© 2006 Cisco Systems, Inc. All rights reserved. ISCW v1.04-1 IPsec VPNs: Configuring IPsec Site-to-Site VPN Using SDM.

Transcript:

Configuring IPsec Site-to-Site VPN Using SDM

Introducing the SDM VPN Wizard Interface

Cisco Router and SDM

What Is Cisco SDM?
SDM is an embedded web-based management tool.
Provides intelligent wizards to enable quicker and easier deployments, and does not require knowledge of Cisco IOS CLI or security expertise.
Contains tools for more advanced users:
– ACL editor
– VPN crypto map editor
– Cisco IOS CLI preview

Cisco SDM Features
Smart wizards for these frequent router and security configuration issues:
– Avoid misconfigurations with integrated routing and security
– Secure the existing network infrastructure easily and cost-effectively
– Uses Cisco TAC- and ICSA-recommended security configurations
Startup wizard, one-step router lockdown, policy-based firewall and ACL management (firewall policy), one-step VPN (site-to-site), and inline IPS
Guides untrained users through the workflow

Introducing the SDM VPN Wizard Interface
Wizards for IPsec solutions
Individual IPsec components

Site-to-Site VPN Components

Site-to-Site VPN Components
VPN wizards use two sources to create a VPN connection:
– User input during the step-by-step wizard process
– Preconfigured VPN components
SDM provides some default VPN components:
– Two IKE policies
– IPsec transform set for the Quick Setup wizard
Other components are created by the VPN wizards.
Some components (e.g., PKI) must be configured before the wizards can be used.

Site-to-Site VPN Components (Cont.)
Two main components:
– IPsec
– IKE
Two optional components:
– Group Policies for Easy VPN server functionality
– Public Key Infrastructure for IKE authentication using digital certificates
Individual IPsec components used to build VPNs

Launching the Site-to-Site VPN Wizard

Launching the Site-to-Site VPN Wizard

Launching the Site-to-Site VPN Wizard (Cont.)

Quick Setup

Quick Setup (Cont.)

Step-by-Step Setup
Multiple steps are used to configure the VPN connection:
Defining connection settings: outside interface, peer address, authentication credentials
Defining IKE proposals: priority, encryption algorithm, HMAC, authentication type, Diffie-Hellman group, lifetime
Defining IPsec transform sets: encryption algorithm, HMAC, mode of operation, compression
Defining traffic to protect: single source and destination subnets, or an ACL
Reviewing and completing the configuration
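The five wizard steps above map onto a handful of IOS crypto commands. The following is an added example (not code from the Cisco course or from SDM) that renders the wizard's inputs as those standard commands and flags weak IKE/transform-set choices before they reach a router; the peer, pre-shared key, map name, interface and subnets are constructed, and the "weak" thresholds are this example's own assumption.

```python
# Added example, not code from the Cisco course or from SDM itself: render the
# values the step-by-step wizard collects as standard IOS crypto commands and
# flag weak algorithm choices first. Peer, key, names and subnets are constructed.

WEAK_CIPHERS = {"des", "3des"}   # assumption: DES and 3DES count as weak
WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {1, 2}          # assumption: DH groups of 1024 bits or less

def weak_settings(ike, ts):
    # Returns a list of warnings; an empty list means nothing weak was chosen.
    w = []
    if ike["encryption"].split()[0] in WEAK_CIPHERS:
        w.append(f"IKE encryption '{ike['encryption']}' is weak")
    if ike["hash"] in WEAK_HASHES:
        w.append(f"IKE hash '{ike['hash']}' is weak")
    if ike["group"] in WEAK_DH_GROUPS:
        w.append(f"IKE Diffie-Hellman group {ike['group']} is weak")
    if ts["esp"].split()[0] in {"esp-" + c for c in WEAK_CIPHERS}:
        w.append(f"ESP cipher '{ts['esp']}' is weak")
    if ts["hmac"] == "esp-md5-hmac":
        w.append(f"ESP HMAC '{ts['hmac']}' is weak")
    return w

def site_to_site_cli(conn, ike, ts, acl):
    # IOS CLI lines for one tunnel, in the order the wizard steps collect them.
    return [
        f"crypto isakmp policy {ike['priority']}",
        f" encryption {ike['encryption']}",
        f" hash {ike['hash']}",
        f" authentication {ike['auth']}",
        f" group {ike['group']}",
        f" lifetime {ike['lifetime']}",
        f"crypto isakmp key {conn['psk']} address {conn['peer']}",
        f"crypto ipsec transform-set {ts['name']} {ts['esp']} {ts['hmac']}",
        f" mode {ts['mode']}",
        f"access-list {acl['num']} permit ip {acl['src']} {acl['src_wc']} {acl['dst']} {acl['dst_wc']}",
        f"crypto map {conn['map']} 10 ipsec-isakmp",
        f" set peer {conn['peer']}",
        f" set transform-set {ts['name']}",
        f" match address {acl['num']}",
        f"interface {conn['interface']}",
        f" crypto map {conn['map']}",
    ]

# Constructed sample input: one weak IKE proposal beside a sound one.
CONN = {"interface": "FastEthernet0/0", "peer": "203.0.113.2", "psk": "CHANGE_ME", "map": "CMAP_SITE_A"}
IKE_WEAK = {"priority": 10, "encryption": "des", "hash": "md5", "auth": "pre-share", "group": 1, "lifetime": 86400}
IKE_OK = {"priority": 10, "encryption": "aes 256", "hash": "sha", "auth": "pre-share", "group": 14, "lifetime": 86400}
TS_OK = {"name": "ESP-AES256-SHA", "esp": "esp-aes 256", "hmac": "esp-sha-hmac", "mode": "tunnel"}
ACL = {"num": 100, "src": "10.1.1.0", "src_wc": "0.0.0.255", "dst": "10.2.2.0", "dst_wc": "0.0.0.255"}
```

Running `site_to_site_cli(CONN, IKE_OK, TS_OK, ACL)` gives the same kind of CLI block the wizard lets you preview before delivery, and `weak_settings(IKE_WEAK, TS_OK)` lists the three weak choices in the sample proposal.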

Connection Settings

Connection Settings

IKE Proposals

IKE Proposals

Transform Set

Transform Set

Defining What Traffic to Protect

Option 1: Single Source and Destination Subnet

Option 2: Using an ACL

Option 2: Using an ACL (Cont.)

Option 2: Using an ACL (Cont.)

Completing the Configuration

Review the Generated Configuration

Review the Generated Configuration (Cont.)

Test Tunnel Configuration and Operation

Monitor Tunnel Operation

Advanced Monitoring
Advanced monitoring can be performed using the default Cisco IOS HTTP server interface. Requires knowledge of Cisco IOS CLI commands.
router# show crypto isakmp sa
Lists active IKE sessions
router# show crypto ipsec sa
Lists active IPsec security associations
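Reading `show crypto isakmp sa` by eye does not scale once there are several peers, so here is an added example (not from the Cisco course) that parses that table and reports whether the IKE SA to an expected peer is established. The sample output is constructed, and the column layout it assumes (dst, src, state, conn-id, status) is the IOS 12.4 format.

```python
# Added example, not from the Cisco course: parse the table printed by
# "show crypto isakmp sa" and classify the IKE SA to a given peer.
# SAMPLE is constructed output; the column order is assumed to be the
# IOS 12.4 layout (dst, src, state, conn-id, status).

SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
198.51.100.7    203.0.113.1     MM_NO_STATE       1002 ACTIVE

IPv6 Crypto ISAKMP SA
"""

def parse_isakmp_sa(text):
    # One dict per SA row; banner and header lines are skipped because their
    # first field is not a dotted IPv4 address and the conn-id is not numeric.
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0].count(".") == 3 and parts[3].isdigit():
            rows.append({"dst": parts[0], "src": parts[1], "state": parts[2],
                         "conn_id": int(parts[3]), "status": " ".join(parts[4:])})
    return rows

def ike_sa_state(text, peer):
    # "up": an SA with the peer reached QM_IDLE (phase 1 complete) and is ACTIVE.
    # "negotiating": an SA with the peer exists but is still in a main-mode
    # state (MM_NO_STATE is the usual sign that phase 1 never completed).
    # "absent": no IKE SA with that peer at all.
    sas = [sa for sa in parse_isakmp_sa(text) if peer in (sa["dst"], sa["src"])]
    if any(sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE" for sa in sas):
        return "up"
    return "negotiating" if sas else "absent"
```

Feed it the real command output captured from the router (for example over the HTTP server interface mentioned above) instead of SAMPLE to check a production tunnel.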

Troubleshooting
Advanced troubleshooting can be performed using the Cisco IOS CLI. Requires knowledge of Cisco IOS CLI commands.
router# debug crypto isakmp
Debugs IKE communication

Summary
SDM is a GUI, and one of its features is to provide simplified management of security mechanisms on Cisco IOS routers.
SDM can manage various types of site-to-site VPNs.
SDM can be used to implement a simple site-to-site VPN in three ways:
– Using the quick setup wizard
– Using the step-by-step wizard
– Configuring individual VPN components
Upon completing the configuration, SDM converts the configuration into the Cisco IOS CLI format.
