IPsec VPNs

IPsec Components and IPsec VPN Features

IPsec Overview

What Is IPsec?
IPsec is an IETF standard that employs cryptographic mechanisms on the network layer: Authentication of every IP packet Verification of data integrity for each packet Confidentiality of packet payload Consists of open standards for securing private communications

Scales from small to very large networks

Is available in Cisco IOS software version 11.3(T) and later Is included in PIX Firewall version 5.0 and later

IPsec Security Features

IPsec is the only standard Layer 3 technology that provides:

Confidentiality Data integrity Authentication Replay detection

IPsec Protocols
IPsec uses three main protocols to create a security framework:
Internet Key Exchange (IKE):

Provides framework for negotiation of security parameters

Establishment of authenticated keys Encapsulating Security Payload (ESP): Provides framework for encrypting, authenticating, and securing of data Authentication Header (AH): Provides framework for authenticating and securing of data

IPsec Headers

IPsec ESP provides the following:

Authentication and data integrity (MD5 or SHA-1 HMAC) with AH and ESP Confidentiality (DES, 3DES, or AES) only with ESP

Peer Authentication

Peer authentication methods:

Username and password
OTP (Pin/Tan) Biometric Preshared keys Digital certificates

Internet Key Exchange

Internet Key Exchange

IKE solves the problems of manual and unscalable implementation of IPsec by automating the entire key exchange process:
Negotiation of SA characteristics Automatic key generation Automatic key refresh Manageable manual configuration

IKE Phases
Phase 1: Authenticate the peers Negotiate a bidirectional SA

Main mode or aggressive mode

Phase 1.5: Xauth Mode config Phase 2: IPsec SAs/SPIs Quick mode

IKE Modes

IKE: Other Functions

IKE: Other Functions

Dead peer detection (DPD): Bidirectional Sent on periodic intervals Sender must receive a reply or disconnect IKE keepalives are unidirectional and are sent every 10 seconds. NAT traversal: Defined in RFC 3947 Encapsulates IPsec packet in UDP packet Mode config (Push Config) and Xauth (User Authentication)

IPsec and NAT: The Problem

IPsec NAT Traversal

Need NAT traversal with IPsec over TCP/UDP:
NAT traversal detection NAT traversal decision

UDP encapsulation of IPsec packets

UDP encapsulated process for software engines

Mode Configuration

Mechanism used to push attributes to IPsec VPN clients

Easy VPN

Dynamically updated: Central services and security policy Offload VPN function from local devices Client and network extension mode

Centralized control: Configuration and security policy pushed at the time of the VPN tunnel establishment

Xauth

Mechanism used for user authentication for VPN clients

ESP and AH

ESP and AH
IPsec protocols:

ESP or AH
ESP uses IP protocol number 50 AH uses IP protocol number 51 IPsec modes:

Tunnel or transport mode

Tunnel mode creates a new additional IP header The Message is concatenated with a symmetric key

ESP and AH Header

ESP allows encryption and authenticates the original packet. AH authenticates the whole packet (including the header) and does not allow encryption.

AH Authentication and Integrity

ESP Protocol

Provides confidentiality with encryption

Provides integrity with authentication

Tunnel and Transport Mode

Message Authentication and Integrity Check

Message Authentication and Integrity Check Using Hash

A MAC is used for message authentication and integrity check. Hashes are widely used for this purpose (HMAC).

Commonly Used Hash Functions

MD5 provides 128-bit output. SHA-1 provides 160-bit output (only first 96 bits used in IPsec). SHA-1 is computationally slower than MD5, but more secure.

