IPSec VPN Basics

IPSec VPN Basic concepts

Published in: Technology


  1. Technical Development Program: VPN basics. November 5, 2014. © 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. The information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change.
  2. Martín Bratina • Buenos Aires, Argentina • 32 years old • 10+ years in Telecom/Networking • 3+ in AT&T • Martin.Bratina@intl.att.com • Soccer • Music • Drumming • Golf
  3. Agenda • 1. What is a VPN? • 2. Types of VPNs • 3. Commonly used VPNs • 4. IPSec VPNs • 5. Lab • 6. Real scenario troubleshooting • 7. Q&A
  5. What is a VPN? • Establishes a connection between networks across an untrusted network (typically the Internet) by carrying the traffic inside a tunnel. [Figure: Site A and Site B joined by a VPN tunnel across the Internet]
  7. Types of VPNs • Site to Site • Remote Access
  8. Types of VPNs: Site to Site. [Figure: Site A and Site B exchange "Data A-B" through a single tunnel across the Internet; the gateways, not the end hosts, terminate the VPN]
  9. Types of VPNs: Remote Access. [Figure: User 1, User 2 ... User n each build their own tunnel across the Internet to the gateway at Site A]
  11. Commonly used VPNs • L2 VPNs: L2TP; MPLS VPN (VPLS) • L3 VPNs: IPSec; MPLS VPN (routed); GRE • L5/L6 VPNs: SSL/TLS. The layer only says where the tunnel is built, not whether it is protected: L2TP, GRE and MPLS VPNs provide separation by themselves but no encryption or integrity, which is why they are commonly carried over IPSec when they cross an untrusted network.
  13. IPSec VPN • IP Security • RFCs: a lot! The architecture starts at RFC 2401 (since replaced by RFC 4301) • Works at the IP layer (L3) • Supports ONLY unicast traffic (routing protocols and multicast need GRE over IPSec or a similar wrapper) • 2 modes: Tunnel mode, Transport mode • 2 protocols: ESP (Encapsulating Security Payload), AH (Authentication Header) • 2 phases: Phase 1 establishes the IKE SA, an authenticated and encrypted channel used only to negotiate Phase 2; Phase 2 negotiates the IPSec SAs (ESP or AH) that actually protect the data
  14. IPSec VPN: Benefits • Anti-replay (sequence numbers checked against a sliding window) • Confidentiality (ESP only; AH does not encrypt) • Integrity • Authentication (of every packet through the HMAC, and of the peer through Phase 1)
  15. IPSec encapsulation • AH, transport mode • AH, tunnel mode • ESP, transport mode • ESP, tunnel mode. Transport mode keeps the original IP header and protects only the payload (host-to-host); tunnel mode protects the whole original packet and adds a new outer IP header with the gateway addresses, which is what a site-to-site VPN uses. AH also authenticates the outer IP header, so it breaks as soon as NAT rewrites the addresses; ESP does not cover the outer header and works through NAT with NAT traversal. © 2014 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Proprietary (Internal Use Only) Not for use or disclosure outside the AT&T companies except under written agreement.
  16. IPSec VPN: Phase 1 • Builds on the ISAKMP and OAKLEY protocols • Internet Key Exchange (IKE) protocol • UDP port 500 (UDP port 4500 once NAT traversal is detected) • 2 modes: Main (6 messages, peer identities protected) and Aggressive (3 messages, identities sent in the clear). With pre-shared keys, aggressive mode also lets an eavesdropper capture a hash derived from the PSK and crack it offline, so prefer main mode and long random PSKs • Parameters: Encryption, Integrity (hash), Diffie-Hellman group, Lifetime (timeout), Authentication (pre-shared key or certificates)
  17. IPSec VPN: Phase 2 • IPSec parameters: Protocol (ESP or AH); Encryption and Integrity (the transform set); Proxy identities (the "interesting traffic" ACL, which must be a mirror image of the remote peer's); Lifetime (SA regeneration time); Peer (tunnel endpoint); Optional: Perfect Forward Secrecy (PFS), a fresh Diffie-Hellman exchange at every Phase 2 rekey so that a later compromise of the Phase 1 keys does not expose the data keys
  18. IPSec VPN: concepts • Encryption • Integrity • Keys
  19. Encryption process. [Figure: the plaintext "www.att.com" goes through the encryption algorithm with the encryption key and comes out as the ciphertext "das$s.1O9&f"; the receiver runs the same algorithm with the same key to recover the plaintext]
  20. Hash process (HMAC). [Figure: the sender runs the data through the hash algorithm with the shared key and sends data plus HMAC; the receiver recomputes the HMAC over the received data and compares the two values] If the hash values match, the data was not modified in transit and came from someone holding the key. The key is what matters: an unkeyed hash only detects accidental corruption, because an attacker who changes the data can simply recompute the hash.
  21. Symmetric key encryption • The same key encrypts and decrypts • Symmetric ciphers are fast and are used for bulk data encryption • Typical key sizes: 56 bits (DES), 112/168 bits (3DES), 128 to 256 bits (AES); the 2048-bit figure sometimes quoted belongs to RSA, not to symmetric ciphers • Examples: DES, 3DES (both considered weak today), AES. [Figure: the sender combines the original data with the key to produce the encrypted data; the receiver combines the encrypted data with the same key to recover the original]
  22. Public key encryption • Public and private key scheme: what the public key encrypts only the private key can decrypt • Slow when used for data encryption, so it is used to exchange or agree on the symmetric keys instead • Examples: RSA (encryption and signatures), Diffie-Hellman (key agreement rather than encryption: this is how IKE derives the session keys). [Figure: the sender encrypts the original data with the receiver's public key; the receiver decrypts it with its private key]
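The integrity, authentication and anti-replay services listed on slide 14 and the HMAC check on slide 20 come together in the receiver of every ESP packet. The following Python is an added example written for this page, not code from the presentation or from any IPsec implementation: it builds an ESP-like packet (SPI, sequence number, payload, ICV) with an HMAC-SHA256-128 ICV and verifies it against a 64-packet sliding anti-replay window as RFC 4303 describes. Encryption and the ESP trailer are deliberately left out so the three services stand out; the key, SPI and payloads are constructed values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16        # HMAC-SHA256-128: the 256-bit HMAC truncated to 128 bits (RFC 4868)
WINDOW_SIZE = 64    # minimum anti-replay window size required by RFC 4303


def build_esp(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI (4) | Seq (4) | payload | ICV.  Real ESP also encrypts
    the payload and appends padding and a Next Header byte before the ICV."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class InboundSA:
    """Receiver-side state for one inbound SA: key, SPI and replay window."""

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.highest_seq = 0   # right edge of the window
        self.window = 0        # bit i set => seq (highest_seq - i) already accepted

    def receive(self, packet: bytes) -> str:
        if len(packet) < 8 + ICV_LEN:
            return "malformed"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "wrong SPI"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        # Constant-time compare.  A forged or modified packet fails here and
        # must not touch the replay window: RFC 4303 checks the ICV first.
        if not hmac.compare_digest(icv, expected):
            return "bad ICV"
        if seq == 0:
            return "invalid seq"          # ESP never uses sequence number 0
        if seq > self.highest_seq:
            # Slide the window right; bits pushed past the left edge are dropped.
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest_seq = seq
            return "ok"
        diff = self.highest_seq - seq
        if diff >= WINDOW_SIZE:
            return "replay (too old)"
        if self.window & (1 << diff):
            return "replay (duplicate)"
        self.window |= 1 << diff          # late but unseen: accept and mark it
        return "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-sa-key"   # constructed sample key
    sa = InboundSA(key, spi=0x1000)
    pkts = [build_esp(key, 0x1000, n, b"payload %d" % n) for n in (1, 3, 2)]
    for p in pkts:
        print(struct.unpack("!I", p[4:8])[0], sa.receive(p))      # 1 ok, 3 ok, 2 ok
    print("replay:", sa.receive(pkts[2]))                         # replay (duplicate)
    forged = build_esp(b"attacker-key", 0x1000, 4, b"evil")
    print("forged:", sa.receive(forged))                          # bad ICV
```

The order of the checks is the security-relevant point: a packet whose ICV fails never touches the window, so an attacker cannot advance or poison the window with forged sequence numbers, and compare_digest keeps the ICV comparison constant-time. A reordered packet that is still inside the window is accepted once; the same packet a second time, or anything older than the window, is dropped.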
  24. LAB • Site to site IPSec VPN • Pre-shared key authentication. [Figure: Site A, LAN 10.10.1.0/24, behind the gateway at 1.1.1.2; Internet (1.1.1.1, 2.2.2.1); Site B, LAN 192.168.1.0/24, behind the gateway at 2.2.2.2]
  25. LAB config: Cisco ASA v8.4 (Site A, 1.1.1.2)
      !
      ! PHASE 1
      !
      tunnel-group 2.2.2.2 type ipsec-l2l
      tunnel-group 2.2.2.2 ipsec-attributes
       pre-shared-key 1234567890
      !
      crypto ikev1 policy 10
       authentication pre-share
       encryption aes
       hash md5
       group 2
       lifetime 86400
      crypto ikev1 enable outside
      !
      ! PHASE 2
      !
      access-list cptomap_vpn_siteb extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
      !
      crypto ipsec security-association lifetime seconds 28800
      crypto ipsec security-association lifetime kilobytes 4608000
      crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
      !
      crypto map cptomap_outside 10 match address cptomap_vpn_siteb
      crypto map cptomap_outside 10 set peer 2.2.2.2
      crypto map cptomap_outside 10 set transform-set ESP-3DES-MD5
      !
      crypto map cptomap_outside interface outside
      !
      Note: the lab keeps the algorithms simple (MD5, 3DES, DH group 2, a numeric PSK) so the flow is easy to follow. For a production tunnel use AES for ESP (AES-GCM where the platform supports it), SHA-256 for integrity, DH group 14 or larger, and a long random PSK or certificates; the same applies to the IOS side. If the ASA also translates the inside network to its outside address, a NAT exemption for 10.10.1.0/24 to 192.168.1.0/24 is required, otherwise the translated traffic never matches the crypto ACL.
  26. LAB config: Cisco IOS v15.1 (Site B, 2.2.2.2)
      !
      ! PHASE 1
      !
      crypto isakmp policy 10
       encryption aes 128
       hash md5
       group 2
       authentication pre-share
       lifetime 86400
      !
      crypto isakmp key 1234567890 address 1.1.1.2
      !
      ! PHASE 2
      !
      ip access-list extended cptomap_vpn_sitea
       permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
      !
      crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
       mode tunnel
      !
      crypto map cptomap_outside local-address fastethernet 0/0
      crypto map cptomap_outside 10 ipsec-isakmp
       match address cptomap_vpn_sitea
       set peer 1.1.1.2
       set transform-set ESP-3DES-MD5
      !
      interface fastethernet 0/0
       crypto map cptomap_outside
      !
      The IOS ACL uses wildcard masks (0.0.0.255) where the ASA ACL uses subnet masks (255.255.255.0); the two ACLs are mirror images of each other, which is what Phase 2 requires.
  27. LAB config: Verification commands
      !
      ! PHASE 1
      !
      show crypto ikev1 sa              (ASA; on IOS the command is "show crypto isakmp sa")
      show crypto ikev1 sa detail
      A healthy Phase 1 shows the state MM_ACTIVE on the ASA or QM_IDLE on IOS.
      !
      ! PHASE 2
      !
      show crypto ipsec sa
      show crypto ipsec sa detail
      show crypto session               (IOS)
      debug crypto condition peer x.x.x.x   (limits the crypto debugs that follow to one peer; the IOS form is "debug crypto condition peer ipv4 x.x.x.x")
      !
  29. Troubleshooting • Check the pre-shared key on both ends • Check the crypto ACLs (they must be mirror images) • Check Phase 1 parameters (encryption, hash, DH group, authentication) • Check Phase 2 parameters (transform set, PFS, lifetimes) • Check routes to the remote network on both sides • Verify that ISAKMP-IKE/the crypto map is enabled on the interfaces • Verify that ISAKMP and ESP traffic is allowed between the peers (UDP 500, UDP 4500 for NAT-T, IP protocol 50 for ESP and 51 for AH) • Debug (debug crypto isakmp / debug crypto ipsec, filtered to the peer) • Check internal port openings (the firewall rules for the traffic carried inside the tunnel) • Check NAT translations (VPN traffic must be exempt from NAT, or it will never match the crypto ACL) • Don't assume, CHECK. Check the config, and RE-CHECK the config again! Be prepared to guide the other end through the verification/debug process
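Most of the checklist above comes down to comparing two configurations field by field, which is easy to get wrong by eye when the ACL masks differ between platforms and a single character in the PSK is enough to break Phase 1. The Python below is an added example written for this page, not a Cisco tool or part of the lab: it parses the ASA and IOS lab configurations from slides 25 and 26 (embedded here as constructed sample input), reports every Phase 1 and Phase 2 parameter that differs between the peers, checks that the crypto ACLs are mirror images, and flags the algorithms that are weak by today's standards. The regular expressions only cover the command forms used in those two configurations; a real checker would need the full command grammar of each platform.

```python
import ipaddress
import re

# Constructed sample input: the ASA (Site A, 1.1.1.2) and IOS (Site B, 2.2.2.2)
# lab configs from the slides, trimmed to the lines the checker reads.
ASA_CFG = """
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key 1234567890
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
access-list cptomap_vpn_siteb extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map cptomap_outside 10 set peer 2.2.2.2
"""

IOS_CFG = """
crypto isakmp policy 10
 encryption aes 128
 hash md5
 group 2
 authentication pre-share
 lifetime 86400
crypto isakmp key 1234567890 address 1.1.1.2
ip access-list extended cptomap_vpn_sitea
 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map cptomap_outside 10 ipsec-isakmp
 set peer 1.1.1.2
"""

P1_KEYS = ("encryption", "hash", "group", "lifetime", "authentication")


def _network(addr: str, mask: str, vendor: str) -> ipaddress.IPv4Network:
    # IOS ACLs use wildcard (inverse) masks, ASA ACLs use subnet masks.
    if vendor == "ios":
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_peer(cfg: str, vendor: str) -> dict:
    """Pull out the parameters the troubleshooting checklist compares."""
    p = dict.fromkeys(P1_KEYS + ("psk", "peer", "transform", "traffic"))
    for raw in cfg.splitlines():
        line = raw.strip()
        for key in P1_KEYS:                       # lines inside the ISAKMP/IKEv1 policy
            m = re.match(rf"{key}\s+(\S+)(?:\s+(\d+))?$", line)
            if m:
                val = m.group(1)
                if key == "encryption" and val == "aes":   # ASA 'aes' == IOS 'aes 128'
                    val = f"aes-{m.group(2) or 128}"
                p[key] = val
        if m := re.search(r"(?:pre-shared-key|crypto isakmp key)\s+(\S+)", line):
            p["psk"] = m.group(1)     # 'show run' masks it on the ASA; 'more system:running-config' shows it
        if m := re.search(r"set peer\s+(\S+)", line):
            p["peer"] = m.group(1)
        if m := re.search(r"transform-set\s+\S+\s+(esp-\S+)\s+(esp-\S+)", line):
            p["transform"] = (m.group(1), m.group(2))
        if m := re.search(r"permit ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", line):
            p["traffic"] = (_network(m.group(1), m.group(2), vendor),
                            _network(m.group(3), m.group(4), vendor))
    return p


def mismatches(a: dict, b: dict) -> list:
    """Parameters that differ between the two peers; an empty list is what you want."""
    out = [f"{k}: {a[k]} (A) vs {b[k]} (B)" for k in P1_KEYS + ("psk", "transform") if a[k] != b[k]]
    if a["traffic"] and b["traffic"] and a["traffic"] != b["traffic"][::-1]:
        out.append(f"crypto ACLs are not mirror images: {a['traffic']} vs {b['traffic']}")
    return out


def weak_settings(p: dict) -> list:
    """Settings that negotiate fine but should not be used on a new tunnel."""
    out = []
    if p["hash"] == "md5":
        out.append("hash md5: use sha256 or stronger")
    if p["group"] in ("1", "2", "5"):
        out.append(f"group {p['group']}: use DH group 14 or larger, or an ECDH group")
    for alg in p["transform"] or ():
        if alg in ("esp-des", "esp-3des"):
            out.append(f"{alg}: use esp-aes (AES-GCM where supported)")
        if alg == "esp-md5-hmac":
            out.append("esp-md5-hmac: use esp-sha256-hmac, or AES-GCM")
    return out


if __name__ == "__main__":
    site_a, site_b = parse_peer(ASA_CFG, "asa"), parse_peer(IOS_CFG, "ios")
    print("mismatches:", mismatches(site_a, site_b) or "none")
    print("weak settings on A:", weak_settings(site_a))
```

Run on the lab configurations it reports no mismatches but four weak settings (MD5, DH group 2, 3DES and HMAC-MD5). Change any one parameter on one side, for example hash md5 to hash sha on the IOS router, and the tunnel would sit in MM_NO_STATE while the checker names the offending field immediately; the same applies to an ACL that is not an exact mirror, which is the most common reason Phase 1 comes up and Phase 2 never does.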
  30. Q&A
  31. Thank You!
