A VPN provides secure connectivity over the internet for remote users. It uses encryption and authentication techniques like symmetric keys, hashing, and digital certificates to securely transmit data. Common VPN protocols are L2TP, GRE, and IPsec, which can operate in transport or tunnel mode. Setting up a VPN involves configuring IKE/IPsec policies, transform sets, and crypto maps to protect traffic according to defined security parameters and to control VPN access. VPN clients facilitate remote access by guiding users through profile configuration and establishing connections according to defined authentication and tunneling protocols.
7. Symmetric key
With a shared secret key, the same key is used by the sender (for
encryption) and the receiver (for decryption).
Shared secret keys are often used for long messages.
12. Hash function (MD5, SHA-1)
A hash function is a formula used to convert a variable-length message
into a single string of digits of a fixed length.
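The two ideas on these slides, a key shared by sender and receiver and a hash whose output length does not depend on the input length, are shown together in the following Python example. It is an added illustration, not code from the slides: the messages and the key are constructed sample values, and the keyed hash (HMAC-SHA-256 from the standard library) is the same kind of shared-key integrity check that IPsec uses for authentication.

```python
import hashlib
import hmac

# Constructed sample messages of very different lengths (not from the slides).
SHORT_MESSAGE = b"ok"
LONG_MESSAGE = b"branch-to-hq payload block " * 400


def digest_lengths(message: bytes) -> dict:
    """Digest size in bytes for the hash functions named on the slide (plus SHA-256).
    The size depends only on the algorithm, never on the message length."""
    return {
        "md5": len(hashlib.md5(message).digest()),
        "sha1": len(hashlib.sha1(message).digest()),
        "sha256": len(hashlib.sha256(message).digest()),
    }


def tag_message(shared_key: bytes, message: bytes) -> bytes:
    """Sender side: bind the message to the shared secret with HMAC-SHA-256."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def verify_message(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag with the same key and compare in constant
    time, so the comparison itself does not leak how many bytes matched."""
    expected = hmac.new(shared_key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Exercise both halves with a constructed key; every value should be True."""
    key = b"constructed-demo-key-not-for-real-use"
    tag = tag_message(key, LONG_MESSAGE)
    return {
        "same_lengths": digest_lengths(SHORT_MESSAGE) == digest_lengths(LONG_MESSAGE),
        "genuine_accepted": verify_message(key, LONG_MESSAGE, tag),
        "tampered_rejected": not verify_message(key, LONG_MESSAGE + b"!", tag),
        "wrong_key_rejected": not verify_message(b"some-other-key", LONG_MESSAGE, tag),
    }


if __name__ == "__main__":
    print(demo())
```

MD5 and SHA-1 are kept only because the slide names them; their digests are 16 and 20 bytes, and for new deployments the SHA-2 family is the one to configure.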
13. VPN protocols
L2TP (Layer 2 Tunneling Protocol):
is used to create a media-independent, multiprotocol virtual
private dialup network (VPDN)…….but it does not provide
encryption.
GRE (Generic Routing Encapsulation):
with GRE tunneling, a Cisco router at each site encapsulates
protocol-specific packets in an IP header, creating a point-to-point
link to the Cisco router at the other end of an IP cloud, where the IP header
is stripped off.
IPsec (IP Security protocol):
is the choice for secure corporate VPNs. It can provide the
security service using Internet Key Exchange (IKE) to handle
negotiation of protocols and algorithms based on local policy
and to generate the encryption and authentication keys to be
used by IPsec.
14. Internet Key Exchange (IKE):
used to establish a shared security policy and
authentication keys for services such as IPsec
that require keys.
One of its protocols is ISAKMP.
Internet Security Association and Key
Management Protocol (ISAKMP):
a protocol used for implementing a key
exchange and negotiation of security
associations (SAs).
15. Security association (SA):
It is the security database that contains all the
security policy that the VPN will be based on.
This security database contains:
1- authentication and encryption algorithms.
2- specification of network traffic.
3- IPsec protocols.
4- IPsec modes.
16. IPsec protocols
Encapsulating Security Payload (ESP):
a security protocol that provides data encryption
and protection with optional authentication…it
can completely encapsulate user data.
Authentication Header (AH):
a security protocol that provides authentication.
It can be used either by itself or with ESP.
18. Tasks to configure IPsec (site to site)
Task 1 – Prepare for IKE and IPsec
Task 2 – Configure IKE
Task 3 – Configure IPsec
Task 4 – Test and verify IPsec
20. Step 1 - Determine IKE (IKE Phase 1) policy
Determine the following policy details:
Key distribution method
Authentication method
IPsec peer IP addresses and hostnames
IKE phase 1 policies for all peers
Encryption algorithm
Hash algorithm
IKE SA lifetime
Goal: set up a secure communication channel for negotiation of
IPsec SAs in phase 2.
21. Step 2 - Determine IPsec (IKE Phase 2) policy
Determine the following policy details:
IPsec algorithms and parameters for optimal security and
performance
IPsec peer details
IP addresses and applications of hosts to be protected
IKE-initiated SAs
Goal: these are the security parameters used to protect data and
messages exchanged between endpoints.
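Why the phase 1 policy details have to agree on both peers is easiest to see by running the negotiation. The Python below is an added example, not part of the slides or of any Cisco software: it models the responder-side matching rule that Cisco IOS documents for ISAKMP policies (local policies tried from the lowest priority number down, a match needing the same encryption, hash, authentication and DH group, and the proposed lifetime no longer than the local one). The policy values, priorities and lifetimes are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    """One 'crypto isakmp policy <priority>' entry; a lower number is tried first."""
    priority: int
    encryption: str       # e.g. "aes-256"
    hash: str             # e.g. "sha256"
    authentication: str   # e.g. "pre-share" or "rsa-sig"
    group: int            # Diffie-Hellman group
    lifetime: int         # IKE SA lifetime in seconds


def same_suite(a: IkePolicy, b: IkePolicy) -> bool:
    return (a.encryption == b.encryption and a.hash == b.hash
            and a.authentication == b.authentication and a.group == b.group)


def negotiate_phase1(local: List[IkePolicy],
                     remote: List[IkePolicy]) -> Optional[Tuple[IkePolicy, int]]:
    """Responder-side matching, modelled on the rule Cisco IOS documents (an
    assumption of this example): walk the local policies from highest priority
    (lowest number) down and, for each one, scan the initiator's proposals in
    the initiator's priority order. A match needs identical encryption, hash,
    authentication and DH group, and a proposed lifetime no longer than the
    local one; the shorter lifetime is what the IKE SA gets. Returns
    (matched local policy, agreed lifetime), or None when phase 1 fails."""
    for mine in sorted(local, key=lambda p: p.priority):
        for theirs in sorted(remote, key=lambda p: p.priority):
            if same_suite(mine, theirs) and theirs.lifetime <= mine.lifetime:
                return mine, min(mine.lifetime, theirs.lifetime)
    return None


# Constructed example policies (assumed values, not from the slides).
LOCAL_POLICIES = [
    IkePolicy(10, "aes-256", "sha256", "pre-share", 14, 86400),
    IkePolicy(20, "aes-128", "sha1", "pre-share", 5, 86400),
]
REMOTE_PROPOSALS = [
    IkePolicy(10, "aes-128", "sha1", "pre-share", 5, 43200),   # the initiator prefers this one
    IkePolicy(20, "aes-256", "sha256", "pre-share", 14, 86400),
]


if __name__ == "__main__":
    # The responder's own ordering wins: its policy 10 is matched against the
    # initiator's second proposal, even though the initiator preferred its first.
    print(negotiate_phase1(LOCAL_POLICIES, REMOTE_PROPOSALS))
```

The point to take from the run is that the responder's priority order decides which suite is used, and that a peer offering only suites the local side does not list (or a longer lifetime than the local policy allows) gets no phase 1 SA at all, which is the classic "no proposal chosen" failure seen in `debug crypto isakmp`.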
34. Purpose of crypto maps
Crypto maps pull together the various parts configured
for IPsec, including:
The traffic to be protected by IPsec and a set of SAs
The local address to be used for the IPsec traffic
The destination location of IPsec-protected traffic
The IPsec type to be applied to this traffic
37. Display your configured IKE policies:
show crypto isakmp policy
Display your configured transform sets:
show crypto ipsec transform-set
Display ISAKMP security associations:
show crypto isakmp sa
Display the current state of your IPsec SAs:
show crypto ipsec sa
Display your configured crypto maps:
show crypto map
Enable debug output for IPsec events:
debug crypto ipsec
Enable debug output for ISAKMP events:
debug crypto isakmp
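For the "test and verify" task, the output of `show crypto isakmp sa` is the first thing to read, and a small parser makes it possible to check many routers without eyeballing each one. The following Python is an added example, not from the slides or from Cisco: the sample output is constructed in the column layout IOS prints (addresses and connection ids are made up), and the state names are the real ISAKMP ones (QM_IDLE once phase 1 has completed, MM_*/AG_* while main or aggressive mode is still in progress).

```python
from typing import List

# Constructed output in the layout 'show crypto isakmp sa' prints on Cisco IOS
# (addresses and connection ids are made up for the example).
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
203.0.113.3     203.0.113.1     MM_NO_STATE       1002 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

HEADER_PREFIXES = ("IPv4 Crypto", "IPv6 Crypto", "dst ")


def parse_isakmp_sa(output: str) -> List[dict]:
    """Turn each SA row into a dict. QM_IDLE with status ACTIVE is a completed
    phase 1; MM_*/AG_* states are main/aggressive mode still in progress, and an
    MM_NO_STATE entry that persists usually means phase 1 never finished (a
    policy or pre-shared-key mismatch to chase with 'debug crypto isakmp')."""
    rows = []
    for line in output.splitlines():
        if not line.strip() or line.startswith(HEADER_PREFIXES):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        dst, src, state, conn_id = fields[0], fields[1], fields[2], int(fields[3])
        status = " ".join(fields[4:])          # status may carry a suffix such as "(deleted)"
        rows.append({
            "dst": dst, "src": src, "state": state, "conn_id": conn_id,
            "status": status,
            "established": state == "QM_IDLE" and status == "ACTIVE",
        })
    return rows


def peers_not_established(output: str) -> List[str]:
    """Destination addresses whose phase 1 SA is not usable, for a quick health check."""
    return [row["dst"] for row in parse_isakmp_sa(output) if not row["established"]]


if __name__ == "__main__":
    for row in parse_isakmp_sa(SAMPLE_OUTPUT):
        print(row)
    print("not established:", peers_not_established(SAMPLE_OUTPUT))
```

A peer listed by `peers_not_established` is the one to investigate next with `show crypto isakmp policy` on both sides and, if the policies agree, with `debug crypto isakmp` during a fresh connection attempt.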
38. VPN remote access
The requirements for VPN servers include the
need for Internet Security Association and Key
Management Protocol (ISAKMP) policies using
Diffie-Hellman.
The VPN Remote feature supports transform
sets providing both encryption and authentication,
so it does not support Authentication Header
(AH) authentication.
39. AAA (authentication, authorization and accounting)
servers:
are used for more secure access in a remote-access VPN
environment.
AAA then checks the following:
Who you are (authentication)
What you are allowed to do (authorization)
What you actually do (accounting)
The accounting information is especially useful for
tracking client use for security auditing, billing or
reporting purposes.
40. VPN client
The installation of the Cisco VPN Client is a very straightforward
process. A number of tasks must be completed to establish
connectivity to a VPN head-end.
Just start setup and the Welcome screen will be presented.
41. The Connection Entries screen is capable of
holding multiple entries should there be multiple access
sites. Click the New button at the top of the
screen to open the Create New VPN Connection
Entry dialog box, shown in Figure
42. Authentication tab
Group Authentication—A username and password
are necessary to complete the VPN profile.
43. Transport tab
The Transport tab allows the configuration of transparent
tunneling as well as the choice of whether to use IPsec
over UDP or TCP.
44. Backup Servers tab
The VPN client contains a Backup Servers tab to
configure a single connection with the capability to
connect to multiple servers.
45. Finish the connection configuration
From the main VPN Client window, you can establish a VPN
connection by highlighting one of the profiles and clicking the
Connect button at the top of the window. If the connection
parameters were properly configured, the VPN connection is
successful.
46. After a VPN connection is established, various
statistics about the connection are available.
From the Status pull-down menu, select Statistics.
This launches the Statistics window.