© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.214-1 Lesson 14 Virtual Private Network Configuration.


Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
– Identify how the PIX Firewall enables a secure VPN.
– Identify the tasks to configure PIX Firewall IPSec support.
– Identify the commands to configure PIX Firewall IPSec support.
– Configure a VPN between PIX Firewalls.
– Describe the Cisco VPN Client.

The PIX Firewall Enables a Secure VPN

PIX Firewall VPN Topologies
– Other vendors to a PIX Firewall VPN
– A PIX Firewall to a PIX Firewall VPN gateway
– A PIX Firewall to a router VPN gateway
– A VPN Client to a PIX Firewall VPN via dialup
– A VPN Client to a PIX Firewall VPN via a network
(Figure: the topologies above, connected across the Internet)

IPSec Enables PIX Firewall VPN Features
– Data confidentiality
– Data integrity
– Data authentication
– Anti-replay
(Figure: IPSec tunnel across the Internet)

What Is IPSec?
– IETF standard that enables encrypted communication between peers
– Consists of open standards for securing private communications
– Network layer encryption ensuring data confidentiality, integrity, and authentication
– Scales from small to very large networks
– Included in PIX Firewall version 5.0 and later
(Figure: IPSec tunnel across the Internet)

IPSec Standards Supported by the PIX Firewall
– IPSec
  –Authentication Header (AH)
  –Encapsulating Security Payload (ESP)
– Internet Key Exchange (IKE)
– Data Encryption Standard (DES)
– Triple-Data Encryption Standard (3DES)
– Advanced Encryption Standard (AES)
– Diffie-Hellman (DH)
– Message Digest 5 (MD5)
– Secure Hash Algorithm (SHA)
– Rivest, Shamir, and Adleman (RSA) signatures
– Certificate Authorities (CAs)

How IPSec Works

Five Steps of IPSec
– Interesting traffic: The VPN devices recognize the traffic to protect.
– IKE Phase 1: The VPN devices negotiate an IKE security policy and establish a secure channel.
– IKE Phase 2: The VPN devices negotiate an IPSec security policy used to protect IPSec data.
– Data transfer: The VPN devices apply security services to traffic and then transmit the traffic.
– Tunnel terminated: The tunnel is torn down.
(Figure: Host A, PIX A, PIX B, Host B)

Step 1: Interesting Traffic
(Figure: Host A, PIX A, PIX B, Host B; traffic selected for IPSec is labelled "Apply IPSec", all other traffic "Send in clear text")

Step 2: IKE Phase 1
IKE Phase 1: main mode exchange. On both PIX A and PIX B:
– Negotiate the policy
– DH exchange
– Verify the peer identity
(Figure: Host A, PIX A, PIX B, Host B)

IKE Phase 1 Policy Sets
Negotiate IKE proposals: negotiates matching IKE transform sets to protect the IKE exchange.

IKE policy sets:
– Policy Set 10: DES, MD5, pre-share, DH1, lifetime
– Policy Set 15: DES, MD5, pre-share, DH1, lifetime
– Policy Set 20: 3DES, SHA, pre-share, DH1, lifetime
(Figure: Host A, PIX A, PIX B, Host B)
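The negotiation the slide describes, written out as an added example (not Cisco's code, and not part of the original deck): each peer holds numbered policy sets, the responder walks its own sets in priority order and accepts the first one whose encryption, hash, authentication method and DH group match something the initiator offered. The policy contents (priorities, lifetimes) are constructed, and the lifetime rule (the shorter of the two lifetimes is used) is an assumption rather than something the slide states.

```python
"""IKE Phase 1 policy-set negotiation, modelled on the numbered policy sets
on the slide.  Added illustration, not Cisco's code: the policy contents
below are constructed, and the lifetime rule is an assumption."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int        # 'isakmp policy <priority>'; lower number is tried first
    encryption: str      # des | 3des | aes
    hash_alg: str        # md5 | sha
    authentication: str  # pre-share | rsa-sig
    group: int           # DH group 1 (768 bit) or 2 (1024 bit)
    lifetime: int        # IKE SA lifetime in seconds


def policies_match(a: IkePolicy, b: IkePolicy) -> bool:
    """Encryption, hash, authentication method and DH group must all agree.
    Lifetime does not have to: it is settled separately in negotiate()."""
    return (a.encryption == b.encryption and a.hash_alg == b.hash_alg
            and a.authentication == b.authentication and a.group == b.group)


def negotiate(initiator: List[IkePolicy],
              responder: List[IkePolicy]) -> Optional[Tuple[IkePolicy, int]]:
    """The initiator offers all of its policy sets in one proposal; the responder
    walks its own sets from the lowest priority number upward and accepts the
    first one that matches any offered set.  Returns (accepted responder policy,
    effective lifetime), or None when nothing matches and Phase 1 fails."""
    for mine in sorted(responder, key=lambda p: p.priority):
        for offered in sorted(initiator, key=lambda p: p.priority):
            if policies_match(mine, offered):
                # assumption: the shorter of the two lifetimes is used
                return mine, min(mine.lifetime, offered.lifetime)
    return None


# Constructed policy sets for two peers.
PIX_A_POLICIES = [
    IkePolicy(10, "des", "md5", "pre-share", 1, 86400),
    IkePolicy(20, "3des", "sha", "pre-share", 1, 86400),
]
PIX_B_POLICIES = [
    IkePolicy(15, "3des", "sha", "pre-share", 1, 43200),  # PIX B prefers this one
    IkePolicy(25, "des", "md5", "pre-share", 1, 86400),
]
PIX_C_POLICIES = [IkePolicy(5, "aes", "sha", "rsa-sig", 2, 86400)]  # nothing in common with PIX A

if __name__ == "__main__":
    # PIX A initiates to PIX B: B's set 15 (3DES/SHA) wins, lifetime 43200
    print(negotiate(PIX_A_POLICIES, PIX_B_POLICIES))
    # PIX B initiates to PIX A: A's set 10 (DES/MD5) wins, because the responder's order decides
    print(negotiate(PIX_B_POLICIES, PIX_A_POLICIES))
    # PIX A to PIX C: None, Phase 1 fails
    print(negotiate(PIX_A_POLICIES, PIX_C_POLICIES))
```

The two directions of the first pair show why the slide warns about mismatched sets: the same two peers can settle on a weaker or a stronger suite depending on who initiates, so the strongest acceptable suite should carry the lowest priority number on both sides.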

DH Key Exchange
– Public key A + Private key B = Shared secret key (BA)
– Public key B + Private key A = Shared secret key (AB)
(Figure: Terry and Alex exchange public keys across the Internet; each combines the peer's public key with their own private key and arrives at the same shared secret key, which is then used to encrypt and decrypt a message, shown as a cheque "Pay to Terry Smith $ One Hundred and xx/100 Dollars" and its ciphertext)
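The exchange in the figure carried through with numbers, as an added example that is not part of the original deck or Cisco's code. The group parameters 23 and 5 are a constructed toy group chosen so the arithmetic can be followed by hand; IKE DH group 1 uses a 768-bit MODP prime, which this example does not reproduce. The key derivation at the end is a simplification (IKE additionally mixes nonces and cookies into the key material).

```python
"""Diffie-Hellman as sketched on the slide: each side combines the peer's public
value with its own private value and both obtain the same shared secret.
Added illustration, not Cisco's code.  TOY_P/TOY_G are a constructed toy group."""
import hashlib
import secrets
from typing import Tuple

TOY_P = 23   # constructed toy prime (far too small for real use)
TOY_G = 5    # constructed generator


def public_value(private: int, p: int = TOY_P, g: int = TOY_G) -> int:
    """The value that goes over the wire: g^private mod p."""
    return pow(g, private, p)


def shared_secret(peer_public: int, own_private: int, p: int = TOY_P) -> int:
    """peer_public^own_private mod p; the same number on both sides."""
    return pow(peer_public, own_private, p)


def symmetric_key(secret: int, p: int = TOY_P) -> bytes:
    """Turn the shared secret into a symmetric key (simplified derivation)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha1(secret.to_bytes(width, "big")).digest()


def random_private(p: int = TOY_P) -> int:
    """Private exponent chosen uniformly from [2, p-2]."""
    return 2 + secrets.randbelow(p - 3)


def exchange(a_private: int, b_private: int,
             p: int = TOY_P, g: int = TOY_G) -> Tuple[int, int, int, int]:
    """Run both sides.  Returns (A's public value, B's public value,
    secret computed by A, secret computed by B); the last two must be equal."""
    a_pub = public_value(a_private, p, g)   # only a_pub and b_pub are observable on the wire
    b_pub = public_value(b_private, p, g)
    return (a_pub, b_pub,
            shared_secret(b_pub, a_private, p),   # A: (g^b)^a mod p
            shared_secret(a_pub, b_private, p))   # B: (g^a)^b mod p


if __name__ == "__main__":
    print(exchange(6, 15))                      # (8, 19, 2, 2)
    a, b = random_private(), random_private()
    _, _, s_a, s_b = exchange(a, b)
    print(s_a == s_b, symmetric_key(s_a).hex())
```

With a = 6 and b = 15 the public values are 5^6 mod 23 = 8 and 5^15 mod 23 = 19; A computes 19^6 mod 23 = 2 and B computes 8^15 mod 23 = 2. An observer sees only 8 and 19; recovering 2 from them requires solving the discrete logarithm, which is what the size of the real 768-bit group is there to make impractical.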

Authenticate Peer Identity
Peer authentication methods:
– Pre-shared keys
– RSA signatures
(Figure: remote office PIX A performs peer authentication across the Internet with corporate office PIX B, which fronts the HR servers)

Step 3: IKE Phase 2
– Negotiate IPSec security parameters
(Figure: Host A, PIX A, PIX B, Host B)

IPSec Transform Sets
A transform set is a combination of algorithms and protocols that enact a security policy for traffic.

IPSec transform sets:
– Transform set 30: ESP, 3DES, SHA, Tunnel, Lifetime
– Transform set 40: ESP, DES, MD5, Tunnel, Lifetime
– Transform set 55: ESP, 3DES, SHA, Tunnel, Lifetime
(Figure: Host A, PIX A, PIX B, Host B; negotiate transform sets)

SAs
Security association database (SAD) entry:
– Destination IP address
– SPI
– Protocol (ESP or AH)
Security policy database (SPD) entry:
– Encryption algorithm
– Authentication algorithm
– Mode
– Key lifetime
(Figure: two SAs across the Internet to a bank: SPI 12, ESP/3DES/SHA, tunnel; SPI 39, ESP/DES/MD5, tunnel)

SA Lifetime
– Data-based
– Time-based

Step 4: IPSec Session
– SAs are exchanged between peers.
– The negotiated security services are applied to the traffic.
(Figure: IPSec session between Host A and Host B through PIX A and PIX B)

Step 5: Tunnel Termination
A tunnel is terminated
–By an SA lifetime timeout
–If the packet counter is exceeded
Removes IPSec SA
(Figure: IPSec tunnel between Host A and Host B through PIX A and PIX B)
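The SA database from the SAs slide, with the two lifetime triggers (data-based and time-based) and the tunnel termination of step 5, modelled as an added example that is not part of the original deck or Cisco's code. Entries are keyed by (destination address, SPI, protocol) as the slide lists them; the addresses, SPIs and the 100-kilobyte data lifetime are constructed values. One SA per direction is created because IPSec SAs are unidirectional.

```python
"""Security association database keyed by (destination IP, SPI, protocol), with
time-based and data-based lifetimes that tear the SA down when exceeded.
Added illustration, not Cisco's code; sample values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SaKey = Tuple[str, int, str]   # (destination IP, SPI, "esp" | "ah")


@dataclass
class SecurityAssociation:
    dst: str
    spi: int
    protocol: str
    encryption: str           # from the SPD entry
    authentication: str
    mode: str                 # tunnel | transport
    lifetime_seconds: int     # time-based limit
    lifetime_kbytes: int      # data-based limit
    created_at: float
    bytes_protected: int = 0

    @property
    def key(self) -> SaKey:
        return (self.dst, self.spi, self.protocol)

    def expiry_reason(self, now: float) -> Optional[str]:
        """'time' or 'data' when a limit has been reached, else None."""
        if now - self.created_at >= self.lifetime_seconds:
            return "time"
        if self.bytes_protected >= self.lifetime_kbytes * 1024:
            return "data"
        return None


class SADatabase:
    def __init__(self) -> None:
        self._sas: Dict[SaKey, SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        if sa.key in self._sas:
            raise ValueError(f"duplicate SA {sa.key}")   # SPI is unique per (dst, protocol)
        self._sas[sa.key] = sa

    def lookup(self, dst: str, spi: int, protocol: str) -> Optional[SecurityAssociation]:
        return self._sas.get((dst, spi, protocol))

    def record_traffic(self, key: SaKey, nbytes: int, now: float) -> Optional[str]:
        """Account for protected traffic.  If that pushes the SA over either
        limit, the SA is removed (tunnel termination) and the reason returned."""
        sa = self._sas[key]
        sa.bytes_protected += nbytes
        reason = sa.expiry_reason(now)
        if reason:
            del self._sas[key]
        return reason

    def sweep(self, now: float) -> List[SaKey]:
        """Remove every SA whose time lifetime has elapsed; return their keys."""
        gone = [k for k, sa in self._sas.items() if sa.expiry_reason(now) == "time"]
        for k in gone:
            del self._sas[k]
        return gone

    def __len__(self) -> int:
        return len(self._sas)


def demo() -> Tuple[Optional[str], List[SaKey], int]:
    """Outbound and inbound SA as on the slide (SPI 12 ESP/3DES/SHA, SPI 39 ESP/DES/MD5)."""
    sad = SADatabase()
    sad.add(SecurityAssociation("198.51.100.1", 12, "esp", "3des", "sha", "tunnel",
                                28800, 100, created_at=0.0))
    sad.add(SecurityAssociation("192.0.2.1", 39, "esp", "des", "md5", "tunnel",
                                28800, 100, created_at=0.0))
    # 100 kB through SPI 12 reaches the data limit: that SA is torn down
    data = sad.record_traffic(("198.51.100.1", 12, "esp"), 100 * 1024, now=10.0)
    # at 28800 s the remaining SA reaches its time limit
    timed = sad.sweep(now=28800.0)
    return data, timed, len(sad)   # ("data", [("192.0.2.1", 39, "esp")], 0)


if __name__ == "__main__":
    print(demo())
```

Either trigger ends the SA on its own, which is why a peer that sends much more data than it receives can see its outbound SA renegotiated long before the time lifetime shown in the crypto map output expires.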

IPSec Configuration Tasks

Tasks to Configure IPSec Encryption
– Task 1: Prepare to configure VPN support.
– Task 2: Configure IKE.
– Task 3: Configure IPSec.
– Task 4: Test and verify IPSec.

Task 1: Prepare to Configure VPN Support

Task 1: Prepare for IKE and IPSec
– Step 1: Determine the IKE (IKE Phase 1) policy.
– Step 2: Determine the IPSec (IKE Phase 2) policy.
– Step 3: Ensure that the network works without encryption.
– Step 4: Implicitly permit IPSec packets to bypass PIX Firewall ACLs and access groups.

Step 1: Determine the IKE (IKE Phase 1) Policy
Determine the following policy details:
– Identify IKE Phase 1 policies for peers.
  –Encryption algorithm
  –Hash algorithm
  –IKE SA lifetime
  –Authentication method
– Determine key distribution methods.
– Identify IPSec peer PIX Firewall IP addresses or hostnames.
Goal: Minimize misconfiguration

IKE Phase 1 Policy Parameters

Parameter              | Strong         | Stronger
Encryption algorithm   | DES            | 3DES or AES
Hash algorithm         | MD5            | SHA-1
Authentication method  | Pre-share      | RSA signature
Key exchange           | DH Group 1     | DH Group 2
IKE SA lifetime        | 86,400 seconds | < 86,400 seconds

Determine IKE Phase 1 Policy
(Figure: Site 1 (pix1) and Site 2 connected across the Internet)

Parameter              | Site 1         | Site 2
Encryption algorithm   | DES            | DES
Hash algorithm         | SHA            | SHA
Authentication method  | Pre-share      | Pre-share
Key exchange           | 768-bit DH     | 768-bit DH
IKE SA lifetime        | 86,400 seconds | 86,400 seconds

Step 2: Determine the IPSec (IKE Phase 2) Policy
Determine the following policy details:
– Select IPSec algorithms and parameters for optimal security and performance.
– Identify IPSec peer PIX Firewall details.
– Determine IP addresses and applications of hosts to be protected.
– Select manual or IKE-initiated SAs.
Goal: Minimize misconfiguration

Determine IPSec (IKE Phase 2) Policy
(Figure: Site 1 (pix1) and Site 2 connected across the Internet)

Policy                                | Site 1          | Site 2
Transform set                         | ESP-DES, tunnel | ESP-DES, tunnel
Peer PIX Firewall IP address          |                 |
Encrypting hosts                      |                 |
Traffic (packet type) to be encrypted | IP              | IP
SA establishment                      | ipsec-isakmp    | ipsec-isakmp

Task 2: Configure IKE Parameters

Task 2: Configure IKE
– Step 1: Enable or disable IKE
– Step 2: Configure IKE policies
– Step 3: Configure pre-shared keys
– Step 4: Verify the IKE configuration

Step 1: Enable or Disable IKE
– Enables or disables IKE on the PIX Firewall interfaces.
– Disables IKE on interfaces not used for IPSec.

pixfirewall(config)# isakmp enable interface-name

pix1(config)# isakmp enable outside
(Figure: Site 1 (pix1) and Site 2 connected across the Internet)

Step 2: Configure IKE Phase 1 Policy
– Creates a policy suite grouped by priority number.
– Creates policy suites that match peers.
– Can use default values.

pix1(config)# isakmp policy 10 encryption des
pix1(config)# isakmp policy 10 hash sha
pix1(config)# isakmp policy 10 authentication pre-share
pix1(config)# isakmp policy 10 group 1
pix1(config)# isakmp policy 10 lifetime
(Figure: Site 1 (pix1) and Site 2 connected across the Internet)

Step 3: Configure IKE Pre-Shared Key
– Pre-shared keystring must be identical at both peers.
– Specify peer-address as a host or wildcard address.

pixfirewall(config)# isakmp key keystring address peer-address [netmask]

pix1(config)# isakmp key cisco123 address
(Figure: Site 1 (pix1) and Site 2 connected across the Internet, each side labelled "isakmp key cisco")

Step 4: Verify IKE Phase 1 Policies
Displays configured and default IKE protection suites

pix1# show isakmp policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit
(Figure: Site 1 (pix1) and Site 2 connected across the Internet)

Task 3: Configure IPSec Parameters

Task 3: Configure IPSec
– Step 1: Configure interesting traffic (nat 0 and ACL).
  –access-list 101 permit
  –nat (inside) 0
– Step 2: Configure IPSec transform set suites.
  –crypto ipsec transform-set
– Step 3: Configure the crypto map.
  –crypto map
– Step 4: Apply the crypto map.
  –crypto map map-name interface interface-name

Step 1: Configure Interesting Traffic ACL
– permit = encrypt
– deny = do not encrypt

pix1(config)# access-list 101 permit ip
(Figure: Site 1 (pix1) and Site 2 connected across the Internet; traffic matching the permit entry is marked "Encrypt", other traffic is not)

Example of Crypto ACLs
Lists are symmetrical.

pix1# show access-list
access-list 101 permit ip

pix6# show access-list
access-list 101 permit ip
(Figure: Site 1 (pix1) and Site 2 (pix6) connected across the Internet)
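A check for the symmetry the slide calls for, as an added example that is not part of the original deck or Cisco's code. It parses the PIX `access-list <id> permit|deny <protocol> <source> <mask> <destination> <mask>` form (PIX ACLs take subnet masks, not IOS wildcard masks; `host` and `any` are also accepted) and reports every local entry that has no mirrored counterpart on the remote peer. The sample lines use constructed addresses from the RFC 5737 documentation ranges, since the slide's own addresses are not reproduced on the page.

```python
"""Verifies that two peers' crypto ACLs are mirror images (same action and
protocol, source and destination swapped).  Added illustration, not Cisco's
code; addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclEntry:
    acl_id: str
    action: str    # permit = encrypt, deny = do not encrypt
    protocol: str
    src: Net
    dst: Net


def _endpoint(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one address specification starting at tokens[i]; return it and the next index."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs carry a subnet mask here, which ip_network accepts directly
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl_line(line: str) -> AclEntry:
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    acl_id, action, proto = tokens[1], tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    src, i = _endpoint(tokens, 4)
    dst, i = _endpoint(tokens, i)
    if i != len(tokens):
        raise ValueError(f"unexpected trailing tokens in {line!r}")
    return AclEntry(acl_id, action, proto, src, dst)


def mirror_mismatches(local: List[str], remote: List[str]) -> List[str]:
    """Local ACL lines with no mirrored entry on the remote peer.  ACL ids may
    differ between peers; only action, protocol and the swapped networks count."""
    remote_entries = {(e.action, e.protocol, e.src, e.dst)
                      for e in map(parse_acl_line, remote)}
    return [line for line in local
            if (lambda e: (e.action, e.protocol, e.dst, e.src) not in remote_entries)(parse_acl_line(line))]


# Constructed sample crypto ACLs for the two peers.
PIX1_ACL = [
    "access-list 101 permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0",
    "access-list 101 permit ip host 192.0.2.10 203.0.113.0 255.255.255.0",
]
PIX6_ACL = [
    "access-list 101 permit ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0",
    "access-list 101 permit ip 203.0.113.0 255.255.255.0 host 192.0.2.10",
]
PIX6_ACL_BROKEN = PIX6_ACL[:1]   # the second entry was never added on the remote peer

if __name__ == "__main__":
    print(mirror_mismatches(PIX1_ACL, PIX6_ACL))         # []
    print(mirror_mismatches(PIX1_ACL, PIX6_ACL_BROKEN))  # the 'host 192.0.2.10' line
```

An entry reported here is exactly the kind of one-sided crypto ACL that makes traffic leave one site encrypted and be dropped or sent in the clear by the other, so this is worth running against `show access-list` output from both peers before the `debug crypto` commands of Task 4.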

Step 1: Configure Interesting Traffic NAT
Do not translate traffic that matches the crypto ACL.

pix1(config)# nat (inside) 0 access-list 101
(Figure: Site 1 (pix1) and Site 2 connected across the Internet, both marked "Do not translate")

Step 2: Configure an IPSec Transform Set
– Sets are limited to up to one AH and up to two ESP transforms.
– Default mode is tunnel.
– Configure matching sets between IPSec peers.

pixfirewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

pix1(config)# crypto ipsec transform-set pix6 esp-des
(Figure: Site 1 (pix1) and Site 2 connected across the Internet)

Available IPSec Transforms

ah-md5-hmac    AH-HMAC-MD5 transform
ah-sha-hmac    AH-HMAC-SHA transform
esp-des        ESP transform using DES cipher (56 bits)
esp-3des       ESP transform using 3DES cipher (168 bits)
esp-aes        ESP transform using AES-128 cipher
esp-aes-192    ESP transform using AES-192 cipher
esp-aes-256    ESP transform using AES-256 cipher
esp-md5-hmac   ESP transform using HMAC-MD5 auth
esp-sha-hmac   ESP transform using HMAC-SHA auth
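The transform table above and the limits stated in step 2 (at most one AH and two ESP transforms per set, matching sets on both peers), turned into a checker as an added example that is not part of the original deck or Cisco's code. The rule that the two ESP transforms must be one cipher and one authentication transform is an assumption beyond what the slide states; the set names and configuration lines are constructed, apart from the `pix6 esp-des` line taken from the slide.

```python
"""Parses 'crypto ipsec transform-set' lines against the slide's transform table,
enforces the per-set limits and finds matching sets between two peers.
Added illustration, not Cisco's code; sample lines are constructed."""
from typing import Dict, FrozenSet, List, Tuple

# Transform name -> (protocol, role), from the slide's table.
AVAILABLE: Dict[str, Tuple[str, str]] = {
    "ah-md5-hmac": ("ah", "auth"),
    "ah-sha-hmac": ("ah", "auth"),
    "esp-des": ("esp", "cipher"),
    "esp-3des": ("esp", "cipher"),
    "esp-aes": ("esp", "cipher"),
    "esp-aes-192": ("esp", "cipher"),
    "esp-aes-256": ("esp", "cipher"),
    "esp-md5-hmac": ("esp", "auth"),
    "esp-sha-hmac": ("esp", "auth"),
}


def validate_transforms(transforms: List[str]) -> None:
    unknown = [t for t in transforms if t not in AVAILABLE]
    if unknown:
        raise ValueError(f"unknown transform(s): {unknown}")
    if len(set(transforms)) != len(transforms):
        raise ValueError("duplicate transform in set")
    ah = [t for t in transforms if AVAILABLE[t][0] == "ah"]
    esp = [t for t in transforms if AVAILABLE[t][0] == "esp"]
    if len(ah) > 1:
        raise ValueError("at most one AH transform per set")
    if len(esp) > 2:
        raise ValueError("at most two ESP transforms per set")
    if len({AVAILABLE[t][1] for t in esp}) != len(esp):
        raise ValueError("two ESP transforms must be one cipher and one auth")  # assumption


def parse_transform_set(line: str) -> Tuple[str, FrozenSet[str]]:
    """'crypto ipsec transform-set NAME t1 [t2 [t3]]' -> (NAME, transforms)."""
    tokens = line.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"] or not 5 <= len(tokens) <= 7:
        raise ValueError(f"malformed transform-set line: {line!r}")
    name, transforms = tokens[3], tokens[4:]
    validate_transforms(transforms)
    return name, frozenset(transforms)


def weaknesses(transforms: FrozenSet[str]) -> List[str]:
    """Review notes for a set: 56-bit DES, MD5 integrity, or ESP with no integrity at all."""
    notes = []
    if "esp-des" in transforms:
        notes.append("esp-des: 56-bit DES")
    if "esp-md5-hmac" in transforms or "ah-md5-hmac" in transforms:
        notes.append("MD5-based integrity")
    has_esp_cipher = any(AVAILABLE[t] == ("esp", "cipher") for t in transforms)
    has_auth = any(AVAILABLE[t][1] == "auth" for t in transforms)
    if has_esp_cipher and not has_auth:
        notes.append("ESP encryption without any integrity transform")
    return notes


def matching_sets(local: List[str], remote: List[str]) -> List[Tuple[str, str]]:
    """(local name, remote name) pairs whose transforms are identical.  Names may
    differ between peers and transform order does not matter."""
    remote_sets = [parse_transform_set(line) for line in remote]
    pairs = []
    for l_name, l_tf in map(parse_transform_set, local):
        pairs.extend((l_name, r_name) for r_name, r_tf in remote_sets if r_tf == l_tf)
    return pairs


# Constructed sample configurations (the first pix1 line is the slide's own example).
PIX1_SETS = ["crypto ipsec transform-set pix6 esp-des",
             "crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac"]
PIX6_SETS = ["crypto ipsec transform-set pix1 esp-des",
             "crypto ipsec transform-set strong esp-sha-hmac esp-aes-256"]

if __name__ == "__main__":
    print(matching_sets(PIX1_SETS, PIX6_SETS))     # [('pix6', 'pix1'), ('strong', 'strong')]
    for line in PIX1_SETS:
        name, tf = parse_transform_set(line)
        print(name, weaknesses(tf))
```

The `weaknesses` pass is the defender's view of the slide's `esp-des` example: it encrypts with 56-bit DES and, with no `esp-*-hmac` transform alongside it, carries no integrity protection at all, which is why a set such as `esp-aes-256 esp-sha-hmac` is what a practitioner would configure on both peers today.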

Step 3: Configure the Crypto Map
– Specifies IPSec (IKE Phase 2) parameters.
– Map names and sequence numbers group entries into a policy.

pix1(config)# crypto map PIX1MAP 10 ipsec-isakmp
pix1(config)# crypto map PIX1MAP 10 match address 101
pix1(config)# crypto map PIX1MAP 10 set peer
pix1(config)# crypto map PIX1MAP 10 set transform-set pix6
pix1(config)# crypto map PIX1MAP 10 set security-association lifetime seconds
(Figure: Site 1 (pix1) and Site 2 connected across the Internet)

Step 4: Apply the Crypto Map to an Interface
– Applies the crypto map to an interface.
– Activates IPSec policy.

pixfirewall(config)# crypto map map-name interface interface-name

pix1(config)# crypto map PIX1MAP interface outside
(Figure: Site 1 (pix1) and Site 2 connected across the Internet)

Example of Crypto Map for pix1

pix1# show crypto map
Crypto Map "peer6" 10 ipsec-isakmp
        Peer =
        access-list 101 permit ip
        Current peer:
        Security association lifetime: kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ pix6, }
(Figure: Site 1 (pix1) and Site 2 connected across the Internet)

Example of Crypto Map for pix6

pix6# show crypto map
Crypto Map "peer1" 10 ipsec-isakmp
        Peer =
        access-list 101 permit ip (hitcnt=0)
        Current peer:
        Security association lifetime: kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ pix1, }
(Figure: Site 1 (pix1) and Site 2 (pix6) connected across the Internet)

Task 4: Test and Verify VPN Configuration

– Verify ACLs and interesting traffic.
  –show access-list
– Verify correct IKE configuration.
  –show isakmp
  –show isakmp policy
– Verify correct IPSec configuration.
  –show crypto ipsec transform-set
– Verify correct crypto map configuration.
  –show crypto map
– Clear IPSec SA.
  –clear crypto ipsec sa
– Clear IKE SA.
  –clear crypto isakmp sa
– Debug IKE and IPSec traffic through the PIX Firewall.
  –debug crypto ipsec
  –debug crypto isakmp

The Cisco VPN Client

Topology Overview
The PIX Firewall is configured for:
– Pre-shared keys
– XAUTH
– Mode config
(Figure: remote users with the VPN Client connect across the Internet/ISP to the PIX Firewall, which sits in front of a router; a Cisco Secure ACS server (TACACS+) authenticates the remote clients)

Cisco VPN Client Features
– Support for Windows ME, Windows 2000, and Windows XP
– Data compression
– Split tunneling
– User authentication by way of VPN central-site device
– Automatic Cisco VPN Client configuration
– Internal MTU adjustment
– CLI to the VPN dialer
– Start Before Logon
– Software update notifications from the VPN device upon connection

Scale PIX Firewall VPNs

CA Server Fulfilling Requests from IPSec Peers
Each IPSec peer individually enrolls with the CA server.
(Figure: several IPSec peers enrolling with one CA server)

Enroll a PIX Firewall with a CA
– Generate public and private keys.
– Obtain public key and certificate from CA.
– Request signed certificates from the CA.
– CA administrator verifies request and sends signed certificates.
(Figure: PIX Firewall and CA server)

Summary

– The PIX Firewall enables a secure VPN.
– IPSec configuration tasks include configuring IKE and IPSec parameters.
– CAs enable scaling to a large number of IPSec peers.
– Remote users can establish secure VPN tunnels between PCs running Cisco VPN Client software and any Cisco VPN-enabled product, such as the PIX Firewall, that supports the Unified Client framework.

Lab Exercise

Lab Visual Objective
(Figure: lab topology for Pods 1–5 and Pods 6–: each pod has a Student PC (Local: 10.0.P.11), a PIX Firewall, a Web/FTP server and a CSACS server on its 10.0.P.0 network; the pods connect through RTS (.100) to the RBB backbone, which also hosts Web and FTP servers)

Lab Visual Objective
(Figure: Student PC running the VPN Client (.1) connects as a remote user through RTS to the pod PIX Firewall (.150), behind which sits the 10.0.P.0 network; Web and FTP servers are reachable on RBB)