© 2007 Cisco Systems, Inc. All rights reserved. ISCW - Mod3_L7

Implementing Secure Converged Wide Area Networks (ISCW)


Module 3, Lesson 7

An Introduction to Cisco Easy VPN


Module Introduction

Virtual private networks (VPNs) use advanced encryption techniques and tunneling to permit organisations to establish secure, end-to-end, private network connections over third-party networks such as the Internet.

Cisco offers a wide range of VPN products, including VPN-optimised routers, PIX security and Adaptive Security Appliances (ASA), and dedicated VPN concentrators. These infrastructure devices are used to create VPN solutions that meet the security requirements of any organisation.

This module explains fundamental terms associated with VPNs, including the IP Security protocol, and Internet Key Exchange. It then details how to configure various types of VPN, using various currently available methods.


Objectives

At the completion of this seventh lesson, you will be able to:

- Describe the concept of ‘Easy VPN’
- Describe and illustrate the deployment of ‘Easy VPN’ server and client software
- Explain how a VPN can be set up using ‘Easy VPN’
- Configure ‘Easy VPN’ tunnels


Cisco Easy VPN

- The Cisco Easy VPN Remote feature and the Cisco Easy VPN Server feature offer flexibility, scalability, and ease of use for site-to-site and remote-access VPNs.
- It eliminates tedious work by implementing the Cisco Unity Client protocol to allow administrators to define most VPN parameters at a Cisco IOS Easy VPN Server.
- The Cisco Easy VPN Remote feature allows Cisco routers running Cisco IOS Release 12.2(4)YA (or later releases), Cisco PIX firewalls, and Cisco hardware clients to act as remote VPN clients.
- A Cisco IOS Easy VPN Server can be a dedicated VPN device, such as a Cisco VPN 3000 Concentrator, a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client protocol.


Cisco Easy VPN

Cisco Easy VPN simplifies deployment. When the Easy VPN Remote initiates the VPN tunnel connection, the Cisco Easy VPN Server pushes the IPsec policies to the Cisco Easy VPN Remote client and creates the corresponding VPN tunnel connection.

Cisco Easy VPN Remote provides for automatic management of:

- The negotiation of tunnel parameters, such as addresses, algorithms, and lifetime
- Establishment of tunnels according to the parameters that are set
- Network Address Translation (NAT) or Port Address Translation (PAT) and associated access control lists (ACLs) creation as needed
- Authentication of users (that is, ensuring that users are who they say they are) by usernames, group names, and passwords
- Security keys for encryption and decryption
- Authenticating, encrypting, and decrypting data through the tunnel



Easy VPN Components

Cisco Easy VPN consists of two components:

1. Cisco Easy VPN Server
   Enables Cisco IOS routers, Cisco PIX Firewalls, Cisco VPN Concentrators and Cisco ASA to act as VPN head-end devices in site-to-site or remote-access VPNs, in which the remote office devices are using the Cisco Easy VPN Remote feature.

2. Cisco Easy VPN Remote
   Enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Hardware Clients or Software Clients to act as remote VPN clients.




Easy VPN Components

Cisco Easy VPN Server enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3000 Series Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs where the remote office devices use the Cisco Easy VPN Remote feature.

Using this feature, the Cisco Easy VPN Server pushes security policies that are defined at the headend to the remote VPN device, ensuring that those connections have up-to-date policies in place before the connection is established.

In addition, a Cisco Easy VPN Server-enabled device can terminate IPsec tunnels that are initiated by mobile remote workers running VPN Client software on PCs. This flexibility makes it possible for mobile and remote workers, such as sales staff on the road or telecommuters, to access their headquarters intranet where critical data and applications exist.



Easy VPN Components

Cisco Easy VPN Remote enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3002 Hardware Clients or Software Clients to act as remote VPN clients.

These devices can receive security policies from a Cisco Easy VPN Server, minimizing VPN configuration requirements at the remote location.

This cost-effective solution is ideal for remote offices with little IT support or for large customer premises equipment (CPE) deployments where it is impractical to individually configure multiple remote devices. This feature makes VPN configuration with Cisco Easy VPN Remote as easy as entering a password, which increases productivity and lowers costs by minimising the need for local IT support.



Deployment Models

Small or Medium Business Deployment
A small or medium business (SMB) using a Cisco Easy VPN Server-enabled Cisco router at the main site can securely connect small branch offices, teleworkers, and mobile workers. The head-end router must have security policies configured, which determine the VPN parameters, such as encryption algorithms and authentication algorithms, to use to communicate with remote devices.

Large Enterprise Deployment
A large enterprise can connect branch offices, remote offices, and teleworkers to the enterprise network using a Cisco Easy VPN Server-enabled Cisco router. The head-end router must be similarly configured as above.



Small or Medium Business Deployment

When the head-end security policies are defined, Cisco devices running the Cisco Easy VPN Remote feature can be deployed to small branch offices. During VPN initialisation, the head-end router is prompted to push the security policies to the SMB devices, eliminating the need for remote users to perform ongoing configuration updates. Once the VPN is established, voice, video, and data can be safely exchanged over reliable secure connections, and individuals at the small branch offices no longer need to run VPN client software on their PCs.

Teleworkers using Cisco Easy VPN Remote-enabled Cisco routers or Cisco security appliances can also access the Cisco Easy VPN Server-enabled router at the head-end through secure VPN connections. As above, the head-end security policies are pushed to the remote devices with minimal configuration.

Mobile workers running VPN client software on PCs can easily establish VPN connections with the Cisco Easy VPN Server-enabled device through their ISP. This connectivity allows business travelers to securely access critical data and applications at almost any time from their ISP's points of presence.



Small or Medium Business Deployment

[Diagram: VPN tunnels across the Internet between the company main site and its remote sites. Labels:]
- Mobile worker with VPN software client on laptop
- Teleworker with DSL or cable modem and Cisco 806 or uBR900 with Easy VPN Remote support
- Nontechnical users can use the CRWS GUI to set up Easy VPNs
- Remote office with Cisco 800 or Cisco 1700 Series router with Easy VPN Remote support
- Company main site: Cisco 1700, Cisco 2600 or Cisco 3600 Series router with support to terminate Cisco VPN clients


Large Enterprise Deployment

When the head-end security policies have been defined, branch offices can deploy Cisco Easy VPN Remote-enabled devices. During VPN initialisation, the head-end device is prompted to push security policies to the small branch offices, eliminating the need for extensive local configuration. Voice, video, and data can be safely exchanged over reliable secure connections, and individuals at the branch offices no longer need to run VPN client software on their PCs.

Remote office workers and teleworkers using Cisco Easy VPN Remote-enabled devices can also access the Cisco Easy VPN Server-enabled enterprise head-end through secure VPN connections. As with the SBO scenario, the head-end security policies are pushed to the remote devices with minimal configuration. Additionally, non-technical users in remote sites can easily set up the VPN connections without an on-site technician.

The net effect of using the Cisco Easy VPN Remote and Server is increased productivity, as remote workers spend less time configuring network devices.


Large Enterprise Deployment

[Diagram: VPN tunnels across the Internet to the enterprise head-end. Labels:]
- Mobile worker with VPN software client on laptop
- Teleworker with DSL or cable modem and Cisco 806 or uBR900 with Easy VPN Remote support
- Nontechnical users can use the CRWS GUI to set up Easy VPNs
- Branch office with Cisco 1700 DSL router running Easy VPN Remote
- Cisco IOS router with support for terminating Cisco VPN clients, or Cisco VPN Concentrator


Requirements and Restrictions for Cisco Easy VPN Remote

- Cisco Easy VPN Remote can be enabled on a variety of platforms. See curriculum for full list and details.
- The Cisco Easy VPN Remote feature requires that the destination peer on the network is a Cisco IOS Easy VPN Server or VPN concentrator that supports the Cisco Easy VPN Server feature. Currently (APR 07), the available servers and concentrators include a number of platforms when running the required software releases. See curriculum for full list and details.




Limitations

DH Group
The Cisco Unity Client protocol supports only ISAKMP policies that use DH Group 2 (1024-bit) IKE negotiation. Therefore, the Cisco Easy VPN Server being used with the Cisco Easy VPN Remote feature must be configured for a Group 2 ISAKMP policy. The Easy VPN Server cannot be configured for ISAKMP Group 1 or Group 5 when the server is being used with a Cisco Easy VPN client.

Transform Sets Supported
To ensure a secure tunnel connection, the Cisco Easy VPN Remote feature does not support transform sets that provide encryption without authentication (esp-des and esp-3des) or transform sets that provide authentication without encryption (esp-null esp-sha-hmac and esp-null esp-md5-hmac). The Cisco Unity Client protocol does not support Authentication Header (AH) authentication but does support Encapsulating Security Payload (ESP).

Dial Backup for Easy VPN Remotes
Line status-based backup is not supported in this feature.

NAT Interoperability Support
NAT interoperability is not supported in client mode with split tunneling.
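As an added illustration (not from the Cisco slides), the following Python script checks a Cisco IOS-style ISAKMP policy and transform-set snippet against the rules just listed: DH group 2 only, no AH, and every ESP transform set carrying both encryption and authentication. The config syntax and algorithm names are assumed, and the sample snippet is constructed.

```python
import re

# Constructed sample in Cisco IOS style (assumed syntax, not taken from the slides):
# policy 20 and transform set GOOD are Unity-compatible, the others each break a rule.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 group 5
crypto isakmp policy 20
 encr 3des
 group 2
crypto ipsec transform-set GOOD esp-3des esp-sha-hmac
crypto ipsec transform-set NOAUTH esp-3des
crypto ipsec transform-set NOENC esp-null esp-md5-hmac
crypto ipsec transform-set AHSET ah-sha-hmac esp-3des esp-md5-hmac
"""

ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
ESP_CIPHER = {"esp-des", "esp-3des", "esp-aes"}   # esp-null is deliberately left out


def parse_config(text):
    """Return ({policy_id: dh_group}, {set_name: [transforms]}) from the config text."""
    policies, sets, current = {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            current = m.group(1)
            policies[current] = None          # no 'group' line seen yet
        elif (m := re.match(r" group (\d+)", line)) and current:
            policies[current] = int(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            current = None
            sets[m.group(1)] = m.group(2).split()
    return policies, sets


def unity_violations(text):
    """Report which rule from the Limitations slide each policy or transform set breaks."""
    policies, sets = parse_config(text)
    problems = []
    for pid, group in policies.items():
        if group != 2:                        # Unity client negotiates DH group 2 only
            problems.append(f"policy {pid}: DH group {group}, need group 2")
    for name, transforms in sets.items():
        if any(t.startswith("ah-") for t in transforms):
            problems.append(f"{name}: AH not supported, ESP only")
        if not any(t in ESP_CIPHER for t in transforms):
            problems.append(f"{name}: authentication without encryption")
        if not any(t in ESP_AUTH for t in transforms):
            problems.append(f"{name}: encryption without authentication")
    return problems
```

Run it over a `show running-config` excerpt from a head-end before pointing Easy VPN Remote devices at it; a clean result means every policy and transform set satisfies the Unity client constraints.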


Easy VPN Server and Easy VPN Remote Operation

Step 1: The VPN client initiates the IKE Phase 1 process
Step 2: The VPN client establishes an ISAKMP SA
Step 3: The Easy VPN Server accepts the SA proposal
Step 4: The Easy VPN Server initiates a username and password challenge
Step 5: The mode configuration process is initiated
Step 6: The RRI process is initiated
Step 7: IPsec quick mode completes the connection


Step 1: The VPN Client Initiates the IKE Phase 1 Process

- Using pre-shared keys? Initiate aggressive mode.
- Using digital certificates? Initiate main mode.


Step 2: The VPN Client Establishes an ISAKMP SA

The VPN client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server.

To reduce manual configuration on the VPN client, these ISAKMP proposals include several combinations of the following:

- Encryption and hash algorithms
- Authentication methods
- Diffie-Hellman group sizes


Step 3: The Cisco Easy VPN Server Accepts the SA Proposal

The Easy VPN Server searches for a match:

- The first proposal to match the server list is accepted (highest-priority match).
- The most secure proposals are always listed at the top of the Easy VPN Server proposal list (highest priority).
- The ISAKMP SA is successfully established.
- Device authentication ends and user authentication begins.
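To make the priority-ordered search of Step 3 concrete, here is an added Python model (not from the slides or from Cisco's code) of the server walking its policy list from highest to lowest priority and accepting the first entry that any client proposal matches. The algorithm labels, the client's proposal bundle (combinations of encryption and hash at DH group 2, as Step 2 and the Limitations slide describe) and the server list are all assumptions.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class IsakmpPolicy:
    encryption: str      # assumed labels, e.g. "aes-256", "3des", "des"
    hash_alg: str        # "sha" or "md5"
    authentication: str  # "pre-share" or "rsa-sig"
    group: int           # Diffie-Hellman group


def unity_client_proposals(authentication):
    """Step 2: the client's bundle of proposals, built as every combination of the
    (assumed) supported encryption and hash algorithms with the given authentication
    method. The Unity client only negotiates DH group 2 (Limitations slide)."""
    ciphers, hashes = ["aes-256", "aes-128", "3des", "des"], ["sha", "md5"]
    return [IsakmpPolicy(e, h, authentication, 2) for e, h in product(ciphers, hashes)]


def select_policy(server_policies, client_proposals):
    """Step 3: walk the server list in priority order (lowest number = highest
    priority) and return (priority, policy) for the first server entry that any
    client proposal matches, or None when nothing matches."""
    for priority, policy in sorted(server_policies.items()):
        if policy in client_proposals:
            return priority, policy
    return None


# Constructed server list: strongest policies carry the highest priority (lowest number).
SERVER_POLICIES = {
    10: IsakmpPolicy("aes-256", "sha", "rsa-sig", 5),   # group 5: unreachable for Unity clients
    20: IsakmpPolicy("aes-256", "sha", "pre-share", 5),
    30: IsakmpPolicy("aes-128", "sha", "pre-share", 2),
    40: IsakmpPolicy("3des", "md5", "pre-share", 2),
}

if __name__ == "__main__":
    # Pre-shared keys: policies 10 and 20 are skipped (group 5), policy 30 is the match.
    print(select_policy(SERVER_POLICIES, unity_client_proposals("pre-share")))
    # Certificates: the only rsa-sig entry uses group 5, so no ISAKMP SA can be built.
    print(select_policy(SERVER_POLICIES, unity_client_proposals("rsa-sig")))
```

The second call returning None is the failure mode the Limitations slide warns about: a head-end whose only policy for a given authentication method sits at group 1 or 5 will never complete Phase 1 with a Unity client, however strong that policy is.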


Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge

If the Easy VPN Server is configured for Xauth, the VPN client waits for a username and password challenge:

- The user enters a username and password combination.
- The username and password information is checked against authentication entities using AAA.
- All Easy VPN Servers should be configured to enforce user authentication.


Step 5: The Mode Configuration Process Is Initiated

If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining configuration parameters from the Easy VPN Server:

- Mode configuration starts.
- The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client.
- Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.


Step 6: The RRI Process Is Initiated

RRI should be used when the following conditions occur:

- More than one VPN server is used
- Per-client static IP addresses are used with some clients (instead of using per-VPN-server IP pools)

RRI ensures the creation of static routes. Redistributing static routes into an IGP allows the server site routers to find the appropriate Easy VPN Server to use for return traffic to clients.


Step 7: IPsec Quick Mode Completes the Connection

After the configuration parameters have been successfully received by the VPN client, IPsec quick mode is initiated to negotiate IPsec SA establishment. After IPsec SA establishment, the VPN connection is complete.
