8/17/2019 LIP06 - Configuring Site-To-Site IPsec VPNs With the IOS CLI

LIP06 - Configuring Site-to-Site IPsec VPNs with the IOS CLI
V 1.0
Learning Objectives
1. Configure EIGRP on the routers
2. Understand the main terms used in an IPSec tunnel
3. Understand Phase I & Phase II in the operation of an IPSec tunnel
4. Create a site-to-site IPsec VPN using IOS
5. See the encryption of IP traffic in data communication
Acronyms
IPSec   Internet Protocol Security
VPN     Virtual Private Network
IKE     Internet Key Exchange
SA      Security Association
ISAKMP  Internet Security Association and Key Management Protocol
DES     Data Encryption Standard
3DES    Triple Data Encryption Standard
AES     Advanced Encryption Standard
SEAL    Software-Optimized Encryption Algorithm
RC4     Rivest Cipher 4
RSA     Rivest, Shamir and Adleman
DH      Diffie-Hellman
DSA     Digital Signature Algorithm
ECC     Elliptic Curve Cryptography
SHA-1   Secure Hash Algorithm 1
MD5     Message Digest 5
ESP     Encapsulating Security Payload
AH      Authentication Header
HMAC    Hash-based Message Authentication Code
INTERNET KEY EXCHANGE
AAA Services Overview

Authentication: Authentication is used to ensure that the users are who they say they are, and it helps secure the device that is being protected.
• Pre-Shared Key
• Rivest-Shamir-Adleman Encryption
• Rivest-Shamir-Adleman Signature

Authorization: As stated earlier, you can use authorization to define what commands can be used (in the case of TACACS+) or, for other methods, what types of access are defined.

Accounting: Now we get to the third A of AAA, which is accounting. Accounting allows you to provide audit trails of what is done on the network and also to bill for the usage of services.
Encryption Overview

In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it.

With symmetric encryption you use the same key to encrypt and decrypt. With asymmetric encryption you use a key pair. The keys are different; one key is public and the other is private.

Symmetric encryption is faster, but asymmetric encryption is better for communication between parties who are not known to each other, because there is no need to share a secret key with an unknown person.

Symmetric Encryption
• DES
• 3DES
• AES
• SEAL
• Rivest Cipher

Asymmetric Encryption
• RSA
• DH
• DSA
• ECC
• ElGamal
Diffie-Hellman algorithm simplified
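Only the title of this slide survived extraction. The exchange it refers to, as an added example that is not code from the LIP06 deck: each peer picks a private exponent, sends g^x mod p in the clear, and both arrive at the same secret without that secret ever crossing the wire. The parameters P and G, the function names and the SHA-256 key-derivation step are assumptions made for this example; IKE uses standardized large-prime groups and its own PRF over the DH secret and nonces.

```python
"""Diffie-Hellman key agreement, step by step (added example, not from the slides)."""
import hashlib
import secrets

# Constructed toy parameters (NOT secure, chosen so the arithmetic is readable).
# IKE negotiates standardized groups whose primes are 1024 bits and larger.
P = 23
G = 5


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """Public value g^private mod p; this is what a peer sends in the clear."""
    return pow(g, private, p)


def dh_shared(peer_public: int, private: int, p: int = P) -> int:
    """Shared secret peer_public^private mod p, computed independently by each side."""
    return pow(peer_public, private, p)


def derive_key(shared_secret: int, length: int = 16) -> bytes:
    """Turn the raw DH secret into symmetric key material.
    Assumption for this example: a plain SHA-256 hash stands in for the PRF
    that IKE applies to the DH secret and the exchanged nonces."""
    size = (shared_secret.bit_length() + 7) // 8 or 1
    return hashlib.sha256(shared_secret.to_bytes(size, "big")).digest()[:length]


def exchange(a_private: int, b_private: int, p: int = P, g: int = G):
    """Run the exchange for two peers.
    Returns (A sent by Alice, B sent by Bob, secret at Alice, secret at Bob)."""
    A = dh_public(a_private, p, g)   # Alice -> Bob
    B = dh_public(b_private, p, g)   # Bob -> Alice
    secret_at_a = dh_shared(B, a_private, p)
    secret_at_b = dh_shared(A, b_private, p)
    return A, B, secret_at_a, secret_at_b


if __name__ == "__main__":
    # Each side draws its private exponent locally; only A and B are transmitted.
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    A, B, s_a, s_b = exchange(a, b)
    print(f"Alice sends A={A}, Bob sends B={B}")
    print(f"both sides compute the same secret: {s_a} == {s_b} -> {s_a == s_b}")
    print("derived key material:", derive_key(s_a).hex())
```

With the textbook values a=6 and b=15 the exchange yields A=8, B=19 and a shared secret of 2 on both sides; an observer who sees only A and B would have to solve the discrete logarithm to recover it, which is what the large standardized groups make impractical.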
Hashing Overview

A hash function is a mathematical program that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, hash sums, or simply hashes. One use is a data structure called a hash table, widely used in computer software for rapid data lookup.

In this lab we will talk about the mathematical computations used to create the hashing algorithms. The two specific hashing algorithms we will discuss are Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1).
Hash Message Authentication Code

Hash Message Authentication Code (HMAC) is a way to further secure a hash. HMAC is not a hash function requirement, but it has its place when we talk about securing the hash function. Because some popular hash algorithms have been shown not to be completely collision resistant, it is important to add newer techniques to validate the integrity of a hash. HMAC accomplishes this by adding another layer of data into the hashing mix. This layer is called a secret key. The secret key is known only by the sender and receiver, and it provides authentication to HMAC.

In the HMAC process the input data is taken and a secret key is added. Both the input data and the secret key are put through the hashing algorithm. This produces an HMAC hash. The size of the HMAC hash is the same as that of the corresponding hashing algorithm. (The two main types of HMAC hashes are HMAC-MD5, which produces a 128-bit hash, and HMAC-SHA-1, which produces a 160-bit hash.)
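The hashing slide and the HMAC slide above, worked in code as an added example that is not from the LIP06 deck: fixed_size_digest() shows the arbitrary-size-to-fixed-size mapping and the 128-bit (MD5) and 160-bit (SHA-1) digest lengths the text quotes; hmac_rfc2104() makes the "secret key added to the hashing mix" step explicit by following the RFC 2104 construction (inner and outer padded keys) and is checked against the standard library's hmac module; verify() is the receiver side, which is where a tampered message or a wrong key is caught. The function names, SECRET_KEY and MESSAGE are constructed for this example. MD5 and SHA-1 appear because the slides discuss them; for a new configuration a SHA-2 HMAC is the expected choice.

```python
"""Hashing and HMAC (RFC 2104) worked through (added example, not from the slides)."""
import hashlib
import hmac

# Constructed sample inputs for this example.
SECRET_KEY = b"constructed-demo-key"
MESSAGE = b"ESP payload to be authenticated"


def fixed_size_digest(data: bytes, algorithm: str) -> bytes:
    """Map input of any length to the fixed digest length of the algorithm
    (MD5: 16 bytes / 128 bits, SHA-1: 20 bytes / 160 bits)."""
    return hashlib.new(algorithm, data).digest()


def hmac_rfc2104(key: bytes, message: bytes, algorithm: str) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), per RFC 2104."""
    block_size = hashlib.new(algorithm).block_size   # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:                        # keys longer than a block are hashed first
        key = hashlib.new(algorithm, key).digest()
    key = key.ljust(block_size, b"\x00")             # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)              # inner padded key
    opad = bytes(b ^ 0x5C for b in key)              # outer padded key
    inner = hashlib.new(algorithm, ipad + message).digest()
    return hashlib.new(algorithm, opad + inner).digest()   # same length as the plain digest


def verify(key: bytes, message: bytes, tag: bytes, algorithm: str) -> bool:
    """Receiver side: recompute the tag and compare in constant time so the
    comparison itself does not leak how many leading bytes matched."""
    expected = hmac_rfc2104(key, message, algorithm)
    return hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, message: bytes, algorithm: str) -> bool:
    """Cross-check the hand-built construction against hmac from the stdlib."""
    return hmac_rfc2104(key, message, algorithm) == hmac.new(key, message, algorithm).digest()


if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        digest = fixed_size_digest(MESSAGE * 1000, alg)      # long input, fixed-size output
        tag = hmac_rfc2104(SECRET_KEY, MESSAGE, alg)
        print(f"{alg}: digest {len(digest) * 8} bits, HMAC tag {len(tag) * 8} bits, "
              f"matches stdlib: {matches_stdlib(SECRET_KEY, MESSAGE, alg)}")
        print("  genuine message accepted:", verify(SECRET_KEY, MESSAGE, tag, alg))
        print("  tampered message accepted:", verify(SECRET_KEY, MESSAGE + b"!", tag, alg))
        print("  wrong key accepted:", verify(b"other-key", MESSAGE, tag, alg))
```

Because the key enters the computation on both the inner and the outer hash, a party that intercepts the message and the tag cannot produce a valid tag for a modified message without the key; that is the authentication the slide attributes to the secret key, and it holds even for a hash whose collision resistance is weakened.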
Authentication Header
Encapsulating Security Payload (ESP)
Tunnel Mode versus Transport Mode
ISAKMP - Phase I & Phase II
AUTHENTICATION HEADER & ESP
htt2;;s4i7e24aer.co5;s4i7e;&0