WK 14 Consolidated Notes

Module 18: VPNs

VPN Overview:
  • Purpose of VPNs:

    • VPNs create secure, encrypted connections between sites or remote users over public networks like the Internet. This ensures confidentiality and integrity of data transmitted over these insecure networks.

    • Types of VPNs:

      • Site-to-Site VPN: Established between two or more VPN gateways. The traffic is encrypted between the gateways, and internal hosts are unaware of the VPN.

      • Remote-Access VPN: Provides secure access for remote users to a network via VPN, often used for connecting mobile workers or remote offices.

VPN Topologies:
  • Site-to-Site VPNs:

    • The VPN tunnel is established between fixed devices (VPN gateways) and traffic is encrypted only between these devices.

    • Commonly used for inter-site connections, allowing remote locations to access main network resources securely.

  • Remote-Access VPNs:

    • Initiated by a client, and can be clientless or client-based (e.g., SSL VPNs).

    • SSL VPNs provide flexibility and are easy to deploy, while IPsec VPNs offer higher security but are more complex.

  • SSL vs. IPsec VPNs:

    • SSL VPNs: Easier to deploy, widely used for web-based access (e.g., online banking).

    • IPsec VPNs: Preferred when security is the top priority, particularly for site-to-site connections and high-security environments.

IPsec Overview:
  • Security Functions:

    • Confidentiality: Achieved through encryption using algorithms such as AES (Advanced Encryption Standard).

    • Integrity: Ensured with hashing algorithms (SHA, MD5) to verify that the data has not been altered; MD5 is no longer considered secure, so SHA-based hashes are preferred.

    • Authentication: IPsec uses IKE (Internet Key Exchange) to authenticate peers.

  • IPsec Protocols:

    • AH (Authentication Header): Provides integrity and authentication but does not encrypt data.

    • ESP (Encapsulating Security Payload): Provides both encryption and authentication.

  • Key Exchange (Diffie-Hellman):

    • Ensures secure key exchange between peers even over insecure channels, with different DH groups offering varying levels of security.

Modes of IPsec:
  • Transport Mode: Only the payload is encrypted; the original IP header (and therefore the source and destination addresses) remains in plaintext. Suitable for end-to-end communication.

  • Tunnel Mode: The entire IP packet is encrypted and encapsulated into a new IP packet. Suitable for site-to-site VPNs.


Module 19: Implement Site-to-Site IPsec VPNs with CLI

Site-to-Site IPsec VPN Configuration:
  • IPsec Negotiation Steps:

    1. Phase 1 (ISAKMP Tunnel): Both peers authenticate and agree on security policies.

    2. Phase 2 (IPsec Tunnel): Establishes encryption and integrity policies for data traffic.

    3. Interesting Traffic: VPN negotiation is triggered by traffic that matches the defined ACL.

Configuration Tasks:
  1. Configure ISAKMP Policy for IKE Phase 1:

    • Defines parameters such as encryption, hash, and authentication methods.

  2. Configure IPsec Policy for Phase 2:

    • Specifies the protocols (ESP), encryption algorithms, and key exchange mechanisms.

  3. Crypto Map:

    • Binds ACL, IPsec policies, and defines the peer address.

  4. Apply IPsec Policy:

    • Apply the policy to the outbound interface and verify with the show crypto map command.

ISAKMP Policy Configuration:
  • The ISAKMP policy defines the security associations (SAs) used to establish the tunnel.

  • Key Elements (HAGLE):

    • H: Hash (SHA)

    • A: Authentication (pre-shared key)

    • G: Group (Diffie-Hellman group 14)

    • L: Lifetime (3600 seconds)

    • E: Encryption (AES)

Crypto Map Configuration:
  • Binding ACLs: Define traffic that will trigger the tunnel setup (interesting traffic).

  • Configure Peer Address and IPsec Parameters:

    • Include peer’s IP, DH group, and tunnel lifetime.

    • Verify the configuration using show crypto map.

Verification:
  • Use show crypto isakmp sa and show crypto ipsec sa to verify the status of ISAKMP and IPsec tunnels.

  • Ping Test: Send traffic that matches the ACLs to verify the VPN tunnel is operational.
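The configuration tasks, HAGLE elements, crypto map, and verification commands above, put together as one complete router configuration. This is an added example, not from the course material: the addresses (203.0.113.1 / 198.51.100.2 for the gateways, 192.168.1.0/24 and 192.168.2.0/24 for the LANs), the names VPN-SET, VPN-TRAFFIC and VPN-MAP, the interface name, and the pre-shared key placeholder are all assumed. The second peer mirrors this with the addresses swapped.

```cisco
! R1 (hypothetical gateway, outside address 203.0.113.1, LAN 192.168.1.0/24)
! Peer R2 has outside address 198.51.100.2 and LAN 192.168.2.0/24

! Task 1: ISAKMP policy for IKE Phase 1 (HAGLE)
crypto isakmp policy 10
 hash sha256                  ! H: use "hash sha" on images without SHA-256
 authentication pre-share     ! A
 group 14                     ! G: DH group 14 (2048-bit)
 lifetime 3600                ! L: seconds
 encryption aes 256           ! E
! Pre-shared key for the peer (PSK-PLACEHOLDER is not a real key)
crypto isakmp key PSK-PLACEHOLDER address 198.51.100.2

! Task 2: IPsec policy for Phase 2 (ESP with AES and SHA-256 HMAC)
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha256-hmac
 mode tunnel

! Interesting traffic: only LAN-to-LAN traffic triggers negotiation
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

! Task 3: crypto map binding the ACL, transform set and peer
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set VPN-SET
 set pfs group14
 set security-association lifetime seconds 3600
 match address VPN-TRAFFIC

! Task 4: apply the crypto map to the outbound interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP

! Verification (run from privileged EXEC after the config is in place)
! show crypto map           - map, peer, ACL and transform set bound to Gi0/0
! show crypto isakmp sa     - Phase 1 SA should show QM_IDLE once up
! show crypto ipsec sa      - Phase 2 SA; encaps/decaps counters increase with traffic
! ping 192.168.2.1 source 192.168.1.1   - sourced from the LAN so it matches VPN-TRAFFIC
```

A ping sourced from the router's outside address would not match VPN-TRAFFIC and would not bring the tunnel up, which is why the verification ping is sourced from the LAN side.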

Handling Routing Protocol Traffic:
  • If multicast or broadcast traffic (like OSPF or EIGRP) needs to be routed through the tunnel, consider implementing a GRE tunnel for encapsulation.
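One way to carry OSPF across the VPN, as an added example that is not part of the original notes: a GRE tunnel interface protected with an IPsec profile (tunnel protection) instead of a crypto map, so the routing protocol's multicast packets are encapsulated in unicast GRE and then encrypted. The addresses, the names GRE-SET and GRE-PROT, the tunnel subnet 10.0.0.0/30, the OSPF process number and the key placeholder are all assumed; the Phase 1 policy is repeated here only so the example stands on its own.

```cisco
! R1: GRE over IPsec so OSPF (multicast 224.0.0.5/6) can cross the VPN
! Outside 203.0.113.1, peer outside 198.51.100.2, LAN 192.168.1.0/24

! Phase 1 is still required (HAGLE, same as a crypto-map VPN)
crypto isakmp policy 10
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
 encryption aes 256
crypto isakmp key PSK-PLACEHOLDER address 198.51.100.2

! Phase 2: transport mode is enough because GRE already supplies the outer IP header
crypto ipsec transform-set GRE-SET esp-aes 256 esp-sha256-hmac
 mode transport

! IPsec profile replaces the crypto map; no ACL is needed, all GRE traffic is protected
crypto ipsec profile GRE-PROT
 set transform-set GRE-SET
 set pfs group14

! GRE tunnel between the two gateways
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT

! OSPF runs over the tunnel as over any point-to-point link
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0

! Verification
! show interfaces Tunnel0      - line protocol up once the destination is reachable
! show crypto ipsec sa         - SA for the GRE flow between the two outside addresses
! show ip ospf neighbor        - peer should reach FULL over Tunnel0
```

The tunnel source and destination must be reachable over the underlay (the Internet-facing interfaces), while the routes learned by OSPF point through Tunnel0; keeping those two layers separate avoids recursive routing of the tunnel endpoint through the tunnel itself.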

