Professional Documents
Culture Documents
Implementing Virtual Private Networks: CCNA Security v2.0
Implementing Virtual Private Networks: CCNA Security v2.0
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Section 8.1:
VPNs
Upon completion of this section, you should be able to:
• Describe VPNs and their benefits.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Topic 8.1.1:
VPN Overview
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Introducing VPNs
VPN Benefits:
• Cost Savings
• Security
• Scalability
• Compatibility
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Layer 3 IPsec VPNs
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Topic 8.1.2:
VPN Technologies
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Two Types of VPNs
Remote-Access VPN
Site-to-Site VPN
Access
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Components of Remote-Access VPNs
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
Components of Site-to-Site VPNs
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Section 8.2:
IPsec VPN Components and
Operation
Upon completion of this section, you should be able to:
• Describe the IPsec protocol and its basic functions.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Topic 8.2.1:
Introducing IPsec
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
IPsec Technologies
IPsec Implementation
IPsec Framework Examples
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Confidentiality
Confidentiality with Encryption:
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Confidentiality (Cont.)
Encryption Algorithms:
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Integrity
Hash Algorithms
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Authentication
PSK
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Authentication (Cont.)
RSA
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Secure Key Exchange
Diffie-Hellman Key Exchange
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Topic 8.2.2:
IPsec Protocols
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
IPsec Protocol Overview
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Authentication Header
AH Protocols
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Authentication Header (Cont.)
Router Creates Hash and Transmits
to Peer
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
ESP
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
ESP Encrypts and Authenticates
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Transport and Tunnel Modes
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Transport and Tunnel Modes (Cont.)
ESP Tunnel Mode
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Topic 8.2.3:
Internet Key Exchange
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
The IKE Protocol
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Phase 1 and 2 Key Negotiation
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Phase 2: Negotiating SAs
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Section 8.3:
Implementing Site-to-Site IPsec
VPNs with CLI
Upon completion of this section, you should be able to:
• Describe IPsec negotiation and the five steps of IPsec configuration.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Topic 8.3.1:
Configuring a Site-to-Site IPsec VPN
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
IPsec Negotiation
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
IPsec Negotiation (Cont.)
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Site-to-Site IPsec VPN Topology
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
IPsec VPN Configuration Tasks
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Existing ACL Configurations
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Existing ACL Configurations (Cont.)
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
Topic 8.3.2:
ISAKMP Policy
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
The Default ISAKMP Policies
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Syntax to Configure a New ISAKMP Policy
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
XYZCORP ISAKMP Policy Configuration
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Configuring a Pre-Shared Key
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Configuring a Pre-Shared Key (Cont.)
Pre-Shared Key Configuration
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Topic 8.3.3:
IPsec Policy
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
Define Interesting Traffic
The IKE Phase 1 Tunnel Does Not Exist Yet
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Define Interesting Traffic (Cont.)
Configure an ACL to Define Interesting Traffic
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
Configure IPsec Transform Set
The crypto ipsec transform-set Command
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Configure IPsec Transform Set (Cont.)
The crypto ipsec transform-set Command
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
Topic 8.3.4:
Crypto Map
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Syntax to Configure a Crypto Map
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Syntax to Configure a Crypto Map (Cont.)
Crypto Map Configuration Commands
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
XYZCORP Crypto Map Configuration
Crypto Map Configuration:
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
XYZCORP Crypto Map Configuration (Cont.)
Crypto Map Configuration:
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Apply the Crypto Map
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Topic 8.3.5:
IPsec VPN
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
Send Interesting Traffic
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
Verify ISAKMP and IPsec Tunnels
Verify the ISAKMP Tunnel is Established
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
Verify ISAKMP and IPsec Tunnels (Cont.)
Verify the IPsec Tunnel is Established
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Section 8.4:
Summary
Chapter Objectives:
• Explain the purpose of VPNs.
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Thank you.
Instructor Resources
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 63