Tuesday 16 April 2013

IOS IPsec ezVPN server - part I

Easy VPN (ezVPN) is a client-server VPN technology based on IPsec. Originally, IPsec was a peer-to-peer technology, where the configurations on both ends of a tunnel are essentially symmetrical. The idea of ezVPN is to make the client configuration as simple as possible, while putting the additional configuration on the server. To avoid excessive configuration on the client side, an additional ISAKMP SA phase has been introduced: Phase 1.5. The purpose of this phase is to push configuration information to the client and to perform additional name-based authentication (Xauth, extended authentication).
  • Phase 1: The client contacts the server and sends its identifier (group name), either using ISAKMP Aggressive Mode or a certificate exchange.
  • Phase 1.5: Based on the group configuration, the server may initiate an additional authentication process (called Xauth) to verify the user's identity. After successful authentication, the client sends a Configuration Request. With the group and the authenticated username at hand, the server may then query its local database or a remote AAA server (e.g. RADIUS) for configuration information, which usually includes the client VPN IP address, the split-tunnel ACL, DNS/WINS servers etc.
  • Phase 2: The client obtains its new IP address and the other configuration information, then tries to establish IPsec SAs based on the split-tunnel ACL (which specifies the traffic to be encrypted) and the new VPN IP address. Essentially, the split-tunnel ACL is used to create the proxy identifiers for Phase 2. As the connection is established, the server may create a static route corresponding to the client VPN IP address, using a process known as Reverse Route Injection (RRI).
Scenario:
  • VPNConcentrator config
    • ezVPN xAuth
aaa new-model
aaa authentication login ezVPN local
aaa authorization network ezVPN local
username user1 password 0 cisco

crypto map VPN client authentication list ezVPN
crypto map VPN isakmp authorization list ezVPN
    • ISAKMP policy
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
IOS routers use DH group 1 by default, while the ezVPN client requires DH group 2 for 3DES and DH group 5 for AES-256.
    • Local address pool
ip local pool ezVPN 192.168.1.100 192.168.1.200
crypto isakmp client configuration address-pool local ezVPN
    • Split tunnel
ip access-list extended SPLIT_T
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 20.1.1.0 0.0.0.255 any
The client will route traffic to the subnets permitted by this ACL across the VPN tunnel and encrypt it.
    • ISAKMP Group
crypto isakmp client configuration group ezVPN
 key cisco123
 pool ezVPN
 acl SPLIT_T
    • IPSEC config
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto dynamic-map DYNAMIC 10
 set transform-set 3DES
 reverse-route

crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC

interface FastEthernet1/0
 ip address 172.20.1.2 255.255.255.252
 crypto map VPN
If default routing is not in use, the router needs to learn the next hop for every newly allocated client IP address. This is achieved with the procedure known as Reverse Route Injection (RRI): for every IP address allocated via ISAKMP configuration mode, the router installs a local static /32 route pointing toward the next hop that reaches that particular VPN client.

The statement
crypto map VPN client configuration address respond
instructs the router to respond to ISAKMP Mode Config messages (specifically, the IP address requests).
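To make the Phase 2 and RRI mechanics described above concrete, here is an added Python model (not IOS code and not part of the original post) that converts the SPLIT_T wildcard entries into networks, derives the per-subnet proxy identifiers for a client that received 192.168.1.101 from the pool, and builds the /32 route RRI installs toward peer 172.20.1.6. The pool-overlap check at the end is an added sanity check of my own, not an IOS feature.

```python
import ipaddress

# Constructed input mirroring the page's SPLIT_T ACL (not router output).
SPLIT_T = [
    "permit ip 10.1.1.0 0.0.0.255 any",
    "permit ip 20.1.1.0 0.0.0.255 any",
]

def acl_entry_to_network(entry):
    """Turn one IOS line 'permit ip <net> <wildcard> any' into an ip_network.
    IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24. Only the
    simple form used by a split-tunnel ACL is handled."""
    fields = entry.split()
    if fields[:2] != ["permit", "ip"] or len(fields) != 5 or fields[4] != "any":
        raise ValueError(f"unsupported ACL entry: {entry}")
    net, wildcard = fields[2], fields[3]
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a valid wildcard is a run of low-order one bits
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{net}/{32 - wc.bit_length()}", strict=True)

def phase2_proxy_ids(acl, client_ip):
    """Proxy identifiers derived from the split-tunnel ACL: one IPsec SA per
    permitted subnet, with the client's mode-config address as the other
    identity (the 'remote ident' seen on the server)."""
    client = ipaddress.ip_network(f"{client_ip}/32")
    return [(acl_entry_to_network(e), client) for e in acl]

def rri_route(client_ip, peer_ip):
    """Host route that Reverse Route Injection installs on the server: the
    client's VPN address /32 via the peer's public address, i.e. the
    'S 192.168.1.101 [1/0] via 172.20.1.6' entry in the routing table."""
    return ipaddress.ip_network(f"{client_ip}/32"), ipaddress.ip_address(peer_ip)

def pool_disjoint_from_split(pool_start, pool_end, acl):
    """Added sanity check (an assumption, not an IOS feature): the local pool
    must not overlap a split-tunnel subnet, or a client's own address would
    fall inside a network it is told to send through the tunnel."""
    lo, hi = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    nets = [acl_entry_to_network(e) for e in acl]
    return all(n[-1] < lo or n[0] > hi for n in nets)

if __name__ == "__main__":
    for net, client in phase2_proxy_ids(SPLIT_T, "192.168.1.101"):
        print(f"IPsec SA: local {net}  remote {client}")
    route, nh = rri_route("192.168.1.101", "172.20.1.6")
    print(f"RRI: S {route} via {nh}")
    print("pool disjoint from split-tunnel subnets:",
          pool_disjoint_from_split("192.168.1.100", "192.168.1.200", SPLIT_T))
```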
  • Client setup

Add a new connection and set the IP address of the VPNConcentrator. The Group Authentication parameters must match those configured on the VPNConcentrator:
crypto isakmp client configuration group ezVPN
 key cisco123
The credentials used for the connection are those defined by the aaa configuration.


Verification:

IP address allocated from the VPNConcentrator pool

Static routes added for the subnets specified by the SPLIT_T ACL.

VPNConcentrator#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.
1008  172.20.1.2      172.20.1.6               ACTIVE 3des md5       2  23:54:38 CX
       Engine-id:Conn-id =  SW:8

VPNConcentrator#show crypto ipsec sa detail
interface: FastEthernet1/0
    Crypto map tag: VPN, local addr 172.20.1.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.101/255.255.255.255/0/0)
   current_peer 172.20.1.6 port 55487
     PERMIT, flags={}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
     local crypto endpt.: 172.20.1.2, remote crypto endpt.: 172.20.1.6
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
     current outbound spi: 0xDE89E3E8(3733578728)

VPNConcentrator#show ip local pool
 Pool                     Begin           End             Free  In use   Blocked
 ezVPN                    192.168.1.100   192.168.1.200    100       1       0

Gateway of last resort is not set
     172.20.0.0/30 is subnetted, 2 subnets
C       172.20.1.0 is directly connected, FastEthernet1/0
S       172.20.1.4 [1/0] via 172.20.1.1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet1/1
     192.168.1.0/32 is subnetted, 1 subnets
S       192.168.1.101 [1/0] via 172.20.1.6
