VPN:
IPsec
· A protocol suite based on IETF (Internet Engineering Task Force) standards, used together to set up an encrypted connection between devices.
· Used to connect private networks over the internet = VPN (Virtual Private Network).
· Operates in two modes: transport mode and tunnel mode.
IPsec provides:
ü confidentiality,
ü peer authentication,
ü data integrity,
ü replay protection
and
ü access control.
Problems with IPsec
· Overhead: every packet carries extra headers (ESP/AH, plus a new outer IP header in tunnel mode) and pays for encryption and hashing, so usable throughput drops; how much depends on the platform, cipher and packet size.
· NAT: AH cannot survive address rewriting at all, and ESP has no ports for a NAT to translate. To get through NAT we use NAT-Traversal (NAT-T), which wraps ESP in UDP 4500.
ESP & AH
Sub-protocols of IPsec
· ESP (Encapsulating Security Payload, IP protocol 50): provides the encryption service of IPsec.
o Confidentiality, plus integrity and data-origin authentication of the ESP payload. The ESP ICV does not cover the outer IP header, and an HMAC shared by both peers can never give non-repudiation (either side could have produced it).
o Encrypts the IP payload (data), not the IP header.
o End-to-end security (client to server, or site to site).
o ESP can be used in tunnel or transport mode:
§ Tunnel mode: typically between two gateways. The whole original packet (IP header and everything above it) is encrypted and a new outer IP header is added.
§ Transport mode: encrypts only the IP payload, not the header. Both endpoints should be hosts (or the traffic is already a GRE tunnel between the two routers, as in the DMVPN labs below).
o A NIDS (Network Intrusion Detection System) can only inspect traffic before it enters the tunnel. In transport mode the host is the endpoint, so we rely on a HIDS (Host-based Intrusion Detection System).
o ESP can be used with or without AH. In practice ESP with an integrity algorithm (e.g., esp-sha-hmac) is used on its own; AH is rarely added.
· AH (Authentication Header, IP protocol 51): provides connectionless integrity and data-origin authentication.
o Data integrity and source authentication are combined: the receiver knows the packet came from the peer holding the shared key and was not altered in transit. This is not true non-repudiation, for the same HMAC reason as above.
o AH does not provide confidentiality.
o Can be used in tunnel or transport mode.
o Issue with AH: it encrypts nothing, but its ICV covers the IP header including the source and destination addresses (only mutable fields such as TTL, DSCP and the checksum are excluded). Any NAT that rewrites an address breaks the check, so AH cannot pass through NAT.
ESP provides encryption of the data from layer 4 (L4) up to layer 7 (L7); in tunnel mode the inner IP header is covered as well.
Tunnel mode (ESP or AH) adds a new outer IP header.
Security = encryption + integrity + authentication
Encryption uses keys (AES / 3DES; 3DES and DES are legacy and should not be used for new deployments)
Integrity uses a hash / HMAC (Cisco supports SHA and MD5; prefer SHA-2, MD5 is deprecated)
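The AH-versus-ESP integrity coverage described above, as an added example (not code from the original notes). It builds a bare IPv4 header by hand, computes an AH-style ICV over the header with the mutable fields zeroed and an ESP-style ICV over SPI, sequence number and payload, and then pushes the packet through a plain router (TTL decrement) and through a NAT (source address rewrite). The key, addresses, SPI and payload are constructed for the demo, and ESP's encryption is left out because the point is what the ICV covers, not the cipher.

```python
"""Added example (not from the original notes): what the AH and ESP integrity
checks (ICVs) cover, and why NAT breaks AH but not ESP.

Everything here is constructed for the demo: a hand-built 20-byte IPv4 header,
a fixed shared key, and HMAC-SHA256 truncated to 96 bits as the ICV (the same
truncation HMAC-SHA-256-96 uses). ESP's encryption is omitted because the
point is ICV coverage, not the cipher.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"            # constructed, shared by both peers
AH_PROTO, ESP_PROTO = 51, 50
# IPv4 byte offsets that RFC 4302 treats as mutable in transit and zeroes before
# computing the AH ICV: DSCP/ECN, flags + fragment offset, TTL, header checksum.
AH_MUTABLE_OFFSETS = (1, 6, 7, 8, 10, 11)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header (no options). Checksum left at 0; irrelevant here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]


def ah_icv(ip_hdr, spi, seq, payload):
    """AH ICV covers the IP header (mutable fields zeroed, addresses NOT zeroed),
    the AH header with its ICV field zeroed, and the payload."""
    hdr = bytearray(ip_hdr)
    for off in AH_MUTABLE_OFFSETS:
        hdr[off] = 0
    # next header (6 = TCP), payload len (AH length in 32-bit words minus 2),
    # reserved, SPI, sequence number, then the zeroed 96-bit ICV field
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, spi, seq) + bytes(12)
    return icv(bytes(hdr) + ah_hdr + payload)


def esp_icv(spi, seq, payload):
    """ESP ICV covers SPI, sequence number and the ESP payload only; the outer
    IP header is outside the check, so address rewriting does not affect it."""
    return icv(struct.pack("!II", spi, seq) + payload)


def router_hop(ip_hdr):
    """A plain router: decrements TTL, touches nothing else."""
    hdr = bytearray(ip_hdr)
    hdr[8] -= 1
    return bytes(hdr)


def nat_rewrite(ip_hdr, public_src="198.51.100.7"):
    """A source NAT: rewrites the source address and decrements TTL."""
    hdr = bytearray(router_hop(ip_hdr))
    hdr[12:16] = ipaddress.IPv4Address(public_src).packed
    return bytes(hdr)


PAYLOAD = b"constructed inner TCP segment"  # constructed
SPI, SEQ = 0x1000, 1


def ah_verifies_after(transform):
    """Sender computes the AH ICV on the original header; the receiver recomputes
    it on whatever arrived. True if the packet would be accepted."""
    sent_hdr = ipv4_header("10.0.0.5", "203.0.113.9", AH_PROTO, 24 + len(PAYLOAD))
    sent_icv = ah_icv(sent_hdr, SPI, SEQ, PAYLOAD)
    received_hdr = transform(sent_hdr)
    return hmac.compare_digest(sent_icv, ah_icv(received_hdr, SPI, SEQ, PAYLOAD))


def esp_verifies_after(transform):
    """Same check for ESP: the header may change en route; the ICV never sees it."""
    sent_hdr = ipv4_header("10.0.0.5", "203.0.113.9", ESP_PROTO, 8 + len(PAYLOAD) + 12)
    sent_icv = esp_icv(SPI, SEQ, PAYLOAD)
    transform(sent_hdr)  # header rewritten, but it is not an input to the ESP ICV
    return hmac.compare_digest(sent_icv, esp_icv(SPI, SEQ, PAYLOAD))


if __name__ == "__main__":
    print("AH through a router:", ah_verifies_after(router_hop))    # True
    print("AH through NAT:     ", ah_verifies_after(nat_rewrite))   # False
    print("ESP through NAT:    ", esp_verifies_after(nat_rewrite))  # True
```

The TTL case is why AH still works across ordinary routers: the fields a router legitimately changes are excluded from the ICV, but the addresses a NAT changes are not. ESP's ICV starts at the SPI, which is exactly why NAT-T only has to solve the "no ports" problem with a UDP wrapper.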
ISAKMP
The entire security lies in creating and exchanging keys, using one of the methods below:
1. A public key distributed through a trusted third party (a CA-signed certificate, or a key published in DNS).
2. A static (pre-shared) key configured on both sides.
3. A key exchange algorithm (Diffie-Hellman, or a public/private key pair).
Keys are negotiated over ISAKMP (Internet Security Association and Key Management Protocol):
· A framework to create Security Associations (SAs) and perform key exchange.
· Carries the messages for IKE.
· Used for negotiating, establishing, modifying and deleting Security Associations (SAs) and their related parameters.
· Provides denial-of-service protection: the initiator/responder cookies in the ISAKMP header must be echoed back before the responder does any expensive DH work.
· ISAKMP itself does not define the key exchange; the actual key exchange is done using:
o IKE (pre-shared keys or certificates authenticate the DH exchange)
o KINK (Kerberized Internet Negotiation of Keys), where a third-party KDC (Key Distribution Center) distributes keys between the two endpoints.
o IPSECKEY Resource Record (RR), where the public keys of domains are published in DNS; it relies on DNSSEC (DNS Security) to make those records trustworthy.
SA
§ Security Associations (SAs) are the session parameters (algorithms, keys, lifetimes, mode) for AH and ESP.
§ SPI (Security Parameter Index): a 32-bit value carried in every AH/ESP packet; together with the destination address and protocol it identifies the SA the receiver must use.
§ An IPsec SA is simplex (one direction), so a bidirectional ESP session needs two SAs (inbound and outbound), and AH needs another two if it is used.
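The replay protection listed under what IPsec provides is a property of each inbound SA, and it is worth seeing the actual mechanism. The following is an added example (not code from the original notes) of the sliding anti-replay window from RFC 4303 section 3.4.3, sized at the 64-packet default Cisco IOS uses (`crypto ipsec security-association replay window-size`). The sequence numbers and arrival order are constructed; there is no packet parsing.

```python
"""Added example (not from the original notes): the per-SA anti-replay window
an ESP/AH receiver keeps (RFC 4303 section 3.4.3), with the 64-packet window
Cisco IOS uses by default. Sequence numbers and the window size are constructed
for the demo; there is no real packet parsing.
"""

WINDOW_SIZE = 64          # IOS default replay window-size
MAX_SEQ = 2**32 - 1       # 32-bit ESP sequence number (no ESN); rekey before it wraps


class ReplayWindow:
    """Sliding window over received sequence numbers for one inbound SA."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit k set  =>  sequence number (highest - k) was received
        self.rejected = []        # (seq, reason) log; this is what a "replay" counter is built from

    def accept(self, seq):
        """Return True and update state if seq is fresh; False (reason logged) otherwise."""
        if seq == 0 or seq > MAX_SEQ:
            self.rejected.append((seq, "invalid sequence number"))
            return False
        if seq > self.highest:
            shift = seq - self.highest
            # slide the window forward; bits that fall off the left edge are forgotten
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            self.rejected.append((seq, "too old (outside window)"))
            return False
        if self.bitmap & (1 << offset):
            self.rejected.append((seq, "replay (already received)"))
            return False
        self.bitmap |= 1 << offset      # late but first-seen packet: accept it
        return True

    def must_rekey(self):
        """Sender-side rule: a sequence number is never reused under one key."""
        return self.highest >= MAX_SEQ


def demo():
    """Feed a constructed arrival order into one window and return the decisions."""
    w = ReplayWindow()
    arrivals = [1, 3, 2, 3, 100, 36, 37, 0]
    decisions = [w.accept(s) for s in arrivals]
    return decisions, w.rejected


if __name__ == "__main__":
    decisions, rejected = demo()
    print(decisions)   # [True, True, True, False, True, False, True, False]
    print(rejected)
```

The arrival order shows the three outcomes a receiver distinguishes: 2 arriving after 3 is merely reordered and is accepted, a second copy of 3 is a replay, and 36 arriving after 100 is outside the 64-packet window and is dropped even though it was never seen. A reordering network that exceeds the window (common with QoS queues on the WAN) produces exactly the "too old" drops that show up as replay errors, which is why the window size is tunable rather than fixed.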
IKE (Internet Key Exchange)
§ IKE is used to set up security associations.
§ Peer authentication can be based on X.509 digital certificates, on pre-shared keys, or on keys published through DNS.
§ UDP 500, and UDP 4500 when NAT-T is in use.
§ There are two phases in IKE (IKEv1):
o Phase I:
§ Builds the ISAKMP SA, using Diffie-Hellman (DH) for key exchange.
§ Management traffic: establishes the policy between the IPsec devices and authenticates the peers.
§ Bidirectional (a single security association covers both directions).
o Phase II:
§ The IPsec SAs are established.
§ For data protection.
§ Simplex / unidirectional (two SAs, one per direction).
o Policy selection: ISAKMP policies are evaluated in priority order (lowest number first on Cisco IOS) and the first policy both peers support is used, so put the strongest policy at the highest priority. AES should supersede DES (Data Encryption Standard), which is broken.
Phase 1 = ISAKMP SA = Mgmt. (1, bidirectional)
Phase 2 = IPsec SA = Data (2, unidirectional)
IKE Modes
§ Main mode (3 two-way exchanges = 6 messages)
o 1st exchange: proposal of algorithms (encryption, hash, authentication method, DH group, lifetime)
o 2nd exchange: DH public values and nonces, from which the shared key is generated
o 3rd exchange: peer identity (IP or FQDN) and the authentication hash, sent encrypted under the keys from the 2nd exchange (identity protection)
§ Aggressive mode (3 messages, fewer exchanges): faster than main mode, but the identity and the PSK-based authentication hash are sent in the clear, which allows an offline dictionary attack on the pre-shared key. Avoid it with PSKs.
§ Quick mode: used in Phase II to build the IPsec SAs (3 messages).
IKE Version
IKEv1
§ 9 messages (main mode 6 + quick mode 3) or 6 messages (aggressive mode 3 + quick mode 3).
§ NAT will not work unless NAT-Traversal is enabled.
§ DPD (Dead Peer Detection) needs to be enabled manually.
§ Does not support EAP authentication.
§ Supports only symmetric authentication (both sides use the same method, e.g., the same pre-shared key).
IKEv2
§ Less bandwidth and fewer message exchanges.
§ The following are built in rather than separate extensions:
o ISAKMP, AH/ESP, the IPsec DOI, DPD, NAT-T, mode config.
o No separate phases: an IKE_SA_INIT exchange (DH values and nonces) followed by IKE_AUTH (authentication plus the first CHILD_SA) sets up both the IKE SA and the first IPsec SA in 4 messages.
o Two further exchange types: CREATE_CHILD_SA (rekeying or additional child SAs) and INFORMATIONAL (DPD, delete, error notifications).
§ Supports EAP (Extensible Authentication Protocol) along with pre-shared key and certificate authentication.
Note: EAP allows the use of LAN authentication methods, e.g., AD or ISE integration.
§ Supports asymmetric authentication methods.
Note: Asymmetric authentication: a different pre-shared key on each side, or different methods, e.g., pre-shared key on one side and a certificate on the other.
§ Supports MOBIKE (IKEv2 Mobility and Multihoming protocol): the SA survives a network change (e.g., the IP changes as we move across Wi-Fi coverage).
Note: MOBIKE e.g., the VPN does not drop when we switch from Wi-Fi to 4G or to a different network.
§ IKEv2 supports stronger encryption (AES-GCM, SHA-2, larger DH groups) and is still faster.
§ Supports PFS (Perfect Forward Secrecy).
Note: PFS: a fresh DH exchange is run for each IPsec SA (re-key), so the data keys are not derived only from the Phase I / IKE SA secret. Compromising the IKE SA keys later does not reveal past data keys.
§ Facility to negotiate multiple sets of traffic selectors.
For IKEv1, interesting traffic is defined using an ACL and is limited to IP addresses and port numbers.
§ Better reliability through improved sequence numbers and acknowledgments (every request has a response, and retransmission is defined).
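The PFS note above, as an added example (not code from the original notes). It implements the IKEv2 child-SA key derivation from RFC 7296 (prf+ over HMAC-SHA256) and asks the practical question: if an attacker has already obtained SK_d, the IKE SA's derivation key, do they get the data keys of the next rekey? The DH group is a constructed 16-bit toy (P = 65521, G = 5) so that the last scenario can brute-force the discrete log; real groups are 2048-bit and up, and the nonces and the "compromised" SK_d are random bytes made up for the demo.

```python
"""Added example (not from the original notes): why PFS matters, using the IKEv2
key derivation from RFC 7296 (prf+ with HMAC-SHA256) on a toy Diffie-Hellman
group. Constructed for the demo: the 16-bit prime P and generator G (real IKE
groups are 2048-bit and larger), the nonces, and the "compromised" SK_d. The
toy group is deliberately small so the final scenario can brute-force the DH
secret and show what group size is actually buying.
"""
import hashlib
import hmac
import secrets

P, G = 65521, 5             # constructed toy group; never use sizes like this for real


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """RFC 7296 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n); output T1|T2|..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def dh_keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def child_keymat(sk_d, ni, nr, g_ir=None):
    """IKEv2 CREATE_CHILD_SA key material (RFC 7296 2.17):
    without PFS: KEYMAT = prf+(SK_d, Ni | Nr)
    with PFS:    KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr)"""
    seed = (g_ir.to_bytes(2, "big") if g_ir is not None else b"") + ni + nr
    return prf_plus(sk_d, seed, 64)


def brute_force_dlp(public):
    """Solve G^x = public in the toy group by exhaustive search (infeasible for real groups)."""
    for x in range(1, P):
        if pow(G, x, P) == public:
            return x
    raise ValueError("no discrete log found")


def attacker_recovers_child_keys(pfs, attacker_solves_dlp=False):
    """Scenario: the attacker holds SK_d (the IKE SA's derivation key) and can read
    the nonces of a later IPsec SA rekey. Does that alone yield the new data keys?"""
    sk_d = secrets.token_bytes(32)       # constructed: the compromised IKE SA key
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)

    if not pfs:
        legit = child_keymat(sk_d, ni, nr)
        guess = child_keymat(sk_d, ni, nr)   # same inputs, same keys: the rekey bought nothing
        return hmac.compare_digest(legit, guess)

    # With PFS each rekey runs a fresh DH exchange; only g^i and g^r are visible.
    xi, g_i = dh_keypair()
    xr, g_r = dh_keypair()
    legit = child_keymat(sk_d, ni, nr, pow(g_r, xi, P))
    if attacker_solves_dlp:                  # only possible because the toy group is tiny
        g_ir = pow(g_r, brute_force_dlp(g_i), P)
        guess = child_keymat(sk_d, ni, nr, g_ir)
    else:
        guess = child_keymat(sk_d, ni, nr)   # best effort without the DH secret
    return hmac.compare_digest(legit, guess)


if __name__ == "__main__":
    print("no PFS, SK_d known:        ", attacker_recovers_child_keys(pfs=False))       # True
    print("PFS, SK_d known:           ", attacker_recovers_child_keys(pfs=True))        # False
    print("PFS, toy group brute-forced:", attacker_recovers_child_keys(True, True))     # True
```

The third scenario is the reason `group 2` (1024-bit MODP) in the labs below is a lab-only choice: PFS only helps if the discrete log in the chosen group is actually out of reach, so pair `set pfs` with group 14 or higher (or an ECP group).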
ISAKMP SA States for IKE Main Mode SA Negotiation:
· MM_NO_STATE: the ISAKMP SA has been created but nothing else has happened yet ("larval" state, no negotiation done).
· MM_SA_SETUP: the peers have agreed on parameters for the ISAKMP SA.
· MM_KEY_EXCH: the peers have exchanged DH public keys and generated a shared secret. The ISAKMP SA remains unauthenticated.
· MM_KEY_AUTH: the ISAKMP SA has been authenticated. If the router initiated these exchanges, this state transitions immediately to QM_IDLE and the Quick Mode exchange begins.
ISAKMP SA States for IKE Aggressive Mode SA Negotiation:
· AG_NO_STATE: the ISAKMP SA has been created, but nothing else has happened yet (no state).
· AG_INIT_EXCH: the peers have done the first exchange in Aggressive Mode, but the SA is not authenticated.
· AG_AUTH: the ISAKMP SA has been authenticated. If the router initiated, the state transitions to QM_IDLE and Quick Mode begins.
Check with "show crypto isakmp sa": a healthy tunnel sits in QM_IDLE; anything stuck in MM_KEY_EXCH or MM_NO_STATE usually means mismatched policy or pre-shared key.
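The main/aggressive/quick distinction above is visible on the wire in the ISAKMP header, and a detection engineer or pentester tells them apart from the exchange-type byte. The following is an added example (not code from the original notes) that parses the 28-byte ISAKMP/IKE header (RFC 2408 and RFC 7296 share the layout), handles the UDP 4500 NAT-T non-ESP marker, and flags aggressive mode as a finding. The sample datagrams are constructed by hand; the cookie and SPI values in them are arbitrary, not captured traffic.

```python
"""Added example (not from the original notes): parse the ISAKMP/IKE header
(RFC 2408 / RFC 7296, 28 bytes, carried over UDP 500 or UDP 4500) and classify
the exchange so a capture or IDS rule can tell main mode, aggressive mode,
quick mode and IKEv2 apart. Sample datagrams are constructed by hand; the
cookie/SPI values in them are arbitrary.
"""
import struct

# initiator cookie, responder cookie, next payload, version, exchange type, flags, message id, length
HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE_NAMES = {
    2: "IKEv1 main mode (identity protection)",
    4: "IKEv1 aggressive mode",
    5: "IKEv1 informational",
    32: "IKEv1 quick mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}
# Prefixes IKE inside UDP 4500 so it is not mistaken for ESP (SPI 0 is reserved).
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify(udp_dport, data):
    """Describe one UDP payload: an IKE message, UDP-encapsulated ESP, or unknown."""
    if udp_dport == 4500:
        if not data.startswith(NON_ESP_MARKER):
            # UDP-encapsulated ESP (RFC 3948): first 4 bytes are a non-zero SPI
            return {"kind": "esp-in-udp", "spi": struct.unpack("!I", data[:4])[0]}
        data = data[4:]
    elif udp_dport != 500:
        return {"kind": "unknown"}
    if len(data) < HEADER.size:
        return {"kind": "unknown"}

    _i_cookie, r_cookie, _next, version, exch, flags, _msg_id, length = HEADER.unpack_from(data)
    info = {
        "kind": "ike",
        "version": version >> 4,                       # 0x10 -> 1, 0x20 -> 2
        "exchange": EXCHANGE_NAMES.get(exch, "other (%d)" % exch),
        "first_message": r_cookie == bytes(8),          # responder cookie/SPI still zero
        "length_ok": length == len(data),
        "finding": None,
    }
    if info["version"] == 1:
        info["encrypted"] = bool(flags & 0x01)          # RFC 2408 E bit
        if exch == 4:
            info["finding"] = ("aggressive mode: identity and PSK-based hash travel "
                               "unencrypted; the PSK can be attacked offline")
    else:
        info["initiator"] = bool(flags & 0x08)          # RFC 7296 I bit
        info["response"] = bool(flags & 0x20)           # RFC 7296 R bit
    return info


def _ike(version, exch, flags=0, r_cookie=bytes(8), body=b"\x00" * 20):
    """Build a constructed IKE datagram: header (next payload 1 = SA) plus dummy body."""
    hdr = HEADER.pack(b"\x11" * 8, r_cookie, 1, version, exch, flags, 0, HEADER.size + len(body))
    return hdr + body


# Constructed sample datagrams (not captured traffic): (udp dst port, payload)
SAMPLES = {
    "main_mode_first": (500, _ike(0x10, 2)),
    "aggressive_first": (500, _ike(0x10, 4)),
    "quick_mode": (500, _ike(0x10, 32, flags=0x01, r_cookie=b"\x22" * 8)),
    "ikev2_sa_init_natt": (4500, NON_ESP_MARKER + _ike(0x20, 34, flags=0x08)),
    "esp_in_udp": (4500, b"\x00\x00\x10\x00" + b"\x00\x00\x00\x01" + b"\xaa" * 32),
}


def report():
    return {name: classify(port, data) for name, (port, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, info in report().items():
        print(name, "->", info)
```

A first message with an all-zero responder cookie and exchange type 4 on UDP 500 is the signature that tools such as ike-scan look for when probing for aggressive-mode PSK gateways; the same parse is enough to write an IDS rule for it, or to confirm from a capture which mode a router is actually negotiating.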
DMVPN
DMVPN = mGRE + IPsec + NHRP
GRE (Generic Routing Encapsulation)
· Simple non-negotiated tunnel (no keys, no authentication; all protection comes from IPsec).
· IP protocol number 47.
· 4-byte header (8 bytes with the optional tunnel key) + a new outer IP header.
· P2P GRE (point-to-point) and P2M mGRE (multipoint).
· To configure P2P GRE:
o tunnel ip address
o tunnel source
o tunnel destination
o tunnel key (optional)
· To configure mGRE:
o ip address
o tunnel source
o tunnel key
o NHRP (instead of a tunnel destination; "tunnel mode gre multipoint")
· NBMA address (non-broadcast multi-access address) is the WAN IP.
NHRP: (RFC 2332)
· Allows a peer to have a dynamic IP.
· A resolution protocol for the tunnel overlay (the same job ARP does on a LAN): maps tunnel / VPN addresses to NBMA addresses.
· Multicast traffic (routing protocol hellos) is replicated as unicast to the specific remote peers mapped with "ip nhrp map multicast".
· NHRP config:
o ip nhrp network-id <id>
o ip nhrp map <vpn-tunnel-ip> <NBMA-address>
o ip nhrp map multicast <NBMA-address>
  or
  ip nhrp map multicast dynamic (on the hub)
o ip nhrp nhs <vpn-tunnel-ip> (on the spokes, pointing at the hub)
· NHRP cache population:
o manual / static
o registration (the hub learns the spoke)
o resolution (a spoke asks the hub for another spoke)
How DMVPN works:
· The spoke router registers its tunnel IP and its NBMA (local WAN) IP with the hub and joins the multipoint GRE network.
· When a spoke wants to talk to another spoke it sends an NHRP resolution request to the hub, then builds a direct spoke-to-spoke tunnel.
DMVPN Advantages:
· Spokes do not need static IPs.
· Scalable solution (one mGRE interface on the hub serves all spokes).
· Devices build up tunnels dynamically.
Caveat: "ip nhrp authentication" is a cleartext string that only prevents accidental peering between different DMVPN networks; real peer authentication comes from IKE/IPsec via "tunnel protection".
LAB 1: SITE-to-SITE VPN IKEv1
Steps to create an IKEv1 site-to-site VPN tunnel:
1. Create the pre-shared key
2. Create the crypto isakmp policy (authentication, encryption, hash, and group)
3. Create the IPsec transform-set
4. Create an ACL to define interesting traffic
5. Create the crypto map (set peer, transform-set, ACL for interesting traffic)
6. Create the tunnel (source, destination, and mode gre ip)
7. Apply the crypto map to the WAN interface
R1 Config
! pre-shared key for peer R3
crypto isakmp key cisco123 address 192.168.2.2
! 3DES / MD5 / group 2 are the lab values; they are legacy
! (use aes 256 / sha256 / group 14 or higher in production)
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
! interesting traffic: only the GRE tunnel between the two WAN addresses
! (the notes originally used "permit ip any any", which is discouraged in a crypto ACL)
ip access-list extended GRE
 permit gre host 192.168.1.1 host 192.168.2.2
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set TS
 match address GRE
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1400
 tunnel source Ethernet1/0
 tunnel destination 192.168.2.2
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
 crypto map CRYPTOMAP
Verification:
R1# show crypto isakmp key
R1# show crypto isakmp policy
R1# show crypto isakmp sa
R1# show crypto isakmp peers
R1# show crypto ipsec transform-set
R1# show crypto ipsec sa
R3 will have the identical mirror config (peer 192.168.1.1, tunnel IP 172.16.1.2, tunnel destination 192.168.1.1).
LAB 2: SITE-to-SITE VPN IKEv2
Steps to create an IKEv2 site-to-site VPN:
Step 1: IKEv2 proposal (encryption, integrity and DH group)
Step 2: create the IKEv2 policy (call the proposal)
Step 3: create the IKEv2 keyring (peer name, address, and local and remote pre-shared keys)
Step 4: create the IKEv2 profile (match local and remote identity, local and remote authentication method, call the keyring)
Step 5: create the IPsec transform-set
Step 6: ACL for interesting traffic
Step 7: create the crypto map (transform-set, profile, peer, DH group for PFS, ACL)
Step 8: apply the crypto map to the WAN interface
Step 9: create the tunnel interface
R1#
! md5 integrity and group 2 are lab values; use sha256 and group 14 or higher in production
crypto ikev2 proposal Pro1
 encryption aes-cbc-128
 integrity md5
 group 2
crypto ikev2 policy Policy1
 proposal Pro1
crypto ikev2 keyring K-Ring
 peer R3
  address 192.168.2.2
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
!
crypto ikev2 profile Profile1
 match identity remote address 192.168.2.2 255.255.255.255
 identity local address 192.168.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local K-Ring
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
 mode tunnel
! interesting traffic: only the GRE tunnel between the two WAN addresses
! (the notes originally used "permit ip any any", which is discouraged in a crypto ACL)
ip access-list extended GRE
 permit gre host 192.168.1.1 host 192.168.2.2
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set TSET
 set pfs group2
 set ikev2-profile Profile1
 match address GRE
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ! MTU / MSS clamping belongs on the tunnel interface (the notes had it on Ethernet1/1)
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Ethernet1/1
 tunnel destination 192.168.2.2
 tunnel mode gre ip
interface Ethernet1/1
 ip address 192.168.1.1 255.255.255.0
 duplex full
 crypto map CMAP
end
Troubleshooting / verification:
debug crypto ikev2 packet
debug crypto ikev2 internal
show crypto ikev2 sa detailed
show crypto ipsec sa
show crypto session
R1# show crypto ikev2 sa
R1# show crypto ikev2 session
LAB 3: DMVPN with IKEv1
Steps to create an IKEv1 DMVPN tunnel:
1. Crypto pre-shared key
2. Crypto isakmp policy (authentication, encryption, hash and DH group)
3. Transform set
4. IPsec profile (calls the transform set)
5. mGRE tunnel interface with NHRP, protected with "tunnel protection ipsec profile"
(No crypto map or interesting-traffic ACL is needed: tunnel protection encrypts everything that enters the tunnel interface.)
R1 Configuration for Hub
!
! wildcard PSK (0.0.0.0 0.0.0.0) lets any spoke holding the key connect; fine for a lab,
! prefer per-spoke keys or certificates in production
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
! encr / hash added: without them the IOS policy defaults are DES and SHA-1
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile MY_PROFILE
 set transform-set TSET
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 5
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel key 6
 tunnel protection ipsec profile MY_PROFILE
router eigrp 1
 network 10.10.10.0 0.0.0.255
 ! the tunnel subnet must be advertised or no EIGRP adjacency forms over the tunnel
 network 172.16.1.0 0.0.0.255
 no auto-summary
 exit
Configuration on spoke R2
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile MY_PROFILE
 set transform-set TSET
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication cisco123
 ! map <tunnel-ip> <NBMA-ip>: the hub's tunnel address to the hub's WAN address
 ip nhrp map 172.16.1.1 192.168.1.1
 ip nhrp map multicast 192.168.1.1
 ip nhrp nhs 172.16.1.1
 ip nhrp network-id 5
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel key 6
 ! without tunnel protection the spoke would send GRE in cleartext
 tunnel protection ipsec profile MY_PROFILE
router eigrp 1
 network 20.20.20.0 0.0.0.255
 network 172.16.1.0 0.0.0.255
Note: R3 (the second spoke) has the same configuration as R2 with its own tunnel IP (e.g., 172.16.1.3) and its own LAN network.
Verification:
# show ip nhrp detail
# show dmvpn
# show crypto ipsec sa
LAB 4: DMVPN with IKEv2
Steps for IKEv2 DMVPN:
1. IKEv2 proposal (define encryption, integrity, and group)
2. IKEv2 policy (attach the proposal to the policy)
3. IKEv2 keyring (peer, local and remote key)
4. IKEv2 profile (attach the keyring)
5. IPsec profile (call the IKEv2 profile)
6. Create the tunnel: apply the IPsec profile using the "tunnel protection ipsec profile" command
Topology: (diagram not included in the notes; hub R1 with WAN 192.168.1.1, spoke R2 with WAN 192.168.1.2, tunnel network 172.16.1.0/24)
R1 Hub Config
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 15
crypto ikev2 policy ikev2-policy
 proposal ikev2-proposal
crypto ikev2 keyring K-Ring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile ikev2-profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local K-Ring
! transform set added for explicitness; without "set transform-set" IOS falls back
! to its built-in default transform sets
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile ipsec-profile
 set transform-set TSET
 set ikev2-profile ikev2-profile
interface Ethernet1/1
 ip address 192.168.1.1 255.255.255.0
 duplex full
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ! MTU / MSS clamping belongs on the tunnel interface (the notes had it on Ethernet1/1)
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile ipsec-profile
end
R2 Spoke Config
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 15
crypto ikev2 policy ikev2-policy
 proposal ikev2-proposal
crypto ikev2 keyring K-Ring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
!
crypto ikev2 profile ikev2-profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local K-Ring
crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac
 mode transport
! (the notes had "set identity ANY" here; it references a crypto identity that is never
! defined, so it is dropped)
crypto ipsec profile ipsec-profile
 set transform-set TSET
 set ikev2-profile ikev2-profile
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication cisco123
 ip nhrp map multicast 192.168.1.1
 ip nhrp map 172.16.1.1 192.168.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.1.1
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile ipsec-profile
end
interface Ethernet1/1
 ip address 192.168.1.2 255.255.255.0
 duplex full
Verification:
R2# show crypto ikev2 session
R2# show crypto ikev2 sa
R2# show dmvpn
R2# show ip nhrp