By James Henry Carmouche, CCIE No. 6085
Publisher: Cisco Press
Pub Date: July 19, 2006
Print ISBN-10: 1-58705-207-5
Print ISBN-13: 978-1-58705-207-1
Pages: 480
is written using a layered approach, starting with basic explanations of why IPsec was developed and the types of organizations relying on IPsec to secure data transmissions. It then outlines the basic IPsec/ISAKMP fundamentals that were developed to meet demand for secure data transmission. The book covers the design and implementation of IPsec VPN architectures using an array of Cisco products, starting with basic concepts and proceeding to more advanced topics, including high availability solutions and public key infrastructure (PKI). Sample topology diagrams and configuration examples are provided in each chapter to reinforce the fundamentals expressed in the text and to assist readers in translating concepts into practical deployment scenarios. Additionally, comprehensive case studies are incorporated throughout to map topics to real-world solutions.
information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
First Printing June 2006
trademark or service mark
Warning and Disclaimer
This book is designed to provide information about IPsec virtual private networks. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.
Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam •
Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo,
Printed in the USA
Dedication
For my loving wife, Kristen, and my two wonderful sons, James and Charlie. This would not have been possible without your unconditional love, support, and inspiration.
bringing advanced security products to market, building technical marketing collateral and presentations, and designing new product introduction training for the GSU's newly introduced security platforms. In addition to his product and solution development experience, Henry has more than six years of technical consulting experience, including three years as a network consulting engineer in the Cisco Advanced Services Group. Henry earned an M.B.A. degree from UNC's Kenan-Flagler Business School and a B.S. degree in mechanical engineering from Lehigh University. Henry currently lives in Chapel Hill, NC, with his wife and two sons.
Aamer Akhter, CCIE No. 4543, joined Cisco Systems in 1998 after graduating from Georgia Tech with a B.S. degree in electrical engineering to work in the Cisco Technical Assistance Center. He then supported the larger enterprise customers from Cisco in the NSA unit, where he helped design and deploy several large Layer 2 networks. Aamer later moved to Networked Solutions Integration Test Engineering (NSITE), where after a brief stint with IPsec VPNs, he moved into a new group for testing MPLS-VPNs. Five years later, MPLS-VPNs had matured much but testing of MPLS-related technologies still continues. Aamer is currently leading a team for testing Layer 3 VPNs and related technologies in a cross-Cisco effort.
Jason Guy is an engineer within the Cisco Systems' NSITE Security team, an organization responsible for network-based security solution testing. Jason is a member of a team responsible for testing, validating, scaling, and assisting in deployment of the Cisco security solution. Jason's primary focus is on firewalls, IPsec Remote Access, and SSL VPN testing. Prior to his work on the security technologies, Jason worked on the AToM Layer 2 VPN and MPLS VPN teams. Jason received his Masters of Computer Engineering degree from North Carolina State University in Raleigh, NC.
Mark J. Newcomb, CCNP, CCDP, is a retired network security engineer. Mark has more than 20 years' experience in the networking industry, focusing on the financial and medical industries. Mark is a frequent contributor and reviewer for Cisco Press books.
During the development of this book, I had the privilege to work in three different groups at Cisco. Thank you to all of my teammates in Enterprise Systems Engineering, the Government Systems Unit, and Advanced Services who have lent me your professional acumen and loyal friendship over the years.
I'd like to thank Mike O'Shea for his support and friendship over the course of developing this book. Mike's sound professional and personal advice have helped me endure the ebbs and flows.
And on that note, many thanks go out to Andrew Cupp and Brett Bartow for their patience, understanding, and support during this process. An author could not have asked for a more professional team to work with while developing and publishing his work.
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface
In recent years, network security solutions have grown to include IPsec as a critical component of secure network architecture design. One primary objective of this publication is therefore to provide the reader with a basic working knowledge of IPsec on various Cisco routing and switching platforms and an understanding of the different components of the Cisco IPsec implementation. This book covers successful implementation of IPsec in a variety of network topologies. This book views IPsec as an emerging requirement in most major vertical markets (service provider, enterprise financial, government), explaining the need for increased information authentication, confidentiality, and non-repudiation for secure transmission of confidential data (government records, financial data, billing information).
The primary development objective of this book is to create a work that aids network architects, administrators, and managers in their efforts to integrate IPsec VPN technology into their existing IP infrastructures. The focus is on IPsec deployments in Cisco network environments, from simple site-to-site virtual private network (VPN) configurations to comprehensive VPN strategies, including architectural redundancy and interoperability.
This book follows a tiered approach toward building a working knowledge of fundamental IPsec VPN design, starting with an overview of basic IPsec business drivers and functional components. These concepts and components are then used as a foundation upon which IPsec VPN High Availability (HA) design considerations are presented. Lastly, several advanced IPsec VPN technologies that are commonly available in today's enterprise networks are presented and discussed. Within each chapter, the design concepts are presented and then reinforced with configurations, illustrations, and practical case studies where appropriate.
This book presents information for technically savvy individuals who want to further their understanding of the fundamentals of this specific technology. Those parties interested in this book most likely include network engineers, network design consultants, network administrators, systems administrators, information security specialists, and all other individuals who have an interest in securing their networks with Cisco routers and VPN products. Additionally, networking professionals who have an understanding of IPsec and also want to view typical Cisco-specific IPsec configurations and practical IPsec deployment examples on Cisco products may also find the design guidance provided in this book valuable. Because it provides information at a fundamental level, this book may also serve as an effective design reference for decision makers looking to make strategic decisions impacting the security of their organizations' networks.
The organization of the book is formatted in a layered approach, starting with a basic explanation of the motivation behind IPsec's development and the types of organizations that rely on IPsec to secure data transmissions. The book then proceeds to outline the basic IPsec/Internet Security Association and Key Management Protocol (ISAKMP) fundamentals that were developed to meet demand for secure data transmission. The book proceeds to cover the design and implementation of IPsec VPN architectures using an array of Cisco products, starting with basic concepts and proceeding to more advanced topics, including HA solutions and public key infrastructure (PKI). Sample topology diagrams and configuration examples are provided to help reinforce the fundamentals expressed in the text, and to assist the reader in translating explained IPsec concepts into practical working deployment scenarios. Case studies are incorporated throughout the text in order to map the topics and concepts discussed to real-world solutions.
Chapters 1 through 4 compose Part I of this book, covering the most basic concepts required to develop an understanding of IPsec VPNs. The chapter content provided in Part I aims to help the reader achieve the following objectives:
Understand the background of IPsec VPN development
Differentiate IPsec/SSL VPN from other VPN technologies
Understand the underlying cryptographic technologies that compose an IPsec VPN
Understand basic IPsec VPN configuration techniques
After you are familiar with the content of Part I, you should have the working knowledge of IPsec VPNs necessary to begin building a knowledge base surrounding the fundamentals of IPsec VPN High Availability using the design concepts provided in Part II. The chapters in Part I include:
Chapter 1, "Introduction to VPN Technologies": This chapter includes an introduction to various VPN technologies, discusses how VPNs are utilized in today's networks, and identifies the drivers for business migration to VPN technologies. The discussion in this chapter provides the reader with a high-level overview of VPN, particularly with a comparison between Multiprotocol Label Switching (MPLS), Virtual Private Dialup Network (VPDN), Secure Sockets Layer (SSL), and IPsec VPNs. After a brief comparison of the VPN technologies, the focus turns to the business drivers for VPN, which include both economics and security.
Chapter 2, "IPsec Fundamentals": This chapter focuses on the underlying components and mechanics of IPsec, including cryptographic components, Internet Key Exchange (IKE), and IPsec. This chapter includes basic configuration examples (not step-by-step) to demonstrate the concepts.
Chapter 3, "Basic IPsec VPN Topologies and Configurations": This chapter demonstrates building of basic VPN topologies using the knowledge gained in the previous chapters. Three basic topologies are discussed: hub-and-spoke without generic routing encapsulation (GRE), hub-and-spoke VPN with GRE, and remote-access VPN.
Chapter 4, "Common IPsec VPN Issues": IPsec deployments can involve a number of potential pitfalls if not properly addressed. Chapter 4 discusses the common IPsec VPN issues that a network engineer should take into consideration during the design and deployment process. It discusses common troubleshooting techniques to diagnose these problems should they occur in your network. Design solutions to the common VPN issues presented in this chapter are provided, along with the appropriate design verification techniques.
Part II consists of Chapters 5 through 10. The topics discussed here build on the introductory concepts from Part I, extending them to encompass a common architectural goal: High
environments
Chapter 6, "Solutions for Local Site-to-Site High Availability": This chapter uses concepts previously described to develop solutions for local HA, including the use of highly available interfaces for IPsec tunnel termination, stateless tunnel termination HA, and stateful tunnel termination HA.
Chapter 7, "Solutions for Geographic Site-to-Site High Availability": This chapter uses concepts previously described to develop solutions for geographic HA. This
Dynamic Multipoint VPN
Chapter 8, "Handling Vendor Interoperability with High Availability": Unfortunately, current IPsec standards do not address HA. This leads to interoperability issues among vendors. This chapter discusses common issues and details the options that exist to handle these scenarios.
Chapter 9, "Solutions for Remote Access VPN High Availability": This chapter discusses the HA concepts previously discussed in Chapters 6 and 7 in the context of RAVPN deployments. Additionally, it covers other HA tools commonly found in RAVPNs, including the use of VPN
included in Part III provide design guidance around two advanced topics of IPsec that are quite commonly deployed in today's enterprise-class IP networks:
Chapter 11, "Public Key Infrastructure and IPsec VPNs": This chapter discusses the usage of public key infrastructure (PKI) to authenticate IPsec peers via Rivest, Shamir, and Adleman (RSA) signatures. This method uses a certificate authority as a trusted third party to secure and
de facto authentication mechanism
Chapter 12, "Solutions for Handling Dynamically Addressed Peers": Dynamic peers allow network administrators to ensure network connectivity when remote network peers are either not known in advance or change to an unknown value over time. Dynamic peers also require less administrative effort than do static peers. This chapter addresses IPsec dynamic peering options, some of which are less commonly used, and others that are more prolific in various architectures.
Part I: Introductory Concepts and Configuration/Troubleshooting
Chapter 1 Introduction to VPN Technologies
Chapter 2 IPsec Fundamentals
Chapter 3 Basic IPsec VPN Topologies and Configurations
Chapter 4 Common IPsec VPN Issues
Chapter 1 Introduction to VPN Technologies
Modern business environments have been consistently changing since the advent of the Internet in the 1990s. Now more than ever, organizational leaders are asking themselves how efficiencies can be gained through making their workforce more mobile and thus increasing the scope of sales and distribution channels while continuing to maximize the economies of scope in their existing data infrastructure investments. Virtual private network (VPN) technologies provide a means by which to realize these business efficiencies in tandem with greatly reduced IT operational expenditures. In this chapter, we will discuss how today's VPN technologies enable enterprise workforces to share data seamlessly and securely over common yet separately maintained network infrastructures, such as through an Internet service provider (ISP) between enterprise networks or with corporate extranet partners. We will introduce several IPsec VPN topologies commonly found in today's enterprise networks, and we will conclude with the overview of two IPsec VPN business models, complete with cost savings realized by the enterprise.
A VPN is a means to securely and privately transmit data over an unsecured and shared network infrastructure. VPNs secure the data that is transmitted across this common infrastructure by encapsulating the data, encrypting the data, or both encapsulating the data and then encrypting the data. In the context of VPN deployments, encapsulation is often referred to as tunneling, as it is a method that effectively transmits data from one network to another transparently across a shared
of the GRE-encapsulated payload. In doing so, they separate or "tunnel" data from one network to another without making changes to the underlying common network infrastructure. Although GRE tunnels have primitive forms of authentication, as we'll explore in later chapters when discussing dynamic multipoint VPN (DMVPN) deployments, they currently provide no means to provide confidentiality, integrity, and non-repudiation natively. Nevertheless, GRE tunneling is a fundamental component of many different IP Security Protocol (IPsec) designs, and will be discussed frequently in subsequent chapters.
Note
Although IPsec-processed data is encrypted, it is also encapsulated with either Encapsulating Standard Protocol (ESP) or Authentication Headers (AH).
different format, while decryption refers to decoding an encrypted message into its original unencrypted format. For encryption to be an effective mechanism for implementing a VPN, this encrypted, encoded format must only be decipherable by those whom the encrypting party trusts. In order to deliver upon these requirements, encryption technologies generally require the use of a mathematical operation, usually referred to as an algorithm, or cipher, and a key. Although generally complex in nature, the mathematical functions themselves are publicly known. It is the symmetric key, or as you'll see in the case of asymmetric cryptography, the private key, that is to be kept unknown to would-be attackers. The key is the primary way to keep the encrypted tunnel secure. This book discusses these two common types of cryptographic operations: symmetric key encryption and asymmetric key encryption. Other types of encryption discussed in the framework of this book include secure hashes and digital signatures.
VPNs exist to effectively, securely, and privately protect data that is transmitted between two networks from the common, shared, and separately maintained infrastructure between the two networks. In order to effectively perform this task, there are four goals that a confidential VPN implementation must meet:
Message authentication: Ensures that a message was sent from an authentic source and that messages are being sent to authentic destinations.
Incorporating the appropriate data confidentiality capabilities into a VPN ensures that only the intended sources and destinations are capable of interpreting the original message contents. IPsec is very effective at encrypting data using the encapsulating security protocol (ESP), described in RFC 1827. Utilizing ESP, IPsec transforms clear text into encrypted data, or cipher text. Because ESP-transformed messages are only sent across in their ciphered representations, the original contents of the message are kept confidential from would-be
Figure 1-1 Confidentiality and Authenticity in Encrypted Communications
Encrypting messages relies on the use of a key to encrypt clear text and to decrypt ciphered messages. In the exchange of messages in Figure 1-1, both James and Charlie require the appropriate keys to encrypt and decrypt communications from each other. Assuming that these keys were exchanged or derived securely (for example, via a Diffie-Hellman exchange, which is discussed in detail in Chapter 2, "IPsec Fundamentals"), when James receives a message from Charlie that he is able to decrypt, he can be assured that the message has been delivered with full confidentiality, and vice versa.
Hashes and digital signatures protect the integrity of a specific communication of data. Hashes and digital signatures append
on a message to ensure data integrity.
Figure 1-2 Data Integrity, Secure Hashes
By providing a unique fingerprint specific only to the sender of the message, a digital signature also provides the receiver a method of message authentication and sender non-repudiation. Notice in Figure 1-3 that digital signatures require the use of a public decryption key unique to the sender's private encryption key. The use of this cryptographic keypair thus guarantees
by offering message authentication and sender non-repudiation, the operation of which is illustrated in Figure 1-3.
Figure 1-3 Message Authenticity and Data Non-Repudiation with Digital Signatures
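The integrity discussion around Figures 1-2 and 1-3 says that hashes protect integrity and that a key is what ties a fingerprint to a sender. The following added example (not from the book) shows the practical caveat behind that: an unkeyed hash detects accidental corruption but not deliberate substitution by an on-path party, which is why IPsec's integrity check is a keyed hash (HMAC). The names James and Charlie are taken from the figures; the message text and the shared key are constructed values, and digital signatures (which need an asymmetric keypair) are not shown.

```python
import hashlib
import hmac

# Constructed sample exchange between James and Charlie (the parties in
# Figures 1-1 to 1-3). The shared key stands in for one derived securely,
# e.g. via Diffie-Hellman; it is a fixed constructed value here for clarity.
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
ORIGINAL = b"James->Charlie: release payment 100 to account 42"
FORGED = b"James->Charlie: release payment 100 to account 99"


def plain_digest(message: bytes) -> bytes:
    """Unkeyed SHA-256 fingerprint: anyone can compute it, including an on-path party."""
    return hashlib.sha256(message).digest()


def keyed_digest(message: bytes, key: bytes) -> bytes:
    """HMAC-SHA256: a fingerprint that requires the shared key, the construction
    IPsec AH/ESP use for their integrity check value."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_plain(message: bytes, tag: bytes) -> bool:
    """Receiver-side check for the unkeyed scheme (constant-time comparison)."""
    return hmac.compare_digest(plain_digest(message), tag)


def verify_keyed(message: bytes, tag: bytes, key: bytes) -> bool:
    """Receiver-side check for the keyed scheme (constant-time comparison)."""
    return hmac.compare_digest(keyed_digest(message, key), tag)


def flip_one_bit(message: bytes) -> bytes:
    """Simulate accidental corruption in transit: flip the low bit of the last byte."""
    return message[:-1] + bytes([message[-1] ^ 0x01])


def on_path_rewrite(new_message: bytes) -> tuple:
    """An on-path party substitutes its own message and recomputes the only
    fingerprint it can produce without the key: the unkeyed hash."""
    return new_message, plain_digest(new_message)


def integrity_outcomes() -> dict:
    """Run both schemes against corruption and substitution. True means the
    receiver (Charlie) rejects the message, i.e. the problem was detected."""
    plain_tag = plain_digest(ORIGINAL)
    keyed_tag = keyed_digest(ORIGINAL, SHARED_KEY)

    corrupted = flip_one_bit(ORIGINAL)
    substituted, attacker_tag = on_path_rewrite(FORGED)

    return {
        # Both schemes catch random corruption: the digest no longer matches.
        "plain_detects_corruption": not verify_plain(corrupted, plain_tag),
        "keyed_detects_corruption": not verify_keyed(corrupted, keyed_tag, SHARED_KEY),
        # Only the keyed scheme catches deliberate substitution: the attacker can
        # ship a matching plain hash, but cannot produce a matching HMAC.
        "plain_detects_substitution": not verify_plain(substituted, attacker_tag),
        "keyed_detects_substitution": not verify_keyed(substituted, attacker_tag, SHARED_KEY),
    }


if __name__ == "__main__":
    for check, detected in integrity_outcomes().items():
        print(f"{check:28s} {'detected' if detected else 'NOT detected'}")
```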
Although IPsec-based VPNs represent one of the most secure and widely deployed types of VPNs, they are only one of many VPN technologies in existence today. As we'll discuss throughout the course of this book, VPNs have been designed to protect data at almost every layer of the OSI stack. For example, customers in different market verticals will deploy a range of encryption technologies, from Layer 1 bulk encryptors to
Figure 1-4 VPN Technologies and the OSI Model
Virtual private dialup networks (VPDN) are used to tunnel data across shared media. Although the primary goal of a VPDN is to tunnel data across shared network infrastructures, some VPDNs may also incorporate data confidentiality. Most VPDNs rely on the use of PPP to encapsulate data in transit across a common network infrastructure. Typical VPDN deployments consist of one or many PPP clients establishing a PPP session that terminates on a device at the opposite end of the tunnel, usually located at a central location within the enterprise or service provider edge. In doing so, a secure point-to-point tunnel is established from the client's network to the PPP concentrator. After the tunnel has been established, the client's network appears as if it were the same network as the enterprise side, while the underlying common network
unchanged. Common VPDN technologies deployed in today's networks include Layer 2 Forwarding Protocol, Point-to-Point Tunneling Protocol, and Layer 2 Tunneling Protocol.
Layer 2 Forwarding Protocol
The Layer 2 Forwarding (L2F) Protocol was originally developed by Cisco Systems as a way to tunnel privately addressed IP, AppleTalk, and Novell Internet Protocol Exchange (IPX) over PPP or Serial Line Internet Protocol (SLIP) dialup connections over shared networks. In order to do this, this VPDN technology
datagrams are forwarded on UDP 1701. The L2F encapsulated PPP packets have the format described in Figure 1-5.
Figure 1-5 L2F Data Packet Format
During the creation of an L2F tunnel, initially a user dials into the Network Access Server (NAS), negotiates PPP, and is authenticated with either Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP), as illustrated in Figure 1-6.
1. NAS and the PPP client negotiate a PPP session. NAS authenticates the PPP client with CHAP (or, optionally, PAP).
Note
The NAS can optionally authenticate PPP connections against
Server) server in the service provider cloud. Managing user connections centrally would ease the administrative burden and provide additional accounting and user database synchronization capabilities (that is, synchronization with NT databases and automated backup of AAA data on peer CSACS databases).
Once the PPP session has been authenticated, a series of exchanges are performed to offload the termination of the dialup session to the home gateway. Figure 1-7 illustrates the CHAP handshake between the PPP client and the NAS shown in Figure 1-6.
Figure 1-7 PPP Authentication with CHAP
2. NAS initiates a tunnel connection to the home gateway.
underlying common infrastructure that the data is tunneled across. Consider the following exchange between a small remote office network (the PPP client) and a corporate VPDN (PPTP) concentrator. Figure 1-8 illustrates the order of
infrastructure and that central network connectivity provided by the service provider must remain transparent to the PPP clients, who are PSTN or ISDN attached. In order to accomplish this task, PPTP is used to provide an end-to-end tunnel for PPP connections inbound to the service provider.
Generally, there are two different types of PPTP VPDN tunnels: compulsory tunnels and voluntary tunnels. Compulsory tunnels are formed when a PPP client accesses the NAS or PPTP Access Concentrator (PAC). The NAS/PAC in turn establishes a tunnel with the PPTP Network Server (PNS). Voluntary tunnels are formed when a PPP client directly negotiates a PPTP tunnel with the PNS. The creation of a voluntary PPTP tunnel executes the
1. The first step in the negotiation occurs when the PPP client establishes a connection with the NAS and is authenticated through a chosen form of PPP authentication: PAP, CHAP, or Microsoft CHAP (MS-CHAP). PPTP tunnels can be encrypted through the use of Microsoft Point-to-Point Encryption (MPPE) to provide confidentiality in VPDNs. Cisco IOS supports both 40- and 128-bit MPPE encryption. In order to encrypt a PPTP tunnel using MPPE, the network administrator must use MS-CHAP to authenticate PPP connections to the NAS.
Tip
Authentication of PPP sessions can be passed to a centrally managed authentication database, such as CSACS via RADIUS or TACACS+. Authenticating PPP sessions against a CSACS database greatly eases administration of user authentication data for VPN access.
2. Now that the PPP client has accessed the service provider network, the client has IP connectivity to the PNS at its corporate headquarters. The PPP client and the PNS must maintain two connections to one another: a control connection and a tunnel protocol connection. The PPTP control connection maintains the connection state and negotiates call setup and teardown. As such, it must be established before the tunnel protocol connection can be established. Once a NAS receives the call from the PPP client, the next step in creating the VPDN connection is to either establish a compulsory tunnel from the NAS/PAC to the PNS or to establish a voluntary tunnel from the PPP client itself to the PNS. In Figure 1-8, the PPP client elects to establish a voluntary tunnel directly to the PNS. In this
exchange. The client initiates the tunnel by establishing a TCP connection to the PNS on port 1723.
Caution
In many cases, including the example in Figure 1-8, TCP port 1723 must be allowed through any corporate firewalls or other filtering security devices for PPTP to operate correctly. In this scenario, the PIX would be configured with the appropriate static translation and access list entry on its outside interface to allow TCP sessions from remote clients on port 1723.
3. Once the PPP client and the PNS have TCP connectivity, they can start to exchange PPTP tunnel negotiation information between them. The tunnel negotiation process consists of exchanging connection request and reply messages as
at which packets are traversing the PPTP tunnel.
The preceding scenario describes a voluntary PPTP tunnel negotiation between the PPP client, which also acts as its own PAC, and the corporate PIX Firewall, acting as the PNS. In a compulsory PPTP tunnel negotiation, the NAS would act as the PAC and would multiplex multiple sessions from the PPTP clients into a single tunnel to the PIX, or PNS. The exchanges in a compulsory tunnel would follow the same steps chronologically, but would appear as displayed in Figure 1-10.
Figure 1-10 A PPTP Compulsory Tunnel Setup between PAC and PNS
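The control-connection setup in step 2 and the request/reply exchange in step 3 can be made concrete with a small builder and parser for the first message that crosses the TCP/1723 control connection, the Start-Control-Connection-Request a PPP client (acting as its own PAC in the voluntary case) sends to the PNS. This is an added example, not the book's code: the field layout comes from RFC 2637 rather than from the page, and the hostname, vendor string and capability values are constructed. The header checks are the ones a firewall or IDS inspecting port 1723 would apply before treating a connection as PPTP.

```python
import struct

# PPTP control connection (RFC 2637) runs over TCP port 1723, as in step 2 above.
PPTP_CONTROL_PORT = 1723
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
MSG_TYPE_CONTROL = 1
CTRL_SCCRQ = 1   # Start-Control-Connection-Request
CTRL_SCCRP = 2   # Start-Control-Connection-Reply

# Common 12-byte header: Length, PPTP Message Type, Magic Cookie,
# Control Message Type, Reserved0 (all big-endian).
HEADER = struct.Struct("!HHIHH")
# SCCRQ body: Protocol Version, Reserved1, Framing Capabilities,
# Bearer Capabilities, Maximum Channels, Firmware Revision,
# Host Name (64 bytes), Vendor String (64 bytes).
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")


def build_sccrq(hostname: bytes, vendor: bytes, max_channels: int = 1) -> bytes:
    """Build an SCCRQ as the PPP client would send it to the PNS."""
    body = SCCRQ_BODY.pack(
        0x0100,                          # protocol version 1.0
        0,                               # reserved1
        0x3,                             # framing: async (1) | sync (2)
        0x3,                             # bearer: analog (1) | digital (2)
        max_channels,
        0,                               # firmware revision (constructed value)
        hostname.ljust(64, b"\x00")[:64],
        vendor.ljust(64, b"\x00")[:64],
    )
    header = HEADER.pack(HEADER.size + len(body), MSG_TYPE_CONTROL,
                         PPTP_MAGIC_COOKIE, CTRL_SCCRQ, 0)
    return header + body


def parse_control_header(data: bytes) -> dict:
    """Validate the fixed header; reject anything that is not a well-formed
    PPTP control message."""
    if len(data) < HEADER.size:
        raise ValueError("truncated PPTP header")
    length, msg_type, magic, ctrl_type, _reserved = HEADER.unpack_from(data)
    if magic != PPTP_MAGIC_COOKIE:
        raise ValueError(f"bad magic cookie 0x{magic:08X}")
    if msg_type != MSG_TYPE_CONTROL:
        raise ValueError(f"unsupported PPTP message type {msg_type}")
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes on the wire")
    return {"length": length, "control_type": ctrl_type}


def parse_sccrq(data: bytes) -> dict:
    """Decode an SCCRQ; hostname and vendor are what a PNS would log about the
    peer asking to open a tunnel."""
    hdr = parse_control_header(data)
    if hdr["control_type"] != CTRL_SCCRQ:
        raise ValueError(f"not an SCCRQ (control type {hdr['control_type']})")
    if len(data) != HEADER.size + SCCRQ_BODY.size:
        raise ValueError("SCCRQ must be exactly 156 bytes")
    version, _r1, framing, bearer, max_ch, firmware, host, vendor = \
        SCCRQ_BODY.unpack_from(data, HEADER.size)
    return {
        "protocol_version": f"{version >> 8}.{version & 0xFF}",
        "framing_capabilities": framing,
        "bearer_capabilities": bearer,
        "max_channels": max_ch,
        "firmware_revision": firmware,
        "hostname": host.rstrip(b"\x00").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\x00").decode("ascii", "replace"),
    }


if __name__ == "__main__":
    # Constructed sample: a remote-office client asks the corporate PNS to start a tunnel.
    request = build_sccrq(b"remote-office-rtr", b"constructed-vendor")
    print(len(request), f"bytes on TCP/{PPTP_CONTROL_PORT}:", parse_sccrq(request))
```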