Sei sulla pagina 1di 106

CCNA Security

Chapter Eight
Implementing Virtual Private Networks

2009 Cisco Learning Institute.

Lesson Planning
This lesson should take 3-4 hours to present
The lesson should include lecture,
demonstrations, discussions and assessments
The lesson can be taught in person or using
remote instruction

2009 Cisco Learning Institute.

Major Concepts
Describe the purpose and operation of VPN types
Describe the purpose and operation of GRE VPNs
Describe the components and operations of IPsec VPNs
Configure and verify a site-to-site IPsec VPN with preshared key authentication using CLI
Configure and verify a site-to-site IPsec VPN with preshared key authentication using SDM
Configure and verify a Remote Access VPN

2009 Cisco Learning Institute.

Lesson Objectives
Upon completion of this lesson, the successful participant will
be able to:
1. Describe the purpose and operation of VPNs
2. Differentiate between the various types of VPNs
3. Identify the Cisco VPN product line and the security features of
these products
4. Configure a site-to-site VPN GRE tunnel
5. Describe the IPSec protocol and its basic functions
6. Differentiate between AH and ESP
7. Describe the IKE protocol and modes
8. Describe the five steps of IPSec operation

2009 Cisco Learning Institute.

Lesson Objectives
9. Describe how to prepare IPSec by ensuring that ACLs are
compatible with IPSec
10. Configure IKE policies using the CLI
11. Configure the IPSec transform sets using the CLI
12. Configure the crypto ACLs using the CLI
13. Configure and apply a crypto map using the CLI
14. Describe how to verify and troubleshoot the IPSec configuration
15. Describe how to configure IPSec using SDM
16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in
SDM
17. Configure a site-to-site VPN using the step-by-step VPN Wizard in
SDM

2009 Cisco Learning Institute.

Lesson Objectives
18. Verify, monitor and troubleshoot VPNs using SDM
19. Describe how an increasing number of organizations are
offering telecommuting options to their employees
20. Differentiate between Remote Access IPSec VPN solutions and
SSL VPNs
21. Describe how SSL is used to establish a secure VPN
connection
22. Describe the Cisco Easy VPN feature
23. Configure a VPN Server using SDM
24. Connect a VPN client using the Cisco VPN Client software

2009 Cisco Learning Institute.

What is a VPN?
Business Partner
with a Cisco Router

Mobile Worker
with a Cisco
VPN Client

CSA

VPN

Internet

Firewall

SOHO with a Cisco


DSL Router
VPN

WAN

VPN

Regional branch with


a VPN enabled
Cisco ISR router

2009 Cisco Learning Institute.

Corporate
Network

- Virtual: Information within a private network is transported


over a public network.
- Private: The traffic is encrypted to keep the data
confidential.
7

Layer 3 VPN
IPSec
VPN

Internet

IPSec

SOHO with a Cisco DSL


Router

Generic routing encapsulation (GRE)


Multiprotocol Label Switching (MPLS)
IPSec
2009 Cisco Learning Institute.

Types of VPN Networks


Remote-access
VPNs

Business Partner
with a Cisco Router

Mobile Worker
with a Cisco
VPN Client
CSA

MARS
VPN

Internet

SOHO with a
Cisco DSL Router

Site-to-Site
VPNs

Firewall

VPN

IP
S

WAN

VPN

Regional branch with


a VPN enabled
Cisco ISR router

Iron Port

CSA

CSA

Web
Email
Server Server

2009 Cisco Learning Institute.

CSA

CSA

CSACSA

DNS

Site-to-Site VPN
Hosts send and receive normal
TCP/IP traffic through a VPN gateway

Business Partner
with a Cisco
Router

CSA

MARS
VP
N

SOHO with a
Cisco DSL
Router

Site-to-Site
VPNs

Internet

Firewall

VPN

IP
S

WAN

VPN

Regional branch with


a VPN enabled
Cisco ISR router

Iron
Port

CSA

CSA

Web
Email
Server Server

2009 Cisco Learning Institute.

CSA

CS
CS A CS
A
A

DNS

10

Remote-Access VPNs
Remote-access
VPNs
Mobile Worker
with a Cisco
VPN Client

CSA

MARS

Internet

Firewall

VPN

Iron Port

IPS

CSA

CSA

Web
Server
2009 Cisco Learning Institute.

CSA

Email
Server

CSA

CSA CSA

DNS
11

VPN Client Software

R1

R1-vpn-cluster.span.com

R1

In a remote-access VPN, each host


typically has Cisco VPN Client software
2009 Cisco Learning Institute.

