Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

What is a VPN?

advertisement 
VPN
Olga Torstensson
IDE
Halmstad University
What is a VPN?
• A Virtual Private Network (VPN) is
defined as network connectivity deployed
on a shared infrastructure with the same
policies and security as a private network.
1
Virtual Private Networks (VPNs)
Why Have VPNs?
2
Tunneling and Encryption
Use VPNs with a Variety of Devices
3
VPN Types
Remote Access VPN Solutions
Site-to-Site VPN Solutions
4
Tunneling Protocols
VPN Protocols
5
Selecting Layer 3 VPN Tunnel Options
Identifying VPN and IPSec Terms
•
•
•
•
•
•
•
•
Tunnel
Encryption/Decryption
Cryptosystem
Hashing
Authentication
Authorization
Key Management
Certificate of Authority Service
6
Identifying VPN and IPSec Terms
IPSec main protocols are used to provide
protection for user data:
• Authentication Header – AH
• Encapsulating Security Payload – ESP
Internet Key Exchange – IKE
Internet Security Association Key
Management Protocol – ISAKMP
Cryptosystem Overview
7
Symmetric Encryption
Asymmetric Encryption
8
Key Exchange – Diffie-Hellman
Algorithm
Hashing
9
Tunnel Versus Transport Mode
Security Association
10
Five steps of IPSec
Task 1 – Prepare for IKE and IPSec
• Task 1 – Prepare for IKE and IPSec
– Determine IKE (IKE phase one) policy
– Determine IPSec (IKE phase two) policy
– Check the current configuration
• show running-configuration
• show crypto isakmp policy
• show crypto map
– Ensure the network works without encryption
• ping
– Ensure access lists are compatible with IPSec
• show access-lists
11
Task 1, Step 1 –
Determine IKE (IKE Phase 1) Policy
• Determine the following policy details:
–
–
–
–
Key distribution method
Authentication method
IPSec peer IP addresses and hostnames
IKE phase 1 policies for all peers
• Encryption algorithm
• Hash algorithm
• IKE SA lifetime
• Goal: Minimize misconfiguration
IKE Phase 1 Policy Parameters
12
Task 1, Step 2 –
Determine IPSec (IKE Phase 2) Policy
• Determine the following policy details:
– IPSec algorithms and parameters for optimal security
and performance
– Transforms and, if necessary, transform sets
– IPSec peer details
– IP address and applications of hosts to be protected
– Manual or IKE-initiated SAs
• Goal: Minimize misconfiguration
IPSec Transforms Supported in
Cisco IOS Software
13
Authentication Header
Encapsulating Security Payload
14
IPSec Policy Example
Identify IPSec Peers
15
Task 1, Step 3 –
Check Current Configuration
Task 1, Step 4 –
Ensure the Network Works
16
Task 1, Step 5 –
Ensure ACLs are Compatible with IPSec
Task 2 – Configure IKE
• Task 2 – Configure IKE
– Step 1 – Enable or disable IKE.
• crypto isakmp enable
– Step 2 – Create IKE policies.
• crypto isakmp policy
– Step 3 – Configure ISAKMP.
• crypto isakmp identity
– Step 4 – Configure pre-shared keys.
• crypto isakmp key
– Step 5 – Verify the IKE configuration.
• show crypto isakmp policy
17
Task 2, Step 1 –
Enable IKE
Task 2, Step 2 –
Create IKE policies
18
Create IKE Policies with the
crypto isakmp Command
IKE Policy Negotiation
19
Task 2, Step 3 –
Configure ISAKMP Identity
Task 2, Step 4 –
Configure Pre-shared Keys
20
Task 2, Step 5 –
Verify IKE Configuration
Task 3 – Configure IPSec
• Task 3 – Configure IPSec
– Step 1 – Configure transform set suites.
• crypto ipsec transform-set
– Step 2 – Configure global IPSec SA lifetimes.
• crypto ipsec security-association lifetime
– Step 3 – Create crypto ACLs using extended access
lists
– Step 4 – Configure IPSec crypto maps.
• crypto map
– Step 5 – Apply crypto maps to interfaces.
• crypto map map-name
21
Task 3, Step 1 –
Configure Transform Set Suites
Transform Set Negotiation
22
Task 3, Step 2 –
Configure Global IPSec Security
Association Lifetimes
Task 3, Step 2 –
Configure Global IPSec Security
Association Lifetimes
23
Purpose of Crypto ACLs
Task 3, Step 3 –
Create Crypto ACLs Using Extended
Access Lists
24
Task 3, Step 3 –
Create Crypto ACLs Using Extended
Access Lists
Configure Symmetrical Peer Crypto
ACLs
25
Purpose of Crypto Maps
• Crypto maps pull together the various parts
configured for IPSec, including:
–
–
–
–
–
The traffic to be protected by IPSec and a set of SAs
The local address to be used for the IPSec traffic
The destination location of IPSec-protected traffic
The IPSec type to be applied to this traffic
The method of establishing SAs, either manually or
by using RSA
– Other parameters needed to define an IPSec SA
Crypto Map Parameters
26
Task 3, Step 4 –
Configure IPSec Crypto Maps
Example Crypto Map Commands
27
Task 3, Step 5 –
Apply Crypto Maps to Interfaces
IPSec Configuration Examples
28
Task 4 – Test and Verify IPSec
– Display configured IKE policies.
• show crypto isakmp policy
• (show isakmp policy on a PIX)
– Display configured transform sets.
• show crypto ipsec transform-set
– Display phase | security associations.
• show crypto isakmp sa
• (show isakmp sa on a PIX)
29
Related documents
PT Lab Doc
PT Lab Doc
Establishment of the VPN connection with the
Establishment of the VPN connection with the
R1(config-crypto-map)
R1(config-crypto-map)
Configuring IPSec VPN
Configuring IPSec VPN
Configuring the Cisco VPN 3000 Concentrator to the PIX Firewall
Configuring the Cisco VPN 3000 Concentrator to the PIX Firewall
PSK Cracking using IKE Aggressive Mode
PSK Cracking using IKE Aggressive Mode
2tcloud-site-to-site-vpn-ipsec
2tcloud-site-to-site-vpn-ipsec
Đây là một cấu hình từ CCO (not tested) 1. Yêu cầu:
Đây là một cấu hình từ CCO (not tested) 1. Yêu cầu:
Network Connectivity Options
Network Connectivity Options
crypto-user
crypto-user
IPSec and TLS
IPSec and TLS
Configuring IPSec on PIX
Configuring IPSec on PIX
IOS IPSec PSK using CLI
IOS IPSec PSK using CLI
crypto map MYMAP
crypto map MYMAP
Download
advertisement