Network Security CSN11111

Similar documents
Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

Securizarea Calculatoarelor și a Rețelelor 29. Monitorizarea și depanarea VPN-urilor IPSec Site-to-Site

Securizarea Calculatoarelor și a Rețelelor 28. Implementarea VPN-urilor IPSec Site-to-Site

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

PIX/ASA 7.x and Later : Easy VPN with Split Tunneling ASA 5500 as the Server and Cisco 871 as the Easy VPN Remote Configuration Example

Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Lab 4.5.5a Configure a PIX Security Appliance Site-to-Site IPSec VPN Tunnel Using CLI

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

HOME-SYD-RTR02 GETVPN Configuration

Table of Contents. Cisco Enhanced Spoke to Client VPN Configuration Example for PIX Security Appliance Version 7.0

Configuration Example of ASA VPN with Overlapping Scenarios Contents

Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

VPN Between Sonicwall Products and Cisco Security Appliance Configuration Example

Easy VPN Configuration Guide, Cisco IOS Release 15S

IPv6 over IPv4 GRE Tunnel Protection

Configuring Internet Key Exchange Security Protocol

Table of Contents. Cisco PIX/ASA 7.x Enhanced Spoke to Spoke VPN Configuration Example

Configuring LAN-to-LAN IPsec VPNs

RFC 430x IPsec Support

Quick Note 060. Configure a TransPort router as an EZVPN Client (XAUTH and MODECFG) to a Cisco Router running IOS 15.x

Table of Contents 1 IKE 1-1

Configuring IPsec and ISAKMP

Chapter 8: Lab A: Configuring a Site-to-Site VPN Using Cisco IOS

Sample excerpt. Virtual Private Networks. Contents

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

BCRAN. Section 9. Cable and DSL Technologies

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

Configuring Layer 2 Tunneling Protocol (L2TP) over IPSec

VPN Ports and LAN-to-LAN Tunnels

ASA/PIX: Remote VPN Server with Inbound NAT for VPN Client Traffic with CLI and ASDM Configuration Example

LAN-to-LAN IPsec VPNs

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0

Numerics I N D E X. 3DES (Triple Data Encryption Standard), 48

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Configuring IOS to IOS IPSec Using AES Encryption

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Sharing IPsec with Tunnel Protection

Configuring Security for VPNs with IPsec

Dynamic Site to Site IKEv2 VPN Tunnel Between Two ASAs Configuration Example

Lab 9: VPNs IPSec Remote Access VPN

Swift Migration of IKEv1 to IKEv2 L2L Tunnel Configuration on ASA 8.4 Code

Securing Networks with Cisco Routers and Switches

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 6.8. AudioCodes Family of Multi-Service Business Routers (MSBR)

Abstract. Avaya Solution & Interoperability Test Lab

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

Virtual Tunnel Interface

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Configure IKEv1 IPsec Site-to-Site Tunnels with the ASDM or CLI on the ASA

Security for VPNs with IPsec Configuration Guide Cisco IOS Release 12.4T

VPNs and VPN Technologies

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

Internet Key Exchange

Virtual Private Network

SYSLOG Enhancements for Cisco IOS EasyVPN Server

Index. Numerics 3DES (triple data encryption standard), 21

ASA-to-ASA Dynamic-to-Static IKEv1/IPsec Configuration Example

VPN Overview. VPN Types

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

Virtual Private Networks

Configuration Summary

Configuring Remote Access IPSec VPNs

Configuring Internet Key Exchange (IKE) Features Using the IPSec VPN SPA

Site-to-Site VPN. VPN Basics

IKEv2 with Windows 7 IKEv2 Agile VPN Client and Certificate Authentication on FlexVPN

AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

IKE and Load Balancing

IOS Router : Easy VPN (EzVPN) in Network Extension Mode (NEM) with Split tunnelling Configuration Example

