Suche senden
Hochladen
Chapter 8 overview
•
Als PPT, PDF herunterladen
•
3 gefällt mir
•
1,451 views
ali raza
Folgen
Bildung
Technologie
Diashow-Anzeige
Melden
Teilen
Diashow-Anzeige
Melden
Teilen
1 von 106
Jetzt herunterladen
Empfohlen
Private VLANs
Private VLANs
NetProtocol Xpert
1000 Ccna Questions And Answers
1000 Ccna Questions And Answers
CCNAResources
CCNA 2 Routing and Switching v5.0 Chapter 9
CCNA 2 Routing and Switching v5.0 Chapter 9
Nil Menon
Cisco router basic
Cisco router basic
Tapan Khilar
CCNAv5 - S1: Chapter 2 - Configuring a network operating system
CCNAv5 - S1: Chapter 2 - Configuring a network operating system
Vuz Dở Hơi
ASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & Answers
NetProtocol Xpert
Mitigating Layer2 Attacks
Mitigating Layer2 Attacks
dkaya
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)
NetProtocol Xpert
Empfohlen
Private VLANs
Private VLANs
NetProtocol Xpert
1000 Ccna Questions And Answers
1000 Ccna Questions And Answers
CCNAResources
CCNA 2 Routing and Switching v5.0 Chapter 9
CCNA 2 Routing and Switching v5.0 Chapter 9
Nil Menon
Cisco router basic
Cisco router basic
Tapan Khilar
CCNAv5 - S1: Chapter 2 - Configuring a network operating system
CCNAv5 - S1: Chapter 2 - Configuring a network operating system
Vuz Dở Hơi
ASA Firewall Interview- Questions & Answers
ASA Firewall Interview- Questions & Answers
NetProtocol Xpert
Mitigating Layer2 Attacks
Mitigating Layer2 Attacks
dkaya
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)
NetProtocol Xpert
Ether channel fundamentals
Ether channel fundamentals
Edgardo Scrimaglia
Differences of the Cisco Operating Systems
Differences of the Cisco Operating Systems
美兰 曾
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Bruno Teixeira
Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk
STP (spanning tree protocol)
STP (spanning tree protocol)
Netwax Lab
Basic BGP Configuration
Basic BGP Configuration
NetProtocol Xpert
Chapter 6 : Network layer
Chapter 6 : Network layer
teknetir
CCNA Security - Chapter 3
CCNA Security - Chapter 3
Irsandi Hasan
Access control list [1]
Access control list [1]
Summit Bisht
IAB-5039 : MQTT: A Protocol for the Internet of Things (InterConnect 2015)
IAB-5039 : MQTT: A Protocol for the Internet of Things (InterConnect 2015)
PeterNiblett
CCNA 2 Routing and Switching v5.0 Chapter 11
CCNA 2 Routing and Switching v5.0 Chapter 11
Nil Menon
Cisco Unified Wireless Network and Converged access – Design session
Cisco Unified Wireless Network and Converged access – Design session
Cisco Russia
CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6
Nil Menon
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)
NetProtocol Xpert
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
NetProtocol Xpert
Ccnp workbook network bulls
Ccnp workbook network bulls
Swapnil Kapate
CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1
Nil Menon
Asa sslvpn security
Asa sslvpn security
Jack Melson
CCNA Exploration 2 - Chapter 1
CCNA Exploration 2 - Chapter 1
Irsandi Hasan
CCNP Security-Firewall
CCNP Security-Firewall
mohannadalhanahnah
VPN Security
VPN Security
dromerotrejo
IPsec
IPsec
slow love
Weitere ähnliche Inhalte
Was ist angesagt?
Ether channel fundamentals
Ether channel fundamentals
Edgardo Scrimaglia
Differences of the Cisco Operating Systems
Differences of the Cisco Operating Systems
美兰 曾
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Bruno Teixeira
Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk
STP (spanning tree protocol)
STP (spanning tree protocol)
Netwax Lab
Basic BGP Configuration
Basic BGP Configuration
NetProtocol Xpert
Chapter 6 : Network layer
Chapter 6 : Network layer
teknetir
CCNA Security - Chapter 3
CCNA Security - Chapter 3
Irsandi Hasan
Access control list [1]
Access control list [1]
Summit Bisht
IAB-5039 : MQTT: A Protocol for the Internet of Things (InterConnect 2015)
IAB-5039 : MQTT: A Protocol for the Internet of Things (InterConnect 2015)
PeterNiblett
CCNA 2 Routing and Switching v5.0 Chapter 11
CCNA 2 Routing and Switching v5.0 Chapter 11
Nil Menon
Cisco Unified Wireless Network and Converged access – Design session
Cisco Unified Wireless Network and Converged access – Design session
Cisco Russia
CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6
Nil Menon
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)
NetProtocol Xpert
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
NetProtocol Xpert
Ccnp workbook network bulls
Ccnp workbook network bulls
Swapnil Kapate
CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1
Nil Menon
Asa sslvpn security
Asa sslvpn security
Jack Melson
CCNA Exploration 2 - Chapter 1
CCNA Exploration 2 - Chapter 1
Irsandi Hasan
CCNP Security-Firewall
CCNP Security-Firewall
mohannadalhanahnah
Was ist angesagt?
