VPN

The Trouble with IPsec VPNs, Part#3: IKE Phase 1 Success

Mark_Lewis — Mon, 27 Oct 2008 11:37:26 -0400

I have surfaced again after a busy few weeks - and I can finally continue my description of IPsec VPN troubleshooting (sorry about the delay). This time I'll take a closer look at IKE Phase 1 (main mode) troubleshooting.

Before getting into an analysis of specific problems that can occur with IKE Phase 1, it's a good idea to use the debug crypto isakmp command to examine an example of successful IKE Phase 1 negotiation. This negotiation takes place between two IPsec VPN gateways called Tokyo and Osaka:

Read more

Fix for Cisco VPN Error 51

Cisco Subnet — Fri, 17 Oct 2008 18:14:15 -0400

I don't use Apple Macs but I do use Cisco VPN client software. However, it appears to me that Cisco VPN and Macs sometimes have problems with each other (that much was pointed out by blogger Rob Slifka back in February).

Read more

DMVPN: How this Cisco IOS technology can help cut 70% off your corporate phone bill, Part 1

Cisco Subnet — Mon, 29 Sep 2008 17:59:25 -0400

If you work with Cisco IOS you need to know about DMVPN - the Dynamic Multipoint Virtual Private Network, which could help to cut up to 70% off your company's telephone bill. George Morton, dual CCIE 18532, Router/Switch & Security of IT consultancy Madison Solutions, has written a whitepaper about this Cisco technology, which we will post over two parts. Part 1 begins today (Update: Part 2 is here.)

Dynamic Multipoint Virtual Private Network, (DMVPN) is an idea whose time has come. Now the telephone companies don’t want you to read about DMVPN. So if you love your telephone company and don’t want to save up to 70% off your current telephone bill stop reading now.

With up to 70% savings over your current MPLS and Frame Relay networks you are going to have understand DMVPN. So even if not today, DMVPN is in your future, so let’s start today.

Part 1 of this series will introduce DMVPN and Part 2 will discuss configurations. Later on, we’ll also publish articles that will discuss DMVPN in various applications that support business-to-business, supplier, customer, employee and stakeholders.

Read more

The Trouble with IPsec VPNs, Part#2: Methodology

Mark_Lewis — Fri, 05 Sep 2008 17:26:02 -0400

A while back, I started blogging on the subject of IPsec troubleshooting. In that blog post, I mentioned that in order to successfully troubleshoot IPsec in a fast and efficient manner it is necessary to have a good knowledge of how IPsec works and to follow a good troubleshooting methodology.

So, in this blog post, I am going to describe a simple and efficient troubleshooting methodology. This methodology is shown in the following figure:

Figure 1: IPsec Troubleshooting Methodology

Read more

Securing the Line Part 5 - Media Encryption

Matthew Nickasch — Tue, 02 Sep 2008 17:12:31 -0400

As discussed earlier, VLANs, ACLs, and firewall policies are extremely important components to any converged network security architecture. However, what these methods do not secure is the content within each call or conversation. The industry is moving towards securing each media path used for voice, video, and data communication. Even internally, there are many threats that may potentially compromise the content within the packets transmitted over an IP network.

Read more

Securing the Line Part 3 - Access Control

Matthew Nickasch — Tue, 26 Aug 2008 13:51:16 -0400

Yesterday we discussed the use of Virtual LANs (VLANs) to segment and separate voice and data networks. This level of separation significantly increases security across both the data and voice networks, and also provides yet another of complication for any would-be hacker. While Voice VLANs sound like a good idea (and they are), they're practically useless without the proper inter-VLAN routing configuration and safeguards. LAN segmentation means virtually nothing without access control lists, firewalls, and policies to route and protect data on both VLANs.

