Professional Documents
Culture Documents
C-08-IMPLEMENTING-VIRTUAL-PRIVATE-NETWORKS
8. IMPLEMENTING VIRTUAL PRIVATE NETWORKS
8.0. CHAPTER INTRODUCTION.
8.0.1. CHAPTER INTRODUCTION.
Secure site-to-site VPNs, between central and remote sites, can be implemented
using the IPsec protocol. IPsec can also be used in remote-access tunnels for
telecommuter access. The Cisco VPN Client is one method for establishing the
IPsec remote-access VPN. In addition to IPsec, the Secure Sockets Layer (SSL)
protocol can be used to established remote-access VPN connections.
In the first hands-on lab for the chapter, Configuring a Site-to-Site VPN Using
Cisco IOS and SDM, learners configure IPsec VPN settings with the CLI on
perimeter routers and then verify IPsec VPN operation. Another site-to-site IPsec
VPN is configured and verified using SDM.
1
DOCUMENT1
In a second hands-on lab, Configuring a Remote Access VPN Server and Client,
learners configure ZPF with SDM on a perimeter router, followed by Cisco Easy
VPN Server. Next, Cisco VPN client is installed and configured on a PC. A remote
access VPN connection is then tested.
A Packet Tracer activity, Configure and Verify a Site-to-Site IPsec VPN Using CLI,
provides learners additional practice implementing the technologies introduced
in this chapter. Learners secure and test a WAN connection between two remote
networks with a site-to-site IPsec VPN. Packet Tracer activities for CCNA Security
are found on Academy Connection at cisco.netacad.net.
Solutions, such as the various encryption methods and PKI, enable businesses
to securely extend their networks through the Internet. One way in which
businesses accomplish this extension is through Virtual Private Networks (VPNs).
A VPN is a private network that is created via tunneling over a public network,
usually the Internet. Instead of using a dedicated physical connection, a VPN
2
DOCUMENT1
uses virtual connections routed through the Internet from the organization to
the remote site. The first VPNs were strictly IP tunnels that did not include
authentication or encryption of the data. For example, Generic Routing
Encapsulation (GRE) is a tunneling protocol developed by Cisco that can
encapsulate a wide variety of Network Layer protocol packet types inside IP
tunnels. This creates a virtual point-to-point link to Cisco routers at remote
points over an IP internetwork. Other examples of VPNs that do not
automatically include security measures are Frame Relay, ATM PVCs, and
Multiprotocol Label Switching (MPLS) networks.
3
DOCUMENT1
In the simplest sense, a VPN connects two endpoints over a public network to
form a logical connection. The logical connections can be made at either Layer
2 or Layer 3 of the OSI model. VPN technologies can be classified broadly on
these logical connection models as Layer 2 VPNs or Layer 3 VPNs. Establishing
connectivity between sites over a Layer 2 or Layer 3 VPN is the same. A delivery
header is added in front of the payload to get it to the destination site. This
chapter focuses on Layer 3 VPN technology.
Common examples of Layer 3 VPNs are GRE, MPLS, and IPsec. Layer 3 VPNs can
be point-to-point site connections such as GRE and IPsec, or they can establish
any-to-any connectivity to many sites using MPLS.
Generic routing encapsulation (GRE) was originally developed by Cisco and later
standardized as RFC 1701. An IP delivery header for GRE is defined in RFC 1702.
A GRE tunnel between two sites that have IP reachability can be described as a
VPN, because the private data between the sites is encapsulated in a GRE
delivery header.
Pioneered by Cisco, MPLS was originally known as tag switching and later
standardized via the IETF as MPLS. Service providers are increasingly deploying
MPLS to offer MPLS VPN services to customers. MPLS VPNs use labels to
encapsulate the original data, or payload, to form a VPN.
4
DOCUMENT1
therefore, an IPsec VPN deployed over the public Internet can provide significant
cost savings to a corporation as compared to a leased-line VPN.
A site-to-site VPN is created when connection devices on both sides of the VPN
connection are aware of the VPN configuration in advance. The VPN remains
static, and internal hosts have no knowledge that a VPN exists. Frame Relay,
ATM, GRE, and MPLS VPNs are examples of site-to-site VPNs.
A remote-access VPN is created when VPN information is not statically set up,
but instead allows for dynamically changing information and can be enabled and
5
DOCUMENT1
disabled. Consider a telecommuter who needs VPN access to corporate data over
the Internet. The telecommuter does not necessarily have the VPN connection
set up at all times. The telecommuter's PC is responsible for establishing the
VPN. The information required to establish the VPN connection, such as the IP
address of the telecommuter, changes dynamically depending on the location of
the telecommuter.
Site-to-Site VPN
A site-to-site VPN is an extension of a classic WAN network. Site-to-site VPNs
connect entire networks to each other, for example, they can connect a branch
office network to a company headquarters network. In the past, a leased line or
Frame Relay connection was required to connect sites, but because most
corporations now have Internet access, these connections can be replaced with
site-to-site VPNs.
In a site-to-site VPN, hosts send and receive normal TCP/IP traffic through a
VPN gateway, which can be a router, firewall, Cisco VPN Concentrator, or Cisco
ASA 5500 Series Adaptive Security Appliance. The VPN gateway is responsible
for encapsulating and encrypting outbound traffic from a particular site and
sending it through a VPN tunnel over the Internet to a peer VPN gateway at the
target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the
content, and relays the packet toward the target host inside its private network.
6
DOCUMENT1
Remote-Access VPN
Remote-access VPNs are an evolution of circuit-switching networks, such as
plain old telephone service (POTS) or ISDN. Remote-access VPNs can support
the needs of telecommuters, mobile users, and extranet consumer-to-business
traffic. Remote-access VPNs support a client / server architecture where a VPN
client (remote host) requires secure access to the enterprise network via a VPN
server device at the network edge.
In the past, corporations supported remote users by using dial-in networks and
ISDN. With the advent of VPNs, a mobile user simply needs access to the
Internet to communicate with the central office. In the case of telecommuters,
their Internet connectivity is typically a broadband connection.
7
DOCUMENT1
In a remote-access VPN, each host typically has Cisco VPN client software.
Whenever the host tries to send traffic intended for the VPN, the Cisco VPN Client
software encapsulates and encrypts that traffic before sending it over the
Internet to the VPN gateway at the edge of the target network. Upon receipt,
the VPN gateway behaves as it does for site-to-site VPNs.
8
DOCUMENT1
SSL VPN currently delivers two modes of access: clientless and thin client. With
clientless SSL VPN, a remote client needs only an SSL-enabled web browser to
access HTTP- or HTTPS-enabled web servers on the corporate LAN. In a thin
client SSL VPN environment, a remote client must download a small, Java-based
applet for secure access of TCP applications that use static port numbers. UDP
is not supported in a thin client environment.
SSL VPNs are appropriate for user populations that require per-application or
per-server access control, or access from non-enterprise-owned desktops. SSL
VPNs are not a complete replacement for IPsec VPNs. IPsec VPNs allow secure
access to all of an organization's client/server applications. Additionally, SSL
VPNs do not support the same level of cryptographic security that IPsec VPNs
support. While SSL VPNs cannot replace IPsec VPNs, in many cases, they are
complementary because they solve different problems. This complementary
approach allows a single device to address all remote-access user requirements.
The primary benefit of SSL VPNs is that they are compatible with Dynamic
Multipoint VPNs (DMVPNs), Cisco IOS Firewalls, IPsec, intrusion prevention
systems (IPSs), Cisco Easy VPN, and Network Address Translation (NAT).
The primary restriction of SSL VPNs is that they are currently supported only in
software. The router CPU processes the SSL VPN connections. The onboard VPN
acceleration that is available in integrated services routers accelerates only IPsec
connections.
9
DOCUMENT1
The Cisco VPN product line includes several devices to support remote and site-
to-site VPN:
Cisco VPN-enabled routers and switches - A good option for customers
of all sizes looking to take advantage of their existing network infrastructures
to deploy VPNs and security while integrating all services into a single device
with the widest selection of WAN and LAN interfaces.
Cisco PIX 500 Series Security Appliances - Provide robust, enterprise-
class, integrated network security services, including stateful inspection
firewall, deep protocol and application inspection and IPsec VPN. PIX 500
Series Security Appliances are an excellent option for organizations whose
security policies recommend separate management of the security
infrastructure to set a clear demarcation between security and network
operation. The Cisco PIX 500 Series is End-of-Sale (EOS). This means it is no
longer being sold; however, there is a large installed base.
Cisco ASA 5500 Series Adaptive Security Appliances - All-in-one security
appliances that deliver enterprise-class security and IPsec VPN to small- and
medium-sized businesses and large enterprise networks in a modular,
purpose-built appliance. The appliances incorporate a wide range of
integrated security services, including firewall, IPS, and VPN. Cisco ASA 5500
Series Appliances are ideal for clients who are looking for a robust firewall
combined with comprehensive VPN support.
Cisco VPN 3000 Series Concentrators - Offer both IPsec and SSL VPN
connectivity on a single platform without the expense of individual feature
licensing. Cisco VPN 3000 Series Concentrators are EOS.
