Virtual Private Networks & Interfaces Flashcards
Typical VPN technologies used in Site-to-Site VPNs
1) Individual point-to-point VPN - 2 sites interconnect using a secure VPN path
2) Hub-and-spoke - One central site is considered a hub, and all other sites (spokes) peer exclusively with the central site devices
3) Fully meshed - Every device is connected to every other network device
4) Partial Mesh - A network in which some devices are organized in a full mesh topology, and other devices form either a hub-and-spoke or a point-to-point connection to some of the fully meshed devices.
5) Tiered hub-and-spoke - A network of hub-and-spoke topologies in which a device can behave as a hub in one or more topologies and a spoke in other topologies. Traffic is permitted from spoke groups to their most immediate hub.
6) Joined hub-and-spoke - A combination of two topologies (hub-and-spoke, point-to-point, or full mesh) that connect to form a point-to-point tunnel. For example, a joined hub-and-spoke topology could comprise two hub-and-spoke topologies, with the hubs acting as peer devices in a point-to-point topology.
Site-to-Site VPN Bullet Points
Connect sites as a replacement for a classic WAN
Use peer (site) authentication and cryptographic path protection
Require basic network traffic controls
Frequently use IPsec for its cryptographic security services
Often work over controlled networks (MPLS) or internet backbones
Often require high availability and performance guarantees (QoS)
Can be configured to function in several different ways
Dynamic Multipoint VPN (DMVPN)
enables site-to-site VPNs without a permanent VPN connection between sites and can dynamically create IP Security (IPsec) tunnels
FlexVPN
uses the capabilities of the Internet Key Exchange version 2 (IKEv2)
IPsec
- designed to provide interoperable, high-quality, and cryptographically based transmission security to IP traffic
- Defined in RFC 4301 and combines the protocols IKE/IKEv2, Authentication Header (AH), and Encapsulation Security Payload (ESP) into a cohesive security framework
- offers access control, connectionless integrity, data origin authentication, protection against replays, confidentiality, and limited traffic flow confidentiality
- For transport mode, new headers are placed after the IP header and before the Layer 4 protocol (typically TCP or UDP)
- For tunnel mode, a new IP header is created in place of the original; this allows for the encryption of the entire original packet.
- The new headers provide information for securing the payload of the IP packet. Note that all IPsec VPNs use tunnel mode by default.
IKE/IKEv2
- Provides a framework for policy negotiation and key management
- IKE provides key management to IPsec.
- hybrid protocol that is defined by RFC 2408
- uses parts of several other protocols (Internet Security Association and Key Management Protocol (ISAKMP), Oakley, and Skeme) to automatically establish a shared security policy and authenticated keys for services that require keys, such as IPsec
Authentication Header (AH)
Provides an encapsulation for authentication of user traffic
- Mostly obsolete - AH is not supported on the Cisco ASA security appliance.
- AH defines a user traffic encapsulation that provides data integrity, data origin authentication, and protection against replay to user traffic. There is no encryption provided by AH.
Encapsulation Security Payload (ESP)
Provides an encapsulation for encryption and authentication of user traffic
- ESP defines a user traffic encapsulation that provides data integrity, data origin authentication, protection against replays, and confidentiality to user traffic. ESP offers data encryption, and is preferred over AH.
Security Associations (SA)
defines the following parameters:
- Algorithms
- Keys
- Traffic
- Other parameters
- If AH or ESP protection is applied to a traffic stream, two (or more) security associations are created to provide protection to the traffic stream
- To secure typical, bidirectional communication between two hosts or between two security gateways, two security associations (one in each direction) are required.
Reasons to implement IKE in IPsec
Scalability
Manageable manual configuration
Security association characteristics negotiation
Automatic key generation
Automatic key refresh
IPsec Modes
1) Transport mode: Encrypts only the data portion (payload) of each packet and leaves the packet header untouched. Transport mode is applicable to either gateway or host implementations, and provides protection for upper layer protocols and selected IP header fields.
