Cisco® CCNA Security Exam Notes : Vpn Concepts


Go to latest CCNA Exam Cram

3. VPN

3.1 VPN Concepts

Two types of VPNs that are widely used:

1. Remote access VPNs - here a teleworker may access head quarters securely using VPN access using public Internet. Remote-access VPNs can use IPsec or SSL technologies for their VPN.

2. Site-to-site VPNs - here, the VPN connectivity is provided between two sites. By this, anybody accessing any host on the second site can connect and transfer information securely even though there is no secure connectivity from the host. Communication will be secured when the packet leaves the corporate network. The VPN tunnel ends after it enters the remote site. Site-to-site VPNs traditionally use a collection of VPN technologies called Ipsec.

The benefits of implementing Virtual Private Networks (VPNs) include the following:

The benefits of implementing Virtual Private Networks (VPNs) include the following:

1. Data integrity - the data contained in the packets can't be changed by attacker

2. Data confidentiality or privacy - an attacker will not be able to see or read the data

3. Authentication - the sender is the one who claims to be.

4. No replay - it is not possible to replay properly configured, secure VPN communication.

The VPN can be implemented in any of the following combinations:

1. Gateway-to-gateway VPN

2. Gateway-to-host VPN

3. Host-to-gateway VPN

4. Host-to-host VPN


The host-to-host configuration provides the highest security for the data. However, a Gate-to-Gateway VPN is transparent to the end users.

IKE Phase 1 configuration:

1. Specify the interface to be used for VPN

2. Specify the remote peer IP address

3. Provide pre-shared key (or digital certificate). Required for authenticating itself with the peer.

4. Specify IKE Phase 1 Policies (Optional, you may use default or custom)

IKE Phase 2 configuration:

1. Define transform-sets (Optional): The policies used for IKE Phase 2 are called transform sets. A transform set refers to the methods of encryption and hashing that you want to use for the IKE Phase 2 tunnels. Remember that whatever you choose here, you also need to configure on the other router, as well.

2. Configuring the ACL used to classify which traffic should be protected by IPsec

3. Finish or commit the configuration changes.

The next step would be to configure the peer router. For this purpose, an option called "Configure Mirror" is available soon after finishing one end. You can make necessary changes (if any) and commit the configuration to the peer router with one click.

IKE Phase 1 steps:

Step 1: Negotiate the IKE Phase 1 Tunnel. The end points of the VPN tunnel need to agree on:

  • Hash algorithm: This could be message digest 5 algorithm (MD5) or Secure Hash (SHA) on most devices.
  • Encryption algorithm: This could be DES/3DES/AES
  • Diffie-Hellman (DH) group to use: Group 1 uses 768 bits, group 2 uses 1024, and group 5 uses 1536.
  • Authentication method: Used for verifying the identity of the VPN peer on the other side of the tunnel. Uses pre-shared key (PSK) or RSA signatures
  • Lifetime: How long until this IKE Phase 1 tunnel should be torn down

Step 2: Run the DH Key Exchange

Step 3: Authenticate the Peer; the authentication could be done either using a PSK or using RSA digital signatures.

The purpose of IKE phase 2 is to negotiate IPSec SAs to set up the IPSec tunnel. IKE phase 2 performs the following functions:

  • Negotiates IPSec SA parameters protected by an existing IKE SA
  • Establishes IPSec security associations
  • Periodically renegotiates IPSec SAs to ensure security
  • Optionally performs an additional Diffie-Hellman exchange

This IKE Phase 1 tunnel is used for only management purpose. To protect the end user's packets, the two VPN devices build a second tunnel for the sole purpose of encrypting the end-user packets. This second tunnel is called the IKE Phase 2 tunnel; it is also commonly referred to as the IPsec tunnel. The basic configuration steps are as given below.

Given below are the steps involved in configuring clientless VPN connection using ASASDM:

  • Enter Connection profile name and SSL VPN Interface
  • Select the Digital Certificate to used to authenticate the ASA
  • Connection Group Alias/URL
  • User Authentication
  • Create/Modify User Group Policy
  • Create/Edit Bookmark Lists

Note that a clientless VPN connection does not require any software be installed specially on the client machine.


There are several types of VPN technologies available, and not all are used for the same purpose. MPLS VPN, GRE, and IPSec are most popular VPN technologies used in site-to-site VPN.

IPSec and SSL are most widely used for remote access VPN.

Previous   Contents   Next