CCNA Security 1.1
Instructional Resource
Chapter 8 – Implementing Virtual Private Networks
© 2012 Cisco and/or its affiliates. All rights reserved.
1
• Describe the purpose and types of VPNs and define where to use VPNs
in a network.
• Describe how to configure a GRE VPN tunnel.
• Describe the fundamental concepts and technologies of VPNs, and
terms that IPsec VPNs use.
• Describe how to configure a site-to-site IPsec VPN.
• Configure a site-to-site IPsec VPN with PSK authentication using CLI
and Cisco CCP.
• Describe the two common remote network access methods used in
enterprise networks.
• Describe how the Cisco VPN Client is used in an IPsec remote-access
VPN.
• Describe how Secure Socket Layer (SSL) is used in a remote-access
VPN.
• Configure a remote-access IPsec VPN using CLI and Cisco CCP.
© 2012 Cisco and/or its affiliates. All rights reserved.
2
9.0 Implementing VPN Technologies
9.2 Describe VPN technologies
•
9.2.1 IPsec
•
9.2.2 SSL
9.3 Describe the building blocks of IPsec
•
9.3.1 IKE
•
9.3.2 ESP
•
9.3.3 AH
•
9.3.4 Tunnel mode
•
9.3.5 Transport mode
9.4 Implement an IOS IPSec site-to-site VPN with pre-shared key
authentication
•
9.4.1 CCP
•
9.4.2 CLI
© 2012 Cisco and/or its affiliates. All rights reserved.
3
• A VPN is a private network that is created via tunneling over a public
network. It can deployed as a site-to-site and remote access VPN.
• Generic routing encapsulation (GRE) is a tunneling protocol that is used
to create a point-to-point link, supports multiprotocol tunneling, and can
be used in combination with IPsec.
• IPsec is a framework of open standards that establishes the rules for
secure communications. It relies on existing algorithms to achieve
encryption, authentication, and key exchange.
• When creating a site-to-site VPN, ensure that the existing ACLs do not
block IPsec traffic, define the IKE parameters and IPsec transform set,
configure the crypto ACL and create and apply a crypto map.
• Use the CCP Quick Setup VPN wizard or the Step-by-Step wizard to
create and monitor an IPsec VPN.
• Remote access connections can be configured using CCP.
© 2012 Cisco and/or its affiliates. All rights reserved.
4
• Chapter 8 Lab A: Configuring a Site-to-Site VPN Using Cisco IOS
and CCP
– Part 1: Basic Router Configuration
– Part 2: Configure a Site-to-Site VPN Using Cisco IOS
– Part 3: Configure a Site-to-Site VPN using CCP
• Chapter 8 Lab B: Configuring a Remote Access VPN Server and
Client
– Part 1: Basic Router Configuration
– Part 2: Configuring a Remote Access VPN
• Chapter 8 Lab C: (Optional) Configuring a Remote Access VPN
Server and Client
– Part 1: Basic Router Configuration
– Part 2: Configuring a Remote Access VPN
© 2012 Cisco and/or its affiliates. All rights reserved.
5
VPN
Virtual Private Network
IPsec
IP Security protocol provides a framework for configuring
secure VPNs.
SSL
Secure Sockets Layer (SSL) uses TCP port 443 (HTTPS)
GRE
Generic routing encapsulation (GRE) is a tunneling protocol
that is used to create a point-to-point link, supports
multiprotocol tunneling, and can be used in combination with
IPsec.
ATM
Asynchronous Transfer Mode standard for cell relay in which
multiple service types are converted to 53 byte cells.
PVC
Permanent Virtual Circuit
MPLS
Multiprotocol Label Switching
POTS
Plain old telephone service
ISDN
Integrated Services Digital Network
© 2012 Cisco and/or its affiliates. All rights reserved.
6
DMVPN
Dynamic Multipoint VPN enables the auto-provisioning of siteto-site IPsec VPNs, combining three Cisco IOS software
features: NHRP, multipoint GRE, and IPsec VPN.
V3PN
Voice and Video Enabled VPN
HSRP
Hot Standby Routing Protocol
NHRP
Next Hop Resolution Protocol is used by routers to
dynamically discover the MAC address of other routers
connected to an NBMA network.
Cisco VPN Client
Installed locally on host to establish a secure IPsec end-to-end
VPN.
Cisco AnyConnect
Installed locally on host (or smart device) to establish a secure
SSL or IPsec end-to-end VPN.
AIM
Advanced integration modules
SPA
Shared Port Adapter provides VPN support on Catalyst 6500
switches and higher end routers.
VAM2+
VPN Accelerator Module 2+
© 2012 Cisco and/or its affiliates. All rights reserved.
7
PSK
Pre-shared keys
ESP
Encapsulation Security Payload (IP protocol 50) can provide
authentication, integrity, and confidentiality using encryption.
