Cisco® CCNA Exam Cram Notes: VPN

VIII. Security Fundamentals

11. VPN

1. Remote access VPNs: A remote access VPN lets a teleworker reach the headquarters network securely over the public Internet. Remote-access VPNs can use IPsec or SSL/TLS for the tunnel. They enable users working at home or on the road to reach servers on the private network using the infrastructure of a public network such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the computer (the VPN client) and the organization's VPN server or gateway. The user need not be aware of the underlying network path; logically the data appears to travel over a dedicated private link.

2. Site-to-site VPNs: In a site-to-site VPN the connectivity is provided between two sites, gateway to gateway. Any host on one site can reach any host on the other site and exchange data securely even though the hosts themselves run no VPN software and have no secure connection of their own. Traffic is protected from the moment it leaves the corporate network; the tunnel ends when the packet enters the remote site, and inside each site the packets travel in the clear. Site-to-site VPNs traditionally use the collection of VPN technologies called IPsec.

Gateway-to-Gateway VPN: A gateway-to-gateway VPN connection allows two routers to connect to each other securely, so that a client on one end logically appears to be part of the network on the other end. This lets data and resources be shared more easily and securely over the Internet. Both routers must be configured to establish a gateway-to-gateway VPN.

The benefits of implementing Virtual Private Networks (VPNs) include the following:

1. Data integrity - the data contained in the packets cannot be changed by an attacker without the receiver detecting it.

2. Data confidentiality or privacy - an attacker who captures the packets cannot see or read the data.

3. Authentication - the sender is who it claims to be.

4. Anti-replay - a properly configured, secure VPN rejects captured packets that an attacker re-sends; sequence numbers in the IPsec (ESP/AH) header let the receiver discard duplicates.

5. Split tunnel option - split tunneling lets AnyConnect and other remote access VPN clients send traffic through the VPN only when it is destined for specific networks at the headquarters site. All other traffic leaves the client's normal interface, outside the VPN. This saves bandwidth because less traffic traverses the tunnel through headquarters. Note, however, that split tunneling is a deployment option rather than a protection, and it weakens the security posture: the traffic sent outside the tunnel is not encrypted and does not pass through the headquarters firewall or inspection, and the client is connected to the untrusted network and the corporate network at the same time.
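The following constructed Cisco ASA configuration is an added example, not part of the original notes. It shows the two policies side by side: a group policy that split-tunnels only the headquarters prefixes, and one that tunnels everything. The group policy names, the access list name and the 10.10.0.0/16 and 10.20.0.0/16 prefixes are assumptions.

```cisco
! Constructed example (ASA). Names and prefixes are assumptions.
!
! The standard ACL names the destination networks that belong to headquarters.
! Only traffic to these prefixes enters the tunnel; everything else leaves the
! client's local interface unencrypted and uninspected.
access-list HQ-ONLY standard permit 10.10.0.0 255.255.0.0
access-list HQ-ONLY standard permit 10.20.0.0 255.255.0.0
!
! Split-tunnel group policy: bandwidth friendly, weaker security posture.
group-policy TELEWORKERS internal
group-policy TELEWORKERS attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HQ-ONLY
!
! Full-tunnel group policy for comparison: all client traffic, including
! Internet browsing, goes through headquarters and its security stack.
group-policy TELEWORKERS-FULL internal
group-policy TELEWORKERS-FULL attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelall
```

After a client connects, `show vpn-sessiondb anyconnect` on the ASA lists the session and the group policy applied to it, and the client's own routing table shows which prefixes point at the VPN adapter. Choose the tunnelall policy for users whose Internet traffic must be inspected at headquarters.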

IPsec VPN negotiations: The devices at either end of an IPsec VPN tunnel are IPsec peers. To build the VPN tunnel, the peers exchange a series of messages, defined by the Internet Key Exchange (IKE) protocol, about encryption and authentication, and attempt to agree on many different parameters. This process is known as VPN negotiation. One device in the negotiation sequence is the initiator and the other device is the responder. VPN negotiations happen in two distinct phases: Phase 1 and Phase 2.

Phase 1: The main purpose of Phase 1 is to set up a secure encrypted channel through which the two peers can negotiate Phase 2. When Phase 1 finishes successfully, the peers quickly move on to Phase 2 negotiations. If Phase 1 fails, the devices cannot begin Phase 2.

Phase 2: The purpose of Phase 2 negotiations is for the two peers to agree on a set of parameters that define what traffic can go through the VPN, and how to encrypt and authenticate the traffic. This agreement is called a Security Association (SA). Phase 1 also produces an SA, the IKE SA, which protects the Phase 2 exchange.


The Phase 1 and Phase 2 configurations must match for the devices on either end of the tunnel.

Phase 1 negotiations include these steps:

1. The devices exchange credentials: The credentials can be a certificate or a pre-shared key. Both gateway endpoints must use the same credential method. If one peer uses a pre-shared key, the other peer must also use a pre-shared key, and the keys must match. If one peer uses a certificate, the other peer must also use a certificate.

2. The devices identify each other: Each device provides a Phase 1 identifier, which can be an IP address, a fully qualified domain name, a user FQDN (user@domain), or an X.500 distinguished name from a certificate. The VPN configuration on each peer contains the Phase 1 identifier of the local and the remote device, and the configurations must match.

3. For IKEv1, the peers decide whether to use Main Mode or Aggressive Mode: For IKEv1, Phase 1 negotiations can use one of two different modes: Main Mode or Aggressive Mode. The device that starts the IKE negotiation (the initiator) sends either a Main Mode proposal or an Aggressive Mode proposal. The responder can reject the proposal if it is not configured to use that mode. Aggressive Mode is less secure but faster than Main Mode.

When you use Aggressive Mode, the number of exchanges between the two endpoints is fewer (three messages instead of the six of Main Mode), and the exchange relies mainly on the ID types used by both appliances. Aggressive Mode still authenticates the peers, but it does not protect their identities: the identifiers, and with pre-shared keys the authentication hash, are sent in the clear before any encryption is in place, which exposes the pre-shared key to offline guessing. Main Mode protects the identity of both peers because the identifiers are exchanged only after the Diffie-Hellman exchange has produced an encrypted channel. With pre-shared keys, Main Mode requires the responder to select the key by the peer's IP address, so both sides need a static IP address; with certificate authentication this restriction does not apply.

4. The peers agree on other Phase 1 parameters, such as whether to use NAT traversal (NAT-T) and whether to use dead peer detection (IKE keepalives).

5. The peers agree on Phase 1 Transform settings: Transform settings include a set of authentication and encryption parameters (encryption algorithm, hash algorithm, authentication method, Diffie-Hellman group) and the lifetime of the Phase 1 SA. The settings in the Phase 1 transform must exactly match a Phase 1 transform on the IKE peer, or IKE negotiation fails.

Phase 2 Negotiations: After the two IPsec peers complete Phase 1 negotiations, Phase 2 negotiations begin. The purpose of Phase 2 negotiations is to establish the Phase 2 SA (also called the IPsec SA). The IPsec SA is a set of traffic specifications that tell the device what traffic to send over the VPN, and how to encrypt and authenticate that traffic. In Phase 2 negotiations the two peers agree on this set of communication parameters. The exchange is protected by the Phase 1 SA, which is why the Phase 1 SA settings are defined for each tunnel and Phase 1 must succeed first. Phase 2 actually produces a pair of unidirectional IPsec SAs, one inbound and one outbound, each identified by a Security Parameter Index (SPI). If Perfect Forward Secrecy (PFS) is enabled, Phase 2 performs a fresh Diffie-Hellman exchange so that the IPsec keys are not derived solely from the Phase 1 keying material.
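The following constructed Cisco IOS configuration for the headquarters router of a site-to-site IPsec VPN is an added example, not part of the original notes. It ties the Phase 1 and Phase 2 negotiation steps above to the commands that set each parameter. The peer addresses (198.51.100.2 for headquarters, 203.0.113.2 for the branch), the LAN prefixes, the policy, transform-set, access-list and crypto-map names, and the pre-shared key placeholder are assumptions. The branch router needs the mirror-image configuration with the same Phase 1 and Phase 2 values, otherwise the negotiation fails at the step whose values differ.

```cisco
! Constructed example (Cisco IOS, headquarters router). Addresses, names and
! the key are assumptions; the branch router mirrors this with addresses swapped.
!
! --- Phase 1 (IKE/ISAKMP SA) ---
! Transform settings: all five values must match a policy on the peer (step 5).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Credential (step 1): a pre-shared key bound to the peer's static address,
! which is what Main Mode with PSK needs to look the key up.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 203.0.113.2
! Refuse Aggressive Mode so the PSK hash is never sent in the clear (step 3).
crypto isakmp aggressive-mode disable
! Other Phase 1 parameters (step 4): dead peer detection every 10 s, 3 s retry.
crypto isakmp keepalive 10 3 periodic
!
! --- Phase 2 (IPsec SA) ---
! How to encrypt and authenticate: ESP with AES-256 and HMAC-SHA-256, tunnel mode.
crypto ipsec transform-set HQ-TO-BRANCH esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! What traffic goes through the VPN: only HQ LAN to branch LAN.
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! The crypto map binds peer, transform set and interesting traffic together.
! "set pfs" adds a fresh Diffie-Hellman exchange in Phase 2.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set HQ-TO-BRANCH
 set pfs group14
 match address VPN-TRAFFIC
!
! Apply the map to the Internet-facing interface.
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN-MAP
```

To verify, `show crypto isakmp sa` lists the Phase 1 SA; state QM_IDLE means Phase 1 completed and the SA is ready for Quick Mode (Phase 2). `show crypto ipsec sa` lists the Phase 2 SAs with their inbound and outbound SPIs and the pkts encaps/decaps counters, which only increase once traffic matching VPN-TRAFFIC flows. A tunnel that shows an ISAKMP SA but never builds an IPsec SA usually has a transform-set or access-list mismatch between the two routers. One practical caveat: if the outside interface also performs NAT, inside-to-outside translation happens before encryption on IOS, so traffic matching VPN-TRAFFIC must be excluded from NAT or its source addresses are rewritten before the crypto map sees it and the packets never match.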
