Site to Site VPN Theory

Captions
Right, IPsec VPN. IPsec stands for Internet security, IP security. Now, this one is not a single protocol; it's a combination of protocols. That's what we saw in the previous class. It has got a set of protocols. For encryption there are DES, 3DES, AES; these are all algorithms for encryption. You cannot ask what the algorithm looks like and so on; it's an algorithm. You just enable it, the algorithm gets enabled, and it does its part, the encryption part. The strength of the algorithms will be different: DES has got only 52 bits to do the encryption, whereas triple DES has got three times that, three into 52, whereas AES has got 128 bits. So the strength may vary, but it's an algorithm which will do encryption.

Likewise hashing. A hash will be generated out of encryption. A hash value cannot be decrypted; your encryption can be decrypted, but hash values cannot be decrypted. Hash values are generated by algorithms like MD5 and SHA-1, to provide integrity for the data that you send, for the password that you send, a kind of protection to make sure that no one has touched the packet in the path. That's what integrity means. You can say this guy is really a trustworthy guy; he has got integrity, he is trustworthy, we can even trust him. So integrity means the thing which gives you the trust. For that you have various algorithms. Diffie-Hellman, named after the man who designed it, has got group 1, group 2, group 5, 15, 13 and so on. All of these work together to form ISAKMP. Now, these protocols in ISAKMP are phase 1 of IPsec, or IKE. IKE and IPsec are interchangeable: instead of saying IPsec you can say IKE, and instead of IKE you can say IPsec.

So the VPN happens in two levels. The first level is to share keys between the two VPN peers, just exchanging keys. That is taken care of by ISAKMP, which we call IKE phase 1. Phase 1 is the exchanging of keys. If that key is exchanged as plain text, anyone can sniff the packet, see the key and use the same key to form a VPN with you. So even the key should be shared in a secured manner. That's why ISAKMP has got encryption, hashing for integrity, group and so on, so that your key, first of all, is sent in a safer manner, in a protected environment. Sharing the key in a protected environment is what phase 1 takes care of. Once you share the key with the other peer, the other peer knows how to identify your packet and how to decrypt the packet. So now you are going to encrypt and send the packet, transform the packet, in phase 2, which we call IPsec or IKE phase 2. Here we will design the policies for encrypting data. In phase 1 also you encrypt, but not the data: there you encrypt, you hash, and all of that is provided for the key. Now, once the key is securely shared between the two peers, you are ready to define the parameters for the encryption of your data, for protecting your data.

So you have a lot of options. In the previous class we saw the difference between AH and ESP. AH cannot provide you encryption; it just encapsulates and then it authenticates, that's all. ESP, along with authentication and encapsulation, also provides encryption. So you can use any one, AH or ESP. Along with ESP, for encryption I can use DES or 3DES, and along with ESP I can use a hashing algorithm like MD5 HMAC or SHA HMAC. So when I define this, once the two parties are authenticated, the packets will be encrypted and hashed using these two algorithms and sent. So you not only protect your key, you also protect your data. For that we define the parameters: how my packet should be encrypted, whether my building should be built using mud, or white cement, or normal cement. Those things are defined here: what sort of cement I want to use to build my house.
So these parameters that you define must match with the peer's. If they do not match, the VPN will not come up. If you define 3DES as the encryption algorithm on one router, you must use the same thing on the other side. Everything should match; only then will the association establish. So VPN happens in two sections, two phases: phase 1 and phase 2. Phase 1 is about key management, key exchange. Phase 2 is about data encryption, protecting the data that is going to be sent between A and B. All right, so this is what we are going to see in detail today.

Right, examining Cisco IOS VPN. Now, how can I have a VPN on a Cisco IOS router? We know the meaning of IOS, Internet Operating System, which works on every Cisco device. Now, how to do this VPN on Cisco IOS. The VPN that we are trying to do is a site-to-site VPN, a VPN between two fixed sites, site to fixed site. You know who your destination is, with whom you want to form the VPN, and you want to secure the data sent between those particular sites. So for site-to-site you can have full mesh, you can have hub-and-spoke, you can have full mesh on demand, and DMVPN. There are various ways in which you can form a site-to-site VPN, but this one is fixed at the site. You have full mesh, you have hub-and-spoke, and you can also have VPNs formed between sites dynamically, which is called DMVPN, which is our aim of study; we are learning this to understand DMVPN better. Anyway, we will focus more on site-to-site today; we will talk about DMVPN in the next class.

There is also another type of VPN called remote-access VPN, which is not our area of study here. It uses the Cisco Easy VPN client software, which you can see in most of the grown-up countries used to access the library: they have a VPN, they just click the icon and then they get into the library and download, or they can read the books right from home. They don't sit in a library; they don't go much to the library to sit and study there; they have access to the library materials from home in a secure manner. That is Easy VPN. The Cisco Easy VPN client software will do that: you have a Cisco VPN server at the library, you install the Easy VPN client software that they have given you on your laptop or PC, and you get connected with the password that they give you and the group ID they give you.

There is also another type of VPN called WebVPN, which does not use IPsec; it uses SSL, secured shell. It is not as secured as IPsec, but it is also a solution for remote access. The beauty of WebVPN is that you can have a VPN with your office from anywhere, and anywhere means any computer. It may not be your computer; that computer has no idea about your office. You can use any public computer, from an airport, from anywhere, and do secure communication to your office. That is called WebVPN. What you need is one internet browser: Safari, Firefox or Internet Explorer. That's all you need to do WebVPN. You don't need any VPN client software; you don't need any additional software to be installed on the computer. See, if you are trying to use a public computer at an airport, they don't allow you to install anything. You can just use it and pay some number of euros or dollars for that many hours; you are not allowed to install or download anything. Then how can you form a VPN? If it is Cisco Easy VPN, it is not possible, because for Cisco Easy VPN you need the client software to be installed, which the public computers will not allow. So what we do is go with SSL VPN, WebVPN: you don't need any client software, all you need is an internet browser. If you have a browser to browse, that's enough; you can do a VPN with your office in a secure manner. But compared to IPsec it is not as secured; it is also a secure VPN, but IPsec is always more secure.

All right, so these are the various types of VPNs that we have, and VPNs are used in different places. You have a headquarters and you have a fixed branch office, where you will have a site-to-site VPN. You have a fixed partner: you can go with a site-to-site VPN. You have telecommuters; these guys are roaming guys, they keep running around, so what they need is a remote-access VPN. If they have their own laptop, they can go with the Easy VPN client; they can act like an Easy VPN client. If they don't have a computer with them, they can use the public internet and use the browser to have an SSL VPN. And VPN works over different media: it works on ATM, on serial, on Ethernet, Frame Relay, DSL, cable modem. It can work in any sort of WAN and LAN environment, no issues: extranets, intranets, any needs. So full mesh is not mandatory. You can also have a full mesh; if you have a full mesh you can also have a VPN over it. Full mesh is nothing but everyone connected to all the other routers; that's full mesh. And there may be a static public IP address given. Because you have a static public IP address, you know who your remote peer is, so you can have a static site-to-site tunnel, because you know your remote office's IP address. If the IP address assigned here keeps on changing, then you cannot have a site-to-site VPN. Why? You don't know the exact address of your remote site. For that come various other types of VPN like DMVPN; that's why we learn DMVPN. This address may change, never mind, but one address should be the same: that is the server's address in DMVPN. We will talk about that in detail when we go to DMVPN, not now. So for a site-to-site VPN what is mandatory is that the remote site should have a fixed IP address. That's why I said there are static public addresses between peers, no DHCP-given address; the address never changes. Within the remote site, the local LAN address can be private or public. So locally it can be private or public, but this public IP address that you have should be statically given; the address cannot keep changing.

In hub-and-spoke, if you see, you have a hub with a static IP address, so this will act as a DMVPN (dynamic multi-access VPN) server. It has got a fixed IP address, and these guys know the server's IP address. They associate with the server and they give their dynamic IP addresses, which keep changing: "Hey, today this is my address," "today this is my address," "take it, I want to form an association, let's form a VPN." So that is DMVPN, where you have many spokes, and the spokes will have different IP addresses in different periods; every day they won't have the same IP address, but still you can form a VPN. But it's not a site-to-site VPN; it is DMVPN, dynamic multi-access VPN, with spoke-to-spoke IPsec tunnels between two spokes for them to interact. They can have a private IP address; they can also have a public IP address. Now this is too early for you to know, because it's talking about DMVPN, which is not our area of study today. Easy VPN, as I told you, needs the Easy VPN client software installed, and you can access the Easy VPN server which is there in the office. So these guys have the Easy VPN client installed on the laptop, but they keep changing location; they are roaming engineers. But still, though they are in a remote area, they can communicate with the office in a secured manner because they have got the Easy VPN client software installed on the laptop. WebVPN, as I told you: all that you need is Internet Explorer or any browser, and still you can form a secured communication, not by using IPsec but by using SSL VPN. Right, so this chapter gave us an overall understanding of the different types of VPN. The next chapter is about IPsec in detail.

Next topic: site-to-site VPN using a pre-shared key. What is a pre-shared key? Beforehand you give the password for R1 and R2 to get authenticated with each other. So we define the password: we tell R1, if anyone is coming with this password, cisco123, accept him as the genuinely authenticated person. But the thing is, you need to have the same password on both sides. Why? This password will not be shared; instead the hash value will be shared between these two routers. The hash value will be taken care of by phase 1, ISAKMP. ISAKMP will take this key, this password, encrypt it, generate a hash value and provide integrity over the path. Yes, right. So between R1 and R2 you want to form a VPN. Now how do you know that you are forming the VPN with the right person? By authenticating. So what we do is, on both routers we provide the same password, the same key. This key will be taken by ISAKMP and encrypted, a hash value will be generated, and the hash value is sent; they exchange the key between the two. R2 will send its key, R1 will send its key. Now, the R1 key that is received on R2: R2 will compare it with the hash value that is generated locally, the incoming hash value against the locally generated hash value. Because they match, R2 agrees to form an association with R1. In the same way, R1 will agree to form an association with R2 when the hash matches. This is what happens in phase 1. Once they agree, they are ready to encrypt the data and send it. To whom? Only to those who passed phase 1.

Right, now let's see it in steps, one by one. First of all we need to prepare ISAKMP and IPsec. If you want to have a site-to-site VPN using a pre-shared key, we need to do phase 1 preparation and phase 2 preparation; this is IKE phase 1 and IKE phase 2. So for that, the first step is to configure ISAKMP with the pre-shared key for authentication. Next is phase 2. What is it? Configure the IPsec transform set; this is phase 2. Transform: transformation, conversion. So how you are going to convert your data so that it will be more secure is decided here in phase 2. I'll be using ESP SHA, ESP AES, ESP SHA, something like that; I'll be using this to transform my data. Those things are decided in phase 2, so we define those things here in phase 2.

Next we write an ACL to say which traffic should be VPN'd. Very, very important. This you didn't see in the previous class, because we were using a GRE tunnel. Today we are not going to have any tunnel, no GRE tunnel, no tunnel of any sort; we are going to have just secured communication, that's it. So you have to define which traffic gets encrypted. Let's have a scenario like this. I have got a computer here whose IP address is 10.0... let it be a public IP, nothing wrong: 100.0.0.1. This 100.0.0.1 is connected to router 1 and you want to form a VPN. So let's say this is site A, and site A is connected to R1, and R1 is connected to the Internet, and from the Internet we also have a remote site, R2, connected to some other server, 80.0.0.1. Now this 80 and this 100, let them be public, no problem. Now, whenever 100 wants to go to 80 to get some data from the remote office, you want to do VPN. But when the same 100 wants to go somewhere else, cisco.com or Gmail or some shopping site, Amazon, eBay, OLX, whatever, you don't want to do VPN with them. Same source, but if the destination is Cisco you don't go through the VPN; you don't do site-to-site VPN. But when this source and this destination match, only then do you want it tunnelled. For that what you need is an ACL. We write an ACL, and it is a normal ACL only, but we call it a crypto ACL. Why? Through that ACL we say which traffic needs to be tunnelled; whichever traffic doesn't match the ACL will be sent without encryption. So if the ACL denies, it doesn't mean the traffic will be denied; the traffic will be allowed, but allowed without encryption.

So we are going to write an ACL just to tell the router which traffic needs to be encrypted and which need not be. Only for that do we need an ACL here. After writing the ACL, we call the ACL under a map called a crypto map, and then we call the crypto map under the interface. Why? If I call the ACL directly on the interface, what will happen? Those that did not get matched with the ACL will be denied. I want everyone to go to cisco.com, gmail.com and everywhere; I do not want to deny, but I want to encrypt the traffic when site A and site B talk. So what I do is call the ACL under a crypto map, and then call only the crypto map on the interface, not the ACL directly on the interface. If you put the ACL directly on the interface, all those that didn't match will be denied. That's not our aim; our aim is that whoever got matched with the ACL should be tunnelled, and the others should be sent without encryption. So you need a crypto map. These things are new for you. In the previous class I didn't write any ACL, because whatever traffic was already in GRE we wanted to encrypt; the objective was different. Here it is different: here we write an ACL because we don't have any tunnel here, GRE or any other tunnel. We use a crypto map and then bind the crypto map under the interface. At last we will test and verify VPN phase 1 and phase 2. So this is what you are going to see in this entire chapter. I have explained everything here, but it is going to come in a step-by-step approach.

See here: before you form the VPN, prepare your router for IPsec. What do we mean when we say prepare the router? Make sure you are able to ping from R1 to R6. Go to R1 and just ping the IP address of R6; it pings. This is what preparation means: first of all they should reach each other. Next, check whether any other policy is already there, a phase 2 policy. Phase 2 is IPsec; ISAKMP means phase 1. Check whether there is already a default policy, or a policy given by someone else. Sometimes that may hinder your configuration. To do that we type the command show crypto ipsec policy. By default there won't be any phase 2 policies, but there will be a phase 1 policy by default: a policy called the global IKE policy. If you want to use that, you can use that; otherwise you can simply go with your own policies. The default policy says: I will encrypt any data that you want to send via VPN using DES, and encrypt the key with DES; I will generate a hash value with SHA; the authentication method is not pre-shared key, I'll use RSA signatures to do it; the group by default is 1; and the lifetime for the key that I'm going to share is only 1 day, 24 hours, 86,500 seconds. So this is the default policy. If you are OK with this you can use the default policy, but we don't do that. Why? Everyone knows this policy; I don't want to open the gates for attacks. So I want to have my own policy. Instead of DES I may need 3DES. OK, I am OK with SHA, it is very strong. I don't want the RSA signature; I want to go with a pre-shared key, I want to define the key. And I may not be happy with group 1; I want to go with group 2.

Here the key is valid for one day. After one day what will happen, will the VPN go down? No. If the VPN is still in use, it will send another key without dropping; the VPN will not get dropped. They will negotiate another key; they will generate another key and send it. They will generate another hash from the same password that you gave, but the hash value will be generated fresh. They will renegotiate. Yes, both will rekey at the same time, same time, yep, correct. And this one also should match with the other device: the clocks should match. Time is very important; the clock should match. Fine. And this can be altered. If you are not happy with 24 hours, you may be willing to rekey every one hour; you can do that, you can change the timing. It's optional; giving the time is optional. But what is mandatory is these things: you need to define them if you don't want to agree with the defaults; you need to define them according to your own policies. But lifetime is optional. And then check whether any crypto map is already there. By default there won't be any crypto map, and there won't be any transform set. After configuring, if you go and check, you can find your own transform set, your own crypto map, your own ISAKMP policy along with the default global IKE policy, and you will also see IPsec.

One more thing I want to tell you before we go further. IKE means ISAKMP; it also means IPsec. IPsec also means IKE. But IPsec doesn't mean ISAKMP. So it depends on which phase: if it is phase 1 we call IKE ISAKMP; if it is phase 2 we call it IPsec. Overall, what name do you give for the VPN? IPsec. Can I call it IKE? You can, but that is not that popular. You can call it that, because that is also another name given for phase 1 and phase 2. So you may get confused with these terms, but there is no confusion here: IKE, if it is for phase 1, we call it ISAKMP; IKE, if it is for phase 2, we call it IPsec. What VPN is it? IPsec VPN. What is this pointing towards, phase 2 or phase 1? It is the global name; overall it indicates both phase 1 and phase 2. But the command goes like ipsec for phase 2 and isakmp for phase 1.

Now, in case you use a private IP address, make sure you do NAT. And on the Internet, if there is a firewall between R1 and the Internet, and between R6 and the Internet, make sure IKE, AH, ESP, NAT traversal, all of these are permitted properly. So for allowing AH: this is not AHP, this is a mistake, it is simply AH. This is the command. If there is an ACL, make sure you permit between 1.2 and 6.2. This is for IP protocol 51. What is IP protocol 51? We learnt it in the previous class: it is AH. And we say permit ESP, meaning we are permitting IP protocol 50. And here we say UDP protocol. See, we know layer 4 has got UDP or TCP. User Datagram Protocol is unreliable communication; TCP is reliable, connection-oriented; UDP is connectionless, best-effort delivery. We know that. But ISAKMP uses UDP, UDP port number 500. So you can mention 500 here, or you can simply say isakmp, it is understood. There is also something called NAT traversal. If you have NAT traversal, that is called NAT-T, then you need to allow UDP 4500, or you can say non500-isakmp. Non-500 ISAKMP is nothing but NAT traversal. That's not our area of study, so no need to worry about these things; these are all for the security guys.

Now, planning. Planning for IPsec, or planning for the IKE policy; I told you IPsec and IKE, everything is interchangeable. Determine the following policy details. Key distribution method: how are we going to share the key? Are you going to do pre-shared key or some other method like RSA signatures? That's not our area of study; we use pre-shared key, so the key distribution method is pre-share. How do you want to authenticate, using ESP or DES or 3DES? What's your peer IP address, the remote IP address? What algorithm do you want to use for encryption, for hashing? What is the lifetime you want to provide for ISAKMP phase 1? By default it is 24 hours. So these are all in planning. Now here there is a comparison between different phase 1, that is ISAKMP, policy parameters. For encryption you can use DES or 3DES or AES, but which is stronger? You see here: 3DES and AES. For hashing you can use MD5 or SHA-1, SHA. For authentication, pre-share, or you can use RSA signatures. But which is popularly seen in the real world? RSA in a big environment; in a small environment they go with pre-shared key, because we want to provide our own key. But in a big environment, when we have more sites, we want some automation; we don't want to predefine the key, we want to use a centralized certification authority to authenticate each other, so you can go with that. And for exchanging the key, Diffie-Hellman group 1 is OK, but what is better is 2 and 5; that's why I always use 2. Lifetime: one hour or one day? One day is the default. If you want to reduce it, it will be stronger. Why? You rekey more often; the more often you do the rekeying, the more you can avoid someone attacking, the more you can avoid getting compromised by a third party.

Right, now if you are configuring phase 1, this is very important: on both side 1 and side 2, whatever you put on side 1 should be the same on side 2. For encryption I used AES, so it should be the same; I cannot use one encryption on one side and 3DES on the other side. This policy should agree. Once identified, this side also should be MD5; one side pre-share, the other side also should be pre-share; group also. The lifetime need not match, but it is good to match. Why? Otherwise they won't be in sync; there will be a drop for some time and then it will come back when the time matches. So it is good to have the time in sync also. If you don't change it, by default it is 24 hours on both sides. Pre-shared key: so this is the address of R6, 6.2 (the slide is a mistake, it is 6.2), and this is the address of R1, the peer address. So the peer addresses need not match; they won't match. First of all, they should not match. And here they made a mistake: instead of 2 it is 6. So the peer is not this 2; don't get confused here. You may need traffic going from here to here to get encrypted; yeah, traffic from here to here I want to get encrypted. Those things I don't mention here; those things I mention in the ACL. This is for forming the tunnel. So when you talk about the peer, don't talk about the traffic source. Traffic sources are mentioned in the ACL and the crypto map. So whenever you write the peer, you need to be very careful. People get confused only here, in writing the peer; they say on side 1 "10.0.6.x". No, it's wrong. That is not your VPN peer; that may be your final destination, but for R1 the peer is 6.2, and for R6 it is 1.2. That's the VPN peer. You do site-to-site VPN on the routers, not on the PC.

All right, so that is phase 1. Phase 2 is about the transform set. Determine the following policy details: IPsec algorithms and parameters for optimal security and performance. For what? For data. So I need to define what algorithm I am going to use for the hashing and encryption of my data. That we call the transform set. And the IPsec peer we will define on the crypto map. Anyone has a question? I think someone has turned on the mic. Any question? OK, all right, welcome back. So the IPsec peer details will be mentioned on a crypto map; when I do it, you will see that. And then this is also the same thing, talking about the peer IP address. And then we will not use manual; we will use automatic IKE to do the security association, auto association between the IPsec guys. Again, no need to worry about manual; it is not practically being used in the real world. Now this is the way that you define the transform set, phase 2: crypto ipsec transform-set, and you can go with any two of these, one for encryption and one for hashing. So here you have got this: AH will not do encryption; that's why you don't see anything for encryption, you have any one of these for hashing. If you are going for encryption then ESP is the option: you have got three options for encryption, you can go with any one of these, with any one of these two options for hashing. You can also use null or SEAL, but not practically. So when you define the phase 2 parameters, even that should match with the neighbor. See, in the transform set, if I use DES for encryption, I need to use DES on the other side. So my remote host is B; here the remote host is A. The remote IP address is this, which I will be defining in the crypto map, and here the remote address is R1. The host encryption IP address is defined in the ACL: this is not 6, this is not 1.3, it is 1.12. Which traffic needs to get encrypted? Traffic going from 10.0.1.12 to 10.0.6.12. So any traffic going from here to here needs to be encrypted; this we will define using access control lists. Whatever packet it is, a TCP packet or a UDP packet, you can define anything, or ICMP: what traffic you want to allow from here to here to be encrypted, that we can define. And automated: how the security association should be established automatically using IPsec and ISAKMP, not manually.

So the VPN can be configured on a Cisco router, or an ASA, Adaptive Security Appliance, or a PIX; these are all security boxes from Cisco. Or it can be a VPN concentrator, another special device for VPN alone. It can be a normal Cisco router, it can be an IPsec peer, non-vendor-defined, or VPN client software. So anything can be a peer; it is not always router to router. It can be between a router and a PC, between a router and a firewall, between a router and a VPN concentrator, or between a router and a laptop that runs the VPN client, the Easy VPN client software.

So this is the configuration step. Step 1: what we will do is write the phase 1 parameters. You don't need to enable phase 1; by default it is enabled, you don't need to enable it on a router. But on a Cisco ASA you have to enable it manually. We don't deal with this; we are doing it on an IOS router, so no need to worry about enabling ISAKMP; it is enabled by default. So step 1 is not for us. Step 2: create the ISAKMP policy, where we say the authentication method, pre-shared key, all the stuff, or RSA key. We don't use RSA; we use a pre-shared key, not public key infrastructure. So step 3 is not for us. After doing step 2 we will go and verify: step 4, verify the ISAKMP configuration. This is phase 1 configuration done. Phase 2: OK, here they show the example of how to enable ISAKMP if it is disabled. By default it is enabled. If it is disabled then you enable it like this: crypto isakmp enable. How to disable? There is no command "disable"; you just put no in front of the same command and it gets disabled. So if it is disabled this is the way that you enable it; by default ISAKMP is enabled. You can write an ACL matching UDP 500 and block a particular interface from forming a VPN. We don't do that; you want to form a VPN, why would you block it?

Next, this is how we define the policy: crypto isakmp policy, give any number. Is there any significance to this number? Yes. If I have policies 10, 20, 30 here and policy 50 there (here only one policy, here there are three policies), the policy numbers need not match, not necessary; they need not match. Now first they will try to form an association; these two guys will talk to each other: "I want to form an association, what do you say?" OK, this guy is sending the policy first. R1 will check the policy against 10 first; it won't check 30, it will check with the smallest policy number first. If 50 and 10 agree, match that, and then they perform the key exchange. If this did not match, only then will it go and check policy 20. See, this is how the overall policy looks: encryption, hashing, authentication, group, lifetime, like this. You can have many policies. Here you see policy 110, policy 210, policy 320, policy 310. So this number need not match, but what needs to match is the content inside. Here I think this is matching: yeah, this is matching, 3DES 3DES, pre-share pre-share, MD5 MD5, 2 2. This is matching. So first this will be checked against this; because there is a match you don't go and check with the others. Assume you do not have this. So this will try to associate; it will compare with 110, no match; only now do you go and check 210. So what I am coming to say is that the smallest policy number is checked first; if it doesn't match, go to the next, and keep going till there is a match. If there is no match, no association. So the policy number also matters if you have more than one policy; otherwise it's not at all an issue.

Define an ISAKMP policy with a set of parameters used during the phase 1 negotiation, the IKE phase 1 negotiation, ISAKMP. This is the sample example: it is for 10 hours, 3,600. What we saw here is 86,400; this is one day by default, but in this sample output they have made it 10 hours. So every 10 hours this will automatically do the rekeying; you will not come to know that it is doing the rekey, it will happen automatically without getting dropped; it's taken care of. This is the default timer; you can change the timer like this. This is for phase 1. I want to mention here very well, again and again I want to say, this is for phase 1. Like this you also have a timer for phase 2, for phase 2 to re-associate; for providing more security you have a timer for phase 2 also, which will be coming. So here you already saw how the number is significant during negotiation. Crypto isakmp identity address: we use it along with the key. Actually, this method we don't use; we use it along with a key. We can also do it like this, but it's not necessary. Now, here this is how we do it; we do not do it like this, we do it like this: crypto isakmp key, what key I am using to authenticate, this is the pre-shared key, and with whom I want to verify, with R6, 6.2. This I do on R1. Next is the transform set; this is phase 2. Phase 1 is over, so what we saw is phase 1 and here comes phase 2: crypto ipsec transform-set. Sorry, we configure the transform set, and then we set the lifetime for this phase
to transform set this is also optional this you already saw you know how to define phase to transform set crypto IPSec transforms that give any name and then I want to use for encryption I want to use - and for for hashing you want to use md5 whatever I used in phase one I can use in phase two but it is not mandate in phase one for for encryption of key if I use for three days here my data can be encrypted with three days or it can be encrypted with anything not necessary that the algorithm should match with phase one and phase two not necessary at all by using this your data will be encrypted and hashed so transformed set can be defined using number the mode is tunnel mode I showed you by default distal mode you can have many transform set and you can have negotiation like this here also number matters first it will take the smaller one next smaller one and the next smaller one so this a match happened between this and this so with this only they are going to encrypt and decrypt data so they agree on these Al Gore on both the side only if you have more transform set you can do this but we don't we don't go with this you just use only one side to side so only one transforms it this is what I was telling you for phase two also you can set lifetime for renegotiation doing security Association once again here you can save every 10 hours you can do this face to renegotiate check whether the other way is really having the same policy every 10 hours this command is configured globally IPSec security Association lifetime value when you negotiate IPSec security Association IPSec security Association lifetime or negotiated during phase 2 you can optionally configure again I am saying it's optional interface specific IPSec security session lifetime in crypto map IPSec security lifetime encrypted map overrides the global ok there is also an interface level also global level interface level will always override the global level again I am Telling You this lifetime itself is an 
optional one not mandate there is also another option you can use any one of this you can say after this many kilobytes kilobytes of data on VPN you do reassociation or you can say the timer either this or that you can say if he pin VPN has passed this many kilobytes of data if he pin is used to send this many kilobytes of data then you do Ari Association security Association once again phase 2 association once again with the peer or you can set the time in seconds and say after this many seconds you do reassociation as I already told you a CL is used to say which traffic need to be encrypted and which traffic need to be bypassed from encryption which ever gets matched with the ACF will be tunneled will be encrypted the other traffic will be just bypassed it won't be tunneled it will be sent without encryption so traffic going to some internet it will be sent without encryption by passed from tunneling same inbound traffic also when the match happens with the written traffic then it is VP and other traffic's will will not be getting drifted they will be just sent bypassed so only those that got matched with the ECL those traffic need to be decrypted and accepted as a VPN packets so a CL does the job here see here is an example here they are writing a name dacl but they use a number but still it's a named ACL the extended command has been used permit any traffic going from ten dot zero dot one network to ten dot zero dot X need work and it should be a TCP so only TCP traffic going from here to here you want to do VPN ICMP you don't want so i simpiy traffic will be bypassed so here permit means encrypted deny means do not encrypt bypass send it without encryption so after writing an ACL like this what we do is so what what here it is said is on r1 it's not a big thing an r1 you will say permit this going this so source will always come first and destination will come next like phase an r6 it will be a mirror meaning this will become the source six will become the 
source and this source will become the destination here that is what they mean here mirror image of a seal must be configured and then we write a crypto map what is the purpose of crypto map the purpose of crypto map is to say which traffic should be tunnelled we call the ACL in the crypto map which traffic should be protected by IPSec where the IPSec protected traffic should be sent to which destination so pier address will also we will mention here pier address will mention here in IPSec phase to crypto map we will say ACL and then what is a local address of the IP traffic your your your physical interface address this is optional and which type of which IPSec type should be applied on this traffic I say KMP IPSec weather security associations are established manually or I key we use ideally not manually and other optional parameters you can defend so very important thing is an ACL and the pier address and the transform set where it is that invention transforms it so those three should be mentioned in the crypto map so crypto my parameters as I already told you this crypto map will have an ACL transform set the pier address management key management method means you know using is a km BITC and security Association lifetime option we will put all this in a crypto map and assign the scriptum up to the router interface in one single comment we'll call the crypto map like this we don't use manual so don't worry about this so we say crypto map give any name and this number can be any number to identify the crypto map and IPSec is a kmb now you may ask why do you use a number as well as the name see with the same name you can have many number of crypto map if you have a number so you just called one single name you call all the crypto verb under the interface one single name with the different different peer a dress for every peer address you will have different crypto map number and when you call that single name all the crypto map will be called under that name with 
a different different peer matching that's why you need a name and a number here see you call the access list here this is an access list number this is the peer number P redress this is the transform set name and this is the lifetime optional and then go under the interface and call the crypto map that's all your VPN is over see the overall configuration will look like this this may be very small but we are going to do this in some time so you got phase one here encryption three days three days both side it should be same this number need not to be same can be different but three days three days it should be same md5 and effect should be same pressure keep region key should be same group to mean zero so it should be same lifetime also it should be same and crypto I see can be cisco one two three four here also it should be same but only the pier address will be different here we will give our to address here we will give our once address and then we define phase 2 parameter phase 2 parameter what we say is we want to use only for encryption we want to use this we don't we don't do hashing here you don't do hashing here only encryption this is phase 2 and then we write a map called crypto map given name and give a number and this is automatic kernel IPSec is a KMP we say who our peer is pd6 6.2 and we call the transform sit here is the transform set we call the transforms at phase 2 and here is the ACL CaCl says and this is a mistake it's not 1 not 1 it is 1 not 2 ok here or not I am changing here it is 1 not 1 see I am changing this one this should be 1 not if it is 1 not 1 there it should be 1 or 1 here so permit any traffic going from 10.0 to 1/24 to traffic 10.0.0.0 / 24 say this access-list i am calling in the crypto map at last I call the crypto map under the interface do the same thing on the other side your VPN is up now whenever you do TCP because ok here it is mentioned IP so any traffic from here to here will be sent encrypted so how to test it we can 
test any non mini comments crypto show crypto is a KMP security Association will show you this show crypto transforms it will show you this show crypto map will be showing you this show crypto map IPSec security Association on is a KMP security Association will show you the current status how many things how many packets encrypted how many packets got decrypted all those status you can also use debug command if we pin is not coming up so this is what the verification commands that we see here is a sample output when you type show crypto is ikb policy it will show you all the policy this is default policy this is user-defined policy when you type show crypto IPSec TransAm said it will show you what you have enabled and what mode by default it is default mode is tunnel and for encryption this is what the algorithm used and when you type show crypto map and the interface name it will show you on on on this interface what crypto map is been binded in that crypto map which is configured as peer and what access list number and what is the access list permit I want you to make make a note of this command this is really a good command it shows phase 1 phase 2 everything here sorry it shows complete phase 2 and the access list everything except phase 1 everything is shown here show crypto map interface and then the interface name it shows the current peer it shows the lifetime that transform said is SN RS what does s n RS do and that is not mentioned here it is it is there in the pre previous slide SLRs there's only ESP DES encryption so anyway it shows the name of the transform set this is user defined name is a user defined name and it shows on which interface this has been applied all the spinet now what is the sign that VPN is up or not to check whether phase one is up this is the command phase one show crypto is a kemppi sha security Association crypto I give me security Association when you type this you should see your destination address and your own address the 
source and you must see idle idle is a good sign and here the state should be active status should be active state should be idle it's a good thing you should not see anything else collection ID is automatically generated QM idle is a good state so now if you want to see how many packets got encrypted and decrypted this is the command phase to show crypto IPSec security Association it shows you on which interface and what crypto map and what is the local ID and between which two between which source and which destination the packet will be encrypted this is this you got because of the ACL and then it will also show you how many packets got encrypted so far and how many packets got decrypted so far alright and many more information actually here it is not completely shown here there will be many more information like what type of trance some said everything will be here so you can use the satio commands and debug commands to troubleshoot if you learn properly you know how to do we pian there won't be much trouble in doing so you won't have a trouble if you face trouble you can use some show commands and you can easily figure it out it depends on the trouble that you face it depends on the output that you type the show commands first what I will do if I if I want to troubleshoot someone's EPN the first thing I will do is show crypto is I can be si I'll check whether phase one is up or not if I don't seek QM Idol I showed you here right if I don't see this if I'm not seeing this then what I'll do is I'll enable debug so phase one itself is not up and enable this dump debug before enabling this debug first of all I will just try to ping to sites ping is happening but I don't have this so what I'll do is I will shut down and then I'll say no shut down and I will try to generate a traffic if nothing is happening the VPN itself is not properly configured if no debug is coming then I will go step by step phase one configuration phase two configuration so to refresh your 
VPN this is the command clear crypto is a KB refreshes phase one show clear crypto securitisation refreshes face on it face to face on debug phase two debug these are the some error messages you can go through later if you fear if you say no if you see an error message like not authenticated then password is not matching on both the side all right and then remote peer so and so response with respond with attribute Chad no offered means you know the peer address may not be matching on both the sides so peer is failing so this chapter has given you a very clear understanding of phase one and phase two configuration I hope so I'll send you this document you I want you to go through this document and this video once again and come back in the next class I am going to do this configuration step by step mean value you can also try configuring by yourself with this document that I'm sharing with you I'll also share you one of the video that I recorded in the previous batch for side-to-side VPN well sherry the link you can go through the link and come come up with some doubts right when you come to the next class next class I'm going to do side to side VPN between two routers and if you have any doubt you can ask me now
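The full site-to-site configuration walked through in the lecture, written out for both peers as an added example. This is not the instructor's slide or lab configuration; the WAN addresses (203.0.113.1 and 203.0.113.6), LAN subnets (10.0.1.0/24 and 10.0.2.0/24), interface names, ACL and transform-set names and the key "cisco1234" are all constructed placeholders for illustration.

```cisco
! Added example, not from the video. Constructed values:
!   R1: WAN 203.0.113.1 on Gi0/0, LAN 10.0.1.0/24
!   R6: WAN 203.0.113.6 on Gi0/0, LAN 10.0.2.0/24
!   "cisco1234" is a placeholder pre-shared key
!
! ===== R1 =====
! Phase 1 (ISAKMP / IKE): the policy number is local to the router and is tried
! lowest-first; the parameters inside the policy must match the peer's.
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
! pre-shared key bound to the peer's WAN address
crypto isakmp key cisco1234 address 203.0.113.6
!
! Phase 2 (IPsec): the transform set does not have to reuse the phase 1 algorithms
crypto ipsec transform-set TS-R1-R6 esp-3des esp-md5-hmac
 mode tunnel
! optional global phase 2 lifetime (10 hours); a crypto-map lifetime overrides it
crypto ipsec security-association lifetime seconds 36000
!
! Interesting traffic: permit = encrypt, deny (or no match) = send in the clear
ip access-list extended VPN-R1-TO-R6
 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
!
! Crypto map: ACL, peer and transform set are the three things that must be present
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.6
 set transform-set TS-R1-R6
 set security-association lifetime seconds 36000
 match address VPN-R1-TO-R6
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP
!
! ===== R6 (mirror image of R1) =====
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key cisco1234 address 203.0.113.1
!
crypto ipsec transform-set TS-R6-R1 esp-3des esp-md5-hmac
 mode tunnel
!
! source and destination swapped relative to R1's ACL
ip access-list extended VPN-R6-TO-R1
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-R6-R1
 match address VPN-R6-TO-R1
!
interface GigabitEthernet0/0
 ip address 203.0.113.6 255.255.255.0
 crypto map VPNMAP
```

After sending traffic between the two LANs, show crypto isakmp sa should list the peer in state QM_IDLE (phase 1 up), and show crypto ipsec sa should show the encaps and decaps counters increasing (phase 2 up); show crypto map shows which peer, ACL and transform set the map binds. 3DES, MD5 and DH group 2 follow the lecture's slide; on a current IOS image you would pick AES, SHA-2 and a larger DH group with exactly the same structure.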
Info
Channel: Jayachandran
Views: 68,662
Rating: 4.758007 out of 5
Keywords: Virtual Private Network (Software Genre)
Id: MnVEfVp_P-w
Length: 75min 19sec (4519 seconds)
Published: Fri Oct 31 2014