Book description
Create and manage highly secure IPsec VPNs with IKEv2 and Cisco FlexVPN
The IKEv2 protocol significantly improves VPN security, and Cisco’s FlexVPN offers a unified paradigm and command line interface for taking full advantage of it. Simple and modular, FlexVPN relies extensively on tunnel interfaces while maximizing compatibility with legacy VPNs. Now, two Cisco network security experts offer a complete, easy-to-understand, and practical introduction to IKEv2, modern IPsec VPNs, and FlexVPN.
The authors explain each key concept, and then guide you through all facets of FlexVPN planning, deployment, migration, configuration, administration, troubleshooting, and optimization. You’ll discover how IKEv2 improves on IKEv1, master key IKEv2 features, and learn how to apply them with Cisco FlexVPN.
IKEv2 IPsec Virtual Private Networks offers practical design examples for many common scenarios, addressing IPv4 and IPv6, servers, clients, NAT, pre-shared keys, resiliency, overhead, and more. If you’re a network engineer, architect, security specialist, or VPN administrator, you’ll find all the knowledge you need to protect your organization with IKEv2 and FlexVPN.
- Understand IKEv2 improvements: anti-DDoS cookies, configuration payloads, acknowledged responses, and more
- Implement modern secure VPNs with Cisco IOS and IOS-XE
- Plan and deploy IKEv2 in diverse real-world environments
- Configure IKEv2 proposals, policies, profiles, keyrings, and authorization
- Use advanced IKEv2 features, including SGT transportation and IKEv2 fragmentation
- Understand FlexVPN, its tunnel interface types, and IOS AAA infrastructure
- Implement FlexVPN Server with EAP authentication, pre-shared keys, and digital signatures
- Deploy, configure, and customize FlexVPN clients
- Configure, manage, and troubleshoot the FlexVPN Load Balancer
- Improve FlexVPN resiliency with dynamic tunnel source, backup peers, and backup tunnels
- Monitor IPsec VPNs with AAA, SNMP, and Syslog
- Troubleshoot connectivity, tunnel creation, authentication, authorization, data encapsulation, data encryption, and overlay routing
- Calculate IPsec overhead and fragmentation
- Plan your IKEv2 migration: hardware, VPN technologies, routing, restrictions, capacity, PKI, authentication, availability, and more
Table of contents
- About This E-Book
- Title Page
- Copyright Page
- About the Authors
- Note from the Authors
- About the Technical Reviewers
- Dedications
- Acknowledgments
- Contents at a Glance
- Contents
- Foreword
- Icons Used in This Book
- Command Syntax Conventions
- Introduction
- Goals and Methods
- Who Should Read This Book?
- How This Book is Organized
- Chapter 1 Introduction to IPsec VPNs
- Chapter 2 IKEv2: The Protocol
- Chapter 3 Comparison of IKEv1 and IKEv2
- Chapter 4 IOS IPsec Implementation
- Chapter 5 IKEv2 Configuration
- Chapter 6 Advanced IKEv2 Features
- Chapter 7 IKEv2 Deployments
- Chapter 8 Introduction to FlexVPN
- Chapter 9 FlexVPN Server
- Chapter 10 FlexVPN Client
- Chapter 11 FlexVPN Load Balancer
- Chapter 12 FlexVPN Deployments
- Chapter 13 Monitoring IPsec VPNs
- Chapter 14 Troubleshooting IPsec VPNs
- Chapter 15 IPsec Overhead and Fragmentation
- Chapter 16 Migration Strategies
- Part I: Understanding IPsec VPNs
- Part II: Understanding IKEv2
- Chapter 2. IKEv2: The Protocol
- IKEv2 Overview
- The IKEv2 Exchange
- IKE_SA_INIT
- Key Material Generation
- IKE_AUTH
- CREATE_CHILD_SA
- IKEv2 Packet Structure Overview
- The INFORMATIONAL Exchange
- IKEv2 and Network Address Translation
- Additions to RFC7296
- RFC5998 An Extension for EAP-Only Authentication in IKEv2
- RFC5685 Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)
- RFC6989 Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)
- RFC6023 A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)
- Summary
- References
- Chapter 3. Comparison of IKEv1 and IKEv2
- Brief History of IKEv1
- Exchange Modes
- Anti-Denial of Service
- Lifetime
- Authentication
- High Availability
- Traffic Selectors
- Use of Identities
- Network Address Translation
- Configuration Payload
- Mobility & Multi-homing
- Matching on Identity
- Reliability
- Cryptographic Exchange Bloat
- Combined Mode Ciphers
- Continuous Channel Mode
- Summary
- References
- Part III: IPsec VPNs on Cisco IOS
- Part IV: IKEv2 Implementation
- Part V: FlexVPN
- Chapter 8. Introduction to FlexVPN
- Chapter 9. FlexVPN Server
- Sequence of Events
- EAP Authentication
- AAA-based Pre-shared Keys
- Accounting
- Per-Session Interface
- Auto Detection of Tunnel Transport and Encapsulation
- RADIUS Packet of Disconnect
- RADIUS Change of Authorization (CoA)
- IKEv2 Auto-Reconnect
- User Authentication, Using AnyConnect-EAP
- Dual-factor Authentication, Using AnyConnect-EAP
- RADIUS Attributes Supported by the FlexVPN Server
- Remote Access Clients Supported by FlexVPN Server
- Summary
- Reference
- Chapter 10. FlexVPN Client
- Introduction
- FlexVPN Client Overview
- Setting up the FlexVPN Server
- EAP Authentication
- Split-DNS
- Windows Internet Naming Service (WINS)
- Domain Name
- FlexVPN Client Profile
- Backup Gateways
- Tunnel Interface
- Tunnel Initiation
- Dial Backup
- Backup Group
- Network Address Translation
- Design Considerations
- Troubleshooting FlexVPN Client
- Summary
- Chapter 11. FlexVPN Load Balancer
- Chapter 12. FlexVPN Deployments
- Introduction
- FlexVPN AAA-Based Pre-Shared Keys
- FlexVPN User and Group Authorization
- FlexVPN Routing, Dual Stack, and Tunnel Mode Auto
- FlexVPN Client NAT to the Server-Assigned IP Address
- FlexVPN WAN Resiliency, Using Dynamic Tunnel Source
- FlexVPN Hub Resiliency, Using Backup Peers
- FlexVPN Backup Tunnel, Using Track-Based Tunnel Activation
- Summary
- Part VI: IPsec VPN Maintenance
- Chapter 13. Monitoring IPsec VPNs
- Chapter 14. Troubleshooting IPsec VPNs
- Part VII: IPsec Overhead
- Part VIII: Migration to IKEv2
- Chapter 16. Migration Strategies
- Introduction to Migrating to IKEv2 and FlexVPN
- Consideration when Migrating to IKEv2
- Hardware Limitations
- Current VPN Technology
- Routing Protocol Selection
- Restrictions When Running IKEv1 and IKEv2 Simultaneously
- Current Capacity
- IP Addresses
- Software
- Amending the VPN Gateway
- Global IKE and IPsec Commands
- FlexVPN Features
- Familiarization
- Client Awareness
- Public Key Infrastructure
- Internet Protocol Version 6
- Authentication
- High Availability
- Asymmetric Routing
- Migration Strategies
- Migration Verification
- Consideration for Topologies
- Summary
- Index
- Inside Front Cover
- Inside Back Cover
- Code Snippets
Product information
- Title: IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS
- Author(s):
- Release date: September 2016
- Publisher(s): Cisco Press
- ISBN: 9780134426396