300-420 ENSLD – Cisco CCNP Enterprise – CCNP Enterprise ENSLD (300-420): Designing Enterprise Managed VPNs Part 2

  1. Describe Dynamic VTI, GET VPN, SSL VPN

Dynamic virtual tunnel interface (DVTI). DVTI can provide a highly scalable hub configuration in hub-and-spoke VPNs for site-to-site and remote access connectivity. GET VPN: fully meshed VPNs present a scalability and manageability challenge, and many sites usually avoid full-mesh VPNs. IPsec with dynamic VTI: an overview of dynamic VTI follows. It is used for hub provisioning in hub-and-spoke VPNs, and it simplifies the configuration complexity of the VPN hub router. Spokes initiate the VPN establishment. A spoke is configured with a normal static VTI. The IPsec DVTI configured at the hub device does not require a static mapping of IPsec sessions to a physical interface. Instead, virtual tunnel interfaces (VTIs) are created dynamically from a preconfigured template as tunnels to the hub are established. These dynamic tunnels provide on-demand, separate virtual access interfaces for each VPN session.

The configuration is cloned from a virtual template configuration, which includes the IPsec configuration and any Cisco IOS software features that are otherwise configured on a regular interface, such as QoS, NetFlow, or ACLs. DVTI functionality requires minimal configuration on the hub router: in hub-and-spoke VPNs, the hub does not need a separately configured VTI for each spoke. The spoke peer that initiates the VPN connection creates the tunnel and triggers the creation of the hub DVTI interface. On the spoke, a normal static VTI is used to provision its tunnel to the hub. On the hub router, DVTIs are created when spoke peers create an Internet Key Exchange (IKE) session to the hub device and negotiate IPsec policies. In terms of configuration, DVTIs on the hub do not appear as tunnel interfaces but as virtual access interfaces, which are automatically cloned from virtual templates.

A virtual template interface is a set of common settings that are inherited by DVTIs. All other dynamic parameters, such as the tunnel address of the spoke, are filled in by the hub as the remote peers connect. DVTI is appropriate for large hub-and-spoke deployments where you want to simplify VPN provisioning on the hub router. You can also use a DVTI implementation in an environment where the spoke has a dynamic WAN IP address. GET VPN: fully meshed VPNs present a scalability and manageability challenge, and many sites usually avoid full-mesh VPNs. The Cisco Group Encrypted Transport VPN (GET VPN) technology provides solutions to these challenges and allows organizations to easily deploy complex, redundant, fully meshed networks. The general flow of the GET VPN protocol follows: group members register with the key server; the key server pushes IPsec policy and keys to the group members.

The group members can then securely communicate with each other. GET VPN offers a new standards-based IPsec security model that is based on the concept of trusted group members. Trusted member routers use a common security methodology that is independent of any point-to-point IPsec tunnel relationship. Group controllers or key servers (GCKS) and group members (GMs) are the two key components in the GET VPN architecture. The key server authenticates all group members, performs admission control for the GET VPN domain, and creates and supplies group authentication keys and SAs to group members. Group members provide the transmission protection service to sensitive site-to-site, member-to-member traffic. The key server distributes keys and policies to all registered and authenticated group members. By distributing keys and policies from a centralized point and by sharing the same group SA with all authenticated group members, key distribution and management are greatly simplified.

Communication between the key server and group members is encrypted and secured using the Internet Key Exchange Group Domain of Interpretation (IKE GDOI) protocol. IKE GDOI is a standards-based Internet Security Association and Key Management Protocol (ISAKMP) key management protocol that is designed to provide secure group communications for GET VPN users. IKE GDOI is the group keying mechanism. IKE GDOI supports the use of two keys. The Traffic Encryption Key (TEK) is used to protect the traffic between group members. The Key Encryption Key (KEK) is used to protect rekeys (key refreshes) between key servers and group members. The key server distributes the TEK to all group members.

The group members use the downloaded TEK to communicate securely among the group and to create and verify IPsec packets. The key server also distributes the KEK, which group members use to decrypt the incoming rekey messages from the key server. The group members need to register with the key server to receive policies from it. The key server, upon receiving registration messages from a group member, generates the information that contains the rekey policy, one KEK, and the new IPsec SAs.

A TEK carries multiple attributes: the traffic encryption policy, the lifetime, source and destination information about the traffic that must be protected, and the security parameter index (SPI) that is associated with each TEK. The new IPsec SA is then sent to the group member for use in the GET VPN data plane. Group members that have the appropriate group IPsec SAs can protect traffic and send it to other group members, which are able to decrypt the packets because they hold the same group IPsec SAs.

An overview of GET VPN deployment follows. You can use GET VPN in different WAN environments. The deployment choices follow: PSK-based or PKI-based authentication, and one or more key servers. General deployment guidelines for GET VPN follow: use GET VPN as a scalable solution for mesh connectivity when there are many sites; you must use routable IP addresses. PSK-based and PKI-based authentication provide the same scalability properties in a GET VPN. An overview of GDOI follows. GDOI defines a key management protocol based on IKE and ISAKMP, standardized in RFC 3547. It uses two types of keys: the KEK to protect rekeys, and the TEK to protect the traffic between group members. There are two rekeying options, multicast rekeying and unicast rekeying; use multicast rekeying if the transport network is multicast capable. GDOI, which is the underlying standard for GET VPN, is standardized in RFC 3547.

GDOI defines a key management protocol that is based on IKE and ISAKMP. GDOI uses the same principles to generate symmetric encryption keys, but it uses two keys, the KEK and the TEK. The key management protocol is an extension of IKE and ISAKMP, and it uses the User Datagram Protocol (UDP). One major difference of GDOI IKE is the fact that GDOI IKE sessions do not need to linger between members after initial establishment. GDOI IKE sessions can be left to expire quickly after a group member has authenticated to the key server and obtained the policy. The second major difference is that GDOI IKE sessions do not get established between members in a VPN. The sessions are established only between each group member and the key server, or multiple key servers for redundancy.

Another notable difference of a GDOI-based VPN is that all group members use one set of session keys to protect network traffic. In contrast, in classic IPsec VPNs each pair of peers has a private set of IPsec SAs that is only shared between the two peers. GET VPN uses rekey messages to refresh IPsec SAs (session keys) outside of IKE sessions when the group IPsec SAs are about to expire. One single rekey message for a particular group is generated on the key server. No new IKE sessions are created for the rekey message distribution. There are two options. Multicast rekeying: with multicast rekeying, the key server sends out multicast rekeys to the group members. It sends out a single multicast rekey packet to the core, and the core does the replication for all group members. Because the group member does not send any acknowledgment, rekeys will be retransmitted two or three times during the rekey period.

Using multicast transport is efficient and highly recommended for a larger network. It reduces the load on the key server, which no longer has to process a rekey message for each group member and the acknowledgments that are received from each group member. Moreover, the group member does not send any acknowledgments, as is required in the unicast transport mechanism. Unicast rekeying: when you use unicast rekeying with many group members, the key server generates rekey messages for only a few group members at a time. The key server also ensures that all group members receive the rekey messages for the new SA before the old SA expires.

This process helps reduce latency issues. In addition, when a unicast group member receives the rekey message from the key server, the group member sends an encrypted ACK message to the key server, using the keys that are received as part of the rekey message. If the enterprise network is multicast capable, it is recommended that you use multicast rekeying, which is the more efficient mechanism. Some general guidelines for rekeying follow. If most group members are only capable of unicast, then use unicast rekeying.

If most group members are capable of multicast and the entire transport network is capable of multicast, then use multicast rekeying. Benefits and limitations: GET VPN has the following benefits. Configuration is very scalable, because the configuration does not grow significantly when adding group members in a fully meshed scenario. It provides scalable support for multicast traffic. There are, however, a few limitations. VPN addresses must be routable in the transport network.

This limitation is a direct consequence of original IP header preservation, and in most cases it prevents GET VPN from being used over the Internet. The compromise of a peer can have a detrimental effect on the security of other peers, because group keys are shared and an attacker holding them could decrypt any traffic in the GET VPN. Key servers must be available during rekeys and registration for the entire network to work. You can use GET VPN-based networks in various WAN environments, including IP and Multiprotocol Label Switching (MPLS). MPLS networks that use this transmission protection technology are highly scalable, manageable, and cost-effective, and they meet regulatory-mandated transmission protection requirements. The flexible nature of GET VPN enables security-conscious enterprises to manage their own network security over a service provider WAN service or to offload encryption services to their providers.

GET VPN simplifies securing large Layer 2 or MPLS networks that require partial mesh connectivity. When you design a GET VPN, you have several deployment choices. You need to decide if you will use PSK-based or PKI-based authentication. Using PSK is simpler, but security is generally stronger when using PKI. When you use PSK, you cannot use dynamically addressed group members; you must use PKI-based authentication for this task. To provide high availability, you have multiple key servers. Each key server is an active key server that manages requests from the group members. One of the key servers is the primary key server, which is used to update policies on the other key servers. You should consider three main guidelines when implementing a VPN using GET VPN technology. It is recommended that you consider GET VPN as your primary technology to implement scalable, fully meshed connectivity with several sites. When implementing GET VPN over the Internet, it is mandatory that you use routable IP addresses on all networks that are included in the VPN.

Usually this option is not possible, because enterprises use RFC 1918-based private addresses inside their internal networks. In a GET VPN, there is no scalability issue with the PSK approach, because you need to configure only a limited number of IKE sessions. Other criteria must be used to decide between PSK and PKI, especially weighing the complexity of PKI against possible security issues with PSKs. SSL VPN: the SSL VPN provides support for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through an SSL-enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure VPN tunnel using a web browser. An overview of SSL VPN follows. It provides remote connectivity through SSL. Three modes of SSL VPN access follow: clientless, thin client, and full tunnel mode.
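The GET VPN key server and group member roles, the KEK/TEK split and the rekey transport choice discussed above, as an added configuration example that is not part of the original course material. The key server address 192.0.2.1, the group member WAN address 192.0.2.11, the group identity 1234, the 10.0.0.0/8 protected range, the placeholder PSK and the RSA key label are all assumptions; the algorithms and lifetimes are reasonable choices rather than values from the page.

```ios
! ===== Key server (GCKS) =====
! Registration (the only IKE session a GM ever opens) is authenticated with a PSK.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-GM-PSK address 0.0.0.0 0.0.0.0
!
! The TEK policy: which traffic GMs protect and with what transform.
crypto ipsec transform-set GET-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile GET-IPSEC
 set transform-set GET-TS
!
ip access-list extended GET-ENCRYPT
 deny   udp any eq 848 any eq 848      ! GDOI control traffic stays in the clear
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! Rekey messages are signed with this RSA key (exec mode, run once):
!   crypto key generate rsa general-keys label GET-REKEY modulus 2048
!
crypto gdoi group GET-GROUP
 identity number 1234
 server local
  ! KEK parameters: protect the rekey channel, not the data plane.
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2         ! resend, since multicast GMs never ACK
  rekey authentication mypubkey rsa GET-REKEY
  rekey transport unicast               ! GMs ACK each rekey; omit for multicast
  ! Multicast alternative (transport network must be multicast capable):
  !  rekey address ipv4 GET-REKEY-MCAST
  !  where GET-REKEY-MCAST permits udp host 192.0.2.1 eq 848 host 239.192.1.1 eq 848
  ! TEK parameters: the group IPsec SA pushed to every member.
  sa ipsec 1
   profile GET-IPSEC
   match address ipv4 GET-ENCRYPT
   replay counter window-size 64
  address ipv4 192.0.2.1
!
! ===== Group member (GM) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-GM-PSK address 192.0.2.1
!
! No transform set, no ACL: policy and keys arrive from the key server.
crypto gdoi group GET-GROUP
 identity number 1234
 server address ipv4 192.0.2.1
!
crypto map GET-MAP 10 gdoi
 set group GET-GROUP
!
interface GigabitEthernet0/0
 ip address 192.0.2.11 255.255.255.0
 crypto map GET-MAP
!
! Verification (exec mode):
!   KS: show crypto gdoi ks members      -> registered GMs
!   GM: show crypto gdoi                  -> KEK/TEK lifetimes, rekeys received
!   GM: show crypto gdoi ipsec sa         -> downloaded group SA with SPI and ACL
```

Two points from the passage show up directly in this configuration. The GM has no traffic policy of its own; the ACL and transform set live only on the key server, which is why adding a member does not grow the configuration. And the static `crypto isakmp key ... address 192.0.2.1` on the GM is the PSK constraint the text mentions: a member with a dynamic address cannot be matched this way on the key server, so such members need PKI-based authentication. The `deny udp ... eq 848` line keeps GDOI registration and rekey traffic out of the encrypted set, without which a member could never reach the key server to obtain its first TEK.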

Cisco SSL VPN provides SSL VPN remote access connectivity from almost any Internet location using only a web browser that natively supports SSL encryption. This feature allows your company to extend access to its secure enterprise network to any authorized user by providing remote access connectivity to corporate resources from any Internet-enabled location. SSL VPN can also support access from noncorporate machines, including home computers, Internet kiosks, and wireless hotspots. These locations are difficult places to deploy and manage the VPN client software and remote configuration that is required to support IPsec VPNs. SSL VPN delivers the following three modes of SSL VPN access. Clientless: clientless mode provides secure access to private web resources and provides access to web content.

This mode is useful for accessing most content that you would expect to access in a web browser. Examples are Internet access, databases, and online tools that employ a web interface. Thin client: thin client mode extends the capability of the cryptographic functions of the web browser. This option enables remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet, and SSH. The remote user downloads a Java applet by clicking the link that is provided on the portal page, or the Java applet is downloaded automatically. The Java applet acts as a TCP proxy on the client machine for the services that you configure on the gateway.

Full tunnel mode: full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN client for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured, and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application. FlexVPN configuration blocks overview: FlexVPN combines site-to-site, remote access, and hub-and-spoke topologies with partial meshes (spoke-to-spoke direct). FlexVPN offers a simple but modular framework that extensively uses the tunnel interface paradigm while remaining compatible with legacy VPN implementations using crypto maps. IKEv2, a next-generation key management protocol that is based on RFC 4306, is an enhancement of the IKE protocol. IKEv2 is used for performing mutual authentication and for establishing and maintaining SAs.
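The three SSL VPN access modes described above (clientless bookmarks, thin client port forwarding, and the full tunnel client) on a Cisco IOS SSL VPN gateway, as an added example that is not part of the original course material. The gateway address 203.0.113.10, the trustpoint name SSL-TP, the internal host names, the address pool, the AnyConnect package file name and the group policy names are assumptions.

```ios
! Listener: the SSL-enabled gateway remote users reach with a browser.
! SSL-TP is an assumed, already enrolled certificate trustpoint.
webvpn gateway SSL-GW
 ip address 203.0.113.10 port 443
 ssl trustpoint SSL-TP
 inservice
!
! Full tunnel mode needs the client package staged on the router
! (assumed file name; exec-mode command shown as a comment):
!   webvpn install svc flash:/anyconnect-win-PLACEHOLDER.pkg
!
ip local pool SSL-POOL 10.99.0.10 10.99.0.100
!
webvpn context CORP
 gateway SSL-GW
 !
 ! Clientless mode: portal bookmarks to internal web applications.
 url-list "INTRANET"
  heading "Intranet applications"
  url-text "Helpdesk" url-value "http://helpdesk.corp.example"
  url-text "Timesheets" url-value "https://time.corp.example"
 !
 ! Thin client mode: the Java applet proxies these local ports to
 ! internal TCP services (POP3, SMTP, SSH) through the SSL session.
 port-forward "MAIL-PF"
  local-port 3110 remote-server mail.corp.example remote-port 110 description "POP3"
  local-port 3025 remote-server mail.corp.example remote-port 25 description "SMTP"
  local-port 3022 remote-server jump.corp.example remote-port 22 description "SSH"
 !
 policy group CORP-POLICY
  url-list "INTRANET"
  port-forward "MAIL-PF"
  ! Full tunnel mode: client download enabled, split tunnel limited
  ! to the corporate range so Internet traffic stays local.
  functions svc-enabled
  svc address-pool "SSL-POOL"
  svc split include 10.0.0.0 255.0.0.0
 default-group-policy CORP-POLICY
 inservice
!
! Verification (exec mode):
!   show webvpn gateway SSL-GW        -> listener state and certificate
!   show webvpn session context CORP  -> connected users and their mode
```

A single policy group can offer all three modes, so the mode a user lands in is decided by the client, not by separate gateways. Because `functions svc-enabled` (rather than `svc-required`) leaves clientless and thin client access available, a kiosk user still reaches the portal while a corporate laptop gets the full tunnel; the split include list bounds what the tunnel can carry, which is the setting to review when a policy group is shared with untrusted endpoints.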

FlexVPN supports per-peer configuration of service parameters such as QoS, firewall mechanisms, policies, and VRF-related settings. It is ideal for service aggregation that encompasses both remote access and site-to-site VPNs. It provides improved service management through integration with external AAA databases and works well in multitenancy scenarios. FlexVPN is the future technology of choice. To implement FlexVPN on the router, there are several building blocks that need to be configured; some of them can have default values. The configuration blocks for FlexVPN follow. IKEv2 proposal: defines the protection attributes to be used in the negotiation of the IKEv2 SA. After you create an IKEv2 proposal, attach it to an IKEv2 policy so that the proposal is picked for negotiation. IKEv2 policy: binds the proposal to a VPN peer.

The IKEv2 policy references the IKEv2 proposal. IKEv2 keyring: used to define PSKs, which can be asymmetric. IKEv2 profile: a repository of nonnegotiable parameters of the IKE SA, such as the VPN peer address and the authentication method used. There is no default IKEv2 profile, so you must configure one and attach it to an IPsec profile on the initiator. If PSK authentication is used, the IKEv2 profile references the IKEv2 keyring. IPsec transform set: specifies an acceptable combination of security protocols and algorithms for the IPsec SA. IPsec profile: summarizes FlexVPN settings in a single profile that can be applied to an interface. The IPsec profile references the IPsec transform set and the IKEv2 profile. To minimize FlexVPN configuration, you can use an IKEv2 feature called smart defaults.

This feature includes default settings for all configuration blocks except the IKEv2 profile and the keyring. IKEv2 smart defaults can also be customized for specific use cases, although this practice is not recommended. Typical FlexVPN deployment: FlexVPN was created to simplify the deployment of VPNs and to address the complexity of multiple solutions. FlexVPN covers all types of VPN: remote access, teleworker, site-to-site, mobility, managed security services, and others. FlexVPN is a robust standards-based encryption technology that helps enable organizations to securely connect branch offices and remote users.
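The six FlexVPN configuration blocks listed above, wired together for one side of a site-to-site IKEv2 tunnel, followed by the reduced form that smart defaults allow, as an added example that is not part of the original course material. The addresses (203.0.113.1 for this router, 203.0.113.2 for the peer), the block names, the asymmetric placeholder keys and the chosen algorithms are assumptions; the peer router carries the mirror image with the addresses and the local/remote keys swapped.

```ios
! --- 1. IKEv2 proposal: protection attributes for the IKEv2 SA ---
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! --- 2. IKEv2 policy: binds the proposal to the local peer address ---
crypto ikev2 policy FLEX-POL
 match address local 203.0.113.1
 proposal FLEX-PROP
!
! --- 3. IKEv2 keyring: asymmetric PSKs (each direction has its own key) ---
crypto ikev2 keyring FLEX-KEYS
 peer BRANCH
  address 203.0.113.2
  pre-shared-key local PLACEHOLDER-HQ-KEY
  pre-shared-key remote PLACEHOLDER-BRANCH-KEY
!
! --- 4. IKEv2 profile: nonnegotiable parameters, no default exists ---
crypto ikev2 profile FLEX-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 identity local address 203.0.113.1
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KEYS
!
! --- 5. IPsec transform set: protocols and algorithms for the IPsec SA ---
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- 6. IPsec profile: ties transform set and IKEv2 profile together ---
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROF
!
! The tunnel interface is where the single IPsec profile is applied.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! ===== Same tunnel with smart defaults =====
! Blocks 1, 2, 5 and 6 fall back to the built-in "default" objects;
! only the keyring and the IKEv2 profile (blocks 3 and 4) are written,
! and the default IPsec profile is pointed at that IKEv2 profile.
!  crypto ikev2 keyring FLEX-KEYS
!   ... as above ...
!  crypto ikev2 profile FLEX-PROF
!   ... as above ...
!  crypto ipsec profile default
!   set ikev2-profile FLEX-PROF
!  interface Tunnel0
!   tunnel protection ipsec profile default
!
! Verification (exec mode):
!   show crypto ikev2 sa          -> IKEv2 SA with the negotiated proposal
!   show crypto ikev2 proposal default   -> what smart defaults actually offer
```

The explicit form is worth keeping for the reader because it makes visible what the smart defaults hide: the negotiated ciphers live in block 1 and the peer identity check in block 4. Before relying on `default` objects, review their contents with `show crypto ikev2 proposal default` and `show crypto ipsec transform-set`, since the defaults are chosen for interoperability rather than for a particular organization's policy, and the course recommends against customizing them in place.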

The solution can provide significant cost savings compared to supporting multiple separate types of VPN solutions, such as GRE, crypto map, and VTI-based deployments. FlexVPN relies on open standards-based IKEv2 as its security technology and provides many Cisco-specific enhancements on top of it to provide high levels of security, added value, and competitive differentiation. FlexVPN is the Cisco implementation of the IKEv2 standard. An overview of the FlexVPN architecture follows: a single configuration approach for all VPN types; IKEv2 as a major protocol update with no backward compatibility with IKEv1 and many improvements; per-peer features (QoS, firewall policies, VRF, route injection, and so on).

Service aggregation: remote access and site-to-site; improved service management: AAA and multitenancy; recommended for the future. FlexVPN provides the following benefits. Transport network: FlexVPN can be deployed over the public Internet or a private MPLS network. VPN deployment style: it differs in the concentration of both site-to-site and remote access VPNs; one single FlexVPN deployment can accept both types of connection requests at the same time. Failover redundancy: three different kinds of redundancy models are implemented with FlexVPN: dynamic routing protocols, IKEv2-based dynamic route distribution and clustering, and IPsec or IKEv2 active/standby stateful failover between two chassis. Third-party compatibility: the FlexVPN solution provides compatibility with any IKEv2-based third-party VPN vendors, including native VPN clients from Apple iOS and Android devices.

IP multicast support: FlexVPN natively supports IP multicast. Superior QoS: the FlexVPN architecture easily allows hierarchical QoS to be integrated on a per-tunnel or per-SA basis. Centralized policy control: VPN dynamic policies can be fully integrated with the AAA or RADIUS server and applied on a per-peer basis. These dynamic policies include split tunnel policy, encryption network policy, VRF selection, DNS server for remote access, and so on. VRF awareness: FlexVPN supports both inside VRF and front-door VRF. You can manage the inside VRF assignment policy with the centralized AAA server.
