VPN Remote Access with IOS & Introduction to FlexVPN

Slide 2: VPN Remote Access with IOS & Introduction to FlexVPN
Alex HONORÉ, CCIE #19553, Senior Customer Support Engineer, EMEA Technical Assistance Center

Slide 3: Objectives & Prerequisites

Session objectives:
- Introduce IKEv2 & FlexVPN, with a focus on AAA-based management
- Demonstrate the value-add and possibilities of FlexVPN as a Remote Access solution with a variety of clients (software & hardware)
- Solve simple & complex use cases using FlexVPN

Basic understanding of the following topics is required: IPsec, IKEv1, PKI, AAA, RADIUS, AnyConnect, VRF, QoS.
Experience with the following features is a plus: Easy VPN, MQC, VRF-Lite, iBGP.

More FlexVPN (hub-spoke, dynamic mesh, MPLS over Flex, multicast, ...): BRKSEC-3036 Advanced IPsec designs with FlexVPN by F. Detienne, Friday 11:30am, North Wing Level -1, Green Hall 3.

Slide 4: Session Agenda
- Introduction to FlexVPN
- Tunnel Interfaces
- Configuration Building Blocks
- FlexVPN AAA Integration: AAA-Based Authentication, User & Group Authorization, Connection Accounting
- Remote Access Clients: AnyConnect Software Mobility Client, Windows Native IKEv2 Client, FlexVPN Hardware Client
- Scenarios & Use Cases: Full & Split Tunneling, Network Extension, Virtualization (VRF), Quality of Service
- FlexVPN SSL Preview
- Wrap-up

Slide 5: Before We Begin...
Additional info slides:
- Rendered in the presentation PDF (download it through the Cisco Live portal)
- Not shown during the live presentation
- Cover extra details or small additional topics

Slide 6: Introduction to FlexVPN

Slide 7: FlexVPN Overview

Unified overlay VPN:
- Combines site-to-site, remote access, hub-spoke & spoke-spoke topologies
- IPsec VPN compliant with the IKEv2 standard
- SSL VPN remote access coming soon (AnyConnect Secure Mobility Client)

FlexVPN highlights:
- Unified CLI with smart defaults
- Unified infrastructure that leverages point-to-point tunnel interfaces
- Most features available across all topologies (QoS, AAA, VRF, ...)
- Interoperable with other IKEv2 implementations (ASA, Windows, strongSwan, ...)
- Easier to learn, market and manage

Slide 8: Solution Positioning

Feature                | Easy VPN | DMVPN   | Crypto Map | FlexVPN
-----------------------|----------|---------|------------|--------
Interop.               | No       | No      | Yes        | Yes
Dynamic Routing        | No       | Yes     | No         | Yes
IPsec Routing          | Yes      | No      | Yes        | Yes
Spoke to Spoke Direct  | No       | Yes     | No         | Yes
Remote Access          | Yes      | No      | Yes        | Yes
Simple Failover        | Yes      | Partial | Poor       | Yes
Source Failover        | No       | No      | No         | Yes
Config Push            | Yes      | No      | No         | Yes
Per-Peer Config        | Yes      | No      | No         | Yes
Per-Peer QoS           | Yes      | Group   | No         | Yes
Full AAA Mgmt          | Complex  | No      | No         | Yes

One VPN to learn and deploy. Everything works, no questions asked.

Slide 9: Why FlexVPN?
- IKEv2 is a major protocol update: no backward compatibility with IKEv1, requires serious consideration and reconfiguration, brings in a lot of improvements
- Major IOS architecture rework needed to address needs: per-peer features (QoS, ZBFW, policies, VRF injection, ...)
- Too many overlay technologies: the offering was too fragmented and VPN learning time had grown out of control (a 1-day techtorial was insufficient)
- IKEv2 is a good transition point to revisit design and architecture: ideal for all types of VPNs, service aggregation (remote access, site-to-site, ...), improved service management, multitenancy

Slide 10: Comparing IKEv1 & IKEv2

IKEv1 is defined by ISAKMP (RFC 2408), the IPsec DOI (RFC 2407) and IKE (RFC 2409), plus the NAT-T and Mode Config extensions. IKEv2 is defined by RFC 5996 (since superseded by RFC 7296), with EAP-Only IKEv2 (RFC 5998), Childless IKEv2 (RFC 6023), IKEv2 Redirect (RFC 5685), etc.

Same objectives: authentication, integrity, confidentiality, DPD.

IKEv2 is more secure:
- Authentication options: PSK, RSA-Sig, EAP authentication, hybrid authentication
- Suite-B
- Anti-DoS
- Cleaner identity/key exchange

Similar but different:
- Both use UDP ports 500 & 4500
- IKEv1 Main + Aggressive modes vs. a single IKEv2 initial exchange
- Acknowledged notifications in IKEv2

Slide 11: IKEv2 Exchanges (Initiator I, Responder R)
- IKE_SA_INIT: IKEv2 Security Association (SA) establishment (proposal selection, key exchange)
- IKE_AUTH: mutual authentication & identity exchange; initial IPsec SA establishment; certificate exchange (optional); configuration exchange (optional)
- CREATE_CHILD_SA: additional IPsec SA establishment; IKEv2 & IPsec SA rekey
- INFORMATIONAL: can be (I to R) with ACK or (R to I) with ACK; notifications (SA deletion, liveness check, ...); configuration exchange (one or both ways)

Slide 12: IKEv2 Configuration Exchange

CFG_REQUEST / CFG_REPLY (carried in IKE_AUTH): the initiator (RA client) requests configuration parameters from the responder (RA server).
- Client: "I would like an IPv6 address, a DNS & WINS server, and a list of protected IPv6 subnets."
- Server (derived from peer authorization): "Your assigned IPv6 address is... Your DNS server is... There is no WINS server. My protected IPv6 subnets are..."

CFG_SET / CFG_ACK (carried in INFORMATIONAL, acknowledged): the initiator and/or responder sends unsolicited configuration parameters to its peer.
- Either side (derived from peer authorization): "My local IPv6 protected subnets are..."

Slide 13: IKEv2 Certificate-Based Authentication

Two PKI branches under a common Root: Root -> Sub#1 -> A (initiator) and Root -> Sub#2 -> B (responder).

- The peers exchange CERT_REQ payloads naming the issuers they accept (the responder in IKE_SA_INIT_R, the initiator in IKE_AUTH_I): CERT_REQ(Root), CERT_REQ(Sub#1) on one side and CERT_REQ(Root), CERT_REQ(Sub#2) on the other.
- IKE_AUTH_I: A computes its cert chain and sends CERT(Root -> Sub#1), CERT(Sub#1 -> A) and AUTH(HASH_I). B validates the chain & verifies the signature.
- IKE_AUTH_R: B computes its cert chain and sends CERT(Root -> Sub#2), CERT(Sub#2 -> B) and AUTH(HASH_R). A validates the chain & verifies the signature.

B is willing to accept certs issued by Root and certs issued by Sub#1. A must provide B with its identity certificate and the Sub#1 certificate to complete the chain.

Slide 14: Tunnel Interfaces

Slide 15: Dynamic Point-to-Point Virtual Interfaces

FlexVPN server: dynamically instantiated P2P interfaces (VA1, VA2, VA3), cloned from the Virtual-Template (VT1) that the IKEv2 profile (security policy) points to. Each client gets its own interface, so per-peer features such as QoS are attached per interface:

interface Virtual-Access1
 ip unnumbered Loopback0
 tunnel source <local-address>
 tunnel destination <remote-address>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
 service-policy output mobile-qos
!
interface Virtual-Access2
 (same, with service-policy output traveler-qos)
!
interface Virtual-Access3
 (same, with service-policy output home-office-qos)

P2P virtual interface template:

crypto ikev2 profile default
 ...
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

Server routing table (RIB/FIB): a host route per client and a subnet route for a network-extension client, each pointing at its Virtual-Access interface:

S default via Ethernet0/0
L /32 local Loopback0
S /32 via Virtual-Access1
S /32 via Virtual-Access2
S /32 via Virtual-Access3
S /24 via Virtual-Access

Static P2P virtual interface on the client (Tun0):

interface Tunnel0
 ip address negotiated
 tunnel source Ethernet0/0
 tunnel destination <server-address>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

Slide 16: Interface Features

Packet path on the FlexVPN server for cleartext traffic from the server LAN (Eth0/1) towards the RA client (encrypted, out Eth0/0):
- Interface input features on Eth0/1 (apply to the cleartext packet)
- RIB/FIB lookup (routing table) selects Virtual-Access1
- Pre-encapsulation interface output features on Virtual-Access1 (apply to the cleartext packet: NAT, PBR, QoS, NetFlow, ...)
- IPsec encapsulation (tunnel protection): IP | L4 | Data becomes IP | IPsec | [IP | L4 | Data] (encrypted)
- Post-encapsulation interface output features on Eth0/0 (apply to the encrypted packet)

Slide 17: Tunnel Encapsulation

IPsec tunnel mode (IPv4 or IPv6), packet layout IP | IPsec | [IP | L4 | Data] (encrypted):
- Classic DVTI: compatibility with software clients (any-to-any or any-to-assigned-address)
- Multi-SA DVTI: compatibility with legacy crypto map peers (ASA, other vendors)

interface Virtual-Template1 type tunnel
 tunnel mode ipsec {ipv4 | ipv6}
 tunnel protection ipsec profile default

GRE over IPsec, packet layout IP | IPsec | [GRE | IP | L4 | Data] (encrypted):
- Dual-stack (IPv4 + IPv6 over IPsec) out of the box
- Enables tunneling of non-IP protocols (e.g. MPLS)
- Required for dynamic mesh scenarios (à la DMVPN, but with the extra flexibility of point-to-point interfaces)
- tunnel mode gre ip is the default on static & dynamic tunnel interfaces

interface Virtual-Template1 type tunnel
 tunnel mode gre {ip | ipv6}
 tunnel protection ipsec profile default

Slide 18: Configuration Building Blocks

Slide 19: Configuration Example

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn router.cisco.com
 authentication local rsa-sig
 authentication remote eap
 pki trustpoint root sign
 aaa authentication eap default
 aaa authorization user eap
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

Building blocks in this example:
- IKEv2 identity & profile selection (match identity remote, identity local)
- IKEv2 authentication & certificates (authentication local/remote, pki trustpoint)
- AAA integration: authentication, authorization, accounting (aaa authentication eap, aaa authorization user eap)
- Dynamic point-to-point interfaces (virtual-template 1, interface Virtual-Template1)
- Native IPsec tunnel or GRE/IPsec (tunnel mode, tunnel protection)

Slide 20: IKEv2 CLI Overview: Proposal, Policy and Keyring

- IKEv2 Proposal: algorithms for the IKEv2 SA
- IKEv2 Policy: binds an IKEv2 Proposal to a local Layer 3 scope
- IKEv2 Keyring: supports asymmetric pre-shared keys
- IKEv2 Authorization Policy: contains attributes for local AAA & the configuration exchange

crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha512 sha256 sha1 md5
 group 5 2
!
crypto ikev2 policy default
 match fvrf any
 proposal default
!
crypto ikev2 keyring IOSKeyring
 peer cisco
  address <peer-address>
  pre-shared-key local CISCO
  pre-shared-key remote OCSIC
!
crypto ikev2 authorization policy default
 route set interface
 route accept any

Slide 21: IKEv2 CLI Overview: IKEv2 Profile

Extensive CLI: self-identity control, match on the peer IKE identity or certificate, match on the local address and front VRF.

crypto ikev2 profile default
 identity local address <address>
 identity local fqdn local.cisco.com
 identity local email <address>
 identity local dn
 match identity remote address <address>
 match identity remote fqdn remote.cisco.com
 match identity remote fqdn domain cisco.com
 match identity remote email <address>
 match identity remote email domain cisco.com
 match certificate certificate_map
 match fvrf red
 match address local <address>

Only one local identity is allowed; multiple match identity statements are allowed.

Asymmetric local & remote authentication methods; local and AAA-based pre-shared keyring:

 authentication local pre-share
 authentication local rsa-sig
 authentication local eap
 authentication remote pre-share
 authentication remote rsa-sig
 authentication remote eap
 keyring local IOSKeyring
 keyring aaa AAAlist
 pki trustpoint <trustpoint_name>

Only one local method is allowed; multiple remote methods are allowed.

Slide 22: IKEv2 Basic Negotiation

Initiator -> Responder: HDR, SAi1, KEi, Ni
Responder -> Initiator: HDR, SAr1, KEr, Nr, [CERTREQ]
Initiator -> Responder: HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}
Responder -> Initiator: HDR, SK {IDr, [CERT], AUTH, SAr2, TSi, TSr}

- HDR: IKE header
- SAi1, SAr1: crypto algorithms proposed/accepted by the peer
- KEi, KEr: initiator/responder key exchange material
- Ni, Nr: initiator/responder nonce
- SK {...}: payload encrypted and integrity protected
- IDi, IDr: initiator/responder IKE identity
- CERTREQ, CERT: certificate request, certificate payload
- AUTH: authentication data
- SAi2, SAr2: SA proposal & transform to create the initial CHILD_SA
- TSi, TSr: traffic selectors (as src/dst proxies)

Slide 23: IKEv2 Profile Match Statements

The IKE_AUTH request carries the peer's identity and, optionally, its certificate: HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}.

Match on the IKE identity (IDi):
- IP address: match identity remote address <address>
- FQDN router.cisco.com: match identity remote fqdn router.cisco.com
- E-mail address: match identity remote email <address>

Match on the certificate (CERT), e.g. Subject: cn=router, ou=engineering, o=cisco and Issuer: cn=pki Server, ou=it, o=cisco, through a certificate map with the rules
 subject-name co ou = engineering
 issuer-name co o = cisco
referenced from the profile with match certificate <cert-map>.

Slide 24: IPsec CLI Overview

- Tunnel protection similar to DMVPN and Easy VPN
- Transform set unchanged
- IPsec profile defines SA parameters and points to the IKEv2 profile
- Dynamic and static point-to-point interfaces: tunnel protection points to the IPsec profile

crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
!
crypto ipsec profile default
 set transform-set default
 set ikev2-profile default
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel protection ipsec profile default
!
interface Tunnel0
 ip address <address> <mask>
 tunnel source Ethernet0/0
 tunnel destination <peer-address>
 tunnel protection ipsec profile default

Slide 25: Introducing Smart Defaults

Intelligent, reconfigurable defaults. These constructs are the Smart Defaults, present without any configuration:

crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
!
crypto ipsec profile default
 set transform-set default
 set ikev2-profile default
!
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256 sha1 md5
 group 5 2
!
crypto ikev2 policy default
 match fvrf any
 proposal default
!
crypto ikev2 authorization policy default
 route set interface
 route accept any

What you need to specify:

crypto ikev2 profile default
 match identity remote address <address>
 authentication local rsa-sig
 authentication remote rsa-sig
 aaa authorization user cert list default default
 pki trustpoint root
!
interface Tunnel0
 ip address <address> <mask>
 tunnel protection ipsec profile default

Caveat: the default proposal still offers SHA-1, MD5 and DH group 2, which are weak by current standards; trim them with the reconfiguration shown on the next slide rather than relying on the peer to pick the strongest option.

Slide 26: Reconfigurable Defaults

All defaults can be modified, deactivated and restored.

Modifying defaults (syntax illustration; pick sha256 or stronger in practice):
crypto ikev2 proposal default
 encryption aes-cbc-128
 integrity md5
!
crypto ipsec transform-set default esp-aes 256 esp-sha-hmac

Restoring defaults:
default crypto ikev2 proposal
default crypto ipsec transform-set

Disabling defaults:
no crypto ikev2 proposal default
no crypto ipsec transform-set default

Slide 27: Static Site-to-Site Example

Router 2 configuration (Router 1 is the mirror image, with FQDNs and keys swapped):

crypto ikev2 profile default
 match identity remote fqdn r1.cisco.com
 identity local fqdn r2.cisco.com
 authentication remote pre-share key r1r2!
 authentication local pre-share key !r2r1
!
interface Tunnel0
 ip address <address> <mask>
 tunnel source Ethernet0/0
 tunnel destination <router-1-address>
 tunnel protection ipsec profile default
!
interface Ethernet0/0
 ip address <address> <mask>
!
router rip
 version 2
 network <tunnel-network>

Exchange (IKE SA agreement & Diffie-Hellman key exchange not shown):
1. Router 1: "My IKE ID is r1.cisco.com (FQDN). My PSK authentication payload is... I want to protect GRE traffic between..."
2. Router 2 maps the connection to IKEv2 profile default by matching on the peer FQDN, verifies the peer's AUTH payload & produces its own based on the configured PSK, and uses its own FQDN as IKE ID.
3. Router 2: "My IKE ID is r2.cisco.com (FQDN). My PSK authentication payload is... I agree to protect GRE traffic between..."
4. Both routers finalize the IPsec SAs (GRE between local & remote WAN addresses), then establish the routing protocol neighborship & exchange prefixes.

Slide 28: FlexVPN AAA Integration

Slide 29: FlexVPN AAA: Authentication, Authorization & Accounting

IKEv2 communicates with the IOS AAA subsystem:
- Local database (IKEv2 Authorization Policy)
- Remote database (RADIUS)
- Protocols in play: IKEv2, RADIUS, EAP

AAA-based authentication:
- Pre-shared keys stored on the RADIUS server
- EAP over IKEv2 & RADIUS

Authorization:
- Implicit authorization (re-uses attributes received during authentication)
- Explicit authorization (local or remote, group- & user-level)

Accounting.

AAA list names are what the IKEv2 profile references:

aaa new-model
aaa authorization network local-db local
aaa authorization network remote-db group radius

Slide 30: High-Level Interactions

Roles: the RA client is the IKEv2 initiator and EAP supplicant; the FlexVPN server is the IKEv2 responder, RADIUS NAS and EAP authenticator; the AAA server is the RADIUS server and EAP backend.

Interactions, in order:
- Certificate authentication (RA client and FlexVPN server)
- PSK authentication (optional), with AAA PSK retrieval (FlexVPN server and AAA server)
- EAP client authentication (RA client and AAA server, relayed by the FlexVPN server)
- Cached & local authorization (on the FlexVPN server)
- RADIUS authorization (FlexVPN server and AAA server)
- RADIUS accounting (FlexVPN server and AAA server)

Slide 31: Building Block: IKEv2 Name Mangler

Start with the peer's IKE or EAP identity and derive a username that is meaningful to AAA (local or RADIUS).

RA client identity as seen in the IKEv2 exchange, for example:
- FQDN: joe.cisco.com
- DN: cn=joe,ou=it,o=cisco
- EAP identity

crypto ikev2 name-mangler extract-user
 fqdn hostname
 dn common-name
 eap prefix

Result in all three cases: AAA username joe.
- Local AAA request: username joe
- RADIUS AAA request: username joe, password cisco (static password, configurable)

Slide 32: FlexVPN AAA Integration: AAA-Based Authentication

Slide 33: AAA Pre-Shared Keys

- Same IKEv2 packet flow as regular PSK authentication
- The FlexVPN server has no IKEv2 keyring configured
- Local & remote pre-shared keys are stored on the RADIUS server

Symmetric key (IETF attribute Tunnel-Password), FreeRADIUS users file syntax:
router2 Cleartext-Password := "cisco"
        Tunnel-Password = "!cisco?"

Asymmetric keys (Cisco AV-Pair):
router1 Cleartext-Password := "cisco"
        Cisco-AVPair = "ipsec:ikev2-password-local=cisco!",
        Cisco-AVPair += "ipsec:ikev2-password-remote=!ocsic"

Slide 34: AAA Pre-Shared Keys: Packet Flow

FlexVPN server configuration:

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 keyring aaa list radius name-mangler extract-host
!
crypto ikev2 name-mangler extract-host
 fqdn hostname

Flow (FlexVPN client = IKEv2 initiator; FlexVPN server = IKEv2 responder & RADIUS NAS; AAA server = RADIUS server):
1. Client -> Server, IKEv2 IKE_AUTH: IDi, AUTH(PSK), ... with IKEv2 ID joe.cisco.com
2. Server runs the ID through the name mangler (FQDN hostname): AAA username joe
3. Server -> AAA, RADIUS Access-Request: User-Name joe, Password cisco (static password, configurable)
4. AAA -> Server, RADIUS Access-Accept: local PSK = cisco!, remote PSK = !ocsic, other user attributes for joe (cached for authorization)
5. Server -> Client, IKEv2 IKE_AUTH: IDr, AUTH(PSK), ...

Note that any NAS that knows the RADIUS shared secret and the static password can retrieve these keys, so treat both as credentials equivalent to the PSKs themselves.
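The username derivation on slides 31 and 34 is easy to get wrong when the mangler rule does not match the identity type the client actually sends, so here is the same logic as an added Python example (not IOS code and not from the presentation). The identities joe.cisco.com and cn=joe,ou=it,o=cisco, the extract-user rule set and the static password cisco come from the slides; the EAP identity joe@cisco.com, the "@" delimiter and the email rule are assumptions for the example.

```python
"""IKEv2 name-mangler behaviour modelled in Python.

Added example for slides 31 and 34; this is not IOS code. It reproduces the
username derivation FlexVPN performs on the peer's IKE or EAP identity before
the AAA request is built, for the rule types the slides mention (fqdn, dn,
email, eap). The EAP identity and the email rule are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514-style DN ('cn=joe,ou=it,o=cisco') into lower-cased keys.

    Spaces around ',' and '=' are tolerated because AnyConnect renders the
    subject as 'cn=joe-pc, ou=eng, o=cisco' (slide 46).
    """
    attrs: Dict[str, str] = {}
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN in DN: {rdn!r}")
        key, value = rdn.split("=", 1)
        attrs[key.strip().lower()] = value.strip()
    return attrs


@dataclass(frozen=True)
class NameMangler:
    """One 'crypto ikev2 name-mangler' block: at most one rule per identity type.

    Rule values mirror the CLI keywords: fqdn {hostname|domain|all},
    dn {common-name|organization-unit|organization|country},
    email {username|domain|all}, eap {prefix|suffix|all} (prefix/suffix are
    split at eap_delimiter, assumed to be '@' here).
    """
    fqdn: Optional[str] = None
    dn: Optional[str] = None
    email: Optional[str] = None
    eap: Optional[str] = None
    eap_delimiter: str = "@"

    def mangle(self, id_type: str, identity: str) -> str:
        rule = getattr(self, id_type, None) if id_type in ("fqdn", "dn", "email", "eap") else None
        if rule is None:
            # No rule for this identity type: IOS has no username to send, so the AAA lookup fails.
            raise ValueError(f"no name-mangler rule for identity type {id_type!r}")
        if id_type == "fqdn":
            host, sep, domain = identity.partition(".")
            if not sep:
                raise ValueError(f"FQDN without a domain part: {identity!r}")
            return {"hostname": host, "domain": domain, "all": identity}[rule]
        if id_type == "dn":
            attrs = parse_dn(identity)
            key = {"common-name": "cn", "organization-unit": "ou",
                   "organization": "o", "country": "c"}[rule]
            if key not in attrs:
                raise ValueError(f"DN has no {key} attribute: {identity!r}")
            return attrs[key]
        if id_type == "email":
            user, sep, domain = identity.partition("@")
            if not sep:
                raise ValueError(f"email identity without '@': {identity!r}")
            return {"username": user, "domain": domain, "all": identity}[rule]
        # id_type == "eap"
        if rule == "all":
            return identity
        prefix, sep, suffix = identity.partition(self.eap_delimiter)
        if not sep:
            raise ValueError(f"EAP identity lacks delimiter {self.eap_delimiter!r}: {identity!r}")
        return prefix if rule == "prefix" else suffix


def aaa_request(mangler: NameMangler, id_type: str, identity: str,
                static_password: str = "cisco") -> Dict[str, str]:
    """Build the RADIUS Access-Request attributes FlexVPN would send (slide 34).

    The User-Password is the static, configurable NAS password, not a client
    secret: it only proves to RADIUS that this NAS may ask for the user's keys.
    """
    return {"User-Name": mangler.mangle(id_type, identity),
            "User-Password": static_password}


# The 'extract-user' mangler from slide 31: fqdn hostname / dn common-name / eap prefix.
EXTRACT_USER = NameMangler(fqdn="hostname", dn="common-name", eap="prefix")

if __name__ == "__main__":
    for id_type, ident in [("fqdn", "joe.cisco.com"),
                           ("dn", "cn=joe,ou=it,o=cisco"),
                           ("eap", "joe@cisco.com")]:   # constructed EAP identity
        print(id_type, ident, "->", aaa_request(EXTRACT_USER, id_type, ident))
```

The ValueError paths are the cases to test on a real headend: a profile whose mangler has no rule for the identity type the client presents, or an EAP identity without the configured delimiter, fails authentication rather than falling back to the raw identity.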

Slide 35: EAP Authentication

Extensible Authentication Protocol (RFC 3748): provides common functions for a variety of authentication methods.
- Tunneling methods (costly): EAP-TTLS, EAP-PEAP, ...
- Non-tunneling (recommended): EAP-MSCHAPv2, EAP-GTC, EAP-MD5, ... The IKE_AUTH exchange is already encrypted and the server has already authenticated with a certificate, so an extra TLS tunnel adds round trips without adding protection.

Implemented in IKEv2 as additional IKE_AUTH packets:
- The RA client initiates EAP authentication by omitting the AUTH payload in IKE_AUTH
- The RA server must authenticate itself using certificates (mandatory)
- Authentication takes place between the RA client and the EAP backend authentication server; EAP packets are relayed by the RA server: tunneled inside IKEv2 between RA client and RA server, tunneled inside RADIUS between RA server and EAP backend
- The EAP method is transparent to the RA server: it only needs to be supported by the RA client and the EAP backend

Slide 36: EAP Authentication: Methods

crypto ikev2 profile default
 authentication remote eap query-identity
 aaa authentication eap frad

The RA server authenticates to the client using IKE certificates (mandatory). The EAP method then runs end to end between RA client (EAP supplicant) and AAA server (EAP backend), over IKEv2 up to the FlexVPN server (EAP authenticator) and over RADIUS beyond it:
- Username-password / token / mobile authentication (one-way): EAP-GTC, EAP-MD5, EAP-MSCHAPv2, EAP-AKA, EAP-SIM, ...
- TLS-based certificate authentication (mutual): EAP-TLS, a TLS session between RA client and EAP backend
- TLS-protected nested authentication (one-way or mutual): EAP-PEAP / EAP-TTLS with an inner EAP-MSCHAPv2 / EAP-TLS / ...

Slide 37: EAP Authentication: Packet Flow

crypto ikev2 profile default
 authentication remote eap query-identity
 aaa authentication eap frad

1. Client -> Server, IKE_AUTH: IDi, CFG_REQ, no AUTH
2. Server -> Client, IKE_AUTH: IDr, AUTH(RSA), EAP(ID-Request)
3. Client -> Server, IKE_AUTH: EAP(ID-Response: ID_EAP); Server -> AAA, RADIUS Access-Request: EAP(ID-Response: ID_EAP)
4. AAA -> Server, RADIUS Access-Challenge: EAP(method packet #1); Server -> Client, IKE_AUTH: EAP(method packet #1)
5. Client -> Server, IKE_AUTH: EAP(method packet #2); Server -> AAA, RADIUS Access-Request: EAP(method packet #2) (steps 4 and 5 repeat as often as the method requires)
6. AAA -> Server, RADIUS Access-Accept: EAP(Success), MSK, User-Name (EAP username), other user attributes (cached for authorization)
7. Server -> Client, IKE_AUTH: EAP(Success)
8. Client -> Server, IKE_AUTH: AUTH(MSK)
9. Server -> Client, IKE_AUTH: CFG_REPLY, AUTH(MSK)

Both sides derive their final AUTH payloads from the MSK produced by the EAP method.

Slide 38: EAP Authentication: Initiation

With query-identity:
1. Client -> Server, IKE_AUTH: IDi, CFG_REQ, no AUTH
2. Server -> Client, IKE_AUTH: IDr, AUTH(RSA), EAP(ID-Request)
3. Client -> Server, IKE_AUTH: EAP(ID-Response: ID_EAP); Server -> AAA, RADIUS Access-Request: EAP(ID-Response: ID_EAP). The EAP ID is provided by the client.

Without query-identity:
1. Client -> Server, IKE_AUTH: IDi, CFG_REQ, no AUTH
2. Server -> AAA, RADIUS Access-Request: EAP(ID-Response: IDi). The IKE ID is used as the EAP ID.
3. Server -> Client, IKE_AUTH: IDr, AUTH(RSA)

query-identity is recommended: several clients jam if it is not configured. It is not the default... but it should be.

Slide 39: FlexVPN AAA Integration: User & Group Authorization

Slide 40: Authorization Types

Not mutually exclusive; they may be combined.

Implicit user authorization: uses the cached attributes received from RADIUS during AAA PSK retrieval or EAP authentication (the Access-Accept carrying local PSK = cisco!, remote PSK = !ocsic and the other user attributes for joe).

crypto ikev2 profile default
 aaa authorization user {psk | eap} cached

Explicit user authorization: retrieves user attributes from RADIUS (local database not supported).

crypto ikev2 profile default
 aaa authorization user {psk | eap | cert} list <list> [name <name> | name-mangler <mangler>]

Explicit group authorization: retrieves group attributes from RADIUS or the local database. The override keyword reverses the order of precedence (group > user).

crypto ikev2 profile default
 aaa authorization group {psk | eap | cert} [override] list <list> [name <name> | name-mangler <mangler>]

Slide 41: Attributes Syntax

Local database: IKEv2 Authorization Policy, plus an AAA attribute list for Virtual-Access interface configuration statements:

crypto ikev2 authorization policy Eng
 pool Eng
 dns <dns-server>
 netmask <mask>
 aaa attribute list Eng
!
aaa attribute list Eng
 attribute type interface-config "vrf forwarding Eng"
 attribute type interface-config "ip unnumbered Loopback1"

Central/remote database (on the RADIUS server): standard IETF attributes (Framed-IP-Address, etc.) and Cisco attribute-value pairs (Cisco-AVPair):

Eng Cleartext-Password := "cisco"
    Framed-IP-Netmask = "<mask>",
    Cisco-AVPair = "ipsec:addr-pool=eng",
    Cisco-AVPair += "ipsec:dns-servers=<dns-server>",
    Cisco-AVPair += "ip:interface-config=vrf forwarding Eng",
    Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"

Slide 42: Attributes Merging

1. Cached user attributes, received during AAA-based authentication: Framed-IP-Address, ipsec:dns-servers
2. Explicit user attributes, received during explicit user authorization: Framed-IP-Address
   Merged user attributes: explicit user attributes take precedence (Framed-IP-Address from step 2, ipsec:dns-servers from step 1)
3. Explicit group attributes, received during explicit group authorization: ipsec:dns-servers, ipsec:banner "Welcome!"
   Final merged attributes: merged user attributes take precedence over group attributes, except if group override is configured (Framed-IP-Address and ipsec:dns-servers from the merged user set, ipsec:banner "Welcome!" from the group)

Slide 43: Attributes: Interface Config Ordering

Interface config strings do not override each other during merging. Instead, higher-precedence statements are applied last. Pay attention to command-specific behavior (overwrites / stacks up / collides?).

Received during explicit user authorization:
 Interface-Config: zone-member security high
 Interface-Config: service-policy output gold

Received during explicit group authorization:
 Interface-Config: zone-member security medium
 Interface-Config: service-policy output silver

Applied to the Virtual-Access interface, in order:
 zone-member security medium    OK: overridden by the subsequent zone-member statement
 service-policy output silver
 zone-member security high
 service-policy output gold     NOK: collides with the previous service-policy statement ("Policy map silver is already attached")
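As an added Python example (not IOS code), the merging rules of slides 42 and 43 carried through on constructed attribute sets, so the precedence can be checked before it is relied on in a RADIUS policy. Addresses are RFC 5737 documentation addresses, the group_override flag stands for the [override] keyword of the group authorization command, and only the two interface commands the slide shows are modelled.

```python
"""FlexVPN attribute merging and interface-config ordering, modelled in Python.

Added example for slides 42 and 43; not IOS code. Attribute values are
constructed, but the precedence rules follow the slides: explicit user beats
cached user, merged user beats group unless 'override' is set on the group
authorization, and interface-config strings are never merged, only applied in
increasing order of precedence.
"""
from typing import Any, Dict, List, Tuple

IFCFG = "ip:interface-config"      # AVPair key that carries interface statements
Attrs = Dict[str, List[str]]       # values are lists because AVPairs repeat


def _scalars(attrs: Attrs) -> Attrs:
    return {k: v for k, v in attrs.items() if k != IFCFG}


def merge(cached: Attrs, explicit_user: Attrs, group: Attrs,
          group_override: bool = False) -> Tuple[Attrs, List[str]]:
    """Return (final scalar attributes, interface-config statements in apply order)."""
    # Step 1 (slide 42): explicit user attributes replace cached ones, attribute by attribute.
    merged_user = dict(_scalars(cached))
    merged_user.update(_scalars(explicit_user))
    # Step 2: group attributes fill the gaps, unless 'override' makes them win.
    if group_override:
        final = dict(merged_user)
        final.update(_scalars(group))
    else:
        final = dict(_scalars(group))
        final.update(merged_user)
    # Slide 43: interface-config strings stack, lowest precedence first.
    cached_if = cached.get(IFCFG, [])
    user_if = explicit_user.get(IFCFG, [])
    group_if = group.get(IFCFG, [])
    order = (cached_if + user_if + group_if) if group_override else (group_if + cached_if + user_if)
    return final, order


def apply_interface_config(statements: List[str]) -> Tuple[Dict[str, Any], List[str]]:
    """Simulate applying statements to a Virtual-Access interface.

    'zone-member security' overwrites the previous value; 'service-policy output'
    collides if a policy map is already attached (the error text on the slide).
    Anything else is recorded as stacking up. Returns (interface state, errors).
    """
    state: Dict[str, Any] = {"other": []}
    errors: List[str] = []
    for stmt in statements:
        words = stmt.split()
        if words[:2] == ["zone-member", "security"]:
            state["zone"] = words[2]
        elif words[:2] == ["service-policy", "output"]:
            if "service-policy-output" in state:
                errors.append(f"{stmt}: Policy map {state['service-policy-output']} is already attached")
            else:
                state["service-policy-output"] = words[2]
        else:
            state["other"].append(stmt)
    return state, errors


# Constructed data reproducing the scenario of slides 42 and 43 (RFC 5737 addresses).
CACHED: Attrs = {"Framed-IP-Address": ["192.0.2.10"], "ipsec:dns-servers": ["192.0.2.53"]}
EXPLICIT_USER: Attrs = {"Framed-IP-Address": ["192.0.2.20"],
                        IFCFG: ["zone-member security high", "service-policy output gold"]}
GROUP: Attrs = {"ipsec:dns-servers": ["198.51.100.53"], "ipsec:banner": ["Welcome!"],
                IFCFG: ["zone-member security medium", "service-policy output silver"]}

if __name__ == "__main__":
    for override in (False, True):
        final, order = merge(CACHED, EXPLICIT_USER, GROUP, group_override=override)
        state, errors = apply_interface_config(order)
        print(f"override={override}: {final}\n  applied={order}\n  state={state}\n  errors={errors}")
```

The service-policy collision is the practical lesson: a group that attaches a policy map and a user record that attaches another produce a failed statement, not a merged one, whichever side has precedence.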

Slide 44: Attributes Scope

AAA authorization enables the IKEv2 configuration exchange: IOS AAA attributes are translated into IKEv2 configuration exchange attributes, and some remote attributes may be derived from local attributes.

Remote attributes (sent to the peer):
- IPv4/IPv6 address (standard)
- IPv4/IPv6 netmask (standard)
- IPv4/IPv6 subnets (standard)
- DNS/WINS servers (standard)
- DNS domain name (Cisco Unity)
- Logon banner (Cisco Unity)
- Backup gateways (Cisco Unity)
- Config version/URL (FlexVPN)
- ...

Locally relevant attributes (FlexVPN server):
- IPv4/IPv6 address pool
- DHCP server
- IKEv2 routing (route set statements)
- Virtual-Access interface configuration
- ...

Slide 45: Attributes: IP Address Assignment

User-specific statically assigned IP address: returned as RADIUS IETF Framed-IP-Address; external DB only, not configurable in the IKEv2 Authorization Policy.
joe Framed-IP-Address = "<address>"
    Framed-IP-Netmask = "<mask>"

IOS-managed address pool: referenced in user or group attributes; the IOS pool name can be passed by the RADIUS server; allocation/deallocation entirely managed by IOS.
crypto ikev2 authorization policy Eng
 pool Eng
!
ip local pool Eng <first-address> <last-address>
or, from RADIUS: Eng Cisco-AVPair = "ipsec:addr-pool=eng"

DHCP-assigned IP addresses: request placed by IOS on behalf of the RA client; the DHCP server can be passed by RADIUS.
crypto ikev2 authorization policy Eng
 dhcp server <dhcp-server>
or, from RADIUS: Eng Cisco-AVPair = "ipsec:group-dhcp-server=<dhcp-server>"

RADIUS-managed address pool: address allocated by the RADIUS server and returned as Framed-IP-Address; accounting must be configured (to release addresses when clients disconnect).

Slide 46: Authorization Example

Exchange:
1. RA client: "My IKE ID is cn=joe-pc, ou=eng, o=cisco. Here is my identity certificate. I need an IPv4 address."
2. FlexVPN server: map the connection to IKEv2 profile default by matching on cert-map cisco; perform certificate-based authentication (not shown); run the client IKE ID through name-mangler ou; invoke AAA with list here (local authorization) & username Eng; clone V-Template1 into V-Access1, apply VRF & IP unnumbered; allocate an IPv4 address from pool Eng.
3. FlexVPN server: "Your IPv4 address is: <address>/32"

FlexVPN server configuration:

aaa authorization network here local
!
aaa attribute list Eng
 attribute type interface-config "vrf forwarding Eng"
 attribute type interface-config "ip unnumbered Loopback1"
!
crypto ikev2 authorization policy Eng
 pool Eng
 netmask <mask>
 aaa attribute list Eng
!
crypto pki certificate map cisco 1
 subject-name co o = cisco
!
crypto ikev2 name-mangler ou
 dn organization-unit
!
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list here name-mangler ou
 virtual-template 1
!
ip local pool Eng <first-address> <last-address>
!
interface Loopback1
 vrf forwarding Eng
 ip address <address> <mask>
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

Resulting interface (show derived-config):

interface Virtual-Access1
 vrf forwarding Eng
 ip unnumbered Loopback1
 tunnel source <local-address>
 tunnel mode ipsec ipv4
 tunnel destination <remote-address>
 tunnel protection ipsec profile default

Slide 47: FlexVPN AAA Integration: Connection Accounting

Slide 48: Accounting

FlexVPN server configuration:

aaa accounting network frad start-stop group frad
!
aaa group server radius frad
 server-private <radius-address> auth-port 1812 acct-port 1813 key s3cr3t
!
crypto ikev2 profile default
 aaa authentication eap frad
 aaa authorization user eap cached
 aaa accounting eap frad

Upon client connection (IKEv2 with EAP & IPsec are up and an address has been assigned), the server sends a RADIUS Accounting-Request (Start) and receives an Accounting-Response:

Acct-Session-Id = "<session-id>"
Cisco-AVPair = "isakmp-phase1-id=acvpn"                (IKE ID)
Cisco-AVPair = "isakmp-initator-ip=<client-public-ip>" (client public IP address; the attribute name is spelled this way by IOS)
Framed-IP-Address = <assigned-address>                 (assigned IP address)
User-Name = "joe@cisco"                                (EAP username)
Cisco-AVPair = "connect-progress=no Progress"
Acct-Authentic = Local
Acct-Status-Type = Start
NAS-IP-Address = <server-address>
Acct-Delay-Time = 0

Upon client disconnection, Accounting-Request (Stop) / Accounting-Response:

Acct-Session-Id = "<session-id>"
Cisco-AVPair = "isakmp-phase1-id=acvpn"
Cisco-AVPair = "isakmp-initator-ip=<client-public-ip>"
Framed-IP-Address = <assigned-address>
User-Name = "joe@cisco"
Acct-Authentic = Local
Cisco-AVPair = "connect-progress=no Progress"
Acct-Session-Time = 104                                (statistics)
Acct-Input-Octets = <bytes>
Acct-Output-Octets = <bytes>
Acct-Input-Packets = 207
Acct-Output-Packets = 92
Acct-Terminate-Cause = 0
Cisco-AVPair = "disc-cause-ext=no Reason"
Acct-Status-Type = Stop
NAS-IP-Address = <server-address>
Acct-Delay-Time = 0
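An added example, not from the presentation: a small Python correlator for accounting records in the attribute = value layout shown above, run over a constructed log (RFC 5737 addresses, made-up session ids and counters). It pairs Start and Stop by NAS-IP-Address plus Acct-Session-Id and answers the two questions an incident responder asks of VPN accounting: which user was behind an assigned address, and which sessions never sent a Stop. The misspelled isakmp-initator-ip attribute is kept exactly as IOS emits it.

```python
"""Correlate FlexVPN RADIUS accounting Start/Stop records (added example, not IOS code).

Parses records as attribute = value lines separated by a blank line, the layout
of slide 48, and pairs Start/Stop by (NAS-IP-Address, Acct-Session-Id). The log
below is constructed: RFC 5737 addresses, invented session ids and counters.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*?)"?\s*$')
Record = Dict[str, List[str]]          # values are lists because Cisco-AVPair repeats
Key = Tuple[str, str]                  # (NAS-IP-Address, Acct-Session-Id)

# "isakmp-initator-ip" (sic) is the attribute name IOS actually sends.
SAMPLE_LOG = """\
Acct-Session-Id = "0000001B"
Cisco-AVPair = "isakmp-phase1-id=acvpn"
Cisco-AVPair = "isakmp-initator-ip=198.51.100.7"
Framed-IP-Address = 192.0.2.10
User-Name = "joe@cisco"
Acct-Status-Type = Start
NAS-IP-Address = 203.0.113.1

Acct-Session-Id = "0000001C"
Cisco-AVPair = "isakmp-initator-ip=198.51.100.9"
Framed-IP-Address = 192.0.2.11
User-Name = "ann@cisco"
Acct-Status-Type = Start
NAS-IP-Address = 203.0.113.1

Acct-Session-Id = "0000001B"
Cisco-AVPair = "isakmp-phase1-id=acvpn"
Cisco-AVPair = "isakmp-initator-ip=198.51.100.7"
Framed-IP-Address = 192.0.2.10
User-Name = "joe@cisco"
Acct-Session-Time = 104
Acct-Input-Octets = 81234
Acct-Output-Octets = 20456
Acct-Status-Type = Stop
NAS-IP-Address = 203.0.113.1
"""


def parse_records(text: str) -> List[Record]:
    """One dict per blank-line-separated record; malformed lines raise instead of being skipped."""
    records: List[Record] = []
    current: Record = {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"unparsable accounting line: {line!r}")
        current.setdefault(m.group(1), []).append(m.group(2))
    return records


def avpair(rec: Record, key: str) -> Optional[str]:
    """Pull 'key=value' out of the record's Cisco-AVPair list."""
    for pair in rec.get("Cisco-AVPair", []):
        k, _, v = pair.partition("=")
        if k == key:
            return v
    return None


@dataclass
class Session:
    user: str
    ike_id: Optional[str]
    client_ip: Optional[str]
    assigned_ip: Optional[str]
    closed: bool = False
    duration: Optional[int] = None
    octets_in: Optional[int] = None
    octets_out: Optional[int] = None


def correlate(records: List[Record]) -> Dict[Key, Session]:
    sessions: Dict[Key, Session] = {}
    for rec in records:
        key: Key = (rec["NAS-IP-Address"][0], rec["Acct-Session-Id"][0])
        s = sessions.get(key)
        if s is None:   # first record for this session (a Stop whose Start was lost still counts)
            s = sessions[key] = Session(rec["User-Name"][0], avpair(rec, "isakmp-phase1-id"),
                                        avpair(rec, "isakmp-initator-ip"),
                                        rec.get("Framed-IP-Address", [None])[0])
        if rec["Acct-Status-Type"][0] == "Stop":
            s.closed = True
            s.duration = int(rec["Acct-Session-Time"][0])
            s.octets_in = int(rec["Acct-Input-Octets"][0])
            s.octets_out = int(rec["Acct-Output-Octets"][0])
    return sessions


def who_had(sessions: Dict[Key, Session], assigned_ip: str) -> List[str]:
    """Users that were assigned the given inner address (sessions closed or not)."""
    return [s.user for s in sessions.values() if s.assigned_ip == assigned_ip]


def open_sessions(sessions: Dict[Key, Session]) -> List[Key]:
    """Sessions with a Start but no Stop: still connected, or the Stop never arrived.
    With a RADIUS-managed pool (slide 45) these are also the addresses not yet released."""
    return [key for key, s in sessions.items() if not s.closed]
```

Without timestamps in the records the correlation cannot say when an address was held; production RADIUS servers add Event-Timestamp or a receive time, which should be carried into Session for any who-had-this-address-at-this-time query.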

Slide 49: Remote Access Clients

Slide 50: Remote Access Clients Overview

AnyConnect 3.1 (desktop version)
- Supported OSes: Windows, Mac OS X, Linux
- Supported IKEv2 authentication methods: certificates, EAP
- Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
- Security policy exchange: automatic (RRI) (2)
- Dual stack (IPv4 & IPv6): IOS-XE 3.14 (TBC)
- Split tunneling: yes

AnyConnect 3.0 (mobile version)
- Supported OSes: Android, Apple iOS
- Supported IKEv2 authentication methods: certificates, EAP
- Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
- Security policy exchange: automatic (RRI) (2)
- Dual stack: planned (client limitation)
- Split tunneling: yes

Windows native IKEv2 client
- Supported OSes: Windows 7 & 8
- Supported IKEv2 authentication methods: certificates, EAP
- Supported EAP authentication methods: EAP-MSCHAPv2, EAP-TLS (1), EAP-PEAP (1), ... and more (Win8)
- Security policy exchange: automatic (RRI) (2)
- Dual stack: planned (headend limitation)
- Split tunneling: very limited (classful)

FlexVPN hardware client
- Supported OSes: Cisco IOS (not on IOS-XE / ASR1k, not on ISR-G1)
- Supported IKEv2 authentication methods: certificates, EAP, pre-shared key
- Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
- Security policy exchange: automatic (IKEv2) (2), or dynamic routing protocol (with GRE)
- Dual stack: both (with GRE)
- Split tunneling: yes

strongSwan
- Supported OSes: Linux, Mac OS X, Android, FreeBSD, ...
- Supported IKEv2 authentication methods: certificates, EAP, pre-shared key
- Supported EAP authentication methods: EAP-MSCHAPv2, EAP-TLS (1), EAP-PEAP (1), ... and more (plugins)
- Security policy exchange: automatic (RRI) (2)
- Dual stack: planned (headend limitation)
- Split tunneling: yes

(1) EAP-TLS, EAP-TTLS, EAP-PEAP and others require (potentially dedicated) TLS certificates on the EAP server & RA client.
(2) IPsec Reverse Route Injection (RRI) and IKEv2 route exchange are enabled by default.

Slide 51: Remote Access Clients: AnyConnect Secure Mobility Client

Slide 52: AnyConnect Secure Mobility Client

Since AnyConnect 3.0, IKEv2/IPsec is supported (previously only SSL/TLS):
- Desktop: Windows, Mac OS X, Linux
- Mobile: Apple iOS, Android

Supported authentication methods:
- Machine/user certificates (RSA signatures)
- EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
- EAP-GTC (cleartext password authentication, used for one-time passwords/tokens)
- EAP-MD5 (hash-based authentication)

Particularities:
- Requires EAP query-identity on the server (triggers the username/password input dialog)
- Requires no crypto ikev2 http-url cert on the server (aborts the connection otherwise)
- CSCud96246: incompatibility with IOS when using SHA-2 integrity (resolved in a Dec 2013 release)

For more on AnyConnect management & deployment: BRKSEC-3033 Advanced AnyConnect Deployment and Troubleshooting with ASA by H. Nohre (focuses on ASA as headend, but many topics are also relevant for FlexVPN).

Slide 53: AnyConnect VPN Profile Editor

Add an entry to the server list (server FQDN, connection name, ...). Resulting XML profile; the authentication settings only apply to EAP authentication methods:

<ServerList>
  <HostEntry>
    <HostName>FlexVPN</HostName>
    <HostAddress>flexra.cisco.com</HostAddress>
    <PrimaryProtocol>IPsec
      <StandardAuthenticationOnly>true
        <AuthMethodDuringIKENegotiation>EAP-GTC</AuthMethodDuringIKENegotiation>
        <IKEIdentity>acvpn</IKEIdentity>
      </StandardAuthenticationOnly>
    </PrimaryProtocol>
  </HostEntry>
</ServerList>

Slide 54: AnyConnect Backup Server List

Add backup server(s) to the list. When the primary server stops responding, the client will try connecting to the backup server(s). Resulting XML profile:

<ServerList>
  <HostEntry>
    <HostName>FlexVPN</HostName>
    <HostAddress>flexra.cisco.com</HostAddress>
    <BackupServerList>
      <HostAddress>flexra2.cisco.com</HostAddress>
    </BackupServerList>
    ...

Slide 55: AnyConnect Seamless Auto-Reconnect

Seamless reconnection after:
- transient loss of connectivity
- switching between networks (e.g. moving from 3G to WiFi)
- suspend/resume of the computer

Supported by AnyConnect desktop & mobile for both SSL & IKEv2. FlexVPN server-side support was introduced in IOS 15.4(1)T & IOS-XE 15.4(1)S / 3.11S.

Suspend/resume client behavior is configurable separately:
- DisconnectOnSuspend: release VPN session resources upon suspend, do not reconnect
- ReconnectAfterResume: try to reconnect after the operating system resumes

Proprietary method:
- A session token is exchanged during initial session establishment (configuration exchange)
- Reconnection attempts use the session token as pre-shared key in IKE_AUTH
- Mutually exclusive with PSK configuration in the IKEv2 profile
- The session expires on the server after the configured timeout (default: 30 minutes)

crypto ikev2 profile default
 ...
 reconnect [timeout <seconds>]

Slide 56: AnyConnect Seamless Auto-Reconnect: Scenarios

crypto ikev2 profile default
 reconnect [timeout <seconds>]

WAN failure:
1. Connected over the WAN
2. Network failure detected; the client will attempt to reconnect automatically
3. The server marks the session as inactive and keeps it alive until the configured timeout
4. ISP/WAN comes back up; the session is resumed without any user intervention

Network switch:
1. Connected over 3G
2. Switching to WiFi (different IP address)
3. Session resumed over the WiFi link without any user intervention

Also works when the computer suspends & resumes (behavior controllable through the XML profile).

57 AnyConnect Profile Deployment Options
AnyConnect Desktop:
- Push using a Software Management System
- Send the XML profile to the user
- Install manually on the local hard disk
- Add to the AnyConnect installation package
- Import from the local filesystem
- Configure the connection manually
Default profile location:
- Windows: %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
- Mac OS, Linux: /opt/cisco/anyconnect/profile
AnyConnect Mobile:
- Import or create via URI handler: anyconnect://import?type=profile&uri=location
  Example location: http%3a%2f%2fexample.com%2fflexvpn.xml
- Send the XML profile to the user

58 AnyConnect Mobile Manual Connection
Create a new manual connection:
- Connection name
- Server FQDN
- Enable IKEv2
- Select the authentication method
- Certificate selection
- Specify the IKE ID for EAP methods
(Screenshot; some settings are marked "Cisco ASA only".)

59 AnyConnect Mobile URI Handler
anyconnect:// URI handler on Apple iOS & Android:
- Import XML profile
- Create connection entry
- Connect & disconnect VPN
Example:
    anyconnect://create/?name=flexvpn&host=flexra.cisco.com&protocol=ipsec&authentication=eap-md5&ike-identity=acvpn
URI handling must be allowed in the client (Prompt or Enabled); the client then confirms "Connection successfully created".
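As an added example (not Cisco's code), the following builds the two URI-handler links shown on slides 57 and 59, enforces the IKE identity that EAP methods need for server-side profile selection, percent-encodes the nested profile URL, and parses a link back so it can be checked before it is sent to users. The host and profile names are assumptions.

```python
"""Build and check AnyConnect Mobile URI-handler links (added example, not
Cisco's code). Covers the two actions on the slides: creating a connection
entry and importing an XML profile whose URL is nested in the outer URI.
"""
from urllib.parse import parse_qs, quote, urlsplit

# Lower-case spellings as they appear in the create URI on the slide.
EAP_METHODS = {"eap-gtc", "eap-md5", "eap-mschapv2"}


def create_connection_uri(name, host, authentication, ike_identity=None):
    """anyconnect://create/?name=...&host=...&protocol=ipsec&authentication=...[&ike-identity=...]"""
    params = [("name", name), ("host", host), ("protocol", "ipsec"),
              ("authentication", authentication)]
    if authentication.lower() in EAP_METHODS:
        # The IKE ID is the KEY-ID the FlexVPN server matches in its IKEv2 profile.
        if not ike_identity:
            raise ValueError("EAP methods require ike-identity (KEY-ID matched by the IKEv2 profile)")
        params.append(("ike-identity", ike_identity))
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params)
    return f"anyconnect://create/?{query}"


def import_profile_uri(profile_url):
    """anyconnect://import?type=profile&uri=<percent-encoded URL>

    ':' and '/' of the inner URL must be encoded, otherwise they are parsed as
    part of the outer anyconnect:// URI.
    """
    if not profile_url.startswith(("http://", "https://")):
        raise ValueError("profile location must be an absolute http(s) URL")
    return f"anyconnect://import?type=profile&uri={quote(profile_url, safe='')}"


def parse_anyconnect_uri(uri):
    """Return (action, params) for an anyconnect:// URI; rejects other schemes."""
    parts = urlsplit(uri)
    if parts.scheme != "anyconnect":
        raise ValueError(f"not an anyconnect URI: {uri}")
    # parse_qs decodes the percent-encoding, giving back the original values.
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts.netloc, params


if __name__ == "__main__":
    print(create_connection_uri("flexvpn", "flexra.cisco.com", "eap-md5", "acvpn"))
    print(import_profile_uri("http://example.com/flexvpn.xml"))
```

quote() emits upper-case hex digits (%3A%2F) while the slide shows lower-case ones; percent-encoding is case-insensitive, so both decode to the same URL.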

60 AnyConnect Mobile Certificate Deployment
Package certificate & keypair into a PKCS#12 file
Apple iOS:
- Import PKCS#12 from URL or attachment
- Provision credentials or set up SCEP enrollment using a configuration profile (e.g. via iPhone Configuration Utility)
Android:
- Import PKCS#12 from URL or filesystem
- Use existing credentials from Credential Storage

61 AnyConnect Mutual RSA Signatures
Mutual IKE certificate-based authentication:
- AnyConnect picks the best available identity certificate
  - Based on selection rules in the XML profile (if any)
  - Certificate with EKU preferred over non-EKU
- Client IKE ID = certificate subject DN
- Server selects the IKE profile based on certificate match
  - Matching is done on the certificate itself, not on the IKE ID
Explicit user/group authorization:
- Non-AAA authentication: no cached attributes
- Extract CN/OU field from DN using a name-mangler
- Retrieve user/group attributes from RADIUS
Flow: IKE certificate authentication, then explicit authorization over RADIUS
    crypto ikev2 profile default
     match certificate cisco
     identity local dn
     authentication remote rsa-sig
     authentication local rsa-sig
     pki trustpoint root
     aaa authorization group cert list frad name-mangler ou
     aaa authorization user cert list frad name-mangler cn
     virtual-template 1
RADIUS:
    # Group definition
    Eng Cleartext-Password := "cisco"
        Cisco-AVPair = "ipsec:dns-servers= "
    # User definition
    joe Cleartext-Password := "cisco"
        Framed-IP-Address = " ",
        Framed-IP-Netmask = " "

62 AnyConnect EAP
EAP-GTC / EAP-MD5 / EAP-MSCHAPv2:
- Client IKE ID = KEY-ID string configured in the XML profile
- Server selects the IKEv2 profile based on the KEY-ID string
- EAP query-identity prompts the user for credentials
- EAP ID = username entered by the user
- Password authentication against the AAA user database
- Returned attributes cached for implicit authorization
Flow: IKEv2 with EAP-GTC / EAP-MD5 / EAP-MSCHAPv2, username/password authentication over RADIUS
    crypto ikev2 profile default
     match identity remote key-id acvpn
     identity local dn
     authentication remote eap query-identity
     authentication local rsa-sig
     pki trustpoint root sign
     aaa authentication eap frad
     aaa authorization user eap cached
     virtual-template 1
RADIUS:
    # User definition
    joe@cisco Cleartext-Password := "c1sc0!"
        Framed-IP-Address = " ",
        Framed-IP-Netmask = " ",
        Cisco-AVPair = "ipsec:dns-servers= "

63 AnyConnect Certificate Requirements
AnyConnect client IKEv2 certificate (used for mutual RSA-SIG):
- Common Name (CN): anything
- Key Usage (KU): Digital Signature
- Extended Key Usage (EKU): optional (1, 3); if present: TLS Client Authentication
- Subject Alternative Name (SAN): not required (3)
FlexVPN server IKEv2 certificate (used for mutual RSA-SIG and EAP, all types):
- Common Name (CN): anything (if SAN field present); server FQDN (if no SAN field)
- Key Usage (KU): Digital Signature, Key Encipherment or Key Agreement
- Extended Key Usage (EKU): optional (2, 3); if present: TLS Server Authentication or IKE Intermediate
- Subject Alternative Name (SAN): optional (3); if present: server FQDN
(1) Required in AnyConnect versions ... to ... (CSCuc07598)
(2) Required in AnyConnect 3.0 (all versions), lifted in ...
(3) Not required: may be omitted or set to any value. Optional: may be omitted or set to the specified value.
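An added example (not Cisco's code) that turns the two columns above into a check a PKI or VPN administrator can run before enrolling certificates: it takes a small hand-constructed CertInfo record (a real deployment would fill it from the parsed X.509 extensions) and reports every deviation from the table, including the SAN-or-CN rule for the server FQDN. The EKU/KU identifiers are the usual OpenSSL-style names and are an assumption of the example.

```python
"""Check IKEv2 certificate fields against the AnyConnect/FlexVPN requirements
table (added example, not Cisco's code). Certificates are described by a
CertInfo record constructed by hand; KU/EKU names follow OpenSSL conventions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Non-standard EKU the table allows on the server certificate.
IKE_INTERMEDIATE = "ikeIntermediate"


@dataclass
class CertInfo:
    cn: str
    key_usage: Set[str] = field(default_factory=set)    # e.g. {"digitalSignature"}
    ext_key_usage: Optional[Set[str]] = None             # None = EKU extension absent
    san_dns: List[str] = field(default_factory=list)     # dNSName entries, [] = absent


def check_client_ikev2_cert(cert):
    """Mutual RSA-SIG client certificate: KU digitalSignature; EKU optional but,
    if present, must carry TLS client authentication; SAN not required."""
    problems = []
    if "digitalSignature" not in cert.key_usage:
        problems.append("KU lacks digitalSignature")
    if cert.ext_key_usage is not None and "clientAuth" not in cert.ext_key_usage:
        problems.append("EKU present but without TLS client authentication")
    return problems


def check_server_ikev2_cert(cert, server_fqdn):
    """FlexVPN server certificate: the FQDN clients connect to must be in the
    SAN, or in the CN when no SAN is present; KU digitalSignature plus
    keyEncipherment or keyAgreement; EKU optional but, if present, TLS server
    authentication or IKE intermediate."""
    problems = []
    if "digitalSignature" not in cert.key_usage:
        problems.append("KU lacks digitalSignature")
    if not ({"keyEncipherment", "keyAgreement"} & cert.key_usage):
        problems.append("KU lacks keyEncipherment/keyAgreement")
    if cert.ext_key_usage is not None and not ({"serverAuth", IKE_INTERMEDIATE} & cert.ext_key_usage):
        problems.append("EKU present but without TLS server authentication or IKE intermediate")
    if cert.san_dns:
        if server_fqdn.lower() not in (n.lower() for n in cert.san_dns):
            problems.append(f"SAN present but does not contain {server_fqdn}")
    elif cert.cn.lower() != server_fqdn.lower():
        problems.append(f"no SAN and CN is not {server_fqdn}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a server certificate that satisfies the table.
    server = CertInfo(cn="FlexVPN RA", key_usage={"digitalSignature", "keyEncipherment"},
                      ext_key_usage={"serverAuth"}, san_dns=["flexra.cisco.com"])
    print(check_server_ikev2_cert(server, "flexra.cisco.com"))  # []
    client = CertInfo(cn="joe", key_usage={"digitalSignature"})
    print(check_client_ikev2_cert(client))  # []
```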

64 Remote Access Clients Windows Native IKEv2 Client

65 Windows Native IKEv2 Client
Since Windows 7, IKEv2/IPsec is natively supported for RA connections
Supported authentication methods:
- Machine certificates (RSA signatures)
- EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
- EAP-TLS (certificate authentication, based on TLS handshake)
- EAP-PEAP (tunnels another EAP method within TLS)
- EAP-TTLS (Windows 8: tunnels EAP or non-EAP authentication within TLS)
- EAP-AKA / EAP-AKA' / EAP-SIM (Windows 8: SIM card & mobile network authentication)
Particularities:
- Requires EAP query-identity on the server (fails to respond to EAP otherwise)
- Requires AES-256 in the IPsec transform set (current IOS default is AES-128)
- RSA authentication will fail if more than 100 CAs are in the client's Local Machine Trusted Roots store
- KB975488: Windows 7 only sends the IP address as IKE identity (except when using certificates)
- KB814394: Certificate requirements for EAP-TLS and PEAP-EAP-TLS
- KB939616: Certificate keypair lost when copying from user store to machine store

66 Windows 7 VPN Connection Settings (1)
DNS-resolvable FQDN must be found in:
- CN/SAN of the FlexVPN server IKE certificate
- CN of the EAP server TLS certificate
Type of VPN: IKEv2
"Require encryption" & "Strongest encryption" require AES-256 in the IPsec transform set:
    crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
Authentication: EAP-MSCHAPv2 or RSA signatures

67 Windows Mutual RSA Signatures
Mutual IKE certificate-based authentication:
- Windows can only use local machine certificates
IKEv2 profile selection on server:
- Client IKE ID = certificate subject DN
- Server selects the profile based on a certificate map
- Matching is done on the certificate itself, not on the IKE ID
Explicit user/group authorization:
- Non-AAA authentication: no cached attributes
- Extract CN/OU field from DN using a name-mangler
- Retrieve user/group attributes from RADIUS
Flow: IKE certificate authentication, then explicit authorization over RADIUS
    crypto ikev2 profile default
     match certificate cisco
     identity local dn
     authentication remote rsa-sig
     authentication local rsa-sig
     pki trustpoint root
     aaa authorization group cert list frad name-mangler ou
     aaa authorization user cert list frad name-mangler cn
     virtual-template 1
RADIUS:
    # Group definition
    Eng Cleartext-Password := "cisco"
        Cisco-AVPair = "ipsec:dns-servers= "
    # User definition
    joe Cleartext-Password := "cisco"
        Framed-IP-Address = " ",
        Framed-IP-Netmask = " "

68 Windows EAP Considerations
IKEv2 mandates certificate-based server authentication
Profile selection based on client IKE ID:
- Windows 7 with fix for KB975488: IKE ID = user@domain; selection can be based on domain match
- Windows 7 w/o fix or 8 w/ regression: IKE ID = client IP address; only option: single IKE profile and virtual template for all groups; leverage AAA to provide service differentiation
EAP ID provided by the client during authentication:
- Requires query-identity (client cannot perform EAP otherwise)
- EAP server will query the AAA database for attributes; attributes can be reused for implicit user authorization
- Server sends the updated EAP ID in the final Access-Accept reply (usually the same value as the initial client-provided EAP ID)
- Final EAP ID can be reused for additional authorization if needed
    crypto ikev2 profile default
     identity local dn
     authentication local rsa-sig
     pki trustpoint root [sign]
     match identity remote domain cisco
     match identity remote address ...
     authentication remote eap query-identity
     aaa authentication eap frad
     aaa authorization user eap cached
     aaa authorization group eap list here name-mangler domain

69 Windows 7 EAP-MSCHAPv2
- EAP ID = user or user@domain
- Password authentication against the EAP server database
Flow: IKEv2 with EAP-MSCHAPv2, username/password authentication over RADIUS
    crypto ikev2 profile default
     match identity remote domain cisco
     match identity remote address ...
     identity local dn
     authentication remote eap query-identity
     authentication local rsa-sig
     pki trustpoint root sign
     aaa authentication eap frad
     aaa authorization user eap cached
     virtual-template 1
RADIUS:
    # User definition
    joe@cisco Cleartext-Password := "c1sc0!"
        Framed-IP-Address = " ",
        Framed-IP-Netmask = " ",
        Cisco-AVPair = "ipsec:dns-servers= "

70 Windows 7 EAP-TLS
- Client performs a TLS handshake with the EAP server
- Mutual authentication using TLS certificates
- Client authentication mandatory (unlike EAP-PEAP)
- EAP ID = TLS certificate UPN (or CN if none)
Flow: IKEv2 with EAP-TLS, certificate/TLS-based authentication over RADIUS
    crypto ikev2 profile default
     match identity remote domain cisco
     match identity remote address ...
     identity local dn
     authentication remote eap query-identity
     authentication local rsa-sig
     pki trustpoint root sign
     aaa authentication eap frad
     aaa authorization user eap cached
     virtual-template 1
RADIUS:
    # User definition
    joe@cisco Cleartext-Password := "c1sc0!"
        Framed-IP-Address = " ",
        Framed-IP-Netmask = " ",
        Cisco-AVPair = "ipsec:dns-servers= "

71 Windows 7 EAP-TLS Settings
- Get the certificate from the Current User certificate store
- Server name must be found in the CN of the EAP server TLS certificate
- Trusted root authorities for EAP server authentication

72 Windows 7 EAP-PEAP
- Client performs a TLS handshake with the EAP server
- Client authenticates the EAP server using its TLS certificate
- Provides protection for the inner EAP exchange
- Inner (tunneled) EAP method authenticates the user
- Outer EAP method returns user attributes to the server
Tunneled EAP-MSCHAPv2: EAP ID = user or user@domain
Tunneled EAP-TLS: EAP ID = TLS certificate UPN (or CN if none)
Flow: IKEv2 with EAP-PEAP (TLS) carrying EAP-MSCHAPv2 or EAP-TLS, certificate/TLS-based or username/password authentication over RADIUS
    crypto ikev2 profile default
     match identity remote domain cisco
     match identity remote address ...
     identity local dn
     authentication remote eap query-identity
     authentication local rsa-sig
     pki trustpoint root sign
     aaa authentication eap frad
     aaa authorization user eap cached
     virtual-template 1
RADIUS:
    # User definition
    joe@cisco Cleartext-Password := "c1sc0!"
        Framed-IP-Address = " ",
        Framed-IP-Netmask = " ",
        Cisco-AVPair = "ipsec:dns-servers= "

73 Windows 7 EAP-PEAP Settings
- Server name must be found in the CN of the EAP server TLS certificate
- Trusted root authorities for EAP server authentication
- Inner (tunneled) EAP method

74 Windows 7 Certificate Requirements
Win7 client IKEv2 certificate (used for mutual RSA-SIG):
- Certificate store: Local Computer
- Common Name (CN): anything
- Key Usage (KU): Digital Signature
- Extended Key Usage (EKU): not required (1)
- Subject Alternative Name (SAN): not required (1)
FlexVPN server IKEv2 certificate (used for mutual RSA-SIG and EAP, all types):
- Certificate store: N/A
- CN: anything (if SAN field present); server FQDN (if no SAN field)
- KU: Digital Signature
- EKU: TLS Server Authentication
- SAN: optional (1); if present: server FQDN
Win7 client TLS certificate (used for EAP-TLS, and optionally EAP-PEAP):
- Certificate store: Current User
- CN: anything (if UPN present); user@domain (if no UPN (2))
- KU: Digital Signature
- EKU: TLS Client Authentication
- SAN: optional (1); if present: UPN (2)
EAP server TLS certificate (used for EAP-TLS and EAP-PEAP):
- Certificate store: N/A
- CN: server name (as configured in the client EAP settings)
- KU: Digital Signature, Key Encipherment
- EKU: TLS Server Authentication
- SAN: server FQDN
(1) Not required: may be omitted or set to any value. Optional: may be omitted or set to the specified value.
(2) UPN (User Principal Name): Microsoft proprietary user@domain SAN extension (Microsoft-specific OID)

75 Windows 7 Certificate Import
- Client keypair & certificate can be issued by a CA and provisioned to the client PC
- Import keypair, identity certificate and issuer certificate from a PFX / PKCS#12 package
- Due to KB939616, the machine IKEv2 certificate must be imported explicitly into the machine store

76 Remote Access Clients FlexVPN Hardware Client

77 FlexVPN Hardware Client Overview
IKEv2 initiation on IOS can be driven by the FlexVPN Client Profile CLI construct
Supported authentication methods:
- Certificates (RSA signatures)
- EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
- EAP-GTC (cleartext password authentication, used for one-time passwords/tokens)
- EAP-MD5 (hash-based authentication)
- Pre-shared keys
Routing on FlexVPN server and client:
- IKEv2 routing (bidirectional configuration exchange)
- Dynamic routing protocol (optional, bootstrapped through IKEv2 routing)
- IPv4/IPv6 mixed-mode & dual-stack supported using GRE/IPsec interfaces
More than a remote access client: also useful in hub-and-spoke designs where advanced initiator logic is required (dial backup, object tracking, ...)

78 FlexVPN Hardware Client Example
Sample configuration:
- Static tunnel interface driven by the FlexVPN Client Profile
- Local AAA authorization (default IKEv2 authorization policy)
- Certificate-based mutual authentication (no EAP)
- Single peer (name resolution of FQDN on connection)
Tunnel interface configuration:
- IP address assigned through IKEv2 Configuration Exchange
- Tunnel destination set dynamically by the FlexVPN Client logic
- IKEv2/IPsec initiation triggered by the FlexVPN Client logic
Default IKEv2 routing between client & server:
- Client advertises a route for the Tunnel0 assigned IP address
- Client installs prefixes advertised by the server (egress Tun0)
    client#show crypto ikev2 authorization policy default
    IKEv2 Authorization Policy : default
      route set interface
      route accept any tag : 1 distance : 1

    aaa new-model
    aaa authorization network here local
    !
    crypto pki trustpoint root
     rsakeypair root
    !
    crypto pki certificate map cisco 1
     subject-name co o = cisco
    !
    crypto ikev2 profile default
     match certificate cisco
     identity local dn
     authentication remote rsa-sig
     authentication local rsa-sig
     pki trustpoint root
     aaa authorization group cert list here default
    !
    crypto ikev2 client flexvpn flexra
     peer 1 fqdn flexra.cisco.com dynamic
     client connect Tunnel0
    !
    interface Tunnel0
     ip address negotiated
     tunnel source Ethernet0/0
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile default

79 FlexVPN Hardware Client Key Features
Peer list with object tracking:
- Ordered list of FlexVPN servers (by address or FQDN)
- Enable/disable entries based on tracking object state
- Additional peers can be pushed by the server during Config Exchange
    crypto ikev2 client flexvpn flexra
     peer 1 <address>
     peer 2 <address> track 10 up
     peer 3 <address> track 20 down
    !
    track 10 interface <name> line-protocol
    track 20 ip route <prefix> reachability
Connection modes:
- Automatic (infinite loop, 10 seconds between tries)
- When the tracking object goes up/down (enables dial backup)
- Manual (CLI-triggered)
    connect auto
    connect track 10 up
    connect manual
EAP local authentication (IKEv2 initiator only):
- Username prompt only if the server does query-identity
- Alternative: static credentials in the IKEv2 profile
    crypto ikev2 profile default
     authentication local eap

    client#crypto ikev2 client flexvpn connect
    Enter the command 'crypto eap credentials flexra'
    client#crypto eap credentials flexra
    Enter the Username for profile flexra: joe@cisco
    Enter the password for username joe@cisco:

80 Configuration Review

81 Review: Mutual RSA Signatures
Certificate selection depends on the client:
- AnyConnect picks the best available ID certificate
  - Based on selection rules in the XML profile (if any)
  - Certificate with EKU preferred over non-EKU
- Windows uses the local machine certificate
- FlexVPN Client uses the trustpoint in the initiator IKEv2 profile
IKEv2 profile selection on server:
- Client IKE ID = certificate subject DN
- Server selects the profile based on a certificate map
- Matching is done on the certificate itself, not on the IKE ID
Explicit user/group authorization:
- Non-AAA authentication: no cached attributes
- Extract CN/OU fields from DN using a name-mangler
- Retrieve user/group attributes from RADIUS
- Assign IP address based on pool or Framed-IP
    crypto ikev2 profile default
     match certificate cisco
     identity local dn
     authentication remote rsa-sig
     authentication local rsa-sig
     pki trustpoint root
     aaa authorization group cert list frad name-mangler ou
     aaa authorization user cert list frad name-mangler cn
     virtual-template 1
RADIUS:
    # Group definition
    Eng Cleartext-Password := "cisco"
        Cisco-AVPair = "ipsec:dns-servers= "
    # User definition
    joe Cleartext-Password := "cisco"
        Framed-IP-Address = " ",
        Framed-IP-Netmask = " "

82 Review: EAP Authentication (1)
IKE identity depends on the client type:
- AnyConnect: KEY-ID string in the XML profile
- Windows 7 with fix for bug KB975488: user@domain
- Windows 7 w/o fix, 7 or 8 with regression: client IP address; only option: single IKE profile and VT for all groups; leverage AAA to provide service differentiation
- FlexVPN Client: configurable (in the initiator IKEv2 profile)
    crypto ikev2 profile default
     identity local ...
Server profile (one match statement per client type: AnyConnect, Windows, Windows with the bug):
    crypto ikev2 profile default
     match identity remote key-id acvpn
     match identity remote domain cisco
     match identity remote address ...
     identity local dn
     authentication remote eap query-identity
     authentication local rsa-sig
     pki trustpoint root sign
     aaa authentication eap frad
     aaa authorization user eap cached
     virtual-template 1
RADIUS:
    # User definition
    joe@cisco Cleartext-Password := "c1sc0!"
        Framed-IP-Address = " ",
        Framed-IP-Netmask = " ",
        Cisco-AVPair = "ipsec:dns-servers= "

83 Review: EAP Authentication (2)
EAP identity depends on the client type & EAP method:
- AnyConnect: entered by the user
- Windows 7 + non-TLS EAP: user[@domain] entered by the user
- Windows 7 + TLS-based EAP: TLS certificate UPN (CN if none)
- FlexVPN Client: user[@domain] entered by the user or configured in the initiator IKEv2 profile
    crypto ikev2 profile default
     authentication local eap mschapv2 username joe@cisco password 0 c1sc0!
Server profile:
    crypto ikev2 profile default
     match identity remote key-id acvpn
     match identity remote domain cisco
     match identity remote address ...
     identity local dn
     authentication remote eap query-identity
     authentication local rsa-sig
     pki trustpoint root sign
     aaa authentication eap frad
     aaa authorization user eap cached
     virtual-template 1
RADIUS:
    # User definition
    joe@cisco Cleartext-Password := "c1sc0!"
        Framed-IP-Address = " ",
        Framed-IP-Netmask = " ",
        Cisco-AVPair = "ipsec:dns-servers= "
The EAP server returns user attributes for the EAP ID; they can be cached and reused for authorization.

84 FlexVPN Routing

85 FlexVPN Routing Overview
IKEv2 routing (configuration exchange):
- IPv4 & IPv6 subnets exchanged within IKEv2 configuration payloads
- Static routes added to the RIB on both sides
- Remote access: currently only supported with the FlexVPN hardware client
IPsec reverse route injection (RRI):
- Static routes added to the RIB for protected remote networks (remote proxies)
- No configuration required (automatic for Virtual-Access with non-any-any proxies)
- Remote access: supported with software clients (AnyConnect, Windows 7+, ...)
Dynamic routing protocol:
- Pros: more powerful/flexible/adaptive
- Cons: more complex/resource-intensive
- Remote access: only supported with the FlexVPN hardware client
NHRP routes:
- Not applicable to remote access (dynamic mesh scenarios only)

86 FlexVPN Routing Events & Sources
Event: Authorization (source: IKEv2, result: IKEv2 static routes)
- Prefixes listed in the "route set" local authorization attribute(s)
    route set local {ipv4 | ipv6} prefix
    route set interface [ifc-name]
    route set access-list ...
  (local configuration: what this side advertises)
    route set remote {ipv4 | ipv6} prefix
  (remote configuration: prefixes pushed to the peer)
Event: Configuration Exchange (source: IKEv2, result: IKEv2 static routes)
- Prefixes received during Configuration Exchange within IPv4/IPv6 SUBNET attributes (handling controlled by the local "route accept" attribute)
    route accept any [distance ...] [tag ...]
Event: SA up / down (source: IPsec, result: reverse route injection)
- Prefixes corresponding to negotiated IPsec SA remote proxies (not applicable to any-any VTI or GRE/IPsec)
Event: Routing update (source: routing protocol, result: regular dynamic routes)
- Prefixes advertised by the peer over a dynamic routing protocol neighborship
Event: Shortcut creation (source: NHRP, result: NHRP static routes)
- Spoke-to-spoke tunnels established
All sources feed the routing table (RIB/FIB).

87 Scenarios & Use Cases Full & Split Tunneling

88 Scenario: Windows Full Tunneling
Topology: client LAN .../24, assigned VPN IP .../32; FlexVPN server with Lo1 ... and internal network .../16 (addresses not preserved in the transcript)
Client IPv4 route table:
    Destination   Gateway   Interface
    .../0         ...       Local Area Connection
    .../0         On-link   FlexVPN Connection
    .../32        ...       Local Area Connection
    .../24        On-link   Local Area Connection
- Local LAN still reachable
- Default route changed to point through the VPN tunnel
- Server reachable in the clear via ISP
Server routing table (assigned IP address reachable over the client virtual access interface, automatic RRI):
    S .../32 is directly connected, Virtual-Access1
    interface Loopback1
     ip address ...
    !
    interface Virtual-Template1 type tunnel
     ip unnumbered Loopback1
If the default gateway option is un-checked: the default route is replaced with a single classful route based on the assigned VPN IP address (e.g. .../8) = rudimentary split tunneling

89 Scenario: AnyConnect Full Tunneling
Topology: client LAN .../24, assigned VPN IP .../32; FlexVPN server with Lo1 ... and internal network .../16 (addresses not preserved in the transcript)
Client IPv4 route table:
    Destination   Gateway   Interface
    .../0         ...       Local Area Connection
    .../0         On-link   FlexVPN Connection
    .../32        ...       Local Area Connection
    .../24        On-link   Local Area Connection
- Default route changed to point through the VPN tunnel
- Local LAN removed from the routing table
- Server in the clear via ISP
Server routing table:
    S .../32 is directly connected, Virtual-Access1
    interface Loopback1
     ip address ...
    !
    interface Virtual-Template1 type tunnel
     ip unnumbered Loopback1
To enable full tunneling with local LAN access:
- The IOS include-local-lan attribute is not supported by AnyConnect
- Use the RADIUS-only Cisco-AV-Pair ipsec:split-exclude with the special value .../32:
    Cisco-AVPair += "ipsec:split-exclude= / "
  (supported in 15.2(4)M6, 15.2(4)S5 and 15.4(2)T/S onwards)
- In addition, Local LAN Access must be enabled in the AnyConnect XML profile

90 Scenario: AnyConnect Split Tunneling
Topology: client LAN .../24, assigned VPN IP .../32; FlexVPN server with Lo1 ... and internal network .../16 (addresses not preserved in the transcript)
Client IPv4 route table:
    Destination   Gateway   Interface
    .../0         ...       Local Area Connection
    .../16        On-link   FlexVPN Connection
    .../24        On-link   Local Area Connection
- Local LAN still reachable
- Specific route(s) pointing through the VPN tunnel
- Original default gateway used for internet traffic + server reachability
Server:
    interface Loopback1
     ip address ...
    !
    interface Virtual-Template1 type tunnel
     ip unnumbered Loopback1
    S .../32 is directly connected, Virtual-Access1
Authorization: one or more subnets to include in the split tunnel
    route set remote ipv4 ...
Split tunnel policy pushed by the server within the IKEv2 Config Exchange

91 Scenarios & Use Cases Network Extension

92 Scenario: HW Client Single Address PAT
Topology: FlexVPN client (LAN .../24 on Eth0/1, Eth0/0 towards the WAN, assigned IP .../32) and FlexVPN server (Lo1 ..., internal network .../16); addresses not preserved in the transcript
Client authorization:
    route set interface
Server authorization (summary prefix reachable through the tunnel):
    route set interface
    route set remote ipv4 ...
Client routing table:
    S .../16 is directly connected, Tunnel0
    S .../32 is directly connected, Tunnel0
    C .../32 is directly connected, Tunnel0
    C .../24 is directly connected, Ethernet0/1
Server routing table (assigned IP address reachable over the client VA):
    S .../32 is directly connected, Virtual-Access1
Traffic from the LAN to remote VPN networks: PAT to the Tunnel0 assigned IP address
    interface Tunnel0
     ip address negotiated
     ip nat outside
    !
    ip nat inside source route-map vpn interface Tunnel0 overload
    !
    route-map vpn permit 10
     match interface Tunnel0
Server:
    interface Loopback1
     ip address ...
    !
    interface Virtual-Template1 type tunnel
     ip unnumbered Loopback1
Works, but not recommended: clumsy / impractical

93 Scenario: HW Client Network Extension
Topology: FlexVPN client (LAN .../24 on Eth0/1, Eth0/0 towards the WAN, assigned IP .../32) and FlexVPN server (Lo1 ..., internal network .../16); addresses not preserved in the transcript
Client authorization:
    route set interface
    route set remote ipv4 ...
Server authorization (summary prefix reachable through the tunnel):
    route set interface
    route set remote ipv4 ...
Client routing table:
    S .../16 is directly connected, Tunnel0
    S .../32 is directly connected, Tunnel0
    C .../32 is directly connected, Tunnel0
    C .../24 is directly connected, Ethernet0/1
Local/remote addresses & prefixes exchanged using IKEv2 routing
Server routing table (assigned IP address reachable over the client VA; client LAN directly reachable over the tunnel, prefix can be redistributed into the IGP):
    C .../32 is directly connected, Loopback1
    S .../32 is directly connected, Virtual-Access1
    S .../24 is directly connected, Virtual-Access1
Client:
    interface Tunnel0
     ip address negotiated
    !
    interface Ethernet0/1
     ip address ...
Server:
    interface Loopback1
     ip address ...
    !
    interface Virtual-Template1 type tunnel
     ip unnumbered Loopback1
Recommended design, equivalent to NEM+ in Easy VPN

94 Scenario: HW Client Dynamic Routing
Topology: FlexVPN client (LAN .../24 on Eth0/1, Eth0/0 towards the WAN, assigned IP .../32) and FlexVPN server (Lo1 ..., internal network .../16); addresses and AS numbers not preserved in the transcript
Client authorization:
    route set interface
Server authorization (summary prefix reachable through the tunnel):
    route set interface
Client routing table:
    B .../16 [200/0] via ... (Tunnel0)
    S .../32 is directly connected, Tunnel0
    C .../32 is directly connected, Tunnel0
    C .../24 is directly connected, Ethernet0/1
Addresses for BGP unicast peering exchanged using IKEv2; local/remote prefixes exchanged using iBGP
Client:
    router bgp ...
     neighbor ... remote-as ...
     neighbor ... update-source Tunnel0
     address-family ipv4
      network ... mask ...
      neighbor ... activate
     exit-address-family
Server routing table (assigned IP address reachable over the client VA; client LAN directly reachable over the tunnel, prefix can be redistributed into the IGP):
    S .../32 is directly connected, Virtual-Access1
    B .../24 [200/0] via ... (Virtual-Access1)
Server, with BGP dynamic neighbors for easy configuration:
    router bgp ...
     bgp listen range .../24 peer-group clients
     neighbor clients peer-group
     neighbor clients remote-as ...
     neighbor clients update-source Loopback1
     address-family ipv4
      network ... mask ...
      neighbor clients activate
     exit-address-family
Dynamic, flexible & powerful, but closer to site-to-site than RA

95 Scenarios & Use Cases Virtualization (VRF)

96 Virtual Routing & Forwarding
- The router maintains separate L3 forwarding information for each VRF instance (RIB, FIB, routing protocols)
- Two variants: VRF with MPLS VPN, and VRF-Lite (local significance only)
- Each interface on the router belongs to a single VRF
  - For ip unnumbered, the reference interface must belong to the same VRF
  - If no VRF is specified, the interface belongs to the global VRF
VRF definition and assignment:
Old CLI: single-protocol VRF (IPv4-only)
    ip vrf red
     rd 1:1
    interface Ethernet0/0
     ip vrf forwarding red
     ...
New CLI: multi-protocol VRF (IPv4/IPv6)
    vrf definition red
     rd 1:1
     address-family ipv4
     exit-address-family
     address-family ipv6
     exit-address-family
    interface Ethernet0/0
     vrf forwarding red
     ...

97 Tunnels, iVRF & fVRF
Diagram: one physical device with Blue, Red, Global, Green and Orange RIB/FIBs; Tun1 and Tun2 each have an inside VRF (iVRF, where the tunnel interface address resides) and a front-door VRF (fVRF, where the encapsulated packets are routed)
Inside VRF (iVRF) only; front-door VRF = global VRF (default):
    interface Eth0/0
     ip address .../24
     vrf forwarding blue
    !
    interface Eth0/1
     ip address .../24
     vrf forwarding blue
    !
    interface Eth1/1
     ip address .../24
     vrf forwarding red
    !
    interface Eth1/2
     ip address .../24
    !
    interface Tunnel1
     ip address .../30
     vrf forwarding red
     tunnel source Eth1/2
Explicit fVRF:
    interface Eth2/1
     ip address .../24
     vrf forwarding green
    !
    interface Eth2/2
     ip address .../24
     vrf forwarding orange
    !
    interface Tunnel2
     ip address .../30
     vrf forwarding green
     tunnel vrf orange
     tunnel source Eth2/2

98 VRF Use Case
Requirements:
- Traffic segregation between two departments
- Single VPN endpoint in the global VRF
- AnyConnect software client
- EAP user authentication
Proposed solution:
- Single IKEv2 profile & virtual template
- Local group authorization
- Interface configuration strings
- EAP solely for authentication (no caching of RADIUS attributes)
Diagram: Joe (Engineering) terminates on Joe's V-Access in the Engineering VRF (Eth0/1); Tom (Finance) terminates on Tom's V-Access in the Finance VRF (Eth0/2); Eth0/0 towards the WAN sits in the global VRF

99 VRF Use Case Configuration
Per-department configuration (applied to the V-Access during V-Template cloning):
    aaa attribute list Eng
     attribute type interface-config "vrf forwarding Eng"
     attribute type interface-config "ip unnumbered Loopback1"
    !
    aaa attribute list Fin
     attribute type interface-config "vrf forwarding Fin"
     attribute type interface-config "ip unnumbered Loopback101"
    !
    crypto ikev2 authorization policy Eng
     pool Eng
     dns ...
     aaa attribute list Eng
    !
    crypto ikev2 authorization policy Fin
     pool Fin
     dns ...
     aaa attribute list Fin
    !
    interface Loopback1
     vrf forwarding Eng
     ip address ...
    !
    interface Loopback101
     vrf forwarding Fin
     ip address ...
    !
    ip local pool Eng ...
    ip local pool Fin ...
RADIUS user database (no attributes required on the AAA server):
    ... Cleartext-Password := "joe123"
    ... Cleartext-Password := "tom456"
Global configuration:
    aaa authentication login frad group frad
    aaa authorization network here local
    !
    crypto ikev2 name-mangler dept
     eap suffix
    !
    crypto ikev2 profile default
     match identity remote key-id ...
     identity local dn
     authentication remote eap query-identity
     authentication local rsa-sig
     pki trustpoint root
     aaa authentication eap frad
     aaa authorization group eap list here name-mangler dept
     virtual-template 1
    !
    no crypto ikev2 http-url cert
    !
    interface Virtual-Template1 type tunnel
     no ip address
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile default
- EAP authenticates username & domain
- Single IKEv2 profile, single AnyConnect profile
- Authorization based on the suffix

100 Scenarios & Use Cases Quality of Service

101 The Need for QoS on VPN
QoS is crucial on VPN links for:
- Sharing network bandwidth
- Marshaling bandwidth usage of applications
- Meeting application latency & speed requirements
The classical greedy spoke problem (diagram: hub, greedy spoke 1, client 2, spoke 3):
- At the hub: crypto engine or WAN link; packets are lost, AND other spokes/clients are starved
- At CE 1: interface with a limited downstream rate; packets are lost (most common problem)

102 Server-Side Hierarchical Shaper
Tunnel bandwidth parent policy:
- Each VPN tunnel is given a maximum bandwidth
- A shaper provides the backpressure mechanism (parent shaper limits total bandwidth)
Protected packets are processed by the child policy:
- There would be several policies: bandwidth reservation, low-latency queuing, fair queuing, etc.
- Different policies for different traffic classes (branch vs. RA client)
    class-map control
     match ip precedence 6
    class-map voice
     match ip precedence 5
    ...
    !
    policy-map child-common
     class control
      bandwidth 20
     class voice
      priority percent 60
    ...
    !
    policy-map parent-branch
     class class-default
      shape average ...
      service-policy child-common
    !
    policy-map parent-client
     class class-default
      shape average ...
      service-policy child-common

103 QoS Use Case
Requirements:
- Traffic segregation between departments
- Single VPN endpoint in the global VRF
- AnyConnect software client
- EAP user authentication
- Per-user QoS policy
Proposed solution:
- Single IKEv2 profile & virtual template
- Interface configuration strings
- Explicit RADIUS group authorization
- Implicit RADIUS user authorization (user attributes cached during EAP)
Diagram: Joe (Engineering) terminates on Joe's V-Access in the Engineering VRF (Eth0/1) with high B/W (10 Mbps); Tom (Finance) terminates on Tom's V-Access in the Finance VRF (Eth0/2) with low B/W (5 Mbps); Eth0/0 towards the WAN sits in the global VRF

104 QoS Use Case Configuration
Per-department configuration:
    interface Loopback1
     vrf forwarding Eng
     ip address ...
    !
    interface Loopback101
     vrf forwarding Fin
     ip address ...
    !
    ip local pool Eng ...
    ip local pool Fin ...
RADIUS user database (per-user QoS policy; all attributes centralized on the AAA server):
    ... Cleartext-Password := "joe123"
        Cisco-AVPair = "ip:interface-config=service-policy output high"
    tom@fin Cleartext-Password := "tom456"
        Cisco-AVPair = "ip:interface-config=service-policy output low"
    Eng Cleartext-Password := "cisco"
        Cisco-AVPair = "ipsec:addr-pool=eng",
        Cisco-AVPair += "ipsec:dns-servers= ",
        Cisco-AVPair += "ip:interface-config=vrf forwarding Eng",
        Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"
    Fin Cleartext-Password := "cisco"
        Cisco-AVPair = "ipsec:addr-pool=fin",
        Cisco-AVPair += "ipsec:dns-servers= ",
        Cisco-AVPair += [...]
Global configuration:
    aaa authentication login frad group frad
    aaa authorization network frad group frad
    !
    crypto ikev2 name-mangler dept
     eap suffix
    !
    crypto ikev2 profile default
     match identity remote key-id vpn@cisco
     identity local dn
     authentication remote eap query-identity
     authentication local rsa-sig
     pki trustpoint root
     aaa authentication eap frad
     aaa authorization group eap list frad name-mangler dept
     aaa authorization user eap cached
     virtual-template 1
    !
    no crypto ikev2 http-url cert
    !
    interface Virtual-Template1 type tunnel
     no ip address
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile default
    !
    policy-map high
    ...
- Group authorization based on the domain (name-mangler suffix)
- Per-user attributes applied from EAP (cached) authorization
- QoS policies defined locally on the FlexVPN server
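Because the Cisco-AVPair reply attributes on slides 99 and 104 are applied as interface commands on the cloned Virtual-Access, the AAA user file is effectively part of the VPN server configuration. The following added example (not Cisco's code) parses FreeRADIUS-style users entries of that shape, separates the ipsec: and ip:interface-config= namespaces, and lints the interface commands against the small set this design expects; the usernames, addresses and allowlist are constructed for the example.

```python
"""Parse FreeRADIUS-style users entries carrying Cisco-AVPair reply attributes
and lint the interface-config strings they would push onto a Virtual-Access
interface. Added example, not Cisco's code; the sample entries, addresses
(RFC 5737 range) and the allowlist are constructed for this example.
"""
import re

# Constructed sample in the layout of the slides' RADIUS user database.
USERS_FILE = '''\
joe@eng Cleartext-Password := "joe123"
        Cisco-AVPair = "ip:interface-config=service-policy output high"
tom@fin Cleartext-Password := "tom456"
        Cisco-AVPair = "ip:interface-config=service-policy output low"
Eng     Cleartext-Password := "cisco"
        Cisco-AVPair = "ipsec:addr-pool=eng",
        Cisco-AVPair += "ipsec:dns-servers=192.0.2.53",
        Cisco-AVPair += "ip:interface-config=vrf forwarding Eng",
        Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"
'''

# An entry starts at column 0 with the name; attributes are indented lines.
ENTRY_RE = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"')
AVPAIR_RE = re.compile(r'Cisco-AVPair\s*\+?=\s*"([^"]*)"')

# Interface commands this deployment expects AAA to push (vrf assignment,
# unnumbered reference loopback, egress service policy). Anything else that
# would land on a Virtual-Access interface is flagged for review.
ALLOWED_IFCONFIG = (
    re.compile(r"^vrf forwarding \S+$"),
    re.compile(r"^ip unnumbered Loopback\d+$"),
    re.compile(r"^service-policy output \S+$"),
)


def parse_users(text):
    """Return {name: {"password": ..., "avpairs": [...]}} keeping attribute order."""
    users, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            users[current] = {"password": m.group(2), "avpairs": []}
            continue
        m = AVPAIR_RE.search(line)
        if m and current:
            users[current]["avpairs"].append(m.group(1))
    return users


def split_avpairs(avpairs):
    """Group attributes: ipsec:key=value into a dict, ip:interface-config=cmd into a list."""
    ipsec, ifconfig = {}, []
    for pair in avpairs:
        if pair.startswith("ipsec:"):
            key, _, value = pair[len("ipsec:"):].partition("=")
            ipsec[key] = value
        elif pair.startswith("ip:interface-config="):
            ifconfig.append(pair[len("ip:interface-config="):])
    return ipsec, ifconfig


def lint_users(text):
    """Return 'user: problem' strings for reply attributes an operator should review."""
    findings = []
    for name, entry in parse_users(text).items():
        ipsec, ifconfig = split_avpairs(entry["avpairs"])
        for cmd in ifconfig:
            if not any(r.match(cmd) for r in ALLOWED_IFCONFIG):
                findings.append(f"{name}: unexpected interface-config '{cmd}'")
        if "addr-pool" in ipsec and not ipsec["addr-pool"]:
            findings.append(f"{name}: empty addr-pool")
    return findings


if __name__ == "__main__":
    for name, entry in parse_users(USERS_FILE).items():
        print(name, split_avpairs(entry["avpairs"]))
    print(lint_users(USERS_FILE))  # [] for the sample above
```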

105 FlexVPN SSL Preview (TENTATIVE: still in development)

106 FlexVPN SSL Overview (TENTATIVE)

Roadmap:
  IOS-XE 3.12S / 15.4(2)S: CSR1000v support
  IOS-XE 3.13S / 15.4(3)S: ASR1000 support

Client-based only (AnyConnect, all platforms); no support for clientless access (aka WebVPN).

Integrated into the FlexVPN framework:
  AAA integration
  Virtual tunnel interfaces
  Smart defaults
  CLI consistency

Initial baseline release; features to be added progressively: virtual hosting, HostScan / posture, two-factor authentication, DTLS, mixed-mode / dual-stack, ...

107 FlexVPN SSL CLI (TENTATIVE)

  ! Cryptographic algorithms and key exchange method
  crypto ssl proposal my-proposal
   protection dhe-rsa-aes256-sha rsa-aes256-sha1
  !
  crypto ssl policy my-policy
   ! Local endpoint matching criteria
   match address local fvrf wan any port 443
   ! SSL server certificate
   pki trustpoint my-root sign
   ! Apply the SSL proposal
   ssl proposal my-proposal
   no shutdown
  !
  crypto ssl profile my-profile
   ! Match on SSL policy
   match policy my-policy
   ! Match on URL (FQDN, hostname, path, ...)
   match url fqdn eng-sslvpn.example.com
   ! Authentication (certificate, username/password)
   authentication remote user-pass
   aaa authentication user-pass list my-radius
   ! Authorization (cached, user, group); accounting follows the same pattern
   aaa authorization user user-pass cached
   aaa authorization group user-pass list my-radius eng-group
   ! Virtual interface template
   virtual-template 1
   no shutdown

Note on the proposal: the two suites listed differ in key exchange. dhe-rsa-aes256-sha uses ephemeral Diffie-Hellman and gives forward secrecy; rsa-aes256-sha1 uses static RSA key transport, so a later compromise of the server key exposes recorded sessions. Listing only the DHE suite is the safer choice where all clients support it.

108 Wrapping up...

109 Call to Action...

  Visit the Cisco Campus at the World of Solutions
  BRKSEC-3036 Advanced IPsec designs with FlexVPN by Frédéric Detienne, Friday 11:30am, North Wing Level -1, Green Hall 3
  Meet the Engineer: Alex Honoré, Frédéric Detienne, Olivier Pélerin (TAC EMEA), Raffaele Brancaleoni (Advanced Services EMEA), Wen Zhang (TAC US), Tom Alexander (TAC GCE)
  Discuss your project's challenges at the Technical Solutions Clinics
  Attend one of the Lunch Time Table Topics, held in the main Catering Hall
  Recommended Reading: for reading material and further resources for this session, please visit
  CL365: visit us online after the event for updated PDFs and on-demand session videos

110 Complete Your Online Session Evaluation

Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt.


More information

CCNP Security VPN

CCNP Security VPN CCNP Security VPN 642-647 Official Cert Guide Howard Hooper, CCIE No. 23470 Cisco Press 800 East 96th Street Indianapolis, IN 46240 Contents Introduction xxiv Part I ASA Architecture and Technologies Overview

More information

Network Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Network Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014 Network Security: IPsec Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2014 2 IPsec: Architecture and protocols Internet protocol security (IPsec) Network-layer security protocol Protects

More information

IPsec Dead Peer Detection Periodic Message Option

IPsec Dead Peer Detection Periodic Message Option IPsec Dead Peer Detection Periodic Message The IPsec Dead Peer Detection Periodic Message feature is used to configure the router to query the liveliness of its Internet Key Exchange (IKE) peer at regular

More information

Managing Site-to-Site VPNs

Managing Site-to-Site VPNs CHAPTER 21 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

More information

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo Secure channel, VPN and IPsec stole some slides from Merike Kaeo 1 HTTP and Secure Channel HTTP HTTP TLS TCP TCP IP IP 2 SSL and TLS SSL/TLS SSL v3.0 specified

More information