VPN Newbie

cdad2000

Hey team,

I never set-up a VPN before, and I have no clue. Can you help me by explaining the process of setting a VPN.

Humper

Nope...

Go to cisco.com, it's your friend.

By the way, if you showed that you had done some research and put an ounce of brain matter into the subject I would be helpful

Ahriakin

It's a HUGE topic entire careers are based on it, and the process varies depending on the protocols you use and the appliances themselves so explaining it ALL here is not possible.. The most common standard is IPSec so I'd go from there. "The Complete Cisco VPN configuration Guide" is probably the single best (and yes Cisco Centric) IPSec book I've seen. It's excellently written and not hard to pick up from scratch. It starts with an easy to get into but detailed primer on VPNs in general and IPSec before delving into the Cisco side, give it a go and come back with specific questions and folks will be happy to help.

mikej412

I'll "triple" the no easy answer answer. And the link I keep handy to the IPSec Negotiation/IKE Protocols Configuration Examples and TechNotes page would be more confusing than helpful until you agonize some long hours over basic configurations, commands, and debugs.

In the old CCNP it was something that was "wedged" into one of the exams. Now security is a larger part of the new CCNP -- so they are "spreading more joy" from the CCSP

And in the CCSP -- old and new -- its something that you trip over in several exams. With the CSVPN exam (and VPN 3000s) being retired you'll do most VPN learning (and configuration) in the PIX/ASA exam and Securing Network Devices exam.

But since cdad2000 has been around for a while and isn't some lazy noob off the Internet looking for an easy handout (or answer to a homework assignment) -- TechExams.net membership and participation does have its privileges -- I'll grab a cattle prod and some Cisco Doc links and try to provide some helpful guidance.

Simplest case (pre-shared keys) -- 4 steps
1. Prepare for IKE and IPSec
2. Configure IKE
3. Configure IPSec
4. Test and verify


Step 1:
You'll decide on the IKE polices that will be configured between peers including key distribution methods, authentication, IP peer addresses (or hostnames), encryption algorithms, hash algorithms, and IKE SA lifetimes.

You'll decide on IPSec transform set parameters, the traffic to protect, and manual or IKE-initiated SAs.

You'll check the current configuration, existing ACLs, and verify connectivity before you complicate your life (and network connection).

Step 2: Configure IKE (example)

Enable IKE (if previously disabled) and create IKE policies.

Configure the IKE parameters for Encryption, Integrity (hash), Authentication (pre-shared, RSA-encrypted nonces, or RSA Signatures), Diffie-Hellman Group, and Security Association (SA) lifetime.

Configure pre-shared keys.

Verify IKE configuration

Step 3: Configure IPSec (example)

Configure IPSec Global IPSec SA lifetimes
Configure Transform Set
Create Crypto ACLs
Create Crypto Maps
Apply Crypto Maps to interfaces

Step 4: Test and Verify


Modify and toss in additional steps as needed to configure for Certificates, rather than pre-shared keys.

This is one of those topics that would be confusing to just memorize the commands -- it's actually easier to spend the time to learn and practice the material.

You can check out Part 4: Implementing IPSec and IKE of the Cisco IOS Security Configuration Guide, Release 12.4 (another link I keep handy). You'll find a lot of the commands demonstrated here -- but you'll have to pick through lots of other material that could be confusing when you're first learning this. I've picked the easy direct links and added them to the material above.

cdad2000

Thanks for your help!!!Happy Holiday

liven

that mikej fella is such a nice feller!!!

netteaser

I also recommend that you read the Cisco Press IPsec VPN Fundementals. Really good book if you are a begineer

http://www.ciscopress.com/bookstore/product.asp?isbn=1587052075