© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1
Virtual Private Network (VPN) Applications
CCNA Security
Chapter 8
8.1 VPNs
8.2 GRE VPNs
8.3 IPsec VPN Components and Operations
8.4 Implementing a Site-to-Site VPN with the CLI
8.5 Implementing a Remote-Access VPN
8.1 VPN
VPN Overview: Virtual Private Networks
A Virtual Private Network (VPN) is tunnelling across a public network (such as the Internet).
VPNs offer several benefits: • Compatible with broadband technology • Cost savings • Security • Scalability
VPN Overview: VPN Types
Put simply, a VPN connects two endpoints: two remote offices are joined by a logical connection across a public network.
The logical connection can be made at OSI Layer 2 or Layer 3.
Commonly used Layer 3 VPN types: • Generic Routing Encapsulation (GRE) • Multiprotocol Label Switching (MPLS) • Internet Protocol Security (IPsec)
VPN Topologies: Site-to-Site VPN
Used when the VPN is terminated on devices at both remote sites.
The VPN is static and permanent, and hosts on the internal network are unaware that a VPN exists.
VPN Topologies: Site-to-Site VPN
An extension of the WAN.
Connects remote networks to each other.
A site-to-site VPN connects a company's branch office to its headquarters.
It allows networks that were connected by leased lines or Frame Relay to be moved onto broadband Internet using a VPN.
VPN Topologies: Remote-Access VPN
• Allows connection information to change dynamically, and the connection can be brought up and torn down as required. • For example, a teleworker's computer can establish a VPN connection.
VPN Topologies: Remote-Access VPN
Emerged from the evolution of circuit switching.
Supports a client/server architecture. This topology is used when a VPN client (a remote computer) needs secure access to the company network.
VPN Topologies: VPN Client Software Operation
VPN Topologies: Cisco IOS SSL VPN
Cisco IOS SSL VPN is a technology that provides remote-access connectivity from any location with Internet access, using a web browser and SSL.
SSL VPN establishes access in three modes: • Clientless • Thin client • Full client
VPN Solutions: Cisco VPN Products
Product positioning table (columns: Remote-Access VPN and Site-to-Site VPN; each product is marked with a primary role in one column and a secondary role in the other):
• SOHO Routers (Cisco 850 Series ISR and Linksys)
• Cisco VPN 3000 Series Concentrators
• Cisco ASA 5500 Adaptive Security Appliances
• Cisco VPN-Enabled Routers and Switches
• Cisco PIX 500 Series Security Appliances (Legacy)
VPN Solutions: Cisco ASA VPN Services
VPN Solutions: Cisco IPsec Client Options
A Cisco remote-access VPN can use three kinds of IPsec client:
• Cisco VPN Client software – can be installed on a PC or laptop.
• Cisco Remote Router VPN Client – a remote router configured as a VPN client connects small offices or home offices.
• Cisco AnyConnect Secure Mobility Client – the next-generation VPN client; connects remote users to a Cisco ASA.
8.2 GRE VPN
Site-to-Site GRE Tunnel Configuration: GRE Tunnel
There are two popular site-to-site tunnelling protocols: • GRE • IPsec
When should GRE or IPsec be used? The decision flowchart on the slide: Is the user traffic IP only? No → use GRE. Yes → Is it unicast only? No → use GRE. Yes → use IPsec VPN.
Site-to-Site GRE Tunnel Configuration: GRE Tunnel
GRE can encapsulate almost any other packet type. • Creates virtual point-to-point links between Cisco routers over IP • Supports multiple protocols (IP, CLNS, …) and IP multicast tunnelling, so it can also tunnel routing-protocol packets • The most suitable method for site-to-site multiprotocol VPNs • Defined in RFC 1702 and RFC 2784
Site-to-Site GRE Tunnel Configuration: GRE Header
GRE encapsulates the entire original IP packet with a new IP header and a GRE header.
The GRE tunnel header contains at least two mandatory 2-byte fields: • GRE flags – indicate whether optional header information is present • Protocol type – identifies the protocol of the carried payload; 0x800 is used for IPv4
Site-to-Site GRE Tunnel Configuration: GRE Header
GRE provides no encryption; tunnelled traffic can be read with a protocol analyzer.
When GRE and IPsec are combined: IPsec does not support multicast/broadcast traffic, so on its own it does not carry routing-protocol packets. If the GRE-encapsulated traffic is then protected by IPsec, routing-protocol packets are carried as well. This is called GRE over IPsec.
Site-to-Site GRE Tunnel Configuration: GRE Configuration
1. Create a tunnel interface: interface tunnel 0
2. Assign an IP address to the tunnel.
3. Identify the source tunnel interface: tunnel source
4. Identify the tunnel destination: tunnel destination
5. (Optional) Specify the protocol to be encapsulated in GRE: tunnel mode gre ip
By default, GRE tunnels IP packets.
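The GRE header fields and the five configuration steps above can be seen together by building what the two tunnel endpoints actually put on the wire. The following Python example is added here and is not from the slides or from Cisco: it encapsulates a constructed inner IPv4/UDP packet in GRE over IP between two assumed tunnel endpoints (203.0.113.1 and 198.51.100.1), then decapsulates it on the receiving side, using the flag bits to find the optional Key and Sequence Number fields (RFC 2890) that sit before the payload; the constant and function names are the example's own.

```python
import socket
import struct
from typing import Optional

# Protocol constants from RFC 2784 / RFC 2890; IP protocol number 47 carries GRE.
IP_PROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800      # Protocol Type for an IPv4 payload (the slide's 0x800)
GRE_FLAG_CHECKSUM = 0x8000   # C bit: Checksum + Reserved1 follow (4 bytes)
GRE_FLAG_KEY = 0x2000        # K bit: Key follows (4 bytes)
GRE_FLAG_SEQUENCE = 0x1000   # S bit: Sequence Number follows (4 bytes)


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 when a stored checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_header(proto_type: int = GRE_PROTO_IPV4, key: Optional[int] = None,
               seq: Optional[int] = None) -> bytes:
    """The two mandatory 2-byte fields (flags, protocol type), followed only by the
    optional fields the flag bits announce, in RFC 2890 order (Key, then Sequence)."""
    flags, optional = 0, b""
    if key is not None:
        flags |= GRE_FLAG_KEY
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQUENCE
        optional += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto_type) + optional


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes, **opts) -> bytes:
    """What 'tunnel source', 'tunnel destination' and 'tunnel mode gre ip' produce:
    outer IP header (protocol 47) + GRE header + the untouched original packet."""
    gre = gre_header(GRE_PROTO_IPV4, **opts)
    return ipv4_header(tunnel_src, tunnel_dst, IP_PROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes) -> dict:
    """Receiving tunnel endpoint: validate the outer header, then walk the GRE flags
    to find where the original packet starts."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer protocol is not GRE (47)")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:                      # Version bits must be 0 for GRE
        raise ValueError("unsupported GRE version")
    pos, fields = ihl + 4, {}
    if flags & GRE_FLAG_CHECKSUM:
        fields["checksum"] = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 4                            # Checksum + Reserved1
    if flags & GRE_FLAG_KEY:
        fields["key"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if flags & GRE_FLAG_SEQUENCE:
        fields["seq"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    return {"tunnel_src": socket.inet_ntoa(packet[12:16]),
            "tunnel_dst": socket.inet_ntoa(packet[16:20]),
            "flags": flags, "protocol_type": proto_type,
            "payload": packet[pos:], **fields}


def sample_inner_packet() -> bytes:
    """Constructed private-to-private UDP packet standing in for 'user traffic'."""
    msg = b"ROUTING-UPDATE"              # constructed payload
    udp = struct.pack("!HHHH", 5000, 5000, 8 + len(msg), 0) + msg
    return ipv4_header("192.168.1.10", "192.168.2.10", 17, len(udp)) + udp


if __name__ == "__main__":
    inner = sample_inner_packet()
    outer = gre_encapsulate("203.0.113.1", "198.51.100.1", inner, key=42, seq=7)
    info = gre_decapsulate(outer)
    print("flags=0x%04x proto=0x%04x key=%s seq=%s"
          % (info["flags"], info["protocol_type"], info["key"], info["seq"]))
    # The inner packet is carried unchanged and in the clear: a protocol analyzer
    # on the path sees it, which is why the following slide pairs GRE with IPsec.
    print("payload visible on the wire:", b"ROUTING-UPDATE" in outer)
```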
Site-to-Site GRE Tunnel Configuration: GRE with IPsec
One of GRE's advantages is that it also carries non-IP traffic.
Unlike IPsec, which carries only unicast traffic, it also carries multicast and broadcast traffic.
However, GRE does not support encryption; if encryption is required, IPsec must be configured.
8.3 IPsec VPN Components and Operations
IPsec Overview: IPsec as an IETF Standard
The IETF defined a framework for a secure tunnel operating at the network layer. • The IETF set out the rules for secure communication in detail • in the documents RFC 2401 through RFC 2412.
IPsec works at the network layer, protecting and authenticating IP packets between participating devices or peers.
IPsec is not bound to any specific encryption, keying or security algorithm.
IPsec can be used with newer and better algorithms as they become available.
IPsec Overview: IPsec as an IETF Standard
IPsec Overview: IPsec as an IETF Standard
The IPsec framework consists of five building blocks.
The network administrator selects from this framework according to the security services to be implemented.
IPsec Overview: IPsec as an IETF Standard
The functions shown in the figure can be selected using the IPsec framework.
IPsec Overview: Confidentiality
Confidentiality is provided by encryption.
IPsec Overview: IPsec as an IETF Standard
Encryption algorithms and key lengths used in VPNs: • DES • 3DES • AES • Software-Optimized Encryption Algorithm (SEAL)
IPsec Overview: Integrity
Integrity is the guarantee that the content has not been altered.
An integrity algorithm can provide this guarantee.
Hashed Message Authentication Code (HMAC) is one such algorithm.
IPsec Overview: Integrity
Two commonly used HMAC algorithms:
• HMAC-Message Digest 5 (HMAC-MD5)
• HMAC-Secure Hash Algorithm 1 (HMAC-SHA-1)
IPsec Overview: Authentication
The device at the far end is required to authenticate before communication begins.
One of two main methods is used: • Pre-shared Keys (PSKs) • RSA signatures
IPsec Overview: Secure Key Exchange
Encryption and hashing algorithms (DES, 3DES, AES, MD5, SHA-1) require a symmetric secret key.
How do the encrypting and decrypting devices obtain these secret keys?
With the Diffie-Hellman (DH) key exchange method.
IPsec Security Protocols: IPsec Framework Protocols
IPsec builds its security framework on two main protocols:
• AH: Authentication Header • ESP: Encapsulating Security Payload
IPsec Security Protocols: AH
AH provides authentication and an optional replay-detection service.
• Authenticates the sender of the data. • Supports the HMAC-MD5 and HMAC-SHA-1 algorithms.
IPsec Security Protocols: AH
AH does not provide data confidentiality (encryption). • Suitable for cases where data confidentiality is not important. • All data is sent unencrypted.
It only verifies that the data has not been altered since it was sent.
Used on its own, the AH protocol provides weak protection.
AH has problems when NAT is used.
IPsec Security Protocols: AH
AH processing takes place in the following order:
1. The IP header and the data payload are hashed using the shared secret key.
2. The hash is used to build a new AH header, which is inserted into the original packet.
3. The new packet is sent to the IPsec peer router.
4. The peer router hashes the IP header and the protocol data payload with the same secret key, extracts the hash from the received packet's AH header, and compares the two values.
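To make the four steps concrete, here is a Python example added to this page (not from the slides): it performs the sender side and the receiver side of AH with HMAC-SHA-1-96 over a constructed IPv4 packet and a constructed shared key, and then shows the two caveats from the previous slide, namely that the payload is still readable, and that a NAT rewrite of the source address on the path makes the receiver's comparison fail while an ordinary TTL decrement does not. The addresses, key, SPI and payload are constructed values, and the function names are the example's own.

```python
import hashlib
import hmac
import socket
import struct

IP_PROTO_AH = 51         # AH sits between the IP header and the upper-layer payload
ICV_LEN = 12             # HMAC-SHA-1-96 (RFC 2404): the first 96 bits of the HMAC
AH_LEN = 12 + ICV_LEN    # fixed AH fields (12 bytes) + ICV


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Bare 20-byte IPv4 header; the header checksum is left 0 here because it is a
    mutable field that AH excludes from the hash anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 4302: fields that legitimately change in transit (TOS, flags/fragment offset,
    TTL, header checksum) are hashed as zero; addresses, length, ID and protocol are not."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_protect(key: bytes, ip_hdr: bytes, payload: bytes, spi: int, seq: int) -> bytes:
    """Sender (steps 1-2): hash header + payload with the shared key, build the AH header,
    and insert it between the IP header and the payload."""
    new_hdr = bytearray(ip_hdr)
    new_hdr[9] = IP_PROTO_AH                                   # next protocol is now AH
    struct.pack_into("!H", new_hdr, 2, len(ip_hdr) + AH_LEN + len(payload))
    new_hdr = bytes(new_hdr)
    # AH fixed part: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence
    ah_fixed = struct.pack("!BBHII", ip_hdr[9], AH_LEN // 4 - 2, 0, spi, seq)
    covered = zero_mutable_fields(new_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    icv = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return new_hdr + ah_fixed + icv + payload


def ah_verify(key: bytes, packet: bytes):
    """Receiver (step 4): recompute the HMAC with the same key and compare it with the
    ICV carried in the AH header. Returns (ok, next_header, payload)."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = packet[:ihl]
    if ip_hdr[9] != IP_PROTO_AH:
        raise ValueError("not an AH packet")
    ah_len = (packet[ihl + 1] + 2) * 4
    ah_fixed, icv = packet[ihl:ihl + 12], packet[ihl + 12:ihl + ah_len]
    payload = packet[ihl + ah_len:]
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(len(icv)) + payload
    expected = hmac.new(key, covered, hashlib.sha1).digest()[:len(icv)]
    return hmac.compare_digest(expected, icv), ah_fixed[0], payload


def forward_hop(packet: bytes) -> bytes:
    """A normal router on the path: decrements TTL (a mutable field)."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """A NAT device on the path: rewrites the source address (an immutable field)."""
    p = bytearray(packet)
    p[12:16] = socket.inet_aton(new_src)
    return bytes(p)


def demo() -> dict:
    key = b"constructed-shared-secret"        # constructed; IKE would normally derive it
    payload = b"ACCOUNT-BALANCE=1000"         # constructed upper-layer data
    hdr = ipv4_header("192.168.1.10", "192.168.2.10", 17, len(payload))
    pkt = ah_protect(key, hdr, payload, spi=0x1001, seq=1)
    return {
        "intact": ah_verify(key, pkt)[0],
        "after_hop": ah_verify(key, forward_hop(pkt))[0],
        "after_nat": ah_verify(key, nat_rewrite_source(pkt, "203.0.113.5"))[0],
        "wrong_key": ah_verify(b"wrong-key", pkt)[0],
        "payload_in_clear": payload in pkt,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```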
IPsec Security Protocols: ESP
ESP provides the same authentication and data-integrity services as AH, and additionally provides encryption.
• Encapsulates the data to protect it. • Runs as IP protocol number 50.
IPsec Security Protocols: ESP
1. The payload is encrypted using DES, 3DES, AES or SEAL. 2. The encrypted data is hashed using HMAC-MD5 or HMAC-SHA-1 for authentication and data integrity.
IPsec Security Protocols: Transport and Tunnel Modes
ESP and AH can be applied to IP packets in two different modes: transport mode and tunnel mode.
IPsec Security Protocols: Transport and Tunnel Modes
Security is provided only at the transport layer and above. This method protects the payload, but the original IP address remains in plaintext.
ESP transport mode is used between hosts.
Transport mode works well with GRE, because GRE adds its own IP header and so hides the host's IP address.
IPsec Security Protocols: Transport and Tunnel Modes
Tunnel mode provides security for the entire IP packet. The original IP packet is encrypted and encapsulated inside another IP packet (IP-in-IP encryption).
ESP tunnel mode is used in remote-access and site-to-site deployments.
Internet Key Exchange: Security Associations
IPsec VPN solutions: • Negotiate key-exchange parameters (Internet Key Exchange, IKE). • Establish a shared key (DH). • Authenticate (with the peer). • Negotiate encryption parameters.
The agreement on parameters negotiated between the two devices is called a security association (SA).
Internet Key Exchange: Security Associations
The SA is the basic building block of IPsec. Security associations are stored in an SA database (SADB), which is kept on each device.
A VPN has SA entries.
SAs represent the agreement between the two endpoint devices and describe how the devices will use IPsec to protect network traffic.
SAs define all the required security parameters.
Internet Key Exchange: Security Associations
IKE helps two remote devices exchange IPsec cryptographic keys. IKE is a combination of the ISAKMP and Oakley key exchange protocols.
Key management can be handled by IKE (ISAKMP) or configured manually in advance. IKE and ISAKMP are often used interchangeably.
The IKE tunnel also protects the SA negotiations.
Internet Key Exchange: IKE Phase 1 and Phase 2
Every IKE negotiation has two phases: • Phase 1 (Authentication) • Phase 2 (Key Exchange)
IKE negotiations can be carried out in two modes: • Main mode • Aggressive mode
The difference between them: main mode uses 6 messages for the exchange, while aggressive mode uses 3.
Internet Key Exchange: IKE Phase 1 and Phase 2
IKE Phase 1: • An IKE protection suite is negotiated • Keying material is exchanged to protect the IKE session. • Authentication is performed. • The IKE SA is established. • 6 messages are sent in main mode, 3 in aggressive mode.
IKE Phase 2: • IPsec security parameters, known as IPsec transform sets, are negotiated. • IPsec SAs are established. • IPsec SAs are renegotiated periodically. • Optionally, an additional DH exchange can be performed.
8.4 Implementing a Site-to-Site IPsec VPN (with the CLI)
Configuring a Site-to-Site IPsec VPN: IPsec VPN Negotiation
A VPN is used to create a logical connection between two end devices that communicate over a public network.
An IPsec VPN negotiation consists of several steps.
1. Host A sends interesting traffic to Host B.
2. Routers R1 and R2 negotiate an IKE Phase 1 session.
3. Routers R1 and R2 negotiate an IKE Phase 2 session.
4. Data is transferred over the IPsec tunnel.
5. The IPsec tunnel is terminated.
Configuring a Site-to-Site IPsec VPN: IPsec Configuration Steps
The following steps are performed for a site-to-site IPsec VPN:
1. Ensure that the ACLs configured on the interfaces are compatible with IPsec.
2. Create an ISAKMP (IKE) policy.
3. Create an IPsec transform set.
4. Create a crypto ACL.
5. Create and apply a crypto map.
Step 1 – Creating Compatible ACLs
Ensure that the ACLs permit IP protocols 50 and 51 and UDP port 500, so that ISAKMP, ESP and AH traffic is not blocked.
• ESP is assigned IP protocol 50.
• AH is assigned IP protocol 51.
• ISAKMP uses UDP port 500.
Step 1 – Creating Compatible ACLs: ACL Configuration
The second major task is defining the parameters within the IKE policy.
Multiple ISAKMP policies can be configured on each peer participating in IPsec.
Step 2 – IKE Configuration
ISAKMP parameters are set with the crypto isakmp policy command.
Step 2 – IKE Configuration
Step 2 – IKE Configuration: ISAKMP Policy Negotiation
Two peers must negotiate ISAKMP policies before they can agree on an SA.
Policy numbers are only locally significant; the numbers do not have to match between the two peers.
Step 2 – IKE Configuration: ISAKMP Policy Negotiation
Step 2 – IKE Configuration: Pre-Shared Keys
Key cisco123 matches.
Address identity method specified.
ISAKMP policy matches.
Default values do not have to be configured.
Step 3 – Configuring Transform Sets: Defining Transform Sets
A transform set is created for the traffic of each individual IPsec security policy.
Router(config)# crypto ipsec transform-set transform-set-name ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  esp-null      ESP transform w/o cipher
Note:
• esp-md5-hmac and esp-sha-hmac provide additional data integrity.
• They are compatible with NAT/PAT and are used more often than ah-md5-hmac and ah-sha-hmac.
Transform sets are negotiated during IKE Phase 2.
R1 is configured with transform sets named ALPHA, BETA and CHARLIE, while R2 is configured with RED, BLUE and YELLOW.
Each of R1's transform sets is compared with R2's sets until a match is found.
Step 3 – Configuring Transform Sets: Transform Set Configuration
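How the two peers land on a common proposal, as an added Python illustration (not Cisco code and not part of the original slides): Phase 1 walks the ISAKMP policies in priority order and ignores the remote peer's policy numbers, and Phase 2 compares the transform sets by content until one matches. The policy numbers, attribute values and transform-set contents below are constructed sample data.

```python
"""Proposal matching in IKE Phase 1 and Phase 2 (added example, not Cisco code).

Phase 1: ISAKMP policies are offered in priority order (lowest number first);
the remote peer's policy numbers are irrelevant, only the attributes must agree.
Phase 2: the initiator's transform sets are compared against the responder's
until one matches. Policy numbers, set names and transforms are constructed
sample data (R1: ALPHA/BETA/CHARLIE, R2: RED/BLUE/YELLOW as on the slide).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# The Phase 1 attributes the slide says must match on both sides.
PHASE1_ATTRS = ("encryption", "hash_alg", "dh_group", "authentication")


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # locally significant only
    encryption: str        # "des" | "3des"
    hash_alg: str          # "md5" | "sha"
    dh_group: int          # 1 | 2
    authentication: str    # "pre-share" | "rsa-sig" | "rsa-encr"

    def attrs(self) -> tuple:
        return tuple(getattr(self, a) for a in PHASE1_ATTRS)


def negotiate_phase1(local: List[IsakmpPolicy],
                     remote: List[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy]]:
    """Return the first (local, remote) policy pair whose attributes agree.

    The initiator walks its own policies from the lowest priority number up;
    a remote policy matches regardless of the number it carries there.
    """
    for lp in sorted(local, key=lambda p: p.priority):
        for rp in remote:
            if lp.attrs() == rp.attrs():
                return lp, rp
    return None


def explain_phase1_mismatch(local: List[IsakmpPolicy],
                            remote: List[IsakmpPolicy]) -> List[Tuple[int, int, List[str]]]:
    """For every policy pair, list the attributes that differ.

    Handy when the debug output only says "atts are not acceptable".
    """
    report = []
    for lp in local:
        for rp in remote:
            diff = [a for a in PHASE1_ATTRS if getattr(lp, a) != getattr(rp, a)]
            report.append((lp.priority, rp.priority, diff))
    return report


TransformSets = Dict[str, FrozenSet[str]]


def negotiate_phase2(local: TransformSets, remote: TransformSets) -> Optional[Tuple[str, str]]:
    """Return (local_name, remote_name) of the first transform set present on both peers.

    Names are labels only; the transforms in the set must be identical.
    """
    for lname, lset in local.items():
        for rname, rset in remote.items():
            if lset == rset:
                return lname, rname
    return None


# Constructed sample: different policy numbers on R1 and R2, but one pair agrees.
R1_POLICIES = [
    IsakmpPolicy(10, "3des", "sha", 2, "pre-share"),
    IsakmpPolicy(20, "des", "md5", 1, "pre-share"),
]
R2_POLICIES = [
    IsakmpPolicy(100, "des", "sha", 1, "rsa-sig"),
    IsakmpPolicy(110, "des", "md5", 1, "pre-share"),
]

R1_SETS: TransformSets = {
    "ALPHA": frozenset({"esp-des", "esp-md5-hmac"}),
    "BETA": frozenset({"esp-3des", "esp-sha-hmac"}),
    "CHARLIE": frozenset({"esp-3des", "esp-md5-hmac"}),
}
R2_SETS: TransformSets = {
    "RED": frozenset({"esp-null", "esp-sha-hmac"}),
    "BLUE": frozenset({"ah-sha-hmac", "esp-3des"}),
    "YELLOW": frozenset({"esp-3des", "esp-sha-hmac"}),
}

if __name__ == "__main__":
    print("Phase 1:", negotiate_phase1(R1_POLICIES, R2_POLICIES))
    print("Phase 2:", negotiate_phase2(R1_SETS, R2_SETS))
```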
Step 4 – Configuring Crypto ACLs: Defining Crypto ACLs
Crypto ACLs identify the traffic flows to be protected.
Outbound crypto ACLs select the outbound traffic that IPsec must protect; traffic that is not selected is sent in plaintext.
If desired, inbound ACLs can be used to filter out and discard traffic that should have been protected by IPsec.
Outbound crypto ACLs are defined to encrypt interesting traffic. All other traffic is sent out unencrypted.
Step 4 – Configuring Crypto ACLs: Crypto ACL Syntax
Symmetric (mirror-image) crypto ACLs must be configured when using IPsec.
RouterA(config)# access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
RouterB(config)# access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
Step 4 – Configuring Crypto ACLs: Symmetric Crypto ACL Syntax
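An added Python check for the two ACL requirements of Step 1 (the interface ACL permits ESP, AH and ISAKMP between the peers) and Step 4 (mirror-image crypto ACLs), written for this page and not Cisco tooling. The peer addresses 172.30.1.2 and 172.30.2.2 and the crypto ACL lines come from the slides; the interface-ACL entries and ACL number 101 are constructed.

```python
"""ACL checks for Step 1 and Step 4 of the site-to-site IPsec procedure.

Added example, not Cisco's own tooling. Step 1: the ACL on the interface
between the peers must permit ESP (IP protocol 50), AH (IP protocol 51) and
ISAKMP (UDP 500). Step 4: the crypto ACLs on the two routers must be mirror
images of each other. All ACL text is constructed sample input in Cisco IOS
numbered-ACL syntax; only the address forms used there are parsed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    number: str
    action: str
    protocol: str
    src: Tuple[str, ...]        # ("any",) | ("host", ip) | (network, wildcard)
    dst: Tuple[str, ...]
    port: Optional[str] = None  # destination port from an "eq" qualifier


def _parse_addr(tokens: List[str], i: int):
    """Parse one IOS address specification starting at tokens[i]."""
    if tokens[i] == "any":
        return ("any",), i + 1
    if tokens[i] == "host":
        return ("host", tokens[i + 1]), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line: str) -> Ace:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not a numbered ACL entry: {line!r}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
    return Ace(t[1], t[2], t[3], src, dst, port)

def parse_acl(text: str) -> List[Ace]:
    lines = [l.strip() for l in text.strip().splitlines()]
    return [parse_ace(l) for l in lines if l and not l.startswith("!")]

def _covers(addr: Tuple[str, ...], ip: str) -> bool:
    """Does an ACE address specification match the given host address?"""
    if addr[0] == "any":
        return True
    if addr[0] == "host":
        return addr[1] == ip
    net, wild = (int(ipaddress.IPv4Address(a)) for a in addr)
    care = 0xFFFFFFFF ^ wild  # wildcard bits set to 1 are "don't care"
    return int(ipaddress.IPv4Address(ip)) & care == net & care

# IOS accepts protocol and port numbers as well as the keywords.
_ALIAS = {"50": "esp", "51": "ahp", "500": "isakmp"}
_REQUIRED = {"esp": ("esp", None), "ahp": ("ahp", None), "isakmp": ("udp", "isakmp")}

def missing_ipsec_permits(acl: List[Ace], src_peer: str, dst_peer: str) -> List[str]:
    """Step 1: the IPsec protocols the ACL does NOT permit from src_peer to dst_peer."""
    found = set()
    for ace in acl:
        if ace.action != "permit":
            continue
        if not (_covers(ace.src, src_peer) and _covers(ace.dst, dst_peer)):
            continue
        proto = _ALIAS.get(ace.protocol, ace.protocol)
        port = _ALIAS.get(ace.port, ace.port) if ace.port else None
        if proto == "ip":            # "permit ip" covers every protocol
            found.update(_REQUIRED)
        for name, needed in _REQUIRED.items():
            if (proto, port) == needed:
                found.add(name)
    return sorted(set(_REQUIRED) - found)

def crypto_acls_symmetric(acl_a: List[Ace], acl_b: List[Ace]) -> bool:
    """Step 4: every entry on router A must appear on router B with source and
    destination swapped, and vice versa. ACL numbers are locally significant and
    ignored; address-only entries like the slide's are assumed."""
    def key(ace: Ace, swap: bool):
        s, d = (ace.dst, ace.src) if swap else (ace.src, ace.dst)
        return (ace.action, ace.protocol, s, d)
    return {key(a, True) for a in acl_a} == {key(b, False) for b in acl_b}


# Constructed sample: ACL applied inbound on RouterA's outside interface, so the
# source is the remote peer 172.30.2.2 and the destination is RouterA's 172.30.1.2.
ROUTER_A_INTERFACE_ACL = """
access-list 101 permit ahp host 172.30.2.2 host 172.30.1.2
access-list 101 permit esp host 172.30.2.2 host 172.30.1.2
access-list 101 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
"""
# Crypto ACLs from the slide (Step 4), plus a deliberately asymmetric one.
ROUTER_A_CRYPTO_ACL = "access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255"
ROUTER_B_CRYPTO_ACL = "access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255"
ROUTER_B_ASYMMETRIC = "access-list 110 permit tcp 10.0.2.0 0.0.0.255 10.0.3.0 0.0.0.255"

if __name__ == "__main__":
    acl = parse_acl(ROUTER_A_INTERFACE_ACL)
    print("missing on interface ACL:", missing_ipsec_permits(acl, "172.30.2.2", "172.30.1.2"))
    print("crypto ACLs symmetric:", crypto_acls_symmetric(
        parse_acl(ROUTER_A_CRYPTO_ACL), parse_acl(ROUTER_B_CRYPTO_ACL)))
```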
Step 5 – Crypto Map: Defining the Crypto Map
Crypto maps define:
• The traffic to protect, using a crypto ACL
• The flow to protect with a set of SAs
• Who the IPsec peers are
• The local address used for IPsec
• What kind of IPsec security is applied to this traffic
• The key management method
• SA lifetimes
Step 5 – Crypto Map: Crypto Map Syntax
Verifying the IPsec Configuration: Crypto Maps
Verifying the IPsec Configuration: IPsec Show Commands
R1# show crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 172.30.2.2
        Extended IP access list 102
            access-list 102 permit ip host 172.30.1.2 host 172.30.2.2
        Current peer: 172.30.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ MINE, }
R1# show crypto isakmp policy
Protection suite of priority 110
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  pre-share
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Verifying the IPsec Configuration: Verifying Security Associations
R1# show crypto isakmp sa
dst             src             state          conn-id    slot
172.30.2.2      172.30.1.2      QM_IDLE        47         5
Verifying the IPsec Configuration: Verifying VPN Connectivity
R1# debug crypto isakmp
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 150.150.150.1
Example of a Main Mode error message.
A Main Mode failure indicates that the Phase 1 policies on the two sides do not match.
Make sure that all policies match:
• Encryption: DES or 3DES
• Hash: MD5 or SHA
• Diffie-Hellman: Group 1 or 2
• Authentication: rsa-sig, rsa-encr or pre-share
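Reading the two verification outputs above programmatically, as an added Python example (not Cisco code): the parser picks the ISAKMP SA state out of show crypto isakmp sa, and the log check flags the %CRYPTO-6-IKMP_MODE_FAILURE message by peer, which is what a monitoring pipeline would alert on. The sample text is constructed from the slide output; the status strings returned by diagnose() are this example's own labels.

```python
"""Parse the verification output above (added example, not Cisco code).

Two checks after bringing up the tunnel: `show crypto isakmp sa` should list
the peer in state QM_IDLE (Phase 1 completed, ISAKMP SA ready for quick mode),
and a %CRYPTO-6-IKMP_MODE_FAILURE message in `debug crypto isakmp` output
means Phase 1 failed, which the slide attributes to mismatched Phase 1
policies. The sample text is constructed from the slide's output.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Matches the syslog line on the slide; the mode word is captured rather than fixed.
MODE_FAILURE_RE = re.compile(
    r"%CRYPTO-6-IKMP_MODE_FAILURE: Processing of (?P<mode>[A-Za-z]+) Mode "
    r"failed with peer at (?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass(frozen=True)
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    slot: int


def parse_isakmp_sa(output: str) -> List[IsakmpSa]:
    """Parse `show crypto isakmp sa`, skipping the prompt and the column header."""
    sas, in_table = [], False
    for line in output.splitlines():
        f = line.split()
        if f[:3] == ["dst", "src", "state"]:
            in_table = True
            continue
        if in_table and len(f) >= 5 and f[3].isdigit() and f[4].isdigit():
            sas.append(IsakmpSa(f[0], f[1], f[2], int(f[3]), int(f[4])))
    return sas


def phase1_established(sas: List[IsakmpSa], peer: str) -> bool:
    """True when an ISAKMP SA with the peer has reached QM_IDLE."""
    return any(sa.state == "QM_IDLE" and peer in (sa.dst, sa.src) for sa in sas)


def mode_failures(log: str) -> List[Tuple[str, str]]:
    """Return (mode, peer) for every IKMP_MODE_FAILURE message in the log."""
    return [(m.group("mode"), m.group("peer")) for m in MODE_FAILURE_RE.finditer(log)]


def diagnose(sa_output: str, log: str, peer: str) -> str:
    """Classify the tunnel state toward one peer from the two outputs."""
    if phase1_established(parse_isakmp_sa(sa_output), peer):
        return "phase1-up"
    if any(mode == "Main" and p == peer for mode, p in mode_failures(log)):
        # Per the slide: compare encryption, hash, DH group and authentication
        # in the Phase 1 policies of both peers.
        return "phase1-policy-mismatch"
    return "no-isakmp-sa"


# Constructed sample output, reproducing the slide's show and debug lines.
SHOW_ISAKMP_SA = """R1# show crypto isakmp sa
dst             src             state          conn-id    slot
172.30.2.2      172.30.1.2      QM_IDLE        47         5
"""
DEBUG_LOG = """1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: ISAKMP (0:1); no offers accepted!
1d00h: ISAKMP (0:1): SA not acceptable!
1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 150.150.150.1
"""

if __name__ == "__main__":
    for peer in ("172.30.2.2", "150.150.150.1"):
        print(peer, "->", diagnose(SHOW_ISAKMP_SA, DEBUG_LOG, peer))
```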
8.5 Implementing Remote-Access VPNs
Shift to Telecommuting: Advantages of Telecommuting
Organizational benefits:
• Continuity of operations
• Increased responsiveness
• Secure, reliable, and manageable access to information
• Cost-effective integration of data, voice, video, and applications
• Increased employee productivity, satisfaction, and retention
Social benefits:
• Increased employment opportunities for marginalized groups
• Less travel and commuter-related issues
Environmental benefits:
• Reduced carbon footprints, both for individual workers and organizations
Shift to Telecommuting: Benefits of Telecommuting
Telecommuting offers organizational, social, and environmental benefits.
Studies have shown that telecommuting improves employee lifestyles by decreasing job-related stresses.
There may be some drawbacks. For example, telecommuters working from home can experience distractions that they would not have at work.
Introducing Remote Access VPNs: Remote-Access VPN Options
There are two primary methods for deploying remote-access VPNs, as shown in the figure:
1. IPsec
2. SSL
(Figure labels: IPsec Remote Access VPN; SSL-Based VPN; Any Application; Anywhere Access)
Introducing Remote Access VPNs: Access Requirements Determine Remote-Access VPNs
IPsec exceeds SSL in many significant ways:
• Number of applications that are supported
• Strength of encryption
• Strength of authentication
• Overall security
SSL VPNs: Cisco IOS SSL VPN Technology
Cisco SSL VPN delivers many remote-access connectivity features and benefits:
• Web-based clientless access and full network access without preinstalled desktop software.
• Protection against viruses, worms, spyware, and hackers on a VPN connection by integrating network and endpoint security in the Cisco SSL VPN platform.
• Simple, flexible, and cost-effective licensing. SSL uses a single license.
• Single device for both SSL VPN and IPsec VPN.
SSL VPNs: Types of SSL VPN Access
SSL VPNs provide different types of access:
• Clientless
• Thin client
• Full client
SSL VPNs Steps to Establishing SSL VPN
SSL VPNs: SSL VPN Design
SSL VPN design considerations:
• User connectivity
• Router feature
• Router hardware
• Infrastructure planning
• Implementation scope
Cisco Easy VPN: Cisco Easy VPN
Cisco Easy VPN consists of three components:
• Cisco Easy VPN Server - A Cisco IOS router or Cisco ASA Firewall acting as the VPN head-end device in site-to-site or remote-access VPNs.
• Cisco Easy VPN Remote - A Cisco IOS router or Cisco ASA Firewall acting as a remote VPN client.
• Cisco VPN Client - An application supported on a PC used to access a Cisco VPN server.
Cisco Easy VPN Cisco Easy VPN Cont.
Cisco Easy VPN Cisco Easy VPN Endpoints
Cisco Easy VPN Cisco Easy VPN Connection Steps
Configuring a VPN Server with CCP CCP Tasks for Cisco Easy VPN Server
Configuring Cisco Easy VPN Server functionality using CCP consists of two major tasks:
Task 1. Configure prerequisites, such as AAA, privileged users, and the enable secret password, based on the chosen VPN design.
Task 2. Configure the Cisco Easy VPN Server.
Configuring a VPN Server with CCP CCP Tasks for Cisco Easy VPN Server On the CCP main window, click Configure, click the Security folder, click the VPN subfolder, and then select the Easy VPN Server option.
Configuring a VPN Server with CCP: Initial Easy VPN Server Steps
Specify the router interface where the VPN connection will terminate and the authentication method (e.g., pre-shared keys, digital certificates, or both).
Click Next to display the IKE Proposals window.
Configuring a VPN Server with CCP Initial Easy VPN Server Steps Cont. When configuring IKE proposals, use the default policy that is predefined by CCP or add a custom IKE Policy.
Configuring a VPN Server with CCP Selecting the Transform Set
Configuring a VPN Server with CCP Group Authorization & Group Policy Lookup
Easy VPN group policies can be stored:
• Local - All groups are in the router configuration in NVRAM.
• RADIUS - The router uses the RADIUS server for group authorization.
• RADIUS and Local - The router can look up policies stored in an AAA server database that can be reached via RADIUS.
Configuring a VPN Server with CCP Group Authorization & Group Policy Lookup Cont. Configure the Group Authorization parameters
Configuring a VPN Server with CCP Easy VPN Server Summary After all the steps are completed, the Easy VPN Server wizard displays a summary of the configured parameters.
Configuring a VPN Server with CCP: Easy VPN Server Summary (cont.)
Connecting with a VPN Client: Cisco VPN Client. The Cisco VPN Client is simple to deploy and operate. It allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or telecommuters.
Connecting with a VPN Client: Connection Status. When the Cisco VPN Client is installed, open the Cisco VPN Client window to start an IPsec VPN connection on a PC. The application lists the available preconfigured sites.