01 - IPsec Intro

Question 1

Two primary IPsec protocols

Answer 1

Encapsulating Security Payload (ESP)
Authentication Header (AH)

Question 2

CET

Answer 2

Cisco Encryption Technology

IOS 11.2, August 2003

Question 3

CET Features / Capabilities

Answer 3

Commercial grade in the sense that it was a major simplification over the former systems. It allowed a mere mortal to configure a very regular and relatively cheap router (Cisco 2500) to encrypt data across a public Layer 3 network. The cryptographic algorithms were very good: DES, then 3-DES, Diffie-Hellman key exchange. At 160 Kbps, the throughput was acceptable in those days (~2003)

Question 4

4 Steps of Technology Deployment

Answer 4

1. Make it work.
2. Make it work reliably.
3. Make it work at speed.
4. Make it work at scale.

Question 5

What did CET evolve into?

Answer 5

CET evolved into IKE/ISAKMP + IPsec

Question 6

RFC 2408

Answer 6

Internet Security Association and Key Management Protocol (ISAKMP)

Question 7

Limits of Crypto Maps

Answer 7

• the combinatory explosion of source/destination pairs on ever larger and complex networks
• code complexity due to packets being stolen in OSI layer 2 and re-encapsulated into a new IP header (OSI layer 3)

Question 8

Control plane issues which triggered many race conditions in IKE/ISAKMP implementations

Answer 8

1. IKE itself and its rekey complexity

2. Differences in behavior between IKE SA rekeys and IPsec SA rekeys

Question 9

Effect of security policy size explosion

Answer 9

The security policy size explosion made mesh networks totally unmanageable.

Question 10

Limitation of GRE protected by IPsec in order to run routing protocols on top of the tunnels

Answer 10

Scalability was relatively limited due to hardware performance.

Question 11

Basic function of NHRP protocol

Answer 11

Establish circuits on demand

Question 12

EasyVPN Summary

Answer 12

EasyVPN supported remote access (especially the software client) compact but the feature had grown organically and the UI was terrible; it was also crypto map based, and its quality was poor.

Question 13

Enhanced EasyVPN Summary

Answer 13

Enhanced Easy VPN solved the crypto map problem and was a major improvement over Easy VPN, but it did not enjoy proper marketing and remained poorly adopted.
The UI was the same and hence difficult.

Question 14

What caused GRE/IPsec to gradually disappear?

Answer 14

GRE/IPsec was slowly disappearing at the benefit of DMVPN and tunnel protection in the site-to-site scenarios.

Question 15

GET VPN Summary

Answer 15

GET VPN has lower security and limited scalability, but it is lighter on resources when used properly, if the use case is adequate. Notably, it allows native multicast.

Question 16

Issue with DMVPN

Answer 16

DMVPN was growing in both the hub-and-spoke and partial mesh cases, but the routing protocol was a deterrent for Security Operations who preferred using EasyVPN.

Question 17

FlexVPN CLI

Answer 17

Clear, consistent, compact, and powerful CLI: simple things ought to be simple to configure, complex things ought to be possible.

Question 18

FlexVPN and Routing Protocols

Answer 18

Using routing protocols should be a customer choice, not mandatory.

Question 19

FlexVPN and NHRP

Answer 19

NHRP usage could decrease except for spoke-spoke tunnel creation.

Question 20

FlexVPN Scale

Answer 20

Increased scale to 10,000 tunnels per hub at least.

Question 21

FlexVPN and Remote Access Management

Answer 21

All the remote access management features had to be applicable to site-to-site and hub-and-spoke (AAA authorization in particular to apply per user QoS, ACLs, and so on.)

Question 22

FlexVPN and Reliance on PKI / Pre-Shared Keys

Answer 22

Reduce the reliance on PKI and make pre-shared keys more manageable.
Both had to be possible, at least for hub-and-spoke

Question 23

FlexVPN and the CLI

Answer 23

For the first time all VPN technologies could be configured under a single CLI construct.

Question 24

Effect of FlexVPN on IOS

Answer 24

FlexVPN has allowed IKEv2 and IPsec VPNs on Cisco IOS to become a lot more user friendly.

Question 25

Issues for IPsec VPNs

Answer 25

NAT traversal
fragmentation
segmentation
IP dual stack
multicast
non-IP protocols

Question 26

3 IPsec Databases

Answer 26

1. Security Policy Database (SPD)
2. Security Association Database (SADB)
3. Peer Authorization Database (PAD)

Question 27

Two Modes of IPsec

Answer 27

1. Tunnel Mode

2. Transport Mode

Question 28

Important IKE Packet Exchanges

Answer 28

SA_INIT
IKE_AUTH
INFORMATIONAL
CREATE_CHILD_SA