Designing Remote-Access and Site-to-Site IPSec Networks with FlexVPN
Wen Zhang
Technical Leader, Cisco Services
BRKSEC-2881
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Objectives & Prerequisites
• Session objectives:
• Introduce IKEv2 & FlexVPN
• Demonstrate the value-add and possibilities of FlexVPN as a unified VPN solution with a variety of peer devices (software & hardware)
• Solve simple & complex use cases using FlexVPN
• Basic understanding of the following topics is required:
• IPSec, IKEv1, PKI, AAA, RADIUS
• Experience with the following features is a plus:
• QoS, MQC, VRF-Lite, iBGP, AnyConnect
Related Material
• IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS
• By Graham Bartlett, Amjad Inamdar
• Published Aug 16, 2016 by Cisco Press.
• http://www.ciscopress.com/store/ikev2-ipsec-virtual-private-networks-understanding-9780134426402
Before We Begin...
“Additional info” slides:
– Rendered in the presentation PDF (download it through the CiscoLive portal)
– Not shown during the live presentation
– Cover extra details or small additional topics
Agenda
• Introduction
• What is FlexVPN
• IKEv2 Overview
• Tunnel Interfaces
• FlexVPN AAA Integration
• Configuration Building Blocks
• Deployment Scenarios and Use Cases
• Site-to-Site
• Remote Access
• AnyConnect
• Windows Native Clients
• FlexVPN Hardware Clients
• Wrap-up
FlexVPN Overview
• Unified overlay VPN
• Combines Site-to-Site, Remote Access, Hub-Spoke & Spoke-Spoke topologies
• IPSec VPN compliant with the IKEv2 standard
• SSLVPN remote access on the roadmap
• FlexVPN highlights
• Unified CLI with Smart Defaults
• Unified infrastructure that leverages point-to-point tunnel interfaces
• Most features available across all topologies (QoS, AAA, VRF, …)
• IWAN NOT supported
• Interoperable with other IKEv2 implementations (ASA, Windows, StrongSwan, ...)
• Easy to learn, market, and manage
Comparing IKEv1 & IKEv2
IKEv1: ISAKMP (RFC 2408), IPSec DOI (RFC 2407), IKE (RFC 2409)
IKEv2: RFC 7296, plus extensions such as IKEv2 Redirect (RFC 5685), Childless IKEv2 (RFC 6023), EAP-Only IKEv2 (RFC 5998), etc.
• Same objectives: authentication, integrity, confidentiality; both use UDP ports 500 & 4500
• More secure authentication options: IKEv1 offers PSK, RSA-Sig and Hybrid Auth.; IKEv2 offers PSK, RSA-Sig, EAP Auth., Suite-B and Anti-DoS
• Similar but different: IKEv1 Main + Aggressive modes vs. IKEv2 INITIAL exchanges; IKEv1 NAT-T, DPD and Mode Config extensions vs. their built-in IKEv2 equivalents; IKEv2 has a cleaner identity/key exchange and acknowledged notifications
IKEv2 Exchanges
• IKE_SA_INIT: IKEv2 Security Association (SA) establishment (proposal selection, key exchange)
• IKE_AUTH: mutual authentication & identity exchange; certificate exchange (optional); configuration exchange (optional); initial IPSec SAs establishment
• CREATE_CHILD_SA: additional IPSec SAs establishment; IKEv2 & IPSec SA rekey
• INFORMATIONAL: notifications (SA deletion, liveness check, ...); configuration exchange (one or both ways); can be Initiator (I) -> Responder (R) with ACK, or R -> I with ACK
IKEv2 Configuration Exchange
• CFG_REQUEST / CFG_REPLY (INFORMATIONAL): the initiator (RA client) requests configuration parameters from the responder (RA server); the reply is derived from peer authorization.
– Initiator: "I would like: an IPv6 address, a DNS & WINS server, a list of protected IPv6 subnets"
– Responder: "Your assigned IPv6 address is ..., your DNS server is ..., there is no WINS server, my protected IPv6 subnets are ..."
• CFG_SET / CFG_ACK (INFORMATIONAL): the initiator and/or responder sends unsolicited configuration parameters to its peer, again derived from peer authorization.
– Initiator: "My local IPv6 protected subnets are ..."
– Responder: "Acknowledged"
Dynamic Point-to-Point Virtual Interfaces
FlexVPN Server, P2P virtual interface template (VT1):
crypto ikev2 profile default
...
virtual-template 1
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
Dynamically instantiated P2P interfaces (VT1 cloned into VA1, VA2, VA3, one per connected client, each with its own security policy and QoS):
interface Virtual-Access1
ip unnumbered Loopback0
tunnel source <local-address>
tunnel destination <remote-address>
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
service-policy output mobile-QoS
!
interface Virtual-Access2
ip unnumbered Loopback0
tunnel source <local-address>
tunnel destination <remote-address>
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
service-policy output traveler-QoS
!
interface Virtual-Access3
ip unnumbered Loopback0
tunnel source <local-address>
tunnel destination <remote-address>
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
service-policy output home-office-QoS
Server routing table (RIB/FIB); the per-client routes over the Virtual-Access interfaces are the security policy:
S default via Ethernet0/0
L 10.0.1.1/32 local Loopback0
S 10.0.1.10/32 via Virtual-Access1
S 10.0.1.11/32 via Virtual-Access2
S 10.0.1.12/32 via Virtual-Access3
S 10.42.1.0/24 via Virtual-Access3
Clients: 10.0.1.10/32 (Tun0, behind VA1), 10.0.1.11/32 (behind VA2), 10.0.1.12/32 with LAN 10.42.1.0/24 (behind VA3).
Client, static P2P virtual interface (Tun0):
interface Tunnel0
ip address negotiated
tunnel source Ethernet0/0
tunnel destination <server-address>
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
Interface Features
FlexVPN Server packet path for cleartext traffic from the server LAN (Eth0/0) to an RA client over Virtual-Access1 and Eth0/1 (WAN):
• Interface input features on Eth0/0 (apply to the cleartext packet: IP | L4 | Data)
• RIB/FIB (routing table) lookup selects Virtual-Access1
• Pre-encapsulation interface output features on Virtual-Access1 (apply to the cleartext packet)
• IPSec encapsulation (tunnel protection): IP | IPsec | IP | L4 | Data, with the inner packet encrypted
• Post-encapsulation interface output features on Eth0/1 (apply to the encrypted packet)
Interface features include NAT, PBR, QoS, NetFlow, ...
Tunnel Encapsulation
• IPSec Tunnel Mode (IPv4 or IPv6): IP | IPsec | IP | L4 | Data (inner packet encrypted)
• Classic dVTI: compatibility with software clients (any-to-any or any-to-assigned-address)
• Multi-SA dVTI: compatibility with legacy crypto map peers (ASA, other vendors)
• IPv4 over IPv6 Mixed Mode in IOS-XE 3.10
interface Virtual-Template1 type tunnel
tunnel mode ipsec {ipv4 | ipv6}
tunnel protection ipsec profile default
• GRE over IPSec: IP | IPsec | GRE | IP | L4 | Data (GRE packet encrypted)
• Enables tunneling of non-IP protocols (e.g. MPLS)
• Required for dynamic mesh scenarios (aka DMVPN, but with the extra flexibility of point-to-point interfaces)
• "tunnel mode gre ip" is the default on static and dynamic tunnel interfaces
interface Virtual-Template1 type tunnel
tunnel mode gre {ip | ipv6}
tunnel protection ipsec profile default
Configuration Example
crypto ikev2 profile default
! IKEv2 identity & profile selection
match identity remote fqdn domain cisco.com
identity local fqdn router.cisco.com
! IKEv2 authentication & certificates
authentication local rsa-sig
authentication remote eap
pki trustpoint root sign
! AAA integration (authentication, authorization, accounting)
aaa authentication eap default
aaa authorization user eap
! Dynamic point-to-point interfaces
virtual-template 1
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
! Native IPSec tunnel or GRE/IPSec
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
IKEv2 CLI Overview
Proposal, Policy, and Keyring
! IKEv2 Proposal (algorithms for IKEv2 SA)
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha512 sha256 sha1 md5
group 5 2
! IKEv2 Policy (binds IKEv2 Proposal to local Layer 3 scope)
crypto ikev2 policy default
match fvrf any
proposal default
! IKEv2 Keyring (supports asymmetric Pre-Shared Keys)
crypto ikev2 keyring IOSKeyring
peer cisco
address 10.0.1.1
pre-shared-key local CISCO
pre-shared-key remote OCSIC
! IKEv2 Authorization Policy (contains attributes for local AAA & config. exchange)
crypto ikev2 authorization policy default
route set interface
route accept any
IKEv2 CLI Overview
IKEv2 Profile – Extensive CLI
crypto ikev2 profile default
! Self identity control (only one local identity allowed)
identity local address 10.0.0.1
[identity local fqdn local.cisco.com]
[identity local email [email protected]]
[identity local dn]
! Match on peer IKE identity or certificate (multiple "match identity" allowed)
match identity remote address 10.0.1.1
match identity remote fqdn remote.cisco.com
match identity remote fqdn domain cisco.com
match identity remote email [email protected]
match identity remote email domain cisco.com
match certificate certificate_map
! Match on local address and front VRF
match fvrf red
match address local 172.168.1.1
! Asymmetric local & remote authentication methods
! (only one local method allowed, multiple remote methods allowed)
authentication local pre-share
[authentication local rsa-sig]
[authentication local eap]
authentication remote pre-share
authentication remote rsa-sig
authentication remote eap
! Local and AAA-based Pre-Shared Keyring
keyring local IOSKeyring
keyring aaa AAAlist
pki trustpoint <trustpoint_name>
IPSec CLI Overview
Tunnel Protection similar to DMVPN and EzVPN
! Transform set unchanged
crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
! IPsec profile defines SA parameters and points to IKEv2 profile
crypto ipsec profile default
set transform-set default
set ikev2-profile default
! Dynamic point-to-point interfaces; tunnel protection points to IPsec profile
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel protection ipsec profile default
! Static point-to-point interfaces
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source Ethernet0/0
tunnel destination 172.16.2.1
tunnel protection ipsec profile default
Introducing Smart Defaults
Intelligent, reconfigurable defaults
These constructs are the Smart Defaults (present without any explicit configuration):
crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
crypto ipsec profile default
set transform-set default
set ikev2-profile default
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256 sha1 md5
group 5 2
crypto ikev2 policy default
match fvrf any
proposal default
crypto ikev2 authorization policy default
route set interface
route accept any
What you need to specify:
crypto ikev2 profile default
match identity remote address 10.0.1.1
authentication local rsa-sig
authentication remote rsa-sig
aaa authorization user cert list default default
pki trustpoint root
!
interface Tunnel0
ip address 192.168.0.1 255.255.255.252
tunnel protection ipsec profile default
Reconfigurable Defaults
All defaults can be modified, deactivated, or restored
• Modifying defaults:
crypto ikev2 proposal default
encryption aes-cbc-128
integrity md5
crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
• Restoring defaults:
default crypto ikev2 proposal
default crypto ipsec transform-set
• Disabling defaults:
no crypto ikev2 proposal default
no crypto ipsec transform-set default
FlexVPN and AAA
Authentication, Authorization & Accounting
• IKEv2 communicates with IOS AAA subsystem
• Local database (IKEv2 Authorization Policy)
• Remote database (RADIUS)
• Protocols in play: IKEv2, RADIUS, EAP
• AAA-based authentication:
• Pre-shared keys stored on RADIUS server
• EAP over IKEv2 & RADIUS
• Authorization – a mechanism to apply policies or attributes to connections
• Implicit authorization (re-uses attributes received during authentication)
• Explicit authorization (local or remote, group- & user-level)
• Accounting
aaa new-model
aaa authorization network local-db local
aaa authorization network remote-db group radius
! "local-db" and "remote-db" are the AAA list names referenced from the IKEv2 profile
High-Level Interactions
Roles: RA Client (IKEv2 Initiator, RADIUS Client, EAP Supplicant); FlexVPN Server (IKEv2 Responder, RADIUS NAS, EAP Authenticator); AAA Server (RADIUS Server, EAP Backend)
• Cert. Authentication: between RA Client and FlexVPN Server
• EAP Client Authentication: RA Client <-> FlexVPN Server <-> AAA Server
• AAA PSK Retrieval: FlexVPN Server <-> AAA Server, followed by PSK Authentication between RA Client and FlexVPN Server
• Cached & Local Authorization: on the FlexVPN Server
• RADIUS Authorization: FlexVPN Server <-> AAA Server
• RADIUS Accounting: FlexVPN Server -> AAA Server
AAA Pre-Shared Keys
• Same IKEv2 packet flow as regular PSK authentication
• FlexVPN Server has no IKEv2 keyring configured
• Local & remote pre-shared keys stored on RADIUS server
• Symmetric key (IETF attribute):
router2 Cleartext-Password := "cisco"
Tunnel-Password = "!cisco?"
• Asymmetric keys (Cisco AV-Pair):
router1 Cleartext-Password := "cisco"
Cisco-AVPair = "ipsec:ikev2-password-local=cisco!",
Cisco-AVPair += "ipsec:ikev2-password-remote=!ocsic"
AAA Pre-Shared Keys – Packet Flow
Roles: FlexVPN Client (IKEv2 Initiator, RADIUS Client); FlexVPN Server (IKEv2 Responder, RADIUS NAS); AAA Server (RADIUS Server)
• Client -> Server, IKEv2 (IKE_AUTH): IDi, AUTH(PSK), ... (IKEv2 ID: joe.cisco.com)
• Server -> AAA Server, RADIUS (Access-Request): User-Name: joe.cisco.com, Password: cisco (the AAA username is taken from the IKEv2 ID; the password is configurable)
• AAA Server -> Server, RADIUS (Access-Accept): Local PSK = cisco!, Remote PSK = !ocsic, other user attributes for joe.cisco.com (cached for authorization)
• Server -> Client, IKEv2 (IKE_AUTH): IDr, AUTH(PSK), ...
crypto ikev2 profile default
match identity remote fqdn domain cisco.com
keyring aaa radius
!
EAP Authentication
Roles: RA Client (IKEv2 Initiator, RADIUS Client, EAP Supplicant); FlexVPN Server (IKEv2 Responder, RADIUS NAS, EAP Authenticator); AAA Server (RADIUS Server, EAP Backend). EAP is carried inside IKEv2 between client and server, and inside RADIUS between server and AAA server.
• Username-Password/Token/Mobile Authentication (One-Way): EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 / EAP-AKA / EAP-SIM / ...
• TLS-Based Certificate Authentication (Mutual): EAP-TLS, with TLS running end-to-end between RA client and EAP backend
• TLS-Protected Nested Authentication (One-Way or Mutual): EAP-PEAP / EAP-TTLS carrying EAP-MSCHAPv2 / EAP-TLS / ... inside TLS
• In every case the RA server authenticates to the client using IKE certificates (mandatory)
crypto ikev2 profile default
authentication remote eap query-identity
aaa authentication eap frad
Authorization Types
Not mutually exclusive – may be combined
• Implicit User Authorization: uses cached attributes received from RADIUS during AAA PSK retrieval or EAP authentication (RADIUS Access-Accept: Local PSK = cisco!, Remote PSK = !ocsic, other user attributes for joe, cached for authorization)
crypto ikev2 profile default
aaa authorization user {psk|eap} cached
• Explicit User Authorization: retrieves user attributes from RADIUS
crypto ikev2 profile default
aaa authorization user {psk|eap|cert} list list [name | name-mangler mangler]
• Explicit Group Authorization: retrieves group attributes from RADIUS or local database; "override" reverses the order of precedence (group > user)
crypto ikev2 profile default
aaa authorization group {psk|eap|cert} [override] list list [name | name-mangler mangler]
Attributes – Syntax
• Local Database
• IKEv2 Authorization Policy
• AAA Attribute List (V-Access interface configuration statements)
crypto ikev2 authorization policy Eng
pool Eng-pool
dns 10.0.1.1
netmask 255.255.255.255
aaa attribute list Eng-list
!
aaa attribute list Eng-list
attribute type interface-config "vrf forwarding Eng-vrf"
attribute type interface-config "ip unnumbered Loopback1"
• Central/Remote Database (on RADIUS Server)
• Standard IETF Attributes (Framed-IP-Address, etc.)
• Cisco Attribute-Value Pairs (Cisco-AVPair)
Eng Cleartext-Password := "cisco"
Framed-IP-Netmask = "255.255.255.255",
Cisco-AVPair = "ipsec:addr-pool=Eng-pool",
Cisco-AVPair += "ipsec:dns-servers=10.0.1.1",
Cisco-AVPair += "ip:interface-config=vrf forwarding Eng-vrf",
Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"
Attributes – Merging
Cached User Attributes (received by the FlexVPN Server from the AAA Server during AAA-based authentication):
Framed-IP-Address = 10.0.0.101
ipsec:dns-servers = 10.2.2.2
Explicit User Attributes (received during explicit user authorization):
Framed-IP-Address = 10.0.0.102
Merged User Attributes (explicit user attributes take precedence):
Framed-IP-Address = 10.0.0.102
ipsec:dns-servers = 10.2.2.2
Explicit Group Attributes (received during explicit group authorization):
ipsec:dns-servers = 10.2.2.3
ipsec:banner = Welcome !
Final Merged Attributes (merged user attributes take precedence, except if "group override" is configured):
Framed-IP-Address = 10.0.0.102
ipsec:dns-servers = 10.2.2.2
ipsec:banner = Welcome !
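The merge order on the slide above (explicit user over cached user, then merged user over group unless "group override" is set) is easy to get backwards when reading a RADIUS reply by hand. The following Python is an added example, not code from the slides or from Cisco IOS: it parses reply items written in the users-file style of the "Attributes – Syntax" slide into an attribute dictionary and then applies the merge rules, using the slide's own values. The Cisco-AVPair flattening ("prefix:name=value" keyed by "prefix:name") is this example's own convention.

```python
"""Added example (not from the slides): FlexVPN authorization attribute merging."""
import re
from typing import Dict, Iterable, Optional

Attrs = Dict[str, str]

# One reply item in the users-file style shown on the slides, e.g.
#   Framed-IP-Netmask = "255.255.255.255",   or   Cisco-AVPair += "ipsec:dns-servers=10.0.1.1"
_ITEM = re.compile(r'^([\w-]+)\s*\+?=\s*"?(.*?)"?$')


def parse_reply_items(lines: Iterable[str]) -> Attrs:
    """Flatten reply items into one attribute dictionary.

    Cisco-AVPair values of the form "prefix:name=value" are keyed by
    "prefix:name" so several AV pairs can coexist in one dictionary."""
    attrs: Attrs = {}
    for raw in lines:
        line = raw.strip().rstrip(",")
        if not line:
            continue
        m = _ITEM.match(line)
        if not m:
            raise ValueError(f"unparseable reply item: {raw!r}")
        name, value = m.group(1), m.group(2)
        if name == "Cisco-AVPair" and "=" in value:
            name, value = value.split("=", 1)
        attrs[name] = value
    return attrs


def merge_attributes(cached_user: Optional[Attrs], explicit_user: Optional[Attrs],
                     explicit_group: Optional[Attrs], group_override: bool = False) -> Attrs:
    """Apply the precedence rules from the 'Attributes - Merging' slide."""
    merged_user: Attrs = dict(cached_user or {})
    merged_user.update(explicit_user or {})   # explicit user attributes take precedence
    if group_override:                        # 'aaa authorization group ... override'
        final = dict(merged_user)
        final.update(explicit_group or {})    # group wins (reverse order of precedence)
    else:
        final = dict(explicit_group or {})
        final.update(merged_user)             # merged user attributes win (the default)
    return final


# Values taken from the slide
CACHED_USER = {"Framed-IP-Address": "10.0.0.101", "ipsec:dns-servers": "10.2.2.2"}
EXPLICIT_USER = {"Framed-IP-Address": "10.0.0.102"}
EXPLICIT_GROUP = {"ipsec:dns-servers": "10.2.2.3", "ipsec:banner": "Welcome !"}


def slide_example(group_override: bool = False) -> Attrs:
    """Final merged attributes for the slide's scenario, with or without group override."""
    return merge_attributes(CACHED_USER, EXPLICIT_USER, EXPLICIT_GROUP, group_override)


if __name__ == "__main__":
    for override in (False, True):
        print(f"group override={override}:")
        for key, value in sorted(slide_example(override).items()):
            print(f"  {key} = {value}")
```

Without override the final set keeps the user's DNS server (10.2.2.2) and only picks up the banner from the group; with override the group's DNS server (10.2.2.3) wins while the address still comes from the user, because the group supplies none.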
Authorization Example
FlexVPN Server configuration:
aaa authorization network here local
aaa attribute list Eng-list
attribute type interface-config "vrf forwarding Eng-vrf"
attribute type interface-config "ip unnumbered Loopback1"
!
crypto ikev2 authorization policy Eng
pool Eng-pool
netmask 255.255.255.255
aaa attribute list Eng-list
!
crypto pki certificate map cisco-map 1
subject-name co o = Cisco
!
crypto ikev2 name-mangler ou
dn organization-unit
!
crypto ikev2 profile default
match certificate cisco-map
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint root
aaa authorization group cert list here name-mangler ou
virtual-template 1
!
ip local pool Eng-pool 10.0.1.10 10.0.1.99
!
interface Loopback1
vrf forwarding Eng-vrf
ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
Sequence between RA Client and FlexVPN Server:
• Client: "My IKE ID is cn=joe-pc, ou=Eng, o=Cisco; here is my identity certificate; I need an IPv4 address"
• Server: map connection to IKEv2 profile by matching on cert-map "cisco-map"
• Server: perform certificate-based authentication (not shown)
• Server: run client IKE ID through name-mangler "ou"
• Server: invoke AAA with list "here" (local authorization) & username "Eng"
• Server: clone V-Template1 into V-Access1, apply VRF & IP unnumbered
• Server: allocate IPv4 address from pool "Eng-pool"
• Server: "Your IPv4 address is: 10.0.1.10/32"
Resulting interface, as displayed by "show derived-config ...":
interface Virtual-Access1
vrf forwarding Eng-vrf
ip unnumbered Loopback1
tunnel source 192.0.2.2
tunnel mode ipsec ipv4
tunnel destination 192.168.221.129
tunnel protection ipsec profile default
AAA Accounting
RA Client (192.168.221.129, assigned address 10.0.1.101) <-> FlexVPN Server (10.0.0.1) <-> RADIUS Server (10.0.0.2); IKEv2 (EAP) & IPSec run between client and server.
aaa accounting network rad start-stop group frad
aaa group server radius frad
server-private 10.0.0.2 auth-port 1812 acct-port 1813 key s3cr3t
!
crypto ikev2 profile default
aaa authentication eap frad
aaa authorization user eap cached
! references the "aaa accounting network" list defined above
aaa accounting eap rad
Upon client connection, the server sends a RADIUS Accounting-Request (Start) and receives an Accounting-Response:
Acct-Session-Id = "0000001B"
Cisco-AVPair = "isakmp-phase1-id=acvpn"
Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
Framed-IP-Address = 10.0.1.101
User-Name = "joe@cisco"
Cisco-AVPair = "connect-progress=No Progress"
Acct-Authentic = Local
Acct-Status-Type = Start
NAS-IP-Address = 10.0.0.1
Acct-Delay-Time = 0
Upon client disconnection, the server sends a RADIUS Accounting-Request (Stop) and receives an Accounting-Response:
Acct-Session-Id = "0000001B"
Cisco-AVPair = "isakmp-phase1-id=acvpn"
Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
Framed-IP-Address = 10.0.1.101
User-Name = "joe@cisco"
Acct-Authentic = Local
Cisco-AVPair = "connect-progress=No Progress"
Acct-Session-Time = 104
Acct-Input-Octets = 13906
Acct-Output-Octets = 11040
Acct-Input-Packets = 207
Acct-Output-Packets = 92
Acct-Terminate-Cause = 0
Cisco-AVPair = "disc-cause-ext=No Reason"
Acct-Status-Type = Stop
NAS-IP-Address = 10.0.0.1
Acct-Delay-Time = 0
Fields of interest: IKE ID (isakmp-phase1-id), client public IP address (isakmp-initator-ip), assigned IP address (Framed-IP-Address), EAP username (User-Name), statistics (Acct-Session-Time, Acct-Input/Output-Octets and -Packets).
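Accounting records are only useful to an operations team once Start and Stop are paired per session, which is what the example below does. It is an added example, not code from the slides or from Cisco IOS: it parses the two records shown above (copied verbatim, including the attribute spelling "isakmp-initator-ip" as it appears in the capture), correlates them by Acct-Session-Id, and flags sessions that have a Stop without a Start, a common sign of lost records or of a collector started mid-session.

```python
"""Added example (not from the slides): correlate RADIUS accounting Start/Stop records from a FlexVPN server."""
from typing import Dict, Iterable, List


def parse_record(text: str) -> Dict[str, str]:
    """Parse one Accounting-Request dump ('Attribute = value' per line).

    Cisco-AVPair items of the form "name=value" are stored under 'name',
    so a record carrying several AV pairs keeps all of them."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, value = line.partition(" = ")
        if not sep:
            raise ValueError(f"unparseable accounting item: {line!r}")
        value = value.strip('"')
        if name == "Cisco-AVPair":
            name, _, value = value.partition("=")
        record[name] = value
    return record


def correlate_sessions(records: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Pair Start and Stop records by Acct-Session-Id and keep the per-session fields an analyst wants."""
    sessions: Dict[str, Dict[str, object]] = {}
    for rec in records:
        sid = rec["Acct-Session-Id"]
        s = sessions.setdefault(sid, {"user": None, "ike_id": None, "initiator_ip": None,
                                      "assigned_ip": None, "nas": None, "started": False,
                                      "stopped": False, "session_time": None,
                                      "input_octets": None, "output_octets": None})
        for key, attr in (("user", "User-Name"), ("ike_id", "isakmp-phase1-id"),
                          ("initiator_ip", "isakmp-initator-ip"),   # spelled as in the capture
                          ("assigned_ip", "Framed-IP-Address"), ("nas", "NAS-IP-Address")):
            if attr in rec:
                s[key] = rec[attr]
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            s["started"] = True
        elif status == "Stop":
            s["stopped"] = True
            s["session_time"] = int(rec.get("Acct-Session-Time", "0"))
            s["input_octets"] = int(rec.get("Acct-Input-Octets", "0"))
            s["output_octets"] = int(rec.get("Acct-Output-Octets", "0"))
    return sessions


def orphan_stops(sessions: Dict[str, Dict[str, object]]) -> List[str]:
    """Sessions with a Stop but no Start: began before collection, or the Start record was lost."""
    return sorted(sid for sid, s in sessions.items() if s["stopped"] and not s["started"])


# The Start and Stop records from the accounting slide (session 0000001B)
START_RECORD = """\
Acct-Session-Id = "0000001B"
Cisco-AVPair = "isakmp-phase1-id=acvpn"
Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
Framed-IP-Address = 10.0.1.101
User-Name = "joe@cisco"
Cisco-AVPair = "connect-progress=No Progress"
Acct-Authentic = Local
Acct-Status-Type = Start
NAS-IP-Address = 10.0.0.1
Acct-Delay-Time = 0
"""
STOP_RECORD = """\
Acct-Session-Id = "0000001B"
Cisco-AVPair = "isakmp-phase1-id=acvpn"
Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
Framed-IP-Address = 10.0.1.101
User-Name = "joe@cisco"
Acct-Authentic = Local
Cisco-AVPair = "connect-progress=No Progress"
Acct-Session-Time = 104
Acct-Input-Octets = 13906
Acct-Output-Octets = 11040
Acct-Input-Packets = 207
Acct-Output-Packets = 92
Acct-Terminate-Cause = 0
Cisco-AVPair = "disc-cause-ext=No Reason"
Acct-Status-Type = Stop
NAS-IP-Address = 10.0.0.1
Acct-Delay-Time = 0
"""


def slide_sessions() -> Dict[str, Dict[str, object]]:
    """Correlated view of the slide's Start/Stop pair."""
    return correlate_sessions([parse_record(START_RECORD), parse_record(STOP_RECORD)])


if __name__ == "__main__":
    for sid, summary in slide_sessions().items():
        print(sid, summary)
    print("orphan stops:", orphan_stops(slide_sessions()))
```

The same correlation keys (session id, assigned address, initiator address, IKE ID) are what you would use to join these records against firewall or NetFlow data when investigating a remote-access session.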
Site-to-Site Use Case
Topology: Site1 LAN 172.16.1.0/24 and Site2 LAN 172.16.2.0/24, connected over the Internet; Tunnel0 10.0.0.1/30 on the Site1 router, Tunnel0 10.0.0.2/30 on the Site2 router.
• Requirements:
• Secure site-to-site access over public Internet
• Static routing
• Proposed solution:
• Static Virtual Tunnel Interface
• Local pre-shared keys
• Static route
Site2 router configuration:
crypto ikev2 profile default
match identity remote fqdn r1.cisco.com
identity local fqdn r2.cisco.com
authentication remote pre-share
authentication local pre-share
keyring local my_keyring
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.252
tunnel source Ethernet0/0
tunnel destination 192.0.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
!
interface Ethernet0/0
ip address 192.0.2.1 255.255.255.0
!
interface Ethernet0/1
! host address in the Site2 LAN 172.16.2.0/24
ip address 172.16.2.1 255.255.255.0
!
ip route 172.16.1.0 255.255.255.0 Tunnel0
Site-to-Site Use Case
Topology: Site1 LAN 172.16.1.0/24 and Site2 LAN 172.16.2.0/24, connected over the Internet.
• Requirements:
• Secure site-to-site access over public Internet
• Dynamic routing (EIGRP) instead of static routing
Site2 router configuration:
crypto ikev2 profile default
match identity remote fqdn r1.cisco.com
identity local fqdn r2.cisco.com
authentication remote pre-share
authentication local pre-share
keyring local my_keyring
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.252
tunnel source Ethernet0/0
tunnel destination 192.0.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
!
interface Ethernet0/0
ip address 192.0.2.1 255.255.255.0
!
interface Ethernet0/1
! host address in the Site2 LAN 172.16.2.0/24
ip address 172.16.2.1 255.255.255.0
!
router eigrp 100
network 10.0.0.0 0.0.0.3
network 172.16.2.0
Site-to-Site Use Case – Hub and Spokes
Topology: hub LAN 172.16.0.0/24, spoke LANs such as 172.16.1.0/24, connected over the Internet; a CA Server sits behind the hub.
• Requirements:
• Secure site-to-site access over public Internet
• Large number of spokes
• Minimal security exposure amongst spokes
• Hub and spoke traffic profile
• Simple routing
• Proposed solution:
• Dynamic Virtual Tunnel Interface on the Hub (Virtual-Access interfaces)
• Static Virtual Tunnel Interface on the Spoke (static Tunnel interface)
• Certificate authentication
• Overlay routing with EIGRP with summary route
Hub and Spokes – Spoke Configuration
crypto ikev2 profile default
match identity remote fqdn domain cisco.com
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
!
interface Tunnel0
ip unnumbered loopback0
tunnel source Ethernet0/0
tunnel destination 192.0.1.1
tunnel protection ipsec profile default
!
router eigrp 100
network 10.0.0.0 0.0.0.255
network 172.16.1.0
Hub and Spokes – Hub Configuration
crypto ikev2 profile default
match identity remote fqdn domain cisco.com
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
!
interface virtual-template 1 type tunnel
ip unnumbered loopback0
! advertise one summary (172.16.0.0/16) towards every spoke
ip summary-address eigrp 100 172.16.0.0 255.255.0.0
tunnel protection ipsec profile default
!
router eigrp 100
network 10.0.0.0 0.0.0.255
network 172.16.0.0
Site-to-Site Use Case – Hub and Spokes
Topology as before (hub LAN 172.16.0.0/24, spoke LAN 172.16.1.0/24, CA Server), with an AAA Server behind the hub.
• Proposed solution (other variations):
• Authentication
• Hybrid Authentication
• AAA managed pre-shared keys
• Address assignment
• Radius
• Local address pool
• Routing
• IKEv2 Routing
• Locally managed
• Radius managed
• BGP
Site-to-Site Use Case – Dynamic Mesh
Topology: hub LAN 172.16.0.0/24, spoke LAN 172.16.1.0/24, connected over the Internet.
• Proposed Solution:
• Dynamic Virtual Tunnel Interfaces on both Hub and Spoke
• Hub assigned Tunnel addresses on Spokes
• NHRP Short-cut switching with GRE/IPSec
• iBGP routing for scale
• IKEv2 routing to bootstrap BGP neighbor communication
IKEv2 Route Exchange
• Route exchange during IKE negotiation is driven from the IKEv2 authorization profile
• This authorization profile is either locally defined or centralized (AAA server)!
Spoke routing table:
C 172.16.1.0/24 Eth0
C 10.0.0.2 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
S 172.16.0.0/16 Tunnel0
Hub routing table:
C 172.16.0.0/24 Eth0
C 10.0.0.254/32 -> Loopback0
S 0.0.0.0/0 Dialer0
S 172.16.0.0/16 Null0
S 10.0.0.2/32 Tunnel0
S 172.16.1.0/24 Tunnel0
Exchange between Spoke (initiator) and Hub (responder): CFG_SET / CFG_ACK, then CFG_REQUEST / CFG_REPLY; each side asks "Route Accept?" before installing what it receives.
• Initiator sends its own routes to the responder
• Routes sent to peer are determined by: interface ('route set interface'), access-list ('route set access-list'), direct statement ('route set remote')
• Inbound route filter (by tag or AD) is possible using 'route accept'
• Default is 'accept any'!
• For maximal security, remote routes can be denied and route addition can be controlled locally using 'route set local'
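The route exchange above, together with the CFG_SET/CFG_ACK and CFG_REQUEST/CFG_REPLY configuration exchange introduced earlier, can be modelled in a few lines to see exactly which prefixes each side ends up installing and what 'route accept' does to them. The Python below is an added example, not code from the slides or from Cisco IOS: the AuthorizationPolicy and Peer classes, the interface names ("Tunnel0" on the spoke, "Virtual-Access1" on the hub) and the hub's use of 'route set remote' for the 172.16.0.0/16 summary are assumptions made for the illustration; the resulting static routes, tag and distance match the slide's routing tables and the hub's authorization policy.

```python
"""Added example (not from the slides): model of the IKEv2 route exchange and the 'route accept' filter."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AuthorizationPolicy:
    """Subset of 'crypto ikev2 authorization policy' that drives route exchange."""
    route_set_interface: bool = False                                # 'route set interface'
    route_set_access_list: List[str] = field(default_factory=list)  # prefixes permitted by 'route set access-list'
    route_set_remote: List[str] = field(default_factory=list)       # 'route set remote ipv4 ...'
    route_accept: str = "any"                                        # 'route accept any' (the default) or 'none'
    accept_tag: Optional[int] = None                                 # 'route accept any tag N'
    accept_distance: int = 1                                         # 'route accept any distance N'


# RIB entry: (code, prefix, outgoing interface, administrative distance, tag)
RibEntry = Tuple[str, str, str, int, Optional[int]]


@dataclass
class Peer:
    name: str
    tunnel_interface: str       # interface over which the peer's routes are installed
    tunnel_address: str         # address advertised by 'route set interface' (e.g. the unnumbered loopback)
    policy: AuthorizationPolicy
    rib: List[RibEntry] = field(default_factory=list)


def routes_to_send(peer: Peer) -> List[str]:
    """Routes a peer announces, from the three sources listed on the slide."""
    candidates: List[str] = []
    if peer.policy.route_set_interface:
        candidates.append(f"{peer.tunnel_address}/32")
    candidates.extend(peer.policy.route_set_access_list)
    candidates.extend(peer.policy.route_set_remote)
    # strict=True rejects a prefix with host bits set, i.e. a typo in the policy
    return [str(ipaddress.ip_network(p, strict=True)) for p in candidates]


def install_received_routes(peer: Peer, received: List[str]) -> List[str]:
    """Apply the receiver's 'route accept' policy; returns the prefixes installed as static routes."""
    if peer.policy.route_accept != "any":
        return []                                   # remote routes denied ('route accept none')
    installed: List[str] = []
    for prefix in received:
        entry: RibEntry = ("S", prefix, peer.tunnel_interface,
                           peer.policy.accept_distance, peer.policy.accept_tag)
        if entry not in peer.rib:
            peer.rib.append(entry)
        installed.append(prefix)
    return installed


def exchange(initiator: Peer, responder: Peer) -> Tuple[List[str], List[str]]:
    """CFG_SET/CFG_ACK carries the initiator's routes to the responder;
    CFG_REQUEST/CFG_REPLY brings the responder's routes back to the initiator."""
    on_responder = install_received_routes(responder, routes_to_send(initiator))
    on_initiator = install_received_routes(initiator, routes_to_send(responder))
    return on_responder, on_initiator


def slide_scenario(spoke_accepts_remote_routes: bool = True):
    """Spoke (initiator) and hub (responder) from the route exchange slide; interface names are assumed."""
    spoke = Peer("spoke", "Tunnel0", "10.0.0.2",
                 AuthorizationPolicy(route_set_interface=True,
                                     route_set_access_list=["172.16.1.0/24"],
                                     route_accept="any" if spoke_accepts_remote_routes else "none"))
    hub = Peer("hub", "Virtual-Access1", "10.0.0.254",
               AuthorizationPolicy(route_set_interface=True,
                                   route_set_remote=["172.16.0.0/16"],
                                   accept_tag=1, accept_distance=1))
    return spoke, hub, exchange(spoke, hub)


if __name__ == "__main__":
    spoke, hub, (on_hub, on_spoke) = slide_scenario()
    print("installed on hub:  ", on_hub)
    print("installed on spoke:", on_spoke)
    for entry in hub.rib + spoke.rib:
        print(entry)
```

Running the scenario with spoke_accepts_remote_routes=False shows the "maximal security" variant: the hub still learns the spoke's prefixes, but the spoke installs nothing from the hub and must carry its own routes via 'route set local' or a routing protocol.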
Dynamic Mesh – Hub Configuration
aaa new-model
aaa authorization network default local
!
crypto ikev2 profile default
match identity remote fqdn domain cisco.com
identity local dn
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint CA
aaa authorization group cert list default default
virtual-template 1
!
interface virtual-template1 type tunnel
ip unnumbered Loopback0
ip nhrp network-id 1
ip nhrp redirect
tunnel protection ipsec profile default
!
ip route 172.16.0.0 255.255.0.0 Null0
!
router bgp 1
neighbor Spokes peer-group
neighbor Spokes remote-as 1
bgp listen range 10.0.0.0/8 peer-group Spokes
redistribute static
hub#show crypto ikev2 authorization policy default
IKEv2 Authorization Policy : default
IPV4 Address Pool : mypool
route set interface
route accept any tag : 1 distance : 1
Dynamic Mesh – Spoke Configuration
aaa authorization network default local
!
crypto ikev2 profile default
<SNIP>
aaa authorization group cert list default default
virtual-template 1
!
interface Tunnel0
ip address negotiated
tunnel source Ethernet0/0
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
tunnel destination 192.0.1.1
tunnel protection ipsec profile default
!
interface virtual-template 1 type tunnel
ip unnumbered tunnel 0
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
tunnel protection ipsec profile default
!
router bgp 1
bgp log-neighbor-changes
neighbor 10.0.0.254 remote-as 1
network 172.16.1.0 mask 255.255.255.0
Dynamic Mesh – Packet Flow
• Similar to DMVPN phase 3
• Data packet follows routed path
• NHRP redirect from hub
• NHRP resolution request from source spoke
• Destination spoke answers with resolution reply
• Spoke to Spoke tunnel built over Virtual-Access interface
• NHRP route installed
• Subsequent data packets follow spoke to spoke path
Routing table on the source spoke once the shortcut to the spoke owning 172.16.1.0/24 is up:
H 172.16.1.0/24 -> V-Access1
Dynamic Mesh – Hub Redundancy
• Requirements:
• Redundancy to protect against hub failure
• Proposed Solution:
• Dual Hubs at the head end
• Routing-based Active-Active resiliency
• Potential sub-second detection and recovery with BFD
Dynamic Mesh – Hub Resiliency
Diagram: two hubs (10.0.0.1 and 10.0.0.2), each terminating spokes on Virtual-Access interfaces, share the 172.16.0.0/24 LAN (addresses .1, .2 and .254); spokes reach the hubs through static Tunnel interfaces.
Site-to-Site Use Case – 3rd Party Peers
Topology: IOS hub with LAN 172.16.0.0/24; IOS spokes with LANs such as 172.16.1.0/24; a 3rd party "Red" VPN Gateway peer; all connected over the Internet.
• Requirements:
• Secure site-to-site access over public Internet
• Mixed environment with some 3rd party peers that can only support crypto map style IPSec
• Proposed solution:
• Dynamic Virtual Tunnel Interface on the Hub with Multi-SA support
• Static Virtual Tunnel Interface on IOS peers
• Crypto-map style IPSec configuration on the 3rd party initiator
Hub configuration:
crypto ipsec profile default
! limiting the number of security policies per peer is not required but recommended
set security-policy limit 10
set ikev2-profile Flex
!
interface virtual-template 1 type tunnel
ip unnumbered loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
!
Remote Access Clients – Overview
AnyConnect (Desktop Version)
• Supported OSes: Windows, Mac OS X, Linux
• Supported IKEv2 authentication methods: Certificates, EAP
• Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
• Security policy exchange: Automatic (2) (RRI)
• Dual stack (IPv4 & IPv6): 3.1.05152 (with GRE); IOS-XE planned
• Split tunneling: Yes
AnyConnect (Mobile Version)
• Supported OSes: Android, Apple iOS
• Supported IKEv2 authentication methods: Certificates, EAP
• Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
• Security policy exchange: Automatic (2) (RRI)
• Dual stack (IPv4 & IPv6): Planned (client limitation)
• Split tunneling: Yes
Windows Native IKEv2 Client
• Supported OSes: Windows 7 & 8
• Supported IKEv2 authentication methods: Certificates, EAP
• Supported EAP authentication methods: EAP-MSCHAPv2, EAP-TLS (1), EAP-PEAP (1), ... and more (Win8)
• Security policy exchange: Automatic (2) (RRI)
• Dual stack (IPv4 & IPv6): Planned (headend limitation)
• Split tunneling: Very limited (classful)
FlexVPN Hardware Client
• Supported OSes: Cisco IOS 15.2+ (not on IOS-XE / ASR1k, not on ISR-G1)
• Supported IKEv2 authentication methods: Certificates, EAP, Pre-Shared Key
• Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
• Security policy exchange: Automatic (2) (IKEv2), Dyn. Routing Protocol
• Dual stack (IPv4 & IPv6): Both (with GRE)
• Split tunneling: Yes
strongSwan
• Supported OSes: Linux, Mac OS X, Android, FreeBSD, ...
• Supported IKEv2 authentication methods: Certificates, EAP, Pre-Shared Key
• Supported EAP authentication methods: EAP-MSCHAPv2, EAP-TLS (1), EAP-PEAP (1), ... and more (plugins)
• Security policy exchange: Automatic (2) (RRI)
• Dual stack (IPv4 & IPv6): Planned (headend limitation)
• Split tunneling: Yes
(1) EAP-TLS, EAP-TTLS, EAP-PEAP and others require TLS certificates on EAP server & RA client
(2) IPSec Reverse Route Injection (RRI) and IKEv2 Route Exchange are enabled by default
AnyConnect Secure Mobility Client
• Since AnyConnect 3.0, IKEv2/IPSec supported
• Desktop: Windows, Mac OS X, Linux
• Mobile: Apple iOS, Android
• Supported authentication methods:
• Machine/User Certificates (RSA signatures)
• EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
• EAP-GTC (cleartext password authentication, used for one-time-passwords/tokens)
• EAP-MD5 (hash-based authentication)
• Particularities:
• Requires EAP “query-identity” on server (triggers username/password input dialog)
• Requires “no crypto ikev2 http-url cert” on server (aborts the connection otherwise)
• CSCud96246: incompatibility with IOS when using SHA-2 integrity (resolved in 3.1.05)
58BRKSEC-2881
AnyConnect – VPN Profile Editor

Add an entry to the server list in the VPN Profile Editor:
• Connection name (HostName)
• Server FQDN (HostAddress)
• IKE Identity: only applies to EAP authentication methods

Resulting XML profile:

...
<ServerList>
 <HostEntry>
  <HostName>FlexVPN</HostName>
  <HostAddress>flexra.cisco.com</HostAddress>
  <PrimaryProtocol>IPsec
   <StandardAuthenticationOnly>true
    <AuthMethodDuringIKENegotiation>EAP-GTC</AuthMethodDuringIKENegotiation>
    <IKEIdentity>acvpn</IKEIdentity>
   </StandardAuthenticationOnly>
  </PrimaryProtocol>
 </HostEntry>
</ServerList>
...
AnyConnect Mobile – Manual Connection

Screenshot callouts when creating a new manual connection:
• Connection name
• Server FQDN
• Enable IKEv2 (Cisco ASA/IOS only)
• Select authentication method
• Specify IKE ID for EAP methods
• Certificate selection
AnyConnect – Profile Deployment Options

Default profile location:
  OS             Default Location
  Windows        %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
  Mac OS, Linux  /opt/cisco/anyconnect/profile

AnyConnect Desktop (XML profile):
• Add to the AnyConnect installation package
• Push using a Software Management System
• Send via e-mail
• Install manually on local hard disk

AnyConnect Mobile (XML profile):
• Import from local filesystem
• Import or create via URI handler:
  anyconnect://import?type=profile&uri=location
  Example location: http%3A%2F%2Fexample.com%2FFlexVPN.xml
• Send via e-mail
• Configure connection manually

Whatever channel is used, the profile decides which server the client connects to and how it authenticates, so treat it like configuration and distribute it over an authenticated channel rather than a plain-HTTP location as in the example.
AnyConnect – Mutual RSA Signatures

• Mutual IKE certificate-based authentication
  • AnyConnect picks the best available identity certificate
    • Based on selection rules in the XML profile (if any)
    • Certificate with EKU preferred over non-EKU
  • Client IKE ID = certificate subject DN
  • Server selects the IKEv2 profile based on a certificate match
    • Matching is done on the certificate itself, not on the IKE ID (the IKE ID is only a claim by the peer; the certificate map is evaluated against the chain that was actually verified)
• Explicit user/group authorization
  • Non-AAA authentication: no cached attributes
  • Extract the CN/OU field from the DN using a name-mangler
  • Retrieve user/group attributes from RADIUS

RADIUS (FreeRADIUS users file):

# Group definition
Eng   Cleartext-Password := "cisco"
      Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
# User definition
joe   Cleartext-Password := "cisco"
      Framed-IP-Address = "10.0.1.101",
      Framed-IP-Netmask = "255.255.255.255"

FlexVPN server:

crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list frad name-mangler ou
 aaa authorization user cert list frad name-mangler cn
 virtual-template 1

[Diagram: IKE certificate authentication between the AnyConnect client and the FlexVPN server, followed by explicit group and user authorization over RADIUS]
Building Block – IKEv2 Name Mangler

• Start with the peer's IKE or EAP identity
• Derive a username that is meaningful to AAA (local or RADIUS)

crypto ikev2 name-mangler extract-user
 fqdn hostname              ! FQDN:  joe.cisco.com        -> joe
 email username             ! Email: [email protected]     -> joe
 dn common-name             ! DN:    cn=joe,ou=IT,o=Cisco -> joe
 eap prefix delimiter @     ! EAP:   joe@cisco            -> joe

[Diagram: RA Client (IKEv2 initiator) - FlexVPN Server (IKEv2 responder, RADIUS NAS/client) - AAA Server (RADIUS server)]
• IKEv2 exchange carries the RA client identity
• The name mangler derives the AAA username: joe
• RADIUS AAA request: username joe, password cisco (configurable password)
• Local AAA request: username joe
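The four extraction rules above, plus the suffix rule used later for department-based authorization, reimplemented as an added example (not code from the slides or from IOS) so a derived AAA username can be checked without a router. Rule keywords follow the IOS CLI; the identity-type labels, the DN parser, the handling of a missing delimiter and the sample identities (joe@cisco.com is constructed for the example) are this example's own choices.

```python
"""IKEv2 name-mangler rules reimplemented (added example; not from the slides)."""
import re

# IOS 'dn <field>' keywords mapped to the RDN attribute type they select
DN_FIELDS = {
    "common-name": "cn", "organization-unit": "ou", "organization": "o",
    "locality": "l", "state": "st", "country": "c", "domain": "dc",
}


def parse_dn(dn: str) -> dict:
    """'cn=joe,ou=IT,o=Cisco' -> {'cn': 'joe', 'ou': 'IT', 'o': 'Cisco'}.

    Splits on commas that are not backslash-escaped and lowercases the
    attribute types; the first occurrence of a type wins, so the leftmost
    (most specific) RDN is kept when a type repeats.
    """
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        typ, _, val = rdn.partition("=")
        attrs.setdefault(typ.strip().lower(), val.strip().replace("\\,", ","))
    return attrs


def mangle(identity: str, id_type: str, rules: dict) -> str:
    """Apply the rule configured for this identity type; with no rule the
    raw IKE/EAP identity becomes the AAA username (as on the slide)."""
    rule = rules.get(id_type)
    if rule is None:
        return identity
    if id_type == "fqdn":                        # fqdn hostname | domain
        host, _, domain = identity.partition(".")
        return host if rule == "hostname" else domain
    if id_type == "email":                       # email username | domain
        user, _, domain = identity.partition("@")
        return user if rule == "username" else domain
    if id_type == "dn":                          # dn common-name | organization-unit | ...
        return parse_dn(identity).get(DN_FIELDS[rule], "")
    if id_type == "eap":                         # eap prefix|suffix delimiter X
        part, delimiter = rule
        head, sep, tail = identity.partition(delimiter)
        if not sep:                              # no delimiter present: nothing to strip (assumption)
            return identity
        return head if part == "prefix" else tail
    raise ValueError(f"unknown identity type {id_type!r}")


# crypto ikev2 name-mangler extract-user (the slide's configuration)
EXTRACT_USER = {"fqdn": "hostname", "email": "username",
                "dn": "common-name", "eap": ("prefix", "@")}
# crypto ikev2 name-mangler dept (suffix selects the department/group)
DEPT = {"eap": ("suffix", "@")}

if __name__ == "__main__":
    samples = [("fqdn", "joe.cisco.com"), ("email", "joe@cisco.com"),
               ("dn", "cn=joe,ou=IT,o=Cisco"), ("eap", "joe@cisco")]
    for id_type, ident in samples:
        print(f"{id_type:5} {ident:24} -> {mangle(ident, id_type, EXTRACT_USER)}")
    print("eap   joe@Eng                  -> group", mangle("joe@Eng", "eap", DEPT))
```

Note that the identity fed in is still untrusted when the mangler runs: it is whatever the peer claimed in IKE_AUTH or the EAP Identity response. The mangled name only decides which AAA record is looked up; the password or certificate check that follows is what proves the claim.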
AnyConnect – EAP (All Methods)

• EAP-GTC / EAP-MD5 / EAP-MSCHAPv2
• Client IKE ID = KEY-ID string configured in the XML profile
• Server selects the IKEv2 profile based on the KEY-ID string
• EAP "query-identity" prompts the user for credentials
• EAP ID = username entered by the user
• Password authentication against the AAA user database
• Returned attributes cached for implicit authorization

RADIUS user definition:

joe@cisco  Cleartext-Password := "c1sc0!"
           Framed-IP-Address = "10.0.1.101",
           Framed-IP-Netmask = "255.255.255.255",
           Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

FlexVPN server:

crypto ikev2 profile default
 match identity remote key-id acvpn
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

[Diagram: IKE exchange between the AnyConnect client and the FlexVPN server; EAP username/password authentication (EAP-GTC / EAP-MD5 / EAP-MSCHAPv2) relayed to the AAA server over RADIUS]
AnyConnect – Certificate Requirements

Field                          AnyConnect client IKEv2 certificate              FlexVPN server IKEv2 certificate
Used for                       Mutual RSA-SIG                                   Mutual RSA-SIG; EAP (all types)
Common Name (CN)               Anything                                         Anything (if SAN field present); server FQDN (if no SAN field)
Key Usage (KU)                 Digital Signature                                Digital Signature; Key Encipherment or Key Agreement
Extended Key Usage (EKU)       Optional (1)(3); if present: TLS Client Auth     Optional (2)(3); if present: TLS Server Authentication or IKE Intermediate
Subject Alternative Name (SAN) Not required (3)                                 Optional (3); if present: server FQDN

(1) Required in AC 3.0.8 to 3.0.10 (CSCuc07598)
(2) Required in AC 3.0 (all versions), lifted in 3.1
(3) Not required: may be omitted or set to any value. Optional: may be omitted or set to the specified value
Windows 7 – VPN Connection Settings

Screenshot callouts:
• Destination: DNS-resolvable FQDN, which must be found in:
  • CN/SAN of the FlexVPN Server IKE certificate
  • CN of the EAP Server TLS certificate
• Type of VPN: IKEv2
• Data encryption: "Require encryption" & "Strongest encryption" require AES-256 in the IPsec transform set:
  crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
• Authentication: EAP-MSCHAPv2 or RSA Signatures (machine certificate)
Windows – Mutual RSA Signatures

• Mutual IKE certificate-based authentication
  • Windows can only use local machine certificates
• IKEv2 profile selection on the server
  • Client IKE ID = certificate subject DN
  • Server selects the profile based on a certificate map
  • Matching is done on the certificate itself, not on the IKE ID
• Explicit user/group authorization
  • Non-AAA authentication: no cached attributes
  • Extract the CN/OU field from the DN using a name-mangler
  • Retrieve user/group attributes from RADIUS

FlexVPN server:

crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list frad name-mangler ou
 aaa authorization user cert list frad name-mangler cn
 virtual-template 1

RADIUS (FreeRADIUS users file):

# Group definition
Eng   Cleartext-Password := "cisco"
      Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
# User definition
joe   Cleartext-Password := "cisco"
      Framed-IP-Address = "10.0.1.101",
      Framed-IP-Netmask = "255.255.255.255"

[Diagram: IKE certificate authentication between the Windows client and the FlexVPN server, followed by explicit group and user authorization over RADIUS]
AnyConnect – Backup Server List

Add backup server(s) to the list in the VPN Profile Editor. Resulting XML profile:

...
<ServerList>
 <HostEntry>
  <HostName>FlexVPN</HostName>
  <HostAddress>flexra.cisco.com</HostAddress>
  <BackupServerList>
   <HostAddress>flexra2.cisco.com</HostAddress>
  </BackupServerList>
...

[Diagram: client - WAN - Primary and Backup FlexVPN servers] When the primary server stops responding, the client will try connecting to the backup server(s).
AnyConnect – Seamless Auto-Reconnect

crypto ikev2 profile default
 reconnect [timeout <seconds>]

Scenario A: WAN outage
 1: Connected
 2: Network failure detected; the client will attempt to reconnect automatically
 3: Server marks the session as "inactive" and keeps it alive until the configured timeout
 4: ISP/WAN comes back up; session resumed without any user intervention

Scenario B: switching links
 1: Connected over 3G
 2: Switching to WiFi (different IP address)
 3: Session resumed over the WiFi link without any user intervention

Also works when the computer suspends & resumes (behavior controllable through the XML profile)
RA Use Case: Windows – Full Tunneling

Topology: Windows client on LAN 10.42.1.0/24 (default gateway 10.42.1.1) - WAN - FlexVPN Server (public address 192.0.2.2, Lo1: 10.0.1.1/32) in front of 10.0.0.0/16. Assigned VPN IP: 10.0.1.22/32

FlexVPN Server:

interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

S    10.0.1.22/32 is directly connected, Virtual-Access1
(assigned IP address reachable over the client's Virtual-Access, automatic through RRI)

Windows IPv4 route table after connection:

Destination    Gateway     Interface
0.0.0.0/0      10.42.1.1   Local Area Connection
0.0.0.0/0      On-link     FlexVPN Connection       (default route changed to point through the VPN tunnel)
192.0.2.2/32   10.42.1.1   Local Area Connection    (server reachable in the clear via the ISP)
10.42.1.0/24   On-link     Local Area Connection    (local LAN still reachable)

If "Use default gateway on remote network" is un-checked in the adapter's IPv4 settings: the default route is replaced with a single classful route based on the assigned VPN IP address (e.g. 10.0.0.0/8 via 10.0.1.22) = rudimentary split tunneling
RA Use Case: AnyConnect – Full Tunneling

Topology: AnyConnect client on LAN 10.42.1.0/24 (default gateway 10.42.1.1) - WAN - FlexVPN Server (public address 192.0.2.2, Lo1: 10.0.1.1/32) in front of 10.0.0.0/16. Assigned VPN IP: 10.0.1.22/32

FlexVPN Server:

interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

S    10.0.1.22/32 is directly connected, Virtual-Access1

Client IPv4 route table after connection:

Destination    Gateway     Interface
0.0.0.0/0      10.42.1.1   Local Area Connection
0.0.0.0/0      On-link     FlexVPN Connection       (default route changed to point through the VPN tunnel)
192.0.2.2/32   10.42.1.1   Local Area Connection    (server reachable in the clear via the ISP)
10.42.1.0/24   On-link     Local Area Connection    (local LAN route removed from the routing table by AnyConnect)

To enable full tunneling with local LAN access:
• The IOS "include-local-lan" attribute is not supported by AnyConnect; use the RADIUS-only Cisco-AV-Pair "ipsec:split-exclude" with the special value 0.0.0.0/32:
  Cisco-AVPair += "ipsec:split-exclude=0.0.0.0/255.255.255.255"
• In addition, "Local Lan Access" must be enabled in the AnyConnect XML profile
• Supported in 15.2(4)M6, 15.2(4)S5 and 15.4(2)T/S onwards
RA Use Case: AnyConnect – Split Tunneling

Topology: AnyConnect client on LAN 10.42.1.0/24 (default gateway 10.42.1.1) - WAN - FlexVPN Server (public address 192.0.2.2, Lo1: 10.0.1.1/32) in front of 10.0.0.0/16. Assigned VPN IP: 10.0.1.22/32

FlexVPN Server:

interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

Authorization (one or more subnets to include in the split tunnel; the split tunnel policy is pushed by the server within the IKEv2 Config Exchange):
 route set remote ipv4 10.0.0.0 255.255.0.0

S    10.0.1.22/32 is directly connected, Virtual-Access1

Client IPv4 route table after connection:

Destination    Gateway     Interface
0.0.0.0/0      10.42.1.1   Local Area Connection    (original default gateway used for Internet traffic + server reachability)
10.0.0.0/16    On-link     FlexVPN Connection       (specific route(s) pointing through the VPN tunnel)
10.42.1.0/24   On-link     Local Area Connection    (local LAN still reachable)
FlexVPN Hardware Client – Overview
• IKEv2 initiation on IOS can be driven by the FlexVPN Client Profile CLI construct
• Supported authentication methods:
• Certificates (RSA signatures)
• Various EAP methods (EAP-MSCHAPv2/EAP-GTC/EAP-MD5)
• Pre-Shared Keys
• Routing on FlexVPN server and client:
• IKEv2 Routing (bidirectional Configuration Exchange)
• Dynamic Routing Protocol (optional, bootstrapped through IKEv2 Routing)
• IPv4/IPv6 mixed-mode & dual-stack supported using GRE/IPsec interfaces
• Remote Access client in CVO/SmartGrid deployments and much more!
FlexVPN Hardware Client – Example

• Sample configuration:
  • Static tunnel interface driven by the FlexVPN Client Profile
  • Local AAA authorization (default IKEv2 authorization policy)
  • Certificate-based mutual authentication (no EAP)
  • Single peer (name resolution of the FQDN on connection)
• Tunnel interface configuration:
  • IP address assigned through IKEv2 Configuration Exchange
  • Tunnel destination set dynamically by the FlexVPN Client logic
  • IKEv2/IPsec initiation triggered by the FlexVPN Client logic
• Default IKEv2 routing between client & server:
  • Client advertises a route for the Tunnel0 assigned IP address
  • Client installs prefixes advertised by the server (egress Tunnel0)

aaa new-model
aaa authorization network here local
!
crypto pki trustpoint root
 rsakeypair root
!
crypto pki certificate map cisco 1
 subject-name co o = cisco
!
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list here default
!
crypto ikev2 client flexvpn flexra
 peer 1 fqdn flexra.cisco.com dynamic
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile default

client#show crypto ikev2 authorization policy default
IKEv2 Authorization Policy : default
route set interface
route accept any tag : 1 distance : 1
FlexVPN Hardware Client – Key Features

• Peer list with object tracking:
  • Ordered list of FlexVPN servers (by address or FQDN)
  • Enable/disable entries based on tracking object state
  • Additional peers can be pushed by the server during Config Exchange

crypto ikev2 client flexvpn flexra
 peer 1 <address>
 peer 2 <address> track 10 up
 peer 3 <address> track 20 down
!
track 10 interface <name> line-protocol
track 20 ip route <prefix> reachability

• Connection modes (under the FlexVPN client block):
  • Automatic (infinite loop, 10 seconds between tries): connect auto
  • When a tracking object goes up/down (enables dial backup): connect track 10 up
  • Manual (CLI-triggered): connect manual

• EAP local authentication (IKEv2 initiator only):
  • Username prompt only if the server does "query-identity"
  • Alternative: static credentials in the IKEv2 profile

crypto ikev2 profile default
 authentication local eap

client#crypto ikev2 client flexvpn flexra connect
Enter the command 'crypto eap credentials flexra'
client#crypto eap credentials flexra
Enter the Username for profile flexra: joe@cisco
Enter the password for username joe@cisco:
FlexVPN HW Client – Routing Review
• IKEv2 Routing (Configuration Exchange)
• IPv4 & IPv6 subnets exchanged within IKEv2 Configuration Payloads
• Static routes added to the RIB on both sides
• Remote Access: currently only supported with FlexVPN hardware client
• IPSec Reverse Route Injection (RRI)
• Static routes added to RIB for protected remote networks (remote proxies)
• No configuration required (automatic for Virtual-Access with non-any-any proxies)
• Remote Access: supported with software clients (AnyConnect, Windows 7+, ...)
• Dynamic Routing Protocol
• Pros: more powerful/flexible/adaptive
• Cons: more complex/resource-intensive
• Remote Access: only supported with FlexVPN hardware client
FlexVPN Routing – Events & Sources

Event (source) and what it adds to the routing table (RIB/FIB):

• IKEv2 Configuration Exchange (IKEv2) -> IKEv2 static routes
  • Local configuration (installed locally):
    route set local {ipv4 | ipv6} prefix          prefixes listed in "route set local" authorization attribute(s)
    route accept any [distance ...] [tag ...]     controls the handling of prefixes received during the Configuration Exchange within IPv4/IPv6 SUBNET attributes
  • Remote configuration (sent to the peer):
    route set interface [ifc-name]
    route set remote {ipv4 | ipv6} prefix
    route set access-list ...
• IPsec SA up / down (IPsec) -> Reverse Route Injection
  • Prefixes corresponding to the negotiated IPsec SA remote proxies (not applicable to any-any VTI or GRE/IPsec)
• Routing update (routing protocol) -> regular dynamic routes
  • Prefixes advertised by the peer over the dynamic routing protocol neighborship
• Shortcut creation (NHRP) -> NHRP static routes
  • Spoke-to-spoke tunnels established
Scenario: HW Client – Single Address PAT

Topology: FlexVPN Client (Eth0/1: LAN 10.42.1.0/24, Eth0/0 toward WAN) - WAN - FlexVPN Server (Lo1: 10.0.1.1/32) in front of 10.0.0.0/16. Assigned IP: 10.0.1.22/32

FlexVPN Client:

interface Tunnel0
 ip address negotiated
 ip nat outside
!
interface Ethernet0/1
 ip nat inside                 ! not on the slide, but required for the translation to apply to LAN traffic
!
ip nat inside source route-map vpn interface Tunnel0 overload
!
route-map vpn permit 10
 match interface Tunnel0

Client authorization:
 route set interface

Client routing table:
S    10.0.0.0/16 is directly connected, Tunnel0      (summary prefix reachable through the tunnel)
S    10.0.1.1/32 is directly connected, Tunnel0
C    10.0.1.22/32 is directly connected, Tunnel0
C    10.42.1.0/24 is directly connected, Ethernet0/1

FlexVPN Server:

interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

Server authorization:
 route set interface
 route set remote ipv4 10.0.0.0 255.255.0.0

Server routing table:
S    10.0.1.22/32 is directly connected, Virtual-Access1   (assigned IP address reachable over the client's Virtual-Access)

Traffic from the LAN to remote VPN networks: PAT to the Tunnel0 assigned IP address
Works, but not recommended: lacks flexibility and features
HW Client Use Case – Network Extension

Topology: FlexVPN Client (Eth0/1: LAN 10.42.1.0/24, Eth0/0 toward WAN) - WAN - FlexVPN Server (Lo1: 10.0.1.1/32) in front of 10.0.0.0/16. Assigned IP: 10.0.1.22/32

FlexVPN Client:

interface Tunnel0
 ip address negotiated
!
interface Ethernet0/1
 ip address 10.42.1.1 255.255.255.0

Client authorization:
 route set interface
 route set interface ethernet0/1

Client routing table:
S    10.0.0.0/16 is directly connected, Tunnel0      (summary prefix reachable through the tunnel)
S    10.0.1.1/32 is directly connected, Tunnel0
C    10.0.1.22/32 is directly connected, Tunnel0
C    10.42.1.0/24 is directly connected, Ethernet0/1

FlexVPN Server:

interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

Server authorization:
 route set interface
 route set remote ipv4 10.0.0.0 255.255.0.0

Server routing table:
S    10.0.1.22/32 is directly connected, Virtual-Access1   (assigned IP address reachable over the client's Virtual-Access)
S    10.42.1.0/24 is directly connected, Virtual-Access1   (client LAN directly reachable over the tunnel; prefix can be redistributed into the IGP)

Local/remote addresses & prefixes exchanged using IKEv2 routing
Recommended design, equivalent to NEM+ in EzVPN
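A small model of the routing exchange described in the "Events & Sources" slide and shown in the Network Extension use case above, written as an added example (it is not slide content or IOS code). Each side turns its authorization policy into the INTERNAL_IP4_SUBNET attributes it sends in the Configuration Payload and into the static routes it installs. The server-assigned address is modelled as a /32 the server installs itself, and what a side does with peer prefixes when `route accept` is switched off follows this example's reading of the Extranet with AAA use case that comes next, not captured router output; names such as `Peer`, `Policy` and `exchange` are the example's own.

```python
"""FlexVPN IKEv2 routing exchange, modelled (added example; not from the slides).

  route set interface [ifc]  advertise the tunnel address (/32) and the
                             connected prefix of each named interface
  route set remote <prefix>  advertise <prefix> to the peer
  route set local <prefix>   install <prefix> locally via the tunnel
  route accept any           install whatever the peer advertises
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass
class Policy:
    set_interface: Optional[List[str]] = None   # None: absent; []: tunnel address only
    set_remote: List[str] = field(default_factory=list)
    set_local: List[str] = field(default_factory=list)
    accept_any: bool = True                     # False models 'no route accept any'


@dataclass
class Peer:
    name: str
    tunnel: str                                 # Tunnel0 (client) / Virtual-Access1 (server)
    tunnel_addr: str                            # negotiated (client) or unnumbered (server)
    lans: Dict[str, str] = field(default_factory=dict)   # interface -> "address/len"
    policy: Policy = field(default_factory=Policy)
    assigns: Optional[str] = None               # address handed to the peer (server side)
    rib: List[Tuple[str, str, str]] = field(default_factory=list)  # (code, prefix, ifc)
    rejected: List[str] = field(default_factory=list)


def _net(cidr: str) -> str:
    return str(ipaddress.ip_network(cidr, strict=False))


def _add(p: Peer, code: str, prefix: str, ifc: str) -> None:
    if (code, prefix, ifc) not in p.rib:
        p.rib.append((code, prefix, ifc))


def cfg_subnets(p: Peer) -> List[str]:
    """INTERNAL_IP4_SUBNET attributes this side puts in its CFG payload."""
    out: List[str] = []
    if p.policy.set_interface is not None:
        out.append(f"{p.tunnel_addr}/32")
        out += [_net(p.lans[ifc]) for ifc in p.policy.set_interface]
    out += [_net(x) for x in p.policy.set_remote]
    return out


def receive(p: Peer, subnets: List[str]) -> None:
    """Apply the peer's CFG payload under this side's 'route accept' setting."""
    for s in subnets:
        if p.policy.accept_any:
            _add(p, "S", s, p.tunnel)
        else:
            p.rejected.append(s)            # peer-supplied prefix never reaches the RIB


def exchange(client: Peer, server: Peer) -> Dict[str, List[str]]:
    """One CFG_REQUEST/CFG_REPLY round; returns what each side advertised."""
    for p in (client, server):
        for ifc, cidr in p.lans.items():
            _add(p, "C", _net(cidr), ifc)
        for x in p.policy.set_local:        # locally / AAA managed routes
            _add(p, "S", _net(x), p.tunnel)
    if server.assigns:
        _add(server, "S", f"{server.assigns}/32", server.tunnel)
    sent = {client.name: cfg_subnets(client), server.name: cfg_subnets(server)}
    receive(server, sent[client.name])
    receive(client, sent[server.name])
    return sent


def show_ip_route(p: Peer) -> List[Tuple[str, str, str]]:
    """'show ip route'-style view, sorted by code then prefix."""
    return sorted(p.rib, key=lambda r: (r[0], ipaddress.ip_network(r[1])))


if __name__ == "__main__":
    # Network Extension: spoke advertises its LAN, hub pushes 10.0.0.0/16
    spoke = Peer("spoke", "Tunnel0", "10.0.1.22", {"Ethernet0/1": "10.42.1.1/24"},
                 Policy(set_interface=["Ethernet0/1"]))
    hub = Peer("hub", "Virtual-Access1", "10.0.1.1", assigns="10.0.1.22",
               policy=Policy(set_interface=[], set_remote=["10.0.0.0/16"]))
    sent = exchange(spoke, hub)
    for p in (spoke, hub):
        print(f"{p.name} advertised {sent[p.name]}")
        for code, prefix, ifc in show_ip_route(p):
            print(f"  {code}  {prefix} is directly connected, {ifc}")
```

The design point the model makes visible: with `route accept any` (the default policy) a spoke decides which prefixes land in the hub's RIB, so a compromised or misconfigured spoke can attract traffic for any subnet it names. Turning acceptance off on the hub and sourcing the spoke's prefixes from `route set local` (or the equivalent AAA attribute) keeps that decision central.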
HW Client Use Case – Extranet with AAA

Topology: FlexVPN Client (Eth0/1: LAN 10.42.1.0/24, Eth0/0 toward WAN) - WAN - FlexVPN Server (Lo1: 10.0.1.1/32) in front of 10.0.0.0/16, with a RADIUS/EAP server behind it. Assigned IP: 10.0.1.22/32

• Requirements:
  • Extranet for partner access
  • Centralized route management
• Proposed solution:
  • IKEv2 routing
  • AAA managed routes
  • Locally configured IKEv2 routes on the hub (route-set local, from AAA) rather than accepting whatever routes the spokes advertise: a partner device cannot inject prefixes into the hub's RIB

RADIUS (FreeRADIUS users file):

R1   Cleartext-Password := "cisco"
     Cisco-AVPair = "ipsec:ikev2-password-remote=xyz",
     Framed-IP-Address = 10.0.1.22,
     Cisco-AVPair += "ipsec:route-set=interface",
     Cisco-AVPair += "ipsec:route-set=remote ipv4 10.0.0.0 255.255.0.0",
     Cisco-AVPair += "ipsec:route-set=local ipv4 10.42.1.0 255.255.255.0"

FlexVPN server:

aaa authorization network default local group radius
!
crypto ikev2 profile default
 match identity remote fqdn domain example.com
 identity local fqdn client1.example.com
 authentication remote pre-share
 authentication local pre-share
 keyring aaa default name-mangler extract-host
 aaa authorization user psk cached
 virtual-template 1
Ideal for M2M, IoT, Field, B2B, Managed Services, ...

• SmartGrid and all utilities
• Connected vehicle
• ISP managed service, ATMs
• Fleet connectivity
• Construction, oil, and all field deployments
• Elevators and IoT via Field Area Routers
• Virtual office, retail, ...
HW Client Use Case – Dynamic Routing (iBGP)

Topology: FlexVPN Client (Eth0/1: LAN 10.42.1.0/24, Eth0/0 toward WAN) - WAN - FlexVPN Server (Lo1: 10.0.1.1/32) in front of 10.0.0.0/16. Assigned IP: 10.0.1.22/32

FlexVPN Client:

router bgp 65100
 neighbor 10.0.1.1 remote-as 65100
 neighbor 10.0.1.1 update-source Tunnel0
 address-family ipv4
  network 10.42.1.0 mask 255.255.255.0
  neighbor 10.0.1.1 activate
 exit-address-family

Client authorization:
 route set interface

Client routing table:
B    10.0.0.0/16 [200/0] via 10.0.1.1 (Tunnel0)      (summary prefix reachable through the tunnel)
S    10.0.1.1/32 is directly connected, Tunnel0
C    10.0.1.22/32 is directly connected, Tunnel0
C    10.42.1.0/24 is directly connected, Ethernet0/1

FlexVPN Server:

router bgp 65100
 bgp listen range 10.0.1.0/24 peer-group clients      ! BGP dynamic neighbor: easy configuration
 neighbor clients peer-group
 neighbor clients remote-as 65100
 neighbor clients update-source Loopback1
 address-family ipv4
  network 10.0.0.0 mask 255.255.0.0
  neighbor clients activate
 exit-address-family

Server authorization:
 route set interface

Server routing table:
S    10.0.1.22/32 is directly connected, Virtual-Access1    (assigned IP address reachable over the client's Virtual-Access)
B    10.42.1.0/24 [200/0] via 10.0.1.22 (Virtual-Access1)   (client LAN directly reachable over the tunnel; prefix can be redistributed into the IGP)

Addresses for the BGP unicast peering are exchanged using IKEv2; local/remote prefixes are exchanged using iBGP
Dynamic, flexible & powerful, but closer to Site-to-Site than to RA: every client holding a pool address can bring up a session, so bound what it may advertise (prefix-list and maximum-prefix on the peer-group)
IPv6 Support Summary

• GRE over IPsec
  • Dual-stack (IPv4 + IPv6 over IPsec) out of the box

  Transport protocol \ Passenger protocol   IPv4   IPv6
  IPv4                                      ✔      ✔
  IPv6                                      ✔      ✔

• IPsec Tunnel Mode
  • No dual-stack support
  • IPv4 over IPv6 mixed-mode (since XE 3.10)

  Transport protocol \ Passenger protocol   IPv4                 IPv6
  IPv4                                      ✔                    ✗
  IPv6                                      ✔ (since XE 3.10)    ✔
IPv6 Use Case

• Requirements:
  • Single FlexVPN Hub terminating:
    • Mixed IPv4 and IPv6 transport environment
    • Mixed tunnel encapsulation protocols
  • No unique identity to distinguish between different Spokes

[Diagram: FlexVPN Hub reached over IPv4 and IPv6 transport by four kinds of spokes, each with its own Tunnel1 configuration]

Spoke A:
interface tunnel 1
 tunnel mode gre ip

Spoke B:
interface tunnel 1
 tunnel mode ipsec ipv4

Spoke C:
interface tunnel 1
 tunnel mode gre ipv6

Spoke D:
interface tunnel 1
 tunnel mode ipsec ipv6
IPv6 Use Case – Proposed Solution

• Tunnel Auto Mode
  • Automatic transport and encapsulation protocol detection
  • Virtual-Access interface dynamically adjusted to the transport/encapsulation type

FlexVPN Hub:

crypto ikev2 profile ALL-SPOKES
 virtual-template 1 mode auto
!
interface virtual-template 1 type tunnel
 tunnel mode gre ip

Spokes (unchanged): tunnel mode gre ip / ipsec ipv4 / gre ipv6 / ipsec ipv6 on their respective Tunnel1 interfaces
Tunnel Auto Mode – Another Use Case

• Requirements:
  • Single responder for software clients & remote branches (spokes)
  • Spoke-to-spoke tunnels
  • Branches use IKE certificates, clients use EAP (password or TLS certificates)
• Proposed solution:
  • Single IKEv2 profile & V-Template
  • Differentiated AAA authorization depending on the authentication method

[Diagram: FlexVPN Hub on the Internet with a RADIUS/EAP server behind it; Windows native client, AnyConnect client, mobile client and branch routers, the branches building spoke-to-spoke shortcut tunnels]
Tunnel Auto Mode – Another Use Case (configuration)

FlexVPN Hub (one IKEv2 profile accepting three remote authentication methods, tunnel auto mode):

aaa authentication login RA group R
aaa accounting network default start-stop group R
!
crypto ikev2 profile default
 match identity remote address 0.0.0.0
 match identity remote key-id cisco.com
 match identity remote fqdn domain cisco.com
 identity local dn
 authentication local rsa-sig
 ! PKI auth
 authentication remote rsa-sig
 aaa authorization user rsa-sig
 ! EAP auth
 authentication remote eap query-identity
 aaa authentication eap RA
 aaa authorization user eap cached
 aaa accounting eap default
 ! PSK auth
 authentication remote pre-share
 keyring aaa default
 virtual-template 1 mode auto

RADIUS reply attributes per client type (slide shorthand for the Framed-IP-Address and Cisco-AVPair values):

Windows clients (PKI auth):
 interface-config=policy-map PM out
 framed-ip=10.0.0.1
 ipsec:route-set=interface
 ipsec:route-set=prefix 10.0.0.0/8
 ipsec:route-accept=any

AnyConnect (EAP auth):
 Cleartext-Password := "MyPass",
 Pool-Name := "flex_pool"
 ipsec:route-accept=any
 ipsec:route-set=interface

Routers (PSK auth):
 ikev2-password-remote=xyz
 interface-config=ip unnumbered loop0
 interface-config=policy-map PM out
 framed-ip=[from RADIUS pool]
 ipsec:route-set=interface
 ipsec:route-set=prefix 0.0.0.0/0
 ipsec:route-accept=any
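The RADIUS reply attributes used in the Extranet and Tunnel Auto Mode use cases above drive address assignment, routing and even the commands applied to the Virtual-Access interface. Below is an added example (not slide or IOS code) that parses such an Access-Accept into a structured authorization policy, validates every value, and renders it in a form close to what `show crypto ikev2 authorization policy` lists. Attribute spellings are the slides' own; the allow-list for `interface-config` strings, the treatment of the `prefix` form as a remote subnet push, the rendering and all error handling are this example's choices, as are the sample attribute values.

```python
"""RADIUS reply attributes -> IKEv2 authorization policy (added example; not from the slides)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# 'ip:interface-config=' strings are applied verbatim to the Virtual-Access
# when it is cloned, so a compromised or misconfigured AAA server could push
# arbitrary interface commands.  Only the shapes this design uses are
# accepted (example's own allow-list).
IFC_CONFIG_OK = [
    re.compile(r"^vrf forwarding [\w-]+$"),
    re.compile(r"^ip unnumbered [A-Za-z]+\d+(/\d+)*$"),
    re.compile(r"^service-policy (input|output) [\w-]+$"),
]


def _net(addr: str, mask: str) -> str:
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_route_set(value: str) -> Tuple[str, str]:
    """'interface [ifc]' | 'remote|local ipv4 A M' | 'prefix A/L' (prefix = push to peer)."""
    tok = value.split()
    if tok and tok[0] == "interface" and len(tok) <= 2:
        return ("interface", tok[1] if len(tok) == 2 else "")
    if len(tok) == 4 and tok[0] in ("remote", "local") and tok[1] == "ipv4":
        return (tok[0], _net(tok[2], tok[3]))
    if len(tok) == 2 and tok[0] == "prefix":
        return ("remote", str(ipaddress.ip_network(tok[1], strict=False)))
    raise ValueError(f"malformed route-set: {value!r}")


def parse_route_accept(value: str) -> Dict[str, int]:
    """'any [tag N] [distance N]'; 'tag:N' spelling is accepted too."""
    tok = value.replace(":", " ").split()
    if not tok or tok[0] != "any" or len(tok) % 2 == 0:
        raise ValueError(f"malformed route-accept: {value!r}")
    opts = {"tag": 1, "distance": 1}            # defaults shown by the HW client slide
    for key, num in zip(tok[1::2], tok[2::2]):
        if key not in opts or not num.isdigit():
            raise ValueError(f"malformed route-accept: {value!r}")
        opts[key] = int(num)
    return opts


def build_policy(attrs: List[Tuple[str, str]]) -> Dict:
    """attrs: (attribute, value) pairs as received in the Access-Accept."""
    pol: Dict = {"route_set": [], "interface_config": [], "dns": [], "secrets": {}}
    for name, value in attrs:
        if name == "Framed-IP-Address":
            pol["address"] = str(ipaddress.IPv4Address(value.strip('"')))
        elif name == "Framed-IP-Netmask":
            pol["netmask"] = str(ipaddress.IPv4Address(value.strip('"')))
        elif name == "Pool-Name":
            pol["pool"] = value
        elif name == "Cisco-AVPair":
            ns, _, rest = value.partition(":")
            key, eq, val = (x.strip() for x in rest.partition("="))
            if not eq:
                raise ValueError(f"malformed AV pair: {value!r}")
            if ns == "ipsec" and key == "route-set":
                pol["route_set"].append(parse_route_set(val))
            elif ns == "ipsec" and key == "route-accept":
                pol["route_accept"] = parse_route_accept(val)
            elif ns == "ipsec" and key == "dns-servers":
                pol["dns"] += [str(ipaddress.IPv4Address(x)) for x in val.split()]
            elif ns == "ipsec" and key == "addr-pool":
                pol["pool"] = val
            elif ns == "ipsec" and key == "split-exclude":
                addr, _, mask = val.partition("/")
                pol.setdefault("split_exclude", []).append(_net(addr, mask))
            elif ns == "ipsec" and key in ("ikev2-password-local", "ikev2-password-remote"):
                pol["secrets"][key] = val               # kept out of any rendered output
            elif ns == "ip" and key == "interface-config":
                if not any(r.match(val) for r in IFC_CONFIG_OK):
                    raise ValueError(f"interface-config rejected: {val!r}")
                pol["interface_config"].append(val)
            else:
                raise ValueError(f"unsupported AV pair: {value!r}")
        else:
            raise ValueError(f"unexpected attribute: {name}")
    return pol


def render(pol: Dict) -> List[str]:
    """Policy as 'show'-style lines; items without a CLI form keep their attribute name."""
    lines: List[str] = []
    if "pool" in pol:
        lines.append(f"pool {pol['pool']}")
    if "address" in pol:
        lines.append(f"framed-ip-address {pol['address']} {pol.get('netmask', '255.255.255.255')}")
    if pol["dns"]:
        lines.append("dns " + " ".join(pol["dns"]))
    for kind, arg in pol["route_set"]:
        if kind == "interface":
            lines.append(f"route set interface {arg}".rstrip())
        else:
            net = ipaddress.ip_network(arg)
            lines.append(f"route set {kind} ipv4 {net.network_address} {net.netmask}")
    if "route_accept" in pol:
        ra = pol["route_accept"]
        lines.append(f"route accept any tag : {ra['tag']} distance : {ra['distance']}")
    lines += [f"split-exclude {x}" for x in pol.get("split_exclude", [])]
    lines += [f'interface-config "{c}"' for c in pol["interface_config"]]
    return lines
```

Rejecting an unexpected `interface-config` string (instead of applying it) is the check worth carrying into a real deployment: IOS itself applies whatever the AAA server returns, so the allow-listing has to happen in the RADIUS policy that produces these attributes.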
Redundancy Considerations

• Failure domain assessment
  • Device failure
  • Link failure
  • Provider failure
• Redundancy options in Remote Access deployments
  • Dual headend
  • Multiple circuits
• Failure detection and recovery mechanisms
  • Routing convergence
  • IP SLA / track object

[Diagram: Hub and Spoke connected across the Internet]
FlexVPN HW Client Redundancy Configurations

Backup Gateway (spoke with two hubs):
• IP SLA / track failure detection
• Multiple peer definitions under the client block
• Dynamic tunnel destination

IKEv2 Load Balancer (hub cluster behind an HSRP VIP):
• HSRP for clustering
• IKEv2 Redirect based on the least loaded gateway

Tunnel Pivot (spoke with two circuits, ISP1 and ISP2):
• IP SLA / track failure detection
• Multiple tunnel source definitions under the client block
• Dynamic tunnel source
Virtual Routing & Forwarding

• The router maintains separate L3 forwarding information for each VRF instance (RIB, FIB, routing protocols)
• Two variants: VRF with MPLS VPN, and VRF-Lite (local significance only)
• Each interface on the router belongs to a single VRF
  • For "ip unnumbered", the reference interface must belong to the same VRF
  • If no VRF is specified, the interface belongs to the global VRF
• VRF definition and assignment:

Old CLI: single-protocol VRF (IPv4-only)

ip vrf red
 rd 1:1
interface Ethernet0/0
 ip vrf forwarding red
 ...

New CLI: multi-protocol VRF (IPv4/IPv6)

vrf definition red
 rd 1:1
 address-family ipv4
 exit-address-family
 address-family ipv6
 exit-address-family
interface Ethernet0/0
 vrf forwarding red
 ...
Tunnels – iVRF & fVRF

[Diagram: one physical device holding the Global, Blue, Red, Green and Orange RIB/FIBs; Tunnel1 and Tunnel2 are drawn with the VRF their address lives in (iVRF) and the VRF their encapsulated packets are routed in (fVRF)]

Plain interfaces in a VRF (Blue RIB/FIB):

interface Eth0/0
 vrf forwarding blue
 ip address 10.0.0.1/24
!
interface Eth0/1
 vrf forwarding blue
 ip address 10.0.1.1/24

Tunnel1: iVRF red, fVRF = global VRF (default):

interface Eth1/1
 vrf forwarding red
 ip address 10.1.1.1/24
!
interface Eth1/2
 ip address 10.1.2.1/24
!
interface Tunnel1
 vrf forwarding red           ! Inside VRF (iVRF): the tunnel interface address resides in the iVRF
 ip address 172.16.1.1/30
 tunnel source Eth1/2         ! no "tunnel vrf": front-door VRF (fVRF) = global VRF, encapsulated packets are routed in the global RIB/FIB

Tunnel2: iVRF green, explicit fVRF orange:

interface Eth2/1
 vrf forwarding green
 ip address 10.2.1.1/24
!
interface Eth2/2
 vrf forwarding orange
 ip address 10.2.2.1/24
!
interface Tunnel2
 vrf forwarding green         ! iVRF
 ip address 172.16.2.1/30
 tunnel vrf orange            ! explicit fVRF: encapsulated packets are routed in the Orange RIB/FIB
 tunnel source Eth2/2

Note the ordering: "vrf forwarding" must be entered before the address, because assigning an interface to a VRF removes any IP address already configured on it. (Addresses are written in CIDR shorthand on the slide; IOS expects the dotted mask.)
VRF Use Case

• Requirements:
  • Traffic segregation between two departments
  • Single VPN endpoint in the global VRF
  • AnyConnect software client
  • EAP user authentication
• Proposed solution:
  • Single IKEv2 profile & V-Template
  • Local group authorization
  • Interface configuration strings
  • EAP solely for authentication (no caching of RADIUS attributes)

[Diagram: Joe (Engineering) and Tom (Finance) terminate on the WAN-facing Eth0/0 in the Global VRF; Joe's V-Access is placed in the Engineering VRF (Eth0/1), Tom's V-Access in the Finance VRF (Eth0/2)]
VRF Use Case – Configuration

Global configuration (single IKEv2 profile, single AnyConnect profile):

aaa authentication login frad group frad
aaa authorization network here local
!
crypto ikev2 name-mangler dept
 eap suffix delimiter @                                   ! (1) authorization based on the username@domain suffix
!
crypto ikev2 profile default
 match identity remote key-id vpn@cisco
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root
 aaa authentication eap frad                              ! (2) EAP authenticates the full identity (username & domain) against RADIUS
 aaa authorization group eap list here name-mangler dept   ! (3) local group authorization selected by the suffix
 virtual-template 1
!
no crypto ikev2 http-url cert
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

Per-department configuration (Engineering):

aaa attribute list Eng
 attribute type interface-config "vrf forwarding Eng"      ! (4) applied to the Virtual-Access during V-Template cloning
 attribute type interface-config "ip unnumbered Loopback1"
!
crypto ikev2 authorization policy Eng
 pool Eng
 dns 10.0.1.1
 aaa attribute list Eng
!
interface Loopback1
 vrf forwarding Eng
 ip address 10.0.1.1 255.255.255.255
!
ip local pool Eng 10.0.1.10 10.0.1.99

Per-department configuration (Finance):

aaa attribute list Fin
 attribute type interface-config "vrf forwarding Fin"
 attribute type interface-config "ip unnumbered Loopback101"
!
crypto ikev2 authorization policy Fin
 pool Fin
 dns 10.0.1.101
 aaa attribute list Fin
!
interface Loopback101
 vrf forwarding Fin
 ip address 10.0.1.101 255.255.255.255
!
ip local pool Fin 10.0.1.110 10.0.1.199

RADIUS user database (no attributes required on the AAA server):

joe@Eng  Cleartext-Password := "joe123"
tom@Fin  Cleartext-Password := "tom456"

Because RADIUS authenticates the complete identity, the suffix that selects the VRF is not something the user can pick freely: typing joe@Fin would require a valid password for an account named joe@Fin, not Joe's own.
Other Use Cases...

Per-user / per-group local policy applied to the Virtual-Access interface:
• QoS
• ZBF
• ACL
• Netflow
• AAA / IP Accounting
The Need for QoS on VPN

• QoS is crucial on VPN links for:
  • Sharing network bandwidth
  • Marshaling the bandwidth usage of applications
  • Meeting application latency & speed requirements
• The classical "greedy spoke" problem:

[Diagram: Hub connected to Spoke 1 (greedy), CE 1, Client 2 and Spoke 3, with two bottlenecks]
  • Crypto engine or WAN link at the hub: packets are lost, AND other spokes/clients are starved
  • Interface with limited downstream rate at a spoke: packets are lost (most common problem)
Server-Side Hierarchical Shaper

• Tunnel bandwidth parent policy:
  • Each VPN tunnel is given a maximum bandwidth
  • A shaper provides the backpressure mechanism
• Protected packets are processed by the child policy:
  • There would be several policies: bandwidth reservation, low-latency queuing, fair queuing, etc.

[Diagram: Hub with a per-tunnel parent shaper limiting total bandwidth toward a Branch and an RA Client; the child policy applies BW reservation, LLQ and fair queuing per traffic class]

class-map control
 match ip precedence 6
class-map voice
 match ip precedence 5
...
!
policy-map child-common             ! different policies for different traffic classes
 class control
  bandwidth percent 20
 class voice
  priority percent 60
 ...
!
policy-map parent-branch
 class class-default
  shape average 5000000             ! parent shaper limits total bandwidth (5 Mbps per branch tunnel)
  service-policy child-common
!
policy-map parent-client
 class class-default
  shape average 1000000             ! 1 Mbps per RA client tunnel
  service-policy child-common

Two corrections to the slide's listing: the parent policies must reference the child by its actual name (child-common, not inner), and the child's bandwidth guarantee is expressed in percent because IOS does not accept an absolute "bandwidth <kbps>" next to "priority percent" in the same policy-map.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
QoS Use Case
• Requirements:
• Traffic segregation between departments
• Single VPN endpoint in global VRF
• AnyConnect software client
• EAP user authentication
• Per-user QoS policy
• Proposed solution:
• Single IKEv2 profile & V-Template
• Interface configuration strings
• Explicit RADIUS group authorization
• Implicit RADIUS user authorization (user attributes cached during EAP)
Figure: Joe (Engineering) and Tom (Finance) reach the FlexVPN server over the WAN at Eth0/0 in the global VRF; Joe’s V-Access is placed in the Engineering VRF and Tom’s in the Finance VRF (Eth0/1, Eth0/2); the per-user policies give high B/W (10 Mbps) and low B/W (5 Mbps).
QoS Use Case – Configuration
Global configuration on the FlexVPN server:

aaa authentication login frad group frad
aaa authorization network frad group frad
!
! Group authorization is keyed on the domain suffix of the EAP identity
crypto ikev2 name-mangler dept
 eap suffix delimiter @
!
! Per-user attributes are applied from the attributes cached during EAP
crypto ikev2 profile default
 match identity remote key-id vpn@cisco
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root
 aaa authentication eap frad
 aaa authorization group eap list frad name-mangler dept
 aaa authorization user eap cached
 virtual-template 1
!
no crypto ikev2 http-url cert
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
! QoS policies are defined locally on the FlexVPN server and referenced by name from RADIUS
policy-map high
 ...

Per-department configuration (one loopback and one address pool per VRF):

interface Loopback1
 vrf forwarding Eng
 ip address 10.0.1.1 255.255.255.255
!
ip local pool Eng 10.0.1.10 10.0.1.99
!
interface Loopback101
 vrf forwarding Fin
 ip address 10.0.1.101 255.255.255.255
!
ip local pool Fin 10.0.1.110 10.0.1.199

RADIUS user database (all attributes centralized on the AAA server; the per-user QoS policy sits on the user entry, pool/VRF/DNS on the group entry selected by domain):

joe@Eng Cleartext-Password := "joe123"
 Cisco-AVPair = "ip:interface-config=service-policy output high"
tom@Fin Cleartext-Password := "tom456"
 Cisco-AVPair = "ip:interface-config=service-policy output low"
Eng Cleartext-Password := "cisco"
 Cisco-AVPair = "ipsec:addr-pool=Eng",
 Cisco-AVPair += "ipsec:dns-servers=10.0.1.1",
 Cisco-AVPair += "ip:interface-config=vrf forwarding Eng",
 Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"
Fin Cleartext-Password := "cisco"
 Cisco-AVPair = "ipsec:addr-pool=Fin",
 Cisco-AVPair += "ipsec:dns-servers=10.0.1.101",
 Cisco-AVPair += [...]
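As an added example that is not part of this deck (Python, not Cisco code), the following checker cross-references the names that the RADIUS attributes above hand to the FlexVPN server (the service-policy and addr-pool values) against an IOS configuration fragment, and resolves each user's group with the same suffix rule the name-mangler uses. It also catches a parent policy that nests a child policy which is never defined, the kind of mismatch that breaks the hierarchical shaper described in the previous section. All configuration and RADIUS data are constructed samples modelled on the slides, and the parsing is a simplified reading of IOS and FreeRADIUS users-file syntax, not a product parser.

```python
"""Added example (not from the Cisco Live deck): cross-check the QoS policy and
address-pool names carried in RADIUS Cisco-AVPair attributes against the IOS
configuration of the FlexVPN server, deriving each user's group with the same
suffix rule as 'name-mangler ... eap suffix delimiter @'. Data is constructed."""
import re

# Constructed IOS fragment in the shape of the slides. It contains one deliberate
# mistake for the checker to find: parent-branch nests "service-policy inner",
# but only "child-common" is defined.
IOS_CONFIG = """\
policy-map child-common
 class control
  bandwidth 20
 class voice
  priority percent 60
!
policy-map parent-branch
 class class-default
  shape average 5000000
  service-policy inner
!
policy-map high
 class class-default
  shape average 10000000
  service-policy child-common
!
ip local pool Eng 10.0.1.10 10.0.1.99
"""

# Constructed FreeRADIUS users entries; the "low" policy and the "Fin" pool
# are intentionally absent from IOS_CONFIG.
RADIUS_USERS = """\
joe@Eng Cleartext-Password := "joe123"
 Cisco-AVPair = "ip:interface-config=service-policy output high"
tom@Fin Cleartext-Password := "tom456"
 Cisco-AVPair = "ip:interface-config=service-policy output low"
Eng Cleartext-Password := "cisco"
 Cisco-AVPair = "ipsec:addr-pool=Eng",
 Cisco-AVPair += "ip:interface-config=vrf forwarding Eng"
Fin Cleartext-Password := "cisco"
 Cisco-AVPair = "ipsec:addr-pool=Fin"
"""

def parse_ios(text):
    """Return (policy_maps, pools): policy name -> set of nested child policies."""
    policy_maps, pools, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            current = line.split()[1]
            policy_maps[current] = set()
        elif line.startswith("ip local pool "):
            pools.add(line.split()[3])
            current = None
        elif line == "!":
            current = None
        elif current and line.startswith("service-policy "):
            policy_maps[current].add(line.split()[-1])
    return policy_maps, pools

def parse_radius(text):
    """Return {entry_name: [Cisco-AVPair values]}; entries start in column 0,
    attribute lines are indented (users-file layout)."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.split()[0]
            entries.setdefault(current, [])
        else:
            m = re.search(r'Cisco-AVPair\s*\+?=\s*"([^"]*)"', raw)
            if m:
                entries[current].append(m.group(1))
    return entries

def group_for(user, delimiter="@"):
    """Name-mangler rule: the group name is the text after the delimiter."""
    return user.split(delimiter, 1)[1] if delimiter in user else user

def check(ios_text, radius_text):
    """Return a sorted list of references that would not resolve on the router."""
    policy_maps, pools = parse_ios(ios_text)
    entries = parse_radius(radius_text)
    problems = []
    for name, children in policy_maps.items():
        for child in children - set(policy_maps):
            problems.append(f"policy-map {name}: child policy '{child}' not defined")
    for name, avpairs in entries.items():
        if "@" in name and group_for(name) not in entries:
            problems.append(f"user {name}: group '{group_for(name)}' has no RADIUS entry")
        for av in avpairs:
            m = re.match(r"ip:interface-config=service-policy (?:input|output) (\S+)$", av)
            if m and m.group(1) not in policy_maps:
                problems.append(f"{name}: service-policy '{m.group(1)}' not defined")
            m = re.match(r"ipsec:addr-pool=(\S+)$", av)
            if m and m.group(1) not in pools:
                problems.append(f"{name}: addr-pool '{m.group(1)}' has no ip local pool")
    return sorted(problems)

if __name__ == "__main__":
    for problem in check(IOS_CONFIG, RADIUS_USERS):
        print(problem)
```

Run against the constructed data, the checker reports three dangling references: the missing Fin pool, the undefined child policy "inner" in parent-branch, and the "low" service-policy that tom@Fin would try to attach. Because the Virtual-Access interface is only created at connect time, a typo in either place otherwise shows up as a failed or policy-less session for that user rather than as a configuration error on the router.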
"Why Flex"?
• Applicability
• Utilities/IoT/SmartGrid
• Service provider
• Enterprise
• "Flex"ibility
• NAT/PAT friendly
• 3rd party
• Per-branch L3 features (e.g., tcp-mss adjustment)
• IPv4/IPv6
• Augmented security
• Suite-B
• Controlled IKEv2 routing
• Per-branch security policy (ZBF, ACL…)
• uRPF check
• Easy to deploy and operationalize
Where is FlexVPN used – Some Examples
• CSIRT
• Intercloud
• Cloud Web Security
• Network Orchestration
• MEVO: network management platform for Enterprises, Government, Service Providers / SMB
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions