ccna_security_08.ppt
TRANSCRIPT
-
7/14/2019 CCNA_Security_08.ppt
1/135
1 2009 Cisco Learning Institute.
CCNA Security
Chapter Eight
Implementing Virtual Private Networks
-
Lesson Planning
This lesson should take 3-4 hours to present
The lesson should include lecture, demonstrations, discussions and assessments
The lesson can be taught in person or using remote instruction
-
Major Concepts
Describe the purpose and operation of VPN types
Describe the purpose and operation of GRE VPNs
Describe the components and operations of IPsec VPNs
Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using CLI
Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM
Configure and verify a Remote Access VPN
-
Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe the purpose and operation of VPNs
2. Differentiate between the various types of VPNs
3. Identify the Cisco VPN product line and the security features of these products
4. Configure a site-to-site VPN GRE tunnel
5. Describe the IPSec protocol and its basic functions
6. Differentiate between AH and ESP
7. Describe the IKE protocol and modes
8. Describe the five steps of IPSec operation
-
Lesson Objectives
9. Describe how to prepare IPSec by ensuring that ACLs are compatible with IPSec
10. Configure IKE policies using the CLI
11. Configure the IPSec transform sets using the CLI
12. Configure the crypto ACLs using the CLI
13. Configure and apply a crypto map using the CLI
14. Describe how to verify and troubleshoot the IPSec configuration
15. Describe how to configure IPSec using SDM
16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in SDM
17. Configure a site-to-site VPN using the step-by-step VPN Wizard in SDM
-
Lesson Objectives
18. Verify, monitor and troubleshoot VPNs using SDM
19. Describe how an increasing number of organizations are offering telecommuting options to their employees
20. Differentiate between Remote Access IPSec VPN solutions and SSL VPNs
21. Describe how SSL is used to establish a secure VPN connection
22. Describe the Cisco Easy VPN feature
23. Configure a VPN Server using SDM
24. Connect a VPN client using the Cisco VPN Client software
-
VPNs
VPN Overview
VPN Technologies
VPN Solutions
-
VPN Overview
What is a VPN?
Layer 3 VPNs
-
What is a VPN?
- Virtual: Information within a private network is transported over a public network.
- Private: The traffic is encrypted to keep the data confidential.
[Diagram: corporate network (firewall, CSA) connected over the Internet and WAN to a regional branch with a VPN-enabled Cisco ISR router, a SOHO with a Cisco DSL router, a mobile worker with a Cisco VPN Client, and a business partner with a Cisco router.]
-
Layer 3 VPN
Generic routing encapsulation (GRE)
Multiprotocol Label Switching (MPLS)
IPSec
[Diagram: SOHO with a Cisco DSL router connected to the corporate site over the Internet through an IPsec VPN.]
-
VPN Technologies
Types of VPN Networks
Site-to-Site VPN
Remote-Access VPN
VPN Client Software
Cisco IOS SSL VPN
-
Types of VPN Networks
[Diagram: corporate network (MARS, IronPort, firewall, IPS, web server, email server, DNS, CSA-protected hosts) connected over the Internet and WAN. Site-to-site VPNs: regional branch with a VPN-enabled Cisco ISR router, SOHO with a Cisco DSL router, business partner with a Cisco router. Remote-access VPNs: mobile worker with a Cisco VPN Client.]
-
Site-to-Site VPN
[Diagram: site-to-site VPNs between the corporate network and a regional branch with a VPN-enabled Cisco ISR router, a SOHO with a Cisco DSL router, and a business partner with a Cisco router, over the Internet and WAN.]
Hosts send and receive normal TCP/IP traffic through a VPN gateway
-
Remote-Access VPNs
[Diagram: remote-access VPN from a mobile worker with a Cisco VPN Client across the Internet to the corporate network.]
-
VPN Client Software
[Diagram: Cisco VPN Client connecting to R1 (R1-vpn-cluster.span.com).]
In a remote-access VPN, each host typically has Cisco VPN Client software
-
Cisco IOS SSL VPN
Provides remote-access connectivity from any Internet-enabled host
Uses a web browser and SSL encryption
Delivers two modes of access:
- Clientless
- Thin client
-
VPN Solutions
Cisco VPN Product Family
Cisco VPN-Optimized Routers
Cisco ASA 5500 Series Adaptive Security Appliances
IPSec Clients
Hardware Acceleration Modules
-
Cisco VPN Product Family
Product Choice: Remote-Access VPN / Site-to-Site VPN
Cisco VPN-Enabled Router: Secondary role / Primary role
Cisco PIX 500 Series Security Appliances: Secondary role / Primary role
Cisco ASA 5500 Series Adaptive Security Appliances: Primary role / Secondary role
Cisco VPN 3000 Series Concentrators: Primary role / Secondary role
Home Routers: Primary role / ?
-
Cisco VPN-Optimized Routers
[Diagram: remote office, regional office, SOHO and main office Cisco routers interconnected over the Internet.]
VPN Features:
- Voice and video enabled VPN (V3PN)
- IPSec stateful failover
- DMVPN
- IPSec and Multiprotocol Label Switching (MPLS) integration
- Cisco Easy VPN
-
Cisco ASA 5500 Series Adaptive Security Appliances
Flexible platform
Resilient clustering
Cisco Easy VPN
Automatic Cisco VPN
Cisco IOS SSL VPN
VPN infrastructure for contemporary applications
Integrated web-based management
[Diagram: central site connected over the Internet to a remote site, a remote user, an extranet (business-to-business) and an intranet.]
-
IPSec Clients
[Diagram: IPsec clients connecting to a small office over the Internet.]
- Cisco AnyConnect VPN Client: provides remote users with secure VPN connections
- Certicom PDA IPsec VPN Client: a wireless client that is loaded on a PDA
- Cisco VPN Software Client: software loaded on a PC
- Router with Firewall and VPN Client: a network appliance that connects SOHO LANs to the VPN
-
Hardware Acceleration Modules
AIM
Cisco IPSec VPN Shared Port Adapter (SPA)
Cisco PIX VPN Accelerator Card+ (VAC+)
Enhanced Scalable Encryption Processing (SEP-E)
-
GRE VPNs
Overview
Encapsulation
Configuring a GRE Tunnel
Using GRE
-
Overview
-
Encapsulation
[Diagram: original IP packet, and the same packet encapsulated with GRE.]
-
Configuring a GRE Tunnel
R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 192.168.5.5
R1(config-if)# tunnel mode gre ip
R1(config-if)#
R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 192.168.3.3
R2(config-if)# tunnel mode gre ip
R2(config-if)#
Create a tunnel interface
Assign the tunnel an IP address
Identify the source tunnel interface
Identify the destination of the tunnel
Configure what protocol GRE will encapsulate
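The encapsulation that "tunnel mode gre ip" produces, as an added example (not code from the Cisco slides): the outer IPv4 header and the 4-byte GRE header are built by hand so the layering outer IP | GRE | original packet is visible, and the receiver checks the outer protocol and GRE protocol type before handing the inner packet on. The inner packet and tunnel endpoints (192.168.3.3 for R1, 192.168.5.5 for R2, as configured above) are constructed sample values.

```python
"""GRE-over-IP encapsulation and decapsulation. Added example, not from the
Cisco slides: builds the outer IPv4 header and the basic GRE header with
struct so the layering (outer IP | GRE | original packet) is visible."""
import socket
import struct

GRE_PROTO = 47            # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IP header (protocol 47) + basic GRE header + the untouched original packet."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no checksum/key/sequence, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre_hdr) + len(inner_packet))
    return outer + gre_hdr + inner_packet


def gre_decapsulate(packet: bytes) -> tuple:
    """Return (tunnel_src, tunnel_dst, inner_packet). Anything that is not plain
    GRE carrying IPv4 is rejected rather than forwarded on trust."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:          # C, K or S bit set: optional fields follow, not handled here
        raise ValueError("GRE optional fields present")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[ihl + 4:]


# Constructed sample: an ICMP-style packet between the two LAN hosts used in the
# chapter, carried through the R1 -> R2 tunnel whose endpoints the slide configures.
INNER_PACKET = ipv4_header("10.0.1.3", "10.0.2.3", 1, 8) + b"\x08\x00" + b"\x00" * 6


def demo() -> dict:
    tunneled = gre_encapsulate(INNER_PACKET, "192.168.3.3", "192.168.5.5")
    src, dst, recovered = gre_decapsulate(tunneled)
    return {"outer_len": len(tunneled), "outer_proto": tunneled[9],
            "outer_checksum_ok": ip_checksum(tunneled[:20]) == 0,
            "tunnel": (src, dst), "inner_matches": recovered == INNER_PACKET}


if __name__ == "__main__":
    print(demo())
```

The inner packet crosses the Internet unchanged inside the GRE payload, which is the point the next slide makes: GRE adds 24 bytes of headers but no encryption, so an observer on the path reads the inner addresses and data as-is.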
-
Using GRE
[Flowchart: Is the user traffic IP only? No: use a GRE tunnel. Yes: is it unicast only? No: use a GRE tunnel. Yes: use an IPsec VPN.]
GRE does not provide encryption
-
IPSec VPN Components and Operation
Introducing IPSec
IPSec Security Protocols
Internet Key Exchange (IKE)
-
Introducing IPSec
IPSec Topology
- IPSec Framework
Confidentiality
Integrity
Authentication
- Pre-Shared Key
- RSA Signature
Secure Key Exchange
-
IPSec Topology
Works at the network layer, protecting and authenticating IP packets.
- It is a framework of open standards which is algorithm-independent.
- It provides data confidentiality, data integrity, and origin authentication.
[Diagram: main site (perimeter router, ASA, legacy concentrator, legacy Cisco PIX firewall) with IPsec tunnels over the Internet/POP to a business partner with a Cisco router, a regional office with a Cisco PIX firewall, a SOHO with a Cisco SDN/DSL router, and a mobile worker with a Cisco VPN Client on a laptop computer.]
-
IPSec Framework
[Diagram: IPsec framework: confidentiality, integrity, authentication and secure key exchange (Diffie-Hellman, DH7).]
-
Confidentiality
Encryption algorithms by key length, least secure to most secure:
- Key length: 56 bits
- Key length: 56 bits (3 times)
- Key length: 160 bits
- Key lengths: 128 bits, 192 bits, 256 bits
-
Integrity
Hash algorithms by key length, least secure to most secure:
- Key length: 128 bits
- Key length: 160 bits
-
Authentication
-
Pre-shared Key (PSK)
At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.
The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.
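The two-direction PSK exchange described above, as an added example that is not part of the original deck. It models hash_I and hash_R as HMAC-SHA1 over the device identity keyed with the PSK, which is a simplification: real IKE mixes the DH result and both nonces into the hash so that it cannot be replayed. The identities (the peer IP addresses) and the key string cisco123 are the constructed values used later in the chapter.

```python
"""Pre-shared-key peer authentication as the slide describes it: each device
runs the PSK and its identity through a keyed hash, sends the result, and the
peer recomputes it with its own copy of the key. Added example, not from the
deck; HMAC-SHA1 keyed with the PSK stands in for the full IKE hash inputs."""
import hashlib
import hmac


def auth_hash(psk: bytes, identity: bytes) -> bytes:
    """hash_I or hash_R: the device identity hashed under the shared key."""
    return hmac.new(psk, identity, hashlib.sha1).digest()


class Peer:
    def __init__(self, identity: str, psk: str):
        self.identity = identity.encode()
        self.psk = psk.encode()

    def prove(self) -> tuple:
        """What this side sends: its identity and the hash over it."""
        return self.identity, auth_hash(self.psk, self.identity)

    def verify(self, remote_identity: bytes, remote_hash: bytes) -> bool:
        """Recompute the peer's hash with our PSK; constant-time compare."""
        expected = auth_hash(self.psk, remote_identity)
        return hmac.compare_digest(expected, remote_hash)


def mutual_authenticate(local: Peer, remote: Peer) -> dict:
    """Local proves first (hash_I), then the remote proves back (hash_R)."""
    ident_i, hash_i = local.prove()
    remote_accepts = remote.verify(ident_i, hash_i)     # remote authenticates local
    ident_r, hash_r = remote.prove()
    local_accepts = local.verify(ident_r, hash_r)       # local authenticates remote
    return {"local_authenticated_by_remote": remote_accepts,
            "remote_authenticated_by_local": local_accepts,
            "established": remote_accepts and local_accepts}


if __name__ == "__main__":
    # Constructed sample: the peers and key string used later in the chapter.
    print(mutual_authenticate(Peer("172.30.1.2", "cisco123"), Peer("172.30.2.2", "cisco123")))
    # One side configured with a different key string: neither direction completes.
    print(mutual_authenticate(Peer("172.30.1.2", "cisco123"), Peer("172.30.2.2", "cisco124")))
```

Because the hash is keyed with the PSK, a peer that holds a different key string cannot produce or verify either hash, which is why the sample configuration later in the chapter stresses that the keystring must be identical on both routers.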
-
RSA Signatures
At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local device's private encryption key creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I.
Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.
-
Secure Key Exchange
[Diagram: IPsec framework with the Diffie-Hellman (DH7) key exchange component highlighted.]
-
IPSec Security Protocols
IPSec Framework Protocols
Authentication Header
ESP
Function of ESP
Mode Types
-
IPSec Framework Protocols
Authentication Header (AH): all data is in plaintext between R1 and R2.
Encapsulating Security Payload (ESP): the data payload is encrypted between R1 and R2.
AH provides the following:
- Authentication
- Integrity
ESP provides the following:
- Encryption
- Authentication
- Integrity
-
Authentication Header
[Diagram: R1 hashes IP header + data + key to produce the authentication data (00ABCDEF) and sends IP HDR | AH | Data across the Internet; R2 hashes IP header + data + key and compares its recomputed hash (00ABCDEF) with the received hash (00ABCDEF).]
1. The IP header and data payload are hashed
2. The hash builds a new AH header which is prepended to the original packet
3. The new packet is transmitted to the IPSec peer router
4. The peer router hashes the IP header and data payload, extracts the transmitted hash and compares
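The four AH steps above carried out on a packet, as an added example that is not code from the slides. It builds an IPv4 packet, computes the integrity check value (ICV) with HMAC-SHA1-96 over the IP header, the AH and the data, inserts the AH between header and data, and verifies on the peer. One detail the diagram's "IP Header + Data + Key" glosses over is shown explicitly: fields that routers legitimately change in transit (TOS, flags, TTL, header checksum) are treated as zero when hashing, otherwise every hop would break the check. The key and packet contents are constructed sample values.

```python
"""Authentication Header integrity check as in the four steps above. Added
example, not from the Cisco slides: HMAC-SHA1-96 ICV over the IP header
(mutable fields zeroed), the AH itself and the payload."""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51
ICV_LEN = 12   # HMAC-SHA1-96 truncates the 20-byte HMAC to 96 bits


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header; checksum left 0 here since AH zeroes it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(ip_hdr: bytes) -> bytes:
    """AH covers the IP header but with TOS, flags/fragment, TTL and checksum zeroed."""
    return (ip_hdr[:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:])


def build_ah_packet(ip_hdr: bytes, data: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Steps 1-2: hash header+AH+data under the key, prepend the AH to the packet."""
    orig_proto = ip_hdr[9]
    new_len = struct.unpack("!H", ip_hdr[2:4])[0] + 24          # AH is 24 bytes with a 12-byte ICV
    new_hdr = (ip_hdr[:2] + struct.pack("!H", new_len) + ip_hdr[4:9]
               + bytes([AH_PROTO]) + ip_hdr[10:])               # IP protocol becomes 51
    # AH: next header, payload length (in 32-bit words minus 2), reserved, SPI, sequence
    ah_no_icv = struct.pack("!BBHII", orig_proto, 4, 0, spi, seq)
    covered = zero_mutable(new_hdr) + ah_no_icv + b"\x00" * ICV_LEN + data
    icv = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return new_hdr + ah_no_icv + icv + data


def verify_ah_packet(packet: bytes, key: bytes) -> bool:
    """Step 4: recompute the ICV over the received packet and compare it."""
    ip_hdr, ah, data = packet[:20], packet[20:44], packet[44:]
    if ip_hdr[9] != AH_PROTO:
        return False
    received_icv = ah[12:24]
    covered = zero_mutable(ip_hdr) + ah[:12] + b"\x00" * ICV_LEN + data
    recomputed = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(received_icv, recomputed)


# Constructed sample: shared key, and an ICMP-style packet between the chapter's two hosts.
KEY = b"constructed-shared-ah-key"
ORIGINAL_HDR = ipv4_header("10.0.1.3", "10.0.2.3", 1, 8)
DATA = b"\x08\x00\x00\x00\x00\x00\x00\x00"


def demo() -> dict:
    pkt = build_ah_packet(ORIGINAL_HDR, DATA, KEY, spi=0x1000, seq=1)
    in_transit = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]           # a router decremented TTL
    tampered = in_transit[:-1] + bytes([in_transit[-1] ^ 0x01])    # one payload bit flipped
    return {"valid": verify_ah_packet(pkt, KEY),
            "after_ttl_decrement": verify_ah_packet(in_transit, KEY),
            "tampered": verify_ah_packet(tampered, KEY),
            "wrong_key": verify_ah_packet(pkt, b"other-key")}


if __name__ == "__main__":
    print(demo())
```

The TTL case is the one to remember when troubleshooting: AH still verifies after a hop decrements TTL, but any device that rewrites an address (NAT) changes a covered field and every AH packet fails the comparison, which is one reason ESP is the usual choice.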
-
ESP
-
Function of ESP
Provides confidentiality with encryption
Provides integrity with authentication
[Diagram: IP HDR | Data leaves a router, crosses the Internet as New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth (the inner IP HDR, Data and ESP Trailer are encrypted; ESP HDR through ESP Trailer is authenticated), and arrives at the peer router as IP HDR | Data.]
-
Mode Types
Original data prior to selection of IPSec protocol mode: IP HDR | Data
Transport Mode: IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth
- Encrypted: Data, ESP Trailer
- Authenticated: ESP HDR, Data, ESP Trailer
Tunnel Mode: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth
- Encrypted: IP HDR, Data, ESP Trailer
- Authenticated: ESP HDR, IP HDR, Data, ESP Trailer
-
Internet Key Exchange (IKE)
Security Associations
IKE Phases
IKE Phase 1
Three Exchanges
IKE Phase 1 Aggressive Mode
IKE Phase 2
-
Security Associations
IPSec parameters are configured using IKE
-
IKE Phases
[Diagram: Host A (10.0.1.3) behind R1, Host B (10.0.2.3) behind R2.]
IKE Phase 1 Exchange
1. Negotiate IKE policy sets
2. DH key exchange
3. Verify the peer identity
IKE Phase 2 Exchange
Negotiate IPsec policy
[Example IKE policy sets: Policy 15: DES, MD5, pre-share, DH1, lifetime; Policy 10: DES, MD5, pre-share, DH1, lifetime]
-
IKE Phase 1 First Exchange
Negotiate IKE Proposals
Negotiates matching IKE policies to protect the IKE exchange
[Diagram: Host A (10.0.1.3) behind R1, Host B (10.0.2.3) behind R2. IKE policy sets: Policy 15: DES, MD5, pre-share, DH1, lifetime; Policy 10: DES, MD5, pre-share, DH1, lifetime; Policy 20: 3DES, SHA, pre-share, DH1, lifetime]
-
IKE Phase 1 Second Exchange
Establish DH Key
A DH exchange is performed to establish keying material.
Alice: private value $X_A$, public value $Y_A = g^{X_A} \bmod p$
Bob: private value $X_B$, public value $Y_B = g^{X_B} \bmod p$
Alice sends $Y_A$ to Bob; Bob sends $Y_B$ to Alice.
$K = (Y_B)^{X_A} \bmod p = (Y_A)^{X_B} \bmod p$
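The exchange above in code, as an added example that is not part of the original slides, using the same symbols (X private, Y = g^X mod p public, K the shared result). The group is a toy one constructed for illustration: p = 2^31 - 1 is prime and 7 is a primitive root modulo p, so the arithmetic is genuine but the modulus is far too small to be secure; the IKE groups 1, 2 and 5 listed later in the chapter use 768-, 1024- and 1536-bit primes. The check on the peer's public value is the one a real implementation must make and the slides do not mention.

```python
"""Diffie-Hellman exchange from IKE Phase 1. Added example, not from the
Cisco slides. Toy group constructed for illustration only: p = 2^31 - 1,
g = 7 (a primitive root mod p). Real IKE groups use 768-bit and larger primes."""
import secrets

P = 2**31 - 1   # toy modulus (constructed); breakable instantly, unlike an IKE group
G = 7           # generator


def public_value(private: int, p: int = P, g: int = G) -> int:
    """Y = g^X mod p, the value each side sends in the clear."""
    return pow(g, private, p)


def is_valid_public(y: int, p: int = P) -> bool:
    """Reject 0, 1 and p-1: with those the shared secret collapses to a tiny set."""
    return 1 < y < p - 1


def shared_secret(my_private: int, peer_public: int, p: int = P) -> int:
    """K = (Y_peer)^X_mine mod p; identical on both sides."""
    if not is_valid_public(peer_public, p):
        raise ValueError("degenerate peer public value")
    return pow(peer_public, my_private, p)


def keypair() -> tuple:
    """Random private value X in [2, p-2] and its public value Y."""
    x = secrets.randbelow(P - 3) + 2
    return x, public_value(x)


def exchange() -> dict:
    """Alice (R1) and Bob (R2) each keep X, swap Y, and derive the same K."""
    x_a, y_a = keypair()
    x_b, y_b = keypair()
    k_a = shared_secret(x_a, y_b)   # Alice: (Y_B)^X_A mod p
    k_b = shared_secret(x_b, y_a)   # Bob:   (Y_A)^X_B mod p
    return {"Y_A": y_a, "Y_B": y_b, "K_alice": k_a, "K_bob": k_b, "agree": k_a == k_b}


if __name__ == "__main__":
    print(exchange())
```

Only Y_A and Y_B cross the network; K is never sent, which is what lets the third exchange (peer authentication) and the Phase 2 SAs derive keys from it. A peer's identity is still unproven at this point, which is exactly why the third exchange exists.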
-
IKE Phase 1 Third Exchange
Authenticate Peer
Peer authentication methods:
- PSKs
- RSA signatures
- RSA encrypted nonces
[Diagram: remote office and corporate office (HR servers) across the Internet, peer authentication.]
A bidirectional IKE SA is now established.
-
IKE Phase 1 Aggressive Mode
[Diagram: Host A (10.0.1.3) behind R1, Host B (10.0.2.3) behind R2.]
IKE Phase 1 Aggressive Mode Exchange
1. Send IKE policy set and R1's DH key
2. Confirm IKE policy set, calculate shared secret and send R2's DH key
3. Calculate shared secret, verify peer identity, and confirm with peer
4. Authenticate peer and begin Phase 2
IKE Phase 2 Exchange
Negotiate IPsec policy
[Example IKE policy sets: Policy 15: DES, MD5, pre-share, DH1, lifetime; Policy 10: DES, MD5, pre-share, DH1, lifetime]
-
IKE Phase 2
Negotiate IPsec Security Parameters
[Diagram: Host A (10.0.1.3) behind R1, Host B (10.0.2.3) behind R2.]
IKE negotiates matching IPsec policies.
Upon completion, unidirectional IPsec Security Associations (SAs) are established for each protocol and algorithm combination.
-
Implementing Site-to-Site IPSec VPNs
Configuring Site-to-Site IPSec VPNs
Task 1 Configure Compatible ACLs
Task 2 Configure IKE
Task 3 Configure the Transform Set
Task 4 Configure the Crypto ACLs
Task 5 Apply the Crypto Map
Verify and Troubleshoot the IPSec Configuration
-
Configuring Site-to-Site IPSec VPN
IPSec VPN Negotiation
Summary of Tasks
-
IPSec VPN Negotiation
[Diagram: Host A (10.0.1.3) behind R1, Host B (10.0.2.3) behind R2; an IKE SA on each router (IKE Phase 1), then an IPsec SA on each router (IKE Phase 2) forming the IPsec tunnel.]
1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session.
3. R1 and R2 negotiate an IKE Phase 2 session.
4. Information is exchanged via IPsec tunnel.
5. The IPsec tunnel is terminated.
-
Summary of Tasks
Tasks to Configure IPsec:
Task 1: Ensure that ACLs are compatible with IPsec.
Task 2: Create ISAKMP (IKE) policy.
Task 3: Configure IPsec transform set.
Task 4: Create a crypto ACL.
Task 5: Create and apply the crypto map.
Task 1
-
Configure Compatible ACLs
Overview
Permitting Traffic
-
Overview
Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec.
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 S0/0/0 172.30.1.2 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 S0/0/0 172.30.2.2, with AH, ESP and IKE traffic crossing the Internet.]
-
R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1(config)#
R1(config)# interface Serial0/0/0
R1(config-if)# ip address 172.30.1.2 255.255.255.0
R1(config-if)# ip access-group 102 in
!
R1(config)# exit
R1#
R1# show access-lists
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1#
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 S0/0/0 172.30.1.2 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 S0/0/0 172.30.2.2, with AH, ESP and IKE traffic crossing the Internet.]
Permitting Traffic
Task 2
-
Configure IKE
Overview
ISAKMP Parameters
Multiple Policies
Policy Negotiations
Crypto ISAKMP Key
Sample Configuration
-
Overview
router(config)#
crypto isakmp policy priority
Defines the parameters within the IKE policy
R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption des
R1(config-isakmp)# group 1
R1(config-isakmp)# hash md5
R1(config-isakmp)# lifetime 86400
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2, tunnel across the Internet. R1 policy 110: DES, MD5, pre-share, DH1, 86400]
-
ISAKMP Parameters
Parameter: keyword(s) / accepted values / default value / description
encryption: des, 3des, aes, aes 192, aes 256 / 56-bit Data Encryption Standard, Triple DES, 128-bit AES, 192-bit AES, 256-bit AES / default: des / Message encryption algorithm
hash: sha, md5 / SHA-1 (HMAC variant), MD5 (HMAC variant) / default: sha / Message integrity (hash) algorithm
authentication: pre-share, rsa-encr, rsa-sig / preshared keys, RSA encrypted nonces, RSA signatures / default: rsa-sig / Peer authentication method
group: 1, 2, 5 / 768-bit Diffie-Hellman (DH), 1024-bit DH, 1536-bit DH / default: 1 / Key exchange parameters (DH group identifier)
lifetime: seconds / can specify any number of seconds / default: 86,400 sec (one day) / ISAKMP-established SA lifetime
-
Multiple Policies
R1(config)#
crypto isakmp policy 100
hash md5
authentication pre-share
!
crypto isakmp policy 200
hash sha
authentication rsa-sig
!
crypto isakmp policy 300
hash md5
authentication rsa-sig
R2(config)#
crypto isakmp policy 100
hash md5
authentication pre-share
!
crypto isakmp policy 200
hash sha
authentication rsa-sig
!
crypto isakmp policy 300
hash md5
authentication pre-share
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 across the Internet.]
-
Policy Negotiations
R1 attempts to establish a VPN tunnel with R2 and sends its IKE policy parameters
R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200
Policy 110: pre-share, 3DES, SHA, DH2, 43200
R2 must have an ISAKMP policy configured with the same parameters.
R2(config)# crypto isakmp policy 100
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2, tunnel across the Internet.]
-
Crypto ISAKMP Key
The peer-address or peer-hostname can be used, but must be used consistently between peers.
If the peer-hostname is used, then the crypto isakmp identity hostname command must also be configured.
router(config)#
crypto isakmp key keystring address peer-address
router(config)#
crypto isakmp key keystring hostname hostname
Parameter / Description
keystring: This parameter specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers.
peer-address: This parameter specifies the IP address of the remote peer.
hostname: This parameter specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com).
-
R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)#
R2(config)# crypto isakmp policy 110
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200
R2(config-isakmp)# exit
R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)#
Note: The keystring cisco123 matches.
The address identity method is specified.
The ISAKMP policies are compatible.
Default values do not have to be configured.
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 across the Internet.]
Sample Configuration
Task 3
-
Configure the Transform Set
Overview
Transform Sets
Sample Configuration
-
router(config)#
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
crypto ipsec transform-set Parameters
Command / Description
transform-set-name: This parameter specifies the name of the transform set to create (or modify).
transform1, transform2, transform3: Type of transform set. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication. These transforms define the IP Security (IPSec) security protocols and algorithms.
A transform set is a combination of IPsec transforms that enact a security policy for traffic.
Overview
-
Transform Sets
Transform sets are negotiated during IKE Phase 2.
[Diagram: Host A (10.0.1.3) behind R1 (172.30.1.2) and Host B (10.0.2.3) behind R2 (172.30.2.2) across the Internet. Each R1 set is compared with each R2 set in turn (attempts 1 to 9).]
R1 transform sets:
- ALPHA: esp-3des, tunnel
- BETA: esp-des, esp-md5-hmac, tunnel
- CHARLIE: esp-3des, esp-sha-hmac, tunnel
R2 transform sets:
- RED: esp-des, tunnel
- BLUE: esp-des, ah-sha-hmac, tunnel
- YELLOW: esp-3des, esp-sha-hmac, tunnel
The 9th attempt found matching transform sets (CHARLIE - YELLOW).
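The matching logic behind both negotiation slides, the IKE Phase 1 policy comparison from Multiple Policies / Policy Negotiations and the Phase 2 transform-set comparison above, as one added example that is not code from the Cisco deck. Entries are tried in priority order and the first agreeing pair wins; counting the comparisons reproduces the "9th attempt" of the transform-set slide (3 local sets x 3 remote sets, CHARLIE against YELLOW last). The ISAKMP lifetime rule follows documented IOS behaviour (the initiator's lifetime must not exceed the responder's, and the shorter one is used); R1 is assumed to be the initiator, the unshown policy fields take the defaults from the ISAKMP parameter table, and the IOS default policy at the lowest priority is left out.

```python
"""Proposal matching for IKE Phase 1 policies and Phase 2 transform sets.
Added example, not from the Cisco slides. Assumes R1 initiates and that
fields the slides leave unset carry the IOS defaults."""


def isakmp_policy(**overrides) -> dict:
    """An IKE policy filled in with the IOS defaults from the ISAKMP parameter table."""
    policy = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
              "group": 1, "lifetime": 86400}
    policy.update(overrides)
    return policy


def match_isakmp_policies(initiator: dict, responder: dict):
    """Return (initiator_priority, responder_priority, agreed_policy) or None.
    Lowest priority number is tried first on both sides."""
    for i_pri, i_pol in sorted(initiator.items()):
        for r_pri, r_pol in sorted(responder.items()):
            same = all(i_pol[k] == r_pol[k]
                       for k in ("encryption", "hash", "authentication", "group"))
            if same and i_pol["lifetime"] <= r_pol["lifetime"]:
                agreed = dict(r_pol, lifetime=min(i_pol["lifetime"], r_pol["lifetime"]))
                return i_pri, r_pri, agreed
    return None


def match_transform_sets(local_sets: list, remote_sets: list) -> tuple:
    """Sets match only when transforms and mode are identical; names are local only.
    Returns (attempts, local_name, remote_name), names None if nothing matched."""
    attempts = 0
    for l_name, l_set in local_sets:
        for r_name, r_set in remote_sets:
            attempts += 1
            if l_set == r_set:
                return attempts, l_name, r_name
    return attempts, None, None


# Policies from the Multiple Policies slide (defaults assumed where not shown).
R1_POLICIES = {100: isakmp_policy(hash="md5", authentication="pre-share"),
               200: isakmp_policy(hash="sha", authentication="rsa-sig"),
               300: isakmp_policy(hash="md5", authentication="rsa-sig")}
R2_POLICIES = {100: isakmp_policy(hash="md5", authentication="pre-share"),
               200: isakmp_policy(hash="sha", authentication="rsa-sig"),
               300: isakmp_policy(hash="md5", authentication="pre-share")}

# Transform sets from the Transform Sets slide: (name, (transforms, mode)).
R1_TRANSFORM_SETS = [("ALPHA", (frozenset({"esp-3des"}), "tunnel")),
                     ("BETA", (frozenset({"esp-des", "esp-md5-hmac"}), "tunnel")),
                     ("CHARLIE", (frozenset({"esp-3des", "esp-sha-hmac"}), "tunnel"))]
R2_TRANSFORM_SETS = [("RED", (frozenset({"esp-des"}), "tunnel")),
                     ("BLUE", (frozenset({"esp-des", "ah-sha-hmac"}), "tunnel")),
                     ("YELLOW", (frozenset({"esp-3des", "esp-sha-hmac"}), "tunnel"))]

if __name__ == "__main__":
    print(match_isakmp_policies(R1_POLICIES, R2_POLICIES))
    print(match_transform_sets(R1_TRANSFORM_SETS, R2_TRANSFORM_SETS))
```

Two practical consequences follow from the ordering: a weak policy placed at a low priority number on either side is the one that gets agreed, so the strongest policy should carry the lowest number; and because priority numbers and set names are local, "Policy 110 on R1 versus Policy 100 on R2" from the Policy Negotiations slide still matches as long as the parameters do.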
Sample Configuration
-
Sample Configuration
[Diagram: Site 1 host A (10.0.1.3) behind R1 (172.30.1.2) and Site 2 host B (10.0.2.3) behind R2 (172.30.2.2) across the Internet.]
R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)# crypto ipsec transform-set MYSET esp-aes 128
R1(cfg-crypto-trans)# exit
R1(config)#
R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)# crypto ipsec transform-set OTHERSET esp-aes 128
R2(cfg-crypto-trans)# exit
Note:
Peers must share the same transform set settings.
Names are only locally significant.
Task 4 Configure the Crypto ACLs
-
Configure the Crypto ACLs
Overview
Command Syntax
Symmetric Crypto ACLs
-
Overview
Outbound indicates the data flow to be protected by IPsec.
Inbound filters and discards traffic that should have been protected by IPsec.
[Diagram: Host A behind R1, Internet. Outbound traffic: permit = encrypt, deny = bypass (plaintext). Inbound traffic: permit = discard (plaintext), deny = bypass.]
-
Command Syntax
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 S0/0/0 172.30.1.2 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 S0/0/0 172.30.2.2 across the Internet.]
router(config)#
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
access-list access-list-number Parameters
Command / Description
permit: This option causes all IP traffic that matches the specified conditions to be protected by cryptography, using the policy described by the corresponding crypto map entry.
deny: This option instructs the router to route traffic in plaintext.
protocol: This option specifies which traffic to protect by cryptography based on the protocol, such as TCP, UDP, or ICMP. If the protocol is IP, then all IP traffic that matches that permit statement is encrypted.
source and destination: If the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, then the traffic between the specified source and destination is sent in plaintext.
-
Symmetric Crypto ACLs
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 S0/0/0 172.30.1.2 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 S0/0/0 172.30.2.2 across the Internet.]
Applied to R1 S0/0/0 outbound traffic:
R1(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
(when evaluating inbound traffic: source 10.0.2.0, destination 10.0.1.0)
Applied to R2 S0/0/0 outbound traffic:
R2(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
(when evaluating inbound traffic: source 10.0.1.0, destination 10.0.2.0)
Task 5 Apply the Crypto Map
-
Apply the Crypto Map
Overview
Crypto Map Command
Crypto Map Configuration Mode Commands
Sample Configuration
Assign the Crypto Map Set
-
Overview
Crypto maps define the following:
- ACL to be used
- Remote VPN peers
- Transform set to be used
- Key management method
- SA lifetimes
[Diagram: Site 1 (10.0.1.3) behind R1 and Site 2 (10.0.2.3) behind R2; encrypted traffic across the Internet; the crypto map is applied to a router interface or subinterface.]
-
Crypto Map Command
router(config)#
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
crypto map Parameters
Command Parameters / Description
map-name: Defines the name assigned to the crypto map set or indicates the name of the crypto map to edit.
seq-num: The number assigned to the crypto map entry.
ipsec-manual: Indicates that ISAKMP will not be used to establish the IPsec SAs.
ipsec-isakmp: Indicates that ISAKMP will be used to establish the IPsec SAs.
cisco: (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic.
dynamic: (Optional) Specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available.
dynamic-map-name: (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.
Crypto Map Configuration Mode Commands
-
Mode Commands
Command / Description
set: Used with the peer, pfs, transform-set, and security-association commands.
peer [hostname | ip-address]: Specifies the allowed IPsec peer by IP address or hostname.
pfs [group1 | group2]: Specifies DH Group 1 or Group 2.
transform-set [set_name(s)]: Specify list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, then only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified.
security-association lifetime: Sets SA lifetime parameters in seconds or kilobytes.
match address [access-list-id | name]: Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP-extended ACL being matched.
no: Used to delete commands entered with the set command.
exit: Exits crypto map configuration mode.
Sample Configuration
-
Sample Configuration
Multiple peers can be specified for redundancy.
R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer 172.30.2.2 default
R1(config-crypto-map)# set peer 172.30.3.2
R1(config-crypto-map)# set pfs group1
R1(config-crypto-map)# set transform-set mine
R1(config-crypto-map)# set security-association lifetime seconds 86400
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1, Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 S0/0/0 172.30.2.2, and a second peer R3 S0/0/0 172.30.3.2, across the Internet.]
-
Assign the Crypto Map Set
router(config-if)#
crypto map map-name
Applies the crypto map to the outgoing interface and activates the IPsec policy
R1(config)# interface serial0/0/0
R1(config-if)# crypto map MYMAP
[Diagram: crypto map MYMAP applied on R1 S0/0/0 172.30.1.2; Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 S0/0/0 172.30.2.2 across the Internet.]
Verify and Troubleshoot the IPSec Configuration
-
CLI Command Summary
show crypto map
show crypto isakmp policy
show crypto ipsec transform-set
show crypto ipsec sa
debug crypto isakmp
-
CLI Commands
show crypto map: Displays configured crypto maps
show crypto isakmp policy: Displays configured IKE policies
show crypto ipsec sa: Displays established IPsec tunnels (security associations)
show crypto ipsec transform-set: Displays configured IPsec transform sets
debug crypto isakmp: Debugs IKE events
debug crypto ipsec: Debugs IPsec events
show crypto map
-
R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 110
            access-list 110 permit ip host 10.0.1.3 host 10.0.2.3
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MYSET, }

show crypto map displays the currently configured crypto maps. Check that the ACL number shown is the one you expect and that the peer address matches the crypto endpoint of the other router.
show crypto isakmp policy
-
show crypto isakmp policy

R1# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   3DES - Triple Data Encryption Standard (168 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  preshared
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

The default protection suite is always present and is offered when none of the configured policies matches. With DES, DH group 1 and RSA-signature authentication it is weak by current standards and depends on certificates the peers in this example do not have, so always configure an explicit policy that both peers share.
show crypto ipsec transform-set
-
show crypto ipsec transform-set
Displays the currently defined transform sets.

R1# show crypto ipsec transform-set
Transform set AES_SHA: { esp-128-aes esp-sha-hmac }
   will negotiate = { Tunnel, },
show crypto ipsec sa
-
show crypto ipsec sa

R1# show crypto ipsec sa
interface: Serial0/0/0
    Crypto map tag: MYMAP, local addr. 172.30.1.2
   local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
   current_peer: 172.30.2.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 8AE1C9C

Equal encaps and decaps counts with zero send and receive errors, as here, indicate a working bidirectional tunnel. If encaps climbs while decaps stays at zero, the return traffic is not being protected by the peer: check its mirror crypto ACL, its route back to the local network, and any filtering of ESP or UDP 500 in the path.
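Reading the counters by eye works for one tunnel; with many entries a small parser is more reliable. The script below is an added example, not part of the course: it parses show crypto ipsec sa output into one record per protected flow and turns the encaps/decaps/error counters into the troubleshooting hints described above. The sample output is constructed for the example, modelled on the slide's listing but altered to show a one-way tunnel (21 packets encapsulated, none decapsulated, 3 send errors); the record field names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the slide's output, with counters changed to a one-way tunnel.
SAMPLE_OUTPUT = """\
interface: Serial0/0/0
    Crypto map tag: MYMAP, local addr. 172.30.1.2
   local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   current_peer: 172.30.2.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 21
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 3, #recv errors 0
     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 8AE1C9C
"""

# IOS prints some counters with a colon ('#pkts encaps: 21') and some without ('#pkts digest 21').
COUNTER_RE = re.compile(r"#(pkts (?:encaps|decaps|encrypt|decrypt|digest|verify)|send errors|recv errors):?\s+(\d+)")
LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \((.+)\)")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \((.+)\)")
PEER_RE = re.compile(r"current_peer:?\s+(\S+)")
SPI_RE = re.compile(r"current outbound spi:\s+(\S+)")


def parse_ipsec_sa(text: str) -> List[Dict]:
    """Split 'show crypto ipsec sa' output into one record per protected flow.
    A new record starts at each 'local ident' line; later lines fill it in."""
    flows: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCAL_RE.match(line)
        if m:
            current = {"local": m.group(1), "counters": {}}
            flows.append(current)
            continue
        if current is None:
            continue                      # interface header lines before the first flow
        m = REMOTE_RE.match(line)
        if m:
            current["remote"] = m.group(1)
        m = PEER_RE.match(line)
        if m:
            current["peer"] = m.group(1).rstrip(",")
        m = SPI_RE.match(line)
        if m:
            current["outbound_spi"] = m.group(1)
        for name, value in COUNTER_RE.findall(line):
            current["counters"][name] = int(value)
    return flows


def diagnose(flow: Dict) -> List[str]:
    """Turn one flow's counters into hints. A healthy tunnel has encaps and
    decaps both climbing and no errors, so it yields an empty list."""
    c = flow["counters"]
    encaps, decaps = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    hints = []
    if encaps == 0 and decaps == 0:
        hints.append("no traffic: nothing matched the crypto ACL on the crypto-mapped interface")
    elif decaps == 0:
        hints.append("one-way: packets are sent but nothing returns; check the peer's mirror ACL, "
                     "its route back, and filtering of ESP or UDP 500 in the path")
    elif encaps == 0:
        hints.append("one-way: packets arrive but none are sent; check local routing and the crypto ACL")
    if c.get("send errors", 0):
        hints.append(f"{c['send errors']} send errors: packets dropped before encryption, "
                     "usually while the SA was not yet established or the peer was unreachable")
    if c.get("recv errors", 0):
        hints.append(f"{c['recv errors']} recv errors: inbound packets failed decryption, "
                     "integrity or anti-replay checks")
    return hints


if __name__ == "__main__":
    for flow in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(f"{flow['local']} -> {flow['remote']} via {flow['peer']}: {diagnose(flow) or 'healthy'}")
```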
debug crypto isakmp
-
debug crypto isakmp

router# debug crypto isakmp

This is an example of the Main Mode error message. The failure of Main Mode suggests that the Phase 1 policy does not match on both sides. Verify that a Phase 1 policy is configured on both peers and ensure that all the attributes (encryption, hash, authentication method and Diffie-Hellman group) match. Debug output is generated for every negotiation attempt, so turn it off with undebug all once the cause is found.

1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2
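The "atts are not acceptable" message only says that no offer matched; it does not say which attribute was wrong. The model below is an added example, not part of the course or of Cisco IOS: it reproduces the responder-side selection that the show crypto isakmp policy and debug crypto isakmp slides describe (the initiator offers all of its policies, the responder walks its own in priority order and takes the first whose encryption, hash, authentication method and DH group all equal an offer) and, when nothing matches, reports the differing attributes. Two assumptions are made for the model: the lifetime is treated as non-blocking with the shorter value negotiated, and the implicit default protection suite is left out so that a failed match is visible. The policies are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    """One 'crypto isakmp policy <priority>' entry; a lower priority number is tried first."""
    priority: int
    encryption: str        # des, 3des, aes, aes 192, aes 256
    hash: str              # md5, sha
    authentication: str    # pre-share, rsa-sig, rsa-encr
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # seconds

    def attributes(self) -> dict:
        """The four attributes that must be identical on both peers for a match."""
        return {"encryption": self.encryption, "hash": self.hash,
                "authentication": self.authentication, "group": self.group}


def by_priority(policies: List[IkePolicy]) -> List[IkePolicy]:
    return sorted(policies, key=lambda p: p.priority)


def negotiate(initiator: List[IkePolicy],
              responder: List[IkePolicy]) -> Optional[Tuple[IkePolicy, int]]:
    """Responder-side selection. Returns (accepted responder policy, negotiated
    lifetime) or None, which corresponds to 'no offers accepted!' in the debug."""
    offers = by_priority(initiator)
    for mine in by_priority(responder):
        for offer in offers:
            if offer.attributes() == mine.attributes():
                # Assumption of this model: lifetime does not block; the shorter value wins.
                return mine, min(mine.lifetime, offer.lifetime)
    return None


def mismatches(initiator: List[IkePolicy], responder: List[IkePolicy]) -> List[str]:
    """For each responder policy, find the closest offer and list the attributes
    that differ; this is the detail the debug output does not give."""
    if not initiator:
        return ["initiator offers no policies"]
    report = []
    for mine in by_priority(responder):
        want = mine.attributes()
        best = min(initiator, key=lambda o: sum(o.attributes()[k] != v for k, v in want.items()))
        diffs = [f"{k}: initiator {best.attributes()[k]} vs responder {v}"
                 for k, v in want.items() if best.attributes()[k] != v]
        report.append(f"responder policy {mine.priority} vs initiator policy {best.priority}: "
                      + (", ".join(diffs) or "match"))
    return report


if __name__ == "__main__":
    # Constructed policies: R1 as on the slide, R2 with an md5 hash by mistake.
    r1 = [IkePolicy(110, "3des", "sha", "pre-share", 2)]
    r2 = [IkePolicy(10, "3des", "md5", "pre-share", 2)]
    result = negotiate(r1, r2)
    print("negotiated:", result if result else "no offers accepted")
    if result is None:
        print("\n".join(mismatches(r1, r2)))
```

The same function shows why a shared policy at a different priority number still works: only the attributes are compared, and priority governs search order on each router independently.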
Implementing Site-to-Site IPSecVPNs Using SDM
-
VPNs Using SDM
Configuring IPSec Using SDM
VPN Wizard-Quick Setup
VPN Wizard-Step-by-Step Setup
Verifying, Monitoring, and Troubleshooting VPNs
Configuring IPSec Using SDM
-
Configuring IPSec Using SDM
Starting a VPN Wizard
VPN Components
Configuring a Site-to-Site VPN
Site-to-Site VPN Wizard
Starting a VPN Wizard
-
Starting a VPN Wizard
Wizards for IPsec solutions include the types of VPNs and the individual IPsec components. The VPN implementation subtypes vary based on the VPN wizard chosen.
1. Click Configure in the main toolbar
2. Click the VPN button to open the VPN page
3. Choose a wizard
4. Click the VPN implementation subtype
5. Click the Launch the Selected Task button
VPN Components
-
VPN Components
Individual IPsec components used to build VPNs:
VPN Wizards
SSL VPN parameters
Easy VPN server parameters
Public key certificateparameters
Encrypt VPN passwords
Configuring a Site-to-Site VPN
-
Configuring a Site-to-Site VPN
1. Choose Configure > VPN > Site-to-Site VPN
2. Click Create a Site-to-Site VPN
3. Click the Launch the Selected Task button
Site-to-Site VPN Wizard
-
Site to Site VPN Wizard
Choose the wizard mode
Click Next to proceed to the configuration of parameters.
VPN Wizard-Quick Setup
-
VPN Wizard Quick Setup
Quick Setup
Verify Parameters
Quick Setup
-
Quick Setup
Configure the parameters:
- Interface to use
- Peer identity information
- Authentication method
- Traffic to encrypt
Verify Parameters
-
VPN Wizard-Step-by-Step Setup
-
Step-by-Step Wizard
Creating a Custom IKE Proposal
Creating a Custom IPSec Transform Set
Protecting Traffic - Subnet to Subnet
Protecting Traffic - Custom ACL
Add a Rule
Configuring a New Rule Entry
Configuration Summary
Step-by-Step Wizard
-
1. Choose the outside interface that is used to connect to the IPsec peer
2. Specify the IP address of the peer
3. Choose the authentication method and specify the credentials
4. Click Next
Creating a Custom IKE Proposal
-
1. Click Add to define a proposal
2. Make the selections to configure the IKE policy and click OK
3. Click Next
Creating a Custom IPSecTransform Set
-
1. Click Add
2. Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation, and optional compression
3. Click Next
Protecting TrafficSubnet to Subnet
-
1. Click Protect All Traffic Between the Following Subnets
2. Define the IP address and subnet mask of the local network
3. Define the IP address and subnet mask of the remote network
Protecting TrafficCustom ACL
-
1. Click the Create/Select an Access-List for IPSec Traffic radio button
2. Click the ellipsis button to choose an existing ACL or create a new one
3. To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option
Add a Rule
-
1. Give the access rule a name and description
2. Click Add
Configuring a New Rule Entry
-
1. Choose an action and enter a description of the rule entry
2. Define the source hosts or networks in the Source Host/Network pane and the destination hosts or networks in the Destination Host/Network pane
3. (Optional) To provide protection for specific protocols only, choose the specific protocol radio button and the desired port numbers
Configuration Summary
-
Click Back to modify the configuration.
Click Finish to complete the configuration.
Verifying, Monitoring, andTroubleshooting VPNs
-
Verify VPN Configuration
Monitor
Verify VPN Configuration
-
Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN to:
- Check VPN status
- Create a mirroring configuration if Cisco SDM is not available on the peer
- Test the VPN configuration
Monitor
-
Choose Monitor > VPN Status > IPSec Tunnels. The page lists all IPsec tunnels, their parameters, and their status.
Implementing A Remote Access VPN
-
The Changing Corporate Landscape
Introduction to Remote Access
SSL VPNs
Cisco Easy VPN
Configure a VPN Server Using SDM
Connect with a VPN Client
The Changing Corporate Landscape
-
Telecommuting
Telecommuting Benefits
Telecommuting Requirements
Telecommuting
-
- Flexibility in working location and working hours
- Employers save on real-estate, utility and other overhead costs
- Succeeds if the program is voluntary, subject to management discretion, and operationally feasible
Telecommuting Benefits
-
Organizational benefits:
- Continuity of operations
- Increased responsiveness
- Secure, reliable, and manageable access to information
- Cost-effective integration of data, voice, video, and applications
- Increased employee productivity, satisfaction, and retention
Social benefits:
- Increased employment opportunities for marginalized groups
- Less travel and commuter-related stress
Environmental benefits:
- Reduced carbon footprints, both for individual workers and organizations
Telecommuting Requirements
-
Introduction to Remote Access
-
Methods for Deploying Remote Access
Comparison of SSL and IPSec
Methods for Deploying Remote Access
-
[Figure: the two remote access methods, IPsec Remote Access VPN and SSL-Based VPN, placed on a chart whose axes are "Any Application" and "Anywhere Access"]
Comparison of SSL and IPSec
-
Applications: SSL - Web-enabled applications, file sharing, e-mail; IPsec - All IP-based applications
Encryption: SSL - Moderate, key lengths from 40 bits to 128 bits; IPsec - Stronger, key lengths from 56 bits to 256 bits
Authentication: SSL - Moderate, one-way or two-way authentication; IPsec - Strong, two-way authentication using shared secrets or digital certificates
Ease of Use: SSL - Very high; IPsec - Moderate, can be challenging to nontechnical users
Overall Security: SSL - Moderate, any device can connect; IPsec - Strong, only specific devices with specific configurations can connect

The key-length and authentication rows describe deployments of the time. Current TLS cipher suites use 128- or 256-bit AES, and client certificates give an SSL VPN two-way authentication as well; the lasting difference is the last row, since a clientless SSL VPN admits any browser while an IPsec client can be restricted to managed devices.
SSL VPNs
-
Overview
Types of Access
Full Tunnel Client Access Mode
Establishing an SSL Session
Design Considerations
Overview
-
Integrated security and routing
Browser-based full network SSL VPN access
[Figure: SSL VPN tunnel from a remote user across the Internet to the headquarters router, giving access to workplace resources]
Types of Access
-
Full Tunnel Client Access Mode
-
Establishing an SSL Session
-
1. The user, using an SSL client, makes a connection to TCP port 443 on the SSL VPN-enabled ISR router
2. The router replies with a digitally signed public key (its certificate)
3. The user software creates a shared-secret key
4. The shared-secret key, encrypted with the public key of the server, is sent to the router
5. Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm

The security of steps 3 and 4 rests on the client verifying the signature on the router's certificate in step 2; a client that accepts any key would send the shared secret to whoever answered on port 443. Later TLS versions instead derive the shared secret from an ephemeral Diffie-Hellman exchange, so that a compromised server key does not expose past sessions.
SSL VPN Design Considerations
-
User connectivity
Router feature
Infrastructure planning
Implementation scope
Cisco Easy VPN
-
Overview
Components
Securing the VPN
Overview
-
Cisco Easy VPN:
- Negotiates tunnel parameters
- Establishes tunnels according to set parameters
- Automatically creates a NAT/PAT and associated ACLs
- Authenticates users by usernames, group names, and passwords
- Manages security keys for encryption and decryption
- Authenticates, encrypts, and decrypts data through the tunnel
Components
-
Securing the VPN
-
1. Initiate IKE Phase 1
2. Establish the ISAKMP SA (Accept Proposal)
3. Username/Password Challenge
4. Username/Password
5. System Parameters Pushed
6. Reverse Route Injection (RRI) adds a static route entry on the router for the remote client's IP address
7. Initiate IKE Phase 2: IPsec SA
Configuring a VPN Server Using SDM
-
Configuring Cisco Easy VPN Server
Configuring IKE Proposals
Creating an IPSec Transform Set
Group Authorization and Group Policy Lookup
Summary of Configuration Parameters
Configuring Cisco Easy VPN Server
-
Configuring IKE Proposals
-
1. Click Add
2. Specify the required parameters
3. Click OK
Creating an IPSec Transform Set
-
Group Authorization and GroupPolicy Lookup
-
1. Select the location where Easy VPN group policies can be stored
2. Click Next
3. Click Add
4. Configure the local group policies
5. Click Next
Summary of ConfigurationParameters
-
Connecting with a VPN Client
-
Overview
Establishing a Connection
VPN Client Overview
-
Establishes end-to-end, encrypted VPN tunnels for secure connectivity
Compatible with all Cisco VPN products
Supports the Cisco Easy VPN capabilities
[Screenshot: Cisco VPN Client connection entry R1 with host R1-vpn-cluster.span.com]
Establishing a Connection
-
[Screenshot: Cisco VPN Client connecting to entry R1, host R1-vpn-cluster.span.com]
Once authenticated, the status changes to Connected.
-