Hillstone IPSec VPN Solution

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows

L2TP IPsec Support for NAT and PAT Windows Clients

Cisco - VPN Load Balancing on the CSM in Dispatched Mode Configuration Example

How to Configure the Cisco VPN Client to PIX with AES

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 7.2. AudioCodes Family of Multi-Service Business Routers (MSBR)

Configuring Easy VPN Services on the ASA 5505

1.1 Configuring HQ Router as Remote Access Group VPN Server

FlexVPN Between a Router and an ASA with Next Generation Encryption Configuration Example

IPSec Site-to-Site VPN (SVTI)

Internet Key Exchange Security Protocol Commands

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

Virtual Private Network. Network User Guide. Issue 05 Date

Configuring IPsec on Cisco Routers Mario Baldi Politecnico di Torino (Technical University of Torino)

Cisco ASA 5500 LAB Guide

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Configuring a Hub & Spoke VPN in AOS

IPsec Anti-Replay Window Expanding and Disabling

Cisco CSR1000V Overview. Cisco CSR 1000V Use Cases in Amazon AWS

Use Shrew Soft VPN Client to Connect with IPSec VPN Server on RV130 and RV130W

SEC _05_2001_c , Cisco Systems, Inc. All rights reserved.

Configuring Internet Key Exchange Version 2 and FlexVPN Site-to-Site

Virtual Tunnel Interface

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway

ASA/PIX 8.x: Radius Authorization (ACS 4.x) for VPN Access using Downloadable ACL with CLI and ASDM Configuration Example

VPN Connection through Zone based Firewall Router Configuration Example

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15M&T

Lab Configure a Router with the IOS Intrusion Prevention System

Configuring the VSA. Overview. Configuration Tasks CHAPTER

Transcription:

Network Security CSN11111 VPN part 2 12/11/2010 r.ludwiniak@napier.ac.uk

Five Steps of IPSec

Step 1 - Interesting Traffic Host A Router A Router B Host B 10.0.1.3 10.0.2.3 Apply IPSec Discard Bypass IPSec

Step 2 - IKE Phase 1 Host A Router A Router B Host B IKE Phase 1: 10.0.1.3 10.0.2.3 main mode exchange Negotiate the policy Diffie-Hellman exchange Verify the peer identity Negotiate the policy Diffie-Hellman exchange Verify the peer identity

IKE Transform Sets Host A Router A Router B Host B Negotiate IKE Proposals 10.0.1.3 10.0.2.3 Transform 10 DES MD5 pre-share DH1 lifetime Transform 20 3DES SHA pre-share DH1 lifetime IKE Policy Sets Transform 15 DES MD5 pre-share DH1 lifetime Negotiates matching IKE transform sets to protect IKE exchange

Diffie-Hellman Key Exchange Terry public key B + private key A shared secret key (BA) Key = Key Alex public key A + private key B shared secret key (AB) Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars Encrypt Decrypt Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars 4ehIDx67NMop9eR U78IOPotVBn45TR Internet 4ehIDx67NMop9eR U78IOPotVBn45TR

Authenticate Peer Identity Remote office Corporate office Internet HR servers Peer authentication Peer authentication methods Pre-shared keys RSA signatures RSA encrypted nonces

Step 3 - IKE Phase 2 Host A Router A Router B Host B 10.0.1.3 10.0.2.3 Negotiate IPSec security parameters

IPSec Transform Sets Host A Router A Router B Host B Negotiate transform sets 10.0.1.3 10.0.2.3 Transform set 30 ESP 3DES SHA Tunnel Lifetime IPSec Transform Sets Transform set 55 ESP 3DES SHA Tunnel Lifetime Transform set 40 ESP DES MD5 Tunnel Lifetime A transform set is a combination of algorithms and protocols that enact a security policy for traffic.

Security Association

Security Association Lifetime Data-based Time-based

Step 4 - IPSec Session Host A Router A Router B Host B IPSec session SAs are exchanged between peers. The negotiated security services are applied to the traffic.

Step 5 - Tunnel Termination Host A Router A Router B Host B IPSec tunnel A tunnel is terminated By an SA lifetime timeout If the packet counter is exceeded Removes IPSec SA

Site-to-Site VPN using Pre-shared Keys

Tasks to Configure IPSec Encryption Task 1 - Prepare for IKE and IPSec. Task 2 - Configure IKE. Task 3 - Configure IPSec. Task 4 - Test and Verify IPSec.

Task 1 - Prepare for IKE and IPSec Step 1 Determine IKE (IKE phase one) policy. Step 2 Determine IPSec (IKE phase two) policy. Step 3 Check the current configuration. show running-configuration show crypto isakmp policy show crypto map Step 4 Ensure the network works without encryption. ping Step 5 Ensure access lists are compatible with IPSec. show access-lists

Step 1 - Determine IKE (IKE Phase One) Policy Determine the following policy details: Key distribution method Authentication method IPSec peer IP addresses and hostnames IKE phase 1 policies for all peers Encryption algorithm Hash algorithm IKE SA lifetime Goal: Minimize misconfiguration.

Step 2 - Determine IPSec (IKE Phase Two) Policy Determine the following policy details: IPSec algorithms and parameters for optimal security and performance Transforms and, if necessary, transform sets IPSec peer details IP address and applications of hosts to be protected Manual or IKE-initiated SAs Goal: Minimize misconfiguration.

Step 3 - Check Current Configuration Site 1 Site 2 router# show running-config View router configuration for existing IPSec policies. router# RouterA 10.0.1.3 10.0.2.3 172.30.1.2 172.30.2.2 show crypto isakmp policy A Internet RouterB View default and any configured IKE phase one policies. RouterA# show crypto isakmp policy Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys) hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman Group: #1 (768 bit) lifetime: 86400 seconds, no volume limit B

Step 4 - Ensure the Network Works Cisco RouterB 172.30.2.2 Remote user with Cisco Unified VPN client Cisco PIX Firewall Cisco router Other vendor s IPSec peers Cisco RouterA 172.30.1.2 CA server RouterA# ping 172.30.2.2

Step 5 - Ensure Access Lists are Compatible with IPSec IKE AH ESP Site 1 Site 2 RouterA A Internet RouterB 10.0.1.3 10.0.2.3 E0/1 172.30.1.2 E0/1 172.30.2.2 B RouterA# show access-lists access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2 access-list 102 permit esp host 172.30.2.2 host 172.30.1.2 access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp Ensure protocols 50 and 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec.

Task 2 - Configure IKE Step 1 Enable or disable IKE. crypto isakmp enable Step 2 Create IKE policies. crypto isakmp policy Step 3 Configure pre-shared keys. crypto isakmp key Step 4 Verify the IKE configuration. show crypto isakmp policy

Step 1 - Enable or Disable IKE Site 1 Site 2 10.0.1.3 10.0.2.3 172.30.1.2 172.30.2.2 router(config)# RouterA [no] crypto isakmp enable A Internet RouterB B RouterA(config)# no crypto isakmp enable RouterA(config)# crypto isakmp enable Globally enables or disables IKE at your router. IKE is enabled by default. IKE is enabled globally for all interfaces at the router. Use the no form of the command to disable IKE. An ACL can be used to block IKE on a particular interface.

Step 2 - Create IKE Policies RouterA A Internet RouterB 10.0.1.3 10.0.2.3 172.30.1.2 172.30.2.2 B router(config)# crypto isakmp policy priority Defines an IKE policy, which is a set of parameters used during IKE negotiation. Invokes the config-isakmp command mode. RouterA(config)# crypto isakmp policy 110

router(config)# Create IKE Policies with the crypto isakmp Command Site 1 Site 2 RouterA A 10.0.1.3 10.0.2.3 172.30.2.2 Policy 110 DES MD5 Pre-Share 86400 Internet Tunnel crypto isakmp policy priority RouterB RouterA(config)# crypto isakmp policy 110 RouterA(config-isakmp)# authentication pre-share RouterA(config-isakmp)# encryption des RouterA(config-isakmp)# group 1 RouterA(config-isakmp)# hash md5 RouterA(config-isakmp)# lifetime 86400 B

