What is a VPN?

advertisement
VPN
Olga Torstensson
IDE
Halmstad University
What is a VPN?
• A Virtual Private Network (VPN) is
defined as network connectivity deployed
on a shared infrastructure with the same
policies and security as a private network.
1
Virtual Private Networks (VPNs)
Why Have VPNs?
2
Tunneling and Encryption
Use VPNs with a Variety of Devices
3
VPN Types
Remote Access VPN Solutions
Site-to-Site VPN Solutions
4
Tunneling Protocols
VPN Protocols
5
Selecting Layer 3 VPN Tunnel Options
Identifying VPN and IPSec Terms
•
•
•
•
•
•
•
•
Tunnel
Encryption/Decryption
Cryptosystem
Hashing
Authentication
Authorization
Key Management
Certificate of Authority Service
6
Identifying VPN and IPSec Terms
IPSec main protocols are used to provide
protection for user data:
• Authentication Header – AH
• Encapsulating Security Payload – ESP
Internet Key Exchange – IKE
Internet Security Association Key
Management Protocol – ISAKMP
Cryptosystem Overview
7
Symmetric Encryption
Asymmetric Encryption
8
Key Exchange – Diffie-Hellman
Algorithm
Hashing
9
Tunnel Versus Transport Mode
Security Association
10
Five steps of IPSec
Task 1 – Prepare for IKE and IPSec
• Task 1 – Prepare for IKE and IPSec
– Determine IKE (IKE phase one) policy
– Determine IPSec (IKE phase two) policy
– Check the current configuration
• show running-configuration
• show crypto isakmp policy
• show crypto map
– Ensure the network works without encryption
• ping
– Ensure access lists are compatible with IPSec
• show access-lists
11
Task 1, Step 1 –
Determine IKE (IKE Phase 1) Policy
• Determine the following policy details:
–
–
–
–
Key distribution method
Authentication method
IPSec peer IP addresses and hostnames
IKE phase 1 policies for all peers
• Encryption algorithm
• Hash algorithm
• IKE SA lifetime
• Goal: Minimize misconfiguration
IKE Phase 1 Policy Parameters
12
Task 1, Step 2 –
Determine IPSec (IKE Phase 2) Policy
• Determine the following policy details:
– IPSec algorithms and parameters for optimal security
and performance
– Transforms and, if necessary, transform sets
– IPSec peer details
– IP address and applications of hosts to be protected
– Manual or IKE-initiated SAs
• Goal: Minimize misconfiguration
IPSec Transforms Supported in
Cisco IOS Software
13
Authentication Header
Encapsulating Security Payload
14
IPSec Policy Example
Identify IPSec Peers
15
Task 1, Step 3 –
Check Current Configuration
Task 1, Step 4 –
Ensure the Network Works
16
Task 1, Step 5 –
Ensure ACLs are Compatible with IPSec
Task 2 – Configure IKE
• Task 2 – Configure IKE
– Step 1 – Enable or disable IKE.
• crypto isakmp enable
– Step 2 – Create IKE policies.
• crypto isakmp policy
– Step 3 – Configure ISAKMP.
• crypto isakmp identity
– Step 4 – Configure pre-shared keys.
• crypto isakmp key
– Step 5 – Verify the IKE configuration.
• show crypto isakmp policy
17
Task 2, Step 1 –
Enable IKE
Task 2, Step 2 –
Create IKE policies
18
Create IKE Policies with the
crypto isakmp Command
IKE Policy Negotiation
19
Task 2, Step 3 –
Configure ISAKMP Identity
Task 2, Step 4 –
Configure Pre-shared Keys
20
Task 2, Step 5 –
Verify IKE Configuration
Task 3 – Configure IPSec
• Task 3 – Configure IPSec
– Step 1 – Configure transform set suites.
• crypto ipsec transform-set
– Step 2 – Configure global IPSec SA lifetimes.
• crypto ipsec security-association lifetime
– Step 3 – Create crypto ACLs using extended access
lists
– Step 4 – Configure IPSec crypto maps.
• crypto map
– Step 5 – Apply crypto maps to interfaces.
• crypto map map-name
21
Task 3, Step 1 –
Configure Transform Set Suites
Transform Set Negotiation
22
Task 3, Step 2 –
Configure Global IPSec Security
Association Lifetimes
Task 3, Step 2 –
Configure Global IPSec Security
Association Lifetimes
23
Purpose of Crypto ACLs
Task 3, Step 3 –
Create Crypto ACLs Using Extended
Access Lists
24
Task 3, Step 3 –
Create Crypto ACLs Using Extended
Access Lists
Configure Symmetrical Peer Crypto
ACLs
25
Purpose of Crypto Maps
• Crypto maps pull together the various parts
configured for IPSec, including:
–
–
–
–
–
The traffic to be protected by IPSec and a set of SAs
The local address to be used for the IPSec traffic
The destination location of IPSec-protected traffic
The IPSec type to be applied to this traffic
The method of establishing SAs, either manually or
by using RSA
– Other parameters needed to define an IPSec SA
Crypto Map Parameters
26
Task 3, Step 4 –
Configure IPSec Crypto Maps
Example Crypto Map Commands
27
Task 3, Step 5 –
Apply Crypto Maps to Interfaces
IPSec Configuration Examples
28
Task 4 – Test and Verify IPSec
– Display configured IKE policies.
• show crypto isakmp policy
• (show isakmp policy on a PIX)
– Display configured transform sets.
• show crypto ipsec transform-set
– Display phase | security associations.
• show crypto isakmp sa
• (show isakmp sa on a PIX)
29
Download