fasttrack-7 - ipsec vpn
TRANSCRIPT
1
IPSec - VPN
2
What is VPN? VPN (Virtual Private Network) :
“Logical connections on public networks.”
Two type VPN Connections:–Layer 2 VPN: Asynchronous transfer mode (ATM) and Frame Relay –Layer 3 VPN: Generic Route Encapsulation (GRE), Layer 2 Tunneling Protocol (L2TP,
Multiprotocol Label Switching (MPLS), and IP Security (IPSec)
3
Applications of IPSec IPSec provides the capability to secure
communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include:
Secure branch office connectivity over the Internet Secure remote access over the Internet
4
Application of IPSec
5
Benefits of IPSec
The benefits of IPSec include: –Strong security that can be applied to all traffic crossing the perimeter.
–Transparent to applications.
–No need to change software on a user or server system
•When IPSec is implemented in a router or firewall
–IPSec can be transparent to end users.
–There is no need to train users on security mechanisms
–IPSec can provide security for individual
6
The Scope of IPSec
IPSec provides three main facilities–An authentication-only function,
•Referred to as Authentication Header (AH)
–A combined authentication/ encryption function
•Called Encapsulating Security Payload (ESP)
–A key exchange function.
•IKE (ISAKMP / Oakley)
7
Basic IPsec Example
Internet10.1.1.0/24
10.1.2.0/24
• IKE Policy (Phase I)crypto isakmp policy 1
authentication pre-shared
hash sha
encryption 3des
crypto isakmp key cisco123isabadkey address 2.2.2.2
crypto isakmp key passwordisiabadkey address 3.3.3.3
1.1.1.1
2.2.2.2
10.1.3.0/243.3.3.3
8
Basic IPsec Example
• IPsec Policy (Phase II) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
Internet10.1.1.0/24
10.1.2.0/241.1.1.1
2.2.2.2
10.1.3.0/243.3.3.3
9
Basic IPsec Example
• IPsec Policy (Phase II) crypto map IPSEC 20 ipsec-isakmp
set peer 2.2.2.2
match address 102
set transform-set ESP-3DES-SHA
crypto map IPSEC 30 ipsec-isakmp
set peer 3.3.3.3
match address 103
set transform-set ESP-3DES-SHA
Internet10.1.1.0/24
10.1.2.0/241.1.1.1
2.2.2.2
10.1.3.0/243.3.3.3
10
Basic IPsec Example
• Apply Crypto Map interface serial 0
crypto map IPSEC
!
ip route 10.0.0.0 255.0.0.0 serial 0
Internet10.1.1.0/24
10.1.2.0/241.1.1.1
2.2.2.2
10.1.3.0/243.3.3.3
11
Frame Relay Communication
12
Terminology The connection through the Frame Relay network between two DTEs
is called a virtual circuit (VC).
Virtual circuits may be established dynamically by sending signaling messages to the network. In this case they are called switched virtual circuits (SVCs).
Virtual circuits can be configured manually through the network. In this case they are called permanent virtual circuits (PVCs).
13
Frame Relay Concepts
14
Frame Relay Operation
15
Frame Relay ConceptsQueue
16
Frame Relay Switches
17
Frame Relay Functions
18
Virtual Circuits
19
Local Significance of DLCIsThe data-link connection identifier (DLCI) is stored in the Address field of every frame transmitted.
20
Star (Hub and Spoke)
Full Mesh
Partial Mesh
Selecting a Frame Relay Topology
21
Local Management Interface (LMI)
Three types of LMIs are supported by Cisco routers:–Cisco — The original LMI extensions –Ansi — Corresponding to the ANSI standard T1.617 Annex D –q933a — Corresponding to the ITU standard Q933 Annex A
22
Configuring Basic Frame Relay
23
Configuring a Static Frame Relay Map
24
Configuring Point-to-Point Subinterfaces
25
The show interface Command
LMI Type
LMI DLCI
LMI Status
26
The show frame-relay lmi Command
27
The show frame-relay pvc Command
28
The show frame-relay map Command
29
Troubleshooting Frame Relay The debug frame-relay lmi Command
PVC Status0x2 – Active0x0 – Inactive0x4 – Deleted
30