CCNA Security 1.1 Instructional Resource Chapter 8 – Implementing Virtual Private Networks © 2012 Cisco and/or its affiliates. All rights reserved. 1 • Describe the purpose and types of VPNs and define where to use VPNs in a network. • Describe how to configure a GRE VPN tunnel. • Describe the fundamental concepts and technologies of VPNs, and terms that IPsec VPNs use. • Describe how to configure a site-to-site IPsec VPN. • Configure a site-to-site IPsec VPN with PSK authentication using CLI and Cisco CCP. • Describe the two common remote network access methods used in enterprise networks. • Describe how the Cisco VPN Client is used in an IPsec remote-access VPN. • Describe how Secure Socket Layer (SSL) is used in a remote-access VPN. • Configure a remote-access IPsec VPN using CLI and Cisco CCP. © 2012 Cisco and/or its affiliates. All rights reserved. 2 9.0 Implementing VPN Technologies 9.2 Describe VPN technologies • 9.2.1 IPsec • 9.2.2 SSL 9.3 Describe the building blocks of IPsec • 9.3.1 IKE • 9.3.2 ESP • 9.3.3 AH • 9.3.4 Tunnel mode • 9.3.5 Transport mode 9.4 Implement an IOS IPSec site-to-site VPN with pre-shared key authentication • 9.4.1 CCP • 9.4.2 CLI © 2012 Cisco and/or its affiliates. All rights reserved. 3 • A VPN is a private network that is created via tunneling over a public network. It can deployed as a site-to-site and remote access VPN. • Generic routing encapsulation (GRE) is a tunneling protocol that is used to create a point-to-point link, supports multiprotocol tunneling, and can be used in combination with IPsec. • IPsec is a framework of open standards that establishes the rules for secure communications. It relies on existing algorithms to achieve encryption, authentication, and key exchange. • When creating a site-to-site VPN, ensure that the existing ACLs do not block IPsec traffic, define the IKE parameters and IPsec transform set, configure the crypto ACL and create and apply a crypto map. • Use the CCP Quick Setup VPN wizard or the Step-by-Step wizard to create and monitor an IPsec VPN. • Remote access connections can be configured using CCP. © 2012 Cisco and/or its affiliates. All rights reserved. 4 • Chapter 8 Lab A: Configuring a Site-to-Site VPN Using Cisco IOS and CCP – Part 1: Basic Router Configuration – Part 2: Configure a Site-to-Site VPN Using Cisco IOS – Part 3: Configure a Site-to-Site VPN using CCP • Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client – Part 1: Basic Router Configuration – Part 2: Configuring a Remote Access VPN • Chapter 8 Lab C: (Optional) Configuring a Remote Access VPN Server and Client – Part 1: Basic Router Configuration – Part 2: Configuring a Remote Access VPN © 2012 Cisco and/or its affiliates. All rights reserved. 5 VPN Virtual Private Network IPsec IP Security protocol provides a framework for configuring secure VPNs. SSL Secure Sockets Layer (SSL) uses TCP port 443 (HTTPS) GRE Generic routing encapsulation (GRE) is a tunneling protocol that is used to create a point-to-point link, supports multiprotocol tunneling, and can be used in combination with IPsec. ATM Asynchronous Transfer Mode standard for cell relay in which multiple service types are converted to 53 byte cells. PVC Permanent Virtual Circuit MPLS Multiprotocol Label Switching POTS Plain old telephone service ISDN Integrated Services Digital Network © 2012 Cisco and/or its affiliates. All rights reserved. 6 DMVPN Dynamic Multipoint VPN enables the auto-provisioning of siteto-site IPsec VPNs, combining three Cisco IOS software features: NHRP, multipoint GRE, and IPsec VPN. V3PN Voice and Video Enabled VPN HSRP Hot Standby Routing Protocol NHRP Next Hop Resolution Protocol is used by routers to dynamically discover the MAC address of other routers connected to an NBMA network. Cisco VPN Client Installed locally on host to establish a secure IPsec end-to-end VPN. Cisco AnyConnect Installed locally on host (or smart device) to establish a secure SSL or IPsec end-to-end VPN. AIM Advanced integration modules SPA Shared Port Adapter provides VPN support on Catalyst 6500 switches and higher end routers. VAM2+ VPN Accelerator Module 2+ © 2012 Cisco and/or its affiliates. All rights reserved. 7 PSK Pre-shared keys ESP Encapsulation Security Payload (IP protocol 50) can provide authentication, integrity, and confidentiality using encryption. AH Authentication Header (IP protocol 51) provides authentication and integrity but it does not provide data confidentiality (encryption) of packets. DES Data Encryption Standard 3DES Triple Data Encryption Standard AES Advanced Encryption Standard SEAL Software-Optimized Encryption Algorithm HMAC Hashed Message Authentication Codes (HMAC) is a data integrity algorithm that guarantees the integrity of the message using a hash value. © 2012 Cisco and/or its affiliates. All rights reserved. 