Step 3 - Configure Pre-Shared Keys Site 1 Site 2 router(config)# crypto isakmp key keystring address peer-address router(config)# RouterA A Internet RouterB 10.0.1.3 10.0.2.3 Pre-shared key Cisco1234 172.30.2.2 crypto isakmp key keystring hostname hostname B RouterA(config)# crypto isakmp key cisco1234 address 172.30.2.2 Assigns a keystring and the peer address. The peer s IP address or host name can be used.

Step 4 - Verify the IKE Configuration Site 1 Site 2 RouterA A Internet RouterB 10.0.1.3 10.0.2.3 B RouterA# show crypto isakmp policy Protection suite of priority 110 encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Message Digest 5 authentication method: Pre-Shared Key Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit Displays configured and default IKE policies.

Task 3 - Configure IPSec Step 1 Configure transform set suites. crypto ipsec transform-set Step 2 Configure global IPSec SA lifetimes. crypto ipsec security-association lifetime Step 3 Create crypto access lists. access-list Step 4 Create crypto maps. crypto map Step 5 Apply crypto maps to interfaces. interface serial0 crypto map

Step 1- Configure Transform Set Suites Site 1 Site 2 router(config)# RouterA A 10.0.1.3 10.0.2.3 Mine esp-des Tunnel Internet RouterB crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]] router(cfg-crypto-trans)# B RouterA(config)# crypto ipsec transform-set mine des A transform set is a combination of IPSec transforms that enact a security policy for traffic. Sets are limited to up to one AH and up to two ESP transforms.

Step 2 - Configure Global IPSec Security Association Lifetimes Site 1 Site 2 router(config)# RouterA A Internet RouterB 10.0.1.3 10.0.2.3 crypto ipsec security-association lifetime {seconds seconds kilobytes kilobytes} RouterA(config)# crypto ipsec security-association lifetime 86400 Configures global IPSec SA lifetime values used when negotiating IPSec security associations. IPSec SA lifetimes are negotiated during IKE phase two. Can optionally configure interface specific IPSec SA lifetimes in crypto maps. IPSec SA lifetimes in crypto maps override global IPSec SA lifetimes. B

Step 3 - Create Crypto ACLs Site 1 Site 2 router(config)# RouterA access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny permit} protocol source source-wildcard destination destination-wildcard [precedence precedence][tos tos] [log] RouterA(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 Define which IP traffic will be protected by crypto. Permit = encrypt / Deny = do not encrypt. A Internet 10.0.1.3 10.0.2.3 Encrypt RouterB 10.0.1.0 10.0.2.0 B

Purpose of Crypto Access Lists RouterA A Internet Outbound traffic Encrypt Bypass (clear text) Permit Bypass Inbound traffic Discard (clear text) Outbound Indicate the data flow to be protected by IPSec. Inbound filter out and discard traffic that should have been protected by IPSec.

Configure Symmetrical Peer Crypto Access Lists Site 1 Site 2 RouterA 10.0.1.3 10.0.2.3 E0/1 172.30.1.2 E0/1 172.30.2.2 RouterA(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 A Internet You must configure mirror image ACLs. RouterB B RouterB(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

Step 4 - Create Crypto Maps Site 1 Site 2 RouterA A Internet RouterB 10.0.1.3 10.0.2.3 B router(config)# crypto map map-name seq-num ipsec-manual crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name] RouterA(config)# crypto map mymap 110 ipsec-isakmp Use a different sequence number for each peer. Multiple peers can be specified in a single crypto map for redundancy. One crypto map per interface

Purpose of Crypto Maps Crypto maps pull together the various parts configured for IPSec, including Which traffic should be protected by IPSec. The granularity of the traffic to be protected by a set of SAs. Where IPSec-protected traffic should be sent. The local address to be used for the IPSec traffic. What IPSec type should be applied to this traffic. Whether SAs are established (manually or via IKE). Other parameters needed to define an IPSec SA.

Crypto Map Parameters Site 1 Site 2 RouterA A Internet RouterB 10.0.1.3 10.0.2.3 B Crypto maps define the following: The access list to be used. Remote VPN peers. Transform-set to be used. Key management method. Security-association lifetimes. Crypto map Router interface Encrypted traffic

Step 5 - Apply Crypto Maps to Interfaces Site 1 Site 2 RouterA Internet RouterB A 10.0.1.3 10.0.2.3 E0/1 172.30.1.2 E0/1 172.30.2.2 mymap router(config-if)# crypto map map-name RouterA(config)# interface ethernet0/1 RouterA(config-if)# crypto map mymap Apply the crypto map to outgoing interface Activates the IPSec policy B

IPSec Configuration Examples Site 1 Site 2 RouterA A Internet RouterB 10.0.1.3 10.0.2.3 E0/1 172.30.1.2 E0/1 172.30.2.2 B RouterA# show running config crypto ipsec transform-set mine esp-des! crypto map mymap 10 ipsec-isakmp set peer 172.30.2.2 set transform-set mine match address 110! interface Ethernet 0/1 ip address 172.30.1.2 255.255.255.0 no ip directed-broadcast crypto map mymap! access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 RouterB# show running config crypto ipsec transform-set mine esp-des! crypto map mymap 10 ipsec-isakmp set peer 172.30.1.2 set transform-set mine match address 101! interface Ethernet 0/1 ip address 172.30.2.2 255.255.255.0 no ip directed-broadcast crypto map mymap! access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

Task 4 - Test and Verify IPSec Display your configured IKE policies. show crypto isakmp policy Display your configured transform sets. show crypto ipsec transform set Display the current state of your IPSec SAs. show crypto ipsec sa Display your configured crypto maps. show crypto map Enable debug output for IPSec events. debug crypto ipsec Enable debug output for ISAKMP events. debug crypto isakmp

The show crypto isakmp policy Command Site 1 Site 2 router# RouterA show crypto isakmp policy A Internet RouterB 10.0.1.3 10.0.2.3 RouterA# show crypto isakmp policy Protection suite of priority 110 encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Message Digest 5 authentication method: Rivest-Shamir-Adleman Encryption Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit B

The show crypto ipsec transform-set Command Site 1 Site 2 RouterA A Internet RouterB 10.0.1.3 10.0.2.3 E0/1 172.30.1.2 E0/1 172.30.2.2 B router# show crypto ipsec transform-set RouterA# show crypto ipsec transform-set Transform set mine: { esp-des } will negotiate = { Tunnel, }, View the currently defined transform sets.

The show crypto ipsec sa Command Site 1 Site 2 router# RouterA 10.0.1.3 10.0.2.3 E0/1 172.30.1.2 E0/1 172.30.2.2 show crypto ipsec sa A Internet RouterB RouterA# show crypto ipsec sa interface: Ethernet0/1 Crypto map tag: mymap, local addr. 172.30.1.2 local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0) current_peer: 172.30.2.2 PERMIT, flags={origin_is_acl,} #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0 #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2 path mtu 1500, media mtu 1500 current outbound spi: 8AE1C9C B

The show crypto map Command Site 1 Site 2 10.0.1.3 10.0.2.3 E0/1 172.30.1.2 E0/1 172.30.2.2 router# show crypto map RouterA A Internet View the currently configured crypto maps. RouterB B RouterA# show crypto map Crypto Map "mymap" 10 ipsec-isakmp Peer = 172.30.2.2 Extended IP access list 102 access-list 102 permit ip host 172.30.1.2 host 172.30.2.2 Current peer: 172.30.2.2 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ mine, }

debug crypto Commands router# debug crypto ipsec Displays debug messages about all IPSec actions. router# debug crypto isakmp Displays debug messages about all ISAKMP actions.

