CCNA Security 1.1 Instructional Resource Chapter 8 Implementing Virtual Private Networks 2012 Cisco and/or its affiliates. All rights reserved. 1
Describe the purpose and types of VPNs and define where to use VPNs in a network. Describe how to configure a GRE VPN tunnel. Describe the fundamental concepts and technologies of VPNs, and terms that IPsec VPNs use. Describe how to configure a site-to-site IPsec VPN. Configure a site-to-site IPsec VPN with PSK authentication using CLI and Cisco CCP. Describe the two common remote network access methods used in enterprise networks. Describe how the Cisco VPN Client is used in an IPsec remote-access VPN. Describe how Secure Socket Layer (SSL) is used in a remote-access VPN. Configure a remote-access IPsec VPN using CLI and Cisco CCP. 2012 Cisco and/or its affiliates. All rights reserved. 2
9.0 Implementing VPN Technologies 9.2 Describe VPN technologies 9.2.1 IPsec 9.2.2 SSL 9.3 Describe the building blocks of IPsec 9.3.1 IKE 9.3.2 ESP 9.3.3 AH 9.3.4 Tunnel mode 9.3.5 Transport mode 9.4 Implement an IOS IPSec site-to-site VPN with pre-shared key authentication 9.4.1 CCP 9.4.2 CLI 2012 Cisco and/or its affiliates. All rights reserved. 3
A VPN is a private network that is created via tunneling over a public network. It can deployed as a site-to-site and remote access VPN. Generic routing encapsulation (GRE) is a tunneling protocol that is used to create a point-to-point link, supports multiprotocol tunneling, and can be used in combination with IPsec. IPsec is a framework of open standards that establishes the rules for secure communications. It relies on existing algorithms to achieve encryption, authentication, and key exchange. When creating a site-to-site VPN, ensure that the existing ACLs do not block IPsec traffic, define the IKE parameters and IPsec transform set, configure the crypto ACL and create and apply a crypto map. Use the CCP Quick Setup VPN wizard or the Step-by-Step wizard to create and monitor an IPsec VPN. Remote access connections can be configured using CCP. 2012 Cisco and/or its affiliates. All rights reserved. 4
Chapter 8 Lab A: Configuring a Site-to-Site VPN Using Cisco IOS and CCP Part 1: Basic Router Configuration Part 2: Configure a Site-to-Site VPN Using Cisco IOS Part 3: Configure a Site-to-Site VPN using CCP Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client Part 1: Basic Router Configuration Part 2: Configuring a Remote Access VPN Chapter 8 Lab C: (Optional) Configuring a Remote Access VPN Server and Client Part 1: Basic Router Configuration Part 2: Configuring a Remote Access VPN 2012 Cisco and/or its affiliates. All rights reserved. 5
VPN IPsec SSL GRE ATM PVC MPLS POTS ISDN Virtual Private Network IP Security protocol provides a framework for configuring secure VPNs. Secure Sockets Layer (SSL) uses TCP port 443 (HTTPS) Generic routing encapsulation (GRE) is a tunneling protocol that is used to create a point-to-point link, supports multiprotocol tunneling, and can be used in combination with IPsec. Asynchronous Transfer Mode standard for cell relay in which multiple service types are converted to 53 byte cells. Permanent Virtual Circuit Multiprotocol Label Switching Plain old telephone service Integrated Services Digital Network 2012 Cisco and/or its affiliates. All rights reserved. 6
DMVPN V3PN HSRP NHRP Cisco VPN Client Cisco AnyConnect AIM SPA Dynamic Multipoint VPN enables the auto-provisioning of siteto-site IPsec VPNs, combining three Cisco IOS software features: NHRP, multipoint GRE, and IPsec VPN. Voice and Video Enabled VPN Hot Standby Routing Protocol Next Hop Resolution Protocol is used by routers to dynamically discover the MAC address of other routers connected to an NBMA network. Installed locally on host to establish a secure IPsec end-to-end VPN. Installed locally on host (or smart device) to establish a secure SSL or IPsec end-to-end VPN. Advanced integration modules Shared Port Adapter provides VPN support on Catalyst 6500 switches and higher end routers. VAM2+ VPN Accelerator Module 2+ 2012 Cisco and/or its affiliates. All rights reserved. 7
PSK ESP AH DES 3DES AES SEAL HMAC Pre-shared keys Encapsulation Security Payload (IP protocol 50) can provide authentication, integrity, and confidentiality using encryption. Authentication Header (IP protocol 51) provides authentication and integrity but it does not provide data confidentiality (encryption) of packets. Data Encryption Standard Triple Data Encryption Standard Advanced Encryption Standard Software-Optimized Encryption Algorithm Hashed Message Authentication Codes (HMAC) is a data integrity algorithm that guarantees the integrity of the message using a hash value. 2012 Cisco and/or its affiliates. All rights reserved. 8
