Chapter 3. Basic IPsec VPN Topologies and Configurations


In this chapter, we will review several common deployments of IPsec virtual private networks (VPNs). We will begin by reviewing the typical site-to-site IPsec model over a dedicated circuit between two endpoints, then discuss some of the design implications as that dedicated circuit grows to include an entire routed domain. We will discuss aggregation of many site-to-site IPsec VPNs at an aggregation point, or hub IPsec router, in a standard hub-and-spoke design and extend the IPsec aggregation concept to include Remote Access VPN (RAVPN) design considerations. Figure 3-1 illustrates a loose process that may be helpful when configuring a crypto endpoint for basic IPsec operations. Though effective IPsec VPN design drives the complexity of configuration far beyond what is depicted in Figure 3-1, most of the basic topologies we will discuss will relate to this procedure on a fundamental level.



[Figure 3-1. High-Level Configuration Process for IPsec VPN]



Each of the following deployments requires the configuration of IPsec in a point-to-point fashion in one way or another. As such, all of the topologies discussed share common configuration tasks to establish the IPsec tunnel:



Step 1. Decide how strong the IPsec transform must be and what mode the tunnel must use (define IPsec Transform Set).

Step 2. Decide how the session keys must be derived and if IKE is necessary (create ISAKMP Policy or Session Keys within Crypto Map).

Step 3. If IKE is required, decide on ISAKMP policy parameters (create Internet Security Association and Key Management Protocol policy), addressing the following tasks in your configuration:

  - Authentication method (select one of the following):
      - Assign key and peer if pre-shared.
      - Create and share RSA public keys if RSA-encr.
      - Authenticate and enroll with CA if RSA-sig.
  - Diffie-Hellman Key Modulus (Group #)
  - Hash used for IKE authentication
  - Encryption method used for IKE channel

Step 4. Identify and assign IPsec peer and any High Availability requirements. (Create crypto map.)

Note

In this chapter, topologies will include only limited discussions of IPsec High-Availability (HA) design concepts. IPsec HA design and examples are discussed in greater detail in Chapters 5-9.

Step 5. Define traffic sets to be encrypted (Crypto ACL Definition and Crypto Map Reference).

Step 6. Identify requirement for PFS and reference PFS group in crypto map if necessary.

Step 7. Apply crypto map to crypto interfaces.







Site-to-Site IPsec VPN Deployments

The most basic form of IPsec VPN is represented with two VPN endpoints communicating over a directly connected shared media, or dedicated circuit, which closely resembles bulk encryption alternatives at Layer 1 and 2 of the OSI stack (see Table 1-1 for VPN technologies and the OSI stack). This scenario, while simple to deploy and manage, can be cost prohibitive and does not yield many of the benefits of IPsec VPN connectivity over a routed domain (multiple Layer 3 hops between endpoints).

Indeed, because IPsec is a Layer 3 VPN technology, it was designed to function across multiple Layer 3 hops in order to circumvent many of the scalability and manageability issues in previous VPN alternatives. As such, IPsec deployed over a routed domain will also provide further scalability, flexibility, and availability over and beyond the simple dedicated-circuit model. In this section, we will explore design concepts related to both topologies and the corresponding configuration and verification processes required.



Site-to-Site VPN Architectural Overview for a Dedicated Circuit

Site-to-site IPsec VPNs are typically deployed when two or more autonomous systems wish to communicate with each other over an untrusted media when confidential exchange of data is required. Consider the situation described in Figure 3-2, where three autonomous systems wish to communicate using dedicated T-1 circuits between each pair.

[Figure 3-2. Site-to-Site IPsec VPN Topology Using Dedicated T-1 Circuits for Communications]

It is important to note that, assuming that each autonomous system (AS) does not act as a transit AS, there is only one path between each AS. Therefore, in this specific case, there is no benefit to configuring redundant peering options or sourcing IPsec tunnel endpoints from highly available IP addresses (such as a loopback address). In this simple site-to-site topology, it is most common to source IPsec VPN tunnel endpoints on the physical interfaces (DS-3 in this case) themselves. This type of topology does not leave room for much in the way of IPsec HA design, and therefore, it is relatively simple to deploy. We will now explore the configuration steps necessary to establish the basic site-to-site IPsec VPN described earlier, and then we will outline some common techniques used to verify the establishment and operation of the IPsec VPN tunnel.



Cisco IOS Site-to-Site IPsec VPN Configuration

The configurations in the following examples were all built using the process described in Figure 3-1 and pertain to the topology depicted in Figure 3-2. Some design considerations for these particular IPsec VPNs are as follows:

  - Tunnel mode is used to keep the original IP header confidential.
  - The routers are capable of handling 256-bit AES ESP transforms in hardware. Hash-based Message Authentication Codes (HMAC) are implemented in the transform to ensure integrity in the cipher block chain of encrypted packets traversing the IPsec security association (SA).
  - The DH group is 5 in order to accommodate the large key material needed by the AES transform.
  - There is no certification authority (CA), and the administrators want to use hardware acceleration, which rules out the RSA-encrypted nonces method of authentication. So preshared keys are used for Internet Security Association and Key Management Protocol (ISAKMP) authentication.
  - Strong authentication is required during ISAKMP, so the hash is SHA-1 and the symmetric transform for the IKE SA is 3DES.
  - It is desirable to have the IPsec session keys derived independently (as opposed to derived from the ISAKMP DH shared secret keys). As such, perfect forward secrecy (PFS) is enabled. Again, the group is 5 to generate the appropriate key material for the IPsec transform (AES).



Note

The preceding VPN considerations describe a relatively strong cryptographic suite. As such, computation resources on the routers must be somewhat substantial to accommodate them. It is important that one weigh the amount of available computational resources against the organization's performance and security requirements before building IPsec VPN configurations.



Example 3-1 provides a configuration for the AS1-7301A in Figure 3-2. This router's configuration employs all of the elements necessary to accommodate a site-to-site IPsec VPN, including the IPsec transform, crypto ACL, and IPsec peer. In this case, AS1-7301A uses two site-to-site IPsec VPNs, to AS#2 and AS#3, respectively. This is accomplished by using two process IDs within the same crypto map (AS1VPN 10 and AS1VPN 20). AS1VPN, process 10, protects traffic from AS1 to AS2, as defined in Crypto ACL 101. AS1VPN, process 20, protects traffic from AS1 to AS3 (Example 3-1, line 14), as defined in Crypto ACL 102 (Example 3-1, line 15).



Example 3-1. Site-to-Site VPN Configuration on AS1-7301A

    AS1-7304A#show running-config
    !
    crypto ipsec transform-set ivdf3-1 esp-aes esp-sha-hmac
    crypto map AS1VPN 10 ipsec-isakmp
     set peer 200.1.1.2
     set transform-set ivdf3-1
     match address 101
     set pfs group5
    crypto map AS1VPN 20 ipsec-isakmp
     set peer 200.1.1.10
     set transform-set ivdf3-1
     match address 102
     set pfs group5
    access-list 101 permit ip 211.0.0.0 0.255.255.255 212.0.0.0 0.255.255.255
    access-list 102 permit ip 211.0.0.0 0.255.255.255 213.0.0.0 0.255.255.255
    !
    interface HSSI1/0
     ip address 200.1.1.1 255.255.255.252
     encapsulation HDLC
     crypto map AS1VPN
    interface HSSI2/0
     ip address 200.1.1.9 255.255.255.252
     encapsulation HDLC
     crypto map AS1VPN



Example 3-2 provides the configuration for the IPsec VPN gateway for AS2, AS2-3745A. Like AS1-7304A, AS2-3745A uses a single crypto map with two process IDs to protect traffic flows to AS1 and AS3. AS2VPN 10 protects traffic to AS1 (endpoint 200.1.1.1), and references ACL 101 for crypto-protected traffic and IPsec transform "ivdf3-1." AS2VPN 20 protects traffic to AS3 (endpoint 200.1.1.6), and references ACL 102 for crypto-protected traffic and IPsec transform "ivdf3-1." AS2-3745A uses a relatively strong transform, AES cipher with SHA1 HMAC authentication. PFS is also configured to refresh the symmetric transform key each time an IPsec SA is negotiated.



Example 3-2. Site-to-Site VPN Configuration on AS2-3745A

    AS2-3745A#show running-config
    !
    crypto ipsec transform-set ivdf3-1 esp-aes esp-sha-hmac
    crypto map AS2VPN 10 ipsec-isakmp
     set peer 200.1.1.1
     set transform-set ivdf3-1
     match address 101
     set pfs group5
    crypto map AS2VPN 20 ipsec-isakmp
     set peer 200.1.1.6
     set transform-set ivdf3-1
     match address 102
     set pfs group5
    access-list 101 permit ip 212.0.0.0 0.255.255.255 211.0.0.0 0.255.255.255
    access-list 102 permit ip 212.0.0.0 0.255.255.255 213.0.0.0 0.255.255.255
    !
    interface HSSI1/0
     ip address 200.1.1.2 255.255.255.252
     encapsulation HDLC
     crypto map AS2VPN
    interface HSSI2/0
     ip address 200.1.1.5 255.255.255.252
     encapsulation HDLC
     crypto map AS2VPN



Example 3-3 provides the configuration for the IPsec VPN gateway for AS3, AS3-3745A. Like AS1-7304A and AS2-3745A, AS3-3745A uses a single crypto map with two process IDs to protect traffic flows to AS1 and AS2. AS3VPN 10 protects traffic to AS1 (endpoint 200.1.1.9), and references ACL 101 for crypto-protected traffic and IPsec transform "ivdf3-1." AS3VPN 20 protects traffic to AS2 (endpoint 200.1.1.5), and references ACL 102 for crypto-protected traffic and IPsec transform "ivdf3-1." AS3-3745A uses a relatively strong transform, AES cipher with SHA1 HMAC authentication. PFS is also configured to refresh the symmetric transform key each time an IPsec SA is negotiated.



Example 3-3. Site-to-Site VPN Configuration on AS3-3745A

    AS3-3745A#show run
    !
    crypto ipsec transform-set ivdf3-1 esp-aes esp-sha-hmac
    crypto map AS3VPN 10 ipsec-isakmp
     set peer 200.1.1.9
     set transform-set ivdf3-1
     match address 101
     set pfs group5
    crypto map AS3VPN 20 ipsec-isakmp
     set peer 200.1.1.5
     set transform-set ivdf3-1
     match address 102
     set pfs group5
    access-list 101 permit ip 213.0.0.0 0.255.255.255 211.0.0.0 0.255.255.255
    access-list 102 permit ip 213.0.0.0 0.255.255.255 212.0.0.0 0.255.255.255
    !
    interface HSSI1/0
     ip address 200.1.1.10 255.255.255.252
     encapsulation HDLC
     crypto map AS3VPN
    interface HSSI2/0
     ip address 200.1.1.6 255.255.255.252
     encapsulation HDLC
     crypto map AS3VPN
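The three configurations only form a working mesh if each crypto map entry's peer is an interface address on another router, that router has an entry pointing back, its crypto ACL is the mirror image (source and destination swapped), and both sides use the same PFS group; a single transposed address or group number leaves one SA that never negotiates. The following Python script is an added check, not code from the book: it parses constructed excerpts of Examples 3-1 and 3-2 (page hostnames and addresses) and reports any entry without a mirror. The parser handles only the few IOS line shapes the examples use, and note that the printed excerpts do not contain the ISAKMP policy or preshared-key lines that Step 3 calls for, so those are not checked.

```python
# Constructed excerpts of Examples 3-1 and 3-2 (page values; only the lines the check reads).
CONFIGS = {
    "AS1-7304A": """crypto map AS1VPN 10 ipsec-isakmp
 set peer 200.1.1.2
 match address 101
 set pfs group5
access-list 101 permit ip 211.0.0.0 0.255.255.255 212.0.0.0 0.255.255.255
interface HSSI1/0
 ip address 200.1.1.1 255.255.255.252""",
    "AS2-3745A": """crypto map AS2VPN 10 ipsec-isakmp
 set peer 200.1.1.1
 match address 101
 set pfs group5
access-list 101 permit ip 212.0.0.0 0.255.255.255 211.0.0.0 0.255.255.255
interface HSSI1/0
 ip address 200.1.1.2 255.255.255.252""",
}

def parse(text):
    """Return (crypto map entries, crypto ACLs, interface addresses) from IOS config text."""
    maps, acls, addrs, cur = [], {}, set(), {}
    for t in (line.split() for line in text.splitlines()):
        if t[:2] == ["crypto", "map"] and len(t) > 3:      # crypto map NAME SEQ ipsec-isakmp
            cur = {"name": t[2], "seq": t[3]}
            maps.append(cur)
        elif t[:1] in (["set"], ["match"]) and len(t) > 2:  # set peer|pfs|transform-set, match address
            cur[t[1]] = t[2]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append((tuple(t[4:6]), tuple(t[6:8])))  # (src, dst)
        elif t[:2] == ["ip", "address"]:
            addrs.add(t[2])
    return maps, acls, addrs

def check_mesh(configs):
    """List crypto map entries whose peer router has no mirror-image entry (peer, ACL, PFS)."""
    parsed = {h: parse(c) for h, c in configs.items()}
    findings = []
    for host, (maps, acls, addrs) in parsed.items():
        for m in maps:
            tag = f"{host} {m['name']} {m['seq']}"
            peer = next((h for h, p in parsed.items() if m.get("peer") in p[2]), None)
            # the remote entry must point back at us with the (dst, src)-swapped ACL and same PFS group
            want = sorted((d, s) for s, d in acls.get(m.get("address"), []))
            if peer is None:
                findings.append(f"{tag}: peer {m.get('peer')} is not an address on any router")
            elif not [r for r in parsed[peer][0] if r.get("peer") in addrs and want
                      and sorted(parsed[peer][1].get(r.get("address"), [])) == want
                      and r.get("pfs") == m.get("pfs")]:
                findings.append(f"{tag}: no mirrored crypto map/ACL/PFS on {peer}")
    return findings
```

Running check_mesh(CONFIGS) on the page's values returns an empty list; feeding it the full mesh of all three routers, or a modified copy, is the same call.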



Verifying Cisco IOS Site-to-Site IPsec VPN Operation

Now that we have configured a full mesh of IPsec VPN tunnels between AS#1, AS#2, and AS#3, we must take some basic precautionary measures to guarantee that the VPN is operating successfully:

Step 1. Verify the establishment of ISAKMP SAs.

Step 2. Verify the establishment of IPsec SAs.

Step 3. Verify that basic network connectivity has been established over the VPN.

Step 4. Verify that the Crypto Engine is actively participating in IPsec and that protected traffic is being encrypted and decrypted.

Step 5. Check physical interface statistics for errors.


