Flex VPN

June 3, 2016 | Author: Yildrim Ekmecki | Category: Types, Presentations
Share Embed Donate


Short Description

FlexVPN...

Description

Deploying FlexVPN with IKEv2 and SSL BRKSEC-3013

Tom Alexander – Technical Leader, Cisco Services Email: [email protected] #clmel

Agenda • FlexVPN Introduction – Why FlexVPN – FlexVPN Positioning

• FlexVPN Building Blocks • Shortcut Switching (FlexMesh)

• FlexVPN & AAA Integration • FlexVPN Redundancy • Remote Access • Wrap-up

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

3

Before We Begin... “Additional info” slides: – Rendered in the presentation PDF (download it through the Cisco Live portal) – Not shown during the live presentation – Cover extra details or small additional topics

“For your Reference” slides: – Just for your reference when back at work. – Will not be covered in detail

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

4

Tidbits about your Speaker  Cruising on VPN Tunnels : 10 + years Whats on my wall -Treat your customer like your best friend Longest Webex Session @ TAC - 15+ hours straight 9 pm – 12 noon Mantra – Work Hard Play Hard ! Don’t make work a job, make it Fun  Email: [email protected] BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

5

Tom the Bug @ Bugathon 13

An Introduction to FlexVPN and IKEv2

EasyVPN, DMVPN and Crypto Maps crypto isakmp policy 1 encr 3des authentication pre-share crypto isakmp policy 1

group 2

crypto isakmp policy 1

crypto isakmp client configuration encr group3des cisco key cisco123

authentication pre-share

encr 3des

pool dvti

group 2

authentication pre-share

group 2 crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac

acl 100 crypto isakmp profile dvti match identity group cisco

mode transport

crypto isakmp client configuration group cisco

crypto ipsec profile vpnprofile

key pr3sh@r3dk3y

client authentication list lvpn set transform-set vpn-ts-set

pool vpnpool

isakmp authorization list lvpn interface Tunnel0

acl 110

ip address 10.0.0.254 255.255.255.0 client configuration address respond virtual-template 1

crypto dynamic-map dynamicmap 10

ip nhrp map multicast dynamic

ip nhrpesp-sha-hmac network-id 1 crypto ipsec transform-set dvti esp-3des crypto ipsec profile dvti

crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac

set transform-set vpn-ts-set

tunnel source Serial1/0

reverse-route

set transform-set dvti

tunnel mode gre multipoint

crypto map client-vpn-map client authentication list userauthen

set isakmp-profile dvti

tunnel protection ipsec profile vpnprof

crypto map client-vpn-map isakmp authorization list groupauthor

interface Virtual-Template1 type tunnel ip route 192.168.0.0 255.255.0.0 Null0router bgp 1 ip unnumbered Ethernet0/0 bgp log-neighbor-changes tunnel mode ipsec ipv4 redistribute static tunnel protection ipsec profile dvti neighbor DMVPN peer-group ip local pool dvti 192.168.2.1 192.168.2.2 bgp listen range 10.0.0.0/24 peer-group DMVPN ip route 0.0.0.0 0.0.0.0 10.0.0.2 neighbor DMVPN remote-as 1 access-list 100 permit ip 192.168.1.0 0.0.0.255 any no auto-summary

crypto map client-vpn-map client configuration address initiate crypto map client-vpn-map client configuration address respond crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap interface FastEthernet0/0 ip address 83.137.194.62 255.255.255.240 crypto map client-vpn-map ip local pool vpnpool 10.10.1.1 10.10.1.254 access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

VPN Technology Selection Death by a thousand questions… 3rd party and legacy support

Hub & Spoke AAA Manageability

Failover time

Spoke – Spoke Direct IPv4/IPv6 dual stack Solution vs Components Failure detection method Design complexity Route Injection Dual DMVPN Dynamic Routing Crypto Map or Tunnels Feature order Multi-Hub Homing Per peer ACL’s Scalability Multicast Multi-ISP Homing

QoS support High Availability BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

FlexVPN Unifies

VPN

Interop

Dynamic Routing

IPsec Routing

Spoke-spoke direct (shortcut)

Remote Access

Simple Failover

Source Failover

Config push

Per-peer config

Per-Peer QoS

Full AAA Management

Unified Overlay VPN’s

Easy VPN

No

No

Yes

No

Yes

Yes

No

Yes

Yes

Yes

Yes

DMVPN

No

Yes

No

Yes

No

partial

No

No

No

group

No

Crypto Map

Yes

No

Yes

No

Yes

poor

No

No

No

No

No

Flex VPN

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

• One VPN to learn and deploy

• Everything works – no questions asked BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

FlexVPN Overview • What is FlexVPN? – IKEv2-based unified VPN technology that combines site-to-site, remote-access, hub-spoke and spoke-to-spoke topologies

• FlexVPN highlights – – – – – – – – –

Unified CLI Based on and compliant to IKEv2 standard Unified infrastructure: leverages IOS Point-to-Point tunnel interface Unified features: most features available across topologies Key features: AAA, Config-mode, dynamic routing, IPv6 Per Spoke level features for QOS, VRF, ZBFW, ACL, etc Simplified configuration using smart-defaults Interoperable with non-Cisco implementations Easier to learn, market and manage

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

10

IKEv2 and FlexVPN Feature History - T train PI

Release

Features introduced

PI12

15.1(1)T

IKEv2 CLI, IKEv2 Site-Site(sVTI-sVTI, sVTI-dVTI), IKEv2–DMVPN

PI13

15.1(2)T

IKEv2 Suite-b

PI14

15.1(3)T

IKEv2 RA Server - interop with Win7 client, IKEv2 fragmentation

PI15

15.1(4)M

IKEv2 IPv6 - sVTI, Crypto-Maps

PI16

15.2(1)T

FlexVPN client FlexVPN Server - interop with Win7, Anyconnect, FlexVPN clients FlexVPN Server v6 - interop with Win7 FlexVPN Smart Defaults, IKEv2 dVTI multi-SA

PI17

15.2(2)T

FlexVPN Spoke-Spoke, Mode Config Separation, FlexVPN TAC EFT feedback, IKEv2 Debug Enhancements

PI18

15.2(3)T

FlexVPN Client - IPv6 and EAP support(MSCHAP-v2, MD5 and GTC), FlexVPN client - Mixed mode support using GRE (v4-over-v6 andv6-over-v4) IKEv2 Initial-Contact enhancements

PI19

15.2(4)M

IKEv2 Load Balancer

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

11

IKEv2 and FlexVPN Feature History - S train XE

Release

Features introduced

3.2

15.1(1)S

IKEv2 Site-Site (sVTI-sVTI, sVTI-dVTI), IKEv2 –DMVPN

3.3

15.1(2)S

IKEv2 RA Server - Win7 client

3.5

15.2(1)S

FlexVPN Server – interop with WIn7, Anyconnect FlexVPN Smart Defaults, IKEv2 dVTI multi-SA

3.7

15.2(3)S

FlexVPN Server v6 – interop with Win7, FlexVPN Client IPv4/IPv6 , Mixed mode support using GRE (v4-over-v6 andv6-over-v4), IKEv2 Initial-Contact enhancements, IKEv2 Debug Enhancements

3.8

15.2(4)M

FlexVPN Spoke-Spoke, FlexVPN client –EAP support (MSCHAP-v2, MD5 and GTC), IKEv2 load balancer

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

12

IKEv2 in a Few Words • Defined in RFC 4306 - updated by RFC 5996 – No interoperability with IKEv1 – Usage ramping up rapidly!

• Both are using the same basic structure aiming at: – Privacy – Integrity – Authentication

• Both run over UDP 500/4500

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

13

Flex is IKEv2 Only • Why Flex now? Authentication Same Objectives ISAKMP RFC2408

DPD Modeconfig DOI RFC2407

Integrity Privacy

IKE RFC2409

IKEv2 RFC5996

Suite B More Secure Anti-DoS

NAT-T

PSK, RSA-Sig Authentication Options

EAP Hybrid Auth

Uses UDP ports 500 & 4500 Similar but Different

Identity Exchange is Cleaner Main + Aggressive  INITIAL Ack’ed notifications

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

14

FlexVPN Building Blocks

FlexVPN and Interfaces Hub 1

Tu0

Tu0

Hub 2 VT2

VT1

Site to Site VA1

VA2

VA3

Tu0

Tu0

Spoke 1

BRKSEC-3013

VT1

Remote Access Hub & Spoke Dynamic Mesh

VA1

© 2015 Cisco and/or its affiliates. All rights reserved.

VA1

Cisco Public

VT1

16

Spoke 2

Remote User

Tu

Static Tunnel

VT

Virtual Template

VA

Virtual Access (dynamically created)

IKEv2 Configuration IKEv2 proposal

IKEv2 policy

Optional (default exists)

Optional (default exists)

IKEv2 keyring

IKEv2 profile

crypto ikev2 proposal prop-1 encryption aes-cbc-128 3des integrity sha1 group 2 ! crypto ikev2 policy site-policy proposal prop-1 ! crypto ikev2 keyring V2-keyring peer cisco address 10.0.1.1 pre-shared-key cisco123 ! crypto ikev2 profile prof match identity remote address 10.0.1.1 authentication local pre-share authentication remote pre-share keyring V2-keyring

Introduced in15.1(1)T BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

17

crypto ikev2 profile default

IKEv2 CLI Overview IKEv2 Profile – extensive CLI Self Identity Control

Matching on peer identity or certificate

Matching on local address and front VRF

Asymmetric local and remote authentication methods IOS based and AAA based Pre-Shared Keyring

identity local address 10.0.0.1 identity local fqdn local.cisco.com identity local email [email protected] identity local dn

match identity remote address 10.0.1.1 match identity remote fqdn remote.cisco.com match identity remote fqdn domain cisco.com match identity remote email [email protected] match identity remote email domain cisco.com match certificate certificate_map match fvrf red match address local 172.168.1.1

authentication local pre-share [key ] authentication local rsa-sig authentication local eap authentication remote pre-share [key ] authentication remote rsa-sig authentication remote eap keyring local keyring aaa pki trustpoint

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

18

IKEv2 Basic Negotiation HDR, SAi1, KEi, Ni

Responder

Initiator HDR, SAr1, KEr, Nr [Certreq]

HDR, SK {IDi, [Cert], [Certreq], [IDr], AUTH, SAi2, TSi, TSr}

HDR, SK {IDr, [Cert], AUTH, TSi, TSr} HDR – IKE Header

SK– payload encrypted and integrity protected

SA[i/r] – cryptographic algorithms the peer proposes/accepts

ID[i/r] – Initiator/Responder Identity Length

KE[i/r] – Initator Key Exchange material

Cert(req) – Certificate (request)

N[i/r] – Initiator/Responder Nonce

AUTH – Authentication data SA - Includes SA, Proposal and Transform Info to Create the 1st CHILD_SA Ts[i/r] – Traffic Selector as src/dst proxies

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

IKEv2 Profile Match Statements match certificate

SubjectName: • CN=RouterName • O=Cisco • OU=Engineering IssuerName: • CN=PKI Server • O=Cisco • OU=IT

HDR, SK {IDi, [Cert], [Certreq], [IDr], AUTH, SAi2, TSi, TSr}

172.16.0.1 router.cisco.com [email protected] … BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

match identity remote address match identity remote fqdn match identity remote email Cisco Public

IPsec CLI Overview Tunnel Protection IPsec transform

IPsec profile defines SA parameters and points to IKEv2 profile Dynamic and Static point-to-point interfaces Static point-to-point interfaces

Tunnel protection links to IPsec profile

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

crypto ipsec transform-set default esp-aes 128 esp-sha-hmac crypto ipsec profile default set transform-set default set crypto ikev2 profile default interface Virtual-Template1 type tunnel ip unnumbered Loopback0 tunnel protection ipsec profile default interface Tunnel0 ip address 10.0.0.1 255.255.255.252 tunnel source Ethernet0/0 tunnel destination 172.16.2.1 tunnel protection ipsec profile default Cisco Public

21

Introducing Smart Defaults Intelligent, reconfigurable defaults crypto ipsec crypto ipsectransform-set transform-set default default esp-aes 128 esp-aes 128 esp-sha-hmac esp-sha-hmac

crypto ikev2 profile default match identity remote address 10.0.1.1 authentication local rsa-sig authentication remote rsa-sig aaa authorization user cert list default default pki trustpoint TP ! interface Tunnel0 ip address 192.168.0.1 255.255.255.252 tunnel protection ipsec profile default What you need to specify

cryptoipsec crypto ipsecprofile profile default default set transform-set default set crypto ikev2 profile default cryptoikev2 crypto ikev2proposal proposal default default encryption aes-cbc-256 aes-cbc-128 3des integrity sha512 sha 256 sha1 md5 group 5 2 cryptoikev2 crypto ikev2policy policy default default match fvrf any proposal default

cryptoikev2 crypto ikev2authorization authorisation policy policy default default route set interface These constructs are the Smart Defaults route accept any BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

22

Static Site-to-Site Example Router 1

Router 2

Perform IKE SA agreement & Diffie-Hellman key exchange (not shown)

My IKE ID is: r1.cisco.com (FQDN) My PSK authentication payload is... I want to protect GRE traffic between... Map connection to IKEv2 profile “default” by matching on peer FQDN Verify peer’s AUTH payload & produce our own based on configured PSK Use our own FQDN as IKE ID

My IKE ID is: r2.cisco.com (FQDN) My PSK authentication payload is... I agree to protect GRE traffic between... Finalize IPSec SAs (GRE between local & remote WAN addresses) Establish routing protocol neighbourship & exchange prefixes BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

23

crypto ikev2 keyring my_keyring peer R1 hostname r1.cisco.com pre-shared-key cisco123 crypto ikev2 profile default match identity remote fqdn r1.cisco.com identity local fqdn r2.cisco.com authentication remote pre-share authentication local pre-share keyring local my_keyring ! interface Tunnel0 ip address 10.0.0.2 255.255.255.252 tunnel source Ethernet0/0 tunnel destination 192.0.2.1 tunnel protection ipsec profile default ! interface Ethernet0/0 ip address 192.0.2.2 255.255.255.0 ! router rip version 2 network 10.0.0.0 ...

