For some time now, Virtual Private Networks (VPN) have been used within and between many organizations to send traffic in a secure fashion over unsecure and shared networks infrastructure like the Internet.
The CCNA Security exam (650-554 IINS) includes a section dedicated to the fundamental concepts of VPN technologies covering mainly 3 VPN methods: IPSec site to site on ISR (Integrated Service Routers) IOS, SSL-VPN clientless remote access on ASA firewall and SSL-VPN full tunnel remote access on ASA firewall.
CCNA Training – Resources (Intense)
This article will cover only IPsec VPN technical concepts while SSL-VPN remote access will be discussed on future ones. This will be the first of a four-part series about VPN technologies.
After reading this article, you will learn the basic properties of IPsec VPN, all various protocols involved in the creation of IPsec tunnels, how IPsec operates allowing 2 routers to successfully negotiate a tunnel and how to implement and to verify an IOS IPsec site-to-site VPN using PSK (pre-shared key) on a Cisco router. To successfully pass the exam, you will need to have full understanding of all these article topics.
By definition, a VPN (Virtual Private Network) extends a private network over a shared, public backbone such as the Internet, enabling two different hosts to communicate as if they are an integrated part of the same private network. It’s called Virtual because, theoretically, a secure tunnel is created between the endpoints though technically, the packets are encrypted and encapsulated at the source and decrypted and de-capsulated at the destination using cryptography algorithms. As the encryption keys are known only by the sender and the receiver, it is possible to send packets across the Internet in a secure manner.
VPN Type Categories
There are 2 major categories of VPN:
- * IPsec site-to-site VPN is used to connect 2 or more sites.
- * Remote access VPN allows individual users to establish secure connections with a remote computer network anywhere, at anytime, from anything. Remote access VPN can use different access methods such as SSL-VPN clientless, SSL-VPN full-tunnel, IPsec remote access client.
Figure 1: Some Available VPN methods
VPN Main Benefits
VPN provides 4 main benefits:
- * Authentication: The primary purpose of authentication is to make sure you are who you say you are, and this can be achieved through the use of usernames and passwords, pre-shared keys (PSK), OTP (one time password), public key infrastructure (PKI) and digital certificates, or a combination of these.
- * Confidentiality: This is provided by encrypting user data before transmission with the aim of preventing any data from being captured by an attacker. It is accomplished by using symmetrical encryption algorithm.
- * Integrity: This is ensuring data has not been tampered with along the path between the source and destination achieved by using hashing algorithm.
- * Antireplay: To avoid hackers injecting or making changes in packets that travel from a source to a destination, encrypting and encapsulated the packets is needed.
VPN IPsec Site-to-Site Tunnel Configuration on a Single Peer
There are 6 required steps to create an IPsec VPN site-to-site tunnel using PSK on an ISR router:
Configure the peer IP address of the remote router or firewall it will be connected to and specify the pre-shared key which is required to verify the peer’s identity to the other peer.
PSK must match at booth peers.
Dario_ISR(config)#crypto isakmp key intenseschool address 188.8.131.52
Configure ISAKMP/IKE phase 1 policy which lists all the parameters needed to establish a bidirectional ISAKMP/IKE SA (Security Association) such as authentication type used by the 2 peers to authenticate each other (in this case PSK), Diffie-Hellman group, encryption type, hashing method, ISAKMP exchange mode (Main or Aggressive where Main is the default) and the tunnel lifetime.
Dario_ISR(config)#crypto isakmp policy 10
Dario_ISR(config-isakmp)#encryption aes 256
- Configure IPsec phase 2 transform-set where ESP encapsulation protocol is specified along the encryption type and hashing method in order to create an IPsec SA. At this point, it is possible to set up which mode ESP protocol uses between Transport and Tunnel; Transport is the default.
Dario_ISR(config)#crypto ipsec transform-set INTENSE_SCHOOL_IPSEC esp-aes esp-sha hmac
- Define the source and destination interesting traffic (encrypted) which will take part of the tunnel by configuring an extended access list.
