ipsec

• ASA 1000V VPN - IKEv1 Phase1/2
• ASA 1000V VPN - IPSec
• ASA 1000V NAT Bypass (ie. Self-NAT)

• VPN Interface Policy only take affect when applied to an outside interface

• ASA 1000V VPN Device Policy (Phase 1)
  • IKE Policy

The video demonstrates configuration of remote access IPSec VPN with Windows software client on Cisco ASA firewall. We will look at both simple pre-shared key authentication as well as using client certificate. The client is placed behind a NAT router to demonstrate the significance of NAT Transparency, and compare it to raw IPSec, IPSec over UDP and IPSec over TCP. The order of precedence on encapsulation types will be investigated when they are all enabled simultaneously. 

The video takes the site-to-site L2L IPSec VPN to the next level by combining what we have learnt from the previous videos with the concept of Virtual Routing Forwarding (VRF). We will look at how you can segregate different type of L2L VPN into their own logical routing domain, while they all share the same physical hardware. Basic understanding of VRF is recommended before viewing this video

The video walks you through configuring site-to-site (L2L) IPSec VPN tunnel between Cisco router and ASA firewall using certificate authentication. You will see that choosing the type of identity to send and match becomes very important as the certificate does not get exchanged until later in Phase 1 negotiation. Using aggressive mode allows the device identity contained in the certificate to be revealed sooner but at a risk of identity exposure. Aggressive mode will also be reviewed in this video.

The video walks you through configuring site-to-site (L2L) IPSec VPN tunnel between Cisco router and ASA firewall. This is probably the simplest form of L2L IPSec using 'crypto map' and crypto ACL to match interesting traffic. You will see that you can apply the same configuration thought process to both router and ASA, while ASA having slight variation on the use of Tunnel-group and Group-policy. We will also look at how to restrict traffic over the tunnel using an access-list (ACL). 

The video demonstrates configuration of remote access IPSec VPN with Windows software client on Cisco router. We will look at both simple pre-shared key authentication as well as using client certificate. The client is placed behind a NAT router to demonstrate the significance of NAT Transparency, and compare it to raw IPSec and cTCP (IPSec over TCP). The video finishes off by showing how client can be allowed access to local subnet when a non-split tunnel is used.

The video shows you how to enable Cisco Tunneling Control Protocol, also known as, IPSec over TCP, on Cisco router Easy VPN (EZVPN) connection. cTCP can potentially be a solution when you need to establish a VPN through a device or network that does not support ESP protocol. TCP encapsulation makes IPSec traffic NAT-friendly at the cost of additional overhead of TCP header. In this lab, we will simulate an unsupported network using ACL to block ESP and shows how cTCP provides a workaround.

• EZVPN with cTCP (aka IPSec over TCP)