FlexVPN AAA Integration

Dynamic Point-to-Point Interfaces P2P interface template FlexVPN Server Dynamically instantiated P2P interfaces interface Virtual-Access1 interface Virtual-Access2 ip unnumbered Loopback0 interface ip unnumbered Loopback0 tunnel sourceVirtual-Access3 ip unnumbered Loopback0 tunnel source tunnel destination tunnel source tunnel destination tunnel mode ipsec ipv4 tunnel destination tunnel mode ipsec ipv4 tunnel protection ipsec profile default tunnel mode output ipsec ipv4 tunnel protection ipsec profile default service-policy mobile-QoS tunnel protection ipsec profile default service-policy output traveler-QoS service-policy output home-office-QoS

VT1 VA1

VA2

VA3

crypto ikev2 profile default ... virtual-template 1 ! interface Virtual-Template1 type tunnel ip unnumbered Loopback0 tunnel mode ipsec ipv4 tunnel protection ipsec profile default

Routing table (RIB/FIB) S L S S S S

default via Ethernet0/0 10.0.1.1/32 local Loopback0 10.0.1.10/32 via Virtual-Access1 10.0.1.11/32 via Virtual-Access2 10.0.1.12/32 via Virtual-Access3 10.42.1.0/24 via Virtual-Access3

Static P2P interface 10.0.1.10/32

10.0.1.11/32

10.0.1.12/32

10.42.1.0/24

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

25

Tun0

interface Tunnel0 ip address negotiated tunnel source Ethernet0/0 tunnel destination tunnel mode ipsec ipv4 tunnel protection ipsec profile default

High-Level AAA Operations RA Client IKEv2 Initiator RADIUS Client EAP Supplicant

FlexVPN Server IKEv2 Responder RADIUS NAS EAP Authenticator

AAA Server RADIUS Server EAP Backend

Cert. Authentication

Authentication

PSK Authentication

AAA PSK Retrieval EAP Client Authentication

Cached Authorization

Authorisation

Local Authorisation RADIUS Authorisation

   

Your assigned IPv6 address is ... Your DNS server is ... There is no WINS server The protected subnets are ...

Configuration Exchange RADIUS Accounting

Accounting BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

26

Building Block – IKEv2 Name Mangler RA Client IKEv2 Initiator

FlexVPN Server IKEv2 Responder RADIUS NAS

AAA Server RADIUS Server

IKEv2 Exchange FQDN: joe.cisco.com Email: [email protected] DN: cn=joe,ou=IT,o=Cisco EAP: joe@cisco

crypto ikev2 name-mangler extract-user fqdn hostname email username dn common-name eap prefix delimiter @

Client Identity IKEv2 Name Mangler AAA Username: joe

Static password (configurable) Local AAA Request Username: joe

RADIUS AAA Request Username: joe, password: cisco

• Start with the peer’s IKE or EAP identity • Derive a username that is meaningful to AAA (local or RADIUS) BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

27

Authorisation Types • Not mutually exclusive – May be combined Implicit User Authorisation crypto ikev2 profile default aaa authorization user {psk|eap} cached

Eg. aaa authentication user eap mylist

Uses cached attributes received from RADIUS during AAA PSK retrieval or EAP authentication Explicit User Authorisation crypto ikev2 profile default aaa authorization user {psk|eap|cert} list list [name | name-mangler mangler]

Retrieves user attributes from RADIUS (local database not supported)

Explicit Group Authorisation

Reverse order of precedence (group > user)

crypto ikev2 profile default aaa authorization group {psk|eap|cert} [override] list list [name | name-mangler mangler]

Retrieves group attributes from RADIUS or local database BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

28

Attributes – Merging FlexVPN Server

AAA Server Received during AAA-based authentication

Attribute

Value

Framed-IP-Address

10.0.0.101

ipsec:dns-servers

10.2.2.2

Cached User Attributes Explicit User Attributes take precedence

Explicit User Attributes Attribute

Value

Framed-IP-Address

172.16.1.2

ipsec:dns-servers

10.2.2.2

Received during explicit user authorisation Attribute

Value

Framed-IP-Address

172.16.1.2

Merged User Attributes Merged User Attributes take precedence except if “group override” configured

Explicit Group Attributes

Received during explicit group authorisation Attribute

Value

Attribute

Value

ipsec:dns-servers

172.19.1.2

Framed-IP-Address

172.16.1.2

ipsec:banner

Welcome !

ipsec:dns-servers

10.2.2.2

ipsec:banner

Welcome !

BRKSEC-3013

Final Merged Attributes

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

29

Authorisation Example RA Client

FlexVPN Server My IKE ID is cn=joe-pc, ou=Eng, o=Cisco Here is my identity certificate I need an IPv4 address

Map connection to IKEv2 profile “default” by matching on cert-map “cisco” Perform certificate-based authentication (not shown)

Run client IKE ID to name-mangler “get-ou” & username output is “Eng” Invoke AAA with list “here” (local) & username “Eng” & auth policy “Eng” Allocate IPv4 address from pool “pool-Eng” Clone V-Template1 into V-Access1, apply VRF & IP unnumbered

Your IPv4 address is: 10.0.1.10/32

“show derived-config ...” BRKSEC-3013

interface Virtual-Access1 vrf forwarding Eng ip unnumbered Loopback1 tunnel source 192.0.2.2 tunnel mode ipsec ipv4 tunnel destination 192.168.221.129 tunnel protection ipsec profile default

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

30

aaa authorization network AUTHOR local aaa attribute list attr-Eng attribute type interface-config “ip vrf forwarding Eng" attribute type interface-config "ip unnumbered Loopback1" ! crypto ikev2 authorization policy Eng pool pool-Eng netmask 255.255.255.255 aaa attribute list attr-Eng ! crypto pki certificate map cisco 1 subject-name co o = cisco ! crypto ikev2 name-mangler get-ou dn organization-unit ! crypto ikev2 profile default match certificate cisco identity local dn authentication remote rsa-sig authentication local rsa-sig pki trustpoint root aaa authorization group cert list AUTHOR name-mangler ou virtual-template 1 ! ip local pool pool-Eng 10.0.1.10 10.0.1.99 ! interface Loopback1 vrf forwarding Eng ip address 10.0.1.1 255.255.255.255 ! interface Virtual-Template1 type tunnel no ip address tunnel mode ipsec ipv4 tunnel protection ipsec profile default

Accounting and Change of Authorisation

AAA Accounting We know a lot about Spoke1 ! Spoke Spoke Spoke Spoke Spoke …

1: 1: 1: 1: 1:

21:52 21:53 21:52 10:34 10:34

02-Jan-2015 01-Jan-2015 31-Dec-2014 12-Oct-2014 11-Jun-2014

to to to to to

22:50 21:50 21:50 21:50 21:50

03-Jan 2015 02-Jan-2015 01-Jan-2014 31-Dec-2014 12-Oct-2014

200.7 231.1 216.4 90.12 0.75

MB MB MB GB TB

in in in in in

442.7 401.2 398.8 180.6 1.21

© 2015 Cisco and/or its affiliates. All rights reserved.

out out out out out

Cisco Public

32

.254 Spoke 1 stands out…

Spoke Spoke Spoke Spoke Spoke Spoke

Since 31 Dec, Spoke 1 has been disconnecting and reconnecting every 24 hours…

BRKSEC-3013

MB MB MB GB TB

192.168.100.0/24 .1

172.16.0.1 Connected 22:51

1: 2: 3: 4: 5: 6:

Connected Connected Connected Connected Connected

11:12 22:34 16:51 10:34 10:34

03-Jan 12-Oct 12-Oct 11-Oct 10-Oct 13-Nov

2015 2014 2014 2014 2014 2014

123.6 403.1 450.5 539.7 245.3 245.3

MB GB GB GB GB GB

in in in in in in

207.2 880.1 832.0 989.4 103.8 872.6

MB GB GB GB GB GB

out out out out out out

Activating AAA Accounting And why it is a good idea too… A Good Idea ?

• Because it is simple!

aaa group server radius MyRADIUS server-private 192.168.104.101 key cisco

• Captures even short lived sessions  event driven vs. polling (e.g. SNMP)

aaa accounting network ACCT start-stop group MyRADIUS

• Reliable protocol (acknowledged)

crypto ikev2 profile default match identity fqdn domain mycompany.com authentication local rsa-sig authentication remote rsa-sig pki trustpoint TP aaa authorization group cert list default default aaa accounting cert ACCT Tell IKEv2 to report session status virtual-template 1

 more reliable than SNMP traps

• Maps the identity to the statistics  no more crossing tables (IPID)

• You may need it anyway – Authorisation, IP pool…

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

33

AAA Accounting RA Client

FlexVPN Server IKEv2 (EAP) & IPsec

Upon client connection: RADIUS Acct-Request (Start)

RADIUS Server

RADIUS Acct-Response 192.168.221.129 Assigned address: 10.0.1.101

10.0.0.1

aaa accounting network rad start-stop group frad aaa group server radius frad server-private 10.0.0.2 auth-port 1812 acct-port 1813 key s3cr3t ! crypto ikev2 profile default aaa authentication eap frad aaa authorization user eap cached aaa accounting eap frad

Accounting-Request (Start)

IKE ID

Client public IP address

Acct-Session-Id = "0000001B" Cisco-AVPair = "isakmp-phase1-id=acvpn" Cisco-AVPair = "isakmp-initator-ip=192.168.221.129" Framed-IP-Address = 10.0.1.101 Assigned IP address User-Name = "joe@cisco" Cisco-AVPair = "connect-progress=No Progress" Acct-Authentic = Local EAP username Acct-Status-Type = Start NAS-IP-Address = 10.0.0.1 Acct-Delay-Time = 0 BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

34

Upon client disconnection: RADIUS Acct-Request (Stop)

10.0.0.2

RADIUS Acct-Response

Accounting-Request (Stop) Acct-Session-Id = "0000001B" Cisco-AVPair = "isakmp-phase1-id=acvpn" Cisco-AVPair = "isakmp-initator-ip=192.168.221.129" Framed-IP-Address = 10.0.1.101 User-Name = "joe@cisco" Statistics Acct-Authentic = Local Cisco-AVPair = "connect-progress=No Progress" Acct-Session-Time = 104 Acct-Input-Octets = 13906 Acct-Output-Octets = 11040 Acct-Input-Packets = 207 Acct-Output-Packets = 92 Acct-Terminate-Cause = 0 Cisco-AVPair = "disc-cause-ext=No Reason" Acct-Status-Type = Stop NAS-IP-Address = 10.0.0.1 Acct-Delay-Time = 0

Demo – AAA CoA Magic !

Tom the Pundit

A Simplistic Configuration RADIUS based Authentication, Authorisation and Accounting aaa group server radius ISE server-private 192.168.104.101 key CISCO ! aaa authentication login ISE group ISE aaa authorization network ISE group ISE aaa accounting network ISE start-stop group ISE ! aaa server radius dynamic-author client 192.168.104.101 server-key CISCO auth-type all ! crypto ikev2 profile default match identity remote any identity local dn authentication remote eap query-identity authentication local rsa-sig pki trustpoint TRUSTPOINT EAP Authentication aaa authentication eap ISE aaa authorization user eap cached Authorization aaa accounting eap ISE virtual-template 1 Accounting (optional but recommended)

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

36

How CoA Works Session is set up – V-Access is populated

Generated by IOS, Cisco Av pair Uniquely identifies each client session

ACCESS (Request, Audit Session ID, username, password) Possibly more (if EAP)

ACCESS (Accept, Profile)

192.168.100.0/24

FlexVPN Server

.1

.254

ip access-list 100 in service-policy Silver out …

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

37

Accounting Session is set up – Accounting Starts Unique ID, generated by IOS ACCT (Audit Session ID, START, params…) ACCT (Audit Session ID, ACK)

FlexVPN Server

192.168.100.0/24 .1

.254

ip access-list 100 in service-policy Silver out …

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

38

CoA – Packet of Disconnect Remote clearing of a session

Accounting tells the administrator whether it is worth sending… (session status)

CoA (Disconnect-Request, Audit Session ID) CoA (Disconnect-Request ACK, Audit Session ID)

Session is terminated

192.168.100.0/24 .1

.254

FlexVPN Server

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

39

CoA – Change of Authorisation The Real Thing ™ CoA (CoA-Request, Audit Session ID, new profile) CoA (CoA-Request ACK, Audit Session ID)

Session is updated

192.168.100.0/24 .1

.254

FlexVPN Server ip access-list 100 in ip access-list 100 in service-policy Silver out service-policy Gold out service-policy Slow out … …

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

40

Shortcut Switching With IKEv2 Routing

FlexVPN Mesh Network Diagram with Hub Resiliency 192.168.100.0/24 .1

.2

172.16.0.1

.254 172.16.0.2

Virtual-Access Interfaces

Static Tunnel Interface

Virtual-Access Interfaces

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

42

Hub and Spoke Bootstrap – Config Exchange 192.168.100.0/24

192.168.1.0/24

.1

172.16.1.1

.254

172.16.0.1

SA Prop (AES-256, SHA-1, DH 5), KEi, Ni

Routing Table

Spoke Assigned Address (optional)

172.16.0.1/32  172.16.1.254 (E0/0) 192.168.1.0/24  Ethernet 0/1 10.0.0.254/32  Tunnel 0 192.168.0.0/16  Tunnel 0

IDi=Spoke1.cisco.com, Auth, TSi, TSr, CFG_Req(IP4_SUBNET…)

BRKSEC-3013

Ethernet0/0: 172.16.0.1 Ethernet0/1: 192.168.100.1 Loopback0: 10.0.0.254/32 VirtualAccess1: 10.0.0.254/32

0.0.0.0/0  172.16.0.254 (E0/0) 192.168.100.0/24  Ethernet 0/1 10.0.0.1/32  VirtualAccess1 192.168.1.0/24  VirtualAccess1

IDr, cert, Auth, TSi, TSr, CFG_Reply(IP4_SUBNET=10.0.0.254/32, 192.168.0.0/16; IP4_ADDRESS=10.0.0.1) CFG_set(IP4_SUBNET=10.0.0.1/32, 192.168.1.0/24, 10.0.0.1/32)

Supernet covering all spokes LAN prefixes

Interfaces

Ethernet0/0: 172.16.1.1 Ethernet0/1: 192.168.1.1 Tunnel0: 10.0.0.1

Routing Table

Interfaces

SA Prop (AES-256, SHA-1, DH 5), KEr, Nr

CFG_ack()

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

43

Hub 1 .1

192.168.100.0/24

172.16.1.1 10.0.0.1

Physical: Tunnel:

-

C 192.168.1.0/24  Eth0 C 10.0.0.1  Tunnel0 S 0.0.0.0/0  Dialer0 S 10.0.0.254/32  Tunnel0 S 192.168.0.0/16  Tunnel0 BRKSEC-3013

C 10.0.0.253  Loopback0 C 192.168.100.0/24  Eth0 S 192.168.0.0/16  Tunnel100 S 10.0.0.0/8  Tunnel100 S 10.0.0.2  V-Access1 S 192.168.2.0/24  V-Access1

Physical: 172.16.0.2 Tunnel: 10.0.0.253

Spoke 2 192.168.2.0/24

Spoke 1 192.168.1.0/24

© 2015 Cisco and/or its affiliates. All rights reserved.

