Cisco Firepower Management Center 4000

11-2
FireSIGHT System User Guide
 
Chapter 11      Using Gateway VPNs 
Security associations (SA) establish shared security attributes between two devices and allow VPN 
endpoints to support secure communication. An SA allows two VPN endpoints to handle the parameters 
for how the VPN tunnel is secured between them.
The system uses the Internet Security Association and Key Management Protocol (ISAKMP) during the 
initial phase of negotiating the IPSec connection to establish the VPN between endpoints and the 
authenticated key exchange. The IKE protocol resides within ISAKMP. See Understanding IKE for more 
information about the IKE protocol.
The AH security protocol provides integrity protection for packet headers and data, but it cannot encrypt them. 
ESP provides encryption and integrity protection for packets, but it cannot secure the outermost IP header. In 
many cases, protecting the outer header is not required, and most VPN deployments use ESP more often than 
AH because of its encryption capabilities. Since VPN only operates in tunnel mode, the system encrypts 
and authenticates the entire packet from Layer 3 and up in the ESP protocol. ESP in tunnel mode 
therefore both encrypts the data and authenticates it.
Understanding IKE
The FireSIGHT System uses the IKE protocol to mutually authenticate the two gateways against each 
other as well as to negotiate the SA for the tunnel. The process consists of two phases.
IKE phase 1 establishes a secure authenticated communication channel by using the Diffie-Hellman key 
exchange to generate a pre-shared key to encrypt further IKE communications. This negotiation results 
in a bidirectional ISAKMP security association. The system allows you to perform the authentication 
using a pre-shared key. Phase 1 operates in main mode, which seeks to protect all data during the 
negotiation, while also protecting the identity of the peers.
During IKE phase 2, the IKE peers use the secure channel established in phase 1 to negotiate security 
associations on behalf of IPSec. The negotiation results in a minimum of two unidirectional security 
associations, one inbound and one outbound.
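The two phases described above, as an added toy model that is not Cisco's code: phase 1 combines Diffie-Hellman with pre-shared-key authentication and yields one bidirectional ISAKMP SA, and phase 2 derives two unidirectional IPsec SAs (one inbound, one outbound) from it, each with its own SPI and key. The PRF layout loosely follows RFC 2409 (SKEYID = prf(psk, Ni|Nr), KEYMAT = prf(SKEYID_d, proto|SPI|Ni|Nr)); the DH group and the authenticator computation are simplified, constructed placeholders.

```python
import hashlib, hmac, random, secrets

# Toy Diffie-Hellman group (constructed for illustration only; far too small for real use).
P = 2 ** 127 - 1
G = 5

def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF; IKE uses an HMAC like this for SKEYID and KEYMAT derivation."""
    return hmac.new(key, data, hashlib.sha256).digest()

class Peer:
    """One VPN endpoint: its pre-shared key, private DH exponent, public value and nonce."""
    def __init__(self, psk: bytes):
        self.psk = psk
        self.x = secrets.randbelow(P - 3) + 2             # private DH exponent
        self.gx = pow(G, self.x, P).to_bytes(16, "big")   # public value g^x sent to the peer
        self.nonce = secrets.token_bytes(16)

def phase1(init: Peer, resp: Peer):
    """Main mode with pre-shared-key authentication. Returns the single bidirectional
    ISAKMP SA, or None when the peers' PSKs differ (authenticators do not match)."""
    ni, nr = init.nonce, resp.nonce
    sides = []
    for me, peer in ((init, resp), (resp, init)):
        shared = pow(int.from_bytes(peer.gx, "big"), me.x, P).to_bytes(16, "big")
        skeyid = prf(me.psk, ni + nr)                     # RFC 2409 PSK form: prf(psk, Ni|Nr)
        skeyid_d = prf(skeyid, shared + b"\x00")          # keying material handed to phase 2
        sides.append((skeyid_d, prf(skeyid, init.gx + resp.gx)))  # simplified authenticator
    (d_i, auth_i), (d_r, auth_r) = sides
    if not hmac.compare_digest(auth_i, auth_r):           # wrong PSK -> wrong SKEYID -> mismatch
        return None
    return {"skeyid_d": d_i, "ni": ni, "nr": nr}

def phase2(isakmp_sa: dict, spi_in: int, spi_out: int) -> dict:
    """Quick mode over the phase-1 channel: two unidirectional IPsec SAs, each with
    its own SPI and key (KEYMAT = prf(SKEYID_d, proto|SPI|Ni|Nr), proto 50 = ESP)."""
    nonces = isakmp_sa["ni"] + isakmp_sa["nr"]
    return {
        direction: {"spi": spi,
                    "key": prf(isakmp_sa["skeyid_d"], b"\x32" + spi.to_bytes(4, "big") + nonces)}
        for direction, spi in (("inbound", spi_in), ("outbound", spi_out))
    }

def negotiate(psk_initiator: bytes, psk_responder: bytes):
    """Run both phases; None means phase 1 authentication failed, so no IPsec SAs exist."""
    isakmp_sa = phase1(Peer(psk_initiator), Peer(psk_responder))
    if isakmp_sa is None:
        return None
    spi_in, spi_out = random.sample(range(256, 2 ** 32), 2)   # distinct SPIs per direction
    return phase2(isakmp_sa, spi_in, spi_out)
```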
Understanding VPN Deployments
A VPN deployment specifies the endpoints and networks that are included in a VPN and how they 
connect to each other. After you configure a VPN deployment, you can then apply it to your managed 
devices or devices managed by another Defense Center.
The system supports three types of VPN deployments: point-to-point, star, and mesh. See the following 
sections for more information about these VPN deployments:
  • Understanding Point-to-Point VPN Deployments
  • Understanding Star VPN Deployments
  • Understanding Mesh VPN Deployments
Understanding Point-to-Point VPN Deployments
In a point-to-point VPN deployment, two endpoints communicate directly with each other. You 
configure the two endpoints as peer devices, and either device can initiate the secured connection. Each 
of the devices in this configuration must be a VPN-enabled managed device.
The following diagram displays a typical point-to-point VPN deployment.