Dario_ISR(config)#access list 120 permit ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
- Configure a crypto-map where the peer IP address is set, the transform-set configured at point 3 is recalled, and the access list which defines the interesting traffic is applied.Dario_ISR(config)#crypto map INTENSE_SCHOOL_MAP 1 ipsec-isakmp
Dario_ISR(config-crypto-map)#set peer 184.108.40.206
Dario_ISR(config-crypto-map)#set transform-set INTENSE_SCHOOL_IPSEC
Dario_ISR(config-crypto-map)#match address 110
- Apply the crypto-map to the interface which will be used to build the IPsec VPN tunnel.
Dario_ISR(config-if)#crypto map INTENSE_SCHOOL_MAP
Figure 2: IPsec site-to-site with PSK in ISR router peer sample configuration
Keep in mind the above IPsec tunnel config for the rest of the article because I am going to explain the function of every piece. In fact, there are several protocols which perform actions behind the scenes when you apply this config and you will be tested on all of them during the exam.
Symmetric and Asymmetric Algorithms
Before a secure communications tunnel (VPN) between two endpoints is fully established, they generate, exchange, and use keys as a means to authenticate and encrypt the information used to create a secure tunnel.
Symmetric key algorithms generate and use a single key for the purposes of encrypting and decrypting data. Examples of symmetric key algorithms include:
-Digital Encryption Standard (DES), key size of 56 bits;
-Triple DES (3DES), key size of 168 bits;
-Advanced Encryption Standard (AES), key size of 128, 192, 256 bits;
–IDEA key size of 128 bit;
–Blowfish key size from 32 bits up to 448 bits.
Figure 3: Symmetric Key Algorithm
Asymmetric key algorithms use a key pair, one key for encryption and one key for decryption.
Because a mathematical relationship between the two keys is generated, a piece of information or data that has been encrypted can be decrypted only by the key that belongs to the corresponding key pair of the encryption key used. You might have heard of the terms public and private key before.
Examples of asymmetric key algorithms include:
Figure 4: Asymmetric Key Algorithm
The main drawback of symmetric algorithm is that when the key is compromised, it can be used for potential attacks.
So how it is possible for the 2 legitimate IPsec peers to exchange the symmetric encryption key over an unsecure and public channel like the Internet with the risk that it can be maliciously captured?
Simply by leveraging the Diffie-Hellman asymmetric algorithm during the ISAKMP/IKE phase 1.
Diffie-Hellman is a complex mathematical algorithm which, as its main purpose, allows an exchange of DES or 3DES with either AES key over the internet. This process is unbreakable, hence it cannot be hacked.
DH group methods are not used for encryption/decryption data because asymmetric encryption algorithms are highly CPU intensive. They often use larger key sizes, are more-sophisticated and have processor-intensive mathematical functions that would require expensive dedicated hardware.
On figure 2, AES symmetric encryption has been set up on the crypto isakmp policy 10 (encryption aes 256) and on the INTENSE_SCHOOL_IPSEC transform-set (esp-aes) while Diffie-Hellman Group 5 asymmetric encryption (group 5) has been chosen on the crypto isakmp policy 10.These values must coincide on both IPsec peers.
Another function of DH is to authenticate the 2 peers during the ISAKMP/IKE phase 1: in the above example PSK is used as it is reported on the command authentication pre-share within the crypto isakmp policy 10 and the PSK will be intenseschool only for the remote peer 220.127.116.11.
The remote 18.104.22.168 peer must have the same config and the same key; Of course, the peer IP address must be different from that of the local peer.
Hashing is a method used to verify data integrity.
A cryptographic hash function is a process that takes a block of data and creates a small fixed-sized hash value. It is a one-way function; meaning, if two different computers take the same data and run the same hash function, they should get the same fixed sized hash value. However, different input data applied to the same hash function gives out 2 different digests as a result.
There are 3 types of hash:
- * Message digest 5 (MD5) creates a 128-bit digest;
- * Secure Hash Algorithm 1 (SHA-1) creates a 160-bit digest;
- * Secure Hash Algorithm 2 (SHA-2) includes a digest between 224 bits and 512 bits.
