© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod3_L7, Slide 1: Implementing Secure Converged Wide Area Networks (ISCW)

Slide 2: Module 3 – Lesson 7: An Introduction to Cisco Easy VPN

Slide 3: Module Introduction
- Virtual private networks (VPNs) use advanced encryption techniques and tunneling to permit organisations to establish secure, end-to-end, private network connections over third-party networks such as the Internet.
- Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security appliances and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to create VPN solutions that meet the security requirements of any organisation.
- This module explains fundamental terms associated with VPNs, including the IP Security (IPsec) protocol and Internet Key Exchange (IKE). It then details how to configure various types of VPN using the methods currently available.

Slide 4: Objectives
At the completion of this seventh lesson, you will be able to:
- Describe the concept of ‘Easy VPN’
- Describe and illustrate the deployment of ‘Easy VPN’ server and client software
- Explain how a VPN can be set up using ‘Easy VPN’
- Configure ‘Easy VPN’ tunnels

Slide 5: Cisco Easy VPN
- The Cisco Easy VPN Remote feature and the Cisco Easy VPN Server feature offer flexibility, scalability, and ease of use for site-to-site and remote-access VPNs.
- They eliminate tedious work by implementing the Cisco Unity Client protocol, which allows administrators to define most VPN parameters once, at a Cisco IOS Easy VPN Server.
- The Cisco Easy VPN Remote feature allows Cisco routers running Cisco IOS Release 12.2(4)YA (or later releases), Cisco PIX firewalls, and Cisco hardware clients to act as remote VPN clients.
- A Cisco IOS Easy VPN Server can be a dedicated VPN device, such as a Cisco VPN 3000 Concentrator, a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client protocol.

Slide 6: Cisco Easy VPN
- Cisco Easy VPN simplifies deployment. When the Easy VPN Remote initiates the VPN tunnel connection, the Cisco Easy VPN Server pushes the IPsec policies to the Cisco Easy VPN Remote client and creates the corresponding VPN tunnel connection.
- Cisco Easy VPN Remote provides for automatic management of:
  - The negotiation of tunnel parameters, such as addresses, algorithms, and lifetime
  - Establishment of tunnels according to the parameters that are set
  - Creation of Network Address Translation (NAT) or Port Address Translation (PAT) entries and the associated access control lists (ACLs), as needed
  - Authentication of users (that is, ensuring that users are who they say they are) by usernames, group names, and passwords
  - Security keys for encryption and decryption
  - Authenticating, encrypting, and decrypting data through the tunnel

Slide 7: Easy VPN Components
Cisco Easy VPN consists of two components:
1. Cisco Easy VPN Server: enables Cisco IOS routers, Cisco PIX Firewalls, Cisco VPN Concentrators and Cisco ASA to act as VPN head-end devices in site-to-site or remote-access VPNs in which the remote office devices use the Cisco Easy VPN Remote feature.
2. Cisco Easy VPN Remote: enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Hardware Clients or Software Clients to act as remote VPN clients.

Slide 8: Easy VPN Components
- Cisco Easy VPN Server enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3000 Series Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs where the remote office devices use the Cisco Easy VPN Remote feature.
- Using this feature, the Cisco Easy VPN Server pushes security policies that are defined at the head-end to the remote VPN device, ensuring that those connections have up-to-date policies in place before the connection is established.
- In addition, a Cisco Easy VPN Server-enabled device can terminate IPsec tunnels that are initiated by mobile remote workers running VPN Client software on PCs. This flexibility makes it possible for mobile and remote workers, such as sales staff on the road or telecommuters, to access their headquarters intranet, where critical data and applications reside.

Slide 9: Easy VPN Components
- Cisco Easy VPN Remote enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3002 Hardware Clients or Software Clients to act as remote VPN clients.
- These devices can receive security policies from a Cisco Easy VPN Server, minimising VPN configuration requirements at the remote location.
- This cost-effective solution is ideal for remote offices with little IT support, or for large customer premises equipment (CPE) deployments where it is impractical to configure multiple remote devices individually.
- This feature makes VPN configuration with Cisco Easy VPN Remote as easy as entering a password, which increases productivity and lowers costs by minimising the need for local IT support.

Slide 10: Deployment Models
- Small or Medium Business Deployment
  - A small or medium business (SMB) using a Cisco Easy VPN Server-enabled Cisco router at the main site can securely connect small branch offices, teleworkers, and mobile workers.
  - The head-end router must have security policies configured that determine the VPN parameters, such as the encryption and authentication algorithms, to use when communicating with remote devices.
- Large Enterprise Deployment
  - A large enterprise can connect branch offices, remote offices, and teleworkers to the enterprise network using a Cisco Easy VPN Server-enabled Cisco router.
  - The head-end router must be configured in the same way as above.

Slide 11: Small or Medium Business Deployment
- When the head-end security policies are defined, Cisco devices running the Cisco Easy VPN Remote feature can be deployed to small branch offices. During VPN initialisation, the head-end router is prompted to push the security policies to the SMB devices, eliminating the need for remote users to perform ongoing configuration updates. Once the VPN is established, voice, video, and data can be safely exchanged over reliable secure connections, and individuals at the small branch offices no longer need to run VPN client software on their PCs.
- Teleworkers using Cisco Easy VPN Remote-enabled Cisco routers or Cisco security appliances can also access the Cisco Easy VPN Server-enabled router at the head-end through secure VPN connections. As above, the head-end security policies are pushed to the remote devices with minimal configuration.
- Mobile workers running VPN client software on PCs can easily establish VPN connections with the Cisco Easy VPN Server-enabled device through their ISP. This connectivity allows business travellers to securely access critical data and applications at almost any time from their ISP's points of presence.

Slide 12: Small or Medium Business Deployment
[Network diagram; labelled elements:]
- Mobile worker with VPN software client on laptop
- Teleworker with DSL or cable modem and Cisco 806 or uBR900 with Easy VPN Remote support (non-technical users can use the CRWS GUI to set up Easy VPNs)
- Remote office with Cisco 800 or Cisco 1700 Series router with Easy VPN Remote support
- Internet
- Company main site: Cisco 1700, Cisco 2600 or Cisco 3600 Series router with support to terminate Cisco VPN clients
- VPN tunnels

Slide 13: Large Enterprise Deployment
- When the head-end security policies have been defined, branch offices can deploy Cisco Easy VPN Remote-enabled devices. During VPN initialisation, the head-end device is prompted to push security policies to the small branch offices, eliminating the need for extensive local configuration. Voice, video, and data can be safely exchanged over reliable secure connections, and individuals at the branch offices no longer need to run VPN client software on their PCs.
- Remote office workers and teleworkers using Cisco Easy VPN Remote-enabled devices can also access the Cisco Easy VPN Server-enabled enterprise head-end through secure VPN connections. As with the SMB scenario, the head-end security policies are pushed to the remote devices with minimal configuration. Additionally, non-technical users in remote sites can easily set up the VPN connections without an on-site technician.
- The net effect of using the Cisco Easy VPN Remote and Server is increased productivity, as remote workers spend less time configuring network devices.

Slide 14: Large Enterprise Deployment
[Network diagram; labelled elements:]
- Mobile worker with VPN software client on laptop
- Teleworker with DSL or cable modem and Cisco 806 or uBR900 with Easy VPN Remote support (non-technical users can use the CRWS GUI to set up Easy VPNs)
- Internet
- Branch office with Cisco 1700 DSL router running Easy VPN Remote
- Cisco IOS router with support for terminating Cisco VPN clients, or Cisco VPN Concentrator
- VPN tunnels

Slide 15: Requirements and Restrictions for Cisco Easy VPN Remote
- Cisco Easy VPN Remote can be enabled on a variety of platforms (see the curriculum for the full list and details).
- The Cisco Easy VPN Remote feature requires that the destination peer on the network is a Cisco IOS Easy VPN Server or a VPN concentrator that supports the Cisco Easy VPN Server feature. Currently (April 2007), the available servers and concentrators include a number of platforms when running the required software releases (see the curriculum for the full list and details).

Slide 16: Requirements and Restrictions for Cisco Easy VPN Remote (continued)

Slide 17: Limitations
- DH Group
  - The Cisco Unity Client protocol supports only ISAKMP policies that use DH Group 2 (1024-bit) IKE negotiation. Therefore, the Cisco Easy VPN Server being used with the Cisco Easy VPN Remote feature must be configured for a Group 2 ISAKMP policy.
  - The Easy VPN Server cannot be configured for ISAKMP Group 1 or Group 5 when the server is being used with a Cisco Easy VPN client.
- Transform Sets Supported
  - To ensure a secure tunnel connection, the Cisco Easy VPN Remote feature does not support transform sets that provide encryption without authentication (esp-des and esp-3des) or transform sets that provide authentication without encryption (esp-null esp-sha-hmac and esp-null esp-md5-hmac).
  - The Cisco Unity Client protocol does not support Authentication Header (AH) authentication, but does support Encapsulating Security Payload (ESP).
- Dial Backup for Easy VPN Remotes
  - Line-status-based backup is not supported in this feature.
- NAT Interoperability Support
  - NAT interoperability is not supported in client mode with split tunneling.
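The DH-group and transform-set limitations above are easy to violate silently in an Easy VPN Server configuration. The following added example (not Cisco's code; the IOS config snippet, policy numbers and transform-set names are constructed) parses the relevant `crypto isakmp policy` and `crypto ipsec transform-set` lines and reports every entry an Easy VPN Remote could not use.

```python
"""Lint a Cisco IOS Easy VPN Server configuration against the Easy VPN Remote
limitations on the slide: ISAKMP policies must use DH group 2, transform sets
must provide both encryption and authentication, and AH is not supported.
Added example, not Cisco's code; the config below is constructed."""
import re

# Constructed sample: one bad and one good ISAKMP policy, four transform sets.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto ipsec transform-set NOAUTH esp-3des
crypto ipsec transform-set NOENC esp-null esp-md5-hmac
crypto ipsec transform-set AHSET ah-sha-hmac esp-3des
"""

ESP_ENCRYPTION = {"esp-des", "esp-3des", "esp-aes"}
ESP_AUTH = {"esp-sha-hmac", "esp-md5-hmac"}

def parse_isakmp_policies(config):
    """Return {priority: {keyword: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value          # e.g. "group" -> "5"
        else:
            current = None                # left the indented policy block

    return policies

def parse_transform_sets(config):
    """Return {name: [transforms]} for each 'crypto ipsec transform-set' line."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets

def check_easy_vpn_server(config):
    """Return a list of findings; an empty list means no Easy VPN conflicts."""
    findings = []
    for prio, attrs in parse_isakmp_policies(config).items():
        # IOS defaults to DH group 1 when 'group' is omitted, which Unity rejects too.
        group = attrs.get("group", "1")
        if group != "2":
            findings.append(f"isakmp policy {prio}: DH group {group} not supported (need group 2)")
    for name, transforms in parse_transform_sets(config).items():
        t = set(transforms)
        if any(x.startswith("ah-") for x in t):
            findings.append(f"transform-set {name}: AH not supported by the Unity client")
            continue
        if t & ESP_ENCRYPTION and not t & ESP_AUTH:
            findings.append(f"transform-set {name}: encryption without authentication")
        elif t & ESP_AUTH and not t & ESP_ENCRYPTION:
            findings.append(f"transform-set {name}: authentication without encryption")
    return findings

if __name__ == "__main__":
    for finding in check_easy_vpn_server(SAMPLE_CONFIG):
        print(finding)
```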

Slide 18: Easy VPN Server and Easy VPN Remote Operation
- Step 1: The VPN client initiates the IKE Phase 1 process
- Step 2: The VPN client establishes an ISAKMP SA
- Step 3: The Easy VPN Server accepts the SA proposal
- Step 4: The Easy VPN Server initiates a username and password challenge
- Step 5: The mode configuration process is initiated
- Step 6: The RRI (reverse route injection) process is initiated
- Step 7: IPsec quick mode completes the connection

Slide 19: Step 1: The VPN Client Initiates the IKE Phase 1 Process
- Using pre-shared keys? Initiate aggressive mode.
- Using digital certificates? Initiate main mode.

Slide 20: Step 2: The VPN Client Establishes an ISAKMP SA
The VPN client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server. To reduce manual configuration on the VPN client, these ISAKMP proposals include several combinations of the following:
- Encryption and hash algorithms
- Authentication methods
- Diffie-Hellman group sizes

Slide 21: Step 3: The Cisco Easy VPN Server Accepts the SA Proposal
The Easy VPN Server searches for a match:
- The first proposal to match the server list is accepted (highest-priority match).
- The most secure proposals are always listed at the top of the Easy VPN Server proposal list (highest priority).
- The ISAKMP SA is successfully established.
- Device authentication ends and user authentication begins.

Slide 22: Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge
If the Easy VPN Server is configured for Xauth, the VPN client waits for a username and password challenge:
- The user enters a username and password combination.
- The username and password information is checked against authentication entities using AAA.
- All Easy VPN Servers should be configured to enforce user authentication.

Slide 23: Step 5: The Mode Configuration Process Is Initiated
If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining configuration parameters from the Easy VPN Server:
- Mode configuration starts.
- The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client.
- Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.

Slide 24: Step 6: The RRI Process Is Initiated
RRI should be used when the following conditions occur:
- More than one VPN server is used
- Per-client static IP addresses are used with some clients (instead of per-VPN-server IP pools)
RRI ensures the creation of static routes. Redistributing these static routes into an IGP allows the server-site routers to find the appropriate Easy VPN Server to use for return traffic to clients.

Slide 25: Step 7: IPsec Quick Mode Completes the Connection
After the configuration parameters have been successfully received by the VPN client, IPsec quick mode is initiated to negotiate IPsec SA establishment. After the IPsec SA is established, the VPN connection is complete.
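Steps 2 and 3 above decide which ISAKMP policy a session ends up with, and the server's list order, not the client's, settles it. The following added example (not Cisco's code; the policy values and client proposals are constructed) simulates that selection and then checks the accepted policy against the DH Group 2 limitation from the Limitations slide. The lifetime rule it applies (the client's proposed lifetime must not exceed the server's) is assumed from Cisco's documented IKE policy-matching behaviour, not from these slides.

```python
"""Simulate the ISAKMP policy selection of steps 2 and 3: the Easy VPN client
offers several proposals and the server accepts the first policy in its own
priority-ordered list that any client proposal matches. Added example, not
Cisco's code; the lifetime rule (client lifetime <= server lifetime) is an
assumption taken from Cisco's documented IKE matching, not from the slide."""

MATCH_KEYS = ("encr", "hash", "authentication", "group")

# Server policy list; the lowest priority number wins, so the strongest policy
# sits on top, as the slide recommends. Values are constructed for this example.
SERVER_POLICIES = [
    {"priority": 10, "encr": "aes 256", "hash": "sha", "authentication": "pre-share",
     "group": 2, "lifetime": 86400},
    {"priority": 20, "encr": "3des", "hash": "sha", "authentication": "pre-share",
     "group": 2, "lifetime": 86400},
    {"priority": 30, "encr": "3des", "hash": "md5", "authentication": "pre-share",
     "group": 1, "lifetime": 86400},
]

# Constructed client proposals. Per the Limitations slide an Easy VPN Remote only
# negotiates group 2; the group 1 and group 5 entries model a generic IKE client.
CLIENT_PROPOSALS = [
    {"encr": "3des", "hash": "md5", "authentication": "pre-share", "group": 1, "lifetime": 86400},
    {"encr": "3des", "hash": "sha", "authentication": "pre-share", "group": 2, "lifetime": 86400},
    {"encr": "aes 256", "hash": "sha", "authentication": "pre-share", "group": 5, "lifetime": 86400},
]

def proposals_match(server_policy, client_proposal):
    """All negotiated attributes equal, and the client's lifetime fits within the server's."""
    return (all(server_policy[k] == client_proposal[k] for k in MATCH_KEYS)
            and client_proposal["lifetime"] <= server_policy["lifetime"])

def select_isakmp_policy(server_policies, client_proposals):
    """Return (server_policy, client_proposal) for the highest-priority match, else None."""
    for policy in sorted(server_policies, key=lambda p: p["priority"]):
        for proposal in client_proposals:
            if proposals_match(policy, proposal):
                return policy, proposal
    return None

def easy_vpn_compatible(policy):
    """The Unity client protocol negotiates only DH group 2 (Limitations slide)."""
    return policy["group"] == 2

if __name__ == "__main__":
    chosen = select_isakmp_policy(SERVER_POLICIES, CLIENT_PROPOSALS)
    print("accepted server policy:", chosen[0]["priority"],
          "usable by Easy VPN Remote:", easy_vpn_compatible(chosen[0]))
```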
