Instructional Resource
Chapter 8 Implementing Virtual Private Networks
Chapter 8: Objectives
Describe the purpose and types of VPNs and define where to use VPNs in a network.
Describe how to configure a GRE VPN tunnel.
Describe the fundamental concepts and technologies of IPsec VPNs.
Describe how to configure a site-to-site IPsec VPN using the CLI and Cisco CCP.
Describe the two common remote-access methods used in enterprise networks.
Describe how the Cisco VPN Client is used in an IPsec remote-access VPN.
Describe how Secure Socket Layer (SSL) is used in a remote-access VPN.
Configure a remote-access IPsec VPN using the CLI and Cisco CCP.
2012 Cisco and/or its affiliates. All rights reserved.
9.2.1 IPsec
9.2.2 SSL
9.3.1 IKE
9.3.2 ESP
9.3.3 AH
9.4.1 CCP
9.4.2 CLI
Configure a site-to-site IPsec VPN using the CLI: ensure that existing interface ACLs do not block IPsec traffic (ISAKMP on UDP port 500, NAT-T on UDP port 4500, ESP as IP protocol 50, AH as IP protocol 51), define the IKE parameters and the IPsec transform set, configure the crypto ACL, and create and apply a crypto map.
Use the CCP Quick Setup VPN wizard or the Step-by-Step wizard to perform the same site-to-site configuration from the GUI.
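The CLI steps above, carried through as one complete configuration for one end of the tunnel. This is an added example, not configuration taken from the page or from Cisco; the interface, LAN and peer addresses (RFC 5737 documentation ranges), the names OUTSIDE-IN, VPN-TS, VPN-TRAFFIC and VPN-MAP, and the pre-shared key are assumptions. The peer router is configured the same way with the addresses swapped and the crypto ACL mirrored.

```cisco
! R1 (site A): outside GigabitEthernet0/0 = 203.0.113.1, inside LAN 10.1.1.0/24
! Peer R2 (site B): outside 198.51.100.2, inside LAN 10.2.2.0/24
! All addresses, names and the key are assumptions for this example.
!
! Step 1: if an inbound ACL protects the outside interface, it must let the
! IPsec control and data traffic from the peer through.
ip access-list extended OUTSIDE-IN
 remark IKE (UDP 500) and NAT-T (UDP 4500) from the peer
 permit udp host 198.51.100.2 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.2 host 203.0.113.1 eq non500-isakmp
 remark ESP (IP protocol 50) and AH (IP protocol 51) from the peer
 permit esp host 198.51.100.2 host 203.0.113.1
 permit ahp host 198.51.100.2 host 203.0.113.1
!
! Step 2: IKE Phase 1 (ISAKMP) policy and the pre-shared key for this peer.
! Every parameter here must have a matching policy on the peer.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key Ex4mpl3-PSK address 198.51.100.2
!
! Step 3: IPsec transform set, the proposal used in IKE Phase 2 (quick mode).
! Tunnel mode is the default for a site-to-site VPN; stated here for clarity.
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 4: crypto ACL. Defines the "interesting" traffic that triggers the tunnel
! and is protected by it. The peer must have the mirror image of this ACL.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 5: crypto map ties peer, transform set and crypto ACL together.
! PFS forces a fresh DH exchange for each Phase 2 SA.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set VPN-TS
 set pfs group14
 match address VPN-TRAFFIC
!
! The crypto map is applied to the OUTSIDE interface, never the inside one.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
```

Two practical points the step list does not mention. If the same router also performs NAT for the inside LAN, the NAT ACL must deny the 10.1.1.0/24 to 10.2.2.0/24 traffic before its permit statement, otherwise packets are translated before they reach the crypto map and never match the crypto ACL. The SHA-256 choices (`hash sha256`, `esp-sha256-hmac`) need a k9 image of IOS 15.x; on older images substitute `hash sha` and `esp-sha-hmac`, which the page's term list (HMAC-SHA-1) reflects.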
Chapter 8: Activities
Chapter 8 Lab A: Configuring a Site-to-Site VPN Using Cisco IOS
and CCP
Part 1: Basic Router Configuration
Part 2: Configure a Site-to-Site VPN Using Cisco IOS
Part 3: Configure a Site-to-Site VPN using CCP
Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client
Part 1: Basic Router Configuration
Part 2: Configuring a Remote Access VPN
IPsec
SSL
GRE
ATM
PVC
MPLS
POTS
ISDN
Dynamic Multipoint VPN (DMVPN) enables the auto-provisioning of site-to-site IPsec VPNs by combining three Cisco IOS software features: NHRP, multipoint GRE, and IPsec VPN.
V3PN
HSRP
NHRP
Cisco AnyConnect
AIM
SPA
VAM2+
Pre-shared keys
ESP
AH
DES
3DES
AES
SEAL
HMAC
HMAC-SHA-1
RSA
DH
Tunnel Mode
Transport Mode
SA
Security Associations
ISAKMP
IKE Phase 1
IKE Phase 2
Aggressive mode
Quick mode
QM_IDLE
RRI
A crypto-capable IOS image is required, usually indicated by k9 in the image name (k8 indicates an image with only limited crypto commands available).
Common causes of site-to-site IPsec VPN failure include:
Incorrect ISAKMP policies configured (the two peers share no policy with matching encryption, hash, authentication, DH group and lifetime).
Incorrect crypto keys or peer address configured.
Crypto map parameters not configured accurately.
Crypto map not applied to the correct interface (it should usually be the outside interface).
Invalid ACL statements (an interface ACL that drops IPsec traffic, or crypto ACLs that are not mirror images of each other).
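Each cause in the list above can be checked from the router with a specific show command before resorting to debugging. The session below is an added example, not from the page; the hostname R1, the interface GigabitEthernet0/0, the addresses and the sample show crypto isakmp sa output are constructed for a hypothetical working tunnel, and the output layout is that of IOS 15 (other releases print the columns differently).

```cisco
! 0. Crypto-capable image? The image name should contain k9.
R1# show version | include System image
!
! 1. ISAKMP policies: compare each line (encryption, hash, authentication,
!    DH group, lifetime) against the same output on the peer. At least one
!    policy must match completely.
R1# show crypto isakmp policy
!
! 2. Pre-shared key and peer address: the key must be identical on both ends
!    and the address must be the peer's OUTSIDE address.
R1# show running-config | include crypto isakmp key
!
! 3. Crypto map parameters: peer, transform set, crypto ACL, and the
!    "Interfaces using crypto map" line at the end, which also answers
!    cause 4 (is the map bound to the outside interface?).
R1# show crypto map
R1# show running-config interface GigabitEthernet0/0 | include crypto map
!
! 5. ACLs: the crypto ACL on each side must be the mirror image of the other,
!    and any inbound ACL on the outside interface must permit isakmp,
!    non500-isakmp, esp and ahp from the peer.
R1# show ip access-lists
!
! Generate interesting traffic, then check Phase 1. A healthy tunnel shows
! state QM_IDLE; MM_NO_STATE or a missing entry means Phase 1 failed.
R1# ping 10.2.2.1 source 10.1.1.1
R1# show crypto isakmp sa
! Constructed output for a working tunnel:
! IPv4 Crypto ISAKMP SA
! dst             src             state          conn-id status
! 198.51.100.2    203.0.113.1     QM_IDLE           1001 ACTIVE
!
! Phase 2: both encaps and decaps counters must increase. Encaps rising while
! decaps stays at zero means the peer never sends protected traffic back,
! typically a crypto ACL mismatch, NAT on the return path, or a blocked ESP.
R1# show crypto ipsec sa | include pkts
!
! Only when the show commands do not explain it: watch the negotiation live.
! Disable with "undebug all" as soon as the cause is found.
R1# debug crypto isakmp
```

Work the list top to bottom: a Phase 1 mismatch shows up in the ISAKMP policy and key checks, while a Phase 2 problem (QM_IDLE reached, but no decaps) points at the transform set, the crypto ACLs, or the path between the peers.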
IPsec remote-access VPNs are more secure and support most applications, but they require a client to be pre-installed on the host, such as the Cisco VPN Client or Cisco AnyConnect.
SSL remote-access VPNs are more flexible because they are accessed through a web browser, but they can only reach web-enabled applications.
The key-length figures in the comparison that follows reflect the SSL cipher suites of the time; current TLS deployments use the same AES key lengths as IPsec, so the encryption row no longer distinguishes the two approaches.
Category             SSL remote-access VPN                     IPsec remote-access VPN
                     ("anywhere access")                       ("any application")
Application support  Web-enabled applications only             Any IP-based application
Encryption           Moderate: key lengths 40 to 128 bits      Stronger: key lengths 56 to 256 bits
Authentication       Moderate: one-way or two-way              Strong: two-way, using shared secrets or digital certificates
Ease of use          Very easy                                 Moderately easy
Overall security     Moderate: any device can connect          Strong: only specific devices with specific configurations can connect
Think of each site as an island.
Without VPN tunnels, you must travel between islands on a public ferry, so there is no privacy.
With VPN tunnels, you have your own private submarine to go from island to island.
Think of two people who exchange letters with each other.
They know that the letters will pass through many hands, including the postal service, their organization, and perhaps even parents at either end.
By agreeing on a secret code in advance, they can exchange letters without anyone else knowing what they are sending.
Students must get their own battle scars.
Cisco VPN Client: http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html