(20)
Ether channel fundamentals
Ether channel fundamentals
Differences of the Cisco Operating Systems
Differences of the Cisco Operating Systems
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Cisco Live! :: Introduction to IOS XR for Enterprises and Service Providers
Barry Hesk: Cisco Unified Communications Manager training deck 1
Barry Hesk: Cisco Unified Communications Manager training deck 1
STP (spanning tree protocol)
STP (spanning tree protocol)
Basic BGP Configuration
Basic BGP Configuration
Chapter 6 : Network layer
Chapter 6 : Network layer
CCNA Security - Chapter 3
CCNA Security - Chapter 3
Access control list [1]
Access control list [1]
IAB-5039 : MQTT: A Protocol for the Internet of Things (InterConnect 2015)
IAB-5039 : MQTT: A Protocol for the Internet of Things (InterConnect 2015)
CCNA 2 Routing and Switching v5.0 Chapter 11
CCNA 2 Routing and Switching v5.0 Chapter 11
Cisco Unified Wireless Network and Converged access – Design session
Cisco Unified Wireless Network and Converged access – Design session
CCNA 1 Routing and Switching v5.0 Chapter 6
CCNA 1 Routing and Switching v5.0 Chapter 6
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
Ccnp workbook network bulls
Ccnp workbook network bulls
CCNA 1 Routing and Switching v5.0 Chapter 1
CCNA 1 Routing and Switching v5.0 Chapter 1
Asa sslvpn security
Asa sslvpn security
CCNA Exploration 2 - Chapter 1
CCNA Exploration 2 - Chapter 1
CCNP Security-Firewall
CCNP Security-Firewall
Andere mochten auch
VPN Security
VPN Security
dromerotrejo
IPsec
IPsec
slow love
Chapter 5
Chapter 5
ali raza
Chapter 7
Chapter 7
ali raza
Chapter 6 overview
Chapter 6 overview
ali raza
Chapter 8
Chapter 8
ali raza
IPsec with AH
IPsec with AH
jtlevesque
Chapter 9 overview
Chapter 9 overview
ali raza
Chapter 5 overview
Chapter 5 overview
ali raza
Chapter 3
Chapter 3
ali raza
Chapter 6
Chapter 6
ali raza
Chapter 2
Chapter 2
ali raza
Cisco orientation
Cisco orientation
ali raza
Chapter 4
Chapter 4
ali raza
Chapter 4 overview
Chapter 4 overview
ali raza
Chapter 1
Chapter 1
ali raza
Chapter 1 overview
Chapter 1 overview
ali raza
Chapter 7 overview
Chapter 7 overview
ali raza
CCNA Discovery 4 - Chapter 7
CCNA Discovery 4 - Chapter 7
Irsandi Hasan
Chapter 3 overview
Chapter 3 overview
ali raza
Andere mochten auch
(20)
VPN Security
VPN Security
IPsec
IPsec
Chapter 5
Chapter 5
Chapter 7
Chapter 7
Chapter 6 overview
Chapter 6 overview
Chapter 8
Chapter 8
IPsec with AH
IPsec with AH
Chapter 9 overview
Chapter 9 overview
Chapter 5 overview
Chapter 5 overview
Chapter 3
Chapter 3
Chapter 6
Chapter 6
Chapter 2
Chapter 2
Cisco orientation
Cisco orientation
Chapter 4
Chapter 4
Chapter 4 overview
Chapter 4 overview
Chapter 1
Chapter 1
Chapter 1 overview
Chapter 1 overview
Chapter 7 overview
Chapter 7 overview
CCNA Discovery 4 - Chapter 7
CCNA Discovery 4 - Chapter 7
Chapter 3 overview
Chapter 3 overview
Ähnlich wie Chapter 8 overview
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
ytrui
ENSA_Module_8.pptx
ENSA_Module_8.pptx
SkyBlue659156
CCNA Security - Chapter 8
CCNA Security - Chapter 8
Irsandi Hasan
Openstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud Networking
Shannon McFarland
Ip tunneling and vpns
Ip tunneling and vpns
DAVID RAUDALES
Ip tunnelling and_vpn
Ip tunnelling and_vpn
Rajesh Porwal
CCNP Security-VPN
CCNP Security-VPN
mohannadalhanahnah
Vpn security agenda by cover our privacy
Vpn security agenda by cover our privacy
Eric Fedewa
CV
CV
Debabrata Mitra
10 Protocols of VPN IPSec, PPTP, L2TP, MPLS etc. ⋆ IPCisco.pdf
10 Protocols of VPN IPSec, PPTP, L2TP, MPLS etc. ⋆ IPCisco.pdf
KdpKumar
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Canada
VPN
VPN
Swarup Kumar Mall
Vp ns
Vp ns
Swarup Kumar Mall
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
Cisco DevNet
Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2
Solomon Abavire Kobina,
Design and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANs
Fab Fusaro
CCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ips
Ahmed Habib
Device Programmability with Cisco Plug-n-Play Solution
Device Programmability with Cisco Plug-n-Play Solution
Cisco DevNet
Ccna security
Ccna security
umesh patil
Ccna security
Ccna security
sanjay joshi
Ähnlich wie Chapter 8 overview
(20)
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
7256 ccna security_chapter_8_vpn_dl3_oz_20130409031455
ENSA_Module_8.pptx
ENSA_Module_8.pptx
CCNA Security - Chapter 8
CCNA Security - Chapter 8
Openstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud Networking
Ip tunneling and vpns
Ip tunneling and vpns
Ip tunnelling and_vpn
Ip tunnelling and_vpn
CCNP Security-VPN
CCNP Security-VPN
Vpn security agenda by cover our privacy
Vpn security agenda by cover our privacy
CV
CV
10 Protocols of VPN IPSec, PPTP, L2TP, MPLS etc. ⋆ IPCisco.pdf
10 Protocols of VPN IPSec, PPTP, L2TP, MPLS etc. ⋆ IPCisco.pdf
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
VPN
VPN
Vp ns
Vp ns
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2
Design and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANs
CCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ips
Device Programmability with Cisco Plug-n-Play Solution
Device Programmability with Cisco Plug-n-Play Solution
Ccna security
Ccna security
Ccna security
Ccna security
Kürzlich hochgeladen
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
Mebane Rash
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
bronxfugly43
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
Poonam Aher Patil
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
VishalSingh1417
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Celine George
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
Understanding Accommodations and Modifications
Understanding Accommodations and Modifications
MJDuyan
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
Admir Softic
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
Celine George
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
PoojaSen20
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
Nguyen Thanh Tu Collection
Spatium Project Simulation student brief
Spatium Project Simulation student brief
Association for Project Management
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
camerronhm
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
agholdier
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
AreebaZafar22
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
VishalSingh1417
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
Celine George
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docx
PoojaSen20
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
Association for Project Management
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
TechSoup
Kürzlich hochgeladen
(20)
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
Understanding Accommodations and Modifications
Understanding Accommodations and Modifications
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
Spatium Project Simulation student brief
Spatium Project Simulation student brief
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docx
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
Chapter 8 overview
1.
1© 2009 Cisco
Learning Institute. CCNA Security Chapter Eight Implementing Virtual Private Networks
2.