12

Cisco IOS SSL VPN


Provides remote-access
connectivity from any
Internet-enabled host
Uses a web browser and
SSL encryption
Delivers two modes of
access:
- Clientless
- Thin client

2009 Cisco Learning Institute.

13

Cisco VPN Product Family


Remote-Access
VPN

Site-to-Site VPN

Cisco VPN-Enabled Router

Secondary role

Primary role

Cisco PIX 500 Series Security Appliances

Secondary role

Primary role

Cisco ASA 5500 Series Adaptive Security


Appliances

Primary role

Secondary role

Cisco VPN
3000 Series Concentrators

Primary role

Secondary role

Home Routers

Primary role

Product Choice

2009 Cisco Learning Institute.

14

Cisco VPN-Optimized Routers


Remote Office
Cisco Router
Main Office
Cisco Router

Internet
Regional Office
Cisco Router

SOHO
Cisco Router

2009 Cisco Learning Institute.

VPN Features:
Voice and video enabled VPN (V3PN)
IPSec stateful failover
DMVPN
IPSec and Multiprotocol Label Switching
(MPLS) integration
Cisco Easy VPN
15

Cisco ASA 5500 Series Adaptive


Security Appliances
Central Site

Remote Site
Internet
Intranet
Extranet
Business-to-Business

Remote User

Flexible platform

Cisco IOS SSL VPN

Resilient clustering

VPN infrastructure for


contemporary applications

Cisco Easy VPN


Automatic Cisco VPN
2009 Cisco Learning Institute.

Integrated web-based
management
16

IPSec Clients
A wireless client that is loaded on a pda
Certicom PDA IPsec
VPN Client

Router with
Firewall and
VPN Client

Small Office

Internet
Cisco VPN
Software Client

Software loaded on a PC

A network appliance that connects SOHO LANs to the VPN


Cisco
AnyConnect
VPN Client

Internet
Provides remote users with secure VPN connections
2009 Cisco Learning Institute.

17

Hardware Acceleration Modules


AIM
Cisco IPSec VPN Shared
Port Adapter (SPA)
Cisco PIX VPN
Accelerator Card+ (VAC+)
Enhanced Scalable
Encryption Processing
(SEP-E)

2009 Cisco Learning Institute.

Cisco IPsec VPN SPA

18

GRE VPN Overview

2009 Cisco Learning Institute.

19

Encapsulation
Encapsulated with GRE
Original IP Packet

2009 Cisco Learning Institute.

20

Configuring a GRE Tunnel

Create a tunnel
interface
R1(config)# interface tunnel 0
R1(configif)# ip address 10.1.1.1 255.255.255.252
R1(configif)# tunnel source serial 0/0
R1(configif)# tunnel destination 192.168.5.5
R1(configif)# tunnel mode gre ip
R1(configif)#

Assign
the tunnel an IP address
R2(config)# interface tunnel 0
R2(configif)#
R2(configif)#
R2(configif)#
R2(configif)#
R2(configif)#

ip address 10.1.1.2 255.255.255.252


tunnel source serial 0/0
tunnel destination 192.168.3.3
tunnel mode gre ip

Identify the source tunnel interface

Identify the destination of the tunnel


Configure what protocol GRE will encapsulate

2009 Cisco Learning Institute.

21

Using GRE

IP
Only
?

User
Traffic

Yes

No

Use
GRE
Tunnel

No

Unicast
Only?

Yes

Use
IPsec
VPN

GRE does not provide encryption


2009 Cisco Learning Institute.

22

IPSec Topology
Main Site
Business Partner
with a Cisco Router

Regional Office with a


Cisco PIX Firewall

IPsec

Perimeter
Router

POP

SOHO with a Cisco


SDN/DSL Router

Legacy
Cisco
PIX
Firewall

Legacy
Concentrator
ASA
Mobile Worker with a
Cisco VPN Client
on a Laptop Computer

Corporate

Works at the network layer, protecting and authenticating IP packets.


- It is a framework of open standards which is algorithm-independent.
- It provides data confidentiality, data integrity, and origin authentication.
2009 Cisco Learning Institute.

23

IPSec Framework

Diffie-Hellman

2009 Cisco Learning Institute.

DH7

24

Confidentiality

Least secure

Most secure

Key length:
- 56-bits
Key length:
- 56-bits (3 times)

Diffie-Hellman

Key lengths:
-128-bits
-DH7
192 bits
-256-bits
Key length:
- 160-bits

2009 Cisco Learning Institute.

25

Integrity

Least secure

Most secure

Key length:
- 128-bits

Diffie-Hellman

2009 Cisco Learning Institute.

Key length:
- 160-bits)

DH7

26

Authentication

Diffie-Hellman

2009 Cisco Learning Institute.

DH7

27

Pre-shared Key (PSK)

At the local device, the authentication key and the identity information (device-specific
Diffie-Hellman
information)
are sent through a hash algorithm to form hash_I. One-way
DH7authentication is
established by sending hash_I to the remote device. If the remote device can independently
create the same hash, the local device is authenticated.
The authentication process continues in the opposite direction. The remote device
combines its identity information with the preshared-based authentication key and sends it
through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local
device can independently create the same hash, the remote device is authenticated.
2009 Cisco Learning Institute.

28

RSA Signatures

At the local device, the authentication key and identity information (device-specific information)
are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local
device's private encryption key creating a digital signature. The digital signature and a digital
certificate are forwarded to the remote device. The public encryption key for decrypting the
signature is included in the digital certificate. The remote device verifies the digital signature
by decrypting it using the public encryption key. The result is hash_I.
Next, the remote device independently creates hash_I from stored information. If the
calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the
remote device authenticates the local device, the authentication process begins in the
opposite direction and all steps are repeated from the remote device to the local device.
2009 Cisco Learning Institute.

