CCNA Security - Chapter 8
8 Oct 2012
Irsandi Hasan
CCNA Security
Chapter Eight: Implementing Virtual Private Networks
© 2009 Cisco Learning Institute.
Lesson Planning
• This lesson should take 3-4 hours to present
• The lesson should include lecture, demonstrations, discussions and assessments
• The lesson can be taught in person or using remote instruction
Major Concepts
• Describe the purpose and operation of VPN types
• Describe the purpose and operation of GRE VPNs
• Describe the components and operations of IPsec VPNs
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using the CLI
• Configure and verify a site-to-site IPsec VPN with pre-shared key authentication using SDM
• Configure and verify a remote-access VPN
Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe the purpose and operation of VPNs
2. Differentiate between the various types of VPNs
3. Identify the Cisco VPN product line and the security features of these products
4. Configure a site-to-site VPN GRE tunnel
5. Describe the IPsec protocol and its basic functions
6. Differentiate between AH and ESP
7. Describe the IKE protocol and modes
8. Describe the five steps of IPsec operation
9. Describe how to prepare IPsec by ensuring that ACLs are compatible with IPsec
10. Configure IKE policies using the CLI
11. Configure the IPsec transform sets using the CLI
12. Configure the crypto ACLs using the CLI
13. Configure and apply a crypto map using the CLI
14. Describe how to verify and troubleshoot the IPsec configuration
15. Describe how to configure IPsec using SDM
16. Configure a site-to-site VPN using the Quick Setup VPN Wizard in SDM
17. Configure a site-to-site VPN using the step-by-step VPN Wizard in SDM
18. Verify, monitor and troubleshoot VPNs using SDM
19. Describe how an increasing number of organizations are offering telecommuting options to their employees
20. Differentiate between remote-access IPsec VPN solutions and SSL VPNs
21. Describe how SSL is used to establish a secure VPN connection
22. Describe the Cisco Easy VPN feature
23. Configure a VPN server using SDM
24. Connect a VPN client using the Cisco VPN Client software
What is a VPN?
[Diagram: a business partner with a Cisco router, a mobile worker with the Cisco VPN Client and CSA, a SOHO with a Cisco DSL router and a regional branch with a VPN-enabled Cisco ISR router, each reaching the corporate WAN across the Internet through the corporate firewall]
• Virtual: information within a private network is transported over a public network.
• Private: the traffic is encrypted to keep the data confidential.
Layer 3 VPN
[Diagram: an IPsec VPN from a SOHO with a Cisco DSL router across the Internet]
• Generic routing encapsulation (GRE)
• Multiprotocol Label Switching (MPLS)
• IPsec
Types of VPN Networks
[Diagram: remote-access VPNs (a mobile worker with the Cisco VPN Client and CSA, a SOHO with a Cisco DSL router) and site-to-site VPNs (a business partner with a Cisco router, a regional branch with a VPN-enabled Cisco ISR router) terminating on the corporate firewall, behind which sit MARS, IronPort and CSA-protected web, email and DNS servers]
• Remote-access VPNs
• Site-to-site VPNs
Site-to-Site VPN
[Diagram: the same corporate topology with the site-to-site VPNs from the business partner and the regional branch highlighted]
• Hosts send and receive normal TCP/IP traffic through a VPN gateway.
Remote-Access VPNs
[Diagram: a mobile worker with the Cisco VPN Client and CSA connecting across the Internet to the corporate firewall; behind it MARS, IPS, IronPort and CSA-protected web, email and DNS servers]
VPN Client Software
[Diagram: a Cisco VPN Client connection entry named "R1" pointing at R1-vpn-cluster.span.com]
• In a remote-access VPN, each host typically has Cisco VPN Client software.
Cisco IOS SSL VPN
• Provides remote-access connectivity from any Internet-enabled host
• Uses a web browser and SSL encryption
• Delivers two modes of access:
  - Clientless
  - Thin client
Cisco VPN Product Family
Product choice: remote-access VPN role / site-to-site VPN role
• Cisco VPN-enabled router: secondary role / primary role
• Cisco PIX 500 Series Security Appliances: secondary role / primary role
• Cisco ASA 5500 Series Adaptive Security Appliances: primary role / secondary role
• Cisco VPN 3000 Series Concentrators: primary role / secondary role
• Home routers: primary role
Cisco VPN-Optimized Routers
[Diagram: Cisco routers at the main office, a regional office, a remote office and a SOHO, connected over the Internet]
VPN features:
• Voice and video enabled VPN (V3PN)
• IPsec stateful failover
• DMVPN
• IPsec and Multiprotocol Label Switching (MPLS) integration
• Cisco Easy VPN
Cisco ASA 5500 Series Adaptive Security Appliances
[Diagram: a central site (intranet and extranet) connected over the Internet to a remote site, a remote user and a business-to-business partner]
• Flexible platform
• Resilient clustering
• Cisco Easy VPN
• Cisco IOS SSL VPN
• VPN infrastructure for contemporary applications
• Integrated web-based management
• Automatic Cisco VPN
IPsec Clients
• Certicom PDA IPsec VPN Client: a wireless client that is loaded on a PDA
• Cisco VPN Software Client: software loaded on a PC
• Router with firewall and VPN client: a network appliance that connects SOHO LANs to the VPN
• Cisco AnyConnect VPN Client: provides remote users with secure VPN connections
Hardware Acceleration Modules
• AIM
• Cisco IPsec VPN Shared Port Adapter (SPA)
• Cisco PIX VPN Accelerator Card+ (VAC+)
• Enhanced Scalable Encryption Processing (SEP-E)
GRE VPN Overview
Encapsulation
[Diagram: the original IP packet encapsulated with GRE]
Configuring a GRE Tunnel
Steps:
1. Create a tunnel interface
2. Assign the tunnel an IP address
3. Identify the source tunnel interface
4. Identify the destination of the tunnel
5. Configure what protocol GRE will encapsulate

R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 192.168.5.5
R1(config-if)# tunnel mode gre ip
R1(config-if)#

R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 192.168.3.3
R2(config-if)# tunnel mode gre ip
R2(config-if)#
Using GRE
[Flowchart: Is it IP user traffic only? No: use a GRE tunnel. Yes: is it unicast only? No: use a GRE tunnel. Yes: use an IPsec VPN.]
• GRE does not provide encryption.
IPsec Topology
[Diagram: a main site with an IPsec perimeter router, a legacy concentrator, a Cisco PIX and an ASA firewall, connected through an ISP POP to a business partner with a Cisco router, a regional office with a Cisco PIX firewall, a mobile worker with the Cisco VPN Client on a laptop computer, and a SOHO with a Cisco SDN/DSL router]
• Works at the network layer, protecting and authenticating IP packets.
  - It is a framework of open standards which is algorithm-independent.
  - It provides data confidentiality, data integrity, and origin authentication.
IPsec Framework
[Diagram: the IPsec framework building blocks, including the Diffie-Hellman group (DH7)]
Confidentiality
Encryption algorithms, from least secure to most secure:
• Key length: 56 bits (DES)
• Key length: 56 bits, applied 3 times (3DES)
• Key lengths: 128, 192 or 256 bits (AES)
• Key length: 160 bits
[Diagram: the IPsec framework with the confidentiality block highlighted; Diffie-Hellman DH7]
Integrity
Hash algorithms, from least secure to most secure:
• Key length: 128 bits (MD5)
• Key length: 160 bits (SHA-1)
[Diagram: the IPsec framework with the integrity block highlighted; Diffie-Hellman DH7]
Authentication
[Diagram: the IPsec framework with the authentication block highlighted; Diffie-Hellman DH7]
Pre-shared Key (PSK)
• At the local device, the authentication key and the identity information (device-specific information) are sent through a hash algorithm to form hash_I. One-way authentication is established by sending hash_I to the remote device. If the remote device can independently create the same hash, the local device is authenticated.
• The authentication process continues in the opposite direction. The remote device combines its identity information with the preshared-based authentication key and sends it through the hash algorithm to form hash_R. hash_R is sent to the local device. If the local device can independently create the same hash, the remote device is authenticated.
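The two-direction exchange described above, as an added example that is not part of the original deck. It uses HMAC-SHA-256 as the hash algorithm (the slide does not name one), the deck's sample keystring cisco123 as the PSK, and each peer's IP address from the later configuration slides as its identity information; all of those choices are assumptions for the demo. The second run shows what a key mismatch looks like: neither direction authenticates, and at no point does either side learn the other's key.

```python
import hashlib
import hmac

# Constructed demo values (not taken from the slides): each peer's identity
# information is its IP address; the PSK is the deck's sample keystring.
PSK = b"cisco123"
ID_LOCAL = b"172.30.1.2"    # identity information of the local device (R1)
ID_REMOTE = b"172.30.2.2"   # identity information of the remote device (R2)


def make_hash(key: bytes, identity: bytes) -> bytes:
    """Send the authentication key and identity information through a hash.

    HMAC-SHA-256 stands in for the keyed hash; the slide does not name one.
    """
    return hmac.new(key, identity, hashlib.sha256).digest()


def verify(key: bytes, identity: bytes, received: bytes) -> bool:
    """Independently recreate the hash and compare it in constant time."""
    return hmac.compare_digest(make_hash(key, identity), received)


def mutual_psk_authentication(local_key: bytes, remote_key: bytes):
    """Run both directions of the PSK exchange described on the slide.

    Returns (local_authenticated_by_remote, remote_authenticated_by_local).
    Each device only ever sees the other's hash, never the other's key.
    """
    # Direction 1: the local device forms hash_I and sends it; the remote
    # device recreates it from its own copy of the key.
    hash_I = make_hash(local_key, ID_LOCAL)
    local_authenticated = verify(remote_key, ID_LOCAL, hash_I)

    # Direction 2: the remote device forms hash_R and sends it back; the
    # local device recreates it from its own copy of the key.
    hash_R = make_hash(remote_key, ID_REMOTE)
    remote_authenticated = verify(local_key, ID_REMOTE, hash_R)

    return local_authenticated, remote_authenticated


if __name__ == "__main__":
    print("matching keys:  ", mutual_psk_authentication(PSK, PSK))
    print("mismatched keys:", mutual_psk_authentication(PSK, b"cisco1234"))
```

Because the hash binds the key to the sender's identity, a captured hash_I cannot be replayed as hash_R by the other side, and a peer that types the key wrong by one character (cisco1234 instead of cisco123) fails in both directions.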
RSA Signatures
• At the local device, the authentication key and identity information (device-specific information) are sent through the hash algorithm forming hash_I. hash_I is encrypted using the local device's private encryption key, creating a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is hash_I.
• Next, the remote device independently creates hash_I from stored information. If the calculated hash_I equals the decrypted hash_I, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated.
Secure Key Exchange
[Diagram: the IPsec framework with the Diffie-Hellman block highlighted; DH7]
IPsec Framework Protocols
Authentication Header (AH): all data is in plaintext. AH provides:
• Authentication
• Integrity
Encapsulating Security Payload (ESP): the data payload is encrypted. ESP provides:
• Encryption
• Authentication
• Integrity
Authentication Header
1. The IP Header and data payload are hashed IP Header + Data + Key R2 Hash IP HDR AH Data Authentication Data IP Header + Data + Key (00ABCDEF) 3. The new packet is Internet transmitted to the Hash IPSec peer router IP HDR AH Data Recomputed Received 2. The hash builds a new AH Hash = Hash header which is prepended (00ABCDEF) (00ABCDEF) R1 to the original packet 4. The peer router hashes the IP © 2009 Cisco Learning Institute. 32
ESP
[Diagram: the IPsec framework with the ESP protocol block highlighted; Diffie-Hellman DH7]
Function of ESP
[Diagram: a packet (IP HDR | Data) leaving one router crosses the Internet as New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth; the original IP header, data and ESP trailer are encrypted, and everything from the ESP header through the ESP trailer is authenticated]
• Provides confidentiality with encryption
• Provides integrity with authentication
Mode Types
Original data prior to selection of IPsec protocol mode: IP HDR | Data
Transport mode: IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth (Data and ESP Trailer encrypted; ESP HDR through ESP Trailer authenticated)
Tunnel mode: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth (IP HDR, Data and ESP Trailer encrypted; ESP HDR through ESP Trailer authenticated)
Security Associations
• IPsec parameters are configured using IKE.
IKE Phases
[Diagram: Host A (10.0.1.3) behind R1 and Host B (10.0.2.3) behind R2; R1 policy 10 and R2 policy 15 both specify DES, MD5, pre-share, DH1 and a lifetime]
IKE Phase 1 exchange:
1. Negotiate IKE policy sets
2. DH key exchange
3. Verify the peer identity
IKE Phase 2 exchange:
• Negotiate IPsec policy
IKE Phase 1: First Exchange (Negotiate IKE Proposals)
[Diagram: R1 (Host A 10.0.1.3) offers policy 10 (DES, MD5, pre-share, DH1, lifetime); R2 (Host B 10.0.2.3) holds IKE policy sets 15 (DES, MD5, pre-share, DH1, lifetime) and 20 (3DES, SHA, pre-share, DH1, lifetime)]
• Negotiates matching IKE policies to protect the IKE exchange.
IKE Phase 1: Second Exchange (Establish DH Key)
Alice: private value XA, public value YA = g^XA mod p
Bob: private value XB, public value YB = g^XB mod p
Alice sends YA to Bob; Bob sends YB to Alice.
Alice computes (YB)^XA mod p = K; Bob computes (YA)^XB mod p = K.
• A DH exchange is performed to establish keying material.
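The exchange above carried through in code, as an added example that is not part of the original deck. It keeps the slide's symbols (XA, XB, YA, YB, g, p, K) and uses a constructed toy modulus, 2^127 - 1, which is a Mersenne prime but far smaller than the 768-, 1024- and 1536-bit moduli of IKE groups 1, 2 and 5 listed later in the ISAKMP parameter table; the modulus, generator and private values are demo assumptions. Only YA and YB ever cross the wire, and both sides still arrive at the same K.

```python
import secrets


def dh_public(g: int, x: int, p: int) -> int:
    """Public value Y = g^X mod p for the private value X."""
    return pow(g, x, p)


def dh_shared(y_peer: int, x: int, p: int) -> int:
    """Shared secret K = (Y_peer)^X mod p."""
    return pow(y_peer, x, p)


def dh_exchange(p: int, g: int, XA: int, XB: int):
    """Run the slide's exchange with explicit private values.

    Returns (YA, YB, KA, KB): the two public values that cross the wire and
    the secret each side derives; KA and KB must be equal.
    """
    YA = dh_public(g, XA, p)    # Alice computes YA = g^XA mod p and sends it
    YB = dh_public(g, XB, p)    # Bob computes YB = g^XB mod p and sends it
    KA = dh_shared(YB, XA, p)   # Alice: (YB)^XA mod p
    KB = dh_shared(YA, XB, p)   # Bob:   (YA)^XB mod p
    return YA, YB, KA, KB


def dh_exchange_random(p: int, g: int):
    """The same exchange with fresh random private values in [1, p-2]."""
    XA = 1 + secrets.randbelow(p - 2)
    XB = 1 + secrets.randbelow(p - 2)
    return dh_exchange(p, g, XA, XB)


# Toy parameters constructed for the demo: 2^127 - 1 is a Mersenne prime,
# but real IKE uses group 1, 2 or 5 (768-, 1024- or 1536-bit moduli).
P_TOY = 2**127 - 1
G_TOY = 3

if __name__ == "__main__":
    YA, YB, KA, KB = dh_exchange_random(P_TOY, G_TOY)
    print("on the wire: YA =", YA, "YB =", YB)
    print("shared secret agrees:", KA == KB)
```

The fixed-value call in the test uses the textbook parameters p = 23, g = 5, XA = 6, XB = 15, for which the public values are 8 and 19 and the shared secret is 2; these values are recomputable by hand and make a useful check that the exponent and modulus are in the right places.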
IKE Phase 1: Third Exchange (Authenticate Peer)
[Diagram: a remote office and the corporate office (HR servers) authenticating each other across the Internet]
Peer authentication methods:
• PSKs
• RSA signatures
• RSA encrypted nonces
A bidirectional IKE SA is now established.
IKE Phase 1: Aggressive Mode
[Diagram: Host A (10.0.1.3) behind R1 with policy 10 and Host B (10.0.2.3) behind R2 with policy 15, both DES, MD5, pre-share, DH1, lifetime]
IKE Phase 1 aggressive mode exchange:
1. R1 sends its IKE policy set and R1's DH key.
2. R2 confirms the IKE policy set, calculates the shared secret and sends R2's DH key.
3. R1 calculates the shared secret, verifies the peer identity, and confirms with the peer.
4. R2 authenticates the peer and begins Phase 2.
IKE Phase 2 exchange:
• Negotiate IPsec policy
IKE Phase 2
[Diagram: R1 and R2 negotiate IPsec security parameters on behalf of Host A (10.0.1.3) and Host B (10.0.2.3)]
• IKE negotiates matching IPsec policies.
• Upon completion, unidirectional IPsec Security Associations (SAs) are established for each protocol and algorithm combination.
IPsec VPN Negotiation
[Diagram: Host A (10.0.1.3), R1, R2 and Host B (10.0.2.3)]
1. Host A sends interesting traffic to Host B.
2. R1 and R2 negotiate an IKE Phase 1 session (IKE SA).
3. R1 and R2 negotiate an IKE Phase 2 session (IPsec SA).
4. Information is exchanged via the IPsec tunnel.
5. The IPsec tunnel is terminated.
Configuring IPsec
Tasks to configure IPsec:
Task 1: Ensure that ACLs are compatible with IPsec.
Task 2: Create ISAKMP (IKE) policy.
Task 3: Configure IPsec transform set.
Task 4: Create a crypto ACL.
Task 5: Create and apply the crypto map.
Task 1: Configure Compatible ACLs
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 S0/0/0 172.30.1.2 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 S0/0/0 172.30.2.2, connected over the Internet; AH, ESP and IKE traffic flows between the routers]
• Ensure that protocol 50 (ESP), protocol 51 (AH) and UDP port 500 (ISAKMP) traffic are not blocked by incoming ACLs on interfaces used by IPsec.
Permitting Traffic
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 S0/0/0 172.30.1.2 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 S0/0/0 172.30.2.2; AH, ESP and IKE traffic between the routers]
R1(config)# access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
R1(config)# access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1(config)#
R1(config)# interface Serial0/0/0
R1(config-if)# ip address 172.30.1.2 255.255.255.0
R1(config-if)# ip access-group 102 in
!
R1(config)# exit
R1#
R1# show access-lists
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
R1#
Task 2: Configure IKE
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2, with a tunnel across the Internet; policy 110: DES, MD5, preshare, 86400, DH1]
router(config)# crypto isakmp policy priority
Defines the parameters within the IKE policy.
R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption des
R1(config-isakmp)# group 1
R1(config-isakmp)# hash md5
R1(config-isakmp)# lifetime 86400
ISAKMP Parameters
• encryption (message encryption algorithm); default: des
  - des: 56-bit Data Encryption Standard
  - 3des: Triple DES
  - aes: 128-bit AES
  - aes 192: 192-bit AES
  - aes 256: 256-bit AES
• hash (message integrity (hash) algorithm); default: sha
  - sha: SHA-1 (HMAC variant)
  - md5: MD5 (HMAC variant)
• authentication (peer authentication method); default: rsa-sig
  - pre-share: preshared keys
  - rsa-encr: RSA encrypted nonces
  - rsa-sig: RSA signatures
• group (key exchange parameters, DH group identifier); default: 1
  - 1: 768-bit Diffie-Hellman (DH)
  - 2: 1024-bit DH
  - 5: 1536-bit DH
• lifetime (ISAKMP-established SA lifetime); default: 86,400 seconds (one day)
  - seconds: can specify any number of seconds
Multiple Policies
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2, across the Internet]
R1(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication pre-share

R2(config)#
crypto isakmp policy 100
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 hash sha
 authentication rsa-sig
!
crypto isakmp policy 300
 hash md5
 authentication rsa-sig
Policy Negotiations
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2, with a tunnel across the Internet; policy 110: preshare, 3DES, SHA, DH2, 43200]
R1 attempts to establish a VPN tunnel with R2 and sends its IKE policy parameters. R2 must have an ISAKMP policy configured with the same parameters.
R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200

R2(config)# crypto isakmp policy 100
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200
Crypto ISAKMP Key
router(config)# crypto isakmp key keystring address peer-address
router(config)# crypto isakmp key keystring hostname hostname
Parameters:
• keystring: This parameter specifies the PSK. Use any combination of alphanumeric characters up to 128 bytes. This PSK must be identical on both peers.
• peer-address: This parameter specifies the IP address of the remote peer.
• hostname: This parameter specifies the hostname of the remote peer. This is the peer hostname concatenated with its domain name (for example, myhost.domain.com).
• The peer-address or peer-hostname can be used, but must be used consistently between peers.
• If the peer-hostname is used, then the crypto isakmp identity hostname command must also be configured.
Sample Configuration
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2, across the Internet]
R1(config)# crypto isakmp policy 110
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# hash sha
R1(config-isakmp)# lifetime 43200
R1(config-isakmp)# exit
R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)#

R2(config)# crypto isakmp policy 110
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# group 2
R2(config-isakmp)# hash sha
R2(config-isakmp)# lifetime 43200
R2(config-isakmp)# exit
R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)#

Note:
• The keystring cisco123 matches on both peers.
• The address identity method is specified.
• The ISAKMP policies are compatible.
• Default values do not have to be configured.
Task 3: Configure the Transform Set
router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3]
crypto ipsec transform-set parameters:
• transform-set-name: This parameter specifies the name of the transform set to create (or modify).
• transform1, transform2, transform3: Type of transform set. You may specify up to four "transforms": one Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication. These transforms define the IP Security (IPsec) security protocols and algorithms.
A transform set is a combination of IPsec transforms that enact a security policy for traffic.
Transform Sets
[Diagram: Host A (10.0.1.3) behind R1 (172.30.1.2) and Host B (10.0.2.3) behind R2 (172.30.2.2), across the Internet; attempts 1 to 9 pair each R1 set with each R2 set in turn]
R1 transform sets:
• transform-set ALPHA: esp-3des, tunnel
• transform-set BETA: esp-des, esp-md5-hmac, tunnel
• transform-set CHARLIE: esp-3des, esp-sha-hmac, tunnel
R2 transform sets:
• transform-set RED: esp-des, tunnel
• transform-set BLUE: esp-des, ah-sha-hmac, tunnel
• transform-set YELLOW: esp-3des, esp-sha-hmac, tunnel
• Transform sets are negotiated during IKE Phase 2.
• The 9th attempt found matching transform sets (CHARLIE - YELLOW).
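Both negotiations the deck walks through, the ISAKMP policy matching of the "Multiple Policies" and "Policy Negotiations" slides and the transform-set matching above, follow the same pattern: try the proposals in priority order and stop at the first match. The example below is added here and is not code from the deck. It fills in unspecified ISAKMP parameters with the defaults from the ISAKMP parameter table, and it applies the lifetime rule as Cisco documents it for IKE (a proposed lifetime matches when it is no longer than the responder's, and the shorter value is then used); the function and data-structure names are assumptions for the demo.

```python
from itertools import product

# Default ISAKMP values from the deck's parameter table; a policy that omits
# a parameter is negotiated with the default.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha",
                   "authentication": "rsa-sig", "group": 1, "lifetime": 86400}


def isakmp_match(proposed: dict, mine: dict) -> bool:
    """IKE Phase 1 match as the responder applies it: encryption, hash,
    authentication and DH group must be identical, and the proposed lifetime
    must not exceed the responder's (the shorter lifetime is then used)."""
    a = {**ISAKMP_DEFAULTS, **proposed}
    b = {**ISAKMP_DEFAULTS, **mine}
    same = all(a[k] == b[k] for k in ("encryption", "hash", "authentication", "group"))
    return same and a["lifetime"] <= b["lifetime"]


def transform_match(proposed: dict, mine: dict) -> bool:
    """IKE Phase 2: transform sets match only with identical transforms and mode."""
    return (set(proposed["transforms"]) == set(mine["transforms"])
            and proposed["mode"] == mine["mode"])


def negotiate(initiator_sets, responder_sets, match):
    """Walk every (initiator, responder) pair in priority order and return the
    1-based attempt number plus both names on the first match, else None."""
    pairs = product(initiator_sets, responder_sets)
    for attempt, ((iname, iset), (rname, rset)) in enumerate(pairs, 1):
        if match(iset, rset):
            return attempt, iname, rname
    return None


# Policies from the "Multiple Policies" slide (priority, parameters set).
R1_ISAKMP = [(100, {"hash": "md5", "authentication": "pre-share"}),
             (200, {"hash": "sha", "authentication": "rsa-sig"}),
             (300, {"hash": "md5", "authentication": "pre-share"})]
R2_ISAKMP = [(100, {"hash": "md5", "authentication": "pre-share"}),
             (200, {"hash": "sha", "authentication": "rsa-sig"}),
             (300, {"hash": "md5", "authentication": "rsa-sig"})]

# Transform sets from the "Transform Sets" slide, in configured order.
R1_TRANSFORM_SETS = [
    ("ALPHA",   {"transforms": ["esp-3des"], "mode": "tunnel"}),
    ("BETA",    {"transforms": ["esp-des", "esp-md5-hmac"], "mode": "tunnel"}),
    ("CHARLIE", {"transforms": ["esp-3des", "esp-sha-hmac"], "mode": "tunnel"}),
]
R2_TRANSFORM_SETS = [
    ("RED",    {"transforms": ["esp-des"], "mode": "tunnel"}),
    ("BLUE",   {"transforms": ["esp-des", "ah-sha-hmac"], "mode": "tunnel"}),
    ("YELLOW", {"transforms": ["esp-3des", "esp-sha-hmac"], "mode": "tunnel"}),
]

if __name__ == "__main__":
    print("Phase 1:", negotiate(R1_ISAKMP, R2_ISAKMP, isakmp_match))
    print("Phase 2:", negotiate(R1_TRANSFORM_SETS, R2_TRANSFORM_SETS, transform_match))
```

Run against the slide data, Phase 1 matches on the first attempt (policy 100 on both routers, because the unspecified encryption, group and lifetime all default identically), and Phase 2 needs nine attempts before CHARLIE pairs with YELLOW, which is the count the slide gives. Removing YELLOW from R2 makes the negotiation return None, the condition behind a tunnel that never comes up.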
Sample Configuration
[Diagram: Site 1 (host A 10.0.1.3) behind R1 172.30.1.2 and Site 2 (host B 10.0.2.3) behind R2 172.30.2.2, across the Internet]
R1(config)# crypto isakmp key cisco123 address 172.30.2.2
R1(config)# crypto ipsec transform-set MYSET esp-aes 128
R1(cfg-crypto-trans)# exit
R1(config)#

R2(config)# crypto isakmp key cisco123 address 172.30.1.2
R2(config)# crypto ipsec transform-set OTHERSET esp-aes 128
R2(cfg-crypto-trans)# exit

Note:
• Peers must share the same transform set settings.
• Names are only locally significant.
Task 4: Configure the Crypto ACLs
[Diagram: Host A behind R1 facing the Internet. Outbound traffic: a permit entry means encrypt, a deny entry means bypass (plaintext). Inbound traffic: a permit entry means discard, a deny entry means bypass (plaintext).]
• Outbound indicates the data flow to be protected by IPsec.
• Inbound filters and discards traffic that should have been protected by IPsec.
Command Syntax
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 S0/0/0 172.30.1.2 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 S0/0/0 172.30.2.2, across the Internet]
router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
access-list parameters:
• permit: This option causes all IP traffic that matches the specified conditions to be protected by cryptography, using the policy described by the corresponding crypto map entry.
• deny: This option instructs the router to route traffic in plaintext.
• protocol: This option specifies which traffic to protect by cryptography based on the protocol, such as TCP, UDP, or ICMP. If the protocol is IP, then all IP traffic that matches that permit statement is encrypted.
• source and destination: If the ACL statement is a permit statement, these are the networks, subnets, or hosts between which traffic should be protected. If the ACL statement is a deny statement, then the traffic between the specified source and destination is sent in plaintext.
Symmetric Crypto ACLs
[Diagram: Site 1 (10.0.1.0/24, host 10.0.1.3) behind R1 S0/0/0 172.30.1.2 and Site 2 (10.0.2.0/24, host 10.0.2.3) behind R2 S0/0/0 172.30.2.2, across the Internet]
Applied to R1 S0/0/0 outbound traffic:
R1(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
(when evaluating inbound traffic: source 10.0.2.0, destination 10.0.1.0)
Applied to R2 S0/0/0 outbound traffic:
R2(config)# access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
(when evaluating inbound traffic: source 10.0.1.0, destination 10.0.2.0)
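Two of the configuration checks in this section lend themselves to a script: Task 1's requirement that the inbound ACL permit AH, ESP and ISAKMP from the peer ("Permitting Traffic" slide), and Task 4's requirement that the two crypto ACLs mirror each other (this slide). The example below is added here and is not code from the deck; it parses the access-list lines the slides show, reports which IPsec flows an inbound ACL would still block, and confirms that two crypto ACLs are symmetric. The parser handles only the two-token address form the slides use (host X, or network plus wildcard); the function names and the deliberately wrong R2 line are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    number: int
    action: str      # "permit" or "deny"
    protocol: str    # ahp, esp, udp, tcp, ip, ...
    src: str         # "host 172.30.2.2" or "10.0.1.0 0.0.0.255"
    dst: str
    port: str = ""   # trailing qualifier such as "eq isakmp"


def parse_acl(line: str) -> AclEntry:
    """Parse a numbered IOS access-list line of the shapes used on the slides:
    source and destination are each two tokens ("host X" or "net wildcard"),
    optionally followed by a port qualifier."""
    t = line.split()
    if len(t) < 8 or t[0] != "access-list":
        raise ValueError(f"unsupported access-list line: {line!r}")
    return AclEntry(int(t[1]), t[2], t[3],
                    " ".join(t[4:6]), " ".join(t[6:8]), " ".join(t[8:]))


def missing_ipsec_permits(entries, peer: str, local: str):
    """Task 1 check: which of AH (protocol 51), ESP (protocol 50) and ISAKMP
    (UDP 500) from the peer to this router's interface are NOT permitted."""
    required = {"ahp": "", "esp": "", "udp": "eq isakmp"}
    missing = []
    for proto, port in required.items():
        permitted = any(
            e.action == "permit"
            and e.src == f"host {peer}" and e.dst == f"host {local}"
            and (e.protocol == "ip" or (e.protocol == proto and e.port == port))
            for e in entries)
        if not permitted:
            missing.append(proto)
    return missing


def is_mirror(local, remote) -> bool:
    """Task 4 check: every permit in one router's crypto ACL must appear in
    the peer's crypto ACL with source and destination swapped, and vice versa."""
    local_flows = {(e.protocol, e.src, e.dst, e.port) for e in local if e.action == "permit"}
    remote_flows = {(e.protocol, e.dst, e.src, e.port) for e in remote if e.action == "permit"}
    return local_flows == remote_flows


# Lines from the "Permitting Traffic" slide (R1's inbound ACL 102).
R1_ACL_102 = [parse_acl(l) for l in (
    "access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2",
    "access-list 102 permit esp host 172.30.2.2 host 172.30.1.2",
    "access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp",
)]

# Crypto ACLs from the "Symmetric Crypto ACLs" slide.
R1_CRYPTO_110 = [parse_acl("access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255")]
R2_CRYPTO_101 = [parse_acl("access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255")]

# Constructed misconfiguration: R2 names the wrong destination network.
R2_CRYPTO_WRONG = [parse_acl("access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255")]

if __name__ == "__main__":
    print("IPsec flows still blocked on R1:",
          missing_ipsec_permits(R1_ACL_102, "172.30.2.2", "172.30.1.2"))
    print("crypto ACLs mirror:", is_mirror(R1_CRYPTO_110, R2_CRYPTO_101))
    print("misconfigured ACLs mirror:", is_mirror(R1_CRYPTO_110, R2_CRYPTO_WRONG))
```

With the slide's three permit lines nothing is blocked; drop the udp line and the check names isakmp (udp) as the flow that would stop IKE Phase 1 before any tunnel exists. The mirror check treats the peer's entries as the same flows seen from the other end, which is exactly the symmetry the slide's parenthetical notes describe.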
Task 5: Apply the Crypto Map
[Diagram: Site 1 (10.0.1.3) behind R1 and Site 2 (10.0.2.3) behind R2 across the Internet; the crypto map is applied to a router interface or subinterface and governs the encrypted traffic]
Crypto maps define the following:
• ACL to be used
• Remote VPN peers
• Transform set to be used
• Key management method
• SA lifetimes
Crypto Map Command
router(config)# crypto map map-name seq-num ipsec-manual
router(config)# crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name]
crypto map parameters:
• map-name: Defines the name assigned to the crypto map set or indicates the name of the crypto map to edit.
• seq-num: The number assigned to the crypto map entry.
• ipsec-manual: Indicates that ISAKMP will not be used to establish the IPsec SAs.
• ipsec-isakmp: Indicates that ISAKMP will be used to establish the IPsec SAs.
• cisco: (Default value) Indicates that CET will be used instead of IPsec for protecting the traffic.
• dynamic: (Optional) Specifies that this crypto map entry references a preexisting static crypto map. If this keyword is used, none of the crypto map configuration commands are available.
• dynamic-map-name: (Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.
Crypto Map Configuration Mode Commands
• set: Used with the peer, pfs, transform-set, and security-association commands.
• peer [hostname | ip-address]: Specifies the allowed IPsec peer by IP address or hostname.
• pfs [group1 | group2]: Specifies DH Group 1 or Group 2.
• transform-set [set_name(s)]: Specifies a list of transform sets in priority order. When the ipsec-manual parameter is used with the crypto map command, only one transform set can be defined. When the ipsec-isakmp parameter or the dynamic parameter is used with the crypto map command, up to six transform sets can be specified.
• security-association lifetime: Sets SA lifetime parameters in seconds or kilobytes.
• match address [access-list-id | name]: Identifies the extended ACL by its name or number. The value should match the access-list-number or name argument of a previously defined IP extended ACL being matched.
• no: Used to delete commands entered with the set command.
• exit: Exits crypto map configuration mode.
Sample Configuration
(Diagram: Site 1 10.0.1.0/24 with host 10.0.1.3 behind R1 S0/0/0; Site 2 10.0.2.0/24 with host 10.0.2.3 behind R2 S0/0/0 172.30.2.2; a second peer R3 S0/0/0 172.30.3.2; all connected across the Internet.)
R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer 172.30.2.2 default
R1(config-crypto-map)# set peer 172.30.3.2
R1(config-crypto-map)# set pfs group1
R1(config-crypto-map)# set transform-set mine
R1(config-crypto-map)# set security-association lifetime seconds 86400
Multiple peers can be specified for redundancy.
Assign the Crypto Map Set
(Diagram: Site 1 10.0.1.0/24, host 10.0.1.3, R1 S0/0/0 172.30.1.2; Site 2 10.0.2.0/24, host 10.0.2.3, R2 S0/0/0 172.30.2.2; crypto map MYMAP is applied on R1's S0/0/0 facing the Internet.)
router(config-if)# crypto map map-name
R1(config)# interface serial0/0/0
R1(config-if)# crypto map MYMAP
• Applies the crypto map to the outgoing interface
• Activates the IPsec policy
CLI Commands
• show crypto map: Displays configured crypto maps
• show crypto isakmp policy: Displays configured IKE policies
• show crypto ipsec sa: Displays established IPsec tunnels
• show crypto ipsec transform-set: Displays configured IPsec transform sets
• debug crypto isakmp: Debugs IKE events
• debug crypto ipsec: Debugs IPsec events
show crypto map
(Diagram: Site 1 10.0.1.0/24, host 10.0.1.3, R1 S0/0/0 172.30.1.2; Site 2 10.0.2.0/24, host 10.0.2.3, R2 S0/0/0 172.30.2.2; connected across the Internet.)
router# show crypto map
Displays the currently configured crypto maps
R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 110
            access-list 102 permit ip host 10.0.1.3 host 10.0.2.3
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MYSET, }
show crypto isakmp policy
(Diagram: Site 1 10.0.1.0/24, host 10.0.1.3, R1 S0/0/0 172.30.1.2; Site 2 10.0.2.0/24, host 10.0.2.3, R2 S0/0/0 172.30.2.2; connected across the Internet.)
router# show crypto isakmp policy
R1# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   3DES - Data Encryption Standard (168 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  preshared
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
show crypto ipsec transform-set
(Diagram: Site 1 10.0.1.0/24, host 10.0.1.3, R1 S0/0/0 172.30.1.2; Site 2 10.0.2.0/24, host 10.0.2.3, R2 S0/0/0 172.30.2.2; connected across the Internet.)
router# show crypto ipsec transform-set
Displays the currently defined transform sets
R1# show crypto ipsec transform-set
Transform set AES_SHA: { esp-128-aes esp-sha-hmac }
   will negotiate = { Tunnel, },
show crypto ipsec sa
(Diagram: Site 1 10.0.1.0/24, host 10.0.1.3, R1 S0/0/0 172.30.1.2; Site 2 10.0.2.0/24, host 10.0.2.3, R2 S0/0/0 172.30.2.2; connected across the Internet.)
R1# show crypto ipsec sa
Interface: Serial0/0/0
   Crypto map tag: MYMAP, local addr. 172.30.1.2
   local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
   current_peer: 172.30.2.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 8AE1C9C
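The counters in the show crypto ipsec sa output above are the first thing a practitioner reads when a tunnel is up but traffic does not flow. The following Python script is an added example, not code from the slides or from Cisco: it parses output laid out like the display above and classifies each SA from its encaps/decaps and error counters. The sample text is constructed; its first block repeats the slide's counters, and its second block, toward the hypothetical peer 172.30.3.2, shows packets leaving with none coming back.

```python
"""Classify IPsec SA health from "show crypto ipsec sa" counters.

Added example; not code from the CCNA Security slides or from Cisco. The
sample output is constructed in the layout the slide shows. The verdict rule
is this example's own troubleshooting heuristic: packets encapsulated but none
decapsulated means traffic leaves the router and nothing returns (a one-way
tunnel, usually the peer's crypto ACL, routing, or a filter between the peers).
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class IpsecSa:
    crypto_map: str
    local: str
    remote: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    spi: str

    def verdict(self) -> str:
        if self.send_errors or self.recv_errors:
            return "ERRORS"
        if self.encaps and not self.decaps:
            return "ONE-WAY"
        if not self.encaps and not self.decaps:
            return "IDLE"
        return "OK"


# One regex per field; each is searched inside a single "Crypto map tag:" block.
_PATTERNS = {
    "crypto_map": r"Crypto map tag: (\S+?),",
    "local": r"local crypto endpt\.: (\S+?),",
    "remote": r"remote crypto endpt\.: (\S+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
    "spi": r"current outbound spi: (\S+)",
}


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Return one IpsecSa per 'Crypto map tag:' block in the output."""
    results = []
    for block in re.split(r"(?=Crypto map tag:)", text):
        if "Crypto map tag:" not in block:
            continue  # banner text before the first SA block
        fields = {}
        for name, pat in _PATTERNS.items():
            m = re.search(pat, block)
            if not m:
                raise ValueError(f"missing {name!r} in SA block")
            fields[name] = m.group(1)
        for name in ("encaps", "decaps", "send_errors", "recv_errors"):
            fields[name] = int(fields[name])
        results.append(IpsecSa(**fields))
    return results


# Constructed sample: the first SA reproduces the slide's counters, the second
# (hypothetical peer 172.30.3.2, constructed SPI) sends but never receives.
SAMPLE = """\
R1# show crypto ipsec sa
Interface: Serial0/0/0
   Crypto map tag: MYMAP, local addr. 172.30.1.2
   local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.30.2.2/255.255.255.255/0/0)
   current_peer: 172.30.2.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 21, #pkts encrypt: 21, #pkts digest 0
    #pkts decaps: 21, #pkts decrypt: 21, #pkts verify 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.2.2
     current outbound spi: 8AE1C9C
   Crypto map tag: MYMAP, local addr. 172.30.1.2
   local ident (addr/mask/prot/port): (172.30.1.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.30.3.2/255.255.255.255/0/0)
   current_peer: 172.30.3.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 172.30.1.2, remote crypto endpt.: 172.30.3.2
     current outbound spi: 1F2E3D4C
"""


def summarize(text: str) -> List[str]:
    """One human-readable line per SA, verdict first."""
    return [f"{sa.crypto_map} {sa.local} -> {sa.remote}: {sa.verdict()} "
            f"(encaps {sa.encaps}, decaps {sa.decaps}, spi {sa.spi})"
            for sa in parse_ipsec_sa(text)]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

A single snapshot only says whether anything has ever come back; in practice the command is run twice a few seconds apart while interesting traffic is generated, and the verdict is taken from the difference in counters.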
debug crypto isakmp
router# debug crypto isakmp
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 172.30.2.2
• This is an example of the Main Mode error message.
• The failure of Main Mode suggests that the Phase I policy does not match on both sides.
• Verify that the Phase I policy is on both peers and ensure that all the attributes match.
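The slide above says a Main Mode failure usually means the Phase I policies do not match, and the editor's note at the end of the deck adds that policy numbers are only locally significant. As an added example (not code from the slides or from Cisco), the following Python script parses output in the layout of the show crypto isakmp policy display shown earlier and applies the matching rule Cisco documents: encryption, hash, authentication method and DH group must be identical, and the initiator's lifetime must not exceed the responder's. It also flags weak attributes of whichever policy matched. R1's output mirrors the slide; R2 and R3 are constructed, hypothetical peers.

```python
"""Check whether two routers' IKE Phase 1 (ISAKMP) policies can agree.

Added example; not code from the CCNA Security slides or from Cisco. It parses
text laid out like the slides' "show crypto isakmp policy" output (all samples
below are constructed) and applies the matching rule: encryption, hash,
authentication method and DH group must be identical, and the initiator's
lifetime must be <= the responder's. Priority numbers are local and ignored.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: str    # "110", or "default" for the built-in suite
    encryption: str  # normalised to NAME-KEYBITS, e.g. "3DES-168"
    hash_alg: str    # as printed, e.g. "Secure Hash Standard"
    auth: str        # as printed, e.g. "preshared"
    dh_group: int
    lifetime: int    # seconds


_HEADER = re.compile(r"^(?:Protection suite of priority (\d+)|Default protection suite)$")
_FIELD = re.compile(r"^(encryption algorithm|hash algorithm|authentication method|"
                    r"Diffie-Hellman group|lifetime):\s*(.+?)\s*$")


def _build(f: Dict[str, str]) -> IsakmpPolicy:
    enc = re.match(r"(\w+).*?\((\d+) bit keys\)", f["encryption algorithm"])
    grp = re.search(r"#(\d+)", f["Diffie-Hellman group"])
    life = re.search(r"(\d+)\s*seconds", f["lifetime"])
    if not (enc and grp and life):
        raise ValueError(f"unparsable policy block: {f}")
    return IsakmpPolicy(f["priority"], f"{enc.group(1).upper()}-{enc.group(2)}",
                        f["hash algorithm"], f["authentication method"],
                        int(grp.group(1)), int(life.group(1)))


def parse_isakmp_policies(text: str) -> List[IsakmpPolicy]:
    """Return policies in the order IOS prints them: by priority, default last."""
    policies: List[IsakmpPolicy] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = _HEADER.match(line)
        if header:
            if current:
                policies.append(_build(current))
            current = {"priority": header.group(1) or "default"}
            continue
        field = _FIELD.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    if current:
        policies.append(_build(current))
    return policies


def find_match(initiator: List[IsakmpPolicy], responder: List[IsakmpPolicy]
               ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy]]:
    """First (initiator, responder) policy pair the responder would accept, or None."""
    for r in responder:      # responder walks its own policies, highest priority first,
        for i in initiator:  # against every proposal the initiator sent
            same_suite = (i.encryption, i.hash_alg, i.auth, i.dh_group) == (
                r.encryption, r.hash_alg, r.auth, r.dh_group)
            if same_suite and i.lifetime <= r.lifetime:
                return i, r
    return None


def weak_attributes(p: IsakmpPolicy) -> List[str]:
    """Attributes a reviewer would flag; the thresholds are this example's own."""
    findings = []
    if p.encryption.startswith("DES-"):
        findings.append("single DES")
    if "MD5" in p.hash_alg.upper() or "MESSAGE DIGEST" in p.hash_alg.upper():
        findings.append("MD5 hash")
    if p.dh_group <= 2:
        findings.append(f"DH group {p.dh_group}")
    return findings


# Constructed sample outputs: R1 mirrors the slide; R2 and R3 are hypothetical peers.
R1_POLICY = """\
Protection suite of priority 110
        encryption algorithm:   3DES - Data Encryption Standard (168 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  preshared
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""
# R2 runs AES at priority 10, so only the two weak default suites can agree.
R2_POLICY = R1_POLICY.replace("priority 110", "priority 10").replace(
    "3DES - Data Encryption Standard (168", "AES - Advanced Encryption Standard (128"
).replace("86400 seconds", "28800 seconds", 1)
# R3 has R1's suite with a shorter lifetime and no default suite (isolates the lifetime rule).
R3_POLICY = R1_POLICY.split("Default protection suite")[0].replace(
    "priority 110", "priority 10").replace("86400 seconds", "28800 seconds")

if __name__ == "__main__":
    r1, r2, r3 = (parse_isakmp_policies(t) for t in (R1_POLICY, R2_POLICY, R3_POLICY))
    print(find_match(r1, r2), weak_attributes(r1[1]))  # agree only on the weak default suite
    print(find_match(r1, r3), find_match(r3, r1))      # the lifetime rule is asymmetric
```

Two things the output makes visible: in this attribute-level model R1 and R2 still agree, but only on the default suite (single DES, RSA signatures, group 1), so a successful match should always be read together with its weak-attribute findings; and the lifetime rule is asymmetric, so a tunnel that only comes up when one side initiates is a symptom of a lifetime mismatch rather than of a wrong cipher.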
Starting a VPN Wizard
1. Click Configure in the main toolbar
2. Click the VPN button to open the VPN page
3. Choose a wizard (wizards for IPsec solutions, including types of VPNs and individual IPsec components)
4. Click the VPN implementation subtype (VPN implementation subtypes vary based on the VPN wizard chosen)
5. Click the Launch the Selected Task button
VPN Components
(Screenshot of the VPN components tree:)
• VPN Wizards
• VPN Components: individual IPsec components used to build VPNs
• SSL VPN parameters
• Easy VPN server parameters
• Public key certificate parameters
• Encrypt VPN passwords
Configuring a Site-to-Site VPN
1. Choose Configure > VPN > Site-to-Site VPN
2. Click Create a Site-to-Site VPN
3. Click the Launch the Selected Task button
Site-to-Site VPN Wizard
Choose the wizard mode. Click Next to proceed to the configuration of parameters.
Quick Setup
Configure the parameters:
• Interface to use
• Peer identity information
• Authentication method
• Traffic to encrypt
Verify Parameters
Step-by-Step Wizard
1. Choose the outside interface that is used to connect to the IPSec peer
2. Specify the IP address of the peer
3. Choose the authentication method and specify the credentials
4. Click Next
Creating a Custom IKE Proposal
1. Click Add to define a proposal
2. Make the selections to configure the IKE policy and click OK
3. Click Next
Creating a Custom IPSec Transform Set
1. Click Add
2. Define and specify the transform set name, integrity algorithm, encryption algorithm, mode of operation and optional compression
3. Click Next
Protecting Traffic Subnet to Subnet
1. Click Protect All Traffic Between the Following Subnets
2. Define the IP address and subnet mask of the local network
3. Define the IP address and subnet mask of the remote network
Protecting Traffic Custom ACL
1. Click the Create/Select an Access-List for IPSec Traffic radio button
2. Click the ellipsis button to choose an existing ACL or create a new one
3. To use an existing ACL, choose the Select an Existing Rule (ACL) option. To create a new ACL, choose the Create a New Rule (ACL) and Select option
Add a Rule
1. Give the access rule a name and description
2. Click Add
Configuring a New Rule Entry
1. Choose an action and enter a description of the rule entry
2. Define the source hosts or networks in the Source Host/Network pane and the destination hosts or networks in the Destination Host/Network pane
3. (Optional) To provide protection for specific protocols, choose the specific protocol radio button and the desired port numbers
Configuration Summary
• Click Back to modify the configuration.
• Click Finish to complete the configuration.
Verify VPN Configuration
Choose Configure > VPN > Site-to-Site VPN > Edit Site-to-Site VPN
• Check VPN status.
• Create a mirroring configuration if no Cisco SDM is available on the peer.
• Test the VPN configuration.
Monitor
Choose Monitor > VPN Status > IPSec Tunnels
Lists all IPsec tunnels, their parameters, and status.
Telecommuting
• Flexibility in working location and working hours
• Employers save on real estate, utility and other overhead costs
• Succeeds if the program is voluntary, subject to management discretion, and operationally feasible
Telecommuting Benefits
• Organizational benefits:
- Continuity of operations
- Increased responsiveness
- Secure, reliable, and manageable access to information
- Cost-effective integration of data, voice, video, and applications
- Increased employee productivity, satisfaction, and retention
• Social benefits:
- Increased employment opportunities for marginalized groups
- Less travel and commuter-related stress
• Environmental benefits:
- Reduced carbon footprints, both for individual workers and organizations
Implementing Remote Access
Methods for Deploying Remote Access
(Diagram: IPsec Remote Access VPN and SSL-Based VPN, offering any application, anywhere access.)
Comparison of SSL and IPSec
• Applications: SSL: Web-enabled applications, file sharing, e-mail. IPsec: All IP-based applications.
• Encryption: SSL: Moderate; key lengths from 40 bits to 128 bits. IPsec: Stronger; key lengths from 56 bits to 256 bits.
• Authentication: SSL: Moderate; one-way or two-way authentication. IPsec: Strong; two-way authentication using shared secrets or digital certificates.
• Ease of Use: SSL: Very high. IPsec: Moderate; can be challenging to nontechnical users.
• Overall Security: SSL: Moderate; any device can connect. IPsec: Strong; only specific devices with specific configurations can connect.
SSL VPNs
• Integrated security and routing
• Browser-based full network SSL VPN access
(Diagram: SSL VPN client - Internet - SSL VPN tunnel - headquarters workplace resources.)
Types of Access
Full Tunnel Client Access Mode
Establishing an SSL Session
(Diagram: a user running an SSL client connects to an SSL VPN enabled ISR router.)
1. User makes a connection to TCP port 443
2. Router replies with a digitally signed public key
3. User software creates a shared-secret key
4. Shared-secret key, encrypted with the public key of the server, is sent to the router
5. Bulk encryption occurs using the shared-secret key with a symmetric encryption algorithm
SSL VPN Design Considerations
• User connectivity
• Router feature
• Infrastructure planning
• Implementation scope
Cisco Easy VPN
• Negotiates tunnel parameters
• Establishes tunnels according to set parameters
• Automatically creates a NAT / PAT and associated ACLs
• Authenticates users by usernames, group names, and passwords
• Manages security keys for encryption and decryption
• Authenticates, encrypts, and decrypts data through the tunnel
Cisco Easy VPN
Securing the VPN
1. Initiate IKE Phase 1
2. Establish ISAKMP SA
3. Accept Proposal
4. Username/Password Challenge; Username/Password
5. System Parameters Pushed
6. Reverse Route Injection (RRI) adds a static route entry on the router for the remote client's IP address
7. Initiate IKE Phase 2: IPsec SA
Configuring Cisco Easy VPN Server
Configuring IKE Proposals
1. Click Add
2. Specify required parameters
3. Click OK
Creating an IPSec Transform Set
Group Authorization and Group Policy Lookup
1. Select the location where Easy VPN group policies can be stored
2. Click Next
3. Click Add
4. Configure the local group policies
5. Click Next
Summary of Configuration Parameters
VPN Client Overview
(Screenshot: VPN Client connection entry R1 at R1-vpn-cluster.span.com.)
• Establishes end-to-end, encrypted VPN tunnels for secure connectivity
• Compatible with all Cisco VPN products
• Supports the innovative Cisco Easy VPN capabilities
Establishing a Connection
(Screenshot: VPN Client connecting to connection entry "R1" at R1-vpn-cluster.span.com.)
Once authenticated, status changes to connected.
Editor's notes
Note: Actual parameters vary based on IOS image.
Notice however, that policy numbers are only locally significant and do not have to match between IPsec peers.
A transform set can have one AH transform and up to two ESP transforms.