VPN Ports and LAN-to-LAN Tunnels

Similar documents
Configuration of an IPSec VPN Server on RV130 and RV130W

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

Virtual Tunnel Interface

Configuring the Cisco VPN 5000 Concentrator and Implementing IPSec Main Mode LAN to LAN VPN Connectivity

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Internet Key Exchange

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

Sample excerpt. Virtual Private Networks. Contents

Virtual Tunnel Interface

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

Service Managed Gateway TM. Configuring IPSec VPN

Table of Contents 1 IKE 1-1

Virtual Private Networks

Service Managed Gateway TM. How to Configure and Debug Generic Routing Encapsulation (GRE)

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

BiGuard C01 BiGuard VPN Client Quick Installation Guide (BiGuard series VPN enabled devices) Secure access to Company Network

VNS3 to Windows RRAS Instructions. Windows 2012 R2 RRAS Configuration Guide

IntraPort 2 and IntraPort 2+ VPN Access Server Administrator s Guide

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

VPN Overview. VPN Types

Efficient SpeedStream 5861

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

FAQ about Communication

Hillstone IPSec VPN Solution

Configuring VPNs in the EN-1000

IP Routing & Bridging

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003

IPSec Transform Set Configuration Mode Commands

Configuring IPsec and ISAKMP

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 9.2

Network Security CSN11111

BCRAN. Section 9. Cable and DSL Technologies

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Defining IPsec Networks and Customers

Configuring Security for VPNs with IPsec

Chapter 6 Virtual Private Networking

Configuring LAN-to-LAN IPsec VPNs

Configuring IPSec tunnels on Vocality units

IPSec Site-to-Site VPN (SVTI)

Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

VPNC Scenario for IPsec Interoperability

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

IPSec Transform Set Configuration Mode Commands

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

The EN-4000 in Virtual Private Networks

Numerics I N D E X. 3DES (Triple Data Encryption Standard), 48

IKE and Load Balancing

M0n0wall and IPSEC March 20, 2004 Version 1.1 Francisco Artes

How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT

Case 1: VPN direction from Vigor2130 to Vigor2820

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

Integration Guide. Oracle Bare Metal BOVPN

VPN Auto Provisioning

How to Configure IPSec Tunneling in Windows 2000

PPTP Server: This guide will show how an IT administrator can configure the VPN-PPTP server settings.

Firepower Threat Defense Site-to-site VPNs

Greenbow VPN Client Example

Configuring WAN Backhaul Redundancy

IP Security II. Overview

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Configuring a Hub & Spoke VPN in AOS

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

Virtual Private Network

KB How to Configure IPSec Tunneling in Windows 2000

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Index. Numerics 3DES (triple data encryption standard), 21

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

Securizarea Calculatoarelor și a Rețelelor 29. Monitorizarea și depanarea VPN-urilor IPSec Site-to-Site

Abstract. Avaya Solution & Interoperability Test Lab

Chapter 5 Virtual Private Networking

LAN-to-LAN IPsec VPNs

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

Configuring Remote Access IPSec VPNs

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Configuring VPN from Proventia M Series Appliance to Symantec 5310 Systems

Lab 9: VPNs IPSec Remote Access VPN

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

CSCE 715: Network Systems Security

Virtual Private Cloud. User Guide. Issue 03 Date

NCP Secure Enterprise macos Client Release Notes

Configuring Internet Key Exchange Security Protocol

Quick Note 65. Configure an IPSec VPN tunnel between a TransPort WR router and an Accelerated SR router. Digi Technical Support 7 June 2018

Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

HOW TO CONFIGURE AN IPSEC VPN

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Google Cloud VPN Interop Guide

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

Dynamic Multipoint VPN between CradlePoint and Cisco Router Example

Release Notes. NCP Android Secure Managed Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

Sharing IPsec with Tunnel Protection

Transcription:

CHAPTER 6 A VPN port is a virtual port which handles tunneled traffic. Tunnels are virtual point-to-point connections through a public network such as the Internet. All packets sent through a VPN tunnel are IP-encapsulated packets, including AppleTalk, IPX and even IP packets. This encapsulation is added or removed, depending on the direction, by Tunnel Partner routers. Once a packet reaches the remote Tunnel Partner, the TCP/IP encapsulation is stripped off, leaving the original protocol. The unencapsulated packet is then handled according to the VPN port s protocol configuration settings. Networks connected via a tunnel will communicate as if they are on the same network, even though they are separated by the Internet. Add VPN Port Dialog Box This section configures VPN tunnel parameters and defines a virtual port for LAN-to-LAN tunnel traffic. VPN (Virtual Private Network) ports are added to the edit area of a device by right-clicking on any configuration item for the device, then choosing VPN Port/Add VPN Port from the popup menu. The Add VPN Port dialog box (Figure 6-1) will open in the Main Window and will allow you to select a number for the port. To delete a VPN port, right-click on the port s icon, then choose VPN Port/Delete VPN Port. These functions are also available in the File menu. Figure 6-1 Add VPN Port Dialog Box Tunnel Partner: VPN Configuration Dialog Box Once you have created a VPN port, you may access the Tunnel Partner: VPN Configuration dialog box (Figure 6-2) by clicking on the port s icon and selecting VPN Tunnel Partner. 6-1

IKE Key Management Chapter 6 Remember that you must set up both ends of every tunnel. Therefore, you must repeat this setup with the remote router. Figure 6-2 Tunnel Partner: VPN Configuration Dialog Box Partner Address Enter the IP address of the remote Tunnel Partner with which this VPN port will communicate via the tunnel. This will be an interface on the remote router which has been set to route IP and will also be the remote VPN port s Bind To interface. Bind To Interface Tunnel Partner devices must know each other s IP address in order to correctly address the packets destined for the far end of the tunnel. This device s tunnel end must have an IP address so that the Tunnel Partner can address packets to it. Use the pull-down menu to select an interface on this device which has been set to route IP. Description This box allows the use to enter a description of the Tunnel Partner. The description can be an IP address or an alphanumeric name. If both Ethernet ports are being used on a VPN 5000 concentrator, the Bind To port must be set to Ethernet 1. You must enter the IP address for the interface you selected here into the Tunnel Partner dialog box of the Tunnel Partner routers. IKE Key Management Once you have created a VPN port, you may access the IKE Key Management dialog box (Figure 6-3) by clicking on the port s icon and selecting IKE Key Management. 6-2

Chapter 6 IKE Key Management Figure 6-3 IKE Key Management Dialog Box This dialog box sets the Internet Security Association Key Management Protocol/Internet Key Exchange (ISAKMP/IKE) parameters. These settings control how each tunnel partner will identify and authenticate each other. Key Manage The options for the Key Manage drop-down menu are: If Auto key management is selected, IKE will be used to allow two devices to negotiate between themselves what type of encryption and authentication to use for the tunnel. The Auto setting should only be used when the tunnel partner is another Cisco VPN 5000 series device. If Manual is selected, this Tunnel Partner will not use IKE, and the tunnel s encryption and authentication parameters must be manually set in the Manual Key Management dialog box. If Initiate is selected, this Tunnel Partner will use IKE, but will only initiate tunnel establishment. It will not respond to tunnel establishment attempts from other devices. If Respond is selected, this Tunnel Partner will use IKE, but will only respond to tunnel establishment attempts which have been initiated by other devices. It will not initiate tunnel establishment. Shared Key This is a shared alphanumeric secret between 1-255 characters long. It is used to generate session keys which are used to authenticate and/or encrypt each packet received or sent through the tunnel. Transform This list box specifies the protection types and algorithms which will be used for tunnel sessions. Each option is a protection piece which specifies the authentication and/or encryption parameters to be used. Use the Move Up and Move Down buttons to arrange the priority of the protection options. 6-3

