1. Cisco VPN Solutions
© 2001, Cisco Systems, Inc. 1
2. Agenda
• Introduction to IPSec
• IPSec VPN Topologies
• Cisco Site-to-Site VPN Solutions
VPN Overview © 2001, Cisco Systems, Inc. www.cisco.com/go/vpn 2
3. IPSec Design Guide
http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/iptoc_dg.htm
4. IPSec Overview
• Initiating the IPSec session
  – Phase one—exchanging keys
  – Phase two—setting up security associations
• Encrypting/decrypting packets
• Rebuilding security associations
  – Timing out security associations
• Simple IPSec configuration
5. Initiating the IPSec Session
Phase One—ISAKMP
• Internet Security Association Key Management Protocol (ISAKMP)
• Both sides need to agree on the ISAKMP security parameters
  – ISAKMP parameters:
    Encryption algorithm
    Hash algorithm
    Authentication method
    Diffie-Hellman modulus group
    Lifetime
6. Initiating the IPSec Session
Phase Two—IPSec
• Both sides need to agree on the IPSec security parameters
  – IPSec parameters:
    IPSec peer: endpoint of IPSec tunnel
    IPSec proxy: traffic to be encrypted/decrypted
    IPSec transform: encryption and hashing
    IPSec lifetime: phase two SA regeneration time
7. Encrypting and Decrypting Packets
• Phase one and phase two complete
• Security Associations (SAs) are created at both IPSec endpoints
• Using the negotiated SA information:
  – Outbound packets are encrypted
  – Inbound packets are decrypted
8. Rebuilding Security Associations
• To ensure that keys are not compromised, they are periodically refreshed
• Security associations will be rebuilt when:
  – The lifetime expires, or
  – Data volume has been exceeded, or
  – Another SA is attempted with identical parameters
9. Simple IPSec Configuration
Topology: 10.1.1.0/24 behind the left router (outside address 192.1.1.1), IPSec tunnel across the Internet to the right router (outside address 200.1.1.2), 10.1.2.0/24 behind it.

Left router (192.1.1.1):
crypto isakmp policy 1
 authentication pre-share
 hash md5
crypto isakmp key cisco123 address 200.1.1.2
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set trans1
 match address 101
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
interface Ethernet1
 ip address 192.1.1.1 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Right router (200.1.1.2):
crypto isakmp policy 1
 authentication pre-share
 hash md5
crypto isakmp key cisco123 address 192.1.1.1
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 192.1.1.1
 set transform-set trans1
 match address 101
interface Ethernet0
 ip address 10.1.2.1 255.255.255.0
interface Ethernet1
 ip address 200.1.1.2 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
10. Topologies
Standard Site-to-Site IPSec Enabled VPN Solution
Design and Engineering Guide
http://www.cisco.com/cpropart/salestools/cc/so/neso/vpn/vpne/s2sdes.htm
11. GRE Over IPSec (Common Configuration Issues)
• Apply crypto map on both the tunnel interfaces and the physical interfaces
• Specify GRE traffic as IPSec interesting traffic:
  access-list 101 permit gre host 200.1.1.1 host 150.1.1.1
• Static or dynamic routing is needed to send VPN traffic to the GRE tunnel before it gets encrypted.
12. GRE over IPSec (Avoid Recursive Routing)
• To avoid GRE tunnel interface damping due to recursive routing, keep transport and passenger routing information separate:
  – Use different routing protocols or separate routing protocol identifiers
  – Keep the tunnel IP address and the actual IP network address ranges distinct
  – For the tunnel interface IP address, don’t use unnumbered to a loopback interface when the loopback’s IP address resides in the ISP address space
13. GRE over IPsec (MTU Issues)
• Overhead calculation of GRE over IPSec (assume ESP-DES & ESP-MD5-HMAC):
  – ESP overhead (with authentication): 31 ~ 38 bytes
  – GRE header: 24 bytes
  – IP header: 20 bytes
• GRE over IPSec with tunnel mode introduces ~75 bytes overhead; GRE over IPSec with transport mode introduces ~55 bytes overhead
14. GRE over IPSec
Packet formats (figure):
a. Original Packet:                IP hdr 1 | TCP hdr | Data
b. GRE Encapsulation:              IP hdr 2 | GRE hdr | IP hdr 1 | TCP hdr | Data
c. GRE over IPSec Transport Mode:  IP hdr 2 | ESP hdr | GRE hdr | IP hdr 1 | TCP hdr | Data
d. GRE over IPSec Tunnel Mode:     IP hdr 3 | ESP hdr | IP hdr 2 | GRE hdr | IP hdr 1 | TCP hdr | Data
15. GRE over IPSec (MTU Issues)
• After GRE tunnel encapsulation, the packets will be sent to the physical interface with the DF bit set to 0
• The GRE packets will then be encrypted at the physical interface; if IPSec overhead causes the final IPSec packets to be bigger than the interface MTU, the router will fragment the packets
• The remote router will need to reassemble the fragmented IPSec packets (process switched), which causes performance degradation
16. GRE over IPSec (MTU issue)
• To avoid fragmentation and reassembly of IPSec packets:
  – Set ip mtu 1420 (GRE/IPSec tunnel mode) or ip mtu 1440 (GRE/IPSec transport mode) under the tunnel interface.
  – Enable “tunnel path-mtu-discovery” (DF bit copied after GRE encapsulation) under the tunnel interface.
• Use “show ip int switching” to verify the switching path
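The size arithmetic behind slides 13 to 16, worked through as an added example (not Cisco's code and not from the deck). It computes the ESP overhead field by field using the RFC 2406 layout (4-byte SPI, 4-byte sequence number, 8-byte DES-CBC IV, padding to an 8-byte block, pad-length and next-header bytes, 12-byte HMAC-MD5-96 ICV), which gives 30 to 37 bytes where the slide quotes 31 ~ 38, and shows why the deck's ip mtu values of 1420 (tunnel mode) and 1440 (transport mode) keep every encrypted packet within a 1500-byte link while the default tunnel MTU does not. The 24-byte "GRE header" on slide 13 is treated as delivery IP header (20) plus GRE header (4); the 1476-byte default tunnel MTU used at the end is an assumption stated in the code.

```python
"""Packet-size arithmetic for GRE over IPsec with ESP-DES / ESP-MD5-HMAC (added example).
ESP field sizes follow RFC 2406: 4-byte SPI, 4-byte sequence number, 8-byte DES-CBC IV,
padding to an 8-byte block, 1-byte pad length, 1-byte next header, 12-byte HMAC-MD5-96 ICV.
IP (20) and GRE (4) are the option-less header sizes, so the slides' '24-byte GRE header'
is the delivery IP header plus the GRE header."""

IP_HDR, GRE_HDR = 20, 4
ESP_HDR = 4 + 4 + 8            # SPI + sequence number + IV
ESP_TRAILER, ESP_ICV = 2, 12   # pad length + next header; HMAC-MD5-96 ICV (HMAC-SHA1-96 is also 12)
BLOCK = 8                      # DES / 3DES cipher block size


def esp_padding(payload_len):
    """Pad bytes so that payload + padding + trailer fills whole cipher blocks."""
    return (-(payload_len + ESP_TRAILER)) % BLOCK


def esp_size(payload_len):
    """Bytes on the wire for an ESP packet carrying payload_len bytes (no outer IP header)."""
    return ESP_HDR + payload_len + esp_padding(payload_len) + ESP_TRAILER + ESP_ICV


def esp_overhead_range():
    """(min, max) bytes ESP adds to its payload; the spread is the block padding."""
    deltas = [esp_size(n) - n for n in range(BLOCK)]
    return min(deltas), max(deltas)


def gre_over_ipsec_size(inner_len, mode):
    """Final size of an inner IP packet of inner_len bytes after GRE + IPsec.

    transport: delivery IP | ESP | GRE | inner            (slide 14, case c)
    tunnel:    outer IP | ESP | delivery IP | GRE | inner (slide 14, case d)
    """
    if mode == "transport":
        return IP_HDR + esp_size(GRE_HDR + inner_len)
    if mode == "tunnel":
        return IP_HDR + esp_size(IP_HDR + GRE_HDR + inner_len)
    raise ValueError("mode must be 'transport' or 'tunnel'")


def fragments(inner_len, mode, link_mtu=1500):
    """True when the encrypted packet exceeds the physical MTU and the router must fragment it."""
    return gre_over_ipsec_size(inner_len, mode) > link_mtu


def max_tunnel_ip_mtu(link_mtu, mode):
    """Largest 'ip mtu' for the tunnel interface such that no packet up to that size fragments."""
    best = 0
    for inner in range(1, link_mtu + 1):
        if fragments(inner, mode, link_mtu):
            break               # sizes only grow with inner_len, so the first failure ends the search
        best = inner
    return best


if __name__ == "__main__":
    print("ESP overhead (DES-CBC + HMAC-MD5-96): %d to %d bytes" % esp_overhead_range())
    for mode, slide_mtu in (("tunnel", 1420), ("transport", 1440)):
        print(f"{mode:9s} ip mtu {slide_mtu}: largest encrypted packet "
              f"{gre_over_ipsec_size(slide_mtu, mode)} bytes; max safe ip mtu "
              f"{max_tunnel_ip_mtu(1500, mode)}")
    # Assumption: a GRE tunnel left at the IOS default ip mtu of 1476 (1500 minus 24 bytes).
    print("default tunnel ip mtu 1476, tunnel mode, fragments:", fragments(1476, "tunnel"))
```

With a 1420-byte inner packet the tunnel-mode result is 1496 bytes (76 bytes of overhead, the slide's "~75"); the computed ceiling is 1422 for tunnel mode and 1442 for transport mode, so the deck's round figures leave a small margin. A tunnel left at 1476 produces 1552-byte packets in tunnel mode, which is the fragmentation and process-switched reassembly slide 15 warns about.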
17. GRE IPSec Config
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 172.18.45.1
crypto isakmp key cisco123 address 172.18.45.2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode transport
18. GRE IPSEC Config continued
crypto map vpn 10 ipsec-isakmp
 set peer 172.18.45.1
 set transform-set myset
 match address 101
crypto map vpn 20 ipsec-isakmp
 set peer 172.18.45.2
 set transform-set myset
 match address 102
19. GRE IPSEC Config continued
interface Tunnel0
 ip address 10.4.1.1 255.255.255.0
 tunnel source 172.18.31.1
 tunnel destination 172.18.45.1
 crypto map vpn
interface Tunnel1
 ip address 10.4.2.1 255.255.255.0
 tunnel source 172.18.31.1
 tunnel destination 172.18.45.2
 crypto map vpn
interface Serial0
 ip address 172.18.31.1 255.255.255.0
 crypto map vpn
20. GRE IPSEC Config continued
router eigrp 100
 network 10.0.0.0
ip route 172.18.0.0 255.255.0.0 Serial0
ip access-list extended 101
 permit gre host 172.18.31.1 host 172.18.45.1
ip access-list extended 102
 permit gre host 172.18.31.1 host 172.18.45.2
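Two configuration checks that follow from the deck, written as an added example (not Cisco's code): the slide-9 pair of routers only works if each side names the other as peer and key address and the two crypto ACLs are exact mirror images, and slide 11's checklist for GRE over IPSec (crypto map on the tunnel and on the physical interface, GRE between the tunnel endpoints listed as interesting traffic) can be tested against the slide-17 to 20 configuration. The parser handles only the IOS subset the slides use; the sample configurations are copies of the slide configurations trimmed to the lines the checks read, with the named ACL written in standard IOS form; the interface carrying the crypto map is taken to be the IPsec endpoint (an assumption of this script).

```python
"""Static checks for the slide configurations (added example, not Cisco code): a parser for the
IOS subset the slides use, mirror_check for the slide-9 pair, gre_check for slide 11's checklist."""
LEFT = """\
crypto isakmp key cisco123 address 200.1.1.2
crypto map vpnmap 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set trans1
 match address 101
interface Ethernet1
 ip address 192.1.1.1 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
"""
RIGHT = """\
crypto isakmp key cisco123 address 192.1.1.1
crypto map vpnmap 10 ipsec-isakmp
 set peer 192.1.1.1
 set transform-set trans1
 match address 101
interface Ethernet1
 ip address 200.1.1.2 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
GRE = """\
crypto map vpn 10 ipsec-isakmp
 set peer 172.18.45.1
 set transform-set myset
 match address 101
interface Tunnel0
 tunnel source 172.18.31.1
 tunnel destination 172.18.45.1
 crypto map vpn
interface Serial0
 ip address 172.18.31.1 255.255.255.0
 crypto map vpn
ip access-list extended 101
 permit gre host 172.18.31.1 host 172.18.45.1
"""

def parse(cfg):
    """Collect pre-shared keys, crypto-map entries, interfaces and ACLs from IOS text."""
    c, ctx = {"keys": {}, "maps": {}, "intf": {}, "acl": {}}, None
    for line in filter(str.strip, cfg.splitlines()):
        t = line.split()
        if not line.startswith(" "):            # a top-level command opens a new context
            ctx = None
            if t[:3] == ["crypto", "isakmp", "key"]:
                c["keys"][t[5]] = t[3]          # peer address -> key
            elif t[:2] == ["crypto", "map"]:
                ctx = c["maps"].setdefault(f"{t[2]} {t[3]}", {})
            elif t[0] == "interface":
                ctx = c["intf"].setdefault(t[1], {})
            elif t[:3] == ["ip", "access-list", "extended"]:
                ctx = c["acl"].setdefault(t[3], [])
            elif t[0] == "access-list":
                c["acl"].setdefault(t[1], []).append(t[2:])
        elif isinstance(ctx, list):             # entry of a named ACL
            ctx.append(t)
        elif isinstance(ctx, dict):             # "set peer X", "ip address X M", "crypto map X"
            ctx[" ".join(t[:2])] = t[2] if len(t) > 2 else True
    return c

def outside(c):   # address of the interface carrying the crypto map, i.e. the IPsec endpoint
    return next(i["ip address"] for i in c["intf"].values() if "crypto map" in i)

def mirror_check(a, b):
    """Problems in a site-to-site pair; an empty list means the two configs mirror each other."""
    out = []
    for me, other in ((a, b), (b, a)):
        my_ip, peer_ip = outside(me), outside(other)
        if me["keys"].get(peer_ip) != other["keys"].get(my_ip):
            out.append(f"{my_ip}: pre-shared key for {peer_ip} missing or differs")
        for name, m in me["maps"].items():
            twin = next((x for x in other["maps"].values() if x.get("set peer") == my_ip), None)
            if m.get("set peer") != peer_ip or twin is None:
                out.append(f"{my_ip}: {name} and the peer's map entry do not point at each other")
                continue
            mine = {tuple(e) for e in me["acl"].get(m.get("match address"), [])}
            theirs = {(e[0], e[1], e[4], e[5], e[2], e[3]) for e in other["acl"].get(twin.get("match address"), [])}
            if mine != theirs:                  # crypto ACLs must be exact reverses (src/dst swapped)
                out.append(f"{my_ip}: crypto ACL is not the mirror image of the peer's")
    return out

def gre_check(c):
    """Slide-11 checklist: crypto map on tunnel and physical interface, GRE as interesting traffic."""
    out, by_ip = [], {i.get("ip address"): n for n, i in c["intf"].items()}
    for name, i in c["intf"].items():
        if not name.startswith("Tunnel"):
            continue
        src, dst = i.get("tunnel source"), i.get("tunnel destination")
        if "crypto map" not in i:
            out.append(f"{name}: crypto map not applied on the tunnel interface")
        if "crypto map" not in c["intf"].get(by_ip.get(src), {}):
            out.append(f"{name}: crypto map not applied on the physical interface owning {src}")
        entry = next((m for m in c["maps"].values() if m.get("set peer") == dst), {})
        if ["permit", "gre", "host", src, "host", dst] not in c["acl"].get(entry.get("match address"), []):
            out.append(f"{name}: GRE {src}->{dst} is not interesting traffic for peer {dst}")
    return out

if __name__ == "__main__":
    print(mirror_check(parse(LEFT), parse(RIGHT)), gre_check(parse(GRE)))   # [] [] when all is well
```

Both checks return an empty list for the slide configurations; editing one side's crypto ACL, key or peer address, or dropping the crypto map from a tunnel interface, produces a message naming the interface or endpoint at fault, which is the kind of mismatch that otherwise only shows up as a phase-2 negotiation failure.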
21. Preventing Traffic Injection
• ACL on the physical interface:
  interface Serial0/0
   ip access-group Only_ESP in
  ip access-list extended Only_ESP
   permit esp host 193.193.193.1 any
   permit udp host 193.193.193.1 eq 500 any
   deny ip any any log-input
• Even better, VRF Lite!
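What the Only_ESP ACL above admits and rejects, as an added example (not Cisco's code and not from the deck): the ACL is evaluated with IOS semantics over a handful of constructed packets, so a reader can see that only ESP and IKE (UDP source port 500) from the configured peer reach the router and that every other packet, cleartext from the peer included, hits the logged deny. The peer address is the slide's 193.193.193.1; the other addresses, the interface name and the shape of the log line are constructed for the example.

```python
"""Simulate the slide-21 'Only_ESP' inbound ACL over constructed packets (added example,
not Cisco code). IOS semantics modelled: entries are tried in order and the first match
wins; 'eq 500' written after the source host is a source-port test; an unmatched packet
hits the implicit deny; 'log-input' records the ingress interface for denied packets."""

PEER = "193.193.193.1"                  # remote IPsec peer, as on the slide
ONLY_ESP = [                            # (action, protocol, source, source port, destination, log)
    ("permit", "esp", PEER,  None, "any", False),
    ("permit", "udp", PEER,  500,  "any", False),   # IKE / ISAKMP from the peer
    ("deny",   "ip",  "any", None, "any", True),    # everything else, logged with log-input
]


def matches(entry, pkt):
    """True when one ACL entry matches the packet (protocol 'ip' matches any protocol)."""
    _action, proto, src, sport, dst, _log = entry
    return ((proto == "ip" or proto == pkt["proto"])
            and src in ("any", pkt["src"])
            and dst in ("any", pkt["dst"])
            and (sport is None or sport == pkt.get("sport")))


def apply_acl(acl, pkt, ifname="Serial0/0"):
    """Return (action, log line or None) for one inbound packet on interface ifname."""
    for entry in acl:
        if matches(entry, pkt):
            action, logged = entry[0], entry[5]
            line = None
            if logged:   # constructed approximation of the IOS %SEC-6-IPACCESSLOG message
                line = (f"%SEC-6-IPACCESSLOGP: list Only_ESP {action} {pkt['proto']} "
                        f"{pkt['src']} ({ifname}) -> {pkt['dst']}, 1 packet")
            return action, line
    return "deny", None                 # implicit deny at the end of every IOS ACL (not logged)


PACKETS = [   # constructed samples; the comment says what each one represents
    {"proto": "esp",  "src": PEER,           "dst": "193.193.193.2"},                                # tunnel data
    {"proto": "udp",  "src": PEER,           "dst": "193.193.193.2", "sport": 500,   "dport": 500},  # IKE
    {"proto": "udp",  "src": PEER,           "dst": "193.193.193.2", "sport": 4500,  "dport": 4500}, # NAT-T
    {"proto": "esp",  "src": "198.51.100.9", "dst": "193.193.193.2"},                                # ESP, wrong peer
    {"proto": "icmp", "src": PEER,           "dst": "193.193.193.2"},                                # cleartext from peer
    {"proto": "tcp",  "src": "198.51.100.9", "dst": "10.1.1.5",      "sport": 40000, "dport": 23},  # inside host
]


def decisions(acl=ONLY_ESP, packets=PACKETS):
    """Action per packet, in order."""
    return [apply_acl(acl, p)[0] for p in packets]


def denied_log_lines(acl=ONLY_ESP, packets=PACKETS):
    """Log lines produced by the logged deny entry, the data a defender would watch."""
    return [line for p in packets for _a, line in [apply_acl(acl, p)] if line]


if __name__ == "__main__":
    for p, d in zip(PACKETS, decisions()):
        print(f"{d:6s} {p['proto']:4s} {p['src']} -> {p['dst']}")
    print(*denied_log_lines(), sep="\n")
```

Two points the run makes visible: the explicit deny with log-input is what turns injection attempts into log lines, and the ACL as written also drops UDP/4500, so a peer behind NAT (NAT traversal moves IKE and ESP into UDP/4500) would need a further permit line.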
22. VPN Types and Applications
Type              | Application                        | As Alternative To              | Benefits
Remote Access VPN | Remote Dial Connectivity           | Dedicated Dial, ISDN           | Ubiquitous Access, Lower Cost
Site-to-Site VPN  | Site-to-Site Internal Connectivity | Leased Line, Frame Relay, ATM  | Extend Connectivity, Increased Bandwidth, Lower Cost
Extranet VPN      | Biz-to-Biz External Connectivity   | Fax, Mail, EDI                 | Facilitates E-Commerce
23. VPN Requirements Vary By Application
(Diagram: an Internet VPN connecting the Central Site with an Extranet Business Partner, a Mobile User via a POP, a Home Telecommuter via DSL/Cable, and a Remote Office via Site-to-Site)
Remote Access VPN:
• Evolution away from dial
• Per-user manageability
• Multi-OS (desktop) support
• Deployment scalability
Site-to-Site VPN:
• Extension of classic WAN
• Compatibility with diverse network traffic types
• Integration with routing
• Deployment scalability
24. Cisco VPN Portfolio
Purpose-Built for Specific VPN Environments
VPN Application | Large Enterprise | Medium Enterprise | Small Biz/Branch | SOHO
Remote Access Concentrators (Cisco VPN 3000 Concentrators) | VPN 3080, VPN 3060 | VPN 3030, VPN 3015 | VPN 3005 Concentrator | VPN 3002 Hardware Client (New), VPN 3000 Software Client
Site-to-Site IOS Routers | 7200, 7100 | 7100, 3600 | 3600, 2600, 1700 | 900, 800
Firewall-Based VPN (Pix Firewall) | Pix 535, Pix 525 | Pix 525, Pix 515 | Pix 515, Pix 506 | Pix 506
25. VPN Product Function Matrix
IOS VPN Routers
 Site-to-Site VPN:
  • Primary role
  • All encompassing site-to-site connectivity features
  • Provides routing, QoS, WAN interfaces, multicast and multiprotocol support
 Remote Access VPN:
  • Basic remote access functionality
PIX Firewalls
 Site-to-Site VPN:
  • Solution for security organizations that prefer operating firewalls
  • Provides full firewall features
  • Basic site-to-site functionality
 Remote Access VPN:
  • Provides most remote access features
  • Solution for security organizations that prefer operating firewalls
  • Provides full firewall features
VPN 3000 Concentrators
 Site-to-Site VPN:
  • Basic site-to-site functionality
 Remote Access VPN:
  • Primary role
  • Full featured remote access solution
26. Cisco IOS Software
Enhanced VPN Software Features
• Quality of Service
  – Application-aware packet classification
  – Congestion management and packet queuing
  – Traffic shaping and policing
• Stateful IOS Firewall
  – Per application content filtering and Java blocking
  – Denial of service protection and intrusion detection
  – Time-based ACLs
• VPN Resiliency
  – Dynamic Route Recovery: using routing protocols through IPSec secured GRE tunnel
  – Dynamic Tunnel Recovery: IPSec Keep-Alives
• Full Layer 3 Routing and Broad Interface Support
  – EIGRP, BGP, OSPF, and others
  – Numerous LAN and WAN interfaces
(Diagram labels: GRE, QoS, FW, BGP, IPSec)
27. Cisco Site-to-Site VPN Solutions
Scalability for Every Site
(Diagram: Main Office, Regional Office, Remote Office and Small Office/Home Office connected over the Internet)
Cisco 7100 & 7200 Series
• 7100 for dedicated VPN head-end
• 7200 for hybrid private WAN + VPN connectivity
Cisco 1700 Series
• VPN-optimized router connecting remote offices at T1/E1 speeds
Cisco 2600 & 3600 Series
• VPN-optimized routers connecting branch and regional offices at nxT1/E1 speeds
Cisco 800 & 900 Series
• VPN-optimized routers for ISDN, DSL, and cable connectivity
28. VPN-Enabled Broadband Routers
                        806         827/804     905
Simultaneous Tunnels    50          50          50
Performance             384 kbps    384 kbps    6 Mbps
Hardware Acceleration   None        None        (built-in)
WAN Interfaces          Ethernet    DSL/ISDN    Cable
LAN Interfaces          4xEthernet  1xEthernet  4xEthernet
29. VPN-Enabled Routers
                        1710         1720/1750   2611/2621   2651        3620/3640
Simultaneous Tunnels    100          100         300         800         800
Performance (Mbps)      4            4           10/12       14          10/19
Hardware Acceleration   (built-in)   VPN Module  AIM-VPN/BP  AIM-VPN/EP  NM-VPN/MP
WAN Interfaces          1xEthernet   (varies)    (varies)    (varies)    (varies)
LAN Interfaces          1xFE         1xFE        2xFE        2xFE        (varies)
30. VPN-Enabled Routers
                        3660         7120       7140       7140        7200
Simultaneous Tunnels    1,300        2,000      2,000      3,000       5,000
Performance (Mbps)      40           50         90         140         145
Hardware Acceleration   AIM-VPN/HP   ISM        ISM        ISM & ISA   SA-VAM
WAN Interfaces          (varies)     (varies)   (varies)   None        (varies)
LAN Interfaces          1xFE         2xFE       2xFE       2xFE        (varies)
31. 2650 Enhanced Performance VPN Module
New!
• AIM-VPN/EP Enhanced Performance Module
  – Delivers 14 Mbps 3DES performance
  – New AIM-VPN/EP is specially designed to take advantage of the 2650 High Performance Router
  – This VPN Module is being offered in addition to our present AIM-VPN/BP (Base Performance Module)
  – Supported on all 2600 platforms
32. VPN Acceleration Module (VAM) for 7100/7200
New!
• Greater than DS3 encryption performance
  – 145 Mbps 3DES IPSec performance for scalable site-to-site encryption
• Allows large number of VPN tunnels
  – 5000 simultaneous IPSec sessions
• Fast VPN tunnel setup time
  – Hardware acceleration for RSA: tunnel setup & key generation
• Compression for bandwidth conservation
  – Hardware acceleration for IPPCP LZS compression
(Pictured: SA-VAM for 7200, SM-VAM for 7100)
33. VPN Management
• VPN Device Manager
  – Embedded web single device policy manager
• VPN Management Solutions
  – Enterprise VPN monitoring & policy manager
• Cisco Secure Policy Manager
  – Centralized, intelligent security policy management for firewall and VPN
• Telnet/SSH/rlogin/rsh/rcp CLI, tftp, MIBs
34. Site-to-Site VPN Platform Summary
• Comprehensive Suite of Site-to-Site VPN Features
  – Supports the most diverse VPN environments
• High Performance VPN
  – Up to 145 Mbps 3DES/HMAC-SHA1 IPSec
  – Up to 5,000 simultaneous tunnels
• Site Specific VPN Scalability
  – DSL, Cable, & ISDN VPN routers
  – Ethernet-to-Ethernet broadband routers
• Network Management Tailored for Site-to-Site Applications
35. For More Information...
Blog.router-switch.com
• News, tutorials, tips, info & thoughts on developments in the Cisco, Cisco network, IT, software & network hardware industry
Editor's Notes
Protection suite of priority 1
 encryption algorithm: Three key triple DES
 hash algorithm: Secure Hash Standard
 authentication method: Pre-Shared Key
 Diffie-Hellman group: #1 (768 bit)
 lifetime: 86400 seconds, no volume limit
Default protection suite
 encryption algorithm: DES - Data Encryption Standard (56 bit keys).
 hash algorithm: Secure Hash Standard
 authentication method: Rivest-Shamir-Adleman Signature
 Diffie-Hellman group: #1 (768 bit)
 lifetime: 86400 seconds, no volume limit
SAs will regenerate behind the scenes
7206BA#sh crypto ipsec security-association-lifetime
Security association lifetime: 4608000 kilobytes/3600 seconds
Site-to-site VPNs and remote access VPNs tend to have different requirements