Virtual Private Networks (VPNs)
The huge increase in the number of VPN clients and companies wanting to use VPNs requires administrators to understand the special security considerations necessary when dealing with VPNs. Because most VPNs are used over a connection to the Internet, any security gap has the potential to be exploited by hundreds of hackers.
VPNs are built by using tunneling protocols, which are protocols that are encapsulated within another protocol. Examples of tunneling protocols used in VPNs are General Routing Encapsulation (GRE), Layer 2 Tunneling Protocol (L2TP), Encapsulation Security Protocol (ESP), Cisco Encryption Technology (CET), and the Layer 2 Forwarding (L2F) protocols. This section covers some of the more commonly used tunneling protocols.
Although a tunneling protocol by itself does offer some protection, greater protection can be obtained by adding encryption within the tunnel. Because a tunnel can normally only be entered from one of the endpoints, some administrators consider them safe without encryption. Only encryption can truly protect data. The “man in the middle” form of attack can be used to inject a device in the middle of a tunnel. This is why a tunnel without encryption is not truly secure.
Because most tunnels can carry encrypted traffic, there is no reason other than router overhead not to also encrypt traffic running through the tunnel. If the performance of your routers is adversely affected by the combination of encryption and tunneling, the routers should be upgraded.
Before discussing how to set up an encrypted tunnel, this section includes a quick overview of some of the types of tunnels and encryption available on Cisco equipment.
L2F
The Layer 2 Forwarding (L2F) protocol is a Cisco proprietary protocol developed to allow Virtual Private Dial-up Network (VPDN) connections. While still supported for various other functions, L2F has largely been replaced by L2TP.
L2TP
Layer 2 Tunneling Protocol (L2TP) builds on the best features present in both the L2F and PPTP protocols. Supporting both IP and non-IP protocols, L2TP is used mainly for dial-up connections.
Generic Routing Encapsulation (GRE) Tunneling
Generic routing encapsulation (GRE) tunnels build a path through the public Internet while encapsulating traffic with new packet headers that ensure the delivery to a specified destination. GRE tunneling is also commonly used to transfer non-IP traffic over an IP network by encapsulating this non-IP traffic within IP.
Encryption
Cisco supports both IPSec and Cisco Encryption Technology (CET) data encryption within GRE tunnels.
IPSec is an open standard, supporting 56-bit, 128-bit, and 256-bit encryption algorithms. Supported on platforms such as Windows and UNIX, IPSec uses certificate authentication and Internet Key Exchange (IKE).
CET is a Cisco standard that supports 40-bit and 56-bit encryption algorithms. CET can be used only between two Cisco routers. Administrators need to be aware that with the exception of the acceleration card within the 7200 and 7500 series routers, CET will be discontinued with the next major release after IOS version 12.1.
If you are currently deploying CET, you should consider upgrading your configurations before you are forced to when installing a new IOS version. Cisco recommends that IPSec with IKE be used instead of CET for encryption within the tunnel.
See the article at this URL for more details about the CET end-of-life announcement: www.cisco.com/warp/public/cc/general/bulletin/security/1118_pp.htm
IPSec Configuration
The following configurations show how a main router and a branch router can be set up to accept a VPN connection using IPSec encryption. The new commands will be explored after the configurations. The following is the main office router configuration:
access-list 101 permit any any crypto map branchoffice 10 ipsec-isakmp match address 101 set transform-set mytransformset set peer 172.30.2.2 interface Serial0 ip address 172.30.2.1 crypto map branchoffice
The following is the branch router configuration:
access-list 101 permit any any crypto map branchoffice 10 ipsec-isakmp match address 101 set transform-set mytransformset set peer 172.30.2.1 interface Serial0 ip address 172.30.2.2 crypto map branchoffice
The crypto map branchoffice 10 ipsec-isakmp line defines a map name (branchoffice) and assigns a number (10) to that map name. Next, the line defines that you will use IKE to establish IPSec security associations for the traffic specified in the map statement.
The match address command specifies that extended access list 101 is used to determine what traffic is encrypted. A named access list can also be used.
The set transform-set command specifies the name mytransformset. This name is compared to the peer router. If the transform set on the peer router is the same, encryption and decryption takes place. If the names are different, no data transfer occurs.
The set peer command sets the IP address of the peer router. The peer router must also have the correct IP address configured.
Within the interface, there is the crypto map command that associates this interface with the globally defined mapping of branchoffice.
This was a very simple example. Next, look at an example that is closer to real life. Take extra time to read all of the imbedded comments within this configuration:
access-list 199 permit udp any eq 500 any eq 500 access-list 199 permit 50 any any access-list 199 permit 51 any any !These ports are necessary because IKE and IPSec use them access-list 150 permit 50 any any access-list 150 permit 51 any any access-list 150 permit udp any eq 500 any eq 500 !Since you will have two access lists (one inbound and one outbound) !on the serial interface, you will need to allow IKE !and IPSec traffic for both of these interfaces. access-list 101 permit tcp 172.30.1.0 0.0.0.255 172.20.3.0 0.0.0.255 eq 23 access-list 101 permit tcp 172.30.1.0 0.0.0.255 eq 23 172.20.3.0 0.0.0.255 !Why use another access list? You want to encrypt all !data that uses port 23 (Telnet) either coming or going from the main branch. !You will use the number 101 later to define what is encrypted. crypto transform-set encryp-auth esp-des esp-sha-hmac crypto transform-set auth-only ah-sha-hmac !You define the IPSec protection types for use on each type of traffic crypto map BranchOffice 10 ipsec-isakmp match address 101 !Remember that you are watching for the number 101? !This refers to access list number 101, which is used to determine !what traffic should be encrypted set transform-set mytransformset set peer 172.30.2.1 interface Serial0 ip address 172.30.2.2 crypto map branchoffice ip access-group 199 in !You need to allow IKE and IPSec traffic through ip access-group 150 out !You need the traffic to flow both ways