Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3
TRANSCRIPT
![Page 1: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/1.jpg)
Implementing Secure Converged Wide Area Networks (ISCW)
Module 3.3
![Page 2: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/2.jpg)
Sample Configuration

Topology: host 10.0.1.3 in Site 1 (10.0.1.0/24) behind R1; host 10.0.2.3 in Site 2 (10.0.2.0/24) behind R2 (S0/0/0 172.30.2.2), with a second peer R3 (S0/0/0 172.30.3.2), all connected across the Internet.

Multiple peers can be specified for redundancy. The peer marked default is tried first; the others are used only when it does not respond.

R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer 172.30.2.2 default
R1(config-crypto-map)# set peer 172.30.3.2
R1(config-crypto-map)# set pfs group1
R1(config-crypto-map)# set transform-set mine
R1(config-crypto-map)# set security-association lifetime seconds 86400

Note that set pfs group1 requests 768-bit Diffie-Hellman for perfect forward secrecy; that group is far too weak for current use, so a production configuration should specify group 14 or higher (the peer must offer the same group or quick mode fails).
![Page 3: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/3.jpg)
Assign the Crypto Map Set

router(config-if)# crypto map map-name
• Applies the crypto map to the outgoing interface
• Activates the IPsec policy

R1(config)# interface serial0/0/0
R1(config-if)# crypto map MYMAP

Only one crypto map set can be applied to an interface; additional peers are added as further entries (sequence numbers) of the same map. The crypto map only takes effect on an interface that actually carries the traffic to the peer.

Topology: R1 (S0/0/0 172.30.1.2) and R2 (S0/0/0 172.30.2.2) across the Internet; 10.0.1.3 in Site 1 (10.0.1.0/24), 10.0.2.3 in Site 2 (10.0.2.0/24).
![Page 4: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/4.jpg)
CLI Commands

| Command | Description |
|---|---|
| show crypto map | Displays configured crypto maps |
| show crypto isakmp policy | Displays configured IKE policies |
| show crypto ipsec sa | Displays established IPsec security associations (tunnels) |
| show crypto ipsec transform-set | Displays configured IPsec transform sets |
| debug crypto isakmp | Debugs IKE events |
| debug crypto ipsec | Debugs IPsec events |
![Page 5: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/5.jpg)
show crypto map

router# show crypto map
Displays the currently configured crypto maps

R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 110
            access-list 110 permit ip host 10.0.1.3 host 10.0.2.3
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MYSET, }

This output is from a router configured without PFS and with a transform set named MYSET, so it differs from the sample configuration shown earlier; the lifetime shown (4608000 KB/3600 s) is the IOS default. Check that the access list printed here is the crypto ACL you intended and that Current peer is the address the peer actually sources IKE from.
![Page 6: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/6.jpg)
show crypto isakmp policy

router# show crypto isakmp policy

R1# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   3DES - Data Encryption Standard (168 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  preshared
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

The default protection suite is present on every IOS router and is listed last. Do not rely on it: 56-bit DES and 768-bit Diffie-Hellman are breakable, and RSA signatures require certificates on both peers. The configured policy 110 (3DES, SHA-1, group 2) was acceptable for this course's era but is also below a current baseline; AES, SHA-2 and group 14 or higher are the minimum today.
![Page 7: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/7.jpg)
show crypto ipsec transform-set

Displays the currently defined transform sets

R1# show crypto ipsec transform-set
Transform set AES_SHA: { esp-128-aes esp-sha-hmac }
   will negotiate = { Tunnel, },
![Page 8: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/8.jpg)
show crypto ipsec sa

R1# show crypto ipsec sa
interface: Serial0/0/0
    Crypto map tag: MYMAP, local addr. 172.30.1.2
   local  ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
   current_peer: 172.30.2.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 8AE1C9C

Equal encaps and decaps counts show a tunnel carrying traffic in both directions. Encaps increasing while decaps stays at zero means the peer never sends anything back (its crypto ACL is not the mirror of ours, or the return path is not reaching it); an outbound SPI of zero means Phase 2 never completed.
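The counters in this output are the first thing to read when a tunnel "is up but nothing works". The Python below is an added example, not course material: it parses the slide's R1 output (reconstructed here as a constructed string, with the flags line spelled as IOS prints it), reports which direction is failing, and derives a one-way failure case from the same text to show the asymmetry a missing mirror ACL on the peer produces. The finding codes and their thresholds are this example's own.

```python
"""Read the counters in 'show crypto ipsec sa' and report which half of the tunnel is broken.

Added example, not course material. SAMPLE_SA is constructed from the R1 output on the
slide (with the 'flags=' line spelled as IOS prints it); make_one_way() derives the
failure case from it.
"""
import re

SAMPLE_SA = """\
R1# show crypto ipsec sa
interface: Serial0/0/0
    Crypto map tag: MYMAP, local addr. 172.30.1.2
   local  ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
   current_peer: 172.30.2.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 8AE1C9C
"""

# field -> (regex with one capture group, type); an absent counter reads as 0
FIELDS = {
    "peer":         (r"current_peer:\s*(\S+)", str),
    "local_ident":  (r"local\s+ident[^:]*:\s*\(([^)]*)\)", str),
    "remote_ident": (r"remote\s+ident[^:]*:\s*\(([^)]*)\)", str),
    "encaps":       (r"#pkts encaps:\s*(\d+)", int),
    "decaps":       (r"#pkts decaps:\s*(\d+)", int),
    "send_errors":  (r"#send errors\s*(\d+)", int),
    "recv_errors":  (r"#recv errors\s*(\d+)", int),
    "outbound_spi": (r"current outbound spi:\s*(?:0x)?([0-9A-Fa-f]+)", str),
}

def parse_ipsec_sa(text):
    """Pick the identities and counters out of one crypto-map entry of the output."""
    sa = {}
    for name, (pattern, cast) in FIELDS.items():
        m = re.search(pattern, text)
        sa[name] = cast(m.group(1)) if m else (0 if cast is int else None)
    return sa

def triage(sa):
    """Finding codes in priority order; an empty list means the SA passes traffic both ways."""
    codes = []
    if sa["outbound_spi"] in (None, "0"):
        codes.append("NO_PHASE2_SA")        # quick mode never completed: transform set or crypto ACL mismatch
    if sa["encaps"] and not sa["decaps"]:
        codes.append("ONE_WAY_OUTBOUND")    # we encrypt, nothing comes back: peer's mirror ACL, route or filter
    if sa["decaps"] and not sa["encaps"]:
        codes.append("ONE_WAY_INBOUND")     # peer sends, our crypto ACL or routing never selects the reply
    if not sa["encaps"] and not sa["decaps"] and "NO_PHASE2_SA" not in codes:
        codes.append("NO_INTERESTING_TRAFFIC")   # SA exists but nothing has matched the crypto ACL yet
    if sa["send_errors"] or sa["recv_errors"]:
        codes.append("ERRORS")              # next step: 'show crypto ipsec sa detail' for the per-cause counters
    return codes

def make_one_way(text):
    """Constructed failure case: the same SA with nothing ever decapsulated."""
    return re.sub(r"#pkts decaps: \d+, #pkts decrypt: \d+",
                  "#pkts decaps: 0, #pkts decrypt: 0", text)

if __name__ == "__main__":
    for label, dump in (("healthy", SAMPLE_SA), ("one-way", make_one_way(SAMPLE_SA))):
        sa = parse_ipsec_sa(dump)
        print(label, sa["peer"], sa["encaps"], sa["decaps"], triage(sa) or ["OK"])
```

Run it against a pasted dump from each side: the side that reports ONE_WAY_OUTBOUND is the side whose traffic is being encrypted and sent, so the problem is on the peer or the path back from it.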
![Page 9: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/9.jpg)
debug crypto isakmp

router# debug crypto isakmp

• This is an example of the Main Mode error message.
• The failure of Main Mode suggests that the Phase 1 policy does not match on both sides.
• Verify that a Phase 1 policy exists on both peers and ensure that all the attributes match: encryption, hash, authentication method and Diffie-Hellman group. Lifetimes do not have to match; the shorter of the two is used.

1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1): no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2

debug crypto isakmp is verbose on a busy router; enable it only while reproducing the problem and turn it off with undebug all afterwards. show crypto isakmp sa shows whether a Phase 1 SA exists at all (state QM_IDLE is the healthy end state).
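The "atts are not acceptable" line means none of the initiator's proposals matched a policy on the responder. The Python below, an added example and not part of the course, parses show crypto isakmp policy output from both peers (R1's is the slide's text from the earlier verification slide, R2's is constructed with a deliberately different suite), reports the first policy pair the two would agree on, and flags attributes that no longer meet a current baseline. The normalisation of IOS's wording, the treatment of the default suite and the weakness thresholds are this example's own choices.

```python
"""Find an IKE Phase 1 policy two peers can agree on, and flag weak attributes.

Added example, not part of the ISCW course material. R1_POLICY is the
'show crypto isakmp policy' text from the slide; R2_POLICY is a constructed peer
configured with a different suite, the situation that produces the Main Mode
failure in the debug output.
"""
import re

R1_POLICY = """\
Protection suite of priority 110
        encryption algorithm:   3DES - Data Encryption Standard (168 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  preshared
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

R2_POLICY = """\
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (256 bit)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

FIELDS = {"encryption algorithm": "encryption", "hash algorithm": "hash",
          "authentication method": "auth", "diffie-hellman group": "group",
          "lifetime": "lifetime"}
DEFAULT_PRIORITY = 65535   # IOS lists the built-in default suite last, at this priority

def _norm(field, value):
    """Map the wording IOS prints (it varies between releases) to one canonical token."""
    v = value.lower()
    bits = re.search(r"(\d+)\s*bit", v)
    if field == "encryption":
        if "aes" in v:
            return f"aes-{bits.group(1)}" if bits else "aes"
        return "3des" if ("3des" in v or "triple" in v) else "des"
    if field == "hash":
        if "md5" in v or "message digest" in v:
            return "md5"
        return f"sha-{bits.group(1)}" if bits else "sha-1"   # plain 'Secure Hash Standard' is SHA-1
    if field == "auth":
        if "pre" in v and "share" in v:
            return "psk"
        return "rsa-sig" if "signature" in v else v
    if field == "group":
        return int(re.search(r"#(\d+)", v).group(1))
    return int(re.search(r"(\d+)\s*seconds", v).group(1))   # lifetime

def parse_policies(text):
    """List of policy dicts in priority order, each with the five normalised attributes."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Protection suite of priority"):
            policies.append({"priority": int(line.split()[-1])})
        elif line.startswith("Default protection suite"):
            policies.append({"priority": DEFAULT_PRIORITY})
        elif ":" in line and policies:
            key, _, value = line.partition(":")
            field = FIELDS.get(key.strip().lower())
            if field:
                policies[-1][field] = _norm(field, value.strip())
    return sorted(policies, key=lambda p: p["priority"])

def find_match(a, b, include_default=False):
    """(priority_a, priority_b) of the first pair agreeing on all four attributes, else None.

    Lifetime is deliberately not compared: differing lifetimes do not reject a
    proposal, the shorter one is used. The default suite matches itself on every
    pair of routers but needs RSA certificates on both, so it is skipped unless asked for.
    """
    keys = ("encryption", "hash", "auth", "group")
    for pa in a:
        if pa["priority"] == DEFAULT_PRIORITY and not include_default:
            continue
        for pb in b:
            if pb["priority"] == DEFAULT_PRIORITY and not include_default:
                continue
            if all(pa.get(k) == pb.get(k) for k in keys):
                return pa["priority"], pb["priority"]
    return None

def weaknesses(policy):
    """Attributes a current baseline rejects: DES/3DES, MD5/SHA-1, DH groups below 2048 bits."""
    w = []
    if policy.get("encryption") in ("des", "3des"):
        w.append(f"encryption {policy['encryption']}")
    if policy.get("hash") in ("md5", "sha-1"):
        w.append(f"hash {policy['hash']}")
    if policy.get("group") in (1, 2, 5):
        w.append(f"DH group {policy['group']}")
    return w

if __name__ == "__main__":
    r1, r2 = parse_policies(R1_POLICY), parse_policies(R2_POLICY)
    print("match:", find_match(r1, r2))
    for p in r1 + r2:
        print(p["priority"], weaknesses(p) or "ok")
```

With the two constructed outputs the only textual match is the default suite on both sides, which is exactly why the debug shows Main Mode failing: the configured policies share nothing, and the default suite cannot authenticate without certificates.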
![Page 10: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/10.jpg)
Starting a VPN Wizard

The VPN page lists wizards for IPsec solutions (the types of VPN) and the individual IPsec components. The VPN implementation subtypes vary based on the VPN wizard chosen.

1. Click Configure in the main toolbar.
2. Click the VPN button to open the VPN page.
3. Choose a wizard.
4. Click the VPN implementation subtype.
5. Click the Launch the Selected Task button.
![Page 11: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/11.jpg)
VPN Components

Individual IPsec components used to build VPNs:
• VPN Wizards
• SSL VPN parameters
• Easy VPN server parameters
• Public key certificate parameters
• Encrypt VPN passwords
![Page 12: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/12.jpg)
Configuring a Site-to-Site VPN

1. Choose Configure > VPN > Site-to-Site VPN.
2. Click Create a Site-to-Site VPN.
3. Click the Launch the Selected Task button.
![Page 13: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/13.jpg)
Site-to-Site VPN Wizard

Choose the wizard mode (Quick Setup or Step-by-Step), then click Next to proceed to the configuration of parameters.
![Page 14: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/14.jpg)
Quick Setup

Configure the parameters:
• Interface to use
• Peer identity information
• Authentication method
• Traffic to encrypt
![Page 15: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/15.jpg)
Verify Parameters
![Page 16: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/16.jpg)
Step-by-Step Wizard

1. Choose the outside interface that is used to connect to the IPsec peer.
2. Specify the IP address of the peer.
3. Choose the authentication method and specify the credentials.
4. Click Next.
![Page 17: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/17.jpg)
Creating a Custom IKE Proposal

1. Click Add to define a proposal.
2. Make the selections to configure the IKE policy and click OK.
3. Click Next.
![Page 18: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/18.jpg)
Creating a Custom IPsec Transform Set

1. Click Add.
2. Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation and optional compression.
3. Click Next.
![Page 19: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/19.jpg)
Protecting Traffic: Subnet to Subnet

1. Click Protect All Traffic Between the Following Subnets.
2. Define the IP address and subnet mask of the local network.
3. Define the IP address and subnet mask of the remote network.
![Page 20: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/20.jpg)
Protecting Traffic: Custom ACL

1. Click the Create/Select an Access-List for IPsec Traffic radio button.
2. Click the ellipsis button to choose an existing ACL or create a new one.
3. To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option.
![Page 21: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/21.jpg)
Add a Rule

1. Give the access rule a name and description.
2. Click Add.
![Page 22: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/22.jpg)
Configuring a New Rule Entry

1. Choose an action and enter a description of the rule entry.
2. Define the source hosts or networks in the Source Host/Network pane and the destination hosts or networks in the Destination Host/Network pane.
3. (Optional) To provide protection for specific protocols only, choose the specific protocol radio button and the desired port numbers.
![Page 23: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/23.jpg)
Configuration Summary

• Click Back to modify the configuration.
• Click Finish to complete the configuration.
![Page 24: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/24.jpg)
Verify VPN Configuration

Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN
• Check VPN status.
• Create a mirroring configuration if no Cisco SDM is available on the peer.
• Test the VPN configuration.

A mirroring configuration is the peer-side counterpart of this router's: the same IKE policy, transform set and pre-shared key, the crypto ACL with source and destination swapped, and set peer pointing back at this router's outside address. If the two crypto ACLs are not exact mirrors, the tunnel can come up for one direction of traffic and fail for the other.
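The Python below is an added example, not Cisco SDM output and not course material: it derives the peer's mirroring configuration from this router's, serving both the crypto map on the Sample Configuration slide and the mirroring step here. R1_CONFIG is constructed around that crypto map; the outside addresses 172.30.1.2 and 172.30.2.2, the pre-shared key cisco123, the transform set contents and the peer's interface name are assumptions made for the example.

```python
"""Derive the peer's mirror-image site-to-site configuration from this router's.

Added example, not part of the ISCW course or Cisco SDM. R1_CONFIG is constructed
around the crypto map on the 'Sample Configuration' slide; the outside addresses,
the pre-shared key 'cisco123', the transform-set contents and the peer's interface
name are assumptions.
"""

R1_CONFIG = """\
crypto isakmp policy 110
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.30.2.2
crypto ipsec transform-set mine esp-aes 256 esp-sha-hmac
access-list 110 permit ip host 10.0.1.3 host 10.0.2.3
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 match address 110
 set peer 172.30.2.2
 set pfs group2
 set transform-set mine
 set security-association lifetime seconds 86400
interface Serial0/0/0
 ip address 172.30.1.2 255.255.255.252
 crypto map MYMAP
"""

PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}   # keyword -> tokens it consumes

def _take_endpoint(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional port test; return (endpoint, rest)."""
    n = 1 if tokens[0] == "any" else 2
    endpoint, rest = tokens[:n], tokens[n:]
    if rest and rest[0] in PORT_OPS:
        k = PORT_OPS[rest[0]]
        endpoint, rest = endpoint + rest[:k], rest[k:]
    return endpoint, rest

def mirror_ace(line):
    """Swap source and destination (each with its port test) in one extended ACE."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    head, rest = tokens[:4], tokens[4:]          # access-list N permit|deny PROTO
    src, rest = _take_endpoint(rest)
    dst, rest = _take_endpoint(rest)
    return " ".join(head + dst + src + rest)     # rest keeps trailing keywords such as 'log'

def mirror_config(config, peer_interface="Serial0/0/0"):
    """Return the peer's configuration: everything copied, except that crypto ACL
    entries are mirrored, 'set peer' and the ISAKMP key address point back at this
    router's outside address, and the interface stanza is rewritten for the peer."""
    lines = config.splitlines()
    peer_ip = next(t.split()[2] for t in lines if t.strip().startswith("set peer"))
    acl_ids = {t.split()[2] for t in lines if t.strip().startswith("match address")}
    map_name = next(t.split()[2] for t in lines if t.startswith("crypto map "))
    # This router's outside address is the one on the interface that carries the crypto map.
    local_ip = mask = addr = None
    for t in lines:
        s = t.split()
        if t.startswith(" ip address") and len(s) >= 4:
            addr = (s[2], s[3])
        elif t.startswith(" crypto map") and addr:
            local_ip, mask = addr
    if local_ip is None:
        raise ValueError("no interface carries both an ip address and the crypto map")
    out, in_interface = [], False
    for t in lines:
        s = t.split()
        if t.startswith("interface "):
            in_interface = True
            out += [f"interface {peer_interface}",
                    f" ip address {peer_ip} {mask}",
                    f" crypto map {map_name}"]
            continue
        if in_interface and t.startswith(" "):
            continue                             # drop this router's own interface sub-commands
        in_interface = False
        if s and s[0] == "access-list" and s[1] in acl_ids:
            out.append(mirror_ace(t))
        elif t.startswith(" set peer"):
            out.append(f" set peer {local_ip}")
        elif s[:3] == ["crypto", "isakmp", "key"] and "address" in s:
            i = s.index("address")
            out.append(" ".join(s[:i + 1] + [local_ip] + s[i + 2:]))
        else:
            out.append(t)
    return "\n".join(out)

if __name__ == "__main__":
    print(mirror_config(R1_CONFIG))
```

Mirroring is an involution: running the generator on its own output returns the original configuration, which is a cheap check that the two sides really are mirror images before anything is pasted into the peer.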
![Page 25: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/25.jpg)
Monitor

Choose Monitor > VPN Status > IPSec Tunnels. This lists all IPsec tunnels, their parameters, and status.
![Page 26: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/26.jpg)
Telecommuting
• Flexibility in working location and working hours
• Employers save on real-estate, utility and other overhead costs
• Succeeds if program is voluntary, subject to management discretion, and operationally feasible
![Page 27: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/27.jpg)
Telecommuting Benefits

• Organizational benefits:
  – Continuity of operations
  – Increased responsiveness
  – Secure, reliable, and manageable access to information
  – Cost-effective integration of data, voice, video, and applications
  – Increased employee productivity, satisfaction, and retention
• Social benefits:
  – Increased employment opportunities for marginalized groups
  – Less travel and commuter-related stress
• Environmental benefits:
  – Reduced carbon footprints, both for individual workers and organizations
![Page 28: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/28.jpg)
Implementing Remote Access
![Page 29: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/29.jpg)
Methods for Deploying Remote Access

• IPsec Remote Access VPN: any application
• SSL-based VPN: anywhere access
![Page 30: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/30.jpg)
Comparison of SSL and IPsec

| | SSL | IPsec |
|---|---|---|
| Applications | Web-enabled applications, file sharing, e-mail | All IP-based applications |
| Encryption | Moderate: key lengths from 40 bits to 128 bits | Stronger: key lengths from 56 bits to 256 bits |
| Authentication | Moderate: one-way or two-way authentication | Strong: two-way authentication using shared secrets or digital certificates |
| Ease of Use | Very high | Moderate: can be challenging to nontechnical users |
| Overall Security | Moderate: any device can connect | Strong: only specific devices with specific configurations can connect |

The key-length figures reflect the SSL implementations of the course's era. Current TLS deployments negotiate 128- or 256-bit AES and are not weaker than IPsec in cipher strength; the real difference that remains is the one in the last row, that a browser-based SSL VPN accepts connections from unmanaged devices unless posture checks are added.
![Page 31: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/31.jpg)
SSL VPNs

• Integrated security and routing
• Browser-based full network SSL VPN access

Diagram: a remote user's SSL VPN tunnel across the Internet to an SSL VPN gateway at headquarters, giving access to workplace resources.
![Page 32: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/32.jpg)
Types of Access
![Page 33: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/33.jpg)
Full Tunnel Client Access Mode
![Page 34: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/34.jpg)
Establishing an SSL Session

A user running an SSL client connects to an SSL VPN enabled ISR router:

1. The user makes a connection to TCP port 443.
2. The router replies with a digitally signed public key (its certificate).
3. The user software creates a shared-secret key.
4. The shared-secret key, encrypted with the public key of the server, is sent to the router.
5. Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm.

This is the RSA key-transport handshake of the SSL/TLS versions of the course's era. Two points matter in practice: the client must validate the router's certificate chain in step 2, or anyone on the path can present their own key and read the session; and TLS 1.3 no longer encrypts a client-chosen secret with the server key at all but derives the session key from an ephemeral Diffie-Hellman exchange, which gives forward secrecy.
![Page 35: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/35.jpg)
SSL VPN Design Considerations

• User connectivity
• Router feature
• Infrastructure planning
• Implementation scope
![Page 36: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/36.jpg)
Cisco Easy VPN

• Negotiates tunnel parameters
• Establishes tunnels according to set parameters
• Automatically creates a NAT/PAT and associated ACLs
• Authenticates users by usernames, group names, and passwords
• Manages security keys for encryption and decryption
• Authenticates, encrypts, and decrypts data through the tunnel
![Page 37: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/37.jpg)
Cisco Easy VPN
![Page 38: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/38.jpg)
Securing the VPN

1. The client initiates IKE Phase 1.
2. The client establishes the ISAKMP SA.
3. The Easy VPN server accepts the proposal.
4. The server issues a username/password challenge (extended authentication, Xauth).
5. The client answers with its username/password.
6. System parameters are pushed to the client (mode configuration).
7. Reverse Route Injection (RRI) adds a static route entry on the router for the remote client's IP address.

IKE Phase 2 then establishes the IPsec SA and the tunnel is up.

The group pre-shared key in step 1 is shared by every client in the group, so it authenticates the group, not the user; the Xauth step is what ties the session to an individual account, and it must not be skipped.
![Page 39: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/39.jpg)
Configuring Cisco Easy VPN Server
![Page 40: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/40.jpg)
Configuring IKE Proposals

1. Click Add.
2. Specify the required parameters.
3. Click OK.
![Page 41: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/41.jpg)
Creating an IPsec Transform Set
![Page 42: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/42.jpg)
Group Authorization and Group Policy Lookup

1. Select the location where Easy VPN group policies can be stored.
2. Click Next.
3. Click Add.
4. Configure the local group policies.
5. Click Next.
![Page 43: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/43.jpg)
Summary of Configuration Parameters
![Page 44: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/44.jpg)
VPN Client Overview

• Establishes end-to-end, encrypted VPN tunnels for secure connectivity
• Compatible with all Cisco VPN products
• Supports the innovative Cisco Easy VPN capabilities

Diagram: the VPN client's connection entry R1, pointing at the host R1-vpn-cluster.span.com.
![Page 45: Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3](https://reader036.vdocument.in/reader036/viewer/2022062314/56649f4a5503460f94c6bba0/html5/thumbnails/45.jpg)
Establishing a Connection

Select the connection entry "R1" (host R1-vpn-cluster.span.com) and connect. Once authenticated, the status changes to connected.