13 - Understanding Virtual Private Networks and Interfaces Flashcards

1
Q

What are the 3 types of site-to-site VPN topology?

A

  • Individual point-to-point tunnels
  • Hub and spoke
  • Full mesh
  • In addition, you could have more complex combinations such as partial mesh, tiered hub and spoke, or joined hub and spoke

2
Q

What are some characteristics of site to site VPNs?

A
  • Connects sites as replacement for WAN
  • Use peer (site) auth and cryptographic path protection
  • Require basic network traffic controls
  • Frequently use IPsec for cryptographic security services
  • Often work over controlled networks (MPLS) or internet backbones
  • Often require HA and performance guarantee (QoS)
  • Can be configured to function in several different ways
3
Q

IPsec combines these protocols into a cohesive security framework.

A
  • IKE/IKEv2
  • AH
  • ESP
4
Q

What does IKE/IKEv2 do?

A

Provides a framework for policy negotiation and key management

5
Q

What does AH do?

A

  • Provides encapsulation for authentication of user traffic
  • Provides data integrity, data origin authentication, and protection against replay of user traffic
  • No encryption is provided
  • Mostly obsolete

6
Q

What does ESP do?

A

  • Provides an encapsulation for encryption and authentication of user traffic
  • Provides data integrity, data origin authentication, protection against replays, and confidentiality
  • Offers data encryption
  • Preferred over AH

7
Q

IPsec provides IP ___ and defines a new set of headers to be added to IP datagrams

A

network layer encryption

8
Q

You can use __ and __ independently or together, although for most applications, just one of them is sufficient (__ is preferred, __ is considered obsolete)

A

AH, ESP, ESP, AH

9
Q

__ is not supported on the Cisco ASA security appliance

A

AH

10
Q

Both AH and ESP use ___, and a major function of IKE is to establish and maintain ___.

A

security associations

11
Q

A __ is a simple description of current traffic protection parameters (algorithms, keys, traffic specification, and so on) that you apply to specific user traffic flows

A

security association

12
Q

AH or ESP provides __ ___ to a security association

A

security services

13
Q

If AH or ESP protection is applied to a traffic stream, ___ security associations are created to provide protection to the traffic stream

A

two or more

14
Q

To secure typical, bi-directional communication between two hosts or between two security GWs, ___ are required.

A

two security associations (one in each direction)

15
Q

What are the features of IKE?

A
  • Hybrid protocol
  • Uses parts of several other protocols (ISAKMP, Oakley, SKEME) to automatically establish a shared security policy and authenticated keys for services that require keys, such as IPsec
  • Creates an authenticated, secure connection between two entities, then negotiates security associations on behalf of the IPsec stack
16
Q

What are the benefits of implementing IKE in IPsec configuration?

A
  • Scalability
  • Manageable manual configuration
  • Security association characteristics negotiation
  • Automatic key generation
  • Automatic key refresh
17
Q

What are the two encryption modes supported by IPsec?

A

transport mode, tunnel mode

18
Q

What are the features of transport mode?

A
  • encrypts only the data portion (payload) of each packet
  • leaves the packet header untouched
  • Applicable to either GW or host implementations
  • Provides protection for upper layer protocols and selected IP header fields
19
Q

What are the features of tunnel mode?

A
  • More secure than transport mode because it encrypts the payload and the header
  • IPsec in tunnel mode is normally used when the destination of a packet is different than the security termination point
  • Also used in cases when the security is provided by a device that did not originate packets, as in the case of VPNs
  • Often used in networks with unregistered IP addresses
  • Unregistered address can be tunnelled from one GW encryption device to another by hiding the unregistered address in the tunnelled packet
20
Q

When configuring IPsec, peers must agree on an __ policy

A

ISAKMP

21
Q

An ISAKMP policy should include:

A
  • An authentication method, to ensure the identity of the peers
  • An encryption method, to protect the data and ensure privacy
  • A hashed message authentication code (HMAC) method, to ensure the identity of the sender and ensure the message has not been modified in transit
  • A Diffie-Hellman group, to determine the strength of the encryption-key-determination algorithm. The security appliance uses this algorithm to derive the encryption and hash keys
  • A limit to the time the security appliance uses an encryption key before replacing it
22
Q

What are the features of a Cisco IPsec VTI (virtual tunnel interface) VPN?

A
  • A tool that customers can use to configure IPsec-based site-to-site VPNs
  • Provides a designated pathway across a shared WAN
  • Encapsulates traffic with new packet headers
  • Provides true confidentiality (as does encryption) and can carry encrypted data
23
Q

What are the features of DMVPN?

A
  • Cisco solution for building scalable IPsec VPNs
  • Uses centralised architecture to provide easier implementation
  • Allows branch locations to communicate directly with each other over the public WAN or internet, but does not require a permanent VPN connection between sites
  • Enables zero-touch deployment of IPsec VPNs and improves network performance by reducing latency and jitter, while optimising bandwidth (BW) utilisation
24
Q

What are the features of Cisco IOS FlexVPN?

A

  • Flexibility in transport network – can be deployed either over the public internet or a private MPLS VPN network
  • Easy deployment style – designed for the concentration of both site-to-site VPN and remote access VPN. One single FlexVPN deployment can accept both types of connection requests at the same time
  • Failover redundancy – three different types of redundancy model can be implemented with FlexVPN:
    o Dynamic routing protocols over FlexVPN tunnels. Path/head-end selection is based on dynamic routing metrics
    o IKEv2-based dynamic route distribution and server clustering
    o IPsec/IKEv2 active/standby stateful failover between two chassis
  • Third-party compatibility – provides compatibility with any IKEv2-based third-party VPN vendor, including native VPN clients from Apple iOS and Android devices
  • IP multicast support – natively supports IP multicast in two ways:
    o The FlexVPN hub router replicates IP multicast packets for each spoke
    o If the transport network supports native IP multicast, the FlexVPN hub router can choose to have the transport network do multicast packet replication after IPsec encryption
  • Superior QoS – easily allows hierarchical QoS to be integrated at the tunnel or per-SA (security association) basis:
    o Per-tunnel QoS for each spoke at the FlexVPN hub router
    o Per-tunnel QoS dynamically applied to the direct traffic between spokes
  • Centralised policy control – VPN dynamic policies such as split-tunnel, encryption network policy, VRF selection, and DNS server can be fully integrated with the AAA/RADIUS server and applied on a per-peer basis
  • VRF awareness – can be fully integrated with MPLS VPN networks for service-provider-type deployments. Both inside VRF and front-door VRF are supported

25
Q

IPsec ___ simplifies the configuration process when you must provide site-to-site VPNs

A

VTIs

26
Q

Replaces crypto map-based configurations; intuitive to configure and integrates better with Cisco IOS software features

A

VTIs

27
Q

What are the features of VTIs?

A
  • They behave as regular tunnels, one for each remote site of the VPN
  • Their encapsulation must be either ESP or AH
  • Their line protocol depends on the state of the VPN tunnel (IPsec Security Associations)
28
Q

What are some benefits of an IPsec VTI?

A
  • Simplified configuration – can use virtual tunnels to configure IPsec peering
  • Flexible interface feature support – an encapsulation that uses its own Cisco IOS software interface
  • Multicast support – securely transfers multicast traffic such as voice and video
  • Improved scalability – fewer established SAs to cover different types of traffic, both unicast and multicast, thus improving scalability
  • Provides a routable interface – natively supports all types of IP routing protocols
29
Q

What are some limitations of VTIs?

A
  • Limited to only IP unicast and multicast traffic, as opposed to GRE tunnels which have a wider, multiprotocol application
  • IPsec stateful failover is not supported; however, alternative failover methods such as dynamic routing protocols can be used to achieve similar functionality
30
Q

What are the guidelines when deploying VTI-based site-to-site IPsec VPNs?

A
  • Use VTI-based site-to-site VPNs as the default IPsec technology for point-to-point and hub-and-spoke VPNs
  • Consider deploying DMVPN or Group Encrypted Transport VPN (GET VPN) for larger environments with partial or fully meshed VPN requirements
31
Q

How would you configure basic IKE peering using pre-shared keys? (not config)

A

• The first task in deploying VTI-based point-to-point IPsec VPNs is setting up an IKE security association between the two peers:
o Using PSKs for mutual auth
o An encryption and hashing algorithm to guarantee confidentiality and integrity
o Using a DH exchange of an appropriate strength
o Using appropriate session lifetimes
• Requires you to create a PSK and bind it to the name or IP address of the VPN peer

32
Q

How do you configure IKE peering? (config)

A
  • crypto isakmp policy 10 – creates a new IKE policy
  • authentication pre-share – specifies PSKs for authentication
  • hash sha – sets the hash algorithm
  • encr aes 128 – sets the encryption algorithm
  • group 14 – sets the DH group for key exchange
  • lifetime 3600 – configures the SA lifetime (in seconds)
  • crypto isakmp key wqednf0jqfoq09249iv address 172.17.2.24 – creates a random, long PSK and binds it to the IP address of the peer
33
Q

How do you display parameters of each local IKE policy?

A

show crypto isakmp policy

34
Q

How do you verify the status of the IKE peering SAs?

A

show crypto isakmp sa

35
Q

How do you configure static VTI point-to-point tunnels?

A

Create IKE policy:
R2(config)# crypto isakmp policy 10
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# hash sha
R2(config-isakmp)# encryption aes 128
R2(config-isakmp)# group 14
R2(config-isakmp)# lifetime 3600
Create a PSK and bind it to the IP address of the other end of the tunnel:
R2(config)# crypto isakmp key cisco address 172.18.4.2
Create a transform set to determine the encryption and data authentication hash for the IPsec SA. This must match an equivalent policy on the peer:
R2(config)# crypto ipsec transform-set MYSET esp-aes 128 esp-sha-hmac
Create IPsec profile, and include transform set in the profile:
R2(config)# crypto ipsec profile MYPROFILE
R2(ipsec-profile)# set transform-set MYSET
Create tunnel interface and specify source and destination:
R2(config)# interface Tunnel0
R2(config-if)# ip unnumbered Ethernet0/0
R2(config-if)# tunnel source Ethernet0/0
R2(config-if)# tunnel destination 172.18.4.2
Specify IPsec as tunnel encapsulation, and traffic protection policy by referencing the configured IPsec profile:
R2(config)# interface Tunnel0
R2(config-if)# tunnel mode ipsec ipv4
R2(config-if)# tunnel protection ipsec profile MYPROFILE

36
Q

How do you verify the status of the IPsec SA?

A

show crypto ipsec sa

37
Q

How do you verify the status of the tunnel interface?

A

show interface tunnel 0