
Notes on VPNs and IPsec

lildeezul Member Posts: 404
Before I move on, I would like to share my notes and reiterate the protocols and features of IPsec and VPNs. This will help share some knowledge with the forum, as well as make sure I know what I am talking about before I move on to the next part, which is network hardening in the Cisco Press ISCW exam cert guide.

The need to connect teleworkers and enterprise extensions, along with SOHOs, is becoming an increasing demand. One way to provide this connectivity over a secure channel is to implement VPNs. VPNs are simply a tunnel or channel where two sites can communicate. Older VPN technology consisted of PVCs and SVCs from Frame Relay or ATM, and even dedicated leased lines. It was hard to implement redundancy in this old technology without driving the cost way up. Site-to-site VPNs emerged to provide a full mesh of connectivity with only one or more connections to the Internet at both sites.

VPNs utilize IPsec in order to transfer data securely. IPsec is a framework and suite of protocols consisting of IKE, ESP and AH, which provides data confidentiality (encryption), data integrity (hash functions), data authentication and protection against replay attacks. Three protocols make up the IPsec framework for this secure connection.
IKE (Internet Key Exchange) is responsible for setting up the secure channel and negotiating policies and Security Associations. IKE is also responsible for exchanging Diffie-Hellman keys (RSA keys) (public/private keys) between peers. Two protocols that help IKE provide these functions are ISAKMP (Internet Security Association and Key Management Protocol) and Oakley. ISAKMP is responsible for setting up and negotiating policies and security associations. Oakley is responsible for exchanging keys. There are two mandatory phases of IKE: phase 1 and phase 2. In phase 1, IKE policies are negotiated and exchanged to create a secure channel for management traffic and to exchange DH keys. IKE phase 1 can be in aggressive mode or main mode. Main mode uses 6 messages (3 sent and 3 acks) to exchange the policies and DH keys. Aggressive mode uses 3 messages to exchange policies and is quicker than main mode. IKE phase 2 is responsible for setting up unidirectional SAs to protect the real data that is going to be transmitted.

ESP and AH (Encapsulating Security Payload and Authentication Header) are the other two IPsec protocols. ESP provides everything AH does, plus encryption or data confidentiality. AH does not provide encryption. Both protocols, however, use HMAC (hash-based message authentication codes), which can be MD5 or SHA-1. MD5 takes a variable-length input and fixes it at 128 bits; SHA-1 fixes it at 160 bits. SHA-1 is more accurate at detecting alteration of data than MD5, but SHA-1 is computationally slower.

IPsec can be run in two modes: tunnel mode or transport mode. In tunnel mode, the data payload and IP headers are protected by ESP or AH, and a new IP header is tagged after the ESP header. The new IP header hides the internal addressing and correlates to the tunnel IP address. In transport mode the ESP or AH header is shimmed after the IP header and before the data, so therefore only the data payload (transport layer and up) is protected. Hence the name transport mode.

A site-to-site VPN has a lifecycle, and the following explains it.
1) Interesting traffic (classified by an ACL) is transmitted across and starts the secure VPN channel.
2) IKE phase 1: policies are negotiated and exchanged in either aggressive mode or main mode, and a bidirectional SA is created to set up and secure the management channel or traffic.
3) IKE phase 2 starts, and IPsec SAs and negotiation are exchanged to protect the actual data. IPsec transform sets define IKE phase 2.
4) Data sent securely: data is exchanged over a secure channel and the data benefits from the IPsec features.
5) Termination of the VPN channel: the VPN is torn down either manually or automatically by time.

Configuration of a site-to-site VPN can be summarized below:
1) IKE phase 1: specify the IKE policies to be used to secure management data.
2) IKE phase 2: specify the IPsec transform set to secure the real data.
3) Crypto ACL: create a mirrored ACL on both sides to specify the interesting traffic that gets the benefits of IPsec.
4) Create crypto map: create the crypto map, which encompasses the transform set and ACL. It also specifies the peer to exchange with.
5) Apply crypto map: apply the crypto map to the interface.
6)* Adjust NAT settings to deny the interesting traffic from being NATted across, and allow ESP/AH along with UDP 500 (ISAKMP) to be sent and received on an interface.

IPsec can transfer data securely, but it creates a problem. When connecting two sites together or a teleworker, static routes must be used to point to where networks are. But in a big environment this can become tedious and overwhelming. Before IOS 12.4(8) IPsec could not exchange routing protocols or multicast messages. Enterprises used an older technology originally created by Cisco called GRE. In older days GRE was used to transfer non-IP traffic, such as IPX and AppleTalk, over an existing IP core. Today GRE tunneling is used to transfer routing protocols and multicast over a site-to-site VPN which is still secured by IPsec. GRE uses a tunnel interface to encompass this. GRE adds at minimum an extra 24 bytes to the IPsec data, which means the MTU needs to be adjusted to optimize performance. GRE can also be run in tunnel mode or transport mode. When using GRE over IPsec it is recommended to use transport mode, because it is essentially the same as tunnel mode when using IPsec. If you use GRE with tunnel mode, you are creating a lot of overhead which can bog down your network.

IPsec high availability options: Redundancy is always a plus in enterprise environments and production networks. IPsec can be deployed with other features to allow high availability of IPsec tunnels. There are two methods of availability or failover: stateful and stateless. Stateful failover involves using multiple hardware devices with the same IOS to mirror each other and fail over quickly to provide availability. Stateless failover uses keepalives to determine whenever one path has failed, in order to switch over to the next.
For stateless failover, HSRP can be used to provide redundancy, along with an IGP in a GRE tunnel to treat the links as layer 3 links, and DPD (dead peer detection) can be used. Dead peer detection is an ISAKMP keepalive protocol and can either periodically send keepalives, or send keepalives whenever the device is suspected of failing.
For stateful failover, HSRP along with SSO (stateful switchover) can be used.

Creating IPsec VPNs can be wordy and CLI-lengthy. Cisco has created the Easy VPN solution to provide clients an easy way to connect to the VPN server. Instead of specific policies for both sides, the server is configured by the admin with the policies they support, and the Easy VPN remote (client) **** a set of policies to the server hoping to negotiate on one.
The connection of the VPN solution can be summarized below:
1) Client initiates IKE phase 1.
2) Client **** a load of supported policies to the server.
3) Server accepts one of the preferred policies according to its priority.
4) Server asks for authentication credentials for VPN group membership.
5) Xauth and mode configuration are pushed down to the client.
6) Server optionally injects an RRI (reverse route injection).
7) IPsec (IKE phase 2) begins in quick mode.



I didn't go into configuration, but I do know how to configure them (see some of my other posts). But these are my notes from the top of my head (I have some more written down). Hope this helps some people.

Time to move on to network hardening, the last part of the exam cert guide. Hopefully I'll be ready to take the exam in a month or so.
NHSCA National All-American Wrestler 135lb
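The six configuration steps from the notes above, combined with the GRE-over-IPsec transport-mode approach the notes recommend, worked into one IOS configuration as an added example (this is not from the original post): the addresses, object names, pre-shared key placeholder, cipher/hash/DH-group choices and the EIGRP process are assumptions, and the peer router needs the mirrored configuration.

```cisco
! Step 1, IKE phase 1 policy; cipher, hash and DH group values are assumed here
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
! Step 2, IKE phase 2 transform set; transport mode as the notes recommend for GRE over IPsec
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
! Step 3, crypto ACL: the interesting traffic is the GRE tunnel itself; mirror it on the peer
ip access-list extended GRE-TO-PEER
 permit gre host 203.0.113.1 host 203.0.113.2
! Step 4, crypto map binds the peer, the transform set and the crypto ACL
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES-SHA
 match address GRE-TO-PEER
! GRE tunnel carries the IGP and multicast; MTU and MSS lowered for the GRE + ESP overhead
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
! Step 5, the crypto map goes on the physical WAN interface, not on Tunnel0
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
 crypto map CMAP
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
! Step 6a, NAT exemption: LAN traffic for the remote site must not be translated
ip access-list extended NAT-TRAFFIC
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload
! Step 6b, inbound WAN ACL: permit ISAKMP (UDP 500), ESP/AH and the decrypted GRE from the peer only
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ahp host 203.0.113.2 host 203.0.113.1
 permit gre host 203.0.113.2 host 203.0.113.1
! Routing protocol over the tunnel replaces per-network static routes
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 192.168.1.0
```

Verify with `show crypto isakmp sa` (phase 1) and `show crypto ipsec sa` (the two unidirectional phase 2 SAs) once the EIGRP adjacency across Tunnel0 generates interesting GRE traffic.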

Comments

    cisco_trooper Member Posts: 1,441
    IPsec is not available in Active/Active HA configurations. Learned this one the hard way just last week, I believe.
    APA Member Posts: 959
    cisco_trooper wrote: »

    IPsec is not available in Active/Active HA configurations. Learned this one the hard way just last week, I believe.

    You're talking about PIX & ASA implementations...

    ISCW focuses on IPsec from an ISR perspective, purely on dedicated routers... So IPsec with stateful failover would cover this.

    lil_deezul - You pointed out that ISAKMP SAs are bidirectional; you should also highlight in your notes that IPsec SAs are unidirectional... so for traffic flow to occur, both sides must have negotiated their own IPsec unidirectional SA or SAs.

    :)

    Good stuff on the notes though; it's not every day you play with IPsec, as once you've implemented it properly it just works! So handy reminder notes like this really help :D

    How long till you are ready for ISCW? Seems like you are on the right track!

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
    lildeezul Member Posts: 404
    A.P.A wrote: »

    lil_deezul - You pointed out that ISAKMP SAs are bidirectional; you should also highlight in your notes that IPsec SAs are unidirectional... so for traffic flow to occur, both sides must have negotiated their own IPsec unidirectional SA or SAs.

    Yes, I do have these in my notes. I wrote this topic right off my head, but I do have more stuff that is actually written down in my notes.

    A.P.A wrote: »
    How long till you are ready for ISCW? Seems like you are on the right track!

    I don't know; I'm just starting the last part of the ISCW cert guide, and after that I'm going to go back and review everything, so hopefully in the next 5-6 weeks or maybe a month or so I will be ready to sit the exam... That depends on how much stuff I can lab up in the network hardening section, and how quickly I can pick this stuff up, which shouldn't be hard because I am very interested in security...

    After the ISCW, I'll hit the CCNA Security for a month hopefully, and then finish up the CCNP with ONT.
    NHSCA National All-American Wrestler 135lb