Source PDF: d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-2881.pdf

VPN Remote Access with IOS & Introduction to FlexVPN BRKSEC-2881

Alex HONORÉ, CCIE #19553, Senior Customer Support Engineer, EMEA Technical Assistance Center

© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-2881 Cisco Public

Objectives & Prerequisites

Session objectives:

– Introduce IKEv2 & FlexVPN, with a focus on AAA-based management

– Demonstrate the value-add and possibilities of FlexVPN as a Remote Access solution with a variety of clients (software & hardware)

– Solve simple & complex use cases using FlexVPN

Basic understanding of the following topics is required:

– IPsec, IKEv1, PKI, AAA, RADIUS, AnyConnect, VRF, QoS

Experience with the following features is a plus:

– Easy VPN, MQC, VRF-Lite, iBGP

More FlexVPN (hub-spoke, dynamic mesh, MPLS over Flex, multicast, ...)

– BRKSEC-3036 – Advanced IPsec designs with FlexVPN by F. Detienne

– Friday 11:30am, North Wing Level -1, Green Hall 3


Session Agenda

Introduction to FlexVPN

Tunnel Interfaces

Configuration Building Blocks

FlexVPN AAA Integration

– AAA-Based Authentication

– User & Group Authorization

– Connection Accounting

Remote Access Clients

– AnyConnect Software Mobility Client

– Windows Native IKEv2 Client

– FlexVPN Hardware Client

Scenarios & Use Cases

– Full & Split Tunneling

– Network Extension

– Virtualization (VRF)

– Quality of Service

FlexVPN SSL Preview

Wrap-up


Before We Begin...


“Additional info” slides:

– Rendered in the presentation PDF (download it through the Cisco Live portal)

– Not shown during the live presentation

– Cover extra details or small additional topics

Introduction to FlexVPN


FlexVPN Overview

Unified overlay VPN

– Combines site-to-site, remote access, hub-spoke & spoke-spoke topologies

– IPsec VPN compliant with the IKEv2 standard

– SSL VPN remote access coming soon (AnyConnect Secure Mobility Client)

FlexVPN highlights

– Unified CLI with smart defaults

– Unified infrastructure that leverages point-to-point tunnel interfaces

– Most features available across all topologies (QoS, AAA, VRF, ...)

– Interoperable with other IKEv2 implementations (ASA, Windows, strongSwan, ...)

– Easier to learn, market and manage


Solution Positioning

One VPN to learn and deploy

Everything works – no questions asked

Feature comparison (as rated on the slide):

Feature                 Easy VPN   DMVPN     Crypto Map   FlexVPN
Interop.                No         No        Yes          Yes
Dynamic Routing         No         Yes       No           Yes
IPsec Routing           Yes        No        Yes          Yes
Spoke to Spoke Direct   No         Yes       No           Yes
Remote Access           Yes        No        Yes          Yes
Simple Failover         Yes        Partial   Poor         Yes
Source Failover         No         No        No           Yes
Config Push             Yes        No        No           Yes
Per-Peer Config         Yes        No        No           Yes
Per-Peer QoS            Yes        Group     No           Yes
Full AAA Mgmt           Complex    No        No           Yes

Why FlexVPN ?

IKEv2 is a major protocol update

– No backward compatibility with IKEv1

– Requires serious consideration and reconfiguration

– Brings in a lot of improvements

Major IOS architecture rework needed to address needs

– Per-peer features (QoS, ZBFW, policies, VRF injection,…)

– Too many overlay technologies – offering was too fragmented

– VPN learning time had grown out of control (1 day techtorial insufficient)

IKEv2 is a good transition point to revisit design and architecture

Ideal for all types of VPNs

– Service aggregation (remote access, site-to-site, ...)

– Improved service management

– Multitenancy


Comparing IKEv1 & IKEv2

IKEv1 (RFC 2407 IPsec DOI, RFC 2408 ISAKMP, RFC 2409 IKE):

– Main + Aggressive modes

– Mode Config

– Hybrid Auth.

– NAT-T and DPD (extensions to IKEv1, built into IKEv2)

IKEv2 (RFC 5996):

– INITIAL exchanges (IKE_SA_INIT / IKE_AUTH)

– Configuration exchange, EAP Auth., Anti-DoS, Suite-B

– Cleaner identity/key exchange, acknowledged notifications

– IKEv2 Redirect (RFC 5685), Childless IKEv2 (RFC 6023), EAP-Only IKEv2 (RFC 5998), etc.

Common to both: PSK and RSA-Sig authentication, integrity & confidentiality, UDP ports 500 & 4500.

Takeaway: same objectives, similar but different; IKEv2 is more secure and offers more authentication options.

IKEv2 Exchanges

Initiator (I) <-> Responder (R)

IKE_SA_INIT      IKEv2 Security Association (SA) establishment (proposal selection, key exchange)

IKE_AUTH         Mutual authentication & identity exchange; initial IPsec SAs establishment; certificate exchange (optional); configuration exchange (optional)

CREATE_CHILD_SA  Additional IPsec SAs establishment; IKEv2 & IPsec SA rekey

INFORMATIONAL    Can be (I -> R) with ACK or (R -> I) with ACK; notifications (SA deletion, liveness check, ...); configuration exchange (one or both ways)

IKEv2 Configuration Exchange

Initiator (I) <-> Responder (R)

In IKE_AUTH: CFG_REQUEST (I -> R), CFG_REPLY (R -> I). The initiator (RA client) requests configuration parameters from the responder (RA server).

  I: "I would like: an IPv6 address, a DNS & WINS server, a list of protected IPv6 subnets"

  R: "Your assigned IPv6 address is ... Your DNS server is ... There is no WINS server. My protected IPv6 subnets are ..." (derived from peer authorization)

In INFORMATIONAL: CFG_SET / CFG_ACK, in either direction. The initiator and/or responder sends unsolicited configuration parameters to its peer.

  I: "My local IPv6 protected subnets are ..." (derived from peer authorization)

  R: "Acknowledged"

IKEv2 Certificate-Based Authentication

PKI hierarchy: Root issues Sub#1 and Sub#2; Sub#1 issues A's identity certificate, Sub#2 issues B's. A is the initiator, B the responder.

  [IKE_SA_INIT_I]  A -> B

  [IKE_SA_INIT_R]  B -> A: CERT_REQ(Root), CERT_REQ(Sub#2)

  [IKE_AUTH_I]     A -> B: CERT_REQ(Root), CERT_REQ(Sub#1), CERT(Root -> Sub#1), CERT(Sub#1 -> A), AUTH(HASH_I)
                   (A computes its cert chain; B validates the chain & verifies the signature)

  [IKE_AUTH_R]     B -> A: CERT(Root -> Sub#2), CERT(Sub#2 -> B), AUTH(HASH_R)
                   (B computes its cert chain; A validates the chain & verifies the signature)

B is willing to accept:

– certs issued by Root

– certs issued by Sub#1

A must provide B with:

– its identity certificate

– the Sub#1 certificate

… to complete the chain

Tunnel Interfaces


Dynamic Point-to-Point Virtual Interfaces

FlexVPN server: P2P virtual interface template

  crypto ikev2 profile default
   ...
   virtual-template 1
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

FlexVPN server: dynamically instantiated P2P interfaces (VT1 is cloned into VA1, VA2, VA3, one per connected peer, each with its own QoS policy)

  interface Virtual-Access1
   ip unnumbered Loopback0
   tunnel source <local-address>
   tunnel destination <remote-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output mobile-QoS

  interface Virtual-Access2
   ip unnumbered Loopback0
   tunnel source <local-address>
   tunnel destination <remote-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output traveler-QoS

  interface Virtual-Access3
   ip unnumbered Loopback0
   tunnel source <local-address>
   tunnel destination <remote-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output home-office-QoS

Server routing table (RIB/FIB): one host route per client (10.0.1.10/32 behind VA1, 10.0.1.11/32 behind VA2, 10.0.1.12/32 behind VA3) plus the 10.42.1.0/24 LAN behind VA3

  S default via Ethernet0/0
  L 10.0.1.1/32 local Loopback0
  S 10.0.1.10/32 via Virtual-Access1
  S 10.0.1.11/32 via Virtual-Access2
  S 10.0.1.12/32 via Virtual-Access3
  S 10.42.1.0/24 via Virtual-Access3

FlexVPN client: static P2P virtual interface (Tun0)

  interface Tunnel0
   ip address negotiated
   tunnel source Ethernet0/0
   tunnel destination <server-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

Interface Features

Packet path on the FlexVPN server, for cleartext traffic arriving from the server LAN on Eth0/0 and leaving encrypted towards the RA client via Virtual-Access1:

  [IP | L4 | Data]
    -> Eth0/0 input features (apply to the cleartext packet)
    -> RIB/FIB (routing table) selects Virtual-Access1
    -> Virtual-Access1 pre-encapsulation output features (apply to the cleartext packet)
    -> IPsec encapsulation (tunnel protection)
    -> post-encapsulation output features (apply to the encrypted packet)
  [outer IP | IPsec | inner IP | L4 | Data]  (inner part encrypted)

Interface features include NAT, PBR, QoS, NetFlow, ...

Tunnel Encapsulation

IPsec Tunnel Mode (IPv4 or IPv6)

– Classic dVTI: compatibility with software clients (any-to-any or any-to-assigned-address)

– Multi-SA dVTI: compatibility with legacy crypto map peers (ASA, other vendors)

GRE over IPsec

– Dual-stack (IPv4 + IPv6 over IPsec) out of the box

– Enables tunneling of non-IP protocols (e.g. MPLS)

– Required for dynamic mesh scenarios (à la DMVPN, but with the extra flexibility of point-to-point interfaces)

– “tunnel mode gre ip” is the default on static & dynamic tunnel interfaces

  interface Virtual-Template1 type tunnel
   tunnel mode ipsec {ipv4 | ipv6}
   tunnel protection ipsec profile default

  Packet: outer IP | IPsec | inner IP | L4 | Data  (inner part encrypted)

  interface Virtual-Template1 type tunnel
   tunnel mode gre {ip | ipv6}
   tunnel protection ipsec profile default

  Packet: IP | IPsec | GRE | IP | L4 | Data  (everything after the IPsec header encrypted)

Configuration Building Blocks


Configuration Example

  ! IKEv2 identity & profile selection
  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   identity local fqdn router.cisco.com
   ! IKEv2 authentication & certificates
   authentication local rsa-sig
   authentication remote eap
   pki trustpoint root sign
   ! AAA integration (authentication, authorization, accounting)
   aaa authentication eap default
   aaa authorization user eap
   ! Dynamic point-to-point interfaces
   virtual-template 1
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   ! Native IPsec tunnel or GRE/IPsec
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

IKEv2 CLI Overview – Proposal, Policy and Keyring

  ! IKEv2 Proposal (algorithms for the IKEv2 SA)
  crypto ikev2 proposal default
   encryption aes-cbc-256 aes-cbc-128 3des
   integrity sha512 sha256 sha1 md5
   group 5 2

  ! IKEv2 Policy (binds the IKEv2 Proposal to a local Layer 3 scope)
  crypto ikev2 policy default
   match fvrf any
   proposal default

  ! IKEv2 Keyring (supports asymmetric Pre-Shared Keys)
  crypto ikev2 keyring IOSKeyring
   peer cisco
    address 10.0.1.1
    pre-shared-key local CISCO
    pre-shared-key remote OCSIC

  ! IKEv2 Authorization Policy (contains attributes for local AAA & config. exchange)
  crypto ikev2 authorization policy default
   route set interface
   route accept any

IKEv2 CLI Overview – IKEv2 Profile (extensive CLI)

  crypto ikev2 profile default
   ! Self identity control (only one local identity allowed)
   identity local address 10.0.0.1
   identity local fqdn local.cisco.com
   identity local email [email protected]
   identity local dn
   ! Match on peer IKE identity or certificate (multiple "match identity" allowed)
   match identity remote address 10.0.1.1
   match identity remote fqdn remote.cisco.com
   match identity remote fqdn domain cisco.com
   match identity remote email [email protected]
   match identity remote email domain cisco.com
   match certificate certificate_map
   ! Match on front VRF and local address
   match fvrf red
   match address local 172.168.1.1
   ! Asymmetric local & remote authentication methods
   ! (only one local method allowed; multiple remote methods allowed)
   authentication local pre-share
   authentication local rsa-sig
   authentication local eap
   authentication remote pre-share
   authentication remote rsa-sig
   authentication remote eap
   ! Local and AAA-based Pre-Shared Keyring
   keyring local IOSKeyring
   keyring aaa AAAlist
   pki trustpoint <trustpoint_name>

IKEv2 Basic Negotiation

  I -> R:  HDR, SAi1, KEi, Ni
  R -> I:  HDR, SAr1, KEr, Nr, [CERTREQ]
  I -> R:  HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}
  R -> I:  HDR, SK {IDr, [CERT], AUTH, TSi, TSr}

HDR – IKE Header

SAi, SAr – Crypto algorithms proposed/accepted by the peer

KEi, KEr – Initiator/Responder Key Exchange material

Ni, Nr – Initiator/Responder Nonce

SK {...} – Payload encrypted and integrity protected

IDi, IDr – Initiator/Responder IKE Identity

CERTREQ, CERT – Certificate Request, Certificate Payload

AUTH – Authentication data

SA – Proposal & Transform to create initial CHILD_SA

TSi, TSr – Traffic Selectors (as src/dst proxies)

IKEv2 Profile Match Statements

The peer identity and certificate are taken from the IKE_AUTH request: HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}

Peer IKE identity (examples):

  IP Address: 172.16.0.1
  FQDN: router.cisco.com
  Email: [email protected]

Matching profile statements:

  match identity remote address 172.16.0.1
  match identity remote fqdn router.cisco.com
  match identity remote email [email protected]

Peer certificate (excerpt):

  Subject: cn=Router, ou=Engineering, o=Cisco
  Issuer: cn=PKI Server, ou=IT, o=Cisco
  ...

Matching certificate map, referenced from the profile with "match certificate <cert-map>":

  subject-name co ou = engineering
  issuer-name co o = cisco
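The profile-selection rules above (several "match identity remote" statements, any one of which selects the profile, plus a certificate map whose lines must all match) are easy to get wrong when profiles overlap. The following is an added example, not code from the Cisco deck: a small Python matcher that evaluates a constructed peer against a list of profiles. The DN normalisation (spaces removed, case folded) and the prefix form of the address match are this example's assumptions, not IOS behaviour taken from the slides.

```python
# Added example (not code from the Cisco deck): which IKEv2 profiles would a
# given peer select? Sample peer, DN normalisation and the address/prefix
# form are this example's assumptions.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    id_type: str             # address | fqdn | email (the peer's IKE ID type)
    identity: str
    subject_name: str = ""   # from the peer's certificate, if it sent one
    issuer_name: str = ""


def _norm(dn: str) -> str:
    """Compare DN fragments ignoring spacing and case: 'ou = Eng' ~ 'ou=eng'."""
    return "".join(dn.split()).lower()


@dataclass
class CertMapEntry:
    """One sequence of 'crypto pki certificate map': every line must match."""
    subject_co: str = ""     # subject-name co <text>
    issuer_co: str = ""      # issuer-name co <text>

    def matches(self, peer: Peer) -> bool:
        if not peer.subject_name:
            return False     # no certificate presented: cert map cannot match
        return (_norm(self.subject_co) in _norm(peer.subject_name)
                and _norm(self.issuer_co) in _norm(peer.issuer_name))


def identity_matches(kind: str, value: str, peer: Peer) -> bool:
    """One 'match identity remote <kind> <value>' statement."""
    if kind == "address":
        # host address or prefix, e.g. 172.16.0.1 or 172.16.0.0/24
        return (peer.id_type == "address" and
                ipaddress.ip_address(peer.identity)
                in ipaddress.ip_network(value, strict=False))
    if kind == "fqdn":
        return peer.id_type == "fqdn" and peer.identity.lower() == value.lower()
    if kind == "fqdn domain":
        return peer.id_type == "fqdn" and peer.identity.lower().endswith("." + value.lower())
    if kind == "email":
        return peer.id_type == "email" and peer.identity.lower() == value.lower()
    if kind == "email domain":
        return peer.id_type == "email" and peer.identity.lower().endswith("@" + value.lower())
    raise ValueError(f"unknown match kind: {kind!r}")


@dataclass
class Ikev2Profile:
    name: str
    match_identity: list = field(default_factory=list)  # [(kind, value), ...]
    cert_maps: list = field(default_factory=list)       # [CertMapEntry, ...]

    def selects(self, peer: Peer) -> bool:
        """Any identity statement or any cert-map entry selects the profile."""
        return (any(identity_matches(k, v, peer) for k, v in self.match_identity)
                or any(entry.matches(peer) for entry in self.cert_maps))


def matching_profiles(profiles, peer):
    """Names of every profile the peer matches; more than one means the
    profiles overlap and the configuration needs tightening."""
    return [p.name for p in profiles if p.selects(peer)]


# Constructed peer mirroring the slide's identity and certificate excerpt.
ROUTER = Peer("fqdn", "router.cisco.com",
              subject_name="cn=Router, ou=Engineering, o=Cisco",
              issuer_name="cn=PKI Server, ou=IT, o=Cisco")

if __name__ == "__main__":
    profiles = [
        Ikev2Profile("exact", match_identity=[("fqdn", "router.cisco.com")]),
        Ikev2Profile("domain", match_identity=[("fqdn domain", "cisco.com")]),
        Ikev2Profile("cert", cert_maps=[CertMapEntry("ou = engineering", "o = cisco")]),
    ]
    print(matching_profiles(profiles, ROUTER))
```

Because a peer can satisfy several profiles at once, the useful check is not "does profile X match" but "how many profiles match"; anything other than exactly one is a configuration to revisit before the next peer type is onboarded.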

IPsec CLI Overview – Tunnel Protection (similar to DMVPN and Easy VPN)

  ! Transform set unchanged
  crypto ipsec transform-set default esp-aes 128 esp-sha-hmac

  ! IPsec profile defines SA parameters and points to the IKEv2 profile
  crypto ipsec profile default
   set transform-set default
   set ikev2-profile default

  ! Dynamic point-to-point interfaces: tunnel protection points to the IPsec profile
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   tunnel protection ipsec profile default

  ! Static point-to-point interfaces
  interface Tunnel0
   ip address 10.0.0.1 255.255.255.252
   tunnel source Ethernet0/0
   tunnel destination 172.16.2.1
   tunnel protection ipsec profile default

Introducing Smart Defaults (intelligent, reconfigurable defaults)

What you need to specify:

  crypto ikev2 profile default
   match identity remote address 10.0.1.1
   authentication local rsa-sig
   authentication remote rsa-sig
   aaa authorization user cert list default default
   pki trustpoint root
  !
  interface Tunnel0
   ip address 192.168.0.1 255.255.255.252
   tunnel protection ipsec profile default

These constructs are the Smart Defaults (already present, no need to configure them):

  crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
  crypto ipsec profile default
   set transform-set default
   set ikev2-profile default
  crypto ikev2 proposal default
   encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
   integrity sha512 sha384 sha256 sha1 md5
   group 5 2
  crypto ikev2 policy default
   match fvrf any
   proposal default
  crypto ikev2 authorization policy default
   route set interface
   route accept any

Reconfigurable Defaults

All defaults can be modified, deactivated and restored.

Modifying defaults:

  crypto ikev2 proposal default
   encryption aes-cbc-128
   integrity md5
  crypto ipsec transform-set default esp-aes 256 esp-sha-hmac

Restoring defaults:

  default crypto ikev2 proposal
  default crypto ipsec transform-set

Disabling defaults:

  no crypto ikev2 proposal default
  no crypto ipsec transform-set default
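Because the smart-default proposal is negotiated on every FlexVPN box that does not override it, it is worth auditing the algorithm lists it offers (the default shown earlier includes 3DES, MD5, SHA-1 and DH groups 2 and 5) and keeping a tightened proposal ready to paste in with the "modifying defaults" syntax. The following is an added example, not code from the Cisco deck: a Python script that parses a "crypto ikev2 proposal" block, reports the weak entries, and renders a replacement. The weak-algorithm lists are this example's review policy, not anything IOS enforces; DH group 14 is used as the fallback because IOS accepts it in this command.

```python
# Added example (not code from the Cisco deck): audit an IKEv2 proposal block
# and render a tightened replacement. WEAK and REPLACEMENT_GROUPS are this
# example's review policy.
import re

# The smart-default proposal as listed on the deck's CLI overview slide.
SMART_DEFAULT_PROPOSAL = """\
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha512 sha256 sha1 md5
 group 5 2
"""

# Review policy: algorithms and DH groups to remove from any proposal.
WEAK = {
    "encryption": {"des", "3des"},
    "integrity": {"md5", "sha1"},
    "group": {"1", "2", "5"},      # MODP 768 / 1024 / 1536
}
REPLACEMENT_GROUPS = ["14"]       # used when every listed group is weak


def parse_proposal(text):
    """Turn the CLI block into {'name': ..., 'encryption': [...], ...}."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    m = re.match(r"crypto ikev2 proposal (\S+)$", lines[0])
    if not m:
        raise ValueError("not a 'crypto ikev2 proposal' block")
    prop = {"name": m.group(1), "encryption": [], "integrity": [], "group": []}
    for line in lines[1:]:
        keyword, *values = line.split()
        if keyword not in WEAK:
            raise ValueError(f"unexpected line in proposal: {line!r}")
        prop[keyword].extend(values)
    return prop


def audit(prop):
    """One finding per weak entry, in the order the proposal lists them."""
    return [f"{prop['name']}: {kind} {value} is weak"
            for kind in ("encryption", "integrity", "group")
            for value in prop[kind] if value in WEAK[kind]]


def harden(prop):
    """Drop weak entries; if no DH group survives, fall back to REPLACEMENT_GROUPS.
    Refuses to produce a proposal with an empty encryption or integrity list."""
    out = {"name": prop["name"]}
    for kind in ("encryption", "integrity", "group"):
        out[kind] = [v for v in prop[kind] if v not in WEAK[kind]]
    if not out["group"]:
        out["group"] = list(REPLACEMENT_GROUPS)
    for kind in ("encryption", "integrity"):
        if not out[kind]:
            raise ValueError(f"{kind}: nothing acceptable left in proposal")
    return out


def render(prop):
    """Emit the proposal back as IOS CLI, ready to paste in."""
    body = [f"crypto ikev2 proposal {prop['name']}"]
    for kind in ("encryption", "integrity", "group"):
        body.append(f" {kind} {' '.join(prop[kind])}")
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    default = parse_proposal(SMART_DEFAULT_PROPOSAL)
    print("\n".join(audit(default)))
    print(render(harden(default)))
```

Run against the slide's "modifying defaults" example (aes-cbc-128 with md5 only), harden() raises instead of emitting a proposal with no integrity algorithm, which is the failure mode a script like this has to refuse rather than paper over.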

Static Site-to-Site Example

Router 2 configuration:

  crypto ikev2 profile default
   match identity remote fqdn r1.cisco.com
   identity local fqdn r2.cisco.com
   authentication remote pre-share key r1r2!
   authentication local pre-share key !r2r1
  !
  interface Tunnel0
   ip address 10.0.0.2 255.255.255.252
   tunnel source Ethernet0/0
   tunnel destination 192.0.2.1
   tunnel protection ipsec profile default
  !
  interface Ethernet0/0
   ip address 192.0.2.2 255.255.255.0
  !
  router rip
   version 2
   network 10.0.0.0
  ...

Exchange between Router 1 (initiator) and Router 2:

  1. Perform IKE SA agreement & Diffie-Hellman key exchange (not shown)

  2. Router 1: "My IKE ID is: r1.cisco.com (FQDN). My PSK authentication payload is... I want to protect GRE traffic between..."

  3. Router 2: map the connection to IKEv2 profile "default" by matching on the peer FQDN; verify the peer's AUTH payload & produce our own based on the configured PSK; use our own FQDN as IKE ID

  4. Router 2: "My IKE ID is: r2.cisco.com (FQDN). My PSK authentication payload is... I agree to protect GRE traffic between..."

  5. Finalize IPsec SAs (GRE between local & remote WAN addresses)

  6. Establish routing protocol neighborship & exchange prefixes

FlexVPN AAA Integration


FlexVPN AAA

IKEv2 communicates with IOS AAA subsystem

– Local database (IKEv2 Authorization Policy)

– Remote database (RADIUS)

Protocols in play: IKEv2, RADIUS, EAP

AAA-based authentication:

– Pre-shared keys stored on RADIUS server

– EAP over IKEv2 & RADIUS

Authorization:

– Implicit authorization (re-uses attributes received during authentication)

– Explicit authorization (local or remote, group- & user-level)

Accounting

Authentication, Authorization & Accounting

  aaa new-model
  aaa authorization network local-db local
  aaa authorization network remote-db group radius

"local-db" and "remote-db" are the AAA list names referenced from the IKEv2 profile.

High-Level Interactions

Roles: RA client = IKEv2 initiator, RADIUS client, EAP supplicant; FlexVPN server = IKEv2 responder, RADIUS NAS, EAP authenticator; AAA server = RADIUS server, EAP backend.

RA client <-> FlexVPN server: cert. authentication, PSK authentication, EAP client authentication (relayed to the AAA server)

FlexVPN server <-> AAA server: AAA PSK retrieval, RADIUS authorization, RADIUS accounting (optional)

FlexVPN server, locally: cached & local authorization

Building Block – IKEv2 Name Mangler

Start with the peer’s IKE or EAP identity

Derive a username that is meaningful to AAA (local or RADIUS)

Roles: RA client = IKEv2 initiator, RADIUS client; FlexVPN server = IKEv2 responder, RADIUS NAS; AAA server = RADIUS server.

  IKEv2 exchange: RA client identity -> IKEv2 name mangler -> AAA username: joe
    -> local AAA request: username joe
    -> RADIUS AAA request: username joe, password cisco (static password, configurable)

  crypto ikev2 name-mangler extract-user
   fqdn hostname
   email username
   dn common-name
   eap prefix delimiter @

Each rule applied to the corresponding identity type yields "joe":

  FQDN: joe.cisco.com -> joe (fqdn hostname)
  Email: [email protected] -> joe (email username)
  DN: cn=joe,ou=IT,o=Cisco -> joe (dn common-name)
  EAP: joe@cisco -> joe (eap prefix delimiter @)
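The username the name mangler produces is what AAA keys everything on (PSK lookup, authorization, accounting), so it pays to predict it for every identity type a profile accepts before the profile goes live. The following is an added example, not code from the Cisco deck: a Python model of the four rule types the slide uses, applied to constructed sample identities. Only the keywords shown on the slides (hostname/domain, username/domain, common-name/organization-unit, prefix/suffix) are modelled; the real CLI offers more.

```python
# Added example (not code from the Cisco deck): predict the AAA username an
# IKEv2 name-mangler derives from a peer's IKE or EAP identity. Sample
# identities are constructed; only the rule keywords on the slides are modelled.
from dataclasses import dataclass


@dataclass(frozen=True)
class NameMangler:
    """One 'crypto ikev2 name-mangler' block: one rule per identity type."""
    fqdn: str = "hostname"          # hostname | domain
    email: str = "username"         # username | domain
    dn: str = "common-name"         # common-name | organization-unit
    eap_part: str = "prefix"        # prefix | suffix
    eap_delimiter: str = "@"


def parse_dn(dn: str) -> dict:
    """'cn=joe, ou=IT, o=Cisco' -> {'cn': 'joe', 'ou': 'IT', 'o': 'Cisco'}."""
    attrs = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def mangle(mangler: NameMangler, id_type: str, identity: str) -> str:
    """Derive the AAA username from an IKE identity (fqdn/email/dn) or an EAP
    identity. Returns "" when the selected part is absent; an empty username
    is exactly the case to catch before the profile is deployed."""
    if id_type == "fqdn":
        host, _, domain = identity.partition(".")
        return host if mangler.fqdn == "hostname" else domain
    if id_type == "email":
        user, _, domain = identity.partition("@")
        return user if mangler.email == "username" else domain
    if id_type == "dn":
        key = "cn" if mangler.dn == "common-name" else "ou"
        return parse_dn(identity).get(key, "")
    if id_type == "eap":
        prefix, _, suffix = identity.partition(mangler.eap_delimiter)
        return prefix if mangler.eap_part == "prefix" else suffix
    raise ValueError(f"unsupported identity type: {id_type!r}")


# Constructed sample identities mirroring the slide (all should map to "joe").
SAMPLE_IDENTITIES = [
    ("fqdn", "joe.cisco.com"),
    ("email", "joe@cisco.com"),
    ("dn", "cn=joe,ou=IT,o=Cisco"),
    ("eap", "joe@cisco"),
]


def preview_usernames(mangler: NameMangler, identities=SAMPLE_IDENTITIES) -> dict:
    """Map every identity to the username AAA will receive."""
    return {identity: mangle(mangler, id_type, identity)
            for id_type, identity in identities}


if __name__ == "__main__":
    for ident, user in preview_usernames(NameMangler()).items():
        print(f"{ident:28} -> {user!r}")
```

The same model covers the "dn organization-unit" mangler used later in the authorization example: with NameMangler(dn="organization-unit"), the DN cn=joe-pc, ou=Eng, o=Cisco yields the group name Eng.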

FlexVPN AAA Integration › AAA-Based Authentication


AAA Pre-Shared Keys

Same IKEv2 packet flow as regular PSK authentication

FlexVPN Server has no IKEv2 keyring configured

Local & remote pre-shared keys stored on RADIUS server

Symmetric key (IETF attribute):

Asymmetric keys (Cisco AV-Pair):

Symmetric key (IETF attribute):

  router2 Cleartext-Password := "cisco"
          Tunnel-Password = "!cisco?"

Asymmetric keys (Cisco AV-Pair):

  router1 Cleartext-Password := "cisco"
          Cisco-AVPair = "ipsec:ikev2-password-local=cisco!",
          Cisco-AVPair += "ipsec:ikev2-password-remote=!ocsic"

AAA Pre-Shared Keys – Packet Flow

Roles: FlexVPN client = IKEv2 initiator, RADIUS client; FlexVPN server = IKEv2 responder, RADIUS NAS; AAA server = RADIUS server.

  Client -> Server   IKEv2 (IKE_AUTH): IDi, AUTH(PSK), ...   (IKEv2 ID: joe.cisco.com)
  Server             IKEv2 name mangler (FQDN hostname) -> AAA username: joe
  Server -> AAA      RADIUS (Access-Request): User-Name: joe, Password: cisco (static password, configurable)
  AAA -> Server      RADIUS (Access-Accept): Local PSK = cisco!, Remote PSK = !ocsic, other user attributes for joe (cached for authorization)
  Server -> Client   IKEv2 (IKE_AUTH): IDr, AUTH(PSK), ...

  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   keyring aaa list radius name-mangler extract-host
  !
  crypto ikev2 name-mangler extract-host
   fqdn hostname

EAP Authentication

Extensible Authentication Protocol (RFC 3748)

– Provides common functions for a variety of authentication methods

– Tunneling methods (costly): EAP-TTLS, EAP-PEAP, …

– Non-tunneling (recommended): EAP-MSCHAPv2, EAP-GTC, EAP-MD5, …

Implemented in IKEv2 as additional IKE_AUTH packets

– RA client initiates EAP authentication by omitting AUTH payload in IKE_AUTH

– RA server must authenticate itself using certificates (mandatory)

– Authentication takes place between RA client and EAP backend authentication server

EAP packets are relayed by RA server

– Between RA client and RA server: tunneled inside IKEv2

– Between RA server and EAP backend: tunneled inside RADIUS

EAP method is transparent to RA server

– Only needs to be supported by RA client and EAP backend


EAP Authentication

Roles: RA client = IKEv2 initiator, RADIUS client, EAP supplicant; FlexVPN server = IKEv2 responder, RADIUS NAS, EAP authenticator; AAA server = RADIUS server, EAP backend. In every case the RA server authenticates to the client using IKE certificates (mandatory); EAP is carried inside IKEv2 between client and server and inside RADIUS between server and AAA server.

Username-password / token / mobile authentication (one-way): EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 / EAP-AKA / EAP-SIM / ...

TLS-based certificate authentication (mutual): EAP-TLS, with TLS running end-to-end between RA client and EAP backend

TLS-protected nested authentication (one-way or mutual): EAP-PEAP / EAP-TTLS carrying EAP-MSCHAPv2 / EAP-TLS / ...

  crypto ikev2 profile default
   authentication remote eap query-identity
   aaa authentication eap frad

EAP Authentication – Packet Flow

Roles: RA client = IKEv2 initiator, RADIUS client, EAP supplicant; FlexVPN server = IKEv2 responder, RADIUS NAS, EAP authenticator; AAA server = RADIUS server, EAP backend.

  Client -> Server   IKEv2 (IKE_AUTH): IDi, CFG_REQ, no AUTH
  Server -> Client   IKEv2 (IKE_AUTH): IDr, AUTH(RSA), EAP(ID-Request)
  Client -> Server   IKEv2 (IKE_AUTH): EAP(ID-Response: IDEAP)   (EAP username)
  Server -> AAA      RADIUS (Access-Request): EAP(ID-Response: IDEAP)
  AAA -> Server      RADIUS (Access-Challenge): EAP(EAP-Method-Pkt#1)
  Server -> Client   IKEv2 (IKE_AUTH): EAP(EAP-Method-Pkt#1)
  Client -> Server   IKEv2 (IKE_AUTH): EAP(EAP-Method-Pkt#2)
  Server -> AAA      RADIUS (Access-Request): EAP(EAP-Method-Pkt#2)
  AAA -> Server      RADIUS (Access-Accept): EAP(Success), MSK, User-Name, other user attributes (cached for authorization)
  Server -> Client   IKEv2 (IKE_AUTH): EAP(Success)
  Client -> Server   IKEv2 (IKE_AUTH): AUTH(MSK)
  Server -> Client   IKEv2 (IKE_AUTH): CFG_REPLY, AUTH(MSK)

Both the client and the server now hold the MSK, which is what the final AUTH payloads are computed from.

  crypto ikev2 profile default
   authentication remote eap query-identity
   aaa authentication eap frad

EAP Authentication – Initiation

With "query-identity" (EAP ID provided by the client):

  Client -> Server   IKEv2 (IKE_AUTH): IDi, CFG_REQ, no AUTH
  Server -> Client   IKEv2 (IKE_AUTH): IDr, AUTH(RSA), EAP(ID-Request)
  Client -> Server   IKEv2 (IKE_AUTH): EAP(ID-Response: IDEAP)
  Server -> AAA      RADIUS (Access-Request): EAP(ID-Response: IDEAP)

Without "query-identity" (IKE ID used as EAP ID):

  Client -> Server   IKEv2 (IKE_AUTH): IDi, CFG_REQ, no AUTH
  Server -> Client   IKEv2 (IKE_AUTH): IDr, AUTH(RSA)
  Server -> AAA      RADIUS (Access-Request): EAP(ID-Response: IDi)

"query-identity" is recommended: several clients jam if it is not configured. It is not the default ... but it should be.

Roles: RA client = IKEv2 initiator, RADIUS client, EAP supplicant; FlexVPN server = IKEv2 responder, RADIUS NAS, EAP authenticator; AAA server = RADIUS server, EAP backend.

FlexVPN AAA Integration › User & Group Authorization


Authorization Types (not mutually exclusive; may be combined)

Implicit user authorization: uses the cached attributes received from RADIUS during AAA PSK retrieval or EAP authentication

  crypto ikev2 profile default
   aaa authorization user {psk|eap} cached

Explicit user authorization: retrieves user attributes from RADIUS (local database not supported)

  crypto ikev2 profile default
   aaa authorization user {psk|eap|cert} list list [name | name-mangler mangler]

Explicit group authorization: retrieves group attributes from RADIUS or the local database

  crypto ikev2 profile default
   aaa authorization group {psk|eap|cert} [override] list list [name | name-mangler mangler]

The cached attributes are those of the RADIUS Access-Accept received during authentication (e.g. Local PSK = cisco!, Remote PSK = !ocsic, other user attributes for joe).

Precedence: user attributes take precedence over group attributes, unless "override" is configured on the group line, in which case group > user.

Attributes – Syntax

Local Database

– IKEv2 Authorization Policy

– AAA Attribute List (V-Access interface configuration statements)

Central/Remote Database (on RADIUS Server)

– Standard IETF Attributes (Framed-IP-Address, etc.)

– Cisco Attribute-Value Pairs (Cisco-AVPair)

Local database:

  crypto ikev2 authorization policy Eng
   pool Eng
   dns 10.0.1.1
   netmask 255.255.255.255
   aaa attribute list Eng
  !
  aaa attribute list Eng
   attribute type interface-config "vrf forwarding Eng"
   attribute type interface-config "ip unnumbered Loopback1"

Central/remote database (RADIUS server, users-file syntax):

  Eng Cleartext-Password := "cisco"
      Framed-IP-Netmask = "255.255.255.255",
      Cisco-AVPair = "ipsec:addr-pool=Eng",
      Cisco-AVPair += "ipsec:dns-servers=10.0.1.1",
      Cisco-AVPair += "ip:interface-config=vrf forwarding Eng",
      Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"

Attributes – Merging

Cached user attributes (received from the AAA server during AAA-based authentication):

  Framed-IP-Address   10.0.0.101
  ipsec:dns-servers   10.2.2.2

Explicit user attributes (received during explicit user authorization; they take precedence over the cached ones):

  Framed-IP-Address   10.0.0.102

Merged user attributes:

  Framed-IP-Address   10.0.0.102
  ipsec:dns-servers   10.2.2.2

Explicit group attributes (received during explicit group authorization):

  ipsec:dns-servers   10.2.2.3
  ipsec:banner        Welcome !

Final merged attributes (merged user attributes take precedence except if "group override" is configured):

  Framed-IP-Address   10.0.0.102
  ipsec:dns-servers   10.2.2.2
  ipsec:banner        Welcome !

Attributes – Interface Config Ordering

Interface config strings do not override each other during merging

Instead, higher precedence statements are applied last

Pay attention to command-specific behavior (overwrites / stacks up / collides ?)

Received during explicit user authorization:

  Interface-Config   zone-member security high
  Interface-Config   service-policy output gold

Received during explicit group authorization:

  Interface-Config   zone-member security medium
  Interface-Config   service-policy output silver

Applied to the Virtual-Access interface in order (group statements first, user statements last):

  zone-member security medium      OK – will be overridden by the subsequent "zone-member" statement
  service-policy output silver
  zone-member security high
  service-policy output gold       NOK – will collide with the previous "service-policy" statement: "Policy map silver is already attached"
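The two merge rules above (attribute values override by precedence; interface-config strings are appended in precedence order and may collide) are worth modelling before a new group policy is rolled out, because the collision only shows up at connection time. The following is an added example, not code from the Cisco deck: a Python model of both rules, driven by the attribute values from the two slides. Which commands collide rather than replace each other is this example's assumption (service-policy is the one the slide demonstrates).

```python
# Added example (not code from the Cisco deck): model FlexVPN attribute
# merging and interface-config ordering, and flag colliding statements.
# COLLIDING_PREFIXES is this example's assumption; sample data is the slides'.

# Commands that cannot be applied twice on one interface: a second one
# collides instead of replacing the first ("Policy map ... is already attached").
COLLIDING_PREFIXES = ("service-policy output", "service-policy input")


def merge_attributes(cached_user, explicit_user, explicit_group, group_override=False):
    """Return the final attribute dictionary.

    Explicit user attributes override cached ones; the merged user set then
    wins over group attributes unless 'group override' is configured.
    """
    merged_user = {**cached_user, **explicit_user}
    if group_override:
        return {**merged_user, **explicit_group}
    return {**explicit_group, **merged_user}


def order_interface_config(user_stmts, group_stmts, group_override=False):
    """Interface-config strings are not merged: the lower-precedence set is
    applied first so the higher-precedence set lands last. Returns the
    ordered statements and a list of collision warnings."""
    lower, higher = (user_stmts, group_stmts) if group_override else (group_stmts, user_stmts)
    ordered = list(lower) + list(higher)
    warnings, seen = [], {}
    for stmt in ordered:
        for prefix in COLLIDING_PREFIXES:
            if stmt.startswith(prefix):
                if prefix in seen:
                    warnings.append(f'"{stmt}" collides with earlier "{seen[prefix]}"')
                seen[prefix] = stmt
    return ordered, warnings


# Values taken from the two slides.
CACHED_USER = {"Framed-IP-Address": "10.0.0.101", "ipsec:dns-servers": "10.2.2.2"}
EXPLICIT_USER = {"Framed-IP-Address": "10.0.0.102"}
EXPLICIT_GROUP = {"ipsec:dns-servers": "10.2.2.3", "ipsec:banner": "Welcome !"}
USER_IFCONFIG = ["zone-member security high", "service-policy output gold"]
GROUP_IFCONFIG = ["zone-member security medium", "service-policy output silver"]

if __name__ == "__main__":
    print(merge_attributes(CACHED_USER, EXPLICIT_USER, EXPLICIT_GROUP))
    ordered, warnings = order_interface_config(USER_IFCONFIG, GROUP_IFCONFIG)
    print("\n".join(ordered))
    print("\n".join(warnings))
```

With the slide's data the merge yields Framed-IP-Address 10.0.0.102, dns-servers 10.2.2.2 and the group banner, and the ordering step reports the gold/silver service-policy collision before it would ever reach a Virtual-Access interface.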


Attributes – Scope

Remote attributes (sent to the RA client through the IKEv2 configuration exchange):

  IPv4/IPv6 Address      Standard
  IPv4/IPv6 Netmask      Standard
  IPv4/IPv6 Subnets      Standard
  DNS/WINS Servers       Standard
  DNS Domain Name        Cisco Unity
  Logon Banner           Cisco Unity
  Backup Gateways        Cisco Unity
  Config Version/URL     FlexVPN
  ...

Locally relevant attributes (consumed by the FlexVPN server):

  IPv4/IPv6 Address Pool
  DHCP Server
  IKEv2 Routing ("route set" statements)
  V-Access Interface Configuration
  ...

Some remote attributes may be derived from local attributes (the address handed to the client comes out of the local pool, for instance). IOS AAA attributes are translated into IKEv2 Configuration Exchange attributes; peer authorization (AAA authorization) is what enables the IKEv2 Configuration Exchange.

Attributes – IP Address Assignment

User-specific statically assigned IP address

– Returned as RADIUS IETF Framed-IP-Address

– External DB only, not configurable in IKEv2 Authorization Policy

IOS-managed address pool

– Referenced in user or group attributes

– IOS pool name can be passed by RADIUS server

– Allocation/deallocation entirely managed by IOS

DHCP-assigned IP addresses

– Request placed by IOS on behalf of RA client

– DHCP server can be passed by RADIUS

RADIUS-managed address pool

– Address allocated by RADIUS server and returned as Framed-IP-Address

– Accounting must be configured (to release addresses when clients disconnect)

IOS-managed address pool (referenced from the local policy or from a RADIUS group attribute):

  crypto ikev2 authorization policy Eng
   pool Eng
  !
  ip local pool Eng 10.0.1.10 10.0.1.99

  Eng  Cisco-AVPair = "ipsec:addr-pool=Eng"

User-specific statically assigned address (RADIUS only):

  joe  Framed-IP-Address = "10.0.1.101"
       Framed-IP-Netmask = "255.255.255.255"

DHCP-assigned address (DHCP server from the local policy or from a RADIUS group attribute):

  crypto ikev2 authorization policy Eng
   dhcp server 10.2.2.2

  Eng  Cisco-AVPair = "ipsec:group-dhcp-server=10.2.2.2"

Authorization Example

FlexVPN server configuration:

  aaa authorization network here local
  aaa attribute list Eng
   attribute type interface-config "vrf forwarding Eng"
   attribute type interface-config "ip unnumbered Loopback1"
  !
  crypto ikev2 authorization policy Eng
   pool Eng
   netmask 255.255.255.255
   aaa attribute list Eng
  !
  crypto pki certificate map cisco 1
   subject-name co o = cisco
  !
  crypto ikev2 name-mangler ou
   dn organization-unit
  !
  crypto ikev2 profile default
   match certificate cisco
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint root
   aaa authorization group cert list here name-mangler ou
   virtual-template 1
  !
  ip local pool Eng 10.0.1.10 10.0.1.99
  !
  interface Loopback1
   vrf forwarding Eng
   ip address 10.0.1.1 255.255.255.255
  !
  interface Virtual-Template1 type tunnel
   no ip address
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

Connection walk-through:

  RA client:  "My IKE ID is cn=joe-pc, ou=Eng, o=Cisco. Here is my identity certificate. I need an IPv4 address."

  Server:     Map the connection to IKEv2 profile "default" by matching on cert-map "cisco"
              Perform certificate-based authentication (not shown)
              Run the client IKE ID through name-mangler "ou"
              Invoke AAA with list "here" (local authorization) & username "Eng"
              Clone V-Template1 into V-Access1, apply VRF & IP unnumbered
              Allocate an IPv4 address from pool "Eng"

  Server:     "Your IPv4 address is: 10.0.1.10/32"

Resulting interface, as seen with "show derived-config ...":

  interface Virtual-Access1
   vrf forwarding Eng
   ip unnumbered Loopback1
   tunnel source 192.0.2.2
   tunnel mode ipsec ipv4
   tunnel destination 192.168.221.129
   tunnel protection ipsec profile default

FlexVPN AAA Integration › Connection Accounting


Accounting

Topology: the RA Client (192.168.221.129) connects to the FlexVPN Server (NAS 10.0.0.1) over IKEv2 (EAP) & IPsec; the server sends accounting to the RADIUS Server 10.0.0.2; assigned address: 10.0.1.101

Server configuration:

aaa accounting network frad start-stop group frad
aaa group server radius frad
 server-private 10.0.0.2 auth-port 1812 acct-port 1813 key s3cr3t
!
crypto ikev2 profile default
 aaa authentication eap frad
 aaa authorization user eap cached
 aaa accounting eap frad

Upon client connection, the server sends a RADIUS Accounting-Request (Start) and receives an Accounting-Response:

Acct-Session-Id = "0000001B"
Cisco-AVPair = "isakmp-phase1-id=acvpn"                 (IKE ID)
Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"     (client public IP address)
Framed-IP-Address = 10.0.1.101                          (assigned IP address)
User-Name = "joe@cisco"                                 (EAP username)
Cisco-AVPair = "connect-progress=No Progress"
Acct-Authentic = Local
Acct-Status-Type = Start
NAS-IP-Address = 10.0.0.1
Acct-Delay-Time = 0

Upon client disconnection, the server sends a RADIUS Accounting-Request (Stop) and receives an Accounting-Response:

Acct-Session-Id = "0000001B"
Cisco-AVPair = "isakmp-phase1-id=acvpn"
Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
Framed-IP-Address = 10.0.1.101
User-Name = "joe@cisco"
Acct-Authentic = Local
Cisco-AVPair = "connect-progress=No Progress"
Acct-Session-Time = 104                                 (statistics)
Acct-Input-Octets = 13906
Acct-Output-Octets = 11040
Acct-Input-Packets = 207
Acct-Output-Packets = 92
Acct-Terminate-Cause = 0
Cisco-AVPair = "disc-cause-ext=No Reason"
Acct-Status-Type = Stop
NAS-IP-Address = 10.0.0.1
Acct-Delay-Time = 0
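Correlating the Start and Stop records above into one session record per Acct-Session-Id, the way a SIEM parser or a quick triage script would, as an added example (not code from the Cisco deck). The two record texts are constructed from the attribute lists printed on the slide, with the AV-pair names kept exactly as printed (including "isakmp-initator-ip"); the attribute-line regex, the anomaly names and the summary layout are this example's assumptions.

```python
"""Added example: pair RADIUS accounting Start/Stop records from a FlexVPN
server into per-session summaries and flag the cases worth a look."""
import re
from collections import defaultdict

# Constructed from the Start record on the slide.
START_RECORD = """\
Acct-Session-Id = "0000001B"
Cisco-AVPair = "isakmp-phase1-id=acvpn"
Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
Framed-IP-Address = 10.0.1.101
User-Name = "joe@cisco"
Cisco-AVPair = "connect-progress=No Progress"
Acct-Authentic = Local
Acct-Status-Type = Start
NAS-IP-Address = 10.0.0.1
Acct-Delay-Time = 0
"""

# Constructed from the Stop record on the slide.
STOP_RECORD = """\
Acct-Session-Id = "0000001B"
Cisco-AVPair = "isakmp-phase1-id=acvpn"
Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
Framed-IP-Address = 10.0.1.101
User-Name = "joe@cisco"
Acct-Authentic = Local
Cisco-AVPair = "connect-progress=No Progress"
Acct-Session-Time = 104
Acct-Input-Octets = 13906
Acct-Output-Octets = 11040
Acct-Input-Packets = 207
Acct-Output-Packets = 92
Acct-Terminate-Cause = 0
Cisco-AVPair = "disc-cause-ext=No Reason"
Acct-Status-Type = Stop
NAS-IP-Address = 10.0.0.1
Acct-Delay-Time = 0
"""

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_record(text):
    """Return {attribute: value}. A record carries several Cisco-AVPair
    attributes, so each 'name=value' AV-pair is unpacked into its own key
    (e.g. 'isakmp-phase1-id') instead of overwriting the previous one."""
    rec = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Cisco-AVPair" and "=" in value:
            name, val = value.split("=", 1)
            rec[name] = val
        else:
            rec[key] = value
    return rec


def correlate(records):
    """Group by Acct-Session-Id, pair Start with Stop, return {id: summary}.
    A Start without a Stop is reported as 'open' (still connected, or the
    Stop never reached the RADIUS server); a Stop without a Start and a
    User-Name that differs between Start and Stop are flagged as anomalies."""
    by_id = defaultdict(dict)
    for rec in records:
        by_id[rec["Acct-Session-Id"]][rec["Acct-Status-Type"]] = rec
    sessions = {}
    for sid, parts in by_id.items():
        start, stop = parts.get("Start"), parts.get("Stop")
        base = start or stop
        summary = {
            "user": base.get("User-Name"),
            "ike_id": base.get("isakmp-phase1-id"),
            "client_ip": base.get("isakmp-initator-ip"),
            "assigned_ip": base.get("Framed-IP-Address"),
            "nas": base.get("NAS-IP-Address"),
            "status": "closed" if stop else "open",
            "anomalies": [],
        }
        if stop:
            summary["duration_s"] = int(stop["Acct-Session-Time"])
            summary["bytes_in"] = int(stop["Acct-Input-Octets"])
            summary["bytes_out"] = int(stop["Acct-Output-Octets"])
            summary["terminate_cause"] = stop.get("disc-cause-ext", stop.get("Acct-Terminate-Cause"))
            if start is None:
                summary["anomalies"].append("stop-without-start")
            elif start.get("User-Name") != stop.get("User-Name"):
                summary["anomalies"].append("user-mismatch")
        sessions[sid] = summary
    return sessions
```

The value of keeping the three identities together (EAP username, IKE ID and the client's public address) is that a Stop record alone tells you who held 10.0.1.101 between the Start and the Stop, which is what an incident responder needs when an internal log only shows the assigned VPN address.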

Remote Access Clients


Remote Access Clients – Overview

Clients compared: AnyConnect 3.1 (Desktop Version), AnyConnect 3.0 (Mobile Version), Windows Native IKEv2 Client, FlexVPN Hardware Client, strongSwan

Supported OSes
– AnyConnect 3.1 (Desktop): Windows, Mac OS X, Linux
– AnyConnect 3.0 (Mobile): Android, Apple iOS
– Windows Native IKEv2 Client: Windows 7 & 8
– FlexVPN Hardware Client: Cisco IOS 15.2+ (not on IOS-XE / ASR1k, not on ISR-G1)
– strongSwan: Linux, Mac OS X, Android, FreeBSD, ...

Supported IKEv2 Authentication Methods
– AnyConnect 3.1 (Desktop): Certificates, EAP
– AnyConnect 3.0 (Mobile): Certificates, EAP
– Windows Native IKEv2 Client: Certificates, EAP
– FlexVPN Hardware Client: Certificates, EAP, Pre-Shared Key
– strongSwan: Certificates, EAP, Pre-Shared Key

Supported EAP Authentication Methods
– AnyConnect 3.1 (Desktop): EAP-MSCHAPv2, EAP-GTC, EAP-MD5
– AnyConnect 3.0 (Mobile): EAP-MSCHAPv2, EAP-GTC, EAP-MD5
– Windows Native IKEv2 Client: EAP-MSCHAPv2, EAP-TLS (1), EAP-PEAP (1), ... and more (Win8)
– FlexVPN Hardware Client: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
– strongSwan: EAP-MSCHAPv2, EAP-TLS (1), EAP-PEAP (1), ... and more (plugins)

Security Policy Exchange
– AnyConnect 3.1 (Desktop): Automatic (2) (RRI)
– AnyConnect 3.0 (Mobile): Automatic (2) (RRI)
– Windows Native IKEv2 Client: Automatic (2) (RRI)
– FlexVPN Hardware Client: Automatic (2) (IKEv2 Routing), Dynamic Routing Protocol
– strongSwan: Automatic (2) (RRI)

Dual Stack (IPv4 & IPv6)
– AnyConnect 3.1 (Desktop): 3.1.05152 (with GRE), IOS-XE 3.14 (TBC)
– AnyConnect 3.0 (Mobile): Planned (client limitation)
– Windows Native IKEv2 Client: Planned (headend limitation)
– FlexVPN Hardware Client: Both (with GRE)
– strongSwan: Planned (headend limitation)

Split Tunneling
– AnyConnect 3.1 (Desktop): Yes
– AnyConnect 3.0 (Mobile): Yes
– Windows Native IKEv2 Client: Very limited (classful)
– FlexVPN Hardware Client: Yes
– strongSwan: Yes

(1) EAP-TLS, EAP-TTLS, EAP-PEAP and others require (potentially dedicated) TLS certificates on the EAP server & RA client
(2) IPsec Reverse Route Injection (RRI) and IKEv2 Route Exchange are enabled by default

Remote Access Clients › AnyConnect Secure Mobility Client


AnyConnect Secure Mobility Client

Since AnyConnect 3.0, IKEv2/IPsec supported (previously only SSL/TLS)

– Desktop: Windows, Mac OS X, Linux

– Mobile: Apple iOS, Android

Supported authentication methods:

– Machine/User Certificates (RSA signatures)

– EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)

– EAP-GTC (cleartext password authentication, used for one-time-passwords/tokens)

– EAP-MD5 (hash-based authentication)

Particularities:

– Requires EAP “query-identity” on server (triggers username/password input dialog)

– Requires “no crypto ikev2 http-url cert” on server (aborts the connection otherwise)

– CSCud96246: incompatibility with IOS when using SHA-2 integrity (resolved in 3.1.05, Dec 2013)

For more on AnyConnect management & deployment:

– BRKSEC-3033 – Advanced AnyConnect Deployment and Troubleshooting with ASA by H. Nohre

– Focuses on ASA as headend, but many topics also relevant for FlexVPN


AnyConnect – VPN Profile Editor

Add an entry to the server list: connection name ("FlexVPN"), server FQDN ("flexra.cisco.com"), primary protocol IPsec, authentication method during IKE negotiation and IKE identity (the IKE identity only applies to EAP authentication methods).

Resulting XML Profile:

...
<ServerList>
  <HostEntry>
    <HostName>FlexVPN</HostName>
    <HostAddress>flexra.cisco.com</HostAddress>
    <PrimaryProtocol>IPsec
      <StandardAuthenticationOnly>true
        <AuthMethodDuringIKENegotiation>EAP-GTC</AuthMethodDuringIKENegotiation>
        <IKEIdentity>acvpn</IKEIdentity>
      </StandardAuthenticationOnly>
    </PrimaryProtocol>
  </HostEntry>
</ServerList>
...


AnyConnect – Backup Server List

Add backup server(s) to the list. When the primary server stops responding, the client will try connecting to the backup server(s) across the WAN.

Resulting XML Profile:

...
<ServerList>
  <HostEntry>
    <HostName>FlexVPN</HostName>
    <HostAddress>flexra.cisco.com</HostAddress>
    <BackupServerList>
      <HostAddress>flexra2.cisco.com</HostAddress>
    </BackupServerList>
...
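Building and checking the host entry from the VPN Profile Editor and Backup Server List slides with the standard library only, as an added example (not code from the Cisco deck or from the AnyConnect profile editor). The root element name, the absence of a namespace declaration and the element order follow the fragments shown on the slides; the consistency rule that IKEIdentity belongs only with EAP-* methods is taken from the editor callout "Only applies to EAP authentication methods". The sample entry is constructed from the slides' values.

```python
"""Added example: generate and validate the AnyConnect ServerList fragment
(standard library only; not the profile editor's own code)."""
import xml.etree.ElementTree as ET

# Constructed sample reproducing the host entry of the two slides.
SAMPLE_ENTRY = {
    "name": "FlexVPN",
    "address": "flexra.cisco.com",
    "backups": ["flexra2.cisco.com"],
    "auth_method": "EAP-GTC",
    "ike_identity": "acvpn",
}


def build_profile(entries):
    """Serialise entries into the profile XML. PrimaryProtocol is mixed
    content exactly as the slide prints it:
    <PrimaryProtocol>IPsec<StandardAuthenticationOnly>true<...>"""
    root = ET.Element("AnyConnectProfile")
    server_list = ET.SubElement(root, "ServerList")
    for e in entries:
        host = ET.SubElement(server_list, "HostEntry")
        ET.SubElement(host, "HostName").text = e["name"]
        ET.SubElement(host, "HostAddress").text = e["address"]
        if e.get("backups"):
            backup = ET.SubElement(host, "BackupServer" + "List")
            for addr in e["backups"]:
                ET.SubElement(backup, "HostAddress").text = addr
        proto = ET.SubElement(host, "PrimaryProtocol")
        proto.text = "IPsec"
        sao = ET.SubElement(proto, "StandardAuthenticationOnly")
        sao.text = "true"
        ET.SubElement(sao, "AuthMethodDuringIKENegotiation").text = e["auth_method"]
        if e.get("ike_identity"):
            ET.SubElement(sao, "IKEIdentity").text = e["ike_identity"]
    return ET.tostring(root, encoding="unicode")


def parse_profile(xml_text):
    """Read the fields this deck cares about back out of a profile.
    findtext() without '//' only looks at direct children, so the primary
    HostAddress is not confused with the ones inside BackupServerList."""
    root = ET.fromstring(xml_text)
    entries = []
    for host in root.iterfind("ServerList/HostEntry"):
        proto = host.find("PrimaryProtocol")
        sao = proto.find("StandardAuthenticationOnly") if proto is not None else None
        entries.append({
            "name": host.findtext("HostName"),
            "address": host.findtext("HostAddress"),
            "backups": [b.text for b in host.iterfind("BackupServerList/HostAddress")],
            "protocol": (proto.text or "").strip() if proto is not None else None,
            "auth_method": sao.findtext("AuthMethodDuringIKENegotiation") if sao is not None else None,
            "ike_identity": sao.findtext("IKEIdentity") if sao is not None else None,
        })
    return entries


def validate(entries):
    """Return a list of problems; an empty list means the entries are
    consistent with what the FlexVPN server expects."""
    problems = []
    for e in entries:
        where = e["name"] or e["address"]
        if e["protocol"] != "IPsec":
            problems.append(f"{where}: PrimaryProtocol is {e['protocol']!r}, IKEv2 to FlexVPN needs 'IPsec'")
        is_eap = (e["auth_method"] or "").startswith("EAP-")
        if is_eap and not e["ike_identity"]:
            problems.append(f"{where}: EAP method without IKEIdentity (server selects the IKEv2 profile by key-id)")
        if not is_eap and e["ike_identity"]:
            problems.append(f"{where}: IKEIdentity only applies to EAP authentication methods")
        if e["address"] in e["backups"]:
            problems.append(f"{where}: backup server list repeats the primary address")
    return problems
```

`validate(parse_profile(build_profile([SAMPLE_ENTRY])))` returns an empty list for the slide's entry; pushing a profile through a software management system is the point at which such a check pays for itself, because the server matches `match identity remote key-id acvpn` against the IKEIdentity, and an entry that lost it fails at IKE_AUTH with nothing on the client to say why.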


AnyConnect – Seamless Auto-Reconnect

Seamless reconnection after:
– transient loss of connectivity
– switching between networks (e.g. moving from 3G to WiFi)
– suspending/resuming the computer

Supported by AnyConnect desktop & mobile for both SSL & IKEv2
– FlexVPN server-side support introduced in IOS 15.4(1)T & IOS-XE 15.4(1)S / 3.11S

Suspend/resume client behavior configurable separately (XML profile):
– DisconnectOnSuspend: release VPN session resources upon suspend, do not reconnect
– ReconnectAfterResume: try to reconnect after the operating system resumes

Proprietary method:
– Session token exchanged during initial session establishment (configuration exchange)
– Reconnection attempts use the session token as pre-shared key in IKE_AUTH
– Mutually exclusive with PSK configuration in the IKEv2 profile
– Session expires on the server after the configured timeout (default: 30 minutes)

crypto ikev2 profile default
 ...
 reconnect [timeout <seconds>]


AnyConnect – Seamless Auto-Reconnect (continued)

Server configuration in both cases:

crypto ikev2 profile default
 reconnect [timeout <seconds>]

Transient WAN failure:
1: Connected
2: Network failure detected; the client will attempt to reconnect automatically
3: Server marks the session as "inactive" and keeps it alive until the configured timeout
4: ISP/WAN comes back up; session resumed without any user intervention

Network switch:
1: Connected over 3G
2: Switching to WiFi (different IP address)
3: Session resumed over the WiFi link without any user intervention

Also works when the computer suspends & resumes (behavior controllable through the XML profile)
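A minimal model of the server-side session table behind `reconnect [timeout <seconds>]`, as an added example (not IOS code and not from the Cisco deck): a per-session token handed to the client at establishment, the session parked as "inactive" when the client drops, and resumption accepted only with the right token before the timeout (30 minutes by default, per the slide). The token format, the table layout, the method names and the use of a caller-supplied clock are this example's assumptions.

```python
"""Added example: reconnect session table with token + timeout semantics."""
import hmac
import secrets

DEFAULT_TIMEOUT_S = 30 * 60   # slide: default reconnect timeout is 30 minutes


class ReconnectTable:
    def __init__(self, timeout_s=DEFAULT_TIMEOUT_S):
        self.timeout_s = timeout_s
        self._sessions = {}   # token -> {"user", "addr", "inactive_since"}

    def establish(self, user, assigned_addr):
        """Full IKE_AUTH succeeded: mint an unguessable token and return it.
        The token later acts as the pre-shared key of the reconnect IKE_AUTH,
        so it is a bearer credential for the session: it must come from a
        CSPRNG, never from anything derived from the user or the address."""
        token = secrets.token_hex(32)
        self._sessions[token] = {"user": user, "addr": assigned_addr, "inactive_since": None}
        return token

    def mark_inactive(self, token, now):
        """Client went away (DPD failure, network switch): keep the session
        and its address, start the timeout clock."""
        self._sessions[token]["inactive_since"] = now

    def _lookup(self, presented):
        # Constant-time comparison so a guessing client cannot measure how
        # many leading characters matched. Tokens are ASCII hex; the bytes
        # conversion keeps compare_digest happy with any str input.
        wanted = presented.encode()
        for token, sess in self._sessions.items():
            if hmac.compare_digest(token.encode(), wanted):
                return token, sess
        return None, None

    def resume(self, presented, now):
        """Reconnect attempt: return a copy of the session (same user, same
        address) or None, in which case a full IKE_AUTH is required again."""
        self.sweep(now)
        token, sess = self._lookup(presented)
        if sess is None:
            return None
        sess["inactive_since"] = None
        return dict(sess)

    def sweep(self, now):
        """Expire sessions that have been inactive longer than the timeout;
        returns how many were removed."""
        expired = [t for t, s in self._sessions.items()
                   if s["inactive_since"] is not None and now - s["inactive_since"] > self.timeout_s]
        for t in expired:
            del self._sessions[t]
        return len(expired)

    def active_count(self):
        return len(self._sessions)
```

The model makes the trade-off of the feature visible: a longer timeout keeps more parked sessions (and their pool addresses) alive for a client that may never return, while the token stands in for the user's full authentication during that window. The timeout is therefore the upper bound on how long a stolen token is useful, which is the parameter to tune rather than leaving the default untouched.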


AnyConnect – Profile Deployment Options

Default profile location per OS:
– Windows: %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
– Mac OS, Linux: /opt/cisco/anyconnect/profile

AnyConnect Desktop:
– Add the XML profile to the AnyConnect installation package
– Push using a Software Management System
– Send via e-mail and install manually on the local hard disk

AnyConnect Mobile:
– Send via e-mail
– Import from the local filesystem
– Import or create via the URI handler: anyconnect://import?type=profile&uri=location (example location: http%3A%2F%2Fexample.com%2FFlexVPN.xml)
– Configure the connection manually


AnyConnect Mobile – Manual Connection

Create a new manual connection (screenshot callouts):
– Connection name
– Server FQDN
– Enable IKEv2
– Select authentication method
– Specify IKE ID for EAP methods
– Certificate selection
– (one option on the screen is marked "Cisco ASA only")


AnyConnect Mobile – URI Handler

"anyconnect://" URI handler on Apple iOS & Android:
– Import XML profile
– Create connection entry
– Connect & disconnect VPN

Example (creates the connection entry; the client's URI-handling setting must be "Prompt" or "Enabled"):

anyconnect://create/?name=FlexVPN&host=flexra.cisco.com&protocol=IPsec&authentication=EAP-MD5&ike-identity=acvpn

Result: "Connection successfully created"
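Building and decoding the two URI forms from the Profile Deployment Options and URI Handler slides (`anyconnect://import?type=profile&uri=...` and `anyconnect://create/?...`), as an added example (not code from the Cisco deck or from AnyConnect). The parameter names and values are the slides'; the warnings (profile fetched over cleartext HTTP, EAP method without an IKE identity) and the function names are this example's own checks.

```python
"""Added example: construct and parse anyconnect:// URIs."""
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def import_profile_uri(profile_url):
    """anyconnect://import?type=profile&uri=<percent-encoded URL>
    (slide example location: http%3A%2F%2Fexample.com%2FFlexVPN.xml)."""
    return "anyconnect://import?type=profile&uri=" + quote(profile_url, safe="")


def create_connection_uri(name, host, protocol="IPsec", authentication=None, ike_identity=None):
    """anyconnect://create/?name=...&host=...&protocol=IPsec
       &authentication=EAP-MD5&ike-identity=acvpn"""
    if authentication and authentication.startswith("EAP-") and not ike_identity:
        raise ValueError("EAP methods need an IKE identity: the server selects the IKEv2 profile by key-id")
    params = [("name", name), ("host", host), ("protocol", protocol)]
    if authentication:
        params.append(("authentication", authentication))
    if ike_identity:
        params.append(("ike-identity", ike_identity))
    return "anyconnect://create/?" + urlencode(params)


def parse_anyconnect_uri(uri):
    """Decode an anyconnect:// URI into {'action', 'params', 'warnings'}.
    The warnings are this example's checks on what the URI would make the
    client do, since anything that can get a user to tap a link (mail,
    web page, QR code) can hand the client a new server to talk to."""
    parts = urlsplit(uri)
    if parts.scheme != "anyconnect":
        raise ValueError(f"not an anyconnect:// URI: {uri!r}")
    action = parts.netloc
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    warnings = []
    if action == "import":
        if not params.get("uri", "").startswith("https://"):
            warnings.append("profile fetched over a non-HTTPS URL: modifiable in transit")
    elif action == "create":
        if params.get("authentication", "").startswith("EAP-") and not params.get("ike-identity"):
            warnings.append("EAP method without ike-identity")
    elif action not in ("connect", "disconnect"):
        warnings.append(f"unknown action {action!r}")
    return {"action": action, "params": params, "warnings": warnings}
```

`import_profile_uri("http://example.com/FlexVPN.xml")` reproduces the slide's encoded location, and parsing it back flags the cleartext fetch: a profile defines the server, the authentication method and the IKE identity, so its source deserves the same trust as the server certificate.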


AnyConnect Mobile – Certificate Deployment

Package certificate & keypair into PKCS#12 file

Apple iOS

– Import PKCS#12 from URL or email attachment

– Provision credentials or set up SCEP enrollment using configuration profile (e.g. via iPhone Configuration Utility)

Android

– Import PKCS#12 from URL, email or filesystem

– Use existing credentials from Credential Storage


AnyConnect – Mutual RSA Signatures

Mutual IKE certificate-based authentication (RSA signatures in both directions of IKE)
– AnyConnect picks the best available identity certificate
  Based on selection rules in the XML profile (if any)
  A certificate with EKU is preferred over one without
– Client IKE ID = certificate subject DN
– Server selects the IKEv2 profile based on certificate match
– Matching is done on the certificate itself, not on the IKE ID

Explicit user/group authorization (RADIUS)
– Non-AAA authentication, therefore no cached attributes
– Extract the CN/OU field from the DN using a name-mangler
– Retrieve user/group attributes from RADIUS

Server configuration:

crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list frad name-mangler ou
 aaa authorization user cert list frad name-mangler cn
 virtual-template 1

RADIUS user database (users-file syntax):

# Group definition
Eng
        Cleartext-Password := "cisco"
        Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

# User definition
joe
        Cleartext-Password := "cisco"
        Framed-IP-Address = "10.0.1.101",
        Framed-IP-Netmask = "255.255.255.255"

The Cleartext-Password on the group and user entries is the password the FlexVPN server places in its authorization Access-Request (IOS default "cisco", overridable with the password keyword of the aaa authorization command); the end user never types it, so the RADIUS server should treat these entries as lookup records, not as login accounts.


AnyConnect – EAP

EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 (EAP username/password authentication, relayed by the server to RADIUS)
– Client IKE ID = KEY-ID string configured in the XML profile
– Server selects the IKEv2 profile based on the KEY-ID string
– EAP "query-identity" prompts the user for credentials
– EAP ID = username entered by the user
– Password authentication against the AAA user database
– Returned attributes cached for implicit authorization

Server configuration:

crypto ikev2 profile default
 match identity remote key-id acvpn
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

RADIUS user database:

# User definition
joe@cisco
        Cleartext-Password := "c1sc0!"
        Framed-IP-Address = "10.0.1.101",
        Framed-IP-Netmask = "255.255.255.255",
        Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"


AnyConnect – Certificate Requirements

AnyConnect Client IKEv2 Certificate (used for Mutual RSA-SIG)
– Common Name (CN): Anything
– Key Usage (KU): Digital Signature
– Extended Key Usage (EKU): Optional (1,3); if present: TLS Client Authentication
– Subject Alternative Name (SAN): Not required (3)

FlexVPN Server IKEv2 Certificate (used for Mutual RSA-SIG and for EAP, all types)
– Common Name (CN): Anything (if SAN field present); Server FQDN (if no SAN field)
– Key Usage (KU): Digital Signature; Key Encipherment or Key Agreement
– Extended Key Usage (EKU): Optional (2,3); if present: TLS Server Authentication or IKE Intermediate
– Subject Alternative Name (SAN): Optional (3); if present: Server FQDN

(1) Required in AC 3.0.8 to 3.0.10 (CSCuc07598)
(2) Required in AC 3.0 (all versions), lifted in 3.1
(3) Not required: may be omitted or set to any value. Optional: may be omitted or set to the specified value

Remote Access Clients › Windows Native IKEv2 Client


Windows Native IKEv2 Client

Since Windows 7, IKEv2/IPsec natively supported for RA connections

Supported authentication methods:
– Machine Certificates (RSA signatures)
– EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
– EAP-TLS (certificate authentication, based on a TLS handshake)
– EAP-PEAP (tunnels another EAP method within TLS)
– EAP-TTLS (Windows 8 – tunnels EAP or non-EAP authentication within TLS)
– EAP-AKA / EAP-AKA' / EAP-SIM (Windows 8 – SIM card & mobile network authentication)

Particularities:
– Requires EAP "query-identity" on the server (fails to respond to EAP otherwise)
– Requires AES-256 in the IPsec transform set (current IOS default is AES-128)
– RSA authentication will fail if more than 100 CAs are in the client's Local Machine Trusted Roots store
– KB975488: Windows 7 only sends the IP address as IKE Identity (except when using certs)
– KB814394: Certificate requirements for EAP-TLS and PEAP-EAP-TLS
– KB939616: Certificate keypair lost when copying from the user store to the machine store

Windows 7 – VPN Connection Settings (1)

Connection settings (screenshot callouts):
– Server: a DNS-resolvable FQDN, which must be found in the CN/SAN of the FlexVPN Server IKE certificate and in the CN of the EAP Server TLS certificate
– Type of VPN: IKEv2
– Data encryption: "Require encryption" & "Strongest encryption" require AES-256 in the IPsec transform set:

crypto ipsec transform-set default esp-aes 256 esp-sha-hmac

– Authentication: EAP-MSCHAPv2 or RSA Signatures (machine certificate)


Windows – Mutual RSA Signatures

Mutual IKE certificate-based authentication (RSA signatures in both directions of IKE)
– Windows can only use local machine certificates

IKEv2 profile selection on the server
– Client IKE ID = certificate subject DN
– Server selects the profile based on the certificate map
– Matching is done on the certificate itself, not on the IKE ID

Explicit user/group authorization (RADIUS)
– Non-AAA authentication, therefore no cached attributes
– Extract the CN/OU field from the DN using a name-mangler
– Retrieve user/group attributes from RADIUS

Server configuration:

crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list frad name-mangler ou
 aaa authorization user cert list frad name-mangler cn
 virtual-template 1

RADIUS user database:

# Group definition
Eng
        Cleartext-Password := "cisco"
        Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

# User definition
joe
        Cleartext-Password := "cisco"
        Framed-IP-Address = "10.0.1.101",
        Framed-IP-Netmask = "255.255.255.255"


Windows – EAP Considerations

IKEv2 mandates certificate-based server authentication when the client authenticates with EAP

Profile selection based on the client IKE ID
– Windows 7 with the fix for KB975488: IKE ID = user@domain
  Selection can be based on an "email domain" match
– Windows 7 w/o the fix, or Windows 8 with the regression: IKE ID = client IP address
  Only option: a single IKEv2 profile and virtual template for all groups
  Leverage AAA to provide service differentiation

EAP ID provided by the client during authentication
– Requires "query-identity" (the client cannot perform EAP otherwise)
– The EAP server will query the AAA database for attributes
– Attributes can be reused for implicit user authorization
– The server sends an updated EAP ID in the final Access-Accept reply (usually the same value as the initial client-provided EAP ID)
– The final EAP ID can be reused for additional authorization if needed

Server configuration (one IKEv2 profile serving both IKE ID forms):

crypto ikev2 profile default
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root [sign]
 aaa authentication eap frad
 aaa authorization user eap cached
 aaa authorization group eap list here name-mangler domain


Windows 7 – EAP-MSCHAPv2

EAP-MSCHAPv2 (EAP username/password authentication, relayed by the server to RADIUS)
– EAP ID = user or user@domain
– Password authentication against the EAP server database

Server configuration:

crypto ikev2 profile default
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

RADIUS user database:

# User definition
joe@cisco
        Cleartext-Password := "c1sc0!"
        Framed-IP-Address = "10.0.1.101",
        Framed-IP-Netmask = "255.255.255.255",
        Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"


Windows 7 – EAP-TLS

EAP-TLS (EAP certificate/TLS-based authentication: TLS runs end-to-end between the client and the EAP server, IKEv2 between the client and the FlexVPN server, RADIUS between the FlexVPN server and the EAP server)
– Client performs a TLS handshake with the EAP server
– Mutual authentication using TLS certificates
– Client authentication mandatory (unlike EAP-PEAP)
– EAP ID = TLS certificate UPN (or CN if none)

Server configuration (unchanged from the EAP-MSCHAPv2 case: the FlexVPN server relays EAP, the method is chosen between client and EAP server):

crypto ikev2 profile default
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

RADIUS user database:

# User definition
joe@cisco
        Cleartext-Password := "c1sc0!"
        Framed-IP-Address = "10.0.1.101",
        Framed-IP-Netmask = "255.255.255.255",
        Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"


Windows 7 – EAP-TLS Settings

Client EAP settings (screenshot callouts):
– Server name: must be found in the CN of the EAP Server TLS certificate
– Trusted root authorities for EAP server authentication
– Client certificate taken from the Current User certificate store


Windows 7 – EAP-PEAP

EAP-PEAP (outer TLS method, inner EAP-MSCHAPv2 or EAP-TLS; TLS runs between the client and the EAP server, IKEv2 between the client and the FlexVPN server, RADIUS between the FlexVPN server and the EAP server)
– Client performs a TLS handshake with the EAP server
– Client authenticates the EAP server using its TLS certificate
– Provides protection for the inner EAP exchange
– Inner (tunneled) EAP method authenticates the user
– Outer EAP method returns user attributes to the server

Tunneled EAP-MSCHAPv2
– EAP ID = user or user@domain

Tunneled EAP-TLS
– EAP ID = TLS certificate UPN (or CN if none)

Server configuration (unchanged from the EAP-MSCHAPv2 and EAP-TLS cases):

crypto ikev2 profile default
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

RADIUS user database:

# User definition
joe@cisco
        Cleartext-Password := "c1sc0!"
        Framed-IP-Address = "10.0.1.101",
        Framed-IP-Netmask = "255.255.255.255",
        Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"


Windows 7 – EAP-PEAP Settings

Client EAP settings (screenshot callouts):
– Server name: must be found in the CN of the EAP Server TLS certificate
– Trusted root authorities for EAP server authentication
– Inner (tunneled) EAP method


Windows 7 – Certificate Requirements

Win7 Client IKEv2 Certificate (used for Mutual RSA-SIG)
– Certificate Store: Local Computer
– Common Name (CN): Anything
– Key Usage (KU): Digital Signature
– Extended Key Usage (EKU): Not required (1)
– Subject Alternative Name (SAN): Not required (1)

FlexVPN Server IKEv2 Certificate (used for Mutual RSA-SIG and for EAP, all types)
– Certificate Store: N/A
– Common Name (CN): Anything (if SAN field present); Server FQDN (if no SAN field)
– Key Usage (KU): Digital Signature, Key Encipherment
– Extended Key Usage (EKU): TLS Server Authentication
– Subject Alternative Name (SAN): Optional (1); if present: Server FQDN

Win7 Client TLS Certificate (used for EAP-TLS and, optionally, EAP-PEAP)
– Certificate Store: Current User
– Common Name (CN): Anything (if UPN present); user@domain (if no UPN (2))
– Key Usage (KU): Digital Signature
– Extended Key Usage (EKU): TLS Client Authentication
– Subject Alternative Name (SAN): Optional (1); if present: UPN (2)

EAP Server TLS Certificate (used for EAP-TLS and EAP-PEAP)
– Certificate Store: N/A
– Common Name (CN): Server name (as configured in the client EAP settings)
– Key Usage (KU): Digital Signature
– Extended Key Usage (EKU): TLS Server Authentication
– Subject Alternative Name (SAN): Server FQDN

(1) Not required: may be omitted or set to any value. Optional: may be omitted or set to the specified value
(2) UPN (User Principal Name): Microsoft proprietary "user@domain" SAN extension (OID 1.3.6.1.4.1.311.20.2.3)


Windows 7 – Certificate Import

Client keypair & certificate can be issued by the CA and provisioned to the client PC
– Import keypair, identity cert and issuer cert from a PFX / PKCS#12 package
– Due to KB939616, the machine IKEv2 cert must be imported explicitly into the machine store

Remote Access Clients › FlexVPN Hardware Client


FlexVPN Hardware Client – Overview

IKEv2 initiation on IOS can be driven by the FlexVPN Client Profile CLI construct

Supported authentication methods:

– Certificates (RSA signatures)

– EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)

– EAP-GTC (cleartext password authentication, used for one-time-passwords/tokens)

– EAP-MD5 (hash-based authentication)

– Pre-Shared Keys

Routing on FlexVPN server and client:

– IKEv2 Routing (bidirectional Configuration Exchange)

– Dynamic Routing Protocol (optional, bootstrapped through IKEv2 Routing)

IPv4/IPv6 mixed-mode & dual-stack supported using GRE/IPsec interfaces

More than a Remote Access client, useful also in hub-and-spoke designs where advanced initiator logic is required (dial backup, object tracking, ...)


FlexVPN Hardware Client – Example

Sample configuration:
– Static tunnel interface driven by the FlexVPN Client Profile
– Local AAA authorization (default IKEv2 authorization policy)
– Certificate-based mutual authentication (no EAP)
– Single peer (name resolution of the FQDN on connection)

Tunnel interface configuration:
– IP address assigned through IKEv2 Configuration Exchange
– Tunnel destination set dynamically by the FlexVPN Client logic
– IKEv2/IPsec initiation triggered by the FlexVPN Client logic

Default IKEv2 routing between client & server:
– Client advertises a route for the Tunnel0 assigned IP address
– Client installs prefixes advertised by the server (egress Tunnel0)

Client configuration:

aaa new-model
aaa authorization network here local
!
crypto pki trustpoint root
 rsakeypair root
!
crypto pki certificate map cisco 1
 subject-name co o = cisco
!
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list here default
!
crypto ikev2 client flexvpn flexra
 peer 1 fqdn flexra.cisco.com dynamic
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile default

Default IKEv2 authorization policy on the client:

client#show crypto ikev2 authorization policy default
IKEv2 Authorization Policy : default
route set interface
route accept any tag : 1 distance : 1


FlexVPN Hardware Client – Key Features

Peer list with object tracking:
– Ordered list of FlexVPN servers (by address or FQDN)
– Enable/disable entries based on tracking object state
– Additional peers can be pushed by the server during Config Exchange

crypto ikev2 client flexvpn flexra
 peer 1 <address>
 peer 2 <address> track 10 up
 peer 3 <address> track 20 down
!
track 10 interface <name> line-protocol
track 20 ip route <prefix> reachability

Connection modes (under the FlexVPN client profile):
– Automatic (infinite loop, 10 seconds between tries): connect auto
– When a tracking object goes up/down (enables dial backup): connect track 10 up
– Manual (CLI-triggered): connect manual

EAP local authentication (IKEv2 initiator only):
– Username prompt only if the server does "query-identity"
– Alternative: static credentials in the IKEv2 profile

crypto ikev2 profile default
 authentication local eap

client#crypto ikev2 client flexvpn connect
Enter the command 'crypto eap credentials flexra'
client#crypto eap credentials flexra
Enter the Username for profile flexra: joe@cisco
Enter the password for username joe@cisco:

Configuration Review


Review – Mutual RSA Signatures

Certificate selection depends on the client
– AnyConnect picks the best available ID certificate, based on selection rules in the XML profile (if any); a certificate with EKU is preferred over one without
– Windows uses a local machine certificate
– FlexVPN Client uses the trustpoint in the initiator IKEv2 profile

IKEv2 profile selection on the server
– Client IKE ID = certificate subject DN
– Server selects the profile based on the certificate map
– Matching is done on the certificate itself, not on the IKE ID

Explicit user/group authorization
– Non-AAA authentication, therefore no cached attributes
– Extract the CN/OU fields from the DN using name-manglers
– Retrieve user/group attributes from RADIUS
– Assign the IP address based on a pool or Framed-IP-Address

Server configuration:

crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list frad name-mangler ou
 aaa authorization user cert list frad name-mangler cn
 virtual-template 1

RADIUS user database:

# Group definition
Eng
        Cleartext-Password := "cisco"
        Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

# User definition
joe
        Cleartext-Password := "cisco"
        Framed-IP-Address = "10.0.1.101",
        Framed-IP-Netmask = "255.255.255.255"


Review – EAP Authentication (1)

IKE identity depends on the client type
– AnyConnect: KEY-ID string in the XML profile
– Windows 7 with the fix for bug KB975488: user@domain
– Windows 7 w/o the fix, 7 or 8 with the regression: client IP address
  Only option: a single IKEv2 profile and virtual template for all groups
  Leverage AAA to provide service differentiation
– FlexVPN Client: configurable (in the initiator IKEv2 profile)

Server configuration (one profile matching all three IKE ID forms):

crypto ikev2 profile default
 match identity remote key-id acvpn            (AnyConnect)
 match identity remote email domain cisco      (Windows)
 match identity remote address 0.0.0.0         (Windows with the bug)
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

FlexVPN Client (initiator) configuration:

crypto ikev2 profile default
 identity local ...

RADIUS user database:

# User definition
joe@cisco
        Cleartext-Password := "c1sc0!"
        Framed-IP-Address = "10.0.1.101",
        Framed-IP-Netmask = "255.255.255.255",
        Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"


Review – EAP Authentication (2)

EAP identity depends on the client type & EAP method
– AnyConnect: user[@domain] entered by the user
– Windows 7 + non-TLS EAP: user[@domain] entered by the user
– Windows 7 + TLS-based EAP: TLS certificate UPN (CN if none)
– FlexVPN Client: user[@domain] entered by the user or configured in the initiator IKEv2 profile

The EAP server returns the user attributes for the EAP ID; they can be cached and reused for authorization.

Server configuration:

crypto ikev2 profile default
 match identity remote key-id acvpn
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

FlexVPN Client (initiator) with static credentials (password type 0 is stored in cleartext in the configuration):

crypto ikev2 profile default
 authentication local eap mschapv2 username joe@cisco password 0 c1sc0!

RADIUS user database:

# User definition
joe@cisco
        Cleartext-Password := "c1sc0!"
        Framed-IP-Address = "10.0.1.101",
        Framed-IP-Netmask = "255.255.255.255",
        Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

FlexVPN Routing


FlexVPN Routing – Overview

IKEv2 Routing (Configuration Exchange)

– IPv4 & IPv6 subnets exchanged within IKEv2 Configuration Payloads

– Static routes added to the RIB on both sides

– Remote Access: currently only supported with FlexVPN hardware client

IPsec Reverse Route Injection (RRI)

– Static routes added to RIB for protected remote networks (remote proxies)

– No configuration required (automatic for Virtual-Access with non-any-any proxies)

– Remote Access: supported with software clients (AnyConnect, Windows 7+, ...)

Dynamic Routing Protocol

– Pros: more powerful/flexible/adaptive

– Cons: more complex/resource-intensive

– Remote Access: only supported with FlexVPN hardware client

NHRP Routes

– Not applicable to Remote Access (Dynamic Mesh scenarios only)


FlexVPN Routing – Events & Sources

Route sources feeding the Routing Table (RIB/FIB):

IKEv2 Static Routes (event: Configuration Exchange; source: IKEv2 authorization)
– Prefixes listed in the local "route set local" authorization attribute(s)
– Prefixes received during Configuration Exchange within IPv4/IPv6 SUBNET attributes (handling controlled by the local "route accept" attribute)
  Local configuration:
    route set local {ipv4 | ipv6} prefix
    route accept any [distance ...] [tag ...]
  Remote (peer-side) configuration producing the SUBNET attributes:
    route set interface [ifc-name]
    route set remote {ipv4 | ipv6} prefix
    route set access-list ...

Reverse Route Injection (event: IPsec SA Up / Down; source: IPsec)
– Prefixes corresponding to the negotiated IPsec SA remote proxies (not applicable to any-any VTI or GRE/IPsec)

Regular Dynamic Routes (event: Routing Update; source: Routing Protocol)
– Prefixes advertised by the peer over a dynamic routing protocol neighborship

NHRP Static Routes (event: Shortcut Creation; source: NHRP)
– Spoke-to-spoke tunnels established

Scenarios & Use Cases › Full & Split Tunneling


Scenario: Windows – Full Tunneling

Topology: client LAN 10.42.1.0/24 (gateway 10.42.1.1), WAN, FlexVPN Server 192.0.2.2 with Lo1 10.0.1.1/32 in front of 10.0.0.0/16; assigned VPN IP: 10.0.1.22/32

Server configuration:

interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

Server routing table: S 10.0.1.22/32 is directly connected, Virtual-Access1 (assigned IP address reachable over the client's Virtual-Access, automatic through RRI)

Client IPv4 Route Table:
============================================================
Destination      Gateway      Interface
0.0.0.0/0        10.42.1.1    Local Area Connection
0.0.0.0/0        On-link      FlexVPN Connection       (default route changed to point through the VPN tunnel)
192.0.2.2/32     10.42.1.1    Local Area Connection    (server reachable in the clear via ISP)
10.42.1.0/24     On-link      Local Area Connection    (local LAN still reachable)

"Use default gateway on remote network": if un-checked, the default route is replaced with a single classful route based on the assigned VPN IP address (e.g. 10.0.1.22 gives 10.0.0.0/8), i.e. rudimentary split tunneling


Scenario: AnyConnect – Full Tunneling

Topology: client LAN 10.42.1.0/24 (gateway 10.42.1.1), WAN, FlexVPN Server 192.0.2.2 with Lo1 10.0.1.1/32 in front of 10.0.0.0/16; assigned VPN IP: 10.0.1.22/32

Server configuration:

interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

Server routing table: S 10.0.1.22/32 is directly connected, Virtual-Access1

Client IPv4 Route Table:
============================================================
Destination      Gateway      Interface
0.0.0.0/0        10.42.1.1    Local Area Connection
0.0.0.0/0        On-link      FlexVPN Connection       (default route changed to point through the VPN tunnel)
192.0.2.2/32     10.42.1.1    Local Area Connection    (server in the clear via ISP)
10.42.1.0/24     On-link      Local Area Connection    (local LAN removed from the routing table by AnyConnect)

To enable full tunneling with local LAN access:
– The IOS "include-local-lan" attribute is not supported by AnyConnect; use the RADIUS-only Cisco-AV-Pair "ipsec:split-exclude" with the special value 0.0.0.0/32:
  Cisco-AVPair += "ipsec:split-exclude=0.0.0.0/255.255.255.255"
– In addition, "Local LAN Access" must be enabled in the AnyConnect XML Profile
– Supported in 15.2(4)M6, 15.2(4)S5 and 15.4(2)T/S onwards

Scenario: AnyConnect – Split Tunneling

Topology: FlexVPN Server (Lo1 10.0.1.1/32, network 10.0.0.0/16) – WAN – client on LAN 10.42.1.0/24; assigned VPN IP: 10.0.1.22/32

Server configuration:

interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

Server authorization (one or more subnets to include in the split tunnel):

route set remote ipv4 10.0.0.0 255.255.0.0

Server routing table:

S 10.0.1.22/32 is directly connected, Virtual-Access1

Client IPv4 Route Table
============================================================
Destination     Gateway      Interface
0.0.0.0/0       10.42.1.1    Local Area Connection
10.0.0.0/16     On-link      FlexVPN Connection
10.42.1.0/24    On-link      Local Area Connection

– Split tunnel policy pushed by the server within the IKEv2 Config Exchange
– Specific route(s) pointing through the VPN tunnel
– Local LAN still reachable
– Original default gateway (10.42.1.1) used for internet traffic + reachability of the server (192.0.2.2)

Scenarios & Use Cases › Network Extension

Scenario: HW Client – Single Address PAT

Topology: FlexVPN Client (Eth0/1 on LAN 10.42.1.0/24, Eth0/0 towards the WAN) – WAN – FlexVPN Server (Lo1 10.0.1.1/32, network 10.0.0.0/16); assigned IP: 10.0.1.22/32

FlexVPN Client configuration:

interface Tunnel0
 ip address negotiated
 ip nat outside
!
ip nat inside source route-map vpn interface Tunnel0 overload
!
route-map vpn permit 10
 match interface Tunnel0

Client authorization:

route set interface

FlexVPN Server configuration:

interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

Server authorization:

route set interface
route set remote ipv4 10.0.0.0 255.255.0.0

Client routing table:

S 10.0.0.0/16 is directly connected, Tunnel0
S 10.0.1.1/32 is directly connected, Tunnel0
C 10.0.1.22/32 is directly connected, Tunnel0
C 10.42.1.0/24 is directly connected, Ethernet0/1

– Summary prefix reachable through the tunnel
– Traffic from LAN to remote VPN networks: PAT to the Tunnel0 assigned IP address

Server routing table:

S 10.0.1.22/32 is directly connected, Virtual-Access1

– Assigned IP address reachable over client VA

Works, but not recommended: case generator – clumsy / impractical

Scenario: HW Client – Network Extension

Topology: FlexVPN Client (Eth0/1 on LAN 10.42.1.0/24, Eth0/0 towards the WAN) – WAN – FlexVPN Server (Lo1 10.0.1.1/32, network 10.0.0.0/16); assigned IP: 10.0.1.22/32

FlexVPN Client configuration:

interface Tunnel0
 ip address negotiated
!
interface Ethernet0/1
 ip address 10.42.1.1 255.255.255.0

Client authorization:

route set interface
route set remote ipv4 10.42.1.0 255.255.255.0

FlexVPN Server configuration:

interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

Server authorization:

route set interface
route set remote ipv4 10.0.0.0 255.255.0.0

Server routing table:

C 10.0.1.1/32 is directly connected, Loopback0
S 10.0.1.22/32 is directly connected, Virtual-Access1
S 10.42.1.0/24 is directly connected, Virtual-Access1

– Assigned IP address reachable over client VA
– Client LAN directly reachable over the tunnel (prefix can be redistributed into the IGP)

Client routing table:

S 10.0.0.0/16 is directly connected, Tunnel0
S 10.0.1.1/32 is directly connected, Tunnel0
C 10.0.1.22/32 is directly connected, Tunnel0
C 10.42.1.0/24 is directly connected, Ethernet0/1

– Summary prefix reachable through the tunnel
– Local/remote addresses & prefixes exchanged using IKEv2 routing

Recommended design – equivalent to NEM+ in Easy VPN

Scenario: HW Client – Dynamic Routing

Topology: FlexVPN Client (Eth0/1 on LAN 10.42.1.0/24, Eth0/0 towards the WAN) – WAN – FlexVPN Server (Lo1 10.0.1.1/32, network 10.0.0.0/16); assigned IP: 10.0.1.22/32

FlexVPN Client configuration:

router bgp 65100
 neighbor 10.0.1.1 remote-as 65100
 neighbor 10.0.1.1 update-source Tunnel0
 address-family ipv4
  network 10.42.1.0 mask 255.255.255.0
  neighbor 10.0.1.1 activate
 exit-address-family

Client authorization:

route set interface

FlexVPN Server configuration:

router bgp 65100
 bgp listen range 10.0.1.0/24 peer-group clients
 neighbor clients peer-group
 neighbor clients remote-as 65100
 neighbor clients update-source Loopback1
 address-family ipv4
  network 10.0.0.0 mask 255.255.0.0
  neighbor clients activate
 exit-address-family

Server authorization:

route set interface

Server routing table:

S 10.0.1.22/32 is directly connected, Virtual-Access1
B 10.42.1.0/24 [200/0] via 10.0.1.22 (Virtual-Access1)

– Assigned IP address reachable over client VA
– Client LAN directly reachable over the tunnel (prefix can be redistributed into the IGP)
– BGP Dynamic Neighbor – easy configuration

Client routing table:

B 10.0.0.0/16 [200/0] via 10.0.1.1 (Tunnel0)
S 10.0.1.1/32 is directly connected, Tunnel0
C 10.0.1.22/32 is directly connected, Tunnel0
C 10.42.1.0/24 is directly connected, Ethernet0/1

– Summary prefix reachable through the tunnel
– Addresses for BGP unicast peering exchanged using IKEv2
– Local/remote prefixes exchanged using iBGP

Dynamic, flexible & powerful, but closer to Site-Site than RA

Scenarios & Use Cases › Virtualization (VRF)

Virtual Routing & Forwarding

Router maintains separate L3 forwarding information for each VRF instance (RIB, FIB, routing protocols)

Two variants: VRF with MPLS VPN, and VRF-Lite (local significance only)

Each interface on the router belongs to a single VRF

– For “ip unnumbered”, the reference interface must belong to the same VRF
– If no VRF is specified, the interface belongs to the global VRF

VRF definition and assignment:

Old CLI: single-protocol VRF (IPv4-only)

ip vrf red
 rd 1:1
!
interface Ethernet0/0
 ip vrf forwarding red
 ...

New CLI: multi-protocol VRF (IPv4/IPv6)

vrf definition red
 rd 1:1
 address-family ipv4
 exit-address-family
 address-family ipv6
 exit-address-family
!
interface Ethernet0/0
 vrf forwarding red
 ...

Tunnels – iVRF & fVRF

One physical device with four VRF instances (Blue, Red, Green and Orange RIB/FIB) plus the global RIB/FIB, and two tunnel interfaces (Tun1, Tun2).

Blue VRF (no tunnel):

interface Eth0/0
 ip address 10.0.0.1/24
 vrf forwarding blue
!
interface Eth0/1
 ip address 10.0.1.1/24
 vrf forwarding blue

Red iVRF, front-door VRF (fVRF) = global VRF (default):

interface Eth1/1
 ip address 10.1.1.1/24
 vrf forwarding red
!
interface Eth1/2
 ip address 10.1.2.1/24
!
interface Tunnel1
 ip address 172.16.1.1/30
 vrf forwarding red
 tunnel source Eth1/2

Green iVRF, explicit fVRF (orange):

interface Eth2/1
 ip address 10.2.1.1/24
 vrf forwarding green
!
interface Eth2/2
 ip address 10.2.2.1/24
 vrf forwarding orange
!
interface Tunnel2
 ip address 172.16.2.1/30
 vrf forwarding green
 tunnel vrf orange
 tunnel source Eth2/2

– Inside VRF (iVRF): the tunnel interface address resides in the iVRF (“vrf forwarding”)
– Front-door VRF (fVRF): the VRF in which the encapsulated packets are routed (“tunnel vrf”); defaults to the global VRF

[Figure: the physical device with interfaces Eth0/0 to Eth2/3 and tunnels Tun1/Tun2 mapped onto the Blue, Red, Green, Orange and Global RIB/FIB; encapsulation passes each tunnel from its iVRF to its fVRF]
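As an added example (not Cisco code and not from the slide deck), the following Python checker applies the two VRF placement rules from these slides to an IOS-style configuration fragment: an “ip unnumbered” reference must sit in the same VRF as the interface, and a tunnel’s source interface should sit in the tunnel’s fVRF (global when no “tunnel vrf” is configured). The fragment is constructed to mirror Tunnel2 above and adds a deliberately broken Tunnel3; treating the tunnel-source rule as a design-consistency check is an assumption, not IOS enforcement.

```python
from typing import Dict, List

# Constructed fragment: Tunnel2 as on the slide (green iVRF, explicit orange fVRF),
# plus Tunnel3, which is unnumbered to a red interface while itself sitting in the global VRF.
SAMPLE_CONFIG = """\
interface Eth1/1
 vrf forwarding red
!
interface Eth1/2
!
interface Eth2/2
 vrf forwarding orange
!
interface Tunnel2
 vrf forwarding green
 tunnel vrf orange
 tunnel source Eth2/2
!
interface Tunnel3
 ip unnumbered Eth1/1
 tunnel source Eth1/2
"""


def parse_interfaces(config: str) -> Dict[str, Dict[str, str]]:
    """Map interface name -> {two-word keyword: argument} for an IOS-style fragment."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "interface":
            current = words[1]
            interfaces[current] = {}
        elif current is not None and len(words) >= 2:
            interfaces[current][" ".join(words[:2])] = " ".join(words[2:])
    return interfaces


def vrf_of(interfaces: Dict[str, Dict[str, str]], name: str) -> str:
    """An interface without 'vrf forwarding' belongs to the global VRF."""
    return interfaces.get(name, {}).get("vrf forwarding", "global")


def check_vrf_placement(config: str) -> List[str]:
    """Return one finding per iVRF/fVRF inconsistency (hypothetical checker)."""
    interfaces = parse_interfaces(config)
    findings: List[str] = []
    for name, cfg in interfaces.items():
        ivrf = vrf_of(interfaces, name)
        ref = cfg.get("ip unnumbered")
        if ref and vrf_of(interfaces, ref) != ivrf:
            findings.append(f"{name}: ip unnumbered {ref} is in VRF {vrf_of(interfaces, ref)}, interface is in VRF {ivrf}")
        src = cfg.get("tunnel source")
        fvrf = cfg.get("tunnel vrf", "global")  # fVRF defaults to the global VRF
        if src and vrf_of(interfaces, src) != fvrf:
            findings.append(f"{name}: tunnel source {src} is in VRF {vrf_of(interfaces, src)}, fVRF is {fvrf}")
    return findings
```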

VRF Use Case

Requirements:

– Traffic segregation between two departments
– Single VPN endpoint in global VRF
– AnyConnect software client
– EAP user authentication

Proposed solution:

– Single IKEv2 profile & V-Template
– Local group authorization
– Interface configuration strings
– EAP solely for authentication (no caching of RADIUS attributes)

Topology: Joe (Engineering) and Tom (Finance) connect over the WAN to Eth0/0 in the global VRF; Joe’s V-Access is placed in the Engineering VRF and Tom’s V-Access in the Finance VRF, each department VRF having its own inside interface (Eth0/1, Eth0/2).

VRF Use Case – Configuration

Global configuration (single IKEv2 profile, single AnyConnect profile):

aaa authentication login frad group frad
aaa authorization network here local
!
crypto ikev2 name-mangler dept
 eap suffix delimiter @
!
crypto ikev2 profile default
 match identity remote key-id vpn@cisco
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root
 aaa authentication eap frad
 aaa authorization group eap list here name-mangler dept
 virtual-template 1
!
no crypto ikev2 http-url cert
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

Per-department configuration (Engineering):

aaa attribute list Eng
 attribute type interface-config "vrf forwarding Eng"
 attribute type interface-config "ip unnumbered Loopback1"
!
crypto ikev2 authorization policy Eng
 pool Eng
 dns 10.0.1.1
 aaa attribute list Eng
!
interface Loopback1
 vrf forwarding Eng
 ip address 10.0.1.1 255.255.255.255
!
ip local pool Eng 10.0.1.10 10.0.1.99

Per-department configuration (Finance):

aaa attribute list Fin
 attribute type interface-config "vrf forwarding Fin"
 attribute type interface-config "ip unnumbered Loopback101"
!
crypto ikev2 authorization policy Fin
 pool Fin
 dns 10.0.1.101
 aaa attribute list Fin
!
interface Loopback101
 vrf forwarding Fin
 ip address 10.0.1.101 255.255.255.255
!
ip local pool Fin 10.0.1.110 10.0.1.199

RADIUS User Database:

joe@Eng Cleartext-Password := "joe123"
tom@Fin Cleartext-Password := "tom456"

– EAP authenticates username & domain
– Authorization based on the username@domain suffix (name-mangler)
– No attributes required on the AAA server
– Interface-config attributes applied to the V-Access during V-Template cloning

Scenarios & Use Cases › Quality of Service

The Need for QoS on VPN

QoS is crucial on VPN links for:

– Sharing network bandwidth
– Marshaling bandwidth usage of applications
– Meeting application latency & speed requirements

The classical “greedy spoke” problem:

[Figure: Hub connected to Spoke 1 (greedy), Client 2 and Spoke 3 behind CE 1]

– Congestion at the hub’s crypto engine or WAN link: packets are lost, AND other spokes/clients are starved
– Interface w/ limited downstream rate: packets are lost (most common problem)

Server-Side Hierarchical Shaper

Tunnel bandwidth parent policy:

– Each VPN tunnel is given a maximum bandwidth
– A shaper provides the backpressure mechanism

Protected packets are processed by the child policy:

– There would be several policies: bandwidth, LLQ, etc.

The parent shaper limits the total bandwidth; the child policy applies different policies to different traffic classes (BW reservation, Low-Latency Queuing, Fair Queuing). The hub uses a different parent shaper per peer type (branch vs. RA client), both attaching the same child policy (child-common).

class-map control
 match ip precedence 6
class-map voice
 match ip precedence 5
...
!
policy-map child-common
 class control
  bandwidth 20
 class voice
  priority percent 60
 ...
!
policy-map parent-branch
 class class-default
  shape average 5000000
  service-policy child-common
!
policy-map parent-client
 class class-default
  shape average 1000000
  service-policy child-common

QoS Use Case

Requirements:

– Traffic segregation between departments
– Single VPN endpoint in global VRF
– AnyConnect software client
– EAP user authentication
– Per-user QoS policy

Proposed solution:

– Single IKEv2 profile & V-Template
– Interface configuration strings
– Explicit RADIUS group authorization
– Implicit RADIUS user authorization (user attributes cached during EAP)

Topology: Joe (Engineering) and Tom (Finance) connect over the WAN to Eth0/0 in the global VRF; Joe’s V-Access is placed in the Engineering VRF and Tom’s V-Access in the Finance VRF (inside interfaces Eth0/1, Eth0/2). Joe gets the high-bandwidth policy (10 Mbps), Tom the low-bandwidth policy (5 Mbps).

QoS Use Case – Configuration

Global configuration:

aaa authentication login frad group frad
aaa authorization network frad group frad
!
crypto ikev2 name-mangler dept
 eap suffix delimiter @
!
crypto ikev2 profile default
 match identity remote key-id vpn@cisco
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root
 aaa authentication eap frad
 aaa authorization group eap list frad name-mangler dept
 aaa authorization user eap cached
 virtual-template 1
!
no crypto ikev2 http-url cert
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
policy-map high
 ...

Per-department configuration:

interface Loopback1
 vrf forwarding Eng
 ip address 10.0.1.1 255.255.255.255
!
ip local pool Eng 10.0.1.10 10.0.1.99
!
interface Loopback101
 vrf forwarding Fin
 ip address 10.0.1.101 255.255.255.255
!
ip local pool Fin 10.0.1.110 10.0.1.199

RADIUS User Database (per-user QoS policy, group authorization based on domain):

joe@Eng Cleartext-Password := "joe123"
        Cisco-AVPair = "ip:interface-config=service-policy output high"

tom@Fin Cleartext-Password := "tom456"
        Cisco-AVPair = "ip:interface-config=service-policy output low"

Eng Cleartext-Password := "cisco"
        Cisco-AVPair = "ipsec:addr-pool=Eng",
        Cisco-AVPair += "ipsec:dns-servers=10.0.1.1",
        Cisco-AVPair += "ip:interface-config=vrf forwarding Eng",
        Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"

Fin Cleartext-Password := "cisco"
        Cisco-AVPair = "ipsec:addr-pool=Fin",
        Cisco-AVPair += "ipsec:dns-servers=10.0.1.101",
        Cisco-AVPair += [...]

– Group authorization based on the domain (name-mangler suffix)
– Per-user attributes from EAP applied to the V-Access (“aaa authorization user eap cached”)
– All attributes centralized on the AAA server
– QoS policies defined locally on the FlexVPN server
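As an added example (not Cisco code and not from the slide deck), this Python model walks through the two-stage authorization used by the VRF and QoS use cases: the EAP identity is mangled with the “@” suffix delimiter to find the group, the group’s Cisco-AVPairs are fetched (explicit group authorization), and the user’s own attributes cached during EAP are merged on top (implicit user authorization). The RADIUS database below is constructed from the slide’s entries; the function names and the rule that a user-level scalar attribute overrides the group’s are assumptions.

```python
from typing import Dict, List

# Constructed RADIUS database mirroring the slide: group entries keyed by
# department, user entries keyed by the full EAP identity.
RADIUS_DB: Dict[str, List[str]] = {
    "Eng": ["ipsec:addr-pool=Eng", "ipsec:dns-servers=10.0.1.1",
            "ip:interface-config=vrf forwarding Eng",
            "ip:interface-config=ip unnumbered Loopback1"],
    "Fin": ["ipsec:addr-pool=Fin", "ipsec:dns-servers=10.0.1.101",
            "ip:interface-config=vrf forwarding Fin",
            "ip:interface-config=ip unnumbered Loopback101"],
    "joe@Eng": ["ip:interface-config=service-policy output high"],
    "tom@Fin": ["ip:interface-config=service-policy output low"],
}


def eap_suffix(identity: str, delimiter: str = "@") -> str:
    """'crypto ikev2 name-mangler dept / eap suffix delimiter @': group = text after the last '@'."""
    if delimiter not in identity:
        raise PermissionError(f"identity {identity!r} carries no {delimiter!r} suffix")
    return identity.rsplit(delimiter, 1)[1]


def parse_av_pairs(pairs: List[str]) -> Dict[str, object]:
    """Turn Cisco-AVPair strings into a policy dict; interface-config lines accumulate in order."""
    policy: Dict[str, object] = {"interface-config": []}
    for pair in pairs:
        namespace, _, rest = pair.partition(":")
        attr, _, value = rest.partition("=")
        if namespace not in ("ipsec", "ip") or not attr or not value:
            raise ValueError(f"malformed Cisco-AVPair: {pair!r}")
        if attr == "interface-config":
            policy["interface-config"].append(value)  # type: ignore[union-attr]
        else:
            policy[attr] = value
    return policy


def authorize(identity: str) -> Dict[str, object]:
    """Explicit group authorization, then implicit (cached) user authorization merged on top."""
    group = eap_suffix(identity)
    if group not in RADIUS_DB:
        raise PermissionError(f"no group authorization for {group!r}")
    policy = parse_av_pairs(RADIUS_DB[group])
    cached = parse_av_pairs(RADIUS_DB.get(identity, []))  # user attributes cached during EAP
    for key, value in cached.items():
        if key == "interface-config":
            policy[key].extend(value)  # type: ignore[union-attr]  # both sets reach the Virtual-Access
        else:
            policy[key] = value  # assumption: a user-level scalar overrides the group's
    return policy
```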

FlexVPN SSL Preview (TENTATIVE – still in development!)

FlexVPN SSL – Overview (TENTATIVE)

Roadmap:

– IOS-XE 3.12S / 15.4(2)S: CSR1000v support
– IOS-XE 3.13S / 15.4(3)S: ASR1000 support

Client-based only (AnyConnect – all platforms)

– No support for clientless aka WebVPN

Integrated into the FlexVPN framework

– AAA integration
– Virtual tunnel interfaces
– Smart defaults
– CLI consistency

Initial baseline release, features to be added progressively

– Virtual Hosting, HostScan / Posture, Two-Factor, DTLS, Mixed-Mode / Dual-Stack, ...

FlexVPN SSL – CLI (TENTATIVE)

crypto ssl proposal my-proposal
 protection dhe-rsa-aes256-sha rsa-aes256-sha1
!
crypto ssl policy my-policy
 match address local fvrf wan any port 443
 pki trustpoint my-root sign
 ssl proposal my-proposal
 no shutdown
!
crypto ssl profile my-profile
 match policy my-policy
 match url fqdn eng-sslvpn.example.com
 authentication remote user-pass
 aaa authentication user-pass list my-radius
 aaa authorization user user-pass cached
 aaa authorization group user-pass list my-radius eng-group
 virtual-template 1
 no shutdown

– ssl proposal: cryptographic algorithms, key exchange method
– ssl policy: local endpoint matching criteria, apply SSL proposal, configure SSL server certificate
– ssl profile: match on SSL policy; match on URL (FQDN, hostname, path, ...); authentication (certificate, username/password); authorization (cached, user, group); accounting; virtual interface template

Wrapping up...

Call to Action...

Visit the Cisco Campus at the World of Solutions

BRKSEC-3036 – Advanced IPsec designs with FlexVPN by Frédéric Detienne

– Friday 11:30am, North Wing Level -1, Green Hall 3

Meet the Engineer

– Alex Honoré, Frédéric Detienne, Olivier Pélerin (TAC EMEA), Raffaele Brancaleoni (Advanced Services EMEA), Wen Zhang (TAC US), Tom Alexander (TAC GCE)

Discuss your project’s challenges at the Technical Solutions Clinics

Attend one of the Lunch Time Table Topics, held in the main Catering Hall

Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014

CL365: visit us online after the event for updated PDFs and on-demand session videos at www.CiscoLiveEU.com

Complete Your Online Session Evaluation

Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt