Agenda VPN tunnels Configuration of basic core network components Maintenance of Cisco devices Exercises & troubleshooting.

Agenda VPN tunnels Configuration of basic core network components Maintenance of Cisco devices Exercises & troubleshooting

Abbreviations
AP – Access Point
AH – Authentication Header
AZR – Access Zone Router
AGR – Aggregation Router
AG – Access Gateway (e.g. Cisco SSG, Juniper ERX)
CSA – Central Site Area
DHCP – Dynamic Host Configuration Protocol
DMVPN – Dynamic Multipoint IPsec Virtual Private Network
EIGRP – Enhanced Interior Gateway Routing Protocol
ESP – Encapsulating Security Payload
GRE – Generic Routing Encapsulation
HSA – Hotspot Area
IKE – Internet Key Exchange
IPSec – Internet Protocol Security
NHRP – Next Hop Resolution Protocol
OSPF – Open Shortest Path First (Routing Protocol)
PPTP – Point-To-Point Tunneling Protocol
SSG – Service Selection Gateway
VPN – Virtual Private Network

AGR – Aggregation Router
Interfaces
– interface to AGR (there are possibilities to create a connection to more than one AGR); a GRE tunnel with IPSec is configured over this link
– interface to APS – typically Ethernet
– loopback
Routing
– The AGR participates in the dynamic routing protocol.
– The following networks shall be spread out: all networks to AZRs, the network to the AG (SSG), the network to the management network, and networks to other AGRs if such a connection is realized
– The default gateway shall be set to the SSG in the central configuration or to the WIP in the decentral configuration
Multipoint IPsec
– The AGR may work as a hub in a DMVPN (Dynamic Multipoint VPN) configuration

AZR – Access Zone Router
Interfaces
– interface to AGR (there are possibilities to create a connection to more than one AGR); a GRE tunnel with IPSec is configured over this link
– interface to APs – typically Ethernet
– loopback
Routing
– The AZR participates in the dynamic routing protocol.
– The following networks shall be spread out: network(s) to AGR(s), networks to APs
– The default gateway shall be set to the AGR, or to the AGRs in case of multiple connections
Multipoint IPsec
– The AZR may work as a spoke in a DMVPN (Dynamic Multipoint VPN) configuration

DHCP
DHCP (Dynamic Host Configuration Protocol) is an open, industry-standard protocol that reduces the complexity of administering networks based on TCP/IP.
All DHCP messages are carried in User Datagram Protocol (UDP). Datagrams use port 67 at the server and port 68 at the client.
[Figure: DHCP request for an IP address]

DHCP Benefits to TCP/IP Network Administrators
– Simplifies problems associated with manual addressing
– Centralized administration of IP configuration
– Dynamic host configuration
– Seamless IP host configuration
– Flexibility
– Scalability

Configuring DHCP on Cisco router
Enabling the Cisco IOS DHCP Server and Relay Agent Features
Router (config)# service dhcp
Excluding IP Addresses
Router (config)# ip dhcp excluded-address low-address [high-address]
Configuring the DHCP Address Pool Name and Entering DHCP Pool Configuration Mode
Router (config)# ip dhcp pool name
Configuring the DHCP Address Pool Subnet and Mask
Router (dhcp-config)# network network-number [mask | /prefix-length]
Configuring the Domain Name for the Client
Router (dhcp-config)# domain-name domain
Configuring the IP Domain Name System Servers for the Client
Router (dhcp-config)# dns-server address [address2 ... address8]
Configuring the Default Router for the Client
Router (dhcp-config)# default-router address [address2 ... address8]
Configuring the Address Lease Time
Router (dhcp-config)# lease {days [hours] [minutes] | infinite}

Example of DHCP configuration on Cisco router
ip dhcp excluded-address
!
ip dhcp pool ZONE1
 network
 default-router
 domain-name domain.i250
 dns-server
!
interface FastEthernet0/1
 ip address

DHCP troubleshooting
Router# show ip dhcp binding
Router# show ip dhcp server statistics
Router# show ip dhcp conflict [address]
Router# clear ip dhcp binding {address | *}
Router# clear ip dhcp conflict {address | *}
Router# clear ip dhcp server statistics
Router# debug ip dhcp server {events | packets | linkage}
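A complete version of the DHCP server configuration from the slide above, added here as an example; it is not taken from the slides. It shows the AZR serving the AP/client LAN on FastEthernet0/1, with the router's own address and a block for statically addressed APs excluded from the pool so that no conflicts arise. All addresses are constructed (RFC 5737 documentation ranges); the pool name ZONE1 and the domain domain.i250 are reused from the slide.

```cisco
! Added example (not from the original slides). Addresses are constructed.
! DHCP server on the AZR for the AP / client LAN.
service dhcp
!
! Keep the router address (.1) and a block for statically addressed APs
! (.2 - .15) out of the pool, otherwise the server may hand them out.
ip dhcp excluded-address 192.0.2.1 192.0.2.15
!
ip dhcp pool ZONE1
 network 192.0.2.0 255.255.255.0
 default-router 192.0.2.1
 domain-name domain.i250
 dns-server 198.51.100.53 198.51.100.54
 ! 0 days 8 hours: short enough that stale leases are reclaimed quickly
 lease 0 8
!
! The server interface must sit in the pool's subnet
interface FastEthernet0/1
 description AP / client LAN
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
! Verification after a client has booted (see the troubleshooting slide):
! Router# show ip dhcp binding
! Router# show ip dhcp server statistics
! Router# show ip dhcp conflict
```

If a client never appears in show ip dhcp binding while show ip dhcp server statistics counts DISCOVER messages, the usual cause is that the receiving interface is not in the pool's subnet or that the address range is exhausted by exclusions.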

Exercise
1. Configure DHCP server on AZR
2. Check if client gets IP address from DHCP server

Routing
Static Routing
– Advantages: simple to configure and maintain; secure, as only defined routes can be accessed; bandwidth is not used for sending routing updates
– Disadvantages: manual update of routes after network changes; explicit addition of routes for all networks
Dynamic Routing
– EIGRP
– OSPF

Configuring static routing on Cisco devices
ip route
Router A
 ip route
Router B
 ip route
Router C
 ip route
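The slide above has lost its addresses, so here is a worked static-routing configuration for the three-router lab (AZR, AGR, SSG) used in the exercises. It is an added example, not taken from the slides; the topology and all addresses are constructed (private and RFC 5737 documentation ranges).

```cisco
! Added example (not from the original slides). Constructed topology:
!   AZR Fa0/1 192.0.2.1/24  (client LAN)     AZR Fa0/0 172.16.10.1/30
!   AGR Fa0/0 172.16.10.2/30                 AGR Fa0/1 172.16.0.1/30
!   SSG Fa0/0 172.16.0.2/30                  SSG Fa0/1 172.16.1.1/24 (management)
!
! ----- AZR: everything that is not local goes to the AGR -----
ip route 0.0.0.0 0.0.0.0 172.16.10.2
!
! ----- AGR: the client LAN is behind the AZR, everything else behind the SSG -----
ip route 192.0.2.0 255.255.255.0 172.16.10.1
ip route 0.0.0.0 0.0.0.0 172.16.0.2
!
! ----- SSG: a return route for every network behind the AGR. The return
! ----- path is the part most often forgotten; without it the client's pings
! ----- reach the SSG but the replies are dropped.
ip route 192.0.2.0 255.255.255.0 172.16.0.1
ip route 172.16.10.0 255.255.255.252 172.16.0.1
!
! Verification:
! Router# show ip route static
! AZR# ping 172.16.1.1 source 192.0.2.1
```

The SSG deliberately has no default route here: with static routing only the networks that are explicitly listed are reachable, which is the "secure" property the slide attributes to static routing, but it also means every new network behind the AZR needs a new route on both the AGR and the SSG.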

Exercise
1. Configure static routing on AZR, AGR and SSG
2. Check if client can access (ping) AZR, AGR, SSG

Configuring dynamic routing on Cisco devices – EIGRP
Router A
router eigrp 1
 network
 network
 network
 no auto-summary
Router B
router eigrp 1
 network
 network
 no auto-summary
Router C
router eigrp 1
 network
 network
 no auto-summary

Configuring dynamic routing on Cisco devices – OSPF
Router A
router ospf 10
 network area 0
 network area 0
 network area 0
Router B
router ospf 100
 network area 0
 network area 0
Router C
router ospf 1
 network area 0
 network area 0
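The EIGRP and OSPF slides above have also lost their network statements. The following added example (not from the slides) configures the same three-router lab first with EIGRP and then with OSPF, with the wildcard masks written out; addresses and topology are constructed. It also makes explicit a point the OSPF slide only hints at with its process IDs 10, 100 and 1: the OSPF process ID is local to each router, whereas the EIGRP autonomous-system number must be the same on every router.

```cisco
! Added example (not from the original slides). Constructed topology:
!   AZR Fa0/1 192.0.2.1/24  (client LAN)     AZR Fa0/0 172.16.10.1/30
!   AGR Fa0/0 172.16.10.2/30                 AGR Fa0/1 172.16.0.1/30
!   SSG Fa0/0 172.16.0.2/30                  SSG Fa0/1 172.16.1.1/24 (management)
!
! ===== EIGRP: the AS number (1) must match on all routers, otherwise no
! ===== adjacency forms. Wildcard masks limit which interfaces join.
! AZR
router eigrp 1
 network 192.0.2.0 0.0.0.255
 network 172.16.10.0 0.0.0.3
 no auto-summary
! AGR
router eigrp 1
 network 172.16.10.0 0.0.0.3
 network 172.16.0.0 0.0.0.3
 no auto-summary
! SSG
router eigrp 1
 network 172.16.0.0 0.0.0.3
 network 172.16.1.0 0.0.0.255
 no auto-summary
!
! ===== OSPF: the process ID (10, 100, 1 below) is locally significant and may
! ===== differ per router; the area number (0) must match across the link.
! AZR
router ospf 10
 network 192.0.2.0 0.0.0.255 area 0
 network 172.16.10.0 0.0.0.3 area 0
! AGR
router ospf 100
 network 172.16.10.0 0.0.0.3 area 0
 network 172.16.0.0 0.0.0.3 area 0
! SSG
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
! Verification (any router):
! Router# show ip eigrp neighbors
! Router# show ip ospf neighbor
! Router# show ip route
```

Run one protocol or the other for the exercise. If both are left configured at once, EIGRP routes win in the routing table because its administrative distance (90) is lower than OSPF's (110), which makes it hard to tell whether the OSPF configuration actually works.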

Exercise
1. Configure dynamic routing (EIGRP) on AZR, AGR and SSG
2. Check if client can access (ping) AZR, AGR, SSG
3. Configure dynamic routing (OSPF) on AZR, AGR and SSG
4. Check if client can access (ping) AZR, AGR, SSG

VPN
VPN – Virtual Private Network
GRE – Generic Routing Encapsulation
PPTP – Point-to-Point Tunneling Protocol

Types of VPNs
Secure VPNs – secure VPN protocols include the following:
– IPsec
– SSL
– PPTP
– L2TP
– L2TPv3
Trusted VPNs
– MPLS
– L2F

IPSec Functions
– data confidentiality (encryption)
– data integrity (verification)
– origin authentication (authenticating the source of the packet)
– verification that each packet is unique (not duplicated)

Type of Encryption
symmetric
– DES
– 3DES
– HMAC-Message Digest 5 (MD5)
– HMAC-SHA
asymmetric
– Rivest, Shamir, and Adleman (RSA)
Type of Authentication
– Pre-shared keys
– RSA signatures
– RSA encrypted nonces

IPSec Protocols

IPSec Modes

VPN (DMVPN) GRE/IPsec

Standards (Cisco IOS IPSec)
– IPSec (RFCs )
– IPSec Encapsulating Security Payload (ESP) using DES/3DES (RFC 2406)
– IPSec Authentication Header (AH) using MD5 or SHA (RFCs )
– Internet Key Exchange (IKE) (RFCs )

IPsec/GRE Example (basic) – Phase I (IKE Policy)
[Diagram: AZR – Internet – AGR, GRE tunnel /30 between them]
AZR:
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address
AGR:
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address

IPsec/GRE Example (basic) – Phase II (IPsec Policy)
[Diagram: AZR – Internet – AGR, GRE tunnel /30 between them]
AZR:
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
access-list 110 permit gre host host
AGR:
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
access-list 110 permit gre host host

IPsec/GRE Example (basic) – Phase II (IPsec Policy, continued: crypto map)
[Diagram: AZR – Internet – AGR, GRE tunnel /30 between them]
AZR:
crypto map map1 local-address FastEthernet0/1
crypto map map1 10 ipsec-isakmp
 set peer
 match address 110
 set transform-set name1
AGR:
crypto map map1 local-address FastEthernet0/0
crypto map map1 10 ipsec-isakmp
 set peer
 match address 110
 set transform-set name1

IPsec/GRE Example (basic) – Phase III (tunnel)
[Diagram: AZR – Internet – AGR, GRE tunnel /30 between them]
AZR:
interface tunnel 10
 ip address
 tunnel source FastEthernet0/1
 tunnel destination
 ip mtu 1440
 crypto map map1
interface FastEthernet0/1
 ip address
 crypto map map1
router eigrp 1
 network
 no auto-summary
AGR:
interface tunnel 10
 ip address
 tunnel source FastEthernet0/0
 tunnel destination
 ip mtu 1440
 crypto map map1
interface FastEthernet0/0
 ip address
 crypto map map1
router eigrp 1
 network
 no auto-summary
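The three phases above, assembled into one complete configuration for both ends, as an added example that is not part of the original slides. Addresses are constructed (RFC 5737 documentation ranges for the outside interfaces, private ranges inside), the pre-shared key is a placeholder, and the crypto algorithms deviate from the slides on purpose: AES-256, SHA-256 and Diffie-Hellman group 14 replace 3DES, MD5 and the default group, which are legacy choices (these keywords need IOS 15.x or later). The crypto map is applied to the physical interface only, which is sufficient on IOS 12.2(13)T and later; the slides also apply it to the tunnel interface, which is harmless but no longer required.

```cisco
! Added example (not from the original slides). Constructed topology:
!   AZR Fa0/1 203.0.113.10/24 (outside, ISP gateway 203.0.113.1), LAN 192.0.2.0/24
!   AGR Fa0/0 198.51.100.10/24 (outside, ISP gateway 198.51.100.1), core link 172.16.0.0/30
!   Tunnel10 10.10.10.0/30, EIGRP AS 1 runs only over the tunnel
!
! ===================== AZR =====================
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.10
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
! Only the GRE traffic between the two tunnel endpoints is encrypted;
! everything inside the tunnel is covered because it is carried in GRE.
access-list 110 permit gre host 203.0.113.10 host 198.51.100.10
!
crypto map MAP1 local-address FastEthernet0/1
crypto map MAP1 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES
 match address 110
!
interface Tunnel10
 ip address 10.10.10.1 255.255.255.252
 ip mtu 1440
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/1
 tunnel destination 198.51.100.10
!
interface FastEthernet0/1
 ip address 203.0.113.10 255.255.255.0
 crypto map MAP1
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Never advertise the outside network into EIGRP: the tunnel endpoint would
! be learned through the tunnel itself (recursive routing) and flap.
router eigrp 1
 network 10.10.10.0 0.0.0.3
 network 192.0.2.0 0.0.0.255
 no auto-summary
!
! ===================== AGR =====================
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.10
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
access-list 110 permit gre host 198.51.100.10 host 203.0.113.10
!
crypto map MAP1 local-address FastEthernet0/0
crypto map MAP1 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address 110
!
interface Tunnel10
 ip address 10.10.10.2 255.255.255.252
 ip mtu 1440
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.10
!
interface FastEthernet0/0
 ip address 198.51.100.10 255.255.255.0
 crypto map MAP1
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
router eigrp 1
 network 10.10.10.0 0.0.0.3
 network 172.16.0.0 0.0.0.3
 no auto-summary
```

After a ping from the AZR LAN towards the AGR, show crypto isakmp sa should list the peer in state QM_IDLE and show crypto ipsec sa should show non-zero encaps/decaps counters on both ends; an ISAKMP SA that never leaves MM_NO_STATE almost always means the pre-shared keys or policies differ between the two routers.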

Exercise
1. Configure static IPSec/GRE tunnel between AZR and AGR
2. Check if wired client can access (ping) AGR, SSG via VPN tunnel

IPsec/GRE Example (DMVPN) – Phase I (IKE Policy)
[Diagram: AZR (spoke) – Internet – AGR (hub), tunnel network /24]
AZR (spoke):
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address
AGR (hub):
crypto isakmp policy 1
 authentication pre-share
 hash md5
 encryption 3des
crypto isakmp key Cisco123 address

IPsec/GRE Example (DMVPN) – Phase II (IPsec Policy)
[Diagram: AZR (spoke) – Internet – AGR (hub), tunnel network /24]
AZR (spoke):
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile bwsvpnprofile1
 set transform-set name1
AGR (hub):
crypto ipsec transform-set name1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile bwsvpnprofile1
 set transform-set name1

IPsec/GRE Example (DMVPN) – Phase III (tunnel)
[Diagram: AZR (spoke) – Internet – AGR (hub), tunnel network /24]
AZR (spoke):
interface tunnel 0
 ip address
 ip mtu 1400
 ip nhrp authentication Cisco123key
 ip nhrp map
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs
 tunnel source FastEthernet0/1
 tunnel destination
 tunnel key 0
 tunnel protection ipsec profile bwsvpnprofile1
AGR (hub):
interface tunnel 0
 ip address
 ip mtu 1400
 ip nhrp authentication Cisco123key
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 no ip split-horizon eigrp 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile bwsvpnprofile1

IPsec/GRE Example (DMVPN) – Phase III (interfaces)
[Diagram: AZR (spoke) – Internet – AGR (hub), tunnel network /24]
AGR (hub):
interface FastEthernet0/0
 ip address
router eigrp 1
 network
 no auto-summary
AZR (spoke):
interface FastEthernet0/1
 ip address
router eigrp 1
 network
 no auto-summary
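The DMVPN phases above, assembled into one complete hub and spoke configuration, as an added example that is not part of the original slides. Addresses are constructed (RFC 5737 ranges outside, private ranges inside); the pre-shared key and the NHRP authentication string are placeholders, and the NHRP string must be identical on hub and spoke or the spoke never registers. As in the site-to-site example, AES-256/SHA-256/group 14 are used instead of the slides' 3DES/MD5 (IOS 15.x keywords). The hub uses a wildcard pre-shared key so that spokes with changing public addresses can still connect; a second AZR needs only a copy of the spoke part with its own addresses.

```cisco
! Added example (not from the original slides). Constructed topology:
!   AGR (hub)   Fa0/0 198.51.100.10/24 (ISP gateway 198.51.100.1), core link 172.16.0.0/30
!   AZR (spoke) Fa0/1 203.0.113.10/24  (ISP gateway 203.0.113.1),  LAN 192.0.2.0/24
!   Tunnel0 10.10.10.0/24 (hub .1, spokes .2 ...), EIGRP AS 1 over the tunnel
!
! ===================== AGR (hub) =====================
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard peer: spokes may sit behind dynamic public addresses
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set TS-AES
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication REPLACE-NHRP-STRING
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ! Without this the hub will not re-advertise one spoke's routes to another
 no ip split-horizon eigrp 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROF
!
interface FastEthernet0/0
 ip address 198.51.100.10 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
router eigrp 1
 network 10.10.10.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
 no auto-summary
!
! ===================== AZR (spoke) =====================
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.10
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set TS-AES
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication REPLACE-NHRP-STRING
 ! Static mapping of the hub's tunnel address to its public (NBMA) address
 ip nhrp map 10.10.10.1 198.51.100.10
 ! Needed so EIGRP hellos (multicast) reach the hub
 ip nhrp map multicast 198.51.100.10
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 10.10.10.1
 tunnel source FastEthernet0/1
 tunnel destination 198.51.100.10
 tunnel key 0
 tunnel protection ipsec profile DMVPN-PROF
!
interface FastEthernet0/1
 ip address 203.0.113.10 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
router eigrp 1
 network 10.10.10.0 0.0.0.255
 network 192.0.2.0 0.0.0.255
 no auto-summary
```

On the hub, show ip nhrp should list the spoke's tunnel address with its public address once registration succeeds, and show crypto ipsec sa should show a security association per spoke; if the spoke's entry is missing while the ISAKMP SA is up, the NHRP authentication strings, network-id or tunnel key differ between the two ends.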

IPsec/GRE troubleshooting
Router# show ip nhrp
Router# show ip interface
Router# show crypto isakmp sa
Router# show crypto ipsec sa
Router# show crypto ipsec sa detail
Router# show crypto map
Router# show crypto engine connection active
Router# show ip route
Router# debug crypto isakmp
Router# debug crypto ipsec
Router# debug crypto engine

Exercise
1. Configure dynamic IPSec/GRE tunnel (DMVPN) between AZR and AGR
2. Check if wired client can access (ping) AGR, SSG via VPN tunnel

MTU configuration on interface
Router (config)# access-list 101 permit udp any any
Router (config)# route-map clear-df permit 10
Router (config-route-map)# match ip address 101
Router (config-route-map)# set ip df 0
Router (config-route-map)# end
Router (config)# interface FastEthernet0/0
Router (config-if)# ip address
Router (config-if)# ip policy route-map clear-df
Router (config-if)# ip mtu 1400
Router (config-if)# end

Maintenance of Cisco devices
Copying the Configuration to a TFTP Server
Router# copy run tftp
Address or name of remote host []?
Destination filename [router-confg]? run-confg
!!
486 bytes copied in 12.2 secs (40 bytes/sec)
Router#
Restoring the Configuration from TFTP Server
Router# copy tftp run
Address or name of remote host []?
Source filename []? run-confg
Destination filename [running-config]? [Enter]
Accessing tftp:// /run-confg...
Loading run-confg from (via FastEthernet0/1): !!
[OK - 486/4096 bytes]
486 bytes copied in 5.3 secs (99 bytes/sec)
Router#

Exercises & troubleshooting
1. Design and connect your own network
2. Configure DHCP Server on AZR
3. Configure AZR, AGR, routing and VPN tunnel between AZR and AGR
4. Configure Cisco Access Point
5. Test your configuration
This exercise assumes that SSG and was correctly configured before.