Wednesday, February 15, 2012

Configuring a Site-to-Site VPN between Two Cisco Routers

A site-to-site virtual private network (VPN) allows you to maintain a secure "always-on" connection between two physically separate sites using an existing non-secure network such as the public Internet. Traffic between the two sites is transmitted over an encrypted tunnel to prevent snooping or other types of data attacks.

This configuration requires an IOS software image that supports cryptography. The one used in the examples is c870-advipservicesk9-mz.124-15.T6.bin.

There are several protocols used in creating the VPN, including protocols used for key exchange between the peers, those used to encrypt the tunnel, and hashing technologies which produce message digests.

VPN Protocols

IPsec: Internet Protocol Security (IPsec) is a suite of protocols used to secure IP communications. IPsec involves both key exchange and tunnel encryption. You can think of IPsec as a framework for implementing security. When creating an IPsec VPN, you can pick from a variety of security technologies to implement the tunnel.

ISAKMP (IKE): Internet Security Association and Key Management Protocol (ISAKMP) provides a means for authenticating the peers in a secure communication. It typically uses Internet Key Exchange (IKE), but other technologies can also be used. Public keys or a pre-shared key are used to authenticate the parties to the communication.

MD5: Message-Digest algorithm 5 (MD5) is a widely used, but partially insecure, cryptographic hash function with a 128-bit hash value. A cryptographic hash function is a way of taking an arbitrary block of data and returning a fixed-size bit string, the hash value, based on the original block of data. The hashing process is designed so that a change to the data will also change the hash value. The hash value is also called the message digest.

SHA: Secure Hash Algorithm (SHA) is a set of cryptographic hash functions designed by the National Security Agency (NSA). The three SHA algorithms are structured differently and are known as SHA-0, SHA-1, and SHA-2. SHA-1 is a commonly used hashing algorithm that produces a 160-bit hash value.

ESP: Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite that provides origin authenticity, integrity, and confidentiality protection of packets. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure. Unlike the other IPsec protocol, Authentication Header (AH), ESP does not protect the IP packet header. This difference makes ESP popular for use in a Network Address Translation configuration. ESP operates directly on top of IP, using IP protocol number 50.

DES: The Data Encryption Standard (DES) provides 56-bit encryption. It is no longer considered a secure protocol because its short key length makes it vulnerable to brute-force attacks.

3DES: Triple DES was designed to overcome the limitations and weaknesses of DES by using three different 56-bit keys in an encrypt, decrypt, and re-encrypt operation. 3DES keys are 168 bits in length. When using 3DES, the data is first encrypted with one 56-bit key, then decrypted with a different 56-bit key, and that output is then re-encrypted with a third 56-bit key.

AES: The Advanced Encryption Standard (AES) was designed as a replacement for DES and 3DES. It is available in varying key lengths and is generally considered to be about six times faster than 3DES.

HMAC: The Hashing Message Authentication Code (HMAC) is a type of message authentication code (MAC). HMAC is calculated using a specific algorithm involving a cryptographic hash function in combination with a secret key.

Configuring a Site-to-Site VPN

The process of configuring a site-to-site VPN involves several steps:

Phase One configuration involves configuring the key exchange. This process uses ISAKMP to identify the hashing algorithm and authentication method. It is also one of two places where you must identify the peer at the opposite end of the tunnel. In this example, we chose SHA as the hashing algorithm due to its more robust nature, along with its 160-bit digest. The key "vpnkey" must be the same on both ends of the tunnel. The address "192.168.16.105" is the outside interface of the router at the opposite end of the tunnel.

Sample phase one configuration:

tukwila(config)#crypto isakmp policy 10
tukwila(config-isakmp)#hash sha
tukwila(config-isakmp)#authentication pre-share
tukwila(config-isakmp)#crypto isakmp key vpnkey address 192.168.16.105

Phase Two configuration involves configuring the encrypted tunnel. In Phase Two configuration, you create and name a transform set which identifies the encryption protocols used to create the secure tunnel. You must also create a crypto map in which you identify the peer at the opposite end of the tunnel, specify the transform-set to be used, and specify which access control list will identify permitted traffic flows. In this example, we chose AES due to its heightened security and enhanced performance. The statement "set peer 192.168.16.25" identifies the outside interface of the router at the opposite end of the tunnel. The statement "set transform-set vpnset" tells the router to use the parameters specified in the transform-set vpnset in this tunnel. The "match address 100" statement is used to associate the tunnel with access-list 100, which will be defined later.

Sample phase two configuration:

tukwila(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
tukwila(cfg-crypto-trans)#exit
tukwila(config)#crypto map vpnset 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
tukwila(config-crypto-map)#set peer 192.168.16.105
tukwila(config-crypto-map)#set transform-set vpnset
tukwila(config-crypto-map)#match address 100

The crypto map must be applied to your outside interface (in this example, interface FastEthernet 4):

tukwila(config)#int f4
tukwila(config-if)#crypto map vpnset

You must create an access control list to explicitly allow traffic from the router's inside LAN across the tunnel to the other router's inside LAN (in this example, the router tukwila's inside LAN network address is 10.10.10.0/24 and the other router's inside LAN network address is 10.20.0.0/24):

tukwila(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255

(For more information about the syntax of access-control lists, see my other articles on creating and managing Cisco router access-control lists.)

You must also create a default gateway (also known as the "gateway of last resort"). In this example, the default gateway is at 192.168.16.1:

tukwila(config)#ip route 0.0.0.0 0.0.0.0 192.168.16.1

Verifying VPN Connections

The following two commands can be used to verify VPN connections:

Router#show crypto ipsec sa
This command displays the settings used by the current security associations (SAs).

Router#show crypto isakmp sa
This command displays current IKE security associations.

Troubleshooting VPN Connections

After confirming physical connectivity, audit both ends of the VPN connection to ensure they mirror each other.

Use debugging to analyze VPN connection difficulties:

Router#debug crypto isakmp
This command allows you to observe Phase 1 ISAKMP negotiations.

Router#debug crypto ipsec
This command allows you to observe Phase 2 IPsec negotiations.
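The "mirror each other" audit described above, and the Phase One/Phase Two settings it has to compare, as an added example that is not part of the original article: a Python script that pulls the tunnel-defining fields out of two IOS configuration extracts and reports every place they disagree. Both configs are constructed samples; the tukwila side follows the article, while the second router and its outside address 192.168.16.25 are assumptions.

```python
import re
from ipaddress import IPv4Network

# Constructed sample configs (not from the article). tukwila follows the article;
# the remote router's outside address 192.168.16.25 is an assumption.
TUKWILA = """crypto isakmp policy 10
 hash sha
crypto isakmp key vpnkey address 192.168.16.105
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer 192.168.16.105
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.0.255
 ip address 192.168.16.25 255.255.255.0
"""
REMOTE = """crypto isakmp policy 10
 hash sha
crypto isakmp key vpnkey address 192.168.16.25
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map vpnset 10 ipsec-isakmp
 set peer 192.168.16.25
access-list 100 permit ip 10.20.0.0 0.0.0.255 10.10.10.0 0.0.0.255
 ip address 192.168.16.105 255.255.255.0
"""

def parse(cfg):
    """Pull the tunnel-defining fields out of one router's config extract."""
    find = lambda pat: re.search(pat, cfg, re.M).group(1)
    acl = re.search(r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M)
    return {
        "hash": find(r"^ hash (\S+)"),
        "psk": find(r"^crypto isakmp key (\S+) address"),
        "key_addr": find(r"^crypto isakmp key \S+ address (\S+)"),
        "peer": find(r"^ set peer (\S+)"),
        "transform": find(r"^crypto ipsec transform-set \S+ (.+)$"),
        "outside": find(r"^ ip address (\S+) "),
        # IOS wildcard masks are hostmasks, which IPv4Network accepts as "addr/mask"
        "local": IPv4Network(acl.group(1).replace(" ", "/")),
        "remote": IPv4Network(acl.group(2).replace(" ", "/")),
    }

def audit(a, b):
    """List the ways the two ends fail to mirror each other (empty list = OK)."""
    problems = [f"{f} differs: {a[f]} vs {b[f]}"
                for f in ("hash", "psk", "transform") if a[f] != b[f]]
    for side, other in ((a, b), (b, a)):  # each side must point at the other's outside interface
        if {side["peer"], side["key_addr"]} != {other["outside"]}:
            problems.append(f"peer/key address mismatch: {side['peer']}/{side['key_addr']} vs {other['outside']}")
        if side["local"] != other["remote"]:  # ACL source and destination must be swapped
            problems.append(f"ACL not mirrored: {side['local']} vs {other['remote']}")
    return problems
```

Run audit(parse(TUKWILA), parse(REMOTE)) against extracts of show running-config from both routers; an empty list means the two ends agree on hash, pre-shared key, transform set, peer addresses and the mirrored ACL.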

Copyright (c) 2008 Don R. Crawley
