Deploying FlexVPN with IKEv2 and SSL BRKSEC-3013
Tom Alexander – Technical Leader, Cisco Services
Email: [email protected] #clmel
Agenda
• FlexVPN Introduction
  – Why FlexVPN
  – FlexVPN Positioning
• FlexVPN Building Blocks
• Shortcut Switching (FlexMesh)
• FlexVPN & AAA Integration
• FlexVPN Redundancy
• Remote Access
• Wrap-up
BRKSEC-3013
© 2015 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Before We Begin...
“Additional info” slides:
  – Rendered in the presentation PDF (download it through the Cisco Live portal)
  – Not shown during the live presentation
  – Cover extra details or small additional topics
“For your Reference” slides:
  – Just for your reference when back at work
  – Will not be covered in detail
Tidbits about your Speaker
• Cruising on VPN tunnels: 10+ years
• What's on my wall: “Treat your customer like your best friend”
• Longest WebEx session @ TAC: 15+ hours straight, 9 pm – 12 noon
• Mantra: Work hard, play hard! Don't make work a job, make it fun
Email: [email protected]
Tom the Bug @ Bugathon 13
An Introduction to FlexVPN and IKEv2
EasyVPN, DMVPN and Crypto Maps
Three legacy ways of solving overlapping problems, each with its own CLI. The three hub-side configurations the slide places side by side:

EasyVPN (dVTI)
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group cisco
 key cisco123
 pool dvti
 acl 100
crypto isakmp profile dvti
 match identity group cisco
 client authentication list lvpn
 isakmp authorization list lvpn
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set dvti esp-3des esp-sha-hmac
crypto ipsec profile dvti
 set transform-set dvti
 set isakmp-profile dvti
interface Virtual-Template1 type tunnel
 ip unnumbered Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile dvti
ip local pool dvti 192.168.2.1 192.168.2.2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

DMVPN
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key pr3sh@r3dk3y address 0.0.0.0
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile vpnprofile
 set transform-set vpn-ts-set
interface Tunnel0
 ip address 10.0.0.254 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprofile
ip route 192.168.0.0 255.255.0.0 Null0
ip route 0.0.0.0 0.0.0.0 10.0.0.2
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group DMVPN
 neighbor DMVPN peer-group
 neighbor DMVPN remote-as 1
 redistribute static
 no auto-summary

Crypto Maps (EasyVPN terminated on a crypto map)
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group cisco
 key cisco123
 pool vpnpool
 acl 110
crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
crypto dynamic-map dynamicmap 10
 set transform-set vpn-ts-set
 reverse-route
crypto map client-vpn-map client authentication list userauthen
crypto map client-vpn-map isakmp authorization list groupauthor
crypto map client-vpn-map client configuration address initiate
crypto map client-vpn-map client configuration address respond
crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap
interface FastEthernet0/0
 ip address 83.137.194.62 255.255.255.240
 crypto map client-vpn-map
ip local pool vpnpool 10.10.1.1 10.10.1.254
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
VPN Technology Selection
Death by a thousand questions…
• 3rd-party and legacy support    • Hub & Spoke                  • AAA
• Manageability                   • Failover time                • Spoke – Spoke direct
• IPv4/IPv6 dual stack            • Solution vs. components      • Failure detection method
• Design complexity               • Route injection              • Dual DMVPN
• Dynamic routing                 • Crypto map or tunnels        • Feature order
• Multi-hub homing                • Per-peer ACLs                • Scalability
• Multicast                       • Multi-ISP homing             • QoS support
• High availability
FlexVPN Unifies

Unified overlay VPNs            Easy VPN   DMVPN     Crypto Map   FlexVPN
Interop                         No         No        Yes          Yes
Dynamic Routing                 No         Yes       No           Yes
IPsec Routing                   Yes        No        Yes          Yes
Spoke-spoke direct (shortcut)   No         Yes       No           Yes
Remote Access                   Yes        No        Yes          Yes
Simple Failover                 Yes        partial   poor         Yes
Source Failover                 No         No        No           Yes
Config push                     Yes        No        No           Yes
Per-peer config                 Yes        No        No           Yes
Per-Peer QoS                    Yes        group     No           Yes
Full AAA Management             Yes        No        No           Yes

• One VPN to learn and deploy
• Everything works – no questions asked
FlexVPN Overview
• What is FlexVPN?
  – IKEv2-based unified VPN technology that combines site-to-site, remote-access, hub-spoke and spoke-to-spoke topologies
• FlexVPN highlights
  – Unified CLI
  – Based on and compliant with the IKEv2 standard
  – Unified infrastructure: leverages the IOS point-to-point tunnel interface
  – Unified features: most features available across topologies
  – Key features: AAA, config mode, dynamic routing, IPv6
  – Per-spoke features for QoS, VRF, ZBFW, ACL, etc.
  – Simplified configuration using smart defaults
  – Interoperable with non-Cisco implementations
  – Easier to learn, market and manage
IKEv2 and FlexVPN Feature History - T train

PI     Release    Features introduced
PI12   15.1(1)T   IKEv2 CLI, IKEv2 site-to-site (sVTI-sVTI, sVTI-dVTI), IKEv2 DMVPN
PI13   15.1(2)T   IKEv2 Suite B
PI14   15.1(3)T   IKEv2 RA server (interop with Win7 client), IKEv2 fragmentation
PI15   15.1(4)M   IKEv2 IPv6 (sVTI, crypto maps)
PI16   15.2(1)T   FlexVPN client; FlexVPN server (interop with Win7, AnyConnect, FlexVPN clients); FlexVPN server v6 (interop with Win7); FlexVPN smart defaults; IKEv2 dVTI multi-SA
PI17   15.2(2)T   FlexVPN spoke-spoke, mode config separation, FlexVPN TAC EFT feedback, IKEv2 debug enhancements
PI18   15.2(3)T   FlexVPN client IPv6 and EAP support (MSCHAPv2, MD5 and GTC); FlexVPN client mixed-mode support using GRE (v4-over-v6 and v6-over-v4); IKEv2 initial-contact enhancements
PI19   15.2(4)M   IKEv2 load balancer
IKEv2 and FlexVPN Feature History - S train / IOS XE

XE     Release    Features introduced
3.2    15.1(1)S   IKEv2 site-to-site (sVTI-sVTI, sVTI-dVTI), IKEv2 DMVPN
3.3    15.1(2)S   IKEv2 RA server (Win7 client)
3.5    15.2(1)S   FlexVPN server (interop with Win7, AnyConnect); FlexVPN smart defaults; IKEv2 dVTI multi-SA
3.7    15.2(3)S   FlexVPN server v6 (interop with Win7); FlexVPN client IPv4/IPv6; mixed-mode support using GRE (v4-over-v6 and v6-over-v4); IKEv2 initial-contact enhancements; IKEv2 debug enhancements
3.8    15.2(4)M   FlexVPN spoke-spoke; FlexVPN client EAP support (MSCHAPv2, MD5 and GTC); IKEv2 load balancer
IKEv2 in a Few Words
• Defined in RFC 4306, updated by RFC 5996 (itself obsoleted by RFC 7296 in October 2014, which is the current specification)
  – No interoperability with IKEv1
  – Usage ramping up rapidly!
• IKEv1 and IKEv2 use the same basic structure, aiming at:
  – Privacy
  – Integrity
  – Authentication
• Both run over UDP 500/4500
Flex is IKEv2 Only – Why Flex now?
IKEv1 and IKEv2 share the same objectives (Authentication, Integrity, Privacy) and both use UDP ports 500 & 4500, but they are similar rather than the same:

IKEv1                                                         IKEv2
Three documents: ISAKMP (RFC 2408), DOI (RFC 2407), IKE (RFC 2409)   One document: RFC 5996
DPD, Mode-config, NAT-T, Hybrid Auth bolted on as extensions         Liveness check, config exchange and NAT-T in the base protocol; EAP for client authentication
Authentication options: PSK, RSA-Sig                                 PSK, RSA-Sig, EAP; Suite B algorithms
Main + Aggressive mode                                               Single INITIAL exchange; identity exchange is cleaner
Unacknowledged notifications                                         Acknowledged notifications; anti-DoS protection; more secure overall
FlexVPN Building Blocks
FlexVPN and Interfaces
[Diagram: Hub 1 and Hub 2 expose Virtual-Template interfaces (VT1, VT2) that are cloned into Virtual-Access interfaces (VA1, VA2, VA3); Spoke 1, Spoke 2 and a Remote User terminate static Tunnel interfaces (Tu0) on them. Topologies shown: Site to Site, Remote Access, Hub & Spoke, Dynamic Mesh.]
Legend:
  Tu – Static Tunnel
  VT – Virtual Template
  VA – Virtual Access (dynamically created)
IKEv2 Configuration
Building blocks:
  IKEv2 proposal – optional (default exists)
  IKEv2 policy   – optional (default exists)
  IKEv2 keyring
  IKEv2 profile

crypto ikev2 proposal prop-1
 encryption aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy site-policy
 proposal prop-1
!
crypto ikev2 keyring V2-keyring
 peer cisco
  address 10.0.1.1
  pre-shared-key cisco123
!
crypto ikev2 profile prof
 match identity remote address 10.0.1.1
 authentication local pre-share
 authentication remote pre-share
 keyring V2-keyring

Introduced in 15.1(1)T. The 3DES, SHA-1 and DH group 2 choices above are illustrative only; for a new deployment configure AES-256 (or AES-GCM), SHA-256 or stronger and DH group 14 or higher in the proposal.
IKEv2 CLI Overview
IKEv2 profile – extensive CLI:
• Self identity control
• Matching on peer identity or certificate
• Matching on local address and front VRF
• Asymmetric local and remote authentication methods
• IOS-based and AAA-based pre-shared keyring

The options available under a profile (one line of each kind shown; a real profile carries a single identity local and one authentication method per direction):
crypto ikev2 profile default
 identity local address 10.0.0.1
 identity local fqdn local.cisco.com
 identity local email [email protected]
 identity local dn
 match identity remote address 10.0.1.1
 match identity remote fqdn remote.cisco.com
 match identity remote fqdn domain cisco.com
 match identity remote email [email protected]
 match identity remote email domain cisco.com
 match certificate certificate_map
 match fvrf red
 match address local 172.168.1.1
 authentication local pre-share [key <key>]
 authentication local rsa-sig
 authentication local eap
 authentication remote pre-share [key <key>]
 authentication remote rsa-sig
 authentication remote eap
 keyring local <keyring>
 keyring aaa <list>
 pki trustpoint <trustpoint>
IKEv2 Basic Negotiation
Initiator                                                          Responder
  HDR, SAi1, KEi, Ni                                  --->
                                                      <---           HDR, SAr1, KEr, Nr, [CERTREQ]
  HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}  --->
                                                      <---           HDR, SK {IDr, [CERT], AUTH, SAr2, TSi, TSr}
(messages 1–2: IKE_SA_INIT, in the clear; messages 3–4: IKE_AUTH, inside SK)

HDR – IKE header
SK{} – payloads encrypted and integrity protected
SA[i/r] – cryptographic algorithms the peer proposes / accepts
KE[i/r] – Initiator / Responder key exchange (Diffie-Hellman) material
N[i/r] – Initiator / Responder nonce
CERT(REQ) – certificate (request)
ID[i/r] – Initiator / Responder identity
AUTH – authentication data
SAi2/SAr2 – SA, proposal and transform info to create the first CHILD_SA
TS[i/r] – traffic selectors (source / destination proxies)
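The exchange above is easier to reason about once the bytes are visible. The following is an added example, not code from the deck or from Cisco: it builds the IKE_SA_INIT request (header, SA proposal with the deck's aes-cbc-128/sha1 transforms, KE, nonce) per RFC 7296 section 3 and parses it back, applying the length and critical-bit checks a responder must make before trusting anything in the datagram. The DH public value and nonce are dummy bytes, so the result is a structurally valid message, not a cryptographically live exchange.

```python
"""Added example, not code from the Cisco deck: build and parse the fixed
IKEv2 header and generic payload chain of an IKE_SA_INIT request as defined
in RFC 7296 section 3. The DH public value and nonce are constructed dummies."""
import os
import struct

HDR_LEN = 28                      # fixed IKE header size
IKE_SA_INIT, IKE_AUTH = 34, 35    # exchange types
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
# Payload type numbers (RFC 7296 section 3.2); 40 is used for both Ni and Nr
PT = {"NONE": 0, "SA": 33, "KE": 34, "IDi": 35, "IDr": 36, "CERT": 37,
      "CERTREQ": 38, "AUTH": 39, "NONCE": 40, "N": 41, "TSi": 44, "TSr": 45, "SK": 46}
PT_NAME = {v: k for k, v in PT.items()}
# Transform types and IDs (RFC 7296 section 3.3.2 / IANA registry)
T_ENCR, T_PRF, T_INTEG, T_DH = 1, 2, 3, 4
ENCR_AES_CBC, PRF_HMAC_SHA1, AUTH_HMAC_SHA1_96, DH_GROUP_14 = 12, 2, 2, 14


def sa_proposal(transforms, proposal_num=1):
    """Encode one IKE proposal (protocol ID 1, no SPI). transforms is a list
    of (transform_type, transform_id, key_length_or_None)."""
    body = b""
    for i, (ttype, tid, keylen) in enumerate(transforms):
        attr = struct.pack("!HH", 0x800E, keylen) if keylen else b""   # TV key-length attribute
        last = 0 if i == len(transforms) - 1 else 3                    # 0 = last transform, 3 = more follow
        body += struct.pack("!BBHBBH", last, 0, 8 + len(attr), ttype, 0, tid) + attr
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(body), proposal_num, 1, 0, len(transforms)) + body


def ke_payload(group, public_value):
    """KE payload body: DH group number, reserved, then the public value."""
    return struct.pack("!HH", group, 0) + public_value


def build_message(spi_i, spi_r, exchange, flags, msg_id, payloads):
    """payloads: list of (type_name, body). Each generic payload header names
    the type of the payload that follows it; the IKE header names the first."""
    chain = b""
    for idx, (ptype, body) in enumerate(payloads):
        nxt = PT[payloads[idx + 1][0]] if idx + 1 < len(payloads) else PT["NONE"]
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = PT[payloads[0][0]] if payloads else PT["NONE"]
    hdr = struct.pack("!8s8sBBBBII", spi_i, spi_r, first, 0x20, exchange, flags,
                      msg_id, HDR_LEN + len(chain))
    return hdr + chain


def parse_message(data):
    """Walk the payload chain, enforcing the length checks a responder needs
    before it trusts the packet. An unknown payload with the critical bit set
    is rejected (RFC 7296 section 2.5); an unknown non-critical one is skipped."""
    if len(data) < HDR_LEN:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:HDR_LEN])
    if ver >> 4 != 2:
        raise ValueError("not IKEv2")
    if length != len(data):
        raise ValueError("IKE header length does not match datagram")
    payloads, off = [], HDR_LEN
    while nxt != PT["NONE"]:
        if off + 4 > length:
            raise ValueError("payload header runs past message end")
        this = nxt
        nxt, crit, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        if this not in PT_NAME:
            if crit & 0x80:
                raise ValueError("unsupported critical payload %d" % this)
        else:
            payloads.append((PT_NAME[this], data[off + 4:off + plen]))
        off += plen
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": exch, "flags": flags,
            "msg_id": msg_id, "payloads": payloads}


def sa_init_request():
    """IKE_SA_INIT request carrying the deck's aes-cbc-128 / sha1 proposal
    with DH group 14; KE data and nonce are constructed dummy bytes."""
    sa = sa_proposal([(T_ENCR, ENCR_AES_CBC, 128), (T_PRF, PRF_HMAC_SHA1, None),
                      (T_INTEG, AUTH_HMAC_SHA1_96, None), (T_DH, DH_GROUP_14, None)])
    ke = ke_payload(DH_GROUP_14, b"\x42" * 256)       # placeholder, not a real public value
    return build_message(os.urandom(8), b"\x00" * 8, IKE_SA_INIT, FLAG_INITIATOR, 0,
                         [("SA", sa), ("KE", ke), ("NONCE", os.urandom(32))])


if __name__ == "__main__":
    m = parse_message(sa_init_request())
    print([name for name, _ in m["payloads"]], m["exchange"], hex(m["flags"]))
```

The responder SPI is zero in message 1 and filled in by the responder in message 2; the message ID starts at 0 and the Response flag (0x20) distinguishes message 2 from message 1. Everything from message 3 onward travels inside a single SK payload, which is why the IDi/AUTH/TS fields on the slide are not visible to an on-path observer.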
IKEv2 Profile Match Statements
The IKE_AUTH request carries the peer's identity and, optionally, its certificate:
  HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}

match certificate <map>        – matches fields of the peer's certificate, e.g.
  SubjectName: CN=RouterName, O=Cisco, OU=Engineering
  IssuerName:  CN=PKI Server, O=Cisco, OU=IT
match identity remote address  – e.g. 172.16.0.1
match identity remote fqdn     – e.g. router.cisco.com
match identity remote email    – e.g. [email protected]
…
IPsec CLI Overview
• IPsec transform set
• IPsec profile defines SA parameters and points to the IKEv2 profile
• Tunnel protection links the interface to the IPsec profile
• Works on dynamic (Virtual-Template) and static point-to-point interfaces

crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
crypto ipsec profile default
 set transform-set default
 set ikev2-profile default
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel protection ipsec profile default
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 172.16.2.1
 tunnel protection ipsec profile default
Introducing Smart Defaults
Intelligent, reconfigurable defaults.

What you need to specify:
crypto ikev2 profile default
 match identity remote address 10.0.1.1
 authentication local rsa-sig
 authentication remote rsa-sig
 aaa authorization user cert list default default
 pki trustpoint TP
!
interface Tunnel0
 ip address 192.168.0.1 255.255.255.252
 tunnel protection ipsec profile default

These constructs are the Smart Defaults (present without being configured, visible with “show running-config all”):
crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
crypto ipsec profile default
 set transform-set default
 set ikev2-profile default
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha512 sha256 sha1 md5
 group 5 2
crypto ikev2 policy default
 match fvrf any
 proposal default
crypto ikev2 authorization policy default
 route set interface
 route accept any

The defaults are reconfigurable for a reason: the default proposal still offers 3DES, MD5 and DH groups 5 and 2, and “route accept any” installs whatever prefixes the peer announces. Trim the proposal to AES-256 / SHA-256 (or better) / group 14 or higher and restrict accepted routes before putting a FlexVPN hub in front of untrusted peers.
Static Site-to-Site Example
Router 1 (r1.cisco.com)                                            Router 2 (r2.cisco.com)
  Perform IKE SA agreement & Diffie-Hellman key exchange (not shown)
  “My IKE ID is r1.cisco.com (FQDN). My PSK authentication payload is... I want to protect GRE traffic between...”  --->
                                                  Map connection to IKEv2 profile “default” by matching on peer FQDN
                                                  Verify peer's AUTH payload & produce our own based on the configured PSK
                                                  Use our own FQDN as IKE ID
  <---  “My IKE ID is r2.cisco.com (FQDN). My PSK authentication payload is... I agree to protect GRE traffic between...”
  Finalize IPsec SAs (GRE between local & remote WAN addresses)
  Establish routing protocol neighbourship & exchange prefixes

Router 2 configuration:
crypto ikev2 keyring my_keyring
 peer R1
  hostname r1.cisco.com
  pre-shared-key cisco123
!
crypto ikev2 profile default
 match identity remote fqdn r1.cisco.com
 identity local fqdn r2.cisco.com
 authentication remote pre-share
 authentication local pre-share
 keyring local my_keyring
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile default
!
interface Ethernet0/0
 ip address 192.0.2.2 255.255.255.0
!
router rip
 version 2
 network 10.0.0.0
 ...
FlexVPN AAA Integration
Dynamic Point-to-Point Interfaces
On the FlexVPN server a P2P interface template (Virtual-Template1) is cloned into one dynamically instantiated P2P interface (Virtual-Access) per peer.

P2P interface template:
crypto ikev2 profile default
 ...
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

Dynamically instantiated P2P interfaces (tunnel source and destination are filled in from the IKEv2 session; per-peer features such as the QoS policy come from authorisation):
interface Virtual-Access1
 ip unnumbered Loopback0
 tunnel source <server WAN address>
 tunnel destination <peer 1 address>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
 service-policy output mobile-QoS
!
interface Virtual-Access2
 ip unnumbered Loopback0
 tunnel source <server WAN address>
 tunnel destination <peer 2 address>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
 service-policy output traveler-QoS
!
interface Virtual-Access3
 ip unnumbered Loopback0
 tunnel source <server WAN address>
 tunnel destination <peer 3 address>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
 service-policy output home-office-QoS

Routing table (RIB/FIB) on the server:
  S  0.0.0.0/0       via Ethernet0/0
  L  10.0.1.1/32     local, Loopback0
  S  10.0.1.10/32    via Virtual-Access1
  S  10.0.1.11/32    via Virtual-Access2
  S  10.0.1.12/32    via Virtual-Access3
  S  10.42.1.0/24    via Virtual-Access3

Static P2P interface on the client side (Tun0):
interface Tunnel0
 ip address negotiated
 tunnel source Ethernet0/0
 tunnel destination <server address>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
High-Level AAA Operations
Roles:
  RA client       – IKEv2 initiator, EAP supplicant
  FlexVPN server  – IKEv2 responder, RADIUS client (NAS), EAP authenticator
  AAA server      – RADIUS server, EAP backend

Authentication
  – Certificate authentication (local to the FlexVPN server)
  – PSK authentication, optionally with AAA PSK retrieval from the RADIUS server
  – EAP client authentication, relayed by the FlexVPN server to the EAP backend
Authorisation
  – Cached authorisation (attributes already received during authentication)
  – Local authorisation
  – RADIUS authorisation
Configuration exchange (server to client)
  “Your assigned IPv6 address is ... Your DNS server is ... There is no WINS server. The protected subnets are ...”
Accounting
  – RADIUS accounting
Building Block – IKEv2 Name Mangler
• Start with the peer's IKE or EAP identity
• Derive a username that is meaningful to AAA (local or RADIUS)

Client identity (IKEv2 exchange)      Name-mangler rule          AAA username
FQDN:  joe.cisco.com                  fqdn hostname              joe
Email: [email protected]                email username             joe
DN:    cn=joe,ou=IT,o=Cisco           dn common-name             joe
EAP:   joe@cisco                      eap prefix delimiter @     joe

crypto ikev2 name-mangler extract-user
 fqdn hostname
 email username
 dn common-name
 eap prefix delimiter @

Local AAA request:   username joe
RADIUS AAA request:  username joe, password cisco (static password, configurable)
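The profile match statements (previous slides) and the name mangler are the two places where the peer's identity string is interpreted, so they are worth modelling together. The following is an added example, not code from the deck or from Cisco: it selects a profile from a peer identity using the IOS rule that match identity / match certificate lines are ORed with each other and ANDed with match fvrf (first matching profile wins), then derives the AAA username with the name-mangler options from the slide. The profiles, identities and certificate subjects are constructed for the example.

```python
"""Added example, not code from the Cisco deck: model how a FlexVPN server
selects an IKEv2 profile from the peer's identity (match identity remote ...,
match certificate, match fvrf) and how a name-mangler turns that identity
into an AAA username. Profiles, identities and mangler rules are constructed
to mirror the slides, not taken from a running router."""
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    # one (kind, value) per 'match identity remote ...' / 'match certificate' line
    matches: list = field(default_factory=list)
    fvrf: str = "global"          # 'match fvrf'; "any" matches every front VRF


def _norm(s):
    """Case- and whitespace-insensitive form used for DN / cert-map compares."""
    return "".join(s.lower().split())


def _dn_parts(dn):
    """'cn=joe, ou=IT, o=Cisco' -> {'cn': 'joe', 'ou': 'IT', 'o': 'Cisco'}"""
    parts = {}
    for rdn in dn.split(","):
        k, _, v = rdn.partition("=")
        parts[k.strip().lower()] = v.strip()
    return parts


def rule_matches(rule, peer):
    """peer: {'type': fqdn|email|address|dn, 'value': ..., 'fvrf': ..., 'cert_subject': ...}"""
    kind, want = rule
    t, v = peer["type"], peer["value"]
    if kind == "any":
        return True
    if kind == "address":
        return t == "address" and v == want
    if kind == "fqdn":
        return t == "fqdn" and v.lower() == want.lower()
    if kind == "fqdn domain":                 # label boundary: evilcisco.com must not match cisco.com
        return t == "fqdn" and v.lower().endswith("." + want.lower())
    if kind == "email":
        return t == "email" and v.lower() == want.lower()
    if kind == "email domain":
        return t == "email" and v.lower().rpartition("@")[2] == want.lower()
    if kind == "certificate":                 # certificate map 'subject-name co <text>'
        return _norm(want) in _norm(peer.get("cert_subject", ""))
    raise ValueError("unknown match kind %r" % kind)


def select_profile(profiles, peer):
    """IOS semantics: match identity / match certificate lines are ORed with
    each other and ANDed with match fvrf; the first matching profile wins, so
    profiles must be ordered from most to least specific."""
    for p in profiles:
        if p.fvrf != "any" and p.fvrf != peer.get("fvrf", "global"):
            continue
        if any(rule_matches(r, peer) for r in p.matches):
            return p.name
    return None


def mangle(rules, peer):
    """rules mirror 'crypto ikev2 name-mangler' sub-commands keyed by identity
    type: {'fqdn': 'hostname', 'email': 'username', 'dn': 'common-name',
    'eap': ('prefix', '@')}. Returns the username handed to local/RADIUS AAA."""
    t, v = peer["type"], peer["value"]
    rule = rules.get(t)
    if rule is None:
        return v                              # identity passed through unchanged
    if t == "fqdn":
        host, _, domain = v.partition(".")
        return {"hostname": host, "domain": domain, "all": v}[rule]
    if t == "email":
        user, _, domain = v.rpartition("@")
        return {"username": user, "domain": domain, "all": v}[rule]
    if t == "dn":
        attr = {"common-name": "cn", "organization-unit": "ou", "organization": "o",
                "country": "c", "locality": "l", "state": "st"}[rule]
        return _dn_parts(v).get(attr, "")
    if t == "eap":
        part, delim = rule
        before, found, after = v.partition(delim)
        if not found:
            return v                          # no delimiter present: nothing to strip
        return {"prefix": before, "suffix": after, "all": v}[part]
    raise ValueError("unsupported identity type %r" % t)


# Constructed profile order and mangler, mirroring the slides' examples
PROFILES = [
    Profile("eng-certs", [("certificate", "o = cisco")]),
    Profile("corp", [("fqdn domain", "cisco.com"), ("email domain", "cisco.com")]),
    Profile("partners", [("any", None)], fvrf="red"),
]
EXTRACT_USER = {"fqdn": "hostname", "email": "username",
                "dn": "common-name", "eap": ("prefix", "@")}

if __name__ == "__main__":
    for peer in ({"type": "fqdn", "value": "joe.cisco.com"}, {"type": "eap", "value": "joe@cisco"}):
        print(peer["value"], "->", select_profile(PROFILES, peer), mangle(EXTRACT_USER, peer))
```

Two things the model makes explicit: a domain match is a label-boundary match, so `evilcisco.com` does not fall into the `cisco.com` profile, and a catch-all profile (`match identity remote any`) only stays harmless when it is pinned to a front VRF or placed last, because the identity alone is never what authenticates the peer; the certificate, PSK or EAP exchange that follows is.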
Authorisation Types
• Not mutually exclusive – may be combined

Implicit user authorisation
crypto ikev2 profile default
 aaa authorization user {psk|eap} cached
Uses cached attributes received from RADIUS during AAA PSK retrieval or EAP authentication (e.g. with “aaa authentication eap mylist”)

Explicit user authorisation
crypto ikev2 profile default
 aaa authorization user {psk|eap|cert} list <list> [<name> | name-mangler <mangler>]
Retrieves user attributes from RADIUS (local database not supported)

Explicit group authorisation
crypto ikev2 profile default
 aaa authorization group {psk|eap|cert} [override] list <list> [<name> | name-mangler <mangler>]
Retrieves group attributes from RADIUS or the local database

The three are listed in reverse order of precedence: user attributes win over group attributes, unless “override” is configured on the group authorisation, in which case the group wins.
Attributes – Merging
The FlexVPN server merges what it receives from the AAA server in stages:

Cached user attributes (received during AAA-based authentication)
  Framed-IP-Address     10.0.0.101
  ipsec:dns-servers     10.2.2.2

Explicit user attributes (received during explicit user authorisation)
  Framed-IP-Address     172.16.1.2

Merged user attributes – explicit user attributes take precedence
  Framed-IP-Address     172.16.1.2
  ipsec:dns-servers     10.2.2.2

Explicit group attributes (received during explicit group authorisation)
  ipsec:dns-servers     172.19.1.2
  ipsec:banner          Welcome !

Final merged attributes – merged user attributes take precedence, except if “group override” is configured
  Framed-IP-Address     172.16.1.2
  ipsec:dns-servers     10.2.2.2
  ipsec:banner          Welcome !
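The precedence rules above decide which policy actually lands on the Virtual-Access interface, so it pays to be able to predict the outcome before a change. The following is an added example, not code from the deck or from Cisco: it replays the three-stage merge with the slide's attribute values, tags every final value with the stage it came from, and reports what flips when “group override” is enabled. The `ipsec:inacl` values are a constructed addition to show the case that matters most, a per-user attribute silently beating a group-wide ingress ACL.

```python
"""Added example, not code from the Cisco deck: reproduce the attribute merge
a FlexVPN server performs (cached user -> explicit user -> explicit group),
tagging every final value with the stage it came from so the effect of
'aaa authorization group ... override' is visible. The attribute sets are the
ones on the slide; the 'ipsec:inacl' values are a constructed addition."""


def merge_attributes(cached_user, explicit_user, explicit_group, group_override=False):
    """Return (merged_user, final); values are (value, source) pairs.
    Explicit user attributes win over cached ones. The merged user set wins
    over group attributes unless group override is configured, in which case
    the group values win."""
    merged_user = {k: (v, "cached-user") for k, v in cached_user.items()}
    merged_user.update((k, (v, "explicit-user")) for k, v in explicit_user.items())
    group = {k: (v, "explicit-group") for k, v in explicit_group.items()}
    if group_override:
        final = dict(merged_user)
        final.update(group)
    else:
        final = dict(group)
        final.update(merged_user)
    return merged_user, final


def override_changes(cached_user, explicit_user, explicit_group):
    """Attributes whose effective value differs between the two modes:
    {name: (value without override, value with override)}. This is the list
    of group policies that per-user RADIUS attributes can currently defeat."""
    _, normal = merge_attributes(cached_user, explicit_user, explicit_group)
    _, forced = merge_attributes(cached_user, explicit_user, explicit_group, True)
    return {k: (normal[k][0], forced[k][0]) for k in normal if normal[k][0] != forced[k][0]}


def render(attrs):
    """Table in the same shape as the slide, with a provenance column."""
    return "\n".join("%-20s %-12s from %s" % (k, v, src) for k, (v, src) in sorted(attrs.items()))


# Attribute sets as received by the FlexVPN server (slide values plus a
# constructed per-user and per-group ingress ACL)
CACHED_USER = {"Framed-IP-Address": "10.0.0.101", "ipsec:dns-servers": "10.2.2.2"}
EXPLICIT_USER = {"Framed-IP-Address": "172.16.1.2", "ipsec:inacl": "101"}
EXPLICIT_GROUP = {"ipsec:dns-servers": "172.19.1.2", "ipsec:banner": "Welcome !",
                  "ipsec:inacl": "100"}

if __name__ == "__main__":
    merged, final = merge_attributes(CACHED_USER, EXPLICIT_USER, EXPLICIT_GROUP)
    print(render(final))
    print("changed by group override:", override_changes(CACHED_USER, EXPLICIT_USER, EXPLICIT_GROUP))
```

Without override the per-user `ipsec:inacl 101` replaces the group's ACL 100; if the group ACL is the one that is supposed to enforce segmentation, either configure “override” or keep ACL attributes out of the user records on the RADIUS server.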
Authorisation Example
RA client to FlexVPN server: “My IKE ID is cn=joe-pc, ou=Eng, o=Cisco. Here is my identity certificate. I need an IPv4 address.”
FlexVPN server:
  1. Map connection to IKEv2 profile “default” by matching on cert-map “cisco”
  2. Perform certificate-based authentication (not shown)
  3. Run the client IKE ID through name-mangler “get-ou”; the username output is “Eng”
  4. Invoke AAA with list “AUTHOR” (local), username “Eng” and authorization policy “Eng”
  5. Allocate an IPv4 address from pool “pool-Eng”
  6. Clone Virtual-Template1 into Virtual-Access1, apply VRF & IP unnumbered
FlexVPN server to RA client: “Your IPv4 address is 10.0.1.10/32”

“show derived-config ...” on the server:
interface Virtual-Access1
 vrf forwarding Eng
 ip unnumbered Loopback1
 tunnel source 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel destination 192.168.221.129
 tunnel protection ipsec profile default

Configuration:
aaa authorization network AUTHOR local
aaa attribute list attr-Eng
 attribute type interface-config "ip vrf forwarding Eng"
 attribute type interface-config "ip unnumbered Loopback1"
!
crypto ikev2 authorization policy Eng
 pool pool-Eng
 netmask 255.255.255.255
 aaa attribute list attr-Eng
!
crypto pki certificate map cisco 1
 subject-name co o = cisco
!
crypto ikev2 name-mangler get-ou
 dn organization-unit
!
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list AUTHOR name-mangler get-ou
 virtual-template 1
!
ip local pool pool-Eng 10.0.1.10 10.0.1.99
!
interface Loopback1
 vrf forwarding Eng
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

Note what this design trusts: the OU field of the client certificate decides which VRF the client lands in, so the CA's issuance policy (who can obtain a certificate with ou=Eng) is the real access-control boundary here.
Accounting and Change of Authorisation
AAA Accounting
We know a lot about Spoke 1!
Spoke 1 sessions (most recent first):
  21:52 02-Jan-2015 to 22:50 03-Jan-2015    200.7 MB in    442.7 MB out
  21:53 01-Jan-2015 to 21:50 02-Jan-2015    231.1 MB in    401.2 MB out
  21:52 31-Dec-2014 to 21:50 01-Jan-2015    216.4 MB in    398.8 MB out
  10:34 12-Oct-2014 to 21:50 31-Dec-2014    90.12 GB in    180.6 GB out
  10:34 11-Jun-2014 to 21:50 12-Oct-2014    0.75 TB in     1.21 TB out
  …

Spoke 1 stands out…
Current session per spoke:
  Spoke 1:  Connected 22:51 03-Jan-2015    123.6 MB in    207.2 MB out
  Spoke 2:  Connected 11:12 12-Oct-2014    403.1 GB in    880.1 GB out
  Spoke 3:  Connected 22:34 12-Oct-2014    450.5 GB in    832.0 GB out
  Spoke 4:  Connected 16:51 11-Oct-2014    539.7 GB in    989.4 GB out
  Spoke 5:  Connected 10:34 10-Oct-2014    245.3 GB in    103.8 GB out
  Spoke 6:  Connected 10:34 13-Nov-2014    245.3 GB in    872.6 GB out

Since 31 Dec, Spoke 1 has been disconnecting and reconnecting every 24 hours…
Activating AAA Accounting
And why it is a good idea too…
• Because it is simple!
• Captures even short-lived sessions: event driven vs. polling (e.g. SNMP)
• Reliable protocol (acknowledged): more reliable than SNMP traps
• Maps the identity to the statistics: no more crossing tables (IPID)
• You may need it anyway – authorisation, IP pool…

aaa group server radius MyRADIUS
 server-private 192.168.104.101 key cisco
aaa accounting network ACCT start-stop group MyRADIUS
!
crypto ikev2 profile default
 match identity remote fqdn domain mycompany.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint TP
 aaa authorization group cert list default default
 ! tell IKEv2 to report session status
 aaa accounting cert ACCT
 virtual-template 1

The RADIUS shared secret (“cisco” above is a slide placeholder) is all that protects the accounting and authorisation traffic between the hub and the server: use a long random per-server secret, and keep the RADIUS path on a management network or inside a tunnel.
AAA Accounting
RA client (192.168.221.129) – IKEv2 (EAP) & IPsec – FlexVPN server (10.0.0.1) – RADIUS – RADIUS server (10.0.0.2)
The client is assigned address 10.0.1.101.

aaa accounting network rad start-stop group frad
aaa group server radius frad
 server-private 10.0.0.2 auth-port 1812 acct-port 1813 key s3cr3t
!
crypto ikev2 profile default
 ! “frad” here is a login authentication list (definition not shown on the slide)
 aaa authentication eap frad
 aaa authorization user eap cached
 ! references the accounting list defined above
 aaa accounting eap rad

Upon client connection: RADIUS Accounting-Request (Start), answered by Accounting-Response
  Acct-Session-Id = "0000001B"
  Cisco-AVPair = "isakmp-phase1-id=acvpn"                  (IKE ID)
  Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"      (client public IP address)
  Framed-IP-Address = 10.0.1.101                           (assigned IP address)
  User-Name = "joe@cisco"                                  (EAP username)
  Cisco-AVPair = "connect-progress=No Progress"
  Acct-Authentic = Local
  Acct-Status-Type = Start
  NAS-IP-Address = 10.0.0.1
  Acct-Delay-Time = 0

Upon client disconnection: RADIUS Accounting-Request (Stop), answered by Accounting-Response
  Acct-Session-Id = "0000001B"
  Cisco-AVPair = "isakmp-phase1-id=acvpn"
  Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
  Framed-IP-Address = 10.0.1.101
  User-Name = "joe@cisco"
  Acct-Authentic = Local
  Cisco-AVPair = "connect-progress=No Progress"
  Acct-Session-Time = 104                                  (statistics)
  Acct-Input-Octets = 13906
  Acct-Output-Octets = 11040
  Acct-Input-Packets = 207
  Acct-Output-Packets = 92
  Acct-Terminate-Cause = 0
  Cisco-AVPair = "disc-cause-ext=No Reason"
  Acct-Status-Type = Stop
  NAS-IP-Address = 10.0.0.1
  Acct-Delay-Time = 0
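Records like these are what turned the “Spoke 1 reconnects every 24 hours” observation on the earlier slide into something an operator could see; the same check can be automated. The following is an added example, not code from the deck or from Cisco: it parses accounting records in the attribute = value form shown above, pairs Start and Stop on Acct-Session-Id, keys sessions on the IKE identity (the isakmp-phase1-id AV pair), sums octets, and flags peers whose sessions keep ending after a near-constant period. SAMPLE is constructed test data in the slide's format, not a real server log, and the 24 h / 15 min thresholds are assumptions to tune.

```python
"""Added example, not code from the Cisco deck: parse RADIUS accounting
records in the 'Attribute = value' form shown above, pair Start/Stop records
on Acct-Session-Id, and flag peers that cycle their session on a fixed
period. SAMPLE is constructed test data, not a real accounting log."""
from collections import defaultdict

SAMPLE = """\
Acct-Session-Id = "00000010"
Cisco-AVPair = "isakmp-phase1-id=spoke1.cisco.com"
Cisco-AVPair = "isakmp-initator-ip=172.16.1.1"
Acct-Status-Type = Start

Acct-Session-Id = "00000010"
Cisco-AVPair = "isakmp-phase1-id=spoke1.cisco.com"
Acct-Status-Type = Stop
Acct-Session-Time = 86280
Acct-Input-Octets = 216400000
Acct-Output-Octets = 398800000

Acct-Session-Id = "00000011"
Cisco-AVPair = "isakmp-phase1-id=spoke1.cisco.com"
Acct-Status-Type = Stop
Acct-Session-Time = 86220
Acct-Input-Octets = 231100000
Acct-Output-Octets = 401200000

Acct-Session-Id = "00000012"
Cisco-AVPair = "isakmp-phase1-id=spoke1.cisco.com"
Acct-Status-Type = Stop
Acct-Session-Time = 86340
Acct-Input-Octets = 200700000
Acct-Output-Octets = 442700000

Acct-Session-Id = "00000005"
Cisco-AVPair = "isakmp-phase1-id=spoke2.cisco.com"
Acct-Status-Type = Stop
Acct-Session-Time = 7084800

Acct-Session-Id = "00000013"
Cisco-AVPair = "isakmp-phase1-id=spoke2.cisco.com"
Acct-Status-Type = Start

Acct-Session-Id = "0000001B"
Cisco-AVPair = "isakmp-phase1-id=acvpn"
User-Name = "joe@cisco"
Acct-Status-Type = Stop
Acct-Session-Time = 104
Acct-Input-Octets = 13906
Acct-Output-Octets = 11040
"""


def parse_records(text):
    """One record per blank-line-separated block; Cisco-AVPair may repeat."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {"Cisco-AVPair": {}}
        for line in block.splitlines():
            key, _, val = line.partition(" = ")
            val = val.strip().strip('"')
            if key == "Cisco-AVPair":
                k, _, v = val.partition("=")
                rec["Cisco-AVPair"][k] = v
            else:
                rec[key.strip()] = val
        records.append(rec)
    return records


def sessions_by_peer(records):
    """Pair Start/Stop on Acct-Session-Id and group by IKE identity
    (isakmp-phase1-id). A Start with no Stop is still active."""
    by_id = {}
    for r in records:
        s = by_id.setdefault(r["Acct-Session-Id"], {
            "id": r["Acct-Session-Id"], "active": True, "duration": None, "in": 0, "out": 0,
            "peer": r["Cisco-AVPair"].get("isakmp-phase1-id", r.get("User-Name"))})
        if r["Acct-Status-Type"] == "Stop":
            s["active"] = False
            s["duration"] = int(r.get("Acct-Session-Time", 0))
            s["in"] = int(r.get("Acct-Input-Octets", 0))
            s["out"] = int(r.get("Acct-Output-Octets", 0))
    peers = defaultdict(list)
    for s in by_id.values():                 # dict order == order seen on the wire
        peers[s["peer"]].append(s)
    return peers


def periodic_reconnects(peers, period=86400, tolerance=900, min_sessions=3):
    """Peers with at least min_sessions consecutive completed sessions whose
    duration is within tolerance of period: something is tearing the session
    down on a schedule, worth correlating with SA lifetimes, DPD and spoke logs."""
    flagged = []
    for peer, sessions in peers.items():
        run = 0
        for s in sessions:
            if s["duration"] is not None and abs(s["duration"] - period) <= tolerance:
                run += 1
                if run >= min_sessions:
                    flagged.append(peer)
                    break
            else:
                run = 0
    return sorted(flagged)


def total_octets(sessions):
    """(bytes in, bytes out) over completed sessions."""
    done = [s for s in sessions if not s["active"]]
    return sum(s["in"] for s in done), sum(s["out"] for s in done)


if __name__ == "__main__":
    peers = sessions_by_peer(parse_records(SAMPLE))
    print("periodic reconnects:", periodic_reconnects(peers))
    for peer, sessions in peers.items():
        print(peer, len(sessions), "sessions", total_octets(sessions))
```

The 104-second “joe@cisco” session is the kind of event SNMP polling never sees and accounting always does; the periodic-reconnect check is deliberately conservative (three consecutive hits) so that a single reload does not raise an alert.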
Demo – AAA CoA Magic !
Tom the Pundit
A Simplistic Configuration
RADIUS-based Authentication, Authorisation and Accounting

aaa group server radius ISE
 server-private 192.168.104.101 key CISCO
!
aaa authentication login ISE group ISE
aaa authorization network ISE group ISE
aaa accounting network ISE start-stop group ISE
!
aaa server radius dynamic-author
 client 192.168.104.101 server-key CISCO
 auth-type all
!
crypto ikev2 profile default
 match identity remote any
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint TRUSTPOINT
 ! EAP authentication
 aaa authentication eap ISE
 ! authorisation
 aaa authorization user eap cached
 ! accounting (optional but recommended)
 aaa accounting eap ISE
 virtual-template 1

“match identity remote any” is acceptable here only because every peer must still pass EAP against ISE; the dynamic-author client statement should list exactly the CoA-capable servers, since anyone who can reach UDP 1700 on the hub with that server key can disconnect or re-authorise sessions.
How CoA Works
Session is set up – the Virtual-Access interface is populated.
FlexVPN server (192.168.100.1) to AAA server (192.168.100.254):
  ACCESS-Request (Audit-Session-Id, username, password), possibly more round trips if EAP
  ACCESS-Accept (profile) back to the server
The Audit-Session-Id is a Cisco AV pair generated by IOS that uniquely identifies each client session.
Resulting Virtual-Access configuration:
  ip access-list 100 in
  service-policy Silver out
  …
Accounting
Session is set up – accounting starts.
  ACCT (Audit-Session-Id, START, params…) to the AAA server
  ACCT (Audit-Session-Id, ACK) back
The unique Audit-Session-Id generated by IOS ties the accounting records to the session; the Virtual-Access interface still carries “ip access-list 100 in”, “service-policy Silver out”, …
CoA – Packet of Disconnect
Remote clearing of a session. Accounting tells the administrator whether it is worth sending (session status).
  AAA server to FlexVPN server: CoA Disconnect-Request (Audit-Session-Id)
  FlexVPN server to AAA server: Disconnect-Request ACK (Audit-Session-Id)
Session is terminated.
CoA – Change of Authorisation
The Real Thing™
  AAA server to FlexVPN server: CoA-Request (Audit-Session-Id, new profile)
  FlexVPN server to AAA server: CoA-Request ACK (Audit-Session-Id)
Session is updated in place on the Virtual-Access interface:
  before: ip access-list 100 in / service-policy Silver out / …
  after:  ip access-list 100 in / service-policy Gold out (or Slow out) / …
Shortcut Switching With IKEv2 Routing
FlexVPN Mesh Network Diagram with Hub Resiliency
[Diagram: two hubs on LAN 192.168.100.0/24 (Hub 1 = .1, WAN 172.16.0.1; Hub 2 = .2, WAN 172.16.0.2) and an AAA server at .254. Each hub terminates the spokes' static tunnel interfaces on Virtual-Access interfaces; spokes build a static tunnel to each hub.]
Hub and Spoke Bootstrap – Config Exchange
Spoke 1 interfaces: Ethernet0/0 172.16.1.1, Ethernet0/1 192.168.1.1 (LAN 192.168.1.0/24), Tunnel0 10.0.0.1
Hub 1 interfaces:   Ethernet0/0 172.16.0.1, Ethernet0/1 192.168.100.1 (LAN 192.168.100.0/24), Loopback0 10.0.0.254/32, Virtual-Access1 10.0.0.254/32

Spoke to Hub:  SA proposal (AES-256, SHA-1, DH 5), KEi, Ni
Hub to Spoke:  SA proposal (AES-256, SHA-1, DH 5), KEr, Nr
Spoke to Hub:  IDi=Spoke1.cisco.com, AUTH, TSi, TSr, CFG_REQUEST(IP4_SUBNET…)
Hub to Spoke:  IDr, CERT, AUTH, TSi, TSr, CFG_REPLY(IP4_SUBNET=10.0.0.254/32, 192.168.0.0/16; IP4_ADDRESS=10.0.0.1)
               – IP4_ADDRESS is the spoke's assigned tunnel address (optional)
               – 192.168.0.0/16 is a supernet covering all spoke LAN prefixes
Spoke to Hub:  CFG_SET(IP4_SUBNET=10.0.0.1/32, 192.168.1.0/24)
Hub to Spoke:  CFG_ACK()

Spoke 1 routing table afterwards:
  172.16.0.1/32      via 172.16.1.254 (Ethernet0/0)
  192.168.1.0/24     Ethernet0/1
  10.0.0.254/32      Tunnel0
  192.168.0.0/16     Tunnel0
Hub 1 routing table afterwards:
  0.0.0.0/0          via 172.16.0.254 (Ethernet0/0)
  192.168.100.0/24   Ethernet0/1
  10.0.0.1/32        Virtual-Access1
  192.168.1.0/24     Virtual-Access1
FlexVPN Hub and Spoke – IKE Route Exchange
Topology used on this and the next three slides:
  Hub 1    – LAN 192.168.100.1, WAN 172.16.0.1, overlay (Loopback0) 10.0.0.254; Tunnel100 to Hub 2
  Hub 2    – LAN 192.168.100.2, WAN 172.16.0.2, overlay (Loopback0) 10.0.0.253; Tunnel100 to Hub 1
  Spoke 1  – LAN 192.168.1.0/24, WAN 172.16.1.1, overlay 10.0.0.1; Tunnel0 to Hub 1
  Spoke 2  – LAN 192.168.2.0/24, WAN 172.16.2.1, overlay 10.0.0.2; Tunnel1 to Hub 2

After the IKEv2 route exchange (NHRP tables still empty on all four devices):
Hub 1 routing table                      Hub 2 routing table
  C 10.0.0.254        Loopback0            C 10.0.0.253        Loopback0
  C 192.168.100.0/24  Eth0                 C 192.168.100.0/24  Eth0
  S 192.168.0.0/16    Tunnel100            S 192.168.0.0/16    Tunnel100
  S 10.0.0.0/8        Tunnel100            S 10.0.0.0/8        Tunnel100
  S 10.0.0.1          V-Access1            S 10.0.0.2          V-Access1
  S 192.168.1.0/24    V-Access1            S 192.168.2.0/24    V-Access1

Spoke 1 routing table                    Spoke 2 routing table
  C 192.168.1.0/24    Eth0                 C 192.168.2.0/24    Eth0
  C 10.0.0.1          Tunnel0              C 10.0.0.2          Tunnel1
  S 0.0.0.0/0         Dialer0              S 0.0.0.0/0         Dialer0
  S 10.0.0.254/32     Tunnel0              S 10.0.0.253/32     Tunnel1
  S 192.168.0.0/16    Tunnel0              S 192.168.0.0/16    Tunnel1

FlexVPN Mesh – Indirection
Spoke 1 to Spoke 2 traffic follows 192.168.0.0/16 via Tunnel0 to Hub 1, across Tunnel100 to Hub 2, then out V-Access1 to Spoke 2. Hub 1 forwards the packet, but because it enters and leaves interfaces in the same NHRP network-id with “ip nhrp redirect”, the hub also tells Spoke 1: “there is a better path directly to the spoke” (NHRP redirect).

FlexVPN Mesh – Resolution
Spoke 1 sends an NHRP Resolution Request for 192.168.2.2, which travels the hub path to Spoke 2. Spoke 2 brings up a direct IKEv2/IPsec session to Spoke 1's WAN address (a Virtual-Access interface cloned from its Virtual-Template) and sends the Resolution Reply for 192.168.2.0/24, the whole prefix rather than the single host, over it.

FlexVPN Mesh – Shortcut Forwarding
Spoke 1 NHRP table                       Spoke 2 NHRP table
  10.0.0.2/32         172.16.2.1           10.0.0.1/32         172.16.1.1
  192.168.2.0/24      172.16.2.1
Spoke 1 routing table gains              Spoke 2 routing table gains
  H/S 10.0.0.2/32     V-Access1            H/S 10.0.0.1/32     V-Access1
  H/S 192.168.2.0/24  V-Access1
(H = NHRP-installed shortcut route; the hubs' tables are unchanged.)
Spoke 1 to Spoke 2 traffic now leaves through the direct Virtual-Access tunnel; the hub path remains as the fallback covered by 192.168.0.0/16.
FlexVPN Mesh (IKEv2 Routing) Hub 1 Configuration Accept connections from Spokes
crypto ikev2 profile default match identity remote fqdn domain cisco.com identity local fqdn Hub1.cisco.com authentication remote rsa-sig Local or AAA spoke profiles supported. Can even control authentication local rsa-sig QoS, ZBF, NHRP redirect, pki trustpoint TP network-id, … dpd 10 2 on-demand aaa authorization group cert list default default virtual-template 1 ! crypto ikev2 authorization policy default route set remote 10.0.0.0 255.0.0.0 route set remote 192.168.0.0 255.255.0.0
These prefixes can also be set by RADIUS
BRKSEC-3013
Defines which prefixes should be protected
© 2015 Cisco and/or its affiliates. All rights reserved.
Cisco Public
48
Static per-spoke features applied here
interface Virtual-Template1 type tunnel ip unnumbered Loopback0 NHRP is the magic ip nhrp network-id 1 All V-Access will be in the ip nhrp redirect same network-id ip access-group AllowMyBGP in tunnel protection ipsec profile default ! Hub 1 dedicated overlay address interface Loopback0 ip address 10.0.0.254 255.255.255.255 ! Inter-Hub link interface Tunnel100 (not encrypted) ip unnumbered Loopback0 ip nhrp network-id 1 Same NHRP networkid on v-access and ip nhrp redirect inter-hub link tunnel source Ethernet0/1 tunnel destination 192.168.100.2
FlexVPN Mesh (IKEv2 Routing) – Hub 2 Configuration

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set remote 10.0.0.0 255.0.0.0
 route set remote 192.168.0.0 255.255.0.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 ip access-group AllowMyBGP in
 tunnel protection ipsec profile default
!
interface Loopback0
 ip address 10.0.0.253 255.255.255.255
!
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.1

Callouts:
identity local fqdn Hub2.cisco.com: dedicated identity (optional).
interface Loopback0: dedicated overlay address. Hub 2 uses its own overlay address (10.0.0.253) and points the inter-hub link at Hub 1 (192.168.100.1), as in the diagrams; the slide repeated Hub 1's values here.
FlexVPN Mesh (IKEv2 Routing) – Spoke Configuration (QoS everywhere!)

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set interface
 route set interface e0/0
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.2
 tunnel protection ipsec profile default
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default

Callouts:
aaa authorization group cert list default default: needed for the tunnel address exchange.
interface Tunnel0: tunnel to Hub 1. interface Tunnel1: tunnel to Hub 2. QoS can be applied on these interfaces.
interface Virtual-Template1: template to clone for the spoke-to-spoke tunnels.
Shortcut Switching With a Routing Protocol (BGP)

FlexVPN Mesh with BGP Routing (diagram: routing tables before any shortcut is built; all NHRP tables are empty)
Hub 1 (physical 172.16.0.1, tunnel 10.0.0.254; .1 on 192.168.100.0/24) routing table: C 10.0.0.254 Loopback0; C 192.168.100.0/24 Eth0; S 192.168.0.0/16 Tunnel100; S 10.0.0.0/8 Tunnel100; S 10.0.0.1 V-Access1; B 192.168.1.0/24 via 10.0.0.1
Hub 2 (physical 172.16.0.2, tunnel 10.0.0.253; .2 on 192.168.100.0/24) routing table: C 10.0.0.253 Loopback0; C 192.168.100.0/24 Eth0; S 192.168.0.0/16 Tunnel100; S 10.0.0.0/8 Tunnel100; S 10.0.0.2 V-Access1; B 192.168.2.0/24 via 10.0.0.2
Spoke 1 (physical 172.16.1.1, tunnel 10.0.0.1, LAN 192.168.1.0/24) routing table: C 192.168.1.0/24 Eth0; C 10.0.0.1 Tunnel0; S 0.0.0.0/0 Dialer0; S 10.0.0.254/32 Tunnel0; B 192.168.0.0/16 via 10.0.0.254
Spoke 2 (physical 172.16.2.1, tunnel 10.0.0.2, LAN 192.168.2.0/24) routing table: C 192.168.2.0/24 Eth0; C 10.0.0.2 Tunnel1; S 0.0.0.0/0 Dialer0; S 10.0.0.253/32 Tunnel1; B 192.168.0.0/16 via 10.0.0.253
The two hubs are linked over Tunnel100; the spokes learn only the 192.168.0.0/16 summary from the hubs via BGP.
FlexVPN Mesh (BGP) – Hub 1 Configuration

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
interface Loopback0
 ip address 10.0.0.254 255.255.255.255
!
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2
!
ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 address-family ipv4
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex timers 5 15
  neighbor Flex next-hop-self all
  redistribute static route-map rm
 exit-address-family
!
route-map rm permit 10
 match tag 2

Callouts:
match identity remote fqdn domain cisco.com: accept connections from the spokes.
aaa authorization group cert list default default: local or AAA spoke profiles are supported; they can even control QoS, NHRP redirect, network-id, …
interface Virtual-Template1: static per-peer configuration goes here. NHRP is the magic: all Virtual-Access interfaces will be in the same network-id.
interface Loopback0: Hub 1 dedicated overlay address.
interface Tunnel100: inter-hub link (not encrypted); same NHRP network-id on the Virtual-Access interfaces and on the inter-hub link.
bgp listen range 10.0.0.0/24 peer-group Flex: dynamically accept spoke BGP peering!
route-map rm: filters which static routes are redistributed into BGP.
FlexVPN Mesh (BGP) – Hub 2 Configuration (almost the same as Hub 1 again!)

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 address-family ipv4
  redistribute static route-map rm
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex timers 5 15
  neighbor Flex next-hop-self all
 exit-address-family
!
route-map rm permit 10
 match tag 2
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
interface Loopback0
 ip address 10.0.0.253 255.255.255.255
!
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.1

Callouts:
identity local fqdn Hub2.cisco.com: dedicated identity (optional).
interface Loopback0: dedicated overlay address.
FlexVPN Mesh (BGP) – Spoke Configuration (QoS everywhere!)

crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.2
 tunnel protection ipsec profile default
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.0.0.253 remote-as 1
 neighbor 10.0.0.253 timers 5 15
 neighbor 10.0.0.254 remote-as 1
 neighbor 10.0.0.254 timers 5 15
 !
 address-family ipv4
  network 192.168.2.0
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
  maximum-paths ibgp 2
 exit-address-family
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default

Callouts:
aaa authorization group cert list default default: needed for the tunnel address exchange.
interface Tunnel0: tunnel to Hub 1. interface Tunnel1: tunnel to Hub 2. QoS can be applied on these interfaces.
interface Virtual-Template1: template to clone for the spoke-to-spoke tunnels.
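The redirect-and-shortcut behaviour that both the IKEv2-routing and the BGP variants above rely on, as an added Python model that is not part of the deck and not IOS code: a hub running 'ip nhrp redirect' and a spoke running 'ip nhrp shortcut virtual-template 1', with the routing tables and addresses taken from the slides. The forwarding logic is a constructed simplification of the NHRP redirect/resolution exchange, the destination host 192.168.2.10 is made up, and the second run shows what happens when the inter-hub Tunnel100 is left without the NHRP network-id.

```python
"""Model of FlexVPN shortcut switching ('ip nhrp redirect' on the hub, 'ip nhrp shortcut
virtual-template 1' on the spoke). Added example for this page, not IOS code: addresses
and interfaces follow the slide topology, the forwarding logic is a constructed
simplification of the NHRP redirect/resolution exchange."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    prefix: str       # e.g. "192.168.2.0/24"
    interface: str    # outgoing interface
    kind: str         # C connected, S static, H/S NHRP shortcut


@dataclass
class Router:
    name: str
    tunnel_addr: str
    lan: str = ""                                   # prefix behind the spoke ("" for hubs)
    routes: list = field(default_factory=list)
    nhrp_id: dict = field(default_factory=dict)     # interface -> 'ip nhrp network-id'
    vaccess_count: int = 0

    def lookup(self, dst):
        """Longest-prefix match over the routing table."""
        best, best_len = None, -1
        for r in self.routes:
            net = ip_network(r.prefix, strict=False)
            if ip_address(dst) in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best

    def clone_virtual_access(self):
        """Spoke-to-spoke tunnel cloned from Virtual-Template1; it inherits the template's
        NHRP network-id, which is why the template must carry the same id as the hub tunnel."""
        self.vaccess_count += 1
        name = f"Virtual-Access{self.vaccess_count}"
        self.nhrp_id[name] = self.nhrp_id["Virtual-Template1"]
        return name


def hub_forward(hub, ingress_if, dst):
    """Hub data plane: returns (egress interface, redirect sent). 'ip nhrp redirect' fires
    only when ingress and egress interfaces carry the same NHRP network-id."""
    egress = hub.lookup(dst).interface
    in_id, out_id = hub.nhrp_id.get(ingress_if), hub.nhrp_id.get(egress)
    return egress, (in_id is not None and in_id == out_id)


def spoke_send(spoke, hub, ingress_at_hub, dst, all_spokes):
    """Spoke sends a packet to dst and returns the hops it took. On an NHRP redirect the
    spoke resolves dst (the owning spoke answers with its tunnel address and prefix) and
    installs H/S routes over a freshly cloned Virtual-Access, as on the slide's tables."""
    route = spoke.lookup(dst)
    if route.kind == "H/S":
        return [f"{spoke.name}:{route.interface}"]            # shortcut already in place
    egress, redirected = hub_forward(hub, ingress_at_hub, dst)
    hops = [f"{spoke.name}:{route.interface}", f"{hub.name}:{egress}"]
    if redirected:
        owner = next(s for s in all_spokes if s.lan and ip_address(dst) in ip_network(s.lan))
        va = spoke.clone_virtual_access()
        spoke.routes.append(Route(f"{owner.tunnel_addr}/32", va, "H/S"))
        spoke.routes.append(Route(owner.lan, va, "H/S"))
    return hops


def build_topology(inter_hub_nhrp=True):
    """Hub 1 and Spoke 1 routing tables as drawn on the slide. inter_hub_nhrp=False drops
    'ip nhrp network-id 1' from Tunnel100 to show why the slide insists on it."""
    hub1 = Router("Hub1", "10.0.0.254", routes=[
        Route("10.0.0.254/32", "Loopback0", "C"), Route("192.168.100.0/24", "Eth0", "C"),
        Route("192.168.0.0/16", "Tunnel100", "S"), Route("10.0.0.0/8", "Tunnel100", "S"),
        Route("10.0.0.1/32", "Virtual-Access1", "S"), Route("192.168.1.0/24", "Virtual-Access1", "S")],
        nhrp_id={"Virtual-Access1": 1, "Tunnel100": 1 if inter_hub_nhrp else None})
    spoke1 = Router("Spoke1", "10.0.0.1", "192.168.1.0/24", routes=[
        Route("192.168.1.0/24", "Eth0", "C"), Route("10.0.0.1/32", "Tunnel0", "C"),
        Route("0.0.0.0/0", "Dialer0", "S"), Route("10.0.0.254/32", "Tunnel0", "S"),
        Route("192.168.0.0/16", "Tunnel0", "S")], nhrp_id={"Tunnel0": 1, "Virtual-Template1": 1})
    spoke2 = Router("Spoke2", "10.0.0.2", "192.168.2.0/24",
                    nhrp_id={"Tunnel1": 1, "Virtual-Template1": 1})
    return hub1, spoke1, spoke2


def demo(inter_hub_nhrp=True):
    """Two packets from Spoke 1's LAN to a host behind Spoke 2 (192.168.2.10, constructed)."""
    hub1, spoke1, spoke2 = build_topology(inter_hub_nhrp)
    first = spoke_send(spoke1, hub1, "Virtual-Access1", "192.168.2.10", [spoke1, spoke2])
    second = spoke_send(spoke1, hub1, "Virtual-Access1", "192.168.2.10", [spoke1, spoke2])
    shortcuts = [(r.kind, r.prefix, r.interface) for r in spoke1.routes if r.kind == "H/S"]
    return first, second, shortcuts


if __name__ == "__main__":
    print(demo())
    print(demo(inter_hub_nhrp=False))
```

With the network-id present, the first packet hairpins through the hub and triggers the redirect, the second one leaves Spoke 1 directly over the cloned Virtual-Access; without it, every packet keeps crossing the hub.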
Provisioning Per-Peer Features – Central and Distributed Models
Per-session features: ACL, VRF, ZBFW, QoS. Some spokes have high bandwidth, some have low bandwidth; some spokes belong to VRF Red, some to VRF Blue.
Option #1: features on different Virtual-Templates
Option #2: local AAA profiles on the router
Option #3: centralized policy enforcement on RADIUS
(Diagram: hub at 172.16.0.1, .254 on the 192.168.100.0/24 LAN, with spokes of different bandwidth and VRF membership.)
VRF Injection (diagram)
The hub injects spoke traffic into a chosen VRF: the hub private interface(s) are in an Inside VRF (iVRF) and the Virtual-Access interface is placed in that iVRF; the WAN sits in the global routing table or in a Front VRF. A VRF on the spokes is optional (not in this example). Hubs at 172.16.1.254 and 172.16.1.253 on the WAN side, .1 and .2 on the 192.168.100.0/24 LANs behind them.
Inside-VRF and Front-VRF (layer diagram)
Layer 5+: AAA, IKE, BGP. Layers 4 to 2: the Virtual-Access interface (tunnel) created by IKEv2.
Applied by IKEv2 on the Virtual-Access: vrf forwarding Red, tunnel vrf Blue. The remote protected prefix is added to the iVRF table.
Inside VRF, aka iVRF: VRF Red, VRF Blue. Front Door VRF, aka fVRF: VRF Green. Global routing table alongside them.
Packet path: input features on the Virtual-Access, tunnel encapsulation, output features, post-encapsulation tunnel protection (encrypt), then output features on the fVRF-facing WAN interface.
QoS in a Nutshell – Hierarchical Shaper
Each hub Virtual-Access needs its own policy. The parent shaper limits the total bandwidth; the child policy provides bandwidth reservation, priority queuing and fair queuing.
QoS Policy Map(s) Based on Spoke Bandwidth

class-map Control
 match ip precedence 6
class-map Voice
 match ip precedence 5
!
policy-map SubPolicy
 class Control
  bandwidth 20
 class Voice
  priority percent 60
!
policy-map Silver
 class class-default
  shape average 1000000
  service-policy SubPolicy
!
policy-map Gold
 class class-default
  shape average 5000000
  service-policy SubPolicy

Callouts:
bandwidth 20: 20 kbps guaranteed to Control.
priority percent 60: 60% of the bandwidth for Voice.
policy-map Silver: 1 Mbps to each tunnel. policy-map Gold: 5 Mbps to each tunnel.
iVRF + fVRF + QoS + … (layer diagram)
Layer 5+: AAA, IKE, BGP. Layer 4: routes are applied here. Layers 3 and 2: the Virtual-Access interface.
Applied by IKEv2 on the Virtual-Access: vrf forwarding Red, tunnel vrf Blue, service-policy out Gold. Any feature can be applied here: MTU, NAT, NHRP network-id, NHRP redirect, FW zone, QoS, VRF, ACL…
Inside VRFs: VRF Red, VRF Blue. Front VRF: VRF Green. Global routing table alongside them.
VRF Injection – Hub Configuration, Option 1: Mapping with In-IOS configuration (without AAA). Heavy configuration.

crypto ikev2 profile BLUE
 match identity remote fqdn domain blue
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface virtual-template1 type tunnel
 vrf forwarding BLUE
 ip unnumbered loopback1
 service-policy output Gold
 tunnel protection ipsec profile default
!
crypto ikev2 profile RED
 match identity remote fqdn domain red
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 2
!
interface virtual-template2 type tunnel
 vrf forwarding RED
 ip unnumbered loopback2
 service-policy output Gold
 tunnel protection ipsec profile default
!
crypto ikev2 profile GREEN
 match identity remote fqdn domain green
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 3
!
interface virtual-template3 type tunnel
 vrf forwarding GREEN
 ip unnumbered loopback3
 service-policy output Silver
 tunnel protection ipsec profile default

Callouts:
One dedicated IKEv2 profile per VRF; the FQDN domain is the differentiator.
Each Virtual-Template is in its VRF and borrows the address of a loopback in that VRF.
Add NHRP, ACLs, … as needed.
VRF Injection – Hub Configuration, Option 2: Mapping with AAA group-based configuration (group profiles on IOS)

aaa new-model
aaa authorization network default local
!
crypto ikev2 name-mangler dom
 fqdn domain
!
crypto ikev2 profile default
 match identity remote any
 identity local fqdn Hub1.cisco.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default name-mangler dom
 virtual-template 1
!
interface virtual-template1 type tunnel
 tunnel protection ipsec profile default
!
aaa attribute list blue
 attribute type interface-config "vrf forwarding BLUE"
 attribute type interface-config "ip unnumbered loopback1"
 attribute type interface-config "service-policy output Gold"
!
crypto ikev2 authorization policy blue
 aaa attribute list blue
 route set interface
!
aaa attribute list red
 attribute type interface-config "vrf forwarding RED"
 attribute type interface-config "ip unnumbered loopback2"
 attribute type interface-config "service-policy output Silver"
!
crypto ikev2 authorization policy red
 aaa attribute list red
 route set interface
!
aaa attribute list green
 attribute type interface-config "vrf forwarding GREEN"
 attribute type interface-config "ip unnumbered loopback3"
 attribute type interface-config "service-policy output GOLD"
!
crypto ikev2 authorization policy green
 aaa attribute list green
 route set interface

Callouts:
A common IKEv2 profile; the authorization profile name is extracted from the domain part of the peer FQDN by the name-mangler.
A vanilla Virtual-Template: VRF, unnumbered address and QoS policy come from the AAA attribute list of the matching group profile.
VRF Injection – Hub Configuration, Option 3: RADIUS-based profiles (group profiles stored on the RADIUS server)

aaa new-model
aaa authorization network default group RADIUS
aaa group server radius RADIUS
 server-private 192.168.100.2 auth-port 1812 acct-port 1813 key cisco123
!
crypto ikev2 name-mangler dom
 fqdn domain
!
crypto ikev2 profile default
 match identity remote any
 identity local fqdn Hub1.cisco.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 aaa authorization group cert list default name-mangler dom
 virtual-template 1
!
interface virtual-template1 type tunnel
 tunnel protection ipsec profile default

RADIUS group profiles (could also be per-peer profiles, or group plus peer by derivation):

Profile "blue" / password "cisco"
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config=vrf forwarding BLUE
 ip:interface-config=ip unnumbered loopback 1
 ip:interface-config=service-policy output Gold

Profile "red" / password "cisco"
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config=vrf forwarding RED
 ip:interface-config=ip unnumbered loopback 2
 ip:interface-config=service-policy output Silver

Profile "green" / password "cisco"
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config=vrf forwarding GREEN
 ip:interface-config=ip unnumbered loopback 3
 ip:interface-config=service-policy output Gold

Callouts:
A common IKEv2 profile; the profile name is extracted from the domain part of the peer FQDN.
A vanilla Virtual-Template; the per-group attributes are pushed by RADIUS.
VRF Injection – Hub Configuration: BGP and VRF configuration common to both options

ip route vrf BLUE 10.0.0.0 255.0.0.0 Null0
ip route vrf BLUE 192.168.0.0 255.255.0.0 Null0
ip route vrf RED 10.0.0.0 255.0.0.0 Null0
ip route vrf RED 192.168.0.0 255.255.0.0 Null0
ip route vrf GREEN 10.0.0.0 255.0.0.0 Null0
ip route vrf GREEN 192.168.0.0 255.255.0.0 Null0
!
router bgp 1
 bgp listen range 10.1.0.0/16 peer-group BluePeer
 bgp listen range 10.2.0.0/16 peer-group RedPeer
 bgp listen range 10.3.0.0/16 peer-group GreenPeer
 !
 address-family ipv4 vrf BLUE
  redistribute static
  neighbor BluePeer peer-group
  neighbor BluePeer remote-as 1
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute static
  neighbor RedPeer peer-group
  neighbor RedPeer remote-as 1
 exit-address-family
 !
 address-family ipv4 vrf GREEN
  redistribute static
  neighbor GreenPeer peer-group
  neighbor GreenPeer remote-as 1
 exit-address-family
!
vrf definition BLUE
 rd 1:1
 address-family ipv4
 address-family ipv6
!
interface Loopback1
 vrf forwarding BLUE
 ip address 10.0.0.254 255.255.255.255
!
vrf definition RED
 rd 2:2
 address-family ipv4
 address-family ipv6
!
interface Loopback2
 vrf forwarding RED
 ip address 10.0.0.254 255.255.255.255
!
vrf definition GREEN
 rd 3:3
 address-family ipv4
 address-family ipv6
!
interface Loopback3
 vrf forwarding GREEN
 ip address 10.0.0.254 255.255.255.255

Callouts:
Static routes to Null0: attract the summaries and drop non-reachable prefixes.
bgp listen range: BGP dynamic peering. These address ranges cannot currently overlap; follow CSCtw69765. Each VRF has its own control section.
address-family ipv4 vrf: activate the peer group in its corresponding VRF; redistribute static puts the statics above into BGP.
VRF Injection – Spoke Configuration: vanilla IKE and BGP configurations

aaa new-model
aaa authorization network default local
!
crypto ikev2 profile default
 match identity remote fqdn Hub1.cisco.com
 match identity remote fqdn Hub2.cisco.com
 identity local fqdn spoke1.RED
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
!
interface Loopback0
 ip address 10.1.0.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel destination 172.16.4.1
 tunnel protection ipsec profile default
!
router bgp 1
 bgp log-neighbor-changes
 network 192.168.0.0 mask 255.255.0.0
 neighbor Hub peer-group
 neighbor Hub remote-as 1
 neighbor Hub next-hop-self
 neighbor 10.0.0.253 peer-group Hub
 neighbor 10.0.0.254 peer-group Hub
 maximum-paths ibgp 2

Callouts:
A plain, simple IKEv2 profile: the IKEv2 identity (spoke1.RED) defines the group; aaa authorization is only necessary for the config exchange.
interface Tunnel0: tunnel to Hub 1. interface Tunnel1: tunnel to Hub 2.
Basic iBGP configuration; two hubs, so equal-cost load balancing with maximum-paths ibgp 2.
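How the AAA-based VRF injection options (Option 2 and Option 3) turn a peer identity into a per-session configuration, as an added Python model that is not Cisco code: the name-mangler step, the authorization policy lookup, the expansion of the interface-config attributes applied to the Virtual-Access, and the per-VRF BGP listen-range check. Policy contents and listen ranges are the slides' values; the spoke tunnel addresses and the peer identities used in the check are constructed.

```python
"""Model of FlexVPN VRF injection on the hub. Added example for this page, not Cisco
code: the name-mangler, the authorization policies, the attribute lists and the BGP
listen ranges mirror the Option 2/3 slides; the spoke addresses below are constructed."""
from ipaddress import ip_address, ip_network


def name_mangler_dom(peer_fqdn):
    """'crypto ikev2 name-mangler dom' / 'fqdn domain': domain part of the peer FQDN
    identity (case-folded), None if the identity has no domain part."""
    if "." not in peer_fqdn:
        return None
    return peer_fqdn.split(".", 1)[1].lower()


# 'aaa attribute list <name>' (Option 2) or the RADIUS ip:interface-config AV pairs (Option 3)
ATTRIBUTE_LISTS = {
    "blue":  ["vrf forwarding BLUE",  "ip unnumbered loopback1", "service-policy output Gold"],
    "red":   ["vrf forwarding RED",   "ip unnumbered loopback2", "service-policy output Silver"],
    "green": ["vrf forwarding GREEN", "ip unnumbered loopback3", "service-policy output Gold"],
}
# 'crypto ikev2 authorization policy <name>': its attribute list plus 'route set interface'
AUTHORIZATION_POLICIES = {
    name: {"aaa_attribute_list": name, "route_set_interface": True} for name in ATTRIBUTE_LISTS
}
# 'bgp listen range <prefix> peer-group <group>' for each VRF address-family
LISTEN_RANGES = {
    "BLUE": ("10.1.0.0/16", "BluePeer"),
    "RED": ("10.2.0.0/16", "RedPeer"),
    "GREEN": ("10.3.0.0/16", "GreenPeer"),
}


def authorize_peer(peer_fqdn):
    """Group authorization as 'aaa authorization group cert list default name-mangler dom'
    performs it: returns what gets applied to the cloned Virtual-Access, or None when no
    policy exists for the mangled name (the IKEv2 session is then rejected)."""
    group = name_mangler_dom(peer_fqdn)
    policy = AUTHORIZATION_POLICIES.get(group)
    if policy is None:
        return None
    interface_config = list(ATTRIBUTE_LISTS[policy["aaa_attribute_list"]])
    vrf = next(line.split()[-1] for line in interface_config if line.startswith("vrf forwarding"))
    return {"group": group, "vrf": vrf, "interface_config": interface_config,
            "routes_advertised": ["interface"] if policy["route_set_interface"] else []}


def bgp_peer_group(vrf, spoke_tunnel_addr):
    """Dynamic peer group that will accept the spoke's iBGP session inside its VRF; None if
    the spoke's tunnel address falls outside that VRF's listen range (no session forms)."""
    prefix, group = LISTEN_RANGES[vrf]
    return group if ip_address(spoke_tunnel_addr) in ip_network(prefix) else None


def overlapping_listen_ranges():
    """Pairs of VRFs whose listen ranges overlap; the slide notes they must not (CSCtw69765)."""
    vrfs = sorted(LISTEN_RANGES)
    return [(a, b) for i, a in enumerate(vrfs) for b in vrfs[i + 1:]
            if ip_network(LISTEN_RANGES[a][0]).overlaps(ip_network(LISTEN_RANGES[b][0]))]


def admit_spoke(peer_fqdn, spoke_tunnel_addr):
    """End-to-end view for one spoke: IKEv2 authorization, then whether BGP will peer."""
    session = authorize_peer(peer_fqdn)
    if session is None:
        return {"ikev2": "rejected",
                "reason": f"no authorization policy for group {name_mangler_dom(peer_fqdn)!r}"}
    session["ikev2"] = "accepted"
    session["bgp_peer_group"] = bgp_peer_group(session["vrf"], spoke_tunnel_addr)
    return session


if __name__ == "__main__":
    print(admit_spoke("spoke1.RED", "10.2.0.2"))        # constructed spoke inside RED's range
    print(admit_spoke("spoke9.RED", "10.1.0.9"))        # right VRF, wrong listen range
    print(admit_spoke("rogue.cisco.com", "10.2.0.3"))   # no policy for that domain
    print(overlapping_listen_ranges())
```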
Case Study: Multi-tenant Hybrid Access
Use Case: Mixed Client and Branch Access
Requirements:
– RADIUS/EAP server (in a management VRF)
– A single router for software clients and remote branches (spokes)
– Spoke-to-spoke tunnels enabled on a per-branch basis
– VRF and QoS enforced per user and per branch
– Branches use IKE certificates, clients use EAP (password or TLS certificates)
Proposed solution:
– Multiple VRFs behind the FlexVPN hub
– A single IKEv2 profile and Virtual-Template
– Differentiated AAA authorisation depending on the authentication method
(Diagram: IPsec tunnels over the Internet to the FlexVPN hub from Bob (VRF blue, QoS Silver), Joe (VRF blue, QoS Bronze), Tom (VRF green, QoS Gold), Branch A (VRF red, QoS Gold) and Branch B (VRF red, QoS Silver), with a shortcut tunnel between the branches.)
FlexVPN Server Configuration
– RADIUS-based EAP authentication and AAA authorisation
– Match on the FQDN domain for branches
– Match statements for clients (depending on the allowed client types)
– Allow peers to authenticate using either EAP or certificates
– User authorisation using the attributes returned during EAP authentication
– Branch authorisation using RADIUS
– Automatic detection of the tunnel mode (1): pure IPsec tunnel mode for clients, GRE/IPsec for branches/spokes

aaa new-model
aaa authentication login my-rad group my-rad
aaa authorization network my-rad group my-rad
!
crypto ikev2 profile default
 match identity remote fqdn domain example.com
 match identity remote {key-id | email | address} ...
 identity local dn
 authentication remote rsa-sig
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint my-ca
 aaa authentication eap my-rad
 aaa authorization user eap cached
 aaa authorization user cert list my-rad
 virtual-template 1 mode auto
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel protection ipsec profile default

Callout: with mode auto there is no need to specify the tunnel mode on the Virtual-Template.
(1) Starting with IOS-XE 3.12S.
RADIUS Server Configuration
Clients can perform password-based or TLS-based EAP authentication (TLS: the RADIUS account is the certificate CN or UPN). User attributes are returned by RADIUS with a successful EAP authentication:

joe cleartext-password=c1sc0!
 ipsec:addr-pool=blue
 ip:interface-config=vrf forwarding blue
 ip:interface-config=ip unnumbered Loopback1
 ip:interface-config=service-policy output Bronze
 ip:interface-config=...

Branch router attributes are returned by RADIUS during the AAA authorisation step. Adding or removing the NHRP attributes enables or disables spoke-to-spoke tunnels per branch. Prefixes are exchanged via IKEv2 routing; the branch prefix(es) are controlled by the branch:

branchA.example.com
 ip:interface-config=vrf forwarding red
 ip:interface-config=ip unnumbered Loopback3
 ip:interface-config=service-policy output Gold
 ip:interface-config=ip nhrp network-id 3
 ip:interface-config=ip nhrp redirect
 ipsec:route-set=prefix 192.168.0.0 255.255.0.0
 ipsec:route-accept=any

Branch prefix and QoS controlled by the AAA server (the prefix is installed as a local static route):

branchB.example.com
 ip:interface-config=vrf forwarding green
 ip:interface-config=ip unnumbered Loopback2
 ip:interface-config=service-policy output Silver
 ipsec:route-set=prefix 192.168.0.0 255.255.0.0
 ipsec:route-set=local 192.168.1.0 255.255.255.0
FlexVPN High Availability

FlexVPN Backup Mechanisms
Tunnel origin/destination:
– Routing based: dynamic routing (BGP, EIGRP, OSPF, RIP…) or IKEv2 routing
– Tunnel peer selection: backup peer list (static or downloadable), peer state tracking, peer re-activation, backup groups, load-balancing
– Tunnel source selection: tunnel pivoting
FlexVPN Backup – IKE Backup Peers (1)
(Diagram: two hubs, 172.16.0.1 and 172.16.0.2, .1 and .2 on the 192.168.100.0/24 LAN.) Tunnels are set up to a primary hub.

FlexVPN Backup – IKE Backup Peers (2)
Hub 1 fails: new tunnels are set up to a backup hub. This also works with a routing protocol.
FlexVPN Backup – IKE Backup Peers (3): Spoke Configuration

aaa authorization network default local
!
crypto ikev2 profile default
 match certificate HUBMAP
 identity local fqdn Spoke1.cisco.com
 authentication remote rsa-sig
 authentication local pre-share
 keyring local
 pki trustpoint CA
 aaa authorization group cert list default default
 dpd 30 2 on-demand
!
crypto ikev2 authorization policy default
 route set interface
 route set access-list 99
!
crypto ikev2 client flexvpn default
 client connect Tunnel0
 peer 1 172.16.1.254
 peer 2 172.16.1.253
!
interface Tunnel0
 ip address negotiated
 tunnel source FastEthernet0/0
 tunnel destination dynamic
 tunnel protection ipsec profile default

Callouts:
dpd 30 2 on-demand: detects the hub failure.
peer 1: to the primary hub. peer 2: to the secondary hub.
tunnel destination dynamic: the destination is managed by FlexVPN.
Powerful peer syntax: peer <sequence> <address | fqdn> [track <object>]; the Nth entry is selected only if its corresponding track object is up.
RADIUS backup list attribute ipsec:ipsec-backup-gateway: up to 10 backup gateways pushed by config-exchange.
FlexVPN Backup Mechanisms – Backup Peer List
• No explicit destination is configured on the tunnel interface: 'tunnel destination dynamic'
• The peer to connect to is derived from a list at tunnel establishment time
• The peer list can be fully static or partially downloadable
– A downloadable list requires at least one static peer to retrieve the list from
• Peers are assigned a sequence number (explicit or implicit) which determines their priority
– The lowest sequence number is the most preferred
• Selection of the 'active' peer in case of failure relies on the waterfall model
– Use the peers in turn until the bottom of the list is reached, then start again from the top
• Dead Peer Detection (DPD) is required for proper operation
FlexVPN Backup – Downloadable Backup Peer List
Static peer list (locally configured): Seq 10: Peer 1; Seq 20: Peer 2; Seq 30: Peer 3
Downloadable peer list (received from Peer 2): Seq 10: Peer 2.1; Seq 20: Peer 2.2
1. Peer 1 is selected initially (sequence number based).
2. If Peer 1 fails, Peer 2 is selected (sequence number based).
3. Upon connection to Peer 2, a downloadable peer list is received.
4. Upon failure of Peer 2, Peer 2.1 and then Peer 2.2 are selected (part of the downloadable peer list). Downloadable list peers are used until the last downloadable list peer fails.
5. Upon successful connection to the next peer in the static list (Peer 3), the downloadable list is deleted.
FlexVPN Backup – Re-activation of Primary Peer
Allows re-establishing the tunnel directly to the preferred peer as soon as it is available again. Trackers are required for this feature.
(Diagram: client with IPsec tunnels to 10.0.0.1, 10.0.0.2 and 10.0.0.3; tracker state (up/down) driven by ICMP-echo IP SLA probes to each hub.)

track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 ip sla 3 reachability
!
crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1 track 1
 peer 2 10.0.0.2 track 2
 peer 3 10.0.0.3 track 3
 peer reactivate
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 …
 tunnel destination dynamic
 …
FlexVPN Backup – Backup Groups
• Guarantees that a peer belonging to different peer lists in the same backup group is never active in multiple peer lists at a given time
(Diagram: client with Tu0 via Service Provider 1 and Tu1 via Service Provider 2 to Hub 1 10.0.0.1, Hub 2 10.0.0.2 and Hub 3 10.0.0.3.)

crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1
 peer 2 10.0.0.2
 peer 3 10.0.0.3
 backup group 1
 client connect Tunnel0
!
crypto ikev2 client flexvpn remote2
 peer 1 10.0.0.1
 peer 2 10.0.0.2
 peer 3 10.0.0.3
 backup group 1
 client connect Tunnel1
!
interface Tunnel0
 ip address negotiated
 …
 tunnel destination dynamic
 …
!
interface Tunnel1
 ip address negotiated
 …
 tunnel destination dynamic
 …

Callout: in remote2, 10.0.0.1 cannot be used because it is already active in remote1, a peer list from the same backup group.
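The peer selection behaviour described on the last four slides (sequence order, downloadable list, waterfall, trackers with 'peer reactivate', backup groups), as an added Python model that is not IOS code. The Network class is a constructed stand-in for the hubs (which peers answer IKE, tracker state, the backup list a hub pushes through config-exchange); the peer addresses are the slides' 10.0.0.1 to 10.0.0.3, and 10.0.0.21/.22 are constructed stand-ins for "Peer 2.1" and "Peer 2.2".

```python
"""Model of the FlexVPN client backup peer list. Added example for this page, not IOS
code: Network is a constructed stand-in for the hubs; 10.0.0.21/.22 stand in for the
slide's 'Peer 2.1' and 'Peer 2.2'."""
from collections import namedtuple

# One 'peer <seq> <address> [track <n>]' line; the lowest sequence is the most preferred.
Peer = namedtuple("Peer", "seq addr track", defaults=(None,))


class Network:
    def __init__(self, up, tracks=None, backup_lists=None):
        self.up = set(up)                       # peers currently answering IKE
        self.tracks = tracks or {}              # track object -> address probed by IP SLA
        self.backup_lists = backup_lists or {}  # peer -> [(seq, addr)] it pushes (ipsec:ipsec-backup-gateway)

    def ike_up(self, addr):
        return addr in self.up

    def track_up(self, n):
        return self.tracks[n] in self.up

    def backup_list(self, addr):
        return [Peer(s, a) for s, a in self.backup_lists.get(addr, [])]


class FlexVpnClient:
    """'crypto ikev2 client flexvpn <name>' with static peers, optional 'backup group'
    and optional 'peer reactivate'."""
    def __init__(self, name, peers, backup_group=None, reactivate=False):
        self.name, self.backup_group, self.reactivate = name, backup_group, reactivate
        self.static = sorted(peers, key=lambda p: p.seq)
        self.downloaded = []      # downloadable list, used until its last peer fails
        self.active = None        # address the tunnel is currently up to
        self.cursor = 0           # index of the static peer we last connected through

    def _usable(self, peer, net, group_active):
        if peer.track is not None and not net.track_up(peer.track):
            return False          # tracker down: never try this peer
        if peer.addr in group_active:
            return False          # already active in another list of the same backup group
        return net.ike_up(peer.addr)

    def connect(self, net, group_active=()):
        """Initial connection or DPD-triggered failover: downloadable peers first, then the
        static list in waterfall order (continue below the failed peer, wrap to the top)."""
        for peer in list(self.downloaded):
            if self._usable(peer, net, group_active):
                self.active = peer.addr
                return peer.addr
            self.downloaded.remove(peer)
        n = len(self.static)
        start = 0 if self.active is None else self.cursor + 1
        for step in range(n):
            i = (start + step) % n
            if self._usable(self.static[i], net, group_active):
                self.cursor, self.active = i, self.static[i].addr
                self.downloaded = net.backup_list(self.active)   # old list deleted, new one learned
                return self.active
        self.active = None
        return None

    def maybe_reactivate(self, net, group_active=()):
        """'peer reactivate': return to a more preferred static peer once its tracker is up."""
        if self.reactivate and self.active is not None:
            for i, peer in enumerate(self.static[:self.cursor]):
                if peer.track is not None and self._usable(peer, net, group_active):
                    self.cursor, self.active = i, peer.addr
                    self.downloaded = net.backup_list(peer.addr)
                    return peer.addr
        return self.active


def group_active(clients, me):
    """Peers active in the other clients of the same backup group."""
    return {c.active for c in clients if c is not me and c.active and c.backup_group == me.backup_group}


def demo():
    results = {}
    # Downloadable-list slide: Peer 1 is dead, Peer 2 pushes Peer 2.1 and Peer 2.2
    net = Network({"10.0.0.2", "10.0.0.3", "10.0.0.21", "10.0.0.22"},
                  backup_lists={"10.0.0.2": [(10, "10.0.0.21"), (20, "10.0.0.22")]})
    c = FlexVpnClient("remote1", [Peer(10, "10.0.0.1"), Peer(20, "10.0.0.2"), Peer(30, "10.0.0.3")])
    seq = [c.connect(net)]
    for failed in ("10.0.0.2", "10.0.0.21", "10.0.0.22"):
        net.up.discard(failed)                 # DPD notices the active peer is gone
        seq.append(c.connect(net))
    net.up.add("10.0.0.1")
    net.up.discard("10.0.0.3")
    seq.append(c.connect(net))                 # bottom of the static list: wrap to the top
    results["waterfall"] = seq
    # Backup-group slide: two tunnels over the same peers, one hub never active twice
    net = Network({"10.0.0.1", "10.0.0.2", "10.0.0.3"})
    r1, r2 = (FlexVpnClient(n, [Peer(1, "10.0.0.1"), Peer(2, "10.0.0.2"), Peer(3, "10.0.0.3")], 1)
              for n in ("remote1", "remote2"))
    r1.connect(net, group_active([r1, r2], r1))
    r2.connect(net, group_active([r1, r2], r2))
    results["group"] = (r1.active, r2.active)
    # Re-activation slide: every peer tracked, the primary comes back
    net = Network({"10.0.0.2", "10.0.0.3"}, tracks={1: "10.0.0.1", 2: "10.0.0.2", 3: "10.0.0.3"})
    t = FlexVpnClient("remote1", [Peer(1, "10.0.0.1", 1), Peer(2, "10.0.0.2", 2), Peer(3, "10.0.0.3", 3)],
                      reactivate=True)
    before = t.connect(net)
    net.up.add("10.0.0.1")                     # IP SLA probe succeeds again: track 1 up
    results["reactivate"] = (before, t.maybe_reactivate(net))
    return results
```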
FlexVPN Backup – Tunnel Pivoting
• Use when different service providers are used to connect to the remote host
(Diagram: client with GigE0/0 to Service Provider 1 and Cellular0/0 to Service Provider 2 (cellular network), both reaching the hub; tracker state (up/down) driven by an ICMP-echo IP SLA probe over the primary path.)

track 1 ip sla 1 reachability
!
crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1
 source 1 GigabitEthernet0/0 track 1
 source 2 Cellular0/0
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 …
 tunnel source dynamic
 tunnel destination dynamic
 …
FlexVPN Backup – IKEv2 Load-Balancer: Client Connection (1)
(Diagram: Hub 1 at .11, Hub 2 at .12 and Hub 3 at .13 on LAN 10.0.0.0/24, VIP .5, WAN on the other side.)
1. HSRP active router election: the winner (Hub 1, HSRP Active) takes over the VIP (".5") and becomes the CLB master; Hub 2 and Hub 3 are HSRP Standby.
2. CLB registration: the HSRP Standby routers become CLB slaves and register to the master (HSRP Active).
On Hub 1:
*Nov 20 12:43:58.488: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.13 connected.
*Nov 20 12:43:58.493: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.12 connected.
FlexVPN Backup – IKEv2 Load-Balancer: Client Connection (2)
(Diagram: same cluster; Hub 1 .11 is HSRP Active / CLB master, Hub 2 .12 and Hub 3 .13 are HSRP Standby / CLB slaves, VIP .5 on LAN 10.0.0.0/24.)
1. The client sends IKE SA_INIT with REDIRECT_SUPPORTED to the VIP (.5).
2. The CLB master selects the least loaded gateway, LLG (Hub 3).
3. The CLB master sends a redirect to the client pointing at Hub 3.
4. The client establishes its IKEv2 session with the LLG hub (Hub 3).
IKEv2 Load-Balancer – Hub 1 Configuration

crypto ikev2 redirect gateway init
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set interface
!
crypto ikev2 cluster
 standby-group vpngw
 slave max-session 10
 no shutdown
!
interface Ethernet0/0
 ip address 10.0.0.11 255.255.255.0
 standby 1 ip 10.0.0.5
 standby 1 name vpngw
!
interface Loopback0
 ip address 172.16.1.11 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 tunnel source Ethernet1/0
 tunnel protection ipsec profile default

Callouts:
crypto ikev2 redirect gateway init: activates the sending of IKEv2 redirects during SA_INIT.
standby 1 name vpngw: the HSRP group name must match the IKEv2 cluster configuration.
• The configuration of the slave hubs is almost identical (except for the HSRP priority)!
IKEv2 Load-Balancer – Client Configuration

crypto ikev2 authorization policy default
 route set interface
!
crypto ikev2 redirect client max-redirects 10
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 client flexvpn VPN_LB
 peer 1 10.0.0.5
 client connect Tunnel0
!
interface Tunnel0
 ip address 172.16.1.100 255.255.255.0
 ip mtu 1400
 tunnel source Ethernet0/0
 tunnel destination dynamic
 tunnel protection ipsec profile default

Callouts:
crypto ikev2 redirect client max-redirects 10: activates IKEv2 redirection support and limits the redirect count (DoS prevention).
peer 1 10.0.0.5: the FlexVPN peer is configured with the VIP address only.
FlexVPN Backup – IKEv2 Load-Balancer
• Redirects the inbound IKEv2 negotiation to the Least Loaded Gateway (LLG)
• Implements RFC 5685
• The redirect is performed during IKEv2 SA_INIT or IKE_AUTH
• Relies on HSRP for device failure detection and master selection
• Relies on the Cisco Load Balancing (CLB) protocol (TCP/2012) to report load to the cluster master
• Available since 15.2(4)M
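The redirect sequence of the IKEv2 load-balancer (HSRP election, CLB load reporting, a REDIRECT to the least loaded gateway during SA_INIT, and the client-side max-redirects limit), as an added Python model that is not Cisco code. The addresses are the slides' 10.0.0.5 (VIP), .11, .12 and .13; the HSRP priorities, session counts and per-gateway capacity are constructed.

```python
"""Model of the FlexVPN IKEv2 load-balancer (RFC 5685 redirect). Added example for this
page, not Cisco code: HSRP priorities, session counts and the per-gateway capacity are
constructed; addresses are the slide's 10.0.0.5 (VIP), .11, .12 and .13."""
from dataclasses import dataclass


@dataclass
class Gateway:
    address: str
    hsrp_priority: int
    sessions: int = 0
    max_sessions: int = 10      # capacity, reported to the master over CLB (TCP/2012)

    @property
    def load(self):
        return self.sessions / self.max_sessions


class Cluster:
    def __init__(self, vip, gateways):
        self.vip = vip
        self.gateways = gateways
        self.master = None

    def hsrp_election(self):
        """Highest HSRP priority becomes Active, owns the VIP and acts as CLB master;
        the Standby routers become CLB slaves and register their load with it."""
        self.master = max(self.gateways, key=lambda g: g.hsrp_priority)
        return self.master

    def least_loaded_gateway(self):
        """LLG chosen from the loads the slaves reported; None when the cluster is full."""
        free = [g for g in self.gateways if g.sessions < g.max_sessions]
        return min(free, key=lambda g: g.load) if free else None

    def by_address(self, address):
        return next(g for g in self.gateways if g.address == address)


def ike_sa_init(cluster, destination, redirect_supported):
    """Responder side of IKE_SA_INIT. Returns ('REDIRECT', gateway), ('ACCEPT', gateway) or
    ('REJECT', None). With 'crypto ikev2 redirect gateway init' the decision is taken in
    SA_INIT, before the master spends any authentication work on the client."""
    if destination == cluster.vip:
        llg = cluster.least_loaded_gateway()
        if redirect_supported and llg is not None and llg is not cluster.master:
            return "REDIRECT", llg                 # REDIRECT notify carrying the LLG address
        responder = cluster.master                 # client cannot follow a redirect: master serves it
    else:
        responder = cluster.by_address(destination)
    if responder.sessions < responder.max_sessions:
        return "ACCEPT", responder
    return "REJECT", None


def client_connect(cluster, max_redirects, redirect_supported=True):
    """Initiator side: IKE_SA_INIT to the VIP with REDIRECT_SUPPORTED, then follow redirects
    up to 'crypto ikev2 redirect client max-redirects <n>'. Returns the address the IKE SA
    ended up on (None if the client gave up) and the message trace."""
    destination, redirects, trace = cluster.vip, 0, []
    while True:
        status, gateway = ike_sa_init(cluster, destination, redirect_supported)
        trace.append((destination, status, gateway.address if gateway else None))
        if status == "ACCEPT":
            gateway.sessions += 1                  # IKE_AUTH completes on this gateway
            return gateway.address, trace
        if status == "REJECT" or redirects >= max_redirects:
            return None, trace                     # redirect budget exhausted (DoS prevention)
        redirects += 1
        destination = gateway.address


def build_cluster():
    """Constructed load picture: Hub 1 (.11) is the busiest, Hub 3 (.13) is the LLG."""
    return Cluster("10.0.0.5", [Gateway("10.0.0.11", 110, sessions=4),
                                Gateway("10.0.0.12", 100, sessions=3),
                                Gateway("10.0.0.13", 90, sessions=1)])


if __name__ == "__main__":
    cluster = build_cluster()
    print("master:", cluster.hsrp_election().address)
    print(client_connect(cluster, 10))
    print(client_connect(cluster, 10, redirect_supported=False))
```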
FlexVPN IKEv2 Remote Access

Anywhere, Any Device Access
FlexVPN framework: any device, any location, any application, over IKEv2/IPsec or SSL.
More diverse users, working from more places, using more devices, accessing more diverse applications, and passing sensitive data.
IKEv2 Configuration Exchange (Initiator (I) = RA client, Responder (R) = RA server)

IKE_AUTH:
I → R: CFG_REQUEST ("I would like: an IPv6 address, a DNS & WINS server, a list of IPv6 protected subnets"). The initiator (RA client) requests configuration parameters from the responder (RA server).
R → I: CFG_REPLY ("Your assigned IPv6 address is ..., your DNS server is ..., there is no WINS server, the protected subnets are ..."), derived from the peer authorisation.

INFORMATIONAL:
I → R: CFG_SET ("My local IPv6 address is ..., my local IPv6 protected subnets are ..."), derived from the peer authorisation. The initiator and/or the responder sends unsolicited configuration parameters to its peer.
R → I: CFG_ACK ("Acknowledged").
Extensible Authentication Protocol (EAP)
• No X-AUTH in IKEv2; EAP instead
• EAP is a general authentication protocol that supports multiple methods:
– Tunnelling: EAP-TLS, EAP/PSK, EAP-PEAP, …
– Non-tunnelling (recommended): EAP-MS-CHAPv2, EAP-GTC, EAP-MD5, …
• Implemented as additional IKE_AUTH exchanges
• Only used to authenticate the initiator to the responder
• The responder MUST authenticate using certificates
• Can severely increase the number of messages (12-16)
• EAP comes with many caveats; refer to the documentation!
EAP Authentication – Roles
RA client: IKEv2 initiator, EAP supplicant. FlexVPN server: IKEv2 responder, RADIUS NAS, EAP authenticator. AAA server: RADIUS server, EAP backend.
The RA server authenticates to the client using IKE certificates (mandatory). EAP is carried inside IKEv2 between client and server and inside RADIUS between server and AAA server.

crypto ikev2 profile default
 authentication remote eap query-identity
 aaa authentication eap frad

EAP method families:
EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 / EAP-AKA / EAP-SIM / ...: username-password, token or mobile authentication (one-way)
EAP-TLS: TLS-based certificate authentication (mutual)
EAP-PEAP / EAP-TTLS carrying EAP-MSCHAPv2 / EAP-TLS / ... inside the TLS tunnel: TLS-protected nested authentication (one-way or mutual)
EAP Authentication – Packet Flow
(RA Client = IKEv2 Initiator / EAP Supplicant; FlexVPN Server = IKEv2 Responder / RADIUS NAS / EAP Authenticator; AAA Server = RADIUS Server / EAP Backend)
crypto ikev2 profile default
 authentication remote eap query-identity
 aaa authentication eap frad
1: Client → Server, IKEv2 (IKE_AUTH): IDi, CFG_REQ, no AUTH
2: Server → Client, IKEv2 (IKE_AUTH): IDr, AUTH(RSA), EAP(ID-Request)
3: Client → Server, IKEv2 (IKE_AUTH): EAP(ID-Response: IDEAP); Server → AAA, RADIUS (Access-Request); AAA → Server, RADIUS (Access-Challenge)
4: Server → Client, IKEv2 (IKE_AUTH): EAP(EAP-Method-Pkt#1); Client → Server, IKEv2 (IKE_AUTH): EAP(EAP-Method-Pkt#2); Server → AAA, RADIUS (Access-Request)
5: AAA → Server, RADIUS (Access-Accept): EAP(Success), MSK, User-Name (the EAP username), other user attributes – cached for authorisation
6: Server → Client, IKEv2 (IKE_AUTH): EAP(Success); both sides now hold the MSK
7: Client → Server, IKEv2 (IKE_AUTH): AUTH(MSK)
8: Server → Client, IKEv2 (IKE_AUTH): CFG_REPLY, AUTH(MSK)
Remote Access Clients – Overview
• AnyConnect (Desktop Version)
– Supported OSes: Windows, Mac OS X, Linux
– Supported IKEv2 authentication methods: Certificates, EAP
– Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
– Dual stack (IPv4 & IPv6): 3.1.05152 (with GRE), IOS-XE 3.14
– Split tunnelling: Yes
• AnyConnect (Mobile Version)
– Supported OSes: Android, Apple iOS
– Supported IKEv2 authentication methods: Certificates, EAP
– Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
– Dual stack (IPv4 & IPv6): Planned (client limitation)
– Split tunnelling: Yes
• Windows Native IKEv2 Client
– Supported OSes: Windows 7 & 8
– Supported IKEv2 authentication methods: Certificates, EAP
– Supported EAP authentication methods: EAP-MSCHAPv2, EAP-TLS (1), EAP-PEAP (1), ... and more (Win8)
– Dual stack (IPv4 & IPv6): Planned (headend limitation)
– Split tunnelling: Very limited (classful)
• FlexVPN Hardware Client
– Supported OSes: Cisco IOS 15.2+ (not on IOS-XE / ASR1k, not on ISR-G1)
– Supported IKEv2 authentication methods: Certificates, EAP, Pre-Shared Key
– Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
– Dual stack (IPv4 & IPv6): Both (with GRE)
– Split tunnelling: Yes
• strongSwan
– Supported OSes: Linux, Mac OS X, Android, FreeBSD, ...
– Supported IKEv2 authentication methods: Certificates, EAP, Pre-Shared Key
– Supported EAP authentication methods: EAP-MSCHAPv2, EAP-TLS (1), EAP-PEAP (1), ... and more (plugins)
– Dual stack (IPv4 & IPv6): Planned (headend limitation)
– Split tunnelling: Yes
(1) EAP-TLS, EAP-TTLS, EAP-PEAP and others require (potentially dedicated) TLS certificates on EAP server & RA client
(2) IPsec Reverse Route Injection (RRI) and IKEv2 Route Exchange are enabled by default
AnyConnect Secure Mobility Client
• Since AnyConnect 3.0, IKEv2/IPsec is supported (previously only SSL/TLS)
– Desktop: Windows, Mac OS X, Linux
– Mobile: Apple iOS, Android
• Supported authentication methods:
– Machine Certificates (RSA signatures)
– EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
– EAP-GTC (cleartext password authentication, used for one-time passwords/tokens)
– EAP-MD5 (hash-based authentication)
AnyConnect – VPN Profile Editor
• Add entry to server list: connection name, server FQDN, ...
• Resulting XML profile values: FlexVPN (connection name), flexra.cisco.com (server FQDN), IPsec, true, EAP-GTC, acvpn (IKE identity – only applies to EAP authentication methods)
AnyConnect – Backup Server List
• Add backup server(s) to the list (primary and backup servers reachable over the WAN)
• Resulting XML profile values: FlexVPN, flexra.cisco.com (primary), flexra2.cisco.com (backup), ...
• When the primary server stops responding, the client will try connecting to the backup server(s)
AnyConnect – Seamless Auto-Reconnect
crypto ikev2 profile default
 reconnect [timeout ]
• WAN failure:
1: Connected
2: Network failure detected – client will attempt to reconnect automatically
3: Server marks session as "inactive", awaiting reconnection until the configured timeout
4: ISP/WAN comes back up – session resumed without any user intervention
• Switching networks:
1: Connected over 3G
2: Switching to WiFi – different IP address
3: Session resumed over WiFi link without any user intervention
• Also works when the computer suspends & resumes (behaviour controllable through the XML profile)
AnyConnect Desktop – Profile Deployment Options
• Use a software management system
• Add the profile to the AnyConnect package
• Send the profile via email
• Download the profile to the file system
Default profile location by OS:
– Windows: %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
– Mac OS, Linux: /opt/cisco/anyconnect/profile
AnyConnect Mobile – Profile Deployment Options
• Send the profile via email
• Install the profile via a URI handler: anyconnect://import?type=profile&uri=location (example location: http://example.com/profile.xml)
• Import it from local file system or URI
• Manual connection creation
• MDM (Mobile Device Management)
AnyConnect Mobile – Manual Connection
• Create new manual connection
• Connection name
• Server FQDN
• Enable IKEv2
• Select authentication method
• Specify IKE ID for EAP methods
• Certificate selection (Cisco ASA only)
AnyConnect Mobile – URI Handler Profile Deployment
• Import profiles, certificates, and create connection entries
• Apple iOS & Android
– Import via URL, email, device storage
– Also connect & disconnect VPN using the URI handler
anyconnect://create/?name=FlexVPN&host=flexra.cisco.com&protocol=IPsec&authentication=EAP-MD5&ike-identity=acvpn
• External Control set to Prompt or Enabled – required for the URI handler
• Result: connection successfully created
AnyConnect Mobile – Certificate Deployment
• Package certificate & keypair into a PKCS#12 file
• Apple iOS
– Import PKCS#12 from URL or email attachment
– Provision credentials or set up SCEP enrollment using a configuration profile (e.g. via iPhone Configuration Utility)
• Android
– Import PKCS#12 from URL, email or filesystem
– Use existing credentials from Credential Storage
AnyConnect – Certificate Requirements
• AnyConnect Client IKEv2 Certificate
– Used for: Mutual RSA-SIG
– Common Name (CN): Anything
– Key Usage (KU): Digital Signature
– Extended Key Usage (EKU): Optional (1,3); if present: TLS Client Authentication
– Subject Alternative Name (SAN): Not required (3)
• FlexVPN Server IKEv2 Certificate
– Used for: Mutual RSA-SIG, EAP (all types)
– Common Name (CN): Anything (if SAN field present); Server FQDN (if no SAN field)
– Key Usage (KU): Digital Signature, plus Key Encipherment or Key Agreement
– Extended Key Usage (EKU): Optional (2,3); if present: TLS Server Authentication or IKE Intermediate
– Subject Alternative Name (SAN): Optional (3); if present: Server FQDN
(1) Required in AC 3.0.8 to 3.0.10 (CSCuc07598)
(2) Required in AC 3.0 (all versions), lifted in 3.1
(3) Not required: may be omitted or set to any value – Optional: may be omitted or set to the specified value
FlexVPN Hardware Client – Example
• Sample configuration:
– Static tunnel interface driven by FlexVPN Client Profile
– Local AAA authorisation (default IKEv2 authorisation policy)
– Certificate-based mutual authentication (no EAP)
• Tunnel interface configuration:
– IP address assigned through IKEv2 Configuration Exchange
– Tunnel destination set dynamically
• Default IKEv2 routing between client & server:
– Client advertises route for Tunnel0 assigned IP address
– Client installs networks advertised by server
client#show crypto ikev2 authorization policy default
IKEv2 Authorization Policy : default
route set interface
route accept any tag : 1 distance : 1

Client configuration:
aaa new-model
aaa authorization network here local
!
crypto pki trustpoint root
 rsakeypair root
!
crypto pki certificate map cisco 1
 subject-name co o = cisco
!
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list here default
!
crypto ikev2 client flexvpn flexra
 peer 1 fqdn flexra.cisco.com dynamic
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile default

FlexVPN Network Extension
(FlexVPN Client: LAN 10.42.1.0/24 on Eth0/1, WAN on Eth0/0, assigned IP 10.0.1.22/32; FlexVPN Server: 10.0.0.0/8 behind it, Lo1: 10.0.1.1/32)
• Client side – local/remote addresses & prefixes exchanged using IKEv2 routing:
route set interface
route set remote ipv4 10.42.1.0
interface Tunnel0
 ip address negotiated
!
interface Ethernet0/1
 ip address 10.42.1.1 255.255.255.0
Client routing table:
S 10.0.0.0/8 is directly connected, Tunnel0 – summary prefix reachable through tunnel
S 10.0.1.1/32 is directly connected, Tunnel0
C 10.0.1.22/32 is directly connected, Tunnel0
• Server side:
route set interface
route set remote ipv4 10.0.0.0 255.0.0.0
interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
Server routing table:
S 10.0.1.22/32 is directly connected, Virtual-Access1 – assigned IP address reachable over client VA
S 10.42.1.0/24 is directly connected, Virtual-Access1 – client LAN directly reachable over tunnel (prefix can be redistributed into IGP)
FlexVPN Client Profile – Key Features
• Peer list with object tracking:
– Ordered list of FlexVPN servers (by address or FQDN)
– Enable/disable entries based on tracking object state
– Additional peers can be pushed by server during Config Exchange
crypto ikev2 client flexvpn flexra
 peer 1
 peer 2 track 10 up
 peer 3 track 20 down
!
track 10 interface line-protocol
track 20 ip route reachability
• Connection modes:
– Automatic (infinite loop, 10 seconds between tries)
– When tracking object goes up/down (enables dial backup)
– Manual (CLI-triggered)
 connect auto
 connect track 10 up
 connect manual
• EAP local authentication (IKEv2 initiator only):
– Username prompt only if server does "query-identity"
– Alternative: static credentials in IKEv2 profile
crypto ikev2 profile default
 authentication local eap
client#crypto ikev2 client flexvpn connect
Enter the command 'crypto eap credentials flexra'
client#crypto eap credentials flexra
Enter the Username for profile flexra: joe@cisco
Enter the password for username joe@cisco:
• More than a Remote Access client:
– Can also be used in hub-spoke & dynamic mesh designs
– Useful when advanced initiator logic is required (dial backup, object tracking, ...)
Demo: AnyConnect Secure Mobility Client
Tom the Sardar

AnyConnect Mobile Profile & Certificate Deployment Demo
Objective: Deploy an AnyConnect connection entry and CA certificate to an Android mobile device
Administrator sequence of events:
1: Retrieve CA certificate as a file
2: Insert AnyConnect connection URI into email
3: Attach CA cert and send email
anyconnect://create/?name=FlexVPN&host=Flex_hub.mydomain.com&protocol=IPsec&authentication=EAP-MD5&ike-identity=acvpn
User sequence of events:
1: Enable External Control on AnyConnect
2: Click on hyperlink to create AnyConnect connection
3: Click on CA cert attachment to import CA cert

AnyConnect Windows 7 Profile Deployment Demo
Objective: Deploy an AnyConnect XML user profile containing connection information to a remote desktop.
AnyConnect XML profile added to package and installed on Windows desktop
Administrator sequence of events:
1: Create profile using Profile Editor
2: Bundle profile with installation package
User sequence of events:
1: User retrieves installation package
2: User installs package
3: Profile is automatically imported
FlexVPN SSL

FlexVPN SSL Overview
• Management: ASDM
• Clients:
– Desktop: Windows, Mac OS X, Linux
– Mobile: Apple iOS (iPhone and iPad); Android smartphones and tablets (HTC, Lenovo, Motorola, Samsung; version 4.0+); BB10 (future: smartphone, Playbook)
• Infrastructure – Secure Connectivity:
– Cisco ASR: IOS-XE 3.15.1S / 15.5(2)S1; ASR1006/1013 with ESP100/200, ASR1002-X and ASR1001-X only
– Cisco Cloud Services Router 1000V: IOS-XE 3.12.1S / 15.4(2).1S
– Tentative date – June 2015

• First release of SSLVPN support (on ASR / CSR)
• Client-based only (AnyConnect); no clientless support
• Integrated into the FlexVPN framework:
– AAA integration
– Virtual tunnel interfaces
– Smart defaults
– CLI consistency
• ASR not supported on previous ESPs (ESP 2.5 up to ESP 40, due to lack of crypto engine support)
Features Not Supported In Initial Release
• Automatic AnyConnect software upgrade from headend
• Web Launch for AnyConnect (from browser)
• Client side certificates
• Hostscan and Posture
• Name mangler
• Two-Factor & Double Authentication
• IPv6 Mixed-Mode / Dual-Stack
• DTLS
FlexVPN SSL and Interfaces
Per-user attributes such as ACL, QoS, VRF and ZBFW can be applied granularly.
[Figure: Hub 1 with Virtual Templates VT1 and VT2; Remote Access Sessions from a remote user, a smartphone user and a second remote user terminate on Virtual Access interfaces VA1, VA2 and VA3]
VT – Virtual Template; VA – Virtual Access
What is SSL/TLS?
• Stands for Secure Sockets Layer
• Protocol that enables privacy and data integrity between client and server
• Developed by Netscape in the mid-1990s
• Predecessor of TLS (Transport Layer Security)
• SSL 1.0 and 2.0 had a number of security flaws, which led to the design of SSLv3 (the 1996 draft was republished as a historical document in RFC 6101)
• TLS 1.0 was designed in RFC 2246 as the next-generation protocol to replace SSLv3 (SSLv3 is now considered insecure)
• TLS 1.0 has evolved over time:
– TLS 1.1 (RFC 4346) added protection against CBC attacks and an explicit IV
– TLS 1.2 (RFC 5246) added enhancements in hashing / signing and expanded the authenticated encryption ciphers (GCM)
SSL/TLS Exchanges Overview
• TCP connection bootstrap: TCP 3-way handshake (3 messages)
• A – Server authentication, keying material exchange:
– Client Hello / Server Hello (2 messages): negotiate security capabilities
– Server authentication and public key exchange (1 message)
– Client key exchange, Change Cipher Spec (1 message): generate encryption keys
• B – Anti-MITM encrypted exchange:
– Server Finished / Client Finished (2 messages)
• Protected data
The TLS Handshake – Simplified (cipher suite example)
Client → Server, Client Hello: "I want a secure connection. Here are the cipher suites I support."
Server → Client, Server Hello: "Here are the security protocols we shall use."
Server → Client, ServerCertificate: "Here's who I am (server certificate)."
Server → Client, ServerHelloDone: "I am done for now – waiting for you."
Client → Server, ClientKeyExchange: "Here is the key we use for encryption (pre-master key encrypted using the server public key)."
Client → Server, ChangeCipherSpec: "I am switching to a secure channel (future messages will be encrypted)."
Client → Server, Finished: "I am done with SSL/TLS negotiation."
Server → Client, ChangeCipherSpec: "I am also switching to a secure channel (future messages will be encrypted)."
Server → Client, Finished: "I am also done with SSL/TLS negotiation."
* Some of the handshake messages, such as Certificate and Server Hello Done, can be combined in one packet or arrive in different SSL packets.
TLS/SSL Protocol Building Blocks
[Figure: SSL handshake protocols – initialises communication between client & server; initialises secure communication; error handling; handles data compression; handles communication with the application]
SSL Handshake – Client Hello
Client proposes basic SA attributes along with random number material.
Client → Server: VN, CR, SI, CS, CA, EXT
VN – Version Number
CR – Client random value (32 bytes long): client date (4 bytes) + random data (28 bytes), used later to generate the master secret
SI – Session ID, included to enable the client to resume a previous session (optional)
CS – Cipher suites list available on the client, e.g. TLS_RSA_WITH_AES_128_CBC_SHA: TLS is the protocol version, RSA is the algorithm that will be used for the key exchange, AES_128_CBC is the encryption algorithm and SHA is the hash function
CA – Compression Algorithm (none is currently supported with IOS)
EXT – Extensions such as renegotiation and Server Name Indication
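To make the VN / CR / SI / CS / CA / EXT layout concrete, here is an added example (not code from the deck or from Cisco) that parses a TLS 1.2 ClientHello handshake message into those fields and pulls the Server Name Indication host name out of the extensions. The message is constructed by `build_client_hello` inside the block; the cipher-suite and extension name tables only cover the few IANA values the sample uses, everything else is shown as a hex code.

```python
"""Added example: parse a TLS ClientHello into VN, CR, SI, CS, CA and EXT.
Pure Python, no external libraries.  The sample message is constructed here
and is not captured from AnyConnect or a FlexVPN headend."""
import struct
import time

CIPHER_SUITES = {                      # a few well-known IANA values only
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
EXTENSION_TYPES = {0x0000: "server_name", 0xFF01: "renegotiation_info"}


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_sni(data):
    """ServerNameList: u16 list length, then (name type u8, u16 length, name)."""
    names, pos = [], 2
    while pos < 2 + _u16(data, 0):
        name_type, nlen = data[pos], _u16(data, pos + 1)
        if name_type == 0:                             # 0 = host_name
            names.append(data[pos + 3:pos + 3 + nlen].decode("ascii"))
        pos += 3 + nlen
    return names


def parse_client_hello(msg):
    """msg = handshake header (type 0x01 + 3-byte length) followed by the body."""
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1]); pos = 2                      # VN
    client_random = body[pos:pos + 32]; pos += 32              # CR: 4-byte time + 28 random
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len       # SI
    cs_len = _u16(body, pos); pos += 2
    suites = [_u16(body, pos + i) for i in range(0, cs_len, 2)]; pos += cs_len   # CS
    comp_len = body[pos]; pos += 1
    compression = list(body[pos:pos + comp_len]); pos += comp_len                # CA (0 = null)
    extensions = {}                                                              # EXT
    if pos < len(body):
        end = pos + 2 + _u16(body, pos); pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            extensions[EXTENSION_TYPES.get(etype, "0x%04x" % etype)] = body[pos:pos + elen]
            pos += elen
    return {
        "version": version,
        "gmt_unix_time": struct.unpack("!I", client_random[:4])[0],
        "random": client_random[4:],
        "session_id": session_id,
        "cipher_suites": [CIPHER_SUITES.get(s, "0x%04x" % s) for s in suites],
        "compression": compression,
        "sni": parse_sni(extensions["server_name"]) if "server_name" in extensions else [],
        "extensions": sorted(extensions),
    }


def build_client_hello(host, suites, session_id=b"", gmt=None):
    """Constructed sample ClientHello (TLS 1.2) used to exercise the parser."""
    gmt = int(time.time()) if gmt is None else gmt
    rnd = struct.pack("!I", gmt) + bytes(range(28))            # fixed 'random' for a test vector
    sni_name = host.encode("ascii")
    sni = struct.pack("!HBH", len(sni_name) + 3, 0, len(sni_name)) + sni_name
    exts = (struct.pack("!HH", 0x0000, len(sni)) + sni
            + struct.pack("!HH", 0xFF01, 1) + b"\x00")         # empty renegotiation_info
    body = (b"\x03\x03" + rnd + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                      # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    sample = build_client_hello("sslvpn.example.com", [0x002F, 0x0035], gmt=1420000000)
    for k, v in parse_client_hello(sample).items():
        print(k, v)
```

Feeding a real capture in is a matter of stripping the 5-byte record header first; the parser stops at the handshake layer so it works on any TLS 1.0-1.2 ClientHello regardless of what the peer negotiates afterwards.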
SSL Handshake – Server Hello
Server sends back a set of acceptable attributes, along with key exchange material and an optional certificate request.
Server → Client: VN, SR, SI, CS, CA
VN – Version Number. The server sends the highest version supported by both sides.
SR – Server random value (32 bytes long): server date (4 bytes) + random data (28 bytes), used later to generate the master secret
SI – Session ID, sent by the server:
• A new Session ID will be generated if the ClientHello does not contain a Session ID
• The ClientHello Session ID will be reused if the server is willing to resume the session
• Null will be used if it is a new session but the server is not willing to resume it
CS – The server will choose the strongest cipher supported by both client & server. If there is no agreement, a "handshake failure" will be sent
CA – Compression Algorithm (none is currently supported)
SSL Handshake – Server Certificate
Server sends its certificate, which includes its public RSA key; the client will later use this key to encrypt the premaster secret.
Server → Client: Certificate, Server Hello Done
Certificate – The server sends its certificate to the client.
• The client extracts the server public key from the certificate
• The public key is used to authenticate the server
• Later on, that public key is also used to encrypt the premaster secret
Server Hello Done – The Server Hello has been completed and the server is waiting for the client to proceed
SSL Handshake – Client Key Exchange
Client generates a session key that can only be decrypted by the server.
Client → Server: Clt Key Exch, Chg Cipher Spec, Clt Finished
Clt Key Exch – Client Key Exchange
• The premaster secret (computed from both client and server random) is encrypted with the server's public RSA key
• The session keys will be derived from the resulting master secret
• Only the server can decrypt it, since it holds the matching private RSA key
Chg Cipher Spec – Change Cipher Spec
• The client notifies the server that subsequent packets will be encrypted using the negotiated keys and algorithms
Clt Finished – Client Finished contains the hash of the entire conversation, which provides further protection against man-in-the-middle attacks
SSL Handshake – Server Finished, Change Cipher Spec
Server sends back a Change Cipher Spec message and its hash of the entire exchange.
Server → Client: Change Cipher Spec, Server Finished
Change Cipher Spec – By sending Change Cipher Spec, the server announces to the client that the following packets will be encrypted using the negotiated keys and algorithms. Subsequent packets from both client and server will be encrypted.
Server Finished – Server Finished contains the hash of the entire conversation, which provides further protection against man-in-the-middle attacks.
SSL Record Protocol: Protected Data
Packet layout: IP header (20 bytes) | TCP header (20 bytes) | content type (1 byte) | SSL version (2 bytes) | length (2 bytes) | encrypted application data | HMAC / pad
• Record protocol receives data from the application layer:
– Data fragmented into blocks (encryption) or reassembled to its original format (decryption)
– Sequentially numbers data blocks
– Compresses/decompresses data based on the negotiated compression algorithm
– Encrypts/decrypts data using the negotiated encryption keys / cryptographic algorithm
– Applies HMAC to outgoing data; checks HMAC when data is received
Data Fragmentation
[Figure: application data → data fragment → data fragment + MAC → encrypted data and MAC, each record prefixed by IP header, TCP header and record header]
record header: content type; version; length
MAC: over the data, sequence number and content type, with the help of a key (Mx)
Fragment: each SSL fragment is at most 2^14 bytes (~16 Kbytes)
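The record protocol and fragmentation slides above describe the sender and receiver sides of the record layer; this added example (my code, not the deck's or Cisco's) implements both in pure Python for TLS 1.0-1.2: it splits application data into fragments of at most 2^14 bytes, prepends the 5-byte record header, and appends an HMAC computed over the sequence number, content type, version, length and fragment, exactly the MAC input RFC 5246 section 6.2.3.1 specifies. Encryption is deliberately omitted so the structure stays visible, and the receiver returns the alert name from the SSL Alert Protocol slide (bad_record_mac) when a record has been tampered with, replayed or reordered. The MAC key and data are constructed inline.

```python
"""Added example: TLS 1.x record layer (fragmentation + sequence-numbered HMAC).
Encryption of the fragment is left out on purpose; sample data is constructed."""
import hashlib
import hmac

MAX_FRAGMENT = 2 ** 14            # 16384 bytes, the fragment limit on the slide
APPLICATION_DATA = 23             # ContentType.application_data
TLS_1_2 = b"\x03\x03"
ALERT_CODES = {"close_notify": 0, "bad_record_mac": 20, "decode_error": 50}   # RFC 5246 A.3


def record_mac(mac_key, seq_num, content_type, version, fragment):
    """MAC input: seq_num(8) || type(1) || version(2) || length(2) || fragment."""
    hdr = (seq_num.to_bytes(8, "big") + bytes([content_type]) + version
           + len(fragment).to_bytes(2, "big"))
    return hmac.new(mac_key, hdr + fragment, hashlib.sha1).digest()


def seal(mac_key, data, start_seq=0, content_type=APPLICATION_DATA, version=TLS_1_2):
    """Fragment `data` into records of header || fragment || MAC.  Returns (records, next_seq)."""
    records, seq = [], start_seq
    for off in range(0, len(data), MAX_FRAGMENT):
        frag = data[off:off + MAX_FRAGMENT]
        body = frag + record_mac(mac_key, seq, content_type, version, frag)
        records.append(bytes([content_type]) + version + len(body).to_bytes(2, "big") + body)
        seq += 1                  # the sequence number is implicit, never sent on the wire
    return records, seq


def open_record(mac_key, record, expected_seq, mac_len=20):
    """Parse one record and verify its MAC.  Returns (fragment, alert_name_or_None)."""
    if len(record) < 5:
        return None, "decode_error"
    content_type, version = record[0], record[1:3]
    length = int.from_bytes(record[3:5], "big")
    body = record[5:5 + length]
    if len(body) != length or length < mac_len:
        return None, "decode_error"
    frag, mac = body[:-mac_len], body[-mac_len:]
    expected = record_mac(mac_key, expected_seq, content_type, version, frag)
    if not hmac.compare_digest(mac, expected):      # constant-time comparison
        return None, "bad_record_mac"
    return frag, None


def receive(mac_key, records, start_seq=0):
    """Reassemble a record stream; stop at the first record that fails its check."""
    out, seq = bytearray(), start_seq
    for rec in records:
        frag, alert = open_record(mac_key, rec, seq)
        if alert:
            return bytes(out), alert, seq
        out += frag
        seq += 1
    return bytes(out), None, seq


if __name__ == "__main__":
    key = b"\x42" * 20                               # constructed MAC key
    recs, _ = seal(key, b"A" * (MAX_FRAGMENT + 100))
    print(len(recs), "records;", receive(key, recs)[1] or "stream verified")
    print("swapped records ->", receive(key, [recs[1], recs[0]])[1])
```

Because the sequence number is part of the MAC input but never transmitted, the receiver rejects a replayed or reordered record with bad_record_mac even though the record itself is byte-for-byte authentic; that is the property the slide's "sequentially numbers data blocks" bullet buys you.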
SSL Alert Protocol
• Alerting protocol based on different alert levels:
– warning (1)
– fatal (2)
• Different alert messages:
– close_notify (0)
– bad_record_mac (20)
– record_overflow (22)
– certificate_revoked (44)
– unknown_ca (48)
– insufficient_security (71)
• Exhaustive list: http://tools.ietf.org/html/rfc5246#appendix-A.3
• A session cannot be resumed once terminated by a fatal alert.
SSL and Certificates: Server Certificate Validation
• Router certificate should be trusted by clients
– Public (well-known) Certificate Authority (e.g. Verisign)
– Enterprise Certificate Authority, e.g. Microsoft AD
– Self-Signed (need to import certificate to all clients)
• Does the URL match the CN/SAN in the server certificate?
– URI: https://sslvpn.example.com
– Server certificate: DN: CN=srv1, OU=IT, O=Cisco; SAN: IPAddr 10.0.0.1; SAN: DNSName srv1.cisco.com; SAN: DNSName sslvpn.example.com – match on the last SAN entry
[Figure: Internet / intranet server, enterprise CA, public CA]
Key Usage and Extended Key Usage Checking
• Extended Key Usage (EKU) and Key Usage (KU) determine how a certificate can be used (client authentication, server authentication, email encryption, etc.)
• AnyConnect does not require EKU or KU to be in the ASA server certificate
• From AnyConnect 3.1: if EKU or KU are present, they must be correct
– EKU must contain "Server Authentication"
– KU must contain "Digital Signature" and "Key Encipherment"
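The rules from this slide and from the earlier "AnyConnect – Certificate Requirements" table are easy to get subtly wrong in a PKI template review, because several of them are conditional ("optional, but if present it must be ..."; "CN must be the FQDN only when there is no SAN"). The following added example (my code, not Cisco's) encodes them as three checkers over a plain dictionary description of a certificate. The dictionary layout, the usage-name strings and the sample certificates are constructed for this example; in practice you would fill the dictionary from a real parser such as the `cryptography` package before calling the checks.

```python
"""Added example: encode the AnyConnect certificate rules as checks over a
constructed certificate description: {"cn": str, "san_dns": [str], "ku": [str]
or absent, "eku": [str] or absent}.  Version tuples mirror the footnotes on the
IKEv2 certificate-requirements slide; usage names are this example's own."""

DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, KEY_AGREEMENT = "digitalSignature", "keyEncipherment", "keyAgreement"
SERVER_AUTH, CLIENT_AUTH, IKE_INTERMEDIATE = "serverAuth", "clientAuth", "ikeIntermediate"


def check_flexvpn_server_ikev2(cert, server_fqdn, anyconnect_version=(3, 1)):
    """FlexVPN server IKEv2 certificate (used for mutual RSA-SIG and all EAP types)."""
    problems = []
    san = cert.get("san_dns", [])
    # CN: anything if a SAN is present, otherwise it must be the server FQDN
    if not san and cert.get("cn") != server_fqdn:
        problems.append("CN %r != %r and no SAN present" % (cert.get("cn"), server_fqdn))
    # SAN: optional; if present it must carry the server FQDN
    if san and server_fqdn not in san:
        problems.append("SAN present but does not contain %r" % server_fqdn)
    ku = set(cert.get("ku", []))
    if DIGITAL_SIGNATURE not in ku or not ku & {KEY_ENCIPHERMENT, KEY_AGREEMENT}:
        problems.append("KU must contain digitalSignature and keyEncipherment or keyAgreement")
    eku = cert.get("eku")                 # None means the extension is absent
    if eku is None:
        if anyconnect_version < (3, 1):   # footnote 2: required in AC 3.0, lifted in 3.1
            problems.append("EKU required by AnyConnect 3.0")
    elif not set(eku) & {SERVER_AUTH, IKE_INTERMEDIATE}:
        problems.append("EKU present but lacks TLS Server Authentication / IKE Intermediate")
    return problems


def check_anyconnect_client_ikev2(cert, anyconnect_version=(3, 1)):
    """AnyConnect client IKEv2 certificate (mutual RSA-SIG); SAN is not required."""
    problems = []
    if DIGITAL_SIGNATURE not in set(cert.get("ku", [])):
        problems.append("KU must contain digitalSignature")
    eku = cert.get("eku")
    if eku is None:
        if (3, 0, 8) <= anyconnect_version <= (3, 0, 10):   # footnote 1 (CSCuc07598)
            problems.append("EKU required by AnyConnect 3.0.8 to 3.0.10")
    elif CLIENT_AUTH not in eku:
        problems.append("EKU present but lacks TLS Client Authentication")
    return problems


def check_sslvpn_server(cert, anyconnect_version=(3, 1)):
    """SSL server certificate: KU/EKU not required, but from AC 3.1 they must be correct if present."""
    problems = []
    if anyconnect_version < (3, 1):
        return problems
    eku = cert.get("eku")
    if eku is not None and SERVER_AUTH not in eku:
        problems.append("EKU present but lacks Server Authentication")
    ku = cert.get("ku")
    if ku is not None and not {DIGITAL_SIGNATURE, KEY_ENCIPHERMENT} <= set(ku):
        problems.append("KU present but lacks Digital Signature and Key Encipherment")
    return problems


if __name__ == "__main__":
    # Constructed sample modelled on the validation slide's DN/SAN layout.
    srv = {"cn": "srv1", "san_dns": ["srv1.cisco.com", "sslvpn.example.com"],
           "ku": ["digitalSignature", "keyEncipherment"], "eku": ["serverAuth"]}
    print(check_flexvpn_server_ikev2(srv, "sslvpn.example.com") or "IKEv2 server cert OK")
    print(check_sslvpn_server(srv) or "SSL server cert OK")
```

The version tuples make the footnotes testable: a headend certificate without an EKU passes for AnyConnect 3.1 but is reported for 3.0, and a client certificate without an EKU is reported only for the 3.0.8 to 3.0.10 range the table calls out.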
AnyConnect and Untrusted Certificates
• If the server certificate is not trusted, do you want the user to be able to accept the certificate? false
• ... or do you want AnyConnect to refuse to connect? true
Ensure Clients Trust the Router Certificate
• AnyConnect uses the OS to validate the certificate
– Microsoft Windows: MS CAPI
– Mac OS: Keychain
– Linux: varies with distribution
• Tip: examine warnings with a browser
– Untrusted CA chain
– Mismatched domain name
– Validity time (NTP?)
AnyConnect Connection Flow
• Group or URL selection: select the group we want to connect to
• Aggregate Authentication – user authentication: authenticate the user & get attributes
• VPN Downloader: AnyConnect software & profile updates (SSL only, no IKEv2, on IOS)
• CSTP Connect: apply attributes on the client (A)
• Protected data (B)
AnyConnect Aggregate Authentication
• Platform-independent framework for authentication and config exchange
• Common XML data format for both IPsec and SSL
• Allows new client-side features without headend software change
– Opaque info can be sent from headend
– Opaque info meaningful to client only
• Easier integration of new features
– Double Authentication
– Certificate Authentication
• Multiple request/response types
– Init
– Auth request / response
– Config request / response
– Complete
Example Init message values: 3.1.05182, win, 00-0c-29-46-bb-3f, group2, https://sslvpn.example.com
Aggregate Authentication – High-Level Flow
(AnyConnect client ↔ router, e.g. connect to https://sslvpn.example.com, with the enterprise network behind the router)
1: Init
2: Authentication Request / Authentication Reply (Aggregate Authentication)
3: Complete / Config (image, profile) – image/profile download / upgrade
4: Client initiates tunnel establishment (CONNECT) and requests attributes like IP address – "I would like: an IPv4 address, a domain name, a DNS server, a list of protected IPv4 subnets"
5: Router sends attributes (e.g. IP address) – "Your assigned IPv4 address is ... Your DNS server is ... My protected IPv4 subnets are ..."
6: Tunnel established – client traffic over tunnel
SSL Aggr. Auth Flow – AnyConnect Group Selection (Aggregate Auth type – Init)
HTTP POST message contains the server host and URL
Client → Server: POST /group, FQDN/IP/URL
Host – VPN headend URL defined on the client
• IP address or FQDN. To avoid any certificate issues, this URL must match the hub server CN or SAN.
POST / HTTP/1.1
Host: flexssl.cisco.com
User-Agent: AnyConnect Windows 3.1.05182
X-Aggregate-Auth: 1
X-AnyConnect-Platform: win
(XML body values: 3.1.05182, win, https://flexssl.cisco.com)
SSL Aggr. Auth Flow – Authentication Request (Aggregate Auth type – Auth-request)
Server requests username/password with an auth-request
Server → Client: HTTP/1.1 200 OK, XML
HTTP/1.1 200 OK – Acknowledge FQDN / IP group selection
XML – Aggregate auth (proprietary protocol request)
HTTP/1.1 200 OK
X-Aggregate-Auth: 1
(XML body: ... Login – "Please enter your username and password." ...)
SSL Aggr. Auth Flow – User Authentication (Aggregate Auth type – Auth-reply)
Client HTTP POST message sends the auth-reply
Client → Server: POST HOST/group, XML
Host – VPN headend URL/group defined on the client
• IP address or FQDN
XML – XML file contains user / password / machine information / tunnel-group / ...
*Jan 13 07:35:24.906: POST /CL2015 HTTP/1.1
POST /CL2015 HTTP/1.1
(XML body values: 3.1.06073, win, cisco, cisco)
SSL Aggr. Auth Flow – Authentication Successful (Aggregate Auth type – complete, config)
User authentication by the server is successful
Server → Client: HTTP/1.1 200 OK, XML
HTTP/1.1 200 OK – Acknowledge authentication
XML – Provides the server XML profile location and the pre-installed server package version information for that particular OS. The VPN Downloader will kick in if the version on the server is newer than on the client.
HTTP/1.1 200 OK
(XML body values: Success; profile /CACHE/webvpn/stc/profiles/CL2015.xml; package URI binaries/anyconnect-win-3.1.06073-web-deploy-k9.exe; AnyConnect Secure Mobility Client)
SSL Connection Flow – Tunnel Establishment (CSTP – Cisco SSL Tunnelling Protocol)
Client connects and requests attributes
Client → Server: CONNECT, CSTP attributes
CONNECT – initiate the tunnel establishment for the datapath by accessing /CSCOSSLC/tunnel HTTP/1.1
CSTP attributes – client attributes requested from the headend and capabilities supported (e.g. IPv6)
CONNECT /CSCOSSLC/tunnel HTTP/1.1
Host: flexssl.cisco.com
User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.06073
X-CSTP-Version: 1
X-CSTP-Hostname: olpeleri-WE01
X-CSTP-MTU: 1399
X-CSTP-Address-Type: IPv6,IPv4
X-CSTP-Local-Address-IP4: 192.168.255.166
X-CSTP-Base-MTU: 1500
X-CSTP-Remote-Address-IP4: 192.168.255.167
X-CSTP-Full-IPv6-Capability: true
SSL Connection Flow – Send Client Attributes
User authentication by the server is successful; client IP address and other attributes are sent
Server → Client: HTTP/1.1 200 OK, CSTP attributes download
HTTP/1.1 200 OK – Acknowledge client connect
CSTP attributes – set of server-provided attributes used by the client (such as private IP address / DNS / WINS / lifetime)
HTTP/1.1 200 OK
Server: Cisco IOS SSLVPN
X-CSTP-Version: 1
X-CSTP-Address: 192.168.254.4
X-CSTP-Netmask: 0.0.0.0
X-CSTP-Lease-Duration: 43200
X-CSTP-MTU: 1406
X-CSTP-Rekey-Time: 3600
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 300
X-CSTP-Disconnected-Timeout: 0
X-CSTP-Idle-Timeout: 1800
X-CSTP-Session-Timeout: 43200
X-CSTP-Keepalive: 30
X-CSTP-Smartcard-Removal-Disconnect: false
X-CSTP-Include-Local_LAN: false
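The two CSTP slides above show the CONNECT request and the 200 OK reply as raw header text. When troubleshooting a FlexVPN SSL session from a debug or a capture, what you actually want is those X-CSTP-* attributes as typed values and a quick sanity pass over the timers the headend handed out. This added example (my code, not Cisco's) does that: the two messages are copied from the slides, the parser and the timer rules are mine, and the rules express only arithmetic relationships between the attributes (a rekey time that is not shorter than the session timeout never fires; an idle timeout longer than the session timeout is dead configuration).

```python
"""Added example: parse CSTP CONNECT / 200 OK messages into typed attributes and
sanity-check the session timers.  Messages below are the ones on the slides."""
import ipaddress

CONNECT_REQUEST = """CONNECT /CSCOSSLC/tunnel HTTP/1.1
Host: flexssl.cisco.com
User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.06073
X-CSTP-Version: 1
X-CSTP-Hostname: olpeleri-WE01
X-CSTP-MTU: 1399
X-CSTP-Address-Type: IPv6,IPv4
X-CSTP-Local-Address-IP4: 192.168.255.166
X-CSTP-Base-MTU: 1500
X-CSTP-Remote-Address-IP4: 192.168.255.167
X-CSTP-Full-IPv6-Capability: true
"""

CONNECT_REPLY = """HTTP/1.1 200 OK
Server: Cisco IOS SSLVPN
X-CSTP-Version: 1
X-CSTP-Address: 192.168.254.4
X-CSTP-Netmask: 0.0.0.0
X-CSTP-Lease-Duration: 43200
X-CSTP-MTU: 1406
X-CSTP-Rekey-Time: 3600
X-CSTP-Rekey-Method: new-tunnel
X-CSTP-DPD: 300
X-CSTP-Disconnected-Timeout: 0
X-CSTP-Idle-Timeout: 1800
X-CSTP-Session-Timeout: 43200
X-CSTP-Keepalive: 30
X-CSTP-Smartcard-Removal-Disconnect: false
X-CSTP-Include-Local_LAN: false
"""


def _typed(key, value):
    """Convert a header value: bool, int, comma list, IP address, else string."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if value.isdigit():
        return int(value)
    if "," in value:
        return value.split(",")
    if key.endswith(("Address", "Netmask", "-IP4")):
        return ipaddress.ip_address(value)
    return value


def parse_cstp(message):
    """Return (start_line, {attribute-without-X-CSTP-prefix: typed value})."""
    lines = message.strip().splitlines()
    start, attrs = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.startswith("X-CSTP-"):          # Host, Server, User-Agent are skipped
            key = name[len("X-CSTP-"):]
            attrs[key] = _typed(key, value)
    return start, attrs


def check_session_timers(reply_attrs):
    """Arithmetic sanity rules over the headend's timers; returns findings (empty = fine)."""
    a, findings = reply_attrs, []
    if a["Rekey-Time"] >= a["Session-Timeout"]:
        findings.append("rekey never happens before the session expires")
    if a["Idle-Timeout"] and a["Idle-Timeout"] > a["Session-Timeout"]:
        findings.append("idle timeout longer than session timeout")
    if a["Lease-Duration"] != a["Session-Timeout"]:
        findings.append("address lease and session timeout differ")
    return findings


if __name__ == "__main__":
    _, req = parse_cstp(CONNECT_REQUEST)
    _, rep = parse_cstp(CONNECT_REPLY)
    print("client offers MTU", req["MTU"], "over", req["Address-Type"])
    print("assigned", rep["Address"], "lease", rep["Lease-Duration"], "s")
    print(check_session_timers(rep) or "timers consistent")
```

Running it against the slide's reply yields no findings: the 3600 s rekey sits well inside the 43200 s session, and the address lease equals the session timeout.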
FlexVPN SSL CSTP Data Encapsulation (CSTP – Cisco SSL Tunnelling Protocol)
FlexVPN SSL server forwarding path for cleartext traffic from the server LAN (Eth0/0) to the AnyConnect client (Eth0/1):
1: Interface input features on Eth0/0 (apply to cleartext packet): IP | L4 | Data
2: RIB/FIB (routing table) selects V-Access1
3: Pre-encapsulation interface output features on V-Access1 (apply to cleartext packet)
4: SSL/CSTP encapsulation: IP | TCP | SSL | CSTP | [IP | L4 | Data – encrypted] | PAD/MAC
5: Post-encapsulation interface output features on Eth0/1 (apply to encrypted packet) – encrypted traffic to the AnyConnect client
FlexVPN SSL Configuration Example
crypto ssl proposal my-proposal
 protection rsa-aes128-sha1 rsa-aes256-sha1
!
crypto ssl policy my-policy
 ip interface GigabitEthernet0/0/0 port 443
 pki trustpoint my-cert sign
 ssl proposal my-proposal
 no shutdown
!
crypto ssl profile my-profile
 match policy my-policy
 match url https://sslvpn.example.com
 authentication remote user-pass
 aaa authentication user-pass list my-radius
 aaa authorization user user-pass cached
 virtual-template 1
 no shutdown
• Proposal: cryptographic algorithms, key exchange method
• Policy: local endpoint matching criteria (ip interface ... port 443), SSL server certificate (pki trustpoint ... sign), applied SSL proposal
• Profile: match on SSL policy; match on URL (FQDN, hostname, path, ...); authentication (certificate, username/password); authorisation (cached, user, group); accounting; virtual interface template (ASR only)
CLI Experience: FlexVPN IPsec vs SSL
IPsec:
crypto ikev2 proposal prop-1
 encryption aes-cbc-128 3des
 integrity sha
 group 2
!
crypto ikev2 policy site-policy
 proposal prop-1
!
crypto ikev2 authorization policy default
 pool mypool
!
crypto ikev2 profile v2-profile
 match identity remote address 10.0.1.1
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 aaa authorization cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-prof
SSL:
crypto ssl proposal sslvpn1
 protection rsa-aes128-sha1 rsa-aes256-sha1
!
crypto ssl policy sslvpn1
 ssl proposal sslvpn1
 pki trustpoint SSLVPN sign
 ip address local 10.48.67.251 port 443
!
crypto ssl authorization policy default
 pool mypool
!
crypto ssl profile sslvpn1
 match policy sslvpn1
 match url https://flexssl.cisco.com
 aaa authentication user user-pass list SSLUSERS
 aaa authorization group user-pass list SSLAUTHOR
 authentication remote user-pass
 virtual-template 1
!
interface Virtual-Template1 type vpn
 ip unnumbered Loopback1
 ip mtu 1400
 ip nat inside
 vpn mode ssl
FlexVPN SSL Proposal
• Specifies one or more of:
– Encryption algorithm(s)
– Integrity algorithm(s)
• No DH support today
crypto ssl proposal my-proposal
 protection rsa-aes128-sha1 rsa-aes256-sha1
FlexVPN SSL Policy
• Specifies one or more proposal(s) (mandatory)
• Trustpoint used by the SSL server
• Specifies the interface or IP address for the SSL TCP listener
 – Per fVRF (default: global)
 – SSL port configurable (default: 443)
• Multiple match statements of each type (future support)
 – Statements of the same type are logically OR'ed
 – Statements of different types are logically AND'ed
 – The current release only supports a single instance of each type

crypto ssl policy my-policy
 ip interface GigabitEthernet0/0/0 port 443
 pki trustpoint my-cert sign
 ssl proposal my-proposal
 no shutdown
FlexVPN SSL Profile
• Mandatory SSL CLI profile construct
• Selected by matching:
 – IP address from the SSL policy
 – Server URL (optional, if configured)
• Specifies AAA parameters
• Virtual-template is used to spawn a virtual-access interface per user
 – Apply per-user features (VRF, ACL, ZBFW, QoS)
• Multiple match statements of each type (future support)

crypto ssl profile my-profile
 match policy my-policy
 match url https://sslvpn.example.com
 authentication remote user-pass
 aaa authentication user-pass list my-radius
 aaa authorization user user-pass cached
 aaa authorization group list LOCAL_AUTHOR my-policy
 virtual-template 1
 no shutdown
Smart Defaults Constructs (ASR1000 specific)
• Default constructs: crypto ssl proposal default
• SSL proposal "default": protection RSA-AES128-SHA1 RSA-AES256-SHA1
AnyConnect High-Level Connection Flow Example (AnyConnect client and SSLVPN gateway)

1. User launches the AnyConnect client and enters the URL sslvpn.example.com (https://sslvpn.example.com).
2. Client establishes the 3-way TCP handshake to host sslvpn.example.com, port 443.
3. SSL handshake: the server selects a cipher from the proposal list and sends its certificate.
4. Client sends an HTTPS POST to start the Aggregate Authentication initialisation phase:
   POST / HTTP/1.1
   Host: sslvpn.example.com
   User-Agent: AnyConnect Windows 3.1.05182
5. Gateway maps the connection to SSL profile my-profile by matching the URL sslvpn.example.com.
6. Aggregate Auth (auth-request): the gateway sends the client an authentication request ("Please enter your username and password.").

Gateway configuration used in this example:

aaa authentication login SSLVPN_AUTHEN local
aaa authorization network AUTHOR local
crypto ssl proposal my-proposal
 protection rsa-aes128-sha1 rsa-aes256-sha1
!
crypto ssl policy my-policy
 ssl proposal my-proposal
 pki trustpoint my-cert sign
 ip interface GigabitEthernet0/0/0 port 443
!
crypto ssl profile my-profile
 match policy my-policy
 match url https://sslvpn.example.com
 aaa authentication user-pass list SSLVPN_AUTHEN
 aaa authorization user user-pass cached
 aaa authorization group user-pass list AUTHOR my-auth-policy
 authentication remote user-pass
 virtual-template 2
!
crypto ssl authorization policy my-auth-policy
 pool mypool
 def-domain mydomain.com
!
ip local pool mypool 10.45.1.1 10.45.1.254
interface Virtual-Template2 type vpn
 ip unnumbered GigabitEthernet0/0/0
 ip mtu 1400
 vpn mode ssl
AnyConnect High-Level Connection Example (Contd.)

7. Gateway invokes AAA authentication for list "SSLVPN_AUTHEN" plus local authorisation.
8. Gateway retrieves session/user attributes from AAA, e.g. the IPv4 address from pool mypool.
9. Client initiates tunnel establishment and requests attributes such as its IP address via CSTP:
   CONNECT /CSCOSSLC/tunnel HTTP/1.1
   Host: sslvpn.example.com
   X-CSTP-Hostname: admin-PC
   X-CSTP-MTU: 1399
   X-CSTP-Address-Type: IPv6,IPv4
10. Server sends all AnyConnect client attributes (IP address, domain, ...) via CSTP:
   HTTP/1.1 200 OK
   Server: Cisco IOS SSLVPN
   X-CSTP-Address: 45.1.1.3
   X-CSTP-Default-Domain: mydomain.com
11. Gateway clones V-Template2 into V-Access1 and applies per-user features like ACL, QoS, VRF; "show derived-config ..." shows:
   interface Virtual-Access2
    vrf forwarding Eng
    ip unnumbered Loopback1
    vpn mode ssl
12. Tunnel established; user traffic can now be transmitted.

Gateway configuration used in this example (same as before, with the virtual-template placed in VRF Eng):

aaa authentication login SSLVPN_AUTHEN local
aaa authorization network AUTHOR local
crypto ssl proposal my-proposal
 protection rsa-aes128-sha1 rsa-aes256-sha1
!
crypto ssl policy my-policy
 ssl proposal my-proposal
 pki trustpoint my-cert sign
 ip interface GigabitEthernet0/0/0 port 443
!
crypto ssl profile my-profile
 match policy my-policy
 match url https://sslvpn.example.com
 aaa authentication user-pass list SSLVPN_AUTHEN
 aaa authorization user user-pass cached
 aaa authorization group user-pass list AUTHOR my-auth-policy
 authentication remote user-pass
 virtual-template 2
!
crypto ssl authorization policy my-auth-policy
 pool mypool
 def-domain mydomain.com
!
ip local pool mypool 10.45.1.1 10.45.1.254
interface Virtual-Template2 type vpn
 ip unnumbered Loopback1
 vrf forwarding Eng
 ip mtu 1400
 vpn mode ssl
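The profile-selection rules from the SSL policy/profile slides (statements of the same type OR'ed, different types AND'ed, the URL match optional) and the CSTP attribute exchange from the connection flow, modelled as an added Python example. This is not Cisco IOS code and not part of the original deck. It assumes a constructed listener address 192.0.2.1 standing in for GigabitEthernet0/0/0, a simplified URL match (host equality plus path prefix), and that the gateway re-evaluates the profile on the CONNECT request; the profile, pool and domain names come from the slide configuration and the CONNECT request is the one shown on the slide.

```python
"""FlexVPN SSL profile selection and the AnyConnect CSTP attribute exchange,
modelled in Python.  Added example, not Cisco IOS code.  Slide semantics:
same-type match statements are OR'ed, different types AND'ed, 'match url' is
optional.  Assumptions: URL matching = host equality plus path prefix, and the
listener address 192.0.2.1 standing in for GigabitEthernet0/0/0."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

@dataclass
class SslProfile:                 # crypto ssl profile <name>
    name: str
    match_policies: List[str]     # 'match policy' statements (OR'ed)
    match_urls: List[str]         # 'match url' statements (OR'ed); [] = any
    authz_policy: str             # crypto ssl authorization policy to apply

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP request into method, target and a lower-cased header map."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers

def url_matches(pattern: str, host: str, path: str) -> bool:
    """'match url https://fqdn[/path]': host must be equal, path is a prefix."""
    parts = urlsplit(pattern)
    host = host.split(":")[0].lower()          # drop any :port in Host header
    return parts.hostname == host and path.startswith(parts.path or "/")

@dataclass
class Gateway:
    policies: Dict[str, Tuple[str, int]]       # crypto ssl policy -> (ip, port)
    profiles: List[SslProfile]
    authz: Dict[str, Tuple[str, str]]          # authz policy -> (pool, def-domain)
    pools: Dict[str, Tuple[str, str]]          # ip local pool -> (first, last)
    _used: Dict[str, Set[str]] = field(default_factory=dict)

    def select_profile(self, local_ip, port, host, path) -> Optional[SslProfile]:
        """First profile whose 'match policy' AND 'match url' sets both hit."""
        listeners = {n for n, (ip, p) in self.policies.items()
                     if (ip, p) == (local_ip, port)}
        for prof in self.profiles:
            policy_ok = any(n in listeners for n in prof.match_policies)
            url_ok = not prof.match_urls or any(
                url_matches(u, host, path) for u in prof.match_urls)
            if policy_ok and url_ok:
                return prof
        return None

    def allocate(self, pool: str) -> str:
        """Lowest free address of the pool, like 'ip local pool'."""
        first, last = self.pools[pool]
        used = self._used.setdefault(pool, set())
        addr = IPv4Address(first)
        while addr <= IPv4Address(last):
            if str(addr) not in used:
                used.add(str(addr))
                return str(addr)
            addr += 1
        raise RuntimeError(f"pool {pool} exhausted")

    def handle_connect(self, local_ip, port, raw) -> Tuple[int, Dict[str, str]]:
        """Answer the CSTP CONNECT with the per-user attributes from AAA."""
        method, target, hdr = parse_request(raw)
        prof = self.select_profile(local_ip, port, hdr.get("host", ""), target)
        if prof is None:                       # no profile: assumed rejected
            return 404, {}
        if method != "CONNECT" or target != "/CSCOSSLC/tunnel":
            return 400, {}
        pool, domain = self.authz[prof.authz_policy]
        return 200, {"Server": "Cisco IOS SSLVPN",
                     "X-CSTP-Address": self.allocate(pool),
                     "X-CSTP-Default-Domain": domain}

def build_gateway() -> Gateway:
    """Gateway built from the slide configuration (listener IP constructed)."""
    return Gateway(
        policies={"my-policy": ("192.0.2.1", 443)},
        profiles=[SslProfile("my-profile", ["my-policy"],
                             ["https://sslvpn.example.com"], "my-auth-policy")],
        authz={"my-auth-policy": ("mypool", "mydomain.com")},
        pools={"mypool": ("10.45.1.1", "10.45.1.254")})

# CSTP CONNECT request exactly as shown on the slide
CONNECT_REQUEST = """CONNECT /CSCOSSLC/tunnel HTTP/1.1
Host: sslvpn.example.com
X-CSTP-Hostname: admin-PC
X-CSTP-MTU: 1399
X-CSTP-Address-Type: IPv6,IPv4
"""

if __name__ == "__main__":
    print(build_gateway().handle_connect("192.0.2.1", 443, CONNECT_REQUEST))
```

The point to take from the model is the AND across match types: a request that reaches the right listener but carries a Host header the profile's match url does not cover, or that reaches a listener no profile refers to, gets no profile and therefore no tunnel; addresses are only handed out from the pool named by the authorisation policy that the matched profile points at.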
Advanced Features: MPLS VPN over Flex
• Objective: end-to-end VRF separation
• Single IPsec SA for multiple VRFs
• Includes spoke-to-spoke tunnels!
(Figure: hub routers 172.16.1.254 and 172.16.1.253 with spoke sites; the subnets 192.168.100.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 each appear at several sites, one per VRF.)
Performances and Scalability

(Chart: IPsec Forwarding Performance, IMIX throughput at 70% max CPU, in gigabits per second; platforms ASR1000 ESP100 (16 Gbps), ASR1000 ESP40, ASR1000 ESP20, ASR1002-X, ASR1000 ESP10, ASR1000 ESP5, 3945E, 3925, 2925E, 2925, 1941; axis from 0.5 G to 8 G.)
Route Exchange Protocol Selection

Branch-Hub use cases:
• IKEv2: simple, large scale; static (no redistribution IGP <-> IKE); simple branches (< 20 prefixes); identity-based route filtering; lossy networks; high density hubs
• BGP: simple to complex, large scale; dynamic (redistribution IGP <-> BGP); complex branches (> 20 prefixes); powerful route filtering, not identity based; lossy networks; high density hubs, up to 350K routes
• EIGRP: simple to complex; dynamic (redistribution IGP <-> IGP); semi-complex branches (> 20 prefixes); intermediate route filtering, not identity based; lossless networks (very rare); < 5000 prefixes at hub; not recommended at large scale

Hub-Hub use cases:
• BGP: large amount of prefixes (up to 1M); road to scalability; powerful route filtering
• IGP (EIGRP, OSPF): < 5000 prefixes total; perceived simplicity
FlexVPN – High-end Scalability & Performances

Release 3.5+ without QoS (values given as RP1 / RP2 where they differ):
Platform        | Throughput (Max / IMIX) | Max tunnels (RP1 / RP2) | EIGRP neighbours (RP1 / RP2) | BGP neighbours (RP1 / RP2)
ISR 4451        | 1.2 / 0.8 Gbps          | 4000                    | 4000                         | 4000
ASR1001         | 1.8 / 1 Gbps            | 4000                    | 4000                         | 4000
ASR1000 ESP5    | 1.8 / 1 Gbps            | 1000                    | 1000                         | 1000
ASR1000 ESP10   | 4 / 2.5 Gbps            | 1000 / 4000             | 1000 / 4000                  | 1000 / 4000
ASR1000 ESP20   | 7 / 6 Gbps              | 1000 / 4000             | 1000 / 4000                  | 1000 / 4000
ASR1000 ESP40   | 11 / 7.4 Gbps           | 1000 / 4000             | 1000 / 4000                  | 1000 / 4000
ASR1000 ESP100  | 29 / 16 Gbps            | -- / 4000               | -- / 4000                    | -- / 4000
EIGRP neighbours: 1000 recommended (noted on the slide for six of the seven platforms).
Bumping from 4,000 to 10,000 spokes/hub with FlexVPN in 3.12 (RP2, ESP10 & above).

Release 3.10 with QoS (RP2 only):
Platform        | Throughput (Max / IMIX) | Max tunnels | QoS queues
ISR 4451        | 1.2 / 0.8 Gbps          | 2000        | (not listed)
ASR1001         | 1.8 / 1 Gbps            | 4000*       | 16K queues
ASR1000 ESP20   | 7 / 6 Gbps              | 4000        | 128K queues
ASR1000 ESP40   | 11 / 7.4 Gbps           | 4000        | 128K queues
High-End Scalability & Performances – 3.12+ without QoS (RP2 values)
Platform         | Throughput (Max / IMIX) | Max tunnels | EIGRP neighbours | IKE routing | BGP neighbours | QoS
ISR 4451         | 1.2 / 0.8 Gbps          | 2,000       | 2,000            | 2,000       | 2,000          | 10% crypto throughput decrease
ASR 1001         | 1.8 / 1 Gbps            | 4,000       | 4,000            | 4,000       | 4,000          | 16K queues, no crypto impact
ASR 1001-X       | 1.8 / 1 Gbps            | 4,000       | 4,000            | 4,000       | 4,000          | 16K queues, no crypto impact
ASR 1002-X       | 4 / 4 Gbps              | 10,000      | 4,000            | 10,000      | 10,000         | 128K queues, no crypto impact
ASR 1000 ESP5    | 1.8 / 1 Gbps            | 4,000       | 4,000            | 4,000       | 4,000          | 128K queues, no crypto impact
ASR 1000 ESP10   | 4 / 2.5 Gbps            | 4,000       | 4,000            | 4,000       | 4,000          | 128K queues, no crypto impact
ASR 1000 ESP20   | 7 / 6 Gbps              | 10,000      | 4,000            | 10,000      | 10,000         | 128K queues, no crypto impact
ASR 1000 ESP40   | 11 / 7.4 Gbps           | 10,000      | 4,000            | 10,000      | 10,000         | 128K queues, no crypto impact
ASR 1000 ESP100  | 29 / 16 Gbps            | 10,000      | 4,000            | 10,000      | 10,000         | 128K queues, no crypto impact
ASR 1000 ESP200  | 59 / 78 Gbps            | 10,000      | 4,000            | 10,000      | 10,000         | 128K queues, no crypto impact
EIGRP neighbours: 1000 recommended on every platform. RP1: 1,000 tunnels (listed on the slide for three of the ASR 1000 ESP columns).
Bumping from 4,000 to 10,000 spokes/hub with FlexVPN in 3.12 (RP2 only).
FlexVPN - ISR G2 Scalability (tunnels)
Platform | SEC-K9 recommended | SEC-K9 max | SEC-K9 + HSEC-K9 recommended | SEC-K9 + HSEC-K9 max
3945E    | Up to 225          | Up to 225  | Up to 2000                   | Up to 3000
3925E    | Up to 225          | Up to 225  | Up to 1500                   | Up to 3000
3945     | Up to 225          | Up to 225  | Up to 1000                   | Up to 2000
3925     | Up to 225          | Up to 225  | Up to 750                    | Up to 1500
2951     | Up to 225          | Up to 225  | Up to 500                    | Up to 1000
2921     | Up to 225          | Up to 225  | Up to 400                    | Up to 900
2911     | Up to 225          | Up to 225  | n/a*                         | n/a*
2901     | Up to 150          | Up to 225  | n/a*                         | n/a*
1941     | Up to 150          | Up to 225  | n/a*                         | n/a*
1921     | TBD                | TBD        | n/a*                         | n/a*
* HSEC-K9 license does not apply since the max. encrypted tunnel count is below the restricted limits.
FlexVPN - ISR G2 Performances (Mbps; 75% CPU, IMIX, IPsec/AES, single tunnel)
Platform | SEC-K9 recommended | SEC-K9 max | SEC-K9 + HSEC-K9 recommended | SEC-K9 + HSEC-K9 max
3945E    | Up to 170          | Up to 170  | Up to 670                    | Up to 1503
3925E    | Up to 170          | Up to 170  | Up to 477                    | Up to 1497
3945     | Up to 170          | Up to 170  | Up to 179                    | Up to 848
3925     | Up to 154          | Up to 170  | Up to 154                    | Up to 770
2951     | Up to 103          | Up to 170  | Up to 103                    | Up to 228
2921     | Up to 72           | Up to 170  | Up to 72                     | Up to 207
2911     | Up to 61           | Up to 164  | n/a*                         | n/a*
2901     | Up to 53           | Up to 154  | n/a*                         | n/a*
1941     | Up to 48           | Up to 156  | n/a*                         | n/a*
1921     | Up to 44           | N/A        | n/a*                         | n/a*
891      | Up to 66           | N/A        | n/a*                         | n/a*
* HSEC-K9 license does not apply since the max. encrypted tunnel count is below the restricted limits.
FlexVPN CCO Documentation
• CCO doc link
 – http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-mt/sec-flex-vpn-15-mtbook.html
 – Reflects the latest release (currently 15.4(1)T)
• Doc organised into chapters
 – FlexVPN Site-Site
 – FlexVPN Server
 – FlexVPN Client
 – FlexVPN Spoke-Spoke
 – FlexVPN Load-Balancer
 – FlexVPN Reconnect
 – Appendix-1: FlexVPN Radius Attributes
 – Appendix-2: Legacy VPNs
• Changes across releases
 – Documentation reflects the latest release
 – Behaviour/CLI changes are noted in the corresponding sections
FlexVPN CCO Documentation
• FlexVPN Sample Configurations
 – http://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html
• Past FlexVPN sessions from Cisco Live
 – BRKSEC-3036 - Advanced IPsec designs with FlexVPN (2015 Milan) https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=82068
 – BRKSEC-2881 - VPN Remote Access with IOS & Introduction to FlexVPN (2015 Milan) https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=81929
Before We Part
• Sessions of interest
 – BRKSEC-3033 – Advanced AnyConnect Deployment and Troubleshooting with ASA (Friday)
• Meet the Expert
• Follow-up questions: email me at [email protected]

Tom the Ninja

Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2015 T-Shirt! Complete your Overall Event Survey and 5 Session Evaluations.
• Directly from your mobile device on the Cisco Live Mobile App
• By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015
• Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected in the World of Solutions on Friday 20 March, 12:00pm - 2:00pm.

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com