EzVPN II: Electric Boogaloo

On February 17, 2011, in CCIE, Networking, by Steve

The previous post covered setting up an EzVPN server and an EzVPN client on a router, which is not the easiest task, whatever the name suggests.  But the main reason for running an EzVPN server is not other routers; it is to let an IPsec client at a remote location connect to the main network with a minimum of configuration.  To do that with certificates, as demonstrated in the last post, the IPsec client must be installed and then enrolled with the CA server by hand.  In production this would be done while the user is in the office, because the PKI server should not be exposed to the outside world.


Not So EzVPN…With Retsyn!

On February 17, 2011, in CCIE, Networking, by Steve

So it doesn’t really use retsyn, but it does use certs!  Get it?  Certs…retsyn…

But I digress.

In my award-seeking earlier post, I discussed how to set up a CA server on an IOS router.  I then enrolled two additional routers with that CA, so they now hold signed certificates.  Those certificates can now be put to use by building an EzVPN connection that authenticates with certificates rather than pre-shared keys.
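
As an added worked example (this is not the post's own configuration, which is only excerpted here), the server side of an EzVPN that authenticates clients by certificate: the ISAKMP policy uses rsa-sig instead of pre-share, and an ISAKMP profile binds the trustpoint to a certificate map.  The trustpoint name MYCA, the group name ezvpn (which with certificates is taken from the OU field of the client certificate), the address pool and the interface names are assumptions for the lab:

```cisco
! EzVPN server: certificate authentication instead of a group pre-shared key
! (assumed: trustpoint MYCA is already authenticated and enrolled on this router,
!  and client certificates were issued with OU=ezvpn)
aaa new-model
aaa authentication login EZ-XAUTH local
aaa authorization network EZ-GROUP local
username alice secret Alice-Xauth-Pw        ! Xauth identifies the person; the cert identifies the device
!
ip local pool EZ-POOL 192.168.100.1 192.168.100.50
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig                     ! certificates, not pre-share
 group 2
!
! Group policy pushed to the client; the group name must match the OU in the client cert
crypto isakmp client configuration group ezvpn
 pool EZ-POOL
!
! Only certificates whose subject contains OU=ezvpn match this profile
crypto pki certificate map EZ-CERTMAP 10
 subject-name co ou = ezvpn
!
crypto isakmp profile EZ-PROF
 ca trust-point MYCA
 match certificate EZ-CERTMAP
 client authentication list EZ-XAUTH
 isakmp authorization list EZ-GROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
crypto ipsec profile EZ-IPSEC
 set transform-set TS-AES
 set isakmp-profile EZ-PROF
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZ-IPSEC
!
! Verification (exec mode): the session should show a certificate-authenticated peer
show crypto isakmp sa
show crypto session detail
```

The certificate map is the part worth getting right: without it, any certificate issued by MYCA, including one issued to a site-to-site router, would be accepted as an EzVPN client.  Revocation checking on the trustpoint (crl or ocsp) is what lets you cut off a lost laptop's certificate; a lab trustpoint set to revocation-check none cannot do that.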


CA Server on a Cisco Router

On February 15, 2011, in CCIE, Networking, by Steve

Most of the time when I am in the field setting up VPNs, I am using pre-shared keys for authentication.  Most of my customers are not interested in standing up the PKI that a certificate-based VPN requires.  Nevertheless, certificate authentication adds a layer of security: each router proves its identity with its own key pair and a CA-signed certificate instead of a shared secret that has to be distributed to every peer, which makes it harder to impersonate a peer or mount a "man-in-the-middle" attack.  While it would be nice to build a full internal CA and RA infrastructure in a lab, that is not necessary to understand the basics of getting certificates installed and used for a VPN.  In fact, a Cisco router can itself be set up as a CA server that issues certificates for this very purpose!  Yay!
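
As an added worked example (not the post's own configuration, which is only excerpted here), a minimal IOS CA server and a second router enrolling against it over SCEP.  The hostnames CA1 and R1, the domain lab.local and the address 10.0.0.1 are assumptions; the crypto key generate lines are exec-mode commands shown in place for readability:

```cisco
! --- CA router (assumed hostname CA1, reachable at 10.0.0.1) ---
hostname CA1
ip domain-name lab.local
ip http server                       ! SCEP enrollment is served over HTTP
! exec mode: the CA key pair must carry the same label as the server
crypto key generate rsa general-keys label CA1 modulus 2048
!
crypto pki server CA1
 database level complete             ! keep every issued cert, needed for later revocation
 database url nvram:
 issuer-name CN=CA1.lab.local,O=Lab
 lifetime certificate 365
 lifetime ca-certificate 1825
 grant auto                          ! lab only: issues to anyone who can reach port 80
 no shutdown                         ! prompts for the passphrase that protects the CA key
!
! --- Enrolling router (assumed hostname R1) ---
hostname R1
ip domain-name lab.local
! exec mode
crypto key generate rsa general-keys label R1 modulus 2048
!
crypto pki trustpoint CA1
 enrollment url http://10.0.0.1:80
 subject-name CN=R1.lab.local,OU=vpn
 rsakeypair R1
 revocation-check none               ! lab only; in production use crl or ocsp
!
! exec mode on R1: fetch the CA certificate, then request R1's own certificate
crypto pki authenticate CA1
crypto pki enroll CA1
show crypto pki certificates
```

The one step that must not be skipped is the fingerprint check: crypto pki authenticate prints the CA certificate's fingerprint and asks whether to accept it, and that value should be compared against show crypto pki server on CA1 before answering yes.  In production, grant auto should be replaced by manual approval (crypto pki server CA1 grant) or at least a challenge password, otherwise anyone who can reach the SCEP URL can obtain a VPN-capable certificate.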


GET VPN through IOS Routers

On February 8, 2011, in CCIE, Networking, by Steve

IPsec VPN tunnels are pretty straightforward.  Define the ISAKMP policy and keys (phase 1), define the IPsec transform set (phase 2), define the interesting traffic (the traffic that will be encrypted), create a crypto map or IPsec profile, then apply it to an interface.  All IPsec VPN technologies on IOS follow this basic format.  There are, however, various applications for a VPN: remote access VPNs (where the endpoint can be anywhere) and site-to-site VPNs (where the endpoints are static and known).  For site-to-site VPNs, the type of traffic and the layout of the network determine the kind of tunnel being used, whether it is a crypto map, VTI, DMVPN, or GET VPN.
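
As an added worked example (not the post's own configuration), the five steps above carried through for one side of a classic crypto-map site-to-site tunnel.  The peer address 203.0.113.2, the LAN prefixes, the key and the interface are assumptions; R2 gets the mirror image:

```cisco
! Site-to-site IPsec with a crypto map on R1
! (assumed: peer R2 at 203.0.113.2, local LAN 10.1.0.0/24, remote LAN 10.2.0.0/24)
!
! Step 1: phase 1 policy and the pre-shared key, scoped to the one peer
crypto isakmp policy 10
 encryption aes 256
 hash sha                            ! SHA-1; use hash sha256 where the IOS release supports it
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key S3cretPSK address 203.0.113.2 255.255.255.255
!
! Step 2: phase 2 transform set (ESP with AES-256 and SHA HMAC, tunnel mode)
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 3: interesting traffic; only LAN-to-LAN flows bring up and enter the tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! Step 4: crypto map tying peer, transform set and traffic together
crypto map CM-R2 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 set pfs group14                     ! fresh DH per phase 2 rekey
 match address VPN-TRAFFIC
!
! Step 5: apply to the outside interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-R2
!
! Verification (exec mode)
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.2
```

Two checks a practitioner would make before calling this done: the interesting-traffic ACLs on the two sides must be exact mirrors, or phase 2 fails with proxy-identity errors; and if the outside interface also does NAT, the NAT ACL must deny the 10.1.0.0/24 to 10.2.0.0/24 flow, otherwise the packets are translated before the crypto map ever sees them.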


EIGRP Authentication Through a VTI

On February 5, 2011, in CCIE, Firewalls, Networking, by Steve

Earlier I discussed using a VTI rather than a standard crypto map to tunnel traffic.  A VTI also carries a smaller header than a GRE tunnel (which has its own advantages and disadvantages).  In my previous example I used a static route to send traffic through the tunnel.  Static routes, while quick and easy, do not scale.  Routing protocols such as RIP, OSPF and EIGRP can instead be run across the VTI, and, more importantly, they can use MD5 authentication so that a spoofed neighbor cannot inject routes, the routing-protocol equivalent of a man-in-the-middle attack.
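
As an added worked example (not the post's own configuration), EIGRP with MD5 neighbor authentication running across an IPsec VTI on R1.  The tunnel addressing 172.16.0.0/30, the peer 203.0.113.2, the AS number 100, the key string and the interface names are assumptions; R2 mirrors the configuration with the other tunnel address:

```cisco
! EIGRP over an IPsec VTI with MD5 authentication on R1
! (assumed: peer R2 public address 203.0.113.2, tunnel 172.16.0.1/30 <-> 172.16.0.2,
!  local LAN 10.1.0.0/24 on GigabitEthernet0/1)
!
! IPsec pieces the VTI rides on
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key S3cretPSK address 203.0.113.2 255.255.255.255
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES
!
! Key chain for EIGRP; a second key with accept/send lifetimes allows rollover
key chain EIGRP-KEYS
 key 1
  key-string EigrpKey2011
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4                    ! VTI: no GRE header, all traffic routed in is encrypted
 tunnel protection ipsec profile IPSEC-PROF
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
router eigrp 100
 network 172.16.0.0 0.0.0.3
 network 10.1.0.0 0.0.0.255
 passive-interface default                 ! only peer across the tunnel
 no passive-interface Tunnel0
!
! Verification (exec mode): the neighbor forms only if both key-string values match;
! a mismatch shows as an authentication failure under debug eigrp packets
show ip eigrp neighbors
show ip route eigrp
```

One caveat worth stating: because the EIGRP packets travel inside the IPsec tunnel, the peer is already authenticated by IKE, so MD5 here is defence in depth against a misconfigured or compromised host on either LAN side rather than against an attacker on the Internet path.  The key string is stored in the running configuration, so service password-encryption does not make it secret; treat the configuration backups accordingly.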


The Obligatory CCIE Study Tips

On February 2, 2011, in CCIE, by Steve

Many people who attempt the CCIE do not pass the first time. Or the second. Add me to that infamous list of people who simply fell short. :(

The first time I took the test, I went in with the idea that I probably wouldn’t pass the test the first time.  My fellow CCIEs in my workplace have noted on many an occasion that the first time you take the test it is simply to learn how to take the test.  They couldn’t be more right.  While there is the end of the bell curve that passes the first time through, I can see that taking the test really helps in developing a strategy to pass that cannot really be accomplished by simply studying the material.  Learning the environment, what to expect, and seeing what they really want in the testing situation can eat up valuable time.  And time really isn’t on your side during the exam.
