IOS VPN
IPsec Site to Site
Cisco IOS: 2811 to 837 via PAT/NAT router
- Must forward port TCP/UDP 4500 and TCP/UDP 500 in router to Cisco837.
- Must forward port TCP/UDP 4500 and TCP/UDP 500 in router to Cisco837.
Cisco837(privatenet) -> PAT-Router -> Internet -> Cisco2811
Cisco 837
crypto isakmp policy 5 encr 3des authentication pre-share group 2 lifetime 28800 crypto isakmp key n3tInS address 167.142.60.62 (peer router) crypto isakmp nat keepalive 10 ! crypto ipsec transform-set STRONG esp-3des esp-sha-hmac ! crypto map CISCO 10 ipsec-isakmp set peer 167.142.60.62 set transform-set STRONG set pfs group2 match address 101 ! ! (local LAN subnet) (remote LAN subnet) access-list 101 permit ip 198.133.143.0 0.0.0.255 167.142.49.0 0.0.0.255 log ! interface Ethernet0 description To_F1-3 ip address dhcp crypto map CISCO ! interface Ethernet2 description F4_to_LAN ip address 198.133.143.254 255.255.255.0 !
Cisco 2811
crypto isakmp policy 5 encr 3des authentication pre-share group 2 lifetime 28800 crypto isakmp key n3tInS hostname home.gotdns.com crypto isakmp nat keepalive 10 ! crypto ipsec transform-set STRONG esp-3des esp-sha-hmac ! ! ! crypto map CISCO 10 ipsec-isakmp set peer home.gotdns.com dynamic set transform-set STRONG set pfs group2 match address 101 ! (local LAN subnet) (remote LAN subnet) access-list 101 permit ip 167.142.49.0 0.0.0.255 198.133.143.0 0.0.0.255 ! interface Serial0/0/0:0 ip address 167.142.60.62 255.255.255.252 encapsulation ppp crypto map CISCO ! interface GigabitEthernet0/0 description PublicNetwork ip address 167.142.49.254 255.255.255.0
WebVPN IOS (selfsigned)
Step 1:
- The following command creates the keys that are what the certificate will be referencing, they work together.
- It is very important for these keys to be exportable. This allows the keys to be moved the the redundant router.
webvpn(config)#crypto key generate rsa general-keys label webvpn.domain.com exportable The name for the keys will be: webvpn.domain.com Choose the size of the key modulus in the range
of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be exportable...[OK]
- Note: to export a rsa keypair(public and private)
webvpn(config)#crypto key export rsa key-label pem url flash:filename.pem 3des passphrase
Step 2:
- Create a trustpoint to declare the CA and also specify any characteristics for the CA.
webvpn(config)#crypto pki trustpoint webvpn.domain.com webvpn(ca-trustpoint)#enrollment selfsigned webvpn(ca-trustpoint)#subject-name C=US, ST=State, CN=webvpn.domain.com, O=me, OU=me webvpn(ca-trustpoint)#fqdn webvpn.domain.com webvpn(ca-trustpoint)#rsakeypair webvpn.domain.com webvpn(ca-trustpoint)#exit
Step 3:
- Enroll the webvpn.domain.com domaint to acquire the Certificate Request key
webvpn(config)#crypto ca enroll webvpn.domain.com % Start certificate enrollment .. % The subject name in the certificate will include: C=US, ST=State, CN=webvpn.domain.com, O=me, OU=me % The subject name in the certificate will include: webvpn.domain.com % Include the router serial number in the subject name? [yes/no]: no Generate Self Signed Router Certificate? [yes/no]: yes Router Self Signed Certificate successfully created
WebVPN Configuration
Virtual Template interface to enable nat from private IPs
interface Virtual-Template2 description SSLVPN_NAT ip unnumbered BVI1 ip nat inside ip virtual-reassembly peer default ip address pool ssl-pool ppp encrypt mppe auto required ppp authentication ms-chap ms-chap-v2 !