SOHO routers - Many newer broadband home routers such as Linksys also
support VPNs.
In most networks, devices are already in place. If this is the case, it is necessary
to verify if interoperability among the different devices is possible. For example,
a customer network might have a Cisco ASA 5500 Series Adaptive Security
Appliance at one site and a Cisco router at another. This site-to-site VPN
interoperability is possible by choosing, at a minimum, the following software
versions: Cisco IOS Release 12.2(8)T and Cisco ASA 5500 Series Adaptive
Security Appliance Version 8.0.
10
DOCUMENT1
With Cisco routers running Cisco IOS software, organizations can deploy and
scale site-to-site VPNs of any topology, from hub-and-spoke to the more
complex, fully meshed VPNs. In addition, the Cisco IOS security features
combine the VPN feature set with firewall, intrusion prevention, and extensive
Cisco IOS capabilities, including quality of service (QoS), multiprotocol,
multicast, and advanced routing support.
Cisco provides a suite of VPN-optimized routers. Cisco IOS software for routers
combines VPN services with routing services. The Cisco VPN software adds
strong security using encryption and authentication. These Cisco VPN-enabled
routers provide high performance for site-to-site, intranet, and extranet VPN
solutions.
11
DOCUMENT1
For VPN services, Cisco ASA 5500 Series Adaptive Security Appliances offer
flexible technologies that deliver tailored solutions to suit remote-access and
site-to-site connectivity requirements. These appliances provide easy-to-
manage IPsec and SSL VPN-based remote-access and network-aware, site-to-
site VPN connectivity. Businesses can create secure connections across public
networks to mobile users, remote sites, and business partners.
12
DOCUMENT1
Cisco ASA 5500 Series Adaptive Security Appliances offer other services, such
as intrusion prevention, Cisco SSL VPN, and advanced integration module (AIM)
to enhance the processing capabilities of the appliances. These are some of the
features that Cisco ASA 5500 Series Adaptive Security Appliances provide:
Flexible platform - Offers both IPsec and SSL VPN on a single platform,
eliminating the need to provide parallel solutions. In addition to VPN services,
Cisco ASA 5500 Series Adaptive Security Appliances offer application
inspection firewall and intrusion prevention services.
Resilient clustering - Allows remote-access deployments to scale cost-
effectively by evenly distributing VPN sessions across all Cisco ASA 5500
Series Adaptive Security Appliances and Cisco VPN 3000 Series
Concentrators, without requiring user intervention.
Cisco Easy VPN - Delivers scalable, cost-effective, and easy-to-manage
remote-access VPN architecture. Cisco ASA 5500 Series Adaptive Security
Appliances dynamically push the latest VPN security policies to remote VPN
devices and clients, making sure that those endpoint policies are up to date
before a connection is established.
Automatic Cisco VPN Client updates - Enables Cisco VPN Client software
operating on remote desktops to be automatically upgraded.
Cisco IOS SSL VPN - Offers Cisco SSL VPN with clientless and thin client
Cisco SSL VPN capabilities.
VPN infrastructure for contemporary applications - Enables converged
voice, video, and data across a secure IPsec network by combining robust
site-to-site VPN support with rich inspection capabilities, QoS, routing, and
stateful failover features.
Integrated web-based management - Provides management of the Cisco
ASA 5500 Series Adaptive Security Appliances using the integrated web-
based Cisco Adaptive Security Device Manager (ASDM). Cisco ASDM
manages all security and VPN functions of the appliances.
13
DOCUMENT1
14
DOCUMENT1
VPN Client supports Windows Vista, Windows XP, Windows 2000, Mac OS X
(Version 10.4 or later) on either Intel or PowerPC, and Red Hat Linux (Version
9 or later).
AIM - A broad range of Cisco routers can be equipped with AIM. Advanced
integration modules are installed inside the router chassis and offload
encryption tasks from the router CPU.
Cisco IPsec VPN Shared Port Adapter (SPA) - Delivers scalable and cost-
effective VPN performance for Cisco Catalyst 6500 Series Switches and Cisco
7600 Series Routers. Using the Cisco 7600 Series/Catalyst 6500 Series
Services SPA Carrier-400, each slot of the Cisco Catalyst 6500 Series Switch
or the Cisco 7600 Series Router can support up to two Cisco IPsec VPN SPAs.
Cisco PIX VPN Accelerator Card+ (VAC+) - The PIX Firewall VAC+
delivers hardware acceleration up to 425 Mb/s of DES, 3DES, or AES IPsec
encryption throughput.
