Chapter 8: Implementing Virtual Private Networks


Cisco Networking Academy program, CCNA Security

Chapter 8: Objectives
In this chapter you will:
Describe VPNs and their benefits.
Identify the Cisco VPN product line and the security features of these products.
Configure a site-to-site VPN GRE tunnel.
Describe the IPsec protocol and its basic functions.
Compare AH and ESP protocols.
Describe the IKE protocol and modes.
Describe IPsec negotiation and the five steps of IPsec configuration.
Explain how to prepare IPsec by ensuring that ACLs are compatible with IPsec.
Configure IKE policies using CLI.
Configure the IPsec transform sets using CLI.
Configure the crypto ACLs using CLI.
Configure a crypto map using CLI.
Troubleshoot the IPsec configuration.
Configure IPsec using CCP.
Configure a site-to-site VPN using the Quick Setup VPN Wizard in CCP.
Configure a site-to-site VPN using the step-by-step VPN Wizard in CCP.
Troubleshoot VPNs using CCP.
Explain how the corporate landscape is changing to support telecommuting.
Compare remote-access IPsec VPNs and SSL VPNs.
Explain how SSL is used to establish a secure VPN connection.
Describe the Cisco Easy VPN feature.
Configure a VPN server using CCP.
Connect a VPN client using the Cisco VPN Client software.

Chapter 8
8.0 Introduction
8.1 VPNs
8.2 GRE VPNs
8.3 IPsec VPN Components and Operation
8.4 Implementing Site-to-Site IPsec VPNs with CLI
8.5 Implementing Site-to-Site IPsec VPNs with CCP
8.6 Implementing Remote-Access VPNs
8.7 Summary

8.1 VPNs

VPN Overview Virtual Private Networks
A Virtual Private Network (VPN) is a private network that is created via tunneling over a public network, usually the Internet. VPNs have multiple benefits, including:
Compatibility with broadband technology
Cost savings
Security
Scalability

VPN Overview Types of VPNs
In the simplest sense, a VPN connects two endpoints, such as two remote offices, over a public network to form a logical connection. The logical connections can be made at either Layer 2 or Layer 3 of the OSI model. Common examples of Layer 3 VPNs are:
Generic Routing Encapsulation (GRE)
Multiprotocol Label Switching (MPLS)
Internet Protocol Security (IPsec)

VPN Topologies Site-to-Site VPNs
A site-to-site VPN is created when the connecting devices (the VPN gateways) on both sides of the VPN connection are aware of the VPN configuration in advance. The VPN remains static, and internal hosts have no knowledge that a VPN exists.

VPN Topologies Remote-Access VPNs Allows for dynamically changing connection information and can be enabled and disabled when needed. Example – A telecommuter’s PC being responsible for establishing the VPN.

VPN Topologies Remote-Access VPNs
An evolution of circuit-switched remote access, such as plain old telephone service (POTS) dial-up or Integrated Services Digital Network (ISDN). Remote-access VPNs support a client/server architecture: a VPN client (remote host) requires secure access to the enterprise network via a VPN server device at the network edge.

VPN Topologies Site-to-Site VPNs Cont. An extension of a classic WAN network. Connect remote networks to each other. A site-to-site VPN can connect a branch office network to a company headquarter network. Replaces a leased line or Frame Relay connection, because most corporations now have Internet access.

VPN Topologies VPN Client Software Operations

VPN Topologies Cisco IOS SSL VPN The Cisco IOS SSL VPN is a technology that provides remote-access connectivity from almost any Internet-enabled location with a web browser and its native SSL encryption. SSL VPN currently delivers three modes of SSL VPN access: Clientless Thin client Full client

VPN Solutions Cisco VPN Product Lines

Product Choice                                       Remote-Access VPN   Site-to-Site VPN
Cisco VPN-Enabled Routers and Switches               Secondary role      Primary role
Cisco PIX 500 Series Security Appliances (Legacy)    Secondary role      Primary role
Cisco ASA 5500 Adaptive Security Appliances          Primary role        Secondary role
Cisco VPN 3000 Series Concentrators                  Primary role        Secondary role
SOHO Routers (Cisco 850 Series ISR and Linksys)      Primary role        Secondary role

VPN Solutions VPN Services with Cisco ASA

VPN Solutions Cisco IPsec Client Options Cisco remote-access VPNs can use three IPsec clients: Cisco VPN Client software - Installed on the PC or laptop of an individual. Cisco Remote Router VPN Client - A Cisco remote router (configured as a VPN client) that connects small office, home office (SOHO) LANs to the VPN. Cisco AnyConnect Secure Mobility Client - Next-generation VPN client that provides remote users with secure VPN connections to the Cisco ASA.

VPN Solutions Cisco VPN Hardware Modules
Hardware modules enhance performance by offloading the encryption task from the router CPU to specialized hardware:
VPN Advanced Integration Module (AIM) - A broad range of Cisco routers can be equipped with a VPN AIM installed inside the ISR chassis to offload encryption tasks from the router CPU.
Cisco IPsec VPN Shared Port Adapter (SPA) - Delivers scalable and cost-effective VPN performance for higher-end Cisco Catalyst series switches and routers.
Cisco VPN Accelerator Module 2+ (VAM2+) - Provides high performance encryption/compression and key generation services for IPsec VPN applications on Cisco 7204VXR, 7206VXR, and 7301 routers.

8.2 GRE VPNs

Configuring a Site-to-Site GRE Tunnel GRE Tunnels
There are two popular site-to-site tunneling protocols: GRE and IPsec. When should you use GRE or IPsec? Decide from the user traffic:
Is the user traffic IP only? No: use a GRE tunnel.
Yes: is the user traffic unicast only? No: use a GRE tunnel.
Yes (IP only and unicast only): use an IPsec VPN.

Configuring a Site-to-Site GRE Tunnel GRE Tunnels Cont. GRE can encapsulate almost any other type of packet. Uses IP to create a virtual point-to-point link between Cisco routers Supports multiprotocol (IP, CLNS, …) and IP multicast tunneling (and, therefore, routing protocols) Best suited for site-to-site multiprotocol VPNs RFC 1702 and RFC 2784

Configuring a Site-to-Site GRE Tunnel GRE Header
GRE encapsulates the entire original IP packet with a standard IP header and a GRE header. The GRE tunnel header contains at least two 2-byte mandatory fields:
GRE flags and version
Protocol type (the EtherType of the encapsulated packet, for example 0x0800 for IPv4)

Configuring a Site-to-Site GRE Tunnel GRE Header Cont.
GRE does not provide encryption, so tunneled traffic can be read with a protocol analyzer. GRE and IPsec can be used together: IPsec does not support multicast/broadcast and, therefore, does not forward routing protocol packets on its own. However, IPsec can encapsulate a GRE packet that encapsulates the routing traffic (GRE over IPsec).
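The GRE header described on the two slides above, built and parsed in Python as an added example (this is not part of the course material). The constructed sample tunnels an OSPF hello addressed to the 224.0.0.5 multicast group between two router WAN addresses, which shows both that GRE carries multicast (and therefore routing protocols) and that nothing in the tunnel is encrypted: the inner addresses and payload are read straight out of the bytes. The key and sequence options are the RFC 2890 extensions; all addresses and the payload are constructed test data.

```python
# Added example (not from the Cisco course material): build and parse a GRE packet with the
# standard library, to show the mandatory 2-byte flags/version and protocol-type fields and that
# the encapsulated packet travels in the clear. Addresses and payload are constructed test data.
import struct
import ipaddress

GRE_PROTOCOL = 47           # IP protocol number carried in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800     # GRE "protocol type" of an encapsulated IPv4 packet
FLAG_CHECKSUM = 0x8000      # C bit (RFC 2784)
FLAG_KEY = 0x2000           # K bit (RFC 2890)
FLAG_SEQUENCE = 0x1000      # S bit (RFC 2890)


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) followed by the payload."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:] + payload


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes, key: int = None, seq: int = None) -> bytes:
    """Wrap an inner IPv4 packet: outer IP header (protocol 47) + GRE header + inner packet."""
    flags, options = 0, b""
    if key is not None:
        flags |= FLAG_KEY
        options += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_SEQUENCE
        options += struct.pack("!I", seq)
    gre_header = struct.pack("!HH", flags, ETHERTYPE_IPV4) + options
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre_header + inner)


def gre_decapsulate(outer: bytes) -> dict:
    """Parse the outer packet; return the GRE fields, the inner packet and its plaintext addresses."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != GRE_PROTOCOL:
        raise ValueError("outer packet is not GRE (protocol 47)")
    gre = outer[ihl:]
    flags, protocol_type = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 4
    info = {"protocol_type": protocol_type, "key": None, "seq": None}
    if flags & FLAG_CHECKSUM:          # checksum + reserved1 come first when present
        offset += 4
    if flags & FLAG_KEY:
        info["key"] = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_SEQUENCE:
        info["seq"] = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    inner = gre[offset:]
    info["inner"] = inner
    # Nothing is encrypted: inner addresses and payload are readable by anyone on the path.
    info["inner_src"] = str(ipaddress.IPv4Address(inner[12:16]))
    info["inner_dst"] = str(ipaddress.IPv4Address(inner[16:20]))
    info["inner_payload"] = inner[(inner[0] & 0x0F) * 4:]
    return info


# Constructed sample: an OSPF hello (IP protocol 89) to the AllSPFRouters multicast group,
# tunneled between two router WAN addresses. GRE carries the multicast packet unchanged.
INNER = build_ipv4("10.0.1.1", "224.0.0.5", 89, b"OSPF hello (constructed)", ttl=1)
OUTER = gre_encapsulate("209.165.201.1", "209.165.202.129", INNER, key=100, seq=1)
```

Running gre_decapsulate(OUTER) returns the inner packet byte-for-byte, including its multicast destination and the plaintext payload, which is exactly what a protocol analyzer on the path would see.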

Configuring a Site-to-Site GRE Tunnel Configuring GRE
1. Create a tunnel interface: interface tunnel 0
2. Assign the tunnel an IP address.
3. Identify the source tunnel interface: tunnel source
4. Identify the tunnel destination: tunnel destination
5. (Optional) Identify the protocol to encapsulate in the GRE tunnel: tunnel mode gre ip. By default, GRE is tunneled in an IP packet.

Configuring a Site-to-Site GRE Tunnel GRE with IPsec The advantage of GRE is that it can be used to tunnel non-IP traffic over an IP network. Unlike IPsec, which only supports unicast traffic, GRE supports multicast and broadcast traffic over the tunnel link. Therefore, routing protocols are supported in GRE. GRE does not provide encryption; if needed, IPsec should be configured.

8.3 IPsec VPN Components and Operation

Introducing IPsec IPsec As an IETF Standard
IPsec is a framework of open standards developed by the IETF to create a secure tunnel at the network (IP) layer. The IETF spells out the rules for secure communications in RFC 2401 through RFC 2412 (the architecture has since been revised in RFC 4301 and its companion documents). IPsec works at the network layer, protecting and authenticating IP packets between participating IPsec devices, or peers. IPsec is not bound to any specific encryption, authentication, or keying algorithm, so newer and better algorithms can be implemented without patching the IPsec standards themselves.

Introducing IPsec IPsec As an IETF Standard Cont. The IPsec framework consists of five building blocks. The administrator selects the algorithms used to implement the security services within that framework.

Introducing IPsec IPsec as an IETF Standard Using the IPsec framework, IPsec provides these essential security functions.

Introducing IPsec Confidentiality Confidentiality is achieved through encryption.

Introducing IPsec Confidentiality Cont.
Encryption algorithms and key lengths that VPNs use:
DES (56-bit key)
3DES (168-bit key)
AES (128-, 192-, or 256-bit key)
Software-Optimized Encryption Algorithm (SEAL) (160-bit key)
DES is considered broken and 3DES is deprecated; AES should be chosen for new deployments.

Introducing IPsec Integrity A method of proving data integrity is required to guarantee that the content has not been altered. A data integrity algorithm can provide this guarantee. Hashed Message Authentication Code (HMAC) is a data integrity algorithm that guarantees the integrity of the message using a hash value.

Introducing IPsec Integrity Cont. Two common HMAC algorithms: HMAC-Message Digest 5 (HMAC-MD5) HMAC-Secure Hash Algorithm 1 (HMAC-SHA-1)

Introducing IPsec Authentication The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. There are two primary methods of configuring peer authentication: Pre-shared Keys (PSKs) RSA signatures

Introducing IPsec Secure Key Exchange
Encryption algorithms such as DES, 3DES, and AES, and the HMAC-MD5 and HMAC-SHA-1 integrity algorithms, require a symmetric, shared secret key to perform encryption and decryption and to compute and verify the hash. How do the encrypting and decrypting devices get the shared secret key? The Diffie-Hellman (DH) key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key that only they know, even over an untrusted network.

IPsec Security Protocols IPsec Framework Protocols IPsec uses two main protocols to create a security framework: AH: Authentication Header ESP: Encapsulating Security Payload

IPsec Security Protocols Authentication Header AH provides authentication and optional replay-detection services. It authenticates the sender of the data. AH operates on protocol number 51. AH supports the HMAC-MD5 and HMAC-SHA-1 algorithms.

IPsec Security Protocols Authentication Header Cont.
AH does not provide confidentiality (encryption); it is appropriate when confidentiality is not required or not permitted. All data is transported unencrypted. AH only ensures the origin of the data and verifies that the data has not been modified in transit. Used alone, AH provides weak protection because the contents remain readable. AH has problems in environments that use NAT: its integrity check covers the IP source and destination addresses, so a NAT device that rewrites an address invalidates the hash.

IPsec Security Protocols Authentication Header Cont.
The AH process occurs in this order:
1. The IP header (with its mutable fields zeroed) and the data payload are run through an HMAC using the shared secret key.
2. The resulting hash (the ICV) is placed in a new AH header, which is inserted into the original packet after the IP header.
3. The new packet is transmitted to the IPsec peer router.
4. The peer router computes the HMAC of the IP header and data payload using the shared secret key, extracts the transmitted hash from the AH header, and compares the two. If they differ, the packet is discarded.
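The AH procedure above, implemented with HMAC-SHA1-96 in the header layout RFC 4302 specifies, as an added example that is not part of the course material. It also demonstrates the NAT problem from the previous slide: a router hop that decrements the TTL (a mutable field, zeroed before hashing) leaves the ICV valid, while a NAT device rewriting the source address (which the ICV covers) makes verification fail. The key, addresses and payload are constructed test data.

```python
# Added example (not from the course material): the AH integrity check from the slide above,
# implemented with HMAC-SHA1-96 as RFC 4302 specifies, and run against a NAT rewrite to show why
# AH fails behind NAT. Key, addresses and payload are constructed test data.
import hmac
import hashlib
import struct
import ipaddress

AH_PROTOCOL = 51
ICV_LEN = 12   # HMAC-SHA1-96: the 20-byte HMAC truncated to 96 bits


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header. The checksum is left 0; AH treats it as mutable and zeroes it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def immutable_view(ip_header: bytes) -> bytes:
    """Zero the fields a router may legitimately change in transit (TOS, flags/fragment offset,
    TTL, header checksum). Source and destination addresses are NOT zeroed: AH covers them."""
    h = bytearray(ip_header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key: bytes, ip_header: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    data = immutable_view(ip_header) + ah_fixed + bytes(ICV_LEN) + payload   # ICV field zeroed
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key: bytes, src: str, dst: str, next_header: int, payload: bytes, spi: int, seq: int) -> bytes:
    """Transport-mode AH: IP header | AH (next hdr, payload len, reserved, SPI, seq, ICV) | payload."""
    ah_len = 12 + ICV_LEN                                # 24 bytes
    ip_header = ipv4_header(src, dst, AH_PROTOCOL, 20 + ah_len + len(payload))
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    return ip_header + ah_fixed + ah_icv(key, ip_header, ah_fixed, payload) + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV over the received packet and compare in constant time."""
    ip_header, rest = packet[:20], packet[20:]
    if ip_header[9] != AH_PROTOCOL:
        return False
    payload_len = rest[1]
    ah_len = (payload_len + 2) * 4
    ah_fixed, icv, payload = rest[:12], rest[12:ah_len], rest[ah_len:]
    return hmac.compare_digest(ah_icv(key, ip_header, ah_fixed, payload), icv)


def forward_hop(packet: bytes) -> bytes:
    """A normal router hop: decrement TTL, a mutable field, so the ICV still verifies."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT device does: rewrite the source address, which AH covers, so the ICV fails."""
    p = bytearray(packet)
    p[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(p)


KEY = b"constructed-demo-ah-key"   # in practice derived from the IKE Phase 2 SA
PACKET = ah_protect(KEY, "10.0.1.2", "10.0.2.2", 6, b"TCP segment (constructed)", spi=0x1000, seq=1)
```

ah_verify(KEY, forward_hop(PACKET)) is True and ah_verify(KEY, nat_rewrite_source(PACKET, "203.0.113.7")) is False, which is the whole NAT problem in two calls; ESP avoids it because its integrity check does not cover the outer IP header.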

IPsec Security Protocols ESP
ESP provides the same security services as AH (authentication and integrity) and adds encryption. It encapsulates the data to be protected. ESP operates on IP protocol number 50.

IPsec Security Protocols ESP Cont.
ESP can also provide integrity and authentication. First, the payload is encrypted using DES (default), 3DES, AES, or SEAL. Next, the encrypted payload is hashed with HMAC-MD5 or HMAC-SHA-1 to provide authentication and data integrity (encrypt-then-MAC). Because the ESP integrity check does not cover the outer IP header, ESP works through NAT where AH does not.

IPsec Security Protocols Transport and Tunnel Modes ESP and AH can be applied to IP packets in two different modes.

IPsec Security Protocols Transport and Tunnel Modes Cont.
Transport mode provides security only for the transport layer and above: it protects the payload but leaves the original IP header, including the addresses, in plaintext. ESP transport mode is used between hosts. Transport mode works well with GRE, because GRE hides the addresses of the end devices by adding its own IP header, and that outer GRE/IP packet is what IPsec protects.

IPsec Security Protocols Transport and Tunnel Modes Cont. Tunnel mode provides security for the complete original IP packet. The original IP packet is encrypted and then it is encapsulated in another IP packet (IP-in-IP encryption). ESP tunnel mode is used in remote access and site-to-site implementations.

Internet Key Exchange Security Associations The IPsec VPN solution Negotiates key exchange parameters (IKE). Establishes a shared key (DH). Authenticates the peer. Negotiates the encryption parameters. The negotiated parameters between two devices are known as a security association (SA).

Internet Key Exchange Security Associations An SA is a basic building block of IPsec. Security associations are maintained within a SA database (SADB), which is established by each device. A VPN has SA entries defining the IPsec encryption parameters as well as SA entries defining the key exchange parameters. SAs represent a policy contract between two peers or hosts, and describe how the peers use IPsec security services to protect network traffic. SAs contain all the security parameters needed to securely transport packets between the peers or hosts, and practically define the security policy used in IPsec.

Internet Key Exchange Security Associations Cont. IKE helps IPsec securely exchange cryptographic keys between distant devices. Combination of the ISAKMP and the Oakley Key Exchange Protocol. Key Management can be preconfigured with IKE (ISAKMP) or with a manual key configuration. IKE and ISAKMP are often used interchangeably. The IKE tunnel protects the SA negotiations.

Internet Key Exchange IKE Phase 1 and Phase 2
There are two phases in every IKE negotiation: Phase 1 (authentication of the peers and establishment of the IKE SA) and Phase 2 (negotiation of the IPsec SAs and their keys). IKE Phase 1 negotiation can occur in Main mode or Aggressive mode. The difference between the two is that Main mode requires the exchange of six messages while Aggressive mode requires only three.

Internet Key Exchange IKE Phase 1 and Phase 2 Cont.
IKE Phase One:
Negotiates an IKE protection suite.
Exchanges keying material to protect the IKE session (DH).
Authenticates each peer to the other.
Establishes the IKE SA.
Main mode requires the exchange of six messages while Aggressive mode only uses three messages.
IKE Phase Two:
Negotiates IPsec security parameters, known as IPsec transform sets.
Establishes IPsec SAs.
Periodically renegotiates IPsec SAs to ensure security.
Optionally performs an additional DH exchange (Perfect Forward Secrecy).

Internet Key Exchange Five Steps of IPsec
Step 1: Host A sends interesting traffic destined for Host B.
Step 2: IKE Phase 1 authenticates the IPsec peers and negotiates IKE SAs to create a secure communications channel for negotiating IPsec SAs in Phase 2.
Step 3: IKE Phase 2 negotiates IPsec SA parameters and creates matching IPsec SAs in the peers to protect data and messages exchanged between endpoints.
Step 4: Data transfer occurs between IPsec peers based on the IPsec parameters and keys stored in the SA database.
Step 5: IPsec tunnel termination occurs when the SAs are deleted or time out.

Internet Key Exchange Step 1 – Interesting Traffic

Internet Key Exchange Step 2 – IKE Phase 1 IKE Policy Negotiation

Internet Key Exchange Step 2 – IKE Phase 1 Peer Authentication with a Pre-Shared Key
Each peer proves that it knows the pre-shared secret without ever sending it:
1. RouterA randomly chooses a string and sends it to RouterB.
2. RouterB hashes the received string together with the pre-shared secret and sends the resulting hash back to RouterA.
3. RouterA calculates its own hash of the random string together with the pre-shared secret and compares it with the result received from RouterB. If they match, RouterB knows the pre-shared secret and is considered authenticated.
The roles then reverse:
4. RouterB randomly chooses a different random string and sends it to RouterA.
5. RouterA hashes the received string together with the pre-shared secret and sends the result back to RouterB.
6. RouterB calculates its own hash of the random string together with the pre-shared secret and compares it with the result received from RouterA. If they match, RouterA knows the pre-shared secret and is considered authenticated.

Internet Key Exchange Step 2 – IKE Phase 1 Peer Authentication

Internet Key Exchange Step 3 – IKE Phase 2 IPsec Negotiation

Internet Key Exchange Step 3 – IKE Phase 2 Transform Set Negotiation

Internet Key Exchange Step 3 – IKE Phase 2 Security Associations

Internet Key Exchange Step 4 IPsec Session

Internet Key Exchange Step 5 Tunnel Termination

Internet Key Exchange Three Key Exchanges
Three exchanges transpire during IKE Phase 1 Main mode. The first exchange, between the initiator and the responder, establishes the basic security policy: the peers negotiate and agree on the algorithms and hashes that are used to secure the IKE communications. Rather than negotiating each protocol individually, the protocols are grouped into sets, called IKE policy sets, which are exchanged first.

Internet Key Exchange Three Key Exchanges Cont.
The second exchange creates and exchanges the DH public values between the two endpoints.

Internet Key Exchange Three Key Exchanges Cont. Using the DH algorithm, each peer generates a shared secret without actually exchanging secrets.

Internet Key Exchange Three Key Exchanges Cont.
In the third exchange, each end device must authenticate the other before the communication path is considered secure. The initiator and responder authenticate each other using one of three data-origin authentication methods:
PSK
RSA signature
RSA encrypted nonce
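IKE Phase 1 Main mode with pre-shared-key authentication in Python, as an added example that is not course code. It carries out the DH exchange from the second exchange above using the RFC 2409 group 1 (768-bit MODP) modulus, then the mutual hash-based authentication that the earlier "Step 2" slides describe informally, in the exact RFC 2409 form: SKEYID = prf(PSK, Ni | Nr), and HASH_I / HASH_R computed over the DH public values, ISAKMP cookies, SA payload and identities. The peer identities, SA proposal bytes and PSKs are constructed. Running it with mismatched PSKs shows that DH still agrees on a secret but neither hash verifies, which is why DH alone authenticates nobody and a separate authentication method is required.

```python
# Added example (not from the course material): IKE Phase 1 main mode with pre-shared-key
# authentication as RFC 2409 specifies it. It performs the DH exchange from the slides (Oakley
# group 1) and the hash-based peer authentication that the "Step 2" slides describe informally.
# Identities, the SA proposal bytes and the PSKs are constructed test data.
import hmac
import hashlib
import secrets

# RFC 2409 section 6.1, first Oakley default group (768-bit MODP), generator 2.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GROUP1_G = 2
GROUP1_LEN = 96   # bytes in a group 1 public value


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash function (SHA-1 in this policy)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes(GROUP1_LEN, "big")


class Peer:
    def __init__(self, identity: bytes, psk: bytes):
        self.identity = identity                        # IDii / IDir payload body
        self.psk = psk
        self.cookie = secrets.token_bytes(8)            # ISAKMP header cookie (CKY)
        self.nonce = secrets.token_bytes(16)            # Ni / Nr
        self.x = secrets.randbelow(GROUP1_P - 2) + 1    # DH private exponent, never sent
        self.gx = pow(GROUP1_G, self.x, GROUP1_P)       # DH public value, sent in message 3/4

    def dh_shared(self, peer_gx: int) -> bytes:
        return to_bytes(pow(peer_gx, self.x, GROUP1_P))


def phase1_hashes(psk, ni, nr, gxi, gxr, cky_i, cky_r, sa_i, id_i, id_r):
    """SKEYID, HASH_I and HASH_R for pre-shared-key authentication (RFC 2409 section 5.4)."""
    skeyid = prf(psk, ni + nr)
    hash_i = prf(skeyid, to_bytes(gxi) + to_bytes(gxr) + cky_i + cky_r + sa_i + id_i)
    hash_r = prf(skeyid, to_bytes(gxr) + to_bytes(gxi) + cky_r + cky_i + sa_i + id_r)
    return skeyid, hash_i, hash_r


def main_mode(initiator: Peer, responder: Peer, sa_proposal: bytes) -> dict:
    """Six messages: 1-2 SA proposal/choice, 3-4 KE + nonce, 5-6 identity + HASH (encrypted in real IKE)."""
    args = (initiator.nonce, responder.nonce, initiator.gx, responder.gx,
            initiator.cookie, responder.cookie, sa_proposal, initiator.identity, responder.identity)
    # Each side derives SKEYID from its OWN pre-shared key; only matching PSKs give matching hashes.
    skeyid_i, hash_i_sent, hash_r_expected = phase1_hashes(initiator.psk, *args)
    skeyid_r, hash_i_expected, hash_r_sent = phase1_hashes(responder.psk, *args)
    gxy_i, gxy_r = initiator.dh_shared(responder.gx), responder.dh_shared(initiator.gx)
    responder_ok = hmac.compare_digest(hash_r_sent, hash_r_expected)   # message 6, checked by initiator
    initiator_ok = hmac.compare_digest(hash_i_sent, hash_i_expected)   # message 5, checked by responder
    # Keying material handed to Phase 2 (quick mode) once both sides are authenticated.
    skeyid_d = prf(skeyid_i, gxy_i + initiator.cookie + responder.cookie + b"\x00")
    return {"dh_agreed": gxy_i == gxy_r, "initiator_authenticated": initiator_ok,
            "responder_authenticated": responder_ok, "skeyid_d": skeyid_d}


SA_PROPOSAL = b"SAi_b (constructed ISAKMP SA payload bytes)"


def run(psk_initiator: bytes, psk_responder: bytes) -> dict:
    r1 = Peer(b"172.30.1.2", psk_initiator)   # identities use the "address" method, as on the slides
    r2 = Peer(b"172.30.2.2", psk_responder)
    return main_mode(r1, r2, SA_PROPOSAL)
```

run(b"cisco123", b"cisco123") authenticates both peers; run(b"cisco123", b"cisco124") still reports dh_agreed but both authentication flags are False, which is what a "pre-shared key mismatch" looks like at the protocol level.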

Internet Key Exchange Aggressive Mode
Aggressive mode is another option for IKE Phase 1. It is faster than Main mode because it uses three messages instead of six. The trade-off is that the peers' identities (and, with pre-shared keys, the authentication hash) are sent before encryption has been established, so Aggressive mode protects identities less than Main mode does.

Internet Key Exchange IKE Phase 2
The purpose of IKE Phase 2 is to negotiate the IPsec security parameters that will be used to secure the IPsec tunnel. IKE Phase 2 is called quick mode and can only occur after IKE has established the secure tunnel in Phase 1. Quick mode negotiates the IPsec (Phase 2) SAs. The SAs that IPsec uses are unidirectional, so a pair of SAs is established for each protected data flow, and a separate key exchange is required for each flow.

8.4 Implementing Site-to-Site IPsec VPNs with CLI

Configuring a Site-to-Site IPsec VPN IPsec VPN Negotiation A VPN is a communications channel used to form a logical connection between two endpoints over a public network. IPsec VPN negotiation involves several steps.

Configuring a Site-to-Site IPsec VPN IPsec Configuration Tasks
Some basic tasks must be completed to configure a site-to-site IPsec VPN:
Task 1. Ensure that ACLs configured on interfaces are compatible with the IPsec configuration.
Task 2. Create an ISAKMP (IKE) policy.
Task 3. Configure the IPsec transform set.
Task 4. Create a crypto ACL.
Task 5. Create and apply a crypto map.

Task 1 – Configure Compatible ACLs Protocols 50 and 51 and UDP Port 500
Ensure that the ACLs are configured so that ISAKMP, ESP, and AH traffic are not blocked at the interfaces used by IPsec.
ESP is assigned IP protocol number 50.
AH is assigned IP protocol number 51.
ISAKMP uses UDP port 500 (and UDP port 4500 when NAT traversal is in use).

Task 2 – Configure IKE Planning the IKE Policy
Plan the IKE policy in advance to configure IPsec encryption correctly and minimize misconfiguration. Determine the following policy details:
Key distribution method
Authentication method
IPsec peer IP addresses and hostnames
IKE Phase 1 policies for all peers: encryption algorithm, hash algorithm, IKE SA lifetime

Task 2 – Configure IKE Defining the IKE Policy
The second major task in configuring Cisco IOS ISAKMP support is to define the parameters within the IKE policy. Multiple ISAKMP policies can be configured on each peer participating in IPsec.

Task 2 – Configure IKE The crypto isakmp policy Command
The crypto isakmp policy priority command enters ISAKMP policy configuration mode, where the encryption, hash, authentication, group, and lifetime parameters of that policy are set.

Task 2 – Configure IKE Negotiating ISAKMP Policies Two endpoints must negotiate ISAKMP policies before they agree on the SA to use for IPsec.

Task 2 – Configure IKE Negotiating ISAKMP Policies Cont. Policy numbers are only locally significant and do not have to match between IPsec peers.

Task 2 – Configure IKE Pre-Shared Keys
The key string (cisco123 in the example) must match on both peers.
The address identity method is specified.
The ISAKMP policies are compatible.
Default values do not have to be configured.

Task 3 – Configure the Transform Sets Defining the Transform Sets
A transform set is a combination of individual IPsec transforms designed to enact a specific security policy for traffic.
Router(config)# crypto ipsec transform-set transform-set-name ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  esp-null      ESP transform w/o cipher
Notes: esp-md5-hmac and esp-sha-hmac provide data integrity for the ESP payload. Because the ESP integrity check does not cover the outer IP header, they are compatible with NAT/PAT and are used more frequently than ah-md5-hmac and ah-sha-hmac.

Task 3 – Configure the Transform Sets Configuring the Transform Sets Transform sets are negotiated during IKE Phase 2 quick mode. R1 has transform sets ALPHA, BETA, and CHARLIE configured, while R2 has RED, BLUE, and YELLOW configured. Each R1 transform set is compared against each R2 transform set in succession until a match is found. R1 R2
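Policy and transform-set matching run over two routers' configuration text, as an added example that is not part of the course material. The parser fills attributes omitted from a crypto isakmp policy with the IOS defaults (DES, SHA, rsa-sig, group 1, 86400 seconds), and the matching follows the documented IOS rule: encryption, hash, authentication and DH group must be identical, policy numbers are only locally significant, and when lifetimes differ the shorter one is used. Transform sets are compared in configured order until the first identical set is found. The router names, addresses and policies are constructed: R1's policy 110 matches R2's policy 10, and R3, which changed only the authentication method, matches nothing, which is the situation the Main Mode failure debug output later in the chapter shows.

```python
# Added example (not from the course material): a negotiation check run over two routers' IOS
# configuration text, showing how ISAKMP policies are matched in priority order (omitted
# attributes filled from the IOS defaults) and how transform sets are compared until the first
# match. Router names, addresses and policies are constructed.
import re

# Attribute defaults applied when a "crypto isakmp policy" omits them (see show crypto isakmp policy).
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
MUST_MATCH = ("encryption", "hash", "authentication", "group")


def parse_isakmp_policies(config: str) -> dict:
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = int(header.group(1))
            policies[current] = dict(ISAKMP_DEFAULTS)
            continue
        attr = re.match(r"^\s+(encryption|hash|authentication|group|lifetime)\s+(.+?)\s*$", line)
        if attr and current is not None:
            policies[current][attr.group(1)] = attr.group(2)
        elif line and not line.startswith(" "):
            current = None                      # left the policy sub-mode
    return policies


def parse_transform_sets(config: str) -> dict:
    """Name -> set of transform tokens, e.g. {'esp-aes', '256', 'esp-sha-hmac'}."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+?)\s*$", config, re.M)}


def negotiate_isakmp(initiator_cfg: str, responder_cfg: str):
    """The responder walks its own policies by priority and compares each offered policy against
    them. Priority numbers are local; only the attributes have to match."""
    offers, local = parse_isakmp_policies(initiator_cfg), parse_isakmp_policies(responder_cfg)
    for prio in sorted(local):
        for offered_prio in sorted(offers):
            mine, theirs = local[prio], offers[offered_prio]
            if all(mine[k] == theirs[k] for k in MUST_MATCH):
                agreed = dict(mine)
                agreed["lifetime"] = str(min(int(mine["lifetime"]), int(theirs["lifetime"])))
                return {"responder_policy": prio, "initiator_policy": offered_prio, **agreed}
    return None   # what debug crypto isakmp reports as "atts are not acceptable"


def negotiate_transform_set(initiator_cfg: str, responder_cfg: str):
    offers, local = parse_transform_sets(initiator_cfg), parse_transform_sets(responder_cfg)
    for name, transforms in offers.items():
        for peer_name, peer_transforms in local.items():
            if transforms == peer_transforms:
                return name, peer_name
    return None


R1_CONFIG = """\
crypto isakmp policy 110
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp policy 120
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.30.2.2
crypto ipsec transform-set ALPHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set BETA esp-3des esp-md5-hmac
"""
R2_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp policy 20
 encryption des
 hash md5
 authentication pre-share
 group 1
crypto isakmp key cisco123 address 172.30.1.2
crypto ipsec transform-set RED esp-3des esp-sha-hmac
crypto ipsec transform-set BLUE esp-aes 256 esp-sha-hmac
"""
# R3 leaves every attribute at its default except the authentication method, so nothing R1 offers matches.
R3_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 172.30.1.2
"""
```

negotiate_isakmp(R1_CONFIG, R2_CONFIG) pairs R1's policy 110 with R2's policy 10 and settles on the 3600-second lifetime; negotiate_isakmp(R1_CONFIG, R3_CONFIG) returns None, and negotiate_transform_set(R1_CONFIG, R2_CONFIG) pairs ALPHA with BLUE. The mode (tunnel or transport) configured under a transform set must match as well; it is left out of the sample because the default on both sides is tunnel mode.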

Task 4 – Configure the Crypto ACLs Defining Crypto ACLs Crypto ACLs identify the traffic flows to protect. Outbound crypto ACLs select outbound traffic that IPsec should protect. Traffic not selected is sent in plaintext. If desired, inbound ACLs can be created to filter and discard traffic that should have been protected by IPsec.

Task 4 – Configure the Crypto ACLs Crypto ACL Syntax Outbound crypto ACLs define the interesting traffic to be encrypted. All other traffic passes as plaintext.

Task 4 – Configure the Crypto ACLs Symmetric Crypto ACL Syntax
Symmetric (mirror-image) crypto ACLs must be configured for use by IPsec: the source and destination in one peer's ACL are swapped in the other peer's ACL.
RouterA(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
RouterB(config)# access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
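A Python check of both ACL requirements in this chapter, added here as an example that is not course code: that the interface ACL permits ISAKMP, ESP and AH between the peers (Task 1), and that the crypto ACLs are mirror images (this slide). It parses numbered IOS access-list lines in the host, any and wildcard-mask address forms; the router addresses and ACL numbers are constructed, and RouterB deliberately carries one crypto ACL entry with no twin on RouterA and an interface ACL with no ESP entry. UDP 4500 (IOS port keyword non500-isakmp) is included in the required list because IKE uses it when NAT traversal is detected, although the slides mention only UDP 500.

```python
# Added example (not from the course material): parse IOS numbered ACL lines from two peers'
# configurations and check (1) that the interface ACL lets ISAKMP, ESP and AH through between
# the peers and (2) that the crypto ACLs mirror each other. Addresses and ACL numbers are
# constructed; the NAT-T entry (UDP 4500) is an addition beyond what the slides list.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str              # network in CIDR form
    dst: str
    port: Optional[str]   # destination port after "eq", if any


def _address(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    mask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]


def parse_acl(config: str, number: int) -> list:
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", str(number)]:
            continue
        src, rest = _address(t[4:])
        dst, rest = _address(rest)
        port = rest[1] if rest[:1] == ["eq"] else None
        aces.append(Ace(t[2], t[3], str(src), str(dst), port))
    return aces


# Traffic an interface ACL must permit for IPsec to come up (AH only matters if an AH transform is used).
REQUIRED = [
    ("ISAKMP (UDP 500)", lambda a: a.proto == "udp" and a.port in ("isakmp", "500")),
    ("ESP (IP protocol 50)", lambda a: a.proto in ("esp", "50")),
    ("AH (IP protocol 51)", lambda a: a.proto in ("ahp", "51")),
    ("NAT-T (UDP 4500)", lambda a: a.proto == "udp" and a.port in ("non500-isakmp", "4500")),
]


def missing_ipsec_permits(aces: list, remote_peer: str, local_peer: str) -> list:
    """Inbound view: IPsec packets arrive from the remote peer's address to the local peer's address."""
    remote, local = ipaddress.ip_address(remote_peer), ipaddress.ip_address(local_peer)
    missing = []
    for label, matches in REQUIRED:
        if not any(a.action == "permit" and matches(a)
                   and remote in ipaddress.ip_network(a.src) and local in ipaddress.ip_network(a.dst)
                   for a in aces):
            missing.append(label)
    return missing


def unmirrored(local_crypto: list, remote_crypto: list) -> list:
    """Crypto ACL entries on this peer with no source/destination-swapped twin on the other peer."""
    remote = {(a.proto, a.src, a.dst, a.port) for a in remote_crypto if a.action == "permit"}
    return [a for a in local_crypto
            if a.action == "permit" and (a.proto, a.dst, a.src, a.port) not in remote]


ROUTER_A = """\
access-list 101 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 101 permit udp host 172.30.2.2 host 172.30.1.2 eq non500-isakmp
access-list 101 permit esp host 172.30.2.2 host 172.30.1.2
access-list 101 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
"""
ROUTER_B = """\
access-list 101 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
access-list 101 permit udp host 172.30.1.2 host 172.30.2.2 eq non500-isakmp
access-list 101 permit ahp host 172.30.1.2 host 172.30.2.2
access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.3.0 0.0.0.255 10.0.1.0 0.0.0.255
"""
```

For RouterA, missing_ipsec_permits on ACL 101 returns an empty list; for RouterB it reports the missing ESP entry, which is the classic symptom of IKE completing while no data flows. unmirrored(parse_acl(ROUTER_B, 110), parse_acl(ROUTER_A, 110)) flags the 10.0.3.0/24 entry that RouterA knows nothing about.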

Task 5 – Apply the Crypto Map Defining Crypto Maps
Crypto maps define:
Which traffic to protect, using a crypto ACL
Granularity of the flow to be protected by a set of SAs
Who the remote IPsec peers are
Local address used for the IPsec traffic (optional)
Which type of IPsec security is applied to this traffic (transform sets)
Key management method
SA lifetimes

Task 5 – Apply the Crypto Map Crypto Map Syntax

Task 5 – Apply the Crypto Map Applying the Crypto Map

Verify and Troubleshoot the IPsec Configuration IPsec Show Commands
R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 102
            access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MINE, }
The show crypto map command verifies the crypto map configuration and shows the SA lifetime.

Verify and Troubleshoot the IPsec Configuration IPsec Show Commands Cont. R1# show crypto isakmp policy Protection suite of priority 110 encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Message Digest 5 authentication method: pre-share Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit Default protection suite hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature The show crypto isakmp policy command displays configured IKE policies and the default IKE policy settings.

Verify and Troubleshoot the IPsec Configuration IPsec Show Commands Cont. The show crypto ipsec transform-set command shows all configured transform sets.

Verify and Troubleshoot the IPsec Configuration Verifying Security Associations R1# show crypto isakmp sa dst src state conn-id slot 172.30.2.2 172.30.1.2 QM_IDLE 47 5 If show crypto ipsec sa indicates that an SA is established, the rest of the configuration is assumed to be working.

Verify and Troubleshoot the IPsec Configuration Troubleshooting VPN Connectivity This is an example of the Main Mode error message. The failure of Main Mode suggests that the Phase I policy does not match on both sides. Verify that the Phase I policy is on both peers and ensure that all the attributes match. Encryption: DES or 3DES Hash: MD5 or SHA Diffie-Hellman: Group 1 or 2 Authentication: rsa-sig, rsa-encr or pre-share R1# debug crypto isakmp 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0 1d00h: ISAKMP (0:1): no offers accepted! 1d00h: ISAKMP (0:1): SA not acceptable! 1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 150.150.150.1

8.5 Implementing Site-to-Site IPsec VPNs with CCP

Configuring IPsec using CCP CCP ‘Wizards’ Other intelligent Cisco wizards are available in CCP for these three tasks: Auto detecting misconfiguration and proposing fixes. Providing strong security and verifying configuration entries. Using device and interface-specific defaults.

Configuring IPsec using CCP CCP ‘Wizards’ Cont. Examples of CCP wizards include: Startup wizard for initial router configuration LAN and WAN wizards Policy-based firewall and access-list management to easily configure firewall settings based on policy rules IPS wizard One-step site-to-site VPN wizard One-step router lockdown wizard to harden the router

Configuring IPsec VPN Configuration with CCP Steps for IPsec VPN Configuration with CCP In addition to configuring IPsec VPNs via CLI, it is possible to configure them using a CCP wizard. To select and start a VPN wizard, follow these steps: Step 1. Click Configure in the main toolbar. Step 2. Click the Security folder and then click the VPN subfolder. Step 3. Select a wizard from the VPN list. Step 4. Click the VPN implementation subtype. Step 5. Click Launch the selected task to start the wizard.

Configuring IPsec VPN Configuration with CCP Steps for IPsec VPN Configuration with CCP Cont. Step 1. Click Configure in the main toolbar.

Configuring IPsec VPN Configuration with CCP Steps for IPsec VPN Configuration with CCP Cont. Step 2. Click the Security folder and then click the VPN subfolder.

Configuring IPsec VPN Configuration with CCP Steps for IPsec VPN Configuration with CCP Cont. Step 3. Select a wizard from the VPN list.

Configuring IPsec VPN Configuration with CCP Steps for IPsec VPN Configuration with CCP Cont. Step 4. Click the VPN implementation subtype.

Configuring IPsec VPN Configuration with CCP Steps for IPsec VPN Configuration with CCP Cont. Step 5. Click Launch the selected task to start the wizard.

Configuring IPsec VPN Configuration with CCP CCP VPN Wizards Under the VPN folder are three subfolders: the SSL VPN, the GET VPN, and VPN components.

Configuring IPsec VPN Configuration with CCP Site-to-Site VPN Wizards

Configuring IPsec VPN Configuration with CCP Quick Setup and Step-by-Step Wizard

VPN Wizard – Quick Setup Quick Setup

VPN Wizard – Quick Setup Finishing Quick Setup

VPN Wizard – Step-by-Step Setup Step-by-Step Setup Step 1. Choose the outside interface to connect to the IPsec peer over the untrusted network.

VPN Wizard – Step-by-Step Setup Step-by-Step Setup Cont. Step 2. Specify the IP address of the peer.

VPN Wizard – Step-by-Step Setup Step-by-Step Setup Cont. Step 3. Choose the authentication method and specify the credentials. Use long, random PSKs to prevent brute-force and dictionary attacks against IKE.

VPN Wizard – Step-by-Step Setup Step-by-Step Setup Cont. Step 4. Click Next.

VPN Wizard – Step-by-Step Setup IKE Proposal Step 1. Click Add to define a proposal and specify the IKE proposal priority, encryption algorithm, hashing algorithm, IKE authentication method, DH group, and IKE lifetime.

VPN Wizard – Step-by-Step Setup IKE Proposal Cont. Step 2. From the Add IKE Policy window, configure the IKE proposal specifics and click OK when done.

VPN Wizard – Step-by-Step Setup IKE Proposal Cont. Step 3. When finished with adding IKE policies, choose the proposal to use. Click Next.

VPN Wizard – Step-by-Step Setup Transform Set Step 1. Click Add to define the transform set and specify the name, integrity algorithm, encryption algorithm, mode of operation, and optional compression.

VPN Wizard – Step-by-Step Setup Transform Set Cont. Step 2. From the Add Transform Set window, configure the transform set specifics and click OK when done.

VPN Wizard – Step-by-Step Setup Transform Set Cont. Step 3. When finished adding transform sets, choose the transform set to use, and click Next to proceed to the next task.

VPN Wizard – Step-by-Step Setup Traffic to Protect – Subnet to Subnet Step 1. On the Traffic to Protect window, click the Protect all traffic between the following subnets option.

VPN Wizard – Step-by-Step Setup Traffic to Protect – Subnet to Subnet Cont. Step 2. Define the IP address and subnet mask of the local network where IPsec traffic originates.

VPN Wizard – Step-by-Step Setup Traffic to Protect – Subnet to Subnet Cont. Step 3. Define the IP address and subnet mask of the remote network where IPsec traffic is sent.

VPN Wizard – Step-by-Step Setup Traffic to Protect – Custom ACL Step 1. On the Traffic to Protect window, click the Create/Select an access-list for IPsec traffic option.

VPN Wizard – Step-by-Step Setup Traffic to Protect – Custom ACL Cont. Step 2. Click the ellipsis (...) button to choose an existing ACL or to create a new one.

VPN Wizard – Step-by-Step Setup Traffic to Protect – Custom ACL Cont. Step 3. To use an existing ACL, select the Select an existing rule (ACL) option. To create a new ACL, select the Create a new rule (ACL) and select option.

VPN Wizard – Step-by-Step Setup Configuration Summary – Add a Rule Step 1. Give the access rule a name and description. Step 2. Click the Add button to start adding rule entries.

VPN Wizard – Step-by-Step Setup Configuration Summary – Add an Entry Step 1. From the Select an action drop-down list, select an action and enter a description of the rule entry in the Description text box.

VPN Wizard – Step-by-Step Setup Configuration Summary – Add an Entry Cont. Step 2. Define the source hosts or networks in the Source Host/Network pane, and the destination hosts or networks in the Destination Host/Network pane. Each rule entry defines one pair of source and destination addresses or networks. Be sure to use wildcard bits and not the subnet mask bits in the Wildcard Mask field.

VPN Wizard – Step-by-Step Setup Configuration Summary – Add an Entry Cont. Step 3. (Optional) To provide protection for a specific protocol, choose the desired protocol radio button (TCP, UDP, or ICMP) and the port numbers. If IP is selected as the protocol, the rule applies to all IP traffic.

VPN Wizard – Step-by-Step Setup Configuration Summary – Summary At the end of the configuration, the wizard presents a summary of the configured parameters. To modify the configuration, click Back. Click the Finish button to complete the configuration.

Verifying, Monitoring, and Troubleshooting VPNs Testing the Tunnel Click Generate Mirror to generate the mirroring configuration that is required on the other end of the tunnel. This is useful if the other router does not have CCP and must use the CLI to configure the tunnel. Click Configure > Security > VPN > Site-to-Site VPN > Edit Site to Site VPN > Test Tunnel.

Verifying, Monitoring, and Troubleshooting VPNs View IPsec Tunnels To view all IPsec tunnels, their parameters, and status, on the Cisco Configuration Professional window, click Monitor > Security > VPN Status > IPsec Tunnels.

8.6 Implementing Remote-Access VPNs

Shift to Telecommuting Advantages of Telecommuting Organizational benefits: Continuity of operations Increased responsiveness Secure, reliable, and manageable access to information Cost-effective integration of data, voice, video, and applications Increased employee productivity, satisfaction, and retention Social benefits: Increased employment opportunities for marginalized groups Less travel and fewer commuter-related issues Environmental benefits: Reduced carbon footprints, both for individual workers and organizations

Shift to Telecommuting Benefits of Telecommuting Telecommuting offers organizational, social, and environmental benefits. Studies have shown that telecommuting improves employee lifestyles by decreasing job-related stresses. There may be some drawbacks. Example - telecommuters working from home can experience distractions that they would not have at work.

Introducing Remote Access VPNs Remote-Access VPN Options There are two primary methods for deploying remote-access VPNs, as shown in the figure: IPsec and SSL. [Figure: IPsec Remote Access VPN (any application) versus SSL-based VPN (anywhere access)]

Introducing Remote Access VPNs Access Requirements Determine Remote-Access VPNs IPsec exceeds SSL in many significant ways: Number of applications that are supported Strength of encryption Strength of authentication Overall security

SSL VPNs Cisco IOS SSL VPN Technology Cisco SSL VPN delivers many remote-access connectivity features and benefits: Web-based clientless access and full network access without preinstalled desktop software. Protection against viruses, worms, spyware, and hackers on a VPN connection by integrating network and endpoint security in the Cisco SSL VPN platform. Simple, flexible, and cost-effective licensing. SSL uses a single license. Single device for both SSL VPN and IPsec VPN.

SSL VPNs Types of SSL VPN Access SSL VPNs provide different types of access: Clientless Thin client Full client

SSL VPNs Steps to Establishing SSL VPN

SSL VPNs SSL VPN Design SSL VPN design considerations: User connectivity Router feature Router hardware Infrastructure planning Implementation scope

Cisco Easy VPN Cisco Easy VPN Cisco Easy VPN consists of three components: Cisco Easy VPN Server - A Cisco IOS router or Cisco ASA Firewall acting as the VPN head-end device in site-to-site or remote-access VPNs. Cisco Easy VPN Remote - A Cisco IOS router or Cisco ASA Firewall acting as a remote VPN client. Cisco VPN Client - An application supported on a PC used to access a Cisco VPN server.

Cisco Easy VPN Cisco Easy VPN Cont.

Cisco Easy VPN Cisco Easy VPN Endpoints

Cisco Easy VPN Cisco Easy VPN Connection Steps

Configuring a VPN Server with CCP CCP Tasks for Cisco Easy VPN Server Configuring Cisco Easy VPN Server functionality using CCP consists of two major tasks: Task 1. Configure prerequisites, such as AAA, privileged users, and the enable secret password, based on the chosen VPN design. Task 2. Configure the Cisco Easy VPN Server.

Configuring a VPN Server with CCP CCP Tasks for Cisco Easy VPN Server On the CCP main window, click Configure, click the Security folder, click the VPN subfolder, and then select the Easy VPN Server option.

Configuring a VPN Server with CCP Initial Easy VPN Server Steps Specify the router interface where the VPN connection will terminate and the authentication method (e.g., pre-shared keys, digital certificates, or both). Click Next to display the IKE Proposals window.

Configuring a VPN Server with CCP Initial Easy VPN Server Steps Cont. When configuring IKE proposals, use the default policy that is predefined by CCP or add a custom IKE Policy.

Configuring a VPN Server with CCP Selecting the Transform Set

Configuring a VPN Server with CCP Group Authorization & Group Policy Lookup Easy VPN group policies can be stored: Local - All groups are in the router configuration in NVRAM. RADIUS - The router uses the RADIUS server for group authorization. RADIUS and Local - The router can look up policies stored in an AAA server database that can be reached via RADIUS.

Configuring a VPN Server with CCP Group Authorization & Group Policy Lookup Cont. Configure the Group Authorization parameters

Configuring a VPN Server with CCP Easy VPN Server Summary After all the steps are completed, the Easy VPN Server wizard displays a summary of the configured parameters.

Configuring a VPN Server with CCP Easy VPN Server Summary Cont.

Connecting with a VPN Client Cisco VPN Client The Cisco VPN Client is simple to deploy and operate. It allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or telecommuters.

Connecting with a VPN Client Connection Status When the Cisco VPN client is installed, open the Cisco VPN client window to start an IPsec VPN connection on a PC. The application lists the available preconfigured sites.

Summary A VPN is a private network that is created via tunneling over a public network, usually the Internet. Organizations typically deploy site-to-site VPNs and remote access VPNs. GRE is a tunneling protocol that is used to create a point-to-point link to Cisco routers. GRE supports multiprotocol tunneling, including IP. IPsec only supports unicast traffic and, therefore, does not support routing protocols, because they require multicast or broadcasts. GRE supports multicast or broadcast traffic and is, therefore, often used in combination with IPsec.

Summary Cont. VPNs require the use of modern encryption techniques to ensure secure transport of information. IPsec is a framework of open standards that establishes the rules for secure communications. IPsec relies on existing algorithms to achieve encryption, authentication, and key exchange. IPsec can encapsulate a packet using either Authentication Header (AH) or the more secure option, ESP.

Summary Cont. IPsec uses the IKE protocol to establish the key exchange process. There are several tasks required to create a site-to-site VPN: Ensure that the existing ACLs on perimeter routers, firewalls, or other routers do not block IPsec traffic. Define the parameters within the IKE policy, which are used during negotiation to establish ISAKMP peering. Define the IPsec transform set, which consists of a combination of an AH transform, an ESP transform, and the IPsec mode. Configure the crypto ACL to define which traffic is protected through the IPsec tunnel. Create and apply a crypto map that specifies the parameters of the IPsec SAs.

Summary Cont. More organizations offer telecommuting options to their employees. Remote access connections can be provided using a remote access IPsec VPN solution or an SSL VPN. SSL VPN is a technology that provides remote-access connectivity from almost any Internet-enabled location with a web browser and its native SSL encryption.