IOS VPN

From Hurlster Wiki
Jump to navigation Jump to search

IPSec Network Security

IPsec Site to Site

Cisco IOS: 2811 to 837 via PAT/NAT router

    • Must forward port TCP/UDP 4500 and TCP/UDP 500 in router to Cisco837.

Cisco837(privatenet) -> PAT-Router -> Internet -> Cisco2811

Cisco 837

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key n3tInS address 167.142.60.62 (peer router)
crypto isakmp nat keepalive 10
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac 
!
crypto map CISCO 10 ipsec-isakmp 
 set peer 167.142.60.62
 set transform-set STRONG
 set pfs group2
 match address 101
!
!                          (local LAN subnet)  (remote LAN subnet)
access-list 101 permit ip 198.133.143.0 0.0.0.255 167.142.49.0 0.0.0.255 log
!
interface Ethernet0
 description To_F1-3
 ip address dhcp
 crypto map CISCO
!
interface Ethernet2
 description F4_to_LAN
 ip address 198.133.143.254 255.255.255.0
!

Cisco 2811

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key n3tInS hostname home.gotdns.com
crypto isakmp nat keepalive 10
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac 
!
!
!
crypto map CISCO 10 ipsec-isakmp 
 set peer home.gotdns.com dynamic
 set transform-set STRONG
 set pfs group2
 match address 101
!                          (local LAN subnet)  (remote LAN subnet)
access-list 101 permit ip 167.142.49.0 0.0.0.255 198.133.143.0 0.0.0.255
!
interface Serial0/0/0:0
 ip address 167.142.60.62 255.255.255.252
 encapsulation ppp
 crypto map CISCO
!
interface GigabitEthernet0/0
 description PublicNetwork
 ip address 167.142.49.254 255.255.255.0

WebVPN IOS (selfsigned)

Step 1:

The following command creates the keys that are what the certificate will be referencing, they work together.
It is very important for these keys to be exportable. This allows the keys to be moved the the redundant router.
webvpn(config)#crypto key generate rsa general-keys label webvpn.domain.com exportable

The name for the keys will be: webvpn.domain.com Choose the size of the key modulus in the range
of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be exportable...[OK]
Note: to export a rsa keypair(public and private)
webvpn(config)#crypto key export rsa key-label pem url flash:filename.pem 3des passphrase

Step 2:

Create a trustpoint to declare the CA and also specify any characteristics for the CA.
webvpn(config)#crypto pki trustpoint webvpn.domain.com
webvpn(ca-trustpoint)#enrollment selfsigned 
webvpn(ca-trustpoint)#subject-name C=US, ST=State, CN=webvpn.domain.com, O=me, OU=me
webvpn(ca-trustpoint)#fqdn webvpn.domain.com
webvpn(ca-trustpoint)#rsakeypair webvpn.domain.com
webvpn(ca-trustpoint)#exit 

Step 3:

Enroll the webvpn.domain.com domaint to acquire the Certificate Request key
webvpn(config)#crypto ca enroll webvpn.domain.com
% Start certificate enrollment .. 

% The subject name in the certificate will include: C=US, ST=State, CN=webvpn.domain.com, O=me, OU=me
% The subject name in the certificate will include: webvpn.domain.com
% Include the router serial number in the subject name? [yes/no]: no
Generate Self Signed Router Certificate? [yes/no]: yes 

Router Self Signed Certificate successfully created

WebVPN Configuration

Virtual Template interface to enable nat from private IPs

interface Virtual-Template2
 description SSLVPN_NAT
 ip unnumbered BVI1
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool ssl-pool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!

Pool for dialin(vpn) computers

ip local pool ssl-pool 192.168.0.200 192.168.0.205

WebVPN web interface

webvpn gateway gateway_1
 hostname webvpn.domain.com
 ip address 123.123.123.123 port 443  
 http-redirect port 80
 ssl trustpoint webvpn.domain..com
 logging enable
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-2.5.1025-k9.pkg sequence 1
 !
webvpn context mysslvpn
 ssl authenticate verify all
 !
 !
 policy group policy_1
   functions svc-enabled
   hide-url-bar
   svc address-pool "ssl-pool"
   svc default-domain "domain.com"
   svc keep-client-installed
   svc split exclude local-lans
   svc dns-server primary 192.168.0.254
   svc dns-server secondary 8.8.8.8
 virtual-template 2
 default-group-policy policy_1
 aaa authentication list local_auth
 gateway gateway_1 domain vpn
 logging enable
 inservice
!

iPhone to IOS VPN(IPSec)

Configuration Example

version 12.3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service dhcp
!
hostname C2651
!
! *** Setup aaa
aaa new-model
aaa authentication login local_auth local
aaa session-id common
!
!
clock timezone MST -7
clock summer-time MDT recurring
ip cef
!
! *** Enter a username and password here
username vpnuser password 7 ********************
!
!
! *** This policy is for phase 1 for the vpn client
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
!
! *** This part sets up the group password (Group Name: VPNCLIENT/Secret: secretkey)
! *** make sure you enter your dns/wins/domain name also
crypto isakmp client configuration group VPNCLIENT
key secretkey
dns 10.2.2.5
wins 10.2.2.5
domain domain.local
pool VPNCLIENT_ADDRESSES
acl 101
! *** we use acl 101 to control what goes in the network..
!
! *** We setup a isakmp (phase 1) profile for the vpnclient
! *** Tell it to use local_auth aaa to get the username/password
crypto isakmp profile vpn-isakmp-profile
match identity group VPNCLIENT
client authentication list local_auth
isakmp authorization list local_auth
client configuration address initiate
client configuration address respond
!
! *** THIS is the part where we specify PHASE 2.
! *** We set the transform to esp-aes 256bit with sha-hmac
crypto ipsec transform-set esp-aes-sha esp-aes 256 esp-sha-hmac
!
! *** we then set up to use that transport-set and the isakmp profile
crypto dynamic-map VPNCLIENT_MAP 1
set transform-set esp-aes-sha
set security-association lifetime seconds 3600
set isakmp-profile vpn-isakmp-profile
reverse-route
! *** lifetime may not show up as 3600 may already be the default
!
! *** We then associate it to the vpn map.
crypto map vpn 4 ipsec-isakmp dynamic VPNCLIENT_MAP
!
! *** Internal NIC
interface FastEthernet0/0
ip address 10.2.2.1 255.255.255.0
no ip proxy-arp
ip nat inside
duplex auto
speed auto
!
! *** External NIC
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
crypto map vpn
! *** We connect the vpn map to the external NIC
!
! *** We specify a dhcp pool address
ip local pool VPNCLIENT_ADDRESSES 10.0.0.1 10.0.0.254
!
! *** we add acl 101 to accept connectivity from 10.0.0.0/24 to the internal network
access-list 101 remark CVPN ACL
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.0.0.0 0.0.0.255

On the iPhone side:

  • Description: <your choosing>
  • Server: IP or hostname of the router
  • Account: vpnuser
  • Password: password
  • Use Certificate: off
  • Group Name: VPNCLIENT
  • Secret: secretkey

I hope this makes sense… to recap:

This config setups:

Cisco VPN Client with AAA authentication.
Tested with CVPN Mac OS X v4.9.01 (0100) and iPhone v2.2

Phase 1: 3DES/SHA Group 2 Lifetime 3600 Seconds
Phase 2: AES256/SHA Lifetime 3600 Seconds Tunnel Mode

Internal: 10.2.2.0/24 VPN IPs: 10.0.0.0/24 WAN: DHCP

iPhone to IOS VPN (PPTP)

Caveat is that it won't work through firewall(client iPhone side)
the "username" account has to use PASSWORD not SECRET

username client password testclient
!
interface Virtual-Template1
 ip unnumbered Dialer0
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool ssl-pool
 ppp mtu adaptive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
 ppp eap refuse callin
!
vpdn enable
!
vpdn-group PPTPVPN
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 lcp renegotiation on-mismatch
 l2tp tunnel timeout no-session 15
!
aaa authentication ppp default local
aaa authorization network default local 
!

Cisco IOS Certificate Server set-up and client enrolment

A quick step by step overview of how to configure the certificate server on a Cisco IOS device.

The certificate server functionality was added in version 12.3(4). It is only available in in security images or higher. We can use this functionality to provide scalable authentication for VPN set-ups.