15
DOCUMENT1
GRE tunnels are stateless. Each tunnel endpoint keeps no information about the
state or availability of the remote tunnel endpoint. This feature helps service
providers (SPs) provide IP tunnels to customers who are not concerned about
the internal tunneling architecture at the SP end. Customers then have the
flexibility to configure or reconfigure their IP architecture but still maintain
connectivity. It creates a virtual point-to-point link to routers at remote points
over an IP internetwork. GRE does not include any strong security mechanisms
to protect its payload.
16
DOCUMENT1
GRE encapsulates the entire original IP packet with a standard IP header and
GRE header. A GRE tunnel header contains at least two 2-byte mandatory fields:
GRE flag
Protocol type
GRE uses a protocol type field in the GRE header to support the encapsulation
of any OSI Layer 3 protocol. The GRE header, together with the tunneling IP
header, creates at least 24 bytes of additional overhead for tunneled packets.
17
DOCUMENT1
18
DOCUMENT1
The advantages of GRE are that it can be used to tunnel non-IP traffic over an
IP network. Unlike IPsec, which only supports unicast traffic, GRE supports
multicast and broadcast traffic over the tunnel link. Therefore, routing protocols
are supported in GRE.
GRE does not provide encryption. If that is needed, IPsec should be configured.
19
DOCUMENT1
20
DOCUMENT1
IPsec is an IETF standard (RFC 2401-2412) that defines how a VPN can be
configured using the IP addressing protocol. IPsec is not bound to any specific
encryption, authentication, security algorithms, or keying technology. IPsec is a
framework of open standards that spells out the rules for secure
communications. IPsec relies on existing algorithms to implement the
encryption, authentication, and key exchange.
21
DOCUMENT1
The fourth represents how the shared secret key is established. The two
methods are pre-shared or digitally signed using RSA.
The last represents the DH algorithm group. There are four separate DH key
exchange algorithms to choose from including DH Group 1 (DH1), DH Group
2 (DH2), DH Group 5 (DH5), and DH Group 7 (DH7). The type of group
selected depends on the specific needs.
IPsec provides the framework, and the administrator chooses the algorithms that
are used to implement the security services within that framework. By not
binding IPsec to specific algorithms, it allows newer and better algorithms to be
implemented without patching the existing IPsec standards.
IPsec can secure a path between a pair of gateways, a pair of hosts, or a gateway
and host. Using the IPsec framework, IPsec provides these essential security
functions:
Confidentiality - IPsec ensures confidentiality by using encryption.
Integrity - IPsec ensures that data arrives unchanged at the destination
using a hash algorithm such as MD5 or SHA.
Authentication - IPsec uses Internet Key Exchange (IKE) to authenticate
users and devices that can carry out communication independently. IKE uses
several types of authentication, including username and password, one-time
password, biometrics, pre-shared keys (PSKs), and digital certificates.
Secure key exchange - IPsec uses the DH algorithm to provide a public key
exchange method for two peers to establish a shared secret key.
22
DOCUMENT1
Confidentiality
Confidentiality is achieved through encryption of traffic as it travels down the
VPN. The degree of security depends on the length of the key of the encryption
algorithm. If someone tries to hack the key through a brute-force attack, the
number of possibilities to try is a function of the length of the key. The time to
process all the possibilities is a function of the computer power of the attacking
device. The shorter the key, the easier it is to break. A 64-bit key can take
approximately one year to break with a relatively sophisticated computer. A 128-
bit key with the same machine can take roughly 10^19 years to decrypt.
The following are some encryption algorithms and key lengths that VPNs use:
DES - Uses a 56-bit key, ensuring high-performance encryption. DES is a
symmetric key cryptosystem.
3DES - A variant of the 56-bit DES. 3DES uses three independent 56-bit
encryption keys per 64-bit block, providing significantly stronger encryption
strength over DES. 3DES is a symmetric key cryptosystem.
AES - Provides stronger security than DES and is computationally more
efficient than 3DES. AES offers three different key lengths: 128 bits, 192 bits,
and 256 bits. AES is a symmetric key cryptosystem.
23
DOCUMENT1
24
DOCUMENT1
Integrity
The next VPN-critical function is data integrity. Assume that a check for $100 is
written to Sonya from Jeremy. The check is then mailed to Sonya but intercepted
by an attacker. The attacker changes the name and amount on the check and
attempts to cash it. Depending on the forged quality of the altered check, the
attacker could be successful.
This scenario applies to VPNs because data is transported over the public
Internet. Potentially, this data could be intercepted and modified. A method of
proving data integrity is required to guarantee that the content has not been
altered. A data integrity algorithm can provide this guarantee.
