Cisco VPN Solutions



© 2001, Cisco Systems, Inc.             1
Agenda



     • Introduction to IPSec
     • IPSec VPN Topologies
     • Cisco Site-to-Site VPN Solutions




VPN Overview   © 2001, Cisco Systems, Inc.   www.cisco.com/go/vpn   2
IPSec Design Guide

          http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/iptoc_dg.htm


IPSec Overview

     • Initiating the IPSec session
               Phase one—exchanging keys
               Phase two—setting up security associations
     • Encrypting/decrypting packets
     • Rebuilding security associations
               Timing out security associations
     • Simple IPSec configuration



Initiating the IPSec Session
                     Phase One—ISAKMP

     • Internet Security Association Key Management Protocol
       (ISAKMP)
     • Both sides need to agree on the ISAKMP
       security parameters
               ISAKMP parameters
                    Encryption algorithm
                    Hash algorithm
                    Authentication method
                    Diffie-Hellman modulus
                    Group lifetime


Initiating the IPSec Session
                       Phase Two—IPSec

     • Both sides need to agree on the IPSec security parameters
               IPSec parameters
                    IPSec peer
                          Endpoint of IPSec tunnel
                    IPSec proxy
                          Traffic to be encrypted/decrypted
                    IPSec transform
                          Encryption and hashing
                    IPSec lifetime
                          Phase two SA regeneration time



Encrypting and Decrypting Packets
    • Phase one and phase two complete
    • Security Associations (SA) are created at both IPSec
      endpoints
    • Using the negotiated SA information
               Outbound packets are encrypted
               Inbound packets are decrypted




Rebuilding Security Associations
  • To ensure that keys are not compromised, they are
    periodically refreshed
  • Security associations will be rebuilt when:
           The lifetime expires, or
           Data volume has been exceeded, or
           Another SA is attempted with identical parameters




Simple IPSec Configuration

    10.1.1.0/24 -- [router] 192.1.1.1 ---- Internet (IPSec Tunnel) ---- 200.1.1.2 [router] -- 10.1.2.0/24

   Router at 192.1.1.1 (10.1.1.0/24 side):

   crypto isakmp policy 1
    authentication pre-share
    hash md5
   crypto isakmp key cisco123 address 200.1.1.2
   crypto ipsec transform-set trans1 esp-des esp-md5-hmac
   crypto map vpnmap 10 ipsec-isakmp
    set peer 200.1.1.2
    set transform-set trans1
    match address 101
   interface Ethernet0
    ip address 10.1.1.1 255.255.255.0
   interface Ethernet1
    ip address 192.1.1.1 255.255.255.0
    crypto map vpnmap
   access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

   Router at 200.1.1.2 (10.1.2.0/24 side):

   crypto isakmp policy 1
    authentication pre-share
    hash md5
   crypto isakmp key cisco123 address 192.1.1.1
   crypto ipsec transform-set trans1 esp-des esp-md5-hmac
   crypto map vpnmap 10 ipsec-isakmp
    set peer 192.1.1.1
    set transform-set trans1
    match address 101
   interface Ethernet0
    ip address 10.1.2.1 255.255.255.0
   interface Ethernet1
    ip address 200.1.1.2 255.255.255.0
    crypto map vpnmap
   access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255




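The two configurations on this slide only bring up a tunnel because they mirror each other exactly: each peer statement points at the other side's crypto-map interface, both sides hold the same pre-shared key for each other, the transform sets match, and ACL 101 on one router is the source/destination mirror image of ACL 101 on the other. The following is an added example, not part of the Cisco deck: a small Python audit that parses this minimal IOS crypto subset (the slide's two configs, rendered from one template) and reports every mismatch of that kind. The parser only understands the commands that appear on this slide; any other IOS syntax is an assumption outside its scope.

```python
# Added example: consistency audit of a pair of IOS site-to-site IPSec configs.
# Covers only the commands used on the slide (isakmp key, transform-set, crypto map,
# interface ip address / crypto map, numbered extended access-list).
SITE_CFG = """
crypto isakmp policy 1
 authentication pre-share
 hash md5
crypto isakmp key cisco123 address {peer}
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer {peer}
 set transform-set trans1
 match address 101
interface Ethernet0
 ip address {lan_ip} 255.255.255.0
interface Ethernet1
 ip address {wan_ip} 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip {lan} 0.0.0.255 {peer_lan} 0.0.0.255
"""
# The slide's two routers, rendered from the template above
ROUTER_A = SITE_CFG.format(peer="200.1.1.2", lan_ip="10.1.1.1", wan_ip="192.1.1.1",
                           lan="10.1.1.0", peer_lan="10.1.2.0")
ROUTER_B = SITE_CFG.format(peer="192.1.1.1", lan_ip="10.1.2.1", wan_ip="200.1.1.2",
                           lan="10.1.2.0", peer_lan="10.1.1.0")

def parse(cfg):
    """Pull out the pieces of an IOS crypto config that the two peers must agree on."""
    c = {"keys": {}, "tsets": {}, "maps": [], "ifaces": [], "acls": {}}
    cur = None                                   # crypto map entry or interface being filled in
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:3] == ["crypto", "isakmp", "key"]:
            c["keys"][w[5]] = w[3]               # peer address -> pre-shared key
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tsets"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) > 3:   # global entry, not the interface command
            cur = {"name": f"{w[2]} {w[3]}"}
            c["maps"].append(cur)
        elif w[0] == "interface":
            cur = {"name": w[1]}
            c["ifaces"].append(cur)
        elif w[0] == "access-list" and w[2] == "permit":
            c["acls"].setdefault(w[1], []).append(tuple(w[4:8]))   # (src, wc, dst, wc)
        elif cur is not None and len(w) >= 3:
            key = {"set peer": "peer", "set transform-set": "tset", "match address": "acl",
                   "ip address": "ip", "crypto map": "map"}.get(" ".join(w[:2]))
            if key:
                cur[key] = w[2]
    return c

def endpoints(c):
    """Addresses of interfaces carrying a crypto map: the only places a peer may point at."""
    return {i["ip"] for i in c["ifaces"] if "map" in i and "ip" in i}

def check(a, b, la, lb):
    """Check a's crypto map entries against b; returns a list of findings (empty = consistent)."""
    out = []
    for m in a["maps"]:
        tag, peer = f"{la} crypto map {m['name']}", m.get("peer")
        if peer not in endpoints(b):
            out.append(f"{tag}: peer {peer} is not a crypto-map interface on {lb}")
            continue
        keys_for_us = {b["keys"].get(e) for e in endpoints(a)}
        if a["keys"].get(peer) is None or a["keys"][peer] not in keys_for_us:
            out.append(f"{tag}: pre-shared key for {peer} missing or differs from {lb}'s")
        back = [x for x in b["maps"] if x.get("peer") in endpoints(a)]
        if not back:
            out.append(f"{tag}: {lb} has no crypto map entry pointing back at {la}")
            continue
        if a["tsets"].get(m.get("tset")) != b["tsets"].get(back[0].get("tset")):
            out.append(f"{tag}: transform set differs from {lb}'s")
        mirrored = {(d, dw, s, sw) for s, sw, d, dw in b["acls"].get(back[0].get("acl"), [])}
        for ace in a["acls"].get(m.get("acl"), []):
            if ace not in mirrored:
                out.append(f"{tag}: ACE {' '.join(ace)} has no mirror image in {lb}'s ACL")
    return out

def audit(cfg_a, cfg_b):
    """Run the checks in both directions, as a peer mismatch shows up on either side."""
    a, b = parse(cfg_a), parse(cfg_b)
    return check(a, b, "A", "B") + check(b, a, "B", "A")

if __name__ == "__main__":
    print("slide configs:", audit(ROUTER_A, ROUTER_B) or "consistent")
    print("3DES on one side only:", audit(ROUTER_A, ROUTER_B.replace("esp-des", "esp-3des")))
```

Running it against the slide's pair returns no findings; changing one transform set, one key, or one ACL entry on either side produces a finding in each direction, which is the same class of error that shows up as a phase-two proposal or proxy-identity mismatch during IKE negotiation.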
Topologies

               Standard Site-to-Site IPSec Enabled VPN Solution
                       Design and Engineering Guide

       http://www.cisco.com/cpropart/salestools/cc/so/neso/vpn/vpne/s2sdes.htm




GRE Over IPSec (Common Configuration Issues)

     • Apply crypto map on both the tunnel interfaces and
       the physical interfaces
     • Specify GRE traffic as IPSec interesting traffic.
               access-list 101 permit gre host 200.1.1.1 host 150.1.1.1

     • Static or dynamic routing is needed to send VPN
       traffic to the GRE tunnel before it gets encrypted.




GRE over IPSec (Avoid Recursive Routing)

     • To avoid GRE tunnel interface damping due to
       recursive routing, keep transport and passenger
       routing info. separate:
               Use different routing protocols or separate routing
               protocol identifiers
               Keep tunnel IP address and actual IP network
               address ranges distinct
               For tunnel interface IP address, don’t use
               unnumbered to loopback interface when the
               loopback’s IP address resides in the ISP address
               space
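Recursive routing is easy to spot in a routing table once you know what to look for: the best route to a tunnel's destination address leaves through a tunnel interface instead of the physical link. The following is an added example, not from the Cisco deck, that performs that check with a longest-prefix lookup over a constructed routing table; the tunnel destinations (172.18.45.1, 172.18.45.2) and the static route to 172.18.0.0/16 are taken from the GRE IPSec configuration later in this deck, while the passenger prefixes and the leaked 172.18.45.0/24 route are made up to show the failure case.

```python
# Added example: detect recursive routing for GRE tunnel endpoints.
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over [(prefix, outgoing interface)]; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else (str(best[0]), best[1])

def tunnel_state(routes, tunnel_dest, tunnel_ifaces):
    """'ok' when the endpoint is reached over a physical path, 'recursive' when the best
    route to it points into any tunnel (transport learned via passenger routing),
    'unreachable' when there is no route at all."""
    r = lookup(routes, tunnel_dest)
    if r is None:
        return "unreachable"
    return "recursive" if r[1] in tunnel_ifaces else "ok"

def audit_tunnels(routes, tunnels):
    """tunnels: {tunnel interface: destination address} -> {tunnel interface: state}"""
    return {iface: tunnel_state(routes, dest, set(tunnels)) for iface, dest in tunnels.items()}

# Tunnels from the GRE IPSec config in this deck (Tunnel0 -> 172.18.45.1, Tunnel1 -> 172.18.45.2)
TUNNELS = {"Tunnel0": "172.18.45.1", "Tunnel1": "172.18.45.2"}

# Constructed RIB that keeps transport (172.18/16 via Serial0) and passenger (10/8 via tunnels) separate
ROUTES_OK = [
    ("172.18.0.0/16", "Serial0"),   # static route to the ISP address space
    ("10.4.1.0/24", "Tunnel0"),     # tunnel subnets (connected)
    ("10.4.2.0/24", "Tunnel1"),
    ("10.1.0.0/16", "Tunnel0"),     # remote LANs learned by EIGRP over the tunnels (constructed)
    ("10.2.0.0/16", "Tunnel1"),
]
# Same RIB after the remote site leaks its transport prefix into the passenger routing protocol:
# a more specific route to the tunnel destinations now points back into Tunnel0
ROUTES_RECURSIVE = ROUTES_OK + [("172.18.45.0/24", "Tunnel0")]

if __name__ == "__main__":
    print("separate routing info:", audit_tunnels(ROUTES_OK, TUNNELS))
    print("transport leaked via tunnel:", audit_tunnels(ROUTES_RECURSIVE, TUNNELS))
```

In the leaked case the router would install the /24 through Tunnel0, the tunnel's own encapsulated packets would then route into the tunnel, and IOS flaps the interface ("recursive routing" damping), which is exactly the condition the bullets above are designed to prevent.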
GRE over IPSec (MTU Issues)

     • Overhead calculation of GRE over IPSec (assume
       ESP-DES & ESP-MD5-HMAC):
               ESP overhead (with authentication): 31 ~ 38 bytes
               GRE header: 24 bytes
               IP header: 20 bytes
     • GRE over IPSec with tunnel mode introduces ~75
       bytes overhead, GRE over IPSec with transport mode
       introduces ~55 bytes overhead



GRE over IPSec

   [Figure: packet layouts after each encapsulation step; the GRE and IPSec headers
    are added as the packet crosses the Internet]

   a. Original Packet
        IP Hdr 1 | TCP hdr | Data
   b. GRE Encapsulation
        IP hdr 2 | GRE hdr | IP Hdr 1 | TCP hdr | Data
   c. GRE over IPSec Transport Mode
        IP hdr 2 | ESP hdr | GRE hdr | IP Hdr 1 | TCP hdr | Data
   d. GRE over IPSec Tunnel Mode
        IP hdr 3 | ESP hdr | IP hdr 2 | GRE hdr | IP Hdr 1 | TCP hdr | Data
GRE over IPSec (MTU Issues)


     • After GRE tunnel encapsulation, the packets will be
       sent to the physical interface with the DF bit set to 0
     • The GRE packets will then be encrypted at the physical
       interface; if IPSec overhead causes the final IPSec
       packets to be bigger than the interface MTU, the
       router will fragment the packets
     • The remote router will need to reassemble the
       fragmented IPSec packets (process switched), which
       causes performance degradation



GRE over IPSec (MTU issue)


     • To avoid fragmentation and reassembly of IPSec
       packets:
               Set ip mtu 1420 (GRE/IPSec tunnel mode) or
               ip mtu 1440 (GRE/IPSec transport mode) under the
               tunnel interface.
               Enable “tunnel path-mtu-discovery” (DF bit copied
               after GRE encapsulation) under the tunnel interface.
     • Use “show ip int switching” to verify the switching path
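The overhead figures and the 1420/1440 recommendations on the last four slides can be checked with a small model of the header stack. The following is an added example, not from the Cisco deck: it builds the four encapsulations of the packet-format slide for ESP-DES with ESP-MD5-HMAC, computes the on-the-wire size of a given inner packet (ESP padding included, so the overhead varies by a few bytes with packet length, which is why the deck quotes a 31~38 byte range), and searches for the largest tunnel `ip mtu` that never yields an IPSec packet above the physical MTU. The per-field sizes are the standard ESP/GRE/IPv4 values; reading the deck's "GRE header: 24 bytes" as the 4-byte GRE header plus the 20-byte delivery IP header is an assumption, chosen because it reproduces the deck's ~75/~55 byte totals.

```python
# Added example: GRE-over-IPSec overhead and MTU model (ESP-DES + ESP-MD5-HMAC).
IP_HDR = 20        # IPv4 header without options ("IP header: 20 bytes")
GRE_HDR = 4        # basic GRE header; with the delivery IP header this is the deck's 24 bytes
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 8         # DES-CBC initialisation vector
ESP_TRAILER = 2    # pad-length + next-header bytes
ESP_ICV = 12       # HMAC-MD5-96 authenticator
DES_BLOCK = 8      # DES-CBC block size drives the padding
LINK_MTU = 1500    # physical interface MTU assumed throughout

def esp_len(payload_len):
    """On-the-wire ESP length for payload_len protected bytes (RFC 2406 layout)."""
    pad = (-(payload_len + ESP_TRAILER)) % DES_BLOCK      # 0..7 bytes of padding
    return ESP_HDR + ESP_IV + payload_len + pad + ESP_TRAILER + ESP_ICV

def header_stack(mode):
    """Header order as drawn on the packet-format slide, outermost first."""
    inner = ["GRE hdr", "IP Hdr 1", "TCP hdr", "Data"]
    if mode == "gre":
        return ["IP hdr 2"] + inner                          # row b
    if mode == "transport":
        return ["IP hdr 2", "ESP hdr"] + inner               # row c
    if mode == "tunnel":
        return ["IP hdr 3", "ESP hdr", "IP hdr 2"] + inner   # row d
    raise ValueError(mode)

def wire_len(orig_len, mode):
    """Bytes put on the physical interface for an orig_len-byte packet entering the tunnel."""
    if mode == "gre":
        return IP_HDR + GRE_HDR + orig_len
    if mode == "transport":            # ESP protects GRE header + original packet
        return IP_HDR + esp_len(GRE_HDR + orig_len)
    if mode == "tunnel":               # ESP protects the whole GRE delivery packet
        return IP_HDR + esp_len(IP_HDR + GRE_HDR + orig_len)
    raise ValueError(mode)

def overhead(orig_len, mode):
    """Total encapsulation overhead for this packet length (compare with the deck's ~55 / ~75)."""
    return wire_len(orig_len, mode) - orig_len

def fragments(orig_len, mode, link_mtu=LINK_MTU):
    """True when the encrypted packet exceeds the physical MTU and IOS must fragment it."""
    return wire_len(orig_len, mode) > link_mtu

def max_tunnel_mtu(mode, link_mtu=LINK_MTU):
    """Largest tunnel 'ip mtu' for which no packet ever needs IPSec-level fragmentation."""
    size = link_mtu
    while fragments(size, mode, link_mtu):   # wire_len grows monotonically, so a scan suffices
        size -= 1
    return size

if __name__ == "__main__":
    for mode, deck_mtu in (("transport", 1440), ("tunnel", 1420)):
        print(mode, "=", " | ".join(header_stack(mode)))
        print(f"  overhead at ip mtu {deck_mtu}: {overhead(deck_mtu, mode)} bytes, "
              f"wire size {wire_len(deck_mtu, mode)}, fragments={fragments(deck_mtu, mode)}")
        print(f"  1500-byte inner packet -> {wire_len(1500, mode)} bytes, fragments={fragments(1500, mode)}")
        print(f"  largest safe tunnel ip mtu: {max_tunnel_mtu(mode)} (deck recommends {deck_mtu})")
```

The model gives 1442 (transport) and 1422 (tunnel) as the exact limits for a 1500-byte link, so the deck's round figures of 1440 and 1420 sit just inside them; a 1500-byte inner packet, by contrast, comes out at well over 1500 bytes in either mode and is the case that triggers the process-switched reassembly described above.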


GRE IPSec Config
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share

crypto isakmp key cisco123 address 172.18.45.1
crypto isakmp key cisco123 address 172.18.45.2

crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode transport




GRE IPSEC Config continued
          crypto map vpn 10 ipsec-isakmp
               set peer 172.18.45.1
               set transform-set myset
               match address 101


          crypto map vpn 20 ipsec-isakmp
               set peer 172.18.45.2
               set transform-set myset
               match address 102
GRE IPSEC Config continued
               interface Tunnel0
                ip address 10.4.1.1 255.255.255.0
                tunnel source 172.18.31.1
                tunnel destination 172.18.45.1
                crypto map vpn

               interface Tunnel1
                ip address 10.4.2.1 255.255.255.0
                tunnel source 172.18.31.1
                tunnel destination 172.18.45.2
                crypto map vpn

               interface Serial0
                ip address 172.18.31.1 255.255.255.0
                crypto map vpn

GRE IPSEC Config continued

         router eigrp 100
          network 10.0.0.0

         ip route 172.18.0.0 255.255.0.0 Serial0

         ip access-list extended 101
          permit gre host 172.18.31.1 host 172.18.45.1

         ip access-list extended 102
          permit gre host 172.18.31.1 host 172.18.45.2



Preventing Traffic Injection


     • ACL on the physical interface
   interface Serial0/0
    ip access-group Only_ESP in

   ip access-list extended Only_ESP
    permit esp host 193.193.193.1 any
    permit udp host 193.193.193.1 eq 500 any
    deny   ip any any log-input
     • Even better, VRF lite!
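The Only_ESP list above reduces the physical interface to exactly two inbound flows, the peer's ESP and the peer's ISAKMP on UDP 500, and the final `deny ip any any log-input` is what turns everything else into a logged drop. The following is an added example, not from the Cisco deck: a first-match evaluator for that list run over a handful of constructed inbound packets, plus a tally of which sources hit the deny line, which is the view a `log-input` feed gives an operator. The rule tuples are a transcription of the slide's three lines; the addresses in the sample traffic other than 193.193.193.1 are made up documentation-range values.

```python
# Added example: simulate the Only_ESP access list over constructed inbound traffic.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "esp", "udp", "tcp", ...
    sport: int = 0      # 0 = not applicable for this protocol
    dport: int = 0

# (action, protocol, source host or "any", source port or None, destination host or "any")
ONLY_ESP = [
    ("permit", "esp", "193.193.193.1", None, "any"),   # permit esp host 193.193.193.1 any
    ("permit", "udp", "193.193.193.1", 500, "any"),    # permit udp host 193.193.193.1 eq 500 any
    ("deny", "ip", "any", None, "any"),                # deny ip any any log-input
]

def rule_matches(rule, pkt):
    """IOS extended-ACL match: protocol (ip matches all), source, source port, destination."""
    action, proto, src, sport, dst = rule
    return ((proto == "ip" or proto == pkt.proto)
            and (src == "any" or src == pkt.src)
            and (sport is None or sport == pkt.sport)
            and (dst == "any" or dst == pkt.dst))

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"

def denied_sources(acl, pkts):
    """What the log-input deny line would surface: dropped packets per source address."""
    return Counter(p.src for p in pkts if evaluate(acl, p) == "deny")

# Constructed sample of packets arriving inbound on Serial0/0
SAMPLE = [
    Packet("193.193.193.1", "10.0.0.1", "esp"),                # the peer's ESP traffic
    Packet("193.193.193.1", "10.0.0.1", "udp", 500, 500),      # the peer's ISAKMP
    Packet("193.193.193.1", "10.0.0.1", "udp", 4500, 4500),    # NAT-T port is not in the list
    Packet("198.51.100.7", "10.0.0.1", "esp"),                 # ESP from a non-peer address
    Packet("198.51.100.7", "10.0.0.1", "tcp", 40000, 23),      # cleartext session attempt
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{evaluate(ONLY_ESP, p):6} {p.proto:4} {p.src} -> {p.dst} sport={p.sport} dport={p.dport}")
    print("dropped per source:", dict(denied_sources(ONLY_ESP, SAMPLE)))
```

Two things the simulation makes visible: the list matches ESP by protocol and source only, so nothing unencrypted reaches the router from any address, and the peer's own UDP 4500 is dropped, which is the correct outcome for this 2001 design but would have to be revisited if NAT traversal were ever introduced on the link.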




VPN Types and Applications

   Type                 Application                          As Alternative To               Benefits
   Remote Access VPN    Remote Dial Connectivity             Dedicated Dial, ISDN            Ubiquitous Access, Lower Cost
   Site-to-Site VPN     Site-to-Site Internal Connectivity   Leased Line, Frame Relay, ATM   Extend Connectivity, Increased Bandwidth, Lower Cost
   Extranet VPN         Biz-to-Biz External Connectivity     Fax, Mail, EDI                  Facilitates E-Commerce
VPN Requirements Vary By Application

   [Figure: Mobile User, Home Telecommuter (DSL, Cable) and Extranet Business Partner
    reach the Central Site through a POP and the Internet VPN; the Site-to-Site
    Remote Office connects to the same Central Site]

   Remote Access VPN
       • Evolution away from dial
       • Per-user manageability
       • Multi-OS (desktop) support
       • Deployment scalability

   Site-to-Site VPN
       • Extension of classic WAN
       • Compatibility with diverse network traffic types
       • Integration with routing
       • Deployment scalability
Cisco VPN Portfolio
                  Purpose-Built for Specific VPN Environments

   VPN Application       Large Enterprise     Medium Enterprise   Small Biz/Branch      SOHO
   Remote Access         VPN 3080, VPN 3060   VPN 3030            VPN 3015, VPN 3005    VPN 3002 Hardware Client (New),
   (Cisco VPN 3000)      Concentrators        Concentrator        Concentrators         VPN 3000 Software Client
   Site-to-Site          7200, 7100           7100, 3600          3600, 2600, 1700      900, 800
   (IOS Routers)
   Firewall-Based VPN    Pix 535, Pix 525     Pix 525, Pix 515    Pix 515, Pix 506      Pix 506
   (Pix Firewall)
VPN Product Function Matrix

         IOS VPN Routers
              Site-to-Site VPN:
                 • Primary role
                 • All encompassing site-to-site connectivity features
                 • Provides routing, QoS, WAN interfaces, multicast and multiprotocol support
              Remote Access VPN:
                 • Basic remote access functionality

         PIX Firewalls
              Site-to-Site VPN:
                 • Solution for security organizations that prefer operating firewalls
                 • Provides full firewall features
                 • Basic site-to-site functionality
              Remote Access VPN:
                 • Provides most remote access features
                 • Solution for security organizations that prefer operating firewalls
                 • Provides full firewall features

         VPN 3000 Concentrators
              Site-to-Site VPN:
                 • Basic site-to-site functionality
              Remote Access VPN:
                 • Primary role
                 • Full featured remote access solution

Cisco IOS Software
                       Enhanced VPN Software Features

   [Figure: router feature stack labelled GRE, QoS, FW, BGP, IPSec]

   • Quality of Service
           Application-aware packet classification
           Congestion management and packet queuing
           Traffic shaping and policing
   • Stateful IOS Firewall
           Per application content filtering and Java blocking
           Denial of service protection and intrusion detection
           Time-based ACLs
   • VPN Resiliency
           Dynamic Route Recovery - using routing protocols
           through IPSec secured GRE tunnel
           Dynamic Tunnel Recovery - IPSec Keep-Alives
   • Full Layer 3 Routing and Broad Interface Support
           EIGRP, BGP, OSPF, and others
           Numerous LAN and WAN interfaces

Cisco Site-to-Site VPN Solutions
                                        Scalability for Every Site

   [Figure: Remote Office, Regional Office and Small Office/Home Office connected
    over the Internet to the Main Office]

   Cisco 1700 Series
      • VPN-optimized router connecting remote offices at T1/E1 speeds
   Cisco 2600 & 3600 Series
      • VPN-optimized routers connecting branch and regional offices at nxT1/E1 speeds
   Cisco 800 & 900 Series
      • VPN-optimized routers for ISDN, DSL, and cable connectivity
   Cisco 7100 & 7200 Series
      • 7100 for dedicated VPN head-end
      • 7200 for hybrid private WAN + VPN connectivity


VPN-Enabled Broadband Routers




                                                806                827/804       905
        Simultaneous Tunnels                    50                      50        50
        Performance                          384 kbps             384 kbps     6 Mbps
        Hardware Acceleration                  None                    None    (built-in)
        WAN Interfaces                        Ethernet            DSL/ISDN      Cable
        LAN Interfaces                       4xEthernet          1xEthernet   4xEthernet



VPN-Enabled Routers




                                               1710         1720/1750      2611/2621       2651       3620/3640
    Simultaneous Tunnels                       100              100              300        800          800
    Performance (Mbps)                           4               4               10/12       14         10/19
    Hardware Acceleration                    (built-in)    VPN Module      AIM-VPN/BP    AIM-VPN/EP   NM-VPN/MP
    WAN Interfaces                           1xEthernet      (varies)       (varies)     (varies)     (varies)
    LAN Interfaces                             1xFE            1xFE              2xFE      2xFE        (varies)



VPN-Enabled Routers




                                               3660            7120             7140      7140       7200
    Simultaneous Tunnels                       1,300           2,000            2,000     3,000      5,000
    Performance (Mbps)                           40             50               90       140         145
    Hardware Acceleration                    AIM-VPN/HP         ISM             ISM     ISM & ISA   SA-VAM
    WAN Interfaces                            (varies)        (varies)      (varies)      None      (varies)
    LAN Interfaces                             1xFE            2xFE             2xFE      2xFE      (varies)




2650 Enhanced Performance VPN Module (New!)

     • AIM-VPN/EP Enhanced Performance Module
               Delivers 14 Mbps 3DES performance
               New AIM-VPN/EP is specially designed to take advantage of
               the 2650 High Performance Router
               This VPN Module is being offered in addition to our present
               AIM-VPN/BP (Base Performance Module)
               Supported on all 2600 platforms




VPN Acceleration Module (VAM) for 7100/7200 (New!)

   [Figure: SA-VAM for 7200; SM-VAM for 7100]

      Greater than DS3 encryption performance
               145 Mbps 3DES IPSec performance for
                scalable site-to-site encryption
      Allows large number of VPN Tunnels
               5000 simultaneous IPSec sessions
      Fast VPN tunnel setup time
               Hardware acceleration for RSA: Tunnel setup
                & key generation
      Compression for bandwidth conservation
               Hardware acceleration for IPPCP LZS
                compression

VPN Management

  • VPN Device Manager
           Embedded web single device policy manager
  • VPN Management Solutions
           Enterprise VPN monitoring & policy manager
  • Cisco Secure Policy Manager
           Centralized, intelligent security policy
           management for firewall and VPN
  • Telnet/SSH/rlogin/rsh/rcp CLI, tftp, MIBs




Site-to-Site VPN Platform Summary
     • Comprehensive Suite of Site-to-Site VPN Features
               Supports the most diverse VPN environments
     • High Performance VPN
               Up to 145 Mbps 3DES/HMAC-SHA1 IPSec
               Up to 5,000 simultaneous tunnels
     • Site Specific VPN Scalability
               DSL, Cable, & ISDN VPN routers
               Ethernet-to-Ethernet broadband routers
     • Network Management Tailored for Site-to-Site
       Applications


For More Information...



     Blog.router-switch.com
     •News, tutorials, tips, info & thoughts on
     Developments in the Cisco, Cisco network, IT,
     Software & Network Hardware Industry





Get vpn multicast for CCIE SecurityGet vpn multicast for CCIE Security
Get vpn multicast for CCIE Security
 
I psec cisco
I psec ciscoI psec cisco
I psec cisco
 
IP security and VPN presentation
IP security and VPN presentation IP security and VPN presentation
IP security and VPN presentation
 
FlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLEFlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLE
 
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A PixConfiguring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pix
 
EMEAR_Security_TAC_2021_IPSec_Site_to_Site_VPNs_on_FTD_Overview.pdf
EMEAR_Security_TAC_2021_IPSec_Site_to_Site_VPNs_on_FTD_Overview.pdfEMEAR_Security_TAC_2021_IPSec_Site_to_Site_VPNs_on_FTD_Overview.pdf
EMEAR_Security_TAC_2021_IPSec_Site_to_Site_VPNs_on_FTD_Overview.pdf
 
ENSA_Module_8.pptx
ENSA_Module_8.pptxENSA_Module_8.pptx
ENSA_Module_8.pptx
 
Crypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationCrypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configuration
 
The Data Center Network Evolution
The Data Center Network EvolutionThe Data Center Network Evolution
The Data Center Network Evolution
 
I psec
I psecI psec
I psec
 
Cisco Software Defined Access - новая архитектура для корпоративных кампусных...
Cisco Software Defined Access - новая архитектура для корпоративных кампусных...Cisco Software Defined Access - новая архитектура для корпоративных кампусных...
Cisco Software Defined Access - новая архитектура для корпоративных кампусных...
 

More from IT Tech

More from IT Tech (20)

Cisco ip phone key expansion module setup
Cisco ip phone key expansion module setupCisco ip phone key expansion module setup
Cisco ip phone key expansion module setup
 
Cisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guideCisco catalyst 9200 series platform spec, licenses, transition guide
Cisco catalyst 9200 series platform spec, licenses, transition guide
 
Cisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guideCisco isr 900 series highlights, platform specs, licenses, transition guide
Cisco isr 900 series highlights, platform specs, licenses, transition guide
 
Hpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guideHpe pro liant gen9 to gen10 server transition guide
Hpe pro liant gen9 to gen10 server transition guide
 
The new cisco isr 4461 faq
The new cisco isr 4461 faqThe new cisco isr 4461 faq
The new cisco isr 4461 faq
 
New nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switchesNew nexus 400 gigabit ethernet (400 g) switches
New nexus 400 gigabit ethernet (400 g) switches
 
Tested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi featuresTested cisco isr 1100 delivers the richest set of wi-fi features
Tested cisco isr 1100 delivers the richest set of wi-fi features
 
Aruba campus and branch switching solution
Aruba campus and branch switching solutionAruba campus and branch switching solution
Aruba campus and branch switching solution
 
Cisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switchesCisco transceiver module for compatible catalyst switches
Cisco transceiver module for compatible catalyst switches
 
Cisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switchesCisco ios on cisco catalyst switches
Cisco ios on cisco catalyst switches
 
Cisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modesCisco's wireless solutions deployment modes
Cisco's wireless solutions deployment modes
 
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dellCompetitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
Competitive switching comparison cisco vs. hpe aruba vs. huawei vs. dell
 
Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000Four reasons to consider the all in-one isr 1000
Four reasons to consider the all in-one isr 1000
 
The difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fexThe difference between yellow and white labeled ports on a nexus 2300 series fex
The difference between yellow and white labeled ports on a nexus 2300 series fex
 
Cisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches seriesCisco transceiver modules for compatible cisco switches series
Cisco transceiver modules for compatible cisco switches series
 
Guide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 seriesGuide to the new cisco firepower 2100 series
Guide to the new cisco firepower 2100 series
 
892 f sfp configuration example
892 f sfp configuration example892 f sfp configuration example
892 f sfp configuration example
 
Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700Cisco nexus 7000 and nexus 7700
Cisco nexus 7000 and nexus 7700
 
Cisco firepower ngips series migration options
Cisco firepower ngips series migration optionsCisco firepower ngips series migration options
Cisco firepower ngips series migration options
 
Eol transceiver to replacement model
Eol transceiver to replacement modelEol transceiver to replacement model
Eol transceiver to replacement model
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Vpn site to site

  • 1. Cisco VPN Solutions © 2001, Cisco Systems, Inc. 1
  • 2. Agenda
       • Introduction to IPSec
       • IPSec VPN Topologies
       • Cisco Site-to-Site VPN Solutions
       VPN Overview © 2001, Cisco Systems, Inc. www.cisco.com/go/vpn
  • 3. IPSec Design Guide
       http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/iptoc_dg.htm
       (embedded link: IPSecDesignGuide.pdf.lnk)
  • 4. IPSec Overview
       • Initiating the IPSec session
            Phase one—exchanging keys
            Phase two—setting up security associations
       • Encrypting/decrypting packets
       • Rebuilding security associations
            Timing out security associations
       • Simple IPSec configuration
  • 5. Initiating the IPSec Session: Phase One—ISAKMP
       • Internet Security Association Key Management Protocol (ISAKMP)
       • Both sides need to agree on the ISAKMP security parameters
            ISAKMP parameters:
                 Encryption algorithm
                 Hash algorithm
                 Authentication method
                 Diffie-Hellman modulus
                 Group lifetime
  • 6. Initiating the IPSec Session: Phase Two—IPSec
       • Both sides need to agree on the IPSec security parameters
            IPSec parameters:
                 IPSec peer: endpoint of IPSec tunnel
                 IPSec proxy: traffic to be encrypted/decrypted
                 IPSec transform: encryption and hashing
                 IPSec lifetime: phase two SA regeneration time
  • 7. Encrypting and Decrypting Packets
       • Phase one and phase two complete
       • Security Associations (SA) are created at both IPSec endpoints
       • Using the negotiated SA information:
            Outbound packets are encrypted
            Inbound packets are decrypted
  • 8. Rebuilding Security Associations
       • To ensure that keys are not compromised they are periodically refreshed
       • Security associations will be rebuilt when:
            The lifetime expires, or
            Data volume has been exceeded, or
            Another SA is attempted with identical parameters
  • 9. Simple IPSec Configuration
       Topology: LAN 10.1.1.0/24 behind router 192.1.1.1, IPSec tunnel across the Internet to router 200.1.1.2, LAN 10.1.2.0/24 behind it.
       Router 192.1.1.1:
            crypto isakmp policy 1
             authentication pre-share
             hash md5
            crypto isakmp key cisco123 address 200.1.1.2
            crypto ipsec transform-set trans1 esp-des esp-md5-hmac
            crypto map vpnmap 10 ipsec-isakmp
             set peer 200.1.1.2
             set transform-set trans1
             match address 101
            interface Ethernet0
             ip address 10.1.1.1 255.255.255.0
            interface Ethernet1
             ip address 192.1.1.1 255.255.255.0
             crypto map vpnmap
            access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
       Router 200.1.1.2:
            crypto isakmp policy 1
             authentication pre-share
             hash md5
            crypto isakmp key cisco123 address 192.1.1.1
            crypto ipsec transform-set trans1 esp-des esp-md5-hmac
            crypto map vpnmap 10 ipsec-isakmp
             set peer 192.1.1.1
             set transform-set trans1
             match address 101
            interface Ethernet0
             ip address 10.1.2.1 255.255.255.0
            interface Ethernet1
             ip address 200.1.1.2 255.255.255.0
             crypto map vpnmap
            access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
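A consistency check for the two configurations on this slide, written in Python as an added example (it is not code from the slides or from Cisco): it parses both router configurations, embedded inline, and reports every setting that is not mirrored between the peers, which is the usual reason phase one or phase two never completes. The parser handles only the commands that appear on the slide.

```python
"""Mirror check for the two router configurations on the 'Simple IPSec
Configuration' slide. Added example, not code from the slides or from Cisco;
it parses only the IOS commands that appear on that slide."""

ROUTER_A = """\
crypto isakmp policy 1
 authentication pre-share
 hash md5
crypto isakmp key cisco123 address 200.1.1.2
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set trans1
 match address 101
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
interface Ethernet1
 ip address 192.1.1.1 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
"""

ROUTER_B = """\
crypto isakmp policy 1
 authentication pre-share
 hash md5
crypto isakmp key cisco123 address 192.1.1.1
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 192.1.1.1
 set transform-set trans1
 match address 101
interface Ethernet0
 ip address 10.1.2.1 255.255.255.0
interface Ethernet1
 ip address 200.1.1.2 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

def parse(config):
    """Collect the settings that must line up between the two peers."""
    f = {"keys": {}, "transforms": {}, "maps": {}, "ifaces": {}, "acls": {}}
    section = None                      # open crypto map entry or interface
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if line.startswith(" ") and section is not None:   # sub-command
            if p[0] in ("set", "match"):
                section[p[1]] = p[2]    # peer, transform-set, address
            elif p[:2] == ["ip", "address"]:
                section["ip"] = p[2]
            elif p[:2] == ["crypto", "map"]:
                section["map"] = p[2]
        elif p[:3] == ["crypto", "isakmp", "key"]:
            f["keys"][p[5]] = p[3]      # peer address -> pre-shared key
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            f["transforms"][p[3]] = tuple(p[4:])
        elif p[:2] == ["crypto", "map"]:
            section = f["maps"][(p[2], p[3])] = {}
        elif p[0] == "interface":
            section = f["ifaces"][p[1]] = {}
        elif p[0] == "access-list":     # src, src-wildcard, dst, dst-wildcard
            f["acls"].setdefault(p[1], []).append(tuple(p[4:8]))
        else:
            section = None              # e.g. crypto isakmp policy
    return f

def crypto_ip(f):
    """Address of the interface carrying the crypto map: the peer address
    the other router must configure."""
    return next((i["ip"] for i in f["ifaces"].values() if "map" in i), None)

def check_peers(a, b):
    """Return mismatches between router a and router b (empty list: mirrored)."""
    a_ip, b_ip, problems = crypto_ip(a), crypto_ip(b), []
    if a["keys"].get(b_ip) != b["keys"].get(a_ip):
        problems.append("pre-shared keys for the two peer addresses differ")
    for (name, seq), m in a["maps"].items():
        if m.get("peer") != b_ip:
            problems.append(f"{name} {seq}: set peer {m.get('peer')} but the "
                            f"remote crypto interface is {b_ip}")
        twin = next((x for x in b["maps"].values() if x.get("peer") == a_ip), None)
        if twin is None:
            problems.append(f"{name} {seq}: remote has no entry peering with {a_ip}")
            continue
        if a["transforms"].get(m.get("transform-set")) != \
                b["transforms"].get(twin.get("transform-set")):
            problems.append(f"{name} {seq}: transform-set proposals differ")
        mirror = b["acls"].get(twin.get("address"), [])
        for src, swc, dst, dwc in a["acls"].get(m.get("address"), []):
            if (dst, dwc, src, swc) not in mirror:
                problems.append(f"{name} {seq}: crypto ACL line {src} -> {dst} "
                                "has no mirror image on the remote")
    return problems

if __name__ == "__main__":
    print(check_peers(parse(ROUTER_A), parse(ROUTER_B)) or "configs mirror")
```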
  • 10. Topologies
       Standard Site-to-Site IPSec Enabled VPN Solution Design and Engineering Guide
       http://www.cisco.com/cpropart/salestools/cc/so/neso/vpn/vpne/s2sdes.htm
       (embedded link: Site2SiteDesignGuide.url)
  • 11. GRE Over IPSec (Common Configuration Issues)
       • Apply the crypto map on both the tunnel interfaces and the physical interfaces
       • Specify GRE traffic as IPSec interesting traffic:
            access-list 101 permit gre host 200.1.1.1 host 150.1.1.1
       • Static or dynamic routing is needed to send VPN traffic to the GRE tunnel before it gets encrypted.
  • 12. GRE over IPSec (Avoid Recursive Routing)
       • To avoid GRE tunnel interface damping due to recursive routing, keep transport and passenger routing info. separate:
            Use different routing protocols or separate routing protocol identifiers
            Keep tunnel IP address and actual IP network address ranges distinct
            For the tunnel interface IP address, don’t use unnumbered to a loopback interface when the loopback’s IP address resides in the ISP address space
  • 13. GRE over IPSec (MTU Issues)
       • Overhead calculation of GRE over IPSec (assume ESP-DES & ESP-MD5-HMAC):
            ESP overhead (with authentication): 31 ~ 38 bytes
            GRE header: 24 bytes
            IP header: 20 bytes
       • GRE over IPSec with tunnel mode introduces ~75 bytes overhead; GRE over IPSec with transport mode introduces ~55 bytes overhead
  • 14. GRE over IPSec (packet formats)
       a. Original packet:                 IP hdr 1 | TCP hdr | Data
       b. GRE encapsulation:               IP hdr 2 | GRE hdr | IP hdr 1 | TCP hdr | Data
       c. GRE over IPSec transport mode:   IP hdr 2 | ESP hdr | GRE hdr | IP hdr 1 | TCP hdr | Data
       d. GRE over IPSec tunnel mode:      IP hdr 3 | ESP hdr | IP hdr 2 | GRE hdr | IP hdr 1 | TCP hdr | Data
  • 15. GRE over IPSec (MTU Issues)
       • After GRE tunnel encapsulation, the packets will be sent to the physical interface with the DF bit set to 0
       • The GRE packets will then be encrypted at the physical interface; if the IPSec overhead causes the final IPSec packets to be bigger than the interface MTU, the router will fragment the packets
       • The remote router will need to reassemble the fragmented IPSec packets (process switched), which causes performance degradation
  • 16. GRE over IPSec (MTU Issues)
       • To avoid fragmentation and reassembly of IPSec packets:
            Set ip mtu 1420 (GRE/IPSec tunnel mode) or ip mtu 1440 (GRE/IPSec transport mode) under the tunnel interface.
            Enable “tunnel path-mtu-discovery” (DF bit copied after GRE encapsulation) under the tunnel interface.
       • Use “show ip int switching” to verify the switching path
  • 17. GRE IPSec Config
       crypto isakmp policy 1
        encr 3des
        hash md5
        authentication pre-share
       crypto isakmp key cisco123 address 172.18.45.1
       crypto isakmp key cisco123 address 172.18.45.2
       crypto ipsec transform-set myset esp-3des esp-md5-hmac
        mode transport
  • 18. GRE IPSEC Config continued
       crypto map vpn 10 ipsec-isakmp
        set peer 172.18.45.1
        set transform-set myset
        match address 101
       crypto map vpn 20 ipsec-isakmp
        set peer 172.18.45.2
        set transform-set myset
        match address 102
  • 19. GRE IPSEC Config continued
       interface Tunnel0
        ip address 10.4.1.1 255.255.255.0
        tunnel source 172.18.31.1
        tunnel destination 172.18.45.1
        crypto map vpn
       interface Tunnel1
        ip address 10.4.2.1 255.255.255.0
        tunnel source 172.18.31.1
        tunnel destination 172.18.45.2
        crypto map vpn
       interface Serial0
        ip address 172.18.31.1 255.255.255.0
        crypto map vpn
  • 20. GRE IPSEC Config continued
       ip eigrp 100
        network 10.0.0.0
       ip route 172.18.0.0 255.255.0.0 serial0
       ip access-list extended 101
        permit gre host 172.18.31.1 host 172.18.45.1
       ip access-list extended 102
        permit gre host 172.18.31.1 host 172.18.45.2
  • 21. Preventing Traffic Injection
       • ACL on the physical interface:
            interface serial 0/0
             ip access-group Only_ESP in
            ip access-list extended Only_ESP
             permit esp host 193.193.193.1 any
             permit udp host 193.193.193.1 eq 500 any
             deny ip any any log-input
       • Even better, VRF lite!
  • 22. VPN Types and Applications
       Type                 Application                          As Alternative To               Benefits
       Remote Access VPN    Remote Dial Access                   Dedicated Dial, ISDN            Ubiquitous Connectivity, Lower Cost
       Site-to-Site VPN     Site-to-Site Internal Connectivity   Leased Line, Frame Relay, ATM   Extend Connectivity, Increased Bandwidth, Lower Cost
       Extranet VPN         Biz-to-Biz External Connectivity     Fax, Mail, EDI                  Facilitates E-Commerce
  • 23. VPN Requirements Vary By Application
       (Diagram: extranet business partner, mobile user and home telecommuter reach the central site over an Internet VPN via POP, DSL and cable; a remote office connects site-to-site)
       Remote Access VPN
            • Evolution away from dial
            • Per-user manageability
            • Multi-OS (desktop) support
            • Deployment scalability
       Site-to-Site VPN
            • Extension of classic WAN
            • Compatibility with diverse network traffic types
            • Integration with routing
            • Deployment scalability
  • 24. Cisco VPN Portfolio: Purpose-Built for Specific VPN Environments
       VPN Application                          Large Enterprise     Medium Enterprise    Small Biz/Branch   SOHO
       Remote Access (VPN 3000 Concentrators)   VPN 3080, VPN 3060   VPN 3030, VPN 3015   VPN 3005           VPN 3002 Hardware Client (new), Software Client
       Site-to-Site (IOS Routers)               7200, 7100           7100, 3600           3600, 2600, 1700   900, 800
       Firewall-Based VPN (Pix Firewall)        Pix 535, Pix 525     Pix 525, Pix 515     Pix 515, Pix 506   Pix 506
  • 25. VPN Product Function Matrix
       IOS VPN Routers
            Site-to-Site VPN: primary role; all encompassing site-to-site connectivity features; provides routing, QoS, WAN interfaces, multicast and multiprotocol support
            Remote Access VPN: basic remote access functionality
       PIX Firewalls
            Site-to-Site VPN: solution for security organizations that prefer operating firewalls; basic site-to-site functionality; provides full firewall features
            Remote Access VPN: provides most remote access features; solution for security organizations that prefer operating firewalls; provides full firewall features
       VPN 3000 Concentrators
            Site-to-Site VPN: basic site-to-site functionality
            Remote Access VPN: primary role; full featured remote access solution
  • 26. Cisco IOS Software: Enhanced VPN Software Features
       • Quality of Service
            Application-aware packet classification
            Congestion management and packet queuing
            Traffic shaping and policing
       • Stateful IOS Firewall
            Per application content filtering and Java blocking
            Denial of service protection and intrusion detection
            Time-based ACLs
       • VPN Resiliency
            Dynamic Route Recovery - using routing protocols through IPSec secured GRE tunnel
            Dynamic Tunnel Recovery - IPSec Keep-Alives
       • Full Layer 3 Routing and Broad Interface Support
            EIGRP, BGP, OSPF, and others
            Numerous LAN and WAN interfaces
  • 27. Cisco Site-to-Site VPN Solutions: Scalability for Every Site
       • Main Office: Cisco 7100 & 7200 Series
            7100 for dedicated VPN head-end
            7200 for hybrid private WAN + VPN connectivity
       • Regional Office: Cisco 2600 & 3600 Series
            VPN-optimized routers connecting branch and regional offices at nxT1/E1 speeds
       • Remote Office: Cisco 1700 Series
            VPN-optimized router connecting remote offices at T1/E1 speeds
       • Small Office/Home Office: Cisco 800 & 900 Series
            VPN-optimized routers for ISDN, DSL, and cable connectivity
  • 28. VPN-Enabled Broadband Routers
       Model                   806          827/804      905
       Simultaneous Tunnels    50           50           50
       Performance             384 kbps     384 kbps     6 Mbps
       Hardware Acceleration   None         None         (built-in)
       WAN Interfaces          Ethernet     DSL/ISDN     Cable
       LAN Interfaces          4xEthernet   1xEthernet   4xEthernet
  • 29. VPN-Enabled Routers
       Model                   1710         1720/1750    2611/2621    2651         3620/3640
       Simultaneous Tunnels    100          100          300          800          800
       Performance (Mbps)      4            4            10/12        14           10/19
       Hardware Acceleration   (built-in)   VPN Module   AIM-VPN/BP   AIM-VPN/EP   NM-VPN/MP
       WAN Interfaces          1xEthernet   (varies)     (varies)     (varies)     (varies)
       LAN Interfaces          1xFE         1xFE         2xFE         2xFE         (varies)
  • 30. VPN-Enabled Routers
       Model                   3660         7120         7140         7140         7200
       Simultaneous Tunnels    1,300        2,000        2,000        3,000        5,000
       Performance (Mbps)      40           50           90           140          145
       Hardware Acceleration   AIM-VPN/HP   ISM          ISM          ISM & ISA    SA-VAM
       WAN Interfaces          (varies)     (varies)     (varies)     None         (varies)
       LAN Interfaces          1xFE         2xFE         2xFE         2xFE         (varies)
  • 31. 2650 Enhanced Performance VPN Module (New!)
       • AIM-VPN/EP Enhanced Performance Module
            Delivers 14 Mbps 3DES performance
            New AIM-VPN/EP is specially designed to take advantage of the 2650 High Performance Router
            This VPN Module is being offered in addition to our present AIM-VPN/BP (Base Performance Module)
            Supported on all 2600 platforms
  • 32. VPN Acceleration Module (VAM) for 7100/7200 (New!)
       • Greater than DS3 encryption performance: 145 Mbps 3DES IPSec performance for scalable site-to-site encryption
       • Allows a large number of VPN tunnels: 5000 simultaneous IPSec sessions
       • Fast VPN tunnel setup time: hardware acceleration for RSA (tunnel setup & key generation)
       • Compression for bandwidth conservation: hardware acceleration for IPPCP LZS compression
       • SA-VAM for 7200, SM-VAM for 7100
  • 33. VPN Management
       • VPN Device Manager: embedded web single device policy manager
       • VPN Management Solutions: enterprise VPN monitoring & policy manager
       • Cisco Secure Policy Manager: centralized, intelligent security policy management for firewall and VPN
       • Telnet/SSH/rlogin/rsh/rcp CLI, tftp, MIBs
  • 34. Site-to-Site VPN Platform Summary
       • Comprehensive Suite of Site-to-Site VPN Features: supports the most diverse VPN environments
       • High Performance VPN: up to 145 Mbps 3DES/HMAC-SHA1 IPSec; up to 5,000 simultaneous tunnels
       • Site Specific VPN Scalability: DSL, Cable, & ISDN VPN routers; Ethernet-to-Ethernet broadband routers
       • Network Management Tailored for Site-to-Site Applications
  • 35. For More Information...
       Blog.router-switch.com: news, tutorials, tips, info & thoughts on developments in the Cisco, Cisco network, IT, software & network hardware industry
  • 36. Presentation_ID © 1999, Cisco Systems, Inc. 36

Editor's Notes

  1. Protection suite of priority 1
       encryption algorithm: Three key triple DES
       hash algorithm: Secure Hash Standard
       authentication method: Pre-Shared Key
       Diffie-Hellman group: #1 (768 bit)
       lifetime: 86400 seconds, no volume limit
     Default protection suite
       encryption algorithm: DES - Data Encryption Standard (56 bit keys).
       hash algorithm: Secure Hash Standard
       authentication method: Rivest-Shamir-Adleman Signature
       Diffie-Hellman group: #1 (768 bit)
       lifetime: 86400 seconds, no volume limit
  2. SA’s will regenerate behind the scenes
       7206BA#sh crypto ipsec security-association-lifetime
       Security association lifetime: 4608000 kilobytes/3600 seconds
  3. Protection suite of priority 1
       encryption algorithm: Three key triple DES
       hash algorithm: Secure Hash Standard
       authentication method: Pre-Shared Key
       Diffie-Hellman group: #1 (768 bit)
       lifetime: 86400 seconds, no volume limit
     Default protection suite
       encryption algorithm: DES - Data Encryption Standard (56 bit keys).
       hash algorithm: Secure Hash Standard
       authentication method: Rivest-Shamir-Adleman Signature
       Diffie-Hellman group: #1 (768 bit)
       lifetime: 86400 seconds, no volume limit
  4. Site-to-site VPNs and remote access VPNs tend to have different requirements