Extending the Network Into the WAN – IPSEC

VPN Benefits

  • Cost savings
  • Security
  • Scalability
  • Broadband compatibility

VPN Types:

  • Site to Site
  • Remote Access (Easy VPN, IOS IPSEC/SSL VPN)

Easy VPN Restrictions

  • No manual NAT/PAT; the tunnel is configured automatically
  • Only 1 destination peer is supported
  • Destination peer must be a Cisco Easy VPN remote-access server
  • Digital certificates are not supported
  • Only ISAKMP policy group 2 is supported on IPSEC servers
  • Some transform sets are NOT supported: ESP-DES and ESP-3DES, ESP-NULL ESP-SHA-HMAC, ESP-NULL ESP-MD5-HMAC; AH is not supported either

IPSEC SSL VPN Restrictions

IPSEC SSL VPN is currently supported only in software.

Remote access VPN clients

Certicom Client – Wireless PDA client

VPN 3002 Hardware Client – Network Switch Appliance

VPN Software Client – Cisco VPN Client

Introducing IPSEC

IPSEC is a framework of open standards

IPSEC provides 4 critical functions:

  • Confidentiality (encryption)
  • Data integrity
  • Authentication
  • Anti-replay protection
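
The anti-replay function above is implemented in IPsec with a sliding window over the ESP/AH sequence number: the receiver remembers the highest sequence number accepted and a bitmap of which recent numbers have already been seen, so a duplicated or too-old packet is dropped. The following is an added example written for these notes (not IOS code) that shows the check as described in RFC 4303; the packet sequence fed to it is constructed.

```python
class AntiReplayWindow:
    """Sliding-window replay check in the style of IPsec (RFC 4303).

    Added example for these notes, not Cisco code. The receiver keeps the
    highest sequence number accepted so far and a bitmap of which of the
    last `size` numbers have been accepted. A sequence number is accepted
    once, and only if it is not older than the window.
    """

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was accepted

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is new; False if replayed or too old."""
        if seq == 0:
            return False  # sequence number 0 is never sent (RFC 4303)
        if seq > self.highest:
            # Packet is newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1  # every previously seen number is now behind the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # older than the window: drop
        if self.bitmap & (1 << offset):
            return False  # already accepted: replay
        self.bitmap |= 1 << offset  # out-of-order but new: accept and record
        return True


def demo(sequence=(1, 2, 3, 3, 5, 4, 2, 100, 36, 37, 1)):
    """Run a constructed sequence number stream through a 64-entry window.

    The stream contains a duplicate (3), a late arrival (4), a replay (2),
    a large jump (100), a packet just outside the window (36) and one just
    inside it (37), then an ancient replay (1).
    """
    window = AntiReplayWindow(64)
    return [window.check(s) for s in sequence]


if __name__ == "__main__":
    for seq, accepted in zip((1, 2, 3, 3, 5, 4, 2, 100, 36, 37, 1), demo()):
        print(f"seq {seq:>3}: {'accept' if accepted else 'drop'}")
```

With a 64-entry window and highest accepted number 100, sequence numbers down to 37 are still eligible; 36 and below are dropped regardless of whether they were seen before, which is why the window size bounds how much reordering the path may introduce.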

DES – Data Encryption Standard: 56-bit key, symmetric key cryptosystem

3DES – Triple DES: variant of DES; data is broken into 64-bit blocks and each block is processed 3 times, each time with an independent 56-bit key

AES – Advanced Encryption Standard: stronger than DES and more efficient than 3DES; offers 128-, 192- and 256-bit keys.

Rivest, Shamir and Adleman (RSA): asymmetric key cryptosystem. Not used for data encryption in IPSEC; IKE uses RSA in the peer authentication phase.

Keyed Hash Based Message Authentication Code (HMAC):

HMAC MD5: 128-bit shared secret key

HMAC SHA1: 160-bit shared secret key
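
The HMAC entries above are what gives IPsec its data-integrity and origin-authentication functions: the sender computes a keyed digest over the protected packet and the receiver recomputes it, so any change to the data or any peer without the key fails the check. The following is an added example for these notes using only the Python standard library; the keys and payload are constructed test values, and the truncation to 96 bits reflects the IPsec HMAC-MD5-96 and HMAC-SHA-1-96 algorithms (RFC 2403/2404), which the notes do not mention.

```python
import hashlib
import hmac

# Constructed test keys whose lengths match the notes: 128-bit key for
# HMAC-MD5, 160-bit key for HMAC-SHA1. Not real keys.
KEY_MD5 = bytes(range(16))   # 16 bytes = 128 bits
KEY_SHA1 = bytes(range(20))  # 20 bytes = 160 bits

# IPsec does not transmit the full digest: HMAC-MD5-96 and HMAC-SHA-1-96
# keep only the leftmost 96 bits (12 bytes) as the integrity check value (ICV).
ICV_LEN = 12


def compute_icv(key: bytes, data: bytes, algo: str) -> bytes:
    """Return the 96-bit ICV over `data`.

    `algo` is 'md5' or 'sha1'. The full HMAC output is 128 or 160 bits
    respectively; it is truncated to ICV_LEN bytes as IPsec does.
    """
    digestmod = getattr(hashlib, algo)
    return hmac.new(key, data, digestmod).digest()[:ICV_LEN]


def verify_icv(key: bytes, data: bytes, algo: str, received_icv: bytes) -> bool:
    """Recompute the ICV and compare in constant time to avoid a timing side channel."""
    expected = compute_icv(key, data, algo)
    return hmac.compare_digest(expected, received_icv)


def demo_tamper_detection() -> dict:
    """Show that the ICV passes on intact data and fails on a modified payload or wrong key."""
    # Constructed sample payload standing in for the protected packet bytes.
    payload = b"constructed sample payload: 10.1.1.5 -> 10.2.2.7 TCP 443"
    tampered = payload.replace(b"10.2.2.7", b"10.2.2.8")  # one address changed in transit
    results = {}
    for algo, key in (("md5", KEY_MD5), ("sha1", KEY_SHA1)):
        icv = compute_icv(key, payload, algo)
        results[algo] = {
            "icv_bits": len(icv) * 8,
            "intact_ok": verify_icv(key, payload, algo, icv),
            "tampered_ok": verify_icv(key, tampered, algo, icv),
            # A peer that does not hold the shared key cannot produce a valid ICV.
            "wrong_key_ok": verify_icv(bytes(len(key)), payload, algo, icv),
        }
    return results


if __name__ == "__main__":
    for algo, r in demo_tamper_detection().items():
        print(algo, r)
```

Note that the ICV proves integrity and origin only to a holder of the shared key; it says nothing about confidentiality, which is why AH alone (which uses exactly this kind of keyed digest) leaves the packet readable.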

The Two Peer Authentication Methods:

  • PSK: Manually entered into each peer
  • RSA Signatures: Exchange of digital certificates

Two IPSEC framework protocols:

Authentication Header (AH): verifies that a message passed from A to B has not been modified.  Does not encrypt packets.  Used together with ESP to provide both encryption and tamper detection.

Encapsulating Security Payload (ESP): can encrypt the IP packet payload and the source/destination addresses.  Provides authentication for the inner IP packet AND the ESP header.  Encryption and authentication are each optional, but at least one must be selected.

VPN Summary:

  • VPNs are less expensive, more secure and easier to scale than WANs
  • VPNs are implemented on IOS routers, ASAs and VPN client software
  • IPSEC is the framework for VPNs
  • AH and ESP are the 2 main framework protocols.
