SNRS
Securing Networks with Cisco Routers and Switches
Volume 2
Version 3.0
Student Guide
Part Number: 97-2743.01

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Printed in Canada

Table of Contents, Volume 2

Module 3: Secure Site-to-Site Communications 3-1
  Overview 3-1
  Module Objectives 3-1
  Examining VPN and IPsec Fundamentals
    Overview
    Objectives
    IPsec Overview
    Security Associations
    Site-to-Site VPNs
    VPN Benefits
    VPN Restrictions
    Cisco Easy VPN and Cisco IOS SSL VPNs
    VPN Design Guide
    Global VPN Settings
    Summary
  Implementing IPsec VPNs with PKI
    Overview
    Objectives
    Cisco IOS PKI Overview
    Certificate Authorities
    Examining SCEP
    Cisco IOS CA Server
    Configuring CA Support
    Simple Certificate Enrollment Protocol (SCEP)
    Cut-and-Paste/Import from PC
    Configuring a PKI-Based IPsec Site-to-Site VPN
    Testing and Verifying CA Support
    Testing and Verifying IPsec
    Summary
  Implementing GRE over IPsec
    Overview
    Objectives
    Examining GRE Tunnels
    Configuring a GRE Tunnel
    Configuring a GRE-over-IPsec Tunnel
    Generate a Mirror Configuration
    Testing and Verifying GRE over IPsec
    Summary
  Configuring High-Availability VPNs and VTI
    Overview
    Objectives
    High Availability for Cisco IPsec VPNs
    IPsec Backup Peer
    Hot Standby Router Protocol
    IPsec Stateful Failover
    Backing Up a WAN Connection with an IPsec VPN
    Static and Dynamic VTIs
    Summary
  Implementing DMVPN 3-147
    Overview 3-147
    Objectives 3-147
    Dynamic Multipoint VPN 3-148
    DMVPN Example
    Operation 3-156
    Dynamic Routing Protocols over DMVPN 3-161
    EIGRP 3-162
    OSPF 3-163
    RIPv2 3-165
    Configuring a DMVPN Hub 3-166
    Configuring a DMVPN Spoke 3-175
    Editing DMVPN Settings 3-182
    Verifying DMVPN 3-183
    Summary 3-185
  Implementing GET VPN 3-187
    Overview 3-187
    Objectives 3-187
    VPN Limitations 3-188
    GET VPN Overview 3-191
    GET VPN Architecture 3-195
    GET VPN Security 3-200
    GET VPN Operations 3-203
    Configuring GET VPN Key Servers 3-211
    Configuring GET VPN Group Members 3-232
    Verifying GET VPN Settings 3-233
    Summary 3-239
  Module Summary 3-241
  References 3-241

Module 4: Secure Remote Access Communications
  Overview
  Module Objectives
  Implementing Cisco IOS Remote Access Using Cisco Easy VPN
    Overview
    Objectives
    Introduction to Cisco Easy VPN
    Cisco Easy VPN Server
    Cisco Easy VPN Remote
    Only ISAKMP Policy Group 2 Supported on Cisco Easy VPN Servers
    Transform Sets Supported
    Dial Backup for Cisco Easy VPN Remotes
    NAT Interoperability Support
    Authentication
    Step 1: Cisco Easy VPN Remote Client Initiates the IKE Phase 1 Process 4-14
    Step 2: Cisco Easy VPN Server Accepts the SA Proposal 4-15
    Step 3: Cisco Easy VPN Server Initiates a Username and Password Challenge (Optional) 4-16
    Step 4: IKE Mode Configuration Process Is Initiated 4-17
    Step 5: The RRI Process Is Initiated (Optional) 4-18
    Step 6: IKE Phase 2 Completes the Connection 4-19
    Configuring the Cisco VPN Client 4-20
    Task 1: Install Cisco VPN Client 4-21
    Task 2: Create a New Client Connection Entry 4-22
    Task 3: Configure Client Authentication Properties 4-24
    Task 4: Configure Transparent Tunneling 4-25
    Task 5: Enable and Add Backup Servers 4-27
    Task 6: Configure Connection to the Internet Through Dial-Up Networking 4-28
    Configuring Cisco Easy VPN Remote 4-30
    Configuring Cisco Easy VPN Server 4-37
    Verify the Cisco Easy VPN Configuration 4-49
    Summary 4-54
  Examining a Cisco IOS SSL VPN 4-55
    Overview 4-55
    Objectives 4-55
    Overview of Cisco IOS SSL VPN 4-56
    Prerequisites 4-58
    Client Software 4-59
    Restrictions 4-63
    Auto Applet Download 4-63
    Configuring Cisco IOS SSL VPN Prerequisites 4-69
    Cisco IOS SSL VPN Configuration 4-70
    Editing Cisco IOS SSL VPNs 4-79
    CIFS Support 4-80
    NBNS Resolution 4-81
    Samba Support 4-81
    Configuring the Virtual Gateway 4-90
    Configuring a Policy Group 4-92
    Verifying SSL VPN Functionality 4-94
    Summary 4-103
  Module Summary 4-105
  References 4-105

Securing Networks with Cisco Routers and Switches (SNRS) v3.0
© 2008 Cisco Systems, Inc.

Module 3 | Secure Site-to-Site Communications

Overview
Virtual private networks (VPNs) allow secure access to corporate resources by establishing an encrypted tunnel across the Internet. The ubiquity of the Internet, combined with the VPN technologies of today, allows organizations to cost-effectively and securely extend the reach of their networks to anyone, anyplace, anytime. This module introduces you to IP Security (IPsec) services and Generic Routing Encapsulation (GRE). You will then set up site-to-site VPNs and Dynamic Multipoint VPNs (DMVPNs). This module also examines the newer Group Encrypted Transport VPN (GET VPN).

Module Objectives
Upon completing this module, you will be able to design, install, configure, and troubleshoot site-to-site VPNs using Cisco Integrated Services Routers.
This ability includes being able to meet these objectives:
- Describe basic characteristics and protocols that are used in IPsec configurations, and describe the various types of VPNs that are available using Cisco IOS Software, including IPsec, DMVPN, GET VPN, Cisco Easy VPN, and Cisco IOS SSL VPN
- Describe and configure a Cisco IOS CA server and an IPsec site-to-site VPN using digital certificates
- Describe and configure GRE-over-IPsec tunnels
- Describe and configure high-availability VPNs and VTIs
- Describe and configure DMVPNs
- Describe and configure GET VPNs

Lesson 1 | Examining VPN and IPsec Fundamentals

Overview
In the current business environment, it is critical that corporate networks that are connected to the Internet offer flexible and secure virtual private network (VPN) access with IP Security (IPsec). Connecting remote sites over the Internet provides a great cost-saving opportunity when compared with traditional WAN access such as Frame Relay or ATM. With IPsec technology, customers can now build VPNs over the Internet with authentication, integrity, and confidentiality protection. This lesson introduces you to IPsec, some of the underlying protocols that IPsec uses, and the tasks of configuring IPsec on a router. This lesson also provides you with multiple designs for implementing IPsec VPNs over the public Internet infrastructure. The IPsec VPN configurations presented in this lesson include site-to-site and remote-access VPNs.

Objectives
Upon completing this lesson, you will be able to describe basic characteristics and protocols that are used in IPsec configurations and describe the various types of VPNs that are available using Cisco IOS Software, including IPsec, Dynamic Multipoint Virtual Private Network (DMVPN), Group Encrypted Transport VPN (GET VPN), Cisco Easy VPN, and Cisco IOS Secure Sockets Layer (SSL) VPN.
This ability includes being able to meet these objectives:
- Describe the basic functionality and protocols of IPsec VPNs
- Describe different types of site-to-site VPNs, including fully meshed, hub-and-spoke, IPsec, Cisco Easy VPN with VTI, GRE over IPsec, DMVPN, and GET VPN
- Describe Cisco Easy VPN and Cisco IOS SSL VPNs
- Explain the VPN design guide that is available in Cisco SDM
- Configure global VPN router settings in Cisco SDM

IPsec Overview
This topic describes the basic functionality and protocols of IPsec VPNs.

IPsec Overview
- Defined in RFC 4301
- Combines three protocols into a cohesive security framework

IPsec is designed to provide interoperable, high-quality, cryptographically based security. IPsec is defined in RFC 4301, Security Architecture for the Internet Protocol. IPsec offers access control, connectionless integrity, data origin authentication, protection against replays, confidentiality (encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and upper-layer protocols (ULPs). Because the services are provided at the IP layer, any higher-layer protocol, such as TCP, User Datagram Protocol (UDP), or Border Gateway Protocol (BGP), can use them without modification.

IPsec provides security services at the IP layer by enabling a system to select the required security protocols, determine the algorithm (or algorithms) to use for the service (or services), and put in place any cryptographic keys that are required to provide the requested services. IPsec can protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

Note: The term "security gateway" is primarily used to refer to an intermediate system that implements IPsec protocols; for example, a router or a firewall that is implementing IPsec.

The IPsec protocol provides IP network layer encryption and defines a new set of headers to be added to IP datagrams.
These new headers are placed after the IP header and before the Layer 4 protocol header (typically TCP or UDP). The new headers furnish the information needed to secure the payload of the IP packet.

IPsec provides secure tunnels between two peers, such as two routers. You define which packets are considered sensitive and should be sent through these secure tunnels, and you define the parameters that should be used to protect these sensitive packets by specifying the characteristics of the tunnels. When an IPsec peer sees a sensitive packet (based on your definition), it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.

These tunnels are sets of security associations (SAs) that are established between two IPsec peers. The SAs define which protocols and algorithms should be applied to sensitive packets and specify the keying material that the two peers will use. SAs are unidirectional and are established per security protocol (Authentication Header [AH] or Encapsulating Security Payload [ESP]).

IPsec combines the following security protocols:
- Internet Key Exchange (IKE)
- AH
- ESP

You can use AH and ESP independently or together, although for most applications just one of them is sufficient. For both of these protocols, IPsec does not define the specific security algorithms to use, but provides an open framework for implementing industry-standard algorithms. Initially, most implementations of IPsec support Message Digest 5 (MD5), from RSA Data Security, or the Secure Hash Algorithm (SHA), as defined by the U.S. government, for integrity and authentication. The Data Encryption Standard (DES) is currently the most commonly offered bulk encryption algorithm, although RFCs are available that define how to use many other encryption systems. Note that single DES has only a 56-bit key and can be brute-forced with modest resources; use AES (or at least 3DES) whenever both peers support it.

Because these security services use shared secret values (cryptographic keys), IPsec relies on a separate set of mechanisms for putting these keys in place.

Security Associations
The concept of an SA is fundamental to IPsec. Both AH and ESP make use of SAs, and a major function of IKE is to establish and maintain SAs. All implementations of AH or ESP must support the concept of an SA.

An SA is a simplex connection that affords security services to the traffic that is carried by it. Security services are provided to an SA by the use of either AH or ESP, but not both. If both AH and ESP protection are applied to a traffic stream, two (or more) SAs are created to provide protection to the traffic stream. To secure typical, bidirectional communication between two hosts or between two security gateways, two SAs (one in each direction) are required.

Authentication Header
- RFC 4302
- IP protocol 51
- Mechanism for providing strong integrity and authentication for IP datagrams
- Can also provide antireplay

IP AH, a key protocol in the IPsec architecture, provides connectionless integrity and data origin authentication for IP datagrams and offers protection against replays. Protection against replay is an optional service that the receiver can select when an SA is established. AH is defined in RFC 4302, IP Authentication Header. The IP version 4 (IPv4) or IP version 6 (IPv6) header immediately preceding the AH contains the value 51 in its Next Header (IPv6) or Protocol (IPv4) field.

AH is a mechanism to provide strong integrity and authentication for IP datagrams. Confidentiality and protection from traffic analysis are not provided by AH. Users who need confidentiality should consider using ESP, either instead of or in conjunction with AH. The primary difference between the authentication that ESP and AH provide is the extent of the coverage.
Specifically, ESP does not protect any IP header fields unless those fields are encapsulated by ESP, as they are in tunnel mode; AH, in contrast, also authenticates the immutable fields of the outer IP header. You can employ AH in two ways: transport mode or tunnel mode.

IPsec Modes—AH
IPsec has two methods of forwarding data across a network: transport mode and tunnel mode. Each method differs in its application and in how much overhead is added to the packet.
- AH transport mode: IPsec transport mode inserts an AH header between the IP header and the transport layer header. In this case, transport mode saves the additional IP header, resulting in less packet expansion.
- AH tunnel mode: IPsec tunnel mode adds an additional new IP header before the AH header. The tunnel endpoint routers own the IP addresses that are used in these new headers. Using tunnel mode results in packet expansion of approximately 20 bytes associated with the new IP header.

Encapsulating Security Payload
- RFC 4303
- IP protocol 50
- May provide the following:
  - Confidentiality (encryption)
  - Connectionless integrity
  - Data origin authentication
  - An antireplay service

ESP is designed to provide a mix of security services in IPv4 and IPv6. ESP provides confidentiality and integrity by encrypting the data that is to be protected and placing the encrypted data in the data portion of the IP ESP payload. ESP is defined in RFC 4303, IP Encapsulating Security Payload (ESP).

Note: Using ESP increases the IP protocol processing costs in participating systems and increases the communication latency. The increased latency is primarily because of the encryption and decryption that is generally performed for each IP datagram that contains ESP.

The ESP header is inserted after the IP header and before the ULP header (transport mode) or before an encapsulated IP header (tunnel mode). The Internet Assigned Numbers Authority (IANA) has assigned IP protocol 50 to ESP. The header immediately preceding an ESP header always contains the value 50 in its Next Header (IPv6) or Protocol (IPv4) field. ESP consists of an unencrypted ESP header followed by encrypted data. The encrypted data includes both the protected ESP trailer fields and the protected user data, which is either an entire IP datagram or a ULP frame (such as TCP or UDP).

IPsec Modes—ESP
As with AH, IPsec has two methods of forwarding data across a network: transport mode and tunnel mode. These methods differ in their application and in how much overhead is added to the passenger packet.
- ESP transport mode: IPsec transport mode inserts an ESP header between the IP header and the transport layer header. In this case, transport mode saves an additional IP header, which leads to less packet expansion.
- ESP tunnel mode: IPsec tunnel mode adds an additional new IP header before the ESP header. Tunnel mode encapsulates and protects an entire IP packet. Because tunnel mode encapsulates, and so hides, the original IP header of the packet, a new IP header must be added for the packet to be successfully forwarded. The encrypting routers own the IP addresses used in these new headers. Using tunnel mode leads to additional packet expansion of approximately 20 bytes associated with the new IP header.

Internet Security Association and Key Management Protocol
- RFC 2408
- UDP port 500
- Defines procedures for:
  - Peer authentication
  - Creation and management of SAs
  - Key generation techniques
  - Threat mitigation

Internet Security Association and Key Management Protocol (ISAKMP) is defined in RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP).
ISAKMP defines the following:
- Procedures to authenticate a communicating peer
- How to create and manage SAs
- Key generation techniques
- Threat mitigation; for example, against denial of service (DoS) and replay attacks

IPsec is the actual protocol that protects the IP datagrams; ISAKMP is the protocol that negotiates policy and provides a common framework for generating the keys that IPsec peers share. ISAKMP does not specify any details of key management or key exchange and is not bound to any key generation technique. Inside ISAKMP, Cisco uses Oakley as the key exchange protocol. Oakley enables you to choose between different well-known Diffie-Hellman (DH) groups. Cisco IOS Software supports DH group 1 (a 768-bit modulus), DH group 2 (a 1024-bit modulus), and DH group 5 (a 1536-bit modulus). Groups 1 and 2 no longer provide an adequate security margin against well-funded attackers; choose group 5 from this list, and group 14 (2048-bit) or stronger on Cisco IOS releases that offer it.

ISAKMP and Oakley create an authenticated, secure tunnel between two entities, and then negotiate the SA for IPsec. This process requires that the two entities authenticate themselves to each other and establish shared keys. Both parties must be authenticated to each other.

ISAKMP and Oakley support multiple authentication methods. The two entities must agree on a common authentication protocol through a negotiation process, using either RSA signatures, RSA-encrypted pseudorandom numbers (nonces), or pre-shared keys (PSKs). Both RSA signatures and RSA-encrypted nonces require the public key of the remote peer, and they require the remote peer to have your local public key. Public keys are exchanged in ISAKMP in the form of digital certificates. You can obtain these certificates by enrolling with a certificate authority (CA). Currently, if there is no certificate in the router, ISAKMP does not negotiate a protection suite that uses RSA signatures.

Both parties must have a shared session key to encrypt the ISAKMP-Oakley tunnel. The DH protocol is used to agree on a common session key. The exchange is authenticated as described previously to guard against man-in-the-middle attacks. These two steps, authentication and key exchange, create the ISAKMP-Oakley SA, which is a secure tunnel between the two devices. One side of the tunnel offers a set of algorithms; the other side must then accept one of the offers or reject the entire connection. When the two sides have agreed on which algorithms to use, they must derive key material to use for IPsec with AH, ESP, or both.

IPsec uses a different shared key from ISAKMP and Oakley. The IPsec shared key can be derived either by performing DH again, to ensure perfect forward secrecy (PFS), or by refreshing the shared secret derived from the original DH exchange that generated the ISAKMP-Oakley SA, by hashing it with fresh nonces. The first method provides greater security but is slower. In most implementations, a combination of the two methods is used: DH is used for the first key exchange, and then local policy dictates when to use DH again or merely a key refresh. After this process is complete, the IPsec SA is established.

Cisco routers do not create certificates. Routers create keys and request certificates for those keys. The certificates, which bind the keys of the routers to their identities, are created and signed by CAs. This process is an administrative function, and the CA always requires some sort of verification that the users are who they say they are, so you cannot just create new certificates in real time. The communicating machines exchange pre-existing certificates that they have obtained from CAs. The certificates are public information, but the corresponding private key must be available to whoever uses the certificate to prove its identity, and it must be kept secret from anyone who should not be able to use that identity.

A certificate can identify a user or a machine, depending on the implementation. Most early systems typically use a certificate to identify a machine. If a certificate identifies a user, the private key corresponding to that certificate must be stored in such a way that another user on the same machine cannot use it. So, generally, either the key is kept encrypted or the key is kept in a smart card. (Using encrypted keys is likely to be more common in early implementations.) In either case, the user generally has to enter a passphrase whenever the key is activated.

Internet Key Exchange
- RFC 2409
- A hybrid protocol consisting of:
  - SKEME: a mechanism for using public key encryption for authentication
  - Oakley: a modes-based mechanism for arriving at an encryption key between two peers
  - ISAKMP: an architecture for message exchange, including packet formats and state transitions between two peers, which is phase-based

IKE is a hybrid protocol that uses part of Oakley and part of another protocol suite known as SKEME inside the ISAKMP framework. IKE establishes a shared security policy and authenticated keys for services that require keys, such as IPsec. Before any IPsec traffic can be passed, each router, firewall, and host must be able to verify the identity of its peer. This verification can be performed by manually entering PSKs into both hosts, by using a CA service, or by using the future Domain Name System Security (DNSSEC). IKE is the protocol formerly known as ISAKMP/Oakley, and is defined in RFC 2409, The Internet Key Exchange (IKE); this lesson covers that version, IKE version 1. A potential point of confusion is that the acronyms "ISAKMP" and "IKE" are both used in Cisco IOS Software to refer to the same thing (the crypto isakmp commands configure IKE), even though the two are somewhat different: ISAKMP is the framework, and IKE is the specific key exchange protocol built on it.

IKE uses a DH key exchange to set up a shared session secret, from which cryptographic keys are derived. IKE is a hybrid solution that uses the following:
- SKEME: Describes a versatile key exchange technique that provides anonymity, repudiability, and quick key refreshment
- Oakley: Describes a series of key exchanges known as "modes" and details the services provided by each (for example, PFS for keys, identity protection, and authentication)
- ISAKMP: Provides a framework for authentication and key exchange but does not define them; designed to support many different key exchanges

IKE solves the enormous problem of a manual and nonscalable implementation of IPsec by automating the entire key exchange process. The following are reasons to implement IKE in your IPsec configuration:
- Scalability
- Manageable manual configuration
- SA characteristics negotiation
- Automatic key generation
- Automatic key refresh

How IKE Works
IKE is a two-phase protocol.
- Phase 1: Peers negotiate a secure, authenticated communication channel
- Phase 2: SAs are negotiated on behalf of IPsec services

Oakley and SKEME each define a method to establish an authenticated key exchange. This exchange includes the construction of payloads, the information that payloads carry, the order in which payloads are processed, and how they are used. Oakley defines modes; ISAKMP defines phases. The relationship between the two is straightforward, and IKE presents different exchanges as modes that operate in one of two phases.

IKE Phase 1
The two ISAKMP peers establish a secure, authenticated channel with which to communicate. This channel is known as the ISAKMP SA. Main mode and aggressive mode each accomplish an IKE Phase 1 exchange. Main mode and aggressive mode must be used only in IKE Phase 1.
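The two phases and the PFS choice described above, as an added example that is not part of the course material: a Python sketch of the RFC 2409 key derivation with pre-shared key authentication. The DH modulus is a toy Mersenne prime chosen for brevity (an assumption; it is not an IKE group), HMAC-SHA1 stands in for the negotiated prf, and the pre-shared key, cookies and nonces are constructed. The point it makes is the one the lesson states: once SKEYID_d has leaked, an attacker who captured the quick mode messages recomputes the IPsec key unless PFS added a fresh DH exchange.

```python
"""IKE phase 1 and phase 2 key derivation (RFC 2409, pre-shared key authentication) and what PFS
changes. Added example for this lesson, stdlib only; the DH modulus is a toy, not an IKE group."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1          # Mersenne prime: fine for illustration, NOT RFC 2409/3526 group 1, 2, 5 or 14
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()      # HMAC-SHA1 is one of the negotiable IKE prfs


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1                       # private exponent in [1, P-2]
    return x, pow(G, x, P)


def dh_shared(x: int, peer_pub: int) -> bytes:
    return pow(peer_pub, x, P).to_bytes(16, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    # RFC 2409 s.5.4: with pre-shared keys, SKEYID = prf(psk, Ni_b | Nr_b). SKEYID_d seeds all later
    # IPsec key material; SKEYID_a and SKEYID_e protect the IKE SA itself.
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, qm_gxy=b""):
    # RFC 2409 s.5.5 (quick mode): KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    # The bracketed term exists only when PFS is negotiated.
    return prf(skeyid_d, qm_gxy + bytes([protocol]) + spi + ni2 + nr2)


def run_exchange(pfs: bool) -> bool:
    """Run phase 1 and one quick mode; return whether the modelled attacker recovers the IPsec key."""
    psk = b"constructed-pre-shared-key"
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    d_init = phase1_keys(psk, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)[0]
    d_resp = phase1_keys(psk, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)[0]
    assert d_init == d_resp                                # both sides hold the same ISAKMP SA secrets
    spi, ni2, nr2 = (0x2000).to_bytes(4, "big"), secrets.token_bytes(16), secrets.token_bytes(16)
    qm_gxy = b""
    if pfs:
        yi, gyi = dh_keypair()
        yr, gyr = dh_keypair()
        qm_gxy = dh_shared(yi, gyr)
        assert qm_gxy == dh_shared(yr, gyi)
    keymat = phase2_keymat(d_init, 50, spi, ni2, nr2, qm_gxy)
    # Attacker from the text: SKEYID_d has leaked and every quick-mode message was captured
    # (SPI, nonces, public DH values). The quick-mode private exponents yi and yr were not.
    attacker_keymat = phase2_keymat(d_init, 50, spi, ni2, nr2, b"")
    return keymat == attacker_keymat


def pfs_comparison() -> dict:
    return {"ipsec_key_recovered_without_pfs": run_exchange(pfs=False),
            "ipsec_key_recovered_with_pfs": run_exchange(pfs=True)}


if __name__ == "__main__":
    print(pfs_comparison())
```

Without PFS the only secret input to KEYMAT is SKEYID_d, so the leak is fatal for every IPsec SA the IKE SA ever negotiates; with PFS the attacker is left solving a discrete logarithm per SA, which is the cost the lesson describes as "slower but more secure".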
IKE Phase 2
SAs are negotiated on behalf of services such as IPsec or any other service that needs key material or parameter negotiation, or both. Quick mode accomplishes an IKE Phase 2 exchange, and quick mode is used only in IKE Phase 2.

Other Protocols and Terminology
- Symmetric encryption algorithms: DES, 3DES, AES
- Asymmetric encryption algorithms: RSA
- Hashing algorithms and technologies: MD5, SHA, HMAC
- Key exchange algorithm: DH
- PKI technologies: certificates, CAs
- IPsec terms and technologies: crypto maps, PFS, transforms

The following are additional protocols and terms that are used with IPsec:
- Advanced Encryption Standard (AES): AES was finalized as a Federal Information Processing Standard (FIPS)-approved cryptographic algorithm to protect electronic data transmission (FIPS PUB 197). AES is based on the Rijndael algorithm, which specifies how to use keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits (all nine combinations of key length and block length are possible). FIPS 197 itself standardizes only the 128-bit block size, with the three key lengths.
- Certificate authority (CA): A CA is a third-party entity with the responsibility to issue and revoke certificates. Each device that has its own certificate and public key on the CA can authenticate every other device within the domain of a given CA. This term also applies to server software that provides these services.
- Certificate: A certificate is a cryptographically signed object that contains an identity and a public key associated with this identity.
- Certificate revocation list (CRL): A CRL is a digitally signed message that lists all of the current but revoked certificates issued by a given CA.
- Crypto map: A crypto map is a Cisco IOS Software configuration entity that performs two primary functions. First, it selects the data flows that need security processing. Second, it defines the policy for these flows and the crypto peer to which the traffic must go. A crypto map is applied to an interface.
- DES: DES was published in 1977 by the National Bureau of Standards (NBS) (the former name of the National Institute of Standards and Technology [NIST]) and is a secret key encryption scheme that is based on the Lucifer algorithm from IBM.
- Triple DES (3DES): 3DES is a mode of the DES encryption algorithm that processes data with DES three times. Three 64-bit keys (56 effective bits each) are used, instead of one, for a nominal key length of 192 bits (168 effective bits): the output of the first encryption is processed with a second key, and that result is encrypted again with a third key.
- DH: DH is a method of establishing a shared key over an insecure medium. DH is a component of Oakley.
- Hash: A hash is a one-way function that takes an input message of arbitrary length and produces a fixed-length digest. Cisco uses both SHA and MD5 hashes within its implementation of the IPsec framework.
- Hashed Message Authentication Code (HMAC): HMAC is a mechanism for message authentication that uses cryptographic hashes such as SHA and MD5.
- MD5: MD5 is a one-way hashing algorithm that produces a 128-bit hash. Both MD5 and SHA are variations on Message Digest 4 (MD4), designed to strengthen the security of the hashing algorithm. SHA is more secure than MD4 and MD5. Practical collision attacks now exist against both MD5 and SHA-1; HMAC is less affected, but prefer SHA-2 based integrity (for example, HMAC-SHA-256) where the Cisco IOS release and the peer support it.
- Perfect forward secrecy (PFS): PFS ensures that a given IPsec SA key was not derived from any other secret (such as other keys). In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all of the IPsec-protected data, and then use knowledge of the IKE SA secret to compromise the IPsec SAs set up by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker must break each IPsec SA individually. When PFS is enabled, the Cisco IOS IPsec implementation uses PFS group 1 (768-bit DH) by default, so specify a stronger group explicitly.
- RSA: RSA is a public key cryptographic algorithm (named after its inventors, Rivest, Shamir, and Adleman) with a variable key length. The main weakness of RSA is that it computes significantly slower than popular secret key algorithms, such as DES. The Cisco IKE implementation uses a DH exchange to get the secret keys. This exchange can be authenticated with RSA (or PSKs). With the DH exchange, the session key never crosses the network (not even in encrypted form), which is not the case with the RSA encrypt-and-sign technique. The RSA patent expired in 2000, so the algorithm no longer has to be licensed from RSA Security.
- SHA-1: SHA-1 is a one-way hash algorithm published by NIST. SHA is closely modeled after MD4 and produces a 160-bit digest. Because SHA produces a 160-bit digest, it is more resistant to brute-force attacks than 128-bit hashes (such as MD5), but it is slower.
- Transform: A transform describes a security protocol (AH or ESP) with its corresponding algorithms (for example, ESP with the DES cipher algorithm and HMAC-SHA for authentication).

IPsec Configuration Task List
- Check network connectivity
- Ensure that ACLs are compatible with IPsec:
  - Allow IP protocols 50 and 51
  - Allow UDP port 500
- Configure IKE Phase 1 (ISAKMP) policies
- Configure IKE Phase 2 (IPsec):
  - Create crypto ACLs
  - Define transform sets
  - Create crypto map entries
- Set global lifetimes for IPsec SAs
- Apply the crypto map to the interface

IPsec configuration on a Cisco router involves the configuration of IKE policies and IPsec configurations.
You also must ensure that your network devices are not interfering with the IPsec process. It is possible to overlook the obvious when you are adding VPNs to an existing network. Ensure that the router does not have an access control list (ACL) that blocks ISAKMP (UDP port 500), AH (IP protocol 51), or ESP (IP protocol 50); if NAT-T is in use, UDP port 4500 must also be permitted.

The only reason that IKE exists is to establish SAs for IPsec. IKE must first negotiate an SA (an ISAKMP SA) with the peer before it can establish the IPsec SA. Because IKE negotiates its own policy, it is possible to configure multiple policy statements with different configuration statements, and then let the two hosts come to an agreement. Currently, you can use two methods to configure ISAKMP:

1. PSKs: simple, but not very scalable
  - Configure the ISAKMP protection suite (or suites):
    - Specify what size modulus to use for the DH calculation: group 1 (768 bits), group 2 (1024 bits), or group 5 (1536 bits)
    - Specify a hashing algorithm (MD5 or SHA)
    - Specify the lifetime of the SA (in seconds)
    - Specify the authentication method (PSK)
  - Configure the ISAKMP key (specify the ISAKMP key and the peer)

2. CA server: RSA signatures or RSA-encrypted nonces, scalable throughout an enterprise
  - Create an RSA key pair for the router
  - Request the certificate of the CA
  - Enroll certificates for the client router
  - Configure the ISAKMP protection suite (or suites): specify rsa-sig as the authentication method

After setting up IKE, you must still configure IPsec. The steps that are required to configure IPsec do not depend on the IKE configuration method. When you configure IPsec, you do the following:
- Create an extended ACL (determines what traffic should be protected by IPsec).
- Create IPsec transform sets. Transform sets are offered to the peer, and the peer chooses which transform set to use.
- Create a crypto map (or maps).
   - Specify the peer (or peers)
   - Specify the SA lifetime
   - Specify the transform sets
   - Specify the ACL to match against for relevant traffic
■ Apply the crypto map to an interface. Apply the crypto map to the egress interface, not the ingress interface.

IPsec with NAT or PAT: The Problems
[Figure: a remote site reaching a central site through a NAT or PAT device. PAT fails when the Layer 4 port is needed, because that information is encrypted inside ESP packets. AH authentication fails because the IP source address has changed, and also when embedded IP addresses are translated (FTP, SNMP, SIP, H.323, LDAP, and others).]

The IPsec VPN tunnel might not work across a Network Address Translation (NAT) or Port Address Translation (PAT) device. For example, NAT breaks AH because NAT changes the source or destination IP addresses that are used to calculate the Integrity Check Value (ICV). In addition, some protocols and applications, such as FTP, Session Initiation Protocol (SIP), Simple Network Management Protocol (SNMP), and Lightweight Directory Access Protocol (LDAP), embed IP addresses in the application layer, and the NAT devices change the embedded address, resulting in a failed ICV.

ESP works with NAT because the outer IP header is not included in the ICV computation. However, ESP does not work with PAT because when an IPsec VPN tunnel is used with ESP, the TCP or UDP port information is encrypted and, therefore, the PAT device cannot read the port information to perform PAT.

IPsec NAT-T
Use NAT-T with IPsec over UDP:
* NAT-T detection
* NAT-T decision
* UDP encapsulation of IPsec packets using port 4500
[Figure: a remote site and a central site exchanging UDP-encapsulated IPsec through a NAT or PAT device.]

NAT traversal (NAT-T) is designed to solve the problems inherent in using IPsec with NAT.
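The configuration task list above, carried through end to end on one peer of a site-to-site tunnel, as an added example that is not configuration from the original course material. The addresses (203.0.113.1 local, 198.51.100.2 peer, 10.1.0.0/24 and 10.2.0.0/24 as the protected LANs), the interface names, and all object names are constructed, and PLACEHOLDER-PSK stands in for a real pre-shared key. The outside ACL admits UDP 500, ESP, and AH as the task list requires, plus UDP 4500 for NAT-T.

```cisco
! Task 1 and 2: the outside ACL must not block IKE (UDP 500), NAT-T (UDP 4500),
! ESP (IP 50) or AH (IP 51) from the peer. Addresses are constructed.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.2 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 198.51.100.2 host 203.0.113.1
 permit ahp host 198.51.100.2 host 203.0.113.1
 deny ip any any log
!
! Task 3: IKE Phase 1 (ISAKMP) policy. Stronger than the DES / MD5 / group 1
! defaults; both peers must offer at least one matching policy.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! PSK method: key plus the static address of the peer (PLACEHOLDER-PSK is not a real key)
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.2
!
! Task 4: IKE Phase 2 (IPsec). Crypto ACL = "interesting" traffic to protect.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
! Transform set offered to the peer (ESP with AES-256 and HMAC-SHA)
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
! Global IPsec SA lifetime (task 5); the default is 3600 seconds
crypto ipsec security-association lifetime seconds 3600
! Crypto map entry: peer, transform set, PFS group, and the crypto ACL
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set AES-SHA
 set pfs group5
 match address VPN-TRAFFIC
!
! Task 6: apply the crypto map to the egress (outside) interface only
interface GigabitEthernet0/0
 description Outside (Internet-facing)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map SITE2SITE
```

The peer router carries the mirror image: its own key line naming 203.0.113.1, the crypto ACL with source and destination swapped, and the same transform set. After interesting traffic is sent, `show crypto isakmp sa` should list the Phase 1 SA in state QM_IDLE, and `show crypto ipsec sa` shows the encrypt/decrypt counters of the Phase 2 SAs; a peer that stays in MM_NO_STATE usually indicates that the ACL is blocking UDP 500 or that no Phase 1 policy matches.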
NAT-T is negotiated using the following factors:
■ NAT-T detection
■ NAT-T decision
■ UDP encapsulation of IPsec packets using port 4500

During the IKE Phase 1 negotiation, two types of NAT detection occur before IKE quick mode begins: NAT support and NAT existence along the network path.

To detect NAT support, the vendor ID string is exchanged with the remote peer. If the remote peer supports NAT-T, it sends a vendor ID string payload to its peer to indicate that its hardware or software version supports NAT-T. Thereafter, NAT existence along the network path can be determined.

NAT-T enables an IPsec device to find any NAT device between two IPsec peers. To detect whether a NAT device exists along the network path, the peers send a payload with hashes of the IP address and port of both the source and destination address from each end. The hashes are sent as a series of NAT discovery (NAT-D) payloads. If, upon receipt, both ends recalculate the hashes and the hashes match the payload hash, each peer knows that no NAT device exists on the network path between them. If the payload hash and the recalculated hashes do not match, that indicates that a device translated the address or port and that each peer must perform NAT-T to get the IPsec packet through the network.

IKE Phase 1 detects NAT support and NAT existence along the network path; IKE Phase 2 decides whether the peers at both ends will use NAT-T. The quick mode SA payload is used for NAT-T negotiation.

Note: To use NAT-T, you must permit UDP port 4500 through any ACLs or firewalls.

IPsec over TCP
IPsec over TCP:
* No negotiation
* Encapsulated over TCP from the start of the tunnel establishment
* TCP encapsulation of IPsec packets using port 10000
[Figure: a remote site and a central site exchanging TCP-encapsulated IPsec through a NAT or PAT device.]

Another solution to the problem of using IPsec with NAT or PAT is IPsec over TCP.
IPsec over TCP encapsulates both the IKE and IPsec protocols within TCP from the start of the tunnel establishment cycle. At the point at which IKE would negotiate the use of IPsec over UDP, IPsec over TCP is already active. The goal of IPsec over TCP is to allow Cisco VPN clients to operate in environments that use NAT and PAT by employing TCP to encapsulate both IKE and ESP. This takes advantage of the fact that many firewalls allow outgoing TCP traffic and the inbound packets associated with the outbound connection. Using TCP through firewalls is preferable over UDP because the state of TCP packets can be maintained, resulting in higher security. The TCP implementation defaults to port 10000 but does not restrict the ability of the administrator to configure different ports.

Although TCP is used to encapsulate IKE and IPsec, this feature is not intended to provide the reliability found in a fully deployed TCP implementation. The application layer (IKE) already provides much of the reliability needed.

IPsec over TCP is a system-wide feature. If enabled at both ends, it is on from the start of the IKE negotiations. If both NAT-T and IPsec over TCP are enabled, IPsec over TCP takes precedence.

Virtual Private Networks
[Figure: an IPsec VPN over a shared infrastructure connecting sites and telecommuters to workplace resources.]

An IPsec VPN is a VPN that you deploy on a shared infrastructure using IPsec encryption technology. You can use IPsec VPNs as an alternative to a WAN infrastructure to replace or augment existing private networks that use leased-line or enterprise-owned Frame Relay and ATM networks.
IPsec VPNs do not inherently change WAN requirements, such as support for multiple WAN Layer 2 protocols, high reliability, and extensive scalability, but instead meet these requirements more cost-effectively and with greater flexibility.

The following are some of the Cisco IPsec site-to-site VPN deployment options:
■ Fully meshed
■ Hub-and-spoke
■ Cisco Easy VPN with Virtual Tunnel Interface (VTI)
■ Generic Routing Encapsulation (GRE) over IPsec
■ DMVPN (hub-and-spoke or virtual full mesh)
■ GET VPN

An IPsec VPN uses the most pervasive transport technologies available today (the public Internet, IP backbones, and Frame Relay and ATM networks). The equipment that is deployed at the edge of the enterprise network and the feature integration across the WAN primarily define the functionality of an IPsec VPN, rather than the WAN transport protocol. IPsec VPNs are deployed to ensure secure connectivity between the VPN sites. The VPN sites can be either a subnet or a host residing behind routers.

The following are some of the key components of a VPN connection:
■ Cisco VPN routers serving as VPN headend termination devices at a central campus (headquarters)
■ Cisco VPN access routers serving as VPN branch-end termination devices at branch office locations
■ IPsec and GRE tunnels that interconnect the headend and branch-end devices in the VPN
■ VPN clients for remote users
■ An Internet service provider (ISP) serving as the WAN interconnection medium

Site-to-Site VPNs
This topic describes different types of site-to-site VPNs, including fully meshed, hub-and-spoke, IPsec, Cisco Easy VPN with VTI, GRE over IPsec, DMVPN, and GET VPN.

Fully Meshed VPNs
* There are static public addresses between peers.
* Local LAN addresses can be private or public.
[Figure: IPsec tunnels forming a full mesh between all sites.]

The fully meshed site-to-site VPN design refers to a mesh of IPsec tunnels that connect all remote sites. For any-to-any connectivity, a full mesh of tunnels is required to provide a path between all of the sites. Site-to-site VPNs are primarily deployed to connect branch office locations to the central site of an enterprise and to each other.

A full-mesh site-to-site VPN configuration requires IPsec peers to use public IP addresses to establish the IPsec tunnels. The public IP addresses are specified in the IPsec peer configuration and require the public addresses of the VPN routers to be static addresses. However, the VPN site internal addresses can be private or public addresses, because the site traffic is encrypted before it enters the IPsec tunnels.

VPN Benefits
The following are some of the benefits of a fully meshed VPN topology:
■ Increased data and network security
■ Reduced WAN costs and increased WAN flexibility
■ Simple and flexible design and configuration procedure for adding new sites

VPN Restrictions
The following are some of the restrictions of a fully meshed VPN topology:
■ All sites must have static IP addresses for IPsec peering.
■ When adding a new site, you must reconfigure all of the other routers to add the new site. To maintain a full mesh, you must configure n * (n - 1) tunnels, where n is the total number of sites. For example, if you have 10 sites, you must configure 10 * 9, or 90 tunnels. To add a single site requires 110 tunnels (11 * 10), which means that you must configure 20 additional tunnels.

Hub-and-Spoke VPNs
* Only the hub needs a static public address.
* Spoke addresses can be dynamically assigned using DHCP.
* Dynamic crypto maps at the hub anticipate dynamic spoke addresses.
[Figure: spoke sites connecting to a hub site over IPsec tunnels.]

In a hub-and-spoke network configuration, the spoke sites use IPsec tunnels to connect to a hub site to establish network connectivity.
The hub site consists of high-end tunnel aggregation routers that service multiple IPsec tunnels for a predefined maximum number of spoke locations. Small site routers (spoke sites) typically connect to a set of large site routers (hub sites).

A benefit of terminating the VPN tunnels at the hub site is that the headend can act as the distribution point for all routing information and connectivity to and from spoke-site devices. For resiliency and load distribution, you can set up the hub site with multiple headend devices.

When the majority of traffic is targeted to the hub and the core of the network, the hub-and-spoke design is the most suitable configuration. Additional IPsec connections that form partial mesh connections can enable a direct IPsec path if some spoke sites require direct access to each other.

In a hub-and-spoke configuration, the hub typically uses statically assigned public IP addresses, although the spokes can use dynamically assigned IP addresses. In an environment where the spoke sites also use static public addresses, a partial mesh of IPsec connections can create the VPN using site-to-site configurations.

The main feature that is used to enable a hub-and-spoke configuration is the dynamic crypto map, which eases IPsec configuration. A dynamic crypto map is essentially a crypto map entry without all of the parameters configured. It acts as a policy template where the missing parameters are dynamically configured to match the requirements of a remote peer. When using a dynamic crypto map, only the remote peer can initiate the tunnel.

Dynamic crypto maps are used in a hub-and-spoke configuration to support the dynamic addresses at the spokes. The peer addresses are dynamically assigned IP addresses that are not statically configured in the hub configuration. The spokes must authenticate themselves to the hub to establish the IPsec tunnel to the hub.
If PSKs are used for authentication, the hub must be configured with a wildcard PSK because spoke IP addresses are not known beforehand. All spokes that know the PSK and have IP addresses that match the network mask for the wildcard PSK can connect to the hub.

The following are some of the common characteristics of a hub-and-spoke VPN:
■ Static IP address at the hub
■ Dynamic IP addresses at the spokes
■ Dynamic crypto maps
■ Wildcard IP addresses with the PSKs

The following are some of the benefits of a hub-and-spoke VPN topology:
■ Provides support for small sites with small LANs and low-end routers: Only one IPsec tunnel is needed at the spoke routers.
■ Reduces the hub router configuration size and complexity: The hub router does not need to maintain a separate static crypto map for each spoke site or maintain a list of IP addresses for the spoke sites, thereby simplifying the adding, deleting, and changing of spoke sites.
■ Only the hub must have a static and global IP address: The spoke routers can have DHCP-based dynamic IP addresses with the hub configured to use a dynamic crypto map.
■ Easy to add a new site or router: No changes to the existing spoke or hub routers are required.

The following are some of the restrictions of a hub-and-spoke VPN topology:
■ IPsec performance is aggregated at the hub.
■ All spoke packets are decrypted and re-encrypted at the hub.
■ When using hub-and-spoke configurations with dynamic crypto maps, the IPsec encryption tunnel must be initiated by the spoke routers.

GRE over IPsec VPNs
[Figure: corporate headquarters and a remote office connected by a GRE over IPsec tunnel carrying an ESP-protected payload.]

You can use GRE in conjunction with IPsec to pass routing updates between sites on an IPsec VPN. GRE encapsulates the plaintext packet, and then IPsec (in transport mode or tunnel mode) encrypts the packet. This packet flow of GRE over IPsec enables routing updates, which are generally multicast, to be carried over an encrypted link.
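The hub-and-spoke characteristics listed above (static hub address, dynamic spoke addresses, dynamic crypto map, wildcard PSK) put into one hub and one spoke configuration, as an added example that is not configuration from the original course material. The hub address 203.0.113.1, the LAN prefixes, the interface names, and the object names are constructed; PLACEHOLDER-PSK stands in for a real key.

```cisco
! --- Hub: the only peer that needs a static public address (constructed) ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Wildcard PSK: the hub does not know spoke addresses in advance, so the key is
! bound to 0.0.0.0 0.0.0.0. A narrower mask limits which source addresses may use it.
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
! Dynamic crypto map: no "set peer" and no "match address"; those values are
! taken from whatever the spoke proposes when it initiates.
crypto dynamic-map SPOKES 10
 set transform-set AES-SHA
 reverse-route
! The dynamic entry is referenced last (highest sequence number) so that any
! static crypto map entries on the same interface are evaluated first.
crypto map HUB-MAP 100 ipsec-isakmp dynamic SPOKES
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map HUB-MAP
!
! --- Spoke: DHCP-assigned outside address, ordinary static crypto map ---
! The spoke must initiate; the hub cannot, because it has no peer address for it.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
ip access-list extended TO-HUB
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
crypto map SPOKE-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set AES-SHA
 match address TO-HUB
interface FastEthernet0/0
 ip address dhcp
 crypto map SPOKE-MAP
```

`reverse-route` (reverse route injection) makes the hub install a static route for the spoke LAN it learns from the spoke's proxy identity, so the hub needs no per-spoke routing configuration either; adding a spoke changes nothing on the hub, which is the benefit the text describes. The cost is that every spoke in the mask range sharing one wildcard key is authenticated by the same secret, which is why the next lesson moves to certificates.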
IPsec alone cannot achieve this, because it does not support multicast. Because IPsec encryption works only on IP unicast frames, it is important to use GRE over IPsec tunnels in a VPN environment that must support the encryption of multicast and broadcast traffic.

The figure shows a headquarters network that provides a remote office with access to the corporate intranet. In this scenario, the headquarters and remote office are connected through a GRE over IPsec tunnel that is established over an IP infrastructure (the Internet). Employees in the remote office are able to access internal, private web pages and perform various IP-based network tasks.

Dynamic Multipoint VPNs
* Local LAN addresses can be private.
[Figure: spokes with static IPsec tunnels to a hub and dynamic spoke-to-spoke IPsec tunnels.]

Some companies might want to interconnect small sites while having the small sites simultaneously connect to a main site over the Internet. When small sites are interconnected, it is difficult to maintain the configurations for all of the connections. It is also difficult to create or change a large full-mesh network configuration. Because the spokes have direct access to each other over the Internet, it is beneficial for the spoke-to-spoke traffic to go directly between spokes rather than via a hub site. This traffic flow is useful when two spokes are in the same city and the hub is across the country.

With the DMVPN IPsec solution, the spoke sites are able to dynamically establish secure connectivity with each other. DMVPNs provide a combination of static and dynamic on-demand tunnels. The static VPN tunnels are connected to a hub site in a hub-and-spoke fashion.
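The GRE over IPsec design from the preceding section, written out for the headquarters router with its branch mirror, as an added example that is not configuration from the original course material. It uses an IPsec profile applied with tunnel protection rather than a crypto map, so no crypto ACL is needed: everything that leaves the GRE tunnel is encrypted, including the EIGRP multicast hellos that plain IPsec could not carry. Addresses (203.0.113.1 and 198.51.100.2 outside, 172.16.0.0/30 on the tunnel, 10.1.0.0/24 and 10.2.0.0/24 as LANs), interface names, and object names are constructed; PLACEHOLDER-PSK is not a real key.

```cisco
! --- Headquarters router (constructed addresses) ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.2
! Transport mode is enough: GRE already supplies the outer IP header, so the
! IPsec tunnel-mode header would only add 20 bytes per packet.
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport
! IPsec profile: attached to the tunnel interface instead of a crypto map
crypto ipsec profile GRE-PROT
 set transform-set AES-SHA
!
interface Tunnel0
 description GRE over IPsec to branch
 ip address 172.16.0.1 255.255.255.252
 ! Leave room for GRE + ESP overhead so tunnelled packets are not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT
!
! Routing protocol over the tunnel: its multicast updates are wrapped in
! unicast GRE and then encrypted, which is the point of the design.
router eigrp 100
 network 172.16.0.0 0.0.0.3
 network 10.1.0.0 0.0.0.255
 no auto-summary
!
! --- Branch router: the mirror configuration ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set AES-SHA
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
router eigrp 100
 network 172.16.0.0 0.0.0.3
 network 10.2.0.0 0.0.0.255
 no auto-summary
```

With this in place, `show ip eigrp neighbors` should list the far end of the tunnel as a neighbor and `show crypto ipsec sa` should show the GRE traffic (IP protocol 47 between the two outside addresses) as the protected flow; if the neighbor never forms but the IPsec SA is up, the usual cause is a GRE MTU problem rather than the crypto.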
The hub-and-spoke design is the most suitable configuration when the majority of the traffic is targeted to the hub and the core of the network. When some spoke sites require direct access to each other, an additional IPsec connection that forms a partial-mesh connection dynamically directs the IPsec path. DMVPNs use multipoint GRE (mGRE) and Next Hop Resolution Protocol (NHRP) to help create the on-demand tunnels between spokes. NHRP enables the spoke routers to dynamically learn the exterior physical interface address of the routers in the VPN network. Each spoke has a permanent IPsec tunnel only to the hub, not to the other spokes within the network. Each spoke registers as a client of the NHRP server, which is the hub router. When a spoke needs to send a packet to a destination subnet on another spoke, it queries the NHRP server for the real (outside) address of the destination (target) spoke. After the originating spoke learns the peer address of the target spoke, it can initiate a dynamic IPsec tunnel to the target spoke. The spoke-to-spoke tunnel is built over the mGRE interface. The spoke-to-spoke links are established on demand whenever there is traffic between the spokes. Thereafter, packets are able to bypass the hub and use the spoke-to-spoke tunnel.

The spoke-to-spoke tunnel configuration is important; without it, the spoke-to-spoke data traffic is sent via the hub, causing it to be encrypted and decrypted twice, increasing the delay of the spoke-to-spoke traffic, and increasing the load on the hub router. To use this feature, a spoke router must learn the networks that are behind the other spoke routers and map them to the IP next hop of the tunnel IP address of the other spoke router. The IP routing protocols that run over the IPsec-mGRE tunnel between the spoke and the hub provide this information.
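The DMVPN mechanics just described (mGRE, NHRP registration at the hub, on-demand spoke-to-spoke tunnels protected by IPsec) as a hub and one spoke configuration, added here as an example that is not configuration from the original course material. The hub outside address 203.0.113.1, the 172.16.0.0/24 tunnel subnet, the LAN prefixes, interface names, NHRP network ID, and all object names are constructed; PLACEHOLDER-PSK and PLACEHOLDER-NHRP are not real secrets.

```cisco
! --- Hub (NHRP server; static public address 203.0.113.1, constructed) ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Wildcard PSK because spoke addresses are dynamic
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROT
 set transform-set AES-SHA
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication PLACEHOLDER-NHRP
 ! Accept NHRP registrations from any spoke and replicate multicast to all of them
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ! Let the hub re-advertise spoke prefixes to other spokes, keeping the
 ! originating spoke as next hop, so spokes resolve each other via NHRP
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROT
!
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.1.0.0 0.0.0.255
 no auto-summary
!
! --- Spoke (dynamic outside address; only the hub is configured statically) ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Also wildcard on the spoke: it will later peer with other spokes it does not know
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROT
 set transform-set AES-SHA
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication PLACEHOLDER-NHRP
 ! Static mapping to the hub: tunnel address -> real outside address
 ip nhrp map 172.16.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ! Register with the hub as NHRP next-hop server
 ip nhrp nhs 172.16.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROT
!
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.2.0.0 0.0.0.255
 no auto-summary
```

The hub configuration has no per-spoke lines at all, which is the constant-size property the benefits list below claims. When a second spoke sends traffic to 10.2.0.0/24, its EIGRP next hop is 172.16.0.2, it resolves that address through the hub with an NHRP resolution request, and the resulting spoke-to-spoke tunnel appears in `show ip nhrp` as a dynamic entry and in `show crypto isakmp sa` as a new peer; the first few packets transit the hub until that tunnel is up, as the restrictions list notes.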
The following are some of the common characteristics of DMVPNs:
■ DMVPNs support dynamic IP addresses on the spokes.
■ Local LANs can have private addresses.

The following are some of the benefits of a DMVPN topology:
■ Is useful when configuration of spoke-to-spoke traffic is relatively complex to configure and maintain
■ Reduces the hub router configuration size and complexity (The hub router no longer needs to maintain a separate static crypto map for each of the spoke sites or to maintain a list of IP addresses of the spoke sites, simplifying the add, delete, and change of spoke sites.)
■ Conserves router resources by establishing links on demand and tearing them down after a preconfigured duration of inactivity
■ Supports split tunneling at the spokes
■ Creates a constant configuration size on the hub router, regardless of how many spoke routers are added to the VPN network

The following are some restrictions of a DMVPN topology:
■ The majority of the traffic should pass through dedicated hub sites to minimize topology changes.
■ The initial packets pass through the hub, until the spoke-to-spoke tunnel is established.
■ When using a hub-and-spoke topology with dynamic crypto maps, the spoke routers must initiate the IPsec encryption tunnel.

Group Encrypted Transport VPNs
[Figure: GET VPN group member routers.]

Introduced in Cisco IOS Software Release 12.4(11)T, Group Encrypted Transport (GET) provides connectionless, tunnel-free encryption that leverages the existing routing infrastructure. GET VPN offers simplified encryption for both subscribers and providers. Although the versatility of GET qualifies it for various Multiprotocol Label Switching (MPLS), IP, Frame Relay, and ATM networks, it is an ideal encryption solution for MPLS VPNs that require site-to-site encryption. Customer edges (CEs) of a specific VPN group maintain one IPsec SA per flow to encrypt and decrypt traffic.
Thus, the encryption burden is removed from the provider edges (PEs). The current routing protocols that run in the network set up the connectivity between CEs, eliminating the need for a new routing plane. Encryption can be controlled by CEs without setting up tunnels.

GET VPN offers a new standards-based IPsec security model that is based on the concept of "trusted" group members. A key server distributes keys and policies to all of the registered and authenticated group member routers. For VPN sites that connect over the Internet, DMVPN or point-to-point IPsec is recommended because it supports private IP addressing information.

The following are benefits of GET VPN:
■ Provides economical and scalable encryption
■ Reduces provisioning on routers because manual intervention is eliminated
■ Offers centrally controlled group authentications and policies
■ Provides flexibility in controlling policies from any point in a network
■ Facilitates applications that require full-mesh connectivity

Site-to-Site VPN Comparison
[Figure: table comparing the site-to-site VPN technologies.]

The figure compares and contrasts the different site-to-site VPN technologies that are currently available in Cisco IOS routers.

Cisco Easy VPN and Cisco IOS SSL VPNs
This topic describes Cisco Easy VPN and Cisco IOS SSL VPNs.

Cisco Easy VPN
[Figure: remote sites and clients connecting to a Cisco Easy VPN Server across the Internet.]

When you are deploying VPNs for teleworkers and small branch offices, ease of deployment is increasingly important. Cisco Easy VPN makes it easier than ever to deploy VPNs as part of small and medium-sized businesses (SMBs) or large enterprise networks with Cisco products.
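The GET VPN model described above (a key server distributing a group key and policy, group members encrypting in place with no tunnels), as a minimal key server and group member configuration, added here as an example that is not configuration from the original course material. The key server address 10.0.0.1, the group identity 1234, the 10.0.0.0/8 private address space, the RSA key label, interface names, and object names are constructed; PLACEHOLDER-PSK is not a real key.

```cisco
! --- Key server (constructed address 10.0.0.1) ---
! IKE is only used for group members to register with the key server
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
crypto ipsec profile GETVPN-PROF
 set transform-set GETVPN-TS
! RSA key pair used to sign rekey messages so members can authenticate them
crypto key generate rsa general-keys label GETVPN-KEY modulus 2048 exportable
! Policy ACL pushed to all members: encrypt site-to-site traffic inside 10/8,
! but exclude the control plane (routing protocol and GDOI registration).
ip access-list extended GETVPN-TRAFFIC
 deny eigrp any any
 deny udp any eq 848 any eq 848
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROF
   match address ipv4 GETVPN-TRAFFIC
   replay counter window-size 64
  address ipv4 10.0.0.1
!
! --- Group member (any CE; identical on every member) ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 10.0.0.1
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.1
! A GDOI crypto map has no peer, transform set, or ACL of its own:
! all of that arrives from the key server at registration time.
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
interface GigabitEthernet0/0
 description Toward the MPLS provider edge
 crypto map GETVPN-MAP
```

Because the original IP header is preserved (tunnel header preservation), packets stay routable by the provider network on their real source and destination addresses, which is why the text recommends GET VPN for MPLS VPNs and not for the Internet: the addresses inside 10/8 would not be routable there, and every member shares the same group key, so the model assumes a closed, trusted provider network.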
Cisco Easy VPN Remote and Cisco Easy VPN Server offer flexibility, scalability, and ease of use for site-to-site and remote-access VPNs.

A router that is enabled with Cisco Easy VPN Server can terminate VPN tunnels that are initiated by mobile and remote workers running Cisco VPN Client software on PCs, and it enables remote routers to act as Cisco Easy VPN Remote nodes. Cisco Easy VPN enables the VPN parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, Microsoft Windows Internet Name Service (WINS) server addresses, and split-tunneling flags, to be pushed from the Cisco Easy VPN Server to the remote device. This server can be a dedicated VPN device, such as a Cisco ASA adaptive security appliance, or a Cisco IOS router.

Note: You can use Cisco Easy VPN technology to accomplish site-to-site or remote-access IPsec VPNs.

IPsec VTI Overview
[Figure: static VTIs between sites.]
* Provides a routable interface type for terminating IPsec tunnels
* Supports QoS, multicast, and other routing functions that previously required GRE
* Simplifies VPN configuration by eliminating crypto maps, ACLs, and GRE
* Provides a more scalable alternative to GRE
* Offers both static and dynamic VTIs
* Allows VPN interoperability with other vendors
* Is supported in Cisco Easy VPN

IPsec VTI is another mechanism that is used to support VPNs. IPsec VTIs provide a routable interface type for terminating IPsec tunnels and an easy way to define protection between sites to form an overlay network. A VTI supports native IPsec tunneling and allows interface commands to be applied directly to the IPsec tunnels. The IPsec tunnel endpoint is associated with a virtual interface. Because there is a routable interface at the tunnel endpoint, you can apply many common interface capabilities to the IPsec tunnel. VTIs support interoperability with standards-based IPsec installations of other vendors.
The IPsec VTI supports quality of service (QoS), multicast, and other routing functions that previously required GRE. VTIs provide the flexibility of sending and receiving both IP unicast and multicast encrypted traffic on any physical interface. Traffic is encrypted or decrypted when it is forwarded from or to the tunnel interface and is managed by the IP routing table. You can use dynamic or static IP routing to route traffic to the virtual interface.

VTI simplifies VPN configuration and design. Customers can use the Cisco IOS virtual template to clone on demand new virtual access interfaces for IPsec. Using IP routing to forward the traffic to the tunnel interface simplifies the IPsec VPN configuration compared with the more complex process of using ACLs with crypto maps in native IPsec configurations. You do not need GRE or Layer 2 Tunneling Protocol (L2TP) tunnels for encapsulation.

Dynamic VTIs (DVTIs) function like any other real interface; therefore, QoS, firewall, and other security services can be applied as soon as the tunnel is active. In addition, existing management applications can now monitor separate interfaces for different sites. IPsec VTIs use single SAs per site that cover different types of traffic, which enables improved scaling compared with GRE. A major benefit of IPsec VTIs is that the configuration does not require a static mapping of IPsec sessions to a physical interface.

You can configure both static VTI (SVTI) and DVTI. SVTI configurations are good to use for site-to-site connectivity in which a tunnel provides always-on access between two sites. The advantage of using SVTIs instead of crypto map configurations is that users can enable dynamic routing protocols on the tunnel interface without the extra 4 bytes that GRE headers require, thus reducing the bandwidth that is required to send encrypted data.
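A static VTI for the always-on site-to-site case just described, added as an example that is not configuration from the original course material. Compared with the crypto map approach there is no crypto ACL: whatever the routing table sends into Tunnel1 is encrypted, and because the tunnel mode is native IPsec there is no 4-byte GRE header. Addresses (203.0.113.1 local, 198.51.100.2 peer, 172.16.1.0/30 on the tunnel, 10.2.0.0/24 as the remote LAN), interface names, and object names are constructed; PLACEHOLDER-PSK is not a real key.

```cisco
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.2
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec profile VTI-PROT
 set transform-set AES-SHA
!
interface Tunnel1
 description Static VTI to branch
 ip address 172.16.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 ! Native IPsec encapsulation (no GRE); the tunnel is a routable interface
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROT
 ! Interface features apply directly to the encrypted link, e.g. a QoS policy:
 ! service-policy output VPN-QOS    (policy map assumed, not shown)
!
! Traffic selection is done by routing, not by a crypto ACL. A static route
! is shown; a dynamic routing protocol over Tunnel1 works the same way.
ip route 10.2.0.0 255.255.255.0 Tunnel1
!
! The physical interface carries no crypto map; it just forwards the ESP packets
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
```

The peer mirrors this with its own Tunnel1 (172.16.1.2), tunnel destination 203.0.113.1, and a route for 10.1.0.0/24 via the tunnel. `show interfaces Tunnel1` reports the tunnel as up/up only once the IPsec SA has been established, which is what makes the interface usable by routing protocols and monitoring tools; `show crypto ipsec sa` shows the single SA pair protecting all traffic to that site, as the scaling note above describes.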
DVTIs can provide highly secure and scalable connectivity for remote-access VPNs. The DVTI technology replaces dynamic crypto maps and the dynamic hub-and-spoke method for establishing tunnels. You can use DVTIs for both the server and remote configuration.

Note: You can use Cisco Router and Security Device Manager (SDM) to configure Cisco Easy VPN Server and Cisco Easy VPN Remote with IPsec DVTI.

Both Cisco Easy VPN Server and Cisco Easy VPN Remote support DVTI. The tunnels provide an on-demand separate virtual access interface for each Cisco Easy VPN connection. The Cisco Easy VPN with DVTI configuration provides a routable interface to selectively send traffic to different destinations, such as a Cisco Easy VPN concentrator, a different site-to-site peer, or the Internet. The IPsec DVTI configuration does not require a static mapping of IPsec sessions to a physical interface. This ability allows for the flexibility of sending and receiving encrypted traffic on any physical interface, such as in the case of multiple paths. Traffic is encrypted when it is forwarded from or to the tunnel interface.

Cisco IOS SSL VPN
* Integrated security and routing
* Clientless and full network SSL VPN access
[Figure: remote users reaching workplace resources through a Cisco IOS SSL VPN gateway.]

Cisco IOS SSL VPN (also known as WebVPN) is an emerging technology that provides remote-access connectivity from almost any Internet-enabled location using a web browser and its native SSL encryption. This feature enables companies to extend access to their secure enterprise network to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location. A Cisco IOS SSL VPN can also support access from machines that are not corporate owned, including home computers, Internet kiosks, and wireless hot spots.
These locations are difficult places to deploy and manage the IPsec VPN client software and remote configurations that are required to support IPsec VPN connections.

A Cisco IOS SSL VPN delivers three modes of SSL VPN access:
■ Clientless: Clientless mode provides secure access to private web resources and provides access to web content. This mode is useful for accessing most content that you would expect to access in a web browser, such as Internet access, databases, and online tools that use a web interface.
■ Thin client (port-forwarding Java applet): Thin-client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet, and Secure Shell (SSH).
■ Full-tunnel client: Full-tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (a next-generation SSL VPN client) for SSL VPN. Full-tunnel client mode delivers a lightweight, centrally configured, and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application.

VPN Design Guide
This topic describes the VPN design guide that is available in Cisco SDM.

VPN Design Guide
[Figure: Cisco SDM screens with callouts: choose who you are relative to setting up the VPN; click Launch Design Guide; read the Welcome screen and click Next.]

If you are an administrator setting up a VPN network, the Cisco SDM VPN design guide helps you determine which kind of VPN to configure. To access the VPN design guide, choose Configure > VPN > VPN. From the Virtual Private Network pane that appears, click Launch Design Guide.

[Figure: VPN design guide question: "Will protocols such as IPX or AppleTalk flow through the VPN tunnel?"]
[Figure: VPN design guide choices, including "I am setting up a VPN to connect the corporate office to a branch office" and "Are you using non-Cisco equipment at the end of the VPN?"]

The VPN design guide asks you to provide information about what type of user you are, the type of equipment that the router establishes VPN connections with, the type of traffic that the VPN will carry, and other features that you must configure.

[Figure: callouts: "Based on your requirements, a VPN design is recommended" and "Check any additional features you intend to use in the VPN."]

After you provide this information, the VPN design guide recommends a VPN type and allows you to launch a wizard that enables you to configure that type of VPN.

Global VPN Settings
This topic describes how to examine global VPN router settings in Cisco SDM.

[Figure: Cisco SDM VPN Components pane.]
* Two main components:
  - IPsec
  - IKE
* Two optional components:
  - Group policies for Easy VPN Server functionality
  - Public key infrastructure for IKE authentication using digital certificates

Choose Configure > VPN > VPN to access the following Cisco SDM VPN configuration wizards and configuration screens:
■ Site-to-Site VPN (IPsec and GRE over IPsec)
■ Cisco Easy VPN Remote
■ Cisco Easy VPN Server
■ DMVPN
■ SSL VPN

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
* IPsec is designed to provide interoperable, high-quality, and cryptographically-based security.
* For any-to-any connectivity, a full mesh of tunnels is required to provide a path between all of the sites.
* Easy VPN technology can be used to accomplish site-to-site or remote-access connections.
* If you are an administrator setting up a VPN network, the VPN design guide helps you determine which type of VPN to configure.
* Global VPN parameters are reached by choosing Configure > VPN > VPN Components.
Lesson 2
Implementing IPsec VPNs with PKI

Overview
You can configure IP Security (IPsec) virtual private networks (VPNs) for various types of authentication. One such method is using pre-shared keys (PSKs). With PSKs, each client shares a common key. This method is not very scalable, especially in an enterprise network. Another, more scalable method incorporates the public key infrastructure (PKI) for authentication purposes. This lesson discusses the process of configuring an IPsec site-to-site VPN using PKI.

Objectives
Upon completing this lesson, you will be able to describe and configure a Cisco IOS certificate authority (CA) and an IPsec site-to-site VPN using digital certificates. This ability includes being able to meet these objectives:
■ Describe Cisco IOS PKI support
■ Describe the use of CAs and RAs
■ Describe how SCEP manages the certificate lifecycle
■ Describe and configure the Cisco IOS CA Server
■ Configure CA interoperability on a Cisco router using Cisco SDM
■ Configure a PKI-based IPsec site-to-site VPN on a router using Cisco SDM
■ Troubleshoot CA interoperability using the CLI
■ Test and verify IPsec configurations using the CLI

Cisco IOS PKI Overview
This topic describes Cisco IOS PKI support.

Implementing PKI
[Figure: a new IPsec router requesting a certificate from the CA.]
To add a new IPsec router to the network, you must configure only the new router to request a certificate from the CA, instead of making multiple key configurations with all other existing IPsec routers.

Cisco IOS PKI provides certificate management to support security protocols such as IPsec, Secure Shell (SSH), and Secure Sockets Layer (SSL).
A PKI is composed of the following entities:
- Peers communicating on a secure network
- Digital signatures (Rivest, Shamir, and Adleman [RSA] keys)
- At least one CA that grants and maintains certificates
- Digital certificates, which contain information such as the certificate validity period, peer identity information, the public keys that are used for secure communications, the CA that granted the certificate, and the digital signature of the issuing CA
- An optional registration authority (RA) that processes enrollment requests to offload the CA
- A distribution mechanism (such as Lightweight Directory Access Protocol [LDAP] or HTTP) for certificate revocation lists (CRLs)

[Figure: PKI environment. Components: registration and certificate issuance, certification authority, key certification, certificate revocation, certificate distribution, key storage, trusted time service, support for nonrepudiation.]

A PKI provides a hierarchical framework for managing digital security attributes of entities that will engage in secured communications. In addition to human users, there are encryption gateways, secure web servers, and other resources that require close control of identity and encryption. PKI provides customers with a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network. Every entity (a person or device) participating in the secured communications is enrolled in the PKI in a process in which the entity generates an RSA key pair (one private key and one public key) and has its identity validated by a trusted entity (also known as a CA or trustpoint). After enrolling in a PKI, each peer (also known as an end host) is granted a digital certificate that has been issued by a CA. When peers must negotiate a secured communication session, they exchange digital certificates.
Based on the information in the certificate, a peer can validate the identity of another peer and establish an encrypted session with the public keys that are contained in the certificate.

Digital Signatures
[Figure: Alice signs a message with the private key belonging to Alice.]

Digital signatures, enabled by public key cryptography, provide a means of digitally authenticating devices and individual users. In public key cryptography, such as the RSA encryption system, each user has a key pair containing both a public and a private key. The keys act as complements, and anything encrypted with one of the keys can be decrypted with the other. In simple terms, a signature is formed when data is encrypted with the private key of a user.

[Figure: Bob decrypts the received signature. The message with the appended signature is verified with the public key of Alice.]

The receiver verifies the signature by decrypting the message with the public key of the sender. The fact that the message could be decrypted using the public key of the sender indicates that the holder of the private key, the sender, must have created the message. This process relies on the receiver having a copy of the public key of the sender and knowing with a high degree of certainty that it really does belong to the sender and not to someone pretending to be the sender. Internet Key Exchange (IKE), an essential component of IPsec, can use digital signatures to authenticate peer devices before setting up security associations (SAs).

Certificate Authorities
This topic describes the use of CAs and RAs.

[Figure: CA hierarchy. A given identity certificate is issued from a CA chain, in contrast to a single CA server.]

Digital certificates provide the link.
A digital certificate contains information to identify a user or device, such as the name, serial number, company, department, or IP address. It also contains a copy of the public key of the entity. The certificate is signed by a CA, which is a third party that is explicitly trusted by the receiver to validate identities and to create digital certificates. X.509 specifies the digital certificate format. To validate the signature of the CA, the receiver must first know the public key of the CA. Normally, this process is managed out-of-band or through an operation performed at installation. For instance, most web browsers are configured with the public keys of several CAs by default.

Without digital signatures, you must manually exchange either public keys or secrets between each pair of devices that use IPsec to protect communications between them. Without certificates, every new device added to the network requires a configuration change on every other device with which it communicates securely. With digital certificates, each device is enrolled with a CA. When two devices want to communicate, they exchange certificates and digitally sign data to authenticate each other. When a new device is added to the network, someone simply enrolls that device with a CA, and none of the other devices needs modification. When the new device attempts an IPsec connection, certificates are automatically exchanged, and the device can be authenticated. Based on the information in the certificate, a peer can validate the identity of another peer and establish an encrypted session with the public keys contained in the certificate. It is safe to transport the digital certificates because the private key is not included with the certificate.
It is not possible to impersonate a device or person without the private key.

RSA key pairs are used to sign and encrypt IKE key management messages and are required before you can obtain a certificate for your router from the CA. Using a CA simplifies the administration of IPsec network devices. You can use a CA with a network containing multiple IPsec-compliant devices such as routers. A CA, also known as a trustpoint, manages certificate requests and issues certificates to participating network devices. These services (managing certificate requests and issuing certificates) provide centralized key management for the participating devices and are explicitly trusted by the receiver to validate identities and to create digital certificates. Before any PKI operations can begin, the CA generates its own public key pair and creates a self-signed CA certificate; thereafter, the CA can sign certificate requests and begin peer enrollment for the PKI. You can use a CA provided by a third-party CA vendor, or you can use an internal CA, which is the Cisco IOS certificate server. Because PKIs are hierarchical in nature, the issuing CA can be a root CA (the top-level CA in the hierarchy) or a subordinate CA. The root CA uses a self-signed certificate, and the subordinate CA certificate is signed by the CA above it. The PKI might employ additional hosts, known as RAs, to accept requests for enrollment in the PKI. RAs are employed to reduce the burden on CAs in an environment that supports a large number of certificate transactions. The CA is the central point of trust within the PKI. The end hosts in the organization trust the CA as the decisive source of information for the authenticity of other end hosts. When the CA issues a certificate, its digital signature on the certificate is a definitive mark that the end host that holds the certificate is part of the PKI.
When an end host tries to authenticate another end host that is enrolled in a different CA, the end hosts determine whether the CA with which the respective hosts are enrolled signs the certificates from its peers. If not, the end hosts climb up the hierarchy of CAs until they locate a CA that is common to both branches of the PKI.

In a more complex environment, the RA might be tasked with verifying user identity, establishing passwords for certificate management transactions, submitting enrollment requests (along with appropriate organizational attributes or other information) to the CA, and managing assorted tasks (for example, certificate revocation and re-enrollment). The RA has the power only to accept registration requests and forward them to the CA. The RA is not allowed to issue certificates or publish CRLs. The CA is responsible for these functions.

An accurate time source must be available to enroll a cryptographic device in a PKI and to check certificate validity from negotiating peers. When crypto peers present their certificates to each other, the validity date is among the first things that are checked within the certificate. Cisco IOS Software compares the beginning and end of the certificate validity period (embedded in the certificate) to the time and date in the clock of the router. If the current date of the router is within the validity period of the certificate, the router goes on to check the validity of other components of the certificate. The router must have access to the correct time, either through manual configuration of the system clock, accurate time sources such as Network Time Protocol (NTP), or clock adjustment via Simple Network Management Protocol (SNMP).
Certificate Enrollment
[Figure: Certificate enrollment. Step 1: the end host generates an RSA key pair. Step 2: the end host sends a certificate request to the CA. Steps 3 and 4: the CA signs the certificate with its private key and returns it. Step 5: the end host stores the certificate.]

Certificate enrollment is the process of obtaining a certificate from a CA. Each end host that wants to participate in the PKI must obtain a certificate. Certificate enrollment occurs between the end host requesting the certificate and the CA. The following steps describe the certificate enrollment process:
1. The end host generates an RSA key pair.
2. The end host generates a certificate request and forwards it to the CA (or the RA, if applicable).
3. The CA receives the certificate enrollment request and, depending on your network configuration, one of the following options occurs:
   - Manual intervention is required to approve the request.
   - The end host is configured to automatically request a certificate from the CA. Thus, operator intervention is no longer required at the time that the enrollment request is sent to the CA server.
4. After the request is approved, the CA signs the certificate with its private key and returns the completed certificate to the end host.
5. The end host writes the certificate to a storage area such as NVRAM.

Cisco IOS Software supports the following methods to obtain a certificate from a CA:
- Simple Certificate Enrollment Protocol (SCEP): SCEP is an enrollment protocol developed by Cisco that uses HTTP to communicate with the CA or the RA. SCEP is an Internet Engineering Task Force (IETF) draft sponsored by Cisco and is the most commonly used method for sending and receiving requests and certificates. You can find more information on the SCEP standard at http://tools.ietf.org/html/draft-nourse-scep-17.
Note: To take advantage of automated certificate and key rollover functionality, Cisco IOS Release 12.4(2)T must be running and SCEP must be used as your client enrollment method.

- Manual (cut and paste): The router displays the certificate request on the console terminal, allowing the user to enter the issued certificate on the terminal. Users can manually cut and paste certificate requests and certificates when they do not have a network connection between the router and the CA.
- Enrollment profiles: The router sends HTTP-based enrollment requests directly to the CA server instead of the RA proxy. You can use enrollment profiles if a CA server does not support SCEP and if the user does not want to use an RA as a proxy.
- Public-Key Cryptography Standard (PKCS) #7: PKCS #7 is the Cryptographic Message Syntax Standard that defines the general syntax for data that can have cryptography applied to it, such as digital signatures and digital envelopes. It provides a means for bundling multiple certificates into a single packet. This standard is useful for transporting the entire certificate chain.
- PKCS #10: PKCS #10 is the Certification Request Syntax Standard that defines the syntax for requesting a digital certificate.
- PKCS #12: PKCS #12 is a file format that is commonly used to store private keys with the accompanying public key digital certificates. It is protected with a password, making it safe to transport.
- Cisco IOS File System (IFS): The router uses any file system that is supported by Cisco IOS Software (such as TFTP, FTP, flash memory, and NVRAM) to send a certificate request and to receive the issued certificate. Users can enable Cisco IFS certificate enrollment when their CA does not support SCEP.
- Self-signed certificate enrollment for a trustpoint: The HTTPS server generates a self-signed certificate that is to be used during the SSL handshake, establishing a secure connection between the HTTPS server and the client.
The self-signed certificate is then saved in the router startup configuration (NVRAM). The saved, self-signed certificate can then be used for future SSL handshakes, eliminating the user intervention that was necessary to accept the certificate every time the router reloaded.

Examining SCEP
This topic describes how SCEP manages the certificate lifecycle.

[Figure: Simple Certificate Enrollment Protocol exchange between the end host and the CA server over HTTP; the received CA certificate is checked against the CA fingerprint.]

Cisco IOS Software uses SCEP to communicate with a PKI. Cisco developed SCEP to extend the capability of the certificate enrollment protocol that was developed by VeriSign for Cisco. SCEP has achieved broad acceptance with the majority of CA software manufacturers, and Cisco competitors frequently implement protocols for certificate enrollment on their own VPN products. SCEP offers a mechanism to support the secure transportation of key information and certificates between the different components of a PKI. SCEP has the following features:
- Is a transaction-oriented request and response protocol
- Uses PKCS #7 (Cryptographic Message Syntax Standard) and PKCS #10 (Certification Request Syntax Standard) to make requests from the CA server
- Is independent of the transport mechanism
- Requires manual authentication during enrollment

The following are operations that SCEP supports:
- CA and RA public key distribution
- Certificate enrollment
- Certificate revocation
- Certificate query
- CRL query

SCEP employs the HTTP transport.
Therefore, there is no requirement to implement support for new protocols on existing networks in the event that firewalls must be configured to permit access to services on protected networks. The end hosts employ a standard format for transportation of certificates and key information when they communicate internally and with the CA and the RA. The 15 different PKCSs define these formats. RSA Security, a leading authority in development and maintenance of public key cryptography technology, publishes the PKCS documentation. The two standards that are applied with SCEP are PKCS #7 and PKCS #10.

As shown in the figure, CA and RA public key distribution is performed as plaintext HTTP transfers. After the end host receives the CA certificate, it has to authenticate the CA certificate by comparing the fingerprint (digital signature) against the fingerprint known at the CA or the RA. This comparison is generally performed out of band, via e-mail or phone conversation, between the remote user enrolling the end host and the operator at the CA or the RA console.

SCEP Enrollment
[Figure: SCEP enrollment. The end host generates an RSA key pair and sends a certificate request to the CA server over the Internet; the CA server returns the identity certificate.]

The end host can be enrolled via SCEP after retrieving the public key (of the CA or the RA) from the CA or the RA. The enrollment request consists of a PKCS #10-formatted certificate request that is transmitted to the CA or the RA in a PKCS #7 package. The certificate request also includes a challenge password and a request to include additional information in the certificate that the CA returns. The end host operator or administrator should know the challenge password, which is provided as an out-of-band authentication method for certificate issuance and verification activities. The challenge password is made available to the CA or the RA operator after the CA or the RA receives the certificate request.
The end host signs the certificate request with the CA or the RA public key. The CA or the RA decrypts the certificate request with its private key and takes one of two actions:
- Automatically signs the certificate with its private key and returns the certificate to the end host
- Waits until the CA or the RA operator verifies the certificate request with the end host operator and approves the request, after which the CA or the RA signs the certificate and returns the certificate to the end host

SCEP supports certificate revocation by an out-of-band dialog between the end host operator and the CA or the RA operator. In the event that the keys of the end host are compromised, or if circumstances render the certificate invalid, the end host operator contacts the CA or the RA operator and presents the challenge password. The challenge password is known at the end host and at the CA or the RA, because it was sent with the enrollment request. After the challenge password is verified, the CA or the RA operator follows the procedure for the given CA to revoke the certificate of the end host, and the revoked certificate is published to the CRL.

Cisco IOS CA Server
This topic describes the Cisco IOS Certificate Authority (CA) Server and how to configure it.

[Figure: Cisco IOS CA Server]
- Was first introduced in Cisco IOS Release 12.3(4)
- Is supported on all security images of Cisco 800 Series Routers through Cisco 7400 Series Routers
- Has several factors that affect its performance:
  - Key length: Longer key lengths are computationally more intensive.
  - Certificate lifetime: Shorter lifetimes put a greater burden on the router chosen to be the Cisco IOS CA Server.
  - Number of simultaneous enrollments: Networks with a large number of certificate enrollments and re-enrollments may experience long wait times.
  - CRL location: If the CRL is stored in flash, there can be performance issues.
It is better to store the CRL on a server.

Cisco first introduced the Cisco IOS CA Server function in Cisco IOS Release 12.3(4) and currently supports this feature on all hardware that runs security images, which includes the Cisco 800 Series Routers through the Cisco 7400 Series Routers. Cisco IOS CA Server performance is not a significant performance factor for IPsec network availability; however, deploying the right router for CA server applications can optimize performance and reliability for digital certificate operations, such as certificate enrollment and CRL publishing and checking. Deploying the best router as the Cisco IOS CA Server can minimize the cost and maximize network performance and availability. Several key issues can influence the selection of an appropriate router for PKI CA Server support:
- Key length: Larger RSA cryptographic keys are more computationally intensive and will drive CPU utilization to a greater level for a longer period. A long enrollment queue can develop when a large key pair is used and the device receives a large number of certificate enrollment or re-enrollment requests in a short period of time. As a result, certain devices might encounter a longer wait than usual to receive their certificate.
- Duration of certificate validity: Short certificate-validity periods (several days to a few weeks), particularly in large networks that have many devices enrolled with the CA, cause higher loads on the Cisco IOS CA Server. Short certificate validity periods cause heavy loads because the devices must enroll more frequently in a given time period, causing greater enrollment activity on the Cisco IOS CA Server. This extra load is particularly relevant in networks in which Cisco IOS CA Server functionality is combined with the IPsec headend in the same device.
- Number of simultaneous enrollments: Large network deployments or frequent certificate re-enrollments can lead to circumstances in which a large number of devices enroll simultaneously. Low-performance routers, including the Cisco 800 Series Routers, the Cisco 1700 Series Modular Access Routers, and the Cisco 2600 Series Multiservice Platforms, might experience long wait times for device enrollment and re-enrollment as the enrollment queue lengthens on the Cisco IOS CA Server.
- CRL location: Routers that support Cisco IOS Software offer excellent packet-forwarding and service performance, but the flash file system of routers does not offer high performance. If the Cisco IOS CA Server stores the database in the local flash memory, the CA performance will be reduced to a degree, because the individual database files must be written to the file system before the next certificate enrollment in the queue can be serviced.

Configuring Cisco IOS CA Server
[Figure: Configuring Cisco IOS CA Server]
rbb(config)# ip http server
  Enables the web server in preparation for SCEP
rbb(config)# crypto pki server name
  Creates a Cisco IOS CA Server
rbb(cs-server)# database archive pem password password
  Archives the certificate in the PEM format
rbb(cs-server)# database archive pkcs12 password password
  Archives the certificate in the PKCS #12 format

Before you configure a Cisco IOS CA Server, you must plan for and choose appropriate values for the settings you intend to use within your PKI (such as certificate lifetimes and CRL lifetimes). After you have configured the settings in the certificate server and certificates are granted, you cannot change settings without having to reconfigure the certificate server and re-enroll the peers. The certificate server supports SCEP over HTTP. The HTTP server must be enabled on the router for the certificate server to use SCEP. (To enable the HTTP server, use the ip http server command.)
The certificate server automatically enables or disables SCEP services after the HTTP server is enabled or disabled. If the HTTP server is not enabled, only manual PKCS #10 enrollment is supported.

Note: Time services are critical when using public key certificates. It is recommended that you use NTP as a reliable source for time.

When you initially set up the certificate server, you can enable the CA certificate and the CA key to be automatically archived so that you can restore them later if either the original copy or the original configuration is lost. When the certificate server is turned on the first time, the CA certificate and CA key are generated. If automatic archive is also enabled, the CA certificate and the CA key are exported (archived) to the server database. The archive can be in PKCS #12 or privacy-enhanced mail (PEM) format. PEM-encoded certificates begin with the line "-----BEGIN CERTIFICATE-----" and end with the line "-----END CERTIFICATE-----". PEM format allows you to cut and paste the certificates using the command-line interface (CLI).

Note: This CA key backup file is extremely important and should be moved immediately to another secure place. In addition to the CA certificate and the CA key archive file, you should also regularly back up the serial file (.ser) and the CRL file (.crl). The serial file and the CRL file are both critical for CA operation if you must restore your certificate server.

Follow these steps to begin configuring the Cisco IOS CA Server:
Step 1: Enable the HTTP server:
rbb(config)#ip http server
Step 2: Use the command crypto pki server name to define a label for the certificate server and enter certificate server configuration mode.
rbb(config)#crypto pki server CA
Step 3: Optionally, you can use the command database archive {pkcs12 | pem} [password [encr-type] password] to set the CA key and CA certificate archive format (pkcs12 or pem) and the password to encrypt the file. The default value is pkcs12, so if this subcommand is not configured, autoarchiving is still performed and the PKCS #12 format is used.
rbb(cs-server)#database archive pem password cisco123
rbb(cs-server)#database archive pkcs12 password cisco123

Configuring Cisco IOS CA Server (Cont.)
[Figure: Configuring Cisco IOS CA Server (Cont.)]
rbb(cs-server)# lifetime certificate days
  Configures the lifetime of certificates issued by the certificate server
rbb(cs-server)# lifetime ca-certificate days
  Configures the lifetime of the signing certificate of the certificate server
rbb(cs-server)# lifetime crl hours
  Configures the lifetime of the CRLs published by the certificate server
rbb(cs-server)# no shutdown
  Enables the Cisco IOS CA Server

The default lifetimes that are used when you configure the Cisco IOS CA Server might not be appropriate for all networks. Use the commands in the "lifetime Commands" table to adjust the lifetimes for your network.

lifetime Commands
- lifetime certificate days: (Optional) Specifies the lifetime, in days, of a certificate. Valid values range from 1 to 1825 days. The default certificate lifetime is 1 year. The maximum certificate lifetime is 1 month less than the lifetime of the CA certificate.
- lifetime ca-certificate days: (Optional) Specifies the lifetime, in days, of a signing certificate. Valid values range from 1 to 1825 days. The default CA certificate lifetime is 3 years.
- lifetime crl hours: (Optional) Defines the lifetime, in hours, of the CRL that is used by the certificate server. The maximum lifetime value is 336 hours (2 weeks), and the default value is 168 hours (1 week).

After you have adjusted the certificate lifetimes, you must enable the Cisco IOS CA Server. To enable the Cisco IOS CA Server, use the command no shutdown in certificate server configuration mode. You should issue this command only after you have completely configured your certificate server.

The following configuration is an example of configuring the Cisco IOS CA Server lifetimes and then enabling the Cisco IOS CA Server:
rbb(cs-server)#lifetime certificate 1095
rbb(cs-server)#lifetime ca-certificate 1625
rbb(cs-server)#lifetime crl 24
rbb(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Generating 1024 bit RSA keys, keys will be non-exportable...
Feb 21 17:39:36.916: crypto_engine: generate public/private keypair
[OK]
Feb 21 17:39:48.808: crypto_engine: generate public/private keypair
Feb 21 17:39:48.812: %SSH-5-ENABLED: SSH 1.99 has been enabled
Feb 21 17:39:48.812: crypto_engine: public key sign
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
rbb(cs-server)#
Feb 21 17:39:54.064: crypto_engine: public key verify

Verifying Cisco IOS CA Server
[Figure: Verifying Cisco IOS CA Server. rbb#show crypto pki server displays information about the certificate server.]

You can use the command show crypto pki server to verify the Cisco IOS CA Server status. The following is example output from this command.
This output shows that the certificate server status is enabled and shows the CA certificate fingerprint.
rbb#show crypto pki server
Certificate Server CA: enabled
    current state: enabled
    Issuer name: CN=CA
    CA cert fingerprint: F04C2B75 #0243FBC 19806219 B1D77412
    Granting mode is: manual
    Last certificate issued serial number: 0x2
    CA certificate expiration timer: 21:02:55 GMT Sep 2 2008
    CRL NextUpdate timer: 21:02:58 GMT Sep 9 2008
    Current storage dir: nvram:
    Database Level: Minimum - no cert data written to storage

Configuring CA support
This topic describes how to configure CA interoperability on a Cisco router using Cisco Router and Security Device Manager (SDM).

Enabling NTP with Cisco SDM
Digital certificate technologies require accurate timestamps in order to work. Configuring NTP is one of the recommendations that the Certificate wizard offers you (if it is not already configured). NTP allows routers on your network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings. If the Certificate Wizard window suggests that you configure NTP, click the Configure NTP/SNTP link. Another way to reach the NTP configuration window is to choose Configure > Additional Tasks > Router Properties > NTP/SNTP from the Cisco SDM home page. The NTP pane appears and allows you to view the NTP server information that has been configured, add new information, and edit or delete existing information.

Note: If your router does not support NTP commands, this section does not appear in the Router Properties tree.

To configure the router to use an NTP server, click the Add button. The Add NTP Server Details window appears. In this window, choose NTP Server IP Address from the list box and enter the IP address of the NTP server your router is using.
From the NTP Source Interface drop-down list, choose the router interface that provides access to the NTP server. You can use the show ip routes CLI command to determine which interface has a route to this NTP server.

Note: An extended access rule is created for port 123 traffic and is applied to the interface that you choose in this window. If an access rule is already in place for this interface, Cisco SDM adds statements to permit port 123 traffic on this interface. If the existing rule is a standard access rule, Cisco SDM changes it to an extended rule to specify traffic type and destination.

Check the Authentication Key check box if the NTP server uses an authentication key, and enter the information required in the fields. The information in these fields must match the key information on the NTP server. Enter the number for the authentication key, and then enter the key used by the NTP server. The key value can use any of the letters A to Z, uppercase or lowercase, and is limited to 32 characters. In the example in the figure, the NTP server is defined at 10.1.1.1 and interface FastEthernet 0/0 is defined as the NTP source interface.

Note: The valid key number range is 0 to 4,294,967,295.

Configuring a Domain Name
Public key encryption technologies require FQDNs in order to work. Another common suggestion you will receive from the Certificate Wizards window is to configure a domain name and hostname for your router. If this suggestion is made, click the Configure Domain Name link to go to the Device Properties window where you can configure these settings. Another way to reach this window is to choose Configure > Additional Tasks > Router Properties from the Cisco SDM home page. The Device Properties pane appears. To modify the settings of a device, choose the device and click Edit. The Device Properties window appears.
The Device tab in this window enables you to modify the following fields:
- Host: Enter the name that you want to give the router in this field.
- Domain: Enter the domain name for your organization.
- Enter the Text for Banner: Enter text for the router banner. The router text banner displays whenever anyone logs into the router. It is recommended that the text banner include a message that indicates that unauthorized access is prohibited.

Running the Certificate Enrollment Wizard
You can use Cisco SDM to configure CA interoperability on a Cisco router. Cisco SDM has several wizards that are available to help you configure the CA settings. To access these wizards, from the Cisco SDM home page choose Configure > VPN > VPN > VPN Components > Public Key Infrastructure > Certificate Enrollment. The Certificate Enrollment Wizards window displays and allows you to select the type of enrollment you are performing. The Certificate Wizards window also alerts you to configuration tasks that you must perform before beginning enrollment or to tasks that Cisco recommends you perform before enrolling. Completing these tasks before beginning the enrollment process helps eliminate problems that can occur. To see the required and recommended tasks, choose the enrollment method (Simple Certificate Enrollment Protocol (SCEP) or Cut and Paste/Import from PC). If Cisco SDM finds that there are configuration tasks that should be performed before you begin the enrollment process, it alerts you to them in the Prerequisite/Recommended Tasks box; a link is provided next to the alert text. If you click a link, you are redirected to the part of Cisco SDM that will enable you to complete the configuration. If Cisco SDM does not discover any missing configurations, this box does not appear.
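The NTP, hostname and domain-name prerequisites that the Certificate wizard checks for, written as the equivalent Cisco IOS CLI. This is an added example, not configuration from the guide; it assumes the NTP server 10.1.1.1 and source interface FastEthernet0/0 from the figure, key number 1, a placeholder key string, and the domain example.com.

```cisco
! Added example (not from the SNRS guide): CLI equivalent of the NTP and
! domain-name prerequisites that the SDM Certificate wizard checks for.
! Assumed values: NTP server 10.1.1.1 and source interface FastEthernet0/0
! (from the figure), key number 1, placeholder key text, domain example.com.
!
! FQDN: PKI needs both a hostname and a domain name on the router
hostname rbb
ip domain-name example.com
!
! Authenticated NTP. A router with the wrong clock rejects valid certificates
! (or accepts expired ones), so the time source itself has to be trusted.
ntp authentication-key 1 md5 NTP-KEY-PLACEHOLDER
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.1 key 1 source FastEthernet0/0
!
! If an access rule is already applied on FastEthernet0/0, SDM adds an entry
! for port 123 to it; the equivalent extended-ACL entry is:
ip access-list extended OUTSIDE-IN
 permit udp host 10.1.1.1 eq ntp any eq ntp
 remark existing entries for this interface follow
!
! Verification from exec mode before starting certificate enrollment:
!   show ntp status          (expect "Clock is synchronized")
!   show ntp associations    (expect "*" in front of 10.1.1.1)
!   show clock detail        (time source should be NTP)
```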
Simple Certificate Enrollment Protocol (SCEP)

Click the Simple Certificate Enrollment Protocol (SCEP) button if you can establish a direct connection between your router and a CA server. You must have the enrollment URL of the server to do this. The wizard does the following:

• The wizard gathers information from you to configure a trustpoint and deliver it to the router.
• The wizard initiates an enrollment with the CA server that you specified in the trustpoint.
• If the CA server is available, the wizard displays the fingerprint of the CA server for your acceptance.
• Once you verify the CA server fingerprint, complete the enrollment.

Cut-and-Paste/Import from PC

Click the Cut-and-Paste/Import from PC button if your router cannot establish a direct connection to the CA server, or if you want to generate an enrollment request and send it to the CA at another time. After generation, you can submit the enrollment request to a CA at another time. Cut-and-paste enrollment requires you to invoke the Digital Certificates wizard to generate a request, and then to reinvoke it when you have obtained the certificates for the CA server and for the router.

Note: If you use cut-and-paste enrollment, Cisco SDM supports only base-64 encoding.

After you choose the enrollment type, click the Launch the Selected Task button to begin the wizard. If Cisco SDM has detected a required task that must be performed before enrollment, this button is disabled. After the task is completed, the button is enabled.

The Welcome to the SCEP Wizard window indicates that you are using the SCEP wizard. If you do not want to use the Simple Certificate Enrollment Protocol, click Cancel to leave this wizard.
The first window of the SCEP wizard asks you to provide information to identify the CA server and to specify a challenge password that is sent along with the request.

Note: The information that you enter in this screen is used to generate a trustpoint. The trustpoint is generated with a default revocation check method of CRL. If you are using the SCEP wizard to edit an existing trustpoint, and a revocation method other than CRL already exists under the trustpoint, such as Online Certificate Status Protocol (OCSP), Cisco SDM does not modify it. If you must change the revocation method, go to Configure > VPN > VPN Components > Public Key Infrastructure > Router Certificates, choose the trustpoint that you configured, and then click the Check Revocation button.

The CA server nickname is an identifier for the trustpoint that you are configuring. Enter a name that helps you identify one trustpoint from another. The trustpoint defines the CA that the router should use.

If you are completing an SCEP enrollment, enter the enrollment URL for the CA server in the Enrollment URL field, for example, http://CAuthority/enrollment. The URL must begin with the characters http://. Ensure that there is connectivity between the router and the CA server before beginning the enrollment process. The Enrollment URL field does not appear if you are completing a cut-and-paste enrollment.

A challenge password can be sent to the CA for you to use if you ever need to revoke the certificate. It is recommended that you configure this option, because some CA servers do not issue certificates if the challenge password is blank. If you want to use a challenge password, enter that password in the Challenge Password field, and then re-enter it in the Confirm Challenge Password field. The challenge password is sent along with the enrollment request.
For security purposes, the challenge password is encrypted in the router configuration file, so you should record the password and save it in a location you will remember. This password is also referred to as a challenge password.

When you are done configuring the CA details and the challenge password information, click Next.

The next window in the SCEP wizard asks you to specify additional information that you want to be included in the certificate. Any information that you specify is viewable by any party to whom the router sends the certificate. It is recommended that the fully qualified domain name (FQDN) of the router be included in the certificate. Check the FQDN check box if you want Cisco SDM to include the FQDN of the router in the certificate request.

Note: If the Cisco IOS image running on the router does not support this feature, the FQDN box is disabled.

Contacting the CA

You must include an RSA public key in the enrollment request. After the certificate has been granted, the public key is included in the certificate so that peers can use it to encrypt data sent to the router. The router keeps the private key and decrypts the data that is sent by peers. The private key is also used to digitally sign transactions when negotiating with peers.

From the RSA Keys window of the SCEP wizard, click the Generate New Key Pair(s) button if you want to generate a new key to use in the certificate. When you generate a key pair, you must specify the modulus to determine the size of the key. The larger the modulus, the more secure the key, but keys with a large modulus take longer to generate, and the encryption and decryption operations take longer with larger keys. Enter the key modulus value. If you want a modulus value between 512 and 1024, enter an integer value that is a multiple of 64.
If you want a value higher than 1024, you can enter 1536 or 2048. If you enter a value greater than 512, key generation can take a minute or longer. The new key appears in the RSA Keys window when the wizard is complete.

Click the Use Existing RSA Key Pair button if you want to use an existing key pair, and then choose the key from the drop-down list.

After you have either created a new key pair or selected an existing RSA key pair to use, click Next. The Summary window appears and summarizes the information that you provided. The information that you provided is used to configure a trustpoint on the router and begin the enrollment process. Enable Preview Commands Before Delivering to Router in the Preferences dialog to preview the commands that Cisco SDM will deliver to the router.

After the commands are delivered to the router, Cisco SDM attempts to contact the CA server. If the CA server is contacted, Cisco SDM displays a CA Server Certificate window that displays the CA server digital certificate fingerprint. The CA server fingerprint shown should match the CA server fingerprint shown in the show crypto pki server output on the CA server:

IOS-CA-Server#show crypto pki server
Certificate Server CA:
    Status: enabled
    Server's current state: enabled
    Issuer name: CN=CA
    CA cert fingerprint: F04C2B75 B0243FBC 19806219 B1D77412
    Granting mode is: manual
    Last certificate issued serial number: 0x2
    CA certificate expiration timer: 21:02:55 GMT Sep 2 2008
    CRL NextUpdate timer: 21:02:58 GMT Sep 9 2008
    Current storage dir: nvram:
    Database Level: Minimum - no cert data written to storage

Configuring a PKI-Based IPsec Site-to-Site VPN

This topic describes how to configure a PKI-based IPsec site-to-site VPN using Cisco SDM.
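Before moving on to the VPN wizard, here is an added example (not part of the course material) covering the two checks from the enrollment wizard just described: the RSA modulus rule (512 to 1024 in multiples of 64, or 1536 or 2048) and the comparison of the fingerprint that Cisco SDM displays against the CA cert fingerprint line of show crypto pki server. The sample output is the page's own; the function names and the finding messages are this example's.

```python
"""Offline checks for a Cisco SDM SCEP enrollment (added example, not
Cisco's code).  Paste the 'show crypto pki server' output captured on the
CA router and the fingerprint SDM shows, and the checks below tell you
whether to accept the CA."""
import hmac
import re

# Sample output copied from the course page above (used here as test input).
SHOW_CRYPTO_PKI_SERVER = """\
Certificate Server CA:
    Status: enabled
    Server's current state: enabled
    Issuer name: CN=CA
    CA cert fingerprint: F04C2B75 B0243FBC 19806219 B1D77412
    Granting mode is: manual
    Last certificate issued serial number: 0x2
    CA certificate expiration timer: 21:02:55 GMT Sep 2 2008
    CRL NextUpdate timer: 21:02:58 GMT Sep 9 2008
    Current storage dir: nvram:
    Database Level: Minimum - no cert data written to storage
"""


def modulus_is_valid(modulus: int) -> bool:
    """The SDM modulus rule stated in the text: 512..1024 must be a multiple
    of 64; above 1024 only 1536 and 2048 are accepted."""
    if 512 <= modulus <= 1024:
        return modulus % 64 == 0
    return modulus in (1536, 2048)


def parse_pki_server(output: str) -> dict:
    """Turn the 'key: value' lines of 'show crypto pki server' into a dict.

    Keys are lower-cased and a trailing ' is' (as in 'Granting mode is')
    is dropped; lines with an empty value (the section header) are skipped.
    """
    fields = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if not value.strip():
            continue
        key = re.sub(r"\s+is$", "", key.strip().lower())
        fields[key] = value.strip()
    return fields


def normalize_fingerprint(fp: str) -> str:
    """Drop spaces and colons and upper-case, so a hand-copied
    'f04c2b75:b0243fbc:...' compares equal to the CLI form."""
    return re.sub(r"[\s:]", "", fp).upper()


def fingerprint_matches(sdm_shown: str, ca_output: str) -> bool:
    """True when the fingerprint SDM displays equals the CA's own."""
    expected = normalize_fingerprint(
        parse_pki_server(ca_output).get("ca cert fingerprint", ""))
    shown = normalize_fingerprint(sdm_shown)
    if not expected or len(shown) != len(expected):
        return False
    # compare_digest is habit rather than necessity here: it never
    # short-circuits on the first differing character.
    return hmac.compare_digest(shown, expected)


def enrollment_checks(sdm_shown: str, ca_output: str, modulus: int) -> list:
    """Collect the findings a reviewer would raise before accepting the CA."""
    findings = []
    if not modulus_is_valid(modulus):
        findings.append(f"modulus {modulus} is not an accepted value")
    if not fingerprint_matches(sdm_shown, ca_output):
        findings.append("CA fingerprint shown by SDM does not match the CA")
    mode = parse_pki_server(ca_output).get("granting mode", "").lower()
    if mode != "manual":
        # Anything other than manual granting issues certificates without an
        # administrator approving each request; the course sample is manual.
        findings.append(f"CA granting mode is '{mode}', not manual")
    return findings


if __name__ == "__main__":
    shown = "F04C2B75 B0243FBC 19806219 B1D77412"   # as SDM would display it
    print(enrollment_checks(shown, SHOW_CRYPTO_PKI_SERVER, 1024))  # []
```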
You can have Cisco SDM use default settings for most of the site-to-site VPN configuration values, or you can use Cisco SDM VPN wizards to guide you through configuring a site-to-site VPN. To use the Site-to-Site VPN wizard, choose Configure > VPN > VPN > Site-to-Site VPN from the Cisco SDM home page. The Create Site to Site VPN tab appears. From this tab, click the Create a Site to Site VPN option, and then click Launch the Selected Task. The Site-to-Site VPN Wizard window appears. From this window, click the Step by Step Wizard option, and then click Next.

The VPN Connection Information window is the next window that appears in the Site-to-Site VPN Wizard. Use this window to select the interface on the router that connects to the remote site. The router you are configuring is represented as the Local router in the diagram. Next, identify the IP address or hostname of the remote site that will terminate the VPN tunnel. The remote IPsec peer might be another router, a VPN concentrator, or any other gateway device that supports IPsec. Choose the Peer(s) With Dynamic IP Addresses option if the peers to which the router connects use dynamically assigned IP addresses. Choose the Peer with Static IP Address option if the peer to which the router connects uses a fixed IP address, and then enter the IP address of the remote peer.

Click the Pre-shared Keys radio button if the VPN peers use a PSK to authenticate connections from each other. This key must be the same on each side of the VPN connection. Enter the PSK, and then re-enter it for confirmation. Exchange the PSK with the administrator of the remote site through some secure and convenient method, such as an encrypted e-mail message.

Note: Do not use question marks (?) or spaces in the PSK. The PSK can contain a maximum of 128 characters.
Click the Digital Certificate radio button if the VPN peers use digital certificates for authentication.

Note: The router must have a digital certificate issued by a CA to authenticate itself. If you have not configured a digital certificate for the router, go to VPN Components and use the Digital Certificate wizard to enroll for a digital certificate.

When you are done configuring the VPN connection information, click Next.

IKE Proposals

The next window that appears is the IKE Proposals window. This window lists all of the IKE policies that have been configured on the router. If no user-defined policies have been configured, the window lists the Cisco SDM default IKE policy. IKE policies govern the way that devices in a VPN authenticate themselves. The local router uses the IKE policies listed in this window to negotiate authentication with the remote router. The local router and the peer device must both use the same policy. The router that initiates the VPN connection offers the policy with the lowest priority number first. If the remote system rejects that policy, the local router offers the policy with the next lowest number, and continues in this fashion until the remote system accepts. You must coordinate closely with the administrator of the peer system so that you can configure identical policies on both routers.

For Cisco Easy VPN connections, you configure IKE policies only on the Cisco Easy VPN Server. The Cisco Easy VPN client sends proposals, and the server responds according to its configured IKE policies.

Cisco SDM supports a variety of encryption types, listed in order of security. The more secure an encryption type is, the more processing time it requires.

Note: Not all Cisco IOS images support all of the encryption types that Cisco SDM supports. Encryption types that the Cisco IOS image does not support do not appear in the screen.
If hardware encryption is turned on, only the encryption types that are supported by hardware encryption appear in the screen. Cisco SDM supports the following types of encryption:

• DES (Data Encryption Standard): This form of encryption supports 56-bit encryption.
• 3DES (Triple DES): This form of encryption is stronger than DES, supporting 168-bit encryption.
• Advanced Encryption Standard (AES)-128: This form of encryption uses a 128-bit key. AES provides greater security than DES and is computationally more efficient than 3DES.
• AES-192: This form of AES encryption uses a 192-bit key.
• AES-256: This form of AES encryption uses a 256-bit key.

Cisco SDM supports the following hash algorithms:

• SHA (Secure Hash Algorithm)-1: A hash algorithm that is used to authenticate packet data.
• MD5 (Message Digest 5): A hash algorithm that is used to authenticate packet data.

The Diffie-Hellman (DH) group is a public-key cryptography protocol that allows two routers to establish a shared secret over an insecure communications channel. Cisco SDM supports the following groups:

• DH Group 1 (DH1): DH1 is a 768-bit DH group.
• DH Group 2 (DH2): DH2 is a 1024-bit DH group. It provides more security than group 1, but requires more processing time.
• DH Group 5 (DH5): DH5 is a 1536-bit DH group. It provides more security than group 2, but requires more processing time.

The following authentication methods are supported:

• PRE_SHARE: This form of authentication uses PSKs.
• RSA_SIG: This form of authentication uses digital certificates.

Note: You must choose the authentication type that you specified when you identified the interfaces that the VPN connection is using.

To use an existing IKE policy and continue, choose it from the list and click Next.
To create a new IKE policy, click Add.

The Transform Set window lists the default transform sets of Cisco SDM and the additional transform sets that have been configured on this router. These transform sets are available for use by the VPN or Dynamic Multipoint Virtual Private Network (DMVPN). A transform set represents a certain combination of security protocols and algorithms. During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow. A transform describes a particular security protocol with its corresponding algorithms. You can select only one transform set in this window, but you can associate additional transform sets to the VPN or DMVPN connection using the VPN or DMVPN Edit tabs. To add a new transform set, click the Add button and fill in the fields in the Add Transform Set window. To use an existing transform set, choose it from the list and click Next.

Note: Not all routers support IP compression.

The last window to configure in the Site-to-Site VPN wizard is the Traffic to Protect window. This window lets you define the traffic that this VPN protects. The VPN can protect traffic between specified subnets or protect the traffic that is specified in an IPsec rule that you select (this is done using access control lists [ACLs]).

Note: Because they can specify traffic type and both source and destination, IPsec rules (ACLs) are extended rules (ACLs). If you enter the number or name of a standard rule (ACL), a warning message is displayed that indicates that you have entered the name or number of a standard rule (ACL). Any packets that do not match the criteria in the IPsec rule are sent with no encryption.
When you are done running the Site-to-Site VPN wizard, the Summary of the Configuration window shows you the VPN configuration that you created. You can review the configuration in this window and use the Back button to make any necessary changes. Check the Test VPN Connectivity After Configuring check box to test the VPN connection that you have just configured. The results of the test are shown in another window.

IPsec Configuration Example

[Figure: IPsec Configuration Example. Site 1 (network 10.0.1.0, host 10.0.1.11) behind router r1 (192.168.1.2) and Site 2 (network 10.0.2.0, host 10.0.2.11) behind the Site 2 router (192.168.2.2), connected across the Internet; the slide shows the router configuration for both sides.]

The example in the figure shows the possible CLI commands that would be created from your choices in the Cisco SDM VPN wizard. The sample configuration shows both sides of a site-to-site VPN using digital certificates (authentication rsa-sig) for authentication.

Testing and Verifying CA Support

This topic describes how to troubleshoot CA interoperability using the CLI.

Verify the CA Support Configuration

[Figure: Verify the CA Support Configuration. The same Site 1 / Site 2 topology with a CA server reachable across the Internet; command shown: r1#show crypto pki certificates.]

To display information about your certificate, the CA certificate, and any registration authority certificates, use the show crypto pki certificates [trustpoint-name [verbose]] command in privileged EXEC mode.

The following is sample output from the show crypto pki certificates command that shows the certificate of the router and the certificate of the CA. In the following example, a single, general-purpose RSA key pair was previously generated, and a certificate was requested but not received for that key pair, as indicated by the pending status.
Certificate
  Subject Name
    Name: r1.cisco.com
    IP Address: 192.168.1.2
  Serial Number: 04806682
  Status: Pending
  Key Usage: General Purpose
    Fingerprint: 428125BD 3419600 3F6C7831 6CDEFA55 00000000
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123Bi )BE31B8341DFEAB1A338E5F
  Key Usage: Not Set

To display the trustpoints that are configured in the router, use the show crypto pki trustpoints [status | label [status]] command in privileged or user EXEC mode.

The following is sample output from the show crypto pki trustpoints command showing a trustpoint named "bo":

r1#show crypto pki trustpoints
Trustpoint bo:
    Subject Name:
    CN = bomborra Certificate Manager
    O = Cisco.com
    C = US
          Serial Number:01
    Certificate configured.
    CEP URL:http://bomborra
    CRL query url:ldap://bomborra

To display the RSA public keys of your router, use the show crypto key mypubkey rsa command in privileged EXEC mode. The following is sample output from this command. Special-usage RSA keys were previously generated for this router using the crypto key generate rsa usage-keys command. The usage-keys option causes two RSA special-usage key pairs to be generated, one encryption pair and one signature pair.
% Key pair was generated at: 06:07:49 UTC Jan 13 2008
Key name: r1.cisco.com
 Usage: Signature Key
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23A 55DEAB22
  04AEF1BA A54028A6 9ACC01C5 12909924 64CAB620 847EDAD5 DF0BAE4C 73A05DD2
  BD52ABA5 FA503DD2 E2A5A6F5 98F76E28 D58AD221 858307A4 71020301 0001
% Key pair was generated at: 06:07:50 UTC Jan 13 2008
Key name: r1.cisco.com
 Usage: Encryption Key
 Key Data:
  00302017 4A7D385B 1234EF29 335FC973 20D50A37 CA5B0ED 9DADE748 42961805
  18242BA3 2EDFADD5 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9ABA26DE
  07953829 791FCDE5 A9E420F0 6A52045B 90286A26 DBC64468 7709F76E FE21

debug crypto pki Commands

[Figure: debug crypto pki Commands. The same Site 1 / Site 2 topology with the CA server; commands shown: r1#debug crypto pki messages and r1#debug crypto pki transactions.]

To display debugging messages for the details of the interaction (message dump) between the CA and the router, use the debug crypto pki messages command in privileged EXEC mode. This command displays messages about the actual data that is being sent and received during PKI transactions and is internal for use by Cisco support personnel. To disable debugging output from this command, use the no form of the command.

To display debugging messages for the trace of interaction (message type) between the CA and the router, use the debug crypto pki transactions command in privileged EXEC mode. This command displays debugging messages that pertain to PKI certificates. The messages show status information during certificate enrollment and verification. To disable debugging output for this command, use the no form of the command.
show crypto isakmp policy Command

[Figure: show crypto isakmp policy Command. Site 1 (10.0.1.0, r1 192.168.1.2) and Site 2 (10.0.2.0, 192.168.2.2) across the Internet; the slide shows an excerpt of the r1#show crypto isakmp policy output reproduced below.]

Use the show crypto isakmp policy command to display configured IKE policies and the default IKE policy settings. This command is useful because it reveals your Internet Security Association and Key Management Protocol (ISAKMP) configuration with one command.

r1#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

show crypto ipsec transform-set Command

[Figure: show crypto ipsec transform-set Command. Same Site 1 / Site 2 topology; show crypto ipsec transform-set displays the currently defined transform sets.]

You can use the show crypto ipsec transform-set command to show all of the configured transform sets. Because transform sets determine the level of protection that your data will have as it is tunneled, it is important to verify the strength of your IPsec protection policy.
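An added example (not part of the course material) that turns the verification advice above into a check: it parses the show crypto isakmp policy output shown above into one record per protection suite and flags the choices the text ranks lowest (DES, MD5, DH group 1), with advisory notes for 3DES and DH group 2 where the text names stronger options; a second function applies the same idea to a transform-set string of the form show crypto ipsec transform-set prints. The sample output is the page's own; the severity labels are this example's own convention.

```python
"""Audit of IOS IKE policy and transform-set output (added example, not
Cisco's code).  Paste 'show crypto isakmp policy' output in and get a
per-suite list of (severity, message) findings back."""
import re

# Sample output copied from the course page above (used here as test input).
SHOW_CRYPTO_ISAKMP_POLICY = """\
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""


def parse_isakmp_policies(output: str) -> list:
    """Return one dict per protection suite; 'priority' is the suite's
    number, or None for the default protection suite."""
    suites, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            current = {"priority": int(m.group(1))}
            suites.append(current)
        elif line == "Default protection suite":
            current = {"priority": None}
            suites.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip().lower()] = value.strip()
    return suites


def audit_suite(suite: dict) -> list:
    """Findings as (severity, message); an empty list means nothing to flag."""
    findings = []
    enc = suite.get("encryption algorithm", "").lower()
    hsh = suite.get("hash algorithm", "").lower()
    group = re.search(r"#(\d+)", suite.get("diffie-hellman group", ""))
    group = int(group.group(1)) if group else None

    if "triple" in enc or "3des" in enc:
        findings.append(("advisory", "3DES in use; AES is stronger and cheaper"))
    elif re.search(r"\bdes\b", enc):
        findings.append(("weak", "single DES (56-bit keys)"))
    if "md5" in hsh or "message digest" in hsh:
        findings.append(("weak", "MD5 hash"))
    if group == 1:
        findings.append(("weak", "DH group 1 (768-bit)"))
    elif group == 2:
        findings.append(("advisory", "DH group 2 (1024-bit); group 5 is stronger"))
    return findings


def audit_transform_set(transforms: str) -> list:
    """Same check for a transform string such as '{ esp-256-aes esp-sha-hmac }'
    as printed by 'show crypto ipsec transform-set'."""
    findings = []
    for token in transforms.strip("{} ").split():
        if token in ("esp-des", "esp-md5-hmac", "ah-md5-hmac"):
            findings.append(("weak", token))
        elif token == "esp-3des":
            findings.append(("advisory", token + "; prefer an AES transform"))
    return findings


def audit_policy_output(output: str) -> dict:
    """Map each suite (its priority number, or 'default') to its findings."""
    report = {}
    for suite in parse_isakmp_policies(output):
        label = "default" if suite["priority"] is None else suite["priority"]
        report[label] = audit_suite(suite)
    return report


if __name__ == "__main__":
    for label, findings in audit_policy_output(SHOW_CRYPTO_ISAKMP_POLICY).items():
        print(label, findings)
```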
r1#show crypto ipsec transform-set
Transform set ESP_AES-256_SHA-1: { esp-256-aes esp-sha-hmac }
   will negotiate = { Tunnel, },

show crypto map Command

[Figure: show crypto map Command. Same Site 1 / Site 2 topology; show crypto map [interface interface] displays the currently configured crypto maps.]

To see all of the configured crypto maps, use the show crypto map command. This command verifies configurations and shows the SA lifetime. The show running-config command also reveals many of these same settings.

r1#show crypto map
Crypto Map "SNRS-MAP" 1 ipsec-isakmp
        Peer = 192.168.2.2
        Extended IP access list 101
            access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
        Current peer: 192.168.2.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ESP_AES-256_SHA-1,
        }
        Interfaces using crypto map SNRS-MAP:
                Serial0/0/0

To view a crypto map that is bound to a particular interface, use the show crypto map interface command. The output is identical.

Testing and Verifying IPsec

This topic describes how to test and verify IPsec configurations using the CLI.

show crypto isakmp sa Command

[Figure: show crypto isakmp sa Command. Same Site 1 / Site 2 topology.]

To display current IKE SAs, use the show crypto isakmp sa [active | standby] command in privileged EXEC mode.
If you do not specify either the active or standby keyword, the current SAs for all of the configured routers are shown.

r1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.2.2     192.168.1.2     QM_IDLE           1001    0 ACTIVE

The state of QM_IDLE (Quick Mode Idle) indicates that the ISAKMP SA is idle. The ISAKMP SA remains authenticated with its peer and can be used for subsequent quick mode exchanges; this is also known as a quiescent state. When an ISAKMP SA exists, it will most likely be in its quiescent state (QM_IDLE).

Note: The source and destination references are dependent upon which router initiated the connection.

show crypto ipsec sa Command

[Figure: show crypto ipsec sa Command. Same Site 1 / Site 2 topology; command shown: r1#show crypto ipsec sa.]

To display the settings that the current SAs use, use the show crypto ipsec sa command in privileged EXEC mode. The full syntax for this command is as follows:

show crypto ipsec sa [map map-name | address | identity | interface interface | peer [vrf fvrf-name] address | vrf ivrf-name] [detail]

The following is sample output for the show crypto ipsec sa command:

r1#show crypto ipsec sa
interface: Serial0/0/0
    Crypto map tag: ra, local addr. 192.168.1.2

   protected vrf:
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.11/255.255.255.255/0/0)
   current_peer: 192.168.2.2:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 50110CF8

     inbound esp sas:
      spi: 0xA3E24AFD(2749516541)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5127, flow_id: , crypto map: ra
        sa timing: remaining key lifetime (k/sec): (4603517/3503)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x50110CF8(1343294712)
        transform: esp-aes-256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5128, flow_id: 8, crypto map: ra
        sa timing: remaining key lifetime (k/sec): (4603517/3502)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

debug crypto Commands

[Figure: debug crypto Commands. Same Site 1 / Site 2 topology; command shown: r1#debug crypto isakmp.]

To display messages about IKE events, use the debug crypto isakmp command in privileged EXEC mode. To disable debugging output, use the no form of this command. The following is sample output from the debug crypto isakmp command for an IKE peer that initiates an IKE negotiation.

• First, IKE negotiates its own SA, checking for a matching IKE policy. The output shows that a matching policy is found.

r1#debug crypto isakmp
20:26:58: ISAKMP (8): beginning Main Mode exchange
20:26:58: ISAKMP (8): processing SA payload. message ID = 0
20:26:58: ISAKMP (8): Checking ISAKMP transform 1 against priority 10 policy
20:26:58: ISAKMP:      encryption 3DES-CBC
20:26:58: ISAKMP:      hash SHA
20:26:58: ISAKMP:      group 2
20:26:58: ISAKMP:      auth pre-share
20:26:58: ISAKMP (8): atts are acceptable. Next payload is 0

• Next, the IKE SA is used by each peer to authenticate the other peer.
20:26:58: ISAKMP (8): SA is doing pre-shared key authentication
20:26:59: ISAKMP (8): processing KE payload. message ID = 0
20:26:59: ISAKMP (8): processing NONCE payload. message ID = 0
20:26:59: ISAKMP (8): SKEYID state generated
20:26:59: ISAKMP (8): processing ID payload. message ID = 0
20:26:59: ISAKMP (8): processing HASH payload. message ID = 0
20:26:59: ISAKMP (8): SA has been authenticated

• Then IKE negotiates to set up the IPsec SA by searching for a matching transform set. The output shows that a matching IPsec transform set is found.

20:26:59: ISAKMP (8): beginning Quick Mode exchange, M-ID of 767162845
20:26:59: ISAKMP (8): processing SA payload. message ID = 767162845
20:26:59: ISAKMP (8): Checking IPSec proposal 1
20:26:59: ISAKMP: transform 1, ESP_3DES
20:26:59: ISAKMP:   attributes in transform:
20:26:59: ISAKMP:      encaps is 1
20:26:59: ISAKMP:      SA life type in seconds
20:26:59: ISAKMP:      SA life duration (basic) of 600
20:26:59: ISAKMP:      SA life type in kilobytes
20:26:59: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
20:26:59: ISAKMP:      authenticator is HMAC-SHA
20:26:59: ISAKMP (8): atts are acceptable.

• Finally, the IPsec SA can be created (one SA is created for each direction).

20:26:59: ISAKMP (8): processing NONCE payload. message ID = 767162845
20:26:59: ISAKMP (8): processing ID payload. message ID = 767162845
20:26:59: ISAKMP (8): processing ID payload. message ID = 767162845
20:26:59: ISAKMP (8): Creating IPSec SAs
20:26:59:         inbound SA from 192.168.2.2 to 192.168.1.2 (proxy 192.168.2.2 to 192.168.1.2)
20:26:59:         has spi 454886490 and conn_id 9 and flags 4
20:26:59:         lifetime of 600 seconds
20:26:59:         lifetime of 4608000 kilobytes
20:26:59:         outbound SA from 192.168.1.2 to 192.168.2.2 (proxy 192.168.1.2 to 192.168.2.2)
20:26:59:         has spi 75506225 and conn_id 10 and flags 4
20:26:59:         lifetime of 600 seconds
20:26:59:         lifetime of 4608000 kilobytes

To display IPsec events, use the debug crypto ipsec command in privileged EXEC mode. To disable debugging output, use the no form of this command. The following is sample output from the debug crypto ipsec command. In the example, SAs have been successfully established.

• IPsec requests SAs between peers 192.168.1.2 and 192.168.2.2, on behalf of the permit ip host 192.168.1.2 host 192.168.2.2 command. It prefers to use the transform set esp-des with esp-md5-hmac, but it will also consider ah-sha-hmac.

r1#debug crypto ipsec
00:24:30: IPSEC(sa_request): ,
  (key eng. msg.) src= 192.168.1.2, dest= 192.168.2.2,
    src_proxy= 192.168.1.2/255.255.255.255/0/0 (type=1),
    dest_proxy= 192.168.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 120s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
00:24:30: IPSEC(sa_request): ,
  (key eng. msg.) src= 192.168.1.2, dest= 192.168.2.2,
    src_proxy= 192.168.1.2/255.255.255.255/0/0 (type=1),
    dest_proxy= 192.168.2.2/255.255.255.255/0/0 (type=1),
    protocol= AH, transform= ah-sha-hmac ,
    lifedur= 120s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

• IKE asks for security parameter indexes (SPIs) from IPsec. For inbound SAs, IPsec controls its own SPI space.

00:24:34: IPSEC(key_engine): got a queue event...
00:24:34: IPSEC(spi_response): getting spi 302974012ld for SA
        from 192.168.2.2 to 192.168.1.2 for prot 3
00:24:34: IPSEC(spi_response): getting spi 525075940ld for SA
        from 192.168.2.2 to 192.168.1.2 for prot 2

• IKE asks IPsec if it accepts the SA proposal. In this case, it is the SA proposal sent by the local IPsec in the first place:

00:24:34: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 192.168.2.2, src= 192.168.1.2,
    dest_proxy= 192.168.2.2/255.255.255.255/0/0 (type=1),
    src_proxy= 192.168.1.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

• After the proposal is accepted, IKE finishes the negotiations, generates the keying material, and then notifies IPsec of the new SAs (one SA for each direction).

00:24:35: IPSEC(key_engine): got a queue event...

• The following output pertains to the inbound SA. The conn_id value references an entry in the crypto engine connection table.

00:24:35: IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 192.168.1.2, src= 192.168.2.2,
    dest_proxy= 192.168.1.2/255.255.255.255/0/0 (type=1),
    src_proxy= 192.168.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 120s and 4608000kb,
    spi= 0x120F043C(302974012), conn_id= 29, keysize= 0, flags= 0x4

• The following output pertains to the outbound SA:

00:24:38: IPSEC(initialize_sas): ,
  (key eng. msg.) src= 192.168.1.2, dest= 192.168.2.2,
    src_proxy= 192.168.1.2/255.255.255.255/0/0 (type=1),
    dest_proxy= 192.168.2.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 120s and 4608000kb,
    spi= 0x38914A4(59315364), conn_id= 30, keysize= 0, flags= 0x4

clear Commands

[Figure: clear Commands. Same Site 1 (10.0.1.0) / Site 2 topology.]

Interfaces and Connections, and then click the Edit Interface/Connection tab. From the toolbar, choose Add > New Logical Interface > GRE Tunnel, and the Add GRE Tunnel Interface window appears. From this window, configure the following settings:

• Tunnel Number: Enter a number for this tunnel interface.
• Tunnel Source: Either choose the interface that the tunnel will use from the Interface drop-down list, or enter an IP address for the interface that should be used for the tunnel source in the IP Address text box.
  This interface or IP address must be reachable from the other end of the tunnel; therefore, it must have a public, routable IP address.
- Tunnel Destination: The tunnel destination is the hostname or the IP address of the interface on the router at the other end of the tunnel.
  - Choose whether you will specify the destination using an IP address or a hostname, and then enter that information. If you chose IP address, provide the IP address and subnet mask in dotted decimal format, for example, 192.168.2.0 and
  - Ensure that this address or hostname is reachable; otherwise, the tunnel will not be properly created.
- Tunnel IP Address: Enter the IP address and subnet mask of the tunnel interface. You can enter the subnet mask in dotted decimal or bit count format.
- GRE Keepalive: Check this check box if you want the router to send GRE keepalives. Specify the interval, in seconds, at which keepalives will be sent, and the waiting period, in seconds, between retries.
- MTU: Enter the maximum transmission unit (MTU) size. If you want the MTU size automatically adjusted to a lower value when the adjustment would avoid packet fragmentation, check the Adjust MTU to Avoid Fragmentation check box.
- Bandwidth: Check this check box to specify the bandwidth, in kilobytes, for this tunnel interface.

Configuring a GRE Tunnel via the CLI

[Figure: GRE tunnel between r1 (192.168.1.2) and the remote site router (192.168.2.2), with the site networks 10.0.1.0 and 10.0.2.0 behind them]

Follow these steps to configure a basic GRE tunnel using the CLI:

Step 1  Specify a tunnel interface number and enter interface configuration mode.
    r1(config)#interface tunnel number

Step 2  Assign an IP address and subnet mask on the tunnel interface.
    r1(config-if)#ip address ip-address net-mask

Step 3  Specify the tunnel interface source address or interface.
    r1(config-if)#tunnel source {ip-address | interface-type interface-number}

Step 4  Specify the tunnel interface destination address.
    r1(config-if)#tunnel destination dest-ip

Step 5  Bring up the tunnel interface.
    r1(config-if)#no shutdown

Step 6  Exit back to global configuration mode.
    r1(config-if)#exit

Step 7  Configure a static route so that traffic destined for the remote office network is routed through the tunnel.
    r1(config)#ip route remote-network remote-mask tunnel number

Configuring a GRE-Over-IPsec Tunnel

This topic describes how to configure a GRE tunnel with IPsec encryption using Cisco SDM and verify the resulting CLI configurations.

[Figure: Tunnel Mode Sample, Transport Mode Sample, Encrypted Payload]
* GRE encapsulates an arbitrary payload.
* IPsec encapsulates unicast IP packets (GRE):
  - Tunnel mode (default): IPsec creates a new tunnel IP packet.
  - Transport mode: IPsec reuses the IP header of GRE (20 bytes less overhead).
* You cannot selectively protect GRE traffic. Either all GRE traffic is protected or none of it is protected.

When GRE tunnel endpoints are located on routers that run crypto versions of Cisco IOS Software, you can configure GRE over IPsec such that IPsec protects all of the traffic that passes through the GRE tunnel.

Note: You cannot selectively protect GRE tunnel traffic: either all of the GRE tunnel traffic is protected by IPsec or none of the GRE tunnel traffic is protected by IPsec.

The Secure GRE wizard enables you to create a GRE tunnel with IPsec encryption. When you create a secure GRE tunnel configuration, you also create an IPsec rule that describes the endpoints of the tunnel.

To start the Secure GRE wizard, from the Cisco SDM home page, choose Configure > VPN > VPN > Site-to-Site VPN.
From the Create Site to Site VPN tab, click the Create a Secure GRE Tunnel (GRE over IPsec) option, and then click the Launch Selected Task button. The initial Secure GRE wizard window appears. Click Next to get started.

GRE Tunnel Information

[Figure: GRE Tunnel Information window of the Secure GRE wizard]

The first step in the Secure GRE wizard is to provide general GRE tunnel information. In the GRE Tunnel Information window, fill in the following information:

- Tunnel Source: Select the interface name or enter the IP address of the interface that the tunnel will use. The IP address of the interface must be reachable from the other end of the tunnel; therefore, it must be a public, routable IP address.
  - Details: Click this button to obtain details about the interface that you selected. The Details window shows any access rules, IPsec policies, NAT rules, or inspection rules that are associated with the interface.
- Tunnel Destination: Enter the IP address of the interface on the remote router at the other end of the tunnel. This is the source interface from the point of view of the other end of the tunnel. Ensure that this address is reachable.
- IP Address of the GRE Tunnel: Enter the IP address information of the tunnel. The IP addresses of both ends of the tunnel must be on the same subnet. The tunnel is given a separate IP address.
  - IP Address: Enter the IP address of the tunnel in dotted decimal format.
  - Subnet Mask: Enter the subnet mask for the tunnel address in dotted decimal format or in bit count notation.

When you are done filling in the GRE tunnel information, click Next. The Backup GRE Tunnel Information window appears. From the Backup GRE Tunnel Information window, you can configure a backup GRE-over-IPsec tunnel that the router can use when the primary tunnel fails.
This tunnel uses the same interface that you configured for the primary tunnel, but it must be configured with a backup VPN router as the peer. If routing is configured for the primary GRE-over-IPsec tunnel, the routing protocol sends keepalive packets to verify that the tunnel is still active. If the router stops receiving keepalive packets on the primary tunnel, then traffic is sent through the backup tunnel.

When you are done filling in the backup GRE tunnel information, or if no backup GRE tunnel information is necessary, click Next.

VPN peers can use a pre-shared key (PSK) to authenticate connections from each other. This key must be the same on each side of the VPN connection. The VPN Authentication Information window of the Secure GRE wizard enables you to configure the PSK information. This window provides the following options:

- Pre-Shared Key: Click this option if the VPN peers use a PSK for authentication. If you choose this option, you must enter the PSK, and then re-enter it for confirmation. Exchange the PSK with the administrator of the remote site through some secure and convenient method, such as an encrypted e-mail message.

  Note: You cannot use question marks (?) and spaces in the PSK.

- Digital Certificate: Click this option if the VPN peers will use digital certificates for authentication. The router must have a digital certificate issued by a certificate authority (CA) to authenticate itself. If you have not configured a digital certificate for the router, go to the VPN components, and use the Digital Certificate wizard to enroll for a digital certificate.

When you are done providing the VPN authentication information, click Next and the IKE Proposals window appears.

Internet Key Exchange (IKE) policies govern the way that devices in a VPN authenticate themselves. The IKE Proposals window lists all of the IKE policies that have been configured on the router.
If no user-defined policies have been configured, the window lists the Cisco SDM default IKE policy. The local router uses the IKE policies that are listed in this window to negotiate authentication with the remote router.

The local router and the peer device must both use the same policy. The router that initiates the VPN connection offers the policy with the lowest priority number first. If the remote system rejects that policy, the local router offers the policy with the next lowest number, and continues in this fashion until the remote system accepts one of the policies, or until all of the policies are rejected. If all of the policies are rejected, the VPN connection does not come up, so it is important that you coordinate closely with the administrator of the peer system so that you can configure identical policies on both routers.

IPsec Transform Set

[Figure: Transform Set window of the Secure GRE wizard]

The Transform Set window of the Secure GRE wizard shows the default Cisco SDM transform sets and the additional transform sets that have been configured on the router. A transform set represents a combination of security protocols and algorithms. During the IPsec security association (SA) negotiation, the peers agree to use a particular transform set for protecting a particular data flow. A transform describes a particular security protocol with its corresponding algorithms.

Note: You can choose only one transform set in this window, but you can associate additional transform sets with the VPN connection using the VPN Edit tab.

Select the Routing Protocol

[Figure: Select Routing Protocol window of the Secure GRE wizard]

The Select Routing Protocol window of the Secure GRE wizard enables you to configure routing for the tunneled traffic. Configuring routing enables you to specify the networks that will participate in the GRE-over-IPsec VPN.
Additionally, if you configure a backup GRE-over-IPsec tunnel, the keepalive packets sent by the routing protocols allow the router to determine when the primary tunnel has failed.

- EIGRP: Check this check box to use Enhanced Interior Gateway Routing Protocol (EIGRP) to route traffic. When you click Next, you will be asked to specify which networks will participate in the GRE-over-IPsec VPN in the Routing Information window.
- OSPF: Check this check box to use Open Shortest Path First (OSPF) to route traffic. When you click Next, you will be asked to specify which networks will participate in the GRE-over-IPsec VPN in the Routing Information window.
- RIP: Check this check box to use Routing Information Protocol (RIP) to route traffic. When you click Next, you will be asked to specify which networks will participate in the GRE-over-IPsec VPN in the Routing Information window.
- Static Routing: You can use static routing in smaller VPN deployments in which only a few private networks participate in the GRE-over-IPsec VPN. You can configure a static route for each remote network so that traffic destined for the remote networks will pass through the appropriate tunnels.

In the example in the figure, OSPF dynamic routing is configured over the tunnel.

The Summary of the Configuration window of the Secure GRE wizard summarizes the GRE configuration that you have completed. You can review the information in this screen, and click the Back button to return to any screen in which you want to make changes. If you want to save the configuration, click Finish.

GRE over IPsec: IPsec Settings

[Figure: IPsec settings generated by the wizard, beginning with crypto isakmp policy 2]

The figure shows a typical IPsec site-to-site tunnel configuration. The interesting traffic that will go through the tunnel is limited to GRE traffic between the two tunnel endpoints.
This configuration accomplishes GRE-over-IPsec tunneling.

Note: It is important that the necessary traffic is forwarded to the tunnel interface for routing.

To identify which traffic IPsec should protect through the GRE tunnel, follow these additional instructions:

Step 1  When you set up your crypto access control list (ACL), the list should contain only one criteria statement. In this statement, specify "gre" as the protocol, specify the tunnel source address as the source, and specify the tunnel destination address as the destination.

Step 2  Apply the crypto map to the tunnel interface.

Note: Without GRE tunnels, you apply the crypto map to the physical interface.

Repeat these steps at both ends of the GRE tunnel.

GRE over IPsec: Tunnel Settings

[Figure: site 1 (10.0.1.0) and site 2 (10.0.2.0) connected across the Internet; tunnel addresses 172.16.1.1 and 172.16.1.2; physical addresses 192.168.1.2 and 192.168.2.2; tunnel source Serial0/0/0]

This figure shows a tunnel configuration with the tunnel source as the local Serial 0/0/0 interface and the tunnel destination of 192.168.2.2, which is the IP address of the peer router Serial 0/0/0 interface. The IP address 172.16.1.1 is assigned to the tunnel interface, and the crypto map shown on the previous page (SDM_CMAP_1) is applied to the tunnel interface. OSPF has also been configured to exchange routes over the GRE tunnel.

Generate a Mirror Configuration

This topic describes how to generate mirror configurations.

[Figure: Configure > VPN > VPN > Site-to-Site VPN > Edit Site-to-Site VPN]

To lessen the likelihood of misconfigurations, you can create a mirror configuration of your VPN tunnel. To create a mirror configuration for your VPN tunnel, from the Cisco SDM home page choose Configure > VPN > VPN > Site-to-Site VPN.
From the Edit Site to Site VPN tab, choose the tunnel interface for which you would like to create a mirror configuration, and then click Generate Mirror. The Generate Mirror window appears and shows you the IPsec policy used for the VPN tunnel. From this window, click the Save button to save the policy to a text file that you can use to configure the peer device. After you click the Save button, specify a name and location for the text file. You can give this text file to the administrator of the peer device so that they can create a policy that mirrors the one you created.

Testing and Verifying GRE over IPsec

This topic describes how to test and verify GRE-over-IPsec operations using the CLI.

You can use several commands to monitor and troubleshoot GRE tunnels. To verify whether the tunnel interface is up or down, use the show ip interface brief command:

    r1#show ip interface brief
    Interface          IP-Address      OK? Method Status                 Protocol
    FastEthernet0/0    10.0.1.1        YES manual up                     up
    FastEthernet0/1    unassigned      YES manual administratively down  down
    Serial0/0/0        192.168.1.2     YES manual up                     up
    Serial0/0/1        unassigned      YES manual administratively down  down
    Tunnel0            172.16.1.2      YES TFTP   up                     up

To verify the tunnel interface configuration, use the show crypto map interface tunnel number command. The output should be similar to the following:

    r1#show crypto map interface tunnel 0
    Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
            Description: Tunnel to 192.168.2.2
            Peer = 192.168.2.2
            Extended IP access list 102
                access-list 102 permit gre host 192.168.1.2 host 192.168.2.2
            Current peer: 192.168.2.2
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={ ESP-3DES-SHA, }
            Interfaces using crypto map SDM_CMAP_1:
                    Tunnel0

Summary

This topic summarizes the key points that were discussed in this lesson.
- GRE is a tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels.
- Use the tunnel source command and the tunnel destination command to define the source and destination addresses of a GRE tunnel.
- You cannot selectively encrypt GRE tunnel traffic; either all of the GRE tunnel traffic is encrypted or none of the GRE tunnel traffic is encrypted.
- Click the Generate Mirror button to create a text file that you can give to an administrator of a peer device so that they can create a policy that mirrors yours.
- Use the show crypto map interface tunnel number command to verify the tunnel interface configuration.

Lesson 4

Configuring High-Availability VPNs and VTI

Overview

This lesson describes some of the designs you can use to provide a high-availability IP Security (IPsec) virtual private network (VPN). You will learn how to use Hot Standby Router Protocol (HSRP) as a backup option to provide router redundancy, and how to use stateless failover and HSRP with Stateful Switchover (SSO) to provide stateful failover for IPsec VPN sessions. This lesson also addresses a new technology, the virtual tunnel interface (VTI).

Objectives

Upon completing this lesson, you will be able to describe and configure high-availability VPN technologies.
This ability includes being able to meet these objectives:

- Describe high availability for IPsec VPNs
- Explain how to achieve high availability with IPsec VPNs using redundant peers and how to configure it
- Describe HSRP, the role it plays in high availability, and how to configure it
- Describe Cisco IOS stateful failover and how to configure it
- Explain how to back up WAN links using VPNs
- Describe the benefit of using static or dynamic VTI and how to configure VTIs for site-to-site IPsec VPNs

High Availability for Cisco IPsec VPNs

This topic describes high availability for IPsec VPNs.

[Figure: Failures]
* IPsec VPNs can experience several types of failures:
  - Access link failure
  - Remote peer failure
  - Device failure
  - Path failure
* IPsec VPNs should be designed and implemented with redundancy and high-availability mechanisms to mitigate these failures.

IPsec-based VPNs provide connectivity between distant sites that use an untrusted transport network, such as the Internet. Network connectivity consists of links, devices, and sometimes just paths across networks whose topology is not known. Any of these components can fail, making the VPN inoperable. You should design and implement IPsec VPNs that require high availability with redundancy to survive failures.

Common solutions for redundancy use one or more of the following options:
* Two access links to mitigate access-link failures
* Multiple peers to mitigate peer failure
* Two local VPN devices to mitigate device failures
* Multiple independent paths to mitigate all path failures

The figure illustrates an implementation of an IPsec VPN in which maximum failover is configured. Every component has been duplicated so that the solution can survive any possible single failure:

- Two access links are used on both ends to mitigate a failure of any access link.
- The remote site is configured with two headend peers in case any one of them fails.
- Both sites use two VPN gateways to mitigate local device failures.
- Multiple independent paths (dual ISPs) are used between remote sites to mitigate an unknown failure anywhere in any of the paths.

The duplication of hardware and links should be coupled with other high-availability mechanisms.

Failure Detection

* Native IPsec can use DPD to detect failures in the path and remote peer failure.
* Any form of GRE over IPsec typically uses a routing protocol to detect failures (hello mechanism).
* HSRP is typically used to detect failures of local devices. VRRP has similar failure-detection functionality.

The figure illustrates the usage of high-availability mechanisms to detect failures and reroute traffic to secondary paths. Failures in the IPsec path are typically detected using one of two mechanisms:

- Dead peer detection (DPD), which is a native Internet Key Exchange (IKE) mechanism similar to the old proprietary IKE keepalives
- Alternatively, any routing protocol running across the Generic Routing Encapsulation (GRE)-over-IPsec tunnel will detect failures using the hello mechanism of the routing protocol

It is typical to use the Cisco-proprietary HSRP to provide router redundancy on the LAN. Virtual Router Redundancy Protocol (VRRP) is a standardized version of HSRP.

Dead Peer Detection

* DPD:
  - Sends keepalives at periodic intervals if no data is transmitted
  - Is on-demand (default)
* Cisco IKE keepalives:
  - Were replaced with standards-based DPD in Cisco IOS Release 12.2(8)T and higher

[Figure: a DPD "Are You There" message sent to the peer and the DPD reply message returned]

DPD and Cisco IOS keepalives are a scheme that allows the router to query the liveliness of its IKE peer. DPD and Cisco IOS keepalives function based on a timer.
If the timer is set for 10 seconds, the router sends a hello message every 10 seconds (unless, of course, the router receives a hello message from the peer). The benefit of Cisco IOS keepalives and periodic DPD is earlier detection of dead peers. However, Cisco IOS keepalives and periodic DPD rely on periodic messages that must be sent with considerable frequency. The result of sending frequent messages is that the communicating peers must encrypt and decrypt more packets.

DPD also has an on-demand approach, which is the default approach. With on-demand DPD, messages are sent based on traffic patterns. For example, if a router has to send outbound traffic and the liveliness of the peer is questionable, the router sends a DPD message to query the status of the peer. If a router has no traffic to send, it never sends a DPD message. If a peer is dead and the router never has any traffic to send to the peer, the router does not find out until the IKE or IPsec security association (SA) has to be rekeyed (the liveliness of the peer is unimportant if the router is not trying to communicate with the peer). On the other hand, if the router has traffic to send to the peer, and the peer does not respond, the router will initiate a DPD message to determine the state of the peer.

In Cisco IOS Software Release 12.2(8)T, the Cisco IOS keepalives were replaced with standard DPD. Two peers can still use proprietary keepalives if one of them has an older Cisco IOS Software release.

IPsec Backup Peer

This topic describes how you can achieve high availability of IPsec VPNs using redundant peers and how to configure this option.
[Figure: IPsec Backup Peer]

One high-availability design option is to use native IPsec and its high-availability mechanisms:
* DPD to detect failures
* Backup peers to take over new tunnels when the primary peer becomes unavailable

Stateless failover for IPsec VPNs means that when there is a failure and a tunnel goes down, it must be re-established. This process can be disruptive to the network and might not be transparent to the users. In contrast, stateful failover for IPsec VPNs enables a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs, and the process is transparent to the user. To provide stateful failover, a pair of devices must run in a virtually identical environment (same hardware, software, configuration, and so forth) and exchange live information about IPsec SAs.

You can use DPD or Cisco IOS keepalive features in conjunction with multiple peers in the crypto map to allow for stateless failover. DPD allows the router to detect a dead IKE peer, and when the router detects the dead state, the router deletes the IPsec and IKE SAs with that peer. If you have multiple peers configured, the router switches over to the next listed peer for a stateless failover.

IPsec Backup Peer Configuration Example

[Figure: crypto map with a primary peer and the backup peer 172.31.1.200]
* The router will first try the primary peer.
* If the primary peer is not available or becomes unavailable (DPD failure detection), the router tries the backup peers in the order listed in the crypto map.

The figure illustrates a sample configuration in which DPD is enabled with a 10-second frequency and a 3-second retry frequency, using the command crypto isakmp keepalive 10 3. The crypto map is configured to use a backup peer (172.31.1.200) when DPD determines that the primary peer is no longer responding.
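The following added model (illustration written for this edit, not Cisco IOS code or part of the course) replays the behaviour described above: periodic versus on-demand DPD timing for the crypto isakmp keepalive 10 3 example, and the stateless switch to the next listed crypto map peer once the primary is declared dead. The primary peer address 192.0.2.10 and the retry count of five are constructed assumptions; only the backup address 172.31.1.200 comes from the lesson.

```python
from dataclasses import dataclass


@dataclass
class DpdConfig:
    """Arguments of 'crypto isakmp keepalive seconds [retries] [periodic | on-demand]'."""
    seconds: int = 10        # seconds between DPD messages (10 to 3600)
    retries: int = 2         # seconds between retries when a message goes unanswered (2 to 60)
    periodic: bool = False   # on-demand is the default


def time_to_detect(cfg, peer_dies_at, outbound_traffic, max_retries=5, horizon=600):
    """Second at which the local router declares the peer dead, or None within the horizon.

    peer_dies_at:     last second at which anything was received from the peer.
    outbound_traffic: seconds at which the local router has data to send to the peer.
    max_retries:      unanswered retries before the peer is declared dead. The lesson does
                      not state this count, so it is an assumed parameter here.
    """
    idle_since = peer_dies_at
    next_probe = None
    sent = 0
    for t in range(peer_dies_at, horizon + 1):
        if next_probe is None:
            quiet = t - idle_since >= cfg.seconds
            if cfg.periodic and quiet:
                next_probe = t        # periodic: probe as soon as the interval expires
            elif not cfg.periodic and quiet and t in outbound_traffic:
                next_probe = t        # on-demand: probe only when there is traffic to send
        if next_probe == t:
            if sent > max_retries:    # the message and every retry went unanswered
                return t
            sent += 1                 # send the DPD message; a dead peer never replies
            next_probe = t + cfg.retries
    return None


def select_peer(crypto_map_peers, dead_peers):
    """Stateless failover: with the SAs to the dead peer deleted, the router tries the
    remaining peers in the order they are listed in the crypto map."""
    for peer in crypto_map_peers:
        if peer not in dead_peers:
            return peer
    return None


def backup_peer_scenario(cfg, peers, outbound_traffic):
    """Primary peer goes silent at t=0; report when it is declared dead and who takes over."""
    dead = set()
    detected_at = time_to_detect(cfg, 0, outbound_traffic)
    if detected_at is not None:
        dead.add(peers[0])            # IPsec and IKE SAs with the dead peer are deleted
    return {"detected_at": detected_at, "active_peer": select_peer(peers, dead)}


if __name__ == "__main__":
    # Constructed crypto map: the primary address is a placeholder, the backup is from the figure.
    peers = ["192.0.2.10", "172.31.1.200"]
    cfg = DpdConfig(seconds=10, retries=3)                      # crypto isakmp keepalive 10 3
    print(backup_peer_scenario(DpdConfig(10, 3, periodic=True), peers, set()))
    print(backup_peer_scenario(cfg, peers, set()))              # on-demand and idle: never detected
    print(backup_peer_scenario(cfg, peers, {25}))               # on-demand with traffic at 25 s
```

With the 10-second interval and 3-second retries, periodic DPD declares the silent peer dead at 28 seconds, while on-demand DPD does so only once traffic is queued (at 43 seconds for traffic queued at 25 seconds) and never if the router has nothing to send.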
To allow the gateway to send DPD messages to the peer, use the crypto isakmp keepalive command in global configuration mode. To disable keepalives, use the no form of this command. The full syntax for this command is crypto isakmp keepalive seconds [retries] [periodic | on-demand].

crypto isakmp keepalive Parameters

Parameter: Description
seconds: The number of seconds between DPD messages; the range is from 10 to 3600 seconds. If you do not specify a time interval, you will receive an error message.
retries: (Optional) The number of seconds between DPD retries if the DPD message fails; the range is from 2 to 60 seconds. If unspecified, the default is 2 seconds.
periodic: (Optional) DPD messages are sent at regular intervals.
on-demand: (Optional) This option is the default behavior. DPD retries are sent on demand. Note that because this option is the default, the on-demand keyword does not appear in configuration output.

Note: When the crypto isakmp keepalive command is configured, the Cisco IOS Software negotiates the use of proprietary Cisco IOS keepalives or standard DPD, depending on which protocol the peer supports.

Use the periodic keyword to configure your router so that DPD messages are forced at regular intervals. This approach detects dead peers earlier than the on-demand approach. If you do not configure the periodic option, the router defaults to the on-demand option.

Hot Standby Router Protocol

This topic describes HSRP, the role it plays in high availability, and how to configure it.

* HSRP can be used at:
  - Headend: Two headend IPsec devices appear as one to remote peers.
  - Remote site: Two IPsec gateways appear as one to local devices.
* The active HSRP device uses a virtual IP and MAC address.
* The standby HSRP device takes over the virtual IP and MAC address
  when the active HSRP device goes down.

You typically configure large classes of legacy hosts that do not support dynamic router discovery with a default gateway (router). Running a dynamic router discovery mechanism on every host might not be feasible for a number of reasons, including administrative overhead, processing overhead, security issues, or lack of a protocol implementation for some platforms. Instead, you can configure HSRP on the routers to provide router failover services without requiring any dynamic router discovery mechanism on the hosts.

Using HSRP, a set of routers work together to present the illusion of a single virtual router. This set of routers is known as an HSRP group or a standby group. A single router elected from the group is responsible for forwarding packets that are sent to the virtual router. This router is known as the active router. Another router is elected as the standby router. In the event that the active router fails, the standby router assumes the packet forwarding duties of the active router. Although an arbitrary number of routers can run HSRP, only the active router forwards the packets sent to the virtual router.

To minimize network traffic, only the active and standby routers send periodic HSRP messages after the protocol has completed the election process. If the active router fails, the standby router takes over as the active router. If the standby router fails or becomes the active router, another router is elected as the standby router.

On a particular network, multiple standby groups can coexist and overlap. Each standby group emulates a single virtual router. The individual routers can participate in multiple standby groups. In this case, the router maintains separate state and timers for each group. Each standby group has a single, well-known MAC address and an IP address.
HSRP Configuration Commands

[Figure: two routers presenting a virtual router to the LAN]
Configure:
* standby 1 ip 172.16.10.1
Verify:
* show running-config
* show standby

The table describes the minimum commands that you use to configure HSRP.

Commands Used to Configure and Verify HSRP

Command: Description
Router(config-if)# standby group-number ip ip-address: Configures HSRP on this interface for this group number. The IP address is that of the virtual gateway. The default group number is 0.
Router(config-if)# no standby group-number ip ip-address: Disables HSRP on the interface.
Router# show running-config: Displays the HSRP parameters configured on each interface.
Router# show standby [interface] [group-number] [brief]: Displays HSRP information. Use the options to minimize the output of this command.

While running HSRP, the end-user stations must not discover the actual MAC addresses of the routers in the standby group. You must disable any protocol that informs a host of the actual address of a router. To ensure that the actual addresses of the participating HSRP routers are not discovered, enabling HSRP on a Cisco router interface automatically disables Internet Control Message Protocol (ICMP) redirects on that interface.

After you issue the standby ip command, the interface changes to the appropriate state. When the router successfully executes the command, the router issues an HSRP message. To remove an interface from an HSRP group, enter the no standby ip command.

Configuring HSRP Standby Priority

[Figure: two HSRP routers, one configured with standby 1 priority 150 in interface configuration mode]
* The default priority is 100.
* In the case of a tie, the router with the highest configured IP address within the HSRP group becomes active.

Each standby group has its own active and standby routers.
The network administrator can assign a priority value to each router in a standby group, allowing the administrator to control the order in which active routers for that group are selected. To set the priority value of a router, enter this command in interface configuration mode:

    Router(config-if)#standby group-number priority priority-value

standby Parameters

Parameter: Definition
group-number: Indicates the HSRP group. This number can be in the range of 0 to 256.
priority-value: Indicates the number that prioritizes a potential HSRP router. The range is 0 to 255, and the default is 100.

During the election process, the router with the highest priority in an HSRP group, where a higher number equates to a higher priority, becomes the active router. In the case of a tie, the router with the highest configured IP address will become active. To reinstate the default standby priority value, enter the no standby priority command.

The figure shows the configuration for one of the routers in a standby group. The other HSRP router on the LAN will have a similar configuration. For example:

    interface Vlan10
     ip address 172.16.10.20 255.255.255.0
     no ip redirects
     standby 1 priority 140
     standby 1 ip 172.16.10.1

[Figure: HSRP preempt example showing the assigned priority, the standby group number, and the commands standby 1 priority, standby 1 preempt, and standby 1 ip 172.16.10.1]
* Preempt enables a router to resume the forwarding router role.

The standby router automatically assumes the active router role when the active router fails or is removed from service. This new active router remains the forwarding router, even when the former active router with the higher priority regains service in the network. You can configure the former active router to resume the forwarding router role by preempting a router with a lower priority.
To enable a router to resume the forwarding router role, enter this ‘command in interface configuration mode: Router (config-if)#standby [group-number] preempt [(delay) [minimum delay] (syne delay}! ‘When you issue the standby preempt command, the interface changes to the appropriate state Note It the routers do not have preempt configured, then a router that boots up significantly faster than the others in the standby group will become the active router, regardless of the configured priority, ‘To remove the interface from preemptive status, enter the no standby preempt command 3-122 Securing Networks with Cisco Roviers and Switches (SNRS) v3.0 (© 2008 Cisco Systems, Ine. HSRP Interface Tracking Tracking In some situations, the status of an interface directly affects which router must become the active router. This is particularly true when each of the routers in an HSRP group has a different path to resources within the campus network. In the example in the figure, router A and router B reside in one building. Each of these routers supports a Gigabit Ethernet link to the other building. Router A has the higher priority and is the active forwarding router for standby group 1. Router B is the standby router for that group. Routers A and B are exchanging hello messages through their E0 interfaces. {© 2008 Cisco Systems. In. Secure Steo-Site Communications 3-123, The Gigabit Ethernet link between the active forwarding router for the standby group and the other building experiences a failure. Without HSRP enabled, router A would detect the failed link and send an ICMP redirect to any host that attempted to use it. However, when HSRP is enabled, ICMP redirects are disabled. Therefore, neither router A nor the virtual router sends an ICMP redirect. In addition, although the G1 interface on router A is no longer functional, router A still communicates hello messages out of interface EO, indicating that router A is still the active router. 
Packets that are sent to the virtual router for forwarding to headquarters cannot be routed until the routing protocol converges. Without interface tracking, host traffic suffers from suboptimal routing.

Interface tracking enables the priority of a standby group router to be automatically adjusted, based on the availability of the interfaces of that router. When a tracked interface becomes unavailable, the HSRP priority of the router is decreased. When properly configured, the HSRP tracking feature ensures that a router with an unavailable key interface will relinquish the active router role.

In the example in the figure, the E0 interface on router A tracks the G1 interface. If the link between the G1 interface and the other building fails, the router automatically decrements the priority on that interface and stops transmitting hello messages out of interface E0. Router B assumes the active router role when no hello messages are detected for the configured holdtime period.

Configuring HSRP Tracking

  Router(config-if)# standby [group-number] track type number [interface-priority]
  * Configures HSRP tracking

  Router(config)# interface vlan 10
  Router(config-if)# standby 1 track GigabitEthernet 0/7 50
  Router(config-if)# standby 1 track GigabitEthernet 0/8 60
  Router(config-if)# standby 1 preempt
  * Example of HSRP tracking

Preempt must be configured on all participating devices within the HSRP group. To configure interface tracking, enter this command in interface configuration mode:

  Router(config-if)# standby [group-number] track type number [interface-priority]

standby track Parameters

  group-number
      (Optional) Indicates the group number on the interface to which the tracking applies. The default number is 0.

  type
      Indicates the interface type (combined with the interface number) that will be tracked.

  number
      Indicates the interface number (combined with the interface type) that will be tracked.

  interface-priority
      (Optional) Indicates the amount by which the hot standby priority for the router is decremented when the interface becomes disabled. The priority of the router is incremented by this amount when the interface becomes available. The default value is 10.

To disable interface tracking, enter the no standby track command.

You can apply multiple tracking statements to an interface. This can be useful if the currently active HSRP interface will relinquish its status only upon the failure of two (or more) tracked interfaces.

HSRP at Remote Sites
  Default gateway: 10.0.1.1
  * All remote devices use the virtual IP as the default gateway.
  * The standby router is used only when the active router is down.

The figure illustrates the usage of HSRP at remote sites where devices behind the pair of IPsec gateways are configured with a static default gateway. To ensure that you can mitigate a single device failure, the default gateway points to an HSRP virtual IP address (10.0.1.1 in the example), thus ensuring that the default IP gateway is always present. In the example in the figure, the top router on the remote side has a priority of 150 configured for its FastEthernet 0/0 interface. The bottom router has the default priority of 100 for its FastEthernet 0/0 interface, resulting in the top router being the active router for virtual IP address 10.0.1.1.

Synchronizing IPsec with HSRP
  * Use periodic IKE keepalives to allow IPsec to detect HSRP failover in time.
  * Link the crypto map to the HSRP group using the crypto map map_name redundancy standby-group-name command.
  * Use RRI to allow dynamic routing information updates during the HSRP and IPsec failover.
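The election, preempt and tracking rules from the HSRP topics above (priority, IP-address tie-break, the fast-booting router note, and the tracking decrement that only matters when the other member has preempt), replayed as an added Python model that is not part of the course material. Router names, the addresses, the priority of 140 and the track decrements of 50 and 60 are constructed to mirror the text.

```python
"""HSRP election model: priority, IP tie-break, preempt and interface tracking.
Added example, not Cisco code. Names, addresses and priorities are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DEFAULT_PRIORITY = 100         # "The default priority is 100."
DEFAULT_TRACK_DECREMENT = 10   # default interface-priority of standby track


@dataclass
class HsrpRouter:
    name: str
    ip: str                      # interface address; the highest IP wins a priority tie
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False        # is standby preempt configured?
    tracked: dict = field(default_factory=dict)   # interface -> decrement while it is down
    down: set = field(default_factory=set)        # tracked interfaces currently down

    def track(self, ifname: str, decrement: int = DEFAULT_TRACK_DECREMENT) -> None:
        """Equivalent of 'standby track type number [interface-priority]'."""
        self.tracked[ifname] = decrement

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        loss = sum(dec for ifname, dec in self.tracked.items() if ifname in self.down)
        return max(0, self.priority - loss)

    def rank(self) -> tuple:
        """Election order: highest effective priority, then highest IP address."""
        return (self.effective_priority(), int(IPv4Address(self.ip)))


class HsrpGroup:
    def __init__(self, *routers: HsrpRouter):
        self.routers = {r.name: r for r in routers}
        self.up = set()          # members currently sending hellos
        self.active = None

    def best(self):
        return max((self.routers[n] for n in self.up), key=HsrpRouter.rank, default=None)

    def _settle(self):
        """The active router keeps the role unless a better-ranked member with preempt
        configured is up. An active router whose hellos stop is replaced by the best
        remaining member after the holdtime."""
        if self.active not in self.up:
            self.active = self.best().name if self.up else None
            return self.active
        best = self.best()
        if (best.name != self.active and best.preempt
                and best.rank() > self.routers[self.active].rank()):
            self.active = best.name
        return self.active

    def boot(self, name: str):
        """A member joins. With nobody active yet, the first router up takes the role
        regardless of priority (the fast-booting router note); afterwards only a
        preempt-enabled, better-ranked router displaces the active router."""
        self.up.add(name)
        if self.active is None:
            self.active = name
        return self._settle()

    def fail(self, name: str):
        """The router stops sending hellos; the standby takes over."""
        self.up.discard(name)
        return self._settle()

    def interface_down(self, name: str, ifname: str):
        """A tracked interface fails: the priority drops by its configured decrement."""
        self.routers[name].down.add(ifname)
        return self._settle()

    def interface_up(self, name: str, ifname: str):
        """A tracked interface recovers: the priority is restored by the same amount."""
        self.routers[name].down.discard(ifname)
        return self._settle()


def page_scenario(preempt: bool = True, first: str = "B") -> list:
    """Replay the section's example: router A (priority 140, tracking two Gigabit
    links) and router B (default priority 100). Returns the active router after
    each event so the effect of preempt and tracking can be compared."""
    a = HsrpRouter("A", "172.16.10.20", priority=140, preempt=preempt)
    a.track("GigabitEthernet0/7", 50)
    a.track("GigabitEthernet0/8", 60)
    b = HsrpRouter("B", "172.16.10.21", preempt=preempt)
    group = HsrpGroup(a, b)
    second = "A" if first == "B" else "B"
    return [
        group.boot(first),                                 # first router up becomes active
        group.boot(second),                                # higher priority wins only with preempt
        group.interface_down("A", "GigabitEthernet0/7"),   # A drops to 90, below B's 100
        group.interface_up("A", "GigabitEthernet0/7"),     # A is back at 140
        group.fail("A"),                                   # A stops sending hellos
        group.boot("A"),                                   # A returns to the group
    ]


if __name__ == "__main__":
    print("preempt on,  B boots first:", page_scenario(True, "B"))
    print("preempt off, B boots first:", page_scenario(False, "B"))
    print("preempt off, A boots first:", page_scenario(False, "A"))
```

With preempt on every member, A takes the role back after each event; without preempt, whichever router spoke first keeps it even at a reduced priority.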
HSRP is often used to track the status of router interfaces to achieve failover between routers. However, because no internal correlation exists between IPsec and HSRP, HSRP does not track the state of IPsec SAs. IPsec requires the use of other mechanisms to synchronize with HSRP failover when it occurs. The following are some highlights of the schemes used to provide a closer coupling between IPsec and HSRP:

  * Periodic IKE keepalives are used to allow IPsec to detect HSRP failover in time.
  * The dynamic crypto map that is applied on a specific router interface is linked with the HSRP group that is already configured on that interface to make IPsec aware of the HSRP setup. This mechanism also allows IPsec to use the HSRP virtual IP address as the Internet Security Association and Key Management Protocol (ISAKMP) identity of the HSRP routers. Enter the command crypto map map-name redundancy standby-group-name on the interface that you are configuring for HSRP. The map-name parameter must match the name of a crypto map that is configured in global configuration mode.
  * The Reverse Route Injection (RRI) feature is used to allow dynamic routing information updates during the HSRP and IPsec failover. To support the RRI feature, enter the command reverse-route in the crypto map.

HSRP at the Headend
  * Remote sites peer with the virtual IP address (HSRP) of the headend.
  * RRI or HSRP can be used on the inside interface to ensure a proper return path.

The figure illustrates the usage of HSRP to make the pair of headend VPN routers appear as a single device. A failure of the primary device leads to the IPsec tunnel failing, but the remote site will re-establish the tunnel to the other router using the same peer address (172.31.1.1 in the example, which is the virtual IP address).

Devices that are behind the headend VPN routers can find the return path toward remote sites using one of two mechanisms:

  * HSRP on the inside interface, configured similarly to the HSRP on the outside interface
  * RRI to inject remote networks into an interior gateway protocol (IGP) and distribute them to other routers in the network

To configure the name of the standby group, use the standby name command in interface configuration mode. Creating a name for an HSRP configuration allows that name to be mapped to an IPsec configuration with the redundancy keyword.

IPsec Stateful Failover

This topic describes Cisco IPsec stateful failover and how to configure it.

  * IPsec VPNs that use DPD, HSRP, or IGPs to mitigate failures provide only stateless failover.
  * IPsec stateful failover requires:
      - Identical hardware and software configuration of IPsec on the active and standby device
      - Exchange of IPsec state between the active and standby device (i.e., complete SA information)

When configuring redundancy for a VPN, both the active and standby devices must run the identical Cisco IOS Software release, and both the active and standby devices must be connected via a hub or switch.

Note: Please refer to the latest documentation on IPsec stateful failover at http://www.cisco.com for a full list of the most current restrictions.

In addition, you must duplicate on the standby device the IKE Phase 1 and IPsec configuration that is set up on the active device.
That is, the crypto configuration must be identical with respect to the following:

  * ISAKMP policies, profiles, and keys (preshared)
  * IPsec profiles
  * IPsec transform sets
  * All crypto map sets that are used for stateful failover
  * All access control lists (ACLs) that are used in match address statements on the crypto map sets
  * All authentication, authorization, and accounting (AAA) configurations used for crypto
  * Client configuration groups
  * IP local pools used for crypto

IPsec Stateful Failover (Cont.)
  * IPsec stateful failover works in combination with HSRP and SSO.
  * SSO is responsible for synchronizing the ISAKMP and IPsec SA database between HSRP active and standby routers.
  * RRI is optionally used to inject the routes into the internal network.

Stateful failover for IPsec, introduced in Cisco IOS Software Release 12.3(11)T, enables a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This process is transparent to the user and does not require adjustment or reconfiguration of any remote peer.

Stateful failover for IPsec is designed to work in conjunction with Stateful Switchover (SSO) and HSRP. HSRP provides router redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. That is, HSRP monitors both the inside and outside interfaces so that if either interface goes down, the whole router is deemed to be down and ownership of IKE and IPsec SAs is passed to the standby router (which transitions to the HSRP active state). SSO allows the active and standby routers to share IKE and IPsec state information so that each router has enough information to become the active router at any time.

To configure stateful failover for IPsec, you should enable HSRP, assign a virtual IP address, and enable the SSO protocol.

Note: Currently, only a limited number of platforms support stateful failover. To check the list of the latest platforms that support this feature, go to Cisco Feature Navigator at http://www.cisco.com/go/fn.

Configuring IPsec Stateful Failover
  * Configure IPC using SCTP between headend devices.
  * Enable stateful redundancy.

The figure illustrates a configuration for IPsec stateful failover. In the figure, the crypto map redundancy is configured with the stateful keyword, which requires HSRP to be configured in combination with SSO. The right part of the configuration example shows how the HSRP profile named VPNHA is configured to exchange IPsec state with the other HSRP routers using Stream Control Transmission Protocol (SCTP) on source and destination port 12345. Follow the steps in the "Configuring IPsec State Exchange Procedure" table to configure the router to exchange IPsec stateful information with the peer.

Configuring IPsec State Exchange Procedure

  Step 1: redundancy inter-device
      Example: Router(config)# redundancy inter-device
      Configures redundancy and enters inter-device configuration mode. To exit inter-device configuration mode, use the exit command. To remove all of the inter-device configuration, use the no form of the command.

  Step 2: scheme standby standby-group-name
      Example: Router(config-red-interdevice)# scheme standby VPNHA
      Defines the redundancy scheme that is to be used. Currently, "standby" is the only supported scheme.
      standby-group-name: Must match the standby name specified in the standby name interface configuration command. In addition, the standby name should be the same on both routers.
      Note: Only the active or standby state of the standby group is used for SSO. The virtual IP address of the standby group is not required or used by SSO. In addition, the standby group does not have to be part of any crypto map configuration.

  Step 3: ipc zone default
      Example: Router(config)# ipc zone default
      Configures the inter-device communication protocol, interprocess communication (IPC), and enters IPC zone configuration mode. Use this command to initiate the communication link between the active router and the standby router.

  Step 4: association 1
      Example: Router(config-ipczone-assoc)# association 1
      Configures an association between the two devices and enters IPC association configuration mode.

  Step 5: protocol sctp
      Example: Router(config-ipczone-assoc)# protocol sctp
      Configures SCTP as the transport protocol and enters SCTP protocol configuration mode.

  Step 6: local-port local-port-number
      Example: Router(config-ipc-protocol-sctp)# local-port 12345
      Defines the local SCTP port number that is used to communicate with the redundant peer and puts you in IPC transport

DMVPN Deployment Models
  [Figure: hub-and-spoke and spoke-to-spoke deployment models, showing hub-and-spoke tunnels and spoke-to-spoke tunnels]

A DMVPN cloud topology can support either a hub-and-spoke or a spoke-to-spoke deployment model. In a hub-and-spoke deployment model, each hub router contains an mGRE interface, and each branch router contains a point-to-point GRE interface. In a spoke-to-spoke deployment model, both the hub router and the branch router contain mGRE interfaces.

A DMVPN cloud is a collection of routers that are configured with either an mGRE interface or a point-to-point GRE interface (or a combination of the two) and that share the same subnet. A DMVPN cloud topology can support two deployment models:

  * Hub-and-spoke: The hub-and-spoke deployment model is the most common deployment model. This model is the most scalable, and predominately mimics traditional Layer 2 leased line, Frame Relay, or ATM hub-and-spoke networks. The hub is configured with an mGRE interface and the branch with a point-to-point GRE interface. In this deployment model, no tunnels connect one branch to another branch. Traffic between branches passes through the hub router.
  * Spoke-to-spoke: The spoke-to-spoke deployment model enables branches to dynamically create tunnels to other branches within the same DMVPN cloud for intercommunication. This deployment model is a fully meshed topology and requires mGRE interfaces to be configured on both the hub and all branches. In a spoke-to-spoke deployment model, all branch-to-branch unicast communication transits through the hub until the dynamic spoke-to-spoke tunnel is created. The dynamic spoke-to-spoke tunnels must be within a single DMVPN cloud or subnet. It is not possible to dynamically create a spoke-to-spoke tunnel between two DMVPN clouds. The spoke-to-spoke deployment model is similar to the hub-and-spoke deployment model, with the exception that all GRE interfaces in the hub and the branch are mGRE interfaces. Branch routers can initiate and accept dynamic tunnels from other branch offices.

The primary DMVPN deployment model is a hub-and-spoke model in which the primary enterprise resources are located in a large central site, with a number of smaller sites or branch offices connected directly to the central site over a VPN. However, in some scenarios, you can use a spoke-to-spoke deployment model to create temporary connections between branch sites directly using IPsec encryption.
Because VPNs are used for secure enterprise communications across a shared public infrastructure, such as the Internet, you must consider two distinct IP address domains:

  * The enterprise addressing space, sometimes referred to as the private or inside addresses
  * The infrastructure addressing space, also referred to as the service provider, public, or outside addresses

In most DMVPN designs, the outside interface of the router is addressed in the infrastructure (or public) address space that is assigned by the service provider. The tunnel interface belongs to the enterprise private network address space.

A branch router public IP address is either a statically defined or a dynamically assigned IP address. For a hub-and-spoke deployment model, both the point-to-point GRE and crypto tunnels are sourced from the public IP address. For a spoke-to-spoke deployment model, the mGRE and crypto tunnels are also sourced from the public IP address. This public IP address is registered with the hub router using NHRP.

DMVPN Example Operation

This subtopic describes the DMVPN operation.

  [Figure: DMVPN example. Hub: physical 172.17.0.1, Tunnel0 10.0.0.1. Spoke B: physical 172.16.2.1, Tunnel0 10.0.0.12.]

The figure illustrates the following DMVPN example:

  1. A PC (192.168.1.25) on the spoke A subnet wants to contact the web server (192.168.2.37) behind spoke B. It sends a packet toward the server.
  2. The spoke A router consults its routing table for a route to the destination network (192.168.2.0) behind spoke B. The routing table provides an IP next hop of 10.0.0.12 via the tunnel0 interface of spoke A.
  3. Spoke A consults its NHRP mapping table for destination 10.0.0.12 and does not find an entry. Therefore, it sends an NHRP query packet to the NHRP server.
  4. The NHRP server at the hub resolves 10.0.0.12 to the corresponding public address on spoke B (172.16.2.1) and sends this response to spoke A.
  5. Spoke A receives the NHRP response and enters it in its NHRP mapping table. This process triggers IPsec to create a tunnel directly to 172.16.2.1. (Spoke A uses the public IP address to establish the IPsec tunnel to spoke B.)
  6. Now that the tunnel has been built to spoke B, spoke A will send unicast data packets to spoke B. Multicast traffic still transits the hub.

Note: So far, the tunnel can pass traffic only in one direction.

  7. The web server receives the packet from the PC and sends its response. This process triggers the same sequence of steps (steps 2, 3, and 4) on spoke B as was just performed on spoke A. After spoke B has the NHRP mapping for spoke A, the response packet can be sent directly to spoke A. The tunnel has already been created.
  8. After a (programmable) timeout period, the NHRP entries age out, triggering IPsec to break down the dynamic spoke-to-spoke tunnel.

The figure shows the resulting routing tables. Please note that the destinations are reachable via interface Tunnel 0.

The figure shows the resulting NHRP tables. Please note the mapping of tunnel addresses to physical interface addresses.

Dual Hub

For high availability DMVPN designs, you can use two hub routers to provide redundancy.
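Before the dual-hub discussion continues, the eight-step spoke-to-spoke exchange above, replayed as an added Python model that is not part of the course material. Spoke B's addresses (Tunnel0 10.0.0.12, physical 172.16.2.1) and the 192.168.1.0/24 and 192.168.2.0/24 subnets are the example's own; spoke A's addresses (Tunnel0 10.0.0.11, physical 172.16.1.1), the routing entries, the 360-second NHRP hold time and the clock are constructed.

```python
"""Spoke-to-spoke DMVPN model: routing lookup, NHRP resolution via the hub,
dynamic IPsec tunnel setup and NHRP ageing. Added example, not Cisco code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

NHRP_HOLD_TIME = 360   # seconds (constructed; matches the SDM default used later)


@dataclass
class Spoke:
    name: str
    tunnel_ip: str                 # address on Tunnel0 (the mGRE overlay)
    public_ip: str                 # physical (NBMA) address registered with the hub
    routes: dict                   # destination prefix -> next hop reachable via Tunnel0
    nhrp_cache: dict = field(default_factory=dict)   # next hop -> (public ip, expiry)


class Hub:
    """The NHRP next-hop server: every spoke registers its tunnel-to-public mapping."""
    def __init__(self):
        self.registrations = {}

    def register(self, spoke: Spoke) -> None:
        self.registrations[spoke.tunnel_ip] = spoke.public_ip

    def resolve(self, tunnel_ip: str):
        return self.registrations.get(tunnel_ip)


class Dmvpn:
    def __init__(self, hub: Hub, *spokes: Spoke):
        self.hub = hub
        self.spokes = {s.name: s for s in spokes}
        for s in spokes:
            hub.register(s)
        self.ipsec_tunnels = set()   # frozenset({public_a, public_b}) per dynamic tunnel

    def forward(self, spoke_name: str, dst_ip: str, now: int, multicast: bool = False) -> dict:
        """Forward one packet from a spoke and report how it was handled."""
        spoke = self.spokes[spoke_name]
        if multicast:
            # Step 6: multicast keeps transiting the hub even once a tunnel exists.
            return {"path": "hub"}
        # Step 2: the routing table supplies a next hop on Tunnel0.
        next_hop = next((nh for prefix, nh in spoke.routes.items()
                         if ip_address(dst_ip) in ip_network(prefix)), None)
        if next_hop is None:
            return {"path": "dropped"}
        # Step 3: consult the NHRP mapping table; a missing or expired entry means a query.
        entry = spoke.nhrp_cache.get(next_hop)
        queried = entry is None or entry[1] <= now
        if queried:
            spoke.nhrp_cache.pop(next_hop, None)
            # Step 4: the NHS at the hub resolves the tunnel address to the public address.
            public = self.hub.resolve(next_hop)
            if public is None:
                return {"path": "hub", "nhrp_query": True}
            # Step 5: the answer is cached for the hold time.
            spoke.nhrp_cache[next_hop] = (public, now + NHRP_HOLD_TIME)
        public = spoke.nhrp_cache[next_hop][0]
        # Step 5/7: a new mapping triggers IPsec to the public address; a tunnel the
        # other spoke already built (step 7) is reused rather than created again.
        pair = frozenset({spoke.public_ip, public})
        new_tunnel = pair not in self.ipsec_tunnels
        self.ipsec_tunnels.add(pair)
        return {"path": "direct", "peer": public, "nhrp_query": queried, "new_tunnel": new_tunnel}

    def expire(self, now: int) -> list:
        """Step 8: age out NHRP entries and tear down tunnels that no entry references."""
        for spoke in self.spokes.values():
            for nh, (_, expiry) in list(spoke.nhrp_cache.items()):
                if expiry <= now:
                    del spoke.nhrp_cache[nh]
        still_needed = {frozenset({s.public_ip, pub}) for s in self.spokes.values()
                        for pub, _ in s.nhrp_cache.values()}
        torn_down = sorted(sorted(t) for t in self.ipsec_tunnels - still_needed)
        self.ipsec_tunnels &= still_needed
        return torn_down


def build_example() -> Dmvpn:
    """Spoke A (192.168.1.0/24 behind it) and spoke B (192.168.2.0/24) from the figure;
    spoke A's own addresses are constructed."""
    spoke_a = Spoke("A", "10.0.0.11", "172.16.1.1", {"192.168.2.0/24": "10.0.0.12"})
    spoke_b = Spoke("B", "10.0.0.12", "172.16.2.1", {"192.168.1.0/24": "10.0.0.11"})
    return Dmvpn(Hub(), spoke_a, spoke_b)


if __name__ == "__main__":
    net = build_example()
    print(net.forward("A", "192.168.2.37", now=0))    # steps 1-6: query, new tunnel
    print(net.forward("B", "192.168.1.25", now=1))    # step 7: query, tunnel reused
    print(net.expire(now=400))                        # step 8: tunnel torn down
```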
High availability is provided using a second hub router, which might be on the same DMVPN network as the primary router. This configuration is commonly referred to as a dual-hub, single-DMVPN cloud topology. If the second hub router services its own DMVPN network as shown in the example, then this is known as a dual-hub, dual-DMVPN cloud topology.

A dual-hub, dual-DMVPN cloud using a hub-and-spoke design has the following characteristics:

  * The network design is dual hub-and-spoke (redundant DMVPN).
  * You must lose both hubs before the spoke is isolated.
  * You can distribute spokes across many hubs.
  * You can configure routing to prefer one hub to the other to provide load distribution. For example, you can alter the tunnel interface bandwidth configuration to influence the Enhanced Interior Gateway Routing Protocol (EIGRP) routing decision.
  * One mGRE tunnel interface is required on each hub router and two mGRE tunnel interfaces on each spoke router.

Dynamic Routing Protocols over DMVPN

This topic describes dynamic routing protocol operations over DMVPN.

Routing Protocols and DMVPNs

Routing protocols usually need additional configuration because the DMVPN cloud is an NBMA network. The following are additional commands you must configure, based on the routing protocol used:

  * EIGRP:
      - no ip next-hop-self eigrp
      - ip hold-time eigrp
      - no ip split-horizon eigrp
      - eigrp stub connected
      - no auto-summary
  * OSPF:
      - ip ospf network broadcast
      - ip ospf hello-interval
      - ip ospf priority
      - area area stub no-summary
  * RIP:
      - no ip split-horizon
      - no auto-

... VPN > VPN > Dynamic Multipoint VPN. From the Create Dynamic Multipoint VPN (DMVPN) tab, click the Create a Hub (Server or Head-End) in a DMVPN option, and then click Launch the Selected Task. The DMVPN Hub wizard appears and explains what you will be configuring. Click Next to start the wizard.

DMVPN Full-Mesh Topology

On the first window of the DMVPN Hub wizard, you must choose one of the following DMVPN network types:

  * Hub and Spoke Network: Select this option if you are configuring the router in a network in which each spoke router has a point-to-point GRE-over-IPsec connection to the DMVPN hub and will send traffic destined for other spokes through the hub. When you select this option, the graphic displays links from the spokes to the hub.
  * Fully Meshed Network: Select this option if you are configuring the router as a spoke that is capable of establishing a direct IPsec tunnel to other spokes in the network. You configure an mGRE tunnel on the spoke to support this functionality. When you select this option, the graphic displays links from the spokes to the hub, and links to each other. The DMVPN Network Topology window lists the Cisco IOS Software images that are required to support a fully-meshed DMVPN network.

After you click the appropriate DMVPN topology, click Next. The Type of Hub window appears.

You can configure DMVPN networks with a single hub or with a primary and a backup hub. If the DMVPN network that you are configuring is going to use a single hub, click Primary Hub. If the DMVPN network that you are configuring is going to use a primary and a backup hub, click the appropriate type for the hub you are currently configuring.

If you are configuring a backup hub for the DMVPN network, you must identify the primary hub by providing its public and private IP addresses. Enter the IP address of the interface on the primary hub that is used for this tunnel. This address should be a static IP address. Obtain this information from the hub administrator.
Multipoint GRE Tunnel Interface Configuration

The mGRE feature is used in a DMVPN network to allow a single GRE tunnel interface on a hub to support an IPsec tunnel to each spoke router, which greatly simplifies the DMVPN configuration. GRE allows routing updates to be sent over IPsec connections.

In the Multipoint GRE Tunnel Interface Configuration window, select the router interface that connects to the Internet. The GRE tunnel originates from this interface. Enter the IP address and subnet mask for the mGRE tunnel interface. This address must be a private address and be in the same subnet as the GRE interfaces of the other routers in the network.

Cisco SDM provides default values for advanced tunnel settings. However, the hub administrator must decide on the tunnel settings and give them to the personnel administering spoke routers so that they can configure matching settings. To configure advanced settings for the tunnel interface, click the Advanced button. From the Advanced Configuration for the Tunnel Interface window, you can configure GRE tunnel parameters. Cisco SDM provides default values, but you must obtain the correct values from the hub administrator and enter them here:

  * NHRP Authentication String: Enter the string that DMVPN hubs and spokes use to authenticate themselves for NHRP transactions. The string can be up to eight characters long. Special characters such as spaces and question marks (?) are not allowed. You must configure all devices in the DMVPN with the same authentication string. The default is DMVPN_NW.
  * NHRP Network ID: Enter the NHRP network ID. The network ID is a globally unique, 32-bit network identifier for an NBMA network. The range is 1 to 4294967295. The default is 100000.
  * NHRP Hold Time: Enter the number of seconds that NHRP network IDs should be advertised as valid. The default is 360.
  * Tunnel Key: Enter the key to use for this tunnel. This key should be the same for all mGRE tunnels in the network. The default is 100000.
  * Bandwidth: Enter the intended bandwidth, in kb/s. Default bandwidth values are set during startup; you can use the show interfaces EXEC command to display the bandwidth values. In DMVPN configurations, 1000 is a typical bandwidth setting. The default is 1000.
  * MTU: Enter the largest amount of data, in bytes, that should be allowed in a packet traveling through the tunnel. The default is 1400.
  * Tunnel Throughput Delay: Set a delay value for an interface, in tens of microseconds. The default is 1000.

Configuring IKE Phase 1 and IPsec

DMVPN peers can use PSKs or digital certificates to authenticate connections from each other. If PSKs are used, each hub router and spoke router in the network must use the same PSK. You should exchange PSKs with the administrator of the remote site through some secure and convenient method, such as an encrypted e-mail message. You cannot use question marks (?) and spaces in the PSK. The PSK can contain a maximum of 128 characters. Choose the appropriate authentication method and click Next.

Note: You configure digital certificates by choosing Configure > VPN > VPN > VPN Components > Public Key Infrastructure from the Cisco SDM home page.

The IKE Proposals window lists all of the IKE policies that have been configured on the router. If no user-defined policies have been configured, the window lists the Cisco SDM default IKE policy. IKE policies govern the way in which devices in a VPN authenticate themselves. Choose the appropriate IKE proposal from the list, or click Add or Edit to create a new IKE proposal or to edit an existing one. Click Next when you are done.

The Transform Set window lists the Cisco SDM default transform sets and the additional transform sets that have been configured on this router. These transform sets are available for use by the DMVPN. A transform set represents a certain combination of security protocols and algorithms. During the IPsec security association (SA) negotiation, the peers agree to use a particular transform set for protecting a particular data flow. A transform describes a particular security protocol with its corresponding algorithms. You can select only one transform set in this window, but you can associate additional transform sets to the DMVPN connection using the DMVPN Edit tabs. Choose the transform set to use from the Select Transform Set drop-down list, and then click Next.

Select Routing Protocol

Use the Select Routing Protocol window to specify how other networks behind your router are advertised to the other routers in the network. Click one of the following:

  * EIGRP
  * OSPF
  * RIP

Note: The DMVPN hub-and-spoke topology does not support RIP, but the DMVPN full-mesh topology does.

Use the Routing Information window to add or edit routing information about networks behind the router that you want to advertise to the other routers in the network. The fields in this window vary according to the routing protocol you specified in the Select Routing Protocol window. If you have already configured the routing protocol that you specified in the Select Routing Protocol window, the networks that were configured to be advertised appear in this
After you finish the DMVPN Hub wizard, you must provide spoke administrators with the following information about the hub:

  * The IP address of the hub router physical interface
  * The IP address of the hub mGRE tunnel interface
  * The routing protocol to use to send routing updates to the DMVPN, and the routing protocol specific parameters such as the autonomous system (AS) number for EIGRP

The Cisco SDM spoke configuration feature enables you to create a text file that contains the information that spoke administrators need about the hub configuration. This feature is available from the Summary window of the DMVPN Hub wizard by clicking the Spoke Configuration button. You also must tell the spoke administrators which subnet mask to use for the mGRE or GRE tunnel interface, and assign each spoke router an IP address from the same subnet as the hub so that address conflicts do not occur.

DMVPN Hub NHRP Configuration

Upon completion of the wizard, the following NHRP-related commands are sent to the DMVPN hub router:

  default interface Tunnel0
  interface Tunnel0
   bandwidth 1000
   delay 1000
   ip nhrp holdtime 360
   ip nhrp network-id 100000
   ip nhrp authentication DMVPN_NW
   ip mtu 1400
   no shutdown
   ip address 10.0.0.1 255.255.255.0
   ip tcp adjust-mss 1360
   no ip split-horizon eigrp 1
   no ip next-hop-self eigrp 1
   ip nhrp map multicast dynamic
   tunnel source Serial0/0/0
   tunnel mode gre multipoint
   tunnel protection ipsec profile SDM_Profile1
   tunnel key 100000

DMVPN Hub IPsec Configuration

The DMVPN Hub wizard also produces the following IPsec commands on the DMVPN hub router (the example in the figure uses PSK for IPsec peer authentication):

  crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
   mode transport
  crypto ipsec profile SDM_Profile1
   set transform-set ESP-3DES-SHA
  crypto isakmp policy 1
   authentication pre-share
   encr 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp key ******** address 0.0.0.0 0.0.0.0

Configuring a DMVPN Spoke

This topic describes how to configure a DMVPN spoke using the DMVPN wizard.

You can use the DMVPN Spoke wizard that is available in Cisco SDM to help you configure your router as a spoke in a DMVPN network. Before starting the configuration, you should ping the hub to be sure that your router can send traffic to it. In addition, before you begin, you should have all of the information about the hub that you need. A hub administrator who uses Cisco SDM to configure the hub can generate a text file that contains the hub information that you will need.

You must obtain the following information before you begin:

  * The IP address of the hub physical interface
  * The IP address of the hub mGRE tunnel interface
  * The IP address and subnet mask for the mGRE or GRE tunnel interface of your spoke, assigned to you by the hub administrator
  * The routing protocol to use, and the protocol-specific parameters, such as the AS number for EIGRP or the area ID for OSPF

To access the DMVPN Spoke wizard, from the Cisco SDM home page, choose Configure > VPN > VPN > Dynamic Multipoint VPN. From the Create Dynamic Multipoint VPN (DMVPN) tab, click the Create a spoke (client) in a DMVPN option and click Launch the Selected Task. The DMVPN Spoke wizard appears and explains what you will be configuring.
Click Next to start the wizard.

Specify Hub Information

On the first window of the DMVPN Spoke wizard, you must choose the type of DMVPN network of which this router will be a part. Click the Hub and Spoke Network option if you are configuring the router in a network in which each spoke router has a point-to-point GRE-over-IPsec connection to the DMVPN hub and will send traffic destined for other spokes through the hub. When you select this option, the graphic displays links from the spokes to the hub. Click the Fully Meshed Network option if you are configuring the router as a spoke that is capable of establishing a direct IPsec tunnel to other spokes in the network. You configure an mGRE tunnel on the spoke to support this functionality. When you select this option, the graphic displays links from the spokes to the hub, and links between the spokes. The DMVPN Network Topology window lists the Cisco IOS Software images that are required to support a fully meshed DMVPN network.

After you click the appropriate DMVPN topology, click Next. The Specify Hub Information window appears. Enter information in the following required fields about the hub device that this spoke router will connect to in the DMVPN:
- IP Address of Hub's Physical Interface: Enter the IP address of the interface on the hub. Obtain this address from the hub administrator. This address is used as the tunnel destination.
- IP Address of Hub's mGRE Tunnel Interface: Enter the IP address of the mGRE tunnel interface on the hub. The mGRE tunnel IP addresses for the hub and spokes must be in the same subnet.

If the DMVPN is configured to use a backup hub, also enter the IP address for the physical interface and mGRE tunnel interface of the backup hub. When you are finished entering the hub information, click Next.
In the Multipoint GRE Tunnel Interface Configuration window, choose the router interface that connects to the Internet. The mGRE or GRE tunnel originates from this interface. Enter the IP address for the mGRE or GRE tunnel interface. This address must be a private address and be in the same subnet as the mGRE interface of the hub routers in the network. Enter the mask for the subnet of the mGRE or GRE tunnel interface. Cisco SDM provides default values for advanced tunnel settings. However, the hub administrator must decide on the tunnel settings and give them to the personnel administering the spoke routers so that they can configure matching settings.

Configuring IKE Phase 1 and IPsec

DMVPN peers can use PSKs or digital certificates to authenticate connections from each other. If PSKs are used, each hub router and spoke router in the network must use the same PSK. You should exchange PSKs with the administrator of the remote site through some secure and convenient method, such as an encrypted e-mail message. You cannot use question marks (?) or spaces in the PSK. The PSK can contain a maximum of 128 characters. Choose the appropriate authentication method and click Next.

Note: You configure digital certificates by choosing Configure > VPN > VPN > VPN Components > Public Key Infrastructure from the Cisco SDM home page.

The IKE Proposals window lists all of the IKE policies that have been configured on the router. If no user-defined policies have been configured, the window lists the Cisco SDM default IKE policy. IKE policies govern the way that devices in a VPN authenticate themselves. Choose the appropriate IKE proposal from the list, or click Add or Edit to create a new IKE proposal or to edit an existing one. Click Next when you are done.

The Transform Set window lists the Cisco SDM default transform sets and the additional transform sets that have been configured on this router.
These transform sets are available for use by the DMVPN. Choose the transform set to use from the Select Transform Set drop-down list and then click Next.

Use the Select Routing Protocol window to specify how other networks behind your router are advertised to the other routers in the network. Click one of the following:
- EIGRP
- OSPF
- RIP

Note: The DMVPN hub-and-spoke topology does not support RIP, but the DMVPN full-mesh topology does.

Use the Routing Information window to add or edit routing information about networks behind the router that you want to advertise to the other routers in the network. The fields in this window vary according to the routing protocol that you specified in the Select Routing Protocol window. If you have already configured the routing protocol that you specified in the Select Routing Protocol window, the networks that were configured to be advertised appear in this list.

On the Summary of the Configuration page, click Finish if the configuration is correct. Otherwise, click Back and make the necessary corrections.

DMVPN Spoke IPsec Configuration

The IPsec configuration is identical on the spokes and the hub. The example in the figure uses PSKs for IPsec peer authentication.
The wizard creates an IPsec configuration on the DMVPN spoke router as follows:

 crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
  mode transport
 crypto ipsec profile SDM_Profile1
  set transform-set ESP-3DES-SHA
 crypto isakmp policy 1
  authentication pre-share
  encr 3des
  hash sha
  group 2
  lifetime 86400
 crypto isakmp key ******** address 0.0.0.0 0.0.0.0

The following is an example of the NHRP configuration that the DMVPN Spoke wizard creates on the spoke router (this configuration varies slightly from the hub router configuration):

 default interface Tunnel0
 interface Tunnel0
  bandwidth 1000
  delay 1000
  ip nhrp holdtime 360
  ip nhrp network-id 100000
  ip nhrp authentication DMVPN_NW
  ip mtu 1400
  no shutdown
  ip address 10.0.0.11 255.255.255.0
  ip tcp adjust-mss 1360
  ip nhrp nhs 10.0.0.2
  ip nhrp map multicast 172.17.0.1
  ip nhrp map 10.0.0. 172.17.0.2
  tunnel source Serial0/0/0
  tunnel mode gre multipoint
  tunnel protection ipsec profile SDM_Profile1
  tunnel key 100000

Editing DMVPN Settings

This topic describes how to edit DMVPN settings using Cisco SDM.

To edit DMVPN settings in Cisco SDM, choose Configure > VPN > VPN > Dynamic Multipoint VPN, and click the Edit Dynamic Multipoint VPN (DMVPN) tab. The window displays the existing DMVPN tunnel configurations. To make changes to an existing tunnel interface, choose the interface from the window, and click Edit. The DMVPN Tunnel Configuration window appears and allows you to make changes to the general, NHRP, and routing configurations of the tunnel interface.
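The hub and spoke tunnel stanzas above only work together when the values the hub administrator hands out (tunnel key, NHRP network ID, NHRP authentication string, tunnel subnet, and the hub's tunnel and physical addresses) are copied exactly. The following is an added example, not Cisco SDM or course code, that parses both stanzas and reports every mismatch, and optionally confirms the spoke's NHRP cache shows the expected hub mapping. The two configurations, the hub NBMA address and the show ip nhrp output are constructed for this example, modelled on the wizard output, with the spoke pointing at hub tunnel address 10.0.0.1 and NBMA address 172.17.0.1.

```python
"""Cross-check a DMVPN spoke tunnel against its hub (added example).

Not Cisco SDM or course code. HUB_CONFIG, SPOKE_CONFIG, HUB_NBMA and
SPOKE_SHOW_IP_NHRP are constructed inputs modelled on the wizard output.
"""
import ipaddress
import re

HUB_CONFIG = """\
interface Tunnel0
 ip nhrp network-id 100000
 ip nhrp authentication DMVPN_NW
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 tunnel source Serial0/0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile SDM_Profile1
 tunnel key 100000
"""

SPOKE_CONFIG = """\
interface Tunnel0
 ip nhrp network-id 100000
 ip nhrp authentication DMVPN_NW
 ip address 10.0.0.11 255.255.255.0
 ip nhrp nhs 10.0.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp map 10.0.0.1 172.17.0.1
 tunnel source Serial0/0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile SDM_Profile1
 tunnel key 100000
"""

HUB_NBMA = "172.17.0.1"  # hub tunnel-source (physical) address, constructed

SPOKE_SHOW_IP_NHRP = """\
10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:21:16, never expire
  Type: static, Flags: authoritative used
  NBMA address: 172.17.0.1
"""


def parse_tunnel(config):
    """Collect the NHRP/mGRE settings from an interface Tunnel stanza."""
    t = {"maps": {}, "nhs": [], "multicast": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            t["addr"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip nhrp network-id (\d+)$", line):
            t["network_id"] = int(m[1])
        elif m := re.match(r"ip nhrp authentication (\S+)$", line):
            t["auth"] = m[1]
        elif m := re.match(r"ip nhrp nhs (\S+)$", line):
            t["nhs"].append(m[1])
        elif m := re.match(r"ip nhrp map multicast (\S+)$", line):
            t["multicast"].append(m[1])
        elif m := re.match(r"ip nhrp map (\S+) (\S+)$", line):
            t["maps"][m[1]] = m[2]
        elif m := re.match(r"tunnel key (\d+)$", line):
            t["key"] = int(m[1])
    return t


def nhrp_cache(show_output):
    """Parse 'show ip nhrp' into {tunnel address: NBMA address}."""
    cache, current = {}, None
    for raw in show_output.splitlines():
        line = raw.strip()
        if m := re.match(r"\d+\.\d+\.\d+\.\d+/\d+ via (\S+),", line):
            current = m[1]
        elif (m := re.match(r"NBMA address: (\S+)", line)) and current:
            cache[current] = m[1]
    return cache


def check_spoke_against_hub(hub_cfg, spoke_cfg, hub_nbma, show_output=None):
    """Return a list of problems; an empty list means the spoke matches."""
    hub, spoke = parse_tunnel(hub_cfg), parse_tunnel(spoke_cfg)
    problems = []
    for field in ("key", "network_id", "auth"):   # must match exactly
        if hub.get(field) != spoke.get(field):
            problems.append(f"{field} mismatch: hub={hub.get(field)} "
                            f"spoke={spoke.get(field)}")
    if hub["addr"].network != spoke["addr"].network:
        problems.append("tunnel addresses are not in the same subnet")
    elif hub["addr"].ip == spoke["addr"].ip:
        problems.append("spoke reuses the hub tunnel address")
    hub_ip = str(hub["addr"].ip)
    if hub_ip not in spoke["nhs"]:
        problems.append(f"spoke does not list hub {hub_ip} as next-hop server")
    if spoke["maps"].get(hub_ip) != hub_nbma:
        problems.append("static NHRP map for the hub does not point at the "
                        "hub NBMA address")
    if hub_nbma not in spoke["multicast"]:
        problems.append("no multicast map to the hub; routing adjacency "
                        "will not form")
    if show_output is not None and nhrp_cache(show_output).get(hub_ip) != hub_nbma:
        problems.append("NHRP cache does not map the hub tunnel address to "
                        "the hub NBMA address")
    return problems
```

Run the check on the text file the hub administrator generates before the spoke goes live; a non-empty list is the list of things to ask the hub administrator about.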
From the Edit Dynamic Multipoint VPN (DMVPN) tab, you can also add a new tunnel interface by clicking the Add button; however, it is easier to add a new interface using the DMVPN wizards. Cisco SDM supports the configuration of a hub-and-spoke DMVPN that uses IPsec profiles to define encryption. You can also use the command-line interface (CLI) to configure crypto maps to define encryption in the DMVPN.

Verifying DMVPN

This topic describes how to verify DMVPN connectivity.

show ip nhrp

The show ip nhrp command displays the NHRP cache and is useful in verifying it. The following is an example of output from this command:

 Spoke#show ip nhrp
 10.0.0.1/32 via 10.0.0.1, Tunnel0 created 01:21:16, never expire
   Type: static, Flags: authoritative used
   NBMA address: 172.17.0.1

Note that the entries in the NHRP cache contain mappings between remote tunnel interface addresses and the remote physical interface IP addresses that are needed to reach the tunnels. In the example output, 10.0.0.1 is mapped to 172.17.0.1.

show ip nhrp traffic

The show ip nhrp traffic command displays NHRP traffic statistics:

 Spoke#show ip nhrp traffic
 Tunnel0
   Sent: Total 170
         0 Resolution Request  0 Resolution Reply  170 Registration Request
         0 Registration Reply  0 Purge Request  0 Purge Reply  0 Error Indication
   Rcvd: Total 24
         0 Resolution Request  0 Resolution Reply  0 Registration Request
         24 Registration Reply  0 Purge Request  0 Purge Reply  0 Error Indication

Summary

This topic summarizes the key points that were discussed in this lesson.
- The Cisco DMVPN feature relies on the following two technologies: NHRP and mGRE.
- Some considerations must be made when running dynamic routing protocols across the DMVPN, because the DMVPN cloud is an NBMA network.
- You should configure the DMVPN hub before the spokes to provide the spoke administrators with the information they need to configure their spoke routers.
- A hub administrator who uses Cisco SDM to configure the hub can generate a text file that contains the hub information that spoke administrators will need.
- DMVPNs that use crypto maps are managed and modified using the CLI.
- You can use the show ip nhrp command to see the NHRP cache.

Lesson 6: Implementing GET VPN

Overview

As network security risks increase and regulatory compliance becomes essential, Cisco Group Encrypted Transport VPN (GET VPN), a next-generation WAN encryption technology, eliminates the need to compromise between network intelligence and data privacy. Additionally, GET VPN helps ensure low latency and low jitter for voice, video, and other latency-sensitive traffic by enabling direct, always-on communication between all sites without traversing a central hub site.
It also reduces the traffic load for multicast traffic across IP Layer 3 virtual private networks (VPNs) by eliminating the broadcast traffic replication that is usually required on IP Security (IPsec) encrypted networks.

Objectives

Upon completing this lesson, you will be able to describe and configure GET VPNs. This ability includes being able to meet these objectives:
- Describe problems that are encountered when scaling tunnel-based VPNs
- Describe GET VPN
- Describe how dynamic routing protocols work over GET VPN
- Describe the security measures that are built into the GET VPN solution
- Describe GET VPN operations
- Configure the GET VPN key server
- Configure GET VPN group members
- Verify GET VPN settings and operation

VPN Limitations

This topic describes problems you might encounter when scaling tunnel-based VPNs.

Network Requirements
- Enterprise WAN technologies of today force a trade-off between QoS-enabled branch interconnectivity and transport security.
- Networked applications such as voice, video, and web-based applications drive the need for instantaneous, branch-interconnected, QoS-enabled WANs.
- The distributed nature of network applications results in increased demands for scalable branch-to-branch interconnectivity.
- Increased network security risks and regulatory compliance have driven the need for WAN transport security.
- Service providers want to deliver security services over WANs, such as MPLS, without compromising their SLAs.

Current network applications, such as voice and video, are accelerating the need for instantaneous, branch-interconnected, and quality of service (QoS)-enabled WANs. In addition, the distributed nature of these applications results in increased demands for scalable branch-to-branch interconnectivity. At the same time, enterprise WAN technologies force businesses to make a trade-off between QoS-enabled branch interconnectivity and transport security.
Service providers are also looking for additional services to sell without risking performance. Security services are extremely attractive as long as they do not compromise existing service level agreements (SLAs). Service providers want to deliver security services on top of WANs, such as Multiprotocol Label Switching (MPLS), without compromising existing SLAs. The IP and MPLS networks of today that support voice, video, and critical data services require highly secured and intelligent networks.

Existing Solutions

[Figure: Existing Solutions. IP VPN (for example, MPLS, Frame Relay, ATM, satellite): single-point provisioning, distributed and hierarchical routing for scalability; no confidentiality, no integrity. Point-to-point IPsec VPN overlay: scalability constraints of point-to-point tunnels and of point-to-point overlay routing or route insertion; traffic forwarding according to a nonoptimal tunnel overlay; provides security (confidentiality, integrity).]

Although MPLS VPNs offer a similar level of security as Frame Relay and Asynchronous Transfer Mode (ATM), there might be additional security requirements for certain applications or network designs. In these situations, you must take additional steps to secure the network periphery without sacrificing network intelligence. Encryption is one of the most popular mechanisms used over public and private IP networks to ensure data security. In recent years, regulatory information privacy standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), PCI, and Basel II mandate encryption for some industries. For example, financial transactions, patient health care, and insurance information must be encrypted regardless of the transport type. Enterprise customers face numerous security challenges based on their network application and connectivity requirements.
Though MPLS VPNs can provide a certain level of security, many critical applications need end-to-end encryption as well. You can use solutions involving Dynamic Multipoint Virtual Private Network (DMVPN) or Cisco Easy VPN to achieve end-to-end encryption, but these are basically an overlay hub-and-spoke model. This model can introduce suboptimal routing even for a fully meshed network using MPLS; setting up a full mesh of connections among all sites results in suboptimal support for multicast traffic and causes scaling limitations as well as provisioning and troubleshooting overhead.

The Resulting Paradox
- IP VPNs are useful for: any-to-any connectivity; hierarchical and scalable routing; efficient multicast distribution; segmentation from the Internet; simplified QoS models.
- IPsec VPNs are useful for: confidentiality; integrity; authentication.

The resulting paradox of existing solutions is that IP VPNs are successful at meeting the connectivity and performance requirements of the modern network but fail to satisfy security demands. IPsec VPNs succeed at meeting the security demands but fail to satisfy the connectivity and performance requirements of modern networks.

GET VPN Overview

This topic describes GET VPN.

Solution: Cisco GET VPN
- Large-scale any-to-any encrypted communications
- Native routing without tunnel overlay (tunnel-free)
- Optimal for QoS and multicast support, which improves application performance
- Transport agnostic
- Available on Cisco Integrated Services Routers, Cisco 7200 Series Routers, and Cisco 7301 Router with Cisco IOS Software Release 12.4(11)T or later

Introduced in Cisco IOS Software Release 12.4(11)T, GET VPN provides connectionless, tunnel-free encryption that leverages the existing routing infrastructure. GET VPN offers simplified encryption for both subscribers and providers.
Although the versatility of GET VPN qualifies it for various MPLS, IP, Frame Relay, and ATM networks, it is an ideal encryption solution for MPLS VPNs that require site-to-site encryption. With the introduction of GET VPN, Cisco now delivers a new category of VPN that eliminates the need for tunnels. By removing the need for point-to-point tunnels, distributed branch networks are able to scale larger while maintaining network intelligence features that are critical to voice and video quality, such as QoS, routing, and multicast. GET VPN offers a new standards-based IPsec security model that is based on the concept of "trusted" group members. Trusted member routers use a common security methodology that is independent of any point-to-point IPsec tunnel relationship.

You can use GET VPN-based networks in a variety of WAN environments, including IP and MPLS. MPLS VPNs that use this encryption technology are highly scalable, manageable, and cost-effective and meet regulatory-mandated encryption requirements. The flexible nature of GET VPN enables security-conscious enterprises to manage their own network security over a service provider WAN service or to offload encryption services to their providers. GET VPN simplifies securing large Layer 2 or MPLS networks that require partial or full-mesh connectivity.

Note: It is recommended that you use hardware acceleration of IPsec whenever IPsec is employed.

Hardware acceleration of IPsec encryption helps ensure that performance requirements are achieved. IPsec acceleration and the GET VPN feature set are supported with the onboard encryption capabilities of the Cisco Integrated Services Routers, the Cisco 7200 Series Routers, and the Cisco 7301 Router with VPN modules.
VPN Accelerators

 Feature              | Platform                                                                                              | Cisco VPN Acceleration
 GET VPN group member | Cisco 870 Router, and Cisco 1800 Series, 2800 Series, and 3800 Series Integrated Services Routers       | On-board IPsec acceleration
                      | Cisco 1841 Integrated Services Router, and Cisco 2800 and 3800 Series Integrated Services Routers     | Cisco AIM-VPN/SSL-1, AIM-VPN/SSL-2, and AIM-VPN/SSL-3 Advanced Integration Modules
                      | Cisco 7200 Series Routers and Cisco 7301 Router                                                       | Cisco VPN Acceleration Module 2+
 GET VPN key server   | Cisco 1841 Integrated Services Router, Cisco 2800 Series and 3800 Series Integrated Services Routers, Cisco 7200 Series Routers, and Cisco 7301 Router | Cisco AIM-VPN/SSL-1, AIM-VPN/SSL-2, and AIM-VPN/SSL-3 Advanced Integration Modules (Cisco Integrated Services Routers); Cisco VPN Acceleration Module 2+ (Cisco 7200 Series Routers and 7301 Router)

Tunnel-Free VPN: Any-to-Any Encryption

 Before: IPsec Tunnels                                    | After: Tunnel-Free VPN
 Scalability is an issue                                  | Scalable architecture for any-to-any connectivity and encryption
 Overlay routing                                          | No overlays; native routing
 Any-to-any instant connectivity cannot be made to scale | Any-to-any instant connectivity
 Limited advanced QoS                                     | Advanced QoS
 Multicast replication is inefficient                     | Efficient multicast replication

Tunnel-based IPsec has scaling issues, which can be a problem for enterprises. Instant any-to-any connectivity is limited, resulting in suboptimal routing because of the tunnel overlay. This suboptimal routing makes QoS difficult and multicast replication inefficient.
By removing the tunnels, the scaling problem is eliminated. By removing the tunnel overlay, all of the problems linked to tunnel-based IPsec (suboptimal routing, problems with QoS and multicast) are gone.

Cisco IOS Software offers several encryption solutions that you can use in conjunction with MPLS or IP networks in which IPsec tunnels are deployed over the existing network. Although widely deployed, tunnel-based encryption solutions include well-known drawbacks. Due to their point-to-point nature, tunnel-based solutions require manual meshing. They also operate with more overhead, requiring increased memory and processing power. Many applications transported over MPLS VPN/IP networks require fully meshed networks. However, full-mesh connectivity that requires manual intervention usually results in a provisioning nightmare. You can ease some of the provisioning by overlaying DMVPNs on an MPLS VPN/IP network. However, deploying DMVPNs on top of an MPLS VPN often introduces suboptimal overlay routing. Additionally, it adds latency in setting up full-mesh connectivity between the spoke sites (because it is primarily suitable for a hub-and-spoke topology) and causes suboptimal support for multicast traffic. The table in the figure compares several features of various IPsec solutions, including Cisco Easy VPN, DMVPN, IPsec over Generic Routing Encapsulation (GRE), and GET VPN.

GET VPN Architecture

This topic describes how GET VPNs work and how routing protocols work over GET VPN.

GET VPN Concepts
- Key distribution mechanism: GDOI (RFC 3547); group keys between peers
- Encrypted control plane
- Routing continuity: no overlay routing; preserves the IP header
- Multicast data protection: encrypts multicast with IP header preservation
- Unicast data protection: encrypts unicast with IP header preservation

GET VPN is an enhanced IPsec solution that supports secure unicast and multicast (the Cisco solution for enabling encryption for "native" multicast packets) and unicast over a private WAN. Secure multicast and GET VPN are based on Group Domain of Interpretation (GDOI) as defined in RFC 3547, The Group Domain of Interpretation. In addition, GET VPN has enhancements to IPsec in the area of header preservation and security association (SA) lookup. Dynamic distribution of IPsec SAs has been added to GET VPN, and the tunnel overlay properties of IPsec have been removed.

With GET VPN, IPsec-protected data packets carry the original source and destination addresses in the outer IP header rather than replacing them with tunnel endpoint addresses. This technique is known as IPsec Tunnel Mode with Address Preservation. Address preservation allows routing to deliver the packets to any router in the network that advertises a route to the destination address. Note that any source and destination address matching the policy for the group is treated in a similar manner. In the situation in which a link between IPsec peers is not available, address preservation also helps combat traffic "black-hole" situations. The header preservation that GET VPN provides also maintains routing continuity throughout the enterprise address space as well as in the WAN.

Note: Host addresses of the network are exposed to the WAN (for MPLS VPN, this applies to the edge of the WAN). For this reason, GET VPN is applicable only for private IP WANs, such as an MPLS, Frame Relay, or ATM network.
In extending GDOI by encrypting and authenticating both multicast and unicast traffic, GET VPN provides benefits to a variety of applications:
- Provides data security and transport authentication, helping to meet security compliance and internal regulation by encrypting all WAN traffic
- Enables high-scale network meshes and eliminates complex peer-to-peer key management with group encryption keys
- Maintains the network intelligence, such as full-mesh connectivity, natural routing path, and QoS for MPLS networks
- Uses a centralized key server to provide easy membership control
- Ensures low latency and low jitter by enabling full-time, direct communications between sites, without requiring transport through a central hub

IPsec Tunnel Mode with IP Header Preservation

A GET VPN-enabled security model uses the existing routing infrastructure rather than the traditional IPsec overlay. Data packets maintain their original IP source and destination addresses. By preserving the original IP header in IPsec packets, GET VPN enables organizations to rely on the existing Layer 3 routing information, thereby addressing multicast replication inefficiencies and improving network performance. Encrypting multicast packets with IP address preservation is necessary to preserve the (S,G) (source, multicast group) information so that the replication of multicast packets in the core can be based on the original (S,G) information.

Key and Policy Distribution
- GCKS: control plane
- Group members/VPN gateways: data plane

GDOI is a standards-based Internet Security Association and Key Management Protocol (ISAKMP) group key management protocol that is designed to provide secure group communications.
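To make the difference between classic tunnel mode and header preservation concrete, the following added example (not course or Cisco code) builds the outer IPv4 header that a VPN gateway prepends to an ESP packet both ways, then runs a longest-prefix lookup against a constructed WAN routing table. With preservation the WAN forwards on the original destination, including a multicast (S,G), so no tunnel to a particular peer is needed. The addresses, the routing table and the opaque ESP body are constructed assumptions; only the IPv4 header handling is real.

```python
"""IPsec tunnel mode with and without IP header preservation (added example).

Not Cisco code. Addresses, WAN_ROUTES and the ESP stand-in body are
constructed for the illustration; the IPv4 header layout and checksum
are the real ones.
"""
import ipaddress
import struct

PROTO_ESP = 50


def ipv4_checksum(header):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    s = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet):
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"proto": f[6], "src": str(ipaddress.IPv4Address(f[8])),
            "dst": str(ipaddress.IPv4Address(f[9]))}


def encapsulate(inner_packet, local_gw, remote_gw, header_preservation):
    """Prepend the ESP tunnel-mode outer header.

    Classic tunnel mode: outer addresses are the two tunnel endpoints.
    GET VPN: outer addresses are copied from the original header, so the
    WAN routes the ciphertext exactly as it routed the cleartext.
    The ESP body is an opaque stand-in for SPI, sequence and ciphertext.
    """
    inner = parse_ipv4(inner_packet)
    src, dst = (inner["src"], inner["dst"]) if header_preservation else (local_gw, remote_gw)
    esp_body = b"\x00" * (len(inner_packet) + 8)
    return build_ipv4(src, dst, PROTO_ESP, len(esp_body)) + esp_body


# Constructed WAN routing table: prefix -> next hop (an MPLS core would
# carry these as customer routes; 192.0.2.0/24 holds the gateway addresses).
WAN_ROUTES = {
    "10.1.0.0/16": "gateway-A",
    "10.2.0.0/16": "gateway-B",
    "224.0.0.0/4": "multicast-core",
    "192.0.2.0/24": "connected",
}


def next_hop(outer_packet):
    """Longest-prefix match of the outer destination against WAN_ROUTES."""
    dst = ipaddress.IPv4Address(parse_ipv4(outer_packet)["dst"])
    best = None
    for prefix, nh in WAN_ROUTES.items():
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None
```

The point to take from running it: the classic packet is only ever routed to the one peer named in the outer header, whereas the preserved packet reaches whichever gateway advertises the destination prefix, and a multicast destination stays visible to the core for replication.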
GET VPN uses GDOI as the group keying mechanism. Group Controller/Key Servers (GCKSs), also known as key servers, and group members are the two key components of the GET VPN architecture. The key server holds and supplies group authentication keys and SAs to group members. Group members provide encryption service to the interesting traffic. A key server distributes keys and policies to all of the registered and authenticated group member routers. By distributing keys and policies from a centralized point and by sharing the same group SA with authenticated group members, key distribution and management are greatly simplified. Communication among a key server and group members is encrypted and secured.

GDOI supports the use of two keys: the Traffic Encrypting Key (TEK) and the Key Encrypting Key (KEK).
- TEK: A key that is used to protect traffic between group members
- KEK: A key that is used to protect rekeys between key servers and group members

The key server distributes the TEK to all of the group members. The group members use the downloaded TEK to communicate securely among the group and to create and verify IPsec packets. The key server also distributes the KEK, which group members use to decrypt the incoming rekey messages from the key server.

Group Key Distribution
- Group keys: KEK (default lifetime of 24 hours); TEK (default lifetime of 1 hour)
- Key distribution methods: Unicast (infrastructure capable of unicast only; requirement for rekey acknowledgement); Multicast (infrastructure capable of multicast; quick key and policy distribution)

Rekey messages refresh the IPsec SAs on the group members. When the IPsec SAs or the rekey lifetime are about to expire, a single rekey message for a particular group is generated on the key server. No new Internet Key Exchange (IKE) sessions are created for the rekey message distribution. The key server distributes the rekey messages over the existing IKE SAs.
Rekeying can use multicast or unicast messages. Secure multicast uses multicast rekeying only. GET VPN supports both unicast and multicast rekeying. If any part of the enterprise network is not multicast-capable, because of either the core or the enterprise itself, it is recommended that you use the unicast transport mechanism to distribute rekeys to all group members. The key server sends a separate rekey to every group member, and the group member must respond to the key server with an acknowledgement. The key server retransmits rekeys if it does not receive the acknowledgement from the group member. If the key server does not hear an acknowledgement from a group member after three rekeys, it removes the group member. The key server maintains all of the registered group members in its database and tracks the number of rekeys that are sent and acknowledged per group member. This information helps troubleshoot any issues with a specific group member.

The following are some general guidelines for rekeying:
- If most of the group members are capable of unicast, then use unicast rekeying.
- If most of the group members are capable of multicast, then use multicast rekeying, and the group members that support only unicast will reregister.
- The suggested KEK time is 24 hours.
- The suggested TEK time is one or more hours.

Group Policy Considerations
- What may already be protected? Management plane: SSH, TACACS+, HTTPS
- What should not be protected with group security? Control plane: IKE and GDOI; routing exchanges (OSPF, BGP)
- What needs to be protected with group security? Data plane: enterprise transactions; enterprise multicast streams
- What might need to be protected with group security?
  Data plane: Internet transactions; diagnostics (LAN-LAN, WAN-WAN, WAN-LAN)

When you are considering what to include in the encryption policy, it is useful to identify different classes of traffic. The following is an example of one way to classify the traffic:
- Already Protected: If management protocols, such as Secure Shell (SSH) and HTTPS, are being used, it is not necessary to double-encrypt them.
- Should Not Be Protected: Control plane data, such as IKE or routing protocol exchanges (Open Shortest Path First [OSPF] and Border Gateway Protocol [BGP]), should not be protected. Also included in this list is GDOI traffic, which is sufficiently protected by the GDOI protocol.
- Needs Protection: Each enterprise will have a different response for what data must be protected, but it usually includes the bulk of data, both unicast and multicast, between offices.
- Might Need Protection: Examples of such traffic might be Internet traffic or diagnostic traffic that might be needed to troubleshoot problems with the GET VPN.

GET VPN Security

This topic describes the security measures that are built into the GET VPN solution.

GDOI Security Properties
- The GDOI registration protocol has the following properties: authentication (X.509 certificates or PSKs); authorization (ACLs or identity lists); confidentiality (3DES or AES); antireplay (cookies, message ID, nonces, hashes)
- The GDOI rekey protocol has the following properties: authentication (digital signature); confidentiality (3DES or AES); antireplay (cookies and sequence number)

The GDOI registration protocol supports authentication, authorization, confidentiality, and antireplay, each with a choice of methods. Group members register with a key server to get the initial key. The GDOI rekey protocol also has authentication, confidentiality, and antireplay properties.
Group members receive GDOI rekey messages containing the replacement keys before the current keys expire. If a group member misses the rekey event from the key server, it reregisters with the key server before the current keys expire.

Note: An identity list is a collection of methods by which IPsec peers identify themselves. Examples of methods include IP address, hostname, or key ID.

GET VPN IPsec Properties
- Packet confidentiality: strong encryption ciphers (AES is preferred)
- Packet integrity: strong hashed message authentication codes (HMAC-SHA or HMAC-MD5)
- Antireplay protection: time-based replay protection method developed at Cisco

GET VPN has all of the security benefits that IPsec and its security services provide. These security properties include confidentiality (such as AES [Advanced Encryption Standard]), integrity (such as Hashed Message Authentication Code-Secure Hash Algorithm [HMAC-SHA] or Hashed Message Authentication Code-Message Digest 5 [HMAC-MD5]), and a Cisco proprietary time-based (instead of sequence number-based) antireplay protection mechanism.

Cryptographic Algorithm Considerations
- Cipher keys have theoretical lifetimes: AES keys should be used to encrypt no more than 2^64 bytes; 3DES keys should be used to encrypt no more than 2^32 bytes.
- These limitations apply to the aggregate usage of the key across all encryption devices. For example, if 500 VPN gateways are connected to a T1 and 2 VPN gateways are connected to an OC-3: AES lifetime = 64,446 years; 3DES lifetime = 237 secs.
- Use AES when possible.

On average, a brute-force attack succeeds halfway through the keyspace. Therefore, it is recommended that you use AES keys for a maximum of 2^64 bytes of data. It is also recommended that you do not use more than 2^32 bytes of data with any set of Triple Data Encryption Standard (3DES) keys.
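Because every group member encrypts under the same TEK, the byte count that matters is the sum over all gateways, and the practical question is whether the configured TEK lifetime (one hour by default) rotates the key before that aggregate reaches the cipher's limit. The following added example, not Cisco's calculator, carries that check through. It assumes nominal line rates (T1 1.544 Mb/s, OC-3 155.52 Mb/s) and every link saturated in one direction; the slide's own figures rest on Cisco's assumptions, which the lesson does not state, so the numbers differ, but the conclusion is the same: at this aggregate a 3DES key is exhausted well inside the one-hour default, while AES is effectively unbounded.

```python
"""Theoretical TEK lifetime for a GET VPN group (added example, not Cisco's).

Assumptions: per-key byte limits from the lesson (AES 2^64, 3DES 2^32),
nominal line rates, links saturated in one direction, and the default
TEK lifetime of one hour.
"""
LINK_RATE_BPS = {"T1": 1_544_000, "OC-3": 155_520_000}   # nominal rates (assumption)
KEY_BYTE_LIMIT = {"aes": 2 ** 64, "3des": 2 ** 32}
DEFAULT_TEK_LIFETIME_S = 3600
SECONDS_PER_YEAR = 365.25 * 86400


def aggregate_bytes_per_second(gateways):
    """gateways maps link type -> number of gateways attached by that link."""
    return sum(LINK_RATE_BPS[link] * n for link, n in gateways.items()) / 8


def key_lifetime_seconds(cipher, gateways):
    """Seconds until the whole group has pushed the cipher's byte limit through one TEK."""
    return KEY_BYTE_LIMIT[cipher] / aggregate_bytes_per_second(gateways)


def tek_lifetime_is_safe(cipher, gateways, tek_lifetime_s=DEFAULT_TEK_LIFETIME_S):
    """True when the key server rotates the TEK before the byte limit can be reached."""
    return tek_lifetime_s <= key_lifetime_seconds(cipher, gateways)


def max_safe_tek_lifetime(cipher, gateways):
    """Largest whole-second TEK lifetime that stays within the byte limit."""
    return int(key_lifetime_seconds(cipher, gateways))


def lifetime_report(gateways):
    """Per-cipher summary for the slide's example group of 500 T1 and 2 OC-3 sites."""
    return {c: {"seconds": key_lifetime_seconds(c, gateways),
                "years": key_lifetime_seconds(c, gateways) / SECONDS_PER_YEAR,
                "default_tek_ok": tek_lifetime_is_safe(c, gateways)}
            for c in KEY_BYTE_LIMIT}
```

Feed it the actual mix of access links in the group before choosing a transform set; if `tek_lifetime_is_safe` is false for the cipher you planned to use, either shorten the TEK lifetime on the key server or, as the slide says, use AES.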
In calculating these data volumes with GET VPN, you must include the aggregate of all data generated from all sources, because all group members encrypt with the same group key. In a large GET VPN, this volume of data can be reached more quickly than with a tunnel-based VPN. For example, if 500 VPN gateways are connected to a T1 and 2 VPN gateways are connected to an Optical Carrier 3 (OC-3), it might be necessary to change 3DES keys every 4 minutes. In the same situation, AES keys should be good for more than 64,000 years.

Note: For more information on recommended encryption practices with GET VPN, go to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/white_paper_c11-471053.html

GET VPN Operations

This topic describes how the GET VPN solution operates.

Step 1—VPN Gateways Register
* The key server authenticates and authorizes group members.
* The key server returns a set of keys, IPsec SAs, and policies for the group members to use.

The key server, upon receiving registration messages from a group member, generates the information that contains the rekey policy (one KEK) and the new IPsec SAs (multiple TEK attributes, traffic encryption policy, lifetime, source and destination information about the traffic that must be protected, and the security parameter index [SPI]-ID that is associated with each TEK). The new IPsec SA is then sent to the group member. The key server maintains a table that contains the IP address of each group member per group. When a group member registers, the key server adds the new IP address to its associated group table, allowing the key server to monitor all active group members.

Note: Key servers and group members can support multiple groups.

* Group members exchange encrypted traffic using the group keys.
* The routers use the "header preservation" tunnel mode.

The sender (multicast group source) does not know who the potential recipients are. When using Protocol Independent Multicast sparse mode (PIM-SM), the multicast router sends the multicast data packets to the rendezvous point (RP). The RP maintains a list of the multicast group recipients.

With GET VPN, in the data plane for secure multicast, the sender assumes that the legitimate group members obtain a TEK from the group key server. The group member encrypts the multicast data packet—with header preservation—and the data is switched out of the router. The replication of the multicast packet is performed in the core, based on the source and multicast group IP address (S,G), which is retained in the multicast data packet.

The secure data plane unicast is a corollary of the multicast example. In the secure data plane, the receiver does not know who the potential encryption sources are. The receivers assume that legitimate group members obtained a TEK from the group key server. The receiver authenticates the group membership when it is able to decrypt the data packet.

Step 3—Key Server Rekeys the Group
* The key server pushes out the replacement IPsec keys before the current keys expire.
* Rekey messages are sent using UDP, but are sent several times to protect against packet loss.
* If a VPN gateway (group member) misses a rekey event entirely, it will reregister with the key server before the current keys expire.
When it is time for the key server to send out multicast rekeys to the group members, it sends out a single multicast rekey packet to the core, and the core does the replication for all of the group members. Because no acknowledgement is sent by the group member when using multicast rekeying, it is recommended that the rekeys be retransmitted an additional two or three times during every rekey period.

Using multicast transport is efficient and highly recommended for a larger network because it uses the multicast replication that is provided by the core. In turn, it reduces the load on the key server to process the rekey messages for each group member and the acknowledgements received from every group member. Moreover, the group member does not send any acknowledgements, as required in the unicast transport mechanism.

Note: To use multicast transport, the entire network must be multicast-capable, including the MPLS/IP core. That is, Multicast VPN (MVPN) is required in the MPLS core.

When you use unicast rekeying with many group members, the key server generates rekey messages for only a few group members at a time and ensures that all group members receive the rekey messages for the new SA before the old SA expires. This process helps reduce latency issues. In addition, when a unicast group member receives the rekey message from the key server, it sends an encrypted acknowledgment (ACK) message to the key server using the keys received as part of the rekey message. When the key server receives this ACK message, it notes it in the associated group table. This process keeps the list of active group members current and ensures that the key server is sending rekey messages only to active members.
Note: If the network is large, it poses a load on the key server to send unicast rekey messages and process all of the acknowledgements received from every group member.

The number of retransmit attempts and the retransmit interval are user-configurable. By default, if the key server does not receive an acknowledgement for three consecutive rekeys from a group member, the key server stops sending the rekey messages and removes the group member from its active list. The group member must fully reregister with the key server after its current SA expires if it is still interested in receiving the rekey messages. If the group member does not receive the rekey before a TEK expires, the group member reregisters with the key server before the current IPsec SA expires.

Note: If the network is large and a small part of the network is not multicast-capable, the customer can still use the multicast transport mechanism for rekeying. This method for rekeying causes the small set of unicast group members to reregister, but it poses less load on the key server compared with the load that the key server has if the entire network is using the unicast transport. Each unicast group member that is forced to reregister will do so before the current group key expires, which avoids any loss of data traffic.

It is essential for group members to synchronize the removal of old SAs and the installation of new SAs. When new SAs are received through rekey messages, outgoing packets are still encrypted using the old SAs, but incoming packets are decrypted using both old and new SAs for a period of time. After a specified time (T1), outgoing packets are encrypted using new SAs, and incoming packets are still decrypted using both old and new SAs for a period. Finally, at the next time interval (T2), old SAs are completely removed and new SAs encrypt and decrypt the traffic. T1 and T2 are set internally to 30 seconds.
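The T1/T2 rollover just described, as an added Python simulation (not from the course or from Cisco): it models one member's encrypt and decrypt SA sets over time, then drives two members whose rekey messages arrive at different moments to show how much arrival skew the hold-down tolerates before traffic is lost. It assumes T2 is counted from the end of T1 and that a member holds only the old SA until its own rekey arrives.

```python
"""Rekey rollover timing between GET VPN group members (added example).

Models the two-interval transition: after a member receives the new SA it
keeps encrypting with the old SA for T1 seconds while accepting both SAs on
receipt, then encrypts with the new SA, and after a further T2 seconds drops
the old SA. Assumption: T2 is counted from the end of T1, and a member that
has not yet received the rekey holds only the old SA.
"""

T1 = 30  # seconds: keep encrypting with the old SA after the rekey arrives
T2 = 30  # seconds: keep decrypting with the old SA after switching to the new one


def sa_state(elapsed_since_rekey, t1=T1, t2=T2):
    """Return (encrypt_with, decrypt_with) for one member.

    elapsed_since_rekey < 0 means the rekey has not yet arrived at this member.
    """
    if elapsed_since_rekey < 0:
        return "old", {"old"}
    if elapsed_since_rekey < t1:
        return "old", {"old", "new"}
    if elapsed_since_rekey < t1 + t2:
        return "new", {"old", "new"}
    return "new", {"new"}


def packet_decryptable(sender_rekey_at, receiver_rekey_at, send_time):
    """True if a packet sent at send_time by one member is readable by another."""
    encrypt_with, _ = sa_state(send_time - sender_rekey_at)
    _, decrypt_with = sa_state(send_time - receiver_rekey_at)
    return encrypt_with in decrypt_with


def first_undecryptable_second(skew, horizon=200):
    """Simulate two members whose rekey arrival differs by `skew` seconds.

    Member A receives the rekey at t=0 and member B at t=skew. Packets flow in
    both directions once per second; returns the first second at which either
    direction fails to decrypt, or None if the rollover is seamless.
    """
    a_rekey, b_rekey = 0, skew
    for t in range(horizon):
        if not packet_decryptable(a_rekey, b_rekey, t):
            return t
        if not packet_decryptable(b_rekey, a_rekey, t):
            return t
    return None


if __name__ == "__main__":
    # Skew up to T1 is absorbed; beyond it the early member switches to the
    # new SA before the late member can decrypt it, which is why the key
    # server retransmits the rekey several times within the hold-down window.
    for skew in (0, 10, 29, 30, 31, 45):
        fail = first_undecryptable_second(skew)
        print(f"skew {skew:>2}s: "
              + ("seamless" if fail is None else f"loss starts at t={fail}s"))
```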
Cooperative Key Servers
* Up to eight key servers can work together to deliver keys to the VPN gateways.
* Key servers bootstrap into the secondary role and elect one of themselves to the primary role using the Cooperative Key Server Protocol.
* The primary key server creates keys and pushes them to its peer(s) for redundancy.

Multiple key servers (known as cooperative key servers) can work together to deliver keys and policies to the group members. The key servers elect one of the servers to be the primary key server. The primary key server creates keys and pushes them to the peers. Each group member registers with one of the key servers. All group members can now exchange encrypted traffic as part of the same VPN. The primary key server distributes the rekey to all group members.

Cooperative key servers in GET VPN can synchronize the policies and keys that are distributed by several cooperating key servers that are deployed in the network. You can configure a maximum of eight key servers. Only one key server can act as the primary, which coordinates the actions of the group. You can place the key servers anywhere within the enterprise network if they are reachable. There are two reasons to configure multiple key servers: so that the group member can register with the nearest key server, and for key server redundancy.

Note: Rekey configuration, the defined policies, and antireplay configurations must be identical in all key servers.
When you are bringing the network up for the first time, it is recommended that you enable the cooperative key servers first. After the primary and secondary key servers are running with the policies and the group keys synchronized, you can configure the selected group members with primary and secondary key servers for further registrations.

For a network that has multiple standalone key servers, enabling cooperative key servers is treated as a network merge, and the newly elected primary key server sends out rekeys to all group members.

When you add a new key server and a set of new group members to the existing network, it is recommended that you bring up the cooperative key servers first, and then configure group members with their respective key servers for registrations.

Cooperative key servers exchange one-way announcement messages, process and store the data contents of protocol messages, and update their view of the group state. Announcement messages include the following components to help maintain current state information:

* Sender Priority (identity of a key server): This value describes the priority of the sender, which is configurable via the command-line interface (CLI). The key server with the highest priority becomes the primary key server. If the priority values are the same, the key server with the highest IP address becomes the primary key server.
* Maintaining the sender role: During the synchronization period, if the key servers are at geographically dispersed locations, they might suffer a network-partitioning event, and it is possible that more than one key server will become primary for a period of time. When the network heals and all of the key servers find each other, they exchange role information, which enables the key servers to attain their proper role.
* Request for a return packet flag: All messages are defined as one-way messages.
When needed, a key server can request state information from a peer to find out its role, or request the current state of the group, or both.
* Group state: This is the actual IPsec SAs and keys that are current for the group.

When messages (announcements) have not been heard from the primary key server for a certain length of time, the Primary Periodic Timer is activated. At this stage, a secondary key server is in Send Announcement state, requesting a return packet from the primary key server. If the primary key server does not respond or if the secondary key server does not hear back from the primary key server, the Dead Primary Timer begins. A re-evaluation role timer could be set at this point, when a key server is moving to the primary key server state.

Cooperative Key Servers (Cont.)
* Each VPN gateway is configured with multiple key servers for redundancy.
* The routers will attempt to register with the first key server on the list. If it is not reachable, they will register with the next one.

Redundancy is important to overcome a single point of failure in the network. Cooperative key servers help assure high availability and fast recovery if the primary key server fails. From the group member perspective, the group member tries to register with the first key server listed in the configuration. If the first key server listed is not reachable, the group member then tries to reach the next key server listed in its configuration. The group member keeps trying this process until it successfully registers with one of the key servers. However, only the primary key server sends further rekeys to the entire network.

Cooperative key servers also support load balancing. Each key server is active. The primary key server is responsible for creating and distributing the group policy.
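The primary election rule (highest priority, then highest IP address) and the group member's ordered key-server list, as one added Python example that is not code from the course or from Cisco. The server addresses and priorities are constructed for the example; it also models a partitioning event and its healing, and compares addresses numerically, which the "highest IP address" tie-break requires.

```python
"""Cooperative key server election and group-member registration order
(added example, not Cisco code).

Election rule from the text: the key server with the highest configured
priority becomes primary; on a tie, the highest IP address wins. Addresses
are compared numerically, not as strings ("10.9.1.1" sorts above "10.10.1.1"
as text but below it as an address).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyServer:
    address: str
    priority: int
    reachable: bool = True  # whether group members can currently reach it


def elect_primary(servers):
    """Return the key server the cooperative protocol would make primary.

    Only servers that can hear each other (one partition) take part; pass
    each partition separately to model a network split.
    """
    if not servers:
        raise ValueError("no key servers in this partition")
    if len(servers) > 8:
        raise ValueError("GET VPN supports at most eight cooperative key servers")
    return max(servers,
               key=lambda ks: (ks.priority, int(ipaddress.ip_address(ks.address))))


def register(group_member_ks_list):
    """Walk the group member's configured key-server list in order.

    Returns the first reachable key server, mirroring the group member
    behaviour described above; raises if none is reachable.
    """
    for ks in group_member_ks_list:
        if ks.reachable:
            return ks
    raise RuntimeError("no configured key server reachable; registration fails")


def partition_and_heal(partitions):
    """Model a partitioning event: every partition elects its own primary
    while split, and a single primary remains once the partitions rejoin."""
    during_split = [elect_primary(p) for p in partitions]
    after_heal = elect_primary([ks for p in partitions for ks in p])
    return during_split, after_heal


# Constructed sample deployment (not from the course): three servers tie on
# priority, so the numerically highest address must win.
KS_A = KeyServer("10.1.1.1", priority=100)
KS_B = KeyServer("10.9.1.1", priority=100)
KS_C = KeyServer("10.10.1.1", priority=100)
KS_D = KeyServer("10.2.2.2", priority=50, reachable=False)

if __name__ == "__main__":
    print("elected primary:", elect_primary([KS_A, KS_B, KS_C, KS_D]).address)
    split, healed = partition_and_heal([[KS_A, KS_D], [KS_B, KS_C]])
    print("primaries during split:", [ks.address for ks in split])
    print("primary after heal:", healed.address)
    print("group member registers with:", register([KS_D, KS_A, KS_B]).address)
```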
One liveliness timer is used with the primary key server to keep group synchronization. This timer helps maintain a steady state during the time when the primary key server becomes unavailable and a new primary key server takes over. When a new policy is created on the primary key server, regardless of which key server a group member might be registered with, it is the responsibility of the primary key server to distribute the rekey messages to group members.

Cooperative Key Servers (Cont.)
* If the primary server becomes unavailable, another key server

Programs > Cisco Systems VPN Client > Uninstall Client

Task 2: Create a New Client Connection Entry

To use the Cisco VPN Client, you must create at least one connection entry that includes the following information:
* VPN device details: Device details include information about the Cisco Easy VPN Server that this client will access, including name and IP address.
* PSK: The PSK is the name of the IPsec group to which the system administrator assigned you. Your group determines how you access and use the remote network. For example, it specifies access hours, number of simultaneous logins, user authentication method, and the IPsec algorithms that your Cisco VPN Client uses.
* Certificates: This information provides the name of the digital certificate that you are using for authentication.
* Optional parameters: Optional parameters govern Cisco VPN Client operation and the connection to the remote network.

You can create multiple connection entries if you use your Cisco VPN Client to connect to multiple networks (though not simultaneously) or if you belong to more than one VPN remote access group.
To create a new connection entry, start the Cisco VPN Client by choosing Start > Programs > Cisco Systems VPN Client > VPN Client, and follow these steps:

Step 1 The Cisco VPN Client application starts and displays the advanced mode main window. If this is not the case and the simple mode window is displayed instead, choose Options > Advanced Mode, or press Ctrl-M.
Step 2 Click the New icon in the toolbar. Alternatively, choose Connection Entries > New. The VPN Client Create New VPN Connection Entry window appears.
Step 3 Enter a unique name for this new connection in the Connection Entry field. You can use any name to identify this connection—for example, Engineering. This name can contain spaces and is not case-sensitive.
Step 4 Enter a description of this connection in the Description field. This field is optional, but it helps further identify this connection—for example, Connection to Engineering remote server.
Step 5 Enter the hostname or IP address of the remote VPN device that you want to access in the Host field.
Step 6 Click the Save button to save the connection entry.

Task 3: Configure Client Authentication Properties
Authentication options:
* Group (pre-shared secrets: group name and group password)
* Mutual group authentication (works with deprecated VPN concentrator)
* Digital certificates (enroll with the CA first)

On the Authentication tab, enter the information for the method that you want to use. You can connect as part of a group (configured on a VPN device) or by supplying an identity digital certificate.

Group authentication is a method that uses PSKs for mutual authentication. With this method, the Cisco VPN Client and the VPN central-site device use a group name and password to validate the connection.
This is a symmetrical form of authentication because both sides use the same authentication method during their negotiations. Pre-shared authentication occurs in two stages. During the first stage, the two sides exchange security parameters and create a secure channel. During the second stage, user authentication takes place. The VPN central-site device asks for a username and password to verify that the remote user is a legitimate member of a group that is configured on the VPN central-site device.

The network administrator usually configures group authentication for you. If this is not the case, complete this procedure:

Step 1 Click the Group Authentication radio button.
Step 2 In the Name field, enter the name of the IPsec group to which you belong. This entry is case-sensitive.
Step 3 In the Password field, enter the password (which is also case-sensitive) for your IPsec group. The field displays only asterisks.
Step 4 Verify your password by entering it again in the Confirm Password field.

Task 4: Configure Transparent Tunneling
* Transparent tunneling is on by default.
* NAT-T enables IPsec and IKE Phase 1 over standard UDP port 4500, allowing the VPN client to work behind a NAT or PAT device.

Next, configure transparent tunneling, if needed, by completing the fields on the Transport tab. Transparent tunneling allows secure transmission between the Cisco VPN Client and a secure gateway through a router serving as a firewall, which might also be performing NAT or PAT. Transparent tunneling encapsulates Protocol 50 (ESP) traffic within User Datagram Protocol (UDP) packets and can allow both ISAKMP and Protocol 50 to be encapsulated in TCP packets before they are sent through the NAT or PAT devices or firewalls. The most common application for transparent tunneling is behind a home router performing PAT.
The Cisco VPN Client also frequently sends keepalives to ensure that the mappings on the devices are kept active.

Not all devices support multiple simultaneous connections. Some devices cannot map additional sessions to unique source ports. Be sure to check with the vendor of your device to verify whether this limitation exists. Some vendors support Protocol 50 PAT (IPsec pass-through), which might let you operate without enabling transparent tunneling.

To use transparent tunneling, you must configure the central-site group in the Cisco VPN device to support it.

IPsec over UDP (NAT/PAT)
Click the IPsec over UDP (NAT/PAT) radio button to enable IPsec over UDP (NAT or PAT). With UDP, the port number is negotiated. UDP is the default mode.

IPsec over TCP
To enable IPsec over TCP, click the IPsec over TCP radio button. When using TCP, you must also enter the port number for TCP in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10,000.

Allow Local LAN Access
In a multiple-network interface card (NIC) configuration, local LAN access pertains only to network traffic on the interface on which the tunnel was established. The Allow Local LAN Access parameter gives you access to the resources on your local LAN (printer, fax, shared files, or other systems) when you are connected through a secure gateway to a central-site VPN device. When this parameter is enabled and your central site is configured to permit it, you can access local resources while connected. When this parameter is disabled, all traffic from your client system goes through the IPsec connection to the secure gateway.

To enable this feature, check the Allow Local LAN Access check box; to disable it, uncheck the check box. If the local LAN you are using is not secure, you should disable this feature.
For example, you would disable this feature if you were using a local LAN in a hotel or an airport.

A network administrator at the central site configures a list of networks at the client side that you can access. You can access up to 10 networks when this feature is enabled. When the Allow Local LAN Access feature is enabled and you are connected to a central site, all traffic from your system goes through the IPsec tunnel except traffic to the networks that are excluded from doing so (the networks in the network list).

When you enable and configure this feature on the Cisco VPN Client and the central-site VPN device permits it, you can see a list of the local LANs available by looking at the routing table.

Task 5: Enable and Add Backup Servers
List backup VPN servers to be used in case the primary VPN server is not reachable.

The private network might include one or more backup VPN servers to use if the primary server is not available. Your system administrator tells you whether to enable backup servers. Information on backup servers can download automatically from the Cisco Easy VPN Server, or you can manually enter this information.

To enable backup servers from the Cisco VPN Client, click the Backup Servers tab, and follow these steps:

Step 1 Check the Enable Backup Servers check box. This box is not checked by default.
Step 2 Click Add to enter the backup server address.
Step 3 Enter the hostname or IP address of the backup server, using a maximum of 255 characters.

To add more backup devices, repeat these three steps.

Task 6: Configure Connection to the Internet Through Dial-Up Networking
Optionally, tie a VPN connection to a dial-up connection defined in the Networking section of Windows.
The final task is configuring the dial-up connection to the Internet, if needed. To connect to a private network using a dial-up connection, follow these steps:

Step 1 Use a dial-up connection to your ISP to connect to the Internet.
Step 2 Use the Cisco VPN Client to connect to the private network through the Internet.

To enable and configure this feature, check the Connect to Internet via Dial-Up check box. This box is not checked by default.

You can connect to the Internet using the Cisco VPN Client application in either of the following ways:
* Microsoft Dial-Up Networking
* Third-party dial-up application

Routing Table

The Statistics window provides information about tunnel details, routing table, and personal firewall statistics from the Cisco VPN Client main window. From the Statistics window, you can view the following information:
* Tunnel details
* Route details
* Firewall information

To see the route details, click the Route Details tab. The route details window shows local LAN routes that do not traverse the IPsec tunnel and secured routes that do traverse the IPsec tunnel to a central-site device. The routes in the Local LAN Routes column are for locally available resources. This screen is also useful for examining which routes are protected by IPsec when split tunneling is enabled.

Note: In a multiple-NIC configuration, this feature works on only one NIC—the NIC that is used for the tunnel.

Configuring Cisco Easy VPN Remote

This topic describes how to configure Cisco Easy VPN Remote using Cisco SDM.

Starting the Cisco Easy VPN Remote Wizard
Cisco SDM enables you to configure your router as a client to a Cisco Easy VPN Server.
Your router must be running a Cisco IOS Software image that supports Cisco Easy VPN Phase II or later. To be able to complete the configuration, you must have the following information ready:
* The IP address or hostname of the Cisco Easy VPN Server
* The IPsec group name
* PSK

This wizard guides you through the configuration of a Cisco Easy VPN Remote Phase II client.

Note: If the router is not running a Cisco IOS image that supports Cisco Easy VPN Remote Phase II or later, you cannot configure a Cisco Easy VPN Remote client.

To start the Primary Easy VPN Remote wizard, from the Cisco SDM home page choose Configure > VPN > VPN > Easy VPN Remote, and click the Create Easy VPN Remote tab. From this tab, click the Launch Easy VPN Remote Wizard button. The first window of the Primary Easy VPN Remote wizard provides information about what the wizard will create and what information you will need to successfully complete the wizard. After you have read this window, click Next to begin the wizard.

The first configuration window that appears is the Server Information window. The information you enter in this window identifies the Cisco Easy VPN tunnel, the Cisco Easy VPN Server or concentrator to which the router will connect, and the way you want traffic to be routed in the VPN. Enter the following information in this window:
* Connection Name: Enter the name that you want to give to this Cisco Easy VPN connection. The name must be unique among Cisco Easy VPN tunnel names for this router and must not contain spaces or special characters such as question marks (?).
* Easy VPN Servers: In this section, you enter information about a primary (required) and a secondary (optional) Cisco Easy VPN Server.
  - Easy VPN Server 1: Enter the IP address or the hostname of the primary Cisco Easy VPN Server or concentrator to which the router will connect.
If you enter a hostname, there must be a DNS server on the network that can resolve the hostname to the correct IP address for the peer device.
  - Easy VPN Server 2: The Easy VPN Server 2 field appears only if the Cisco IOS image on the router supports Cisco Easy VPN Remote Phase III. Enter the IP address or the hostname of the secondary Cisco Easy VPN Server or concentrator to which the router will connect. If you enter a hostname, there must be a DNS server on the network that can resolve the hostname to the correct IP address for the peer device.
* Mode of Operation: There are two options for the mode of operation:
  - Client: Choose this option if you want the PCs and other devices on inside networks of the router to form a private network with private IP addresses. Devices that are outside of the LAN will not be able to ping devices on the LAN or reach them directly.
  - Network Extension: Choose this option if you want the devices that are connected to the inside interfaces to have IP addresses that are routable and reachable by the destination network. The devices at both ends of the connection will form one logical network. PAT is automatically disabled, allowing the PCs and hosts at both ends of the connection to have direct access to one another. If you choose Network Extension, you can enable remote management of the router by checking the check box to request a server-assigned IP address for your router. This IP address can be used for connecting to your router for remote management and troubleshooting (ping, Telnet, and SSH). This mode is known as Network Extension Plus.

Note: If the router is not running a Cisco IOS image that supports Cisco Easy VPN Remote Phase IV or later, you cannot configure Network Extension Plus.

Click Next when you are finished filling in the server information.

From the Authentication window, you can specify security for the Cisco Easy VPN Remote tunnel.
This window has two sections: Device Authentication and User Authentication (XAuth). Follow these steps to configure the device authentication settings:

Step 1 From the Authentication drop-down list, choose Digital Certificates or Pre-Shared Key.
Step 2 If you chose Pre-Shared Key, enter the IPsec group name in the User Group field. The group name must match the group name that is defined on the VPN concentrator or server. In the Key field, enter the IPsec group key. The group key must match the group key defined on the VPN concentrator or server. Re-enter the key to confirm its accuracy.

The User Authentication (XAuth) section appears in the Authentication window if the Cisco IOS image supports Cisco Easy VPN Remote Phase III. If the User Authentication section does not appear, you must configure user authentication from the router CLI. From the User Authentication section, you can choose three different ways to enter the XAUTH username and password to establish the VPN connection:
* From PC Browser when Browsing: This option allows the user to manually enter a username and password in a web browser window.

Note: The web browser option appears only if it is supported by the Cisco IOS image on your router.

* From Router Console or SDM: When a router is the Cisco Easy VPN Remote, you can configure it to authenticate upon making a connection.
* Save XAuth Credentials to this Router: If the server allows this option, you can eliminate the need to enter the username and password each time the Cisco Easy VPN tunnel is established. Enter the username and password provided by the Cisco Easy VPN Server administrator, and then re-enter the password to confirm its accuracy. This information is saved in the router configuration file and used each time the tunnel is established.
Caution: Storing the XAUTH username and password in router memory can create a security risk, because anyone who has access to the router configuration can obtain this information. If you do not want this information stored on the router, do not enter it here. The Cisco Easy VPN Server will challenge the router for the username and password each time the connection is established. Additionally, Cisco SDM cannot determine whether the Cisco Easy VPN Server allows the save password option. You must determine whether the server allows this option. If the server does not allow this option, you should not create a security risk by entering the information here.

Click Next when you have completed the Authentication window.

The Interfaces and Connections window enables you to specify the interfaces to be used in the Cisco Easy VPN configuration. Follow these steps to complete this window:

Step 1 Check the check box in front of the inside (LAN) interfaces that serve the local networks that you want to include in this Cisco Easy VPN configuration. You can choose multiple inside interfaces, with the following restrictions:
* If you choose an interface that is already used in another Cisco Easy VPN configuration, you are told that an interface cannot be part of two Cisco Easy VPN configurations.
* If you choose interfaces that are already used in a VPN configuration, you are informed that the Cisco Easy VPN configuration you are creating cannot coexist with the existing VPN configuration. You are asked if you want to remove the existing VPN tunnels from those interfaces and apply the Cisco Easy VPN configuration to them.
* An existing interface does not appear in the list of interfaces if it cannot be used in a Cisco Easy VPN configuration. For example, loopback interfaces that are configured on the router do not appear in this list.
= An interface cannot be designated as both an inside and an outside interface, From the Interface drop-down list, choose the outside interface that connects to the Cisco Easy VPN Server or concentrator. In the Connection Settings section, choose whether you want the VPN tunnel activated automatically, manually, or based on traffic: = Automatically: If you choose this option, the VPN tunnel is established automatically when the Cisco Easy VPN configuration is delivered to the router configuration file. However, you cannot control the tunnel manually in the VPN Connections window. The Connect or Disconnect button is disabled when you choose this type of Cisco Easy VPN connection + ‘Securing Networks with Cisco Routers and Switches (SNRS) v3.0 (© 2008 Cisco Systems, ne = Manually: If you choose this option, you must click the Connect or Disconnect button in the Edit Easy VPN Remote window to establish or take down the tunnel, but you have full control over the tunnel in the Edit Easy VPN Remote window. Additionally, if an SA timeout is set for the router, you must manually re-establish the VPN tunnel whenever a timeout occurs. You can change SA timeout settings in the VPN Components VPN Global Settings window. =| When There Is Traffic From Local Networks (Interesting Traffic): With this traffie-based option, the VPN tunnel is established whenever outbound local (LAN side) traffic is detected. Note ‘The When there is Traffic From Local Networks (Interesting Traffic) option appears only fit is supported by the Cisco IOS image on your router Step4 When you are finished configuring the Interfaces and Configuration information, click Next, (© 2008 isco Systems, no ‘Secure Remote Accoss Communications 435 ttle lee When you are finished running the Easy VPN Remote wizard, the Summary of the Configuration window displays the VPN configuration that you ereated. You can review the configuration in this window and use the Back button to make any necessary changes. 
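The following Cisco IOS configuration is an added example, written for this edit; it is not the wizard's output and not part of the original guide. It shows, in CLI form, the choices the Authentication and Interfaces and Connections windows make: a pre-shared-key group, the three connection modes, the inside and outside interfaces with a VTI, and the XAuth credential handling the Caution above warns about (interactive prompting instead of credentials stored in the configuration). The group name SNRS, key cisco123, peer address 192.168.1.1, interface names, the ACL number, and the LAN subnet are assumptions for illustration.

```cisco
! Added example, not Cisco SDM output. Assumed values: group SNRS / key cisco123,
! Easy VPN Server 192.168.1.1, Serial0/0/0 outside, FastEthernet0/0 inside.
crypto ipsec client ezvpn SNRS-REMOTE
 ! "Automatically": the tunnel comes up as soon as the configuration is applied.
 ! Use "connect manual" for the Manually option (then bring it up with the
 ! exec command "crypto ipsec client ezvpn connect"), or "connect acl 101" for
 ! the interesting-traffic option, with ACL 101 describing the LAN-side traffic.
 connect auto
 ! Device authentication: pre-shared group key, must match the server's group
 group SNRS key cisco123
 ! client mode: the LAN is PATed behind the one address the server assigns
 mode client
 peer 192.168.1.1
 ! Terminate the tunnel on a VTI (Virtual-Template1), as the wizard does
 virtual-interface 1
 ! XAuth, hardened choice ("From Router Console or SDM"): nothing is stored.
 ! The router prompts on the console and the operator answers with the exec
 ! command "crypto ipsec client ezvpn xauth".
 xauth userid mode interactive
 ! Weak alternative ("Save XAuth Credentials to this Router"): the two lines
 ! below put the user's credentials into the running configuration, readable
 ! by anyone who can run "show running-config" or fetch a backup.
 ! username vpnuser password 0 s3cret
 ! xauth userid mode local
!
! Interesting traffic for "connect acl 101" (assumed LAN 10.10.10.0/24)
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface FastEthernet0/0
 description inside (LAN) interface
 ip address 10.10.10.1 255.255.255.0
 crypto ipsec client ezvpn SNRS-REMOTE inside
!
interface Serial0/0/0
 description outside interface toward the Easy VPN Server
 ip address 192.168.1.2 255.255.255.252
 crypto ipsec client ezvpn SNRS-REMOTE
```

After applying it, "show crypto ipsec client ezvpn" reports the client state; a state of XAUTH_REQ means the server is waiting for the interactive credentials. "show running-config | section crypto ipsec client ezvpn" is the quick check that no username line has been stored on the router.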
Resulting Configuration

The example in the figure (not reproduced here; it begins with the interface Serial0/0/0 stanza) shows the configuration changes that resulted from running the Easy VPN Remote wizard. The EZVPN client configuration is the most noteworthy of the changes. FastEthernet0/0 is configured as an inside interface, and Serial0/0/0 is configured as the EZVPN endpoint (the outside interface). Note the use of a virtual tunnel interface (VTI).

Configuring Cisco Easy VPN Server

This topic describes how to configure a Cisco Easy VPN Server using Cisco SDM.

Configuration Tasks for the Cisco Easy VPN Server Wizard

The Cisco Easy VPN Server wizard includes these tasks:
- Choosing the interface on which to terminate IPsec
- IKE Phase 1 policies
- Group policy lookup method
- User authentication
- Local group policies
- IPsec transform set

The Cisco Easy VPN Server wizard guides you through a set of steps that include the configuration of the following parameters:
- Selecting the interface on which to terminate IPsec tunnels
- IKE Phase 1 policies (for example, encryption algorithm, Hashed Message Authentication Code [HMAC], priority, lifetime, and DH group)
- Group policy lookup method (local, RADIUS, or RADIUS and local)
- User authentication (local or RADIUS)
- Local group policies (such as name, PSK, DNS servers, and split tunneling)
- IPsec transform set (for example, encryption algorithm, HMAC, and mode of operation)

Before you start the configuration, you should prepare a VPN design and decide on the following parameters, which the configuration requires:
- IKE Phase 1 authentication method
- User authentication method
- IP addressing and routing for clients

You should also install the following prerequisite services, depending on which design you choose:
- RADIUS or TACACS+ server installation and configuration
- Certificate authority (CA) installation and configuration if a public key infrastructure (PKI) is used for authentication. The router should also be enrolled with the CA to obtain the CA certificate and the identity certificate of the router, which are used later to enable PKI for the VPN.
- DNS resolution for the addresses of the VPN servers
- Network Time Protocol (NTP), which the PKI needs to operate properly, because certificate validity is checked against the router clock

After you have completed the prerequisite steps, choose Configure > VPN > VPN > Easy VPN Server to open the Cisco Easy VPN Server page, and then click Launch Easy VPN Server Wizard from the Create Easy VPN Server tab to start the wizard.

Configure the VTI Interface

The Interface and Authentication window opens. In this window, you define the VTI:

Step 1 Either choose an existing interface to use for the ip unnumbered command, or choose to create a new loopback interface to use for the ip unnumbered command.

Step 2 Click the authentication method (pre-shared keys or digital certificates).

Step 3 Click Next to continue.
IKE Proposals and IPsec Transform Sets

When configuring IKE Phase 1 proposals, you can use the IKE Phase 1 proposal that is predefined by Cisco SDM or you can add a custom IKE Phase 1 proposal that specifies the required parameters:
- IKE Phase 1 proposal priority
- Encryption algorithm (Data Encryption Standard [DES], Triple Data Encryption Standard [3DES], or Advanced Encryption Standard [AES])
- HMAC (Secure Hash Algorithm 1 [SHA-1] or Message Digest 5 [MD5])
- DH group (1, 2, or 5)
- Authentication type (PSKs or digital certificates)
- IKE lifetime

Note: Use DH group 2 when configuring Cisco Easy VPN. DES, MD5, and DH group 1 appear in the list because Cisco SDM offers them; prefer AES with SHA-1 for new deployments.

From the IKE Proposals window, follow these steps to configure the IKE Phase 1 proposals:

Step 1 Click Add to add an IKE Phase 1 proposal.

Step 2 An Add IKE Policy window opens. Enter the IKE parameters and click OK when you are done.

Step 3 Click Next to continue.

After you are done configuring the IKE Phase 1 proposals, the Easy VPN Server wizard prompts you to configure the IPsec transform sets. The IPsec transform set configuration requires the following parameters:
- Transform set name
- Encryption algorithm (DES, 3DES, AES, or Software-Optimized Encryption Algorithm [SEAL])
- HMAC (SHA-1 or MD5)
- Optional compression
- Mode of operation (tunnel or transport)

Follow these steps to configure a transform set:

Step 1 In the Transform Set window, choose a transform set in the Select Transform Set drop-down list to edit an existing transform set, or click Add to create a new transform set.

Step 2 If you click Add, an Add Transform Set window opens. Enter the IPsec transform set parameters and click OK.

Step 3 Click Next to continue.

Group Authorization and Group Policy Lookup

The Group Authorization and Group Policy Lookup window appears next. From this window, you can choose the location for storing the Cisco Easy VPN group policies:
- Local: All groups are in the router configuration in NVRAM.
- RADIUS: The router uses a RADIUS server for group authorization.
- RADIUS and Local: The router can store policies locally and look up policies stored on a RADIUS server.

After you choose the method for the group policy lookup, click Next to continue.

User Authentication (XAuth)

From the User Authentication (XAuth) window, you can choose the location of the user records that are used for XAUTH. Follow these steps to store the user records in a local user database:

Step 1 In the User Authentication (XAuth) window, check the Enable User Authentication check box.

Step 2 Click the Local Only radio button. The Local Only option means that all users are stored in the router configuration in NVRAM.

Step 3 Add users by clicking Add User Credentials. A User Accounts window opens. Follow this procedure to add a new user account:
1. Click Add.
2. An Add an Account window opens. Enter a username in the Username field.
3. In the New Password and Confirm New Password fields, enter a password and confirm it.
4. Use the default privilege level 1 for VPN users.
5. Click OK in the Add an Account window.
6. Click OK in the User Accounts window.

Step 4 From the User Authentication (XAuth) window, click Next to continue.

Note: A local account created here is an ordinary username in the router configuration. If the router's vty or console login method list also uses the local database, the same credentials log a VPN user in to the router itself, so keep privilege level 1 and use a dedicated XAuth method list rather than the default login list.

If RADIUS is used for user authentication, you can use a previously configured RADIUS server or define a new one. Follow these steps to store the user records in a RADIUS and local user database:

Step 1 In the User Authentication (XAuth) window, check the Enable User Authentication check box.

Step 2 Click the RADIUS and Local Only radio button.

Step 3 Click Next to continue.
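The following Cisco IOS configuration is an added example, written for this edit; it is not the wizard's output and not part of the original guide. It shows what the Group Policy Lookup and User Authentication (XAuth) windows produce as AAA method lists (RADIUS and Local for group lookup, Local Only for XAuth), together with a local group policy carrying the attributes the wizard's group-policy windows expose: address pool, split-tunneling ACL, DNS and WINS servers, a backup server, Include Local LAN, Firewall Are-U-There, Group Lock, and a per-user login limit. The group name SNRS, key cisco123, the RADIUS server address and key, the pool, the 10.0.0.0/16 inside network, and the method-list and profile names are assumptions for illustration.

```cisco
! Added example, not Cisco SDM output. Assumed: group SNRS / key cisco123,
! RADIUS server 10.0.0.5 with shared secret r4diusKey, pool 10.0.21.20-30,
! inside network 10.0.0.0/16.
aaa new-model
!
! Group policy lookup "RADIUS and Local": the router asks RADIUS first and falls
! back to the local group only if the RADIUS server does not answer (a reject
! from RADIUS is final, it does not fall through to local).
aaa group server radius VPN-RADIUS
 server 10.0.0.5 auth-port 1812 acct-port 1813
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key r4diusKey
aaa authorization network ezvpn-group group VPN-RADIUS local
!
! XAuth "Local Only", on its own method list so it is separate from the list
! used for vty and console logins
aaa authentication login ezvpn-xauth local
username vpnuser privilege 1 secret 0 Str0ngPassw0rd
!
! Local group policy: everything pushed to the Easy VPN Remote at connect time
crypto isakmp client configuration group SNRS
 key cisco123
 dns 10.0.0.10 10.0.0.11
 wins 10.0.0.12
 domain example.com
 pool SDM_POOL_1
 ! Split tunneling: only destinations matched by ACL 100 go through the
 ! tunnel; everything else leaves the client directly. Omit "acl" (the
 ! default) to force all traffic through the tunnel.
 acl 100
 ! Client Settings tab: backup server list, Firewall Are-U-There,
 ! Include Local LAN (the local subnet stays reachable while connected,
 ! which is itself a form of split tunneling)
 backup-gateway 192.168.2.1
 firewall are-u-there
 include-local-lan
 ! XAuth Options tab: Group Lock ties the user to this group (the group name
 ! becomes part of the XAuth username) and Maximum Logins Allowed Per User
 ! stops a shared account from connecting twice. Save Password is
 ! deliberately not enabled, so clients cannot cache the XAuth password.
 group-lock
 max-logins 1
 netmask 255.255.255.0
!
ip local pool SDM_POOL_1 10.0.21.20 10.0.21.30
access-list 100 remark split-tunnel: protected networks reachable via the tunnel
access-list 100 permit ip 10.0.0.0 0.0.255.255 any
!
! ISAKMP profile that binds the two method lists to this group
crypto isakmp profile SNRS-ike-profile
 match identity group SNRS
 client authentication list ezvpn-xauth
 isakmp authorization list ezvpn-group
 client configuration address respond
 virtual-template 1
```

With a RADIUS-and-Local design, "debug aaa authorization" shows which source actually supplied the group attributes; if the local group is being used when you expected RADIUS, the server was unreachable, not rejecting. "show crypto isakmp sa" and "show crypto session" confirm the negotiated group and the assigned address once a client connects.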
Alternatively, you can choose a previously configured AAA authentication template by clicking the Select an Existing AAA Method List radio button and choosing a method list from the list box.

Group Authorization and User Group Policies

From the Group Authorization and User Group Policies window, you can add a group policy by clicking Add. You can skip this step if you intend to store group policies on a AAA server (useful when you are managing a large number of VPN servers).

Click the General tab and follow these steps to configure the minimum required parameters for a functional group policy:

Step 1 Define a name for the group.

Step 2 Enter the PSK information for the group.

Step 3 Specify an IP address pool from which addresses will be assigned to clients. You have two options:
- Create a new pool
- Select from an existing pool

Optionally, you might want to configure DNS and Microsoft Windows Internet Name Service (WINS) server information. You can configure this information from the DNS/WINS tab. You should specify any internal DNS servers that clients might need to resolve hostnames that are reachable only inside the VPN. The same applies to WINS servers.

Split Tunneling

Split tunneling allows some traffic to be tunneled while other traffic is not. This constitutes a security risk. Part of the group policy that you can configure is the status and configuration of split tunneling. You should keep split tunneling disabled (the default) to prevent a compromised client PC from becoming a proxy between the Internet and the VPN. If, however, split tunneling is required, you should complete one of the following two configuration options on the Split Tunneling tab of the Add Group Policy window:

Step 1 Check the Enable Split Tunneling check box.

Step 2 Click the Enter the Protected Subnets radio button.

Step 3 Click Add to add a network.

Step 4 In the Add a Network window, define the protected networks (all other destinations are reachable by bypassing the tunnel).

Step 5 Click OK.

Alternatively, click the Select the Split Tunneling ACL radio button to use an existing ACL or create a new ACL to configure split tunneling.

Client Settings

The group policy settings also enable you to configure certain client settings. On the Client Settings tab, you can define a list of backup servers to push to the client:

Step 1 Click Add.

Step 2 In the Add Easy VPN Server/Concentrator window, enter an IP address or hostname and click OK.

Step 3 Check the Firewall Are-U-There check box.

Step 4 Check the Include Local LAN check box.

Note: Include Local LAN lets the client keep reaching its local subnet while the tunnel is up. Because that is also a path between the Internet-facing LAN and the VPN, apply the same judgment to it as to split tunneling.

XAuth Options

You might also want to configure user authentication using XAUTH for this group policy. To configure the XAUTH settings, click the XAuth Options tab and follow these steps:

Step 1 Check the Group Lock check box to statically tie a user to a VPN group, so that users must use the group name as part of the XAUTH username.

Step 2 Check the Save Password check box to allow a user to save the password in the VPN client.

Step 3 Enter the maximum number of concurrent logins in the Maximum Logins Allowed Per User field to prevent multiple users from sharing the same account at the same time.

Step 4 Click OK.

When you are back in the Group Authorization and User Group Policies window, click Next to continue the wizard.

Review the Generated Configuration

The wizard presents a Summary of the Configuration window with a summary of the configured parameters. You can use the Back button to make any necessary changes. Otherwise, click Finish to apply the configuration to the router. The following example shows the configuration changes that were made by the Easy VPN Server wizard:

aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group SNRS
 key cisco123
 pool SDM_POOL_1
 acl 100
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
 match identity group SNRS
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
interface Serial0/0/0
 bandwidth 128
 ip address 192.168.1.2 255.255.255.252
interface Virtual-Template1 type tunnel
 ip unnumbered Serial0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
ip local pool SDM_POOL_1 10.0.21.20 10.0.21.30
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.0.255.255 any

Two things to notice in this output: ISAKMP policy 1 has no authentication line, so it uses the default (RSA signatures), and policy 2 is the pre-shared-key policy that the SNRS group actually matches; and the acl 100 line in the group, together with the access list at the end, means split tunneling is enabled for 10.0.0.0/16 only.

Verify the Cisco Easy VPN Configuration

This topic describes how to verify the Cisco Easy VPN configuration.

After the Cisco Easy VPN Server configuration is created, you can run a test to determine the state of the tunnel configuration:

Step 1 Click the Edit Easy VPN Server tab.

Step 2 Choose a Cisco Easy VPN Server configuration.

Step 3 Click the Test VPN Server button to run the test.

Editing the Cisco Easy VPN Server

If you experience any problems while running the Cisco Easy VPN Server test, you can view and change the configuration of the Cisco Easy VPN Server. Choose the Cisco Easy VPN Server from the Edit Easy VPN Server tab and click Edit. The Edit Easy VPN Server Connection window appears.
From this window, you can view and edit general settings, IKE Phase 1 settings, and IPsec settings.

Testing the Cisco Easy VPN Remote Tunnel

A Cisco Easy VPN connection is a connection that is configured between a Cisco Easy VPN Remote client and a Cisco Easy VPN Server or concentrator to provide secure communications with other networks that the server or concentrator supports. To manage Cisco Easy VPN connections from Cisco SDM, choose Configure > VPN > VPN > Easy VPN Remote and click the Edit Easy VPN Remote tab. To test a specific VPN tunnel, choose the VPN tunnel in the window and click the Test Tunnel button. The results of the test appear in a separate window.

Monitoring the Cisco Easy VPN Server

You can use the monitoring page to display the status of the tunnel and the currently logged-in users. Follow these steps to use the monitoring page:

Step 1 Choose Monitor > VPN Status > Easy VPN Server from the Cisco SDM home page.

Step 2 Choose a group name in the Select a Group section.

Step 3 Verify the client connections in the Client Connections in this Group section.

Troubleshooting

The debug crypto isakmp command displays detailed information about the IKE Phase 1 and Phase 2 negotiation processes. To debug the authentication and authorization of Cisco Easy VPN tunnels, you can use the commands listed in the "debug Commands" table.

debug Commands

Command                    Description
debug crypto isakmp        Displays the IKE Phase 1 and Phase 2 negotiation
debug aaa authentication   Troubleshoots user authentication via the local user database or RADIUS
debug aaa authorization    Troubleshoots group policy configuration access via RADIUS
debug radius               Troubleshoots RADIUS communication

Summary

This topic summarizes the key points that were discussed in this lesson.

- The main goal of Cisco Easy VPN is to simplify the client configuration by centralizing client configuration information and being able to dynamically push the configuration out to clients.
- You can install the Cisco VPN Client on your system by using either InstallShield or Microsoft Windows Installer.
- The VPN configuration page in Cisco SDM lists VPN wizards that help implement different types of IPsec-based VPNs.
- After the Cisco Easy VPN Server has been configured, you can create a VPN connection with minimal configuration on a Cisco Easy VPN Remote client.
- The debug crypto isakmp command displays detailed information about the IKE Phase 1 and Phase 2 negotiation processes.

Lesson 2

Examining a Cisco IOS SSL VPN

Overview

The Cisco IOS Secure Sockets Layer (SSL) Virtual Private Network (VPN) (also known as WebVPN) enables users to connect remotely to a corporate network without the use of a preloaded VPN client on their computers. In this lesson, you will learn how to configure a Cisco IOS router to use the Cisco IOS SSL VPN feature to create a corporate portal that users can access from anywhere on the Internet.

Upon completing this lesson, you will be able to describe and configure a Cisco IOS SSL VPN and verify its operation using Cisco Router and Security Device Manager (SDM).
This ability includes being able to meet these objectives:
- Describe the Cisco IOS SSL VPN feature, including clientless mode, thin-client mode, full-tunnel client mode, and Cisco Secure Desktop
- Describe the different client packages for the Cisco IOS SSL VPN
- Configure the prerequisites for Cisco IOS SSL VPN
- Configure Cisco IOS SSL VPN
- Edit Cisco IOS SSL VPN configurations
- Monitor and verify Cisco IOS SSL VPN

Overview of Cisco IOS SSL VPN

This topic describes the Cisco IOS SSL VPN feature, including clientless mode, thin-client mode, full-tunnel client mode, and Cisco Secure Desktop.

SSL Overview
- Was developed by Netscape for secure e-commerce
- Creates a tunnel between web browser and web server, authenticated and encrypted
- Supported in leading browsers
- Uses https://fully_qualified_domain_name, usually over port 443
- A closed lock in the browser indicates an SSL-enabled connection

SSL is a protocol that was developed by Netscape to transmit private documents via the Internet. SSL uses a cryptographic system that employs symmetric and asymmetric keys to encrypt data and accomplish key exchange. All major browsers support SSL and have the root certificates of the leading certificate authorities (CAs) preinstalled. Many websites use SSL to protect confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection begin with https: instead of http:.

Without SSL encryption, data packets travel through networks in plaintext, and anyone with access to the path can read the data. An SSL certificate helps website visitors protect sensitive information and gives them a better idea of whom they are trusting.

Cisco IOS SSL VPN (figure: Branch Office, IPsec Tunnel, Corporate Resources)

Cisco IOS SSL VPN is a feature of Cisco IOS Software that provides support for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a gateway that is enabled with Cisco IOS SSL VPN, similar to what happens with IP Security (IPsec) remote-access VPNs. The Cisco IOS SSL VPN gateway allows remote users to establish a secure VPN tunnel using a web browser. This feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTPS browser support. Cisco IOS SSL VPN delivers three modes of SSL VPN access: clientless, thin client, and full-tunnel client support.

Cisco IOS SSL VPN can also support access from machines that the corporation does not own, including home computers, Internet kiosks, and wireless hot spots. These are difficult places in which to deploy and manage the VPN client software and remote configurations that IPsec VPN connections require.

Prerequisites

To use Cisco IOS SSL VPN, you must adhere to the following prerequisites:

- To securely access resources on a private network behind a Cisco IOS SSL VPN gateway, the remote user of a Cisco IOS SSL VPN service must have the following:
  - An account (username and password)
  - An SSL-enabled browser (for example, Internet Explorer, Netscape, Mozilla, or Mozilla Firefox)
  - One of the following operating systems:
    - Microsoft Windows 2000 or Microsoft Windows XP with either the Sun Microsystems Java Runtime Environment (JRE) for Microsoft Windows version 1.4 or later or a browser that supports ActiveX controls
    - Any version of Windows 2003 or Windows Vista
    - Linux with Sun Microsystems JRE for Linux version 1.4 or later, with Samba installed to access Microsoft file shares from Linux in clientless remote-access mode
    - Apple Mac OS X
- Thin-client support, which is used for TCP port-forwarding applications, requires administrative privileges on the computer of the remote user.
- Full-tunnel client support, which is used for Cisco IOS SSL VPN access, requires administrative privileges on the computer of the remote user to install the full-tunnel client.
- The remote user must have local administrative privileges to use thin-client or full-tunnel client features.
- You must complete the Cisco IOS SSL VPN gateway and context configuration before a remote user can access resources on a private network behind a Cisco IOS SSL VPN.

Refer to the latest Cisco IOS documentation for any restrictions on using Cisco IOS SSL VPNs.

Client Software

This topic describes the different client packages for Cisco IOS SSL VPN.

Cisco IOS SSL VPN Remote-Access Modes (figure: comparison of clientless, thin-client, and full-tunnel client modes)

Cisco IOS SSL VPN delivers the following three modes of Cisco IOS SSL VPN access:

- Clientless: Clientless mode provides secure access to private web resources and provides access to web-enabled content. This mode is useful for accessing most of the content that you would expect to access in a web browser, such as Internet access, databases, and online tools that employ a web interface.
- Thin client (port-forwarding Java applet): Thin-client mode extends the capability of the cryptographic functions of the web browser to enable remote access to applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet, and Secure Shell (SSH).
- Full-tunnel client: Full-tunnel client mode offers extensive application support through its dynamically downloaded Cisco SSL VPN Client (SVC) or the newer Cisco AnyConnect VPN Client. Full-tunnel client mode delivers a lightweight, centrally configured, and easy-to-support SSL VPN tunneling client that provides network-layer access to virtually any application.

The web browser performs end-user login and authentication to the secure gateway using an HTTPS request. This process creates a session that is referenced by a cookie. After authentication, a portal page appears that allows the user access to the Cisco IOS SSL VPN networks. All requests that are sent by the browser include the authentication cookie. The portal page provides all of the resources that are available on the internal networks. For example, the portal page could provide a link to allow the remote user to download and install a thin-client Java applet (for TCP port forwarding) or a full-tunneling client.

Clientless Mode Access (figure: clients with Windows 2000, XP, 2003, and Vista; Macintosh and Linux)

In clientless mode, the remote user accesses the internal or corporate network using a web browser on the client machine. The PC of the remote user must run Windows 2000, Windows XP, or Linux.

There are many benefits of clientless access:
- Clientless web-based access allows anywhere access to network resources.
- Web content transformation provides compatibility with web pages containing HTML and JavaScript.
- There is uniform and efficient application delivery via fully clientless Citrix support.
- Multiple browser support ensures broad connection compatibility.
Clientless mode support includes the following applications:

- Web browsing
  - Uses HTTP and HTTPS
  - Provides a URL box and a list of web server links in the portal page that allows the remote user to browse the internal websites
- File sharing
  - Uses Common Internet File System (CIFS)
  - Provides a list of file server links on the portal page that allows the remote user to perform the following operations:
    - Browse a network (a list of domains)
    - Browse a domain (a list of servers)
    - Browse a server (a list of shares)
    - List the files in a share
    - Create a new file
    - Create a directory
    - Rename a directory
    - Update a file
    - Download a file
    - Remove a file
    - Rename a file

Note: Linux requires that you install the Samba application before users can remotely access CIFS file shares.

- Web-based e-mail, such as Microsoft Outlook Web Access 2003 (using HTTP and HTTPS) with Web-Based Distributed Authoring and Versioning (WebDAV) extensions

Thin-Client Mode Access (figure: clients with Windows 2000, XP, 2003, and Vista; Macintosh and Linux; workplace resources)

Thin-client mode, also called TCP port forwarding, assumes that the client application uses TCP to connect to a well-known server and port. In thin-client mode, the remote user downloads a Java applet by clicking the link provided on the portal page. The Java applet acts like a TCP proxy on the client machine for the services that you configure on the gateway. The applications that are supported in thin-client mode are mainly e-mail-based (SMTP, POP3, and IMAP version 4 [IMAP4]) applications or other client-initiated, non-web-based TCP applications that use static ports, such as Telnet.

- The Java applet initiates an HTTP request from the remote user client to the Cisco IOS SSL VPN gateway. The name and port number of the internal e-mail server are included in the HTTP request. The Cisco IOS SSL VPN gateway creates a TCP connection to that internal e-mail server and port.
- The Java applet starts a new SSL connection for every client connection.

Note: The TCP port-forwarding proxy works only with Sun Microsystems JRE version 1.4 or later. A Java applet is loaded through the browser that verifies the JRE version. The Java applet refuses to run if a compatible JRE version is not detected.

The Java-based application helper supplements clientless access by providing connectivity to applications that are not traditionally web-based, such as the following:
- POP, SMTP, or IMAP e-mail
- Instant messaging
- Calendar
- Client-initiated TCP-based applications such as Telnet

Restrictions

You should observe the following restrictions when using thin-client mode:
- The remote user must allow the Java applet to download and install.
- You cannot use thin-client mode for applications in which the ports are negotiated dynamically, such as FTP. You can use TCP port forwarding only with applications that use static ports.
- For applications to work seamlessly, you should give administrative privileges to remote users. If you do not give administrative privileges to remote users, remote users might need to manually change the client program settings so that the applications work properly.

Auto Applet Download

Starting with Cisco IOS Release 12.4(9)T, you have the option of automatically downloading the port-forwarding Java applet. You must configure this feature on a group policy basis.

Full-Tunnel Mode Access (figure: Corporate Office, SSL VPN Client, Workplace Resources, Certificate; clients with Windows 2000, XP, 2003, and Vista; Macintosh and Linux)

In a typical clientless remote-access scenario, remote users establish an SSL tunnel to move data to and from the internal networks at the application layer (for example, web and e-mail). In full-tunnel mode, remote users use an SSL tunnel to move data at the network (IP) layer, that is, IP over SSL. Therefore, full-tunnel mode supports most IP-based applications. Full-tunnel mode supports many popular corporate applications (for example, Microsoft Outlook, Microsoft Exchange, IBM Lotus Notes e-mail, FTP, Telnet, and so on).

The tunnel connection is determined by the group policy configuration. The Cisco SVC, which is less than 400 KB, is downloaded and installed on the remote user PC, and the tunnel connection is established when the remote user logs into the Cisco IOS SSL VPN gateway. By default, the Cisco SVC is removed from the client PC after the connection is closed. However, you have the option to keep the Cisco SVC installed on the client PC.

The Cisco SVC has the following features:
- Provides IPsec-like application access through a "web-pushed" client
- Enables a "no touch" central site configuration
- Supports VoIP
- Enables the client software to be either removed at the end of the session or left permanently installed
- Requires a download of less than 400 KB
- Does not require a reboot after installation

Cisco AnyConnect VPN Client
- Is a traditional-style client delivered via automatic download
- Requires administrative privileges only for the initial install
- Is also available for preinstallation as an MSI package
- Can upgrade from a previous version upon connection
- Supports both IPsec and SSL VPNs

The Cisco AnyConnect VPN Client is an additional, next-generation client, providing remote users with secure VPN connections to the Cisco ASA 5500 Series Adaptive Security Appliances running ASA Software Version
8.0 and higher or Cisco Adaptive Security Device Manager (ASDM) Version 6.0 and higher. It does not connect to a Cisco PIX security appliance or to Cisco Virtual Private Network 3000 Series Concentrator Software, Note Cisco PIX security appliance does not support either cllentiess or Cisco AnyConnect VPN Client SSL VPN connections The Cisco AnyConnect VPN Client supports Windows Vista, Windows XP, Windows 2000, Mac OS X (version 10.4 of later) on either Intel or PowerPC, and Red Hat Linux (version 9 or later). You can download the Cisco AnyConnect VPN Client from the router or have it preinstalled on the client computer. See the Cisco AnyConnect VPN Client release notes for the full set of platform requirements and supported versions. You configure the Cisco AnyConnect VPN Client features on the security appliance. You can then load the client on the security appliance and have it automatically download to remote users when they log in, or you can manually install the client as an application on PCs, ‘You can assign particular features to individual users or groups. The Cisco AnyConnect VPN Client includes the following features: = IP version 6 (IPV6) VPN access: Allows access to [PVG resources 01 4 (IPv4) connection (only Windows XP SP2, Windows Vista, Mac OS +a public IP version X, and Linux) © Certificate-only authentication: Allows users to connect with digital certificates and not provide a user ID and password. © Compression: Increases the communication performance between the security appliance and the client by reducing the size of the packets that are being transferred. Compression ‘works only for Transport Layer Security (TLS). (© 2008 Cisco Systems, in. ‘Seaure Remote Access Communications 4-65 = Language translation (localization): Provides a way of implementing translation for user messages that appear on the client user interface. 
- Dynamic access policies feature of the security appliance: Enables you to configure authorization that addresses the variables of multiple group membership and endpoint security for VPN connections.
- Cisco Secure Desktop support: Validates the security of client computers that are requesting access to your Cisco IOS SSL VPN, helps ensure that they remain secure while they are connected, and attempts to remove traces of the session after they disconnect. The Cisco AnyConnect VPN Client supports the Secure Desktop functions of Cisco Secure Desktop for Windows 2000 and Windows XP.
- Rekey: Specifies that SSL renegotiation takes place during rekey.

Note: The Cisco AnyConnect VPN Client can coexist with the IPsec Cisco VPN Client, but they cannot be used simultaneously.

Cisco AnyConnect VPN Client (Cont.)
- Web launch: initiated via a web browser; downloaded automatically (ActiveX/Java) or downloaded manually
- Manual MSI installer

The following are additional features of the Cisco AnyConnect VPN Client:
- Standalone mode: Allows a Cisco AnyConnect VPN Client connection to be established as a PC application without the need to use a web browser to establish a connection.
- Command-line interface (CLI): Provides direct access to client commands at the command prompt.
- Microsoft Installer (MSI): Gives Windows users a preinstall package option that provides installation, maintenance, and removal of Cisco AnyConnect VPN Client software on Windows systems.
- Start Before Logon (SBL) for Windows: Allows for login scripts, password caching, drive mapping, and more.
- Simultaneous Cisco AnyConnect VPN Client and clientless, browser-based connections: Allows a user to have both a Cisco AnyConnect VPN Client (standalone) connection and a clientless Cisco IOS SSL VPN connection (through a web browser) active at the same time to the same IP address.
Each connection has its own tunnel.

Note: Certain features of the Cisco AnyConnect VPN Client are supported in conjunction with Cisco IOS SSL VPN support. Please see the Cisco IOS SSL VPN Feature Guide for specific details.

Full-Tunnel Client Comparison

[Table: for each full-tunnel client, the approximate size, whether administrative rights are required for the initial install, whether preinstallation is supported, operating system support (Windows 2000 and XP x32, Vista x32, Mac OS X 10.4/10.5, Linux kernel 2.6, Solaris UltraSPARC), the supported headend, and whether a client reboot is required. The cell values are not legible in this copy.]

The table in the figure compares the various Cisco VPN full-tunnel client packages and their supported platforms and features.

As of Cisco IOS Release 12.4(15)T5, Datagram Transport Layer Security (DTLS) is not currently supported.

Configuring Cisco IOS SSL VPN Prerequisites

This topic describes how to configure the prerequisites that are required to support Cisco IOS SSL VPN.

Cisco IOS SSL VPN Prerequisites
- Configure AAA: local or Cisco Secure ACS authentication
- Configure FQDN: router hostname and domain name
- Configure time: NTP or manual configuration
- Configure certificates and trustpoints: CA or self-signed

Before configuring Cisco IOS SSL VPN, you must configure and install the following:
- Authentication, authorization, and accounting (AAA): This configuration includes setting up local or remote authentication.
- Fully qualified domain name (FQDN): This configuration includes configuring the hostname, domain name, and Domain Name System (DNS) name servers, or defining a static hostname-to-address mapping in the host (router) cache.
- Network Time Protocol (NTP): Certificate-based solutions require accurate timekeeping to work properly. A certificate is accepted only while the current time falls within its validity period, so an incorrect router clock causes enrollment and certificate validation failures.
- Certificates and trustpoints: This configuration includes requesting and installing certificates and configuring trustpoints. The trustpoint contains the CA that signed the certificate that the Cisco IOS SSL VPN is using.
Optionally, the router can use a self-signed certificate.

Before configuring Cisco IOS SSL VPN for AAA-related configurations, you must create user accounts using either local authentication or authentication via AAA (RADIUS and TACACS+ servers) and configure the AAA-related commands.

Cisco IOS SSL VPN Configuration

This topic describes how to configure Cisco IOS SSL VPN and port-forwarding services on a router.

Create a Cisco IOS SSL VPN

You can use Cisco SDM to create a new Cisco IOS SSL VPN configuration and edit an existing Cisco IOS SSL VPN configuration. To access the SSL VPN wizards, choose Configure > VPN > VPN > SSL VPN. The Create SSL VPN tab provides three options:
- Create a New SSL VPN: This option allows you to create a new Cisco IOS SSL VPN with one user policy and a limited set of features. After you complete the wizard using this option, you can use the other options to configure additional policies and features for the Cisco IOS SSL VPN. You can return to this wizard to create additional Cisco IOS SSL VPN configurations.
  When you use Cisco SDM to create the first Cisco IOS SSL VPN configuration on a router, you create a Cisco IOS SSL VPN context, configure a gateway, and create a group policy. After you complete the wizard, click the Edit SSL VPN tab to view the configuration and familiarize yourself with how Cisco IOS SSL VPN components work together.
- Add a New Policy to an Existing SSL VPN for a New Group of Users: This option allows you to add a new policy to an existing Cisco IOS SSL VPN configuration for a new group of users. Multiple policies allow you to define separate sets of capabilities for different groups of users. For example, you might define a policy for engineering and a separate policy for sales.
- Configure Advanced Features for an Existing SSL VPN: This option allows you to configure additional features for an existing Cisco IOS SSL VPN policy.
  You must specify the context under which this policy is configured.

To start a new Cisco IOS SSL VPN configuration, click the Create a New SSL VPN option, and then click Launch the Selected Task to start the wizard. You will receive a warning message if you cannot complete this task. If there is a prerequisite task that you must complete, you are told what it is and how to complete it.

[Figure: SSL VPN wizard, first step (IP Address and Name)]

In the first step of the SSL VPN wizard, you use the IP Address and Name fields to create the URL that users will enter to access the Cisco IOS SSL VPN portal. The IP Address list box contains the IP addresses of all of the configured router interfaces and all of the existing Cisco IOS SSL VPN gateways. You can use the IP address of a router interface if it is a public address that the clients can reach.

Check the Enable Secure SDM Access Through IP Address check box if you want to continue to access Cisco SDM from the IP address that you choose. This check box appears only if you entered the IP address that you are currently using to access Cisco SDM. If you check this check box, the URL that you must use to access Cisco SDM changes after you deliver the configuration to the router. Review the Information area at the bottom of the window to learn which URL to use. Cisco SDM places a shortcut to this URL on the desktop of your PC that you can use to access Cisco SDM in the future.

If you are creating a new gateway, from the Certificate list box choose the digital certificate that you want the router to present to clients when they log into the gateway. If you choose the IP address of an existing gateway, the router uses the digital certificate that is configured for that gateway, and this field is disabled (the list appears grayed out).
When you provide the information in the IP Address and Name fields, the Information area contains the URL that users will use to access this Cisco IOS SSL VPN connection. You must provide this URL to the users for whom you are creating this Cisco IOS SSL VPN.

The following would be the resulting CLI configuration for the example in the figure:

    router(config)# webvpn gateway SNRS
    router(config-webvpn-gateway)# hostname rP
    router(config-webvpn-gateway)# http-redirect
    router(config-webvpn-gateway)# ip address 192.168.1.2 port 443
    router(config-webvpn-gateway)# ssl encryption rc4-md5
    router(config-webvpn-gateway)# inservice

If the http-redirect command is enabled, the Cisco IOS SSL VPN gateway listens for HTTP connections, and then the HTTP connections are redirected to use HTTPS. The ssl encryption rc4-md5 keyword selects an RC4 cipher with MD5 integrity; both are weak by current standards, so prefer aes-sha1 (as in the gateway example later in this lesson) unless you must support browsers that lack AES support.

In the next step of the SSL VPN wizard, you use the User Authentication window to specify how the router is to perform user authentication. From this window, you can choose between the following options:
- External AAA Server: Click this option if you want the router to use a AAA server to authenticate Cisco IOS SSL VPN users. The router uses the AAA servers that are listed in the AAA servers configured for this router list (not displayed in the figure). If you choose to authenticate users with AAA servers, this list must contain the name or IP address of at least one server. If there are no AAA servers listed, you can add them using the Add button. This list does not appear if you have chosen the Locally on This Router option. To manage AAA configurations on the router, leave the wizard and choose Configure > Additional Tasks > AAA.
- Locally on This Router: Click this option if you want the router to authenticate users using a local database on the router. The router authenticates each user that is displayed in the Username window.
  If no users are configured on the router, you can add users to this window using the Add button. You can also manage the users on the router using the Edit button. This list does not appear if you choose the External AAA Server option.
- First on an External AAA Server and Then Locally on This Router: Click this option if you want the router to first try to authenticate the users using a AAA server, and then, if the AAA server returns an error or is unreachable, the router will attempt local authentication. If the user is not configured either on a configured AAA server or locally on the router, authentication for that user fails. Note that the fallback happens only when the server cannot answer; a user that the AAA server explicitly rejects is not retried against the local database.
- Use the AAA Authentication Method List: Click this option if you want the router to use a method list for authentication. A method list contains the authentication methods that should be used. The router attempts the first authentication method in the list. If a AAA method returns an error or is unreachable, the router tries the next method in the list and continues until the user is authenticated or until it reaches the end of the list.

The following is an example of the resulting CLI commands if you choose the AAA Authentication Method List option:

    router(config)# webvpn context policy_1
    router(config-webvpn-context)# aaa authentication list VPN-ACS
    router(config-webvpn-context)# default-group-policy SSL-policy
    router(config-webvpn-context)# gateway SNRS

Intranet Websites

After you configure the user authentication options, the SSL VPN wizard asks you to configure intranet websites. From the Configure Intranet Websites window, you can configure groups of intranet websites to which you want users to have access. These links appear in the portal that appears when the users of this Cisco IOS SSL VPN log in. If you are adding a policy to an existing Cisco IOS SSL VPN context, there might already be URL lists in the table.
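The fallback rule described for the authentication options above is easy to misread, so the following added example (not code from this guide or from Cisco) models how a method list such as the VPN-ACS list that the context refers to is walked. In IOS that list would be defined with aaa authentication login VPN-ACS group <server-group> local; the server-group name, the account databases, and the passwords in the model are constructed. The point it demonstrates: the router moves to the next method only on an error (server unreachable or server failure), never on an explicit reject, so a stale local account is reachable only while the AAA server is down, and an account that exists only locally is rejected while the server is up.

```python
"""Walk of a Cisco IOS AAA authentication method list (model).

Added example, not Cisco code. It models the rule stated above: the router
tries the next method only when a method returns an ERROR (server unreachable
or a server error); an explicit accept or reject from a method is final.
The server groups, account databases, and credentials below are constructed.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered and rejected the credentials
    ERROR = "error"  # no usable answer: unreachable, timeout, protocol error


# A method takes (username, password) and returns a Result.
Method = Callable[[str, str], Result]


def server_group(accounts: Dict[str, str], reachable: bool = True) -> Method:
    """Stand-in for a RADIUS/TACACS+ server group (assumed name: ACS-SERVERS)."""
    def method(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if accounts.get(user) == password else Result.FAIL
    return method


def local_database(accounts: Dict[str, str]) -> Method:
    """Stand-in for the router's local username database (the 'local' method)."""
    def method(user: str, password: str) -> Result:
        return Result.PASS if accounts.get(user) == password else Result.FAIL
    return method


def authenticate(method_list: List[Tuple[str, Method]], user: str,
                 password: str) -> Tuple[Result, List[Tuple[str, Result]]]:
    """Evaluate the list in order and return (outcome, trace).

    trace lists every method that was consulted with what it returned, so a
    caller can see exactly where the decision was made."""
    trace: List[Tuple[str, Result]] = []
    for name, method in method_list:
        outcome = method(user, password)
        trace.append((name, outcome))
        if outcome is not Result.ERROR:
            return outcome, trace      # PASS or FAIL is final; stop here
    return Result.FAIL, trace          # every method errored: deny


# Constructed scenario: 'alice' exists on ACS with her current password and
# also in the router's local database with an old password that was never
# cleaned up. 'admin' exists only locally.
ACS_ACCOUNTS = {"alice": "Acs-Current-Pw"}
LOCAL_ACCOUNTS = {"alice": "Old-Local-Pw", "admin": "Break-Glass-Pw"}


def method_list(acs_reachable: bool) -> List[Tuple[str, Method]]:
    """Model of: aaa authentication login VPN-ACS group ACS-SERVERS local"""
    return [("group ACS-SERVERS", server_group(ACS_ACCOUNTS, acs_reachable)),
            ("local", local_database(LOCAL_ACCOUNTS))]


def scenarios() -> Dict[str, Tuple[Result, List[str]]]:
    """Run the cases a practitioner should verify; returns the outcome and the
    names of the methods that were consulted, per case."""
    cases = {
        "acs up, current password": (True, "alice", "Acs-Current-Pw"),
        "acs up, stale local pw": (True, "alice", "Old-Local-Pw"),
        "acs up, local-only admin": (True, "admin", "Break-Glass-Pw"),
        "acs down, stale local pw": (False, "alice", "Old-Local-Pw"),
    }
    out: Dict[str, Tuple[Result, List[str]]] = {}
    for label, (up, user, pw) in cases.items():
        outcome, trace = authenticate(method_list(up), user, pw)
        out[label] = (outcome, [name for name, _ in trace])
    return out


if __name__ == "__main__":
    for label, (outcome, consulted) in scenarios().items():
        print(f"{label:26s} -> {outcome.value:5s} via {consulted}")
```

Run it and the second and third cases show the behaviour that matters operationally: while ACS is reachable, neither the stale local password nor the local-only admin account authenticates, because the group returned a definite reject and the local method was never consulted. The fourth case shows the other side: when ACS is down, any leftover local account works, which is why the local database should hold only the break-glass accounts you intend.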
To create a new list, follow these steps:

Step 1  Click the Add button from the Configure Intranet Websites window.
Step 2  Enter a group list name and a heading in the appropriate fields. The text that you enter in the Heading field appears in the portal as a link that is displayed when users log into the Cisco IOS SSL VPN. When users click this link, they navigate to a page that displays the URLs that are part of this group list.
Step 3  Click Add in the Add URL List window to add links to the URL list. Enter a label that you want displayed for the URL link, and then enter the URL of the corporate intranet website to which the users will navigate when they click the label. For example, you might use the label Payroll Calendar if you are entering a URL to the calendar that shows paid holidays and paydays.
Step 4  Click Edit or Delete from the Add URL List window to modify or remove URL links that are part of the group list.
Step 5  Click OK when you are done adding URL links to the group list.

The following is an example of the resulting CLI commands:

    router(config)# webvpn context policy_1
    router(config-webvpn-context)# url-list "StudentPc"
    router(config-webvpn-url)# heading "Quicklinks"
    router(config-webvpn-url)# url-text "Pod Homepage" url-value home.cisco.com
    router(config-webvpn-url)# url-text "OWA" url-value email.mydomain.com

Tunnel Settings

[Figure: SSL VPN wizard, Enable Full Tunnel window]

If the Cisco IOS SSL VPN is going to support full-tunnel client mode, you must enable full-tunnel client support.
Follow these steps to enable full-tunnel client support:

Step 1  Check the Enable Full Tunnel check box to allow the router to download the full-tunnel client software to the user PC and to enable the other fields in this window.
Step 2  Specify the IP address pool from which full-tunnel clients will be assigned IP addresses. Either enter the name of an existing pool in the IP Address Pool field, or click the button next to the field and choose Select an Existing IP Pool to browse the list of existing pools. To create a new pool, choose Create a New Pool and complete the dialog that is displayed. The address pool that you choose or create must contain addresses in the corporate intranet.
Step 3  Check Install Full Tunnel Client if you want to install the full-tunnel client software at this time. You must install the full-tunnel client software on the router so that clients can download it to establish full-tunnel connectivity. If the full-tunnel software was installed along with Cisco SDM, the path to it automatically appears in the Location field. If the primary device of your router is a disk or a slot, the path that you see starts with disk or slot. If the Location field is empty, you must locate the install bundle so that Cisco SDM can load it onto the router primary device. To locate the install bundle, click the Browse button. If necessary, to download the software install bundle from Cisco.com, click the Download Latest Full Tunnel Client Install Bundle link. You can also install the client software when editing this Cisco IOS SSL VPN.

Note: If the software install bundle is not already installed, there must be sufficient memory in the router flash memory for Cisco SDM to install it after you complete this wizard.

Step 4  Check the Keep the Full Tunnel Client Software Installed on Client's PC check box if you want the full-tunnel software to remain on the client PC after users have logged off.
        If you do not check this check box, clients download the software each time they establish communication with the gateway.
Step 5  Click Advanced Tunnel Options to configure advanced options such as split tunneling, browser proxy settings, DNS servers, and Microsoft Windows Internet Name Service (WINS) servers.

Note: You might need a Cisco.com username and password to obtain software from Cisco software download sites. To obtain these credentials, click Register at the top of any Cisco.com web page, and provide the information that is asked for. Your username and password are e-mailed to you.

Customize Portal

[Figure: SSL VPN wizard, Customize SSL VPN Portal Page window]

After you finish configuring the full-tunnel settings, the SSL VPN wizard enables you to customize the portal page. The settings that you make in the Customize SSL VPN Portal Page window determine the appearance of the portal. To preview a portal that is based on a specific theme, choose a predefined theme from the Theme list, and the preview appears in the Preview area. You might want to preview several themes to determine which one you want to use.

ACE Pass-Through Configuration

For users to connect to the intranet, you must add access control entries (ACEs) to the firewall and network access control (NAC) configurations that permit SSL traffic to reach the Cisco IOS SSL VPN gateway. The SSL VPN wizard can configure these ACEs for you, or you can configure them yourself. To configure them yourself, choose Configure > Firewall and ACL > Edit Firewall Policy/ACL and make the necessary edits.

To allow the SSL VPN wizard to configure the ACEs, check the Allow SSL VPN to Work with NAC and Firewall check box. Click View Details to view the ACEs that Cisco SDM will create.
The following is an example of an entry that Cisco SDM might add:

    permit tcp any host 192.168.1.2 eq 443

This entry permits only the HTTPS listener of the gateway. If http-redirect is enabled on the gateway, the ACL must also permit TCP port 80 to the gateway address; otherwise plain HTTP requests are dropped at the firewall and the redirect never occurs. Keep the entry scoped to the gateway address and port rather than opening HTTPS to the whole intranet.

If you are editing an existing Cisco IOS SSL VPN context, the SSL VPN wizard displays the affected interface and the ACL that is applied to it. Click Modify to allow Cisco SDM to add entries to the ACL that enable SSL traffic to pass through the firewall. Click Details to view the entry that Cisco SDM will add.

Finish Wizard

[Figure: SSL VPN wizard, Summary of the Configuration window]

The final step of the SSL VPN wizard is to review the configuration. The Summary of the Configuration window also displays warnings about the configuration. Review the summary and click Finish to complete the wizard, or click Back to make any necessary changes.

Editing Cisco IOS SSL VPNs

This topic describes how to edit contexts, gateways, and policies to support Cisco IOS SSL VPNs.

Edit SSL VPN

To use Cisco SDM to modify an existing SSL VPN configuration, choose Configure > VPN > VPN > SSL VPN and click the Edit SSL VPN tab. The top portion of the tab lists the SSL VPN contexts that are configured on the router, and the bottom portion of the tab displays details for the context that you have selected. To edit an existing context, choose the context from the SSL VPN Contexts pane and click Edit. The Edit SSL VPN Context window appears, which allows you to make changes to the properties of the context. To remove a context, choose the context from the SSL VPN Contexts pane and click Delete. You can also click the Add button to configure a new Cisco IOS SSL VPN context instead of using the SSL VPN wizard.

Configuring Microsoft File Shares

[Figure: Configuring Microsoft File Shares]

In clientless mode, the remote client can access files and directories that are created on Microsoft Windows servers through the HTTPS-enabled browser.
When clientless mode is enabled, a list of file server and directory links is displayed on the portal page after the user logs in. The administrator can customize permissions on the Cisco IOS SSL VPN gateway to provide either limited read-only access to a single file or full write access and network browsing capabilities.

CIFS Support

CIFS is the protocol that provides access to Microsoft file shares and support for common operations that allow users to access and modify shared files. The portal page provides a CIFS browsing box to allow browsing and access of files on the remote NetBIOS Name Service (NBNS) servers. You can configure NBNS servers from the Edit SSL VPN Context window in Cisco SDM or from the webvpn context submode at the CLI, and you must define the NBNS list in the group policy for the given Cisco IOS SSL VPN context.

You can configure the following access capabilities for Cisco IOS SSL VPN:
- Network browsing (listing of domains)
- Domain browsing (listing of servers)
- Server browsing (listing of shares)
- Listing files in a share
- Downloading files
- Modifying files
- Creating new directories
- Creating new files
- Deleting files

Only file shares that are configured on Microsoft Windows 2000 or Microsoft Windows XP servers are supported.

NBNS Resolution

Microsoft WINS uses NBNS resolution to map and establish connections between Microsoft servers. You must identify a single server by its IP address in this configuration. You can add up to three servers to the configuration. If you add multiple servers, you should configure one server as the master browser.

Samba Support

Microsoft file shares can be accessed through the browser on a Linux system that is configured to run Samba.

Configuring CIFS

Follow these steps to enable file sharing support in Cisco IOS SSL VPN:
Step 1  From the Edit SSL VPN Context window, choose SSL VPN Context > NetBIOS Name Server List.
Step 2  In the Add NBNS Server List window, enter a name for the list in the Name field, and click Add to add a new server, click Edit to modify an existing server, or click Delete to remove an existing server. Configure a single server as the master browser if you specify multiple servers in the server list.
Step 3  Click OK when you have finished editing the NBNS server list.

The following is an example of the resulting CLI commands:

    router(config)# webvpn context policy_1
    router(config-webvpn-context)# nbns-list NBNS-Servers
    router(config-webvpn-nbnslist)# nbns-server 172.16.1.1 master
    router(config-webvpn-nbnslist)# nbns-server 172.16.2.2
    router(config-webvpn-nbnslist)# exit
    router(config-webvpn-context)# policy group policy_1
    router(config-webvpn-group)# nbns-list NBNS-Servers
    router(config-webvpn-group)# functions file-access file-browse

Port Forward Lists

[Figure: Edit SSL VPN Context window, Port Forward Lists]

A port-forwarding list is configured for thin-client mode Cisco IOS SSL VPN. Port forwarding extends the cryptographic functions of the SSL-protected browser to provide remote access to TCP-based applications such as POP3, SMTP, IMAP, Telnet, SSH, and so on.

When port forwarding is enabled, the hosts file on the client PC is modified to map the application to the port number that is configured in the forwarding list. The application port mapping is restored to the default when the user terminates the Cisco IOS SSL VPN session.

From the Edit SSL VPN Context window, you can edit the port forward lists. To do this, choose SSL VPN Context > Port Forward Lists. Port forward lists reveal TCP application services to Cisco IOS SSL VPN clients.
You can associate the lists with any group policy that is configured under the selected context. The Port Forward Lists pane contains the port forward lists that are configured for the selected context. Click a list name to display the details for the list in the Details of Port Forward List pane. The Details of Port Forward List pane displays the IP address, the port number used on the server, the corresponding port number on the client, and a description if one was entered.

You can use the Add, Edit, and Delete buttons in the Edit SSL VPN Context window to create, modify, and remove entries from the list. Each list must have a name and contain at least one server entry.

Note: Port-forward lists are part of a thin-client configuration.

The following is an example of the resulting CLI commands:

    router(config)# webvpn context policy_1
    router(config-webvpn-context)# port-forward Portlist
    router(config-webvpn-port-fwd)# local-port 3000 remote-server mail.corporate.com remote-port 25 description SMTP
    router(config-webvpn-port-fwd)# local-port 3001 remote-server mail.corporate.com remote-port 110 description POP3
    router(config-webvpn-port-fwd)# local-port 3002 remote-server mail.corporate.com remote-port 143 description IMAP4
    router(config-webvpn-port-fwd)# exit
    router(config-webvpn-context)# policy group policy_1
    router(config-webvpn-group)# port-forward Portlist

URL Lists

The URL list is a list of HTTP URLs that are displayed on the portal page after a successful login. A URL box is provided on the portal page to allow web browsing. You can configure lists of web server links that will be displayed on the portal page. The URL lists are provided to make it easier to navigate the internal websites. If you have enabled Citrix in the group policy, you can add a link in the URL list to the Citrix server.
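To make the port-forwarding mechanism concrete, the following added example (not code from this guide or from Cisco's thin client) parses the port-forward list from the CLI above, patches a hosts file so that mail.corporate.com resolves to a loopback address while the session is up, derives where the client-side forwarder must listen and what it relays to, and restores the hosts file when the session ends. The hosts file contents, the loopback addresses handed out (127.0.0.2 upward), and the marker used to find the added lines are constructed assumptions about how a forwarder could keep its changes reversible, not Cisco's on-disk format.

```python
"""Model of thin-client port forwarding driven by a webvpn port-forward list.

Added example, not Cisco code. The hosts file, the loopback addresses, and the
MARKER tag are constructed assumptions; the forward entries are the ones from
the CLI on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

FORWARD_RE = re.compile(
    r"local-port\s+(\d+)\s+remote-server\s+(\S+)\s+remote-port\s+(\d+)"
    r"(?:\s+description\s+(.*))?$")
MARKER = "# ssl-vpn-port-forward"     # assumed tag on every hosts line we add


@dataclass(frozen=True)
class Forward:
    local_port: int
    remote_server: str
    remote_port: int
    description: str = ""


def parse_port_forward_list(cli: str) -> List[Forward]:
    """Extract forward entries from port-forward submode text; other lines
    (prompts, exit, policy group) are ignored."""
    entries = []
    for line in cli.splitlines():
        m = FORWARD_RE.search(line.strip())
        if m:
            entries.append(Forward(int(m[1]), m[2], int(m[3]), (m[4] or "").strip()))
    return entries


def check_entries(entries: List[Forward]) -> List[str]:
    """Problems that make a list unusable on the client."""
    problems: List[str] = []
    seen: Dict[int, Forward] = {}
    for e in entries:
        if e.local_port < 1024:
            problems.append(f"local port {e.local_port}: binding below 1024 needs "
                            "elevated privileges on Unix-like clients")
        if e.local_port in seen:
            first = seen[e.local_port]
            problems.append(f"local port {e.local_port}: used for both "
                            f"{first.remote_server}:{first.remote_port} and "
                            f"{e.remote_server}:{e.remote_port}")
        seen.setdefault(e.local_port, e)
    return problems


def patch_hosts(hosts_text: str, entries: List[Forward]) -> str:
    """Append one loopback line per distinct remote server name."""
    lines = hosts_text.splitlines()
    names: List[str] = []
    for e in entries:
        if e.remote_server not in names:
            names.append(e.remote_server)
    for i, name in enumerate(names, start=2):
        lines.append(f"127.0.0.{i}\t{name}\t{MARKER}")
    return "\n".join(lines) + "\n"


def restore_hosts(hosts_text: str) -> str:
    """Remove exactly the lines patch_hosts added; everything else is untouched."""
    kept = [l for l in hosts_text.splitlines() if not l.endswith(MARKER)]
    return "\n".join(kept) + "\n"


def listener_table(hosts_text: str, entries: List[Forward]) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """(loopback address, local port) the forwarder listens on -> (server, port)
    it relays to through the SSL tunnel."""
    addr: Dict[str, str] = {}
    for l in hosts_text.splitlines():
        if l.endswith(MARKER):
            ip, name, _ = l.split("\t")
            addr[name] = ip
    return {(addr[e.remote_server], e.local_port): (e.remote_server, e.remote_port)
            for e in entries}


# Constructed sample: the list from the CLI above and a minimal hosts file.
PORT_FORWARD_CLI = """\
router(config-webvpn-context)# port-forward Portlist
router(config-webvpn-port-fwd)# local-port 3000 remote-server mail.corporate.com remote-port 25 description SMTP
router(config-webvpn-port-fwd)# local-port 3001 remote-server mail.corporate.com remote-port 110 description POP3
router(config-webvpn-port-fwd)# local-port 3002 remote-server mail.corporate.com remote-port 143 description IMAP4
router(config-webvpn-port-fwd)# exit
"""
SAMPLE_HOSTS = "127.0.0.1\tlocalhost\n::1\tlocalhost\n"


def session_demo() -> Tuple[Dict[Tuple[str, int], Tuple[str, int]], bool]:
    """Bring a session up, derive the listeners, tear it down. Returns the
    listener table and whether the hosts file came back byte-identical."""
    entries = parse_port_forward_list(PORT_FORWARD_CLI)
    problems = check_entries(entries)
    if problems:
        raise ValueError("; ".join(problems))
    patched = patch_hosts(SAMPLE_HOSTS, entries)
    table = listener_table(patched, entries)
    return table, restore_hosts(patched) == SAMPLE_HOSTS


if __name__ == "__main__":
    table, clean = session_demo()
    for listen, target in sorted(table.items()):
        print(f"listen {listen[0]}:{listen[1]} -> tunnel -> {target[0]}:{target[1]}")
    print("hosts file restored:", clean)
```

The marker is what makes the teardown safe: restore_hosts removes only the lines the session added, so a hosts file that already carried site-specific entries is left as it was. A forwarder that rewrote the whole file instead would silently drop those entries, which is the failure the page's "restored to the default" sentence is warning you to verify.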
From the Edit SSL VPN Context window, you can edit the URL lists. To do this, choose SSL VPN Context > URL Lists. Configure one or more URL lists for each context, and then use the group policy windows to associate these lists with specific group policies. The URL Lists pane displays all of the URL lists that are configured for the context. The Details of URL List pane displays the contents of the selected list. For each list, it displays the heading that is shown at the top of the URL list and each URL that is in the list.

Use the Add, Edit, and Delete buttons to create and manage the URL lists. You must enter a name for each URL list and heading text that will appear at the top of the URL list. Heading text should describe the overall contents of the links in the list. For example, if a URL list provides access to the health plan web pages and insurance web pages, you might use the heading text "Benefits." Click the Add button to create a new entry for the list, and click the Edit and Delete buttons to maintain the list. Each entry that you add appears in the list area.

The following is an example of the resulting CLI commands:

    router(config)# webvpn context policy_1
    router(config-webvpn-context)# url-list StudentPc
    router(config-webvpn-url)# heading "Quicklinks"
    router(config-webvpn-url)# url-text "Pod Homepage" url-value home.cisco.com
    router(config-webvpn-url)# url-text OWA url-value email.mydomain.com

Cisco Secure Desktop
- A software bundle that secures VPN desktops
- Uses a U.S. Department of Defense sanitation algorithm

Web transactions can leave cookies, browser history files, e-mail attachments, and other files on the PC after the user logs out. Cisco Secure Desktop creates a secure partition on the desktop and uses a U.S.
Department of Defense algorithm to remove the files after the session terminates. You can configure the router to install Cisco Secure Desktop on the user PC when the user logs into the Cisco IOS SSL VPN by checking the Enable Cisco Secure Desktop check box.

You must install the Cisco Secure Desktop software bundle on the router. If the software was installed along with Cisco SDM, the path to it automatically appears in the Location field, as shown:

    flash:/securedesktop-ios-3.1.0.29-k9.pkg

If the software was not installed along with Cisco SDM, click the Download Latest Cisco Secure Desktop Install Bundle link at the bottom of the window. The link takes you to the following web page, where you can log in to install the software: http://www.cisco.com/cgi-bin/tablebuild.pl/securedesktop

Cisco IOS SSL VPN Concepts

Main concepts of Cisco IOS SSL VPN:
- Cisco IOS SSL VPN gateway server settings: IP address and port; trustpoint
- Cisco IOS SSL VPN context session settings: URL lists; port-forwarding lists; authentication; install Cisco Full Tunnel, Cisco Secure Desktop, or both; associated gateway and policy group
- Policy group client settings

There are three main components to configure within Cisco IOS SSL VPN. You can configure the components using Cisco SDM wizards, menus in Cisco SDM, and the router CLI.
- Configure the Cisco IOS SSL VPN gateway: Before using the Cisco IOS SSL VPN feature, you must configure a virtual gateway and put it into service. This configuration specifies the IP address and port that Cisco IOS SSL VPN should use, and it configures the trustpoint to use. The IP address should be a public IP address that is configured on an interface or loopback interface on the Cisco IOS SSL VPN gateway. The default port is 443. By putting the virtual gateway into service, the Cisco IOS SSL VPN service is enabled on the gateway.
  A self-signed certificate is also automatically generated when a Cisco IOS SSL VPN gateway is put into service.
- Configure a Cisco IOS SSL VPN virtual context: A Cisco IOS SSL VPN virtual context is used to associate the Cisco IOS SSL VPN gateway with the configured features. You can configure multiple virtual contexts on the secure gateway, giving access to various features and access modes, depending on the domain that is configured for each context.
  Multiple context configurations can exist on the same router:
  - When the user logs in, the router determines to which context the user belongs.
  - After the router determines the context, the resources that are associated with the context are used for that user.
  - URL lists, port-forward lists, and group policies are local to the context. They cannot be shared across different contexts.
- Configure Cisco IOS SSL VPN group policies:
  - URL lists: A URL box is provided on the portal page to allow web browsing. You can configure lists of web server links that will display on the portal page. These URL lists make it easier to navigate the internal websites. The URL lists are configured in the Cisco IOS SSL VPN context submode and must be defined in the group policy for the given Cisco IOS SSL VPN context. If you enable Citrix in the group policy, you can add a link in the URL list to the Citrix server.
  - Port-forwarding lists: Port-forwarding lists are not created as part of the Cisco IOS SSL VPN wizard. Instead, you must add them after running the wizard by editing the Cisco IOS SSL VPN context.
  - NBNS lists: NBNS lists are not created as part of the Cisco IOS SSL VPN wizard. Instead, you must add them after running the wizard by editing the Cisco IOS SSL VPN context.
  - Group policy: Group policies are local to the SSL VPN context. They are defined as part of the Cisco IOS SSL VPN wizard.
    A group policy is configured for each Cisco IOS SSL VPN virtual instance. The group policy specifies the Cisco IOS SSL VPN features and parameters that the virtual instance will use. You can enable or disable the Citrix, CIFS, Cisco Secure Desktop, thin-client mode, and full-tunnel mode features in the group policy, which you then associate with the Cisco IOS SSL VPN context.

Context Commands

    router(config)# webvpn context policy_1
    router(config-webvpn-context)# login-message "Please enter your credentials"
    router(config-webvpn-context)# title "SNRS WebVPN Page"
    router(config-webvpn-context)# title-color darkseagreen
    router(config-webvpn-context)# logo file flash:/cisco.gif
    router(config-webvpn-context)# max-users 300
    router(config-webvpn-context)# secondary-color darkgreen

In addition to using Cisco SDM to configure a Cisco IOS SSL VPN, you must also perform some configuration using the CLI. You can use the CLI to customize the Cisco IOS SSL VPN portal page. Follow these steps to customize the Cisco IOS SSL VPN portal page:

Step 1  Enter Cisco IOS SSL VPN configuration mode to configure the Cisco IOS SSL VPN context.
        router(config)# webvpn context name
Step 2  Configure a message for the user login text box that is displayed on the login page.
        router(config-webvpn-context)# login-message [message-string]
Step 3  Configure the HTML title string that is shown in the browser title and on the title bar.
        router(config-webvpn-context)# title [title-string]
        The title of the page should reflect the business needs of the company.
Step 4  (Optional) Specify the color of the title bars on the login and portal pages of a Cisco IOS SSL VPN.
        router(config-webvpn-context)# title-color color
        The value for the color argument is entered as a comma-separated values (CSV) red, green, blue (RGB) value, an HTML color value (beginning with a pound sign (#)), or the name of the color that is recognized in HTML
(no spaces between words or characters). The value is limited to 32 characters and is parsed to ensure that it matches one of the mentioned formats (using Perl regex notation). The default color is purple.

Step 5 (Optional) Configure a custom logo to be displayed on the login and portal pages of a Cisco IOS SSL VPN.
router(config-webvpn-context)#logo [file filename | none]
The source image file for the logo is a .gif, .jpg, or .png file with a filename that can be up to 255 characters and a file size of up to 100 KB. The file is referenced from a local file system, such as flash memory. An error message is displayed if the file is not referenced from a local file system. No logo is displayed if the image file is removed from the local file system.

Step 6 (Optional) Limit the number of connections that are permitted to the Cisco IOS SSL VPN.
router(config-webvpn-context)#max-users number

Step 7 (Optional) Configure the color of the secondary title bars on the login and portal pages of a Cisco IOS SSL VPN.
router(config-webvpn-context)#secondary-color color
The value for the color argument is entered as a CSV RGB value, an HTML color value (beginning with a pound sign (#)), or the name of the color that is recognized in HTML (no spaces between words or characters). The value is limited to 32 characters and is parsed to ensure that it matches one of the mentioned formats (using Perl regex notation). The default color is purple.

Step 8 (Optional) Configure the color of the text on the secondary bars of a Cisco IOS SSL VPN.
router(config-webvpn-context)#secondary-text-color {black | white}
The color of the text on the secondary bars must be aligned with the color of the text on the title bar. The default color is black.
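The color, logo and max-users arguments in Steps 4 through 8 have format limits that the router only reports when the command is entered. The following Python helper is an added example, not part of the course or of Cisco IOS; it checks those limits as the guide states them (CSV RGB, #hex or HTML color name of at most 32 characters; a .gif/.jpg/.png logo from a local file system with a name of up to 255 characters and a size of up to 100 KB; black or white secondary text) and renders the context lines shown in the Context Commands example. The 0-255 range for CSV components, the 3- or 6-digit hex length, and the set of file systems treated as local are assumptions of the example.

```python
import re

# Accepted colour forms, as the guide lists them: "r,g,b" CSV, "#hex" HTML
# value, or an HTML colour name with no spaces; at most 32 characters.
# Assumed (not stated in the guide): CSV components are 0-255 and a hex
# value has 3 or 6 digits.
_CSV_RGB = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3})$")
_HTML_HEX = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")
_HTML_NAME = re.compile(r"^[A-Za-z]+$")
_LOGO_EXTS = (".gif", ".jpg", ".png")
_LOCAL_FS = ("flash", "bootflash", "disk0", "disk1")   # assumed "local file systems"
MAX_COLOR_LEN, MAX_LOGO_NAME, MAX_LOGO_BYTES = 32, 255, 100 * 1024


def valid_color(value):
    """True if value is acceptable to title-color / secondary-color."""
    if not value or len(value) > MAX_COLOR_LEN:
        return False
    m = _CSV_RGB.match(value)
    if m:
        return all(0 <= int(c) <= 255 for c in m.groups())
    return bool(_HTML_HEX.match(value) or _HTML_NAME.match(value))


def valid_logo(ref, size_bytes):
    """Check a 'logo file' reference: local file system, .gif/.jpg/.png,
    name of up to 255 characters, file of up to 100 KB."""
    fs, sep, name = ref.partition(":")
    name = name.lstrip("/")
    return (bool(sep) and fs.lower() in _LOCAL_FS
            and name.lower().endswith(_LOGO_EXTS)
            and 0 < len(name) <= MAX_LOGO_NAME
            and 0 < size_bytes <= MAX_LOGO_BYTES)


def render_context(name, login_message=None, title=None, title_color=None,
                   secondary_color=None, secondary_text_color=None,
                   logo=None, logo_size=0, max_users=None):
    """Return the CLI lines for the context; raise ValueError on bad input."""
    lines = [f"webvpn context {name}"]
    if login_message:
        lines.append(f' login-message "{login_message}"')
    if title:
        lines.append(f' title "{title}"')
    for kw, val in (("title-color", title_color), ("secondary-color", secondary_color)):
        if val is not None:
            if not valid_color(val):
                raise ValueError(f"{kw}: {val!r} is not a CSV RGB, #hex or HTML colour name")
            lines.append(f" {kw} {val}")
    if secondary_text_color is not None:
        if secondary_text_color not in ("black", "white"):
            raise ValueError("secondary-text-color must be black or white")
        lines.append(f" secondary-text-color {secondary_text_color}")
    if logo is not None:
        if not valid_logo(logo, logo_size):
            raise ValueError(f"logo: {logo!r} is not a local .gif/.jpg/.png of at most 100 KB")
        lines.append(f" logo file {logo}")
    if max_users is not None:
        if max_users < 1:
            raise ValueError("max-users must be a positive integer")
        lines.append(f" max-users {max_users}")
    return lines
```

Calling render_context("policy_1", login_message="Please enter your credentials", title="SNRS WebVPN Page", title_color="darkseagreen", secondary_color="darkgreen", logo="flash:/cisco.gif", logo_size=40 * 1024, max_users=300) returns the seven lines of the Context Commands example; a value such as "dark sea green" (spaces) or "46,139,300" (component out of range) is rejected before it reaches the router.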
Gateway Commands

router(config)#webvpn gateway SNRS
router(config-webvpn-gateway)#hostname rP
router(config-webvpn-gateway)#http-redirect
router(config-webvpn-gateway)#ip address 10.0.1.1 port 443
router(config-webvpn-gateway)#ssl encryption aes-sha1
router(config-webvpn-gateway)#ssl trustpoint CA
router(config-webvpn-gateway)#inservice

Configuring the Virtual Gateway

The WebVPN gateway acts as a proxy for connections to protected corporate resources. Protected resources are accessed through an SSL-encrypted connection between the gateway and a web-enabled browser on a remote client. You use the webvpn gateway command to place the router in SSL VPN gateway configuration mode. You should observe the following restrictions when configuring the WebVPN gateway:

- Only one gateway is configured in a Cisco IOS WebVPN-enabled network.
- The configuration of the ssl trustpoint command is required only if you must configure a specific CA certificate. A self-signed certificate is automatically generated when a WebVPN gateway is put in service. Browsers cannot validate a self-signed certificate, so every remote user sees a certificate warning until the certificate is installed on the client; for anything beyond a lab, enroll the gateway with a CA that the clients already trust and reference that certificate with ssl trustpoint.

Follow these steps to configure a WebVPN gateway:

Step 1 Name the gateway and enter SSL VPN gateway configuration mode.
router(config)#webvpn gateway name
In the example, the command is webvpn gateway SNRS.

Step 2 Specify the hostname for the WebVPN gateway.
router(config-webvpn-gateway)#hostname name
In the example, the command is hostname rP.

Step 3 Configure HTTP traffic to be carried over HTTPS.
router(config-webvpn-gateway)#http-redirect [port number]

Note When this command is enabled, the WebVPN gateway listens on port 80 and redirects HTTP requests to HTTPS on port 443, or on the port number that is specified with the port keyword.

Step 4 Configure a proxy IP address for the WebVPN gateway.
router(config-webvpn-gateway)#ip address address [port number] [secondary]
- A secondary address must be configured if the proxy IP address is not on a directly connected network.
- A secondary address does not reply to Address Resolution Protocol (ARP) or Internet Control Message Protocol (ICMP) messages.
In the example, the command is ip address 10.0.1.1 port 443.

Step 5 Specify the encryption algorithm that the SSL protocol uses for Cisco IOS SSL VPN connections.
router(config-webvpn-gateway)#ssl encryption [3des-sha1] [aes-sha1] [rc4-md5]
In the example, the command is ssl encryption aes-sha1.

Note The Cisco IOS SSL VPN provides remote-access connectivity from almost any Internet-enabled location using only a web browser and its native SSL encryption. The ssl encryption command is configured to restrict the encryption algorithms that SSL uses in Cisco IOS Software. Of the three keywords, only aes-sha1 is a current-generation choice; rc4-md5 and 3des-sha1 are legacy suites kept for older browsers and should be left out, as in the example, unless such clients must be supported.

Step 6 Configure the certificate trustpoint for the WebVPN gateway.
router(config-webvpn-gateway)#ssl trustpoint name
In the example, the command is ssl trustpoint CA.

Note Entering the no form of this command configures the WebVPN gateway to revert to using an autogenerated self-signed certificate.

Step 7 Enable the WebVPN gateway.
router(config-webvpn-gateway)#inservice

Policy Group Commands

router(config)#webvpn context policy_1
router(config-webvpn-context)#policy group policy_1
router(config-webvpn-group)#banner "Login Successful"
router(config-webvpn-group)#nbns-list NBNS-SERVERS
router(config-webvpn-group)#timeout idle 1600
router(config-webvpn-group)#timeout session 36000
router(config-webvpn-group)#url-list StudentPC
router(config-webvpn-group)#port-forward Portlist

Configuring a Policy Group

You can also use the CLI to configure a policy group. The policy group is a container that defines the presentation of the portal and the permissions for resources that are configured for a group of remote users. Entering the policy group command places the router in SSL VPN group policy configuration mode. After you configure a group policy, you attach it to the Cisco IOS SSL VPN context configuration using the default-group-policy command:
router(config-webvpn-context)#default-group-policy policy_1

Follow these steps to create a Cisco IOS SSL VPN group policy:

Step 1 Enter SSL VPN configuration mode.
router(config)#webvpn context context-name

Step 2 Enter SSL VPN group policy configuration mode.
router(config-webvpn-context)#policy group name

Step 3 Configure a banner that is displayed after successful login.
router(config-webvpn-group)#banner string
The string parameter can contain 7-bit ASCII values, HTML tags, and escape sequences; the text banner must be in quotation marks if it contains spaces.

Step 4 Attach an NBNS server list to this policy group configuration.
router(config-webvpn-group)#nbns-list name

Note You first define the NBNS server list in SSL VPN NBNS list configuration mode.

Step 5 Configure the remote user session idle time or the total length of time that a session can remain connected.
router(config-webvpn-group)#timeout {idle seconds | session seconds}

timeout Parameters
Parameter          Description
idle seconds       Configures the length of time that an end-user connection can remain idle
session seconds    Configures the total length of time that an end user can maintain a single connection

Step 6 Attach a URL list to this policy group configuration.
router(config-webvpn-group)#url-list name
The name parameter is the name of the URL list that was configured in SSL VPN context configuration mode.

Step 7 Attach a port-forwarding list to this group policy. You use this command when you are configuring the thin-client access mode.
router(config-webvpn-group)#port-forward portlist-name
Verifying SSL VPN Functionality

This topic describes how to monitor and verify Cisco IOS SSL VPNs.

SSL VPN Login Page

When the HTTPS connection is established, a warning about the SSL/TLS certificate might display. If the warning displays, the remote user should install this certificate. If the warning does not display, the system already has a certificate that the browser trusts. The warning means the browser could not validate the gateway certificate, which is the case for the autogenerated self-signed certificate or for a certificate from a CA the client does not know; a user should accept such a certificate only after checking its fingerprint through a channel other than the connection itself, and a production gateway should avoid the warning altogether by using a CA-issued certificate referenced with ssl trustpoint, because users who are trained to click through the warning will also click through it on an impostor gateway.

The remote user is then connected to the login page. The login page prompts remote users to enter their username and password, which are entered into an HTML form. If an authentication failure occurs, the login page displays an error message. A message appears when a login has been successful. The login page has logos, titles, messages, and colors, which you can customize.

The portal page is the main page for the Cisco IOS SSL VPN functionality. Only items that you have configured display on the portal page.

Note E-mail access is supported by thin-client mode, which is downloaded using the Start Application Access link.

Remote users can enter an address or URL path of a website that they want to visit either in the text box on the portal page or in the text box on the floating toolbar. Pages from the remote server are displayed in the browser window. The remote user can then browse to other links on the page. The figure illustrates the portal page of a typical website. By clicking the home icon on the floating toolbar, the remote user can go back to the portal page.

A floating toolbar (see figure) allows the remote user to enter URLs, browse file locations, and choose preconfigured web connections without interfering with the main browser window. The floating toolbar represents the Cisco IOS SSL VPN session.
The next figure shows what happens when the remote user clicks the logout button. If a remote user clicks the window close button, the Cisco IOS SSL VPN gateway prompts the user to confirm that they want to close the session. The logout page displays if the remote user clicks the logout link or if the session terminates because of an idle timeout or a maximum connection timeout.

show webvpn gateway Command

router#show webvpn gateway SNRS-GW
Admin Status: up
Operation Status: up
IP: 10.0.2.2

The figure shows sample output from the show webvpn gateway command, entered without parameters and with a specific Cisco IOS SSL VPN gateway name. The output shows that the gateway is up and running using a self-signed certificate.

show webvpn context Command

router#show webvpn context
Codes: AS - Admin Status, OS - Operation Status

Context Name        Gateway    Domain/VHost   VRF    AS     OS
Default_context     n/a        n/a            n/a    down   down
policy_1            SNRS-GW    one            -      up     up

The figure shows sample output from the show webvpn context command. Note that the SSL VPN gateway is not running in the default virtual context, but is running in the context named "policy_1".

show webvpn context name Command

router#show webvpn context policy_1
Admin Status: up
Operation Status: up
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List not configured
Default Group Policy: policy_1
Associated WebVPN Gateway: SNRS-GW
Maximum Users Allowed: 10000 (default)
VRF Name not configured

The figure shows sample output from the show webvpn context [name] command, entered with the name of a specific Cisco IOS SSL VPN context. Note that the context is up and running and that the other parameters are default parameters.

show webvpn policy group Command

router#show webvpn policy group policy_1 context SNRS
WEBVPN: group policy = policy_1 ; context = SNRS
  idle timeout = 2100 sec
  session timeout = 43200 sec
  port forward name = "Portlist"
  nbns list name = "NBNS-Servers"
  functions = file-access file-browse file-entry svc-enabled
  address pool name = "webvpn-pool"
  dpd client timeout = 300 sec
  dpd gateway timeout = 300 sec
  keep sslvpn client installed = disabled
  rekey interval = 3600 sec
  rekey method =
  lease duration = 43200 sec
  split include = 10.0.0.0 255.0.0.0
  split include = 192.168.0.0 255.255.0.0
  DNS primary server = 172.16.32.10

The figure shows sample output from the show webvpn policy group command. In the example, the group "policy_1" has port forwarding ("Portlist"), Windows file servers ("NBNS-Servers"), the full-tunnel SSL VPN client with an address pool, and split tunneling configured.

The figure shows sample output from the show webvpn session context command. This output shows that there are currently two clients connected to the gateway using a context of "policy_1".

The figure shows sample output from the show webvpn session user command. In the example, user1 is logged in as a member of group "ON…".

Troubleshooting SSL VPN

Many debug webvpn commands are available to troubleshoot Cisco IOS SSL VPN. The table shows some of the more helpful debug commands that are available.

Debug Commands
Command                       Description
debug webvpn                  Enables Cisco IOS SSL VPN basic session monitoring
debug webvpn aaa              Displays AAA debug messages
debug webvpn cifs             Displays CIFS debug messages
debug webvpn citrix           Displays Citrix debug messages
debug webvpn cookie           Displays cookie debug messages
debug webvpn dns              Displays DNS messages
debug webvpn http             Displays HTTP messages
debug webvpn port-forward     Displays port-forwarding debug messages
debug webvpn webservice       Displays web service debug messages

Note Debug output on a busy gateway is high-volume, and the http and cookie traces expose session identifiers of live users; enable only the keyword you need and turn it off with undebug all when you are finished.

clear Commands

router#clear webvpn session user user1 context all
router#clear webvpn session context all
router#clear webvpn nbns
router#clear webvpn stats

There are clear commands that clear the NBNS cache, the Cisco IOS SSL VPN sessions, and the Cisco IOS SSL VPN statistics.

To clear Cisco IOS SSL VPN remote user sessions, use the following command:
router#clear webvpn session [user name] context {name | all}

clear webvpn session Parameters
Parameter              Description
user name              (Optional) Clears session information for a specific user
context {name | all}   Clears session information for a specific context or all contexts

Use this command to clear the session for either the specified remote user or all remote users in the specified context.
To clear the NBNS cache on a Cisco IOS SSL VPN gateway, use the following command:
router#clear webvpn nbns [context {name | all}]

clear webvpn nbns Parameters
Parameter       Description
context name    (Optional) Clears NBNS statistics for a specific context
context all     (Optional) Clears NBNS statistics for all contexts

Entering this command without any keywords or arguments clears all NBNS counters on the network device.

To clear (or reset) Cisco IOS SSL VPN application and access counters, use the following command:
router#clear webvpn stats [{cifs | citrix | mangle | port-forward | tunnel}] [context {name | all}]

clear webvpn stats Parameters
Parameter              Description
cifs                   (Optional) Clears Microsoft Windows file share (CIFS) statistics
citrix                 (Optional) Clears Citrix application statistics
mangle                 (Optional) Clears URL mangling statistics
port-forward           (Optional) Clears port-forwarding statistics
tunnel                 (Optional) Clears Cisco SVC tunnel statistics
context {name | all}   (Optional) Clears information for either a specific context or all contexts

You use this command to clear counters for Microsoft Windows file shares, Citrix applications, URL mangling, application port forwarding, and Cisco SVC tunnels. The counters are cleared for either the specified context or all contexts on the Cisco IOS SSL VPN gateway.

Summary

This topic summarizes the key points that were discussed in this lesson.

- The Cisco IOS SSL VPN feature provides support for remote-user access to enterprise networks from anywhere on the Internet.
- In clientless mode, the remote user accesses the internal or corporate network using a web browser. In thin-client mode, the remote user downloads a Java applet.
- You must configure AAA for Cisco IOS SSL VPN authentication.
- Configuring a basic WebVPN portal includes configuring a gateway, a context, and group policies.
- Port-forwarding lists are created in the Edit SSL VPN Context window.
- Several show commands are available to verify Cisco IOS SSL VPN functionality.

Module Summary

This topic summarizes the key points that were discussed in this module.

- After you configure the Cisco Easy VPN Server, you can create a VPN connection with minimal configuration on a Cisco Easy VPN Remote.
- The Cisco IOS SSL VPN feature provides support for remote-user access to enterprise networks from anywhere on the Internet.

The Cisco Self-Defending Network vision of secure communications includes secure remote access. This module addressed two ways to accomplish secure remote access: IP Security (IPsec) and Secure Sockets Layer (SSL) remote-access virtual private networks (VPNs). Collectively, the security objectives of confidentiality, integrity, and availability can all be achieved with these secure remote-access solutions.

References

For additional information, refer to these resources:
- Cisco Systems, Inc. Tools & Resources: Software Download: Cisco Secure Desktop. http://www.cisco.com/cgi-bin/tablebuild.pl/securedesktop
