
1 Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005

2 IPsec – An Introduction
- IPsec is a suite of protocols used to create virtual private networks (VPNs)
- Creates an encrypted tunnel between two private networks
- Authenticates both ends of the tunnel

3 IPsec – An Introduction (Cont’d)
- Can choose what traffic to encrypt and how to encrypt it
- Encapsulates and encrypts IP traffic only (non-IP traffic can be carried by wrapping it in GRE first)
- IPsec is composed of the following main protocols:
  - Internet Key Exchange (IKE) protocol
  - Encapsulating Security Payload (ESP) protocol
  - Authentication Header (AH) protocol

4 IPsec – Fundamental Mechanisms
- Packet encapsulation
  - Encapsulating Security Payload (ESP): encrypts the payload and (optionally) authenticates it
  - Authentication Header (AH): authenticates the payload and the immutable fields of the IP header, but does not encrypt
  - Tunnel mode: a new IP header is prepended in front of the original IP header, so the original addresses are hidden in transit; this is the mode a site-to-site VPN uses
  - Transport mode: the original IP header is kept and only the payload is protected
- Encryption
  - Symmetric-key algorithms DES or 3DES (single DES, with its 56-bit key, is brute-forceable and should not be used; 3DES has since been deprecated as well)
- Integrity checking
  - Hashed Message Authentication Codes (HMAC), keyed with a secret derived during IKE
  - Hash algorithms MD5 or SHA-1 (HMAC-MD5 and HMAC-SHA-1; newer IOS releases add SHA-2 variants)

5 IPsec Implementation
- LAN-to-LAN IPsec VPN
  - Also called site-to-site IPsec VPN
  - Merges two private networks across a public network
  - Appears as one virtual network with shared resources

6 IKE – An Introduction
- Responsible for negotiating the details of the IPsec tunnel between the two peers
- Main functions of IKE in IPsec:
  - Negotiate protocol parameters
  - Exchange Diffie-Hellman public values so both peers derive the same shared secret
  - Authenticate both ends
  - Manage (refresh and delete) keys after the exchange

7 How IKE Works
- IKE (version 1) is a two-phase protocol
- Phase 1
  - Uses main mode (six messages) or aggressive mode (three messages) exchanges between the peers
  - Negotiates a secure, authenticated communication channel (the IKE SA) between the IPsec peers
- Phase 2
  - Uses quick mode exchanges between the peers, protected by the Phase 1 channel
  - Negotiates the security associations for the IPsec services (ESP/AH) that protect the data

8 IKE – Main Mode
- The main functions of main mode (or aggressive mode) are:
  - Agree on the set of parameters that will be used to authenticate the two IPsec peers
  - Agree on the set of parameters that will be used to encrypt part of the main mode exchange and all of the quick mode exchange
  - Authenticate the two IPsec peers to each other
  - Generate keying material from which the data encryption keys are derived once negotiation is done
- Aggressive mode saves messages but sends the peer identities, and with pre-shared keys the authentication hash, before encryption is in place; that hash can be attacked offline with a dictionary, so main mode is the safer choice for pre-shared key authentication

9 IKE – Main Mode (Cont’d)
- All the information negotiated in main mode is stored as an IKE (ISAKMP) security association (SA)
- There is only one IKE SA between any two IPsec peers, and it is bidirectional; the IPsec SAs negotiated later in quick mode are unidirectional, so each tunnel holds a pair, one per direction

10 IKE – Quick Mode
- The main functions of quick mode are:
  - Agree on the set of parameters for creating the IPsec SAs used to protect (encrypt, with ESP) the data between the two peers
  - If Perfect Forward Secrecy (PFS) is enabled, perform another Diffie-Hellman exchange so that the data encryption keys are not derived solely from the Phase 1 keying material; compromise of the Phase 1 keys then does not expose the data keys

11 IKE Authentication Mechanisms
- Pre-shared keys
  - Define the same key on both IPsec peers
  - Simple but not scalable: one key per peer pair, distributed out of band
- Digital signatures
  - Uses public/private key pairs generated on both IPsec peers
  - The public key is exchanged in a digital certificate that also carries the sender's identity
  - The certificate is issued by a certificate authority (CA) server
- Encrypted nonces
  - Pseudo-random numbers are encrypted with the peer's RSA public key and exchanged by the IPsec peers; the public keys must be distributed to each peer beforehand

12 IPsec Negotiation Using IKE
- IKE negotiates IPsec tunnels between IPsec peers using one of three main methods:
  1. Main mode using pre-shared key authentication, followed by quick mode negotiation
  2. Main mode using digital signature authentication, followed by quick mode negotiation
  3. Aggressive mode using pre-shared key authentication, followed by quick mode negotiation

13 Configuration of LAN-to-LAN IPsec – Network Diagram
- R1 (initiator): outside address 192.1.12.5, private LAN 10.1.1.0/24
- R2 (responder): outside address 192.1.12.20, private LAN 10.1.2.0/24
- Cisco routers R1 and R2 both run IOS 12.2(15)T11 (a feature set including IPsec and 3DES)
- Cisco Catalyst switch 3550-01 runs IOS 12.1(22)EA1a

14 Configuration of LAN-to-LAN IPsec – Setup of Routers
- Step 1: Ensure that IKE is enabled (it is on by default on IPsec-capable images)
  Router(config)# crypto isakmp enable
- Step 2: Create the ISAKMP policy, which defines the attributes negotiated between the peers for the IKE SA; the number (1) is the policy priority, and the lowest number is tried first when several policies exist
  Router(config)# crypto isakmp policy 1
  Router(config-isakmp)# encryption 3des
  Router(config-isakmp)# hash md5
  Router(config-isakmp)# authentication pre-share
  Router(config-isakmp)# group 1
  Router(config-isakmp)# lifetime 14400
  The lifetime is in seconds (four hours here). hash md5 and group 1 (768-bit Diffie-Hellman) were usual in 2005 but are weak by current standards; a peer that must accept them should at least not also offer anything weaker

15 Configuration of LAN-to-LAN IPsec – Setup of Routers (Cont’d)
- Step 3: Define the pre-shared key and the IP address of the IPsec peer (R2 must define the same key for address 192.1.12.5)
  Router(config)# crypto isakmp key 42DB72B3 address 192.1.12.20
- Step 4: Define a transform set, the ESP cipher and HMAC to be used for the data, as follows:
  Router(config)# crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
- Step 5: Define the mode associated with the transform set (optional; tunnel mode is the default)
  Router(cfg-crypto-trans)# mode tunnel

16 Configuration of LAN-to-LAN IPsec – Setup of Routers (Cont’d)
- Step 6: Define an access list that selects the "interesting" traffic, i.e. the packets IPsec must protect; anything the list does not permit leaves the interface in the clear
  Router(config)# access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
- Step 7: Define a crypto map. The crypto map links together all of the details of the IPsec configuration (peer, transform set, access list); the sequence number (10 here) is mandatory in the command syntax and identifies one entry of the map
  Router(config)# crypto map mymap1 10 ipsec-isakmp

17 Configuration of LAN-to-LAN IPsec – Setup of Routers (Cont’d)
- Step 8: Within the crypto map entry, define the IP address of the IPsec peer
  Router(config-crypto-m)# set peer 192.1.12.20
- Step 9: Within the crypto map entry, define which transform set is to be used
  Router(config-crypto-m)# set transform-set myset1
- Step 10: Within the crypto map entry, define which access list selects the traffic for this entry
  Router(config-crypto-m)# match address 101

18 Configuration of LAN-to-LAN IPsec – Setup of Routers (Cont’d)
- Step 11: Assign the crypto map to the router interface through which the IPsec traffic leaves (the outside interface facing the peer); a crypto map has no effect until it is applied to an interface
  Router(config)# interface Ethernet 0/0
  Router(config-if)# crypto map mymap1
- Step 12: Verify that the ISAKMP policy, transform set and pre-shared key are the same on both IPsec peers, and that the crypto access lists are mirror images of each other (R2 permits 10.1.2.0/24 to 10.1.1.0/24)
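The complete configuration for both routers in the diagram, assembled from Steps 1 to 12 as an added example; it is not the content of the slides' own screenshots. The LAN-side interfaces (Ethernet 0/1), their addresses (10.1.1.1 and 10.1.2.1), the /24 mask on the 192.1.12.0 link and the static routes are assumptions that the slides do not state.

```cisco
! Added example: both routers from the diagram, built from Steps 1-12.
! Assumed (not in the slides): LAN interfaces Ethernet 0/1 and their
! addresses, the /24 mask on 192.1.12.0, and the static routes.
!
! ===== R1 (initiator): outside 192.1.12.5, LAN 10.1.1.0/24 =====
hostname R1
!
crypto isakmp enable
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 1
 lifetime 14400
! The key is bound to the peer's outside address; R2 must hold the same key
crypto isakmp key 42DB72B3 address 192.1.12.20
!
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
 mode tunnel
!
! Interesting traffic: local LAN -> remote LAN (R2 carries the mirror image)
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
! The sequence number (10) is mandatory in the crypto map syntax
crypto map mymap1 10 ipsec-isakmp
 set peer 192.1.12.20
 set transform-set myset1
 match address 101
!
interface Ethernet 0/0
 ip address 192.1.12.5 255.255.255.0
 crypto map mymap1
!
interface Ethernet 0/1
 ip address 10.1.1.1 255.255.255.0
!
! Traffic for the remote LAN must be routed out of the crypto-mapped interface
ip route 10.1.2.0 255.255.255.0 192.1.12.20
!
! ===== R2 (responder): outside 192.1.12.20, LAN 10.1.2.0/24 =====
hostname R2
!
crypto isakmp enable
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 1
 lifetime 14400
crypto isakmp key 42DB72B3 address 192.1.12.5
!
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
 mode tunnel
!
! Mirror image of R1's access list 101: source and destination swapped
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map mymap1 10 ipsec-isakmp
 set peer 192.1.12.5
 set transform-set myset1
 match address 101
!
interface Ethernet 0/0
 ip address 192.1.12.20 255.255.255.0
 crypto map mymap1
!
interface Ethernet 0/1
 ip address 10.1.2.1 255.255.255.0
!
ip route 10.1.1.0 255.255.255.0 192.1.12.5
```

The tunnel is built on demand: the first packet from a host on 10.1.1.0/24 to a host on 10.1.2.0/24 that matches access list 101 on R1 triggers the IKE negotiation. Afterwards, show crypto isakmp sa on either router should list the peer in state QM_IDLE, and show crypto ipsec sa should show the encapsulation and decapsulation counters increasing. The cipher choices (3DES, HMAC-MD5, DH group 1) are the slides' 2005 values; on an IOS release that supports them, encryption aes 256, hash sha256 and group 14 in the ISAKMP policy, with a matching esp-aes 256 esp-sha256-hmac transform set, are the equivalent hardened settings.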

19 Configuration of LAN-to-LAN IPsec – Viewing IPsec Attributes
- The configured IPsec attributes and the negotiated SAs can be viewed with the following commands:
  Router# show crypto isakmp policy
  Router# show crypto isakmp sa
  Router# show crypto isakmp key
  Router# show crypto ipsec transform-set
  Router# show crypto map
  Router# show crypto ipsec sa
  Router# show crypto ipsec security-association lifetime

20–29 Configuration of LAN-to-LAN IPsec – Screenshots of the crypto and running configuration of Router 1 (slides 20–24) and Router 2 (slides 25–29); images not included in this transcript

30–38 Configuration of LAN-to-LAN IPsec – Debug output on router 1 (initiator, slides 30–35) and router 2 (responder, slides 36–38); images not included in this transcript


