Source PDF: d2zmdbbm9feqrf.cloudfront.net/2016/usa/pdf/BRKSEC-2881.pdf

Designing Remote-Access and Site-to-Site IPSec Networks with FlexVPN

Wen Zhang, Technical Leader, Cisco Services

BRKSEC-2881

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Objectives & Prerequisites

• Session objectives:

• Introduce IKEv2 & FlexVPN

• Demonstrate the value-add and possibilities of FlexVPN as a unified VPN solution with a variety of peer devices (software & hardware)

• Solve simple & complex use cases using FlexVPN

• Basic understanding of the following topics is required:

• IPSec, IKEv1, PKI, AAA, RADIUS

• Experience with the following features is a plus:

• QoS, MQC, VRF-Lite, iBGP, AnyConnect


Related Material

• IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS

• By Graham Bartlett, Amjad Inamdar

• Published Aug 16, 2016 by Cisco Press.

• http://www.ciscopress.com/store/ikev2-ipsec-virtual-private-networks-understanding-9780134426402


Before We Begin...

“Additional info” slides:

– Rendered in the presentation PDF (download it through the CiscoLive portal)

– Not shown during the live presentation

– Cover extra details or small additional topics


Agenda

• Introduction

• What is FlexVPN

• IKEv2 Overview

• Tunnel Interfaces

• FlexVPN AAA Integration

• Configuration Building Blocks

• Deployment Scenarios and Use Cases

• Site-to-Site

• Remote Access

• AnyConnect

• Windows Native Clients

• FlexVPN Hardware Clients

• Wrap-up

Introduction to FlexVPN


FlexVPN Overview

• Unified overlay VPN

• Combines Site-to-Site, Remote Access, Hub-Spoke & Spoke-Spoke topologies

• IPSec VPN compliant with the IKEv2 standard

• SSLVPN remote access on the roadmap

• FlexVPN highlights

• Unified CLI with Smart Defaults

• Unified infrastructure that leverages point-to-point tunnel interfaces

• Most features available across all topologies (QoS, AAA, VRF, …)

• IWAN NOT supported

• Interoperable with other IKEv2 implementations (ASA, Windows, StrongSwan, ...)

• Easy to learn, market, and manage


Comparing IKEv1 & IKEv2

(Figure: side-by-side comparison of the two protocols; only the recoverable labels are kept here.)

IKEv1: ISAKMP (RFC 2408), IPSec DOI (RFC 2407), IKE (RFC 2409); Main + Aggressive modes; Mode Config; Hybrid Auth.

IKEv2: RFC 7296; INITIAL exchanges; Config; EAP Auth.; Anti-DoS; Acknowledged Notifications; Cleaner Identity/Key Exchange; extensions such as IKEv2 Redirect (RFC 5685), Childless IKEv2 (RFC 6023), EAP-Only IKEv2 (RFC 5998), etc.

Common to both: NAT-T, DPD; Authentication, Integrity, Confidentiality; PSK, RSA-Sig; Suite-B; uses UDP ports 500 & 4500

Figure captions: Same Objectives / More Secure / Authentication Options / Similar but Different


IKEv2 Exchanges (Initiator (I) <-> Responder (R))

IKE_SA_INIT: IKEv2 Security Association (SA) establishment (proposal selection, key exchange)

IKE_AUTH: mutual authentication & identity exchange; initial IPSec SAs establishment; certificate exchange (optional); configuration exchange (optional)

CREATE_CHILD_SA: additional IPSec SAs establishment; IKEv2 & IPSec SA rekey

INFORMATIONAL: can be (I -> R) with ACK or (R -> I) with ACK; notifications (SA deletion, liveness check, ...); configuration exchange (one or both ways)


IKEv2 Configuration Exchange (Initiator (I) <-> Responder (R), carried in INFORMATIONAL exchanges)

CFG_REQUEST / CFG_REPLY: the initiator (RA client) requests configuration parameters from the responder (RA server).

  I -> R, CFG_REQUEST: "I would like: an IPv6 address; a DNS & WINS server; a list of protected IPv6 subnets"
  R -> I, CFG_REPLY: "Your assigned IPv6 address is ...; your DNS server is ...; there is no WINS server; my protected IPv6 subnets are ..." (derived from peer authorization)

CFG_SET / CFG_ACK: the initiator and/or the responder sends unsolicited configuration parameters to its peer.

  I -> R, CFG_SET: "My local IPv6 protected subnets are ..." (derived from peer authorization)
  R -> I, CFG_ACK: "Acknowledged"
  R -> I, CFG_SET then I -> R, CFG_ACK: the same exchange in the other direction


Tunnel Interfaces


Dynamic Point-to-Point Virtual Interfaces

FlexVPN Server: P2P virtual interface template (VT1)

  crypto ikev2 profile default
   ...
   virtual-template 1
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

Dynamically instantiated P2P interfaces (VA1, VA2, VA3), one per connected peer, each carrying its own per-peer features (here a different output QoS policy):

  interface Virtual-Access1
   ip unnumbered Loopback0
   tunnel source <local-address>
   tunnel destination <remote-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output mobile-QoS
  !
  interface Virtual-Access2
   ip unnumbered Loopback0
   tunnel source <local-address>
   tunnel destination <remote-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output traveler-QoS
  !
  interface Virtual-Access3
   ip unnumbered Loopback0
   tunnel source <local-address>
   tunnel destination <remote-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output home-office-QoS

Client: static P2P virtual interface (Tun0)

  interface Tunnel0
   ip address negotiated
   tunnel source Ethernet0/0
   tunnel destination <server-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

Server routing table (RIB/FIB) (figure label: Security Policy):

  S default via Ethernet0/0
  L 10.0.1.1/32 local Loopback0
  S 10.0.1.10/32 via Virtual-Access1
  S 10.0.1.11/32 via Virtual-Access2
  S 10.0.1.12/32 via Virtual-Access3
  S 10.42.1.0/24 via Virtual-Access3

Peer addresses in the figure: 10.0.1.10/32 (VA1), 10.0.1.11/32 (VA2), 10.0.1.12/32 (VA3, with the 10.42.1.0/24 network behind it).


Interface Features

FlexVPN Server: cleartext traffic from the server LAN (Eth0/0) destined to an RA client is encrypted on Virtual-Access1 and leaves on Eth0/1 (WAN).

  Cleartext packet (from server LAN): [IP | L4 | Data]
  Encrypted packet (to RA client):    [IP | IPsec | IP | L4 | Data], inner packet encrypted

Interface features (NAT, PBR, QoS, NetFlow, ...) are applied in this order:

• Interface input features (apply to cleartext packet)

• RIB/FIB (routing table)

• Pre-encapsulation interface output features (apply to cleartext packet)

• IPSec encapsulation (tunnel protection)

• Post-encapsulation interface output features (apply to encrypted packet)


Tunnel Encapsulation

• IPSec Tunnel Mode (IPv4 or IPv6)

• Classic dVTI: compatibility with software clients (any-to-any or any-to-assigned-address)

• Multi-SA dVTI: compatibility with legacy crypto map peers (ASA, other vendors)

• IPv4 over IPv6 Mixed Mode in IOS-XE 3.10

  interface Virtual-Template1 type tunnel
   tunnel mode ipsec {ipv4 | ipv6}
   tunnel protection ipsec profile default

  Packet: [IP | IPsec | IP | L4 | Data], inner packet encrypted

• GRE over IPSec

• Enables tunneling of non-IP protocols (e.g. MPLS)

• Required for dynamic mesh scenarios (aka DMVPN, but with the extra flexibility of point-to-point interfaces)

• "tunnel mode gre ip" is the default on static and dynamic tunnel interfaces

  interface Virtual-Template1 type tunnel
   tunnel mode gre {ip | ipv6}
   tunnel protection ipsec profile default

  Packet: [IP | IPsec | GRE | IP | L4 | Data], inner packet encrypted


Configuration Building Blocks


Configuration Example

  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   identity local fqdn router.cisco.com
   authentication local rsa-sig
   authentication remote eap
   pki trustpoint root sign
   aaa authentication eap default
   aaa authorization user eap
   virtual-template 1
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

Building blocks shown above:

• IKEv2 identity & profile selection ("match identity remote", "identity local")

• IKEv2 authentication & certificates ("authentication local/remote", "pki trustpoint")

• AAA integration (authentication, authorization, accounting) ("aaa authentication eap", "aaa authorization user eap")

• Dynamic point-to-point interfaces ("virtual-template 1", "interface Virtual-Template1 type tunnel")

• Native IPSec tunnel or GRE/IPSec ("tunnel mode ipsec ipv4", "tunnel protection")


IKEv2 CLI Overview – Proposal, Policy, and Keyring

IKEv2 Proposal (algorithms for IKEv2 SA):

  crypto ikev2 proposal default
   encryption aes-cbc-256 aes-cbc-128 3des
   integrity sha512 sha256 sha1 md5
   group 5 2

IKEv2 Policy (binds IKEv2 Proposal to local Layer 3 scope):

  crypto ikev2 policy default
   match fvrf any
   proposal default

IKEv2 Keyring (supports asymmetric Pre-Shared Keys):

  crypto ikev2 keyring IOSKeyring
   peer cisco
    address 10.0.1.1
    pre-shared-key local C5ISCO
    pre-shared-key remote OCSIC

IKEv2 Authorization Policy (contains attributes for local AAA & config. exchange):

  crypto ikev2 authorization policy default
   route set interface
   route accept any


IKEv2 CLI Overview – IKEv2 Profile (Extensive CLI)

  crypto ikev2 profile default
   ! Self identity control: only one local identity allowed
   identity local address 10.0.0.1
   [identity local fqdn local.cisco.com]
   [identity local email [email protected]]
   [identity local dn]
   ! Match on peer IKE identity or certificate: multiple "match identity" allowed
   match identity remote address 10.0.1.1
   match identity remote fqdn remote.cisco.com
   match identity remote fqdn domain cisco.com
   match identity remote email [email protected]
   match identity remote email domain cisco.com
   match certificate certificate_map
   ! Match on local address and front VRF
   match fvrf red
   match address local 172.168.1.1
   ! Asymmetric local & remote authentication methods:
   ! only one local method allowed, multiple remote methods allowed
   authentication local pre-share
   [authentication local rsa-sig]
   [authentication local eap]
   authentication remote pre-share
   authentication remote rsa-sig
   authentication remote eap
   ! Local and AAA-based pre-shared keyring
   keyring local IOSKeyring
   keyring aaa AAAlist
   pki trustpoint <trustpoint_name>


IPSec CLI Overview – Tunnel Protection similar to DMVPN and EzVPN

Transform set (unchanged):

  crypto ipsec transform-set default esp-aes 128 esp-sha-hmac

IPsec profile (defines SA parameters and points to the IKEv2 profile):

  crypto ipsec profile default
   set transform-set default
   set ikev2-profile default

Dynamic point-to-point interfaces (tunnel protection points to the IPsec profile):

  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   tunnel protection ipsec profile default

Static point-to-point interfaces:

  interface Tunnel0
   ip address 10.0.0.1 255.255.255.252
   tunnel source Ethernet0/0
   tunnel destination 172.16.2.1
   tunnel protection ipsec profile default


Introducing Smart Defaults – Intelligent, reconfigurable defaults

These constructs are the Smart Defaults:

  crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
  !
  crypto ipsec profile default
   set transform-set default
   set ikev2-profile default
  !
  crypto ikev2 proposal default
   encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
   integrity sha512 sha384 sha256 sha1 md5
   group 5 2
  !
  crypto ikev2 policy default
   match fvrf any
   proposal default
  !
  crypto ikev2 authorization policy default
   route set interface
   route accept any

What you need to specify:

  crypto ikev2 profile default
   match identity remote address 10.0.1.1
   authentication local rsa-sig
   authentication remote rsa-sig
   aaa authorization user cert list default default
   pki trustpoint root
  !
  interface Tunnel0
   ip address 192.168.0.1 255.255.255.252
   tunnel protection ipsec profile default


Reconfigurable Defaults

All defaults can be modified, deactivated, or restored.

• Modifying defaults:

  crypto ikev2 proposal default
   encryption aes-cbc-128
   integrity md5
  crypto ipsec transform-set default esp-aes 256 esp-sha-hmac

• Restoring defaults:

  default crypto ikev2 proposal
  default crypto ipsec transform-set

• Disabling defaults:

  no crypto ikev2 proposal default
  no crypto ipsec transform-set default


FlexVPN AAA Integration


FlexVPN and AAA – Authentication, Authorization & Accounting

• IKEv2 communicates with the IOS AAA subsystem

  • Local database (IKEv2 Authorization Policy)

  • Remote database (RADIUS)

  • Protocols in play: IKEv2, RADIUS, EAP

• AAA-based authentication:

  • Pre-shared keys stored on RADIUS server

  • EAP over IKEv2 & RADIUS

• Authorization – a mechanism to apply policies or attributes to connections

  • Implicit authorization (re-uses attributes received during authentication)

  • Explicit authorization (local or remote, group- & user-level)

• Accounting

AAA method lists (AAA list names: local-db, remote-db):

  aaa new-model
  aaa authorization network local-db local
  aaa authorization network remote-db group radius


High-Level Interactions

Roles:

  RA Client: IKEv2 Initiator, EAP Supplicant
  FlexVPN Server: IKEv2 Responder, RADIUS NAS (RADIUS client), EAP Authenticator
  AAA Server: RADIUS Server, EAP Backend

Interactions:

  RA Client <-> FlexVPN Server: Cert. Authentication, PSK Authentication
  RA Client <-> FlexVPN Server <-> AAA Server: EAP Client Authentication
  FlexVPN Server <-> AAA Server: AAA PSK Retrieval, RADIUS Authorization, RADIUS Accounting
  FlexVPN Server (local): Cached & Local Authorization


FlexVPN AAA Integration – AAA-Based Authentication


AAA Pre-Shared Keys

• Same IKEv2 packet flow as regular PSK authentication

• FlexVPN Server has no IKEv2 keyring configured

• Local & remote pre-shared keys stored on RADIUS server

• Symmetric key (IETF attribute):

  router2 Cleartext-Password := "cisco"
          Tunnel-Password = "!cisco?"

• Asymmetric keys (Cisco AV-Pair):

  router1 Cleartext-Password := "cisco"
          Cisco-AVPair = "ipsec:ikev2-password-local=cisco!",
          Cisco-AVPair += "ipsec:ikev2-password-remote=!ocsic"


AAA Pre-Shared Keys – Packet Flow

Parties: FlexVPN Client (IKEv2 Initiator), FlexVPN Server (IKEv2 Responder, RADIUS NAS), AAA Server (RADIUS Server)

  Client -> Server   IKEv2 (IKE_AUTH): IDi, AUTH(PSK), ...          IKEv2 ID: joe.cisco.com
  Server -> AAA      RADIUS (Access-Request): User-Name: joe.cisco.com, Password: cisco
                     (AAA username = IKEv2 ID: joe.cisco.com; the password is configurable)
  AAA -> Server      RADIUS (Access-Accept): Local PSK = cisco!, Remote PSK = !ocsic,
                     other user attributes for joe.cisco.com (cached for authorization)
  Server -> Client   IKEv2 (IKE_AUTH): IDr, AUTH(PSK), ...

FlexVPN Server configuration:

  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   keyring aaa radius
  !


EAP Authentication

Parties: RA Client (IKEv2 Initiator, EAP Supplicant), FlexVPN Server (IKEv2 Responder, RADIUS NAS, EAP Authenticator), AAA Server (RADIUS Server, EAP Backend). EAP is carried over IKEv2 between client and server and over RADIUS between server and AAA server.

• Username-Password/Token/Mobile Authentication (One-Way): EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 / EAP-AKA / EAP-SIM / ...

• TLS-Based Certificate Authentication (Mutual): EAP-TLS, with the TLS session running end-to-end between the client and the EAP backend

• TLS-Protected Nested Authentication (One-Way or Mutual): EAP-PEAP / EAP-TTLS carrying EAP-MSCHAPv2 / EAP-TLS / ... inside the TLS session

• In all cases the RA server authenticates to the client using IKE certificates (mandatory)

  crypto ikev2 profile default
   authentication remote eap query-identity
   aaa authentication eap frad


FlexVPN AAA Integration – User & Group Authorization


Authorization Types – not mutually exclusive, may be combined

Implicit User Authorization – uses cached attributes received from RADIUS during AAA PSK retrieval or EAP authentication:

  crypto ikev2 profile default
   aaa authorization user {psk|eap} cached

Explicit User Authorization – retrieves user attributes from RADIUS:

  crypto ikev2 profile default
   aaa authorization user {psk|eap|cert} list list [name | name-mangler mangler]

Explicit Group Authorization – retrieves group attributes from RADIUS or local database; "override" reverses the order of precedence (group > user):

  crypto ikev2 profile default
   aaa authorization group {psk|eap|cert} [override] list list [name | name-mangler mangler]

Attributes cached for authorization (from the RADIUS Access-Accept of the AAA PSK flow): Local PSK = cisco!, Remote PSK = !ocsic, other user attributes for joe


Attributes – Syntax

• Local Database

  • IKEv2 Authorization Policy:

    crypto ikev2 authorization policy Eng
     pool Eng-pool
     dns 10.0.1.1
     netmask 255.255.255.255
     aaa attribute list Eng-list

  • AAA Attribute List (V-Access interface configuration statements):

    aaa attribute list Eng-list
     attribute type interface-config "vrf forwarding Eng-vrf"
     attribute type interface-config "ip unnumbered Loopback1"

• Central/Remote Database (on RADIUS Server)

  • Standard IETF Attributes (Framed-IP-Address, etc.)

  • Cisco Attribute-Value Pairs (Cisco-AVPair)

    Eng Cleartext-Password := "cisco"
        Framed-IP-Netmask = "255.255.255.255",
        Cisco-AVPair = "ipsec:addr-pool=Eng-pool",
        Cisco-AVPair += "ipsec:dns-servers=10.0.1.1",
        Cisco-AVPair += "ip:interface-config=vrf forwarding Eng-vrf",
        Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"


Attributes – Merging (on the FlexVPN Server, from what the AAA Server returned)

Cached User Attributes (received during AAA-based authentication):

  Framed-IP-Address   10.0.0.101
  ipsec:dns-servers   10.2.2.2

Explicit User Attributes (received during explicit user authorization):

  Framed-IP-Address   10.0.0.102

Merged User Attributes (explicit user attributes take precedence):

  Framed-IP-Address   10.0.0.102
  ipsec:dns-servers   10.2.2.2

Explicit Group Attributes (received during explicit group authorization):

  ipsec:dns-servers   10.2.2.3
  ipsec:banner        Welcome !

Final Merged Attributes (merged user attributes take precedence, except if "group override" is configured):

  Framed-IP-Address   10.0.0.102
  ipsec:dns-servers   10.2.2.2
  ipsec:banner        Welcome !
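The precedence shown in the tables above, as an added Python example (not code from the presentation or from Cisco IOS): it parses the FreeRADIUS-style reply lines the slides use and merges cached, explicit-user and explicit-group attributes, with and without "group override". The reply lines are constructed from the slide's tables; representing an attribute table as a dict of name to list of values is an assumption of this example.

```python
import re
from typing import Dict, List, Optional

# Attribute table: name -> list of values (some attributes, e.g. ip:interface-config,
# legitimately repeat). This representation is an assumption of this example.
Attrs = Dict[str, List[str]]

# Matches 'Attr = value', 'Attr = "value",' and 'Attr += "value"' reply lines.
_LINE = re.compile(r'^\s*([\w-]+)\s*\+?=\s*"?(.*?)"?\s*,?\s*$')


def parse_reply(lines: List[str]) -> Attrs:
    """Parse RADIUS reply lines into an attribute table.

    A Cisco-AVPair value such as 'ipsec:dns-servers=10.2.2.2' is stored under
    the key 'ipsec:dns-servers', the way the slide's tables show it.
    """
    attrs: Attrs = {}
    for line in lines:
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable attribute line: {line!r}")
        name, value = m.group(1), m.group(2)
        if name == "Cisco-AVPair":
            if "=" not in value:
                raise ValueError(f"Cisco-AVPair without key=value: {value!r}")
            name, value = value.split("=", 1)
        attrs.setdefault(name, []).append(value)
    return attrs


def merge(base: Optional[Attrs], winner: Optional[Attrs]) -> Attrs:
    """Return base with every attribute also present in winner replaced by winner's."""
    merged = {k: list(v) for k, v in (base or {}).items()}
    for k, v in (winner or {}).items():
        merged[k] = list(v)
    return merged


def merge_user(cached: Attrs, explicit_user: Optional[Attrs]) -> Attrs:
    """Explicit user attributes take precedence over cached user attributes."""
    return merge(cached, explicit_user)


def final_attrs(merged_user: Attrs, explicit_group: Optional[Attrs],
                group_override: bool = False) -> Attrs:
    """Merged user attributes take precedence, except if 'group ... override' is set."""
    if group_override:
        return merge(merged_user, explicit_group)
    return merge(explicit_group, merged_user)


def authorize(cached: Attrs, explicit_user: Optional[Attrs] = None,
              explicit_group: Optional[Attrs] = None, group_override: bool = False) -> Attrs:
    """Full merge: cached -> explicit user -> explicit group."""
    return final_attrs(merge_user(cached, explicit_user), explicit_group, group_override)


# Constructed reply lines reproducing the three source tables on the slide
CACHED_REPLY = ['Framed-IP-Address = 10.0.0.101',
                'Cisco-AVPair = "ipsec:dns-servers=10.2.2.2"']
EXPLICIT_USER_REPLY = ['Framed-IP-Address = 10.0.0.102']
EXPLICIT_GROUP_REPLY = ['Cisco-AVPair = "ipsec:dns-servers=10.2.2.3",',
                        'Cisco-AVPair += "ipsec:banner=Welcome !"']


def demo() -> Dict[str, Attrs]:
    """Merged tables for the slide's data, with and without group override."""
    cached = parse_reply(CACHED_REPLY)
    user = parse_reply(EXPLICIT_USER_REPLY)
    group = parse_reply(EXPLICIT_GROUP_REPLY)
    return {
        "merged_user": merge_user(cached, user),
        "final": authorize(cached, user, group),
        "final_group_override": authorize(cached, user, group, group_override=True),
    }


if __name__ == "__main__":
    for title, table in demo().items():
        print(title)
        for name, values in sorted(table.items()):
            print(f"  {name:20} {', '.join(values)}")
```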


Authorization Example

FlexVPN Server configuration:

  aaa authorization network here local
  aaa attribute list Eng-list
   attribute type interface-config "vrf forwarding Eng-vrf"
   attribute type interface-config "ip unnumbered Loopback1"
  !
  crypto ikev2 authorization policy Eng
   pool Eng-pool
   netmask 255.255.255.255
   aaa attribute list Eng-list
  !
  crypto pki certificate map cisco-map 1
   subject-name co o = Cisco
  !
  crypto ikev2 name-mangler ou
   dn organization-unit
  !
  crypto ikev2 profile default
   match certificate cisco-map
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint root
   aaa authorization group cert list here name-mangler ou
   virtual-template 1
  !
  ip local pool Eng-pool 10.0.1.10 10.0.1.99
  !
  interface Loopback1
   vrf forwarding Eng-vrf
   ip address 10.0.1.1 255.255.255.255
  !
  interface Virtual-Template1 type tunnel
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

Exchange between RA Client and FlexVPN Server:

  Client: "My IKE ID is cn=joe-pc, ou=Eng, o=Cisco. Here is my identity certificate. I need an IPv4 address."
  Server: Map connection to IKEv2 profile by matching on cert-map "cisco-map"
  Server: Perform certificate-based authentication (not shown)
  Server: Run client IKE ID through name-mangler "ou"
  Server: Invoke AAA with list "here" (local authorization) & username "Eng"
  Server: Clone V-Template1 into V-Access1, apply VRF & IP unnumbered
  Server: Allocate IPv4 address from pool "Eng-pool"
  Server: "Your IPv4 address is: 10.0.1.10/32"

Resulting interface ("show derived-config ..."):

  interface Virtual-Access1
   vrf forwarding Eng-vrf
   ip unnumbered Loopback1
   tunnel source 192.0.2.2
   tunnel mode ipsec ipv4
   tunnel destination 192.168.221.129
   tunnel protection ipsec profile default
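The server-side steps of this example, walked through as an added Python model (not code from the presentation or from Cisco IOS): certificate-map matching with the "co" operator, the "ou" name-mangler, lookup of the local authorization policy under the mangled name, allocation from the pool and derivation of the Virtual-Access interface. Certificate subjects, pool range and attribute list come from the slide; the server-state dictionary, the second client "ann-pc" and the "lowest free address" pool behaviour are assumptions of this example.

```python
import ipaddress
from typing import Dict, List


def parse_dn(dn: str) -> Dict[str, str]:
    """'cn=joe-pc, ou=Eng, o=Cisco' -> {'cn': 'joe-pc', 'ou': 'Eng', 'o': 'Cisco'}."""
    parts: Dict[str, str] = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parts[key.strip().lower()] = value.strip()
    return parts


def cert_map_matches(subject_dn: str, rule: str) -> bool:
    """'subject-name co <text>' rule ('co' = contains), ignoring case and whitespace."""
    field, op, text = rule.split(" ", 2)
    if field != "subject-name" or op != "co":
        raise ValueError(f"unsupported certificate-map rule: {rule!r}")
    squash = lambda s: "".join(s.split()).lower()  # 'o = Cisco' matches 'o=Cisco'
    return squash(text) in squash(subject_dn)


def name_mangler_ou(ike_id_dn: str) -> str:
    """'crypto ikev2 name-mangler ou' / 'dn organization-unit': extract the OU."""
    ou = parse_dn(ike_id_dn).get("ou")
    if ou is None:
        raise LookupError("peer IKE ID carries no OU, nothing to mangle")
    return ou


class AddressPool:
    """'ip local pool <name> <first> <last>', handing out the lowest free address."""
    def __init__(self, name: str, first: str, last: str) -> None:
        self.name = name
        self.first = ipaddress.IPv4Address(first)
        self.last = ipaddress.IPv4Address(last)
        self.in_use: set = set()

    def allocate(self) -> str:
        addr = self.first
        while addr <= self.last:
            if addr not in self.in_use:
                self.in_use.add(addr)
                return str(addr)
            addr += 1
        raise RuntimeError(f"pool {self.name} exhausted")


def server_state() -> Dict:
    """A fresh copy of the slide's server configuration, constructed for this example."""
    return {
        "cert_map": "subject-name co o = Cisco",            # crypto pki certificate map cisco-map
        "authz_policies": {                                 # local AAA list 'here'
            "Eng": {"pool": "Eng-pool", "netmask": "255.255.255.255",
                    "aaa_attribute_list": "Eng-list"}},
        "attribute_lists": {
            "Eng-list": ["vrf forwarding Eng-vrf", "ip unnumbered Loopback1"]},
        "pools": {"Eng-pool": AddressPool("Eng-pool", "10.0.1.10", "10.0.1.99")},
        "next_va": 1,
    }


def authorize_peer(state: Dict, ike_id_dn: str, cert_subject_dn: str,
                   local_addr: str, remote_addr: str) -> Dict:
    """Profile selection, name mangling, group authorization, address allocation."""
    if not cert_map_matches(cert_subject_dn, state["cert_map"]):
        raise PermissionError("no IKEv2 profile matches the peer certificate")
    group = name_mangler_ou(ike_id_dn)
    policy = state["authz_policies"].get(group)
    if policy is None:
        raise PermissionError(f"AAA list 'here': no authorization policy named {group!r}")
    address = state["pools"][policy["pool"]].allocate()
    prefixlen = ipaddress.IPv4Network(f"0.0.0.0/{policy['netmask']}").prefixlen
    va, state["next_va"] = state["next_va"], state["next_va"] + 1
    # Virtual-Template1 cloned into Virtual-AccessN, attribute-list statements applied
    interface = [f"interface Virtual-Access{va}"]
    interface += [f" {line}" for line in state["attribute_lists"][policy["aaa_attribute_list"]]]
    interface += [f" tunnel source {local_addr}", " tunnel mode ipsec ipv4",
                  f" tunnel destination {remote_addr}",
                  " tunnel protection ipsec profile default"]
    return {"group": group, "address": f"{address}/{prefixlen}", "interface": interface}


def demo() -> List[Dict]:
    """Authorize the slide's client, then a second constructed client from the same OU."""
    state = server_state()
    joe = authorize_peer(state, "cn=joe-pc, ou=Eng, o=Cisco", "cn=joe-pc, ou=Eng, o=Cisco",
                         "192.0.2.2", "192.168.221.129")
    ann = authorize_peer(state, "cn=ann-pc, ou=Eng, o=Cisco", "cn=ann-pc, ou=Eng, o=Cisco",
                         "192.0.2.2", "198.51.100.7")
    return [joe, ann]


if __name__ == "__main__":
    for result in demo():
        print(f"Your IPv4 address is: {result['address']}")
        print("\n".join(result["interface"]))
```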


FlexVPN AAA Integration – Connection Accounting


AAA Accounting

Parties: RA Client (public IP address 192.168.221.129), FlexVPN Server (10.0.0.1), RADIUS Server (10.0.0.2). Assigned address: 10.0.1.101.

FlexVPN Server configuration:

  aaa accounting network rad start-stop group frad
  aaa group server radius frad
   server-private 10.0.0.2 auth-port 1812 acct-port 1813 key s3cr3t
  !
  crypto ikev2 profile default
   aaa authentication eap frad
   aaa authorization user eap cached
   aaa accounting eap frad

Flow:

  RA Client <-> FlexVPN Server: IKEv2 (EAP) & IPSec
  Upon client connection: FlexVPN Server -> RADIUS Server: RADIUS Acct-Request (Start); RADIUS Server -> FlexVPN Server: RADIUS Acct-Response
  Upon client disconnection: FlexVPN Server -> RADIUS Server: RADIUS Acct-Request (Stop); RADIUS Server -> FlexVPN Server: RADIUS Acct-Response

Accounting-Request (Start):

  Acct-Session-Id = "0000001B"
  Cisco-AVPair = "isakmp-phase1-id=acvpn"                 <- IKE ID
  Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"     <- client public IP address
  Framed-IP-Address = 10.0.1.101                           <- assigned IP address
  User-Name = "joe@cisco"                                  <- EAP username
  Cisco-AVPair = "connect-progress=No Progress"
  Acct-Authentic = Local
  Acct-Status-Type = Start
  NAS-IP-Address = 10.0.0.1
  Acct-Delay-Time = 0

Accounting-Request (Stop):

  Acct-Session-Id = "0000001B"
  Cisco-AVPair = "isakmp-phase1-id=acvpn"
  Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
  Framed-IP-Address = 10.0.1.101
  User-Name = "joe@cisco"
  Acct-Authentic = Local
  Cisco-AVPair = "connect-progress=No Progress"
  Acct-Session-Time = 104                                  <- statistics
  Acct-Input-Octets = 13906
  Acct-Output-Octets = 11040
  Acct-Input-Packets = 207
  Acct-Output-Packets = 92
  Acct-Terminate-Cause = 0
  Cisco-AVPair = "disc-cause-ext=No Reason"
  Acct-Status-Type = Stop
  NAS-IP-Address = 10.0.0.1
  Acct-Delay-Time = 0


FlexVPN Deployment Scenarios – Site-to-Site


Site-to-Site Use Case

Topology: Site1 LAN 172.16.1.0/24 <-> Internet <-> Site2 LAN 172.16.2.0/24

• Requirements:

  • Secure site-to-site access over public Internet

  • Static routing


Site-to-Site Use Case – Proposed solution

Topology: Site1 LAN 172.16.1.0/24 – Tunnel0 10.0.0.1/30 <-> Internet <-> Tunnel0 10.0.0.2/30 – Site2 LAN 172.16.2.0/24

• Proposed solution:

  • Static Virtual Tunnel Interface

  • Local pre-shared keys

  • Static route

Site2 router configuration:

  crypto ikev2 profile default
   match identity remote fqdn r1.cisco.com
   identity local fqdn r2.cisco.com
   authentication remote pre-share
   authentication local pre-share
   keyring local my_keyring
  !
  interface Tunnel0
   ip address 10.0.0.2 255.255.255.252
   tunnel source Ethernet0/0
   tunnel destination 192.0.1.1
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
  !
  interface Ethernet0/0
   ip address 192.0.2.1 255.255.255.0
  !
  interface Ethernet0/1
   ! Site2 LAN gateway: a host address is needed here, IOS rejects the network address 172.16.2.0
   ip address 172.16.2.1 255.255.255.0
  !
  ip route 172.16.1.0 255.255.255.0 Tunnel0


Site-to-Site Use Case – Dynamic Routing

Topology: Site1 LAN 172.16.1.0/24 <-> Internet <-> Site2 LAN 172.16.2.0/24

• Requirements:

  • Secure site-to-site access over public Internet

  • Dynamic routing (EIGRP) instead of static routing

Site2 router configuration (the static route is replaced by an EIGRP process over the tunnel):

  crypto ikev2 profile default
   match identity remote fqdn r1.cisco.com
   identity local fqdn r2.cisco.com
   authentication remote pre-share
   authentication local pre-share
   keyring local my_keyring
  !
  interface Tunnel0
   ip address 10.0.0.2 255.255.255.252
   tunnel source Ethernet0/0
   tunnel destination 192.0.1.1
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
  !
  interface Ethernet0/0
   ip address 192.0.2.1 255.255.255.0
  !
  interface Ethernet0/1
   ! Site2 LAN gateway: a host address is needed here, IOS rejects the network address 172.16.2.0
   ip address 172.16.2.1 255.255.255.0
  !
  router eigrp 100
   network 10.0.0.0 0.0.0.3
   network 172.16.2.0


Site-to-Site Use Case – Hub and Spokes

Topology: Hub LAN 172.16.0.0/24 <-> Internet <-> spoke LANs such as 172.16.1.0/24

• Requirements:

  • Secure site-to-site access over public Internet

  • Large number of spokes

  • Minimal security exposure amongst spokes

  • Hub and spoke traffic profile

  • Simple routing


Site-to-Site Use Case – Hub and Spokes

Topology: Hub LAN 172.16.0.0/24 (Virtual-Access interfaces on the hub) <-> Internet <-> spoke LAN 172.16.1.0/24 (static Tunnel interface on the spoke); a CA Server issues the certificates

• Proposed solution:

  • Dynamic Virtual Tunnel Interface on the Hub

  • Static Virtual Tunnel Interface on the Spoke

  • Certificate authentication

  • Overlay routing with EIGRP with summary route


Hub and Spokes – Spoke Configuration (spoke LAN 172.16.1.0/24; hub LAN 172.16.0.0/24 and CA Server reachable across the Internet)

  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint CA
  !
  interface Tunnel0
   ip unnumbered loopback0
   tunnel source Ethernet0/0
   tunnel destination 192.0.1.1
   tunnel protection ipsec profile default
  !
  router eigrp 100
   network 10.0.0.0 0.0.0.255
   network 172.16.1.0


Hub and Spokes – Hub Configuration (hub LAN 172.16.0.0/24; spoke LAN 172.16.1.0/24; CA Server)

  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint CA
   ! bind the profile to the dynamic interface template
   virtual-template 1
  !
  interface virtual-template 1 type tunnel
   ip unnumbered loopback0
   ! advertise one summary for all spoke LANs instead of each /24
   ip summary-address eigrp 100 172.16.0.0 255.255.0.0
   tunnel protection ipsec profile default
  !
  router eigrp 100
   network 10.0.0.0 0.0.0.255
   network 172.16.0.0


Site-to-Site Use Case – Hub and Spokes

Topology: Hub LAN 172.16.0.0/24 <-> Internet <-> spoke LAN 172.16.1.0/24; figure labels: CA Server, AAA Server

• Proposed solution (other variations):

  • Authentication

    • Hybrid Authentication

    • AAA managed pre-shared keys

  • Address assignment

    • Radius

    • Local address pool

  • Routing

    • IKEv2 Routing

      • Locally managed

      • Radius managed

    • BGP


Site-to-Site Use Case – Dynamic Mesh

Topology: Hub LAN 172.16.0.0/24 <-> Internet <-> spoke LAN 172.16.1.0/24

• Proposed Solution:

  • Dynamic Virtual Tunnel Interfaces on both Hub and Spoke

  • Hub assigned Tunnel addresses on Spokes

  • NHRP Short-cut switching with GRE/IPSec

  • iBGP routing for scale

  • IKEv2 routing to bootstrap BGP neighbor communication


IKEv2 Route Exchange

• Route exchange during IKE negotiation is driven from the IKEv2 authorization profile

• This authorization profile is either locally defined or centralized (AAA server)!

Spoke routing table (after the exchange):

  C 172.16.1.0/24 Eth0
  C 10.0.0.2 Tunnel0
  S 0.0.0.0/0 Dialer0
  S 10.0.0.254/32 Tunnel0
  S 172.16.0.0/16 Tunnel0

Hub routing table (after the exchange):

  C 172.16.0.0/24 Eth0
  C 10.0.0.254/32 -> Loopback0
  S 0.0.0.0/0 Dialer0
  S 172.16.0.0/16 Null0
  S 10.0.0.2/32 Tunnel0
  S 172.16.1.0/24 Tunnel0

Exchange (Spoke = initiator, Hub = responder):

  Spoke -> Hub: CFG_REQUEST, Hub -> Spoke: CFG_REPLY
  Spoke -> Hub: CFG_SET (the initiator sends its own routes to the responder), Hub: "Route Accept?", Hub -> Spoke: CFG_ACK
  Hub -> Spoke: CFG_SET, Spoke: "Route Accept?", Spoke -> Hub: CFG_ACK

Routes sent to the peer are determined by:

  • interface ('route set interface')

  • access-list ('route set access-list')

  • direct statement ('route set remote')

Inbound route filter (by tag or AD) is possible using 'route accept'. Default is 'accept any'!

For maximal security, remote routes can be denied and route addition can be controlled locally using 'route set local'.
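The "route set" / "route accept" behaviour described above, as an added Python model (not code from the presentation or from Cisco IOS): the spoke derives the prefixes it announces in CFG_SET from its authorization policy, and the hub either installs them as static routes carrying the tag and distance from "route accept" (the defaults in the slide's "show" output) or, in the locked-down variant, ignores them and installs only what "route set local" says. Addresses come from the slide's routing tables; the policy dictionaries, the routing-table representation and the tag-based redistribution filter are assumptions of this example.

```python
import ipaddress
from typing import Dict, List


def routes_to_send(policy: Dict, tunnel_addr: str, local_prefixes: List[str]) -> List[str]:
    """Prefixes the initiator puts in CFG_SET, per its 'route set ...' statements."""
    sent: List[str] = []
    if policy.get("route set interface"):
        # the tunnel interface address itself, as a host route
        sent.append(f"{ipaddress.IPv4Interface(tunnel_addr).ip}/32")
    for acl_entry in policy.get("route set access-list", []):
        # local routes permitted by the access-list
        permitted = ipaddress.IPv4Network(acl_entry)
        sent += [p for p in local_prefixes
                 if ipaddress.IPv4Network(p).subnet_of(permitted)]
    # prefixes stated directly with 'route set remote'
    sent += policy.get("route set remote", [])
    return sent


def install_received(policy: Dict, received: List[str], via: str, rib: List[Dict]) -> List[str]:
    """Responder side: apply 'route accept' and 'route set local', install static routes."""
    # IOS default is 'route accept any'; the slide's show output gives tag 1, distance 1
    accept = policy.get("route accept", {"mode": "any", "tag": 1, "distance": 1})
    installed: List[str] = []
    if accept["mode"] == "any":
        for prefix in received:
            rib.append({"proto": "S", "prefix": str(ipaddress.IPv4Network(prefix)), "via": via,
                        "tag": accept.get("tag", 1), "distance": accept.get("distance", 1)})
            installed.append(prefix)
    # routes the responder adds for this peer locally, whatever the peer announced
    for prefix in policy.get("route set local", []):
        rib.append({"proto": "S", "prefix": prefix, "via": via, "tag": 0, "distance": 1})
        installed.append(prefix)
    return installed


def redistribute_static(rib: List[Dict], match_tag: int) -> List[str]:
    """Static routes that a route-map matching this tag would hand to BGP."""
    return [r["prefix"] for r in rib if r["proto"] == "S" and r["tag"] == match_tag]


# Spoke (initiator) side, values from the slide's spoke routing table
SPOKE_POLICY = {"route set interface": True, "route set access-list": ["172.16.0.0/16"]}
SPOKE_TUNNEL_ADDR = "10.0.0.2/32"
SPOKE_LOCAL_PREFIXES = ["172.16.1.0/24", "0.0.0.0/0"]   # LAN and default route

# Hub (responder) policies: the default, and a locked-down variant
HUB_POLICY_DEFAULT = {"route set interface": True,
                      "route accept": {"mode": "any", "tag": 1, "distance": 1}}
HUB_POLICY_LOCKED = {"route set interface": True,
                     "route accept": {"mode": "none"},
                     "route set local": ["172.16.1.0/24"]}


def exchange(hub_policy: Dict) -> Dict:
    """One spoke -> hub CFG_SET / CFG_ACK round, returning what the hub installed."""
    cfg_set = routes_to_send(SPOKE_POLICY, SPOKE_TUNNEL_ADDR, SPOKE_LOCAL_PREFIXES)
    hub_rib = [{"proto": "C", "prefix": "172.16.0.0/24", "via": "Eth0", "tag": 0, "distance": 0},
               {"proto": "S", "prefix": "172.16.0.0/16", "via": "Null0", "tag": 0, "distance": 1}]
    installed = install_received(hub_policy, cfg_set, "Tunnel0", hub_rib)
    return {"cfg_set": cfg_set, "installed": installed, "rib": hub_rib}


if __name__ == "__main__":
    for name, policy in (("default", HUB_POLICY_DEFAULT), ("locked down", HUB_POLICY_LOCKED)):
        r = exchange(policy)
        print(f"{name}: CFG_SET {r['cfg_set']} -> installed {r['installed']}")
        print(f"  redistributed into BGP (tag 1): {redistribute_static(r['rib'], 1)}")
```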


Dynamic Mesh – Hub Configuration (hub LAN 172.16.0.0/24; spoke LAN 172.16.1.0/24)

  aaa new-model
  aaa authorization network default local
  !
  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   identity local dn
   authentication local rsa-sig
   authentication remote rsa-sig
   pki trustpoint CA
   aaa authorization group cert list default default
   virtual-template 1
  !
  interface virtual-template1 type tunnel
   ip unnumbered Loopback0
   ip nhrp network-id 1
   ip nhrp redirect
   tunnel protection ipsec profile default
  !
  ip route 172.16.0.0 255.255.0.0 Null0
  !
  router bgp 1
   neighbor Spokes peer-group
   neighbor Spokes remote-as 1
   bgp listen range 10.0.0.0/8 peer-group Spokes
   redistribute static

  hub#show crypto ikev2 authorization policy default
  IKEv2 Authorization Policy : default
    IPV4 Address Pool : mypool
    route set interface
    route accept any tag : 1 distance : 1


Dynamic Mesh – Spoke Configuration (spoke LAN 172.16.1.0/24; hub LAN 172.16.0.0/24)

  aaa authorization network default local
  !
  crypto ikev2 profile default
   <SNIP>
   aaa authorization group cert list default default
   virtual-template 1
  !
  interface Tunnel0
   ip address negotiated
   tunnel source Ethernet0/0
   ip nhrp network-id 1
   ip nhrp shortcut virtual-template 1
   tunnel destination 192.0.1.1
   tunnel protection ipsec profile default
  !
  interface virtual-template 1 type tunnel
   ip unnumbered tunnel 0
   ip nhrp network-id 1
   ip nhrp shortcut virtual-template 1
   tunnel protection ipsec profile default
  !
  router bgp 1
   bgp log-neighbor-changes
   neighbor 10.0.0.254 remote-as 1
   network 172.16.1.0 mask 255.255.255.0


Dynamic Mesh – Packet Flow

• Similar to DMVPN phase 3

• Data packet follows routed path

• NHRP redirect from hub

• NHRP resolution request from source spoke

• Destination spoke answers with resolution reply

• Spoke to Spoke tunnel built over Virtual-Access interface

• NHRP route installed

• Subsequent data packets follow spoke to spoke path

Source spoke routing table once the shortcut is built (hub LAN 172.16.0.0/24, destination spoke LAN 172.16.1.0/24):

  H 172.16.1.0/24 -> V-Access1


Dynamic Mesh – Hub Redundancy (hub LAN 172.16.0.0/24; spoke LAN 172.16.1.0/24)

• Requirements:

  • Redundancy to protect against hub failure

• Proposed Solution:

  • Dual Hubs at the head end

  • Routing-based Active-Active resiliency

  • Potential sub-second detection and recovery with BFD


Dynamic Mesh – Hub Resiliency

(Figure labels: hub 10.0.0.1 and hub 10.0.0.2, each with Virtual-Access Interfaces; spoke with a Static Tunnel Interface; hub LAN 172.16.0.0/24 with addresses .1, .2 and .254.)


Site-to-Site Use Case – 3rd Party Peers

Topology: Hub (IOS®) LAN 172.16.0.0/24 <-> Internet <-> IOS® spokes (e.g. LAN 172.16.1.0/24) and a Red™ VPN Gateway (3rd party peer)

• Requirements:

  • Secure site-to-site access over public Internet

  • Mixed environment with some 3rd party peers that can only support crypto map style IPSec


Site-to-Site Use Case – 3rd Party Peers

Topology: Hub (IOS®) LAN 172.16.0.0/24 <-> Internet <-> IOS® spokes (e.g. LAN 172.16.1.0/24) and a Red™ VPN Gateway (3rd party peer)

• Proposed solution:

  • Dynamic Virtual Tunnel Interface on the Hub with Multi-SA support

  • Static Virtual Tunnel Interface on IOS peers

  • Crypto-map style IPSec configuration on the 3rd party initiator

Hub configuration:

  crypto ipsec profile default
   ! not required but recommended
   set security-policy limit 10
   set ikev2-profile Flex
  !
  interface virtual-template 1 type tunnel
   ip unnumbered loopback0
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
  !

FlexVPN Remote Access

Remote Access Clients – Overview

AnyConnect (Desktop Version)
  Supported OSes: Windows, Mac OS X, Linux
  IKEv2 authentication methods: Certificates, EAP
  EAP methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
  Security policy exchange: Automatic² (RRI)
  Dual stack (IPv4 & IPv6): 3.1.05152 (with GRE); IOS-XE planned
  Split tunneling: Yes

AnyConnect (Mobile Version)
  Supported OSes: Android, Apple iOS
  IKEv2 authentication methods: Certificates, EAP
  EAP methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
  Security policy exchange: Automatic² (RRI)
  Dual stack (IPv4 & IPv6): Planned (client limitation)
  Split tunneling: Yes

Windows Native IKEv2 Client
  Supported OSes: Windows 7 & 8
  IKEv2 authentication methods: Certificates, EAP
  EAP methods: EAP-MSCHAPv2, EAP-TLS¹, EAP-PEAP¹, ... and more (Win8)
  Security policy exchange: Automatic² (RRI)
  Dual stack (IPv4 & IPv6): Planned (headend limitation)
  Split tunneling: Very limited (classful)

FlexVPN Hardware Client
  Supported OSes: Cisco IOS 15.2+; not on IOS-XE / ASR1k; not on ISR-G1
  IKEv2 authentication methods: Certificates, EAP, Pre-Shared Key
  EAP methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
  Security policy exchange: Automatic² (IKEv2); dynamic routing protocol
  Dual stack (IPv4 & IPv6): Both (with GRE)
  Split tunneling: Yes

strongSwan
  Supported OSes: Linux, Mac OS X, Android, FreeBSD, ...
  IKEv2 authentication methods: Certificates, EAP, Pre-Shared Key
  EAP methods: EAP-MSCHAPv2, EAP-TLS¹, EAP-PEAP¹, ... and more (plugins)
  Security policy exchange: Automatic² (RRI)
  Dual stack (IPv4 & IPv6): Planned (headend limitation)
  Split tunneling: Yes

¹ EAP-TLS, EAP-TTLS, EAP-PEAP and others require TLS certificates on the EAP server and on the RA client
² IPsec Reverse Route Injection (RRI) and IKEv2 Route Exchange are enabled by default

Remote Access Clients – AnyConnect Secure Mobility Client

AnyConnect Secure Mobility Client

• IKEv2/IPsec supported since AnyConnect 3.0

  • Desktop: Windows, Mac OS X, Linux

  • Mobile: Apple iOS, Android

• Supported authentication methods:

  • Machine/user certificates (RSA signatures)

  • EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)

  • EAP-GTC (cleartext password authentication, used for one-time passwords/tokens)

  • EAP-MD5 (hash-based authentication)

• Particularities:

  • Requires EAP "query-identity" on the server (triggers the username/password input dialog)

  • Requires "no crypto ikev2 http-url cert" on the server (the client aborts the connection otherwise)

  • CSCud96246: incompatibility with IOS when using SHA-2 integrity (resolved in 3.1.05)


AnyConnect – VPN Profile Editor

Add an entry to the server list: connection name (HostName) and server FQDN (HostAddress). The IKEIdentity (KEY-ID) only applies to EAP authentication methods.

Resulting XML profile:

  ...
  <ServerList>
    <HostEntry>
      <HostName>FlexVPN</HostName>
      <HostAddress>flexra.cisco.com</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <AuthMethodDuringIKENegotiation>EAP-GTC</AuthMethodDuringIKENegotiation>
          <IKEIdentity>acvpn</IKEIdentity>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
  ...


AnyConnect Mobile – Manual Connection

Screenshot callouts (manual connection on the mobile client): create a new manual connection; connection name; server FQDN; enable IKEv2 ("Cisco ASA/IOS only"); select the authentication method; specify the IKE ID for EAP methods; certificate selection.


AnyConnect – Profile Deployment Options

Default profile location:

  Windows        %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
  Mac OS, Linux  /opt/cisco/anyconnect/profile

AnyConnect Desktop (XML profile):

  • Push using a software management system

  • Add to the AnyConnect installation package

  • Send via e-mail

  • Install manually on the local hard disk

AnyConnect Mobile (XML profile):

  • Import from the local filesystem

  • Import or create via the URI handler: anyconnect://import?type=profile&uri=location
    (location is URL-encoded, e.g. http%3A%2F%2Fexample.com%2FFlexVPN.xml)

  • Configure the connection manually

  • Send via e-mail


AnyConnect – Mutual RSA Signatures

• Mutual IKE certificate-based authentication

  • AnyConnect picks the best available identity certificate

    • Based on the selection rules in the XML profile (if any)

    • A certificate with an EKU is preferred over one without

  • Client IKE ID = certificate subject DN

• Server selects the IKEv2 profile based on a certificate match

  • Matching is done on the certificate itself, not on the IKE ID

• Explicit user/group authorization

  • Non-AAA authentication, so there are no cached attributes

  • Extract the CN/OU field from the DN using a name-mangler

  • Retrieve user/group attributes from RADIUS

RADIUS entries (group and user):

  # Group definition
  Eng    Cleartext-Password := "cisco"
         Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

  # User definition
  joe    Cleartext-Password := "cisco"
         Framed-IP-Address = "10.0.1.101",
         Framed-IP-Netmask = "255.255.255.255"

The password "cisco" in these entries is not a user credential: it is the default password IOS sends with certificate-based authorization requests (it can be changed on the aaa authorization line of the profile), so the RADIUS server should only accept it from the FlexVPN server's NAS address.

FlexVPN server configuration:

  crypto ikev2 profile default
   match certificate cisco
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint root
   aaa authorization group cert list frad name-mangler ou
   aaa authorization user cert list frad name-mangler cn
   virtual-template 1

Flow: IKE certificate authentication between client and server (IKEv2), then explicit authorization against RADIUS.


Building Block – IKEv2 Name Mangler

• Start with the peer's IKE or EAP identity

• Derive a username that is meaningful to AAA (local or RADIUS)

Roles: RA client = IKEv2 initiator; FlexVPN server = IKEv2 responder and RADIUS client (NAS); AAA server = RADIUS server.

Flow: the client presents its identity in the IKEv2 exchange; the name-mangler derives the AAA username "joe"; the server then sends either a RADIUS request (username joe, password configurable, "cisco" by default) or a local AAA request (username joe).

  crypto ikev2 name-mangler extract-user
   fqdn hostname
   email username
   dn common-name
   eap prefix delimiter @

Identities that all yield the username joe:

  FQDN:  joe.cisco.com
  Email: [email protected]
  DN:    cn=joe,ou=IT,o=Cisco
  EAP:   joe@cisco
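The mangler rules above, written out in Python so the mapping from each identity form to the AAA username can be checked offline. This is an added example and not code from the deck; it mirrors the `crypto ikev2 name-mangler` options on this slide (fqdn hostname, email username, dn common-name, eap prefix delimiter @) plus the `eap suffix delimiter @` form used later in the VRF use case. Assumptions: an EAP identity without the delimiter is passed through unchanged, the DN parser does no escaping, and the e-mail address is constructed.

```python
"""IKEv2 name-mangler rules in Python (added example, not code from the deck)."""

# IOS 'dn' keywords mapped to the RDN attribute types they select.
_DN_ATTRS = {"common-name": "cn", "organization-unit": "ou", "organization": "o",
             "country": "c", "locality": "l", "state": "st", "domain": "dc"}


def mangle_fqdn(fqdn, part="hostname"):
    """'fqdn hostname|domain|all': joe.cisco.com -> joe / cisco.com / joe.cisco.com."""
    host, _, domain = fqdn.partition(".")
    return {"hostname": host, "domain": domain, "all": fqdn}[part]


def mangle_email(email, part="username"):
    """'email username|domain|all': joe@example.com -> joe / example.com / joe@example.com."""
    user, _, domain = email.partition("@")
    return {"username": user, "domain": domain, "all": email}[part]


def parse_dn(dn):
    """cn=joe,ou=IT,o=Cisco -> {'cn': 'joe', 'ou': 'IT', 'o': 'Cisco'}.
    First value of a repeated attribute wins; escaped commas are not handled."""
    rdns = {}
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if sep:
            rdns.setdefault(attr.strip().lower(), value.strip())
    return rdns


def mangle_dn(dn, part="common-name"):
    """'dn common-name|organization-unit|...': pick one RDN from the certificate subject."""
    return parse_dn(dn).get(_DN_ATTRS[part])


def mangle_eap(identity, part="prefix", delimiter="@"):
    """'eap prefix|suffix delimiter X': joe@cisco -> joe (prefix) or cisco (suffix)."""
    head, sep, tail = identity.partition(delimiter)
    if not sep:
        return identity          # assumption: no delimiter present, identity used as-is
    return head if part == "prefix" else tail


# The 'extract-user' mangler from the slide, expressed as a rule table.
EXTRACT_USER = {"fqdn": ("hostname",), "email": ("username",),
                "dn": ("common-name",), "eap": ("prefix", "@")}

_HANDLERS = {"fqdn": mangle_fqdn, "email": mangle_email, "dn": mangle_dn, "eap": mangle_eap}


def derive_username(identity_type, identity, mangler=EXTRACT_USER):
    """Apply the mangler rule for the identity type the peer used (fqdn, email, dn or eap)."""
    return _HANDLERS[identity_type](identity, *mangler[identity_type])


if __name__ == "__main__":
    for kind, ident in (("fqdn", "joe.cisco.com"), ("email", "joe@example.com"),
                        ("dn", "cn=joe,ou=IT,o=Cisco"), ("eap", "joe@cisco")):
        print(f"{kind:5} {ident:25} -> {derive_username(kind, ident)}")
```

Note that the derived username is only as trustworthy as the identity it came from: for certificates the DN is signed by the CA, but an EAP or FQDN identity is whatever the peer claims until the authentication that follows succeeds.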


AnyConnect – EAP (All Methods)

• EAP-GTC / EAP-MD5 / EAP-MSCHAPv2

  • Client IKE ID = the KEY-ID string configured in the XML profile

  • Server selects the IKEv2 profile based on that KEY-ID string

  • EAP "query-identity" prompts the user for credentials

  • EAP ID = username entered by the user

  • Password authentication against the AAA user database

  • Returned attributes are cached for implicit authorization

The KEY-ID only selects the profile; anyone can present it. The EAP exchange is what authenticates the client, and the server authenticates itself to the client with its certificate (rsa-sig).

RADIUS entry:

  # User definition
  joe@cisco  Cleartext-Password := "c1sc0!"
             Framed-IP-Address = "10.0.1.101",
             Framed-IP-Netmask = "255.255.255.255",
             Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

FlexVPN server configuration:

  crypto ikev2 profile default
   match identity remote key-id acvpn
   identity local dn
   authentication remote eap query-identity
   authentication local rsa-sig
   pki trustpoint root sign
   aaa authentication eap frad
   aaa authorization user eap cached
   virtual-template 1

Flow: IKE with EAP username/password authentication (EAP-GTC / EAP-MD5 / EAP-MSCHAPv2) between client and server, relayed over RADIUS to the AAA server.


AnyConnect – Certificate Requirements

Requirement                      AnyConnect client IKEv2 certificate      FlexVPN server IKEv2 certificate
Used for                         Mutual RSA-SIG                           Mutual RSA-SIG; EAP (all types)
Common Name (CN)                 Anything                                 Anything (if a SAN field is present);
                                                                          server FQDN (if no SAN field)
Key Usage (KU)                   Digital Signature                        Digital Signature;
                                                                          Key Encipherment or Key Agreement
Extended Key Usage (EKU)         Optional¹ ³                              Optional² ³
                                 If present: TLS Client Authentication    If present: TLS Server Authentication
                                                                          or IKE Intermediate
Subject Alternative Name (SAN)   Not required³                            Optional³
                                                                          If present: server FQDN

¹ Required in AC 3.0.8 to 3.0.10 (CSCuc07598)
² Required in AC 3.0 (all versions), lifted in 3.1
³ Not required: may be omitted or set to any value. Optional: may be omitted or set to the specified value.

Remote Access Clients – Windows Native IKEv2 Client

Windows 7 – VPN Connection Settings

Screenshot callouts:

• Server address: a DNS-resolvable FQDN, which must be found in the CN/SAN of the FlexVPN server IKE certificate and in the CN of the EAP server TLS certificate

• Type of VPN: IKEv2

• Authentication: EAP-MSCHAPv2 or RSA signatures (machine certificate)

• "Require encryption" and "Strongest encryption" require AES-256 in the IPsec transform set:

  crypto ipsec transform-set default esp-aes 256 esp-sha-hmac


Windows – Mutual RSA Signatures

• Mutual IKE certificate-based authentication

  • Windows can only use local machine certificates

• IKEv2 profile selection on the server

  • Client IKE ID = certificate subject DN

  • Server selects the profile based on a certificate map

  • Matching is done on the certificate itself, not on the IKE ID

• Explicit user/group authorization

  • Non-AAA authentication, so there are no cached attributes

  • Extract the CN/OU field from the DN using a name-mangler

  • Retrieve user/group attributes from RADIUS

FlexVPN server configuration (same as for AnyConnect):

  crypto ikev2 profile default
   match certificate cisco
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint root
   aaa authorization group cert list frad name-mangler ou
   aaa authorization user cert list frad name-mangler cn
   virtual-template 1

RADIUS entries:

  # Group definition
  Eng    Cleartext-Password := "cisco"
         Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

  # User definition
  joe    Cleartext-Password := "cisco"
         Framed-IP-Address = "10.0.1.101",
         Framed-IP-Netmask = "255.255.255.255"

Flow: IKE certificate authentication (IKEv2), then explicit authorization against RADIUS.

Software Client Use Cases – Redundancy and Auto-Reconnect

AnyConnect – Backup Server List

Add backup server(s) to the server list entry. Resulting XML profile:

  ...
  <ServerList>
    <HostEntry>
      <HostName>FlexVPN</HostName>
      <HostAddress>flexra.cisco.com</HostAddress>
      <BackupServerList>
        <HostAddress>flexra2.cisco.com</HostAddress>
      </BackupServerList>
  ...

Behaviour: when the primary server stops responding over the WAN, the client tries the backup server(s) in turn.
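A small builder and sanity checker for the profile fragments shown on the profile-editor, deployment-options and backup-server slides. This is an added example, not the deck's or Cisco's code: it generates the ServerList XML with the same element names the slides show, re-parses it the way a deployment script would before pushing it, and derives the anyconnect://import URI for the mobile URI handler. Assumptions: the accepted AuthMethodDuringIKENegotiation values are limited to the EAP methods the slides name plus IKE-RSA for certificate authentication, and the host names are constructed.

```python
"""AnyConnect IKEv2 profile builder and sanity checker (added example, not deck code)."""
import xml.etree.ElementTree as ET
from urllib.parse import quote

EAP_METHODS = {"EAP-GTC", "EAP-MD5", "EAP-MSCHAPv2"}
CERT_METHOD = "IKE-RSA"          # assumed profile value for RSA-SIG authentication


def build_profile(host_name, host_address, auth_method, ike_identity=None, backups=()):
    """Return the XML text for one HostEntry using IKEv2/IPsec as the primary protocol."""
    root = ET.Element("AnyConnectProfile")
    entry = ET.SubElement(ET.SubElement(root, "ServerList"), "HostEntry")
    ET.SubElement(entry, "HostName").text = host_name
    ET.SubElement(entry, "HostAddress").text = host_address
    proto = ET.SubElement(entry, "PrimaryProtocol")
    proto.text = "IPsec"
    std = ET.SubElement(proto, "StandardAuthenticationOnly")
    std.text = "true"
    ET.SubElement(std, "AuthMethodDuringIKENegotiation").text = auth_method
    if ike_identity is not None:
        ET.SubElement(std, "IKEIdentity").text = ike_identity   # KEY-ID, only meaningful for EAP
    if backups:
        blist = ET.SubElement(entry, "BackupServerList")
        for addr in backups:
            ET.SubElement(blist, "HostAddress").text = addr
    return ET.tostring(root, encoding="unicode")


def check_profile(xml_text):
    """Return the problems a FlexVPN admin would want flagged before pushing the profile."""
    problems = []
    for entry in ET.fromstring(xml_text).iter("HostEntry"):
        name = entry.findtext("HostName")
        proto = entry.find("PrimaryProtocol")
        if proto is None or (proto.text or "").strip() != "IPsec":
            problems.append(f"{name}: PrimaryProtocol must be IPsec for IKEv2")
            continue
        method = proto.findtext("StandardAuthenticationOnly/AuthMethodDuringIKENegotiation")
        ident = proto.findtext("StandardAuthenticationOnly/IKEIdentity")
        if method not in EAP_METHODS | {CERT_METHOD}:
            problems.append(f"{name}: unknown IKE auth method {method!r}")
        if method in EAP_METHODS and not ident:
            problems.append(f"{name}: EAP needs an IKEIdentity (KEY-ID) so the server can pick the IKEv2 profile")
        if method == CERT_METHOD and ident:
            problems.append(f"{name}: IKEIdentity is ignored with certificates (the IKE ID is the subject DN)")
    return problems


def connection_order(xml_text):
    """Primary address followed by the backups, in the order the client tries them."""
    entry = ET.fromstring(xml_text).find("ServerList/HostEntry")
    return [entry.findtext("HostAddress")] + [b.text for b in entry.findall("BackupServerList/HostAddress")]


def import_uri(profile_url):
    """anyconnect://import?type=profile&uri=<url-encoded location> for the mobile URI handler."""
    return "anyconnect://import?type=profile&uri=" + quote(profile_url, safe="")


if __name__ == "__main__":
    xml_text = build_profile("FlexVPN", "flexra.cisco.com", "EAP-GTC", "acvpn", ["flexra2.cisco.com"])
    print(xml_text)
    print(check_profile(xml_text), connection_order(xml_text))
    print(import_uri("http://example.com/FlexVPN.xml"))
```

The profile is pushed to every client, so treat it as configuration under change control: the checker is the place to add organisation-specific rules, such as refusing a HostAddress that is not one of your own head-ends.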


AnyConnect – Seamless Auto-Reconnect

Scenario 1 – WAN outage:

  1: Connected over the WAN

  2: Network failure detected; the client will attempt to reconnect automatically

  3: The server marks the session as "inactive" and keeps it alive until the configured timeout

  4: ISP/WAN comes back up; the session is resumed without any user intervention

Scenario 2 – change of network:

  1: Connected over 3G

  2: Switching to WiFi (different IP address)

  3: Session resumed over the WiFi link without any user intervention

Server configuration for both scenarios:

  crypto ikev2 profile default
   reconnect [timeout <seconds>]

Also works when the computer suspends and resumes (behaviour controllable through the XML profile).

Remote Access Use Cases – Full & Split Tunneling

RA Use Case: Windows – Full Tunneling

Topology: Windows client on the local LAN 10.42.1.0/24 (default gateway 10.42.1.1); FlexVPN server at 192.0.2.2 with Lo1 10.0.1.1/32 in front of 10.0.0.0/16, reached over the WAN; assigned VPN IP 10.0.1.22/32.

Client IPv4 route table:

  Destination    Gateway      Interface
  0.0.0.0/0      10.42.1.1    Local Area Connection
  0.0.0.0/0      On-link      FlexVPN Connection
  192.0.2.2/32   10.42.1.1    Local Area Connection
  10.42.1.0/24   On-link      Local Area Connection

• Default route changed to point through the VPN tunnel

• Server reachable in the clear via the ISP (host route for 192.0.2.2)

• Local LAN still reachable (on-link /24)

• If "Use default gateway on remote network" is un-checked: the default route is replaced with a single classful route based on the assigned VPN IP address (e.g. 10.0.0.0/8 via 10.0.1.22) = rudimentary split tunneling

Server configuration and routing table:

  interface Loopback1
   ip address 10.0.1.1 255.255.255.255
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback1

  S 10.0.1.22/32 is directly connected, Virtual-Access1

Assigned IP address reachable over the client's Virtual-Access interface (automatic – RRI)


RA Use Case: AnyConnect – Full Tunneling

Topology: as above (client on 10.42.1.0/24 with gateway 10.42.1.1; server 192.0.2.2 / Lo1 10.0.1.1/32 in front of 10.0.0.0/16; assigned VPN IP 10.0.1.22/32).

Server configuration and routing table:

  interface Loopback1
   ip address 10.0.1.1 255.255.255.255
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback1

  S 10.0.1.22/32 is directly connected, Virtual-Access1

Client IPv4 route table:

  Destination    Gateway      Interface
  0.0.0.0/0      10.42.1.1    Local Area Connection
  0.0.0.0/0      On-link      FlexVPN Connection
  192.0.2.2/32   10.42.1.1    Local Area Connection
  10.42.1.0/24   On-link      Local Area Connection   (removed by AnyConnect)

• Default route changed to point through the VPN tunnel

• Server reachable in the clear via the ISP

• Local LAN removed from the routing table

To enable full tunneling with local LAN access:

• The IOS "include-local-lan" attribute is not supported by AnyConnect; use the RADIUS-only Cisco-AV-Pair "ipsec:split-exclude" with the special value 0.0.0.0/32 (written as address/mask in the attribute):

  Cisco-AVPair += "ipsec:split-exclude=0.0.0.0/255.255.255.255"

• In addition, "Local LAN Access" must be enabled in the AnyConnect XML profile

• Supported in 15.2(4)M6, 15.2(4)S5 and 15.4(2)T/S onwards


RA Use Case: AnyConnect – Split Tunneling

Topology: as above.

Server configuration and routing table:

  interface Loopback1
   ip address 10.0.1.1 255.255.255.255
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback1

  S 10.0.1.22/32 is directly connected, Virtual-Access1

Authorization (one or more subnets to include in the split tunnel):

  route set remote ipv4 10.0.0.0 255.255.0.0

The split tunnel policy is pushed by the server within the IKEv2 Config Exchange.

Client IPv4 route table:

  Destination    Gateway      Interface
  0.0.0.0/0      10.42.1.1    Local Area Connection
  10.0.0.0/16    On-link      FlexVPN Connection
  10.42.1.0/24   On-link      Local Area Connection

• Specific route(s) pointing through the VPN tunnel

• Local LAN still reachable

• Original default gateway used for Internet traffic and for server reachability

Everything outside the included subnets, Internet traffic included, bypasses the tunnel and any inspection at the head-end, so the list of included subnets should be the minimum the users need.
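A client-side model of the three route tables on the full-tunnel and split-tunnel slides, added here as an example (it is not deck code). It reproduces the route selection the slides describe as longest-prefix match with the metric as tie-breaker, including the classful route Windows installs when "Use default gateway on remote network" is un-checked, which is why that mode is called "very limited" split tunneling in the client overview. Addresses are the slides' own; the metrics (1 for the VPN default route, 25 for the LAN default route) are assumed purely for the tie-break.

```python
"""Route selection for the Windows/AnyConnect tunneling modes (added example, not deck code)."""
import ipaddress

LAN = "Local Area Connection"
VPN = "FlexVPN Connection"


def route(prefix, iface, metric=1):
    return (ipaddress.ip_network(prefix), iface, metric)


# Windows native client, full tunnel: two default routes, the VPN one wins on metric
# (assumed values), the local LAN stays on-link and the server keeps a host route via the ISP.
WINDOWS_FULL = [route("0.0.0.0/0", LAN, 25), route("0.0.0.0/0", VPN, 1),
                route("192.0.2.2/32", LAN), route("10.42.1.0/24", LAN)]

# AnyConnect full tunnel without local LAN access: the on-link LAN route is removed.
ANYCONNECT_FULL = [r for r in WINDOWS_FULL if str(r[0]) != "10.42.1.0/24"]

# AnyConnect split tunnel: only 10.0.0.0/16 (the "route set remote" prefix) goes through the tunnel.
ANYCONNECT_SPLIT = [route("0.0.0.0/0", LAN, 25), route("10.0.0.0/16", VPN), route("10.42.1.0/24", LAN)]


def lookup(table, destination):
    """Longest-prefix match; among equal prefixes the lower metric wins. Returns the egress interface."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, iface, metric in table:
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


def classful_route(assigned_ip):
    """Windows with 'Use default gateway on remote network' un-checked: the only route through
    the tunnel is the classful network (A, B or C) of the assigned VPN address."""
    ip = ipaddress.ip_address(assigned_ip)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        plen = 8
    elif first_octet < 192:
        plen = 16
    elif first_octet < 224:
        plen = 24
    else:
        raise ValueError("no classful network for a class D/E address")
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def windows_classful_table(assigned_ip):
    """Replace the VPN default route with the classful route (rudimentary split tunneling)."""
    kept = [r for r in WINDOWS_FULL if not (str(r[0]) == "0.0.0.0/0" and r[1] == VPN)]
    return kept + [route(str(classful_route(assigned_ip)), VPN)]


if __name__ == "__main__":
    tables = (("windows full", WINDOWS_FULL), ("anyconnect full", ANYCONNECT_FULL),
              ("anyconnect split", ANYCONNECT_SPLIT), ("windows classful", windows_classful_table("10.0.1.22")))
    for name, table in tables:
        print(name, {d: lookup(table, d) for d in ("10.0.5.7", "10.42.1.50", "192.0.2.2", "198.51.100.9")})
```

The classful case is the one to watch: an assigned address in 10.0.1.0/24 drags the whole of 10.0.0.0/8 into the tunnel, far more than the 10.0.0.0/16 behind the server, and anything else bypasses it entirely, so the split policy is decided by the address plan rather than by the administrator.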

Remote Access Clients – FlexVPN Hardware Client

FlexVPN Hardware Client – Overview

• IKEv2 initiation on IOS can be driven by the FlexVPN Client Profile CLI construct

• Supported authentication methods:

• Certificates (RSA signatures)

• Various EAP methods (EAP-MSCHAPv2/EAP-GTC/EAP-MD5)

• Pre-Shared Keys

• Routing on FlexVPN server and client:

• IKEv2 Routing (bidirectional Configuration Exchange)

• Dynamic Routing Protocol (optional, bootstrapped through IKEv2 Routing)

• IPv4/IPv6 mixed-mode & dual-stack supported using GRE/IPsec interfaces

• Remote Access client in CVO/SmartGrid deployments and much more!


FlexVPN Hardware Client – Example

• Sample configuration:

  • Static tunnel interface driven by the FlexVPN Client Profile

  • Local AAA authorization (default IKEv2 authorization policy)

  • Certificate-based mutual authentication (no EAP)

  • Single peer (name resolution of the FQDN on connection)

• Tunnel interface configuration:

  • IP address assigned through the IKEv2 Configuration Exchange

  • Tunnel destination set dynamically by the FlexVPN Client logic

  • IKEv2/IPsec initiation triggered by the FlexVPN Client logic

• Default IKEv2 routing between client and server:

  • Client advertises a route for the Tunnel0 assigned IP address

  • Client installs the prefixes advertised by the server (egress Tun0)

Client configuration:

  aaa new-model
  aaa authorization network here local
  !
  crypto pki trustpoint root
   rsakeypair root
  !
  crypto pki certificate map cisco 1
   subject-name co o = cisco
  !
  crypto ikev2 profile default
   match certificate cisco
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint root
   aaa authorization group cert list here default
  !
  crypto ikev2 client flexvpn flexra
   peer 1 fqdn flexra.cisco.com dynamic
   client connect Tunnel0
  !
  interface Tunnel0
   ip address negotiated
   tunnel source Ethernet0/0
   tunnel mode ipsec ipv4
   tunnel destination dynamic
   tunnel protection ipsec profile default

The certificate map uses "co" (contains): any certificate issued under the trustpoint whose subject contains "o = cisco" matches, so it is the trustpoint, not the map, that limits which servers this client will accept.

  client#show crypto ikev2 authorization policy default
  IKEv2 Authorization Policy : default
    route set interface
    route accept any tag : 1 distance : 1


FlexVPN Hardware Client – Key Features

• Peer list with object tracking:

  • Ordered list of FlexVPN servers (by address or FQDN)

  • Enable/disable entries based on the tracking object state

  • Additional peers can be pushed by the server during the Config Exchange

  crypto ikev2 client flexvpn flexra
   peer 1 <address>
   peer 2 <address> track 10 up
   peer 3 <address> track 20 down
  !
  track 10 interface <name> line-protocol
  track 20 ip route <prefix> reachability

• Connection modes:

  • Automatic (infinite loop, 10 seconds between tries)

  • When a tracking object goes up/down (enables dial backup)

  • Manual (CLI-triggered)

  connect auto
  connect track 10 up
  connect manual

• EAP local authentication (IKEv2 initiator only):

  • Username prompt only if the server does "query-identity"

  • Alternative: static credentials in the IKEv2 profile

  crypto ikev2 profile default
   authentication local eap

  client#crypto ikev2 client flexvpn connect
  Enter the command 'crypto eap credentials flexra'
  client#crypto eap credentials flexra
  Enter the Username for profile flexra: joe@cisco
  Enter the password for username joe@cisco:

FlexVPN Routing

FlexVPN HW Client – Routing Review

• IKEv2 Routing (Configuration Exchange)

• IPv4 & IPv6 subnets exchanged within IKEv2 Configuration Payloads

• Static routes added to the RIB on both sides

• Remote Access: currently only supported with FlexVPN hardware client

• IPSec Reverse Route Injection (RRI)

• Static routes added to RIB for protected remote networks (remote proxies)

• No configuration required (automatic for Virtual-Access with non-any-any proxies)

• Remote Access: supported with software clients (AnyConnect, Windows 7+, ...)

• Dynamic Routing Protocol

• Pros: more powerful/flexible/adaptive

• Cons: more complex/resource-intensive

• Remote Access: only supported with FlexVPN hardware client


FlexVPN Routing – Events & Sources

All four route sources feed the routing table (RIB/FIB):

IKEv2 static routes
  Event:  Configuration Exchange / authorization
  Source: IKEv2
  Local configuration: prefixes listed in the "route set local" authorization attribute(s)
    route set local {ipv4 | ipv6} prefix
  Remote configuration: prefixes received during the Configuration Exchange within IPv4/IPv6 SUBNET attributes; the peer sends them from its own
    route set interface [ifc-name]
    route set remote {ipv4 | ipv6} prefix
    route set access-list ...
  Handling of received prefixes is controlled by the local "route accept" attribute:
    route accept any [distance ...] [tag ...]

Reverse Route Injection
  Event:  SA up / down
  Source: IPsec
  Prefixes corresponding to the negotiated IPsec SA remote proxies (not applicable to any-any VTI or GRE/IPsec)

Regular dynamic routes
  Event:  Routing update
  Source: Routing protocol
  Prefixes advertised by the peer over the dynamic routing protocol neighborship

NHRP static routes
  Event:  Shortcut creation
  Source: NHRP
  Installed when spoke-to-spoke tunnels are established

Remote Access Use Cases – Network Extension

Scenario: HW Client – Single Address PAT

Topology: FlexVPN client with LAN 10.42.1.0/24 on Eth0/1 and WAN uplink Eth0/0; FlexVPN server with Lo1 10.0.1.1/32 in front of 10.0.0.0/16; assigned IP 10.0.1.22/32.

Client configuration (ip nat inside on the LAN interface is implied by the slide):

  interface Tunnel0
   ip address negotiated
   ip nat outside
  !
  interface Ethernet0/1
   ip nat inside
  !
  ip nat inside source route-map vpn interface Tunnel0 overload
  !
  route-map vpn permit 10
   match interface Tunnel0

Client authorization:

  route set interface

Client routing table:

  S 10.0.0.0/16 is directly connected, Tunnel0
  S 10.0.1.1/32 is directly connected, Tunnel0
  C 10.0.1.22/32 is directly connected, Tunnel0
  C 10.42.1.0/24 is directly connected, Ethernet0/1

Server configuration:

  interface Loopback1
   ip address 10.0.1.1 255.255.255.255
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback1

Server authorization:

  route set interface
  route set remote ipv4 10.0.0.0 255.255.0.0

Server routing table:

  S 10.0.1.22/32 is directly connected, Virtual-Access1

• Traffic from the LAN to the remote VPN networks is PATed to the Tunnel0 assigned IP address

• Summary prefix reachable through the tunnel; assigned IP address reachable over the client's Virtual-Access interface

• Works, but not recommended: lacks flexibility and features (the hub sees every LAN host as 10.0.1.22 and cannot initiate connections to them)


HW Client Use Case – Network Extension

Topology: as above (client LAN 10.42.1.0/24 on Eth0/1, server Lo1 10.0.1.1/32 in front of 10.0.0.0/16, assigned IP 10.0.1.22/32).

Client configuration:

  interface Tunnel0
   ip address negotiated
  !
  interface Ethernet0/1
   ip address 10.42.1.1 255.255.255.0

Client authorization:

  route set interface
  route set interface ethernet0/1

Client routing table:

  S 10.0.0.0/16 is directly connected, Tunnel0
  S 10.0.1.1/32 is directly connected, Tunnel0
  C 10.0.1.22/32 is directly connected, Tunnel0
  C 10.42.1.0/24 is directly connected, Ethernet0/1

Server configuration:

  interface Loopback1
   ip address 10.0.1.1 255.255.255.255
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback1

Server authorization:

  route set interface
  route set remote ipv4 10.0.0.0 255.255.0.0

Server routing table:

  S 10.0.1.22/32 is directly connected, Virtual-Access1
  S 10.42.1.0/24 is directly connected, Virtual-Access1

• Local/remote addresses and prefixes exchanged using IKEv2 routing

• Client LAN directly reachable over the tunnel (the prefix can be redistributed into the IGP); summary prefix reachable through the tunnel; assigned IP address reachable over the client's Virtual-Access interface

• Recommended design, equivalent to NEM+ in EzVPN


HW Client Use Case – Extranet with AAA

Topology: FlexVPN client (Eth0/0 uplink, LAN 10.42.1.0/24 on Eth0/1, assigned IP 10.0.1.22/32); FlexVPN server (Lo1 10.0.1.1/32, 10.0.0.0/16 behind it) with the RADIUS/EAP server behind the hub.

• Requirements:

  • Extranet for partner access

  • Centralized route management

• Proposed solution:

  • IKEv2 routing

  • AAA-managed routes

  • Locally configured IKEv2 routes on the hub ("route-set local") rather than accepting the routes the spokes advertise

RADIUS entry for the partner router R1 (the IKEv2 password, the address and the routes all come from AAA):

  R1  Cleartext-Password := "cisco"
      Cisco-AVPair += "ipsec:ikev2-password-remote=xyz",
      Framed-IP-Address = 10.0.1.22,
      Cisco-AVPair += "ipsec:route-set = interface",
      Cisco-AVPair += "ipsec:route-set = remote ipv4 10.0.0.0 255.255.0.0",
      Cisco-AVPair += "ipsec:route-set = local ipv4 10.42.1.0 255.255.255.0"

Hub configuration:

  aaa authorization network default local group radius
  !
  crypto ikev2 profile default1
   match identity remote fqdn domain example.com
   identity local fqdn client1.example.com
   authentication remote pre-share
   authentication local pre-share
   keyring aaa default name-mangler extract-host
   aaa authorization user psk cached
   virtual-template 1

With "route-set local" the hub installs 10.42.1.0/24 toward R1's Virtual-Access from its own AAA record rather than from whatever the spoke advertises, which is what keeps route management central: a partner cannot widen its reach by changing its own "route set" configuration.
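The IKEv2 routing behaviour described on the routing review, "events & sources", network-extension and extranet slides, modelled in Python as an added example (not deck code). Each side's authorization attributes decide which prefixes it sends as SUBNET attributes in the Configuration Exchange and which received prefixes it installs, so the two use cases can be compared side by side. Modelling assumptions: "route set interface" without a name sends the tunnel address as a /32, received SUBNETs are installed only when "route accept any" is present, "route set local" installs a prefix from the local AAA record regardless of what the peer sends, and the LAN the partner tries to advertise in the extranet case (10.42.99.0/24) is constructed. Interface names, addresses and the remaining policies are the slides' own.

```python
"""IKEv2 routing (Configuration Exchange) modelled in Python (added example, not deck code)."""
import ipaddress


class Peer:
    def __init__(self, name, tunnel_if, tunnel_ip, policy, interfaces=None):
        self.name = name
        self.tunnel_if = tunnel_if          # Tunnel0 on the client, Virtual-Access1 on the server
        self.tunnel_ip = tunnel_ip          # negotiated address / "ip unnumbered" source
        self.policy = [p.split() for p in policy]
        self.interfaces = {k.lower(): ipaddress.ip_network(v) for k, v in (interfaces or {}).items()}
        self.rib = []                       # list of (code, prefix, interface)

    def subnet_attributes(self):
        """Prefixes this peer places in its CFG payload (IPv4 SUBNET attributes)."""
        out = []
        for words in self.policy:
            if words[:3] == ["route", "set", "interface"]:
                if len(words) == 3:
                    out.append(ipaddress.ip_network(f"{self.tunnel_ip}/32"))
                else:
                    out.append(self.interfaces[words[3].lower()])
            elif words[:3] == ["route", "set", "remote"]:
                out.append(ipaddress.ip_network(f"{words[4]}/{words[5]}"))
        return out

    def accepts_remote_routes(self):
        """'route accept any' present in the local authorization policy."""
        return any(words[:3] == ["route", "accept", "any"] for words in self.policy)

    def local_routes(self):
        """'route set local' prefixes: installed locally from AAA, pointing at the tunnel."""
        return [ipaddress.ip_network(f"{w[4]}/{w[5]}") for w in self.policy if w[:3] == ["route", "set", "local"]]

    def install(self, prefix):
        entry = ("S", str(prefix), self.tunnel_if)
        if entry not in self.rib:
            self.rib.append(entry)


def exchange(a, b):
    """Run the Configuration Exchange in both directions; return both RIBs (static entries only)."""
    for me, other in ((a, b), (b, a)):
        for prefix in me.local_routes():
            me.install(prefix)
        if me.accepts_remote_routes():
            for prefix in other.subnet_attributes():
                me.install(prefix)
    return a.rib, b.rib


def network_extension():
    """'HW Client Use Case – Network Extension': both sides accept what the other advertises."""
    client = Peer("client", "Tunnel0", "10.0.1.22",
                  ["route set interface", "route set interface ethernet0/1", "route accept any"],
                  interfaces={"Ethernet0/1": "10.42.1.0/24"})
    server = Peer("server", "Virtual-Access1", "10.0.1.1",
                  ["route set interface", "route set remote ipv4 10.0.0.0 255.255.0.0", "route accept any"])
    return exchange(client, server)


def extranet_with_aaa():
    """'HW Client Use Case – Extranet with AAA': the hub has no 'route accept', so the partner's
    advertisement is ignored and its LAN is installed from the hub's own AAA record instead."""
    client = Peer("R1", "Tunnel0", "10.0.1.22",
                  ["route set interface", "route set interface ethernet0/1", "route accept any"],
                  interfaces={"Ethernet0/1": "10.42.99.0/24"})   # constructed: partner advertises a wider/wrong LAN
    hub = Peer("hub", "Virtual-Access1", "10.0.1.1",
               ["route set interface", "route set remote ipv4 10.0.0.0 255.255.0.0",
                "route set local ipv4 10.42.1.0 255.255.255.0"])
    return exchange(client, hub)


if __name__ == "__main__":
    for fn in (network_extension, extranet_with_aaa):
        client_rib, server_rib = fn()
        print(fn.__name__, "client:", client_rib, "server:", server_rib)
```

The point the extranet case makes is that "route accept any", which the default authorization policy contains, lets a peer steer traffic for any prefix it names toward itself; for partner or untrusted spokes, drop it and pin the prefixes with "route set local" on the hub side.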


Ideal for M2M, IoT, field, B2B and managed-service deployments, for example:

• SmartGrid and all utilities

• Connected vehicles

• ISP managed service, ATMs

• Fleet connectivity

• Construction, oil and all field deployments

• Elevators and IoT via Field Area Routers

• Virtual office, retail, ...


HW Client Use Case – Dynamic Routing (iBGP)

Topology: as in the network-extension case (client LAN 10.42.1.0/24 on Eth0/1, server Lo1 10.0.1.1/32 in front of 10.0.0.0/16, assigned IP 10.0.1.22/32).

Client configuration:

  router bgp 65100
   neighbor 10.0.1.1 remote-as 65100
   neighbor 10.0.1.1 update-source Tunnel0
   address-family ipv4
    network 10.42.1.0 mask 255.255.255.0
    neighbor 10.0.1.1 activate
   exit-address-family

Client authorization:

  route set interface

Client routing table:

  B 10.0.0.0/16 [200/0] via 10.0.1.1 (Tunnel0)
  S 10.0.1.1/32 is directly connected, Tunnel0
  C 10.0.1.22/32 is directly connected, Tunnel0
  C 10.42.1.0/24 is directly connected, Ethernet0/1

Server configuration:

  router bgp 65100
   bgp listen range 10.0.1.0/24 peer-group clients
   neighbor clients peer-group
   neighbor clients remote-as 65100
   neighbor clients update-source Loopback1
   address-family ipv4
    network 10.0.0.0 mask 255.255.0.0
    neighbor clients activate
   exit-address-family

Server authorization:

  route set interface

Server routing table:

  S 10.0.1.22/32 is directly connected, Virtual-Access1
  B 10.42.1.0/24 [200/0] via 10.0.1.22 (Virtual-Access1)

• Addresses for the BGP unicast peering are exchanged using IKEv2 ("route set interface"); local/remote prefixes are exchanged using iBGP

• BGP dynamic neighbor (listen range): easy hub configuration, any client holding an address from 10.0.1.0/24 may peer

• Client LAN directly reachable over the tunnel (the prefix can be redistributed into the IGP); summary prefix reachable through the tunnel; assigned IP address reachable over the client's Virtual-Access interface

• Dynamic, flexible and powerful, but closer to site-to-site than to remote access

Because the listen range admits any tunnel address, the IKEv2 authentication and the address pool are what gate BGP membership; a password and a maximum-prefix limit on the peer-group are cheap additional controls against a compromised spoke advertising prefixes it does not own.

Remote Access Use Case – IPv6 Integration

IPv6 Support Summary

GRE over IPsec: dual-stack (IPv4 + IPv6 over IPsec) out of the box

  Transport \ Passenger   IPv4   IPv6
  IPv4                    ✔      ✔
  IPv6                    ✔      ✔

IPsec tunnel mode: no dual-stack support; IPv4-over-IPv6 mixed mode

  Transport \ Passenger   IPv4               IPv6
  IPv4                    ✔                  ✗
  IPv6                    since XE 3.10      ✔


IPv6 Use Case

• Requirements:

  • Single FlexVPN hub terminating:

    • Mixed IPv4 and IPv6 transport environment

    • Mixed tunnel encapsulation protocols

  • No unique identity to distinguish between the different spokes

Diagram: one FlexVPN hub reached over IPv4 and IPv6 transports by four kinds of spoke, each configured with a different tunnel mode:

  interface tunnel 1
   tunnel mode gre ip

  interface tunnel 1
   tunnel mode ipsec ipv4

  interface tunnel 1
   tunnel mode gre ipv6

  interface tunnel 1
   tunnel mode ipsec ipv6


IPv6 Use Case

• Proposed solution: Tunnel Auto Mode

  • Automatic transport and encapsulation protocol detection

  • Virtual-Access interface dynamically adjusted to the transport/encapsulation type

Hub configuration:

  crypto ikev2 profile ALL-SPOKES
   virtual-template 1 mode auto
  !
  interface virtual-template 1 type tunnel
   tunnel mode gre ip

Diagram: the same four spoke tunnel modes (gre ip, ipsec ipv4, gre ipv6, ipsec ipv6) all terminate on this one virtual-template.


Tunnel Auto Mode – Another Use Case

• Requirements:

  • Single responder for software clients and remote branches (spokes)

  • Spoke-to-spoke tunnels

  • Branches use IKE certificates, clients use EAP (password or TLS certificates)

• Proposed solution:

  • Single IKEv2 profile and virtual-template

  • Differentiated AAA authorization depending on the authentication method

Diagram: FlexVPN hub on the Internet with a RADIUS/EAP server behind it; Windows native client, AnyConnect client, mobile client and branch routers, with a shortcut tunnel between spokes.


Tunnel Auto Mode – Another Use Case

Hub configuration (one profile, three authentication methods, each with its own authorization source; the slide abbreviates the IOS keywords, shown here in full, and the certificate authorization list name is not on the slide):

  aaa authentication login RA group R
  aaa accounting network default start-stop group R
  !
  crypto ikev2 profile default
   match identity remote address 0.0.0.0
   match identity remote key-id cisco.com
   match identity remote fqdn domain cisco.com
   identity local dn
   authentication local rsa-sig
   authentication remote rsa-sig
   pki trustpoint CA
   aaa authorization user cert list <list>
   authentication remote eap query-identity
   aaa authentication eap RA
   aaa authorization user eap cached
   aaa accounting eap default
   authentication remote pre-share
   keyring aaa default
   virtual-template 1 mode auto

Three AAA attribute sets are shown on the slide for the three client populations (Windows clients, AnyConnect, routers; PKI, EAP and PSK authentication). The set carrying ikev2-password-remote belongs to the PSK peers and the user entry to the EAP clients, which leaves the first for the certificate-authenticated peers.

Certificate-authenticated peers:

  interface-config=policy-map PM out
  framed-ip=10.0.0.1
  ipsec:route-set=interface
  ipsec:route-set=prefix 10.0.0.0/8
  ipsec:route-accept=any

EAP-authenticated user (attributes cached from the authentication reply):

  [email protected]  Cleartext-Password := "MyPass",
                    Pool-Name := "flex_pool"
                    ipsec:route-accept=any
                    ipsec:route-set=interface

PSK-authenticated peers (key and attributes fetched through the AAA keyring):

  ikev2-password-remote=xyz
  interface-config=ip unnumbered loop0
  interface-config=policy-map PM out
  framed-ip=[from RADIUS pool]
  ipsec:route-set=interface
  ipsec:route-set=prefix 0.0.0.0/0
  ipsec:route-accept=any

Remote Access Use Cases – Redundancy

Redundancy Considerations

• Failure domain assessment

• Device Failure

• Link Failure

• Provider Failure

• Redundancy Options in Remote Access deployments

• Dual Headend

• Multiple circuits

• Failure detection and Recovery mechanisms

• Routing convergence

• IP SLA/track object

Diagram: hub and spoke connected over the Internet.


FlexVPN HW Client Redundancy Configurations

Backup Gateway (spoke with two hubs)

  • IP SLA/track failure detection

  • Multiple peer definitions under the client block

  • Dynamic tunnel destination

IKEv2 Load Balancer (hub cluster behind an HSRP VIP)

  • HSRP for clustering

  • IKEv2 redirect based on the least loaded gateway

Tunnel Pivot (spoke with two ISPs, ISP1 and ISP2)

  • IP SLA/track failure detection

  • Multiple tunnel source definitions under the client block

  • Dynamic tunnel source

Remote Access Use Cases – Virtualization (VRF)

Virtual Routing & Forwarding

• The router maintains separate L3 forwarding information for each VRF instance (RIB, FIB, routing protocols)

• Two variants: VRF with MPLS VPN, and VRF-Lite (local significance only)

• Each interface on the router belongs to a single VRF

  • For "ip unnumbered", the reference interface must belong to the same VRF

  • If no VRF is specified, the interface belongs to the global VRF

• VRF definition and assignment:

  Old CLI: single-protocol VRF (IPv4-only)

    ip vrf red
     rd 1:1
    interface Ethernet0/0
     ip vrf forwarding red
     ...

  New CLI: multi-protocol VRF (IPv4/IPv6)

    vrf definition red
     rd 1:1
     address-family ipv4
     exit-address-family
     address-family ipv6
     exit-address-family
    interface Ethernet0/0
     vrf forwarding red
     ...


Tunnels – iVRF & fVRF

Diagram: one physical device with five RIB/FIBs (global, blue, red, green, orange), interfaces Eth0/0-0/1, Eth1/0-1/3 and Eth2/0-2/3, and two tunnels, each encapsulating from its iVRF into its fVRF.

Plain VRF without a tunnel (blue RIB/FIB):

  interface Eth0/0
   ip address 10.0.0.1/24
   vrf forwarding blue
  !
  interface Eth0/1
   ip address 10.0.1.1/24
   vrf forwarding blue

Inside VRF (iVRF) red, front-door VRF (fVRF) = global VRF (the default):

  interface Eth1/1
   ip address 10.1.1.1/24
   vrf forwarding red
  !
  interface Eth1/2
   ip address 10.1.2.1/24
  !
  interface Tunnel1
   ip address 172.16.1.1/30
   vrf forwarding red
   tunnel source Eth1/2

iVRF green with an explicit fVRF orange:

  interface Eth2/1
   ip address 10.2.1.1/24
   vrf forwarding green
  !
  interface Eth2/2
   ip address 10.2.2.1/24
   vrf forwarding orange
  !
  interface Tunnel2
   ip address 172.16.2.1/30
   vrf forwarding green
   tunnel vrf orange
   tunnel source Eth2/2

The tunnel interface address resides in the iVRF ("vrf forwarding"); the encapsulated packets are routed in the fVRF ("tunnel vrf", global if omitted), which must contain the tunnel source and the route to the peer.


VRF Use Case

• Requirements:

• Traffic segregation between two departments

• Single VPN endpoint in global VRF

• AnyConnect software client

• EAP user authentication

• Proposed solution:

• Single IKEv2 profile & V-Template

• Local group authorization

• Interface configuration strings

• EAP solely for authentication(no caching of RADIUS attributes)

Diagram: Joe (Engineering) and Tom (Finance) connect over the WAN to Eth0/0 in the global VRF; Joe's Virtual-Access lands in the Engineering VRF (Eth0/1) and Tom's in the Finance VRF (Eth0/2).


VRF Use Case – Configuration

Global configuration:

  aaa authentication login frad group frad
  aaa authorization network here local
  !
  crypto ikev2 name-mangler dept
   eap suffix delimiter @
  !
  crypto ikev2 profile default
   match identity remote key-id vpn@cisco
   identity local dn
   authentication remote eap query-identity
   authentication local rsa-sig
   pki trustpoint root
   aaa authentication eap frad
   aaa authorization group eap list here name-mangler dept
   virtual-template 1
  !
  no crypto ikev2 http-url cert
  !
  interface Virtual-Template1 type tunnel
   no ip address
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

Per-department configuration (Engineering):

  aaa attribute list Eng
   attribute type interface-config "vrf forwarding Eng"
   attribute type interface-config "ip unnumbered Loopback1"
  !
  crypto ikev2 authorization policy Eng
   pool Eng
   dns 10.0.1.1
   aaa attribute list Eng
  !
  interface Loopback1
   vrf forwarding Eng
   ip address 10.0.1.1 255.255.255.255
  !
  ip local pool Eng 10.0.1.10 10.0.1.99

Per-department configuration (Finance):

  aaa attribute list Fin
   attribute type interface-config "vrf forwarding Fin"
   attribute type interface-config "ip unnumbered Loopback101"
  !
  crypto ikev2 authorization policy Fin
   pool Fin
   dns 10.0.1.101
   aaa attribute list Fin
  !
  interface Loopback101
   vrf forwarding Fin
   ip address 10.0.1.101 255.255.255.255
  !
  ip local pool Fin 10.0.1.110 10.0.1.199

RADIUS user database:

  joe@Eng  Cleartext-Password := "joe123"
  tom@Fin  Cleartext-Password := "tom456"

How it fits together:

1. A single IKEv2 profile and a single AnyConnect profile (KEY-ID vpn@cisco) serve both departments

2. EAP authenticates the username and the domain: the whole string joe@Eng is the RADIUS username, so a user cannot land in another department's VRF by typing a different suffix (joe@Fin does not exist on the server)

3. Group authorization is based on the username@domain suffix: the name-mangler extracts Eng or Fin and selects the local authorization policy of that name; no attributes are required on the AAA server

4. The interface-config attributes of the selected policy (VRF membership and unnumbered address) are applied to the Virtual-Access interface during virtual-template cloning; the pool and DNS server come from the same policy

102BRKSEC-2881

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Other Use Cases...

• Per-user or per-group local policy can carry the same way: QoS, ZBF, ACL, Netflow, AAA, IP Accounting

Scenarios & Use Cases – Quality of Service

The Need for QoS on VPN

• QoS is crucial on VPN links for:

• Sharing network bandwidth

• Marshaling bandwidth usage of applications

• Meeting application latency & speed requirements

• The classical “greedy spoke” problem:

[Figure: a hub serving Spoke 1 (greedy), CE 1, Client 2 and Spoke 3. At the hub's crypto engine or WAN link, packets are lost AND the other spokes/clients are starved; at an interface with a limited downstream rate (the most common problem), packets are lost.]

Server-Side Hierarchical Shaper

• Tunnel bandwidth parent policy:

• Each VPN tunnel is given a maximum bandwidth

• A shaper provides the backpressure mechanism

• Protected packets are processed by the child policy:

• There would be several policies: bandwidth, LLQ, etc.

class-map control
 match ip precedence 6
class-map voice
 match ip precedence 5
...
!
policy-map child-common
 class control
  bandwidth 20
 class voice
  priority percent 60
 ...
!
policy-map parent-branch
 class class-default
  shape average 5000000
  service-policy child-common
!
policy-map parent-client
 class class-default
  shape average 1000000
  service-policy child-common

[Figure: on the hub, the parent shaper limits the total bandwidth of each tunnel (5 Mbps towards a branch, 1 Mbps towards an RA client); the child policy applies bandwidth reservation, low-latency queuing and fair queuing, i.e. different policies for different traffic classes.]
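The following discrete-time model is an added example, not code from the deck or from Cisco: it reproduces the greedy-spoke problem on a shared hub link and shows what a per-tunnel shaper (the role of shape average in the parent policy above) changes. All numbers (1000-byte/ms link, 2000-byte drop-tail buffer, 2000 and 200 bytes/ms offered by the two spokes, 500 bytes/ms per-tunnel shaper) are constructed, and the shaper is reduced to a token bucket that simply holds back excess packets.

```python
"""Discrete-time model of the "greedy spoke" problem and per-tunnel shaping.

Constructed model, not Cisco code: two spokes share one hub WAN link. Without
a per-tunnel policy the greedy spoke fills the link's drop-tail buffer and the
well-behaved spoke loses packets; with a per-tunnel token-bucket shaper neither
tunnel can exceed its share, so the shared link never overflows.
"""
from collections import deque

PKT = 100            # bytes per packet (constructed)
LINK_RATE = 1000     # bytes the hub link can send per millisecond (constructed)
LINK_BUF = 2000      # drop-tail buffer in bytes in front of the link (constructed)
OFFERED = {"spoke1": 2000, "spoke2": 200}   # bytes offered per ms; spoke1 is greedy
SHAPE_RATE = 500     # per-tunnel shaper rate in bytes per ms (constructed)


class TokenBucket:
    """Minimal token bucket: 'rate' bytes of credit per ms, burst of one ms worth."""

    def __init__(self, rate):
        self.rate = rate
        self.tokens = rate

    def refill(self):
        self.tokens = min(self.rate, self.tokens + self.rate)

    def take(self, nbytes):
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


def arrivals_in_one_ms():
    """Packets of both tunnels, interleaved by their arrival offset inside the ms.

    Each tunnel spreads its packets evenly over the millisecond; ties keep the
    dict order (spoke1 before spoke2) because sorted() is stable."""
    pkts = []
    for tunnel, nbytes in OFFERED.items():
        n = nbytes // PKT
        pkts += [(k / n, tunnel) for k in range(n)]
    return [tunnel for _, tunnel in sorted(pkts, key=lambda p: p[0])]


def simulate(ms, shape_rate=None):
    """Run 'ms' milliseconds; return (delivered, excess) packet counts per tunnel.

    shape_rate=None models a plain FIFO in front of the link (no per-tunnel
    policy); a number models one token-bucket shaper per tunnel at that rate."""
    queue = deque()           # FIFO of tunnel names, one entry per queued packet
    qbytes = 0
    delivered = {t: 0 for t in OFFERED}
    excess = {t: 0 for t in OFFERED}   # held back by the shaper or tail-dropped
    buckets = {t: TokenBucket(shape_rate) for t in OFFERED} if shape_rate else {}
    for _ in range(ms):
        budget = LINK_RATE    # the link first drains from the head of the FIFO
        while queue and budget >= PKT:
            delivered[queue.popleft()] += PKT
            qbytes -= PKT
            budget -= PKT
        for bucket in buckets.values():
            bucket.refill()
        for tunnel in arrivals_in_one_ms():
            if buckets and not buckets[tunnel].take(PKT):
                excess[tunnel] += PKT    # over its shaper: never reaches the shared link
                continue
            if qbytes + PKT > LINK_BUF:
                excess[tunnel] += PKT    # tail drop on the shared link buffer
                continue
            queue.append(tunnel)
            qbytes += PKT
    while queue:                          # drain whatever is still queued at the end
        delivered[queue.popleft()] += PKT
    return ({t: delivered[t] // PKT for t in OFFERED},
            {t: excess[t] // PKT for t in OFFERED})


if __name__ == "__main__":
    for label, rate in (("no shaping", None), ("per-tunnel shaper", SHAPE_RATE)):
        done, lost = simulate(50, rate)
        print(f"{label:18s} delivered={done} excess={lost}")
```

Without shaping, spoke2 gets roughly half of its 100 packets through because the greedy spoke keeps the shared buffer full; with a 500 byte/ms shaper per tunnel, spoke1 is capped at 5 packets/ms, the link never overflows and spoke2 delivers every packet. The model uses a single drop-tail FIFO after the shapers and counts shaper-held packets as excess; a real IOS shaper would queue them and let the child policy decide which ones to delay or drop.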

QoS Use Case

• Requirements:

• Traffic segregation between departments

• Single VPN endpoint in global VRF

• AnyConnect software client

• EAP user authentication

• Per-user QoS policy

• Proposed solution:

• Single IKEv2 profile & V-Template

• Interface configuration strings

• Explicit RADIUS group authorization

• Implicit RADIUS user authorization (user attributes cached during EAP)

[Figure: Joe (Engineering) and Tom (Finance) connect over the WAN to the FlexVPN server's Eth0/0 in the global VRF; Joe's V-Access is placed in the Engineering VRF (Eth0/1) with the high-bandwidth policy (10 Mbps), Tom's V-Access in the Finance VRF (Eth0/2) with the low-bandwidth policy (5 Mbps).]

QoS Use Case – Configuration

Global configuration:

aaa authentication login frad group frad
aaa authorization network frad group frad
!
crypto ikev2 name-mangler dept
 eap suffix delimiter @
!
crypto ikev2 profile default
 match identity remote key-id vpn@cisco
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root
 aaa authentication eap frad
 aaa authorization group eap list frad name-mangler dept
 aaa authorization user eap cached
 virtual-template 1
!
no crypto ikev2 http-url cert
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
policy-map high
 ...

Per-department configuration:

interface Loopback1
 vrf forwarding Eng
 ip address 10.0.1.1 255.255.255.255
!
ip local pool Eng 10.0.1.10 10.0.1.99
!
interface Loopback101
 vrf forwarding Fin
 ip address 10.0.1.101 255.255.255.255
!
ip local pool Fin 10.0.1.110 10.0.1.199

RADIUS user database (per-user QoS policy, group authorization based on domain):

joe@Eng Cleartext-Password := "joe123"
        Cisco-AVPair = "ip:interface-config=service-policy output high"
tom@Fin Cleartext-Password := "tom456"
        Cisco-AVPair = "ip:interface-config=service-policy output low"

Eng Cleartext-Password := "cisco"
    Cisco-AVPair = "ipsec:addr-pool=Eng",
    Cisco-AVPair += "ipsec:dns-servers=10.0.1.1",
    Cisco-AVPair += "ip:interface-config=vrf forwarding Eng",
    Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"

Fin Cleartext-Password := "cisco"
    Cisco-AVPair = "ipsec:addr-pool=Fin",
    Cisco-AVPair += "ipsec:dns-servers=10.0.1.101",
    Cisco-AVPair += [...]

• Group authorization based on the domain suffix (aaa authorization group eap list frad name-mangler dept)

• Per-user attributes returned during EAP are cached and applied to the V-Access (aaa authorization user eap cached)

• All attributes are centralized on the AAA server; the QoS policies themselves are defined locally on the FlexVPN server
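The Python model below is an added example, not Cisco code and not part of the deck: it walks the identity joe@Eng through the steps the two use cases rely on, EAP authentication of the full username@domain, the eap suffix delimiter @ name-mangler, group authorization from the RADIUS group entry, and the cached per-user attributes that add the service policy. The RADIUS entries are the constructed ones shown above; the VRF use case is the same flow with the group attributes taken from a local crypto ikev2 authorization policy instead of RADIUS. Treating an identity without a delimiter as having no group is this model's assumption, not documented IOS behaviour.

```python
"""Model of the FlexVPN EAP -> name-mangler -> group/user authorization flow.

Constructed example, not Cisco code. It shows why "EAP authenticates username
& domain" matters: the department is derived from the identity suffix, so the
suffix must be part of what the RADIUS server authenticates.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed RADIUS database mirroring the deck's entries.
RADIUS_PASSWORDS = {"joe@Eng": "joe123", "tom@Fin": "tom456"}

# Group entries (explicit RADIUS group authorization, one per department).
RADIUS_GROUP_AVPAIRS = {
    "Eng": ["ipsec:addr-pool=Eng",
            "ipsec:dns-servers=10.0.1.1",
            "ip:interface-config=vrf forwarding Eng",
            "ip:interface-config=ip unnumbered Loopback1"],
    "Fin": ["ipsec:addr-pool=Fin",
            "ipsec:dns-servers=10.0.1.101",
            "ip:interface-config=vrf forwarding Fin",
            "ip:interface-config=ip unnumbered Loopback101"],
}

# Per-user attributes returned during EAP and cached ("aaa authorization user eap cached").
RADIUS_USER_AVPAIRS = {
    "joe@Eng": ["ip:interface-config=service-policy output high"],
    "tom@Fin": ["ip:interface-config=service-policy output low"],
}

_IFCFG = re.compile(r"^ip:interface-config=(.+)$")


@dataclass
class VirtualAccess:
    """Attributes the Virtual-Access interface receives when cloned from the template."""
    vrf: Optional[str] = None
    ip_unnumbered: Optional[str] = None
    service_policy_out: Optional[str] = None
    addr_pool: Optional[str] = None
    dns_servers: List[str] = field(default_factory=list)


def eap_authenticate(identity: str, password: str) -> bool:
    """EAP via RADIUS checks the *full* identity, suffix included."""
    return RADIUS_PASSWORDS.get(identity) == password


def mangle_eap_suffix(identity: str, delimiter: str = "@") -> Optional[str]:
    """'eap suffix delimiter @': the group name is the text after the delimiter.
    Assumption of this model: an identity without the delimiter yields no group."""
    if delimiter not in identity:
        return None
    return identity.split(delimiter, 1)[1]


def apply_interface_config(va: VirtualAccess, line: str) -> None:
    """Interpret the interface configuration strings used on the slides."""
    words = line.split()
    if words[:2] == ["vrf", "forwarding"]:
        va.vrf = words[2]
    elif words[:2] == ["ip", "unnumbered"]:
        va.ip_unnumbered = words[2]
    elif words[:2] == ["service-policy", "output"]:
        va.service_policy_out = words[2]
    else:
        raise ValueError(f"unsupported interface-config: {line}")


def apply_avpairs(va: VirtualAccess, avpairs: List[str]) -> VirtualAccess:
    """Apply Cisco-AVPair values (ipsec:* attributes and ip:interface-config=...)."""
    for av in avpairs:
        m = _IFCFG.match(av)
        if m:
            apply_interface_config(va, m.group(1))
        elif av.startswith("ipsec:addr-pool="):
            va.addr_pool = av.split("=", 1)[1]
        elif av.startswith("ipsec:dns-servers="):
            va.dns_servers = av.split("=", 1)[1].split()
        else:
            raise ValueError(f"unsupported attribute: {av}")
    return va


def bring_up_session(identity: str, password: str) -> Optional[VirtualAccess]:
    """Return the populated Virtual-Access for this user, or None if refused."""
    if not eap_authenticate(identity, password):
        return None                       # EAP failed: unknown identity or bad password
    group = mangle_eap_suffix(identity)
    if group not in RADIUS_GROUP_AVPAIRS:
        return None                       # group authorization failed: no such department
    va = VirtualAccess()
    apply_avpairs(va, RADIUS_GROUP_AVPAIRS[group])             # group attributes first
    apply_avpairs(va, RADIUS_USER_AVPAIRS.get(identity, []))   # then the cached user ones
    return va


if __name__ == "__main__":
    for ident, pw in (("joe@Eng", "joe123"), ("tom@Fin", "tom456"), ("joe@Fin", "joe123")):
        print(ident, "->", bring_up_session(ident, pw))
```

Note the last call in the usage block: joe@Fin with Joe's password is refused even though the suffix names a valid department, because the RADIUS server authenticates the whole identity, so a user cannot pick another department's suffix to land in its VRF.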

Wrapping up...

"Why Flex"?

• Applicability

• Utilities/IoT/SmartGrid

• Service provider

• Enterprise

• "Flex"ibility

• NAT/PAT friendly

• 3rd party

• Per-branch L3 features (e.g., tcp-mss adjustment)

• IPv4/IPv6

• Augmented security

• Suite-B

• Controlled IKEv2 routing

• Per-branch security policy (ZBF, ACL…)

• uRPF check

• Ease to deploy and operationalize

Where is FlexVPN used – Some Examples

• CSIRT

• Intercloud

• Cloud Web Security

• Network Orchestration

• MEVO: network management platform for Enterprises, Government, Service Providers / SMB

Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

• Related sessions


Thank you