Symmetric vs. Asymmetric Encryption Algorithms

Symmetric vs. Asymmetric Encryption Algorithms

Symmetric algorithm: Secret key cryptography Encryption and decryption use the same key Typically used to encrypt the content of a message Examples: DES, 3DES, AES Asymmetric algorithm: Public key cryptography Encryption and decryption use different keys Typically used in digital certification and key management Example: RSA

Key Lengths of Symmetric vs. Asymmetric Encryption Algorithms

Comparable key lengths required for asymmetric keys compared to symmetric keys Symmetric Key Length 80 112 128 192 256 Asymmetric Key Length 1024 2048 3072 7680 15,360

Security Level of Cryptographic Algorithms

Security Level Weak Legacy Baseline Standard High Ultra

Work Factor O(240) O(264) O(280) O(2128) O(2192) O(2256)

Algorithms DES, MD5 RC4, SHA-1 3DES AES-128, SHA-256 AES-192, SHA-384 AES-256, SHA-512

Symmetric Encryption: DES

Symmetric key encryption algorithm Block cipher: Works on 64-bit data block, uses 56-bit key (last bit of each byte used for parity) Mode of operation: Apply DES to encrypt blocks of data

Symmetric Encryption: 3DES

168-bit total key length Mode of operation decides how to process DES three times Normally: encrypt, decrypt, encrypt 3DES requires more processing than DES

Symmetric Encryption: AES

Formerly known as Rijndael Successor to DES and 3DES Symmetric key block cipher

Strong encryption with long expected life

AES can support 128-, 192-, and 256-bit keys; 128-bit key is considered safe

Asymmetric Encryption: RSA

Based on Diffie-Hellman key exchange (IKE) principles

Public key to encrypt data, and to verify digital signatures

Private key to decrypt data, and to sign with a digital signature Perfect for insecure communication channels

Diffie-Hellman Key Exchange

Diffie-Hellman Key Exchange (Cont.)

PKI Environment

PKI Environment

Certificate Authority
The trust basis of a PKI system Verifies user identity, issues certificates by binding identity of a user to a public key with a digital certificate Revokes certificates and publishes CRL In-house implementation or outsourcing

X.509 v3 Certificate

PKI Message Exchange

PKI Credentials
How to store PKI credentials:
RSA keys and certificates NVRAM

eToken:
Cisco 871, 1800, 2800, 3800 Series router Cisco IOS Release 12.3(14)T image Cisco USB eToken A k9 image

Summary
IPsec provides a mechanism for secure data transmission over IP networks. The IKE protocol is a key management protocol standard used in conjunction with the IPsec standard. IKE has some additional functions: DPD, NAT traversal, encapsulation in UDP packet, config mode, and Xauth. The two IP protocols used in the IPsec standard are ESP and AH. For message authentication and integrity check, an HMAC is used. The two types of encryption are symmetric encryption and asymmetric encryption. PKI provides customers with a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network.

IPsec VPNs

Site-to-Site IPsec VPN Operation

Site-to-Site IPsec VPN Operations

Five Steps of IPsec

Step 1: Interesting Traffic

Step 2: IKE Phase 1

IKE Policy

Negotiates matching IKE transform sets to protect IKE exchange

Diffie-Hellman Key Exchange

Authenticate Peer Identity

Peer authentication methods:

Preshared keys RSA signatures RSA encrypted nonces

Step 3: IKE Phase 2

Negotiates IPsec security parameters, IPsec transform sets Establishes IPsec SAs Periodically renegotiates IPsec SAs to ensure security Optionally, performs an additional Diffie-Hellman exchange

IPsec Transform Sets

A transform set is a combination of algorithms and protocols that enact a security policy for traffic.

Security Associations
SA database: Destination IP address SPI Protocol (ESP or AH) Security policy database:

Encryption algorithm
Authentication algorithm Mode

Key lifetime

SA Lifetime

Data transmitted-based

Time-based

Step 4: IPsec Session

SAs are exchanged between peers.

The negotiated security services are applied to the traffic.