Pool for dialin(vpn) computers
ip local pool ssl-pool 192.168.0.200 192.168.0.205
WebVPN web interface
webvpn gateway gateway_1 hostname webvpn.domain.com ip address 123.123.123.123 port 443 http-redirect port 80 ssl trustpoint webvpn.domain..com logging enable inservice ! webvpn install svc flash:/webvpn/anyconnect-win-2.5.1025-k9.pkg sequence 1 ! webvpn context mysslvpn ssl authenticate verify all ! ! policy group policy_1 functions svc-enabled hide-url-bar svc address-pool "ssl-pool" svc default-domain "domain.com" svc keep-client-installed svc split exclude local-lans svc dns-server primary 192.168.0.254 svc dns-server secondary 8.8.8.8 virtual-template 2 default-group-policy policy_1 aaa authentication list local_auth gateway gateway_1 domain vpn logging enable inservice !
iPhone to IOS VPN(IPSec)
Configuration Example
version 12.3 service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption no service dhcp ! hostname C2651 ! ! *** Setup aaa aaa new-model aaa authentication login local_auth local aaa session-id common ! ! clock timezone MST -7 clock summer-time MDT recurring ip cef ! ! *** Enter a username and password here username vpnuser password 7 ******************** ! ! ! *** This policy is for phase 1 for the vpn client crypto isakmp policy 10 encr 3des authentication pre-share group 2 lifetime 3600 ! ! *** This part sets up the group password (Group Name: VPNCLIENT/Secret: secretkey) ! *** make sure you enter your dns/wins/domain name also crypto isakmp client configuration group VPNCLIENT key secretkey dns 10.2.2.5 wins 10.2.2.5 domain domain.local pool VPNCLIENT_ADDRESSES acl 101 ! *** we use acl 101 to control what goes in the network.. ! ! *** We setup a isakmp (phase 1) profile for the vpnclient ! *** Tell it to use local_auth aaa to get the username/password crypto isakmp profile vpn-isakmp-profile match identity group VPNCLIENT client authentication list local_auth isakmp authorization list local_auth client configuration address initiate client configuration address respond ! ! *** THIS is the part where we specify PHASE 2. ! *** We set the transform to esp-aes 256bit with sha-hmac crypto ipsec transform-set esp-aes-sha esp-aes 256 esp-sha-hmac ! ! *** we then set up to use that transport-set and the isakmp profile crypto dynamic-map VPNCLIENT_MAP 1 set transform-set esp-aes-sha set security-association lifetime seconds 3600 set isakmp-profile vpn-isakmp-profile reverse-route ! *** lifetime may not show up as 3600 may already be the default ! ! *** We then associate it to the vpn map. crypto map vpn 4 ipsec-isakmp dynamic VPNCLIENT_MAP ! ! *** Internal NIC interface FastEthernet0/0 ip address 10.2.2.1 255.255.255.0 no ip proxy-arp ip nat inside duplex auto speed auto ! ! *** External NIC interface FastEthernet0/1 ip address dhcp ip nat outside duplex auto speed auto crypto map vpn ! *** We connect the vpn map to the external NIC ! ! *** We specify a dhcp pool address ip local pool VPNCLIENT_ADDRESSES 10.0.0.1 10.0.0.254 ! ! *** we add acl 101 to accept connectivity from 10.0.0.0/24 to the internal network access-list 101 remark CVPN ACL access-list 101 permit ip 10.2.2.0 0.0.0.255 10.0.0.0 0.0.0.255
On the iPhone side:
- Description: <your choosing>
- Server: IP or hostname of the router
- Account: vpnuser
- Password: password
- Use Certificate: off
- Group Name: VPNCLIENT
- Secret: secretkey
I hope this makes sense… to recap:
This config setups:
Cisco VPN Client with AAA authentication.
Tested with CVPN Mac OS X v4.9.01 (0100) and iPhone v2.2
Phase 1: 3DES/SHA Group 2 Lifetime 3600 Seconds
Phase 2: AES256/SHA Lifetime 3600 Seconds Tunnel Mode
Internal: 10.2.2.0/24 VPN IPs: 10.0.0.0/24 WAN: DHCP
iPhone to IOS VPN (PPTP)
Caveat is that it won't work through firewall(client iPhone side)
the "username" account has to use PASSWORD not SECRET
username client password testclient ! interface Virtual-Template1 ip unnumbered Dialer0 ip nat inside ip virtual-reassembly peer default ip address pool ssl-pool ppp mtu adaptive ppp encrypt mppe auto required ppp authentication ms-chap ms-chap-v2 ppp eap refuse callin ! vpdn enable ! vpdn-group PPTPVPN ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 lcp renegotiation on-mismatch l2tp tunnel timeout no-session 15 ! aaa authentication ppp default local aaa authorization network default local !
Cisco IOS Certificate Server set-up and client enrolment
A quick step by step overview of how to configure the certificate server on a Cisco IOS device.
The certificate server functionality was added in version 12.3(4). It is only available in in security images or higher. We can use this functionality to provide scalable authentication for VPN set-ups.
