Comparing Cisco VPN Types¶
Configuring ISAKMP & IKE SA Tunnels¶
Configuring IPSec on Cisco IOS
Configure IKEv1
Configure Phase 1 Tunnel
Configure ISAKMP Policy
Where the HAGLE parameters are configured
Configure ISAKMP PSK
Where the PSK is configured for each VPN address
Configuring Phase 2 Tunnel
Configure Transform Set
Configure IPsec Profile
Configure IKEv2
Configure IKE_SA Tunnel
Configure IKEv2 Proposal
Configure IKEv2 Profile
Configure IKEv2 Policy
Configure Keyring
Configure Child SA Tunnel
Configure Transform Set
Configure IPsec Profile
IKEv1 Phase 1 Configuration Tasks¶
Configure ISAKMP Policy
The lower the number, the higher the priority
Configure each HAGLE parameter by entering the attribute that you want to configure, followed by the chosen configuration
It is best practice to have the most secure algorithm with the highest priority, while the least secure algorithm will be the lowest priority
The ISAKMP policy number does not need to be the same on both sides
(config)#crypto isakmp policy 10
(config-isakmp)#hash sha512
(config-isakmp)#authentication pre-share
(config-isakmp)#group 15
(config-isakmp)#lifetime 86400
(config-isakmp)#encryption aes 256
Configure ISAKMP PSK
(config)#crypto isakmp key cisco123 1.1.1.1
# OR
(config)#crypto isakmp key cisco123 hostname omaha-router.globomantics.com
IKEV2 IKE_SA Configuration Tasks¶
Configure Keyring
Defines the PSKs of VPN peers are configured
# Creates a keyring with a locally significant name
(config)#crypto ikev2 keyring name_of_keyring
# Creates a peer within the key ring that all attributes will be assigned to
(config-ikev2-keyring)#peer name_of_peer
# Specify the IP address
(config-ikev2-keyring-peer)#address ip_address
# Enter the identity mechanism the router will use to identify the peer
(config-ikev2-keyring-peer)#identity <address[FQDN[email[key-id> r1.test.com
# Enter both the local and remote PSK
(config-ikev2-keyring-peer)#pre-shared-key local cisco123
# Enter both the local and remote PSK
(config-ikev2-keyring-peer)#pre-shared-key remote cisco456
Configure IKEv2 Proposal
Defines Hash, DH Group, and Encryption
Configure IKEv2 Profile
Defines Authentication, Keyring, Lifetime
# Creates an IKEv2 profile with a locally significant name
(config)#crypto ikev2 profile name_of_profile
# Matches our peer. Can be IP address, Domain name, email, etc
(config-ikev2-profile)#match identity remote <addresslemaillfqdn> identifier
# Identifies how we will authenticate with the peer locally
(config-ikev2-profile)#authentication local <pre-sharelrsa-sig>
# Identifies how we will authenticate with the peer remotely
(config-ikev2-profile)#authentication remote <pre-sharelrsa-sig>
# Enter both the local and remote PSK
(config-ikev2-profile)#keyring name_of_keyring
# Specifies the lifetime
(config-ikev2-profile)#lifetime lifetime_length_in_seconds
# Determines the identity the router will send to VPN peer
(config-ikev2-profile)# identity local fqdn fully_qualified_domain_name
Configure IKEv2 Policy
Defines router traffic to match
Whenever possible, use explicit policies for VPN connections
(config)#crypto ikev2 policy name_of_policy
(config-ikev2-profile)#match address local ip_address
(config-ikev2-profile)#match fvrf name_of_fvrf
# Specifies the IKEv2 Proposal traffic that matches this policy will use
(config-ikev2-profile)#proposal name_of_ikev2_proposal
Configuring the IPsec Tunnel¶
Configuring the 2nd Tunnel (IKEv1 or IKEv2)¶
Configure Transform Set
Defines encryption and hash of second tunnel
# Specifies the encryption and hashing algorithm
(config)#crypto ipsec transform-set name esp-aes 256 esp-sha256-hmac
# Specifies if the tunnel is in transport mode or tunnel mode
(cfg-crypto-trans)#mode <tunnel[transport>
Configure IPsec Profile
Associates transform set with the first tunnel
(config)#crypto ipsec profile name_of_profile
# Matches transform set to the first tunnel
(ipsec-profile)#set transform-set name_of_transform_set
(ipsec-profile)#set <ikev2-profile|isakmp-profile> name_of_profile
Legacy Configuration (Crypto-Maps)¶
(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any
(config)#crypto map crypto_map_name sequence_number ipsec-isakmp
(config-crypto-map)#match address 100
(config-crypto-map)#set peer 1.1.1.1
(config-crypto-map)#set transform-set transform_set_name
(config-crypto-map)#set isakmp-profile isakmp_profile_name
(config-crypto-map)#exit
(config)#interface ethernet 0/1
(config-if)#crypto map crypto_map_name
Cisco Tunnel Interface Types¶
Virtual Tunnel Interface (VTI)¶
Allows for easier management
Can apply policies to tunnel interface just like any other interface
Can use the IP address of another interface
VTI Configuration
