Virtual Private Network (VPN) Flashcards

1
Q

Protocols used in VPNs (7)

A

Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Forwarding (L2F) Protocol
Layer 2 Tunneling Protocol (L2TP)
Generic Routing Encapsulation (GRE) Protocol
Multiprotocol Label Switching (MPLS) Protocol
Internet Protocol Security (IPSec)
Secure Sockets Layer (SSL)

2
Q

VPN implementations are categorized into two groups

A
  • Site-to-Site VPN (enables two or more sites to establish VPN tunnels between network infrastructure devices in different sites so that they can communicate over a shared medium such as the internet)
  • Remote-Access VPN (enables users to work from remote locations)
3
Q

Uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site and remote-access VPN tunnels.

A

IPSec

4
Q

Is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP)

A

IKE (Internet Key Exchange)

5
Q

Attributes in IKEv1 Phase 1

A
  • encryption algorithms
  • hashing algorithms
  • Diffie-Hellman groups
  • authentication method
  • vendor-specific attributes
6
Q

Traditional encryption algorithms used in IKE

A
  • Data Encryption Standard (DES)
  • Triple DES (3DES)
  • Advanced Encryption Standard (AES)
  • AES 192
  • AES 256
7
Q

Sample hashing algorithms

A

Secure Hash Algorithm (SHA)

Message Digest Algorithm 5 (MD5)

8
Q

IPSec uses two different protocols to encapsulate data over a VPN tunnel

A
Encapsulating Security Payload (ESP): IP protocol 50
Authentication Header (AH): IP protocol 51
9
Q

IPSec can use two modes with either AH or ESP:

A

Transport mode: protects upper-layer protocols such as User Datagram Protocol (UDP) and TCP
Tunnel mode: protects the entire IP packet

10
Q

This feature allows VPN peers to dynamically discover whether an address translation device exists between them. If they detect a NAT/PAT device, they use UDP port 4500 to encapsulate the data packets, subsequently allowing the NAT device to successfully translate and forward the packets.

A

NAT Traversal (NAT-T)

11
Q

Differences between IKEv1 and IKEv2

A
  • IKEv1 Phase 1 has two possible exchanges: main mode and aggressive mode. The IKEv2 IKE_SA has a single exchange of a message pair.
  • IKEv2 has a simple exchange of two message pairs for the CHILD_SA. IKEv1 Phase 2 has at least three message pairs.
  • IKEv2 supports the use of next-generation encryption protocols and anti-DoS capabilities.
  • IKEv1 does not allow the use of the Extensible Authentication Protocol (EAP). EAP allows IKEv2 to provide a solution for remote-access VPN as well.
12
Q

Remote-access VPN provides these properties if HTTPS (HTTP over SSL/TLS) is used

A
  • Secure communication using cryptographic algorithms (HTTPS/TLS offers confidentiality, integrity, and authentication)
  • Ubiquity: makes it possible for VPN users to access corporate resources remotely from anywhere using any PC without having to pre-install a remote-access VPN client
  • Low management cost: the clientless type of remote-access VPN is free of deployment cost and free of maintenance problems
  • Effective operation with a firewall and NAT
13
Q

Is a solution designed to secure connections from mobile devices. This

A

Cisco AnyConnect Secure Mobility

14
Q

Cisco IOS and Cisco IOS-XE tunnel interfaces support different types of encapsulation (or modes)

A
  • Generic Routing Encapsulation (GRE) protocol
  • IP-in-IP
  • Distance Vector Multicast Routing Protocol (DVMRP)
  • IPv6-in-IPv4
15
Q

Is defined by RFC 2784 and extended by RFC 2890. Provides a simple mechanism to encapsulate packets of any protocol (the payload packets) over any other protocol (the delivery protocol) between two endpoints.

A

Generic Routing Encapsulation (GRE)

16
Q

This command was introduced to simplify IPsec and GRE configurations.

A

Tunnel Mode

17
Q

Command to configure a multipoint GRE (mGRE) interface

A

tunnel mode gre multipoint

18
Q

Type of GRE Encapsulation where a single static GRE tunnel interface is used as the endpoint for multiple site-to-site tunnels.

A

Multipoint GRE (mGRE)

19
Q

Is a technology created by Cisco to reduce the hub router configuration. When deploying this, you configure a single mGRE tunnel interface, a single IPsec profile, and no crypto access list on the hub router.

A

Dynamic Multipoint VPN (DMVPN)

20
Q

Provides a collection of features and capabilities to protect IP multicast group traffic or unicast traffic over a private WAN

A

Group Encrypted Transport VPN (GETVPN)

21
Q

GETVPN relies on the following building blocks to provide the required functionality

A
  • GDOI (RFC 6407)
  • Key Servers (KSs)
  • Cooperative (COOP) KSs
  • Group Members (GMs)
  • IP tunnel header preservation
  • Group security association
  • Rekey mechanism
  • Time-based anti-replay (TBAR)
  • G-IKEv2
  • IP-D3P
22
Q

Minimum requirements of a basic GETVPN key server configuration

A
  • IKE policy
  • RSA key for rekeying
  • IPsec phase 2 policies
  • Traffic classification
23
Q

Minimum requirements of a basic GETVPN group member configuration

A

IKE policy
GDOI crypto map
Crypto map applied to an interface

24
Q

Is a framework to configure IPsec VPN on Cisco IOS devices. It was created to simplify the deployment of VPN solutions of all types

A

FlexVPN

25
Q

Benefits of FlexVPN

A
  • Can interoperate with non-Cisco IKEv2 implementations
  • Supports different VPN types (point-to-point, remote-access, hub-and-spoke, dynamic mesh)
  • Combines all these different VPN technologies using one command-line interface (CLI) set of configurations
  • Support for dynamic overlay routing
  • Integration with Cisco IOS AAA
  • Supports GRE and native IPsec encapsulations
  • Supports IPv4 and IPv6 overlay and underlay
26
Q

Show commands for troubleshooting IPsec VPN on Cisco routers

A
  • show crypto isakmp sa
  • show crypto ikev2 sa
  • show crypto ikev2 sa detailed
  • show crypto ikev2 session
27
Q

Show commands to display IKEv2 statistics

A
  • show crypto ikev2 stats
  • show crypto ikev2 stats exchange
  • show crypto ikev2 stats ext-service
  • show crypto ikev2 stats priority-queue
  • show crypto ikev2 stats timeout
28
Q

Debug commands to troubleshoot IPsec implementations

A
  • debug crypto isakmp
  • debug crypto ikev2
  • debug crypto ikev2 internal
  • debug radius authentication
  • debug crypto ipsec
29
Q

Command to obtain and view error events or exceptions in IKEv2 negotiations

A

show monitor event-trace crypto ikev2
30
Q

Configuring site-to-site VPN on Cisco ASA firewalls

A
  1. Enable ISAKMP
  2. Create the ISAKMP policy
  3. Set the tunnel type
  4. Define the IPsec policy
  5. Configure the crypto map
  6. Configure traffic filtering (optional)
  7. Bypass NAT
  8. Enable perfect forward secrecy
31
Q

Command to enable IKEv2 in the Cisco ASA site-to-site VPN config

A

crypto ikev2 enable outside
32
Q

Commands to create the ISAKMP policy in the Cisco ASA site-to-site VPN config

A

```
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
```
33
Q

Commands to set up the tunnel group in the Cisco ASA site-to-site VPN config

A

```
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key secret
 ikev2 local-authentication pre-shared-key secret
```
34
Q

Commands to configure the IPsec policy in the Cisco ASA for site-to-site VPN

A

```
crypto ipsec ikev2 ipsec-proposal mypolicy
 protocol esp encryption aes-256
 protocol esp integrity sha-512
```
35
Q

Configuring the crypto map in the Cisco ASA for site-to-site VPN

A

```
configure terminal
access-list outside-cryptomap line 1 remark ACL to encrypt traffic from site-a to site-b
access-list outside-cryptomap line 2 extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map outside_map 1 match address outside-cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev2 ipsec-proposal mypolicy
crypto map outside_map interface outside
```
36
Q

Command that is enabled by default and allows the Cisco ASA to bypass the ACL check for all VPN tunnels, including remote-access IPsec tunnels and SSL VPN tunnels

A

sysopt connection permit-vpn
37
Q

Commands in the Cisco ASA for a NAT exempt policy (identity NAT, so the VPN-bound traffic is not translated)

A

```
object network 192.168-Net
 subnet 192.168.10.0 255.255.255.0
object network 10.10-Net
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static 192.168-Net 192.168-Net destination static 10.10-Net 10.10-Net
```
38
Q

Is a cryptographic technique where newly generated keys are unrelated to any previously generated key

A

Perfect Forward Secrecy (PFS)
39
Q

Command in the Cisco ASA to enable PFS

A

crypto map outside_map 10 set pfs group5
40
Q

Additional attributes in Cisco site-to-site VPN configuration

A
  • OSPF updates over IPsec
  • Reverse route injection
  • NAT traversal
  • Tunnel default gateway
  • Management access
  • Fragmentation policies
41
Q

