0% found this document useful (0 votes)

302 views

Advanced IPSec

Associated Sessions VVT-2003 IP Telephony Security NMS-D02 Managing Security Technologies (c) 2004 Cisco Systems, Inc. All rights reserved. Prerequisites You should be familiar with IPSec You may have configured IPSec already Some basic GRE / routing knowledge won't hurt.

Uploaded by

Gabi Si Florin Jalencu

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

302 views

Advanced IPSec

Uploaded by

Gabi Si Florin Jalencu

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 138

ADVANCED IPSEC DEPLOYMENTS AND CONCEPTS

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Associated Sessions
VVT-2003 IP Telephony Security NMS-D02 Managing Security Technologies

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Recommended Reading
Peripheral Reading Enhanced IP Services for Cisco Networks
ISBN: 1578701066

Network Security, Principles and Practice

ISBN: 1587050250

Managing Cisco Network Security,

ISBN: 1578701031

Network Security Architectures,

ISBN: 158705115X

Network Security First Step

ISBN: 1587200996

Network Security Fundamentals,

ISBN: 1587051672

Troubleshooting Virtual Private Networks

ISBN 1587051044

Dictionary of Internetworking Terms and Acronyms

ISBN:1587200457

Check the recommended Reading flyer at the Cisco Company Store books at 20% to 30% discount and dont forget to claim your free book!
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

Prerequisites
You should be familiar with IPSec You may have configured IPSec already Some basic GRE/Routing knowledge wont hurt

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Agenda
General Design Considerations DMVPN Overview DMVPN Advanced Design DMVPN Details DMVPN example Deployments IOS CA SSL vs IPSec VPN

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

GENERAL CONSIDERATIONS

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Design Considerations: Scaling, Sizing and Performance: I

Head-end VPN Device sizing consideration factors:
Total number of remote sites, tunnels VPN traffic throughput Features: routing protocols, GRE, Firewall, QoS

Scalability
The head-end design must scale to support future load requirements Consider integrated verses purposedefined devices Routing, resilience, load balancing, and the WAN connection are all key factors
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

Design Considerations: Scaling, Sizing and Performance: II

A head-end device should not be deployed in a configuration that results in CPU utilization higher than 50% after failure The 50% target includes all overhead incurred by IPSec and any other enabled features (firewall, routing, IDS, logging, etc.) Branch devices should not be taxed above 65% CPU utilization

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Design Consideration: Topology

Peer-to-peer Hub and spoke
Most common topology Scales well, o(n) Performance penalty due to two encryption/decryption cycles

MeshPartial
Compared to hub and spoke topology, more direct spoke to spoke communications

MeshFull
Scaling issues: IPSec tunnels grow exponentially as number of sites increases Difficult to provision

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN OVERVIEW

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

What is DMVPN ?
Dynamic Multipoint VPN It is GRE, NHRP and IPSec mix NHRP allows the peers to have dynamic addresses (Dial, DSL,) with GRE / IPSec tunnels The backbone is a hub and spoke topology It allows direct spoke to spoke tunneling by auto leveling to a partial mesh

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Site-to-Site, Dynamic Multipoint VPN (DMVPN)

mGRE/IPsec/NHRP Integration, only the HUB address is known
10.0.0.0 255.255.255.0 HUB 10.0.0.1

LANs can have private addressing

Static known IP address

Dynamic unknown IP addresses

SPOKE 10.0.3.1 10.0.3.0 255.255.255.0

10.0.1.1 10.0.1.0 255.255.255.0 = Static spoke-to-hub IPsec tunnels

SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

10.0.2.0 255.255.255.0 10.0.2.1 = Dynamic&Temporary Spoke-to-spoke IPsec tunnels

DMVPN: How Does It Work?

Relies on Two Proven Cisco Technologies
NHRPNext Hop Resolution Protocol
Client/server protocol: hub is server; spokes are clients Hub maintains a (NHRP) database of all the spokes real (public interface) addresses Each spoke registers its real address when it boots Spokes query HNRP database for real addresses of destination spokes to build direct tunnels

Multipoint GRE Tunnel Interface

Allows single GRE interface to support multiple IPSec tunnels Simplifies size and complexity of configuration

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

NHRP Registration Dynamically Addressed Spokes

= Dynamic permanent IPsec tunnels 192.168.0.1/24

NHRP mapping Routing Table

10.0.0.11 10.0.0.12 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24

172.16.1.1 172.16.2.1 Conn. 10.0.0.11 10.0.0.12

Physical: 172.17.0.1 Tunnel0: 10.0.0.1

Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.11

Physical: 172.16.2.1 (dynamic) Tunnel0: 10.0.0.12

192.168.1.1/24

Spoke A

Spoke B

192.168.2.1/24

10.0.0.1

172.17.0.1 10.0.0.1 Conn. 10.0.0.1

10.0.0.1

172.17.0.1 10.0.0.1 10.0.0.1 Conn.

192.168.0.0/24 192.168.1.0/24 192.168.2.0/24

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN: How Does It Work?

Spokes have a permanent IPSec tunnel to the hub, but not to the spokes; They register as clients of the NHRP server When a spoke needs to send a packet to a destination (private) subnet on another spoke, he queries the NHRP server for the real (outside) address of the destination spoke Now the originating spoke can initiate a dynamic ipsec tunnel to the target spoke (because he knows the peer address) The spoke to spoke tunnel is built over the mGRE interface
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

NHRP Resolution Process Switching

= Dynamic permanent IPsec tunnels 192.168.0.1/24

NHRP mapping (*NHS) Routing Table

10.0.0.11 10.0.0.12 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24

172.16.1.1 172.16.2.1 Conn. 10.0.0.11 10.0.0.12

Physical: 172.17.0.1 Tunnel0: 10.0.0.1

Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.11 Spoke A .1 .25 PC 192.168.1.0/24

Physical: 172.16.2.1 (dynamic) Tunnel0: 10.0.0.12

Spoke B .1 192.168.2.0/24

Web .37

10.0.0.1 172.17.0.1 (*) 10.0.0.12 172.16.2.1 192.168.1.0/24 172.16.1.1 (l) 192.168.2.0/24 192.168.2.37/32 172.16.2.1 ??? 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.1 Conn. 10.0.0.12

10.0.0.1 172.17.0.1 (*) 10.0.0.11 172.16.1.1 192.168.1.0/24 192.168.1.25/32 172.16.1.1 ??? 192.168.2.0/24 172.16.2.1 (l) 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.1 10.0.0.11 Conn.
16

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

ADVANCED DESIGN ISSUES

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Advanced Design Issues

Network design
Design, Redundancy and Scaling

Routing
Dynamic routing protocols

Encryption peers
Finding, mapping and authenticating

Management
Deploying, Monitoring, and Maintaining

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Network Design
Hub-and-spoke
All VPN traffic must go via hub Hub bandwidth and CPU utilization limit VPN Number of tunnels = O(n)

Dynamic-Mesh Dynamic spoke-spoke tunnels

Control traffic Hub to Hub and Hub and spoke Next Hop Resolution Protocol (NHRP), Dynamic Routing, IP Multicast Data traffic Dynamic mesh Spoke routers only need to support spoke-hub and spoke-spoke tunnels currently in use. Hub only supports spoke-hub traffic and overflow from spoke-spoke traffic. Number of tunnels > O(n), << O(n2)
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

Network Design: Redundancy and Scaling Hub and Spoke

Configure spokes to use two hubs (primary, secondary). Can use multiple mGRE tunnel interfaces on Hub router
Increases number of spokes supported per hub Use same tunnel source and tunnel protection shared Each mGRE interface is a separate DMVPN network Different Tunnel key, NHRP network id and IP subnet

Hubs can be interconnected directly over physical links, mGRE tunnels or p-pGRE tunnels. Hub routers may pass routing information for DMVPN network through any of these paths.

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Network Design: Redundancy and Scaling Dynamic-Mesh

Configure spokes to use two hubs (primary, secondary) Hub routers can only have one mGRE tunnel interface
Reduces number of spokes supported per hub router

Hub routers must exchange routing information for DMVPN network through mGRE tunnel interfaces. Hub routers point to other hub routers as NHSs in a daisy-chain or pair wise fashion
Used for forwarding NHRP packets and data packets while dynamic spoke-spoke tunnels are being created

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Routing New IP Routing/Forwarding Model

Regular IP networks
IP routing updates and data packets traverse same physical/logical links

DMVPN IP networks
IP routing updates only traverse hub-and-spoke tunnels IP data packets traverse both hub-and-spoke and direct dynamic spoke-spoke tunnels Routing protocol doesnt monitor state of spoke-spoke tunnels

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Finding/Mapping Peers
Two layers of IP addresses
VPN layer, IP infrastructure (NBMA) layer

Mapping between VPN and IP Infrastructure

Next Hop Resolution Protocol (NHRP)

Authenticating peers
Pre-shared keys, certificates

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Two Layers of IP Addresses

VPN Layer EIGRP 1/OSPF 1/RIP/ODR

STATIC EIGRP 2 OSPF 2 BGP IP Infrastructure Layer

SEC-A04

STATIC EIGRP 2 OSPF 2 BGP

2004 Cisco Systems, Inc. All rights reserved.

Routing Dynamic Routing Protocols

EIGRP
Good for hub-and-spoke and spoke-spoke More control, medium overhead, faster convergence

OSPF
Okay for hub-and-spoke, maximum of 2 hubs for spoke-spoke Less control, medium overhead, faster convergence

RIP
Okay for hub-and-spoke and spoke-spoke Okay control, medium overhead, slower convergence

ODR
Good for hub-and-spoke (non-split tunneling), no spoke-spoke Less control, low overhead, slower convergence, most scalable

BGP
Okay for hub-and-spoke and spoke-spoke Good control, lower overhead, slower convergence, static neighbor configuration
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

Routing Dynamic Routing Configuration

Hub-and-spoke
EIGRP
no ip split-horizon eigrp <as>

Dynamic Spoke-spoke
EIGRP
no ip split-horizon eigrp <as> no ip next-hop-self eigrp <as> no auto-summary

