Configuring IPsec Site-to-Site VPN Using SDM

Slide 0

IPsec VPNs Configuring IPsec Site-to-Site VPN Using SDM

Slide 1

Introducing the SDM VPN Wizard Interface

Slide 2

Cisco Router and SDM

Slide 3

What Is Cisco SDM?
- SDM is an embedded web-based management tool.
- Provides intelligent wizards to enable quicker and easier deployments, and does not require knowledge of Cisco IOS CLI or security expertise.
- Contains tools for more advanced users: ACL editor, VPN crypto map editor, Cisco IOS CLI preview

Slide 4

Cisco SDM Features
- Smart wizards for these frequent router and security configuration issues: startup wizard, one-step router lockdown, policy-based firewall and ACL management (firewall policy), one-step VPN (site-to-site), and inline IPS
- Guides untrained users through workflow
- Avoid misconfigurations with integrated routing and security
- Secure the existing network infrastructure easily and cost-effectively
- Uses Cisco TAC- and ICSA-recommended security configurations

Slide 5

Introducing the SDM VPN Wizard Interface
- Wizards for IPsec solutions
- Individual IPsec components

Slide 6

Site-to-Site VPN Components

Slide 7

Site-to-Site VPN Components
VPN wizards use two sources to create a VPN connection:
- User input during the step-by-step wizard process
- Preconfigured VPN components
SDM provides some default VPN components:
- Two IKE policies
- IPsec transform set for Quick Setup wizard
Other components are created by the VPN wizards. Some components (e.g., PKI) must be configured before the wizards can be used.

Slide 8

Site-to-Site VPN Components (Cont.)
Individual IPsec components used to build VPNs:
Two main components:
- IPsec
- IKE
Two optional components:
- Group Policies for Easy VPN server functionality
- Public Key Infrastructure for IKE authentication using digital certificates

Slide 9

Launching the Site-to-Site VPN Wizard

Slide 10

Launching the Site-to-Site VPN Wizard

Slide 11

Launching the Site-to-Site VPN Wizard (Cont.)

Slide 12

Quick Setup

Slide 13

Quick Setup (Cont.)

Slide 14

Step-by-Step Setup
Multiple steps are used to configure the VPN connection:
- Defining connection settings: outside interface, peer address, authentication credentials
- Defining IKE proposals: priority, encryption algorithm, HMAC, authentication type, Diffie-Hellman group, lifetime
- Defining IPsec transform sets: encryption algorithm, HMAC, mode of operation, compression
- Defining traffic to protect: single source and destination subnets, or an ACL
- Reviewing and completing the configuration
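The wizard steps listed above each map onto a block of Cisco IOS CLI, which is what the "review the generated configuration" step later shows. The following is an added illustration, not a slide from the deck and not SDM's actual generated output: it shows the shape of configuration those steps produce. The names (SITE_B_TS, SITE_B_CRYPTO_ACL, SITE_B_MAP), the interface name, the RFC 5737 documentation addresses and the private subnets are constructed, and the pre-shared key is a placeholder to be replaced.

```cisco
! IKE proposal step: priority, encryption algorithm, HMAC, authentication type,
! Diffie-Hellman group and lifetime (values chosen here, not taken from SDM defaults)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! Connection settings step: peer address and authentication credential
! (placeholder key, constructed; peer address from the RFC 5737 documentation range)
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
! Transform set step: ESP encryption algorithm, ESP HMAC, mode of operation
crypto ipsec transform-set SITE_B_TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Traffic-to-protect step, ACL form (a single source/destination subnet pair, constructed)
ip access-list extended SITE_B_CRYPTO_ACL
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! Crypto map ties the peer, the transform set and the protected traffic together
crypto map SITE_B_MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set SITE_B_TS
 match address SITE_B_CRYPTO_ACL
!
! Connection settings step: the crypto map is applied to the outside interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map SITE_B_MAP
```

The peer router needs a mirror-image configuration: the same IKE policy parameters, the same pre-shared key, a matching transform set, and a crypto ACL with source and destination swapped; a mismatch in any of these is the usual reason an IKE or IPsec SA never forms. The keywords above (hash sha, group 5, esp-sha-hmac) are the widely supported ones; on newer Cisco IOS releases the stronger hash sha256, group 14 and esp-sha256-hmac keywords are available and should be preferred, and DES, MD5 and Diffie-Hellman group 1 should not be selected in the proposal step at all.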

Slide 15

Connection Settings

Slide 16

Connection Settings

Slide 17

IKE Proposals

Slide 18

IKE Proposals

Slide 19

Transform Set

Slide 20

Transform Set

Slide 21

Defining What Traffic to Protect

Slide 22

Option 1: Single Source and Destination Subnet

Slide 23

Option 2: Using an ACL

Slide 24

Option 2: Using an ACL (Cont.)

Slide 25

Option 2: Using an ACL (Cont.)

Slide 26

Completing the Configuration

Slide 27

Review the Generated Configuration

Slide 28

Review the Generated Configuration (Cont.)

Slide 29

Test Tunnel Configuration and Operation

Slide 30

Monitor Tunnel Operation

Slide 31

Advanced Monitoring
- Advanced monitoring can be performed using the default Cisco IOS HTTP server interface.
- Requires knowledge of Cisco IOS CLI commands.
  router# show crypto isakmp sa (lists active IKE sessions)
  router# show crypto ipsec sa (lists active IPsec security associations)

Slide 32

Troubleshooting
- Advanced troubleshooting can be performed using the Cisco IOS CLI.
- Requires knowledge of Cisco IOS CLI commands.
  router# debug crypto isakmp (debugs IKE communication)

Slide 33

Summary
- SDM is a GUI; one of its features is simplified management of the security mechanisms on Cisco IOS routers.
- SDM can manage various types of site-to-site VPNs.
- SDM can be used to implement a simple site-to-site VPN in three ways: using the quick setup wizard, using the step-by-step wizard, or configuring individual VPN components.
- Upon completing the configuration, SDM converts the configuration into Cisco IOS CLI format.

Slide 34