For hashing and encryption, longer keys imply more security.
On figure 2, within the crypto isakmp policy the hash sha (means sha-1) has been selected and within the INTENSE_SCHOOL_IPSEC transform-set, the esp-sha hmac too. These parameters must match on both peers.
Figure 5: SHA-1 Hash function
You might have noticed that the parameter hmac has been configured on the INTENSE_SCHOOL_IPSEC transform-set. By definition, HMAC (keyed-hash message authentication code) calculates a message authentication code (MAC) combining the hash function and secret cryptographic key.
IPsec Protocol Suite
IPsec is a collection of protocols and algorithms used to protect IP packets at Layer 3 of the OSI model. It is composed of a collection of underlying protocols that together provide the overall operation of parameter negotiation, connection establishment, tunnel maintenance, data transmission and connection teardown.
IPsec framework also provides the core benefits of confidentiality through encryption, data integrity through hashing and HMAC, authentication using digital signatures or using a pre-shared key (PSK) and antireplay support.
Protocols of the IPSec suite:
- * IKE (Internet Key Exchange) is used by IPsec for the exchange of parameters used for key negotiation, the exchange of the derived authentication/encryption keys and the overall establishment of security associations (SA).
- * Encapsulating Security Payload (ESP, IP Protocol 50) provides a framework for the data integrity, encryption, authentication, and antireplay functions of an IPsec VPN.
- * Authentication Header (AH, IP Protocol 51) provides a framework for the data integrity, authentication and antireplay functions. No encryption is provided when using AH.
The parameters negotiation and the creation of an IPsec tunnel goes through 2 different phases called IKE phase1 (aka ISAKMP) and IKE phase2 (aka IPsec ).
IKE phase1 uses either IKE Main mode or IKE Aggressive mode while IKE phase2 uses IKE Quick mode.
IKE Phase 1 (ISAKMP)
During IKE Phase 1, both peers negotiate parameters (integrity and encryption algorithms, authentication methods) to set up a secure and authenticated tunnel. This is also called a management channel because no user data is flowing through it (and it is actually a bidirectional IKE SA). Its sole scope is to handle secure Phase 2 negotiations. It is bidirectional because both peers use only one session key to secure both incoming and outgoing traffic.
IKE Main mode (Phase 1) uses three pairs of messages (making six in total) between peers:
Pair 1 consists of the IKE security policies configured on the device: one peer (initiator) begins by sending one or more IKE policies, and the receiving peer responds (responder) with its choice from the policies.
In our example, the IKE policy would be the crypto isakmp policy 10, but it is possible to configure more than one policy. The ISR router has 8 default IKE policies, therefore this configuration step is not mandatory.
Figure 6: 8 default IKE policies on ISR router
Pair 2 includes DH public key exchange: DH creates shared secret keys using the agreed upon DH group/algorithm exchanged in pair 1 (group 5)
Pair 3 is used for ISAKMP authentication: each peer is authenticated and their identity is validated by the other using pre-shared keys (authentication pre-share) or digital certificates. These packets and all others exchanged from now on during the negotiations are encrypted and authenticated using the policies exchanged and agreed upon in pair 2.
IKE Aggressive mode (Phase 1) uses just three messages rather than the six used with Main mode. The same information is exchanged between peers but it is possible to discover peer identity information because peer identification happens unencrypted, occurring before the secure DH public key exchange.
This method is preferred when one of the peers has no static IP public address and instead has a dynamic public IP address. In this case the “dynamic” side will always initiate the communication with the “static” peer in order to establish the ISAKMP/IKE tunnel.
IKE Phase 2
IKE Phase 2 leverages the negotiated parameters in Phase 1 for securing IPsec SA creation. However, unlike the single bidirectional SA created within Phase 1, the IPsec SAs are unidirectional, meaning a different session key is used for each direction (one for inbound, or decrypted traffic, and one for outbound, or encrypted traffic). This is applicable for any administrator-configured source destination network pair. Therefore, you might end up with four unidirectional IPsec SAs if you have two source-destination network pairs defined in a VPN policy.