OSPF
ip ospf network point-multipoint

RIP
no ip split-horizon

OSPF
ip ospf network broadcast ip ospf priority (2(hub)|0(spoke))

ODR
distribute-list <acl> out

RIP
no ip split-horizon no auto-summary

BGP
Hub is route reflector next-hop self

BGP
Hub is route reflector

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Authenticating Peers
Pre-shared keys Hub-and-spoke only Wildcard pre-shared keys Insecure Certificates
Certificate Authority/Server (CA/CS) Certificate distributionenrollment Manual (terminal, tftp), Automatic (SCEP) Some requirements for use Accurate timeNTP, SNTP Check for revocationcrl optional

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Configuring and Maintaining

Provisioning
Bootstrap PKI Certificates Dynamic Addressing and Call Home Policy Push for IPsec, QoS, Firewall, IDS, NAT, Routing Hub-and-spoke, full and partial mesh topologies

Ongoing Management (ISC)

Separate Management Tunnel Router Configuration and Image Control Configuration Change Notification Audit Checks
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

DMVPN DETAILS

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Dynamic Multipoint VPN (DMVPN) Major Features

Supports encrypting IP unicast, multicast and dynamic routing protocols Supports remote IPsec peers with dynamically assigned addresses and NAT-T Configuration reduction Dynamic spoke-spoke tunnels for scaling partial/full mesh VPNs

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Multipoint GRE (mGRE) Tunnels

Single tunnel interface (multipoint)
Non-Broadcast Multi-Access (NBMA) Network Smaller hub configuration Multicast/broadcast support Harder to support Per-tunnel QoS

Dynamic tunnel destination

Next Hop Resolution Protocol (NHRP) VPN IP to NBMA IP address mapping Short-cut forwarding Direct support for dynamic addresses and NAT
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

Terminology pause
The tunnel address is the ip address defined on the tunnel interface The NBMA (Non-Broadcast Multiple Access) address is the ip address used as tunnel source (or destination) Example on router A, one configures interface Ethernet0/0 ip address 172.16.0.1 255.255.255.0 interface Tunnel0 ip address 10.0.0.1 255.0.0.0 tunnel source Ethernet0/0 [] 10.0.0.1 is router A's tunnel address 172.16.0.1 is router A's NBMA address

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

NHRP Peer Mapping

Static mappings on spokes for Hub (NHS)
Needed to start the game

NHRP Registration
Dynamically register spokes VPN to NBMA address mapping with hub (NHS).

NHRP Resolutions
Dynamically resolve remote spokes VPN to NBMA mapping to build spoke-spoke tunnels. CEF switching Forwarded along NHS path (spoke hub hub) Process switching Forwarded along routed path (spoke hub hub spoke)
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

What is NHRP exactly ?

NHRP is a layer two resolution protocol and cache like ARP or Inverse ARP (Frame Relay) It is used in DMVPN to map a tunnel IP address to an NBMA address Like ARP, NHRP can have static and dynamic entries Since 12.2(13)T, NHRP can work fully dynamically

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

NHRP Functionality
Address mapping/resolution
Next Hop Client (NHC) registration with Next Hop Server (NHS) Resolution of VPN to NBMA mapping Routing: NHRP: destination VPN IP next-hop NBMA address

VPN IP next-hop

Short-cut forwarding
Single hop instead of multiple hops across NBMA network NHRP Resolution requests/replies forwarded via NHS

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Building Hub-and-Spoke tunnels NHRP Registration

Host1 Spoke1 IKE Initialization IKE Initialization IKE/IPsec Established IKE/IPsec Established NHRP Regist. Req. NHRP Regist. Rep. NHRP Regist. Req. NHRP Regist. Rep. Routing Adjacency Routing Adjacency Routing Update Routing Update Routing Update Routing Update Hub Spoke2 Host2

Encrypted
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

Encrypted
36

Dynamic Spoke-Spoke Tunnels

mGRE/NHRP+IPsec configuration
On both hub and spokes ISAKMP authentication information Certificates, wildcard pre-shared keys (not secure)

Spoke-spoke data traffic direct

Reduced load on hub Reduced latency Single IPsec encrypt/decrypt

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Dynamic Spoke-Spoke Tunnels Forwarding Data Packets

Process-switching
Routing selects outgoing interface and IP next-hop NHRP overrides IP next-hop from routing

CEF switching
IP Next-hop from routing table Next-hop Next-hop hub spoke data packets via hub data packets direct

Data packets via hub while spoke-spoke tunnel is coming up, then direct

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

NHRP: Data Packet Forwarding Process Switching

IP Data packet is forwarded out tunnel interface to IP next-hop from routing table NHRP looks in mapping table for IP destination
Found Entry (socket) Forward to NBMA from mapping table overriding IP next-hop Found Entry (no socket) If tunnel is not source interface convert to (socket) Not found Forward to IP next-hop (if in table) otherwise to NHS If arriving interface was not tunnel interface Initiate NHRP Resolution Request for IP destination

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

NHRP: Data Packet Forwarding CEF Switching

IP Data packet is forwarded out tunnel interface to IP next-hop from CEF FIB table Adjacency is of type Valid
Packet is encapsulated and forwarded by CEF out tunnel interface NHRP not involved

Adjacency is of type Glean or Incomplete

Punt packet to process switching If arriving interface was not tunnel interface Initiate NHRP Resolution Request for IP next-hop Resolution reply is used to create NHRP mapping and to complete the Adjacency
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

NHRP Resolution Request/Response Forwarding

Insert protocol source to NBMA source address mapping, from request into mapping table (no socket) Lookup protocol destination in mapping table
If found (authoritative) Answer Request

Lookup protocol destination in routing table

If Outbound interface is not the tunnel This node is the exit point Answer Request

Look up IP next-hop in mapping table

Found Entry (socket) Forward to NBMA from mapping table Not found or Found Entry (no socket) Forward to NHS
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

NHRP Resolution Response

Lookup protocol destination in routing table for matching network, subnet mask and IP next-hop. Create NHRP local mapping entry for protocol destination network with mask-length to NBMA address Create NHRP Resolution Response with protocol destination, NBMA address and mask-length. Forwarding Resolution Response
Look up protocol source in mapping table Found Entry (socket) Forward to NBMA from mapping table Not found or Found Entry (no socket) Forward to IP next-hop (if in table) otherwise to NHS
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

Building Spoke-Spoke Tunnels Process Switching

Host1 Spoke1 Hubs Spoke2 Host2

NHRP Resol. Req.

NHRP Resol. Req. IKE Initialization NHRP Resol. Req.

NHRP Resol. Req. IKE Initialization

IKE/IPsec Established NHRP Resolution Replies

Encrypted

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Building Spoke-Spoke Tunnels CEF Switching

Host1 Spoke1 Hubs Spoke2 Host2

NHRP Res. Request NHRP Res. Request NHRP Res. Reply IKE Initialization IKE Initialization

NHRP Res. Reply

IKE/IPsec Established

Encrypted

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

NHRP Resolution CEF Switching

NHRP mapping (*NHS) CEF FIB Table CEF Adjacency
Physical: 172.17.0.1 Tunnel0: 10.0.0.1 192.168.0.1/24

10.0.0.11 10.0.0.12

172.16.1.1 172.16.2.1 Conn. 10.0.0.11 10.0.0.12 172.16.1.1 172.16.2.1

192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.11 10.0.0.12

Physical: 172.16.1.1 (dynamic) Tunnel0: 10.0.0.11

Physical: 172.16.2.1 (dynamic) Tunnel0: 10.0.0.12

192.168.1.1/24

Spoke A

Spoke B

192.168.2.1/24

10.0.0.1 10.0.0.12

172.17.0.1 (*) ??? 172.16.2.1 10.0.0.1 Conn. 10.0.0.12

10.0.0.1 10.0.0.11

172.17.0.1 (*) ??? 172.16.1.1 10.0.0.1 10.0.0.11 Conn.

192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.0.0.1 10.0.0.12

SEC-A04

192.168.0.0/24 192.168.2.0/24 192.168.2.0/24 10.0.0.1 10.0.0.11

172.17.0.1 incomplete 172.16.2.1

172.17.0.1 incomplete 172.16.1.1

DMVPN Data Structures

NHRP Mapping Table
Maps VPN and Tunnel IP addresses to NBMA (Physical address) show ip nhrp, debug nhrp { packet | cache | extension }

Crypto Socket Table

Mapping between NHRP and IPsec show crypto socket, debug crypto socket, show crypto ipsec profile, debug tunnel {protection}

Crypto Map Table

Dynamic Crypto map for each mGRE tunnel or for each IPsec profile (tunnel protection shared) show crypto map

IPsec SA Table
show crypto ipsec sa { | include Tag|peer|spi|endpt }

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN NHRP Mapping Tables

Hub1
Hub1#show ip nhrp 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 01:03:41, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.5 10.0.0.11/32 via 10.0.0.11, Tunnel0 created 01:03:38, expire 00:04:18 Type: dynamic, Flags: authoritative unique registered used NBMA address: 172.16.1.2 10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:15, expire 00:05:44 Type: dynamic, Flags: router implicit NBMA address: 172.16.2.2 (no-socket) SpokeB#show ip nhrp 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:03:37, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.1 10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:11, expire 00:04:26 Type: dynamic, Flags: router NBMA address: 172.16.2.2