222© 2009 Cisco
Learning Institute. Lesson Planning • This lesson should take 3-4 hours to present • The lesson should include lecture, demonstrations, discussions and assessments • The lesson can be taught in person or using remote instruction
3.
333© 2009 Cisco
Learning Institute. Major Concepts • Describe the purpose and operation of VPN types • Describe the purpose and operation of GRE VPNs • Describe the components and operations of IPsec VPNs • Configure and verify a site-to-site IPsec VPN with pre- shared key authentication using CLI • Configure and verify a site-to-site IPsec VPN with pre- shared key authentication using SDM • Configure and verify a Remote Access VPN
4.
444© 2009 Cisco
Learning Institute. Lesson Objectives Upon completion of this lesson, the successful participant will be able to: 1. Describe the purpose and operation of VPNs 2. Differentiate between the various types of VPNs 3. Identify the Cisco VPN product line and the security features of these products 4. Configure a site-to-site VPN GRE tunnel 5. Describe the IPSec protocol and its basic functions 6. Differentiate between AH and ESP 7. Describe the IKE protocol and modes 8. Describe the five steps of IPSec operation
5.
555© 2009 Cisco
Learning Institute. Lesson Objectives 9. Describe how to prepare IPSec by ensuring that ACLs are compatible with IPSec 10. Configure IKE policies using the CLI 11. Configure the IPSec transform sets using the CLI 12. Configure the crypto ACLs using the CLI 13. Configure and apply a crypto map using the CLI 14. Describe how to verify and troubleshoot the IPSec configuration 15. Describe how to configure IPSec using SDM 16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in SDM 17. Configure a site-to-site VPN using the step-by-step VPN Wizard in SDM
6.
666© 2009 Cisco
Learning Institute. Lesson Objectives 18. Verify, monitor and troubleshoot VPNs using SDM 19. Describe how an increasing number of organizations are offering telecommuting options to their employees 20. Differentiate between Remote Access IPSec VPN solutions and SSL VPNs 21. Describe how SSL is used to establish a secure VPN connection 22. Describe the Cisco Easy VPN feature 23. Configure a VPN Server using SDM 24. Connect a VPN client using the Cisco VPN Client software
7.
777© 2009 Cisco
Learning Institute. What is a VPN? - Virtual: Information within a private network is transported over a public network. - Private: The traffic is encrypted to keep the data confidential. VPN VPN Firewall CSA Regional branch with a VPN enabled Cisco ISR router SOHO with a Cisco DSL Router VPN Mobile Worker with a Cisco VPN Client Business Partner with a Cisco Router Corporate NetworkWAN Internet
8.
888© 2009 Cisco
Learning Institute. Layer 3 VPN • Generic routing encapsulation (GRE) • Multiprotocol Label Switching (MPLS) • IPSec SOHO with a Cisco DSL Router VPN Internet IPSec IPSec
9.
999© 2009 Cisco
Learning Institute. Types of VPN Networks MARS VPN VPN Iron Port Firewall IP S Web Server Email Server DNS CSA CSACSACSA CSA CSA CSA Regional branch with a VPN enabled Cisco ISR router SOHO with a Cisco DSL Router VPN Mobile Worker with a Cisco VPN Client Business Partner with a Cisco Router Site-to-Site VPNs Remote-access VPNs Internet WAN
10.
101010© 2009 Cisco
Learning Institute. Site-to-Site VPN MARS VPN VPN Iron Port Firewall IP S Web Server Email Server DNS CS A CS A CS A CSA CSA CSA CSA Regional branch with a VPN enabled Cisco ISR router SOHO with a Cisco DSL Router VP N Business Partner with a Cisco Router Site-to-Site VPNs Internet WAN Hosts send and receive normal TCP/IP traffic through a VPN gateway
11.
111111© 2009 Cisco
Learning Institute. Remote-Access VPNs MARS VPN Iron Port Firewall IPS Web Server Email Server DNS CSA CSA CSACSA CSA CSA CSA Mobile Worker with a Cisco VPN Client Remote-access VPNs Internet
12.
121212© 2009 Cisco
Learning Institute. VPN Client Software R1 R1-vpn-cluster.span.com “R1” In a remote-access VPN, each host typically has Cisco VPN Client software
13.
131313© 2009 Cisco
Learning Institute. Cisco IOS SSL VPN • Provides remote-access connectivity from any Internet-enabled host • Uses a web browser and SSL encryption • Delivers two modes of access: - Clientless - Thin client
14.
141414© 2009 Cisco
Learning Institute. Cisco VPN Product Family Product Choice Remote-Access VPN Site-to-Site VPN Cisco VPN-Enabled Router Secondary role Primary role Cisco PIX 500 Series Security Appliances Secondary role Primary role Cisco ASA 5500 Series Adaptive Security Appliances Primary role Secondary role Cisco VPN 3000 Series Concentrators Primary role Secondary role Home Routers Primary role
15.
151515© 2009 Cisco
Learning Institute. Cisco VPN-Optimized Routers Remote Office Cisco Router Regional Office Cisco Router SOHO Cisco Router Main Office Cisco Router Internet VPN Features: •Voice and video enabled VPN (V3PN) •IPSec stateful failover •DMVPN •IPSec and Multiprotocol Label Switching (MPLS) integration •Cisco Easy VPN
16.
161616© 2009 Cisco
Learning Institute. Cisco ASA 5500 Series Adaptive Security Appliances • Flexible platform • Resilient clustering • Cisco Easy VPN • Automatic Cisco VPN • Cisco IOS SSL VPN • VPN infrastructure for contemporary applications • Integrated web-based management Extranet Business-to-Business Intranet Remote User Remote Site Central Site Internet
17.
171717© 2009 Cisco
Learning Institute. IPSec Clients Small Office Internet Cisco AnyConnect VPN Client Certicom PDA IPsec VPN Client Internet Cisco VPN Software Client Router with Firewall and VPN Client A wireless client that is loaded on a pda Software loaded on a PC A network appliance that connects SOHO LANs to the VPN Provides remote users with secure VPN connections
18.
181818© 2009 Cisco
Learning Institute. Hardware Acceleration Modules • AIM • Cisco IPSec VPN Shared Port Adapter (SPA) • Cisco PIX VPN Accelerator Card+ (VAC+) • Enhanced Scalable Encryption Processing (SEP-E) Cisco IPsec VPN SPA
19.