29

Secure Key Exchange

Diffie-Hellman

2009 Cisco Learning Institute.

DH7

30

IPSec Framework Protocols


Authentication Header
R1

All data is in plaintext.

R2

AH provides the following:


Authentication
Integrity

Encapsulating Security Payload


R1

Data payload is encrypted.

R2

ESP provides the following:


Encryption
Authentication
Integrity
2009 Cisco Learning Institute.

31

Authentication Header
1. The IP Header and data payload are hashed

IP Header + Data + Key

R2

Hash

IP HDR

Authentication Data
(00ABCDEF)

IP HDR

AH

Data

Data

IP Header + Data + Key


3. The new packet is
Internet
transmitted
to the
IPSec peer router

2. The hash builds a new AH


header which is prepended
to theR1original packet

2009 Cisco Learning Institute.

AH

Hash
Recomputed Received
Hash = Hash
(00ABCDEF)

(00ABCDEF)

4. The peer router hashes the IP


header and data payload, extracts
the transmitted hash and compares
32

ESP

Diffie-Hellman

2009 Cisco Learning Institute.

DH7

33

Function of ESP

Internet
Router

Router
IP HDR

Data

New IP HDR

IP HDR

ESP HDR

IP HDR

Data

Data

ESP ESP
Trailer Auth

Encrypted
Authenticated
Provides confidentiality with encryption
Provides integrity with authentication

2009 Cisco Learning Institute.

34

Mode Types
Data

IP HDR

Original data prior to selection of IPSec protocol mode

Transport Mode
IP HDR

Encrypted
Data

ESP HDR

ESP ESP
Trailer Auth

Authenticated

Tunnel Mode
New IP HDR

ESP HDR

Encrypted
IP HDR

Data

ESP ESP
Trailer Auth

Authenticated
2009 Cisco Learning Institute.

35

Security Associations

IPSec parameters are configured using IKE


2009 Cisco Learning Institute.

36

IKE Phases
R1

Host A

R2

Host B
10.0.2.3

10.0.1.3
IKE Phase 1 Exchange
1. Negotiate IKE policy sets

Policy 10
DES
MD5
pre-share
DH1
lifetime

Policy 15
DES
MD5
pre-share
DH1
lifetime

1. Negotiate IKE policy sets

2. DH key exchange

2. DH key exchange

3. Verify the peer identity

3. Verify the peer identity

IKE Phase 2 Exchange


Negotiate IPsec policy

2009 Cisco Learning Institute.

Negotiate IPsec policy

37

IKE Phase 1 First Exchange


R1

Host A

R2
Negotiate IKE Proposals

10.0.1.3
Policy 10
DES
MD5
pre-share
DH1
lifetime

IKE Policy Sets

Host B
10.0.2.3

Policy 15
DES
MD5
pre-share
DH1
lifetime

Policy 20
3DES
SHA
pre-share
DH1
lifetime

Negotiates matching IKE policies to protect IKE exchange

2009 Cisco Learning Institute.

38

IKE Phase 1 Second Exchange


Establish DH Key
Private value, XA
Public value, YA
YA = g XA mod p

Alice

YA

Private value, XB
Public value, YB
YB = g XBmod p

Bob

YB
XA

(YB ) mod p = K

XB

(YA ) mod p = K

A DH exchange is performed to establish keying material.

2009 Cisco Learning Institute.

39

IKE Phase 1 Third Exchange


Remote Office

Authenticate Peer
Corporate Office

Internet
Peer
Authentication

HR
Servers

Peer authentication methods


PSKs
RSA signatures
RSA encrypted nonces

A bidirectional IKE SA is now established.


2009 Cisco Learning Institute.

40

IKE Phase 1 Aggressive Mode


R1

Host A

R2

Host B
10.0.2.3

10.0.1.3
IKE Phase 1 Aggressive Mode Exchange
1.Send IKE policy set
and R1s DH key

Policy 10
DES
MD5
pre-share
DH1
lifetime

3.Calculate shared
secret, verify peer
identify, and confirm
with peer

Policy 15
DES
MD5
pre-share
DH1
lifetime

2.

Confirm IKE policy


set, calculate
shared secret and
send R2s DH key

4.

Authenticate peer
and begin Phase 2.

IKE Phase 2 Exchange


Negotiate IPsec policy

2009 Cisco Learning Institute.

Negotiate IPsec policy


41

IKE Phase 2

R1

Host A
10.0.1.3

R2
Negotiate IPsec
Security Parameters

Host B
10.0.2.3

IKE negotiates matching IPsec policies.


Upon completion, unidirectional IPsec Security
Associations(SA) are established for each protocol and
algorithm combination.

