netts_iscw10s04 ipsec.ppt
TRANSCRIPT
-
7/28/2019 Netts_ISCW10S04 IPsec.ppt
1/57
IPsec VPNs
IPsec Components and IPsec VPN Features
-
IPsec Overview
-
What Is IPsec?
IPsec is an IETF standard that employs cryptographic mechanisms on the network layer:
Authentication of every IP packet
Verification of data integrity for each packet
Confidentiality of packet payload
Consists of open standards for securing private communications
Scales from small to very large networks
Is available in Cisco IOS software version 11.3(T) and later
Is included in PIX Firewall version 5.0 and later
-
IPsec Security Features
IPsec is the only standard Layer 3 technology that provides:
Confidentiality
Data integrity
Authentication
Replay detection
-
IPsec Protocols
IPsec uses three main protocols to create a security framework:
Internet Key Exchange (IKE):
Provides framework for negotiation of security parameters
Establishment of authenticated keys
Encapsulating Security Payload (ESP):
Provides framework for encrypting, authenticating, and securing of data
Authentication Header (AH):
Provides framework for authenticating and securing of data
-
IPsec Headers
The IPsec headers provide the following:
Authentication and data integrity (MD5 or SHA-1 HMAC) with AH and ESP
Confidentiality (DES, 3DES, or AES) only with ESP
-
Peer Authentication
Peer authentication methods:
Username and password, OTP (PIN/TAN)
Biometric
Preshared keys
Digital certificates
-
IPsec VPNs
Site-to-Site IPsec VPN Operation
-
Site-to-Site IPsec VPN Operations
-
Five Steps of IPsec
-
Step 1: Interesting Traffic
-
Step 2: IKE Phase 1
-
IKE Policy
Negotiates matching IKE transform sets to protect the IKE exchange
-
Authenticate Peer Identity
Peer authentication methods:
Preshared keys
RSA signatures
RSA encrypted nonces
-
Step 3: IKE Phase 2
Negotiates IPsec security parameters, IPsec transform sets
Establishes IPsec SAs
Periodically renegotiates IPsec SAs to ensure security
Optionally, performs an additional Diffie-Hellman exchange
-
IPsec Transform Sets
A transform set is a combination of algorithms and protocols that enact a security policy for traffic.
-
Security Associations
SA database:
Destination IP address
SPI
Protocol (ESP or AH)
Security policy database:
Encryption algorithm
Authentication algorithm
Mode
Key lifetime
-
Site-to-Site IPsec Configuration: Phase 1
-
Site-to-Site IPsec Configuration: Phase 2
-
Site-to-Site IPsec Configuration: Apply VPN Configuration
-
Site-to-Site IPsec Configuration: Interface ACL
When filtering at the edge, there is not much to see:
IKE: UDP port 500
ESP and AH: IP protocol numbers 50 and 51, respectively
With NAT transparency (NAT-T) enabled:
UDP port 4500
TCP (the port number has to be configured)
-
Site-to-Site IPsec Configuration: Interface ACL (Cont.)
Router1#show access-lists
access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20
access-list 102 permit esp host 172.16.172.10 host 172.16.171.20
access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp
Ensure that protocol 50 and 51 and UDP port 500 traffic is not blocked on interfaces used by IPsec.
-
Summary
IPsec operation includes these steps: initiation of the IPsec process by interesting traffic, IKE Phase 1, IKE Phase 2, data transfer, and IPsec tunnel termination.
To configure a site-to-site IPsec VPN: configure the ISAKMP policy, define the IPsec transform set, create a crypto ACL, create a crypto map, apply the crypto map, and configure the interface ACL.
To define an IKE policy, use the crypto isakmp policy global configuration command.
To define an acceptable combination of security protocols and algorithms used for IPsec, use the crypto ipsec transform-set global configuration command.
To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command.
Configure an ACL to enable the IPsec protocols (protocol 50 for ESP or 51 for AH) and the IKE protocol (UDP/500).
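The six configuration steps listed in this summary, and the interface ACL from the preceding slides, as one complete Cisco IOS configuration for the router that the deck calls Router1. This is an added example, not a configuration from the deck: the peer addresses 172.16.172.10 and 172.16.171.20 are the ones shown in the deck's access list (which side is Router1 is an assumption), the LAN prefixes, interface, object names and the preshared key are constructed placeholders, and AES-256/SHA-1/DH group 14 are this example's choices rather than values the deck prescribes.

```cisco
! Router1: outside address 172.16.171.20 (assumed), IPsec peer 172.16.172.10
! LAN prefixes 10.1.1.0/24 (local) and 10.2.2.0/24 (remote) are constructed for this example
!
! 1. ISAKMP policy (IKE Phase 1): encryption, hash, authentication method, DH group, lifetime
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! Preshared key bound to this peer's address only; REPLACE-WITH-STRONG-KEY is a placeholder
crypto isakmp key REPLACE-WITH-STRONG-KEY address 172.16.172.10
!
! 2. IPsec transform set (IKE Phase 2 proposal): ESP with AES-256 and SHA-1 HMAC, tunnel mode
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! 3. Crypto ACL: the "interesting traffic" that triggers the tunnel and is protected by it
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! 4. Crypto map: ties the peer, transform set, IPsec SA lifetime and crypto ACL together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 172.16.172.10
 set transform-set TS-AES256-SHA
 set security-association lifetime seconds 3600
 match address VPN-TRAFFIC
!
! 5. Apply the crypto map (and the interface ACL from step 6) to the outside interface
interface GigabitEthernet0/0
 ip address 172.16.171.20 255.255.255.0
 ip access-group 102 in
 crypto map VPN-MAP
!
! 6. Interface ACL: admit only this peer's AH (protocol 51), ESP (protocol 50),
!    ISAKMP (UDP/500) and, for NAT-T, UDP/4500 ("non500-isakmp"). The implicit
!    deny drops everything else, so add permits for any other service the router
!    must accept on this interface. Older IOS releases re-check decrypted packets
!    against the inbound ACL; there, also permit 10.2.2.0/24 to 10.1.1.0/24.
access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20
access-list 102 permit esp host 172.16.172.10 host 172.16.171.20
access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp
access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq non500-isakmp
```

The peer router needs the mirror image: the same ISAKMP policy and transform set, the same preshared key, a crypto ACL with source and destination swapped, and an interface ACL permitting traffic from 172.16.171.20 to itself. Limiting the preshared key and the interface ACL to the peer's host address, rather than to any source, keeps arbitrary Internet hosts from even starting an IKE negotiation with the router.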
-
IPsec VPNs
Configuring IPsec Site-to-Site VPN Using SDM
-
Introducing the SDM VPN Wizard Interface
-
Cisco Router and SDM
-
Introducing the SDM VPN Wizard Interface
Wizards for IPsec solutions
Individual IPsec components
-
Site-to-Site VPN Components (Cont.)
Two main components:
IPsec
IKE
Two optional components:
Group Policies for Easy VPN server functionality
Public Key Infrastructure for IKE authentication using digital certificates
Individual IPsec components used to build VPNs
-
Launching the Site-to-Site VPN Wizard
-
Launching the Site-to-Site VPN Wizard (Cont.)
-
Quick Setup
-
Step-by-Step Setup
Multiple steps are used to configure the VPN connection:
Defining connection settings: Outside interface, peer address, authentication credentials
Defining IKE proposals: Priority, encryption algorithm, HMAC, authentication type, Diffie-Hellman group, lifetime
Defining IPsec transform sets: Encryption algorithm, HMAC, mode of operation, compression
Defining traffic to protect: Single source and destination subnets, ACL
Reviewing and completing the configuration
-
Connection Settings
-
IKE Proposals
-
Transform Set
-
Defining What Traffic to Protect
-
Option 2: Using an ACL
-
Completing the Configuration
-
Review the Generated Configuration (Cont.)
-
Test Tunnel Configuration and Operation
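The deck's test slide carries only its title, so here is an added set of Cisco IOS verification commands (not from the deck) that check each of the five IPsec steps in turn once interesting traffic has been sent. The peer address 172.16.172.10 is the one from the deck's access list; the comments describe what a healthy tunnel looks like in each output, and no output is reproduced because the deck shows none.

```cisco
! Step 1: generate interesting traffic first, e.g. ping a host in the remote LAN from the local LAN;
! without it no SA is ever negotiated and every "show" below is empty.
!
! Step 2 (IKE Phase 1): the peer should be listed with state QM_IDLE once the ISAKMP SA is up;
! a peer stuck in MM_NO_STATE or missing entirely points at the ISAKMP policy, the preshared
! key, or UDP/500 being filtered somewhere on the path.
show crypto isakmp sa
!
! Step 3 (IKE Phase 2): expect inbound and outbound ESP SAs with their SPIs and the
! "#pkts encaps" / "#pkts decaps" counters rising with traffic. Rising encaps with
! zero decaps means the peer's return path (or its interface ACL) is the problem.
show crypto ipsec sa peer 172.16.172.10
!
! Crypto map binding: confirms peer, transform set, crypto ACL and the interface it is applied to.
show crypto map
!
! Interface ACL hit counts: zero matches on the esp/ahp/isakmp lines means the peer's
! packets never reached this router, so look upstream before touching the crypto config.
show access-lists 102
!
! Only while troubleshooting; both are verbose and CPU-heavy. Stop them with "undebug all".
debug crypto isakmp
debug crypto ipsec
```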
-