS, IronPort, MARS and CSA-protected web, email and DNS servers.)
Remote-Access VPNs
(Figure: a remote-access VPN from a mobile worker with a Cisco VPN Client over the Internet into a corporate network protected by a firewall, IPS, IronPort, MARS and CSA-protected web, email and DNS servers.)
VPN Client Software
(Figure: Cisco VPN Client connection entry "R1" for the host R1-vpn-cluster.span.com.)
In a remote-access VPN, each host typically has Cisco VPN Client software
Cisco IOS SSL VPN
• Provides remote-access connectivity from any Internet-enabled host
• Uses a web browser and SSL encryption
• Delivers two modes of access:
- Clientless
- Thin client
Cisco VPN Product Family
Product Choice                                       Remote-Access VPN   Site-to-Site VPN
Cisco VPN-Enabled Router                             Secondary role      Primary role
Cisco PIX 500 Series Security Appliances             Secondary role      Primary role
Cisco ASA 5500 Series Adaptive Security Appliances   Primary role        Secondary role
Cisco VPN 3000 Series Concentrators                  Primary role        Secondary role
Home Routers                                         Primary role        (none listed)
Cisco VPN-Optimized Routers
(Figure: Cisco routers at a main office, a remote office, a regional office and a SOHO, interconnected over the Internet.)
VPN Features:
• Voice and video enabled VPN (V3PN)
• IPSec stateful failover
• DMVPN
• IPSec and Multiprotocol Label Switching (MPLS) integration
• Cisco Easy VPN
Cisco ASA 5500 Series Adaptive Security Appliances
(Figure: an ASA at the central site serving a remote site (intranet), a business-to-business extranet and a remote user over the Internet.)
• Flexible platform
• Resilient clustering
• Cisco Easy VPN
• Automatic Cisco VPN
• Cisco IOS SSL VPN
• VPN infrastructure for contemporary applications
• Integrated web-based management
IPSec Clients
• Certicom PDA IPsec VPN Client: a wireless client that is loaded on a PDA.
• Cisco VPN Software Client: software loaded on a PC.
• Cisco AnyConnect VPN Client: provides remote users with secure VPN connections.
• Router with Firewall and VPN Client: a network appliance that connects SOHO LANs to the VPN.
(Figure: each of these clients connecting over the Internet to a small office.)
Hardware Acceleration Modules
• AIM
• Cisco IPSec VPN Shared Port Adapter (SPA)
• Cisco PIX VPN Accelerator Card+ (VAC+)
• Enhanced Scalable Encryption Processing (SEP-E)
(Figure: a Cisco IPsec VPN SPA.)
GRE VPN Overview
Encapsulation
(Figure: an original IP packet, and the same packet encapsulated with GRE.)
Configuring a GRE Tunnel
1. Create a tunnel interface.
2. Assign the tunnel an IP address.
3. Identify the source tunnel interface.
4. Identify the destination of the tunnel.
5. Configure what protocol GRE will encapsulate.

R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 192.168.5.5
R1(config-if)# tunnel mode gre ip
R1(config-if)#

R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 192.168.3.3
R2(config-if)# tunnel mode gre ip
R2(config-if)#
Using GRE
(Flowchart: Is the user traffic IP only? No: use a GRE tunnel. Yes: is it unicast only? No: use a GRE tunnel. Yes: use an IPsec VPN.)
GRE does not provide encryption.
IPSec Topology
(Figure: IPsec from the corporate main site (perimeter router, legacy Cisco PIX, legacy concentrator, ASA and PIX firewall) through POPs to a business partner with a Cisco router, a regional office with a Cisco PIX firewall, a SOHO with a Cisco SDN/DSL router and a mobile worker with a Cisco VPN Client on a laptop computer.)
• Works at the network layer, protecting and authenticating IP packets.
- It is a framework of open standards which is algorithm-independent.
- It provides data confidentiality, data integrity, and origin authentication.
IPSec Framework
(Figure: the IPsec framework: the choice of IPsec protocol, confidentiality algorithm, integrity algorithm, authentication method and Diffie-Hellman group, for example DH7.)
Confidentiality
(Figure: encryption algorithms ordered from least secure to most secure.)
• DES: key length 56 bits
• 3DES: key length 56 bits (3 times)
• SEAL: key length 160 bits
• AES: key lengths 128, 192 or 256 bits
Integrity
(Figure: hash algorithms ordered from least secure to most secure.)
• MD5: 128 bits
• SHA: 160 bits
Authentication
(Figure: peer authentication options: pre-shared key (PSK) and RSA signatures.)
Pre-shared Key (PSK)
• At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.
• The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.
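The two-way hash_I / hash_R check described above, as an added example that is not part of the slides and not Cisco's implementation. It stands in HMAC-SHA-256 over the peer identity for the IKE hash computation (a simplification of the real RFC 2409 formula, which also covers the DH values and nonces); the PSK and the two identities are constructed demo values. The second call shows the failure mode the slide implies: a peer holding a different PSK cannot reproduce either hash, so neither direction authenticates.

```python
import hashlib
import hmac

# Constructed demo values (not from the slides).
PSK = b"demo-preshared-key"     # must be identical on both peers
LOCAL_ID = b"172.30.1.2"        # local peer identity (example address)
REMOTE_ID = b"172.30.2.2"       # remote peer identity


def auth_hash(psk: bytes, identity: bytes) -> bytes:
    """Keyed hash of the peer identity under the PSK: the hash_I / hash_R value.

    HMAC-SHA-256 is used here as a stand-in for the IKE hash computation.
    """
    return hmac.new(psk, identity, hashlib.sha256).digest()


def verify(psk: bytes, identity: bytes, received: bytes) -> bool:
    """Recompute the hash from the claimed identity and our copy of the PSK and
    compare in constant time with the value the peer sent."""
    return hmac.compare_digest(auth_hash(psk, identity), received)


def mutual_auth(local_psk: bytes, remote_psk: bytes):
    """Run both directions of the exchange.

    Returns (local_authenticated_by_remote, remote_authenticated_by_local).
    Each side uses only its own copy of the PSK; if the copies differ, both
    directions fail.
    """
    hash_i = auth_hash(local_psk, LOCAL_ID)       # local -> remote
    local_ok = verify(remote_psk, LOCAL_ID, hash_i)
    hash_r = auth_hash(remote_psk, REMOTE_ID)     # remote -> local
    remote_ok = verify(local_psk, REMOTE_ID, hash_r)
    return local_ok, remote_ok


if __name__ == "__main__":
    print("matching PSK :", mutual_auth(PSK, PSK))
    print("mismatched   :", mutual_auth(PSK, b"wrong-key"))
```

Because the identity is bound into the hash, a peer that knows the PSK but presents a different identity is also rejected; hmac.compare_digest avoids leaking how many bytes of the hash matched.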
RSA Signatures
• At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local device's private encryption key creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I.
• Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.
Secure Key Exchange
(Figure: Diffie-Hellman secure key exchange, for example DH7.)
IPSec Framework Protocols
Authentication Header (AH): all data is in plaintext between R1 and R2.
AH provides the following:
• Authentication
• Integrity
Encapsulating Security Payload (ESP): the data payload is encrypted between R1 and R2.
ESP provides the following:
• Encryption
• Authentication
• Integrity
Authentication Header
(Figure: R1 hashes IP Header + Data + Key to form the Authentication Data (00ABCDEF), sends IP HDR | AH | Data across the Internet, and R2 recomputes the hash over IP Header + Data + Key and compares it with the received hash (00ABCDEF).)
1. The IP header and data payload are hashed.
2. The hash builds a new AH header which is prepended to the original packet.
3. The new packet is transmitted to the IPsec peer router.
4. The peer router hashes the IP header and data payload, extracts the transmitted hash and compares the two.
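The four AH steps above, as an added example that is not part of the slides and not the RFC 4302 wire format. The authentication data is HMAC-SHA-256 over the IP header plus payload with a shared key, placed between the header and the payload as a stand-in for the AH header; the 20-byte IPv4 header, payload and key are constructed. Real AH zeroes the mutable header fields (TTL, checksum) before hashing; this example hashes the whole header, which is enough to show why a change to the header, not only the payload, fails the check on the receiving peer.

```python
import hashlib
import hmac
import struct

AUTH_LEN = 32   # HMAC-SHA-256 digest length, used as the authentication data


def build_ah_packet(ip_header: bytes, data: bytes, key: bytes) -> bytes:
    """Steps 1-2: hash IP header + data with the key, prepend the result to the
    payload.  Layout: IP HDR | authentication data | Data."""
    auth = hmac.new(key, ip_header + data, hashlib.sha256).digest()
    return ip_header + auth + data


def verify_ah_packet(packet: bytes, key: bytes, hdr_len: int = 20) -> bool:
    """Step 4: the peer recomputes the hash over IP header + data and compares
    it with the transmitted authentication data."""
    ip_header = packet[:hdr_len]
    received = packet[hdr_len:hdr_len + AUTH_LEN]
    data = packet[hdr_len + AUTH_LEN:]
    recomputed = hmac.new(key, ip_header + data, hashlib.sha256).digest()
    return hmac.compare_digest(received, recomputed)


def tamper(packet: bytes, offset: int) -> bytes:
    """Flip one byte of a packet, simulating modification in transit."""
    buf = bytearray(packet)
    buf[offset] ^= 0xFF
    return bytes(buf)


# Constructed sample: minimal IPv4 header (protocol 51 = AH) 10.0.1.3 -> 10.0.2.3
SAMPLE_KEY = b"constructed-shared-key"
SAMPLE_HDR = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 0, 0, 0, 64, 51, 0,
                         bytes([10, 0, 1, 3]), bytes([10, 0, 2, 3]))
SAMPLE_DATA = b"hello from host A"


if __name__ == "__main__":
    pkt = build_ah_packet(SAMPLE_HDR, SAMPLE_DATA, SAMPLE_KEY)
    print("untouched packet      :", verify_ah_packet(pkt, SAMPLE_KEY))
    print("payload byte flipped  :", verify_ah_packet(tamper(pkt, 20 + AUTH_LEN), SAMPLE_KEY))
    print("dest address changed  :", verify_ah_packet(tamper(pkt, 16), SAMPLE_KEY))
```

The header case is the practical caveat: a NAT device rewriting the source or destination address produces the same mismatch as the tampered-header test, which is why AH does not pass through NAT.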
ESP
(Figure: ESP within the IPsec framework.)
Function of ESP
(Figure: two routers exchange IP HDR | Data packets across the Internet; on the wire each packet is New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth, with the original IP header, Data and ESP Trailer encrypted and ESP HDR through ESP Trailer authenticated.)
• Provides confidentiality with encryption
• Provides integrity with authentication
Mode Types
Original data prior to selection of IPsec protocol mode: IP HDR | Data
Transport Mode: IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth. Data and ESP Trailer are encrypted; ESP HDR through ESP Trailer are authenticated.
Tunnel Mode: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth. The original IP HDR, Data and ESP Trailer are encrypted; ESP HDR through ESP Trailer are authenticated.
Security Associations
IPSec parameters are configured using IKE
IKE Phases
(Figure: Host A 10.0.1.3 behind R1 and Host B 10.0.2.3 behind R2; each router holds an IKE policy set (Policy 15 and Policy 10: DES, MD5, pre-share, DH1, lifetime).)
IKE Phase 1 Exchange:
1. Negotiate IKE policy sets
2. DH key exchange
3. Verify the peer identity
IKE Phase 2 Exchange:
Negotiate IPsec policy
IKE Phase 1 – First Exchange
Negotiate IKE Proposals
(Figure: R1 (Host A 10.0.1.3) and R2 (Host B 10.0.2.3) compare their IKE policy sets: Policy 10 (DES, MD5, pre-share, DH1, lifetime), Policy 20 (3DES, SHA, pre-share, DH1, lifetime) and Policy 15 (DES, MD5, pre-share, DH1, lifetime).)
Negotiates matching IKE policies to protect the IKE exchange.
IKE Phase 1 – Second Exchange
Establish DH Key
Alice: private value $X_A$, public value $Y_A = g^{X_A} \bmod p$
Bob: private value $X_B$, public value $Y_B = g^{X_B} \bmod p$
Alice and Bob exchange $Y_A$ and $Y_B$.
Alice computes $(Y_B)^{X_A} \bmod p = K$; Bob computes $(Y_A)^{X_B} \bmod p = K$.
A DH exchange is performed to establish keying material.
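The exchange above carried through in code, as an added example that is not part of the slides. The modulus is a constructed demo value (the Mersenne prime 2^127 - 1 with generator 2), not an IKE group; the real groups are the 768-, 1024- and 1536-bit MODP primes listed for group 1, 2 and 5 in the ISAKMP parameter table later in the chapter. The one addition beyond the slide's formulas is the check a receiver should make before exponentiating: a peer public value of 0, 1 or p-1 forces K into a tiny set whatever the private exponent is, so it is rejected.

```python
import secrets

# Constructed demo parameters (not an IKE DH group).
P = 2**127 - 1   # Mersenne prime M127, small enough to read, large enough to exercise pow()
G = 2


def private_value() -> int:
    """Secret exponent X (X_A for Alice, X_B for Bob); never sent to the peer."""
    return secrets.randbelow(P - 3) + 2          # uniform in [2, P-2]


def public_value(x: int) -> int:
    """Y = g^X mod p, the value sent to the peer in the clear."""
    return pow(G, x, P)


def is_valid_public(y: int) -> bool:
    """Reject degenerate values (0, 1, p-1) that collapse the shared secret."""
    return 1 < y < P - 1


def shared_key(peer_public: int, my_private: int) -> int:
    """K = Y_peer^X mod p."""
    if not is_valid_public(peer_public):
        raise ValueError("invalid DH public value from peer")
    return pow(peer_public, my_private, P)


def dh_exchange():
    """Both sides derive the same K although only Y_A and Y_B cross the wire."""
    x_a, x_b = private_value(), private_value()
    y_a, y_b = public_value(x_a), public_value(x_b)
    k_alice = shared_key(y_b, x_a)      # (Y_B)^X_A mod p
    k_bob = shared_key(y_a, x_b)        # (Y_A)^X_B mod p
    return y_a, y_b, k_alice, k_bob


if __name__ == "__main__":
    y_a, y_b, k_alice, k_bob = dh_exchange()
    print("Y_A =", y_a)
    print("Y_B =", y_b)
    print("same K on both sides:", k_alice == k_bob)
```

K itself is not the IKE session key; IKE feeds it, with the nonces and cookies, into the SKEYID derivation. The example stops at the point the slide does, the agreed keying material.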
IKE Phase 1 – Third Exchange
Authenticate Peer
(Figure: a remote office and the corporate office with its HR servers authenticate each other as peers across the Internet.)
Peer authentication methods:
• PSKs
• RSA signatures
• RSA encrypted nonces
A bidirectional IKE SA is now established.
IKE Phase 1 – Aggressive Mode
(Figure: Host A 10.0.1.3 behind R1 and Host B 10.0.2.3 behind R2, with IKE policy sets Policy 15 and Policy 10 (DES, MD5, pre-share, DH1).)
IKE Phase 1 Aggressive Mode Exchange:
1. R1 sends its IKE policy set and R1's DH key.
2. R2 confirms the IKE policy set, calculates the shared secret and sends R2's DH key.
3. R1 calculates the shared secret, verifies the peer identity, and confirms with the peer.
4. R2 authenticates the peer and begins Phase 2.
IKE Phase 2 Exchange: negotiate IPsec policy (DH1, lifetime).
Negotiate IPsec Security Parameters
IKE Phase 2
(Figure: Host A 10.0.1.3 behind R1 and Host B 10.0.2.3 behind R2.)
• IKE negotiates matching IPsec policies.
• Upon completion, unidirectional IPsec Security Associations (SA) are established for each protocol and algorithm combination.
IPSec VPN Negotiation
(Figure: Host A 10.0.1.3 behind R1 and Host B 10.0.2.3 behind R2; IKE Phase 1 establishes the IKE SA on each router, IKE Phase 2 establishes the IPsec SAs, and the IPsec tunnel carries the traffic.)
1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session.
3. R1 and R2 negotiate an IKE Phase 2 session.
4. Information is exchanged via IPsec tunnel.
5. The IPsec tunnel is terminated.
Configuring IPsec
Tasks to Configure IPsec:
Task 1: Ensure that ACLs are compatible with IPsec.
Task 2: Create ISAKMP (IKE) policy.
Task 3: Configure IPsec transform set.
Task 4: Create a crypto ACL.
Task 5: Create and apply the crypto map.
Task 1: Configure Compatible ACLs
(Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 S0/0/0 172.30.1.2 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 S0/0/0 172.30.2.2, with AH, ESP and IKE traffic crossing the Internet between the routers.)
• Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec.
Permitting Traffic
(Figure: the same Site 1 / Site 2 topology, R1 S0/0/0 172.30.1.2 and R2 S0/0/0 172.30.2.2.)
R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1(config)#
R1(config)# interface Serial0/0/0
R1(config-if)# ip address 172.30.1.2 255.255.255.0
R1(config-if)# ip access-group 102 in
!
R1(config)# exit
R1#
R1# show access-lists
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1#
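A small offline check for Task 1, as an added example that is not part of the slides or of any Cisco tool: it parses `access-list` lines of the host-to-host form shown above and reports which of AH (ahp), ESP (esp) and ISAKMP (udp eq isakmp / 500) is not permitted from the peer to the local interface address. The two ACLs are constructed; the first is the slide's, the second has the ESP entry left out. Only this one ACE form is understood (no `any`, wildcard masks, remarks or named ACLs), so a miss from this checker means "not found in the form the slide uses", not "definitely blocked".

```python
import re

# Constructed samples. ACL_OK is the slide's ACL; ACL_MISSING_ESP drops the ESP line.
ACL_OK = """
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
"""
ACL_MISSING_ESP = """
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
"""

# One extended ACE of the form: access-list N permit|deny PROTO host SRC host DST [eq PORT]
ACE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+host\s+(\S+)\s+host\s+(\S+)"
    r"(?:\s+eq\s+(\S+))?\s*$"
)

# What IPsec needs to reach the router, per the Task 1 bullet: protocol 51, 50, UDP 500.
REQUIRED = {
    "AH (IP protocol 51)": ("ahp", None),
    "ESP (IP protocol 50)": ("esp", None),
    "ISAKMP (UDP 500)": ("udp", "isakmp"),
}


def parse_acl(text: str):
    """Return (action, protocol, src, dst, port) for every line that matches ACE."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE.match(line.strip())
        if m:
            _num, action, proto, src, dst, port = m.groups()
            entries.append((action, proto, src, dst, port))
    return entries


def missing_ipsec_permits(text: str, peer: str, local: str):
    """Names of the IPsec protocols with no permit entry from peer to local."""
    entries = parse_acl(text)
    missing = []
    for name, (proto, port) in REQUIRED.items():
        permitted = any(
            act == "permit" and p == proto and s == peer and d == local
            and (port is None or pt in (port, "500"))
            for act, p, s, d, pt in entries
        )
        if not permitted:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for label, acl in (("slide ACL", ACL_OK), ("ESP line removed", ACL_MISSING_ESP)):
        gaps = missing_ipsec_permits(acl, peer="172.30.2.2", local="172.30.1.2")
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run it against the ACL pasted from `show access-lists`; the direction matters, so pass the remote peer as `peer` and the local interface address as `local`, as the slide's entries do.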
Task 2: Configure IKE
(Figure: a tunnel between Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 across the Internet, using Policy 110: DES, MD5, pre-share, 86400, DH1.)
router(config)# crypto isakmp policy priority
Defines the parameters within the IKE policy.
R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption des
R1(config-isakmp)# group 1
R1(config-isakmp)# hash md5
R1(config-isakmp)# lifetime 86400
ISAKMP Parameters
Parameter        Keyword      Accepted Values                    Default Value          Description
encryption       des          56-bit Data Encryption Standard    des                    Message encryption algorithm
                 3des         Triple DES
                 aes          128-bit AES
                 aes 192      192-bit AES
                 aes 256      256-bit AES
hash             sha          SHA-1 (HMAC variant)               sha                    Message integrity (hash) algorithm
                 md5          MD5 (HMAC variant)
authentication   pre-share    preshared keys                     rsa-sig                Peer authentication method
                 rsa-encr     RSA encrypted nonces
                 rsa-sig      RSA signatures
group            1            768-bit Diffie-Hellman (DH)        1                      Key exchange parameters (DH group identifier)
                 2            1024-bit DH
                 5            1536-bit DH
lifetime         seconds      Can specify any number of seconds  86,400 sec (one day)   ISAKMP-established SA lifetime
Multiple Policies
(Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 across the Internet.)
R1(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication rsa-sig

R2(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication pre-share
Policy Negotiations

Topology: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 - Internet - R2 - Site 2 (10.0.2.0/24, host 10.0.2.3)

R1 attempts to establish a VPN tunnel with R2 and sends its IKE policy parameters:

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200

Policy 110 as offered to R2: pre-share, 3DES, SHA, DH group 2, lifetime 43200

R2 must have an ISAKMP policy configured with the same parameters:

R2(config)# crypto isakmp policy 100
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200

Figure: tunnel established between Site 1 and Site 2.
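The Phase 1 negotiation of the last three slides as an added Python model (not Cisco code): each policy is filled in with the defaults from the ISAKMP Parameters table, the initiator offers its policies in priority order, and the responder checks them against its own. The 65535 priority for the built-in default suite and the use of the shorter of the two lifetimes are assumptions of the model.

```python
"""IKE Phase 1 (ISAKMP) policy matching, modelled on the R1/R2 policies in
this chapter.  Added example, not Cisco code."""

# Defaults from the ISAKMP Parameters table: anything not configured in a
# crypto isakmp policy takes these values.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": 1, "lifetime": 86400}
# Attributes that must be identical on both peers for a policy to match.
MUST_MATCH = ("encryption", "hash", "authentication", "group")


def policy(priority, **overrides):
    """Build a policy the way IOS does: unset attributes take the defaults."""
    unknown = set(overrides) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown ISAKMP attribute(s): {sorted(unknown)}")
    return {"priority": priority, **DEFAULTS, **overrides}


# The "Default protection suite" that show crypto isakmp policy lists; it is
# always present and tried last (priority 65535 is a modelling assumption).
DEFAULT_SUITE = policy(65535)


def negotiate(initiator, responder):
    """First matching (offer, local, lifetime), or None when Phase 1 fails.

    The initiator sends its policies lowest priority number first; the
    responder compares each offer with its own policies in priority order,
    the built-in default suite last.  Encryption, hash, authentication and DH
    group must be equal.  Lifetime need not match; the shorter one is used
    (modelling assumption).  None is the mismatch behind a Main Mode failure.
    """
    offers = sorted(initiator, key=lambda p: p["priority"])
    candidates = sorted([*responder, DEFAULT_SUITE], key=lambda p: p["priority"])
    for offer in offers:
        for local in candidates:
            if all(offer[a] == local[a] for a in MUST_MATCH):
                return offer, local, min(offer["lifetime"], local["lifetime"])
    return None


def describe(result):
    """One-line summary of a negotiation result."""
    if result is None:
        return "no acceptable policy: Phase 1 (Main Mode) fails"
    offer, local, lifetime = result
    return (f"initiator policy {offer['priority']} matched responder policy "
            f"{local['priority']}: {offer['encryption']}/{offer['hash']}/"
            f"{offer['authentication']}/DH{offer['group']}, lifetime {lifetime}s")


# Policies from the Policy Negotiations slide.
R1_POLICY_110 = policy(110, authentication="pre-share", encryption="3des",
                       group=2, hash="sha", lifetime=43200)
R2_POLICY_100 = policy(100, authentication="pre-share", encryption="3des",
                       group=2, hash="sha", lifetime=43200)

# Policies from the Multiple Policies slide (everything else at defaults).
R1_MULTI = [policy(100, hash="md5", authentication="pre-share"),
            policy(200, hash="sha", authentication="rsa-sig"),
            policy(300, hash="md5", authentication="rsa-sig")]
R2_MULTI = [policy(100, hash="md5", authentication="pre-share"),
            policy(200, hash="sha", authentication="rsa-sig"),
            policy(300, hash="md5", authentication="pre-share")]

if __name__ == "__main__":
    print(describe(negotiate([R1_POLICY_110], [R2_POLICY_100])))
    print(describe(negotiate(R1_MULTI, R2_MULTI)))
    # R1 offers 3DES/SHA/pre-share/DH2 to a peer that has only the default suite.
    print(describe(negotiate([R1_POLICY_110], [])))
```

Note that R1's policy 200 on the Multiple Policies slide is identical to the default suite, so any responder accepts it even with no policy configured at all.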
![Page 50: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/50.jpg)
Crypto ISAKMP Key

router(config)#
crypto isakmp key keystring address peer-address
crypto isakmp key keystring hostname hostname

| Parameter | Description |
|---|---|
| keystring | This parameter specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers. |
| peer-address | This parameter specifies the IP address of the remote peer. |
| hostname | This parameter specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com). |

• The peer-address or peer-hostname can be used, but must be used consistently between peers.
• If the peer-hostname is used, then the crypto isakmp identity hostname command must also be configured.
![Page 51: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/51.jpg)
Sample Configuration

Topology: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 - Internet - R2 - Site 2 (10.0.2.0/24, host 10.0.2.3)

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)#

R2(config)# crypto isakmp policy 110
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200
R2(config-isakmp)# exit
R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)#

Note:
• The keystring cisco123 matches on both peers.
• The address identity method is specified.
• The ISAKMP policies are compatible.
• Default values do not have to be configured.
![Page 52: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/52.jpg)
Task 3: Configure the Transform Set

router(config)#
crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3]

A transform set is a combination of IPsec transforms that enact a security policy for traffic.

crypto ipsec transform-set Parameters

| Command | Description |
|---|---|
| transform-set-name | This parameter specifies the name of the transform set to create (or modify). |
| transform1, transform2, transform3 | Type of transform set. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication. These transforms define the IP Security (IPsec) security protocols and algorithms. |
![Page 53: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/53.jpg)
Transform Sets

Topology: Host A (10.0.1.3) - R1 (172.30.1.2) - Internet - R2 (172.30.2.2) - Host B (10.0.2.3)

R1 transform sets (offered in this order):
transform-set ALPHA    esp-3des                  tunnel
transform-set BETA     esp-des, esp-md5-hmac     tunnel
transform-set CHARLIE  esp-3des, esp-sha-hmac    tunnel

R2 transform sets:
transform-set RED      esp-des                   tunnel
transform-set BLUE     esp-des, ah-sha-hmac      tunnel
transform-set YELLOW   esp-3des, esp-sha-hmac    tunnel

• Transform sets are negotiated during IKE Phase 2.
• The 9th attempt found matching transform sets (CHARLIE - YELLOW).
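The Phase 2 matching shown in this figure, together with the one-transform-per-category rule from the crypto ipsec transform-set table, as an added Python example (not Cisco code). The pairwise attempt order (every R2 set tried against ALPHA, then against BETA, then CHARLIE) is inferred from the "9th attempt" in the figure, and the folding of an AES key length into the transform token is this example's own convention.

```python
"""IKE Phase 2 transform-set matching for the sets on this page.
Added example, not Cisco code."""
import re

# Transform categories from the crypto ipsec transform-set table: a set may
# hold at most one transform of each category.
CATEGORIES = {
    "AH": {"ah-md5-hmac", "ah-sha-hmac"},
    "ESP encryption": {"esp-des", "esp-3des", "esp-aes", "esp-null"},
    "ESP authentication": {"esp-md5-hmac", "esp-sha-hmac"},
    "compression": {"comp-lzs"},
}


def validate_transforms(transforms):
    """Return {category: transform}; raise ValueError on an illegal combination."""
    seen = {}
    for t in transforms:
        base = t.split()[0]                       # drop an AES key length
        cat = next((c for c, s in CATEGORIES.items() if base in s), None)
        if cat is None:
            raise ValueError(f"unknown transform {t!r}")
        if cat in seen:
            raise ValueError(f"two {cat} transforms: {seen[cat]!r} and {t!r}")
        seen[cat] = t
    return seen


def transform_set(cli_line, mode="tunnel"):
    """Parse 'crypto ipsec transform-set NAME t1 [t2] [t3]' into (name, transforms, mode).

    An AES key length ('esp-aes 128') is folded into the transform token so
    that esp-aes 128 and esp-aes 256 do not match each other.
    """
    m = re.fullmatch(r"crypto ipsec transform-set (\S+)\s+(.+)", cli_line.strip())
    if not m:
        raise ValueError(f"not a transform-set command: {cli_line!r}")
    name, tokens = m.group(1), m.group(2).split()
    transforms, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "esp-aes" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            tok, i = f"esp-aes {tokens[i + 1]}", i + 1
        transforms.append(tok)
        i += 1
    validate_transforms(transforms)
    return name, frozenset(transforms), mode


def negotiate_transform_set(offered, local):
    """First match as (attempt_number, offered_name, local_name), or None.

    Names are only locally significant, so only the transforms and the mode
    are compared.  Attempts are counted pairwise: every local set is tried
    against the first offer, then against the second, and so on.
    """
    attempt = 0
    for o_name, o_tr, o_mode in offered:
        for l_name, l_tr, l_mode in local:
            attempt += 1
            if o_tr == l_tr and o_mode == l_mode:
                return attempt, o_name, l_name
    return None


# R1 offers ALPHA, BETA, CHARLIE in that order; R2 holds RED, BLUE, YELLOW.
R1_SETS = [transform_set("crypto ipsec transform-set ALPHA esp-3des"),
           transform_set("crypto ipsec transform-set BETA esp-des esp-md5-hmac"),
           transform_set("crypto ipsec transform-set CHARLIE esp-3des esp-sha-hmac")]
R2_SETS = [transform_set("crypto ipsec transform-set RED esp-des"),
           transform_set("crypto ipsec transform-set BLUE esp-des ah-sha-hmac"),
           transform_set("crypto ipsec transform-set YELLOW esp-3des esp-sha-hmac")]

if __name__ == "__main__":
    print(negotiate_transform_set(R1_SETS, R2_SETS))   # (9, 'CHARLIE', 'YELLOW')
```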
![Page 54: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/54.jpg)
Sample Configuration

Topology: Site 1, host A (10.0.1.3) - R1 (172.30.1.2) - Internet - R2 (172.30.2.2) - host B (10.0.2.3), Site 2

R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)# crypto ipsec transform-set MYSET esp-aes 128
R1(cfg-crypto-trans)# exit
R1(config)#

R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)# crypto ipsec transform-set OTHERSET esp-aes 128
R2(cfg-crypto-trans)# exit
R2(config)#

Note:
• Peers must share the same transform set settings.
• Names are only locally significant.
![Page 55: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/55.jpg)
Task 4: Configure the Crypto ACLs

Figure: Host A - R1 - Internet. Outbound traffic: Encrypt or Bypass (Plaintext). Inbound traffic: Permit, Bypass, or Discard (Plaintext).

• Outbound indicates the data flow to be protected by IPsec.
• Inbound filters and discards traffic that should have been protected by IPsec.
![Page 56: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/56.jpg)
Command Syntax

Topology: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3)

router(config)#
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

access-list access-list-number Parameters

| Command | Description |
|---|---|
| permit | This option causes all IP traffic that matches the specified conditions to be protected by cryptography, using the policy described by the corresponding crypto map entry. |
| deny | This option instructs the router to route traffic in plaintext. |
| protocol | This option specifies which traffic to protect by cryptography based on the protocol, such as TCP, UDP, or ICMP. If the protocol is IP, then all IP traffic that matches that permit statement is encrypted. |
| source and destination | If the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, then the traffic between the specified source and destination is sent in plaintext. |
![Page 57: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/57.jpg)
Symmetric Crypto ACLs

Topology: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3)

Applied to R1 S0/0/0 outbound traffic:
R1(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
(when evaluating inbound traffic - source: 10.0.2.0, destination: 10.0.1.0)

Applied to R2 S0/0/0 outbound traffic:
R2(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
(when evaluating inbound traffic - source: 10.0.1.0, destination: 10.0.2.0)
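The crypto ACL behaviour of Task 4 (outbound encrypt/bypass, inbound evaluated with source and destination swapped, plaintext that should have been protected discarded) and the mirror-image check between R1's and R2's ACLs, as an added Python example that is not Cisco code. It parses only the access-list forms used on this page plus the `host` and `any` keywords; ACL numbers are treated as locally significant and entry order is ignored by the symmetry check.

```python
"""Crypto ACL evaluation and mirror-image check for the R1/R2 ACLs on this
page.  Added example, not Cisco code."""
import ipaddress
import re
from dataclasses import dataclass

# Optional "R1(config)# " prompt, then the access-list statement.
ACE_RE = re.compile(r"^(?:\S+\(config\)#\s*)?access-list (\d+) (permit|deny) (\S+) (.+)$")


def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def _take_address(tokens):
    """Consume 'any', 'host A', or 'A WILDCARD'; return (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(tok), _to_int(tokens.pop(0))


@dataclass(frozen=True)
class CryptoAce:
    number: int
    action: str          # permit = protect with IPsec; deny = route in plaintext
    protocol: str        # "ip" matches every protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int

    @staticmethod
    def parse(line):
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        tokens = m.group(4).split()
        src, src_wild = _take_address(tokens)
        dst, dst_wild = _take_address(tokens)
        return CryptoAce(int(m.group(1)), m.group(2), m.group(3),
                         src, src_wild, dst, dst_wild)

    def matches(self, protocol, src_ip, dst_ip):
        """Wildcard-mask match: 1 bits in the mask are 'don't care'."""
        if self.protocol not in ("ip", protocol):
            return False
        return (((_to_int(src_ip) ^ self.src) & ~self.src_wild & 0xFFFFFFFF) == 0 and
                ((_to_int(dst_ip) ^ self.dst) & ~self.dst_wild & 0xFFFFFFFF) == 0)

    def mirror(self):
        """The entry the peer must hold: same action and protocol, src/dst swapped."""
        return CryptoAce(self.number, self.action, self.protocol,
                         self.dst, self.dst_wild, self.src, self.src_wild)


def first_match(acl, protocol, src_ip, dst_ip):
    return next((ace for ace in acl if ace.matches(protocol, src_ip, dst_ip)), None)


def outbound(acl, protocol, src_ip, dst_ip):
    """Outbound: permit -> encrypt; deny or no match (implicit deny) -> plaintext."""
    ace = first_match(acl, protocol, src_ip, dst_ip)
    return "encrypt" if ace and ace.action == "permit" else "bypass"


def inbound(acl, protocol, src_ip, dst_ip, protected):
    """Inbound is checked with source and destination swapped.

    Traffic the ACL says should have been protected is permitted only if it
    arrived inside IPsec; in plaintext it is discarded.  Anything else bypasses.
    """
    ace = first_match(acl, protocol, dst_ip, src_ip)      # swapped on purpose
    if ace and ace.action == "permit":
        return "permit" if protected else "discard"
    return "bypass"


def symmetric(acl_a, acl_b):
    """True when every entry of one ACL has its mirror image in the other."""
    def keys(acl):
        return {(a.action, a.protocol, a.src, a.src_wild, a.dst, a.dst_wild) for a in acl}
    return keys(acl_a) == keys(ace.mirror() for ace in acl_b)


# The two crypto ACLs from the Symmetric Crypto ACLs slide.
R1_ACL = [CryptoAce.parse("access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255")]
R2_ACL = [CryptoAce.parse("access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255")]

if __name__ == "__main__":
    print(symmetric(R1_ACL, R2_ACL))                                        # True
    print(outbound(R1_ACL, "tcp", "10.0.1.3", "10.0.2.3"))                  # encrypt
    print(inbound(R1_ACL, "tcp", "10.0.2.3", "10.0.1.3", protected=False))  # discard
```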
![Page 58: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/58.jpg)
Task 5: Apply the Crypto Map

Figure: Site 1 (host 10.0.1.3) - R1 - Internet - R2 - Site 2 (host 10.0.2.3); the crypto map is applied to a router interface or subinterface, and encrypted traffic flows between R1 and R2.

Crypto maps define the following:
• ACL to be used
• Remote VPN peers
• Transform set to be used
• Key management method
• SA lifetimes
![Page 59: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/59.jpg)
Crypto Map Command

router(config)#
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]

crypto map Parameters

| Command Parameters | Description |
|---|---|
| map-name | Defines the name assigned to the crypto map set or indicates the name of the crypto map to edit. |
| seq-num | The number assigned to the crypto map entry. |
| ipsec-manual | Indicates that ISAKMP will not be used to establish the IPsec SAs. |
| ipsec-isakmp | Indicates that ISAKMP will be used to establish the IPsec SAs. |
| cisco | (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic. |
| dynamic | (Optional) Specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available. |
| dynamic-map-name | (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template. |
![Page 60: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/60.jpg)
Crypto Map Configuration Mode Commands

| Command | Description |
|---|---|
| set | Used with the peer, pfs, transform-set, and security-association commands. |
| peer [hostname \| ip-address] | Specifies the allowed IPsec peer by IP address or hostname. |
| pfs [group1 \| group2] | Specifies DH Group 1 or Group 2. |
| transform-set [set_name(s)] | Specify list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, then only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified. |
| security-association lifetime | Sets SA lifetime parameters in seconds or kilobytes. |
| match address [access-list-id \| name] | Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP-extended ACL being matched. |
| no | Used to delete commands entered with the set command. |
| exit | Exits crypto map configuration mode. |
![Page 61: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/61.jpg)
Sample Configuration

Topology: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 - Internet - R2 S0/0/0 172.30.2.2 (Site 2, 10.0.2.0/24, host 10.0.2.3) and R3 S0/0/0 172.30.3.2

R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer 172.30.2.2 default
R1(config-crypto-map)# set peer 172.30.3.2
R1(config-crypto-map)# set pfs group1
R1(config-crypto-map)# set transform-set mine
R1(config-crypto-map)# set security-association lifetime seconds 86400

Multiple peers can be specified for redundancy.
![Page 62: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/62.jpg)
Assign the Crypto Map Set

Topology: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 (crypto map MYMAP) - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3)

router(config-if)#
crypto map map-name

• Applies the crypto map to the outgoing interface
• Activates the IPsec policy

R1(config)# interface serial0/0/0
R1(config-if)# crypto map MYMAP
![Page 63: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/63.jpg)
CLI Commands

| Show Command | Description |
|---|---|
| show crypto map | Displays configured crypto maps |
| show crypto isakmp policy | Displays configured IKE policies |
| show crypto ipsec sa | Displays established IPsec tunnels |
| show crypto ipsec transform-set | Displays configured IPsec transform sets |
| debug crypto isakmp | Debugs IKE events |
| debug crypto ipsec | Debugs IPsec events |
![Page 64: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/64.jpg)
show crypto map

router#
show crypto map

Displays the currently configured crypto maps.

Topology: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3)

R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 110
            access-list 102 permit ip host 10.0.1.3 host 10.0.2.3
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MYSET, }
![Page 65: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/65.jpg)
show crypto isakmp policy

router#
show crypto isakmp policy

Topology: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3)

R1# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm: 3DES - Data Encryption Standard (168 bit keys).
        hash algorithm: Secure Hash Standard
        authentication method: preshared
        Diffie-Hellman group: #2 (1024 bit)
        lifetime: 86400 seconds, no volume limit
Default protection suite
        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
        hash algorithm: Secure Hash Standard
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 86400 seconds, no volume limit
![Page 66: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/66.jpg)
show crypto ipsec transform-set

router#
show crypto ipsec transform-set

Displays the currently defined transform sets.

Topology: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3)

R1# show crypto ipsec transform-set
Transform set AES_SHA: { esp-128-aes esp-sha-hmac }
   will negotiate = { Tunnel, },
![Page 67: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/67.jpg)
show crypto ipsec sa

Topology: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3)

R1# show crypto ipsec sa
Interface: Serial0/0/0
    Crypto map tag: MYMAP, local addr. 172.30.1.2
    local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
    current_peer: 172.30.2.2
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
    local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
    path mtu 1500, media mtu 1500
    current outbound spi: 8AE1C9C
![Page 68: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/68.jpg)
debug crypto isakmp

router#
debug crypto isakmp

1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2

• This is an example of the Main Mode error message.
• The failure of Main Mode suggests that the Phase I policy does not match on both sides.
• Verify that the Phase I policy is on both peers and ensure that all the attributes match.
![Page 69: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/69.jpg)
Starting a VPN Wizard

1. Click Configure in the main toolbar.
2. Click the VPN button to open the VPN page.
3. Choose a wizard. (Wizards for IPsec solutions include types of VPNs and individual IPsec components.)
4. Click the VPN implementation subtype. (VPN implementation subtypes vary based on the VPN wizard chosen.)
5. Click the Launch the Selected Task button.
![Page 70: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/70.jpg)
VPN Components

Individual IPsec components used to build VPNs:
• VPN Wizards
• SSL VPN parameters
• Easy VPN server parameters
• Public key certificate parameters
• Encrypt VPN passwords
![Page 71: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/71.jpg)
Configuring a Site-to-Site VPN

Choose Configure > VPN > Site-to-Site VPN.
Click Create a Site-to-Site VPN.
Click the Launch the Selected Task button.
![Page 72: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/72.jpg)
Site-to-Site VPN Wizard

Choose the wizard mode.
Click Next to proceed to the configuration of parameters.
![Page 73: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/73.jpg)
Quick Setup

Configure the parameters:
• Interface to use
• Peer identity information
• Authentication method
• Traffic to encrypt
![Page 74: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/74.jpg)
Verify Parameters
![Page 75: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/75.jpg)
Step-by-Step Wizard

1. Choose the outside interface that is used to connect to the IPsec peer.
2. Specify the IP address of the peer.
3. Choose the authentication method and specify the credentials.
4. Click Next.
![Page 76: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/76.jpg)
Creating a Custom IKE Proposal

1. Click Add to define a proposal.
2. Make the selections to configure the IKE Policy and click OK.
3. Click Next.
![Page 77: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/77.jpg)
Creating a Custom IPsec Transform Set

1. Click Add.
2. Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation and optional compression.
3. Click Next.
![Page 78: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/78.jpg)
Protecting Traffic: Subnet to Subnet

1. Click Protect All Traffic Between the Following Subnets.
2. Define the IP address and subnet mask of the local network.
3. Define the IP address and subnet mask of the remote network.
![Page 79: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/79.jpg)
Protecting Traffic: Custom ACL

1. Click the Create/Select an Access-List for IPSec Traffic radio button.
2. Click the ellipsis button to choose an existing ACL or create a new one.
3. To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option.
![Page 80: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/80.jpg)
Add a Rule

1. Click Add.
2. Give the access rule a name and description.
![Page 81: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/81.jpg)
Configuring a New Rule Entry

1. Choose an action and enter a description of the rule entry.
2. Define the source hosts or networks in the Source Host/Network pane and the destination hosts or networks in the Destination Host/Network pane.
3. (Optional) To provide protection for specific protocols, choose the specific protocol radio button and the desired port numbers.
![Page 82: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/82.jpg)
Configuration Summary

• Click Back to modify the configuration.
• Click Finish to complete the configuration.
![Page 83: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/83.jpg)
Verify VPN Configuration

Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN.
• Check VPN status.
• Create a mirroring configuration if no Cisco SDM is available on the peer.
• Test the VPN configuration.
![Page 84: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/84.jpg)
Monitor

Choose Monitor > VPN Status > IPSec Tunnels.
Lists all IPsec tunnels, their parameters, and status.
![Page 85: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/85.jpg)
Telecommuting

• Flexibility in working location and working hours
• Employers save on real-estate, utility and other overhead costs
• Succeeds if program is voluntary, subject to management discretion, and operationally feasible
![Page 86: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/86.jpg)
Telecommuting Benefits

• Organizational benefits:
- Continuity of operations
- Increased responsiveness
- Secure, reliable, and manageable access to information
- Cost-effective integration of data, voice, video, and applications
- Increased employee productivity, satisfaction, and retention
• Social benefits:
- Increased employment opportunities for marginalized groups
- Less travel and commuter related stress
• Environmental benefits:
- Reduced carbon footprints, both for individual workers and organizations
![Page 87: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/87.jpg)
Implementing Remote Access
![Page 88: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/88.jpg)
Methods for Deploying Remote Access

• IPsec Remote Access VPN
• SSL-Based VPN

Figure labels: Any Application; Anywhere Access.
![Page 89: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/89.jpg)
Comparison of SSL and IPSec

| | SSL | IPsec |
|---|---|---|
| Applications | Web-enabled applications, file sharing, e-mail | All IP-based applications |
| Encryption | Moderate: key lengths from 40 bits to 128 bits | Stronger: key lengths from 56 bits to 256 bits |
| Authentication | Moderate: one-way or two-way authentication | Strong: two-way authentication using shared secrets or digital certificates |
| Ease of Use | Very high | Moderate: can be challenging to nontechnical users |
| Overall Security | Moderate: any device can connect | Strong: only specific devices with specific configurations can connect |
![Page 90: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/90.jpg)
SSL VPNs

• Integrated security and routing
• Browser-based full network SSL VPN access

Figure: SSL VPN tunnel across the Internet from a remote user to workplace resources at Headquarters.
![Page 91: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/91.jpg)
Types of Access
![Page 92: Chapter 8 Overview.ppt - Leamanleaman.org/ccna_sec/Chapter_8.pdf · • Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM • Configure and](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/92.jpg)
Full Tunnel Client Access Mode
![Page 93](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/93.jpg)
Establishing an SSL Session
Figure: a user running an SSL client connects to an SSL VPN enabled ISR router.
1. User makes a connection to TCP port 443
2. Router replies with a digitally signed public key
3. User software creates a shared-secret key
4. Shared-secret key, encrypted with the public key of the server, is sent to the router
5. Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm
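The router side of the five steps above, as an added example that is not part of the original slides and not Cisco's own material: an IOS WebVPN (SSL VPN) gateway that listens on TCP 443 (step 1), presents the certificate from a trustpoint (the digitally signed public key of step 2) and restricts the symmetric bulk cipher (step 5), plus a context and policy group that enable full tunnel client access. Steps 3 and 4 happen inside the SSL handshake and need no configuration. Every name, address, pool and file path here is a placeholder; the trustpoint SSLVPN-CERT is assumed to have been enrolled already, and the exact keyword set accepted by `ssl encryption` depends on the IOS release.

```cisco
! Added example, not from the slides: IOS WebVPN (SSL VPN) gateway on an ISR.
! All names, addresses and paths are placeholders; trustpoint SSLVPN-CERT is assumed to exist.
aaa new-model
aaa authentication login SSLVPN-AUTH local
username vpnuser secret EXAMPLE-USER-PASSWORD
!
! Step 1: the gateway accepts connections on TCP port 443
webvpn gateway SSLVPN-GW
 ip address 203.0.113.1 port 443
 ! Step 2: certificate (digitally signed public key) presented to the client
 ssl trustpoint SSLVPN-CERT
 ! Step 5: offer only AES-based suites for bulk encryption (keywords vary by IOS release)
 ssl encryption aes-sha1
 inservice
!
! Full tunnel client access: the SVC package pushed to browsers and the address pool for tunnel clients
webvpn install svc flash:/webvpn/svc.pkg
ip local pool SSLVPN-POOL 192.168.200.1 192.168.200.50
!
webvpn context SSLVPN-CTX
 gateway SSLVPN-GW
 aaa authentication list SSLVPN-AUTH
 policy group FULL-TUNNEL
  functions svc-enabled
  svc address-pool "SSLVPN-POOL"
  svc keep-client-installed
  ! only the headquarters network is tunneled; other traffic uses the client's local path
  svc split include 10.1.0.0 255.255.0.0
 default-group-policy FULL-TUNNEL
 inservice
```

Check the result with `show webvpn gateway` and `show webvpn session context SSLVPN-CTX`. Step 2 only protects users if their browsers actually trust the certificate chain behind the trustpoint: with a self-signed certificate users learn to click through the warning, and the signed public key no longer tells them which router they reached.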
![Page 94](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/94.jpg)
SSL VPN Design Considerations
• User connectivity
• Router feature
• Infrastructure planning
• Implementation scope
![Page 95](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/95.jpg)
Cisco Easy VPN
• Negotiates tunnel parameters
• Establishes tunnels according to set parameters
• Automatically creates a NAT / PAT and associated ACLs
• Authenticates users by usernames, group names, and passwords
• Manages security keys for encryption and decryption
• Authenticates, encrypts, and decrypts data through the tunnel
![Page 96](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/96.jpg)
Cisco Easy VPN
![Page 97](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/97.jpg)
Securing the VPN
1. Initiate IKE Phase 1
2. Establish ISAKMP SA
3. Accept proposal
4. Username/password challenge
5. System parameters pushed
6. Reverse Route Injection (RRI) adds a static route entry on the router for the remote client's IP address
7. Initiate IKE Phase 2: IPsec SA
![Page 98](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/98.jpg)
Configuring Cisco Easy VPN Server
Figure: SDM Easy VPN Server wizard screenshots, callouts 1 to 5.
![Page 99](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/99.jpg)
Configuring IKE Proposals
1. Click Add
2. Specify required parameters
3. Click OK
![Page 100](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/100.jpg)
Creating an IPsec Transform Set
Figure: SDM transform set dialog screenshots, callouts 1 to 4.
![Page 101](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/101.jpg)
Group Authorization and Group Policy Lookup
1. Select the location where Easy VPN group policies can be stored
2. Click Next
3. Click Add
4. Configure the local group policies
5. Click Next
![Page 102](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/102.jpg)
Summary of Configuration Parameters
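The CLI equivalent of the SDM wizard screens above, as an added example that is not from the slides and not Cisco's own material. It sets the same pieces the wizard collects (IKE proposal, IPsec transform set, local group policy lookup, user authentication) and maps onto the sequence on the "Securing the VPN" slide: the ISAKMP policy for Phase 1, the XAUTH list for the username/password challenge, the group configuration and `client configuration address respond` for the pushed system parameters, `reverse-route` for RRI, and the dynamic crypto map for the Phase 2 IPsec SA. Every name, address, password, group key and interface here is a placeholder.

```cisco
! Added example, not from the slides: Easy VPN Server configured from the CLI.
! All names, addresses, passwords and keys below are placeholders.
aaa new-model
! XAUTH list: the per-user username/password challenge (step 4 on the slide)
aaa authentication login EZVPN-XAUTH local
! Group authorization list: where Easy VPN group policies are looked up (local router here)
aaa authorization network EZVPN-GROUP local
username vpnuser secret EXAMPLE-USER-PASSWORD
!
! IKE Phase 1 proposal (steps 1 to 3: initiate, establish ISAKMP SA, accept proposal)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Local group policy: the group key and the system parameters pushed to clients (step 5)
crypto isakmp client configuration group SALES
 key EXAMPLE-GROUP-PSK
 dns 10.1.1.10
 domain example.net
 pool EZVPN-POOL
 acl 110
!
ip local pool EZVPN-POOL 192.168.100.1 192.168.100.50
! Split-tunnel ACL pushed to clients: only traffic to the headquarters LAN enters the tunnel
access-list 110 permit ip 10.1.0.0 0.0.255.255 any
!
! IPsec transform set used for the Phase 2 SA (step 7)
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
! Dynamic crypto map because client addresses are not known in advance.
! reverse-route = Reverse Route Injection: a static host route per connected client (step 6)
crypto dynamic-map EZVPN-DYN 10
 set transform-set ESP-AES256-SHA
 reverse-route
!
! Bind XAUTH, group authorization and mode configuration (parameter push) to the crypto map
crypto map EZVPN-MAP client authentication list EZVPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list EZVPN-GROUP
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map EZVPN-MAP
```

Verify with `show crypto isakmp sa` (Phase 1), `show crypto ipsec sa` and `show crypto session` (Phase 2), and `show ip route static`, where each connected client should appear as a host route injected by RRI. Note that the group key under `crypto isakmp client configuration group` is shared by every user of that group, which is why the XAUTH list is not optional: per-user credentials are the only factor that is not common to the whole group.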
![Page 103](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/103.jpg)
VPN Client Overview
Figure: Cisco VPN Client screenshots with connection entry "R1" for host R1-vpn-cluster.span.com.
• Establishes end-to-end, encrypted VPN tunnels for secure connectivity
• Compatible with all Cisco VPN products
• Supports the innovative Cisco Easy VPN capabilities
![Page 104](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/104.jpg)
Establishing a Connection
Figure: Cisco VPN Client connecting with entry "R1" to R1-vpn-cluster.span.com. Once authenticated, status changes to connected.
![Page 105](https://reader033.vdocuments.us/reader033/viewer/2022050813/5a701f967f8b9aa2538bb73e/html5/thumbnails/105.jpg)