IKE Key Management Chapter 6 Perfect Forward Secrecy Perfect Forward Secrecy (PFS) allows you to add an additional security parameter to tunnel sessions. PFS means that every time encryption and/or authentication key are computed, a new Diffie-Hellman Key Exchange is included. Diffie-Hellman Key Exchange uses a complex algorithm and public and private keys to encrypt and then decrypt tunneled data. Adding PFS to a tunneled session greatly increases the difficulty of finding the session keys used to encrypt a VPN session. It also means that even if the keys are somehow cracked, only a portion of the traffic is recoverable. If No PFS is selected, this security parameter will not be added for this group configuration. If Phase 1 Group is selected, the group used in Phase 1 of the IKE negotiation is used as the group for the PFS Diffie-Hellman Key Exchange. This group is set (as G1, G2, or G5) in the IKE Policy dialog box. For more information on the IKE Policy dialog box, refer to Chapter 7, VPN Client Tunnels. If DH Group 1 is selected, the Diffie-Hellman Group 1 algorithm will be used for the Diffie-Hellman Key Exchange. If DH Group 2 is selected, the Diffie-Hellman Group 2 algorithm will be used for the Diffie-Hellman Key Exchange. Because larger numbers are used by the DH Group 2 algorithm, it is more secure than DH Group 1. If DH Group 5 is selected, the Diffie-Hellman Group 5 algorithm will be used for the Diffie-Hellman Key Exchange. DH Group 5 uses 1536-bit encryption. To add, remove, or edit a Transform, you must access the IKE Configuration dialog box (Figure 6-4) by selecting the Add..., Remove..., or Edit... buttons. Figure 6-4 IKE Configuration Dialog Box Authentication This set of checkboxes specifies the authentication algorithm to be used for the negotiation. MD5 is the Message-Digest 5 hash algorithm. SHA is the Secure Hash Algorithm. Choosing either of the top two checkboxes means that the Encapsulating Security Payload (ESP) header will be used to encrypt and authenticate packets. Choosing either of the bottom two checkboxes specifies that the Authentication Header (AH) will be used to authenticate packets. 6-4

Chapter 6 Manual Key Management Encryption This set of checkboxes specifies the encryption algorithm. DES (Data Encryption Standard) uses a 56-bit key to scramble the data. 3DES uses three different keys and three applications of the DES algorithm to scramble the data. You may choose only one authentication and one encryption method. The default setting of ESP (MD5,DES) is recommended for most setups. Manual Key Management Once you have created a VPN port, you may access the Manual Key Management dialog box (Figure 6-5) by clicking on the port s icon and selecting Manual Key Management. This dialog box sets encryption parameters for non-ike tunnels.. Figure 6-5 Manual Key Management Dialog Box Enable Authentication This checkbox controls whether all tunnel traffic will be authenticated. If checked, then each packet will be digitally signed before sending. The receiving end of the tunnel will check the signature before allowing the traffic onto its local network. Authentication Method If Authentication has been enabled, MD5 will appear here and packet-by-packet authentication will be done using the Authentication Secret. Authentication Secret This secret is used to generate session keys which are used to authenticate each packet received from or sent through the tunnel. The secret can be from 1 to 255 characters in length. 6-5

