[Figure: VPN deployment types. Remote-access VPNs: a business partner with a Cisco router and a mobile worker with a Cisco VPN client connect over IPsec to the corporate site. Site-to-site VPNs connect whole networks over a WAN or IP network.]
[Figure: Remote-access and site-to-site VPNs across a corporate network. Hosts send and receive normal TCP/IP traffic through a VPN gateway. Components shown: a regional branch with a VPN-enabled Cisco ISR router, a business partner with a Cisco router, a mobile worker with a Cisco VPN client, MARS, IronPort, CSA agents on hosts, and web, email and DNS servers.]

SSL versus IPsec

Encryption: SSL offers a moderate range of key lengths. IPsec offers a stronger range of longer key lengths.
Authentication: SSL offers moderate, one-way or two-way authentication. IPsec offers strong, two-way authentication using shared secrets or digital certificates.

Ease of use: SSL is very high. IPsec is moderate; it can be challenging for nontechnical users, and deployment is more time consuming.

Overall security: SSL is moderate; any device can connect. IPsec is strong; only specific devices with specific configurations, such as a VPN client, can connect.

[Figure: remote site, central (main) site and Internet perimeter. Components shown: IPsec perimeter router, intranet, legacy concentrator, ASA firewall, POP, remote user, regional office with an ASA, extranet, Cisco ASA firewall, corporate network, SOHO with a Cisco router, mobile worker.]

Platform features:
• Flexible platform
• Resilient clustering
• Clientless
• AnyConnect
• Integrated web-based management
• VPN infrastructure for contemporary applications

IPsec:
• Works at the network layer, protecting and authenticating IP packets.
• It is a framework of open standards which is algorithm-independent.
• It provides data confidentiality, data integrity, and origin authentication.
[Figure: encryption, hashing and key-exchange algorithms ordered from least secure to most secure. Key lengths shown: 56 bits; 56 bits (3 times); 128 bits; 128, 192 or 256 bits; 128 bits; 160 bits; Diffie-Hellman groups (DH7 shown).]
Authentication Header

[Figure: Authentication Header between R1 and R2. All data is in plaintext.]
IKE Phase 1 Exchange

[Figure: Host A (10.0.1.3) behind R1 and Host B (10.0.2.3) behind R2. IKE policy sets shown: Policy 10 and Policy 15 (DES, MD5, pre-share, DH1, lifetime) and Policy 20 (3DES, SHA, pre-share, DH1, lifetime).]

1. Negotiate IKE policy sets. Each peer offers its configured IKE policy sets and matching IKE policies are negotiated to protect the IKE exchange.
2. DH key exchange. A DH exchange is performed to establish keying material:
   Alice (R1): private value XA, public value YA = g^XA mod p
   Bob (R2): private value XB, public value YB = g^XB mod p
   R1 sends YA to R2; R2 sends YB to R1.
   R1 computes (YB)^XA mod p = K; R2 computes (YA)^XB mod p = K.
3. Verify the peer identity.

IKE Phase 2 Exchange: negotiate IPsec policy.
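The Diffie-Hellman step above, worked through in Python with the deck's own symbols (XA, XB, YA, YB, g, p, K), as an added example that is not part of the original slides. The prime p, generator g and private values are constructed toy-sized values so the arithmetic is visible; real DH groups use far larger primes.

```python
"""Added example (not from the slide deck): the IKE Phase 1 DH exchange between
R1 (Alice) and R2 (Bob). Only YA and YB cross the wire; XA and XB stay private,
and both sides must end with the same K."""
import secrets

# Constructed toy parameters: a small prime p and a generator g.
P = 2_147_483_647   # 2**31 - 1 (toy size, for illustration only)
G = 7


def public_value(x, g=G, p=P):
    """Y = g^X mod p: the value each peer sends (YA from R1, YB from R2)."""
    return pow(g, x, p)


def shared_secret(peer_public, x, p=P):
    """K = (peer's Y)^X mod p: R1 computes (YB)^XA, R2 computes (YA)^XB."""
    return pow(peer_public, x, p)


def random_private(p=P):
    """A private value X in [2, p-2]; never transmitted."""
    return 2 + secrets.randbelow(p - 3)


def dh_exchange(xa, xb, g=G, p=P):
    """Run one exchange; returns (YA, YB, K as seen by R1, K as seen by R2)."""
    ya = public_value(xa, g, p)   # R1 -> R2: YA
    yb = public_value(xb, g, p)   # R2 -> R1: YB
    k_r1 = shared_secret(yb, xa, p)
    k_r2 = shared_secret(ya, xb, p)
    return ya, yb, k_r1, k_r2


if __name__ == "__main__":
    xa, xb = random_private(), random_private()
    ya, yb, k1, k2 = dh_exchange(xa, xb)
    print(f"YA={ya} YB={yb}")
    print(f"R1 K={k1} R2 K={k2} match={k1 == k2}")
```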
IKE Phase 1: Authenticate Peer

[Figure: Host A (10.0.1.3) at the remote office, R1, R2, and Host B (10.0.2.3) with HR servers at the corporate office.]

2. Confirm IKE policy set, calculate and send R2's DH key.
3. Calculate shared secret, verify peer identity, and confirm with peer.
4. Authenticate peer and begin Phase 2.

Peer authentication methods:
• PSKs
• RSA signatures
• RSA encrypted nonces

IKE Phase 2 Exchange: negotiate IPsec policy.
• IKE negotiates matching IPsec policies.
• Upon completion, unidirectional IPsec Security Associations (SA) are established for each protocol and algorithm combination.
IPsec operation

[Figure: Site 1 (10.0.1.0/24, Host A 10.0.1.3) behind R1 (S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, Host B 10.0.2.3) behind R2 (S0/0/0 172.30.2.2), connected over the Internet. AH, ESP and IKE run between R1 and R2.]

1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session (IKE SA).
3. R1 and R2 negotiate an IKE Phase 2 session (IPsec SA).
4. Information is exchanged via IPsec tunnel.
5. The IPsec tunnel is terminated.

• Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec.

R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1(config)#
R1(config)# interface Serial0/0/0
R1(config-if)# ip address 172.30.1.2 255.255.255.0
R1(config-if)# ip access-group 102 in
!
R1(config)# exit
R1#
R1# show access-lists
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1#
Configuring the ISAKMP pre-shared key

[Figure: Site 1 (10.0.1.0/24, 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, 10.0.2.3) behind R2, connected over the Internet.]

router(config)# crypto isakmp key keystring address peer-address
router(config)# crypto isakmp key keystring hostname hostname

Parameter descriptions:
keystring: This parameter specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers.
peer-address: This parameter specifies the IP address of the remote peer.
hostname: This parameter specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com).

Note:
• The peer-address or peer-hostname can be used, but must be used consistently between peers.
• If the peer-hostname is used, then the crypto isakmp identity hostname command must also be configured.

Policy 110 on R1: pre-share, 3DES, SHA, DH2, lifetime 43200. R2 must have an ISAKMP policy configured with the same parameters.

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)#

R2(config)# crypto isakmp policy 110
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200
R2(config-isakmp)# exit
R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)#

Comparing R1's policy 110 with an R2 policy 100 that carries the same parameters (authentication pre-share, encryption 3des, group 2, hash sha, lifetime 43200):
• The keystring cisco1234 matches.
• The address identity method is specified.
• The ISAKMP policies are compatible.
• Default values do not have to be configured.
Configuring transform sets

router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

crypto ipsec transform-set parameters:
transform-set-name: This parameter specifies the name of the transform set to create (or modify).

[Figure: Host A (10.0.1.3) behind R1 (172.30.1.2) and Host B (10.0.2.3) behind R2 (172.30.2.2) across the Internet. R1 offers transform-set ALPHA (esp-3des, tunnel) and transform-set BETA (esp-des, esp-md5-hmac, tunnel); R2 offers transform-set RED (esp-des, tunnel) and transform-set BLUE (esp-des, ah-sha-hmac, tunnel). The negotiation proceeds in numbered steps 1 to 7. Outbound traffic is either encrypted or bypassed (plaintext); inbound traffic is either permitted or bypassed.]
Configuring the crypto ACL

[Figure: Site 1 (10.0.1.0/24, 10.0.1.3) behind R1 (S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, 10.0.2.3) behind R2 (S0/0/0 172.30.2.2), connected over the Internet.]

router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

source and destination: If the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, then the traffic between the specified source and destination is sent in plaintext.
Configuring a crypto map

[Figure: Site 1 (10.0.1.0/24, 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, 10.0.2.3) behind R2 (S0/0/0 172.30.2.2), connected over the Internet.]

router(config)# crypto map map-name seq-num ipsec-manual
router(config)# crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]

crypto map parameters:
ipsec-manual: Indicates that ISAKMP will not be used to establish the IPsec SAs.
ipsec-isakmp: Indicates that ISAKMP will be used to establish the IPsec SAs.
cisco: (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic.
dynamic: (Optional) Specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available.
dynamic-map-name: (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.

Crypto map configuration commands (used with the peer, pfs, transform-set, and security-association set commands):
transform-set [set_name(s)]: Specify list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, then only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified.
peer: Multiple peers can be specified for redundancy.
security-association lifetime: Sets SA lifetime parameters in seconds or kilobytes.
match address [access-list-id | name]: Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP-extended ACL being matched.

R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer 172.30.2.2 default
R1(config-crypto-map)# set peer 172.30.3.2
R1(config-crypto-map)# set pfs group1
R1(config-crypto-map)# set transform-set mine
R1(config-crypto-map)# set security-association lifetime seconds 86400
Applying the crypto map

[Figure: Site 1 (10.0.1.0/24, 10.0.1.3) behind R1 (S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, 10.0.2.3) behind R2 (S0/0/0 172.30.2.2), connected over the Internet.]

router(config-if)# crypto map map-name

R1(config)# interface serial0/0/0
R1(config-if)# crypto map MYMAP

• Applies the crypto map to outgoing interface
• Activates the IPsec policy

Show and debug commands:
show crypto map: Displays configured crypto maps
show crypto isakmp policy: Displays configured IKE policies
show crypto ipsec sa: Displays established IPsec tunnels
show crypto ipsec transform-set: Displays configured IPsec transform sets
debug crypto isakmp: Debugs IKE events
debug crypto ipsec: Debugs IPsec events

show crypto map displays the currently configured crypto maps:

R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 110
            access-list 102 permit ip host 10.0.1.3 host 10.0.2.3
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MYSET, }
[Figure: Site 1 (10.0.1.0/24, 10.0.1.3) behind R1 (S0/0/0 172.30.1.2) and Site 2 (10.0.2.0/24, 10.0.2.3) behind R2 (S0/0/0 172.30.2.2), connected over the Internet.]

router# show crypto isakmp policy
router# debug crypto isakmp

1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2

• This is an example of the Main Mode error message.
• The failure of Main Mode suggests that the Phase I policy does not match on both sides.
• Verify that the Phase I policy is on both peers and ensure that all the attributes match.

[Figure: Cisco SSL VPN. An SSL VPN tunnel over the Internet from the remote user to headquarters gives access to workplace resources. Integrated security and routing; browser-based full network SSL VPN access.]
• Negotiates tunnel parameters
• Establishes tunnels according to set parameters
• Automatically creates a NAT / PAT and associated ACLs
• Authenticates users by usernames, group names, and passwords
• Manages security keys for encryption and decryption
• Authenticates, encrypts, and decrypts data through the tunnel
• Packet Tracer labs up on Moodle
• Test Week
  • Covers content of all 5 weeks
  • ~10 questions on each week
  • Pass: 70% for Certificate of Completion