Identify the traffic that should go across the VPN. Check the ACL configuration Try to ping across the tunnel using a ping that matches the ACL We should.

Presentation transcript:

PROTOCOL FLOW: MM1

Identify the traffic that should go across the VPN. Check the ACL configuration. Try to ping across the tunnel using a ping that matches the ACL. We should see ISAKMP initiate. Check "show crypto isakmp sa" to see if an entry is created for us to the remote peer. The router should send a UDP/500 packet towards the other peer, i.e. (IOS):

    IPv4 Crypto ISAKMP SA
    dst   src   state         conn-id   status
                MM_NO_STATE   0         ACTIVE

Check that the responder actually receives that UDP/500 packet, via:
- a packet capture on the interface
- hits on a permit entry for an interface ACL
- inbound NetFlow counters on the interface

PROTOCOL FLOW: MM2

The responder should receive the MM1 packet and also create an entry in its table. Check the table and see if there is an entry. At this point the responder should send back UDP/500 Main Mode Message 2. You can see that with "show cry isakmp sa", i.e. (ASA):

    1   IKE Peer:
        Type    : user    Role    : responder
        Rekey   : no      State   : MM_WAIT_MSG3

The responder should process the packet and negotiate which ISAKMP policy to choose. "debug crypto isakmp 128" should show you this. If not successful you'll see:

    [IKEv1 DEBUG]IP = , All SA proposals found unacceptable

If successful you'll see:

    [IKEv1 DEBUG]IP = , IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 5

PROTOCOL FLOW: MM3 / MM4

The initiator should receive the MM2 packet (UDP/500) and process it. Debugs on IOS show:

    *Feb 1 21:44:23.314: ISAKMP (0): received packet from dport 500 sport 500 Global (I) MM_NO_STATE
    *Feb 1 21:44:23.314: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

The initiator should then send back MM3 (UDP/500). Debugs on IOS show:

    *Feb 1 21:44:23.315: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Feb 1 21:44:23.315: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Feb 1 21:44:23.315: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Feb 1 21:44:23.315: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

The responder should get the MM3 packet (UDP/500) and return MM4 (UDP/500). Debugs on IOS show:

    *Feb 1 21:44:23.315: (0): received packet from dport 500 sport 500 Global (I) MM_SA_SETUP
    *Feb 1 21:44:23.315: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Feb 1 21:44:23.315: (0):Old State = IKE_I_MM3 New State = IKE_I_MM4

PROTOCOL FLOW: MM5

    R100#show cry isa sa
    IPv4 Crypto ISAKMP SA
    dst   src   state         conn-id   status
                MM_KEY_EXCH   1006      ACTIVE

At this point the initiator has enough information to determine whether either of the peers is behind NAT. If neither peer is behind NAT, communication remains on UDP/500; if either one is, it switches to UDP/4500.

The initiator should send Main Mode message 5:

    *Feb 1 21:44:23.315: ISAKMP:(1002):Total payload length: 12
    *Feb 1 21:44:23.315: ISAKMP:(1002): sending packet to my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Feb 1 21:44:23.315: ISAKMP:(1002):Sending an IKE IPv4 Packet.
    *Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5

The responder should receive MM5 and authenticate the initiator. If the responder successfully authenticates the peer it will send back MM6. If it fails the authentication, the responder will re-transmit the last successful packet (i.e. MM4) back to the initiator.

PROTOCOL FLOW: MM6 / Phase 1 COMPLETE

    *Feb 1 21:44:23.315: ISAKMP (1002): received packet from dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Feb 1 21:44:23.315: ISAKMP:(1002): processing ID payload. message ID = 0
    *Feb 1 21:44:23.315: ISAKMP (1002): ID payload
        next-payload : 8
        type         : 1
        address      :
        protocol     : 17
        port         : 500
        length       : 12
    *Feb 1 21:44:23.315: ISAKMP:(0):: peer matches *none* of the profiles
    *Feb 1 21:44:23.315: ISAKMP:(1002): processing HASH payload. message ID = 0
    *Feb 1 21:44:23.315: ISAKMP:(1002):SA authentication status: authenticated
    *Feb 1 21:44:23.315: ISAKMP:(1002):SA has been authenticated with
    *Feb 1 21:44:23.315: ISAKMP: Trying to insert a peer / /500/, and inserted successfully 52F9320.
    *Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6
    *Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

The Phase 1 SA negotiation is complete and the initiator will now propose a phase 2 to protect traffic.

PROTOCOL FLOW: QM1

The initiator will send QM1, which contains the requested IPsec SA parameters:

    *Feb 1 21:44:24.315: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of
    *Feb 1 21:44:24.315: ISAKMP:(1002):QM Initiator gets spi
    *Feb 1 21:44:24.315: ISAKMP:(1002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
    *Feb 1 21:44:24.315: ISAKMP:(1002):Sending an IKE IPv4 Packet.
    *Feb 1 21:44:24.315: ISAKMP:(1002):Node , Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    *Feb 1 21:44:24.315: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

The responder will validate the proposal. It will check the proposed SA against its ACL, peer, and transform configuration. It will send back QM2 to notify whether the proposal was accepted or not. If successful:

    *Feb 1 21:44:24.315: ISAKMP (1002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    *Feb 1 21:44:24.315: ISAKMP:(1002): processing HASH payload. message ID =
    *Feb 1 21:44:24.315: ISAKMP:(1002): processing SA payload. message ID =
    *Feb 1 21:44:24.315: ISAKMP:(1002):Checking IPSec proposal 1
    *Feb 1 21:44:24.315: ISAKMP: transform 1, ESP_3DES
    *Feb 1 21:44:24.315: ISAKMP:   attributes in transform:
    *Feb 1 21:44:24.315: ISAKMP:      encaps is 2 (Transport)
    *Feb 1 21:44:24.315: ISAKMP:      SA life type in seconds
    *Feb 1 21:44:24.315: ISAKMP:      SA life duration (basic) of 3600
    *Feb 1 21:44:24.315: ISAKMP:      SA life type in kilobytes
    *Feb 1 21:44:24.315: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
    *Feb 1 21:44:24.315: ISAKMP:      authenticator is HMAC-MD5
    *Feb 1 21:44:24.315: ISAKMP:(1002):atts are acceptable.

PROTOCOL FLOW: QM2

If not successful:

    *Feb 1 21:44:23.315: ISAKMP (1002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    *Feb 1 21:44:23.315: ISAKMP: set new node to QM_IDLE
    *Feb 1 21:44:23.315: ISAKMP:(1002): processing HASH payload. message ID =
    *Feb 1 21:44:23.315: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi , message ID = , sa = 4990F28
    *Feb 1 21:44:23.315: ISAKMP:(1002): deleting spi message ID =
    *Feb 1 21:44:23.315: ISAKMP:(1002):deleting node error TRUE reason "Delete Larval"
    *Feb 1 21:44:23.315: ISAKMP:(1002):deleting node error FALSE reason "Informational (in) state 1"
    *Feb 1 21:44:23.315: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    *Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

The initiator will then acknowledge the acceptance with QM3 and complete the phase 2 installation.

PROTOCOL FLOW: QM3 / Phase 2 COMPLETE

    *Feb 1 21:44:23.315: ISAKMP:(1002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
    *Feb 1 21:44:23.315: ISAKMP:(1002):Sending an IKE IPv4 Packet.
    *Feb 1 21:44:23.315: ISAKMP:(1002):deleting node error FALSE reason "No Error"
    *Feb 1 21:44:23.315: ISAKMP:(1002):Node , Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    *Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
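As an added example (not part of the slides), a small Python helper that walks the initiator-side IOS "debug crypto isakmp" state transitions from the flow above and reports where the negotiation stalled, together with the check the flow prescribes for that point. The sample debug lines are constructed from the slide output, with placeholder addresses and SPIs; the hint wording is my own summary of the slides.

```python
import re

# Constructed sample of initiator-side "debug crypto isakmp" output, modelled on
# the lines in the slides; peer addresses and SPIs are placeholders, not real hosts.
SAMPLE_DEBUG = """\
*Feb 1 21:44:23.314: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Feb 1 21:44:23.315: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Feb 1 21:44:23.315: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Feb 1 21:44:23.315: ISAKMP:(1002):SA authentication status: authenticated
*Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Feb 1 21:44:23.315: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Feb 1 21:44:24.315: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Feb 1 21:44:24.315: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 0, message ID = 0, sa = 4990F28
*Feb 1 21:44:24.315: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")

# Where the exchange stalled and what the flow on the slides says to check next.
HINTS = {
    "IKE_I_MM1": "MM1 sent, no MM2: verify the responder receives UDP/500 (capture, ACL hits, NetFlow) and has a matching ISAKMP policy",
    "IKE_I_MM3": "MM3 sent, no MM4: check the responder's isakmp sa table (MM_WAIT_MSG3) and its debugs",
    "IKE_I_MM5": "MM5 sent, no MM6: responder failed to authenticate us (pre-shared key) and is retransmitting MM4",
    "IKE_P1_COMPLETE": "phase 1 done, phase 2 not yet negotiated",
    "IKE_QM_I_QM1": "QM1 sent, waiting for QM2",
    "IKE_QM_PHASE2_COMPLETE": "phase 2 complete: IPsec SAs installed",
    "PROPOSAL_NOT_CHOSEN": "QM1 rejected: responder's crypto ACL, peer or transform set does not match our proposal",
}

def diagnose(debug_text):
    """Return (last_state, hint) for one initiator's IKEv1 debug output."""
    last_state = "IKE_I_MM1"       # an SA entry exists as soon as MM1 is sent
    rejected = False
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            last_state = m.group(2)
        if "PROPOSAL_NOT_CHOSEN" in line:   # QM2 carried a rejection notify
            rejected = True
    if rejected:
        return last_state, HINTS["PROPOSAL_NOT_CHOSEN"]
    return last_state, HINTS.get(last_state, "state not covered by the flow above")

if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG))
```

Feed it the debug output captured on the initiator; when a state is missing from HINTS the tuple still tells you the last transition reached.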