Cisco IP Security

Introduction to IPSec VPN’s

Presented by
Dr. Peter J. Welcher, Chesapeake Netcraftsmen

Slide 1

About the Speaker


• Dr. Pete Welcher
– Cisco CCIE #1773, CCSI #94014, CCIP
– Network design & management consulting
• Stock quotation firm, 3000 routers, TCP/IP
• Second stock quotation firm, 2000 routers, UDP
broadcasts
• Hotel chain, 1000 routers, SNA
• Government agency, 1500 routers
– Teach many of the Cisco courses
• Enterprise Networking Magazine articles
– http://www.netcraftsmen.net/welcher/papers

Slide 2

Copyright © 2003, Chesapeake Netcraftsmen Handout Page-1


Agenda
• Introduction and Motivation
• IPSec Basics
• Enterprise IPSec VPN
• Managing VPN
• Wrap-up

Slide 3

Why Do We Care?
• Many organizations are trying to use
IPSec VPN to reduce costs and simplify
new connections
• VPN allows
– Shared Internet and Enterprise access
– Reduced access line costs
– Ease of provisioning, flexibility
– Increased security

Slide 4

IPSec VPN and V3PN Benefits
• IPSec VPN design provides resiliency
• Integrated branch routers provide ISP
connection, VPN termination, IPT gateway, and
Cisco IOS Firewall functionality
• Tested scalability and performance numbers
• Enhanced productivity and reduced support
costs: extend central site voice, video, data
resources and applications to all corporate sites
• Voice, Video, data transported securely and
transparently over IPSec tunnels with QoS
enabled
• Standard IP Telephony features including codecs,
SRST preserved

Slide 5

Agenda
• Introduction and Motivation
• IPSec Basics
• Enterprise IPSec VPN
• Managing VPN
• Wrap-up

Slide 6

IPSec Basics
• IPSec uses a Security Association (SA) and crypto
key to encrypt selected data between a pair of sites
– This key is used with the DES, 3DES, or AES forms of encryption
to both encrypt and decrypt data
• The key is automatically established, changed, and
managed by IPSec devices using IKE (Internet Key
Exchange), a.k.a. “ISAKMP”
• Before a key can be established, IKE does
authentication
– Shared secret or Certificate Authority are two ways to do this
• IKE uses public key crypto to securely do its job
– Public and private key pair: either one encrypts, the other decrypts
– Diffie-Hellman is the technique used to securely exchange
encryption keys

Slide 7

Message Hashing
• Message Hashing is used to detect altered
messages
– Message bits and a secret key are combined into a short
hash code
– Hash code sent in header
– If received message hash doesn’t match,
message was altered
– Two forms: SHA and MD5
– SHA is a bit stronger
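The keyed hash described above, as an added example that is not part of the handout: an HMAC over a constructed packet with the key, truncated to the 96-bit ICV that the SHA and MD5 IPSec transforms carry, and the receiver-side comparison that detects an altered message. The key and payload are constructed for the demo.

```python
import hashlib
import hmac

# IPSec carries a 96-bit (12-byte) truncated HMAC as the integrity check value (ICV).
ICV_LEN = 12


def keyed_hash(key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """Combine the message bits and the secret key into the short hash code IPSec sends.
    algo is "sha1" (esp-sha-hmac) or "md5" (esp-md5-hmac)."""
    return hmac.new(key, message, getattr(hashlib, algo)).digest()[:ICV_LEN]


def verify(key: bytes, message: bytes, icv: bytes, algo: str = "sha1") -> bool:
    """Receiver side: recompute the hash and compare in constant time; False means altered."""
    return hmac.compare_digest(keyed_hash(key, message, algo), icv)


# Constructed sample: a pretend inner packet and a shared secret (not real traffic or a real key).
KEY = b"constructed-demo-key"
PACKET = b"\x45\x00\x00\x3c" + b"GRE payload from branch to head end"


def demo() -> dict:
    """Intact packet passes; a single flipped bit or a different key fails the check."""
    icv = keyed_hash(KEY, PACKET)
    tampered = bytes([PACKET[0] ^ 0x01]) + PACKET[1:]   # one bit changed in transit
    return {
        "intact": verify(KEY, PACKET, icv),
        "altered": verify(KEY, tampered, icv),
        "wrong_key": verify(b"other-key", PACKET, icv),
        "md5_icv_len": len(keyed_hash(KEY, PACKET, "md5")),
    }
```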

Slide 8

IPSec Protocols
• IPSec comes in two forms
– AH provides a keyed hash and authentication data
• Ensures data comes from peer router (authentication)
• Detects alterations (keyed hash)
• But does not encrypt for confidentiality
– ESP encrypts
• Two sub-modes: tunnel and transport
• In tunnel mode, the new IP header hides source and
destination addresses: keeps server address confidential
• Keyed hash for detecting alterations
• Authentication
• Encryption

Slide 9

The 4 Steps of IPSec SA Establishment


1. Host A sends interesting traffic for Host B
   (Host A -- Router A ... Router B -- Host B)
2. Router A and Router B negotiate an IKE Phase 1 session and authenticate
   (IKE SA established on both routers)
3. Router A and Router B negotiate an IKE Phase 2 session and exchange keys
   (IPSec SA established on both routers)
4. Information is exchanged via the IPSec tunnel

Slide 10

What to Encrypt
• The crypto map you configure references
an access list for “interesting packets”
– What to encrypt (outbound)
– What to decrypt (inbound)
• If the router encrypts or decrypts the
wrong packet, it gets nonsense and a bad
checksum → discarded packet!

Slide 11

IPSec Troubleshooting Tips


• The two ends have to agree on the various
choices
– How to do IKE (IKE policy)
– Authentication method, shared secret or CA, etc.
– AH versus ESP
– Tunnel versus transport
– Message hashing scheme
• You need routing to be able to deliver packets
• IPSec source address at one end must match
destination at the other
• You need consistent crypto access lists!!!
– The two endpoint ACL’s need to mirror each other
• Use the 4 steps to troubleshoot

Slide 12

Agenda
• Introduction and Motivation
• IPSec Basics
• Enterprise IPSec VPN
• Managing VPN
• Wrap-up

Slide 13

Design Assumptions
• High availability and failover with fast
convergence
• Support for dynamic routing
• Ability to carry diverse traffic, including IP
multicast, multi-protocol
• Conservative CPU levels
• Router-based (versus VPN concentrator)

Slide 14

Key Design Components
• Cisco VPN routers as head-end VPN
termination
• Cisco access routers as branch
termination
• Use hardware IPSec acceleration
• IPSec ESP Tunnel mode
• GRE tunnels, dual star to two head-end
routers
– At HQ or two head-end sites for geographic
diversity
• Internet services from an ISP

Slide 15

Enterprise IPSec VPN

[Diagram: Remote Offices connected through the ISP to the Central Site(s) by GRE + IPSec tunnels]

Slide 16

Why GRE with IPSec?
• Dynamic routing and support of multicast
and non-IP protocols
• Side effect: simpler implementation and
troubleshooting
• If you’re not building in redundancy, you
can leave out the GRE and the dynamic
routing and reduce overhead, at the price
of doing a bit more configuration

Slide 17

Overhead
• Cost (GRE + IPSec): 24 more bytes of
header (overhead)
• Total headers added: 76 bytes

Header                  Size
IPSec Tunnel IP Header  20 B
ESP Header              32 B, variable
GRE IP Header           20 B
GRE Header              4 B
IP Payload              20 B

Slide 18

Avoiding Fragmentation
• We want to avoid fragmenting the IPSec
packets
– They have to be re-assembled at the termination
router to be decrypted
– Re-assembly is process switched
– Slow + CPU impact
– So create fragments BEFORE IPSec encrypts!
– Reduce GRE tunnel MTU to 1400+ Bytes
– Consider enabling Path MTU Discovery on the
tunnels
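The overhead arithmetic of slide 18 and the "fragment before IPSec" advice of slide 19, worked through as an added example (not from the handout). The outer IP, GRE IP and GRE sizes are the slide's; the ESP breakdown (SPI, sequence number, 8-byte 3DES IV, padding, 12-byte SHA-1 ICV) is assumed for the esp-3des / esp-sha-hmac transform set used later in the deck, which is why the ESP figure is "variable".

```python
# Byte costs per layer from slide 18: tunnel-mode outer IP header, ESP, GRE delivery IP header, GRE header.
OUTER_IP = 20
GRE_IP = 20
GRE = 4
FIXED_OVERHEAD = OUTER_IP + 32 + GRE_IP + GRE   # 76, using the slide's nominal 32-byte ESP figure

# ESP pieces for esp-3des / esp-sha-hmac (assumed transform set, not stated on slide 18).
ESP_SPI_SEQ = 8    # SPI (4) + anti-replay sequence number (4)
ESP_IV = 8         # 3DES block size
ESP_BLOCK = 8      # plaintext + trailer is padded to a multiple of the cipher block size
ESP_TRAILER = 2    # pad length (1) + next header (1)
ESP_ICV = 12       # HMAC-SHA1-96 integrity check value


def esp_overhead(inner_len: int) -> int:
    """Bytes ESP adds around an inner packet of inner_len bytes; 30 to 37 depending on padding."""
    pad = (-(inner_len + ESP_TRAILER)) % ESP_BLOCK
    return ESP_SPI_SEQ + ESP_IV + pad + ESP_TRAILER + ESP_ICV


def wire_size(user_len: int) -> int:
    """Size on the link of a user IP packet (user_len bytes, its own IP header included)
    after it has been carried in GRE and then encrypted in ESP tunnel mode."""
    inner = GRE_IP + GRE + user_len
    return OUTER_IP + esp_overhead(inner) + inner


def would_fragment(user_len: int, link_mtu: int = 1500) -> bool:
    """True if the encrypted packet would exceed the link MTU and be fragmented after encryption."""
    return wire_size(user_len) > link_mtu


def max_user_packet(link_mtu: int = 1500) -> int:
    """Largest user packet that never fragments after encryption: the value to set as the
    GRE tunnel IP MTU so that any fragmentation happens before IPSec, not after."""
    n = link_mtu
    while would_fragment(n, link_mtu):
        n -= 1
    return n
```

With a 1500-byte link this lands a little above the slide's "1400+ bytes" guideline, which leaves a margin for the padding variation.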

Slide 19

Path MTU Discovery


• Path MTU Discovery is used by current and
recent UNIX and Windows servers
– They send large packets with DF set
– Intervening routers needing smaller MTU send back ICMP
message with option indicating desired frame size
• Problem: some web / server sites block all ICMP
packets
– Result: large web images, FTP file transfers mysteriously
fail, but only to some sites
– Use router default, tunnels not doing P-MTU-D
– Use router default: Cisco GRE and IPSec tunnels reset
DF=1 to DF=0 and fragment
– “Cisco Pre-Fragmentation for IPSec VPN” feature
– This plus GRE MTU of 1400 means no P-MTU-D issues
even with web traffic via IPSec + GRE tunnels

Slide 20

Which Router?
• Cisco tested ESP tunnels with GRE to 2 head-end sites, 240
branch routers
• Recommendations are based on 55-65% CPU for a specific traffic
mix.
• This is a summary: see the Cisco documents for details. In
particular, specific models within a product family may have lower
performance than that shown. Your Mileage May Vary.

Router   H/w Accel    Max bps   Recommended   Role(s)
7200     ISA or VAM   140 M     40 M          Central
7100     ISM, VAM     140 M     30 M          Central
3600     AIM          38 M      16 M          Large/medium branch
2600     AIM          14 M      3 M           Large/medium branch
1700     VPN Module   3 M       2.5 M         Medium/small branch
800      N/a          384 K     100 K         Small office

Slide 21

Other Recommendations
• Have a summarizable addressing scheme
– It can make crypto ACL’s simpler, less of an issue with GRE
– Use route summarization
• For central DHCP, use helper addresses remotely
• Use IPSec Tunnel Mode with 3DES
• Don’t use IKE keepalives
• Base number of head-end devices on number of
remote sites and throughput
• Use appropriate (recent) Cisco IOS releases
• Avoid IPSec through NAT points

Slide 22

IPSec Sequence Numbers
• IPSec also uses sequence numbers for
anti-replay protection
– Out-of-order packets can lead to dropped packets!
– Conclusion: priority queuing and load-balancing
can lead to drops in an IPSec environment!
• Make one GRE tunnel primary with single
preferred path for each remote site
– Dynamic routing failover preserved
– Can use interface delay parameter to prefer one
GRE tunnel over the other (if both head end
routers at same site)
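Why reordering turns into drops, as an added example that is not part of the handout: a receiver-side anti-replay window in the style IPSec uses (64 sequence numbers assumed), fed constructed arrival orders. Mild reordering from priority queuing is absorbed; a packet held back while more than a window's worth of newer packets overtook it is discarded, as is any replay.

```python
class AntiReplayWindow:
    """Receiver-side sliding window as IPSec uses it (64 sequence numbers assumed).
    Bit 0 of the bitmap is the highest sequence number seen; bit i is top - i."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # which of the last `size` sequence numbers have been seen

    def check(self, seq: int) -> bool:
        """Accept (and record) seq, or return False if IPSec would drop the packet."""
        if seq == 0:
            return False                               # 0 is never a valid ESP sequence number
        if seq > self.top:                             # newer than anything seen: slide the window
            self.bitmap = (self.bitmap << (seq - self.top)) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                               # too old: arrived after the window moved on
        if self.bitmap & (1 << offset):
            return False                               # replay of a packet already accepted
        self.bitmap |= 1 << offset
        return True


def simulate(order):
    """Feed packets to a fresh window in arrival order; returns True/False per packet."""
    win = AntiReplayWindow()
    return [win.check(s) for s in order]


def scenarios() -> dict:
    """Constructed arrival orders: mild reordering survives, deep reordering and replays do not."""
    # Priority queuing let four packets overtake one: still inside the window, all accepted.
    mild = [1, 2, 3, 8, 4, 5, 6, 7]
    # A low-priority packet (seq 3) was held while 67 newer packets went ahead: dropped on arrival.
    deep = [1, 2] + list(range(4, 71)) + [3]
    # The same packet seen twice.
    replay = [1, 2, 3, 2]
    return {
        "mild_dropped": simulate(mild).count(False),
        "deep_dropped": simulate(deep).count(False),
        "replay_dropped": simulate(replay).count(False),
    }
```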

Slide 23

Service Provider

[Diagram: Remote Offices connected through the ISP to the Central Site(s); "Need good service here!" points at the ISP]

Slide 24

Service Provider – 2
• Many or even most ISP’s do not honor the L3 QoS
markings
– Your voice traffic may experience unacceptable delay or jitter
• Whenever possible, you need SLA’s
– Covering overall delay and jitter, repair time, etc.
– Or for QoS-aware service guaranteeing certain delay and jitter
levels for various classes of traffic, based on agreed-upon
markings
– Otherwise, you can deploy and later discover your IPSec VPN isn’t
working very well: no recourse!
• Multiple ISP’s is harder
– SLA’s generally only apply within a single ISP’s network
• Beware: some home cable & DSL services block IPSec
unless “business grade” service is paid for

Slide 25

SLA’s
• CPN Multi-service VPN standards:
– Jitter – less than or equal to 20 msec
– Delay – less than or equal to 60 msec one way
– Packet Loss – less than or equal to 0.5 percent

Slide 26

Configuration Steps
• Step 1: Configure IKE policy
• Step 2: Specify IPSec transform and
protocol
• Step 3: Create access lists (ACL’s) for
encryption
• Step 4: Configure crypto map
• Step 5: Apply crypto map

Slide 27

Enterprise IPSec VPN


[Diagram: Remote Office connected through the ISP to the Central Site(s). Addresses shown: 192.168.2.2 (branch), 192.168.1.1 (head end), 10.0.0.6 and 10.0.0.5 (GRE tunnel ends), 10.60.60.1]

Slide 28

Sample: IKE Policy
Head End Router:
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key mybigsecret address 192.168.2.2

Branch Router:
interface s0/0
 ip address 192.168.2.2 255.255.255.0
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key mybigsecret address 192.168.1.1

Slide 29

Sample: IPSec Transform and Protocol


Head End Router:
crypto ipsec transform-set vpn-t-test esp-3des esp-sha-hmac

Branch Router:
crypto ipsec transform-set vpn-t-test esp-3des esp-sha-hmac

Slide 30

Sample: Encryption ACL’s
Head End Router:
ip access-list extended vpn-static-1
 permit gre host 192.168.1.1 host 192.168.2.2

Branch Router:
ip access-list extended vpn-static-2
 permit gre host 192.168.2.2 host 192.168.1.1

Slide 31

Sample: Crypto Map


Head End Router:
crypto map static-map-pjw1 local-address FastEthernet1/0
crypto map static-map-pjw1 1 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set vpn-t-test
 match address vpn-static-1

Branch Router:
crypto map static-map-pjw2 local-address Serial0/0
crypto map static-map-pjw2 1 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set vpn-t-test
 match address vpn-static-2
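The troubleshooting rules of slide 12 (matching source and destination addresses, mirrored crypto ACLs) checked mechanically against the two sample configs, as an added example that is not part of the handout. The two config strings are constructed from the head-end and branch samples on slides 29, 31 and 32; the parser only understands the commands those samples use.

```python
import re

# Constructed from the head-end and branch samples on slides 29, 31 and 32 (one string per router).
HEAD_END = """interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
crypto isakmp key mybigsecret address 192.168.2.2
crypto map static-map-pjw1 local-address FastEthernet1/0
crypto map static-map-pjw1 1 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set vpn-t-test
 match address vpn-static-1
ip access-list extended vpn-static-1
 permit gre host 192.168.1.1 host 192.168.2.2
"""
BRANCH = """interface Serial0/0
 ip address 192.168.2.2 255.255.255.0
crypto isakmp key mybigsecret address 192.168.1.1
crypto map static-map-pjw2 local-address Serial0/0
crypto map static-map-pjw2 1 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set vpn-t-test
 match address vpn-static-2
ip access-list extended vpn-static-2
 permit gre host 192.168.2.2 host 192.168.1.1
"""
# A common mistake: the branch ACL pasted from the head end without swapping source and destination.
BRANCH_BAD_ACL = BRANCH.replace("host 192.168.2.2 host 192.168.1.1", "host 192.168.1.1 host 192.168.2.2")


def parse_side(cfg: str) -> dict:
    """Pull out the fields that must agree between the two ends of a static crypto map."""
    iface_ip = dict(re.findall(r"interface (\S+)\n ip address (\S+)", cfg))
    local_if = re.search(r"crypto map \S+ local-address (\S+)", cfg).group(1)
    acl = re.search(r" match address (\S+)", cfg).group(1)
    aces = re.findall(rf"ip access-list extended {acl}\n permit (\S+) host (\S+) host (\S+)", cfg)
    peer = re.search(r" set peer (\S+)", cfg).group(1)
    key_addr = re.search(r"crypto isakmp key \S+ address (\S+)", cfg).group(1)
    return {"local": iface_ip[local_if], "peer": peer, "key_addr": key_addr, "aces": set(aces)}


def check_pair(a: dict, b: dict) -> list:
    """Return the mismatches between two ends; an empty list means the pair is consistent."""
    problems = []
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        problems.append("set peer does not match the other end's crypto map local address")
    if a["key_addr"] != a["peer"] or b["key_addr"] != b["peer"]:
        problems.append("crypto isakmp key address does not match set peer")
    if a["aces"] != {(proto, dst, src) for (proto, src, dst) in b["aces"]}:
        problems.append("crypto ACLs do not mirror each other")
    return problems
```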

Slide 32

Sample: Apply Crypto Map
Head End Router:
interface Tunnel1
 ip address 10.0.0.5 255.255.255.252
 tunnel source 192.168.1.1
 tunnel destination 192.168.2.2
 crypto map static-map-pjw1
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 crypto map static-map-pjw1

Branch Router:
interface Tunnel1
 ip address 10.0.0.6 255.255.255.252
 tunnel source 192.168.2.2
 tunnel destination 192.168.1.1
 crypto map static-map-pjw2
!
interface Serial0/0
 bandwidth 1536
 ip address 192.168.2.2 255.255.255.0
 crypto map static-map-pjw2

Slide 33

Agenda
• Introduction and Motivation
• IPSec Basics
• Enterprise IPSec VPN
• Managing VPN
• Wrap-up

Slide 34

Cisco VPN Network Management Tools
• CiscoWorks VPN / Security Management Solution (VMS)
includes
– Management Center (MC) for IDS Sensors
– Management Center for VPN Routers
– Management Center for PIX Firewalls
• Centralized configuration and management of devices
– Monitoring Center for Security
• Central IDS event software, w/ correlation, notification, reports
– VPN Monitor
• Track status of VPN devices, w/ drill-down reporting
– IDS Host Sensor
– Auto-Update Server
• Pull model of distribution of images and configurations
– Resource Manager Essentials (RME), CiscoView, Common Services

Slide 35

Agenda
• Introduction and Motivation
• IPSec Basics
• Enterprise IPSec VPN
• Managing VPN
• Wrap-up

Slide 36

See Also
• AVVID Enterprise Site-to-Site VPN Design
– http://www.cisco.com/application/pdf/en/us/guest/netsol/ns142/c649/ccmigration_09186a00800d67f9.pdf
• IPSec support page
– http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Internetworking:IPSec

Slide 37

Summary
• Use GRE + IPSec in a hub and spoke
design for easily managed IPSec VPN
with redundancy and failover
• Cisco has tested performance under load
for 240 remote branch routers going to 2
central routers
• Fragment before IPSec for much better
performance

Disclaimer: this presentation touches on most of the high-level issues,
but it definitely does not cover all the details of QoS or V3PN planning.

Slide 38

THANK YOU !

Slide 39

A Word From Us …

• We can provide
– Network design review: how to make what you have work better
– Periodic strategic advice: what’s the next step for your network or staff
– Network management tools & procedures advice: what’s right for you
– Implementation guidance (your staff does the details) or full
implementation
• We do
– Small- and Large-Scale Routing and Switching (design, health check,
etc.)
– IPsec VPN and V3PN (design and implementation)
– QoS (strategy, design and implementation)
– IP Telephony (preparedness survey, design, and implementation)
– Call Manager deployment
– Security
– Network Management (design, installation, tuning, tech transfer, etc.)

Slide 40

Cisco Certifications

Chesapeake Netcraftsmen
is certified by Cisco in:
• IP Telephony
• Network Management
• Wireless
• Security
• (Routing and Switching)

Slide 41