Spoke A

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Crypto Socket Tables

Hub1
Hub1# show crypto socket Number of Crypto Socket connections 2 Tu0 Peers (local/remote): 172.17.0.1/172.17.0.5 Local Ident (addr/mask/port/prot): (172.17.0.1/255.255.255.255/0/47) Remote Ident (addr/mask/port/prot): (172.17.0.5/255.255.255.255/0/47) Socket State: Open, Client: "TUNNEL SEC" (Client State: Active) Tu0 Peers (local/remote): 172.17.0.1/172.16.1.2 Local Ident (addr/mask/port/prot): (172.17.0.1/255.255.255.255/0/47) Remote Ident (addr/mask/port/prot): (172.16.1.2/255.255.255.255/0/47) Socket State: Open, Client: "TUNNEL SEC" (Client State: Active) Crypto Sockets in Listen state: 1 TUNNEL SEC Profile: "vpnprof" Map-name "Tunnel0-head-0" SpokeA#show cry socket Number of Crypto Socket connections 2 Tu0 Peers (local/remote): 172.16.1.2/172.17.0.1 Local Ident (addr/mask/port/prot): (172.16.1.2/255.255.255.255/0/47) Remote Ident (addr/mask/port/prot): (172.17.0.1/255.255.255.255/0/47) Socket State: Open, Client: "TUNNEL SEC" (Client State: Active) Tu0 Peers (local/remote): 172.16.1.2/172.16.2.2 Local Ident (addr/mask/port/prot): (172.16.1.2/255.255.255.255/0/47) Remote Ident (addr/mask/port/prot): (172.16.2.2/255.255.255.255/0/47) Socket State: Open, Client: "TUNNEL SEC" (Client State: Active) Crypto Sockets in Listen state: 1 TUNNEL SEC Profile: "vpnprof" Map-name "Tunnel0-head-0"

Spoke A

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Crypto Map Tables

Hub1
Hub1#show crypto map Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp Profile name: vpnprof SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N, Trans sets={ trans1, } Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp, PROFILE INSTANCE. Peer = 172.16.0.5, access-list permit gre host 172.17.0.1 host 172.16.0.5 SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N, Transform sets={ trans1, } Crypto Map "Tunnel0-head-0" 65538 ipsec-isakmp, PROFILE INSTANCE. Peer = 172.16.1.2, access-list permit gre host 172.17.0.1 host 172.16.1.2 SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N, Transform sets={ trans1, }

Spoke A

Spoke1#sho crypto map Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp Profile name: vpnprof SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N ,Transform sets={trans1, } Crypto Map "Tunnel0-head-0" 65537 ipsec-isakmp, PROFILE INSTANCE. Peer = 172.17.0.1, access-list permit gre host 172.16.1.2 host 172.17.0.1 SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N, Transform sets={trans1, } Crypto Map "Tunnel0-head-0" 65538 ipsec-isakmp, PROFILE INSTANCE. Peer = 172.16.2.2, access-list permit gre host 172.16.1.2 host 172.16.2.2 SA lifetime: 4608000 KB/3600 s, PFS (Y/N): N, Transform sets={trans1, }

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Crypto IPsec SAs

Hub1
Hub1#show crypto ipsec sa interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr. 172.17.0.1 local crypto endpt.: 172.17.0.1, remote crypto endpt.: 172.16.1.2 current outbound spi: D111D4E0 inbound esp sas: spi: 0x8FE87A1B(2414377499) {Transport, } outbound esp sas: spi: 0xD111D4E0(3507606752) {Transport, } local crypto endpt.: 172.17.0.1, remote crypto endpt.: 172.17.0.5 current outbound spi: 149FA5E7 inbound esp sas: spi: 0x3C32F075(1009971317) {Transport, } outbound esp sas: spi: 0x149FA5E7(346007015) {Transport, } SpokeA#sho crypto ipsec sa interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr. 172.16.1.2 local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.17.0.1 current outbound spi: 8FE87A1B inbound esp sas: spi: 0xD111D4E0(3507606752) {Transport, } outbound esp sas: spi: 0x8FE87A1B(2414377499) {Transport, } local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.16.2.2 current outbound spi: 32E65B6D inbound esp sas: spi: 0x3B44DBD0(994368464) {Transport, } spi: 0x8B07B649(2332538441) {Transport, } outbound esp sas: spi: 0x8CCD4943(2362263875) {Transport, } spi: 0x32E65B6D(853957485) {Transport, }

Spoke A

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Routing Tables

Hub1
Hub1# show ip route C C C D D S* 172.17.0.0/30 is directly connected, Serial1/0 10.0.0.0/24 is directly connected, Tunnel0 192.168.0.0/24 is directly connected, Ethernet0/0 192.168.1.0/24 [90/2611200] via 10.0.0.11, 00:42:39, Tunnel0 192.168.2.0/24 [90/2636800] via 10.0.0.12, 00:42:37, Tunnel0 0.0.0.0/0 [1/0] via 172.17.0.2

Spoke A

SpokeA# show ip route C C D C D S* 172.16.1.0/30 is directly connected, Serial1/0 10.0.0.0/24 is directly connected, Tunnel0 192.168.0.0/24 [90/297372416] via 10.0.0.1, 00:42:34, Tunnel0 192.168.1.0/24 is directly connected, Ethernet0/0 192.168.2.0/24 [90/297321216] via 10.0.0.12, 00:42:34, Tunnel0 0.0.0.0/0 [1/0] via 172.16.1.1

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

EXAMPLE DMVPN DEPLOYMENTS

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Example DMVPN Deployments

DMVPN Dual Hub
Redundancy Routing and Load Balancing

DMVPN High Concentration Hub

Server Load Balancing (SLB) CAT6500/7600, VPNSM, MWAM

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Dual Hub Features

Redundancy
Two spoke-hub links for each spoke All spokes connected to both hubs Can lose 1 hub and spoke not isolated

Routing and load balancing

Both spoke-hub links always up Dynamic routing controls packet flow for redundancy and/or load balancing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Dual Hub

Single DMVPN Dual Hub Single mGRE tunnel on all nodes
Physical: 172.17.0.5 Tunnel0: 10.0.0.2 192.168.0.0/24 .2 .1

Physical: 172.17.0.1 Tunnel0: 10.0.0.1

Physical: (dynamic) Tunnel0: 10.0.0.12

Spoke B Physical: (dynamic) Tunnel0: 10.0.0.11

.37 Web

192.168.2.0/24

.1 192.168.1.0/24

Spoke A .25

...
= Dynamic&Temporary Spoke-to-spoke IPsec tunnels
55

PC
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

Single DMVPN Dual Hub Crypto and Interface Configuration

crypto ca trustpoint msca-root enrollment terminal crl optional rsakeypair <hostname> crypto ca certificate chain msca-root certificate <router-certificate-id> certificate ca 1244325DE0369880465F977A18F61CA8 ! crypto isakmp policy 1 encryption 3des ! crypto ipsec transform-set trans1 esp-3des esp-md5-hmac mode transport required ! crypto ipsec profile vpnprof set transform-set trans1 ! interface Ethernet0/0 ! < inside interface > ip address 192.168.<x>.<x> 255.255.255.0 ! interface Serial1/0 ! < outside interface > ip address 172.<16|17>.<x>.<x> 255.255.255.252
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

DMVPN Dual Hub Hub1

Common Subnet Static NHRP to Hub2 interface Tunnel0 bandwidth 1000 ip address 10.0.0.1 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp map 10.0.0.2 172.17.0.5 ip nhrp map multicast 172.17.0.5 ip nhrp network-id 100000 ip nhrp holdtime 360 ip tcp adjust-mss 1360 ip ospf network broadcast ip ospf priority 2 ip ospf cost 100 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router ospf 1 network 10.0.0.0 0.0.0.255 area 1 network 192.168.0.0 0.0.0.255 area 0

OSPF Network Priority and cost

OSPF Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Dual Hub Hub2

Common Subnet Static NHRP to Hub1 interface Tunnel0 bandwidth 1000 ip address 10.0.0.2 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp map 10.0.0.1 172.17.0.1 ip nhrp map multicast 172.17.0.1 ip nhrp network-id 100000 ip nhrp holdtime 360 ip tcp adjust-mss 1360 ip ospf network broadcast ip ospf priority 2 ip ospf cost 105 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router ospf 1 network 10.0.0.0 0.0.0.255 area 1 network 192.168.0.0 0.0.0.255 area 0

OSPF Network Priority and cost

OSPF Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Dual Hub Spoke A

interface Tunnel0 bandwidth 1000 ip address 10.0.0.11 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast 172.17.0.1 ip nhrp map 10.0.0.1 172.17.0.1 ip nhrp map multicast 172.17.0.5 ip nhrp map 10.0.0.2 172.17.0.5 ip nhrp network-id 100000 ip nhrp holdtime 360 ip nhrp nhs 10.0.0.1 ip nhrp nhs 10.0.0.2 ip tcp adjust-mss 1360 ip ospf network broadcast ip ospf priority 0 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router ospf 1 network 10.0.0.0 0.0.0.255 area 1 network 192.168.1.0 0.0.0.255 area 1 distance 111 192.168.0.2 0.0.0.0
59

Hub1 NHRP mappings Hub2 NHRP mappings

OSPF Network and Priority

OSPF Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Dual Hub Spoke B

interface Tunnel0 bandwidth 1000 ip address 10.0.0.12 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast 172.17.0.1 ip nhrp map 10.0.0.1 172.17.0.1 ip nhrp map multicast 172.17.0.5 ip nhrp map 10.0.0.2 172.17.0.5 ip nhrp network-id 100000 ip nhrp holdtime 360 ip nhrp nhs 10.0.0.1 ip nhrp nhs 10.0.0.2 ip tcp adjust-mss 1360 ip ospf network broadcast ip ospf priority 0 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router ospf 1 network 10.0.0.0 0.0.0.255 area 1 network 192.168.2.0 0.0.0.255 area 1 distance 111 192.168.0.2 0.0.0.0
60

Hub1 NHRP mappings Hub2 NHRP mappings

OSPF Network and Priority

OSPF Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Dual Hub Hub Routing Tables

Hub1
C C C O O 172.17.0.0/30 is directly connected, Serial1/0 10.0.0.0/24 is directly connected, Tunnel0 192.168.0.0/24 is directly connected, Ethernet0/0 192.168.1.0/24 [110/110] via 10.0.0.11, 00:36:53, Tunnel0 192.168.2.0/24 [110/110] via 10.0.0.12, 00:36:53, Tunnel0 ... S* 0.0.0.0/0 [1/0] via 172.17.0.2

