VPN Olga Torstensson IDE Halmstad University What is a VPN? • A Virtual Private Network (VPN) is defined as network connectivity deployed on a shared infrastructure with the same policies and security as a private network. 1 Virtual Private Networks (VPNs) Why Have VPNs? 2 Tunneling and Encryption Use VPNs with a Variety of Devices 3 VPN Types Remote Access VPN Solutions Site-to-Site VPN Solutions 4 Tunneling Protocols VPN Protocols 5 Selecting Layer 3 VPN Tunnel Options Identifying VPN and IPSec Terms • • • • • • • • Tunnel Encryption/Decryption Cryptosystem Hashing Authentication Authorization Key Management Certificate of Authority Service 6 Identifying VPN and IPSec Terms IPSec main protocols are used to provide protection for user data: • Authentication Header – AH • Encapsulating Security Payload – ESP Internet Key Exchange – IKE Internet Security Association Key Management Protocol – ISAKMP Cryptosystem Overview 7 Symmetric Encryption Asymmetric Encryption 8 Key Exchange – Diffie-Hellman Algorithm Hashing 9 Tunnel Versus Transport Mode Security Association 10 Five steps of IPSec Task 1 – Prepare for IKE and IPSec • Task 1 – Prepare for IKE and IPSec – Determine IKE (IKE phase one) policy – Determine IPSec (IKE phase two) policy – Check the current configuration • show running-configuration • show crypto isakmp policy • show crypto map – Ensure the network works without encryption • ping – Ensure access lists are compatible with IPSec • show access-lists 11 Task 1, Step 1 – Determine IKE (IKE Phase 1) Policy • Determine the following policy details: – – – – Key distribution method Authentication method IPSec peer IP addresses and hostnames IKE phase 1 policies for all peers • Encryption algorithm • Hash algorithm • IKE SA lifetime • Goal: Minimize misconfiguration IKE Phase 1 Policy Parameters 12 Task 1, Step 2 – Determine IPSec (IKE Phase 2) Policy • Determine the following policy details: – IPSec algorithms and parameters for optimal security and performance – Transforms and, if necessary, transform sets – IPSec peer details – IP address and applications of hosts to be protected – Manual or IKE-initiated SAs • Goal: Minimize misconfiguration IPSec Transforms Supported in Cisco IOS Software 13 Authentication Header Encapsulating Security Payload 14 IPSec Policy Example Identify IPSec Peers 15 Task 1, Step 3 – Check Current Configuration Task 1, Step 4 – Ensure the Network Works 16 Task 1, Step 5 – Ensure ACLs are Compatible with IPSec Task 2 – Configure IKE • Task 2 – Configure IKE – Step 1 – Enable or disable IKE. • crypto isakmp enable – Step 2 – Create IKE policies. • crypto isakmp policy – Step 3 – Configure ISAKMP. • crypto isakmp identity – Step 4 – Configure pre-shared keys. • crypto isakmp key – Step 5 – Verify the IKE configuration. • show crypto isakmp policy 17 Task 2, Step 1 – Enable IKE Task 2, Step 2 – Create IKE policies 18 Create IKE Policies with the crypto isakmp Command IKE Policy Negotiation 19 Task 2, Step 3 – Configure ISAKMP Identity Task 2, Step 4 – Configure Pre-shared Keys 20 Task 2, Step 5 – Verify IKE Configuration Task 3 – Configure IPSec • Task 3 – Configure IPSec – Step 1 – Configure transform set suites. • crypto ipsec transform-set – Step 2 – Configure global IPSec SA lifetimes. • crypto ipsec security-association lifetime – Step 3 – Create crypto ACLs using extended access lists – Step 4 – Configure IPSec crypto maps. • crypto map – Step 5 – Apply crypto maps to interfaces. • crypto map map-name 21 Task 3, Step 1 – Configure Transform Set Suites Transform Set Negotiation 22 Task 3, Step 2 – Configure Global IPSec Security Association Lifetimes Task 3, Step 2 – Configure Global IPSec Security Association Lifetimes 23 Purpose of Crypto ACLs Task 3, Step 3 – Create Crypto ACLs Using Extended Access Lists 24 Task 3, Step 3 – Create Crypto ACLs Using Extended Access Lists Configure Symmetrical Peer Crypto ACLs 25 Purpose of Crypto Maps • Crypto maps pull together the various parts configured for IPSec, including: – – – – – The traffic to be protected by IPSec and a set of SAs The local address to be used for the IPSec traffic The destination location of IPSec-protected traffic The IPSec type to be applied to this traffic The method of establishing SAs, either manually or by using RSA – Other parameters needed to define an IPSec SA Crypto Map Parameters 26 Task 3, Step 4 – Configure IPSec Crypto Maps Example Crypto Map Commands 27 Task 3, Step 5 – Apply Crypto Maps to Interfaces IPSec Configuration Examples 28 Task 4 – Test and Verify IPSec – Display configured IKE policies. • show crypto isakmp policy • (show isakmp policy on a PIX) – Display configured transform sets. • show crypto ipsec transform-set – Display phase | security associations. • show crypto isakmp sa • (show isakmp sa on a PIX) 29