Cisco Secure Virtual
Private Networks


Exam number: 9E0-570
Number of questions: 62
Time limit: 60 minutes
Passing Score: 673
Overview of VPN and
IPSec Technologies
   Overview

     You will achieve the following objectives by the end of
      this section:
          Identify the three types of VPNs.
          Describe the two IPSec protocols and how they function in
           transport and tunnel modes.
          List the functions of IPSec transforms.
          Identify and describe the three major crypto technologies used
           with IPSec.
          Describe the five steps of the IPSec process.
          List the features of SAs and how they are used in IPSec.
          List the main features of CA support.
          Describe digital signatures and their usage in IPSec.


Page 7
   Virtual Private Networks

     Secure, reliable connectivity over shared public network
      infrastructures
     Types:
          Access VPN
             Remote users
             Analog, dial, ISDN, DSL, mobile IP, cable
             Mobile users, telecommuters, branch offices
          Intranet VPN
             Internal employees
             Dedicated connections
             HQ, remote offices, branch offices, internal network
          Extranet VPN
             External users (customers, suppliers, partners)
             Dedicated connections
Page 8
   Cisco VPN Products

     Establish
          Cisco Secure IOS routers
          Cisco Secure PIX Firewalls
          Cisco Secure VPN Concentrators
          Cisco Secure VPN Clients
     Manage
          Cisco Secure IDS
          Cisco Secure Scanner
          Cisco Secure ACS
          Cisco Secure Policy Manager
          Cisco Works 2000



Page 9
   Internet Protocol Security (IPSec)

     Network layer protocol suite
     Provides:
           Data confidentiality
              Encrypting packets before transmission
           Data integrity
              Ensures packets are not altered during transmission
           Data origin authentication
              Receiver can verify the source of the data
           Antireplay
              Detection and rejection of replayed packets




Page 10
   IPSec Components

     IPSec protocols:
           Authentication Header (AH)
           Encapsulating Security Payload (ESP)
     Existing standards:
           Data Encryption Standard (DES)
           Triple DES (3DES)
           Diffie-Hellman (D-H)
           Message Digest 5 (MD5)
           Secure Hash Algorithm-1 (SHA-1)
           Rivest, Shamir, and Adleman (RSA) signatures
           Internet Key Exchange (IKE)
           Certificate Authorities (CAs)

Page 11
   Authentication Header (AH)

     The process:
           IP header and payload are hashed using a shared secret
           New AH header containing hash is appended to packet
           Peer receives packet and performs hash on IP header and
            payload using the same shared secret
           Peer compares computed hash with transmitted hash
           Exact match is accepted by peer
     Provides:
           Data integrity
           Origin authentication (shared secret)
           Optional antireplay
     Does not provide:
           Confidentiality – data is not encrypted
Page 12
   Encapsulating Security Payload
   (ESP)
     Provides:
           Confidentiality through encryption
           Data origin authentication
           Data integrity
           Antireplay services (optional)
           Some traffic flow confidentiality
     Default encryption is 56-bit DES
     You must use ESP instead of AH when confidentiality is
      required
     Similar process as AH except that data is encrypted


Page 13
   Standard Protocols

     Data encryption:
           DES Algorithm – 56-bit
           Triple DES Algorithm (3DES) – 168-bit
     Packet authentication:
           Message Digest 5 (MD5)
           Secure Hash Algorithm-1 (SHA-1)
     Peer authentication:
           Preshared Keys
           Rivest, Shamir, and Adleman (RSA) Signatures
     Key exchange:
           Diffie-Hellman (D-H) Group 1 – 768-bit
           Diffie-Hellman (D-H) Group 2 – 1024-bit
Page 14
   Standard Protocols (cont’d)

     Internet Key Exchange (IKE)
           Authentication of IPSec peers
           Negotiation of IKE and IPSec security associations (SAs)
           Establish keys for IPSec encryption algorithms
           IKE is synonymous with Internet Security Association and Key
            Management Protocol (ISAKMP) on Cisco devices
              You set ISAKMP parameters on Cisco devices to configure IKE
     Certificate Authorities (CAs)
           Provides scalability to IPSec
           Trusted CAs provide digital certificates to IPSec peers




Page 15
   IPSec Modes

     Transport
           Used for end-to-end sessions
              End station to end station
              End station to IPSec gateway for admin purposes
                 Gateway is end station in this case

     Tunnel
           Used for everything else
           Default for Cisco IOS routers and PIX Firewalls
           Most secure mode




Page 16
   IPSec Modes used with AH

     Transport
           AH hash performed on original IP packet data and
            non-mutable fields in the original IP packet header
              Provides authentication for data and non-changing portion of original
               IP header
           AH header is inserted after original IP header
     Tunnel
           New IP header is created
           AH hash performed on entire original packet and
            non-mutable fields in the new IP header
              Provides authentication for entire original IP packet and non-
               changing portions of new IP header
     AH cannot be used with Network Address Translation
      (NAT) – hash will be invalidated
Page 17
   IPSec Modes used with ESP

     Transport
           Original IP header is left intact – not authenticated
           Data portion and ESP header are encrypted and authenticated
     Tunnel
           Entire original packet is encrypted and authenticated with ESP
            header
           New IP header is created
     ESP supports NAT – header is not authenticated
     ESP’s optional authentication field is provided by Hashed
      Message Authentication Codes (HMAC)


Page 18
   IPSec Transforms

     IPSec Transform specifies:
           Single security protocol (AH or ESP)
           Security algorithms
           IPSec mode
     Transform Set:
           Combination of individual IPSec transforms
           Enacts security policy for IPSec traffic
           Includes:
              AH transform
              ESP transform
              IPSec mode




Page 19
   IPSec Crypto

     Data Encryption
           Data Encryption Standard (DES)
     Key Agreement
           Diffie-Hellman (D-H) Key Agreement
     Authentication Hashing
           Hashed Message Authentication Codes (HMAC)




Page 20
   DES Encryption

     Used only with IPSec ESP
     Encrypts IP packet data
           In tunnel mode, also encrypts IP header
     Requires secret key that is shared by peers
           D-H key agreement used to negotiate shared secret key
     Encryption process
           DES takes shared secret key plus clear text to produce
            ciphertext
     Decryption process
           DES on peer takes same shared secret key plus ciphertext to
            produce clear text


Page 21
   Diffie-Hellman Key Agreement

     Procedure to generate shared secret key between peers
     Shared secret key is based on:
           Prime integer – shared by peers
           Private key – of each peer
     Shared key is used for:
           Encryption
              DES
              3DES
           Authentication
              MD5
              SHA-1
              HMAC
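The agreement the two slides above describe, worked through in Python as an added example (it is not part of the original course material): each peer keeps a private exponent, exchanges g^x mod p, arrives at the same shared secret, and then derives separate derivation, authentication and encryption keys from that secret together with the preshared key and the two nonces, following the structure of the IKE phase-one derivation in RFC 2409. The group is an assumed toy 127-bit prime so the script runs instantly; real IKE uses the 768-bit (group 1) and 1024-bit (group 2) MODP primes from the previous slides, with identical arithmetic. The preshared keys, nonces and cookies are constructed values.

```python
import hashlib
import hmac
import secrets

# Toy-sized group for illustration only: the Mersenne prime 2**127 - 1 with
# generator 2. Real IKE groups are the 768-bit (group 1) and 1024-bit (group 2)
# MODP primes; the arithmetic below is identical, only the numbers are bigger.
P = 2**127 - 1
G = 2


def dh_keypair(p=P, g=G):
    """A peer picks a private exponent x and publishes g^x mod p."""
    private = secrets.randbelow(p - 3) + 2          # 2 <= x <= p-2
    return private, pow(g, private, p)


def dh_shared(private, peer_public, p=P):
    """The shared secret g^xy mod p; each peer's private exponent never leaves it."""
    return pow(peer_public, private, p)


def prf(key, data):
    """Keyed pseudo-random function; IKE uses HMAC with the negotiated hash."""
    return hmac.new(key, data, hashlib.sha1).digest()


def int_to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """Derive phase-one keying material from the preshared key, the two nonces,
    the DH secret and the ISAKMP cookies. The structure follows RFC 2409:
    SKEYID binds the PSK to the nonces, then SKEYID_d (further derivation),
    SKEYID_a (authentication) and SKEYID_e (encryption) are chained from it."""
    gxy_b = int_to_bytes(gxy)
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy_b + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy_b + cky_i + cky_r + b"\x02")
    return {"d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def run_exchange(psk_initiator, psk_responder):
    """Simulate both peers of a phase-one exchange. Returns whether the DH
    secrets agree and whether the derived keys agree; the latter fails when the
    preshared keys differ even though the DH arithmetic itself succeeds."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)       # constructed nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # constructed cookies
    secret_i = dh_shared(xi, gxr)       # initiator uses the responder's public value
    secret_r = dh_shared(xr, gxi)       # responder uses the initiator's public value
    keys_i = phase1_keys(psk_initiator, ni, nr, secret_i, cky_i, cky_r)
    keys_r = phase1_keys(psk_responder, ni, nr, secret_r, cky_i, cky_r)
    return secret_i == secret_r, keys_i == keys_r, keys_i


if __name__ == "__main__":
    same_secret, same_keys, keys = run_exchange(b"group-password", b"group-password")
    print("DH secrets agree:", same_secret, "| derived keys agree:", same_keys)
    print("SKEYID_e:", keys["e"].hex())
    _, same_keys, _ = run_exchange(b"group-password", b"wrong-password")
    print("with mismatched preshared keys, derived keys agree:", same_keys)
```

The second run shows why a preshared-key mismatch surfaces as an authentication failure rather than a key-exchange failure: both sides still compute the same g^xy, but everything derived from SKEYID differs.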


Page 22
   Hashed Message Authentication
   Code (HMAC)
     Additional security for MD5 and SHA-1 hash
     Provides encryption for hash
     HMAC-MD5-96 (HMAC-MD5)
           Performs MD5 hashing algorithm
           Encrypts hash with shared secret key
           128-bit hash truncated to 96-bits
     HMAC-SHA-1-96 (HMAC-SHA-1)
           Performs SHA-1 hashing algorithm (more secure than MD5)
           Encrypts hash with shared secret key
           160-bit hash truncated to 96 bits
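An added example, not part of the original course material, that ties together the AH and ESP slides (Authentication Header, IPSec Modes used with AH, IPSec Modes used with ESP) and the 96-bit truncation described on this slide. It models transport-mode AH and ESP on a constructed packet: the AH ICV is HMAC-SHA-1-96 over the non-mutable header fields and the payload, so an ordinary router hop (TTL decrement) still verifies but a NAT rewrite of the source address does not; the ESP ICV is HMAC-MD5-96 over only the ESP header and ciphertext, so the same NAT rewrite leaves it valid while any change to the ESP data is caught. The cipher is a labelled XOR stand-in for DES, which the Python standard library lacks; keys and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Constructed keys; in IPSec both come out of the IKE/Diffie-Hellman exchange.
AUTH_KEY = b"constructed-authentication-key"
ENC_KEY = b"constructed-encryption-key"
ESP_PROTO = 50


@dataclass
class IPPacket:
    src: str          # non-mutable header fields: source, destination, protocol
    dst: str
    proto: int
    ttl: int          # mutable field: every router decrements it in transit
    payload: bytes


def hmac96(key, data, algo):
    """HMAC-MD5-96 / HMAC-SHA-1-96: the full keyed HMAC (128 or 160 bits)
    truncated to its first 96 bits (12 bytes), which becomes the ICV."""
    return hmac.new(key, data, algo).digest()[:12]


def immutable_header(pkt):
    """What AH covers in the IP header: addresses and protocol, with the mutable
    TTL treated as zero so ordinary forwarding does not break the hash."""
    return (ipaddress.IPv4Address(pkt.src).packed
            + ipaddress.IPv4Address(pkt.dst).packed
            + bytes([pkt.proto, 0]))


def ah_protect(pkt):
    """Transport-mode AH: ICV over non-mutable header fields plus payload."""
    return hmac96(AUTH_KEY, immutable_header(pkt) + pkt.payload, hashlib.sha1)


def ah_verify(pkt, icv):
    return hmac.compare_digest(ah_protect(pkt), icv)


def toy_cipher(key, data):
    """Stand-in for DES (not in the standard library): XOR with a keystream of
    SHA-1(key || counter) blocks. Symmetric, so the same call decrypts.
    Illustration only, not a real cipher."""
    stream = b"".join(hashlib.sha1(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 20 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_protect(pkt, spi, seq):
    """Transport-mode ESP: payload encrypted; ICV over the ESP header (SPI and
    sequence number) and the ciphertext only, never the outer IP header."""
    esp_header = struct.pack("!II", spi, seq)
    ciphertext = toy_cipher(ENC_KEY, pkt.payload)
    icv = hmac96(AUTH_KEY, esp_header + ciphertext, hashlib.md5)
    return IPPacket(pkt.src, pkt.dst, ESP_PROTO, pkt.ttl, esp_header + ciphertext + icv)


def esp_open(pkt):
    """Verify the ESP ICV and decrypt; returns None when the ICV does not match."""
    body, icv = pkt.payload[:-12], pkt.payload[-12:]
    if not hmac.compare_digest(hmac96(AUTH_KEY, body, hashlib.md5), icv):
        return None
    return toy_cipher(ENC_KEY, body[8:])          # skip the 8-byte ESP header


def forward(pkt, nat_src=None):
    """One hop: TTL decremented; a NAT device additionally rewrites the source."""
    return IPPacket(nat_src or pkt.src, pkt.dst, pkt.proto, pkt.ttl - 1, pkt.payload)


def demo():
    pkt = IPPacket("10.1.1.10", "10.2.2.20", 6, 64, b"constructed application data")
    icv = ah_protect(pkt)
    esp_pkt = esp_protect(pkt, spi=0x1001, seq=1)
    natted_esp = forward(esp_pkt, nat_src="203.0.113.5")
    body = natted_esp.payload
    tampered = IPPacket(natted_esp.src, natted_esp.dst, natted_esp.proto, natted_esp.ttl,
                        body[:10] + bytes([body[10] ^ 1]) + body[11:])
    return {
        # plain routing only changes the TTL, which AH excludes: still verifies
        "ah_after_hop": ah_verify(forward(pkt), icv),
        # NAT rewrites the source address, which AH covers: hash invalidated
        "ah_after_nat": ah_verify(forward(pkt, nat_src="203.0.113.5"), icv),
        # ESP never authenticated the outer header, so NAT leaves its ICV valid
        "esp_after_nat": esp_open(natted_esp) == pkt.payload,
        # but any change to the ESP header or ciphertext is caught
        "esp_tamper_detected": esp_open(tampered) is None,
        "icv_len_md5_96": len(hmac96(AUTH_KEY, b"x", hashlib.md5)),
        "icv_len_sha1_96": len(hmac96(AUTH_KEY, b"x", hashlib.sha1)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```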



Page 23
   IKE Overview

     Synonymous with ISAKMP
     Two-phase process:
           IKE Phase One:
             IKE peers authenticate each other
             Negotiates secure channel between peers – IKE Security
              Association
             D-H key agreement occurs here
           IKE Phase Two:
             IPSec SA is negotiated
             D-H key agreement may be performed again in this phase




Page 24
   IKE Peer Authentication

     Preshared keys
           Same key manually configured on each peer
           Easy to implement
           Does not scale well
     RSA signatures
           Public key from CA is used to authenticate peer
           Highly scalable
     RSA encryption
           Pseudorandom number (nonce) is hashed
           Hash is encrypted with peer’s public key (from CA)
     Peer identity is typically
           IP address
           FQDN

Page 25
   Digital Certificates

     Issued by trusted CAs after registration by client
     Certificate is signed by CA
     Contains:
           Client’s identity
           Certificate serial number
           Certificate expiration date
           Client’s public key
     Format is X.509
     CAs include:
           VeriSign OnSite
           Entrust PKI
           Baltimore CA
           Microsoft CA
Page 26
   The IPSec Process

     Step 1 – IPSec process initiated by interesting traffic
     Step 2 – IKE Phase One
           IPSec peer authentication
           Negotiation of IKE SAs
           Establishment of secure channel for IPSec SA negotiation
     Step 3 – IKE Phase Two
     Step 4 – Data transfer
     Step 5 – Termination of the IPSec tunnel




Page 27
   IPSec Step 1 –
   Define Interesting Traffic
     Identify which traffic must use IPSec connections.
     Cisco IOS Routers and PIX Firewalls
           Access control lists define interesting traffic.
              Permit entries – force IPSec encryption
              Deny entries – sent unencrypted
           ACLs are applied in crypto policies.
     VPN Clients
           Secure connections selected from menus
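How a crypto ACL decides which packets are "interesting", as an added Python example that is not from the course: it parses Cisco-style extended ACL lines with wildcard masks, evaluates them top down with first match wins, sends a permit match through IPSec, and sends everything else (a deny match or no match at all, i.e. the implicit deny) in the clear. The ACL entries and sample flows are constructed for illustration.

```python
import ipaddress

# Constructed crypto ACL in Cisco IOS extended-ACL syntax (wildcard masks, not
# prefix lengths). Entries are evaluated top down and the first match decides;
# anything unmatched hits the implicit deny at the end and goes out unencrypted.
CRYPTO_ACL = [
    "deny   ip  host 10.1.1.10 10.2.2.0 0.0.0.255",          # management host stays clear
    "permit ip  10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",      # HQ LAN to branch LAN
    "permit tcp 10.1.1.0 0.0.0.255 host 10.3.3.3 eq 1433",   # one partner database server
]


def parse_address(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W')
    and return (base, wildcard, remaining tokens) with addresses as integers."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])), tokens[2:]


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' into a dict."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, src_wild, rest = parse_address(tokens[2:])
    dst, dst_wild, rest = parse_address(rest)
    dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "src_wild": src_wild,
            "dst": dst, "dst_wild": dst_wild, "dport": dport}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return (wildcard_match(int(ipaddress.IPv4Address(pkt["src"])), ace["src"], ace["src_wild"])
            and wildcard_match(int(ipaddress.IPv4Address(pkt["dst"])), ace["dst"], ace["dst_wild"]))


def classify(acl_lines, pkt):
    """'ipsec' when the first matching entry is a permit; 'clear' for a deny
    match or for no match at all (the implicit deny)."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return "ipsec" if ace["action"] == "permit" else "clear"
    return "clear"


if __name__ == "__main__":
    # constructed sample flows
    flows = [
        {"src": "10.1.1.20", "dst": "10.2.2.5", "proto": "tcp", "dport": 80},
        {"src": "10.1.1.10", "dst": "10.2.2.5", "proto": "tcp", "dport": 80},
        {"src": "10.1.1.20", "dst": "10.3.3.3", "proto": "tcp", "dport": 1433},
        {"src": "10.1.1.20", "dst": "198.51.100.7", "proto": "udp", "dport": 53},
    ]
    for flow in flows:
        print(f"{flow['src']} -> {flow['dst']}/{flow['proto']}/{flow['dport']}: "
              f"{classify(CRYPTO_ACL, flow)}")
```

Order matters: the deny for the management host has to sit above the broader permit, otherwise the permit would match first and that host's traffic would be encrypted too.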




Page 28
   IPSec Step 2 – IKE Phase One

         Authentication of peers
         Negotiation of matching security association
         D-H key exchange – establish shared secret key
         Establish secure tunnel for IKE Phase Two
         IKE Phase One has two modes
           Main mode
           Aggressive mode
              Identity data is transferred in the clear
              Not as secure as Main mode
              Faster than Main mode




Page 29
   IPSec Step 3 – IKE Phase Two

         Negotiate IPSec SA parameters.
         Establish IPSec SA.
         Renegotiate IPSec SAs periodically.
         Perform Diffie-Hellman exchange (optional).
         One mode in IKE Phase Two – Quick Mode.
         Perfect Forward Secrecy (PFS).
           New D-H exchange performed with each quick mode
           Provides greater resistance to crypto attacks
           D-H exchanges:
              Large exponentiations
                 Heavy CPU utilization
                 Performance degradation
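An added example (not part of the original material) of what PFS changes in quick mode. The KEYMAT formulas follow RFC 2409: without PFS the per-SA keys are a function of SKEYID_d plus values carried in the quick-mode messages; with PFS a fresh Diffie-Hellman exponent per quick mode is mixed in, which is where the extra large exponentiations (and the CPU cost noted above) come from and why the keys of earlier SAs stay protected should SKEYID_d later be exposed. The DH group is an assumed toy prime and SKEYID_d is a constructed constant.

```python
import hashlib
import hmac
import secrets
import struct

# Toy-sized group for the optional quick-mode Diffie-Hellman exchange
# (illustration only; IKE uses the 768-bit and 1024-bit MODP groups).
P = 2**127 - 1
G = 2
PROTO_ESP = 3            # IPSec DOI protocol identifier for ESP (AH is 2)


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def quick_mode_keymat(skeyid_d, spi, ni, nr, gqm_xy=None):
    """Keying material for one IPSec SA, following RFC 2409 quick mode:
       without PFS:  KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
       with PFS:     KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)"""
    prefix = b"" if gqm_xy is None else gqm_xy.to_bytes(16, "big")
    return prf(skeyid_d, prefix + bytes([PROTO_ESP]) + struct.pack("!I", spi) + ni + nr)


def rekey_series(skeyid_d, rounds, pfs):
    """Simulate `rounds` periodic SA renegotiations. Returns the KEYMAT of each
    round, how many modular exponentiations the two peers performed in total,
    and how many rounds' KEYMAT can be recomputed from SKEYID_d plus only the
    values carried in the quick-mode messages (SPI, nonces, public DH values)."""
    keymats, exponentiations, recomputable = [], 0, 0
    for i in range(rounds):
        spi = 0x1000 + i
        ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)   # constructed nonces
        if not pfs:
            keymats.append(quick_mode_keymat(skeyid_d, spi, ni, nr))
            # every input besides SKEYID_d travelled in quick mode, so the
            # same call reproduces the key: no forward secrecy per SA
            recomputable += quick_mode_keymat(skeyid_d, spi, ni, nr) == keymats[-1]
        else:
            xi, xr = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
            gxi, gxr = pow(G, xi, P), pow(G, xr, P)          # one exponentiation per peer
            gxy = pow(gxr, xi, P)                             # initiator's result
            if gxy != pow(gxi, xr, P):                        # responder's result
                raise RuntimeError("DH mismatch")
            exponentiations += 4
            keymats.append(quick_mode_keymat(skeyid_d, spi, ni, nr, gxy))
            # gxi and gxr were sent, xi and xr were not: g^xy cannot be rebuilt
            # from SKEYID_d and the recorded messages, so recomputable stays 0
    return keymats, exponentiations, recomputable


if __name__ == "__main__":
    d = b"constructed-SKEYID_d-from-phase-one"
    for pfs in (False, True):
        keymats, exps, rec = rekey_series(d, 5, pfs)
        print(f"PFS={pfs}: {len(set(keymats))} distinct KEYMATs, "
              f"{exps} exponentiations, {rec} recomputable from SKEYID_d alone")
```

The trade-off on the slide is visible in the counters: PFS costs four modular exponentiations per rekey (two per peer) that the non-PFS path does not pay, and in return none of the per-SA keys can be reconstructed from SKEYID_d and the recorded exchange.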

Page 30
   IPSec Step 4 – IPSec Encrypted
   Tunnel
     Secure IPSec tunnel is established
     Data packets are exchanged between peers using
           Defined packet authentication
           Defined packet encryption




Page 31
   IPSec Step 5 – Tunnel
   Termination
     SAs terminate through
           Deletion
           Timeout
     When SAs expire, IPSec tunnel is torn down
     If interesting traffic still exists, a new tunnel must be
      established




Page 32
   Security Associations (SAs)

     An SA is a description of the negotiated security policy
      between two peers.
     SAs are unidirectional
           There must be an inbound and outbound SA on each device to
            hold a bidirectional conversation.
           There must be identical, corresponding SAs on peer pairs.
           To communicate with multiple peers, a host must establish a
            separate set of SAs for each peer.




Page 33
   Security Associations (SAs) (cont’d)

     SAs typically contain
           Peer address
           Security parameter index (SPI) – unique per SA
           IPSec transforms to use for the session
           Security keys
           SA lifetime
           Additional parameters
     Separate SAs for IKE and IPSec
     Separate SAs for AH and ESP
     SAs are stored in Security Parameter Database located in
      DRAM

Page 34
   IPSec SA Usage

     Host has data requiring IPSec protection to peer
     Host looks up outbound SA for this peer
     Host performs encryption and authentication required by
      SA
     Host inserts SPI from SA into IPSec header
     Host transmits packet to peer
     Peer extracts SPI from IPSec header
     Peer uses SPI to locate correct SA
     Peer performs authentication and decryption specified by
      SA to open the packet for processing
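The SA usage procedure above, as an added Python model that is not the concentrator's or IOS implementation: a small SA database with separate unidirectional SAs per peer and protocol, outbound selection by peer, inbound lookup by the SPI carried in the header, and the optional antireplay service as a 64-packet sliding window. Peer addresses, SPIs, transform names and keys are constructed values.

```python
from dataclasses import dataclass

REPLAY_WINDOW = 64      # sequence numbers tracked behind the highest one seen


@dataclass
class SecurityAssociation:
    """One unidirectional SA holding the fields the slide lists."""
    spi: int
    peer: str
    protocol: str         # "AH" or "ESP": separate SAs for each
    transform: str        # transform set negotiated for the session
    key: bytes
    lifetime_s: int
    seq: int = 0          # outbound: last sequence number sent
    highest_seq: int = 0  # inbound: right edge of the antireplay window
    window: int = 0       # inbound: bitmap of already-received numbers


def antireplay_accept(sa, seq):
    """Sliding-window replay check in the style of RFC 2401: a new highest
    number slides the window, an unseen number inside it is marked received,
    and duplicates, zero, or anything older than the window are rejected."""
    if seq == 0:
        return False
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        if shift >= REPLAY_WINDOW:
            sa.window = 1
        else:
            sa.window = ((sa.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
        sa.highest_seq = seq
        return True
    offset = sa.highest_seq - seq
    if offset >= REPLAY_WINDOW or (sa.window >> offset) & 1:
        return False
    sa.window |= 1 << offset
    return True


class SADB:
    """Security association database: outbound SAs chosen by peer, inbound SAs
    located by the SPI carried in the AH/ESP header."""

    def __init__(self):
        self.outbound = {}     # (peer, protocol) -> SA
        self.inbound = {}      # (spi, protocol) -> SA

    def install_pair(self, peer, protocol, transform, out_spi, in_spi, out_key, in_key, lifetime_s):
        """A bidirectional conversation needs one SA per direction; the peer
        installs the corresponding pair with the directions swapped."""
        self.outbound[(peer, protocol)] = SecurityAssociation(out_spi, peer, protocol, transform, out_key, lifetime_s)
        self.inbound[(in_spi, protocol)] = SecurityAssociation(in_spi, peer, protocol, transform, in_key, lifetime_s)

    def send(self, peer, protocol):
        """Outbound path: look up the SA for this peer, advance its sequence
        number and return the header fields (SPI, seq) the peer will read."""
        sa = self.outbound[(peer, protocol)]
        sa.seq += 1
        return sa.spi, sa.seq

    def receive(self, spi, protocol, seq):
        """Inbound path: locate the SA from the SPI, run the antireplay check and
        return the SA whose keys authenticate/decrypt the packet, or None to drop."""
        sa = self.inbound.get((spi, protocol))
        if sa is None or not antireplay_accept(sa, seq):
            return None
        return sa


def demo():
    hq = SADB()
    # constructed peers, SPIs and keys; a second peer gets its own SA set
    hq.install_pair("192.0.2.2", "ESP", "esp-des esp-md5-hmac", 0x1001, 0x2002, b"k-out-1", b"k-in-1", 3600)
    hq.install_pair("192.0.2.3", "ESP", "esp-des esp-md5-hmac", 0x1003, 0x2003, b"k-out-2", b"k-in-2", 3600)
    headers = [hq.send("192.0.2.2", "ESP") for _ in range(3)]
    return {
        "outbound_headers": headers,
        "inbound_accepted": hq.receive(0x2002, "ESP", 1) is not None,
        "replay_dropped": hq.receive(0x2002, "ESP", 1) is None,       # same seq again
        "unknown_spi_dropped": hq.receive(0x9999, "ESP", 2) is None,
        "outbound_spi_not_inbound": hq.receive(0x1001, "ESP", 2) is None,
        "separate_sas_per_peer": hq.outbound[("192.0.2.2", "ESP")] is not hq.outbound[("192.0.2.3", "ESP")],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```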

Page 35
   CA Support

     Certificate Authority (CA) servers
           Manage certificate requests
           Issue certificates to registered devices
           Provide centralized key management
     Digital certificates contain
           Device’s identity (name, IP address, serial number, etc.)
           Device’s public key
           CA’s signature
     Devices use private key to create digital signature
     Receiver uses device’s public key to authenticate


Page 36
   CA Support (cont’d)

     Receiver must know the CA’s public key to validate a digital
      certificate – often configured out-of-band
     CA usage in IPSec
           Peer authentication
           IKE Phase One
     Scalability
           Each IPSec participant registers with CA during initial
            configuration of device.
           Digital signatures and CA support allow peers to dynamically
            establish IPSec communications.
           Existing devices do not require reconfiguration to support new
            devices.


Page 37
   Digital Signatures

     Each entity generates their own
           Private key
              Which is maintained on the entity and never shared
           Public key
              Sent to CA
              Packaged in digital certificate
     Digital certificate
           Signed by CA
           Sent to peer
           Validated by peer using CA public key
     Digital signature is produced by encrypting a message
      hash with the entity’s private key
     Digital signature is authenticated by receiver using
      entity’s public key from digital certificate
Page 38
   Certificate Authorities

     CA – trusted third party
           Create certificates
           Administer certificates
           Revoke certificates
     CA’s digital signature authenticates digital certificate
     Current CAs include
           Entrust
           GTE Cybertrust
           Network Associates PGP
           Baltimore
           Microsoft
           Verisign

Page 39
   Registration Authority (RA)

     Proxy for CA
     Provides some CA functions
           Certificate enrollment
           Certificate distribution




Page 40
   Public Key Infrastructure (PKI)

     System used to control all aspects of digital certificates
     Two PKI models:
           Central authority
              Single authority signs all certificates
              That authority’s public key is used to validate all certificates
           Hierarchical authority
              Ability to sign certificates is delegated
              Root signs certificates for subordinate authorities
              Subordinate CAs sign certificates for lower-level CAs
              User certificate must be validated up through chain




Page 41
   Review Question 1

     Which IKE Phase Two option can cause excessive CPU
      utilization and adversely affect system performance?




Page 42
   Review Question 2

     What information is contained within a digital certificate?




Page 43
VPN 3000
Concentrator Series
Hardware Overview
   Overview

     You will achieve the following objectives by the end of
      this section
           Identify the various Cisco products that support VPN technology.
           Identify the Cisco IOS routers that support VACs, cable, and
            DSL VPN connections.
           List the current models of PIX Firewalls that support IPSec
            technology.
           List the VPN Concentrator models that utilize Scalable
            Encryption Processing (SEP) modules for hardware-based
            encryption.




Page 45
   Cisco Products Supporting VPNs

     This course considers IPSec VPNs only.
     Cisco devices offer other types of VPN capabilities.
     Current IPSec-capable hardware:
           Cisco IOS routers
           Cisco Secure PIX Firewalls
           Cisco VPN Concentrators




Page 46
   Cisco IOS Routers

     VPN capability is determined by IOS version
     Licensing options support:
           Firewall
           VPNs (supported since version 11.3(T))
           Intrusion detection
           Secure administration
     Some models support VPN Accelerator Cards (VACs):
           2600, 3600, 7140, and 7200 series
           Provides superior performance for DES and 3DES encryption




Page 47
   Cisco IOS Routers (cont’d)

     uBR900 series supports cable VPNs
     1400 series supports Cable and DSL VPNs
     Cisco 7100 series VPN routers are designed to primarily
      support VPNs
     Support site-to-site and client-to-site VPNs
     Licensing available for DES and 3DES encryption
           3DES has strict licensing requirements.




Page 48
   Cisco Secure PIX Firewalls

     VPN services – OS version 5.0 or greater
     Not routers – CLI uses router-like commands
     Current models:
           506:   fixed format; 10 Mbps
           515:   upgradeable; 120 Mbps; 125,000 concurrent sessions
           525:   upgradeable; 370 Mbps; 280,000 concurrent sessions
           535:   upgradeable; 1.0 Gbps; 500,000 concurrent sessions
     Retired models:
           520: 370 Mbps; 250,000 concurrent sessions




Page 49
   Cisco Secure PIX Firewalls (cont’d)

     515, 520, 525, and 535 series support VPN VACs.
           100 Mbps
           2,000 simultaneous tunnels
           168-bit 3DES
     PIX Firewalls support both site-to-site and client-to-site
      VPNs.
     Support DES and 3DES, with proper licensing.




Page 50
   Cisco VPN Concentrators

     Two series: VPN 3000 and VPN 5000
     VPN 3000 Scalable Encryption Processing (SEP)
      modules perform hardware-based cryptographic
      functions.
           Random-number generation
           MD5 and SHA-1 hash transforms for authentication
           DES and 3DES encryption and decryption
     VPN 3000 Client (unlimited distribution license) included
      with each VPN 3000




Page 51
   Cisco VPN Concentrators (cont’d)

           Feature                 VPN 3005   VPN 3015   VPN 3030         VPN 3060         VPN 3080
           Simultaneous Users      100        100        1,500            5,000            10,000
           Redundancy              No         Yes        Yes              Yes              Yes
           Upgradeable             No         Yes        Yes              Yes              No
           Encryption Method       Software   Software   Hardware (SEP)   Hardware (SEP)   Hardware (SEP)
           Encryption Throughput   4 Mbps     4 Mbps     50 Mbps          100 Mbps         100 Mbps
           Site-to-site Tunnels    100        100        500              1,000            1,000




Page 52
   Cisco VPN 3002 Client

     Hardware client supporting attachment to clients running
      a mixture of operating systems, including:
           Windows
           Linux
           Solaris
           Mac
           Other
     Simplifies client-side configuration
     Scalable to tens of thousands of users




Page 53
   Review Question 3

     What was the earliest Cisco IOS that supported VPNs?




Page 54
   Review Question 4

     What is a SEP?




Page 55
Cisco VPN 3000
Concentrator for
Remote Access
Using Preshared Keys
   Overview

     You will achieve the following objectives by the end of
      this section:
           Identify the steps you need to take to perform the initial CLI
            configuration of your VPN 3000 Concentrator.
           Perform general system configuration using the VPN 3000
            Concentrator Series Manager.
           Configure groups on the VPN 3000 Concentrator.
           List the parameters that are established on the Identity tab when
            configuring a new VPN group.
           Enter appropriate configuration settings on the General tab when
            configuring a new VPN group.




Page 57
   Overview (cont’d)

     You will achieve the following objectives by the end of
      this section:
           Select the appropriate IKE and IPSec authentication and
            encryption processes from the IPSec tab when configuring a new
            VPN group.
           Configure the VPN 3000 Concentrator for either internal or
            external user authentication.
           Configure the remote access client to use preshared keys.




Page 58
   VPN 3000 Remote Access

     Accommodates mobile users or remote offices
     Provides VPN through group access on VPN concentrator
     May use preshared keys or digital certificates
           Both require conversation between client and VPN administrator
            to share group information
     The process for preshared keys involves:
           Configuring IPSec for a group on the VPN concentrator.
           Optionally configuring users on the VPN for local user
            authentication.
           Configuring the VPN client to access the group.




Page 59
   Initial Configuration

     Primary configuration is done through browser-based
      VPN 3000 Concentrator Series Manager
     Initial configuration of Private interface required to allow
      HTTP connectivity to the concentrator
     Connect to console port
           Straight Ethernet cable
           Terminal emulator on PC
           Modem settings 9600/8/N/1
     Initial login/password is admin/admin (for both CLI and
      browser)
     Set IP address, subnet mask, speed, and duplex – save
      before exiting the CLI menu
Page 60
   VPN 3000 Concentrator Series
   Manager
     With your browser, HTTP to the IP of the Private
      interface you just configured.
     Enter the login and password (admin/admin) to enter the
      Main menu of the manager.
     The left-hand frame shows three options:
           Configuration
           Administration
           Monitoring
     On initial entry, or after a reboot to factory default settings,
      the system presents the option to enter Quick Configuration for
      a minimal IPSec configuration.
     Save before rebooting or else all changes will be lost.
Page 61
   Basic VPN Concentrator
   Configuration
     Configuration | Interfaces
           Select Ethernet 2 (Public).
              Configure IP address, subnet mask, speed, and duplex
           Select and configure any other required interfaces.
     Configuration |System | IP Routing | Default Gateways
           Configure a default gateway for your system.
     Configuration | System | Address Management |
      Assignment
           Configure source of IP addresses for IPSec tunnels.
     Configuration | System | General
           Configure identification, time and date, sessions, and
            authentication parameters.

Page 62
   VPN Concentrator Groups

     LAN-to-LAN connections do not require Group settings.
           Configure IPSec through the Configuration | Tunneling Protocols
            screens.
     Remote Access requires Group configuration.
           Establishes authentication method – preshared key or digital
            signatures
           Group password becomes the preshared key if not using digital
            signatures
           IPSec parameters attached to group
     A base group can be established to provide inheritable
      settings for subordinate groups.


Page 63
   VPN Concentrator Groups

     To create a new group:
           Configuration | User Management | Groups
              Add Group
     Additional actions available:
           Modify Group
           Modify Authentication Servers
           Modify Accounting Servers
           Modify Address Pools
           Modify client Update
           Delete Group




Page 64
   Add Groups: Identity

     Identity tab:
           Provide a name for the group
           Provide and verify the password (preshared key)
     The group name and password will be required for each
      client that wants to connect to this group.
     Select the type of user authentication to use (External or
      Internal).




Page 65
   Add Groups: General

     General tab
           Used to control user access parameters
              Access Hours
              Simultaneous Logins
              Minimum Password Length
              Allow Alphabetic-only Passwords
              Idle Timeout
              Maximum Connect Time
           Primary and Secondary DNS and WINS server addresses
           Also used to select tunneling protocol for attachments to the
            group. You may select any combination of these
              PPTP
              L2TP
              IPSec
              L2TP over IPSec

Page 66
   Add Groups: IPSec

     IPSec tab
           Select the IPSec SA that you want to use.
           Select the Tunnel type to use.
              LAN-to-LAN
              Remote Access
           Select the user authentication mode.
              None
              RADIUS
              RADIUS with Expiry
              NT Domain
              SDI
              Internal



Page 67
   External User Authentication

     Configuration | User Management | Groups |
      Authentication Servers | Add
           Select from RADIUS, NT Domain, or SDI
           May configure multiple authentication servers of each type
           Add screen will be different for each type of authentication server
            you select
           Screen will display
              Authentication Server Address
              Server Port
              Timeout limit
              Retry limit
              Optional information specific to authentication type



Page 68
   Internal User Authentication

     If using internal authentication, you must add users to the
      VPN 3000 Concentrator’s internal database.
     Configuration | User Management | Users | Add
           Ties User to IPSec Group
              Supply this information
                   User Name
                   Password (and verify)
                   Group (from selection list)
                   IP Address
                   Subnet Mask




Page 69
   Configuring the Remote Access
   Client
     Cisco Systems VPN 3000 Client runs on Windows
      systems only:
           95, 98, 98(SE), ME, NT4.0(SP3), 2000, and XP
     Create a new Connection Entry to identify:
           VPN device to access.
           Preshared key or certificate information.
           Optional parameters.
     New Connection Entry Wizard allows you to specify
           Connection Entry name
           Brief description of Connection Entry (optional)
           Host name or IP address of the VPN device
           Wizard allows you to configure General, Authentication, and
            Connections settings
Page 70
   Connection Entry: General

     Transparent Tunneling – default is enabled
           IPSec over UDP – default is enabled
     If you need to access devices on your local LAN while
      connected to VPN, check Allow local LAN access.
           Unchecked – all traffic traverses IPSec connection
     Specify whether user is to log on to Microsoft Network
      and how to obtain logon credentials




Page 71
   Connection Entry: Authentication

     For Remote Access with preshared keys:
           Select Group Access information
              Provide Group Name
              Provide Group Password
              Confirm Group Password
           The section for Certificates is not used with preshared keys.




Page 72
   Connection Entry: Connections

     Optional capabilities can be configured on the
      Connections tab.
           Enable backup server(s)
           Connect to the Internet via dial-up
              Microsoft Dial-Up Networking
                 Phonebook Entry
           Third party dial-up application
              Application name




Page 73
   Review Question 5

     What must you first configure on your VPN 3000
      Concentrator before you can use the VPN 3000
      Concentrator Series Manager?




Page 74
   Review Question 6

     What are the initial login and password settings for the
      VPN 3000 Concentrator Series Manager’s administrator
      account?




Page 75
Cisco Secure VPN
3000 for Remote
Access Using Digital
Certificates
   Overview

     You will achieve the following objectives by the end of
      this section:
           Identify the various types of digital signatures that must be
            present for authentication with digital signatures.
           Describe X.509 digital certificates and X.500 distinguished
            names.
           Perform certificate enrollment on a VPN 3000 Concentrator.
           Describe the steps used to validate a peer’s digital certificate.
           List the components of a CRL.
           Configure digital certificate support between a VPN 3000
            Concentrator and a client.
           Describe how an IPSec SA connects digital certificates and IKE
            proposals.


Page 77
   Remote Access with Certificates

     Similar to process of using preshared keys
     Steps include
           Certificate generation on VPN 3000
           Certificate validation
           VPN 3000 CA support
           VPN Client configuration for digital signatures




Page 78
   Certificate Review

     Certificate types:
           CA Certificate – used to sign other certificates
              Root Certificate – self-signed by CA
              Subordinate Certificate – issued by another CA
           Identity Certificate – for specific system or host
     VPN Concentrator must have:
           At least one identity certificate
           At least one CA certificate (from the CA that issued the identity
            certificate)
           (Optional) One Secure Sockets Layer (SSL) certificate
     Certificates and private keys are stored in Flash:
           Keys are stored encrypted
           Keys and certificates are hidden from the file manager
Page 79
   Certificate Review                        (cont’d)

     CA encrypts certificates with private key.
     Peers decrypt certificates with CA’s public key
           From the root certificate obtained during enrollment with CA
     VPN Concentrators support X.509 digital certificates.




Page 80
   Viewing Digital Certificate

     Administration | Certificate Management | View
           Subject and Issuer X.500 Distinguished Names
           Certificate Serial Number
           Signing Algorithm
           Public Key Type
           Certificate Usage
           MD5 Thumbprint
           SHA1 Thumbprint
           Validity
           CRL Distribution Point




Page 81
   X.500 Distinguished Names

     X.500 distinguished names consist of six attributes, listed
      in order from most descriptive to least descriptive:
           CN (Common Name): the name of a person, system, or other
            entity
           OU (Organizational Unit): the subgroup within the organization
           O (Organization): the name of the company, institution, agency,
            association, or other entity
           L (Location): the city or town where the organization is located
           SP (State or Province): where the organization is located
           C (Country): the two-letter country abbreviation
     Analogous to postal address


Page 82
   Certificate Enrollment Process

     Administrator creates Public Key Cryptography
      Standards (PKCS) #10 certificate request on concentrator
           Concentrator generates public/private key pair
              Includes public key with PKCS#10 request
              Stores encrypted private key in Flash
     PKCS#10 transmitted to CA
     CA authenticates PKCS#10
     CA generates identity certificate
     CA generates and encrypts hash of certificate
     Identity certificate returned to concentrator
     Concentrator authenticates and stores certificate
Page 83
   Concentrator Enrollment

     Administration | Certificate Management | Enroll |
      Identity Certificate | PKCS10
           Provide the following information
              Common Name (CN)
              Organizational Unit (OU)
              Organization (O)
              Locality (L)
              State/Province (SP)
              Country (C)
              Subject Alternative Name (FQDN)
              Subject Alternative Name (E-Mail Address)
              Key Size – from options list



Page 84
   Manual Enrollment Process

     PKCS#10 certificate request is created on concentrator
      and sent to CA
     Root, subordinate (if needed), and identity certificates are
      transferred to a PC
     Certificates are loaded into concentrator
           Root certificate is always loaded first
           Subordinate certificate(s) are loaded next
           Identity certificate is loaded last




Page 85
   Certificate Validation

     IPSec peers exchange digital certificates during IKE
      process.
     Each peer validates the other’s certificate.
           It must be signed by a trusted CA.
              The validating peer must have previously registered with the same
               CA in order to obtain the CA’s public key.
           The certificate must not have expired.
           The certificate must not be on a certificate revocation list (CRL).
     Validation in hierarchical CA structures
           Peer certificate is validated with subordinate CA public key.
           Public key of root CA certificate is used to validate subordinate
            CA certificate.


Page 86
   Certificate Revocation List (CRL)

     CRLs are issued by a CA, covering certificates that were
      issued by the CA
     CRL contains:
           Name of CA issuing the CRL
           Effective date
           Expected date of next update
           List of revoked certificate serial numbers with revocation date
     In hierarchical CA structures, CRL distribution point may
      differ from root CA




Page 87
   Concentrator Configuration for
   Digital Certificates
     Four-step process:
           Activate an IKE RSA proposal.
           Configure an SA to use the concentrator’s identity certificate.
           Create a group for certificate connections.
           Configure the Client for certificates.




Page 88
   Activating an IKE RSA Proposal

     Configuration | System | Tunneling Protocols | IPSec |
      IKE Proposals
           Select RSA IKE proposals and make them active.
           Change their order to place preferred proposals first.
           Modify to view or edit configuration settings.




Page 89
   Modifying an IKE RSA Proposal

     Configuration | System | Tunneling Protocols | IPSec |
      IKE Proposals | Modify (or Add if starting a new
      proposal)
           Proposal Name – provide a name if one does not exist.
            Remember this name for later configuration.
           Authentication Mode - set to RSA Digital Certificate.
           Select additional configuration settings.
              Authentication Algorithm
              Encryption Algorithm
              Diffie-Hellman Group
              SA Lifetime




Page 90
   Configure an SA to use
   Certificates
     Configuration | Policy Management | Traffic
      Management | Security Associations
           Select from preconfigured SAs, Add a new SA, or Modify an
            existing SA to match your IKE proposal.




Page 91
   Modifying an Existing SA

     Configuration | Policy Management | Traffic
      Management | Security Associations | Modify
           SA Name – create a name to identify this security association
           Digital Certificate – select the name of the Identity Certificate to
            use
           IKE Proposal – select the name of the IKE Proposal to use
           Modify IPSec or IKE parameters as required




Page 92
   Create a Group for Certificate
   Connections
     Configuration | User Management | Groups | Add
           IPSec SA – Select the SA you have just configured
     Link SA to group
     SA links to use of digital certificates
     Group name must match the OU from the X.500 distinguished
      name of the clients using this group.
           If different OUs are needed, you must create a separate group
            for each.
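The OU-to-group rule above, together with the six X.500 attributes listed on the earlier Distinguished Names slide, as an added example (not course material or Cisco code): a small DN parser and the exact-match group lookup. The group names and SA names are constructed for the example.

```python
"""X.500 distinguished names and VPN 3000 group selection.

Added example, not part of the original course material or Cisco code.
parse_dn() splits a DN given in string form (comma-separated
attribute=value pairs, backslash escapes as in RFC 2253) into the six
attributes the slides list; match_group() applies the concentrator rule
that the client's OU must exactly equal a configured group name.
"""

# The six attributes from the slide, most descriptive to least descriptive.
DN_ATTRIBUTES = ("CN", "OU", "O", "L", "SP", "C")
# The concentrator labels State/Province "SP"; most other software writes
# "ST" for the same attribute, so accept both on input.
ATTRIBUTE_ALIASES = {"ST": "SP"}


def parse_dn(dn: str) -> dict:
    """Parse 'CN=student1, OU=training, O=Cisco, ...' into a dict.

    A backslash escapes the next character, so a comma inside a value
    ('CN=Smith\\, John') does not split the value. One value per
    attribute, as the slides describe; duplicates are rejected.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))

    attrs = {}
    for part in parts:
        if not part.strip():
            continue                    # tolerate a trailing separator
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().upper()
        key = ATTRIBUTE_ALIASES.get(key, key)
        if key not in DN_ATTRIBUTES:
            raise ValueError(f"unsupported attribute type: {key}")
        if key in attrs:
            raise ValueError(f"duplicate attribute: {key}")
        attrs[key] = value.strip()
    return attrs


def format_dn(attrs: dict) -> str:
    """Render the attributes in the slide's order, escaping commas."""
    rdns = []
    for key in DN_ATTRIBUTES:
        if key in attrs:
            value = attrs[key].replace(",", "\\,")
            rdns.append(f"{key}={value}")
    return ",".join(rdns)


def match_group(dn: str, groups: dict) -> tuple:
    """Return (group_name, reason); group_name is None when no group fits.

    The comparison is exact and case-sensitive: 'Training' does not select
    group 'training', which is why the OU field needs care at enrollment
    and why a separate group is needed for every OU in use.
    """
    ou = parse_dn(dn).get("OU")
    if ou is None:
        return None, "certificate subject carries no OU"
    if ou not in groups:
        return None, f"no group named {ou!r} on the concentrator"
    return ou, f"group {ou!r} selected, IPSec SA {groups[ou]['ipsec_sa']}"


# Constructed sample configuration (hypothetical names, not from the course):
# group name -> the SA assigned to that group under User Management.
CONCENTRATOR_GROUPS = {
    "training": {"ipsec_sa": "ESP-3DES-SHA-CERT"},
    "sales": {"ipsec_sa": "ESP-DES-MD5-CERT"},
}

if __name__ == "__main__":
    subject = "CN=student1, OU=training, O=Cisco, L=Austin, SP=Texas, C=US"
    print(parse_dn(subject))
    print(match_group(subject, CONCENTRATOR_GROUPS))
    print(match_group("CN=pc7,OU=Training,O=Cisco,C=US", CONCENTRATOR_GROUPS))
```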




Page 93
   Review Question 7

     What does a VPN 3000 Concentrator use to validate a
      peer’s digital certificate?




Page 94
   Review Question 8

     What is a CRL?




Page 95
Cisco Secure VPN
3000 Remote Access
Networks
   Overview

     You will achieve the following objectives by the end of
      this section:
           Use the VPN 3000 Concentrator Series Manager to monitor and
            administer VPN concentrators.
           Identify the information that can be viewed from the Monitoring |
            System Status screen.
           List the capabilities of the Monitoring | Sessions set of screens.
           Log out sessions on the Administration | Sessions screen.
           Perform a software update and activate the new software.
           Enable additional administrator accounts and describe the
            options available to control administrator activity.




Page 97
   Monitoring the VPN Concentrator

     VPN 3000 Concentrator Series Manager can be used to
      fully monitor and administer the concentrators.
     Monitoring allows viewing of routing tables, event logs,
      system status, sessions, and statistics.
           Sessions – also provides access to top ten sessions




Page 98
   Monitoring Routing Tables

     VPN Concentrators can provide routing functions:
           RIP
           OSPF
     Monitoring | Routing Tables allows you to view current
      routing table
           Available data fields
              IP Address and subnet mask
              Next hop IP address
              Next hop interface
              Protocol that created entry
              Entry age and metric
           Click on Refresh to update screen


Page 99
   Monitoring Event Logs

    Two ways to monitor event logs:
        Filterable
        Live
    Filterable Event Log viewing provides selection of:
        Event class to view
        Severity level to view
        Events per page limiting
        Selection by client IP address
        Sort order
        Saving log files
        Retrieving saved log files
        Clearing the active log

Page 100
   Monitoring System Status

    Monitoring | System Status provides information on
     both hardware and software
    Static information – loaded at boot-up
        Bootcode and software revision
        Uptime and RAM size
    Dynamic information
        Fan speed and system temperature
        CPU utilization, active sessions, and throughput
    Active links
        Front panel, power supply, Ethernet interfaces, SEP modules



Page 101
   Monitoring LED Status

    Monitoring | System Status | LED Status
        Amber system light indicates system has crashed.
        Toggle button lets you select from CPU utilization, active
         sessions, or throughput.




Page 102
   Monitoring Interfaces

    Clicking on any of the interfaces in the System Status
     view will provide the following information:
        IP address of the interface
        Total number of packets sent and received since last system
         boot
            Unicast
            Broadcast
            Multicast
        Interface status
            UP = configured, enabled, and ready to pass data traffic
            DOWN = configured but disabled
            Testing = test mode; will not pass regular data traffic
            Dormant = configured and enabled; waiting for a connection
            Not Present = missing hardware components
            Lower Layer Down = lower layer is down; not operational
            Unknown = not configured
Page 103
   Monitoring Sessions

    The Monitoring | Sessions screen shows summary and
     detailed information for active user and administrator
     sessions grouped into four categories:
        Session Summary
            Number of active connections in each of next three categories
        LAN-to-LAN Sessions
            Connection name, IP address, protocol, etc.
        Remote Access Sessions
            Username, public and assigned IP addresses, protocol, encryption
             method, connection time, duration, bytes transmitted and received
        Management Sessions
            Administrator account name, IP address, protocol, encryption, login
             time, and duration


Page 104
   Monitoring Sessions                       (cont’d)

    Clicking on a highlighted user or connection name brings
     up Monitoring | Sessions | Detail screen
        IKE Session, IPSec UDP Session, and Authenticated Users
    Top Ten Lists may be viewed by:
        Data – total bytes transmitted and received
        Duration – total time connected
        Throughput – average bytes per second
    Top Ten Lists display:
        Username, Group, IP Address, Protocol, Encryption, Login Time,
         and one of these
            Total Bytes
            Duration
            Avg. Throughput
Page 105
   Monitoring Statistics

    Monitoring | Statistics
        Provides menu of available protocols and services, including
            PPTP, L2TP, HTTP, IPSec, Events, Telnet, DNS, Authentication,
             Accounting, filtering, VRRP, SSL, DHCP, Address Pools, MIB-II
             statistics
    Monitoring | Statistics | IPSec
        Provides count information for data such as
            IKE Phase 1 Statistics
               Active and Total Tunnels
               Received and Sent Bytes
               Initiated, Failed Initiated, and Failed Remote Tunnels
            IPSec Phase 2 Statistics
               Inbound Authentications
               Encryptions and Decryptions


Page 106
   Concentrator Administration

    Administration has the following options:
        Administer Sessions
        Software Update
        System Reboot
        Ping
        Monitoring Refresh
        Access Rights
        File Management
        Certificate Management




Page 107
   Session Administration

    Administration | Sessions
         Provides similar statistics to the Monitoring | Sessions screen
        Allows administrator to force logout of sessions
            Individual sessions
               Select Logout option for session
            All sessions for a specific protocol such as IPSec
               Prompts to be sure you want to continue
               Deletes all sessions of the specified type immediately, without warning to
                users




Page 108
   Updating Software

    Administration | Software Update
        Copies previously downloaded OS image file from workstation or
         server to backup OS image on concentrator
        Backup image is made active image for next reboot
        Must reboot the VPN concentrator to enable the new software
         image
        Two options:
            Concentrator – updates operating software on concentrator
            Client – updates 3002 Client software




Page 109
   Administering System Reboot

    Administration | System Reboot
        Three available actions
            Reboot
             Shutdown (does not power down automatically)
            Cancel scheduled reboot
        Three configuration actions
            Save config on reboot
            Reboot without saving active config
            Reboot to factory default settings
        Scheduling options
            Now
            In xx minutes
            At xx:xx time of day
            After active sessions terminate (no new sessions allowed)

Page 110
   Ping Utility

    Administration | Ping
        Insert IP address of host you wish to ping.
        You may halt ping with Cancel button.
        Successful ping
            xxx.xxx.xxx.xxx is alive!
        Unsuccessful ping
            xxx.xxx.xxx.xxx cannot be reached.




Page 111
   Adjusting Automatic Refresh

    Administration | Monitoring Refresh
        Allows you to turn on automatic refresh of all status and statistic
         screens in the Monitoring section
        You can set the refresh rate from 1 to 2,000,000,000 seconds.
         That’s about 63 years on the top end – you might miss it.
        Very short refresh rates may affect system performance




Page 112
   Controlling Access Rights

    Administration | Access Rights
        Allows you to manage
            Administrators - Administrator accounts, passwords, and access
             rights
            Access Control Lists - Manage ACL that controls admin access to
             the concentrator
            Access Settings - Manage session idle timeout, session limits, and
             config file encryption for administrative accounts
            AAA Servers - Configure AAA authentication for admin accounts
        Only admin account is active by default
        Other accounts are: config, isp, mis, and user
            Each has default settings for Authentication, General, SNMP, and
             Files, but none are active by default



Page 113
   File Management

    Administration | File Management
        Swap Config File – make the backup config become the boot
         config and the boot config become the backup config
        TFTP Transfer – allows concentrator to act as TFTP client to
         GET/PUT files from/to a TFTP server
        File Upload – uses HTTP to upload file from a workstation to the
         concentrator
        XML Export – copy active config to XML file stored on the
         concentrator
        Each listed file has the following options
            View – new browser window to view file contents
            Delete – file from flash
            Copy – to within flash


Page 114
   Review Question 9

    Under what Monitoring option can you view the top ten
     sessions with respect to connection time?




Page 115
   Review Question 10

    What must you do after performing a software update on
     a VPN 3000 Concentrator?




Page 116
Configure the Cisco
Secure VPN Client
   Overview

    You will achieve the following objectives by the end of
     this section:
        Identify Cisco’s two VPN Client products and list their primary
         features.
        Configure a VPN 3000 Client to support VPN connections using
         preshared keys.
        Import individual identity certificates into Internet Explorer.
        Configure a VPN 3000 Client to support VPN connections using
         digital certificates.
        Configure a PIX Firewall to support VPN 3000 Clients and VPN
         1.1 Clients.
        Configure a VPN 1.1 Client to support VPN connections to PIX
         Firewalls and Cisco IOS routers.
        Configure a Cisco IOS router to support VPN 1.1 Clients.
Page 118
   Client Types

    Cisco Systems VPN 3000 Client
        Unlimited license packaged with each VPN 3000 Concentrator
        Supports VPN Concentrators, PIX Firewalls
        Centrally managed configuration policies can be pushed from
         concentrator to client
    Cisco Secure VPN 1.1 Client
        Separate product available from Cisco – use this if you do not
         have a concentrator
        Supports PIX Firewalls, Cisco Secure IOS routers and other
         IPSec-compliant products
        Manageable through Cisco Secure Policy Manager




Page 119
   Cisco Secure VPN 1.1 Client
   Overview
    Product features:
        Operates on Windows 95/98/NT platforms
        Compliance with IPSec and related standards
             Support for Tunnel and Transport Mode security
            Supports DES, 3DES, MD-5, and SHA-1 algorithms
            Supports IKE using ISAKMP/Oakley handshake and key
             agreement
        X.509 Certificate Authority compatibility
              Windows 2000 Certificate Services
              Verisign Onsite
              Entrust VPN Connector
              Netscape Certificate Management System (CMS)




Page 120
   Cisco VPN 3000 Client Overview

    Product features:
        Operates on Windows 95/98/NT/ME/2000/XP platforms
        Uses Internet Explorer and HTTP
        Compliance with IPSec and related standards
             Support for Tunnel and Transport Mode security
            Supports DES, 3DES, MD-5, and SHA-1 algorithms
            Supports IKE using ISAKMP/Oakley handshake and key agreement
        X.509 Certificate Authority compatibility (requires NT)
            Microsoft Windows 2000 Certificate Services
            Verisign Onsite
            Entrust VPN Connector
            Baltimore Technologies
            GTE Cybertrust
            Network Associates PGP Net Tools PKI
Page 121
   VPN 3000 Client and Preshared
   Keys
    Start | Programs | Cisco Systems VPN 3000 Client |
     VPN Dialer
    Create a new Connection Entry:
        Supply
            Name and description for the Connection Entry
            IP address or hostname of the VPN concentrator
            Select Group Access Information radio button
            Enter group name and password and verify password
               Same as the entry made on the VPN concentrator
            Select Finish to save




Page 122
   VPN 3000 Client and Preshared
   Keys (cont’d)
    Start the connection
        Start | Programs | Cisco Systems VPN 3000 Client | VPN
         Dialer
        Select the name of the Connection Entry you want to use
        Select the Connect button
        Enter username and password when requested
    Troubleshoot the connection
        Start | Programs | Cisco Systems VPN 3000 Client | Log Viewer
            Program allows you to save, print, filter, clear, and search the log file
             in addition to capturing event messages




Page 123
   Using Internet Explorer to Enroll
   with Trusted CA
    You can use IE to enroll with CA.
        Root certificate – preloaded when IE is installed on workstation
        Identity certificate
    If client will connect with VPN concentrator:
        Department (OU) field must exactly match a group name on
         concentrator.
    Enrollment for Identity Certificate:
        Contact CA directly – Web site.
        Fill out enrollment document (be careful about OU field).
        Pay for the certificate.
        Download and Import certificate into IE.



Page 124
   VPN 3000 Client and Digital
   Certificates
    Install CA and Identity certificates onto client.
        Start | Programs | Cisco Systems VPN 3000 Client |
         Certificate Manager
            Select Personal Certificates tab.
            Select New to generate new enrollment request.
    Create a new Connection Entry.
        Start | Programs | Cisco Systems VPN 3000 Client | VPN
         Dialer
        Select New
        Supply
            Name and description for the Connection Entry
            IP address or hostname of the VPN concentrator
            Select Certificate option button
            Select Certificate from drop-down list
            Select Finish to save

Page 125
   PIX Configuration for VPN 3000
   Clients: Preshared Keys
    Typical configuration
        Wildcard preshared keys
        Dynamic crypto map
        Xauth – AAA authentication of username
           crypto map map-name client authentication tacacs+
        IKE mode configuration
    Configure vpngroup command to push IPSec policy
     from PIX to Client
       vpngroup group-name address-pool pool-name
       vpngroup group-name password group-password
            Group name and password must match group name and password
             on VPN 3000 Client


Page 126
   PIX Configuration for VPN 1.1
   Clients: Preshared Keys
    Typical configuration:
        Wildcard preshared keys
           isakmp key wildcard-key address 0.0.0.0 netmask 0.0.0.0
        Dynamic crypto map
        Xauth – AAA authentication of username
           crypto map map-name client authentication tacacs+
        IKE mode configuration
    Wildcard-key is the preshared key and must match the
     configuration on the client.




Page 127
   Cisco Secure VPN 1.1 Client
   Configuration: PIX and IOS
    Client Config – Main screen
        Remote Party – subnet on far side of PIX or router
        Secure Gateway Tunnel – outside interface of PIX or router
    My Identity – Preshared key
        Must match key specified on PIX or router
    Expanded Security Policy – Phase 1
        Authentication method – Pre-Shared key
        Encrypt Alg, Hash Alg, SA Life, and Key Group must all match
         the settings on the PIX or router
    Expanded Security Policy – Phase 2
        IPSec Protocol, Encrypt Alg, Hash Alg, Encapsulation must all
         match the settings on the PIX or router
        SA Life is set to Unspecified – lets PIX or router set lifetime
Page 128
   IOS Configuration for VPN 1.1
   Clients: Preshared Keys
    Typical configuration:
        Wildcard preshared keys
           crypto isakmp key wildcard-key address 0.0.0.0
        Dynamic crypto map
        Xauth – AAA authentication of username
           crypto map map-name client authentication tacacs+
        IKE mode configuration
    Wildcard-key is the preshared key and must match the
     configuration on the client




Page 129
   Review Question 11

    What are the names of the Cisco VPN Client products?




Page 130
   Review Question 12

    What VPN 3000 Client options must match with similar
     options on the PIX Firewall or VPN Concentrator to
     connect using preshared keys?




Page 131
                Lab 3-2


VPN 3000 IPSec and Digital Certificates
Cisco IOS IPSec for
Preshared Keys
Site-to-Site
   Overview

    You will achieve the following objectives by the end of
     this section:
        Identify the four primary tasks involved in setting up IPSec.
        Describe the steps of the IPSec planning phase.
        Investigate the current IPSec configuration settings.
        Verify network operation before configuring IPSec.
        Permit IPSec traffic.
        Configure IKE to use preshared keys and verify the
         configuration.
        Configure IPSec and verify the configuration.




Page 134
   IPSec Configuration Tasks

      Task 1 – Prepare for IPSec
      Task 2 – Configure IKE
      Task 3 – Configure IPSec
      Task 4 – Test and Verify IPSec




Page 135
   Task 1 - Preparing for IPSec

    Planning minimizes chance of misconfiguration
    Five step process
          Develop IKE (IKE phase one) policy.
          Develop IPSec (IKE phase two) policy.
          Inspect current configuration.
          Verify network operability prior to encryption.
          Ensure that IPSec traffic is not blocked by firewalls.




Page 136
   Step 1: Developing the IKE Policy

    Decide how you will distribute keys.
        Manually or through digital certificates
    Decide upon the authentication method you will use.
        Preshared or RSA
    Get the IP addresses and host names of VPN peers.
    Design ISAKMP policy for each peer or set of peers.
        Multiple policies can be grouped into a protection suite
        You can create a hierarchy of policies to provide differing
         degrees of security




Page 137
   ISAKMP Policy

    Each individual policy has 5 parameters.
        Message encryption algorithm
            DES – default
            3DES – stronger – protected distribution
        Message integrity (hash) algorithm
            SHA-1 – default - stronger
            MD5 - optional
        Peer authentication method
            Preshared keys
            RSA encrypted nonces - stronger
            RSA signatures – default - stronger




Page 138
   ISAKMP Policy                     (cont’d)

    Each individual policy has 5 parameters (cont’d)
        Key exchange parameters (Diffie-Hellman group identifier)
            Group 1 – 768-bit Diffie-Hellman – default
            Group 2 – 1024-bit Diffie-Hellman - stronger
        ISAKMP-established SA’s lifetime
            Any number of seconds – default is 86,400 – one day
    Peers will negotiate best policy to use for VPN
     connection




Page 139
   Step 2: Developing the IPSec
   Policy
    Decide which algorithms and parameters you need.
    Select the transforms or transform sets you need to
     provide the security you need.
    Identify all peers.
    Identify which applications and addresses need
     protection.
    Decide how SAs will be initiated.




Page 140
   IPSec Transforms

     AH Authentication Transforms
         ah-md5-hmac
         ah-sha-hmac
         ah-rfc1828
     ESP Encryption Transforms
         esp-des
         esp-3des
         esp-null
         esp-rfc1829
     ESP Authentication Transforms
         esp-md5-hmac
         esp-sha-hmac

Page 141
   IPSec Transform Sets

    Transforms can be grouped into Transform Sets.
        Provides robust authentication and encryption
        Possible combinations
            Up to one AH Authentication transform
            Up to one ESP Encryption transform
            Up to one ESP Authentication transform
         Examples of valid transform sets
            ah-md5-hmac
            esp-des
            esp-3des and esp-sha-hmac
            ah-sha-hmac and esp-des and esp-sha-hmac
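The combination rule above, as an added example (not Cisco code): a validator for a proposed transform set that also renders a valid set in the crypto ipsec transform-set command form used later in this section. The transform names are those on the previous slide; the set name is constructed.

```python
"""Validator for IOS IPSec transform sets.

Added example, not Cisco code. It applies the combination rule from the
slide (up to one AH authentication, up to one ESP encryption and up to
one ESP authentication transform, at least one transform in all) and
renders a valid set in the 'crypto ipsec transform-set' command form.
"""
from typing import Sequence, Tuple

AH_AUTH = {"ah-md5-hmac", "ah-sha-hmac", "ah-rfc1828"}
ESP_ENCRYPT = {"esp-des", "esp-3des", "esp-null", "esp-rfc1829"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
CATEGORIES = (("AH authentication", AH_AUTH),
              ("ESP encryption", ESP_ENCRYPT),
              ("ESP authentication", ESP_AUTH))


def validate_transform_set(transforms: Sequence[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for a proposed transform set."""
    if not transforms:
        return False, "a transform set needs at least one transform"
    used = {}   # category -> transform chosen for it
    for raw in transforms:
        name = raw.lower()
        category = next((label for label, members in CATEGORIES if name in members), None)
        if category is None:
            return False, f"unknown transform {raw!r}"
        if category in used:
            return False, f"two {category} transforms: {used[category]} and {name}"
        used[category] = name
    return True, "valid: " + ", ".join(f"{c} = {t}" for c, t in used.items())


def transform_set_command(name: str, transforms: Sequence[str]) -> str:
    """Build the IOS command line for a valid set, or raise ValueError."""
    ok, reason = validate_transform_set(transforms)
    if not ok:
        raise ValueError(reason)
    return f"crypto ipsec transform-set {name} " + " ".join(t.lower() for t in transforms)


if __name__ == "__main__":
    for proposal in (["ah-md5-hmac"], ["esp-3des", "esp-sha-hmac"],
                     ["ah-sha-hmac", "esp-des", "esp-sha-hmac"],
                     ["esp-des", "esp-3des"], ["ah-md5-hmac", "ah-sha-hmac"]):
        print(proposal, "->", validate_transform_set(proposal))
    print(transform_set_command("MYSET", ["esp-3des", "esp-sha-hmac"]))  # MYSET is a constructed name
```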




Page 142
   Step 3: Inspect Current
   Configuration
    Inspect current IOS configuration for existing IPSec
     settings.
        All IPSec settings
           show running-config
        IKE Policies
           show crypto isakmp policy
        Crypto maps and transform sets
           show crypto map
        Transform sets
           show crypto ipsec transform-set




Page 143
   Step 4: Verify Network Operation

    Verify that the network is functioning properly before
     adding the complexity of IPSec.
    Verify IP services.
        ping
        trace
        show ip traffic
        show ip route
    Verify routing protocols.
        show ip route
    Verify other routed protocols.
        Telnet
        FTP
        HTTP

Page 144
   Step 5: Permit IPSec Traffic

    Enable IPSec traffic by ensuring that the protocols and
     ports are allowed to pass by ACLs.
         UDP port 500 – for ISAKMP traffic
        Protocol 50 – for IPSec ESP traffic
        Protocol 51 – for IPSec AH traffic
    Best plan is to explicitly permit this traffic.
       access-list 101 permit ahp any host 192.168.15.30
       access-list 101 permit esp any host 192.168.15.30
       access-list 101 permit udp any host 192.168.15.30 eq isakmp
       access-list 101 deny ip any any




Page 145
   Task 2: Configure IKE

    Now that you have done the planning, perform the
     configuration.
        Four steps to configure IKE
              Enable or disable IKE
              Create IKE policies
              Configure preshared keys
              Verify IKE configuration




Page 146
   Step 1: Enable or Disable IKE

    Choose to enable IKE for all interfaces or just a few.
    Choose to disable IKE for some interfaces.
     Global command (Config) – affects all interfaces
       crypto isakmp enable
       no crypto isakmp enable
    Interface command (Config-if) – affects single interface
       crypto isakmp enable
       no crypto isakmp enable
    Typical configuration
        Enable IKE on WAN or remote LAN interfaces
        Disable IKE on local LAN interfaces

Page 147
   Step 2: Create IKE Policies

    Define a suite of policies to simplify peer connection.
        Global command (config) to open policy definition
           crypto isakmp policy priority
             Priority identifies a unique policy and indicates the most-preferred
              policy (the lowest number is the highest priority)
        ISAKMP Policy commands (config-isakmp)
           authentication {rsa-sig | rsa-encr | pre-share}
           default
           encryption {des | 3des}
           group {1 | 2}
           hash {sha | md5}
           lifetime seconds




Page 148
   Step 2: Create IKE Policies                        (cont’d)

    Default ISAKMP policy settings are
        DES, SHA, RSA-SIG, D-H 1, 86400 seconds
    During negotiation process, peers
        Exchange policies
        Compare peer’s policy with own
             Begin at top of list (lowest priority number = highest priority)
            Exit search when match is made
        Look for exact match of
            Encryption
            Hash
            Authentication
            Diffie-Hellman group
        SA Lifetime is negotiable
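The negotiation described above, as an added example (not Cisco code): a model of two IOS peers' ISAKMP policy lists, including the built-in default, and the responder's top-down search for an exact match. The policies in the sample are constructed; treating the agreed lifetime as the shorter of the two is an assumption of this model, not a statement from the slides.

```python
"""Simulation of IOS ISAKMP (IKE phase one) policy matching.

Added example, not Cisco code. Each peer holds policies ordered by
priority number (lowest number first, 65535 for the built-in default of
DES, SHA, RSA-SIG, D-H group 1, 86400 seconds). The responder walks its
own list from the top and stops at the first policy whose encryption,
hash, authentication and Diffie-Hellman group exactly equal one the
initiator offered. Lifetime is negotiable; this model uses the shorter
of the two, which is an assumption of the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_PRIORITY = 65535


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str = "des"           # des | 3des
    hash_alg: str = "sha"             # sha | md5
    authentication: str = "rsa-sig"   # rsa-sig | rsa-encr | pre-share
    group: int = 1                    # 1 = 768-bit D-H, 2 = 1024-bit D-H
    lifetime: int = 86400             # seconds; one day by default

    def same_suite(self, other: "IsakmpPolicy") -> bool:
        """Exact match on the four parameters that are not negotiable."""
        return (self.encryption, self.hash_alg, self.authentication, self.group) == \
               (other.encryption, other.hash_alg, other.authentication, other.group)


DEFAULT_POLICY = IsakmpPolicy(priority=DEFAULT_PRIORITY)


def policy_list(configured: List[IsakmpPolicy]) -> List[IsakmpPolicy]:
    """Configured policies by priority, then the default, in the order
    'show crypto isakmp policy' lists them."""
    return sorted(configured, key=lambda p: p.priority) + [DEFAULT_POLICY]


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Return (initiator policy, responder policy, agreed lifetime).

    The initiator offers its whole list; the responder compares its own
    policies in priority order and exits the search at the first match,
    so the responder's ordering, not the initiator's, decides the suite.
    Because every peer in this model also carries the default policy,
    the search always ends at the default at the latest.
    """
    offered = policy_list(initiator)
    for mine in policy_list(responder):
        for theirs in offered:
            if mine.same_suite(theirs):
                return theirs, mine, min(mine.lifetime, theirs.lifetime)
    return None


if __name__ == "__main__":
    # Constructed sample: HQ prefers 3DES, the branch prefers DES.
    hq = [IsakmpPolicy(110, "3des", "md5", "pre-share", 2, 3600),
          IsakmpPolicy(120, "des", "sha", "pre-share", 1)]
    branch = [IsakmpPolicy(10, "des", "sha", "pre-share", 1, 43200),
              IsakmpPolicy(20, "3des", "md5", "pre-share", 2)]
    print("HQ initiates:", negotiate(initiator=hq, responder=branch))
    print("branch initiates:", negotiate(initiator=branch, responder=hq))
```

Running the sample shows that the same two peers agree on DES when HQ initiates and on 3DES when the branch initiates, because the responder's list is searched first.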

Page 149
   Step 3: Configure Preshared
   Keys
    Select peer identity method – address or hostname
        Address is default
       crypto isakmp identity {address | hostname}
        “No” form of command resets back to address
    Identify host if DNS is not available
       ip host router.domain.com ip-address
    Configure preshared key using one of these
       crypto isakmp key keystring address peer-address
       crypto isakmp key keystring hostname peer-hostname
    Best practice
        Use different keys for different peers


Page 150
   Step 4: Verify IKE Configuration

    Display the ISAKMP policy showing configured and
     default policies
       show crypto isakmp policy
        Displays priority of each policy (lowest number is highest priority)
        Displays 5 IKE variables for each policy
            Encryption algorithm
            Hash algorithm
            Authentication method
            Diffie-Hellman group
            Lifetime
    Display ISAKMP SAs
       show crypto isakmp sa


Page 151
   Task 3: Configure IPSec

    Perform IPSec configuration after IKE configuration
    Step 1 – Configure transform set(s).
       crypto ipsec transform-set transform-set-name transform1
         [transform2 [transform3]]
       mode [tunnel | transport] – default is tunnel
    Step 2 – Configure IPSec SA lifetimes.
       crypto ipsec security-association lifetime {seconds seconds |
         kilobytes kilobytes} – default 3,600 sec., 4,608,000 K
       no crypto ipsec security-association lifetime {seconds
         | kilobytes} – resets lifetime to default




Page 152
   Configure IPSec                         (cont’d)

    Step 3 – Define IPSec interesting traffic ACLs
        Permit statements – traffic that must be encrypted
        Deny statements – traffic does not need encryption
        Avoid use of any keyword
        Required on all peers – used for both incoming and outgoing
         traffic
            Incoming traffic matching permit
               Must be encrypted
               Dropped if not encrypted
            Outgoing traffic matching permit
               Must be encrypted
       access-list access-list-number {permit | deny} protocol source
         source-wildcard destination destination-wildcard


Page 153
   Configure IPSec                         (cont’d)

    Step 4 – Configure crypto maps
        Each crypto map can have multiple map entries – identified by
         sequence number – lower numbers have higher priority
        An interface may have only one crypto map assigned
        Define a crypto map – enters (config-crypto-map) mode
           crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-
             map-name]
                map-name – identifies crypto map set
                seq-num – groups commands into a specific crypto map
                ipsec-isakmp – tells router to use ISAKMP to setup SAs
                dynamic – indicates that this crypto map references a pre-existing static
                 crypto map




Page 154
   Configure IPSec                     (cont’d)

    Step 4 – Configure crypto maps (cont’d)
        Configure settings for each crypto map (config-crypto-map)
         mode
            Identify ACL to use - match address [access-list-id | name]
            Identify peer(s) - set peer {hostname | ip-address}
            Require PFS – select D-H group - set pfs [group1 | group2]
            Require separate IPSec SA per host - set security-association
             level per-host
            Establish SA lifetime - set security-association lifetime {seconds
             seconds | kilobytes kilobytes}
            Specify transform sets to use - set transform-set transform-set-
             name [transform-set-name2...transform-set-name6]
    Step 5 – Apply crypto maps to interfaces
       crypto map map-name

Page 155
   Task 4: Test and Verify IPSec

    Display IKE policies.
       show crypto isakmp policy
    Display transform sets.
       show crypto ipsec transform-set [tag transform-set-name]
    Display current state of IPSec SAs.
       show crypto ipsec sa [map map-name | address | identity]
         [detail]
    Display crypto maps.
       show crypto map [interface interface | tag map-name]
    Debug IKE and IPSec – resource intensive.
       debug crypto ipsec
       debug crypto isakmp
Page 156
   Review Question 13

    What is the maximum number of crypto map sets that can
     be applied to a single router interface?




Page 157
   Review Question 14

    What ports and/or protocols must be allowed to pass
     through firewalls or ACLs in order to permit IPSec to
     function?




Page 158
Cisco IOS IPSec Certificate
Authority Support Site-to-Site
   Overview

    You will achieve the following objectives by the end of
     this section:
        Identify the tasks required to configure a Cisco IOS router to
         support CAs.
        Identify the CA servers that interoperate with Cisco IOS routers.
        Perform basic router configuration procedures to prepare the
         router for CA support.
        Generate and view RSA key pairs.
        Configure the router to work with a CA server.
        Manage certificates and keys that are stored on the router.
        Verify CA support and IPSec configuration using a variety of
         show commands.



Page 160
   IPSec with CA Support
   Configuration Tasks
    Similar to tasks required for preshared keys
        Task 1 – Prepare for IPSec
        Task 1b – Configure CA Support
        Task 2 – Configure IKE
        Task 3 – Configure IPSec
        Task 4 – Test and Verify IPSec




Page 161
   Task 1: Preparing for IPSec

    Planning minimizes chance of misconfiguration
    Preparing for IPSec is now a 6 step process:
          Plan for CA Support.
          Develop IKE (IKE phase one) policy.
          Develop IPSec (IKE phase two) policy.
          Inspect current configuration.
          Verify network operability prior to encryption.
          Ensure that IPSec traffic is not blocked by firewalls.




Page 162
   Planning for CA Support

    Identify the type of CA server you want to use.
        Does it support the RSA type you need?
        Does it support CRLs?
        Will you need RA support?
    Get the CA server’s:
        IP address.
        Hostname.
        URL.
    Get the CA server’s administrator contact info.




Page 163
CA Support Overview
   Cisco IOS CA Support Capabilities

      IKE
      PKCS #7 – certificate enrollment
      PKCS #10 – certificate requests
      RSA keys
      X.509 certificates
      CA interoperability using Simple Certificate Enrollment
       Protocol (SCEP)




Page 165
   SCEP Authentication

    Manual
        CA operator must perform out-of-band verification of certificate
         requestor’s identity
    Preshared secret
        Requestor provides challenge password with request




Page 166
   CA Servers

    These CA Servers interoperate with Cisco IOS routers.
        Entrust Technologies, Inc.
            Entrust/PKI 4.0
            Cisco IOS release 11.3(5)T or later
        VeriSign
            OnSite 4.5
            Cisco IOS release 12.0(6.0.1)T or later
        Baltimore Technologies
            UniCERT v3.05
            Cisco IOS release 12.0(5)T or later
        Microsoft Corporation
            Windows 2000 Certificate Services 5.0
            Cisco IOS release 12.0(5)T or later


Page 167
   Enrollment with a CA

    Enrollment is a six-step process:
        Configure the router for CA support.
        Generate RSA keys.
        Router authenticates the CA server.
        Router sends certificate request to CA server.
        CA server signs certificates.
        CA server sends certificates to router.




Page 168
Configuring CA
Support
   Preparing the Router for CA
   Support
    Verify NVRAM space.
        Certificates and CRLs will be stored there
    Set accurate date, time, and timezone.
        Certificates are time-sensitive
           clock timezone zone hours [minutes]
           clock set hh:mm:ss day month year
        Could use NTP
    Set router’s host and domain names.
       hostname name
       ip domain-name name




Page 170
   RSA Key Generation

    Generate an RSA key pair
        Special Usage Keys
            2 pairs generated
               One for peers using RSA signatures
               One for peers using RSA encrypted nonces
        General Purpose Keys
            1 key-pair used for everything
    Generating the key pair
       crypto key generate rsa [usage-keys]
    Viewing the key
       show crypto key mypubkey rsa
    Select appropriate modulus length when prompted

Page 171
   Identifying the CA Server

    Identify the CA your router will use and enter ca identity
     configuration mode
       crypto ca identity name
        Specify URL of CA
           enrollment url url
        Specify RA support and provide URL
           enrollment mode ra
           query url url
        Specify retry parameters
           enrollment retry-period minutes
           enrollment retry-count number
        Configure to ignore CRLs in some cases
           crl optional

Page 172
   Authenticate the CA

    Two-step process
        Obtain the CA’s fingerprint at the router.
           crypto ca authenticate name
            Name is same as that configured in the crypto ca identity
             command
        Contact the CA administrator and verify the fingerprint obtained.
            If valid, accept the certificate
    This process saves CA’s certificate on the router.




Page 173
   Obtain Router’s Certificate(s)

    One certificate is required for each key pair.
        General key pair – 1 certificate
        Special usage key pairs – 2 certificates
    Enrollment obtains certificate(s) from CA.
       crypto ca enroll name
            Name is the name you gave the CA with the crypto ca identity
             command
        Password must be supplied during enrollment
            Password will be used to revoke certificate
        Subject name options you can choose
            Add router serial number to subject name
            Add IP address to subject name
    After obtaining certificate, save the configuration.
       copy running-config startup-config

Page 174
   Certificate Maintenance

    Request a CRL from your CA.
       crypto ca crl request name
    Delete RSA keys and remove certificate(s).
        Might do this if keys were compromised
        Delete all RSA keys - crypto key zeroize rsa
        Call CA administrator and revoke certificate(s) – provide
         revocation password
        Delete certificates from router configuration
            Obtain certificate serial number – show crypto ca certificates
            Enter (config-cert-chain) mode – crypto ca certificate chain name
            Delete certificate – no certificate certificate-serial-number




Page 175
   Certificate Maintenance                                  (cont’d)

   router# show crypto ca certificates
   Certificate
     Subject Name
        Name: router.company.com
        IP Address: 192.168.15.1
     Status: Available
     Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF
     Key Usage: General Purpose
   CA Certificate
     Status: Available
     Certificate Serial Number: FEDCBA9876543210FEDCBA9876543210
     Key Usage: Not Set
   router# configure terminal
   router(config)# crypto ca certificate chain certauth
   router(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF
   % Are you sure you want to remove the certificate [yes/no]? yes
   % Be sure to ask the CA administrator to revoke this certificate.
   router(config-cert-chain)# exit
   router(config)#
Page 176
   Certificate Maintenance                               (cont’d)

    Remove peer’s public key from router
        Might do this if you no longer trust the peer
            Compromised key
            Change in business relationship
        Display peer’s public key
           show crypto key pubkey-chain rsa [name key-name | address key-
             address]
        Enter (config-pubkey-chain) mode
           crypto key pubkey-chain rsa
        Delete peer’s RSA public key
           named-key key-name [encryption | signature]
           addressed-key key-address [encryption | signature]



Page 177
   Verify CA Support Configuration

    Show commands provide CA and certificate information.
    Display certificates installed on the router
       show crypto ca certificates
    Display the router’s public key
       show crypto key mypubkey rsa
    Display peer public keys.
       show crypto key pubkey-chain rsa
    View configuration settings
       show running-config




Page 178
   Additional Show Commands

    Display commands:
        IPSec transform sets – show crypto ipsec transform-set
        Crypto map – show crypto map
        IKE policy – show crypto isakmp policy
        Preshared keys – show crypto isakmp key
        Access lists – show ip access-list
        Interface – show crypto map interface type/num
        Routing – show ip route
    Information commands:
        IPSec connections – show crypto engine connections active
        Security associations – show crypto ipsec sa
    Debug commands:
        Troubleshoot ISAKMP – debug crypto isakmp
Page 179
   Review Question 15

    Which SCEP enrollment process requires the CA operator
     to use an out-of-band process to verify the requestor’s
     identity?




Page 180
   Review Question 16

    How many key pairs are generated when you request
     special usage keys, and what are their purposes?




Page 181
PIX Firewall for IPSec
Preshared Keys
Site-to-Site
   Overview

    You will achieve the following objectives by the end of
     this section:
        Identify the steps required to configure VPN support on a PIX
         Firewall.
        Configure the interfaces of a PIX Firewall to support IKE.
        Configure a PIX Firewall to support preshared keys.
        Configure IPSec transform sets.
        Configure an IPSec crypto map.
        Apply an IPSec crypto map to an interface on a PIX Firewall.
        Test and verify the IKE and IPSec components of a VPN on a
         PIX Firewall.




Page 183
   PIX Firewall IPSec Configuration
   Tasks
      Task 1 – Prepare for IPSec support.
      Task 2 – Configure IKE.
      Task 3 – Configure IPSec.
      Task 4 – Test and Verify IPSec.




Page 184
   Task 1: Prepare for IPSec
   support
          Develop IKE phase one policy
          Develop IPSec (IKE phase two) policy
          Check the current configuration
          Verify that the network is functional without IPSec
          Permit IPSec protocols and ports




Page 185
Task 2 – Configure IKE
   Enable or Disable IKE

    No global configuration command available
    Enable ISAKMP on required interfaces
       isakmp enable interface-name
    Disable on interfaces where ISAKMP is not required
       no isakmp enable interface-name




Page 187
   Create IKE Policies

    Identify policy
       isakmp policy priority
    Specify encryption
       isakmp policy priority encryption {des | 3des}
    Specify hash algorithm
       isakmp policy priority hash {md5 | sha}
    Specify authentication
       isakmp policy priority authentication {pre-share | rsa-sig}
    Specify Diffie-Hellman group
       isakmp policy priority group {1 | 2}
    Specify IKE SA Lifetime
       isakmp policy priority lifetime seconds
Page 188
   Configure Preshared Keys

    Choose how the peer will be identified
       isakmp identity {address | hostname}
    (Optional) Define a name to address mapping
       name ip_address name
    Define the preshared key
       isakmp key keystring address peer-address [netmask netmask]
       isakmp key keystring hostname peer-hostname
    Preshared keys are not scalable




Page 189
   Verify IKE Phase One

    Display configuration settings
       write terminal
    Display ISAKMP policy settings
       show isakmp policy
    Display ISAKMP policies
       show isakmp




Page 190
Task 3 – Configure
IPSec
   Permit Inbound IPSec Traffic

    Negate requirement to always check conduit or access-
     lists for all inbound traffic
       sysopt connection permit-ipsec




Page 192
   Define Crypto Traffic

      All traffic permitted by ACL will be encrypted.
      ACL supports both inbound and outbound traffic.
      Be careful using any keyword.
      PIX Firewalls use netmask; IOS routers use wildcard.
      Access-list command
        access-list access-list-name {deny | permit} protocol source
         source-netmask [operator port [port]] destination destination-
         netmask [operator port [port]]
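The crypto ACL behaviour from this slide and from the IOS "Step 3 – Define IPSec interesting traffic ACLs" slide, as an added Python example that is not part of the course material: one matcher using the IOS wildcard convention, one using the PIX netmask convention, and the inbound rule that cleartext matching a permit statement is dropped. All addresses and masks are constructed sample values.

```python
# Added example (not from the slides): crypto ACL matching with IOS
# wildcard masks and PIX netmasks, plus the inbound "must be encrypted"
# rule. Sample addresses below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List


def ipv4(addr: str) -> int:
    """Dotted-quad IPv4 address as a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def matches_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """IOS convention: wildcard bits set to 1 are 'don't care' (0.0.0.255 = /24)."""
    care = ~ipv4(wildcard) & 0xFFFFFFFF
    return (ipv4(addr) & care) == (ipv4(base) & care)


def matches_netmask(addr: str, base: str, netmask: str) -> bool:
    """PIX convention: netmask bits set to 1 are significant (255.255.255.0 = /24)."""
    mask = ipv4(netmask)
    return (ipv4(addr) & mask) == (ipv4(base) & mask)


def netmask_to_wildcard(netmask: str) -> str:
    """Rewrite a PIX netmask as the equivalent IOS wildcard (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(~ipv4(netmask) & 0xFFFFFFFF))


@dataclass(frozen=True)
class CryptoAce:
    action: str        # "permit" = must be IPSec-protected, "deny" = sent in the clear
    protocol: str      # "ip" matches every protocol
    source: str
    source_mask: str   # wildcard on IOS, netmask on PIX
    dest: str
    dest_mask: str


def ace_matches(ace: CryptoAce, proto: str, src: str, dst: str, platform: str) -> bool:
    match = matches_wildcard if platform == "ios" else matches_netmask
    return (ace.protocol in ("ip", proto)
            and match(src, ace.source, ace.source_mask)
            and match(dst, ace.dest, ace.dest_mask))


def crypto_decision(acl: List[CryptoAce], proto: str, src: str, dst: str,
                    platform: str) -> str:
    """Outbound: the first matching entry decides; no match is the implicit deny (clear)."""
    for ace in acl:
        if ace_matches(ace, proto, src, dst, platform):
            return ace.action
    return "deny"


def inbound_action(acl: List[CryptoAce], proto: str, src: str, dst: str,
                   platform: str, arrived_encrypted: bool) -> str:
    """Inbound: the ACL is applied mirrored (the packet's destination is the
    ACL's source). Traffic matching a permit must have arrived IPSec-protected;
    cleartext that matches a permit is dropped."""
    if crypto_decision(acl, proto, dst, src, platform) == "permit":
        return "accept" if arrived_encrypted else "drop"
    return "accept-clear"
```

The `netmask_to_wildcard` helper makes the PIX/IOS difference concrete: a 255.255.255.0 netmask copied into an IOS access list is read as a wildcard that ignores the first three octets, so it matches the wrong traffic instead of the intended /24.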




Page 193
   Configure Transform Sets

    AH transforms
        ah-md5-hmac
        ah-sha-hmac
    ESP transforms
        esp-des
        esp-3des
        esp-md5-hmac
        esp-sha-hmac
    Configuration command
       crypto ipsec transform-set transform-set-name transform1
         [transform2 [transform3]]



Page 194
   Configure IPSec SA Lifetime

    Default settings in seconds or kilobytes
        Seconds – 28,800 (or 8 hours)
        Kilobytes – 4,608,000
    Global configuration
        Used by all crypto maps
        May be overridden with specific crypto map setting
       crypto ipsec security-association lifetime {seconds seconds |
         kilobytes kilobytes}




Page 195
   Configure Crypto Maps

    Identify the crypto map
       crypto map map-name seq-num ipsec-isakmp
    Assign an ACL
       crypto map map-name seq-num match address access-list name
    Specify peer
       crypto map map-name seq-num set peer {hostname | ip-address}
    Specify transform sets
       crypto map map-name seq-num set transform-set transform-set-
         name1 [transform-set-name2, … [transform-set-name9]]




Page 196
   Configure Crypto Maps                     (cont’d)

    Specify PFS and D-H group (optional)
       crypto map map-name seq-num set pfs [group1 | group2]
    Specify IPSec SA lifetime for the map (optional)
       crypto map map-name seq-num set security-association
         lifetime {seconds seconds | kilobytes kilobytes}
    Identify dynamic crypto maps (optional)
       crypto dynamic-map dynamic-map-name dynamic-seq-num




Page 197
   Apply Crypto Maps

    Each interface – only one crypto map
    Apply using:
       crypto map map-name interface interface-name
    Verify using:
       show crypto map




Page 198
Task 4 – Test and
Verify VPN
   Verify IKE

    Show ACLs that permit IPSec ports and protocols
       show access-list
    Display ISAKMP information
       show isakmp
       write terminal
    Display ISAKMP policies
       show isakmp policy




Page 200
   Verify IPSec

    Display ACLs that define traffic to encrypt over VPN
       show access-list
    Display crypto map settings
       show crypto map [interface interface | tag map-name]
    Display transform sets
       show crypto ipsec transform-set [tag transform-set-name]
    Display global IPSec SA lifetime setting
       show crypto ipsec security-association lifetime




Page 201
   Manage IPSec

    Display current ISAKMP SA status
       show isakmp sa
    Display current IPSec SA status
       show crypto ipsec sa
    Clear ISAKMP SAs
       clear isakmp
    Clear IPSec SAs
       clear crypto ipsec sa
    Display IKE communications with peers
       debug crypto isakmp
    Display IPSec communications with peers
       debug crypto ipsec
Page 202
   Review Question 17

    What PIX Firewall CLI command would you use to view
     IKE policy settings?




Page 203
   Review Question 18

    What do we call a grouping of security policies that
     govern the authentication, encryption, and IPSec mode to
     use on a VPN connection?




Page 204
PIX Firewall Certificate
Authority Support
Site-to-Site
   Overview

    You will achieve the following objectives by the end of
     this section:
        Identify the tasks required to configure PIX Firewalls to support
         IPSec using CA servers.
        Configure a PIX Firewall in preparation for CA support.
        Generate RSA key pairs on the PIX Firewall.
        Configure the CA server identity and communication parameters.
        Obtain and save the digital certificates for the PIX Firewall.
        Verify CA support, IKE, and IPSec configurations on the PIX
         Firewall using show commands.
        Monitor and manage IKE and IPSec configurations on the PIX
         Firewall.



Page 206
   PIX Firewall CA Support Tasks

      Task 1 – Plan for IPSec
      Task 2 – Configure CA Support
      Task 3 – Configure IKE
      Task 4 – Configure IPSec
      Task 5 – Test and Verify VPN




Page 207
   Task 1: Plan for IPSec

    Same processes as used for VPN concentrators and IOS
     routers:
        Gather CA server information.
        Develop IKE phase one policy.
        Develop IPSec (IKE phase two) policy.
        Examine the current configuration.
        Verify network functionality without IPSec.
        Verify that IPSec traffic is permitted through firewall.




Page 208
Task 2 – Configure
CA Support
CA Support Overview
   Cisco IOS CA Support Capabilities

      IKE
      PKCS #7 – certificate enrollment
      PKCS #10 – certificate requests
      RSA keys
      X.509 certificates
      CA interoperability using Simple Certificate Enrollment
       Protocol (SCEP)




Page 211
   SCEP Authentication

    Manual
        CA operator must perform out-of-band verification of certificate
         requestor’s identity
    Preshared Secret
        Requestor provides challenge password with request




Page 212
   CA Servers

    These CA Servers interoperate with PIX Firewalls:
        Entrust Technologies, Inc.
            Entrust/PKI 4.0
            PIX Firewall release 5.1 or later
        VeriSign
            OnSite 4.5
            PIX Firewall release 5.1 or later
        Baltimore Technologies
            UniCERT v3.05
            PIX Firewall release 5.2 or later
        Microsoft Corporation
            Windows 2000 Certificate Services 5.0
            PIX Firewall release 5.2 or later


Page 213
   Enrollment with a CA

    Enrollment is a six-step process:
        Configure the PIX Firewall for CA support.
        Generate RSA keys.
        PIX Firewall authenticates the CA server.
        PIX Firewall sends certificate request to CA server.
        CA server signs certificates.
        CA server sends certificates to PIX Firewall.




Page 214
Configuring CA
Support
   Preparing the PIX Firewall for CA
   Support
    Verify flash memory usage
        Certificates and CRLs will be stored there
    Set accurate date, time, and timezone
        Certificates are time-sensitive
           clock set hh:mm:ss day month year
           clock set hh:mm:ss month day year
        Could use NTP
    Set PIX Firewall’s host and domain names
       hostname name
       domain-name name




Page 216
   RSA Key Generation

    Generate an RSA key pair
        Special Usage Keys
            2 pairs generated
               One for peers using RSA signatures
               One for peers using RSA encrypted nonces
        General Purpose Keys
            1 key-pair used for everything
    Generating the key pair
       ca generate rsa {key | specialkey} key_modulus_size
    Viewing the key pair(s)
       show ca mypubkey rsa



Page 217
   Identifying the CA Server

    Identify the CA your PIX Firewall will use
       ca identity ca_nickname ca_ipaddress [:ca_script_location]
         [ldap_ip_address]
    Configure CA communication parameters
       ca configure ca_nickname {ca | ra} retry_period retry_count
         [crloptional]




Page 218
   Authenticate the CA

    Authentication command
       ca authenticate ca_nickname [fingerprint]
    To include fingerprint for automatic authentication
        Contact CA administrator for fingerprint
    For manual authentication
        Execute ca authentication command without fingerprint
        CA server returns certificate with fingerprint
        Contact the CA administrator and verify the fingerprint obtained
            If valid, accept the certificate




Page 219
   Obtain PIX Firewall’s
   Certificate(s)
    One certificate is required for each key pair
        General key pair – one certificate
        Special usage key pairs – two certificates
    Enrollment obtains certificate(s) from CA
       ca enroll ca_name challenge_password [serial] [ipaddress]
            CA_name – assigned with the ca identity command
        Password must be supplied during enrollment
            Password will be used to revoke certificate
        Subject name options you can choose:
            serial - add PIX Firewall serial number to subject name
            ipaddress - add IP address to subject name




Page 220
   Save Configuration

    After obtaining certificate, save configuration
       ca save all
        Saves to Flash memory
            RSA key pairs
            CA certificate
            RA certificate
            PIX Firewall certificate(s)
            CA’s CRLs
       write memory
        Saves current PIX configuration, including CA configuration, to
         Flash memory




Page 221
   Certificate Maintenance

    Request a CRL from your CA.
       ca crl request ca_nickname
    Delete RSA keys and remove certificate(s).
        Might do this if keys were compromised
        Delete RSA keys - ca zeroize rsa [keypair_name]
        Call CA administrator and revoke certificate(s) – provide
         revocation password
        Delete certificates from PIX Firewall configuration – all certificates
         from the specified CA
           no ca identity ca_nickname




Page 222
   Verify CA Support Configuration

    Show commands provide CA and certificate information.
    Display current CA identity settings.
       show ca identity
    Display CA communication parameter settings.
       show ca configure
    Display all certificates.
       show ca certificate
    Display RSA key pair(s).
       show ca mypubkey rsa




Page 223
Task 5 – Test and
Verify the VPN
   Verify IKE Configuration

    Display access lists permitting IPSec ports and protocols.
       show access-list
    Display ISAKMP policies.
       show isakmp
       show isakmp policy




Page 225
   Display IPSec Configuration

    Display access list that defines traffic to be encrypted.
       show access-list
    Display crypto maps.
       show crypto map
    Display IPSec transform sets.
       show crypto ipsec transform-set
    Display IPSec SA lifetime settings.
       show crypto ipsec security-association lifetime




Page 226
   Monitor and Manage IKE and
   IPSec
    Display ISAKMP or IPSec SA status.
       show isakmp sa
       show crypto ipsec sa
    Clear ISAKMP or IPSec SAs.
       clear crypto isakmp sa
       clear crypto ipsec sa
    Debug ISAKMP or IPSec communications.
       debug crypto isakmp
       debug crypto ipsec
    Display active connection information.
       show crypto engine


Page 227
   Review Question 19

    What happens when you execute the ca save all
     command on a PIX Firewall?




Page 228
   Review Question 20

    What command would you use to view the RSA key pairs
     on a PIX Firewall?




Page 229
Scale Cisco Router
and PIX Firewall VPNs
   Overview

    You will achieve the following objectives by the end of
     this section:
        List features of the PIX Firewall and Cisco IOS that provide
         scalability for IPSec.
        Configure dynamic crypto maps on a PIX Firewall and Cisco IOS
         router.
        Configure a PIX Firewall to use extended authentication (Xauth)
         and wildcard preshared keys.
        Configure IKE mode configuration on a PIX Firewall and Cisco
         IOS router.
        Describe and configure tunnel endpoint discovery on a Cisco
         IOS router.
        Describe and configure Perfect Forward Secrecy (PFS).
        Identify where NAT occurs in the IPSec negotiation process.
        Identify which IPSec protocol can work with address translation.

Page 231
   Dynamic Crypto Maps

    Characteristics:
        Used where peers are not always known
        Dynamic crypto map – crypto map without all parameters
         configured
        Used when peer initiates connection
        Not used LAN-to-LAN
        Dynamic crypto map entries should be lowest priority (highest
         sequence number)
    Procedure:
        Create the dynamic crypto maps
        Add dynamic crypto maps to crypto map set for device
        Available on PIX Firewalls and Cisco IOS routers


Page 232
   PIX Firewall Dynamic Crypto Map
   Commands
    Required:
       crypto dynamic-map dynamic-map-name dynamic-seq-num
       crypto dynamic-map dynamic-map-name dynamic-seq-num set
         transform-set transform-set-name1 [transform-set-name9]
    Optional:
       crypto dynamic-map dynamic-map-name dynamic-seq-num
         [option], where [option] is:
           match address acl_name
           set peer {hostname | ip-address}
           set pfs [group1 | group2]
           set security-association lifetime {seconds seconds | kilobytes
             kilobytes}



Page 233
   PIX Firewall Crypto Map Set
   Configuration
    Add dynamic crypto maps to firewall’s crypto map set
       crypto map map-name seq-num {ipsec-isakmp | ipsec-manual}
         [dynamic dynamic-map-name]
    Example
              crypto dynamic-map dmap 250 match address 110
              crypto dynamic-map dmap 250 set transform-set hisec
              crypto map allmap 35 ipsec-isakmp dynamic dmap
              crypto map allmap interface outside
              crypto ipsec transform-set hisec esp-3des esp-sha-hmac
              access-list 110 permit ip host 192.168.45.14 any



Page 234
   Cisco IOS Dynamic Crypto Map
   Commands
    Required
       crypto dynamic-map dynamic-map-name dynamic-seq-num –
         opens (config-crypto-map) mode
           set transform-set transform-set-name1 [transform-set-
             name2…transform-set-name6]
    Optional
           match address acl_name
           set peer {hostname | ip-address}
           set pfs [group1 | group2]
           set security-association lifetime {seconds seconds | kilobytes
             kilobytes}




Page 235
   Cisco IOS Crypto Map Set
   Configuration
    Add dynamic crypto maps to firewall’s crypto map set
       crypto map map-name seq-num {ipsec-isakmp | ipsec-manual}
         [dynamic dynamic-map-name]
    Example:
              crypto ipsec transform-set hisec esp-3des esp-sha-hmac
              crypto dynamic-map dmap 250
                 match address 110
                 set transform-set hisec
              crypto map allmap 35 ipsec-isakmp dynamic dmap
              interface Serial0
                 crypto map allmap
              access-list 110 permit ip host 192.168.45.14 any
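How a crypto map set containing the static and dynamic entries from the PIX and IOS examples above is evaluated, as an added Python model that is not part of the course material. It shows why dynamic entries cannot be used to initiate (they name no peer) and why they should carry the highest sequence number (a lower one shadows the static entries for known peers). Only the `any` and `host a.b.c.d` ACL forms used in the example are modelled; the peer and client addresses are constructed.

```python
# Added example (not from the slides): evaluation order of a crypto map set
# with static and dynamic entries. Sample peers/addresses are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MapEntry:
    seq: int                           # lower sequence number = evaluated first
    acl: Tuple[Tuple[str, str], ...]   # (source, destination) specs from permit lines
    transform_set: str
    peer: Optional[str] = None         # static entries name their peer
    dynamic: bool = False              # dynamic entries are templates without a peer


def spec_matches(spec: str, addr: str) -> bool:
    """Only the 'any' and 'host a.b.c.d' forms of the example ACL are modelled."""
    return spec == "any" or spec == f"host {addr}"


def acl_permits(acl, src: str, dst: str) -> bool:
    return any(spec_matches(s, src) and spec_matches(d, dst) for s, d in acl)


def by_sequence(entries: List[MapEntry]) -> List[MapEntry]:
    return sorted(entries, key=lambda e: e.seq)


def outbound_lookup(entries: List[MapEntry], src: str, dst: str) -> Optional[MapEntry]:
    """A packet leaving the interface: the first static entry whose ACL permits it
    wins. Dynamic entries have no peer to initiate to, so they are never used here."""
    for e in by_sequence(entries):
        if not e.dynamic and acl_permits(e.acl, src, dst):
            return e
    return None


def inbound_negotiation(entries: List[MapEntry], peer: str,
                        remote_net: str, local_net: str) -> Optional[MapEntry]:
    """A peer initiates IKE phase two proposing (remote_net -> local_net).
    Entries are tried in sequence order: a static entry matches only for its
    configured peer; a dynamic entry matches any peer and is instantiated with
    that peer filled in. The ACL reads local source -> remote destination from
    our side, so the proposal is checked mirrored."""
    for e in by_sequence(entries):
        permitted = acl_permits(e.acl, local_net, remote_net)
        if e.dynamic and (not e.acl or permitted):
            return MapEntry(e.seq, e.acl, e.transform_set, peer=peer, dynamic=True)
        if not e.dynamic and e.peer == peer and permitted:
            return e
    return None
```

The shadowing case in the test is the one the slide warns about: with the dynamic template at a lower sequence number than a static entry, even a known site-to-site peer is matched by the template, and the static entry's specific settings (peer, lifetime, PFS) never apply.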

Page 236
   VPNs Between Cisco Devices

    Cisco IOS Routers to
        Cisco IOS routers
        PIX Firewalls
        VPN 1.1 Clients
    PIX Firewalls to
        PIX Firewalls
        Cisco IOS routers
        VPN 3000 concentrators
        VPN 1.1 clients
        VPN 3000 clients
    VPN 3000 Concentrators to
        VPN 3000 concentrators
        PIX Firewalls
        VPN 3000 clients
Page 237
   Extended Authentication (Xauth)

    Xauth provides peer authentication within IKE through
        Terminal Access Controller Access Control System Plus
         (TACACS+)
        Remote Authentication Dial-In User Service (RADIUS)
    Works with
        Cisco Systems VPN 3000 Client version 2.5
        Cisco Secure VPN Client version 1.1
    Configuration
       aaa-server aaa-group-tag (if-name) host server-ip key timeout
         seconds
       crypto map map-name client authentication aaa-group-tag



Page 238
   Wildcard Preshared Keys

    Provides key that matches any unknown peer for IKE
     phase one authentication
        Potential security risk if compromised
        Recommend using Xauth along with wildcard preshared keys
    Configuration on PIX Firewall
       isakmp key keystring address peer-address [netmask netmask]
            Use peer-address of 0.0.0.0 to indicate wildcard preshared keys




Page 239
   IKE Mode Configuration

    IKE mode negotiation occurs between IKE phase one and
     phase two.
        ISP assigns outside address
        Mode configuration assigns inside address from VPN client pool




Page 240
   IKE Mode Configuration:
   PIX Firewalls
    Standard configuration
        Define IP address pool
           ip local pool pool_name pool-start-address[-pool_end-address]
        Reference address pool
           isakmp client configuration address-pool local pool-name [interface-name]
        Define crypto map
           crypto map map-name client configuration {initiate | respond}
    Security gateway exception [no-config-mode]
        Depends upon IKE authentication method.
       isakmp key keystring address ip-address [netmask] [no-xauth] [no-config-mode]
       isakmp peer fqdn fqdn [no-xauth] [no-config-mode]
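The wildcard preshared key slide and the security gateway exception above describe how a PIX Firewall picks a preshared key for an IKE phase one peer and whether that peer is then subject to Xauth and mode configuration. The following model, added here as an example and not Cisco code, reproduces that behaviour: an `isakmp key` entry with address 0.0.0.0 matches any unknown peer, and the `no-xauth` / `no-config-mode` flags exempt a security gateway peer. It assumes the most specific matching entry takes precedence over the wildcard; the key strings and addresses are constructed sample values.

```python
"""Preshared-key selection for IKE phase one on a PIX Firewall, modelled in Python.

Added example (not Cisco code): models `isakmp key keystring address peer-address
[netmask netmask] [no-xauth] [no-config-mode]` as the slides describe it.
Assumption: the most specific matching entry wins over the 0.0.0.0 wildcard.
Key strings and addresses are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

WILDCARD = "0.0.0.0"


@dataclass(frozen=True)
class IsakmpKey:
    """One `isakmp key ...` line."""
    keystring: str
    address: str
    netmask: str = "255.255.255.255"
    no_xauth: bool = False
    no_config_mode: bool = False

    def network(self) -> Optional[IPv4Network]:
        if self.address == WILDCARD:
            return None  # wildcard preshared key: no network restriction
        return IPv4Network(f"{self.address}/{self.netmask}", strict=False)

    def matches(self, peer: str) -> bool:
        net = self.network()
        return net is None or IPv4Address(peer) in net


def select_key(keys: List[IsakmpKey], peer: str) -> Optional[IsakmpKey]:
    """Most specific matching entry first; the wildcard is the fallback (assumed precedence)."""
    matching = [k for k in keys if k.matches(peer)]
    if not matching:
        return None
    return max(matching, key=lambda k: -1 if k.network() is None else k.network().prefixlen)


@dataclass(frozen=True)
class Phase1Outcome:
    key_kind: str          # "explicit", "wildcard" or "none"
    xauth: bool            # peer will be challenged for a username/password via AAA
    mode_config: bool      # peer will be assigned an inside address from the pool
    warning: Optional[str]


def phase1_outcome(keys: List[IsakmpKey], peer: str,
                   map_xauth: bool, map_mode_config: bool) -> Phase1Outcome:
    """Combine the matched key's flags with the crypto map's `client authentication`
    and `client configuration` settings."""
    key = select_key(keys, peer)
    if key is None:
        return Phase1Outcome("none", False, False, "no preshared key matches; phase one fails")
    kind = "wildcard" if key.address == WILDCARD else "explicit"
    xauth = map_xauth and not key.no_xauth
    mode_config = map_mode_config and not key.no_config_mode
    warning = None
    if kind == "wildcard" and not xauth:
        warning = ("wildcard preshared key without Xauth: anyone holding the key "
                   "authenticates as a peer; the slides recommend Xauth here")
    return Phase1Outcome(kind, xauth, mode_config, warning)


# Constructed sample configuration: one site-to-site gateway exempted from Xauth
# and mode config, plus a wildcard key for remote-access clients.
SAMPLE_KEYS = [
    IsakmpKey("gateway-psk-sample", "192.0.2.1", no_xauth=True, no_config_mode=True),
    IsakmpKey("client-psk-sample", WILDCARD),
]

if __name__ == "__main__":
    for peer in ("192.0.2.1", "198.51.100.7"):
        print(peer, phase1_outcome(SAMPLE_KEYS, peer, map_xauth=True, map_mode_config=True))
```

Running it shows the gateway peer authenticating on its explicit key with neither Xauth nor mode configuration, while an unknown client address falls through to the wildcard key and is prompted for Xauth and given a pool address; switching `map_xauth` off produces the warning that corresponds to the slide's "potential security risk".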

Page 241
   IKE Mode Configuration:
   Cisco IOS Router
    Standard configuration
        Define IP address pool.
           ip local pool pool_name pool-start-address[-pool_end-address]
        Reference address pool.
           crypto isakmp client configuration address-pool local pool-name
        Define crypto map.
           crypto map map-name client configuration address {initiate | respond}




Page 242
   Tunnel Endpoint Discovery

    Allows VPN initiator to locate peer dynamically
    Works with dynamic crypto maps
    Reduces multiple encryptions and setup time – highly
     scalable
    Cisco IOS command
       crypto map map-name map-number ipsec-isakmp dynamic dynamic-map-name [discover]




Page 243
   Perfect Forward Secrecy

    Without PFS, keys for new IPSec SAs are derived from the
     existing IKE key material
    With PFS, session keys are completely regenerated (a fresh
     Diffie-Hellman exchange) whenever IPSec SAs are renegotiated
    With PFS, if one key is compromised, previous and subsequent
     keys are not at risk
    PFS Configuration
        PIX Firewall
           crypto map map-name seq-num set pfs [group1 | group2]
        Cisco IOS router – in (config-crypto-map) mode:
           set pfs [group1 | group2]
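The PFS slide above states the property; the model below, added here as an example and not Cisco code, shows where it comes from in the IKEv1 quick-mode key derivation (RFC 2409 section 5.5). Without PFS, each IPSec SA's KEYMAT is prf(SKEYID_d, protocol | SPI | Ni | Nr), and everything except SKEYID_d crosses the wire in the clear, so one compromised SKEYID_d determines every SA negotiated under it. With PFS a fresh Diffie-Hellman shared secret is mixed in, and its exponents never leave the peers. Assumptions: HMAC-SHA1 stands in for the negotiated prf, the modulus is the 1024-bit MODP prime of IKE group 2 as recalled from RFC 2409 (the demonstration holds for any prime), and SKEYID_d, the nonces and the SPI are constructed sample values.

```python
"""Why PFS changes what a compromised key reveals: a model of IKEv1 quick-mode KEYMAT.

Added example (not Cisco code).  Assumptions: HMAC-SHA1 as prf; P is the IKE
group 2 modulus as recalled from RFC 2409; all key material is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional

G = 2
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d: bytes, protocol: int, spi: bytes, ni: bytes, nr: bytes,
           dh_shared: Optional[int] = None) -> bytes:
    """Quick-mode KEYMAT.  Without PFS: prf(SKEYID_d, protocol | SPI | Ni | Nr).
    With PFS the fresh DH shared secret g(qm)^xy is prepended to the data."""
    prefix = b"" if dh_shared is None else dh_shared.to_bytes(128, "big")
    return prf(skeyid_d, prefix + bytes([protocol]) + spi + ni + nr)


def dh_keypair():
    """Ephemeral DH exponent and public value; the exponent is never transmitted."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def quick_mode(skeyid_d: bytes, protocol: int, spi: bytes, ni: bytes, nr: bytes, pfs: bool):
    """One quick-mode negotiation.  Returns the initiator's KEYMAT, the responder's
    KEYMAT and the values visible on the wire."""
    wire = {"protocol": protocol, "spi": spi, "ni": ni, "nr": nr}
    if not pfs:
        k = keymat(skeyid_d, protocol, spi, ni, nr)
        return k, k, wire
    x, gx = dh_keypair()          # initiator keeps x, sends g^x
    y, gy = dh_keypair()          # responder keeps y, sends g^y
    wire.update(gx=gx, gy=gy)
    k_i = keymat(skeyid_d, protocol, spi, ni, nr, pow(gy, x, P))
    k_r = keymat(skeyid_d, protocol, spi, ni, nr, pow(gx, y, P))
    return k_i, k_r, wire


def derivable_from_skeyid(skeyid_d: bytes, wire: dict) -> bytes:
    """The KEYMAT that SKEYID_d plus the public wire values determine.  Without PFS
    this is the real key; with PFS the g^xy term is missing, so it is not."""
    return keymat(skeyid_d, wire["protocol"], wire["spi"], wire["ni"], wire["nr"])


# Constructed sample values (not real key material).
SKEYID_D = b"constructed-sample-skeyid_d"
ESP, SPI, NI, NR = 50, b"\x00\x00\x01\x00", b"constructed-Ni", b"constructed-Nr"


def pfs_comparison() -> dict:
    """Summarise the property as booleans so it can be checked, not just printed."""
    k_no, _, wire_no = quick_mode(SKEYID_D, ESP, SPI, NI, NR, pfs=False)
    k_pfs, k_pfs_r, wire_pfs = quick_mode(SKEYID_D, ESP, SPI, NI, NR, pfs=True)
    k_pfs_again, _, _ = quick_mode(SKEYID_D, ESP, SPI, NI, NR, pfs=True)
    return {
        "peers_agree_with_pfs": k_pfs == k_pfs_r,
        "no_pfs_keymat_reproducible": derivable_from_skeyid(SKEYID_D, wire_no) == k_no,
        "pfs_keymat_reproducible": derivable_from_skeyid(SKEYID_D, wire_pfs) == k_pfs,
        "pfs_rekey_gives_new_keymat": k_pfs_again != k_pfs,
    }


if __name__ == "__main__":
    for name, value in pfs_comparison().items():
        print(f"{name}: {value}")
```

The last entry is the point of `set pfs`: two renegotiations with identical nonces still produce unrelated KEYMAT, because each carries its own ephemeral exchange. `group1` and `group2` on the slide select the Diffie-Hellman modulus used for that exchange.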


Page 244
   IPSec with NAT

    NAT allows private IP subnets to connect to Internet
    PAT allows one external address to be used for all
     internal addresses
    PAT/NAT occurs before IPSec
        ISAKMP works with the translated address
        Authentication Header (AH) cannot work with NAT/PAT, because its
         integrity check covers the IP addresses that translation rewrites
            You must use ESP transforms
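The slide states that AH cannot cross NAT while ESP can. The following model, added here as an example and not from the slides or Cisco, builds a packet protected by AH (transport mode, HMAC-SHA1-96) and one protected by ESP (authentication only, null encryption so the payload stays readable), passes each through a NAT that rewrites the source address, and re-verifies the integrity check value. The addresses, key and payload are constructed sample values; it models address translation only, not the port rewriting of PAT.

```python
"""AH versus ESP integrity checks across a NAT, as a runnable model.

Added example (not Cisco code).  Addresses, key and payload are constructed.
"""
import hashlib
import hmac
import struct
from socket import inet_aton

AH, ESP, UDP = 51, 50, 17
KEY = b"constructed-sample-auth-key"
PAYLOAD = b"UDP payload (constructed)"


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header, no options, correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      64, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields AH treats as mutable (TOS, flags/fragment offset, TTL,
    checksum) before computing the ICV, per RFC 2402.  Addresses are covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return bytes(h)


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ah_packet(src: str, dst: str, payload: bytes, key: bytes = KEY, spi: int = 0x100, seq: int = 1) -> bytes:
    # AH fixed part: next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", UDP, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH, 24 + len(payload))
    icv = hmac_sha1_96(key, zero_mutable(ip_hdr) + ah_fixed + b"\0" * 12 + payload)
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(pkt: bytes, key: bytes = KEY) -> bool:
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = hmac_sha1_96(key, zero_mutable(ip_hdr) + ah_fixed + b"\0" * 12 + payload)
    return hmac.compare_digest(icv, expected)


def esp_packet(src: str, dst: str, payload: bytes, key: bytes = KEY, spi: int = 0x200, seq: int = 1) -> bytes:
    # ESP header (SPI, sequence) + payload + trailer (pad length 0, next header); ICV over all of that
    body = struct.pack("!II", spi, seq) + payload + struct.pack("!BB", 0, UDP)
    return ipv4_header(src, dst, ESP, len(body) + 12) + body + hmac_sha1_96(key, body)


def esp_verify(pkt: bytes, key: bytes = KEY) -> bool:
    body, icv = pkt[20:-12], pkt[-12:]   # the outer IP header is not part of the ICV
    return hmac.compare_digest(icv, hmac_sha1_96(key, body))


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """Model a NAT device: replace the source address and fix the IP checksum."""
    h = bytearray(pkt[:20])
    h[12:16] = inet_aton(new_src)
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def survives_nat(build, verify) -> bool:
    """True if the packet verifies both before and after source translation."""
    pkt = build("10.0.0.5", "192.0.2.10", PAYLOAD)
    return verify(pkt) and verify(nat_rewrite_source(pkt, "203.0.113.1"))


if __name__ == "__main__":
    print("AH survives NAT: ", survives_nat(ah_packet, ah_verify))    # False
    print("ESP survives NAT:", survives_nat(esp_packet, esp_verify))  # True
```

The AH check fails after translation purely because the source address is inside the data the ICV was computed over; the ESP ICV starts at the ESP header, so the outer address can change freely, which is what makes ESP transforms the usable choice behind NAT.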




Page 245
   Review Question 21

    What is the PIX Firewall feature called that allows it to
     perform IKE authentication using RADIUS or
     TACACS+?




Page 246
   Review Question 22

    What is the drawback to using wildcard preshared keys?




Page 247

				
DOCUMENT INFO
posted: 12/9/2011
pages: 243