Foundation Summary
The "Foundation Summary" provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this summary provides a convenient way to review the day before the exam.There are three different VPN types: access, intranet, and extranet. Access VPNs are used for remote users and normally require client software. Intranet and extranet VPNs are configured as site-to-site VPNs.VPN peers need to authenticate each other and negotiate the IPSec SA. The negotiation is completed automatically using IKE. The authentication is completed using preshared keys, RSA signatures (certificates), or RSA nonces. The PIX Firewall does not support RSA nonces. To configure IKE on the PIX, you use the following commands:- isakmp policy
- - Configures the authentication type- Configures the message encryption algorithm- Configures the message integrity algorithm- Configures the key exchange parameters- Defines the SA lifetime (reinitiates the Diffie-Hellman key exchange)
- isakmp enable Applies the ISAKMP policy to an interface, allowing that interface to receive UDP 500 traffic
- isakmp identity Identifies the local peer by IP address or host name
- isakmp key If you are using a preshared key, defines the key and the peer (by IP address)
After you configure IKE, you are ready to configure IPSec. Follow these steps:
| Step 1. | Use the access-list command to configure the access list so that the PIX knows which traffic should be encrypted. | | Step 2. | Use the transform-set command to create transform sets to define the encryption and integrity to be used for the session. | | Step 3. | Use the ipsec security-association lifetime command (optional) to define the SA lifetime to reduce the opportunity of others to crack your encryption. | | Step 4. | Configure the crypto map:- Define the SA negotiation (manual or IKE)
- Apply the access list to the crypto map
- Apply the transform set to the crypto map
- Identify the SA peer by IP address or host name
- Apply the crypto map to an interface
|
Three commands (and many options for each) are available to troubleshoot VPN connectivity:- show Displays the current configuration or current SA status
- clear Removes the current configuration or setting (usually used to regenerate the connection)
- debug Allows you to see ongoing sessions and key negotiations
Cisco VPN Client is used to connect remote users to internal resources by an encrypted tunnel. The package handles all the negotiation and encryption and can operate using any connection to the Internet.To develop a scalable VPN solution, you must implement a dynamic means of authentication. The most effective and scalable method today is the use of IKE and certification authorities. |
لطفا منتظر باشید ...
