
Configuring Site-to-Site VPN with Pre-shared Keys

Learn how to set up a site-to-site VPN using pre-shared keys for secure communication between routers and devices. Understand the encryption policies, IKE configurations, and testing methods involved. Explore limitations and best practices for peer authentication with pre-shared secrets.


Presentation Transcript


  1. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys

  2. Module 4: Configuring Site to Site VPN with Pre-shared keys Lesson 4.1 Prepare a Router for Site-to-Site VPN using Pre-shared Keys

  3. IPSec encryption with pre-shared keys
     • Site-to-site IPSec VPNs can be established between any combination of routers, PIX Security Appliances, VPN concentrators, VPN clients, and other devices that are IPSec compliant.
     • Using pre-shared keys to authenticate IPSec sessions is relatively easy to configure.
     • Pre-shared keys do not scale well for a large number of IPSec clients.

  4. IPSec encryption with pre-shared keys
     Configuring IKE pre-shared keys in Cisco IOS consists of four tasks.
     • Task 1 is to prepare for IPSec:
       • Determine the encryption policy
       • Identify the hosts and networks to protect
       • Gather details about the IPSec peers
       • Identify the IPSec features needed
       • Ensure that existing ACLs are compatible with IPSec

  5. IPSec encryption with pre-shared keys
     • Task 2 is to configure IKE:
       • Enable IKE
       • Create the IKE policies
       • Validate the configuration
     • Task 3 is to configure IPSec:
       • Define the transform sets
       • Create crypto ACLs
       • Create crypto map entries
       • Apply crypto map sets to interfaces
     • Task 4 is to test and verify IPSec

  6. IKE peer authentication with pre-shared secrets
     • The simplest authentication method to configure, but it has several serious limitations.
     • Authentication is based on a pre-shared secret that is exchanged securely out-of-band.
     • Peers perform a PPP CHAP-like exchange of random values, hashed with the pre-shared secret key.

  7. IKE peer authentication with pre-shared secrets
     IKE peer authentication using pre-shared secrets works in the following manner:
     • Peer A randomly chooses a string and sends it to peer B.
     • Peer B hashes the string together with the pre-shared secret.
     • Peer B sends the result of the hash back to peer A.
     • Peer A calculates its own hash of the random string together with the pre-shared secret and compares it with the value peer B returned.
     • The same process is then repeated with the roles reversed, so that peer B authenticates peer A.
     • The main limitation of pre-shared secret authentication is that the pre-shared secret must be bound to the IP address of the remote peer, not to its IKE identity.
     • This can cause problems in an environment with dynamic peer addresses.

  8. Planning the IKE and IPSec policy

  9. Step 1 – Determine ISAKMP (IKE Phase 1) policy
     Some planning steps include the following:
     • Determine the key distribution method:
       • Manually distribute keys
       • Use a CA server
     • Determine the authentication method: pre-shared keys, RSA encrypted nonces, or RSA signatures
     • Identify IP addresses and host names of the IPSec peers
     • Determine ISAKMP policies for peers:
       • Encryption algorithm
       • Hash algorithm
       • IKE SA lifetime

  10. IKE Phase 1 Default Values

  11. Step 2 – Determine IPSec (IKE Phase 2) policy
     Policy details to determine at this stage include the following:
     • Select IPSec algorithms and parameters for optimal security and performance
     • Select transforms and, if necessary, transform sets
     • Identify IPSec peer details
     • Determine the IP addresses and applications of the hosts to be protected
     • Select manual or IKE-initiated SAs

  12. IPSec Transform Sets

  13. Step 3 – Check the current configuration

  14. Check Current configuration

  15. View Configured Crypto Maps

  16. View Configured Transform Sets

  17. Step 4 – Ensure the network works without encryption

  18. Step 5 – Ensure ACLs are compatible with IPSec
     • Ensure that the ACLs are configured so that ISAKMP, Encapsulating Security Payload (ESP), and AH traffic is not blocked at interfaces used by IPSec:
       • ISAKMP uses UDP port 500
       • ESP is assigned IP protocol number 50
       • AH is assigned IP protocol number 51
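The four tasks above (IKE policy, transform set, crypto ACL, crypto map, and the interface ACL that must pass ISAKMP/ESP/AH) on one side of the tunnel, as an added Cisco IOS example that is not part of the slides. The addresses, names and the placeholder key are assumptions, as is an IOS release that supports the AES/SHA-256 keywords used here.

```cisco
! Added example, not from the original slides. Assumed values: local peer
! 203.0.113.1, remote peer 203.0.113.2, local LAN 10.1.1.0/24, remote LAN
! 10.2.2.0/24, outside interface Serial0/0. The remote router mirrors this.
!
! Task 2: enable IKE and define the ISAKMP (IKE Phase 1) policy
crypto isakmp enable
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! The key is bound to the remote peer's IP address (the limitation
! described in slide 7 for peers with dynamic addresses).
crypto isakmp key 0 REPLACE-WITH-LONG-RANDOM-SECRET address 203.0.113.2
!
! Task 3: transform set for IKE Phase 2 (the IPSec SAs)
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: the traffic that must be protected
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map entry tying peer, transform set and crypto ACL together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TS
 match address VPN-TRAFFIC
!
! Step 5: the inbound ACL on the outside interface must not block
! ISAKMP (UDP 500), ESP (IP protocol 50) or AH (IP protocol 51).
! On some IOS releases decrypted packets are checked against this ACL
! again, so the protected LAN-to-LAN traffic is permitted as well.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ahp host 203.0.113.2 host 203.0.113.1
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Apply the crypto map and the ACL to the outside interface
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! Task 4: verify with "show crypto isakmp sa" and "show crypto ipsec sa"
```

Send interesting traffic (for example, a ping from 10.1.1.0/24 to 10.2.2.0/24) before checking the SAs, since IKE is only initiated when a packet matches the crypto ACL.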

  19. Q and A