191919© 2009 Cisco
Learning Institute. GRE VPN Overview
20.
202020© 2009 Cisco
Learning Institute. Encapsulation Original IP Packet Encapsulated with GRE
21.
212121© 2009 Cisco
Learning Institute. Configuring a GRE Tunnel R1(config)# interface tunnel 0 R1(config–if)# ip address 10.1.1.1 255.255.255.252 R1(config–if)# tunnel source serial 0/0 R1(config–if)# tunnel destination 192.168.5.5 R1(config–if)# tunnel mode gre ip R1(config–if)# R2(config)# interface tunnel 0 R2(config–if)# ip address 10.1.1.2 255.255.255.252 R2(config–if)# tunnel source serial 0/0 R2(config–if)# tunnel destination 192.168.3.3 R2(config–if)# tunnel mode gre ip R2(config–if)# Create a tunnel interface Assign the tunnel an IP address Identify the source tunnel interface Identify the destination of the tunnel Configure what protocol GRE will encapsulate
22.
222222© 2009 Cisco
Learning Institute. Using GRE User Traffic IP Only ? Use GRE Tunnel NoNo YesYes NoNo YesYes Unicast Only? Use IPsec VPN GRE does not provide encryption
23.
232323© 2009 Cisco
Learning Institute. IPSec Topology • Works at the network layer, protecting and authenticating IP packets. - It is a framework of open standards which is algorithm-independent. - It provides data confidentiality, data integrity, and origin authentication. Business Partner with a Cisco Router Regional Office with a Cisco PIX Firewall SOHO with a Cisco SDN/DSL Router Mobile Worker with a Cisco VPN Client on a Laptop Computer ASA Legacy Concentrator Main Site Perimeter Router Legacy Cisco PIX Firewall IPsec POP Corporate
24.
242424© 2009 Cisco
Learning Institute. IPSec Framework Diffie-Hellman DH7
25.
252525© 2009 Cisco
Learning Institute. DH7Diffie-Hellman Confidentiality Key length: - 56-bits Key length: - 56-bits (3 times) Key length: - 160-bits Key lengths: -128-bits -192 bits -256-bits Least secure Most secure
26.
262626© 2009 Cisco
Learning Institute. DH7Diffie-Hellman Integrity Key length: - 128-bits Key length: - 160-bits) Least secure Most secure
27.
272727© 2009 Cisco
Learning Institute. DH7Diffie-Hellman Authentication
28.
282828© 2009 Cisco
Learning Institute. DH7Diffie-Hellman Pre-shared Key (PSK) •At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated. • The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.
29.
292929© 2009 Cisco
Learning Institute. RSA Signatures • At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local device's private encryption key creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I. • Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.
30.
303030© 2009 Cisco
Learning Institute. Diffie-Hellman Secure Key Exchange DH7
31.
313131© 2009 Cisco
Learning Institute. IPSec Framework Protocols All data is in plaintext. R1 R2 Data payload is encrypted. R1 R2 Authentication Header Encapsulating Security Payload AH provides the following: Authentication Integrity ESP provides the following: Encryption Authentication Integrity
32.
323232© 2009 Cisco
Learning Institute. Authentication Header Authentication Data (00ABCDEF) IP Header + Data + Key R1 R2 Hash Recomputed Hash (00ABCDEF) IP Header + Data + Key Hash Received Hash (00ABCDEF)= DataAHIP HDR DataAHIP HDR Internet 1. The IP Header and data payload are hashed 2. The hash builds a new AH header which is prepended to the original packet 3. The new packet is transmitted to the IPSec peer router 4. The peer router hashes the IP header and data payload, extracts the transmitted hash and compares
33.
333333© 2009 Cisco
Learning Institute. ESP Diffie-Hellman DH7
34.
343434© 2009 Cisco
Learning Institute. Function of ESP ESP Trailer ESP Auth • Provides confidentiality with encryption • Provides integrity with authentication Router Router IP HDR Data ESP HDRNew IP HDR IP HDR Data Authenticated IP HDR Data Internet Encrypted
35.
353535© 2009 Cisco
Learning Institute. IP HDR ESP HDR Data ESP HDR IP HDRNew IP HDR Data Tunnel Mode Transport Mode ESP Trailer ESP Auth ESP Trailer ESP Auth Authenticated Authenticated IP HDR Data Encrypted Encrypted Original data prior to selection of IPSec protocol mode Mode Types
36.
363636© 2009 Cisco
Learning Institute. Security Associations IPSec parameters are configured using IKE
37.
373737© 2009 Cisco
Learning Institute. Host A Host B R1 R2 10.0.1.3 10.0.2.3 IKE Phase 1 Exchange 1. Negotiate IKE policy sets 2. DH key exchange 3. Verify the peer identity IKE Phases IKE Phase 2 Exchange Negotiate IPsec policy Negotiate IPsec policy Policy 15 DES MD5 pre-share DH1 lifetime Policy 10 DES MD5 pre-share DH1 lifetime 1. Negotiate IKE policy sets 2. DH key exchange 3. Verify the peer identity
38.
383838© 2009 Cisco
Learning Institute. Negotiates matching IKE policies to protect IKE exchange Policy 15 DES MD5 pre-share DH1 lifetime Policy 10 DES MD5 pre-share DH1 lifetime IKE Policy Sets Policy 20 3DES SHA pre-share DH1 lifetime Negotiate IKE Proposals Host A Host B R1 R2 10.0.1.3 10.0.2.3 IKE Phase 1 – First Exchange
39.
393939© 2009 Cisco
Learning Institute. IKE Phase 1 – Second Exchange ((YB ) mod p = K (YA ) mod p = K XB XA Private value, XA Public value, YA Private value, XB Public value, YBAlice Bob YYAA YYBB YB = g mod pXBYYAA = g mod pXA A DH exchange is performed to establish keying material. Establish DH Key
40.
404040© 2009 Cisco
Learning Institute. IKE Phase 1 – Third Exchange Peer authentication methods • PSKs • RSA signatures • RSA encrypted nonces HR Servers Remote Office Corporate Office Internet Peer Authentication A bidirectional IKE SA is now established. Authenticate Peer
41.
