Purpose of VPNs:
VPNs create secure, encrypted connections between sites or remote users over public networks like the Internet. This ensures confidentiality and integrity of data transmitted over these insecure networks.
Types of VPNs:
Site-to-Site VPN: Established between two or more VPN gateways. The traffic is encrypted between the gateways, and internal hosts are unaware of the VPN.
Remote-Access VPN: Provides secure access for remote users to a network via VPN, often used for connecting mobile workers or remote offices.
Site-to-Site VPNs:
The VPN tunnel is established between fixed devices (VPN gateways) and traffic is encrypted only between these devices.
Commonly used for inter-site connections, allowing remote locations to access main network resources securely.
Remote-Access VPNs:
Initiated by the client and may be clientless or client-based (e.g., SSL VPNs).
SSL VPNs provide flexibility and are easy to deploy, while IPsec VPNs offer higher security but are more complex.
SSL vs. IPsec VPNs:
SSL VPNs: Easier to deploy, widely used for web-based access (e.g., online banking).
IPsec VPNs: Preferred when security is the top priority, particularly for site-to-site connections and high-security environments.
Security Functions:
Confidentiality: Achieved through encryption using algorithms such as AES (Advanced Encryption Standard).
Integrity: Ensured with keyed hashes (HMAC-SHA, or the legacy HMAC-MD5) that let the receiver verify the data has not been altered in transit.
Authentication: IPsec uses IKE (Internet Key Exchange) to authenticate peers.
IPsec Protocols:
AH (Authentication Header): Provides integrity and authentication but does not encrypt data.
ESP (Encapsulating Security Payload): Provides both encryption and authentication.
Key Exchange (Diffie-Hellman):
Lets peers derive a shared secret over an insecure channel without ever transmitting it; different DH groups use different key sizes and therefore offer different levels of security.
Transport Mode: Only the payload is encrypted; the original IP header remains in plaintext. Suitable for end-to-end communication.
Tunnel Mode: The entire IP packet is encrypted and encapsulated into a new IP packet. Suitable for site-to-site VPNs.
IPsec Negotiation Steps:
Phase 1 (ISAKMP Tunnel): Both peers authenticate and agree on security policies.
Phase 2 (IPsec Tunnel): Establishes encryption and integrity policies for data traffic.
Interesting Traffic: VPN negotiation is triggered by traffic that matches the defined ACL.
Configure ISAKMP Policy for IKE Phase 1:
Defines parameters such as encryption, hash, and authentication methods.
Configure IPsec Policy for Phase 2:
Specifies the protocols (ESP), encryption algorithms, and key exchange mechanisms.
Crypto Map:
Binds ACL, IPsec policies, and defines the peer address.
Apply IPsec Policy:
Apply the policy to the outbound interface and verify with the show crypto map command.
The ISAKMP policy defines the security associations (SAs) used to establish the tunnel.
Key Elements (HAGLE):
H: Hash (SHA)
A: Authentication (pre-shared key)
G: Group (Diffie-Hellman group 14)
L: Lifetime (3600 seconds)
E: Encryption (AES)
Binding ACLs: Define traffic that will trigger the tunnel setup (interesting traffic).
Configure Peer Address and IPsec Parameters:
Include peer’s IP, DH group, and tunnel lifetime.
Verify the configuration using show crypto map.
Use show crypto isakmp sa and show crypto ipsec sa to verify the status of the ISAKMP and IPsec tunnels.
Ping Test: Send traffic that matches the ACLs to verify the VPN tunnel is operational.
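As an added example (not from the original notes), the configuration and verification steps above on one Cisco IOS router, using constructed documentation addresses and a placeholder pre-shared key; the peer router needs the mirror-image configuration:

```cisco
! Constructed example: R1 (WAN 203.0.113.1, LAN 10.1.1.0/24) peers with
! R2 (WAN 203.0.113.2, LAN 10.2.2.0/24). Addresses are documentation ranges.
!
! --- IKE Phase 1: ISAKMP policy (HAGLE: Hash, Authentication, Group, Lifetime, Encryption)
crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
 encryption aes 256
! Pre-shared key bound to the peer's WAN address (placeholder secret)
crypto isakmp key CHANGE_ME_STRONG_PSK address 203.0.113.2
!
! --- IKE Phase 2: transform set using ESP for both encryption and integrity
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! --- Interesting traffic: only LAN-to-LAN flows trigger and use the tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! --- Crypto map: binds peer address, transform set, DH group, lifetime and ACL
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TS
 set pfs group14
 set security-association lifetime seconds 3600
 match address VPN-TRAFFIC
!
! --- Apply the crypto map to the outbound (WAN) interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
!
! --- Verification (privileged EXEC), after a ping from 10.1.1.x to 10.2.2.x
! show crypto map        -> peer, ACL and transform set bound to Gi0/0
! show crypto isakmp sa  -> state QM_IDLE means Phase 1 is established
! show crypto ipsec sa   -> #pkts encaps/decaps counters increase per ping
```

A ping that does not match VPN-TRAFFIC (for example, router WAN address to router WAN address) leaves the counters unchanged, because only interesting traffic enters the tunnel.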
If multicast or broadcast traffic (such as OSPF or EIGRP hellos) needs to cross the tunnel, consider encapsulating it in a GRE tunnel, since IPsec alone carries only unicast IP.