Category Archives: IPSEC

Easy VPN (EZVPN) with Dynamic Virtual Tunnel Interface (DVTI)

R14 –CLOUD– R15

R14#sh ip int brief | ex ass
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 1.1.1.10 YES manual up up
FastEthernet0/1 172.16.32.1 YES manual up up
Virtual-Access2 172.16.0.4 YES TFTP up up
Virtual-Template11 172.16.0.4 YES TFTP down down
Loopback0 172.16.0.4 YES manual up up

========= CONFIGURATION

R14#sh run
Building configuration…

Current configuration : 2505 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R14
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login AUTHEN local
aaa authorization network AUTHOR local
!
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
username site secret 5 $1$fsT/$wFlStpOW8qr1EKH2v3q9j/
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5

!
crypto isakmp client configuration group EZVPN_GROUP
key cisco
dns 172.16.32.40
domain LABMINUTES.COM
acl EZVPN_ST_ACL
save-password
pfs
crypto isakmp profile EZVPN_ISAKMP_PROFILE
self-identity address
match identity group EZVPN_GROUP
client authentication list AUTHEN
isakmp authorization list AUTHOR
client configuration address respond
keepalive 10 retry 3
virtual-template 11
!
!
crypto ipsec transform-set ESP_AES256_SHA esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile EZVPN_IPSEC_PROFILE
set security-association lifetime kilobytes 1024000
set security-association lifetime seconds 28800
set transform-set ESP_AES256_SHA
set pfs group2
set isakmp-profile EZVPN_ISAKMP_PROFILE
!
!
!
!
!
interface Loopback0
ip address 172.16.0.4 255.255.255.255
!
interface FastEthernet0/0
ip address 1.1.1.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.32.1 255.255.255.0
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Virtual-Template10
no ip address
!
interface Virtual-Template11 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile EZVPN_IPSEC_PROFILE
!
ip route 2.2.2.0 255.255.255.0 1.1.1.1
!
!
no ip http server
no ip http secure-server
!
ip access-list extended EZVPN_ST_ACL
permit ip 172.16.32.0 0.0.0.255 any
!
no cdp log mismatch duplex
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
!
!
end

========= ROUTE

R14#sh ip route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
S 2.2.2.0 [1/0] via 1.1.1.1
[1/0] via 0.0.0.0, Virtual-Access2
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S 172.16.128.0/24 [1/0] via 0.0.0.0, Virtual-Access2
C 172.16.32.0/24 is directly connected, FastEthernet0/1
C 172.16.0.4/32 is directly connected, Loopback0

Note: a route is automatically installed on each router pointing to the Virtual-Access interface that was dynamically created from the virtual template.

===================================================
R15#sh ip int brief | ex ass
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.128.1 YES manual up up
FastEthernet0/1 2.2.2.10 YES manual up up
Virtual-Access2 2.2.2.10 YES TFTP up up
Virtual-Template10 172.16.0.2 YES TFTP down down
Loopback0 172.16.0.2 YES manual up up

R15#sh run
Building configuration…

Current configuration : 1981 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R15
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5

!
!
!
!
!
crypto ipsec client ezvpn EZVPN
connect auto
group EZVPN_GROUP key cisco
mode network-extension
peer 1.1.1.10 default
idletime 3600
virtual-interface 10
username site password cisco
xauth userid mode local
!
!
!
!
!
interface Loopback0
ip address 172.16.0.2 255.255.255.255
!
interface FastEthernet0/0
ip address 172.16.128.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN inside
!
interface FastEthernet0/1
ip address 2.2.2.10 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN
crypto ipsec client ezvpn EZVPN inside
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Virtual-Template10 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
!
ip route 1.1.1.0 255.255.255.0 2.2.2.1
!
!
no ip http server
no ip http secure-server
ip dns view
domain name-server 172.16.32.40
ip dns view-list ezvpn-internal-viewlist
view 10
restrict name-group 1
view 20
ip dns name-list 1 permit P^B
ip dns server view-group ezvpn-internal-viewlist
!
no cdp log mismatch duplex
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets
S 1.1.1.0 [1/0] via 2.2.2.1
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, FastEthernet0/1
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.128.0/24 is directly connected, FastEthernet0/0
S 172.16.32.0/24 [1/0] via 0.0.0.0, Virtual-Access2
C 172.16.0.2/32 is directly connected, Loopback0
R15#

======================== TEST PING (LAN TO LAN)
R14#ping 172.16.128.1 source 172.16.32.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.128.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.32.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/56 ms

R15#ping 172.16.32.1 source 172.16.128.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.32.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.128.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/79/188 ms
R15#

Dynamic VTI IPSEC

IPSec virtual tunnel interfaces (VTI) provide a routable interface type for terminating IPSec tunnels and
an easy way to define protection between sites to form an overlay network. IPSec virtual tunnel interfaces
simplify configuration of IPSec for protection of remote links, support multicast, and simplify
network management and load balancing.

Information About IPSec Virtual Tunnel Interfaces:
The IPSec virtual tunnel interface greatly simplifies the configuration process when you need to provide
protection for remote access and provides a simpler alternative to using GRE or L2TP tunnels for
encapsulation and crypto maps with IPSec. A major benefit associated with IPSec virtual tunnel
interfaces is the reduction in overhead because the configuration does not require a static mapping of
IPSec sessions to a physical interface: The IPSec VTI allows for the flexibility of sending and receiving
both IP unicast and multicast encrypted traffic on any physical interface, such as in the case of multiple
paths (multicast routing).

Routing with IPSec Virtual Tunnel Interfaces:
You can enable routing protocols on the tunnel interface so that routing information can be propagated
over the virtual tunnel. The router can establish neighbor relationships over the virtual tunnel interface.
Multicast packets can be encrypted, and interoperability with standard-based IPSec installations is
possible through the use of IP ANY ANY proxy. The static IPSec interface will negotiate and accept
permit IP ANY ANY proxies.
– Cisco Docs

Verification Commands:
show interface tunnel 0
Tunnel protocol/transport IPSEC/IP
show crypto session
show crypto isakmp policy
show crypto isakmp profile
show crypto engine connection active
show run | s crypto
show ip route

IP Addressing / Block:
192.168.0.0/32 – lo
10.0.123.1 – Tunnel Interface
123.0.0.0/24 – WAN

—–R1
int g1/0
ip add 123.0.0.1 255.255.255.0
desc Hub
no shut
int loop 0
ip add 192.168.0.1 255.255.255.255
no shut
—–R2
int g1/0
ip add 123.0.0.2 255.255.255.0
desc spoke1-R2
no shut
int loop 0
ip add 192.168.0.2 255.255.255.255
no shut
—–R3
int g1/0
ip add 123.0.0.3 255.255.255.0
desc spoke2-R3
no shut
int loop 0
ip add 192.168.0.3 255.255.255.255
no shut

IPSEC and VTI Configuration:
============= R2
crypto isakmp policy 10
encryption aes 256
hash sha
authentication pre-share
group 14
lifetime 3600

crypto isakmp key cisco address 123.0.0.1
crypto isakmp key cisco address 123.0.0.3

crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
mode tunnel

crypto ipsec profile IPSEC
set transform-set TS

interface Tunnel0
ip address 10.0.123.2 255.255.255.0
ip mtu 1400
tunnel source GigabitEthernet1/0
tunnel mode ipsec ipv4
tunnel destination 123.0.0.1
tunnel protection ipsec profile IPSEC

router eigrp 1

============== R1
crypto isakmp policy 10
encryption aes 256
hash sha
authentication pre-share
group 14
lifetime 3600

! Difference on the HUB: we are not separating the crypto key for each spoke; instead we put the keys for all neighbors in a single keyring.
crypto keyring KEYRING
pre-shared-key address 123.0.0.2 key cisco

! Build an ISAKMP profile and link it to the keyring
crypto isakmp profile ISAKMP
keyring KEYRING
match identity address 123.0.0.2
virtual-template 1

crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
mode tunnel

crypto ipsec profile IPSEC
set transform-set TS

! Create another loopback for virtual template.
int loop 1
ip address 10.0.123.1 255.255.255.0
! Same network as the spoke tunnel interface

! Another difference: we are not creating a tunnel interface; we create a virtual template of type tunnel instead

int virtual-template 1 type tunnel
ip unnumbered loopback 1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC
no ip split-horizon eigrp 1
no ip next-hop-self eigrp 1

IPSEC VPN

IPSEC Control Plane
– ISAKMP & IKE Negotiation

IPSEC Data Plane
– ESP & AH Encapsulation

Virtual Private Network(VPN)
– Extension of private network over a public network.
– VPN doesn’t necessarily imply encryption.

Example:
Layer 2 VPNs
– Ethernet VLANs, QinQ, Frame Relay PVCs, ATM PVCs, VPLS
Layer 3 VPNs
– GRE, MPLS layer 3 VPN, IPSEC

What is IPsec?
– IPsec is a standards based security framework.
– Lots of RFCs…

IPsec Features
– Data Origin Authentication
– Who did the packet come from?
– Data Integrity
– Was the packet changed in the transit path?
– Data Confidentiality
– Can anyone read the packet in the transit path?
– Anti-replay
– Did I already receive this packet?

Why use IPsec VPNs?
– Does not need static SP provisioning like MPLS
– Independent of SP access method
– IPv4/IPv6 transport is the only requirement
– Allows both site-to-site and remote access
– Always on vs. dial-on-demand (Cisco Anyconnect)
– Offers data protection
– Main motivation.
Note: The requirement is just IP Transport.

When we are talking about other VPN technologies like MPLS, MPLS does not have encryption. If someone has gained access to the transport in the service provider network and they do a packet capture, they will be able to see our frames in clear text. The only thing MPLS does is add an additional header between layer 2 and the payload.

Design Consideration:
Many designs are driven by requirements such as healthcare compliance. Even if you have an MPLS Layer 2/3 VPN service, you may be required to run IPsec on top of it to add data confidentiality (encryption of traffic).

How IPsec Works
1. IPsec is a Network Layer protocol (Layer 3)
– Different from SSL (Layer 7) or 802.1AE MACsec (Layer 2)

Note: IPsec doesn’t run directly over ATM or over Ethernet; it needs IPv4/IPv6 transport in order to do the negotiation and the actual data plane transport.

2. Main goal is to encrypt and authenticate IPv4 or IPv6 packets.
– Uses symmetric cipher for encryption (e.g. 3DES)
– Keyed hashing for authentication (e.g. MD5)

3. Used to create P2P tunnels between endpoints
– GETVPN is an exception, which can use P2MP

How IPsec Tunnels Work
1. Tunnels are dynamically negotiated through IKE
– Main goal is to NOT define crypto keys manually

2. IPsec use two data structures to build a tunnel
– Security Association (SA)
– An agreement of IPsec Parameters
– Maintains encryption & authentication keys on peers.
– A logical structure that we maintain on the
control plane

– Security Parameter Index (SPI)
– Field in packet header to select SA on
receiver
– Analogous to VLAN header or MPLS label
– Inside the actual packet

3. Protocols that are used to form security association
– ISAKMP/IKE are the negotiation protocols used to
form SAs
– Internet Security Association and Key Management Protocol (ISAKMP)
– ISAKMP is the framework
– Says that authentication and keying should
occur

– Internet Key Exchange (IKE)
– IKE is the actual implementation
– Defines how authentication and keying occurs
– In general, ISAKMP/IKE terms are interchangeable.

IKEv1 vs IKEv2 Negotiation
IKEv1 was original implementation
IKEv2 adds new improvements such as the “Suite B” algorithms
– No change to IPsec data plane, only control plane.

IPsec Tunnel Negotiation with IKE
– Goal of IPsec exchange is to establish SAs
– Occurs through two main negotiation phases using IKE

Note: This is a negotiation of parameters in which one router tells the other router what encryption or authentication will be used; after they agree on the parameters they form an encrypted tunnel in which they can do further negotiation.

Difference of IPsec Phase:

1. IPsec Phase 1
– Authenticate endpoints and build a secure tunnel for
further negotiation.
– Result is called ISAKMP SA

Note: The goal is to build a temporary secure tunnel inside which we can do further negotiation.

2. IPsec Phase 2
– Establish the tunnel used to protect the actual data
traffic.
– Result is called the IPsec SA

Negotiating the ISAKMP SA
– During IKE Phase 1, peers negotiate four main parameters
1. Authentication method
2. Diffie-Hellman group
– 1/2/5/…
3. Encryption type
– DES / 3DES / AES
4. Hash algorithm
– MD5 / SHA1

Authentication in mainly two ways:
– Pre-shared key (PSK) – Password (limitation)
– X.509 Certificates (PKI) (Windows CA)

PSK is easy, but PKI is scalable
– PSKs are difficult to maintain and change.
– PKI allows easy revocation and also hierarchy

IKEv2 adds improved authentication
– EAP methods

Note: Flex VPN means IKEv2, adds more flexibility on the design.

IKE Diffie-hellman Group
– DH is the method to exchange crypto keys
– I.e. Alice and Bob agree on a prime number.
– DH group number determines strength of keys
– Higher group is better, but at expense of CPU
– Result of DH is what 3DES, AES, etc. uses as their symmetric keys.

Encryption algorithm used to protect the traffic – DES, 3DES, AES-128, AES-256, etc.
– Higher is better but at the expense of the CPU
– Some can be hardware accelerated
– I.e. AES crypto offload card

Hashing
– One way hash used to authenticate the packet
– If hashes match, the packet was not modified in
transit
– Higher is better, but again at the expense of CPU
– Hashes supported depends on IKE version
– IKEv1 MD5 & SHA-1
– IKEv2 SHA-256, SHA-384, etc.

The combination of these four parameters is called an ISAKMP policy.
– Combinations of IKE parameters are ISAKMP policies
– IKE initiator sends all its policies through a
proposal
– IKE responder checks received policies against its
own.
– First match is used, based on lowest local priority
value.
– Else, connection is rejected.

Common issue: a parameter mismatch between the two peers’ policies.
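As an added example (not from the original notes), the following Python models the responder-side policy selection described above and flags the weaker parameter choices; the policy values are constructed from the R14/R15 config earlier on this page, and the weakness thresholds are an assumption, not something the notes state.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <n>' entry: the four negotiated parameters."""
    priority: int        # local preference only; lower number is tried first
    encryption: str      # e.g. "des", "3des", "aes", "aes 256"
    hash_alg: str        # e.g. "md5", "sha" (IOS default when omitted: sha)
    authentication: str  # e.g. "pre-share", "rsa-sig"
    group: int           # Diffie-Hellman group number

    def same_parameters(self, other: "IsakmpPolicy") -> bool:
        # Priority is never sent to the peer, so it is excluded from the comparison.
        return (self.encryption, self.hash_alg, self.authentication, self.group) == (
            other.encryption, other.hash_alg, other.authentication, other.group)


def select_policy(responder: Sequence[IsakmpPolicy],
                  proposal: Sequence[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """Responder side of Phase 1: walk local policies from the lowest priority
    number upward and return the first one that any proposed policy matches.
    None means the proposal is rejected (the parameter mismatch noted above)."""
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in proposal:
            if local.same_parameters(remote):
                return local
    return None


def weak_parameters(policy: IsakmpPolicy) -> List[str]:
    """Flag the weaker choices. Thresholds are an assumption following common
    current guidance: avoid DES/3DES, MD5, and DH groups below 14."""
    findings = []
    if policy.encryption in ("des", "3des"):
        findings.append(f"encryption {policy.encryption}")
    if policy.hash_alg == "md5":
        findings.append("hash md5")
    if policy.group < 14:
        findings.append(f"group {policy.group}")
    return findings


# Constructed policy sets. LAB_PEER mirrors the R14/R15 EZVPN config above
# (encr aes 256, authentication pre-share, group 2, default hash sha).
LAB_PEER = [IsakmpPolicy(10, "aes 256", "sha", "pre-share", 2)]

# A hub that prefers DH group 14 (priority 10) but still accepts group 2 (priority 20).
HUB = [
    IsakmpPolicy(10, "aes 256", "sha", "pre-share", 14),
    IsakmpPolicy(20, "aes 256", "sha", "pre-share", 2),
]

# A spoke that only offers RSA signatures with group 14: no common policy with HUB.
STRICT_SPOKE = [IsakmpPolicy(10, "aes 256", "sha", "rsa-sig", 14)]

if __name__ == "__main__":
    chosen = select_policy(HUB, LAB_PEER)
    print("hub <- lab peer:", chosen, "weak:", weak_parameters(chosen))
    print("hub <- strict spoke:", select_policy(HUB, STRICT_SPOKE))
```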

After Phase 1 completes, an encrypted tunnel exists between the peers. Phase 2 negotiation can now be hidden from devices in transit.

Negotiating the IPsec SA
– In Phase 2, peers agree on more parameters…
– Security protocol
– Encapsulating Security Payload (ESP) or
Authentication Header (AH)
– Encapsulation mode
– Tunnel mode or transport mode
– Encryption
– DES, 3DES, AES, ETC
– Authentication
– MD5, SHA, SHA-256, SHA-512, etc.
– Combination of these is called the IPsec Transform set

AH VS ESP
– Authentication Header (AH)
– IP protocol number 51
– Data origin authentication includes IP header
– Data Integrity
– Encapsulating Security Payload (ESP)
– IP protocol number 50
– Data origin authentication excludes IP header
– Data Integrity
– Data Encryption
– Anti-Replay

Tunnel vs Transport
– AH & ESP support two modes of encapsulation
– Transport
– Original IP header retained
– Payload and layer 4 header
authenticated/encrypted with ESP
– Complete packet authenticated with AH
– Typically used in host to host IPsec
– Tunnel
– Adds new IP header
– Original header & payload authenticated/encrypted
with ESP.
– Complete packet authenticated with AH
– Typically used between IPsec gateways or host to
IPsec gateway

Security Association (SA) lifetimes
– How often should we re-key

IPsec Proxy identities
– Define what traffic goes into the IPsec tunnel
– I.e. the “Interesting traffic” to trigger the tunnel
– Proxy ACLs should be mirror images
– Take a tunnel from peer A to peer B
– Peer A says traffic is from X to Y
– Peer B says traffic is from Y to X
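An added example, not part of the original notes: a small Python checker that parses two peers' crypto ACLs and reports entries that are not mirror images of each other. The ACL lines are constructed using the LAN subnets from the EZVPN section above, and the parser assumes only the `any`, `host A` and `A WILDCARD` address forms appear.

```python
import ipaddress
from typing import List, Tuple

# (protocol, source network, destination network) is one proxy identity
ProxyEntry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco ACL wildcards are inverted masks: 0.0.0.255 is a /24.
    A non-contiguous wildcard raises ValueError, which is deliberate here."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _parse_address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text: str) -> List[ProxyEntry]:
    """Parse extended-ACL lines 'permit <proto> <src> <dst>'. Only permit entries
    define proxy identities; deny and remark lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "permit":
            continue
        src, i = _parse_address(tokens, 2)
        dst, _ = _parse_address(tokens, i)
        entries.append((tokens[1], src, dst))
    return entries


def mirror_mismatches(peer_a: List[ProxyEntry],
                      peer_b: List[ProxyEntry]) -> Tuple[List[ProxyEntry], List[ProxyEntry]]:
    """Return (A entries with no mirror on B, B entries with no mirror on A).
    The mirror of (proto, X, Y) is (proto, Y, X). Two empty lists means the ACLs match."""
    a_set, b_set = set(peer_a), set(peer_b)
    only_a = [e for e in peer_a if (e[0], e[2], e[1]) not in b_set]
    only_b = [e for e in peer_b if (e[0], e[2], e[1]) not in a_set]
    return only_a, only_b


# Constructed ACLs using the R14/R15 lab LAN subnets (172.16.32.0/24 and 172.16.128.0/24).
# PEER_B_BAD has a wrong wildcard (a /25) and is missing the loopback host entry.
PEER_A = parse_crypto_acl("""
permit ip 172.16.32.0 0.0.0.255 172.16.128.0 0.0.0.255
permit ip host 172.16.0.4 host 172.16.0.2
""")
PEER_B_GOOD = parse_crypto_acl("""
permit ip 172.16.128.0 0.0.0.255 172.16.32.0 0.0.0.255
permit ip host 172.16.0.2 host 172.16.0.4
""")
PEER_B_BAD = parse_crypto_acl("""
permit ip 172.16.128.0 0.0.0.127 172.16.32.0 0.0.0.255
""")

if __name__ == "__main__":
    print("good:", mirror_mismatches(PEER_A, PEER_B_GOOD))
    print("bad: ", mirror_mismatches(PEER_A, PEER_B_BAD))
```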

IPsec Control Plane vs Data Plane
– All traffic is unicast IPv4/IPv6
– IPsec Control Plane (ISAKMP)
– UDP 500
– UDP 4500 if going through NAT
– IPsec Data Plane
– ESP (50) or AH (51)
– ESP over UDP 4500 if going through NAT
– Some platforms allow custom ports
– E.g. ASA firewall

Q&A
1. Is there any SSL VPN for S-t-S VPN?
– Open ssl in linux (doing the encryption at application level)
2. Proxy acl should match
3.
——————————————————
IKE Phase 1 is ISAKMP (Internet Security Association and Key Management Protocol) – it is used to create a private tunnel between the peers (the routers) for secure communication.

IKE Phase 2 is also known as IPsec – it creates the IPsec tunnel used for user traffic.

https://learningnetwork.cisco.com/thread/25765
https://supportforums.cisco.com/t5/security-documents/main-mode-vs-aggressive-mode/ta-p/3123382

http://gigacon.blogspot.com/2016/12/best-interview-questions-how-vpn-works.html

Main Mode VS Aggressive:
https://supportforums.cisco.com/t5/security-documents/main-mode-vs-aggressive-mode/ta-p/3123382

Fortigate selecting Main and Aggressive Mode:
http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/Phase_1/Choosing_Main_Aggressive.htm

Basic Site-to-Site IPSec VPN (Aggressive Mode):
http://zahid-stanikzai.com/basic-site-to-site-ipsec-vpn-aggressive-mode/

IKE main mode, aggressive mode, & phase 2.

IPsec VPN, Main mode Vs Aggressive mode
http://rayas-security.blogspot.com/2013/06/ipsec-vpn-main-mode-vs-aggressive-mode.html

Conclusions
-Aggressive mode is faster than main mode
-It is generally recommended to use main mode instead of aggressive mode.
-If aggressive mode must be used, for performance reasons for example, prefer Public Key Encryption authentication.

Question and Answer:
1. When do we use main mode and aggressive mode? In which scenarios do we choose them?
A: Aggressive mode is typically used for remote access VPNs (remote users). Also you would use aggressive mode if one or both peers have dynamic external IP addresses.
While Main mode is used for Site-to-Site VPNs.

2. It will depend on the authentication type used:
1. In PSK mode, you have to use Aggressive mode when one side is in dynamic IP addressing.
2. In the other authentication modes, you can use either Main or Aggressive modes.
One advantage of the Aggressive mode over the Main mode is that it is faster.

3. Which mode will be secured one ? Main mode or Aggressive?
A: Main mode is secure as it negotiates the SA parameters first before authenticating which aggressive mode does not do.