1. Main Mode
2. Aggressive Mode
3. Quick Mode
Main Mode
In Main Mode six messages are exchanged, in three steps of two messages each.
Aggressive Mode
In Aggressive Mode the six messages are condensed into three. The messages sent are as follows:
1. The initiator sends its own proposal and key to the responder.
2. The responder authenticates the initiator's proposal. It also sends its own proposal and key to the initiator.
3. The initiator authenticates the session.
Quick Mode
In Quick Mode the peers re-verify their attributes using the SPI (Security Parameter Index). The SPI is sent
with every packet by the peers.
IKE Phases
IKE has the following phases:
1. Phase 1
2. Phase 1.5 (optional)
3. Phase 2
IKE Phase 1
In Phase 1 the peers create a single bidirectional IKE tunnel. A single key is used to authenticate the session.
The mode used depends on the type of IPsec VPN.
IPSec Modes
IPSec has the following modes:
1. Transport mode
2. Tunnel mode
Transport Mode: It protects Layer 4 and upper-layer data. It is used in DMVPN.
Tunnel Mode: It protects Layer 3 and upper-layer data. It is used in Site-to-Site, Remote-Access and
GETVPN.
NAT-Traversal
NAT-Traversal is a feature that enables a VPN session to be established through a NAT device. With NAT-T the
VPN devices add a UDP header before the ESP header so that the NAT device can translate the packet.
Phase 1 in IKEv2 is the IKE_SA, established by the IKE_SA_INIT message pair (the equivalent of IKEv1 Phase 1).
Phase 2 in IKEv2 is the CHILD_SA, established by the IKE_AUTH message pair (the equivalent of IKEv1 Phase 2).
The IKE Phase 1 tunnel is used only as a management tunnel so that the two routers can securely
communicate with each other directly. The IKE Phase 1 tunnel is not used to encrypt or protect the end
user's packets. The IKE Phase 2 tunnel includes the hashing and encryption algorithms.
So we could say we have one bidirectional IKE Phase 1 tunnel used for management between the two VPN
peers and two unidirectional IKE Phase 2 tunnels used for encrypting and decrypting end-user packets.
Security Association
A Security Association is a group of security parameters and policies agreed between two IPsec peers. Its
components are the Security Association Database (SAD) and the Security Policy Database (SPD).
Diffie-Hellman Key
DH allows the two parties to share a secret key over an insecure channel. Because this key forms the
basis of the rest of the VPN, it is essential that the key is kept secret.
Security Parameter Index
Both devices create a hash of the Security Policy Database. This hash is called the SPI.
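The NAT-Traversal section above says the peers put a UDP header in front of ESP, and this section says the SPI travels in every packet. The added example below (written for these notes, not Cisco code) shows how a NAT-T receiver tells the three things that arrive on UDP/4500 apart: an ESP packet (SPI and sequence number first), an IKE message (four zero bytes, the RFC 3948 non-ESP marker, then the IKE header) and a one-byte keepalive. The sample datagrams are constructed, not captured.

```python
import struct

# RFC 3948 markers on UDP/4500 (values from the RFC, not from this page).
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero bytes precede an IKE message
NAT_KEEPALIVE = b"\xff"                # a single 0xFF byte is a NAT keepalive
IKE_HEADER_LEN = 28

def classify_udp4500(payload: bytes) -> dict:
    """Classify the payload of a UDP/4500 datagram as ESP, IKE or keepalive.

    After the UDP header the first four bytes are either the ESP SPI (never
    zero for a real SA) or the non-ESP marker that tells the receiver an IKE
    header follows.  This is the demultiplexing a NAT-T peer performs.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        raise ValueError("datagram too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            raise ValueError("truncated IKE header")
        # IKE header: SPIi(8) SPIr(8) next-payload(1) version(1) exchange(1)
        # flags(1) message-id(4) length(4)
        version, exchange = ike[17], ike[18]
        return {"kind": "ike", "major": version >> 4, "minor": version & 0xF,
                "exchange": exchange,
                "spi_i": ike[:8].hex(), "spi_r": ike[8:16].hex()}
    spi, seq = struct.unpack("!II", payload[:8])   # ESP: SPI, then sequence number
    return {"kind": "esp", "spi": spi, "seq": seq}

def demo() -> list:
    """Run the classifier over three constructed datagrams (not captured traffic)."""
    esp = struct.pack("!II", 0x1A2B3C4D, 42) + b"\x00" * 16
    # IKEv2 (version 0x20) IKE_SA_INIT (exchange 34) from an initiator, SPIr still zero
    ike = (NON_ESP_MARKER + bytes.fromhex("0011223344556677") + b"\x00" * 8
           + bytes([33, 0x20, 34, 0x08]) + struct.pack("!II", 0, IKE_HEADER_LEN))
    return [classify_udp4500(p) for p in (esp, ike, NAT_KEEPALIVE)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```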
Configuring and Verifying IPsec
The first thing to plan is what protocols to use for IKE Phase 1 and IKE Phase 2 and to identify
which traffic should be encrypted.
show crypto isakmp policy = verify the IKE Phase 1 policies in place on the router
show crypto map = the details of the crypto map
show crypto isakmp sa [detail] = the details of the IKE Phase 1 tunnel that is in place
show crypto ipsec sa = the details of the IKE Phase 2 tunnels that are in place
show crypto engine connections active = confirm that encryption and decryption are working
IPsec uses two methods for encryption: tunnel and transport mode. If IPsec tunnel mode is used,
the IP header and the payload are encrypted. When transport mode is used, only the packet
payload is encrypted.
FlexVPN is a unified VPN solution that can be deployed over either public Internet connections
or a private Multiprotocol Label Switching (MPLS) VPN network.
Clientless SSL VPN feature excels when connections to only one or a few servers are needed
and the full-tunneled Cisco AnyConnect Secure Mobility Client cannot be installed on the local
computer.
Split Tunneling
Without split tunneling, all IP traffic leaving the client's machine goes through the tunnel to the
ASA. A split tunnel addresses this by sending traffic down the VPN only if it is destined for
specific networks located at the headquarters site.
Troubleshooting SSL Negotiations
+ Step 1. Verify that the user's computer can ping the Cisco ASA's outside IP address.
+ Step 2. If the user's workstation can ping the address, issue the show running all | include ssl
command on the Cisco ASA and verify that SSL encryption is configured.
+ Step 3. If SSL encryption is properly configured, use an external sniffer to verify whether the
TCP three-way handshake is successful.
AnyConnect clients will fail to establish a connection if the Cisco ASA is configured to accept
connections with SSL Server Version 3. You must use TLSv1 for AnyConnect clients. Navigate
to Configuration > Remote Access VPN > Advanced > SSL Settings to specify the SSL
encryption type and version that you want to use.
SSL Features
1. Confidentiality
i. Using encryption algorithms such as Triple Data Encryption Standard (3DES) and
Advanced Encryption Standard (AES).
2. Integrity
i. Using hash algorithms such as Message Digest 5 (MD5) and Secure Hash
Algorithm (SHA).
3. Data Origin Authentication
i. Using usernames, passwords and RSA.
SSL Modes
It has the following modes:
1. Clientless Mode
2. Thin Client Mode
3. Thick Client Mode
Clientless Mode
As the name suggests, in clientless mode there is no need for any client software. The client makes a
request to the SSL gateway, which acts as a proxy and forwards it to the internal resources. Clientless mode
provides secure communication only for web-based applications such as HTTP, HTTPS and MS Exchange Server.
SSL Working
1. The client initiates a request to the server.
2. The server provides a certificate to the client containing the server's public key.
3. The client generates a shared secret key and encrypts it with the server's public key.
4. The encrypted shared secret is delivered to the server. The server decrypts it using its private key.
5. Now that both have the same secret, bulk encryption takes place.
DMVPN is used when we want to implement secure, fully meshed connectivity among multiple
branches over the Internet in a scalable way.
DMVPN is a Cisco solution for deploying highly scalable IPsec site-to-site VPNs. It enables
branch locations to communicate directly with each other over the Internet without requiring a
permanent VPN connection between sites.
DMVPN Terminologies
1. Next Hop Resolution Protocol (NHRP)
2. Multipoint Generic Routing Encapsulation (mGRE)
Multipoint GRE
mGRE is a Layer 3 protocol. It can support multiple IPsec tunnels on a single interface.
It adds a 28-byte header, compared with GRE, which adds a 24-byte header.
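The 24-byte and 28-byte figures above come from the outer IPv4 header (20 bytes) plus a 4-byte GRE header, with a further 4 bytes when the GRE key that mGRE/DMVPN uses as the tunnel key is present. The added example below (written for these notes, not Cisco code) parses a GRE header according to its flag bits and reports the resulting overhead; the headers it checks are constructed, and it also handles the optional checksum and sequence number fields that the text does not mention.

```python
import struct
from typing import Optional

OUTER_IPV4_HEADER = 20   # assumed: outer IPv4 header without options

# GRE flag bits in the first 16-bit word (RFC 2784 / RFC 2890)
GRE_CSUM, GRE_KEY, GRE_SEQ = 0x8000, 0x2000, 0x1000

def parse_gre(packet: bytes) -> dict:
    """Parse a GRE header and report the encapsulation overhead it implies.

    Plain GRE is 4 bytes; each of checksum, key and sequence number adds 4.
    With a tunnel key the overhead is 20 + 8 = 28 bytes, without it 20 + 4 = 24.
    """
    if len(packet) < 4:
        raise ValueError("GRE header shorter than 4 bytes")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("not GRE version 0")
    fields = {"protocol": proto, "checksum": None, "key": None, "seq": None}
    off = 4
    # Optional fields always appear in this order when their flag bit is set.
    for bit, name in ((GRE_CSUM, "checksum"), (GRE_KEY, "key"), (GRE_SEQ, "seq")):
        if flags & bit:
            if len(packet) < off + 4:
                raise ValueError("truncated GRE header")
            value = struct.unpack("!I", packet[off:off + 4])[0]
            # checksum word is 16-bit checksum followed by 16 reserved bits
            fields[name] = value >> 16 if name == "checksum" else value
            off += 4
    fields["gre_len"] = off
    fields["overhead"] = OUTER_IPV4_HEADER + off
    return fields

def build_gre(proto: int = 0x0800, key: Optional[int] = None,
              seq: Optional[int] = None) -> bytes:
    """Construct a GRE header (no checksum) carrying IPv4 for the examples."""
    flags, tail = 0, b""
    if key is not None:
        flags |= GRE_KEY
        tail += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_SEQ
        tail += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + tail

def overhead_comparison() -> tuple:
    """Overhead of plain GRE versus GRE with a tunnel key (constructed headers)."""
    return (parse_gre(build_gre())["overhead"],
            parse_gre(build_gre(key=12345))["overhead"])
```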
DMVPN Phases
1. DMVPN Phase 1
2. DMVPN Phase 2
3. DMVPN Phase 3
DMVPN Phase 1
When we deploy DMVPN Phase 1, the client boots up and registers itself with the server. A
permanent tunnel is created between hub and spoke. When one spoke wants to communicate with
another spoke, all traffic goes through the hub. No dynamic tunnel is created between spokes.
DMVPN Phase 2
When we deploy DMVPN Phase 2, the client boots up and registers itself with the server. A
permanent tunnel is created between hub and spoke. When one spoke wants to communicate with
another spoke, a dynamic tunnel is created between the spokes.
DMVPN Phase 3
In DMVPN Phase 3 Cisco added some commands to improve the NHRP query response. These
commands are:
ip nhrp redirect, which is configured on the hub
ip nhrp shortcut, which is configured on the spokes.
When we deploy DMVPN Phase 3, the client boots up and registers itself with the server. A
permanent tunnel is created between hub and spoke. When one spoke wants to communicate with
another spoke, a dynamic tunnel is created between the spokes.
Because of the extra commands mentioned above, when a spoke queries the hub for an NBMA address,
the hub does not answer the query itself; it redirects the query to the spoke for which the
query was generated.
Flex VPN
Internet Key Exchange Version 2 (IKEv2) is a next-generation key management protocol. It is an
enhancement of the IKE protocol. IKEv2 is used for establishing and maintaining security
associations.
FlexVPN is Cisco's implementation of IKEv2. It combines site-to-site, remote-access and hub-and-spoke
VPN topologies.