HMAC-MD5 HMAC-SHA-1 RSA DH Tunnel Mode Transport Mode SA HMAC-Message Digest 5 uses a 128-bit shared-secret key. The variable-length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. HMAC-Secure Hash Algorithm 1 uses a 160-bit secret key. The variable-length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. Rivest, Shamir, and Adleman (RSA) algorithm Diffie-Hellman key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key that only they know, even though they are communicating over an insecure channel. ESP tunnel mode is used between a host and a security gateway or between two security gateways. ESP transport mode is used between hosts. Transport mode works well with GRE, because GRE hides the addresses of the end devices by adding its own IP. Security Associations 2012 Cisco and/or its affiliates. All rights reserved. 9
IKE ISAKMP Oakley and Skeme IKE Phase 1 IKE Phase 2 Internet Key Exchange protocol (RFC 2409) is used by IPsec to establish the initial key exchange. IKE uses UDP port 500 to exchange IKE information between the security gateways. IKE is a hybrid protocol, combining ISAKMP and the Oakley and Skeme key exchange methods. Internet Security Association and Key Management Protocol defines the message format, the mechanics of a keyexchange protocol, and the negotiation process to build an SA for IPsec. ISAKMP does not define how keys are managed or shared between the two IPsec peers. Key exchange methods that have five defined key groups. Of these groups, Cisco routers support Group 1 (768-bit key), Group 2 (1024-bit key), and Group 5 (1536-bit key). Two IPsec peers perform the initial negotiation of SAs. The basic purpose of Phase 1 is to negotiate IKE policy sets, authenticate the peers, and set up a secure channel between the peers. It can be implemented in main mode or agressive mode. SAs are negotiated by the IKE process ISAKMP on behalf of IPsec and is referred to as quick mode. 2012 Cisco and/or its affiliates. All rights reserved. 10
Main mode Aggressive mode Quick mode QM_IDLE RRI IKE Phase 1 SA negotiation that requires three exchanges using six packets. IKE Phase 1 SA negotiation that requires one exchange using three packets. IKE Phase 2 SA negotiation that negotiate IPsec security parameters, establishes IPsec SAs, and periodically renegotiates IPsec SAs. Displayed in the output of the show crypto isakmp sa command and indicates an active IKE SA. Reverse Route Injection ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each VPN client. 2012 Cisco and/or its affiliates. All rights reserved. 11
SDM has been replaced by CCP. 2012 Cisco and/or its affiliates. All rights reserved. 12
To explain GRE use the concept of three protocols: Passenger protocol (i.e., IPv4 or IPv6) that needs to be encapsulated. Carrier protocol (i.e., GRE) that is used to encapsulate the passenger protocol. Transport protocol (i.e., IPv4 or IPv6) that is used to carry the encapsulated carrier protocol. GRE is popular to use to support routing protocols (that require broadcasts) over an IPsec VPN. 2012 Cisco and/or its affiliates. All rights reserved. 13
Example GRE configuration 2012 Cisco and/or its affiliates. All rights reserved. 14
To configure IPsec VPNs, the IOS must support crypto parameters. Usually indicated by k9 in the image name. ( k8 indicates limited crypto commands available) 2012 Cisco and/or its affiliates. All rights reserved. 15
Use the show crypto isakmp sa command to verify if the IKE Phase 1 negotiation was successful. QM_IDLE indicates success. Use the debug crypto isakmp command to display Phase 1 and 2 negotiations. 2012 Cisco and/or its affiliates. All rights reserved. 16
To verify IPsec VPN tunnel functionality, use the sequence: 1. clear crypto sa 2. Generate interesting traffic to trigger VPN link 3. show crypto ipsec sa NOTE: The output of the show crypto ipsec sa command should reveal encrypted / decrypted packets. Use extended pings to generate traffic between LANs ping {destination-ip-address} source {source-ip-address} NOTE: The first ping attempt should fail as it negotiates the initial SA. Use the debug crypto ipsec command to display Main mode negotiations. 2012 Cisco and/or its affiliates. All rights reserved. 17
