Aim: The aim of this lab is to introduce Virtual Private Network (VPN) concepts, using an IPSec
remote access VPN between a remote user's system and a perimeter router. This will allow
a remote user to access the trusted organisational network securely, over an untrusted
network such as the Internet, and allow us to analyse the setup and some of the tunnelled
traffic.
Activities
10.2.1 Create Virtual Topology
Connect to our vSphere virtual environment at vc2003.napier.ac.uk using a vSphere Client.
Navigate to the Module folder such as VMs & Templates>Production>CSN11111/8. You will be
assigned a group folder to work with which contains the VMs needed for the lab (check Moodle for
the Groups and IP Addressing for each Group). Lab VMs: a Windows 7 VM running GNS3, and a
Windows 2003 VM running the VPN Client application.
You can create a new project for the Lab, or use the preconfigured starting project in the
Projects folder. If you wish to start with that, click the Recent Projects button, select lab9_start,
then save it as a project called lab9 or similar (save as, before you power on devices).
The topology, shown below, mimics an organisation and a remote User, with the 10.1.Z.0 network
being the untrusted Internet. The R2 Router will be configured to provide VPN termination for
remote users.
Starting Topology
You will be assigned networks to address the host and router interfaces (see Moodle):
192.168.X.0/24, 192.168.Y.0/24 and 10.1.Z.0/24
Additionally, configure the MAC Address on the R1 Router f0/1 interface with the following
commands, using the format ca0 <module code> <group number> 01; for example, for csn11118
group 99:
R1(config)# int fa0/1
R1(config-if)# mac-address ca01.1118.9901
To test connectivity from the 192.168.X.0 network, again an extended ping can be used. For
example, from the R2 router:
R2# ping
Protocol [ip]:
Target IP address: 192.168.Y.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.X.254
Type of service [0]:
Remember to save the R1 and R2 running configurations to the routers' NVRAM, and then save the GNS3
project if you want to use it later or back it up.
To test connectivity from the Remote User to the company's HQ network, ping and traceroute
can be used:
Authentication/Access Control for Client VPN Policy Lookup using Local AAA
AAA is used to authenticate a remote user before a VPN policy is pushed to their VPN endpoint (the
remote user's Windows VM in this case), and for authorisation of network access.
Use the following commands in Privileged command mode, to set up VPN policy lookup.
Configure an authentication list VPNAUTHEN for the VPN connection login, to use the local AAA
users accounts:
R2(config)# aaa authentication login VPNAUTHEN local
Q. Where will the router look for user names and passwords to authenticate remote VPN clients?
To configure IKE on Cisco devices, the crypto isakmp command is used to create an IKE policy
with a priority of 3 (1 is the highest). Each IKE policy is used to create a different VPN tunnel, as the
router may be the end point for several different VPNs.
R2(config)# crypto isakmp policy 3
Now we are in ISAKMP policy configuration command mode, shown by the change in prompt. Next,
we define that Pre-shared keys will be used to authenticate the peers at the end points of the VPN
tunnel. The pre-shared keys are used along with a hash algorithm for HMAC authentication of the
sender in IKE phase I.
R2(config-isakmp)# authentication pre-share
Define the hash algorithm which will be used in the authentication process.
R2(config-isakmp)# hash md5
Define the key exchange mechanism to be used; the Diffie-Hellman group. The groups represent the
length of keys generated: 768 bit Diffie-Hellman is Group 1, 1024 bit is group 2, and 1582 bit is group
3. Diffie-Hellman is used in phase I to exchange secret keys to be used for data encryption.
R2(config-isakmp)# group 2
Define the encryption algorithm which will be used for data encryption (other options are des, aes-256, etc.).
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# exit
R2(config)#
Configure a local pool of IP Addresses to be allocated to VPN clients. In this case we will give the VPN
clients addresses on the same inside network subnet (this is not always the case).
R2(config)# ip local pool IPPOOL 192.168.X.20 192.168.X.30
Configure a User Group Policy for Remote User VPN clients called REMOTE.
R2(config)# crypto isakmp client configuration group REMOTE
R2(config-isakmp-group)#
Now we are in ISAKMP group configuration command mode, shown by the change in prompt. Add a
pre-shared key to the group policy, which will authenticate the VPN client application to the VPN
server.
R2(config-isakmp-group)# key vpn123
Assign an IP Address pool, which the VPN clients will be assigned from.
R2(config-isakmp-group)# pool IPPOOL
View the running configuration to check the Remote User Group Policy has been created successfully
(check for typos).
Create a new transform set REMOTE_USER_SET, which will use the Encapsulating Security Payload
(ESP) protocol, with AES for data encryption and SHA1 HMAC for data integrity.
R2(config)# crypto ipsec transform-set REMOTE_USER_SET esp-aes esp-sha-hmac
Set IPSec to use Tunnel mode, which means the entire IP Packet will be protected.
R2(cfg-crypto-trans)# mode tunnel
R2(cfg-crypto-trans)# exit
Q. What does the Authentication Header (AH) protocol not provide which ESP does?
A Crypto map represents the IPSec configuration for a VPN, and must be created to allow the setup
of IKE Phase II Security Associations (SA) for traffic to be protected (1 SA in each direction).
Create a crypto map template, using the transform set REMOTE_USER_SET.
R2(config)# crypto dynamic-map DYN_MAP 10
R2(config-crypto-map)# set transform-set REMOTE_USER_SET
R2(config-crypto-map)# reverse-route
R2(config-crypto-map)# exit
R2(config)#
Create the crypto map REMOTE_USER_MAP, and specify client configuration settings. In this case
the router is set to respond to VPN Client requests.
R2(config)# crypto map REMOTE_USER_MAP client configuration address respond
For the REMOTE_USER_MAP crypto map, specify VPN clients User Authentication. Set the
authentication list to VPNAUTHEN we created earlier, to specify that user accounts are stored locally
on the router.
R2(config)# crypto map REMOTE_USER_MAP client authentication list VPNAUTHEN
For the REMOTE_USER_MAP crypto map, allow IKE group policy querying by VPN clients. Set the
authorisation list to VPNAUTHOR we created earlier, to specify the policy is stored locally.
R2(config)# crypto map REMOTE_USER_MAP isakmp authorization list VPNAUTHOR
For the REMOTE_USER_MAP crypto map, set the ipsec-isakmp parameter to specify IKE will be used
to establish security associations, and assign the dynamic crypto map template. The number 10 is
the sequence number; lower numbered maps are used before higher numbered.
R2(config)# crypto map REMOTE_USER_MAP 10 ipsec-isakmp dynamic DYN_MAP
Check the IPSec VPN Server configuration, and the interface it is applied on, using the following.
R2# show crypto map
Crypto Map "REMOTE_USER_MAP" 10 ipsec-isakmp
Dynamic map template tag: DYN_MAP
Interfaces using crypto map REMOTE_USER_MAP:
Serial1/0
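To see how the R2 commands above map onto IKE phase I (the ISAKMP policy) and phase II (the transform set), and which of the lab's choices a reviewer would flag as weak, here is an added Python check that is not part of the lab. It parses a constructed sample of the R2 crypto configuration in the form show running-config stores it (IOS abbreviates encryption to encr); the weakness thresholds are the author's own, not the lab's.

```python
# Constructed sample: the R2 commands from this lab, as 'show running-config'
# stores them (IOS abbreviates 'encryption 3des' to 'encr 3des').
R2_CRYPTO_CONFIG = """\
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set REMOTE_USER_SET esp-aes esp-sha-hmac
 mode tunnel
crypto dynamic-map DYN_MAP 10
 set transform-set REMOTE_USER_SET
 reverse-route
crypto map REMOTE_USER_MAP 10 ipsec-isakmp dynamic DYN_MAP
"""

def parse_blocks(config):
    """Group an IOS config into {top-level line: [indented sub-lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def ike_params(blocks):
    """Phase I comes from the ISAKMP policy, phase II from the transform set."""
    p1, p2 = {}, {}
    for header, lines in blocks.items():
        if header.startswith("crypto isakmp policy "):
            for line in lines:
                key, _, value = line.partition(" ")
                p1["encryption" if key == "encr" else key] = value
        elif header.startswith("crypto ipsec transform-set "):
            _, _, _, name, *transforms = header.split()
            mode = next((l.split()[1] for l in lines if l.startswith("mode ")), "tunnel")
            p2 = {"name": name, "transforms": transforms, "mode": mode}
    return p1, p2

def weak_settings(p1, p2):
    """Findings a reviewer would raise: MD5, (3)DES, 768/1024-bit DH, no ESP HMAC."""
    checks = [
        (p1.get("hash") == "md5", "phase1: hash md5"),
        (p1.get("encryption") in ("des", "3des"), "phase1: encryption " + p1.get("encryption", "")),
        (p1.get("group") in ("1", "2"), "phase1: DH group " + p1.get("group", "")),
        (not any(t.endswith("-hmac") for t in p2.get("transforms", [])), "phase2: no ESP HMAC"),
    ]
    return [msg for bad, msg in checks if bad]
```

Running weak_settings(*ike_params(parse_blocks(R2_CRYPTO_CONFIG))) reports the MD5 hash, 3DES and DH group 2 of the phase I policy, while the ESP transform set (AES with SHA1 HMAC) passes.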
Enter the IP Address of the outside interface of the VPN Server device - 10.1.Z.2
Click on the Authentication tab, and click the Group Authentication radio button. Enter the VPN User
Group Name we configured earlier, and the Shared-Key defined for the group.
Save the VPN Connection Entry; the VPN Client application should then look like the image below (note the
window title).
From the Remote User Windows VM connect to the HQ network, using a VPN tunnel. From the VPN
Client window, Double click the HQ Connection. The following dialog box should be shown. Enter the
user and password of a user account.
Once connected, the VPN Client application window should look like the image below (note the
window title).
On the Remote User Windows VM, open a command window, and use the ipconfig command to
check the interfaces and IP Addresses now.
Q. What has changed?
A second virtual interface should have been created by the VPN Client, as shown below.
Disconnect from the VPN using the Disconnect button on the VPN client, and then reconnect, and
log in again. On the Windows VM, use the ipconfig command again.
Q. What is the IP Address of the virtual interface?
Right click the lock icon in the system tray and select Statistics, and select the Tunnel Details tab, as
shown below. The Tunnel Details tab shows
Q. How many packets have been received through the VPN tunnel, and decrypted?
Start Wireshark on the Remote User Windows VM. Select the Capture>Interfaces menu item. From
a command window ping the inside network, at 192.168.X.254.
You should see packets being sent through the VPN tunnel interface:
Click Start on the VPN interface. Ping again if packets are not displayed. Click on a packet and click
on ICMP protocol, in the protocols pane.
The Wireshark window, packets pane, should look something like the following.
The Wireshark window, packet detail, and packet contents panes, should look something like the
following. Note: the ICMP payload.
From the Windows remote VM, from a command window again ping the inside network, at
192.168.X.254.
Ping again if packets are not displayed. Click on a packet and click on ICMP protocol, in the protocols
pane.
These are the same ping packets, but have been encrypted and encapsulated with an ESP header, at
each end of the IPSec VPN tunnel. The Wireshark window should look something like the following.
[Figure: ESP tunnel-mode packet layout: New IP header | ESP header | encrypted payload (original IP header + DATA)]
On the R2 router use the following to display the current VPN tunnels.
R2# show crypto session
Q. Why?
On the R2 router the following can be used to display the current state of the IPSec Security
Associations. The following command shows initialised IPSec SAs.
R2# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.99.2 192.168.199.10 QM_IDLE 1002 ACTIVE
The following can be used to display the IPSec SA encrypted traffic in detail.
R2# show crypto ipsec sa
Q. What are the end point IP Addresses of the encrypted VPN tunnel?
You can review the final VPN server configuration for Router R2 in Appendix B.
Try encrypting with the 3DES cipher, similar to the encryption used for the ISAKMP tunnel setup.
First create a file payload.txt and add some characters to it, such as abcdefg. cat the file to check
the contents.
Then use the openssl enc command to list the encryption algorithms available:
openssl enc -h
Try encrypting files with other ciphers, such as the AES cipher used in the VPN tunnel itself.
R1
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
interface FastEthernet0/0
description int to the 192.168.5.0/24 network
ip address 192.168.Y.254 255.255.255.0
duplex auto
speed auto
no shutdown
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
R2
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
interface FastEthernet0/0
ip address 192.168.X.254 255.255.255.0
duplex auto
speed auto
no shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 10.1.Z.2 255.255.255.252
duplex auto
speed auto
no shutdown
!
router rip
network 0.0.0.0
R1
!
Same as previous config
!
R2
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
! AAA for user authentication and authorisation
aaa new-model
!
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
ip auth-proxy max-nodata-conns 3