Ipsec Presentation


IPSec VPNs

Presented by

Avinash R Desai

AGENDA

Introduction and Motivation
IPSec Basics
Enterprise IPSec VPN
Managing VPN
Wrap-up
Q&A

Why Do We Care?
Many organizations are trying to use IPSec VPN to reduce costs and simplify new connections
VPN allows
Shared Internet and Enterprise access
Reduced access line costs
Ease of provisioning, flexibility
Increased security

IPSec VPN and V3PN Benefits

IPSec VPN design provides resiliency
Integrated branch routers provide ISP connection, VPN termination, IPT gateway, and Cisco IOS Firewall functionality
Tested scalability and performance numbers
Enhanced productivity and reduced support costs: extend central site voice, video, data resources and applications to all corporate sites
Voice, video, data transported securely and transparently over IPSec tunnels with enabled QoS
Standard IP Telephony features including codecs, SRST preserved

Agenda
Introduction and Motivation
IPSec Basics
Enterprise IPSec VPN
Managing VPN
Wrap-up

IPSec Basics
IPSec uses a Security Association (SA) and crypto key to encrypt selected data between a pair of sites
This key is used with the DES, 3DES, or AES forms of encryption to both encrypt and decrypt data
The key is automatically established, changed, and managed by IPSec devices using IKE (Internet Key Exchange), a.k.a. ISAKMP
Before a key can be established, IKE does authentication
Shared secret or Certificate Authority are two ways to do this
IKE uses public key crypto to securely do its job
Diffie-Hellman is the technique used to securely exchange encryption keys

Message Hashing
Message Hashing is used to detect altered messages
Message bits and a secret key are combined into a short hash code
Hash code sent in header
If received message hash doesn't match, message was altered
Two forms: SHA and MD5
SHA is a bit stronger

Message Hashing
IPSec comes in two forms
AH provides a keyed hash and authentication data
Ensures data comes from peer router (authentication)
Detects alterations (keyed hash)
But does not encrypt for confidentiality
ESP encrypts
Two sub-modes: tunnel and transport
In tunnel mode, the new IP header hides source and destination addresses: keeps server address confidential
Keyed hash for detecting alterations
Authentication
Encryption

The 4 Steps of IPSec SA Establishment

1. Host A sends interesting traffic for Host B
2. Router A and B negotiate an IKE Phase 1 session and authenticate
3. Router A and B negotiate an IKE Phase 2 session and exchange key
4. Information is exchanged via IPSec tunnel

What to Encrypt
The crypto map you configure references an access list for interesting packets
What to encrypt (outbound)
What to decrypt (inbound)
ESP encrypts
If the router encrypts or decrypts the wrong packet, it gets nonsense and a bad checksum, and the packet is discarded!

IPSec Troubleshooting Tips

The two ends have to agree on the various choices
How to do IKE (IKE policy)
Authentication method, shared secret or CA, etc.
AH versus ESP
Tunnel versus transport
Message hashing scheme
You need routing to be able to deliver packets
IPSec source address at one end must match destination at the other
You need consistent crypto access lists!!!
The two endpoint ACLs need to mirror each other
Use the 4 steps to troubleshoot

Agenda

Introduction and Motivation
IPSec Basics
Enterprise IPSec VPN
Managing VPN
Wrap-up

Design Assumptions

High availability and failover with fast convergence
Support for dynamic routing
Ability to carry diverse traffic, including IP multicast, multiprotocol
Conservative CPU levels
Router-based (versus VPN concentrator)

Key Design Components

Cisco VPN routers as head-end VPN termination
Cisco access routers as branch termination
Use hardware IPSec acceleration
IPSec ESP Tunnel mode
GRE tunnels, dual star to two head-end routers
At HQ or two head-end sites for geographic diversity
Internet services from an ISP

Enterprise IPSec VPN

Why GRE with IPSec?

Dynamic routing and support of multicast and non-IP protocols
Side effect: simpler implementation and troubleshooting
If you're not building in redundancy, you can leave out the GRE and the dynamic routing and reduce overhead, at the price of doing a bit more configuration

Key Design Components

Cost (GRE + IPSec): 24 more bytes of header (overhead)
Total headers added: 76 bytes

Avoiding Fragmentation
We want to avoid fragmenting the IPSec packets
They have to be re-assembled at the termination router to be decrypted
Re-assembly is process switched
Slow + CPU impact
So create fragments BEFORE IPSec encrypts!
Reduce GRE tunnel MTU to 1400+ Bytes
Consider enabling Path MTU Discovery on the tunnels

Path MTU Discovery

Path MTU Discovery is used by current and recent UNIX and Windows servers
They send large packets with DF set
Intervening routers needing smaller MTU send back ICMP message with option indicating desired frame size
Problem: some web / server sites block all ICMP packets
Result: large web images, FTP file transfers mysteriously fail, but only to some sites
Use router default, tunnels not doing P-MTU-D
Use router default: Cisco GRE and IPSec tunnels reset DF=1 to DF=0 and fragment
Cisco Pre-Fragmentation for IPSec VPN feature
This plus GRE MTU of 1400 means no P-MTU-D issues even with web traffic via IPSec + GRE tunnels

Which Router?
Cisco tested ESP tunnels with GRE to 2 head-end sites, 240 branch routers
Recommendations are based on 55-65% CPU for a specific traffic mix.
This is a summary: see the Cisco documents for details. In particular, specific models within a product family may have lower performance than that shown. Your Mileage May Vary.

Other Recommendations
Have a summarizable addressing scheme
It can make crypto ACLs simpler, less of an issue with GRE
Use route summarization
For central DHCP, use helper addresses remotely
Use IPSec Tunnel Mode with 3DES
Don't use IKE keepalives
Base number of head-end devices on number of remote sites and throughput
Use appropriate (recent) Cisco IOS releases
Avoid IPSec through NAT points

IPSec Sequence Numbers

IPSec also uses sequence numbers for anti-replay protection
Out-of-order packets can lead to dropped packets!
Conclusion: priority queuing and load-balancing can lead to drops in an IPSec environment!
Make one GRE tunnel primary with single preferred path for each remote site
Dynamic routing failover preserved
Can use interface delay parameter to prefer one GRE tunnel over the other (if both head end routers at same site)

Service Provider

Service Provider 2
Many or even most ISPs do not honor the L3 QoS markings
Your voice traffic may experience unacceptable delay or jitter
Whenever possible, you need SLAs
Covering overall delay and jitter, repair time, etc.
Or for QoS-aware service guaranteeing certain delay and jitter levels for various classes of traffic, based on agreed-upon markings
Otherwise, you can deploy and later discover your IPSec VPN isn't working very well: no recourse!
Multiple ISPs is harder
SLAs generally only apply within a single ISP's network
Beware: some home cable & DSL services block IPSec unless business grade service is paid for

SLAs
CPN Multi-service VPN standards:
Jitter less than or equal to 20 msec
Delay less than or equal to 60 msec one way
Packet Loss less than or equal to 0.5 percent

Configuration Steps
Step 1: Configure IKE policy
Step 2: Specify IPSec transform and protocol
Step 3: Create access lists (ACLs) for encryption
Step 4: Configure crypto map
Step 5: Apply crypto map

Enterprise IPSec VPN

Sample: IKE Policy

Sample: IPSec Transform and Protocol

Sample: Encryption ACLs

Sample: Crypto Map

Sample: Apply Crypto Map
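The five configuration steps, the 1400-byte GRE MTU with pre-fragmentation, and the interface-delay trick for a single preferred path, brought together in one constructed Cisco IOS branch-router configuration added here (it is not from the deck and not Cisco's own sample). Assumed: head-end peers 198.51.100.1 and 198.51.100.2, branch WAN address 203.0.113.10, tunnel /30 subnets from 10.255.0.0/24, and a placeholder pre-shared key.

```cisco
! Constructed branch-router config; addresses are documentation ranges, not real sites
! Step 1: IKE policy (3DES, SHA, pre-shared key, DH group 2); no IKE keepalives, as advised
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PSK-PLACEHOLDER address 198.51.100.1
crypto isakmp key PSK-PLACEHOLDER address 198.51.100.2
!
! Step 2: transform set, ESP tunnel mode with 3DES and SHA-HMAC
crypto ipsec transform-set VPN-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
! Fragment before encryption and clear DF so paths that block ICMP still carry large packets
crypto ipsec fragmentation before-encryption
crypto ipsec df-bit clear
!
! Step 3: crypto ACLs select only the GRE traffic; the head-end ACLs must mirror these
access-list 101 permit gre host 203.0.113.10 host 198.51.100.1
access-list 102 permit gre host 203.0.113.10 host 198.51.100.2
!
! Step 4: crypto map, one entry per head-end peer
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VPN-3DES-SHA
 match address 101
crypto map VPN-MAP 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set VPN-3DES-SHA
 match address 102
!
! Dual-star GRE tunnels with 1400-byte MTU; Tunnel1 gets a higher delay (tens of
! microseconds) so EIGRP prefers Tunnel0 and the site has a single preferred path
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 tunnel source 203.0.113.10
 tunnel destination 198.51.100.1
interface Tunnel1
 ip address 10.255.0.6 255.255.255.252
 ip mtu 1400
 delay 100000
 tunnel source 203.0.113.10
 tunnel destination 198.51.100.2
!
! Step 5: apply the crypto map to the WAN interface that sources the tunnels
interface FastEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 crypto map VPN-MAP
```

Each head-end router needs the mirror-image crypto ACL, the same IKE policy and transform set, and a routing protocol such as EIGRP running over both tunnels so the delay value steers the path and failover still works.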

Agenda
Introduction and Motivation
IPSec Basics
Enterprise IPSec VPN

Managing VPN
Wrap-up

Cisco VPN Network Management Tools

CiscoWorks VPN / Security Management Solution (VMS) includes
Management Center (MC) for IDS Sensors
Management Center for VPN Routers
Management Center for PIX Firewalls
Centralized configuration and management of devices
Monitoring Center for Security
Central IDS event software, w/ correlation, notification, reports
VPN Monitor
Track status of VPN devices, w/ drill-down reporting
IDS Host Sensor
Auto-Update Server
Pull model of distribution of images and configurations
Resource Manager Essentials (RME), CiscoView, Common Services

Agenda
Introduction and Motivation
IPSec Basics
Enterprise IPSec VPN
Managing VPN
Wrap-up

See Also
AVVID Enterprise Site-to-Site VPN Design
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns142/c649/ccmigration_09186a00800d67f9.pdf

IPSec support page
http://www.cisco.com/cgibin/Support/PSP/psp_view.pl?p=Internetworking:IPSec

Summary
Use GRE + IPSec in a hub and spoke design for easily managed IPSec VPN with redundancy and failover
Cisco has tested performance under load for 240 remote branch routers going to 2 central routers
Fragment before IPSec for much better performance

*Disclaimer: this presentation touches on most of the high-level issues, but it definitely does not cover all the details of QoS or V3PN planning.

Q&A

THANK YOU
