3. What is VPN ?
A virtual private network (VPN) is a
computer network that is
implemented in an additional logical
layer (overlay) on top of an existing
network. It has the purpose of
creating a private scope of computer
communications or providing a
secure extension of a private
network into an insecure network
such as the Internet.
http://en.wikipedia.org/wiki/Virtual_private_network
4. Categories of VPN
VPN technologies may be classified
by many standards.
Two broad categories of VPN are:
– Secure VPNs
– Trusted VPNs
5. Secure VPNs
• Provide mechanisms for authentication of the
tunnel endpoints and encryption of the traffic.
• Provide remote access facilities to employees.
• Connects multiple networks together securely
using the Internet to carry the traffic.
• Secure VPN protocols include IPSec, SSL or
PPTP (with MPPE).
• Doesn't provide Qos or routing.
6. Trusted VPNs
• Created by carriers and large organizations on
large core networks.
• Provides Quality of Service.
• Trusted VPN protocols include MPLS, ATM or
Frame Relay.
• Do not provide security features such as data
confidentiality through encryption.
9. Basic Router Configuration
• Creating Local Login Users for VPN.
Router(config)# username [loginID] privilege [1-15] password 0 [password]
• Configure Fast Ethernet Interfaces
Router#config t
Router(config)#int f0/0
Router(config-if)# description Internal LAN (192.168.0.0/24)
Router(config-if)#ip address 192.168.0.254 255.255.255.0
Router(config-if)#no shut
Router(config)#int f0/1
Router(config-if)# description VPN INT (10.1.1.0/24)
Router(config-if)#ip address 10.1.1.254 255.255.255.0
Router(config-if)#no shut
10. Basic Router Configuration (contd)
• Configure Routing Protocol
Router#config t
Router(config)#router eigrp 1
Router(config-router)#network 192.168.0.0
Router(config-router)#network 172.16.1.0
Router(config-router)#network 10.0.0.0
• IP Pool
Router(config)# ip local pool ip_pool 172.16.1.10 172.16.1.20
11. Configuring AAA
• aaa-model
Enables the authentication, authorization, and accounting (AAA) access control
model.
Router(config)#aaa new-model
• aaa session-id [common | unique]
Ensures that all session identification (ID) information that is sent out for a given
call will be made identical. The default behavior is common.
Router(config)#aaa session-id common
12. Configuring AAA (contd)
• aaa authentication login [list-name] local
Sets (AAA) authentication at login. ‘Local’ keyword tells the AAA to use local
username database for authentication.
Router(config)# aaa authentication login vpn_xauth local
• aaa authorization network [list-name] local
Creates a list for authorization of all network-related service requests . ‘Local’
keyword tells the AAA to use local username database for authentication
Router(config)# aaa authorization network vpn_group local
13. Virtual Template
• A virtual template interface is a logical entity that
are created, configured dynamically, used, and
then freed when no longer needed.
• Requires the same amount of memory as a serial
interface.
• Cisco routers support a maximum of 300 virtual
interfaces.
14. Benifts of Virtual Template
• For easier maintenance, allows customized
configurations to be predefined.
• For scalability, allows interface configuration to
be separated from physical interfaces.
• For consistency and configuration ease, allows the
same predefined template to be used for all
users.
• For efficient router operation, frees the virtual
access interface memory for another dial-in use
15. Configuring Virtual Template
Router#config t
Router(config)# interface Virtual-Template1
Router(config-if)# ip unnumbered FastEthernet0/1
Router(config-if)# no peer default ip address
Router(config-if)# ppp encrypt mppe auto required
Router(config-if)# ppp authentication ms-chap ms-chap-v2
16. VPDN
• A virtual private dial−up network (VPDN) allows a
private network dial in service to span across to
remote access servers (defined as the L2TP Access
Concentrator [LAC]).
• LAC forwards the PPP session on to an L2TP
Network Server (LNS). The LNS then authenticates
the user and starts the PPP negotiation.
• VPDN uses the Layer 2 Forwarding protocol (L2F)
which permits the tunneling of link level frames
17. Configuring VPDN
• enable vpdn
Enables virtual private networking.
Router(config)#enable vpdn
• vpdn-group [group name]
Ceates a vpdn group which specifies the protocol, dialup mode and interface
Router(config)# vpdn-group VPN_Server
Router(config)# accept-dialin
Router(config)# protocol pptp
Router(config)# virtual-template 1
18. IPSec
• Internet Protocol Security (IPsec) is a protocol
suite for securing Internet Protocol (IP)
communications.
• IPsec uses the following protocols to perform
various functions
Internet key exchange (IKE and IKEv2) to set up a security
association (SA)
Authentication Header (AH) to provide connectionless
integrity.
Encapsulating Security Payload (ESP) to provide
confidentiality.
19. Configuring IPSec based VPN
• crypto isakmp policy [priority]
Defines an Internet Key Exchange (IKE) policy. IKE policies define a set of
parameters to be used during the IKE negotiation
Router(config)#crypto isakmp policy 1
Router(config-crypto-isakmp)# encr 3des
Router(config-crypto-isakmp)# authentication pre-share
Router(config-crypto-isakmp)# group 2
20. Configuring IPSec based VPN (contd)
• sh crypto isakmp policy
Below command list the policy created as a result of last command (previous slide).
Router#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
21. Configuring IPSec based VPN (contd)
• crypto isakmp client configuration group [name]
Specify which group’s policy profile will be defined by defining key and ip address
pool.
Router(config)#crypto isakmp client configuration group ipsec_group
Router(config-crypto-isakmp )# key ipsec
Router(config-crypto-isakmp )# pool ip_pool
Router(config-crypto-isakmp )# netmask 255.255.255.255
22. Configuring IPSec based VPN (contd)
• crypto ipsec transform-set
A transform set specifies the encryption and authentication algorithms used to
protect the data in the VPN Tunnel.
Router(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
Router(config-crypto-ipsec )#crypto dynamic-map DYNMAP 1
Router(config-crypto-ipsec )#set transform-set ESP-3DES-SHA
Transform Set:
Name:ESP-3DES-SHA1
ESP Encryption: ESP_3DES
ESP Integrity: ESP_SHA_HMAC
23. Configuring IPSec based VPN (contd)
• crypto map
Creates a crypto profile that provides a template for configuration.
Router(config)#crypto map CMAP client authentication list vpn_auth
Router(config)#crypto map CMAP isakmp authorization list vpn_group
Router(config)#int f0/1
Router(config-if)#crypto map CMAP
The IPSec Encapsulating Security Payload (ESP) provides data privacy. The ESP protocol also defines an authenticated format that provides data authentication and integrity, with data privacy. AH with the SHA (Secure Hash Algorithm) (an HMAC variant) authentication algorithm