Read more

For downtown Denver businesses, DNC conference sparks mass roll out of work from home solutions

jheary — Mon, 25 Aug 2008 20:47:25 -0400

The Democratic National Convention is in my home state this year. Many of my downtown Denver customers and friends have worked diligently over the past couple months to setup a remote access teleworker solution for their businesses. Projects and timetables were linked to the coming of the DNC, surprise, surprise. Downtown Denver businesses are worried that their employees might not be able to commute in for work everyday. Things like increase in traffic, closings of streets due to motorcades, and the possibility of a perimeter lockdown of the City due to security incidents or threats are all top of mind. This has caused many businesses to look to teleworker solutions as a way to have employees work from home during the DNC and beyond.

Read more

The Trouble with IPsec VPNs, Part#1

Mark_Lewis — Mon, 14 Jul 2008 13:26:12 -0400

Depending on their size and configuration, IPsec VPNs can be relatively easy to design and deploy, even if you are not all that knowledgeable about how IPsec actually works. But, if you don't understand how IPsec works and you don't apply a good troubleshooting methodology, then when your IPsec VPN breaks or doesn't work in the first place, you'll probably have to resort to what I call ‘stab-in-the-dark' (SITD) troubleshooting.

Read more

iPhone to include Cisco VPN

Cisco Subnet — Tue, 10 Jun 2008 00:12:30 -0400

As expected, Apple revealed the new iPhone 2.0 Monday. Windows into Silicon Valley blogger Alex Lewis reports that it will ship with the Cisco VPN as well as the new 2.0 software including Exchange ActiveSync, and A-GPS. Also see: iPhone 2.0 release slated for early July

Go to Cisco Subnet for more Cisco news, blogs, discussion forums, security alerts, book giveaways, and more.

Security concerns arise for home workers allowed to VPN into company networks, Cisco 800 Series was the perfect fit.

Larry Chaffin — Mon, 19 May 2008 19:57:46 -0400

Security concerns arise for home workers allowed to VPN into company networks

I was recently brought in by a company who had a security breach due to a home user who was allowed to create a VPN tunnel back to the home office. This was done by creating an end point to end point connection from the users home wlan router which has a vpn option on it to the home office vpn router. Normally this would not be an issue but the user set up different ssid's for home and work, the only ssid that had any type of WEP on it was the one used for the company laptop. The other ssid's created for home users and children did not have a WEP settings created.

Read more

MPLS: How does it work?

andrenym00 — Sun, 06 Apr 2008 02:09:34 -0400

It is in some ways similar to an internet based VPN (Virtual Private Network) in the setup... but very different as well.

MPLS in its root is a signal formatting that allows traffic to be tagged and prioritized. Ultimately, carriers either run MPLS over their IP network cloud or some maintain a separate network cloud for MPLS only. Either way, you connect into the cloud via whatever you need. Could be a T1 or bonded T1s for one location, full or fractional DS3 for others, etc.

Read more

Configuring an L2TPv3 Ethernet Pseudowire

Mark_Lewis — Mon, 24 Mar 2008 18:18:04 -0400

As I mentioned last time, L2TPv3 has a plethora of capabilities, including the capability to be used for remote access VPNs, the capability to transport a number of Layer-2 protocols in a pseudowire configuration, the capability to transport MPLS Layer-3 VPN traffic, and the capability to transport IPv6 over an IPv4 backbone network.

In this blog post, I am going to focus on the most popular application for L2TPv3 - pseudowires.

The first question to answer in regard to L2TPv3 pseudowire configuration is, ‘What is a pseudowire?'. As I mentioned briefly last time, a pseudowire is simply an emulated circuit. By using L2TPv3, it is possible to extend a number of layer-2 circuit types over an IP backbone network.

Read more

Apple integrates Cisco’s VPN Client into the iPhone

jheary — Thu, 06 Mar 2008 23:18:26 -0500

Today Apple announced the details of the iPhone 2.0 software beta. Many new features are coming to the coolest gadget on the planet. Of particular interest to me is the integration of Cisco’s VPN client software into the iPhone. This will be a full blown IPSEC client that will even support the use of certificates or password based multi-factor authentication. Very nice! The iPhone VPN client will be able to connect to Cisco VPN gateway devices, like the Cisco ASA and older Cisco PIX. Apple also announced support for WPA enterprise with 802.1x authentication coming in the 2.0 code. This will enable more enterprises to allow the iPhone to connect securely to their wireless infrastructure.

