Deploying GET to Secure VPNs
- Pauline Strickland
- 6 years ago
2 Deploying GET to Secure VPNs. Scott Wainner, Distinguished Systems Engineer
3 Session Objectives and Prerequisites
Session Objectives:
  Identify VPN environments where GET is applicable
  Understand how GET can secure a VPN
  Understand how GET functions
  Understand how to deploy GET
  Understand the strategic directions for GET
Prerequisites:
  Knowledge of IPsec protocols
  Knowledge of IP VPN technologies
4 Agenda
  Overview
  A Group Paradigm for Security
  VPN Environments
  GET Components and Functions
  GET Deployment Methods
  Strategic Directions for GET
5 A Group Paradigm for Security
6 Key Messages
  Security paradigms: point-to-point security paradigm, group security paradigm
  Security policies: conditions for group security, challenges for group security
7 Point-to-Point Security Paradigm
  Routing connectivity between two crypto end-points
  Tunneling between two crypto end-points
  Routing through the crypto tunnel
  Diagram: IP core routing adjacency, overlay routing adjacency, crypto session
8 Group Security Paradigm
  Routing between any network entity
  Securing traffic between a set of network entities
  Preserving the routing context between all network entities
  Diagram: IP VPN group, core routing adjacency, crypto session
9 Secure Multicast Data Plane Model
  Premise: the sender does not know the potential recipients
  Diagram: a GM sending to GMs it cannot enumerate
10 Secure Multicast Data Plane Model
  Premise: the sender does not know the potential recipients
  The sender assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group
  Diagram: KS serving the GMs
11 Secure Multicast Data Plane Model
  Premise: the sender does not know the potential recipients
  The sender assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group
  Encrypt multicast with IP address preservation; replication in the core is based on the original (S,G)
12 Corollary: Secure Unicast Data Plane
  Premise: the receiver advertises the destination prefix but does not know the potential encryption sources
13 Corollary: Secure Unicast Data Plane
  Premise: the receiver advertises the destination prefix but does not know the potential encryption sources
  The receiver assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group
14 Corollary: Secure Unicast Data Plane
  Premise: the receiver advertises the destination prefix but does not know the potential encryption sources
  The receiver assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group
  The receiver can authenticate the group membership
15 Group Encrypted Transport Data Plane Format
  Preservation of the original IP addresses and DSCP in the encapsulating IP packet
  Encapsulating Security Payload (ESP) with an irrelevant sequence number
  OPTIONAL: time-based anti-replay in lieu of the sequence number
  IPsec Next Header identified as IANA private encryption (protocol = 99)
  Cisco Meta Data (99) carries the pseudo-timestamp for receiver verification
Packet layout (outer to inner):
  IP Header (Outer): preserved IP addresses from the inner IP header
  Security Parameter Index (SPI)
  Sequence Number (ignored by the receiver for group encryption)
  Cisco Meta Data: Next Header = IP, Length (0x2), Version (0x1), Reserved; Len (0x1), Type 5 = Time-based Anti-Replay, Reserved; Pseudo Time Stamp (time-based anti-replay)
  IP Header (Inner)
  Original IP Payload
  IPsec Padding, Pad Length, Next Header (MD 99)
  Authentication Tag
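The data plane format above, worked through as an added Python example (not Cisco's code and not from the slides): a group member wraps an IPv4 packet in ESP with the inner addresses and DSCP copied into the outer header and a Cisco Meta Data block carrying the pseudo-timestamp in front of the inner packet; the receiver authenticates the packet, ignores the ESP sequence number and enforces a time-based anti-replay window instead. Assumptions of the example: the metadata field widths, the 30-second window, and an HMAC-SHA256 ICV standing in for the real ESP cipher suite (no encryption is applied, so the framing stays inspectable); the addresses and the group key are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50
NH_CISCO_META = 99     # slide: ESP Next Header = IANA private encryption, marks the Cisco Meta Data
NH_IP = 4              # metadata Next Header: an IPv4 packet follows
META_TYPE_TBAR = 5     # slide: Type 5 = time-based anti-replay
ICV_LEN = 12
TBAR_WINDOW_S = 30     # assumed receiver tolerance; not a value from the slides


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, dscp: int, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (no options) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    vihl, tos, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "dscp": tos >> 2, "proto": proto, "payload": pkt[ihl:total]}


def metadata_block(pseudotime: int) -> bytes:
    """Cisco Meta Data: 4-byte header (next header, length, version, reserved),
    4-byte option header (len, type, reserved), 8-byte pseudo-timestamp. Widths are assumed."""
    return (struct.pack("!BBBB", NH_IP, 3, 1, 0)
            + struct.pack("!BBH", 2, META_TYPE_TBAR, 0)
            + struct.pack("!Q", pseudotime))


def get_encapsulate(inner: bytes, spi: int, seq: int, pseudotime: int, group_key: bytes) -> bytes:
    """GM send side: outer header preserves inner addresses and DSCP; ESP carries metadata + inner packet."""
    ih = parse_ipv4(inner)
    body = metadata_block(pseudotime) + inner
    pad_len = (-(len(body) + 2)) % 4                       # align pad length + next header to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, NH_CISCO_META)
    esp = struct.pack("!II", spi, seq) + body + trailer
    icv = hmac.new(group_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_packet(ih["src"], ih["dst"], ih["dscp"], ESP_PROTO, esp + icv)


def get_decapsulate(packet: bytes, group_key: bytes, receiver_pseudotime: int) -> dict:
    """GM receive side: verify the ICV, ignore the sequence number, enforce the pseudotime window."""
    outer = parse_ipv4(packet)
    if outer["proto"] != ESP_PROTO:
        raise ValueError("not ESP")
    esp, icv = outer["payload"][:-ICV_LEN], outer["payload"][-ICV_LEN:]
    expected = hmac.new(group_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("authentication failed")
    spi, _seq = struct.unpack("!II", esp[:8])              # sequence number is meaningless on a group SA
    pad_len, next_hdr = struct.unpack("!BB", esp[-2:])
    if next_hdr != NH_CISCO_META:
        raise ValueError("unexpected next header %d" % next_hdr)
    body = esp[8:len(esp) - 2 - pad_len]
    nh, _, _, _, _, opt_type, _, pseudotime = struct.unpack("!BBBBBBHQ", body[:16])
    if nh != NH_IP or opt_type != META_TYPE_TBAR:
        raise ValueError("malformed metadata")
    if abs(receiver_pseudotime - pseudotime) > TBAR_WINDOW_S:
        raise ValueError("outside the time-based anti-replay window")
    return {"spi": spi, "pseudotime": pseudotime, "outer_src": outer["src"],
            "outer_dst": outer["dst"], "dscp": outer["dscp"], "inner": parse_ipv4(body[16:])}


def is_rejected(packet: bytes, group_key: bytes, receiver_pseudotime: int) -> bool:
    """True when the receiver drops the packet (bad ICV, bad framing, or outside the window)."""
    try:
        get_decapsulate(packet, group_key, receiver_pseudotime)
        return False
    except ValueError:
        return True
```

Because the ICV covers only the ESP portion, the preserved outer header is routable but not integrity-protected, which is why the receiver takes its addressing decisions from the authenticated inner header.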
16 VPN Environments
17 Key Messages
  What constitutes a VPN?
  Tools to create a VPN: FR, ATM, MPLS, VPLS, GRE, and IPsec
  Tools to secure a VPN: IPsec and GET (and others?)
  GET uses an existing VPN; IPsec creates a VPN
  IPsec often creates an overlay VPN
  Decoupling the routing plane and the crypto plane
  Distinguishing VPN topology from security perimeter
    Topology: point-to-point versus multi-point
    Security perimeter: point-to-point versus all-points
  Matrix (perimeter versus topology, point-to-point and multi-point): IPsec for the point-to-point perimeter, group security for the all-points perimeter (1)
  (1) A shared crypto group for all links is advised
18 Core VPN Infrastructure
  FR/ATM hub-and-spoke VPN: the hub CE transits for all spokes; security perimeter per link; IPsec crypto creates an overlay VPN
  MPLS/VPLS any-to-any VPN: direct flows between all CEs; the security perimeter covers all sites; GET crypto leverages the existing VPN
  Diagram: CE, switch and PE elements over FR/ATM/TDM and MPLS VPN cores; IPsec point-to-point connections versus group security flows, each with its security perimeter
19 VPN Access Infrastructure
  Securing the VPN access: GET secures a core VPN; IPsec creates a VPN and secures it over the Internet; IPsec applied to a core VPN would create an overlay VPN
  Redundant core VPN access: dual-homed CE site, dual-VPN CE site, redundant CE site, hybrid dual-VPN CE site
  Diagram: GET over MPLS VPN (and over MPLS VPN 1 / MPLS VPN 2), with Internet access for the redundant, dual-homed, dual-VPN and hybrid dual-VPN CEs
20 Infrastructure and Access Agnostic Security
  Routing provides IP paths: the path for crypto flows, independent of crypto state
  GET secures IP flows: independent of the network path, independent of routing state
  Diagram: group security across MPLS VPN, FR/ATM and backup access (L2TP, DSL, IPsec, ...)
21 Crypto Policy Goals
  Secure
    Ensure we encrypt traffic that MUST be encrypted
    Ensure we do not encrypt traffic that MUST be clear-text
  Simplify provisioning
    Consistency through policy templates
    Smart address management (management plane, control plane, data plane)
  Policy symmetry
    Minimize the number of policy permutations
    Point-to-point policies should use IPsec
    GET is best used with aggregate symmetric IP address ranges
  Reliability
    Redundant paths for control plane and data plane
22 Policy Permutations: Pt-to-Pt IPSec Associations Site 1 Site 2 Site 3 Addresses A1 B1 A2 B2 C A3 B3 Site 1 A1 - - A1-A2 A1-B2 A1-C A1-A3 A1-B3 B1 - - B1-A2 B1-B2 B1-C B1-A3 B1-B3 Site 2 A2 A2-A1 A2-B A2-A3 A2-B3 B2 B2-A1 B2-B B2-A3 B2-B3 C C-A1 C-B C-A3 C-B3 Site 3 A3 A3-A1 A3-B1 A3-A2 A3-B2 A3-C - - B3 B3-A1 B3-B1 B3-A2 B3-B2 B3-C - - Policy Statements on Site 1: 10 Policy Statements on Site 2: 12 Policy Statements on Site 3: 10 Total Network Policy Statements: 32 Site specific policy A = B = C =
23 Policy Permutations: Asymmetric Group Disaggregate Site 1 Site 2 Site 3 Addresses A1 B1 A2 B2 C A3 B3 Site 1 A1 - - A1-A2 A1-B2 A1-C A1-A3 A1-B3 B1 - - B1-A2 B1-B2 B1-C B1-A3 B1-B3 Site 2 A2 A2-A1 A2-B A2-A3 A2-B3 B2 B2-A1 B2-B B2-A3 B2-B3 C C-A1 C-B C-A3 C-B3 Site 3 A3 A3-A1 A3-B1 A3-A2 A3-B2 A3-C - - B3 B3-A1 B3-B1 B3-A2 B3-B2 B3-C - - Policy Statements on Site 1: 32 Policy Statements on Site 2: 32 Policy Statements on Site 3: 32 Total Network Policy Statements: 32 Global policy distributed to all sites 23
24 Policy Permutations: Group Asymmetric Aggregates Site 1 Site 2 Site 3 Addresses A1 B1 A2 B2 C A3 B3 Site 1 A1 - - A-A A-B A-C A-A A-B B1 - - B-A B-B B-C B-A B-B Site 2 A2 A-A A-B A-A A-B B2 B-A B-B B-A B-B C C-A C-B C-A C-B Site 3 A3 A-A A-B A-A A-B A-C - - B3 B-A B-B B-A B-B B-C - - Policy Statements on Site 1: 8 Policy Statements on Site 2: 8 Policy Statements on Site 3: 8 Total Network Policy Statements: 8 Global Policy (aggregates) distributed to all sites including unused policy 24
25 Policy Permutations: Group Asymmetric Aggregates Site 1 Site 2 Site 3 Addresses A1 B1 A2 B2 - A3 B3 Site 1 A1 - - A-A A-B - A-A A-B B1 - - B-A B-B - B-A B-B Site 2 A2 A-A A-B A-A A-B B2 B-A B-B B-A B-B Site 3 A3 A-A A-B A-A A-B B3 B-A B-B B-A B-B Policy Statements on Site 1: 4 Policy Statements on Site 2: 4 Policy Statements on Site 3: 4 Total Network Policy Statements: 4 Global Policy (aggregates) distributed to all sites including unused policy 25
26 Policy Permutations: Group Symmetric Aggregate Site 1 Site 2 Site 3 Addresses A1 B1 A2 B2 C A3 B3 Site 1 A1 - - any, any any, any any, any any, any any, any B1 - - any, any any, any any, any any, any any, any Site 2 A2 any, any any, any any, any any, any B2 any, any any, any any, any any, any C any, any any, any any, any any, any Site 3 A3 any, any any, any any, any any, any any, any - - B3 any, any any, any any, any any, any any, any - - Policy Statements on Site 1: 1 Policy Statements on Site 2: 1 Policy Statements on Site 3: 1 Total Network Policy Statements: 1 Global Universal Policy (aggregate): <permit ip any any> 26
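The four permutation tables above count policy statements by hand; the added Python below (not from the slides) derives the same counts from a site/prefix layout, so the effect of disaggregation, aggregation and full symmetry can be checked for any layout rather than only the three-site one. The site names, the A/B/C prefix labels and the rule that a prefix's aggregate is its class letter are constructed for the example.

```python
from itertools import product

# Constructed layout mirroring the slides: three sites, prefixes labelled by class letter A/B/C
SITES = {"Site 1": ["A1", "B1"], "Site 2": ["A2", "B2", "C"], "Site 3": ["A3", "B3"]}


def remote_pairs(sites):
    """Every ordered (src, dst) prefix pair whose ends sit at different sites."""
    return [(s, d)
            for site_s, ps in sites.items()
            for site_d, pd in sites.items() if site_s != site_d
            for s, d in product(ps, pd)]


def point_to_point_policy(sites):
    """Per-site IPsec policy: one statement per (local prefix, remote prefix) pair."""
    return {site: sorted(f"permit ip {s} {d}" for s, d in remote_pairs(sites) if s in local)
            for site, local in sites.items()}


def group_disaggregate_policy(sites):
    """One global GET policy listing every per-prefix pair, distributed to all sites."""
    return sorted(f"permit ip {s} {d}" for s, d in remote_pairs(sites))


def group_aggregate_policy(sites, aggregate=lambda prefix: prefix[0]):
    """Global policy on aggregates: each prefix collapses to its aggregate (its class letter here),
    so the policy also carries pairs that no single site uses, as the slide notes."""
    return sorted({f"permit ip {aggregate(s)} {aggregate(d)}" for s, d in remote_pairs(sites)})


def group_symmetric_policy():
    """Global universal policy: a single aggregate covering everything."""
    return ["permit ip any any"]


def statement_counts(sites):
    """Policy statements per paradigm; in a group paradigm every site carries the whole global policy."""
    p2p = point_to_point_policy(sites)
    return {
        "p2p_per_site": {site: len(v) for site, v in p2p.items()},
        "p2p_total": sum(len(v) for v in p2p.values()),
        "group_disaggregate_per_site": len(group_disaggregate_policy(sites)),
        "group_aggregate_per_site": len(group_aggregate_policy(sites)),
        "group_symmetric_per_site": len(group_symmetric_policy()),
    }
```

Dropping the odd prefix C from site 2 reproduces the 4-statement table, and the aggregate policy is where the slides' caveat shows up: the global policy includes pairs such as A-C that only some sites ever exercise.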
27 GET Components and Functions
28 Key Messages
  Group Member: point of traffic encryption
    Implementation
    Group IPsec: method of security
    Group IPsec: method of resiliency
  Key Server: point of control (policy, keys, membership)
    GDOI: method of policy and key deployment
    COOP: method for control plane resiliency (synchronization)
  Performance, Scalability, and Reliability
    Scale: KS operations
    Performance: GM operations
    Reliability: synchronization
29 Group Member: Membership Management
  Group Member Join: Registration
    Immediately upon boot
    Immediately upon applying the crypto map
    Protected by IKE SA (pre-shared keys or X.509 certificate)
  Group Member Maintenance: Rekey
    Periodic update
    Protected by Rekey SA (the IKE SA expires)
    New policies, time sync, or new keys (TEK or KEK)
    Acknowledged with unicast rekey
    Unacknowledged with multicast rekey
30 Group Member States
  Uninitialized: router reboot, mis-configured, cleared
  Fail-Closed: blocking / dropping (1)
  Fail-Open: forwarding (2)
  Registration: authenticating
  Group Member: forwarding / encrypting, receiving rekeys
  Transitions: Uninitialized -> Initialize -> Fail-Closed or Fail-Open -> Authentication -> Registration -> Authorization -> Group Member; an expired or expiring TEK triggers rekey retry and, on failure, re-registration; Reset returns to Uninitialized
  (1) Fail-Closed is a feature; it is also a crypto state
  (2) Fail-Open is NOT a feature; it is a crypto state
31 Group Member Procedures
  RFC 3547 Group Domain of Interpretation definitions:
    Initiator = Group Member (GM)
    Receiver = Key Server (KS)
    Groupkey-Pull = Registration
    Groupkey-Push = Rekey
  Registration: GM authenticates with the KS; the KS provides policies and keys (protection: IKE SA; exchange: IKE Phase I, GROUP-ID, SA-POLICY, SA-POLICY ACK, policy and keys)
  Rekey: the KS periodically refreshes keys (protection: KEK; carries KEK, TEK, PST)
32 Group Member Perimeter
  Interfaces
    Crypto map applied
    Crypto exceptions: control plane, management
    Registration interfaces: accessible via any interface, always routable to the KS
Secured Group Member Interface:
interface Serial0/0
 ip address <address> <mask>
 crypto map svn                                <- WAN ENCRYPTION
 ip access-group fail-closed out               <- BLOCK EVERYTHING BUT CONTROL
Fail-closed Policy:
ip access-list extended fail-closed
 permit esp any any                            <- ALLOW ENCRYPTED
 permit ip host <ce> host <pe>                 <- ALLOW ROUTE ADJACENCY
 permit tcp host <ce> eq ssh any               <- ALLOW SECURE SHELL
Crypto Map Association to Group Security:
crypto map svn 10 gdoi                         <- GROUP CRYPTO MAP ENTRY
 set group secure-wan                          <- GROUP MEMBERSHIP
 match address control_plane                   <- EXCLUDE ENCRYPTION
Group Member Policy Exceptions:
ip access-list extended control_plane          <- CONTROL PLANE PROTOCOLS
 deny ip host <ce> host <pe>                   <- PE-CE LINK (BGP, ICMP)
 deny tcp host <ce> eq ssh any                 <- MANAGEMENT SECURE SHELL
Group Member Association:
crypto gdoi group secure-wan                   <- GROUP ENCRYPTION
 identity number 3333                          <- MEMBER'S GROUP IDENTITY
 server address ipv4 <ks1_address>             <- KS ADDRESS TO REGISTER
 server address ipv4 <ks2_address>             <- ALTERNATE KS REGISTRATION
33 Key Server: Group Management Functions
  Manage group policy and keys: create policy, create keys, synchronize policy and keys
  Manage group membership: registration of group members, synchronization of group membership
  Roles
    Primary: create keys, register GM, distribute keys, notify secondary KS
    Secondary: register GM, monitor primary, update primary
  Diagram: primary KS and secondary KSs exchanging COOP, each serving group members over GDOI across the GET VPN
34 Key Server States
  Unknown: reboot, mis-configured, cleared
  Secondary: monitor primary KS announcements, accept GM registrations, update the primary KS of GMs
  Primary: announce GMs, policy, and keys; create policy and keys; execute rekey; accept GM registrations
  Transitions: Unknown -> Initialize -> Secondary; Secondary -> Evaluate and Election -> Promotion -> Primary; Primary -> Evaluate and Announce -> Demote -> Secondary; Reset returns to Unknown
35 Cooperative Key Server Protocol: COOP Key Server Insertion Process
  ISAKMP Phase 1 authentication: pre-shared key or certificate
  Keep-alive: persistent
  COOP processing: announcement messages, election processes, policy and key control, group membership
  Sequence (diagram): an unknown KS (priority 50) completes IKE Phase I with the primary KS (priority 100, holding the GM database and the policy and keys); both announce, Announce (100) and Announce (50); the election confirms the primary; the new KS becomes a secondary KS (priority 50) and keeps receiving announcements
36 Cooperative Key Server Protocol: COOP Key Server Promotion Process
  Policy and keys
  Periodic announcement: primary at a 20-second interval
  Missed announcement request: secondary at 30 seconds
  Dead hold-time: secondary at 60 seconds
  Election initiation: secondary at 65 seconds
  Synchronize the GM database
  Sequence (diagram): the primary KS (priority 100) announces; announcements are missed (primary partitioned, or secondary rebooted); the secondary KS (priority 50) sends Announce (Req.) and gets no Announce (Reply); the dead KS hold-time expires; the election runs; the secondary announces as the new primary KS holding the GM database and the policy and keys
37 Cooperative Key Server Protocol: COOP Key Server Merge Process
  Peer establishment: ISAKMP Phase 1, COOP exchange
  Election initiation and synchronization: evaluation of peer priority, election executed, database exchange
  Independent rekey: primary periodic announcement, deprecation of the oldest key
  Sequence (diagram): two primaries, KS-1 (priority 100) and KS-2 (priority 50), each with its own GM database and policy and keys, complete IKE Phase I and exchange Announce (100) and Announce (50); after evaluation KS-2 is demoted to secondary and the databases are updated in both directions; the primary announces and rekeys the GMs, and the key roll-over retires the older key
38 Key Server Configuration
  Crypto group established
  Policy established
  Control plane attributes: authorized GM (GDOI), remote peer KS (COOP)
  Peer authentication (GM and KS): traditional ISAKMP, pre-shared keys, certificates
crypto gdoi group secure-wan
 identity number 3333                          <- GROUP ID
 server local                                  <- KEY SERVER
  rekey address ipv4 102                       <- REKEY ADDRESSES
  rekey retransmit 40 number 3                 <- REKEY RETRANSMITS
  rekey authentication mypubkey rsa my_rsa     <- KS MSG AUTHENTICATION
  authorization address ipv4 member-list       <- GROUP MEMBER AUTHORIZATION
  sa ipsec 1                                   <- SECURITY ASSOCIATION
   profile gdoi-p                              <- CRYPTO ATTRIBUTES SELECTION
   match address ipv4 lans-only                <- ENCRYPTION POLICY LAN-to-LAN
   no replay                                   <- NO ANTI-REPLAY
  address ipv4 <ks_address>                    <- KS ADDRESS
  redundancy                                   <- ENABLING COOP
   peer address ipv4 <peer_ks_address>         <- REMOTE KS
   local priority 100                          <- LOCAL KS PRIORITY
Rekey profile (needed for multicast rekey only):
access-list 102 permit any host                <- REKEY SOURCE / DESTINATION
Group member authorization list (optional):
ip access-list extended member-list            <- GM AUTH LIST
 permit <gm_ou>                                <- GM CERTIFICATE
 permit <gm_address>                           <- GM IP ADDRESS
Encryption IPsec proxy (mandatory):
ip access-list extended lans-only              <- ENCRYPTION POLICY
 deny udp any eq 848 any eq 848                <- ALLOW GDOI
 permit ip                                     <- UNICAST
 permit ip                                     <- MULTICAST
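The COOP insertion, promotion and merge processes on the three slides above, modelled as an added Python example (not Cisco's implementation): a priority election, the merge of two primaries after a partition heals, and a replay of the secondary's timers (20 s announce interval, 30 s missed-announcement request, 60 s dead hold-time, 65 s election start). The tie-break on KS name and the one-second simulation step are assumptions of the example; KS names and priorities are constructed.

```python
ANNOUNCE_INTERVAL_S = 20      # slide: primary announces every 20 seconds
MISSED_REQUEST_S = 30         # slide: secondary requests an announcement after 30 seconds
DEAD_HOLD_TIME_S = 60         # slide: primary declared dead after 60 seconds of silence
ELECTION_START_S = 65         # slide: secondary initiates the election at 65 seconds


def elect_primary(priorities):
    """Highest COOP priority wins; the alphabetical tie-break is an assumption of this example."""
    return max(sorted(priorities), key=lambda ks: priorities[ks])


def merge(primary_a, priority_a, primary_b, priority_b):
    """Two primaries discover each other (partition heals): the higher priority stays primary,
    the other is demoted to secondary and the GM databases are exchanged."""
    winner = elect_primary({primary_a: priority_a, primary_b: priority_b})
    loser = primary_b if winner == primary_a else primary_a
    return {"primary": winner, "demoted": loser}


def secondary_timeline(announce_times, end_time, peer_priorities):
    """Replay a secondary KS's view: announcement arrival times (seconds) and the timers it runs.
    Returns the events the secondary generates up to end_time, stopping once it runs an election."""
    announced = set(announce_times)
    last_seen = None
    events = []
    for t in range(end_time + 1):
        if t in announced:
            last_seen = t              # any announcement resets the silence timers
            continue
        if last_seen is None:
            continue
        silence = t - last_seen
        if silence == MISSED_REQUEST_S:
            events.append((t, "announce-request"))
        elif silence == DEAD_HOLD_TIME_S:
            events.append((t, "primary-dead"))
        elif silence == ELECTION_START_S:
            events.append((t, "election:" + elect_primary(peer_priorities)))
            break
    return events


def healthy_announcements(until):
    """Announcement schedule of a primary that never misses an interval."""
    return list(range(0, until + 1, ANNOUNCE_INTERVAL_S))
```

With a primary that stops after its third announcement, the secondary requests an announcement at 70 s, declares the primary dead at 100 s and elects a new primary among the reachable peers at 105 s; a primary that keeps its 20-second cadence never trips any timer.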
39 Resilient Key Server Functions: Principles
  Network resiliency
    COOP associated with a loopback interface on the KS (always up/up)
    Physically diverse paths (active/active) for the COOP protocol
  Key server processes
    Preemptive rekey of new keys and/or policy
    Iterative rekey attempts
  Group member processes
    Preemptive re-registration after a failed rekey
    Iterative re-registration attempts
40 Resilient Key Server Functions: Network Resiliency for Key Servers
  Key server architecture
    Full mesh peering
    Geographically dispersed KS
    Diverse control plane paths
    Dynamic election of the primary KS
    Priority bias of primary KS selection
    Maximum of eight KS per group; recommend two KS per group
  Diagram: primary KS (priority 50) and secondary KSs (priority 40, priority 30) peering over out-of-band, physically diverse COOP paths across the GET VPN
41 Resilient Key Server Functions: Key Server Processes
  Retry = 1, Interval = 60 sec
  Rekey: the KS prepositions the next TEK and iteratively pushes the key to each group member, rekeyed in batches of 50 GM
  Rekey Interval (M) in seconds; Rekey Retry Attempts (N)
  Timeline (diagram): t0-420 | t0-360 (10%) | t0-180 (5%) | t0-30 | t0, with the KS share labelled "10% + Interval"
  Model: t_rekey = t0 - (M interval seconds) x (N retries + 1) - max(10% of TEK lifetime seconds, 90 seconds)
  Example: t_rekey = t0 - (60 interval seconds) x (0 retries + 1) - max(10% of 3600 seconds, 90 seconds) = t0 - 60 seconds - 360 seconds = t0 - 420 seconds
42 Resilience Key Server Functions: Group Member Processes
  All GMs are eligible to register to any KS serving their group
  Each GM will iteratively attempt to register to each KS
  Each GM will attempt to register to alternate KSs iteratively
  Each GM will repeat the registration process indefinitely until policy and keys are retrieved
  Diagram: members registering to the primary (priority 50) and secondaries (priority 40, priority 30)
43 Resilience Key Server Functions: Group Member Processes
  GM registration invoked at boot, crypto configuration, or missed rekey
  Any eligible KS serving the group
  GM-configured order of KS alternates
  Priority and status of the KS irrelevant
44 Resilience Key Server Functions: Group Member Processes
  GM recognizes the lack of policy or current keys
  GM attempts registration to the preferred KS (four ISAKMP attempts = 40 seconds)
  GM attempts registration to the alternate KS (four ISAKMP attempts = 40 seconds)
  GM repeats KS registration attempts (KS1, KS2, KS3, ...) until successful
  Timeline: Old SA -> Re-register Window -> Key Roll-over -> New SA
  T_reg = max(5% of TEK lifetime, 60 sec)
45 Key Server Scalability
  Key server choice: based on the maximum number of GM per group (chart by platform, ASR1K, 3945E and others, PSK or PKI)
  Peak registration rate (PSK/PKI capability):
    ASR1006: > 85 reg/sec
    3945E and 3925: > 80 reg/sec
    3945: > 90 reg/sec
    2951: = 63 reg/sec
    2925E: > 75 reg/sec
    2921: > 17 reg/sec
    2911: = 17 reg/sec
46 Group Member Performance
  IMIX throughput at 70% max CPU, in gigabits per second (chart, 1.0 to 16 Gbps): ASR1000 ESP100, ESP40, ESP20, ASR1002-X, ESP10, ESP5, 3945E, 3925, 2925E; ESP10 and ESP5 also shown with CEF load-balancing
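The rekey model on slide 41 and the registration walk on slide 44, carried through as an added Python example (not from the slides): it computes the KS rekey lead time, the GM re-registration window T_reg, the number of 50-GM batches, and walks the GM's configured KS list at four ISAKMP attempts (40 seconds) per key server until one answers. Assumptions of the example: each failed attempt costs 10 s, a reachable KS answers the first attempt, and the walk is capped at three sweeps so the simulation terminates; KS names are constructed.

```python
import math

ISAKMP_ATTEMPTS_PER_KS = 4   # slide: four ISAKMP attempts per KS
ISAKMP_ATTEMPT_S = 10        # assumed: four attempts = 40 seconds, so 10 s each
REKEY_BATCH_SIZE = 50        # slide: rekeyed in batches of 50 GM


def rekey_lead_time(tek_lifetime_s, interval_s=60, retries=0, floor_s=90):
    """Seconds before TEK expiry (t0) at which the KS starts pushing the new TEK:
    (M interval) x (N retries + 1) + max(10% of TEK lifetime, 90 s)."""
    return interval_s * (retries + 1) + max(0.10 * tek_lifetime_s, floor_s)


def reregister_window(tek_lifetime_s):
    """GM re-registration window T_reg = max(5% of TEK lifetime, 60 s)."""
    return max(0.05 * tek_lifetime_s, 60)


def rekey_batches(group_size):
    """Number of 50-GM batches the KS iterates through for one rekey."""
    return math.ceil(group_size / REKEY_BATCH_SIZE)


def register(ks_order, reachable, max_rounds=3):
    """Walk the GM's configured KS list: four attempts (40 s) per KS, then the next KS, repeating.
    Returns (ks_name, seconds_spent_failing), or (None, seconds) after max_rounds sweeps."""
    elapsed = 0
    for _sweep in range(max_rounds):
        for ks in ks_order:
            if ks in reachable:
                return ks, elapsed
            elapsed += ISAKMP_ATTEMPTS_PER_KS * ISAKMP_ATTEMPT_S
    return None, elapsed


def covers_missed_rekey(tek_lifetime_s, ks_order, reachable):
    """A GM that missed every rekey re-registers T_reg before t0; it recovers only if it
    finds a reachable KS before the old TEK expires."""
    ks, elapsed = register(ks_order, reachable)
    return ks is not None and elapsed < reregister_window(tek_lifetime_s)
```

The last function is the practical check: with a 3600 s TEK the 180 s window absorbs two unreachable key servers ahead of the third, but with a 900 s TEK the window shrinks to its 60 s floor and the same two failures consume 80 s, so the GM runs out of keys before it registers.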
47 GET Deployment Methods
48 Key Messages
  Transition methods
    GET methods: receive-only and passive-mode
    Access methods: physical and logical migrations
  Enhanced VPN protection
    Customer group protection models
    Service group protection models
    Segmentation encryption methods
    Hierarchical protection models
  Network considerations: MTU, NAT, route/crypto state synchronization, policy modifications
49 Transitioning to GET-protected VPNs
50 Methods for Transition
  Clear-text transition
    Environment using no encryption on the private WAN
    GET VPN conditional encryption
    Site-by-site transition with a single policy!!!
  IPsec transition
    Environment with point-to-point IPsec deployed
    GET VPN is the encryption of last resort
    Site-by-site migration
  VTI / GRE-IPsec transition
    Environment using an encrypted tunnel overlay
    GET VPN encryption of non-tunneled packets
    Site-by-site migration
51 Clear-Text Transition: Passive Mode Policy Migration
  Receive-Only Mode
    Forwards packets in clear-text that match the permit policy
    Allows decryption of packets that match the permit policy
  Passive Mode
    Applies encryption to packets that match the permit policy
    Accepts both cipher-text and clear-text packets that match the permit policy
  Diagram: a GM in Receive-Only exchanges clear-text in both directions; a GM in Passive Mode sends cipher-text and still accepts clear-text (SA where listed, N/A otherwise)
52 Passive Mode Policy Migration: Migration Sequence
  Passive-Mode
    Used for clear-text to cipher-text network transitions
    Applies encryption to packets that match the permit policy
    Allows receipt of encrypted and clear-text packets that match the permit policy
  Crypto states of group members:
    Step 1: Enable Receive-Only on all GMs (RO and CT mixed during the step)
    Step 2: Enable Passive-Mode on all GMs (PM and RO mixed during the step)
    Step 3: Remove Receive-Only from the KS (PM and PE mixed during the step)
    Step 4: Remove Passive-Mode on the GMs (NM)
  Legend: CT = Clear-text, RO = Receive-Only, PM = Passive Mode, PE = Normal Mode with Passive Exception, NM = Normal Mode
53 Incrementally Enabling GET VPN
  Communication result by GM state pair (rows: one GM; columns: GM without GET, GM Receive Only, GM Passive, GM Normal):
    GM without GET:  Successful | Successful | Fail       | Fail
    GM Receive Only: Successful | Successful | Successful | Fail
    GM Passive:      Fail       | Successful | Successful | Successful
    GM Normal:       Fail       | Fail       | Successful | Successful
54 Receive-only Mode: Key Server Config
  All sites capable of receiving and decrypting
  All sites default to forwarding in clear-text
  Specific sites configured to forward in cipher-text
crypto gdoi group customer-vpn
 identity number 3333                          <- GROUP ID
 server local                                  <- KEY SERVER
  rekey transport unicast                      <- REKEY ADDRESSES / UNICAST REKEY
  rekey retransmit 40 number 3                 <- REKEY RETRANSMITS
  rekey authentication mypubkey rsa my_rsa     <- KS MSG AUTHENTICATION
  sa receive-only                              <- RECEIVE-ONLY
  sa ipsec 1                                   <- SECURITY ASSOCIATION
   profile gdoi-p                              <- CRYPTO ATTRIBUTES SELECTION
   match address ipv4 everything               <- ENCRYPTION POLICY EVERYTHING
  address ipv4 <ks_address>                    <- KS ADDRESS
!
ip access-list extended everything             <- POLICY
 deny udp any eq 848 any eq 848                <- ALLOW GDOI
 permit ip any any                             <- ENCRYPT ALL
55 Passive Mode: Group Member Config
  All sites capable of receiving and decrypting
  Any site capable of forwarding in clear-text
  Specific sites configured to forward in cipher-text
crypto gdoi group customer-vpn
 identity number 3333
 server address ipv4 <ks1_address>
 server address ipv4 <ks2_address>
 passive
!
crypto map get-customer-vpn 10 gdoi
 set group customer-vpn
 match address no-encryption
!
ip access-list extended no-encryption
 deny ip host <ce> host <pe>
 deny tcp host <ce> eq ssh any
 ...
interface serial0/0
 ip address <address> <mask>
 crypto map get-customer-vpn
56 IPsec Transitions: Crypto Map Order of Priority
  Goal: transition a network using point-to-point IPsec to GET VPN
  Method
    Deploy the KS with an SA using a global (permit ip any any) scope of encryption
    Incrementally add CEs to the GET network
    Incrementally remove point-to-point IPsec
  Assessment
    Pro: easy transition of individual CEs to GET VPN
    Pro: incremental deployment of the GET infrastructure
    Con: GET can't be leveraged until the point-to-point SAs are removed
    Con: GET must be the default encryption paradigm
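The compatibility matrix on slide 53 and the four-step migration on slide 52, as an added Python example (not from the slides): each GM state is reduced to what it sends and what it accepts, a pair communicates only when both directions are accepted, and a migration step is safe only when every pair in the mixed population still communicates. Modelling PE (normal mode with passive exception) as passive behaviour is an assumption of the example; the five-GM populations are constructed.

```python
from itertools import combinations

# What each GM state emits and what it is willing to accept, as the slides describe the states
MODES = {
    "without-get":  {"sends": "clear",  "accepts": {"clear"}},
    "receive-only": {"sends": "clear",  "accepts": {"clear", "cipher"}},
    "passive":      {"sends": "cipher", "accepts": {"clear", "cipher"}},
    "normal":       {"sends": "cipher", "accepts": {"cipher"}},
}
ORDER = ["without-get", "receive-only", "passive", "normal"]   # row/column order of slide 53


def one_way_ok(sender, receiver):
    return MODES[sender]["sends"] in MODES[receiver]["accepts"]


def can_communicate(a, b):
    """Both directions must be accepted for the pair to communicate."""
    return one_way_ok(a, b) and one_way_ok(b, a)


def compatibility_matrix():
    """Reproduces the Successful/Fail table as booleans, rows and columns in ORDER."""
    return {a: [can_communicate(a, b) for b in ORDER] for a in ORDER}


def population_ok(modes):
    """True when every pair of GMs in a mixed population communicates."""
    return (all(can_communicate(a, b) for a, b in combinations(modes, 2))
            and all(can_communicate(a, a) for a in modes))


def migration_safe(steps):
    """Each step lists the GM states present while that step is rolled out;
    the migration is safe when no step ever isolates a pair of sites."""
    return all(population_ok(step) for step in steps)


# Slide 52 sequence: RO on all GMs, passive on all GMs, KS drops receive-only, passive removed.
# Step 3's PE state is modelled as passive behaviour (assumption); constructed five-GM populations.
SLIDE_52_STEPS = [
    ["receive-only", "without-get", "receive-only", "without-get", "receive-only"],
    ["passive", "receive-only", "passive", "receive-only", "passive"],
    ["passive", "passive", "passive", "passive", "passive"],
    ["normal", "normal", "normal", "passive", "passive"],
]

# Skipping step 1 puts passive GMs next to GMs that cannot decrypt: the rollout breaks mid-way.
SKIP_STEP_1 = [["passive", "without-get", "passive", "without-get", "passive"]]
```

The value of the model is the negative case: receive-only exists precisely so that clear-text senders never face a peer that has already started encrypting.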
57 IPsec Transition
  Traditional hub-and-spoke IPsec VPN established using point-to-point IPsec security associations
  Key server introduced to the IP VPN environment
  Diagram: hub with the primary key server and spokes over the IP VPN (/24 prefixes not transcribed)
58 IPsec Transition
  Each site configured to support GET as the default protection mechanism (last entry on the crypto map list)
  Point-to-point IPsec connections remain the preferred protection mechanism
  Diagram: hub and spokes as group members, primary KS in the GET VPN
59 IPsec Transition
  Each site configured to support GET as the last-resort protection mechanism (last entry on the crypto map list)
  Point-to-point IPsec connections remain the preferred protection mechanism
  Diagram: all sites as group members; point-to-point IPsec entries retired site by site
60 IPsec Transition: Crypto Map Configuration (peer and prefix addresses were not transcribed)
Hub (point-to-point entries for GM2 and GM3 ahead of the GET entry):
crypto map svn 5 ipsec-isakmp
 set peer <gm2_address>
 set transform-set ipsec
 match address p2p-gm2
crypto map svn 7 ipsec-isakmp
 set peer <gm3_address>
 set transform-set ipsec
 match address p2p-gm3
crypto map svn 10 gdoi
 set group get_vpn
ip access-list extended p2p-gm2
 permit ip any <gm2_prefix>
ip access-list extended p2p-gm3
 permit ip any <gm3_prefix>
Spoke GM2:
crypto map svn 5 ipsec-isakmp
 set peer <hub_address>
 set transform-set ipsec
 match address hub
crypto map svn 10 gdoi
 set group get_vpn
ip access-list extended hub
 permit ip any <hub_prefix>
Spoke GM3:
crypto map svn 7 ipsec-isakmp
 set peer <hub_address>
 set transform-set ipsec
 match address hub
crypto map svn 10 gdoi
 set group get_vpn
ip access-list extended hub
 permit ip any <hub_prefix>
61 Virtual Interface (VTI or GRE)
  Goal: transition an encrypted multi-point tunnel overlay network to GET VPN
  Method
    Deploy the KS with an SA using a global (any any) scope of encryption
    Exclude encryption of pre-encrypted ESP traffic
    Advertise CE routes to the core at the hub (modified metric)
    Incrementally deploy crypto on the CEs
    Advertise transitioning CE routes to the core
    Recycle transitioning CE routes into the tunnel overlay at the hub
  Assessment
    Pro: incremental deployment of crypto on the CEs
    Pro: independent transition of CEs to GET VPN
    Con: route metric management required
62 Virtual Interface Transition
  Hub-and-spoke tunnels (VTI / GRE) established with IPsec protection
  Tunnel protection applied to the tunnel interface; crypto map applied to the physical interface
  Key server introduced to the IP VPN
  Diagram: hub, key server and spokes over the IP VPN (/24 prefixes not transcribed)
63 Virtual Interface Transition
  Individual sites transitioned to GET VPN
  GRE tunnel protection: the GDOI crypto map excludes ESP traffic (i.e. GRE+IPsec)
  Crypto map protection of GRE: GDOI is the last entry on the crypto map list
  Routes diverted from tunnels: modified spoke tunnel routing metrics
  Diagram: the first spoke's routes carried in the core VPN
64 Virtual Interface Transition
  Individual sites transitioned to GET VPN
  GRE tunnel protection: the GDOI crypto map excludes ESP traffic (i.e. GRE+IPsec)
  Crypto map protection of GRE: GDOI is the last entry on the crypto map list
  More routes diverted from tunnels: modified spoke tunnel routing metrics
  Diagram: more spoke routes carried in the core VPN
65 Virtual Interface Transition
  Individual sites transitioned to GET VPN
  GRE tunnel protection: the GDOI crypto map excludes ESP traffic (i.e. GRE+IPsec)
  Crypto map protection of GRE: GDOI is the last entry on the crypto map list
  All routes diverted from tunnels: modified spoke tunnel routing metrics
  Diagram: all spoke routes carried in the core VPN
66 Group Service Models
67 Enhanced VPN Deployment Models
  Multi-Group Management (common VPN)
  Multi-Customer Group Management (segregated VPN)
  Multi-Service Group Management (common or segregated VPN)
68 Multi-Group Management: Service Groups
  Shared KS infrastructure: distinct group per protocol, shared cooperative KS
  Model: the customer uses a shared dual-stack VPN; only sites capable of routing IPv6 join the GET IPv6 group; all sites join the IPv4 GET group; all control plane (COOP and GDOI) must use IPv4
  Service IPv6 policy (grp1): permit ipv6 <any> <any>
  Service IPv4 policy (grp2): permit ip <any> <any>
  Diagram: KS, dual-stack GMs (IPv4/IPv6) and a single-stack IPv4-only GM (/24 and ::/64 prefixes not transcribed)
69 Key Servers: Dual-Group (IPv4 and IPv6) Common VPN
Your goal is to define a distinct SERVICE GROUP for each protocol:
crypto gdoi group v4vpn
 identity number 4444
 server local
  sa ipsec 1
   match address ipv4 ipv4-crypto
crypto gdoi group ipv6 v6vpn
 identity number 6666
 server local
  sa ipsec 1
   match address ipv6 ipv6-crypto
ip access-list extended ipv4-crypto
 permit ip any any
ipv6 access-list ipv6-crypto
 ! Ensure link-local adjacency processes are not encrypted
 deny icmp fe80::/10 any
 deny icmp any fe80::/10
 permit ipv6 any any
70 Group Members: Dual-Stack (IPv4 and IPv6) Common VPN
Both SERVICE GROUPS rely on IPv4 as the control plane (GDOI) protocol:
interface loopback0
 ip address <v4-address>
crypto gdoi group v4vpn
 identity number 4444
 server address ipv4 <ks-address>
 client registration interface loopback0
crypto gdoi group ipv6 v6vpn
 identity number 6666
 server address ipv4 <ks-address>
 client registration interface loopback0
71 Group Members: Dual-Stack (IPv4 and IPv6) Common VPN
Both SERVICE GROUPS applied to the interface facing the common VPN:
interface g0/0
 ip address <v4-address>
 ipv6 address <v6-address>
 crypto map v4vpn
 ipv6 crypto map v6vpn
crypto map v4vpn 10 gdoi
 set group v4vpn
 match address ipv4 ipv4-crypto
crypto map ipv6 v6vpn 10 gdoi
 set group v6vpn
 match address ipv6 ipv6-crypto
ip access-list extended ipv4-crypto
 deny ip <ipv4-address> <ipv4-address>
ipv6 access-list ipv6-crypto
 deny ipv6 <ipv6-address> <ipv6-address>
72 Cloud-based Customer Groups: GET Group per VPN
  Shared KS infrastructure: group per customer, shared cooperative KS
  Model: the service is granted access to each customer VPN; the customer's private IP address space may be NATed to service addresses (i.e. NAT private addresses on the GM to the service address assigned to the GM); the service gateway is connected to each customer VPN
  Customer X policy: permit ip <x*> <s>; permit ip <s> <x*>
  Customer Y policy: permit ip <y*> <s>; permit ip <s> <y*>
  Diagram: service gateway, KS and server; grp1 for customer X (/8, subnet X) and grp2 for customer Y (/8, subnet Y)
73 Cloud-based Customer Groups: GET Group per VPN
Your goal is to use a CUSTOMER ACL for group policy defined as follows:
ip access-list extended services
 ! access for a specific customer X to service-alpha
 permit ip <service-alpha-address> <customer_x>
 permit ip <customer_x> <service-alpha-address>
 ! access for another customer Y to service-alpha
 permit ip <service-alpha-address> <customer_y>
 permit ip <customer_y> <service-alpha-address>
74 Cloud-based Customer Groups
Customer GM joins the customer group (Customer X GM):
crypto gdoi group cust-x
 identity number 3333
 server address ipv4 <ks1_address>
 server address ipv4 <ks2_address>
!
crypto map get-cust-x 10 gdoi
 set group cust-x
 match address no-encryption
!
ip access-list extended no-encryption
 deny ip host <ce> host <pe>
 deny tcp host <ce> eq ssh any
 ...
interface serial0/0
 ip address <address> <mask>
 crypto map get-cust-x
Service GM joins each customer group:
crypto gdoi group cust-y
 identity number 2222
 server address ipv4 <ks1_address>
 server address ipv4 <ks2_address>
!
crypto gdoi group cust-x
 identity number 3333
 server address ipv4 <ks1_address>
 server address ipv4 <ks2_address>
!
crypto map get-customers 10 gdoi
 set group cust-y
 match address no-encryption
!
crypto map get-customers 20 gdoi
 set group cust-x
 match address no-encryption
!
ip access-list extended no-encryption
 deny ip host <ce> host <pe>
 deny tcp host <ce> eq ssh any
 ...
interface serial1/1
 ip address <address> <mask>
 crypto map get-customers
75 Multi-Group Management: GET Group per Service
  Shared KS infrastructure: group per service, shared cooperative KS
  Model: customers are granted access to the service VPN; the customer's private IP address space may be NATed to service addresses (i.e. NAT private addresses on the GM to the service address assigned to the GM)
  Service A policy: permit ip <any> <A>; permit ip <A> <any>
  Service B policy: permit ip <any> <B>; permit ip <B> <any>
  Diagram: service gateway fronting services A and B, KS, groups grp1 and grp2, customers on /8 subnets X and Y
76 Cloud-based Service Groups: GET Group per Service
Your goal is to use a SERVICE ACL for group policy defined as follows:
ip access-list extended services
 ! access for any customer to service-alpha
 permit ip <service-alpha-address> any
 permit ip any <service-alpha-address>
 ! access for any customer to service-beta
 permit ip <service-beta-address> any
 permit ip any <service-beta-address>
77 Service Group Policy Convergence
Customer GM joins one or more service groups (GM X_N, purchased service A):
crypto gdoi group service-a
 identity number 4444
 server address ipv4 <ks1_address>
 server address ipv4 <ks2_address>
!
crypto map get-services 10 gdoi
 set group service-a
 match address no-encryption
!
ip access-list extended no-encryption
 deny ip host <ce> host <pe>
 deny tcp host <ce> eq ssh any
 ...
interface serial0/0
 ip address <address> <mask>
 crypto map get-services
Service GM joins every service group:
crypto gdoi group service-a
 identity number 4444
 server address ipv4 <ks1_address>
 server address ipv4 <ks2_address>
!
crypto gdoi group service-b
 identity number 5555
 server address ipv4 <ks1_address>
 server address ipv4 <ks2_address>
!
crypto map get-services 10 gdoi
 set group service-a
 match address no-encryption
crypto map get-services 20 gdoi
 set group service-b
 match address no-encryption
!
ip access-list extended no-encryption
 deny ip host <ce> host <pe>
 deny tcp host <ce> eq ssh any
 ...
interface serial1/1
 ip address <address> <mask>
 crypto map get-services
78 Hierarchical Group Service Models
79 Hierarchical Group Management: Service Groups

- Shared KS infrastructure
- Group per VPN
- Shared cooperative KS

Segment policies (one per segment):
  permit ip <any> <any>
  permit ip <any> <any>
  permit ip <any> <any>

Model:
- Regional VPNs are each protected by a distinct group.
- Regional VPNs route through the Core VPN for inter-region flows.
- Decryption and encryption are executed on the Regional Gateway.

[Diagram: KS serving grp1 and grp2; Regional Gateway joined to both; regional GMs on /24 subnets]
80 Hierarchical Service Groups

Best practice for large-scale VPN (> 4,000 GM per group).

Your goal is to use a SERVICE GROUP for each VPN segment:
  group 1111 => CORE
  group 2222 => REGION-1
  group 3333 => REGION-2

  crypto gdoi group get-core
   identity number 1111
   server local
    sa ipsec 1
     match address ipv4 core-policy

  crypto gdoi group region-1
   identity number 2222
   server local
    sa ipsec 1
     match address ipv4 region-1

  crypto gdoi group region-2
   identity number 3333
   server local
    sa ipsec 1
     match address ipv4 region-2

  ip access-list extended core-policy
   permit ip any any
  ip access-list extended region-1
   permit ip any any
  ip access-list extended region-2
   permit ip any any
81 Hierarchical Group Management: Regional GM Joins One Service Group

Regional GM:

  crypto gdoi group region-1
   identity number 2222
   server address ipv4
   server address ipv4
  !
  crypto map get-region-1 10 gdoi
   set group region-1
  !
  ...
  interface serial0/0
   ip address
   crypto map get-region-1

Regional Gateway GM joins the core and regional groups:

  crypto gdoi group core
   identity number 1111
   server address ipv4
   server address ipv4
  !
  crypto map get-core 10 gdoi
   set group core
  !
  interface serial0/1
   ip address
   crypto map get-core
  ...
  !
  crypto gdoi group region-1
   identity number 2222
   server address ipv4
   server address ipv4
  !
  crypto map get-region-1 10 gdoi
   set group region-1
  !
  interface serial0/2
   ip address
   crypto map get-region-1
82 Multi-Group Management: NOC VPN Route Management via MPLS VPN Route-Targets

- Existing NOC management VPN
- Distinct customer VPNs
- Leveraging MPLS VPN route-target exchange

[Diagram: KS groups (one crypto policy each) reached through the Provider Edge management-vrf; customer GMs in customer-vrf-purple and customer-vrf-blue, each with a crypto map carrying the management policy plus its own customer policy; route exchange between VRFs using route-targets; non-overlapping IP addresses for management and GM identity]
83 Multi-Group Management: Customer VPN Route Management via MPLS VPN and VLAN Segmentation

- Instantiation of a management VPN
- Extension of distinct customer VPNs
- Leveraging distinct routed KS interfaces

[Diagram: KS with a distinct routed interface per group into the Provider Edge (management, customer-purple, customer-blue); only management routes are exchanged; route segmentation using route-targets; non-overlapping IP addresses for management and GM identity]
84 Multi-Group Management: KS Configuration

Group membership: mgmt: gm1, gm2, gm3, gm4; grp1: gm1, gm2; grp2: gm3, gm4.

  crypto gdoi group mgmt
   identity number 1111
   server local
    authorization address ipv4 mgmt-list
    sa ipsec 1
     profile gdoi-p
     match address ipv4 noc-hosts

  ip access-list standard mgmt-list
   permit <gm1-ip>
   permit <gm2-ip>
   permit <gm3-ip>
   permit <gm4-ip>

  ip access-list extended noc-hosts
   permit ip host <mgmt> any
   permit ip any host <mgmt>

  crypto gdoi group purple
   identity number 3333
   server local
    authorization address ipv4 purple-list
    sa ipsec 1
     profile gdoi-p
     match address ipv4 everything

  ip access-list standard purple-list
   permit <gm1-ip>
   permit <gm2-ip>

  crypto gdoi group blue
   identity number 2222
   server local
    authorization address ipv4 blue-list
    sa ipsec 1
     profile gdoi-p
     match address ipv4 everything

  ip access-list standard blue-list
   permit <gm3-ip>
   permit <gm4-ip>

  ip access-list extended everything
   deny ip <control> <control>
   permit ip any any

[Diagram: KS serving mgmt, grp1 and grp2; gm1 and gm2 in grp1, gm3 and gm4 in grp2, all four GMs in mgmt]
85 Multi-Group Management: GM Configuration

Customer GMs join the management group and their own customer group; the NOC group member joins the management group only.

Customer Purple GM:

  crypto gdoi group purple
   identity number 3333
   server address ipv4
   server address ipv4
  !
  crypto gdoi group mgmt
   identity number 1111
   server address ipv4
   server address ipv4
  !
  crypto map get-purple 5 gdoi
   set group mgmt
  crypto map get-purple 10 gdoi
   set group purple
   match address no-encryption
  !
  ip access-list extended no-encryption
   deny ip host <ce> host <pe>
   deny tcp host <ce> eq ssh any
   ...
  interface serial0/0
   ip address
   crypto map get-purple

Customer Blue GM:

  crypto gdoi group blue
   identity number 2222
   server address ipv4
   server address ipv4
  !
  crypto gdoi group mgmt
   identity number 1111
   server address ipv4
   server address ipv4
  !
  crypto map get-blue 5 gdoi
   set group mgmt
  crypto map get-blue 10 gdoi
   set group blue
   match address no-encryption
  !
  ip access-list extended no-encryption
   deny ip host <ce> host <pe>
   deny tcp host <ce> eq ssh any
   ...
  interface serial1/1
   ip address
   crypto map get-blue
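How a group member actually applies the configurations on slides 74 through 85 can be modelled in a few dozen lines. The following is an added example, not Cisco code and not code from this presentation: it walks a packet through the crypto-map sequences of the Customer Purple GM above (sequence 5 for the mgmt group, sequence 10 for the purple group), each sequence pairing the GM's local no-encryption list with the policy ACL the KS pushes for that group (the noc-hosts and everything lists of slide 84). All addresses are constructed placeholders standing in for <ce>, <pe>, <mgmt> and <control>; the GDOI bypass entry for UDP 848 is taken from slide 90; and the semantics are a simplification: a local deny exempts the packet from that sequence and evaluation moves to the next one, a KS permit encrypts under that group, and anything no sequence permits is forwarded in the clear.

```python
"""
Model of GET VPN group-member policy evaluation (constructed example, not
Cisco code): an ordered crypto map whose entries each pair a local
'no-encryption' ACL with the policy ACL downloaded from the KS for one group.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry. Ports of None mean 'any'; a /32 is an IOS 'host'."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" (matches any protocol), "tcp" or "udp"
    src: str               # CIDR prefix
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def ace_matches(ace: Ace, flow: Flow) -> bool:
    """Does this entry match the flow? Mirrors extended-ACL field matching."""
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(ace.dst):
        return False
    if ace.sport is not None and ace.sport != flow.sport:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return True


def first_match(acl: List[Ace], flow: Flow) -> Optional[Ace]:
    """First-match semantics, as in an IOS access list."""
    return next((ace for ace in acl if ace_matches(ace, flow)), None)


def gm_disposition(crypto_map, flow: Flow) -> Tuple[str, Optional[str]]:
    """
    crypto_map: list of (group, local_acl, ks_policy), lowest sequence first.
    Returns ("encrypt", group) or ("clear", None).
    Simplified model: a local deny exempts the packet from that sequence only;
    a KS-policy deny means 'not this group'; no permit anywhere means clear text.
    """
    for group, local_acl, ks_policy in crypto_map:
        local = first_match(local_acl, flow)
        if local is not None and local.action == "deny":
            continue
        policy = first_match(ks_policy, flow)
        if policy is not None and policy.action == "permit":
            return ("encrypt", group)
    return ("clear", None)


# Constructed addresses standing in for the slide placeholders <ce>, <pe>,
# <mgmt> and <control>; 192.0.2.0/24 plays the KS/control network.
ANY = "0.0.0.0/0"
CE, PE, MGMT = "10.0.0.1/32", "10.0.0.2/32", "172.16.0.5/32"
CONTROL = "192.0.2.0/24"

# GM-local list (slide 85 plus the GDOI bypass of slide 90): deny = send in the clear
NO_ENCRYPTION = [
    Ace("deny", "ip", CE, PE),                           # CE-PE routing adjacency
    Ace("deny", "tcp", CE, ANY, sport=22),               # SSH replies from the CE
    Ace("deny", "udp", ANY, ANY, sport=848, dport=848),  # GDOI registration/rekey
]
# KS-pushed policies from slide 84
NOC_HOSTS = [Ace("permit", "ip", MGMT, ANY), Ace("permit", "ip", ANY, MGMT)]
EVERYTHING = [Ace("deny", "ip", CONTROL, CONTROL), Ace("permit", "ip", ANY, ANY)]

# crypto map get-purple: seq 5 -> mgmt, seq 10 -> purple
PURPLE_GM_MAP = [("mgmt", NO_ENCRYPTION, NOC_HOSTS),
                 ("purple", NO_ENCRYPTION, EVERYTHING)]


def classify_samples() -> dict:
    """Constructed sample flows and what the purple GM does with each."""
    samples = {
        "ce-pe-bgp": Flow("tcp", "10.0.0.1", "10.0.0.2", 179, 40000),
        "ssh-reply-from-ce": Flow("tcp", "10.0.0.1", "198.51.100.7", 22, 51000),
        "gdoi-registration": Flow("udp", "10.0.0.1", "192.0.2.10", 848, 848),
        "noc-to-site": Flow("tcp", "172.16.0.5", "10.10.1.1", 40001, 22),
        "customer-data": Flow("tcp", "10.10.1.5", "10.20.1.5", 40002, 443),
        "control-to-control": Flow("tcp", "192.0.2.10", "192.0.2.11", 40003, 848),
    }
    return {name: gm_disposition(PURPLE_GM_MAP, flow) for name, flow in samples.items()}


if __name__ == "__main__":
    for name, (action, group) in classify_samples().items():
        print(f"{name:20s} {action:8s} {group or ''}")
```

The ordering matters in two places a reviewer should check: the local deny entries must be on every sequence (the slides repeat no-encryption under each crypto-map entry for that reason), and a KS policy that ends in permit ip any any will encrypt everything the local list does not exempt, so the control-plane exclusions (CE-PE, SSH to the CE, GDOI itself) have to be explicit or the GM loses its own management path.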
86 Data Plane Resiliency Methods
87 Group Member Access Architecture

- Single provider / VPN
- Single provider with bypass
- Dual-homed via alternate aggregation network

Aggregation methods:
- L2TP/PPP (LAC-LNS)
- ISDN
- 3G (HWIC, enterprise HA)
- Nested IPsec (separate hardware today)
- Nested IPsec (combined hardware in future)

[Diagram: data center PEs and VPN GM; backup aggregator reached over IP backup; CE/GM sites, one with a backup CE/GM]
88 Group Member Access Architecture: Dual Provider

- Single CE, inter-provider VPN: shared policy on the CE/GM across both providers (Inter-Provider, Inter-AS).
- Single CE, dual provider: discrete policy per provider on the CE/GM.

[Diagram: PEs from each provider attached to a single CE/GM]
89 Group Member Access Architecture: Dual CE, Dual Provider

- Dual CE, dual provider: discrete policy per CE/GM.
- Dual CE, dual provider, dual-homed: CEF-balanced across PEs, with discrete segments and policy and an aggregation (AGG) layer behind the GMs.

[Diagram: two PEs per provider; CE/GM pair with an aggregation layer]
90 GM Redundancy and Load Balancing

Identity availability:
- Loopback identity is always up/up
- Advertised via multiple paths

Link redundancy:
- Diverse paths for identity and protected prefix
- Stateful crypto policy on both links
- Stateful crypto policy on both CEs

  crypto gdoi group getvpn
   identity number 2222
   server address ipv4
   server address ipv4
  !
  crypto map getvpn local-address loopback0
  crypto map getvpn 10 gdoi
   set group getvpn
   match address no-encryption-acl
  !
  ip access-list extended no-encryption-acl
   deny udp any eq 848 any eq 848
   deny ip host host
  !
  interface Loopback 0
   ip address
  interface Serial0/0
   ip address
   crypto map getvpn
  interface FastEthernet0
   ip address

[Diagram: KS and grp1; PEs connected over /30 links to two CEs; GM loopback /32 identity advertised over both paths]
91 Encryption GM Redundancy and Load Balancing

- CEF load balancing
- Front-end aggregation routers
- Group member bank
- Back-end aggregation switches
- Distributed group security association: common crypto state, N-for-1 redundancy

[Diagram: IGP/CEF front-end aggregation (AGG) facing the GET VPN; bank of GMs; IGP/CEF back-end switch]
92 Network Deployment Caveats
93 Fragmentation

Objective: fragment IP before encryption.
- Decrypt IP fragments (no reassembly required)
- Forward IP fragments to the host for reassembly

Post-encryption fragmentation implications:
- Reassembly of ESP fragments is required
- The GET VPN device is the only entity capable of that reassembly

Fragmentation avoidance methods:
- IP MTU (Maximum Transmission Unit)
- TCP Maximum Segment Size (MSS)

  interface Serial0/0
   ip address
   ip mtu 1400
   crypto map get-vpn
  interface FastEthernet0
   ip address
   ip tcp adjust-mss 1380

[Diagram: original packet H1 to H2/H3; fragments (m = more-fragments bit set) produced before encryption versus after encryption]
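Carrying the slide's fragmentation arithmetic through, as an added example that is not Cisco code or code from the presentation: the block models the three cases above, encrypt-then-fragment, fragment-then-encrypt with ip mtu 1400, and the TCP MSS check, for a 1500-byte link MTU. The ESP overhead figures are assumptions, since the slide names no cipher suite: header-preserving tunnel mode (20-byte outer IPv4 header), AES-CBC with a 16-byte IV and block, and a 12-byte HMAC-SHA1-96 ICV.

```python
"""
Fragmentation arithmetic for a GET VPN group member (constructed example,
not Cisco code). Shows why fragmenting before encryption at 'ip mtu 1400'
keeps every encrypted packet under a 1500-byte link MTU, while encrypting
first produces ESP fragments that only the receiving GM can reassemble.
Assumed ESP parameters: tunnel mode with header preservation, AES-CBC,
HMAC-SHA1-96; change the constants for another suite.
"""
from typing import List, Optional

OUTER_IP = 20      # GET copies the original IP header to the outside of ESP
ESP_HEADER = 8     # SPI + sequence number
IV = 16            # AES-CBC initialisation vector
ESP_TRAILER = 2    # pad-length + next-header bytes
ICV = 12           # HMAC-SHA1-96
BLOCK = 16         # AES block size: plaintext + trailer is padded to this
IP_HEADER = 20     # IPv4 header without options
TCP_HEADER = 20    # TCP header without options


def esp_packet_size(inner_len: int) -> int:
    """On-wire size of one inner IP packet after ESP encryption."""
    padded = -(-(inner_len + ESP_TRAILER) // BLOCK) * BLOCK   # round up to a block
    return OUTER_IP + ESP_HEADER + IV + padded + ICV


def fragment_ipv4(total_len: int, mtu: int) -> List[int]:
    """Sizes (headers included) of the IPv4 fragments a packet becomes at mtu.
    Each non-final fragment carries a multiple of 8 payload bytes, because the
    fragment-offset field counts 8-byte units."""
    if total_len <= mtu:
        return [total_len]
    payload = total_len - IP_HEADER
    max_chunk = (mtu - IP_HEADER) // 8 * 8
    sizes: List[int] = []
    while payload > 0:
        take = min(max_chunk, payload)
        sizes.append(IP_HEADER + take)
        payload -= take
    return sizes


def on_wire_fragments(inner_len: int, link_mtu: int,
                      ip_mtu: Optional[int] = None) -> List[int]:
    """Fragment sizes seen in the core for one inner packet.
    ip_mtu=None: encrypt first, then fragment the ESP packet (post-encryption).
    ip_mtu set:  fragment the clear packet at ip_mtu, then encrypt each piece
                 (the slide's objective; the far-end host reassembles as usual)."""
    if ip_mtu is None:
        return fragment_ipv4(esp_packet_size(inner_len), link_mtu)
    out: List[int] = []
    for piece in fragment_ipv4(inner_len, ip_mtu):
        out.extend(fragment_ipv4(esp_packet_size(piece), link_mtu))
    return out


def esp_fragmented(inner_len: int, link_mtu: int,
                   ip_mtu: Optional[int] = None) -> bool:
    """True if an ESP packet itself had to be fragmented (needs GM reassembly)."""
    if ip_mtu is None:
        return esp_packet_size(inner_len) > link_mtu
    return any(esp_packet_size(p) > link_mtu for p in fragment_ipv4(inner_len, ip_mtu))


def tcp_packet_len(mss: int) -> int:
    """IPv4 length of a full-size TCP segment for a given MSS (no options)."""
    return IP_HEADER + TCP_HEADER + mss


def largest_mss_for(ip_mtu: int) -> int:
    """Largest MSS whose full-size segments never need fragmenting at ip_mtu."""
    return ip_mtu - IP_HEADER - TCP_HEADER


if __name__ == "__main__":
    print("1500-byte packet, encrypt then fragment:", on_wire_fragments(1500, 1500))
    print("1500-byte packet, ip mtu 1400 first:   ", on_wire_fragments(1500, 1500, 1400))
    print("MSS 1380 segment:", tcp_packet_len(1380), "bytes -> at ip mtu 1400:",
          fragment_ipv4(tcp_packet_len(1380), 1400))
```

With ip mtu 1400 every encrypted piece is 1464 bytes or less, so the core never carries a fragmented ESP packet and the receiving GM never has to reassemble. The MSS value is worth running through the same arithmetic: a 1380-byte MSS plus 40 bytes of IP and TCP headers is a 1420-byte packet, which at ip mtu 1400 is still fragmented before encryption (into 1396 and 44 bytes), whereas largest_mss_for(1400) returns 1360, the value at which full-size segments need no fragmentation at all.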
94 NAT Traversal

Intervening NAT (NO NAT ALLOWED):
- NAT between GMs prevents the return of GET packets.

Pre- or post-NAT processing (NAT ALLOWED):
- NAT performed before the GET encryption device, or after the GET decryption device, will function.
- GET proxy identities must include the NATed address in the policy.

NAT on the GET VPN device (NAT ALLOWED):
- Encryption occurs after NAT on egress.
- Decryption occurs before NAT on ingress.

[Diagram: H1 to H2/H3 paths marking where NAT is and is not permitted relative to the GMs]
95 Strategic Directions for GET
96 Recent Releases

Feature | T-Train CCO | T-Train Date, XE Train CCO, XE Train Date
GM Removal & Policy Trigger | 15.2(1)T | 7/29/ /30/12
GDOI MIB | 15.2(1)T | 7/29/ /30/12
GET IPv6 Data Plane | 15.2(3)T | 3/30/ /30/12
GET VPN Key Server | Initial Release December | /29/13
GET VPN with TrustSec | 15.3(2)T | 3/29/ /29/13
GET VPN Control Enhancements Phase I | 15.3(2)T | 3/29/ /29/13
  - Long Lifetime Security Association
  - Periodic Reminder and Sync-up Rekeys
  - Pre-Position Rekey
  - TBAR Error Monitoring and Recovery
  - GM Error Recovery
97 Recent Releases

Feature | T-Train CCO | T-Train Date, XE Train CCO, XE Train Date
GET VPN Traceability and Debugging Enhancements | 15.3(2)T | 3/29/ /29/13
GET VPN Suite B Algorithms | 15.3(2)T | 3/29/ /29/13

Legend: Released / Execute Committed / Planning
98 Roadmap

Feature | T-Train CCO | T-Train Date, XE Train CCO, XE Train Date
GET VPN Certificate Revocation List Checking | 15.2(4)M | 7/25/ /31/13
GET VPN Control Enhancements Phase II | 15.2(4)M | 7/25/ /31/13
GDOI / IKE Separation | (1)T | 11/30/ /27/13
VRF Aware GM | 15.0(1)M | 10/30/ /28/14
Announcement Message Optimization (~8,000 GM per group) | 15.4(2)T | 3/30/ /28/14 (2)
GM Routing Awareness | 15.4(2)T | 3/30/ /28/14 (2)

Legend: Released / Execute Committed / Planning
(1) Required for introduction of IKEv2
(2) Tentative dates pending execute commit
99 Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Cisco Daily Challenge points for each session evaluation you complete. Complete your session evaluation online now through either the mobile app or internet kiosk stations.

Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.
More informationAdvanced Concepts of DMVPN (Dynamic Multipoint VPN)
Advanced Concepts of DMVPN (Dynamic Multipoint VPN) Mike Sullenberger Distinguished Engineer Agenda DMVPN Design Overview DMVPN General IWAN Specific NHRP Details NHRP Overview NHRP Registrations/Resolutions/Redirects
More informationHow to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP
How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP If you are using the Amazon Virtual Private Cloud, you can transparently extend your local network to the cloud by connecting both networks
More informationConfiguring MPLS, MPLS VPN, MPLS OAM, and EoMPLS
CHAPTER 43 Configuring MPLS, MPLS VPN, MPLS OAM, and EoMPLS This chapter describes how to configure multiprotocol label switching (MPLS) and Ethernet over MPLS (EoMPLS) on the Cisco ME 3800X and ME 3600X
More informationTable of Contents 1 IKE 1-1
Table of Contents 1 IKE 1-1 IKE Overview 1-1 Security Mechanism of IKE 1-1 Operation of IKE 1-1 Functions of IKE in IPsec 1-2 Relationship Between IKE and IPsec 1-3 Protocols 1-3 Configuring IKE 1-3 Configuration
More informationIPv6 Switching: Provider Edge Router over MPLS
Multiprotocol Label Switching (MPLS) is deployed by many service providers in their IPv4 networks. Service providers want to introduce IPv6 services to their customers, but changes to their existing IPv4
More informationCustomer IPv6 Delivery
Customer IPv6 Delivery The Nextgen Experience Chris Chaundy, Nextgen Networks October 2011 Agenda Nextgen Network s strategy Just get a prefix and turn it on!?!? Scope of the project Hardware considerations
More informationGoogle Cloud VPN Interop Guide
Google Cloud VPN Interop Guide Using Cloud VPN With Cisco ASA Courtesy of Cisco Systems, Inc. Unauthorized use not permitted. Cisco is a registered trademark or trademark of Cisco Systems, Inc. and/or
More informationHIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson
HIP Host Identity Protocol October 2007 Patrik Salmela Ericsson Agenda What is the Host Identity Protocol (HIP) What does HIP try to solve HIP basics Architecture The HIP base exchange HIP basic features
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Security in Network Layer Implementing security in application layer provides flexibility in security
More informationContents. Configuring EVI 1
Contents Configuring EVI 1 Overview 1 Layer 2 connectivity extension issues 1 Network topologies 2 Terminology 3 Working mechanism 4 Placement of Layer 3 gateways 6 ARP flood suppression 7 Selective flood
More information