2009 Cisco Learning Institute.

42

IPSec VPN Negotiation


10.0.1.3

R1

R2

10.0.2.3

1. Host A sends interesting traffic to Host B.


2. R1 and R2 negotiate an IKE Phase 1 session.
IKE SA

IKE Phase 1

IKE SA

3. R1 and R2 negotiate an IKE Phase 2 session.


IPsec SA

IKE Phase 2

IPsec SA

4. Information is exchanged via IPsec tunnel.


IPsec Tunnel

5. The IPsec tunnel is terminated.


2009 Cisco Learning Institute.

43

Configuring IPsec

Tasks to Configure IPsec:

Task 1: Ensure that ACLs are compatible with IPsec.


Task 2: Create ISAKMP (IKE) policy.
Task 3: Configure IPsec transform set.
Task 4: Create a crypto ACL.
Task 5: Create and apply the crypto map.

2009 Cisco Learning Institute.

44

Task 1
Configure Compatible ACLs
Site 1

AH
ESP
IKE

10.0.1.0/24
10.0.1.3

Site 2
10.0.2.0/24
R2

R1

10.0.2.3

Internet
S0/0/0
172.30.1.2

S0/0/0
172.30.2.2

Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP)
traffic are not blocked by incoming ACLs on interfaces used by IPsec.

2009 Cisco Learning Institute.

45

Permitting Traffic
AH
ESP
IKE

Site 1

10.0.1.3

10.0.1.0/2
4

Site 2
10.0.2.0/24
R2

R1

Internet

S0/0/0
172.30.1.2

10.0.2.3

S0/0/0
172.30.2.2

R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2


R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1(config)#
R1(config)# interface Serial0/0/0
R1(config-if)# ip address 172.30.1.2 255.255.255.0
R1(config-if)# ip access-group 102 in
!
R1(config)# exit
R1#
R1# show access-lists
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1#

2009 Cisco Learning Institute.

46

Task 2
Configure IKE
10.0.2.0/24

10.0.1.0/24
10.0.1.3

R2

R1

10.0.2.3

Internet

Site 1

Site 2
Policy 110
DES
MD5
Preshare
86400
DH1

Tunnel

router(config)#
crypto isakmp policy priority
Defines the parameters within the IKE policy
R1(config)# crypto
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
2009 Cisco Learning Institute.

isakmp policy 110


authentication pre-share
encryption des
group 1
hash md5
lifetime 86400
47

ISAKMP Parameters
Parameter

Keyword

Accepted Values

Default
Description
Value

encryption

des
3des
aes
aes 192
aes 256

56-bit Data Encryption Standard


Triple DES
128-bit AES
192-bit AES
256-bit AES

des

Message encryption
algorithm

hash

sha
md5

SHA-1 (HMAC variant)


MD5 (HMAC variant)

sha

Message integrity
(Hash) algorithm

preshared keys
RSA encrypted nonces
RSA signatures

rsa-sig

pre-share
authenticati
rsa-encr
on
rsa-sig
group

1
2
5

768-bit Diffie-Hellman (DH)


1024-bit DH
1536-bit DH

lifetime

seconds

Can specify any number of


seconds

86,400 sec
(one day)

2009 Cisco Learning Institute.

Peer authentication
method

Key exchange
parameters (DH
group identifier)
ISAKMP-established
SA lifetime
48

Multiple Policies
10.0.1.0/24

10.0.1.3

10.0.2.0/24
R2

R1

Site 1
R1(config)#
crypto isakmp policy 100
hash md5
authentication pre-share
!
crypto isakmp policy 200
hash sha
authentication rsa-sig
!
crypto isakmp policy 300
hash md5
authentication pre-share

2009 Cisco Learning Institute.

Internet

10.0.2.3

Site 2
R2(config)#
crypto isakmp policy 100
hash md5
authentication pre-share
!
crypto isakmp policy 200
hash sha
authentication rsa-sig
!
crypto isakmp policy 300
hash md5
authentication rsa-sig

49

Policy Negotiations
R1 attempts to establish a VPN tunnel with
R2 and sends its IKE policy parameters
10.0.1.0/24
10.0.1.3

Site 1

10.0.2.0/24

2009 Cisco Learning Institute.

10.0.2.3

Internet

Site 2

Policy 110
Preshare
3DES
SHA
DH2
43200

R1(config)# crypto
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#

R2

R1

Tunnel

isakmp policy 110


authentication pre-share
encryption 3des
group 2
hash sha
lifetime 43200

R2 must have an ISAKMP policy


configured with the same parameters.
R2(config)# crypto
R2(configisakmp)#
R2(configisakmp)#
R2(configisakmp)#
R2(configisakmp)#
R2(configisakmp)#

isakmp policy 100


authentication pre-share
encryption 3des
group 2
hash sha
lifetime 43200

50

Crypto ISAKMP Key


router(config)#
crypto isakmp key keystring address peer-address
router(config)#
crypto isakmp key keystring hostname hostname
Parameter
keystring
peeraddress
hostname

Description
This parameter specifies the PSK. Use any combination of alphanumeric characters
up to 128 bytes. This PSK must be identical on both peers.
This parameter specifies the IP address of the remote peer.
This parameter specifies the hostname of the remote peer.
This is the peer hostname concatenated with its domain name (for example,
myhost.domain.com).