(config)#tunnel interface interface_number
(config-if)#tunnel mode ipsec <ipv4lipv6>
(config-if)#ip address ip_address subnet_mask OR
(config-if)#ip unnumbered interface_number
(config-if)#tunnel source <ip_addresslinterface_name>
(config-if)#tunnel destination ip_address_of_peer
(config-if)#tunnel protection ipsec profile name_of_profile
Dynamic VTI¶
Used in hub-and-spoke S2S VPNs
Use a template to dynamically
Each interface would use the config outlined in the template create tunnel interfaces
dVTI Configuration
(config)#interface virtual-template template_number type tunnel
(config-if)#tunnel mode ipsec <ipv4lipv6>
(config-if)#ip address ip_address subnet_mask
(config-if)#tunnel source <ip_addresslinterface_name>
(config-if)#tunnel protection ipsec profile name_of_profile
(config-if)#exit
(config)#crypto ikev2 profile name_of_profile
(config-ikev2-profile)#virtual-template template_number
GRE Tunnel¶
Generic Routing Encapsulation
Not encrypted
Allows unicast, multicast, broadcast and non-IP traffic
Needs its own IP address, source interface, and destination IP address
GRE Tunnel Configuration
(config)#tunnel interface interface_number
(config-if)#tunnel mode gre <iplipv6>
(config-if)#ip address ip_address subnet_mask
(config-if)#tunnel source <ip_addresslinterface_name>
(config-if)#tunnel destination ip_address_of_peer
(config-if)#tunnel protection ipsec profile name_of_profile
MTU Size and MSS Size¶
Ethernet MTU is 1500
Any packet that is 1500 will need to be fragmented after IPsec headers are added
That will not work as the IPsec trailers would not be included
Smaller MTU on the interface
Packets will be fragmented before IPsec is applied
MSS value
40 less for IPv4
MTU Size and MSS Size Configuration
(config-if)#ip mtu 1400
(config-if)#ip tcp adjust-mss 1360
GRE Multipoint Interface¶
Allows tunnel interface to create Multiple VPNs with multiple devices
Used with DMVPN
GRE Multipoint Interface Configuration
### (config-if)#tunnel destination ip_address_of_peer - is not configured
(config)#tunnel interface interface_number
(config-if)#tunnel mode gre multipoint (ipv6)
(config-if)#ip address ip_address subnet_mask
(config-if)#tunnel source <ip_addresslinterface_name>
(config-if)#tunnel protection ipsec profile name_of_profile
(config-if)#ip mtu 1400
(config-if)#ip tcp adjust-mss 1360
DMVPN¶
DMVPN doesn’t require each spoke to have a static NBMA
NHRP network IDs
DMVPN uses GRE interfaces, IPsec still needs to be applied
Configure additional security
Tunnel keys
NHRP authentication
DMVPN Components¶
Non-Broadcast Multiple Access (NBMA) Address
IP address routers use to establish VPN
Next Hop Resolution Protocol (NHRP)
Maps the NBMA to each tunnel interface
Next Hop Server (NHS)
Main device that has the NBMA’s for all of the routers
DMVPN in Words
R1 uses dynamic routing protocol to get to R2 via HQ
R1 tunnel interface is configured as MGRE and configured with NHRP
As soon as first packet is sent, R1 will make NHRP request to next-hop server
R1 asks HQ how to get to R2
HQ sends NHRP to R2, R2 sends NBMA address to R1
R1 establishes its own tunnel to R2
DMVPN Phases¶
Hub will always forward NHRP request, even if it knows the NBMA that the request initiator is trying to find.
Phase 1
Requires all traffic to go through the hub
Benefit: Allows dynamic tunnels
Phase 2
Allows spoke-to-spoke tunnels
Phase 3
Hub can enforce optimal path
Hierarchical design of DMVPN
Better route summaries
FlexVPN¶
Framework that encompasses different VPN deployments
Hub router has different templates for each VPN type
Virtual templates contains the necessary configurations
Once authentication is matched, corresponding virtual template is used
Can send configurations through the VPN tunnel
High availability (secondary hubs, etc.)
FlexVPN requires IKEv2 to be used.
Authorization
Authorization can be done through RADIUS or local database
Find attributes in certificate
Pass those attributes to auth server
Based on auth server, implement various configurations
Cisco AnyConnect¶
Client that is installed on user’s device that allows a remote access VPN
Can connect to IOS, ASA, or FTD
Can have different profiles push out different parameters IP address, ACLs, login times
IP address could be used on ACLs in other parts of the network
Split Tunneling
Allows some traffic to flow through tunnel, while other traffic goes through user’s LAN
Encryption can be IPsec or TLS
IPv4 or IPv6
Allows multiple tunnel endpoints to be configured
Additional AnyConnect Features¶
Integrate with other Cisco products
Provide visibility, compliance, malware protection, & web inspection
Remote Access VPNs can also be achieved through Clientless VPN