1. Deploying and Managing Enterprise IPsec VPNs Ken Kaminski Cisco Systems Consulting Systems Engineer – Security/VPN Northeast [email_address]
2.
3.
4. Product Function Matrix Site-to-Site Role Remote Access Role IOS PIX 3000 Scales for large deployments PDM 2.0 includes VPN management Primary Role Full fledged remote access solution With recent addition of Cisco VPN Client now supported with good feature set Not recommended for large-scale use due to lack of QOS, SLA monitoring, and multiprotocol routing Integrated firewall and VPN device Primary Role Full fledged Site-to-Site
5.
6.
7.
8.
9.
10.
11.
12.
13.
14. EzVPN Configuration example Internet Head office 1.1.1.1 ? ? Remote Office crypto ipsec client ezvpn hw-client group engineering-1 key secret mode client peer 1.1.1.1 ! interface Ethernet1 description connected to INTERNET ip address ....... crypto ipsec client ezvpn hw-client
15.
16.
17.
18. IPsec/GRE Example IPsec Policy (Phase II) crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac mode transport access-list 102 permit gre host 1.1.1.1 host 2.2.2.2 access-list 103 permit gre host 1.1.1.1 host 3.3.3.3 Internet ? 1.1.1.1 2.2.2.2 3.3.3.3 ? ? tunnel 2003 tunnel 2002
19. IPsec/GRE Example crypto map IPSEC 20 ipsec-isakmp set peer 2.2.2.2 match address 102 set transform-set ESP-3DES-SHA crypto map IPSEC 30 ipsec-isakmp set peer 3.3.3.3 match address 103 set transform-set ESP-3DES-SHA Internet ? 1.1.1.1 2.2.2.2 3.3.3.3 ? ? tunnel 2003 tunnel 2002
20. IPsec/GRE Example Internet ? int tunnel 2002 ip address 10.99.1.1 255.255.255.0 tunnel source serial 0 tunnel destination 2.2.2.2 crypto map IPSEC int tunnel 2003 ip address 10.99.2.1 255.255.255.0 tunnel source serial 0 tunnel destination 3.3.3.3 crypto map IPSEC 1.1.1.1 2.2.2.2 3.3.3.3 ? ? tunnel 2003 10.99.2.0/24 tunnel 2002 10.99.1.0/24
21. IPsec/GRE Example int serial 0 ip address 1.1.1.1 255.255.255.252 crypto map IPSEC ! ip route 2.2.2.2 255.255.255.255 serial 0 ip route 3.3.3.3 255.255.255.255 serial 0 ! router ospf 1 network 10.0.0.0 0.255.255.255 area 1 Internet ? 1.1.1.1 2.2.2.2 3.3.3.3 ? ? tunnel 2003 10.99.2.0/24 tunnel 2002 10.99.1.0/24
22.
23.
24.
25.
26. Dynamic Multipoint VPN - DMVPN Spoke Dynamic (or static) public IP addresses 10.100.1.0 255.255.255.0 10.1.1.0 255.255.255.0 10.1.1.1 10.100.1.1 = Dynamic & Permanent spoke-to-hub IPsec tunnels Static public IP address 10.1.2.0 255.255.255.0 10.1.2.1 130.25.13.1 12.2(13)T = Dynamic&Temporary Spoke-to-spoke IPsec tunnels
27.
28. TED Example Alice Bob IP: A to B X Y Z Clive X(config)# crypto dynamic-map DYN 10 set transform-set ESP-3DES-SHA match address 100 ! crypto map IPSEC 99 ipsec-isakmp dynamic discover ! access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255 A to B must be protected No SA -> Send Probe IKE A to B (proxy X) IKE Y to X Traffic to B must be protected No SA -> Block &Answer probe
29. IPsec Migration Today 1. IPsec - t ime 0. - - - no communication possible - 2. IPsec IPsec - all encrypted - Problem : Migration to IPsec in large networks
30. IPSEC Passive M ode 1. passive - 2. passive passive 3. active passive 4. active active t ime 0. - - - now all router are on passive - - now all router are running normal IPsec - 12.2(13)T # crypto ipsec optional
31.
32.
33.
34.
35. High Availability with Dead Peer Detection Head-End Remote HE-2 HE-1 Internet Corporate Intranet X crypto map IPSEC 10 match address 10 set peer 1.1.1.1 set peer 1.1.1.2 set transform-set ESP-3DES-SHA 1.1.1.1 1.1.1.2
36.
37. High Availability with IPsec and HSRP+ Remote HE-2 HE-1 Internet Corporate Intranet X 1.1.1..3 crypto map IPSEC 10 match address 10 set peer 1.1.1.3 set transform-set ESP-3DES-SHA interface Ethernet1/0 ip address 1.1.1.1 255.255.255.248 standby 1 ip 1.1.1.3 standby 1 priority 200 standby 1 preempt standby 1 name VPNHA standby 1 track Ethernet1/1 150 crypto map VPN redundancy VPNHA
38.
39.
40.
41.
42. High Availability with IPsec/GRE Head-End Remote HE-2 HE-1 Internet Corporate Intranet Remote : ! int tunnel 1 ...... ip ospf cost 10 ..... ! int tunnel 2 ...... ip ospf cost 20 ...... tunnel 1 tunnel 2 HE-1 ! int tunnel 1 ...... ip ospf cost 10 ..... HE-2 ! int tunnel 2 ...... ip ospf cost 10 .....
43.
44.
45.
46. Split Tunneling Internet Split-Tunneling Enabled VPN Client www.evilhackers.com VPN HW No NAT for corporate traffic NAT for Internet traffic
47.
48.
49. VPN Device with separate Firewall To WAN Edge To Campus VPN Termination L4–L7 Stateful Inspection and Filtering DoS Mitigation Focused Layer 4–7 Analysis Nothing To See (crypto-wise) Stateless L3 Filtering (IKE, ESP) VPN DMZ
![Deploying and Managing Enterprise IPsec VPNs Ken Kaminski Cisco Systems Consulting Systems Engineer – Security/VPN Northeast [email_address]](https://image.slidesharecdn.com/vpn4-1231525243506308-2/85/vpn4-1-320.jpg)
![[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],IPsec - more than just crypto !](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)