
Cisco VPN Solutions

Presentation Transcript


    1. Cisco VPN Solutions

    2. Agenda Introduction to IPSec IPSec VPN Topologies Cisco Site-to-Site VPN Solutions

    3. IPSec Design Guide

    4. IPSec Overview Initiating the IPSec session Phase one—exchanging keys Phase two—setting up security associations Encrypting/decrypting packets Rebuilding security associations Timing out security associations Simple IPSec configuration

    5. Initiating the IPSec Session: Phase One (ISAKMP)
        Internet Security Association Key Management Protocol (ISAKMP). Both sides need to agree on the ISAKMP security parameters:
        Encryption algorithm
        Hash algorithm
        Authentication method
        Diffie-Hellman group (modulus)
        Lifetime
        Policies as negotiated by the router (output of show crypto isakmp policy; the default suite is the built-in policy used when no configured policy matches):
        Protection suite of priority 1
          encryption algorithm: Three key triple DES
          hash algorithm: Secure Hash Standard
          authentication method: Pre-Shared Key
          Diffie-Hellman group: #1 (768 bit)
          lifetime: 86400 seconds, no volume limit
        Default protection suite
          encryption algorithm: DES - Data Encryption Standard (56 bit keys).
          hash algorithm: Secure Hash Standard
          authentication method: Rivest-Shamir-Adleman Signature
          Diffie-Hellman group: #1 (768 bit)
          lifetime: 86400 seconds, no volume limit
        Note that single DES and 768-bit Diffie-Hellman group 1 were defaults at the time of this deck; both are considered too weak today and should not be selected for new deployments.

    6. Initiating the IPSec Session: Phase Two (IPSec)
        Both sides need to agree on the IPSec security parameters:
        IPSec peer: endpoint of the IPSec tunnel
        IPSec proxy: traffic to be encrypted/decrypted
        IPSec transform: encryption and hashing
        IPSec lifetime: phase two SA regeneration time
        SAs will regenerate behind the scenes:
        7206BA#sh crypto ipsec security-association-lifetime
        Security association lifetime: 4608000 kilobytes/3600 seconds

    7. Encrypting and Decrypting Packets
        Phase one and phase two complete; Security Associations (SAs) are created at both IPSec endpoints.
        Using the negotiated SA information, outbound packets are encrypted and inbound packets are decrypted.

    8. Rebuilding Security Associations
        To ensure that keys are not compromised, they are periodically refreshed. Security associations will be rebuilt when:
        the lifetime expires, or
        the data volume limit has been exceeded, or
        another SA is attempted with identical parameters
        The limits come from the negotiated policies: the phase one suites shown on slide 5 use an 86400-second lifetime with no volume limit, and the phase two lifetime shown on slide 6 is 4608000 kilobytes or 3600 seconds, whichever is reached first.

    9. Simple IPSec Configuration

    10. Topologies

    11. GRE over IPSec (Common Configuration Issues)
        Apply the crypto map on both the tunnel interface and the physical interface (required on older IOS releases; later releases need it only on the physical interface).
        Specify GRE traffic as the IPSec interesting traffic:
        access-list 101 permit gre host 200.1.1.1 host 150.1.1.1
        Static or dynamic routing is needed to send VPN traffic into the GRE tunnel before it gets encrypted.

    12. GRE over IPSec (Avoid Recursive Routing)
        To avoid GRE tunnel interface damping due to recursive routing, keep transport and passenger routing information separate:
        Use different routing protocols, or separate routing protocol identifiers, for the transport and passenger networks
        Keep the tunnel IP address range and the actual IP network address ranges distinct
        For the tunnel interface IP address, don't use "ip unnumbered" to a loopback interface when the loopback's IP address resides in the ISP address space

    13. GRE over IPSec (MTU Issues)
        Overhead calculation for GRE over IPSec (assuming ESP-DES and ESP-MD5-HMAC):
        ESP overhead (with authentication): 31 to 38 bytes (the range depends on padding to the cipher block size)
        GRE header plus delivery IP header: 24 bytes
        Additional outer IP header (tunnel mode only): 20 bytes
        GRE over IPSec in tunnel mode introduces ~75 bytes of overhead; GRE over IPSec in transport mode introduces ~55 bytes of overhead.

    14. GRE over IPSec

    15. GRE over IPSec (MTU Issues)
        After GRE tunnel encapsulation, the packets are sent to the physical interface with the DF bit cleared (set to 0).
        The GRE packets are then encrypted at the physical interface; if the IPSec overhead makes the final IPSec packets bigger than the interface MTU, the router fragments them.
        The remote router must then reassemble the fragmented IPSec packets (process switched), which causes performance degradation.

    16. GRE over IPSec (MTU Issues)
        To avoid fragmentation and reassembly of IPSec packets:
        Set "ip mtu 1420" (GRE/IPSec tunnel mode) or "ip mtu 1440" (GRE/IPSec transport mode) under the tunnel interface, so that the GRE packet plus the ~75 or ~55 bytes of overhead from slide 13 still fits in a 1500-byte physical interface MTU.
        Enable "tunnel path-mtu-discovery" under the tunnel interface (the inner packet's DF bit is copied into the GRE packet after encapsulation, so path MTU discovery works across the tunnel instead of silently fragmenting).
        Use "show ip int switching" to verify the switching path.

    17. GRE IPSec Config

    18. GRE IPSEC Config continued

    19. GRE IPSEC Config continued

    20. GRE IPSEC Config continued

    21. Preventing Traffic Injection ACL on the physical interface Even better, VRF lite !
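As a worked example that ties slides 9 through 21 together, the following is a complete GRE-over-IPSec configuration for one end of the tunnel. It was written for this page and is not the presentation's own config (the contents of slides 17 to 20 did not survive extraction). It reuses the endpoint addresses 200.1.1.1 (local) and 150.1.1.1 (remote) and access-list 101 from slide 11; the tunnel subnet 10.1.1.0/30, the LAN prefix 192.168.1.0/24, the ISP next hop 200.1.1.2, the pre-shared key and the interface, map and ACL names are assumptions. The ISAKMP policy follows the deck's priority 1 suite (3DES, SHA, pre-shared key) but uses Diffie-Hellman group 2 instead of the 768-bit group 1 shown on slide 5.

```cisco
! Phase one (ISAKMP) policy: the deck's priority-1 suite, DH group 2 instead of 1
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Assumed pre-shared key for the remote peer (replace before use)
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 150.1.1.1
!
! Phase two transform set; transport mode saves the 20-byte outer IP header
! (slide 13) because the GRE packet already carries the endpoint addresses
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
!
! Interesting traffic: only GRE between the two tunnel endpoints (slide 11)
access-list 101 permit gre host 200.1.1.1 host 150.1.1.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 150.1.1.1
 set transform-set GRE-TS
 match address 101
!
! Inbound filter on the physical interface (slide 21): the Internet side may
! only deliver ISAKMP and ESP from the peer. Cleartext GRE or LAN traffic
! arriving from outside is dropped and logged, so nothing can be injected
! into the tunnel without passing through IPSec first.
! Older IOS releases re-check the decrypted packet against this ACL and would
! need an additional "permit gre" line, which weakens this protection.
ip access-list extended OUTSIDE-IN
 permit udp host 150.1.1.1 host 200.1.1.1 eq isakmp
 permit esp host 150.1.1.1 host 200.1.1.1
 deny ip any any log
!
! GRE tunnel: its addresses are distinct from both the physical link and the
! LAN ranges (slide 12); MTU and PMTUD settings from slide 16 (transport mode)
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 ip mtu 1440
 tunnel source Serial0/0
 tunnel destination 150.1.1.1
 tunnel path-mtu-discovery
 crypto map GRE-MAP
!
interface Serial0/0
 description Link to ISP (assumed)
 ip address 200.1.1.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map GRE-MAP
!
interface FastEthernet0/0
 description Local LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
!
! Passenger routing (slide 12): OSPF runs only over the tunnel and the LAN,
! never over the physical link, so the peer's public address can never be
! learned through the tunnel and the tunnel cannot recurse on itself
router ospf 1
 network 10.1.1.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! Transport routing: a static route to the remote endpoint via the ISP
ip route 150.1.1.1 255.255.255.255 200.1.1.2
```

The crypto map on Tunnel0 is only required on the older IOS releases the deck targets; on later releases it is applied to the physical interface alone. After bringing the tunnel up, "show crypto isakmp sa" should show the phase one SA in QM_IDLE, "show crypto ipsec sa" should show packets being encrypted and decrypted for the GRE proxy identities, and "show crypto ipsec security-association-lifetime" should show the phase two limits from slide 6. The VRF-lite option from slide 21 goes one step further than this ACL by placing the physical interface in a separate routing table, so cleartext packets from the outside have no path into the inside network at all.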

    22. VPN Types and Applications

    23. VPN Requirements Vary By Application: site-to-site VPNs and remote access VPNs tend to have different requirements.

    24. Cisco VPN Portfolio Purpose-Built for Specific VPN Environments

    25. VPN Product Function Matrix

    26. Cisco IOS Software Enhanced VPN Software Features
        Quality of Service: application-aware packet classification; congestion management and packet queuing; traffic shaping and policing
        Stateful IOS Firewall: per-application content filtering and Java blocking; denial of service protection and intrusion detection; time-based ACLs
        VPN Resiliency: dynamic route recovery, using routing protocols through the IPSec-secured GRE tunnel; dynamic tunnel recovery, using IPSec keepalives
        Full Layer 3 Routing and Broad Interface Support: EIGRP, BGP, OSPF, and others; numerous LAN and WAN interfaces

    27. Cisco Site-to-Site VPN Solutions Scalability for Every Site

    28. VPN-Enabled Broadband Routers

    29. VPN-Enabled Routers

    30. VPN-Enabled Routers

    31. 2650 Enhanced Performance VPN Module (AIM-VPN/EP)
        Delivers 14 Mbps 3DES performance
        The new AIM-VPN/EP is specially designed to take advantage of the 2650 high-performance router
        Offered in addition to the present AIM-VPN/BP (Base Performance Module)
        Supported on all 2600 platforms

    32. VPN Acceleration Module (VAM) for 7100/7200
        Greater than DS3 encryption performance: 145 Mbps 3DES IPSec performance for scalable site-to-site encryption
        Large number of VPN tunnels: 5000 simultaneous IPSec sessions
        Fast VPN tunnel setup time: hardware acceleration for RSA tunnel setup and key generation
        Compression for bandwidth conservation: hardware acceleration for IPPCP LZS compression

    33. VPN Management
        VPN Device Manager: embedded web single-device policy manager
        VPN Management Solutions: enterprise VPN monitoring and policy manager
        Cisco Secure Policy Manager: centralized, intelligent security policy management for firewall and VPN
        Telnet/SSH/rlogin/rsh/rcp CLI, tftp, MIBs

    34. Site-to-Site VPN Platform Summary
        Comprehensive suite of site-to-site VPN features: supports the most diverse VPN environments
        High performance VPN: up to 145 Mbps 3DES/HMAC-SHA1 IPSec; up to 5,000 simultaneous tunnels
        Site-specific VPN scalability: DSL, cable and ISDN VPN routers; Ethernet-to-Ethernet broadband routers
        Network management tailored for site-to-site applications

    35. For More Information... http://www.cisco.com/GO/VPN