Read more

Cyber Warfare: Frontline combat power gets a boost with the new Cisco ASR 1000 Router Series

jheary — Wed, 05 Mar 2008 15:51:12 -0500

Yesterday, Cisco officially announced its next generation, frontline, cyber superiority Battlestar, known as the Cisco ASR 1000 series routers. This new edge router series offers a 10 fold+ increase in routing, IPSEC, and Firewall performance versus previous midrange aggregation routers with these services enabled. Much has already been reported on it, but I wanted to focus on security. Is the new Cisco ASR 1000 Series unmatched in the raw combat power it is capable of unleashing on its enemies in cyberspace? Let’s dig into the performance characteristics and combat power of this next-gen edge router to see. And keeping in mind that raw combat power per se cannot guarantee cyber combat success, we’ll also look into the technological advances that it offers.

Read more

What is MPLS?

andrenym00 — Fri, 29 Feb 2008 02:08:44 -0500

It is in some ways similar to an internet based VPN (Virtual Private Network) in the setup... but very different as well.

L2TPv3 Pseudowhat?

Mark_Lewis — Mon, 25 Feb 2008 17:48:32 -0500

L2TPv3 has been around for a while now, but it seems to be one of those things that not too many people know about.

Typically, when I raise the subject of L2TPv3, I get one of the following reactions:

‘L2TPv3 pseudowhat?'

‘Nobody uses that anymore - it's obsolete, isn't it?'

‘That's a good solution for tunnelling PPP, but we're talking about Ethernet.'

So, for those who aren't really aware of L2TPv3 or what it can do, I thought I'd blog a little on the subject.

The first thing to say about L2TPv3 is that it is not L2TPv2, but it is based on L2TPv2. And the first thing to say about L2TPv2 is that it is neither L2F nor PPTP, but it is based on both of those protocols.

Read more

10 wishes for router security

Gregg_and_Dave — Tue, 12 Feb 2008 11:43:58 -0500

Reader Shaun wrote in with 10 points he'd like to see in router security (our responses are below):

1. Stand-alone Router secured

2. Stand-alone switch secured. Including Port Security features.

3. Stand-alone Router supporting a single secured incoming VPN connection

4. Stand-alone Router supporting maximum secured Wireless

5. Stand-alone Router supporting a VPN across a maximum secured Wireless

6. RIP2/OSPF/EIGRP routing between 2 or more routers done securely with full explanation on how key chains works and what are the relevent/significant parts of configuring key chains.

7. Securing Multiple switches, VLAN's and VTP Domains.

8. Setting up secure in band Managment Networks

Read more

Understanding MPLS VPNs, Part I

jdoyle — Wed, 06 Feb 2008 21:57:49 -0500

One of the most compelling drivers for MPLS in service provider networks is its support for Virtual Private Networks (VPNs), in which the provider’s customers can connect geographically diverse sites across the provider’s network.

There are three kinds of MPLS-based VPN:

Read more

Choosing the Right Remote Access VPN: 9 Important Questions

Mark_Lewis — Thu, 27 Dec 2007 16:10:29 -0500

Last time I looked at some important questions to ask when selecting a site-to-site VPN protocol or technology. This time I will discuss some the important questions to ask when choosing a remote access VPN.

Read more

Which Site-to-Site VPN: 10 Important Questions

Mark_Lewis — Sat, 22 Dec 2007 21:56:21 -0500

One of the most common questions that I am asked is what type of VPN an organization should deploy. So, in the hope that it will save some people some time, I thought I’d just go through some of the most basic considerations when choosing a VPN protocol.

Let’s suppose you’ve decided to deploy a VPN to connect your organization’s/customers’ sites (a site-to-site VPN). But you are not sure which VPN technology and type you should deploy – should it be IPsec, MPLS layer-3, MPLS layer-2, L2TPv3-based, or another technology?

Read more