Hub 2

C C C O O

172.17.0.4/30 is directly connected, Serial1/0 10.0.0.0/24 is directly connected, Tunnel0 192.168.0.0/24 is directly connected, Ethernet0/0 192.168.1.0/24 [110/115] via 10.0.0.11, 00:42:02, Tunnel0 192.168.2.0/24 [110/115] via 10.0.0.12, 00:42:02, Tunnel0 ... S* 0.0.0.0/0 [1/0] via 172.17.0.6

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Dual Hub Spoke Routing Tables

Spoke A
C 172.16.1.0/30 is directly connected, Serial1/0 C 10.0.0.0/24 is directly connected, Tunnel0 O IA 192.168.0.0/24 [110/110] via 10.0.0.1, 00:46:20, Tunnel0 C 192.168.1.0/24 is directly connected, Ethernet0/0 O 192.168.2.0/24 [110/110] via 10.0.0.12, 00:46:20, Tunnel0 ... S* 0.0.0.0/0 [1/0] via 172.16.1.2

Spoke B

C 172.16.2.0.0/30 is directly connected, Serial1/0 C 10.0.0.0/24 is directly connected, Tunnel0 O IA 192.168.0.0/24 [110/110] via 10.0.0.1, 00:53:14, Tunnel0 O 192.168.1.0/24 [110/110] via 10.0.0.11, 00:53:14, Tunnel0 C 192.168.2.0/24 is directly connected, Ethernet0/0 ... S* 0.0.0.0/0 [1/0] via 172.16.2.2

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Dual Hub Hub NHRP tables

Hub1
10.0.0.2/32 via 10.0.0.2, Tunnel0 created 02:58:13, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.5 10.0.0.11/32 via 10.0.0.11, Tunnel0 created 02:51:46, expire 00:04:13 Type: dynamic, Flags: authoritative unique registered used NBMA address: 172.16.1.1 10.0.0.12/32 via 10.0.0.12, Tunnel0 created 02:51:26, expire 00:04:33 Type: dynamic, Flags: authoritative unique registered used NBMA address: 172.16.2.1 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 02:48:42, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.1 10.0.0.11/32 via 10.0.0.11, Tunnel0 created 02:43:05, expire 00:05:01 Type: dynamic, Flags: authoritative unique registered NBMA address: 172.16.1.1 10.0.0.12/32 via 10.0.0.12, Tunnel0 created 02:44:08, expire 00:05:20 Type: dynamic, Flags: authoritative unique registered used NBMA address: 172.16.2.1

Hub 2

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Dual Hub Spoke NHRP tables

Spoke A
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 02:51:20, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.1 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 02:51:20, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.5 10.0.0.12/32 via 10.0.0.12, Tunnel0 created 00:00:06, expire 00:05:05 Type: dynamic, Flags: router unique used NBMA address: 172.16.2.1 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 02:51:18, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.1 10.0.0.2/32 via 10.0.0.2, Tunnel0 created 02:51:18, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.5 10.0.0.11/32 via 10.0.0.11, Tunnel0 created 00:00:24, expire 00:04:27 Type: dynamic, Flags: router unique used NBMA address: 172.16.1.1

Spoke B

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Dual Hub Summary

Network design
Hub and spokerouting Dynamic meshdata traffic

Add spoke routers without hub or other spoke router changes

NHRP and dynamic routing propagate information

Hub redundancy
Must lose both before spoke isolated

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Example DMVPN Deployments

DMVPN Dual Hub
Redundancy Routing and Load Balancing

DMVPN Multi-hub
Redundancy, Scaling NHRP Resolution Forwarding

DMVPN High Concentration Hub

Server Load Balancing (SLB) CAT6500/7600, VPNSM, MWAM

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Multi-Hub Features

Redundancy
Two spoke-hub links for each spoke (example only shows one for clarity) Can lose 1 hub and spoke not isolated hub-and-spoke

Routing and load balancing

Both spoke-hub links always up Dynamic routing controls packet flow for redundancy and/or load balancing Dynamic routing configuration more complex

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Multi-Hub Hub Daisy Chaining

Daisy chain styles
Single daisy chain through all hubs Spokes two tunnels distributed across hubs equally Two single daisy chains one through primary hubs and other through secondary hubs. Spokes connected to both a primary and secondary hub

Loss of Hub breaks daisy chain

No new spoke-spoke dynamic tunnels until hub back online Cross-connect between primary and secondary hubs restores spoke-spoke data traffic, but goes through hubs.
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

DMVPN Multi-Hub
Single DMVPN Multi-hub, Single mGRE tunnel on all nodes
.2 .3 Physical: 172.17.0.5 Tunnel0: 10.0.0.2 .1 Physical: 172.17.0.9 Tunnel0: 10.0.0.3 192.168.0.0/24

Physical: 172.17.0.1 Tunnel0: 10.0.0.1

Physical: (dynamic) Tunnel0: 10.0.0.13

Spoke C Physical: (dynamic) Tunnel0: 10.0.0.11 Physical: (dynamic) Tunnel0: 10.0.0.12

.1 192.168.3.0/24

.1 192.168.1.0/24

Spoke A

...
Spoke B .1 192.168.2.0/24
69

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Multi-Hub Hub1

Common Subnet Set Hub2 as NHS
interface Tunnel0 bandwidth 1000 ip address 10.0.0.1 255.255.255.0 ip mtu 1400 no ip next-hop-self eigrp 1 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp map 10.0.0.2 172.17.0.5 ip nhrp map multicast 172.17.0.5 ip nhrp network-id 100000 ip nhrp holdtime 360 ip tcp adjust-mss 1360 ip nhrp nhs 10.0.0.2 no ip split-horizon eigrp 1 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.0.0 no auto-summary

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Multi-Hub Hub2

Common Subnet Set Hub3 as NHS
interface Tunnel0 bandwidth 1000 ip address 10.0.0.2 255.255.255.0 ip mtu 1400 no ip next-hop-self eigrp 1 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp map 10.0.0.3 172.17.0.9 ip nhrp map multicast 172.17.0.9 ip nhrp network-id 100000 ip nhrp holdtime 360 ip tcp adjust-mss 1360 ip nhrp nhs 10.0.0.3 no ip split-horizon eigrp 1 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.0.0 no auto-summary

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Multi-Hub Hub3

Common Subnet Set Hub1 as NHS
interface Tunnel0 bandwidth 1000 ip address 10.0.0.3 255.255.255.0 ip mtu 1400 no ip next-hop-self eigrp 1 ip nhrp authentication test ip nhrp map multicast dynamic ip nhrp map 10.0.0.1 172.17.0.1 ip nhrp map multicast 172.17.0.1 ip nhrp network-id 100000 ip nhrp holdtime 360 ip tcp adjust-mss 1360 ip nhrp nhs 10.0.0.1 no ip split-horizon eigrp 1 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.0.0 no auto-summary

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Multi-Hub Spoke A

interface Tunnel0 bandwidth 1000 ip address 10.0.0.11 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast 172.17.0.1 ip nhrp map 10.0.0.1 172.17.0.1 ip nhrp network-id 100000 ip nhrp holdtime 360 ip nhrp nhs 10.0.0.1 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.1.0 0.0.0.255 no auto-summary

Hub1 NHRP mappings

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Multi-Hub Spoke B

interface Tunnel0 bandwidth 1000 ip address 10.0.0.12 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast 172.17.0.5 ip nhrp map 10.0.0.2 172.17.0.5 ip nhrp network-id 100000 ip nhrp holdtime 360 ip nhrp nhs 10.0.0.2 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.2.0 0.0.0.255 no auto-summary

Hub2 NHRP mappings

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Multi-Hub Spoke C

interface Tunnel0 bandwidth 1000 ip address 10.0.0.13 255.255.255.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast 172.17.0.9 ip nhrp map 10.0.0.3 172.17.0.9 ip nhrp network-id 100000 ip nhrp holdtime 360 ip nhrp nhs 10.0.0.3 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.0.255 network 192.168.3.0 0.0.0.255 no auto-summary

Hub3 NHRP mappings

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Multi-Hub Hub NHRP tables

Hub1

10.0.0.2/32, NBMA addr: 172.17.0.5 (stat, auth, used) 10.0.0.3/32, NBMA addr: 172.17.0.9 (dyn, auth, uniq, reg) 10.0.0.11/32, NBMA addr: 172.16.1.2 (dyn, auth, uniq, reg) 10.0.0.13/32, NBMA addr: 172.16.3.2 (no-socket) (dyn, router) 10.0.0.1/32, NBMA addr: 172.17.0.1 (dyn, auth, uniq, reg) 10.0.0.3/32, NBMA addr: 172.17.0.9 (stat, auth, used) 10.0.0.11/32, NBMA addr: 172.16.1.2 (no-socket) (dyn, router) 10.0.0.12/32, NBMA addr: 172.16.2.2 (dyn, auth, uniq, reg) 10.0.0.1/32, NBMA addr: 172.17.0.1 (stat, auth, used) 10.0.0.2/32, NBMA addr: 172.17.0.5 (dyn, auth, uniq, reg) 10.0.0.11/32, NBMA addr: 172.16.1.2 (no-socket) (dyn, router) 10.0.0.13/32, NBMA addr: 172.16.3.2 (dyn, auth, uniq, reg)

Hub 2

Hub 3

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Multi-Hub Spoke NHRP tables

Spoke A

10.0.0.1/32, Tunnel0 created 1d10h, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.1 10.0.0.13/32, Tunnel0 created 00:00:12, expire 00:04:18 Type: dynamic, Flags: router used NBMA address: 172.16.3.2 10.0.0.3/32, Tunnel0 created 1d10h, never expire Type: static, Flags: authoritative used NBMA address: 172.17.0.9 10.0.0.11/32, Tunnel0 created 00:00:54, expire 00:03:36 Type: dynamic, Flags: router NBMA address: 172.16.1.2

