© 2006 Cisco Systems, Inc. All rights reserved.ISCW v1.04-1 IPsec VPNs Site-to-Site IPsec VPN Operation.

Presentation:



Transcript:

IPsec VPNs: Site-to-Site IPsec VPN Operation

Site-to-Site IPsec VPN Operations

Five Steps of IPsec

Step 1: Interesting Traffic

Step 2: IKE Phase 1

IKE Policy
– Negotiates matching IKE transform sets to protect the IKE exchange

Diffie-Hellman Key Exchange

Authenticate Peer Identity
Peer authentication methods:
– Preshared keys
– RSA signatures
– RSA encrypted nonces

Step 3: IKE Phase 2
– Negotiates IPsec security parameters and IPsec transform sets
– Establishes IPsec SAs
– Periodically renegotiates IPsec SAs to ensure security
– Optionally, performs an additional Diffie-Hellman exchange

IPsec Transform Sets
A transform set is a combination of algorithms and protocols that enact a security policy for traffic.

Security Associations
SA database:
  – Destination IP address
  – SPI
  – Protocol (ESP or AH)
Security policy database:
  – Encryption algorithm
  – Authentication algorithm
  – Mode
  – Key lifetime

SA Lifetime
– Data transmitted-based
– Time-based

Step 4: IPsec Session
SAs are exchanged between peers. The negotiated security services are applied to the traffic.

Step 5: Tunnel Termination
A tunnel is terminated by one of the following:
  – An SA lifetime timeout
  – The packet counter being exceeded
The IPsec SA is then removed.

Configuring IPsec

Configuration Steps for Site-to-Site IPsec VPN
1. Establish ISAKMP policy
2. Configure IPsec transform set
3. Configure crypto ACL
4. Configure crypto map
5. Apply crypto map to the interface
6. Configure interface ACL

Site-to-Site IPsec Configuration: Phase 1

Site-to-Site IPsec Configuration: Phase 2

Site-to-Site IPsec Configuration: Apply VPN Configuration

Site-to-Site IPsec Configuration: Interface ACL
When filtering at the edge, there is not much to see:
– IKE: UDP port 500
– ESP and AH: IP protocol numbers 50 and 51, respectively
– NAT transparency enabled:
  – UDP port 4500
  – TCP (port number has to be configured)

Site-to-Site IPsec Configuration: Interface ACL (Cont.)
Router1#show access-lists
access-list 102 permit ahp host host
access-list 102 permit esp host host
access-list 102 permit udp host host eq isakmp
Ensure that protocol 50 and 51 and UDP port 500 traffic is not blocked on interfaces used by IPsec.
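As an added example (not from the Cisco course material), the following Python parses an interface ACL written in the IOS "access-list" syntax shown above, evaluates it the way IOS does (first matching entry wins, implicit deny at the end) and reports which of the flows the slides list (AH, ESP, IKE on UDP 500, and UDP 4500 when NAT traversal is enabled) would be dropped for a given peer. The sample ACL and the addresses 192.0.2.1 / 198.51.100.1 are constructed placeholders.

```python
import re

# Constructed sample interface ACL in IOS "access-list" syntax, modelled on the page's
# Router1 example; the peer addresses 192.0.2.1 / 198.51.100.1 are placeholders.
SAMPLE_ACL = """
access-list 102 permit ahp host 192.0.2.1 host 198.51.100.1
access-list 102 permit esp host 192.0.2.1 host 198.51.100.1
access-list 102 permit udp host 192.0.2.1 host 198.51.100.1 eq isakmp
access-list 102 deny ip any any
"""

# IOS port keywords that may appear after "eq" in place of a number.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

ACE_RE = re.compile(
    r"^access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+"
    r"(any|host\s+\S+)\s+(any|host\s+\S+)(?:\s+eq\s+(\S+))?$"
)

def _addr(token):
    return "any" if token == "any" else token.split()[1]

def parse_acl(text):
    """Return (action, proto, src, dst, port) tuples in ACL order; port is int or None."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # lines this checker does not understand are skipped, not guessed at
        action, proto, src, dst, port = m.groups()
        if port is not None:
            port = int(PORT_NAMES.get(port, port))
        entries.append((action, proto.lower(), _addr(src), _addr(dst), port))
    return entries

def first_match(entries, proto, src, dst, port=None):
    """Evaluate like IOS: the first matching entry wins, with an implicit deny at the end."""
    for action, e_proto, e_src, e_dst, e_port in entries:
        if e_proto not in ("ip", proto):
            continue
        if e_src not in ("any", src) or e_dst not in ("any", dst):
            continue
        if e_port is not None and e_port != port:
            continue
        return action
    return "deny"

def blocked_ipsec_flows(acl_text, peer, local, nat_t=False):
    """Names of the IPsec flows from peer to local that this ACL would drop."""
    entries = parse_acl(acl_text)
    required = {"ah": ("ahp", None), "esp": ("esp", None), "ike": ("udp", 500)}
    if nat_t:  # NAT traversal carries IKE and ESP inside UDP 4500
        required["nat-t"] = ("udp", 4500)
    return [name for name, (proto, port) in required.items()
            if first_match(entries, proto, peer, local, port) != "permit"]
```

Running `blocked_ipsec_flows(SAMPLE_ACL, "192.0.2.1", "198.51.100.1", nat_t=True)` shows that the slide's three-line ACL is not enough once NAT traversal is in play.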

Summary
– IPsec operation includes these steps: initiation of the IPsec process by interesting traffic, IKE Phase 1, IKE Phase 2, data transfer, and IPsec tunnel termination.
– To configure a site-to-site IPsec VPN: configure the ISAKMP policy, define the IPsec transform set, create a crypto ACL, create a crypto map, apply the crypto map, and configure the interface ACL.
– To define an IKE policy, use the crypto isakmp policy global configuration command.
– To define an acceptable combination of security protocols and algorithms used for IPsec, use the crypto ipsec transform-set global configuration command.
– To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command.
– Configure an ACL to enable the IPsec protocols (protocol 50 for ESP or 51 for AH) and the IKE protocol (UDP/500).