Step 5: Tunnel Termination

A tunnel is terminated by one of the following:

By an SA lifetime timeout
If the packet counter is exceeded IPsec SA is removed

Configuring IPsec

Configuration Steps for Site-to-Site IPsec VPN

1. Establish ISAKMP policy 2. Configure IPsec transform set 3. Configure crypto ACL

4. Configure crypto map

5. Apply crypto map to the interface 6. Configure interface ACL

Site-to-Site IPsec Configuration: Phase 1

Site-to-Site IPsec Configuration: Phase 1

Site-to-Site IPsec Configuration: Phase 2

Site-to-Site IPsec Configuration: Phase 2

Site-to-Site IPsec Configuration: Apply VPN Configuration

Site-to-Site IPsec Configuration: Apply VPN Configuration

Site-to-Site IPsec Configuration: Interface ACL

Site-to-Site IPsec Configuration: Interface ACL

When filtering at the edge, there is not much to see:
IKE: UDP port 500 ESP and AH: IP protocol numbers 50 and 51, respectively

NAT transparency enabled:

UDP port 4500 TCP (port number has to be configured)

Site-to-Site IPsec Configuration: Interface ACL (Cont.)

Router1#show access-lists access-list 102 permit ahp host 172.16.172.10 host 172.16.171.20 access-list 102 permit esp host 172.16.172.10 host 172.16.171.20 access-list 102 permit udp host 172.16.172.10 host 172.16.171.20 eq isakmp

Ensure that protocols 50 and 51 and UDP port 500 traffic is not blocked on interfaces used by IPsec.

Summary
IPsec operation includes these steps: Initiation by interesting traffic of the IPsec process, IKE Phase 1, IKE Phase 2, data transfer, and IPsec tunnel termination. To configure a site-to-site IPsec VPN: Configure the ISAKMP policy, define the IPsec transform set, create a crypto ACL, create a crypto map, apply crypto map, and configure ACL. To define an IKE policy, use the crypto isakmp policy global configuration command. To define an acceptable combination of security protocols and algorithms used for IPsec, use the crypto ipsec transformset global configuration command. To apply a previously defined crypto map set to an interface, use the crypto map interface configuration command. Configure an ACL to enable the IPsec protocols (protocol 50 for ESP or 51 for AH) and IKE protocol (UDP/500).

IPsec VPNs

Configuring IPsec Site-to-Site VPN Using SDM

Introducing the SDM VPN Wizard Interface

Cisco Router and SDM

What Is Cisco SDM?

SDM is an embedded web-based management tool. Provides intelligent wizards to enable quicker and easier deployments, and does not require knowledge of Cisco IOS CLI or security expertise. Contains tools for more advanced users: ACL editor VPN crypto map editor Cisco IOS CLI preview

Cisco SDM Features

Smart wizards for these frequent router and security configuration issues: Avoid misconfigurations with integrated routing and security Secure the existing network infrastructure easily and costeffectively Uses Cisco TAC- and ICSA-recommended security configurations Startup wizard, one-step router lockdown, policy-based firewall and ACL management (firewall policy), one-step VPN (site-to-site), and inline IPS Guides untrained users through workflow

Introducing the SDM VPN Wizard Interface

1. 3.
Wizards for IPsec solutions Individual IPsec components

2.

Site-to-Site VPN Components

Site-to-Site VPN Components

VPN wizards use two sources to create a VPN connection:
User input during the step-by-step wizard process Preconfigured VPN components SDM provides some default VPN components:

Two IKE policies

IPsec transform set for Quick Setup wizard Other components are created by the VPN wizards. Some components (e.g., PKI) must be configured before the wizards can be used.

Site-to-Site VPN Components (Cont.)

Two main components: IPsec IKE Two optional components: Group Policies for Easy VPN server functionality Public Key Infrastructure for IKE authentication using digital certificates
Individual IPsec components used to build VPNs

Launching the Site-to-Site VPN Wizard

Launching the Site-to-Site VPN Wizard

1.

Launching the Site-to-Site VPN Wizard (Cont.)

2a.

2b.

3.

Quick Setup

Quick Setup (Cont.)

Step-by-Step Setup
Multiple steps are used to configure the VPN connection:
Defining connection settings: Outside interface, peer address, authentication credentials Defining IKE proposals: Priority, encryption algorithm, HMAC, authentication type, Diffie-Hellman group, lifetime Defining IPsec transform sets: Encryption algorithm, HMAC, mode of operation, compression Defining traffic to protect: Single source and destination subnets, ACL Reviewing and completing the configuration

Connection Settings

Connection Settings
1.

