Virtual Private Network Configuration

Secure VPNs © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—11-2

Lesson 9: Virtual Private Network Configuration

Secure VPNs
VPN Overview

- Intranet VPN: low-cost, tunneled connections with rich VPN services, which lead to cost savings and new applications.
- Remote access VPN: cost-saving.
- Extranet VPN: extends WANs to business partners, which leads to new applications and business models.

(Figure: Home Office, Remote Office, Mobile Worker and Business Partner connect through a POP to the Main Office VPN.)

IPSec Enables Security Appliance VPN Features

IPSec across the Internet provides:
- Data confidentiality
- Data integrity
- Data authentication
- Anti-replay

What Is IPSec?

- IETF standard that enables encrypted communication between peers
- Consists of open standards for securing private communications
- Has network layer encryption that ensures data confidentiality, integrity, and authentication
- Scales from small to very large networks
- Is included in PIX Firewall v5.0 and later

IPSec Standards Supported by the Security Appliance

ESP (Encapsulating Security Payload), IKE (Internet Key Exchange), DES, 3DES, AES, DH (Diffie-Hellman), MD5, SHA, RSA signatures, CAs (certificate authorities)

How IPSec Works
Five Steps of IPSec

1. Interesting traffic: the VPN devices recognize the traffic to protect.
2. IKE Phase 1: the VPN devices negotiate an IKE security policy and establish a secure channel.
3. IKE Phase 2: the VPN devices negotiate an IPSec security policy to protect IPSec data.
4. Data transfer: the VPN devices apply security services to traffic, then transmit the traffic.
5. Tunnel terminated: the tunnel is torn down.

(Figure: Host A, Security Appliance A, Security Appliance B, Host B.)

Step 1: Interesting Traffic

Traffic between Host A and Host B that matches the policy has IPSec applied; everything else is sent in clear text.

Step 2: IKE Phase 1

Security Appliance A and Security Appliance B negotiate the IKE policy.
IKE Phase 1: Main Mode Exchange

Three exchanges between Security Appliance A and Security Appliance B (on behalf of Host A and Host B):
1. Negotiate the policy
2. DH exchange
3. Verify the peer identity

IKE Phase 1 Policy Sets

Each security appliance offers its IKE proposals, and the peers negotiate matching IKE transform sets to protect the IKE exchange:
- Policy Set 10: DES, MD5, pre-share, DH1, lifetime
- Policy Set 15: DES, MD5, pre-share, DH1, lifetime
- Policy Set 20: 3DES, SHA, pre-share, DH1, lifetime
Policy sets 10 and 15 match field for field; set 20 matches neither of them.

DH Key Exchange

(Figure: Alex and Terry each keep a private key and send the other their public key. Public Key B combined with Private Key A gives Shared Secret Key (BA); Public Key A combined with Private Key B gives Shared Secret Key (AB); the two are equal. That key encrypts "Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars" into ciphertext such as "4ehIDx67NMop9eR U78IOPotVBn45TR", and the same key decrypts it at the far end.)

Authenticate Peer Identity
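The DH figure above in numbers, as a worked example added here (not a slide from the course). The values are toy values chosen so the arithmetic can be checked by hand; a real IKE group uses a prime of 768 bits (DH group 1) or more.

$$
\begin{aligned}
p &= 23,\qquad g = 5 \\
\text{Private Key A} &= a = 6, &\qquad \text{Public Key A} &= g^{a} \bmod p = 5^{6} \bmod 23 = 8 \\
\text{Private Key B} &= b = 15, &\qquad \text{Public Key B} &= g^{b} \bmod p = 5^{15} \bmod 23 = 19 \\
\text{Shared Secret Key (BA)} &= (\text{Public Key B})^{a} \bmod p &= 19^{6} \bmod 23 &= 2 \\
\text{Shared Secret Key (AB)} &= (\text{Public Key A})^{b} \bmod p &= 8^{15} \bmod 23 &= 2
\end{aligned}
$$

Only the public keys 8 and 19 cross the Internet; recovering a or b from them means solving a discrete logarithm. The exchange by itself does not say who the other party is, which is why the Main Mode exchange follows it with the peer identity verification step before any IPSec SA is negotiated.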
(Figure: Security Appliance A at the Remote Office and Security Appliance B at the Corporate Office, with the HR servers behind B, authenticate each other across the Internet.)

Peer Authentication

Peer authentication methods:
- Pre-shared keys
- RSA signature
- DSA signature

Step 3: IKE Phase 2
Security Appliance A and Security Appliance B negotiate the IPSec security parameters for the traffic between Host A and Host B.

IPSec Transform Sets

The peers negotiate matching transform sets. A transform set is a combination of algorithms and protocols that enacts a security policy for traffic:
- Transform Set 30: ESP, 3DES, SHA, tunnel mode, lifetime
- Transform Set 55: ESP, 3DES, SHA, tunnel mode, lifetime
- Transform Set 40: ESP, DES, MD5, tunnel mode, lifetime
Sets 30 and 55 match; set 40 does not.

Security Associations (SAs)

Each SA is indexed in the security association database (SAD) by destination IP address, SPI and protocol; the security policy database (SPD) holds the parameters negotiated for it: encryption algorithm, authentication algorithm, mode and key lifetime.

(Figure: a host reaching a bank's security appliance across the Internet has two SAs: SPI 12, ESP/3DES/SHA, tunnel, lifetime 28800; and SPI 39, ESP/DES/MD5, tunnel, lifetime 28800.)

SA Lifetime
- Data-based
- Time-based

Step 4: IPSec Session

SAs are exchanged between peers, and the negotiated security services are applied to the traffic between Host A and Host B.

Step 5: Tunnel Termination

A tunnel is terminated:
- By an SA lifetime timeout
- If the packet counter is exceeded
Termination removes the IPSec SA.

Configure VPN Connection Parameters
tunnel-group Command

To create and manage the database of connection-specific records for IPSec, use the tunnel-group command in global configuration mode. The tunnel-group command has the following subcommands:
- tunnel-group general-attributes
- tunnel-group ipsec-attributes

firewall(config)# tunnel-group name type type
fw1(config)# tunnel-group training type ipsec-l2l

tunnel-group general-attributes Command

The general-attributes sub-configuration mode is used to configure settings that are common to all supported tunneling protocols. The tunnel-group general-attributes command has the following subcommands:
- accounting-server-group
- address-pool
- authentication-server-group
- authorization-server-group
- default-group-policy
- dhcp-server
- strip-group
- strip-realm

firewall(config)# tunnel-group name general-attributes
fw1(config)# tunnel-group training general-attributes
fw1(config-general)#

tunnel-group ipsec-attributes Command

The ipsec-attributes sub-configuration mode is used to configure settings that are specific to the IPSec tunneling protocol. The tunnel-group ipsec-attributes command has the following subcommands:
- authorization-dn-attributes
- authorization-required
- chain
- client-update
- isakmp keepalive
- peer-id-validate
- pre-shared-key
- radius-with-expiry
- trust-point

firewall(config)# tunnel-group name ipsec-attributes
fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)#

IPSec Configuration Tasks
Configuring IPSec Encryption

- Task 1: Prepare to configure VPN support.
- Task 2: Configure IKE parameters.
- Task 3: Configure IPSec parameters.
- Task 4: Test and verify VPN configuration.

Task 1: Prepare to Configure VPN Support

Task 1: Prepare for IKE and IPSec
- Step 1: Determine the IKE (IKE Phase 1) policy.
- Step 2: Determine the IPSec (IKE Phase 2) policy.
- Step 3: Ensure that the network works without encryption.
- Step 4: (Optional) Implicitly permit IPSec packets to bypass security appliance ACLs and access groups.

Determine IKE Phase 1 Policy

Parameter              | Strong          | Stronger
-----------------------|-----------------|-------------------------
Encryption algorithm   | DES             | 3DES or AES
Hash algorithm         | MD5             | SHA-1
Authentication method  | Pre-share       | RSA signature
Key exchange           | DH group 1      | DH group 2 or 5
IKE SA lifetime        | 86,400 seconds  | less than 86,400 seconds

Determine IPSec (IKE Phase 2) Policy

(Figure: Security Appliance 1 at Site 1 and Security Appliance 6 at Site 2, connected across the Internet.)

Policy                                 | Site 1          | Site 2
---------------------------------------|-----------------|----------------
Transform set                          | ESP-DES, tunnel | ESP-DES, tunnel
Peer security appliance IP address     |                 |
Encrypting hosts                       |                 |
Traffic (packet type) to be encrypted  | IP              | IP

(The peer addresses and encrypting hosts are not present in the transcript.)

Task 2: Configure IKE Parameters
Task 2: Configure IKE
- Step 1: Enable or disable IKE.
- Step 2: Configure IKE Phase 1 policy.
- Step 3: Configure a tunnel group.
- Step 4: Configure the tunnel group attributes pre-shared key.
- Step 5: Verify IKE Phase 1 policy.

Enable or Disable IKE

firewall(config)# isakmp enable interface-name
- Enables IKE on the named security appliance interface; the no form disables it
- Disable IKE on interfaces not used for IPSec

fw1(config)# isakmp enable outside

(Figure: Security Appliance 1 at Site 1 and Security Appliance 6 at Site 2, outside interfaces facing the Internet.)

Configure IKE Phase 1 Policy

fw1(config)# isakmp policy 10 encryption des
fw1(config)# isakmp policy 10 hash sha
fw1(config)# isakmp policy 10 authentication pre-share
fw1(config)# isakmp policy 10 group 1
fw1(config)# isakmp policy 10 lifetime 86400

- Creates a policy suite grouped by priority number (lower numbers are tried first)
- Creates policy suites that match peers
- Can use default values
This example uses the "Strong" column of the Phase 1 table (DES, DH group 1); production tunnels should use the "Stronger" column.

Configure a Tunnel Group

firewall(config)# tunnel-group name type type
- Names the tunnel group
- Defines the type of VPN connection that is to be established

fw1(config)# tunnel-group type ipsec-l2l

The group name is missing from the transcript. For an ipsec-l2l group that authenticates with a pre-shared key, name the group with the IP address of the peer security appliance: the appliance looks the group up by the peer's address when the IKE negotiation arrives, and a group with any other name is not found.

Configure Tunnel Group Attributes: Pre-Shared Key

firewall(config)# tunnel-group name [general-attributes | ipsec-attributes]
- Enters the tunnel-group ipsec-attributes subconfiguration mode
firewall(config-ipsec)# pre-shared-key key
- Associates a pre-shared key with the connection policy

fw1(config)# tunnel-group ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123

(Figure: Security Appliance 1 and Security Appliance 6 both carry the key cisco123.) The key must be identical on both peers; cisco123 is a classroom value, not a key to deploy.

Verify IKE Phase 1 Policy

fw1# show run crypto isakmp
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

- Displays configured and default IKE protection suites
- This output shows a 3DES / DH group 2 policy, not the DES / DH group 1 policy entered on the earlier slide; check the output against the policy you meant to configure, because the peers negotiate only a suite that matches on both sides.

Task 3: Configure IPSec Parameters
Task 3: Configure IPSec
- Step 1: Configure interesting traffic: NAT 0 and ACL (access-list 101 permit; nat 0).
- Step 2: Configure IPSec transform set suites (crypto ipsec transform-set).
- Step 3: Configure the crypto map (crypto map).
- Step 4: Apply the crypto map (crypto map map-name interface interface-name).

Configure Interesting Traffic

fw1(config)# access-list 101 permit ip
- permit = encrypt
- deny = do not encrypt

(Figure: traffic between Site 1 and Site 2 is encrypted in both directions. The source and destination networks of the ACL are not present in the transcript.)

Example: Crypto ACLs

Crypto ACLs are symmetrical: what Security Appliance 1 permits from Site 1 to Site 2, Security Appliance 6 permits from Site 2 to Site 1.

Security Appliance 1 (fw1)
fw1# show run access-list
access-list 101 permit ip

Security Appliance 6 (fw6)
fw6# show run access-list
access-list 101 permit ip

Configure Interesting Traffic: NAT 0

fw1(config)# nat (inside) 0 access-list 101
- Traffic that matches the crypto ACL is not translated on either appliance, so the peer sees the real inside addresses.

Configure an IPSec Transform Set

firewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2]
- Sets are limited to two transforms
- Default mode is tunnel
- Configures matching sets between IPSec peers

fw1(config)# crypto ipsec transform-set fw6 esp-des esp-md5-hmac

Available IPSec Transforms

esp-des        ESP transform using DES cipher (56 bits)
esp-3des       ESP transform using 3DES cipher (168 bits)
esp-aes        ESP transform using AES-128 cipher
esp-aes-192    ESP transform using AES-192 cipher
esp-aes-256    ESP transform using AES-256 cipher
esp-md5-hmac   ESP transform using HMAC-MD5 auth
esp-sha-hmac   ESP transform using HMAC-SHA auth
esp-none       ESP no authentication
esp-null       ESP null encryption

Configure the Crypto Map

fw1(config)# crypto map FW1MAP 10 match address 101
fw1(config)# crypto map FW1MAP 10 set peer
fw1(config)# crypto map FW1MAP 10 set transform-set pix6
fw1(config)# crypto map FW1MAP 10 set security-association lifetime seconds 28800

- Specifies IPSec (IKE Phase 2) parameters
- Maps names and sequence numbers of group entries into a policy
- The peer address after set peer is not present in the transcript. The transform-set name must be one created with crypto ipsec transform-set; the earlier slide created the set as fw6, while this crypto map references pix6.

Apply the Crypto Map to an Interface

firewall(config)# crypto map map-name interface interface-name
- Applies the crypto map to an interface
- Activates IPSec policy

fw1(config)# crypto map FW1MAP interface outside

Example: Crypto Map for Security Appliance 1

Security Appliance 1 (fw1)
fw1# show run crypto map
crypto map FW1MAP 10 match address 101
crypto map FW1MAP 10 set peer
crypto map FW1MAP 10 set transform-set pix6
crypto map FW1MAP interface outside

Example: Crypto Map for Security Appliance 6

Security Appliance 6 (fw6)
fw6# show run crypto map
crypto map FW1MAP 10 match address 101
crypto map FW1MAP 10 set peer
crypto map FW1MAP 10 set transform-set pix1
crypto map FW1MAP interface outside

Task 4: Test and Verify VPN Configuration
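The complete two-peer configuration that the tunnel-group commands and Tasks 2 and 3 above build, followed by the Task 4 checks, as an added example rather than a slide from the course. Addresses, names and the pre-shared key are assumed: fw1 has outside address 192.0.2.1 and inside network 10.1.1.0/24, fw6 has outside address 198.51.100.6 and inside network 10.6.6.0/24, and the crypto ACLs protect traffic between those two inside networks. It uses the "Stronger" column of the IKE policy table (AES-256, SHA, DH group 5, lifetime under 86,400) instead of the DES / DH group 1 values on the slides, and each ipsec-l2l tunnel group is named by the peer's outside address, as pre-shared-key authentication requires.

```cisco
! ===== Security Appliance 1 (fw1): outside 192.0.2.1, inside 10.1.1.0/24 (assumed) =====
hostname fw1
! Task 2, Step 1: enable IKE only on the interface that terminates the tunnel
isakmp enable outside
isakmp identity address
! Task 2, Step 2: IKE Phase 1 policy from the "Stronger" column
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 28800
! Task 2, Steps 3 and 4: the ipsec-l2l tunnel group is named after the peer's address;
! the key is a constructed sample and must be identical on fw6
tunnel-group 198.51.100.6 type ipsec-l2l
tunnel-group 198.51.100.6 ipsec-attributes
 pre-shared-key 7Gq2vX9mLp4sRt8wKz3nBh6yJd1fCe5a
! Task 3, Step 1: interesting traffic (permit = encrypt) and NAT exemption for it
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.6.6.0 255.255.255.0
nat (inside) 0 access-list 101
! Task 3, Step 2: transform set (tunnel mode is the default)
crypto ipsec transform-set FW6SET esp-aes-256 esp-sha-hmac
! Task 3, Step 3: crypto map entry tying the ACL, the peer and the transform set together
crypto map FW1MAP 10 match address 101
crypto map FW1MAP 10 set peer 198.51.100.6
crypto map FW1MAP 10 set transform-set FW6SET
crypto map FW1MAP 10 set security-association lifetime seconds 28800
! Task 3, Step 4: activate the policy on the outside interface
crypto map FW1MAP interface outside
! Task 1, Step 4 (optional): let decrypted tunnel traffic bypass the interface ACLs
! (spelled permit-vpn on releases after 7.0)
sysopt connection permit-ipsec

! ===== Security Appliance 6 (fw6): outside 198.51.100.6, inside 10.6.6.0/24 (assumed) =====
hostname fw6
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 28800
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key 7Gq2vX9mLp4sRt8wKz3nBh6yJd1fCe5a
! mirror image of fw1's crypto ACL: source and destination networks swap
access-list 101 permit ip 10.6.6.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set FW1SET esp-aes-256 esp-sha-hmac
crypto map FW6MAP 10 match address 101
crypto map FW6MAP 10 set peer 192.0.2.1
crypto map FW6MAP 10 set transform-set FW1SET
crypto map FW6MAP 10 set security-association lifetime seconds 28800
crypto map FW6MAP interface outside
sysopt connection permit-ipsec

! ===== Task 4, on either appliance =====
! send interesting traffic first (for example a ping from a 10.1.1.0/24 host to a
! 10.6.6.0/24 host) so that IKE Phase 1 and Phase 2 are triggered, then check
show run access-list
show run isakmp
show run tunnel-group
show run ipsec
show run crypto map
show isakmp sa
show crypto ipsec sa
! if no SA appears, clear both SA tables and watch the negotiation
clear crypto isakmp sa
clear crypto ipsec sa
debug crypto isakmp
debug crypto ipsec
```

The two crypto ACLs are mirror images, the IKE policies and transform sets match field for field, the SA lifetimes agree, and each tunnel group is named by the other side's outside address; a mismatch in any one of these is the usual reason debug crypto isakmp shows a Phase 1 or Phase 2 proposal being rejected. The pre-shared key shown is a constructed value: generate your own and exchange it out of band.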
- Verify ACLs and interesting traffic: show run access-list
- Verify correct IKE configuration: show run isakmp, show run tunnel-group
- Verify correct IPSec configuration: show run ipsec
- Verify correct crypto map configuration: show run crypto map
- Clear IPSec SA: clear crypto ipsec sa
- Clear IKE SA: clear crypto isakmp sa
- Debug IKE and IPSec traffic through the security appliance: debug crypto ipsec, debug crypto isakmp

Scale Security Appliance VPNs
CA Server Fulfilling Requests from IPSec Peers

Each IPSec peer individually enrolls with the CA server.

Enroll a Security Appliance with a CA
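The enrollment sequence listed next, expressed as security appliance commands, added here as an example and not taken from the course. The trustpoint name VPNCA, the key label FW1KEY, the subject name, the CA's SCEP enrollment URL and the peer address 198.51.100.6 that names the tunnel group are all assumed. The last lines switch IKE Phase 1 from pre-shared keys to RSA signatures (the "Stronger" column) using the trust-point and peer-id-validate subcommands that the tunnel-group ipsec-attributes slide lists.

```cisco
! Step 1: generate the RSA key pair the certificate will be bound to (label and size assumed)
crypto key generate rsa label FW1KEY modulus 2048
! Describe the CA (enrollment URL assumed) and which key pair and subject to enroll with
crypto ca trustpoint VPNCA
 enrollment url http://ca.example.com/cgi-bin/pkiclient.exe
 keypair FW1KEY
 subject-name CN=fw1.example.com,O=Example
 exit
! Step 2: obtain the CA's public key and certificate. The appliance prints the CA certificate
! fingerprint and asks for confirmation: compare it with the value obtained from the CA
! administrator out of band before accepting, otherwise any CA could be installed here
crypto ca authenticate VPNCA
! Step 3: request a signed certificate. Step 4 happens at the CA, where the administrator
! verifies the request and returns the signed certificate that this command installs
crypto ca enroll VPNCA
! Switch IKE Phase 1 authentication to RSA signatures and point the tunnel group at the
! trustpoint; peer-id-validate req requires the peer's identity to be validated against its certificate
isakmp policy 10 authentication rsa-sig
tunnel-group 198.51.100.6 ipsec-attributes
 no pre-shared-key
 trust-point VPNCA
 peer-id-validate req
```

Both peers run the same sequence against the same CA, which is what lets the number of peers grow without distributing a pre-shared key to every pair: each new appliance needs only its own certificate and the CA certificate, not a key for every other peer.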
1. The security appliance generates a public and private key pair.
2. The security appliance obtains the public key and certificate from the CA.
3. The security appliance requests a signed certificate from the CA.
4. The CA administrator verifies the request and sends the signed certificate.

Summary

- A VPN is a service that offers secure, reliable connectivity over a shared public network infrastructure such as the Internet.
- Cisco security appliances enable a secure VPN.
- IPSec configuration tasks include configuring IKE and IPSec parameters.
- CAs enable scaling to a large number of IPSec peers.