fasttrack-7 - ipsec vpn

Post on 13-Apr-2016



IPSec - VPN

What is VPN?

VPN (Virtual Private Network): "Logical connections on public networks."

Two types of VPN connections:
– Layer 2 VPN: Asynchronous Transfer Mode (ATM) and Frame Relay
– Layer 3 VPN: Generic Routing Encapsulation (GRE), Layer 2 Tunneling Protocol (L2TP), Multiprotocol Label Switching (MPLS), and IP Security (IPSec)

Applications of IPSec

IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include:
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet


Application of IPSec

Benefits of IPSec

The benefits of IPSec include:
– Strong security that can be applied to all traffic crossing the perimeter.
– Transparent to applications.
– No need to change software on a user or server system
  • When IPSec is implemented in a router or firewall
– IPSec can be transparent to end users.
– There is no need to train users on security mechanisms.
– IPSec can provide security for individual

The Scope of IPSec

IPSec provides three main facilities:
– An authentication-only function
  • Referred to as Authentication Header (AH)
– A combined authentication/encryption function
  • Called Encapsulating Security Payload (ESP)
– A key exchange function
  • IKE (ISAKMP / Oakley)

Basic IPsec Example

(Topology diagram: router 1.1.1.1 with LAN 10.1.1.0/24 connects across the Internet to peer 2.2.2.2 with LAN 10.1.2.0/24 and peer 3.3.3.3 with LAN 10.1.3.0/24.)

• IKE Policy (Phase I)

  crypto isakmp policy 1
   authentication pre-shared
   hash sha
   encryption 3des
  crypto isakmp key cisco123isabadkey address 2.2.2.2
  crypto isakmp key passwordisiabadkey address 3.3.3.3

Basic IPsec Example

• IPsec Policy (Phase II)

  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  !
  access-list 102 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
  access-list 103 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255

Basic IPsec Example

• IPsec Policy (Phase II)

  crypto map IPSEC 20 ipsec-isakmp
   set peer 2.2.2.2
   match address 102
   set transform-set ESP-3DES-SHA
  crypto map IPSEC 30 ipsec-isakmp
   set peer 3.3.3.3
   match address 103
   set transform-set ESP-3DES-SHA

Basic IPsec Example

• Apply Crypto Map

  interface serial 0
   crypto map IPSEC
  !
  ip route 10.0.0.0 255.0.0.0 serial 0
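As an added illustration (not code from the slides or from Cisco), the following Python model of the router's crypto map shows how an outbound flow is matched to a peer through the ACL wildcard masks and sequence order, and flags the Phase I/II settings above that current guidance treats as weak; the function names, the checks and the sample flows are constructed for this example.

```python
import ipaddress
import re

# Constructed copy of the router's Phase I/II lines from the slides above (pre-shared keys omitted).
CONFIG = """
crypto isakmp policy 1
 authentication pre-shared
 hash sha
 encryption 3des
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
crypto map IPSEC 20 ipsec-isakmp
 set peer 2.2.2.2
 match address 102
crypto map IPSEC 30 ipsec-isakmp
 set peer 3.3.3.3
 match address 103
"""

def wildcard_match(ip, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' for that bit position."""
    ip, base, wild = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return (ip & ~wild) == (base & ~wild)

def select_peer(config, src, dst):
    """First crypto-map entry (by sequence) whose 'match address' ACL permits src->dst wins; None = cleartext."""
    acls, cmap = {}, []
    for t in (line.split() for line in config.splitlines()):
        if len(t) == 8 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append(t[4:])          # src, src-wild, dst, dst-wild
        elif len(t) == 5 and t[:2] == ["crypto", "map"]:
            cmap.append({"seq": int(t[3])})                    # new crypto-map entry
        elif cmap and t[:2] in (["set", "peer"], ["match", "address"]):
            cmap[-1][t[1]] = t[2]                              # attaches to the current entry
    for e in sorted(cmap, key=lambda e: e["seq"]):
        for s, sw, d, dw in acls.get(e.get("address"), []):
            if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
                return e["peer"]
    return None

def weak_settings(config):
    """Flag choices current guidance treats as weak (checks are constructed for this example)."""
    checks = [(r"^\s*encryption 3des\b", "IKE encryption is 3DES"),
              (r"^\s*hash sha\s*$", "IKE hash is SHA-1"),
              (r"\besp-3des\b", "ESP transform uses 3DES")]
    found = [msg for pat, msg in checks if re.search(pat, config, re.M)]
    if not re.search(r"^\s*group \d+", config, re.M):
        found.append("no 'group' in isakmp policy: IOS defaults to DH group 1")
    return found
```

A flow from 10.1.1.0/24 to an address covered by neither ACL returns None, which is the case a defender checks for: such traffic leaves serial 0 unprotected even though the crypto map is applied.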


Frame Relay Communication

Terminology

The connection through the Frame Relay network between two DTEs is called a virtual circuit (VC).

Virtual circuits may be established dynamically by sending signaling messages to the network. In this case they are called switched virtual circuits (SVCs).

Virtual circuits can be configured manually through the network. In this case they are called permanent virtual circuits (PVCs).

Frame Relay Concepts

Frame Relay Operation

Frame Relay Concepts: Queue

Frame Relay Switches

Frame Relay Functions

Virtual Circuits

Local Significance of DLCIs

The data-link connection identifier (DLCI) is stored in the Address field of every frame transmitted.

Selecting a Frame Relay Topology

– Star (Hub and Spoke)
– Full Mesh
– Partial Mesh

Local Management Interface (LMI)

Three types of LMIs are supported by Cisco routers:
– cisco — The original LMI extensions
– ansi — Corresponding to the ANSI standard T1.617 Annex D
– q933a — Corresponding to the ITU standard Q.933 Annex A

Configuring Basic Frame Relay

Configuring a Static Frame Relay Map

Configuring Point-to-Point Subinterfaces

The show interface Command

Fields to check in the output: LMI type, LMI DLCI, LMI status.

The show frame-relay lmi Command

The show frame-relay pvc Command

The show frame-relay map Command

Troubleshooting Frame Relay: The debug frame-relay lmi Command

PVC status values shown in the output: 0x2 – Active, 0x0 – Inactive, 0x4 – Deleted