Quản trị mạng - Chapter 8: Implementing virtual private networks

Chapter 8- Implementing Virtual Private Networks CCNA Security Major Concepts • Describe the purpose and operation of VPN types • Describe the purpose and operation of GRE VPNs • Describe the components and operations of IPsec VPNs • Configure and verify a site-to-site IPsec VPN with pre- shared key authentication using CLI • Configure and verify a site-to-site IPsec VPN with pre- shared key authentication using CCP • Configure and verify a Remote Access VPN Lesson Objectives Upon completion of this lesson, the successful participant will be able to: 1. Describe the purpose and operation of VPNs 2. Differentiate between the various types of VPNs 3. Identify the Cisco VPN product line and the security features of these products 4. Configure a site-to-site VPN GRE tunnel 5. Describe the IPSec protocol and its basic functions 6. Differentiate between AH and ESP 7. Describe the IKE protocol and modes 8. Describe the five steps of IPSec operation Lesson Objectives 9. Describe how to prepare IPSec by ensuring that ACLs are compatible with IPSec 10. Configure IKE policies using the CLI 11. Configure the IPSec transform sets using the CLI 12. Configure the crypto ACLs using the CLI 13. Configure and apply a crypto map using the CLI 14. Describe how to verify and troubleshoot the IPSec configuration 15. Describe how to configure IPSec using CCP 16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in CCP 17. Configure a site-to-site VPN using the step-by-step VPN Wizard in CCP Lesson Objectives 18. Verify, monitor and troubleshoot VPNs using CCP 19. Describe how an increasing number of organizations are offering telecommuting options to their employees 20. Differentiate between Remote Access IPSec VPN solutions and SSL VPNs 21. Describe how SSL is used to establish a secure VPN connection 22. Describe the Cisco Easy VPN feature 23. Configure a VPN Server using SDM 24. Connect a VPN client using the Cisco VPN Client software Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com What is a VPN? Refer to 8.1.1.1 • A VPN is a private network that is created via tunneling over a public network, usually the Internet. • Instead of using a dedicated physical connection, a VPN uses virtual connections routed through the Internet from the organization to the remote site. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com What is a VPN? • Virtual ? • Private ? Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com What is a VPN? 1. What is the Tunnel ? 2. Does the VPN always include authentication and encryption ? Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com 3. How does a network administrator prevent eavesdropping of data in a VPN? Benefits of VPN 1. Cost savings: – VPNs eliminate expensive dedicated WAN links and modem banks. – Additionally, with the advent of cost-effective, high-bandwidth technologies, such as DSL, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth. 2. Security: – Use advanced encryption and authentication protocols that protect data from unauthorized access. 3. Scalability – VPNs use the Internet infrastructure. So it is easy to add new users, corporations can add significant capacity without adding significant infrastructure 4. Compatibility with broadband technology – DSL, Cable, broadband wireless Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Layer 3 VPN Refer to 8.1.1.2 • VPN can be made at either Layer 2 or Layer 3 of the OSI model. Establishing connectivity between sites over a Layer 2 or Layer 3 is the same. This chapter focuses on Layer 3 VPN technology. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Layer 3 VPN SOHO with a Cisco DSL Router VPN Internet IPSec IPSec 1. Generic routing encapsulation (GRE): point-to-point site connections 2. Multiprotocol Label Switching (MPLS): they can establish any-to-any connectivity to many sites. 3. IPSec: point-to-point site connections Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Types of VPN Networks 1. Site-to-site 2. Remote-Access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Site-to-Site VPN Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Site-to-Site VPN • A site-to-site VPN is created when connection devices on both sides of the VPN connection are aware of the VPN configuration in advance. • The VPN remains static, and internal hosts have no knowledge that a VPN exists. • Frame Relay, ATM, GRE, and MPLS VPNs are examples of site-to-site VPNs. • In a site-to-site VPN, hosts send and receive normal TCP/IP traffic through a VPN gateway, which can be a router, firewall, Cisco VPN Concentrator, or Cisco ASA 5500 Series Adaptive Security Appliance. • The VPN gateway is responsible for encapsulating and encrypting outbound traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. • Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Remote-Access VPNs Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Remote-Access VPNs • A remote-access VPN is created when VPN information is not statically set up, but instead allows for dynamically changing information and can be enabled and disabled. • Remote-access VPNs can support the needs of telecommuters, mobile users, and extranet consumer-to-business traffic. • Remote-access VPNs support a client / server architecture where a VPN client (remote host) requires secure access to the enterprise network via a VPN server device at the network edge. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VPN Client Software R1 R1-vpn-cluster.span.com “R1” In a remote-access VPN, each host typically has Cisco VPN Client software Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco IOS SSL VPN Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Refer to 8.1.2.5 Cisco IOS SSL VPN • Provides remote-access connectivity from almost any Internet-enabled host using a web browser and its native Secure Sockets Layer (SSL) encryption. • Delivers three modes of access: – Clientless: A remote client needs only an SSL-enabled web browser to access HTTP- or HTTPS- enabled web servers on the corporate LAN. – Thin client: A remote client must download a small, Java- based applet for secure access of TCP applications that use static port numbers. UDP is not supported in a thin client environment. – Full Client • SSL VPNs are appropriate for user populations that require per-application or per-server access control, or access from non-enterprise-owned desktops. SSL VPNs are not a complete replacement for IPsec VPNs. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco VPN Product Family Product Choice Remote-Access VPN Site-to-Site VPN Cisco VPN-Enabled Router Secondary role Primary role Cisco PIX 500 Series Security Appliances Secondary role Primary role Cisco ASA 5500 Series Adaptive Security Appliances Primary role Secondary role Cisco VPN 3000 Series Concentrators Primary role Secondary role Home Routers (SOHO Routers) Primary role Secondary role Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VPN Solutions Cisco provides a suite of VPN- optimized routers. Cisco IOS software for routers combines VPN services with routing services. The Cisco VPN software adds strong security using encryption and authentication The Cisco IOS feature sets incorporate many VPN features: – Voice and Video Enabled VPN (V3PN) – Ipsec stateful failover – Dynamic Multipoint Virtual Private Network (DMVPN) – Ipsec and MPLS integration – Cisco Easy VPN Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • Voice and Video Enabled VPN (V3PN) - Integrates IP telephony, QoS, and IPsec, providing an end-to-end VPN service that helps ensure the timely delivery of latency-sensitive applications such as voice and video. • IPsec stateful failover - Provides fast and scalable network resiliency for VPN sessions between remote and central sites. With both stateless and stateful failover solutions available, such as Hot Standby Router Protocol (HSRP), IPsec stateful failover ensures maximum uptime of mission-critical VPN features applications. • Dynamic Multipoint Virtual Private Network (DMVPN) - Enables the auto-provisioning of site-to-site IPsec VPNs, combining three Cisco IOS software features: Next Hop Resolution Protocol (NHRP), multipoint GRE, and IPsec VPN. This combination eases the provisioning challenges for customers and provides secure connectivity between all locations. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • IPsec and MPLS integration – Enables ISPs to map IPsec sessions directly into an MPLS VPN. – This solution can be deployed on co-located edge routers that are connected to a Cisco IOS software MPLS provider edge (PE) network. • Cisco Easy VPN – Simplifies VPN deployment for remote offices and teleworkers. – The Cisco Easy VPN solution centralizes VPN management across all Cisco VPN devices, thus reducing the management complexity of VPN VPN features deployments. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco ASA 5500 Series Adaptive Security Appliances • Cisco ASA 5500 Series Adaptive Security Appliances offer flexible technologies that deliver tailored solutions to suit remote-access and site-to-site connectivity requirements. • These appliances provide easy-to- manage IPsec and SSL VPN-based remote-access and network-aware, site-to-site VPN connectivity • These are some of the features that Cisco ASA 5500 Series Adaptive Security Appliances provide: – Flexible platform – Resilient clustering – Cisco Easy VPN – Automatic Cisco VPN Client updates – Cisco IOS SSL VPN – VPN infrastructure for contemporary applications – Integrated web-based management Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco ASA 5500 Series Adaptive Security Appliances • Each Cisco ASA 5500 Series Adaptive Security Appliance supports a number of VPN peers: – Cisco ASA 5505 - 10 IPsec VPN peers and 25 SSL VPN peers, with a Base license, and 25 VPN peers (IPsec or SSL) with the Security Plus license – Cisco ASA 5510 - 250 VPN peers – Cisco ASA 5520 - 750 VPN peers – Cisco ASA 5540 - 5000 IPsec VPN peers and 2500 SSL VPN peers – Cisco ASA 5550 - 5000 VPN peers Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com IPSec Clients Refer to 8.1.3.4 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com IPSec Clients Cisco remote-access VPNs can use four IPsec clients: • Certicom client: A wireless client that is loaded on to wireless personal digital assistants (PDAs) running the Palm or Microsoft Windows Mobile operating systems. • Cisco VPN Client software: Loaded on the PC or laptop of an individual, the Cisco VPN Client allows organizations to establish end-to- end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers. • Cisco Remote Router VPN Client : A Cisco remote router, configured as a VPN client, that connects small office, home office (SOHO) LANs to the VPN. • Cisco AnyConnect VPN Client : Next-generation VPN client that provides remote users with secure VPN connections to the Cisco 5500 Series Adaptive Security Appliance running Cisco ASA 5500 Series Software Version 8.0 and higher or Cisco ASDM Version 6.0 and higher. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Hardware Acceleration Modules To enhance performance and offload the encryption task to specialized hardware, the Cisco VPN family of devices offers hardware acceleration modules: • AIM: Advanced integration modules are installed inside the router chassis and offload encryption tasks from the router CPU. Cisco IPsec VPN SPA • Cisco IPSec VPN Shared Port Adapter (SPA): Delivers scalable and cost-effective VPN performance for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers. • Cisco PIX VPN Accelerator Card+ (VAC+): The PIX Firewall VAC+ delivers hardware acceleration up to 425 Mb/s of DES, 3DES, or AES IPsec encryption throughput. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com GRE VPN Overview Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Encapsulation with GRE Original IP Packet Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • Step 1. Creating a tunnel interface using the interface tunnel 0 command. • Step 2. Assigning the tunnel an IP address. • Step 3. Identifying the source tunnel interface using the tunnel source command. Configuring a GRE Tunnel • Step 4. Identifying the destination of the tunnel using the tunnel destination command. • Step 5. Configuring which protocol GRE will encapsulate using the tunnel mode gre command. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring a GRE Tunnel Create a tunnel interface Assign the tunnel an IP address R1(config)# interface tunnel 0 R1(config–if)# ip address 10.1.1.1 255.255.255.252 R1(config–if)# tunnel source serial 0/0 R1(config–if)# tunnel destination 192.168.5.5 R1(config–if)# tunnel mode gre ip R1(config–if)# R2(config)# interface tunnel 0 R2(config–if)# ip address 10.1.1.2 255.255.255.252 R2(config–if)# tunnel source serial 0/0 R2(config–if)# tunnel destination 192.168.3.3 R2(config–if)# tunnel mode gre ip R2(config–if)# Identify the source tunnel interface Identify the destination of the tunnel Configure what protocol GRE will encapsulate Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Refer to 8.2.1.3 Configuring a GRE Tunnel R1(config)# interface tunnel 0 R1(config–if)# ip address 10.1.1.1 255.255.255.252 R1(config–if)# tunnel source serial 0/0 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com R1(config–if)# tunnel destination 192.168.5.5 R1(config–if)# tunnel mode gre ip R1(config–if)# Using GRE Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Refer to 8.2.1.4 IPSec Topology Business Partner with a Cisco Router Legacy Concentrator Main Site Perimeter Router Legacy Cisco IPsec POP Refer to 8.3.1 • Works at the network layer, protecting and authenticating IP packets. – It is a framework of open standards which is algorithm-independent. – It provides security: data confidentiality, data integrity, and origin authentication. Regional Office with a Cisco PIX Firewall SOHO with a Cisco SDN/DSL Router Mobile Worker with a Cisco VPN Client on a Laptop Computer ASA PIX Firewall Corporate Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Essential security of IPsec 1. Confidentiality: IPsec ensures confidentiality by using encryption. 2. Integrity: IPsec ensures that data arrives unchanged at the destination using a hash algorithm such as MD5 or SHA. 3. Authentication: IPsec uses Internet Key Exchange (IKE) to authenticate users and devices that can carry out communication independently. IKE uses several types of authentication, including username and password, one-time password, biometrics, pre-shared keys (PSKs), and digital certificates. 4. Secure key exchange: IPsec uses the DH algorithm to provide a public key exchange method for two peers to establish a shared secret key. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com IPSec Framework Why is IPSec called a framework ? Diffie-Hellman DH7 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com IPSec Implementation Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Confidentiality Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Refer to 8.3.1.2 Integrity Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Integrity • Hashed Message Authentication Codes (HMAC) is a data integrity algorithm that guarantees the integrity of the message using a hash value. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Integrity Refer to 8.3.1.3 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Authentication Refer to 8.3.1.4 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Pre-shared Key (PSK) DH7Diffie-Hellman Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com RSA Signatures Secure Key Exchange Refer to 8.3.1.5 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com IPSec Framework Protocols All data is in plaintext.R1 R2 Authentication Header AH provides the following:
Authentication
Integrity Data payload is encrypted.R1 R2 Encapsulating Security Payload ESP provides the following:
Encryption
Authentication