Routing Table

NHRP Table Routing Table

Hub 2 .2

Tunnel 100

Physical: 172.16.0.1 Tunnel: 10.0.0.254

Physical: Tunnel:

Routing Table

C 10.0.0.254  Loopback0 C 192.168.100.0/24  Eth0 S 192.168.0.0/16  Tunnel100 S 10.0.0.0/8  Tunnel100 S 10.0.0.1  V-Access1 S 192.168.1.0/24  V-Access1

NHRP Table

Routing Table

FlexVPN Hub and Spoke – IKE Route Exchange

Cisco Public

44

172.16.2.1 10.0.0.2

-

C 192.168.2.0/24  Eth0 C 10.0.0.2  Tunnel1 S 0.0.0.0/0  Dialer0 S 10.0.0.253/32  Tunnel1 S 192.168.0.0/16  Tunnel1

There is a better path directly to spoke

NHRP Table

Routing Table

192.168.100.0/24

Hub 2 .2

Tunnel 100

Physical: 172.16.0.1 Tunnel: 10.0.0.254

Physical: Tunnel:

Routing Table

Hub 1 .1

172.16.1.1 10.0.0.1

Physical: Tunnel:

-

C 192.168.1.0/24  Eth0 C 10.0.0.1  Tunnel0 S 0.0.0.0/0  Dialer0 S 10.0.0.254/32  Tunnel0 S 192.168.0.0/16  Tunnel0 BRKSEC-3013

C 10.0.0.253  Loopback0 C 192.168.100.0/24  Eth0 S 192.168.0.0/16  Tunnel100 S 10.0.0.0/8  Tunnel100 S 10.0.0.2  V-Access1 S 192.168.2.0/24  V-Access1

Physical: 172.16.0.2 Tunnel: 10.0.0.253

Spoke 2 192.168.2.0/24

Spoke 1 192.168.1.0/24

© 2015 Cisco and/or its affiliates. All rights reserved.

NHRP Table

C 10.0.0.254  Loopback0 C 192.168.100.0/24  Eth0 S 192.168.0.0/16  Tunnel100 S 10.0.0.0/8  Tunnel100 S 10.0.0.1  V-Access1 S 192.168.1.0/24  V-Access1

Routing Table

Routing Table

FlexVPN Mesh – Indirection

Cisco Public

45

172.16.2.1 10.0.0.2

-

C 192.168.2.0/24  Eth0 C 10.0.0.2  Tunnel1 S 0.0.0.0/0  Dialer0 S 10.0.0.253/32  Tunnel1 S 192.168.0.0/16  Tunnel1

NHRP Table Routing Table

Hub 2 .2

Tunnel 100 Resolution (192.168.2.2)

Physical: 172.16.0.1 Tunnel: 10.0.0.254

Physical: Tunnel:

192.168.100.0/24

Routing Table

Hub 1 .1

172.16.1.1 10.0.0.1

C 10.0.0.253  Loopback0 C 192.168.100.0/24  Eth0 S 192.168.0.0/16  Tunnel100 S 10.0.0.0/8  Tunnel100 S 10.0.0.2  V-Access1 S 192.168.2.0/24  V-Access1

Physical: 172.16.0.2 Tunnel: 10.0.0.253

Physical: Tunnel: Resolution Reply (192.168.2.0/24)

10.0.0.2/32  172.16.2.1 192.168.2.0/24  172.16.2.1

Spoke 2 192.168.2.0/24

Spoke 1 192.168.1.0/24

C 192.168.1.0/24  Eth0 C 10.0.0.1  Tunnel0 S 0.0.0.0/0  Dialer0 S 10.0.0.254/32  Tunnel0 S 192.168.0.0/16  Tunnel0 H/S 10.0.0.2/32  V-Access1 H/S 192.168.2.0/24  V-Access1 BRKSEC-3013 © 2015 Cisco and/or its affiliates. All rights reserved.

NHRP Table

C 10.0.0.254  Loopback0 C 192.168.100.0/24  Eth0 S 192.168.0.0/16  Tunnel100 S 10.0.0.0/8  Tunnel100 S 10.0.0.1  V-Access1 S 192.168.1.0/24  V-Access1

Routing Table

Routing Table

FlexVPN Mesh – Resolution

Cisco Public

46

172.16.2.1 10.0.0.2

10.0.0.1  172.16.1.1

C 192.168.2.0/24  Eth0 C 10.0.0.2  Tunnel1 S 0.0.0.0/0  Dialer0 S 10.0.0.253/32  Tunnel1 S 192.168.0.0/16  Tunnel1 H/S 10.0.0.1/32  V-Access1

Hub 1 .1

192.168.100.0/24

C 10.0.0.253  Loopback0 C 192.168.100.0/24  Eth0 S 192.168.0.0/16  Tunnel100 S 10.0.0.0/8  Tunnel100 S 10.0.0.2  V-Access1 S 192.168.2.0/24  V-Access1

Physical: 172.16.0.2 Tunnel: 10.0.0.253

172.16.1.1 10.0.0.1

Physical: Tunnel:

10.0.0.2/32  172.16.2.1 192.168.2.0/24  172.16.2.1 Spoke 2 192.168.2.0/24

Spoke 1 192.168.1.0/24

C 192.168.1.0/24  Eth0 C 10.0.0.1  Tunnel0 S 0.0.0.0/0  Dialer0 S 10.0.0.254/32  Tunnel0 S 192.168.0.0/16  Tunnel0 H/S 10.0.0.2/32  V-Access1 H/S 192.168.2.0/24  V-Access1 BRKSEC-3013 © 2015 Cisco and/or its affiliates. All rights reserved.

Routing Table

NHRP Table Routing Table

Hub 2 .2

Tunnel 100

Physical: 172.16.0.1 Tunnel: 10.0.0.254

Physical: Tunnel:

Routing Table

C 10.0.0.254  Loopback0 C 192.168.100.0/24  Eth0 S 192.168.0.0/16  Tunnel100 S 10.0.0.0/8  Tunnel100 S 10.0.0.1  V-Access1 S 192.168.1.0/24  V-Access1

NHRP Table

Routing Table

FlexVPN Mesh – Shortcut Forwarding

Cisco Public

47

172.16.2.1 10.0.0.2

10.0.0.1  172.16.1.1

C 192.168.2.0/24  Eth0 C 10.0.0.2  Tunnel1 S 0.0.0.0/0  Dialer0 S 10.0.0.253/32  Tunnel1 S 192.168.0.0/16  Tunnel1 H/S 10.0.0.1/32  V-Access1

FlexVPN Mesh (IKEv2 Routing) Hub 1 Configuration Accept connections from Spokes

crypto ikev2 profile default match identity remote fqdn domain cisco.com identity local fqdn Hub1.cisco.com authentication remote rsa-sig Local or AAA spoke profiles supported. Can even control authentication local rsa-sig QoS, ZBF, NHRP redirect, pki trustpoint TP network-id, … dpd 10 2 on-demand aaa authorization group cert list default default virtual-template 1 ! crypto ikev2 authorization policy default route set remote 10.0.0.0 255.0.0.0 route set remote 192.168.0.0 255.255.0.0

These prefixes can also be set by RADIUS

BRKSEC-3013

Defines which prefixes should be protected

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

48

Static per-spoke features applied here

interface Virtual-Template1 type tunnel ip unnumbered Loopback0 NHRP is the magic ip nhrp network-id 1 All V-Access will be in the ip nhrp redirect same network-id ip access-group AllowMyBGP in tunnel protection ipsec profile default ! Hub 1 dedicated overlay address interface Loopback0 ip address 10.0.0.254 255.255.255.255 ! Inter-Hub link interface Tunnel100 (not encrypted) ip unnumbered Loopback0 ip nhrp network-id 1 Same NHRP networkid on v-access and ip nhrp redirect inter-hub link tunnel source Ethernet0/1 tunnel destination 192.168.100.2

FlexVPN Mesh (IKEv2 Routing) Hub 2 Configuration crypto ikev2 profile default match identity remote fqdn domain cisco.com identity local fqdn Hub2.cisco.com authentication remote rsa-sig Dedicated Identity authentication local rsa-sig (optional) pki trustpoint TP dpd 10 2 on-demand aaa authorization group cert list default default virtual-template 1 ! crypto ikev2 authorization policy default route set remote 10.0.0.0 255.0.0.0 route set remote 192.168.0.0 255.255.0.0

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

49

interface Virtual-Template1 type tunnel ip unnumbered Loopback0 ip nhrp network-id 1 ip nhrp redirect ip access-group AllowMyBGP in tunnel protection ipsec profile default ! Dedicated Overlay Address interface Loopback0 ip address 10.0.0.254 255.255.255.255 ! interface Tunnel100 ip unnumbered Loopback0 ip nhrp network-id 1 ip nhrp redirect tunnel source Ethernet0/1 tunnel destination 192.168.100.2

FlexVPN Mesh (IKEv2 Routing)

QoS Everywhere!

Spoke Configuration interface Tunnel0 Tunnel to Hub 1 ip unnumbered Loopback0 ip nhrp network-id 1 ip nhrp shortcut virtual-template 1 tunnel source Ethernet0/0 tunnel destination 172.16.0.1 tunnel protection ipsec profile default ! interface Tunnel1 Tunnel1 to Hub 2 ip unnumbered Loopback0 ip nhrp network-id 1 ip nhrp shortcut virtual-template 1 tunnel source Ethernet0/0 tunnel destination 172.16.0.2 tunnel protection ipsec profile default

crypto ikev2 profile default match identity remote fqdn domain cisco.com identity local fqdn Spoke2.cisco.com authentication remote rsa-sig authentication local rsa-sig Needed for tunnel pki trustpoint TP address exchange dpd 10 2 on-demand aaa authorization group cert list default default virtual-template 1

crypto ikev2 authorization policy default route set interface route set interface e0/0

interface Virtual-Template1 type tunnel ip unnumbered Loopback0 ip nhrp network-id 1 ip nhrp shortcut virtual-template 1 tunnel protection ipsec profile default

V-Template to clone for spoke-spoke tunnels

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

50

QoS can be applied here

interface Loopback0 ip address 10.0.0.2 255.255.255.255

Shortcut Switching With a routing protocol (BGP)

Hub 1 .1

192.168.100.0/24

172.16.1.1 10.0.0.1

Physical: Tunnel:

-

C 192.168.1.0/24  Eth0 C 10.0.0.1  Tunnel0 S 0.0.0.0/0  Dialer0 S 10.0.0.254/32  Tunnel0 B 192.168.0.0/16  10.0.0.254 BRKSEC-3013

C 10.0.0.253  Loopback0 C 192.168.100.0/24  Eth0 S 192.168.0.0/16  Tunnel100 S 10.0.0.0/8  Tunnel100 S 10.0.0.2  V-Access1 B 192.168.2.0/24  10.0.0.2

Physical: 172.16.0.2 Tunnel: 10.0.0.253

Spoke 2 192.168.2.0/24

Spoke 1 192.168.1.0/24

© 2015 Cisco and/or its affiliates. All rights reserved.

Routing Table

NHRP Table Routing Table

Hub 2 .2

Tunnel 100

Physical: 172.16.0.1 Tunnel: 10.0.0.254

Physical: Tunnel:

Routing Table

C 10.0.0.254  Loopback0 C 192.168.100.0/24  Eth0 S 192.168.0.0/16  Tunnel100 S 10.0.0.0/8  Tunnel100 S 10.0.0.1  V-Access1 B 192.168.1.0/24  10.0.0.1

NHRP Table

Routing Table

FlexVPN Mesh with BGP Routing

Cisco Public

52

172.16.2.1 10.0.0.2

-

C 192.168.2.0/24  Eth0 C 10.0.0.2  Tunnel1 S 0.0.0.0/0  Dialer0 S 10.0.0.253/32  Tunnel1 B 192.168.0.0/16  10.0.0.253

FlexVPN Mesh (BGP) Hub 1 Configuration Accept connections crypto ikev2 profile default from Spokes match identity remote fqdn domain cisco.com identity local fqdn Hub1.cisco.com authentication remote rsa-sig Local or AAA spoke profiles authentication local rsa-sig ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2 supported. Can even control QoS, pki trustpoint TP NHRP redirect, network-id, … ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2 dpd 10 2 on-demand aaa authorization group cert list default default Dynamically accept spoke router bgp 1 virtual-template 1 BGP peering! bgp log-neighbor-changes Static per-per config here… bgp listen range 10.0.0.0/24 peer-group Flex interface Virtual-Template1 type tunnel ! ip unnumbered Loopback0 address-family ipv4 ip access-group AllowMyBGP in NHRP is the magic neighbor Flex peer-group All V-Access will be in the ip nhrp network-id 1 same network-id neighbor Flex remote-as 1 ip nhrp redirect neighbor Flex timers 5 15 tunnel protection ipsec profile default neighbor Flex next-hop-self all redistribute static route-map rm Hub 1 dedicated overlay address interface Loopback0 exit-address-family ip address 10.0.0.254 255.255.255.255 ! route-map filters static routes route-map rm permit 10 Inter-Hub link to redistribute in BGP interface Tunnel100 (not encrypted) match tag 2 ip unnumbered Loopback0 ip nhrp network-id 1 Same NHRP networkip nhrp redirect id on v-access and tunnel source Ethernet0/1 inter-hub link tunnel destination 192.168.100.2 BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

53

FlexVPN Mesh (BGP) Hub 2 Configuration crypto ikev2 profile default match identity remote fqdn domain cisco.com identity local fqdn Hub2.cisco.com authentication remote rsa-sig Dedicated Identity authentication local rsa-sig pki trustpoint TP (optional) dpd 10 2 on-demand aaa authorization group cert list default default virtual-template 1

ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2 ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2 router bgp 1 bgp log-neighbor-changes bgp listen range 10.0.0.0/24 peer-group Flex ! address-family ipv4 redistribute static route-map rm neighbor Flex peer-group neighbor Flex remote-as 1 neighbor Flex timers 5 15 neighbor Flex next-hop-self all exit-address-family ! route-map rm permit 10 match tag 2

interface Virtual-Template1 type tunnel ip unnumbered Loopback0 ip access-group AllowMyBGP in ip nhrp network-id 1 ip nhrp redirect tunnel protection ipsec profile default

Dedicated Overlay Address interface Loopback0 ip address 10.0.0.253 255.255.255.255 interface Tunnel100 ip unnumbered Loopback0 ip nhrp network-id 1 ip nhrp redirect tunnel source Ethernet0/1 tunnel destination 192.168.100.1 BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

• Almost the same as Hub 1 again!