These are the seven basic steps that are needed to configure a fictional root certificate server on the CA IOS device shown in the topology below. If you would like to try yourself the initial GNS3 net file is [here] which includes all the basic config. The lab was made using 3600 routers running Version 12.4(16a) of IOS.

Certificate Server
Step 	Description
1 	RSA key pair
2 	PKI Trustpoint
3 	Certificate Server
4 	Issuing Policy
5 	CRL
6 	SCEP
7 	Enable the Certificate server

1. RSA Key Pair – First step is to generate a private/public key pair on the CA router. The private key will be used to sign “user” certificates and the public key will distributed and used to verify certificates. In the example below our keys are labelled CE-Key.

CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CA(config)#crypto key generate rsa usage-keys label CA-Key modulus 2048 exportable
The name for the keys will be: CA-Key

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be exportable...[OK]
% Generating 2048 bit RSA keys, keys will be exportable...[OK]

2. PKI Trustpoint – The trustpoint configures what key pair will be used within the certificate server.

CA(config)#crypto pki trustpoint CA-Server
CA(ca-trustpoint)#rsakeypair CA-Key

3. Certificate Server – Now we create and configure the actual certificate server. We configure it using the same name as the trustpoint from step 2. Then we configure a local location for the database (this can be remote) and set the database storage level to complete. Finally we configure the X.500 name information using the X.500 distinguished name (DN) format.

CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CA(config)#crypto pki server CA-Server
CA(cs-server)#database url flash:/CA-Server
CA(cs-server)#database level ?
  complete  Each issued certificate is saved to the database
  minimum   Minimum certificate info is saved to the database
  names     Certificate serial-number & subject name is saved to the database

CA(cs-server)#database level complete
CA(cs-server)#issuer-name C=UK,L=m00nietown,O=m00nieCo,OU=x.509 certs,CN=m00nie.com VPN

4. Issuing Policy – We can either manually grant all certificate requests or automattically grant all requests. We will configure a password to provide some additional authentication when users try to enrol. First we configure sha-1 as the hash algorithm used to sign the certificates with (MD5 is the default). We configure the lifetime of the certificate servers signing certificate (5 years) when this expires all issued certificates are invalidated and users will have to re-enrol. Now we configure the lifetime of client issued certificates after which clients will have to re-enrol. Both lifetimes are counted in days.

CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CA(config)#crypto pki server CA-Server
CA(cs-server)#hash sha1
CA(cs-server)#lifetime ca-certificate 1825
CA(cs-server)#lifetime certificate 730
CA(cs-server)#no grant auto
</re>
5. CRL – Now we define the revocation policy used to create and maintain the Certificate Revocation List (CRL). In this example we configure the CRL to only be valid for an hour (the minimum) and publish the CRL on the router itself using the cdp-url http://MYROUTERIP/cgi-bin/pkiclient.exe?operation=GetCRL command. Note - to enter the “?” you may need to press “Ctrl+V” before entering it!!
<pre>
CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CA(config)#crypto pki server CA-Server
CA(cs-server)#lifetime crl 1
CA(cs-server)#cdp-url http://1.1.1.1/cgi-bin/pkiclient.exe?operation=GetCRL

6. SCEP – To ease admin burden and provide scalability we “configure” the use of Simple Certificate Enrollment Protocol (SCEP). This is done by enabling the IOS HTTP server.

CA#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CA(config)#ip http server

7. Enable Certificate server – Finally we enable the certificate server now that all the prereqisits have been configured :) First we must ensure that the time of the Certificate Server is correct! In this example we configure the CA router as a NTP master then enable the server. Well configured and synchronised time on all devices is very important in a PKI environment!!

CA(config)#clock timezone GMT 0 0
CA(config)#ntp master
CA(config)#crypto pki server CA-Server
CA(cs-server)#no shutdown
%Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or type Return to exit
Password:
% Password must be more than 7 characters. Try again
% or type Return to exit
Password:

Re-enter password:

%Some server settings cannot be changed after CA certificate generation.
% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.

Now the Certificate server is configured and running :) We can validate this with the show crypto pki server command.

