Virtual Private Network (VPN) and IPsec
- A VPN extends a private network over a public network. A VPN by itself does not necessarily imply encryption, so for security the IPsec security framework is applied to the VPN tunnel. IPsec is a standards-based security framework that offers four services:
  - Data origin authentication
  - Data integrity
  - Data confidentiality
  - Anti-replay
- The main goal of an IPsec VPN is to encrypt and authenticate IPv4 or IPv6 packets over a public network.
- The goal of the IPsec exchange is to establish the security associations in phases, using IKE.
- This occurs through the two main negotiation phases of IKE:
  - IPsec Phase 1
    - Authenticate the endpoints and build a secure tunnel for further negotiation
    - ISAKMP SA
  - IPsec Phase 2
    - Establish the tunnel used to protect the actual data traffic
    - IPsec SA
- Negotiating Phase 1 (ISAKMP SA)
  - Authentication method (authentication pre-share / rsa-encr / rsa-sig)
  - Encryption type (3des / aes / des)
  - Diffie-Hellman group (1 / 14 / 15 / 16 ...)
  - Lifetime (60-86400 seconds)
- Negotiating Phase 2 (IPsec SA)
  - set peer (xx.xx.xx.xx)
  - set transform-set xxx
  - set address xx
- Applying the crypto map
  - The crypto map is applied at the link (interface) level
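The Phase 1 policy, the Phase 2 transform-set and the crypto map above are the three places where a weak choice (DES/3DES, MD5, DH group 1 or 2) or a dangling reference (a transform-set no map uses, a map applied to no interface) silently weakens or breaks the tunnel. The script below is an added example, not code from the original post and not the R2/R3 configuration: it embeds a constructed IOS-style configuration (hypothetical names, RFC 5737 addresses) and audits it for those problems. It uses `match address` for the ACL line of the crypto map, which is the IOS keyword; the IOS default values for unset Phase 1 parameters (DES, SHA-1, RSA signatures, group 1, 86400 s) are filled in so that a policy that omits a line is judged on what the router will actually use.

```python
import re

# Constructed sample Cisco IOS configuration (hypothetical names, RFC 5737
# addresses, placeholder PSK); it is NOT the R2/R3 configuration from the post.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key EXAMPLE_PSK address 203.0.113.2
!
crypto ipsec transform-set TS-WEAK esp-des esp-md5-hmac
crypto ipsec transform-set TS-STRONG esp-aes 256 esp-sha256-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-STRONG
 match address VPN-ACL
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
"""

# Values IOS uses for any Phase 1 policy parameter that is not configured.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
WEAK_ENCR = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_blocks(config, header_re):
    """Return [(header match, [sub-lines])] for every block whose first line
    matches header_re; IOS indents a block's parameters by one space."""
    blocks, current = [], None
    for line in config.splitlines():
        m = re.match(header_re, line)
        if m:
            current = (m, [])
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current[1].append(line.strip())
        else:
            current = None
    return blocks


def parse_isakmp_policies(config):
    """Return {priority: {parameter: value}} with IOS defaults filled in."""
    policies = {}
    for m, params in parse_blocks(config, r"crypto isakmp policy (\d+)"):
        policy = dict(ISAKMP_DEFAULTS)
        for p in params:
            key, _, value = p.partition(" ")
            policy[key] = value
        policies[int(m.group(1))] = policy
    return policies


def parse_transform_sets(config):
    """Return {name: [algorithm tokens]} for each transform-set line."""
    return {m.group(1): m.group(2).split() for m in
            re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}


def parse_crypto_maps(config):
    """Return {(map name, seq): {'peer', 'transform-set', 'acl'}}."""
    maps = {}
    for m, params in parse_blocks(config, r"crypto map (\S+) (\d+) ipsec-isakmp"):
        entry = {}
        for p in params:
            words = p.split()
            if p.startswith("set peer "):
                entry["peer"] = words[2]
            elif p.startswith("set transform-set "):
                entry["transform-set"] = words[2]
            elif p.startswith("match address "):
                entry["acl"] = words[2]
        maps[(m.group(1), int(m.group(2)))] = entry
    return maps


def applied_crypto_maps(config):
    """Return {interface: map name} for every interface carrying 'crypto map'."""
    return {m.group(1): p.split()[2]
            for m, params in parse_blocks(config, r"interface (\S+)")
            for p in params if p.startswith("crypto map ")}


def audit(config):
    """Return findings: weak Phase 1/2 choices and dangling references."""
    findings = []
    for prio, pol in sorted(parse_isakmp_policies(config).items()):
        if pol["encr"].split()[0] in WEAK_ENCR:
            findings.append(f"isakmp policy {prio}: weak encryption '{pol['encr']}'")
        if pol["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {prio}: weak hash '{pol['hash']}'")
        if pol["group"] in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {prio}: weak DH group {pol['group']}")
    tsets = parse_transform_sets(config)
    for name, algs in tsets.items():
        findings += [f"transform-set {name}: weak algorithm {a}"
                     for a in algs if a in WEAK_ENCR or a in WEAK_HASH]
    maps, used = parse_crypto_maps(config), set()
    for (name, seq), entry in maps.items():
        used.add(entry.get("transform-set"))
        if entry.get("transform-set") not in tsets:
            findings.append(f"crypto map {name} {seq}: transform-set missing or undefined")
        if "acl" not in entry or "peer" not in entry:
            findings.append(f"crypto map {name} {seq}: no peer or no match address")
    findings += [f"transform-set {n}: defined but not referenced by any crypto map"
                 for n in tsets if n not in used]
    applied = set(applied_crypto_maps(config).values())
    findings += [f"crypto map {n}: not applied to any interface"
                 for n in {n for n, _ in maps} if n not in applied]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit flags policy 10 (3DES, group 2) and the TS-WEAK transform-set (DES, MD5, and unused), while policy 20, TS-STRONG and the applied VPN-MAP pass. Because IOS tries policies in priority order and the peer picks the first match, a lingering weak policy 10 is a real downgrade risk even when a strong policy 20 exists.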
R3 CONFIGURATION
R2 CONFIGURATION
R2's VPN CONNECTION VERIFICATION
USEFUL CONFIGURATION VERIFICATION COMMANDS
Router# show crypto isakmp [default] policy
Router# show crypto ipsec sa
Router# show crypto isakmp sa
Router# show crypto ipsec transform-set <name>
Router# show crypto debug-condition
USEFUL DEBUGGING COMMANDS FOR TROUBLESHOOTING
Router# debug crypto isakmp
Router# debug crypto ipsec
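When checking a tunnel with `show crypto isakmp sa`, the useful signal is the state column: QM_IDLE means Phase 1 completed and Phase 2 (quick mode) can proceed, while any MM_* state means main mode is still stuck (typically at key exchange or authentication, e.g. a pre-shared key or policy mismatch). The parser below is an added example, not from the original post; the `show` output it reads is a constructed sample in the common IOS table layout (hypothetical RFC 5737 peers), so column names and spacing are assumptions.

```python
# Constructed sample of 'show crypto isakmp sa' output (hypothetical peers).
SHOW_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
203.0.113.9     203.0.113.1     MM_KEY_EXCH       1002 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Main-mode states in the order IKEv1 passes through them; QM_IDLE is the
# settled state once Phase 1 is complete.
MAIN_MODE_HINTS = {
    "MM_NO_STATE": "no ISAKMP SA yet; check reachability and UDP/500",
    "MM_SA_SETUP": "policy proposal sent; check isakmp policy mismatch",
    "MM_KEY_EXCH": "DH exchange in progress; check DH group / key mismatch",
    "MM_KEY_AUTH": "authentication in progress; check PSK or certificates",
}


def parse_isakmp_sa(output):
    """Return one dict per SA row: dst, src, state, conn_id, status."""
    rows = []
    for line in output.splitlines():
        words = line.split()
        # Data rows have five columns and start with an address, not a header word.
        if len(words) == 5 and words[0][0].isdigit():
            rows.append({"dst": words[0], "src": words[1], "state": words[2],
                         "conn_id": int(words[3]), "status": words[4]})
    return rows


def phase1_report(output):
    """Map each peer (dst) to 'ok' or a troubleshooting hint derived from the state."""
    report = {}
    for sa in parse_isakmp_sa(output):
        if sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE":
            report[sa["dst"]] = "ok"
        else:
            hint = MAIN_MODE_HINTS.get(sa["state"], "unexpected state " + sa["state"])
            report[sa["dst"]] = f"Phase 1 incomplete ({sa['state']}): {hint}"
    return report


if __name__ == "__main__":
    for peer, verdict in phase1_report(SHOW_ISAKMP_SA).items():
        print(peer, "->", verdict)
```

Pair this with `show crypto ipsec sa` for the peers reported "ok": a Phase 1 SA at QM_IDLE but zero encap/decap counters on the IPsec SA points at a Phase 2 problem (transform-set or interesting-traffic ACL mismatch) rather than IKE.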
REFERENCE
- INE_CCIE_VPN_CONFIGURATION
- CISCO_VPN_CONFIGURATION_DOC
- PACKETLIFE_VPN_CONFIGURATION_EXAMPLE
- CBTNUGGETS_CCIE_VPN_CONFIGURATION