Cisco Public

54

QoS Everywhere!

FlexVPN Mesh (BGP) Spoke Configuration crypto ikev2 profile default match identity remote fqdn domain cisco.com identity local fqdn Spoke2.cisco.com authentication remote rsa-sig authentication local rsa-sig Needed for tunnel pki trustpoint TP address exchange dpd 10 2 on-demand aaa authorization group cert list default default virtual-template 1

interface Tunnel0 Tunnel to Hub 1 ip unnumbered Loopback0 ip nhrp network-id 1 ip nhrp shortcut virtual-template 1 tunnel source Ethernet0/0 tunnel destination 172.16.0.1 tunnel protection ipsec profile default ! interface Tunnel1 Tunnel1 to Hub 2 ip unnumbered Loopback0 ip nhrp network-id 1 ip nhrp shortcut virtual-template 1 tunnel source Ethernet0/0 tunnel destination 172.16.0.2 tunnel protection ipsec profile default

router bgp 1 bgp log-neighbor-changes neighbor 10.0.0.253 remote-as 1 neighbor 10.0.0.253 timers 5 15 neighbor 10.0.0.254 remote-as 1 neighbor 10.0.0.254 timers 5 15 ! address-family ipv4 network 192.168.2.0 neighbor 10.0.0.253 activate neighbor 10.0.0.254 activate maximum-paths ibgp 2

V-Template to clone for spoke-spoke tunnels BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

55

interface Virtual-Template1 type tunnel ip unnumbered Loopback0 ip nhrp network-id 1 ip nhrp shortcut virtual-template 1 tunnel protection ipsec profile default

QoS can be applied here

interface Loopback0 ip address 10.0.0.2 255.255.255.255

Per Session Features: ACL, VRF ,ZbFW, QoS

Provisioning Per-Peer Features Central and Distributed Models

Option #2: Local AAA profiles on Router

Some spokes with high bandwidth

Option #1: Features on different VirtualTemplate

192.168.100.0/24 .1

.254

172.16.0.1 Option #3: Centralized Policy enforcement on RADIUS

Some spokes belong to VRF Red

Some spokes belong to VRF Blue

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Some spokes with low bandwidth

Cisco Public

57

VRF Injection

192.168.100.0/24

Hub injects traffic in chosen VRF

192.168.100.0/24

Hub private interface(s) in Inside VRF (light)

Virtual-Access in iVRF

.1

172.16.1.254

Wan in Global Routing Table or Front VRF

Optional VRF on spokes (Not in this example)

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

58

192.168.100.0/24 .1 .1

.2

.2

.2

172.16.1.253

Inside-VRF and Front-VRF Layer 5+ Layer 4 Layer 3 Layer 2

AAA

IKE Remote protected prefix added to iVRF table

Global Routing Table

VRF Red

VRF Blue

Inside VRF aka iVRF Applied by IKEv2: vrf forwarding Red tunnel vrf Blue Virtual-Access Interface (Tunnel) created by IKEv2

BRKSEC-3013

BGP

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

59

Front Door VRFGreen VRF aka fVRF

Inside-VRF and Front-VRF Layer 5+

AAA

IKE

Layer 4 Layer 3 Layer 2

BGP

Post-encapsulation Tunnel Protection (encrypt)

Global Routing Table

Input features

VRF Red

VRF Blue

Output features

Output features Tunnel Encapsulation

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

VRF Green

60

QoS in a Nutshell – Hierarchical Shaper Each Hub V-Access Needs Its Own Policy Parent Shaper limits total Bandwidth

Bandwidth Reservation

Priority Queuing

Fair Queuing

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

61

QoS Policy Map(s) Based on Spoke Bandwidth class-map Control match ip precedence 6

class-map Voice match ip precedence 5 policy-map SubPolicy

class Control

20Kbps Guaranteed to Control

bandwidth 20 class Voice

60% of Bandwidth for Voice

priority percent 60

1Mbps to each tunnel policy-map Silver

5Mbps to each tunnel policy-map Gold

class class-default

BRKSEC-3013

class class-default

shape average 1000000

shape average 5000000

service-policy SubPolicy

service-policy SubPolicy

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

iVRF + fVRF + QoS + … Layer 5+

AAA

IKE

BGP

Layer 4 Routes applied here…

Layer 3 Layer 2

Global Routing Table

VRF Red

VRF Blue

Applied by IKEv2: vrf forwarding Red tunnel vrf Blue service-policy out Gold Any feature can be applied here: MTU, NAT, NHRP network-id, NHRP redirect, FW Zone, QoS, VRF, ACL…

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

63

VRF Green

Heavy Configuration

VRF Injection – Hub Configuration Option 1: Mapping with In-IOS configuration (without AAA) Dedicated IKEv2 profile crypto ikev2 profile BLUE match identity fqdn domain blue authentication local rsa-sig FQDN Domain authentication remote rsa-sig is differentiator pki trustpoint CA dpd 10 2 on-demand aaa authorization group cert list default default virtual-template 1 Virtual-Template in VRF interface virtual-template1 type tunnel vrf forwarding BLUE ip unnumbered loopback1 Loopback in VRF service-policy Gold out tunnel protection ipsec profile default

crypto ikev2 profile RED match identity fqdn domain red authentication local rsa-sig authentication remote rsa-sig pki trustpoint CA dpd 10 2 on-demand aaa authorization group cert list default default virtual-template 2

crypto ikev2 profile GREEN match identity fqdn domain green authentication local rsa-sig authentication remote rsa-sig pki trustpoint CA dpd 10 2 on-demand aaa authorization group cert list default default virtual-template 3

interface virtual-template2 type tunnel vrf forwarding RED ip unnumbered loopback2 service-policy Gold out tunnel protection ipsec profile default

interface virtual-template3 type tunnel vrf forwarding GREEN ip unnumbered loopback3 service-policy Silver out tunnel protection ipsec profile default

Add NHRP, ACL’s,…

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

64

VRF Injection – Hub Configuration Option 2: Mapping with AAA group based configuration

Common IKEv2 profile

Profile name extracted from Domain Name

Vanilla VirtualTemplate

aaa attribute list blue attribute type interface-config ”vrf forwarding BLUE” attribute type interface-config ”ip unnumbered loopback1” attribute type interface-config ”service-policy Gold out”

aaa new-model aaa authorization network default local

Profiles on IOS

Group profiles on IOS

crypto ikev2 profile default match identity any identity local fqdn Hub1.cisco.com authentication local rsa-sig authentication remote rsa-sig pki trustpoint CA dpd 10 2 on-demand aaa authorization group cert default name-mangler dom virtual-template 1

interface virtual-template1 type tunnel tunnel protection ipsec profile default

crypto ikev2 authorization policy blue aaa attribute list blue route set interface aaa attribute list red attribute type interface-config ”vrf forwarding RED” attribute type interface-config ”ip unnumbered loopback2” attribute type interface-config ”service-policy Silver out” crypto ikev2 authorization policy red aaa attribute list red route set interface aaa attribute list green attribute type interface-config ”vrf forwarding GREEN” attribute type interface-config ”ip unnumbered loopback3” attribute type interface-config ”service-policy GOLD out”

crypto ikev2 name-mangler dom fqdn domain

crypto ikev2 authorization policy green aaa attribute list green route set interface BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

65

VRF Injection – Hub Configuration Option 3: RADIUS based profiles

Common IKEv2 profile Profile name extracted from Domain Name

Vanilla VirtualTemplate

aaa new-model aaa authorization network default group RADIUS aaa group server radius RADIUS  server-private 192.168.100.2 auth-port 1812 acct-port 1813 key cisco123

Profile “blue” / password “cisco” ipsec:route-accept=any ipsec:route-set=interface ip:interface-config=“vrf forwarding BLUE” ip:interface-config=“ip unnumbered loopback 1” ip:interface-config=“service-policy Gold out”

crypto ikev2 profile default match identity any identity local fqdn Hub1.cisco.com authentication local rsa-sig authentication remote rsa-sig pki trustpoint CA aaa authorization group cert default name-mangler dom virtual-template 1

Profile “red” / password “cisco” ipsec:route-accept=any ipsec:route-set=interface ip:interface-config=“vrf forwarding RED” ip:interface-config=“ip unnumbered loopback 2” ip:interface-config=“service-policy Silver out” Profile “green” / password “cisco” ipsec:route-accept=any ipsec:route-set=interface ip:interface-config=“vrf forwarding GREEN” ip:interface-config=“ip unnumbered loopback 3” ip:interface-config=“service-policy Gold out”

interface virtual-template1 type tunnel tunnel protection ipsec profile default crypto ikev2 name-mangler dom fqdn domain

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

66

RADIUS Group Profiles

Profiles stored on RADIUS server

Group profiles on RADIUS Could be per peer profiles or group+peer (derivation)

VRF Injection – Hub Configuration For both options: BGP and VRF configurations ip route vrf BLUE 10.0.0.0 255.0.0.0 Null0 ip route vrf BLUE 192.168.0.0 255.255.0.0 Null0

Attract summaries and drops nonreachable prefixes

ip route vrf RED 10.0.0.0 255.0.0.0 Null0 ip route vrf RED 192.168.0.0 255.255.0.0 Null0 ip route vrf GREEN 10.0.0.0 255.0.0.0 Null0 ip route vrf GREEN 192.168.0.0 255.255.0.0 Null0

BGP dynamic peering These address can not currently overlap Follow CSCtw69765. Each VRF has its own control section.

Activate peer group in its corresponding VRF

Redistributes above statics into BGP BRKSEC-3013

router bgp 1 bgp listen range 10.1.0.0/16 peer-group BluePeer bgp listen range 10.2.0.0/16 peer-group RedPeer bgp listen range 10.3.0.0/16 peer-group GreenPeer ! address-family ipv4 vrf BLUE redistribute static neighbor BluePeer peer-group neighbor BluePeer remote-as 1 exit-address-family ! address-family ipv4 vrf RED redistribute static neighbor RedPeer peer-group neighbor RedPeer remote-as 1 exit-address-family ! address-family ipv4 vrf GREEN redistribute static neighbor GreenPeer peer-group neighbor GreenPeer remote-as 1 exit-address-family

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

67

vrf definition BLUE rd 1:1 address-family ipv4 address-family ipv6 interface Loopback1 vrf forwarding BLUE ip address 10.0.0.254 255.255.255.255 vrf definition RED rd 2:2 address-family ipv4 address-family ipv6

interface Loopback2 vrf forwarding RED ip address 10.0.0.254 255.255.255.255 vrf definition GREEN rd 3:3 address-family ipv4 address-family ipv6 interface Loopback3 vrf forwarding GREEN ip address 10.0.0.254 255.255.255.255

VRF Injection – Spoke Configuration Vanilla IKE and BGP configurations Profiles stored on RADIUS server

aaa new-model aaa authorization network default local

crypto ikev2 profile default match identity remote fqdn Hub1.cisco.com match identity remote fqdn Hub2.cisco.com identity local fqdn spoke1.RED IKEv2 Identity authentication remote rsa-sig Defines Group authentication local rsa-sig pki trustpoint TP dpd 10 2 on-demand Just necessary for aaa authorization group cert list default default config exchange ! interface Loopback0 ip address 10.1.0.2 255.255.255.255 ! interface Tunnel0 Tunnel to Hub1 ip unnumbered Loopback0 tunnel source Ethernet0/0 tunnel destination 172.16.1.1 tunnel protection ipsec profile default ! Tunnel to Hub2 interface Tunnel1 ip unnumbered Loopback0 tunnel source Ethernet0/0 tunnel destination 172.16.4.1 tunnel ipsec profile default 68 BRKSEC-3013 © 2015 Cisco and/or protection its affiliates. All rights reserved. Cisco Public

Plain simple IKEv2 profile

Basic iBGP configuration

router bgp 1 bgp log-neighbor-changes network 192.168.0.0 mask 255.255.0.0 neighbor Hub peer-group iBGP neighbor Hub remote-as 1 neighbor Hub next-hop-self neighbor 10.0.0.253 peer-group Hub neighbor 10.0.0.254 peer-group Hub maximum-paths ibgp 2 Two Hubs… Equal Cost Load Balancing

Case Study: Multi-tenant Hybrid Access

Use Case: Mixed Client and Branch Access 

Requirements: 



RADIUS/EAP Server (in management VRF)

Single router for software clients & remote branches (spokes)



Spoke-to-spoke tunnels enabled on a per-branch basis



VRF/ QoS enforced per user/branch



Branches use IKE certificates, clients use EAP (password or TLS certificates)

Proposed solution:  

Multiple VRFs behind hub FlexVPN Hub IPsec tunnels Internet Bob (VRF blue) QoS Silver

shortcut tunnel

Tom (VRF green) QoS Gold

Single IKEv2 profile & V-Template Differentiated AAA authorisation depending on authentication method

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Branch A (VRF red) QoS Gold

Branch B (VRF red) QoS Silver

Joe (VRF blue) QoS Bronze

FlexVPN Server Configuration RADIUS-based EAP authentication and AAA authorisation Match on FQDN domain for branches Match statements for clients (depending on allowed client types) Allow peers to authenticate using either EAP or certificates User authorisation using attributes returned during EAP authentication Branch authorisation using RADIUS Automatic detection of tunnel mode1 (pure IPsec tunnel mode for clients, GRE/IPsec for branches/spokes)

1

aaa new-model aaa authentication login my-rad group my-rad aaa authorization network my-rad group my-rad ! crypto ikev2 profile default match identity remote fqdn domain example.com match identity remote {key-id | email | address} ... identity local dn authentication remote rsa-sig authentication remote eap query-identity authentication local rsa-sig pki trustpoint my-ca aaa authentication eap my-rad aaa authorization user eap cached aaa authorization user cert list my-rad virtual-template 1 auto mode ! interface Virtual-Template1 type tunnel no ip address [no need to specify tunnel mode] tunnel protection ipsec profile default

Starting with IOS-XE 3.12S

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

RADIUS Server Configuration Clients can perform password-based or TLS-based EAP authentication (TLS: RADIUS account = CN or UPN) User attributes returned by RADIUS with successful EAP authentication

joe cleartext-password=c1sc0! ipsec:addr-pool=blue ip:interface-config=vrf forwarding blue ip:interface-config=ip unnumbered Loopback1 ip:interface-config=service-policy output Bronze ip:interface-config=...

