
Cisco

VPN Solutions

2001, Cisco Systems, Inc. 1


Agenda

Introduction to IPSec
IPSec VPN Topologies
Cisco Site-to-Site VPN Solutions

VPN Overview 2001, Cisco Systems, Inc. www.cisco.com/go/vpn 2


IPSec Design Guide

http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/iptoc_dg.htm




IPSec Overview

Initiating the IPSec session


Phase one: exchanging keys
Phase two: setting up security associations
Encrypting/decrypting packets
Rebuilding security associations
Timing out security associations
Simple IPSec configuration



Initiating the IPSec Session
Phase One: ISAKMP

Internet Security Association and Key Management Protocol (ISAKMP)

Both sides need to agree on the ISAKMP security parameters. A peer's proposed policy matches a local policy only when the encryption algorithm, hash algorithm, authentication method and Diffie-Hellman group are all identical; policies are compared in ascending priority order, and the first match is used.

ISAKMP parameters:
Encryption algorithm
Hash algorithm
Authentication method (pre-shared key or RSA signatures)
Diffie-Hellman group (modulus size)
ISAKMP SA lifetime



Initiating the IPSec Session
Phase Two: IPSec

Both sides need to agree on the IPSec security parameters.

IPSec parameters:
IPSec peer: endpoint of the IPSec tunnel
IPSec proxy: traffic to be encrypted/decrypted (the crypto ACL referenced by "match address" in the crypto map)
IPSec transform: encryption and hashing algorithms (the transform set)
IPSec lifetime: phase two SA regeneration time



Encrypting and Decrypting Packets

Once phase one and phase two complete, Security Associations (SAs) exist at both IPSec endpoints.
Using the negotiated SA information:
Outbound packets that match the crypto ACL are encrypted
Inbound packets are decrypted



Rebuilding Security Associations

Keys are refreshed periodically so that a compromised key exposes only a bounded amount of traffic.
Security associations will be rebuilt when:
The lifetime expires (time-based), or
The data volume limit has been exceeded (kilobyte-based), or
Another SA is attempted with identical parameters



Simple IPSec Configuration

Topology: 10.1.1.0/24 -- Router A (Ethernet0 10.1.1.1, Ethernet1 192.1.1.1) -- Internet -- Router B (Ethernet1 200.1.1.2, Ethernet0 10.1.2.1) -- 10.1.2.0/24. The IPSec tunnel runs between 192.1.1.1 and 200.1.1.2.

Router A (192.1.1.1):

crypto isakmp policy 1
 authentication pre-share
 hash md5
crypto isakmp key cisco123 address 200.1.1.2
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set trans1
 match address 101
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
interface Ethernet1
 ip address 192.1.1.1 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

Router B (200.1.1.2):

crypto isakmp policy 1
 authentication pre-share
 hash md5
crypto isakmp key cisco123 address 192.1.1.1
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 192.1.1.1
 set transform-set trans1
 match address 101
interface Ethernet0
 ip address 10.1.2.1 255.255.255.0
interface Ethernet1
 ip address 200.1.1.2 255.255.255.0
 crypto map vpnmap
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Notes: the two crypto ACLs mirror each other (each side's source and destination are the other side's reversed), which is required for the proxy identities to match in phase two. The ISAKMP policy sets no "encr" and no "group", so the IOS defaults (DES and Diffie-Hellman group 1) apply silently. DES, MD5, group 1 and a short pre-shared key stored in the clear are shown here only because the slide uses them; none of them is acceptable in a current deployment.
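The configuration above is small enough to check by eye, but the weaknesses it carries (defaults that are never written into the config, MD5, DES, a cleartext pre-shared key) are exactly the ones that survive in larger configs. The following script is an added example, not code from Cisco or from this deck: it parses IOS crypto configuration text with simple line matching and reports those issues. WEAK_CONFIG is the Router A configuration from the slide; HARDENED_CONFIG is an assumed modern equivalent using keywords of current IOS releases (AES-256, SHA-256, group 14, a type-6 encrypted key; the key blob is a placeholder), not something the slide shows.

```python
"""Audit an IOS crypto configuration for the weak settings the slide shows.

Added example, not Cisco code. It walks the configuration line by line
(IOS indents sub-commands with one space) and reports legacy algorithms,
IOS defaults that were silently applied, and pre-shared keys stored in clear.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[int, str, str]   # (line number, code, message)

# IOS defaults for attributes that a "crypto isakmp policy" does not set explicitly.
IOS_POLICY_DEFAULTS: Dict[str, str] = {"encr": "des", "hash": "sha", "group": "1"}

# Constructed from the slide: Router A side of the "Simple IPSec Configuration".
WEAK_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 hash md5
crypto isakmp key cisco123 address 200.1.1.2
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
 set peer 200.1.1.2
 set transform-set trans1
 match address 101
"""

# Assumed hardened equivalent (keywords of current IOS releases; not from the slide).
# "key 6" means the secret is stored type-6 encrypted; the blob below is a placeholder.
HARDENED_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 6 TYPE6-ENCRYPTED-BLOB address 200.1.1.2
crypto ipsec transform-set trans1 esp-aes 256 esp-sha256-hmac
"""


def _check_policy(lineno: int, name: str, attrs: Dict[str, str],
                  explicit: set, out: List[Finding]) -> None:
    def note(attr: str) -> str:
        return "" if attr in explicit else " (IOS default, nothing configured)"

    cipher = attrs["encr"].split()[0]
    if cipher in ("des", "3des"):
        out.append((lineno, "WEAK-ENCR",
                    f"policy {name}: encryption {attrs['encr']}{note('encr')}"))
    if attrs["hash"] == "md5":
        out.append((lineno, "WEAK-HASH", f"policy {name}: hash md5{note('hash')}"))
    if int(attrs["group"]) < 14:
        out.append((lineno, "WEAK-DH",
                    f"policy {name}: Diffie-Hellman group {attrs['group']}{note('group')}"))


def audit_crypto_config(config: str) -> List[Finding]:
    """Return findings for ISAKMP policies, pre-shared keys and transform sets."""
    findings: List[Finding] = []
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        tok = lines[i].split()
        lineno = i + 1
        m = re.match(r"crypto isakmp policy (\d+)$", lines[i])
        if m:
            attrs = dict(IOS_POLICY_DEFAULTS)
            explicit: set = set()
            i += 1
            while i < len(lines) and lines[i].startswith(" "):   # policy sub-commands
                sub = lines[i].split()
                if sub[0] in ("encr", "encryption"):
                    attrs["encr"] = " ".join(sub[1:])
                    explicit.add("encr")
                elif sub[0] in ("hash", "group"):
                    attrs[sub[0]] = sub[1]
                    explicit.add(sub[0])
                i += 1
            _check_policy(lineno, m.group(1), attrs, explicit, findings)
            continue
        if tok[:3] == ["crypto", "isakmp", "key"]:
            # Forms: "key SECRET address ..." or "key 0|6 SECRET address ..."
            keytype, secret = ("0", tok[3]) if tok[3] not in ("0", "6") else (tok[3], tok[4])
            if keytype != "6":
                findings.append((lineno, "CLEARTEXT-PSK",
                                 "pre-shared key stored unencrypted in the configuration"))
                if len(secret) < 16:
                    findings.append((lineno, "SHORT-PSK",
                                     f"pre-shared key '{secret}' is only {len(secret)} characters"))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in tok[4:]:
                if "des" in t or "md5" in t or t == "esp-null":
                    findings.append((lineno, "WEAK-TRANSFORM", f"transform set {tok[3]}: {t}"))
        i += 1
    return findings


if __name__ == "__main__":
    for cfg_name, cfg in (("slide config", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_crypto_config(cfg)
        print(f"== {cfg_name}: {len(result)} finding(s)")
        for lineno, code, msg in result:
            print(f"line {lineno}: {code}: {msg}")
```

Run against the slide's configuration it reports seven findings (DES and group 1 as unconfigured defaults, MD5, the cleartext 8-character key, and both halves of the esp-des/esp-md5-hmac transform set); the hardened configuration produces none. The "IOS default, nothing configured" note is the point: a reviewer who only greps for "des" in the running config will miss the ISAKMP cipher entirely.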



Topologies

Standard Site-to-Site IPSec Enabled VPN Solution


Design and Engineering Guide

http://www.cisco.com/cpropart/salestools/cc/so/neso/vpn/vpne/s2sdes.htm




GRE Over IPSec (Common Configuration Issues)

Apply the crypto map on both the tunnel interface and the physical interface.
Specify GRE traffic between the tunnel endpoints as IPSec interesting traffic, for example:
access-list 101 permit gre host 200.1.1.1 host 150.1.1.1
Static or dynamic routing is needed to send VPN traffic into the GRE tunnel before it gets encrypted.



GRE over IPSec (Avoid Recursive Routing)

To avoid GRE tunnel interface damping due to recursive routing (the tunnel destination becoming reachable through the tunnel itself), keep transport and passenger routing information separate:
Use different routing protocols or separate routing protocol identifiers
Keep tunnel IP addresses and actual IP network address ranges distinct
For the tunnel interface IP address, don't use "ip unnumbered" to a loopback interface when the loopback's IP address resides in the ISP address space



GRE over IPSec (MTU Issues)

Overhead calculation of GRE over IPSec (assuming ESP-DES & ESP-MD5-HMAC):
ESP overhead (with authentication): 31 ~ 38 bytes (ESP header, IV, padding to the 8-byte cipher block, trailer and ICV; the exact figure depends on how much padding the payload length requires)
GRE encapsulation: 24 bytes (4-byte GRE header plus the 20-byte delivery IP header)
Additional outer IP header, tunnel mode only: 20 bytes
GRE over IPSec in tunnel mode therefore introduces ~75 bytes of overhead; GRE over IPSec in transport mode introduces ~55 bytes



GRE over IPSec

Packet layouts (figure):
a. Original packet:                IP Hdr 1 | TCP hdr | Data
b. GRE encapsulation:              IP hdr 2 | GRE hdr | IP Hdr 1 | TCP hdr | Data
c. GRE over IPSec transport mode:  IP hdr 2 | ESP hdr | GRE hdr | IP Hdr 1 | TCP hdr | Data
d. GRE over IPSec tunnel mode:     IP hdr 3 | ESP hdr | IP hdr 2 | GRE hdr | IP Hdr 1 | TCP hdr | Data
(In c and d the ESP trailer and ICV follow the data.)



GRE over IPSec (MTU Issues)

After GRE tunnel encapsulation, packets are sent to the physical interface with the DF bit of the outer header set to 0 (by default the tunnel does not copy DF from the inner packet).
The GRE packets are then encrypted at the physical interface; if the IPSec overhead makes the final IPSec packets bigger than the interface MTU, the router fragments them.
The remote router must reassemble the fragmented IPSec packets before it can decrypt them; reassembly is process switched, which causes performance degradation.



GRE over IPSec (MTU Issues)

To avoid fragmentation and reassembly of IPSec packets:
Set ip mtu 1420 (GRE/IPSec tunnel mode) or ip mtu 1440 (GRE/IPSec transport mode) under the tunnel interface, so that oversized inner packets are fragmented (or rejected, if DF is set) before encryption rather than after.
Enable tunnel path-mtu-discovery under the tunnel interface (the DF bit is then copied from the inner packet into the GRE delivery header after encapsulation).
Use show ip interface to verify the switching path; process-switched traffic on the receiving side is the symptom of reassembly.
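The two "ip mtu" figures above are rounded. The following calculator is an added example, not code from Cisco or this deck: it builds the packet sizes from the header layouts on the GRE over IPSec slide (20-byte IPv4 headers, 4-byte GRE header, 8-byte ESP header, 2-byte ESP trailer), defaults to the slide's ESP-DES/ESP-MD5-HMAC parameters, and derives the largest original packet that still fits a 1500-byte link without IPsec fragmentation. It goes beyond the slide by letting you swap in other CBC ciphers and ICV lengths; the AES-256/SHA-256 parameter set is an assumption used to show that the slide's 1420 figure is no longer safe with a 16-byte cipher block.

```python
"""Size a GRE-over-IPsec packet and derive a safe tunnel "ip mtu".

Added example (not Cisco code). Header sizes follow the packet layouts
on the "GRE over IPSec" slides; the ESP parameters default to the slide's
ESP-DES / ESP-MD5-HMAC case and can be swapped for other CBC ciphers.
"""
from dataclasses import dataclass

IP_HDR = 20       # IPv4 header without options
GRE_HDR = 4       # GRE header without key / sequence / checksum options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header


@dataclass(frozen=True)
class EspParams:
    block: int = 8   # cipher block size: 8 for DES/3DES-CBC, 16 for AES-CBC
    iv: int = 8      # IV length, equal to the block size for CBC ciphers
    icv: int = 12    # ICV length: 12 for HMAC-MD5-96 / HMAC-SHA1-96, 16 for HMAC-SHA-256-128


DES_MD5 = EspParams()                              # the slide's transform set
AES_SHA256 = EspParams(block=16, iv=16, icv=16)    # assumed modern alternative


def gre_ipsec_size(inner_len: int, mode: str, esp: EspParams = DES_MD5) -> int:
    """Bytes on the wire for an original IP packet of inner_len bytes (layout a)."""
    if mode == "transport":
        # Layout c: the GRE delivery header stays outside; ESP covers GRE hdr + packet.
        plaintext = GRE_HDR + inner_len
    elif mode == "tunnel":
        # Layout d: a new outer IP header is added; ESP covers the whole GRE packet.
        plaintext = IP_HDR + GRE_HDR + inner_len
    else:
        raise ValueError(f"unknown mode {mode!r}")
    padded = plaintext + ESP_TRAILER
    padded += -padded % esp.block               # pad up to the cipher block boundary
    return IP_HDR + ESP_HDR + esp.iv + padded + esp.icv


def overhead_range(mode: str, esp: EspParams = DES_MD5) -> tuple:
    """(min, max) bytes added to the original packet, over all block alignments."""
    deltas = [gre_ipsec_size(n, mode, esp) - n for n in range(1, esp.block + 1)]
    return min(deltas), max(deltas)


def max_inner_mtu(phys_mtu: int, mode: str, esp: EspParams = DES_MD5) -> int:
    """Largest original packet still encrypted without IPsec fragmentation;
    this is the upper bound for "ip mtu" on the tunnel interface."""
    n = phys_mtu
    while gre_ipsec_size(n, mode, esp) > phys_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for esp_name, esp in (("ESP-DES/MD5", DES_MD5), ("ESP-AES-256/SHA-256", AES_SHA256)):
        for mode in ("transport", "tunnel"):
            lo, hi = overhead_range(mode, esp)
            print(f"{esp_name:20s} {mode:9s} overhead {lo}-{hi} bytes, "
                  f"max tunnel ip mtu on a 1500-byte link: {max_inner_mtu(1500, mode, esp)}")
```

For the slide's transform set the overhead works out to 54 to 61 bytes in transport mode and 74 to 81 bytes in tunnel mode, which is where the "~55" and "~75" come from, and the largest safe inner packet on a 1500-byte link is 1442 and 1422 bytes respectively, so ip mtu 1440 / 1420 leave a couple of bytes of margin. With a 16-byte block cipher and a 16-byte ICV the tunnel-mode limit drops to 1414 bytes, so the value must be recomputed whenever the transform set changes; GRE key or sequence options add further bytes not counted here.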



GRE IPSec Config (hub router 172.18.31.1 with GRE tunnels to the peers 172.18.45.1 and 172.18.45.2)

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 172.18.45.1
crypto isakmp key cisco123 address 172.18.45.2
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 172.18.45.1
 set transform-set myset
 match address 101
crypto map vpn 20 ipsec-isakmp
 set peer 172.18.45.2
 set transform-set myset
 match address 102
!
interface Tunnel0
 ip address 10.4.1.1 255.255.255.0
 tunnel source 172.18.31.1
 tunnel destination 172.18.45.1
 crypto map vpn
!
interface Tunnel1
 ip address 10.4.2.1 255.255.255.0
 tunnel source 172.18.31.1
 tunnel destination 172.18.45.2
 crypto map vpn
!
interface Serial0
 ip address 172.18.31.1 255.255.255.0
 crypto map vpn
!
router eigrp 100
 network 10.0.0.0
!
ip route 172.18.0.0 255.255.0.0 Serial0
!
access-list 101 permit gre host 172.18.31.1 host 172.18.45.1
access-list 102 permit gre host 172.18.31.1 host 172.18.45.2

Notes: the slide's "ip eigrp 100" is not a valid IOS command; the passenger routing process is "router eigrp 100", which runs over the 10.4.x.0 tunnel subnets, while the static route to 172.18.0.0/16 via Serial0 carries the transport (tunnel endpoint) traffic, keeping the two separate as the recursive-routing slide recommends. The ACLs select only GRE between the tunnel endpoints as interesting traffic, so everything that enters a tunnel is encrypted. Applying the crypto map to both the tunnel and the physical interface is what the "common configuration issues" slide calls for on the IOS releases of the time; Cisco IOS 12.2(13)T and later require it only on the physical interface. Transport mode is used because the GRE delivery header already carries the endpoint addresses, which is where the ~20-byte saving over tunnel mode comes from. The single pre-shared key shared by all peers, plus 3DES/MD5, are kept only to mirror the slide; use a distinct key per peer and current algorithms.



Preventing Traffic Injection

ACL on the physical interface, so that only the IPSec peer's ESP and IKE traffic is accepted from the outside; cleartext GRE, or any packet spoofed to look like it belongs to the tunnel, is dropped and logged:

interface Serial0/0
 ip access-group Only_ESP in
!
ip access-list extended Only_ESP
 permit esp host 193.193.193.1 any
 permit udp host 193.193.193.1 eq 500 any
 deny ip any any log-input

Replace 193.193.193.1 with the actual peer address, and tighten "any" to the local tunnel endpoint address where possible. If NAT traversal is in use, IKE and encapsulated ESP also arrive on UDP 4500 and must be permitted as well. This filter stops injection into the GRE tunnel only because GRE itself is not permitted in the clear; a permit for GRE here would reopen it.
Even better, VRF lite: place the outside interface in its own VRF so that the only path from the Internet into the inside routing table is through the decrypted tunnel.



VPN Types and Applications

Type                Application                          As Alternative To               Benefits
Remote Access VPN   Remote dial connectivity             Dial, dedicated ISDN            Ubiquitous access, lower cost
Site-to-Site VPN    Site-to-site internal connectivity   Leased line, Frame Relay, ATM   Extend connectivity, increased bandwidth, lower cost
Extranet VPN        Biz-to-biz external connectivity     Fax, mail, EDI                  Facilitates e-commerce


VPN Requirements Vary By Application

(Figure: an Internet VPN linking a central site with an extranet business partner, a mobile user dialing into a POP, a home telecommuter over DSL or cable, and a remote office over a site-to-site tunnel.)

Remote Access VPN:
Evolution away from dial
Per-user manageability
Multi-OS (desktop) support
Deployment scalability

Site-to-Site VPN:
Extension of classic WAN
Compatibility with diverse network traffic types
Integration with routing
Deployment scalability
Cisco VPN Portfolio
Purpose-Built for Specific VPN Environments

VPN Application                          Large Enterprise       Medium Enterprise      Small Biz/Branch      SOHO
Remote Access (Cisco VPN 3000            VPN 3080, VPN 3060     VPN 3030, VPN 3015     VPN 3005              VPN 3002 Hardware Client (new),
Concentrators)                                                                                               VPN 3000 Software Client
Site-to-Site (IOS Routers)               7200, 7100             7100, 3600             3600, 2600, 1700      900, 800
Firewall-Based VPN (PIX Firewall)        PIX 535, PIX 525       PIX 525, PIX 515       PIX 515, PIX 506      PIX 506



VPN Product Function Matrix

IOS VPN Routers
 Site-to-Site VPN: primary role; all-encompassing site-to-site connectivity features; provides routing, QoS, WAN interfaces, multicast and multiprotocol support
 Remote Access VPN: basic remote access functionality

PIX Firewalls
 Site-to-Site VPN: solution for security organizations that prefer operating firewalls; provides full firewall features; basic site-to-site functionality
 Remote Access VPN: provides most remote access features; solution for security organizations that prefer operating firewalls; provides full firewall features

VPN 3000 Concentrators
 Site-to-Site VPN: basic site-to-site functionality
 Remote Access VPN: primary role; full featured remote access solution



Cisco IOS Software
Enhanced VPN Software Features

Quality of Service
 Application-aware packet classification
 Congestion management and packet queuing
 Traffic shaping and policing

Stateful IOS Firewall
 Per application content filtering and Java blocking
 Denial of service protection and intrusion detection
 Time-based ACLs

VPN Resiliency
 Dynamic Route Recovery: using routing protocols through an IPSec secured GRE tunnel
 Dynamic Tunnel Recovery: IPSec keep-alives

Full Layer 3 Routing and Broad Interface Support
 EIGRP, BGP, OSPF, and others
 Numerous LAN and WAN interfaces

(Figure: the feature stack GRE, QoS, FW, BGP, IPSec on one router.)



Cisco Site-to-Site VPN Solutions
Scalability for Every Site

(Figure: main office, regional office, remote office and small office/home office connected over the Internet.)

Cisco 7100 & 7200 Series (main office)
 7100 for dedicated VPN head-end
 7200 for hybrid private WAN + VPN

Cisco 2600 & 3600 Series (regional office)
 VPN-optimized routers connecting branch and regional offices at nxT1/E1 speeds

Cisco 1700 Series (remote office)
 VPN-optimized router connecting remote offices at T1/E1 speeds

Cisco 800 & 900 Series (small office/home office)
 VPN-optimized routers for ISDN, DSL, and cable connectivity



VPN-Enabled Broadband Routers

                        806          827/804      905
Simultaneous Tunnels    50           50           50
Performance             384 kbps     384 kbps     6 Mbps
Hardware Acceleration   None         None         (built-in)
WAN Interfaces          Ethernet     DSL/ISDN     Cable
LAN Interfaces          4xEthernet   1xEthernet   4xEthernet



VPN-Enabled Routers

                        1710          1720/1750    2611/2621    2651         3620/3640
Simultaneous Tunnels    100           100          300          800          800
Performance (Mbps)      4             4            10/12        14           10/19
Hardware Acceleration   (built-in)    VPN Module   AIM-VPN/BP   AIM-VPN/EP   NM-VPN/MP
WAN Interfaces          1xEthernet    (varies)     (varies)     (varies)     (varies)
LAN Interfaces          1xFE          1xFE         2xFE         2xFE         (varies)



VPN-Enabled Routers

                        3660          7120       7140       7140        7200
Simultaneous Tunnels    1,300         2,000      2,000      3,000       5,000
Performance (Mbps)      40            50         90         140         145
Hardware Acceleration   AIM-VPN/HP    ISM        ISM        ISM & ISA   SA-VAM
WAN Interfaces          (varies)      (varies)   (varies)   None        (varies)
LAN Interfaces          1xFE          2xFE       2xFE       2xFE        (varies)



2650 Enhanced Performance
VPN Module
New!

AIM-VPN/EP Enhanced Performance Module


Delivers 14 Mbps 3DES performance
New AIM-VPN/EP is specially designed to take advantage of
the 2650 High Performance Router
This VPN Module is being offered in addition to our present
AIM-VPN/BP (Base Performance Module)
Supported on all 2600 platforms



VPN Acceleration Module
(VAM) for 7100/7200
New!
Greater than DS3 encryption performance
145 Mbps 3DES IPSec performance for
scalable site-to-site encryption
Allows large number of VPN Tunnels
5000 simultaneous IPSec sessions
SA-VAM for 7200
Fast VPN tunnel setup time
Hardware acceleration for RSA: Tunnel setup
& key generation
Compression for bandwidth conservation
Hardware acceleration for IPPCP LZS
compression
SM-VAM for 7100



VPN Management

VPN Device Manager: embedded web-based, single-device policy manager
VPN Management Solutions: enterprise VPN monitoring and policy manager
Cisco Secure Policy Manager: centralized, intelligent security policy management for firewall and VPN
CLI over Telnet/SSH/rlogin/rsh/rcp, TFTP, SNMP MIBs (of these, only SSH protects credentials and configuration in transit; Telnet, rlogin, rsh/rcp and TFTP carry them in the clear)



Site-to-Site VPN Platform
Summary
Comprehensive Suite of Site-to-Site VPN Features
Supports the most diverse VPN environments
High Performance VPN
Up to 145 Mbps 3DES/HMAC-SHA1 IPSec
Up to 5,000 simultaneous tunnels
Site Specific VPN Scalability
DSL, Cable, & ISDN VPN routers
Ethernet-to-Ethernet broadband routers
Network Management Tailored for Site-to-Site
Applications



For More Information...

Blog.router-switch.com
News, tutorials, tips, info & thoughts on
Developments in the Cisco, Cisco network, IT,
Software & Network Hardware Industry



