
Tuesday, December 8, 2015

Site to Site IPsec VPN



IKEv1 compared to IKEv2
Policies: parameters for the IKE (phase 1) tunnel. Transform sets (IKEv1) / IPsec proposals (IKEv2): parameters for the IPsec (phase 2) tunnel. Crypto ACLs: define which traffic is protected. Crypto maps: bind peer, crypto ACL and proposal together; outbound traffic that matches a permit line of the crypto ACL is encrypted.
Reverse route injection (RRI): the ASA installs static routes for the remote end's protected networks (taken from the crypto ACL) pointing at the VPN peer. Redistributing those static routes into the internal routing protocol puts the remote networks into the routing tables of the internal routers.
Troubleshooting

IKEv2:
IKEv2 builds two tunnels (security associations).
IKE SA: the control tunnel; IKE messages travel over UDP 500 (UDP 4500 once NAT-T is in use).
Child SA, also called the ESP or IPsec tunnel: carries the actual encrypted user traffic. ESP is IP protocol 50 (UDP-encapsulated on port 4500 when NAT-T is in use).

Benefits of IKEv2
Dead peer detection (liveness check): built into the IKEv2 spec (RFC 7296) as an empty INFORMATIONAL exchange, whereas IKEv1 DPD was a separate extension (RFC 3706).
NAT-T: IKEv1 supports it via separate RFCs (3947/3948), but in IKEv2 NAT detection and UDP encapsulation are part of the base spec.
Less overhead: the initial exchange takes 4 messages (IKE_SA_INIT + IKE_AUTH) instead of 6 (main mode) + 3 (quick mode), and rekeying uses a single CREATE_CHILD_SA exchange when a lifetime expires.
Better DoS mitigation: the responder can answer IKE_SA_INIT with a stateless cookie and only allocate state once the initiator echoes it back.
PSK: the two sides do not have to use the same pre-shared key, because each peer's AUTH payload is computed with its own secret.
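The exchange behind these bullets, as an added illustration that is not part of the original post (message contents follow RFC 7296; the bracketed payloads are optional, and "SK{...}" marks payloads encrypted and integrity-protected under the IKE SA):

```text
Initiator (I)                                              Responder (R)
-------------                                              -------------
UDP 500 (both sides)

1. IKE_SA_INIT request
   HDR, SAi1, KEi, Ni,
   [N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)]   -->
                                                           (under load: R answers only HDR, N(COOKIE);
                                                            I must repeat message 1 with N(COOKIE)
                                                            before R allocates any state)
2. IKE_SA_INIT response
   <-- HDR, SAr1, KEr, Nr, [CERTREQ],
       [N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP)]
   Both sides now derive SKEYSEED from the DH shared secret and nonces.
   If the NAT_DETECTION hashes do not match the observed addresses, a NAT is
   in the path: IKE moves to UDP 4500 and ESP is UDP-encapsulated on 4500.

3. IKE_AUTH request
   HDR, SK{ IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr }       -->
4. IKE_AUTH response
   <-- HDR, SK{ IDr, [CERT], AUTH, SAr2, TSi, TSr }
   AUTH with a pre-shared key is prf(prf(Secret, "Key Pad for IKEv2"), SignedOctets),
   computed by each peer over its OWN secret, so the two secrets may differ.
   After message 4 the IKE SA and the first Child SA (the ESP tunnel) exist:
   4 messages total, versus 6 + 3 in IKEv1 main mode + quick mode.

Data: ESP, IP protocol 50 (or UDP 4500 with NAT-T) in both directions.

Rekey / extra tunnel:  HDR, SK{ [N(REKEY_SA)], SA, Ni, [KEi], TSi, TSr }  -->
                       <-- HDR, SK{ SA, Nr, [KEr], TSi, TSr }           (CREATE_CHILD_SA)
Liveness check (DPD):  HDR, SK{ }  -->   <--  HDR, SK{ }                (INFORMATIONAL)
```

The cookie step is what makes the responder cheap to flood: it does no Diffie-Hellman work and keeps no per-initiator state until a spoofed source address has proven it can receive packets.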

Notes :
Deny lines in the crypto ACL mean "do not encrypt this traffic"; it is sent in the clear outside the tunnel.
In IKEv1, the IKE phase 2 policies are called "transform sets" and are negotiated during phase 2 (quick mode).
The legacy Cisco VPN Client does not support IKEv2; for IKEv2 remote access the AnyConnect client is required.
IKEv1 "transform sets" serve the same function as IKEv2 "IPsec proposals".
IKEv2 is not backward compatible with IKEv1, i.e. both ends must run the same IKE version.
IKEv1 PSKs must be identical on both sides. In IKEv2, different local and remote PSKs can be used.

ASDM navigation for site to site:
Config -> site to site VPN ->

Show commands:
show crypto ikev2 sa
show crypto ipsec sa

To enable RRI in ASDM
Config -> site to site -> Advanced -> Crypto Maps -> Reverse Route Enabled
and redistribute the resulting static routes into the routing protocol (e.g. "redistribute static subnets" under the OSPF process).
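The CLI equivalent of the ASDM steps above for one side of an IKEv2 site-to-site tunnel on an ASA, as an added example that is not from the original post: it shows asymmetric pre-shared keys, a crypto ACL with a deny line, RRI and redistribution into OSPF, followed by the commands used to verify the result. All addresses, object and map names, the peer IP and the key placeholders are made up for illustration; the peer needs the mirror-image configuration (crypto ACL reversed, local and remote keys swapped).

```text
! Added example, not from the original post. Addresses, names and keys are invented.
! Local protected network 10.1.0.0/16 behind "inside"; remote site 10.2.0.0/16; peer 203.0.113.2

! Phase 1 (IKE SA): IKEv2 policy, enabled on the outside interface
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! Phase 2 (child / ESP SA): IKEv2 "IPsec proposal" (the IKEv1 equivalent is a transform set)
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Crypto ACL: what gets protected. The deny line is matched first and keeps the
! 10.1.99.0/24 management subnet OUT of the tunnel (deny = do not encrypt);
! all other 10.1.0.0/16 -> 10.2.0.0/16 traffic is encrypted.
access-list VPN-TO-BRANCH extended deny ip 10.1.99.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list VPN-TO-BRANCH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! NAT exemption so private addresses are not translated before encryption
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH-LAN
 subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup

! Crypto map: binds crypto ACL, peer and proposal; "set reverse-route" turns on RRI
crypto map OUTSIDE_MAP 10 match address VPN-TO-BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside

! Tunnel group keyed on the peer address; IKEv2 allows different local and remote PSKs.
! The local key is what this ASA authenticates with; the remote key is what the peer uses.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key <LOCAL-KEY-PLACEHOLDER>
 ikev2 remote-authentication pre-shared-key <REMOTE-KEY-PLACEHOLDER>

! RRI installs a static route to 10.2.0.0/16 via the peer; redistribute it so
! the inside routers learn the remote network
router ospf 1
 network 10.1.0.0 255.255.0.0 area 0
 redistribute static subnets

! Verification / troubleshooting (exec mode)
! IKE SA per peer; a healthy tunnel shows status READY
show crypto ikev2 sa
! Child SA with encaps/decaps counters; one side counting and the other not points at NAT or ACL mismatch
show crypto ipsec sa peer 203.0.113.2
! The RRI-injected static route should appear once the SA is up
show route | include 10.2.0.0
! Simulates an inside host; the VPN phase of the output shows whether the crypto map matched
packet-tracer input inside tcp 10.1.10.5 40000 10.2.10.5 443
! Negotiation failures (proposal mismatch, authentication failure) show up here
debug crypto ikev2 protocol 5
```

The deny line is worth testing with packet-tracer from a 10.1.99.x source: the output should show no VPN phase and the packet leaving in the clear, which is exactly the behaviour the crypto ACL notes above describe.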


Site-to-Site IPsec VPN (Virtual Private Network) is a type of VPN connectivity that establishes secure communication between two or more geographically dispersed networks or sites over the internet. In a Site-to-Site IPsec VPN, VPN gateways or routers located at each site create encrypted tunnels between them, allowing secure transmission of data between the interconnected networks.

Here's how Site-to-Site IPsec VPN works:

1. **VPN Gateway Configuration**: Each site involved in the VPN connection has a VPN gateway or router configured to support IPsec VPN tunnels. These VPN gateways serve as endpoints for the VPN connection and handle the encryption and decryption of data traffic.

2. **Tunnel Establishment**: When a VPN connection is initiated, the VPN gateways at each site negotiate security parameters, authenticate each other's identities, and establish encrypted tunnels using the IPsec protocol suite (typically using IKEv1 or IKEv2 for key exchange).

3. **Encryption and Authentication**: Once the tunnels are established, traffic between the interconnected networks is encapsulated in ESP and encrypted with a symmetric cipher (AES today; 3DES and DES are legacy and should not be used) for confidentiality. Each packet also carries an integrity check value (an HMAC, or the authentication tag of an AEAD cipher such as AES-GCM) that provides integrity and origin authentication, plus a sequence number for anti-replay. Digital signatures (certificates) or pre-shared keys authenticate the peers once, during IKE, not on every packet.

4. **Data Transmission**: Encrypted packets are transmitted between the interconnected networks over the VPN tunnels. The receiving gateway verifies the integrity check and anti-replay sequence number, decrypts the packet, confirms that the inner addresses match the negotiated traffic selectors (the crypto ACL), and forwards it to its destination within the local network.

5. **Routing and Network Integration**: Site-to-Site IPsec VPN lets the interconnected networks communicate as if they were part of a single network. How remote prefixes are learned depends on the tunnel type: with a route-based tunnel (a VTI, or GRE over IPsec) the tunnel is an interface and routing protocols such as OSPF (Open Shortest Path First) or BGP (Border Gateway Protocol) can run across it; with a policy-based crypto map there is no tunnel interface, so the remote networks are injected as static routes by reverse route injection and then redistributed into the internal routing protocol.

Use cases of Site-to-Site IPsec VPN include:

1. **Inter-Office Connectivity**: Site-to-Site IPsec VPN enables secure communication between multiple office locations or branches of an organization, allowing employees to access shared resources, applications, and services across geographically dispersed sites.

2. **Data Center Interconnectivity**: Site-to-Site IPsec VPN is used to establish secure connectivity between on-premises data centers and cloud environments or between multiple data centers owned by the same organization. This allows for efficient data replication, disaster recovery, and workload migration between data centers.

3. **Partner Connectivity**: Site-to-Site IPsec VPN enables secure communication between organizations and their business partners, suppliers, or customers, facilitating collaboration and data exchange while ensuring confidentiality and integrity of sensitive information.

4. **Remote Access Extension**: Site-to-Site IPsec VPN can extend the corporate network to small or temporary remote offices over the internet, so users there reach internal resources and applications as if they were on-site. Individual mobile users are served instead by a remote-access VPN with a client such as AnyConnect, which can terminate on the same gateway.

5. **Branch Office Connectivity**: Site-to-Site IPsec VPN provides secure connectivity for branch offices or remote sites to the main corporate network, enabling seamless integration and access to centralized resources, such as file shares, databases, and applications.

Overall, Site-to-Site IPsec VPNs offer a cost-effective and scalable solution for establishing secure communication between geographically dispersed networks or sites, enabling organizations to extend their network infrastructure securely and facilitate collaboration, data exchange, and resource sharing across distributed environments.
