Tuesday, February 7, 2012

VPN in a Nutshell

Not sure whether this topic is on the CCNA, ICND1 or ICND2 exam, but it was covered peripherally in the CCNA Bootcamp course and is offered as a separate course or certification for Cisco VPNs.

What is a VPN?
Definition: a Virtual Private Network creates a private network by tunneling over a public network while maintaining the confidentiality and integrity of the traffic. It is a way for a remote host or site to communicate securely with a corporate network over the Internet through a dedicated VPN server or gateway. Windows NT, 2000 and XP offer native VPN client support. On a Cisco router, the IOS image must include VPN (crypto) support.

A client for Cisco IPsec VPNs can also be set up on Linux: install the network-manager-vpnc package, which is the NetworkManager plugin for vpnc, the open-source client that speaks the Cisco concentrator's IPsec/XAUTH dialect. http://www.linuxplanet.com/linuxplanet/tutorials/6773/1

What are the Components of a VPN?
  • The real private network at each end, with its servers and workstations
  • An Internet connection
  • VPN gateways, the endpoints that establish, maintain and control VPN connections; these can be routers, firewalls, VPN concentrators or an ASA (Adaptive Security Appliance)
  • Software to manage the VPN tunnels (the client on a workstation, or the management tooling for the gateways)
  • A Cisco IOS image that includes VPN (crypto) support

How are VPNs made secure?
A VPN is only as secure as the tunneling protocol, cipher suite and authentication behind it, but a properly configured one hides the contents of its traffic from everyone on the path. That is strong enough that certain totalitarian regimes in the world today ban VPNs outright! I suppose it is because the added security prevents the government from spying on its own people plotting a revolt. Now what I want to know is, how does the government know if someone is using a VPN, and where it starts and where it ends? How do you even see a VPN signature?

VPNs get their virtual path from encapsulation, or tunneling: a packet from one network is wrapped inside another packet and carried transparently across a shared infrastructure to the other network. Encapsulation by itself hides nothing, though; anyone on the path can read a plain GRE or L2TPv3 tunnel. Confidentiality comes from encryption, which transforms the data with a shared secret key (or keys negotiated from one) into a form that only the other endpoint can decode back into the original plaintext, and integrity comes from a keyed checksum (HMAC) over each packet so that tampering in transit is detected.

Read more about Encryption Standards

Setting up or Connecting to the VPN
Connecting with vpnc (or the network-manager-vpnc GUI) to a Cisco IPsec gateway needs five pieces of information, which map directly onto the keywords in a vpnc profile (/etc/vpnc/<name>.conf):
  • IPSec gateway: the hostname or IP address of the VPN server
  • IPSec ID: the group name
  • IPSec secret: the pre-shared key shared by everyone in the group
  • Xauth username: your username
  • Xauth password: your password (leave it out of the file and vpnc prompts for it at connect time)
The group pre-shared key takes the place of a certificate for authenticating the IKE phase 1 exchange that forms the tunnel; the username and password (XAUTH) then authenticate the individual user on top of it. It sounds like a pretty serious breach if someone acquired the pre-shared key, so don't leave it stored on the computer in a file called "my vpn shared password for the group", if you know what I'm saying. The key is shared by every user in the group, it sits on disk in plaintext in the vpnc profile (and only obfuscated as enc_GroupPwd in a Cisco VPN Client .pcf file, which the cisco-decrypt tool shipped with vpnc reverses), and because the Cisco client uses IKE aggressive mode, a captured first exchange is enough to brute-force a weak group key offline with a tool such as ike-scan. Keep the profile owned by root with mode 0600, and treat the group key as a credential that has to be rotated when someone leaves.

Hardware
The Cisco ASA 5500 Series offers both IPsec and SSL VPN, an application-inspection firewall and intrusion prevention services.

IPsec VPN on the Cisco 7600 Series and Catalyst 6500 Series requires a shared port adapter (SPA). Did I read correctly that it runs AES encryption and can carry up to 8,000 IPsec tunnels?

Configuration Commands
Here is a mishmash of commands I have to reorder into the right sequence, because it is supposed to work on a Cisco 2811. It's not an actual configuration file but notes I wrote to myself as comments on things to include. Sample config file coming soon, when I can prove that it works!

It's tricky, but there is useful information on HOW TO configure an IPsec encrypted tunnel with Cisco. There are a lot of helpful pages on cisco.com as well.


% Prerequisites
% ip cef (or ip cef distributed on distributed platforms); L2TPv3 needs CEF switching
% configure a loopback interface (a /32) to use as the local tunnel endpoint
% choose static or dynamic L2TPv3 sessions (static: IDs and cookies typed on both ends; dynamic: negotiated over the control channel using an l2tp-class)
% ip pmtu configures the pseudowire class (it goes under pseudowire-class together with the encapsulation and the local interface)
% L2TPv3 data encapsulation is directly over IP, protocol number 115 (an IP protocol, not a TCP/UDP port); the sessions join attachment circuits of the same Layer 2 protocol
% xconnect is applied to the attachment-circuit interface (the customer-facing port), pointing at the peer loopback address and a VC ID
% set mtu consistently on both attachment circuits; use ip dfbit set and ip pmtu accordingly so the tunnel discovers the path MTU instead of fragmenting
% enable SNMP notifications of L2TP session up/down: snmp-server enable traps l2tun session
% L2TPv3 itself does not encrypt; the data path is in the clear unless protocol 115 is wrapped in IPsec
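The notes above put into the order IOS expects, as an added example written for this post rather than a configuration taken from it or from cisco.com. It assumes a Cisco 2811 running an IOS image with L2TPv3 and crypto support, two provider-edge routers PE1 (loopback 10.0.0.1) and PE2 (loopback 10.0.0.2), FastEthernet0/1 as the customer-facing attachment circuit and FastEthernet0/0 as the WAN uplink toward 192.0.2.2; every name, address, ID and secret is a placeholder. Because L2TPv3 only encapsulates (IP protocol 115 carries the customer frames in the clear), the second half wraps the tunnel traffic between the two loopbacks in IPsec transport mode, which is what actually makes it an encrypted tunnel:

```cisco
! PE1. PE2 mirrors this with the addresses swapped (and, for the static
! variant, the local/remote IDs and cookies swapped). Example values only.
!
! Prerequisite: L2TPv3 requires Cisco Express Forwarding.
ip cef
!
! /32 loopback used as the tunnel (and IPsec) endpoint; it must be routable
! from the peer. The static route below is the assumed path to PE2.
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
ip route 10.0.0.2 255.255.255.255 192.0.2.2
!
! Control-channel class for DYNAMIC sessions. The shared secret only
! authenticates L2TPv3 control messages; data packets get no protection.
l2tp-class L2TP-DEFAULTS
 authentication
 password 0 L2tpControlSecret
 hello 10
!
! Pseudowire class: L2TPv3 over IP, sourced from Loopback0, with path MTU
! discovery (ip pmtu) and the DF bit set so tunnel packets are never
! fragmented in the core.
pseudowire-class L2TPV3-PW
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-DEFAULTS
 ip local interface Loopback0
 ip pmtu
 ip dfbit set
!
! Attachment circuit: the whole port is cross-connected to VC ID 100 on PE2.
! The MTU here must match the attachment circuit on PE2.
interface FastEthernet0/1
 description L2TPv3 attachment circuit to PE2
 no ip address
 xconnect 10.0.0.2 100 encapsulation l2tpv3 pw-class L2TPV3-PW
!
! STATIC alternative (no control channel; session IDs and cookies are
! agreed by hand). Only the 8-byte cookie stops blind spoofed frames
! from being injected into the pseudowire, so use the full size.
! pseudowire-class L2TPV3-STATIC
!  encapsulation l2tpv3
!  protocol none
!  ip local interface Loopback0
!  ip pmtu
!  ip dfbit set
! interface FastEthernet0/1
!  xconnect 10.0.0.2 100 encapsulation l2tpv3 manual pw-class L2TPV3-STATIC
!   l2tp id 1001 2001
!   l2tp cookie local 8 1234567890 987654321
!   l2tp cookie remote 8 2345678901 876543219
!
! SNMP notification when a session comes up or goes down.
snmp-server enable traps l2tun session
!
! --- Confidentiality: protect IP protocol 115 between the two loopbacks
! with IPsec transport mode (assumed pre-shared key, same on both ends).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key IkePreSharedKey address 10.0.0.2
!
crypto ipsec transform-set L2TPV3-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Only the L2TPv3 packets between the loopbacks are selected for encryption.
ip access-list extended L2TPV3-TRAFFIC
 permit 115 host 10.0.0.1 host 10.0.0.2
!
crypto map L2TPV3-MAP local-address Loopback0
crypto map L2TPV3-MAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set L2TPV3-TS
 match address L2TPV3-TRAFFIC
!
! The crypto map goes on the physical uplink the tunnel packets leave through.
interface FastEthernet0/0
 description WAN uplink
 ip address 192.0.2.1 255.255.255.252
 crypto map L2TPV3-MAP
```

Verify the pseudowire with show xconnect all and show l2tun session all, and the encryption with show crypto isakmp sa and show crypto ipsec sa: if the xconnect comes up but the IPsec packet counters stay at zero, the crypto map or its access list is not matching and the tunnel is running unencrypted. The password 0 and crypto isakmp key lines land in the running config in plaintext (service password-encryption only applies the reversible type 7 encoding), so treat the saved configuration as sensitive.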