Spoke C

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN Multi-Hub Summary

Multi-hub and spoke (redundant DMVPN)
Use to increase the number of spokes in DMVPN cloud Daisy-chain hubs as NHSs of each other

Daisy-chaining
Currently fragilelose one hub and cant create new dynamic spoke-spoke tunnels

Consider setting up smaller regional DMVPN networks interconnected with dedicated high speed physical links
Probably will give better performance then cross-country spoke-spoke dynamic tunnels
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

High Concentration Design

BGP IPSec + GRE + NHRP + OSPF/EIGRP Hub 1 Hub 2 Hub 3

Server Load Balancer

SLB will load each hub smoothly. SLB is fine tunable. Dynamic GRE w/ NHRP Dynamic routing on a hub with IGP Dynamic routing to core with BGP

Spoke 1 Spoke 2

Spoke 3

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN High Concentration Hub Features

Single hub-and-spoke tunnel per spoke Server Load Balancing (SLB) is used to load balance mGRE tunnels (after decryption) between MWAM processors or 7200 router farm If you lose an MWAM processor then SLB will redistribute tunnels to other processors
Loss of traffic until spoke sends next NHRP registration

Routing
Use EIGRP for routing between hub (MWAM) and spoke Use BGP for routing between hubs

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN High Concentration Hub

CAT6500
VPNSM
VLAN 11 VLAN 10 10.1.0.0

MFSC

MWAM
VLAN 100 10.1.1.0

P h y s i c a l

I n t e r f a c e s

SLB
VIP 172.18.7.32

.2 .3

172.18.7.32 172.18.7.32 172.18.7.32 172.18.7.32 172.18.7.32 172.18.7.32

.4 .5 .6 .7

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN High Concentration Hub MSFC: SLB Configuration

MWAM Routers
mwam module 2 port 1 allowed-vlan 1,100 mwam module 2 port 2 allowed-vlan 1,100 ... mwam module 2 port 6 allowed-vlan 1,100 ! ip slb probe PING-PROBE ping faildetect 3 ! ip slb serverfarm MWAM-FARM predictor leastconns failaction purge probe PING-PROBE ! real 10.0.0.2 maxconns 750 inservice ... ! real 10.0.0.7 maxconns 750 inservice ! ip slb vserver GRE virtual 172.18.7.32 255.255.255.252 gre serverfarm MWAM-FARM no advertise sticky 17 inservice
82

SLB

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN High Concentration Hub MSFC Configuration

! interface Loopback0 ip address 172.18.7.32 255.255.255.255 ! interface GigabitEthernet7/1 no ip address switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,10,1002-1005 switchport mode trunk ! interface GigabitEthernet7/2 no ip address switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,11,1002-1005 switchport mode trunk vlan 10-11,100 ! interface FastEthernet4/1 no ip address switchport switchport access vlan 11 switchport mode access

...

! interface Vlan10 ip address 10.1.0.1 255.255.255.0 crypto map cm ! interface Vlan11 no ip address crypto connect vlan 10 ! interface Vlan100 ip address 10.1.1.1 255.255.255.0

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN High Concentration Hub MWAM Routers

Same secondary for spoke neighbor
interface Loopback0 ip address 172.18.7.32 255.255.255.255 ! interface Tunnel0 bandwidth 1000 ip mtu 1400 ip address 10.0.0.1 255.255.0.0 secondary ip address 10.0.0.<x> 255.255.0.0 ! x = 2,3,4,5,6,7 no ip next-hop-self eigrp 1 ip nhrp map multicast dynamic ip nhrp network-id 100000 ip nhrp holdtime 360 no ip split-horizon eigrp 1 delay 1000 ip tcp adjust-mss 1360 tunnel source Loopback0 tunnel mode gre multipoint tunnel key 100000 ! interface GigabitEthernet0/0.100 encapsulation dot1Q 100 ip address 10.1.1.<x> 255.255.255.0 ! router eigrp 1 network 10.0.0.0 0.0.255.255 no auto-summary router bgp 1 bgp router-id 10.0.0.<x> redistribute eigrp 1 neighbor 10.1.1.1 remote-as 1
84

EIGRP and BGP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN High Concentration Hub Spoke

interface Tunnel0 bandwidth 1000 ip address 10.0.0.<z> 255.255.0.0 ip mtu 1400 ip nhrp authentication test ip nhrp map multicast 172.18.7.32 ip nhrp map 10.0.0.1 172.18.7.32 ip nhrp network-id 100000 ip nhrp holdtime 360 ip nhrp nhs 10.0.0.1 ip tcp adjust-mss 1360 delay 1000 tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 100000 tunnel protection ipsec profile vpnprof ! router eigrp 1 network 10.0.0.0 0.0.255.255 network <local-network> <inverse-mask> no auto-summary

Hub NHRP mappings

EIGRP Routing

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

DMVPN High Concentration Hub Summary

Spokes load balanced by SLB over six MWAM processors
Single Hub per Spoke, but dynamically redundant MWAM and VPNSM processors. Use another 6500/7600, VPNSM, MWAM as a second hub

Use as a hub for DMVPN

Uses dynamic crypto-map on VPNSM so it cannot initiate IPsec tunnels

Possibly use as a high bandwidth spoke

Rely on DMVPN initiating spoke-spoke tunnels from both sides
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

DMVPN Hub-and-Spoke Hub Throughput

7200, NPE-G1, VAM2, mGRE 350 EIGRP IMIX, 75% CPU 325 OSPF IMIX, 75% CPU 1200 ODR IMIX, 75% CPU 800 EIGRP EMIX, 82% CPU 2 mGRE, 2 VAM2 3576 EIGRP EMIX, ~24% CPU (MSFC, MWAM) CAT6500, VPNSM, MWAM Encrypted (PPS) 27,000 27,000 26,000 45,212 453,000 Encrypted (Mbps) 87.3 87.3 79.3 104.2 1004

EMIX Enterprise Mix

Average packet size 188B(down)/144B(up) (FTP, VoIP, WWW, POP3)

IMIX Internet Mix

Average packet size 344B (7x64B, 4x570B, 1x1400B)
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

MANAGEMENT

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Management: A Case Study

Cisco: Enterprise Class Teleworker (ECT) Network What is ECT? ECT is a SOHO Remote Access IOS based VPN solution for enterprise users using the public Internet service while providing additional services (VoIP, QoSS, Multicast) with Security as its primary concern.
Cisco IT

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

ECT Technology Overview

ECT
Connectivity
Enterprise Class Teleworker (ECT)
Cisco 83x, 17xx series

Security
Public Key Infrastructure
PKI-AAA Integration Auto Enrolment Multiple Trust Points Secure RSA Private Key

Network Integration
DMVPN
Dynamic Addressing for Spoke-to-Hub On-Demand Spoke-toSpoke Tunnels

Management
Touchless Provisioning (ISC)
Bootstrap PKI Certificates Dynamic Addressing and Call Home Policy Push for IPsec, QoS, Firewall, IDS, NAT, Routing Hub-and-spoke, full and partial mesh topologies

Full Service Branch (FSB)

Cisco 17xx, 26xx, 37xx series

V3PN
QoS VoIP Video Multicast

Enterprise Aggregation
Cisco 37xx, 72xx series

Device and User Authentication

Secure ARP Authentication Proxy/802.1x

Resiliency
Self-Healing and Load Balancing

Service Provider Edge

Cisco 72xx series

Stateful Firewall Intrusion Protection

Ongoing Management (ISC)

Management Tunnel Configuration Change Notification Audit Checks
90

Scalability
Full Mesh up to 1000 Sites

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

ECT Large Scale VPN Management Challenges

Ease of large scale deployment with minimal end-user intervention Distribution of updated configurations and security policies Varying third party provider network connections (cable modem, DSL) Ongoing security monitoring and auditing Automated software update

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

ECT Management and Provisioning

Touchless provisioning of routing, IPsec, NAT, QoS, firewall, IDS Bootstrapping and call home
Automatic registration and policy push, no user intervention

Automatic CA enrolment for PKI certificates Dedicated management tunnel facilitates outsourcing of management Per-user or per-group configuration policies Email notification on spoke events: config change, or policy audit violations
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

ECT Management Tools Used

ISC IP Solution Center for deploying and managing configurations CNS provide event based management
Intelligence Engine 2100 CNS server CNS Event Gateway and Auto Update Server CNS agent running on IOS in the spoke routers

CA Servers
IOS Certificate Server - bootstrap certificate Production CA Server - certificate for data tunnels

AAA server - RADIUS

SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

Cisco IP Solution Center 3.0: Carrier-Class Network and Service Management

Hub-and-spoke, full and partial mesh topologies Design and deploy complex firewall rules Cisco IOS IDS provisioning and tuning Integrated routing OSPF, EIGRP, RIP Automate provisioning of failover and load balancing
Siteto-site VPN Managed firewall Logi Device Customer cal VPN RBAC Remote Access NAT Service Service Invento Inventory Data StoreData Store Relationship Netw DMVPN Managed IDS ry ork Easy VPN
Topo logy Device Abstraction Layer

QoS provisioning NAT configuration deployment PKI-based end-to-end authentication and audit checks
94

Network-based IPsec

IOS Router
SEC-A04

PIX Appliance

VPN 3000

IDS

2004 Cisco Systems, Inc. All rights reserved.

ISC Touchless Provisioning

Home routers are bootstrapped before given to the end-users Permanent management tunnel to provide secured connectivity to management servers to perform
Initial configuration of home router upon call-home Listen to config changes Automatic software update

Separate VPN gateway devices

Management Gateway to terminate management tunnels Data Gateway to tunnel traffic into the corporate network

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Initial Provisioning (Bootstrapping)

Two methods
Bootstrap in the corporate network using ISC Bootstrap remotely using EzSDD (Ez Secure Device Deployment)

Bootstrap in the corporate network requires less end-user intervention EzSDD provides total automatic device deployment without initial bootstrapping home routers in the corporate network

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Corporate Network Bootstrapping Steps

Enterprise orders the router for end-user The following basic configuration is bootstrapped on the router using ISC
IP Connectivity (Cable, PPPoE, etc.) Certificate for authenticating to the management gateway Crypto policy used for the management tunnel CNS Agent configuration to communicate with IE2100 External NTP server configurations

SEC-A04

2004 Cisco Systems, Inc. All rights reserved.

Deployment in Action
1.
Linux, MAC, MS-Windows PC WLAN/TKIP

Remote routers call home and management tunnel is set up. Management server authenticates remote router using certificate authority and AAA servers. Management server pushes policy including new certificate. Remote router establishes primary data tunnel, access to corporate resources. Secondary tunnel established, stays active for instant failover. When required, remote router establishes direct spoke-tospoke tunnel with other authorized remotes and torn down after use.
98

2.
On-Demand Peer 1. Call Home 6. On-Demand Tunnel

ISP
5. Secondary Tunnel 4. Data Tunnel

3. Management VPN Gateway ISC, IE2100 Certificate Authority, AAA

Policy Push Data VPN Gateway 1

Data VPN Gateway 2 Access to Corporate Resources

2. Authenticate

SEC-A04

ECT Ongoing Management

Management tunnel maintained throughout the operations of the router Event-driven notification and regular audit checks used to satisfy security requirements
Attempt to downgrade/upgrade IOS Password recovery Enable/vty password change Modified/disabled CNS Agent

IOS image management via CNS Image Agent

SEC-A04

Summary
DMVPN is used today We have a couple of x00(0) nodes networks deployed Customers are having the SLB Design in production Add spokes without touching the headend Routing for resiliency

Presentation_ID

100

IOS CERTIFICATE SERVER

SEC-A04

101

Cisco IOS Certificate Server

Allows router to be a Certificate Authority Issues certificates for routers via Simple Certificate Enrollment Protocol (SCEP) Not a real CA, just the bare minimum Useful for IPsec VPN
Site-to-site Dynamic Multipoint VPN (DMVPN)

Can be in automatic mode (always grant a certificate to all requests) or manual Storage of certs & crl is either flash, or (T)FTP server Implemented with other security features:
VPN Cisco IOS Firewall
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

102

Deployment Considerations
Cisco IOS Hypertext Transfer Protocol (HTTP) server must be enabled Small deployments use internal HTTP server for revocation database External server is used for certificate revocation list (CRL)
HTTP, Lightweight Directory Access Protocol (LDAP), Online Certificate Status Protocol (OCSP) External revocation server strongly recommended for large deployments

Cert Signing is CPU-intensive

CPU utilization spikes, when enrollment requests are processed

SEC-A04

103

Cisco IOS Certificate Server Small VPN

Cisco IOS Certificate Server Head end router are configured for Cisco IOS Certificate Server, IPsec VPN Connections, and CRL distribution HTTP must be enabled and exposed to public internet for enrollment and CRL requests Cisco IOS Firewall features may be employed for private network security
Remote Sites

Head End
Certificate Enrollment and VPN Tunnels

Ideal for site-to-site and DMVPN IPsec networks

104

SEC-A04

Cisco IOS Certificate Server Medium/Large VPN

Central Site
Cisco IOS Certificate VPN Router Server/VPN CRL Server

Head end router are configured for Cisco IOS Certificate Server and VPN Connections CRL distribution is carried by external HTTP or LDAP server HTTP must be enabled and exposed to public internet for enrollment and CRL requests Cisco IOS Firewall features may be employed for private network security
105

VPN Tunnels

Certificate Enrollment

Remote Sites

SEC-A04

Configuring Certificate Server /1

crypto pki server MY_SCEP database level names database url disk0: issuer-name cn=Homer Simpson,o=PowerPlant,c=com grant auto % This will cause all certificate requests to be automatically granted. Are you sure you want to do this? [yes/no]: yes cdp-url http://192.168.0.3/disk0/MY_SCEP.crl no shutdown

SEC-A04

106

Configuring Certificate Server /2

NTP or clock must be configured HTTP server must be enabled If CRL Distribution Point is the router, direct flash access must be enabled
ntp server 192.168.0.47 ip http server ip http path disk0:

Misc info including CA fingerprint:

#show crypto pki ser CA cert fingerprint: 1B42B189 B5984C40 B17292A1 FD70D5DA

Storage media contains:

Jun Jun Jun Jun

30 30 30 30

2003 2003 2003 2003

06:38:34 10:46:28 07:29:48 06:44:56

1.cnm MY_SCEP.ser MY_SCEP.crl 2.cnm

107

Configuring IOS Clients

crypto ca trustpoint MY_SCEP enrollment url http://192.168.0.3:80 serial-number subject-name cn=Kwik-E-Mart,o=PowerPlant,c=com auto-enroll 90 crypto ca authenticate MY_SCEP

SEC-A04

108

Adding Resilience & Scalability CRL Distribution Point, Lifetime,

IOS CS will use FTP to store CRL, to an external web server
crypto pki server MY_SCEP database level names database url ftp://192.168.0.47/public_html/ database username crusty password 0 clown issuer-name cn=Homer Simpson,o=PowerPlant,c=com grant auto lifetime crl 1 lifetime ca-certificate 1825 cdp-url http://192.168.0.47/Springfield/MY_SCEP.crl

FTP server requires some credentials

CDP will be reached by HTTP

109

Enrolling Clients on Certificate Server Without Automatic Grant

#crypto pki server MY_SCEP info requests

Enrollment Request Database: ReqID State Fingerprint SubjectName -------------------------------------------------------------10 pending E5F7D1B235542F9EC7868D9512352CB4 serialNumber=C10ADCA9+ipaddress= 192.168.0.11+hostname=c2651b.cisco.com,cn=2651c,o=PowerPlant,c=com

#crypto pki server MY_SCEP grant 10

SEC-A04

110

Cisco IOS Certificate Server Summary

VPN deployment
Offers simple solution to deploy IPsec VPN with certificates Relieves expense and workload from configuring full-featured Certification Authority server No multi-vendor finger pointing for support calls Certification Authority server falls into router ops/sec ops instead of server ops group responsibility

Simplifies laboratory VPN testing

Configuration of full-featured Certification Authority for quick lab testing of IPsec VPN features is not necessary

111

SSL vs. IPSec VPN

SEC-A04

112

Virtual Private Network (VPN) Overview

IP Security (IPSec) and SSL
Mechanism for secure communication over IP
Authenticity (Unforged/trusted party) Integrity (Unaltered/tampered) Confidentiality (Unread)

Remote Access (RA) VPN Components

VPN Client or Browser

113

Technical Overview SSL and IPSec

SSL VPN
Connections originated from a web browser Dependent on applet delivery for access to other programs on the PC Granular access control that can limit access to specific web pages or other internal resources IT department may have limited or no control over the remote system, especially in the case of a partner Strong authentication a necessity

IPSec VPN
Tunneled connection, allowing installed system applications to operate same as when in office No browser dependency Access control less granularwide open or limited to certain internal hosts or subnets IT department often maintains complementary applications on PC like Anti-Virus and Personal FW software Strong authentication desirable

SEC-A04

114

Deployment Considerations Remote Access VPNs: Pros and Cons

SSL VPN
PROS
No manual software deployment Easy network traversal Anywhere access Seamless wireless roaming since session isnt locked to IP

IPSec VPN
PROS
Full Network access Same as office experience Wide application availability

SSL VPN
CONS
Dependency on Active X or Java for non browser-enabled access More limited application availability Browser specific support

IPSec VPN
CONS
Manual software deployment Most appropriate for corporate managed PCs No support for proxy server traversal

BEST OF BOTH WORLDS IS HAVING THE FLEXIBILITY TO CONNECT USERS WITH EITHER IPSEC OR SSL, DEPENDING ON SPECIFIC REQUIREMENTS

SEC-A04

115

Firewall Traversal
SSL VPN
HTTPS (TCP 443) HTTP (TCP 80) (If HTTP redirection desired)
THE PORTS AND PROTOCOLS LISTED MUST BE OPEN FOR A REMOTE USER TO BE ABLE TO CONNECT SUCCESSFULLY; HTTPS (TCP 443) WILL BE OPEN THROUGH MOST NETWORKS WHILE THE PROTOCOLS REQUIRED FOR IPSEC MAY NOT BE OPEN BY DEFAULT ON A NETWORK THAT OUTBOUND PERFORMS FILTERING
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

IPSec VPN
Standard IPSec
ESP (Protocol 50) IKE (UDP 500)

Standard NAT/PAT Traversal

IKE (UDP 500) ESP over UDP (UDP 4500)

Proprietary TCP Encapsulation

Administrator defined TCP port(s)

116

Understanding Your Remote Users

What applications do they need to access?
Web browsing (including Web-based email) Thick client applications (TCP) Full network access

Where will they be accessing from?

Corporate managed computers Unmanaged computers Kiosks/Public systems

How long will users stay connected?