Common problems encountered when troubleshooting VPNs include: Incorrect ISAKMP policies configured. Incorrect crypto keys or peer address configured. Crypto map parameters not configured accurately. Crypto map not applied to the correct interface (should usually be the outside interface). Invalid ACL statements. If pings from the router do not enable the VPN: Make sure you are using extended pings or better yet, use an actual host on the inside network. 2012 Cisco and/or its affiliates. All rights reserved. 18
CCP provides various VPN wizards by choosing Configure > Security > VPN. The wizards vary depending on the type of VPN being configured. You can also test to confirm the correct tunnel configuration by clicking the Test VPN button. Verify the VPN status by choosing Monitor > Security > VPN Status > IPsec Tunnels. 2012 Cisco and/or its affiliates. All rights reserved. 19
Remote access VPNs can be deployed using either IPsec or SSL VPNs. IPsec remote access VPNs are more secure and supports most applications but requires a client to be pre-installed on a host such as the Cisco VPN client or Cisco AnyConnect. SSL remote access VPNs is more flexible as it is accessed using a web browser but can only access web enabled applications. 2012 Cisco and/or its affiliates. All rights reserved. 20
Mobile User Requirements SSL-Based VPN Anywhere Access Any Application IPsec Remote Access VPN Categories SSL IPsec Application support Web-enabled applications, file sharing, e-mail All IP-based applications Encryption Authentication Moderate Key lengths from 40 bits to 128 bits Moderate One-way or two-way authentication Stronger Key lengths from 56 bits to 256 bits Strong Two-way authentication using shared secrets or digital certificates Ease of Use Very easy Moderately easy Overall Security Moderate Any device can connect Strong Only specific devices with specific configurations can connect 2012 Cisco and/or its affiliates. All rights reserved. 21
You will need to download the Cisco VPN client from cisco.com and provide it to students. Cisco VPN client is available for free. 2012 Cisco and/or its affiliates. All rights reserved. 22
Explain to students that this chapter now applies the cryptology topics discussed in Chapter 7. To contrast between the function of a firewall (Chapter 4) and that of a VPN, explain that a firewall inside the network and a VPN protects the data traversing the outside network (Internet). 2012 Cisco and/or its affiliates. All rights reserved. 23
Use the analogy of a ocean for the network and each LAN is an island. Without VPN tunnels, you must travel using a ferry between islands which means there is no privacy. With VPN tunnels, you have your own private submarine to go from island to island. Leased lines can be compared to building bridges between nearby islands. 2012 Cisco and/or its affiliates. All rights reserved. 24
Another analogy is that of two lovers sending mushy letters to each other. They know that letters will pass through many hands, including the postal service, organization, and perhaps even parents at either end. By setting up a secret code in advance, they can send letters without someone knowing what they re sending. 2012 Cisco and/or its affiliates. All rights reserved. 25
Refer back in history to how encryption has been used: The Spartans with the Scytale Julius Caesar for military dispatches. Enigma machine during WWII. Contrast that with how freely information now flows. Encourage discussion on how important VPNs are becoming. Ask Should we be encrypting everything we send?. Consider the overhead (and increased latency) if we did. When should we be using VPNs? 2012 Cisco and/or its affiliates. All rights reserved. 26
This chapter is best learned by applying the concepts as much as possible. Student must get their own battle scars. Encourage students to come up with their own VPN topology scenarios. 2012 Cisco and/or its affiliates. All rights reserved. 27
Cisco VPN Main page http://www.cisco.com/en/us/products/ps5743/products_sub_category_home.html Cisco IOS Software Releases 12.4 Mainline http://www.cisco.com/en/us/products/ps6350/tsd_products_support_series_h ome.html The Cisco IOS Command Reference http://www.cisco.com/en/us/products/ps6350/prod_command_reference_list. html VPN client http://www.cisco.com/en/us/products/sw/secursw/ps2308/index.html 2012 Cisco and/or its affiliates. All rights reserved. 28
2011 Cisco and/or its affiliates. All rights reserved. 29