2) Tunnel mode: More secure than transport mode because it encrypts both the payload and the header. IPsec in tunnel mode is normally used when the ultimate destination of a packet is different than the security termination point. This mode is also used in cases when the security is provided by a device that did not originate packets, as in the case of VPNs. Tunnel mode is often used in networks with unregistered IP addresses. The unregistered address can be tunneled from one gateway encryption device to another by hiding the unregistered addresses in the tunneled packet.
ISAKMP Policy Contents
An authentication method, to ensure the identity of the peers.
An encryption method, to protect the data and ensure privacy.
A Hashed Message Authentication Code (HMAC) method to ensure the identity of the sender, and to ensure that the message has not been modified in transit.
A Diffie-Hellman (DH) group to determine the strength of the encryption-key-determination algorithm. The security appliance uses this algorithm to derive the encryption and hash keys.
A limit to the time the security appliance uses an encryption key before replacing it.
IPsec VPN Types
1) virtual tunnel interfaces (VTIs)
2) Dynamic Multipoint VPNs (DMVPNs)
3) Cisco IOS FlexVPN
Cisco IPsec VTI
a tool that customers can use to configure IPsec-based VPNs between site-to-site devices.
- A major benefit of IPsec VTIs is that the configuration does not require a static mapping of IPsec sessions to a physical interface. The IPsec tunnel endpoint is associated with a virtual interface. Because there is a routable interface at the tunnel endpoint, you can apply many common interface capabilities to the IPsec tunnel.
- It requires fewer configuration lines because crypto maps are automatically generated for each tunnel. Features for plaintext packets are configured on the VTI; features for encrypted packets are applied on the physical, outside interface.
They behave as regular tunnels, one for each remote site of the VPN.
Their encapsulation must be either IPsec Encapsulating Security Payload (ESP) or Authentication Header (AH). Their line protocol depends on the state of the VPN tunnel (IPsec Security Associations [SAs]).
DMVPN Benefits
Lowers capital and operational expenses: Reduces costs in integrating voice and video with VPN security.
Simplifies branch communications: Enables direct branch-to-branch connectivity for business applications such as voice.
Reduces deployment complexity: Offers a zero-touch configuration, dramatically reducing the deployment complexity in VPNs.
Improves business resiliency: Prevents disruption of business-critical applications and services by incorporating routing with standards-based IPsec technology.
FlexVPN Benefits
Flexibility in Transport network: FlexVPN can be deployed either over a public Internet or a private Multiprotocol Label Switching (MPLS) VPN network.
Easy Deployment Style: It is designed for the concentration of both site-to-site VPN and remote-access VPN. One single FlexVPN deployment can accept both types of connection requests at the same time.
Failover redundancy: Three different types of redundancy models can be implemented with FlexVPN:
- Dynamic routing protocols over FlexVPN tunnels. Path and headend selection is based on dynamic routing metrics.
- IKEv2-based dynamic route distribution and server clustering.
- IPsec/IKEv2 active/standby stateful failover between two chassis.
Third-party compatibility: As the IT world transitions to cloud- and mobile-based computing, more VPN routers and VPN endpoints from different vendors are required. The Cisco IOS FlexVPN solution provides compatibility with any IKEv2-based third-party VPN vendors, including native VPN clients from Apple iOS and Android devices.
IP Multicast support: FlexVPN natively supports IP Multicast in two ways:
- The FlexVPN hub router replicates IP Multicast packets for each spoke.
- If the transport network supports native IP Multicast, the FlexVPN hub router can choose to have the transport network do multicast packet replication after IPsec encryption.
Superior Quality of Service (QoS): The architecture of Cisco IOS FlexVPN easily allows hierarchical QoS to be integrated at the tunnel or per Security Association (SA) basis:
- Per tunnel QoS for each spoke at the FlexVPN hub router.
- Per tunnel QoS dynamically applied to direct traffic between spokes.
Centralized policy control: VPN dynamic policies such as split-tunnel policy, encryption network policy, VRF selection, DNS server (for remote access), and so on can be fully integrated with the AAA/RADIUS server and applied on a per-peer basis.
VRF awareness: The Cisco IOS FlexVPN solution can be fully integrated with MPLS VPN networks for the service provider type of deployment. Both inside VRF and front-door VRF are supported. Inside VRF assignment policy can be managed by the centralized AAA server.
VTI Benefits
Simplifies configuration: Customers can use the virtual tunnel constructs to configure an IPsec peering, thus simplifying the complexity of the VPN configuration as compared to crypto maps or GRE IPsec tunnels.
Flexible interface feature support: An IPsec VTI is an encapsulation that uses its own Cisco IOS Software interface. This characteristic offers the flexibility of defining features to run on either the physical interface (that operates on ciphertext traffic) or on the IPsec VTI (that operates on cleartext traffic).
Multicast support: Customers can use the IPsec VTIs to securely transfer multicast traffic such as voice and video applications from one site to another.
Improved scalability: IPsec VTIs need fewer established SAs to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.
Provides a routable interface: Like GRE IPsec, IPsec VTIs can natively support all types of IP routing protocols, which provide scalability and redundancy.
VTI Limitations
The IPsec VTI is limited to only IP unicast and multicast traffic, as opposed to GRE tunnels, which have a wider, multiprotocol application.
Cisco IOS Software IPsec stateful failover is not supported with IPsec VTIs. However, you can use alternative failover methods such as dynamic routing protocols to achieve similar functionality.
VTI Deployment Guidelines
Use VTI-based site-to-site VPNs as the default IPsec technology for individual point-to-point VPN links and for hub-and-spoke VPNs.
Consider deploying DMVPN or Group Encrypted Transport (GET VPN) for larger environments with partial or fully meshed VPN requirements.
Basic IKE peering using PSK Configuration Tasks
1) Set up an IKE SA between two peers.
- Use PSKs for mutual authentication.
- Use an encryption and hashing algorithm to guarantee confidentiality and integrity of the key management session.
- Use a DH exchange of an appropriate strength (group) to provide keying material to IKE and IPsec.
- Use appropriate session lifetimes.
2) Create a PSK and bind it to the name or IP address of the VPN peer.
Configuring IKE peering between VPN members is the first step when configuring VTI-based IPsec VPNs. You should determine the IKE (ISAKMP) phase 1 policy requirements that you want to use, and then configure those policies on all peers. Having a detailed IKE policy plan lessens the chances of improper configuration.
IKE Peering Planning Steps
Determine the peer authentication method: Choose the peer authentication method based on the credentials that are provisioned to all peers. Cisco IOS Software supports either PSKs, Rivest–Shamir–Adleman (RSA)-encrypted nonces, or RSA signatures to authenticate IPsec peers. This topic focuses on using PSKs.
Determine the session protection policy for the IKE session: Specify an encryption and hashing algorithm that will be used to protect IKE packets.
Determine the strength of the session key exchange method: IPsec uses the Diffie-Hellman (DH) algorithm to exchange session keys. The length of DH keys is determined by the DH group, which is part of an IKE policy.
Use an appropriate IKE session lifetime: Typically, the default Cisco IOS Software IKE session lifetime is appropriate for most use scenarios.
Default IKE PSK-Based Policies
Priority: 65508 = PSK, AES, SHA, DH5
Priority: 65510 = PSK, AES, MD5, DH5
Priority: 65512 = PSK, 3DES, SHA, DH2
Priority: 65514 = PSK, 3DES, MD5, DH2
- avoid using policies that use MD5
- avoid using policies that use DH2
- use the highest priority policy (65508) for optimal security
Command to create new IKE policy
crypto isakmp policy 10
Command to specify PSKs for authentication
authentication pre-share