© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.

Presentation transcript:


Lesson 4.1: Prepare a Router for Site-to-Site VPN using Pre-shared Keys

IPSec encryption with pre-shared keys
- Site-to-site IPSec VPNs can be established between any combination of routers, PIX Security Appliances, VPN concentrators, VPN clients, and other devices that are IPSec compliant.
- Pre-shared keys for authenticating IPSec peers are relatively easy to configure.
- They do not scale well to a large number of IPSec peers: with one secret per peer pair, every secret has to be generated, distributed out of band and rotated separately.

IPSec encryption with pre-shared keys
Configuring IKE pre-shared keys in Cisco IOS consists of four tasks.
- Task 1: prepare for IPSec.
  - Determine the encryption policy
  - Identify the hosts and networks to protect
  - Gather details about the IPSec peers
  - Identify the IPSec features needed
  - Ensure existing ACLs are compatible with IPSec

IPSec encryption with pre-shared keys (continued)
- Task 2: configure IKE.
  - Enable IKE
  - Create the IKE policies
  - Validate the configuration
- Task 3: configure IPSec.
  - Define the transform sets
  - Create crypto ACLs
  - Create crypto map entries
  - Apply crypto map sets to interfaces
- Task 4: test and verify IPSec.

IKE peer authentication with pre-shared secrets
- The simplest authentication method to configure, but it has several serious limitations.
- Authentication is based on a pre-shared secret that has been exchanged securely out of band.
- Peers perform a PPP CHAP-like exchange: each sends a random value, which the other hashes together with the pre-shared secret and returns.

IKE peer authentication with pre-shared secrets (continued)
IKE peer authentication using pre-shared secrets works in the following manner:
- Peer A randomly chooses a string and sends it to peer B.
- Peer B hashes the string together with the pre-shared secret.
- Peer B sends the result of the hash back to peer A.
- Peer A calculates its own hash of the random string together with the pre-shared secret and compares it with the value received; a match proves that peer B knows the secret.
- The same process runs in the other direction so that peer B authenticates peer A.
- The main limitation of pre-shared-secret authentication is that the secret must be selected by the IP address of the remote peer, not by its IKE identity: in IKE main mode the peer's identity payload is sent encrypted under keys already derived from the secret, so the responder has to pick the secret from the packet's source address before it knows who is calling. (Aggressive mode sends the identity in the clear, which allows lookup by hostname but exposes the authentication hash to offline guessing of the secret.)
- This causes problems in an environment with dynamic peer addresses. The usual workaround, a wildcard key for address 0.0.0.0 0.0.0.0, means one secret is shared by every peer that can reach the router, so compromise of any one peer compromises them all.

Planning the IKE and IPSec policy

Step 1: Determine the ISAKMP (IKE Phase 1) policy
Planning steps include the following:
- Determine the key distribution method: distribute keys manually, or use a CA server.
- Determine the authentication method: pre-shared keys, RSA encrypted nonces, or RSA signatures.
- Identify the IP addresses and host names of the IPSec peers.
- Determine the ISAKMP policy for each peer:
  - Encryption algorithm
  - Hash algorithm
  - Diffie-Hellman group
  - IKE SA lifetime
Both peers must have at least one policy whose encryption, hash, authentication and Diffie-Hellman group values match; if the lifetimes differ, the shorter one is used.


IKE Phase 1 Default Values (table not reproduced in the transcript)
The IOS default ISAKMP policy of this era used DES, SHA-1, RSA signatures, Diffie-Hellman group 1 (768-bit) and a lifetime of 86400 seconds. DES and group 1 are no longer acceptable; always configure an explicit policy rather than relying on the defaults.

Step 2: Determine the IPSec (IKE Phase 2) policy
Policy details to determine at this stage include the following:
- Select IPSec algorithms and parameters for optimal security and performance.
- Select transforms and, if necessary, transform sets.
- Identify IPSec peer details.
- Determine the IP addresses and applications of the hosts to be protected.
- Select manual or IKE-initiated SAs.
The two peers must agree on at least one transform set, and their crypto ACLs should be mirror images of each other (source and destination swapped); a mismatch is the most common reason Phase 2 fails after Phase 1 succeeds.
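The four configuration tasks listed earlier and the Phase 1 and Phase 2 policy choices from Steps 1 and 2, written out as one Cisco IOS configuration for the router on one side of the tunnel. This is an added example written for this page, not a configuration from the original module. The topology (two routers R1 and R2 with outside addresses in the 203.0.113.0/30 documentation range, protecting 10.1.1.0/24 and 10.2.2.0/24), the interface name, the policy number, the ACL, transform set and crypto map names, and the key string are all assumed; the AES-256, SHA-256 and DH group 14 settings assume an IOS image recent enough to support them.

```cisco
! Site-to-site IPSec VPN with a pre-shared key, router R1 side.
! Added example, not from the original module. Assumed topology:
!   R1 outside 203.0.113.1, protecting 10.1.1.0/24
!   R2 outside 203.0.113.2, protecting 10.2.2.0/24
! R2 gets the mirror image (addresses swapped, identical key).
!
! Task 2: configure IKE (ISAKMP, Phase 1).
! IKE is on by default; this re-enables it if someone turned it off.
crypto isakmp enable
!
! Phase 1 policy. The slide-era defaults (DES, SHA-1, DH group 1) are
! too weak for new deployments. aes 256 / sha256 / group 14 assume an
! IOS image that supports them.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared secret, selected by the peer's IP address (the limitation
! described above). One key per peer; a wildcard
! "address 0.0.0.0 0.0.0.0" would share this secret with every peer.
crypto isakmp key 0 Str0ngLongRandomSecretExample address 203.0.113.2
!
! Task 3: configure IPSec (Phase 2).
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: the traffic that must be protected. R2 uses the mirror
! image (source and destination swapped).
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
!
! Task 4: test and verify (exec mode). The SAs only appear after
! traffic matching the crypto ACL has been sent:
!   ping 10.2.2.1 source 10.1.1.1
!   show crypto isakmp sa    -> state QM_IDLE for peer 203.0.113.2
!   show crypto ipsec sa     -> #pkts encaps / #pkts decaps increasing
!   show crypto session
```

Both routers need the identical key string, and it should be long and random rather than a word; rotating it means changing it on both peers at the same time, which is the scaling cost the slides refer to.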


IPSec Transform Sets (table not reproduced in the transcript)
A transform set names the combination of ESP or AH transforms (the encryption transform, the authentication transform, and the encapsulation mode) that the peers negotiate in IKE Phase 2; both peers must have at least one transform set in common.


Step 3: Check the current configuration
Check the current configuration before adding anything, so that new policy numbers and names do not collide with or shadow existing ones (show running-config, show crypto isakmp policy).

View configured crypto maps (show crypto map).

View configured transform sets (show crypto ipsec transform-set).

Step 4: Ensure the network works without encryption
Before applying any crypto configuration, verify basic connectivity between the peers with ping (and, in the lab, between the hosts to be protected). IPSec cannot fix a routing or ACL problem that already exists in the clear, and troubleshooting one through a tunnel is much harder.

Step 5: Ensure ACLs are compatible with IPSec
- Ensure that ACLs are configured so that ISAKMP, Encapsulating Security Payload (ESP), and Authentication Header (AH) traffic is not blocked at the interfaces used by IPSec.
- ISAKMP uses UDP port 500.
- ESP is assigned IP protocol number 50.
- AH is assigned IP protocol number 51.
- When a NAT device sits between the peers, NAT traversal (NAT-T) carries IKE and ESP inside UDP port 4500, which must then be permitted as well.
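Steps 3 through 5 as the commands a practitioner would actually run on the router before applying a crypto map. This is an added example for this page, not from the original module; it uses the same assumed topology (R1 at 203.0.113.1, peer R2 at 203.0.113.2, protected networks 10.1.1.0/24 and 10.2.2.0/24), an assumed interface name and an assumed ACL name. The show and ping commands are exec-mode commands; the access-list and interface lines are configuration mode.

```cisco
! Steps 3 to 5 on router R1, before the crypto map is applied.
! Added example, not from the original module. Assumed topology:
!   R1 outside 203.0.113.1, peer R2 outside 203.0.113.2.
!
! Step 3 (exec mode): check what crypto configuration already exists,
! so a new policy number, transform set or crypto map name does not
! collide with or shadow an existing one.
show running-config | section crypto
show crypto isakmp policy
show crypto ipsec transform-set
show crypto map
!
! Step 4 (exec mode): prove the network works without encryption.
! The peer-to-peer ping must succeed everywhere; the LAN-to-LAN ping
! only works without the tunnel where the private networks are
! routable, as they are in the lab.
ping 203.0.113.2
ping 10.2.2.1 source 10.1.1.1
!
! Step 5 (config mode): an inbound ACL on the outside interface that
! does not block what IPSec needs. Keyword "isakmp" is UDP 500,
! "non500-isakmp" is UDP 4500 (NAT traversal), "esp" is IP protocol 50
! and "ahp" is IP protocol 51.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ahp host 203.0.113.2 host 203.0.113.1
 ! whatever else site policy allows goes here, then:
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
!
! After the tunnel comes up (exec mode): the isakmp and esp entries
! should show matches; the peer must not be hitting the deny line.
show ip access-lists OUTSIDE-IN
```

Restricting the permits to the peer's address rather than "any" keeps the outside interface from accepting IKE negotiations from arbitrary hosts, which matters with pre-shared keys because the key is looked up by source address.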

Q and A
