1
Implementing VPN Solutions
  • Laurel Boyer, CCIE 4918
  • Presented, June 2003

2
Agenda
  • Cost Analysis Frame vs. VPN
  • VPN Drawbacks
  • VPN Equipment Alternatives
  • Using GRE for Dynamic Routing
  • Implementation Examples
  • Troubleshooting
  • Questions/Discussion

3
Cost Analysis Frame vs. VPN
  • Premise: this discussion assumes a requirement to
    remotely connect two or more offices/locations, and
    focuses on a hub/spoke architecture.
  • Frame Relay vs. DSL cost examples

4
VPN Drawbacks
  • VPN connections traverse the Internet, so they are
    exposed to latency and interruptions that the
    network administrator cannot influence.
  • DSL is normally a better choice than cable modem,
    as it does not share the broadcast medium.
  • DSL may not be available in all areas, or may not
    be available at the required speeds.
  • Not all DSL/ISP providers are created equal:
  • Ensure that the provider will give you public IP
    addresses to manage.
  • Ask the provider where the POP that connects to
    your office is.
  • Request ping times from the POP to your
    hub/destination location.
  • Request peering information between the provider
    and your destination.
  • Scrutinize the customer service policy.

5
VPN Equipment Alternatives
  • PIX to PIX
  • PIX to VPN Concentrator
  • PIX to Router w/ IOS Firewall/IPSEC
  • VPN Concentrator to Router w/ IOS Firewall/IPSEC
  • VPN Concentrator to VPN Concentrator
  • Router w/ IOS Firewall/IPSEC to Router w/ IOS
    Firewall/IPSEC

6
VPN GRE Example
7
Generic Steps for setting up VPN
  • Load Basic FW or Router Config
  • Set up IPSEC Tunnel
  • Set up static routes on Routers
  • Set up GRE Tunnel

8
Configure IPSEC Tunnel: ISAKMP
  • Define the encryption algorithm: normally DES or
    3DES (2003 guidance; DES and MD5 are no longer
    acceptable, so on current software prefer AES and
    SHA-2)
  • Define a hashing algorithm: MD5 or SHA
  • Define authentication: RSA/CA or pre-shared key
  • Define the SA (Security Association) lifetime.
    Default is 86400 seconds (1 day)

9
Configure IPSEC Tunnel: ISAKMP
  • Example
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key vpn2vpn address 5.1.1.2
  • Encryption and DH group are not set in the policy,
    so the IOS defaults (DES, group 1) apply; they
    match the PIX policy on slide 14.

10
Configure IPSEC Tunnel: IPSEC
  • Create an extended ACL (access list) that selects
    the traffic to encrypt
  • Create IPSEC transform set(s)
  • Create a crypto map
  • Apply the crypto map to the outside interface

11
VPN Router Configuration
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key vpn2vpn address 5.1.1.2
    !
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    !
    crypto map vpntunnel 10 ipsec-isakmp
     set peer 5.1.1.2
     set transform-set ESP-DES-MD5
     match address vpn-tunnel
    !
    interface Ethernet0
     ip address 10.1.1.254 255.255.255.0
     ip nat inside
    !

12
VPN Router Configuration, Cont.
    interface Ethernet1
     ip address 5.1.1.1 255.255.255.0
     ip nat outside
     crypto map vpntunnel
    !
    ip nat inside source route-map Internet interface Ethernet1 overload
    !
    ip access-list extended Nat
     deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
     permit ip any any
    ip access-list extended vpn-tunnel
     permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
    route-map Internet permit 10
     match ip address Nat
13
VPN PIX Configuration
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list vpn-tunnel permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
    interface ethernet0 10baset
    interface ethernet1 10full
    ip address outside 5.1.1.2 255.255.255.0
    ip address inside 10.1.2.254 255.255.255.0
    nat (inside) 0 access-list vpn-tunnel
    nat (inside) 1 10.0.0.0 255.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 5.1.1.1 1
14
VPN PIX Configuration, Cont.
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map vpntunnel 1 ipsec-isakmp
    crypto map vpntunnel 1 match address vpn-tunnel
    crypto map vpntunnel 1 set peer 5.1.1.1
    crypto map vpntunnel 1 set transform-set ESP-DES-MD5
    crypto map vpntunnel interface outside
    isakmp enable outside
    isakmp key vpn2vpn address 5.1.1.1 netmask 255.255.255.255
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 86400
15
VPN GRE
  • GRE: Generic Routing Encapsulation. Used to
    encapsulate a wide variety of protocol packet
    types inside IP tunnels, creating a virtual
    point-to-point link to remote points over an IP
    network.
  • In this instance, we use an IPSEC tunnel to
    create a secure/encrypted path between two public
    points. GRE is used to create a virtual Intranet
    path between two private points, and the GRE
    packets are what the IPSEC tunnel encrypts.
  • Because GRE carries broadcast and multicast
    traffic, we can run EIGRP or other dynamic
    routing protocols over the tunnel, reducing the
    need for static routing in larger VPN topologies.

16
GRE Example
    interface Loopback10
     description Loopback for GRE tunnel
     ip address 10.0.1.10 255.255.255.255
    !
    interface Tunnel10
     description GRE tunnel to GRE-RTR
     ip address 10.0.0.1 255.255.255.252
     tunnel source Loopback10
     tunnel destination 10.0.0.10
    !
    ip access-list extended vpn-tunnel
     permit ip host 10.0.1.10 host 10.0.0.10
    !
    ip route 10.0.0.10 255.255.255.255 5.1.1.2
  • The crypto ACL now matches only the GRE endpoints
    (tunnel source to tunnel destination); the static
    route sends the tunnel destination out the public
    interface, where the crypto map sees it.
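The forwarding chain behind this example, as an added Python model that is not part of the presentation: a LAN packet is routed into Tunnel10, GRE-encapsulated with the Loopback10 source and the 10.0.0.10 destination, routed again by the static route out Ethernet1, and only then matched by the crypto map. The addresses are the page's; the spoke LAN 10.1.2.0/24 and a 10.0.0.0/8 summary learned over EIGRP through the tunnel are assumptions, and the two misconfigurations at the end (static route missing, crypto ACL naming the Tunnel10 addresses instead of the tunnel source and destination) are constructed to show what goes wrong: recursive routing in the first case, GRE leaving the public interface unencrypted in the second.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    interface: str
    next_hop: Optional[IPv4] = None      # None: connected route or tunnel interface


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    proto: int                           # 47 = GRE, 50 = ESP, 6 = TCP payload


# Hub router from the page: Ethernet0 10.1.1.254/24, Ethernet1 5.1.1.1/24,
# Loopback10 10.0.1.10/32, Tunnel10 10.0.0.1/30 (source Loopback10,
# destination 10.0.0.10), static route 10.0.0.10/32 via 5.1.1.2.
TUNNELS = {"Tunnel10": (IPv4("10.0.1.10"), IPv4("10.0.0.10"))}
CRYPTO_MAP = {                           # crypto map vpntunnel, applied to Ethernet1
    "interface": "Ethernet1",
    "local": IPv4("5.1.1.1"),
    "peer": IPv4("5.1.1.2"),
    # ip access-list extended vpn-tunnel: permit ip host 10.0.1.10 host 10.0.0.10
    "acl": [(Net("10.0.1.10/32"), Net("10.0.0.10/32"))],
}
HUB_RIB = [
    Route(Net("10.1.1.0/24"), "Ethernet0"),
    Route(Net("5.1.1.0/24"), "Ethernet1"),
    Route(Net("10.0.1.10/32"), "Loopback10"),
    Route(Net("10.0.0.0/30"), "Tunnel10"),
    Route(Net("10.0.0.10/32"), "Ethernet1", IPv4("5.1.1.2")),  # ip route 10.0.0.10 255.255.255.255 5.1.1.2
    # Assumed: prefixes learned from the spoke over EIGRP through the tunnel
    Route(Net("10.1.2.0/24"), "Tunnel10"),
    Route(Net("10.0.0.0/8"), "Tunnel10"),
]


def lookup(rib: List[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match, as the forwarding table does."""
    matches = [r for r in rib if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def acl_permits(acl, pkt: Packet) -> bool:
    return any(pkt.src in s and pkt.dst in d for s, d in acl)


def forward(pkt: Packet, rib=HUB_RIB, tunnels=TUNNELS, cmap=CRYPTO_MAP) -> Tuple[str, Optional[str], Packet]:
    """Return (disposition, egress interface, packet that goes on the wire)."""
    route = lookup(rib, pkt.dst)
    if route is None:
        return ("DROP: no route", None, pkt)
    if route.interface in tunnels:
        # GRE encapsulation: the outer header is tunnel source -> tunnel destination,
        # and the router routes that outer packet with a second lookup.
        src, dst = tunnels[route.interface]
        pkt = Packet(src, dst, 47)
        route = lookup(rib, pkt.dst)
        if route is None:
            return ("DROP: no route to tunnel destination", None, pkt)
        if route.interface in tunnels:
            # IOS logs "%TUN-5-RECURDOWN: Tunnel10 temporarily disabled due to recursive routing"
            return ("DROP: recursive routing", route.interface, pkt)
    if route.interface == cmap["interface"] and acl_permits(cmap["acl"], pkt):
        # Crypto map hit on the public interface: ESP in tunnel mode to the peer.
        return ("ESP", route.interface, Packet(cmap["local"], cmap["peer"], 50))
    # No crypto ACL match: the packet leaves the public interface unencrypted.
    return ("CLEAR", route.interface, pkt)


# Constructed sample: a hub LAN host talking to a spoke LAN host.
LAN_PACKET = Packet(IPv4("10.1.1.5"), IPv4("10.1.2.5"), 6)
# Constructed misconfigurations: the static route to the tunnel destination
# left out, and a crypto ACL that names the Tunnel10 interface addresses
# instead of the tunnel source/destination.
RIB_WITHOUT_STATIC = [r for r in HUB_RIB if r.prefix != Net("10.0.0.10/32")]
WRONG_ACL_MAP = dict(CRYPTO_MAP, acl=[(Net("10.0.0.0/30"), Net("10.0.0.0/30"))])

if __name__ == "__main__":
    print(forward(LAN_PACKET))                          # ('ESP', 'Ethernet1', 5.1.1.1 -> 5.1.1.2 proto 50)
    print(forward(LAN_PACKET, rib=RIB_WITHOUT_STATIC))  # ('DROP: recursive routing', 'Tunnel10', ...)
    print(forward(LAN_PACKET, cmap=WRONG_ACL_MAP))      # ('CLEAR', 'Ethernet1', GRE packet in the clear)
```

The third case is the one to watch for: a crypto ACL that does not cover the GRE endpoints does not stop the tunnel, it just sends the Intranet traffic across the Internet without ESP.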

17
Intro to the VPN Concentrator
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_models_comparison.html
18-29
(No Transcript)
30
Troubleshooting
  • Check the IPSEC tunnel:
    show crypto ipsec sa
    show crypto isakmp sa
    clear crypto sa
    debug crypto ipsec
    debug crypto isakmp
  • Check for mismatched access-lists (most common
    problem!) - the crypto ACLs on the two peers must
    be mirror images of each other
  • Check for static routes - you must tell the
    local router/FW that the private destination is
    via the public interface
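Because mismatched access-lists are the most common problem, here is an added checker, written for this page rather than taken from the presentation, that parses both peers' crypto ACLs (IOS entries with wildcard masks, PIX entries with netmasks) and reports every entry whose mirror image is missing on the other side (same protocol, source and destination swapped). The router and PIX entries are the ones from slides 12 and 13 and the hub GRE entry is from slide 16; the two spoke GRE entries are constructed, one mirrored correctly and one pasted unchanged from the hub.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, Net, Net]        # (protocol, source network, destination network)


def _address(tokens: List[str], i: int, mask_style: str) -> Tuple[Net, int]:
    """Consume one address spec (any | host A | A MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if mask_style == "wildcard":
        # IOS wildcard 0.255.255.255 is the inverse of netmask 255.0.0.0;
        # invert explicitly rather than rely on ipaddress guessing the form.
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return Net(f"{addr}/{mask}", strict=False), i + 2


def parse_crypto_acl(text: str, mask_style: str) -> List[Entry]:
    """Parse the permit entries of a crypto ACL.

    mask_style is "wildcard" for IOS ACLs and "netmask" for PIX access-list
    lines; header lines, deny entries and remarks are skipped.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit")
        proto = tokens[i + 1]                     # "ip" on this page, "gre" is also common
        src, i = _address(tokens, i + 2, mask_style)
        dst, i = _address(tokens, i, mask_style)
        entries.append((proto, src, dst))
    return entries


def mirror_mismatches(local: List[Entry], remote: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Return (local entries with no mirror on the peer, peer entries with no mirror locally)."""
    local_set, remote_set = set(local), set(remote)
    unmirrored_local = sorted(e for e in local_set if (e[0], e[2], e[1]) not in remote_set)
    unmirrored_remote = sorted(e for e in remote_set if (e[0], e[2], e[1]) not in local_set)
    return unmirrored_local, unmirrored_remote


def check(local_text: str, local_style: str, remote_text: str, remote_style: str) -> List[str]:
    """Human-readable findings; an empty list means the two sides mirror."""
    local = parse_crypto_acl(local_text, local_style)
    remote = parse_crypto_acl(remote_text, remote_style)
    no_remote, no_local = mirror_mismatches(local, remote)
    findings = [f"local entry {p} {s} -> {d} has no mirror on the peer" for p, s, d in no_remote]
    findings += [f"peer entry {p} {s} -> {d} has no mirror locally" for p, s, d in no_local]
    return findings


# Crypto ACLs from the page: router (slide 12) and PIX (slide 13).
ROUTER_ACL = """ip access-list extended vpn-tunnel
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255"""
PIX_ACL = "access-list vpn-tunnel permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0"

# GRE endpoints: the hub entry from slide 16 and two constructed spoke entries,
# one mirrored correctly and one pasted unchanged from the hub.
HUB_GRE_ACL = "permit ip host 10.0.1.10 host 10.0.0.10"
SPOKE_GRE_ACL_OK = "permit ip host 10.0.0.10 host 10.0.1.10"
SPOKE_GRE_ACL_BAD = "permit ip host 10.0.1.10 host 10.0.0.10"

if __name__ == "__main__":
    print(check(ROUTER_ACL, "wildcard", PIX_ACL, "netmask") or "router/PIX ACLs mirror")
    print(check(HUB_GRE_ACL, "wildcard", SPOKE_GRE_ACL_OK, "wildcard") or "hub/spoke GRE ACLs mirror")
    for finding in check(HUB_GRE_ACL, "wildcard", SPOKE_GRE_ACL_BAD, "wildcard"):
        print(finding)
```

The 10/8-to-10/8 entries of slides 12 and 13 pass trivially because they are their own mirror; the host-to-host GRE entries are where a copy-paste without swapping the two addresses shows up, and that is exactly the case the checker reports.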

31
Questions?