25
DOCUMENT1
26
DOCUMENT1
At the local device, the authentication key and identity information (device-
specific information) are sent through the Hash algorithm forming Hash_L.
Hash_L is encrypted using the local device's private encryption key creating a
digital signature. The digital signature and a digital certificate are forwarded
to the remote device. The public encryption key for decrypting the signature
is included in the digital certificate. The remote device verifies the digital
signature by decrypting it using the public encryption key. The result is
Hash_L. Next, the remote device independently creates a hash from stored
information. If the calculated hash equals the decrypted Hash_L, the local
27
DOCUMENT1
device is authenticated. After the remote device authenticates the local device,
the authentication process begins in the opposite direction and all steps are
repeated from the remote device to the local device.
Authentication
When conducting business over long distance, it is necessary to know
(authenticate) the individual at the other end of the phone, email, or fax. The
same is true of VPN networks. The device on the other end of the VPN tunnel
must be authenticated before the communication path is considered secure.
28
DOCUMENT1
Email, courier, or overnight express can be used to send the shared secret keys
to the administrators of the devices. But the easiest key exchange method is a
public key exchange method between the encrypting and decrypting devices.
The Diffie-Hellman (DH) key agreement is a public key exchange method that
provides a way for two peers to establish a shared secret key that only they
know, even though they are communicating over an insecure channel.
29
DOCUMENT1
IPsec is a framework of open standards. IPsec spells out the messaging to secure
the communications but relies on existing algorithms. The two main IPsec
framework protocols are AH and ESP. The IPsec protocol is the first building
block of the framework. The choice of AH or ESP establishes which other building
blocks are available:
Authentication Header (AH) - AH, which is IP protocol 51, is the
appropriate protocol to use when confidentiality is not required or permitted.
It ensures that the origin of the data is either R1 or R2 and verifies that the
data has not been modified during transit. AH does not provide data
confidentiality (encryption) of packets. All text is transported unencrypted. If
the AH protocol is used alone, it provides weak protection.
Encapsulating Security Payload (ESP) - ESP, which is IP protocol 50, can
provide confidentiality and authentication. It provides confidentiality by
performing encryption on the IP packet. IP packet encryption conceals the
30
DOCUMENT1
data payload and the identities of the ultimate source and destination. ESP
provides authentication for the inner IP packet and ESP header.
Authentication provides data origin authentication and data integrity.
Although both encryption and authentication are optional in ESP, at a
minimum, one of them must be selected.
Authentication Header
AH achieves authenticity by applying a keyed one-way hash function to the
packet to create a hash or message digest. The hash is combined with the text
and is transmitted. The receiver detects changes in any part of the packet that
occur during transit by performing the same one-way hash function on the
received packet and comparing the result to the value of the message digest
that the sender supplied. The fact that the one-way hash also involves a shared
secret key between the two systems means that authenticity is assured.
The AH function is applied to the entire packet, except for any mutable IP header
fields that change in transit. For example, Time to Live (TTL) fields that are
modified by the routers along the transmission path are mutable fields.
31
DOCUMENT1
The hashes must match exactly. If one bit is changed in the transmitted packet,
the hash output on the received packet changes and the AH header will not
match.
ESP
32
DOCUMENT1
ESP can also provide integrity and authentication. First, the payload is
encrypted. Next, the encrypted payload is sent through a hash algorithm, HMAC-
MD5 or HMAC-SHA-1. The hash provides authentication and data integrity for
the data payload.
33
DOCUMENT1
The original data is well protected by ESP because the entire original IP datagram
and ESP trailer are encrypted. With ESP authentication, the encrypted IP
datagram and trailer, and the ESP header, are included in the hashing process.
Last, a new IP header is attached to the authenticated payload. The new IP
address is used to route the packet through the Internet.
34
DOCUMENT1
ESP and AH can be applied to IP packets in two different modes, transport mode
and tunnel mode.
Transport Mode
In transport mode, security is provided only for the Transport Layer of the OSI
model and above. Transport mode protects the payload of the packet but leaves
35
DOCUMENT1
the original IP address in plaintext. The original IP address is used to route the
packet through the Internet.
ESP transport mode is used between hosts. Transport mode works well with
GRE, because GRE hides the addresses of the end devices by adding its own IP.
Tunnel Mode
Tunnel mode provides security for the complete original IP packet. The original
IP packet is encrypted and then it is encapsulated in another IP packet. This is
known as IP-in-IP encryption. The IP address on the outside IP packet is used
to route the packet through the Internet.
