Wednesday, 24 April 2013

IOS IPsec ezVPN server - part II - VTI


Virtual Tunnel Interfaces (VTIs) allow for a significantly simpler IPsec VPN configuration than crypto maps: the tunnel interface itself carries the protection policy, so no crypto ACL has to be maintained and routing decides what is encrypted.
For remote-access VPN, IOS adds a special type of VTI, configured with the command interface virtual-template type tunnel; each connecting client gets its own virtual-access interface cloned from that template.
Cisco recommends using an ISAKMP profile with Easy VPN Server configurations.

The ISAKMP profile is an enhancement to Internet Security Association and Key Management Protocol (ISAKMP) configuration. It makes the phase 1 configuration modular, so that different ISAKMP parameters can be mapped to different IP Security (IPsec) tunnels, and different IPsec tunnels to different VPN routing and forwarding (VRF) instances.

An ISAKMP profile is a repository of IKE Phase 1 and IKE Phase 1.5 (XAUTH and mode configuration) settings for a set of peers.
A profile is applied to an incoming IPsec connection that is identified uniquely through the profile's match identity criteria.

ISAKMP Profile Parameters Configuration
There can be zero or more ISAKMP profiles on a Cisco IOS router. The following parameters can be configured per profile:
1. self-identity {address | fqdn | user-fqdn user-fqdn}: Specifies the identity the local IKE uses to identify itself to the remote peer.
• If not defined, IKE uses the globally configured value.
• address: uses the IP address of the egress interface.
• fqdn: uses the FQDN of the router.
• user-fqdn: uses the specified value.
2. keyring keyring-name: Specifies the keyring to use for Phase 1 authentication.
• If no keyring is specified, the global key definitions are used.
3. ca trust-point trustpoint-name: Specifies a trustpoint to validate a Rivest, Shamir and Adleman (RSA) certificate. If no trustpoint is specified in the ISAKMP profile, all trustpoints configured on the router are used to validate the certificate.
4. client configuration address {initiate | respond}: Used with Easy VPN Server; specifies whether the gateway initiates the mode configuration exchange or responds to mode configuration requests from the client.
5. client authentication list list-name: AAA authentication list used to authenticate the remote client during the extended authentication (XAUTH) exchange.
6. isakmp authorization list list-name: AAA network authorization list from which the Phase 1 preshared (group) key and the other attribute-value (AV) pairs for the group are retrieved.
7. initiate mode aggressive: Initiates an aggressive mode exchange. If not specified, IKE always initiates a Main Mode exchange.
8. keepalive seconds retry retry-seconds: Lets the gateway send dead peer detection (DPD) messages to the peer. If not defined, the gateway uses the globally configured value.
The scenario below also relies on three profile commands not in this list: match identity group group-name (the identity criteria that select the profile for an incoming connection), client configuration group group-name (the Easy VPN group policy pushed to the client through mode configuration) and virtual-template number (the template from which each client's virtual-access interface is cloned).


Scenario:

VPNConcentrator config

ISAKMP profile
crypto isakmp profile EZVPN
   match identity group ezVPN
   client authentication list ezVPN
   isakmp authorization list ezVPN
   client configuration address respond
   client configuration group ezVPN
   virtual-template 1

where
  • authentication list ezVPN is:
aaa authentication login ezVPN local
  • authorization list ezVPN is:
aaa authorization network ezVPN local
  • configuration group ezVPN is:
crypto isakmp client configuration group ezVPN
 key cisco123
 pool ezVPN
 acl SPLIT_T
  (key cisco123 is the group preshared key, a lab value here; XAUTH via the authentication list adds the per-user credential on top of it. The split-tunnel ACL SPLIT_T is not shown; the local pool ezVPN covers 192.168.1.100-200, as the verification below shows.)
  • virtual-template 1 is:
interface virtual-template 1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN
  (the verification output below was captured with the template unnumbered to FastEthernet1/0, the 172.20.1.2 peer address; either works as long as the interface is up)

 IPsec profile
crypto ipsec profile EZVPN
 set transform-set 3DES
 set reverse-route tag 1

where
  • set reverse-route tag 1 enables reverse route injection: a static host route for each client's assigned pool address is installed while the SA is up, tagged 1 so it can be matched by a route-map when redistributing into the IGP
  • transform set is:
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
  (a lab choice that matches the 3DES/MD5/group 2 IKE policy seen in the verification; for production prefer AES with a SHA-2 HMAC and a larger DH group where the IOS release supports them)


Verification:

VPNConcentrator#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.
1002  172.20.1.2      172.20.1.6               ACTIVE 3des md5       2  23:59:07 CX
       Engine-id:Conn-id =  SW:2

VPNConcentrator#show crypto ipsec sa detail
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 172.20.1.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.101/255.255.255.255/0/0)
   current_peer 172.20.1.6 port 58704
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
     local crypto endpt.: 172.20.1.2, remote crypto endpt.: 172.20.1.6
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0x830FCBA0(2198850464)

VPNConcentrator#show interfaces virtual-access 2
Virtual-Access2 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet1/0 (172.20.1.2)
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x0, loopback not set
  Keepalive not set
  Tunnel source 172.20.1.2, destination 172.20.1.6
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "EZVPN")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:01:54
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     3 packets input, 180 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     3 packets output, 180 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

VPNConcentrator#sh ip local pool
 Pool                     Begin           End             Free  In use   Blocked
 ezVPN                    192.168.1.100   192.168.1.200    100       1       0
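The output above is what a reviewer actually audits, and the Codes: legend IOS prints above the table tells you which phase 1.5 features were negotiated. As an added example (not code from the original post or from Cisco), the script below parses show crypto isakmp sa detail output by the column offsets in IOS's own header line, decodes the Cap. letters from the legend, and flags SAs that still negotiate 3DES, MD5 or DH group 1/2, or that carry no DPD/keepalive flag. The embedded sample is the post's verification output; the weak-algorithm thresholds, the finding wording and the function names are this example's assumptions.

```python
"""Audit 'show crypto isakmp sa detail' output for weak IKE settings.

Added example for this post (not code from the page or from Cisco).
Tokens are mapped to columns by the offsets in the IOS header line, so
blank columns (I-VRF, Auth) are handled; the Cap. flags are decoded from
the 'Codes:' legend IOS prints above the table.
"""
import re

# Constructed sample: the concentrator output shown in the post.
SAMPLE = """\
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.
1002  172.20.1.2      172.20.1.6               ACTIVE 3des md5       2  23:59:07 CX
       Engine-id:Conn-id =  SW:2
"""

# Reviewer thresholds; an assumption of this example, not a setting on the page.
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2"}


def parse_legend(text):
    """Build {code: meaning} from the 'Codes:' lines, e.g. {'C': 'IKE configuration mode'}."""
    legend, in_legend = {}, False
    for line in text.splitlines():
        if line.startswith("Codes:"):
            in_legend = True
        elif in_legend and not line.startswith(" "):
            break  # legend ends at the first non-indented line
        if in_legend:
            for code, meaning in re.findall(r"(\w+) - ([^,]+)", line):
                legend[code] = meaning.strip()
    return legend


def parse_sa_table(text):
    """Return one dict per SA row, keyed by the header's column names.

    Each token is assigned to the header column whose start offset is nearest,
    so columns left blank by IOS come back as ''. Indented continuation lines
    such as 'Engine-id:Conn-id = SW:2' are skipped. (A two-word status such as
    'ACTIVE (deleted)' would shift later tokens and is not handled here.)
    """
    rows, columns = [], None
    for line in text.splitlines():
        if line.startswith("C-id"):
            columns = [(m.start(), m.group()) for m in re.finditer(r"\S+", line)]
            continue
        if columns is None or not re.match(r"\d+\s", line):
            continue
        row = {name: "" for _, name in columns}
        for tok in re.finditer(r"\S+", line):
            _, name = min(columns, key=lambda c: abs(c[0] - tok.start()))
            row[name] = (row[name] + " " + tok.group()).strip()
        rows.append(row)
    return rows


def decode_caps(caps, legend):
    """Expand 'CX' into ['IKE configuration mode', 'IKE Extended Authentication']."""
    return [legend.get(ch, "unknown code %s" % ch) for ch in caps]


def audit(text):
    """Return (conn_id, finding) tuples for every SA in the output."""
    findings = []
    for sa in parse_sa_table(text):
        cid, caps = sa["C-id"], set(sa["Cap."])
        if sa["Encr"].lower() in WEAK_ENCR:
            findings.append((cid, "legacy encryption %s; prefer AES" % sa["Encr"]))
        if sa["Hash"].lower() in WEAK_HASH:
            findings.append((cid, "legacy hash %s; prefer SHA-2" % sa["Hash"]))
        if sa["DH"] in WEAK_DH:
            findings.append((cid, "DH group %s is too small; prefer group 14 or higher" % sa["DH"]))
        if not caps & {"D", "K"}:
            findings.append((cid, "no DPD/keepalive (no D or K flag); a dead peer holds the SA until lifetime expiry"))
        if "X" not in caps:
            findings.append((cid, "XAUTH not performed (no X flag); Easy VPN clients should be user-authenticated"))
    return findings


if __name__ == "__main__":
    legend = parse_legend(SAMPLE)
    for sa in parse_sa_table(SAMPLE):
        print(sa["C-id"], sa["Remote"], sa["Status"], decode_caps(sa["Cap."], legend))
    for cid, msg in audit(SAMPLE):
        print("SA %s: %s" % (cid, msg))
```

Run against a saved copy of the command output instead of SAMPLE to audit a live concentrator; on the post's output it reports the 3DES, MD5 and group 2 choices and the missing DPD flag, and confirms that mode configuration (C) and XAUTH (X) were performed for the client.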
