VPN
Virtual Private Network: a VPN establishes a private network connection over a public network.
Two types of VPN: Site-to-Site and Remote Access VPN.
Site-to-Site: connects a branch office to the head office.
Branch office users can use resources located in the head office, such as email, printers and shared files. A Site-to-Site VPN uses IPsec to provide data authentication and confidentiality.
Remote Access VPN: provides secure connectivity to remote users.
The user has VPN client software on his PC or laptop and accesses head office resources from a remote location. Once connected to the remote access VPN, the user has a network connection to the head office and can access its resources.
Remote Access VPN types
Two types of Remote Access VPN:
1. Client-based and 2. Clientless.
Client-based (traditional method):
The user's system must have IPsec client software installed; that software builds the tunnel to the head office.
Clientless (newer method) - Web VPN or SSL VPN:
A browser such as Internet Explorer or Firefox acts as the client. Instead of IPsec, SSL (Secure Sockets Layer, today TLS) protects the session. The user connects to the secure gateway over HTTPS and then accesses resources in the head office through it.
Differences between IPsec VPN (client-based) and SSL VPN (clientless)
IPsec VPN - full network access; a VPN client is installed on the PC or laptop and the IPsec tunnel is initiated by that client software.
SSL VPN - initiated from the browser by opening https://<ASA address>; the gateway asks for a username and password. Cookies must be enabled in the browser.
SITE TO SITE VPN Notes
IPsec: a set of rules (protocols) for securing data communication across a public, untrusted network such as the Internet.
Encryption: DES and 3DES (Data Encryption Standard) or AES (Advanced Encryption Standard). DES and 3DES are obsolete; use AES outside a lab.
Symmetric: symmetric keys use the same value to both encrypt and decrypt the data.
Asymmetric: asymmetric keys use one value to encrypt the data and another to decrypt it. Diffie-Hellman, an asymmetric key-agreement algorithm, is used by IKE to derive the shared session keys.
Authentication: hash-based message authentication codes (HMAC) combine a hash function, MD5 or SHA-1 (Secure Hash Algorithm), with a shared key. Prefer SHA-256 over MD5 and SHA-1 where the platform supports it.
IPsec headers
Authentication Header (AH): authenticates the whole packet, including the IP header. IP protocol number 51 (a protocol number, not a TCP/UDP port).
Encapsulating Security Payload (ESP): encrypts the packet payload and can optionally authenticate it. It adds a header and a trailer to the packet. The packet is encrypted first and then put through the hash (HMAC) mechanism, so the integrity check covers the ciphertext. IP protocol number 50.
IPsec modes: transport mode or tunnel mode.
They differ only in how the headers are arranged.
Transport mode: uses the original IP header; only the data payload is encrypted. Transport mode is often used together with Generic Routing Encapsulation (GRE) tunnels.
Tunnel mode: replaces the original IP header with a new tunnel header. The ESP header is placed after the new header and before the original one.
The original IP header can be encrypted along with the data payload, and the packet can be authenticated from the ESP header back to the end of the ESP trailer.
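The header layouts described above, as an added worked example that is not part of the original notes: it builds and verifies an ESP packet for the transform esp-null esp-md5-hmac (null encryption, so the bytes stay readable, with the same HMAC-MD5-96 integrity check that esp-md5-hmac uses) in both tunnel and transport mode. It shows that in tunnel mode the Internet sees only the two gateway addresses, that the ICV is computed over the (encrypted) payload and trailer, and how a modified or replayed packet is rejected. The IPv4 header builder, the gateway addresses 172.16.1.1/172.16.1.2, the sample inner packet and the key are my assumptions; the ESP field order is from RFC 4303.

```python
"""Added example (not code from the original notes): build and verify an ESP
packet for the transform 'esp-null esp-md5-hmac' in tunnel and transport mode.

Assumptions that are mine, not the page's: a 20-byte IPv4 header with no
options or checksum, gateway addresses 172.16.1.1/172.16.1.2 from the lab,
and a constructed 16-byte key. ESP layout follows RFC 4303:
  SPI | sequence | payload | padding | pad length | next header | ICV
The ICV is HMAC-MD5 truncated to 96 bits over everything before it, so the
integrity check is computed after (and over) the encrypted part."""
import hashlib
import hmac
import struct

ESP_PROTO = 50      # IP protocol number of ESP (a protocol number, not a port)
AH_PROTO = 51       # IP protocol number of AH
IPV4_PROTO = 4      # next-header value meaning "an IPv4 packet follows"
UDP_PROTO = 17
ICV_LEN = 12        # HMAC-MD5-96 keeps the first 96 bits of the MAC
PEER_A, PEER_B = "172.16.1.1", "172.16.1.2"   # the two VPN gateways
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; enough to show where ESP sits in the packet."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip(src), ip(dst))


def addresses(packet):
    """(src, dst) of the outermost IP header, i.e. what the Internet sees."""
    fmt = lambda b: ".".join(str(x) for x in b)
    return fmt(packet[12:16]), fmt(packet[16:20])


def sample_inner_packet():
    """Constructed host-to-host UDP packet from the Bangalore LAN to the DC LAN."""
    udp = struct.pack("!HHHH", 1234, 53, 12, 0) + b"DNS?"
    return ipv4_header("10.2.1.5", "192.168.1.7", UDP_PROTO, len(udp)) + udp


def esp_encapsulate(key, spi, seq, inner, mode):
    """Wrap an IPv4 packet in ESP and return the new outer IPv4 packet."""
    if mode == "tunnel":            # whole inner packet, header included, is protected
        payload, next_header = inner, IPV4_PROTO
        src, dst = PEER_A, PEER_B   # new tunnel header carries the gateway addresses
    elif mode == "transport":       # original IP header stays in the clear
        payload, next_header = inner[20:], inner[9]
        src, dst = addresses(inner)
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    pad_len = (4 - (len(payload) + 2) % 4) % 4     # align pad-len/next-header to 4 bytes
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default padding pattern
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.md5).digest()[:ICV_LEN]   # "encrypt, then hash"
    esp = body + icv
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def esp_decapsulate(key, packet, last_seq):
    """Verify ICV and sequence number, strip ESP, return (inner packet, seq)."""
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp = packet[20:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):     # integrity first, before touching payload
        raise ValueError("ICV mismatch: packet modified or wrong key")
    _spi, seq = struct.unpack("!II", body[:8])
    if seq <= last_seq:                             # simplest anti-replay rule
        raise ValueError(f"replayed or out-of-order sequence {seq} (last {last_seq})")
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:len(body) - 2 - pad_len]
    if next_header == IPV4_PROTO:                   # tunnel mode: inner packet is intact
        return payload, seq
    hdr = bytearray(packet[:20])                    # transport mode: restore header fields
    hdr[9] = next_header
    struct.pack_into("!H", hdr, 2, 20 + len(payload))
    return bytes(hdr) + payload, seq


def accepted(key, packet, last_seq):
    """True if the receiver would accept the packet (used for the negative cases)."""
    try:
        esp_decapsulate(key, packet, last_seq)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inner = sample_inner_packet()
    for mode in ("tunnel", "transport"):
        pkt = esp_encapsulate(SHARED_KEY, 0x53450115, 1, inner, mode)
        print(mode, "outer addresses:", addresses(pkt), "total length", len(pkt))
```

Running the block prints the outer addresses of both encapsulations: tunnel mode shows 172.16.1.1 to 172.16.1.2, transport mode still shows the two hosts 10.2.1.5 and 192.168.1.7, which is exactly the difference the notes describe. The `accepted` helper makes the failure modes explicit: a flipped payload byte, a reused sequence number or a wrong key are all dropped before any payload is handed up.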
When IPsec establishes a VPN between two peers, it first sets up a Security Association (SA) between them.
The Internet Security Association and Key Management Protocol (ISAKMP) defines how an SA is created and deleted.
Internet Key Exchange (IKE) phase 1 modes: Main mode and Aggressive mode. Aggressive mode uses fewer messages but sends the peer identity and the PSK-based authentication hash before the channel is encrypted, so Main mode is preferred with pre-shared keys.
Configuring a Site-to-Site VPN
1. Configure the ISAKMP policy (IKE phase 1).
2. Configure the IPsec transform set or sets (IKE phase 2).
3. Configure the crypto access control list (ACL) that selects the traffic to protect.
4. Configure the crypto map, which ties the peer, the transform set and the crypto ACL together.
5. Apply the crypto map to the outgoing (public) interface.
6. Optionally configure and apply an ACL on that interface that permits only IPsec (ESP, IP protocol 50; AH, IP protocol 51) and IKE (UDP port 500) traffic from the peer.
IKE Phase 1 (Internet Key Exchange Phase 1)
Sets up a secure communication channel between the peers. A basic set of security services is negotiated and agreed between the peers, and that protection covers all subsequent communication between them (the ISAKMP SA).
IKE Phase 2
IKE negotiates the IPsec Security Association (SA) parameters and sets up matching IPsec SAs on both peers. These security parameters are used to protect the data and messages exchanged between the endpoints.
Site to Site VPN Configuration Router 2811
Bangalore router
Banglore#config t
Banglore(config)#crypto isakmp enable (enable ISAKMP/IKE; it is on by default in IOS)
Banglore(config)#crypto isakmp policy 1 (new policy, priority 1)
Banglore(config-isakmp)#authentication pre-share (authentication method: pre-shared key)
Banglore(config-isakmp)#encryption des (symmetric cipher for IKE; DES is a lab setting, use AES in production)
Banglore(config-isakmp)#hash md5 (hash for integrity; MD5 is a lab setting, use SHA-256 in production)
Banglore(config-isakmp)#group 2 (Diffie-Hellman group; use group 14 or higher in production)
Banglore(config-isakmp)#exit
Banglore(config)#crypto isakmp key 123 address 172.16.1.2 0.0.0.0
(123 is the pre-shared key and 172.16.1.2 is the Datacenter router's public IP. The trailing argument is an optional subnet mask; this Packet Tracer lab passes 0.0.0.0. On a production router leave it out so the key is tied to exactly this peer, and use a long random key rather than 123.)
Banglore(config)#crypto ipsec transform-set vpnset esp-des esp-md5-hmac (transform set named vpnset: ESP with DES encryption and HMAC-MD5 authentication)
Banglore(config)#crypto ipsec security-association lifetime seconds 86400
(IPsec SA lifetime; the SA keys are renegotiated after this many seconds)
Banglore(config)#crypto map vpnmap 10 ipsec-isakmp
Banglore(config-crypto-map)#set peer 172.16.1.2 (Datacenter router's public IP)
Banglore(config-crypto-map)#set transform-set vpnset
Banglore(config-crypto-map)#match address blr (name of the crypto ACL)
Banglore(config-crypto-map)#exit
Banglore(config)#ip access-list extended blr
Banglore(config-ext-nacl)#permit ip 10.2.1.0 0.0.0.255 192.168.1.0 0.0.0.255
(traffic from the Bangalore LAN to the Datacenter LAN is sent through the tunnel)
Banglore(config-ext-nacl)#exit
Banglore(config)#interface fastEthernet 0/0
Banglore(config-if)#crypto map vpnmap (apply the crypto map to the public-facing interface)
Datacenter Configuration
datacenter(config)#crypto isakmp enable (enable ISAKMP/IKE)
datacenter(config)#crypto isakmp policy 1 (new policy, priority 1; must match the Bangalore policy)
datacenter(config-isakmp)#authentication pre-share (authentication method: pre-shared key)
datacenter(config-isakmp)#encryption des (symmetric cipher for IKE)
datacenter(config-isakmp)#hash md5 (hash for integrity)
datacenter(config-isakmp)#group 2 (Diffie-Hellman group)
datacenter(config-isakmp)#exit
datacenter(config)#crypto isakmp key 123 address 172.16.1.1 0.0.0.0
(123 is the same pre-shared key and 172.16.1.1 is the Bangalore router's public IP; the trailing mask is optional, as on the Bangalore side)
datacenter(config)#crypto ipsec transform-set vpnset esp-des esp-md5-hmac
(transform set named vpnset; the transforms must match the Bangalore set)
datacenter(config)#crypto ipsec security-association lifetime seconds 86400
(IPsec SA lifetime; the SA keys are renegotiated after this many seconds)
datacenter(config)#ip access-list extended datacenter
datacenter(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 10.2.1.0 0.0.0.255
(mirror image of the Bangalore crypto ACL: traffic from the Datacenter LAN to the Bangalore LAN is sent through the tunnel)
datacenter(config-ext-nacl)#exit
datacenter(config)#crypto map dmap 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
datacenter(config-crypto-map)#match address datacenter (name of the crypto ACL)
datacenter(config-crypto-map)#set peer 172.16.1.1 (Bangalore router's public IP)
datacenter(config-crypto-map)#set transform-set vpnset (transform set name)
datacenter(config-crypto-map)#exit
datacenter(config)#interface fastEthernet 0/0
datacenter(config-if)#crypto map dmap
Note: both routers must agree on at least one ISAKMP policy (encryption, hash, DH group, authentication method) and at least one transform set (the transforms must match; the set names may differ), and the pre-shared key must be identical on both sides.
The crypto ACLs must be mirror images of each other (source and destination swapped), and each crypto map's peer must be the other router's public IP.
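The matching rules above, as an added consistency checker (example code of my own, not from the page or from Cisco). It parses both routers' crypto configuration in running-config form and reports every mismatch that would stop IKE phase 1 or phase 2 from completing. The two embedded configs are this page's lab configs; the public IPs 172.16.1.1 (Bangalore) and 172.16.1.2 (Datacenter) are assumed from the show output on the page, and the parser handles one ISAKMP policy, one crypto map and one named ACL per router, which is all the lab uses.

```python
import re

# Added example, not from the page or Cisco: parse both routers' crypto config
# (this page's lab configs in running-config form) and report every mismatch.
# Assumed from the page's show output: Bangalore is 172.16.1.1, Datacenter 172.16.1.2.
BANGALORE = """\
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
crypto isakmp key 123 address 172.16.1.2
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set vpnset
 match address blr
ip access-list extended blr
 permit ip 10.2.1.0 0.0.0.255 192.168.1.0 0.0.0.255
interface FastEthernet0/0
 crypto map vpnmap
"""
DATACENTER = """\
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
crypto isakmp key 123 address 172.16.1.1
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto map dmap 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set vpnset
 match address datacenter
ip access-list extended datacenter
 permit ip 192.168.1.0 0.0.0.255 10.2.1.0 0.0.0.255
interface FastEthernet0/0
 crypto map dmap
"""

def parse(cfg):
    """Pull the IPsec-relevant pieces out of one router's configuration."""
    d = {"policy": {}, "keys": {}, "tsets": {}, "map": {}, "acl": [], "applied": None}
    section = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):          # a top-level command opens a new section
            section = None
            if line.startswith("crypto isakmp policy"):
                section = "policy"
            elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                d["keys"][m[2]] = m[1]           # peer address -> pre-shared key
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                d["tsets"][m[1]] = m[2].split()
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
                d["map"]["name"], section = m[1], "map"
            elif line.startswith("ip access-list extended"):
                section = "acl"
            elif line.startswith("interface"):
                section = "intf"
            continue
        parts = line.split()
        if section == "policy":
            d["policy"][parts[0]] = parts[1]
        elif section == "map" and parts[0] == "set":
            d["map"][parts[1]] = parts[2]        # "peer" and "transform-set"
        elif section == "map" and parts[0] == "match":
            d["map"]["acl"] = parts[2]
        elif section == "acl" and parts[0] == "permit":
            d["acl"].append(tuple(parts[2:6]))   # src, wildcard, dst, wildcard
        elif section == "intf" and parts[:2] == ["crypto", "map"]:
            d["applied"] = parts[2]
    return d

def check_pair(cfg_a, ip_a, cfg_b, ip_b):
    """Return the mismatches between side A and side B; an empty list means they agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for k in ("authentication", "encryption", "hash", "group"):
        if a["policy"].get(k) != b["policy"].get(k):
            problems.append(f"isakmp policy '{k}' differs")
    if not a["keys"].get(ip_b) or a["keys"].get(ip_b) != b["keys"].get(ip_a):
        problems.append("pre-shared key missing for the peer or not identical")
    if a["map"].get("peer") != ip_b or b["map"].get("peer") != ip_a:
        problems.append("set peer must name the other router's public IP")
    ta = a["tsets"].get(a["map"].get("transform-set"))
    tb = b["tsets"].get(b["map"].get("transform-set"))
    if not ta or ta != tb:
        problems.append("transform sets do not match")
    mirror = {(dst, dm, src, sm) for src, sm, dst, dm in b["acl"]}
    if not a["acl"] or set(a["acl"]) != mirror:
        problems.append("crypto ACLs are not mirror images of each other")
    for side, c in (("A", a), ("B", b)):
        if not c["applied"] or c["applied"] != c["map"].get("name"):
            problems.append(f"side {side}: crypto map is not applied to the interface")
    return problems
```

`check_pair(BANGALORE, "172.16.1.1", DATACENTER, "172.16.1.2")` returns an empty list for the lab configs; change `hash md5` to `hash sha` on one side, or point `set peer` at the router's own address, and the corresponding mismatch is reported. The checker compares the transforms rather than the transform-set names, matching the note that names may differ while the transforms must not.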
Troubleshooting Commands
Banglore#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Banglore#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.16.1.2 172.16.1.1 QM_IDLE 1084 0 ACTIVE
IPv6 Crypto ISAKMP SA
Note: shows the ISAKMP (IKE phase 1) security associations currently on the router. A state of QM_IDLE with status ACTIVE means phase 1 completed and the SA is ready for phase 2 (quick mode); an SA that never reaches QM_IDLE points to a phase 1 mismatch (ISAKMP policy or pre-shared key).
Banglore#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: vpnmap, local addr 172.16.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 172.16.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.1, remote crypto endpt.:172.16.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x53450115(1397031189)
inbound esp sas:
spi: 0x5101249F(1359029407)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: FPGA:1, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4525504/86315)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x53450115(1397031189)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: FPGA:1, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4525504/86315)
IV size: 16 bytes
replay detection support: N
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Banglore#show crypto ipsec transform-set
Transform set vpnset: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
Banglore#show crypto map
Crypto Map vpnmap 10 ipsec-isakmp
Peer = 172.16.1.2
Extended IP access list blr
access-list blr permit ip 10.2.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Current peer: 172.16.1.2
Security association lifetime: 4608000 kilobytes/86400 seconds
PFS (Y/N): N
Transform sets={
vpnset,
}
Interfaces using crypto map vpnmap:
FastEthernet0/0
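Reading the outputs above, as an added example (my code, not from the page or from Cisco): a parser for show crypto isakmp sa and show crypto ipsec sa that turns the SA state and the encaps/decaps counters into a diagnosis. The sample text is an abridged copy of the Bangalore output above; the diagnosis rules are the usual ones (QM_IDLE with ACTIVE means phase 1 is up, encaps without decaps means one-way traffic, and replay detection N is worth flagging).

```python
"""Added example (not from the original notes): parse 'show crypto isakmp sa'
and 'show crypto ipsec sa' and turn states and counters into a diagnosis.
The sample text below is an abridged copy of this page's Bangalore output."""
import re

ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.1.2      172.16.1.1      QM_IDLE           1084    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: vpnmap, local addr 172.16.1.1
   local ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 172.16.1.2 port 500
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 0
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 0
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x5101249F(1359029407)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4525504/86315)
        replay detection support: N
        Status: ACTIVE
"""


def parse_isakmp_sa(text):
    """Rows of (dst, src, state, status) from 'show crypto isakmp sa'."""
    rows = []
    ip = r"(\d+\.\d+\.\d+\.\d+)"
    for line in text.splitlines():
        m = re.match(r"\s*" + ip + r"\s+" + ip + r"\s+(\S+)\s+\d+\s+\d+\s+(\S+)", line)
        if m:
            rows.append(m.groups())
    return rows


def parse_ipsec_sa(text):
    """The fields of 'show crypto ipsec sa' that matter when troubleshooting."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    return {
        "local": grab(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "remote": grab(r"remote\s+ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "peer": grab(r"current_peer (\S+)"),
        "encaps": grab(r"#pkts encaps: (\d+)", int),
        "decaps": grab(r"#pkts decaps: (\d+)", int),
        "send_errors": grab(r"#send errors (\d+)", int),
        "recv_errors": grab(r"#recv errors (\d+)", int),
        "transform": grab(r"transform: (.+?) ,"),
        "mode": grab(r"in use settings =\{(\w+),"),
        "replay": grab(r"replay detection support: (\w)") == "Y",
        "active": "Status: ACTIVE" in text,
    }


def diagnose(isakmp_rows, sa):
    """Human-readable findings from the two parsed outputs."""
    findings = []
    if not isakmp_rows:
        findings.append("no ISAKMP SA: phase 1 never completed (check policy, PSK and UDP 500 reachability)")
    for dst, _src, state, status in isakmp_rows:
        if state == "QM_IDLE" and status == "ACTIVE":
            findings.append(f"phase 1 up with {dst}")
        else:
            findings.append(f"phase 1 with {dst} stuck in {state}: check ISAKMP policy and pre-shared key")
    if not sa["active"]:
        findings.append("no active IPsec SA: phase 2 failed, check transform set and crypto ACL")
    elif sa["encaps"] == 0 and sa["decaps"] == 0:
        findings.append("SA up but idle: no traffic has matched the crypto ACL yet")
    elif sa["decaps"] == 0:
        findings.append("one-way: we encrypt but receive nothing, check the remote crypto ACL mirror and return routing")
    elif sa["encaps"] == 0:
        findings.append("one-way: we receive but never encrypt, check the local crypto ACL and routing to the peer")
    else:
        findings.append(f"two-way traffic ({sa['encaps']} out / {sa['decaps']} in) over {sa['transform']} in {sa['mode']} mode")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append("send/recv errors present: look at MTU/fragmentation and ICV failures")
    if not sa["replay"]:
        findings.append("replay detection reported off: a captured ESP packet could be re-injected; expect Y on a production router")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_isakmp_sa(ISAKMP_SA), parse_ipsec_sa(IPSEC_SA)):
        print("-", line)
```

For the page's own output the script reports phase 1 up with 172.16.1.2, two-way traffic over esp-des esp-md5-hmac in Tunnel mode, and the missing replay detection. Feed it an output where decaps stays at 0 while encaps grows and it names the usual culprit: the remote crypto ACL is not the mirror image, or the return path does not reach the peer.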
1. What is a VPN? What are the types of VPN?
Virtual Private Network: a VPN establishes a private network connection over a public network.
Two types of VPN: Site-to-Site and Remote Access VPN.
2. Explain Site-to-Site VPN and Remote Access VPN.
Site-to-Site: connects a branch office to the head office.
Branch office users can use resources located in the head office, such as email, printers and shared files. A Site-to-Site VPN uses IPsec to provide data authentication and confidentiality.
Remote Access VPN: provides secure connectivity to remote users.
The user has VPN client software on his PC or laptop and accesses head office resources from a remote location. Once connected to the remote access VPN, the user has a network connection to the head office and can access its resources.
3. What are the types of Remote Access VPN? Explain them.
Two types of Remote Access VPN: 1. Client-based and 2. Clientless.
Client-based (traditional method):
The user's system must have IPsec client software installed; that software builds the tunnel to the head office.
Clientless (newer method) - Web VPN or SSL VPN:
A browser such as Internet Explorer or Firefox acts as the client. Instead of IPsec, SSL (Secure Sockets Layer, today TLS) protects the session. The user connects to the secure gateway and then accesses resources in the head office through it.
4. What is the difference between IPsec VPN (client-based) and SSL VPN (clientless)?
IPsec VPN - full network access; a VPN client is installed on the PC or laptop and the IPsec tunnel is initiated by that client software.
SSL VPN - initiated from the browser by opening https://<ASA address>; the gateway asks for a username and password. Cookies must be enabled in the browser.
5. What is IPsec?
IPsec: a set of rules (protocols) for securing data communication across a public, untrusted network such as the Internet.