8 HMAC-MD5 HMAC-Message Digest 5 uses a 128-bit shared-secret key. The variable-length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. HMAC-SHA-1 HMAC-Secure Hash Algorithm 1 uses a 160-bit secret key. The variable-length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. RSA Rivest, Shamir, and Adleman (RSA) algorithm DH Diffie-Hellman key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key that only they know, even though they are communicating over an insecure channel. Tunnel Mode ESP tunnel mode is used between a host and a security gateway or between two security gateways. Transport Mode ESP transport mode is used between hosts. Transport mode works well with GRE, because GRE hides the addresses of the end devices by adding its own IP. SA Security Associations © 2012 Cisco and/or its affiliates. All rights reserved. 9 IKE Internet Key Exchange protocol (RFC 2409) is used by IPsec to establish the initial key exchange. IKE uses UDP port 500 to exchange IKE information between the security gateways. IKE is a hybrid protocol, combining ISAKMP and the Oakley and Skeme key exchange methods. ISAKMP Internet Security Association and Key Management Protocol defines the message format, the mechanics of a keyexchange protocol, and the negotiation process to build an SA for IPsec. ISAKMP does not define how keys are managed or shared between the two IPsec peers. Oakley and Skeme Key exchange methods that have five defined key groups. Of these groups, Cisco routers support Group 1 (768-bit key), Group 2 (1024-bit key), and Group 5 (1536-bit key). IKE Phase 1 Two IPsec peers perform the initial negotiation of SAs. The basic purpose of Phase 1 is to negotiate IKE policy sets, authenticate the peers, and set up a secure channel between the peers. It can be implemented in main mode or agressive mode. IKE Phase 2 SAs are negotiated by the IKE process ISAKMP on behalf of IPsec and is referred to as quick mode. © 2012 Cisco and/or its affiliates. All rights reserved. 10 Main mode IKE Phase 1 SA negotiation that requires three exchanges using six packets. Aggressive mode IKE Phase 1 SA negotiation that requires one exchange using three packets. Quick mode IKE Phase 2 SA negotiation that negotiate IPsec security parameters, establishes IPsec SAs, and periodically renegotiates IPsec SAs. QM_IDLE Displayed in the output of the show crypto isakmp sa command and indicates an active IKE SA. RRI Reverse Route Injection ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client. © 2012 Cisco and/or its affiliates. All rights reserved. 11 • SDM has been replaced by CCP. © 2012 Cisco and/or its affiliates. All rights reserved. 12 • To explain GRE use the concept of three protocols: – Passenger protocol (i.e., IPv4 or IPv6) that needs to be encapsulated. – Carrier protocol (i.e., GRE) that is used to encapsulate the passenger protocol. – Transport protocol (i.e., IPv4 or IPv6) that is used to carry the encapsulated carrier protocol. • GRE is popular to use to support routing protocols (that require broadcasts) over an IPsec VPN. © 2012 Cisco and/or its affiliates. All rights reserved. 13 • Example GRE configuration © 2012 Cisco and/or its affiliates. All rights reserved. 14 • To configure IPsec VPNs, the IOS must support crypto parameters. – Usually indicated by “k9” in the image name. (“k8” indicates limited crypto commands available) © 2012 Cisco and/or its affiliates. All rights reserved. 15 • Use the show crypto isakmp sa command to verify if the IKE Phase 1 negotiation was successful. – QM_IDLE indicates success. • Use the debug crypto isakmp command to display Phase 1 and 2 negotiations. © 2012 Cisco and/or its affiliates. All rights reserved. 16 • To verify IPsec VPN tunnel functionality, use the sequence: 1. clear crypto sa 2. Generate interesting traffic to trigger VPN link 3. show crypto ipsec sa NOTE: The output of the show crypto ipsec sa command should reveal encrypted / decrypted packets. • Use extended pings to generate traffic between LANs – ping {destination-IP-address} source {source-IP-address} NOTE: The first ping attempt should fail as it negotiates the initial SA. • Use the debug crypto ipsec command to display Main mode negotiations. © 2012 Cisco and/or its affiliates. All rights reserved. 17 • Common problems encountered when troubleshooting VPNs include: – Incorrect ISAKMP policies configured. – Incorrect crypto keys or peer address configured. – Crypto map parameters not configured accurately. – Crypto map not applied to the correct interface (should usually be the outside interface). – Invalid ACL statements. • If pings from the router do not enable the VPN: – Make sure you are using extended pings or better yet, use an actual host on the inside network. © 2012 Cisco and/or its affiliates. All rights reserved. 18 • CCP provides various VPN wizards by choosing Configure > Security > VPN. – The wizards vary depending on the type of VPN being configured. • You can also test to confirm the correct tunnel configuration by clicking the Test VPN button. • Verify the VPN status by choosing Monitor > Security > VPN Status > IPsec Tunnels. © 2012 Cisco and/or its affiliates. All rights reserved. 19 • Remote access VPNs can be deployed using either IPsec or SSL VPNs. – IPsec remote access VPNs are more secure and supports most applications but requires a client to be pre-installed on a host such as the Cisco VPN client or Cisco AnyConnect. – SSL remote access VPNs is more flexible as it is accessed using a web browser but can only access web enabled applications. © 2012 Cisco and/or its affiliates. All rights reserved. 20 Mobile User Requirements SSL-Based VPN Categories Anywhere Access Any Application IPsec Remote Access VPN SSL IPsec Web-enabled applications, file sharing, e-mail All IP-based applications Encryption Moderate Key lengths from 40 bits to 128 bits Stronger Key lengths from 56 bits to 256 bits Authentication Moderate One-way or two-way authentication Strong Two-way authentication using shared secrets or digital certificates Very easy Moderately easy Moderate Any device can connect Strong Only specific devices with specific configurations can connect Application support Ease of Use Overall Security © 2012 Cisco and/or its affiliates. All rights reserved. 21 • You will need to download the Cisco VPN client from cisco.com and provide it to students. – Cisco VPN client is available for free. © 2012 Cisco and/or its affiliates. All rights reserved. 22 • Explain to students that this chapter now applies the cryptology topics discussed in Chapter 7. • To contrast between the function of a firewall (Chapter 4) and that of a VPN, explain that a firewall inside the network and a VPN protects the data traversing the outside network (Internet). © 2012 Cisco and/or its affiliates. All rights reserved. 23 • Use the analogy of a ocean for the network and each LAN is an island. – Without VPN tunnels, you must travel using a ferry between islands which means there is no privacy. – With VPN tunnels, you have your own private submarine to go from island to island. • Leased lines can be compared to building bridges between nearby islands. © 2012 Cisco and/or its affiliates. All rights reserved. 24 • Another analogy is that of two lovers sending mushy letters to each other. – They know that letters will pass through many hands, including the postal service, organization, and perhaps even parents at either end. – By setting up a secret code in advance, they can send letters without someone knowing what they’re sending. © 2012 Cisco and/or its affiliates. All rights reserved. 25 • Refer back in history to how encryption has been used: – The Spartans with the Scytale – Julius Caesar for military dispatches. – Enigma machine during WWII. • Contrast that with how freely information now flows. – Encourage discussion on how important VPNs are becoming. • Ask “Should we be encrypting everything we send?”. – Consider the overhead (and increased latency) if we did. – When should we be using VPNs? © 2012 Cisco and/or its affiliates. All rights reserved. 26 • This chapter is best learned by applying the concepts as much as possible. – Student must get their own battle scars. • Encourage students to come up with their own VPN topology scenarios. © 2012 Cisco and/or its affiliates. All rights reserved. 27 • Cisco VPN Main page – http://www.cisco.com/en/US/products/ps5743/Products_Sub_Category_Home .html • Cisco IOS Software Releases 12.4 Mainline – http://www.cisco.com/en/US/products/ps6350/tsd_products_support_series_h ome.html • The Cisco IOS Command Reference – http://www.cisco.com/en/US/products/ps6350/prod_command_reference_list. html • VPN client – http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html © 2012 Cisco and/or its affiliates. All rights reserved. 28 © 2011 Cisco and/or its affiliates. All rights reserved. 29