The peer-address or peer-hostname can be used, but must be


used consistently between peers.
If the peer-hostname is used, then the crypto isakmp
identity hostname command must also be configured.
2009 Cisco Learning Institute.

51

Sample Configuration
10.0.1.0/24

10.0.2.0/24

Internet

Site 1
R1(config)# crypto
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(configisakmp)#
R1(config-isakmp)#
R1(config)# crypto
R1(config)#

10.0.2.3

Site 2

isakmp policy 110


authentication pre-share
encryption 3des
group 2
hash sha
lifetime 43200
exit
isakmp key cisco123 address 172.30.2.2

Note:
The keystring cisco1234 matches.
The address identity method is
specified.
The ISAKMP policies are compatible.
Default values do not have to be
configured.
2009 Cisco Learning Institute.

R2

R1

10.0.1.3

R2(config)# crypto
R2(configisakmp)#
R2(configisakmp)#
R2(configisakmp)#
R2(configisakmp)#
R2(configisakmp)#
R2(config-isakmp)#
R2(config)# crypto
R2(config)#

isakmp policy 110


authentication pre-share
encryption 3des
group 2
hash sha
lifetime 43200
exit
isakmp key cisco123 address 172.30.1.2

52

Task 3
Configure the Transform Set
router(config)#
crypto ipsec transformset transform-set-name
transform1 [transform2] [transform3]]
crypto ipsec transform-set Parameters
Command
transform-set-name

Description
This parameter specifies the name of the transform set
to create (or modify).

Type of transform set. You may specify up to four


"transforms": one Authentication Header (AH), one
transform1,
transform2, transform3 Encapsulating Security Payload (ESP) encryption, one
ESP authentication. These transforms define the IP
Security (IPSec) security protocols and algorithms.

A transform set is a combination of IPsec transforms that enact a


security policy for traffic.
2009 Cisco Learning Institute.

53

Transform Sets
Host A

R1

transform-set ALPHA
esp-3des
tunnel

R2

172.30.1.2

Internet

10.0.1.3

Host B

172.30.2.2

10.0.2.3

transform-set RED
esp-des
tunnel

2
3

transform-set BETA
esp-des, esp-md5-hmac
tunnel

transform-set BLUE
esp-des, ah-sha-hmac
tunnel

5
6
7

transform-set CHARLIE
esp-3des, esp-sha-hmac
tunnel

8
9

Match

transform-set YELLOW
esp-3des, esp-sha-hmac
tunnel

Transform sets are negotiated during IKE Phase 2.


The 9th attempt found matching transform sets (CHARLIE - YELLOW).
2009 Cisco Learning Institute.

54

Sample Configuration
Site 1
10.0.1.3

R1
A

Site 2

R2

172.30.1.2

Internet

172.30.2.2

10.0.2.3

R1(config)# crypto isakmp key cisco123 address 172.30.2.2


R1(config)# crypto ipsec transform-set MYSET esp-aes 128
R1(cfg-crypto-trans)# exit
R1(config)#

Note:
Peers must share the
same transform set
settings.

R2(config)# crypto isakmp key cisco123 address 172.30.1.2


R2(config)#crypto ipsec transform-set OTHERSET esp-aes 128
R2(cfg-crypto-trans)# exit

Names are only locally


significant.

2009 Cisco Learning Institute.

55

Task 4
Configure the Crypto ACLs
Host A

R1

Internet

Outbound
Traffic

Encrypt
Bypass (Plaintext)
Inbound
Traffic

Permit
Bypass

Discard (Plaintext)

Outbound indicates the data flow to be protected by IPsec.


Inbound filters and discards traffic that should have been
protected by IPsec.
2009 Cisco Learning Institute.

56

Command Syntax
Site 1

Site 2

10.0.1.0/24

10.0.2.0/24

R2

R1

10.0.1.3

S0/0/0
172.30.1.2

10.0.2.3

Internet
S0/0/0
172.30.2.2

router(config)#
access-list access-list-number [dynamic dynamic-name [timeout minutes]]{deny |
permit} protocol source source-wildcard destination destination-wildcard
[precedence precedence] [tos tos] [log]

access-list access-list-number Parameters


access-list access-list-number
Command
permit
deny

Description
This option causes all IP traffic that matches the specified conditions to be protected by
cryptography, using the policy described by the corresponding crypto map entry.
This option instructs the router to route traffic in plaintext.

protocol

This option specifies which traffic to protect by cryptography based on the protocol,
such as TCP, UDP, or ICMP. If the protocol is IP, then all traffic IP traffic that matches
that permit statement is encrypted.

source and destination

If the ACL statement is a permit statement, these are the networks, subnets, or hosts
between which traffic should be protected. If the ACL statement is a deny statement,
then the traffic between the specified source and destination is sent in plaintext.

