(SIMOS)
Pretty Good Privacy (PGP)
Spoke-to-spoke: A spoke-to-spoke DMVPN requires that each branch (spoke) have an mGRE interface through which dynamic spoke-to-spoke tunnels are used for spoke-to-spoke traffic. This model provides a scalable configuration for all involved devices and also provides direct spoke-to-spoke communication.
DMVPN Benefits
Hub router configuration reduction: The DMVPN feature allows you to create a single mGRE tunnel interface and a single IPsec profile, and does not require crypto ACLs on the hub router.
authentication pre-share
group 14
ip mtu 1400
Hub(config-if)# ip nhrp authentication ADFqeqrDA
3. As with configuring the hub, an IPsec profile with an optional transform set can be configured. If a transform set is not configured, the router will use default IPsec transform sets.
4. Create an mGRE tunnel interface (or a GRE interface for strict hub-and-spoke DMVPNs).
6. Associate the IPsec profile with the mGRE interface to configure tunnel protection.
router(config-router)# no auto-summary
router(config-router)# exit
!
router(config)# interface tunnel 0
VRF Mode
The model of interface VLANs is preserved, but the crypto connect vlan command is not used. Instead, a route must be installed so that packets destined for that particular subnet in that particular VRF are directed to that interface VLAN.
[Figure: Port VLAN and Interface VLAN. Outside port and inside port of the IPsec VPN SPA, Layer 2 port VLANs 502 and 503, Layer 3 interface VLANs 2 and 3, MSFC/PFC.]
[Figure: Access Port Configuration. WAN interface access port GigabitEthernet 1/2; IPsec VPN SPA in slot 4 subslot 1 with outside port Gi4/0/2 and inside port Gi4/0/1; interface VLAN 2 with address 192.168.100.2; MSFC/PFC.]
VRF Mode Basic Configuration Example
ip vrf ivrf
rd 1000:1
route-target export 1000:1
route-target import 1000:1
!
crypto engine mode vrf
!
vlan 2,3
!
crypto keyring key0
pre-shared-key address 11.0.0.2 key 12345
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp profile prof1
vrf ivrf
keyring key0
match identity address 11.0.0.2 255.255.255.255
!
!
crypto ipsec transform-set proposal1 esp-3des esp-sha-hmac
!
crypto map testtag local-address Vlan3
crypto map testtag 10 ipsec-isakmp
set peer 11.0.0.2
set transform-set proposal1
set isakmp-profile prof1
match address 101
!
interface GigabitEthernet1/1
!switch inside port
ip vrf forwarding ivrf
ip address 12.0.0.1 255.255.255.0
interface GigabitEthernet1/2
!switch outside port
switchport
switchport access vlan 3
switchport mode access
!
interface GigabitEthernet4/0/1
!IPsec VPN SPA inside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
interface GigabitEthernet4/0/2
!IPsec VPN SPA outside port
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,1002-1005
switchport mode trunk
mtu 9216
flowcontrol receive on
flowcontrol send off
spanning-tree portfast trunk
!
interface Vlan2
ip vrf forwarding ivrf
ip address 13.0.0.252 255.255.255.0
crypto map testtag
crypto engine slot 4/0 inside
!
interface Vlan3
ip address 11.0.0.1 255.255.255.0
crypto engine slot 4/0 outside
!
access-list 101 permit ip host 12.0.0.2 host 13.0.0.2
Benefits Of IKEv2
Dead Peer Detection and Network Address Translation-Traversal built-in support.
Certificate URLs can be referenced through URL and hash.
Denial of Service attack resilience.
EAP support.
Multiple crypto engines.
Reliability and state management (windowing).
IKEv2 CLI Construct
IKEv2 Proposal: encryption algorithm, integrity algorithm, Pseudo-Random Function (PRF) algorithm, Diffie-Hellman (DH) group.
IKEv2 Policy: An IKEv2 policy contains proposals that are used to negotiate.
IKEv2 Profile: Repository of nonnegotiable parameters of the IKE SA, such as local or remote identities and authentication methods, and services that are available to authenticated peers that match the profile.
IKEv2 Key Ring: Repository of symmetric and asymmetric preshared keys; it is independent of the IKEv1 key ring.
