Virtual Private Network Configuration

Presentation on theme: "Virtual Private Network Configuration"— Presentation transcript:

1 Virtual Private Network Configuration
Lesson 9 Virtual Private Network Configuration © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—11-1

2 Secure VPNs

3 VPN Overview
[Diagram: Home Office, Remote Office, Mobile Worker and Business Partner connect through POPs over the VPN to the Main Office]
Intranet VPN has low-cost, tunneled connections with rich VPN services, which lead to cost savings and new applications.
Remote access VPN is cost-saving.
Extranet VPN extends WANs to business partners, which leads to new applications and business models.

4 IPSec Enables Security Appliance VPN Features
[Diagram: IPSec tunnel across the Internet]
Data confidentiality
Data integrity
Data authentication
Anti-replay

5 What Is IPSec?
[Diagram: IPSec tunnel across the Internet]
IETF standard that enables encrypted communication between peers
Consists of open standards for securing private communications
Has network layer encryption that ensures data confidentiality, integrity, and authentication
Scales from small to very large networks
Is included in PIX Firewall v5.0 and later

6 IPSec Standards Supported by the Security Appliance
ESP
IKE
DES
3DES
AES
DH
MD5
SHA
RSA Signatures
CAs

7 How IPSec Works

8 Five Steps of IPSec
[Diagram: Host A, Security Appliance A, Security Appliance B, Host B]
Interesting traffic: The VPN devices recognize the traffic to protect.
IKE Phase 1: The VPN devices negotiate an IKE security policy and establish a secure channel.
IKE Phase 2: The VPN devices negotiate an IPSec security policy to protect IPSec data.
Data transfer: The VPN devices apply security services to traffic, then transmit the traffic.
Tunnel terminated: The tunnel is torn down.

9 Step 1: Interesting Traffic
[Diagram: Host A, Security Appliance A, Security Appliance B, Host B; each flow is marked either Apply IPSec or Send in Clear Text]

10 Step 2: IKE Phase 1
[Diagram: Host A, Security Appliance A, Security Appliance B, Host B]
IKE Phase 1: Main Mode Exchange
Negotiate the Policy
DH Exchange
Verify the Peer Identity

11 IKE Phase 1 Policy Sets
[Diagram: Security Appliance A and Security Appliance B negotiate IKE proposals from their IKE policy sets]
Policy Set 10: DES, MD5, Pre-share, DH1, Lifetime
Policy Set 15: DES, MD5, Pre-share, DH1, Lifetime
Policy Set 20: 3DES, SHA, Pre-share, DH1, Lifetime
Negotiates matching IKE transform sets to protect IKE exchange

12 DH Key Exchange
[Diagram: Alex and Terry exchange Public Key A and Public Key B across the Internet. Public Key B + Private Key A = Shared Secret Key (BA); Public Key A + Private Key B = Shared Secret Key (AB); the two keys are equal. The shared key encrypts "Pay to Terry Smith $100.00 One Hundred and xx/ Dollars" to "4ehIDx67NMop9eR U78IOPotVBn45TR" and decrypts it again on the far side.]
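The exchange on the slide, as an added example that is not part of the Cisco course material: a Python run of DH with the IKE group 1 (768-bit) and group 2 (1024-bit) MODP parameters from RFC 2409. The Alex/Terry names, the Peer class and the degenerate-value check are this example's own.

```python
import secrets

# RFC 2409 group 1 (768-bit) and group 2 (1024-bit) primes, generator 2 for both.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUPS = {1: GROUP1_P, 2: GROUP2_P}   # isakmp policy N group 1|2
G = 2


class Peer:
    """One IKE peer (Alex or Terry on the slide) holding a private value for one DH group."""

    def __init__(self, name, group):
        self.name, self.p = name, GROUPS[group]
        self.private = secrets.randbelow(self.p - 2) + 1   # private key, never sent
        self.public = pow(G, self.private, self.p)         # public key, sent in Main Mode

    def shared_secret(self, peer_public):
        # Reject degenerate public values; 1 or p-1 would force a trivial shared secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("bad DH public value from peer")
        return pow(peer_public, self.private, self.p)


def run_exchange(group):
    """Return (secret computed by Alex, secret computed by Terry) for one DH group.

    Only the two public values cross the Internet; each side combines the peer's
    public value with its own private value, and both arrive at the same key.
    """
    alex, terry = Peer("Alex", group), Peer("Terry", group)
    return alex.shared_secret(terry.public), terry.shared_secret(alex.public)


if __name__ == "__main__":
    for grp in (1, 2):
        key_a, key_b = run_exchange(grp)
        print(f"group {grp}: shared secrets match = {key_a == key_b}")
```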

13 Authenticate Peer Identity
[Diagram: Remote Office (Security Appliance A), Internet, Corporate Office (Security Appliance B, HR Servers); peer authentication between the two appliances]
Peer authentication methods:
Pre-shared keys
RSA Signature
DSA Signature

14 Step 3: IKE Phase 2
[Diagram: Host A, Security Appliance A, Security Appliance B, Host B]
Negotiate IPSec Security Parameters

15 IPSec Transform Sets
[Diagram: Security Appliance A and Security Appliance B negotiate transform sets from their IPSec transform sets]
Transform Set 30: ESP, 3DES, SHA, Tunnel, Lifetime
Transform Set 55: ESP, 3DES, SHA, Tunnel, Lifetime
Transform Set 40: ESP, DES, MD5, Tunnel, Lifetime
A transform set is a combination of algorithms and protocols that enacts a security policy for traffic.

16 SAs
[Diagram: security appliance to a bank across the Internet, with the SAD and SPD tables]
SAD: Destination IP address, SPI, Protocol
SPD: Encryption algorithm, Authentication algorithm, Mode, Key lifetime
SPI-12: ESP/3DES/SHA, Tunnel, 28800
SPI-39: ESP/DES/MD5, Tunnel, 28800

17 SA Lifetime
Data-Based
Time-Based

18 Step 4: IPSec Session
[Diagram: Host A, Security Appliance A, Security Appliance B, Host B; IPSec session between the appliances]
SAs are exchanged between peers.
The negotiated security services are applied to the traffic.

19 Step 5: Tunnel Termination
[Diagram: Host A, Security Appliance A, Security Appliance B, Host B; IPSec tunnel between the appliances]
A tunnel is terminated:
By an SA lifetime timeout
If the packet counter is exceeded
Removes IPSec SA

20 Configure VPN Connection Parameters

21 tunnel-group Command
To create and manage the database of connection-specific records for IPSec, use the tunnel-group command in global configuration mode. The tunnel-group command has the following subcommands:
tunnel-group general-attributes
tunnel-group ipsec-attributes
firewall(config)# tunnel-group name type type
fw1(config)# tunnel-group training type ipsec-l2l

22 tunnel-group general-attributes Command
The general-attributes sub-configuration mode is used to configure settings that are common to all supported tunneling protocols. The tunnel-group general-attributes command has the following subcommands:
accounting-server-group
address-pool
authentication-server-group
authorization-server-group
default-group-policy
dhcp-server
strip-group
strip-realm
firewall(config)# tunnel-group name general-attributes
fw1(config)# tunnel-group training general
fw1(config-general)#

23 tunnel-group ipsec-attributes Command
The ipsec-attributes sub-configuration mode is used to configure settings that are specific to the IPSec tunneling protocol. The tunnel-group ipsec-attributes command has the following subcommands:
authorization-dn-attributes
authorization-required
chain
client-update
isakmp keepalive
peer-id-validate
pre-shared-key
radius-with-expiry
trust-point
firewall(config)# tunnel-group name ipsec-attributes
fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)#

24 IPSec Configuration Tasks

25 Configuring IPSec Encryption
Task 1: Prepare to configure VPN support.
Task 2: Configure IKE parameters.
Task 3: Configure IPSec parameters.
Task 4: Test and verify VPN configuration.

26 Task 1: Prepare to Configure VPN Support

27 Task 1: Prepare for IKE and IPSec
Step 1: Determine the IKE (IKE Phase 1) policy.
Step 2: Determine the IPSec (IKE Phase 2) policy.
Step 3: Ensure that the network works without encryption.
Step 4: (Optional) Implicitly permit IPSec packets to bypass security appliance ACLs and access groups.

28 Determine IKE Phase 1 Policy
Parameter: Strong; Stronger
Encryption algorithm: DES; 3DES or AES
Hash algorithm: MD5; SHA-1
Authentication method: Pre-share; RSA Signature
Key exchange: DH Group 1; DH Group 2 or 5
IKE SA lifetime: 86,400 seconds; less than 86,400 seconds

29 Determine IPSec (IKE Phase 2) Policy
[Diagram: Site 1 (Security Appliance 1), Internet, Site 2 (Security Appliance 6)]
Policy: Site 1; Site 2
Transform set: ESP-DES, tunnel; ESP-DES, tunnel
Peer security appliance IP address
Encrypting hosts
Traffic (packet type) to be encrypted: IP; IP

30 Task 2: Configure IKE Parameters

31 Task 2: Configure IKE
Step 1: Enable or disable IKE.
Step 2: Configure IKE Phase 1 policy.
Step 3: Configure a tunnel group.
Step 4: Configure the tunnel group attributes pre-shared key.
Step 5: Verify IKE Phase 1 policy.

32 Enable or Disable IKE
[Diagram: Site 1 (Security Appliance 1), Internet, Site 2 (Security Appliance 6)]
firewall(config)# isakmp enable interface-name
Enables or disables IKE on the security appliance interfaces
Disables IKE on interfaces not used for IPSec
fw1(config)# isakmp enable outside

33 Configure IKE Phase 1 Policy
[Diagram: Site 1 (Security Appliance 1), Internet, Site 2 (Security Appliance 6)]
fw1(config)# isakmp policy 10 encryption des
fw1(config)# isakmp policy 10 hash sha
fw1(config)# isakmp policy 10 authentication pre-share
fw1(config)# isakmp policy 10 group 1
fw1(config)# isakmp policy 10 lifetime 86400
Creates a policy suite grouped by priority number
Creates policy suites that match peers
Can use default values

34 Configure a Tunnel Group
[Diagram: Site 1 (Security Appliance 1), Internet, Site 2 (Security Appliance 6); each side has a Tunnel Group of type L2L IPSec]
firewall(config)# tunnel-group name type type
Names the tunnel group
Defines the type of VPN connection that is to be established
fw1(config)# tunnel-group type ipsec-l2l

35 Configure Tunnel Group Attributes Pre-Shared Key
[Diagram: Site 1 (Security Appliance 1), Internet, Site 2 (Security Appliance 6); both tunnel groups use isakmp key cisco123]
firewall(config)# tunnel-group name [general-attributes | ipsec-attributes]
Enters tunnel-group ipsec-attributes subconfiguration mode
firewall(config-ipsec)# pre-shared-key key
Associates a pre-shared key with the connection policy
fw1(config)# tunnel-group ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123

36 Verify IKE Phase 1 Policy
[Diagram: Site 1 (Security Appliance 1), Internet, Site 2 (Security Appliance 6)]
fw1# show run crypto isakmp
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Displays configured and default IKE protection suites

37 Task 3: Configure IPSec Parameters

38 Task 3: Configure IPSec
Step 1: Configure interesting traffic: NAT 0 and ACL.
access-list 101 permit
nat 0
Step 2: Configure IPSec transform set suites.
crypto ipsec transform-set
Step 3: Configure the crypto map.
crypto map
Step 4: Apply the crypto map.
crypto map map-name interface interface-name

39 Configure Interesting Traffic
[Diagram: Site 1 (Security Appliance 1), Internet, Site 2 (Security Appliance 6); the site-to-site flow is marked Encrypt]
fw1(config)# access-list 101 permit ip
permit = encrypt
deny = do not encrypt

40 Example: Crypto ACLs
[Diagram: Site 1 (Security Appliance 1), Internet, Site 2]
Lists are symmetrical.
Security Appliance 1 (fw1)
fw1# show run access-list
access-list 101 permit ip
Security Appliance 6 (fw6)
fw6# show run access-list
access-list 101 permit ip

41 Configure Interesting Traffic: NAT 0
[Diagram: Site 1 (Security Appliance 1), Internet, Site 2 (Security Appliance 6); the site-to-site flow is marked Do Not Translate]
fw1(config)# nat (inside) 0 access-list 101
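Slides 39 to 41 define interesting traffic with a crypto ACL (permit = encrypt, deny = send in the clear), require the two peers' lists to be mirror images, and reuse the same ACL for nat 0. The following evaluator is an added example, not part of the course; the subnets for fw1 and fw6 are constructed, since the slides' own ACL lines have their addresses stripped.

```python
import ipaddress


def parse_crypto_acl(text):
    """Parse 'access-list N permit|deny ip SRC MASK DST MASK' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 8 or f[0] != "access-list" or f[3] != "ip":
            raise ValueError("unsupported ACE: " + line)
        # PIX/ASA ACLs carry subnet masks (not wildcard masks), so SRC/MASK is the prefix.
        src = ipaddress.ip_network(f"{f[4]}/{f[5]}", strict=False)
        dst = ipaddress.ip_network(f"{f[6]}/{f[7]}", strict=False)
        entries.append((f[2], src, dst))
    return entries


def classify(acl, src_ip, dst_ip):
    """First matching ACE decides: permit = encrypt, deny or no match = clear text.

    The same answer tells you whether 'nat (inside) 0 access-list 101' exempts the
    flow from translation, because slide 41 binds the identical list to nat 0.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acl:
        if s in src and d in dst:
            return "encrypt" if action == "permit" else "clear"
    return "clear"


def mirrors(acl_a, acl_b):
    """Slide 40: every permit on one peer must appear on the other with src and dst swapped."""
    permits_b = {(src, dst) for action, src, dst in acl_b if action == "permit"}
    return all((dst, src) in permits_b for action, src, dst in acl_a if action == "permit")


# Constructed crypto ACLs for fw1 (Site 1) and fw6 (Site 2); not taken from the slides.
FW1_ACL = "access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0"
FW6_ACL = "access-list 101 permit ip 10.0.6.0 255.255.255.0 10.0.1.0 255.255.255.0"
# A /16 on the fw6 side is wider than fw1's /24, so the lists are no longer symmetrical.
FW6_BAD = "access-list 101 permit ip 10.0.6.0 255.255.255.0 10.0.0.0 255.255.0.0"

if __name__ == "__main__":
    fw1, fw6 = parse_crypto_acl(FW1_ACL), parse_crypto_acl(FW6_ACL)
    print(classify(fw1, "10.0.1.5", "10.0.6.20"), classify(fw1, "10.0.1.5", "192.0.2.9"))
    print("mirror ok:", mirrors(fw1, fw6), "| mirror with wider list:", mirrors(fw1, parse_crypto_acl(FW6_BAD)))
```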

42 Configure an IPSec Transform Set
[Diagram: Site 1 (Security Appliance 1), Internet, Site 2 (Security Appliance 6)]
firewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2]
Sets are limited to two transforms
Default mode is tunnel
Configures matching sets between IPSec peers
fw1(config)# crypto ipsec transform-set fw6 esp-des esp-md5-hmac

43 Available IPSec Transforms
[Diagram: Site 1 (Security Appliance 1), Internet, Site 2 (Security Appliance 6)]
esp-des: ESP transform using DES cipher (56 bits)
esp-3des: ESP transform using 3DES cipher (168 bits)
esp-aes: ESP transform using AES-128 cipher
esp-aes-192: ESP transform using AES-192 cipher
esp-aes-256: ESP transform using AES-256 cipher
esp-md5-hmac: ESP transform using HMAC-MD5 auth
esp-sha-hmac: ESP transform using HMAC-SHA auth
esp-none: ESP no authentication
esp-null: ESP null encryption
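A small audit that applies the Strong/Stronger table from slide 28 to the `show run crypto isakmp` output of slide 36 and flags the transforms from slide 43 that give no confidentiality or no integrity. It is an added example, not course material; the `show run` excerpt is constructed and mixes the slide 33 policy (des, group 1) with a stronger second policy.

```python
import re

# Rating of each IKE Phase 1 value, taken from the slide 28 table.
IKE_RATING = {"encryption": {"des": "strong", "3des": "stronger", "aes": "stronger",
                             "aes-192": "stronger", "aes-256": "stronger"},
              "hash": {"md5": "strong", "sha": "stronger"},
              "authentication": {"pre-share": "strong", "rsa-sig": "stronger"},
              "group": {"1": "strong", "2": "stronger", "5": "stronger"}}
# ESP transforms from slide 43 that leave packets unencrypted, unauthenticated or on 56-bit DES.
WEAK_TRANSFORMS = {"esp-null": "null encryption", "esp-none": "no authentication",
                   "esp-des": "56-bit DES"}

def audit_isakmp(config):
    """Return {policy_number: [finding, ...]} for each 'isakmp policy N param value' line."""
    findings = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)$", config, re.M):
        num, param, value = m.groups()
        notes = findings.setdefault(num, [])
        if param == "lifetime":
            if int(value) >= 86400:   # slide 28: stronger means below 86,400 seconds
                notes.append(f"lifetime {value}: not below 86,400 seconds")
        elif IKE_RATING.get(param, {}).get(value) == "strong":
            notes.append(f"{param} {value}: only 'strong', a 'stronger' option exists")
    return findings

def audit_transform_sets(config):
    """Return {set_name: [finding, ...]} for each 'crypto ipsec transform-set' line."""
    findings = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+)((?: \S+)+)$", config, re.M):
        name, transforms = m.group(1), m.group(2).split()
        notes = [f"{t}: {WEAK_TRANSFORMS[t]}" for t in transforms if t in WEAK_TRANSFORMS]
        if not any(t.endswith("-hmac") for t in transforms):
            notes.append("no HMAC transform: ESP packets are not authenticated")
        findings[name] = notes
    return findings

# Constructed 'show run' excerpt (not from the slides): policy 10 mirrors slide 33, policy 20 is stronger.
SAMPLE = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
crypto ipsec transform-set fw6 esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto ipsec transform-set bare esp-null
"""
```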

44 Configure the Crypto Map
[Diagram: Site 1 (Security Appliance 1), Internet, Site 2 (Security Appliance 6)]
fw1(config)# crypto map FW1MAP 10 match address 101
fw1(config)# crypto map FW1MAP 10 set peer
fw1(config)# crypto map FW1MAP 10 set transform-set pix6
fw1(config)# crypto map FW1MAP 10 set security-association lifetime seconds 28800
Specifies IPSec (IKE Phase 2) parameters
Maps names and sequence numbers of group entries into a policy

45 Apply the Crypto Map to an Interface
[Diagram: Site 1 (Security Appliance 1), Internet, Site 2 (Security Appliance 6)]
firewall(config)# crypto map map-name interface interface-name
Applies the crypto map to an interface
Activates IPSec policy
fw1(config)# crypto map FW1MAP interface outside

46 Example: Crypto Map for Security Appliance 1
[Diagram: Site 1, Internet, Site 2]
Security Appliance 1 (fw1)
fw1# show run crypto map
crypto map FW1MAP 10 match address 101
crypto map FW1MAP 10 set peer
crypto map FW1MAP 10 set transform-set pix6
crypto map FW1MAP interface outside

47 Example: Crypto Map for Security Appliance 6
[Diagram: Site 1, Internet, Site 2]
Security Appliance 6 (fw6)
fw6# show run crypto map
crypto map FW1MAP 10 match address 101
crypto map FW1MAP 10 set peer
crypto map FW1MAP 10 set transform-set pix1
crypto map FW1MAP interface outside

48 Task 4: Test and Verify VPN Configuration

49 Task 4: Test and Verify VPN Configuration
Verify ACLs and interesting traffic.
show run access-list
Verify correct IKE configuration.
show run isakmp
show run tunnel-group
Verify correct IPSec configuration.
show run ipsec

50 Task 4: Test and Verify VPN Configuration (Cont.)
Verify correct crypto map configuration.
show run crypto map
Clear IPSec SA.
clear crypto ipsec sa
Clear IKE SA.
clear crypto isakmp sa
Debug IKE and IPSec traffic through the security appliance.
debug crypto ipsec
debug crypto isakmp

51 Scale Security Appliance VPNs

52 CA Server Fulfilling Requests from IPSec Peers
Each IPSec peer individually enrolls with the CA server.

53 Enroll a Security Appliance with a CA
[Diagram: security appliance enrolling with the CA Server]
The security appliance generates a public and private key pair.
The security appliance obtains the public key and certificate from the CA.
The security appliance requests a signed certificate from the CA.
The CA administrator verifies the request and sends the signed certificate.

54 Summary
A VPN is a service that offers secure, reliable connectivity over a shared public network infrastructure such as the Internet.
Cisco security appliances enable a secure VPN.
IPSec configuration tasks include configuring IKE and IPSec parameters.
CAs enable scaling to a large number of IPSec peers.
