
VPN

Virtual Private Networks (VPN)

Why Have VPNs?

Virtual Private Networking

VPN Tunnels and Encryption

Use VPNs with a Variety of Devices

Cisco VPN Solution Ecosystem

VPN Types

Remote-access
Client-initiated
Network access server

Site-to-site
Intranet
Extranet

Remote-Access VPN Solutions

Site-to-Site VPN Solutions

Encryption at Several Layers

Tunneling Protocols

VPN Protocols

Selecting Layer 3 VPN Tunnel Options

Identifying Key VPN Terms

Tunnel
Encryption and decryption
Cryptosystem
Hashing
Authentication
Authorization
Key management
CA (certification authority) service

Identifying Key IPSec VPN Terms

AH: Authentication Header
ESP: Encapsulating Security Payload
IKE: Internet Key Exchange
ISAKMP: Internet Security Association and Key Management Protocol
SA: Security association
AAA: Authentication, authorization, and accounting
TACACS+: Terminal Access Controller Access Control System Plus
RADIUS: Remote Authentication Dial-In User Service

Cisco IOS Cryptosystem Overview

Cryptosystem Overview


Ron Rivest, Adi Shamir, and Leonard Adleman (RSA)


Symmetric Encryption

Asymmetric Encryption

Key Exchange: Diffie-Hellman Overview

Hashing

IPSec Technologies

IPSec: Interoperable Encryption and Authentication

Tunnel versus Transport Mode

Security Association

Five Steps of IPSec

How IPSec uses IKE

IKE and IPSec Flowchart

Tasks to Configure IPSec

Task 1: Prepare for IKE and IPSec
Step 1: Determine IKE (IKE phase 1) policy
Step 2: Determine IPSec (IKE phase 2) policy
Step 3: Check the current configuration
Step 4: Ensure that the network works without encryption
Step 5: Ensure that access lists are compatible with IPSec

Task 2: Configure IKE
Step 1: Enable or disable IKE
Step 2: Create IKE policies
Step 3: Configure ISAKMP identity
Step 4: Configure preshared keys
Step 5: Verify IKE configuration

Tasks to Configure IPSec (cont.)

Task 3: Configure IPSec
Step 1: Configure transform set suites
Step 2: Configure global IPSec SA lifetimes
Step 3: Create crypto ACLs
Step 4: Create crypto ACLs using extended access lists
Step 5: Create crypto maps
Step 6: Configure IPSec crypto maps

Task 4: Test and Verify IPSec

Task 1: Prepare for IKE and IPSec

Step 1: Determine IKE (IKE phase one) policy.
Step 2: Determine IPSec (IKE phase two) policy.
Step 3: Check the current configuration:
show running-configuration
show crypto isakmp policy
show crypto map
Step 4: Ensure the network works without encryption:
ping
Step 5: Ensure access lists are compatible with IPSec:
show access-lists

Step 1: Determine IKE (IKE Phase 1) Policy

Determine the following policy details:
Key distribution method
Authentication method
IPSec peer IP addresses and hostnames
IKE phase 1 policies for all peers
Encryption algorithm
Hash algorithm
IKE SA lifetime
Goal: Minimize misconfiguration

IKE Phase 1 Policy Parameters

Step 2: Determine IPSec (IKE Phase 2) Policy

Determine the following policy details:
IPSec algorithms and parameters for optimal security and performance
Transforms and, if necessary, transform sets
IPSec peer details
IP address and applications of hosts to be protected
Manual or IKE-initiated SAs
Goal: Minimize misconfiguration

IPSec Transforms Supported in Cisco IOS Software

IPSec Policy Example

Identify IPSec Peers

Step 3: Check Current Configuration

Step 4: Ensure the Network Works

Step 5: Ensure that Access Lists are Compatible with IPSec

Task 2: Configure IKE

Step 1: Enable or disable IKE.
crypto isakmp enable
Step 2: Create IKE policies.
crypto isakmp policy
Step 3: Configure ISAKMP identity.
crypto isakmp identity
Step 4: Configure pre-shared keys.
crypto isakmp key
Step 5: Verify the IKE configuration.
show crypto isakmp policy

Step 1: Enable IKE

Step 2: Create IKE Policies

Create IKE Policies with the crypto isakmp Command

IKE Policy Negotiation

Step 3: Configure ISAKMP Identity

Step 4: Configure Preshared Keys

Step 5: Verify IKE Configuration

Task 3: Configure IPSec

Step 1: Configure transform set suites.
crypto ipsec transform-set
Step 2: Configure global IPSec SA lifetimes.
crypto ipsec security-association lifetime
Step 3: Create crypto ACLs using extended access lists.
Step 4: Configure IPSec crypto maps.
crypto map
Step 5: Apply crypto maps to interfaces.
crypto map map-name

Step 1: Configure Transform Sets

Transform Set Negotiation

Step 2: Configure Global IPSec Security Association Lifetimes

Purpose of Crypto Access Lists

Step 3: Create Crypto ACLs using Extended Access Lists

Configure Symmetric Peer Crypto Access Lists

Purpose of Crypto Maps

Crypto maps pull together the various parts configured for IPSec, including:
The traffic to be protected by IPSec and a set of SAs
The local address to be used for the IPSec traffic
The destination location of IPSec-protected traffic
The IPSec type to be applied to this traffic
The method of establishing SAs (manually or via IKE)
Other parameters needed to define an IPSec SA

Crypto Map Parameters

Step 4: Configure IPSec Crypto Maps

Example Crypto Map Commands

Step 5: Apply Crypto Maps to Interfaces

IPSec Configuration Examples

Task 4: Test and Verify IPSec

Display your configured IKE policies:
show crypto isakmp policy (show isakmp policy on a PIX)
Display your configured transform sets:
show crypto ipsec transform-set
Display Phase 1 security associations:
show crypto isakmp sa (show isakmp sa on a PIX)
Display the current state of your IPSec SAs:
show crypto ipsec sa
Display your configured crypto maps:
show crypto map
Enable debug output for IPSec events:
debug crypto ipsec
Enable debug output for ISAKMP events:
debug crypto isakmp
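As an added worked example, not a slide from the original deck, the Cisco IOS configuration below carries Tasks 2 and 3 through on one peer and ends with the Task 4 show commands used to confirm the tunnel. The peer addresses, subnets, object names and the <PSK> placeholder are assumptions chosen for illustration.

```cisco
! Added example: one IOS peer at 203.0.113.1 talking to 203.0.113.2,
! protecting 10.1.1.0/24 <-> 10.2.2.0/24 (all values hypothetical).
!
! Task 2, Step 1: enable IKE (on by default; shown for completeness)
crypto isakmp enable
! Task 2, Step 2: IKE phase 1 policy (encryption, hash, auth, DH group, SA lifetime)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Task 2, Step 3: ISAKMP identity (IP address is the default)
crypto isakmp identity address
! Task 2, Step 4: pre-shared key bound to the remote peer address
crypto isakmp key <PSK> address 203.0.113.2
!
! Task 3, Step 1: transform set (ESP with AES-256 and SHA-256 HMAC, tunnel mode)
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
! Task 3, Step 2: global IPSec SA lifetime
crypto ipsec security-association lifetime seconds 3600
! Task 3, Step 3: crypto ACL selecting the traffic to protect;
! the remote peer must carry the mirror-image ACL
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! Task 3, Step 4: crypto map ties peer, transform set and crypto ACL together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 match address VPN-TRAFFIC
! Task 3, Step 5: apply the crypto map to the outside interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
!
! Task 4: verify after sending interesting traffic (e.g. ping 10.2.2.1 from 10.1.1.0/24)
! show crypto isakmp policy
! show crypto ipsec transform-set
! show crypto isakmp sa       <- phase 1 SA to 203.0.113.2 should show QM_IDLE
! show crypto ipsec sa        <- #pkts encaps / #pkts decaps should increase
! show crypto map
```

Without the mirror-image crypto ACL on the remote peer, phase 2 negotiation fails even though phase 1 completes, so check show crypto isakmp sa and show crypto ipsec sa separately.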

show crypto isakmp policy

show crypto ipsec transform-set

show crypto isakmp sa

show crypto ipsec sa

show crypto map

clear commands

debug crypto

Crypto System Error Messages for ISAKMP