2009 Cisco Learning Institute.

57

Symmetric Crypto ACLs


Site 2

Site 1

10.0.1.0/24

10.0.1.3

10.0.2.0/24

R2

R1

Internet
S0/0/0
172.30.1.2

10.0.2.3

S0/0/0
172.30.2.2

S0/1

Applied to R1 S0/0/0 outbound traffic:


R1(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
(when evaluating inbound traffic source: 10.0.2.0, destination: 10.0.1.0)

Applied to R2 S0/0/0 outbound traffic:


R2(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
(when evaluating inbound traffic- source: 10.0.1.0, destination: 10.0.2.0)

2009 Cisco Learning Institute.

58

Task 5
Apply the Crypto Map
Site 1

Site 2
R2

R1

Internet
10.0.1.3

10.0.2.3

Crypto maps define the following:


ACL to be used
Remote VPN peers
Transform set to be used
Key management method
SA lifetimes

2009 Cisco Learning Institute.

Encrypted Traffic

Router
Interface
or Subinterface

59

Crypto Map Command


router(config)#
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
crypto map Parameters
Command Parameters

Description

map-name

Defines the name assigned to the crypto map set or indicates the name of the crypto
map to edit.

seq-num

The number assigned to the crypto map entry.

ipsec-manual

Indicates that ISAKMP will not be used to establish the IPsec SAs.

ipsec-isakmp

Indicates that ISAKMP will be used to establish the IPsec SAs.

cisco

(Default value) Indicates that CET will be used instead of IPsec for protecting the
traffic.

dynamic

(Optional) Specifies that this crypto map entry references a preexisting static crypto
map. If this keyword is used, none of the crypto map configuration commands are
available.

dynamic-map-name

(Optional) Specifies the name of the dynamic crypto map set that should be used as
the policy template.

2009 Cisco Learning Institute.

60

Crypto Map Configuration


Mode Commands
Command

Description
set

peer [hostname | ipaddress]


pfs [group1 | group2]
transform-set
[set_name(s)]
security-association
lifetime
match address [accesslist-id | name]
no
exit
2009 Cisco Learning Institute.

Used with the peer, pfs, transform-set, and security-association


commands.
Specifies the allowed IPsec peer by IP address or hostname.

Specifies DH Group 1 or Group 2.


Specify list of transform sets in priority order. When the ipsec-manual
parameter is used with the crypto map command, then only one transform set
can be defined. When the ipsec-isakmp parameter or the dynamic
parameter is used with the crypto map command, up to six transform sets can
be specified.
Sets SA lifetime parameters in seconds or kilobytes.
Identifies the extended ACL by its name or number. The value should match
the access-list-number or name argument of a previously defined IP-extended
ACL being matched.
Used to delete commands entered with the set command.
Exits crypto map configuration mode.

61

Sample Configuration
Site 1
10.0.1.0/24

10.0.1.3

Site 2
R2

R1

Internet

10.0.2.0/24

10.0.2.3

S0/0/0
172.30.2.2

R3
S0/0/0
172.30.3.2

R1(config)# crypto map


R1(config-crypto-map)#
R1(config-crypto-map)#
R1(config-crypto-map)#
R1(config-crypto-map)#
R1(config-crypto-map)#
R1(config-crypto-map)#

MYMAP 10 ipsec-isakmp
match address 110
set peer 172.30.2.2 default
set peer 172.30.3.2
set pfs group1
set transform-set mine
set security-association lifetime seconds 86400

Multiple peers can be specified for redundancy.


2009 Cisco Learning Institute.

62

Assign the Crypto Map Set


Site 1

Site 2

10.0.1.0/24

10.0.2.0/24

R2

R1

10.0.1.3

S0/0/0
172.30.1.2

10.0.2.3

Internet
S0/0/0
172.30.2.2

MYMAP
router(config-if)#

crypto map map-name


R1(config)# interface serial0/0/0
R1(config-if)# crypto map MYMAP

Applies the crypto map to outgoing interface


Activates the IPsec policy

2009 Cisco Learning Institute.

63

CLI Commands
Show Command

Description

show crypto map

Displays configured crypto maps

show crypto isakmp policy

Displays configured IKE policies

show crypto ipsec sa


show crypto ipsec
transform-set
debug crypto isakmp
debug crypto ipsec

2009 Cisco Learning Institute.

Displays established IPsec tunnels


Displays configured IPsec transform
sets
Debugs IKE events
Debugs IPsec events

64

show crypto map


Site 1

Site 2

10.0.1.0/24

10.0.1.3

10.0.2.0/24

R2

R1
S0/0/0
172.30.1.2

10.0.2.3

Internet
S0/0/0
172.30.2.2

router#
show crypto map
Displays the currently configured crypto maps
R1# show crypto map
Crypto Map MYMAP" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 110
access-list 102 permit ip host 10.0.1.3 host 10.0.2.3
Current peer: 172.30.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ MYSET, }

