
Creating an IPsec VPN using IOS command syntax

What is IPsec
IPsec (Internet Protocol Security) is a set of protocols defined by the IETF (Internet Engineering Task Force) to protect IP traffic at the network layer. An IPsec-based VPN is made up of two parts:
– the Internet Key Exchange protocol (IKE)
– the IPsec protocols themselves (AH, ESP, or both)

Internet Key Exchange protocol (IKE)
This is the initial negotiation phase, in which the two VPN endpoints agree on the methods that will be used to protect the underlying IP traffic. IKE manages connections by defining a set of Security Associations (SAs) for each connection. SAs are unidirectional, so there are at least two SAs (one inbound, one outbound) per IPsec connection.

IPsec Protocols (ESP/AH)
The other part is the actual IP data being transferred, protected with the encryption and authentication methods agreed upon in the IKE negotiation. This is done with the IPsec protocols ESP, AH, or a combination of both.
– Encapsulating Security Payload (ESP): encrypts the payload and can also authenticate it
– Authentication Header (AH): authenticates the packet, including the immutable fields of the IP header, but does not encrypt

Flow of events
1. IKE negotiates how IKE itself should be protected (phase 1)
2. IKE negotiates how IPsec should be protected (phase 2)
3. IPsec moves the data through the VPN

IKE - Internet Key Exchange
IKE has three main tasks:
1. Provide a means for the endpoints to authenticate each other
2. Establish new IPsec connections (create SA pairs)
3. Manage existing connections
IKE keeps track of connections by assigning a bundle of Security Associations (SAs) to each connection.

IKE Negotiation
IKE Phase-1: negotiate how IKE should be protected.
IKE Phase-2: negotiate how IPsec should be protected, and derive fresh keying material from the phase-1 key exchange (or from a new Diffie-Hellman exchange when PFS is enabled, as with set pfs later in this configuration) to provide the session keys used for encryption and authentication of the VPN data flow.

IKE Phase-1 - IKE Security Negotiation
The first phase is used to authenticate the two VPN gateways or VPN clients to each other, by confirming that the remote gateway holds a matching Pre-Shared Key. Since we do not want to expose more of the negotiation in plaintext than necessary, the peers first agree on a way of protecting the rest of the IKE negotiation (encryption, hash and Diffie-Hellman group) and only then prove knowledge of the pre-shared key under that protection.

1 - Create IKE Policies
IKE must be enabled for IPsec to work. IKE (ISAKMP, the Internet Security Association and Key Management Protocol) is enabled by default on IOS images with cryptographic feature sets. If it has been disabled for some reason, re-enable it with the crypto isakmp enable command.
R1(config)# crypto isakmp enable

Issue the crypto isakmp policy number command in global configuration mode. This enters ISAKMP policy configuration mode, where you can view the available IKE parameters by typing ?. Enter this mode on R1 for policy 10 and view some of the possible settings (the policy number is a priority; a lower number is tried first when policies are offered to the peer).
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# ?
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# hash sha
R1(config-isakmp)# group 5
R1(config-isakmp)# lifetime 3600

R3(config)# crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# hash sha
R3(config-isakmp)# group 5
R3(config-isakmp)# lifetime 3600

The encryption algorithm, hash, authentication method and DH group must match on both peers for a policy to be accepted; if only the lifetimes differ, the shorter one is used. These values follow the original lab; DH group 5 (1536-bit) and SHA-1 are now considered weak, so on a current image prefer group 14 or higher and a SHA-2 hash where the feature set supports them.

R1# show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit

2 - Configure Pre-Shared Keys
We must configure a key on each router for the other VPN endpoint. The keys must match for authentication to succeed and for the IKE peering to complete. The IP address given in the crypto isakmp key command is the address of the remote VPN endpoint, i.e. the peer's interface that carries the crypto map.
R1(config)# crypto isakmp key cisco address
R3(config)# crypto isakmp key cisco address
The key "cisco" is a lab value. A production pre-shared key should be long and random, and because it is kept in the router configuration, access to that configuration must be protected as well.
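The phase-1 description above says the peers first run a protected key exchange and only then prove that the pre-shared key matches. The following Python script is an added illustration of that exchange, not code from the slides or from Cisco IOS: it models IKEv1 main mode with pre-shared-key authentication as specified in RFC 2409 sections 5.4 and 5.5, using the RFC 3526 1536-bit MODP group (IOS "group 5") and HMAC-SHA1 as the prf (IOS "hash sha"). The peer names, cookies, nonces, the SA proposal bytes and the identity payloads are assumed for the demonstration.

```python
"""IKEv1 phase 1 (main mode, pre-shared key): SKEYID derivation and HASH_I/HASH_R proof.
Added illustration after RFC 2409 5.4/5.5, not code from the slides or from Cisco IOS.
Assumed: peer names as ID payloads, random cookies/nonces, a fixed SA proposal string.
"""
import hashlib
import hmac
import os

# RFC 3526 group 5 (1536-bit MODP) modulus and generator, what IOS calls "group 5".
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G = 2
P_LEN = 192  # bytes in a 1536-bit value


def prf(key: bytes, data: bytes) -> bytes:
    """The IKEv1 prf for 'hash sha' is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Gateway:
    """One VPN endpoint: its pre-shared key plus the ephemeral phase-1 state."""

    def __init__(self, name: str, psk: str):
        self.name = name.encode()                 # used as the ID payload (assumed encoding)
        self.psk = psk.encode()
        self.cookie = os.urandom(8)               # ISAKMP header cookie (CKY-I / CKY-R)
        self.nonce = os.urandom(20)               # Ni / Nr, sent in clear in MM3/MM4
        self._x = int.from_bytes(os.urandom(32), "big")   # DH private value (demo size)
        self.gx = pow(G, self._x, P)              # DH public value, sent in clear

    def derive(self, peer_gx: int, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes):
        """SKEYID and the three derived keys, computed from this side's own PSK."""
        gxy = pow(peer_gx, self._x, P).to_bytes(P_LEN, "big")          # shared DH secret
        skeyid = prf(self.psk, ni + nr)                                 # PSK variant of SKEYID
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")           # seeds phase-2 keys
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP integrity key
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP encryption key
        return skeyid, skeyid_d, skeyid_a, skeyid_e


def phase1(init: Gateway, resp: Gateway) -> dict:
    """Walk main mode and report whether the peers authenticate and agree on keys."""
    sa_i = b"aes256/sha/pre-share/group5/3600"   # assumed encoding of the initiator's proposal
    cky_i, cky_r, ni, nr = init.cookie, resp.cookie, init.nonce, resp.nonce
    gxi, gxr = init.gx.to_bytes(P_LEN, "big"), resp.gx.to_bytes(P_LEN, "big")

    # MM1-MM4 are unauthenticated: proposal, cookies, DH values and nonces cross in clear.
    ik = init.derive(resp.gx, ni, nr, cky_i, cky_r)
    rk = resp.derive(init.gx, ni, nr, cky_i, cky_r)

    # MM5: the initiator sends HASH_I; the responder recomputes it with its own PSK.
    hash_i = prf(ik[0], gxi + gxr + cky_i + cky_r + sa_i + init.name)
    r_ok = hmac.compare_digest(hash_i, prf(rk[0], gxi + gxr + cky_i + cky_r + sa_i + init.name))

    # MM6: the responder answers with HASH_R; the initiator checks it the same way.
    hash_r = prf(rk[0], gxr + gxi + cky_r + cky_i + sa_i + resp.name)
    i_ok = hmac.compare_digest(hash_r, prf(ik[0], gxr + gxi + cky_r + cky_i + sa_i + resp.name))

    return {"authenticated": r_ok and i_ok, "keys_match": ik == rk, "skeyid_e": ik[3].hex()}


if __name__ == "__main__":
    print(phase1(Gateway("R1", "cisco"), Gateway("R3", "cisco")))   # matching keys: authenticated
    print(phase1(Gateway("R1", "cisco"), Gateway("R3", "Cisco")))   # one letter off: fails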

3 - Configure the IPsec Transform Set and Lifetimes
R1(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
R3(config)# crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
The transform set must match on both peers. This one combines ESP (AES-256 encryption with SHA-HMAC integrity) with AH (SHA-HMAC over the packet including immutable IP header fields). AH adds a second integrity check and extra per-packet overhead, and because it covers the IP header the tunnel will not pass through NAT; ESP with esp-sha-hmac alone is the usual choice.

4 - Define Interesting Traffic
The access list selects the traffic that will be encrypted (the "interesting" traffic). On each router it lists the local LAN as source and the remote LAN as destination, so R3's entry is the mirror image of R1's.
R1(config)# access-list 101 permit ip
R3(config)# access-list 101 permit ip

5 - Create and Apply Crypto Maps
A crypto map is a mapping that associates traffic matching an access list (like the one created earlier) with a peer and the IKE and IPsec settings to use.
R1(config)# crypto map MYMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R1(config-crypto-map)# match address 101

Use the set commands to bind the peer, the PFS group, the transform set and the SA lifetime to the map entry:
R1(config-crypto-map)# set peer
R1(config-crypto-map)# set pfs group5
R1(config-crypto-map)# set transform-set 50
R1(config-crypto-map)# set security-association lifetime seconds 900
Configure the mirror image on R3: set peer to R1's address, the same PFS group and transform set, and match address 101 (R3's access list names its own LAN as the source). The PFS setting must agree on both sides or phase 2 will fail even though phase 1 completes.

6 - Apply the map to the interface
R1(config)# interface fastethernet0/0
R1(config-if)# crypto map MYMAP
*Jan 17 04:09:09.150: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

7 - Verify IPsec Configuration
– We already used the show crypto isakmp policy command to show the configured ISAKMP policies on the router.
– Similarly, the show crypto ipsec transform-set command displays the configured IPsec policies in the form of the transform sets.

R1# show crypto ipsec transform-set
Transform set 50: { ah-sha-hmac }
   will negotiate = { Tunnel, },
   { esp-256-aes esp-sha-hmac }
   will negotiate = { Tunnel, },

R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer =
        Extended IP access list 101
            access-list 101 permit ip
        Current peer:
        Security association lifetime: kilobytes/900 seconds
        PFS (Y/N): Y
        DH group:  group5
        Transform sets={ 50, }
        Interfaces using crypto map MYMAP:
                FastEthernet0/0
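Steps 1 to 6 only work if the two routers' settings are consistent with each other: same ISAKMP policy parameters, same pre-shared key, key and peer addresses pointing at each other's crypto-map interface, identical transform sets, the same PFS setting, and mirror-image access lists. The following Python script is an added example of cross-checking the two configurations offline before looking at counters; it is not tooling from the slides or from Cisco. The two config snippets are constructed to mirror the steps above, and the addresses (R1 on 10.1.1.1 with LAN 192.168.1.0/24, R3 on 10.2.2.1 with LAN 192.168.3.0/24) are assumed because the transcript drops them.

```python
"""Offline cross-check of two IOS peers' IKE/IPsec settings (steps 1-6 above).
Added example, not tooling from the slides or from Cisco.  The config snippets are
constructed and every address is assumed.  One ISAKMP policy and one crypto-map
entry per side are modelled, which is all the lab above uses.
"""
import re


def router_config(wan: str, peer: str, local_lan: str, remote_lan: str) -> str:
    """Constructed IOS-style snippet for one side; R3 is the mirror image of R1."""
    return f"""crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address {peer}
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer {peer}
 set transform-set 50
 set pfs group5
 set security-association lifetime seconds 900
 match address 101
access-list 101 permit ip {local_lan} {remote_lan}
interface FastEthernet0/0
 ip address {wan} 255.255.255.0
 crypto map MYMAP
"""


# Assumed addressing: 10.x.x.x are the crypto-map (WAN) interfaces, 192.168.x.0 the LANs.
R1_CONFIG = router_config("10.1.1.1", "10.2.2.1", "192.168.1.0 0.0.0.255", "192.168.3.0 0.0.0.255")
R3_CONFIG = router_config("10.2.2.1", "10.1.1.1", "192.168.3.0 0.0.0.255", "192.168.1.0 0.0.0.255")


def parse(cfg: str) -> dict:
    """Extract the IKE/IPsec parameters; indented lines belong to the preceding top-level block."""
    d = {"policy": {}, "tsets": {}, "map": {}, "acl": {}, "ifaces": {}}
    block = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            block = None
            if re.match(r"crypto isakmp policy \d+", line):
                block = ("policy", "")
            elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                d["psk"], d["psk_peer"] = m[1], m[2]
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                d["tsets"][m[1]] = m[2].split()
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
                block, d["map"] = ("map", ""), {"name": m[1]}
            elif m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", line):
                d["acl"][m[1]] = (m[2], m[3])          # (source net+wildcard, dest net+wildcard)
            elif m := re.match(r"interface (\S+)", line):
                block, d["ifaces"][m[1]] = ("iface", m[1]), {}
            continue
        if block is None:
            continue
        kind, name = block
        words = line.split()
        if kind == "policy":                            # "encr aes 256", "group 5", ...
            d["policy"]["encr" if words[0].startswith("encr") else words[0]] = " ".join(words[1:])
        elif kind == "map":                             # "set peer X" -> peer, "match address 101" -> address
            d["map"][words[1]] = " ".join(words[2:])
        elif kind == "iface" and words[:2] == ["ip", "address"]:
            d["ifaces"][name]["ip"] = words[2]
        elif kind == "iface" and words[:2] == ["crypto", "map"]:
            d["ifaces"][name]["map"] = words[2]
    return d


def wan_ip(d: dict):
    """Address of the interface carrying the crypto map, or None if the map is not applied."""
    return next((i.get("ip") for i in d["ifaces"].values() if "map" in i), None)


def cross_check(a: dict, b: dict) -> list:
    """List every way the two peers disagree; an empty list means the configs are consistent."""
    problems = []
    for attr in ("encr", "hash", "authentication", "group"):   # must match; lifetime may differ
        if a["policy"].get(attr) != b["policy"].get(attr):
            problems.append(f"isakmp policy {attr} differs: {a['policy'].get(attr)} vs {b['policy'].get(attr)}")
    if a.get("psk") != b.get("psk"):
        problems.append("pre-shared keys differ")
    ip_a, ip_b = wan_ip(a), wan_ip(b)
    if ip_a is None or ip_b is None:
        problems.append("crypto map is not applied to an interface on both sides")
    if a.get("psk_peer") != ip_b or b.get("psk_peer") != ip_a:
        problems.append("isakmp key address does not match the peer's crypto map interface")
    if a["map"].get("peer") != ip_b or b["map"].get("peer") != ip_a:
        problems.append("crypto map set peer does not match the peer's crypto map interface")
    ts_a = a["tsets"].get(a["map"].get("transform-set"))
    ts_b = b["tsets"].get(b["map"].get("transform-set"))
    if ts_a is None or ts_a != ts_b:
        problems.append(f"transform sets differ or are missing: {ts_a} vs {ts_b}")
    if a["map"].get("pfs") != b["map"].get("pfs"):
        problems.append("PFS setting differs")
    acl_a = a["acl"].get(a["map"].get("address"))
    acl_b = b["acl"].get(b["map"].get("address"))
    if acl_a is None or acl_b is None or acl_a != (acl_b[1], acl_b[0]):
        problems.append(f"crypto ACLs are not mirror images: {acl_a} vs {acl_b}")
    return problems


if __name__ == "__main__":
    for p in cross_check(parse(R1_CONFIG), parse(R3_CONFIG)) or ["configs are consistent"]:
        print(p)
```

Paste each router's relevant show running-config lines into the two strings and run it; a mismatch it reports (a different DH group, a non-mirrored ACL, a peer address pointing at the wrong interface) is exactly the kind of error that shows up later as a phase-1 or phase-2 failure in show crypto ipsec sa.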

8 - Verify that encryption works
First send traffic that matches access-list 101 (for example a ping sourced from an address on the local LAN); traffic that does not match the access list is forwarded unencrypted rather than dropped, so it never shows up in these counters. Then confirm that the encaps and decaps counters increase together. Encaps rising while decaps stays at zero usually points at the return path or at the peer's access list not being the mirror image.
R1# show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr
   protected vrf: (none)
   local  ident (addr/mask/prot/port): ( / /0/0)
   remote ident (addr/mask/prot/port): ( / /0/0)
   current_peer  port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress fail