Published by Cory Thomas. Modified over 9 years ago.
Slide 1: Network Access for Remote Users: Practical IPSec
Dr John S. Graham, ULCC, johng@nosc.ja.net
Slide 2: Review of Technologies
- Remote Site
  – Private Leased Lines
      Kilostream or Megastream Circuits
      LES
  – ISDN
  – EPS8/9
  – ISP
- Remote User
  – Private Dialup Service
  – ISP
Slide 3: Summary of Installations
- Remote Site
  – Guildhall School of Music and Drama
  – Southgate and Capel Manor Colleges
- Remote Users
  – Conservatoire of Dance and Drama
Slide 4: Traditional Dialup Service
- High Costs
- Support Burden
- Limited to 56K Analogue Dialup
- Limited Service
- Security Guaranteed
Slide 5: Virtual Private Network
- Highly Flexible Solution
- Uses Existing Infrastructure
- Complex Security Issues
Slide 6: IPSec Protocols (header layouts)
- Authentication Header (AH, protocol 51): Next Header | Payload Length | Reserved | SPI | Sequence Number | Authentication Data
- Encapsulating Security Protocol (ESP, protocol 50): SPI | Sequence Number | IV | Data | Pad | Pad Length | Next Header | Authentication Data
Slide 7: IPSec Modes
- Tunnel Mode: IP (new outer header) | AH/ESP | IP (original) | TCP | Data
- Transport Mode: IP | AH/ESP | TCP | Data
Slide 8: Crypto Route Map
- Crypto map
  – Static or Dynamic
- IKE Policy
- Additional Optional Steps
  – User authentication
  – Peer configuration
- Integrate with overall router config
Slide 9: IKE Policies
- Algorithms to be offered
- Authentication method
  – Pre-shared key
  – X.509 certificates
  – RSA encrypted nonces
- Diffie-Hellman Group
Slide 10: GSMD Physical Installation
[Diagram: Remote Site linked to Main Campus]
Slide 11: GSMD: Equipment at Remote Site
- ‘Wires Only’ ADSL Connection
  – One Static IP Address
- Splitter
- Cisco 827H Router
  – Ethernet hub (4 ports) plus ATM port
Slide 12: Static Crypto Components
- Create Crypto Map
  – Define trigger (ACL)
  – Peer Identity (IP address or FQDN)
  – Define transform
      Mode (tunnel or transport)
      List of algorithms that will be offered to peer
  – Lifetime of SA
- Bind crypto map to external interface
Slide 13: Authentication of Known Peers
- One-to-one mappings between:
  – Peer IP addresses
  – Shared secret (unique to each peer)
- IKE Phase I Main Mode exchanges:
  1. Negotiate IKE SA and exchange cookies
  2. Diffie-Hellman public values and pseudo-random nonces
  3. Peers identify themselves and exchange authenticating hash
Slide 14: IKE Main Mode
  Initiator -> Responder: Hdr, SA Proposals
  Responder -> Initiator: Hdr, Chosen Proposal
  Initiator -> Responder: Hdr, KE, Nonce
  Responder -> Initiator: Hdr, KE, Nonce
  Initiator -> Responder: Hdr, IDii, Hash_I
  Responder -> Initiator: Hdr, IDir, Hash_R
  IKE SA Established
Slide 15: Coexistence of NAT and IPSec
- IPSec Precedes NAT
  – AH fails because source and/or destination addresses have changed
  – Transport-mode ESP invalidates TCP checksums
  – Invalidates IKE authentication exchange
- NAT Precedes IPSec
  – Crypto triggers do not fire when expected
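The static crypto components of slide 12 and the "NAT precedes IPSec" caveat of slide 15, brought together as an added Cisco IOS configuration example. This is not configuration from the original presentation: the peer address 203.0.113.10, the prefixes 192.168.0.0/24 and 192.168.1.0/24, the interface names and the key placeholder are assumptions chosen for illustration.

```cisco
! IKE policy: algorithms, authentication method and DH group offered to the peer
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! Shared secret indexed by the known peer's IP address (placeholder values)
crypto isakmp key REPLACE-WITH-STRONG-SECRET address 203.0.113.10
!
! Transform: algorithms offered for the IPSec SA, tunnel mode
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto trigger ACL: local LAN to remote LAN (assumed prefixes)
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! NAT ACL: exempt the tunnelled prefix pair so NAT does not rewrite it
! before the crypto trigger is evaluated, then overload everything else
access-list 120 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 120 interface Dialer1 overload
!
! Static crypto map: peer identity, transform, SA lifetime, trigger
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 set security-association lifetime seconds 3600
 match address 110
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! Bind the crypto map to the external interface
interface Dialer1
 ip nat outside
 crypto map VPN
```

Without the deny entry in access-list 120, traffic for 192.168.1.0/24 would be translated first, no longer match access-list 110, and leave the router in clear text instead of triggering the tunnel.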
Slide 16: Dynamic NAT vs Crypto
[Diagram: hosts A1, A2 on the Ethernet side; B1, B2, B3 beyond the IPSec tunnel; Dialer ACL, NAT and crypto applied in order on the router]
Slide 17: Southgate and Capel Manor
- Shared student records database at Southgate
- Database queries & updates over high-speed WAN with crypto
- Back-up interface using ISDN
Slide 18: Integrating Crypto and Routing
1. Create GRE tunnel interface
2. Routing protocol receives updates over T1 & T2
3. Bind crypto map to T1 and T2
4. Watch out for double fragmentations!
Slide 19: Fragmentation Hell
Slide 20: CDD and Physical Installation
Slide 21: CDD: Logical Installation
- Remote peer IP not known
  – Dynamic crypto
  – IKE Phase 1 uses aggressive mode
- Insecure shared secret
  – IKE extended authentication (XAuth)
- Central control of remote peer’s config
  – IPSec Mode-configuration (MODECFG)
Slide 22: Authentication of Unknown Peers
- Pre-shared secret not indexed by IP address
- IKE Phase I Aggressive Mode Exchange
- Supplementary authentication of user credentials
Slide 23: IKE Aggressive Mode
  Initiator -> Responder: Hdr, SA, KE, Nonce, IDii
  Responder -> Initiator: Hdr, SA, KE, Nonce, IDir, Hash_R
  Initiator -> Responder: Hdr, Hash_I
  IKE SA Established
Slide 24: CDD: IKE XAuth
  Router -> PC: ISAKMP_CFG_REQUEST
  PC -> Router: ISAKMP_CFG_REPLY
  Router -> PC: ISAKMP_CFG_SET
  PC -> Router: ISAKMP_CFG_ACK
Slide 25: CDD: Mode Configuration
Remote station configured by router with:
- a private IP address and mask
- a list of local prefixes that will be tunnelled
- a list of local domains and their associated resolvers
Slide 26: Selective Static NAT
! Static translation for 10.0.0.5, applied only when the route-map matches
ip nat inside source static 10.0.0.5 212.219.240.225 route-map selective-nat
!
! Deny the tunnelled prefix so it is not translated; the permit is needed
! because a deny-only ACL would match nothing and NAT would never apply
access-list 100 deny ip host 10.0.0.5 192.168.0.0 0.0.0.255
access-list 100 permit ip host 10.0.0.5 any
!
route-map selective-nat permit 10
 match ip address 100
Slide 27: Windows Gotchas
- Domain Logons Over Tunnel
  – Kerberos not tunnelled
- Shared secret not supported
  – Registry hack