# CCNA 200-301 - Video 35: VPN Technologies

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- What VPNs are and why they're used
- Site-to-Site vs. Remote Access VPNs
- IPsec protocols and components
- IPsec tunnel vs. transport mode
- DMVPN (Dynamic Multipoint VPN) concepts
- VPN configuration fundamentals
- VPN troubleshooting

---

## Core Concepts

### 1. What is a VPN?

**Definition:** A Virtual Private Network (VPN) creates a secure, encrypted connection over a public network (like the internet), allowing remote sites or users to communicate securely as if they were on a private network.

**Analogy:** Think of a VPN like a private, armored car traveling through a busy city. The armored car (VPN tunnel) protects its contents (data) from thieves and prying eyes, even though it's traveling on public roads (the internet).

```
VPN CONCEPT

WITHOUT VPN:
  Site A <------------------------------> Site B
           (data travels in clear text)
           [Internet] : the ISP can see the data

WITH VPN (IPsec tunnel):
  Site A <==============================> Site B
           (encrypted VPN tunnel)
           [Internet] : the ISP cannot read the data (encrypted)
```

---

### 2. VPN Types

| Type | Description | Use Case | Example |
|------|-------------|----------|---------|
| **Site-to-Site VPN** | Connects entire networks to each other | Branch to HQ, partner connections | IPsec tunnel between routers |
| **Remote Access VPN** | Connects individual users to the corporate network | Employees working from home | AnyConnect, IPsec client |
| **Client-Based VPN** | Software installed on the user's device | End-user connectivity | Cisco AnyConnect |
| **Clientless VPN** | Browser-based access | Limited application access | SSL VPN portal |

```
VPN TYPES

SITE-TO-SITE VPN:
  +----------+                          +----------+
  |  Branch  |<===== IPsec Tunnel =====>|    HQ    |
  |  Office  |                          |  Office  |
  +----------+                          +----------+
  The entire branch network can reach the entire HQ network.

REMOTE ACCESS VPN:
  +----------+
  |  Laptop  |
  |  (Home)  |
  +----+-----+
       |  AnyConnect / IPsec client
       v
  [ Internet ]
       |
       v
  +----------+
  |    HQ    |
  |  Office  |
  +----------+
  Individual users connect securely to the corporate network.
```

---

### 3. IPsec Components

**IPsec (IP Security):** A suite of protocols that provides security for IP communications through authentication and encryption.

```
IPSEC SUITE
  |
  +-- IKE/ISAKMP (Phase 1) : key exchange, peer authentication, SA creation, DH exchange
  +-- ESP (encryption)     : data encryption, authentication, anti-replay
  +-- AH (authentication)  : integrity and authentication only (no encryption)
```

**IPsec Protocols:**

| Protocol | IP Protocol Number / Port | Purpose |
|----------|---------------------------|---------|
| **AH (Authentication Header)** | IP protocol 51 | Data integrity and authentication (no encryption) |
| **ESP (Encapsulating Security Payload)** | IP protocol 50 | Encryption, authentication, anti-replay |
| **IKE (Internet Key Exchange)** | UDP port 500 | Key exchange, SA establishment |

Note the difference in the middle column: AH and ESP are IP protocols that sit directly on top of IP (they have no ports), while IKE is carried in UDP. When a NAT device sits between the peers, IKE and ESP are moved into UDP port 4500 (NAT Traversal, NAT-T), so a firewall in the path must allow IP protocol 50, UDP 500 and UDP 4500.

---

### 4. IPsec Modes

```
IPSEC MODES

TRANSPORT MODE:
  Original packet:  | Original IP Header | TCP/UDP | Payload |
  After IPsec:      | Original IP Header | ESP/AH Header | TCP/UDP | Payload |
                      (in clear)                           (encrypted by ESP)
  Use case: end-to-end protection (host to host)
            the original IP header is preserved for routing

TUNNEL MODE (most common):
  Original packet:  | Original IP Header | TCP/UDP | Payload |
  After IPsec:      | New IP Header | ESP/AH Header | Original IP Header | TCP/UDP | Payload |
                      (in clear)                     (entire original packet encrypted by ESP)
  Use case: site-to-site VPN (gateway to gateway)
            the entire original packet is encrypted
            the new IP header (gateway addresses) is used for routing
```

Two points that are easy to get wrong: the outer (new) IP header in tunnel mode is never encrypted, because every router between the gateways has to read it; and AH encrypts nothing in either mode, it only authenticates (which is why ESP is what site-to-site VPNs actually use).

---

### 5. IPsec Phase 1 (IKE Phase 1)

**Purpose:** Establish a secure, authenticated channel (ISAKMP SA) for Phase 2 negotiation.

```
IKE PHASE 1 - MAIN MODE (6 messages)

  Router A                                                 Router B
     |  1. IKE SA proposal (encryption, hash, DH group)      |
     |------------------------------------------------------>|
     |  2. IKE SA accepted                                   |
     |<------------------------------------------------------|
     |  3. Diffie-Hellman key exchange (+ nonce)             |
     |------------------------------------------------------>|
     |  4. Diffie-Hellman key exchange (+ nonce)             |
     |<------------------------------------------------------|
     |  5. Identity verification (pre-shared key / certificates)
     |------------------------------------------------------>|
     |  6. Identity verification                             |
     |<------------------------------------------------------|
     |                                                       |
     IKE SA established (Phase 1 complete)
```

Messages 5 and 6 are already encrypted with keys derived from the DH exchange, so main mode hides the peer identities from an observer. The alternative, aggressive mode, collapses the exchange into 3 messages and sends the identity and the pre-shared-key hash in the clear, which exposes the PSK to offline guessing; main mode is the default for site-to-site tunnels.

**IKE Phase 1 Parameters:**

| Parameter | Options | Description |
|-----------|---------|-------------|
| **Encryption** | AES, 3DES, DES | Algorithm protecting the IKE exchange (DES and 3DES are legacy) |
| **Hash** | SHA, MD5 | Integrity/hashing algorithm (`sha` means SHA-1; MD5 is legacy) |
| **DH Group** | 1, 2, 5, 14, 19, 20, 21 | Diffie-Hellman group (1, 2 and 5 are legacy; 19 to 21 are elliptic-curve groups) |
| **Authentication** | Pre-shared key, RSA signatures | Peer authentication method |
| **Lifetime** | 86400 seconds (default) | IKE SA lifetime (24 hours) |

---

### 6. IPsec Phase 2 (IKE Phase 2)

**Purpose:** Establish the IPsec SA used for actual data encryption.

```
IKE PHASE 2 - QUICK MODE (3 messages, protected by the Phase 1 SA)

  Router A                                                 Router B
     |  1. IPsec SA proposal (ESP/AH, encryption, lifetime)  |
     |------------------------------------------------------>|
     |  2. IPsec SA accepted                                 |
     |<------------------------------------------------------|
     |  3. IPsec SA confirmation                             |
     |------------------------------------------------------>|
     |                                                       |
     IPsec SA established (Phase 2 complete)
     |                                                       |
     |  Data transmission (ESP)                              |
     |======================================================>|
```

**IPsec Phase 2 Parameters:**

| Parameter | Options | Description |
|-----------|---------|-------------|
| **Protocol** | ESP, AH | Security protocol |
| **Encryption** | AES, 3DES, DES | Data encryption (ESP only) |
| **Authentication** | SHA, MD5 | Data integrity (HMAC) |
| **Mode** | Tunnel, Transport | Encapsulation mode |
| **Lifetime** | 3600 seconds (default) | IPsec SA lifetime (IOS also rekeys after 4,608,000 KB by default) |

An IPsec SA is unidirectional, so each Phase 2 negotiation produces a pair of SAs (one inbound, one outbound), each identified by its own SPI. That is why `show crypto ipsec sa` lists separate inbound and outbound SPIs.

---

### 7. Site-to-Site IPsec VPN Configuration

**Basic IPsec VPN Configuration:**

```cisco
! ========== ROUTER A ==========
!
! Phase 1: ISAKMP policy
! (group 2 and SHA-1 are shown because the video uses them; production
!  tunnels should use the stronger settings from the Best Practices section)
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key VPNKEY address 203.0.113.2
!
! Phase 2: IPsec transform set
crypto ipsec transform-set VPN-TRANSFORM esp-aes esp-sha-hmac
 mode tunnel
!
! Phase 2: crypto map ties peer, transform set and interesting traffic together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TRANSFORM
 match address 110
!
! ACL for interesting traffic
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Apply the crypto map to the outside interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
!
! ========== ROUTER B ==========
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key VPNKEY address 203.0.113.1
!
crypto ipsec transform-set VPN-TRANSFORM esp-aes esp-sha-hmac
 mode tunnel
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set VPN-TRANSFORM
 match address 110
!
! Mirror image of Router A's ACL: source and destination are swapped
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map VPN-MAP
```

Two things to check whenever a pair of configs like this is written: the ISAKMP policy, the pre-shared key and the transform set must match on both sides, and the crypto ACLs must be exact mirror images of each other. `VPNKEY` is a placeholder; use a long random key, and keep in mind that `service password-encryption` only obfuscates it (type 7). On IOS the key can be stored AES-encrypted as a type 6 key with `key config-key password-encrypt` and `password encryption aes`.

---

### 8. VPN Interesting Traffic

**Definition:** Interesting traffic is the traffic that triggers the VPN tunnel to be established.

```
INTERESTING TRAFFIC

ACL defines what traffic should be encrypted:
  access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Traffic flow:
  PC (192.168.1.10) -> Server (192.168.2.10)

  Router A sees the packet:
    - Source: 192.168.1.10, Destination: 192.168.2.10
    - Matches ACL 110 -> interesting!
    - Check whether an IPsec SA exists
    - If not, initiate IKE (Phase 1 and Phase 2)
    - Encrypt the packet and send it through the tunnel

Traffic that does NOT match the ACL:
    - Internet traffic (destination not in 192.168.2.0/24)
    - Goes out unencrypted
    - Or may be blocked (depending on configuration)
```

Because non-matching traffic is simply forwarded in the clear, a crypto ACL that is too narrow (a missing subnet, a typo in a wildcard mask) fails silently: the packets still leave the router, just unprotected. Verify with `show crypto ipsec sa` that the `#pkts encaps` counter increments for the flows you expect to be protected.

---

### 9. IPsec Verification Commands

| Command | Purpose |
|---------|---------|
| `show crypto isakmp sa` | Display IKE Phase 1 SAs |
| `show crypto ipsec sa` | Display IPsec Phase 2 SAs |
| `show crypto map` | Display crypto map configuration |
| `show crypto ipsec transform-set` | Display transform sets |
| `debug crypto isakmp` | Debug IKE Phase 1 |
| `debug crypto ipsec` | Debug IPsec Phase 2 |
| `show crypto session` | Display active crypto sessions |

**Example Outputs:**

```cisco
Router# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE

Router# show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: VPN-MAP, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 203.0.113.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1234, #pkts encrypt: 1234, #pkts digest: 1234
    #pkts decaps: 1234, #pkts decrypt: 1234, #pkts verify: 1234
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 203.0.113.2
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x12345678(305419896)

     inbound esp sas:
      spi: 0x87654321(2271560481)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: 1, crypto map: VPN-MAP
        sa timing: remaining key lifetime (k/sec): (4608000/3585)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
```

`QM_IDLE` with status `ACTIVE` means Phase 1 completed and the IKE SA is idle, waiting for Quick Mode. In the IPsec output, `encaps`/`decaps` counters that both increase prove traffic is flowing in both directions; `encaps` rising while `decaps` stays at zero points at the other side (its crypto ACL or return route).

---

### 10. DMVPN (Dynamic Multipoint VPN)

**Definition:** DMVPN is a Cisco solution that combines GRE tunnels, IPsec encryption, and NHRP (Next Hop Resolution Protocol) to create a dynamic, scalable VPN network.
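Before the DMVPN material, here is a worked check for the two-router site-to-site configuration style of sections 5 to 8. It is an added example, not part of the original notes and not Cisco code: a small Python script that parses the crypto-relevant lines of two IOS configs and reports the peer mismatches the troubleshooting section attributes to a failing Phase 1 or Phase 2 (no matching ISAKMP policy, differing pre-shared keys or transform sets, non-mirrored crypto ACLs, crypto map not applied, PFS missing), and flags the legacy algorithms the Best Practices section warns about. The function names and finding strings are the example's own, and the two sample configs are constructed for it: Router A is the section 7 config (DH group 2, no PFS), Router B is hardened but carries a deliberately mistyped crypto ACL.

```python
# Added example (not from the CCNA notes): parse the crypto-relevant lines of two
# Cisco IOS router configs in the section 7 style and report the peer mismatches
# behind a failing Phase 1 or Phase 2, plus legacy algorithms. Names are the example's own.
WEAK_ENC, WEAK_HASH, WEAK_DH = {"des", "3des"}, {"md5"}, {"1", "2", "5"}
P1_KEYS = ("encryption", "hash", "authentication", "group")  # lifetimes may differ


def parse(cfg):
    """Collect ISAKMP policies, PSKs, transform sets, crypto maps, crypto ACLs, interfaces."""
    d = {"policy": {}, "psk": {}, "tset": {}, "map": {}, "acl": {}, "applied": set(), "ip": set()}
    block = None
    for line in cfg.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if not line.startswith(" "):                      # a global command opens a new block
            block = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                block = d["policy"].setdefault(w[3], {})
            elif w[:3] == ["crypto", "isakmp", "key"]:
                d["psk"][w[5]] = w[3]                     # peer address -> key
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                d["tset"][w[3]] = frozenset(w[4:])
            elif w[:2] == ["crypto", "map"]:
                block = d["map"].setdefault(w[2], {})
            elif w[0] == "access-list":                   # (src, wildcard, dst, wildcard)
                d["acl"].setdefault(w[1], []).append(tuple(w[4:8]))
            elif w[0] == "interface":
                block = d
        elif block is d:                                  # interface sub-commands
            if w[:2] == ["crypto", "map"]:
                d["applied"].add(w[2])
            elif w[:2] == ["ip", "address"]:
                d["ip"].add(w[2])
        elif block is not None:                           # ISAKMP policy or crypto map entry
            if w[0] in ("set", "match"):
                block[w[1]] = w[2]
            else:
                block[w[0]] = " ".join(w[1:])
    return d


def check(a, b):
    """Return findings for the router pair; an empty list means the two configs agree."""
    out = []
    if not any(all(pa.get(k) == pb.get(k) for k in P1_KEYS)
               for pa in a["policy"].values() for pb in b["policy"].values()):
        out.append("phase1: no ISAKMP policy matches between the peers")
    for side, me, peer in (("A", a, b), ("B", b, a)):
        for prio, pol in me["policy"].items():
            enc, hsh, grp = pol.get("encryption", ""), pol.get("hash", ""), pol.get("group", "")
            if enc.split(" ")[0] in WEAK_ENC or hsh in WEAK_HASH or grp in WEAK_DH:
                out.append(f"weak: {side} policy {prio} uses {enc}/{hsh}/DH group {grp}")
        for name, entry in me["map"].items():
            if entry.get("peer") not in peer["ip"]:
                out.append(f"{side} map {name}: peer is not an address of the other router")
            if name not in me["applied"]:
                out.append(f"{side}: crypto map {name} is not applied to any interface")
            if "pfs" not in entry:
                out.append(f"{side} map {name}: PFS not enabled")
    ea, eb = list(a["map"].values()), list(b["map"].values())
    if ea and eb:                                         # compare the first entry of each map
        ea, eb = ea[0], eb[0]
        if a["psk"].get(ea.get("peer")) != b["psk"].get(eb.get("peer")):
            out.append("phase1: pre-shared keys differ")
        if a["tset"].get(ea.get("transform-set")) != b["tset"].get(eb.get("transform-set")):
            out.append("phase2: transform sets differ")
        mirror = sorted((d, dw, s, sw) for s, sw, d, dw in a["acl"].get(ea.get("address"), []))
        if mirror != sorted(b["acl"].get(eb.get("address"), [])):
            out.append("phase2: crypto ACLs are not mirror images of each other")
    return out


# Constructed sample: Router A exactly as in section 7 (DH group 2, no PFS).
ROUTER_A = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key VPNKEY address 203.0.113.2
crypto ipsec transform-set VPN-TRANSFORM esp-aes esp-sha-hmac
 mode tunnel
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TRANSFORM
 match address 110
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
"""
# Router B: addresses swapped, hardened policy and PFS, but a mistyped crypto ACL
# (192.168.3.0 where the mirror of Router A's ACL needs 192.168.1.0).
ROUTER_B = (ROUTER_A.replace("203.0.113.2", "PEER").replace("203.0.113.1", "203.0.113.2")
            .replace("PEER", "203.0.113.1")
            .replace(" encryption aes\n", " encryption aes 256\n").replace(" hash sha\n", " hash sha256\n")
            .replace(" group 2\n", " group 14\n")
            .replace(" match address 110", " set pfs group14\n match address 110")
            .replace("192.168.1.0 0.0.0.255 192.168.2.0", "192.168.2.0 0.0.0.255 192.168.3.0"))

if __name__ == "__main__":
    print(*check(parse(ROUTER_A), parse(ROUTER_B)), sep="\n")
```

Run against the constructed pair, the script reports the missing Phase 1 match, the legacy DH group on Router A, the missing PFS on Router A's map, and the non-mirrored ACLs; fixing those four items makes it return an empty list. The parser only understands the handful of commands the notes use, so treat it as a starting point, not a general IOS config parser.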
```
DMVPN ARCHITECTURE

                 +-----------------+
                 |    HQ Router    |
                 |      (Hub)      |
                 |   NHRP Server   |
                 +--------+--------+
                          |
          +---------------+---------------+
          |               |               |
          v               v               v
   +-------------+ +-------------+ +-------------+
   |  Branch 1   | |  Branch 2   | |  Branch 3   |
   |   (Spoke)   | |   (Spoke)   | |   (Spoke)   |
   | NHRP Client | | NHRP Client | | NHRP Client |
   +-------------+ +-------------+ +-------------+

DMVPN features:
  - Dynamic spoke-to-spoke tunnels (no need to configure every peer pair)
  - NHRP resolves spoke addresses (tunnel IP -> public NBMA IP)
  - A single multipoint GRE (mGRE) tunnel interface serves all spokes
  - IPsec encryption for all tunnel traffic
  - Scalable: add spokes without reconfiguring the hub
```

**DMVPN Hub Configuration:**

```cisco
! Hub Router
!
! Transform set and IPsec profile (the ISAKMP policy and keys are configured
! as in section 7; a profile replaces the crypto map for tunnel interfaces)
crypto ipsec transform-set DMVPN-TRANSFORM esp-aes esp-sha-hmac
!
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-TRANSFORM
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPNKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
```

**DMVPN Spoke Configuration:**

```cisco
! Spoke Router (same transform set and IPsec profile as the hub)
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROFILE
```

Caveat: `ip nhrp authentication` is a plain-text string carried in NHRP packets; it only keeps mismatched DMVPN clouds apart and is not a security control. The real peer authentication is IPsec's (IKE). Hubs that use one wildcard pre-shared key for every spoke should be aware that any device holding that key can join the cloud, which is one reason certificate authentication is preferred for larger DMVPN deployments.

---

### 11. VPN Troubleshooting

| Problem | Symptom | Solution |
|---------|---------|----------|
| **No IKE SA** | `show crypto isakmp sa` empty | Check reachability, ACL/firewall (UDP 500/4500, ESP), shared secret |
| **Phase 1 Fails** | `debug crypto isakmp` shows errors | Verify IKE policy matches, pre-shared key |
| **No IPsec SA** | Phase 1 up, Phase 2 down | Check transform set, crypto ACL mirror, interesting traffic |
| **Traffic Not Encrypted** | Packets going in clear | Verify ACL matches the traffic, crypto map applied to the right interface |
| **Tunnel Flapping** | SA constantly rebuilding | Check keepalive/DPD, routing, NAT issues |
| **MTU Issues** | Large packets fail (small pings work) | Adjust MTU, configure MSS clamping |

**Troubleshooting Commands:**

```cisco
! Check IKE Phase 1
Router# show crypto isakmp sa
Router# debug crypto isakmp

! Check IPsec Phase 2
Router# show crypto ipsec sa
Router# debug crypto ipsec

! Check crypto map application
Router# show crypto map
Router# show running-config | section crypto

! Clear VPN SAs (if stuck); this forces a full renegotiation
Router# clear crypto isakmp
Router# clear crypto sa
```

Debugs on a router carrying many tunnels can produce a flood of output; on IOS, `debug crypto condition peer ipv4 <address>` limits the crypto debugs to one peer, and `undebug all` turns them off.

---

### 12. VPN Best Practices

1. **Strong cryptography**
   - Use AES-256 encryption (not DES or 3DES)
   - Use SHA-256 for hashing (not MD5)
   - Use Diffie-Hellman group 14 or higher
   - Use RSA certificates instead of pre-shared keys when possible

2. **Perfect Forward Secrecy (PFS)**
   - Enable PFS in Phase 2 so that compromise of the Phase 1 keys does not expose past data-encryption keys
   - Use a group consistent with point 1: `set pfs group14` in the crypto map

3. **MTU considerations**
   - Reduce the MTU on tunnel interfaces (`ip mtu 1400`) to leave room for the GRE/IPsec overhead
   - Configure TCP MSS adjustment: `ip tcp adjust-mss 1360` (1400 minus 20 bytes IP and 20 bytes TCP)

4. **Key management**
   - Use short SA lifetimes (1 to 8 hours)
   - Rotate pre-shared keys regularly
   - Use certificate-based authentication for large deployments

5. **Monitoring**
   - Configure syslog for VPN events
   - Monitor SA counts and lifetimes
   - Set up alerts for tunnel failures

---

## Complete Configuration Examples

### Lab 1: Site-to-Site IPsec VPN

**Topology:**

```
Site A (192.168.1.0/24)                          Site B (192.168.2.0/24)
  +-----------+                                      +-----------+
  | Router A  |                                      | Router B  |
  |203.0.113.1|<----------- Internet --------------->|203.0.113.2|
  +-----------+                                      +-----------+
```

**Router A Configuration:**

```cisco
hostname RouterA
!
! Phase 1
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key VPNKEY address 203.0.113.2
!
! Phase 2 (IOS syntax: the key size is a separate keyword, "esp-aes 256")
crypto ipsec transform-set VPN-TRANSFORM esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto map
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TRANSFORM
 set pfs group14
 match address 110
!
! Interesting traffic
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Interfaces
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
end
```

**Router B Configuration:**

```cisco
hostname RouterB
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
crypto isakmp key VPNKEY address 203.0.113.1
!
crypto ipsec transform-set VPN-TRANSFORM esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set VPN-TRANSFORM
 set pfs group14
 match address 110
!
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
end
```

---

### Lab 2: GRE over IPsec VPN

Running GRE inside IPsec lets a routing protocol (here OSPF) run across the tunnel, which plain crypto-map IPsec cannot do because it carries no multicast. Router B mirrors this configuration with the addresses swapped.

**Router A Configuration:**

```cisco
hostname RouterA
!
! IKE Phase 1
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp key VPNKEY address 203.0.113.2
!
! Transport mode is enough here: GRE already adds the outer IP header
crypto ipsec transform-set GRE-TRANSFORM esp-aes esp-sha-hmac
 mode transport
!
! IPsec profile for GRE
crypto ipsec profile GRE-PROFILE
 set transform-set GRE-TRANSFORM
!
! GRE tunnel protected by IPsec (MTU/MSS settings from the Best Practices section)
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROFILE
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
! OSPF over the tunnel
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.255 area 0
!
end
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **IPsec Protocols** | ESP (IP 50) for encryption, AH (IP 51) for authentication, IKE (UDP 500) |
| **IKE Phase 1** | Establishes the secure channel (ISAKMP SA) |
| **IKE Phase 2** | Establishes the IPsec SA for data |
| **Tunnel vs. Transport** | Tunnel (gateway to gateway), Transport (host to host) |
| **Interesting Traffic** | ACL that triggers the VPN |
| **DMVPN** | NHRP, mGRE, IPsec for scalable VPNs |

### Common Exam Scenarios:

**Scenario 1:** "Which IPsec protocol provides both encryption and authentication?"
- **Answer:** ESP (Encapsulating Security Payload)

**Scenario 2:** "What is the purpose of IKE Phase 1?"
- **Answer:** Establish a secure, authenticated channel for IKE Phase 2

**Scenario 3:** "What protocol does DMVPN use for dynamic peer discovery?"
- **Answer:** NHRP (Next Hop Resolution Protocol)

### Mnemonics:

**IPsec Protocols:** **"A-E-I" - AH, ESP, IKE**
- **A**H: Authentication only (IP 51)
- **E**SP: Encryption + Authentication (IP 50)
- **I**KE: Key Exchange (UDP 500)

**IKE Phases:** **"1 for Channel, 2 for Data"**
- Phase 1: Establish the secure channel
- Phase 2: Protect the actual data

---

## Summary (1-Minute Revision)

```
VPN TECHNOLOGIES:

VPN TYPES:
  - Site-to-Site: connects entire networks
  - Remote Access: connects individual users

IPSEC COMPONENTS:
  - IKE (UDP 500): key exchange, SA establishment
  - ESP (IP 50): encryption + authentication
  - AH (IP 51): authentication only

IPSEC MODES:
  - Tunnel Mode: entire original packet encrypted (site-to-site)
  - Transport Mode: only the payload encrypted (host-to-host)

IKE PHASE 1 (ISAKMP SA):
  - Encryption: AES, 3DES, DES
  - Hash: SHA, MD5
  - DH Group: 1, 2, 5, 14
  - Authentication: pre-shared key, RSA
  - Lifetime: 86400 sec (default)

IKE PHASE 2 (IPsec SA):
  - Protocol: ESP, AH
  - Encryption: AES, 3DES
  - Authentication: SHA, MD5
  - Mode: Tunnel, Transport
  - Lifetime: 3600 sec (default)

DMVPN:
  - mGRE: multipoint GRE tunnel
  - NHRP: dynamic peer discovery
  - IPsec: encryption
  - Hub-and-spoke with dynamic spoke-to-spoke tunnels

VERIFICATION:
  - show crypto isakmp sa
  - show crypto ipsec sa
  - show crypto map
  - debug crypto isakmp
  - debug crypto ipsec
```

---

## Practice Questions

**1. Which IPsec protocol provides encryption and authentication?**
- A) AH
- B) ESP
- C) IKE
- D) ISAKMP

<details>
<summary>Answer</summary>
<b>B) ESP</b> - Encapsulating Security Payload provides both encryption and authentication.
</details>

**2. What is the default IPsec mode for site-to-site VPNs?**
- A) Transport Mode
- B) Tunnel Mode
- C) GRE Mode
- D) L2TP Mode

<details>
<summary>Answer</summary>
<b>B) Tunnel Mode</b> - Tunnel mode encapsulates the entire original packet and is used for site-to-site VPNs.
</details>

**3. Which transport protocol does IKE use for key exchange?**
- A) TCP
- B) UDP
- C) IP
- D) ICMP

<details>
<summary>Answer</summary>
<b>B) UDP</b> - IKE uses UDP port 500 (UDP 4500 with NAT-T) for key exchange.
</details>

**4. What is the purpose of IKE Phase 1?**
- A) Encrypt data traffic
- B) Establish a secure channel for Phase 2
- C) Authenticate users
- D) Assign IP addresses

<details>
<summary>Answer</summary>
<b>B) Establish a secure channel for Phase 2</b> - Phase 1 creates the ISAKMP SA for secure negotiation.
</details>

**5. Which command displays active IKE Phase 1 SAs?**
- A) `show crypto ipsec sa`
- B) `show crypto isakmp sa`
- C) `show crypto session`
- D) `show ipsec sa`

<details>
<summary>Answer</summary>
<b>B) `show crypto isakmp sa`</b> - Displays IKE Phase 1 security associations.
</details>

**6. What does NHRP do in DMVPN?**
- A) Encrypts traffic
- B) Provides dynamic peer address resolution
- C) Establishes GRE tunnels
- D) Authenticates users

<details>
<summary>Answer</summary>
<b>B) Provides dynamic peer address resolution</b> - NHRP resolves spoke addresses so that direct spoke-to-spoke tunnels can be built.
</details>

**7. Which IPsec protocol uses IP protocol number 50?**
- A) AH
- B) ESP
- C) IKE
- D) ISAKMP

<details>
<summary>Answer</summary>
<b>B) ESP</b> - ESP uses IP protocol number 50 (AH uses 51).
</details>

**8. What is the default IKE Phase 1 lifetime?**
- A) 3600 seconds
- B) 86400 seconds
- C) 14400 seconds
- D) 7200 seconds

<details>
<summary>Answer</summary>
<b>B) 86400 seconds</b> - The default IKE Phase 1 lifetime is 24 hours.
</details>

**9. Which command defines the traffic that should be encrypted?**
- A) `crypto map`
- B) `access-list` referenced by the crypto map
- C) `ip route`
- D) `tunnel destination`

<details>
<summary>Answer</summary>
<b>B) `access-list` referenced by the crypto map</b> - The ACL matched by the crypto map (`match address`) defines interesting traffic.
</details>

**10. Which technologies does DMVPN combine to build tunnels dynamically?**
- A) IPsec
- B) GRE
- C) NHRP
- D) All of the above

<details>
<summary>Answer</summary>
<b>D) All of the above</b> - DMVPN combines mGRE, NHRP, and IPsec.
</details>

**11. What is the difference between IKE Phase 1 and Phase 2?**
- A) Phase 1 encrypts data, Phase 2 negotiates keys
- B) Phase 1 establishes the secure channel, Phase 2 establishes the data SAs
- C) Phase 1 uses ESP, Phase 2 uses AH
- D) Phase 1 is for remote access, Phase 2 for site-to-site

<details>
<summary>Answer</summary>
<b>B) Phase 1 establishes the secure channel, Phase 2 establishes the data SAs</b> - Phase 1 creates the ISAKMP SA, Phase 2 creates the IPsec SA.
</details>

**12. Which of the following is a strong encryption algorithm for IPsec?**
- A) DES
- B) 3DES
- C) AES-256
- D) RC4

<details>
<summary>Answer</summary>
<b>C) AES-256</b> - AES-256 provides strong encryption, while DES and 3DES are deprecated.
</details>

---

## Next Steps

After completing Video 35, you should be ready for:

- **Video 36:** Device Hardening and Security
- **Video 37:** AAA (Authentication, Authorization, Accounting)

**Lab Practice:**

1. Configure a site-to-site IPsec VPN between two routers
2. Verify with `show crypto isakmp sa` and `show crypto ipsec sa`
3. Test with ping between the private networks
4. Configure GRE over IPsec
5. Run OSPF over GRE over IPsec
6. Troubleshoot with debug commands

---
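For lab practice steps 2 and 6, here is an added example of turning the `show` output into a verdict instead of reading it by eye. It is not part of the original notes and not Cisco tooling: a Python script that parses the text of `show crypto isakmp sa` and two snapshots of `show crypto ipsec sa` taken a few seconds apart, and maps them onto the rows of the troubleshooting table (no IKE SA, Phase 1 stuck in a main-mode state, one-way tunnel, idle tunnel, healthy tunnel). The sample outputs are constructed in the section 9 format with made-up addresses and counters, and the state descriptions reflect the usual meaning of the IOS IKEv1 main-mode states.

```python
# Added example (not from the CCNA notes): turn the text of "show crypto isakmp sa"
# and two snapshots of "show crypto ipsec sa" into one of the verdicts from the
# troubleshooting table. Sample outputs below are constructed in the section 9 format.
import re

# IOS IKEv1 main-mode states and what being stuck in each usually means
IKE_STATES = {
    "MM_NO_STATE": "no usable reply: peer unreachable, UDP 500 blocked, or no matching policy",
    "MM_SA_SETUP": "policy agreed, Diffie-Hellman exchange not completed",
    "MM_KEY_EXCH": "DH done but peers not authenticated (typically a pre-shared key mismatch)",
    "MM_KEY_AUTH": "authenticated, finishing Phase 1",
    "QM_IDLE": "Phase 1 complete and idle; Phase 2 (Quick Mode) can run",
}
# columns of "show crypto isakmp sa": dst  src  state  conn-id  status
SA_LINE = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\s+(\S+)")


def phase1(text):
    """Return {dst: (state, status)} for each SA line of 'show crypto isakmp sa'."""
    return {m.group(1): (m.group(3), m.group(4))
            for m in map(SA_LINE.match, text.splitlines()) if m}


def counters(text):
    """Pull the encaps/decaps/error counters out of 'show crypto ipsec sa'."""
    c = {}
    for key, pat in (("encaps", r"#pkts encaps: (\d+)"), ("decaps", r"#pkts decaps: (\d+)"),
                     ("send_err", r"#send errors (\d+)"), ("recv_err", r"#recv errors (\d+)")):
        m = re.search(pat, text)
        c[key] = int(m.group(1)) if m else 0
    return c


def diagnose(isakmp_text, ipsec_before, ipsec_after):
    """Map the show output onto a row of the troubleshooting table."""
    sas = phase1(isakmp_text)
    if not sas:
        return "no IKE SA: check reachability, firewall (UDP 500/4500, ESP) and the pre-shared key"
    for dst, (state, status) in sas.items():
        if state != "QM_IDLE" or status != "ACTIVE":
            return f"Phase 1 stuck in {state} with {dst}: {IKE_STATES.get(state, 'unknown state')}"
    before, after = counters(ipsec_before), counters(ipsec_after)
    sent, received = after["encaps"] - before["encaps"], after["decaps"] - before["decaps"]
    if after["send_err"] > before["send_err"]:
        return "send errors rising: interesting traffic seen but no IPsec SA (check transform set and crypto ACL)"
    if sent and not received:
        return "one-way tunnel: packets encrypted but none decrypted (check the peer's mirrored ACL and return route)"
    if not sent and not received:
        return "tunnel up but idle: no traffic matched the crypto ACL"
    return f"tunnel healthy: {sent} packets encrypted, {received} decrypted since the previous snapshot"


# Constructed sample output in the format shown in section 9
ISAKMP_UP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
"""
ISAKMP_STUCK = ISAKMP_UP.replace("QM_IDLE", "MM_KEY_EXCH")
IPSEC_T0 = """\
    #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
    #pkts decaps: 1190, #pkts decrypt: 1190, #pkts verify: 1190
    #send errors 0, #recv errors 0
"""
IPSEC_T1 = IPSEC_T0.replace("1200", "1234").replace("1190", "1221")   # both directions moving
IPSEC_T1_ONEWAY = IPSEC_T0.replace("1200", "1234")                     # only encaps moving

if __name__ == "__main__":
    print(diagnose(ISAKMP_UP, IPSEC_T0, IPSEC_T1))
    print(diagnose(ISAKMP_UP, IPSEC_T0, IPSEC_T1_ONEWAY))
    print(diagnose(ISAKMP_STUCK, IPSEC_T0, IPSEC_T1))
```

Taking two snapshots is the point: a single `show crypto ipsec sa` only tells you that traffic flowed at some time in the past, while the difference between two snapshots while you run a ping tells you whether it flows now and in which direction. Feed the script real output captured with `show crypto isakmp sa` and `show crypto ipsec sa | include pkts|errors` to apply it to a lab router.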