ESP tunnel mode is used between a host and a security gateway or between two
security gateways. For gateway-to-gateway applications, rather than load IPsec
on all of the computers at the remote and corporate offices, it is easier to have
the security gateways perform the IP-in-IP encryption and encapsulation.
ESP tunnel mode is used in the IPsec remote-access application. A home office
might not have a router to perform the IPsec encapsulation and encryption. In
this case, an IPsec client running on the PC performs the IPsec IP-in-IP
encapsulation and encryption. At the corporate office, the router de-
encapsulates and decrypts the packet.
The VPN process involves selecting and applying many parameters. How does
IPsec actually negotiate these security parameters?
36
DOCUMENT1
Security Associations
An SA is a basic building block of IPsec. Security associations are maintained
within a SA database (SADB), which is established by each device. A VPN has
SA entries defining the IPsec encryption parameters as well as SA entries
defining the key exchange parameters.
All cryptographic systems, including the Caesar cipher, Vigenere cipher, Enigma
machine, to modern encryption algorithms, must deal with key management
issues. Diffie-Hellman (DH) is used to create the shared secret key. However,
IPsec uses the Internet Key Exchange (IKE) protocol to establish the key
exchange process.
37
DOCUMENT1
IKE is layered on UDP and uses UDP port 500 to exchange IKE information
between the security gateways. UDP port 500 packets must be permitted on any
IP interface involved in connecting a security gateway peer.
IKE combines these protocols to build secure IPsec connections between devices.
It establishes SAs that are mutually agreeable to each peer. Each peer must
have identical ISAKMP and IPsec parameters to establish an operational and
secure VPN. Note that the terms ISAKMP and IKE are commonly used by industry
people to refer to IKE.
38
DOCUMENT1
In Phase 1, the transform sets, hash methods, and other parameters are
determined. An IKE session begins with a router (the initiator) sending a
proposals to another router (the responder). The proposal sent by the initiator
defines which encryption and authentication protocols are acceptable, how long
keys should remain active, and whether perfect forward secrecy (PFS) should be
enforced. PFS is a property that states that keys used to protect data are not
used to derive any other keys. PFS ensures that if one key is compromised,
previous and subsequent keys remain secure.
Three exchanges transpire during IKE Phase 1. These are referred to as the first,
second, and third exchanges.
39
DOCUMENT1
First Exchange
The first exchange between the initiator and the responder establishes the basic
security policy. Peers negotiate and agree on the algorithms and hashes that are
used to secure the IKE communications. Rather than negotiate each protocol
individually, the protocols are grouped into sets, called IKE policy sets. The IKE
policy sets are exchanged first.
The initiator first transmits proposals for the encryption and authentication
schemes to be used. The responder looks for a matching ISAKMP policy. The
responder chooses a proposal that is best suited to the security situation and
then sends that proposal to the initiator. If a policy match is found between the
peers, IKE Phase 1 continues. If no match is found, the tunnel is torn down.
Policy set numbers are only locally significant to a VPN device. The policy set
numbers do not have to match between two VPN peers. In a point-to-point
application, each end might need only a single IKE policy set to be defined. In a
hub-and-spoke environment, the central site might require multiple IKE policy
sets to satisfy all the remote peers.
Second Exchange
40
DOCUMENT1
The second exchange creates and exchanges the DH public keys between the
two endpoints. DH allows two parties that have no prior knowledge of each other
to establish a shared secret key over an insecure communications channel.
The two peers run the DH key exchange protocol to acquire the keying material
that is needed by the various encryption and hashing algorithms upon which IKE
and IPsec will ultimately agree.
It is important to have sufficient keying material for the algorithms chosen. Using
the DH algorithm, each peer generates a shared secret without actually
exchanging secrets. All further negotiations are encrypted using the DH-
generated secret key.
41
DOCUMENT1
Third Exchange
Each end device must authenticate the other end device before the
communication path is considered secure. The last exchange of IKE Phase 1
authenticates the remote peer.
The initiator and recipient authenticate each other using one of the three data-
origin authentication methods:
PSK
RSA signature
RSA encrypted nonce
The Phase 1 SA negotiations are bidirectional, which means that data can be
sent and received using the same encryption key. Even if the SA negotiation
data stream between the two IPsec peers is compromised, there is little chance
that the encryption keys could be decrypted.
42
DOCUMENT1
The three exchanges of IKE Phase 1 transpire in what is called main mode. The
outcome of main mode is a secure communication path for subsequent
exchanges between the peers.
Aggressive mode negotiation is quicker, and the initiator and responder IDs pass
in plaintext.
43
DOCUMENT1
The purpose of IKE Phase 2 is to negotiate the IPsec security parameters that
will be used to secure the IPsec tunnel.
