Network Security 2

1. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys

2. Module 4: Configuring Site to Site VPN with Pre-shared keys Lesson 4.1 Prepare a Router for Site-to-Site VPN using Pre-shared Keys

3. IPSec encryption with pre-shared keys • Site-to-site IPSec VPNs can be established between any combination of routers, PIX Security Appliances, VPN concentrators, VPN clients, and other devices that are IPSec compliant. • The use of pre-shared keys for authentication of IPSec sessions is relatively easy to configure • Does not scale well for a large number of IPSec clients.

4. Configuring IKE pre-shared keys in Cisco IOS consists: • Task 1 is to prepare for IPSec. • Encryption policy • Hosts and networks to protect • Details about the IPSec peers • Needed IPSec features • Ensuring existing ACLs are compatible with IPSec IPSec encryption with pre-shared keys

5. IPSec encryption with pre-shared keys • Task 2 involves configuring IKE. • Enabling IKE • Creating the IKE policies • Validating the configuration. • Task 3 is configuring IPSec. • Defining the transform sets • Creating crypto ACLs • Creating crypto map entries • Applying crypto map sets to interfaces. • Task 4 is to test and verify IPSec

6. IKE peer authentication pre-shared secrets • Simplest authentication to configure, • Has several serious limitations. • based on a pre-shared secret. • secret is exchanged securely out-of-band. • Peers perform a PPP CHAP-like exchange of random values, hashed with the pre-shared secret key.

7. IKE peer authentication pre-shared • IKE peer authentication using pre-shared secrets works in the following manner: • Peer A randomly chooses a string and sends it to peer • Peer B hashes the string together with the pre-shared • Peer B sends the result of hashing back to peer A. • Peer A calculates its own hash of the random string, together with the pre-shared secret • And the same process for Peer B • Main limitation of pre-shared secret authentication is the requirement to base the pre-shared secret on the IP address of remote peer, not its IKE identity. • Can impose problems in an environment with dynamic peer addresses.

8. Planning the IKE and IPSec policy

9. Step 1 – Determine ISAKMP (IKE Phase 1) policy • Some planning steps include the following: • Determine the key distribution method • Manually distribute keys • Use a CA server • Determine the authentication method – pre-shared keys, RSA encrypted nonces, or RSA signatures • Identify IP addresses and host names of the IPSec peers • Determine ISAKMP policies for peers • Encryption algorithm • Hash algorithm • IKE SA lifetime

13. IKE Phase 1 Default Values

14. Step 2 – Determine IPSec (IKE Phase 2) policy • Policy details to determine at this stage include the following: • Select IPSec algorithms and parameters for optimal security and performance • Select transforms and, if necessary, transform sets • Identify IPSec peer details • Determine IP address and applications of hosts to be protected • Select manual or IKE-initiated SAs

16. IPSec Transform Sets

18. Step 3 – Check the current configuration

19. Check Current configuration

20. View configured Cryto-Maps

21. View Configured Transform Sets

22. Step 4 – Ensure the network works without encryption

23. Step 5 – Ensure ACLs are compatible with IPSec • Ensure that the ACLs are configured so that ISAKMP, Encapsulating Security Payload (ESP), and AH traffic is not blocked at interfaces used by IPSec. • ISAKMP uses UDP port 500 • ESP is assigned IP protocol number 50 • AH is assigned IP protocol number 51

24. Q and A