
FACT SHEET VPN IPSEC (Cisco based)

1. Understanding VPN components: IPSec and encryption (data integrity)
a. Defining a VPN
b. Understanding the need for encryption
c. Types of encryption
2. VPN benefits
a. Cheaper connections
b. Available anywhere
c. Heavily encrypted and secure
d. Many to many connection
3. The world of IPSec
a. Authentication
b. Data Integrity
c. Confidentiality
d. Anti-Replay
4. IPSec components
a. Negotiation protocol AH, ESP
b. Encryption DES, 3DES, AES
c. Authentication MD5, SHA-1
d. Protection: DH groups 1, 2, 5, 7
5. IPSec modes of communication
a. Transport mode
b. Tunnel mode
6. Two types of encryption keys
a. Symmetric and asymmetric keys.
b. Security over public network.
c. Mixed approach.
d. Encryption algorithms used today.
i. DES (64/56), 3DES (168), AES (128, 192, 256), RSA (512, 768, 1024) and DH (768, 1024, 1536).
7. Key IPSec negotiation protocol
a. AH: authentication, data integrity
b. ESP: encryption, authentication, data integrity.
8. IPSec Negotiation process
a. Interesting traffic triggers VPN
b. IKE phase1
c. IKE phase2
d. Data transfer
e. VPN teardown
9. Interesting traffic decision
a. Encrypt using IPSec
b. Send in clear text
c. Discard.
10. IKE Phase1
a. Exchange the negotiation policy (policy list [pre-share, DH, AES])
b. Exchange DH keys
c. Identity verification
11. IKE phase2
a. IPSec transform set and encryption keys negotiated and exchanged.
b. Lifetime.
12. Designing IKE phase1 (IKE phase 1 focuses on establishing authentication and a secure tunnel for the IKE phase2 exchange)
a. Required elements
i. Remote peer IP or hostname
ii. Key distribution method
iii. Authentication method
iv. Encryption algorithm
v. Hash algorithm
vi. Lifetime

Side A IKE1 Parameters            Side B IKE1 Parameters
Encryption       AES-128          Encryption       AES-128
Hashing          SHA-1            Hashing          SHA-1
Authentication   Pre-Shared       Authentication   Pre-Shared
DH Level         2                DH Level         2
Lifetime         86400            Lifetime         86400

13. Designing IKE Phase2 policy (IKE2 focuses on establishing the secure IPSec tunnel for data transfer).
a. Required elements
i. Transform set
ii. Interesting traffic designation.
iii. IPSec crypto-map

Side A IKE2 Parameters            Side B IKE2 Parameters
Encryption       ESP-AES          Encryption       ESP-AES
Hashing          ESP-SHA-HMAC     Hashing          ESP-SHA-HMAC

14. IKE1 configurations.
a. Enable ISAKMP: Router(config)#crypto isakmp enable
b. Create an ISAKMP policy: Router(config)#crypto isakmp policy <1-10000>
c. Example policy matching the IKE1 parameters above: Router(config)#crypto isakmp policy 100
i. Router(config-isakmp)#encryption aes 128
ii. Router(config-isakmp)#authentication pre-share
iii. Router(config-isakmp)#group 2
iv. Router(config-isakmp)#hash sha

d. Configure the ISAKMP identity: Router(config)#crypto isakmp identity <address/hostname>
e. Configure pre-shared keys: Router(config)#crypto isakmp key <key> address <remote_ip>
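The phase 1 policy matching of sections 10, 12 and 14, as an added worked example (not code from the original fact sheet and not Cisco's own): a small Python model of how the responder selects an ISAKMP policy from what the initiator offers, following the rule Cisco documents (identical encryption, hash, authentication and DH group; the lifetime need not match and the shorter of the two is used), plus a check for deprecated settings. The DEPRECATED table and the sample policies are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # crypto isakmp policy <1-10000>; lower number = tried first
    encryption: str        # des | 3des | aes 128 | aes 192 | aes 256
    hash: str              # md5 | sha
    authentication: str    # pre-share | rsa-sig | rsa-encr
    group: int             # Diffie-Hellman group (1, 2, 5, 7, ...)
    lifetime: int = 86400  # seconds; the IOS default

    def attributes(self):
        # Lifetime is left out on purpose: it is not part of the match test.
        return (self.encryption, self.hash, self.authentication, self.group)

# Assumption for this example: DES, MD5 and DH group 1 are treated as unacceptable.
DEPRECATED = {"encryption": {"des"}, "hash": {"md5"}, "group": {1}}

def weak_settings(policy):
    """Names of the fields in a policy that select a deprecated algorithm."""
    return [f for f, bad in DEPRECATED.items() if getattr(policy, f) in bad]

def negotiate(responder, offered):
    """Return (responder_policy, negotiated_lifetime) or None if nothing matches.
    The responder walks its own policies lowest priority number first and
    compares each against everything the initiator offered, so the responder's
    ordering decides which acceptable policy wins; the shorter lifetime is used."""
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in offered:
            if remote.attributes() == local.attributes():
                return local, min(local.lifetime, remote.lifetime)
    return None

# Constructed sample: the Side A / Side B parameters from the fact sheet, plus
# one stronger policy on Side B (priority 10) that Side A does not offer.
SIDE_A = [IsakmpPolicy(100, "aes 128", "sha", "pre-share", 2, 86400)]
SIDE_B = [IsakmpPolicy(10, "aes 256", "sha", "pre-share", 5, 86400),
          IsakmpPolicy(100, "aes 128", "sha", "pre-share", 2, 86400)]

if __name__ == "__main__":
    print(negotiate(SIDE_B, SIDE_A))  # Side B settles on its policy 100
    print(negotiate(SIDE_B, [IsakmpPolicy(100, "aes 128", "sha", "pre-share", 14)]))  # None
    print(weak_settings(IsakmpPolicy(200, "des", "md5", "pre-share", 1)))  # ['encryption', 'hash', 'group']
```

Running it with a mismatched DH group shows the None that corresponds to the phase 1 failure you would otherwise chase with `debug crypto isakmp`.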
15. IKE2 Configurations.
a. Create transform sets: Router(config)#crypto ipsec transform-set <name> <methods>
i. Router(config)#crypto ipsec transform-set AIRTEL esp-aes 128 esp-sha-hmac
b. (optional) Configure the IPSec SA lifetime: Router(config)#crypto ipsec security-association lifetime <seconds/kilobytes> <value>
c. Create mirrored ACLs defining traffic to be
encrypted and the traffic expected to be
received encrypted
d. Set up the IPSec crypto map: Router(config)#crypto map <name> <seq> ipsec-isakmp
i. Router(config)#crypto map BHARTI 100 ipsec-isakmp
1. Router(config-cryptomap)#match address <acl>
2. Router(config-cryptomap)#set peer <remote_ip>
3. Router(config-cryptomap)#set pfs <group1/2/5>
4. Router(config-cryptomap)#set transform-set <set>
16. Verification commands
a. show crypto isakmp policy
b. show crypto ipsec transform-set
c. show crypto ipsec sa
d. show crypto map
e. debug crypto isakmp
f. debug crypto ipsec