IKE Phase 2 is called quick mode and can only occur after IKE has established
the secure tunnel in Phase 1.
SAs are negotiated by the IKE process ISAKMP on behalf of IPsec, which needs
encryption keys for operation.
Quick mode negotiates the IKE Phase 2 SAs.
In this phase, the SAs that IPsec uses are unidirectional; therefore, a separate
key exchange is required for each data flow.
Quick mode also renegotiates a new IPsec SA when the IPsec SA lifetime expires.
Basically, quick mode refreshes the keying material that creates the shared
secret key based on the keying material that is derived from the DH exchange
in Phase 1.
44
DOCUMENT1
IPsec VPN negotiation involves several steps, which include Phase 1 and Phase
2 of IKE negotiation.
1. An IPsec tunnel is initiated when host A sends "interesting" traffic to host B.
Traffic is considered interesting when it travels between the IPsec peers and
meets the criteria that is defined in the crypto access control list (ACL).
2. IKE Phase 1 begins. The IPsec peers negotiate the established IKE security
association (SA) policy. When the peers are authenticated, a secure tunnel is
created using Internet Security Association and Key Management Protocol
(ISAKMP).
3. IKE Phase 2 begins. The IPsec peers use the authenticated secure tunnel to
negotiate IPsec SA transforms. The negotiation of the shared policy determines
how the IPsec tunnel is established.
4. The IPsec tunnel is created and data is transferred between the IPsec peers
based on the IPsec parameters that are configured in the IPsec transform sets.
5. The IPsec tunnel terminates when the IPsec SAs are deleted or when their
lifetime expires.
45
DOCUMENT1
Task 1. Ensure that ACLs configured on the Interface are compatible with IPsec
configuration. Usually there are restrictions on the interface that the VPN traffic
uses; for example, block all traffic that is not IPsec or IKE.
Task 2. Create an ISAKMP policy to determine the ISAKMP parameters that will
be used to establish the tunnel.
Task 3. Define the IPsec transform set. The definition of the transform set
defines the parameters that the IPsec tunnel uses. The set can include the
encryption and integrity algorithms.
Task 4. Create a crypto ACL. The crypto ACL defines which traffic is sent through
the IPsec tunnel and protected by the IPsec process.
Task 5. Create and apply a crypto map. The crypto map groups the previously
configured parameters together and defines the IPsec peer devices. The crypto
map is applied to the outgoing interface of the VPN device.
46
DOCUMENT1
The first step in configuring Cisco IOS ISAKMP is to ensure that the existing ACLs
on perimeter routers, firewalls, or other routers do not block IPsec traffic.
Perimeter routers typically implement a restrictive security policy with ACLs,
where only specific traffic is permitted, and all other traffic is denied.
Such a restrictive policy blocks IPsec traffic.
Therefore, specific permit statements must be added to the ACL.
Ensure that the ACLs are configured so that ISAKMP, Encapsulating Security
Payload (ESP), and Authentication Header (AH) traffic is not blocked at the
interfaces used by IPsec.
47
DOCUMENT1
To permit AH, ESP, and ISAKMP on an IPsec interface while denying any other
unnecessary traffic, an existing ACL must be edited or a new ACL created.
To permit AH traffic, use the access-list acl permit ahp source wildcard
destination wildcard command.
To permit ESP traffic, use the access-list acl permit esp source wildcard
destination wildcard command.
To permit ISAKMP traffic, use the access-list acl permit udp source
wildcard destination wildcard eq isakmp command.
48
DOCUMENT1
49
DOCUMENT1
The second major task in configuring Cisco IOS ISAKMP support is to define the
parameters within the IKE policy. IKE uses these parameters during negotiation
to establish ISAKMP peering between two IPsec endpoints.
50
DOCUMENT1
Two endpoints must negotiate ISAKMP policies before they agree on the SA to
use for IPsec.
51
DOCUMENT1
When the ISAKMP negotiation begins in IKE Phase 1 main mode, the peer that
initiates the negotiation sends all its policies to the remote peer, and the remote
peer tries to find a match with its own policies.
The remote peer looks for a match by comparing its own highest priority policy
against the policies it received from the other peer.
The remote peer checks each of its policies in order of its priority (highest priority
first) until a match is found.
A match is made when both policies from the two peers contain the same
encryption, hash, authentication, DH parameter values, and when the policy of
the remote peer specifies a lifetime less than or equal to the lifetime of the
policy that is being compared.
If the lifetimes are not identical, the shorter lifetime from the remote peer policy
is used.
Assign the most secure policy the smallest available priority number so that the
most secure policy finds a match before any less secure policies are configured.
