Virtual Private Network Configuration

Lesson 9: Virtual Private Network Configuration
2005 Cisco Systems, Inc. All rights reserved. SNPA v4.011-1

Secure VPNs

VPN Overview
- Intranet VPN: low-cost, tunneled connections with rich VPN services, which lead to cost savings and new applications.
- Remote access VPN: cost-saving.
- Extranet VPN: extends WANs to business partners, which leads to new applications and business models.
[Figure: a home office, a remote office and a mobile worker reach the main office through ISP POPs over the VPN; a business partner connects over the extranet VPN.]

IPSec Enables Security Appliance VPN Features
IPSec across the Internet provides:
- Data confidentiality
- Data integrity
- Data authentication
- Anti-replay

What Is IPSec?
- An IETF standard that enables encrypted communication between peers.
- Consists of open standards for securing private communications.
- Network layer encryption that ensures data confidentiality, integrity, and authentication.
- Scales from small to very large networks.
- Included in PIX Firewall v5.0 and later.

IPSec Standards Supported by the Security Appliance
ESP, IKE, DES, 3DES, AES, DH, MD5, SHA, RSA signatures, CAs

How IPSec Works
Five Steps of IPSec
[Figure: Host A, Security Appliance A, Security Appliance B, Host B]
1. Interesting traffic: the VPN devices recognize the traffic to protect.
2. IKE Phase 1: the VPN devices negotiate an IKE security policy and establish a secure channel.
3. IKE Phase 2: the VPN devices negotiate an IPSec security policy to protect IPSec data.
4. Data transfer: the VPN devices apply security services to the traffic, then transmit it.
5. Tunnel terminated: the tunnel is torn down.

Step 1: Interesting Traffic
[Figure: Host A, Security Appliance A, Security Appliance B, Host B; traffic that matches the policy is marked "Apply IPSec", everything else "Send in Clear Text".]

Step 2: IKE Phase 1
[Figure: Security Appliance A and Security Appliance B negotiate the policy.]
IKE Phase 1, main mode exchange:
- Negotiate the policy
- DH exchange
- Verify the peer identity
IKE Phase 1 Policy Sets
[Figure: Host A, Security Appliance A, Security Appliance B, Host B; the appliances negotiate IKE proposals.]
- Policy set 10: DES, MD5, pre-share, DH1, lifetime
- Policy set 15: DES, MD5, pre-share, DH1, lifetime
- Policy set 20: 3DES, SHA, pre-share, DH1, lifetime
Negotiates matching IKE transform sets to protect the IKE exchange.

DH Key Exchange
[Figure: Terry and Alex each combine the other's public key with their own private key (Public Key B + Private Key A on one side, Public Key A + Private Key B on the other) and arrive at the same shared secret key. That key then encrypts a cheque, "Pay to Terry Smith $100.00, One Hundred and xx/100 Dollars", into ciphertext on one side and decrypts the same ciphertext back into the cheque on the other.]
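The exchange the figure describes, worked through in Python as an added example that is not part of the Cisco course material. It uses the MODP groups the slides call DH group 1 (768-bit) and DH group 2 (1024-bit) from RFC 2409 and the SKEYID derivation for pre-shared-key authentication from RFC 2409 section 5; the pre-shared key, nonces and cookies are constructed for the example, and the code models the arithmetic rather than the ISAKMP packet format. The two modulus constants are the example author's transcription of the RFC values, so the block checks them with a Fermat test before use.

```python
"""IKE phase 1 Diffie-Hellman exchange between two peers (added example)."""
from __future__ import annotations
import hashlib
import hmac
import secrets

# RFC 2409 "First Oakley Group" (group 1, 768-bit) and "Second Oakley Group"
# (group 2, 1024-bit), generator 2.  Transcribed by the example's author and
# verified below with a Fermat test so a typo is caught rather than used.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUPS = {1: GROUP1_P, 2: GROUP2_P}
GENERATOR = 2


def is_probable_prime(p: int) -> bool:
    """Fermat test to base 2: enough to catch a mistyped modulus."""
    return p > 2 and p % 2 == 1 and pow(2, p - 1, p) == 1


def valid_public_value(group: int, y: int) -> bool:
    """Reject 0, 1 and p-1: they force a trivial shared secret."""
    return 1 < y < GROUPS[group] - 1


def dh_keypair(group: int) -> tuple[int, int]:
    """Return (private exponent x, public value g^x mod p)."""
    p = GROUPS[group]
    x = secrets.randbelow(p - 2) + 1          # x in [1, p-2]
    return x, pow(GENERATOR, x, p)


def dh_shared_secret(group: int, my_private: int, peer_public: int) -> int:
    """g^xy mod p, after validating what the peer sent."""
    if not valid_public_value(group, peer_public):
        raise ValueError("invalid peer public value")
    return pow(peer_public, my_private, GROUPS[group])


def skeyid_psk(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication: prf(psk, Ni_b | Nr_b), prf = HMAC-SHA1."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha1).digest()


def skeyid_d(skeyid: bytes, group: int, shared: int, cky_i: bytes, cky_r: bytes) -> bytes:
    """SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0): seeds the phase 2 keys."""
    gxy = shared.to_bytes((GROUPS[group].bit_length() + 7) // 8, "big")
    return hmac.new(skeyid, gxy + cky_i + cky_r + b"\x00", hashlib.sha1).digest()


def phase1_exchange(group: int, psk: bytes) -> dict:
    """Run both sides of the exchange and report whether they agree."""
    xi, yi = dh_keypair(group)                                   # initiator
    xr, yr = dh_keypair(group)                                   # responder
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)    # nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    # Each side combines its own private exponent with the other's public value.
    secret_i = dh_shared_secret(group, xi, yr)
    secret_r = dh_shared_secret(group, xr, yi)
    # SKEYID needs only the pre-shared key and nonces; SKEYID_d mixes in g^xy.
    keyid_i = skeyid_d(skeyid_psk(psk, ni, nr), group, secret_i, cky_i, cky_r)
    keyid_r = skeyid_d(skeyid_psk(psk, ni, nr), group, secret_r, cky_i, cky_r)
    return {
        "modulus_bits": GROUPS[group].bit_length(),
        "secrets_match": secret_i == secret_r,
        "skeyid_d_match": keyid_i == keyid_r,
        "skeyid_d": keyid_i.hex(),
    }


if __name__ == "__main__":
    for g in (1, 2):
        print(g, phase1_exchange(g, b"cisco123"))
```

Run the file and both groups report matching secrets; the `modulus_bits` field makes the point of the later "DH group 1 versus group 2" choice concrete, since the 768-bit group offers far less work to an attacker than the 1024-bit one.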
Authenticate Peer Identity
[Figure: Remote Office (Security Appliance A) and Corporate Office (Security Appliance B, HR servers) connected across the Internet.]
Peer authentication methods:
- Pre-shared keys
- RSA signature
- DSA signature

Step 3: IKE Phase 2
[Figure: Host A, Security Appliance A, Security Appliance B, Host B; the appliances negotiate IPSec security parameters.]

IPSec Transform Sets
[Figure: Host A, Security Appliance A, Security Appliance B, Host B; the appliances negotiate transform sets.]
- Transform set 30: ESP, 3DES, SHA, tunnel, lifetime
- Transform set 55: ESP, 3DES, SHA, tunnel, lifetime
- Transform set 40: ESP, DES, MD5, tunnel, lifetime
A transform set is a combination of algorithms and protocols that enacts a security policy for traffic.

SAs, SAD, and SPD
[Figure: two security appliances across the Internet, each holding its SAD and SPD; a bank is the protected destination.]
- Security association database (SAD) entries: destination IP address, SPI, protocol.
- Security policy database (SPD) entries: encryption algorithm, authentication algorithm, mode, key lifetime.
Example entries:
- SPI 12: ESP/3DES/SHA, tunnel, 28800
- SPI 39: ESP/DES/MD5, tunnel, 28800
SA lifetime is data-based or time-based.

Step 4: IPSec Session
[Figure: Security Appliance A, Security Appliance B, Host A, Host B with the IPSec session between the appliances.]
- SAs are exchanged between peers.
- The negotiated security services are applied to the traffic.

Step 5: Tunnel Termination
[Figure: Security Appliance A, Security Appliance B, Host A, Host B; the IPSec tunnel is torn down.]
A tunnel is terminated:
- when the SA lifetime timer expires (time-based lifetime), or
- when the data counter is exceeded (data-based lifetime, configured in kilobytes on the security appliance).
Termination removes the IPSec SA.

Configure VPN Connection Parameters
tunnel-group Command
To create and manage the database of connection-specific records for IPSec, use the tunnel-group command in global configuration mode. The tunnel-group command has the following subcommands:
- tunnel-group general-attributes
- tunnel-group ipsec-attributes

firewall(config)# tunnel-group name type type

fw1(config)# tunnel-group training type ipsec-l2l

tunnel-group general-attributes Command
The general-attributes sub-configuration mode is used to configure settings that are common to all supported tunneling protocols. The tunnel-group general-attributes command has the following subcommands:
- accounting-server-group
- address-pool
- authentication-server-group
- authorization-server-group
- default-group-policy
- dhcp-server
- strip-group
- strip-realm

firewall(config)# tunnel-group name general-attributes

fw1(config)# tunnel-group training general-attributes
fw1(config-general)#

tunnel-group ipsec-attributes Command
The ipsec-attributes sub-configuration mode is used to configure settings that are specific to the IPSec tunneling protocol. The tunnel-group ipsec-attributes command has the following subcommands:
- authorization-dn-attributes
- authorization-required
- chain
- client-update
- isakmp keepalive
- peer-id-validate
- pre-shared-key
- radius-with-expiry
- trust-point

firewall(config)# tunnel-group name ipsec-attributes

fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)#

IPSec Configuration Tasks

Configuring IPSec Encryption
- Task 1: Prepare to configure VPN support.
- Task 2: Configure IKE parameters.
- Task 3: Configure IPSec parameters.
- Task 4: Test and verify the VPN configuration.

Task 1: Prepare to Configure VPN Support
Task 1: Prepare for IKE and IPSec
- Step 1: Determine the IKE (IKE Phase 1) policy.
- Step 2: Determine the IPSec (IKE Phase 2) policy.
- Step 3: Ensure that the network works without encryption.
- Step 4: (Optional) Implicitly permit IPSec packets to bypass security appliance ACLs and access groups (the sysopt connection permit-ipsec command).

Determine IKE Phase 1 Policy

Parameter               Strong            Stronger
Encryption algorithm    DES               3DES or AES
Hash algorithm          MD5               SHA-1
Authentication method   Pre-share         RSA signature
Key exchange            DH group 1        DH group 2 or 5
IKE SA lifetime         86,400 seconds    less than 86,400 seconds

The "Strong" column reflects 2005 guidance: DES, MD5 and DH group 1 are no longer considered adequate and should not be chosen for new deployments.

Determine IPSec (IKE Phase 2) Policy
[Figure: Security Appliance 1 at Site 1 and Security Appliance 6 at Site 2, connected across the Internet.]

Policy                                   Site 1             Site 2
Transform set                            ESP-DES, tunnel    ESP-DES, tunnel
Peer security appliance IP address
Encrypting hosts
Traffic (packet type) to be encrypted    IP                 IP

Task 2: Configure IKE Parameters
Task 2: Configure IKE
- Step 1: Enable or disable IKE.
- Step 2: Configure the IKE Phase 1 policy.
- Step 3: Configure a tunnel group.
- Step 4: Configure the tunnel group attributes (pre-shared key).
- Step 5: Verify the IKE Phase 1 policy.

Enable or Disable IKE
[Figure: Security Appliance 1 (Site 1) and Security Appliance 6 (Site 2) across the Internet.]
firewall(config)# isakmp enable interface-name
- Enables IKE on the named security appliance interface; the no form disables it.
- Disable IKE on interfaces not used for IPSec.

fw1(config)# isakmp enable outside

Configure IKE Phase 1 Policy
[Figure: Security Appliance 1 (Site 1) and Security Appliance 6 (Site 2) across the Internet.]
fw1(config)# isakmp policy 10 encryption des
fw1(config)# isakmp policy 10 hash sha
fw1(config)# isakmp policy 10 authentication pre-share
fw1(config)# isakmp policy 10 group 1
fw1(config)# isakmp policy 10 lifetime 86400
- Creates a policy suite grouped by priority number.
- Creates policy suites that match the peer's.
- Can use default values.

Configure a Tunnel Group
[Figure: Security Appliance 1 (Site 1) and Security Appliance 6 (Site 2); each side has an L2L IPSec tunnel group.]
firewall(config)# tunnel-group name type type
- Names the tunnel group.
- Defines the type of VPN connection that is to be established.

fw1(config)# tunnel-group type ipsec-l2l

Configure Tunnel Group Attributes: Pre-Shared Key
[Figure: Security Appliance 1 (Site 1) and Security Appliance 6 (Site 2); the tunnel group on each side uses the ISAKMP key cisco123.]
firewall(config)# tunnel-group name [general-attributes | ipsec-attributes]
- Enters tunnel-group ipsec-attributes sub-configuration mode.
firewall(config-ipsec)# pre-shared-key key
- Associates a pre-shared key with the connection policy. The same key must be configured on both peers.

fw1(config)# tunnel-group ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123

Verify IKE Phase 1 Policy
[Figure: Security Appliance 1 (Site 1) and Security Appliance 6 (Site 2) across the Internet.]
fw1# show run crypto isakmp
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
- Displays the configured and default IKE protection suites.

Task 3: Configure IPSec Parameters
Task 3: Configure IPSec
- Step 1: Configure interesting traffic: crypto ACL and NAT 0 (access-list 101 permit ..., nat 0).
- Step 2: Configure IPSec transform set suites (crypto ipsec transform-set).
- Step 3: Configure the crypto map (crypto map).
- Step 4: Apply the crypto map (crypto map map-name interface interface-name).

Configure Interesting Traffic
[Figure: Site 1 and Site 2 across the Internet; traffic between the two sites is encrypted by both security appliances.]
fw1(config)# access-list 101 permit ip
- permit = encrypt
- deny = do not encrypt

Example: Crypto ACLs
[Figure: Site 1, Site 2 and the Internet.]
Lists are symmetrical: the crypto ACL on each security appliance is the mirror image of the other's (the source and destination swap).
Security Appliance 1 (fw1):
fw1# show run access-list
access-list 101 permit ip
Security Appliance 6 (fw6):
fw6# show run access-list
access-list 101 permit ip

Configure Interesting Traffic: NAT 0
[Figure: Site 1 and Site 2 across the Internet; traffic matched by the crypto ACL is not translated on either side.]
fw1(config)# nat (inside) 0 access-list 101
The nat 0 statement exempts the traffic matched by the ACL from address translation, so packets reaching the crypto map still carry the real addresses that the peer's mirrored crypto ACL expects.

Configure an IPSec Transform Set
[Figure: Security Appliance 1 (Site 1) and Security Appliance 6 (Site 2) across the Internet.]
firewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2]
- Sets are limited to two transforms.
- The default mode is tunnel.
- Configure matching sets on both IPSec peers.

fw1(config)# crypto ipsec transform-set fw6 esp-des esp-md5-hmac

Available IPSec Transforms
- esp-des: ESP transform using the DES cipher (56 bits)
- esp-3des: ESP transform using the 3DES cipher (168 bits)
- esp-aes: ESP transform using the AES-128 cipher
- esp-aes-192: ESP transform using the AES-192 cipher
- esp-aes-256: ESP transform using the AES-256 cipher
- esp-md5-hmac: ESP transform using HMAC-MD5 authentication
- esp-sha-hmac: ESP transform using HMAC-SHA authentication
- esp-none: ESP with no authentication
- esp-null: ESP with null encryption

Configure the Crypto Map
[Figure: Security Appliance 1 (Site 1) and Security Appliance 6 (Site 2) across the Internet.]
fw1(config)# crypto map FW1MAP 10 match address 101
fw1(config)# crypto map FW1MAP 10 set peer
fw1(config)# crypto map FW1MAP 10 set transform-set pix6
fw1(config)# crypto map FW1MAP 10 set security-association lifetime seconds 28800
- Specifies the IPSec (IKE Phase 2) parameters.
- Maps names and sequence numbers of group entries into a policy.

Apply the Crypto Map to an Interface
[Figure: Security Appliance 1 (Site 1) and Security Appliance 6 (Site 2) across the Internet.]
firewall(config)# crypto map map-name interface interface-name
- Applies the crypto map to an interface.
- Activates the IPSec policy.

fw1(config)# crypto map FW1MAP interface outside

Example: Crypto Map for Security Appliance 1
[Figure: Site 1, Site 2 and the Internet.]
Security Appliance 1 (fw1):
fw1# show run crypto map
crypto map FW1MAP 10 match address 101
crypto map FW1MAP 10 set peer
crypto map FW1MAP 10 set transform-set pix6
crypto map FW1MAP interface outside

Example: Crypto Map for Security Appliance 6
[Figure: Site 1, Site 2 and the Internet.]
Security Appliance 6 (fw6):
fw6# show run crypto map
crypto map FW1MAP 10 match address 101
crypto map FW1MAP 10 set peer
crypto map FW1MAP 10 set transform-set pix1
crypto map FW1MAP interface outside

Task 4: Test and Verify VPN Configuration
Task 4: Test and Verify VPN Configuration
- Verify the ACLs and interesting traffic: show run access-list
- Verify the IKE configuration: show run isakmp, show run tunnel-group
- Verify the IPSec configuration: show run ipsec
- Verify the crypto map configuration: show run crypto map
- Clear the IPSec SAs: clear crypto ipsec sa
- Clear the IKE SAs: clear crypto isakmp sa
- Debug IKE and IPSec traffic through the security appliance: debug crypto ipsec, debug crypto isakmp

Scale Security Appliance VPNs
CA Server Fulfilling Requests from IPSec Peers
[Figure: a CA server serving several IPSec peers.]
Each IPSec peer individually enrolls with the CA server.

Enroll a Security Appliance with a CA
[Figure: a security appliance exchanging enrollment messages with a CA server.]
1. The security appliance generates a public and private key pair.
2. The security appliance obtains the public key and certificate from the CA.
3. The security appliance requests a signed certificate from the CA.
4. The CA administrator verifies the request and sends the signed certificate.

Summary
- A VPN is a service that offers secure, reliable connectivity over a shared public network infrastructure such as the Internet.
- Cisco security appliances enable a secure VPN.
- IPSec configuration tasks include configuring IKE and IPSec parameters.
- CAs enable scaling to a large number of IPSec peers.
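As an added end-to-end example covering Tasks 2 through 4 above (not part of the Cisco course material), the following Python generates the site-to-site configuration for both peers in the command order the slides use and then performs the cross-checks that Task 4 otherwise leaves to the eye: mirrored crypto ACLs, identical pre-shared keys, matching transform sets and IKE policies, and a warning for any algorithm from the "Strong" column of the Task 1 table. The site names, interface addresses, inside networks and pre-shared key are constructed for the example; the tunnel group is named after the peer's address, which is what the security appliance requires for LAN-to-LAN tunnels authenticated with pre-shared keys (the slides' lab omits that detail).

```python
"""Generate and cross-check an L2L IPsec configuration for two peers (added example)."""
from __future__ import annotations
import ipaddress
import re

# The "Strong" (weaker) column of the Task 1 table, plus the two ESP transforms
# that provide no authentication or no encryption at all.
WEAK_IKE = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "esp-none", "esp-null"}
IKE_ATTRS = ("encryption", "hash", "group", "lifetime")


def net(cidr: str) -> str:
    """'10.0.1.0/24' -> '10.0.1.0 255.255.255.0', as the access-list command expects."""
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address} {n.netmask}"


def l2l_config(site: dict) -> str:
    """Return one peer's VPN configuration lines (Task 2, then Task 3)."""
    ike, peer = site["ike"], site["peer_ip"]
    lines = [
        "isakmp enable outside",
        f"isakmp policy 10 encryption {ike['encryption']}",
        f"isakmp policy 10 hash {ike['hash']}",
        "isakmp policy 10 authentication pre-share",
        f"isakmp policy 10 group {ike['group']}",
        f"isakmp policy 10 lifetime {ike['lifetime']}",
        f"tunnel-group {peer} type ipsec-l2l",          # L2L + PSK: name is the peer address
        f"tunnel-group {peer} ipsec-attributes",
        f" pre-shared-key {site['psk']}",
        # Crypto ACL (permit = encrypt) and identity NAT for the same traffic.
        f"access-list {site['acl']} permit ip {net(site['inside'])} {net(site['peer_inside'])}",
        f"nat (inside) 0 access-list {site['acl']}",
        f"crypto ipsec transform-set {site['tset']} {' '.join(site['transforms'])}",
        f"crypto map {site['map']} 10 match address {site['acl']}",
        f"crypto map {site['map']} 10 set peer {peer}",
        f"crypto map {site['map']} 10 set transform-set {site['tset']}",
        f"crypto map {site['map']} interface outside",
    ]
    return "\n".join(lines) + "\n"


def parse(cfg: str) -> dict:
    """Pull the values that must agree between peers back out of the configuration text."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, cfg, re.M)
        if m is None:
            raise ValueError(f"missing: {pattern}")
        return m.group(1)
    acl = re.search(r"^access-list \S+ permit ip (\S+ \S+) (\S+ \S+)$", cfg, re.M)
    return {
        "acl": acl.groups() if acl else None,
        "psk": grab(r"^ pre-shared-key (\S+)$"),
        "transforms": tuple(grab(r"^crypto ipsec transform-set \S+ (.+)$").split()),
        "ike": {k: grab(rf"^isakmp policy 10 {k} (\S+)$") for k in IKE_ATTRS},
    }


def audit(cfg_a: str, cfg_b: str) -> tuple[list[str], list[str]]:
    """Return (errors that stop the tunnel coming up, warnings worth fixing)."""
    a, b = parse(cfg_a), parse(cfg_b)
    errors, warnings = [], []
    if a["acl"] is None or b["acl"] is None or a["acl"] != b["acl"][::-1]:
        errors.append("crypto ACLs are not mirror images")
    if a["psk"] != b["psk"]:
        errors.append("pre-shared keys differ")
    if a["transforms"] != b["transforms"]:
        errors.append("transform sets do not match")
    if any(a["ike"][k] != b["ike"][k] for k in ("encryption", "hash", "group")):
        errors.append("IKE phase 1 policies do not match")
    elif a["ike"]["lifetime"] != b["ike"]["lifetime"]:
        warnings.append("IKE lifetimes differ; the shorter one will be used")
    for name, p in (("A", a), ("B", b)):
        for attr, weak in WEAK_IKE.items():
            if p["ike"][attr] in weak:
                warnings.append(f"{name}: weak IKE {attr} {p['ike'][attr]}")
        for t in p["transforms"]:
            if t in WEAK_TRANSFORMS:
                warnings.append(f"{name}: weak IPsec transform {t}")
    return errors, warnings


# Constructed lab sites in the spirit of fw1 and fw6 on the slides.
SITE1 = dict(acl="101", map="FW1MAP", tset="fw6", psk="cisco123",
             inside="10.0.1.0/24", peer_inside="10.0.6.0/24", peer_ip="192.168.6.2",
             transforms=("esp-3des", "esp-sha-hmac"),
             ike=dict(encryption="3des", hash="sha", group="2", lifetime="86400"))
SITE6 = dict(SITE1, map="FW6MAP", tset="fw1",
             inside="10.0.6.0/24", peer_inside="10.0.1.0/24", peer_ip="192.168.1.2")

if __name__ == "__main__":
    cfg1, cfg6 = l2l_config(SITE1), l2l_config(SITE6)
    print(cfg1, cfg6, sep="\n")
    print(audit(cfg1, cfg6))
```

Feeding the two generated configurations to audit() returns no errors and no warnings; swapping one side's pre-shared key, or leaving the lab's esp-des / esp-md5-hmac transform set in place on one peer, produces the corresponding error or warning before anything is pasted into a live appliance.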