Crypto System Error Messages for ISAKMP %CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated! ISAKMP SA with the remote peer was not authenticated. %CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed ISAKMP peers failed protection suite negotiation for ISAKMP.

Cisco Easy VPN The Cisco Easy VPN Remote feature and the Cisco Easy VPN Server feature offer flexibility, scalability, and ease of use for site-to-site and remote-accessvpns It eliminates tedious work by implementing the Cisco Unity Client protocol to allow administrators to define most VPN parameters at a Cisco IOS Easy VPN Server The Cisco Easy VPN Remote feature allows Cisco routers running Cisco IOS Release 12.2(4)YA (or later releases), Cisco PIX firewalls, and Cisco hardware clients to act as remotevpn clients A Cisco IOS Easy VPN Server can be a dedicated VPN device, such as a Cisco VPN 3000 Concentrator, a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client protocol

Cisco Easy VPN Cisco Easy VPN simplifies deployment. When the Easy VPN Remote initiates the VPN tunnel connection, the Cisco Easy VPN Server pushes the IPSec policies to the Cisco Easy VPN Remote client and creates the corresponding VPN tunnel connection Cisco EasyVPN Remote provides for automatic management of: The negotiation of tunnel parameters, such as addresses, algorithms, and lifetime Establishment of tunnels according to the parameters that are set Network Address Translation (NAT) or Port Address Translation (PAT) and associated access control lists (ACLs) creation as needed Authentication of users (that is, ensuring that users are who they say they are) by usernames, group names, and passwords Security keys for encryption and decryption Authenticating, encrypting, and decrypting data through the tunnel

Easy VPN Components Cisco EasyVPN Server Enables Cisco IOS routers, Cisco PIX Firewalls, Cisco VPN Concentrators and Cisco ASA to act as VPN head-end devices in siteto-site or remote-access VPNs, in which the remote office devices are using the Cisco EasyVPN Remote feature Cisco EasyVPN Remote Enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Hardware Clients or Software Clients to act as remotevpn clients

Easy VPN Components Cisco Easy VPN Server enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3000 Series Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs where the remote office devices use the Cisco Easy VPN Remote feature Using this feature, the Cisco Easy VPN Server pushes security policies that are defined at the head-end to the remote VPN device, ensuring that those connections have up-to-date policies in place before the connection is established In addition, a Cisco Easy VPN Server-enabled device can terminate IPSec tunnels that are initiated by mobile remote workers runningvpn Client software on PCs. This flexibility makes it possible for mobile and remote workers, such as sales staff on the road or telecommuters, to access their headquarters intranet where critical data and applications exist.

Easy VPN Components Cisco Easy VPN Remote enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3002 Hardware Clients or Software Clients to act as remotevpn clients These devices can receive security policies from a Cisco Easy VPN Server, minimizingvpn configuration requirements at the remote location This cost-effective solution is ideal for remote offices with little IT support or for large customer premises equipment (CPE) deployments where it is impractical to individually configure multiple remote devices This feature makes VPN configuration with Cisco Easy VPN Remote as easy as entering a password, which increases productivity and lowers costs by minimizing the need for local IT support

Deployment Models Small or Medium Business Deployment A small or medium business (SMB) using a Cisco Easy VPN Server-enabled Cisco router at the main site can securely connect small branch offices, teleworkers, and mobile workers The head-end router must have security policies configured, which determine the VPN parameters, such as encryption algorithms and authentication algorithms, to use to communicate with remote devices. Large Enterprise Deployment A large enterprise can connect branch offices, remote offices, and teleworkers to the enterprise network using a Cisco EasyVPN Server-enabled Cisco router. The head-end router must be similarly configured as above

