CCNASv2_InstructorPPT_CH8

Chapter 8: Implementing Virtual Private Networks
CCNA Security v2.0

8.0 Introduction
8.1 VPNs
8.2 IPsec VPN Components and Operations
8.3 Implementing Site-to-Site IPsec VPNs with CLI
8.4 Summary

© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
8.1 VPNs

Upon completion of this section, you should be able to:
• Describe VPNs and their benefits.
• Compare site-to-site and remote-access VPNs.

VPN Benefits:
• Cost Savings
• Security
• Scalability
• Compatibility

Remote-Access VPN
Site-to-Site VPN
8.2 IPsec VPN Components and Operations

Upon completion of this section, you should be able to:
• Describe the IPsec protocol and its basic functions.
• Compare AH and ESP protocols.
• Describe the IKE protocol.

IPsec Framework
IPsec Implementation Examples

Confidentiality with Encryption
Encryption Algorithms

Hash Algorithms
Security of Hash Algorithms

Peer Authentication Methods
PSK
RSA

Diffie-Hellman Key Exchange

AH Protocols
Router Creates Hash and Transmits to Peer
Peer Router Compares Recomputed Hash to Received Hash

Apply ESP and AH in Two Modes
ESP Tunnel Mode
8.3 Implementing Site-to-Site IPsec VPNs with CLI

Upon completion of this section, you should be able to:
• Describe IPsec negotiation and the five steps of IPsec configuration.
• Configure the ISAKMP policy.
• Configure the IPsec policy.
• Configure and apply a crypto map.
• Verify the IPsec VPN.

IPsec VPN Negotiation:
Step 1 - Host A sends interesting traffic to Host B.
Step 2 - R1 and R2 negotiate an IKE Phase 1 session.
Step 3 - R1 and R2 negotiate an IKE Phase 2 session.
Step 4 - Information is exchanged via IPsec tunnel.
Step 5 - The IPsec tunnel is terminated.
XYZCORP Security Policy:
• Encrypt traffic with AES 256 and SHA
• Authentication with PSK
• Exchange keys with group 24
• ISAKMP tunnel lifetime is 1 hour
• IPsec tunnel uses ESP with a 15-min. lifetime

Configuration Tasks:
1. Configure the ISAKMP policy for IKE Phase 1
2. Configure the IPsec policy for IKE Phase 2
3. Configure the crypto map for IPsec policy
4. Apply the IPsec policy
5. Verify the IPsec tunnel is operational
ACL Syntax for IPsec Traffic
Permitting Traffic for IPsec Negotiations

The crypto isakmp key Command
Pre-Shared Key Configuration
The IKE Phase 1 Tunnel Does Not Exist Yet

Configure an ACL to Define Interesting Traffic
The crypto ipsec transform-set Command

Crypto Map Configuration Commands
Crypto Map Configuration

Use Extended Ping to Send Interesting Traffic
Verify the ISAKMP Tunnel is Established
Verify the IPsec Tunnel is Established
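The following is an added example, not a slide from the Cisco deck, that carries the five XYZCORP configuration tasks and the command slides above (crypto isakmp key, crypto ipsec transform-set, crypto map, extended ping, show crypto) through as one IOS configuration for R1. The router names, the LAN and WAN addresses, the interface name, the ACL numbers and the PSK placeholder are all constructed for the example; R2 gets the mirror-image configuration with the addresses swapped.

```cisco
! R1 side of the XYZCORP site-to-site tunnel. Addresses, interface and
! ACL numbers are constructed for this example; R2 mirrors them.
!
! Task 1: ISAKMP policy for IKE Phase 1
!   AES-256, SHA, PSK authentication, DH group 24, 1-hour (3600 s) lifetime
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 24
 lifetime 3600
!
! Pre-shared key bound to the peer's WAN address (placeholder value;
! use a long random secret and keep it identical on both routers)
crypto isakmp key REPLACE_WITH_STRONG_PSK address 172.30.2.2
!
! Interesting traffic: LAN behind R1 to LAN behind R2.
! R2 uses the mirror image (10.2.2.0 -> 10.1.1.0).
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! If an inbound ACL already sits on the WAN interface, it must also let the
! negotiation itself through: ISAKMP (UDP 500), NAT-T (UDP 4500), ESP and AH.
access-list 101 permit udp host 172.30.2.2 host 172.30.1.1 eq isakmp
access-list 101 permit udp host 172.30.2.2 host 172.30.1.1 eq non500-isakmp
access-list 101 permit esp host 172.30.2.2 host 172.30.1.1
access-list 101 permit ahp host 172.30.2.2 host 172.30.1.1
!
! Task 2: IPsec policy for IKE Phase 2
!   ESP with AES-256 encryption and SHA-1 HMAC, tunnel mode (the default)
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Task 3: crypto map ties peer, transform set, interesting traffic and the
!   15-minute (900 s) IPsec SA lifetime together
crypto map VPN-MAP 10 ipsec-isakmp
 description Site-to-site tunnel to R2
 set peer 172.30.2.2
 set transform-set VPN-SET
 set security-association lifetime seconds 900
 match address 110
!
! Task 4: apply the crypto map to the outside interface
interface GigabitEthernet0/0
 ip address 172.30.1.1 255.255.255.0
 ip access-group 101 in
 crypto map VPN-MAP
!
! Task 5: verify. Right after configuration "show crypto isakmp sa" is
! empty, because the IKE Phase 1 tunnel does not exist until interesting
! traffic matches ACL 110. An extended ping sourced from the inside
! interface triggers negotiation:
!   R1# ping 10.2.2.1 source 10.1.1.1
!   R1# show crypto isakmp sa      (state QM_IDLE once Phase 1 is up)
!   R1# show crypto ipsec sa       (#pkts encaps/#pkts decaps increment)
```

The first echo request of the ping is normally lost while both phases negotiate; a second ping succeeds once `show crypto ipsec sa` reports active SAs. The policy parameters are the deck's own; outside the lab, Cisco's next-generation encryption guidance prefers SHA-256 HMAC and the ECDH groups 19 or 20 over SHA-1 and group 24.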
8.4 Summary

Chapter Objectives:
• Explain the purpose of VPNs.
• Explain how IPsec VPNs operate.
• Configure a site-to-site IPsec VPN, with pre-shared key authentication, using the CLI.

Thank you.
• Remember, there are helpful tutorials and user guides available via your NetSpace home page. (https://www.netacad.com)
• These resources cover a variety of topics including navigation, assessments, and assignments.
• A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes.