Virtual Private Networks & Interfaces Flashcards

1
Q

Typical VPN technologies used in Site-to-Site VPNs

A

1) Individual point-to-point VPN - 2 sites interconnect using a secure VPN path
2) Hub-and-spoke - One central site is considered a hub, and all other sites (spokes) peer exclusively with the central site devices
3) Fully meshed - Every device is connected to every other network device
4) Partial Mesh - A network in which some devices are organized in a full mesh topology, and other devices form either a hub-and-spoke or a point-to-point connection to some of the fully meshed devices.
5) Tiered hub-and-spoke - A network of hub-and-spoke topologies in which a device can behave as a hub in one or more topologies and a spoke in other topologies. Traffic is permitted from spoke groups to their most immediate hub.
6) Joined hub-and-spoke - A combination of two topologies (hub-and-spoke, point-to-point, or full mesh) that connect to form a point-to-point tunnel. For example, a joined hub-and-spoke topology could comprise two hub-and-spoke topologies, with the hubs acting as peer devices in a point-to-point topology.

2
Q

Site-to-Site VPN Bullet Points

A

Connect sites as a replacement for a classic WAN

Use peer (site) authentication and cryptographic path protection

Require basic network traffic controls

Frequently use IPsec for its cryptographic security services

Often work over controlled networks (MPLS) or internet backbones

Often require high availability and performance guarantees (QoS)

Can be configured to function in several different ways

3
Q

Dynamic Multipoint VPN (DMVPN)

A

Enables site-to-site VPNs without a permanent VPN connection between sites; IP Security (IPsec) tunnels are created dynamically as needed.

4
Q

FlexVPN

A

Uses the capabilities of the Internet Key Exchange version 2 (IKEv2).

5
Q

IPsec

A
  • Designed to provide interoperable, high-quality, and cryptographically based transmission security to IP traffic
  • Defined in RFC 4301; combines the protocols IKE/IKEv2, Authentication Header (AH), and Encapsulation Security Payload (ESP) into a cohesive security framework
  • Offers access control, connectionless integrity, data origin authentication, protection against replays, confidentiality, and limited traffic flow confidentiality
  • In transport mode, the new headers are placed after the IP header and before the Layer 4 protocol header (typically TCP or UDP)
  • In tunnel mode, a new IP header is created in place of the original; this allows for the encryption of the entire original packet
  • The new headers provide information for securing the payload of the IP packet. Note that all IPsec VPNs use tunnel mode by default.
6
Q

IKE/IKEv2

A
  • Provides a framework for policy negotiation and key management
  • IKE provides key management to IPsec
  • A hybrid protocol that is defined by RFC 2408
  • Uses parts of several other protocols (Internet Security Association and Key Management Protocol (ISAKMP), Oakley, and Skeme) to automatically establish a shared security policy and authenticated keys for services that require keys, such as IPsec
7
Q

Authentication Header (AH)

A

Provides an encapsulation for authentication of user traffic

  • Mostly obsolete - AH is not supported on the Cisco ASA security appliance.
  • AH defines a user traffic encapsulation that provides data integrity, data origin authentication, and protection against replay to user traffic. There is no encryption provided by AH.
8
Q

Encapsulation Security Payload (ESP)

A

Provides an encapsulation for encryption and authentication of user traffic
- ESP defines a user traffic encapsulation that provides data integrity, data origin authentication, protection against replays, and confidentiality to user traffic. ESP offers data encryption, and is preferred over AH.

9
Q

Security Associations (SA)

A

Defines the following parameters:

Algorithms

Keys

Traffic

Other parameters

If AH or ESP protection is applied to a traffic stream, two (or more) security associations are created to provide protection to the traffic stream. To secure typical, bidirectional communication between two hosts or between two security gateways, two security associations (one in each direction) are required.
10
Q

Reasons to implement IKE in IPsec

A

Scalability

Manageable manual configuration

Security association characteristics negotiation

Automatic key generation

Automatic key refresh
11
Q

IPsec Modes

A

1) Transport mode: Encrypts only the data portion (payload) of each packet and leaves the packet header untouched. Transport mode is applicable to either gateway or host implementations, and provides protection for upper layer protocols and selected IP header fields.
2) Tunnel mode: More secure than transport mode because it encrypts both the payload and the header. IPsec in tunnel mode is normally used when the ultimate destination of a packet is different than the security termination point. This mode is also used in cases when the security is provided by a device that did not originate packets, as in the case of VPNs. Tunnel mode is often used in networks with unregistered IP addresses. The unregistered address can be tunneled from one gateway encryption device to another by hiding the unregistered addresses in the tunneled packet.

12
Q

ISAKMP Policy Contents

A

An authentication method, to ensure the identity of the peers.

An encryption method, to protect the data and ensure privacy.

A Hashed Message Authentication Code (HMAC) method to ensure the identity of the sender, and to ensure that the message has not been modified in transit.

A Diffie-Hellman (DH) group to determine the strength of the encryption-key-determination algorithm. The security appliance uses this algorithm to derive the encryption and hash keys.

A limit to the time the security appliance uses an encryption key before replacing it.
13
Q

IPsec VPN Types

A

1) virtual tunnel interfaces (VTIs)
2) Dynamic Multipoint VPNs (DMVPNs)
3) Cisco IOS FlexVPN

14
Q

Cisco IPsec VTI

A

A tool that customers can use to configure IPsec-based VPNs between site-to-site devices.

- A major benefit of IPsec VTIs is that the configuration does not require a static mapping of IPsec sessions to a physical interface. The IPsec tunnel endpoint is associated with a virtual interface. Because there is a routable interface at the tunnel endpoint, you can apply many common interface capabilities to the IPsec tunnel.
- It requires fewer configuration lines because crypto maps are automatically generated for each tunnel.
- Features for plaintext packets are configured on the VTI; features for encrypted packets are applied on the physical, outside interface.
- VTIs behave as regular tunnels, one for each remote site of the VPN.

Their encapsulation must be either IPsec Encapsulating Security Payload (ESP) or Authentication Header (AH).

Their line protocol depends on the state of the VPN tunnel (IPsec Security Associations [SAs]).
15
Q

DMVPN Benefits

A

Lowers capital and operational expenses: Reduces costs in integrating voice and video with VPN security.

Simplifies branch communications: Enables direct branch-to-branch connectivity for business applications such as voice.

Reduces deployment complexity: Offers a zero-touch configuration, dramatically reducing the deployment complexity in VPNs.

Improves business resiliency: Prevents disruption of business-critical applications and services by incorporating routing with standards-based IPsec technology.
16
Q

FlexVPN Benefits

A

Flexibility in Transport network: FlexVPN can be deployed either over a public Internet or a private Multiprotocol Label Switching (MPLS) VPN network.

Easy Deployment Style: It is designed for the concentration of both site-to-site VPN and remote-access VPN. One single FlexVPN deployment can accept both types of connection requests at the same time.

Failover redundancy: Three different types of redundancy models can be implemented with FlexVPN:

    Dynamic routing protocols over FlexVPN tunnels. Path and headend selection is based on dynamic routing metrics.

    IKEv2-based dynamic route distribution and server clustering.

    IPsec/IKEv2 active/standby stateful failover between two chassis.

Third-party compatibility: As the IT world transitions to cloud- and mobile-based computing, more VPN routers, and VPN endpoints from different vendors are required. The Cisco IOS FlexVPN solution provides compatibility with any IKEv2-based third-party VPN vendors, including native VPN clients from Apple iOS and Android devices.

IP Multicast support: FlexVPN natively supports IP Multicast in two ways:

    FlexVPN hub router replicates IP Multicast packets for each spoke.

    If the transport network supports native IP Multicast, the FlexVPN hub router can choose to have the transport network do multicast packet replication after IPsec encryption.

Superior Quality of Service (QoS): The architecture of Cisco IOS FlexVPN easily allows hierarchical QoS to be integrated at the tunnel or per Security Association (SA) basis:

    Per tunnel QoS for each spoke at the FlexVPN hub router.

    Per tunnel QoS dynamically applied to direct traffic between spokes.

Centralized policy control: VPN dynamic policies such as split-tunnel policy, encryption network policy, VRF selection, DNS server (for remote access), and so on can be fully integrated with the AAA/RADIUS server and applied on a per-peer basis.

