
Module 8: VPN and IPsec Concepts
Instructor Materials
Enterprise Networking, Security, and Automation v7.0 (ENSA)

Module Objectives
Module Title: VPN and IPsec Concepts

Module Objective: Explain how VPNs and IPsec are used to secure site-to-site and remote access connectivity.

Topic Title / Topic Objective:
• VPN Technology - Describe the benefits of VPN technology.
• Types of VPNs - Describe different types of VPNs.
• IPsec - Explain how the IPsec framework is used to secure network traffic.


© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
8.1 VPN Technology

VPN Technology
Virtual Private Networks
• Virtual private networks (VPNs) are used to create end-to-end private network connections.
• A VPN is virtual in that it carries information within a private network, but that information is actually transported over a public network.
• A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network.

VPN Technology
VPN Benefits
• Modern VPNs support encryption features, such as Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL) VPNs, to secure network traffic between sites.
• Major benefits of VPNs are shown in the table:

Benefit / Description:
• Cost Savings - Organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
• Security - Encryption and authentication protocols protect data from unauthorized access.
• Scalability - VPNs allow organizations to use the internet, making it easy to add new users without adding significant infrastructure.
• Compatibility - VPNs can be implemented across a wide variety of WAN link options, including broadband technologies. Remote workers can use these high-speed connections to gain secure access to corporate networks.

VPN Technology
Site-to-Site and Remote Access VPNs
A site-to-site VPN is terminated on VPN gateways. VPN traffic is only encrypted
between the gateways. Internal hosts have no knowledge that a VPN is being used.

VPN Technology
Site-to-Site and Remote Access VPNs (Cont.)
A remote-access VPN is dynamically created to establish a secure connection between a
client and a VPN terminating device.

VPN Technology
Enterprise and Service Provider VPNs
VPNs can be managed and deployed as:
• Enterprise VPNs - common solution for securing enterprise traffic across the internet. Site-to-site and remote access VPNs are created and managed by the enterprise using IPsec and SSL VPNs.
• Service Provider VPNs - created and managed by the provider network. The provider uses Multiprotocol Label Switching (MPLS) at Layer 2 or Layer 3 to create secure channels between an enterprise’s sites, effectively segregating the traffic from other customer traffic.

8.2 Types of VPNs

Types of VPNs
Remote-Access VPNs
• Remote-access VPNs let remote and mobile users securely connect to the enterprise.
• Remote-access VPNs are typically enabled dynamically by the user when required and can be created using either IPsec or SSL.
• Clientless VPN connection - The connection is secured using a web browser SSL connection.
• Client-based VPN connection - VPN client software such as Cisco AnyConnect Secure Mobility Client must be installed on the remote user’s end device.

Types of VPNs
SSL VPNs
SSL uses the public key infrastructure and digital certificates to authenticate peers. The type of VPN method implemented is based on the access requirements of the users and the organization’s IT processes. The table compares IPsec and SSL remote access deployments.

Feature: Applications supported
  IPsec: Extensive – all IP-based applications
  SSL: Limited – only web-based applications and file sharing
Feature: Authentication strength
  IPsec: Strong – two-way authentication with shared keys or digital certificates
  SSL: Moderate – one-way or two-way authentication
Feature: Encryption strength
  IPsec: Strong – key lengths 56 – 256 bits
  SSL: Moderate to strong – key lengths 40 – 256 bits
Feature: Connection complexity
  IPsec: Medium – requires a VPN client installed on a host
  SSL: Low – requires a web browser on a host
Feature: Connection option
  IPsec: Limited – only specific devices with specific configurations can connect
  SSL: Extensive – any device with a web browser can connect

Types of VPNs
Site-to-Site IPsec VPNs
• Site-to-site VPNs connect networks across an untrusted network such as the internet.
• End hosts send and receive normal unencrypted TCP/IP traffic through a VPN gateway.
• The VPN gateway encapsulates and encrypts outbound traffic from a site and sends the traffic through the VPN tunnel to the VPN gateway at the target site. The receiving VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.

Types of VPNs
GRE over IPsec
• Generic Routing Encapsulation (GRE) is a non-secure site-to-site VPN tunneling protocol.
• A GRE tunnel can encapsulate various network layer protocols as well as multicast and broadcast traffic.
• GRE does not support encryption by default; therefore, it does not provide a secure VPN tunnel.
• A GRE packet can be encapsulated into an IPsec packet to forward it securely to the destination VPN gateway.
• Standard IPsec VPNs (non-GRE) can only create secure tunnels for unicast traffic.
• Encapsulating GRE into IPsec allows multicast routing protocol updates to be secured through a VPN.

Types of VPNs
GRE over IPsec (Cont.)
The terms used to describe the encapsulation of a GRE over IPsec tunnel are passenger protocol, carrier protocol, and transport protocol.
• Passenger protocol – This is the original packet that is to be encapsulated by GRE. It could be an IPv4 or IPv6 packet, a routing update, and more.
• Carrier protocol – GRE is the carrier protocol that encapsulates the original passenger packet.
• Transport protocol – This is the protocol that will actually be used to forward the packet. This could be IPv4 or IPv6.

Types of VPNs
GRE over IPsec (Cont.)
For example, Branch and HQ need to exchange OSPF routing information over an
IPsec VPN. GRE over IPsec is used to support the routing protocol traffic over the
IPsec VPN. Specifically, the OSPF packets (i.e., passenger protocol) would be
encapsulated by GRE (i.e., carrier protocol) and subsequently encapsulated in an
IPsec VPN tunnel.

Types of VPNs
Dynamic Multipoint VPNs
Site-to-site IPsec VPNs and GRE over IPsec are not sufficient when the enterprise adds many more sites. Dynamic Multipoint VPN (DMVPN) is a Cisco software solution for building multiple VPNs in an easy, dynamic, and scalable manner.
• DMVPN simplifies the VPN tunnel configuration and provides a flexible option to connect a central site with branch sites.
• It uses a hub-and-spoke configuration to establish a full mesh topology.
• Spoke sites establish secure VPN tunnels with the hub site.
• Each site is configured using Multipoint Generic Routing Encapsulation (mGRE). The mGRE tunnel interface allows a single GRE interface to dynamically support multiple IPsec tunnels.
• Spoke sites can also obtain information about each other and, alternatively, build direct tunnels between themselves (spoke-to-spoke tunnels).

Types of VPNs
IPsec Virtual Tunnel Interface
IPsec Virtual Tunnel Interface (VTI) simplifies the configuration process required to support multiple sites and remote access.
• IPsec VTI configurations are applied to a virtual interface instead of statically mapping the IPsec sessions to a physical interface.
• IPsec VTI is capable of sending and receiving both IP unicast and multicast encrypted traffic. Therefore, routing protocols are automatically supported without having to configure GRE tunnels.
• IPsec VTI can be configured between sites or in a hub-and-spoke topology.

Types of VPNs
Service Provider MPLS VPNs
Today, service providers use MPLS in their core network. Traffic is forwarded through the MPLS backbone using labels. Traffic is secure because service provider customers cannot see each other’s traffic.
• MPLS can provide clients with managed VPN solutions; therefore, securing traffic between client sites is the responsibility of the service provider.
• There are two types of MPLS VPN solutions supported by service providers:
  • Layer 3 MPLS VPN - The service provider participates in customer routing by establishing a peering between the customer’s routers and the provider’s routers.
  • Layer 2 MPLS VPN - The service provider is not involved in the customer routing. Instead, the provider deploys a Virtual Private LAN Service (VPLS) to emulate an Ethernet multiaccess LAN segment over the MPLS network. No routing is involved. The customer’s routers effectively belong to the same multiaccess network.

8.3 IPsec

IPsec
Video – IPsec Concepts
This video will cover the following:
• The purpose of IPsec
• IPsec protocols (AH, ESP, SA, IKE)

IPsec
IPsec Technologies
IPsec is an IETF standard that defines how a VPN can be secured across IP networks. IPsec protects and authenticates IP packets between source and destination and provides these essential security functions:
• Confidentiality - Uses encryption algorithms to prevent cybercriminals from reading the packet contents.
• Integrity - Uses hashing algorithms to ensure that packets have not been altered between source and destination.
• Origin authentication - Uses the Internet Key Exchange (IKE) protocol to authenticate source and destination.
• Diffie-Hellman – Used to secure key exchange.

IPsec
IPsec Technologies (Cont.)
• IPsec is not bound to any specific rules for secure communications.
• IPsec can easily integrate new security technologies without updating existing IPsec standards.
• The open slots in the IPsec framework shown in the figure can be filled with any of the choices that are available for that IPsec function to create a unique security association (SA).

IPsec
IPsec Protocol Encapsulation
Choosing the IPsec protocol encapsulation is the first building block of the framework.
• IPsec encapsulates packets using Authentication Header (AH) or Encapsulation Security Protocol (ESP).
• The choice of AH or ESP establishes which other building blocks are available.
• AH is appropriate only when confidentiality is not required or permitted.
• ESP provides both confidentiality and authentication.

IPsec
Confidentiality
The degree of confidentiality depends on the encryption algorithm and the length of the key used in the encryption algorithm.

The number of possible keys an attacker would have to try is a function of the key length: the shorter the key, the easier it is to break.

IPsec
Confidentiality (Cont.)
The encryption algorithms highlighted in the figure are all symmetric key cryptosystems:
• DES uses a 56-bit key.
• 3DES uses three independent 56-bit encryption keys per 64-bit block.
• AES offers three different key lengths: 128 bits, 192 bits, and 256 bits.
• SEAL is a stream cipher, which means it encrypts data continuously rather than encrypting blocks of data. SEAL uses a 160-bit key.

IPsec
Integrity
• Data integrity means that the data has not changed in transit.
• A method of proving data integrity is required.
• The Hashed Message Authentication Code (HMAC) is a data integrity algorithm that guarantees the integrity of the message using a hash value.
• Message-Digest 5 (MD5) uses a 128-bit shared-secret key.
• The Secure Hash Algorithm (SHA) uses a 160-bit secret key.

IPsec
Authentication
There are two IPsec peer authentication methods:
1. Pre-shared key (PSK) - A PSK value is entered into each peer manually.
• Easy to configure manually
• Does not scale well
• Must be configured on every peer
2. Rivest, Shamir, and Adleman (RSA) - RSA authentication uses digital certificates to authenticate the peers.
• Each peer must authenticate its opposite peer before the tunnel is considered secure.

IPsec
Secure Key Exchange with Diffie-Hellman
DH allows two peers to establish a shared secret key over an insecure channel.

Variations of the DH key exchange are specified as DH groups:
• DH groups 1, 2, and 5 should no longer be used.
• DH groups 14, 15, and 16 use larger key sizes of 2048 bits, 3072 bits, and 4096 bits, respectively.
• DH groups 19, 20, 21, and 24, with respective key sizes of 256 bits, 384 bits, 521 bits, and 2048 bits, support Elliptic Curve Cryptography (ECC), which reduces the time needed to generate keys.
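As an added illustration, not part of the Cisco module, the following Python block performs the exchange the slide describes: each peer keeps a private exponent, transmits only its public value, and both arrive at the same shared secret without it ever crossing the channel. The safe-prime group is generated here at toy size (64 bits by default) so the block runs offline in well under a second; the IKE DH groups named above use fixed moduli of the sizes listed (2048 to 4096 bits for groups 14 to 16), and the sample configuration later in this deck negotiates group 2, one of the groups this slide says should no longer be used. The seed, key size and the generator choice g = 4 are assumptions of this example.

```python
"""Diffie-Hellman over a safe-prime group, at toy size (added example)."""
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test after trial division by the first few primes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits, rng):
    """Return p = 2q + 1 with p and q both prime and p exactly `bits` bits long.
    Toy-size parameters: real DH groups 14-16 use fixed 2048-4096-bit moduli."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1


def is_safe_prime(p):
    rng = random.Random(0)
    return is_probable_prime(p, rng) and is_probable_prime((p - 1) // 2, rng)


def dh_exchange(bits=64, seed=2024):
    """Run one DH exchange; return what crossed the wire and what did not."""
    rng = random.Random(seed)        # seeded only so the demo is reproducible
    p = generate_safe_prime(bits, rng)
    q = (p - 1) // 2
    g = 4                            # 2^2 is a quadratic residue, so g generates the order-q subgroup
    a = rng.randrange(2, q - 1)      # initiator's private exponent: never transmitted
    b = rng.randrange(2, q - 1)      # responder's private exponent: never transmitted
    A = pow(g, a, p)                 # public values: all an eavesdropper on the channel sees
    B = pow(g, b, p)
    return {
        "public": {"p": p, "g": g, "A": A, "B": B},
        "k_initiator": pow(B, a, p),  # (g^b)^a mod p
        "k_responder": pow(A, b, p),  # (g^a)^b mod p
    }


if __name__ == "__main__":
    result = dh_exchange()
    print("on the wire:", result["public"])
    print("same secret on both ends:", result["k_initiator"] == result["k_responder"])
```

Working in the prime-order subgroup (g = 4 rather than g = 2) is the same precaution the standard MODP groups take: a peer cannot be confined to a small subgroup, so the shared secret has the full key space the slide's key sizes imply.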
IPsec
Video – IPsec Transport and Tunnel Mode
This video explains how an IPv4 packet is processed with ESP in transport mode and in tunnel mode.

8.4 Module Practice and Quiz

Module Practice and Quiz
What did I learn in this module?
• A VPN is private in that the traffic is encrypted to keep the data confidential while it is
transported across the public network.
• Benefits of VPNs are cost savings, security, scalability, and compatibility.
• Remote-access VPNs let remote and mobile users securely connect to the enterprise by
creating an encrypted tunnel. Remote access VPNs can be created using either IPsec or
SSL.
• Site-to-site VPNs are used to connect networks across an untrusted network such as the
internet.
• In a site-to-site VPN, end hosts send and receive normal unencrypted TCP/IP traffic through
a VPN terminating device. The VPN terminating device is typically called a VPN gateway.
• GRE is a non-secure site-to-site VPN tunneling protocol.
• DMVPN is a Cisco software solution for easily building multiple, dynamic, scalable VPNs.
• Like DMVPNs, IPsec VTI simplifies the configuration process required to support multiple
sites and remote access.

Module Practice and Quiz
What did I learn in this module? (Cont.)
• IPsec protects and authenticates IP packets between source and destination.
• IPsec can protect traffic from Layer 4 through Layer 7.
• Using the IPsec framework, IPsec provides confidentiality, integrity, origin authentication, and
Diffie-Hellman.
• IPsec encapsulates packets using AH or ESP.
• The degree of confidentiality depends on the encryption algorithm and the length of the key
used in the encryption algorithm.
• DH provides a way for two peers to establish a shared secret key that only they know, even
though they are communicating over an insecure channel.

IPsec Technologies
• IPsec VPNs provide two significant benefits:
  • Encryption
  • Encapsulation
• IPsec encryption provides three major services:
  • Confidentiality
  • Integrity
  • Authentication

IPsec Encapsulation
• IPsec is capable of tunneling packets using an additional encapsulation.

Tunnel-mode ESP packet layout (from the figure):
New IP Header | ESP Header | Original IP Header | TCP | Data | ESP Trailer | ESP Authentication
Encrypted: Original IP Header through ESP Trailer
Authenticated: ESP Header through ESP Trailer

IPsec Encapsulation Example
[Topology diagram: host 192.168.1.10 on the Branch LAN 192.168.1.0/24 (Branch Fa0/0 .1, S0/0/1 209.165.200.242 on 209.165.200.240/29) - ISP (.241 and .225) - HQ (S0/0/1 209.165.200.226 on 209.165.200.224/29, Fa0/0 10.10.10.1) with host 10.10.10.10 on the HQ LAN 10.10.10.0/24; the IPsec VPN runs between the two S0/0/1 interfaces.]

Original packet sent by the host (and delivered unchanged at HQ):
Original IP Header (Source IP: 192.168.1.10, Destination: 10.10.10.10) | TCP | Data

Encapsulated packet between the VPN gateways:
New IP Header (Source: 209.165.200.242, Destination: 209.165.200.226) | ESP Header | Original IP Header (Source IP: 192.168.1.10, Destination: 10.10.10.10) | TCP | Data | ESP Trailer | ESP Authentication

• The example displays how a packet is encapsulated.

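To make the layout concrete, here is an added Python example (not Cisco's material) that builds and unwraps a tunnel-mode ESP packet for the 192.168.1.10 to 10.10.10.10 flow between the two VPN gateways shown, with an HMAC-SHA1-96 integrity check value as selected by esp-sha-hmac later in the deck. It also demonstrates the point of the Integrity slide: a single flipped bit in the protected payload is rejected before anything is decrypted, while a rewritten outer header, which the ICV does not cover, still verifies. Assumptions: the keys, the TCP segment and the fixed IV are constructed values, and the cipher is a stand-in keystream built from HMAC-SHA256 because the Python standard library has no 3DES or AES.

```python
"""ESP tunnel-mode framing with an HMAC-SHA1-96 ICV (added example)."""
import hashlib
import hmac
import ipaddress
import os
import struct

ESP_PROTOCOL = 50      # IP protocol number carried in the new (outer) IP header
ICV_LEN = 12           # esp-sha-hmac: HMAC-SHA1 output truncated to 96 bits
IV_LEN = 8             # 64-bit IV, the size esp-3des uses
NEXT_HEADER_IPV4 = 4   # tunnel mode: the encrypted payload is a whole IPv4 packet


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]


def keystream(key, iv, length):
    """Constructed stand-in for 3DES/AES: HMAC-SHA256(key, iv || counter) in counter mode.
    It exists only so the framing below can be exercised without a cipher library."""
    blocks = [hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def xor_bytes(data, mask):
    return bytes(a ^ b for a, b in zip(data, mask))


def esp_encapsulate(inner_packet, spi, seq, enc_key, auth_key, outer_src, outer_dst, iv=None):
    """Wrap inner_packet in ESP (tunnel mode) behind a new outer IPv4 header."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    # ESP trailer: pad to a 4-byte boundary, then Pad Length and Next Header.
    pad_len = (-(len(inner_packet) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPV4])
    plaintext = inner_packet + trailer                 # the "Encrypted" span in the figure
    ciphertext = xor_bytes(plaintext, keystream(enc_key, iv, len(plaintext)))
    esp_header = struct.pack("!II", spi, seq)          # SPI + sequence number (anti-replay)
    authenticated = esp_header + iv + ciphertext       # the "Authenticated" span in the figure
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    esp = authenticated + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTOCOL, len(esp)) + esp


def esp_decapsulate(packet, enc_key, auth_key):
    """Verify the ICV, then decrypt. Returns the inner packet, or None when it must be dropped."""
    if packet[9] != ESP_PROTOCOL:
        return None
    esp = packet[20:]                                  # the outer header is NOT covered by the ICV
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):         # integrity first; never decrypt a bad packet
        return None
    iv, ciphertext = authenticated[8:8 + IV_LEN], authenticated[8 + IV_LEN:]
    plaintext = xor_bytes(ciphertext, keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != NEXT_HEADER_IPV4:
        return None
    return plaintext[:len(plaintext) - 2 - pad_len]


def demo():
    """Encapsulate the slide's 192.168.1.10 -> 10.10.10.10 packet between the two gateways."""
    enc_key, auth_key = b"\x11" * 24, b"\x22" * 20     # constructed keys (3DES and SHA-1 sizes)
    tcp_syn = struct.pack("!HHIIBBHHH", 51000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # constructed
    inner = ipv4_header("192.168.1.10", "10.10.10.10", 6, len(tcp_syn)) + tcp_syn
    outer = esp_encapsulate(inner, spi=0x1C838B72, seq=1, enc_key=enc_key, auth_key=auth_key,
                            outer_src="209.165.200.242", outer_dst="209.165.200.226",
                            iv=b"\x00" * IV_LEN)       # fixed IV only so the output is reproducible
    # A router on the path rewriting the outer header (TTL 64 -> 63) leaves the ICV intact.
    rerouted = ipv4_header("209.165.200.242", "209.165.200.226", ESP_PROTOCOL,
                           len(outer) - 20, ttl=63) + outer[20:]
    # One flipped bit inside the encrypted payload is caught by the ICV before decryption.
    tampered = bytearray(outer)
    tampered[20 + 8 + IV_LEN] ^= 0x01
    return {
        "outer_len": len(outer),
        "outer_proto": outer[9],
        "inner_hidden": inner not in outer,
        "roundtrip_ok": esp_decapsulate(outer, enc_key, auth_key) == inner,
        "rerouted_ok": esp_decapsulate(rerouted, enc_key, auth_key) == inner,
        "tampered_rejected": esp_decapsulate(bytes(tampered), enc_key, auth_key) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order inside esp_decapsulate is the one that matters operationally: the ICV is checked over the ESP header, IV and ciphertext before any decryption, and a failure is a silent drop rather than an error message to the sender.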
IPsec Site-to-Site VPN Example
[Topology diagram: Branch router (Fa0/0 192.168.1.1 on 192.168.1.0/24, S0/0/1 209.165.200.242 on 209.165.200.240/29) - ISP (209.165.200.241 and 209.165.200.225) - HQ router (S0/0/1 209.165.200.226 on 209.165.200.224/29, Fa0/0 10.10.10.1 on 10.10.10.0/24), with the IPsec VPN between the two S0/0/1 interfaces. Branch Server 192.168.1.254 (209.165.200.254); Branch NAT pool 209.165.200.249 – 209.165.200.253/29. Email Server 10.10.10.238 (209.165.200.238); HQ NAT pool 209.165.200.233 – 209.165.200.237/29.]

• The Branch router has been configured to support an IPsec VPN when connecting to the HQ site.
• The purpose of the IPsec VPN link is to serve as a backup link in case the private WAN link fails.
• The long-term goal is to decommission the WAN link completely and use only the VPN connection to communicate between the branch office and the headquarters.

Steps to Configuring an IPsec VPN
[Topology diagram: Branch router (Fa0/0 192.168.1.1, S0/0/1 209.165.200.242) - ISP - HQ router (S0/0/1 209.165.200.226, Fa0/0 10.10.10.1), IPsec VPN between the S0/0/1 interfaces; Branch Server 192.168.1.254 (209.165.200.254), Email Server 10.10.10.238 (209.165.200.238).]

1. Configure the initial key (ISAKMP policy) details.
2. Configure the IPsec details.
3. Configure the crypto ACL.
4. Configure the VPN tunnel information.
5. Apply the crypto map.

IPsec VPN Components
• ISAKMP Policy
  • Contains the authentication, encryption, and hashing method commands that are first used to negotiate and exchange credentials with a VPN peer.
• IPsec Details
  • Identifies an acceptable combination of security protocols, algorithms, and other settings.
• Crypto ACL
  • Is an extended IP ACL that identifies the traffic to be protected.
  • A permit statement results in the traffic being encrypted, while a deny statement sends traffic out in clear text.
  • Both VPN peers must have reciprocating ACLs.

IPsec VPN Components
• VPN Tunnel Information
  • Binds all tunnel information together.
  • Identifies the IPsec transform set to use, the peer router, the ACL, and other tunnel information.
• Apply the Crypto Map
  • The named crypto map must be applied to the Internet-facing interface to which the peering router will connect.

Branch Router IPsec VPN Configuration

ISAKMP Policy - specifies the initial VPN security details:
Branch# conf t
Branch(config)# crypto isakmp policy 1
Branch(config-isakmp)# encryption aes
Branch(config-isakmp)# authentication pre-share
Branch(config-isakmp)# group 2
Branch(config-isakmp)# exit
Branch(config)# crypto isakmp key cisco123 address 209.165.200.226
Branch(config)#

IPsec Details - specifies how the IPsec packet will be encapsulated:
Branch(config)# crypto ipsec transform-set HQ-VPN esp-sha-hmac esp-3des
Branch(cfg-crypto-trans)# exit
Branch(config)#

Crypto ACL - specifies the traffic that will trigger the VPN to activate:
Branch(config)# access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
Branch(config)#

VPN Tunnel Information - creates the crypto map that combines the ISAKMP policy, IPsec transform set, VPN peer address, and crypto ACL:
Branch(config)# crypto map HQ-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
Branch(config-crypto-map)# set transform-set HQ-VPN
Branch(config-crypto-map)# set peer 209.165.200.226
Branch(config-crypto-map)# match address 110
Branch(config-crypto-map)# exit

Apply the Crypto Map - identifies which interface is actively looking to create a VPN:
Branch(config)# int s0/0/1
Branch(config-if)# crypto map HQ-MAP
Branch(config-if)# ^Z
Branch#

Verifying and Troubleshooting IPsec

Command / Description:
• show crypto map - Displays the specifics contained in a crypto map configuration.
• show crypto session - Displays the status information of the active crypto sessions.
• show crypto ipsec sa - Displays the settings used by current SAs.
• debug crypto ipsec - Displays real-time IPsec events.

IPsec VPN Verification Example
[Topology diagram repeated from the IPsec Site-to-Site VPN Example: Branch 192.168.1.0/24 (S0/0/1 209.165.200.242) - ISP - HQ 10.10.10.0/24 (S0/0/1 209.165.200.226), with the NAT pools and servers as before.]

Branch# debug crypto ipsec
Crypto IPSEC debugging is on
Branch# ping 10.10.10.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
Branch#

• Enable IPsec debugging and generate interesting VPN traffic.
• Notice that the ping traffic matches crypto ACL 110; however, no debug output is generated.
• access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255

IPsec VPN Verification Example
[Topology diagram repeated from the IPsec Site-to-Site VPN Example: Branch 192.168.1.0/24 (S0/0/1 209.165.200.242) - ISP - HQ 10.10.10.0/24 (S0/0/1 209.165.200.226), with the NAT pools and servers as before.]

Branch# show crypto session
Crypto session current status
Interface: Serial0/0/1
Session status: DOWN
Peer: 209.165.200.226 port 500
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.10.10.0/255.255.255.0
Active SAs: 0, origin: crypto map

<output omitted>

• Although the ping was successful, it appears that the tunnel is down.
• Recall that in the last implementation step, we implemented NAT.
• Perhaps this is causing some problems with the IPsec tunnel being created.

IPsec VPN Verification Example
[Topology diagram repeated from the IPsec Site-to-Site VPN Example: Branch 192.168.1.0/24 (S0/0/1 209.165.200.242) - ISP - HQ 10.10.10.0/24 (S0/0/1 209.165.200.226), with the NAT pools and servers as before.]

Branch# debug ip nat
IP NAT debugging is on
Branch# ping 10.10.10.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms
Branch#

• Enable NAT debugging and ping again.
• The pings are again successful.

IPsec VPN Verification Example
[Topology diagram repeated from the IPsec Site-to-Site VPN Example: Branch 192.168.1.0/24 (S0/0/1 209.165.200.242) - ISP - HQ 10.10.10.0/24 (S0/0/1 209.165.200.226), with the NAT pools and servers as before.]

Branch#
*Mar 26 16:35:21.251: NAT: s=192.168.1.1->209.165.200.249, d=10.10.10.1 [35]
*Mar 26 16:35:21.307: NAT*: s=209.165.200.238, d=209.165.200.249->192.168.1.1 [35]
*Mar 26 16:35:21.307: NAT: s=192.168.1.1->209.165.200.249, d=10.10.10.1 [36]
*Mar 26 16:35:21.367: NAT*: s=209.165.200.238, d=209.165.200.249->192.168.1.1 [36]
*Mar 26 16:35:21.367: NAT: s=192.168.1.1->209.165.200.249, d=10.10.10.1 [37]
*Mar 26 16:35:21.423: NAT*: s=209.165.200.238, d=209.165.200.249->192.168.1.1 [37]
*Mar 26 16:35:21.423: NAT: s=192.168.1.1->209.165.200.249, d=10.10.10.1 [38]
*Mar 26 16:35:21.479: NAT*: s=209.165.200.238, d=209.165.200.249->192.168.1.1 [38]
*Mar 26 16:35:21.483: NAT: s=192.168.1.1->209.165.200.249, d=10.10.10.1 [39]
*Mar 26 16:35:21.539: NAT*: s=209.165.200.238, d=209.165.200.249->192.168.1.1 [39]
Branch#

• The NAT debug output indicates that the internal IP address 192.168.1.1 is being translated to 209.165.200.249.

IPsec VPN Verification Example
[Topology diagram repeated from the IPsec Site-to-Site VPN Example: Branch 192.168.1.0/24 (S0/0/1 209.165.200.242) - ISP - HQ 10.10.10.0/24 (S0/0/1 209.165.200.226), with the NAT pools and servers as before.]

Branch# show access-lists
Extended IP access list 110
10 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
Extended IP access list BRANCH-NAT-ACL
10 permit ip 192.168.1.0 0.0.0.255 any (1 match)
Branch#

• BRANCH-NAT-ACL identifies traffic to translate and has one match.
• ACL 110 is for the IPsec VPN.
• What is the solution to this problem?

IPsec VPN Verification Example
[Topology diagram repeated from the IPsec Site-to-Site VPN Example: Branch 192.168.1.0/24 (S0/0/1 209.165.200.242) - ISP - HQ 10.10.10.0/24 (S0/0/1 209.165.200.226), with the NAT pools and servers as before.]

Branch(config)# no ip access-list extended BRANCH-NAT-ACL
Branch(config)# ip access-list extended BRANCH-NAT-ACL
Branch(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
Branch(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
Branch(config-ext-nacl)# ^Z
Branch

• Alter the NAT ACL to exempt VPN traffic.
• The ACL should ignore the Branch LAN traffic going to the HQ LAN!
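The following Python model is an added example, not Cisco's code, that reproduces the reasoning behind this fix. It implements Cisco wildcard-mask matching and first-match ACL evaluation with the implicit deny, then applies the two steps of the IOS outbound order of operations that matter here: inside-to-outside NAT runs before the crypto map is consulted, so a translated packet is compared against crypto ACL 110 with its new source address and leaves in clear text. It also checks the "reciprocating ACLs" requirement from the IPsec VPN Components slide by deriving the mirror-image entry the HQ peer needs. The ACL entries, pool address and LAN addresses are from the slides; the Internet destination 198.51.100.7 is a constructed value, and the two-step model is a simplification written for this example.

```python
"""NAT runs before the crypto map: why the Branch NAT ACL must exempt VPN traffic (added example)."""
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_ace(line):
    """Parse an extended ACE as written on the slides:
    'permit|deny ip <src> <wildcard> <dst> <wildcard>', either endpoint may be 'any'.
    Returns (action, (src_addr, src_wildcard), (dst_addr, dst_wildcard)) as integers."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")

    def take_endpoint():
        if rest[0] == "any":
            del rest[0]
            return (0, 0xFFFFFFFF)       # all-ones wildcard: every bit is "don't care"
        addr, wildcard = rest[0], rest[1]
        del rest[:2]
        return (_to_int(addr), _to_int(wildcard))

    src = take_endpoint()
    dst = take_endpoint()
    return (action, src, dst)


def _wildcard_match(addr, ace_addr, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (ace_addr & care)


def acl_action(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = _to_int(src), _to_int(dst)
    for action, (sa, sw), (da, dw) in acl:
        if _wildcard_match(s, sa, sw) and _wildcard_match(d, da, dw):
            return action
    return "deny"


def forward_outbound(src, dst, nat_acl, crypto_acl, pool_addr):
    """Model the two outbound steps that matter here, in their real IOS order:
    inside-to-outside NAT first, then the crypto map's ACL is checked against the
    (possibly translated) packet. Returns what leaves S0/0/1 and whether ESP protects it."""
    translated = acl_action(nat_acl, src, dst) == "permit"
    wire_src = pool_addr if translated else src
    encrypted = acl_action(crypto_acl, wire_src, dst) == "permit"
    return {"wire_src": wire_src, "translated": translated, "encrypted": encrypted}


def mirror(ace):
    """The reciprocal ACE the HQ peer must carry so the two crypto ACLs match."""
    action, src, dst = ace
    return (action, dst, src)


# Entries taken from the slides.
CRYPTO_ACL_110 = [parse_ace("permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255")]
NAT_ACL_ORIGINAL = [parse_ace("permit ip 192.168.1.0 0.0.0.255 any")]
NAT_ACL_FIXED = [parse_ace("deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255"),
                 parse_ace("permit ip 192.168.1.0 0.0.0.255 any")]
NAT_POOL_ADDR = "209.165.200.249"            # address the NAT debug showed 192.168.1.1 mapped to
PING = ("192.168.1.1", "10.10.10.1")
INTERNET = ("192.168.1.1", "198.51.100.7")   # constructed non-VPN destination (TEST-NET-2)


def ping_with_original_nat():
    return forward_outbound(*PING, NAT_ACL_ORIGINAL, CRYPTO_ACL_110, NAT_POOL_ADDR)


def ping_with_fixed_nat():
    return forward_outbound(*PING, NAT_ACL_FIXED, CRYPTO_ACL_110, NAT_POOL_ADDR)


def internet_with_fixed_nat():
    return forward_outbound(*INTERNET, NAT_ACL_FIXED, CRYPTO_ACL_110, NAT_POOL_ADDR)


def hq_crypto_acl():
    return [mirror(ace) for ace in CRYPTO_ACL_110]


if __name__ == "__main__":
    print("original NAT ACL:", ping_with_original_nat())
    print("fixed NAT ACL:   ", ping_with_fixed_nat())
    print("Internet-bound:  ", internet_with_fixed_nat())
```

With the original NAT ACL the ping leaves as 209.165.200.249, which no longer matches the 192.168.1.0/24 source in ACL 110, so the crypto map is never triggered: exactly the "tunnel DOWN but ping succeeds" symptom the previous slides showed. The deny entry in the fixed ACL is what the IOS NAT code treats as "do not translate", so the packet keeps its LAN source and is encrypted; Internet-bound traffic still falls through to the permit and is translated.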

IPsec VPN Verification Example
[Topology diagram repeated from the IPsec Site-to-Site VPN Example: Branch 192.168.1.0/24 (S0/0/1 209.165.200.242) - ISP - HQ 10.10.10.0/24 (S0/0/1 209.165.200.226), with the NAT pools and servers as before.]

Branch# clear ip nat translation *
Branch# clear crypto isakmp
Branch# clear crypto sa
Branch# ping 10.10.10.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms
Branch#

• Clear the NAT translations and IPsec SAs and generate interesting VPN traffic.

IPsec VPN Verification Example
[Topology diagram repeated from the IPsec Site-to-Site VPN Example: Branch 192.168.1.0/24 (S0/0/1 209.165.200.242) - ISP - HQ 10.10.10.0/24 (S0/0/1 209.165.200.226), with the NAT pools and servers as before.]

*Mar 26 18:28:45.166: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 209.165.200.242, remote= 209.165.200.226,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar 26 18:28:45.730: IPSEC(validate_proposal_request): proposal part #1

<output omitted>

*Mar 26 18:28:45.738: IPSEC(update_current_outbound_sa): updated peer 209.165.200.226
current outbound sa to SPI 1C838B72!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 88/89/92 ms
Branch#

IPsec VPN Verification Example
[Topology diagram repeated from the IPsec Site-to-Site VPN Example: Branch 192.168.1.0/24 (S0/0/1 209.165.200.242) - ISP - HQ 10.10.10.0/24 (S0/0/1 209.165.200.226), with the NAT pools and servers as before.]

Branch# show crypto session
Crypto session current status

Interface: Serial0/0/1
Session status: UP-ACTIVE
Peer: 209.165.200.226 port 500
IKE SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.10.10.0/255.255.255.0
Active SAs: 2, origin: crypto map

Branch#

IPsec VPN Verification Example
192.168.1.0 /24 10.10.10.0 /24

.1 .1
Fa0/0
IPsec VPN
Branch HQ Fa0/0
S0/0/1 S0/0/1
.242 .226

209.165.200.240 /29 Internet 209.165.200.224 /29

.241 .225
Branch Server NAT Pool NAT Pool Email Server
192.168.1.254 209.165.200.249 – ISP 209.165.200.233 – 10.10.10.238
(209.165.200.254) 209.165.200.253/29 209.165.200.237 (209.165.200.238)
/29

Branch# show crypto ipsec sa

interface: Serial0/0/1
Crypto map tag: HQ-MAP, local addr 209.165.200.242

protected vrf: (none)


local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer 209.165.200.226 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0

<output omitted>
IPsec VPN Verification Example

• The example confirmed that the Branch router and HQ router have an established VPN.
• Notice how a service such as NAT could impact the creation of the VPN tunnel.

IPsec VPN Verification Example

• Currently the VPN link works only because static routing is in place.
• What would happen if EIGRP was configured to operate over the link?
• Would it work?

IPsec VPN Verification Example

• A significant drawback of an IPsec VPN is that it cannot route multicast and broadcast packets and therefore cannot support IGPs.
• However, IPsec can be combined with generic routing encapsulation (GRE) to create a tunnel to circumvent the issue.

Implementation Plan
1. Deploy broadband connectivity
2. Configure static routing
3. Document and verify other services
4. Implement and tune the IPsec VPN
5. Configure GRE tunnels

Routing IGPs Using IPsec
 Point-to-point generic routing encapsulation (P2P GRE)
• IGPs are associated with tunnel interfaces which use the physical interface of the router to send GRE traffic.
• GRE traffic will have to be added to the crypto ACL.
 Virtual tunnel interface (VTI)
• IPsec endpoints are associated with routable virtual interfaces at the tunnel endpoints.
• VTI is a good alternative to IPsec over GRE tunnels.
 Dynamic multipoint VPN (DMVPN) or Group encrypted transport VPN (GET VPN)
• Both designed for large scale full mesh IPsec VPN implementations.

GRE Overview
 Tunneling protocol developed by Cisco.
 Can encapsulate a wide variety of network layer protocol packets inside IP tunnels.
• GRE is commonly implemented with IPsec to support IGPs.
 GRE is just an encapsulation protocol.
• By default, the traffic leaves in clear text.
 Therefore, GRE tunnels do not provide encryption services.
• IPsec must also be configured to encrypt the routing traffic.
 Note:
• IPsec was designed to tunnel IP only (no multiprotocol support).
• Older IOS versions do not support IP multicast over IPsec.

Sending IGP Traffic Over IPsec
 Routing protocols are encapsulated with a GRE header.
 The packet encapsulated by GRE is then encapsulated with IPsec.
 Therefore, IPsec encrypts the GRE packet which contains the routing update.

[Figure: Routing Protocol Updates -> GRE Tunnel -> Crypto Map (IPsec) -> IPsec Encrypted Traffic]

Transport, Carrier, Passenger Protocols
 In our scenario, the payload of GRE packets will be EIGRP routing updates and LAN-to-LAN corporate traffic.
• The GRE packet will then be encapsulated inside an IPsec packet.
 Therefore, IPsec is the “transport protocol,” and GRE is the “carrier protocol” used to carry other “passenger protocols,” such as IP broadcast or IP multicast, and non-IP protocols.

Transport Protocol:  IPsec (New IP Header)
Carrier Protocol:    GRE
Passenger Protocol:  Network Packet (Original IP header and Data)

GRE Encapsulation
Passenger Protocol:
  | Original IP Header | TCP | Data |

GRE Encapsulation (Carrier Protocol):
  | GRE IP Header | GRE Header | Original IP Header | TCP | Data |

IPsec Encapsulation, Tunnel Mode (Transport Protocol):
  | New IP / UDP Header | ESP Header | GRE IP Header | GRE Header | Original IP Header | TCP | Data | ESP Trailer | ESP Authentication |

Steps to Configuring GRE
[Topology figure: as before, Branch Fa0/0 192.168.1.1 on LAN 192.168.1.0/24 (Branch Server 192.168.1.254, NAT address 209.165.200.254, NAT pool 209.165.200.249 to 209.165.200.253/29); Branch S0/0/1 209.165.200.242 and ISP .241 on 209.165.200.240/29; Internet; ISP .225 and HQ S0/0/1 209.165.200.226 on 209.165.200.224/29; HQ Fa0/0 10.10.10.1 on LAN 10.10.10.0/24 (Email Server 10.10.10.238, NAT address 209.165.200.238, NAT pool 209.165.200.233 to 209.165.200.237/29). A GRE tunnel on 172.16.100.0/30 now runs between Branch (172.16.100.2) and HQ (172.16.100.1) over the IPsec VPN.]

1. Create a tunnel interface for GRE.
2. Configure GRE tunnel parameters including IP address, source and destination tunnel addresses, and tunnel mode.
3. Change the crypto ACL to encrypt GRE traffic.
4. Configure routing protocols to route through the GRE tunnel.

Create a Tunnel Interface
• Create a tunnel interface.

Router(config)#
interface tunnel number

• This command creates a tunnel interface, which is a virtual interface.
• Once in interface configuration mode, configure the tunnel parameters including:
• IP address
• Tunnel source
• Tunnel destination
• Tunnel mode (type of tunnel)

Identify the GRE Tunnel Source
• Identify the source of the GRE tunnel.

Router(config-if)#
tunnel source {ip-address | ipv6-address | interface-type interface-number}

Parameter        Description
ip-address       IP address to use as the source address for packets in the tunnel.
ipv6-address     IPv6 address to use as the source address for packets in the tunnel.
interface-type   Interface type, such as loopback interface.
number           Port, connector, or interface card number.

Identify the GRE Tunnel Destination
• Identify the destination of the GRE tunnel.

Router(config-if)#
tunnel destination {ip-address | ipv6-address | interface-type interface-number}

Parameter        Description
ip-address       IP address to use as the destination address for packets in the tunnel.
ipv6-address     IPv6 address to use as the destination address for packets in the tunnel.
interface-type   Interface type, such as loopback interface.
number           Port, connector, or interface card number.

Identify the Tunnel Mode
• Set the encapsulation mode for the tunnel interface.

Router(config-if)#
tunnel mode {aurp | cayman | dvmrp | eon | gre ip | gre multipoint | gre ipv6 | ipip [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | ipsec ipv6 | mpls | nos | rbscp}

• Optional command, since the default tunnel mode is tunnel mode gre ip.
• Of interest to us is specifically the tunnel mode gre option.
• The additional options listed are for reference only.

Configuring GRE Example

Branch(config)# interface tunnel 0
Branch(config-if)# ip address 172.16.100.2 255.255.255.252
Branch(config-if)# tunnel source 209.165.200.242
Branch(config-if)# tunnel destination 209.165.200.226
Branch(config-if)#
*Mar 27 15:45:05.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0,
changed state to up
Branch(config-if)#

• Configure the tunnel interface on the Branch router.

Configuring GRE Example

HQ(config)# interface Tunnel0
HQ(config-if)# ip address 172.16.100.1 255.255.255.252
HQ(config-if)# tunnel source 209.165.200.226
HQ(config-if)# tunnel destination 209.165.200.242
HQ(config-if)#
*Mar 27 10:50:59.151: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0,
changed state to up
HQ(config)#

• Configure the tunnel interface on the HQ router.

Verify the Tunnel Configuration
Branch# show interfaces tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.16.100.2/30
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 209.165.200.242, destination 209.165.200.226
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec

<output omitted>

Configuring GRE Example

Branch(config)# no access-list 110
Branch(config)# access-list 110 permit gre host 209.165.200.242 host 209.165.200.226
Branch(config)# router eigrp 1
Branch(config-router)# network 192.168.1.0 0.0.0.255
Branch(config-router)# network 172.16.100.0 0.0.0.3
Branch(config-router)# no auto-summary
Branch(config-router)#

• Change the ACL and add the Internet link and GRE tunnel
network to EIGRP on the Branch router.
Configuring GRE Example

HQ(config)# no access-list 110
HQ(config)# access-list 110 permit gre host 209.165.200.226 host 209.165.200.242
HQ(config)# router eigrp 1
HQ(config-router)# network 10.10.10.0 0.0.0.255
HQ(config-router)# network 172.16.100.0 0.0.0.3
HQ(config-router)# no auto-summary
HQ(config-router)#
*Mar 27 12:02:52.483: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.100.2
(Tunnel0) is up: new adjacency
HQ(config-router)#

• Do the same on the HQ router.
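An added example, not part of the slides or of Cisco's own code, tying together the GRE Encapsulation slide and the crypto ACL change above: it models the GRE carrier encapsulation in Python and shows why the old entry (permit ip 192.168.1.0/24 10.10.10.0/24) never matches an EIGRP hello sent to 224.0.0.10, while the GRE-wrapped packet (outer header 209.165.200.242 to 209.165.200.226, protocol 47) matches the new permit gre host ... host ... entry. The packet bytes and the EIGRP payload are constructed placeholders, checksums are left at zero, and the ACL model is a simplification of IOS ACL matching.

```python
import ipaddress
import struct

# Addresses from the slides: Branch/HQ WAN endpoints, Branch tunnel IP, EIGRP multicast group.
BRANCH_WAN, HQ_WAN = "209.165.200.242", "209.165.200.226"
BRANCH_TUN, EIGRP_MCAST = "172.16.100.2", "224.0.0.10"

# Crypto ACL before the change: permit ip 192.168.1.0/24 10.10.10.0/24
OLD_ACL = [("192.168.1.0/24", "10.10.10.0/24", None)]
# Crypto ACL after the change: permit gre host 209.165.200.242 host 209.165.200.226
NEW_ACL = [(BRANCH_WAN + "/32", HQ_WAN + "/32", 47)]

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left at zero (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def gre_encapsulate(inner_packet, tun_src, tun_dst):
    """Carrier protocol: 4-byte GRE header (no flags, protocol type 0x0800 = IPv4)
    plus an outer IP header with protocol 47 between tunnel source and destination."""
    gre_hdr = struct.pack("!HH", 0, 0x0800)
    outer = ipv4_header(tun_src, tun_dst, 47, len(gre_hdr) + len(inner_packet))
    return outer + gre_hdr + inner_packet

def outer_flow(packet):
    """(src, dst, proto) of the outermost IPv4 header: what the crypto ACL is evaluated on."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])), packet[9])

def crypto_acl_permits(acl, packet):
    """True if any (src_net, dst_net, proto) entry matches; proto None means 'permit ip'."""
    src, dst, proto = outer_flow(packet)
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
               and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)
               and acl_proto in (None, proto)
               for src_net, dst_net, acl_proto in acl)

def eigrp_hello():
    """Constructed stand-in for an EIGRP hello (IP protocol 88) to 224.0.0.10 from Tunnel0."""
    payload = b"\x02\x05" + b"\x00" * 18
    return ipv4_header(BRANCH_TUN, EIGRP_MCAST, 88, len(payload)) + payload

def gre_overhead(inner_packet):
    """Bytes GRE adds; matches the 1500 - 1476 tunnel transport MTU in show interfaces tunnel 0."""
    return len(gre_encapsulate(inner_packet, BRANCH_WAN, HQ_WAN)) - len(inner_packet)
```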


Verifying GRE Example

Branch# show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
0   172.16.100.1    Tu0           14 00:00:27   92  2151  0  3
Branch#

• Notice that the EIGRP neighbor is at the GRE tunnel IP address 172.16.100.1.
Verifying GRE Example

Branch# ping 10.10.10.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/100/100 ms
Branch#

• Pings successfully cross the Internet link over the IPsec VPN.
Verify the GRE Over IPsec Configuration
Branch# show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Serial0/0/1
Uptime: 00:35:47
Session status: UP-ACTIVE
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 209.165.200.226
Desc: (none)
IKE SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active
Capabilities:(none) connid:1002 lifetime:23:24:11
IPSEC FLOW: permit 47 host 209.165.200.242 host 209.165.200.226
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 142 drop 0 life (KB/Sec) 4495354/1452
Outbound: #pkts enc'ed 211 drop 1 life (KB/Sec) 4495345/1452

Branch#
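An added example, not from the slides: a small Python checker for the show crypto session detail output above. It confirms the session is UP-ACTIVE, that the IPsec flow now protects GRE (protocol 47) between the two tunnel endpoints rather than the old LAN-to-LAN flow, that both SAs are active, and it reports any non-zero drop counters. The sample text is a constructed, trimmed copy of the slide's output; the field names are those IOS prints.

```python
import re

# Constructed sample, cut down from the slide's "show crypto session detail" output on Branch.
SAMPLE_OUTPUT = """\
Interface: Serial0/0/1
Uptime: 00:35:47
Session status: UP-ACTIVE
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
IKE SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active
IPSEC FLOW: permit 47 host 209.165.200.242 host 209.165.200.226
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 142 drop 0 life (KB/Sec) 4495354/1452
Outbound: #pkts enc'ed 211 drop 1 life (KB/Sec) 4495345/1452
"""

FLOW_RE = re.compile(r"IPSEC FLOW: permit (\S+) host (\S+) host (\S+)")
DROP_RE = re.compile(r"(Inbound|Outbound): #pkts \S+ \d+ drop (\d+)")

def parse_crypto_session(text):
    """Pull the fields needed to judge a GRE-over-IPsec session out of the CLI output."""
    info = {"status": None, "flows": [], "active_sas": 0, "drops": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Session status:"):
            info["status"] = line.split(":", 1)[1].strip()
        elif (m := FLOW_RE.match(line)):
            info["flows"].append((m.group(1), m.group(2), m.group(3)))   # (proto, src, dst)
        elif line.startswith("Active SAs:"):
            info["active_sas"] = int(line.split(":")[1].split(",")[0])
        elif (m := DROP_RE.match(line)):
            info["drops"][m.group(1).lower()] = int(m.group(2))
    return info

def check_gre_over_ipsec(info, local, peer):
    """Return a list of findings; an empty list means the tunnel looks as the design intends."""
    findings = []
    if info["status"] != "UP-ACTIVE":
        findings.append(f"session status is {info['status']}")
    if ("47", local, peer) not in info["flows"]:
        findings.append("no IPsec flow for GRE (protocol 47) between the tunnel endpoints")
    if info["active_sas"] < 2:
        findings.append("fewer than two active SAs (need one inbound and one outbound)")
    for direction, count in info["drops"].items():
        if count:
            findings.append(f"{direction} drops: {count}")
    return findings
```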