CA#show crypto pki server
Certificate Server CA-Server:
    Status: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: C=UK,L=m00nietown,O=m00nieCo,OU=x.509 certs,CN=m00nie.com VPN
    CA cert fingerprint: 042C977E 813C0A67 87D794DF C16B10C2
    Granting mode is: manual
    Last certificate issued serial number: 0x1
    CA certificate expiration timer: 02:27:25 GMT Feb 28 2007
    CRL NextUpdate timer: 03:27:25 GMT Mar 1 2002
    Current storage dir: flash:/CA-Server
    Database Level: Complete - all issued certs written as <serialnum>.cer
CA#

Just to note that any further changes will require the certificate server to be shutdown.

Client Enrolment
Step 	Description
1 	RSA key pair
2 	PKI Trustpoint / SCEP
3 	CA certificate installation
4 	Erollment Request

1. RSA key pair – Much the same as on the CA router generate a public/private key pair.

VPN_Guy#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
VPN_Guy(config)#crypto key generate rsa general-keys label VPN-Key modulus 2048 exportable
The name for the keys will be: VPN-Key

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be exportable...[OK]

*Mar  1 04:34:57.814: %SSH-5-ENABLED: SSH 1.99 has been enabled

2. PKI Trustpoint / SCEP – Now we need to configure the trustpoint to tell the client how we would like it to enrol.

VPN_Guy(config)#crypto pki trustpoint CA-Server
VPN_Guy(ca-trustpoint)#enrollment url http://1.1.1.1
VPN_Guy(ca-trustpoint)#revocation-check crl
VPN_Guy(ca-trustpoint)#fqdn VPN_Guy.m00nie.com
VPN_Guy(ca-trustpoint)#subject-name CN=VPN_Guy,OU=X.509,O=m00nieCo,C=UK
VPN_Guy(ca-trustpoint)#rsakeypair VPN-Key

3. CA certificate – Now we need to install the CA server certificate (and verify it).

VPN_Guy(config)#crypto pki authenticate CA-Server
Certificate has the following attributes:
       Fingerprint MD5: 042C977E 813C0A67 87D794DF C16B10C2
      Fingerprint SHA1: 8B182326 5FD01A2A 67572725 D3667D64 73FE9D30

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

verify the fingerprint against the output of show crypto pki server on the Certificate server.

CA#show crypto pki server
 ..
    CA cert fingerprint: 042C977E 813C0A67 87D794DF C16B10C2
..

4. Enrolment request – Now we simple enrol with the certificate server.

 VPN_Guy(config)#crypto pki enroll CA-Server

Then on the CA router

CA#crypto pki server CA-Server info requests
Enrollment Request Database:

Subordinate CA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

RA certificate requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------

Router certificates requests:
ReqID  State      Fingerprint                      SubjectName
--------------------------------------------------------------
1      granted    BE142DCED9C067269D1F4E740C34B77F hostname=VPN_Guy.m00nie.com,cn=VPN_Guy,ou=X.509,o=m00nieCo,c=UK

And grant the request like with the command crypto pki server CA-Server grant 1.

Now we can confirm that the VPN_Guy router has the signed certificate returned from the Certificate server

VPN_Guy#show crypt pk certificates
Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Issuer:
    c=UK
    l=m00nietown
    o=m00nieCo
    ou=x.509 certs
    cn=m00nie.com VPN
  Subject:
    Name: VPN_Guy.m00nie.com
    hostname=VPN_Guy.m00nie.com
    cn=VPN_Guy
    ou=X.509
    o=m00nieCo
    c=UK
  CRL Distribution Points:

http://1.1.1.1/cgi-bin/pkiclient.exeoperation=GetCRL

  Validity Date:
    start date: 00:19:30 UTC Mar 1 2002
    end   date: 00:19:30 UTC Feb 29 2004
  Associated Trustpoints: CA-Server

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    c=UK
    l=m00nietown
    o=m00nieCo
    ou=x.509 certs
    cn=m00nie.com VPN
  Subject:
    c=UK
    l=m00nietown
    o=m00nieCo
    ou=x.509 certs
    cn=m00nie.com VPN
  Validity Date:
    start date: 00:05:27 UTC Mar 1 2002
    end   date: 00:05:27 UTC Feb 28 2007
  Associated Trustpoints: CA-Server

Now we have a signed certificate installed and ready to use!