1. VPN Introduction
VPN (Virtual Private Network):
- Allows users to connect to a private network over the Internet through a secure connection.
- Provides data encryption and authentication between VPN peers.
VPN Connection Type:
- Remote Access (Client to Server)
- Supports multiple protocols: IPSec, SSL...
- Connects one computer on the Internet to the protected network behind the firewall
- Uses client software to connect to the VPN server
- Site to Site (LAN to LAN)
- Uses standard IPSec
- Connects two or more subnets between two or more peers
- Uses an appliance (firewall/router) at each end to connect to the other
VPN Protocol Type:
- IPSec: IP Based
- SSL: Web Based
2. IPSec vs SSL VPN
3. IPSec VPN Topology
4. IPSec VPN Framework
- IPSec Protocol
- AH: Authentication + Integrity (no encryption; the hash also covers the IP header, so AH does not survive NAT)
- ESP: Encryption + Authentication + Integrity (what is used in practice, and what this page configures)
- Confidentiality (Encryption Algorithm)
- DES: 56-bit key (broken, do not use)
- 3DES: three 56-bit keys applied in sequence (168-bit key, about 112 bits effective); deprecated
- AES: 128/192/256-bit key (recommended)
- SEAL: 160-bit key (Cisco stream cipher, rarely used)
- Integrity (Guarantee data is not altered)
- MD5: 128-bit digest (collision-broken, do not use)
- SHA-1: 160-bit digest (prefer SHA-256 where the platform offers it)
- Authentication
- PSK: both peers are configured with the same secret string and prove they know it during IKE
- RSA: each peer holds a key pair, normally in a certificate, and proves identity with a signature
- Diffie-Hellman (lets the two peers derive the same shared secret, from which the encryption keys are generated, without ever sending that secret over the wire)
- DH1 (768-bit), DH2 (1024-bit)... ; groups 1 and 2 are too small today, use group 14 (2048-bit) or higher
IKE = Internet Key Exchange
- The negotiation protocol that lets IPsec peers (here the ASA and the VPN client) authenticate each other and securely agree on cryptographic keys. This page uses IKEv1; IKEv2 is the current version.
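To make the Diffie-Hellman step of IKE concrete, here is an added example (not code from the original page or from Cisco) that runs both sides of a DH group 2 exchange and derives a session key from the result. The prime is the 1024-bit MODP value published as the second Oakley group in RFC 2409, copied from the RFC text; the key derivation with SHA-256 is a simplified stand-in for IKE's PRF-based SKEYID computation, not the real IKE formula.

```python
import hashlib
import secrets

# RFC 2409 "Second Oakley Group" (DH group 2): 1024-bit MODP prime, generator 2.
# Copied from the RFC; verify against the RFC before relying on it anywhere real.
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
DH_GROUP2_G = 2


def dh_keypair(p=DH_GROUP2_P, g=DH_GROUP2_G):
    """Return (private exponent x, public value g^x mod p) for one peer."""
    x = secrets.randbelow(p - 2) + 1          # 1 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared_secret(my_private, peer_public, p=DH_GROUP2_P):
    """Compute g^(xy) mod p from our private exponent and the peer's public value.

    Public values 0, 1 and p-1 are rejected: an attacker who substitutes one of
    them forces the shared secret into a tiny, predictable set."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_public, my_private, p)


def derive_key(shared, nonce_i, nonce_r, length=32):
    """Simplified stand-in for IKE's SKEYID derivation (assumption, not the
    real PRF formula): hash the shared secret with both peers' nonces so the
    session key differs even if the DH values were ever reused."""
    secret_bytes = shared.to_bytes((DH_GROUP2_P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(secret_bytes + nonce_i + nonce_r).digest()[:length]


def ike_phase1_dh_exchange():
    """Simulate the DH part of IKE phase 1 for the ASA and a VPN client.

    Only the public values and nonces cross the wire; each side combines its own
    private exponent with the other's public value and arrives at the same key."""
    asa_priv, asa_pub = dh_keypair()
    client_priv, client_pub = dh_keypair()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    key_on_asa = derive_key(dh_shared_secret(asa_priv, client_pub), nonce_i, nonce_r)
    key_on_client = derive_key(dh_shared_secret(client_priv, asa_pub), nonce_i, nonce_r)
    return key_on_asa, key_on_client


if __name__ == "__main__":
    k_asa, k_client = ike_phase1_dh_exchange()
    print("group 2 modulus bits:", DH_GROUP2_P.bit_length())
    print("keys match:", k_asa == k_client)
```

The modulus size printed at the end is the reason group 2 is no longer acceptable: 1024-bit DH is within reach of well-funded attackers, which is why the configuration below should move to group 14 or higher outside a lab.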
5. Configure IPSec VPN
- Configure IP Pool & Add User for VPN Client (the password here is a lab placeholder; use a strong one, or an AAA server, in production):
ASA(config)# ip local pool VPN_CLIENT_POOL 172.16.10.10-172.16.10.20
ASA(config)# username vpn1 password 123
- Create VPN Tunnel for Client to connect:
ASA(config)# tunnel-group VPN_CLIENT_TUN type remote-access
ASA(config)# tunnel-group VPN_CLIENT_TUN general-attributes
address-pool VPN_CLIENT_POOL
ASA(config)# tunnel-group VPN_CLIENT_TUN ipsec-attributes
ikev1 pre-shared-key 44kkaol59636jnfx (on ASA releases before 8.4 the command is pre-shared-key without the ikev1 keyword)
- Configuring IKE Policy for Authentication/Encryption Method (each line below is entered separately inside policy 1; 3des and group 2 match the page's lab but are deprecated, prefer aes-256 and group 14 or higher):
ASA(config)# crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
ASA(config)# crypto ikev1 enable outside
- Create Transform Set (combines the ESP encryption and integrity algorithms; esp-3des and esp-md5-hmac are deprecated, prefer esp-aes-256 esp-sha-hmac):
ASA(config)# crypto ipsec ikev1 transform-set SET1 esp-3des esp-md5-hmac
- Create Dynamic Crypto Map (policy template used when the ASA accepts connections from remote peers whose addresses are not known in advance):
ASA(config)# crypto dynamic-map DYN1 1 set ikev1 transform-set SET1 (identifies the transform set for the connection)
ASA(config)# crypto dynamic-map DYN1 1 set reverse-route (ASA installs routes for connected clients)
ASA(config)# crypto map MAP1 1 ipsec-isakmp dynamic DYN1
ASA(config)# crypto map MAP1 interface outside
6. Configure IPSec VPN Split Tunnel
- Configuring ACL & NAT for Split Tunnel & Allow access to LAN (the ACL lists the only destinations sent through the tunnel; everything else leaves the client directly, so the client is exposed to the Internet while connected; the identity NAT keeps LAN-to-VPN traffic untranslated; subnets taken from the pool and split-tunnel ACL above):
ASA(config)# access-list SPLIT_TUNNEL_ACL standard permit 10.0.0.0 255.255.255.0
ASA(config)# object network VPN_Network
subnet 172.16.10.0 255.255.255.0
ASA(config)# object network LAN_Network
subnet 10.0.0.0 255.255.255.0
ASA(config)# nat (inside,outside) source static LAN_Network LAN_Network destination static VPN_Network VPN_Network no-proxy-arp route-lookup
- Create & Apply Group Policy:
ASA(config)# group-policy POLI_VPN_GROUP internal
ASA(config)# group-policy POLI_VPN_GROUP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL_ACL
vpn-simultaneous-logins 5
ASA(config)# tunnel-group VPN_CLIENT_TUN general-attributes
default-group-policy POLI_VPN_GROUP (the group policy name defined above, not the tunnel-group name)
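Before pushing a configuration like the one in sections 4 to 6 to a real ASA, it is worth checking the algorithm choices mechanically. The following added example (not code from the original page or from Cisco) audits a constructed config fragment that mirrors the commands above and flags the weak IKEv1/IPsec settings they use; the sample text and the list of reasons are the author's assumptions, not device output.

```python
# Constructed fragment (not captured from a device) reproducing the commands
# chosen on this page, plus one stronger transform set for comparison.
SAMPLE_CONFIG = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set SET1 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set SET2 esp-aes-256 esp-sha-hmac
"""

# Why each weak choice is flagged.
REASONS = {
    "des": "56-bit DES key, brute-forceable",
    "3des": "3DES: 64-bit block (Sweet32), deprecated",
    "md5": "MD5 is collision-broken",
    "sha1": "SHA-1 (IKEv1 on ASA offers only md5/sha; move to IKEv2 with sha256)",
    "group 1": "768-bit DH, far too small",
    "group 2": "1024-bit DH, below the modern minimum (group 14 or higher)",
}


def audit_asa_vpn_config(config):
    """Return [(line_no, line, reason), ...] for weak IKE policy and
    transform-set settings found in an ASA config fragment."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        low = line.lower()
        words = low.split()
        if low.startswith("encryption ") and words[1] in ("des", "3des"):
            findings.append((n, line, REASONS[words[1]]))
        elif low == "hash md5":
            findings.append((n, line, REASONS["md5"]))
        elif low == "hash sha":
            findings.append((n, line, REASONS["sha1"]))
        elif low in ("group 1", "group 2"):
            findings.append((n, line, REASONS[low]))
        elif low.startswith("crypto ipsec ikev1 transform-set"):
            # words[4] is the set name; the rest are esp-* algorithm keywords
            for alg in words[5:]:
                if alg in ("esp-des", "esp-3des"):
                    findings.append((n, line, REASONS[alg[4:]]))
                elif alg == "esp-md5-hmac":
                    findings.append((n, line, REASONS["md5"]))
                elif alg == "esp-sha-hmac":
                    findings.append((n, line, REASONS["sha1"]))
    return findings


if __name__ == "__main__":
    for line_no, line, reason in audit_asa_vpn_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {line!r}: {reason}")
```

Run against the sample, the audit reports the 3DES cipher, SHA-1 hash and group 2 in the IKE policy, both algorithms in SET1, and the SHA-1 HMAC in SET2; only the AES-256 cipher passes. An IKEv2 policy with aes-256, integrity sha256 and group 14 produces no findings, which is the direction to take this configuration outside the lab.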
7. Setup VPN Client