8.0. Introduction
8.0.1. Why should I take this module?
Welcome to VPN and IPsec Concepts!
Have you, or someone you know, ever been hacked while using public Wi-Fi? It is surprisingly easy to do. But there is a solution to this problem: Virtual Private Networks (VPNs) and the additional protection of IP security (IPsec). VPNs are commonly used by remote workers around the globe. There are also personal VPNs that you can use when you are on public Wi-Fi. In fact, there are many different kinds of VPNs using IPsec to protect and authenticate IP packets between their source and destination.
Module Title: VPN and IPsec Concepts
Module Objective: Explain how VPNs and IPsec are used to secure site-to-site and remote access connectivity.
Topic Title | Topic Objective |
---|---|
VPN Technology | Describe benefits of VPN technology. |
Types of VPNs | Describe different types of VPNs. |
IPsec | Explain how the IPsec framework is used to secure network traffic. |
To secure network traffic between sites and users, organizations use virtual private networks (VPNs) to create end-to-end private network connections. A VPN is virtual in that it carries information within a private network, but that information is actually transported over a public network. A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network.
The figure shows a collection of various types of VPNs managed by an enterprise's main site. The tunnels enable remote sites and users to access the main site's network resources securely.
The first types of VPNs were strictly IP tunnels that did not include authentication or encryption of the data. For example, Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco and which does not include encryption services. It is used to encapsulate IPv4 and IPv6 traffic inside an IP tunnel to create a virtual point-to-point link.
Modern VPNs now support encryption features, such as Internet Protocol security (IPsec) and Secure Sockets Layer (SSL) VPNs to secure network traffic between sites.
Major benefits of VPNs are shown in the table.
Benefit | Description |
---|---|
Cost Savings | With the advent of cost-effective, high-bandwidth technologies, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth. |
Security | VPNs provide the highest level of security available, by using advanced encryption and authentication protocols that protect data from unauthorized access. |
Scalability | VPNs allow organizations to use the internet, making it easy to add new users without adding significant infrastructure. |
Compatibility | VPNs can be implemented across a wide variety of WAN link options including all the popular broadband technologies. Remote workers can take advantage of these high-speed connections to gain secure access to their corporate networks. |
VPNs are commonly deployed in one of the following configurations: site-to-site or remote-access.
There are many options available to secure enterprise traffic. These solutions vary depending on who manages the VPN.
VPNs can be managed and deployed as either enterprise VPNs or service provider VPNs.
The figure lists the different types of enterprise-managed and service provider-managed VPN deployments that will be discussed in more detail in this module.
In the previous topic you learned about the basics of a VPN. Here you will learn about the types of VPNs.
VPNs have become the logical solution for remote-access connectivity for many reasons. As shown in the figure, remote-access VPNs let remote and mobile users securely connect to the enterprise by creating an encrypted tunnel. Remote users can securely replicate their enterprise security access, including email and network applications. Remote-access VPNs also allow contractors and partners to have limited access to the specific servers, web pages, or files as required. This means that these users can contribute to business productivity without compromising network security.
Remote-access VPNs are typically enabled dynamically by the user when required. Remote access VPNs can be created using either IPsec or SSL. As shown in the figure, a remote user must initiate a remote access VPN connection.
The figure displays two ways that a remote user can initiate a remote access VPN connection: clientless VPN and client-based VPN.
When a client negotiates an SSL VPN connection with the VPN gateway, it actually connects using Transport Layer Security (TLS). TLS is the newer version of SSL and is sometimes expressed as SSL/TLS. However, both terms are often used interchangeably.
SSL uses the public key infrastructure and digital certificates to authenticate peers. Both IPsec and SSL VPN technologies offer access to virtually any network application or resource. However, when security is an issue, IPsec is the superior choice. If support and ease of deployment are the primary issues, consider SSL. The type of VPN method implemented is based on the access requirements of the users and the organization's IT processes. The table compares IPsec and SSL remote access deployments.
Feature | IPsec | SSL |
---|---|---|
Applications supported | Extensive – All IP-based applications are supported. | Limited – Only web-based applications and file sharing are supported. |
Authentication strength | Strong – Uses two-way authentication with shared keys or digital certificates. | Moderate – Using one-way or two-way authentication. |
Encryption strength | Strong – Uses key lengths from 56 bits to 256 bits. | Moderate to strong – With key lengths from 40 bits to 256 bits. |
Connection complexity | Medium – Because it requires a VPN client pre-installed on a host. | Low – It requires only a web browser on a host. |
Connection options | Limited – Only specific devices with specific configurations can connect. | Extensive – Any device with a web browser can connect. |
It is important to understand that IPsec and SSL VPNs are not mutually exclusive. Instead, they are complementary; both technologies solve different problems, and an organization may implement IPsec, SSL, or both, depending on the needs of its telecommuters.
Site-to-site VPNs are used to connect networks across another untrusted network such as the internet. In a site-to-site VPN, end hosts send and receive normal unencrypted TCP/IP traffic through a VPN terminating device. The VPN terminating device is typically called a VPN gateway. A VPN gateway device could be a router or a firewall, as shown in the figure. For example, the Cisco Adaptive Security Appliance (ASA) shown on the right side of the figure is a standalone firewall device that combines firewall, VPN concentrator, and intrusion prevention functionality into one software image.
The VPN gateway encapsulates and encrypts outbound traffic for all traffic from a particular site. It then sends the traffic through a VPN tunnel over the internet to a VPN gateway at the target site. Upon receipt, the receiving VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
Site-to-site VPNs are typically created and secured using IP security (IPsec).
Generic Routing Encapsulation (GRE) is a non-secure site-to-site VPN tunneling protocol. It can encapsulate various network layer protocols. It also supports multicast and broadcast traffic which may be necessary if the organization requires routing protocols to operate over a VPN. However, GRE does not by default support encryption; and therefore, it does not provide a secure VPN tunnel.
A standard IPsec VPN (non-GRE) can only create secure tunnels for unicast traffic. Therefore, routing protocols will not exchange routing information over an IPsec VPN.
To solve this problem, we can encapsulate routing protocol traffic using a GRE packet, and then encapsulate the GRE packet into an IPsec packet to forward it securely to the destination VPN gateway.
The terms used to describe the encapsulation of GRE over IPsec tunnel are passenger protocol, carrier protocol, and transport protocol, as shown in the figure.
For example, in the figure displaying a topology, Branch and HQ would like to exchange OSPF routing information over an IPsec VPN. However, IPsec does not support multicast traffic. Therefore, GRE over IPsec is used to support the routing protocol traffic over the IPsec VPN. Specifically, the OSPF packets (i.e., passenger protocol) would be encapsulated by GRE (i.e., carrier protocol) and subsequently encapsulated in an IPsec VPN tunnel.
The Wireshark screen capture displayed in the figure shows an OSPF Hello packet that was sent using GRE over IPsec. In the example, the original OSPF Hello multicast packet (i.e., passenger protocol) was encapsulated with a GRE header (i.e., carrier protocol), which is subsequently encapsulated by another IP header (i.e., transport protocol). This IP header would then be forwarded over an IPsec tunnel.
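As an added example (not from the original module), the following Python builds an OSPF Hello as the passenger protocol, wraps it in a GRE header (carrier) and an outer IP header (transport), then dissects the result layer by layer in the order the Wireshark capture shows them. The addresses and Hello contents are constructed sample values, and only the cleartext GRE-over-IP stage is modelled; the final IPsec encryption step is not.

```python
import struct
import ipaddress

OSPF_PROTO = 89                # IP protocol number for OSPF
GRE_PROTO = 47                 # IP protocol number for GRE
GRE_PTYPE_IPV4 = 0x0800        # GRE protocol type for an IPv4 passenger packet
ALL_SPF_ROUTERS = "224.0.0.5"  # OSPF Hello multicast destination (AllSPFRouters)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; the checksum is left at zero for this example."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(buf):
    """Return (src, dst, protocol, header_len) from an IPv4 header."""
    header_len = (buf[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(buf[12:16])),
            str(ipaddress.IPv4Address(buf[16:20])), buf[9], header_len)

def ospf_hello(router_id, area_id):
    """Constructed OSPFv2 Hello: 24-byte OSPF header (type 1) plus a 20-byte Hello body."""
    header = struct.pack("!BBH4s4sHHQ", 2, 1, 44, ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed, 0, 0, 0)
    body = struct.pack("!4sHBBI4s4s", ipaddress.IPv4Address("255.255.255.0").packed,
                       10, 0x02, 1, 40, b"\0" * 4, b"\0" * 4)  # hello 10s, dead 40s, no DR/BDR
    return header + body

def build_gre_over_ip(branch_tunnel_ip, branch_wan, hq_wan, hello):
    """Passenger (OSPF) -> carrier (GRE) -> transport (outer IP between the tunnel endpoints)."""
    inner = ipv4_header(branch_tunnel_ip, ALL_SPF_ROUTERS, OSPF_PROTO, len(hello)) + hello
    carrier = struct.pack("!HH", 0, GRE_PTYPE_IPV4) + inner  # RFC 2784 GRE header, no options
    return ipv4_header(branch_wan, hq_wan, GRE_PROTO, len(carrier)) + carrier

def dissect(packet):
    """Walk the packet from the outside in, labelling each layer with its tunnel role."""
    layers = []
    src, dst, proto, hlen = parse_ipv4(packet)
    layers.append(("transport", f"IPv4 {src} -> {dst}, protocol {proto}"))
    if proto != GRE_PROTO:
        return layers
    flags, ptype = struct.unpack("!HH", packet[hlen:hlen + 4])
    layers.append(("carrier", f"GRE protocol type 0x{ptype:04x}"))
    if flags & 0xB000 or ptype != GRE_PTYPE_IPV4:  # C/K/S option bits or a non-IPv4
        return layers                                # passenger are outside this example
    inner = packet[hlen + 4:]
    src, dst, proto, hlen = parse_ipv4(inner)
    layers.append(("passenger", f"IPv4 {src} -> {dst}, protocol {proto}"))
    if proto == OSPF_PROTO:
        version, msg_type = inner[hlen], inner[hlen + 1]
        kind = "Hello" if msg_type == 1 else f"type {msg_type}"
        layers.append(("passenger", f"OSPFv{version} {kind}"))
    return layers

# Constructed sample: Branch tunnel address 10.0.0.1, WAN endpoints from documentation ranges.
SAMPLE_PACKET = build_gre_over_ip("10.0.0.1", "203.0.113.1", "198.51.100.1",
                                  ospf_hello("10.0.0.1", "0.0.0.0"))

if __name__ == "__main__":
    for role, desc in dissect(SAMPLE_PACKET):
        print(f"{role:>9}: {desc}")
```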
Site-to-site IPsec VPNs and GRE over IPsec are adequate to use when there are only a few sites to securely interconnect. However, they are not sufficient when the enterprise adds many more sites. This is because each site would require static configurations to all other sites, or to a central site.
Dynamic Multipoint VPN (DMVPN) is a Cisco software solution for building multiple VPNs in an easy, dynamic, and scalable manner. Like other VPN types, DMVPN relies on IPsec to provide secure transport over public networks, such as the internet.
DMVPN simplifies the VPN tunnel configuration and provides a flexible option to connect a central site with branch sites. It uses a hub-and-spoke configuration to establish a full mesh topology. Spoke sites establish secure VPN tunnels with the hub site, as shown in the figure.
Each site is configured using Multipoint Generic Routing Encapsulation (mGRE). The mGRE tunnel interface allows a single GRE interface to dynamically support multiple IPsec tunnels. Therefore, when a new site requires a secure connection, the same configuration on the hub site would support the tunnel. No additional configuration would be required.
Spoke sites could also obtain information about remote sites from the central site. They can use this information to establish direct VPN tunnels, as shown in the figure.
Like DMVPNs, IPsec Virtual Tunnel Interface (VTI) simplifies the configuration process required to support multiple sites and remote access. IPsec VTI configurations are applied to a virtual interface instead of statically mapping the IPsec sessions to a physical interface.
IPsec VTI is capable of sending and receiving both IP unicast and multicast encrypted traffic. Therefore, routing protocols are automatically supported without having to configure GRE tunnels.
IPsec VTI can be configured between sites or in a hub-and-spoke topology.
Traditional service provider WAN solutions such as leased lines, Frame Relay, and ATM connections were inherently secure in their design. Today, service providers use MPLS in their core network. Traffic is forwarded through the MPLS backbone using labels that were previously distributed among the core routers. Like legacy WAN connections, traffic is secure because service provider customers cannot see each other's traffic.
MPLS can provide clients with managed VPN solutions; therefore, securing traffic between client sites is the responsibility of the service provider. There are two types of MPLS VPN solutions supported by service providers: Layer 3 MPLS VPN and Layer 2 MPLS VPN.
The figure shows a service provider that offers both Layer 2 and Layer 3 MPLS VPNs.
In the previous topic you learned about types of VPNs. It is important to understand how IPsec works with a VPN.
IPsec is an IETF standard (RFC 2401-2412) that defines how a VPN can be secured across IP networks. IPsec protects and authenticates IP packets between source and destination. IPsec can protect traffic from Layer 4 through Layer 7.
Using the IPsec framework, IPsec provides these essential security functions: confidentiality, integrity, origin authentication, and key exchange using Diffie-Hellman.
IPsec is not bound to any specific rules for secure communications. This flexibility of the framework allows IPsec to easily integrate new security technologies without updating the existing IPsec standards. The currently available technologies are aligned to their specific security function. The open slots shown in the IPsec framework in the figure can be filled with any of the choices that are available for that IPsec function to create a unique security association (SA).
The security functions are listed in the table.
IPsec Function | Description |
---|---|
IPsec Protocol | The choices for IPsec Protocol include Authentication Header (AH) or Encapsulation Security Protocol (ESP). AH authenticates the Layer 3 packet. ESP encrypts the Layer 3 packet. Note: ESP+AH is rarely used as this combination will not successfully traverse a NAT device. |
Confidentiality | Encryption ensures confidentiality of the Layer 3 packet. Choices include Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES), or Software-optimized Encryption Algorithm (SEAL). No encryption is also an option. |
Integrity | Ensures that data arrives unchanged at the destination using a hash algorithm, such as message-digest 5 (MD5) or Secure Hash Algorithm (SHA). |
Authentication | IPsec uses Internet Key Exchange (IKE) to authenticate users and devices that can carry out communication independently. IKE uses several types of authentication, including username and password, one-time password, biometrics, pre-shared keys (PSKs), and digital certificates using the Rivest, Shamir, and Adleman (RSA) algorithm. |
Diffie-Hellman | IPsec uses the DH algorithm to provide a public key exchange method for two peers to establish a shared secret key. There are several different groups to choose from, including DH14, 15, 16 and DH19, 20, 21 and 24. DH1, 2 and 5 are no longer recommended. |
The figure shows examples of SAs for two different implementations. An SA is the basic building block of IPsec. When establishing a VPN link, the peers must share the same SA to negotiate key exchange parameters, establish a shared key, authenticate each other, and negotiate the encryption parameters. Notice that SA Example 1 is using no encryption.
Choosing the IPsec protocol encapsulation is the first building block of the framework. IPsec encapsulates packets using Authentication Header (AH) or Encapsulation Security Protocol (ESP).
The choice of AH or ESP establishes which other building blocks are available.
AH is appropriate only when confidentiality is not required or permitted. It provides data authentication and integrity, but it does not provide data confidentiality (encryption). All text is transported unencrypted.
ESP provides both confidentiality and authentication. It provides confidentiality by performing encryption on the IP packet. ESP provides authentication for the inner IP packet and ESP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected.
Confidentiality is achieved by encrypting the data, as shown in the figure. The degree of confidentiality depends on the encryption algorithm and the length of the key used in the encryption algorithm. If someone tries to hack the key through a brute-force attack, the number of possibilities to try is a function of the length of the key. The time to process all the possibilities is a function of the computing power of the attacking device. The shorter the key, the easier it is to break. A 64-bit key can take approximately one year to break with a relatively sophisticated computer. A 128-bit key with the same machine can take roughly 10^19 (10 quintillion) years to decrypt.
The encryption algorithms highlighted in the figure are all symmetric key cryptosystems.
Data integrity means that the data that is received is exactly the same data that was sent. Potentially, data could be intercepted and modified. For example, in the figure, assume that a check for $100 is written to Alex. The check is then mailed to Alex, but it is intercepted by a threat actor. The threat actor changes the name on the check to Jeremy and the amount on the check to $1,000 and attempts to cash it. Depending on the quality of the forgery in the altered check, the attacker could be successful.
Because VPN data is transported over the public internet, a method of proving data integrity is required to guarantee that the content has not been altered. The Hash Message Authentication Code (HMAC) is a data integrity algorithm that guarantees the integrity of the message using a hash value. The figure highlights the two most common HMAC algorithms.
Note: Cisco now rates SHA-1 as legacy and recommends at least SHA-256 for integrity.
When conducting business long distance, you must know who is at the other end of the phone, email, or fax. The same is true of VPN networks. The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. The figure highlights the two peer authentication methods.
The figure shows an example of PSK authentication. At the local device, the authentication key and the identity information are sent through a hash algorithm to form the hash for the local peer (Hash_L). One-way authentication is established by sending Hash_L to the remote device. If the remote device can independently create the same hash, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction, and all steps are repeated from the remote device to the local device.
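As an added example (not from the original module), this Python models with the standard library's HMAC two things described above: integrity protection of a message, using the altered-check scenario, and the one-way-then-reverse PSK peer authentication built on Hash_L. The identities, keys and digest choice are constructed, and the per-exchange nonce is an addition of this example rather than part of the module's description.

```python
import hashlib
import hmac
import secrets

def protect(key: bytes, message: bytes, digest: str = "sha256") -> bytes:
    """Append an HMAC tag so the receiver can prove the message was not altered in transit."""
    return message + hmac.new(key, message, digest).digest()

def verify(key: bytes, protected: bytes, digest: str = "sha256"):
    """Return (ok, message); ok is False if either the content or the tag was changed."""
    tag_len = hashlib.new(digest).digest_size
    message, tag = protected[:-tag_len], protected[-tag_len:]
    ok = hmac.compare_digest(hmac.new(key, message, digest).digest(), tag)
    return ok, message

def check_forgery_demo(key: bytes):
    """The $100 check to Alex is intercepted and rewritten; the old tag no longer matches."""
    original = protect(key, b"PAY Alex $100")
    tampered = b"PAY Jeremy $1,000" + original[-32:]  # altered content, original SHA-256 tag
    return verify(key, original)[0], verify(key, tampered)[0]

def peer_hash(psk: bytes, identity: bytes, nonce: bytes, digest: str = "sha256") -> bytes:
    """Hash_L: the authentication key and identity information run through the hash.
    The nonce (this example's addition) stops a recorded Hash_L being replayed later.
    Pass digest="sha1" to see the legacy 20-byte digest next to SHA-256's 32 bytes."""
    return hmac.new(psk, identity + nonce, digest).digest()

def authenticate_peer(prover_psk, verifier_psk, identity, digest="sha256") -> bool:
    """One-way step: the verifier recomputes Hash_L from its own PSK and compares."""
    nonce = secrets.token_bytes(16)                           # chosen by the verifier
    hash_l = peer_hash(prover_psk, identity, nonce, digest)   # sent by the prover
    return hmac.compare_digest(peer_hash(verifier_psk, identity, nonce, digest), hash_l)

def mutual_auth(local_psk, remote_psk, local_id, remote_id, digest="sha256"):
    """Run the one-way check in both directions, as the module describes.
    Returns (local authenticated by remote, remote authenticated by local)."""
    local_ok = authenticate_peer(local_psk, remote_psk, local_id, digest)
    remote_ok = authenticate_peer(remote_psk, local_psk, remote_id, digest)
    return local_ok, remote_ok

if __name__ == "__main__":
    # Constructed sample keys and peer identities
    print("integrity (genuine, forged):", check_forgery_demo(b"constructed-integrity-key"))
    print("matching PSKs:", mutual_auth(b"same-psk", b"same-psk", b"branch", b"hq"))
    print("mismatched PSKs:", mutual_auth(b"same-psk", b"other-psk", b"branch", b"hq"))
```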
The figure shows an example of RSA authentication. At the local device, the authentication key and identity information are sent through the hash algorithm to form the hash for the local peer (Hash_L). Then the Hash_L is encrypted using the local device’s private encryption key. This creates a digital signature. The digital signature and a digital certificate are forwarded to the remote device. The public encryption key for decrypting the signature is included in the digital certificate. The remote device verifies the digital signature by decrypting it using the public encryption key. The result is Hash_L. Next, the remote device independently creates Hash_L from stored information. If the calculated Hash_L equals the decrypted Hash_L, the local device is authenticated. After the remote device authenticates the local device, the authentication process begins in the opposite direction and all steps are repeated from the remote device to the local device.
Encryption algorithms require a symmetric, shared secret key to perform encryption and decryption. How do the encrypting and decrypting devices get the shared secret key? The easiest key exchange method is to use a public key exchange method, such as Diffie-Hellman (DH), as shown in the figure.
DH provides a way for two peers to establish a shared secret key that only they know, even though they are communicating over an insecure channel. Variations of the DH key exchange are specified as DH groups, such as groups 1, 2, 5, 14, 15, 16, 19, 20, 21 and 24 listed in the framework table above.
The DH group you choose must be strong enough, or have enough bits, to protect the IPsec keys during negotiation. For example, DH group 1 is strong enough to support DES and 3DES encryption, but not AES. If the encryption or authentication algorithms use a 128-bit key, use group 14, 19, 20 or 24. However, if the encryption or authentication algorithms use a 256-bit key or higher, use group 21 or 24.
A VPN is virtual in that it carries information within a private network, but that information is actually transported over a public network. A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network. Benefits of VPNs are cost savings, security, scalability, and compatibility. VPNs are commonly deployed in one of the following configurations: site-to-site or remote-access. VPNs can be managed and deployed as enterprise VPNs and service provider VPNs.
Remote-access VPNs let remote and mobile users securely connect to the enterprise by creating an encrypted tunnel. Remote access VPNs can be created using either IPsec or SSL. When a client negotiates an SSL VPN connection with the VPN gateway, it actually connects using TLS. SSL uses the public key infrastructure and digital certificates to authenticate peers. Site-to-site VPNs are used to connect networks across an untrusted network such as the internet. In a site-to-site VPN, end hosts send and receive normal unencrypted TCP/IP traffic through a VPN terminating device. The VPN terminating device is typically called a VPN gateway. A VPN gateway could be a router or a firewall. GRE is a non-secure site-to-site VPN tunneling protocol. DMVPN is a Cisco software solution for easily building multiple, dynamic, scalable VPNs. Like DMVPNs, IPsec VTI simplifies the configuration process required to support multiple sites and remote access. IPsec VTI configurations are applied to a virtual interface instead of statically mapping the IPsec sessions to a physical interface. IPsec VTI can send and receive both IP unicast and multicast encrypted traffic. MPLS can provide clients with managed VPN solutions; therefore, securing traffic between client sites is the responsibility of the service provider. There are two types of MPLS VPN solutions supported by service providers, Layer 3 MPLS VPN and Layer 2 MPLS VPN.
IPsec protects and authenticates IP packets between source and destination. IPsec can protect traffic from Layer 4 through Layer 7. Using the IPsec framework, IPsec provides confidentiality, integrity, origin authentication, and Diffie-Hellman. Choosing the IPsec protocol encapsulation is the first building block of the framework. IPsec encapsulates packets using AH or ESP. The degree of confidentiality depends on the encryption algorithm and the length of the key used in the encryption algorithm. The HMAC is an algorithm that guarantees the integrity of the message using a hash value. The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. A PSK value is entered into each peer manually. The PSK is combined with other information to form the authentication key. RSA authentication uses digital certificates to authenticate the peers. The local device derives a hash and encrypts it with its private key. The encrypted hash is attached to the message and is forwarded to the remote end and acts like a signature. DH provides a way for two peers to establish a shared secret key that only they know, even though they are communicating over an insecure channel.