CCNA Security
© 2009 Cisco Learning Institute.
Chapter Eight
Implementing Virtual Private Networks
Major Concepts
• Describe the purpose and operation of VPN types
• Describe the purpose and operation of GRE VPNs
• Describe the components and operations of IPsec VPNs
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using CLI
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM
• Configure and verify a Remote Access VPN
Lesson Objectives
Upon completion of this lesson, the successful participant
will be able to:
1. Describe the purpose and operation of VPNs
2. Differentiate between the various types of VPNs
3. Identify the Cisco VPN product line and the security features of these products
4. Configure a site-to-site VPN GRE tunnel
5. Describe the IPSec protocol and its basic functions
6. Differentiate between AH and ESP
7. Describe the IKE protocol and modes
8. Describe the five steps of IPSec operation
9. Describe how to prepare IPSec by ensuring that ACLs are compatible with IPSec
10. Configure IKE policies using the CLI
11. Configure the IPSec transform sets using the CLI
12. Configure the crypto ACLs using the CLI
13. Configure and apply a crypto map using the CLI
14. Describe how to verify and troubleshoot the IPSec configuration
15. Describe how to configure IPSec using SDM
16. Configure a site-to-site VPN using the Quick Setup VPN Wizard
in SDM
17. Configure a site-to-site VPN using the step-by-step VPN Wizard
in SDM
18. Verify, monitor and troubleshoot VPNs using SDM
19. Describe how an increasing number of organizations are offering telecommuting options to their employees
20. Differentiate between Remote Access IPSec VPN solutions and SSL VPNs
21. Describe how SSL is used to establish a secure VPN connection
22. Describe the Cisco Easy VPN feature
23. Configure a VPN Server using SDM
24. Connect a VPN client using the Cisco VPN Client software
What is a VPN?
[Figure: a mobile worker with a Cisco VPN Client and a business partner with a Cisco router reach the corporate network over VPN connections]
- Virtual: Information within a private network is transported over a public network.
- Private: The traffic is encrypted to keep the data confidential.
[Figure: a regional branch with a VPN-enabled Cisco ISR router and a SOHO with a Cisco DSL router connect across the Internet/WAN, through a firewall, to the corporate network]
Layer 3 VPN
[Figure: a SOHO with a Cisco DSL router connected over the Internet by an IPsec VPN]
• Generic routing encapsulation (GRE)
• Multiprotocol Label Switching (MPLS)
• IPSec
Types of VPN Networks
[Figure: remote-access VPNs (a mobile worker with a Cisco VPN Client, a business partner with a Cisco router) and site-to-site VPNs (a regional branch with a VPN-enabled Cisco ISR router, a SOHO with a Cisco DSL router) cross the Internet/WAN into a corporate network protected by a firewall, IPS, IronPort and MARS, with CSA on the hosts, and web, email and DNS servers]
Site-to-Site VPN
[Figure: a business partner with a Cisco router connects across the Internet to the corporate VPN gateway]
Hosts send and receive normal TCP/IP traffic through a VPN gateway.
Remote-Access VPNs
[Figure: a mobile worker with a Cisco VPN Client connects across the Internet, through the corporate firewall, to a network protected by MARS, IronPort, IPS and CSA, with web, email and DNS servers]
VPN Client Software
[Figure: Cisco VPN Client connection entry "R1" to host R1-vpn-cluster.span.com]
In a remote-access VPN, each host typically has Cisco VPN Client software.
Cisco IOS SSL VPN
• Provides remote-access connectivity from any Internet-enabled host
• Uses a web browser and SSL encryption
• Delivers two modes of access:
- Clientless
- Thin client
Cisco VPN Product Family
Product choice by VPN role:

Product                                             Remote-Access VPN   Site-to-Site VPN
Cisco VPN-Enabled Router                            Secondary role      Primary role
Cisco PIX 500 Series Security Appliances            Secondary role      Primary role
Cisco ASA 5500 Series Adaptive Security Appliances  Primary role        Secondary role
Cisco VPN 3000 Series Concentrators                 Primary role        Secondary role
Home Routers                                        Primary role        (no role listed)
Cisco VPN-Optimized Routers
[Figure: remote office, regional office and SOHO Cisco routers connected across the Internet to the main office Cisco router]
VPN Features:
• Voice and video enabled VPN (V3PN)
• IPSec stateful failover
• DMVPN
• IPSec and Multiprotocol Label Switching (MPLS) integration
• Cisco Easy VPN
Cisco ASA 5500 Series Adaptive Security Appliances
[Figure: ASA 5500 deployments: intranet (remote site to central site across the Internet), extranet (business-to-business) and remote user]
• Flexible platform
• Resilient clustering
• Cisco Easy VPN
• Automatic Cisco VPN
• Cisco IOS SSL VPN
• VPN infrastructure for contemporary applications
• Integrated web-based management
IPSec Clients
[Figure: IPsec clients connecting across the Internet]
• Certicom PDA IPsec VPN Client: a wireless client that is loaded on a PDA
• Router with Firewall and VPN Client: a network appliance that connects SOHO LANs (small office) to the VPN
• Cisco VPN Software Client and Cisco AnyConnect VPN Client: software loaded on a PC that provides remote users with secure VPN connections
Hardware Acceleration Modules
• AIM
• Cisco IPSec VPN Shared Port Adapter (SPA)
• Cisco PIX VPN Accelerator Card+ (VAC+)
• Enhanced Scalable Encryption Processing (SEP-E)
[Figure: Cisco IPsec VPN SPA]
GRE VPN Overview
Encapsulation
[Figure: the original IP packet, and the same packet encapsulated with a GRE header and a new outer IP header]
Configuring a GRE Tunnel
1. Create a tunnel interface
2. Assign the tunnel an IP address
3. Identify the source tunnel interface
4. Identify the destination of the tunnel
5. Configure what protocol GRE will encapsulate

R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 192.168.5.5
R1(config-if)# tunnel mode gre ip
R1(config-if)#

R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 192.168.3.3
R2(config-if)# tunnel mode gre ip
R2(config-if)#
Using GRE
[Flowchart: Is the user traffic IP only? No: use a GRE tunnel. Yes: is it unicast only? No: use a GRE tunnel. Yes: use an IPsec VPN.]
GRE does not provide encryption.
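The point of the flowchart is that GRE is an encapsulation, not a protection. The added example below (written for this page, not code from the course or from Cisco) builds a GRE-over-IP packet the way "tunnel mode gre ip" frames it, parses it back, and shows that the inner payload is still readable in the tunneled packet. The addresses are the tunnel interface addresses from the configuration above and the tunnel endpoints 192.168.3.3 and 192.168.5.5; the payload text is constructed.

```python
import struct
import socket

# Added example (not from the slides): build and parse a GRE-over-IP packet as
# 'tunnel mode gre ip' produces it. Constructed values: the tunnel addresses
# 10.1.1.x from the configuration, and 192.168.3.3 / 192.168.5.5 as the tunnel
# source and destination.
GRE_PROTO = 47            # IP protocol number for GRE
PTYPE_IPV4 = 0x0800       # GRE protocol type for an IPv4 payload


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def gre_encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """Prepend the 4-byte basic GRE header (RFC 2784: C bit, reserved and version
    all zero, then the protocol type) and a new outer IP header addressed to the
    tunnel endpoints."""
    gre_header = struct.pack("!HH", 0, PTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre_header) + len(inner_packet))
    return outer + gre_header + inner_packet


def gre_decapsulate(packet):
    """Strip the outer IP and GRE headers; return (tunnel_src, tunnel_dst, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x8000:          # C bit set: a checksum/reserved word would follow
        raise ValueError("optional GRE fields are not handled in this example")
    if ptype != PTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return src, dst, packet[ihl + 4:]


def addresses(ip_packet):
    """Source and destination of an IPv4 packet as dotted strings."""
    return socket.inet_ntoa(ip_packet[12:16]), socket.inet_ntoa(ip_packet[16:20])


def demo():
    payload = b"branch payroll record (plaintext)"
    inner = ipv4_header("10.1.1.1", "10.1.1.2", 6, len(payload)) + payload  # proto 6 = TCP
    tunneled = gre_encapsulate(inner, "192.168.3.3", "192.168.5.5")
    t_src, t_dst, recovered = gre_decapsulate(tunneled)
    # GRE gives a new outer header, but no confidentiality: the payload is still
    # readable in the tunneled packet exactly as it was sent.
    return (t_src, t_dst), addresses(recovered), recovered == inner, payload in tunneled


if __name__ == "__main__":
    print(demo())
```

The last value returned by demo() is the one the flowchart cares about: the inner bytes appear unchanged inside the GRE packet, which is why the chart sends unicast IP traffic to IPsec, or why GRE is run over IPsec when non-IP or multicast traffic also needs protection.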
IPSec Topology
[Figure: main site (perimeter router, legacy concentrator, legacy Cisco PIX, ASA/PIX firewall) reached through POPs across the Internet by a business partner with a Cisco router, a regional office with a Cisco PIX firewall, a SOHO with a Cisco ISDN/DSL router, and a mobile worker with the Cisco VPN Client on a laptop computer]
• IPsec works at the network layer, protecting and authenticating IP packets.
- It is a framework of open standards which is algorithm-independent.
- It provides data confidentiality, data integrity, and origin authentication.
IPSec Framework
[Figure: the IPsec framework: IPsec protocol, confidentiality, integrity, authentication and Diffie-Hellman group (DH1, DH2, DH5, DH7) are each chosen from a set of algorithms]
Confidentiality (least secure to most secure), by key length:
- 56 bits (DES)
- 56 bits, applied 3 times (3DES)
- 160 bits (SEAL)
- 128, 192 or 256 bits (AES)
Integrity
Integrity (least secure to most secure), by key length:
- 128 bits (MD5)
- 160 bits (SHA)
Authentication
Pre-shared Key (PSK)
• At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.
• The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.
RSA Signatures
• At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local device's private encryption key creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I.
• Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.
Secure Key Exchange
[Figure: the IPsec framework with the Diffie-Hellman column (DH1, DH2, DH5, DH7) highlighted]
IPSec Framework Protocols
Authentication Header
[Figure: R1 to R2; all data is in plaintext]
AH provides the following:
• Authentication
• Integrity

Encapsulating Security Payload
[Figure: R1 to R2; the data payload is encrypted]
ESP provides the following:
• Encryption
• Authentication
• Integrity
Authentication Header
[Figure: R1 hashes IP Header + Data + Key, builds an AH header carrying the authentication data (00ABCDEF) and sends IP HDR | AH | Data across the Internet; R2 recomputes the hash (00ABCDEF) over IP Header + Data + Key and compares it with the received hash (00ABCDEF)]
1. The IP header and data payload are hashed.
2. The hash builds a new AH header which is prepended to the original packet.
3. The new packet is transmitted to the IPSec peer router.
4. The peer router hashes the IP header and data payload, extracts the transmitted hash and compares.
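The four steps above, carried out on bytes, as an added example written for this page (not code from the course or from Cisco). It follows the AH layout of RFC 4302 with an HMAC-SHA1 value truncated to 96 bits, and zeroes the mutable IP header fields before hashing, which the slide's "IP Header + Data + Key" summary leaves out; the key, addresses and payload are constructed values.

```python
import hmac
import hashlib
import struct

# Added example (not from the slides). Constructed values: a 20-byte IPv4 header,
# a short payload and a shared key. AH's Integrity Check Value is a keyed hash
# (HMAC) over the IP header, the AH header itself and the payload, truncated to
# 96 bits (RFC 4302, HMAC-SHA1-96).
AH_PROTO = 51
ICV_LEN = 12


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal IPv4 header; src/dst are 4-byte strings, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)


def zero_mutable_fields(ip_header):
    """Fields that legitimately change in transit (TOS, flags/fragment offset, TTL,
    checksum) are zeroed so sender and receiver hash the same bytes."""
    h = bytearray(ip_header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def compute_icv(key, ip_header, ah_fixed, data):
    # Step 1: IP header + AH header (with its ICV field zeroed) + data, keyed.
    msg = zero_mutable_fields(ip_header) + ah_fixed + b"\x00" * ICV_LEN + data
    return hmac.new(key, msg, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, next_header, data, spi, seq):
    """Steps 1-2: hash, build the AH header carrying the ICV, prepend it to the data."""
    ah_len = 12 + ICV_LEN
    ip_header = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(data))
    # AH fixed part: next header, payload length (32-bit words minus 2), reserved,
    # SPI, sequence number
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    icv = compute_icv(key, ip_header, ah_fixed, data)
    return ip_header + ah_fixed + icv + data


def verify_ah_packet(key, packet):
    """Step 4: the peer recomputes the hash and compares it with the transmitted one."""
    ip_header, rest = packet[:20], packet[20:]
    ah_fixed, received_icv, data = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    recomputed = compute_icv(key, ip_header, ah_fixed, data)
    return hmac.compare_digest(recomputed, received_icv)


def demo():
    key = b"constructed-shared-key"
    r1, r2 = bytes([172, 30, 1, 2]), bytes([172, 30, 2, 2])
    packet = build_ah_packet(key, r1, r2, 6, b"hello from site 1", spi=0x100, seq=1)
    intact = verify_ah_packet(key, packet)
    # A TTL decrement on the way must not break the check (mutable field)...
    aged = bytearray(packet)
    aged[8] -= 1
    ttl_ok = verify_ah_packet(key, bytes(aged))
    # ...but any change to the payload, or a different key, must.
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])
    tampered_ok = verify_ah_packet(key, tampered)
    wrong_key_ok = verify_ah_packet(b"other-key", packet)
    return intact, ttl_ok, tampered_ok, wrong_key_ok


if __name__ == "__main__":
    print(demo())
```

Because the source and destination addresses are inside the hashed region, AH also breaks under NAT, which is the practical reason ESP is the protocol usually deployed; AH, as the slides note, leaves the data itself in plaintext.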
ESP
Function of ESP
[Figure: router to router across the Internet; IP HDR | Data enters, IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth travels, IP HDR | Data leaves]
• Provides confidentiality with encryption
• Provides integrity with authentication

Mode Types
Original data prior to selection of IPSec protocol mode: IP HDR | Data
Transport Mode: IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth (Data and ESP Trailer are encrypted; ESP HDR through ESP Trailer is authenticated)
Tunnel Mode: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth (the original IP HDR, Data and ESP Trailer are encrypted; ESP HDR through ESP Trailer is authenticated)
Security Associations
IPSec parameters are configured using IKE.
[Figure: Host A 10.0.1.3 - R1 - Internet - R2 - Host B 10.0.2.3]

IKE Phases
IKE Phase 1 Exchange:
1. Negotiate IKE policy sets
2. DH key exchange
3. Verify the peer identity
IKE Phase 2 Exchange: negotiate IPsec policy
[Figure: R1 policy set 15 (DES, MD5, pre-share, DH1, lifetime) and R2 policy set 10 (DES, MD5, pre-share, DH1, lifetime)]

IKE Phase 1 – First Exchange
Negotiates matching IKE policies to protect the IKE exchange.
[Figure: R1 and R2 compare their IKE policy sets in priority order (policy 15: DES, MD5, pre-share, DH1, lifetime; policy 10: DES, MD5, pre-share, DH1, lifetime; policy 20: 3DES, SHA, pre-share, DH1, lifetime) and agree on a matching set]
IKE Phase 1 – Second Exchange
[Figure: Establish DH key. Alice holds private value XA and public value YA = g^XA mod p; Bob holds private value XB and public value YB = g^XB mod p. They exchange YA and YB. Alice computes (YB)^XA mod p = K; Bob computes (YA)^XB mod p = K.]
A DH exchange is performed to establish keying material.
IKE Phase 1 – Third Exchange
[Figure: the remote office peer and the corporate office peer (HR servers) authenticate each other across the Internet]
Peer authentication methods:
• PSKs
• RSA signatures
• RSA encrypted nonces
A bidirectional IKE SA is now established.
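The second and third exchanges, as an added example written for this page (not code from the course or from Cisco): a DH exchange with the document's symbols (XA, YA, XB, YB, K) over the RFC 2409 group 2 (1024-bit MODP) prime, followed by the pre-shared-key authentication from the "Pre-shared Key (PSK)" slide, where each side sends a keyed hash of its identity and the other side recomputes it. The hash_I/hash_R construction here is a simplified model keyed with the PSK, not the exact RFC 2409 HASH_I formula; the PSK value and the peer identities (the 172.30.x.2 addresses used later in the chapter) are constructed inputs.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides). RFC 2409 Oakley group 2 (1024-bit MODP)
# prime, the "group 2" / DH2 of an IKE policy, transcribed from the RFC; g = 2.
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


class DhPeer:
    """One side of the second exchange: private value X, public value Y = g^X mod p."""

    def __init__(self, name, p=P_GROUP2, g=G, private=None):
        self.name, self.p, self.g = name, p, g
        self.x = private if private is not None else secrets.randbelow(p - 2) + 1
        self.y = pow(g, self.x, p)

    def shared_secret(self, peer_public):
        # K = (Y_peer)^X mod p; both sides arrive at the same K without sending X.
        return pow(peer_public, self.x, self.p)


def psk_auth_hash(psk, identity, shared_secret):
    """Simplified hash_I / hash_R: identity information plus the DH keying material,
    run through a keyed hash under the pre-shared key (model, not the RFC formula)."""
    k_bytes = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")
    return hmac.new(psk.encode(), identity.encode() + k_bytes, hashlib.sha1).digest()


def ike_phase1_psk(psk_local, psk_remote, id_local="172.30.1.2", id_remote="172.30.2.2"):
    """Run the DH exchange, then mutual PSK authentication. Returns
    (dh_keys_agree, both_peers_authenticated)."""
    local, remote = DhPeer("R1"), DhPeer("R2")
    k_local = local.shared_secret(remote.y)     # YB^XA mod p
    k_remote = remote.shared_secret(local.y)    # YA^XB mod p
    # Local -> remote: hash_I is sent; the remote recomputes it with its own PSK copy.
    hash_i = psk_auth_hash(psk_local, id_local, k_local)
    local_authenticated = hmac.compare_digest(
        hash_i, psk_auth_hash(psk_remote, id_local, k_remote))
    # Remote -> local: the same check in the opposite direction with hash_R.
    hash_r = psk_auth_hash(psk_remote, id_remote, k_remote)
    remote_authenticated = hmac.compare_digest(
        hash_r, psk_auth_hash(psk_local, id_remote, k_local))
    return k_local == k_remote, local_authenticated and remote_authenticated


if __name__ == "__main__":
    print(ike_phase1_psk("cisco123", "cisco123"))   # matching keys
    print(ike_phase1_psk("cisco123", "cisco124"))   # one character off
```

The second call shows what a mismatched keystring looks like from the protocol's point of view: the DH keys still agree (the exchange itself is unauthenticated), but neither hash verifies, so the IKE SA is never established. Note that the PSK is the only thing tying the DH public values to a peer; a weak or widely shared key weakens the whole Phase 1.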
[Figure: Host A 10.0.1.3 - R1 - Internet - R2 - Host B 10.0.2.3; R1 policy 15 and R2 policy 10 (DES, MD5, pre-share, DH1)]
IKE Phase 1 Aggressive Mode Exchange:
1. Send IKE policy set and R1's DH key
2. Confirm IKE policy set, calculate shared secret and send R2's DH key
3. Calculate shared secret, verify peer identity, and confirm with peer
4. Authenticate peer and begin Phase 2
IKE Phase 2 Exchange: negotiate IPsec policy (IPsec security parameters)
IKE Phase 2
• IKE negotiates matching IPsec policies.
• Upon completion, unidirectional IPsec Security Associations (SAs) are established for each protocol and algorithm combination.
IPSec VPN Negotiation
[Figure: Host A 10.0.1.3 - R1 - R2 - Host B 10.0.2.3; IKE Phase 1 establishes the IKE SA on each side, IKE Phase 2 establishes the IPsec SAs, then the IPsec tunnel carries traffic]
1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session.
3. R1 and R2 negotiate an IKE Phase 2 session.
4. Information is exchanged via the IPsec tunnel.
5. The IPsec tunnel is terminated.
Configuring IPsec
Tasks to Configure IPsec:
Task 1: Ensure that ACLs are compatible with IPsec.
Task 2: Create ISAKMP (IKE) policy.
Task 3: Configure IPsec transform set.
Task 4: Create a crypto ACL.
Task 5: Create and apply the crypto map.
Task 1: Configure Compatible ACLs
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3); AH, ESP and IKE traffic flows between R1 and R2]
• Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec.
Permitting Traffic
R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1(config)#
R1(config)# interface Serial0/0/0
R1(config-if)# ip address 172.30.1.2 255.255.255.0
R1(config-if)# ip access-group 102 in
!
R1(config)# exit
R1#
R1# show access-lists
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1#
Task 2: Configure IKE
[Figure: tunnel between Site 1 and Site 2; ISAKMP policy 110: DES, MD5, pre-share, 86400, DH1]
router(config)# crypto isakmp policy priority
Defines the parameters within the IKE policy.

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption des
R1(config-isakmp)# group 1
R1(config-isakmp)# hash md5
R1(config-isakmp)# lifetime 86400
ISAKMP Parameters

encryption
  Keywords: des | 3des | aes | aes 192 | aes 256
  Accepted values: 56-bit Data Encryption Standard; Triple DES; 128-bit AES; 192-bit AES; 256-bit AES
  Default: des
  Description: message encryption algorithm

hash
  Keywords: sha | md5
  Accepted values: SHA-1 (HMAC variant); MD5 (HMAC variant)
  Default: sha
  Description: message integrity (hash) algorithm

authentication
  Keywords: pre-share | rsa-encr | rsa-sig
  Accepted values: preshared keys; RSA encrypted nonces; RSA signatures
  Default: rsa-sig
  Description: peer authentication method

group
  Keywords: 1 | 2 | 5
  Accepted values: 768-bit Diffie-Hellman (DH); 1024-bit DH; 1536-bit DH
  Default: 1
  Description: key exchange parameters (DH group identifier)

lifetime
  Keyword: seconds
  Accepted values: any number of seconds
  Default: 86,400 sec (one day)
  Description: ISAKMP-established SA lifetime
Multiple Policies
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 - Internet - R2 - Site 2 (10.0.2.0/24, host 10.0.2.3)]

R1(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication rsa-sig

R2(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication pre-share
Policy Negotiations
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 - Internet - R2 - Site 2 (10.0.2.0/24, host 10.0.2.3); R1 policy 110: pre-share, 3DES, SHA, DH2, 43200]
R1 attempts to establish a VPN tunnel with R2 and sends its IKE policy parameters:

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200

R2 must have an ISAKMP policy configured with the same parameters:

R2(config)# crypto isakmp policy 100
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200
Crypto ISAKMP Key
[Figure: tunnel between Site 1 and Site 2]
router(config)# crypto isakmp key keystring address peer-address
router(config)# crypto isakmp key keystring hostname hostname

• The peer-address or peer-hostname can be used, but must be used consistently between peers.
• If the peer-hostname is used, then the crypto isakmp identity hostname command must also be configured.

Parameters:
keystring: specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers.
peer-address: specifies the IP address of the remote peer.
hostname: specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com).
Sample Configuration
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 - Internet - R2 - Site 2 (10.0.2.0/24, host 10.0.2.3)]

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)#

R2(config)# crypto isakmp policy 110
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200
R2(config-isakmp)# exit
R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)#

Note:
• The keystring cisco123 matches.
• The address identity method is specified.
• The ISAKMP policies are compatible.
• Default values do not have to be configured.
Task 3: Configure the Transform Set
router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

crypto ipsec transform-set parameters:
transform-set-name: specifies the name of the transform set to create (or modify).
transform1, transform2, transform3: type of transform set. You may specify up to four transforms: one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication. These transforms define the IP Security (IPSec) security protocols and algorithms.

A transform set is a combination of IPsec transforms that enact a security policy for traffic.
Transform Sets
[Figure: Host A 10.0.1.3 - R1 (172.30.1.2) - Internet - R2 (172.30.2.2) - Host B 10.0.2.3. R1 transform sets: ALPHA (esp-3des, tunnel), BETA (esp-des, esp-md5-hmac, tunnel), CHARLIE (esp-3des, esp-sha-hmac, tunnel). R2 transform sets: RED (esp-des, tunnel), BLUE (esp-des, ah-sha-hmac, tunnel), YELLOW (esp-3des, esp-sha-hmac, tunnel). Attempts 1 through 9 are tried in order; attempt 9 matches.]
• Transform sets are negotiated during IKE Phase 2.
• The 9th attempt found matching transform sets (CHARLIE - YELLOW).
Sample Configuration
[Figure: Site 1 (host 10.0.1.3) - R1 172.30.1.2 - Internet - R2 172.30.2.2 - Site 2 (host 10.0.2.3)]

R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)# crypto ipsec transform-set MYSET esp-aes 128
R1(cfg-crypto-trans)# exit
R1(config)#

R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)# crypto ipsec transform-set OTHERSET esp-aes 128
R2(cfg-crypto-trans)# exit
R2(config)#

Note:
• Peers must share the same transform set settings.
• Names are only locally significant.
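Both negotiations in this part of the chapter, Phase 1 over ISAKMP policies ("Multiple Policies", "Policy Negotiations") and Phase 2 over transform sets ("Transform Sets"), work the same way: the initiator offers its entries in priority order and the responder checks each against its own list until one matches. The added example below (written for this page, not code from the course or from Cisco) implements that ordering once and applies it to both, using the policy and transform-set values from the slides. The attribute-equality rule and the lifetime rule (the remote peer's lifetime must be less than or equal to the local one) are taken from Cisco IOS documentation for "crypto isakmp policy" and are stated here as assumptions; the default values are those in the ISAKMP parameter table above.

```python
# Added example (not the course's own code): negotiate IKE Phase 1 policies and
# IKE Phase 2 transform sets in the order the slides describe.

IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": 1, "lifetime": 86400}


def ike_policy(priority, **attrs):
    """A 'crypto isakmp policy <priority>' entry; unset attributes take the IOS defaults."""
    return {"priority": priority, **IKE_DEFAULTS, **attrs}


def ike_policies_match(remote, local):
    # Assumption (Cisco IOS documentation): encryption, hash, authentication and DH
    # group must be equal, and the remote lifetime must not exceed the local one.
    same = all(remote[k] == local[k] for k in ("encryption", "hash", "authentication", "group"))
    return same and remote["lifetime"] <= local["lifetime"]


def negotiate(offered, local, match):
    """Try every (offered, local) pair, offered entries outermost, in the order given.
    Returns (attempt_no, offered_entry, local_entry) for the first match, or
    (attempts_made, None, None) when nothing is acceptable."""
    attempt = 0
    for o in offered:
        for l in local:
            attempt += 1
            if match(o, l):
                return attempt, o, l
    return attempt, None, None


def negotiate_ike(initiator_policies, responder_policies):
    by_priority = lambda ps: sorted(ps, key=lambda p: p["priority"])   # lowest number first
    return negotiate(by_priority(initiator_policies), by_priority(responder_policies),
                     ike_policies_match)


def transform_set(name, transforms, mode="tunnel"):
    """A 'crypto ipsec transform-set' entry; the name is only locally significant."""
    return {"name": name, "transforms": frozenset(transforms), "mode": mode}


def transform_sets_match(a, b):
    # Phase 2 needs the same transforms and the same mode; names are not compared.
    return a["transforms"] == b["transforms"] and a["mode"] == b["mode"]


def negotiate_transform_sets(initiator_sets, responder_sets):
    return negotiate(initiator_sets, responder_sets, transform_sets_match)


# Values from the slides. "Policy Negotiations": R1 policy 110 against R2 policy 100.
R1_POLICY_110 = ike_policy(110, authentication="pre-share", encryption="3des",
                           group=2, hash="sha", lifetime=43200)
R2_POLICY_100 = ike_policy(100, authentication="pre-share", encryption="3des",
                           group=2, hash="sha", lifetime=43200)
# "Multiple Policies": three policies per router; only some of them line up.
R1_MULTI = [ike_policy(100, hash="md5", authentication="pre-share"),
            ike_policy(200, hash="sha", authentication="rsa-sig"),
            ike_policy(300, hash="md5", authentication="rsa-sig")]
R2_MULTI = [ike_policy(100, hash="md5", authentication="pre-share"),
            ike_policy(200, hash="sha", authentication="rsa-sig"),
            ike_policy(300, hash="md5", authentication="pre-share")]
# "Transform Sets": R1 offers ALPHA, BETA, CHARLIE; R2 holds RED, BLUE, YELLOW.
R1_SETS = [transform_set("ALPHA", ["esp-3des"]),
           transform_set("BETA", ["esp-des", "esp-md5-hmac"]),
           transform_set("CHARLIE", ["esp-3des", "esp-sha-hmac"])]
R2_SETS = [transform_set("RED", ["esp-des"]),
           transform_set("BLUE", ["esp-des", "ah-sha-hmac"]),
           transform_set("YELLOW", ["esp-3des", "esp-sha-hmac"])]


if __name__ == "__main__":
    print(negotiate_ike([R1_POLICY_110], [R2_POLICY_100]))
    print(negotiate_ike([R1_POLICY_110], [ike_policy(100, authentication="pre-share")]))
    print(negotiate_ike(R1_MULTI, R2_MULTI)[0])
    print(negotiate_transform_sets(R1_SETS, R2_SETS)[0])
```

Two things worth noticing when running it: the "Multiple Policies" routers agree on the first attempt even though their policy 300 entries differ, because policy 100 matches first; and a single attribute mismatch (the second call, where R2 is left at the default DES) yields no acceptable proposal, which is the condition behind the "atts are not acceptable" lines shown later under debug crypto isakmp.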
Task 4: Configure the Crypto ACLs
[Figure: Host A - R1 - Internet. Outbound traffic: permit entries are encrypted, deny entries bypass in plaintext. Inbound traffic: permit entries must arrive protected or are discarded (plaintext), deny entries bypass.]
• Outbound indicates the data flow to be protected by IPsec.
• Inbound filters and discards traffic that should have been protected by IPsec.

Command Syntax
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3)]
router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
access-list access-list-number parameters:
permit: causes all IP traffic that matches the specified conditions to be protected by cryptography, using the policy described by the corresponding crypto map entry.
deny: instructs the router to route traffic in plaintext.
protocol: specifies which traffic to protect by cryptography based on the protocol, such as TCP, UDP, or ICMP. If the protocol is IP, then all IP traffic that matches that permit statement is encrypted.
source and destination: if the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, then the traffic between the specified source and destination is sent in plaintext.
Symmetric Crypto ACLs
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3)]
Applied to R1 S0/0/0 outbound traffic:
R1(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
(when evaluating inbound traffic: source 10.0.2.0, destination 10.0.1.0)

Applied to R2 S0/0/0 outbound traffic:
R2(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
(when evaluating inbound traffic: source 10.0.1.0, destination 10.0.2.0)
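Task 1 and Task 4 both come down to evaluating an IOS-style extended ACL against a packet, once on the interface (is the peer's ESP, AH and ISAKMP traffic let in?) and once as a crypto ACL (encrypt, bypass, or, for inbound, discard what should have arrived protected). The added example below (written for this page, not code from the course or from Cisco) parses the ACL lines shown above, applies wildcard-mask matching, and reproduces the mirror-image evaluation of the "Symmetric Crypto ACLs" slide. The sample packets are constructed from the chapter's addresses.

```python
import ipaddress

# Added example (not the course's own code): a small evaluator for IOS-style
# extended ACL entries, used for the Task 1 interface ACL and the Task 4 crypto ACL.

PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "esp": 50, "ahp": 51}
PORT_NAMES = {"isakmp": 500}


def _wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is ignored ('host X' is 0.0.0.0)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def parse_ace(line):
    """Parse 'access-list N {permit|deny} proto src src-wc dst dst-wc [eq port]',
    accepting the 'host' and 'any' shorthands."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    number, action, proto, rest = int(tokens[1]), tokens[2], tokens[3], tokens[4:]

    def take_addr(r):
        if r[0] == "host":
            return r[1], "0.0.0.0", r[2:]
        if r[0] == "any":
            return "0.0.0.0", "255.255.255.255", r[1:]
        return r[0], r[1], r[2:]

    src, src_wc, rest = take_addr(rest)
    dst, dst_wc, rest = take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"number": number, "action": action, "proto": proto, "src": src,
            "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc, "dport": dport}


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and PROTO_NUMBERS[ace["proto"]] != pkt["proto"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    return (_wildcard_match(pkt["src"], ace["src"], ace["src_wc"])
            and _wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"]))


def acl_action(aces, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


def crypto_acl_decision(crypto_aces, pkt, direction, arrived_protected=False):
    """Outbound: permit -> encrypt, deny -> bypass (plaintext).
    Inbound: the ACL is evaluated with source and destination swapped; a permit
    means the packet had to arrive IPsec-protected, otherwise it is discarded."""
    if direction == "outbound":
        return "encrypt" if acl_action(crypto_aces, pkt) == "permit" else "bypass"
    mirrored = {**pkt, "src": pkt["dst"], "dst": pkt["src"]}
    if acl_action(crypto_aces, mirrored) == "permit":
        return "permit" if arrived_protected else "discard"
    return "bypass"


# Task 1: ACL 102 applied inbound on R1 S0/0/0 (lines from the "Permitting Traffic" slide).
ACL_102 = [parse_ace(l) for l in (
    "access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2",
    "access-list 102 permit esp host 172.30.2.2 host 172.30.1.2",
    "access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp")]
# Task 4: crypto ACL 110 on R1 (from the "Symmetric Crypto ACLs" slide).
CRYPTO_110 = [parse_ace("access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255")]


if __name__ == "__main__":
    peer = {"src": "172.30.2.2", "dst": "172.30.1.2"}
    print(acl_action(ACL_102, {**peer, "proto": 50}))                 # ESP from R2: permit
    print(acl_action(ACL_102, {**peer, "proto": 17, "dport": 4500}))  # NAT-T port: deny
    lan = {"proto": 6, "src": "10.0.1.3", "dst": "10.0.2.3"}
    print(crypto_acl_decision(CRYPTO_110, lan, "outbound"))           # encrypt
    back = {"proto": 6, "src": "10.0.2.3", "dst": "10.0.1.3"}
    print(crypto_acl_decision(CRYPTO_110, back, "inbound"))           # discard (plaintext)
```

The second printed line is the kind of gap this check is for: ACL 102 as written admits ISAKMP on UDP 500 but nothing on UDP 4500, so a deployment that later needs NAT traversal would fail at the interface ACL before IPsec is ever consulted. The last line shows the inbound side of a crypto ACL: a plaintext packet from 10.0.2.3 matches the mirrored permit and is discarded, which is the "should have been protected" case from the Task 4 slide.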
Task 5: Apply the Crypto Map
[Figure: Site 1 (host 10.0.1.3) - R1 - Internet - R2 - Site 2 (host 10.0.2.3); encrypted traffic leaves the router interface or subinterface to which the crypto map is applied]
Crypto maps define the following:
• ACL to be used
• Remote VPN peers
• Transform set to be used
• Key management method
• SA lifetimes

Crypto Map Command
router(config)# crypto map map-name seq-num ipsec-manual
router(config)# crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]

crypto map parameters:
map-name: defines the name assigned to the crypto map set or indicates the name of the crypto map to edit.
seq-num: the number assigned to the crypto map entry.
ipsec-manual: indicates that ISAKMP will not be used to establish the IPsec SAs.
ipsec-isakmp: indicates that ISAKMP will be used to establish the IPsec SAs.
cisco: (default value) indicates that CET will be used instead of IPsec for protecting the traffic.
dynamic: (optional) specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available.
dynamic-map-name: (optional) specifies the name of the dynamic crypto map set that should be used as the policy template.
Crypto Map Configuration Mode Commands
set: used with the peer, pfs, transform-set, and security-association commands.
peer [hostname | ip-address]: specifies the allowed IPsec peer by IP address or hostname.
pfs [group1 | group2]: specifies DH Group 1 or Group 2.
transform-set [set_name(s)]: specifies a list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified.
security-association lifetime: sets SA lifetime parameters in seconds or kilobytes.
match address [access-list-id | name]: identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP extended ACL being matched.
no: used to delete commands entered with the set command.
exit: exits crypto map configuration mode.
Sample Configuration
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 - Internet - two peers, R2 (S0/0/0 172.30.2.2) and R3 (S0/0/0 172.30.3.2) - Site 2 (10.0.2.0/24, host 10.0.2.3)]
Multiple peers can be specified for redundancy.

R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer 172.30.2.2 default
R1(config-crypto-map)# set peer 172.30.3.2
R1(config-crypto-map)# set pfs group1
R1(config-crypto-map)# set transform-set mine
R1(config-crypto-map)# set security-association lifetime seconds 86400
Assign the Crypto Map Set
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3); crypto map MYMAP is applied on R1 S0/0/0]
• Applies the crypto map to the outgoing interface
• Activates the IPsec policy

router(config-if)# crypto map map-name

R1(config)# interface serial0/0/0
R1(config-if)# crypto map MYMAP
CLI Commands

Show Command                       Description
show crypto map                    Displays configured crypto maps
show crypto isakmp policy          Displays configured IKE policies
show crypto ipsec sa               Displays established IPsec tunnels
show crypto ipsec transform-set    Displays configured IPsec transform sets
debug crypto isakmp                Debugs IKE events
debug crypto ipsec                 Debugs IPsec events
show crypto map
router# show crypto map
Displays the currently configured crypto maps.
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3)]

R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
Peer = 172.30.2.2
Extended IP access list 110
access-list 102 permit ip host 10.0.1.3 host 10.0.2.3
Current peer: 172.30.2.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ MYSET, }
show crypto isakmp policy
router# show crypto isakmp policy
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3)]

R1# show crypto isakmp policy
Protection suite of priority 110
encryption algorithm: 3DES - Data Encryption Standard (168 bit keys).
hash algorithm: Secure Hash Standard
authentication method: preshared
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
show crypto ipsec transform-set
router# show crypto ipsec transform-set
Displays the currently defined transform sets.
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3)]

R1# show crypto ipsec transform-set
Transform set AES_SHA: { esp-128-aes esp-sha-hmac }
will negotiate = { Tunnel, },
show crypto ipsec sa
router# show crypto ipsec sa
[Figure: Site 1 (10.0.1.0/24, host 10.0.1.3) - R1 S0/0/0 172.30.1.2 - Internet - R2 S0/0/0 172.30.2.2 - Site 2 (10.0.2.0/24, host 10.0.2.3)]

R1# show crypto ipsec sa
Interface: Serial0/0/0
Crypto map tag: MYMAP, local addr. 172.30.1.2
local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
current_peer: 172.30.2.2
PERMIT, flacs={origin_is_acl,}
#pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
#pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
path mtu 1500, media mtu 1500
current outbound spi: 8AE1C9C
debug crypto isakmp
router# debug crypto isakmp

1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2

• This is an example of the Main Mode error message.
• The failure of Main Mode suggests that the Phase I policy does not match on both sides.
• Verify that the Phase I policy is on both peers and ensure that all the attributes match.
Starting a VPN Wizard
1. Click Configure in the main toolbar.
2. Click the VPN button to open the VPN page.
3. Choose a wizard (wizards for IPsec solutions, including types of VPNs and individual IPsec components).
4. Click the VPN implementation subtype (implementation subtypes vary based on the VPN wizard chosen).
5. Click the Launch the Selected Task button.

VPN Components
[Screenshot callouts on the SDM VPN page:]
• VPN Wizards
• SSL VPN parameters
• Easy VPN server parameters
• VPN Components: individual IPsec components used to build VPNs
• Public key certificate parameters
• Encrypt VPN passwords
Configuring a Site-to-Site VPN
Choose Configure > VPN > Site-to-Site VPN.
Click Create a Site-to-Site VPN, then click the Launch the Selected Task button.

Site-to-Site VPN Wizard
Choose the wizard mode, then click Next to proceed to the configuration of parameters.
Quick Setup
Configure the parameters:
• Interface to use
• Peer identity information
• Authentication method
• Traffic to encrypt

Verify Parameters

Step-by-Step Wizard
1. Choose the outside interface that is used to connect to the IPSec peer.
2. Specify the IP address of the peer.
3. Choose the authentication method and specify the credentials.
4. Click Next.

Creating a Custom IKE Proposal
1. Click Add to define a proposal.
2. Make the selections to configure the IKE Policy and click OK.
3. Click Next.

Creating a Custom IPSec Transform Set
1. Click Add.
2. Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation and optional compression.
3. Click Next.

Protecting Traffic: Subnet to Subnet
1. Click Protect All Traffic Between the Following Subnets.
2. Define the IP address and subnet mask of the local network.
3. Define the IP address and subnet mask of the remote network.

Protecting Traffic: Custom ACL
1. Click the Create/Select an Access-List for IPSec Traffic radio button.
2. Click the ellipsis button to choose an existing ACL or create a new one.
3. To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option.

Add a Rule
1. Give the access rule a name and description.
2. Click Add.

Configuring a New Rule Entry
1. Choose an action and enter a description of the rule entry.
2. Define the source hosts or networks in the Source Host/Network pane and the destination hosts or networks in the Destination Host/Network pane.
3. (Optional) To provide protection for specific protocols, choose the specific protocol radio button and the desired port numbers.

Configuration Summary
• Click Back to modify the configuration.
• Click Finish to complete the configuration.

Verify VPN Configuration
Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN.
• Check VPN status.
• Create a mirroring configuration if no Cisco SDM is available on the peer.
• Test the VPN configuration.

Monitor
Choose Monitor > VPN Status > IPSec Tunnels.
Lists all IPsec tunnels, their parameters, and status.

Telecommuting
• Flexibility in working location and working hours
• Employers save on real-estate, utility and other overhead costs
• Succeeds if the program is voluntary, subject to management discretion, and operationally feasible

Telecommuting Benefits
• Organizational benefits:
- Continuity of operations
- Increased responsiveness
- Secure, reliable, and manageable access to information
- Cost-effective integration of data, voice, video, and applications
- Increased employee productivity, satisfaction, and retention
• Social benefits:
- Increased employment opportunities for marginalized groups
- Less travel and commuter-related stress
• Environmental benefits:
- Reduced carbon footprints, both for individual workers and organizations

Implementing Remote Access

Methods for Deploying Remote Access
• IPsec Remote Access VPN (any application)
• SSL-Based VPN (anywhere access)

Comparison of SSL and IPSec

Applications
  SSL: Web-enabled applications, file sharing, e-mail
  IPsec: All IP-based applications
Encryption
  SSL: Moderate; key lengths from 40 bits to 128 bits
  IPsec: Stronger; key lengths from 56 bits to 256 bits
Authentication
  SSL: Moderate; one-way or two-way authentication
  IPsec: Strong; two-way authentication using shared secrets or digital certificates
Ease of Use
  SSL: Very high
  IPsec: Moderate; can be challenging to nontechnical users
Overall Security
  SSL: Moderate; any device can connect
  IPsec: Strong; only specific devices with specific configurations can connect

SSL VPNs
• Integrated security and routing
• Browser-based full network SSL VPN access
(Figure: SSL VPN tunnel across the Internet from the workplace to Headquarters resources.)

Types of Access

Full Tunnel Client Access Mode

Establishing an SSL Session
1. User makes a connection to TCP port 443.
2. Router replies with a digitally signed public key.
3. User software creates a shared-secret key.
4. Shared-secret key, encrypted with the public key of the server, is sent to the router.
5. Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm.
(Figure: user using an SSL client, connecting to an SSL VPN-enabled ISR router.)

SSL VPN Design Considerations
• User connectivity
• Router feature
• Infrastructure planning
• Implementation scope

Cisco Easy VPN
• Negotiates tunnel parameters
• Establishes tunnels according to set parameters
• Automatically creates a NAT / PAT and associated ACLs
• Authenticates users by usernames, group names, and passwords
• Manages security keys for encryption and decryption
• Authenticates, encrypts, and decrypts data through the tunnel

Cisco Easy VPN

Securing the VPN
1. Initiate IKE Phase 1 (establish ISAKMP SA)
2. Accept Proposal
3. Username/Password Challenge
4. Username/Password
5. System Parameters Pushed
6. Reverse Route Injection (RRI) adds a static route entry on the router for the remote client's IP address
7. Initiate IKE Phase 2: IPsec (IPsec SA)

Configuring Cisco Easy VPN Server

Configuring IKE Proposals
1. Click Add.
2. Specify required parameters.
3. Click OK.

Creating an IPSec Transform Set

Group Authorization and Group Policy Lookup
1. Select the location where Easy VPN group policies can be stored.
2. Click Next.
3. Click Add.
4. Configure the local group policies.
5. Click Next.

Summary of Configuration Parameters

VPN Client Overview
(Figure: VPN Client connection entry R1, host R1-vpn-cluster.span.com.)
• Establishes end-to-end, encrypted VPN tunnels for secure connectivity
• Compatible with all Cisco VPN products
• Supports the innovative Cisco Easy VPN capabilities

Establishing a Connection
(Figure: VPN Client connection entry "R1" to R1-vpn-cluster.span.com.)
Once authenticated, the status changes to connected.

More Related Content

PPT
Chapter 8 overview
PDF
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
PPTX
ENSA_Module_8.pptx
PPTX
ENSA_Module_9 VPN NETWORK SITE TO SITE.pptx
PPTX
ENSA_Module_8.pptx_nice_ipsec_presentation
PPT
CCNA Security - Chapter 8
PDF
Brkcrt 1160 c3-rev2
PDF
Openstack Summit Vancouver 2018 - Multicloud Networking
Chapter 8 overview
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
ENSA_Module_8.pptx
ENSA_Module_9 VPN NETWORK SITE TO SITE.pptx
ENSA_Module_8.pptx_nice_ipsec_presentation
CCNA Security - Chapter 8
Brkcrt 1160 c3-rev2
Openstack Summit Vancouver 2018 - Multicloud Networking

Similar to Ch8 - Implementing Virtual Private Networks (20)

PPTX
Network Security version Virtual Private Networks
PPTX
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
PDF
CCNP Security-VPN
PPTX
#CiscoLiveLA 2017 Presentacion de Jerome Henry
PDF
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
PDF
Ip tunneling and vpns
PPTX
DevNetDay2020_Ent_IntroDNAC-Digital.pptx
PDF
Cisco ISE Performance, Scalability and Best Practices.pdf
PDF
Ip tunnelling and_vpn
PDF
Design and Deployment of Enterprise WLANs
PPTX
Cisco prime network 4.1 technical overview
PPT
CCNA Icnd110 s04l08
PPTX
Cisco SDWAN presentation for Headquarters
PDF
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
PPTX
The Data Center Network Evolution
PDF
Vpn security agenda by cover our privacy
PDF
Ccnp iscw lab guide
 
PPTX
4. VPN4. VPN4. VPN4. VPN4. VPN4. VPN.pptx
PPTX
Ccna security
PPTX
Ccna security
Network Security version Virtual Private Networks
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
CCNP Security-VPN
#CiscoLiveLA 2017 Presentacion de Jerome Henry
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
Ip tunneling and vpns
DevNetDay2020_Ent_IntroDNAC-Digital.pptx
Cisco ISE Performance, Scalability and Best Practices.pdf
Ip tunnelling and_vpn
Design and Deployment of Enterprise WLANs
Cisco prime network 4.1 technical overview
CCNA Icnd110 s04l08
Cisco SDWAN presentation for Headquarters
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
The Data Center Network Evolution
Vpn security agenda by cover our privacy
Ccnp iscw lab guide
 
4. VPN4. VPN4. VPN4. VPN4. VPN4. VPN.pptx
Ccna security
Ccna security
Ad

More from OhmRon (16)

PPTX
Masih Relevankah CIA-Triad untuk CyberSecurity 5.0
PPTX
Pengenalan CyberSecurity dan evolusi Cybersecurity 5.0
PPTX
Introduction to Artificial Intelligence - Hands-On
PPTX
HCIA Course Overview and Network Infrastructure Overview
PPTX
Pengenalan Dasar Big Data untuk Praktisi Pemula
PPT
Ilmu dasar Statistika dan Probabilitas untuk Pemula
PPT
Slide - Multimedia Literacy for the Beginer
PPT
What is Technology for New IT Person [Basic]
PPTX
HCIA Test Preperation - 20QA - Short Sample
PDF
Chapter 6-Securing the Local Area Network.pdf
PDF
Chapter 7 - Cryptographic Systems (Crypto).pdf
PDF
Ch5-Implementing Intrusion Prevention.pdf
PDF
Ch4-Implementing Firewall Technologies.pdf
PDF
Ch3-Authentication, Authorization, and Accounting.pdf
PDF
Ch2 - Securing Network Devices - CCNA Security.pdf
PDF
Ch1-Modern Network Security Threats - CCNA SEC.pdf
Masih Relevankah CIA-Triad untuk CyberSecurity 5.0
Pengenalan CyberSecurity dan evolusi Cybersecurity 5.0
Introduction to Artificial Intelligence - Hands-On
HCIA Course Overview and Network Infrastructure Overview
Pengenalan Dasar Big Data untuk Praktisi Pemula
Ilmu dasar Statistika dan Probabilitas untuk Pemula
Slide - Multimedia Literacy for the Beginer
What is Technology for New IT Person [Basic]
HCIA Test Preperation - 20QA - Short Sample
Chapter 6-Securing the Local Area Network.pdf
Chapter 7 - Cryptographic Systems (Crypto).pdf
Ch5-Implementing Intrusion Prevention.pdf
Ch4-Implementing Firewall Technologies.pdf
Ch3-Authentication, Authorization, and Accounting.pdf
Ch2 - Securing Network Devices - CCNA Security.pdf
Ch1-Modern Network Security Threats - CCNA SEC.pdf
Ad

Recently uploaded (20)

PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
PPTX
Lesson notes of climatology university.
PPTX
Cell Structure & Organelles in detailed.
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
PDF
Anesthesia in Laparoscopic Surgery in India
PPTX
Microbial diseases, their pathogenesis and prophylaxis
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PDF
01-Introduction-to-Information-Management.pdf
PDF
Classroom Observation Tools for Teachers
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
PDF
Pre independence Education in Inndia.pdf
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
PDF
Insiders guide to clinical Medicine.pdf
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
Lesson notes of climatology university.
Cell Structure & Organelles in detailed.
102 student loan defaulters named and shamed – Is someone you know on the list?
Anesthesia in Laparoscopic Surgery in India
Microbial diseases, their pathogenesis and prophylaxis
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
01-Introduction-to-Information-Management.pdf
Classroom Observation Tools for Teachers
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
Pre independence Education in Inndia.pdf
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
2.FourierTransform-ShortQuestionswithAnswers.pdf
Insiders guide to clinical Medicine.pdf
Abdominal Access Techniques with Prof. Dr. R K Mishra
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student

Ch8 - Implementing Virtual Private Networks

  • 1. CCNA Security 1 © 2009 Cisco Learning Institute. Chapter Eight Implementing Virtual Private Networks
  • 2. Major Concepts • Describe the purpose and operation of VPN types • Describe the purpose and operation of GRE VPNs • Describe the components and operations of IPsec VPNs • Configure and verify a site-to-site IPsec VPN with pre- 2 2 2 © 2009 Cisco Learning Institute. • Configure and verify a site-to-site IPsec VPN with pre- shared key authentication using CLI • Configure and verify a site-to-site IPsec VPN with pre- shared key authentication using SDM • Configure and verify a Remote Access VPN
  • 3. Lesson Objectives Upon completion of this lesson, the successful participant will be able to: 1. Describe the purpose and operation of VPNs 2. Differentiate between the various types of VPNs 3. Identify the Cisco VPN product line and the security features of 3 3 3 © 2009 Cisco Learning Institute. 3. Identify the Cisco VPN product line and the security features of these products 4. Configure a site-to-site VPN GRE tunnel 5. Describe the IPSec protocol and its basic functions 6. Differentiate between AH and ESP 7. Describe the IKE protocol and modes 8. Describe the five steps of IPSec operation
  • 4. Lesson Objectives 9. Describe how to prepare IPSec by ensuring that ACLs are compatible with IPSec 10. Configure IKE policies using the CLI 11. Configure the IPSec transform sets using the CLI 12. Configure the crypto ACLs using the CLI 13. Configure and apply a crypto map using the CLI 4 4 4 © 2009 Cisco Learning Institute. 13. Configure and apply a crypto map using the CLI 14. Describe how to verify and troubleshoot the IPSec configuration 15. Describe how to configure IPSec using SDM 16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in SDM 17. Configure a site-to-site VPN using the step-by-step VPN Wizard in SDM
  • 5. Lesson Objectives 18. Verify, monitor and troubleshoot VPNs using SDM 19. Describe how an increasing number of organizations are offering telecommuting options to their employees 20. Differentiate between Remote Access IPSec VPN solutions and SSL VPNs 21. Describe how SSL is used to establish a secure VPN 5 5 5 © 2009 Cisco Learning Institute. 21. Describe how SSL is used to establish a secure VPN connection 22. Describe the Cisco Easy VPN feature 23. Configure a VPN Server using SDM 24. Connect a VPN client using the Cisco VPN Client software
  • 6. What is a VPN? CSA VPN Mobile Worker with a Cisco VPN Client Business Partner with a Cisco Router 6 6 6 © 2009 Cisco Learning Institute. - Virtual: Information within a private network is transported over a public network. - Private: The traffic is encrypted to keep the data confidential. VPN VPN Firewall Regional branch with a VPN enabled Cisco ISR router SOHO with a Cisco DSL Router VPN Corporate Network WAN Internet
  • 7. Layer 3 VPN SOHO with a Cisco DSL Router VPN Internet IPSec IPSec 7 7 7 © 2009 Cisco Learning Institute. • Generic routing encapsulation (GRE) • Multiprotocol Label Switching (MPLS) • IPSec
  • 8. Types of VPN Networks MARS CSA VPN Mobile Worker with a Cisco VPN Client Business Partner with a Cisco Router Remote-access VPNs 8 8 8 © 2009 Cisco Learning Institute. VPN VPN Iron Port Firewall IP S Web Server Email Server DNS CSA CSACSA CSA CSA CSA Regional branch with a VPN enabled Cisco ISR router SOHO with a Cisco DSL Router VPN Site-to-Site VPNs Internet WAN
  • 9. Site-to-Site VPN MARS CSA VP Business Partner with a Cisco Router Internet Hosts send and receive normal TCP/IP traffic through a VPN gateway 9 9 9 © 2009 Cisco Learning Institute. VPN VPN Iron Port Firewall IP S Web Server Email Server DNS CS A CS A CS A CSA CSA CSA Regional branch with a VPN enabled Cisco ISR router SOHO with a Cisco DSL Router VP N Site-to-Site VPNs Internet WAN
  • 10. Remote-Access VPNs MARS Firewall CSA Mobile Worker with a Cisco VPN Client Remote-access VPNs Internet 10 10 10 © 2009 Cisco Learning Institute. VPN Iron Port Firewall IPS Web Server Email Server DNS CSA CSA CSA CSA CSA CSA
  • 11. VPN Client Software 11 11 11 © 2009 Cisco Learning Institute. R1 R1-vpn-cluster.span.com “R1” In a remote-access VPN, each host typically has Cisco VPN Client software
  • 12. Cisco IOS SSL VPN • Provides remote-access connectivity from any Internet-enabled host • Uses a web browser and SSL encryption 12 12 12 © 2009 Cisco Learning Institute. SSL encryption • Delivers two modes of access: - Clientless - Thin client
  • 13. Cisco VPN Product Family Product Choice Remote-Access VPN Site-to-Site VPN Cisco VPN-Enabled Router Secondary role Primary role Cisco PIX 500 Series Security Appliances Secondary role Primary role 13 13 13 © 2009 Cisco Learning Institute. Cisco PIX 500 Series Security Appliances Secondary role Primary role Cisco ASA 5500 Series Adaptive Security Appliances Primary role Secondary role Cisco VPN 3000 Series Concentrators Primary role Secondary role Home Routers Primary role
  • 14. Cisco VPN-Optimized Routers Remote Office Cisco Router Main Office Cisco Router Internet 14 14 14 © 2009 Cisco Learning Institute. Regional Office Cisco Router SOHO Cisco Router Internet VPN Features: • Voice and video enabled VPN (V3PN) • IPSec stateful failover • DMVPN • IPSec and Multiprotocol Label Switching (MPLS) integration • Cisco Easy VPN
  • 15. Cisco ASA 5500 Series Adaptive Security Appliances Intranet Remote Site Central Site Internet 15 15 15 © 2009 Cisco Learning Institute. • Flexible platform • Resilient clustering • Cisco Easy VPN • Automatic Cisco VPN • Cisco IOS SSL VPN • VPN infrastructure for contemporary applications • Integrated web-based management Extranet Business-to-Business Remote User
  • 16. IPSec Clients Certicom PDA IPsec VPN Client Internet Router with Firewall and A wireless client that is loaded on a pda 16 16 16 © 2009 Cisco Learning Institute. Small Office Internet Cisco AnyConnect VPN Client Cisco VPN Software Client Firewall and VPN Client Software loaded on a PC A network appliance that connects SOHO LANs to the VPN Provides remote users with secure VPN connections
  • 17. Hardware Acceleration Modules • AIM • Cisco IPSec VPN Shared Port Adapter (SPA) • Cisco PIX VPN 17 17 17 © 2009 Cisco Learning Institute. • Cisco PIX VPN Accelerator Card+ (VAC+) • Enhanced Scalable Encryption Processing (SEP-E) Cisco IPsec VPN SPA
  • 18. GRE VPN Overview 18 18 18 © 2009 Cisco Learning Institute.
  • 19. Encapsulation Original IP Packet Encapsulated with GRE 19 19 19 © 2009 Cisco Learning Institute.
  • 20. Configuring a GRE Tunnel Create a tunnel interface Assign the tunnel an IP address 20 20 20 © 2009 Cisco Learning Institute. R1(config)# interface tunnel 0 R1(config–if)# ip address 10.1.1.1 255.255.255.252 R1(config–if)# tunnel source serial 0/0 R1(config–if)# tunnel destination 192.168.5.5 R1(config–if)# tunnel mode gre ip R1(config–if)# R2(config)# interface tunnel 0 R2(config–if)# ip address 10.1.1.2 255.255.255.252 R2(config–if)# tunnel source serial 0/0 R2(config–if)# tunnel destination 192.168.3.3 R2(config–if)# tunnel mode gre ip R2(config–if)# Assign the tunnel an IP address Identify the source tunnel interface Identify the destination of the tunnel Configure what protocol GRE will encapsulate
  • 21. Using GRE User Traffic IP Only ? No No Yes Yes 21 21 21 © 2009 Cisco Learning Institute. Use GRE Tunnel No No No No Yes Yes Unicast Only? Use IPsec VPN GRE does not provide encryption
  • 22. IPSec Topology Business Partner with a Cisco Router Legacy Concentrator Main Site Perimeter Router Legacy Cisco PIX IPsec POP 22 22 22 © 2009 Cisco Learning Institute. • Works at the network layer, protecting and authenticating IP packets. - It is a framework of open standards which is algorithm-independent. - It provides data confidentiality, data integrity, and origin authentication. Regional Office with a Cisco PIX Firewall SOHO with a Cisco SDN/DSL Router Mobile Worker with a Cisco VPN Client on a Laptop Computer ASA PIX Firewall POP Corporate
  • 23. IPSec Framework 23 23 23 © 2009 Cisco Learning Institute. Diffie-Hellman DH7
  • 24. Confidentiality Least secure Most secure 24 24 24 © 2009 Cisco Learning Institute. DH7 Diffie-Hellman Key length: - 56-bits Key length: - 56-bits (3 times) Key length: - 160-bits Key lengths: -128-bits -192 bits -256-bits
  • 25. Integrity 25 25 25 © 2009 Cisco Learning Institute. DH7 Diffie-Hellman Key length: - 128-bits Key length: - 160-bits) Least secure Most secure
  • 26. Authentication 26 26 26 © 2009 Cisco Learning Institute. DH7 Diffie-Hellman
  • 27. Pre-shared Key (PSK) 27 27 27 © 2009 Cisco Learning Institute. DH7 Diffie-Hellman •At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated. • The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.
  • 28. RSA Signatures 28 28 28 © 2009 Cisco Learning Institute. • At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local device's private encryption key creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I. • Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.
  • 29. Secure Key Exchange 29 29 29 © 2009 Cisco Learning Institute. Diffie-Hellman DH7
  • 30. IPSec Framework Protocols All data is in plaintext. R1 R2 Authentication Header AH provides the following: Authentication Integrity 30 30 30 © 2009 Cisco Learning Institute. Data payload is encrypted. R1 R2 Encapsulating Security Payload Integrity ESP provides the following: Encryption Authentication Integrity
  • 31. Authentication Header Authentication Data IP Header + Data + Key R2 Hash IP Header + Data + Key Data AH IP HDR 1. The IP Header and data payload are hashed 31 31 31 © 2009 Cisco Learning Institute. Authentication Data (00ABCDEF) R1 Recomputed Hash (00ABCDEF) IP Header + Data + Key Hash Received Hash (00ABCDEF) = Data AH IP HDR Internet 2. The hash builds a new AH header which is prepended to the original packet 3. The new packet is transmitted to the IPSec peer router 4. The peer router hashes the IP header and data payload, extracts the transmitted hash and compares
  • 32. ESP 32 32 32 © 2009 Cisco Learning Institute. Diffie-Hellman DH7
  • 33. Function of ESP Router Router IP HDR Data IP HDR Data Internet 33 33 33 © 2009 Cisco Learning Institute. ESP Trailer ESP Auth • Provides confidentiality with encryption • Provides integrity with authentication ESP HDR New IP HDR IP HDR Data Authenticated Encrypted
  • 34. IP HDR ESP HDR Data Transport Mode ESP Trailer ESP Auth IP HDR Data Encrypted Original data prior to selection of IPSec protocol mode Mode Types 34 34 34 © 2009 Cisco Learning Institute. IP HDR ESP HDR Data ESP HDR IP HDR New IP HDR Data Tunnel Mode Trailer Auth ESP Trailer ESP Auth Authenticated Authenticated Encrypted
  • 35. Security Associations 35 35 35 © 2009 Cisco Learning Institute. IPSec parameters are configured using IKE
  • 36. Host A Host B R1 R2 10.0.1.3 10.0.2.3 IKE Phase 1 Exchange 1. Negotiate IKE policy sets IKE Phases Policy 15 DES MD5 pre-share Policy 10 DES MD5 pre-share 1. Negotiate IKE policy sets 36 36 36 © 2009 Cisco Learning Institute. 2. DH key exchange 3. Verify the peer identity IKE Phase 2 Exchange Negotiate IPsec policy Negotiate IPsec policy pre-share DH1 lifetime pre-share DH1 lifetime 2. DH key exchange 3. Verify the peer identity
  • 37. Policy 15 DES MD5 pre-share Policy 10 DES MD5 pre-share IKE Policy Sets Negotiate IKE Proposals Host A Host B R1 R2 10.0.1.3 10.0.2.3 IKE Phase 1 – First Exchange 37 37 37 © 2009 Cisco Learning Institute. Negotiates matching IKE policies to protect IKE exchange pre-share DH1 lifetime pre-share DH1 lifetime IKE Policy Sets Policy 20 3DES SHA pre-share DH1 lifetime
  • 38. IKE Phase 1 – Second Exchange Private value, XA Public value, YA Private value, XB Public value, YB Alice Bob Y YA A YB = g mod p XB Y YA A = g mod p XA Establish DH Key 38 38 38 © 2009 Cisco Learning Institute. ( (YB ) mod p = K (YA ) mod p = K XB XA Y YA A Y YB B A DH exchange is performed to establish keying material.
  • 39. IKE Phase 1 – Third Exchange HR Servers Remote Office Corporate Office Internet Peer Authenticate Peer 39 39 39 © 2009 Cisco Learning Institute. Peer authentication methods • PSKs • RSA signatures • RSA encrypted nonces Peer Authentication A bidirectional IKE SA is now established.
  • 40. Host A Host B R1 R2 10.0.1.3 10.0.2.3 IKE Phase 1 Aggressive Mode Exchange 1.Send IKE policy set and R1’s DH key Policy 15 DES MD5 pre-share DH1 Policy 10 DES MD5 pre-share DH1 2. Confirm IKE policy IKE Phase 1 – Aggressive Mode 40 40 40 © 2009 Cisco Learning Institute. and R1’s DH key 3.Calculate shared secret, verify peer identify, and confirm with peer IKE Phase 2 Exchange Negotiate IPsec policy Negotiate IPsec policy DH1 lifetime DH1 lifetime 2. Confirm IKE policy set, calculate shared secret and send R2’s DH key 4. Authenticate peer and begin Phase 2.
  • 41. Negotiate IPsec Security Parameters Host A Host B R1 R2 10.0.1.3 10.0.2.3 IKE Phase 2 41 41 41 © 2009 Cisco Learning Institute. • IKE negotiates matching IPsec policies. • Upon completion, unidirectional IPsec Security Associations(SA) are established for each protocol and algorithm combination.
  • 42. IKE Phase 1 IKE SA IKE SA 1. Host A sends interesting traffic to Host B. 2. R1 and R2 negotiate an IKE Phase 1 session. R1 R2 10.0.2.3 10.0.1.3 IPSec VPN Negotiation 42 42 42 © 2009 Cisco Learning Institute. IKE Phase 1 IKE Phase 2 IKE SA IKE SA IPsec SA IPsec SA 3. R1 and R2 negotiate an IKE Phase 2 session. 4. Information is exchanged via IPsec tunnel. 5. The IPsec tunnel is terminated. IPsec Tunnel
  • 43. Configuring IPsec Task 1: Ensure that ACLs are compatible with IPsec. Task 2: Create ISAKMP (IKE) policy. Tasks to Configure IPsec: 43 43 43 © 2009 Cisco Learning Institute. Task 2: Create ISAKMP (IKE) policy. Task 3: Configure IPsec transform set. Task 4: Create a crypto ACL. Task 5: Create and apply the crypto map.
  • 44. Task 1 Configure Compatible ACLs AH ESP IKE Site 1 Site 2 10.0.1.3 10.0.2.3 R1 R2 Internet 10.0.1.0/24 10.0.2.0/24 44 44 44 © 2009 Cisco Learning Institute. • Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec. S0/0/0 172.30.1.2 S0/0/0 172.30.2.2
  • 45. AH ESP IKE Site 1 Site 2 10.0.1.3 10.0.2.3 R1 R2 Internet S0/0/0 172.30.1.2 S0/0/0 172.30.2.2 10.0.1.0/24 10.0.2.0/24 Permitting Traffic 45 45 45 © 2009 Cisco Learning Institute. R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2 R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2 R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp R1(config)# R1(config)# interface Serial0/0/0 R1(config-if)# ip address 172.30.1.2 255.255.255.0 R1(config-if)# ip access-group 102 in ! R1(config)# exit R1# R1# show access-lists access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2 access-list 102 permit esp host 172.30.2.2 host 172.30.1.2 access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp R1#
  • 46. Tunnel Policy 110 DES MD5 Preshare 86400 DH1 Site 1 Site 2 10.0.1.3 10.0.2.3 R1 R2 Internet 10.0.1.0/24 10.0.2.0/24 Task 2 Configure IKE 46 46 46 © 2009 Cisco Learning Institute. Defines the parameters within the IKE policy crypto isakmp policy priority router(config)# R1(config)# crypto isakmp policy 110 R1(config–isakmp)# authentication pre-share R1(config–isakmp)# encryption des R1(config–isakmp)# group 1 R1(config–isakmp)# hash md5 R1(config–isakmp)# lifetime 86400 DH1
  • 47. ISAKMP Parameters Parameter Keyword Accepted Values Default Value Description encryption des 3des aes aes 192 aes 256 56-bit Data Encryption Standard Triple DES 128-bit AES 192-bit AES 256-bit AES des Message encryption algorithm 47 47 47 © 2009 Cisco Learning Institute. hash sha md5 SHA-1 (HMAC variant) MD5 (HMAC variant) sha Message integrity (Hash) algorithm authenticati on pre-share rsa-encr rsa-sig preshared keys RSA encrypted nonces RSA signatures rsa-sig Peer authentication method group 1 2 5 768-bit Diffie-Hellman (DH) 1024-bit DH 1536-bit DH 1 Key exchange parameters (DH group identifier) lifetime seconds Can specify any number of seconds 86,400 sec (one day) ISAKMP-established SA lifetime
  • 48. Multiple Policies crypto isakmp policy 100 hash md5 crypto isakmp policy 100 hash md5 R1(config)# R2(config)# Site 1 Site 2 10.0.1.3 10.0.2.3 R1 R2 Internet 10.0.1.0/24 10.0.2.0/24 48 48 48 © 2009 Cisco Learning Institute. hash md5 authentication pre-share ! crypto isakmp policy 200 hash sha authentication rsa-sig ! crypto isakmp policy 300 hash md5 authentication rsa-sig hash md5 authentication pre-share ! crypto isakmp policy 200 hash sha authentication rsa-sig ! crypto isakmp policy 300 hash md5 authentication pre-share
  • 49. Site 1 Site 2 10.0.1.3 10.0.2.3 R1 R2 Internet 10.0.1.0/24 10.0.2.0/24 R1 attempts to establish a VPN tunnel with R2 and sends its IKE policy parameters Policy Negotiations 49 49 49 © 2009 Cisco Learning Institute. R1(config)# crypto isakmp policy 110 R1(config–isakmp)# authentication pre-share R1(config–isakmp)# encryption 3des R1(config–isakmp)# group 2 R1(config–isakmp)# hash sha R1(config–isakmp)# lifetime 43200 Policy 110 Preshare 3DES SHA DH2 43200 R2(config)# crypto isakmp policy 100 R2(config–isakmp)# authentication pre-share R2(config–isakmp)# encryption 3des R2(config–isakmp)# group 2 R2(config–isakmp)# hash sha R2(config–isakmp)# lifetime 43200 R2 must have an ISAKMP policy configured with the same parameters. Tunnel Site 1 Site 2
  • 50. Crypto ISAKMP Key
    router(config)# crypto isakmp key keystring address peer-address
    router(config)# crypto isakmp key keystring hostname hostname
    Parameters:
    keystring: Specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers.
    peer-address: Specifies the IP address of the remote peer.
    hostname: Specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com).
    • The peer-address or peer-hostname can be used, but must be used consistently between peers.
    • If the peer-hostname is used, then the crypto isakmp identity hostname command must also be configured.
  • 51. Sample Configuration
    Topology: Site 1 (10.0.1.0/24, host 10.0.1.3), R1, Internet, R2, Site 2 (10.0.2.0/24, host 10.0.2.3)
    R1(config)# crypto isakmp policy 110
    R1(config-isakmp)# authentication pre-share
    R1(config-isakmp)# encryption 3des
    R1(config-isakmp)# group 2
    R1(config-isakmp)# hash sha
    R1(config-isakmp)# lifetime 43200
    R1(config-isakmp)# exit
    R1(config)# crypto isakmp key cisco123 address 172.30.2.2
    R1(config)#
    R2(config)# crypto isakmp policy 110
    R2(config-isakmp)# authentication pre-share
    R2(config-isakmp)# encryption 3des
    R2(config-isakmp)# group 2
    R2(config-isakmp)# hash sha
    R2(config-isakmp)# lifetime 43200
    R2(config-isakmp)# exit
    R2(config)# crypto isakmp key cisco123 address 172.30.1.2
    R2(config)#
    Note:
    • The keystring cisco123 matches on both peers.
    • The address identity method is specified.
    • The ISAKMP policies are compatible.
    • Default values do not have to be configured.
  • 52. Task 3: Configure the Transform Set
    router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3]
    A transform set is a combination of IPsec transforms that enact a security policy for traffic.
    crypto ipsec transform-set parameters:
    transform-set-name: Specifies the name of the transform set to create (or modify).
    transform1, transform2, transform3: Type of transform set. You may specify up to four transforms: one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication. These transforms define the IP Security (IPsec) security protocols and algorithms.
  • 53. Transform Sets
    Topology: Host A (10.0.1.3), R1 (172.30.1.2), Internet, R2 (172.30.2.2), Host B (10.0.2.3)
    Transform sets on R1, offered in order:
      transform-set ALPHA: esp-3des, tunnel
      transform-set BETA: esp-des, esp-md5-hmac, tunnel
      transform-set CHARLIE: esp-3des, esp-sha-hmac, tunnel
    Transform sets on R2:
      transform-set RED: esp-des, tunnel
      transform-set BLUE: esp-des, ah-sha-hmac, tunnel
      transform-set YELLOW: esp-3des, esp-sha-hmac, tunnel
    • Transform sets are negotiated during IKE Phase 2.
    • Attempts 1 through 8 find no match; the 9th attempt finds matching transform sets (CHARLIE - YELLOW).
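    The matching order behind the "Multiple Policies" and "Policy Negotiations" slides (IKE Phase 1) and the nine attempts on the transform-set slide (IKE Phase 2) can be modelled in a few lines. The following Python is an added illustration, not Cisco IOS code or anything from the slide deck; the policy and transform-set data are constructed from the slides, and the lifetime rule (the shorter of the two lifetimes is used) is the documented IOS behaviour.

```python
"""Model of the two IKE negotiation steps the slides walk through:
Phase 1 (ISAKMP policy matching) and Phase 2 (transform-set matching).
Added example with constructed data; not Cisco IOS code."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' entry. Fields left unset take
    the IOS defaults from the ISAKMP parameter table (des/sha/rsa-sig/DH1/86400)."""
    priority: int
    encryption: str = "des"
    hash: str = "sha"
    authentication: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400


def negotiate_phase1(initiator: List[IsakmpPolicy],
                     responder: List[IsakmpPolicy]) -> Optional[Tuple[int, int, int]]:
    """The initiator offers all of its policies; the responder walks its own
    policies from highest priority (lowest number) down and takes the first
    one whose encryption, hash, authentication and DH group are identical to
    an offered policy. Lifetime need not match: the shorter one is used.
    Returns (responder_priority, initiator_priority, lifetime) or None."""
    offered = sorted(initiator, key=lambda p: p.priority)
    for rp in sorted(responder, key=lambda p: p.priority):
        for ip in offered:
            if (rp.encryption, rp.hash, rp.authentication, rp.group) == \
                    (ip.encryption, ip.hash, ip.authentication, ip.group):
                return rp.priority, ip.priority, min(rp.lifetime, ip.lifetime)
    return None


# A transform set is (name, set of transforms, mode); names are locally significant.
TransformSet = Tuple[str, FrozenSet[str], str]


def negotiate_phase2(initiator_sets: List[TransformSet],
                     responder_sets: List[TransformSet]) -> Optional[Tuple[int, str, str]]:
    """Each transform set offered by the initiator is compared, in order,
    against each of the responder's sets; transforms and mode must be identical.
    Returns (attempt_number, initiator_name, responder_name) or None."""
    attempt = 0
    for iname, itf, imode in initiator_sets:
        for rname, rtf, rmode in responder_sets:
            attempt += 1
            if itf == rtf and imode == rmode:
                return attempt, iname, rname
    return None


def ts(name: str, transforms: List[str], mode: str = "tunnel") -> TransformSet:
    return (name, frozenset(transforms), mode)


# --- constructed inputs taken from the slides --------------------------------
R1_SLIDE48 = [IsakmpPolicy(100, hash="md5", authentication="pre-share"),
              IsakmpPolicy(200, hash="sha", authentication="rsa-sig"),
              IsakmpPolicy(300, hash="md5", authentication="rsa-sig")]
R2_SLIDE48 = [IsakmpPolicy(100, hash="md5", authentication="pre-share"),
              IsakmpPolicy(200, hash="sha", authentication="rsa-sig"),
              IsakmpPolicy(300, hash="md5", authentication="pre-share")]

R1_SLIDE49 = [IsakmpPolicy(110, "3des", "sha", "pre-share", 2, 43200)]
R2_SLIDE49 = [IsakmpPolicy(100, "3des", "sha", "pre-share", 2, 43200)]

R1_SLIDE53 = [ts("ALPHA", ["esp-3des"]),
              ts("BETA", ["esp-des", "esp-md5-hmac"]),
              ts("CHARLIE", ["esp-3des", "esp-sha-hmac"])]
R2_SLIDE53 = [ts("RED", ["esp-des"]),
              ts("BLUE", ["esp-des", "ah-sha-hmac"]),
              ts("YELLOW", ["esp-3des", "esp-sha-hmac"])]

if __name__ == "__main__":
    print("slide 48:", negotiate_phase1(R1_SLIDE48, R2_SLIDE48))   # (100, 100, 86400)
    print("slide 49:", negotiate_phase1(R1_SLIDE49, R2_SLIDE49))   # (100, 110, 43200)
    print("slide 53:", negotiate_phase2(R1_SLIDE53, R2_SLIDE53))   # (9, 'CHARLIE', 'YELLOW')
```

    The Phase 1 function also shows why a peer left entirely at defaults never matches the slide 49 policy: the default suite is DES, SHA, rsa-sig, DH group 1, and all four of those fields must be identical before the priority numbers (110 versus 100) are even considered.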
  • 54. Sample Configuration
    Topology: Site 1 (host A, 10.0.1.3), R1 (172.30.1.2), Internet, R2 (172.30.2.2), Site 2 (host B, 10.0.2.3)
    R1(config)# crypto isakmp key cisco123 address 172.30.2.2
    R1(config)# crypto ipsec transform-set MYSET esp-aes 128
    R1(cfg-crypto-trans)# exit
    R1(config)#
    R2(config)# crypto isakmp key cisco123 address 172.30.1.2
    R2(config)# crypto ipsec transform-set OTHERSET esp-aes 128
    R2(cfg-crypto-trans)# exit
    Note:
    • Peers must share the same transform set settings.
    • Names are only locally significant.
  • 55. Task 4: Configure the Crypto ACLs
    Host A, R1, Internet
    Outbound traffic: Encrypt, or Bypass (plaintext)
    Inbound traffic: Permit, Bypass (plaintext), or Discard (plaintext)
    • Outbound indicates the data flow to be protected by IPsec.
    • Inbound filters and discards traffic that should have been protected by IPsec.
  • 56. Command Syntax
    Topology: Site 1 10.0.1.0/24 (host 10.0.1.3), R1 S0/0/0 172.30.1.2, Internet, R2 S0/0/0 172.30.2.2, Site 2 10.0.2.0/24 (host 10.0.2.3)
    router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
    access-list access-list-number parameters:
    permit: Causes all IP traffic that matches the specified conditions to be protected by cryptography, using the policy described by the corresponding crypto map entry.
    deny: Instructs the router to route traffic in plaintext.
    protocol: Specifies which traffic to protect by cryptography based on the protocol, such as TCP, UDP, or ICMP. If the protocol is IP, then all IP traffic that matches that permit statement is encrypted.
    source and destination: If the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, then the traffic between the specified source and destination is sent in plaintext.
  • 57. Symmetric Crypto ACLs
    Topology: Site 1 10.0.1.0/24 (host 10.0.1.3), R1 S0/0/0 172.30.1.2, Internet, R2 S0/0/0 172.30.2.2, Site 2 10.0.2.0/24 (host 10.0.2.3)
    Applied to R1 S0/0/0 outbound traffic:
    R1(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
    (when evaluating inbound traffic: source 10.0.2.0, destination 10.0.1.0)
    Applied to R2 S0/0/0 outbound traffic:
    R2(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
    (when evaluating inbound traffic: source 10.0.1.0, destination 10.0.2.0)
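    A crypto ACL that is not the exact mirror of its peer's is one of the most common causes of a tunnel that passes traffic in only one direction or drops the return traffic as unprotected plaintext. The Python below is an added pre-change check, not Cisco code or part of the slide deck: it parses the two access-list lines from the slide (constructed input) and confirms that every entry on one peer has a same-action, same-protocol entry with source and destination swapped on the other.

```python
"""Check that the crypto ACLs on two IPsec peers are mirror images.
Added example, not Cisco code; ACL text is constructed from the slide."""
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network


def _parse_addr(tokens: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Parse one IOS address spec at tokens[i]: 'any', 'host A.B.C.D', or
    'A.B.C.D wildcard'. Returns (network, index of the next token)."""
    if tokens[i] == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Net(f"{tokens[i + 1]}/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return IPv4Net(f"{addr}/{mask}", strict=False), i + 2


def parse_ace(line: str) -> Dict:
    """Parse 'access-list <n> {permit|deny} <proto> <src> <dst>' into a dict.
    A leading 'R1(config)#' prompt is tolerated; trailing options are ignored."""
    t = line.split()
    if t[0].endswith("#"):
        t = t[1:]
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, proto = int(t[1]), t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return {"acl": number, "action": action, "protocol": proto, "src": src, "dst": dst}


def check_symmetric(local_acl: List[str], remote_acl: List[str]) -> List[str]:
    """Return a list of problems. Empty means every local entry has a mirror
    (same action and protocol, source and destination swapped) on the remote
    peer and vice versa."""
    local = [parse_ace(line) for line in local_acl]
    remote = [parse_ace(line) for line in remote_acl]

    def has_mirror(ace: Dict, others: List[Dict]) -> bool:
        return any(o["action"] == ace["action"] and o["protocol"] == ace["protocol"]
                   and o["src"] == ace["dst"] and o["dst"] == ace["src"]
                   for o in others)

    problems = []
    for side, entries, others in (("local", local, remote), ("remote", remote, local)):
        for ace in entries:
            if not has_mirror(ace, others):
                problems.append(f"{side} {ace['action']} {ace['protocol']} "
                                f"{ace['src']} -> {ace['dst']} has no mirror on the other peer")
    return problems


# Constructed from the slide: R1 uses ACL 110, R2 uses ACL 101.
R1_ACL = ["R1(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255"]
R2_ACL = ["R2(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255"]
# Constructed mistake: the remote subnet on R2 was typed as 10.0.3.0.
R2_ACL_BAD = ["access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255"]

if __name__ == "__main__":
    print(check_symmetric(R1_ACL, R2_ACL))       # []
    for p in check_symmetric(R1_ACL, R2_ACL_BAD):
        print("PROBLEM:", p)
```

    Run it against the running configurations of both routers before applying a crypto map; the ACL numbers (110 and 101 here) do not need to match, only the address pairs do.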
  • 58. Task 5: Apply the Crypto Map
    Topology: Site 1 (10.0.1.3), R1, Internet, R2, Site 2 (10.0.2.3)
    Crypto maps define the following:
    • ACL to be used
    • Remote VPN peers
    • Transform set to be used
    • Key management method
    • SA lifetimes
    The crypto map is applied to the router interface or subinterface that carries the encrypted traffic.
  • 59. Crypto Map Command
    router(config)# crypto map map-name seq-num ipsec-manual
    router(config)# crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
    crypto map parameters:
    map-name: Defines the name assigned to the crypto map set or indicates the name of the crypto map to edit.
    seq-num: The number assigned to the crypto map entry.
    ipsec-manual: Indicates that ISAKMP will not be used to establish the IPsec SAs.
    ipsec-isakmp: Indicates that ISAKMP will be used to establish the IPsec SAs.
    cisco: (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic.
    dynamic: (Optional) Specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available.
    dynamic-map-name: (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.
  • 60. Crypto Map Configuration Mode Commands
    set: Used with the peer, pfs, transform-set, and security-association commands.
    peer [hostname | ip-address]: Specifies the allowed IPsec peer by IP address or hostname.
    pfs [group1 | group2]: Specifies DH Group 1 or Group 2.
    transform-set [set_name(s)]: Specifies the list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified.
    security-association lifetime: Sets SA lifetime parameters in seconds or kilobytes.
    match address [access-list-id | name]: Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP-extended ACL being matched.
    no: Used to delete commands entered with the set command.
    exit: Exits crypto map configuration mode.
  • 61. Sample Configuration
    Topology: Site 1 10.0.1.0/24 (host 10.0.1.3), R1, Internet, R2 S0/0/0 172.30.2.2 and R3 S0/0/0 172.30.3.2, Site 2 10.0.2.0/24 (host 10.0.2.3)
    Multiple peers can be specified for redundancy.
    R1(config)# crypto map MYMAP 10 ipsec-isakmp
    R1(config-crypto-map)# match address 110
    R1(config-crypto-map)# set peer 172.30.2.2 default
    R1(config-crypto-map)# set peer 172.30.3.2
    R1(config-crypto-map)# set pfs group1
    R1(config-crypto-map)# set transform-set mine
    R1(config-crypto-map)# set security-association lifetime seconds 86400
  • 62. Assign the Crypto Map Set
    Topology: Site 1 10.0.1.0/24 (host 10.0.1.3), R1 S0/0/0 172.30.1.2 (crypto map MYMAP), Internet, R2 S0/0/0 172.30.2.2, Site 2 10.0.2.0/24 (host 10.0.2.3)
    router(config-if)# crypto map map-name
    • Applies the crypto map to the outgoing interface
    • Activates the IPsec policy
    R1(config)# interface serial0/0/0
    R1(config-if)# crypto map MYMAP
  • 63. CLI Commands
    Command                            Description
    show crypto map                    Displays configured crypto maps
    show crypto isakmp policy          Displays configured IKE policies
    show crypto ipsec sa               Displays established IPsec tunnels
    show crypto ipsec transform-set    Displays configured IPsec transform sets
    debug crypto isakmp                Debugs IKE events
    debug crypto ipsec                 Debugs IPsec events
  • 64. show crypto map
    router# show crypto map
    Displays the currently configured crypto maps.
    Topology: Site 1 10.0.1.0/24 (host 10.0.1.3), R1 S0/0/0 172.30.1.2, Internet, R2 S0/0/0 172.30.2.2, Site 2 10.0.2.0/24 (host 10.0.2.3)
    R1# show crypto map
    Crypto Map "MYMAP" 10 ipsec-isakmp
            Peer = 172.30.2.2
            Extended IP access list 110
                access-list 102 permit ip host 10.0.1.3 host 10.0.2.3
            Current peer: 172.30.2.2
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={ MYSET, }
  • 65. show crypto isakmp policy
    router# show crypto isakmp policy
    Topology: Site 1 10.0.1.0/24 (host 10.0.1.3), R1 S0/0/0 172.30.1.2, Internet, R2 S0/0/0 172.30.2.2, Site 2 10.0.2.0/24 (host 10.0.2.3)
    R1# show crypto isakmp policy
    Protection suite of priority 110
            encryption algorithm:   3DES - Data Encryption Standard (168 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  preshared
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
  • 66. show crypto ipsec transform-set
    router# show crypto ipsec transform-set
    Displays the currently defined transform sets.
    Topology: Site 1 10.0.1.0/24 (host 10.0.1.3), R1 S0/0/0 172.30.1.2, Internet, R2 S0/0/0 172.30.2.2, Site 2 10.0.2.0/24 (host 10.0.2.3)
    R1# show crypto ipsec transform-set
    Transform set AES_SHA: { esp-128-aes esp-sha-hmac }
       will negotiate = { Tunnel, },
  • 67. show crypto ipsec sa
    Topology: Site 1 10.0.1.0/24 (host 10.0.1.3), R1 S0/0/0 172.30.1.2, Internet, R2 S0/0/0 172.30.2.2, Site 2 10.0.2.0/24 (host 10.0.2.3)
    R1# show crypto ipsec sa
    Interface: Serial0/0/0
        Crypto map tag: MYMAP, local addr. 172.30.1.2
       local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
       current_peer: 172.30.2.2
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
        #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
         path mtu 1500, media mtu 1500
         current outbound spi: 8AE1C9C
  • 68. debug crypto isakmp
    router# debug crypto isakmp
    1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
    1d00h: ISAKMP (0:1); no offers accepted!
    1d00h: ISAKMP (0:1): SA not acceptable!
    1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2
    • This is an example of the Main Mode error message.
    • The failure of Main Mode suggests that the Phase I policy does not match on both sides.
    • Verify that the Phase I policy is on both peers and ensure that all the attributes match.
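    The counters in show crypto ipsec sa and the IKMP_MODE_FAILURE message in debug crypto isakmp are the two outputs an operator reads first when a tunnel misbehaves. The Python below is an added triage helper, not Cisco code or part of the slide deck: it parses both outputs (the samples are constructed from the slides, with a second, one-way-traffic variant made up for contrast) and turns them into plain findings. The interpretation of the counters (encaps without decaps means the far end is not sending protected traffic back; a Main Mode failure points at Phase 1) follows the slides; the exact wording of the findings is this example's own.

```python
"""Triage helpers for 'show crypto ipsec sa' counters and
'debug crypto isakmp' messages. Added example, not Cisco code;
the sample outputs are constructed from the slides."""
import re
from typing import Dict, List

_COUNTERS = {
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors\s*(\d+)"),
    "recv_errors": re.compile(r"#recv errors\s*(\d+)"),
}
_PEER = re.compile(r"current_peer:\s*(\S+)")
_MODE_FAILURE = re.compile(
    r"%CRYPTO-6-IKMP_MODE_FAILURE: Processing of (\w+ Mode) failed with peer at (\S+)")


def parse_ipsec_sa(output: str) -> Dict[str, object]:
    """Pull the packet counters and the peer out of 'show crypto ipsec sa' text."""
    found: Dict[str, object] = {}
    for name, rx in _COUNTERS.items():
        m = rx.search(output)
        found[name] = int(m.group(1)) if m else 0
    m = _PEER.search(output)
    found["peer"] = m.group(1) if m else "?"
    return found


def triage_ipsec_sa(output: str) -> List[str]:
    """Explain what the counters say about the tunnel. Empty list = healthy."""
    c = parse_ipsec_sa(output)
    findings = []
    if c["encaps"] == 0 and c["decaps"] == 0:
        findings.append(f"no traffic has used the SA with {c['peer']}: check the crypto ACL and routing")
    elif c["decaps"] == 0:
        findings.append(f"packets encrypted toward {c['peer']} but none received back: "
                        "check the remote crypto ACL, remote routing, or a filter in the path")
    elif c["encaps"] == 0:
        findings.append(f"packets received from {c['peer']} but none sent: check the local crypto ACL and routing")
    if c["send_errors"]:
        findings.append(f"{c['send_errors']} send errors")
    if c["recv_errors"]:
        findings.append(f"{c['recv_errors']} receive errors: inbound packets were dropped after arrival")
    return findings


def triage_isakmp_debug(lines: List[str]) -> List[str]:
    """Map IKMP_MODE_FAILURE messages to the negotiation phase that failed."""
    findings = []
    for line in lines:
        m = _MODE_FAILURE.search(line)
        if m:
            mode, peer = m.groups()
            if mode in ("Main Mode", "Aggressive Mode"):
                phase = "Phase 1: compare the ISAKMP policy attributes on both peers"
            else:
                phase = "Phase 2: compare transform sets and crypto ACLs on both peers"
            findings.append(f"{mode} failed with {peer}: {phase}")
    return findings


# Constructed sample: the healthy output from the slide.
SA_HEALTHY = """\
   current_peer: 172.30.2.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
"""
# Constructed sample: same SA, but nothing ever comes back from the peer.
SA_ONEWAY = SA_HEALTHY.replace("#pkts decaps: 21, #pkts decrypt: 21", "#pkts decaps: 0, #pkts decrypt: 0")
# Constructed sample: the debug lines from the slide.
DEBUG_LINES = [
    "1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0",
    "1d00h: ISAKMP (0:1): SA not acceptable!",
    "1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2",
]

if __name__ == "__main__":
    print(triage_ipsec_sa(SA_HEALTHY))      # []
    print(triage_ipsec_sa(SA_ONEWAY))       # one finding naming 172.30.2.2
    print(triage_isakmp_debug(DEBUG_LINES)) # one Phase 1 finding
```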
  • 69. Starting a VPN Wizard
    1. Click Configure in the main toolbar.
    2. Click the VPN button to open the VPN page.
    3. Choose a wizard. Wizards for IPsec solutions include the VPN types and the individual IPsec components.
    4. Click the VPN implementation subtype. Subtypes vary based on the VPN wizard chosen.
    5. Click the Launch the Selected Task button.
  • 70. VPN Components
    • VPN wizards
    • Individual IPsec components used to build VPNs
    • SSL VPN parameters
    • Easy VPN server parameters
    • Public key certificate parameters
    • Encrypt VPN passwords
  • 71. Configuring a Site-to-Site VPN
    1. Choose Configure > VPN > Site-to-Site VPN.
    2. Click Create a Site-to-Site VPN.
    3. Click the Launch the Selected Task button.
  • 72. Site-to-Site VPN Wizard
    Choose the wizard mode, then click Next to proceed to the configuration of parameters.
  • 73. Quick Setup
    Configure the parameters:
    • Interface to use
    • Peer identity information
    • Authentication method
    • Traffic to encrypt
  • 74. Verify Parameters
  • 75. Step-by-Step Wizard
    1. Choose the outside interface that is used to connect to the IPsec peer.
    2. Specify the IP address of the peer.
    3. Choose the authentication method and specify the credentials.
    4. Click Next.
  • 76. Creating a Custom IKE Proposal
    1. Click Add to define a proposal.
    2. Make the selections to configure the IKE policy and click OK.
    3. Click Next.
  • 77. Creating a Custom IPsec Transform Set
    1. Click Add.
    2. Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation and optional compression.
    3. Click Next.
  • 78. Protecting Traffic: Subnet to Subnet
    1. Click Protect All Traffic Between the Following Subnets.
    2. Define the IP address and subnet mask of the local network.
    3. Define the IP address and subnet mask of the remote network.
  • 79. Protecting Traffic: Custom ACL
    1. Click the Create/Select an Access-List for IPSec Traffic radio button.
    2. Click the ellipsis button to choose an existing ACL or create a new one.
    3. To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option.
  • 80. Add a Rule
    1. Give the access rule a name and description.
    2. Click Add.
  • 81. Configuring a New Rule Entry
    1. Choose an action and enter a description of the rule entry.
    2. Define the source hosts or networks in the Source Host/Network pane and the destination hosts or networks in the Destination Host/Network pane.
    3. (Optional) To provide protection for specific protocols, choose the specific protocol radio button and the desired port numbers.
  • 82. Configuration Summary
    • Click Back to modify the configuration.
    • Click Finish to complete the configuration.
  • 83. Verify VPN Configuration
    Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN.
    • Check VPN status.
    • Create a mirroring configuration if no Cisco SDM is available on the peer.
    • Test the VPN configuration.
  • 84. Monitor
    Choose Monitor > VPN Status > IPSec Tunnels. Lists all IPsec tunnels, their parameters, and status.
  • 85. Telecommuting
    • Flexibility in working location and working hours
    • Employers save on real-estate, utility and other overhead costs
    • Succeeds if the program is voluntary, subject to management discretion, and operationally feasible
  • 86. Telecommuting Benefits
    • Organizational benefits:
      - Continuity of operations
      - Increased responsiveness
      - Secure, reliable, and manageable access to information
      - Cost-effective integration of data, voice, video, and applications
      - Increased employee productivity, satisfaction, and retention
    • Social benefits:
      - Increased employment opportunities for marginalized groups
      - Less travel and commuter-related stress
    • Environmental benefits:
      - Reduced carbon footprints, both for individual workers and organizations
  • 87. Implementing Remote Access
  • 88. Methods for Deploying Remote Access
    • IPsec Remote Access VPN: any application
    • SSL-Based VPN: anywhere access
  • 89. Comparison of SSL and IPsec
    Feature            SSL                                                    IPsec
    Applications       Web-enabled applications, file sharing, e-mail         All IP-based applications
    Encryption         Moderate; key lengths from 40 bits to 128 bits         Stronger; key lengths from 56 bits to 256 bits
    Authentication     Moderate; one-way or two-way authentication            Strong; two-way authentication using shared secrets or digital certificates
    Ease of Use        Very high                                              Moderate; can be challenging to nontechnical users
    Overall Security   Moderate; any device can connect                       Strong; only specific devices with specific configurations can connect
  • 90. SSL VPNs
    • Integrated security and routing
    • Browser-based full network SSL VPN access
    (Figure: SSL VPN tunnel from a remote user across the Internet to workplace resources at headquarters)
  • 91. Types of Access
  • 92. Full Tunnel Client Access Mode
  • 93. Establishing an SSL Session
    Between a user running an SSL client and an SSL VPN enabled ISR router:
    1. The user makes a connection to TCP port 443.
    2. The router replies with a digitally signed public key.
    3. The user software creates a shared-secret key.
    4. The shared-secret key, encrypted with the public key of the server, is sent to the router.
    5. Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm.
  • 94. SSL VPN Design Considerations
    • User connectivity
    • Router feature
    • Infrastructure planning
    • Implementation scope
  • 95. Cisco Easy VPN
    • Negotiates tunnel parameters
    • Establishes tunnels according to set parameters
    • Automatically creates a NAT/PAT and associated ACLs
    • Authenticates users by usernames, group names, and passwords
    • Manages security keys for encryption and decryption
    • Authenticates, encrypts, and decrypts data through the tunnel
  • 96. Cisco Easy VPN
  • 97. Securing the VPN
    1. Initiate IKE Phase 1
    2. Establish ISAKMP SA
    3. Accept proposal
    4. Username/password challenge
    5. Username/password
    6. System parameters pushed
    7. Initiate IKE Phase 2: IPsec; IPsec SA established
    Reverse Route Injection (RRI) adds a static route entry on the router for the remote client's IP address.
  • 98. Configuring Cisco Easy VPN Server
  • 99. Configuring IKE Proposals
    1. Click Add.
    2. Specify the required parameters.
    3. Click OK.
  • 100. Creating an IPsec Transform Set
  • 101. Group Authorization and Group Policy Lookup
    1. Select the location where Easy VPN group policies can be stored.
    2. Click Next.
    3. Click Add.
    4. Configure the local group policies.
    5. Click Next.
  • 102. Summary of Configuration Parameters
  • 103. VPN Client Overview
    (Figure: VPN client connecting to R1 at R1-vpn-cluster.span.com)
    • Establishes end-to-end, encrypted VPN tunnels for secure connectivity
    • Compatible with all Cisco VPN products
    • Supports the innovative Cisco Easy VPN capabilities
  • 104. Establishing a Connection
    (Figure: connection entry "R1" to R1-vpn-cluster.span.com)
    Once authenticated, the status changes to connected.