Cisco Router as a VPN Server
Agenda • VPN • Categories of VPN • Secure VPNs • Trusted VPN • Hardware / Software Requirement • Network Diagram • Basic Router Configuration • Configuring AAA Server • Virtual Template • VPDN • IPSec
What is VPN ? A virtual private network (VPN) is a computer network that is implemented in an additional logical layer (overlay) on top of an existing network. It has the purpose of creating a private scope of computer communications or providing a secure extension of a private network into an insecure network such as the Internet. http://en.wikipedia.org/wiki/Virtual_private_network
Categories of VPN VPN technologies may be classified by many standards. Two broad categories of VPN are: • Secure VPNs • Trusted VPNs
Secure VPNs • Provide mechanisms for authentication of the tunnel endpoints and encryption of the traffic. • Provide remote access facilities to employees. • Connect multiple networks together securely using the Internet to carry the traffic. • Secure VPN protocols include IPsec, SSL/TLS and PPTP (with MPPE). PPTP is listed for completeness only: its MS-CHAPv2 authentication and RC4-based MPPE keying are broken, so it provides no dependable confidentiality. • Do not provide QoS guarantees; routing across the tunnel is the responsibility of the endpoints (this deck runs EIGRP on the router for that reason).
Trusted VPNs • Created by carriers and large organizations on large core networks. • Provide Quality of Service. • Trusted VPN protocols include MPLS, ATM and Frame Relay. • Do not provide security features such as data confidentiality through encryption; the customer trusts the carrier to keep the traffic separated.
Hardware / Software Req • Cisco Integrated Services Router running a 12.4 Advanced Enterprise Services IOS image. • Ethernet cables (crossover). • PCs / laptops. • Cisco VPN Client (v5.0.06.0110). • Cisco Security Device Manager (SDM, for GUI-based configuration). • Java Runtime Environment (for SDM).
Basic Router Configuration
• Create the local login users for the VPN. Give VPN users privilege 1 (user EXEC only) so that a VPN credential is not also an administrative one. "password 0" stores the password in clear text in the running configuration; "secret" stores a hash instead and is the form to prefer:
Router(config)# username [loginID] privilege [1-15] password 0 [password]
Router(config)# username [loginID] privilege 1 secret [password]
• Configure the Fast Ethernet interfaces:
Router# config t
Router(config)# interface FastEthernet0/0
Router(config-if)# description Internal LAN (192.168.0.0/24)
Router(config-if)# ip address 192.168.0.254 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# interface FastEthernet0/1
Router(config-if)# description VPN INT (10.1.1.0/24)
Router(config-if)# ip address 10.1.1.254 255.255.255.0
Router(config-if)# no shutdown
Basic Router Configuration (contd)
• Configure the routing protocol. EIGRP network statements select interfaces by address, and without a wildcard mask they are classful (network 172.16.1.0 is treated as 172.16.0.0/16). The 172.16.1.0 entry is meant for the VPN client pool; it only has an effect once an interface or route in that range exists on the router.
Router# config t
Router(config)# router eigrp 1
Router(config-router)# network 192.168.0.0
Router(config-router)# network 172.16.1.0
Router(config-router)# network 10.0.0.0
• Define the address pool from which VPN clients receive their addresses:
Router(config)# ip local pool ip_pool 172.16.1.10 172.16.1.20
Configuring AAA
• aaa new-model: enables the authentication, authorization, and accounting (AAA) access control model. Once it is on, every line (console and VTY included) is subject to AAA method lists, so make sure a local username exists before enabling it over a remote session.
Router(config)# aaa new-model
• aaa session-id [common | unique]: makes all session identification (ID) information sent out for a given call identical (common) or distinct per service (unique). The default behavior is common.
Router(config)# aaa session-id common
Configuring AAA (contd)
• aaa authentication login [list-name] local: defines a named login authentication list. The local keyword tells AAA to use the local username database. This list is referenced later by the crypto map for IKE extended authentication (XAUTH) of VPN users.
Router(config)# aaa authentication login vpn_xauth local
• aaa authorization network [list-name] local: defines a named list for authorization of network-related service requests (here, the lookup of the IKE client configuration group). The local keyword tells AAA to use the local database for authorization.
Router(config)# aaa authorization network vpn_group local
Virtual Template • A virtual template interface is a predefined configuration from which virtual access interfaces are cloned. Each virtual access interface is created and configured dynamically when a user connects, used for that session, and freed when it is no longer needed. • A virtual access interface requires the same amount of memory as a serial interface. • Cisco routers support a maximum of 300 virtual interfaces.
Benefits of Virtual Template • For easier maintenance, allows customized configurations to be predefined. • For scalability, allows interface configuration to be separated from physical interfaces. • For consistency and configuration ease, allows the same predefined template to be used for all users. • For efficient router operation, frees the virtual access interface memory for another dial-in use when the user's call ends.
Configuring Virtual Template
Router# config t
Router(config)# interface Virtual-Template1
Router(config-if)# ip unnumbered FastEthernet0/1
Router(config-if)# peer default ip address pool ip_pool
Router(config-if)# ppp encrypt mppe auto required
Router(config-if)# ppp authentication ms-chap ms-chap-v2
• ip unnumbered borrows the address of FastEthernet0/1 for every cloned virtual access interface; peer default ip address pool hands each PPTP client an address from the pool defined earlier (without it clients would negotiate no address).
• ppp encrypt mppe auto required refuses sessions that do not negotiate encryption but accepts 40-bit as well as 128-bit MPPE; "ppp encrypt mppe 128 required" forces the longer key. Listing ms-chap before ms-chap-v2 allows clients to fall back to MS-CHAPv1, which is weaker still.
• Caveat: MPPE is RC4 keyed from the MS-CHAP exchange, and the DES-based MS-CHAPv2 response can be cracked offline by anyone who captures the handshake, so a PPTP server built this way should be treated as obfuscation, not as a secure VPN.
VPDN • A virtual private dial-up network (VPDN) allows a private network's dial-in service to span to remote access servers; the server the client first reaches is called the L2TP Access Concentrator (LAC). • The LAC forwards the PPP session through a tunnel to an L2TP Network Server (LNS). The LNS then authenticates the user and completes the PPP negotiation. • VPDN tunnels carry link-level (PPP) frames using L2F, L2TP or PPTP. In this configuration the router accepts PPTP tunnels directly from the clients, so it terminates the PPP sessions itself and no separate access concentrator is involved.
Configuring VPDN
• vpdn enable: enables virtual private dial-up networking on the router.
Router(config)# vpdn enable
• vpdn-group [group-name]: creates a VPDN group that specifies the tunnel protocol, the direction (accept-dialin for a server that accepts incoming tunnels) and the virtual template cloned for each session.
Router(config)# vpdn-group VPN_Server
Router(config-vpdn)# accept-dialin
Router(config-vpdn-acc-in)# protocol pptp
Router(config-vpdn-acc-in)# virtual-template 1
IPSec • Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications at the network layer. • IPsec uses the following protocols to perform its functions: • Internet Key Exchange (IKE and IKEv2) to authenticate the peers and set up security associations (SAs) and their keys. • Authentication Header (AH) to provide connectionless integrity and data-origin authentication (no confidentiality). • Encapsulating Security Payload (ESP) to provide confidentiality and, when combined with an integrity transform such as esp-sha-hmac, integrity as well.
Configuring IPSec based VPN
• crypto isakmp policy [priority]: defines an Internet Key Exchange (IKE) phase 1 policy. IKE policies define the set of parameters used during the IKE negotiation (encryption, hash, authentication method, Diffie-Hellman group, lifetime); the router offers its policies in priority order, lowest number first, until one matches the peer.
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# encr 3des
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 2
• The hash is not set here, so it defaults to SHA-1, and the lifetime to 86400 seconds. 3DES and 1024-bit Diffie-Hellman group 2 are the weakest choices still commonly offered; where the image supports them, "encr aes 256" and "group 14" (2048-bit) should be used instead.
Configuring IPSec based VPN (contd)
• show crypto isakmp policy lists the policy created by the commands on the previous slide, with the defaults filled in:
Router# show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Configuring IPSec based VPN (contd)
• crypto isakmp client configuration group [name]: defines the client group that remote-access users connect with (the group name entered in the Cisco VPN Client), its pre-shared group key, and the pool from which clients receive an address through IKE mode configuration.
Router(config)# crypto isakmp client configuration group ipsec_group
Router(config-isakmp-group)# key ipsec
Router(config-isakmp-group)# pool ip_pool
Router(config-isakmp-group)# netmask 255.255.255.255
• The group key is shared by every client and serves as the IKEv1 pre-shared key for the aggressive-mode exchange, which an eavesdropper can attack offline. It should therefore be long and random (the single word "ipsec" above is a placeholder) and never be the only credential: the per-user XAUTH login defined under AAA is what actually identifies a user.
Configuring IPSec based VPN (contd)
• crypto ipsec transform-set [name] [transforms]: a transform set specifies the encryption and integrity algorithms used to protect the data in the VPN tunnel (IPsec phase 2). A dynamic crypto map then references the transform set; it carries no peer address because remote-access clients connect from addresses that are not known in advance.
Router(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
Router(cfg-crypto-trans)# exit
Router(config)# crypto dynamic-map DYNMAP 1
Router(config-crypto-map)# set transform-set ESP-3DES-SHA
• SDM displays the resulting set as: Name ESP-3DES-SHA, ESP Encryption ESP_3DES, ESP Integrity ESP_SHA_HMAC. As with the IKE policy, esp-3des is the weak choice; esp-aes 256 with esp-sha-hmac is preferred where the image supports it.
Configuring IPSec based VPN (contd)
• crypto map [name]: the crypto map ties everything together (the XAUTH authentication list, the mode-config authorization list, address assignment and the dynamic map) and is applied to the interface that terminates the tunnels. The list names must match the AAA lists defined earlier (vpn_xauth and vpn_group).
Router(config)# crypto map CMAP client authentication list vpn_xauth
Router(config)# crypto map CMAP isakmp authorization list vpn_group
Router(config)# crypto map CMAP client configuration address respond
Router(config)# crypto map CMAP 10 ipsec-isakmp dynamic DYNMAP
Router(config)# interface FastEthernet0/1
Router(config-if)# crypto map CMAP
• Without the "ipsec-isakmp dynamic" entry the map contains no IPsec policy and clients fail at phase 2; "client configuration address respond" lets the router answer the client's mode-config request with an address from the pool.
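The configuration from the preceding slides, assembled in one place and checked for the weak points noted above, as an added example that is not part of the original slides or of any Cisco tool. The config text is constructed from the slide commands (the vpnuser/cisco123 credential is made up, and the vpn_auth/vpn_xauth list-name mismatch from the slides is kept deliberately so the audit catches it); the hardened variant assumes the image accepts the "aes 256" and "group 14" keywords. The checks themselves are the editor's and cover only what the deck configures.

```python
"""Audit a Cisco IOS VPN-server config for the weak settings and dangling references on these slides."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    line: int      # 1-based line within the audited config text
    message: str

# Constructed from the slides' commands, not captured from a router. vpnuser/cisco123 are
# made up; the vpn_auth vs vpn_xauth mismatch is kept on purpose so the audit can catch it.
BASE = """\
aaa authentication login vpn_xauth local
aaa authorization network vpn_group local
username vpnuser privilege 1 password 0 cisco123
ip local pool ip_pool 172.16.1.10 172.16.1.20
"""
PPTP = """\
vpdn enable
vpdn-group VPN_Server
 accept-dialin
  protocol pptp
  virtual-template 1
interface Virtual-Template1
 peer default ip address pool ip_pool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
"""
IPSEC = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 1
 set transform-set ESP-3DES-SHA
crypto map CMAP client authentication list vpn_auth
crypto map CMAP isakmp authorization list vpn_group
crypto map CMAP client configuration address respond
crypto map CMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/1
 crypto map CMAP
"""
SAMPLE_CONFIG = BASE + PPTP + IPSEC
# Same server with PPTP dropped, the credential hashed, the suites upgraded and the list
# name fixed. Assumes the image accepts the "aes 256" and "group 14" keywords.
HARDENED_CONFIG = ((BASE + IPSEC)
                   .replace("password 0 cisco123", "secret Long-Random-Passphrase")
                   .replace(" encr 3des", " encr aes 256").replace(" group 2", " group 14")
                   .replace("esp-3des esp-sha-hmac", "esp-aes 256 esp-sha-hmac")
                   .replace("ESP-3DES-SHA", "ESP-AES-SHA").replace("list vpn_auth", "list vpn_xauth"))

WEAK_IKE = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}

def _defined(config, cmd):
    """Names introduced by a top-level command, e.g. 'crypto dynamic-map <name>'."""
    return set(re.findall(rf"^{cmd} (\S+)", config, re.M))

def _check(t, d):
    """One tokenised config line -> (severity, message), or None if it is fine."""
    if t[0] == "username" and "password" in t:
        return "high", "credential kept with 'password' (type 0/7 is recoverable); use 'secret'"
    if t[0] == "protocol" and "pptp" in t:
        return "high", "PPTP tunnel: MPPE session keys derive from the MS-CHAP exchange"
    if t[:2] == ["ppp", "authentication"] and any(m.startswith("ms-chap") for m in t[2:]):
        return "high", "MS-CHAP/MS-CHAPv2: a captured handshake yields the NT hash offline"
    if t[0] in WEAK_IKE and len(t) > 1 and t[1] in WEAK_IKE[t[0]]:
        return "high", f"weak IKE parameter '{' '.join(t)}'"
    if t[0] == "authentication" and "pre-share" in t:
        return "medium", "IKEv1 group pre-shared key: shared by every client, crackable offline in aggressive mode"
    if t[:3] == ["crypto", "ipsec", "transform-set"] and WEAK_ESP & set(t[4:]):
        return "high", f"weak ESP transform in {t[3]}: {sorted(WEAK_ESP & set(t[4:]))}"
    if t[:2] == ["crypto", "map"] and "list" in t:
        name = t[t.index("list") + 1]
        if name not in (d["auth"] if t[3] == "client" else d["authz"]):
            return "high", f"crypto map {t[2]} references undefined aaa list '{name}'"
    elif t[:2] == ["crypto", "map"] and "dynamic" in t and t[-1] not in d["dyn"]:
        return "high", f"crypto map {t[2]} binds undefined dynamic map '{t[-1]}'"
    elif t[:2] == ["crypto", "map"] and len(t) == 3 and t[2] not in d["bound"]:
        return "high", f"crypto map {t[2]} is applied to an interface but has no ipsec-isakmp entry"
    return None

def audit(config):
    """All findings for one config text, in line order."""
    d = {"auth": _defined(config, "aaa authentication login"),
         "authz": _defined(config, "aaa authorization network"),
         "dyn": _defined(config, "crypto dynamic-map"),
         # a crypto map only carries IPsec policy once it has an ipsec-isakmp entry
         "bound": set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp", config, re.M))}
    out = []
    for n, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        r = _check(t, d) if t else None
        if r:
            out.append(Finding(r[0], n, r[1]))
    return out

def highs(config):
    """Messages of the high-severity findings only."""
    return [x.message for x in audit(config) if x.severity == "high"]
```

Running audit(SAMPLE_CONFIG) reports seven high findings (the clear-text username, PPTP, MS-CHAP, 3DES, DH group 2, esp-3des and the undefined vpn_auth list) plus the pre-shared-key note; audit(HARDENED_CONFIG) leaves only that medium note, which is inherent to the group-key model of the Cisco VPN Client and can only be removed by moving to certificate authentication.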