© 2006 Cisco Systems, Inc. All rights reserved. ISCW v1.0, 4-1. IPsec VPNs: Configuring GRE Tunnels over IPsec.

Transcript:

IPsec VPNs: Configuring GRE Tunnels over IPsec

Generic Routing Encapsulation

Generic Routing Encapsulation
GRE is an OSI Layer 3 tunneling protocol:
– Uses IP for transport
– Uses an additional header to support any other OSI Layer 3 protocol as payload (e.g., IP, IPX, AppleTalk)

Default GRE Characteristics
– Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE
– Stateless (no flow control mechanisms)
– No security (no confidentiality, data authentication, or integrity assurance)
– 24-byte overhead by default (20-byte IP header and 4-byte GRE header)

Optional GRE Extensions
GRE can optionally contain any one or more of these fields:
– Tunnel checksum
– Tunnel key
– Tunnel packet sequence number
GRE keepalives can be used to track tunnel path status.

GRE Configuration Example
A GRE tunnel interface is up, line protocol up, if:
– Tunnel source and destination are configured
– The tunnel destination is reachable in the routing table
– GRE keepalives are received (if keepalives are used)
GRE is the default tunnel mode.
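The following is an added example written for this transcript, not a configuration from the course slides or from SDM: a plain GRE tunnel between two routers, showing the three conditions the slide names for the tunnel to come up (source and destination configured, destination reachable, keepalives answered) and, commented out, the optional extensions from the previous slide. All addresses and interface names are constructed for the example. Note that nothing here is encrypted or authenticated; the tunnel key is sent in plaintext, which is why the next section adds IPsec.

```cisco
! Added example (constructed addresses): R1 WAN 192.0.2.1, R2 WAN 198.51.100.2,
! tunnel subnet 10.0.0.0/30, R1 LAN 10.1.0.0/24, R2 LAN 10.2.0.0/24.
!
! --- R1 ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.2
 ! "tunnel mode gre ip" is the default and need not be typed
 ! Keepalive every 10 s; after 3 misses the line protocol goes down (about 30 s)
 keepalive 10 3
 ! Optional GRE extensions (off by default); the key is plaintext, not a security control
 ! tunnel key 12345
 ! tunnel checksum
 ! tunnel sequence-datagrams
!
! Condition 2: the tunnel destination must be in the routing table, here via a default route.
! Without it the interface stays up/down (line protocol down).
ip route 0.0.0.0 0.0.0.0 192.0.2.2
! Route the remote LAN into the tunnel (Option 1, static routing)
ip route 10.2.0.0 255.255.255.0 Tunnel0
!
! --- R2 (mirror image) ---
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 198.51.100.2
 tunnel destination 192.0.2.1
 keepalive 10 3
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.1.0.0 255.255.255.0 Tunnel0
```

After pasting both sides, `show interfaces tunnel 0` should report the line protocol up on each router; if keepalives are configured on only one side the other side will not answer them and that tunnel will flap down, so configure them symmetrically.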

Introducing Secure GRE Tunnels

Introducing Secure GRE Tunnels
GRE is good at tunneling:
– Multiprotocol support
– Provides virtual point-to-point connectivity, allowing routing protocols to be used
GRE is poor at security: only very basic plaintext authentication can be implemented using the tunnel key (not very secure).
GRE cannot accommodate typical security requirements:
– Confidentiality
– Data source authentication
– Data integrity

IPsec Characteristics
IPsec provides what GRE lacks:
– Confidentiality through encryption using symmetric algorithms (e.g., 3DES or AES)
– Data source authentication using HMACs (e.g., MD5 or SHA-1)
– Data integrity verification using HMACs
IPsec is not perfect at tunneling:
– Older Cisco IOS software versions do not support IP multicast over IPsec
– IPsec was designed to tunnel IP only (no multiprotocol support)
– Using crypto maps to implement IPsec does not allow the usage of routing protocols across the tunnel
– IPsec does not tunnel IP protocols; GRE does

GRE over IPsec
GRE over IPsec is typically used to do the following:
– Create a logical hub-and-spoke topology of virtual point-to-point connections
– Secure communication over an untrusted transport network (e.g., the Internet)

GRE over IPsec Characteristics
GRE encapsulates the arbitrary payload; IPsec then encapsulates the resulting unicast IP (GRE) packet:
– Tunnel mode (default): IPsec creates a new tunnel IP packet with its own outer IP header
– Transport mode: IPsec reuses the IP header of the GRE packet (20 bytes less overhead)

Configuring GRE over IPsec Site-to-Site Tunnel Using SDM

Backup GRE Tunnel Information

VPN Authentication Information

IKE Proposals

Creating a Custom IKE Policy
Define all IKE policy parameters:
– Priority
– Encryption algorithm: DES, 3DES, or AES
– HMAC: SHA-1 or MD5
– Authentication method: preshared secrets or digital certificates
– Diffie-Hellman group: 1, 2, or 5
– IKE lifetime

Transform Set

Routing Information

Option 1: Static Routing

Option 2: Dynamic Routing Using EIGRP

Option 3: Dynamic Routing Using OSPF

Completing the Configuration

Review the Generated Configuration
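The wizard pages above (tunnel information, backup tunnel, authentication, IKE proposal, transform set, routing) each map onto a few lines of Cisco IOS CLI. The block below is an added example written for this transcript, not the configuration SDM itself generates or anything from the course; it shows R1's side of a GRE over IPsec site-to-site VPN with a primary and a backup tunnel to the same remote site and EIGRP across the tunnels (Option 2). Every address, interface name, ACL name, crypto map name and pre-shared key is a constructed placeholder, and R2 would need the mirror-image configuration. Transport mode is used instead of the default tunnel mode to show the 20-byte saving the earlier slide describes.

```cisco
! Added example (constructed values): R1 WAN 192.0.2.1/30 with next hop 192.0.2.2,
! R2 primary WAN 198.51.100.2, R2 backup WAN 203.0.113.2,
! tunnel subnets 10.0.0.0/30 (primary) and 10.0.0.4/30 (backup), R1 LAN 10.1.0.0/24.
!
! IKE Proposals / Creating a Custom IKE Policy: priority 10, AES-256, SHA-1, PSK, DH group 5, 1-day lifetime
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! VPN Authentication Information: one pre-shared secret per peer (placeholders, not real keys)
crypto isakmp key PSK-PLACEHOLDER-PRIMARY address 198.51.100.2
crypto isakmp key PSK-PLACEHOLDER-BACKUP address 203.0.113.2
!
! Transform Set: ESP with AES-256 encryption and SHA-1 HMAC for source authentication and integrity.
! "mode transport" reuses the GRE packet's IP header; omit it for the default tunnel mode.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto ACLs select only GRE between the tunnel endpoints; all other traffic is untouched.
ip access-list extended GRE-TO-R2-PRIMARY
 permit gre host 192.0.2.1 host 198.51.100.2
ip access-list extended GRE-TO-R2-BACKUP
 permit gre host 192.0.2.1 host 203.0.113.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set GRE-TS
 match address GRE-TO-R2-PRIMARY
crypto map GRE-MAP 20 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address GRE-TO-R2-BACKUP
!
! Primary GRE tunnel; keepalives let the line protocol drop so routing can fail over
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.2
 keepalive 10 3
! Backup GRE Tunnel Information: second tunnel to R2's backup address, given a higher
! delay so EIGRP prefers Tunnel0 while it is up
interface Tunnel1
 ip address 10.0.0.5 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 203.0.113.2
 keepalive 10 3
 delay 100000
!
! The crypto map is applied once, on the WAN interface both tunnels use as their source
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map GRE-MAP
! Both tunnel destinations must be reachable in the routing table
ip route 0.0.0.0 0.0.0.0 192.0.2.2
!
! Routing Information, Option 2: EIGRP over the tunnels, advertising only the tunnel and LAN networks.
! Option 1 (static) would instead be: ip route 10.2.0.0 255.255.255.0 Tunnel0
router eigrp 100
 network 10.0.0.0 0.0.0.7
 network 10.1.0.0 0.0.0.255
 no auto-summary
```

To check it the way the monitoring slides suggest: `show interfaces tunnel 0` should show line protocol up, `show crypto isakmp sa` should list each peer in state QM_IDLE once traffic has triggered the tunnel, and the `#pkts encaps`/`#pkts decaps` counters in `show crypto ipsec sa` should increase as GRE keepalives and EIGRP hellos cross the tunnel. Because the crypto ACL matches only GRE between the endpoints, a mismatch between the ACL and the tunnel source/destination leaves the GRE traffic unprotected rather than dropped, so verify that the counters move for the expected SA.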

Test Tunnel Configuration and Operation

Monitor Tunnel Operation

Advanced Monitoring
Advanced monitoring can be performed using the default Cisco IOS HTTP server interface. It requires knowledge of Cisco IOS CLI commands:
– router# show crypto isakmp sa: lists active IKE sessions
– router# show crypto ipsec sa: lists active IPsec security associations
– router# show interfaces: lists interfaces and their statistics, including the statistics of tunnel interfaces

Troubleshooting
Advanced troubleshooting can be performed using the Cisco IOS CLI. It requires knowledge of Cisco IOS CLI commands:
– router# debug crypto isakmp: debugs IKE communication

Summary
– GRE is a multiprotocol tunneling technology.
– SDM can be used to implement GRE over IPsec site-to-site VPNs.
– Backup tunnels can be configured in addition to one primary tunnel.
– Routing can be configured through the tunnel interfaces:
  – Static for simple sites
  – OSPF or EIGRP for more complex sites (more networks, multiple tunnels)
– Upon completing the configuration, SDM converts the configuration into the Cisco IOS CLI format.