Branch router attributes returned by RADIUS during AAA authorisation step Add/remove NHRP to enable/disable spoke-to-spoke tunnels per branch Exchange prefixes via IKEv2 routing, branch prefix(es) controlled by branch

branchA.example.com ip:interface-config=vrf forwarding red ip:interface-config=ip unnumbered Loopback3 ip:interface-config=service-policy output Gold ip:interface-config=ip nhrp network-id 3 ip:interface-config=ip nhrp redirect ipsec:route-set=prefix 192.168.0.0 255.255.0.0 ipsec:route-accept=any

Branch prefix / QoS controlled by AAA server (installed as local static route)

branchB.example.com ip:interface-config=vrf forwarding green ip:interface-config=ip unnumbered Loopback2 ip:interface-config=service-policy output Silver ipsec:route-set=prefix 192.168.0.0 255.255.0.0 ipsec:route-set=local 192.168.1.0 255.255.255.0

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

FlexVPN High Availability

FlexVPN Backup Mechanisms Tunnel Origin/Destination

Routing Based

Dynamic Routing (BGP, EIGRP, OSPF, RIP…)

IKEv2 Routing

Tunnel Peer Selection Backup Peer List

Static or Downloadable Peer State Tracking Peer re-activation

Backup Groups Load-Balancing BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

74

Tunnel Source Selection

Tunnel Pivoting

FlexVPN Backup IKE Backup Peers (1) 192.168.100.0/24 .1

Tunnels are set up to a primary Hub

BRKSEC-3013

.2

172.16.0.1

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

172.16.0.2

75

FlexVPN Backup IKE Backup Peers (2) 192.168.100.0/24 .1

Hub 1 Fails

.2

172.16.0.1

172.16.0.2

New tunnels are set up to a backup Hub

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

76

Also works with Routing Protocol

FlexVPN Backup

IKE Backup Peers (3) – Spoke Config. aaa authorization network default local

Detect Hub Failure

To Primary Hub To Secondary Hub

Destination managed by FlexVPN

BRKSEC-3013

crypto ikev2 profile default match certificate HUBMAP identity local fqdn Spoke1.cisco.com authentication remote rsa-sig authentication local pre-shared keyring local pki trustpoint CA aaa authorization group cert list default default dpd 30 2 on-demand crypto ikev2 client flexvpn default client connect tunnel 0 peer 1 172.16.1.254 peer 2 172.16.1.253

interface Tunnel0 ip address negotiated tunnel source FastEthernet0/0 tunnel destination dynamic tunnel protection ipsec profile default

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Powerful Peer Syntax peer peer track peer peer track

Nth source selected only if corresponding track object is up RADIUS Backup List Attribute ipsec:ipsec-backup-gateway Up to 10 backup gateways pushed by config-exchange

crypto ikev2 authorization policy default route set interface route set access-list 99

FlexVPN Backup Mechanisms Backup Peer List • No explicit destination is configured on tunnel interface: – ‘tunnel destination dynamic’

• Peer to connect to is derived from a list at tunnel establishment time

• The peer list can be fully static or partially downloadable – Downloadable list require at least one static peer to retrieve the list from

• Peers are assigned a sequence number (explicit or implicit) which determine their

priority – The lowest the most preferred

• Selection of ‘active’ peer in case of failure rely on the waterfall-model – Use the peers in turn until the bottom of list is reached, then start again from top

• Dead Peer Detection (DPD’s) are required for proper operations BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

78

FlexVPN Backup – Downloadable Backup Peer List Static Peer List (Locally Configured)

Downloadable Peer List

Seq 10: Peer 1

 Peer 1 is selected initially (sequence number based)  If Peer 1 fails, Peer 2 is selected (sequence number based)

Seq 20: Peer 2

 Upon connection to Peer 2, a downloadable peer list is received Seq 30: Peer 3

Seq 10: Peer 2.1

Seq 20: Peer 2.2

 Upon failure of Peer 2, Peer 2.1 then 2.2 are selected (part of downloadable peer list)  Downloadable list peers are used until last downloadable list peer fails

 Upon successful connection to next peer in static list, downloadable list is deleted

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

79

FlexVPN Backup – Re-activation of Primary Peer  Allow re-establishing tunnel directly to preferred peer as soon as it is available again  Trackers are required for this feature

10.0.0.1

10.0.0.2 client

10.0.0.3

Tracker state (Up/Down) ICMP-echo IP SLA probe IPsec Tunnel BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

80

track 1 ip sla 1 reachability track 2 ip sla 2 reachability track 3 ip sla 3 reachability ! crypto ikev2 flexvpn client remote1 peer 1 10.0.0.1 track 1 peer 2 10.0.0.2 track 2 peer 3 10.0.0.3 track 3 peer reactivate client connect Tunnel0 ! interface Tunnel0 ip address negotiated … tunnel destination dynamic …

FlexVPN Backup – Backup Groups • Warrant that a peer, belonging to different peer-lists in the same backup group, is never active in multiple peer-list at a given time

Hub 1 Tu0

Service Provider 1

10.0.0.1

Hub 2

Client

10.0.0.2

Tu1 Service Provider 2

Hub 3 10.0.0.3

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

81

crypto ikev2 flexvpn client remote1 peer 1 10.0.0.1 peer 2 10.0.0.2 peer 3 10.0.0.3 backup group 1 client connect Tunnel0 crypto ikev2 flexvpn client remote2 peer 1 10.0.0.1 peer 2 10.0.0.2 10.0.0.1 cannot be used as peer 3 10.0.0.3 already active in remote1 backup group 1 client connect Tunnel1 peer-list from same group ! interface Tunnel0 ip address negotiated … tunnel destination dynamic …

interface Tunnel1 ip address negotiated … tunnel destination dynamic …

FlexVPN Backup – Tunnel Pivoting • Use when different Service Providers are used to connect to remote host

track 1 ip sla 1 reachability crypto ikev2 flexvpn client remote1 peer 10.0.0.1 source 1 interface GigabitEthernet0/0 track 1 source 2 interface Cellular0/0 client connect tunnel 0

Service Provider 1 GigE0/0

Client Cellular0/0

interface Tunnel0 ip address negotiated … tunnel source dynamic tunnel destination dynamic …

Hub Service Provider 2 Cellular network

Tracker state (Up/Down) ICMP-echo IP SLA probe IPsec Tunnel BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

82

FlexVPN Backup IKEv2 Load-Balancer Client Connection LAN

Slave Hub 2

Master

Standby .12

Slave

Hub 1

Standby

Active CLB Registration

10.0.0.0/24 1. HSRP Active Router election Winner takes over the VIP (“.5”)

.5 .11

Hub 3

CLB Registration

.13

HSRP Election

WAN

2. CLB Registration HSRP Standby become CLB Slaves and register to Master (HSRP Active)

On Hub 1: *Nov 20 12:43:58.488: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.13 connected. *Nov 20 12:43:58.493: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.12 connected. BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

83

FlexVPN Backup IKEv2 Load-Balancer Client Connection LAN 2. CLB Master selects the LLG (Hub 3)

Slave Hub 2

3. CLB Master sends a redirect to client to Hub 3

Master

Hub 1

Slave

Standby

Active

Standby

.12

.5 .11

.13

10.0.0.0/24

WAN 1. Client sends IKE SA_INIT with REDIRECT_SUPPORTED to VIP (.5)

4. Client establishes IKEv2 session with LLG Hub (Hub 3) BRKSEC-3013

Hub 3

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

84

IKEv2 Load-Balancer Hub 1 Configuration crypto ikev2 redirect gateway init Activates the sending of IKEv2 redirects during SA_INIT ! crypto ikev2 profile default match identity remote fqdn domain cisco.com ! identity local fqdn Hub1.cisco.com interface Ethernet0/0 authentication remote rsa-sig ip address 10.0.0.11 255.255.255.0 authentication local rsa-sig standby 1 ip 10.0.0.5 HSRP Group Name must match pki trustpoint TP standby 1 name vpngw IKEv2 Cluster configuration dpd 10 2 on-demand ! aaa authorization group cert list default default interface Loopback0 virtual-template 1 ip address 172.16.1.11 255.255.255.0 ! ! crypto ikev2 authorization policy default interface Virtual-Template1 type tunnel route set interface ip unnumbered Loopback0 ! ip mtu 1400 crypto ikev2 cluster tunnel source Ethernet1/0 standby-group vpngw tunnel protection ipsec profile default slave max-session 10 no shutdown

• Configuration of slave hubs is almost identical (except HSRP priority)! BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

IKEv2 Load-Balancer Client Configuration crypto ikev2 authorization policy default route set interface ! crypto ikev2 redirect client max-redirects 10 ! crypto ikev2 profile default match identity remote fqdn domain cisco.com identity local fqdn Spoke2.cisco.com authentication remote rsa-sig authentication local rsa-sig pki trustpoint TP dpd 10 2 on-demand aaa authorization group cert list default default virtual-template 1 ! crypto ikev2 client flexvpn VPN_LB peer 1 10.0.0.5 client connect Tunnel0

Activates IKEv2 redirection support and limit redirect count (DoS prevention)

interface Tunnel0 ip address 172.16.1.100 255.255.255.0 ip mtu 1400 tunnel source Ethernet0/0 tunnel destination dynamic tunnel protection ipsec profile default

FlexVPN Peer configured with the VIP address only

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

86

FlexVPN Backup IKEv2 Load Balancer

IKEv2 Load-Balancer

• Redirects inbound IKEv2 negotiation to Least Loaded Gateway (LLG) • Implements RFC 5685 • Redirect is performed during IKEv2 SA_INIT, IKE_AUTH • Rely on HSRP for device failure detection and master selection • Rely on Cisco Load Balancing (CLB) protocol (TCP/2012) to report load to cluster

master • Available since 15.2(4)M

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

87

FlexVPN IKEv2 Remote Access

Anywhere, Any Device Access

FlexVPN Framework

Device Location

IKEV2 IPSEC

Application

SSL

Any

More Diverse Users, Working from More Places, Using More Devices, Accessing More Diverse Applications, and Passing Sensitive Data BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

89

IKEv2 Configuration Exchange Initiator (I)

Responder (R)

CFG_REQUEST

IKE_AUTH CFG_REPLY

Initiator (RA client) requests configuration parameters from responder (RA server).

CFG_SET

   

Your assigned IPv6 address is ... Your DNS server is ... There is no WINS server The protected subnets are ... Derived from peer authorisation

INFORMATIONAL CFG_ACK

CFG_SET

Derived from peer authorisation

Initiator and/or responder sends unsolicited configuration parameters to its peer.

CFG_ACK © 2015 Cisco and/or its affiliates. All rights reserved.

 My local IPv6 address is ...  My local IPv6 protected subnets are ...  Acknowledged

INFORMATIONAL

BRKSEC-3013

I would like:  an IPv6 address  a DNS & WINS server  a list of IPv6 protected subnets

Cisco Public

90

Extensible Authentication Protocol (EAP) • No X-AUTH in IKEv2; EAP instead • EAP – A General protocol for authentication that support multiple methods: – Tunnelling: EAP-TLS, EAP/PSK, EAP-PEAP, … – Non-tunnelling (recommended): EAP-MS-CHAPv2, EAP-GTC, EAP-MD5, …

• Implemented as additional IKE_AUTH exchanges

• Only used to authenticate initiator to responder • Responder MUST authenticate using certificates • Can severely increase number of messages (12-16) • EAP comes with many caveats – refer to documentation !!

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

91

EAP Authentication RA Client IKEv2 Initiator RADIUS Client EAP Supplicant

FlexVPN Server IKEv2 Responder RADIUS NAS EAP Authenticator

AAA Server RADIUS Server EAP Backend

IKE

crypto ikev2 profile default authentication remote eap query-identity aaa authentication eap frad

RA server authenticates to client using IKE certificates (mandatory)

IKEv2 RADIUS EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 / EAP-AKA / EAP-SIM / ... Username-Password/Token/Mobile Authentication (One-Way)

IKEv2

RADIUS

TLS

TLS

EAP-TLS TLS-Based Certificate Authentication (Mutual)

IKEv2

RADIUS EAP-PEAP / EAP-TTLS

TLS

EAP-MSCHAPv2 / EAP-TLS / ... TLS-Protected Nested Authentication (One-Way or Mutual)

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

92

TLS

EAP Authentication – Packet Flow RA Client IKEv2 Initiator RADIUS Client EAP Supplicant

FlexVPN Server IKEv2 Responder RADIUS NAS EAP Authenticator

AAA Server RADIUS Server EAP Backend crypto ikev2 profile default authentication remote eap query-identity aaa authentication eap frad

IKEv2 (IKE_AUTH) IDi, CFG_REQ, no AUTH

IKEv2 (IKE_AUTH) IDr, AUTH(RSA), EAP(ID-Request) RADIUS (Access-Request) IKEv2 (IKE_AUTH) EAP(ID-Response: IDEAP) RADIUS (Access-Challenge) IKEv2 (IKE_AUTH) EAP(EAP-Method-Pkt#1) RADIUS (Access-Request) IKEv2 (IKE_AUTH) EAP(EAP-Method-Pkt#2) MSK

MSK IKEv2 (IKE_AUTH) EAP(Success) IKEv2 (IKE_AUTH) AUTH(MSK)

RADIUS (Access-Accept) EAP(Success), MSK, User-Name, Other user attributes

Cached for authorisation

IKEv2 (IKE_AUTH) CFG_REPLY, AUTH(MSK) BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

EAP Username

93

Remote Access Clients – Overview AnyConnect (Desktop Version)

AnyConnect (Mobile Version)

Windows Native IKEv2 Client

FlexVPN Hardware Client

strongSwan

Supported OSes

Windows Mac OS X Linux

Android Apple iOS

Windows 7 & 8

Cisco IOS 15.2+ Not on IOS-XE / ASR1k Not on ISR-G1

Linux, Mac OS X, Android, FreeBSD, ...

Supported IKEv2 Authentication Methods

Certificates EAP

Certificates EAP

Certificates EAP

Certificates EAP Pre-Shared Key

Certificates EAP Pre-Shared Key

Supported EAP Authentication Methods

EAP-MSCHAPv2 EAP-GTC EAP-MD5

EAP-MSCHAPv2 EAP-GTC EAP-MD5

EAP-MSCHAPv2 EAP-TLS1 EAP-PEAP1 ... and more (Win8)

EAP-MSCHAPv2 EAP-GTC EAP-MD5

EAP-MSCHAPv2 EAP-TLS1 EAP-PEAP1 ... and more (plugins)

Dual Stack (IPv4 & IPv6)

3.1.05152 (with GRE) IOS-XE 3.14

Planned (client limitation)

Planned (headend limitation)

Both (with GRE)

Planned (headend limitation)

Split Tunnelling

Yes

Yes

Very limited (classful)

Yes

Yes

1 EAP-TLS, 2 IPsec

BRKSEC-3013

EAP-TTLS, EAP-PEAP and others require (potentially dedicated) TLS certificates on EAP server & RA client

Reverse Route Injection (RRI) and IKEv2 Route Exchange are enabled by default

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

94

AnyConnect Secure Mobility Client • Since AnyConnect 3.0, IKEv2/IPsec supported (previously only SSL/TLS) – Desktop: Windows, Mac OS X, Linux – Mobile: Apple iOS, Android

• Supported authentication methods: – – – –

Machine Certificates (RSA signatures) EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2) EAP-GTC (cleartext password authentication, used for one-time-passwords/tokens) EAP-MD5 (hash-based authentication)

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

95

AnyConnect – VPN Profile Editor Add entry to server list

Server FQDN

Connection name

... Resulting XML Profile FlexVPN flexra.cisco.com IPsec true EAP-GTC acvpn ...

Only applies to EAP authentication methods

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

96

AnyConnect – Backup Server List Primary

Backup

Add backup server(s) to list

WAN

... Resulting XML Profile FlexVPN flexra.cisco.com flexra2.cisco.com ...

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Primary server stops responding  Client will try connecting to backup server(s)

97

AnyConnect – Seamless Auto-Reconnect crypto ikev2 profile default reconnect [timeout ]

crypto ikev2 profile default reconnect [timeout ]

3: Server marks session as “inactive”, awaiting reconnection until the configured timeout WAN 1: Connected

4: ISP/WAN comes back up  Session resumed without any user intervention

WAN 1: Connected over 3G

2: Network failure detected  Client will attempt to reconnect automatically

3: Session resumed over WiFi link without any user intervention

2: Switching to WiFi  Different IP address

Also works when computer suspends & resumes (behaviour controllable through XML profile) BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

98

AnyConnect Desktop – Profile Deployment Options Use a Software Management System XML

Add the profile to the AnyConnect package XML

Send the profile via email Download the profile to the file system

BRKSEC-3013

OS

Default Location

Windows

%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

Mac OS, Linux

/opt/cisco/anyconnect/profile

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

99

AnyConnect Mobile – Profile Deployment Options XML

Send the profile via email

anyconnect://import?type=profile&uri=location

Install the profile via a URI handler

Example location: http://example.com/profile.xml

Import it from Local File system or URI

Manual Connection Creation

MDM (Mobile Device Management) BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

100

AnyConnect Mobile – Manual Connection Certificate selection

Cisco ASA only

Connection name

Create new manual connection

Server FQDN

Enable IKEv2 Select authentication method

Specify IKE ID for EAP methods

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

101

AnyConnect Mobile – URI Handler Profile Deployment • Import profiles, certificates, and create connection entries • Apple iOS & Android – Import via URL, email, device storage – Also connect & disconnect VPN using URI Handler

anyconnect://create/?name=FlexVPN&host=flexra.cisco.com&protocol=IPsec&a uthentication=EAP-MD5&ike-identity=acvpn

Prompt or Enabled - Required for URI Handler BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Connection successfully created Cisco Public

102

AnyConnect Mobile – Certificate Deployment • Package certificate & keypair into PKCS#12 file • Apple iOS – Import PKCS#12 from URL or email attachment – Provision credentials or set up SCEP enrollment using configuration profile (e.g. via iPhone Configuration Utility)

• Android – Import PKCS#12 from URL, email or filesystem – Use existing credentials from Credential Storage

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

103

AnyConnect – Certificate Requirements AnyConnect Client IKEv2 Certificate

FlexVPN Server IKEv2 Certificate

Used for

Mutual RSA-SIG

Mutual RSA-SIG EAP (all types)

Common Name (CN)

Anything

Anything (if SAN field present) Server FQDN (if no SAN field)

Key Usage (KU)

Digital Signature

Digital Signature Key Encipherment or Key Agreement

Extended Key Usage (EKU)

Optional1,3 If present: TLS Client Authentication

Optional2,3 If present: TLS Server Authentication or IKE Intermediate

Subject Alternative Name (SAN)

Not required3

Optional3 If present: Server FQDN

1 Required

in AC 3.0.8 to 3.0.10 (CSCuc07598)

2 Required

in AC 3.0 (all versions), lifted in 3.1

3 Not

required: may be omitted or set to any value – Optional: may be omitted or set to the specified value

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

104

FlexVPN Hardware Client – Example • Sample configuration: – Static tunnel interface driven by FlexVPN Client Profile – Local AAA authorisation (default IKEv2 author. policy) – Certificate-based mutual authentication (no EAP)

• Tunnel interface configuration: – IP address assigned through IKEv2 Configuration Exchange – Tunnel destination set dynamically

• Default IKEv2 routing between client & server: – Client advertises route for Tunnel0 assigned IP address – Client installs networks advertised by server

client#show crypto ikev2 authorization policy default IKEv2 Authorization Policy : default route set interface route accept any tag : 1 distance : 1 BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

105

aaa new-model aaa authorization network here local ! crypto pki trustpoint root rsakeypair root ! crypto pki certificate map cisco 1 subject-name co o = cisco ! crypto ikev2 profile default match certificate cisco identity local dn authentication remote rsa-sig authentication local rsa-sig pki trustpoint root aaa authorization group cert list here default ! crypto ikev2 client flexvpn flexra peer 1 fqdn flexra.cisco.com dynamic client connect Tunnel0 ! interface Tunnel0 ip address negotiated tunnel source Ethernet0/0 tunnel mode ipsec ipv4 tunnel destination dynamic tunnel protection ipsec profile default

FlexVPN Network Extension FlexVPN Client 10.42.1.0/24

FlexVPN Server WAN

Eth0/1 Eth0/0 Assigned IP: 10.0.1.22/32

10.0.0.0/8 Lo1: 10.0.1.1/32

route set interface route set remote ipv4 10.42.1.0

route set interface route set remote ipv4 10.0.0.0 255.0.0.0

Summary prefix reachable through tunnel S S C

Assigned IP address reachable over client VA

10.0.0.0/8 is directly connected, Tunnel0 10.0.1.1/32 is directly connected, Tunnel0 10.0.1.22/32 is directly connected, Tunnel0

S S

Client LAN directly reachable over tunnel (prefix can be redistributed into IGP)

Local/remote addresses & prefixes exchanged using IKEv2 routing interface Tunnel0 ip address negotiated ! interface Ethernet0/1 ip address 10.42.1.1 255.255.255.0

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

10.0.1.22/32 is directly connected, Virtual-Access1 10.42.1.0/24 is directly connected, Virtual-Access1

interface Loopback1 ip address 10.0.1.1 255.255.255.255 ! interface Virtual-Template1 type tunnel ip unnumbered Loopback1

Cisco Public

106

FlexVPN Client Profile – Key Features • Peer list with object tracking: – Ordered list of FlexVPN servers (by address or FQDN) – Enable/disable entries based on tracking object state – Additional peers can be pushed by server during Config Exchange

• Connection modes: – Automatic (infinite loop, 10 seconds between tries) – When tracking object goes up/down (enables dial backup) – Manual (CLI-triggered)

• EAP local authentication (IKEv2 initiator only): – Username prompt only if server does “query-identity” – Alternative: static credentials in IKEv2 profile

• More than a Remote Access client:

crypto ikev2 client flexvpn flexra peer 1 peer 2 track 10 up peer 3 track 20 down ! track 10 interface line-protocol track 20 ip route reachability connect auto connect track 10 up connect manual

crypto ikev2 profile default authentication local eap client#crypto ikev2 client flexvpn connect Enter the command 'crypto eap credentials flexra' client#crypto eap credentials flexra Enter the Username for profile flexra: joe@cisco Enter the password for username joe@cisco:

– Can also be used in hub-spoke & dynamic mesh designs – Useful when advanced initiator logic is required (dial backup, object tracking, ...) BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

107

Demo AnyConnect Secure Mobility Client

Tom the Sardar

Anyconnect Mobile Profile & Certificate Deployment Demo Administrator Sequence of Events

Objective: Deploy anyconnect connection entry and CA certificate to Android Mobile device

1: Retrieve CA certificate as a file 2: Insert anyconnect connection URI into email 3: Attach CA cert and send email FlexVPN Server

anyconnect://create/?name=FlexVPN&host =Flex_hub.mydomain.com&protocol=IPsec &authentication=EAP-MD5&ikeidentity=acvpn

User Sequence of Events 1: Enable External control on Anyconnect 2: Click on hyperlink to create anyconnect connection 3: Click on CA cert attachment to import CA cert

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

109

Anyconnect Windows 7 Profile Deployment Demo Objective: Deploy anyconnect XML User profile containing connection information to a remote desktop.

XML

Anyconnect XML profile added to package and installed on Windows Desktop

Administrator Sequence of Events

FlexVPN Server

1:Create profile using profile Editor 2:Bundle Profile with Installation Package

User Sequence of Events 1:User retrieves Installation Package 2:User Installs package 3:Profile is automatically imported BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

110

FlexVPN SSL

Management

FlexVPN SSL Overview ASDM

Clients

• Infrastructure

Desktop Windows

Mac OS X

Linux

Secure Connectivity Cisco ASR

Mobile

Apple iOS Android iPhone and iPad Smartphones Tablets IOS-XE 3.15.1S / 15.5(2)S1 ASR1006/1013 with ESP100/200 ASR1002-X and ASR1001-X only

BB10 (future) • Smartphone • Playbook

•HTC •Motorola •Samsung •Version 4.0+

•HTC •Lenovo •Motorola •Samsung • Version 4.0+

Cisco Cloud Services Router 1000V IOS-XE 3.12.1S / 15.4(2).1S

BRKSEC-3013

Tentative date – June 2015

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

112

• First release of SSLVPN support (on ASR / CSR) • Client-based only (AnyConnect) • No clientless support • Integrated into FlexVPN framework • • • •

AAA integration Virtual tunnel interfaces Smart defaults CLI consistency

• ASR not supported on previous ESP (ESP 2.5 up to 40 due to lack of crypto engine support)

Features Not Supported In Initial Release • Automatic anyconnect software upgrade from headend • Web Launch for anyconnect (from browser)

• Client side certificates • Hostscan and Posture • Name mangler

• Two-Factor & Double Authentication • IPv6 Mixed-Mode / Dual-Stack • DTLS

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

113

FlexVPN SSL and Interfaces Per user attributes such as ACL, QoS, VRF, ZBFW can be applied granularly

Hub 1

VT2

VT1 VA1

Remote User BRKSEC-3013

u0

VA2

VA3

Smartphone User

Remote User © 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Remote Access Sessions

114

VT

Virtual Template

VA

Virtual Access

What is SSL/TLS? • Stands for Secure Socket Layer • Protocol that enables privacy and data integrity between client and server

• Protocol developed by Netscape in mid 1990. • Predecessor of TLS [ Transport Layer Security] • SSL 1.0 and 2.0 had a number of security flaws which led to the design of sslv3 [1996 draft got republished as historical document in RFC6101] • TLS 1.0 is designed in RFC2246 as the next-gen protocol in order to replace SSLv3 ( SSLv3 is now considered as insecure]

• TLS 1.0 has evolved over time: – TLS 1.1 [ RFC4346] added protection against CBC attacks and added explicit IV – TLS 1.2 [ RFC5246] added enhancements in hashing / signing. Expansion of authenticated encryption ciphers used for GCM BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

115

SSL/TLS Exchanges Overview TCP connection bootstrap

TCP 3 way handshake (3 messages)

Client Hello – Server Hello (2 messages)

Negotiate security capabilities

Server authentication and Pub Key Exchange (1 message)

Client key exchange, Change Cipher Spec (1 message)

BRKSEC-3013

Protected data

© 2015 Cisco and/or its affiliates. All rights reserved.

