© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 8 – Implementing Virtual Private Networks
© 2012 Cisco and/or its affiliates. All rights reserved. 2 Describe the purpose and types of VPNs and define where to use VPNs in a network. Describe how to configure a GRE VPN tunnel. Describe the fundamental concepts and technologies of VPNs, and terms that IPsec VPNs use. Describe how to configure a site-to-site IPsec VPN. Configure a site-to-site IPsec VPN with PSK authentication using CLI and Cisco CCP. Describe the two common remote network access methods used in enterprise networks. Describe how the Cisco VPN Client is used in an IPsec remote-access VPN. Describe how Secure Socket Layer (SSL) is used in a remote-access VPN. Configure a remote-access IPsec VPN using CLI and Cisco CCP.
© 2012 Cisco and/or its affiliates. All rights reserved Implementing VPN Technologies 9.2 Describe VPN technologies IPsec SSL 9.3 Describe the building blocks of IPsec IKE ESP AH Tunnel mode Transport mode 9.4 Implement an IOS IPSec site-to-site VPN with pre-shared key authentication CCP CLI
© 2012 Cisco and/or its affiliates. All rights reserved. 4 A VPN is a private network that is created via tunneling over a public network. It can deployed as a site-to-site and remote access VPN. Generic routing encapsulation (GRE) is a tunneling protocol that is used to create a point-to-point link, supports multiprotocol tunneling, and can be used in combination with IPsec. IPsec is a framework of open standards that establishes the rules for secure communications. It relies on existing algorithms to achieve encryption, authentication, and key exchange. When creating a site-to-site VPN, ensure that the existing ACLs do not block IPsec traffic, define the IKE parameters and IPsec transform set, configure the crypto ACL and create and apply a crypto map. Use the CCP Quick Setup VPN wizard or the Step-by-Step wizard to create and monitor an IPsec VPN. Remote access connections can be configured using CCP.
© 2012 Cisco and/or its affiliates. All rights reserved. 5 Chapter 8 Lab A: Configuring a Site-to-Site VPN Using Cisco IOS and CCP –Part 1: Basic Router Configuration –Part 2: Configure a Site-to-Site VPN Using Cisco IOS –Part 3: Configure a Site-to-Site VPN using CCP Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client –Part 1: Basic Router Configuration –Part 2: Configuring a Remote Access VPN Chapter 8 Lab C: (Optional) Configuring a Remote Access VPN Server and Client –Part 1: Basic Router Configuration –Part 2: Configuring a Remote Access VPN
© 2012 Cisco and/or its affiliates. All rights reserved. 6
7
8
9
10
© 2012 Cisco and/or its affiliates. All rights reserved. 11
© 2012 Cisco and/or its affiliates. All rights reserved. 12 SDM has been replaced by CCP.
© 2012 Cisco and/or its affiliates. All rights reserved. 13 To explain GRE use the concept of three protocols: –Passenger protocol (i.e., IPv4 or IPv6) that needs to be encapsulated. –Carrier protocol (i.e., GRE) that is used to encapsulate the passenger protocol. –Transport protocol (i.e., IPv4 or IPv6) that is used to carry the encapsulated carrier protocol. GRE is popular to use to support routing protocols (that require broadcasts) over an IPsec VPN.
© 2012 Cisco and/or its affiliates. All rights reserved. 14 Example GRE configuration
© 2012 Cisco and/or its affiliates. All rights reserved. 15 To configure IPsec VPNs, the IOS must support crypto parameters. –Usually indicated by “k9” in the image name. (“k8” indicates limited crypto commands available)
© 2012 Cisco and/or its affiliates. All rights reserved. 16 Use the show crypto isakmp sa command to verify if the IKE Phase 1 negotiation was successful. –QM_IDLE indicates success. Use the debug crypto isakmp command to display Phase 1 and 2 negotiations.
© 2012 Cisco and/or its affiliates. All rights reserved. 17 To verify IPsec VPN tunnel functionality, use the sequence: 1.clear crypto sa 2.Generate interesting traffic to trigger VPN link 3.show crypto ipsec sa NOTE: The output of the show crypto ipsec sa command should reveal encrypted / decrypted packets. Use extended pings to generate traffic between LANs – ping {destination-IP-address} source {source-IP-address} NOTE: The first ping attempt should fail as it negotiates the initial SA. Use the debug crypto ipsec command to display Main mode negotiations.
© 2012 Cisco and/or its affiliates. All rights reserved. 18 Common problems encountered when troubleshooting VPNs include: – Incorrect ISAKMP policies configured. – Incorrect crypto keys or peer address configured. – Crypto map parameters not configured accurately. – Crypto map not applied to the correct interface (should usually be the outside interface). – Invalid ACL statements. If pings from the router do not enable the VPN: – Make sure you are using extended pings or better yet, use an actual host on the inside network.
© 2012 Cisco and/or its affiliates. All rights reserved. 19 CCP provides various VPN wizards by choosing Configure > Security > VPN. –The wizards vary depending on the type of VPN being configured. You can also test to confirm the correct tunnel configuration by clicking the Test VPN button. Verify the VPN status by choosing Monitor > Security > VPN Status > IPsec Tunnels.
© 2012 Cisco and/or its affiliates. All rights reserved. 20 Remote access VPNs can be deployed using either IPsec or SSL VPNs. –IPsec remote access VPNs are more secure and supports most applications but requires a client to be pre-installed on a host such as the Cisco VPN client or Cisco AnyConnect. –SSL remote access VPNs is more flexible as it is accessed using a web browser but can only access web enabled applications.
© 2012 Cisco and/or its affiliates. All rights reserved. 21 CategoriesSSLIPsec Application support Web-enabled applications, file sharing, All IP-based applications Encryption Moderate Key lengths from 40 bits to 128 bits Stronger Key lengths from 56 bits to 256 bits Authentication Moderate One-way or two-way authentication Strong Two-way authentication using shared secrets or digital certificates Ease of UseVery easyModerately easy Overall Security Moderate Any device can connect Strong Only specific devices with specific configurations can connect IPsec Remote Access VPN SSL-Based VPN Anywhere Access Any Application Mobile User Requirements
© 2012 Cisco and/or its affiliates. All rights reserved. 22 You will need to download the Cisco VPN client from cisco.com and provide it to students. –Cisco VPN client is available for free.
© 2012 Cisco and/or its affiliates. All rights reserved. 23 Explain to students that this chapter now applies the cryptology topics discussed in Chapter 7. To contrast between the function of a firewall (Chapter 4) and that of a VPN, explain that a firewall inside the network and a VPN protects the data traversing the outside network (Internet).
© 2012 Cisco and/or its affiliates. All rights reserved. 24 Use the analogy of a ocean for the network and each LAN is an island. –Without VPN tunnels, you must travel using a ferry between islands which means there is no privacy. –With VPN tunnels, you have your own private submarine to go from island to island. Leased lines can be compared to building bridges between nearby islands.
© 2012 Cisco and/or its affiliates. All rights reserved. 25 Another analogy is that of two lovers sending mushy letters to each other. –They know that letters will pass through many hands, including the postal service, organization, and perhaps even parents at either end. –By setting up a secret code in advance, they can send letters without someone knowing what they’re sending.
© 2012 Cisco and/or its affiliates. All rights reserved. 26 Refer back in history to how encryption has been used: – The Spartans with the Scytale – Julius Caesar for military dispatches. – Enigma machine during WWII. Contrast that with how freely information now flows. –Encourage discussion on how important VPNs are becoming. Ask “Should we be encrypting everything we send?”. –Consider the overhead (and increased latency) if we did. –When should we be using VPNs?
© 2012 Cisco and/or its affiliates. All rights reserved. 27 This chapter is best learned by applying the concepts as much as possible. –Student must get their own battle scars. Encourage students to come up with their own VPN topology scenarios.
© 2012 Cisco and/or its affiliates. All rights reserved. 28 Cisco VPN Main page – Cisco IOS Software Releases 12.4 Mainline – ome.htmlhttp:// ome.html The Cisco IOS Command Reference – htmlhttp:// html VPN client –
© 2011 Cisco and/or its affiliates. All rights reserved. 29