Small or Medium Business Deployment

Large Enterprise Deployment

Limitations DH Group The Cisco Unity Client protocol supports only ISAKMP policies that use DH Group 2 (1024-bit) IKE negotiation. Therefore, the Cisco Easy VPN Server being used with the Cisco Easy VPN Remote feature must be configured for a Group 2 ISAKMP policy The Easy VPN Server cannot be configured for ISAKMP Group 1 or Group 5 when the server is being used with a Cisco Easy VPN client Transform Sets Supported To ensure a secure tunnel connection, the Cisco Easy VPN Remote feature does not support transform sets that provide encryption without authentication (esp-des and esp-3des) or transform sets that provide authentication without encryption (esp-null esp-sha-hmac and esp-null espmd5-hmac) Dial Backup for Easy VPN Remotes Line status-based backup is not supported in this feature NAT Interoperability Support NAT interoperability is not supported in client mode with split tunneling

Easy VPN Server and Easy VPN Remote Operation Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 The VPN client initiates the IKE Phase 1 process The VPN client establishes an ISAKMP SA The Easy VPN Server accepts the SA proposal The Easy VPN Server initiates a username and password challenge The mode configuration process is initiated The RRI process is initiated IPSec quick mode completes the connection

Step 1: The VPN Client Initiates the IKE Phase 1 Process Using pre-shared keys? Initiate aggressive mode. Using digital certificates? Initiate main mode.

Step 2: The VPN Client Establishes an ISAKMP SA The VPN client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server. To reduce manual configuration on the VPN client, these ISAKMP proposals include several combinations of the following: Encryption and hash algorithms Authentication methods Diffie-Hellman group sizes

Step 3: The Cisco Easy VPN Server Accepts the SA Proposal The Easy VPN Server searches for a match: The first proposal to match the server list is accepted (highest-priority match). The most secure proposals are always listed at the top of the Easy VPN Server proposal list (highest priority). The ISAKMP SA is successfully established. Device authentication ends and user authentication begins.

Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge If the Easy VPN Server is configured for Xauth, the VPN client waits for a username and password challenge: The user enters a username and password combination. The username and password information is checked against authentication entities using AAA. All Easy VPN Servers should be configured to enforce user authentication.

Step 5: The Mode Configuration Process Is Initiated If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining configuration parameters from the Easy VPN Server: Mode configuration starts. The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client. Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.

Step 6: The RRI Process Is Initiated RRI should be used when the following conditions occur: More than one VPN server is used Per-client static IP addresses are used with some clients (instead of using per- VPN-server IP pools) RRI ensures the creation of static routes. Redistributing static routes into an IGP allows the server site routers to find the appropriate Easy VPN Server to use for return traffic to clients.

Step 7: IPSec Quick Mode Completes the Connection After the configuration parameters have been successfully received by the VPN client, IPSec quick mode is initiated to negotiate IPSec SA establishment. After IPSec SA establishment, the VPN connection is complete.

Cisco VPN Client The Cisco VPN Client is simple to deploy and operate It allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers The thin design IPSec-implementation is compatible with all Cisco VPN products

Cisco VPN Client When the Cisco VPN Client is preconfigured for mass deployments, initial logins require little user intervention. Cisco VPN Client supports the innovative Cisco Easy VPN capabilities, delivering a uniquely scalable, costeffective, and easy-to-manage remote access VPN architecture that eliminates the operational costs associated with maintaining a consistent policy and key management method The Cisco Easy VPN feature allows the Cisco VPN Client to receive security policies on a VPN tunnel connection from the central site VPN device (Cisco Easy VPN Server), minimizing configuration requirements at the remote location This simple and highly scalable solution is ideal for large remote access deployments where it is impractical to configure policies individually for multiple remote PCs

Cisco VPN Client Configuration Tasks 1. Install Cisco VPN Client 2. Create a new client connection entry 3. Configure the client authentication properties 4. Configure transparent tunneling 5. Enable and add backup servers 6. Configure a connection to the Internet through dialup networking

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback