Network Administration - Chapter 8: Implementing virtual private networks
124 pages
Chapter 8 - Implementing Virtual Private Networks
CCNA Security
Major Concepts
• Describe the purpose and operation of VPN types
• Describe the purpose and operation of GRE VPNs
• Describe the components and operations of IPsec VPNs
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using CLI
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using CCP
• Configure and verify a Remote Access VPN
Lesson Objectives
Upon completion of this lesson, the successful participant will
be able to:
1. Describe the purpose and operation of VPNs
2. Differentiate between the various types of VPNs
3. Identify the Cisco VPN product line and the security features of
these products
4. Configure a site-to-site VPN GRE tunnel
5. Describe the IPSec protocol and its basic functions
6. Differentiate between AH and ESP
7. Describe the IKE protocol and modes
8. Describe the five steps of IPSec operation
Lesson Objectives
9. Describe how to prepare IPSec by ensuring that ACLs are
compatible with IPSec
10. Configure IKE policies using the CLI
11. Configure the IPSec transform sets using the CLI
12. Configure the crypto ACLs using the CLI
13. Configure and apply a crypto map using the CLI
14. Describe how to verify and troubleshoot the IPSec configuration
15. Describe how to configure IPSec using CCP
16. Configure a site-to-site VPN using the Quick Setup VPN Wizard
in CCP
17. Configure a site-to-site VPN using the step-by-step VPN Wizard
in CCP
Lesson Objectives
18. Verify, monitor and troubleshoot VPNs using CCP
19. Describe how an increasing number of organizations are
offering telecommuting options to their employees
20. Differentiate between Remote Access IPSec VPN solutions and
SSL VPNs
21. Describe how SSL is used to establish a secure VPN
connection
22. Describe the Cisco Easy VPN feature
23. Configure a VPN Server using SDM
24. Connect a VPN client using the Cisco VPN Client software
Bach Khoa Information Technology Academy - Website: www.bkacad.com
What is a VPN?
Refer to 8.1.1.1
• A VPN is a private network that is created via tunneling
over a public network, usually the Internet.
• Instead of using a dedicated physical connection, a VPN
uses virtual connections routed through the Internet from
the organization to the remote site.
What is a VPN?
• Virtual?
• Private?
What is a VPN?
1. What is the tunnel?
2. Does a VPN always include authentication and encryption?
3. How does a network administrator prevent eavesdropping on data in a VPN?
Benefits of VPN
1. Cost savings:
– VPNs eliminate expensive dedicated WAN links and modem banks.
– Additionally, with the advent of cost-effective, high-bandwidth technologies such as DSL, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
2. Security:
– VPNs use advanced encryption and authentication protocols that protect data from unauthorized access.
3. Scalability:
– VPNs use the Internet infrastructure, so it is easy to add new users; corporations can add significant capacity without adding significant infrastructure.
4. Compatibility with broadband technology:
– DSL, cable, broadband wireless
Layer 3 VPN
Refer to 8.1.1.2
• A VPN can be built at either Layer 2 or Layer 3 of the OSI model. The connectivity established between sites is the same whether it is done at Layer 2 or Layer 3. This chapter focuses on Layer 3 VPN technology.
Layer 3 VPN
[Figure: SOHO with a Cisco DSL router connecting across the Internet through an IPsec VPN]
1. Generic Routing Encapsulation (GRE): point-to-point site connections
2. Multiprotocol Label Switching (MPLS): can establish any-to-any connectivity among many sites
3. IPsec: point-to-point site connections
Types of VPN Networks
1. Site-to-site
2. Remote-access
Site-to-Site VPN
• A site-to-site VPN is created when connection devices on both sides of the VPN connection are aware of the VPN configuration in advance.
• The VPN remains static, and internal hosts have no knowledge that a VPN exists.
• Frame Relay, ATM, GRE, and MPLS VPNs are examples of site-to-site VPNs.
• In a site-to-site VPN, hosts send and receive normal TCP/IP traffic through a VPN gateway, which can be a router, firewall, Cisco VPN Concentrator, or Cisco ASA 5500 Series Adaptive Security Appliance.
• The VPN gateway is responsible for encapsulating and encrypting outbound traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site.
• Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
Remote-Access VPNs
• A remote-access VPN is created when VPN information is not statically set up, but instead allows for dynamically changing information and can be enabled and disabled.
• Remote-access VPNs can support the needs of telecommuters, mobile users, and extranet consumer-to-business traffic.
• Remote-access VPNs support a client/server architecture where a VPN client (remote host) requires secure access to the enterprise network via a VPN server device at the network edge.
VPN Client Software
[Figure: Cisco VPN Client on a remote host connecting to R1 (R1-vpn-cluster.span.com)]
In a remote-access VPN, each host typically has Cisco VPN Client software.
Cisco IOS SSL VPN
Refer to 8.1.2.5
• Provides remote-access connectivity from almost any Internet-enabled host using a web browser and its native Secure Sockets Layer (SSL) encryption.
• Delivers three modes of access:
– Clientless: A remote client needs only an SSL-enabled web browser to access HTTP- or HTTPS-enabled web servers on the corporate LAN.
– Thin client: A remote client must download a small, Java-based applet for secure access to TCP applications that use static port numbers. UDP is not supported in a thin client environment.
– Full client
• SSL VPNs are appropriate for user populations that require per-application or per-server access control, or access from non-enterprise-owned desktops. SSL VPNs are not a complete replacement for IPsec VPNs.
Cisco VPN Product Family
Product Choice | Remote-Access VPN | Site-to-Site VPN
Cisco VPN-Enabled Router | Secondary role | Primary role
Cisco PIX 500 Series Security Appliances | Secondary role | Primary role
Cisco ASA 5500 Series Adaptive Security Appliances | Primary role | Secondary role
Cisco VPN 3000 Series Concentrators | Primary role | Secondary role
Home Routers (SOHO Routers) | Primary role | Secondary role
VPN Solutions
Cisco provides a suite of VPN-optimized routers. Cisco IOS software for routers combines VPN services with routing services. The Cisco VPN software adds strong security using encryption and authentication.
The Cisco IOS feature sets incorporate many VPN features:
– Voice and Video Enabled VPN (V3PN)
– IPsec stateful failover
– Dynamic Multipoint Virtual Private Network (DMVPN)
– IPsec and MPLS integration
– Cisco Easy VPN
VPN Features
• Voice and Video Enabled VPN (V3PN) - Integrates IP telephony, QoS, and IPsec, providing an end-to-end VPN service that helps ensure the timely delivery of latency-sensitive applications such as voice and video.
• IPsec stateful failover - Provides fast and scalable network resiliency for VPN sessions between remote and central sites. With both stateless and stateful failover solutions available, such as Hot Standby Router Protocol (HSRP), IPsec stateful failover ensures maximum uptime of mission-critical applications.
• Dynamic Multipoint Virtual Private Network (DMVPN) - Enables the auto-provisioning of site-to-site IPsec VPNs, combining three Cisco IOS software features: Next Hop Resolution Protocol (NHRP), multipoint GRE, and IPsec VPN. This combination eases the provisioning challenges for customers and provides secure connectivity between all locations.
• IPsec and MPLS integration
– Enables ISPs to map IPsec sessions directly into an MPLS VPN.
– This solution can be deployed on co-located edge routers that are connected to a Cisco IOS software MPLS provider edge (PE) network.
• Cisco Easy VPN
– Simplifies VPN deployment for remote offices and teleworkers.
– The Cisco Easy VPN solution centralizes VPN management across all Cisco VPN devices, thus reducing the management complexity of VPN deployments.
Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco ASA 5500 Series Adaptive Security Appliances offer flexible technologies that deliver tailored solutions to suit remote-access and site-to-site connectivity requirements.
• These appliances provide easy-to-manage IPsec and SSL VPN-based remote-access and network-aware, site-to-site VPN connectivity.
• These are some of the features that Cisco ASA 5500 Series Adaptive Security Appliances provide:
– Flexible platform
– Resilient clustering
– Cisco Easy VPN
– Automatic Cisco VPN Client updates
– Cisco IOS SSL VPN
– VPN infrastructure for contemporary applications
– Integrated web-based management
Cisco ASA 5500 Series Adaptive Security Appliances
• Each Cisco ASA 5500 Series Adaptive Security Appliance supports a number of VPN peers:
– Cisco ASA 5505 - 10 IPsec VPN peers and 25 SSL VPN peers with a Base license, and 25 VPN peers (IPsec or SSL) with the Security Plus license
– Cisco ASA 5510 - 250 VPN peers
– Cisco ASA 5520 - 750 VPN peers
– Cisco ASA 5540 - 5000 IPsec VPN peers and 2500 SSL VPN peers
– Cisco ASA 5550 - 5000 VPN peers
IPsec Clients
Refer to 8.1.3.4
Cisco remote-access VPNs can use four IPsec clients:
• Certicom client: A wireless client that is loaded onto wireless personal digital assistants (PDAs) running the Palm or Microsoft Windows Mobile operating systems.
• Cisco VPN Client software: Loaded on the PC or laptop of an individual, the Cisco VPN Client allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers.
• Cisco Remote Router VPN Client: A Cisco remote router, configured as a VPN client, that connects small office, home office (SOHO) LANs to the VPN.
• Cisco AnyConnect VPN Client: Next-generation VPN client that provides remote users with secure VPN connections to the Cisco 5500 Series Adaptive Security Appliance running Cisco ASA 5500 Series Software Version 8.0 and higher or Cisco ASDM Version 6.0 and higher.
Hardware Acceleration Modules
To enhance performance and offload the encryption task to specialized hardware, the Cisco VPN family of devices offers hardware acceleration modules:
• AIM: Advanced integration modules are installed inside the router chassis and offload encryption tasks from the router CPU.
• Cisco IPsec VPN Shared Port Adapter (SPA): Delivers scalable and cost-effective VPN performance for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers.
• Cisco PIX VPN Accelerator Card+ (VAC+): The PIX Firewall VAC+ delivers hardware acceleration up to 425 Mb/s of DES, 3DES, or AES IPsec encryption throughput.
GRE VPN Overview
Encapsulation with GRE
[Figure: GRE encapsulation of the original IP packet]
Configuring a GRE Tunnel
• Step 1. Create a tunnel interface using the interface tunnel 0 command.
• Step 2. Assign the tunnel an IP address.
• Step 3. Identify the source tunnel interface using the tunnel source command.
• Step 4. Identify the destination of the tunnel using the tunnel destination command.
• Step 5. Configure which protocol GRE will encapsulate using the tunnel mode gre command.
Configuring a GRE Tunnel
Refer to 8.2.1.3
Create a tunnel interface, assign the tunnel an IP address, identify the source tunnel interface, identify the destination of the tunnel, and configure what protocol GRE will encapsulate:
R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 192.168.5.5
R1(config-if)# tunnel mode gre ip
R1(config-if)#
R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 192.168.3.3
R2(config-if)# tunnel mode gre ip
R2(config-if)#
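As an added example (not from the course slides), the following Python builds the kind of GRE-over-IP packet that R1's tunnel interface above produces for "tunnel mode gre ip", using the slide's tunnel endpoints 192.168.3.3 (R1) and 192.168.5.5 (R2), then decapsulates it and checks that the inner payload crosses the wire unencrypted. The inner addresses and application data are constructed.

```python
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number carried in the outer header for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" value for an inner IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words, as used for the IPv4 header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What 'tunnel mode gre ip' does: outer IP header + 4-byte GRE header + unchanged inner packet."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no checksum/key/sequence flags, version 0
    payload = gre_hdr + inner_packet
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(payload)) + payload


def gre_decapsulate(packet: bytes) -> dict:
    """Validate the outer IP and GRE headers and return the addressing plus the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % outer[9])
    flags_ver, inner_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0xB000:  # C, K or S bit set: optional GRE fields this example does not parse
        raise ValueError("GRE checksum/key/sequence fields are not handled here")
    if inner_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected inner protocol type 0x%04x" % inner_type)
    inner = packet[ihl + 4:]
    return {
        "tunnel_src": str(ipaddress.IPv4Address(outer[12:16])),
        "tunnel_dst": str(ipaddress.IPv4Address(outer[16:20])),
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_payload": inner[20:],
    }


def demo() -> dict:
    # Constructed inner packet from a host behind R1 to a host behind R2 (protocol 6 = TCP).
    app_data = b"payroll report Q3"
    inner = ipv4_header("10.0.1.3", "10.0.2.3", 6, len(app_data)) + app_data
    # Tunnel endpoints are the ones configured on the slide: R1 (192.168.3.3) -> R2 (192.168.5.5).
    wire = gre_encapsulate(inner, "192.168.3.3", "192.168.5.5")
    result = gre_decapsulate(wire)
    # GRE only encapsulates; it does not encrypt, so the application bytes are visible in transit.
    result["payload_visible_on_wire"] = app_data in wire
    return result


if __name__ == "__main__":
    print(demo())
```

This is why the GRE tunnel in this chapter is later protected with IPsec: on its own it gives reachability, not confidentiality.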
Using GRE
Refer to 8.2.1.4
IPsec Topology
Refer to 8.3.1
[Figure: IPsec topology. A main site perimeter router connects across the Internet (ISP POP) to a business partner with a Cisco router, a regional office with a Cisco PIX Firewall, a SOHO with a Cisco SDN/DSL router, a mobile worker with a Cisco VPN Client on a laptop computer, and a legacy concentrator; the corporate site sits behind an ASA/PIX firewall]
• IPsec works at the network layer, protecting and authenticating IP packets.
– It is a framework of open standards that is algorithm-independent.
– It provides data confidentiality, data integrity, and origin authentication.
Essential Security of IPsec
1. Confidentiality: IPsec ensures confidentiality by using encryption.
2. Integrity: IPsec ensures that data arrives unchanged at the destination using a hash algorithm such as MD5 or SHA.
3. Authentication: IPsec uses Internet Key Exchange (IKE) to authenticate users and devices that can carry out communication independently. IKE uses several types of authentication, including username and password, one-time password, biometrics, pre-shared keys (PSKs), and digital certificates.
4. Secure key exchange: IPsec uses the DH algorithm to provide a public key exchange method for two peers to establish a shared secret key.
IPsec Framework
Why is IPsec called a framework?
[Figure: IPsec framework diagram (Diffie-Hellman, DH7)]
IPsec Implementation
Confidentiality
Refer to 8.3.1.2
Integrity
• Hashed Message Authentication Code (HMAC) is a data integrity algorithm that guarantees the integrity of the message using a hash value.
Refer to 8.3.1.3
Authentication
Refer to 8.3.1.4
Pre-shared Key (PSK)
[Figure: Diffie-Hellman key exchange (DH7)]
RSA Signatures
Secure Key Exchange
Refer to 8.3.1.5
IPsec Framework Protocols
Authentication Header
[Figure: R1 to R2; all data is in plaintext]
AH provides the following:
– Authentication
– Integrity
Encapsulating Security Payload
[Figure: R1 to R2; the data payload is encrypted]
ESP provides the following:
– Encryption
– Authentication
– Integrity
Authentication Header
Refer to 8.3.2.2
[Figure: R1 hashes IP header + data + key, builds the AH header and sends IP HDR | AH | Data across the Internet; R2 recomputes the hash over IP header + data + key and compares it with the received hash (00ABCDEF)]
1. The IP header and data payload are hashed (00ABCDEF).
2. The hash builds a new AH header, which is prepended to the original packet.
3. The new packet is transmitted to the IPsec peer router.
4. The peer router hashes the IP header and data payload, extracts the transmitted hash, and compares the two (recomputed hash = received hash).
Authentication Header
• If the IP header is included in the hash, can the integrity check still succeed?
The AH function is applied to the entire packet, except for any mutable IP header fields that change in transit. For example, Time to Live (TTL) fields that are modified by the routers along the transmission path are mutable fields.
• AH can have problems if the environment uses NAT. Why?
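Added example (not from the course): an AH-style integrity check value (ICV) computed over the IP header with the mutable fields zeroed, shown surviving a TTL decrement by a router but failing after a NAT device rewrites the source address, which is exactly the NAT problem the slide asks about. The key, addresses and payload are constructed (the SPI and the 172.30.1.2 address are taken from later slides); the ICV is HMAC-SHA1 truncated to 96 bits, as HMAC-SHA1-96 does.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte SHA-1 HMAC to 96 bits
# (offset, length) of the mutable IPv4 header fields that AH zeroes before hashing:
# TOS, flags + fragment offset, TTL, header checksum.
MUTABLE_FIELDS = ((1, 1), (6, 2), (8, 1), (10, 2))


def ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header; the checksum is left zero because AH ignores it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, AH_PROTO, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable(ip_header: bytes) -> bytes:
    """Copy of the header with the fields routers legitimately change set to zero."""
    h = bytearray(ip_header)
    for off, length in MUTABLE_FIELDS:
        h[off:off + length] = b"\x00" * length
    return bytes(h)


def ah_icv(key: bytes, ip_header: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    """ICV over immutable IP header fields + AH header (ICV field zeroed) + payload."""
    covered = zero_mutable(ip_header) + ah_no_icv + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes, spi: int, seq: int) -> bytes:
    # AH header: next header (6 = TCP, constructed), payload length in 32-bit words minus 2,
    # reserved, SPI, sequence number, then the ICV.
    ah_len_words = (12 + ICV_LEN) // 4 - 2
    ah_fixed = struct.pack("!BBHII", 6, ah_len_words, 0, spi, seq)
    ip_header = ipv4_header(src, dst, 20 + 12 + ICV_LEN + len(payload))
    icv = ah_icv(key, ip_header, ah_fixed + b"\x00" * ICV_LEN, payload)
    return ip_header + ah_fixed + icv + payload


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    """What the receiving peer does: recompute the ICV and compare in constant time."""
    ip_header, ah_fixed = packet[:20], packet[20:32]
    received_icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    expected = ah_icv(key, ip_header, ah_fixed + b"\x00" * ICV_LEN, payload)
    return hmac.compare_digest(received_icv, expected)


def forward_through_router(packet: bytes) -> bytes:
    """A router on the path decrements TTL, a mutable field."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def forward_through_nat(packet: bytes, new_src: str) -> bytes:
    """A NAT device rewrites the source address, which AH treats as immutable."""
    p = bytearray(packet)
    p[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(p)


def demo() -> dict:
    key = b"constructed-shared-ah-key"
    payload = b"GET /index.html"
    pkt = build_ah_packet(key, "10.0.1.3", "10.0.2.3", payload, spi=0x19646448, seq=1)
    return {
        "as_sent": verify_ah_packet(key, pkt),
        "after_ttl_decrement": verify_ah_packet(key, forward_through_router(pkt)),
        "after_nat_rewrite": verify_ah_packet(key, forward_through_nat(pkt, "172.30.1.2")),
        "after_payload_tamper": verify_ah_packet(key, pkt[:-1] + b"!"),
    }
```

The NAT case fails for the same reason the tamper case fails: from AH's point of view a rewritten source address is indistinguishable from an attack on the header, which is why ESP (whose ICV does not cover the outer IP header) is the usual choice across NAT.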
ESP
Refer to 8.3.2.3
Function of ESP
[Figure: router to router across the Internet; the original IP HDR | Data is carried as New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth, with the original IP header, data and ESP trailer encrypted, and the ESP header plus the encrypted portion authenticated]
• Provides confidentiality with encryption
• Provides integrity with authentication
Function of ESP
What is used for hashing?
First, the payload is encrypted. Next, the encrypted payload is sent through a hash algorithm, HMAC-MD5 or HMAC-SHA-1.
Anti-replay Protection
• Anti-replay protection verifies that each packet is unique and is not duplicated.
Refer to 8.3.2.3
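Added example (not from the course): the sliding-window check an IPsec SA performs on ESP sequence numbers to provide the anti-replay protection described above, in the RFC 4303 style with a 64-packet window. The captured sequence of numbers is constructed to include reordering, replays and a stale packet; note that the sample "show crypto ipsec sa" output later on this page reports "replay detection support: N", meaning that tunnel does no such check.

```python
class AntiReplayWindow:
    """Sliding-window replay check of the kind an IPsec SA keeps per direction (RFC 4303 style)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0    # bit i set means sequence number (highest - i) was already accepted

    def check(self, seq: int) -> str:
        """Return 'accepted', 'replayed', 'too-old' or 'invalid' and update the window."""
        if seq <= 0:
            return "invalid"                     # ESP sequence numbers start at 1
        if seq > self.highest:                   # newer than anything seen: slide the window right
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                  # everything previously seen falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accepted"
        offset = self.highest - seq              # how far left of the right edge this packet sits
        if offset >= self.size:
            return "too-old"                     # outside the window: cannot tell if it is a replay
        if self.bitmap & (1 << offset):
            return "replayed"                    # already accepted once: drop it
        self.bitmap |= 1 << offset               # late but new: accept and mark it
        return "accepted"


def process(sequence_numbers, window_size: int = 64) -> list:
    """Feed an in-order capture of ESP sequence numbers through one SA's window."""
    win = AntiReplayWindow(window_size)
    return [(seq, win.check(seq)) for seq in sequence_numbers]


# Constructed capture: in-order delivery, one reordered packet, two replays, one packet that
# arrives long after the window has moved on, then a late-but-new packet and its replay.
SAMPLE_SEQUENCE = [1, 2, 3, 5, 4, 3, 2, 70, 5, 200, 150, 150]


def demo() -> list:
    return process(SAMPLE_SEQUENCE)


if __name__ == "__main__":
    for seq, verdict in demo():
        print(seq, verdict)
```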
Mode Types
Refer to 8.3.2.5
Security Associations
• The negotiated parameters between two devices are known as a security association (SA).
• An SA is a basic building block of IPsec. Security associations are maintained within an SA database (SADB), which is established by each device. A VPN has SA entries defining the IPsec encryption parameters as well as SA entries defining the key exchange parameters.
Security Associations
• Security Association Database (SADB)
Router# show crypto ipsec sa
inbound esp sas:
 spi: 0x19646448(426009672)
  transform: esp-des ,
  in use settings ={Tunnel, }
  conn id: 19, flow_id: 19, crypto map: MYMAP
  sa timing: remaining key lifetime (k/sec): (4431954/2604)
  IV size: 8 bytes
  replay detection support: N
  Status: ACTIVE
outbound esp sas:
 spi: 0x7AF99042(2063175746)
  transform: esp-des ,
  in use settings ={Tunnel, }
  conn id: 20, flow_id: 20, crypto map: MYMAP
  sa timing: remaining key lifetime (k/sec): (4431953/2564)
  IV size: 8 bytes
  replay detection support: N
  Status: ACTIVE
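Added example (not from the course): a small parser for the "show crypto ipsec sa" output above that extracts each SA's direction, SPI, transforms, mode, remaining lifetime and replay-detection flag, and then audits it the way a reviewer would. The embedded sample is the slide's output; the sets of weak ciphers and integrity transforms are this example's own choices.

```python
import re

# Constructed sample: the two SAs shown in the slide's "show crypto ipsec sa" output.
SAMPLE_OUTPUT = """\
inbound esp sas:
 spi: 0x19646448(426009672)
  transform: esp-des ,
  in use settings ={Tunnel, }
  conn id: 19, flow_id: 19, crypto map: MYMAP
  sa timing: remaining key lifetime (k/sec): (4431954/2604)
  IV size: 8 bytes
  replay detection support: N
  Status: ACTIVE
outbound esp sas:
 spi: 0x7AF99042(2063175746)
  transform: esp-des ,
  in use settings ={Tunnel, }
  conn id: 20, flow_id: 20, crypto map: MYMAP
  sa timing: remaining key lifetime (k/sec): (4431953/2564)
  IV size: 8 bytes
  replay detection support: N
  Status: ACTIVE
"""

# Transform names as IOS prints them; which ones count as weak is this example's judgement.
WEAK_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
INTEGRITY_TRANSFORMS = {"esp-md5-hmac", "esp-sha-hmac", "esp-sha256-hmac",
                        "ah-md5-hmac", "ah-sha-hmac"}


def parse_sas(text: str) -> list:
    """Split the output into one dict per SA (direction, spi, transforms, mode, lifetime, replay)."""
    sas, direction, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(inbound|outbound) (\w+) sas:", line)
        if m:
            direction = m.group(1)
            continue
        m = re.match(r"spi: 0x([0-9A-Fa-f]+)", line)
        if m:
            current = {"direction": direction, "spi": int(m.group(1), 16), "transforms": []}
            sas.append(current)
            continue
        if current is None:
            continue
        if line.startswith("transform:"):
            tokens = line[len("transform:"):].replace(",", " ").split()
            current["transforms"] = [t for t in tokens if t.startswith(("esp-", "ah-"))]
        elif "in use settings" in line:
            m = re.search(r"=\{([^}]*)\}", line)
            current["mode"] = m.group(1).replace(",", " ").split()[0]
        elif "remaining key lifetime" in line:
            m = re.search(r"\(k/sec\): \((\d+)/(\d+)\)", line)
            current["remaining_kb"], current["remaining_sec"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("replay detection support:"):
            current["replay_detection"] = line.endswith("Y")
        elif line.startswith("Status:"):
            current["status"] = line.split(":", 1)[1].strip()
    return sas


def audit(sa: dict) -> list:
    """Findings a reviewer would raise for one SA; an empty list means nothing was flagged."""
    findings = []
    for t in sa["transforms"]:
        if t in WEAK_CIPHERS:
            findings.append("weak or no encryption transform: %s" % t)
    if not set(sa["transforms"]) & INTEGRITY_TRANSFORMS:
        findings.append("no integrity transform: ESP without authentication")
    if not sa.get("replay_detection", False):
        findings.append("anti-replay disabled")
    return findings


def audit_output(text: str) -> dict:
    """Map 'direction/SPI' to its findings for every SA in the output."""
    return {"%s/0x%08X" % (sa["direction"], sa["spi"]): audit(sa) for sa in parse_sas(text)}


if __name__ == "__main__":
    for name, findings in audit_output(SAMPLE_OUTPUT).items():
        print(name, findings or "ok")
```

On the slide's output every SA gets all three findings: single DES, no HMAC transform, and replay detection off.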
Internet Key Exchange (IKE) Protocol
Refer to 8.3.3.1
• IPsec uses the Internet Key Exchange (IKE) protocol to establish the key exchange process.
• IKE is layered on UDP and uses UDP port 500 to exchange IKE information between the security gateways.
• IKE is a hybrid protocol (ISAKMP, Oakley, SKEME).
Internet Key Exchange (IKE) Protocol
Is ISAKMP the same as IKE?
IKE Phases
Refer to 8.3.3.2
[Figure: Host A (10.0.1.3) - R1 - R2 - Host B (10.0.2.3). R1 proposes IKE Policy 15 (DES, MD5, pre-share, DH1, lifetime); R2 proposes IKE Policy 10 (DES, MD5, pre-share, DH1, lifetime)]
IKE Phase 1 Exchange
1. Negotiate IKE policy sets
2. DH key exchange
3. Verify the peer identity
IKE Phase 2 Exchange
Negotiate IPsec policy
IKE Phase 1 – First Exchange
Negotiate IKE proposals: matching IKE policies are negotiated to protect the IKE exchange.
[Figure: Host A (10.0.1.3) - R1 - R2 - Host B (10.0.2.3). IKE policy sets offered: Policy 15 (DES, MD5, pre-share, DH1, lifetime), Policy 20 (3DES, SHA, pre-share, DH1, lifetime), Policy 10 (DES, MD5, pre-share, DH1, lifetime)]
IKE Phase 1 – Second Exchange
Establish DH Key
A DH exchange is performed to establish keying material.
Alice: private value $X_A$, public value $Y_A = g^{X_A} \bmod p$
Bob: private value $X_B$, public value $Y_B = g^{X_B} \bmod p$
Alice sends $Y_A$ to Bob and Bob sends $Y_B$ to Alice. Each side then computes the same shared key:
$(Y_B)^{X_A} \bmod p = K = (Y_A)^{X_B} \bmod p$
IKE Phase 1 – Third Exchange
Authenticate Peer
[Figure: the remote office peer authenticates across the Internet to the corporate office peer in front of the HR servers]
Peer authentication methods:
• PSKs
• RSA signatures
• RSA encrypted nonces
A bidirectional IKE SA is now established.
IKE Phase 1 – Aggressive Mode
1. First packet - The initiator packages everything needed for the SA negotiation in the first message, including its DH public key.
2. Second packet - The recipient responds with the acceptable parameters, authentication information, and its DH public key.
3. Third packet - The initiator then sends a confirmation that it received that information.
IKE Phase 2
[Figure: Host A (10.0.1.3) - R1 - R2 - Host B (10.0.2.3); R1 and R2 negotiate IPsec security parameters]
IKE Phase 2 performs the following functions:
• Negotiates IPsec security parameters, known as IPsec transform sets
• Establishes IPsec SAs
• Periodically renegotiates IPsec SAs to ensure security
• Optionally performs an additional DH exchange
IPsec VPN Negotiation
[Figure: Host A (10.0.1.3) - R1 - R2 - Host B (10.0.2.3); IKE Phase 1 establishes the IKE SA, IKE Phase 2 establishes the IPsec SAs, and the IPsec tunnel carries the traffic]
1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session.
3. R1 and R2 negotiate an IKE Phase 2 session.
4. Information is exchanged via the IPsec tunnel.
5. The IPsec tunnel is terminated.
Refer to 8.4.1.1
PFS
Perfect forward secrecy (PFS) is a property that states that keys used to protect data are not used to derive any other keys.
PFS ensures that if one key is compromised, previous and subsequent keys remain secure.
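Added example (not from the course) serving both the IKE Phase 1 DH exchange above and the PFS point here: the exchange in the slide's symbols ($X_A$, $Y_A$, $X_B$, $Y_B$, $K$), followed by a comparison of IPsec SA keys derived with PFS (a fresh DH exchange each time) and without it (all derived from one Phase 1 secret). The group is a constructed toy, p = 2^127 - 1 and g = 2, not IKE's DH group 1; the "without PFS" derivation is illustrative, not IKE's exact PRF usage.

```python
import hashlib
import hmac
import secrets

# Toy group (constructed): p is the Mersenne prime 2**127 - 1 and g = 2. This is NOT IKE's
# DH group 1 (a 768-bit MODP prime); the arithmetic is identical, only the size differs.
P = 2**127 - 1
G = 2


def private_value() -> int:
    """X chosen uniformly in [1, p-2]; it never leaves the peer."""
    return secrets.randbelow(P - 2) + 1


def public_value(x: int) -> int:
    """Y = g^X mod p; this is the only value a peer puts on the wire."""
    return pow(G, x, P)


def shared_key(peer_public: int, own_private: int) -> int:
    """K = (Y_peer)^X_own mod p."""
    return pow(peer_public, own_private, P)


def dh_exchange(xa: int = None, xb: int = None) -> dict:
    """One IKE-style DH exchange between Alice and Bob (fixed private values optional, for tests)."""
    xa = private_value() if xa is None else xa
    xb = private_value() if xb is None else xb
    ya, yb = public_value(xa), public_value(xb)      # Y_A and Y_B are exchanged in the clear
    return {"YA": ya, "YB": yb,
            "K_alice": shared_key(yb, xa),           # (Y_B)^X_A mod p
            "K_bob": shared_key(ya, xb)}             # (Y_A)^X_B mod p, the same K


def phase2_keys_with_pfs(count: int) -> list:
    """With PFS every IPsec SA (re)key runs a fresh DH exchange, so the keys are independent:
    learning one of them says nothing about the others."""
    return [dh_exchange()["K_alice"] for _ in range(count)]


def phase2_keys_without_pfs(phase1_secret: bytes, count: int) -> list:
    """Without PFS all IPsec SA keys are functions of the single Phase 1 secret, so whoever
    holds that secret can reproduce every SA key. Illustrative HMAC-SHA1 derivation over an
    SA counter, not IKE's exact PRF construction."""
    return [hmac.new(phase1_secret, b"ipsec-sa-%d" % i, hashlib.sha1).digest()
            for i in range(count)]


if __name__ == "__main__":
    ex = dh_exchange()
    print("both sides agree:", ex["K_alice"] == ex["K_bob"])
    print("PFS keys distinct:", len(set(phase2_keys_with_pfs(3))) == 3)
```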
Internet Key Exchange (IKE) Protocol
What is an alternative to using IKE?
Manual IPsec
Configuring IPsec
Refer to 8.4.2
Tasks to Configure IPsec:
Task 1: Ensure that ACLs are compatible with IPsec.
Task 2: Create ISAKMP (IKE) policy.
Task 3: Configure IPsec transform set.
Task 4: Create a crypto ACL.
Task 5: Create and apply the crypto map.
Task 1: Configure Compatible ACLs
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3, R1 S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, host 10.0.2.3, R2 S0/0/0 172.30.2.2) connected across the Internet; AH, ESP and IKE traffic flows between R1 and R2]
• Ensure that protocol 50 (ESP), protocol 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec.
Permitting Traffic
Task 2: Configure IKE
ISAKMP Parameters
Multiple Policies
Policy Negotiations
Crypto ISAKMP Key
Sample Configuration
Task 3: Configure the Transform Set
Transform Sets
Sample Configuration
Task 4: Configure the Crypto ACLs
Command Syntax
Symmetric Crypto ACLs
Task 5: Apply the Crypto Map
Crypto Map Command
router(config)#
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
crypto map Parameters
map-name: Defines the name assigned to the crypto map set or indicates the name of the crypto map to edit.
seq-num: The number assigned to the crypto map entry.
ipsec-manual: Indicates that ISAKMP will not be used to establish the IPsec SAs.
ipsec-isakmp: Indicates that ISAKMP will be used to establish the IPsec SAs.
cisco: (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic.
dynamic: (Optional) Specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available.
dynamic-map-name: (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.
Crypto Map Configuration-Mode Commands
set: Used with the peer, pfs, transform-set, and security-association commands.
peer [hostname | ip-address]: Specifies the allowed IPsec peer by IP address or hostname.
pfs [group1 | group2]: Specifies DH Group 1 or Group 2.
transform-set [set_name(s)]: Specifies the list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified.
security-association lifetime: Sets SA lifetime parameters in seconds or kilobytes.
match address [access-list-id | name]: Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP extended ACL being matched.
no: Used to delete commands entered with the set command.
exit: Exits crypto map configuration mode.
Sample Configuration
Assign the Crypto Map Set
CLI Commands
show crypto map: Displays configured crypto maps
show crypto isakmp policy: Displays configured IKE policies
show crypto ipsec sa: Displays established IPsec tunnels
show crypto ipsec transform-set: Displays configured IPsec transform sets
debug crypto isakmp: Debugs IKE events
debug crypto ipsec: Debugs IPsec events
show crypto map
show crypto isakmp policy
show crypto ipsec transform-set
show crypto ipsec sa
debug crypto isakmp
Implementing Site-to-Site IPsec VPNs with CCP
Refer to 8.5
Implementing Remote-Access VPNs
Telecommuting
• Flexibility in working location and working hours
• Employers save on real-estate, utility and other overhead costs
• Succeeds if the program is voluntary, subject to management discretion, and operationally feasible
Telecommuting Benefits
• Organizational benefits:
– Continuity of operations
– Increased responsiveness
– Secure, reliable, and manageable access to information
– Cost-effective integration of data, voice, video, and applications
– Increased employee productivity, satisfaction, and retention
• Social benefits:
– Increased employment opportunities for marginalized groups
– Less travel and commuter-related stress
• Environmental benefits:
– Reduced carbon footprints, both for individual workers and organizations
Implementing Remote Access
Refer to 8.6.1.3
Methods for Deploying Remote Access
[Figure: IPsec Remote Access VPN and SSL-Based VPN: any application, anywhere access]
Comparison of SSL and IPsec
Criterion | SSL | IPsec
Applications | Web-enabled applications, file sharing, e-mail | All IP-based applications
Encryption | Moderate: key lengths from 40 bits to 128 bits | Stronger: key lengths from 56 bits to 256 bits
Authentication | Moderate: one-way or two-way authentication | Strong: two-way authentication using shared secrets or digital certificates
Ease of Use | Very high | Moderate: can be challenging to nontechnical users
Overall Security | Moderate: any device can connect | Strong: only specific devices with specific configurations can connect
SSL VPNs
• Integrated security and routing
• Browser-based full network SSL VPN access
[Figure: SSL VPN tunnel from the workplace across the Internet to headquarters resources]
Types of Access
Refer to 8.6.3.2
Full Tunnel Client Access Mode
Refer to 8.6.3.3
Establishing an SSL Session
[Figure: a user with an SSL client connecting to an SSL VPN enabled ISR router]
1. The user makes a connection to TCP port 443.
2. The router replies with a digitally signed public key.
3. The user software creates a shared-secret key.
4. The shared-secret key, encrypted with the public key of the server, is sent to the router.
5. Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm.
SSL VPN Design Considerations
Refer to 8.6.3.5
• User connectivity
• Router feature
• Infrastructure planning
• Implementation scope
Cisco Easy VPN
Refer to 8.6.4
Cisco Easy VPN
1. Negotiates tunnel parameters
2. Establishes tunnels according to set parameters
3. Automatically creates a NAT/PAT and associated ACLs
4. Authenticates users by usernames, group names, and passwords
5. Manages security keys for encryption and decryption
6. Authenticates, encrypts, and decrypts data through the tunnel
Securing the VPN
Refer to 8.6.4.3
1. Initiate IKE Phase 1
2. Establish ISAKMP SA
3. Accept proposal
4. Username/password challenge; the client returns its username/password
5. System parameters pushed
6. Reverse Route Injection (RRI) adds a static route entry on the router for the remote client's IP address
7. Initiate IKE Phase 2: IPsec; the IPsec SA is established
Configuring a VPN Server with CCP
Refer to 8.6.5
VPN Client Overview
Refer to 8.6.6
[Figure: Cisco VPN Client connecting to R1 (R1-vpn-cluster.span.com)]
• Establishes end-to-end, encrypted VPN tunnels for secure connectivity
• Compatible with all Cisco VPN products
• Supports the innovative Cisco Easy VPN capabilities
Establishing a Connection
Summary
• A VPN is a private network that is created via tunneling over a public network, usually the Internet.
• There are site-to-site VPNs and remote-access VPNs.
• VPNs require the use of modern encryption techniques to ensure secure transport of information.
• IPsec is a framework of open standards that establishes the rules for secure communications.
• IPsec relies on existing algorithms to achieve encryption, authentication, and key exchange.
• IPsec can encapsulate a packet using either Authentication Header (AH) or the more secure Encapsulating Security Payload (ESP).
• IPsec uses the Internet Key Exchange (IKE) protocol to establish the key exchange process.
Files attached to this document:
- ccna_security_chapter_8_vpn_495_9496.pdf