Interoperability Settings Dialog Box Chapter 6 Enable Encryption This checkbox controls whether all tunnel traffic will be encrypted. If checked, each packet will be digitally scrambled before sending. The receiving end of the tunnel will unscramble the data using a shared key before allowing the traffic onto its local network. Encryption Method This pull-down menu allows an encryption method to be specified. If None is selected, the tunnel session will be sent in the clear in both directions. If Fixed is selected, Personal Level Encryption will be used to scramble the data using a fixed key. If PLE is selected, Personal Level Encryption will be used to scramble the data using a key generated from the encryption secret. If DES56 is selected, the DES algorithm will be used. DES provides better security than PLE, but also requires more time to operate. If 3DES is selected, the Triple DES algorithm will be used. In Triple DES, the data is processed three times, each time with a different 56-bit key. Some VPN devices may not allow 3DES as an option. Encryption Secret This secret is used to generate session keys which are used to encrypt/decrypt each packet received from or sent through the tunnel. The secret can be from 1 to 255 characters in length. PLE, DES56 and 3DES all require that the same Encryption Secret be configured for each end of the tunnel. Interoperability Settings Dialog Box This dialog box (Figure 6-6) enables the concentrator to interoperate with other vendors devices. If the remote Tunnel Partner is a Cisco VPN 5000 series device, it is not necessary to configure these settings. Interoperability settings are individually set for each tunnel partner. To access this dialog box, select VPN Port #/Interoperability Settings from the Device View. 6-6

Chapter 6 Interoperability Settings Dialog Box Figure 6-6 Interoperability Settings Dialog Box Mode This pull-down menu set the IKE Phase 1 negotiation mode between the devices. Phase 1 controls how the two devices identify and authenticate each other so that tunnel sessions can be established. Main and Aggressive are the two IPsec standard methods for performing the Phase 1 negotiation. This setting must match the Phase 1 negotiation mode of the remote peer. Other vendors may support only the Main mode. Local and Peer Settings As part of their interoperability function, the following settings specify access from one area behind a VPN device to another area behind a VPN device. The Local settings specify what local subnets, hosts, ports and/or protocols will be reachable via the tunnel. The Peer settings specify which remote subnets, hosts, ports and/or protocols will be reachable via the tunnel. The remote tunnel partner (i.e., peer) must have a matching policy in order for traffic to be successfully tunneled. Local / Access This is used to specify a local host or subnet which will be reachable by the tunnel. It is entered as an IP address followed by a slash followed by the number of significant bits in the entered IP address (i.e., 192.168.41.9/32). To allow access to only a single host, specify 32 in the bits portion. Local / Protocol The pull-down menu is used to specify an IP protocol which will accepted by this end of the tunneled. The default of 0 will allow all protocols. Accepted IP Protocol numbers are: 6-7

Interoperability Settings Dialog Box Chapter 6 1 - ICMP (Internet Control Message Protocol) 6 - TCP (Transmission Control Protocol) 17 - UDP (User Diagram Protocol) 47 - GRE (Generic Routing Encapsulation) 50 - ESP (Encapsulating Security Protocol) 51 - AH (Authentication Header) 89 - OSPF (Open Shortest Path First) Local / Port The is used to specify a local port number which will be reachable via the tunnel. The default of 0 will allow all ports. Refer to the IP Filter Name section in the Text Based Configuration and Command Line Management Reference Guide for more information on commonly used ports and their numbers. Peer / Access This is used to specify a host or subnet behind the remote tunnel partner which will be reachable via the tunnel. It is entered as an IP address followed by a slash followed by the number of significant bits in the entered IP address (i.e., 192.168.41.9/32). To tunnel to only a single host, specify 32 in the bits portion. Peer / Protocol This pull-down menu is used to specify an IP protocol which will be tunneled. If a protocol number is specified, then only traffic of that protocol type will be tunneled. The default of 0 will allow all protocols. Accepted IP Protocol numbers are: 1 - ICMP (Internet Control Message Protocol) 6 - TCP (Transmission Control Protocol) 17 - UDP (User Diagram Protocol) 47 - GRE (Generic Routing Encapsulation) 50 - ESP (Encapsulating Security Protocol) 51 - AH (Authentication Header) 89 - OSPF (Open Shortest Path First) Peer / Port This is used to specify a port number. If a Peer Port number is specified, then only traffic destined for that particular port will be tunneled. The default of 0 will allow all ports. Refer to the IP Filter Name section in the Text Based Configuration and Command Line Management Reference Guide for more information on commonly used ports and their numbers. 6-8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback