Virtual Private Network (VPN) Flashcards
Protocols use in VPN (7)
Point-to-Point Tunneling (PPTP)
Layer 2 Forwarding (L2F) Protocol
Layer 2 Tunneling Protocol (L2TP)
Generic Routing Encapsulation (GRE) Protocol
Multiprotocol Label Switching (MPLS) Protocol
Internet Security Protocol (IPSec)
Secure Socket Layer (SSL)
VPN Implementation are categorized in Two Groups
- Site-to-Site VPN (enable two sites to establish VPN tunnels between two or more network infrastructure devices in different sites so that they can communicate over a shared medium as the internet
- Remote-Access VPN (enable user to work from remote locations)
Uses the internet key exchange (IKE) Protocol to negotiate and establish secured site-to-site remote access VPN tunnels.
IPSec
Is a framework provided by the internet security association and key management protocol (ISAKAMP)
IKE (Internet Key Exchange)
Attributes in IKEv1 Phase 1
- encryption algorithms
- hashing algorithms
- diffie-hellman groups
- authentication method
- vendor specific attributes
Traditional Encryption use in IKE
- Data Encryption Standard (DES)
- Triple DES (3DES)
- Advance Encryption Standard (AES)
- AES 192
- AES 256
Hashing Algorithms sample
Secure Hash algorithms (SHA)
Message digest algorithm 5 (MD5)
IPSEc uses two different protocols to encapsulate data over a VPN Tunnel
Encapsulate security payload (ESP) : IP protocol 50
Authentication Header (AH) : IP Protocol 51
IPSec can use two modes with either AH or ESP:
Transport mode: protect upper-layer protocols such as User Datagram Protocol (UDP) and TCP
Tunnel Mode : protect the entire IP Packet
This features allows VPN peers to dynamically discover wheter an address translation device exists betweeen them. If they detect NAT/PAT device, they use UDP Port 4500 to encapsulate the date packets, subsequently allowing the NAT device to successfully translate and forward the packets
NAT Traversal (NAT-T)
Differences with IKEv1 and IKEv2
- IKEv1 Phase 1 has two possible exchanges main mode and aggressive mode. IKEv2 IKE_SA. has a single exchange of message pair
- IKEv2 has a simple exchange of two message pairs for the CHILD_SA. IKEv1 in phase 2 has at least three message pairs.
- IKEV2 supports the use of next-generation encryption protocols and anti-DOS capabilities
- IKEv1 does not allow the use of Extensible Authenticaiton Protocol (EAP). EAP allows IKEv2 to provide a solution for remote-access VPN as well
Remote-Access VPN Provides this properties if HTTPS(HTTP over SSL/TLS) is used
- Secure communication using cryptographic algorithms (https/tls offers confidentiality, integrity and authentication)
- Ubitquity- make it possible for VPN users to access corporate resources remotely from anywhere using any PC without having to pre-install a remote access VPN client
- low management cost- the clientless type of remote access VPN free of deployment cost and free of maintenance problems
- effective operation with a firewall and nat
Is a solution designed to secure connections from mobile devices
Cisco AnyConnect Secure Mobility
Cisco IOS and Cisco iOS-XE tunnels interface support different types of encapsulation (or modes)
- Generic Routing Encapsulation (GRE) protocol
- IP-in-IP
- Distance Vector Multicast Routing Protocol (DVMRP)
- IPv6-in-IPv4
Is defined by RFC 2784 and extend by RFC 2890. Provides a simple mechanism to encapsulate packets of any protocol (the payload packets) over any other protocol (the delivery protocol) between two endpoints.
Generic Routing Protocol (GRE)
this command was introduced to simplify IPSEC and GRE configurations.
Tunnel Mode
command to configure Multiple GRE(mGRE) interface
tunnel mode gre multipoint
Type of GRE Encapsulation where a single static GRE tunnel interface is used as the endpoint for multiple site-to-site tunnels.
Multipoint GRE (mGRE)
Is a technology created by Cisco to reduced the hub router configuration.. When deploying this, you configure a single mGRE tunnel interface, a single IPSEC profile and no crypto access-list on the hub router.
Dynamic Multipoint VPN (DMVPN)
Provides a collection of features and capabilities to protect IP multicast group traffic or unicast traffic over a private WAN
Group Encrypted Transport VPN (GETVPN)
GETVPN relies on the following building blocks to provide the required functionality
- GDOI (RFC 6407)
- Key Servers (KSs)
- Cooperative (COOPS) KSs
- Group Members (GMs)
- IP tunnel header preservation
- Group Security association
- Rekey mechanisim
- Time-based anti-reply (TBAR)
- G-IKEv2
- IP-D3P
Minimum Requirements of a basic GETVPN key server configuration
- IKE Policy
- RSA key for re-keying
- IPSEC phase 2 policies
- Traffic classification
Minimum Requirements of a basic GETVPN group member configuration
IKE Policy
GDOI crypto map
Crypto map applied to an interface
Is a framework to configure IPSEC VPN on Cisco IOS devices. IT was created to simplify the deployment of VPN solutions of all type
FlexVPN
Benefits of FlexVPN
- Can interoperate with Non-CISCO IKEv2 implementations
- Support different VPN (point-to-point, remote-access, hub-and-spoke, dynamic mesh
- Combines all these different VPN technologies using one command-line interface (CLI) set of configurations
- Support for dynamic overlay routing
- Integration with CISCO IOS AAA
- Support GRE and native IPSEC encapsulations
- Support IPV4 and IPv6 overlay and underlay
Show commands for troubleshooting IPSec VPN in Cisco Routers
- show cyrpto isakmp sa
- show crypto ikev2 sa
- show crypto ikev2 sa detailed
- show crypto ikev2 sessions
Show commands to display IKEv2 statistic
- show crypto ikev2 stats
- show crypto ikev2 stats exchange
- show crypto ikev2 stats ext-service
- show crypto ikev2 stats priority-queue
- show crypto ikev2 stats timeout
Debug commands to troubleshoot IPSec implementations
- debug crypto isakmp
- debug crypto ikev2
- debug crypto ikev2 internal
- debug radius authentication
- debug crypto ipsec