B

Cisco Public

Generate encryption keys

Anti MITM encrypted exchange

Server finished / Client finished (2 messages)

A

Server auth – keying material exchange

116

The TLS Handshake - Simplified

Cipher suite example

Client

Server

I want a secure connection. Here are the cipher suites I support

Client Hello Here are the security protocols we shall use

Server Hello

Here’s who I am(server certificate)

ServerCertificate

I am done for now – waiting for you 

ServerHelloDone

ClientKeyExchange

Here is the key we use for encryption(pre-master key encrypted using server public key)

ChangeCipherSpec

I am switching to a secure channel (Future messages will be encrypted ) I am done with SSL/TLS negotiation

Finished

I am also switching to a secure channel (Future messages will be encrypted) I am also done with SSL/TLS negotiation

ChangeCipherSpec

Finished

* Some of the Handshake protocols such as Certificate, Server Hello Done, can be combined in one packet or arrive in

different SSL packets BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

117

TLS/SSL Protocol Building Blocks

INITIALISES COMMUNCATION BETWEEN CLIENT & SERVER

ERROR HANDLING

HANDLES COMMUNICATION WITH THE APPLICATION

INITIALISES SECURE COMMUNICATION

SSL Handshake PROTOCOLS

HANDLES DATA COMPRESSION

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

SSL Handshake- Client Hello Client proposes basic SA attributes along with random number material

VN, CR, SI, CS, CA, EXT Client

Server

VN – Version Number CR – Client random value [32 bytes long] based on client date [ 4 bytes] + random data [ 28 bytes] used later to generate master secret SI – The sessionID is included to enable the client to resume a previous session ( Optional ) CS – Cipher suites list available on the client [ eg is TLS_RSA_WITH_AES_128_CBC_SHA TLS is the protocol version, RSA is the algorithm that will be used for the key exchange AES_128_CBC is the encryption algorithm SHA is the hash function.

CA – Compression Algorithm ( none is currently supported with IOS ) EXT - Extensions like renegotiation, Server name Indication BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

119

SSL Handshake- Server Hello Server sends back a set of acceptable attributes, along with key exchange material and optional certificate request

VN, SR, SI, CS, CA Client

Server

VN – Version Number. The Server sends the highest version supported by both sides. CR – Client random value [32 bytes long] based on server date [ 4 bytes ] + random data [ 28 bytes] used later to generate master secret SI – The sessionID will be sent by the Server

• NewSessionID will be generated if the ClientHello does not contain a SessionID • ResumedSessionID will reuse the ClientHello SessionID if the server is willing to • Null will be used if it’s a new session but the server is not willing to resume it. CS – The server will choose the strongest cipher supported by both Client & Server. If no agreement a “handshake failure” will be sent CA – Compression Algorithm ( none is currently supported ) BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

120

SSL Handshake- Server Certificate Server sends its certificate which include his public RSA key which will be used later by the client to encrypt the premaster secret.

Certificate ,Server Hello Done Client

Server

Certificate – The Server will send its certificate to the client. • The client will extract the server public key from the certificate • Public key will be used to authenticate the server. • Later on, that public key will be used as well to encrypt the premaster secret

Server Hello Done – Server Hello has been completed and we are waiting for the Client to proceed

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

121

SSL Handshake- Client key exchange Client generates a session key that can be only decrypted by the Server

Clt Key Exch, Chg Cipher Spec, Clt Finished Client

Server

Clt Key Exch – Client Key Exchange • the premaster secret ( computed from both client and server random) is encrypted by the the Server Public RSA key. • The session will be derived from that MasterSecret. • Only the server can decrypt it since has the correct private RSA key

Chg Cipher Spec – Change Cipher Spec – • Client notify the Server that subsequent packets will be encrypted using negotiated keys and algorithms

Clt Finished – Client Finished contains the hash of the entire conversation that is used to provide further protection against man-in-the-middle attacks BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

122

SSL Handshake- Server Finished, Change Cipher Spec Server sends back Change Cipher Spec message and his Hash of the entire exchange

Change Cipher Spec ,Server Finished Client

Server

Change Cipher Spec – By sending Change Cipher Spec, the server is announcing to the client that following packets will be encrypted using negotiated keys and algorithms. Subsequent packets from both client and server will be encrypted Server Finished – Server Finished contains the hash of the entire conversation that is used to provide further protection against Man-in-the-middle attacks

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

123

SSL Record Protocol: Protected data IP header ( 20 bytes) TCP header ( 20 bytes) content Type (1 byte)

SSL version (2 bytes)

Length (2 bytes)

ENCRYPTED APPLICATON DATA

HMAC / PAD

• Record protocol receives data from application layer – – – – –

Data fragmented in blocks ( encryption) or reassembled to it’s original format ( decryption) Sequentially numbers data blocks Compress/Decompress data based on negotiated compression algorithm Encrypt / Decrypt data using negotiated encryption keys / cryptographic algorithm Apply HMAC to outgoing data. Check HMAC when data is received

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

124

Data Fragmentation data

data fragment IP TCP record header header header

data fragment

MAC

encrypted data and MAC

IP TCP record header header header

record header: content type; version; length MAC: of data, sequence number, content type with the help of a key: Mx Fragment: each SSL fragment 214 bytes (~16 Kbytes) BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

MAC

encrypted data and MAC

SSL Alert Protocol • Alerting protocol based on different alert levels : – warning(1) – fatal(2)

• Different Alert Messages: – – – – – –

close_notify(0), unknown_ca(48) bad_record_mac(20) insufficient_security(71) record_overflow(22) certificate_revoked(44)

• Exhaustive list: – http://tools.ietf.org/html/rfc5246#appendix-A.3

• A session cannot be resumed once terminated by Fatal Alerts. BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

126

SSL and Certificates: Server Certificate Validation • Router certificate should be trusted by clients – Public (well-known) Certificate Authority (e.g. Verisign) – Enterprise Certificate Authority, e.g. Microsoft AD – Self-Signed (need to import certificate to all clients)

• URL matches with CN/SAN in Server Certificate ? Server certificate: DN: CN=srv1, OU=IT, O=Cisco SAN: IPAddr 10.0.0.1 SAN: DNSName srv1.cisco.com SAN: DNSName sslvpn.example.com

Match

URI: https://sslvpn.example.com

Internet

Intranet Server

Enterprise CA

Public CA BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

127

Key Usage and Extended Key Usage Checking • Extended Key Usage (EKU) and Key Usage (KU) determine how certificate can be used (client authentication, server authentication, email encryption etc) • AnyConnect does not require EKU or KU to be in ASA server certificate • From AnyConnect 3.1: if EKU or KU are present, they must be correct – EKU must contain “Server Authentication” – KU must contain “Digital Signature” and “Key Encipherment”

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

128

Anyconnect and Untrusted Certificates • If the server certificate is not trusted, do you want the user to be able to accept the certificate? false • .... or do you want AnyConnect to refuse to connect? true

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

129

Ensure Clients Trust the Router Certificate • AnyConnect uses OS to validate certificate – Microsoft Windows: MS CAPI – MAC OS: Keychain – Linux: Varies with distribution

• Tip: Examine warnings with browser – Untrusted CA chain – Mismatch domain name – Validity time ( NTP?)

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

130

Anyconnect Connection Flow Select the group we want to connect

Group or URL Selection Aggregate Authentication

User authentication

Authenticate the user & get attributes

VPN Downloader

Anyconnect S/W & profile updates SSL only(no IKEv2) on IOS

CSTP Connect

A

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Protected data

Cisco Public

131

Apply attributes on the client

B

Anyconnect Aggregate Authentication • Platform-independent framework for authentication and config exchange • Common XML Data format for both IPSEC and SSL

• Allows new client side features without headend s/w change – Opaque info can be sent from headend – Opaque info meaningful to client only

• Easier Integration of new features – Double Authentication – Certificate Authentication

• Multiple Request/Response Types – – – –

Init Auth request / response Config request / response Complete

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Example 3.1.05182 win 00-0c-29-46-bb-3f group2 https://sslvpn.example.com

132

Aggregate Authentication High level Flow Anyconnect Client

Router (eg. Connect to https://sslvpn.example.com)

Init

Enterprise Network

Authentication Request Authentication Reply

Aggregate Authentication

Complete Config (image, profile)

I would like:  an IPv4 address  a domain-name, DNS server  List of protected IPv4 subnets

Initiates tunnel establishment (CONNECT) request attributes like ip address Send attributes (eg. Ip address) Tunnel established - Client traffic over tunnel

BRKSEC-3013

Image/Profile download / upgrade

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

 Your assigned IPv4 address is ...  Your DNS server is ...  My protected IPv4 subnets are ...

SSL Aggr. Auth Flow - Anyconnect group selection Aggregate Auth type – Init

HTTP POST msg contains the server host and URL

POST /group FQDN/IP/URL Client

Server

Host – VPN Headend URL defined on the client. • IP address or FQDN. To avoid any certificate issues, this URL must match the HUB server CN or SAN. POST / HTTP/1.1 Host: flexssl.cisco.com User-Agent: AnyConnect Windows 3.1.05182 X-Aggregate-Auth: 1 X-AnyConnect-Platform: win 3.1.05182 win https://flexssl.cisco.com BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

134

SSL Aggr. Auth Flow - Authentication Request Aggregate Auth type – Auth-request

Server requests username/Password with auth-request HTTP/1.1 200 OK, XML Client

Server

HTTP/1.1 200 OK – Acknowledge FQDN / IP group selection XML – Aggregate auth [ proprietary protocol request ]

HTTP/1.1 200 OK X-Aggregate-Auth: 1

….Login Please enter your username and password. ….

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

135

SSL Aggr. Auth Flow - User Authentication Aggregate Auth type – Auth-reply

Client HTTP post msg sends auth-reply POST HOST/group XML Client

Server

Host – VPN Headend URL/GROUP defined on the client. • IP address or FQDN.

XML – XML file contains user / password / machine information / tunnel-group /… *Jan 13 07:35:24.906: POST /CL2015 HTTP/1.1 POST /CL2015 HTTP/1.1 3.1.06073 win cisco cisco

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

136

SSL Aggr. Auth Flow - Authentication Successful Aggregate Auth type – complete , config

User authentication by the server is successful

HTTP/1.1 200 OK, XML Client

Server

HTTP/1.1 200 OK – Acknowledge authentication XML – Provide server XML profile location / Pre-installed server package version information for that particular OS. VPN Downloader will kick in if the version on the Server is newer than on the client HTTP/1.1 200 OK Success /auth> /CACHE/webvpn/stc/profiles/CL2015.xml uri>binaries/anyconnect-win-3.1.06073-web-deploy-k9.exe AnyConnect Secure Mobility Client

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

137

SSL Connection Flow – Tunnel Establishment CSTP – Cisco SSL Tunnelling Protocol

Client connect and request attributes

CONNECT, CSTP attributes Client

Server

CONNECT – initiate the tunnel establishment for datapath by accessing /CSCOSSLC/tunnel HTTP/1.1 CSTP attributes– Client attributes requested from headend and capabilities supported (eg.IPV6) CONNECT /CSCOSSLC/tunnel HTTP/1.1 Host: flexssl.cisco.com User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.06073 X-CSTP-Version: 1 X-CSTP-Hostname: olpeleri-WE01 X-CSTP-MTU: 1399 X-CSTP-Address-Type: IPv6,IPv4 X-CSTP-Local-Address-IP4: 192.168.255.166 X-CSTP-Base-MTU: 1500 X-CSTP-Remote-Address-IP4: 192.168.255.167 X-CSTP-Full-IPv6-Capability: true

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

138

SSL Connection Flow – send client attributes User authentication by the server is successful. Client IP address and other attributes sent HTTP/1.1 200 OK, CSTP Attributes download

Client

Server

HTTP/1.1 200 OK – Acknowledge Client connect

CSTP attribute – Set of server provider attributes used by the client ( such as private ip address / DNS / WINS / lifetime ) HTTP/1.1 200 OK Server: Cisco IOS SSLVPN X-CSTP-Version: 1 X-CSTP-Address: 192.168.254.4 X-CSTP-Netmask: 0.0.0.0 X-CSTP-Lease-Duration: 43200 X-CSTP-MTU: 1406 X-CSTP-Rekey-Time: 3600 X-CSTP-Rekey-Method: new-tunnel X-CSTP-DPD: 300 X-CSTP-Disconnected-Timeout: 0 X-CSTP-Idle-Timeout: 1800 X-CSTP-Session-Timeout: 43200 X-CSTP-Keepalive: 30 X-CSTP-Smartcard-Removal-Disconnect: false X-CSTP-Include-Local_LAN: false BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

139

FlexVPN SSL CSTP Data Encapsulation CSTP – Cisco SSL Tunnelling Protocol

FlexVPN SSL Server Pre-encapsulation interface output features (apply to cleartext packet)

RIB/FIB (routing table)

SSL/CSTP Encapsulation

Post-encapsulation interface output features (apply to encrypted packet)

Interface input features (apply to cleartext packet) Eth0/0

IP

L4

V-Access1

Data

IP

Cleartext Traffic (from server LAN)

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Eth0/1

Cisco Public

TCP SSL CSTP

Encrypted Traffic (To Anyconnect client)

140

IP

L4

Data

Encrypted

PAD/MAC

FlexVPN SSL Configuration Example crypto ssl proposal my-proposal protection rsa-aes128-sha1 rsa-aes256-sha1

crypto ssl policy my-policy ip interface GigabitEthernet0/0/0 port 443 pki trustpoint my-cert sign ssl proposal my-proposal no shutdown

 Cryptographic algorithms  Key exchange method  Local endpoint matching criteria  Apply SSL proposal  Configure SSL server certificate      

crypto ssl profile my-profile match policy my-policy match url https://sslvpn.example.com authentication remote user-pass aaa authentication user-pass list my-radius aaa authorization user user-pass cached virtual-template 1 no shutdown

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

141

Match on SSL policy Match on URL (FQDN, hostname, path, ...) Authentication (certificate, username/password) Authorisation (cached, user, group) Accounting Virtual interface template (ASR only)

CLI Experience: FlexVPN IPsec vs SSL Crypto ssl proposal sslvpn1 protection rsa-aes128-sha1 rsa-aes256-sha1 !

crypto ikev2 proposal prop-1 encryption aes-cbc-128 3des integrity sha group 2 ! crypto ikev2 policy site-policy proposal prop-1 ! crypto ikev2 authorization policy default pool mypool ! crypto ikev2 profile v2-profile match identity remote address 10.0.1.1 authentication local rsa-sig authentication remote rsa-sig pki trustpoint CA aaa authorization cert list default default virtual-template 1 ! interface Virtual-Template1 type tunnel ip unnumbered Loopback0 tunnel source Ethernet0/0 tunnel mode ipsec ipv4 tunnel protection ipsec profile ipsec-prof BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

crypto ssl policy sslvpn1 ssl proposal sslvpn1 pki trustpoint SSLVPN sign ip address local 10.48.67.251 port 443 ! crypto ssl authorization policy default pool mypool ! crypto ssl profile sslvpn1 match policy sslvpn1 match url https://flexssl.cisco.com aaa authentication user user-pass list SSLUSERS aaa authorization group user-pass list SSLAUTHOR authentication remote user-pass virtual-template 1 ! interface Virtual-Template1 type vpn ip unnumbered Loopback1 ip mtu 1400 ip nat inside vpn mode ssl Cisco Public

