
Implementing Secure Converged Wide Area Networks (ISCW)

Implementing Secure Converged Wide Area Networks (ISCW). Configuring IPsec VPN using SDM. Module 3 – Lesson 4. Module Introduction.



Presentation Transcript


  1. Implementing Secure Converged Wide Area Networks (ISCW)

  2. Configuring IPsec VPN using SDM Module 3 – Lesson 4

  3. Module Introduction
  • Virtual private networks (VPNs) use encryption and tunneling to let organisations establish secure, end-to-end, private network connections over third-party networks such as the Internet
  • Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX Security Appliances and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to build VPN solutions that meet an organisation's security requirements
  • This module explains the fundamental terms associated with VPNs, including the IP Security (IPsec) protocol and Internet Key Exchange (IKE). It then details how to configure various types of VPN, using the methods currently available

  4. Objectives
  • At the completion of this fourth lesson, you will be able to:
  • Describe how to configure a VPN using SDM on a Cisco router
  • Successfully configure a site-to-site VPN using SDM on Cisco routers

  5. What is SDM?
  • The Cisco Router and Security Device Manager (SDM) is an easy-to-use, Java-based device management tool for configuring LAN, WAN, and security features on a router
  • SDM can reside in router flash memory or on your PC
  • SDM simplifies router and security configuration by using intelligent wizards that let users quickly deploy, configure, and monitor a Cisco access router
  • SDM meets the needs of people who are proficient in LAN fundamentals and basic network design but have little or no experience with the IOS CLI, or who are not security experts

  6. What is SDM? (continued)
  • SDM can also assist more advanced users
  • SDM contains several other time-saving tools and wizards, including:
  • An access control list (ACL) editor
  • A VPN crypto map editor
  • A Cisco IOS CLI preview
  • SDM has a unique Security Audit wizard that performs a comprehensive router security audit. It uses the security configurations recommended by the Cisco Technical Assistance Centre (TAC) and the International Computer Security Association (ICSA) as the basis for its comparisons and default settings

  7. SDM ‘Wizards’
  • Other intelligent Cisco wizards are available in SDM for these three tasks:
  • Autodetecting misconfigurations and proposing fixes
  • Providing strong security and verifying configuration entries
  • Using device- and interface-specific defaults
  • Examples of SDM wizards include:
  • Startup wizard for initial router configuration
  • One-step router lockdown wizard to harden the router
  • Policy-based firewall and access-list management to configure firewall settings based on policy rules
  • One-step site-to-site VPN wizard

  8. SDM Installation and Use
  • Use the SDM wizards for quick deployment
  • A suggested workflow is given in the lower part of each wizard screen to guide untrained users through the process
  • Begin by configuring LAN, WAN, firewall, intrusion prevention system (IPS), and VPN, and finish by performing a security audit
  • SDM is embedded and factory-installed on Cisco 800–3800 Series IOS routers and is available for download for selected router platforms (see next slide)
  • NB: This course focuses specifically on SDM version 2.2a. Due to the nature of the software, changes must be expected with new revisions. Although the features and screens may vary between versions of SDM, the general concepts shown here apply to all versions.

  9. SDM Supported Platforms

  10. SDM Home Page (screenshot: ‘Configure’ icon, ‘About your router’ panel, ‘Configuration overview’ panel)

  11. VPN Configuration
  • To select and start a VPN wizard, follow this procedure:
  • Click the Configure icon in the top horizontal navigation bar of the Cisco SDM main page (previous slide) to enter the configuration page
  • Click the VPN icon in the left vertical navigation bar to open the VPN page
  • Choose one of the available VPN wizards from the list
  • The next slide shows the screen that appears when you choose the Site to Site VPN wizard from the list
  • Here you can create two types of site-to-site VPN: classic IPsec, and generic routing encapsulation (GRE) over IPsec

  12. VPN Configuration Page (screenshot: wizards for IPsec solutions; individual IPsec components)

  13. Site-to-Site VPN Components
  • VPN wizards use two sources to create a VPN connection:
  • User input during the step-by-step wizard process
  • Preconfigured VPN components
  • SDM provides some default VPN components:
  • Two IKE policies
  • An IPsec transform set for the Quick Setup wizard
  • Other components are created by the VPN wizards
  • Some components (for example, PKI) must be configured before the wizards can be used

  14. Site-to-Site VPN Components (Continued)
  • Two main components:
  • IPsec
  • IKE
  • Two optional components:
  • Group policies for Easy VPN Server functionality
  • Public key infrastructure (PKI) for IKE authentication using digital certificates
  (screenshot: individual IPsec components used to build VPNs)

  15. Starting SDM
  • SDM can be started on a router by entering the IP address of the router in a browser
  • If SDM has been installed on the PC, start it by double-clicking the SDM shortcut or by choosing it from the program menu (Start > Programs > Cisco Systems > Cisco SDM), then enter the IP address of the router
  • In either case the router must have its HTTP or HTTPS server enabled (ip http server or ip http secure-server, with ip http authentication local) and a local user at privilege level 15 for SDM to log in with. Use HTTPS: the session carries the router credentials and, in the VPN wizard, the IPsec pre-shared key, and the management service should not be reachable from the outside interface
  (screenshots: SDM Launcher; SDM Launch Page)

  16. SDM Home Page

  17. Launching Site-to-Site VPN Wizard – Step 1

  18. Selecting the Quick Setup or Step-by-Step Configuration Wizard – Step 2

  19. Quick Setup

  20. Quick Setup Configuration Summary

  21. Step-by-Step Setup
  • Multiple steps are required to configure the VPN connection:
  • Defining connection settings: outside interface, peer address, authentication credentials
  • Defining IKE proposals: priority, encryption algorithm, HMAC, authentication type, Diffie-Hellman group, lifetime
  • Defining IPsec transform sets: encryption algorithm, HMAC, mode of operation, compression
  • Defining traffic to protect: a single source and destination subnet, or an ACL
  • Reviewing and completing the configuration

  22. Configuring Connection Settings

  23. Configuring IKE Proposals

  24. Configuring the Transform Set

  25. Defining What Traffic to Protect: Simple Mode (Single Source and Destination Subnet)

  26. Defining What Traffic to Protect: Using an ACL

  27. Adding Rules to ACLs

  28. Configuring a New ACL Rule Entry

  29. Review the Generated Configuration

  30. Review the Generated Configuration (Cont.)
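The two "generated configuration" slides are screenshots in the original deck. As an added example, written for this page and not taken from the deck or from SDM's own output, here is the IOS CLI equivalent of the step-by-step wizard on slide 21 for the tunnel whose counters appear on slide 34: the local address 172.30.2.2, the peer 172.30.1.2, the 10.0.2.0/24 and 10.0.1.0/24 subnets, the interface FastEthernet0/0 and the crypto map name mikesmap are taken from that slide. The policy number, the transform-set and ACL names, the pre-shared-key placeholder and the choice of AES-256, SHA-256 and Diffie-Hellman group 14 are assumptions; 3DES and group 2, common SDM-era defaults, should not be chosen on the slide 23 and 24 screens today, and the sha256 keywords need an IOS 15-era image.

```cisco
! --- IKE phase 1 proposal (slide 23): priority, cipher, hash, auth, DH group, lifetime
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! --- Authentication credentials (slide 22): pre-shared key bound to this one peer.
!     Placeholder value; use a long random secret, different for every peer.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 172.30.1.2
!
! --- IPsec transform set (slide 24): ESP with AES-256 and SHA-256 HMAC, tunnel mode
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Traffic to protect (slides 25-28): only the two LAN subnets, nothing broader.
!     Anything not matched here leaves FastEthernet0/0 in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
!
! --- Crypto map (name as on slide 34) ties peer, transform set and ACL together
crypto map mikesmap 10 ipsec-isakmp
 set peer 172.30.1.2
 set transform-set ESP-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
! --- Outside interface (slide 22); the crypto map is applied here
interface FastEthernet0/0
 ip address 172.30.2.2 255.255.255.0
 crypto map mikesmap
```

The peer router needs the mirror image: the same policy and transform set, set peer 172.30.2.2, and a crypto ACL with the two subnets swapped. If FastEthernet0/0 also performs NAT overload, traffic from 10.0.2.0/24 to 10.0.1.0/24 must be denied in the NAT ACL, otherwise it is translated before the crypto map sees it and never matches VPN-TRAFFIC. show crypto map and show crypto isakmp policy confirm what was actually applied before you test with the commands on slide 33.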

  31. Test Tunnel Configuration and Operation

  32. Monitor Tunnel Operation

  33. Test, Monitor, and Troubleshoot Tunnel Configuration and Operation
  router# show crypto isakmp sa
  • Displays all current IKE security associations (SAs). A state of QM_IDLE indicates an active IKE SA: phase 1 has completed and the SA is ready for Quick Mode. Any other state (for example MM_NO_STATE), or an SA that keeps disappearing, means phase 1 is failing: mismatched policy, wrong pre-shared key, or an unreachable peer
  router# show crypto ipsec sa
  • Displays the settings and packet counters of the current IPsec SAs. Check both directions: #pkts encaps/encrypt counts packets this router sent into the tunnel, #pkts decaps/decrypt counts packets received from the peer. Both must be non-zero and increasing while interesting traffic flows, for example a ping from a 10.0.2.0/24 host to a 10.0.1.0/24 host. Encaps rising with decaps stuck at zero means the peer is not sending traffic back (check its crypto ACL, routing and NAT); neither counter rising means the traffic never matched the crypto ACL on this side (see next slide)

  34. Encryption and Decryption Statistics

  Router2#sh crypto ipsec sa
  interface: FastEthernet0/0
      Crypto map tag: mikesmap, local addr. 172.30.2.2

     protected vrf:
     local ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
     remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
     current_peer: 172.30.1.2:500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 15, #pkts encrypt: 15, #pkts digest 0
      #pkts decaps: 15, #pkts decrypt: 15, #pkts verify 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0

       local crypto endpt.: 172.30.2.2, remote crypto endpt.: 172.30.1.2
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
       current outbound spi: 938FF981
       ... (remaining output omitted)

  From a working tunnel: 15 packets encapsulated and 15 decapsulated, with no send or receive errors

  35. Troubleshooting
  router# debug crypto isakmp
  • Debugs IKE negotiation; debug crypto ipsec shows the IPsec SA setup that follows it
  • Advanced troubleshooting uses the Cisco IOS CLI and requires knowledge of Cisco IOS CLI commands
  • Debug output is generated on the router CPU for every negotiation, so on a production router enable it only briefly, while triggering a single test connection, and turn it off again with undebug all
