VPN – ahmedhussein

Virtual Private Networks

Virtual private networks (VPNs) to create end-to-end private network connections.
A VPN is virtual in that it carries information within a private network, but that information is actually transported over a public network.
A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network.

Enterprise and Service Provider VPNs

VPNs can be managed and deployed as:

Enterprise VPNs – common solution for securing enterprise traffic across the internet. Site-to-site and remote access VPNs are created and managed by the enterprise using IPsec and SSL VPNs.
Service Provider VPNs – created and managed by the provider network. The provider uses Multiprotocol Label Switching (MPLS) at Layer 2 or Layer 3 to create secure channels between an enterprise’s sites, effectively segregating the traffic from other customer traffic.

VPN Benefits

IPsec Technologies

IPsec is an IETF standard that defines how a VPN can be secured across IP networks. IPsec protects and authenticates IP packets between source and destination and provides these essential security functions:

Confidentiality – Uses encryption algorithms to prevent cybercriminals from reading the packet contents.
Integrity – Uses hashing algorithms to ensure that packets have not been altered between source and destination.
Origin authentication – Uses the Internet Key Exchange (IKE) protocol to authenticate source and destination.
Diffie-Hellman – Used to secure key exchange.

Configure Site To Site VPN

A site-to-site VPN is terminated on VPN gateways. VPN traffic is only encrypted between the gateways. Internal hosts have no knowledge that a VPN is being used.

Site-to-site VPNs connect networks across an untrusted network such as the internet.
End hosts send and receive normal unencrypted TCP/IP traffic through a VPN gateway.
The VPN gateway encapsulates and encrypts outbound traffic from a site and sends the traffic through the VPN tunnel to the VPN gateway at the target site. The receiving VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.

R1 Configuration

license boot module c1900 technology-package securityk9

access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 5
R1(config-isakmp)# exit

R1(config)# crypto isakmp key vpnpa55 address 10.2.2.2

crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
R1(config)# crypto map VPN-MAP 10 ipsec-isakmp
R1(config-crypto-map)# description VPN connection to R3
R1(config-crypto-map)# set peer 10.2.2.2
R1(config-crypto-map)# set transform-set VPN-SET
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# exit

R1(config)# interface s0/0/0
R1(config-if)# crypto map VPN-MAP

R3 Configuration

license boot module c1900 technology-package securityk9

R3(config)# access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

R3(config)# crypto isakmp policy 10
R3(config-isakmp)# encryption aes 256
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 5
R3(config-isakmp)# exit
R3(config)# crypto isakmp key vpnpa55 address 10.1.1.2

R3(config)# crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

R3(config)# crypto map VPN-MAP 10 ipsec-isakmp
R3(config-crypto-map)# description VPN connection to R1
R3(config-crypto-map)# set peer 10.1.1.2
R3(config-crypto-map)# set transform-set VPN-SET
R3(config-crypto-map)# match address 110
R3(config-crypto-map)# exit

R3(config)# interface s0/0/1
R3(config-if)# crypto map VPN-MAP

Remote Access VPN Configuration

A remote-access VPN is dynamically created to establish a secure connection between a client and a VPN terminating device.

R3 Configuration

license boot module c2900 technology-package securityk9

ip local pool poolVPN 192.168.2.100 192.168.2.115

aaa new-model
aaa authentication login userVPN local
aaa authorization network groupVPN local
username userVPN secret ciscoVPN
crypto isakmp policy 100
encryption aes 256
hash sha
authentication Pre-share
group 5
exit
crypto isakmp client configuration group groupVPN
key ciscogroupVPN
pool poolVPN
exit
crypto ipsec transform-set setVPN esp-aes esp-sha-hmac

crypto dynamic-map dynamicVPN 100
set transform-set setVPN
reverse-route
exit
crypto map staticMAP client configuration address respond
crypto map staticMAP client authentication list userVPN
crypto map staticMAP isakmp authorization list groupVPN
crypto map staticMAP 20 ipsec-isakmp dynamic dynamicVPN

interface s0/0/1
crypto map staticMAP

Test stage Configure Client With VPN parameter

56

Created on December 07, 2022

VPN Quiz

Test You Understanding

1 / 10

What is a type of VPN that is generally transparent to the end user?

remote access

public

site-to-site

private

With site-to-site VPNs, internal hosts have no knowledge that a VPN exists. Remote access VPNs support a client/server architecture, where the VPN client (remote host) gains secure access to the enterprise network via a VPN server device at the network edge. Public and private are not VPN types.

2 / 10

Which VPN type is a service provider managed VPN?

site-to-site VPN

remote access VPN

Layer 3 MPLS VPN

GRE over IPsec VPN

VPNs can be managed and deployed as:
Enterprise VPNs – Enterprise managed VPNs are a common solution for securing enterprise traffic across the internet. Site-to-site and remote access VPNs are examples of enterprise managed VPNs.
Service Provider VPNs – Service provider managed VPNs are created and managed over the provider network. Layer 2 and Layer 3 MPLS are examples of service provider managed VPNs. Other legacy WAN solutions include Frame Relay and ATM VPNs.

3 / 10

The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?

integrity

nonrepudiation

confidentiality

authentication

Diffie-Hellman

The IPsec framework consists of five building blocks. Each building block performs a specific securty function via specific protocols. The function of providing confidentiality is provided by protocols such as DES, 3DES, and AES

4 / 10

What algorithm is used to provide data integrity of a message through the use of a calculated hash value?

DH

AES

HMAC

RSA

The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. To ensure that data is not intercepted and modified (data integrity), Hashed Message Authentication Code (HMAC) is used. AES is an encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an algorithm that is used for key exchange. RSA is an algorithm that is used for authentication.

5 / 10

Which two statements describe a remote access VPN? (Choose two.)

It connects entire networks to each other.

It requires hosts to send TCP/IP traffic through a VPN gateway.

It may require VPN client software on hosts.

It requires static configuration of the VPN tunnel.

It is used to connect individual hosts securely to a company network over the Internet.

Remote access VPNs can be used to support the needs of telecommuters and mobile users by allowing them to connect securely to company networks over the Internet. To connect hosts to the VPN server on the corporate network, the remote access VPN tunnel is dynamically built by client software that runs on the hosts.

6 / 10

Which type of VPN may require the Cisco VPN Client software?

SSL VPN

MPLS VPN

remote access VPN

site-to-site VPN

With a remote-access VPN, the client peer may need special VPN client software installed.

7 / 10

Which technique is necessary to ensure a private transfer of data using a VPN?

encryption

scalability

authorization

virtualization

Confidential and secure transfers of data with VPNs require data encryption.

8 / 10

Which IPsec framework protocol provides data integrity and data authentication, but does not provide data confidentiality?

ESP

AH

IP protocol 50

DH

Authentication Header (AH) is IP protocol 51 and does not provide data confidentiality. The data payload is not encrypted. Encapsulating Security Payload (ESP) is IP protocol 50 and provides data confidentiality, integrity, and authentication. The DH algorithm is used in IPsec to negotiate a shared secret key for the peers.

9 / 10

True or False? All VPNs securely transmit clear text across the Internet.

True

False

A VPN is secure (private) when encrypted traffic is sent over a public network, such as the Internet.

10 / 10

What are two reasons a company would use a VPN? (Choose two.)

to allow suppliers to access the network

to eliminate the need of having a gateway

to test network connections to remote users

to connect remote users to the network

to increase bandwidth to the network

Organizations use VPNs to have a reliable secure method to connect remote users, branch offices, and suppliers to the company network. To implement VPNs, a VPN gateway is necessary.

Your score is
0%