These are the seven basic steps that are needed to configure a fictional root certificate server on the CA IOS device shown in the topology below. If you would like to try yourself the initial GNS3 net file is [here] which includes all the basic config. The lab was made using 3600 routers running Version 12.4(16a) of IOS.
Certificate Server Step Description 1 RSA key pair 2 PKI Trustpoint 3 Certificate Server 4 Issuing Policy 5 CRL 6 SCEP 7 Enable the Certificate server
1. RSA Key Pair – First step is to generate a private/public key pair on the CA router. The private key will be used to sign “user” certificates and the public key will distributed and used to verify certificates. In the example below our keys are labelled CE-Key.
CA#conf t Enter configuration commands, one per line. End with CNTL/Z. CA(config)#crypto key generate rsa usage-keys label CA-Key modulus 2048 exportable The name for the keys will be: CA-Key % The key modulus size is 2048 bits % Generating 2048 bit RSA keys, keys will be exportable...[OK] % Generating 2048 bit RSA keys, keys will be exportable...[OK]
2. PKI Trustpoint – The trustpoint configures what key pair will be used within the certificate server.
CA(config)#crypto pki trustpoint CA-Server CA(ca-trustpoint)#rsakeypair CA-Key
3. Certificate Server – Now we create and configure the actual certificate server. We configure it using the same name as the trustpoint from step 2. Then we configure a local location for the database (this can be remote) and set the database storage level to complete. Finally we configure the X.500 name information using the X.500 distinguished name (DN) format.
CA#conf t Enter configuration commands, one per line. End with CNTL/Z. CA(config)#crypto pki server CA-Server CA(cs-server)#database url flash:/CA-Server CA(cs-server)#database level ? complete Each issued certificate is saved to the database minimum Minimum certificate info is saved to the database names Certificate serial-number & subject name is saved to the database CA(cs-server)#database level complete CA(cs-server)#issuer-name C=UK,L=m00nietown,O=m00nieCo,OU=x.509 certs,CN=m00nie.com VPN
4. Issuing Policy – We can either manually grant all certificate requests or automattically grant all requests. We will configure a password to provide some additional authentication when users try to enrol. First we configure sha-1 as the hash algorithm used to sign the certificates with (MD5 is the default). We configure the lifetime of the certificate servers signing certificate (5 years) when this expires all issued certificates are invalidated and users will have to re-enrol. Now we configure the lifetime of client issued certificates after which clients will have to re-enrol. Both lifetimes are counted in days.
CA#conf t Enter configuration commands, one per line. End with CNTL/Z. CA(config)#crypto pki server CA-Server CA(cs-server)#hash sha1 CA(cs-server)#lifetime ca-certificate 1825 CA(cs-server)#lifetime certificate 730 CA(cs-server)#no grant auto </re> 5. CRL – Now we define the revocation policy used to create and maintain the Certificate Revocation List (CRL). In this example we configure the CRL to only be valid for an hour (the minimum) and publish the CRL on the router itself using the cdp-url http://MYROUTERIP/cgi-bin/pkiclient.exe?operation=GetCRL command. Note - to enter the “?” you may need to press “Ctrl+V” before entering it!! <pre> CA#conf t Enter configuration commands, one per line. End with CNTL/Z. CA(config)#crypto pki server CA-Server CA(cs-server)#lifetime crl 1 CA(cs-server)#cdp-url http://1.1.1.1/cgi-bin/pkiclient.exe?operation=GetCRL
6. SCEP – To ease admin burden and provide scalability we “configure” the use of Simple Certificate Enrollment Protocol (SCEP). This is done by enabling the IOS HTTP server.
CA#conf t Enter configuration commands, one per line. End with CNTL/Z. CA(config)#ip http server
7. Enable Certificate server – Finally we enable the certificate server now that all the prereqisits have been configured :) First we must ensure that the time of the Certificate Server is correct! In this example we configure the CA router as a NTP master then enable the server. Well configured and synchronised time on all devices is very important in a PKI environment!!
CA(config)#clock timezone GMT 0 0 CA(config)#ntp master CA(config)#crypto pki server CA-Server CA(cs-server)#no shutdown %Some server settings cannot be changed after CA certificate generation. % Please enter a passphrase to protect the private key % or type Return to exit Password: % Password must be more than 7 characters. Try again % or type Return to exit Password: Re-enter password: %Some server settings cannot be changed after CA certificate generation. % Exporting Certificate Server signing certificate and keys... % Certificate Server enabled.
Now the Certificate server is configured and running :) We can validate this with the show crypto pki server command.