AH
Authentication Header (IP protocol 51) provides authentication
and integrity but it does not provide data confidentiality
(encryption) of packets.
DES
Data Encryption Standard
3DES
Triple Data Encryption Standard
AES
Advanced Encryption Standard
SEAL
Software-Optimized Encryption Algorithm
HMAC
Hashed Message Authentication Codes (HMAC) is a data
integrity algorithm that guarantees the integrity of the message
using a hash value.
© 2012 Cisco and/or its affiliates. All rights reserved.
8
HMAC-MD5
HMAC-Message Digest 5 uses a 128-bit shared-secret key.
The variable-length message and 128-bit shared secret key
are combined and run through the HMAC-MD5 hash
algorithm. The output is a 128-bit hash.
HMAC-SHA-1
HMAC-Secure Hash Algorithm 1 uses a 160-bit secret key.
The variable-length message and the 160-bit shared secret
key are combined and run through the HMAC-SHA-1 hash
algorithm. The output is a 160-bit hash.
RSA
Rivest, Shamir, and Adleman (RSA) algorithm
DH
Diffie-Hellman key agreement is a public key exchange
method that provides a way for two peers to establish a
shared secret key that only they know, even though they are
communicating over an insecure channel.
Tunnel Mode
ESP tunnel mode is used between a host and a security
gateway or between two security gateways.
Transport Mode
ESP transport mode is used between hosts. Transport mode
works well with GRE, because GRE hides the addresses of
the end devices by adding its own IP.
SA
Security Associations
© 2012 Cisco and/or its affiliates. All rights reserved.
9
IKE
Internet Key Exchange protocol (RFC 2409) is used by IPsec
to establish the initial key exchange. IKE uses UDP port 500 to
exchange IKE information between the security gateways. IKE
is a hybrid protocol, combining ISAKMP and the Oakley and
Skeme key exchange methods.
ISAKMP
Internet Security Association and Key Management Protocol
defines the message format, the mechanics of a keyexchange protocol, and the negotiation process to build an SA
for IPsec. ISAKMP does not define how keys are managed or
shared between the two IPsec peers.
Oakley and Skeme
Key exchange methods that have five defined key groups. Of
these groups, Cisco routers support Group 1 (768-bit key),
Group 2 (1024-bit key), and Group 5 (1536-bit key).
IKE Phase 1
Two IPsec peers perform the initial negotiation of SAs. The
basic purpose of Phase 1 is to negotiate IKE policy sets,
authenticate the peers, and set up a secure channel between
the peers. It can be implemented in main mode or agressive
mode.
IKE Phase 2
SAs are negotiated by the IKE process ISAKMP on behalf of
IPsec and is referred to as quick mode.
© 2012 Cisco and/or its affiliates. All rights reserved.
10
Main mode
IKE Phase 1 SA negotiation that requires three exchanges
using six packets.
Aggressive mode
IKE Phase 1 SA negotiation that requires one exchange using
three packets.
Quick mode
IKE Phase 2 SA negotiation that negotiate IPsec security
parameters, establishes IPsec SAs, and periodically
renegotiates IPsec SAs.
QM_IDLE
Displayed in the output of the show crypto isakmp sa
command and indicates an active IKE SA.
RRI
Reverse Route Injection ensures that a static route is created
on the Cisco Easy VPN Server for the internal IP address of
each VPN client.
© 2012 Cisco and/or its affiliates. All rights reserved.
11
• SDM has been replaced by CCP.
© 2012 Cisco and/or its affiliates. All rights reserved.
12
• To explain GRE use the concept of three protocols:
– Passenger protocol (i.e., IPv4 or IPv6) that needs to be encapsulated.
– Carrier protocol (i.e., GRE) that is used to encapsulate the passenger
protocol.
– Transport protocol (i.e., IPv4 or IPv6) that is used to carry the encapsulated
carrier protocol.
• GRE is popular to use to support routing protocols (that require
broadcasts) over an IPsec VPN.
© 2012 Cisco and/or its affiliates. All rights reserved.
13
• Example GRE configuration
© 2012 Cisco and/or its affiliates. All rights reserved.
14
• To configure IPsec VPNs, the IOS must support crypto
parameters.
– Usually indicated by “k9” in the image name. (“k8” indicates limited crypto
commands available)
© 2012 Cisco and/or its affiliates. All rights reserved.
15
• Use the show crypto isakmp sa command to verify if the IKE
Phase 1 negotiation was successful.
– QM_IDLE indicates success.
• Use the debug crypto isakmp command to display Phase 1 and
2 negotiations.
© 2012 Cisco and/or its affiliates. All rights reserved.
16
• To verify IPsec VPN tunnel functionality, use the sequence:
1. clear crypto sa
2. Generate interesting traffic to trigger VPN link
3. show crypto ipsec sa
NOTE: The output of the show crypto ipsec sa command should reveal
encrypted / decrypted packets.
• Use extended pings to generate traffic between LANs
– ping {destination-IP-address} source {source-IP-address}
NOTE: The first ping attempt should fail as it negotiates the initial SA.
• Use the debug crypto ipsec command to display Main
mode negotiations.
© 2012 Cisco and/or its affiliates. All rights reserved.
17
• Common problems encountered when troubleshooting VPNs
include:
– Incorrect ISAKMP policies configured.
– Incorrect crypto keys or peer address configured.
– Crypto map parameters not configured accurately.
– Crypto map not applied to the correct interface (should usually be the outside
interface).
– Invalid ACL statements.
• If pings from the router do not enable the VPN:
– Make sure you are using extended pings or better yet, use an actual host on
the inside network.
© 2012 Cisco and/or its affiliates. All rights reserved.
18
• CCP provides various VPN wizards by choosing Configure >
Security > VPN.
– The wizards vary depending on the type of VPN being configured.
• You can also test to confirm the correct tunnel configuration by
clicking the Test VPN button.
• Verify the VPN status by choosing Monitor > Security > VPN
Status > IPsec Tunnels.
© 2012 Cisco and/or its affiliates. All rights reserved.
19
• Remote access VPNs can be deployed using either IPsec or SSL
VPNs.
– IPsec remote access VPNs are more secure and supports most applications
but requires a client to be pre-installed on a host such as the Cisco VPN client
or Cisco AnyConnect.
– SSL remote access VPNs is more flexible as it is accessed using a web
browser but can only access web enabled applications.
© 2012 Cisco and/or its affiliates. All rights reserved.
20
Mobile User Requirements
SSL-Based
VPN
Categories
Anywhere
Access
Any
Application
IPsec Remote
Access VPN
SSL
IPsec
Web-enabled applications, file
sharing, e-mail
All IP-based applications
Encryption
Moderate
Key lengths from 40 bits to 128 bits
Stronger
Key lengths from 56 bits to 256 bits
Authentication
Moderate
One-way or two-way authentication
Strong
Two-way authentication using
shared secrets or digital certificates
Very easy
Moderately easy
Moderate
Any device can connect
Strong
Only specific devices with specific
configurations can connect
Application support
Ease of Use
Overall Security
© 2012 Cisco and/or its affiliates. All rights reserved.
21
• You will need to download the Cisco VPN client from cisco.com
and provide it to students.
– Cisco VPN client is available for free.
© 2012 Cisco and/or its affiliates. All rights reserved.
22
• Explain to students that this chapter now applies the cryptology
topics discussed in Chapter 7.
• To contrast between the function of a firewall (Chapter 4) and that
of a VPN, explain that a firewall inside the network and a VPN
protects the data traversing the outside network (Internet).
© 2012 Cisco and/or its affiliates. All rights reserved.
23
• Use the analogy of a ocean for the network and each LAN is an
island.
– Without VPN tunnels, you must travel using a ferry between islands which
means there is no privacy.
– With VPN tunnels, you have your own private submarine to go from island to
island.
• Leased lines can be compared to building bridges between
nearby islands.
© 2012 Cisco and/or its affiliates. All rights reserved.
24
• Another analogy is that of two lovers sending mushy letters to
each other.
– They know that letters will pass through many hands, including the postal
service, organization, and perhaps even parents at either end.
– By setting up a secret code in advance, they can send letters without
someone knowing what they’re sending.
© 2012 Cisco and/or its affiliates. All rights reserved.
25
• Refer back in history to how encryption has been used:
– The Spartans with the Scytale
– Julius Caesar for military dispatches.
– Enigma machine during WWII.
• Contrast that with how freely information now flows.
– Encourage discussion on how important VPNs are becoming.
• Ask “Should we be encrypting everything we send?”.
– Consider the overhead (and increased latency) if we did.
– When should we be using VPNs?
© 2012 Cisco and/or its affiliates. All rights reserved.
26
• This chapter is best learned by applying the concepts as much as
possible.
– Student must get their own battle scars.
• Encourage students to come up with their own VPN topology
scenarios.
© 2012 Cisco and/or its affiliates. All rights reserved.
27
• Cisco VPN Main page
– http://www.cisco.com/en/US/products/ps5743/Products_Sub_Category_Home
.html
• Cisco IOS Software Releases 12.4 Mainline
– http://www.cisco.com/en/US/products/ps6350/tsd_products_support_series_h
ome.html
• The Cisco IOS Command Reference
– http://www.cisco.com/en/US/products/ps6350/prod_command_reference_list.
html
• VPN client
– http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html
© 2012 Cisco and/or its affiliates. All rights reserved.
28
© 2011 Cisco and/or its affiliates. All rights reserved.
29