ISAKMP and IPSEC Configuration for Secure VPN Exchange


Added on  2019-09-16

CHAPTER 3
3.0 RESEARCH METHODOLOGY

The purpose of this project is to design a virtual private network within the campus environment by connecting the various departments together using a highly secure network system. This led me to collect multiple pieces of research on how to design a secure remote network system that connects all the departments together using Dynamic Multipoint Virtual Private Network (DMVPN).

In order to implement DMVPN, the methodologies were collected from the study of remote virtual private networks using leased private Internet lines over the existing wireless network, and from Cisco Certified Network Associate by Todd Lammle and Cisco Certified Network Professional by Chris Brown (CCIE).

Dynamic Multipoint VPN (DMVPN) is a Cisco VPN solution for building a virtual private network with branch sites at different locations using a scalable architecture. The DMVPN architecture provides an easy approach to implementation and management for deployments that require access controls for diverse user communities, including mobile employees, departments and different remote sites. Cisco DMVPN provides an environment in which different branch locations can communicate directly with each other over the WAN, for example when using voice over IP between two branch offices, without requiring a permanent VPN connection between the sites. It also provides zero-touch deployment of IPsec VPNs, which improves network performance, minimises deployment time and reduces the cost of integrating voice and video with IPsec VPN security. It enables direct communication between branches for a variety of business applications, and it has all the benefits of routing together with standard IPsec security technology.

VPN using an Internet leased line for wired and wireless private networks:
A VPN is a secure connection between sites that can be established over an Internet leased line or over any existing wireless or wired connection. The VPN deployment only needs IP connectivity between the sites. There are different methods for remote VPNs between sites, such as DMVPN and SSL VPN. As explained above, DMVPN connects sites using a hub-and-spoke topology. SSL VPN is used specifically for remote users and has no hardware requirement: it only requires the user to install VPN software, which connects to the VPN hub, which in turn connects the PC to the private network of the company or organisation.
ISAKMP and IPSEC Configuration for Secure VPN Exchange_1

3.1 SOFTWARE REQUIREMENT FOR THE VPN DESIGN

This design is a real-life scenario and would require Cisco configurable 2900 series routers, but these are too expensive, so I will use Packet Tracer simulation for the lab design and for testing the network security. For setting up the VPN we will need Cisco IOS routers of the 1900 or 2900 series with IOS version 15.x or above. As we are limited in physical devices, we have chosen Cisco Packet Tracer to simulate the VPN setup for this implementation. Cisco Packet Tracer enables us to simulate network devices, which we use to create network topologies and to implement and practise network scenarios before implementation. Packet Tracer provides different types of Cisco devices (routers, switches, firewalls etc.) and many different connection options, which help the user to create a vast number of design options. In our case we will be implementing a VPN over different media types, including wireless and wired topologies, connecting the private networks through the VPN and securing it with IPsec.

3.2 HARDWARE REQUIREMENT FOR THE VPN DESIGN

The following network devices are required:
- 5 Cisco 1841 or 2900 series routers
- Internet service provider private modem with leased line
- 4 Cisco wireless routers
- 5 server systems
- Cat 6 network cable
- Serial cable
- Wireless computers

For the DMVPN the hardware requirement may vary from scenario to scenario, as it depends on various factors such as the routing protocols, the number of sites, the number of users and the amount of traffic. For a basic DMVPN setup, we will need a Cisco IOS router (2911 or 1841) as an edge router for each site or department. These routers are good for small offices and branches with a medium traffic load and are suitable for a limited number of VPN connections. They will connect us to the ISP, which provides the Internet leased line connectivity that we will refer to as the WAN or public network. These departments or sites may have wired or wireless connectivity to their respective local area devices, which are allocated private IP addresses. For the Internet leased line we will be using a serial connection provided by our ISP, and for our LAN we are using Cisco wireless routers to provide Wi-Fi connectivity to our wireless PCs and devices. Wired connectivity will be provided by Cat 6 Ethernet cables, which are capable of 100 Mbps speeds on the LAN. We are also using different servers for various purposes in the different departments, which provide services to the users on the network.

3.5 NEW SYSTEM DESIGN
The prescribed solution is to design a virtual private network in a campus environment, using the existing wireless network of Sheffield Hallam University, by connecting the following departments together:
- Administration department
- Computer science
- Business school
- Engineering and Medical department

Connecting the above departments together remotely using the virtual private network design will involve the following procedures:

Default routing protocol: This will be used to connect to the ISP network, which can also be called the Internet. As we are not running any routing protocol with the ISP, we need the traffic to be routed towards the ISP, so we will direct it using a default route: all traffic going towards the public network will be forwarded to the ISP's router, and the ISP will then forward it on to the destination. The default route is generally used when we do not want to give a specific route to a destination, or when we have no routing protocol running for many routes or destinations. It allows us to forward all our non-specific traffic towards a nominated next hop. The syntax of the default route is:
ip route 0.0.0.0 0.0.0.0 <forwarding router's address>
This forwards all network traffic towards a specific router destination (the Admin department).

Dynamic routing protocol: Dynamic routing is a way of learning the routes in a network of many routers and devices by running a dynamic routing protocol. Dynamic routing helps us to obtain routes without manual entry into the routing table, and it populates the routing table with the best route chosen from the different routes available to the router. There are many dynamic routing protocols available: Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF). Each routing protocol works in a different way and uses a different algorithm for best-path selection. Some of them choose the best route by using hop count as the metric; others calculate a cost from the type of link to select the best possible route to the destination. The packets exchanged by dynamic routing protocols are called routing updates. These updates carry the routes, or networks, that are connected to the routers and are passed on to the other routers running the same protocol. In this way all the routers learn their routes from each other and populate their routing tables. The benefit is that it can be configured on a large network easily to exchange routes, but the downside is that it consumes more bandwidth than static routing. This involves advertising the network addresses in each routing table to the neighbouring routers that are connected together, enabling information sharing via the network. In this design, Enhanced Interior Gateway Routing Protocol (EIGRP) will be configured.

Generic Route Encapsulation (GRE): This is a routing-based VPN that helps users or sites to connect their private networks via the public network using simple encapsulation. GRE is used by the routers to encapsulate their private IP packets.
GRE is an IPv4 tunnelling protocol that provides a simple and generic encapsulation approach for transporting packets of one protocol over another protocol. GRE takes its packet, called the payload, and packs it as an inner packet inside an outer IP packet addressed to the public IP of the destination network. With GRE, tunnel endpoints can send their payloads through encapsulated tunnels by routing the encapsulated packets through the intervening IP networks. Other IP routers along the way, such as the ISP routers, do not look inside the payload (the encapsulated data packet); they only process the outer IPv4 packet while forwarding it towards its destination, which is the GRE tunnel endpoint. On reaching the tunnel destination, the GRE encapsulation is removed by the receiving router and the payload (the original IPv4 data) is forwarded to its final destination, the private network of the remote location connected over the public network. This involves encapsulating the data shared between the source and destination on the network to keep it from unauthorised access (GRE itself does not encrypt the payload; confidentiality comes from the IPsec protection described below).

Virtual Private Network (VPN): A VPN is built on an existing network. It works by taking the traffic generated by a private network and sending it to the other private network over the public domain, which significantly reduces the cost of connectivity over long distances. As the data transferred over the public domain is in plain text and can be seen and read by other devices, the confidentiality of the data must be protected, and for this we use various encryption techniques. There are two main types of encryption in general use, symmetric and asymmetric. With symmetric cryptography, the key used for encryption is also used for decryption of the messages. With asymmetric cryptography, two different keys are used for encryption and decryption. Asymmetric encryption is commonly used to authenticate the sites to each other, while symmetric encryption is applied to ensure the confidentiality of the IP data. Popular symmetric encryption algorithms are 3DES, DES and AES-256; widely used asymmetric algorithms are RSA and DSA.

IPsec is a suite of Internet protocols that ensures data is transferred securely at the network layer using standard cryptographic techniques. IP (Internet Protocol) had no security mechanism when it was originally designed. With the increasing demands of data and Internet security, new protocols were developed to ensure the confidentiality of data at the network layer, such as ESP (Encapsulating Security Payload) and AH (Authentication Header). IPsec is the suite comprising these protocols, which together provide secure transmission of data. It secures the data within the network using a timed authentication key, which allows only users with the key to access the data, while those without the key are denied access altogether. It also provides different access levels within the network.

CHAPTER 4
4.0 ANALYSIS AND RESULTS
4.1 DISCUSSION

The VPN secure network procedure will be implemented in the lab design below using Packet Tracer and 1841 series routers. Due to the limitation of the application's routers with multiple tunnels, we will only demonstrate a single generic routing encapsulation from the Computer Science department to the Business School department, applying the VPN to both of them. Multiple generic route encapsulations and multiple VPNs on the router will also work perfectly in the various departments. We will implement GRE to connect the private networks of the different departments, namely Administration, Business School, Medical, Computer Science and Engineering. For this setup we have used Cisco 1841 routers at each site, connected by the WAN IPs listed in the table below; the diagram illustrates the connectivity and location of the different departments. The aim is to connect these departments by configuring a GRE VPN and to test the connectivity by having them communicate with each other. The LAN present at each site comprises PCs, servers, laptops and wired as well as wireless networks; we will consider all of them as the private network of that site. A complete configuration is explained below, which demonstrates the configuration and process of the above-mentioned implementation.
Fig A. Setting up a VPN between the University Departments of Sheffield Hallam University in a Campus Environment.

4.2 IP ADDRESSES USED IN THIS CONFIGURATION

TABLE 1
Description | Computer science IP address | Admin IP address | Business school IP address | Engr dept IP address | Med dept IP address
LAN IP (values in document order): 192.168.1.33/27, 192.168.1.65, 192.168.1.97, 192.168.1.129
WAN IP (values in document order): 200.10.0.5/30, 200.10.0.6/30, 200.20.0.9/30, 200.40.0.17/30, 200.20.0.10/30, 200.30.0.14/30, 200.40.0.18
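As an added example, not the report's own configuration, here is the Computer Science router side of the GRE tunnel to the Business School discussed in 4.1, protected with ISAKMP and IPsec in IOS 15.x syntax. It assumes, from the order of Table 1, that the Computer Science WAN address is 200.10.0.5/30 with ISP next hop 200.10.0.6 and that the Business School WAN address is 200.20.0.9; the tunnel subnet 10.0.0.0/30, the interface names, EIGRP AS 100 and the pre-shared key placeholder are also assumptions, and availability of every command in a given Packet Tracer release is not verified here.

```cisco
! Computer Science department router (Cisco 1841, IOS 15.x syntax)
! Assumed from the order of Table 1: CS WAN 200.10.0.5/30, ISP next hop
! 200.10.0.6, Business School WAN 200.20.0.9. Tunnel subnet 10.0.0.0/30,
! interface names, EIGRP AS 100 and the key placeholder are assumptions.
hostname CS-RTR
!
! Default route: all traffic without a more specific route goes to the ISP
ip route 0.0.0.0 0.0.0.0 200.10.0.6
!
! ISAKMP (phase 1): peer authentication and the key-management SA
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 200.20.0.9
!
! IPsec (phase 2): ESP gives the GRE packets confidentiality and integrity
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
! Only GRE traffic between the two tunnel endpoints is protected
ip access-list extended GRE-TO-BUS
 permit gre host 200.10.0.5 host 200.20.0.9
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 200.20.0.9
 set transform-set GRE-TS
 match address GRE-TO-BUS
!
! WAN link to the ISP; the crypto map is applied where the GRE packets leave
interface Serial0/0/0
 ip address 200.10.0.5 255.255.255.252
 crypto map VPN-MAP
 no shutdown
!
! GRE tunnel carrying the private LAN traffic across the public WAN
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 200.20.0.9
! Computer Science LAN (192.168.1.33/27 from Table 1)
interface FastEthernet0/0
 ip address 192.168.1.33 255.255.255.224
 no shutdown
!
! EIGRP advertises the LAN and the tunnel subnet only, so the remote LAN is
! reached via the tunnel while the tunnel endpoints stay on the default route
router eigrp 100
 network 192.168.1.32 0.0.0.31
 network 10.0.0.0 0.0.0.3
```

The Business School router needs the mirror-image configuration (swapped addresses, the same policy, transform set and key). Once both sides are up, show crypto isakmp sa and show crypto ipsec sa confirm the security associations, and a ping from the 192.168.1.32/27 LAN to the remote LAN should raise the encaps/decaps counters.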