- Cost savings
- Broadband compatibility
- Site to Site
- Remote Access(Easy VPN, IOS IPSEC/SSL VPN)
Easy VPN Restrictions
- No manual NAT/PAT, auto configuration for the tunnel
- Only 1 destination peer is supported
- Destination peer must be a Cisco Easy VPN remote-access server
- Digital Certificates are not supported
- Only ISAKMP policy group 2 is supported on IPSEC servers
- Some Transform sets are NOT supported: ESP-DES & ESP-3DES, ESP-NULL, ESP-SHA-HMAC, ESP NULL ESP-MD5-HMAC, No support for AH either.
IPSEC SSL VPN Restrictions
Is currently supported only in software
Remote access VPN clients
Certicom CLient – Wireless PDA client
VPN 3002 Hardware Client – Network Switch Appliance
VPN Software Client – Cisco VPN Client
IPSEC is a framework of open standards
IPSEC provides 4 critical functions:
- Confidentially (encryption)
- Data Integrity
- Anti Replay Protection
DES – Data Encryption Standard: 56bit key, symmetric key cryptosystem
3DES – Triple Des: Variant of DES, data broken into 64 bit blocks, each block processed 3 times with an independent 56bit key
AES – Advanced Encryption Standard: Stronger than DES and more efficient than 3 DES, offers 128, 192 and 256bit leys.
Rivest, Shamir and Adleman (RSA): Asymmetrical key crypto system. Not used for data encryption (IPSEC), IKE uses RSA in peer authentication phase.
Keyed Hash Based Message Authentication Code (HMAC):
HMAC MD5: 128bit Shared secret key
HMAC SHA1 – 160bit secret key
The Two Peer Authentication Methods:
- PSK: Manually entered into each peer
- RSA Signatures: Exchange of digital certificates
Two IPSEC framework protocols:
Authentication Header (AH): Verify’s that any message passed from A to B has not been modified. Does not provide encryption of packets. Used with ESP to provide encryption and tamper-aware features.
Encapsulating Security Payroll: Can encrypt the IP packet payload and the source/destination. Provides authentication fro inner IP packet AND ESP header. Encryption and authentication are optional but 1 must be selected.
- VPN’s are less expensive, more secure and easier to scale than WAN’s
- VPN’s implemented on IOS Routers, ASA’s, VPN Client Software
- IPSEC is the framework for VPN’s
- AH and ESP are the 2 main framework protocols.