VRF awareness: The Cisco IOS FlexVPN solution can be fully integrated with MPLS VPN networks for the service provider type of deployment. Both Inside VRF and front-door VRF are supported. Inside VRF assignment, policy can be managed by the centralized AAA server.
17
Q

VTI Benefits

A

Simplifies configuration: Customers can use the virtual tunnel constructs to configure an IPsec peering, thus simplifying the complexity of the VPN configuration as compared to crypto maps or GRE IPsec tunnels.

Flexible interface feature support: An IPsec VTI is an encapsulation that uses its own Cisco IOS Software interface. This characteristic offers the flexibility of defining features to run on either the physical interface (that operates on ciphertext traffic) or on the IPsec VTI (that operates on cleartext traffic).

Multicast support: Customers can use the IPsec VTIs to securely transfer multicast traffic such as voice and video applications from one site to another.

Improved scalability: IPsec VTIs need fewer established SAs to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.

Provides a routable interface: Like GRE IPsec, IPsec VTIs can natively support all types of IP routing protocols, which provide scalability and redundancy.
18
Q

VTI Limitations

A

The IPsec VTI is limited to only IP unicast and multicast traffic, as opposed to GRE tunnels, which have a wider, multiprotocol application.

Cisco IOS Software IPsec stateful failover is not supported with IPsec VTIs. However, you can use alternative failover methods such as dynamic routing protocols to achieve similar functionality.
19
Q

VTI Deployment Guidelines

A

Use VTI-based site-to-site VPNs as the default IPsec technology for individual point-to-point VPN links and for hub-and-spoke VPNs.

Consider deploying DMVPN or Group Encrypted Transport (GET VPN) for larger environments with partial or fully meshed VPN requirements.
20
Q

Basic IKE peering using PSK Configuration Tasks

A

1) Set up an IKE SA between two peers.

Use PSKs for mutual authentication.

Use an encryption and hashing algorithm to guarantee confidentiality and integrity of the key management session.

Use a DH exchange of an appropriate strength (group) to provide keying material to IKE and IPsec.

Use appropriate session lifetimes.

2) Create a PSK and bind it to the name or IP address of the VPN peer.

Configuring IKE peering between VPN members is the first step when configuring VTI-based IPsec VPNs. You should determine the IKE (ISAKMP) phase 1 policy requirements that you want to use, and then configure those policies on all peers. Having a detailed IKE policy plan lessens the chances of improper configuration.

21
Q

IKE Peering Planning Steps

A

Determine the peer authentication method: Choose the peer authentication method based on the credentials that are provisioned to all peers. Cisco IOS Software supports either PSKs, Rivest–Shamir–Adleman (RSA)-encrypted nonces, or RSA signatures to authenticate IPsec peers. This topic focuses on using PSKs.

Determine the session protection policy for the IKE session: Specify an encryption and hashing algorithm that will be used to protect IKE packets.

Determine the strength of the session key exchange method: IPsec uses the Diffie-Hellman (DH) algorithm to exchange session keys. The length of DH keys is determined by the DH group, which is part of an IKE policy.

Use an appropriate IKE session lifetime: Typically, the default Cisco IOS Software IKE session lifetime is appropriate for most use scenarios.
22
Q

Default IKE PSK-Based Policies

A

Priority: 65508 = PSK, AES, SHA, DH5
Priority: 65510 = PSK, AES, MD5, DH5
Priority: 65512 = PSK, 3DES, SHA, DH2
Priority: 65514 = PSK, 3DES, MD5, DH2

  • Avoid using policies that use MD5
  • Avoid using policies that use DH2
  • Use the highest priority policy (65508) for optimal security
23
Q

Command to create new IKE policy

A

crypto isakmp policy 10

24
Q

Command to specify PSKs for authentication

A

authentication pre-share

25
Q

Command to set hash algorithm. Use SHA-1 as the IKE hash (HMAC) algorithm; avoid MD5.

A

hash sha

26
Q

Command to set encryption algorithm. Use 128-bit AES or 3DES as the preferred encryption algorithms; avoid DES

A

encr aes 128

27
Q

Command to set DH groups for key exchange. Use DH groups 5, 14, 15, or 16 as the key exchange method; avoid DH groups 1 and 2

A

group 14

28
Q

Command to configure a lifetime; the default value is reasonable and does not require tuning.

A

lifetime 3600

29
Q

Command to create a random, long PSK and binds it to the IP address of the peer.

A

crypto isakmp key jg40fb90FFrhn98R3Bv9ng9fe4 address 172.17.2.24