52
DOCUMENT1
53
DOCUMENT1
Configure a PSK with the crypto isakmp key global configuration command.
This key must be configured if the authentication pre-share command was
configured in the ISAKMP policy.
54
DOCUMENT1
To define a transform set, specify one to four transforms using the crypto ipsec
transform-set global configuration command.
This command invokes crypto-transform configuration mode.
55
DOCUMENT1
Each transform represents an IPsec security protocol (AH or ESP) plus the
associated algorithm.
These protocols and algorithms are specified within the crypto-transform
configuration mode.
In a transform set, specify the AH protocol, the ESP protocol, or both.
If an ESP protocol is specified in a transform set, an ESP encryption
transform set or an ESP encryption transform set and an ESP
authentication transform set must be specified.
During the negotiation, the peers search for a transform set that has the same
criteria (the combination of protocols, algorithms, and other settings) at both
peers.
When a transform set is found, it is selected and applied to the protected traffic
as part of the IPsec SAs of both peers.
When ISAKMP is not used to establish SAs, a single transform set must be used.
In this instance, the transform set is not negotiated.
56
DOCUMENT1
57
DOCUMENT1
When configuring multiple transform sets, configure the transforms from most
to least secure, according to the network security policy.
IPsec peers search for a transform set that matches at both ends and agree on
one unidirectional transform proposal per SA.
For example, assume R1 and R2 are negotiating a transform set.
R1 has transform sets ALPHA, BETA, and CHARLIE configured, while R2 has RED,
BLUE, and YELLOW configured.
Each R1 transform set is compared against each R2 transform set in succession.
R1 transform sets ALPHA, BETA, and CHARLIE are compared to R2 transform set
RED. The result is no match.
All the R1 transform sets are then compared against R2 transform set BLUE.
Finally, the R1 transform sets are compared to R2 transform set YELLOW.
YELLOW is matched against the R1 transform set CHARLIE. When a transform
set match is found, it is selected and applied to the protected traffic as part of
the IPsec SAs of both peers.
58
DOCUMENT1
If desired, inbound ACLs can be created to filter and discard traffic that should
have been protected by IPsec.
The command syntax for the basic form of an extended IP ACL is:
Outbound crypto ACLs define the interesting traffic to be encrypted. All other
traffic passes as plaintext.
59
DOCUMENT1
Inbound crypto ACLs inform the router of which traffic should be received as
encrypted traffic.
When traffic matches the permit statement, the router expects that traffic to be
encrypted.
If inbound plaintext traffic is received that matches a permit statement in the
crypto ACL, that traffic is dropped.
This drop occurs because the plaintext traffic was expected to be protected by
IPsec and encrypted, but was not.
The crypto ACL is associated with a crypto map, which in turn is assigned to
a specific interface.
60
DOCUMENT1
For example, assume that for Site 1, IPsec protection is applied to traffic
between hosts on the 10.0.1.0/24 network as the data exits the R1 S0/0/0
interface in route to Site 2 hosts on the 10.0.2.0/24 network. For traffic from
Site 1 hosts on the 10.0.1.0/24 network to Site 2 hosts on the 10.0.2.0/24
network, the ACL entry on R1 is evaluated as follows:
For incoming traffic from Site 2 hosts on the 10.0.2.0/24 network to Site 1 hosts
on the 10.0.1.0/24 network, that same ACL entry on R1 is evaluated as follows:
61
DOCUMENT1
Crypto map entries that are created for IPsec combine the needed configuration
parameters of IPsec SAs, including the following parameters:
Which traffic to protect using a crypto ACL
Granularity of the flow to be protected by a set of SAs
Who the remote IPsec peer is, which determines where the IPsec-protected
traffic is sent
Local address used for the IPsec traffic (optional)
Which type of IPsec security is applied to this traffic, choosing from a list of
one or more transform sets
Crypto map entries with the same crypto map name but different map sequence
numbers are grouped into a crypto map set.
62
DOCUMENT1
Create multiple crypto map entries for a given interface if any of these conditions
exist:
Separate IPsec peers handle different data flows.
Different IPsec security must be applied to different types of traffic (to the
same or separate IPsec peers). For example, if traffic between one set of
subnets needs to be authenticated, and traffic between another set of
subnets needs to be both authenticated and encrypted. In this case, define
the different types of traffic in two separate ACLs, and create a separate
crypto map entry for each crypto ACL.
IKE is not used to establish a particular set of SAs, and multiple ACL entries
must be specified, create separate ACLs (one per permit entry) and specify
a separate crypto map entry for each ACL.
63
DOCUMENT1
64
DOCUMENT1
65