Slide 1

VPN and IPSec VPN Concepts
New module in CCNAv7
Marc Khayat, CCIE #41288, Technical Manager, 14-Dec-19

Slide 2

Agenda
• VPN Technology
• Types of VPN
• IPSec
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Slide 3

VPN Technology

Slide 4

Virtual Private Networks
• Cost Savings
• Security
• Scalability
• Compatibility

Slide 5

Basic VPN Types
• Remote-Access VPN
• Site-to-Site VPN

Slide 6

Who manages the VPN?

Slide 7

Types of VPN

Slide 8

Remote-Access VPNs
• Clientless VPN connection:
  • SSL
  • Browser-based
• Client-based VPN connection:
  • IPSec or SSL
  • Software such as AnyConnect

Slide 9

SSL or IPSec?

Slide 10

Site-to-Site IPSec VPNs
• Router or Firewall
• Pass IP traffic only
• Unicast

Slide 11

GRE over IPSec
• GRE: no encryption, supports multicast/broadcast
• Encapsulate traffic in a GRE tunnel, then encrypt using IPSec.

Slide 12

Dynamic Multipoint VPNs
• Dynamically expand your GRE/IPSec tunnels
• Spoke-to-spoke ensured by NHRP
• Simplifies tunnel management

Slide 13

IPsec Virtual Tunnel Interface
• VTI simplifies config and makes it flexible
• Supports multicast => no need for GRE

Slide 14

Service Provider MPLS VPNs
• Layer 3 MPLS VPN - The service provider participates in customer routing by establishing a peering between the customer's routers and the provider's routers.
• Layer 2 MPLS VPN - The service provider is not involved in the customer routing. Instead, the provider deploys a Virtual Private LAN Service (VPLS) to emulate an Ethernet multiaccess LAN segment over the MPLS network.

Slide 15

IPSec

Slide 16

IPSec Technologies
• Confidentiality - encryption
• Integrity - hashing algorithms
• Origin authentication - pre-shared keys (passwords), digital certificates, or RSA certificates
• Diffie-Hellman - secure key exchange

Slide 17

Security functions
• Select your preferred and supported protocols.
• Build your own security associations.

Slide 18

IPsec Protocol Encapsulation
• Authentication Header (AH)
• Encapsulation Security Protocol (ESP)

Slide 19

Confidentiality
• Data encryption
• Symmetric algorithms

Slide 20

Integrity
• Data that is received is exactly the same data that was sent.

Slide 21

Authentication
• VPN ends must confirm their identities

Slide 22

Secure Key Exchange with Diffie-Hellman
• Public key exchange method to share the secret key used for encryption/decryption
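The exchange on this slide, written out as an added example that is not part of the Cisco deck: each peer picks a private exponent, only the public values cross the wire, and both sides arrive at the same secret, which is then expanded into separate encryption and integrity keys for the security association. A pre-shared-key HMAC over the exchanged public values supplies the origin authentication from slide 16 that bare Diffie-Hellman lacks. The toy group (p = 23, g = 5), the nonces, the key derivation and the tag construction are all constructed for illustration and do not reproduce IKE's actual messages or PRF chain.

```python
import hashlib
import hmac
import secrets

# Toy textbook group, constructed for illustration only: p is tiny, so the discrete log is
# trivial. Real IPsec peers negotiate a standardised, large DH group inside IKE instead.
TOY_P = 23
TOY_G = 5          # 5 is a primitive root modulo 23, so it generates the whole group


def dh_keypair(p: int = TOY_P, g: int = TOY_G, private: int = None):
    """Return (private, public) with public = g^private mod p; private never leaves this peer."""
    if private is not None:
        return private, pow(g, private, p)
    while True:
        private = secrets.randbelow(p - 3) + 2            # 2 .. p-2
        public = pow(g, private, p)
        if 1 < public < p - 1:                             # skip degenerate public values
            return private, public


def dh_shared_secret(peer_public: int, private: int, p: int = TOY_P) -> int:
    """Each side raises the other's public value to its own private exponent."""
    if not 1 < peer_public < p - 1:                        # reject 0, 1 and p-1 before using them
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def derive_keys(shared: int, nonce_i: bytes, nonce_r: bytes):
    """Simplified KDF (assumed for the demo, not IKE's exact PRF chain): expand the shared
    secret plus both nonces into distinct encryption and integrity keys for the SA."""
    seed = hmac.new(nonce_i + nonce_r, shared.to_bytes(32, "big"), hashlib.sha256).digest()
    enc_key = hmac.new(seed, b"encryption", hashlib.sha256).digest()
    auth_key = hmac.new(seed, b"integrity", hashlib.sha256).digest()
    return enc_key, auth_key


def psk_auth_tag(psk: bytes, pub_i: int, pub_r: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Origin authentication: HMAC under the pre-shared key over this exchange's public values,
    so a peer that does not hold the PSK cannot produce a valid tag for the values it sent."""
    transcript = b"|".join([pub_i.to_bytes(32, "big"), pub_r.to_bytes(32, "big"), nonce_i, nonce_r])
    return hmac.new(psk, transcript, hashlib.sha256).digest()


def run_exchange(psk_initiator: bytes, psk_responder: bytes, priv_i=None, priv_r=None,
                 nonce_i=None, nonce_r=None):
    """Simulate both peers; only public values, nonces and the auth tag cross the wire."""
    nonce_i = nonce_i or secrets.token_bytes(16)
    nonce_r = nonce_r or secrets.token_bytes(16)
    priv_i, pub_i = dh_keypair(private=priv_i)
    priv_r, pub_r = dh_keypair(private=priv_r)
    shared_i = dh_shared_secret(pub_r, priv_i)             # initiator's computation
    shared_r = dh_shared_secret(pub_i, priv_r)             # responder's computation
    keys_i = derive_keys(shared_i, nonce_i, nonce_r)
    keys_r = derive_keys(shared_r, nonce_i, nonce_r)
    tag_r = psk_auth_tag(psk_responder, pub_i, pub_r, nonce_i, nonce_r)    # sent by responder
    expected = psk_auth_tag(psk_initiator, pub_i, pub_r, nonce_i, nonce_r)  # initiator's check
    return {
        "public_i": pub_i, "public_r": pub_r,
        "shared_i": shared_i, "shared_r": shared_r,
        "keys_match": keys_i == keys_r,
        "authenticated": hmac.compare_digest(tag_r, expected),
    }


if __name__ == "__main__":
    result = run_exchange(b"constructed-psk", b"constructed-psk")
    print(f"public values on the wire: {result['public_i']}, {result['public_r']}")
    print(f"shared secret never sent:  {result['shared_i']} == {result['shared_r']}")
    print(f"keys match: {result['keys_match']}, peer authenticated: {result['authenticated']}")
```

Two points worth seeing in the output: the shared secret is identical on both sides although it was never transmitted, and a responder holding the wrong pre-shared key still derives matching keys but fails the authentication check, which is exactly why the slide 16 origin-authentication step is not optional.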

Slide 23

Transport vs Tunnel Mode
• Default is tunnel mode
• Transport mode is used when the VPN gateways are the destination of the data stream.
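An added example, not from the deck, that builds ESP packets (slide 18) in both modes from this slide and shows the GRE-then-IPsec layering from slide 11. It uses ESP with NULL encryption and an HMAC-SHA-256-128 integrity check value so the framing stays readable: in tunnel mode a fresh outer header addressed to the gateways wraps the whole original packet (next header 4), while transport mode keeps the original header and protects only the layer-4 payload. The hosts, gateway addresses, key and UDP datagram are constructed; the TTL, ID and padding pattern in the builder are fixed for the demo.

```python
import hashlib
import hmac
import socket
import struct

# IANA protocol numbers
ESP_PROTO = 50
GRE_PROTO = 47
IPIP_PROTO = 4          # ESP "next header" value in tunnel mode (IP-in-IP)
UDP_PROTO = 17
ICV_LEN = 16            # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits (RFC 4868)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload; TTL/ID fixed for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_gre(src: str, dst: str, inner_packet: bytes) -> bytes:
    """GRE (slide 11): 4-byte header, no checksum/key/sequence, protocol type 0x0800 = IPv4."""
    return build_ipv4(src, dst, GRE_PROTO, struct.pack("!HH", 0, 0x0800) + inner_packet)


def esp_encapsulate(packet: bytes, mode: str, spi: int, seq: int, auth_key: bytes,
                    outer_src: str = None, outer_dst: str = None) -> bytes:
    """ESP with NULL encryption and an HMAC ICV, in tunnel or transport mode."""
    if mode == "tunnel":
        inner, next_header = packet, IPIP_PROTO            # whole original packet is the payload
        src, dst = outer_src, outer_dst                    # new header names the VPN gateways
    elif mode == "transport":
        inner, next_header = packet[20:], packet[9]        # only the L4 payload is protected
        src = socket.inet_ntoa(packet[12:16])              # original addresses are reused
        dst = socket.inet_ntoa(packet[16:20])
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    pad_len = (-(len(inner) + 2)) % 4                      # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))                 # RFC 4303 default pad pattern 1,2,3,...
    esp = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]   # covers SPI..trailer
    return build_ipv4(src, dst, ESP_PROTO, esp + icv)


def esp_decapsulate(packet: bytes, auth_key: bytes):
    """Verify the ICV first, then unwrap. Returns (mode, spi, seq, original_packet)."""
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):             # integrity + origin check
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_header = esp[-2], esp[-1]
    inner = esp[8:len(esp) - 2 - pad_len]
    if next_header == IPIP_PROTO:
        return "tunnel", spi, seq, inner                   # inner is a complete IP packet
    # transport: restore the original header (protocol and length come from build_ipv4)
    return "transport", spi, seq, build_ipv4(socket.inet_ntoa(packet[12:16]),
                                             socket.inet_ntoa(packet[16:20]), next_header, inner)


# Constructed demo traffic: a UDP datagram between LAN hosts behind gateways 203.0.113.1/.2
UDP_PACKET = build_ipv4("10.1.1.10", "10.2.2.20", UDP_PROTO,
                        struct.pack("!HHHH", 40000, 53, 13, 0) + b"hello")
AUTH_KEY = b"\x11" * 32   # constructed; a real SA key comes from IKE's Diffie-Hellman exchange


def demo():
    tunnel = esp_encapsulate(UDP_PACKET, "tunnel", 0x1000, 1, AUTH_KEY, "203.0.113.1", "203.0.113.2")
    transport = esp_encapsulate(UDP_PACKET, "transport", 0x1001, 1, AUTH_KEY)
    gre = build_gre("203.0.113.1", "203.0.113.2", UDP_PACKET)          # GRE first ...
    gre_ipsec = esp_encapsulate(gre, "transport", 0x1002, 1, AUTH_KEY)  # ... then IPsec
    return {"tunnel": tunnel, "transport": transport, "gre_over_ipsec": gre_ipsec}


if __name__ == "__main__":
    for name, pkt in demo().items():
        mode, spi, seq, inner = esp_decapsulate(pkt, AUTH_KEY)
        print(f"{name:15s} {len(pkt):3d} bytes on the wire, mode={mode}, spi={spi:#x}, "
              f"outer dst={socket.inet_ntoa(pkt[16:20])}, inner dst={socket.inet_ntoa(inner[16:20])}")
```

Running it shows why tunnel mode is the default between gateways: its outer header exposes only the gateway addresses, whereas the transport-mode packet still carries the end hosts' addresses in the clear. The GRE-over-IPsec case uses transport mode because the GRE header already supplies the gateway-to-gateway outer header, so ESP only needs to protect the GRE payload; flipping any byte inside the protected region makes decapsulation fail the ICV check before anything is forwarded.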
