Network Security 2


Presentation Transcript


  1. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys

  2. Module 4: Configuring Site to Site VPN with Pre-shared keys Lesson 4.4 Test and Verify the IPSec Configuration of the Router

  3. Step 2 – Create IKE policies

  4. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match with its own policies.

  5. ISAKMP Identity

  6. Configure a VPN using SDM • Select VPN Wizard

  7. SDM Supported Platforms

  8. SDM Home Page (callouts: 'Configure' icon; About your router; Configuration overview)

  9. VPN Configuration
  To select and start a VPN wizard, follow this procedure:
    1. Click the Configure icon in the top horizontal navigation bar of the Cisco SDM main page (previous slide) to enter the configuration page.
    2. Click the VPN icon in the left vertical navigation bar to open the VPN page.
    3. Choose one of the available VPN wizards from the list.
  The example on the next slide shows the screen that appears when you choose the Site to Site VPN wizard from the list. Here you can create two types of site-to-site VPNs: classic and generic routing encapsulation (GRE) over IPsec.

  10. VPN Configuration Page (callouts: Wizards for IPsec solutions; Individual IPsec components)

  11. Site-to-Site VPN Components
  VPN wizards use two sources to create a VPN connection:
    • User input during the step-by-step wizard process
    • Preconfigured VPN components
  SDM provides some default VPN components: two IKE policies and an IPsec transform set for the Quick Setup wizard. Other components are created by the VPN wizards.

  12. Site-to-Site VPN Components (Continued)
  Two main components: IPsec and IKE.
  Individual IPsec components are used to build VPNs.

  13. Starting SDM
  SDM can be started on a router by entering the IP address of the router in a browser.
  If SDM has been installed on the PC, start it by double-clicking the SDM shortcut or by choosing it from the program menu (Start > Programs > Cisco Systems > Cisco SDM), and enter the IP address of the router.
  (Screenshots: SDM Launcher; SDM Launch Page)

  14. SDM Home Page

  15. Launching Site-to-Site VPN Wizard – Step 1

  16. Selecting the Quick Setup or Step-by-Step Configuration Wizard – Step 2

  17. Quick Setup

  18. Quick Setup Configuration Summary

  19. Step-by-Step Setup
  Multiple steps are required to configure the VPN connection:
    • Defining connection settings: outside interface, peer address, authentication credentials
    • Defining IKE proposals: priority, encryption algorithm, HMAC, authentication type, Diffie-Hellman group, lifetime
    • Defining IPsec transform sets: encryption algorithm, HMAC, mode of operation, compression
    • Defining traffic to protect: single source and destination subnets, or an ACL
    • Reviewing and completing the configuration

  20. Configuring Connection Settings

  21. Configuring IKE Proposals

  22. Configuring the Transform Set

  23. Defining What Traffic to Protect: Simple Mode (Single Source and Destination Subnet)

  24. Defining What Traffic to Protect: Using an ACL

  25. Adding Rules to ACLs

  26. Configuring a New ACL Rule Entry

  27. Review the Generated Configuration

  28. Review the Generated Configuration (Cont.)

  29. Test Tunnel Configuration and Operation

  30. Monitor Tunnel Operation

  31. Test, Monitor, and Troubleshoot Tunnel Configuration and Operation
  router# show crypto isakmp sa
  • To display all current IKE security associations (SAs), use the show crypto isakmp sa command
  router# show crypto ipsec sa
  • To display the settings used by current IPsec SAs, use the show crypto ipsec sa command

  32. Encryption and Decryption Statistics
  Router2#sh crypto ipsec sa

  interface: FastEthernet0/0
      Crypto map tag: mikesmap, local addr. 172.30.2.2

     protected vrf:
     local  ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
     remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
     current_peer: 172.30.1.2:500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 15, #pkts encrypt: 15, #pkts digest 0
      #pkts decaps: 15, #pkts decrypt: 15, #pkts verify 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0

       local crypto endpt.: 172.30.2.2, remote crypto endpt.: 172.30.1.2
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
       current outbound spi: 938FF981
  etc etc etc… From a working tunnel!
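Reading the counters by eye works for one tunnel; as an added example that is not part of the course material, the Python below parses a copy of the output above and checks that the SA is for the intended peer and subnets and that packets are both encapsulated and decapsulated, which is the quickest way to tell a one-way problem (interesting traffic or return path not matching) from a healthy tunnel. The expected peer and subnets are the values on the slide; the function names parse_ipsec_sa and check_tunnel are my own.

```python
import re

# Constructed sample: the "show crypto ipsec sa" output from the slide,
# trimmed to the lines this check reads (values unchanged).
SAMPLE_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: mikesmap, local addr. 172.30.2.2
   local  ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   current_peer: 172.30.1.2:500
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest 0
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify 0
    #send errors 0, #recv errors 0
     current outbound spi: 938FF981
"""

# Counters appear as "#pkts encaps: 15" or "#pkts digest 0" (colon optional).
COUNTER_RE = re.compile(r"#([a-z][a-z .]*?):?\s+(\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")

def parse_ipsec_sa(text):
    """Pull the peer, traffic selectors and packet counters out of the output."""
    sa = {"counters": {}, "ident": {}}
    m = re.search(r"current_peer:\s*([\d.]+):\d+", text)
    sa["peer"] = m.group(1) if m else None
    for side, selector in IDENT_RE.findall(text):
        sa["ident"][side] = selector.split("/")[0]  # network address only
    for name, value in COUNTER_RE.findall(text):
        sa["counters"][name] = int(value)
    return sa

def check_tunnel(sa, expected_peer, expected_local, expected_remote):
    """Return findings; an empty list means the SA is with the intended peer and
    subnets and traffic flows in both directions without errors."""
    findings, c, ident = [], sa["counters"], sa["ident"]
    if sa["peer"] != expected_peer:
        findings.append(f"peer is {sa['peer']}, expected {expected_peer}")
    if (ident.get("local"), ident.get("remote")) != (expected_local, expected_remote):
        findings.append("traffic selectors do not match the intended subnets")
    if c.get("pkts encaps", 0) == 0:
        findings.append("nothing encapsulated: interesting traffic not hitting the crypto map")
    if c.get("pkts decaps", 0) == 0:
        findings.append("nothing decapsulated: no protected traffic returning from the peer")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        findings.append("send/recv errors are non-zero")
    return findings

if __name__ == "__main__":
    result = check_tunnel(parse_ipsec_sa(SAMPLE_OUTPUT), "172.30.1.2", "10.0.2.0", "10.0.1.0")
    print("tunnel OK" if not result else "\n".join(result))
```

Run it twice a few seconds apart while pinging across the tunnel: both encaps and decaps should climb together, and a rising encaps with a flat decaps points at the far side or the return path rather than at this router.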

  33. Troubleshooting
  router# debug crypto isakmp
  • Debugs IKE communication
  • Advanced troubleshooting uses the Cisco IOS CLI
  • Requires knowledge of Cisco IOS CLI commands

  34. Q and A