2009 Cisco Learning Institute.

65

show crypto isakmp policy


Site 1

Site 2

10.0.1.0/24

10.0.1.3

router#

10.0.2.0/24

R2

R1
S0/0/0
172.30.1.2

10.0.2.3

Internet
S0/0/0
172.30.2.2

show crypto isakmp policy

R1# show crypto isakmp policy


Protection suite of priority 110
encryption algorithm:
3DES - Data Encryption Standard (168 bit keys).
hash algorithm:
Secure Hash Standard
authentication method: preshared
Diffie-Hellman group:
#2 (1024 bit)
lifetime:
86400 seconds, no volume limit
Default protection suite
encryption algorithm:
DES - Data Encryption Standard (56 bit keys).
hash algorithm:
Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group:
#1 (768 bit)
lifetime:
86400 seconds, no volume limit

2009 Cisco Learning Institute.

66

show crypto ipsec transform-set


Site 1

Site 2

10.0.1.0/24

10.0.1.3

10.0.2.0/24

R2

R1
S0/0/0
172.30.1.2

10.0.2.3

Internet
S0/0/0
172.30.2.2

show crypto ipsec transform-set


Displays the currently defined transform sets
R1# show crypto ipsec transform-set
Transform set AES_SHA: { esp-128-aes esp-sha-hmac }
will negotiate = { Tunnel, },

2009 Cisco Learning Institute.

67

show crypto ipsec sa


Site 1

Site 2

10.0.1.0/24

10.0.1.3

10.0.2.0/24

R2

R1
S0/0/0
172.30.1.2

10.0.2.3

Internet
S0/0/0
172.30.2.2

R1# show crypto ipsec sa


Interface: Serial0/0/0
Crypto map tag: MYMAP, local addr. 172.30.1.2
local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
current_peer: 172.30.2.2
PERMIT, flacs={origin_is_acl,}
#pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
path mtu 1500, media mtu 1500
current outbound spi: 8AE1C9C

2009 Cisco Learning Institute.

68

debug crypto isakmp


router#
debug crypto isakmp
1d00h:
offers
1d00h:
1d00h:

ISAKMP (0:1): atts are not acceptable. Next payload is 0 1d00h: ISAKMP (0:1); no
accepted!
ISAKMP (0:1): SA not acceptable!
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2

This is an example of the Main Mode error message.


The failure of Main Mode suggests that the Phase I policy
does not match on both sides.
Verify that the Phase I policy is on both peers and ensure that
all the attributes match.
2009 Cisco Learning Institute.

69

Starting a VPN Wizard


1. Click Configure in main toolbar
1
3
2
2. Click the VPN button
to open the VPN page

Wizards for IPsec


Solutions, includes
type of VPNs and
Individual IPsec
components

3. Choose a wizard
4. Click the VPN
implementation subtype
4

VPN implementation
Subtypes. Vary based
On VPN wizard chosen.

5
5. Click the Launch the
Selected Task button
2009 Cisco Learning Institute.

70

VPN Components
VPN Wizards
SSL VPN parameters
Individual IPsec
components used
to build VPNs

Easy VPN server parameters

VPN Components

Public key certificate


parameters
Encrypt VPN passwords

2009 Cisco Learning Institute.

71

Configuring a Site-to-Site VPN


Choose Configure > VPN > Site-to-Site VPN

Click the Create a Site-to-Site VPN

Click the Launch the Selected Task button

2009 Cisco Learning Institute.

72

Site-to-Site VPN Wizard

Choose the wizard mode

Click Next to proceed to the configuration of parameters.

2009 Cisco Learning Institute.

73

Quick Setup

Configure the parameters


Interface to use
Peer identity information
Authentication method
Traffic to encrypt

2009 Cisco Learning Institute.

74

Verify Parameters

2009 Cisco Learning Institute.

75

Step-by-Step Wizard
Choose the outside
interface that is used
1 to connect to the
IPSec peer
2 Specify the IP
address of the peer

3
Choose the authentication
method and specify the
credentials

4 Click Next
2009 Cisco Learning Institute.

76

Creating a Custom IKE Proposal


Make the selections to configure
2 the IKE Policy and click OK

1
Click Add to define a proposal

2009 Cisco Learning Institute.

3 Click Next

77

Creating a Custom IPSec


Transform Set
Define and specify the transform
set name, integrity algorithm,
encryption algorithm, mode of
operation and optional compression

1
Click Add

2009 Cisco Learning Institute.

Click Next

78

Protecting Traffic
Subnet to Subnet

Click Protect All Traffic Between the Following subnets


1
2
Define the IP address
and subnet mask of the
local network

2009 Cisco Learning Institute.

3
Define the IP address
and subnet mask of the
remote network

79

Protecting Traffic
Custom ACL

Click the ellipses button


to choose an existing ACL
or create a new one
1

Click the Create/Select an Access-List


for IPSec Traffic radio button

To use an existing ACL, choose the Select an Existing


Rule (ACL) option. To create a new ACL, choose the
Create a New Rule (ACL) and Select option
2009 Cisco Learning Institute.

80

Add a Rule

Give the access rule a


name and description

2009 Cisco Learning Institute.

2
Click Add

81

Configuring a New Rule Entry


Choose an action and enter a description of the rule entry
1

2
Define the source hosts or networks in the Source Host/Network pane
and the destination hosts or network in the Destination/Host Network pane
3

(Optional) To provide protection for specific protocols, choose


the specific protocol radio box and desired port numbers
2009 Cisco Learning Institute.

