© 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T 
affiliated companies. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. 
Technical Development Program 
VPN basics 
November 5, 2014
Martín Bratina 
• Buenos Aires, Argentina 
• 32 Years old 
• +10 Years in Telecom/Networking 
• 3+ in AT&T 
• Martin.Bratina@intl.att.com 
• Soccer 
• Music 
• Drumming 
• Golf 
Agenda 
1. What is a VPN? 
2. Types of VPNs 
3. Commonly used VPNs 
4. IPSec VPNs 
5. Lab 
6. Real scenario troubleshooting 
7. Q&A
What is a VPN? 
• Establishes a connection between networks across an untrusted network by means of a tunnel
[Diagram: Site A and Site B joined by a VPN tunnel across the Internet]
Types of VPNs 
• Site to Site 
• Remote Access 
Types of VPNs: Site to Site
[Diagram: Site A and Site B exchange "Data A-B" through a tunnel across the Internet]
Types of VPNs: Remote Access
[Diagram: User 1, User 2 ... User n each connect across the Internet to Site A]
Commonly used VPNs
• L2 VPNs
  ◦ L2TP
  ◦ MPLS VPN: VPLS
• L3 VPNs
  ◦ IPSec
  ◦ MPLS VPN: routed
  ◦ GRE
• L5/L6 VPNs
  ◦ SSL-TLS
IPSec VPN
• IP Security
• RFCs: a lot! They start at RFC 2401
• Works at the IP layer (L3)
• Supports ONLY unicast traffic
• 2 modes
  ◦ Tunnel mode
  ◦ Transport mode
• 2 protocols
  ◦ ESP: Encapsulating Security Payload
  ◦ AH: Authentication Header
• 2 phases
  ◦ Phase 1: establishes a secure channel over which Phase 2 is negotiated
  ◦ Phase 2: establishes the secure channel for the IPSec data traffic
IPSec VPN: Benefits 
• Anti Replay 
• Confidentiality 
• Integrity 
• Authentication 
IPSec encapsulation 
• AH. Transport mode 
• AH. Tunnel mode 
• ESP. Transport mode 
• ESP. Tunnel mode 
© 2014 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. 
AT&T Proprietary (Internal Use Only) Not for use or disclosure outside the AT&T companies except under written agreement.
IPSec VPN: Phase 1
• Builds on the ISAKMP and OAKLEY protocols
• Internet Key Exchange (IKE) protocol
• Protocol UDP, port 500
• 2 modes:
  ◦ Main
  ◦ Aggressive
• Parameters
  ◦ Encryption
  ◦ Integrity
  ◦ Diffie-Hellman group
  ◦ Timeout
  ◦ Authentication
IPSec VPN: Phase 2
• IPSec parameters
  ◦ Protocol: ESP or AH
  ◦ Encryption: transform set
  ◦ Integrity: transform set
  ◦ Proxy: interesting traffic
  ◦ Lifetime: SA regeneration time
  ◦ Peer: endpoint
  ◦ Optional: Perfect Forward Secrecy (PFS)
IPSec VPN: concepts 
• Encryption 
• Integrity 
• Keys 
Encryption Process
[Diagram: the data "www.att.com" goes through the encryption algorithm with an encryption key and comes out as "das$s.1O9&f"; the receiver holds the same encryption key to reverse the process]
Hash Process (HMAC)
[Diagram, steps 1-5: the sender runs the data through the hash algorithm and sends data + HASH; the receiver runs the received data through the same hash algorithm and compares the result with the received HASH. If the hash values match, the data is good.]
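The HMAC process on this slide is the integrity and authentication mechanism behind the "hash md5" Phase 1 setting and the "esp-md5-hmac" transform set in the lab configs. The Python below is an added example, not material from the deck: it walks through the five steps with a constructed demo key, showing the two failure cases a receiver must catch (data altered in transit, tag computed under a different key). It uses SHA-256 by default; HMAC-MD5 is the same construction with MD5 inside, but SHA-2 is the sensible choice for new deployments.

```python
import hashlib
import hmac

# Constructed demo key. In IPSec the HMAC key is derived during IKE and is
# known only to the two peers; it never travels with the packet.
KEY = b"constructed-demo-key"


def sender_protect(key, data, digestmod="sha256"):
    """Steps 1-2 of the slide: compute HMAC(key, data) and send data + tag."""
    tag = hmac.new(key, data, digestmod).digest()
    return data + tag


def receiver_verify(key, message, digestmod="sha256"):
    """Steps 3-5: split off the tag, recompute it over the received data and
    compare. Returns the data if the hash values match, None otherwise."""
    tag_len = hashlib.new(digestmod).digest_size
    if len(message) < tag_len:
        return None                                   # truncated on the wire
    data, tag = message[:-tag_len], message[-tag_len:]
    expected = hmac.new(key, data, digestmod).digest()
    # compare_digest runs in constant time, so nobody learns anything from
    # how long the comparison took.
    return data if hmac.compare_digest(tag, expected) else None


def demo():
    """Exercise the three cases a receiver must distinguish."""
    message = sender_protect(KEY, b"www.att.com")
    genuine = receiver_verify(KEY, message)             # untouched: data comes back
    tampered = bytearray(message)
    tampered[0] ^= 0x01                                 # one bit of the data flipped in transit
    modified = receiver_verify(KEY, bytes(tampered))    # tag no longer matches: None
    other_key = receiver_verify(b"other-key", message)  # tag made under a different key: None
    return genuine, modified, other_key


if __name__ == "__main__":
    print(demo())
```

A plain hash appended to the data would detect accidental corruption but not deliberate modification, since anyone can recompute it; the key is what turns the check into authentication of the sender.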
Symmetric key encryption
• Symmetric keys are faster and are used for bulk data encryption
• Typical key sizes vary from 40 bits to 2048 bits
• Examples: DES, 3DES, AES
[Diagram, steps 1-3: the sender combines the original data with the shared key to produce the encrypted data; the encrypted data crosses the network; the receiver applies the same key to recover the original data]
Public key encryption
• Public and private key scheme
• Slow when used for data encryption
• Examples: RSA, DH
[Diagram, steps 1-4: the receiver's public key (Pub) is shared with the sender while the private key (Priv) stays with the receiver; the sender encrypts the original data with Pub; the encrypted data crosses the network; the receiver decrypts it with Priv to recover the original data]
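Diffie-Hellman, listed here as a public-key example and earlier as the "Diffie-Hellman group" Phase 1 parameter, is how the two peers agree on keying material although every value they exchange crosses the untrusted network in the clear. The Python below is an added example, not material from the deck. The modulus is the Oakley group 2 prime from RFC 2409 (1024-bit MODP, generator 2), the "group 2" in the lab configs; the key derivation at the end is a simplified stand-in for IKE's PRF-based derivation, and the public-value check rejects the degenerate values a peer must never accept. Group 2 is below today's recommended minimum: group 14 (2048-bit MODP) or an elliptic-curve group is the usual floor now.

```python
import hashlib
import secrets

# Oakley group 2 from RFC 2409 (1024-bit MODP prime, generator 2), transcribed
# from the RFC; this is the "group 2" negotiated by the lab's Phase 1 policies.
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G_GROUP2 = 2


def is_valid_public_value(y, p=P_GROUP2):
    """Reject 0, 1 and p-1: those values force the shared secret into a tiny set."""
    return 1 < y < p - 1


def dh_keypair(p=P_GROUP2, g=G_GROUP2):
    """The private exponent stays on this peer; only g^x mod p is sent."""
    private = secrets.randbelow(p - 3) + 2        # uniform in [2, p-2]
    return private, pow(g, private, p)


def dh_shared_secret(private, peer_public, p=P_GROUP2):
    """Combine our private exponent with the value the peer sent."""
    if not is_valid_public_value(peer_public, p):
        raise ValueError("invalid Diffie-Hellman public value from peer")
    return pow(peer_public, private, p)


def phase1_exchange():
    """Both peers derive the same secret from values that crossed the wire in the clear."""
    a_priv, a_pub = dh_keypair()                  # Site A
    b_priv, b_pub = dh_keypair()                  # Site B
    k_a = dh_shared_secret(a_priv, b_pub)         # A uses B's public value
    k_b = dh_shared_secret(b_priv, a_pub)         # B uses A's public value
    # Simplified stand-in for IKE's PRF-based key derivation: hash the shared secret.
    skeyid = hashlib.sha256(k_a.to_bytes(128, "big")).hexdigest()
    return k_a == k_b, skeyid


if __name__ == "__main__":
    same, skeyid = phase1_exchange()
    print("peers agree:", same, "derived key:", skeyid[:16] + "...")
```

An observer who records both public values still has to solve the discrete logarithm in the group to learn the secret, which is exactly why the size of the group (and not only the choice of cipher) belongs on the Phase 1 checklist.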
LAB
• Site to site IPSec VPN
• Pre-shared key authentication
[Diagram: Site A (10.10.1.0/24, outside address 1.1.1.2) and Site B (192.168.1.0/24, outside address 2.2.2.2) connected across the Internet; 1.1.1.1 and 2.2.2.1 are the Internet-side addresses]
LAB config: Cisco ASA v8.4 
! 
!PHASE 1 
! 
tunnel-group 2.2.2.2 type ipsec-l2l 
tunnel-group 2.2.2.2 ipsec-attributes 
pre-shared-key 1234567890 
! 
crypto ikev1 policy 10 
authentication pre-share 
encryption aes 
hash md5 
group 2 
lifetime 86400 
crypto ikev1 enable outside 
! 
!PHASE 2 
! 
access-list cptomap_vpn_siteb extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map cptomap_outside 10 match address cptomap_vpn_siteb
crypto map cptomap_outside 10 set peer 2.2.2.2
crypto map cptomap_outside 10 set transform-set ESP-3DES-MD5
!
crypto map cptomap_outside interface outside
!
LAB config: Cisco IOS v15.1 
! 
!PHASE 1 
! 
crypto isakmp policy 10 
encryption aes 128 
hash md5 
group 2 
authentication pre-share 
lifetime 86400 
! 
crypto isakmp key 1234567890 address 1.1.1.2
!
!PHASE 2
!
ip access-list extended cptomap_vpn_sitea
permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
mode tunnel
!
crypto map cptomap_outside local-address fastethernet 0/0
crypto map cptomap_outside 10 ipsec-isakmp
match address cptomap_vpn_sitea
set peer 1.1.1.2
set transform-set ESP-3DES-MD5
!
interface fastethernet 0/0
crypto map cptomap_outside
!
LAB config: Verification commands 
! 
! PHASE 1 
! 
show crypto ikev1 sa
show crypto ikev1 sa detail
!
!PHASE 2
!
show crypto ipsec sa
show crypto ipsec sa detail
show crypto condition peer x.x.x.x
show crypto session (IOS)
!
Troubleshooting 
• Check Pre shared key 
• Check ACLs 
• Check Phase 1 parameters 
• Check Phase 2 parameters 
• Check routes to remote network 
• Verify that ISAKMP-IKE/crypto map is enabled on interfaces 
• Verify that ISAKMP and ESP traffic is allowed 
• Debug 
• Check internal port openings 
• Check NAT translations 
• Don't assume, CHECK. Check the config, and RE-CHECK the config again! Be prepared to guide the other end through the verification/debug process
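Most of the checklist above comes down to one question: do the two ends describe the same tunnel? The Python below is an added example, not material from the deck. It reads constructed excerpts of the two lab configurations (the ASA at Site A, the IOS router at Site B, reduced to the lines the checker needs) and reports every place where the Phase 1 policy, the pre-shared key and the address it is bound to, the peer addresses, the transform set, or the crypto ACLs disagree. The outside addresses are passed in by hand, and the parser only understands the handful of keywords the lab uses.

```python
import ipaddress
import re

# Constructed excerpts of the two lab configurations, reduced to the lines
# the checker reads. Site A is the ASA (outside 1.1.1.2), Site B the IOS
# router (outside 2.2.2.2).
ASA_SITE_A = """
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key 1234567890
access-list cptomap_vpn_siteb extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map cptomap_outside 10 set peer 2.2.2.2
"""

IOS_SITE_B = """
crypto isakmp policy 10
 encryption aes 128
 hash md5
 group 2
 authentication pre-share
 lifetime 86400
crypto isakmp key 1234567890 address 1.1.1.2
ip access-list extended cptomap_vpn_sitea
 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map cptomap_outside 10 ipsec-isakmp
 set peer 1.1.1.2
"""


def parse_side(text, local_ip):
    """Pull the Phase 1 / Phase 2 parameters out of one side's config."""
    p = {"local": local_ip}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"encryption (\S+)(?: (\d+))?$", line):
            p["encryption"] = f"{m[1]} {m[2] or 128}"   # bare 'aes' on the ASA means 128-bit
        for key in ("hash", "group", "authentication", "lifetime"):
            if m := re.match(rf"{key} (\S+)$", line):
                p[key] = m[1]
        if m := re.match(r"pre-shared-key (\S+)$", line):
            p["psk"] = m[1]
        if m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            p["psk_peer"] = m[1]                           # ASA binds the PSK to the peer's tunnel-group
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            p["psk"], p["psk_peer"] = m[1], m[2]           # IOS binds it to an address
        if m := re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            # ipaddress accepts both an ASA netmask and an IOS wildcard mask here
            p["src"] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
            p["dst"] = ipaddress.ip_network(f"{m[3]}/{m[4]}")
        if m := re.search(r"transform-set \S+ (.+)$", line):
            p["transform"] = tuple(sorted(m[1].split()))
        if m := re.search(r"set peer (\S+)$", line):
            p["peer"] = m[1]
    return p


def compare_sides(a, b):
    """Return a list of mismatches; an empty list means the two sides agree."""
    findings = []
    for key in ("encryption", "hash", "group", "authentication", "lifetime"):
        if a.get(key) != b.get(key):
            findings.append(f"phase1 {key}: {a.get(key)} vs {b.get(key)}")
    if a.get("psk") != b.get("psk"):
        findings.append("pre-shared keys differ")
    for mine, other in ((a, b), (b, a)):
        if mine.get("psk_peer") != other["local"]:
            findings.append(f"psk bound to {mine.get('psk_peer')}, other side is {other['local']}")
        if mine.get("peer") != other["local"]:
            findings.append(f"peer {mine.get('peer')} is not the other side's address {other['local']}")
    if a.get("transform") != b.get("transform"):
        findings.append(f"phase2 transform set: {a.get('transform')} vs {b.get('transform')}")
    if not (a.get("src") == b.get("dst") and a.get("dst") == b.get("src")):
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


def check_lab():
    """Run the checker over the constructed lab configs."""
    return compare_sides(parse_side(ASA_SITE_A, "1.1.1.2"),
                         parse_side(IOS_SITE_B, "2.2.2.2"))


if __name__ == "__main__":
    print(check_lab() or "both sides agree")
    # Same lab with one typo at Site B: the Phase 1 hash no longer matches.
    print(compare_sides(parse_side(ASA_SITE_A, "1.1.1.2"),
                        parse_side(IOS_SITE_B.replace("hash md5", "hash sha"), "2.2.2.2")))
```

The ACL comparison is the step people most often skip: the ASA expresses the interesting traffic with subnet masks and the router with wildcard masks, so the two lines look different even when they match, and the checker normalises both to network objects before insisting that A's source/destination pair is B's destination/source pair.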
Q&A
Thank You!

Más contenido relacionado

La actualidad más candente

Ccna Presentation
Ccna PresentationCcna Presentation
Ccna Presentation
bcdran
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
Muuluu
 

La actualidad más candente (20)

Network Troubleshooting - Part 2
Network Troubleshooting - Part 2Network Troubleshooting - Part 2
Network Troubleshooting - Part 2
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
 
CCNA ppt
CCNA pptCCNA ppt
CCNA ppt
 
Syslog Protocols
Syslog ProtocolsSyslog Protocols
Syslog Protocols
 
How Secure are IPsec and SSL VPN encryptions
How Secure are IPsec and SSL VPN encryptionsHow Secure are IPsec and SSL VPN encryptions
How Secure are IPsec and SSL VPN encryptions
 
Real-world 802.1X Deployment Challenges
Real-world 802.1X Deployment ChallengesReal-world 802.1X Deployment Challenges
Real-world 802.1X Deployment Challenges
 
Ccna Presentation
Ccna PresentationCcna Presentation
Ccna Presentation
 
CCNAv5 - S4: Chapter8 monitoring the network
CCNAv5 - S4: Chapter8 monitoring the networkCCNAv5 - S4: Chapter8 monitoring the network
CCNAv5 - S4: Chapter8 monitoring the network
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
 
CCNA training 101
CCNA training 101CCNA training 101
CCNA training 101
 
Chapter 17 : static routing
Chapter 17 : static routingChapter 17 : static routing
Chapter 17 : static routing
 
pfSense presentation
pfSense presentationpfSense presentation
pfSense presentation
 
CCNAv5 - S2: Chapter10 DHCP
CCNAv5 - S2: Chapter10 DHCPCCNAv5 - S2: Chapter10 DHCP
CCNAv5 - S2: Chapter10 DHCP
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to site
 
CCNAv5 - S2: Chapter3 Vlans
CCNAv5 - S2: Chapter3 VlansCCNAv5 - S2: Chapter3 Vlans
CCNAv5 - S2: Chapter3 Vlans
 
Ether channel fundamentals
Ether channel fundamentalsEther channel fundamentals
Ether channel fundamentals
 
MPLS (Multiprotocol Label Switching)
MPLS (Multiprotocol Label Switching)MPLS (Multiprotocol Label Switching)
MPLS (Multiprotocol Label Switching)
 
CCNA 2 Routing and Switching v5.0 Chapter 4
CCNA 2 Routing and Switching v5.0 Chapter 4CCNA 2 Routing and Switching v5.0 Chapter 4
CCNA 2 Routing and Switching v5.0 Chapter 4
 
ISE-CiscoLive.pdf
ISE-CiscoLive.pdfISE-CiscoLive.pdf
ISE-CiscoLive.pdf
 
Cisco Application Centric Infrastructure
Cisco Application Centric InfrastructureCisco Application Centric Infrastructure
Cisco Application Centric Infrastructure
 

Destacado

Arbol b+
Arbol b+Arbol b+
Arbol b+
cesarpa
 

Destacado (20)

IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec ProtocolsIPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
 
Ipsec
IpsecIpsec
Ipsec
 
IPSec Overview
IPSec OverviewIPSec Overview
IPSec Overview
 
IPsec
IPsecIPsec
IPsec
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1
 
Ipsec
IpsecIpsec
Ipsec
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERSSITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
 
Protocole IKE/IPsec
Protocole IKE/IPsecProtocole IKE/IPsec
Protocole IKE/IPsec
 
IP Security
IP SecurityIP Security
IP Security
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip security
 
OSPF Basics
OSPF BasicsOSPF Basics
OSPF Basics
 
Ipsec
IpsecIpsec
Ipsec
 
Ch32
Ch32Ch32
Ch32
 
Arbol b+
Arbol b+Arbol b+
Arbol b+
 
Facebook Attacks
Facebook AttacksFacebook Attacks
Facebook Attacks
 
Stylish Bathroom Accessories
Stylish Bathroom AccessoriesStylish Bathroom Accessories
Stylish Bathroom Accessories
 
Internet Protocol Secure (IPSec)
Internet Protocol Secure (IPSec)Internet Protocol Secure (IPSec)
Internet Protocol Secure (IPSec)
 
phising netiqueta
phising netiquetaphising netiqueta
phising netiqueta
 
Brkcrt 2214
Brkcrt 2214Brkcrt 2214
Brkcrt 2214
 

Similar a IPSec VPN Basics

TAG IoT Summit - Why You Need a Strategy for the Internet of Things
TAG IoT Summit - Why You Need a Strategy for the Internet of ThingsTAG IoT Summit - Why You Need a Strategy for the Internet of Things
TAG IoT Summit - Why You Need a Strategy for the Internet of Things
Eric Sineath
 

Similar a IPSec VPN Basics (20)

Multi-Network Location & SMS APIs
Multi-Network Location & SMS APIsMulti-Network Location & SMS APIs
Multi-Network Location & SMS APIs
 
(NET202) Connectivity Using Software-Defined Networking & Advanced API
(NET202) Connectivity Using Software-Defined Networking & Advanced API(NET202) Connectivity Using Software-Defined Networking & Advanced API
(NET202) Connectivity Using Software-Defined Networking & Advanced API
 
Being A Socially Responsible Social Developer: Mobile App Security
Being A Socially Responsible Social Developer: Mobile App SecurityBeing A Socially Responsible Social Developer: Mobile App Security
Being A Socially Responsible Social Developer: Mobile App Security
 
Mobile App Security: How Secure is your Mobile App
Mobile App Security: How Secure is your Mobile AppMobile App Security: How Secure is your Mobile App
Mobile App Security: How Secure is your Mobile App
 
CORD: Central Office Re-architected as a Datacenter
CORD: Central Office Re-architected as a DatacenterCORD: Central Office Re-architected as a Datacenter
CORD: Central Office Re-architected as a Datacenter
 
Mobile Performance at London Web Perf Mettup
Mobile Performance at London Web Perf MettupMobile Performance at London Web Perf Mettup
Mobile Performance at London Web Perf Mettup
 
What Makes Mobile Websites Tick - Oredev
What Makes Mobile Websites Tick - OredevWhat Makes Mobile Websites Tick - Oredev
What Makes Mobile Websites Tick - Oredev
 
Enterprise Global Messaging
Enterprise Global MessagingEnterprise Global Messaging
Enterprise Global Messaging
 
AT&T Mobile App Hackathon - Seattle
AT&T Mobile App Hackathon - SeattleAT&T Mobile App Hackathon - Seattle
AT&T Mobile App Hackathon - Seattle
 
Secure Connectivity to your Salesforce Applications
Secure Connectivity to your Salesforce ApplicationsSecure Connectivity to your Salesforce Applications
Secure Connectivity to your Salesforce Applications
 
Bonding Your Private Network to Salesforce Clouds
Bonding Your Private Network to Salesforce CloudsBonding Your Private Network to Salesforce Clouds
Bonding Your Private Network to Salesforce Clouds
 
AT&T Mobile App Hackathon (Smart City) - Berkeley
AT&T Mobile App Hackathon (Smart City) - BerkeleyAT&T Mobile App Hackathon (Smart City) - Berkeley
AT&T Mobile App Hackathon (Smart City) - Berkeley
 
AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...
AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...
AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...
 
Not If, But When: A CEO's Guide to Cyberbreach Response
Not If, But When: A CEO's Guide to Cyberbreach ResponseNot If, But When: A CEO's Guide to Cyberbreach Response
Not If, But When: A CEO's Guide to Cyberbreach Response
 
TAG IoT Summit - Why You Need a Strategy for the Internet of Things
TAG IoT Summit - Why You Need a Strategy for the Internet of ThingsTAG IoT Summit - Why You Need a Strategy for the Internet of Things
TAG IoT Summit - Why You Need a Strategy for the Internet of Things
 
Android App performance - Europe 2015
Android App performance - Europe 2015Android App performance - Europe 2015
Android App performance - Europe 2015
 
2015 AT&T Developer Summit
2015 AT&T Developer Summit2015 AT&T Developer Summit
2015 AT&T Developer Summit
 
Securing the Internet of Things: What the CEO Needs to Know
Securing the Internet of Things: What the CEO Needs to KnowSecuring the Internet of Things: What the CEO Needs to Know
Securing the Internet of Things: What the CEO Needs to Know
 
Webinar: How AT&T is Using Tin Can to Enhance Compliance Training 8/27/14
Webinar: How AT&T is Using Tin Can to Enhance Compliance Training 8/27/14Webinar: How AT&T is Using Tin Can to Enhance Compliance Training 8/27/14
Webinar: How AT&T is Using Tin Can to Enhance Compliance Training 8/27/14
 
Firewall Webinar
Firewall WebinarFirewall Webinar
Firewall Webinar
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Último (20)

Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

IPSec VPN Basics

  • 1. © 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. 1 Technical Development Program VPN basics November 5, 2014
  • 2. Martín Bratina • Buenos Aires, Argentina • 32 Years old • +10 Years in Telecom/Networking • 3+ in AT&T • Martin.Bratina@intl.att.com • Soccer • Music • Drumming • Golf © 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change.
  • 3. Agenda © 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. 3 1. What is a VPN? 2. Types of VPNs 3. Commonly used VPNs 4. IPSec VPNs 5. Lab 6. Real scenario troubleshooting 7. Q&A
  • 4. © 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. 4 Agenda 1. What is a VPN? 2. Types of VPNs 3. Commonly used VPNs 4. IPSec VPNs 5. Lab 6. Real scenario troubleshooting 7. Q&A
  • 5. What is a VPN? • Establish a connection between networks over an untrusted network provided via a tunnel Site A Site B Internet VPN © 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change.
  • 6. © 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. 6 Agenda 1. What is a VPN? 2. Types of VPNs 3. Commonly used VPNs 4. IPSec VPNs 5. Lab 6. Real scenario troubleshooting 7. Q&A
• 7. Types of VPNs
  • Site to Site
  • Remote Access
• 8. Types of VPNs
  • Site to Site
  • Remote Access
  [Diagram: Site A and Site B connected across the Internet; the "Data A-B" packets travel inside the VPN tunnel between the two gateways]
• 9. Types of VPNs
  • Site to Site
  • Remote Access
  [Diagram: User 1, User 2 ... User n each connecting individually across the Internet to Site A]
• 11. Commonly used VPNs
  • L2 VPNs
    - L2TP
    - MPLS VPN (VPLS)
  • L3 VPNs
    - IPSec
    - MPLS VPN (routed)
    - GRE
  • L5/L6 VPNs
    - SSL/TLS
  Note: GRE and L2TP only tunnel; they add no encryption by themselves, so they are normally paired with IPSec (GRE over IPSec, L2TP/IPSec) when confidentiality is required.
• 13. IPSec VPN
  • IP Security
  • RFCs: a lot! The architecture starts at RFC 2401 (since replaced by RFC 4301; ESP and AH are now RFC 4303 and RFC 4302)
  • Works at the IP layer (L3)
  • Natively protects unicast traffic only; multicast and routing protocols are normally carried inside GRE over IPSec
  • 2 modes
    - Tunnel mode
    - Transport mode
  • 2 protocols
    - ESP: Encapsulating Security Payload
    - AH: Authentication Header
  • 2 phases
    - Phase 1: establishes a secure, authenticated channel (the ISAKMP SA) used to negotiate Phase 2
    - Phase 2: establishes the IPSec SAs that actually protect the traffic
• 14. IPSec VPN: Benefits
  • Anti-replay
  • Confidentiality
  • Integrity
  • Authentication
• 15. IPSec encapsulation
  • AH, transport mode
  • AH, tunnel mode
  • ESP, transport mode
  • ESP, tunnel mode
  [Diagram: packet layout for each of the four combinations]
• 16. IPSec VPN: Phase 1
  • Builds on the ISAKMP and OAKLEY protocols
  • Internet Key Exchange (IKE) protocol
  • UDP port 500 (UDP port 4500 once NAT Traversal is detected; the firewalls in the path must allow both)
  • 2 modes
    - Main (6 messages; peer identities are exchanged encrypted)
    - Aggressive (3 messages; the identity and the authentication hash travel in the clear, which with pre-shared keys allows an offline brute-force attack on the PSK)
  • Parameters
    - Encryption
    - Integrity (hash)
    - Diffie-Hellman group
    - Lifetime
    - Authentication
• 17. IPSec VPN: Phase 2
  • IPSec parameters
    - Protocol: ESP or AH
    - Encryption: transform set
    - Integrity: transform set
    - Proxy: interesting traffic (the ACL that selects what gets encrypted; it must be the mirror image of the peer's ACL)
    - Lifetime: SA regeneration time
    - Peer: endpoint
    - Optional: Perfect Forward Secrecy (PFS)
• 18. IPSec VPN: concepts
  • Encryption
  • Integrity
  • Keys
• 19. Encryption process
  [Diagram: the data "www.att.com" goes through the encryption algorithm with the encryption key and comes out as "das$s.1O9&f"; the receiver applies the same key to get the data back]
• 20. Hash process (HMAC)
  [Diagram, steps 1-5: the sender runs the data through the hash algorithm and sends data + hash; the receiver splits them, hashes the received data again and compares the two values. If the hash values match, the data is good]
• 21. Symmetric key encryption
  • Symmetric keys are faster and are used for bulk data encryption
  • Key sizes in common use range from 56 bits (DES) to 256 bits (AES-256); 56-bit DES can be brute-forced and 3DES is deprecated, so AES is the practical choice
  • Examples: DES, 3DES, AES
  [Diagram, steps 1-3: the sender encrypts the original data with the shared key, the encrypted data crosses the network, and the receiver decrypts it with the same key]
• 22. Public key encryption
  • Public and private key scheme
  • Slow when used for data encryption, so it is used to exchange or agree on the symmetric keys, not to protect the traffic itself
  • Examples: RSA (encryption and signatures), Diffie-Hellman (key agreement)
  [Diagram, steps 1-4: the receiver generates a key pair and sends the public key to the sender; the sender encrypts the original data with that public key; the receiver decrypts the encrypted data with its private key]
• 24. LAB
  [Topology: Site A 10.10.1.0/24 -- ASA outside 1.1.1.2 -- Internet router (1.1.1.1 / 2.2.2.1) -- IOS router outside 2.2.2.2 -- Site B 192.168.1.0/24]
  • Site to site IPSec VPN
  • Pre-shared key authentication
• 25. LAB config: Cisco ASA v8.4
  !
  ! PHASE 1
  !
  tunnel-group 2.2.2.2 type ipsec-l2l
  tunnel-group 2.2.2.2 ipsec-attributes
   ikev1 pre-shared-key 1234567890
  !
  crypto ikev1 policy 10
   authentication pre-share
   encryption aes
   hash md5
   group 2
   lifetime 86400
  crypto ikev1 enable outside
  !
  ! PHASE 2
  !
  access-list cptomap_vpn_siteb extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
  !
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  !
  crypto map cptomap_outside 10 match address cptomap_vpn_siteb
  crypto map cptomap_outside 10 set peer 2.2.2.2
  crypto map cptomap_outside 10 set ikev1 transform-set ESP-3DES-MD5
  !
  crypto map cptomap_outside interface outside
  !
  ! Notes: "ikev1 pre-shared-key" and "set ikev1 transform-set" are the 8.4 forms of the commands (the older "pre-shared-key" / "set transform-set" on the original slide are accepted but deprecated). The ASA also needs a NAT exemption (identity NAT) for 10.10.1.0/24 <-> 192.168.1.0/24 so the tunnel traffic is not translated before it is encrypted. 3DES, MD5 and DH group 2 are the 2014 lab values; for a production tunnel use AES (preferably AES-GCM), SHA-256 and DH group 14 or higher.
• 26. LAB config: Cisco IOS v15.1
  !
  ! PHASE 1
  !
  crypto isakmp policy 10
   encryption aes 128
   hash md5
   group 2
   authentication pre-share
   lifetime 86400
  !
  crypto isakmp key 1234567890 address 1.1.1.2
  !
  ! PHASE 2
  !
  ip access-list extended cptomap_vpn_sitea
   permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
  !
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
   mode tunnel
  !
  crypto map cptomap_outside local-address FastEthernet0/0
  crypto map cptomap_outside 10 ipsec-isakmp
   match address cptomap_vpn_sitea
   set peer 1.1.1.2
   set transform-set ESP-3DES-MD5
  !
  interface FastEthernet0/0
   crypto map cptomap_outside
  !
  ! Note: the IOS crypto ACL is the mirror image of the ASA one (source 192.168.1.0/24, destination 10.10.1.0/24); Phase 1 parameters (AES, MD5, group 2, pre-share, 86400) and the transform set (ESP-3DES-MD5) match the ASA side exactly. A mismatch in either place makes the corresponding phase fail.
• 27. LAB config: Verification commands
  !
  ! PHASE 1
  !
  show crypto ikev1 sa           (ASA)
  show crypto ikev1 sa detail    (ASA)
  show crypto isakmp sa          (IOS)
  !
  ! PHASE 2
  !
  show crypto ipsec sa
  show crypto ipsec sa detail
  show crypto session            (IOS)
  !
  ! Conditional debugging, so the debug output is limited to one peer
  debug crypto condition peer x.x.x.x        (ASA)
  debug crypto condition peer ipv4 x.x.x.x   (IOS)
  !
• 29. Troubleshooting
  • Check the pre-shared key
  • Check the ACLs (interesting traffic must mirror on both ends)
  • Check Phase 1 parameters
  • Check Phase 2 parameters
  • Check routes to the remote network
  • Verify that ISAKMP/IKE is enabled and the crypto map is applied on the interfaces
  • Verify that ISAKMP (UDP 500, and UDP 4500 with NAT-T) and ESP (IP protocol 50) traffic is allowed
  • Debug
  • Check internal port openings
  • Check NAT translations (the VPN traffic must be exempted from NAT)
  • Don’t assume, CHECK. Check the config, and RE-CHECK the config again! Be prepared to guide the other end through the verification/debug process
• 30. Q&A
• 31. Thank You!

Editor's notes (speaker notes)

1. Estimated duration 00:55 Hello everyone, how are you? I hope you are doing fine! Welcome to this new TDP session, I’m glad to see you again. In this opportunity I will bring you the VPN basics. I hope that you find it useful. Before going forward I would like to thank Daniel, Sabrina and all the TDP team for the excellent work they are doing. I totally recommend that you visit the TDP site and check the previous sessions. They are all very interesting and the knowledge level of the speakers is very high. Definitely the bar is set higher every year, and that is thanks to the speakers and your feedback.
2. Estimated duration 00:40 Let me introduce myself. That is me on the left. My name is Martin Bratina. I’m 32 years old and, as Daniel said, I have more than 10 years in the telecommunications industry. I’ve been in AT&T for a little more than 3 years. I like listening to music, playing soccer and drums, and now I’m adding golf to my hobbies. I’m pretty bad at all of those things except for listening to music.
3. Estimated duration 00:55 The agenda for today is the following: I will start by explaining what a VPN is, then tell you what types of VPN there are and which are the most commonly used. After that introduction I will go in depth into IPSec VPNs. We will have a strong base of technical theory before moving to the LAB. Once we finish the LAB, we will have a troubleshooting section. And finally we will move to the Q&A section. If you are thinking about having a coffee and grabbing something to eat, now is the time.
4. Estimated duration 00:40 What is a VPN? A VPN is a communication path between private sites via an untrusted network. An untrusted network could be the Internet, an ISP network, a customer network or an internal network without security. In a VPN, the original data is encapsulated and encrypted, and a new VPN header is added and used for routing. Throughout this session I will use the Internet to refer to this untrusted network.
5. Estimated duration 00:10 There are 2 types of VPNs: site to site VPNs and remote access VPNs.
6. Estimated duration 01:15 As the name states, a site to site VPN connects two sites. The VPN tunnel can be up permanently or can be generated on demand when traffic needs to flow to the remote site. In the picture you can see the original data from network A to network B in black. The original data is encapsulated and encrypted on the VPN gateway with a new VPN header. That VPN header is the green one in the picture, and you can see that the original data is inside that new packet as payload data. This new VPN IP header has the VPN peers as source/destination IP addresses, not the original IPs (green packet in the drawing). That header is used to transport the information over the untrusted network until it reaches the remote VPN peer. The remote VPN peer decapsulates and decrypts the packet and forwards the original data to the destination.
7. Estimated duration 00:45 Remote access VPN is used to provide access for remote users or systems to sites/systems. This scenario is similar to the old remote dial-up scenarios. Users can be mobile users, desktop users, servers, etc. It is most commonly used for mobile users. The user has a VPN client application installed on their PC and uses it to connect to the main site to access resources. The traffic towards the main site is encrypted in the same way as in a site to site VPN. This is how we connect to the AT&T network from our PC when working from home.
8. Estimated duration 01:00 There are a lot of VPN types used in real life. The difference between them is how they encapsulate and/or encrypt data and what kind of data they can carry, but the main idea is the same for all of them: provide a connection over untrusted networks. Here I mention some of the most commonly used VPNs. I will not go into detail on each of them; I just mention them to give you an idea of which layer they operate at. L2 VPNs: L2TP; MPLS VPN (VPLS). L3 VPNs: IPSec; MPLS VPN (routed); GRE. L5/L6 VPNs: SSL/TLS.
9. Well, fasten your seat belts and take a deep breath because we will start with IPSec. Estimated total time so far: 7 minutes
10. Estimated duration 02:45 IP Security (IPSec) is a set of protocols that provides confidentiality, integrity and authentication for IP traffic, for both IPv4 and IPv6. The architecture was defined in RFC 2401, with companion RFCs for each component (2402 for AH, 2406 for ESP, 2408 for ISAKMP, 2409 for IKE, and so on). Those documents have since been replaced by RFC 4301 (architecture), 4302 (AH), 4303 (ESP) and 7296 (IKEv2), but the concepts are the same. IPSec works at the IP layer. Natively it protects unicast traffic only. Because these services are provided at the IP layer, they can be used by any higher layer protocol, e.g. TCP, UDP, ICMP, BGP, etc. It supports 2 modes of operation: tunnel mode and transport mode. Tunnel mode protects the entire original IP packet, which becomes the payload of a new IP packet addressed between the VPN gateways. It is most commonly used between gateways, or from an end-station to a gateway, the gateway acting as a proxy for the hosts behind it. Transport mode provides protection primarily for upper layer protocols: IPSec protects only the IP payload, not the IP header, and the original header (with the end-host addresses) is kept for routing. It is used between end-stations, or between an end-station and a gateway when the gateway is being treated as a host. IPSec uses two protocols to provide traffic security: Encapsulating Security Payload (ESP) and Authentication Header (AH). ESP is defined in RFC 2406 (now RFC 4303) and uses IP protocol number 50. It provides data confidentiality, data integrity, data origin authentication and anti-replay services. In tunnel mode it encrypts the whole original packet and adds a new outer IP header; in transport mode it encrypts only the payload behind the original header. It can be used in tunnel and transport mode. AH is defined in RFC 2402 (now RFC 4302) and uses IP protocol number 51. It provides data integrity, data origin authentication and anti-replay services, but no encryption: the payload stays in clear text. AH inserts an authentication header after the IP header whose integrity check covers the whole packet, including the non-mutable fields of the IP header itself; in tunnel mode a new outer IP header is added and the original packet is authenticated as the payload. Because AH authenticates the IP addresses, it does not survive NAT, which is one reason ESP is what is almost always deployed. It can be used in tunnel and transport mode. Establishing an IPSec session is a 2 phase process: Phase 1 establishes a secure connection channel for the Phase 2 negotiations; Phase 2 establishes the security associations for the IPSec secure communication.
11. Estimated duration 01:15 A VPN is secure because private data is encapsulated, encrypted and sent to the remote peer for decryption/decapsulation. We will later see what encapsulation and encryption are. There are four major concerns when sending private data over a public medium that IPSec addresses. One is anti-replay, also called replay prevention. It ensures the uniqueness of each IP packet, so that data captured by an attacker cannot be reused or replayed to establish a session or gain information illegally. IPSec does this with a sequence number in every ESP/AH packet and a sliding window on the receiver that rejects duplicates and packets older than the window. Confidentiality keeps data secure and hidden (using encryption); it ensures that data is only disclosed to intended recipients. Integrity ensures data hasn’t been changed; it protects data from unauthorized modification in transit, ensuring that the data received is exactly the same as the data sent. Authentication verifies that the traffic really came from the advertised source: a message could only have been sent by a peer that has knowledge of the authentication key. --------------------------------------------------------------------------------------------------------------------- The set of security services offered by IPSec (RFC 2401) includes access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality.
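The anti-replay mechanism described above, as an added example that is not part of the original deck: a receiver-side sliding window of the kind RFC 4303 (section 3.4.3 and Appendix A) specifies for ESP, with a 64-packet window. The sequence numbers fed through it are constructed for the example, not captured traffic.

```python
"""Added example (not from the original deck): an ESP anti-replay sliding window.

Every ESP packet carries a monotonically increasing sequence number. The
receiver keeps the highest number accepted so far plus a bitmap of which of the
last `size` numbers have already been seen. A packet is accepted only if it is
newer than anything seen (the window slides), or if it falls inside the window
and has not been seen before. Everything else is a replay or too old.
"""


class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size       # RFC 4303 requires at least 32; 64 is common
        self.last = 0          # highest sequence number accepted so far
        self.bitmap = 0        # bit i set => sequence number (last - i) was seen

    def check(self, seq):
        """Return True and record seq if it passes the anti-replay check,
        False if it is a duplicate or lies to the left of the window."""
        if seq == 0:
            return False       # sequence number 0 is never transmitted
        if seq > self.last:
            shift = seq - self.last
            if shift >= self.size:
                self.bitmap = 0            # the whole old window scrolls away
            else:
                # Slide right; bits that fall off the left edge are forgotten.
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1               # mark seq itself (offset 0)
            self.last = seq
            return True
        offset = self.last - seq
        if offset >= self.size:
            return False       # too old: left of the window
        if self.bitmap & (1 << offset):
            return False       # duplicate: already accepted once
        self.bitmap |= 1 << offset         # late but new: accept and record
        return True


def replay_audit(sequence_numbers, size=64):
    """Run a list of received sequence numbers through one SA's window and
    return (accepted, rejected) lists, the way a receiver would log them."""
    window = AntiReplayWindow(size)
    accepted, rejected = [], []
    for seq in sequence_numbers:
        (accepted if window.check(seq) else rejected).append(seq)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed stream: in-order packets, one reordered, one replayed (3),
    # a jump to 100, a late arrival inside the window (37) and one outside (36).
    print(replay_audit([1, 2, 3, 5, 4, 3, 100, 37, 36, 2, 1]))
```

The reordered packet (4 arriving after 5) is accepted because it is inside the window and new; the second copy of 3 is rejected as a replay; after the jump to 100, 37 is still inside the 64-wide window but 36 is not. This is also why a long outage or a peer reboot that resets sequence numbers to 1 shows up as a burst of anti-replay drops until the SA is renegotiated.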
12. Estimated duration 01:45 In this diagram you can see how the IP packet is modified in each IPSec mode. AH in transport mode only inserts a new authentication header after the IP header; the integrity check covers the payload plus the IP header. Not all IP header fields are covered: mutable fields such as TTL and ToS/DSCP change in transit and are zeroed for the calculation. In tunnel mode, AH adds a new outer IP header and signs the entire original IP packet. Both AH modes are used for integrity checks, to verify that the IP packet was not modified; they never hide the data. ESP in transport mode encapsulates only the IP payload between an ESP header and trailer; the original IP header stays outside, in clear text. ESP in tunnel mode encapsulates and encrypts the entire original IP packet (header and payload) and adds a new outer IP header; the integrity check value covers the ESP header and the encrypted payload and trailer, but not the outer IP header. Encapsulation is the process of taking data and putting it into a new data format. Take the ESP tunnel mode example. ESP takes the whole original IP packet, places it between a new ESP header and trailer, and encrypts it. The IP addresses of the original IP header (the ones that belong to the end hosts) are now hidden inside the encrypted ESP payload. The new outer IP header carries the IP addresses of the VPN peers. When a device receives the packet, it processes it first at the IP layer, removes the outer IP header, then processes the ESP header (checks the SPI, the sequence number and the integrity value, then decrypts), and only then examines the original IP packet and forwards it.
13. Estimated duration 05:00 As I told you before, to establish an IPSec VPN tunnel we need to configure 2 phases. Phase 1 establishes a secure connection channel for the Phase 2 negotiations. Phase 1 builds on the ISAKMP and OAKLEY protocols. ISAKMP, the Internet Security Association and Key Management Protocol, defines the procedures and packet formats to establish, negotiate, modify and delete Security Associations (SAs). This is needed because in a VPN there is a lot of background work related to key generation and management that is complex to configure manually. ISAKMP formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism. ISAKMP cleanly separates the details of security association management (and key management) from the details of key exchange. There may be many different key exchange protocols, each with different security properties; a common framework is required for agreeing on the format of SA attributes and for negotiating, modifying and deleting SAs, and ISAKMP serves as that framework. A Security Association (SA) is a relationship between two or more entities that describes how the entities will use security services to communicate securely; in practice it is a set of policy and key(s) used to protect information. The ISAKMP SA is the shared policy and key(s) used by the negotiating peers to protect their own communication. Phase 1 uses the Internet Key Exchange (IKE) protocol to negotiate, and provide authenticated keying material for, security associations in a protected manner. IKE runs over UDP port 500 (and UDP port 4500 once NAT traversal is detected). Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. This is called the ISAKMP Security Association (SA), and it is used to negotiate the Phase 2 SAs. The ISAKMP SA is bidirectional: once established, either party may initiate Phase 2 negotiations.
Main mode: the initiator and the responder exchange 6 messages before the SA is established. Aggressive mode: they exchange 3 messages. Main mode is more secure than aggressive mode because the peer identities are exchanged only after the Diffie-Hellman secret is in place and are therefore encrypted; in aggressive mode the identity and the authentication hash travel in the clear, so with pre-shared keys an eavesdropper can run an offline dictionary attack on the PSK. Main mode is used when both tunnel peers have static IP addresses configured; aggressive mode is used when one tunnel peer has a dynamically-assigned IP address (the identity sent in the clear is what lets the responder find the right key). To sum up, Phase 1 is IKE, where you start things out. You configure the encryption algorithm, the integrity hash, the Diffie-Hellman group, the lifetime and the authentication mode. We will see all those parameter options later. You can define many Phase 1 policies on the initiator and all will be sent to the responder, but it will choose only one: it compares its own policies in priority order against everything offered and takes the first match; if nothing matches, Phase 1 fails right there.
------------------------------------------------------------------------------------------------------------------------------------------- Additional notes (for myself) -------------------------------------------------------------------------------------------------------------------------- IKE negotiates proposals containing encryption and authentication algorithms, creates encryption and authentication keys automatically (which gives the ability to re-key frequently) and provides the gateway identity function. After the basic set of security attributes has been agreed upon, the initial identity authenticated and the required keys generated, the established SA can be used for subsequent communications by the entity that invoked ISAKMP. Key establishment (key generation / key transport): the two common methods of using public key cryptography for key establishment are key transport and key generation. An example of key transport is the use of the RSA algorithm to encrypt a randomly generated session key (for encrypting subsequent communications) with the recipient's public key; the encrypted random key is then sent to the recipient, who decrypts it using his private key. The Diffie-Hellman (D-H) algorithm illustrates key generation using public key cryptography. The D-H algorithm begins with the two users exchanging public information. Each user then mathematically combines the other's public information with their own secret information to compute a shared secret value. This secret value can be used as a session key or as a key encryption key for encrypting a randomly generated session key. This method generates a session key based on public and secret information held by both users. The benefit of the D-H algorithm is that the key used for encrypting messages is based on information held by both users, and the independence of keys from one key exchange to the next provides perfect forward secrecy, as long as the secret exponents are fresh each time and discarded afterwards.
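The "many policies offered, only one chosen" rule from the Phase 1 notes above, as an added example that is not part of the original deck. The policies are constructed from the lab parameters on the slides; the matching rule is the one Cisco IOS documents for ISAKMP (the responder walks its own policies in priority order, lowest number first, and takes the first one whose encryption, hash, DH group and authentication the initiator also offered, accepting the initiator's lifetime only if it is not longer than its own and then using the shorter value). Message encoding, vendor IDs and IKEv2 are deliberately left out; this is the selection logic only.

```python
"""Added example (not from the original deck): which Phase 1 policy a responder
selects out of several, and how to explain a NO_PROPOSAL_CHOSEN mismatch."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1Policy:
    priority: int       # lower number = higher priority, as on Cisco
    encryption: str     # e.g. "aes-128", "3des"
    hash: str           # e.g. "sha", "md5"
    group: int          # Diffie-Hellman group number
    auth: str           # "pre-share" or "rsa-sig"
    lifetime: int = 86400


def compatible(resp, init):
    """Cisco IOS rule: the four algorithm attributes must be identical and the
    initiator's lifetime may not exceed the responder's."""
    return (resp.encryption == init.encryption and resp.hash == init.hash
            and resp.group == init.group and resp.auth == init.auth
            and init.lifetime <= resp.lifetime)


def select_policy(responder_policies, initiator_offers):
    """Return (chosen responder policy, negotiated lifetime), or (None, None)
    when the responder would answer NO_PROPOSAL_CHOSEN."""
    for resp in sorted(responder_policies, key=lambda p: p.priority):
        for offer in sorted(initiator_offers, key=lambda p: p.priority):
            if compatible(resp, offer):
                return resp, min(resp.lifetime, offer.lifetime)
    return None, None


def explain_mismatch(responder_policies, initiator_offers):
    """For the troubleshooting slide: list the attribute that blocks each
    responder-policy / initiator-offer pairing."""
    reasons = []
    for resp in responder_policies:
        for offer in initiator_offers:
            for field in ("encryption", "hash", "group", "auth"):
                if getattr(resp, field) != getattr(offer, field):
                    reasons.append(f"policy {resp.priority} vs offer {offer.priority}: "
                                   f"{field} {getattr(resp, field)} != {getattr(offer, field)}")
            if offer.lifetime > resp.lifetime:
                reasons.append(f"policy {resp.priority} vs offer {offer.priority}: "
                               f"lifetime {offer.lifetime} > {resp.lifetime}")
    return reasons


if __name__ == "__main__":
    # Constructed from the lab: the ASA offers its single policy 10, the IOS
    # router has a stronger policy 5 plus the lab policy 10.
    asa = [Phase1Policy(10, "aes-128", "md5", 2, "pre-share", 86400)]
    ios = [Phase1Policy(5, "aes-256", "sha", 14, "pre-share", 86400),
           Phase1Policy(10, "aes-128", "md5", 2, "pre-share", 86400)]
    print(select_policy(ios, asa))          # IOS policy 10 is chosen
    print(explain_mismatch(ios[:1], asa))   # why policy 5 alone would fail
```

Note the asymmetry the lifetime rule introduces: a router configured with a shorter lifetime than its peer accepts the tunnel when it initiates but refuses it when it responds. That is the kind of "it only works from one side" symptom the troubleshooting slide's "check Phase 1 parameters" is meant to catch.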
14. Estimated duration 02:00 Phase 2 is where Security Associations are negotiated on behalf of upper services. Phase 2 is IPSec: here you specify the policies that produce the traffic keys themselves, and the traffic gets encrypted under them. If everything goes well, an IPSec SA is present. The Security Associations are negotiated over the Phase 1 secure channel. Phase 2 is called Quick Mode. Phase 2 uses ESP or AH to protect traffic. Phase 2 SAs are unidirectional, therefore 2 SAs need to be established: one for outgoing traffic and one for incoming traffic, each with its own SPI and keys. To establish Phase 2 you need to define the encryption algorithm, the integrity hash, the proxy (the interesting traffic to encrypt, identified with an ACL), the SA lifetime, the remote peer ID and, optionally, PFS, perfect forward secrecy. PFS is Diffie-Hellman applied in Phase 2 for key generation: without PFS the IPSec keys are derived from the Phase 1 secret, so someone who later recovers that secret can derive every Phase 2 key; with PFS each IPSec SA does its own fresh D-H exchange, so compromising one key does not expose the others. The Diffie-Hellman (D-H) algorithm illustrates key generation using public key cryptography: it begins with the two users exchanging public information, and each user then mathematically combines the other's public information with their own secret information to compute a shared secret value. This secret value can be used as a session key or as a key encryption key for encrypting a randomly generated session key.
--------------------------------------------------------------------------------------------------------------------------------------------------------- For reference, this is what an IOS router reports for a configured Phase 1 policy and for the built-in default (show crypto isakmp policy):
  Protection suite of priority 1
    encryption algorithm: Three key triple DES
    hash algorithm: Secure Hash Standard
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 86400 seconds, no volume limit
  Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 86400 seconds, no volume limit
  The default suite (DES, 768-bit DH group 1) is far too weak to rely on; always configure an explicit policy.
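The Diffie-Hellman exchange described in the Phase 1 notes and the PFS option in the Phase 2 notes above, as one added example that is not part of the original deck. It uses the 2048-bit MODP group (DH group 14, RFC 3526) with the prime copied from the RFC, since the 1024-bit group 2 in the lab is no longer recommended. The key derivation step is a stand-in (plain SHA-256 over a label and the shared secret), not IKE's actual PRF chain; the point it demonstrates is which inputs the Phase 2 keys depend on with and without PFS.

```python
"""Added example (not from the original deck): Diffie-Hellman agreement as IKE
uses it, and what Perfect Forward Secrecy changes for the Phase 2 keys.

Each peer publishes only g^x mod p. Combining the peer's public value with one's
own secret exponent gives both sides the same shared secret, which an observer
of the exchange cannot compute. Assumptions: DH group 14 parameters from
RFC 3526; a simplified SHA-256 key derivation in place of IKE's PRF.
"""
import hashlib
import secrets

# RFC 3526, group 14: 2048-bit MODP safe prime, generator 2 (copied from the RFC).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def keypair(p=P, g=G):
    """One peer's contribution: a fresh random secret x and public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def shared_secret(my_secret, peer_public, p=P):
    """(g^y)^x mod p. Public values outside (1, p-1) are rejected, since 0, 1 and
    p-1 would force the secret into a trivial subgroup."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, my_secret, p)


def derive_key(secret_int, label, nbytes=32):
    """Stand-in for IKE's PRF-based derivation (assumption: SHA-256 over label||secret)."""
    raw = secret_int.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(label + raw).digest()[:nbytes]


def negotiate(pfs):
    """Simulate Phase 1 followed by two Phase 2 SAs and report whether the
    Phase 2 keys could be recomputed by someone holding only the Phase 1 secret."""
    a_secret, a_pub = keypair()            # initiator
    b_secret, b_pub = keypair()            # responder
    phase1_a = shared_secret(a_secret, b_pub)
    phase1_b = shared_secret(b_secret, a_pub)

    phase2_keys = []
    for i in range(2):
        label = f"phase2-sa-{i}".encode()
        if pfs:
            # PFS: a fresh DH exchange per IPsec SA; the key is independent of phase1.
            a2_secret, _ = keypair()
            _, b2_pub = keypair()
            phase2_keys.append(derive_key(shared_secret(a2_secret, b2_pub), label))
        else:
            # Without PFS the IPsec keys descend from the Phase 1 secret only.
            phase2_keys.append(derive_key(phase1_a, label))

    recomputed = [derive_key(phase1_a, f"phase2-sa-{i}".encode()) == k
                  for i, k in enumerate(phase2_keys)]
    return {"phase1_agreed": phase1_a == phase1_b,
            "phase2_keys_distinct": len(set(phase2_keys)) == 2,
            "recoverable_from_phase1": all(recomputed)}


if __name__ == "__main__":
    print("without PFS:", negotiate(pfs=False))
    print("with PFS:   ", negotiate(pfs=True))
```

Without PFS both Phase 2 keys are recoverable from the Phase 1 secret alone; with PFS they are not, because each IPsec SA did its own exchange and the exponents were discarded. That is the property you are buying when you enable "set pfs" on the crypto map, at the cost of one extra DH computation per rekey.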
16. Estimated duration 01:00 Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. The original data is encrypted using an encryption algorithm and a key. The receiver can only read the data if it has the key to decrypt it. This way, if the data is captured it can only be read by someone who has the encryption key. Using a long, random key is recommended in conjunction with a strong encryption algorithm. Some common encryption algorithms are DES, 3DES, AES (128 and 256 bit keys) and RSA (a public-key algorithm, covered on a later slide). As you can see in the presentation, after applying the encryption algorithm the data is transformed, and there is no way to tell from the encrypted data that it came from www.att.com.
17. Estimated duration 02:00 Hash message authentication codes (HMAC) sign packets to verify that the information received is exactly the same as the information sent. This is called integrity. HMACs provide integrity through a keyed hash: the result of a mathematical calculation on a message using a hash function (an algorithm) combined with a shared, secret key. The key is what makes this authentication rather than a checksum: anyone can recompute a plain hash over modified data, but only a holder of the shared key can produce the right HMAC. The sender takes the data and applies the hash algorithm together with the key. The resulting hash is appended to the data and the whole thing is sent to the receiver. The receiver separates data and hash, applies the same keyed hash algorithm to the received data, and compares the value it computed with the one it received. If they are equal, the data was not modified. (In the ESP transforms HMAC-MD5-96 and HMAC-SHA1-96 the tag is truncated to the first 96 bits before it is sent.) Examples: MD5, SHA. MD5 produces a 128 bit output; SHA-1 produces a 160 bit output. For integrity you can choose between two hash functions when setting policy on the lab platforms. MD5 (Message Digest 5) is based on RFC 1321; it completes four passes over the data blocks, using a different numeric constant for each word in the message on each pass, and produces a 128-bit hash that is used for the integrity check. SHA-1 (Secure Hash Algorithm 1) was developed by the National Institute of Standards and Technology as described in FIPS PUB 180-1; it is closely modeled after MD5 and produces a 160-bit hash. Because longer hash lengths provide greater security, SHA is stronger than MD5. Both MD5 and SHA-1 are broken for collision resistance today; the HMAC construction is not directly affected by that, but current guidance is to use SHA-256 or stronger wherever the peers support it.
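The keyed-versus-unkeyed point made above, as an added example that is not part of the original deck: a plain hash appended to a packet is recomputable by anyone who alters the packet, while an HMAC under a key the attacker does not hold is not. The payload and the shared key are constructed for the example, and the tag is truncated to 96 bits the way ESP-SHA1-HMAC does.

```python
"""Added example (not from the original deck): why IPsec integrity uses HMAC.

Two "protect / verify / forge" triples: one with a plain SHA-1 appended to the
data, one with HMAC-SHA1-96 (RFC 2404 truncation). The forgery succeeds against
the plain hash and fails against the HMAC.
"""
import hashlib
import hmac

ICV_LEN = 12  # 96-bit truncated integrity check value, as in HMAC-SHA1-96


def protect_plain_hash(data: bytes) -> bytes:
    """Sender, unkeyed: data || SHA1(data). Anyone can recompute this."""
    return data + hashlib.sha1(data).digest()


def verify_plain_hash(packet: bytes) -> bool:
    data, tag = packet[:-20], packet[-20:]
    return hmac.compare_digest(hashlib.sha1(data).digest(), tag)


def forge_plain_hash(packet: bytes, new_data: bytes) -> bytes:
    """Attacker with no key: replace the data and recompute the hash."""
    return protect_plain_hash(new_data)


def protect_hmac(key: bytes, data: bytes) -> bytes:
    """Sender, keyed: data || HMAC-SHA1-96(key, data)."""
    tag = hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]
    return data + tag


def verify_hmac(key: bytes, packet: bytes) -> bool:
    """Receiver: recompute the tag over the received data and compare in
    constant time, so timing does not leak how many bytes matched."""
    data, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, tag)


def forge_hmac(packet: bytes, new_data: bytes) -> bytes:
    """Attacker with no key: the best available move is to keep the old tag."""
    return new_data + packet[-ICV_LEN:]


def demo():
    """Run both schemes against the same tampering attempt and report results."""
    key = b"constructed-shared-secret"                 # constructed for the example
    original = b"GET /transfer?to=siteB&amount=10"     # constructed payload
    altered = b"GET /transfer?to=evil&amount=99"

    plain = protect_plain_hash(original)
    plain_forged = forge_plain_hash(plain, altered)

    keyed = protect_hmac(key, original)
    keyed_forged = forge_hmac(keyed, altered)

    return {
        "plain_ok": verify_plain_hash(plain),
        "plain_forgery_accepted": verify_plain_hash(plain_forged),
        "hmac_ok": verify_hmac(key, keyed),
        "hmac_forgery_accepted": verify_hmac(key, keyed_forged),
        "hmac_wrong_key_accepted": verify_hmac(b"other-key", keyed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "wrong key" case is what a transform-set or key mismatch between two IPsec peers looks like on the wire: packets arrive, the ICV check fails, and the receiver silently drops them, which is why a Phase 2 that comes up but passes no traffic should be checked for exactly this.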
18. Estimated duration 01:00 You can use pre-shared keys for authentication. Pre-shared means that the parties agree beforehand on a shared secret that both sides configure. A pre-shared key is a symmetric secret. In IPSec the pre-shared key authenticates the peers in Phase 1; it is not the key that encrypts the data. The actual encryption and integrity keys are derived from the Diffie-Hellman exchange. That is why a long, random PSK matters (it is the thing an attacker tries to guess, especially in aggressive mode) while the same PSK can stay in place as the traffic keys are regenerated every lifetime.
19. Estimated duration 02:00 Public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic algorithms which requires two separate keys, one of which is secret (or private) and one of which is public. Although different, the two parts of this key pair are mathematically linked. The receiver generates 2 keys, one private and one public. Traffic encrypted with the public key can only be decrypted with the private key, and vice versa. The receiver sends its public key to the sender; the sender uses that public key to encrypt traffic; the receiver decrypts that traffic using its private key. How the key types map onto IPSec: Symmetric (secret) key: encrypts and decrypts the data, and is also the form a pre-shared key takes. Asymmetric (public) key: certificates (RSA signatures) for peer authentication, and Diffie-Hellman for agreeing on the symmetric keys. An IPSec VPN uses both.
20. In this lab we will establish a VPN tunnel between 2 private networks over a public network. On the left side we have Site A with private network 10.10.1.0/24; its VPN gateway is a Cisco ASA firewall connected to the Internet. On the right side we have Site B with private network 192.168.1.0/24; its VPN gateway is a Cisco 7600 router. The Internet is simulated with a WAN router that connects the 2 public networks.
21. Reading the Phase 1 state while troubleshooting: MM_ACTIVE (ASA) or QM_IDLE (IOS) means Phase 1 completed and the ISAKMP SA is up; from there move on to Phase 2 (show crypto ipsec sa). In the debug output, IKE_DECODE SENDING / IKE_DECODE RECEIVED show each Main Mode message leaving and arriving, so you can see at which message the exchange stalls. An initiator stuck in MM_WAIT_MSG2 got no usable reply to its first message: no route, UDP 500 blocked, ISAKMP not enabled on the peer interface, or no matching Phase 1 policy (look for NO_PROPOSAL_CHOSEN in the debug). Stuck in MM_WAIT_MSG4 means the policy was accepted but the key exchange was not answered; check that the responder has a tunnel-group / key entry for the initiator's address and that the larger UDP packets of the DH exchange are not being dropped in the path. Stuck in MM_WAIT_MSG6 means the authentication step did not complete, which with pre-shared keys is almost always a PSK mismatch: the responder cannot decrypt message 5, so message 6 never comes.