
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.


Slide 1: Network Security 2, Module 4: Configuring Site-to-Site VPN with Pre-shared Keys

Slide 2: Lesson 4.1 – Prepare a Router for Site-to-Site VPN using Pre-shared Keys (Module 4: Configuring Site-to-Site VPN with Pre-shared Keys)

Slide 3: IPSec encryption with pre-shared keys
- Site-to-site IPSec VPNs can be established between any combination of routers, PIX Security Appliances, VPN concentrators, VPN clients, and other IPSec-compliant devices.
- Using pre-shared keys to authenticate IPSec sessions is relatively easy to configure.
- Pre-shared keys do not scale well to a large number of IPSec clients.

Slide 4: IPSec encryption with pre-shared keys
- Configuring IKE pre-shared keys in Cisco IOS consists of four tasks.
- Task 1 is to prepare for IPSec:
  - Encryption policy
  - Hosts and networks to protect
  - Details about the IPSec peers
  - Needed IPSec features
  - Ensuring existing ACLs are compatible with IPSec

Slide 5: IPSec encryption with pre-shared keys
- Task 2 is to configure IKE:
  - Enabling IKE
  - Creating the IKE policies
  - Validating the configuration
- Task 3 is to configure IPSec:
  - Defining the transform sets
  - Creating crypto ACLs
  - Creating crypto map entries
  - Applying crypto map sets to interfaces
- Task 4 is to test and verify IPSec.

Slide 6: IKE peer authentication with pre-shared secrets
- The simplest authentication method to configure, but it has several serious limitations.
- Based on a pre-shared secret that is exchanged securely out-of-band.
- Peers perform a PPP CHAP-like exchange of random values, hashed with the pre-shared secret key.

Slide 7: IKE peer authentication with pre-shared secrets
- IKE peer authentication using pre-shared secrets works in the following manner:
  - Peer A randomly chooses a string and sends it to peer B.
  - Peer B hashes the string together with the pre-shared secret.
  - Peer B sends the result of the hash back to peer A.
  - Peer A calculates its own hash of the random string together with the pre-shared secret and compares it with the value it received.
  - The same process is then repeated so that peer B authenticates peer A.
- The main limitation of pre-shared secret authentication is that the pre-shared secret must be bound to the IP address of the remote peer, not to its IKE identity.
- This can cause problems in an environment with dynamic peer addresses.

Slide 8: Planning the IKE and IPSec policy

Slide 9: Step 1 – Determine ISAKMP (IKE Phase 1) policy
- Planning steps include the following:
  - Determine the key distribution method: manually distribute keys, or use a CA server
  - Determine the authentication method: pre-shared keys, RSA encrypted nonces, or RSA signatures
  - Identify the IP addresses and host names of the IPSec peers
  - Determine the ISAKMP policies for the peers: encryption algorithm, hash algorithm, IKE SA lifetime

Slides 10–12: (figures only; no transcript text)
Slide 13: IKE Phase 1 Default Values (figure only; no transcript text)

Slide 14: Step 2 – Determine IPSec (IKE Phase 2) policy
- Policy details to determine at this stage include the following:
  - Select IPSec algorithms and parameters for optimal security and performance
  - Select transforms and, if necessary, transform sets
  - Identify IPSec peer details
  - Determine the IP addresses and applications of the hosts to be protected
  - Select manual or IKE-initiated SAs

Slide 15: (figure only; no transcript text)
Slide 16: IPSec Transform Sets (figure only; no transcript text)
Slide 17: (figure only; no transcript text)
Slide 18: Step 3 – Check the current configuration

Slide 19: Check the current configuration

Slide 20: View configured crypto maps

Slide 21: View configured transform sets

Slide 22: Step 4 – Ensure the network works without encryption

Slide 23: Step 5 – Ensure ACLs are compatible with IPSec
- Ensure that the ACLs are configured so that ISAKMP, Encapsulating Security Payload (ESP), and Authentication Header (AH) traffic is not blocked at the interfaces used by IPSec.
- ISAKMP uses UDP port 500.
- ESP is assigned IP protocol number 50.
- AH is assigned IP protocol number 51.
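The four tasks of slides 4 and 5, the verification commands of slides 18 to 21, and the ACL requirement of slide 23, carried through as one added Cisco IOS configuration example; this is not part of the Cisco module. The addresses (203.0.113.1 local, 203.0.113.2 peer, 10.1.1.0/24 and 10.2.2.0/24 as the protected LANs), the key text, the names MYSET and MYMAP, the ACL numbers and the interface Serial0/0 are all assumptions.

```cisco
! Task 2: enable IKE and define the ISAKMP (Phase 1) policy
crypto isakmp enable
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! The key is bound to the peer's IP address, which is the limitation
! noted on slide 7 for peers with dynamic addresses (placeholder key)
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.2
!
! Task 3: IPSec (Phase 2) transform set, crypto ACL and crypto map
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto ACL: only traffic between the two protected LANs is encrypted
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set MYSET
 match address 110
!
! Step 5: the inbound interface ACL must admit ISAKMP (UDP 500),
! ESP (IP protocol 50) and AH (IP protocol 51) from the peer, and the
! decrypted LAN-to-LAN traffic, which IOS checks against the ACL again
access-list 101 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
access-list 101 permit esp host 203.0.113.2 host 203.0.113.1
access-list 101 permit ahp host 203.0.113.2 host 203.0.113.1
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Apply the ACL and the crypto map set to the outside interface
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
 crypto map MYMAP
!
! Task 4 / Step 3: verify the policy, transform set and crypto map,
! then the negotiated SAs once interesting traffic has been sent
! show crypto isakmp policy
! show crypto ipsec transform-set
! show crypto map
! show crypto isakmp sa
! show crypto ipsec sa
```

The same configuration, with the peer and local addresses and the crypto ACL mirrored, is needed on the remote router before the tunnel will come up.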

Slide 24: Q and A


