VIRTUAL PRIVATE NETWORKS USING CISCO IOS ROUTERS


  1. Which security services does IPSec provide? Data integrity, origin authentication, antireplay protection, and confidentiality.

  2. You use encryption to deter a man-in-the-middle attack.

  3. DES, 3DES, AES, and RSA are types of encryption algorithms.

  4. You use Diffie-Hellman (D-H) to derive shared secrets between two IPSec peers.

  5. You use HMACs to provide authentication in IKE Phase 2.

  6. RSA uses asymmetric keys for encryption.

  7. AH does not provide payload encryption.

  8. ESP provides authentication and encryption of the payload.

  9. You can do peer authentication using preshared keys, RSA signatures, and RSA encrypted nonces.

  10. You can have multiple transform sets on each router.

  11. You globally configure lifetime parameters for IPSec using the crypto ipsec security-association lifetime command.

  12. SHA-1 is stronger than MD5.

  13. 3DES is stronger than DES.

  14. AES is designed to be more secure than DES and has variable key length. By default, it uses a 128-bit key; however, it can also be configured to use a 192-bit key or a 256-bit key.

  15. RSA signatures are stronger than preshared keys.

  16. You use crypto key zeroize rsa to remove all old keys from a router.

  17. The goal of planning for IKE Phase 1 is to minimize potential misconfiguration.

  18. ESP is IP protocol number 50. AH is protocol number 51. IKE uses UDP port 500.

  19. No user data flows across the IKE Phase 1 tunnel.

  20. By default, the identity command uses the address keyword. Therefore, whatever IP address you configured on a specific interface will be used for authentication.

  21. The ISAKMP policy default protection suite is

    Encryption algorithm: DES

    Hash algorithm: SHA

    Authentication method: RSA signatures

    D-H group: #1 (768 bit)

    Lifetime: 86,400 seconds, no volume limit

  22. The priority values are used internally by a router and have no meaning or significance to the remote IPSec peer router. Commands to create an IKE Phase 1 policy follow:

     crypto isakmp policy priority
      encryption {des | 3des}
      hash {sha | md5}
      authentication {rsa-sig | rsa-encr | pre-share}
      group {1 | 2}
      lifetime seconds

  23. You can use a command to configure a preshared key using the IP address of the remote IPSec peer. If you are using a preshared key of ATLANTIS and the remote's IP address is 30.1.1.1, issue the following command:

     Router(config)# crypto isakmp key ATLANTIS address 30.1.1.1

  24. A router stores a Certificate Revocation List (CRL) in its memory if the CA does not use an RA. If the CA uses an RA, the router must store multiple CRLs in memory.

  25. If the router already has RSA keys and you need to delete the keys, use the command crypto key zeroize rsa.

  26. The usage-keys keyword is an optional parameter used to generate two RSA key pairs.

  27. Configure CA support using the following commands:

     R1(config)# crypto ca trustpoint name
     R1(ca-trustpoint)# enrollment url http://SECUR/certsrv/mscep/mscep.dll
     R1(config)# crypto ca authenticate name
     R1(config)# crypto ca enroll name

  28. Crypto ACLs determine whether outbound traffic should be encrypted and what traffic is forwarded in cleartext (bypassed).

  29. Crypto ACLs determine whether received traffic is permitted into the router, the traffic is dropped, or the traffic bypasses the router's IPSec engine.

  30. To configure a transform set, use the command crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}.

  31. Before the IPSec tunnel is torn down, a new tunnel is renegotiated, and there is no interruption in the flow of data traffic.

  32. The match address command in crypto map configuration mode actually specifies the crypto ACL that will be used.

  33. You can apply only a single crypto map to an interface. However, you can use the same crypto map on multiple interfaces.

  34. Easy VPN consists of an Easy VPN Server and an Easy VPN Remote.

  35. The Easy VPN Server pushes security policies to the Easy VPN Remote device.

  36. The Cisco Easy VPN features require IOS version 12.2(8)T if you are using a router as a head-end device or remote device.

  37. Some of the new features added to IOS version 12.2(8)T are mode configuration, XAUTH, IKE, dead peer detection (DPD), and split tunneling.

  38. Easy VPN supports HMAC-MD5 and HMAC-SHA1.

  39. Easy VPN supports preshared keys and RSA signatures.

  40. Easy VPN supports D-H groups 2 and 5.

  41. Easy VPN supports DES and 3DES for IKE encryption.

  42. Easy VPN supports DES, 3DES, and NULL for IPSec encryption.

  43. Easy VPN supports ESP and IPCOMP-LZS. Compression is implemented using IPCOMP-LZS.

  44. Easy VPN supports tunnel mode only.

  45. Easy VPN does not support Digital Signature Standard, AH, and PFS.

  46. IOS version 12.2(8)YJ supported Easy VPN Remote Phase II features.

  47. Easy VPN Remote devices do not support subinterfaces, PFS, and multiple peers. Only D-H group 2 is supported.

  48. Disable the Easy VPN Remote Web Manager by using the command no ip http ezvpn. Enable the Cable Monitor Web interface with the command ip http cable-monitor.

  49. Use the key command to configure a preshared key for a specific group in ISAKMP group configuration mode.

  50. You can define a maximum of two DNS servers and two WINS servers.

  51. The fields for the preshared key are labeled Password and Confirm Password. Do not get confused; the password fields are the preshared key that is used for authentication during IKE Phase 1.

  52. MTU size options are default, 576, 1400, and custom. The default MTU size is about 1420 bytes. If you select custom, you can enter any MTU size in the field provided.

  53. SSL is used between the clients and the Router MC. SSH is used between the Router MC and the managed router.

  54. The two ways to populate the Router MC inventory database are through device discovery or configuration file import.

CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Authors: Raman Sud