2.

3.

4.

IKE Proposals

IKE Proposals

1.

2.

3.

Transform Set

Transform Set

1.

2. 3.

Defining What Traffic to Protect

Option 1: Single Source and Destination Subnet

1.

2.

3.

Option 2: Using an ACL

1. 3.

2.

Option 2: Using an ACL (Cont.)

1.

2.

Option 2: Using an ACL (Cont.)

1. 2.

3.

Completing the Configuration

Review the Generated Configuration

Review the Generated Configuration (Cont.)

Test Tunnel Configuration and Operation

~ ~

~ ~

Monitor Tunnel Operation

1.

3.

2.

Advanced Monitoring
router#

show crypto isakmp sa

Lists active IKE sessions

router#

show crypto ipsec sa

Lists active IPsec security associations

Advanced monitoring can be performed using the default Cisco IOS HTTP server interface. Requires knowledge of Cisco IOS CLI commands.

Troubleshooting
router#

debug crypto isakmp

Debugs IKE communication Advanced troubleshooting can be performed using the Cisco IOS CLI Requires knowledge of Cisco IOS CLI commands

Summary
SDM is a GUI and one of its features is to provide simplified management of security mechanisms on Cisco IOS routers. SDM can manage various types of site-to-site VPNs. SDM can be used to implement a simple site-to-site VPN in three ways: Using the quick setup wizard Using the step-by-step wizard

Configuring individual VPN components

Upon completing the configuration, the SDM converts the configuration into the Cisco IOS CLI format.

IPsec VPNs

Configuring GRE Tunnels over IPsec

Generic Routing Encapsulation

Generic Routing Encapsulation

OSI Layer 3 tunneling protocol:

Uses IP for transport Uses an additional header to support any other OSI Layer 3 protocol as payload (e.g., IP, IPX, AppleTalk)

Default GRE Characteristics

Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE

Stateless (no flow control mechanisms)

No security (no confidentiality, data authentication, or integrity assurance) 24-byte overhead by default (20-byte IP header and 4-byte GRE header)

Optional GRE Extensions

GRE can optionally contain any one or more of these fields: Tunnel checksum Tunnel key Tunnel packet sequence number

GRE keepalives can be used to track tunnel path status.

GRE Configuration Example

GRE tunnel is up and protocol up if: Tunnel source and destination are configured Tunnel destination is in routing table GRE keepalives are received (if used) GRE is the default tunnel mode.

Introducing Secure GRE Tunnels

Introducing Secure GRE Tunnels

GRE is good at tunneling: Multiprotocol support Provides virtual point-to-point connectivity, allowing routing protocols to be used GRE is poor at securityonly very basic plaintext authentication can be implemented using the tunnel key (not very secure) GRE cannot accommodate typical security requirements: Confidentiality Data source authentication Data integrity

IPsec Characteristics
IPsec provides what GRE lacks: Confidentiality through encryption using symmetric algorithms (e.g., 3DES or AES) Data source authentication using HMACs (e.g., MD5 or SHA-1) Data integrity verification using HMACs IPsec is not perfect at tunneling: Older Cisco IOS software versions do not support IP multicast over IPsec IPsec was designed to tunnel IP only (no multiprotocol support) Using crypto maps to implement IPsec does not allow the usage of routing protocols across the tunnel IPsec does not tunnel IP protocols; GRE does

GRE over IPsec

GRE over IPsec is typically used to do the following:

Create a logical hub-and-spoke topology of virtual point-topoint connections Secure communication over an untrusted transport network (e.g., Internet)

GRE over IPsec Characteristics

GRE encapsulates arbitrary payload.

IPsec encapsulates unicast IP packet (GRE):

Tunnel mode (default): IPsec creates a new tunnel IP packet Transport mode: IPsec reuses the IP header of the GRE (20 bytes less overhead)

Configuring GRE over IPsec Site-to-Site Tunnel Using SDM

Configuring GRE over IPsec Site-to-Site Tunnel Using SDM

1. 3. 4.