414141© 2009 Cisco
Learning Institute. Host A Host B R1 R2 10.0.1.3 10.0.2.3 IKE Phase 1 Aggressive Mode Exchange 1.Send IKE policy set and R1’s DH key 3.Calculate shared secret, verify peer identify, and confirm with peer IKE Phase 2 Exchange Negotiate IPsec policy Negotiate IPsec policy Policy 15 DES MD5 pre-share DH1 lifetime Policy 10 DES MD5 pre-share DH1 lifetime 2. Confirm IKE policy set, calculate shared secret and send R2’s DH key 4. Authenticate peer and begin Phase 2. IKE Phase 1 – Aggressive Mode
42.
424242© 2009 Cisco
Learning Institute. Negotiate IPsec Security Parameters Host A Host B R1 R2 10.0.1.3 10.0.2.3 IKE Phase 2 • IKE negotiates matching IPsec policies. • Upon completion, unidirectional IPsec Security Associations(SA) are established for each protocol and algorithm combination.
43.
434343© 2009 Cisco
Learning Institute. IKE Phase 1 IKE Phase 2 IKE SA IKE SA IPsec SAIPsec SA 1. Host A sends interesting traffic to Host B. 2. R1 and R2 negotiate an IKE Phase 1 session. 3. R1 and R2 negotiate an IKE Phase 2 session. 4. Information is exchanged via IPsec tunnel. 5. The IPsec tunnel is terminated. R1 R2 10.0.2.3 IPsec Tunnel 10.0.1.3 IPSec VPN Negotiation
44.
444444© 2009 Cisco
Learning Institute. Configuring IPsec Task 1: Ensure that ACLs are compatible with IPsec. Task 2: Create ISAKMP (IKE) policy. Task 3: Configure IPsec transform set. Task 4: Create a crypto ACL. Task 5: Create and apply the crypto map. Tasks to Configure IPsec:
45.
454545© 2009 Cisco
Learning Institute. Task 1 Configure Compatible ACLs • Ensure that protocols 50 (ESP), 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec. AH ESP IKE Site 1 Site 2 10.0.1.3 10.0.2.3 R1 R2 Internet S0/0/0 172.30.1.2 S0/0/0 172.30.2.2 10.0.1.0/24 10.0.2.0/24
46.
464646© 2009 Cisco
Learning Institute. R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2 R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2 R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp R1(config)# R1(config)# interface Serial0/0/0 R1(config-if)# ip address 172.30.1.2 255.255.255.0 R1(config-if)# ip access-group 102 in ! R1(config)# exit R1# R1# show access-lists access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2 access-list 102 permit esp host 172.30.2.2 host 172.30.1.2 access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp R1# AH ESP IKESite 1 Site 2 10.0.1.3 10.0.2.3R1 R2 Internet S0/0/0 172.30.1.2 S0/0/0 172.30.2.2 10.0.1.0/2 4 10.0.2.0/24 Permitting Traffic
47.
474747© 2009 Cisco
Learning Institute. Defines the parameters within the IKE policy crypto isakmp policy priority router(config)# R1(config)# crypto isakmp policy 110 R1(config–isakmp)# authentication pre-share R1(config–isakmp)# encryption des R1(config–isakmp)# group 1 R1(config–isakmp)# hash md5 R1(config–isakmp)# lifetime 86400 Tunnel Policy 110 DES MD5 Preshare 86400 DH1 Site 1 Site 2 10.0.1.3 10.0.2.3R1 R2 Internet 10.0.1.0/24 10.0.2.0/24 Task 2 Configure IKE
48.
484848© 2009 Cisco
Learning Institute. ISAKMP Parameters Parameter Keyword Accepted Values Default Value Description encryption des 3des aes aes 192 aes 256 56-bit Data Encryption Standard Triple DES 128-bit AES 192-bit AES 256-bit AES des Message encryption algorithm hash sha md5 SHA-1 (HMAC variant) MD5 (HMAC variant) sha Message integrity (Hash) algorithm authenticati on pre-share rsa-encr rsa-sig preshared keys RSA encrypted nonces RSA signatures rsa-sig Peer authentication method group 1 2 5 768-bit Diffie-Hellman (DH) 1024-bit DH 1536-bit DH 1 Key exchange parameters (DH group identifier) lifetime seconds Can specify any number of seconds 86,400 sec (one day) ISAKMP-established SA lifetime
49.
494949© 2009 Cisco
Learning Institute. Multiple Policies crypto isakmp policy 100 hash md5 authentication pre-share ! crypto isakmp policy 200 hash sha authentication rsa-sig ! crypto isakmp policy 300 hash md5 authentication rsa-sig crypto isakmp policy 100 hash md5 authentication pre-share ! crypto isakmp policy 200 hash sha authentication rsa-sig ! crypto isakmp policy 300 hash md5 authentication pre-share R1(config)# R2(config)# Site 1 Site 2 10.0.1.3 10.0.2.3R1 R2 Internet 10.0.1.0/24 10.0.2.0/24
50.
505050© 2009 Cisco
Learning Institute. R1(config)# crypto isakmp policy 110 R1(config–isakmp)# authentication pre-share R1(config–isakmp)# encryption 3des R1(config–isakmp)# group 2 R1(config–isakmp)# hash sha R1(config–isakmp)# lifetime 43200 Policy 110 Preshare 3DES SHA DH2 43200 R2(config)# crypto isakmp policy 100 R2(config–isakmp)# authentication pre-share R2(config–isakmp)# encryption 3des R2(config–isakmp)# group 2 R2(config–isakmp)# hash sha R2(config–isakmp)# lifetime 43200 R2 must have an ISAKMP policy configured with the same parameters. Tunnel Site 1 Site 2 10.0.1.3 10.0.2.3R1 R2 Internet 10.0.1.0/24 10.0.2.0/24 R1 attempts to establish a VPN tunnel with R2 and sends its IKE policy parameters Policy Negotiations
51.
515151© 2009 Cisco
Learning Institute. Crypto ISAKMP Key • The peer-address or peer-hostname can be used, but must be used consistently between peers. • If the peer-hostname is used, then the crypto isakmp identity hostname command must also be configured. crypto isakmp key keystring address peer-address router(config)# crypto isakmp key keystring hostname hostname router(config)# Parameter Description keystring This parameter specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers. peer- address This parameter specifies the IP address of the remote peer. hostname This parameter specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com).
