
LIP06 - Configuring Site-to-Site IPsec VPNs with the IOS CLI
V 1.0

Learning Objectives
1. Configure EIGRP on the routers
2. Understand the main terms used in an IPsec tunnel
3. Understand Phase I and Phase II in the operation of an IPsec tunnel
4. Create a site-to-site IPsec VPN using IOS
5. See the encryption of IP traffic in data communication

ACRONYMS
IPsec: Internet Protocol Security
VPN: Virtual Private Network
IKE: Internet Key Exchange
SA: Security Association
ISAKMP: Internet Security Association and Key Management Protocol
DES: Data Encryption Standard
3DES: Triple Data Encryption Standard
AES: Advanced Encryption Standard
SEAL: Software-Optimized Encryption Algorithm
RC4: Rivest Cipher 4
RSA: Rivest, Shamir, and Adleman
DH: Diffie-Hellman
DSA: Digital Signature Algorithm
ECC: Elliptic Curve Cryptography
SHA-1: Secure Hash Algorithm 1
MD5: Message Digest 5
ESP: Encapsulating Security Payload
AH: Authentication Header
HMAC: Hash-based Message Authentication Code


INTERNET KEY EXCHANGE


Notas:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------4

INTERNET KEY EXCHANGE


Notas:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------5

AAA Services Overview


Notes:
Authentication
Authentication is used to ensure that the users are who they say they are, and it helps secure the device that is being protected. Authentication methods:
- Pre-Shared Key
- Rivest-Shamir-Adleman (RSA) Encryption
- Rivest-Shamir-Adleman (RSA) Signature
Authorization
As stated earlier, you can use authorization to define what commands can be used (in the case of TACACS+) or, for other methods, what types of access are defined.
Accounting
Now we get to the third A of AAA, which is accounting. Accounting allows you to provide audit trails of what is done on the network and also to bill for the usage of services.

Encryption Overview
In cryptography, encryption is the process of encoding
messages or information in such a way that only
authorized parties can read it.

Notes:
What is the difference between symmetric and asymmetric encryption?
With symmetric encryption, you use the same key to encrypt and decrypt. With asymmetric encryption, you use a key pair. The keys are different; one key is public and the other is private.
Symmetric encryption is faster, but asymmetric encryption is better for communication between parties who are not known to each other, because there is no need to share a secret key with an unknown person.

Symmetric Encryption: DES, 3DES, AES, SEAL, Rivest Cipher
Asymmetric Encryption: RSA, DH, DSA, ECC, ElGamal

Diffie-Hellman algorithm simplified


Hashing Overview
A hash function is a mathematical function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. One use is a data structure called a hash table, widely used in computer software for rapid data lookup.
In this lab we will talk about the mathematical computations used to create the hashing algorithms. The two specific hashing algorithms we will discuss are Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1).


Hash Message Authentication Code


Hash Message Authentication Code (HMAC) is a way to further secure a hash. HMAC is not a requirement of a hash function, but it has its place when we talk about securing the hash function. Because some popular hash algorithms have been shown not to be completely collision resistant, it is important to add newer techniques to validate the integrity of a hash. HMAC accomplishes this by adding another layer of data into the hashing mix. This layer is called a secret key. The secret key is known only by the sender and receiver, and it provides authentication to HMAC.
In the HMAC process, the input data is taken and a secret key is added. Both the input data and the secret key are put through the hashing algorithm. This produces an HMAC hash. The size of the HMAC hash is the same as that of the corresponding hashing algorithm. (The two main types of HMAC hashes are HMAC-MD5, which produces a 128-bit hash, and HMAC-SHA-1, which produces a 160-bit hash.)
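The following is an added example, not part of the original lab, showing the HMAC construction described above in Python. It builds HMAC by hand from the underlying hash (the inner/outer keyed passes defined in RFC 2104) and checks the result against the standard library's `hmac` module, confirms that HMAC-MD5 yields 128 bits and HMAC-SHA-1 yields 160 bits, and shows that a receiver holding the key rejects data modified in transit. The key and message values are constructed for the demonstration; the two reference tags come from the RFC 2202 test vectors.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the lab).
SECRET_KEY = b"lab-shared-secret"
MESSAGE = b"ESP payload bytes to be authenticated"


def hmac_manual(key: bytes, data: bytes, hash_name: str) -> bytes:
    """HMAC as defined in RFC 2104: H((K ^ opad) || H((K ^ ipad) || data)).

    hash_name is "md5" or "sha1". The key is reduced to one block if too long
    and zero-padded to the block size; MD5 and SHA-1 both use 64-byte blocks.
    """
    h = getattr(hashlib, hash_name)
    block_size = h().block_size
    if len(key) > block_size:
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = h(ipad + data).digest()
    return h(opad + inner).digest()


def hmac_tag(key: bytes, data: bytes, hash_name: str) -> bytes:
    """Same computation via the standard library, used as the reference."""
    return hmac.new(key, data, getattr(hashlib, hash_name)).digest()


def tag_bits(key: bytes, data: bytes, hash_name: str) -> int:
    """HMAC output length equals the digest length of the underlying hash."""
    return len(hmac_tag(key, data, hash_name)) * 8


def verify(key: bytes, data: bytes, received_tag: bytes, hash_name: str) -> bool:
    """Receiver-side check; constant-time compare avoids timing leaks."""
    expected = hmac_tag(key, data, hash_name)
    return hmac.compare_digest(expected, received_tag)


def manual_matches_library(hash_name: str) -> bool:
    return hmac_manual(SECRET_KEY, MESSAGE, hash_name) == hmac_tag(SECRET_KEY, MESSAGE, hash_name)


def tampered_data_is_rejected(hash_name: str) -> bool:
    """Sender tags MESSAGE; the data is altered in transit; verification fails."""
    tag = hmac_tag(SECRET_KEY, MESSAGE, hash_name)
    altered = MESSAGE.replace(b"ESP", b"AH!")
    return verify(SECRET_KEY, MESSAGE, tag, hash_name) and not verify(SECRET_KEY, altered, tag, hash_name)


def check_rfc2202_vectors() -> bool:
    """Test case 1 of RFC 2202 for HMAC-MD5 and HMAC-SHA-1 (data "Hi There")."""
    md5_ok = hmac_manual(b"\x0b" * 16, b"Hi There", "md5").hex() == "9294727a3638bb1c13f48ef8158bfc9d"
    sha1_ok = hmac_manual(b"\x0b" * 20, b"Hi There", "sha1").hex() == "b617318655057264e28bc0b6fb378c8ef146be00"
    return md5_ok and sha1_ok


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(f"HMAC-{name.upper()}: {tag_bits(SECRET_KEY, MESSAGE, name)} bits, "
              f"manual == library: {manual_matches_library(name)}, "
              f"tamper rejected: {tampered_data_is_rejected(name)}")
    print("RFC 2202 vectors OK:", check_rfc2202_vectors())
```

The point of the two keyed passes is that knowing the hash of the data alone is not enough to forge a tag: without the secret key a party cannot produce a valid HMAC for altered data, which is what gives ESP and AH their integrity and origin authentication.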


Authentication Header

Encapsulating Security Payload


Tunnel Mode versus Transport Mode

ISAKMP Phase I & Phase II

AUTHENTICATION HEADER & ESP

AUTHENTICATION HEADER FORMAT

Source: http://slideplayer.com/slide/3082688/