Cisco CCNA ICND2 640-816

WAN Connections: Concepts of VPN Technology

by Jeremy Cioara

WAN Connections: Concepts of VPN Technology

00:00:00 - When CISCO split the CCNA program into 2 separate
00:00:04 - certifications, the CCENT and CCNA, they really freed
00:00:09 - themselves up to add a lot more information to what it would
00:00:13 - be to be a true CCNA.
00:00:16 - One of the things that they added when they did the split was
00:00:19 - VPN technology. And this is a, from their point of
00:00:24 - view, I'm sure this was a tough decision, because VPNs are
00:00:27 - one of the things that are overtaking the world. It's a technology
00:00:31 - that is just becoming more and more popular everywhere you
00:00:34 - go. However, the complexity of it is enough to fill an entire
00:00:39 - course. I could, I could talk about VPNs in all their glory
00:00:44 - from concepts through configuration and it would easily take
00:00:49 - me a series of 30 videos to make that happen. So what they've
00:00:53 - done when they decided to splice VPNs into the CCNA
00:00:57 - program is CISCO thought, how about we give just enough to be
00:01:01 - dangerous? Meaning, just enough of the technology, what it is,
00:01:06 - what it's used for, and how it works to allow you to know
00:01:10 - what's going on, know what VPNs are all about, know where you would
00:01:13 - use them, but then leave the configuration to elsewhere. Thankfully,
00:01:18 - you know what the CISCO SDM is. A graphic interface.
00:01:23 - One of the major reasons CISCO released the SDM for their routers
00:01:26 - was because of VPN connections. To set them up from the
00:01:30 - command line it is so tedious and it can be, it can take so long
00:01:34 - and have so much troubleshooting, they just said, let's just make a wizard
00:01:37 - to do it and they did. So most of the individuals that set up
00:01:41 - VPNs nowadays, on CISCO routers and PIX firewalls use
00:01:45 - graphic interfaces to do it. Even myself, I will throw myself right
00:01:50 - out there. When push comes to shove I will reach for that GUI immediately
00:01:54 - because VPNs are a pain to configure. But I get too deep already.
00:01:59 - This is what we're going to talk about as we work through this video. Let's
00:02:02 - talk about: what are VPNs?
00:02:06 - First and foremost for you acronym junkies, VPN stands
00:02:10 - for virtual private network. It is a network that is virtually
00:02:15 - private, not really private, and therein lies the whole concept of the VPN.
00:02:21 - Everybody has an internet connection. We have them from home, we
00:02:26 - have them at our offices, even if our office has private lines
00:02:30 - connecting them together like a private T1 line that ties
00:02:34 - your offices together, they probably have an internet connection
00:02:37 - too, so people can surf the internet from the office. You can
00:02:40 - have web servers at your office that people are accessing from
00:02:43 - the internet and all of that. So the whole concept of a VPN is
00:02:47 - since we're all connected to this big network why not use
00:02:51 - this big network a.k.a. the internet to allow all of our
00:02:55 - offices to talk together? So let's say this router
00:03:00 - over here represents an office in Arizona with 100 users
00:03:02 - connected to a LAN. This is an office in Florida. Now, if we were
00:03:07 - to purchase a we'll say T1 line, a private leased line
00:03:12 - between those offices, we would have to go to a service provider
00:03:16 - in Arizona and that would have to be a service provider that
00:03:19 - is somehow linked to California, sorry, Florida over there and we
00:03:22 - would say okay we will, we need a private line between
00:03:25 - these offices and they would say "ooof, private line";
00:03:29 - it's going to cost you
00:03:31 - 2,000 dollars a month. 2,000 dollars in a month!
00:03:35 - you say as you throw your pen down on the table and stare at
00:03:39 - them angrily. Yes that is, you know, a typical price of what
00:03:43 - it would cost if you're just going to get a private line between
00:03:46 - your offices. 2000 dollars.
00:03:50 - Now we have these links to the internet which are, you know,
00:03:54 - they're, they can be expensive but I would say overall they're a dime
00:03:57 - a dozen. In Arizona, you know, maybe for a 100-person office you
00:04:00 - might pay for a pretty decent internet speed, I mean a T1
00:04:04 - is about 1.544 megabits per second. And
00:04:08 - in for Arizona for we'll say a 2 to 3 megabit
00:04:13 - per second connection speed, a business class connection, you
00:04:17 - might be paying in the range of we'll say 300 to 500
00:04:21 - dollars a month. Now, that's a business class connection.
00:04:24 - I know some of you home users are like, "Hey, I can get internet at
00:04:27 - home faster than that for, you know, 60 bucks a month." That's
00:04:31 - that's a home connection. So we'll say for business class, you
00:04:34 - know, 200 to 300 dollars there or sorry, 300 to 500
00:04:37 - 300 or 500 dollars here, you not only get access
00:04:41 - to the internet, which you would need anyway, right, but, you can
00:04:45 - also create a VPN
00:04:50 - connection through the internet, a virtual private network
00:04:54 - that links the Arizona and Florida offices and not pay a penny
00:04:59 - more. That's my number 1 benefit for VPN connections:
00:05:03 - they are cheaper.
00:05:05 - They are also widely available. They're available anywhere the
00:05:09 - internet is available. Now, I'm talking right there of one type of
00:05:12 - VPN that links offices together but there's another type where
00:05:15 - we could have our users
00:05:18 - tie in from home using a VPN connection. And they are
00:05:24 - you know, it's as if we bought a private line for that PC
00:05:28 - or that home to link into the Arizona office. It's available anywhere
00:05:32 - the internet connection is available. So even that 60
00:05:35 - dollar a month internet connection can be used to allow the
00:05:39 - users to perform anything from home that they could as if they
00:05:43 - were actually in the Arizona office. It's VPN technology that
00:05:47 - has really led to the rise of telecommuting. People that work
00:05:51 - from home full time, and do not leave their home, but their home
00:05:56 - is also their office. Leads to happier employees because, man, you get
00:06:01 - to save the drive, the gas, the sitting in the office space that you
00:06:04 - don't really want to sit in, and, you know. It saves the company money
00:06:07 - because they don't have to build a cubicle, they don't have to provide
00:06:10 - you know, more restrooms, and more break rooms and all those services
00:06:13 - they have to provide to the employees on site. So it's a win-win situation for
00:06:17 - most people.
00:06:18 - Heavily encrypted and secured is the next thing. VPNs, the
00:06:23 - reason it's called virtual private network is because it's private
00:06:26 - and that privacy comes from the massive amount of encryption
00:06:30 - and security that's thrown on there. Therein is the benefit of
00:06:34 - VPN is it's very very difficult to break into that. It's you
00:06:37 - know, I won't say anything's impossible but it is virtually
00:06:42 - impossible to break into a VPN connection
00:06:46 - from the internet. But there in that 3rd bullet point is its
00:06:50 - weakness as well. In that because it is so heavily secured
00:06:55 - and encrypted it takes a lot more overhead on the routers
00:07:01 - than just connecting on a private line. On a private line you
00:07:03 - don't have to encrypt anything you can just let them talk as
00:07:07 - if they were directly connected because it's private. But on
00:07:10 - the internet there's a lot of overhead, a lot of slowdown in
00:07:12 - processor utilization has to take place there.
00:07:15 - Last but not least, the big benefit is many to many connections. For
00:07:19 - instance, if I was in Arizona and Florida, to get a private
00:07:22 - line, it's 2000 bucks a month, we'll say, that the price can
00:07:26 - vary, but you can only connect from Arizona to Florida. If Florida
00:07:31 - wanted to connect over here to California I would have to buy
00:07:34 - another private line. You know either Arizona would have
00:07:37 - to link to California or Florida would have to link to California.
00:07:40 - And that's another 2000 bucks a month because, that's
00:07:43 - another private line. With VPNs all you do is buy an internet
00:07:47 - connection in each location and that allows anybody to connect to
00:07:52 - anybody. Many to many connections. Remote users can then
00:07:56 - get into the California office. The site to site users, the Arizona
00:08:00 - to California they can all connect. So VPN is truly an any
00:08:05 - to any connectivity.
00:08:07 - VPN connections come in 2 major styles: site to site or
00:08:12 - what you see here as L to L, LAN to LAN. Or remote access.
00:08:17 - Now, this picture right here is a site to site VPN connection. This router
00:08:21 - represents some office that is connected to the internet through
00:08:26 - some, some kind of connection. Now you could have inside of that office
00:08:29 - any number of users, hundreds or even thousands of users.
00:08:33 - And whenever they access an IP address that is over at this
00:08:36 - site with however many users inside of it the router recognizes
00:08:40 - that needs to go across the VPN.
00:08:42 - So it will come in, clear text, you know, unprotected, unencrypted,
00:08:47 - as soon as it realizes it's going across the VPN it will
00:08:50 - encrypt it and send it through the internet which is a public
00:08:54 - network. It's very unsecure; anybody can get that data but
00:08:58 - it's still so heavily encrypted that nobody can get to it. It
00:09:01 - reaches the other end which un-encrypts the data and then sends
00:09:04 - it over here to the clients.
00:09:06 - That is the site to site VPN and that is a direct replacement
00:09:10 - for a private line. Something you're paying a lot of monthly
00:09:15 - charges for.
00:09:16 - If the site to site or LAN to LAN VPN links our offices,
00:09:21 - remote access VPNs link our homes or our laptops depending
00:09:26 - on where we are in the world. A remote access client is usually
00:09:29 - not always, but usually installed on a PC. You'll for instance
00:09:34 - go to the CISCO website and download the CISCO VPN client.
00:09:38 - Or Microsoft has a VPN client built in. You'll type all the
00:09:43 - information into that VPN client that's needed to authenticate
00:09:47 - or work for the central site. It's username and password
00:09:51 - or there's many different ways that they can have this.
00:09:55 - Some companies I don't know if you've seen these, have
00:09:59 - token cards, which means they, somebody to get on the VPN, pulls
00:10:03 - a token out of their wallets; it looks like a credit card but it
00:10:06 - has a little electronic screen. They push a button on there
00:10:09 - and it generates a password that will let them connect to the
00:10:11 - VPN for exactly one minute. If they don't type that password in
00:10:15 - in one minute they have to hit the button again to get a new
00:10:17 - password because it's always changing
00:10:20 - based on time. That's pretty secure. So people don't actually
00:10:24 - have a password. They have a token card that generates a password
00:10:27 - for them for that time. They even have biometric methods nowadays;
00:10:32 - where people will have to, I don't know if you've seen them, I've seen them
00:10:36 - I want one, they're awesome. I don't know why I want one, but they're awesome. They are laptops
00:10:39 - that have thumb print scanners on them. To where to get on
00:10:43 - the VPN you actually have to stick your thumb on the laptop.
00:10:47 - It scans to make sure that you are who you say you are. And
00:10:50 - I mean, I'm thinking, I don't know, you've seen Mission Impossible where they're
00:10:54 - lopping people's thumbs off and using them on the doors. And it's
00:10:57 - coming. I'm telling you. They have retina scanners where they'll scan
00:11:00 - your eyeball and
00:11:02 - weird and creepy stuff. So whatever method they have you'll
00:11:06 - authenticate, it goes across the internet to the router and
00:11:10 - that allows that PC to become one with the LAN. It's virtually
00:11:15 - as if that PC was connected to that network for however long
00:11:19 - they're connected to the VPN. As soon as they sever that they're now off
00:11:22 - on the internet again. Everything that they send is encrypted
00:11:26 - over the VPN.
00:11:28 - Now I would say the most advancement has been taking place
00:11:32 - in the remote access VPN arena in recent years. Site
00:11:36 - to site VPNs, they work, they're standard, they've been around for
00:11:39 - a long time. Remote access has really been evolving.
00:11:43 - Before recently, we would always have to you know purchase or buy that
00:11:47 - CISCO VPN client and install it on here. Nowadays they
00:11:51 - are setting up people's homes with little routers that make
00:11:55 - the VPN for you. So, you don't actually have to install anything
00:11:58 - on the laptop. You have this little router at home that will almost
00:12:02 - create a site to site style of VPN from your home to the
00:12:06 - corporate office. And that allows any device in your home to
00:12:10 - access the VPN for a time, or however long that's connected.
00:12:14 - The reason that's pretty cool is because now people can connect
00:12:17 - telephones, voice over IP phones, to the network in their
00:12:22 - home and they could actually have their work extension, we'll
00:12:25 - say extension 1003 sitting in their office that
00:12:28 - goes through the VPN and it's like having a telephone at the work
00:12:32 - site. But, it's at their home. People are dialing 1003
00:12:36 - and going over VPN and making somebody's home phone ring
00:12:39 - and they never know that because it's through the VPN. It's
00:12:43 - invisible. They also have a new technology in the remote access
00:12:47 - arena that is being called two names, either an SSL
00:12:51 - VPN
00:12:54 - or a Web VPN. These are two names for the same thing.
00:12:58 - Installing the clients on the PC is painful. Meaning, you as
00:13:04 - an administrator have to go to that person's laptop, get them
00:13:07 - set up, get them with the token card if you're using that. Or retina
00:13:11 - scanner, you know, whatever you're using. Get them all tweaked out and
00:13:14 - then they'll be able to go and authenticate. It's fine when you've got
00:13:17 - one, two, five users, you know, kind of thing, but when you've got
00:13:22 - fifty or sixty users that need to access the VPN that's
00:13:27 - a lot of time. So what SSL and Web VPNs do is they'll
00:13:31 - allow this router to generate a web page. Somebody will
00:13:38 - open their PC and it connects to the router and it will display
00:13:42 - this web page, and it will say, you know, type in your username and password.
00:13:46 - It'll have a field on there, or your token code for the minutes that
00:13:49 - it's valid. You type it in there and what will happen is the
00:13:53 - router will install a mini. It's like a mini-me version
00:13:57 - of the VPN clients on your laptop for as long as you are connected
00:14:02 - to that VPN and that will establish a VPN connection
00:14:05 - without ever having to install a client on the laptop or the
00:14:09 - PC. It's pretty awesome. And as soon as you close that page, VPN
00:14:13 - closes down and everything's eliminated. It actually tunnels all
00:14:18 - that information through that web page. So we will call that SSL
00:14:22 - tunneling. But that's where remote access connections are evolving to.
00:14:28 - That's the logical connections of how VPNs work. Now
00:14:32 - let's get a little bit technical and into the protocols that
00:14:36 - give them the power to do what they do.
00:14:39 - Just about everything that deals with VPN technology is
00:14:43 - worked all around this protocol known as IPSEC. IPSEC is
00:14:48 - the protocol that makes VPNs possible. It is the security
00:14:50 - protocol that does all the heavy encryption and so on. Now
00:14:54 - IPSEC works with TCP/IP, we know what TCP/IP is.
00:14:59 - It's the protocol of communication that lets you talk over
00:15:02 - the network. You've got things like TCP and UDP. IPSEC is
00:15:06 - just another one of those protocols. It actually works at
00:15:09 - the transport layer, like TCP and UDP; you have a choice.
00:15:13 - Your computer or your VPN can also choose to use IPSEC when
00:15:17 - communicating over a TCP/IP network. And IPSEC is not just
00:15:22 - one protocol. Just like when you say TCP/IP, there's many
00:15:26 - protocols that make that work like UDP and ARP and all
00:15:30 - these different protocols. IPSEC is the same way. Inside
00:15:33 - of it, it has all these different, what I call, chunks, the
00:15:37 - chunks that build the IPSEC. IPSEC is built of three
00:15:41 - major, or sorry, four major categories of protocols. The first,
00:15:46 - well I'll take them out of order, is an encryption protocol.
00:15:50 - You get to choose one of those, and you can see the three in the list,
00:15:54 - encryption protocols to secure your data.
00:15:58 - And that is a list from strongest to weakest. The, or I'm sorry, it's from
00:16:02 - weakest to strongest. This is the weakest, DES, one of the first
00:16:06 - encryption protocols to come out. Triple DES is essentially triple
00:16:10 - the strength of DES and AES is the new U.S. Government standard
00:16:13 - that is the most powerful encryption that we have currently
00:16:18 - and that excludes, you know, all of the under the
00:16:22 - cover men in black style encryption that, you know, nobody really
00:16:26 - knows about or is proprietary and things like that. The
00:16:31 - benefit, I guess, is the weaker your encryption the less processing
00:16:36 - it takes and the overall faster connection you have. The stronger
00:16:41 - your encryption the more secure you are, the less chance you
00:16:44 - have of somebody breaking your VPN and getting into your organization
00:16:48 - but the more overhead you have and the longer it takes to do
00:16:51 - that encryption.
00:16:53 - So as an administrator when you set up your VPN you get
00:16:56 - to choose what kind of encryption to use.
00:16:59 - Authentication is the second piece.
00:17:02 - Authentication does a lot of things but primarily is focused
00:17:06 - around making sure data does not change from one end to the
00:17:10 - other. For example, if you have a client that is connected
00:17:15 - to a VPN. Here's our internet and is connected to a router
00:17:20 - that connects to the corporate network and there's a server.
00:17:22 - When somebody is trying to hack your network they may not
00:17:26 - understand all those packets that are going across because
00:17:29 - they're all encrypted. So they can't really see what they are
00:17:32 - but what they could do, let's say we've got an intruder here,
00:17:35 - remember the internet's a public network so anybody can get
00:17:38 - on. We have this intruder who may not understand what you're sending
00:17:43 - but what they can do is spoof packets. Meaning, send fake
00:17:48 - packets that look like you that kind of pretend to be you, but aren't
00:17:52 - really you. This is known as a man in the middle, a MIM, a
00:17:58 - man in the middle attack where he's in the middle of the conversation
00:18:01 - kind of taking packets, and pretending to be you and trying to decrypt
00:18:06 - the packets as it goes. You know, trying to break into that connection and
00:18:09 - what authentication does is prevent those kind of attacks. So
00:18:13 - authentication makes sure that the stuff that is being sent
00:18:17 - is from the original person sending it. And it detects if somebody
00:18:21 - changes your packets, like as it's going across maybe he grabs your packet
00:18:25 - and sends his own in place of it to try and, you know, pretend
00:18:29 - to be you and inject some stuff into the network that doesn't belong there.
00:18:34 - Well that's what authentication stops.
00:18:37 - Now, protection, I'll talk about that one third; the third chunk is what
00:18:41 - allows you to do all of this over a public network. Here's a thought you
00:18:48 - may not have thought through yet.
00:18:51 - If this guy is encrypting then he has to have an encryption
00:18:56 - key, right?
00:18:58 - I'll draw it like this. An encryption formula that allows him to scramble
00:19:02 - the data before he sends it. Now
00:19:06 - in order for this to work, this guy over here has to have the
00:19:11 - same encryption key. Meaning, he has to be able to unencrypt
00:19:15 - what you're sending him in order for it to be of any use at
00:19:18 - all. So when that PC connects to the VPN, somehow it
00:19:24 - has to get the encryption key it's going to use over to the
00:19:27 - router. Or vice versa the router would have to send the encryption
00:19:30 - key that it's going to use to the PC.
00:19:33 - Therein lies the problem. How do you send an encryption
00:19:37 - key over the internet
00:19:41 - to this person so that they can have it without this, this, you
00:19:45 - know, XX guy over here, the man in the middle, grabbing that key;
00:19:48 - because the internet's a public place. You can grab just about
00:19:51 - anything you want off of it. Without this guy grabbing
00:19:54 - that key and then having the encryption and decryption formula
00:19:58 - and breaking into the VPN that way. Well, that's what protection
00:20:02 - is all about. Diffie-Hellman is what that DH stands for, and
00:20:06 - I'll talk about the specifics of how this is possible next.
00:20:11 - The fourth chunk of IPSEC is, I guess, what you could
00:20:16 - call the engine.
00:20:18 - The idea behind IPSEC is they never wanted it to become outdated.
00:20:23 - Meaning, new stuff comes out all the time. New encryption formulas
00:20:28 - are released, I mean, DH, or sorry, DES you see it right
00:20:32 - there under the encryption. When this originally came out
00:20:35 - it was back in probably the late seventies early eighties that
00:20:39 - was, that was like, oh, you are not breaking this. This is unbreakable.
00:20:43 - Nobody can mess with this and it's, this is the encryption
00:20:47 - formula that will end encryption formulas. We thought that was that
00:20:51 - was it. And then
00:20:53 - a twelve year old girl in Sweden, I'm not making this up, broke
00:20:59 - that encryption formula. A twelve year old girl figured out
00:21:03 - how to break the encryption formula that DES uses in a day; I
00:21:08 - think it was like within twenty four hours or less using her formula
00:21:11 - you could break in and pretty much tear that thing to shreds. Twelve
00:21:15 - year old girl.
00:21:17 - Unbelievable. She's now dead. The government got her.
00:21:20 - No, I don't know what happened to her. She's probably working for
00:21:22 - the CIA somewhere. But that's the idea, you know, encryption
00:21:26 - formulas change, you know, AES just came out, it's fairly new, and everybody's saying;
00:21:29 - oh, that thing's so powerful. But, you know, give it twenty years
00:21:33 - well ten years at the rate things are going and then it'll be, you know,
00:21:37 - people will be like, oh, yeah some two year old in Massachusetts totally
00:21:41 - tore that thing apart. It's always going to change, is my point. So what
00:21:44 - this negotiation protocol is there to do is be kind of a
00:21:51 - changer I guess. That's a horrible way to describe it, but it's essentially
00:21:57 - a piece of IPSEC that lets everything in IPSEC
00:22:02 - be changeable.
00:22:04 - Think about it this way. If IPSEC were a car this would be
00:22:08 - the engine of it. And you can actually change out the whole
00:22:12 - engine of IPSEC. If you had a four cylinder you could
00:22:15 - go on and swap it and put in an eight cylinder. That's what this AH, ESP
00:22:20 - and ESP plus AH is. AH was the original engine that came out
00:22:24 - with IPSEC. The problem is that AH or it's known as the authentication
00:22:29 - header, couldn't do encryption. That was back when IPSEC was
00:22:32 - just in its infancy. And so they came out with the
00:22:36 - ESP, think of that like the v6 engine for the IPSEC protocol.
00:22:40 - And that allowed it to do encryption and authentication and the protection,
00:22:44 - the chunks that you see on there. ESP plus AH came out
00:22:47 - which allows you to double up on things. That's like the v8
00:22:50 - engine. The, it's more powerful but sucks more gas you know, it's
00:22:53 - kind of a resource consuming chunk. And they can come
00:22:58 - out with new engines, you know, someday down the road they'll come out
00:23:01 - with jay five nine or something as a new engine of IPSEC
00:23:04 - that adds even more protection. That's the goal, is they don't
00:23:07 - want it to change. When you, when you think about TCP/IP,
00:23:11 - we currently use version four, but the problem is, is they're
00:23:15 - having to replace it. TCP/IP version four reached its max.
00:23:19 - It got maxed out, if you will, the IP addresses ran out. So TCP/IP
00:23:24 - version six is coming to replace it. They never wanted
00:23:27 - to have to do that with IPSEC.
00:23:31 - Alright, the last piece of VPN technology that we'll talk about
00:23:34 - here, is how does it all work? I mean, how is it possible to get
00:23:38 - true security over a public network when you have to send those
00:23:42 - encryption keys to each other,
00:23:45 - where anybody could grab them? Well here's the idea. The way VPNs work
00:23:49 - is through a combination of security keys.
00:23:54 - First and foremost I need to identify a big difference in
00:23:58 - technology. There are really two types of encryption and decryption.
00:24:02 - First I'll talk about symmetric.
00:24:06 - Symmetric encryption is encryption that uses the same key
00:24:12 - to encrypt and decrypt. Meaning, if you've got that key, this
00:24:16 - is known as a shared secret key you can, you can, take data you
00:24:20 - know, say somebody over here sends some data into the router
00:24:23 - you can take that and encrypt it and then when it gets over here
00:24:26 - to the internet and is received at the other side they can
00:24:30 - use the same exact key that you used to decrypt it.
00:24:34 - The benefit of symmetric encryption is it's really fast and
00:24:39 - it's really easy on your processor. When we talked about DES and
00:24:43 - triple DES three DES excuse me, and AES
00:24:48 - those are all forms of symmetric encryption. Meaning, they
00:24:51 - use the same key to encrypt and decrypt. Now that's great and
00:24:55 - it's it's very fast but the problem is when one of these routers
00:24:59 - is going to generate that key every single time somebody
00:25:03 - connects to the VPN and it has to send it over the internet to
00:25:06 - the other side so they've got that key to do the encryption
00:25:08 - and decryption. That's the problem I described before. So how
00:25:13 - do you do that without somebody grabbing that key in the middle and
00:25:16 - then, you know, using that to tear apart all your VPN and
00:25:19 - they can decrypt anything that you send. That's where Diffie-
00:25:23 - Hellman came in. Diffie-Hellman is actually the name of two
00:25:27 - guys that created a system for doing this. Diffie and Hellman actually
00:25:33 - worked together and here's the idea. Diffie-Hellman security uses
00:25:37 - something known as asymmetric
00:25:43 - encryption. What that means is you have a two key system.
00:25:49 - A public and private. The public key, anything that it encrypts
00:25:54 - can be decrypted with the private key.
00:25:58 - And anything the private key encrypts can be decrypted
00:26:01 - with the public key. They can do both but they're complete
00:26:04 - opposites of each other. Now they're called public and
00:26:09 - private key for a reason.
00:26:12 - When somebody connects to the VPN, let's say this is a site to site;
00:26:17 - I'll put S to S. Site to site VPN between these two routers. When somebody
00:26:22 - brings up that VPN connection, the first thing that happens
00:26:26 - is the router that receives the connection sends a key. Let's
00:26:31 - say that the right router connected to the left router.
00:26:34 - The left router will send the right router its Diffie-Hellman
00:26:40 - public key. Check out
00:26:41 - that animation, pretty sophisticated. So now this right router
00:26:45 - has an encryption formula. Anything encrypted with this public
00:26:50 - key can only be decrypted with the private key. Now there's
00:26:54 - the secret. That private key is kept hidden behind this router,
00:26:58 - or in that router. It will never be given out to anybody that's
00:27:02 - why they call it a private key. So the router on the right generates
00:27:06 - that shared secret key
00:27:10 - and encrypts it with this public key. Encrypted.
00:27:15 - So it sends this encrypted version of the shared secret key
00:27:19 - tracking across the internet here over here and that is completely
00:27:23 - scrambled and the only thing that can decrypt that is the
00:27:27 - private key.
00:27:29 - Likewise if we were to connect the other way, you know,
00:27:32 - the right router
00:27:36 - would send its public key over here and then its private key
00:27:39 - would be used to decrypt anything that the left router encrypted.
00:27:43 - But we're only using one set for now, so let me move these out of here
00:27:46 - so we're not confusing. Once this router on the left hand side
00:27:51 - has the shared secret key
00:27:54 - right here, it's able to decrypt it with private and then they
00:27:57 - now have, they both have the same symmetric
00:28:01 - encryption and decryption key that they can use for that session.
00:28:04 - Now once that VPN connection is done and over
00:28:08 - with. Meaning, okay we're ready to tear it down, that shared secret
00:28:11 - is thrown away. Off it goes. And the next time the connection
00:28:16 - happens a new shared secret key is going to be generated. So
00:28:20 - the point is, is that the encryption keys that are being used
00:28:23 - to encrypt all the data over the VPN are constantly changing.
00:28:27 - They're always being regenerated and renewed. Even if this is
00:28:31 - a site to site VPN connection that's always connected, it's always
00:28:34 - up, always-on, after a certain amount of time it will say okay
00:28:38 - we've used these keys long enough let's scrap them and regenerate them again and
00:28:42 - then use these Diffie-Hellman keys to secure the exchange
00:28:46 - of that shared secret.
00:28:48 - Now, you might be thinking. A couple of thoughts I had when
00:28:52 - I first got into cryptography
00:28:54 - and how all this works. Maybe you're thinking, well first off, if you've
00:28:58 - got this encryption formula right here, Diffie-Hellman public, and you're
00:29:03 - sending that all over the place, meaning that's being sent in
00:29:05 - clear text across the internet, can't somebody get that key and,
00:29:11 - you know, kind of reverse the formula to figure out the private? I mean,
00:29:16 - the way I was thinking about it, I thought, you know, I
00:29:19 - took algebra, I even took calculus, you know, if the Diffie-Hellman
00:29:24 - public key is X plus one equals, you know, two, I can do
00:29:29 - the math, subtract it out and be like, oh well then X really equals
00:29:32 - one, now I've got the secret. Well, this, you can tell
00:29:38 - the brilliance of my mathematics. I'm like, that's difficult right there.
00:29:41 - But the
00:29:43 - public keys and the formulas that they use in those
00:29:47 - Diffie-Hellman public keys are so sophisticated and so advanced it
00:29:52 - is theoretically impossible to figure out what the reverse
00:29:57 - encryption of that is, or what the reverse of it is, if you just
00:30:01 - have one side of the key. Meaning, inside of there they use logarithmic
00:30:05 - functions and things that just cannot be reversed. There's
00:30:09 - a billion possible answers to what the reverse of
00:30:13 - that could be, so, you know, you'll just have to trust me if that
00:30:16 - doesn't all make sense. It is impossible to create or reverse
00:30:22 - engineer a private key if you just have the public key.
00:30:26 - Second thought I had when I first was learning about this. If
00:30:29 - the public key and private key system is so super-duper
00:30:34 - secure, why do you even need this shared secret thing? I mean,
00:30:39 - why can't you just, you know, get
00:30:43 - the shared secrets out of here and, you know, reduce some of the complexity
00:30:46 - right? And just, just say okay we'll just use the public and I'll
00:30:50 - send you my public and you'll send me your public and
00:30:54 - then I'll use this to encrypt everything and you can decrypt it
00:30:57 - with your private. And you can, you know, you can use; let
00:31:01 - me put these keys in the right place. You can encrypt anything you
00:31:04 - need to send me with your public and I'll decrypt it with my private,
00:31:07 - you know, then kind of swap it that way. Well honestly, that would work,
00:31:10 - in that it would be secure, but these formulas; it kind of
00:31:16 - goes along with the last answer I gave you. These formulas
00:31:19 - are so massive and so super complex that they cause a ton
00:31:24 - of overhead. Asymmetric is like a hundred times more processing
00:31:29 - than what a symmetric key would be. It really burdens down your
00:31:33 - router and that's why the routers only use them for an instant.
00:31:37 - They just use that encryption formula and that system to get
00:31:40 - the symmetric key across and then it says okay, I'm done with
00:31:43 - you because you max out my processor. Otherwise that would be
00:31:47 - the perfect encryption solution.
00:31:50 - That's the idea behind VPN connections. At least at the
00:31:54 - CCNA level. I encourage you, if you want to know more about
00:31:58 - VPNs, Cisco has now added it to the CCNP track. It's actually
00:32:03 - in the CCNP now under the ISCW exam. So if you want
00:32:09 - to check out CBTNuggets, they offer that video. And also if you
00:32:12 - want the full scoop, the ISCW gives you much more than what
00:32:16 - I just gave you, it's about eight videos on it. But if you want the
00:32:19 - full scoop on what VPNs are, how to set them up, how to work with
00:32:22 - them, all that, that's what the CCSP track is all about.
00:32:26 - The security track for, did I say CCSP? I think I did. CCSP. The security
00:32:32 - track for Cisco, that's where they talk fully about them. In
00:32:35 - here we talk about why use VPN connections. And to review,
00:32:39 - we use VPN connections because they're cheaper. They allow
00:32:43 - more flexibility, you can connect to more places and you can
00:32:46 - just use your existing internet connection to make that happen.
00:32:48 - They're very flexible. We looked at the different styles of VPN connections,
00:32:53 - which was really divided into site to site and remote access
00:32:56 - VPNs. Where remote access is seeing the most evolution right
00:32:59 - now as we move in to technologies like web VPNs. Finally
00:33:03 - we looked at a high level overview of VPN connectivity. Talked
00:33:07 - about the IPsec protocol suite that allows VPNs to
00:33:10 - happen. And how IPsec and how VPNs can securely communicate
00:33:15 - over a public network. I hope this has been informative for you and I'd like
00:33:19 - to thank you for viewing.
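The key exchange the video walks through, as an added example that is not part of the original video or of any Cisco code: a toy Diffie-Hellman agreement in Python in which only the public values cross the internet, both routers end up with the same symmetric session key, and a second session produces a fresh key (the rekeying the video mentions). In Diffie-Hellman proper both ends compute the shared secret from the exchanged public values rather than one end encrypting and sending it. The 61-bit prime, the generator, the label string and the SHA-256 key derivation are constructed placeholders for illustration; real IPsec/IKE deployments use the large MODP groups from RFC 3526 or elliptic-curve groups and a proper KDF.

```python
"""Toy Diffie-Hellman key agreement with per-session rekeying (added example)."""
import hashlib
import secrets

# Constructed TOY group parameters: far too small for real use, chosen only
# so the arithmetic is easy to follow. Real VPNs use RFC 3526 MODP groups or ECDH.
P = 2305843009213693951   # 2**61 - 1, a Mersenne prime
G = 5                     # generator for the demonstration


def make_keypair():
    """Fresh private value (stays on the router) and its public value (sent in clear)."""
    private = secrets.randbelow(P - 2) + 1   # never leaves the router
    public = pow(G, private, P)              # safe to send across the internet
    return private, public


def shared_secret(my_private, peer_public):
    """Combine our private value with the peer's public value: g^(ab) mod p."""
    return pow(peer_public, my_private, P)


def derive_session_key(secret, label=b"toy-vpn-session"):
    """Turn the raw DH secret into a 256-bit symmetric key (simplified stand-in for IKE's KDF)."""
    material = secret.to_bytes(8, "big") + label   # secret < 2**61 fits in 8 bytes
    return hashlib.sha256(material).digest()


def run_session():
    """One VPN session setup: returns the left key, the right key, and what an
    eavesdropper on the internet could capture (public values only)."""
    left_priv, left_pub = make_keypair()
    right_priv, right_pub = make_keypair()
    # Only p, g and the two public values ever cross the wire.
    wire = {"p": P, "g": G, "left_pub": left_pub, "right_pub": right_pub}
    left_key = derive_session_key(shared_secret(left_priv, right_pub))
    right_key = derive_session_key(shared_secret(right_priv, left_pub))
    return left_key, right_key, wire


if __name__ == "__main__":
    first_left, first_right, captured = run_session()
    print("both routers agree:", first_left == first_right)
    print("on the wire:", captured)
    # Rekey: a new session uses brand-new ephemeral values, so the old key is useless.
    second_left, _, _ = run_session()
    print("rekey produced a different key:", second_left != first_left)
```

An eavesdropper holding only `wire` would have to solve the discrete logarithm to recover either private value; with this toy group that is brute-forceable, which is exactly why real groups are 2048 bits or larger.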
Jeremy Cioara

CBT Nuggets Trainer

Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.
© 2015 CBT Nuggets. All rights reserved.