2.

5. 6.

Configuring GRE over IPsec Site-to-Site Tunnel Using SDM (Cont.)

Configuring GRE over IPsec Site-to-Site Tunnel Using SDM (Cont.)

1.

2.

3. 4.

Backup GRE Tunnel Information

Backup GRE Tunnel Information

1. 2.

3.

4.

VPN Authentication Information

VPN Authentication Information

1A 2.

1B

IKE Proposals

IKE Proposals

Creating a Custom IKE Policy

Define all IKE policy parameters:

Priority Encryption algorithm: DES, 3DES, AES HMAC: SHA-1 or MD5 Authentication method: preshared secrets or digital certificates Diffie-Hellman group: 1, 2, or 5 IKE lifetime

Transform Set

Transform Set

1.

2. 3.

Routing Information

Routing Information

Option 1: Static Routing

Option 2: Dynamic Routing Using EIGRP

1.

2.

Option 3: Dynamic Routing Using OSPF

1.
2.

3.

Completing the Configuration

Review the Generated Configuration

Review the Generated Configuration (Cont.)

Test Tunnel Configuration and Operation

1. 3. 5. 2. 4.

6.

Test Tunnel Configuration and Operation (Cont.)

7.

Monitor Tunnel Operation

1.

3.

2.

Advanced Monitoring
router#

show crypto isakmp sa

Lists active IKE sessions
router#

show crypto ipsec sa

Lists active IPsec security associations

router#

show interfaces Lists interface and the statistics including the statistics of tunnel interfaces
Advanced monitoring can be performed using the default Cisco IOS HTTP server interface. Requires knowledge of Cisco IOS CLI commands.

Troubleshooting
router#

debug crypto isakmp

Debugs IKE communication Advanced troubleshooting can be performed using the Cisco IOS CLI Requires knowledge of Cisco IOS CLI commands

Summary
GRE is a multiprotocol tunneling technology. SDM can be used to implement GRE over IPsec site-to-site VPNs. Backup tunnels can be configured in addition to one primary tunnel. Routing can be configured through the tunnel interfaces: Static for simple sites

OSPF or EIGRP for more complex sites (more networks, multiple tunnels)
Upon completing the configuration, the SDM converts the configuration into the Cisco IOS CLI format.

IPsec VPNs

Cisco High Availability Options

High Availability for Cisco IOS IPsec VPNs

Failures

IPsec VPNs can experience any one of a number of different types of failures: Access link failure Remote peer failure Device failure

Path failure
IPsec should be designed and implemented with redundancy and high-availability mechanisms to mitigate these failures.

Redundancy

Common solutions using one or more of these options:

Two access links to mitigate access-link failures Multiple peers to mitigate peer failure Two local VPN devices to mitigate device failures Multiple independent paths to mitigate all path failures

Failure Detection

Native IPsec uses DPD to detect failures in the path and remote peer failure.
Any form of GRE over IPsec typically uses a routing protocol to detect failures (hello mechanism). HSRP is typically used to detect failures of local devices. VRRP and GLBP have similar failure-detection functionality.

Dead Peer Detection

IKE keepalives: Keepalives in periodic intervals DPD:

Keepalives in periodic intervals if no data transmitted

On-demand option

IPsec Backup Peer

IPsec Backup Peer

One HA design option is to use native IPsec and its HA mechanisms:

DPD to detect failures Backup peers to take over new tunnels when primary peer becomes unavailable

Configuration Example

Router will first try primary peer. If primary peer is not available or becomes unavailable (DPD failure detection), the router tries backup peers in order as listed in the crypto map.

Hot Standby Routing Protocol

Hot Standby Routing Protocol

HSRP can be used at: Headend: Two head-end IPsec devices appear as one to remote peers Remote site: Two IPsec gateways appear as one to local devices Active HSRP device uses a virtual IP and MAC address. Standby HSRP device takes over virtual IP and MAC address when active HSRP device goes down.

