VPN Newbie

cdad2000 Member Posts: 323
Hey team,

I have never set up a VPN before, and I have no clue. Can you help me by explaining the process of setting up a VPN?


  • Humper Member Posts: 647

    Go to cisco.com, it's your friend.

    By the way, if you showed that you had done some research and put an ounce of brain matter into the subject I would be helpful :)
    Now working full time!
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    It's a HUGE topic, entire careers are based on it, and the process varies depending on the protocols you use and the appliances themselves, so explaining it ALL here is not possible. The most common standard is IPSec, so I'd go from there. "The Complete Cisco VPN Configuration Guide" is probably the single best (and yes, Cisco-centric) IPSec book I've seen. It's excellently written and not hard to pick up from scratch. It starts with an easy-to-get-into but detailed primer on VPNs in general and IPSec before delving into the Cisco side. Give it a go and come back with specific questions and folks will be happy to help.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • mikej412 Member Posts: 10,086
    I'll "triple" the no easy answer answer. And the link I keep handy to the IPSec Negotiation/IKE Protocols Configuration Examples and TechNotes page would be more confusing than helpful until you agonize some long hours over basic configurations, commands, and debugs.

    In the old CCNP it was something that was "wedged" into one of the exams. Now security is a larger part of the new CCNP -- so they are "spreading more joy" from the CCSP :D

    And in the CCSP -- old and new -- it's something that you trip over in several exams. With the CSVPN exam (and VPN 3000s) being retired you'll do most VPN learning (and configuration) in the PIX/ASA exam and Securing Network Devices exam.

    But since cdad2000 has been around for a while and isn't some lazy noob off the Internet looking for an easy handout (or answer to a homework assignment) -- TechExams.net membership and participation does have its privileges :D -- I'll grab a cattle prod and some Cisco Doc links and try to provide some helpful guidance.

    Simplest case (pre-shared keys) -- 4 steps
    1. Prepare for IKE and IPSec
    2. Configure IKE
    3. Configure IPSec
    4. Test and verify

    Step 1:
    You'll decide on the IKE policies that will be configured between peers including key distribution methods, authentication, IP peer addresses (or hostnames), encryption algorithms, hash algorithms, and IKE SA lifetimes.

    You'll decide on IPSec transform set parameters, the traffic to protect, and manual or IKE-initiated SAs.

    You'll check the current configuration, existing ACLs, and verify connectivity before you complicate your life (and network connection).

    Step 2: Configure IKE (example)

    Enable IKE (if previously disabled) and create IKE policies.

    Configure the IKE parameters for Encryption, Integrity (hash), Authentication (pre-shared, RSA-encrypted nonces, or RSA Signatures), Diffie-Hellman Group, and Security Association (SA) lifetime.

    Configure pre-shared keys.

    Verify IKE configuration

    Step 3: Configure IPSec (example)

    Configure IPSec Global IPSec SA lifetimes
    Configure Transform Set
    Create Crypto ACLs
    Create Crypto Maps
    Apply Crypto Maps to interfaces

    Step 4: Test and Verify

    Modify and toss in additional steps as needed to configure for Certificates, rather than pre-shared keys.

    This is one of those topics that would be confusing to just memorize the commands -- it's actually easier to spend the time to learn and practice the material.

    You can check out Part 4: Implementing IPSec and IKE of the Cisco IOS Security Configuration Guide, Release 12.4 (another link I keep handy). You'll find a lot of the commands demonstrated here -- but you'll have to pick through lots of other material that could be confusing when you're first learning this. I've picked the easy direct links and added them to the material above.
    :mike: Cisco Certifications -- Collect the Entire Set!
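
The four steps from mikej412's post above, as an added example that is not part of the thread and not taken from Cisco's documentation: a minimal site-to-site IOS configuration with pre-shared keys, shown for one peer. The addresses (RFC 5737 documentation range), subnets, ACL number, the names `TS-ESP-AES-SHA` and `VPN-MAP`, the interface and the key placeholder are all assumptions.

```cisco
! Constructed example: router A (203.0.113.1) to peer B (203.0.113.2).
! Protected subnets: 10.1.1.0/24 behind A, 10.2.2.0/24 behind B.

! Step 2: IKE (ISAKMP) policy and pre-shared key.
! "group 14" assumes an IOS release that offers that Diffie-Hellman group.
crypto isakmp enable
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2

! Step 3: IPSec. Global SA lifetime, transform set, crypto ACL, crypto map.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set TS-ESP-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
! In a crypto ACL "permit" means "protect this traffic".
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-ESP-AES-SHA
 match address 110
! Apply the crypto map to the outside (peer-facing) interface.
interface GigabitEthernet0/0
 crypto map VPN-MAP
end

! Step 4: test and verify (exec mode).
show crypto isakmp policy
show crypto isakmp sa
show crypto ipsec transform-set
show crypto map
show crypto ipsec sa
```

Peer B needs the same IKE policy parameters and key, with the peer address and crypto ACL mirrored. Once matching traffic flows, the encaps/decaps packet counters in `show crypto ipsec sa` should increase.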
  • cdad2000 Member Posts: 323
    Thanks for your help!!! Happy Holiday
  • liven Member Posts: 918
    that mikej fella is such a nice feller!!!
    encrypt the encryption, never mind my brain hurts.
  • netteaser Member Posts: 198
    I also recommend that you read the Cisco Press IPsec VPN Fundamentals. Really good book if you are a beginner.