142

FlexVPN SSL Proposal • Specifies one or more of: –Encryption algorithm(s) –Integrity algorithm(s)

• No DH support today crypto ssl proposal my-proposal protection rsa-aes128-sha1 rsa-aes256-sha1

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

143

FlexVPN SSL Policy • Specifies one or more proposal(s) (mandatory) • Trustpoint used by SSL Server

• Specifies interface or ip address for TCP listener for SSL – Per fVRF (default: global) – SSL port configurable (default:443)

crypto ssl policy my-policy ip interface GigabitEthernet0/0/0 port 443 pki trustpoint my-cert sign ssl proposal my-proposal no shutdown

• Multiple match statements of each type (future support) – Statements of same type logically OR'ed – Statements of different types logically AND'ed – Current release only support single instance of each type BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

144

FlexVPN SSL Profile • Mandatory SSL CLI profile construct • Selected by matching: – IP address from SSL policy – Server URL (optional- if configured)

crypto ssl profile my-profile match policy my-policy match url https://sslvpn.example.com authentication remote user-pass aaa authentication user-pass list my-radius aaa authorization user user-pass cached aaa authorization group list LOCAL_AUTHOR my-policy

virtual-template 1 no shutdown

• Specifies AAA parameters • Virtual-template is used to spawn v-access interface per user –

Apply per user features (VRF, ACL, ZBFW , QOS)

• Multiple match statements of each type (future support)

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

145

ASR1000 specific

Smart Defaults Constructs • Default constructs: crypto ssl proposal default RSA-AES128-SHA1 RSA-AES256-SHA1

• SSL Proposal: default Protection: RSA-AES128-SHA1 RSA-AES256-SHA1

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

146

Anyconnect High-Level Connection Flow Example SSLVPN Gateway

Anyconnect Client

User launches anyconnect client and enters URL: sslvpn.example.com

Establish 3-way TCP handshake to host sslvpn.example.com port 443 SSL Handshake- Server selects cipher from proposal list and sends cert Client sends https POST to start Aggregate Authentication Initialization phase Maps connection to SSL profile my-profile by matching URL sslvpn.example.com POST / HTTP/1.1 Host: sslvpn.example.com User-Agent: AnyConnect Windows 3.1.05182 https://sslvpn.example.com

Aggregate Auth (auth-request) - Send Client authentication request my-profile Please enter your username and password.

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

147

aaa authentication login SSLVPN_AUTHEN local aaa authorization network AUTHOR local crypto ssl proposal my-proposal protection rsa-aes128-sha1 rsa-aes256-sha1 ! crypto ssl policy my-policy ssl proposal my-proposal pki trustpoint my-cert sign ip interface GigabitEthernet0/0/0 port 443 ! crypto ssl profile my-profile match policy my-policy match url https://sslvpn.example.com aaa authentication user-pass list SSLVPN_AUTHEN aaa authorization user user-pass cached aaa authorization group user-pass list AUTHOR my-auth-policy authentication remote user-pass virtual-template 2 ! crypto ssl authorization policy my-auth-policy pool mypool def-domain mydomain.com ! ip local pool mypool 10.45.1.1 10.45.1.254 interface Virtual-Template2 type vpn ip unnumbered GigabitEthernet0/0/0 ip mtu 1400 vpn mode ssl

Anyconnect High-Level Connection Example(Contd.) SSLVPN Gateway

Anyconnect Client

Invoke AAA authentication for list “SSLVPN_AUTHEN” + local authorization

Retrieve session/user attributes from AAA eg. Ipv4 address from pool mypool Client initiates tunnel establishment and request attributes like ip address via CSTP CONNECT /CSCOSSLC/tunnel HTTP/1.1 Host: sslvpn.example.com X-CSTP-Hostname: admin-PC X-CSTP-MTU: 1399 X-CSTP-Address-Type: IPv6,IPv4



Server sends all anyconnect client attributes like ip address, domain via CSTP HTTP/1.1 200 OK Server: Cisco IOS SSLVPN X-CSTP-Address: 45.1.1.3 X-CSTP-Default-Domain: mydomain.com



Clone V-Template2 into V-Access1- apply per user features like ACL,QOS, VRF

“show derived-config ...”

interface Virtual-Access2 vrf forwarding Eng ip unnumbered Loopback1 vpn mode ssl

Tunnel established - User traffic can now be transmitted BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

148

aaa authentication login SSLVPN_AUTHEN local aaa authorization network AUTHOR local crypto ssl proposal my-proposal protection rsa-aes128-sha1 rsa-aes256-sha1 ! crypto ssl policy my-policy ssl proposal my-proposal pki trustpoint my-cert sign ip interface GigabitEthernet0/0/0 port 443 ! crypto ssl profile my-profile match policy my-policy match url https://sslvpn.example.com aaa authentication user-pass list SSLVPN_AUTHEN aaa authorization user user-pass cached aaa authorization group user-pass list AUTHOR my-auth-policy authentication remote user-pass virtual-template 2 ! crypto ssl authorization policy my-auth-policy pool mypool def-domain mydomain.com ! ip local pool mypool 10.45.1.1 10.45.1.254 interface Virtual-Template2 type vpn ip unnumbered Loopback1 vrf forwarding Eng ip mtu 1400 vpn mode ssl

Advanced Features…

192.168.100.0/24

MPLS VPN o Flex

192.168.100.0/24

• Objective: end-to-end VRF separation

`

192.168.100.0/24 .1

Single IPSEC sa for multiple VRFs

.1

.1

.2

.2

172.16.1.254

.2

172.16.1.253

Includes SpokeSpoke Tunnels!

192.168.1.0/24

.1 .1

.1

192.168.1.0/24 192.168.1.0/24 192.168.2.0/24

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

.1 .1

192.168.2.0/24 192.168.2.0/24 150

.1

192.168.3.0/24

.1 .1

192.168.3.0/24 192.168.3.0/24

.1

Performances and Scalability

151

IPSec Forwarding Performance ASR1000 ESP100

ASR1000 ESP40 ASR1000 ESP20

ASR1002-X ASR1000 ESP10

IMIX Throughput at 70% Max CPU

ASR1000 ESP5

3945E 3925 2925E 2925

0.500 G BRKSEC-3013

16Gbps

Gigabits Per Second

1941

1.0 G

2.0 G

3.0 G

© 2015 Cisco and/or its affiliates. All rights reserved.

4.0 G Cisco Public

5.0 G

6.0 G

7.0 G

8.0 G 152

Route Exchange Protocol Selection Branch-Hub

Use case

IKEv2

Simple, large scale

Static (No redistribution IGPIKE)

Simple branches (< 20 prefixes)

Identity-based route filtering

Lossy networks

High density hubs

BGP

Simple to complex, large scale

Dynamic (Redistribution IGP  BGP)

Complex branches (> 20 prefixes)

Powerful route filtering – not identity based

Lossy networks

High density hubs up to 350K routes

EIGRP

Simple to complex

Dynamic (Redistribution IGP  IGP)

Semi-complex branches (> 20 prefixes)

Intermediate route filtering – not identity based

Lossless networks (very rare)

< 5000 prefixes at hub

not recommended at large scale

Hub-Hub

BRKSEC-3013

Use case

BGP

Large amount of prefixes (up to 1M)

Road to scalability

IGP (EIGRP, OSPF)

< 5000 prefixes total

Perceived simplicity

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

153

Powerful route filtering

FlexVPN – High-end Scalability & Performances Release 3.5+ w/out QoS

ISR 4451

ASR1001

ASR1000ESP5

ASR1000ESP10

ASR1000ESP20

ASR1000ESP40

ASR1000ESP100

Throughput (Max / IMIX)

1.2 / 0.8Gbps

1.8 / 1Gbps

1.8 / 1 Gbps

4 / 2.5 Gbps

7 / 6 Gbps

11 / 7.4 Gbps

29 / 16 Gbps

Max tunnels (RP1 / RP2)

4000

4000

1000

1000 / 4000

1000 / 4000

1000 / 4000

-- / 4000

EIGRP neighbors

4000

4000

1000

1000 / 4000

1000 / 4000

1000 / 4000

-- / 4000

(1000 recommended)

(1000 recommended)

(1000 recommended)

(1000 recommended)

(1000 recommended)

(1000 recommended)

4000

4000

1000 / 4000

1000 / 4000

1000 / 4000

-- / 4000

BGP neighbors

1000

Bumping from 4,000 to 10,000 spokes/hub with FlexVPN in 3.12 (RP2, ESP10 & above)

BRKSEC-3013

Release 3.10 w/ QoS

ISR 4451

ASR1001

ASR1000ESP20

ASR1000ESP40

Throughput (Max / IMIX)

1.2/0.8 Gbps

1.8 / 1Gbps

7 / 6 Gbps

11 / 7.4 Gbps

Max tunnels (RP2 only)

2000

4000*

4000

4000

(16K Queues)

(128K Queues)

(128K Queues)

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

154

High-End Scalability & Performances – 3.12+ 3.12+ w/out QoS

ISR 4451

ASR 1001

ASR 1001-X

ASR 1002-X

ASR 1000 ESP5

ASR 1000 ESP10

ASR 1000 ESP20

ASR 1000 ESP40

ASR 1000 ESP100

ASR 1000 ESP200

Throughput (Max / IMIX)

1.2 / 0.8Gbps

1.8 / 1 Gbps

1.8 / 1 Gbps

4 / 4 Gbps

1.8 / 1 Gbps

4 / 2.5 Gbps

7 / 6 Gbps

11 / 7.4 Gbps

29 / 16 Gbps

59 / 78 Gbps

Max tunnels (RP2)

2,000

4,000

4,000

10,000

4,000

4,000

10,000

10,000

10,000

10,000

RP1: 1,000

RP1: 1,000

RP1: 1,000

EIGRP neighbours

2,000

4,000

4,000

4,000

4,000

4,000

4,000

4,000

4,000

4,000

1000 recommended

1000 recommended

1000 recommended

1000 recommended

1000 recommended

1000 recommended

1000 recommended

1000 recommended

1000 recommended

1000 recommended

IKE Routing

2,000

4,000

4,000

10,000

4,000

4,000

10,000

10,000

10,000

10,000

BGP neighbours

2,000

4,000

4,000

10,000

4,000

4,000

10,000

10,000

10,000

10,000

10% crypto throughput decrease

16K Q No crypto impact

16K Q No crypto impact

128K Q No crypto impact

128K Q No crypto impact

128K Q No crypto impact

128K Q No crypto impact

128K Q No crypto impact

128K Q No crypto impact

128K Q No crypto impact

QoS

Bumping from 4,000 to 10,000 spokes/hub with FlexVPN in 3.12 (RP2 only)

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

155

FlexVPN - ISR G2 Scalability Platform

Sec-K9

SEC-K9 + HSEC-K9

Recommended

Max

Recommended

Max

3945E

Up to 225

Up to 225

Up to 2000

Up to 3000

3925E

Up to 225

Up to 225

Up to 1500

Up to 3000

3945

Up to 225

Up to 225

Up to 1000

Up to 2000

3925

Up to 225

Up to 225

Up to 750

Up to 1500

2951

Up to 225

Up to 225

Up to 500

Up to 1000

2921

Up to 225

Up to 225

Up to 400

Up to 900

2911

Up to 225

Up to 225

2901

Up to 150

Up to 225

1941

Up to 150

Up to 225

1921

TBD

TBD

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

156

HSEC-K9 license does not apply since the max. encrypted tunnel count is below the restricted limits.

FlexVPN - ISR G2 Performances Platform

Sec-K9 (Mbps)

75% CPU, IMIX, IPsec/AES, single tunnel SEC-K9 + HSEC-K9 (Mbps)

Recommended

Max

Recommended

Max

3945E

Up to 170

Up to 170

Up to 670

Up to 1503

3925E

Up to 170

Up to 170

Up to 477

Up to 1497

3945

Up to 170

Up to 170

Up to 179

Up to 848

3925

Up to 154

Up to 170

Up to 154

Up to 770

2951

Up to 103

Up to 170

Up to 103

Up to 228

2921

Up to 72

Up to 170

Up to 72

Up to 207

2911

Up to 61

Up to 164

2901

Up to 53

Up to 154

1941

Up to 48

Up to 156

1921

Up to 44

N/A

891

Up to 66

N/A

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

157

HSEC-K9 license does not apply since the max. encrypted tunnel count is below the restricted limits.

FlexVPN CCO Documentation • CCO doc link – http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-mt/sec-flex-vpn-15-mtbook.html – Reflects latest release (currently 15.4(1)T)

• Doc organized into chapters – – – – – – – –

FlexVPN Site-Site FlexVPN Server FlexVPN Client FlexVPN Spoke-Spoke FlexVPN Load-Balancer FlexVPN Reconnect Appendix-1: FlexVPN Radius Attributes Appendix-2: Legacy VPNs

• Changes across releases – Documentation reflects latest release – Behaviour/CLI changes noted in corresponding sections BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

158

FlexVPN CCO Documentation • FlexVPN Sample Configurations – http://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

• Past FlexVPN sessions from Ciscolive – BRKSEC-3036 - Advanced IPsec designs with FlexVPN (2015 Milan) https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=82068

– BRKSEC-2881 - VPN Remote Access with IOS & Introduction to FlexVPN (2015 Milan) https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=81929

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

159

Before we Part • Sessions of Interest • BRKSEC-3033 – Advanced AnyConnect Deployment and Troubleshooting with ASA (Friday)

• Meet the Expert

• Followup questions: Email me [email protected]

BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

160

Tom the Ninja

Q&A

Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2015 T-Shirt! Complete your Overall Event Survey and 5 Session Evaluations. • Directly from your mobile device on the Cisco Live Mobile App • By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/clmelbourne2015 • Visit any Cisco Live Internet Station located throughout the venue Learn online with Cisco Live!

T-Shirts can be collected in the World of Solutions on Friday 20 March 12:00pm - 2:00pm BRKSEC-3013

© 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Visit us online after the conference for full access to session videos and presentations. www.CiscoLiveAPAC.com

View more...

Comments

Copyright ©2017 KUPDF Inc.
SUPPORT KUPDF