Configuring Global IKEv2 Options
crypto ikev2 certificate-cache 750
crypto ikev2 cookie-challenge 450
crypto ikev2 diagnose error 500
crypto ikev2 dpd 500 50 on-demand
crypto ikev2 http-url cert
crypto ikev2 limit max-in-negotiation-sa 5000 incoming
crypto ikev2 nat keepalive 500
crypto ikev2 window 15
crypto logging ikev2
Configuring IKEv2 Fragmentation And Proposal
An IKEv2 policy can have one or more match address local statements.
proposal proposal1
Better scalability: IPsec VTIs require fewer SAs to support all types of traffic.
Routable interface: Like GRE/IPsec, VTIs support all types of IP routing protocols.
IPSec VTI Limitations
The IPsec VTI is limited to only IP unicast and multicast traffic, while GRE/IPsec tunnels support a much wider range of protocols and applications.
Step 2. Configure an IPsec traffic protection policy on all peers.
Step 3. Configure a static or dynamic VTI tunnel on each peer.
Step 4. Configure static or dynamic routing over the VTI tunnels.
Dynamic VTI (DVTI)
Spoke peers attempt to create VPN connections with the hub peer.
ip unnumbered FastEthernet0/0
ip flow ingress
interface Tunnel1
ip address negotiated
ip mtu 1400
ip nhrp network-id 2
ip nhrp shortcut virtual-template 1
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination 172.25.1.1
tunnel path-mtu-discovery
tunnel protection ipsec profile default
FlexVPN Spoke Configuration
interface Virtual-Template1 type tunnel
ip unnumbered Tunnel1
ip mtu 1400
ip nhrp network-id 2
ip nhrp shortcut virtual-template 1
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel path-mtu-discovery
tunnel protection ipsec profile default
FlexVPN Basic Connectivity Hub Configuration
aaa new-model
aaa authorization network default local
It does not require any user training except for initiating and terminating the VPN connection.
It requires administrative privileges to install the VPN client because the client needs to modify network interfaces and the IP stack to operate successfully.
Cisco ISR Web VPN Technique
URL and Common Internet File System (CIFS) file access: When the client browser establishes the SSL session and the user is authenticated, the gateway can present a page with resource bookmarks.
router(config-webvpn-context)# policy group MY-POLICY
router(config-webvpn-context)# banner Welcome to SSL VPN
router(config-webvpn-context)# default-group-policy MY-POLICY
Enable User Authentication Using Local AAA
router(config)# aaa authentication login LOCAL-AUTHEN local
router(config-webvpn-context)# aaa authentication list LOCAL-AUTHEN
Full Tunneling Scenario
Enable Full Tunneling Access
router(config)# webvpn install svc flash://anyconnect-win-2.4.0202-k9.bin
SSLVPN Package SSL-VPN-Client (seq:1): installed successfully
router(config-webvpn-context)# policy group MY-POLICY
router(config-vpn-policy)# svc address-pool MY-POOL
Configure Client Configuration
Router(config)# webvpn context MY-CONTEXT
Router(config-webvpn-context)# policy group MY-POLICY
4. The gateway extracts the TCP session from the SSL VPN session, establishes a TCP connection with the internal target host on the standard Telnet port, and acts as a data relay between the two TCP sessions.
Port Forwarding Limitations
Port forwarding supports only simple, static-port TCP applications.
router(config-webvpn-port-fwd)# exit
Router(config-context)# csd enable
Configure Optional Access Control
router(config)# webvpn context MY-CONTEXT
router(config-webvpn-acl)# exit
pool FlexVPN-Pool-1
dns 10.7.7.129
netmask 255.255.255.0
def-domain example.com
Server Using Certificate To Authenticate Itself
MTU/Fragmentation Issues
No IKE SA Troubleshooting Step
[Table: algorithm comparison]
IPSec: 56-bit Data Encryption Standard (DES), 168-bit Triple DES (3DES) | SHA-1 | 2048-bit RSA keys | Digital Signature Algorithm
Elliptic curve row: Elliptic Curve Diffie-Hellman (using P-256 and P-384 curves) | SHA-256 | Elliptic Curve Digital Signature Algorithm