117

Deployment Example
Using IPSec and SSL VPN to Reach Diverse User Populations
Supply Partner Extranet Account Manager Mobile User IP/Internet VPN Doctor at Home Unmanaged Desktop
IPSEC VPN
ENGINEERMany servers/apps, needs native app formats, VoIP, frequent access, long connect times ACCOUNT MANAGERDiverse apps, homegrown apps, always works from enterprisemanaged desktop
118

Central Site

Software Engineer Telecommuter

SSL VPN
PARTNERFew apps/servers, tight access control, no control over desktop software environment, firewall traversal DOCTOROccasional access, few apps, no desktop software control

SEC-A04

SSL VPN Client Options

Clientless
Web browser Proxying and/or application translation at concentrator

Thin Client
Port Forwarding via Java/ActiveX Enhanced Client Delivered from concentrator

Thick Client
Persistent Full Tunneling or Nailed Client Delivered from concentrator

SEC-A04

119

SSL VPN: Proxying

Standard Browser Clientless
Concentrator proxies HTTP(S) over SSL connection Limited to web pages
HTML pages Web-based (webified) applications

SEC-A04

120

Data Flow URL Mangling

Web Server Web Browse SSL Tunnel Concentrator Web Server HTTP Request Web Server

HTTP Requests
protocol://user:password@host:port/path?query

https://user:password@chost:cport/protocol/flags/host/path?query

http://www.yahoo.com https://1.2.3.4/http/0/www.yahoo.com https://www.abc.com/d/index.html https://1.2.3.4/https/0/www.abc.com/d/index.html http://www.abc.com/x.cgi?a=b https://1.2.3.4/http/0/www.abc.com/x.cgi?a=b http://www.xyz.com:8080 https://1.2.3.4/http/8080/www.xyz.com

121

SSL VPN: Application Translation

Standard Browser Clientless
Concentrator webifies application
Translates (proxies) protocol to HTTP

Requires detailed application knowledge Delivers HTML look-and-feel Expands use to some non-web applications
CIFS (NT and Active Directory file sharing)

SEC-A04

122

SSL VPN: Port Forwarding

Java/ActiveX Thin or Enhanced Client
Local thin client acts as proxy
Tunnels and forwards application traffic

Delivered via Java/ActiveX from concentrator Some system permissions may be required Maintains native application look-and-feel Works with predictable non-web applications
Generally outbound, TCP-based, with static port(s) Telnet, SMTP, POP3

SEC-A04

123

Port Forwarding
HTTPS connection to concentrator Client Workstation HOSTS Web Browser Java Applet Protocol connection to remote server Concentrator

Client Program

Remote Server

TCP Connection to local port (127.0.0.x:y)

SEC-A04

124

Port Forwarding
Local Port Destination Protocol

1100

sun.test.com:22

SSH

1101

sun2.test.com:22

SSH

1102

mail.test.com:110

POP3

1103

mail.test.com:25

SMTP

127.0.0.1:1100; Host File Is Not Modified If Host File Can be Modified: Applet Listens on Server.test.com:22; where server.test.com Is Mapped to 127.0.0.x (x Is Greater than 1, Determined at Run Time)
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

125

SSL VPN: Network Extension

Persistent Thick, Full Tunneling or Nailed Client
Traditional-style client delivered via concentrator Requires administrative privileges Provides access very similar to IPSec
Better accessibility over firewalls and NAT

Lacks the granularity of other SSL mechanisms

SEC-A04

126

SSL VPN: Client Authentication

SSL requires central site digital certificates Often combined with other user auth. mechanisms
Username and password Tokens Smart cards

Authenticated against
RADIUS LDAP Active Directory (AD)

SEC-A04

127

SSL VPN: Access Control

User and group authentication Extremely granular
Source and destination IP URL Directory-level

SEC-A04

128

ACLs
The following ACL allows access to all resources within the company, but denies access to resources outside the company
permit url http://*.company.com permit url https://*.company.com permit url cifs://*.company.com permit url pop3://*.company.com permit url imap4://*.company.com permit url smtp://*.company.com

SEC-A04

129

Endpoint Control
Determine trust of the end system
Is it a corporate machine?

Assess endpoint security

Does it have virus protection, personal firewall installed?

Endpoint cleanup
Can I remove confidential info?

SEC-A04

130

Endpoint Security for SSL VPN Sessions

Prevent or restrict SSL VPN access from users under some of the following categories
Restrict access to corporate managed machines Allow access from non-corporate managed machines (i.e. employee home PC), but ensure all content is destroyed on these specific systems after connection is complete Clientless compatible endpoint posture assessmentAV, PFW, running processes, registry items/values

Protect data delivered to systems with suspect complianceany files downloaded, content, or cookie information would not remain on system after connection complete
SEC-A04
2004 Cisco Systems, Inc. All rights reserved.

131

Whats Left Behind

The Risk of VPN on Public Systems
Cookies
Usernames and passwords

URL history Page caches

Sensitive corporate data

Downloaded files

SEC-A04

132

Cisco Acquisition of Twingo Systems

Comprehensive Endpoint Security for SSL VPN
THE TECHNOLOGY: VIRTUAL SECURE DESKTOP Removes sensitive security information (cookies, browser cache/history, e-mail file attachments, etc.) related to an SSL VPN connection at the close of the session; This protects from exploitation of such information for host network or system penetration The Virtual Secure Desktop is transparent to the end user and automatically creates a secure session under Windows 2000 and Windows XP User can still have access to all of the PCs hardware and software resources All applications and processes that run in the Virtual Secure Desktop are controlled The Virtual Secure Desktop creates a cryptographic file system on the fly and nothing is ever written in clear on the disk

SEC-A04

133

Twingo Features and Benefits

FOR THE END USER Small download size and rapid installation Transparent use, no new UI to learn and get used to Access to all PC Hardware and Software Automatic session and data cleanup FOR THE IT MANAGER User proof
Easy download and install process User is guided into the Twingo Session (one click only) User cannot unintentionally save documents or data to the non-encrypted portion of the disk

TWINGO SECURITY FEATURES Prevents digital leakage Protects against malicious code Protects user privacy Is easy to implement and manage

User experience is greatly customizable

Look and feel Windows and browser settings and all office application templates and settings

Added security features

Automatic time out of Twingo session Easy integration with major authentication mechanisms

SEC-A04

134

How Twingo Works

Twingo components are installed or updated Installation can be done through either an activeX, a java applet or an executable Total size is less than 500kB No reboot, no specific privilege required Twingo supports four 64-bit block encryption algorithm: DES (56-bit key), triple DES (168-bit key), CAST (128-bit key) and Blowfish (256-bit key) 128-character password is randomly generated

Secure vault is created

Virtual session is created

All processes on the Virtual Secure Desktop are monitored and can be controlled All hard-disk (file or registry) are redirected to the vault

Session is closed Vault is closed

All processes on the Virtual Secure Desktop are killed Secure vault is closed and password is lost At this time, it is not possible to recover any information

Vault is destroyed Byte-to-byte

Sanitization of the vault Implementation of the Department of Defense clearing and sanitizing standard DOD 5220.22-M
135

SEC-A04

SSL vs. IPSec - Summary

The technologies should be considered complementary. Both have strong features

SEC-A04

136

Housekeeping
Dont forget to complete your evaluations - you can access them on-line via Schedule Builder! Visit the World of Next Generation Solutions on Level -01! You can collect your session printouts at the
Print Center on Level -01

Please remember this is a No Smoking venue! Please switch off your mobile phones! Please remember to wear your badge at all times including the Party!