52.
525252© 2009 Cisco
Learning Institute. R1(config)# crypto isakmp policy 110 R1(config–isakmp)# authentication pre-share R1(config–isakmp)# encryption 3des R1(config–isakmp)# group 2 R1(config–isakmp)# hash sha R1(config–isakmp)# lifetime 43200 R1(config-isakmp)# exit R1(config)# crypto isakmp key cisco123 address 172.30.2.2 R1(config)# R2(config)# crypto isakmp policy 110 R2(config–isakmp)# authentication pre-share R2(config–isakmp)# encryption 3des R2(config–isakmp)# group 2 R2(config–isakmp)# hash sha R2(config–isakmp)# lifetime 43200 R2(config-isakmp)# exit R2(config)# crypto isakmp key cisco123 address 172.30.1.2 R2(config)# Note: • The keystring cisco1234 matches. • The address identity method is specified. • The ISAKMP policies are compatible. • Default values do not have to be configured. Site 1 Site 2 10.0.1.3 10.0.2.3R1 R2 Internet 10.0.1.0/24 10.0.2.0/24 Sample Configuration
53.
535353© 2009 Cisco
Learning Institute. router(config)# crypto ipsec transform–set transform-set-name transform1 [transform2] [transform3]] crypto ipsec transform-set Parameters Command Description transform-set-name This parameter specifies the name of the transform set to create (or modify). transform1, transform2, transform3 Type of transform set. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication. These transforms define the IP Security (IPSec) security protocols and algorithms. A transform set is a combination of IPsec transforms that enact a security policy for traffic. Task 3 Configure the Transform Set
54.
545454© 2009 Cisco
Learning Institute. Transform Sets • Transform sets are negotiated during IKE Phase 2. • The 9th attempt found matching transform sets (CHARLIE - YELLOW). Host B 10.0.1.3 10.0.2.3 R1 R2Host A transform-set ALPHA esp-3des tunnel transform-set BETA esp-des, esp-md5-hmac tunnel transform-set CHARLIE esp-3des, esp-sha-hmac tunnel transform-set RED esp-des tunnel transform-set BLUE esp-des, ah-sha-hmac tunnel transform-set YELLOW esp-3des, esp-sha-hmac tunnel Match Internet 1 2 3 4 5 6 7 8 9 172.30.2.2 172.30.1.2
55.
555555© 2009 Cisco
Learning Institute. Site 1 Site 2 A B 10.0.1.3 10.0.2.3 R1 R2 Internet R1(config)# crypto isakmp key cisco123 address 172.30.2.2 R1(config)# crypto ipsec transform-set MYSET esp-aes 128 R1(cfg-crypto-trans)# exit R1(config)# R2(config)# crypto isakmp key cisco123 address 172.30.1.2 R2(config)#crypto ipsec transform-set OTHERSET esp-aes 128 R2(cfg-crypto-trans)# exit 172.30.2.2 172.30.1.2 Note: • Peers must share the same transform set settings. • Names are only locally significant. Sample Configuration
56.
565656© 2009 Cisco
Learning Institute. Task 4 Configure the Crypto ACLs • Outbound indicates the data flow to be protected by IPsec. • Inbound filters and discards traffic that should have been protected by IPsec. Host A R1 Internet Outbound Traffic Inbound Traffic Encrypt Bypass (Plaintext) Permit Bypass Discard (Plaintext)
57.
575757© 2009 Cisco
Learning Institute. 10.0.1.3 10.0.2.3 R1 R2 Internet router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]]{deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] access-list access-list-number Parameters access-list access-list-number Command Description permit This option causes all IP traffic that matches the specified conditions to be protected by cryptography, using the policy described by the corresponding crypto map entry. deny This option instructs the router to route traffic in plaintext. protocol This option specifies which traffic to protect by cryptography based on the protocol, such as TCP, UDP, or ICMP. If the protocol is IP, then all traffic IP traffic that matches that permit statement is encrypted. source and destination If the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, then the traffic between the specified source and destination is sent in plaintext. 10.0.1.0/24 Site 1 10.0.2.0/24 Site 2 S0/0/0 172.30.1.2 S0/0/0 172.30.2.2 Command Syntax
58.
585858© 2009 Cisco
Learning Institute. S0/1 10.0.1.3 10.0.2.3R1 R2 Internet Site 2 Applied to R1 S0/0/0 outbound traffic: R1(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 (when evaluating inbound traffic– source: 10.0.2.0, destination: 10.0.1.0) S0/0/0 172.30.2.2 S0/0/0 172.30.1.2 Applied to R2 S0/0/0 outbound traffic: R2(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 (when evaluating inbound traffic- source: 10.0.1.0, destination: 10.0.2.0) 10.0.1.0/24 Site 1 10.0.2.0/24 Symmetric Crypto ACLs
59.
595959© 2009 Cisco
Learning Institute. Task 5 Apply the Crypto Map Crypto maps define the following: ACL to be used Remote VPN peers Transform set to be used Key management method SA lifetimes Site 1 10.0.1.3 R1 R2 10.0.2.3 Site 2 Internet Encrypted Traffic Router Interface or Subinterface
60.
606060© 2009 Cisco
Learning Institute. crypto map map-name seq-num ipsec-manual crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name] router(config)# crypto map Parameters Command Parameters Description map-name Defines the name assigned to the crypto map set or indicates the name of the crypto map to edit. seq-num The number assigned to the crypto map entry. ipsec-manual Indicates that ISAKMP will not be used to establish the IPsec SAs. ipsec-isakmp Indicates that ISAKMP will be used to establish the IPsec SAs. cisco (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic. dynamic (Optional) Specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available. dynamic-map-name (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template. Crypto Map Command
61.
616161© 2009 Cisco
Learning Institute. Crypto Map Configuration Mode Commands Command Description set Used with the peer, pfs, transform-set, and security-association commands. peer [hostname | ip- address] Specifies the allowed IPsec peer by IP address or hostname. pfs [group1 | group2] Specifies DH Group 1 or Group 2. transform-set [set_name(s)] Specify list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, then only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified. security-association lifetime Sets SA lifetime parameters in seconds or kilobytes. match address [access- list-id | name] Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP-extended ACL being matched. no Used to delete commands entered with the set command. exit Exits crypto map configuration mode.