CA#show crypto pki server
Certificate Server CA-Server:
Status: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: C=UK,L=m00nietown,O=m00nieCo,OU=x.509 certs,CN=m00nie.com VPN
CA cert fingerprint: 042C977E 813C0A67 87D794DF C16B10C2
Granting mode is: manual
Last certificate issued serial number: 0x1
CA certificate expiration timer: 02:27:25 GMT Feb 28 2007
CRL NextUpdate timer: 03:27:25 GMT Mar 1 2002
Current storage dir: flash:/CA-Server
Database Level: Complete - all issued certs written as <serialnum>.cer
CA#
Just to note that any further changes will require the certificate server to be shutdown.
Client Enrolment Step Description 1 RSA key pair 2 PKI Trustpoint / SCEP 3 CA certificate installation 4 Erollment Request
1. RSA key pair – Much the same as on the CA router generate a public/private key pair.
VPN_Guy#conf t Enter configuration commands, one per line. End with CNTL/Z. VPN_Guy(config)#crypto key generate rsa general-keys label VPN-Key modulus 2048 exportable The name for the keys will be: VPN-Key % The key modulus size is 2048 bits % Generating 2048 bit RSA keys, keys will be exportable...[OK] *Mar 1 04:34:57.814: %SSH-5-ENABLED: SSH 1.99 has been enabled
2. PKI Trustpoint / SCEP – Now we need to configure the trustpoint to tell the client how we would like it to enrol.
VPN_Guy(config)#crypto pki trustpoint CA-Server VPN_Guy(ca-trustpoint)#enrollment url http://1.1.1.1 VPN_Guy(ca-trustpoint)#revocation-check crl VPN_Guy(ca-trustpoint)#fqdn VPN_Guy.m00nie.com VPN_Guy(ca-trustpoint)#subject-name CN=VPN_Guy,OU=X.509,O=m00nieCo,C=UK VPN_Guy(ca-trustpoint)#rsakeypair VPN-Key
3. CA certificate – Now we need to install the CA server certificate (and verify it).
VPN_Guy(config)#crypto pki authenticate CA-Server
Certificate has the following attributes:
Fingerprint MD5: 042C977E 813C0A67 87D794DF C16B10C2
Fingerprint SHA1: 8B182326 5FD01A2A 67572725 D3667D64 73FE9D30
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
verify the fingerprint against the output of show crypto pki server on the Certificate server.
CA#show crypto pki server
..
CA cert fingerprint: 042C977E 813C0A67 87D794DF C16B10C2
..
4. Enrolment request – Now we simple enrol with the certificate server.
VPN_Guy(config)#crypto pki enroll CA-Server
Then on the CA router
CA#crypto pki server CA-Server info requests Enrollment Request Database: Subordinate CA certificate requests: ReqID State Fingerprint SubjectName -------------------------------------------------------------- RA certificate requests: ReqID State Fingerprint SubjectName -------------------------------------------------------------- Router certificates requests: ReqID State Fingerprint SubjectName -------------------------------------------------------------- 1 granted BE142DCED9C067269D1F4E740C34B77F hostname=VPN_Guy.m00nie.com,cn=VPN_Guy,ou=X.509,o=m00nieCo,c=UK
And grant the request like with the command crypto pki server CA-Server grant 1.
Now we can confirm that the VPN_Guy router has the signed certificate returned from the Certificate server
VPN_Guy#show crypt pk certificates
Certificate
Status: Available
Certificate Serial Number: 02
Certificate Usage: General Purpose
Issuer:
c=UK
l=m00nietown
o=m00nieCo
ou=x.509 certs
cn=m00nie.com VPN
Subject:
Name: VPN_Guy.m00nie.com
hostname=VPN_Guy.m00nie.com
cn=VPN_Guy
ou=X.509
o=m00nieCo
c=UK
CRL Distribution Points:
http://1.1.1.1/cgi-bin/pkiclient.exeoperation=GetCRL
Validity Date:
start date: 00:19:30 UTC Mar 1 2002
end date: 00:19:30 UTC Feb 29 2004
Associated Trustpoints: CA-Server
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
c=UK
l=m00nietown
o=m00nieCo
ou=x.509 certs
cn=m00nie.com VPN
Subject:
c=UK
l=m00nietown
o=m00nieCo
ou=x.509 certs
cn=m00nie.com VPN
Validity Date:
start date: 00:05:27 UTC Mar 1 2002
end date: 00:05:27 UTC Feb 28 2007
Associated Trustpoints: CA-Server
Now we have a signed certificate installed and ready to use!