VPN and IPSec Concepts - CCNAv7

Transcript

1. Marc Khayat, CCIE #41288 Technical Manager 14-Dec-19 New module in

   CCNAv7 VPN and IPSec VPN Concepts

2. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

   Confidential • VPN Technology • Types of VPN • IPSec Agenda

3. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

   Confidential VPN Technology

4. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

   Confidential • Cost Savings • Security • Scalability • Compatibility Virtual Private Networks

5. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

   Confidential Basic VPN Types Remote-Access VPN Site-to-Site VPN Access

6. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

   Confidential Who manages the VPN?

7. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

   Confidential Types of VPN

8. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

   Confidential • Clientless VPN connection: • SSL • Browser-based • Client-based VPN connection • IPSec or SSL • Software such as AnyConnect Remote-Access VPNs

9. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

   Confidential SSL or IPSec?

10. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential • Router or Firewall • Pass IP traffic only • Unicast Site-to-Site IPSec VPNs

11. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential • GRE: no encryption, supports multicast/broadcast • Encapsulate traffic in GRE tunnel, then encrypt using IPSec. GRE over IPSec

12. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential • Dynamically expand your GRE/IPSec tunnels • Spoke-to-spoke ensured by NHRP • Simplifies tunnel management Dynamic Multipoint VPNs

13. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential • VTI simplifies config and makes it flexible • Supports multicast => no need for GRE IPsec Virtual Tunnel Interface

14. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential • Layer 3 MPLS VPN - The service provider participates in customer routing by establishing a peering between the customer’s routers and the provider’s routers. • Layer 2 MPLS VPN - The service provider is not involved in the customer routing. Instead, the provider deploys a Virtual Private LAN Service (VPLS) to emulate an Ethernet multiaccess LAN segment over the MPLS network. Service Provider MPLS VPNs

15. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential IPSec

16. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential • Confidentiality - encryption • Integrity - hashing algorithms • Origin authentication - pre- shared keys (passwords), digital certificates, or RSA certificates • Diffie-Hellman - Secure key exchange IPSec Technologies

17. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential • Select your preferred and supported protocols. • Build your own security associations. Security functions

18. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential • Authentication Header (AH) • Encapsulation Security Protocol (ESP). IPsec Protocol Encapsulation

19. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential • Data encryption • Symmetric algorithms Confidentiality

20. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential • Data that is received is exactly the same data that was sent. Integrity

21. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential • VPNs ends must confirm their identities Authentication

22. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential • Public key exchange method to share secret key used for encryption/decryption Secure Key Exchange with Diffie-Hellman

23. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential • Default is tunnel mode • Transport mode is used when VPN gateways are the destination of data stream. Transport vs Tunnel Mode

24. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco

    Confidential
25. None