Network Security 2 Module 6 – Configure Remote Access VPN
Lesson 6.1 An Introduction to Cisco Easy VPN Module 6 – Configure Remote Access VPN
Module Introduction
• Virtual private networks (VPNs) use encryption and tunneling to let organisations establish secure, end-to-end, private network connections over third-party networks such as the Internet
• Cisco offers a range of VPN products, including VPN-optimised routers, PIX Security Appliances, Adaptive Security Appliances (ASA) and dedicated VPN concentrators. These infrastructure devices are used to build VPN solutions that meet an organisation's security requirements
• This module explains the fundamental terms associated with VPNs, including the IP Security (IPsec) protocol and Internet Key Exchange (IKE). It then details how to configure various types of VPN using the currently available methods
Cisco Easy VPN
• Eliminates tedious per-client work by implementing the Cisco Unity Client protocol, which lets administrators define most VPN parameters once at a Cisco IOS Easy VPN Server and push them to the remote clients
• Cisco Easy VPN Remote allows the following devices to act as remote VPN clients:
– Routers running IOS Release 12.2(4)YA or later
– PIX firewalls
– Cisco hardware clients
• A Cisco Easy VPN Server can be any of the following devices that support the Cisco Unity Client protocol:
– VPN 3000 Concentrator
– PIX Firewall
– IOS router
Cisco Easy VPN
• Cisco Easy VPN simplifies deployment
• When the Easy VPN Remote initiates the VPN tunnel connection, the Cisco Easy VPN Server pushes the IPsec policies to the Easy VPN Remote client and creates the corresponding VPN tunnel
• Cisco Easy VPN Remote provides automatic management of:
– Negotiation of tunnel parameters
– Establishment of tunnels
– NAT or PAT and ACL creation as needed
– Authentication of users by username, group name and password
– Security keys for encryption and decryption
– Authenticating, encrypting and decrypting data through the tunnel
Easy VPN Components
• Cisco Easy VPN Server
• The Cisco Easy VPN Server pushes the security policies that are defined at the headend to the remote VPN device
• A Cisco Easy VPN Server-enabled device can also terminate IPsec tunnels that are initiated by mobile remote workers running the Cisco VPN Client software on PCs
Easy VPN Components
• Cisco Easy VPN Remote
• These devices receive their security policies from a Cisco Easy VPN Server, minimising the VPN configuration required at the remote location
• This cost-effective solution is ideal for remote offices with little IT support
Limitations
• DH Group: The Cisco Unity Client protocol supports only ISAKMP policies that use DH Group 2 (1024-bit MODP). Because 1024-bit Diffie-Hellman is below current key-strength recommendations (2048-bit or larger), this fixes the strength of the phase 1 key exchange regardless of how strong a cipher is selected
• Transform Sets Supported: The Cisco Unity Client protocol does not support Authentication Header (AH) but does support Encapsulating Security Payload (ESP). ESP with an HMAC provides both confidentiality and integrity, whereas AH provides integrity only, so this limitation does not reduce the protection of tunnelled traffic
Easy VPN Server and Easy VPN Remote Operation
Step 1: The VPN client initiates the IKE Phase 1 process
Step 2: The VPN client establishes an ISAKMP SA
Step 3: The Easy VPN Server accepts the SA proposal
Step 4: The Easy VPN Server initiates a username and password challenge
Step 5: The mode configuration process is initiated
Step 6: The RRI process is initiated
Step 7: IPsec quick mode completes the connection
Step 2: The VPN Client Establishes an ISAKMP SA
The VPN client attempts to establish an SA between the peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server. To reduce manual configuration on the VPN client, these proposals include several combinations of the following:
• Encryption and hash algorithms
• Authentication methods
• Diffie-Hellman group sizes
Step 3: The Cisco Easy VPN Server Accepts the SA Proposal
The Easy VPN Server searches for a match by checking its own ISAKMP policies in priority order (lowest policy number first) against the proposals received from the client:
• The first server policy that matches one of the client's proposals is accepted (the highest-priority match)
• The ISAKMP SA is successfully established
• Device authentication ends and user authentication begins
Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge
If the Easy VPN Server is configured for Xauth, the VPN client waits for a username and password challenge:
• The username and password are checked against the configured authentication entities using AAA
Step 5: The Mode Configuration Process Is Initiated
If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining configuration parameters from the Easy VPN Server:
• Mode configuration starts
• The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client
• The IP address (pool) is the only required parameter in a group profile; all other parameters are optional
Step 6: The RRI Process Is Initiated
Reverse route injection (RRI) ensures that a static route is created on the Cisco Easy VPN Server for the internal IP address of each connected VPN client. RRI is used:
• when per-user IP addresses are assigned
• when more than one Easy VPN Server is deployed
Redistributing these static routes into the site IGP allows the other routers at the server site to find the Easy VPN Server that currently holds each client and send return traffic to it
Step 7: IPsec Quick Mode Completes the Connection
After the configuration parameters have been successfully received by the VPN client, IPsec quick mode is initiated to negotiate the IPsec SAs. Once the IPsec SAs are established, the VPN connection is complete.
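The following Cisco IOS Easy VPN Server configuration is an added worked example that ties the seven steps above and the Limitations slide together; it is not taken from the course slides. Every name (VPN-XAUTH, VPN-GROUP, SALES, VPN-POOL, ESP-AES-SHA, DYNMAP, VPNMAP), the interface, the addresses, the username and the secrets are assumed placeholders, and the `!` comments mark which step each section implements.

```cisco
! Added example (not from the course): Cisco IOS Easy VPN Server.
! All names, addresses and secrets below are hypothetical placeholders.
!
! Steps 4 and 5: AAA for Xauth user authentication and group authorization.
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP local
username alice secret <user-password>
!
! Step 3: ISAKMP policy the server checks client proposals against.
! The Unity Client protocol limits phase 1 to DH group 2 (1024-bit); this is
! a protocol limitation and is below current key-strength recommendations.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Step 5: group profile pushed by mode configuration. The pool (client IP
! address) is the only required attribute; dns, domain and acl are optional.
! acl 101 enables split tunneling: only traffic to 10.0.0.0/8 is tunnelled.
crypto isakmp client configuration group SALES
 key <group-pre-shared-key>
 dns 10.0.1.10
 domain example.com
 pool VPN-POOL
 acl 101
!
ip local pool VPN-POOL 10.250.0.1 10.250.0.254
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
!
! Step 7: IPsec transform set negotiated in quick mode. ESP only, since the
! Unity Client protocol does not support AH.
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
! Step 6: reverse-route injects a static /32 route for each connected client
! so the rest of the site can reach that client through this server.
crypto dynamic-map DYNMAP 10
 set transform-set ESP-AES-SHA
 reverse-route
!
! Bind Xauth (step 4), group authorization and mode configuration (step 5)
! and the dynamic map to a crypto map applied on the outside interface.
crypto map VPNMAP client authentication list VPN-XAUTH
crypto map VPNMAP isakmp authorization list VPN-GROUP
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
!
interface GigabitEthernet0/0
 description Outside (Internet-facing)
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP
!
! Step 6 (continued): redistribute the RRI static routes into the site IGP
! so other routers send return traffic for each client to this server.
router ospf 1
 redistribute static subnets
```

To verify a connection against the steps above: `show crypto isakmp sa` shows the phase 1 SA from step 3, `show crypto ipsec sa` shows the quick mode SAs from step 7, and `show ip route static` lists the per-client /32 routes injected by RRI in step 6. Because the client must be placed in a group whose pre-shared key it knows, treat the group key as a shared secret with the same care as any other credential; Xauth adds per-user authentication on top of it, it does not replace it.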