SEC-A04

137

138

(Nov-2023) New PassLeader SAA-C03 Exam Dumps
No ratings yet
(Nov-2023) New PassLeader SAA-C03 Exam Dumps
15 pages
Hurom HU-500 DG Manual English
100% (1)
Hurom HU-500 DG Manual English
28 pages
UMMT 3.0 Implementation Guide - Large Network Multi-Area IGP Design With IPMPLS Access Design and Implementation Guide
100% (2)
UMMT 3.0 Implementation Guide - Large Network Multi-Area IGP Design With IPMPLS Access Design and Implementation Guide
114 pages
WAN TECHNOLOGY FRAME-RELAY: An Expert's Handbook of Navigating Frame Relay Networks
From Everand
WAN TECHNOLOGY FRAME-RELAY: An Expert's Handbook of Navigating Frame Relay Networks
Mamta Devi
No ratings yet
Implementing Interprovider Layer 3 VPN Option B
No ratings yet
Implementing Interprovider Layer 3 VPN Option B
26 pages
DFWCUG Cisco Nexus and How It Differs From Catalyst 6500
No ratings yet
DFWCUG Cisco Nexus and How It Differs From Catalyst 6500
54 pages
Palo Alto Networks Customer Presentation: November 2009 Ozan Ozkara
No ratings yet
Palo Alto Networks Customer Presentation: November 2009 Ozan Ozkara
20 pages
BFD Support On Cisco ASR9000 - Cisco Support Community
No ratings yet
BFD Support On Cisco ASR9000 - Cisco Support Community
65 pages
BGP Case Studies PDF
No ratings yet
BGP Case Studies PDF
79 pages
Brkaci 2102 PDF
No ratings yet
Brkaci 2102 PDF
142 pages
BGP
No ratings yet
BGP
135 pages
Tshooting Cisco VPN Solutions
No ratings yet
Tshooting Cisco VPN Solutions
107 pages
OSPF Summary: The Characteristics of OSPF Follow
100% (1)
OSPF Summary: The Characteristics of OSPF Follow
20 pages
Yasser Auda CCIEv5 IPv4 Multicast Study Guide PDF
No ratings yet
Yasser Auda CCIEv5 IPv4 Multicast Study Guide PDF
50 pages
Versa Training Lab Guide: Groups 1 - 2
No ratings yet
Versa Training Lab Guide: Groups 1 - 2
20 pages
Campus QoS Design
100% (1)
Campus QoS Design
78 pages
NetBrain End User Quick Start Guide
No ratings yet
NetBrain End User Quick Start Guide
25 pages
Extra Notes On IPsec VPNs
100% (1)
Extra Notes On IPsec VPNs
21 pages
DeployingF5LoadBalancerswithCiscoISE Techalk Security Dec04 2014
No ratings yet
DeployingF5LoadBalancerswithCiscoISE Techalk Security Dec04 2014
208 pages
Basic BGP Notes in Short
No ratings yet
Basic BGP Notes in Short
12 pages
Routehub TUNNEL L3VPN MPLS PDF
No ratings yet
Routehub TUNNEL L3VPN MPLS PDF
189 pages
Lab 2 - Mpls Te - Mpls and Application Lab Assignments - Thuan
100% (1)
Lab 2 - Mpls Te - Mpls and Application Lab Assignments - Thuan
27 pages
Yasser Auda - Introduction To SDN
No ratings yet
Yasser Auda - Introduction To SDN
31 pages
Cisco ACI Interview
No ratings yet
Cisco ACI Interview
18 pages
Advanced Switching Reference Manual Ver. 0.9
No ratings yet
Advanced Switching Reference Manual Ver. 0.9
168 pages
Cisco IP Security Troubleshooting Understanding and Using Debug Commands
No ratings yet
Cisco IP Security Troubleshooting Understanding and Using Debug Commands
14 pages
Configuring l2ckt To l3vpn
No ratings yet
Configuring l2ckt To l3vpn
26 pages
1 bgp1
No ratings yet
1 bgp1
161 pages
F Path Troubleshooting Step by Step Guide
No ratings yet
F Path Troubleshooting Step by Step Guide
91 pages
Devnet 2000
No ratings yet
Devnet 2000
44 pages
ASR9000 or XR Understanding Turboboot and Initial System Bring Up
No ratings yet
ASR9000 or XR Understanding Turboboot and Initial System Bring Up
17 pages
Implementing Cisco Application Centric Infrastructure - Advanced v1.0 (300-630)
No ratings yet
Implementing Cisco Application Centric Infrastructure - Advanced v1.0 (300-630)
1 page
This Chapter Describes The Cisco NX-OS Interfaces Commands
No ratings yet
This Chapter Describes The Cisco NX-OS Interfaces Commands
308 pages
Cisco NX-OS IOS BGP (Advanced) Comparison
No ratings yet
Cisco NX-OS IOS BGP (Advanced) Comparison
6 pages
Converged SDN Transport For CCIE SPv5 v202104
No ratings yet
Converged SDN Transport For CCIE SPv5 v202104
326 pages
BRKCRS 2502
No ratings yet
BRKCRS 2502
153 pages
Getting Started With Palo Alto Firewalls v8
No ratings yet
Getting Started With Palo Alto Firewalls v8
41 pages
Implementing and Configuring Cisco Identity Services Engine (SISE) - Sunset Learning Institute
No ratings yet
Implementing and Configuring Cisco Identity Services Engine (SISE) - Sunset Learning Institute
5 pages
MPLS Juniper
No ratings yet
MPLS Juniper
37 pages
Versa SDWAN Design Guide V1.2
No ratings yet
Versa SDWAN Design Guide V1.2
143 pages
Ipsec With Cisco Asa
No ratings yet
Ipsec With Cisco Asa
10 pages
Automating Cisco ACI With Python Day 2-Stamped
No ratings yet
Automating Cisco ACI With Python Day 2-Stamped
22 pages
VPC Guide PDF
100% (4)
VPC Guide PDF
71 pages
Implementing Cisco NX-OS Switches and Fabrics in The Data Center (DCNX) v1.0
No ratings yet
Implementing Cisco NX-OS Switches and Fabrics in The Data Center (DCNX) v1.0
3 pages
BGP Attributes
No ratings yet
BGP Attributes
54 pages
Understanding NAT 4.1 RevC
No ratings yet
Understanding NAT 4.1 RevC
30 pages
Cisco IOS XR - Complete Getting Started Examples Guide, Part1 - 2
No ratings yet
Cisco IOS XR - Complete Getting Started Examples Guide, Part1 - 2
14 pages
Palo Alto HA-LAB - Self Prepared
No ratings yet
Palo Alto HA-LAB - Self Prepared
55 pages
Mcast Tutorial
No ratings yet
Mcast Tutorial
70 pages
How To Load Images To The EVE
No ratings yet
How To Load Images To The EVE
2 pages
IPsec Quick and Dirty
No ratings yet
IPsec Quick and Dirty
4 pages
C9800 Module 1 9800 Family Deployment Options
No ratings yet
C9800 Module 1 9800 Family Deployment Options
38 pages
BRKMPL 2333
No ratings yet
BRKMPL 2333
98 pages
BGP Route Reflectors and Route Filters
No ratings yet
BGP Route Reflectors and Route Filters
12 pages
Open Short Path Protocol - OSPF
No ratings yet
Open Short Path Protocol - OSPF
78 pages
Configuring VSS (Cisco 6500) and VPC (Cisco NX5K) - Data Center and Network Technobabble
No ratings yet
Configuring VSS (Cisco 6500) and VPC (Cisco NX5K) - Data Center and Network Technobabble
7 pages
BGP Multihoming Examples
No ratings yet
BGP Multihoming Examples
33 pages
System Log Messages Reference
No ratings yet
System Log Messages Reference
564 pages
Meraki SD-WAN
0% (1)
Meraki SD-WAN
32 pages
In Depth Guide to IS-IS Routing: Learn Intermediate System to Intermediate System Routing from scratch
From Everand
In Depth Guide to IS-IS Routing: Learn Intermediate System to Intermediate System Routing from scratch
Mamta Devi
No ratings yet
Next-Generation switching OS configuration and management: Troubleshooting NX-OS in Enterprise Environments
From Everand
Next-Generation switching OS configuration and management: Troubleshooting NX-OS in Enterprise Environments
Mamta Devi
No ratings yet
Software-Defined WAN SD-WAN A Clear and Concise Reference
From Everand
Software-Defined WAN SD-WAN A Clear and Concise Reference
Gerardus Blokdyk
No ratings yet
Configuring Resilient Ethernet Protocol: Information About Configuring REP
No ratings yet
Configuring Resilient Ethernet Protocol: Information About Configuring REP
12 pages
c1101 4pltep Datasheet
No ratings yet
c1101 4pltep Datasheet
5 pages
Mixed Models Day 2 Student Version2023
No ratings yet
Mixed Models Day 2 Student Version2023
51 pages
bq20z90EVM-001 SBS 1.1 Impedance Track™ Technology Enabled Battery Management Solution Evaluation Module
No ratings yet
bq20z90EVM-001 SBS 1.1 Impedance Track™ Technology Enabled Battery Management Solution Evaluation Module
17 pages
Sbs 1.1-Compliant Gas Gauge Enabled With Impedance Track™ Technology For Use With The Bq29330
No ratings yet
Sbs 1.1-Compliant Gas Gauge Enabled With Impedance Track™ Technology For Use With The Bq29330
28 pages
Battery Protection Analog Front End (AFE) IC: Description
No ratings yet
Battery Protection Analog Front End (AFE) IC: Description
24 pages
Battery Protection Analog Front End (AFE) IC: Description
No ratings yet
Battery Protection Analog Front End (AFE) IC: Description
24 pages
Prerequisites For Dynamic Multipoint VPN
No ratings yet
Prerequisites For Dynamic Multipoint VPN
46 pages
Philips Hd8651
No ratings yet
Philips Hd8651
78 pages
Compact 5630 Led
No ratings yet
Compact 5630 Led
2 pages
0611 DSR DS en
No ratings yet
0611 DSR DS en
2 pages
Serial Port Level Converter: C4 220pF R12 1.5K
No ratings yet
Serial Port Level Converter: C4 220pF R12 1.5K
1 page
DG GR1321
No ratings yet
DG GR1321
1 page
Wireshark Lab: TCP: Approach, 7 Ed., J.F. Kurose and K.W. Ross
No ratings yet
Wireshark Lab: TCP: Approach, 7 Ed., J.F. Kurose and K.W. Ross
11 pages
Ejemplo 2 Factura Amz PDF
No ratings yet
Ejemplo 2 Factura Amz PDF
3 pages
Win Inet
No ratings yet
Win Inet
207 pages
VDTU2-R140 - User Manual - v1.1 - 20151224
No ratings yet
VDTU2-R140 - User Manual - v1.1 - 20151224
62 pages
Nexxt Nebula 150
No ratings yet
Nexxt Nebula 150
1 page
Configure L2TP Over IPsec Between Window
No ratings yet
Configure L2TP Over IPsec Between Window
28 pages
DMVPN Dual Hub Single Cloud
No ratings yet
DMVPN Dual Hub Single Cloud
14 pages
Tibco Soap Vs Service Palette
No ratings yet
Tibco Soap Vs Service Palette
1 page
AWS Architecture Icons Deck For Light BG 04282023
No ratings yet
AWS Architecture Icons Deck For Light BG 04282023
154 pages
400 101 PDF
No ratings yet
400 101 PDF
986 pages
Final
No ratings yet
Final
25 pages
Static Routing Configuration For CCNA Students by Eng. Abeer Hosni
No ratings yet
Static Routing Configuration For CCNA Students by Eng. Abeer Hosni
12 pages
Untitled
No ratings yet
Untitled
3 pages
1.1 GCP_vpc_and_subnets.pdf
No ratings yet
1.1 GCP_vpc_and_subnets.pdf
18 pages
12.9.2 Lab - Configure IPv6 Addresses On Network Devices - ILM
No ratings yet
12.9.2 Lab - Configure IPv6 Addresses On Network Devices - ILM
14 pages
MSTP & VSTP
No ratings yet
MSTP & VSTP
25 pages
Troubleshooting TCPIP
No ratings yet
Troubleshooting TCPIP
32 pages
Squid With Transparent Proxy
No ratings yet
Squid With Transparent Proxy
5 pages
A10 Sce70164 en
No ratings yet
A10 Sce70164 en
2 pages
Multicast Impelementations Case Study PDF
No ratings yet
Multicast Impelementations Case Study PDF
5 pages
Unit-1.5 Case Study - Google Cloud Platform
No ratings yet
Unit-1.5 Case Study - Google Cloud Platform
17 pages
Service - 2021 05 16
No ratings yet
Service - 2021 05 16
76 pages
Vmware: Exam 2V0-31.21
No ratings yet
Vmware: Exam 2V0-31.21
44 pages
Unicast Routing in Ipv6: Babu Ram Dawadi
No ratings yet
Unicast Routing in Ipv6: Babu Ram Dawadi
56 pages
Comandos P T
No ratings yet
Comandos P T
3 pages
8 Steps To A DDoS Mitigation Plan - GD 1
No ratings yet
8 Steps To A DDoS Mitigation Plan - GD 1
2 pages
2HFY17 - APJ EG PowerUP - Level 1 Agenda
No ratings yet
2HFY17 - APJ EG PowerUP - Level 1 Agenda
19 pages
Cloud Foundations
No ratings yet
Cloud Foundations
17 pages