62.
626262© 2009 Cisco
Learning Institute. Multiple peers can be specified for redundancy. R3 S0/0/0 172.30.3.2 R1(config)# crypto map MYMAP 10 ipsec-isakmp R1(config-crypto-map)# match address 110 R1(config-crypto-map)# set peer 172.30.2.2 default R1(config-crypto-map)# set peer 172.30.3.2 R1(config-crypto-map)# set pfs group1 R1(config-crypto-map)# set transform-set mine R1(config-crypto-map)# set security-association lifetime seconds 86400 10.0.1.3 10.0.2.3 R1 R2 Internet Sample Configuration 10.0.1.0/24 Site 1 10.0.2.0/24 Site 2 S0/0/0 172.30.2.2
63.
636363© 2009 Cisco
Learning Institute. • Applies the crypto map to outgoing interface • Activates the IPsec policy crypto map map-name R1(config)# interface serial0/0/0 R1(config-if)# crypto map MYMAP router(config-if)# MYMAP Assign the Crypto Map Set 10.0.1.3 10.0.2.3 R1 R2 Internet 10.0.1.0/24 Site 1 10.0.2.0/24 Site 2 S0/0/0 172.30.1.2 S0/0/0 172.30.2.2
64.
646464© 2009 Cisco
Learning Institute. CLI Commands Show Command Description show crypto map Displays configured crypto maps show crypto isakmp policy Displays configured IKE policies show crypto ipsec sa Displays established IPsec tunnels show crypto ipsec transform-set Displays configured IPsec transform sets debug crypto isakmp Debugs IKE events debug crypto ipsec Debugs IPsec events
65.
656565© 2009 Cisco
Learning Institute. R1# show crypto map Crypto Map “MYMAP" 10 ipsec-isakmp Peer = 172.30.2.2 Extended IP access list 110 access-list 102 permit ip host 10.0.1.3 host 10.0.2.3 Current peer: 172.30.2.2 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ MYSET, } show crypto map Displays the currently configured crypto maps router# show crypto map 10.0.1.3 10.0.2.3 R1 R2 Internet 10.0.1.0/24 Site 1 10.0.2.0/24 Site 2 S0/0/0 172.30.1.2 S0/0/0 172.30.2.2
66.
666666© 2009 Cisco
Learning Institute. show crypto isakmp policy R1# show crypto isakmp policy Protection suite of priority 110 encryption algorithm: 3DES - Data Encryption Standard (168 bit keys). hash algorithm: Secure Hash Standard authentication method: preshared Diffie-Hellman group: #2 (1024 bit) lifetime: 86400 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit router# show crypto isakmp policy 10.0.1.3 10.0.2.3 R1 R2 Internet 10.0.1.0/24 Site 1 10.0.2.0/24 Site 2 S0/0/0 172.30.1.2 S0/0/0 172.30.2.2
67.
676767© 2009 Cisco
Learning Institute. show crypto ipsec transform-set Displays the currently defined transform sets R1# show crypto ipsec transform-set Transform set AES_SHA: { esp-128-aes esp-sha-hmac } will negotiate = { Tunnel, }, show crypto ipsec transform-set 10.0.1.3 10.0.2.3 R1 R2 Internet 10.0.1.0/24 Site 1 10.0.2.0/24 Site 2 S0/0/0 172.30.1.2 S0/0/0 172.30.2.2
68.
686868© 2009 Cisco
Learning Institute. show crypto ipsec sa R1# show crypto ipsec sa Interface: Serial0/0/0 Crypto map tag: MYMAP, local addr. 172.30.1.2 local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0) current_peer: 172.30.2.2 PERMIT, flacs={origin_is_acl,} #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0 #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2 path mtu 1500, media mtu 1500 current outbound spi: 8AE1C9C 10.0.1.3 10.0.2.3 R1 R2 Internet 10.0.1.0/24 Site 1 10.0.2.0/24 Site 2 S0/0/0 172.30.1.2 S0/0/0 172.30.2.2
69.
696969© 2009 Cisco
Learning Institute. debug crypto isakmp router# debug crypto isakmp • This is an example of the Main Mode error message. • The failure of Main Mode suggests that the Phase I policy does not match on both sides. • Verify that the Phase I policy is on both peers and ensure that all the attributes match. 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0 1d00h: ISAKMP (0:1); no offers accepted! 1d00h: ISAKMP (0:1): SA not acceptable! 1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2
70.
707070© 2009 Cisco
Learning Institute. Starting a VPN Wizard Wizards for IPsec Solutions, includes type of VPNs and Individual IPsec components 1 2 4 5 3 VPN implementation Subtypes. Vary based On VPN wizard chosen. 1. Click Configure in main toolbar 2. Click the VPN button to open the VPN page 3. Choose a wizard 4. Click the VPN implementation subtype 5. Click the Launch the Selected Task button
71.
717171© 2009 Cisco
Learning Institute. VPN Components Individual IPsec components used to build VPNs VPN Wizards SSL VPN parameters Easy VPN server parameters Public key certificate parameters Encrypt VPN passwords VPN Components
72.
727272© 2009 Cisco
Learning Institute. Configuring a Site-to-Site VPN Click the Launch the Selected Task button Choose Configure > VPN > Site-to-Site VPN Click the Create a Site-to-Site VPN
73.
737373© 2009 Cisco
Learning Institute. Site-to-Site VPN Wizard Choose the wizard mode Click Next to proceed to the configuration of parameters.
74.
747474© 2009 Cisco
Learning Institute. Quick Setup Configure the parameters •Interface to use •Peer identity information •Authentication method •Traffic to encrypt
75.
757575© 2009 Cisco
Learning Institute. Verify Parameters
76.
767676© 2009 Cisco
Learning Institute. 1 2 3 4 Step-by-Step Wizard Choose the outside interface that is used to connect to the IPSec peer Specify the IP address of the peer Choose the authentication method and specify the credentials Click Next
77.
777777© 2009 Cisco
Learning Institute. Creating a Custom IKE Proposal 1 2 3Click Add to define a proposal Make the selections to configure the IKE Policy and click OK Click Next
78.
