© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L4 1 Implementing Secure Converged Wide Area Networks (ISCW)

Module 3, Lesson 4: Configuring IPsec VPN using SDM

Module Introduction
- Virtual private networks (VPNs) use encryption and tunnelling to let organisations establish secure, private, end-to-end connections over third-party networks such as the Internet
- Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security appliances and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to build VPN solutions that meet an organisation's security requirements
- This module explains the fundamental terms associated with VPNs, including the IP Security (IPsec) protocol and Internet Key Exchange (IKE). It then details how to configure the various types of VPN using the methods currently available

Objectives
- At the completion of this fourth lesson, you will be able to:
  - Describe how to configure a VPN using SDM on a Cisco router
  - Successfully configure a site-to-site VPN using SDM on Cisco routers

What is SDM?
- The Cisco Router and Security Device Manager (SDM) is an easy-to-use, Java-based device management tool for configuring LAN, WAN and security features on a router
- SDM can reside in router flash memory or on your PC
- SDM simplifies router and security configuration with intelligent wizards that let users quickly deploy, configure and monitor a Cisco access router
- SDM is aimed at people who are proficient in LAN fundamentals and basic network design but have little or no experience with the IOS CLI, or who are not security experts

What is SDM? (continued)
- SDM can also assist more advanced users
- SDM contains several other time-saving tools and wizards, including:
  - An access control list (ACL) editor
  - A VPN crypto map editor
  - A Cisco IOS CLI preview
- SDM has a Security Audit wizard that performs a comprehensive router security audit. It uses the security configurations recommended by the Cisco Technical Assistance Center (TAC) and the International Computer Security Association (ICSA) as the basis for its comparisons and default settings

SDM 'Wizards'
- Other intelligent Cisco wizards in SDM address three tasks:
  - Autodetecting misconfigurations and proposing fixes
  - Providing strong security and verifying configuration entries
  - Using device- and interface-specific defaults
- Examples of SDM wizards include:
  - Startup wizard for initial router configuration
  - One-step router lockdown wizard to harden the router
  - Policy-based firewall and access-list management, to configure firewall settings from policy rules
  - One-step site-to-site VPN wizard

SDM Installation and Use
- Use the SDM wizards for quick deployment. A suggested workflow is given in the lower part of each wizard screen to guide untrained users through the process
- Begin by configuring LAN, WAN, firewall, intrusion prevention system (IPS) and VPN, and finish by performing a security audit
- SDM is embedded and factory-installed on Cisco 800 through 3800 Series routers, and is available for download for selected router platforms (see next slide)
- NB: This course focuses specifically on SDM version 2.2a. Due to the nature of the software, changes must be expected with new revisions. Although the features and screens may vary between versions of SDM, the general concepts shown here apply to all versions

SDM Supported Platforms

SDM Home Page (screenshot callouts: 'About your router' panel; 'Configuration overview' panel; 'Configure' icon)

VPN Configuration
- To select and start a VPN wizard, follow this procedure:
  1. Click the Configure icon in the top horizontal navigation bar of the Cisco SDM main page (previous slide) to enter the configuration page
  2. Click the VPN icon in the left vertical navigation bar to open the VPN page
  3. Choose one of the available VPN wizards from the list
- The example on the next slide shows the screen that appears when you choose the Site-to-Site VPN wizard. From here you can create two types of site-to-site VPN: classic IPsec and generic routing encapsulation (GRE) over IPsec

VPN Configuration Page (screenshot callouts: wizards for IPsec solutions; individual IPsec components)

Site-to-Site VPN Components
- The VPN wizards use two sources to create a VPN connection:
  - User input during the step-by-step wizard process
  - Preconfigured VPN components
- SDM provides some default VPN components:
  - Two IKE policies
  - An IPsec transform set for the Quick Setup wizard
- Other components are created by the VPN wizards
- Some components (for example, PKI) must be configured before the wizards can be used

Site-to-Site VPN Components (continued)
- Two main components:
  - IPsec
  - IKE
- Two optional components:
  - Group policies for Easy VPN Server functionality
  - Public key infrastructure (PKI) for IKE authentication using digital certificates
- These are the individual IPsec components used to build VPNs

Starting SDM
- SDM can be started on a router by entering the IP address of the router in a browser
- If SDM has been installed on the PC, start it by double-clicking the SDM shortcut or by choosing it from the program menu (Start > Programs > Cisco Systems > Cisco SDM), then enter the IP address of the router
- Either way you log in with a privilege-15 user; connect over HTTPS (ip http secure-server on the router) rather than plain HTTP so that these credentials and the configuration are not sent in the clear
(screenshots: SDM Launcher; SDM Launch Page)

SDM Home Page

Launching the Site-to-Site VPN Wizard: Step 1

Selecting the Quick Setup or Step-by-Step Configuration Wizard: Step 2

Quick Setup

Quick Setup Configuration Summary

Step-by-Step Setup
- Multiple steps are required to configure the VPN connection:
  - Defining connection settings: outside interface, peer address, authentication credentials (pre-shared key or digital certificate)
  - Defining IKE proposals: priority, encryption algorithm, HMAC, authentication type, Diffie-Hellman group, lifetime
  - Defining IPsec transform sets: encryption algorithm, HMAC, mode of operation (tunnel or transport), compression
  - Defining the traffic to protect: a single source and destination subnet pair, or an ACL
  - Reviewing and completing the configuration
- The wizard offers DES, 3DES and MD5 alongside AES and SHA; prefer AES and SHA with the largest Diffie-Hellman group both peers support, and make sure the peer is configured with the mirror image of the same proposals and crypto ACL, otherwise IKE negotiation fails
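The mapping from the wizard's fields to the IOS CLI it generates, as an added example in Python that is not part of the course or of SDM: it renders the same kind of configuration the wizard's review screen shows, and refuses the weak algorithm choices the wizard still offers. The interface name, addresses, key, ACL number, map and transform-set names, and the minimum key length are assumptions for illustration.

```python
"""Render the Cisco IOS CLI that the SDM site-to-site wizard generates from its
step-by-step inputs, and flag weak IKE/IPsec choices before they are applied.
Added example; not SDM's code.  Interface, addresses, names and the pre-shared
key in the usage section are assumptions for illustration."""
from dataclasses import dataclass

# Algorithms the 2007 wizard still offers that a current deployment should not
# pick (assumed baseline: AES, SHA and a Diffie-Hellman group of at least 14).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {1, 2, 5}
MIN_PSK_LENGTH = 16           # assumption, not a wizard setting
IKE_LIFETIME = 86400          # seconds; the wizard's default for the IKE SA
IPSEC_LIFETIME = 3600         # seconds; the wizard's default for the IPsec SA


@dataclass
class SiteToSiteVpn:
    """One wizard run: connection settings, IKE proposal, transform set, traffic."""
    outside_interface: str     # connection settings: interface the crypto map goes on
    peer: str                  # connection settings: remote peer address
    psk: str                   # connection settings: pre-shared key
    local_subnet: str          # traffic to protect, as "network wildcard"
    remote_subnet: str
    ike_encryption: str = "aes 256"          # IKE proposal
    ike_hash: str = "sha"
    dh_group: int = 14
    ipsec_encryption: str = "esp-aes 256"    # transform set
    ipsec_hash: str = "esp-sha-hmac"
    acl_number: int = 100
    map_name: str = "SDM_CMAP_1"
    transform_name: str = "ESP-AES-SHA"


def policy_findings(vpn: SiteToSiteVpn) -> list:
    """Return the list of weak choices in the proposal; empty means acceptable."""
    findings = []
    if vpn.ike_encryption.split()[0] in WEAK_ENCRYPTION:
        findings.append(f"IKE encryption '{vpn.ike_encryption}' is weak")
    if vpn.ike_hash in WEAK_HASH:
        findings.append(f"IKE hash '{vpn.ike_hash}' is weak")
    if vpn.dh_group in WEAK_DH_GROUPS:
        findings.append(f"Diffie-Hellman group {vpn.dh_group} is too small")
    if vpn.ipsec_encryption.split()[0].removeprefix("esp-") in WEAK_ENCRYPTION:
        findings.append(f"IPsec encryption '{vpn.ipsec_encryption}' is weak")
    if vpn.ipsec_hash.removeprefix("esp-").removesuffix("-hmac") in WEAK_HASH:
        findings.append(f"IPsec HMAC '{vpn.ipsec_hash}' is weak")
    if len(vpn.psk) < MIN_PSK_LENGTH:
        findings.append(f"pre-shared key shorter than {MIN_PSK_LENGTH} characters")
    return findings


def render_config(vpn: SiteToSiteVpn) -> str:
    """Emit the CLI in the order the wizard's review screen lists it."""
    lines = [
        # IKE (Phase 1) proposal
        "crypto isakmp policy 10",
        f" encryption {vpn.ike_encryption}",
        f" hash {vpn.ike_hash}",
        " authentication pre-share",
        f" group {vpn.dh_group}",
        f" lifetime {IKE_LIFETIME}",
        # pre-shared key bound to the peer address
        f"crypto isakmp key {vpn.psk} address {vpn.peer}",
        # IPsec (Phase 2) transform set
        f"crypto ipsec transform-set {vpn.transform_name} {vpn.ipsec_encryption} {vpn.ipsec_hash}",
        " mode tunnel",
        # traffic to protect (crypto ACL); the peer needs the mirror image
        f"access-list {vpn.acl_number} permit ip {vpn.local_subnet} {vpn.remote_subnet}",
        # crypto map tying peer, transform set and ACL together
        f"crypto map {vpn.map_name} 1 ipsec-isakmp",
        f" set peer {vpn.peer}",
        f" set transform-set {vpn.transform_name}",
        f" set security-association lifetime seconds {IPSEC_LIFETIME}",
        f" match address {vpn.acl_number}",
        # apply the map to the outside interface
        f"interface {vpn.outside_interface}",
        f" crypto map {vpn.map_name}",
    ]
    return "\n".join(lines) + "\n"


def build(vpn: SiteToSiteVpn) -> str:
    """Refuse to render a configuration that contains weak choices."""
    findings = policy_findings(vpn)
    if findings:
        raise ValueError("; ".join(findings))
    return render_config(vpn)


if __name__ == "__main__":
    # Assumed lab values; the key is a placeholder, not a recommendation
    print(build(SiteToSiteVpn(
        outside_interface="FastEthernet0/0", peer="203.0.113.2",
        psk="replace-with-a-long-random-key", local_subnet="10.1.1.0 0.0.0.255",
        remote_subnet="10.2.2.0 0.0.0.255")))
```

The rendered lines correspond one-to-one with the wizard's review screen, so the CLI preview in SDM can be checked against them; build() is the place to hold the line on algorithm strength, since the wizard itself accepts any of its menu entries.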

Configuring Connection Settings

Configuring IKE Proposals

Configuring the Transform Set

Defining What Traffic to Protect: Simple Mode (Single Source and Destination Subnet)

Defining What Traffic to Protect: Using an ACL

Adding Rules to ACLs

Configuring a New ACL Rule Entry

Review the Generated Configuration

Review the Generated Configuration (continued)

Test Tunnel Configuration and Operation

Monitor Tunnel Operation

Test, Monitor and Troubleshoot Tunnel Configuration and Operation
- router# show crypto isakmp sa
  Displays all current IKE security associations (SAs). A state of QM_IDLE indicates an active IKE SA; any MM_* state means Phase 1 has not completed
- router# show crypto ipsec sa
  Displays the settings used by the current IPsec SAs. Non-zero encrypt and decrypt counters indicate a working pair of IPsec SAs (see next slide). If only the encaps/encrypt counters increase, the peer is not returning traffic: check the mirror crypto ACL and the return route on the far end

Encryption and Decryption Statistics

  Router2#sh crypto ipsec sa
  interface: FastEthernet0/0
      Crypto map tag: mikesmap, local addr
     protected vrf:
     local  ident (addr/mask/prot/port): ( / /0/0)
     remote ident (addr/mask/prot/port): ( / /0/0)
     current_peer: :500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 15, #pkts encrypt: 15, #pkts digest 0
      #pkts decaps: 15, #pkts decrypt: 15, #pkts verify 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
      local crypto endpt.: , remote crypto endpt.:
      path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
      current outbound spi: 938FF981
      ... (output continues)

  From a working tunnel!
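A check that automates what the previous two slides do by eye, added here as an example and not part of the course: it reads the text of show crypto isakmp sa and show crypto ipsec sa and classifies the tunnel, including the one-way case that non-zero counters alone would miss. The router output it parses is constructed to resemble a 12.4-era router; its addresses and crypto map name are made up.

```python
"""Decide whether an IPsec tunnel is working from the text of
`show crypto isakmp sa` and `show crypto ipsec sa`, the two checks the lesson
performs by eye.  Added example, not part of the course.  The router output
below is constructed to resemble a 12.4-era router; its addresses and crypto
map name are made up."""
import re

# Constructed sample: one Phase 1 SA in QM_IDLE, i.e. IKE negotiation completed.
SAMPLE_ISAKMP_SA = """\
dst             src             state          conn-id slot status
203.0.113.2     203.0.113.1     QM_IDLE              1    0 ACTIVE
"""

# Constructed sample: one Phase 2 SA pair with traffic in both directions.
SAMPLE_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 203.0.113.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_isakmp_sa(text: str) -> list:
    """Return (dst, src, state) for each SA row; the header row has no address."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and IPV4.fullmatch(fields[0]):
            rows.append((fields[0], fields[1], fields[2]))
    return rows


def _pkts(text: str, name: str) -> int:
    """Read a '#pkts <name>' counter; a missing counter counts as zero."""
    m = re.search(rf"#pkts {name}:?\s+(\d+)", text)
    return int(m.group(1)) if m else 0


def _errors(text: str, direction: str) -> int:
    """Read '#send errors N' or '#recv errors N'."""
    m = re.search(rf"#{direction} errors\s+(\d+)", text)
    return int(m.group(1)) if m else 0


def tunnel_verdict(isakmp_text: str, ipsec_text: str) -> str:
    """Classify the tunnel the way the lesson does by hand:
    'no-ike'  - no IKE SA in QM_IDLE, so Phase 1 never completed
    'idle'    - IKE is up but no interesting traffic has matched the crypto ACL
    'one-way' - traffic in one direction only: the peer's crypto ACL is not the
                mirror image, a return route is missing, or NAT sits in the path
    'errors'  - traffic flows both ways but send/recv errors are being counted
    'up'      - traffic flows both ways with no errors
    """
    if not any(state == "QM_IDLE" for _, _, state in parse_isakmp_sa(isakmp_text)):
        return "no-ike"
    encaps = _pkts(ipsec_text, "encaps")
    decaps = _pkts(ipsec_text, "decaps")
    if encaps == 0 and decaps == 0:
        return "idle"
    if (encaps == 0) != (decaps == 0):
        return "one-way"
    if _errors(ipsec_text, "send") or _errors(ipsec_text, "recv"):
        return "errors"
    return "up"


if __name__ == "__main__":
    print(tunnel_verdict(SAMPLE_ISAKMP_SA, SAMPLE_IPSEC_SA))
```

Run it against the captured output of both commands from the same router; the verdict names the slide to go back to, which is more useful than a bare pass/fail when the counters are non-zero in only one direction.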

Troubleshooting
- router# debug crypto isakmp
  Debugs IKE communication, showing each Phase 1 exchange and the reason a proposal or pre-shared key is rejected
- Advanced troubleshooting uses the Cisco IOS CLI and requires knowledge of Cisco IOS CLI commands
- Debug output is written to the console for every negotiation, so turn it off with undebug all once the problem is found