During IKE Quick mode (IKE Phase 2), IKE transform-sets (a list of encryption and hashing protocols) used for IPsec policy negotiation and unidirectional SA creation are exchanged between peers. Regardless of the parameters/attributes selected within a transform set, the same five pieces of information are always sent:
- * IPsec encryption algorithm (DES, 3DES, AES)
- * IPsec authentication algorithm (MD5, SHA-1)
- * IPsec protocol (AH or ESP)
- * IPsec SA lifetime (seconds or kilobytes)
- * IPsec mode (Tunnel, Transport)
The lifetime is how long until this IKE Phase 1 tunnel should be torn down. The default is 86400 seconds. This is the only parameter that does not have to exactly match with the other peer to be accepted.
Tunnel and Transport modes are configurable in the crypto ipsec transform-set config mode.
Tunnel mode is the default and Transport mode is never used; You can understand the reason on the following figure 7: in this mode, the original IP header is not encapsulated within the ESP header/trailer which makes it useless to run over the internet.
In our example we have configured esp-aes esp-sha hmac in tunnel mode (default) with lifetime 86400(default).
The IKE phase 2 transform-set must match on both peers.
AH (Authentication Header) and ESP (Encapsulating Security Payload)
Both AH and ESP operate at the network layer of the OSI model and, as a result, have their own protocol numbers for protocol identification carried out by devices in the VPN path.
ESP can provide the optional encryption function for data traversing the VPN connection. Therefore, ESP is the preferred choice for use with IPsec.
The data encryption function provided by ESP is carried out by one of the following symmetric key algorithms:
- * Digital Encryption Standard (DES)
- * Triple DES (3DES)
- * Advanced Encryption Standard (AES)
The origin authentication, provided by both AH and ESP, can be carried out by one of the following hash algorithms:
- * Message Digest 5 algorithm (MD5)
- * Secure Hash (SHA)
Only Encapsulation Security Protocol (ESP) in tunnel mode is used in the real world. It encrypts and encapsulates the original packet, and then places a new IP header before forwarding the packet. The Internet sees only the packet as being from the global IP address of one router and destined to the global address of the second router.
Figure 7: ESP Transport and Tunnel modes
Access List & Crypto Map
The extended access list specifies which local and remote networks can communicate through the VPN tunnel. Permit statements identify which traffic will be encrypted and deny traffic statements identify which traffic will not be encrypted.
This logic has particular relevance with IPsec VPN in tunnel mode where the original IP header may contain both source and destination private IP address. The ESP packets will be successfully routed because the new IP header will contain the peer public routable IP addresses.
In our example we have set up the extended access list 120 where only 192.168.10.0/24 and 10.10.10.0/24 are allowed to communicate within the tunnel.
access list 120 permit ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
The same permit statement must be reversed and applied on the other peer. For instance:
access list 135 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
Then a crypto map must be created and named (crypto map INTENSE_SCHOOL_MAP 1 ipsec-isakmp) where the access list (match address 110) will be applied and where the peer (set peer 22.214.171.124) and the transform-set (set transform-set INTENSE_SCHOOL_IPSEC) will be set.
Finally the crypto map has to be applied within the interface used to negotiate the tunnel with the remote peer, crypto map INTENSE_SCHOOL_MAP.
Cisco expects you to know about the above-mentioned protocols, their responsibilities on building the IPsec VPN tunnel, and the tunnel configuration using the CLI and the CPP.
Cisco will potentially get the candidates to use Simlets where they are expected to configure, verify and troubleshoot IPsec VPN site-to-site using the CCP (Cisco Configuration Professional). It is also very likely that you’ll be asked to answer questions based on CLI show crypto commands output.
Also they might be drag and drop tests where the candidate has to recognize the different functions and/or algorithm types between symmetric and asymmetric or the difference between IKE phase1 and IKE phase2.