787878© 2009 Cisco
Learning Institute. 1 2 3 Creating a Custom IPSec Transform Set Click NextClick Add Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation and optional compression
79.
797979© 2009 Cisco
Learning Institute. 1 2 3 Protecting Traffic Subnet to Subnet Click Protect All Traffic Between the Following subnets Define the IP address and subnet mask of the local network Define the IP address and subnet mask of the remote network
80.
808080© 2009 Cisco
Learning Institute. 2 3 1 Protecting Traffic Custom ACL Click the Create/Select an Access-List for IPSec Traffic radio button Click the ellipses button to choose an existing ACL or create a new one To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option
81.
818181© 2009 Cisco
Learning Institute. Add a Rule 1 2Give the access rule a name and description Click Add
82.
828282© 2009 Cisco
Learning Institute. Configuring a New Rule Entry 1 2 3 Choose an action and enter a description of the rule entry Define the source hosts or networks in the Source Host/Network pane and the destination hosts or network in the Destination/Host Network pane (Optional) To provide protection for specific protocols, choose the specific protocol radio box and desired port numbers
83.
838383© 2009 Cisco
Learning Institute. • Click Back to modify the configuration. • Click Finish to complete the configuration. Configuration Summary
84.
848484© 2009 Cisco
Learning Institute. Check VPN status. Create a mirroring configuration if no Cisco SDM is available on the peer. Test the VPN configuration. Verify VPN Configuration Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN
85.
858585© 2009 Cisco
Learning Institute. Lists all IPsec tunnels, their parameters, and status. 1 Monitor Choose Monitor > VPN Status > IPSec Tunnels
86.
868686© 2009 Cisco
Learning Institute. Telecommuting • Flexibility in working location and working hours • Employers save on real- estate, utility and other overhead costs • Succeeds if program is voluntary, subject to management discretion, and operationally feasible
87.
878787© 2009 Cisco
Learning Institute. Telecommuting Benefits • Organizational benefits: - Continuity of operations - Increased responsiveness - Secure, reliable, and manageable access to information - Cost-effective integration of data, voice, video, and applications - Increased employee productivity, satisfaction, and retention • Social benefits: - Increased employment opportunities for marginalized groups - Less travel and commuter related stress • Environmental benefits: - Reduced carbon footprints, both for individual workers and organizations
88.
888888© 2009 Cisco
Learning Institute. Implementing Remote Access
89.
898989© 2009 Cisco
Learning Institute. Methods for Deploying Remote Access IPsec Remote Access VPN SSL-Based VPN Any Application Anywhere Access
90.
909090© 2009 Cisco
Learning Institute. Comparison of SSL and IPSec SSL IPsec Applications Web-enabled applications, file sharing, e- mail All IP-based applications Encryption Moderate Key lengths from 40 bits to 128 bits Stronger Key lengths from 56 bits to 256 bits Authentication Moderate One-way or two-way authentication Strong Two-way authentication using shared secrets or digital certificates Ease of Use Very high Moderate Can be challenging to nontechnical users Overall Security Moderate Any device can connect Strong Only specific devices with specific configurations can connect
91.
919191© 2009 Cisco
Learning Institute. SSL VPNs • Integrated security and routing • Browser-based full network SSL VPN access SSL VPN Workplace Resources Headquarters Internet SSL VPN Tunnel
92.
929292© 2009 Cisco
Learning Institute. Types of Access
93.
939393© 2009 Cisco
Learning Institute. Full Tunnel Client Access Mode
94.
949494© 2009 Cisco
Learning Institute. User using SSL client Establishing an SSL Session User makes a connection to TCP port 443 Router replies with a digitally signed public key Shared-secret key, encrypted with public key of the server, is sent to the router Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm User software creates a shared-secret key 1 2 3 4 5 SSL VPN enabled ISR router
95.
959595© 2009 Cisco
Learning Institute. SSL VPN Design Considerations • User connectivity • Router feature • Infrastructure planning • Implementation scope
96.
969696© 2009 Cisco
Learning Institute. Cisco Easy VPN • Negotiates tunnel parameters • Establishes tunnels according to set parameters • Automatically creates a NAT / PAT and associated ACLs • Authenticates users by usernames, group names, and passwords • Manages security keys for encryption and decryption • Authenticates, encrypts, and decrypts data through the tunnel
97.
979797© 2009 Cisco
Learning Institute. Cisco Easy VPN
98.
989898© 2009 Cisco
Learning Institute. Securing the VPN Initiate IKE Phase 1 Establish ISAKMP SA Accept Proposal1 Username/Password Challenge Username/Password System Parameters Pushed Reverse Router Injection (RRI) adds a static route entry on the router for the remote clients IP address Initiate IKE Phase 2: IPsec IPsec SA 1 2 3 4 5 6 7
99.
999999© 2009 Cisco
Learning Institute. Configuring Cisco Easy VPN Server 1 2 3 4 5
100.
100100100© 2009 Cisco
Learning Institute. Configuring IKE Proposals 1 2 3Click Add Specify required parameters Click OK
101.
101101101© 2009 Cisco
Learning Institute. Creating an IPSec Transform Set 1 2 3 4
102.
102102102© 2009 Cisco
Learning Institute. Group Authorization and Group Policy Lookup 1 2 3 4 5 Select the location where Easy VPN group policies can be stored Click Next Click Add Click Next Configure the local group policies
103.
103103103© 2009 Cisco
Learning Institute. Summary of Configuration Parameters
104.
104104104© 2009 Cisco
Learning Institute. VPN Client Overview • Establishes end-to-end, encrypted VPN tunnels for secure connectivity • Compatible with all Cisco VPN products • Supports the innovative Cisco Easy VPN capabilities R1 R1-vpn-cluster.span.com R1 R1-vpn-cluster.span.com
105.
105105105© 2009 Cisco
Learning Institute. Establishing a Connection R1-vpn-cluster.span.com R1 R1-vpn-cluster.span.com “R1” Once authenticated, status changes to connected.
106.
106106106© 2009 Cisco
Learning Institute.
Hinweis der Redaktion
Note: Actual parameters vary based on IOS image.
Notice however, that policy numbers are only locally significant and do not have to match between IPsec peers.
A transform set can have one AH transform and up to two ESP transforms
Jetzt herunterladen