Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Access for Remote Users: Practical IPSec Dr John S. Graham ULCC

Published byCory Thomas Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Access for Remote Users: Practical IPSec Dr John S. Graham ULCC"— Presentation transcript:

1 Network Access for Remote Users: Practical IPSec Dr John S. Graham ULCC johng@nosc.ja.net

2 Review of Technologies Remote Site –Private Leased Lines Kilostream or Megastream Circuits LES –ISDN –EPS8/9 –ISP Remote User –Private Dialup Service –ISP

3 Summary of Installations Remote Site –Guildhall School of Music and Drama –Southgate and Capel Manor Colleges Remote Users –Conservatoire of Dance and Drama

4 Traditional Dialup Service  High Costs  Support Burden  Limited to 56K Analogue Dialup  Limited Service Security Guaranteed

5 Virtual Private Network Highly Flexible Solution Uses Existing Infrastructure  Complex Security Issues

6 IPSec Protocols Sequence Number Authentication Data SPI Next Header Payload Length Reserved Authentication Header (51) Encapsulating Security Protocol (50) Sequence Number SPI Authentication Data Data Pad Length Pad IV Next Header

7 IPSec Modes Tunnel Mode Transport Mode IP AH/ESP TCPIPData AH/ESP TCPIPData

8 Crypto Route Map Crypto map –Static or Dynamic IKE Policy Additional Optional Steps –User authentication –Peer configuration Integrate with overall router config

9 IKE Policies Algorithms to be offered Authentication method –Pre-shared key –X.509 certificates –RSA encrypted nonces Diffie-Hellman Group

10 GSMD Physical Installation Remote SiteMain Campus

11 GSMD: Equipment at Remote Site ‘Wires Only’ ADSL Connection –One Static IP Address Splitter Cisco 827H Router –Ethernet hub (4 ports) plus ATM port

12 Static Crypto Components Create Crypto Map –Define trigger (ACL) –Peer Identity (IP address or FQDN) –Define transform Mode (tunnel or transport) List of algorithms that will be offered to peer –Lifetime of SA Bind crypto map to external interface

13 Authentication of Known Peers One-to-one mappings between: –Peer IP addresses –Shared secret (unique to each peer) IKE Phase I Main Mode exchanges: 1.Negotiate IKE SA and exchange cookies 2.Diffie-Hellman public values and pseudo- random nonces 3.Peers identify themselves and exchange authenticating hash

14 IKE Main Mode Hdr, SA Proposals Hdr, Chosen Proposal Hdr, KE, Nonce Hdr, IDii, Hash_I Hdr, IDir, Hash_R IKE SA Established InitiatorResponder

15 Coexistence of NAT and IPSec IPSec Precedes NAT –AH fails because source and/or destination addresses have changed –Transport-mode ESP invalidates TCP checksums –Invalidates IKE authentication exchange NAT Precedes IPSec –Crypto triggers do not fire when expected

16 Dynamic NAT vs Crypto A1 A2 B1 B2 B3 Dialer ACL Ethernet NAT IPSec Tunnel Crypto

17 Southgate and Capel Manor Shared student records database at Southgate Database queries & updates over high- speed WAN with crypto. Back-up interface using ISDN

18 Integrating Crypto and Routing 1.Create GRE tunnel interface 2.Routing protocol receives updates over T1 & T2 3.Bind crypto map to T1 and T2 4.Watch out for double fragmentations!

19 Fragmentation Hell

20 CDD and Physical Installation

21 CDD: Logical Installation Remote peer IP not known –Dynamic crypto –IKE Phase 1 uses aggressive mode Insecure shared secret –IKE extended authentication (XAuth) Central control of remote peer’s config –IPSec Mode-configuration (MODECFG)

22 Authentication of Unknown Peers Pre-shared secret not indexed by IP address IKE Phase I Aggressive Mode Exchange Supplementary authentication of user credentials

23 IKE Aggressive Mode Hdr, SA, KE, Nonce, IDii Hdr, SA, KE, Nonce, IDir, Hash_R Hdr, Hash_I IKE SA Established InitiatorResponder

24 CDD: IKE XAuth Router  PC –ISAKMP_CFG_REQUEST PC  Router –ISAKMP_CFG_REPLY Router  PC –ISAKMP_CFG_SET PC  Router –ISAKMP_CFG_ACK

25 CDD: Mode Configuration Remote station configured by router with: a private IP address and mask a list of local prefixes that will be tunnelled a list of local domains and their associated resolvers

26 Selective Static NAT ip nat inside source static 10.0.0.5 212.219.240.225 route-map selective-nat ! access-list 100 deny ip host 10.0.0.5 192.168.0.0 0.0.0.255 ! route-map selective-nat permit 10 match ip address 100

27 Windows Gotchas Domain Logons Over Tunnel –Kerberos not tunnelled Shared secret not supported –Registry hack

28

Download ppt "Network Access for Remote Users: Practical IPSec Dr John S. Graham ULCC"

Similar presentations

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
Agenda VPN tunnels Configuration of basic core network components Maintenance of Cisco devices Exercises & troubleshooting.

Agenda VPN tunnels Configuration of basic core network components Maintenance of Cisco devices Exercises & troubleshooting.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.

Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 Implementing Virtual Private Networks.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 Implementing Virtual Private Networks.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

Similar presentations

Ads by Google