VPN Remote Access with IOS & Introduction to FlexVPN BRKSEC-2881
Alex HONORÉ, CCIE #19553
Senior Customer Support Engineer, EMEA Technical Assistance Center
© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-2881 Cisco Public
Objectives & Prerequisites
Session objectives:
– Introduce IKEv2 & FlexVPN, with a focus on AAA-based management
– Demonstrate the value-add and possibilities of FlexVPN as a Remote Access solution with a variety of clients (software & hardware)
– Solve simple & complex use cases using FlexVPN
Basic understanding of the following topics is required:
– IPsec, IKEv1, PKI, AAA, RADIUS, AnyConnect, VRF, QoS
Experience with the following features is a plus:
– Easy VPN, MQC, VRF-Lite, iBGP
More FlexVPN (hub-spoke, dynamic mesh, MPLS over Flex, multicast, ...)
– BRKSEC-3036 – Advanced IPsec designs with FlexVPN by F. Detienne
– Friday 11:30am, North Wing Level -1, Green Hall 3
Session Agenda
Introduction to FlexVPN
Tunnel Interfaces
Configuration Building Blocks
FlexVPN AAA Integration
– AAA-Based Authentication
– User & Group Authorization
– Connection Accounting
Remote Access Clients
– AnyConnect Software Mobility Client
– Windows Native IKEv2 Client
– FlexVPN Hardware Client
Scenarios & Use Cases
– Full & Split Tunneling
– Network Extension
– Virtualization (VRF)
– Quality of Service
FlexVPN SSL Preview
Wrap-up
Before We Begin...
“Additional info” slides:
– Rendered in the presentation PDF (download it through the Cisco Live portal)
– Not shown during the live presentation
– Cover extra details or small additional topics
FlexVPN Overview
Unified overlay VPN
– Combines site-to-site, remote access, hub-spoke & spoke-spoke topologies
– IPsec VPN compliant with the IKEv2 standard
– SSL VPN remote access coming soon (AnyConnect Secure Mobility Client)
FlexVPN highlights
– Unified CLI with smart defaults
– Unified infrastructure that leverages point-to-point tunnel interfaces
– Most features available across all topologies (QoS, AAA, VRF, ...)
– Interoperable with other IKEv2 implementations (ASA, Windows, strongSwan, ...)
– Easier to learn, market and manage
Solution Positioning
One VPN to learn and deploy
Everything works – no questions asked
Feature comparison across IOS VPN technologies:

Feature               | Easy VPN | DMVPN   | Crypto Map | FlexVPN
Interop.              | No       | No      | Yes        | Yes
Dynamic Routing       | No       | Yes     | No         | Yes
IPsec Routing         | Yes      | No      | Yes        | Yes
Spoke to Spoke Direct | No       | Yes     | No         | Yes
Remote Access         | Yes      | No      | Yes        | Yes
Simple Failover       | Yes      | Partial | Poor       | Yes
Source Failover       | No       | No      | No         | Yes
Config Push           | Yes      | No      | No         | Yes
Per-Peer Config       | Yes      | No      | No         | Yes
Per-Peer QoS          | Yes      | Group   | No         | Yes
Full AAA Mgmt         | Complex  | No      | No         | Yes
Why FlexVPN?
IKEv2 is a major protocol update
– No backward compatibility with IKEv1
– Requires serious consideration and reconfiguration
– Brings in a lot of improvements
Major IOS architecture rework needed to address needs
– Per-peer features (QoS, ZBFW, policies, VRF injection,…)
– Too many overlay technologies – offering was too fragmented
– VPN learning time had grown out of control (1 day techtorial insufficient)
IKEv2 is a good transition point to revisit design and architecture
Ideal for all types of VPNs
– Service aggregation (remote access, site-to-site, ...)
– Improved service management
– Multitenancy
Comparing IKEv1 & IKEv2
(figure: the two protocol stacks side by side; recoverable content follows)
IKEv1: ISAKMP (RFC 2408), IPsec DOI (RFC 2407), IKE (RFC 2409); extended by NAT-T, DPD, Mode Config and Hybrid Auth.; Main + Aggressive modes.
IKEv2: RFC 5996; INITIAL exchanges (IKE_SA_INIT, IKE_AUTH) replace Main/Aggressive; cleaner identity/key exchange; acknowledged notifications; anti-DoS; Suite-B; EAP Auth.; extensions such as IKEv2 Redirect (RFC 5685), Childless IKEv2 (RFC 6023), EAP-Only IKEv2 (RFC 5998), etc.
Same objectives: authentication, integrity, confidentiality. Both use UDP ports 500 & 4500 and support PSK and RSA-Sig; IKEv2 brings more secure authentication options. Similar but different.
IKEv2 Exchanges
Initiator (I) ↔ Responder (R)
– IKE_SA_INIT: IKEv2 Security Association (SA) establishment (proposal selection, key exchange)
– IKE_AUTH: mutual authentication & identity exchange; initial IPsec SAs establishment; certificate exchange (optional); configuration exchange (optional)
– CREATE_CHILD_SA: additional IPsec SAs establishment; IKEv2 & IPsec SA rekey
– INFORMATIONAL: can be (I → R) with ACK or (R → I) with ACK; notifications (SA deletion, liveness check, ...); configuration exchange (one or both ways)
IKEv2 Configuration Exchange
Initiator (I) ↔ Responder (R)
In IKE_AUTH, the initiator (RA client) requests configuration parameters from the responder (RA server):
– CFG_REQUEST (I → R): "I would like: an IPv6 address, a DNS & WINS server, a list of protected IPv6 subnets"
– CFG_REPLY (R → I), derived from peer authorization: "Your assigned IPv6 address is ..., your DNS server is ..., there is no WINS server, my protected IPv6 subnets are ..."
In INFORMATIONAL, the initiator and/or responder sends unsolicited configuration parameters to its peer:
– CFG_SET (I → R): "My local IPv6 protected subnets are ..."; CFG_ACK (R → I): "Acknowledged"
– CFG_SET (R → I), derived from peer authorization; CFG_ACK (I → R)
IKEv2 Certificate-Based Authentication
PKI: a Root CA with two subordinate CAs, Sub#1 and Sub#2. A (initiator) holds a certificate issued by Sub#1; B (responder) holds a certificate issued by Sub#2.
B is willing to accept:
– certs issued by Root
– certs issued by Sub#1
A must provide B with:
– its identity certificate
– the Sub#1 certificate
… to complete the chain
Exchange:
[IKE_SA_INIT_I] A → B
[IKE_SA_INIT_R] B → A: CERT_REQ(Root), CERT_REQ(Sub#1)
A computes its cert chain (Root → Sub#1 → A).
[IKE_AUTH_I] A → B: CERT_REQ(Root), CERT_REQ(Sub#2), CERT(Root → Sub#1), CERT(Sub#1 → A), AUTH(HASH_I)
B validates the chain & verifies the signature, then computes its own cert chain (Root → Sub#2 → B).
[IKE_AUTH_R] B → A: CERT(Root → Sub#2), CERT(Sub#2 → B), AUTH(HASH_R)
A validates the chain & verifies the signature.
Dynamic Point-to-Point Virtual Interfaces
FlexVPN Server: P2P virtual interface template (VT1)
  crypto ikev2 profile default
   ...
   virtual-template 1
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
Dynamically instantiated P2P interfaces (VT1 cloned into VA1, VA2, VA3, one per connected client, each carrying its own security policy and QoS):
  interface Virtual-Access1
   ip unnumbered Loopback0
   tunnel source <local-address>
   tunnel destination <remote-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output mobile-QoS
  interface Virtual-Access2
   ip unnumbered Loopback0
   tunnel source <local-address>
   tunnel destination <remote-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output traveler-QoS
  interface Virtual-Access3
   ip unnumbered Loopback0
   tunnel source <local-address>
   tunnel destination <remote-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output home-office-QoS
Server routing table (RIB/FIB): the clients are reached at 10.0.1.10/32, 10.0.1.11/32 and 10.0.1.12/32, and the client behind Virtual-Access3 also brings the 10.42.1.0/24 subnet:
  S default via Ethernet0/0
  L 10.0.1.1/32 local Loopback0
  S 10.0.1.10/32 via Virtual-Access1
  S 10.0.1.11/32 via Virtual-Access2
  S 10.0.1.12/32 via Virtual-Access3
  S 10.42.1.0/24 via Virtual-Access3
Client: static P2P virtual interface (Tun0)
  interface Tunnel0
   ip address negotiated
   tunnel source Ethernet0/0
   tunnel destination <server-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
Interface Features
(figure: packet path through the FlexVPN server, from the LAN-facing Ethernet interface through Virtual-Access1 to the WAN-facing Ethernet interface; Ethernet0/0 and Ethernet0/1 in the figure)
Cleartext traffic (from server LAN), IP | L4 | Data:
– Interface input features (NAT, PBR, QoS, NetFlow, ...) apply to the cleartext packet
– RIB/FIB (routing table) lookup selects the Virtual-Access interface
– Pre-encapsulation interface output features apply to the cleartext packet
– IPsec encapsulation (tunnel protection)
Encrypted traffic (to RA client), IP | IPsec | IP | L4 | Data, with the inner packet encrypted:
– Post-encapsulation interface output features apply to the encrypted packet
Tunnel Encapsulation
IPsec Tunnel Mode (IPv4 or IPv6)
– Classic dVTI: compatibility with software clients (any-to-any or any-to-assigned-address)
– Multi-SA dVTI: compatibility with legacy crypto map peers (ASA, other vendors)
GRE over IPsec
– Dual-stack (IPv4 + IPv6 over IPsec) out of the box
– Enables tunneling of non-IP protocols (e.g. MPLS)
– Required for dynamic mesh scenarios (à la DMVPN, but with the extra flexibility of point-to-point interfaces)
– “tunnel mode gre ip” is the default on static & dynamic tunnel interfaces
IPsec tunnel mode:
  interface Virtual-Template1 type tunnel
   tunnel mode ipsec {ipv4 | ipv6}
   tunnel protection ipsec profile default
Packet: IP | IPsec | IP | L4 | Data (inner packet encrypted)
GRE over IPsec:
  interface Virtual-Template1 type tunnel
   tunnel mode gre {ip | ipv6}
   tunnel protection ipsec profile default
Packet: IP | IPsec | GRE | IP | L4 | Data (GRE header and inner packet encrypted)
Configuration Example
  ! IKEv2 identity & profile selection
  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   identity local fqdn router.cisco.com
   ! IKEv2 authentication & certificates
   authentication local rsa-sig
   authentication remote eap
   pki trustpoint root sign
   ! AAA integration (authentication, authorization, accounting)
   aaa authentication eap default
   aaa authorization user eap
   ! Dynamic point-to-point interfaces
   virtual-template 1
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   ! Native IPsec tunnel or GRE/IPsec
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
IKEv2 CLI Overview: Proposal, Policy and Keyring
IKEv2 Proposal (algorithms for IKEv2 SA):
  crypto ikev2 proposal default
   encryption aes-cbc-256 aes-cbc-128 3des
   integrity sha512 sha256 sha1 md5
   group 5 2
IKEv2 Policy (binds IKEv2 Proposal to local Layer 3 scope):
  crypto ikev2 policy default
   match fvrf any
   proposal default
IKEv2 Keyring (supports asymmetric Pre-Shared Keys):
  crypto ikev2 keyring IOSKeyring
   peer cisco
    address 10.0.1.1
    pre-shared-key local CISCO
    pre-shared-key remote OCSIC
IKEv2 Authorization Policy (contains attributes for local AAA & config. exchange):
  crypto ikev2 authorization policy default
   route set interface
   route accept any
IKEv2 CLI Overview: IKEv2 Profile (extensive CLI)
  crypto ikev2 profile default
   ! Self identity control: only one local identity allowed
   identity local address 10.0.0.1
   identity local fqdn local.cisco.com
   identity local email [email protected]
   identity local dn
   ! Match on peer IKE identity or certificate: multiple "match identity" allowed
   match identity remote address 10.0.1.1
   match identity remote fqdn remote.cisco.com
   match identity remote fqdn domain cisco.com
   match identity remote email [email protected]
   match identity remote email domain cisco.com
   match certificate certificate_map
   ! Match on local address and front VRF
   match fvrf red
   match address local 172.168.1.1
   ! Asymmetric local & remote authentication methods:
   ! only one local method allowed, multiple remote methods allowed
   authentication local pre-share
   authentication local rsa-sig
   authentication local eap
   authentication remote pre-share
   authentication remote rsa-sig
   authentication remote eap
   ! Local and AAA-based Pre-Shared Keyring
   keyring local IOSKeyring
   keyring aaa AAAlist
   pki trustpoint <trustpoint_name>
IKEv2 Basic Negotiation
Initiator → Responder: HDR, SAi1, KEi, Ni
Responder → Initiator: HDR, SAr1, KEr, Nr, [CERTREQ]
Initiator → Responder: HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}
Responder → Initiator: HDR, SK {IDr, [CERT], AUTH, SAr2, TSi, TSr}
HDR – IKE Header
SAi, SAr – Crypto algorithms proposed/accepted by the peer
KEi, KEr – Initiator/Responder Key Exchange material
Ni, Nr – Initiator/Responder Nonce
SK {...} – Payload encrypted and integrity protected
IDi, IDr – Initiator/Responder IKE Identity
CERTREQ, CERT – Certificate Request, Certificate Payload
AUTH – Authentication data
SA – Proposal & Transform to create initial CHILD_SA
TSi, TSr – Traffic Selectors (as src/dst proxies)
IKEv2 Profile Match Statements
HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}
Match on the peer's IKE identity (IDi payload):
– IP Address: 172.16.0.1 → match identity remote address 172.16.0.1
– FQDN: router.cisco.com → match identity remote fqdn router.cisco.com
– Email: [email protected] → match identity remote email [email protected]
Match on the peer's certificate (CERT payload) via a certificate map:
– Subject: cn=Router, ou=Engineering, o=Cisco
– Issuer: cn=PKI Server, ou=IT, o=Cisco
– ...
  match certificate <cert-map>
Certificate map rules ("co" = contains):
  subject-name co ou = engineering
  issuer-name co o = cisco
IPsec CLI Overview: Tunnel Protection (similar to DMVPN and EasyVPN)
Transform set unchanged:
  crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
IPsec profile defines SA parameters and points to the IKEv2 profile:
  crypto ipsec profile default
   set transform-set default
   set ikev2-profile default
Dynamic point-to-point interfaces (tunnel protection points to the IPsec profile):
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   tunnel protection ipsec profile default
Static point-to-point interfaces:
  interface Tunnel0
   ip address 10.0.0.1 255.255.255.252
   tunnel source Ethernet0/0
   tunnel destination 172.16.2.1
   tunnel protection ipsec profile default
Introducing Smart Defaults: intelligent, reconfigurable defaults
What you need to specify:
  crypto ikev2 profile default
   match identity remote address 10.0.1.1
   authentication local rsa-sig
   authentication remote rsa-sig
   aaa authorization user cert list default default
   pki trustpoint root
  !
  interface Tunnel0
   ip address 192.168.0.1 255.255.255.252
   tunnel protection ipsec profile default
These constructs are the Smart Defaults (present without being configured):
  crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
  crypto ipsec profile default
   set transform-set default
   set ikev2-profile default
  crypto ikev2 proposal default
   encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
   integrity sha512 sha384 sha256 sha1 md5
   group 5 2
  crypto ikev2 policy default
   match fvrf any
   proposal default
  crypto ikev2 authorization policy default
   route set interface
   route accept any
Reconfigurable Defaults
All defaults can be modified, deactivated and restored.
Modifying defaults:
  crypto ikev2 proposal default
   encryption aes-cbc-128
   integrity md5
  crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
Restoring defaults:
  default crypto ikev2 proposal
  default crypto ipsec transform-set
Disabling defaults:
  no crypto ikev2 proposal default
  no crypto ipsec transform-set default
Static Site-to-Site Example
Router 2 configuration (Router 1 is the peer at 192.0.2.1):
  crypto ikev2 profile default
   match identity remote fqdn r1.cisco.com
   identity local fqdn r2.cisco.com
   authentication remote pre-share key r1r2!
   authentication local pre-share key !r2r1
  !
  interface Tunnel0
   ip address 10.0.0.2 255.255.255.252
   tunnel source Ethernet0/0
   tunnel destination 192.0.2.1
   tunnel protection ipsec profile default
  !
  interface Ethernet0/0
   ip address 192.0.2.2 255.255.255.0
  !
  router rip
   version 2
   network 10.0.0.0
   ...
Exchange (Router 1 shown initiating):
– Perform IKE SA agreement & Diffie-Hellman key exchange (not shown)
– Router 1: "My IKE ID is: r1.cisco.com (FQDN). My PSK authentication payload is... I want to protect GRE traffic between..."
– Router 2: map connection to IKEv2 profile "default" by matching on peer FQDN; verify peer's AUTH payload & produce our own based on configured PSK; use our own FQDN as IKE ID
– Router 2: "My IKE ID is: r2.cisco.com (FQDN). My PSK authentication payload is... I agree to protect GRE traffic between..."
– Finalize IPsec SAs (GRE between local & remote WAN addresses)
– Establish routing protocol neighborship & exchange prefixes
FlexVPN AAA
IKEv2 communicates with IOS AAA subsystem
– Local database (IKEv2 Authorization Policy)
– Remote database (RADIUS)
Protocols in play: IKEv2, RADIUS, EAP
AAA-based authentication:
– Pre-shared keys stored on RADIUS server
– EAP over IKEv2 & RADIUS
Authorization:
– Implicit authorization (re-uses attributes received during authentication)
– Explicit authorization (local or remote, group- & user-level)
Accounting
Authentication, Authorization & Accounting: the IKEv2 profile references AAA lists by name, for example:
  aaa new-model
  aaa authorization network local-db local
  aaa authorization network remote-db group radius
High-Level Interactions
Roles:
– RA client: IKEv2 initiator, EAP supplicant
– FlexVPN server: IKEv2 responder, RADIUS client (NAS), EAP authenticator
– AAA server: RADIUS server, EAP backend
Interactions:
– Cert. authentication: RA client ↔ FlexVPN server
– AAA PSK retrieval (FlexVPN server ↔ AAA server), then PSK authentication (RA client ↔ FlexVPN server)
– EAP client authentication: RA client ↔ AAA server, relayed by the FlexVPN server
– Cached & local authorization on the FlexVPN server; RADIUS authorization and RADIUS accounting (optional) with the AAA server
Building Block – IKEv2 Name Mangler
Start with the peer’s IKE or EAP identity
Derive a username that is meaningful to AAA (local or RADIUS)
Roles: RA client = IKEv2 initiator; FlexVPN server = IKEv2 responder, RADIUS client (NAS); AAA server = RADIUS server
Example name mangler:
  crypto ikev2 name-mangler extract-user
   fqdn hostname
   email username
   dn common-name
   eap prefix delimiter @
RA client identity (taken from the IKEv2 exchange) → AAA username "joe":
– FQDN: joe.cisco.com → hostname
– Email: [email protected] → username
– DN: cn=joe,ou=IT,o=Cisco → common-name
– EAP: joe@cisco → prefix before the "@" delimiter
RADIUS AAA request: username joe, password cisco (static password, configurable)
Local AAA request: username joe
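The derivation rules above, modelled in Python as an added illustration (not IOS code and not from the presentation). It parses the same statement vocabulary the slide configures (fqdn/email/dn/eap) and also covers the "ou" mangler (dn organization-unit) used in the authorization example later in the deck; the behaviour when the EAP delimiter is absent is an assumption.

```python
"""IKEv2 name-mangler behaviour modelled in Python (added illustration,
not IOS code). Rule vocabulary as on the slides:
  fqdn hostname|domain|all, email username|domain|all,
  dn <attribute>, eap prefix|suffix delimiter <char> | eap all
Assumption: when the EAP delimiter is absent, the whole identity is used.
"""
from dataclasses import dataclass

# Map the CLI's DN keywords to RDN attribute types
DN_KEYWORDS = {"common-name": "cn", "organization-unit": "ou",
               "organization": "o", "country": "c", "locality": "l",
               "state": "st"}


@dataclass(frozen=True)
class PeerIdentity:
    kind: str   # "fqdn", "email", "dn" (IKE identities) or "eap"
    value: str


def parse_mangler(cli: str) -> dict:
    """Parse the statements under 'crypto ikev2 name-mangler <name>'."""
    rules = {}
    for line in cli.strip().splitlines():
        words = line.split()
        if not words or words[0] == "crypto":
            continue                               # skip the block header
        kind = words[0]
        if kind == "eap" and words[1] in ("prefix", "suffix"):
            rules[kind] = (words[1], words[3])     # eap prefix delimiter @
        else:
            rules[kind] = (words[1], "")
    return rules


def mangle(identity: PeerIdentity, rules: dict) -> str:
    """Derive the AAA username from the peer's IKE or EAP identity."""
    if identity.kind not in rules:
        raise ValueError(f"no rule for identity type {identity.kind}")
    keyword, delim = rules[identity.kind]
    value = identity.value
    if keyword == "all":
        return value
    if identity.kind in ("fqdn", "email"):
        sep = "." if identity.kind == "fqdn" else "@"
        head, _, tail = value.partition(sep)
        return head if keyword in ("hostname", "username") else tail
    if identity.kind == "dn":
        wanted = DN_KEYWORDS[keyword]
        for rdn in value.split(","):           # "cn=joe,ou=IT,o=Cisco"
            attr, _, val = rdn.strip().partition("=")
            if attr.strip().lower() == wanted:
                return val.strip()
        raise ValueError(f"{keyword} not present in {value!r}")
    if identity.kind == "eap":
        head, found, tail = value.partition(delim)
        if not found:
            return value                   # assumption: no delimiter -> whole ID
        return head if keyword == "prefix" else tail
    raise ValueError(identity.kind)


# Constructed sample: the slide's "extract-user" mangler
EXTRACT_USER = parse_mangler("""
crypto ikev2 name-mangler extract-user
 fqdn hostname
 email username
 dn common-name
 eap prefix delimiter @
""")

if __name__ == "__main__":
    # Constructed identities matching the slide's four cases
    for ident in (PeerIdentity("fqdn", "joe.cisco.com"),
                  PeerIdentity("email", "joe@cisco.com"),
                  PeerIdentity("dn", "cn=joe,ou=IT,o=Cisco"),
                  PeerIdentity("eap", "joe@cisco")):
        print(f"{ident.kind:5} {ident.value:25} -> {mangle(ident, EXTRACT_USER)}")
```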
AAA Pre-Shared Keys
Same IKEv2 packet flow as regular PSK authentication
FlexVPN Server has no IKEv2 keyring configured
Local & remote pre-shared keys stored on RADIUS server
Symmetric key (IETF attribute):
  router2 Cleartext-Password := "cisco"
          Tunnel-Password = "!cisco?"
Asymmetric keys (Cisco AV-Pair):
  router1 Cleartext-Password := "cisco"
          Cisco-AVPair = "ipsec:ikev2-password-local=cisco!",
          Cisco-AVPair += "ipsec:ikev2-password-remote=!ocsic"
AAA Pre-Shared Keys – Packet Flow
Roles: FlexVPN client = IKEv2 initiator; FlexVPN server = IKEv2 responder, RADIUS client (NAS); AAA server = RADIUS server
  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   keyring aaa list radius name-mangler extract-host
  !
  crypto ikev2 name-mangler extract-host
   fqdn hostname
1. Client → Server, IKEv2 (IKE_AUTH): IDi, AUTH(PSK), ... (IKEv2 ID: joe.cisco.com)
2. Server runs the IKEv2 ID through the name mangler (FQDN hostname): AAA username joe
3. Server → AAA server, RADIUS (Access-Request): User-Name: joe, Password: cisco (static password, configurable)
4. AAA server → Server, RADIUS (Access-Accept): Local PSK = cisco!, Remote PSK = !ocsic, other user attributes for joe (cached for authorization)
5. Server → Client, IKEv2 (IKE_AUTH): IDr, AUTH(PSK), ...
EAP Authentication
Extensible Authentication Protocol (RFC 3748)
– Provides common functions for a variety of authentication methods
– Tunneling methods (costly): EAP-TTLS, EAP-PEAP, …
– Non-tunneling (recommended): EAP-MSCHAPv2, EAP-GTC, EAP-MD5, …
Implemented in IKEv2 as additional IKE_AUTH packets
– RA client initiates EAP authentication by omitting AUTH payload in IKE_AUTH
– RA server must authenticate itself using certificates (mandatory)
– Authentication takes place between RA client and EAP backend authentication server
EAP packets are relayed by RA server
– Between RA client and RA server: tunneled inside IKEv2
– Between RA server and EAP backend: tunneled inside RADIUS
EAP method is transparent to RA server
– Only needs to be supported by RA client and EAP backend
EAP Authentication
Roles: RA client = IKEv2 initiator, EAP supplicant; FlexVPN server = IKEv2 responder, RADIUS client (NAS), EAP authenticator; AAA server = RADIUS server, EAP backend. EAP runs end-to-end between RA client and EAP backend, carried inside IKEv2 on the client side and inside RADIUS on the server side.
– Username-password/token/mobile authentication (one-way): EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 / EAP-AKA / EAP-SIM / ...
– TLS-based certificate authentication (mutual): EAP-TLS, with TLS between RA client and EAP backend
– TLS-protected nested authentication (one-way or mutual): EAP-PEAP / EAP-TTLS carrying EAP-MSCHAPv2 / EAP-TLS / ...
In all cases the RA server authenticates to the client using IKE certificates (mandatory):
  crypto ikev2 profile default
   authentication remote eap query-identity
   aaa authentication eap frad
EAP Authentication – Packet Flow
Roles: RA client = IKEv2 initiator, EAP supplicant; FlexVPN server = IKEv2 responder, RADIUS client (NAS), EAP authenticator; AAA server = RADIUS server, EAP backend
  crypto ikev2 profile default
   authentication remote eap query-identity
   aaa authentication eap frad
1. Client → Server, IKEv2 (IKE_AUTH): IDi, CFG_REQ, no AUTH
2. Server → Client, IKEv2 (IKE_AUTH): IDr, AUTH(RSA), EAP(ID-Request)
3. Client → Server, IKEv2 (IKE_AUTH): EAP(ID-Response: IDEAP), IDEAP being the EAP username
4. Server → AAA server, RADIUS (Access-Request): EAP(ID-Response: IDEAP)
5. AAA server → Server, RADIUS (Access-Challenge): EAP(EAP-Method-Pkt#1); relayed Server → Client in IKEv2 (IKE_AUTH)
6. Client → Server, IKEv2 (IKE_AUTH): EAP(EAP-Method-Pkt#2); relayed Server → AAA server in RADIUS (Access-Request). Steps 5 and 6 repeat as many times as the EAP method requires.
7. AAA server → Server, RADIUS (Access-Accept): EAP(Success), MSK, User-Name, other user attributes (cached for authorization)
8. Server → Client, IKEv2 (IKE_AUTH): EAP(Success); both sides now hold the MSK
9. Client → Server, IKEv2 (IKE_AUTH): AUTH(MSK)
10. Server → Client, IKEv2 (IKE_AUTH): CFG_REPLY, AUTH(MSK)
EAP Authentication – Initiation
Roles: RA client = IKEv2 initiator, EAP supplicant; FlexVPN server = IKEv2 responder, RADIUS client (NAS), EAP authenticator; AAA server = RADIUS server, EAP backend
With "query-identity" (EAP ID provided by client):
1. Client → Server, IKEv2 (IKE_AUTH): IDi, CFG_REQ, no AUTH
2. Server → Client, IKEv2 (IKE_AUTH): IDr, AUTH(RSA), EAP(ID-Request)
3. Client → Server, IKEv2 (IKE_AUTH): EAP(ID-Response: IDEAP)
4. Server → AAA server, RADIUS (Access-Request): EAP(ID-Response: IDEAP)
Without "query-identity" (IKE ID used as EAP ID):
1. Client → Server, IKEv2 (IKE_AUTH): IDi, CFG_REQ, no AUTH
2. Server → Client, IKEv2 (IKE_AUTH): IDr, AUTH(RSA)
3. Server → AAA server, RADIUS (Access-Request): EAP(ID-Response: IDi)
"query-identity" is recommended: several clients stall if it is not configured. It is not the default ... but it should be.
Authorization Types (not mutually exclusive; may be combined)
Implicit user authorization: uses cached attributes received from RADIUS during AAA PSK retrieval or EAP authentication
  crypto ikev2 profile default
   aaa authorization user {psk|eap} cached
Explicit user authorization: retrieves user attributes from RADIUS (local database not supported)
  crypto ikev2 profile default
   aaa authorization user {psk|eap|cert} list list [name | name-mangler mangler]
Explicit group authorization: retrieves group attributes from RADIUS or local database; "override" reverses the order of precedence (group > user)
  crypto ikev2 profile default
   aaa authorization group {psk|eap|cert} [override] list list [name | name-mangler mangler]
Cached for authorization (from the RADIUS Access-Accept of the AAA PSK flow): Local PSK = cisco!, Remote PSK = !ocsic, other user attributes for joe
Attributes – Syntax
Local Database
– IKEv2 Authorization Policy
– AAA Attribute List (V-Access interface configuration statements)
Central/Remote Database (on RADIUS Server)
– Standard IETF Attributes (Framed-IP-Address, etc.)
– Cisco Attribute-Value Pairs (Cisco-AVPair)
Local database:
  crypto ikev2 authorization policy Eng
   pool Eng
   dns 10.0.1.1
   netmask 255.255.255.255
   aaa attribute list Eng
  !
  aaa attribute list Eng
   attribute type interface-config "vrf forwarding Eng"
   attribute type interface-config "ip unnumbered Loopback1"
Central/remote database (RADIUS server users-file entry):
  Eng Cleartext-Password := "cisco"
      Framed-IP-Netmask = "255.255.255.255",
      Cisco-AVPair = "ipsec:addr-pool=Eng",
      Cisco-AVPair += "ipsec:dns-servers=10.0.1.1",
      Cisco-AVPair += "ip:interface-config=vrf forwarding Eng",
      Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"
Attributes – Merging
(the FlexVPN server merges what it received from the AAA server at each authorization step)
Cached user attributes (received during AAA-based authentication):
  Framed-IP-Address = 10.0.0.101
  ipsec:dns-servers = 10.2.2.2
Explicit user attributes (received during explicit user authorization):
  Framed-IP-Address = 10.0.0.102
Merged user attributes (explicit user attributes take precedence):
  Framed-IP-Address = 10.0.0.102
  ipsec:dns-servers = 10.2.2.2
Explicit group attributes (received during explicit group authorization):
  ipsec:dns-servers = 10.2.2.3
  ipsec:banner = Welcome !
Final merged attributes (merged user attributes take precedence except if "group override" is configured):
  Framed-IP-Address = 10.0.0.102
  ipsec:dns-servers = 10.2.2.2
  ipsec:banner = Welcome !
Attributes – Interface Config Ordering
Interface config strings do not override each other during merging
Instead, higher precedence statements are applied last
Pay attention to command-specific behavior (overwrites / stacks up / collides ?)
Received during explicit user authorization:
  Interface-Config = zone-member security high
  Interface-Config = service-policy output gold
Received during explicit group authorization:
  Interface-Config = zone-member security medium
  Interface-Config = service-policy output silver
Final merged attributes (group statements applied first, user statements last):
  Interface-Config = zone-member security medium      OK – will be overridden by the subsequent "zone-member" statement
  Interface-Config = service-policy output silver
  Interface-Config = zone-member security high
  Interface-Config = service-policy output gold       NOK – will collide with the previous "service-policy" statement: "Policy map silver is already attached"
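The merging precedence of the previous slide and the interface-config ordering described here, modelled together in Python as an added illustration (not IOS code and not from the presentation). Attribute names and values are the slide's; the single-valued/colliding behaviour of "zone-member security" and "service-policy output" is modelled as the slide describes it and is an assumption for any other command.

```python
"""FlexVPN authorization attribute merging and interface-config ordering,
modelled in Python (added illustration, not IOS code).
Rules taken from the slides: explicit user attributes override cached
(implicit) user attributes; merged user attributes override explicit group
attributes unless 'group override' is configured; Interface-Config strings
never override each other, higher-precedence ones are simply applied last.
"""
IFCFG = "Interface-Config"


def merge(lower: dict, higher: dict) -> dict:
    """Return 'lower' overridden by 'higher'.  Interface-Config values are
    lists that are concatenated, lower-precedence statements first."""
    out = {k: v for k, v in lower.items() if k != IFCFG}
    out.update({k: v for k, v in higher.items() if k != IFCFG})
    stmts = list(lower.get(IFCFG, [])) + list(higher.get(IFCFG, []))
    if stmts:
        out[IFCFG] = stmts
    return out


def final_attributes(cached: dict, explicit_user: dict,
                     explicit_group: dict, group_override: bool = False) -> dict:
    """Merge in the order the FlexVPN server applies its authorizations."""
    user = merge(cached, explicit_user)        # explicit user wins over cached
    if group_override:
        return merge(user, explicit_group)     # 'aaa authorization group ... override'
    return merge(explicit_group, user)         # default: user wins over group


def apply_interface_config(statements: list) -> tuple:
    """Simulate pushing the merged statements onto a Virtual-Access interface.
    Assumption modelled from the slide: the last word is the command's value;
    'zone-member security' simply overwrites, while a second
    'service-policy output' collides ("Policy map <name> is already attached")."""
    applied, errors = {}, []
    for stmt in statements:
        words = stmt.split()
        key, value = " ".join(words[:-1]), words[-1]
        if key == "service-policy output" and key in applied:
            errors.append(f"Policy map {applied[key]} is already attached")
            continue
        applied[key] = value
    return applied, errors


# Constructed sample values: the two merging examples on the slides
CACHED_USER = {"Framed-IP-Address": "10.0.0.101", "ipsec:dns-servers": "10.2.2.2"}
EXPLICIT_USER = {"Framed-IP-Address": "10.0.0.102",
                 IFCFG: ["zone-member security high", "service-policy output gold"]}
EXPLICIT_GROUP = {"ipsec:dns-servers": "10.2.2.3", "ipsec:banner": "Welcome !",
                  IFCFG: ["zone-member security medium", "service-policy output silver"]}

if __name__ == "__main__":
    final = final_attributes(CACHED_USER, EXPLICIT_USER, EXPLICIT_GROUP)
    for key, val in final.items():
        print(f"{key:20} {val}")
    applied, errors = apply_interface_config(final[IFCFG])
    print(applied, errors)
```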
Attributes – Scope
Peer authorization: AAA authorization enables the IKEv2 Configuration Exchange; IOS AAA attributes are translated into IKEv2 Configuration Exchange attributes.
Remote attributes (sent to the RA client), with the attribute family they belong to:
  IPv4/IPv6 Address     Standard
  IPv4/IPv6 Netmask     Standard
  IPv4/IPv6 Subnets     Standard
  DNS/WINS Servers      Standard
  DNS Domain Name       Cisco Unity
  Logon Banner          Cisco Unity
  Backup Gateways       Cisco Unity
  Config Version/URL    FlexVPN
  ...
Locally relevant attributes (consumed on the FlexVPN server):
  IPv4/IPv6 Address Pool
  DHCP Server
  IKEv2 Routing ("route set" statements)
  V-Access Interface Configuration
  ...
Some remote attributes may be derived from local attributes.
Attributes – IP Address Assignment
User-specific statically assigned IP address
– Returned as RADIUS IETF Framed-IP-Address
– External DB only, not configurable in IKEv2 Authorization Policy
IOS-managed address pool
– Referenced in user or group attributes
– IOS pool name can be passed by RADIUS server
– Allocation/deallocation entirely managed by IOS
DHCP-assigned IP addresses
– Request placed by IOS on behalf of RA client
– DHCP server can be passed by RADIUS
RADIUS-managed address pool
– Address allocated by RADIUS server and returned as Framed-IP-Address
– Accounting must be configured (to release addresses when clients disconnect)
IOS-managed address pool (local policy, or pool name passed by RADIUS):
  crypto ikev2 authorization policy Eng
   pool Eng
  !
  ip local pool Eng 10.0.1.10 10.0.1.99
  Eng Cisco-AVPair = "ipsec:addr-pool=Eng"
User-specific statically assigned IP address (RADIUS user entry):
  joe Framed-IP-Address = "10.0.1.101"
      Framed-IP-Netmask = "255.255.255.255"
DHCP-assigned IP addresses (local policy, or DHCP server passed by RADIUS):
  crypto ikev2 authorization policy Eng
   dhcp server 10.2.2.2
  Eng Cisco-AVPair = "ipsec:group-dhcp-server=10.2.2.2"
Authorization Example
FlexVPN Server configuration:
  aaa authorization network here local
  aaa attribute list Eng
   attribute type interface-config "vrf forwarding Eng"
   attribute type interface-config "ip unnumbered Loopback1"
  !
  crypto ikev2 authorization policy Eng
   pool Eng
   netmask 255.255.255.255
   aaa attribute list Eng
  !
  crypto pki certificate map cisco 1
   subject-name co o = cisco
  !
  crypto ikev2 name-mangler ou
   dn organization-unit
  !
  crypto ikev2 profile default
   match certificate cisco
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint root
   aaa authorization group cert list here name-mangler ou
   virtual-template 1
  !
  ip local pool Eng 10.0.1.10 10.0.1.99
  !
  interface Loopback1
   vrf forwarding Eng
   ip address 10.0.1.1 255.255.255.255
  !
  interface Virtual-Template1 type tunnel
   no ip address
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
Exchange between RA client and FlexVPN server:
– Client: "My IKE ID is cn=joe-pc, ou=Eng, o=Cisco. Here is my identity certificate. I need an IPv4 address."
– Server: map connection to IKEv2 profile "default" by matching on cert-map "cisco"
– Perform certificate-based authentication (not shown)
– Server: run client IKE ID through name-mangler "ou"; invoke AAA with list "here" (local authorization) & username "Eng"
– Server: clone V-Template1 into V-Access1, apply VRF & IP unnumbered; allocate IPv4 address from pool "Eng"
– Server: "Your IPv4 address is: 10.0.1.10/32"
Resulting interface, as seen with "show derived-config ...":
  interface Virtual-Access1
   vrf forwarding Eng
   ip unnumbered Loopback1
   tunnel source 192.0.2.2
   tunnel mode ipsec ipv4
   tunnel destination 192.168.221.129
   tunnel protection ipsec profile default
Accounting
Topology: RA client 192.168.221.129 (assigned address 10.0.1.101) ↔ FlexVPN server 10.0.0.1, over IKEv2 (EAP) & IPsec; RADIUS server 10.0.0.2
  aaa accounting network frad start-stop group frad
  aaa group server radius frad
   server-private 10.0.0.2 auth-port 1812 acct-port 1813 key s3cr3t
  !
  crypto ikev2 profile default
   aaa authentication eap frad
   aaa authorization user eap cached
   aaa accounting eap frad
Upon client connection: RADIUS Acct-Request (Start), answered by RADIUS Acct-Response
Upon client disconnection: RADIUS Acct-Request (Stop), answered by RADIUS Acct-Response
Accounting-Request (Start):
  Acct-Session-Id = "0000001B"
  Cisco-AVPair = "isakmp-phase1-id=acvpn"                  <- IKE ID
  Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"     <- client public IP address
  Framed-IP-Address = 10.0.1.101                           <- assigned IP address
  User-Name = "joe@cisco"                                  <- EAP username
  Cisco-AVPair = "connect-progress=No Progress"
  Acct-Authentic = Local
  Acct-Status-Type = Start
  NAS-IP-Address = 10.0.0.1
  Acct-Delay-Time = 0
Accounting-Request (Stop):
  Acct-Session-Id = "0000001B"
  Cisco-AVPair = "isakmp-phase1-id=acvpn"
  Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
  Framed-IP-Address = 10.0.1.101
  User-Name = "joe@cisco"
  Acct-Authentic = Local
  Cisco-AVPair = "connect-progress=No Progress"
  Acct-Session-Time = 104                                  <- statistics
  Acct-Input-Octets = 13906
  Acct-Output-Octets = 11040
  Acct-Input-Packets = 207
  Acct-Output-Packets = 92
  Acct-Terminate-Cause = 0
  Cisco-AVPair = "disc-cause-ext=No Reason"
  Acct-Status-Type = Stop
  NAS-IP-Address = 10.0.0.1
  Acct-Delay-Time = 0
Remote Access Clients – Overview
AnyConnect 3.1 (Desktop Version)
– Supported OSes: Windows, Mac OS X, Linux
– Supported IKEv2 authentication methods: Certificates, EAP
– Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
– Security policy exchange: Automatic² (RRI)
– Dual stack (IPv4 & IPv6): 3.1.05152 (with GRE), IOS-XE 3.14 (TBC)
– Split tunneling: Yes
AnyConnect 3.0 (Mobile Version)
– Supported OSes: Android, Apple iOS
– Supported IKEv2 authentication methods: Certificates, EAP
– Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
– Security policy exchange: Automatic² (RRI)
– Dual stack (IPv4 & IPv6): Planned (client limitation)
– Split tunneling: Yes
Windows Native IKEv2 Client
– Supported OSes: Windows 7 & 8
– Supported IKEv2 authentication methods: Certificates, EAP
– Supported EAP authentication methods: EAP-MSCHAPv2, EAP-TLS¹, EAP-PEAP¹, ... and more (Win8)
– Security policy exchange: Automatic² (RRI)
– Dual stack (IPv4 & IPv6): Planned (headend limitation)
– Split tunneling: Very limited (classful)
FlexVPN Hardware Client
– Supported OSes: Cisco IOS 15.2+; not on IOS-XE / ASR1k; not on ISR-G1
– Supported IKEv2 authentication methods: Certificates, EAP, Pre-Shared Key
– Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
– Security policy exchange: Automatic² (IKEv2), dynamic routing protocol
– Dual stack (IPv4 & IPv6): Both (with GRE)
– Split tunneling: Yes
strongSwan
– Supported OSes: Linux, Mac OS X, Android, FreeBSD, ...
– Supported IKEv2 authentication methods: Certificates, EAP, Pre-Shared Key
– Supported EAP authentication methods: EAP-MSCHAPv2, EAP-TLS¹, EAP-PEAP¹, ... and more (plugins)
– Security policy exchange: Automatic² (RRI)
– Dual stack (IPv4 & IPv6): Planned (headend limitation)
– Split tunneling: Yes
¹ EAP-TLS, EAP-TTLS, EAP-PEAP and others require (potentially dedicated) TLS certificates on EAP server & RA client
² IPsec Reverse Route Injection (RRI) and IKEv2 Route Exchange are enabled by default
© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-2881 Cisco Public
AnyConnect Secure Mobility Client
Since AnyConnect 3.0, IKEv2/IPsec supported (previously only SSL/TLS)
– Desktop: Windows, Mac OS X, Linux
– Mobile: Apple iOS, Android
Supported authentication methods:
– Machine/User Certificates (RSA signatures)
– EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
– EAP-GTC (cleartext password authentication, used for one-time-passwords/tokens)
– EAP-MD5 (hash-based authentication)
Particularities:
– Requires EAP “query-identity” on server (triggers username/password input dialog)
– Requires “no crypto ikev2 http-url cert” on server (aborts the connection otherwise)
– CSCud96246: incompatibility with IOS when using SHA-2 integrity (resolved in 3.1.05, Dec 2013)
For more on AnyConnect management & deployment:
– BRKSEC-3033 – Advanced AnyConnect Deployment and Troubleshooting with ASA by H. Nohre
– Focuses on ASA as headend, but many topics also relevant for FlexVPN
AnyConnect – VPN Profile Editor

Add an entry to the server list: connection name (HostName) and server FQDN (HostAddress). The IKE identity (IKEIdentity) only applies to EAP authentication methods.

Resulting XML profile:
...
<ServerList>
  <HostEntry>
    <HostName>FlexVPN</HostName>
    <HostAddress>flexra.cisco.com</HostAddress>
    <PrimaryProtocol>IPsec
      <StandardAuthenticationOnly>true
        <AuthMethodDuringIKENegotiation>EAP-GTC</AuthMethodDuringIKENegotiation>
        <IKEIdentity>acvpn</IKEIdentity>
      </StandardAuthenticationOnly>
    </PrimaryProtocol>
  </HostEntry>
</ServerList>
...
AnyConnect – Backup Server List

Add backup server(s) to the list. When the primary server stops responding over the WAN, the client will try connecting to the backup server(s).

Resulting XML profile:
...
<ServerList>
  <HostEntry>
    <HostName>FlexVPN</HostName>
    <HostAddress>flexra.cisco.com</HostAddress>
    <BackupServerList>
      <HostAddress>flexra2.cisco.com</HostAddress>
    </BackupServerList>
...
AnyConnect – Seamless Auto-Reconnect
Seamless reconnection after:
– transient loss of connectivity
– switching between networks (e.g. moving from 3G to WiFi)
– suspend/resume computer
Supported by AnyConnect desktop & mobile for both SSL & IKEv2
– FlexVPN server-side support introduced in IOS 15.4(1)T & IOS-XE 15.4(1)S / 3.11S
Suspend/resume client behavior configurable separately:
– DisconnectOnSuspend: release VPN session resources upon suspend, do not reconnect
– ReconnectAfterResume: try to reconnect after operating system resumes
Proprietary method:
– Session token exchanged during initial session establishment (configuration exchange)
– Reconnection attempts use session token as pre-shared key in IKE_AUTH
– Mutually exclusive with PSK configuration in IKEv2 profile
– Session expires on server after configured timeout (default: 30 minutes)
crypto ikev2 profile default
...
reconnect [timeout <seconds>]
AnyConnect – Seamless Auto-Reconnect

Server configuration in both cases:
crypto ikev2 profile default
 reconnect [timeout <seconds>]

Transient WAN loss:
1: Connected
2: Network failure detected; client will attempt to reconnect automatically
3: Server marks session as “inactive”, keeps it alive until the configured timeout
4: ISP/WAN comes back up; session resumed without any user intervention

Network switch:
1: Connected over 3G
2: Switching to WiFi; different IP address
3: Session resumed over WiFi link without any user intervention

Also works when computer suspends & resumes (behavior controllable through XML profile)
AnyConnect – Profile Deployment Options

Default profile location:
– Windows: %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
– Mac OS, Linux: /opt/cisco/anyconnect/profile

AnyConnect Desktop (XML profile):
– Push using a Software Management System
– Add to the AnyConnect installation package
– Send via e-mail
– Install manually on local hard disk

AnyConnect Mobile (XML profile):
– Send via e-mail
– Import from local filesystem
– Import or create via URI handler: anyconnect://import?type=profile&uri=location
  Example location: http%3A%2F%2Fexample.com%2FFlexVPN.xml
– Configure connection manually
AnyConnect Mobile – Manual Connection

Create a new manual connection (screenshot annotations):
– Connection name
– Server FQDN
– Enable IKEv2
– Select authentication method
– Cisco ASA only
– Specify IKE ID for EAP methods
– Certificate selection
AnyConnect Mobile – URI Handler

“anyconnect://” URI handler on Apple iOS & Android
– Import XML profile
– Create connection entry
– Connect & disconnect VPN

Example: creating a connection entry (“Prompt” or “Enabled” required)
anyconnect://create/?name=FlexVPN&host=flexra.cisco.com&protocol=IPsec&authentication=EAP-MD5&ike-identity=acvpn
Connection successfully created
AnyConnect Mobile – Certificate Deployment
Package certificate & keypair into PKCS#12 file
Apple iOS
– Import PKCS#12 from URL or email attachment
– Provision credentials or set up SCEP enrollment using configuration profile (e.g. via iPhone Configuration Utility)
Android
– Import PKCS#12 from URL, email or filesystem
– Use existing credentials from Credential Storage
AnyConnect – Mutual RSA Signatures

Mutual IKE certificate-based authentication
– AnyConnect picks best available identity certificate
  Based on selection rules in XML profile (if any)
  Certificate with EKU preferred over non-EKU
– Client IKE ID = certificate subject DN
– Server selects IKE profile based on certificate match
– Matching is done on certificate itself, not on IKE ID

Explicit user/group authorization
– Non-AAA authentication: no cached attributes
– Extract CN/OU field from DN using name-mangler
– Retrieve user/group attributes from RADIUS

Flow: IKE certificate authentication (IKEv2, client <-> server), then explicit authorization (RADIUS, server <-> AAA server)

RADIUS user database:
# Group definition
Eng  Cleartext-Password := "cisco"
     Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
# User definition
joe  Cleartext-Password := "cisco"
     Framed-IP-Address = "10.0.1.101",
     Framed-IP-Netmask = "255.255.255.255"

FlexVPN server:
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list frad name-mangler ou
 aaa authorization user cert list frad name-mangler cn
 virtual-template 1
AnyConnect – EAP

EAP-GTC / EAP-MD5 / EAP-MSCHAPv2
– Client IKE ID = KEY-ID string configured in XML profile
– Server selects IKEv2 profile based on KEY-ID string
– EAP “query-identity” prompts user for credentials
– EAP ID = username entered by user
– Password authentication against AAA user database
– Returned attributes cached for implicit authorization

Flow: IKE between client and server; EAP username/password authentication (EAP-GTC / EAP-MD5 / EAP-MSCHAPv2) relayed to RADIUS

RADIUS user database:
# User definition
joe@cisco  Cleartext-Password := "c1sc0!"
           Framed-IP-Address = "10.0.1.101",
           Framed-IP-Netmask = "255.255.255.255",
           Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

FlexVPN server:
crypto ikev2 profile default
 match identity remote key-id acvpn
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1
AnyConnect – Certificate Requirements

AnyConnect Client IKEv2 Certificate
– Used for: Mutual RSA-SIG
– Common Name (CN): Anything
– Key Usage (KU): Digital Signature
– Extended Key Usage (EKU): Optional (1,3); if present: TLS Client Authentication
– Subject Alternative Name (SAN): Not required (3)

FlexVPN Server IKEv2 Certificate
– Used for: Mutual RSA-SIG, EAP (all types)
– Common Name (CN): Anything (if SAN field present), Server FQDN (if no SAN field)
– Key Usage (KU): Digital Signature, Key Encipherment or Key Agreement
– Extended Key Usage (EKU): Optional (2,3); if present: TLS Server Authentication or IKE Intermediate
– Subject Alternative Name (SAN): Optional (3); if present: Server FQDN

(1) Required in AC 3.0.8 to 3.0.10 (CSCuc07598)
(2) Required in AC 3.0 (all versions), lifted in 3.1
(3) Not required: may be omitted or set to any value – Optional: may be omitted or set to the specified value
Windows Native IKEv2 Client
Since Windows 7, IKEv2/IPsec natively supported for RA connections
Supported authentication methods:
– Machine Certificates (RSA signatures)
– EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
– EAP-TLS (certificate authentication, based on TLS handshake)
– EAP-PEAP (tunnels another EAP method within TLS)
– EAP-TTLS (Windows 8 – tunnels EAP or non-EAP authentication within TLS)
– EAP-AKA / EAP-AKA’ / EAP-SIM (Windows 8 – SIM card & mobile network authentication)
Particularities:
– Requires EAP “query-identity” on server (fails to respond to EAP otherwise)
– Requires AES-256 in IPsec transform set (current IOS default is AES-128)
– RSA authentication will fail if more than 100 CAs are in the client's Local Machine Trusted Roots store
– KB975488: Windows 7 only sends IP address as IKE Identity (except when using certs)
– KB814394: Certificate requirements for EAP-TLS and PEAP-EAP-TLS
– KB939616: Certificate keypair lost when copying from user store to machine store
Windows 7 – VPN Connection Settings (1)

Connection settings (screenshot annotations):
– Server address: DNS-resolvable FQDN – must be found in the CN/SAN of the FlexVPN Server IKE certificate and in the CN of the EAP Server TLS certificate
– Type of VPN: IKEv2
– “Require encryption” & “Strongest encryption” require AES-256 in the IPsec transform set:
  crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
– Authentication: EAP-MSCHAPv2 or RSA Signatures
Windows – Mutual RSA Signatures

Mutual IKE certificate-based authentication
– Windows can only use local machine certificates

IKEv2 Profile selection on server
– Client IKE ID = certificate subject DN
– Server selects profile based on certificate map
– Matching is done on certificate itself, not on IKE ID

Explicit user/group authorization
– Non-AAA authentication: no cached attributes
– Extract CN/OU field from DN using name-mangler
– Retrieve user/group attributes from RADIUS

Flow: IKE certificate authentication (IKEv2, client <-> server), then explicit authorization (RADIUS, server <-> AAA server)

RADIUS user database:
# Group definition
Eng  Cleartext-Password := "cisco"
     Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
# User definition
joe  Cleartext-Password := "cisco"
     Framed-IP-Address = "10.0.1.101",
     Framed-IP-Netmask = "255.255.255.255"

FlexVPN server:
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list frad name-mangler ou
 aaa authorization user cert list frad name-mangler cn
 virtual-template 1
Windows – EAP Considerations

IKEv2 mandates certificate-based server authentication
crypto ikev2 profile default
 identity local dn
 authentication local rsa-sig
 pki trustpoint root [sign]

Profile selection based on client IKE ID
– Windows 7 with fix for KB975488: IKE ID = user@domain
  Selection can be based on “email domain” match
  match identity remote email domain cisco
  aaa authorization group eap list here ... name-mangler domain
– Windows 7 w/o fix or 8 w/ regression: IKE ID = client IP address
  Only option: single IKE profile and VTemplate for all groups
  Leverage AAA to provide service differentiation
  match identity remote address 0.0.0.0

EAP ID provided by client during authentication
– Requires “query-identity” (client cannot perform EAP otherwise)
– EAP server will query AAA database for attributes
– Attributes can be reused for implicit user authorization
– Server sends updated EAP ID in final Access-Accept reply (usually same value as the initial client-provided EAP ID)
– Final EAP ID can be reused for additional authorization if needed
  authentication remote eap query-identity
  aaa authentication eap frad
  aaa authorization user eap cached
Windows 7 – EAP-MSCHAPv2

EAP-MSCHAPv2
– EAP ID = user or user@domain
– Password authentication against EAP server database

Flow: IKE between client and server; EAP username/password authentication (EAP-MSCHAPv2) relayed to RADIUS

RADIUS user database:
# User definition
joe@cisco  Cleartext-Password := "c1sc0!"
           Framed-IP-Address = "10.0.1.101",
           Framed-IP-Netmask = "255.255.255.255",
           Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

FlexVPN server:
crypto ikev2 profile default
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1
Windows 7 – EAP-TLS

EAP-TLS
– Client performs TLS handshake w/ EAP server
– Mutual authentication using TLS certificates
– Client authentication mandatory (unlike EAP-PEAP)
– EAP ID = TLS certificate UPN (or CN if none)

Flow: IKE between client and server; EAP certificate/TLS-based authentication, with the TLS handshake carried end-to-end between client and EAP (RADIUS) server

RADIUS user database:
# User definition
joe@cisco  Cleartext-Password := "c1sc0!"
           Framed-IP-Address = "10.0.1.101",
           Framed-IP-Netmask = "255.255.255.255",
           Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

FlexVPN server:
crypto ikev2 profile default
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1
Windows 7 – EAP-TLS Settings

Client EAP settings (screenshot annotations):
– Server name – must be found in the CN of the EAP Server TLS certificate
– Trusted root authorities for EAP server authentication
– Get certificate from the Current User certificate store
Windows 7 – EAP-PEAP

EAP-PEAP
– Client performs TLS handshake w/ EAP server
– Client authenticates EAP server using TLS certificate
– Provides protection for inner EAP exchange
– Inner (tunneled) EAP method authenticates the user
– Outer EAP method returns user attributes to server
Tunneled EAP-MSCHAPv2
– EAP ID = user or user@domain
Tunneled EAP-TLS
– EAP ID = TLS certificate UPN (or CN if none)

Flow: IKE between client and server; EAP-PEAP (TLS) carried between client and EAP (RADIUS) server, with EAP-MSCHAPv2 or EAP-TLS inside the TLS tunnel (certificate/TLS-based or username-password authentication)

RADIUS user database:
# User definition
joe@cisco  Cleartext-Password := "c1sc0!"
           Framed-IP-Address = "10.0.1.101",
           Framed-IP-Netmask = "255.255.255.255",
           Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

FlexVPN server:
crypto ikev2 profile default
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1
Windows 7 – EAP-PEAP Settings

Client EAP settings (screenshot annotations):
– Server name – must be found in the CN of the EAP Server TLS certificate
– Trusted root authorities for EAP server authentication
– Inner (tunneled) EAP method
Windows 7 – Certificate Requirements

Win7 Client IKEv2 Certificate
– Used for: Mutual RSA-SIG
– Certificate store: Local Computer
– Common Name (CN): Anything
– Key Usage (KU): Digital Signature
– Extended Key Usage (EKU): Not required (1)
– Subject Alternative Name (SAN): Not required (1)

FlexVPN Server IKEv2 Certificate
– Used for: Mutual RSA-SIG, EAP (all types)
– Certificate store: N/A
– Common Name (CN): Anything (if SAN field present), Server FQDN (if no SAN field)
– Key Usage (KU): Digital Signature
– Extended Key Usage (EKU): TLS Server Authentication
– Subject Alternative Name (SAN): Optional (1); if present: Server FQDN

Win7 Client TLS Certificate
– Used for: EAP-TLS, EAP-PEAP (optional)
– Certificate store: Current User
– Common Name (CN): Anything (if UPN present), user@domain (if no UPN (2))
– Key Usage (KU): Digital Signature
– Extended Key Usage (EKU): TLS Client Authentication
– Subject Alternative Name (SAN): Optional (1); if present: UPN (2)

EAP Server TLS Certificate
– Used for: EAP-TLS, EAP-PEAP
– Certificate store: N/A
– Common Name (CN): Server name (as configured in Client EAP Settings)
– Key Usage (KU): Digital Signature, Key Encipherment
– Extended Key Usage (EKU): TLS Server Authentication
– Subject Alternative Name (SAN): Server FQDN

(1) Not required: may be omitted or set to any value – Optional: may be omitted or set to the specified value
(2) UPN (User Principal Name): Microsoft proprietary “user@domain” SAN extension (OID 1.3.6.1.4.1.311.20.2.3)
Windows 7 – Certificate Import
Client keypair & certificate can be issued by CA and provisioned to client PC
Import keypair, identity cert and issuer cert from PFX / PKCS#12 package
Due to KB939616, machine IKEv2 cert must be imported explicitly into machine store
FlexVPN Hardware Client – Overview
IKEv2 initiation on IOS can be driven by the FlexVPN Client Profile CLI construct
Supported authentication methods:
– Certificates (RSA signatures)
– EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
– EAP-GTC (cleartext password authentication, used for one-time-passwords/tokens)
– EAP-MD5 (hash-based authentication)
– Pre-Shared Keys
Routing on FlexVPN server and client:
– IKEv2 Routing (bidirectional Configuration Exchange)
– Dynamic Routing Protocol (optional, bootstrapped through IKEv2 Routing)
IPv4/IPv6 mixed-mode & dual-stack supported using GRE/IPsec interfaces
More than a Remote Access client, useful also in hub-and-spoke designs where advanced initiator logic is required (dial backup, object tracking, ...)
FlexVPN Hardware Client – Example

Sample configuration:
– Static tunnel interface driven by FlexVPN Client Profile
– Local AAA authorization (default IKEv2 author. policy)
– Certificate-based mutual authentication (no EAP)
– Single peer (name resolution of FQDN on connection)
Tunnel interface configuration:
– IP address assigned through IKEv2 Configuration Exchange
– Tunnel destination set dynamically by FlexVPN Client logic
– IKEv2/IPsec initiation triggered by FlexVPN Client logic
Default IKEv2 routing between client & server:
– Client advertises route for Tunnel0 assigned IP address
– Client installs prefixes advertised by server (egress Tun0)

aaa new-model
aaa authorization network here local
!
crypto pki trustpoint root
 rsakeypair root
!
crypto pki certificate map cisco 1
 subject-name co o = cisco
!
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list here default
!
crypto ikev2 client flexvpn flexra
 peer 1 fqdn flexra.cisco.com dynamic
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile default

client#show crypto ikev2 authorization policy default
IKEv2 Authorization Policy : default
  route set interface
  route accept any tag : 1 distance : 1
FlexVPN Hardware Client – Key Features

Peer list with object tracking:
– Ordered list of FlexVPN servers (by address or FQDN)
– Enable/disable entries based on tracking object state
– Additional peers can be pushed by server during Config Exchange
crypto ikev2 client flexvpn flexra
 peer 1 <address>
 peer 2 <address> track 10 up
 peer 3 <address> track 20 down
!
track 10 interface <name> line-protocol
track 20 ip route <prefix> reachability

Connection modes (one of):
– Automatic (infinite loop, 10 seconds between tries)
– When tracking object goes up/down (enables dial backup)
– Manual (CLI-triggered)
connect auto
connect track 10 up
connect manual

EAP local authentication (IKEv2 initiator only):
– Username prompt only if server does “query-identity”
– Alternative: static credentials in IKEv2 profile
crypto ikev2 profile default
 authentication local eap

client#crypto ikev2 client flexvpn connect
Enter the command 'crypto eap credentials flexra'
client#crypto eap credentials flexra
Enter the Username for profile flexra: joe@cisco
Enter the password for username joe@cisco:
Review – Mutual RSA Signatures

Certificate selection depends on client
– AnyConnect picks best available ID certificate
  Based on selection rules in XML profile (if any)
  Certificate with EKU preferred over non-EKU
– Windows uses local machine certificate
– FlexVPN Client uses trustpoint in initiator IKEv2 profile

IKEv2 Profile selection on server
– Client IKE ID = certificate subject DN
– Server selects profile based on certificate map
– Matching is done on certificate itself, not on IKE ID

Explicit user/group authorization
– Non-AAA authentication: no cached attributes
– Extract CN/OU fields from DN using name-mangler
– Retrieve user/group attributes from RADIUS
– Assign IP address based on pool or Framed-IP

RADIUS user database:
# Group definition
Eng  Cleartext-Password := "cisco"
     Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
# User definition
joe  Cleartext-Password := "cisco"
     Framed-IP-Address = "10.0.1.101",
     Framed-IP-Netmask = "255.255.255.255"

FlexVPN server:
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list frad name-mangler ou
 aaa authorization user cert list frad name-mangler cn
 virtual-template 1
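The explicit authorization flow of this review slide and of the AnyConnect and Windows mutual RSA-signature slides, as an added Python model that is not Cisco's code: the OU and CN name-manglers applied to the client's subject DN, a lookup of the group and user entries in a RADIUS database constructed from the slide, and a merge of the returned attributes. The precedence (user attributes override group attributes) and treating a failed group lookup as fatal are assumptions of this model.

```python
"""Explicit user/group authorization from a certificate subject DN.
Added example, not Cisco's code: models the flow on this slide (and on the
AnyConnect / Windows mutual RSA-signature slides), with the CN and OU
name-manglers applied to the client's IKE ID and the results looked up in a
RADIUS user database constructed from the slide's entries."""
import re

# Constructed RADIUS users, as on the slide: group "Eng" and user "joe".
RADIUS_USERS = {
    "Eng": {"Cleartext-Password": "cisco",
            "Cisco-AVPair": ["ipsec:dns-servers=10.0.1.1"]},
    "joe": {"Cleartext-Password": "cisco",
            "Framed-IP-Address": "10.0.1.101",
            "Framed-IP-Netmask": "255.255.255.255"},
}
# Password the server presents in authorization requests (slide uses "cisco").
AUTHZ_PASSWORD = "cisco"

_RDN_SPLIT = re.compile(r"(?<!\\),")   # commas that are not backslash-escaped


def parse_dn(dn):
    """'CN=joe,OU=Eng,O=cisco' -> {'CN': 'joe', 'OU': 'Eng', 'O': 'cisco'}.
    Types are upper-cased; a repeated type keeps its first (leftmost) value."""
    parsed = {}
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.setdefault(attr.strip().upper(), value.strip().replace("\\,", ","))
    return parsed


def name_mangler(dn, field):
    """Model of a 'dn <field>' name-mangler: return one field of the DN."""
    value = parse_dn(dn).get(field.upper())
    if value is None:
        raise LookupError(f"DN {dn!r} has no {field.upper()} field")
    return value


def radius_lookup(name):
    """Attributes for one users-file entry, or None if absent or the password differs."""
    entry = RADIUS_USERS.get(name)
    if entry is None or entry.get("Cleartext-Password") != AUTHZ_PASSWORD:
        return None
    return {k: v for k, v in entry.items() if k != "Cleartext-Password"}


def merge_attributes(*attribute_sets):
    """Later sets override earlier ones; Cisco-AVPair lists are concatenated."""
    merged = {}
    for attrs in attribute_sets:
        for key, value in attrs.items():
            if key == "Cisco-AVPair":
                merged.setdefault(key, []).extend(value)
            else:
                merged[key] = value
    return merged


def authorize(subject_dn):
    """Group authorization (OU mangler), then user authorization (CN mangler).
    Returns (group, user, merged attributes). Assumptions of this model: a
    missing group entry is fatal (None), a missing user entry just adds nothing,
    and user attributes override group attributes."""
    group = name_mangler(subject_dn, "ou")
    user = name_mangler(subject_dn, "cn")
    group_attrs = radius_lookup(group)
    if group_attrs is None:
        return None
    return group, user, merge_attributes(group_attrs, radius_lookup(user) or {})


def ipsec_avpairs(attrs):
    """'ipsec:dns-servers=10.0.1.1' -> {'dns-servers': '10.0.1.1'}."""
    out = {}
    for pair in attrs.get("Cisco-AVPair", []):
        key, _, value = pair.partition("=")
        if key.startswith("ipsec:"):
            out[key[len("ipsec:"):]] = value
    return out
```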
Review – EAP Authentication (1)

IKE identity depends on client type
– AnyConnect: KEY-ID string in XML profile
– Windows 7 with fix for bug KB975488: user@domain
– Windows 7 w/o fix, 7 or 8 with regression: client IP address
  Only option: single IKE profile and VT for all groups
  Leverage AAA to provide service differentiation
– FlexVPN Client: configurable (in initiator IKEv2 profile)
  crypto ikev2 profile default
   identity local ...

RADIUS user database:
# User definition
joe@cisco  Cleartext-Password := "c1sc0!"
           Framed-IP-Address = "10.0.1.101",
           Framed-IP-Netmask = "255.255.255.255",
           Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

FlexVPN server (one match statement per client type):
crypto ikev2 profile default
 ! AnyConnect
 match identity remote key-id acvpn
 ! Windows
 match identity remote email domain cisco
 ! Windows (bug)
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1
Review – EAP Authentication (2)

EAP identity depends on client type & EAP method
– AnyConnect: user[@domain] entered by user
– Windows 7 + non-TLS EAP: user[@domain] entered by user
– Windows 7 + TLS-based EAP: TLS certificate UPN (CN if none)
– FlexVPN Client: user[@domain] entered by user or configured in initiator IKEv2 profile

EAP Server returns user attributes for the EAP ID; these can be cached and reused for authorization

RADIUS user database:
# User definition
joe@cisco  Cleartext-Password := "c1sc0!"
           Framed-IP-Address = "10.0.1.101",
           Framed-IP-Netmask = "255.255.255.255",
           Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

FlexVPN server:
crypto ikev2 profile default
 match identity remote key-id acvpn
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

FlexVPN Client (static credentials in initiator IKEv2 profile):
crypto ikev2 profile default
 authentication local eap mschapv2 username joe@cisco password 0 c1sc0!
FlexVPN Routing – Overview
IKEv2 Routing (Configuration Exchange)
– IPv4 & IPv6 subnets exchanged within IKEv2 Configuration Payloads
– Static routes added to the RIB on both sides
– Remote Access: currently only supported with FlexVPN hardware client
IPsec Reverse Route Injection (RRI)
– Static routes added to RIB for protected remote networks (remote proxies)
– No configuration required (automatic for Virtual-Access with non-any-any proxies)
– Remote Access: supported with software clients (AnyConnect, Windows 7+, ...)
Dynamic Routing Protocol
– Pros: more powerful/flexible/adaptive
– Cons: more complex/resource-intensive
– Remote Access: only supported with FlexVPN hardware client
NHRP Routes
– Not applicable to Remote Access (Dynamic Mesh scenarios only)
FlexVPN Routing – Events & Sources

Routes installed in the routing table (RIB/FIB) come from four sources:

IKEv2 Static Routes (event: Configuration Exchange; source: IKEv2 authorization)
– Prefixes listed in “route set local” authorization attribute(s)
– Prefixes received during Configuration Exchange within IPv4/IPv6 SUBNET attributes (handling controlled by local “route accept” attribute)
– Local configuration:
  route set local {ipv4 | ipv6} prefix
  route accept any [distance ...] [tag ...]
– Remote configuration:
  route set interface [ifc-name]
  route set remote {ipv4 | ipv6} prefix
  route set access-list ...

Reverse Route Injection (event: SA Up / Down; source: IPsec)
– Prefixes corresponding to negotiated IPsec SA remote proxies (not applicable to any-any VTI or GRE/IPsec)

Regular Dynamic Routes (event: Routing Update; source: Routing Protocol)
– Prefixes advertised by peer over dynamic routing protocol neighborship

NHRP Static Routes (event: Shortcut Creation; source: NHRP)
– Spoke-to-Spoke tunnels established
Scenario: Windows – Full Tunneling

Topology: client LAN 10.42.1.0/24 (gateway 10.42.1.1) – WAN – FlexVPN Server 192.0.2.2 (Lo1: 10.0.1.1/32) – 10.0.0.0/16; assigned VPN IP: 10.0.1.22/32

FlexVPN server:
interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

Server routing table (assigned IP address reachable over client VA, automatic – RRI):
S 10.0.1.22/32 is directly connected, Virtual-Access1

Client routing table (default route changed to point through VPN tunnel; local LAN still reachable; server reachable in the clear via ISP):
IPv4 Route Table
============================================================
Destination      Gateway      Interface
0.0.0.0/0        10.42.1.1    Local Area Connection
0.0.0.0/0        On-link      FlexVPN Connection
192.0.2.2/32     10.42.1.1    Local Area Connection
10.42.1.0/24     On-link      Local Area Connection

If the remote default gateway option is un-checked: the default route is replaced with a single classful route based on the assigned VPN IP address (e.g. 10.0.1.22 -> 10.0.0.0/8) = rudimentary split tunneling
Scenario: AnyConnect – Full Tunneling

Topology: client LAN 10.42.1.0/24 (gateway 10.42.1.1) – WAN – FlexVPN Server 192.0.2.2 (Lo1: 10.0.1.1/32) – 10.0.0.0/16; assigned VPN IP: 10.0.1.22/32

FlexVPN server:
interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

Server routing table:
S 10.0.1.22/32 is directly connected, Virtual-Access1

Client routing table (default route changed to point through VPN tunnel; local LAN removed from routing table; server in the clear via ISP):
IPv4 Route Table
============================================================
Destination      Gateway      Interface
0.0.0.0/0        10.42.1.1    Local Area Connection
0.0.0.0/0        On-link      FlexVPN Connection
192.0.2.2/32     10.42.1.1    Local Area Connection

To enable full tunneling with local LAN access:
– The IOS “include-local-lan” attribute is not supported by AnyConnect; use the RADIUS-only Cisco-AV-Pair “ipsec:split-exclude” with the special value 0.0.0.0/32 (supported in 15.2(4)M6, 15.2(4)S5 and 15.4(2)T/S onwards):
  Cisco-AVPair += "ipsec:split-exclude=0.0.0.0/255.255.255.255"
– In addition, “Local Lan Access” must be enabled in the AnyConnect XML Profile
Scenario: AnyConnect – Split Tunneling

Topology: client LAN 10.42.1.0/24 (gateway 10.42.1.1) – WAN – FlexVPN Server 192.0.2.2 (Lo1: 10.0.1.1/32) – 10.0.0.0/16; assigned VPN IP: 10.0.1.22/32

FlexVPN server:
interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

Authorization (one or more subnets to include in split tunnel; split tunnel policy pushed by server within IKEv2 Config Exchange):
route set remote ipv4 10.0.0.0 255.255.0.0

Server routing table:
S 10.0.1.22/32 is directly connected, Virtual-Access1

Client routing table (specific route(s) pointing through VPN tunnel; local LAN still reachable; original default gateway used for internet traffic + server reachability):
IPv4 Route Table
============================================================
Destination      Gateway      Interface
0.0.0.0/0        10.42.1.1    Local Area Connection
10.0.0.0/16      On-link      FlexVPN Connection
10.42.1.0/24     On-link      Local Area Connection
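The client route tables of the three tunneling scenarios above (Windows full tunnel and its classful fallback, AnyConnect full tunnel with and without local LAN access, AnyConnect split tunnel), as an added Python model that is not from the slides; the addresses are the slides' constructed values, and parse_route_set_remote turns the authorization line into the prefix the server pushes.

```python
"""Client route tables for the FlexVPN tunneling scenarios above.
Added example, not from the slides: models the Windows full tunnel, the
Windows classful fallback and the AnyConnect full / split tunnel tables,
using the slides' addresses as constructed sample input."""
import ipaddress
from dataclasses import dataclass

LAN = "Local Area Connection"
VPN = "FlexVPN Connection"


@dataclass(frozen=True)
class Route:
    destination: str   # prefix in CIDR form
    gateway: str       # next hop, or "On-link"
    interface: str


def classful_network(address):
    """Class A/B/C network containing the address (Windows fallback when the
    remote default gateway option is un-checked): 10.0.1.22 -> 10.0.0.0/8."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        prefix_len = 8
    elif first_octet < 192:
        prefix_len = 16
    elif first_octet < 224:
        prefix_len = 24
    else:
        raise ValueError(f"{address} has no classful unicast network")
    return str(ipaddress.ip_network(f"{address}/{prefix_len}", strict=False))


def parse_route_set_remote(line):
    """'route set remote ipv4 10.0.0.0 255.255.0.0' -> '10.0.0.0/16'."""
    tokens = line.split()
    if tokens[:4] != ["route", "set", "remote", "ipv4"] or len(tokens) != 6:
        raise ValueError(f"not an IPv4 'route set remote' line: {line!r}")
    return str(ipaddress.ip_network(f"{tokens[4]}/{tokens[5]}", strict=False))


def client_routes(assigned_ip, server_ip, lan_prefix, lan_gateway, mode,
                  split_include=(), local_lan_access=True):
    """Routes on the client once the tunnel is up.

    mode "full":     default route through the VPN (server still via the LAN gateway)
    mode "classful": Windows with the remote default gateway option un-checked
    mode "split":    one route per prefix pushed by the server
    local_lan_access=False models AnyConnect full tunneling without the
    ipsec:split-exclude=0.0.0.0/255.255.255.255 attribute (local LAN route removed)."""
    routes = [Route("0.0.0.0/0", lan_gateway, LAN)]
    if local_lan_access or mode != "full":
        routes.append(Route(str(ipaddress.ip_network(lan_prefix)), "On-link", LAN))
    if mode == "full":
        routes.append(Route("0.0.0.0/0", "On-link", VPN))
        # host route keeps IKE/IPsec to the server outside the tunnel
        routes.append(Route(f"{server_ip}/32", lan_gateway, LAN))
    elif mode == "classful":
        routes.append(Route(classful_network(assigned_ip), "On-link", VPN))
    elif mode == "split":
        for prefix in split_include:
            routes.append(Route(str(ipaddress.ip_network(prefix)), "On-link", VPN))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return routes


def vpn_prefixes(routes):
    """Destinations that will be sent through the tunnel."""
    return sorted(r.destination for r in routes if r.interface == VPN)
```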
Scenario: HW Client – Single Address PAT

Topology: FlexVPN Client (Eth0/1 on LAN 10.42.1.0/24, Eth0/0 towards WAN) – WAN – FlexVPN Server (Lo1: 10.0.1.1/32) – 10.0.0.0/16; assigned IP: 10.0.1.22/32

FlexVPN client:
interface Tunnel0
 ip address negotiated
 ip nat outside
!
ip nat inside source route-map vpn interface Tunnel0 overload
!
route-map vpn permit 10
 match interface Tunnel0
Client authorization:
route set interface
Client routing table (summary prefix reachable through tunnel):
S 10.0.0.0/16 is directly connected, Tunnel0
S 10.0.1.1/32 is directly connected, Tunnel0
C 10.0.1.22/32 is directly connected, Tunnel0
C 10.42.1.0/24 is directly connected, Ethernet0/1
Traffic from LAN to remote VPN networks: PAT to Tunnel0 assigned IP address

FlexVPN server:
interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
Server authorization:
route set interface
route set remote ipv4 10.0.0.0 255.255.0.0
Server routing table (assigned IP address reachable over client VA):
S 10.0.1.22/32 is directly connected, Virtual-Access1

Works, but not recommended: case generator – clumsy / impractical
Scenario: HW Client – Network Extension
93
interface Tunnel0
ip address negotiated
!
interface Ethernet0/1
ip address 10.42.1.1 255.255.255.0
FlexVPN Server FlexVPN Client
10.42.1.0/24 Eth0/1 10.0.0.0/16 WAN
interface Loopback1
ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
route set interface
route set remote ipv4 10.42.1.0 255.255.255.0
route set interface
route set remote ipv4 10.0.0.0 255.255.0.0
Lo1: 10.0.1.1/32 Eth0/0
C 10.0.1.1/32 is directly connected, Loopback0
S 10.0.1.22/32 is directly connected, Virtual-Access1
S 10.42.1.0/24 is directly connected, Virtual-Access1
Client LAN directly reachable over tunnel
(prefix can be redistributed into IGP)
Assigned IP: 10.0.1.22/32
Assigned IP address reachable over client VA
Recommended design
Equivalent to NEM+ in Easy VPN
S 10.0.0.0/16 is directly connected, Tunnel0
S 10.0.1.1/32 is directly connected, Tunnel0
C 10.0.1.22/32 is directly connected, Tunnel0
C 10.42.1.0/24 is directly connected, Ethernet0/1
Local/remote addresses & prefixes exchanged using IKEv2 routing
Summary prefix reachable through tunnel
Authorization Authorization
Scenario: HW Client – Dynamic Routing

Topology: as above. Assigned IP: 10.0.1.22/32

FlexVPN Client:
  router bgp 65100
   neighbor 10.0.1.1 remote-as 65100
   neighbor 10.0.1.1 update-source Tunnel0
   address-family ipv4
    network 10.42.1.0 mask 255.255.255.0
    neighbor 10.0.1.1 activate
   exit-address-family

  Authorization:
   route set interface

  Routing table:
   B 10.0.0.0/16 [200/0] via 10.0.1.1 (Tunnel0)
   S 10.0.1.1/32 is directly connected, Tunnel0
   C 10.0.1.22/32 is directly connected, Tunnel0
   C 10.42.1.0/24 is directly connected, Ethernet0/1
  – Summary prefix reachable through tunnel

FlexVPN Server:
  router bgp 65100
   bgp listen range 10.0.1.0/24 peer-group clients
   neighbor clients peer-group
   neighbor clients remote-as 65100
   neighbor clients update-source Loopback1
   address-family ipv4
    network 10.0.0.0 mask 255.255.0.0
    neighbor clients activate
   exit-address-family

  Authorization:
   route set interface

  Routing table:
   S 10.0.1.22/32 is directly connected, Virtual-Access1
   B 10.42.1.0/24 [200/0] via 10.0.1.22 (Virtual-Access1)
  – Assigned IP address reachable over client VA
  – Client LAN directly reachable over tunnel (prefix can be redistributed into IGP)
  – BGP Dynamic Neighbor (listen range covering the address pool): easy configuration

Addresses for BGP unicast peering exchanged using IKEv2; local/remote prefixes exchanged using iBGP
Dynamic, flexible & powerful, but closer to Site-Site than RA

Check: any peer that opens a session from the 10.0.1.0/24 pool range joins the peer-group. The tunnel authenticates the peer, but iBGP accepts whatever it advertises, so apply an inbound prefix-list or maximum-prefix on the peer-group if one client must not be able to announce other sites' prefixes.
Virtual Routing & Forwarding

– Router maintains separate L3 forwarding information for each VRF instance (RIB, FIB, routing protocols)
– Two variants: VRF with MPLS VPN, and VRF-Lite (local significance only)
– Each interface on the router belongs to a single VRF
– For "ip unnumbered", the reference interface must belong to the same VRF
– If no VRF is specified, the interface belongs to the global VRF

VRF definition and assignment:

Old CLI, single-protocol VRF (IPv4-only):
  ip vrf red
   rd 1:1
  !
  interface Ethernet0/0
   ip vrf forwarding red
   ...

New CLI, multi-protocol VRF (IPv4/IPv6):
  vrf definition red
   rd 1:1
   address-family ipv4
   exit-address-family
   address-family ipv6
   exit-address-family
  !
  interface Ethernet0/0
   vrf forwarding red
   ...

Note: assigning an interface to a VRF removes any IP address already configured on it; enter the VRF assignment first and the address afterwards.
Tunnels – iVRF & fVRF

– Inside VRF (iVRF): the VRF the tunnel interface belongs to ("vrf forwarding"); the tunnel interface address resides in the iVRF
– Front-door VRF (fVRF): the VRF in which the encapsulated packets are routed, i.e. the VRF of the tunnel source interface, declared with "tunnel vrf"; the default fVRF is the global VRF
– "tunnel vrf" must name the VRF of the tunnel source interface; a mismatch leaves the tunnel without a usable source

Example device with Blue, Red, Green, Orange and Global RIB/FIBs (addresses written in slide shorthand, e.g. 10.0.0.1/24 for "ip address 10.0.0.1 255.255.255.0"; the VRF assignment is listed before the address, the order IOS requires):

Blue VRF, no tunnel:
  interface Eth0/0
   vrf forwarding blue
   ip address 10.0.0.1/24
  !
  interface Eth0/1
   vrf forwarding blue
   ip address 10.0.1.1/24

Tunnel1: iVRF red, fVRF = global (default), encapsulated packets leave through Eth1/2:
  interface Eth1/1
   vrf forwarding red
   ip address 10.1.1.1/24
  !
  interface Eth1/2
   ip address 10.1.2.1/24
  !
  interface Tunnel1
   vrf forwarding red
   ip address 172.16.1.1/30
   tunnel source Eth1/2

Tunnel2: iVRF green, explicit fVRF orange, encapsulated packets leave through Eth2/2:
  interface Eth2/1
   vrf forwarding green
   ip address 10.2.1.1/24
  !
  interface Eth2/2
   vrf forwarding orange
   ip address 10.2.2.1/24
  !
  interface Tunnel2
   vrf forwarding green
   ip address 172.16.2.1/30
   tunnel vrf orange
   tunnel source Eth2/2

(Diagram: physical device with Eth0/0, 0/1, 1/0 to 1/3 and 2/0 to 2/3; Tun1 and Tun2 each shown with their encapsulation step between iVRF and fVRF)
VRF Use Case

Requirements:
– Traffic segregation between two departments
– Single VPN endpoint in global VRF
– AnyConnect software client
– EAP user authentication

Proposed solution:
– Single IKEv2 profile & V-Template
– Local group authorization
– Interface configuration strings
– EAP solely for authentication (no caching of RADIUS attributes)

Diagram: Joe (Engineering) and Tom (Finance) connect over the WAN to Eth0/0 in the global VRF; Eth0/1 and Eth0/2 face the Finance and Engineering VRFs; Joe's V-Access is placed in the Engineering VRF and Tom's V-Access in the Finance VRF.
VRF Use Case – Configuration

Global configuration:
  aaa authentication login frad group frad
  aaa authorization network here local
  !
  crypto ikev2 name-mangler dept
   eap suffix delimiter @
  !
  crypto ikev2 profile default
   match identity remote key-id vpn@cisco
   identity local dn
   authentication remote eap query-identity
   authentication local rsa-sig
   pki trustpoint root
   aaa authentication eap frad
   aaa authorization group eap list here name-mangler dept
   virtual-template 1
  !
  no crypto ikev2 http-url cert
  !
  interface Virtual-Template1 type tunnel
   no ip address
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

Per-department configuration, Engineering:
  aaa attribute list Eng
   attribute type interface-config "vrf forwarding Eng"
   attribute type interface-config "ip unnumbered Loopback1"
  !
  crypto ikev2 authorization policy Eng
   pool Eng
   dns 10.0.1.1
   aaa attribute list Eng
  !
  interface Loopback1
   vrf forwarding Eng
   ip address 10.0.1.1 255.255.255.255
  !
  ip local pool Eng 10.0.1.10 10.0.1.99

Per-department configuration, Finance:
  aaa attribute list Fin
   attribute type interface-config "vrf forwarding Fin"
   attribute type interface-config "ip unnumbered Loopback101"
  !
  crypto ikev2 authorization policy Fin
   pool Fin
   dns 10.0.1.101
   aaa attribute list Fin
  !
  interface Loopback101
   vrf forwarding Fin
   ip address 10.0.1.101 255.255.255.255
  !
  ip local pool Fin 10.0.1.110 10.0.1.199

RADIUS user database (FreeRADIUS users file syntax):
  joe@Eng Cleartext-Password := "joe123"
  tom@Fin Cleartext-Password := "tom456"

– Single IKEv2 profile, single AnyConnect profile
– EAP authenticates username & domain; no attributes required on the AAA server
– Authorization based on the username@domain suffix: the name-mangler extracts the suffix and selects the local authorization policy of that name
– The attribute list's interface-config strings are applied to the V-Access during V-Template cloning; "ip unnumbered" references a loopback in the same VRF, as the VRF rules require
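The model below is an added example, not code from the deck: it walks one connection through the flow just configured. EAP authenticates the full RADIUS identity (joe@Eng), the name-mangler "dept" extracts the suffix after "@", and the local authorization policy of that name supplies the pool, DNS and the interface-config strings cloned onto the Virtual-Access. The security point it checks is that a user cannot move into another department's VRF by changing the suffix, because the credential is bound to the whole identity. User entries, policies and pools are the slide's; "bob@Ops" is a constructed extra user with no matching policy, and all function names are mine.

```python
"""Authentication and authorization flow of the VRF use case (added example)."""
import hmac
import ipaddress


class AuthFailure(Exception):
    """Authentication or authorization failed: no IKEv2 SA, no Virtual-Access."""


# RADIUS user database: the slide's two users plus the constructed bob@Ops
RADIUS_USERS = {"joe@Eng": "joe123", "tom@Fin": "tom456", "bob@Ops": "bob789"}

# crypto ikev2 authorization policy Eng / Fin with their aaa attribute lists
GROUP_POLICIES = {
    "Eng": {"pool": "Eng", "dns": "10.0.1.1",
            "interface-config": ["vrf forwarding Eng", "ip unnumbered Loopback1"]},
    "Fin": {"pool": "Fin", "dns": "10.0.1.101",
            "interface-config": ["vrf forwarding Fin", "ip unnumbered Loopback101"]},
}

# ip local pool Eng / Fin
POOLS = {"Eng": ("10.0.1.10", "10.0.1.99"), "Fin": ("10.0.1.110", "10.0.1.199")}


def eap_authenticate(identity, password):
    """Model of 'aaa authentication eap frad': the RADIUS server checks the
    whole identity, suffix included, so the user cannot pick another domain."""
    stored = RADIUS_USERS.get(identity)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        raise AuthFailure(f"EAP authentication failed for {identity!r}")


def mangle_suffix(identity, delimiter="@"):
    """crypto ikev2 name-mangler dept / eap suffix delimiter @"""
    if delimiter not in identity:
        return None
    return identity.rsplit(delimiter, 1)[1]


class PoolAllocator:
    """Hands out the next free address of a named local pool."""

    def __init__(self, pools):
        self.next = {n: ipaddress.ip_address(lo) for n, (lo, _) in pools.items()}
        self.last = {n: ipaddress.ip_address(hi) for n, (_, hi) in pools.items()}

    def allocate(self, name):
        addr = self.next[name]
        if addr > self.last[name]:
            raise AuthFailure(f"pool {name} exhausted")
        self.next[name] = addr + 1
        return str(addr)


def authorize(identity, password, allocator):
    """One connection: authenticate, derive the group from the authenticated
    identity, look up the local policy, clone the Virtual-Access."""
    eap_authenticate(identity, password)
    group = mangle_suffix(identity)
    policy = GROUP_POLICIES.get(group) if group else None
    if policy is None:
        raise AuthFailure(f"no authorization policy for group {group!r}")
    return {
        "group": group,
        "address": allocator.allocate(policy["pool"]),
        "dns": policy["dns"],
        # interface-config strings applied during V-Template cloning
        "vaccess": list(policy["interface-config"]),
    }


def rejected(identity, password, allocator):
    """True when the connection attempt is refused."""
    try:
        authorize(identity, password, allocator)
    except AuthFailure:
        return True
    return False


if __name__ == "__main__":
    alloc = PoolAllocator(POOLS)
    print(authorize("joe@Eng", "joe123", alloc))
    print(authorize("tom@Fin", "tom456", alloc))
    # joe cannot land in the Finance VRF by changing his suffix
    print("joe@Fin rejected:", rejected("joe@Fin", "joe123", alloc))
    # bob authenticates but has no department policy, so no V-Access is cloned
    print("bob@Ops rejected:", rejected("bob@Ops", "bob789", alloc))
```

The allocator hands Joe 10.0.1.10 from the Eng pool and Tom 10.0.1.110 from the Fin pool; an identity without a delimiter or with a suffix that matches no policy is refused even when the password is right, which is the behaviour to expect from the router when a new department is added on the RADIUS side before its local policy exists.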
The Need for QoS on VPN

QoS is crucial on VPN links for:
– Sharing network bandwidth
– Marshaling bandwidth usage of applications
– Meeting application latency & speed requirements

The classical "greedy spoke" problem (diagram: a hub serving Spoke 1, which is greedy, CE 1, Client 2 and Spoke 3):
– Bottleneck at the hub, in the crypto engine or on the WAN link: packets are lost, AND the other spokes/clients are starved by the greedy spoke
– Bottleneck at a spoke, on an interface with a limited downstream rate: packets are lost (the most common problem)
Server-Side Hierarchical Shaper

Tunnel bandwidth parent policy:
– Each VPN tunnel is given a maximum bandwidth
– A shaper provides the backpressure mechanism: the parent shaper limits the total bandwidth of the tunnel

Protected packets are processed by the child policy:
– Several policies for the different traffic classes: bandwidth reservation, low-latency queuing, fair queuing, etc.

  class-map control
   match ip precedence 6
  class-map voice
   match ip precedence 5
  ...
  !
  policy-map child-common
   class control
    bandwidth 20
   class voice
    priority percent 60
   ...
  !
  policy-map parent-branch
   class class-default
    shape average 5000000
    service-policy child-common
  !
  policy-map parent-client
   class class-default
    shape average 1000000
    service-policy child-common

Different parent policies for different peers (hub towards a branch: 5 Mbps; hub towards an RA client: 1 Mbps), sharing one child policy for the traffic classes. The slide's child policy was referenced as "service-policy inner" under both parents; it is named child-common above so that the parent policies reference a policy that exists.
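To make the backpressure concrete, here is an added example, not code from the deck: a small fluid model of the greedy-spoke problem with the slide's parent-branch (5 Mbps) and parent-client (1 Mbps) shapers and a 60 % priority class, run with and without the per-tunnel policy on a shared 10 Mbps hub link. The traffic mix, burst sizes, queue limit and link buffer are constructed; excess priority traffic is queued rather than policed away, a simplification of IOS LLQ. Class and function names are mine.

```python
# Added example, not deck code: fluid model of the greedy-spoke problem and of
# the slide's parent shaper + child LLQ policy. Time runs in 1 ms ticks, so a
# rate in kbps equals bits per tick. Traffic mix, burst sizes, queue limit and
# link buffer are constructed; shaper rates and the 60 % priority are the slide's.
from collections import deque


class TokenBucket:
    """Single-rate token bucket, refilled once per tick."""

    def __init__(self, rate_kbps, burst_bits):
        self.rate, self.burst, self.tokens = rate_kbps, burst_bits, burst_bits

    def tick(self):
        self.tokens = min(self.burst, self.tokens + self.rate)


class TunnelPolicy:
    """Per-tunnel parent shaper with a two-class child: 'voice' is strict
    priority policed to priority_pct of the shape rate (LLQ), 'data' takes the
    remaining parent tokens. shape_kbps=None models a tunnel with no policy."""

    def __init__(self, shape_kbps=None, priority_pct=60, qlimit=64):
        self.shaped = shape_kbps is not None
        if self.shaped:
            prio_kbps = shape_kbps * priority_pct // 100
            # burst = 10 ms of tokens, never less than one 1500-byte packet
            self.parent = TokenBucket(shape_kbps, max(shape_kbps * 10, 15000))
            self.prio = TokenBucket(prio_kbps, max(prio_kbps * 10, 15000))
        self.queues = {"voice": deque(), "data": deque()}
        self.qlimit = qlimit

    def enqueue(self, cls, bits):
        if len(self.queues[cls]) < self.qlimit:   # tail drop beyond the queue limit
            self.queues[cls].append(bits)

    def dequeue(self):
        """Release this tick's packets toward the link; returns {class: bits}."""
        out = {"voice": 0, "data": 0}
        if not self.shaped:                        # no backpressure: flush everything
            for cls, q in self.queues.items():
                out[cls] = sum(q)
                q.clear()
            return out
        self.parent.tick()
        self.prio.tick()
        q = self.queues["voice"]                   # priority class is served first
        while q and q[0] <= min(self.prio.tokens, self.parent.tokens):
            bits = q.popleft()
            self.prio.tokens -= bits
            self.parent.tokens -= bits
            out["voice"] += bits
        q = self.queues["data"]                    # the rest gets what the parent leaves
        while q and q[0] <= self.parent.tokens:
            bits = q.popleft()
            self.parent.tokens -= bits
            out["data"] += bits
        return out


def simulate(tunnels, flows, link_kbps, buffer_bits, ticks):
    """flows: (tunnel, class, packet_bits, period_ms) constant-rate sources. The
    hub link is a drop-tail buffer drained at link_kbps; when a tick's arrivals
    exceed the free buffer every contributor loses the same fraction (random
    interleaving on one FIFO). Returns (delivered, offered) bits per (tunnel, class)."""
    offered, delivered, backlog = {}, {}, 0
    for t in range(ticks):
        for name, cls, bits, period in flows:
            if t % period == 0:
                tunnels[name].enqueue(cls, bits)
                offered[(name, cls)] = offered.get((name, cls), 0) + bits
        arrivals = {(name, cls): bits for name, pol in tunnels.items()
                    for cls, bits in pol.dequeue().items() if bits}
        total = sum(arrivals.values())
        keep = min(1.0, (buffer_bits - backlog) / total) if total else 1.0
        for key, bits in arrivals.items():
            delivered[key] = delivered.get(key, 0) + bits * keep
        backlog = max(0, backlog + total * keep - link_kbps)
    return delivered, offered


def loss_ratio(delivered, offered, key):
    return 1 - delivered.get(key, 0) / offered[key] if offered.get(key) else 0.0


def run_scenario(shaped, ticks=1000):
    """Greedy branch plus two RA clients behind one 10 Mbps hub link, with the
    slide's shapers or none. Returns (loss per flow, delivered kbps per tunnel)."""
    tunnels = {"branch": TunnelPolicy(5000 if shaped else None),   # parent-branch
               "client1": TunnelPolicy(1000 if shaped else None),  # parent-client
               "client2": TunnelPolicy(1000 if shaped else None)}
    flows = [("branch", "data", 12000, 1),    # 1500 B every ms: 12 Mbps, greedy
             ("branch", "voice", 1280, 2),    # 160 B every 2 ms: 640 kbps
             ("client1", "data", 12000, 20),  # 1500 B every 20 ms: 600 kbps
             ("client2", "data", 12000, 20)]
    delivered, offered = simulate(tunnels, flows, 10000, 500000, ticks)
    loss = {key: round(loss_ratio(delivered, offered, key), 3) for key in offered}
    rate = {n: sum(b for (tun, _), b in delivered.items() if tun == n) / ticks for n in tunnels}
    return loss, rate
```

Calling run_scenario(False) and run_scenario(True) shows the two cases of the slide: without per-tunnel shaping the link buffer fills, and the clients and the branch's own voice lose a large share of their packets alongside the greedy data flow; with the shapers the branch is held to about 5 Mbps, its voice class is untouched, the loss is confined to the branch's own data queue, and the clients see no loss at all.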
QoS Use Case

Requirements:
– Traffic segregation between departments
– Single VPN endpoint in global VRF
– AnyConnect software client
– EAP user authentication
– Per-user QoS policy

Proposed solution:
– Single IKEv2 profile & V-Template
– Interface configuration strings
– Explicit RADIUS group authorization
– Implicit RADIUS user authorization (user attributes cached during EAP)

Diagram: as in the VRF use case, Joe (Engineering) and Tom (Finance) connect over the WAN to Eth0/0 in the global VRF, with their V-Access interfaces in the Engineering and Finance VRFs; Joe gets the high-bandwidth policy (10 Mbps), Tom the low-bandwidth policy (5 Mbps).
QoS Use Case – Configuration

Global configuration:
  aaa authentication login frad group frad
  aaa authorization network frad group frad
  !
  crypto ikev2 name-mangler dept
   eap suffix delimiter @
  !
  crypto ikev2 profile default
   match identity remote key-id vpn@cisco
   identity local dn
   authentication remote eap query-identity
   authentication local rsa-sig
   pki trustpoint root
   aaa authentication eap frad
   aaa authorization group eap list frad name-mangler dept
   aaa authorization user eap cached
   virtual-template 1
  !
  no crypto ikev2 http-url cert
  !
  interface Virtual-Template1 type tunnel
   no ip address
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
  !
  policy-map high
   ...
  (policy-map low defined likewise; not shown on the slide)

Per-department configuration (only the loopbacks and pools remain on the FlexVPN server):
  interface Loopback1
   vrf forwarding Eng
   ip address 10.0.1.1 255.255.255.255
  !
  ip local pool Eng 10.0.1.10 10.0.1.99
  !
  interface Loopback101
   vrf forwarding Fin
   ip address 10.0.1.101 255.255.255.255
  !
  ip local pool Fin 10.0.1.110 10.0.1.199

RADIUS user database (FreeRADIUS users file syntax):
  joe@Eng Cleartext-Password := "joe123"
          Cisco-AVPair = "ip:interface-config=service-policy output high"
  tom@Fin Cleartext-Password := "tom456"
          Cisco-AVPair = "ip:interface-config=service-policy output low"
  Eng Cleartext-Password := "cisco"
          Cisco-AVPair = "ipsec:addr-pool=Eng",
          Cisco-AVPair += "ipsec:dns-servers=10.0.1.1",
          Cisco-AVPair += "ip:interface-config=vrf forwarding Eng",
          Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"
  Fin Cleartext-Password := "cisco"
          Cisco-AVPair = "ipsec:addr-pool=Fin",
          Cisco-AVPair += "ipsec:dns-servers=10.0.1.101",
          Cisco-AVPair += [...]

– Group authorization based on the domain suffix: the name-mangler turns joe@Eng into the group "Eng", which is fetched from RADIUS explicitly
– Per-user QoS policy: the user attributes returned during EAP are cached and applied to the V-Access ("aaa authorization user eap cached")
– All attributes centralized on the AAA server; the QoS policies themselves (policy-map high / low) are defined locally on the FlexVPN server
– Check: the group entries "Eng" and "Fin" are plain RADIUS users with a fixed, well-known password. Restrict those entries on the AAA server so that they can only satisfy the router's group authorization request and cannot be used for an ordinary user login.
FlexVPN SSL – Overview (tentative)

Roadmap:
– IOS-XE 3.12S / 15.4(2)S: CSR1000v support
– IOS-XE 3.13S / 15.4(3)S: ASR1000 support

Client-based only (AnyConnect, all platforms)
– No support for clientless, aka WebVPN

Integrated into the FlexVPN framework:
– AAA integration
– Virtual tunnel interfaces
– Smart defaults
– CLI consistency

Initial baseline release, features to be added progressively:
– Virtual Hosting, HostScan / Posture, Two-Factor, DTLS, Mixed-Mode / Dual-Stack, ...
FlexVPN SSL – CLI (tentative)

  crypto ssl proposal my-proposal
   protection dhe-rsa-aes256-sha rsa-aes256-sha1        ! cryptographic algorithms & key exchange method
  crypto ssl policy my-policy
   match address local fvrf wan any port 443            ! local endpoint matching criteria
   pki trustpoint my-root sign                          ! SSL server certificate
   ssl proposal my-proposal                             ! apply SSL proposal
   no shutdown
  crypto ssl profile my-profile
   match policy my-policy                               ! match on SSL policy
   match url fqdn eng-sslvpn.example.com                ! match on URL (FQDN, hostname, path, ...)
   authentication remote user-pass                      ! authentication (certificate, username/password)
   aaa authentication user-pass list my-radius
   aaa authorization user user-pass cached              ! authorization (cached, user, group)
   aaa authorization group user-pass list my-radius eng-group
   virtual-template 1                                   ! virtual interface template
   no shutdown

Accounting is configured in the same profile (command not shown on the slide).

Note on the proposal: of the two suites listed, only the DHE one provides forward secrecy; a static-RSA suite such as rsa-aes256-sha1 lets anyone holding the server's private key decrypt recorded sessions, so list it only for clients that cannot negotiate DHE.
Call to Action...

– Visit the Cisco Campus at the World of Solutions
– BRKSEC-3036 – Advanced IPsec designs with FlexVPN by Frédéric Detienne, Friday 11:30am, North Wing Level -1, Green Hall 3
– Meet the Engineer: Alex Honoré, Frédéric Detienne, Olivier Pélerin (TAC EMEA), Raffaele Brancaleoni (Advanced Services EMEA), Wen Zhang (TAC US), Tom Alexander (TAC GCE)
– Discuss your project's challenges at the Technical Solutions Clinics
– Attend one of the Lunch Time Table Topics, held in the main Catering Hall
– Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014
– CL365: visit us online after the event for updated PDFs and on-demand session videos, www.CiscoLiveEU.com

Complete Your Online Session Evaluation

– Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt