I was able to establish a site-to-site VPN in my lab over my existing frame-relay topology. Usually when people think of VPNs, they think of two VPN gateways establishing a secure private tunnel over the internet. In most practical cases this is true. However, a VPN can be tunneled over almost any routed infrastructure, including a private frame-relay or MPLS network. As long as the two VPN servers/gateways (usually firewalls) can reach each other and agree on hashing, authentication, DH group, lifetime, encryption, and the traffic to be protected, you should be able to establish a site-to-site VPN. Below is a sample of my site-to-site VPN lab.
The goal of this site-to-site VPN was to permit traffic from the 10.11.1.0/24 and 10.11.2.0/24 networks behind the Zone-Based Firewall to the 10.0.2.16/24 network behind the HQ ASA and the 192.168.3.0/24 network behind my Internet Gateway/Core Router WITHOUT advertising those networks via static routes or a dynamic routing protocol.
VPN is very simple in nature yet very complex at the same time. The key to configuring a site-to-site VPN is making sure that both sides agree to the same protocols. As you can see in my VPN I used:
Hashing - SHA1
Authentication - PSK
Group - DH2
Lifetime - 86400
Encryption - AES128
I used these parameters for both tunnels, IKE phase 1 and IKE phase 2. The first tunnel (the ISAKMP SA) simply establishes whether the VPN gateways are willing to talk to each other and authenticates them; if those conditions are met, the second tunnel (the IPsec SA) is negotiated under the protection of the first and defines the traffic that will be allowed over the VPN between nodes on their respective networks. If you get ONE parameter off, everything fails. The only flexibility is in the lifetime: if the two sides propose different lifetimes, the shorter one is used. Other than that, everything has to match, including the pre-shared key and the crypto ACLs on each side, which must be mirror images of each other. One caveat for phase 2: the DH group is only negotiated there when PFS is enabled, so enable it on both peers or on neither.
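Below is an added worked example (my own configuration, not the lab configuration from this post) showing how those five parameters turn into IKEv1 phase 1 and phase 2 configuration on the Cisco IOS Zone-Based Firewall and on the HQ ASA. The peer addresses (203.0.113.x), interface and zone names, policy and map names and the pre-shared keys are placeholders I have assumed; the 10.0.2.16/24 network from the post is written as 10.0.2.0/24, the /24 that contains it.

```cisco
! ===== Zone-Based Firewall (Cisco IOS), assumed frame-relay address 203.0.113.10 =====
! Phase 1 (ISAKMP SA): the five HAGLE values must match the peer's policy.
! H = sha, A = pre-share, G = group 2, L = 86400 s (mismatch tolerated, shorter wins), E = aes 128
crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
 encryption aes 128
! One PSK per peer: 203.0.113.1 = HQ ASA, 203.0.113.2 = core router (assumed addresses)
crypto isakmp key Lab-PSK-1 address 203.0.113.1
crypto isakmp key Lab-PSK-2 address 203.0.113.2
!
! Phase 2 (IPsec SA): the same cipher and hash carried into the transform set
crypto ipsec transform-set TS-AES128-SHA esp-aes 128 esp-sha-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 86400
!
! "Interesting traffic": only these source/destination pairs enter the tunnels.
! Nothing is advertised by routing; the crypto ACL alone selects the traffic.
ip access-list extended VPN-TO-HQ
 permit ip 10.11.1.0 0.0.0.255 10.0.2.0 0.0.0.255
 permit ip 10.11.2.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended VPN-TO-CORE
 permit ip 10.11.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 10.11.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! One crypto map, one entry per peer; set pfs group2 re-uses DH group 2 in phase 2
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES128-SHA
 set pfs group2
 match address VPN-TO-HQ
crypto map VPN-MAP 20 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES128-SHA
 set pfs group2
 match address VPN-TO-CORE
!
! Apply the map on the frame-relay subinterface facing the peers (name assumed)
interface Serial0/0/0.102 point-to-point
 crypto map VPN-MAP
!
! The ZBFW must let IKE (UDP/500, UDP/4500) and ESP reach the router itself:
! a pass policy between the OUTSIDE zone and the self zone in both directions.
ip access-list extended IKE-ESP
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
class-map type inspect match-any CM-VPN
 match access-group name IKE-ESP
policy-map type inspect PM-VPN
 class type inspect CM-VPN
  pass
 class class-default
  drop
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-VPN
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect PM-VPN

! ===== HQ ASA (IKEv1, ASA 8.4+ syntax) =====
! Same HAGLE values; on the ASA "encryption aes" is AES-128 and "hash sha" is SHA-1
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key Lab-PSK-1
crypto ipsec ikev1 transform-set TS-AES128-SHA esp-aes esp-sha-hmac
! Mirror image of the ZBFW's VPN-TO-HQ ACL; if the two are not mirrors, phase 2 fails
access-list VPN-TO-BRANCH extended permit ip 10.0.2.0 255.255.255.0 10.11.1.0 255.255.255.0
access-list VPN-TO-BRANCH extended permit ip 10.0.2.0 255.255.255.0 10.11.2.0 255.255.255.0
crypto map VPN-MAP 10 match address VPN-TO-BRANCH
crypto map VPN-MAP 10 set peer 203.0.113.10
crypto map VPN-MAP 10 set ikev1 transform-set TS-AES128-SHA
crypto map VPN-MAP 10 set pfs group2
crypto map VPN-MAP interface outside
! Exempt VPN traffic from NAT so private source addresses reach the tunnel (repeat for 10.11.2.0/24)
object network NET-HQ
 subnet 10.0.2.0 255.255.255.0
object network NET-BRANCH1
 subnet 10.11.1.0 255.255.255.0
nat (inside,outside) source static NET-HQ NET-HQ destination static NET-BRANCH1 NET-BRANCH1 no-proxy-arp route-lookup
```

To check the result, generate interesting traffic (a ping from a 10.11.1.0/24 host to a 10.0.2.0/24 host) and look at `show crypto isakmp sa` and `show crypto ipsec sa` on the IOS router, or `show crypto ikev1 sa` and `show crypto ipsec sa` on the ASA: a phase 1 SA in state QM_IDLE with no phase 2 SA usually means the crypto ACLs or the PFS setting disagree, while no phase 1 SA at all points at a HAGLE value, the PSK, or the ZBFW self-zone policy. The core router would carry the same IOS phase 1/phase 2 configuration with a crypto ACL mirroring VPN-TO-CORE.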
I highly recommend watching both Jeremy Cioara's (2008) and Keith Barker's (2012) Nuggets on site-to-site VPNs. They both make it a lot easier by explaining the basic fundamentals of establishing a site-to-site VPN, and Keith also introduces a very creative way to remember the required VPN tunnel parameters with the acronym HAGLE: Hashing, Authentication, Group, Lifetime, Encryption.
On another side note, Keith Barker also taught me an important lesson at the end of his CCNA Security series. When building a network, have security in mind before and during the implementation, not after. When establishing an enterprise (or larger) level network, we as network administrators should always be thinking of ways to secure the network in the planning phases, because it is so much more difficult to implement security after the network has been established, or worse, after it has been compromised.
I REALLY enjoyed performing this lab and watching the VPN come to life. I will probably practice more with site-to-site VPNs and get more comfortable configuring them in different and more complex scenarios. Other than that, next stop, CCNP!