Steps to configure IPsec remote-access VPN in the Cisco ASA

A
  1. Enable ISAKMP (IKEv1)
  2. Create the IKEv1 (ISAKMP) policy
  3. Set up tunnel group policies
  4. Define the IPsec policy
  5. Configure user authentication
  6. Assign an IP address
  7. Create a crypto map
  8. Configure traffic filtering (optional)
  9. Bypass NAT (optional)
  10. Set up split tunneling (optional)
  11. Define DNS and WINS addresses (optional)
42
Q

Cisco ASA supports the following SSL VPN modes

A
  • Clientless (remote clients need only an SSL-enabled browser)
  • Thin client (remote clients need to install a small Java applet)
  • Full tunnel (remote clients need to install the SSL VPN client)
43
Q

Cisco ASA remote-access design considerations

A
  • Analyze the current environment and determine which features are needed
  • Determine how your users connect to the corporate network (hotel kiosks, computers in public places)
  • Determine the size of the SSL VPN deployment (concurrent users)
  • Load balancing
  • Make sure you have the appropriate licenses
44
Q

The infrastructure requirements for SSL VPN include, but are not limited to

A
  • ASA placement (if behind another firewall, make sure to open the ports)
  • User accounts (Active Directory, RADIUS, RSA SecurID, LDAP)
  • Administrative privileges: required for all connections with port forwarding if you want to use host mapping
45
Q

Pre-SSL VPN configuration steps

A
  • Enroll digital certificates
  • Set up tunnel and group policies
  • Set up user authentication
46
Q

Commands in the Cisco ASA to import a CA certificate manually

A

```
crypto ca trustpoint sslcertexample
 enrollment terminal
crypto ca authenticate sslcertexample
```
47
Q

Commands in the Cisco ASA to manually enroll a certificate

A

```
configure terminal
domain-name domain.org
crypto key generate rsa label domaincert
crypto ca trustpoint domaincert
 keypair domaincert
 id-usage ssl-ipsec
 no fqdn
 subject-name CN=omar-asa
 enrollment terminal
crypto ca enroll domaincert
```
48
Q

Command to import the identity certificate

A

crypto ca import domaincert certificate
49
Q

Command to activate the identity certificate

A

ssl trust-point domaincert outside
50
Q

Cisco ASA uses an inheritance model when it pushes network and security policies to the end-user sessions. You can configure policies at the following three policy locations

A
  • Under the default group policy (DfltGrpPolicy)
  • Under the user's assigned group policy
  • Under the specific user's policy
51
Q

Cisco ASA supports a number of authentication mechanisms and databases

A
  • RADIUS
  • NT Domain
  • Kerberos
  • SDI
  • LDAP
  • Digital certificates
  • Smart cards
  • SAML
  • Local databases
52
Q

UDP ports used by the Cisco ASA as defaults for authentication and accounting

A

1645 and 1646
53
Q

Most RADIUS servers use these assigned ports for authentication and accounting (official IANA)

A

1812 and 1813
54
Q

Commands in the ASA to configure a RADIUS server as the authentication server

A

```
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.10.123
 key thisisthekey
```
55
Q

Steps to enable clientless SSL VPN

A
  1. Enable clientless SSL VPN on an interface
  2. Configure SSL VPN portal customization
  3. Configure bookmarks
  4. Configure WebType ACLs
  5. Configure application access
  6. Configure client-server plug-ins
56
Q

Commands on the Cisco ASA to enable SSL VPN on the outside interface

A

```
webvpn
 enable outside
```
57
Q

Cisco ASA methods that allow application access

A
  • Smart tunnel (works at the application layer by establishing Winsock 2 connections)
  • Port forwarding
58
Q

Cisco AnyConnect Secure Mobility Client VPN can be installed on a user's computer using one of these methods

A
  • Web-enabled mode (download through the browser)
  • Standalone mode (download from a file server or cisco.com)
59
Q

Configuring Cisco AnyConnect Secure Mobility Client VPN is a two-step process

A
  1. Load the Cisco AnyConnect Secure Mobility Client package
  2. Define the Cisco AnyConnect Secure Mobility Client VPN attributes
60
Q

Before a Cisco AnyConnect Secure Mobility Client SSL VPN tunnel is functional, you have to configure the following two required actions

A
  1. Enable Cisco AnyConnect Secure Mobility connections
  2. Define the address pool
61
Q

Optional attributes to enhance the functionality of the Cisco AnyConnect Secure Mobility Client

A
  • Split tunneling
  • DNS and WINS assignment
  • Keeping the SSL VPN client installed
  • DTLS
  • Configuring traffic filters
  • Configuring a tunnel group
62
Q

Cisco ASA supports three different methods to assign an IP address back to the client

A
  • Local address pool
  • DHCP server
  • RADIUS server
63
Q

With this, the Cisco ASA notifies Cisco AnyConnect clients about secured subnets. The VPN clients, using the secured routes, encrypt only those packets that are destined for the network behind the security appliance

A

Split tunneling
64
Q

Steps to configure SSL and IPsec-IKEv2 remote-access VPN with the Remote Access VPN Policy wizard

A
  1. Navigate to Devices > VPN > Remote Access
  2. Enter a name. Select the VPN protocols (SSL or IPsec-IKEv2)
  3. Configure the connection profile
  4. Set the AAA method (AAA, certificates, or both)
  5. Select the RADIUS server, or a different one, for authorization and accounting
  6. Configure the different attributes in the group policy (authorization profile, IP address, AnyConnect settings, VLAN mapping, and user sessions)
  7. Add an address pool
  8. Create an IP pool
  9. Select the AnyConnect image that VPN users will use to connect to remote access
  10. Select the network interface and identity certificate
  11. View the summary of the remote-access VPN policy configuration
65
Q

The only supported client on endpoint devices for remote VPN connectivity to Cisco FTD devices

A

AnyConnect
66
Q

Debug command used to troubleshoot remote-access VPN connections on FTD devices

A

```
debug webvpn condition {group name | p-ipaddress ip_address [subnet subnet_mask] | reset | user name}
```

Example:

```
debug webvpn condition user hannah
show webvpn debug-condition
```
67
Q

Steps to configure site-to-site VPN on FTD devices

A
  1. Navigate to Devices > VPN > Site-to-Site VPN
  2. Create a new VPN topology by clicking the Firepower device
  3. Enter a unique name for the new topology and specify a topology type
  4. Specify the node pairs
  5. Select the devices you want to configure to establish the site-to-site VPN tunnel, their associated interfaces, and the IP addresses
68
Q

Example of DMVPN hub configuration

A

```
! The ISAKMP policy
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 14
! A dynamic ISAKMP key and IPsec profile
crypto isakmp key supersecretkey address 0.0.0.0
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile my_hub_vpn_profile
 set transform-set trans2
! The tunnel interface with NHRP
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication anothersupersecretkey
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ! This line must match on all nodes that want to use this mGRE tunnel.
 tunnel key 100000
 tunnel protection ipsec profile my_hub_vpn_profile
!
interface GigabitEthernet0/0
 ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
```
69
Q

A spoke configuration sample of DMVPN

A

```
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 14
crypto isakmp key supersecretkey address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile my_spoke_vpn_profile
 set transform-set trans2
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication anothersupersecretkey
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ! Configures the hub router as the NHRP next-hop server.
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile my_spoke_vpn_profile
!
interface GigabitEthernet0/0
 ip address dhcp hostname Spoke1
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
```
70
Q

Example of FlexVPN server configuration

A

```
! AAA configuration. R1 is configured with AAA authorization to use
! the RADIUS server (10.1.2.3) to retrieve the IKEv2 pre-shared keys.
aaa new-model
aaa group server radius radius_group1
 server name radius_server1
!
aaa authorization network aaa_psk_list group radius_group1
!
radius server radius_server1
 address ipv4 10.1.2.3 auth-port 1645 acct-port 1646
 key radius_server1_key
! The IKEv2 name mangler is configured to derive the AAA username from
! the hostname portion of the peer IKEv2 identity of type FQDN.
! When each branch router is configured with a unique local FQDN identity,
! the name mangler will yield a unique AAA username for the pre-shared key
! lookup on the RADIUS server.
! The IKEv2 profile is configured to match all the branch routers, based on
! the domain portion (secretcorp.org) of the peer FQDN identity.
! The profile is configured to use an AAA-based keyring that would retrieve
! the pre-shared keys, using AAA authorization from the RADIUS
! server specified in the referenced AAA method list.
! The referenced IKEv2 name mangler will yield a unique AAA username for
! pre-shared key lookup on the RADIUS server that is derived from the
! username portion of the peer FQDN identity.
crypto ikev2 name-mangler aaa_psk_name_mangler
 fqdn hostname
!
crypto ikev2 profile default
 match identity remote fqdn domain example.com
 identity local fqdn hq.example.com
 authentication local pre-share
 authentication remote pre-share
 keyring aaa aaa_psk_list name-mangler aaa_psk_name_mangler
```
71
Q

Example of FlexVPN client configuration

A

```
crypto ikev2 keyring local_keyring
 peer hub-router
  address 10.1.1.1
  pre-shared-key branch1-hub-key
crypto ikev2 profile default
 match identity remote fqdn hq.secretcorp.org
 identity local fqdn rtp-branch.secretcorp.org
 authentication local pre-share
 authentication remote pre-share
 keyring local local_keyring
```
72
Q

Feature that allows logging information to be stored in binary files so that you can later retrieve them without adding any more stress on the infrastructure device

A

Event-trace monitoring