IPSEC VPN, GRE, SSL and Webvpn

IPSEC VPN site to site tunnel:
IPSEC VPN can encrypt your traffic so that it moves via the internet cloud as a hidden payload, securing enterprise and confidential data so that hackers don't harm your privacy. Both units that agree to establish IPSEC tunnels have to be identical in terms of configuration. There are two phases: one is main mode and the second is aggressive mode.

Main Mode:
Main mode has three two-way exchanges between the initiator and receiver.
First exchange: The algorithms and hashes used to secure the IKE communications are agreed upon in matching IKE SAs in each peer.
Second exchange: This exchange uses a Diffie-Hellman exchange to generate shared secret keying material used to generate shared secret keys and to pass nonces, which are random numbers sent to the other party, signed, and returned to prove their identity.
Third exchange: This exchange verifies the other side's identity. The identity value is the IPSec peer's IP address in encrypted form.
The main outcome of main mode is matching IKE SAs between peers to provide a protected pipe for subsequent protected ISAKMP exchanges between the IKE peers. The IKE SA specifies values for the IKE exchange: the authentication method used, the encryption and hash algorithms, the Diffie-Hellman group used, the lifetime of the IKE SA in seconds or kilobytes, and the shared secret key values for the encryption algorithms. The IKE SA in each peer is bidirectional.

Main mode (Phase-I):
DH Group:
Authentication type:
Encryption type:
Hashing type:

Aggressive Mode:
In the aggressive mode, fewer exchanges are done and with fewer packets. In the first exchange, almost everything is squeezed into the proposed IKE SA values: the Diffie-Hellman public key, a nonce that the other party signs, and an identity packet, which can be used to verify the initiator's identity through a third party. The receiver sends everything back that is needed to complete the exchange. The only thing left is for the initiator to confirm the exchange.
The weakness of using the aggressive mode is that both sides have exchanged information before there is a secure channel. Therefore, it is possible to sniff the wire and discover who formed the new SA. However, aggressive mode is faster.

Aggressive mode (Phase-II):
Encryption:
Payload encryption:
Hashing:
Identity information:
Lifetime:
PFS group:
Mode: Tunnel or transport
Link: https://learningnetwork.cisco.com/docs/DOC-8696

Remote IPSEC VPN:
The same concepts and features are used for remote IPSEC VPN, but the remote user has to use a VPN client such as the Cisco VPN client.

GRE Tunnel:
Because IPSEC can't support dynamic routing, one has to use GRE to carry the dynamic routing information; it is only required when you have to use OSPF, RIP, EIGRP or BGP between two sites. This is called IPSEC over GRE tunnel.
IPSEC with GRE: https://learningnetwork.cisco.com/docs/DOC-2457

SSL VPN:
It has to be clientless: compared with remote IPSEC VPN, this type doesn't need any client software. The only thing required is an internet browser that natively supports Secure Socket Layer (SSL) encryption, or they can make connections using a full client (such as AnyConnect).
SSL VPN: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/ravpnbas.html

Webvpn:
WebVPN: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/webvpn.html
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml

Difference between SSL and Web VPN:
Clientless SSL VPN (WebVPN). In my words, SSL VPN is actually WebVPN, meaning both are the same because both use a browser and SSL/TLS security.
Both are the same:
https://supportforums.cisco.com/docs/DOC-2213
https://supportforums.cisco.com/thread/242849
http://www.networkworld.com/community/node/17677

Regards
Sheraz Latif
_______________________________________________
http://onlinestudylist.com/mailman/listinfo/ccie_rs
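The point the post makes about main mode versus aggressive mode (identities travel encrypted under the freshly derived key in main mode's third exchange, but in the clear before any key exists in aggressive mode) can be seen by simulating both peers. The following is an added Python model written for this page; it is not code from the post, from Cisco, or from any IKE implementation. It assumes a toy 127-bit Diffie-Hellman group, HMAC-SHA256 as the PRF, a SHA-256 XOR keystream standing in for the negotiated cipher, and constructed peer names (vpn-a.example, vpn-b.example) and a constructed SA proposal label; the SKEYID derivation follows the RFC 2409 pre-shared-key form, while the HASH_I/HASH_R inputs are simplified.

```python
"""Toy IKEv1 phase 1: main mode vs aggressive mode (added example, not from the post)."""
import hashlib
import hmac
import secrets

# Toy parameters, constructed for this example; NOT a real IKE DH group.
P = 2**127 - 1      # Mersenne prime used as the DH modulus (fits in 16 bytes)
G = 2
HASH_LEN = 32       # SHA-256 output length


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for IKE's negotiated PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream; symmetric and illustrative only."""
    blocks = len(data) // HASH_LEN + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class Peer:
    def __init__(self, identity: str, psk: bytes):
        self.identity = identity
        self.psk = psk
        self.x = secrets.randbelow(P - 2) + 1   # DH private exponent
        self.pub = pow(G, self.x, P)            # g^x mod p, carried in the KE payload
        self.nonce = secrets.token_bytes(16)

    def skeyid(self, ni: bytes, nr: bytes) -> bytes:
        # RFC 2409 pre-shared-key authentication: SKEYID = prf(psk, Ni | Nr)
        return prf(self.psk, ni + nr)

    def enc_key(self, peer_pub: int, ni: bytes, nr: bytes) -> bytes:
        # Simplified SKEYID_e: prf(SKEYID, g^xy); only derivable after exchange 2
        shared = pow(peer_pub, self.x, P).to_bytes(16, "big")
        return prf(self.skeyid(ni, nr), shared)

    def auth_hash(self, role: bytes, ni, nr, pub_i, pub_r, ident: bytes) -> bytes:
        # Simplified HASH_I / HASH_R over role, DH publics, nonces and the identity
        data = role + pub_i.to_bytes(16, "big") + pub_r.to_bytes(16, "big") + ni + nr + ident
        return prf(self.skeyid(ni, nr), data)


def identities_on_wire(wire) -> set:
    """What a passive on-path observer learns about who formed the SA."""
    return {m["clear"]["ID"] for m in wire if "ID" in m["clear"]}


def run_phase1(mode: str, init_psk: bytes, resp_psk: bytes) -> dict:
    """Simulate both peers and return the outcome plus what the wire exposed."""
    ini, rsp = Peer("vpn-a.example", init_psk), Peer("vpn-b.example", resp_psk)
    ni, nr = ini.nonce, rsp.nonce
    sa = "aes-128/sha1/dh-group2"   # constructed proposal label
    id_i_b, id_r_b = ini.identity.encode(), rsp.identity.encode()
    hash_i = ini.auth_hash(b"I", ni, nr, ini.pub, rsp.pub, id_i_b)
    hash_r = rsp.auth_hash(b"R", ni, nr, ini.pub, rsp.pub, id_r_b)
    wire = []
    if mode == "main":
        # Exchanges 1 and 2: SA negotiation, then KE + nonces, all in the clear
        wire += [{"from": "I", "clear": {"SA": sa}},
                 {"from": "R", "clear": {"SA": sa}},
                 {"from": "I", "clear": {"KE": ini.pub, "Ni": ni}},
                 {"from": "R", "clear": {"KE": rsp.pub, "Nr": nr}}]
        # Exchange 3: identities and hashes travel under the derived key
        k_i, k_r = ini.enc_key(rsp.pub, ni, nr), rsp.enc_key(ini.pub, ni, nr)
        wire.append({"from": "I", "clear": {}, "enc": toy_cipher(k_i, id_i_b + hash_i)})
        pt = toy_cipher(k_r, wire[-1]["enc"])          # responder decrypts with its own key
        got_id, got_hash = pt[:-HASH_LEN], pt[-HASH_LEN:]
        init_ok = hmac.compare_digest(got_hash, rsp.auth_hash(b"I", ni, nr, ini.pub, rsp.pub, got_id))
        wire.append({"from": "R", "clear": {}, "enc": toy_cipher(k_r, id_r_b + hash_r)})
        pt = toy_cipher(k_i, wire[-1]["enc"])
        got_id, got_hash = pt[:-HASH_LEN], pt[-HASH_LEN:]
        resp_ok = hmac.compare_digest(got_hash, ini.auth_hash(b"R", ni, nr, ini.pub, rsp.pub, got_id))
    elif mode == "aggressive":
        # Three messages; identities are sent before any key exists
        wire += [{"from": "I", "clear": {"SA": sa, "KE": ini.pub, "Ni": ni, "ID": ini.identity}},
                 {"from": "R", "clear": {"SA": sa, "KE": rsp.pub, "Nr": nr, "ID": rsp.identity, "HASH": hash_r}},
                 {"from": "I", "clear": {"HASH": hash_i}}]
        init_ok = hmac.compare_digest(hash_i, rsp.auth_hash(b"I", ni, nr, ini.pub, rsp.pub, id_i_b))
        resp_ok = hmac.compare_digest(hash_r, ini.auth_hash(b"R", ni, nr, ini.pub, rsp.pub, id_r_b))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {"authenticated": init_ok and resp_ok,
            "ids_on_wire": identities_on_wire(wire),
            "messages": len(wire)}


if __name__ == "__main__":
    for mode in ("main", "aggressive"):
        r = run_phase1(mode, b"s3cret", b"s3cret")
        print(mode, r["messages"], "messages, identities visible on wire:", sorted(r["ids_on_wire"]))
    print("mismatched PSK, main mode:", run_phase1("main", b"s3cret", b"wrong"))
```

Running it shows six messages with no identity readable from the wire in main mode, three messages with both peer names readable in aggressive mode, and authentication failing in either mode when the pre-shared keys differ, which is why a mismatched key on one side of a site-to-site tunnel shows up as a phase 1 failure rather than a half-working tunnel.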
