Official Lammle User Forum
Before I Move on
I would like to share my notes and reiterate the protocols and features of IPsec and VPNs. This will help share some knowledge with the forum, as well as make sure I know what I am talking about before I move on to the next part, which is network hardening in the Cisco Press ISCW Exam Certification Guide.
The need to connect teleworkers and enterprise extensions, along with SOHO sites, is an increasing demand. One way to provide this connectivity over a secure channel is to implement VPNs. VPNs are simply a tunnel or channel through which two sites can communicate. Older VPN technology consisted of PVCs and SVCs from Frame Relay or ATM, and even dedicated leased lines. It was hard to implement redundancy with this old technology without driving the cost way up. Site-to-site VPNs emerged to provide a full mesh of connectivity with only one or more connections to the Internet at each site.
VPNs use IPsec in order to transfer data securely. IPsec is a framework and suite of protocols consisting of IKE, ESP and AH, which provides data confidentiality (encryption), data integrity (hash functions), data authentication and anti-replay protection. Three protocols make up the IPsec framework for this secure connection.
IKE (Internet Key Exchange) is responsible for setting up the secure channel and negotiating policies and Security Associations. IKE is also responsible for exchanging Diffie-Hellman keys (RSA keys) (public/private keys) between peers. Two protocols that help IKE provide these functions are ISAKMP (Internet Security Association and Key Management Protocol) and Oakley. ISAKMP is responsible for setting up and negotiating policies and security associations. Oakley is responsible for exchanging keys. There are two mandatory phases of IKE: phase 1 and phase 2. In phase 1, IKE policies are negotiated and exchanged to create a secure channel for management traffic and to exchange DH keys. IKE phase 1 can run in aggressive mode or main mode. Main mode uses 6 messages (3 sent and 3 acks) to exchange the policies and DH keys. Aggressive mode uses 3 messages to exchange policies and is quicker than main mode. IKE phase 2 is responsible for setting up unidirectional SAs to protect the real data that is going to be transmitted.
ESP and AH (Encapsulating Security Payload and Authentication Header) are the other two IPsec protocols. ESP provides everything AH does, plus encryption, or data confidentiality. AH does not provide encryption. Both protocols, however, use HMAC (hash-based message authentication codes), which can be MD5 or SHA-1. MD5 takes a variable-length input and produces a fixed 128-bit output; SHA-1 produces 160 bits. SHA-1 is more accurate at detecting alteration of data than MD5, but SHA-1 is computationally slower.
IPsec can run in two modes: tunnel mode or transport mode. In tunnel mode, the data payload and IP header are protected by ESP or AH, and a new IP header is tagged after the ESP header. The new IP header hides the internal addressing and corresponds to the tunnel IP address. In transport mode the ESP or AH header is shimmed after the IP header and before the data, so only the data payload (transport layer and up) is protected. Hence the name transport mode.
A site-to-site VPN has a lifecycle, and the following steps explain it.
1) Interesting traffic (classified by an ACL) is transmitted and starts the secure VPN channel.
2) IKE phase 1: policies are negotiated and exchanged in either aggressive mode or main mode, and a bidirectional SA is created to set up and secure the management channel or traffic.
3) IKE phase 2 starts, and IPsec SAs and negotiation are exchanged to protect the actual data. IPsec transform sets define IKE phase 2.
4) Data sent securely: data is exchanged over a secure channel and benefits from the IPsec features.
5) Termination of the VPN channel: the VPN is torn down either manually or automatically by time.
Configuration of a site-to-site VPN can be summarized as follows:
1) IKE phase 1: specify the IKE policies to be used to secure management data.
2) IKE phase 2: specify the IPsec transform set to secure the real data.
3) Crypto ACL: create a mirrored ACL on both sides to specify the interesting traffic that gets the benefits of IPsec.
4) Create crypto map: create the crypto map, which encompasses the transform set and ACL. It also specifies the peer to exchange with.
5) Apply crypto map: apply the crypto map to the interface.
6)* Adjust NAT settings to keep the interesting traffic from being NATed across, and allow ESP/AH along with UDP 500 (ISAKMP) to be sent and received on an interface.
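As an added illustration (not from the original post), here is how those six steps might look in IOS on one side of a site-to-site tunnel. The LAN subnets (10.1.1.0/24 local, 10.2.2.0/24 remote), the peer addresses (198.51.100.1 local, 203.0.113.2 remote), the interface and object names are all constructed for the example, and the pre-shared key is a placeholder; the far side mirrors the crypto ACL and swaps the addresses.

```cisco
! Step 1 - IKE phase 1: ISAKMP policy that protects the management channel
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
! Step 2 - IKE phase 2: transform set that protects the real data
crypto ipsec transform-set TS_SITE esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 3 - crypto ACL: interesting traffic (mirrored on the far side)
ip access-list extended CRYPTO_ACL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 4 - crypto map ties the peer, transform set and ACL together
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS_SITE
 match address CRYPTO_ACL
!
! Step 5 - apply the crypto map to the outside interface
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE_IN in
 crypto map VPN_MAP
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Step 6 - NAT exemption: VPN traffic must keep its private addresses,
! otherwise it never matches the crypto ACL and goes out in the clear
ip access-list extended NAT_ACL
 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list NAT_ACL interface Serial0/0 overload
!
! Step 6 - admit ISAKMP (UDP 500), ESP and AH from the known peer only
ip access-list extended OUTSIDE_IN
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
 permit ahp host 203.0.113.2 host 198.51.100.1
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
```

The last OUTSIDE_IN entry covers IOS releases that re-check decrypted packets against the inbound ACL; it is harmless where that check no longer happens.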
IPsec can transfer data securely, but it creates a problem. When connecting two sites together or a teleworker, static routes must be used to point to where networks are. In a big environment this can become tedious and overwhelming. Before IOS 12.4(8), IPsec could not exchange routing protocols or multicast messages. Enterprises used an older technology originally created by Cisco called GRE. In the old days GRE was used to transfer non-IP traffic, such as IPX and AppleTalk, over an existing IP core. Today GRE tunneling is used to transfer routing protocols and multicast over a site-to-site VPN, which is still secured by IPsec. GRE uses a tunnel interface to accomplish this. GRE adds at minimum an extra 24 bytes to the IPsec data, which means the MTU needs to be adjusted to optimize performance. GRE can also be run in tunnel mode or transport mode. When using GRE over IPsec it is recommended to use transport mode, because it is essentially the same as tunnel mode when using IPsec. If you use GRE with tunnel mode, you are creating a lot of overhead, which can bog down your network.
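To show what changes when GRE is put underneath IPsec, here is an added example (again not from the original post) of the GRE-specific pieces on one router: the tunnel interface with the MTU adjustment, the transform set in transport mode, a crypto ACL that matches the GRE stream, and an IGP running over the tunnel. Addresses (198.51.100.1 and 203.0.113.2 for the peers, 172.16.0.0/30 for the tunnel, 10.1.1.0/24 for the LAN), names and the EIGRP AS number are constructed; the ISAKMP policy and pre-shared key are assumed to be configured as for a plain site-to-site tunnel.

```cisco
! The GRE tunnel carries the IGP and multicast; IPsec protects the GRE packets
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ! 24 bytes of GRE plus the ESP overhead no longer fit in 1500: lower the
 ! IP MTU and clamp TCP MSS so hosts do not rely on fragmentation
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
!
! Transport mode: the GRE delivery header is already the outer header, so
! a second outer IP header (tunnel mode) would only add 20 more bytes
crypto ipsec transform-set TS_GRE esp-aes 256 esp-sha-hmac
 mode transport
!
! Interesting traffic is now the GRE stream itself, not the LAN subnets
ip access-list extended GRE_ACL
 permit gre host 198.51.100.1 host 203.0.113.2
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS_GRE
 match address GRE_ACL
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map VPN_MAP
!
! Routing runs over the tunnel, so the static routes that plain IPsec
! needed for the remote subnets go away
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
 no auto-summary
```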
IPsec high availability options: Redundancy is always a plus in enterprise environments and production networks. IPsec can be deployed with other features to allow high availability of IPsec tunnels. There are two methods of availability or failover: stateful and stateless. Stateful failover involves using multiple hardware devices with the same IOS to mirror each other and fail over quickly to provide availability. Stateless failover uses keepalives to determine when one path has failed and switch over to the next.
For stateless failover, HSRP can be used to provide redundancy, along with an IGP in a GRE tunnel to treat the links as layer 3 links, and DPD (dead peer detection) can be used. Dead peer detection is an ISAKMP keepalive protocol and can either periodically send keepalives, or send keepalives whenever the device is suspected of failing.
For stateful failover, HSRP along with SSO (stateful switchover) can be used.
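The stateless variant, as an added example that is not part of the original post: DPD keepalives plus an HSRP group on the outside interface, with the crypto map bound to the HSRP group so the remote peer always talks to the virtual address. The addresses (198.51.100.0/29 for the head-end pair, .3 as the virtual IP), the group name and the crypto map name are constructed; the second head-end router has the same configuration with its own real address and a lower priority.

```cisco
! DPD: ISAKMP keepalive every 10 s, retried every 3 s once the peer is suspect.
! "on-demand" instead of "periodic" only probes when traffic to the peer stalls.
crypto isakmp keepalive 10 3 periodic
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.248
 ! HSRP virtual address that the remote peer uses as its "set peer"
 standby 1 ip 198.51.100.3
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN_HA
 ! Bind the crypto map to the HSRP group: IPsec is only active on the
 ! router that currently owns the virtual address, and the SAs are
 ! rebuilt from scratch on the standby after a failover (no state is shared)
 crypto map VPN_MAP redundancy VPN_HA
```

Because nothing is synchronised between the two routers, every tunnel renegotiates IKE phase 1 and 2 after a switchover; that rebuild time is the gap that stateful failover (HSRP with SSO) is meant to close.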
Creating IPsec VPNs can be wordy and CLI-lengthy. Cisco has created the Easy VPN solution to provide clients an easy way to connect to the VPN server. Instead of specifying policies for both sides, the server is configured by the admin with the policies it supports, and the Easy VPN Remote (client) dumps a set of policies to the server, hoping to negotiate on one.
The connection of the Easy VPN solution can be summarized as follows:
1) Client initiates IKE phase 1.
2) Client dumps a load of supported policies to the server.
3) Server accepts one of the preferred policies according to its priority.
4) Server asks for authentication credentials for VPN group membership.
5) Xauth and mode configuration are pushed down to the client.
6) Server optionally injects an RRI (reverse route injection).
7) IPsec (IKE phase 2) begins in quick mode.
I didn't go into configuration, but I do know how to configure them (see some of my other posts). But these are my notes from the top of my head (I have some more written down). Hope this helps some people.
Time to move on to network hardening, the last part of the exam cert guide. Hopefully I'll be ready to take the exam in a month or so.
-CCNA ----------------------Security +