
Network Access for Remote Users: Practical IPSec

Dr John S. Graham, ULCC (johng@nosc.ja.net)

Presentation Transcript


  1. Network Access for Remote Users: Practical IPSec. Dr John S. Graham, ULCC, johng@nosc.ja.net

  2. Summary of Installations
     • Remote Site
       • Guildhall School of Music and Drama
       • Southgate and Capel Manor Colleges
     • Remote Users
       • Conservatoire of Dance and Drama

  3. Crypto Route Map
     • Crypto map
       • Static or Dynamic
     • IKE Policy
     • Additional Optional Steps
       • User authentication
       • Peer configuration
     • Integrate with overall router config

  4. IKE Policies
     • Algorithms to be offered
     • Authentication method
       • Pre-shared key
       • X.509 certificates
       • RSA encrypted nonces
     • Diffie-Hellman Group

  5. GSMD Physical Installation (diagram: Remote Site, Main Campus)

  6. GSMD: Equipment at Remote Site
     • ‘Wires Only’ ADSL Connection
     • One Static IP Address
     • Splitter
     • Cisco 827H Router
     • Ethernet hub (4 ports) plus ATM port

  7. Static Crypto Components
     • Create Crypto Map
       • Define trigger (ACL)
       • Peer Identity (IP address or FQDN)
       • Define transform
         • Mode (tunnel or transport)
         • List of algorithms that will be offered to peer
         • Lifetime of SA
     • Bind crypto map to external interface

  8. Authentication of Known Peers
     • One-to-one mappings between:
       • Peer IP addresses
       • Shared secret (unique to each peer)
     • IKE Phase I Main Mode exchanges:
       • Negotiate IKE SA and exchange cookies
       • Diffie-Hellman public values and pseudo-random nonces
       • Peers identify themselves and exchange authenticating hash

  9. IKE Main Mode (Initiator ↔ Responder)
     1. Initiator → Responder: Hdr, SA Proposals
     2. Responder → Initiator: Hdr, Chosen Proposal
     3. Initiator → Responder: Hdr, KE, Nonce
     4. Responder → Initiator: Hdr, KE, Nonce
     5. Initiator → Responder: Hdr, IDii, Hash_I
     6. Responder → Initiator: Hdr, IDir, Hash_R
     IKE SA Established

  10. Coexistence of NAT and IPSec
     • IPSec Precedes NAT
       • AH fails because source and/or destination addresses have changed
       • Transport-mode ESP invalidates TCP checksums
       • Invalidates IKE authentication exchange
     • NAT Precedes IPSec
       • Crypto triggers do not fire when expected

  11. Dynamic NAT vs Crypto (diagram: Ethernet, ACL, IPSec Tunnel, Crypto, NAT and Dialer stages; packet paths labelled B1, A1, B2, A2, B3)

  12. Southgate and Capel Manor
     • Shared student records database at Southgate
     • Database queries & updates over high-speed WAN with crypto
     • Back-up interface using ISDN

  13. Integrating Crypto and Routing
     • Create GRE tunnel interface
     • Routing protocol receives updates over T1 & T2
     • Bind crypto map to T1 and T2
     • Watch out for double fragmentations!

  14. Fragmentation Hell

  15. CDD and Physical Installation

  16. CDD: Logical Installation
     • Remote peer IP not known
       • Dynamic crypto
       • IKE Phase 1 uses aggressive mode
     • Insecure shared secret
       • IKE extended authentication (XAuth)
     • Central control of remote peer’s config
       • IPSec Mode-configuration (MODECFG)

  17. Authentication of Unknown Peers
     • Pre-shared secret not indexed by IP address
     • IKE Phase I Aggressive Mode Exchange
     • Supplementary authentication of user credentials

  18. IKE Aggressive Mode (Initiator ↔ Responder)
     1. Initiator → Responder: Hdr, SA, KE, Nonce, IDii
     2. Responder → Initiator: Hdr, SA, KE, Nonce, IDir, Hash_R
     3. Initiator → Responder: Hdr, Hash_I
     IKE SA Established
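An added example, not from the slides, that models the Main Mode exchange of slides 8 and 9 with pre-shared-key authentication (RFC 2409) and shows the constraint slides 16 to 18 work around: the responder must select the shared secret by the initiator's IP address, because SKEYID is needed before the encrypted IDii in message 5 can be read. Peer names, addresses and secrets are constructed sample values; the prf is HMAC-SHA1 and the DH group is Oakley Group 1.

```python
import hashlib, hmac, os

# Oakley Group 1 (768-bit MODP prime from RFC 2409 section 6.1), generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key, data):            # IKE prf when SHA-1 is the negotiated hash
    return hmac.new(key, data, hashlib.sha1).digest()

def b(n):                      # big-endian encoding of a DH public value
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

class Peer:
    """One IKE endpoint; identities passed in are constructed samples."""
    def __init__(self, ident):
        self.ident = ident                               # ID payload body
        self.x = int.from_bytes(os.urandom(32), "big")   # DH private value
        self.ke = pow(G, self.x, P)                      # KE payload (g^x)
        self.nonce = os.urandom(16)                      # Ni_b or Nr_b
        self.cky = os.urandom(8)                         # ISAKMP cookie

def main_mode(init, init_ip, init_psk, resp, psk_by_ip, sa=b"SAi_b"):
    """Run Phase 1 Main Mode; True when both peers authenticate, else False."""
    # Msgs 1-2: SA proposal and chosen proposal, in clear.
    # Msgs 3-4: KE and nonces; both sides now agree on g^xy.
    assert pow(resp.ke, init.x, P) == pow(init.ke, resp.x, P)
    # Msg 5 arrives encrypted under keys derived from SKEYID and g^xy, and
    # IDii is inside it, so the responder can only choose the PSK by source IP.
    resp_psk = psk_by_ip.get(init_ip)
    if resp_psk is None:
        return False                                     # unknown peer address
    skeyid_i = prf(init_psk, init.nonce + resp.nonce)    # prf(psk, Ni_b|Nr_b)
    skeyid_r = prf(resp_psk, init.nonce + resp.nonce)
    # Msg 5: IDii, HASH_I = prf(SKEYID, g^xi|g^xr|CKY-I|CKY-R|SAi_b|IDii_b)
    hi_body = b(init.ke) + b(resp.ke) + init.cky + resp.cky + sa + init.ident
    hash_i = prf(skeyid_i, hi_body)
    if not hmac.compare_digest(hash_i, prf(skeyid_r, hi_body)):
        return False                                     # responder rejects
    # Msg 6: IDir, HASH_R = prf(SKEYID, g^xr|g^xi|CKY-R|CKY-I|SAi_b|IDir_b)
    hr_body = b(resp.ke) + b(init.ke) + resp.cky + init.cky + sa + resp.ident
    hash_r = prf(skeyid_r, hr_body)
    return hmac.compare_digest(hash_r, prf(skeyid_i, hr_body))
```

A peer whose address is absent from the table, or whose secret differs from the one stored for that address, never completes Phase 1; that is the gap a dynamic crypto map with aggressive mode and XAuth fills for remote users on unknown addresses.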

  19. CDD: IKE XAuth
     • Router → PC: ISAKMP_CFG_REQUEST
     • PC → Router: ISAKMP_CFG_REPLY
     • Router → PC: ISAKMP_CFG_SET
     • PC → Router: ISAKMP_CFG_ACK

  20. CDD: Mode Configuration
     Remote station configured by router with:
     • a private IP address and mask
     • a list of local prefixes that will be tunnelled
     • a list of local domains and their associated resolvers

  21. Selective Static NAT
     ip nat inside source static 10.0.0.5 212.219.240.225 route-map selective-nat
     !
     access-list 100 deny ip host 10.0.0.5 192.168.0.0 0.0.0.255
     !
     route-map selective-nat permit 10
      match ip address 100

  22. Windows Gotchas
     • Domain Logons Over Tunnel
     • Kerberos not tunnelled
     • Shared secret not supported
     • Registry hack

  23. That's All Folks!
