What Is VPN
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
18.1 VPN Overview
VPN Overview
Virtual Private Networks
To secure network traffic between sites and users, organizations use virtual private networks (VPNs) to create end-to-end private network connections. A VPN is virtual in that it carries information within a private network, but that information is transported over a public network. A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the public network. The figure shows a collection of various types of VPNs managed by an enterprise's main site. The tunnel enables remote sites and users to access the main site's network resources securely.
VPN Overview
VPN Benefits
Modern VPNs now support encryption features, such as Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL) VPNs, to secure network traffic between sites.
Security: VPNs provide the highest level of security available, by using advanced encryption and authentication protocols that protect data from unauthorized access.
Scalability: VPNs allow organizations to use the internet, making it easy to add new users without adding significant infrastructure.
Compatibility: VPNs can be implemented across a wide variety of WAN link options, including all the popular broadband technologies. Remote workers can take advantage of these high-speed connections to gain secure access to their corporate networks.
18.2 VPN Topologies
VPN Topologies
Site-to-Site and Remote-Access VPNs
VPN Topologies
Site-to-Site and Remote-Access VPNs (Cont.)
A remote-access VPN is dynamically created to establish a secure connection between a client and a VPN terminating device. For example, a remote access SSL VPN is used when you check your banking information online.
VPN Topologies
Remote-Access VPNs
VPN Topologies
SSL VPNs
SSL uses the public key infrastructure and digital certificates to authenticate peers. Both IPsec and SSL VPN technologies offer access to virtually any network application or resource. However, when security is an issue, IPsec is the superior choice. If support and ease of deployment are the primary issues, consider SSL. The type of VPN method implemented is based on the access requirements of the users and the organization's IT processes. The table compares IPsec and SSL remote access deployments.

Applications supported
  IPsec: Extensive - All IP-based applications are supported.
  SSL: Limited - Only web-based applications and file sharing are supported.
Authentication strength
  IPsec: Strong - Uses two-way authentication with shared keys or digital certificates.
  SSL: Moderate - Uses one-way or two-way authentication.
Encryption strength
  IPsec: Strong - Uses key lengths from 56 bits to 256 bits.
  SSL: Moderate to strong - Uses key lengths from 40 bits to 256 bits.
Connection complexity
  IPsec: Medium - Requires a VPN client pre-installed on a host.
  SSL: Low - Only requires a web browser on a host.
Connection option
  IPsec: Limited - Only specific devices with specific configurations can connect.
  SSL: Extensive - Any device with a web browser can connect.
VPN Topologies
Site-to-Site IPsec VPNs
IPsec Overview
Video - IPsec Concepts
IPsec Overview
IPsec Technologies
Using the IPsec framework, IPsec provides these essential security functions:
• Confidentiality - IPsec uses encryption algorithms to prevent cybercriminals from reading the packet contents.
• Integrity - IPsec uses hashing algorithms to ensure that packets have not been altered between source and destination.
• Origin authentication - IPsec uses the Internet Key Exchange (IKE) protocol to authenticate source and destination. Methods of authentication include pre-shared keys (passwords), digital certificates, or RSA certificates.
• Diffie-Hellman - Secure key exchange, typically using various groups of the DH algorithm.
IPsec Overview
IPsec Technologies (Cont.)
The IPsec security functions are listed in the table.
IPsec Protocol: The choices for IPsec protocol include Authentication Header (AH) or Encapsulation Security Protocol (ESP). AH authenticates the Layer 3 packet. ESP encrypts the Layer 3 packet. Note: ESP+AH is rarely used, as this combination will not successfully traverse a NAT device.
Confidentiality: Encryption ensures confidentiality of the Layer 3 packet. Choices include Data Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES), or Software-Optimized Encryption Algorithm (SEAL).
Integrity: Ensures that data arrives unchanged at the destination using a hash algorithm, such as Message-Digest 5 (MD5) or Secure Hash Algorithm (SHA).
Authentication: IPsec uses Internet Key Exchange (IKE) to authenticate users and devices that can carry out communication independently. IKE uses several types of authentication, including username and password, one-time password, biometrics, pre-shared keys (PSKs), and digital certificates using the Rivest, Shamir, and Adleman (RSA) algorithm.
Diffie-Hellman: IPsec uses the DH algorithm to provide a public key exchange method for two peers to establish a shared secret key. There are several different groups to choose from, including DH14, 15, 16 and DH 19, 20, 21 and 24. DH1, 2 and 5 are no longer recommended.
IPsec Overview
IPsec Protocol Encapsulation
IPsec Overview
Confidentiality
Confidentiality is achieved by encrypting the data. The degree of confidentiality depends on the encryption algorithm and the length of the key used in the encryption algorithm. The shorter the key, the easier it is to break.
• DES uses a 56-bit key and should be avoided.
• 3DES uses three 56-bit encryption keys per 64-bit block.
• AES offers three different key lengths: 128 bits, 192 bits, and 256 bits.
• SEAL is a stream cipher, encrypting data continuously. It uses a 160-bit key.
IPsec Overview
Integrity
Data integrity means that the data that is received is exactly the same data that was sent.
• Message-Digest 5 (MD5) uses a 128-bit shared-secret key. The variable-length message and 128-bit shared-secret key are combined and run through the HMAC-MD5 hash algorithm, producing a 128-bit hash.
• The Secure Hash Algorithm (SHA) uses a 160-bit secret key. The variable-length message and 160-bit shared-secret key are combined and run through the HMAC-SHA-1 algorithm, producing a 160-bit hash.
IPsec Overview
Authentication
When conducting business long distance, the device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure.
• A pre-shared secret key (PSK) value is entered into each peer manually. The PSK is combined with other information to form the authentication key.
• Rivest, Shamir, and Adleman (RSA) authentication uses digital certificates to authenticate peers.
IPsec Overview
Authentication (Cont.)
IPsec Overview
Secure Key Exchange with Diffie-Hellman
Encryption algorithms require a symmetric, shared secret key to perform encryption and decryption. How do the encrypting and decrypting devices get the shared secret key? The easiest key exchange method is to use a public key exchange method, such as Diffie-Hellman (DH). DH provides a way for two peers to establish a shared secret key that only they know, even though they are communicating over an insecure channel. Variations of the DH key exchange are specified as DH groups. The DH group you choose must be strong enough, or have enough bits, to protect the IPsec keys during negotiation.
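The exchange described above, as an added example that is not part of the Cisco module: each peer keeps a private exponent, only the public values cross the insecure channel, and both sides arrive at the same key. The group here is a constructed 64-bit safe prime found at run time (`make_toy_group` is an assumption for illustration); it is far too small to protect anything, which is exactly why IPsec uses the large fixed groups (DH14 and above) named on the page.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test (helper for the toy group; real deployments use fixed RFC groups)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_toy_group(bits=64):
    """Return (p, g) with p = 2q + 1 a safe prime, so g = 2 generates a large subgroup.
    Constructed toy size: 64-bit moduli are breakable; IPsec DH groups are far larger."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, 2

def dh_exchange(p, g):
    """Both peers pick a private exponent, swap public values, and derive the same key."""
    a = secrets.randbelow(p - 2) + 1          # peer A's secret, never sent
    b = secrets.randbelow(p - 2) + 1          # peer B's secret, never sent
    pub_a, pub_b = pow(g, a, p), pow(g, b, p)  # these two values cross the wire
    shared_a = pow(pub_b, a, p)               # A computes (g^b)^a
    shared_b = pow(pub_a, b, p)               # B computes (g^a)^b
    # Hash the shared value into a fixed-size symmetric key (IKE uses a PRF here).
    key_a = hashlib.sha256(shared_a.to_bytes(32, "big")).digest()
    key_b = hashlib.sha256(shared_b.to_bytes(32, "big")).digest()
    return key_a, key_b, (pub_a, pub_b)
```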
IPsec Overview
Video - IPsec Transport and Tunnel Modes
This video explains how an IPv4 packet is processed with ESP in transport mode and in tunnel mode.
18.4 IPsec Protocols
IPsec Protocols
IPsec Protocol Overview
The two main IPsec protocols are Authentication Header (AH) and Encapsulation Security Protocol (ESP). The IPsec protocol is the first building block of the framework. The choice of AH or ESP establishes which other building blocks are available. AH uses IP protocol 51 and is appropriate only when confidentiality is not required or permitted. It provides data authentication and integrity, but it does not provide data confidentiality (encryption). All text is transported unencrypted. ESP uses IP protocol 50 and provides both confidentiality and authentication. Authentication provides data origin authentication and data integrity.
IPsec Protocols
Authentication Header
The AH function is applied to the entire packet, except for any IP header fields that normally change in transit. Fields that normally change during transit are called mutable fields. For example, the Time to Live (TTL) field is considered mutable because routers modify this field.
The AH process occurs in this order:
1. The IP header and data payload are hashed using the shared secret key.
2. The hash builds a new AH header, which is inserted into the original packet.
3. The new packet is transmitted to the IPsec peer router.
4. The peer router hashes the IP header and data payload using the shared secret key, extracts the transmitted hash from the AH header, and compares the two hashes.
The hashes must match exactly. If one bit is changed in the transmitted packet, the hash output on the received packet changes and the AH header will not match. AH supports MD5 and SHA algorithms.
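The keyed hash from the Integrity slide and the AH comparison above, as an added example that is not Cisco's code: the sender computes HMAC-SHA-1 over a constructed 20-byte IPv4 header plus payload with the mutable TTL and header checksum zeroed, so a router's TTL decrement still verifies while a single flipped payload bit does not. The key, addresses and payload are constructed sample values; a real key comes from the IKE-negotiated SA.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-ah-key"   # sample value, not a real SA key

def ipv4_header(src, dst, ttl, payload_len):
    """Minimal IPv4 header without options (constructed sample); protocol 51 = AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, 51, 0, bytes(src), bytes(dst))

def immutable_view(header):
    """Zero the mutable fields (TTL at byte 8, header checksum at bytes 10-11)
    so that a router rewriting them does not invalidate the hash."""
    h = bytearray(header)
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_icv(header, payload):
    """Step 1: hash the immutable header bytes plus payload with the shared key."""
    return hmac.new(KEY, immutable_view(header) + payload, hashlib.sha1).digest()

def ah_verify(header, payload, icv):
    """Step 4: recompute at the peer and compare in constant time."""
    return hmac.compare_digest(ah_icv(header, payload), icv)

def demo():
    """Return (verifies after a hop, verifies after payload tamper, verifies after NAT)."""
    src, dst = (10, 0, 0, 1), (10, 0, 0, 2)
    payload = b"constructed payload"
    sent = ipv4_header(src, dst, ttl=64, payload_len=len(payload))
    icv = ah_icv(sent, payload)
    # A router decremented TTL in transit: mutable field, so the ICV still matches.
    forwarded = ipv4_header(src, dst, ttl=63, payload_len=len(payload))
    ok_after_hop = ah_verify(forwarded, payload, icv)
    # One bit flipped in the payload: the recomputed hash no longer matches.
    tampered = bytes([payload[0] ^ 0x01]) + payload[1:]
    ok_tampered = ah_verify(forwarded, tampered, icv)
    # Destination address rewritten by NAT: addresses are immutable, so AH fails.
    natted = ipv4_header(src, (192, 0, 2, 9), ttl=63, payload_len=len(payload))
    ok_natted = ah_verify(natted, payload, icv)
    return ok_after_hop, ok_tampered, ok_natted
```

The third result is why AH does not survive NAT, which the earlier table notes for the ESP+AH combination.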
IPsec Protocols
Encapsulation Security Protocol
If ESP is selected as the IPsec protocol, an encryption algorithm must also be selected. The default algorithm for IPsec is 56-bit DES. ESP can also provide integrity and authentication. First, the payload is encrypted. Next, the encrypted payload is sent through a hash algorithm. The hash provides authentication and data integrity for the data payload.
Optionally, ESP can also enforce anti-replay protection, which verifies that each packet is unique and is not duplicated. This protection ensures that a hacker cannot intercept packets and insert changed packets into the data stream. Anti-replay works by keeping track of packet sequence numbers and using a sliding window on the destination end.
When a connection is established between a source and destination, their counters are initialized at zero. Each time a packet is sent, a sequence number is appended to the packet by the source. The destination uses the sliding window to determine which sequence numbers are expected. The destination verifies that the sequence number of the packet is not duplicated and is received in the correct order.
IPsec Protocols
ESP Encrypts and Authenticates
When both authentication and encryption are selected, encryption is performed first. One reason for this order of processing is that it facilitates rapid detection and rejection of replayed or bogus packets by the receiving device. Prior to decrypting the packet, the receiver can authenticate inbound packets.
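The encrypt-then-authenticate order above, as an added example that is not Cisco's code: the sender encrypts the payload, then computes the ICV over the SPI, sequence number, IV and ciphertext; the receiver checks the ICV first and discards a bogus packet without ever running the decryptor. The cipher is a constructed SHA-256 keystream stand-in (Python's standard library has no AES), and the keys, SPI and payload are sample values.

```python
import hashlib
import hmac
import secrets

ENC_KEY = b"constructed-esp-encryption-key"       # sample values, not SA keys
AUTH_KEY = b"constructed-esp-authentication-key"
ICV_LEN = 16                                      # truncated HMAC, as HMAC-SHA-256-128 does

def toy_keystream_xor(key, iv, data):
    """Stand-in for the ESP cipher: XOR with a SHA-256 counter keystream.
    Constructed for illustration only; real ESP uses AES (or 3DES/DES on the page)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def esp_protect(spi, seq, plaintext):
    """Encrypt first, then authenticate header + IV + ciphertext."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    iv = secrets.token_bytes(8)
    ciphertext = toy_keystream_xor(ENC_KEY, iv, plaintext)
    icv = hmac.new(AUTH_KEY, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + iv + ciphertext + icv

def esp_unprotect(packet):
    """Verify the ICV before touching the cipher; return None for a bogus packet."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None                                # rejected without decrypting
    iv, ciphertext = body[8:16], body[16:]
    return toy_keystream_xor(ENC_KEY, iv, ciphertext)

def demo():
    """Return (recovered payload, result for a packet with one ciphertext bit flipped)."""
    packet = esp_protect(spi=0x1000, seq=1, plaintext=b"constructed ESP payload")
    good = esp_unprotect(packet)
    forged = bytearray(packet)
    forged[20] ^= 0x80                             # byte 20 lies inside the ciphertext
    bad = esp_unprotect(bytes(forged))
    return good, bad
```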
Internet Key Exchange
The IKE Protocol
IKE enhances IPsec by adding features and simplifies configuration for the IPsec standard.
Internet Key Exchange
Video - IKE Phase 1 and Phase 2
This video will explain IPsec: Confidentiality, Integrity, Authentication, and Secure Key Exchange.
18.6 VPNs Summary
VPNs Summary
What Did I Learn in this Module?
• Organizations use virtual private networks (VPNs) to create end-to-end private network connections that are transported over a public network.
• VPNs support encryption features, such as IPsec and SSL, to secure network traffic between sites.
• Site-to-site VPNs are created when VPN gateways are preconfigured with information to establish a secure tunnel.
• Remote access VPNs (clientless and client-based) are used to securely connect remote and mobile users to the enterprise by creating a secure tunnel.
• IPsec is a framework used to define how a VPN connection will ensure confidentiality, integrity, and origin authentication.
• When establishing a VPN link, the peers must share the same SA to negotiate key exchange parameters, establish a shared key, authenticate each other, and negotiate the encryption parameters.
• The two main IPsec protocols are AH and ESP, which can be applied to IP packets using transport mode or tunnel mode.
VPNs Summary
What Did I Learn in this Module? (Cont.)
• The IKE protocol is a key management protocol standard that is used to automatically negotiate IPsec security associations and enable IPsec secure communications.
• IKE uses ISAKMP for phase 1 and phase 2 of key negotiation. Phase 1 negotiates a security association (a key) between two IKE peers. During phase 2 negotiation, IKE establishes keys (security associations) for other applications, such as IPsec.
VPNs
New Terms and Commands
• virtual private networks (VPNs)
• tunnel mode
• Authentication Header (AH)
• remote-access VPN
• Internet Protocol Security (IPsec)
• Internet Security Association Key Management Protocol (ISAKMP)
• Encapsulation Security Protocol (ESP)
• security association (SA)
• site-to-site VPN
• transport mode
• pre-shared secret key (PSK)