SEC-210 Deploying and Managing Enterprise IPsec VPNs
Ken Kaminski, Cisco Systems, Consulting Systems Engineer – Security/VPN Northeast
[email protected]
© 2002, Cisco Systems, Inc. All rights reserved.



Page 2: IPsec - more than just crypto!

• Security Enforcement, Firewall, IDS
• Network Topology
• Routing (OSPF, EIGRP) design
• High Availability
• Performance
• QoS
• Path MTU Discovery
• Network Management
• ...

Page 3: Agenda

• IPsec Design Options
• IPsec Design Issues
• IPsec Management

Page 4: Product Function Matrix

IOS
 Site-to-Site Role: Primary Role. Full fledged site-to-site; scales for large deployments.
 Remote Access Role: With recent addition of Cisco VPN Client, now supported with good feature set.
PIX
 Site-to-Site Role: Integrated firewall and VPN device; PDM 2.0 includes VPN management.
3000
 Site-to-Site Role: Not recommended for large-scale use due to lack of QoS, SLA monitoring, and multiprotocol routing.
 Remote Access Role: Primary Role. Full fledged remote access solution.

Page 5: Agenda

• IPsec Design Options
  IPsec
  IPsec Remote Access (EzVPN)
  IPsec/GRE
• IPsec Design Issues
• IPsec Management

Page 6: Basic IPsec Example

Diagram: router 1.1.1.1 (LAN 10.1.1.0/24) connects over the Internet to peers 2.2.2.2 (LAN 10.1.2.0/24) and 3.3.3.3 (LAN 10.1.3.0/24).

• IKE Policy (Phase I)

crypto isakmp policy 1
 authentication pre-shared
 hash sha
 encryption 3des
crypto isakmp key cisco123isabadkey address 2.2.2.2
crypto isakmp key passwordisiabadkey address 3.3.3.3

Page 7: Basic IPsec Example

• IPsec Policy (Phase II)

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255

Diagram: same topology as page 6 (1.1.1.1 with 10.1.1.0/24; 2.2.2.2 with 10.1.2.0/24; 3.3.3.3 with 10.1.3.0/24).

Page 8: Basic IPsec Example

• IPsec Policy (Phase II)

crypto map IPSEC 20 ipsec-isakmp
 set peer 2.2.2.2
 match address 102
 set transform-set ESP-3DES-SHA
crypto map IPSEC 30 ipsec-isakmp
 set peer 3.3.3.3
 match address 103
 set transform-set ESP-3DES-SHA

Diagram: same topology as page 6.

Page 9: Basic IPsec Example

• Apply Crypto Map

interface serial 0
 crypto map IPSEC
!
ip route 10.0.0.0 255.0.0.0 serial 0

Diagram: same topology as page 6.

Page 10: Basic IPsec Summary

• Supported by IOS, PIX, VPN 3000 and several other vendors
• Either side can initiate tunnel
• No support for routing protocol, multicast

Page 11: Agenda

• IPsec Design Options
  IPsec
  IPsec Remote Access (EzVPN)
  IPsec/GRE
• IPsec Design Issues
• IPsec Management

Page 12: IPsec Remote Access (EzVPN)

Diagram: head office EzVPN server (IOS, PIX or VPN 3000 at 1.1.1.1) reached over the Internet by EzVPN clients (Cisco VPN Client; IOS, PIX or VPN 3002 hardware clients).

• Client - Server Architecture
• Client always initiates IPsec connection
• Client may have dynamic IP address
• Very easy to configure!
• Very scalable, no routing expertise required!

Page 13: IPsec Remote Access (EzVPN)

Diagram: head office EzVPN server (IOS, PIX or VPN 3000 at 1.1.1.1) with a remote EzVPN client over the Internet.

• Client extension mode: Packets from all devices behind the EzVPN Client are PATted to one IP address (then tunneled in IPsec).
• Network extension mode: Packets from all devices behind the EzVPN client are tunneled in IPsec (no PAT before IPsec).

Page 14: EzVPN Configuration example

Diagram: remote office router connecting over the Internet to the head office at 1.1.1.1.

crypto ipsec client ezvpn hw-client
 group engineering-1 key secret
 mode client
 peer 1.1.1.1
!
interface Ethernet1
 description connected to INTERNET
 ip address .......
 crypto ipsec client ezvpn hw-client

Page 15: Agenda

• IPsec Design Options
  IPsec
  IPsec Remote Access (EzVPN)
  IPsec/GRE
• IPsec Design Issues
• IPsec Management

Page 16: IPsec/GRE: Scalable Site-to-site VPNs

Diagram: sites connected over the Internet and over Frame Relay.

• Routing Protocol (OSPF, EIGRP...) necessary!
• Routing (or multicast) not specified by IPsec
• Supported in IOS using GRE/IPsec

Page 17: IPsec/GRE Example

Diagram: router 1.1.1.1 connects over the Internet to 2.2.2.2 and 3.3.3.3.

• IKE Policy (Phase I): same as without GRE

crypto isakmp policy 1
 authentication pre-shared
 hash sha
 encryption 3des
crypto isakmp key cisco123isabadkey address 2.2.2.2
crypto isakmp key passwordisiabadkey address 3.3.3.3

Page 18: IPsec/GRE Example

• IPsec Policy (Phase II)

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
access-list 102 permit gre host 1.1.1.1 host 2.2.2.2
access-list 103 permit gre host 1.1.1.1 host 3.3.3.3

Diagram: tunnel 2002 from 1.1.1.1 to 2.2.2.2 and tunnel 2003 from 1.1.1.1 to 3.3.3.3 across the Internet.

Page 19: IPsec/GRE Example

crypto map IPSEC 20 ipsec-isakmp
 set peer 2.2.2.2
 match address 102
 set transform-set ESP-3DES-SHA
crypto map IPSEC 30 ipsec-isakmp
 set peer 3.3.3.3
 match address 103
 set transform-set ESP-3DES-SHA

Diagram: tunnel 2002 (to 2.2.2.2) and tunnel 2003 (to 3.3.3.3) from 1.1.1.1.

Page 20: IPsec/GRE Example

int tunnel 2002
 ip address 10.99.1.1 255.255.255.0
 tunnel source serial 0
 tunnel destination 2.2.2.2
 crypto map IPSEC
int tunnel 2003
 ip address 10.99.2.1 255.255.255.0
 tunnel source serial 0
 tunnel destination 3.3.3.3
 crypto map IPSEC

Diagram: tunnel 2002 (10.99.1.0/24) to 2.2.2.2 and tunnel 2003 (10.99.2.0/24) to 3.3.3.3 from 1.1.1.1.

Page 21: IPsec/GRE Example

int serial 0
 ip address 1.1.1.1 255.255.255.252
 crypto map IPSEC
!
ip route 2.2.2.2 255.255.255.255 serial 0
ip route 3.3.3.3 255.255.255.255 serial 0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 1

Diagram: tunnel 2002 (10.99.1.0/24) to 2.2.2.2 and tunnel 2003 (10.99.2.0/24) to 3.3.3.3 from 1.1.1.1.
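A static audit of configurations like those on pages 6 through 21 is something a practitioner wants before pushing them to routers. The script below is an added example, not code from the deck or from Cisco: it parses an IOS crypto configuration and reports crypto map entries whose peer key, ACL or transform set is missing, plus weak Phase I settings (single DES, MD5, and guessable pre-shared keys such as the deck's deliberately bad ones). The embedded sample is the hub side of the IPsec/GRE example for peer 2.2.2.2 plus one constructed entry (seq 40) with dangling references; the weak-word list is a constructed heuristic.

```python
"""Static audit of an IOS IPsec configuration (added example, not from the deck)."""
# Constructed sample: hub side of the deck's IPsec/GRE example for peer 2.2.2.2, plus
# a constructed entry (crypto map IPSEC 40) whose peer, ACL and transform set never exist.
SAMPLE_CONFIG = """
crypto isakmp policy 1
 authentication pre-shared
 hash sha
 encryption 3des
crypto isakmp key cisco123isabadkey address 2.2.2.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
access-list 102 permit gre host 1.1.1.1 host 2.2.2.2
crypto map IPSEC 20 ipsec-isakmp
 set peer 2.2.2.2
 match address 102
 set transform-set ESP-3DES-SHA
crypto map IPSEC 40 ipsec-isakmp
 set peer 4.4.4.4
 match address 104
 set transform-set ESP-DES-MD5
"""
WEAK_KEY_WORDS = ("cisco", "password", "secret")  # heuristic, constructed here


def parse_config(text):
    """Collect keys, policies, transform sets, ACLs and crypto map entries."""
    cfg = {"keys": {}, "policies": {}, "transform_sets": set(), "acls": set(), "maps": {}}
    current = None  # (kind, key) of the block whose indented sub-commands follow
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        words = line.split()
        if not line.startswith(" "):
            current = None
            if words[:3] == ["crypto", "isakmp", "key"]:
                cfg["keys"][words[5]] = words[3]  # peer address -> pre-shared key
            elif words[:3] == ["crypto", "isakmp", "policy"]:
                cfg["policies"][words[3]] = {}
                current = ("policies", words[3])
            elif words[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["transform_sets"].add(words[3])
            elif words[0] == "access-list":
                cfg["acls"].add(words[1])
            elif words[:2] == ["crypto", "map"] and "ipsec-isakmp" in words:
                current = ("maps", (words[2], words[3]))
                cfg["maps"][current[1]] = {"peers": [], "acl": None, "transform": None}
        elif current and current[0] == "policies":
            cfg["policies"][current[1]][words[0]] = words[1]
        elif current and current[0] == "maps":
            entry = cfg["maps"][current[1]]
            if words[:2] == ["set", "peer"]:
                entry["peers"].append(words[2])
            elif words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
            elif words[:2] == ["set", "transform-set"]:
                entry["transform"] = words[2]
    return cfg


def audit(text):
    """Return sorted (severity, message) findings for one configuration."""
    cfg, findings = parse_config(text), []
    for seq, pol in cfg["policies"].items():
        for attr, bad, msg in (("encryption", "des", "single DES"), ("hash", "md5", "MD5 hash")):
            if pol.get(attr) == bad:
                findings.append(("high", f"isakmp policy {seq}: {msg}"))
    for peer, key in cfg["keys"].items():
        if len(key) < 16 or any(w in key.lower() for w in WEAK_KEY_WORDS):
            findings.append(("high", f"pre-shared key for {peer} is guessable"))
    for (name, seq), e in cfg["maps"].items():
        tag = f"crypto map {name} {seq}"
        for peer in e["peers"]:
            if peer not in cfg["keys"]:
                findings.append(("high", f"{tag}: no isakmp key for peer {peer}"))
        if e["acl"] not in cfg["acls"]:
            findings.append(("high", f"{tag}: ACL {e['acl']} is not defined"))
        if e["transform"] not in cfg["transform_sets"]:
            findings.append(("high", f"{tag}: transform-set {e['transform']} is not defined"))
    return sorted(findings)
```

Running audit(SAMPLE_CONFIG) flags the guessable key for 2.2.2.2 and the three dangling references in entry 40, while the deck's own entry 20 passes.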

Page 22: IPsec/GRE Summary

• IOS only (not PIX, VPN 3000)
• Enables Routing over IPsec protected Tunnels
• Enables IPsec protected multicast
• Enables Multi-Protocol (IPX...)
• Easy to configure thanks to trivial ACLs
• Reduces the number of SAs
• Uses standards: RFC 240x (IPsec), RFC 2784 (GRE)
• IPinIP (RFC 2003) is an alternative to GRE

Page 23: Agenda

• IPsec Design Options
• IPsec Design Issues
  Topologies
  High Availability
  Split Tunneling
  Device Placement
• IPsec Management

Page 24: Site-to-Site Full Mesh

Diagram: sites fully meshed over the Internet.

• N * (N-1) / 2 tunnels
• Scaling issues with provisioning and routing protocols (....future Cisco features may help here...)

Page 25: Dynamic Multipoint VPN (DMVPN) (12.2(13)T)

• Objective: Easy to configure full mesh IPsec VPN
• Uses multi-point GRE interfaces
• Uses NHRP (Next Hop Resolution Protocol)
• Only configure hub connection
• Spoke learns about spoke peer dynamically

Page 26: Dynamic Multipoint VPN - DMVPN (12.2(13)T)

Diagram: a hub with a static public IP address and spokes with dynamic (or static) public IP addresses. Addresses shown: 10.100.1.0 255.255.255.0 (10.100.1.1), 10.1.1.0 255.255.255.0 (10.1.1.1), 10.1.2.0 255.255.255.0 (10.1.2.1), static public address 130.25.13.1.
Legend: dynamic and permanent spoke-to-hub IPsec tunnels; dynamic and temporary spoke-to-spoke IPsec tunnels.

Page 27: Full Mesh: Tunnel Endpoint Discovery (TED)

Diagram: sites connected over an MPLS-VPN/Frame Relay network.

• Dynamically discover tunnel endpoint (peer)
• IOS since 12.0T
• Only works with routable (public) IP address
• Must be enabled in all peer routers

Page 28: TED Example

Diagram: Alice behind router X, Bob behind router Y, Clive behind router Z. The exchange between X and Y:
1. Alice sends IP traffic to Bob. At X: "A to B must be protected", no SA -> send probe.
2. Probe: IKE A to B (proxy X).
3. At Y: "Traffic to B must be protected", no SA -> block & answer probe.
4. IKE Y to X.

X(config)#
crypto dynamic-map DYN 10
 set transform-set ESP-3DES-SHA
 match address 100
!
crypto map IPSEC 99 ipsec-isakmp dynamic DYN discover
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255

Page 29: IPsec Migration Today

Problem: Migration to IPsec in large networks

Timeline (two routers):
0. - / -
1. IPsec / - : no communication possible
2. IPsec / IPsec : all encrypted

Page 30: IPSEC Passive Mode (12.2(13)T)

Command: crypto ipsec optional

Timeline (two routers):
0. - / -
1. passive / -
2. passive / passive : now all routers are on passive
3. active / passive
4. active / active : now all routers are running normal IPsec

Page 31: Agenda

• IPsec Design Options
• IPsec Design Issues
  Topologies
  High Availability
  Split Tunneling
  Device Placement
• IPsec Management

Page 32: High-Availability Design

Stateless options today:
 IPsec and Dead Peer Detection
 IPsec and HSRP
 IPsec/GRE: Routing Protocols

Diagram: remote site (10.1.5.0) with VPN links over the Internet to head-end routers HE-1 and HE-2 in front of the corporate intranet.

Page 33: Dead Peer Detection (IKE keepalives)

• Supported on IOS, PIX, VPN 3000, Cisco VPN Client
• Hellos are sent between IKE peers that have active tunnels established
• Will detect dead peers (stale IPsec SAs)
• On the third hello packet failure, IKE attempts to set up a new tunnel to the next peer in list

Diagram: remote devices (R1, S1, S2, P1 and a VPN Client) exchange hellos across the Internet with head-ends HE-1 and HE-2 in front of the corporate intranet.

Page 34: Dead Peer Detection vs IKE keepalives

• DPD is an optimization to IKE keepalives: "I don't bother to check peer by sending keepalive, if I am receiving data from peer"
• DPD compatibility: IOS 12.2(8)T and later; PIX 6.0 and later; VPN 3000 3.0 and later

Page 35: High Availability with Dead Peer Detection

Diagram: remote with tunnels over the Internet to HE-1 (1.1.1.1) and HE-2 (1.1.1.2); one head-end marked failed (X).

crypto map IPSEC 10 ipsec-isakmp
 match address 10
 set peer 1.1.1.1
 set peer 1.1.1.2
 set transform-set ESP-3DES-SHA

Page 36: IPsec and HSRP+

• Supported on IOS
• HSRP address used as tunnel endpoint
• Active device terminates IPsec tunnel
• In the event of failure, standby device takes over (SAs will be renegotiated)

Diagram: remote with tunnels over the Internet to HE-1 and HE-2 in front of the corporate intranet; one head-end marked failed (X).

Page 37: High Availability with IPsec and HSRP+

Diagram: remote peers with the HSRP virtual address 1.1.1.3 shared by HE-1 and HE-2; one head-end marked failed (X).

Remote:
crypto map IPSEC 10 ipsec-isakmp
 match address 10
 set peer 1.1.1.3
 set transform-set ESP-3DES-SHA

Head-end:
interface Ethernet1/0
 ip address 1.1.1.1 255.255.255.248
 standby 1 ip 1.1.1.3
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VPNHA
 standby 1 track Ethernet1/1 150
 crypto map VPN redundancy VPNHA

Page 38: Reverse Route Injection (RRI) (12.2(8)T)

Because IOS is active-active, and it is not possible for the next-hop device to know which router "has" the active tunnel, Reverse Route Injection (RRI) is required for state tracking.

Works with DPD and HSRP+.

Diagram: the next-hop router in the corporate intranet asks "who should I send traffic to for 10.1.5.0?" while head-ends HE-1 and HE-2 both face the remote (10.1.5.0) across the Internet.

Page 39: Reverse Route Injection Example

Diagram: remote 2.2.2.2 with tunnels to HE-1 and HE-2 in front of the corporate intranet; one head-end marked failed (X).

crypto isakmp keepalive 10
!
crypto map vpn 20 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA
 match address 102
 reverse-route
!

Page 40: RRI In Action

RRI triggers when SA goes down.

Diagram: remote (10.1.5.0/24) with primary head-end P and secondary head-end S across the Internet:
(1) SA established to Primary; sending IKE keepalives
(2) Router P RRI: "I can reach 10.1.5.0"
(3) 10.1.5.0/24 via P
(4) Router P suffers an "Unscheduled Immediate Memory Initialization Routine" (i.e. it crashes)
(5) Secondary active
(6) New SA established to Secondary; sending IKE keepalives
(7) Router S RRI: "I can reach 10.1.5.0"
(8) 10.1.5.0/24 via S
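The eight steps above, as an added simulation that is not the deck's code: a remote with two set peer entries, IKE keepalives that declare a peer dead on the third unanswered hello (page 33), and RRI on each head-end injecting the remote's subnet into the corporate routing table. The names, addresses and the immediate withdrawal of a crashed router's route are constructed for the example.

```python
"""Simulate IKE keepalive failover with Reverse Route Injection (added
example, not from the deck): a constructed model of the slide's steps (1)-(8)."""

class Intranet:
    """The corporate routing table as the next-hop device sees it."""
    def __init__(self):
        self.routes = {}  # prefix -> set of head-end addresses advertising it
    def inject(self, prefix, via):
        self.routes.setdefault(prefix, set()).add(via)
    def withdraw(self, prefix, via):
        self.routes.get(prefix, set()).discard(via)
    def next_hop(self, prefix):
        hops = self.routes.get(prefix, set())
        return min(hops) if hops else None

class HeadEnd:
    """Head-end router; RRI installs a route for each remote subnet with an SA."""
    def __init__(self, name, ip, intranet):
        self.name, self.ip, self.intranet = name, ip, intranet
        self.alive, self.sas = True, {}  # sas: remote prefix -> peer address
    def negotiate(self, peer_ip, prefix):
        """Answer a remote's IKE negotiation; on success RRI injects the route."""
        if not self.alive:
            return False
        self.sas[prefix] = peer_ip
        self.intranet.inject(prefix, self.ip)
        return True
    def crash(self):
        # Simplification: a dead router's injected routes vanish at once (in
        # practice only after the routing protocol times them out).
        self.alive = False
        for prefix in self.sas:
            self.intranet.withdraw(prefix, self.ip)
        self.sas.clear()

class Remote:
    """Remote router whose crypto map lists several 'set peer' entries in order."""
    MAX_MISSED = 3  # the third unanswered hello declares the peer dead
    def __init__(self, prefix, ip, peers):
        self.prefix, self.ip, self.peers = prefix, ip, list(peers)
        self.active, self.missed, self.log = None, 0, []
    def bring_up(self):
        """Try peers starting after the one that just failed (or from the top)."""
        start = 0 if self.active is None else self.peers.index(self.active) + 1
        for i in range(len(self.peers)):
            cand = self.peers[(start + i) % len(self.peers)]
            if cand.negotiate(self.ip, self.prefix):
                self.active, self.missed = cand, 0
                self.log.append(f"SA established to {cand.name}")
                return cand
        self.active = None
        return None
    def keepalive_tick(self):
        """One keepalive interval: send a hello and react to the (missing) answer."""
        if self.active is None:
            return self.bring_up()
        if self.active.alive:
            self.missed = 0
            return self.active
        self.missed += 1
        self.log.append(f"hello {self.missed} to {self.active.name} unanswered")
        if self.missed >= self.MAX_MISSED:
            self.log.append(f"{self.active.name} declared dead")
            return self.bring_up()
        return self.active

def run_scenario():
    """Walk the slide's steps; return next hop before and after the failover."""
    intranet = Intranet()
    p, s = HeadEnd("P", "1.1.1.1", intranet), HeadEnd("S", "1.1.1.2", intranet)
    remote = Remote("10.1.5.0/24", "2.2.2.2", [p, s])
    remote.bring_up()                          # (1)(2): SA to P, P injects 10.1.5.0
    before = intranet.next_hop("10.1.5.0/24")  # (3): via P
    p.crash()                                  # (4): P goes down
    for _ in range(Remote.MAX_MISSED):         # (5)(6)(7): on the third unanswered
        remote.keepalive_tick()                # hello the remote moves to S
    return before, intranet.next_hop("10.1.5.0/24"), remote.log  # (8): via S
```

Between the crash and the third missed hello the intranet has no route for 10.1.5.0/24 at all, which is the window RRI and keepalive timers trade off against each other.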

Page 41: High Availability with IPsec/GRE

• Just plain routing! (OSPF, EIGRP...)
• Routing copes with some failures other methods can't detect
• Local and Geographical redundancy possible
• The IPsec and GRE tunnels are always up (except under failure conditions), since routing protocols are always running

Diagram: remote with tunnels over the Internet to HE-1 and HE-2 in front of the corporate intranet.

Page 42: High Availability with IPsec/GRE

Diagram: remote with tunnel 1 to HE-1 and tunnel 2 to HE-2 over the Internet into the corporate intranet.

Remote:
!
int tunnel 1
 ......
 ip ospf cost 10
 .....
!
int tunnel 2
 ......
 ip ospf cost 20
 ......

HE-1:
!
int tunnel 1
 ......
 ip ospf cost 10
 .....

HE-2:
!
int tunnel 2
 ......
 ip ospf cost 10
 .....

Page 43: Local/Geographical Failover/Load-Balancing

• The Cisco VPN Client supports the notion of backup servers for high availability
  PIX, 3000, and IOS compatible
• The 3000 Concentrator also supports local clustering
  Supports local load sharing (not geographical)
  DNS resolution based load balancing could also be used as the client resolves the FQDN of the head-end device (geographical)

Page 44: High Availability Summary

Matrix of remote device (IOS, PIX, 3000) against head-end device (IOS, PIX with Failover, 3000); the mechanisms listed in the cells are RP, DPD (RRI), HSRP+ (RRI) and DPD.

• Key: DPD = Dead Peer Detection; RP = Routing Protocol; RRI = Reverse Route Injection

Page 45: Agenda

• IPsec Design Options
• IPsec Design Issues
  Topologies
  High Availability
  Split Tunneling
  Device Placement
• IPsec Management

Page 46: Split Tunneling

Diagram: with split tunneling enabled, a VPN Client and a VPN hardware client send corporate traffic through the tunnel with no NAT, while Internet traffic (e.g. to www.evilhackers.com) goes straight to the Internet with NAT.

Page 47: Split Tunneling

• Should it be allowed? Policy Decision!
• If allowed, firewall is needed at remote end
• Cisco VPN Client - $0 firewall
  Default stops incoming connections; allows outgoing connections
  Firewall active even when VPN client is not connected
  Firewall policies can be pushed from VPN 3000 concentrator

Page 48: Agenda

• IPsec Design Options
• IPsec Design Issues
  Topologies
  High Availability
  Split Tunneling
  Device Placement
• IPsec Management

Page 49: VPN Device with separate Firewall

Diagram, from the WAN edge to the campus:
 To WAN Edge -> Stateless L3 filtering (IKE, ESP); nothing to see (crypto-wise) -> VPN device: VPN termination -> L4–L7 stateful inspection and filtering; DoS mitigation; focused Layer 4–7 analysis; DMZ -> To Campus

Page 50: Agenda

• IPsec Design Options
• IPsec Design Issues
• IPsec Management

Page 51: VPN Management

• Nothing dramatically new
  - configuration management
  - performance management
  - fault management
  - sw updates
• Many of the same tools apply: SNMP, TFTP, SSH
• Management traffic should be encrypted (IPsec vs SSH)

Page 52: VPN Management Applications

• Device Managers (on the box)
  PDM—PIX Device Manager
  VDM—VPN Device Manager for IOS and 3000
• VPN/Security Management Solution (VMS) 2.1
  IOS, IDS, PIX Multiple Device Centers
• VPN Solution Center (VPNSC)
  Primary focus: Service Providers

Page 53: VPN/Security Management Solution 2.1

Management Centers (MCs) for:
 VPN Routers
 PIX Firewall
 IDS Sensors

Page 54: VMS 2.1 / Router MC

• Web based
• IOS IPsec/GRE (Hub/Spoke topologies)
• Workflow approach (create task/approve task)
• Grouping of devices/apply policy on group

Page 55: VMS 2.1 / VPN Monitor

• Performance Monitoring of IOS and VPN 3000
  Number of tunnels
  Status/Performance of tunnels
  Performance threshold violations