HSRP for Default Gateway at Remote Site

All remote devices use virtual IP as default gateway. Backup router is only used when primary router is down.

HSRP for Head-End IPsec Routers

Remote sites peer with virtual IP address (HSRP) of the headend. RRI or HSRP can be used on inside interface to ensure proper return path.

IPsec Stateful Failover

IPsec Stateful Failover

IPsec VPNs using DPD, HSRP, or IGPs to mitigate failures only provide stateless failover.
IPsec stateful failover requires: Identical hardware and software configuration of IPsec on active and standby device Exchange of IPsec state between active and standby device (i.e., complete SA information)

IPsec Stateful Failover (Cont.)

IPsec stateful failover works in combination with HSRP and SSO. SSO is responsible to synchronize ISAKMP and IPsec SA database between HSRP active and standby routers. RRI is optionally used to inject the routes into the internal network.

IPsec Stateful Failover Example

Configure IPC to exchange state information between head-end devices. Enable stateful redundancy.

Backing Up a WAN Connection with an IPsec VPN

Backing Up a WAN Connection with an IPsec VPN

IPsec VPNs can be used as cost-effective and fast backups for an existing WAN.

Switchover options: Using an IGP (e.g., GRE over IPsec or VTI): Use IGP metrics to influence primary path selection Optionally, use HSRP to track PVC status on remote site Using floating static routes for VPN destinations

Backing Up a WAN Connection with an IPsec VPN: Example Using GRE over IPsec

IGP used to detect PVC failures Reroute to GRE over IPsec tunnel

Summary
High availability requires two components: Redundant device, links, or paths High availability mechanisms to detect failures and reroute Native IPsec can be configured with backup peers in crypto maps in combination with DPD. HSRP can be used instead of backup peers.

IPsec stateful failover can augment HSRP to minimize downtime upon head-end device failures.
IPsec VPNs can be used as a backup for other types of networks.

IPsec VPNs

Configuring Cisco Easy VPN and Easy VPN Server Using SDM

Introducing Cisco Easy VPN

Introducing Cisco Easy VPN

Cisco Easy VPN has two main functions:
Simplify client configuration Centralize client configuration and dynamically push the configuration to clients How are these two goals achieved? IKE Mode Config functionality is used to download some configuration parameters to clients. Clients are preconfigured with a set of IKE policies and IPsec transform sets.

Cisco Easy VPN Components

Easy VPN Server: Enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Concentrators to act as VPN headend devices in site-to-site or remote-access VPNs, in which the remote office devices are using the Cisco Easy VPN Remote feature Easy VPN Remote: Enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN Hardware Clients or Software Clients to act as remote VPN clients

Remote Access Using Cisco Easy VPN

Describe Easy VPN Server and Easy VPN Remote

Cisco Easy VPN Remote Connection Process

1. The VPN client initiates the IKE Phase 1 process. 2. The VPN client establishes an ISAKMP SA. 3. The Easy VPN Server accepts the SA proposal.

4. The Easy VPN Server initiates a username and password challenge.

5. The mode configuration process is initiated. 6. The RRI process is initiated.

7. IPsec quick mode completes the connection.

Step 1: The VPN Client Initiates the IKE Phase 1 Process

Using pre-shared keys? Initiate aggressive mode. Using digital certificates? Initiate main mode.

Step 2: The VPN Client Establishes an ISAKMP SA

The VPN client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server. To reduce manual configuration on the VPN client, these ISAKMP proposals include several combinations of the following: Encryption and hash algorithms Authentication methods Diffie-Hellman group sizes

Step 3: The Cisco Easy VPN Server Accepts the SA Proposal

The Easy VPN Server searches for a match: The first proposal to match the server list is accepted (highestpriority match). The most secure proposals are always listed at the top of the Easy VPN Server proposal list (highest priority). The ISAKMP SA is successfully established.

Device authentication ends and user authentication begins.

Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge

If the Easy VPN Server is configured for Xauth, the VPN client waits for a username/password challenge: The user enters a username/password combination. The username/password information is checked against authentication entities using AAA. All Easy VPN Servers should be configured to enforce user authentication.