82

Configuration Summary

Click Back to modify the configuration.


Click Finish to complete the configuration.
2009 Cisco Learning Institute.

83

Verify VPN Configuration


Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN

Check VPN status.

Create a mirroring configuration if


no Cisco SDM is available on the
peer.

Test the VPN


configuration.

2009 Cisco Learning Institute.

84

Monitor
Choose Monitor > VPN Status > IPSec Tunnels

1
Lists all IPsec tunnels, their
parameters, and status.

2009 Cisco Learning Institute.

85

Telecommuting
Flexibility in working
location and working
hours
Employers save on realestate, utility and other
overhead costs
Succeeds if program is
voluntary, subject to
management discretion,
and operationally feasible

2009 Cisco Learning Institute.

86

Telecommuting Benefits
Organizational benefits:
- Continuity of operations
- Increased responsiveness
- Secure, reliable, and manageable access to information
- Cost-effective integration of data, voice, video, and applications
- Increased employee productivity, satisfaction, and retention

Social benefits:
- Increased employment opportunities for marginalized groups
- Less travel and commuter related stress

Environmental benefits:
- Reduced carbon footprints, both for individual workers and
organizations

2009 Cisco Learning Institute.

87

Implementing Remote Access

2009 Cisco Learning Institute.

88

Methods for Deploying


Remote Access

IPsec Remote
Access VPN

2009 Cisco Learning Institute.

Any
Application

Anywhere
Access

SSL-Based
VPN

89

Comparison of SSL and IPSec


SSL

IPsec

Applications

Web-enabled applications, file sharing, email

All IP-based applications

Encryption

Moderate
Key lengths from 40 bits to 128 bits

Stronger
Key lengths from 56 bits to 256 bits

Authentication

Moderate
One-way or two-way authentication

Strong
Two-way authentication using shared secrets
or digital certificates

Ease of Use

Very high

Moderate
Can be challenging to nontechnical users

Overall Security

Moderate
Any device can connect

Strong
Only specific devices with specific
configurations can connect

2009 Cisco Learning Institute.

90

SSL VPNs
Integrated security and routing
Browser-based full network SSL VPN access
SSL VPN

Internet
Headquarters

SSL VPN
Tunnel

2009 Cisco Learning Institute.

Workplace
Resources

91

Types of Access

2009 Cisco Learning Institute.

92

Full Tunnel Client Access Mode

2009 Cisco Learning Institute.

93

Establishing an SSL Session

User using
SSL client

2009 Cisco Learning Institute.

User makes a connection


to TCP port 443
Router replies with a
digitally signed public key
User software creates a
shared-secret key

SSL VPN
enabled ISR
router

Shared-secret key, encrypted


with public key of the server, is
sent to the router
Bulk encryption occurs using the
shared-secret key with a
symmetric encryption algorithm

94

SSL VPN Design Considerations


User connectivity
Router feature
Infrastructure planning
Implementation scope

2009 Cisco Learning Institute.

95

Cisco Easy VPN


Negotiates tunnel parameters
Establishes tunnels according to
set parameters
Automatically creates a NAT /
PAT and associated ACLs
Authenticates users by
usernames, group names,
and passwords
Manages security keys for
encryption and decryption
Authenticates, encrypts, and
decrypts data through the tunnel

2009 Cisco Learning Institute.

96

Cisco Easy VPN

2009 Cisco Learning Institute.

97

Securing the VPN


1

Initiate IKE Phase 1

Establish ISAKMP
SA

Accept Proposal1

Username/Password
Challenge
Username/Password

System Parameters Pushed


6

2009 Cisco Learning Institute.

Reverse Router Injection


(RRI) adds a static route
entry on the router for the
remote clients IP address

Initiate IKE Phase 2: IPsec


IPsec SA

98

Configuring Cisco Easy VPN Server


1
4
3

2009 Cisco Learning Institute.

99

Configuring IKE Proposals

Specify required parameters

Click Add

2009 Cisco Learning Institute.

Click OK

100

Creating an IPSec Transform Set

3
1

2
4

2009 Cisco Learning Institute.

101

Group Authorization and Group


Policy Lookup

Select the location where


Easy VPN group policies
can be stored
2
5

Click Next

Click Add

Click Next
Configure the local
group policies

2009 Cisco Learning Institute.

102

Summary of Configuration
Parameters

2009 Cisco Learning Institute.

103

VPN Client Overview

R1
R1

R1-vpn-cluster.span.com

R1-vpn-cluster.span.com

Establishes end-to-end, encrypted VPN tunnels for secure


connectivity
Compatible with all Cisco VPN products
Supports the innovative Cisco Easy VPN capabilities

2009 Cisco Learning Institute.

104

Establishing a Connection
R1-vpn-cluster.span.com

Once
authenticated,
status changes to
connected.

R1

R1-vpn-cluster.span.com

R1

2009 Cisco Learning Institute.

105

2009 Cisco Learning Institute.

106