
CCNA Security 1.1 Instructional Resource
Chapter 8 Implementing Virtual Private Networks

2012 Cisco and/or its affiliates. All rights reserved.

Chapter 8: Objectives

Describe the purpose and types of VPNs and define where to use VPNs in a network.
Describe how to configure a GRE VPN tunnel.
Describe the fundamental concepts and technologies of VPNs, and the terms that IPsec VPNs use.
Describe how to configure a site-to-site IPsec VPN.
Configure a site-to-site IPsec VPN with PSK authentication using the CLI and Cisco CCP.
Describe the two common remote network access methods used in enterprise networks.
Describe how the Cisco VPN Client is used in an IPsec remote-access VPN.
Describe how Secure Sockets Layer (SSL) is used in a remote-access VPN.
Configure a remote-access IPsec VPN using the CLI and Cisco CCP.

Chapter 8: Certification Claims

9.0 Implementing VPN Technologies
9.2 Describe VPN technologies
  9.2.1 IPsec
  9.2.2 SSL
9.3 Describe the building blocks of IPsec
  9.3.1 IKE
  9.3.2 ESP
  9.3.3 AH
  9.3.4 Tunnel mode
  9.3.5 Transport mode
9.4 Implement an IOS IPsec site-to-site VPN with pre-shared key authentication
  9.4.1 CCP
  9.4.2 CLI


Chapter 8: Critical Concepts

A VPN is a private network that is created via tunneling over a public network. It can be deployed as a site-to-site VPN or as a remote-access VPN.
Generic routing encapsulation (GRE) is a tunneling protocol that is used to create a point-to-point link, supports multiprotocol tunneling, and can be used in combination with IPsec. GRE alone provides neither confidentiality nor integrity; IPsec supplies both.
IPsec is a framework of open standards that establishes the rules for secure communications. It relies on existing algorithms to achieve encryption, authentication, and key exchange.
When creating a site-to-site VPN, ensure that the existing ACLs do not block IPsec traffic (ISAKMP on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50, AH as IP protocol 51), define the IKE parameters and the IPsec transform set, configure the crypto ACL, and create and apply a crypto map to the outside interface.
Use the CCP Quick Setup VPN wizard or the Step-by-Step wizard to create and monitor an IPsec VPN.
Remote-access connections can be configured using CCP.
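A complete site-to-site configuration that follows the steps listed above, added here as an example; it is not the course's lab configuration. The topology, interface names, addresses and the pre-shared key are assumptions: R1 with LAN 192.168.1.0/24 and WAN address 10.1.1.1 on Serial0/0/0, R3 with LAN 192.168.3.0/24 and WAN address 10.2.2.2 on Serial0/0/1. AES-256, SHA-256 and DH group 14 assume an IOS 15.x k9 image; on a 12.4 image substitute hash sha, esp-sha-hmac and group 5.

```text
! ===== R1 (added example; addressing assumed) =====
!
! Step 1: if an ACL is applied inbound on the outside interface, it must permit
! the VPN control and data traffic from the peer before anything else is filtered.
ip access-list extended OUTSIDE-IN
 permit udp host 10.2.2.2 host 10.1.1.1 eq isakmp
 permit udp host 10.2.2.2 host 10.1.1.1 eq non500-isakmp
 permit esp host 10.2.2.2 host 10.1.1.1
 permit ahp host 10.2.2.2 host 10.1.1.1
!
! Step 2: IKE Phase 1 (ISAKMP) policy. Both peers need a matching policy;
! the lowest sequence number is tried first.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
! The PSK is bound to the peer's WAN address. Use a long random key: it is
! the only thing that authenticates the peer.
crypto isakmp key Str0ngSharedSecret-ChangeMe address 10.2.2.2
!
! Step 3: IPsec transform set (Phase 2 proposal). Tunnel mode is the default.
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 4: crypto ACL, the "interesting traffic". It must be the exact mirror
! image of the peer's crypto ACL or Phase 2 fails with a proxy identity mismatch.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! Step 5: the crypto map binds peer, transform set and crypto ACL together.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.2.2.2
 set transform-set VPN-TS
 set pfs group14
 match address VPN-TRAFFIC
!
! Step 6: apply the crypto map to the OUTSIDE interface (one crypto map per interface).
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! If NAT overload is also configured on Serial0/0/0, the NAT ACL must deny
! 192.168.1.0/24 -> 192.168.3.0/24 first, otherwise the packets are translated
! before they can match VPN-TRAFFIC.
!
! ===== R3 (mirror image) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key Str0ngSharedSecret-ChangeMe address 10.1.1.1
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set VPN-TS
 set pfs group14
 match address VPN-TRAFFIC
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.0
 crypto map VPN-MAP
```

The ISAKMP policy, transform set and PFS group must match on both routers; the crypto ACLs must be mirror images; the PSK must be identical. Those three mismatches account for most failed tunnels in the labs.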


Chapter 8: Activities

Chapter 8 Lab A: Configuring a Site-to-Site VPN Using Cisco IOS and CCP
Part 1: Basic Router Configuration
Part 2: Configure a Site-to-Site VPN Using Cisco IOS
Part 3: Configure a Site-to-Site VPN Using CCP

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client
Part 1: Basic Router Configuration
Part 2: Configuring a Remote Access VPN

Chapter 8 Lab C: (Optional) Configuring a Remote Access VPN Server and Client
Part 1: Basic Router Configuration
Part 2: Configuring a Remote Access VPN


Chapter 8: Terms & Acronyms

VPN
Virtual Private Network

IPsec
IP Security protocol provides a framework for configuring secure VPNs.

SSL
Secure Sockets Layer (SSL) uses TCP port 443 (HTTPS).

GRE
Generic routing encapsulation (GRE) is a tunneling protocol that is used to create a point-to-point link, supports multiprotocol tunneling, and can be used in combination with IPsec.

ATM
Asynchronous Transfer Mode: a standard for cell relay in which multiple service types are converted to 53-byte cells.

PVC
Permanent Virtual Circuit

MPLS
Multiprotocol Label Switching

POTS
Plain old telephone service

ISDN
Integrated Services Digital Network


Chapter 8: Terms & Acronyms (cont)

DMVPN
Dynamic Multipoint VPN enables the auto-provisioning of site-to-site IPsec VPNs, combining three Cisco IOS software features: NHRP, multipoint GRE, and IPsec VPN.

V3PN
Voice and Video Enabled VPN

HSRP
Hot Standby Router Protocol

NHRP
Next Hop Resolution Protocol is used by routers to dynamically discover the NBMA (transport) address of other routers connected to an NBMA network; in DMVPN this is the public IP address of a spoke.

Cisco VPN Client
Installed locally on a host to establish a secure IPsec end-to-end VPN.

Cisco AnyConnect
Installed locally on a host (or smart device) to establish a secure SSL or IPsec end-to-end VPN.

AIM
Advanced integration modules

SPA
Shared Port Adapter provides VPN support on Catalyst 6500 switches and higher-end routers.

VAM2+
VPN Accelerator Module 2+


Chapter 8: Terms & Acronyms (cont)

PSK
Pre-shared keys

ESP
Encapsulating Security Payload (IP protocol 50) can provide authentication, integrity, and confidentiality using encryption.

AH
Authentication Header (IP protocol 51) provides authentication and integrity but does not provide data confidentiality (encryption) of packets. Because AH authenticates the outer IP header, it does not survive NAT; ESP does.

DES
Data Encryption Standard

3DES
Triple Data Encryption Standard

AES
Advanced Encryption Standard

SEAL
Software-Optimized Encryption Algorithm

HMAC
Hash-based Message Authentication Code (HMAC) is a data integrity algorithm that guarantees the integrity and origin of a message using a keyed hash value.


Chapter 8: Terms & Acronyms (cont)

HMAC-MD5
HMAC-Message Digest 5 uses a 128-bit shared-secret key. The variable-length message and the 128-bit shared-secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. MD5-based integrity is deprecated for IPsec; prefer HMAC-SHA-1 or, where the image supports it, HMAC-SHA-256.

HMAC-SHA-1
HMAC-Secure Hash Algorithm 1 uses a 160-bit secret key. The variable-length message and the 160-bit shared-secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash (ESP and AH truncate it to 96 bits on the wire).

RSA
Rivest, Shamir, and Adleman (RSA) algorithm

DH
Diffie-Hellman key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key that only they know, even though they are communicating over an insecure channel.

Tunnel Mode
ESP tunnel mode is used between a host and a security gateway or between two security gateways. The entire original IP packet is protected and a new outer IP header is added.

Transport Mode
ESP transport mode is used between hosts; only the payload is protected and the original IP header is kept. Transport mode works well with GRE, because GRE already hides the addresses of the end devices by adding its own IP header.

SA
Security Association


Chapter 8: Terms & Acronyms (cont)

IKE
Internet Key Exchange protocol (RFC 2409, IKEv1) is used by IPsec to establish the initial key exchange. IKE uses UDP port 500 to exchange IKE information between the security gateways (UDP port 4500 once NAT traversal is detected). IKE is a hybrid protocol, combining ISAKMP and the Oakley and Skeme key exchange methods.

ISAKMP
Internet Security Association and Key Management Protocol defines the message format, the mechanics of a key-exchange protocol, and the negotiation process to build an SA for IPsec. ISAKMP does not define how keys are managed or shared between the two IPsec peers.

Oakley and Skeme
Key exchange methods that have five defined key groups. Of these groups, Cisco routers support Group 1 (768-bit key), Group 2 (1024-bit key), and Group 5 (1536-bit key). Groups 1 and 2 are too short for new deployments; use Group 5 or, where the IOS image supports it, Group 14 (2048-bit) or higher.

IKE Phase 1
Two IPsec peers perform the initial negotiation of SAs. The basic purpose of Phase 1 is to negotiate IKE policy sets, authenticate the peers, and set up a secure channel between the peers. It can be implemented in main mode or aggressive mode.

IKE Phase 2
SAs are negotiated by the IKE process (ISAKMP) on behalf of IPsec; this exchange is referred to as quick mode.


Chapter 8: Terms & Acronyms (cont)

Main mode
IKE Phase 1 SA negotiation that requires three exchanges using six packets. Peer identities are exchanged only after the Diffie-Hellman secret is established, so they travel encrypted.

Aggressive mode
IKE Phase 1 SA negotiation that requires one exchange using three packets. It is faster, but identities are sent in the clear and, with PSK authentication, the exchanged hash can be attacked offline, so main mode is preferred.

Quick mode
IKE Phase 2 SA negotiation that negotiates IPsec security parameters, establishes IPsec SAs, and periodically renegotiates IPsec SAs.

QM_IDLE
Displayed in the output of the show crypto isakmp sa command and indicates an active IKE SA.

RRI
Reverse Route Injection ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client.


Chapter 8: Changes From v1.0


SDM has been replaced by CCP.


Chapter 8: Classroom Management

To explain GRE, use the concept of three protocols:
Passenger protocol (e.g., IPv4 or IPv6) that needs to be encapsulated.
Carrier protocol (i.e., GRE) that is used to encapsulate the passenger protocol.
Transport protocol (e.g., IPv4 or IPv6) that is used to carry the encapsulated carrier protocol.

GRE is popular for running routing protocols over an IPsec VPN: their multicast or broadcast hello packets cannot be carried by a plain IPsec crypto map, but they can be carried inside a GRE tunnel that IPsec then protects.


Chapter 8: Classroom Management


Example GRE configuration
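The configuration graphic for this slide did not survive extraction. The following is an added example of the point-to-point GRE tunnel described on the previous slide, not the course's own figure. Addresses, interface names and the EIGRP autonomous system number are assumptions: R1 WAN 10.1.1.1 on Serial0/0/0 with LAN 192.168.1.0/24, R3 WAN 10.2.2.2 on Serial0/0/1 with LAN 192.168.3.0/24, tunnel subnet 172.16.12.0/30.

```text
! ===== R1: GRE tunnel to R3 (added example; addressing assumed) =====
interface Tunnel0
 description GRE to R3
 ip address 172.16.12.1 255.255.255.252
 ! Transport protocol = IPv4 between the two WAN addresses
 tunnel source Serial0/0/0
 tunnel destination 10.2.2.2
 ! Carrier protocol = GRE (the default tunnel mode, shown explicitly)
 tunnel mode gre ip
 ! GRE adds 24 bytes (4-byte GRE header + 20-byte outer IP header); leave
 ! headroom for the IPsec headers added later so packets are not fragmented
 ! after encryption
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! Passenger protocol = IPv4 routing. EIGRP multicasts its hello packets over the
! tunnel, something a plain IPsec crypto map cannot carry.
router eigrp 100
 network 192.168.1.0 0.0.0.255
 network 172.16.12.0 0.0.0.3
 no auto-summary
!
! ===== R3: mirror image =====
interface Tunnel0
 description GRE to R1
 ip address 172.16.12.2 255.255.255.252
 tunnel source Serial0/0/1
 tunnel destination 10.1.1.1
 ip mtu 1400
 ip tcp adjust-mss 1360
router eigrp 100
 network 192.168.3.0 0.0.0.255
 network 172.16.12.0 0.0.0.3
 no auto-summary
!
! GRE over IPsec: GRE gives neither confidentiality nor integrity. To protect the
! tunnel, make the GRE packets themselves the "interesting traffic" of the crypto
! ACL (R1 shown; R3 mirrors it) and apply the crypto map to the physical WAN
! interface, not to Tunnel0.
ip access-list extended GRE-TRAFFIC
 permit gre host 10.1.1.1 host 10.2.2.2
!
! Verification on R1
R1# show interfaces Tunnel0
R1# show ip eigrp neighbors
R1# show ip route eigrp
```

A tunnel interface comes up as soon as the tunnel destination is reachable; it does not prove that the far end is configured. The EIGRP neighbor appearing over 172.16.12.2 is the real end-to-end check.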


Chapter 8: Classroom Management

To configure IPsec VPNs, the IOS image must support crypto features.
This is usually indicated by k9 in the image name (k8 indicates that only limited crypto commands are available).


Chapter 8: Classroom Management

Use the show crypto isakmp sa command to verify whether the IKE Phase 1 negotiation was successful.
QM_IDLE indicates success; MM_NO_STATE or an empty table means Phase 1 never completed.

Use the debug crypto isakmp command to display Phase 1 and 2 negotiations. Debugs are CPU-intensive: on anything other than a lab router, scope them with debug crypto condition peer ipv4 <address> and turn them off with undebug all.


Chapter 8: Classroom Management

To verify IPsec VPN tunnel functionality, use the sequence:
1. clear crypto sa
2. Generate interesting traffic to trigger the VPN link
3. show crypto ipsec sa
NOTE: The output of the show crypto ipsec sa command should show the #pkts encaps/encrypt and #pkts decaps/decrypt counters increasing.

Use extended pings to generate traffic between LANs:
ping {destination-IP-address} source {source-IP-address}
NOTE: The first ping attempt should fail, because the packet that triggers the SA negotiation is dropped while Phase 1 and Phase 2 complete.

Use the debug crypto ipsec command to display the Phase 2 (quick mode) negotiation; the main mode exchange is shown by debug crypto isakmp.
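The verification sequence above, run end to end on R1 as an added example (not part of the original slides). It assumes the same topology as the site-to-site example in the Critical Concepts section: R1 LAN 192.168.1.0/24 with inside address 192.168.1.1, R3 LAN 192.168.3.0/24 with inside address 192.168.3.1, IPsec peer 10.2.2.2. The command output shown is constructed to illustrate the fields to check, not captured from a real router.

```text
! Added example: verification run on R1 (topology assumed, output constructed)
!
! 1. Start from a clean slate: tear down any IPsec and IKE SAs
R1# clear crypto sa
R1# clear crypto isakmp
!
! 2. Interesting traffic, sourced from the INSIDE address so that it matches the
!    crypto ACL (a ping sourced from the WAN address 10.1.1.1 would not match)
R1# ping 192.168.3.1 source 192.168.1.1
!    .!!!!   <- the first echo times out while Phase 1 and Phase 2 negotiate
!
! 3. Phase 1: an active IKE SA shows QM_IDLE / ACTIVE. MM_NO_STATE or an empty
!    table means Phase 1 failed (policy mismatch, wrong PSK, or UDP 500 blocked)
R1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.2.2.2        10.1.1.1        QM_IDLE           1001 ACTIVE
!
! 4. Phase 2: both counters must rise on repeated pings. Encaps rising while
!    decaps stays at 0 means nothing comes back: typically a crypto ACL that is
!    not mirrored on the peer, or return traffic being NATed or filtered
R1# show crypto ipsec sa peer 10.2.2.2
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
!
! 5. Only when the above does not explain the failure: debugs scoped to the
!    peer, then switched off again
R1# debug crypto condition peer ipv4 10.2.2.2
R1# debug crypto isakmp
R1# debug crypto ipsec
R1# undebug all
```

Read the two show commands in that order: if Phase 1 has not reached QM_IDLE, the Phase 2 counters will never move, and the fault is in the ISAKMP policy, key or reachability rather than in the transform set or crypto ACL.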


Chapter 8: Classroom Management

Common problems encountered when troubleshooting VPNs include:
Incorrect ISAKMP policies configured (no matching policy on both peers).
Incorrect crypto keys or peer address configured.
Crypto map parameters not configured accurately (transform set or crypto ACL not mirrored on the peer).
Crypto map not applied to the correct interface (should usually be the outside interface).
Invalid ACL statements (including NAT or inbound ACLs that catch the VPN traffic).

If pings from the router do not bring up the VPN:
Make sure you are using extended pings sourced from an inside address or, better yet, use an actual host on the inside network.


Chapter 8: Classroom Management

CCP provides various VPN wizards by choosing Configure > Security > VPN.
The wizards vary depending on the type of VPN being configured.

You can also test to confirm the correct tunnel configuration by clicking the Test VPN button.

Verify the VPN status by choosing Monitor > Security > VPN Status > IPsec Tunnels.


Chapter 8: Classroom Management

Remote-access VPNs can be deployed using either IPsec or SSL VPNs.
IPsec remote-access VPNs are more secure and support most applications, but require a client to be pre-installed on the host, such as the Cisco VPN Client or Cisco AnyConnect.
SSL remote-access VPNs are more flexible, since they are accessed using a web browser, but clientless SSL VPN can only reach web-enabled applications; a full-tunnel SSL client such as AnyConnect removes that limitation.


Chapter 8: Classroom Management

Mobile user requirements: SSL-based VPN (Anywhere Access) versus IPsec remote-access VPN (Any Application)

Category              SSL-based VPN                                        IPsec remote-access VPN
Application support   Web-enabled applications, file sharing, e-mail       All IP-based applications
Encryption            Moderate; key lengths from 40 bits to 128 bits       Stronger; key lengths from 56 bits to 256 bits
Authentication        Moderate; one-way or two-way authentication          Strong; two-way authentication using shared secrets or digital certificates
Ease of use           Very easy                                            Moderately easy
Overall security      Moderate; any device can connect                     Strong; only specific devices with specific configurations can connect

The key-length figures are the 2012 slide values. 40-bit and 56-bit ciphers (export-grade RC4, single DES) are obsolete and should be disabled on both the gateway and the client; current SSL/TLS and IPsec deployments should use 128-bit or 256-bit AES.


Chapter 8: Classroom Management

You will need to download the Cisco VPN Client from cisco.com and provide it to students.
The Cisco VPN Client is available for free.


Chapter 8: Teaching Analogies

Explain to students that this chapter now applies the cryptology topics discussed in Chapter 7.

To contrast the function of a firewall (Chapter 4) with that of a VPN, explain that a firewall protects the inside network, while a VPN protects the data traversing the outside network (Internet).


Chapter 8: Teaching Analogies

Use the analogy of an ocean for the network, where each LAN is an island.
Without VPN tunnels, you must travel between islands using a ferry, which means there is no privacy.
With VPN tunnels, you have your own private submarine to go from island to island.

Leased lines can be compared to building bridges between nearby islands.


Chapter 8: Teaching Analogies

Another analogy is that of two lovers sending mushy letters to each other.
They know that the letters will pass through many hands, including the postal service, their organizations, and perhaps even parents at either end.
By setting up a secret code in advance, they can send letters without anyone knowing what they're sending.


Chapter 8: Classroom Discussion

Refer back in history to how encryption has been used:
The Spartans with the scytale.
Julius Caesar for military dispatches.
The Enigma machine during WWII.

Contrast that with how freely information now flows.

Encourage discussion on how important VPNs are becoming.
Ask: "Should we be encrypting everything we send?"
Consider the overhead (and increased latency) if we did.
When should we be using VPNs?


Chapter 8: Best Practices

This chapter is best learned by applying the concepts as much as possible.
Students must get their own battle scars.

Encourage students to come up with their own VPN topology scenarios.


Chapter 8: Additional Reading

Cisco VPN Main page
http://www.cisco.com/en/US/products/ps5743/Products_Sub_Category_Home.html

Cisco IOS Software Releases 12.4 Mainline
http://www.cisco.com/en/US/products/ps6350/tsd_products_support_series_home.html

The Cisco IOS Command Reference
http://www.cisco.com/en/US/products/ps6350/prod_command_reference_list.html

VPN client
http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html