Step 5: The Mode Configuration Process Is Initiated

If the Easy VPN Server indicates successful authentication, the VPN client requests the remaining configuration parameters from the Easy VPN Server: Mode configuration starts. The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client. Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.

Step 6: The RRI Process Is Initiated

RRI should be used when the following conditions occur: More than one VPN server is used Per-client static IP addresses are used with some clients (instead of using per-VPN-server IP pools) RRI ensures the creation of static routes. Redistributing static routes into an IGP allows the servers site routers to find the appropriate Easy VPN Server for return traffic to clients.

Step 7: IPsec Quick Mode Completes the Connection

After the configuration parameters have been successfully received by the VPN client, IPsec quick mode is initiated to negotiate IPsec SA establishment. After IPsec SA establishment, the VPN connection is complete.

Cisco Easy VPN Server Configuration Tasks

Cisco Easy VPN Server Configuration Tasks Using SDM

Configuring the Easy VPN Server requires these tasks:
Configuring a privileged user Configuring enable secret

Enabling AAA using the local database

Configuring the Easy VPN Server using a configuration wizard

Cisco Easy VPN Server Configuration Tasks for the Easy VPN Server Wizard
The Easy VPN server wizard includes these tasks:
Selecting the interface on which to terminate IPsec IKE policies

Group policy lookup method

User authentication Local group policies IPsec transform set

Configuring Easy VPN Server

Configuring Easy VPN Server

Use a browser to connect to the Easy VPN Server router.
Click on the link to the SDM. Prepare a design before implementing the VPN server: IKE authentication method

User authentication method

IP addressing and routing for clients Install all prerequisite services (depending on the chosen design), for example:

RADIUS/TACACS+ server
CA and enrollment with the CA DNS resolution for the VPN server addresses

VPN Wizards
1.

3.

2.

Enabling AAA

2.

1.

Local User Management

3. 2.

1.

Creating Users

1.

2.
7. 3. 4. 8.

5.

6.

Enabling AAA

1.

2.

Starting the Easy VPN Server Wizard

Select Interface for Terminating IPsec

1.

2.

IKE Proposals

IKE Proposals

2.

1.

3.

Transform Set

Transform Set

3. 1.

2. 4.

Group Policy Configuration Location

Option 1: Local Router Configuration

1.

2.

Option 2: External Location via RADIUS

1.

2.

Option 2: External Location via RADIUS (Cont.)

1. 2.

3.

4.

User Authentication

Option 1: Local User Database

1. 2.

3.

Local User DatabaseAdding Users

1.

6.

2.

3.

4. 5.

Option 2: External User Database via RADIUS

1.

2.

3.

Local Group Policies

Local Group Policies

General Parameters
1.

2.

3A.

3B.

Domain Name System

1.

2.

Split Tunneling

1. 2. 3.

4.

5.

Advanced Options

1. 3.

4.
2.

Xauth Options
3. 1.

2.

4.

Completing the Configuration

Review the Generated Configuration

Review the Generated Configuration (Cont.)

Verify the Easy VPN Server Configuration

1. 2.

3.

Verify the Easy VPN Server Configuration (Cont.)

Monitoring Easy VPN Server

1.

3.

4.
2.

5.

Advanced Monitoring
router#

show crypto isakmp sa

Lists active IKE sessions

router#

show crypto ipsec sa

Lists active IPsec security associations

Advanced monitoring can be performed using the default Cisco IOS HTTP server interface. Requires knowledge of Cisco IOS CLI commands.

Troubleshooting
router#

debug crypto isakmp

Debugs IKE communication

router#

debug aaa authentication

Debugs user authentication via local user database or RADIUS

router#

debug aaa authorization

Debugs IKE Mode Config

router#

debug radius

Debugs RADIUS communication

Advanced troubleshooting can be performed using the Cisco IOS CLI. Requires knowledge of Cisco IOS CLI commands.