Integrity Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Authentication Header Refer to 8.3.2.2 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Authentication Header Authentication Data IP Header + Data + Key R2 Hash IP Header + Data + Key DataAHIP HDR 1. The IP Header and data payload are hashed (00ABCDEF) R1 Recomputed Hash (00ABCDEF) Hash Received Hash (00ABCDEF) = DataAHIP HDR Internet 2. The hash builds a new AH header which is prepended to the original packet 3. The new packet is transmitted to the IPSec peer router 4. The peer router hashes the IP header and data payload, extracts the transmitted hash and compares Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Authentication Header • If the IP header is hashed, does that ensure to check the integrity ? Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com The AH function is applied to the entire packet, except for any mutable IP header fields that change in transit. For example, Time to Live (TTL) fields that are modified by the routers along the transmission path are mutable fields. Authentication Header •AH can have problems if the environment uses NAT. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Why ? ESP Refer to 8.3.2.3 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Function of ESP Router Router IP HDR Data IP HDR Data Internet ESP Trailer ESP Auth • Provides confidentiality with encryption • Provides integrity with authentication ESP HDRNew IP HDR IP HDR Data Authenticated Encrypted Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Function of ESP What is used for hashing ? Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com First, the payload is encrypted. Next, the encrypted payload is sent through a hash algorithm, HMAC-MD5 or HMAC- SHA-1. Anti-replay Protection • Anti-replay protection verifies that each packet is unique and is not duplicated Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Refer to 8.3.2.3 Mode Types Refer to 8.3.2.5 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Mode Types Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Security Associations • The negotiated parameters between two devices are known as a security association (SA). • An SA is a basic building block of IPsec. Security associations are maintained within a SA database (SADB), which is established by each device. A VPN has SA entries defining the IPsec encryption parameters as well as SA entries defining the key exchange parameters. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Security Associations • Security Association Database (SADB) Router# show crypto ipsec sa inbound esp sas: spi: 0x19646448(426009672) transform: esp-des , in use settings ={Tunnel, } conn id: 19, flow_id: 19, crypto map: MYMAP sa timing: remaining key lifetime (k/sec): (4431954/2604) IV size: 8 bytes 59 replay detection support: N Status: ACTIVE outbound esp sas: spi: 0x7AF99042(2063175746) transform: esp-des , in use settings ={Tunnel, } conn id: 20, flow_id: 20, crypto map: MYMAP sa timing: remaining key lifetime (k/sec): (4431953/2564) IV size: 8 bytes replay detection support: N Status: ACTIVE Internet Key Exchange (IKE) Protocol • IPsec uses the Internet Key Exchange (IKE) protocol to establish the key exchange process. • IKE is layered on UDP and uses UDP port 500 Refer to 8.3.3.1 to exchange IKE information between the security gateways. • IKE is a hybrid protocol (ISAKMP, Oakley, Skeme) Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Internet Key Exchange (IKE) Protocol Is ISAKMP the same as IKE ? Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Host A Host BR1 R2 10.0.1.3 10.0.2.3 IKE Phase 1 Exchange 1. Negotiate IKE policy sets IKE Phases Policy 15 DES MD5 Policy 10 DES MD5 1. Negotiate IKE policy sets Refer to 8.3.3.2 2. DH key exchange 3. Verify the peer identity IKE Phase 2 Exchange Negotiate IPsec policy Negotiate IPsec policy pre-share DH1 lifetime pre-share DH1 lifetime 2. DH key exchange 3. Verify the peer identity Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Policy 15 DES MD5 Policy 10 DES MD5 IKE Policy Sets Negotiate IKE Proposals Host A Host B R1 R2 10.0.1.3 10.0.2.3 IKE Phase 1 – First Exchange Negotiates matching IKE policies to protect IKE exchange pre-share DH1 lifetime pre-share DH1 lifetimePolicy 20 3DES SHA pre-share DH1 lifetime Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com IKE Phase 1 – Second Exchange Private value, XA Public value, YA Private value, XB Public value, YB Alice Bob YA YB = g mod pXBYA = g mod pXA Establish DH Key (YB ) mod p = K (YA ) mod p = K XBXA YB A DH exchange is performed to establish keying material. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com IKE Phase 1 – Third Exchange HR Servers Remote Office Corporate Office Internet Peer Authenticate Peer Peer authentication methods • PSKs • RSA signatures • RSA encrypted nonces Authentication A bidirectional IKE SA is now established. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com IKE Phase 1 – Aggressive Mode Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com 1. First packet - The initiator packages everything needed for the SA negotiation in the first message, including its DH public key. 2. Second packet - The recipient responds with the acceptable parameters, authentication IKE Phase 1 – Aggressive Mode information, and its DH public key. 3. Third packet - The initiator then sends a confirmation that it received that information. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Negotiate IPsec Security Parameters Host A Host BR1 R2 10.0.1.3 10.0.2.3 IKE Phase 2 IKE Phase 2 performs the following functions: • Negotiates IPsec security parameters, known as IPsec transform sets • Establishes IPsec SAs • Periodically renegotiates IPsec SAs to ensure security • Optionally performs an additional DH exchange Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com IKE Phase 1IKE SA IKE SA 1. Host A sends interesting traffic to Host B. 2. R1 and R2 negotiate an IKE Phase 1 session. R1 R2 10.0.2.310.0.1.3 IPSec VPN Negotiation IKE Phase 2 IPsec SAIPsec SA 3. R1 and R2 negotiate an IKE Phase 2 session. 4. Information is exchanged via IPsec tunnel. 5. The IPsec tunnel is terminated. IPsec Tunnel Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Refer to 8.4.1.1 PFS Perfect forward secrecy (PFS) is a property that states that keys used to protect data are not used to derive any other keys. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com PFS ensures that if one key is compromised, previous and subsequent keys remain secure. Internet Key Exchange (IKE) Protocol What is an alternative to using IKE ? Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Manual IPSec Manual IPSec 72 Configuring IPsec Task 1: Ensure that ACLs are compatible with IPsec. Task 2: Create ISAKMP (IKE) policy. Tasks to Configure IPsec: Refer to 8.4.2 Task 3: Configure IPsec transform set. Task 4: Create a crypto ACL. Task 5: Create and apply the crypto map. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Task 1: Configure Compatible ACLs AH ESP IKE Site 1 Site 2 10.0.1.3 10.0.2.3R1 R2 Internet 10.0.1.0/24 10.0.2.0/24 • Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec. S0/0/0 172.30.1.2 S0/0/0 172.30.2.2 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Permitting Traffic Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Task 2: Configure IKE Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com ISAKMP Parameters Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Multiple Policies Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Policy Negotiations Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Crypto ISAKMP Key Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Sample Configuration Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Task 3: Configure the Transform Set Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Task 3: Configure the Transform Set Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Transform Sets Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Sample Configuration Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Task 4: Configure the Crypto ACLs Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Command Syntax Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Symmetric Crypto ACLs Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Task 5: Apply the Crypto Map Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com crypto map map-name seq-num ipsec-manual crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name] router(config)# crypto map Parameters Command Parameters Description Defines the name assigned to the crypto map set or indicates the name of the crypto Crypto Map Command map-name map to edit. seq-num The number assigned to the crypto map entry. ipsec-manual Indicates that ISAKMP will not be used to establish the IPsec SAs. ipsec-isakmp Indicates that ISAKMP will be used to establish the IPsec SAs. cisco (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic. dynamic (Optional) Specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available. dynamic-map-name (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Crypto Map Configuration- Mode Commands Command Description set Used with the peer, pfs, transform-set, and security-association commands. peer [hostname | ip- address] Specifies the allowed IPsec peer by IP address or hostname. pfs [group1 | group2] Specifies DH Group 1 or Group 2. Specify list of transform sets in priority order. When the ipsec-manual transform-set [set_name(s)] parameter is used with the crypto map command, then only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified. security-association lifetime Sets SA lifetime parameters in seconds or kilobytes. match address [access- list-id | name] Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP-extended ACL being matched. no Used to delete commands entered with the set command. exit Exits crypto map configuration mode. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Sample Configuration Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Assign the Crypto Map Set Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com CLI Commands Show Command Description show crypto map Displays configured crypto maps show crypto isakmp policy Displays configured IKE policies show crypto ipsec sa Displays established IPsec tunnels show crypto ipsec transform-set Displays configured IPsec transform sets debug crypto isakmp Debugs IKE events debug crypto ipsec Debugs IPsec events Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com show crypto map Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com show crypto isakmp policy Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com show crypto ipsec transform-set Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com show crypto ipsec sa Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com debug crypto isakmp Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Implementing Site-to-Site Ipsec VPNs with CCP Refer to 8.5 Implementing Remote-Access VPNs Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Telecommuting • Flexibility in working location and working hours • Employers save on real- estate, utility and other overhead costs • Succeeds if program is voluntary, subject to management discretion, and operationally feasible Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Telecommuting Benefits • Organizational benefits: – Continuity of operations – Increased responsiveness – Secure, reliable, and manageable access to information – Cost-effective integration of data, voice, video, and applications – Increased employee productivity, satisfaction, and retention • Social benefits: – Increased employment opportunities for marginalized groups – Less travel and commuter related stress • Environmental benefits: – Reduced carbon footprints, both for individual workers and organizations Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Implementing Remote Access Refer to 8.6.1.3 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Methods for Deploying Remote Access IPsec Remote Access VPN SSL-Based VPN Any Application Anywhere Access Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Comparison of SSL and IPSec SSL IPsec Applications Web-enabled applications, file sharing, e-mail All IP-based applications Encryption ModerateKey lengths from 40 bits to 128 bits Stronger Key lengths from 56 bits to 256 bits Authentication ModerateOne-way or two-way authentication Strong Two-way authentication using shared secrets or digital certificates Ease of Use Very high ModerateCan be challenging to nontechnical users Overall Security ModerateAny device can connect Strong Only specific devices with specific configurations can connect Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com SSL VPNs • Integrated security and routing • Browser-based full network SSL VPN access SSL VPN Headquarters Internet Workplace Resources SSL VPN Tunnel Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Types of Access Refer to 8.6.3.2 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Full Tunnel Client Access Mode Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Refer to 8.6.3.3 User using SSL client Establishing an SSL Session User makes a connection to TCP port 443 Router replies with a digitally signed public key User software creates a 1 2 3 SSL VPN enabled ISR router Shared-secret key, encrypted with public key of the server, is sent to the router Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm shared-secret key 4 5 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com SSL VPN Design Considerations • User connectivity • Router feature • Infrastructure planning • Implementation scope Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Refer to 8.6.3.5 Cisco Easy VPN Refer to 8.6.4 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco Easy VPN 1. Negotiates tunnel parameters 2. Establishes tunnels according to set parameters 3. Automatically creates a NAT / PAT and associated ACLs 4. Authenticates users by usernames, group names, and passwords 5. Manages security keys for encryption and decryption 6. Authenticates, encrypts, and decrypts data through the tunnel Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Cisco Easy VPN Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Securing the VPN Initiate IKE Phase 1 Establish ISAKMP SA Accept Proposal1 Username/Password Challenge 1 2 3 4 Refer to 8.6.4.3 Username/Password System Parameters Pushed Reverse Router Injection (RRI) adds a static route entry on the router for the remote clients IP address Initiate IKE Phase 2: IPsec IPsec SA 5 6 7 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring a VPN Server with CCP Refer to 8.6.5 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com VPN Client Overview R1 R1-vpn-cluster.span.com R1 R1-vpn-cluster.span.com Refer to 8.6.6 • Establishes end-to-end, encrypted VPN tunnels for secure connectivity • Compatible with all Cisco VPN products • Supports the innovative Cisco Easy VPN capabilities Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Establishing a Connection Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary • A VPN is a private network that is created via tunneling over a public network, usually the Internet. • There are site-to-site VPNs and remote access VPNs. • VPNs require the use of modern encryption techniques to ensure secure transport of information. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com • IPsec is a framework of open standards that establishes the rules for secure communications. • IPsec relies on existing algorithms to achieve encryption, authentication, and key exchange. Summary • IPsec can encapsulate a packet using either Authentication Header (AH) or the more secure Encapsulation Security Protocol (ESP). • IPsec uses the Internet Key Exchange (IKE) protocol to establish the key exchange process. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Summary Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com