Summary
Cisco Easy VPN consists of two components: Easy VPN Server and Easy VPN Remote. Cisco Easy VPN Server can be configured using SDM. If you are using a local IP address pool, you need to configure that pool for use with Easy VPN. AAA is enabled for policy lookup. ISAKMP policies are configured for VPN clients.

Summary (Cont.)
The steps for defining group policy include configuring the following: Policy profile of the group that will be defined Preshared key DNS servers WINS servers DNS domain

Local IP address pool

Verify the Easy VPN operation.

IPsec VPNs

Implementing the Cisco VPN Client

Cisco VPN Client Configuration Tasks

Cisco VPN Client Configuration Tasks

1. Install Cisco VPN Client. 2. Create a new client connection entry. 3. Configure the client authentication properties.

4. Configure transparent tunneling.

5. Enable and add backup servers. 6. Configure a connection to the Internet through dial-up networking.

Use the Cisco VPN Client to Establish an RA VPN Connection and Verify the Connection Status

Use the Cisco VPN Client to Establish a VPN Connection and Verify the Connection Status
Installation process:
Download the latest version of the Cisco VPN Client from the CCO. Remove any previous versions of the Cisco VPN Client. Start the setup process that will guide you through the installation steps. Configuration process: Start the VPN Client. Create and configure VPN connections. Test VPN connections.

Task 1: Install Cisco VPN Client

Task 2: Create a New Client Connection Entry

1.

2.

Task 2: Create a New Client Connection Entry (Cont.)

3.
4. 5.

6.

Task 3: Configure Client Authentication Properties

1.

2. 3.

4.

Authentication options:
Group preshared secrets (group name and group secret) Mutual authentication (import CA certificate first; group name and secret) Digital certificates (enroll with the CA first; select the certificate)

Mutual Group Authentication

1.

2.

Mutual authentication should be used instead of group preshared secrets. Group preshared secrets are vulnerable to man-in-the-middle attacks if the attacker knows the group preshared secret.

Task 4: Configure Transparent Tunneling

1. 2.

On by default. NAT-T enables IPsec and IKE over a standard UDP port 4500, allowing the VPN Client to be behind a NAT or PAT device.

Routing Table
2. 1.

The Statistics window provides information about tunnel details, routing table, and personal firewall.

Task 5: Enable and Add Backup Servers

1. 2.

3.

List backup VPN servers to be used in case the primary VPN server is not reachable.

Task 6: Configure Connection to the Internet Through Dial-Up Networking

Optionally, tie a VPN connection to a dial-up connection defined in the Networking section of Windows.

Summary
You can install the VPN Client on your system through either of two different applications: InstallShield and MSI. Connection entries include: The VPN device (the remote server) to access Preshared keys Certificates Optional parameters

Authentication methods include:

Group authentication Mutual group authentication Certificate authentication

Summary (Cont.)
Transparent tunneling allows secure transmission through a router serving as a firewall, which may also be performing NAT or PAT. Access to local LAN resources can be made available. The private network may include one or more backup VPN servers to use if the primary server is not available. You can connect to the Internet using the VPN Client application in either of the following ways: Microsoft Dial-Up Networking A third-party dial-up program, usually from your ISP

Module Summary
The IKE protocol is a key management protocol standard used in conjunction with the IPsec standard. IPsec is used to create secure remote access VPNs. GRE is used to support non-IP protocols. GRE can be run inside IPsec for added security. SDM is an easy-to-use Internet browser-based device management tool that is embedded within the Cisco IOS 800 3800 Series access routers at no cost. SDM has a unique Security Audit wizard that provides a comprehensive router security audit.

Module Summary (Cont.)

GRE is a tunneling protocol initially developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. The multiprotocol functionality is provided by adding an additional GRE header between the payload and the tunneling IP header. IPsec VPNs requiring high availability should be designed and implemented with redundancy in order to survive single failures. Cisco Easy VPN consists of two components: Cisco Easy VPN Server (can be configured using SDM) and Cisco Easy VPN Remote. The Cisco VPN client software can be used to enable Microsoft Windows operating systems to use native IPsec.