
VPN Remote Access with IOS

& Introduction to FlexVPN


BRKSEC-2881

Alex HONOR
CCIE #19553
Senior Customer Support Engineer
EMEA Technical Assistance Center
Objectives & Prerequisites
Session objectives:
Introduce IKEv2 & FlexVPN, with a focus on AAA-based management
Demonstrate the value-add and possibilities of FlexVPN as a Remote Access solution
with a variety of clients (software & hardware)
Solve simple & complex use cases using FlexVPN
Basic understanding of the following topics is required:
IPsec, IKEv1, PKI, AAA, RADIUS, AnyConnect, VRF, QoS
Experience with the following features is a plus:
Easy VPN, MQC, VRF-Lite, iBGP
More FlexVPN (hub-spoke, dynamic mesh, MPLS over Flex, multicast, ...)
BRKSEC-3036 Advanced IPsec designs with FlexVPN by F. Detienne
Friday 11:30am, North Wing Level -1, Green Hall 3

BRKSEC-2881 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Session Agenda
Introduction to FlexVPN
Tunnel Interfaces
Configuration Building Blocks
FlexVPN AAA Integration
  AAA-Based Authentication
  User & Group Authorization
  Connection Accounting
Remote Access Clients
  AnyConnect Secure Mobility Client
  Windows Native IKEv2 Client
  FlexVPN Hardware Client
Scenarios & Use Cases
  Full & Split Tunneling
  Network Extension
  Virtualization (VRF)
  Quality of Service
FlexVPN SSL Preview
Wrap-up

Before We Begin...
Additional info slides:
  Rendered in the presentation PDF (download it through the Cisco Live portal)
  Not shown during the live presentation
  Cover extra details or small additional topics
Introduction to FlexVPN
FlexVPN Overview
Unified overlay VPN
Combines site-to-site, remote access, hub-spoke & spoke-spoke topologies
IPsec VPN compliant with the IKEv2 standard
SSL VPN remote access coming soon (AnyConnect Secure Mobility Client)
FlexVPN highlights
Unified CLI with smart defaults
Unified infrastructure that leverages point-to-point tunnel interfaces
Most features available across all topologies (QoS, AAA, VRF, ...)
Interoperable with other IKEv2 implementations (ASA, Windows, strongSwan, ...)
Easier to learn, market and manage

Solution Positioning
Comparison table; column heading fragments as extracted: Remote Access, Spoke to Spoke Direct, Full AAA Mgmt, Dynamic Routing, Per-Peer Config Push, Per-Peer QoS, Failover, Source, Routing, Failover, IPsec, Interop., Simple Config
  Easy VPN: No, No, Yes, No, Yes, Yes, No, Yes, Yes, Yes, Complex
  DMVPN: No, Yes, No, Yes, No, Partial, No, No, No, Group, No
  Crypto Map: Yes, No, Yes, No, Yes, Poor, No, No, No, No, No
  FlexVPN: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
One VPN to learn and deploy
Everything works, no questions asked
Why FlexVPN?
IKEv2 is a major protocol update
  No backward compatibility with IKEv1
  Requires serious consideration and reconfiguration
  Brings in a lot of improvements
Major IOS architecture rework needed to address needs
  Per-peer features (QoS, ZBFW, policies, VRF injection, ...)
  Too many overlay technologies: the offering was too fragmented
  VPN learning time had grown out of control (a 1-day techtorial was insufficient)
IKEv2 is a good transition point to revisit design and architecture
  Ideal for all types of VPNs
  Service aggregation (remote access, site-to-site, ...)
  Improved service management
  Multitenancy
Comparing IKEv1 & IKEv2
IKEv1: ISAKMP (RFC 2408), IPsec DOI (RFC 2407), IKE (RFC 2409), plus NAT-T, DPD, Mode Config, Hybrid Auth., etc.
IKEv2: IKEv2 (RFC 5996), EAP-Only IKEv2 (RFC 5998), Childless IKEv2 (RFC 6023), IKEv2 Redirect (RFC 5685)
Same objectives: integrity, confidentiality, Suite-B
More secure: anti-DoS, cleaner identity/key exchange
Authentication options: PSK, RSA-Sig, EAP auth.
Similar but different: uses UDP ports 500 & 4500; Main + Aggressive modes replaced by the INITIAL exchanges; acknowledged notifications
IKEv2 Exchanges
Initiator (I) <-> Responder (R)
IKE_SA_INIT: IKEv2 Security Association (SA) establishment (proposal selection, key exchange)
IKE_AUTH: mutual authentication & identity exchange; initial IPsec SAs establishment; certificate exchange (optional); configuration exchange (optional)
CREATE_CHILD_SA: additional IPsec SAs establishment; IKEv2 & IPsec SA rekey; can be (I -> R) with ACK or (R -> I) with ACK
INFORMATIONAL: notifications (SA deletion, liveness check, ...); configuration exchange (one or both ways)
IKEv2 Configuration Exchange
Initiator (I) <-> Responder (R)
IKE_AUTH, CFG_REQUEST: the initiator (RA client) requests configuration parameters from the responder (RA server). "I would like: an IPv6 address, a DNS & WINS server, a list of protected IPv6 subnets."
IKE_AUTH, CFG_REPLY (derived from peer authorization): "Your assigned IPv6 address is ... Your DNS server is ... There is no WINS server. My protected IPv6 subnets are ..."
INFORMATIONAL, CFG_SET (derived from peer authorization): initiator and/or responder sends unsolicited configuration parameters to its peer, e.g. "My local IPv6 protected subnets are ..."
INFORMATIONAL, CFG_ACK: the CFG_SET is acknowledged by the peer
IKEv2 Certificate-Based Authentication
PKI: the Root CA issues Sub#1 and Sub#2; A holds an identity certificate issued by Sub#1, B holds one issued by Sub#2.
[IKE_SA_INIT_I] A -> B
[IKE_SA_INIT_R] B -> A: CERT_REQ(Root), CERT_REQ(Sub#2). B is willing to accept certs issued by Root and certs issued by Sub#2.
A computes its cert chain. A must provide B with its identity certificate and the Sub#1 certificate to complete the chain.
[IKE_AUTH_I] A -> B: CERT_REQ(Root), CERT_REQ(Sub#1), CERT(Root -> Sub#1), CERT(Sub#1 -> A), AUTH(HASH_I)
B validates the chain & verifies the signature, then computes its own cert chain.
[IKE_AUTH_R] B -> A: CERT(Root -> Sub#2), CERT(Sub#2 -> B), AUTH(HASH_R)
A validates the chain & verifies the signature.
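Added example, not from the presentation: a toy model of the certificate exchange above. Certificates are reduced to (subject, issuer) pairs and no signatures are checked; what it shows is how a peer picks the CERT payloads to send from the CERTREQ it received, and how the receiver walks the chain to a local trust anchor. The names Root, Sub#1, Sub#2, A and B are those of the slide; the functions are assumptions of this example.

```python
# Added example (not from the presentation): a toy model of the certificate
# exchange above. Certificates are just (subject, issuer) pairs; no signatures
# are checked, only chain building from CERTREQ and chain validation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the signing CA; a root is self-signed (issuer == subject)


def build_chain(leaf, store):
    """Follow issuer links from the identity certificate up to the self-signed root."""
    by_subject = {c.subject: c for c in store}
    chain = [leaf]
    while chain[-1].issuer != chain[-1].subject:
        chain.append(by_subject[chain[-1].issuer])
    return chain


def certs_to_send(leaf, store, peer_certreq):
    """CERT payloads for IKE_AUTH: the identity certificate plus every intermediate
    up to, but excluding, the first CA the peer announced in its CERTREQ payloads."""
    sent = []
    for cert in build_chain(leaf, store):
        if cert.subject in peer_certreq:
            return sent
        sent.append(cert)
    raise ValueError("no path from %s to a CA the peer trusts" % leaf.subject)


def validate_chain(received, trust_anchors):
    """Receiver side: each certificate must be issued by the next one in the list,
    and the last one must be issued by a locally trusted CA."""
    if not received:
        return False
    for child, parent in zip(received, received[1:]):
        if child.issuer != parent.subject:
            return False
    return received[-1].issuer in trust_anchors


# The PKI of the slide: Root issues Sub#1 and Sub#2; A is under Sub#1, B under Sub#2.
ROOT = Cert("Root", "Root")
SUB1 = Cert("Sub#1", "Root")
SUB2 = Cert("Sub#2", "Root")
A = Cert("A", "Sub#1")
B = Cert("B", "Sub#2")
A_STORE = [A, SUB1, ROOT]
B_STORE = [B, SUB2, ROOT]
A_CERTREQ = {"Root", "Sub#1"}  # what A sends as CERT_REQ (its trusted CAs)
B_CERTREQ = {"Root", "Sub#2"}  # what B sends as CERT_REQ


def ike_auth_exchange():
    """Returns the subjects A and B send and whether each peer validates the other."""
    a_sends = certs_to_send(A, A_STORE, B_CERTREQ)   # IKE_AUTH_I
    b_sends = certs_to_send(B, B_STORE, A_CERTREQ)   # IKE_AUTH_R
    return (
        [c.subject for c in a_sends], validate_chain(a_sends, B_CERTREQ),
        [c.subject for c in b_sends], validate_chain(b_sends, A_CERTREQ),
    )


if __name__ == "__main__":
    print(ike_auth_exchange())
```

Running it reproduces the slide: A sends [A, Sub#1] and B sends [B, Sub#2]; sending A alone to a peer that only trusts Root fails validation, which is the case the CERTREQ payloads exist to avoid.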
Tunnel Interfaces
Dynamic Point-to-Point Virtual Interfaces
FlexVPN Server, P2P virtual interface template:
  crypto ikev2 profile default
   ...
   virtual-template 1
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
Dynamically instantiated P2P interfaces (one Virtual-Access cloned from VT1 per client; a security policy applies per interface):
  interface Virtual-Access1
   ip unnumbered Loopback0
   tunnel source <local-address>
   tunnel destination <remote-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output mobile-QoS
  interface Virtual-Access2
   ip unnumbered Loopback0
   tunnel source <local-address>
   tunnel destination <remote-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output traveler-QoS
  interface Virtual-Access3
   ip unnumbered Loopback0
   tunnel source <local-address>
   tunnel destination <remote-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output home-office-QoS
Server routing table (RIB/FIB):
  S default via Ethernet0/0
  L 10.0.1.1/32 local Loopback0
  S 10.0.1.10/32 via Virtual-Access1
  S 10.0.1.11/32 via Virtual-Access2
  S 10.0.1.12/32 via Virtual-Access3
  S 10.42.1.0/24 via Virtual-Access3
Clients: assigned addresses 10.0.1.10/32 (VA1), 10.0.1.11/32 (VA2), 10.0.1.12/32 (VA3); subnet 10.42.1.0/24 is reached through VA3
Static P2P virtual interface (client side):
  interface Tunnel0
   ip address negotiated
   tunnel source Ethernet0/0
   tunnel destination <server-address>
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
Interface Features
FlexVPN Server packet path (cleartext traffic from the server LAN to the RA client):
  Eth0/0 (ingress) -> RIB/FIB (routing table) -> Virtual-Access1 -> Eth0/1 (egress)
  Interface input features on Eth0/0 apply to the cleartext packet: IP | L4 | Data
  Pre-encapsulation interface output features on Virtual-Access1 apply to the cleartext packet
  IPsec encapsulation (tunnel protection) produces the encrypted packet: IP | IPsec | IP | L4 | Data
  Post-encapsulation interface output features on Eth0/1 apply to the encrypted packet
Interface features: NAT, PBR, QoS, NetFlow, ...
Tunnel Encapsulation
IPsec Tunnel Mode (IPv4 or IPv6)
  interface Virtual-Template1 type tunnel
   tunnel mode ipsec {ipv4 | ipv6}
   tunnel protection ipsec profile default
  Packet: IP | IPsec | IP | L4 | Data (encrypted)
  Classic dVTI: compatibility with software clients (any-to-any or any-to-assigned-address)
  Multi-SA dVTI: compatibility with legacy crypto map peers (ASA, other vendors)
GRE over IPsec
  interface Virtual-Template1 type tunnel
   tunnel mode gre {ip | ipv6}
   tunnel protection ipsec profile default
  Packet: IP | IPsec | GRE | IP | L4 | Data (encrypted)
  Dual-stack (IPv4 + IPv6 over IPsec) out of the box
  Enables tunneling of non-IP protocols (e.g. MPLS)
  Required for dynamic mesh scenarios (à la DMVPN, but with the extra flexibility of point-to-point interfaces)
  tunnel mode gre ip is the default on static & dynamic tunnel interfaces
Configuration Building Blocks
Configuration Example
  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com   ! IKEv2 identity & profile selection
   identity local fqdn router.cisco.com
   authentication local rsa-sig                  ! IKEv2 authentication & certificates
   authentication remote eap
   pki trustpoint root sign
   aaa authentication eap default                ! AAA integration (authentication,
   aaa authorization user eap                    ! authorization, accounting)
   virtual-template 1                            ! Dynamic point-to-point interfaces
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   tunnel mode ipsec ipv4                        ! Native IPsec tunnel or GRE/IPsec
   tunnel protection ipsec profile default
IKEv2 CLI Overview
Proposal, Policy and Keyring
IKEv2 Proposal (algorithms for the IKEv2 SA):
  crypto ikev2 proposal default
   encryption aes-cbc-256 aes-cbc-128 3des
   integrity sha512 sha256 sha1 md5
   group 5 2
IKEv2 Policy (binds an IKEv2 Proposal to a local Layer 3 scope):
  crypto ikev2 policy default
   match fvrf any
   proposal default
IKEv2 Keyring (supports asymmetric Pre-Shared Keys):
  crypto ikev2 keyring IOSKeyring
   peer cisco
    address 10.0.1.1
    pre-shared-key local CISCO
    pre-shared-key remote OCSIC
IKEv2 Authorization Policy (contains attributes for local AAA & config. exchange):
  crypto ikev2 authorization policy default
   route set interface
   route accept any
IKEv2 CLI Overview
IKEv2 Profile: extensive CLI
  crypto ikev2 profile default
Self identity control (only one local identity allowed):
   identity local address 10.0.0.1
   identity local fqdn local.cisco.com
   identity local email local@cisco.com
   identity local dn
Match on peer IKE identity or certificate (multiple match identity allowed):
   match identity remote address 10.0.1.1
   match identity remote fqdn remote.cisco.com
   match identity remote fqdn domain cisco.com
   match identity remote email remote@cisco.com
   match identity remote email domain cisco.com
   match certificate certificate_map
Match on local address and front VRF:
   match fvrf red
   match address local 172.168.1.1
Asymmetric local & remote authentication methods (only one local method allowed, multiple remote methods allowed):
   authentication local pre-share
   authentication local rsa-sig
   authentication local eap
   authentication remote pre-share
   authentication remote rsa-sig
   authentication remote eap
Local and AAA-based pre-shared keyring, and PKI trustpoint:
   keyring local IOSKeyring
   keyring aaa AAAlist
   pki trustpoint <trustpoint_name>
IKEv2 Basic Negotiation
Initiator -> Responder: HDR, SAi1, KEi, Ni
Responder -> Initiator: HDR, SAr1, KEr, Nr, [CERTREQ]
Initiator -> Responder: HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}
Responder -> Initiator: HDR, SK {IDr, [CERT], AUTH, TSi, TSr}
Legend:
  HDR: IKE Header
  SAi, SAr: crypto algorithms proposed/accepted by the peer
  KEi, KEr: Initiator/Responder Key Exchange material
  Ni, Nr: Initiator/Responder Nonce
  SK {...}: payload encrypted and integrity protected
  IDi, IDr: Initiator/Responder IKE Identity
  CERTREQ, CERT: Certificate Request, Certificate payload
  AUTH: authentication data
  SAi2: SA proposal & transform to create the initial CHILD_SA
  TSi, TSr: Traffic Selectors (as src/dst proxies)
IKEv2 Profile Match Statements
Peer IKE identity (IDi in HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}):
  IP Address 172.16.0.1 -> match identity remote address 172.16.0.1
  FQDN router.cisco.com -> match identity remote fqdn router.cisco.com
  Email router@cisco.com -> match identity remote email router@cisco.com
Peer certificate (CERT), matched through a certificate map:
  Subject: cn=Router, ou=Engineering, o=Cisco -> subject-name co ou = engineering
  Issuer: cn=PKI Server, ou=IT, o=Cisco -> issuer-name co o = cisco
  ...
  match certificate <cert-map>
IPsec CLI Overview
Tunnel protection similar to DMVPN and EasyVPN
Transform set unchanged:
  crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
IPsec profile defines SA parameters and points to the IKEv2 profile:
  crypto ipsec profile default
   set transform-set default
   set ikev2-profile default
Dynamic point-to-point interfaces:
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   tunnel protection ipsec profile default
Static point-to-point interfaces (tunnel protection points to the IPsec profile):
  interface Tunnel0
   ip address 10.0.0.1 255.255.255.252
   tunnel source Ethernet0/0
   tunnel destination 172.16.2.1
   tunnel protection ipsec profile default
Introducing Smart Defaults
Intelligent, reconfigurable defaults
These constructs are the Smart Defaults:
  crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
  !
  crypto ipsec profile default
   set transform-set default
   set ikev2-profile default
  !
  crypto ikev2 proposal default
   encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
   integrity sha512 sha384 sha256 sha1 md5
   group 5 2
  !
  crypto ikev2 policy default
   match fvrf any
   proposal default
  !
  crypto ikev2 authorization policy default
   route set interface
   route accept any
What you need to specify:
  crypto ikev2 profile default
   match identity remote address 10.0.1.1
   authentication local rsa-sig
   authentication remote rsa-sig
   aaa authorization user cert list default default
   pki trustpoint root
  !
  interface Tunnel0
   ip address 192.168.0.1 255.255.255.252
   tunnel protection ipsec profile default
Reconfigurable Defaults
All defaults can be modified, deactivated and restored
Modifying defaults:
  crypto ikev2 proposal default
   encryption aes-cbc-128
   integrity md5
  crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
Restoring defaults:
  default crypto ikev2 proposal
  default crypto ipsec transform-set
Disabling defaults:
  no crypto ikev2 proposal default
  no crypto ipsec transform-set default
Static Site-to-Site Example
Router 2 configuration:
  crypto ikev2 profile default
   match identity remote fqdn r1.cisco.com
   identity local fqdn r2.cisco.com
   authentication remote pre-share key r1r2!
   authentication local pre-share key !r2r1
  !
  interface Tunnel0
   ip address 10.0.0.2 255.255.255.252
   tunnel source Ethernet0/0
   tunnel destination 192.0.2.1
   tunnel protection ipsec profile default
  !
  interface Ethernet0/0
   ip address 192.0.2.2 255.255.255.0
  !
  router rip
   version 2
   network 10.0.0.0
  ...
Negotiation between Router 1 and Router 2:
  Perform IKE SA agreement & Diffie-Hellman key exchange (not shown)
  Router 1 -> Router 2: "My IKE ID is: r1.cisco.com (FQDN). My PSK authentication payload is... I want to protect GRE traffic between..."
  Router 2: map the connection to IKEv2 profile default by matching on the peer FQDN; verify the peer's AUTH payload & produce our own based on the configured PSK; use our own FQDN as IKE ID
  Router 2 -> Router 1: "My IKE ID is: r2.cisco.com (FQDN). My PSK authentication payload is... I agree to protect GRE traffic between..."
  Finalize IPsec SAs (GRE between local & remote WAN addresses)
  Establish routing protocol neighborship & exchange prefixes
FlexVPN AAA Integration
FlexVPN AAA: Authentication, Authorization & Accounting
IKEv2 communicates with the IOS AAA subsystem through AAA list names:
  aaa new-model
  aaa authorization network local-db local           ! local database (IKEv2 Authorization Policy)
  aaa authorization network remote-db group radius   ! remote database (RADIUS)
Protocols in play: IKEv2, RADIUS, EAP
AAA-based authentication:
  Pre-shared keys stored on RADIUS server
  EAP over IKEv2 & RADIUS
Authorization:
  Implicit authorization (re-uses attributes received during authentication)
  Explicit authorization (local or remote, group- & user-level)
Accounting
High-Level Interactions
Roles: RA Client = IKEv2 Initiator, EAP Supplicant; FlexVPN Server = IKEv2 Responder, RADIUS Client (NAS), EAP Authenticator; AAA Server = RADIUS Server, EAP Backend
Cert. authentication (optional): RA Client <-> FlexVPN Server
PSK authentication: RA Client <-> FlexVPN Server, with AAA PSK retrieval between FlexVPN Server and AAA Server
EAP client authentication: RA Client <-> AAA Server, relayed by the FlexVPN Server
Cached & local authorization: on the FlexVPN Server
RADIUS authorization: FlexVPN Server <-> AAA Server
RADIUS accounting: FlexVPN Server -> AAA Server
Building Block: IKEv2 Name Mangler
Start with the peer's IKE or EAP identity and derive a username that is meaningful to AAA (local or RADIUS)
  crypto ikev2 name-mangler extract-user
   fqdn hostname
   email username
   dn common-name
   eap prefix delimiter @
RA Client identity (from the IKEv2 exchange) -> AAA username through the name mangler:
  FQDN: joe.cisco.com -> joe
  Email: joe@cisco.com -> joe
  DN: cn=joe,ou=IT,o=Cisco -> joe
  EAP: joe@cisco -> joe
Local AAA request: Username: joe
RADIUS AAA request: Username: joe, password: cisco (static password, configurable)
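Added example, not from the presentation or from IOS: a toy model of the name mangler above, one rule per identity type, applied to the four identities of the slide. The option sets (all/hostname/domain for fqdn, all/username/domain for email, common-name/organization-unit for dn, all/prefix/suffix plus delimiter for eap) are assumed from the IOS CLI; the aaa_request helper and the class are this example's own.

```python
# Added example (not from the presentation): a toy model of the IKEv2 name mangler.
# Each rule mirrors one 'crypto ikev2 name-mangler' sub-command shown above; the
# option sets (all/hostname/domain, ...) are assumed from the IOS CLI.
from dataclasses import dataclass


@dataclass
class NameMangler:
    fqdn: str = "all"          # fqdn {all | hostname | domain}
    email: str = "all"         # email {all | username | domain}
    dn: str = "common-name"    # dn {common-name | organization-unit}
    eap: str = "all"           # eap {all | prefix | suffix} delimiter <char>
    eap_delimiter: str = "@"

    def derive(self, id_type, identity):
        """Map a peer IKE/EAP identity to the username handed to AAA."""
        if id_type == "fqdn":
            host, _, domain = identity.partition(".")
            return {"all": identity, "hostname": host, "domain": domain}[self.fqdn]
        if id_type == "email":
            user, _, domain = identity.partition("@")
            return {"all": identity, "username": user, "domain": domain}[self.email]
        if id_type == "dn":
            wanted = {"common-name": "cn", "organization-unit": "ou"}[self.dn]
            rdns = {}
            for part in identity.split(","):
                key, _, value = part.strip().partition("=")
                rdns[key.strip().lower()] = value.strip()
            return rdns[wanted]
        if id_type == "eap":
            prefix, sep, suffix = identity.partition(self.eap_delimiter)
            if self.eap == "all" or not sep:
                return identity        # no delimiter present: whole EAP identity
            return prefix if self.eap == "prefix" else suffix
        raise ValueError("unknown identity type %r" % id_type)


# 'crypto ikev2 name-mangler extract-user' from the slide
EXTRACT_USER = NameMangler(fqdn="hostname", email="username",
                           dn="common-name", eap="prefix")

# Static password (configurable on IOS) sent with the mangled name to RADIUS
STATIC_PASSWORD = "cisco"


def aaa_request(mangler, id_type, identity, password=STATIC_PASSWORD):
    """Attributes of the RADIUS Access-Request the FlexVPN server would build."""
    return {"User-Name": mangler.derive(id_type, identity), "User-Password": password}


if __name__ == "__main__":
    for kind, ident in [("fqdn", "joe.cisco.com"), ("email", "joe@cisco.com"),
                        ("dn", "cn=joe,ou=IT,o=Cisco"), ("eap", "joe@cisco")]:
        print(kind, ident, "->", aaa_request(EXTRACT_USER, kind, ident))
```

The same class with dn="organization-unit" reproduces the later "name-mangler ou" example, turning cn=joe-pc, ou=Eng, o=Cisco into the group name Eng.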
FlexVPN AAA Integration
AAA-Based Authentication
AAA Pre-Shared Keys
Same IKEv2 packet flow as regular PSK authentication
FlexVPN Server has no IKEv2 keyring configured
Local & remote pre-shared keys stored on RADIUS server
Symmetric key (IETF attribute):
  router2 Cleartext-Password := "cisco"
          Tunnel-Password = "!cisco?"
Asymmetric keys (Cisco AV-Pair):
  router1 Cleartext-Password := "cisco"
          Cisco-AVPair = "ipsec:ikev2-password-local=cisco!",
          Cisco-AVPair += "ipsec:ikev2-password-remote=!ocsic"
AAA Pre-Shared Keys Packet Flow
FlexVPN Server configuration:
  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   keyring aaa list radius name-mangler extract-host
  !
  crypto ikev2 name-mangler extract-host
   fqdn hostname
FlexVPN Client -> FlexVPN Server, IKEv2 (IKE_AUTH): IDi, AUTH(PSK), ...
FlexVPN Server, IKEv2 name mangler: IKEv2 ID joe.cisco.com (FQDN hostname) -> AAA username joe
FlexVPN Server -> AAA Server, RADIUS (Access-Request): User-Name: joe, Password: cisco (static password, configurable)
AAA Server -> FlexVPN Server, RADIUS (Access-Accept): Local PSK = cisco!, Remote PSK = !ocsic, other user attributes for joe (cached for authorization)
FlexVPN Server -> FlexVPN Client, IKEv2 (IKE_AUTH): IDr, AUTH(PSK), ...
EAP Authentication
Extensible Authentication Protocol (RFC 3748)
  Provides common functions for a variety of authentication methods
  Tunneling methods (costly): EAP-TTLS, EAP-PEAP, ...
  Non-tunneling (recommended): EAP-MSCHAPv2, EAP-GTC, EAP-MD5, ...
Implemented in IKEv2 as additional IKE_AUTH packets
  RA client initiates EAP authentication by omitting the AUTH payload in IKE_AUTH
  RA server must authenticate itself using certificates (mandatory)
Authentication takes place between the RA client and the EAP backend authentication server
  EAP packets are relayed by the RA server
  Between RA client and RA server: tunneled inside IKEv2
  Between RA server and EAP backend: tunneled inside RADIUS
EAP method is transparent to the RA server
  Only needs to be supported by the RA client and the EAP backend
EAP Authentication
  crypto ikev2 profile default
   authentication remote eap query-identity
   aaa authentication eap frad
RA server authenticates to the client using IKE certificates (mandatory)
EAP runs between the RA client (EAP supplicant) and the AAA server (EAP backend), carried over IKEv2 on the client side and RADIUS on the server side:
  EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 / EAP-AKA / EAP-SIM / ...: username-password/token/mobile authentication (one-way)
  EAP-TLS (TLS inside IKEv2 and RADIUS): TLS-based certificate authentication (mutual)
  EAP-PEAP / EAP-TTLS carrying EAP-MSCHAPv2 / EAP-TLS / ...: TLS-protected nested authentication (one-way or mutual)
EAP Authentication Packet Flow
FlexVPN Server configuration:
  crypto ikev2 profile default
   authentication remote eap query-identity
   aaa authentication eap frad
RA Client -> FlexVPN Server, IKEv2 (IKE_AUTH): IDi, CFG_REQ, no AUTH
FlexVPN Server -> RA Client, IKEv2 (IKE_AUTH): IDr, AUTH(RSA), EAP(ID-Request)
RA Client -> FlexVPN Server, IKEv2 (IKE_AUTH): EAP(ID-Response: IDEAP); relayed to the AAA Server as RADIUS (Access-Request)
AAA Server -> FlexVPN Server, RADIUS (Access-Challenge): EAP(EAP-Method-Pkt#1); relayed to the RA Client in IKEv2 (IKE_AUTH)
RA Client -> FlexVPN Server, IKEv2 (IKE_AUTH): EAP(EAP-Method-Pkt#2); relayed to the AAA Server as RADIUS (Access-Request)
Both the RA Client and the AAA Server derive the MSK from the EAP method
AAA Server -> FlexVPN Server, RADIUS (Access-Accept): EAP(Success), MSK, User-Name (EAP username), other user attributes (cached for authorization)
FlexVPN Server -> RA Client, IKEv2 (IKE_AUTH): EAP(Success)
RA Client -> FlexVPN Server, IKEv2 (IKE_AUTH): AUTH(MSK)
FlexVPN Server -> RA Client, IKEv2 (IKE_AUTH): CFG_REPLY, AUTH(MSK)
EAP Authentication Initiation
With query-identity (recommended; not the default, but it should be; several clients jam if it is not configured):
  RA Client -> FlexVPN Server, IKEv2 (IKE_AUTH): IDi, CFG_REQ, no AUTH
  FlexVPN Server -> RA Client, IKEv2 (IKE_AUTH): IDr, AUTH(RSA), EAP(ID-Request)
  RA Client -> FlexVPN Server, IKEv2 (IKE_AUTH): EAP(ID-Response: IDEAP), the EAP ID provided by the client
  FlexVPN Server -> AAA Server, RADIUS (Access-Request): EAP(ID-Response: IDEAP)
Without query-identity (IKE ID used as EAP ID):
  RA Client -> FlexVPN Server, IKEv2 (IKE_AUTH): IDi, CFG_REQ, no AUTH
  FlexVPN Server -> RA Client, IKEv2 (IKE_AUTH): IDr, AUTH(RSA)
  FlexVPN Server -> AAA Server, RADIUS (Access-Request): EAP(ID-Response: IDi)
FlexVPN AAA Integration
User & Group Authorization
Authorization Types (not mutually exclusive; may be combined)
Implicit user authorization:
  crypto ikev2 profile default
   aaa authorization user {psk|eap} cached
  Uses cached attributes received from RADIUS during AAA PSK retrieval or EAP authentication (Access-Accept: Local PSK = cisco!, Remote PSK = !ocsic, other user attributes for joe, cached for authorization)
Explicit user authorization:
  crypto ikev2 profile default
   aaa authorization user {psk|eap|cert} list list [name | name-mangler mangler]
  Retrieves user attributes from RADIUS (local database not supported)
Explicit group authorization:
  crypto ikev2 profile default
   aaa authorization group {psk|eap|cert} [override] list list [name | name-mangler mangler]
  Retrieves group attributes from RADIUS or local database
  override: reverse order of precedence (group > user)
Attributes Syntax
Local database:
  IKEv2 Authorization Policy:
    crypto ikev2 authorization policy Eng
     pool Eng
     dns 10.0.1.1
     netmask 255.255.255.255
     aaa attribute list Eng
  AAA Attribute List (Virtual-Access interface configuration statements):
    aaa attribute list Eng
     attribute type interface-config "vrf forwarding Eng"
     attribute type interface-config "ip unnumbered Loopback1"
Central/remote database (on RADIUS server), standard IETF attributes (Framed-IP-Address, etc.) and Cisco Attribute-Value Pairs (Cisco-AVPair):
  Eng Cleartext-Password := "cisco"
      Framed-IP-Netmask = "255.255.255.255",
      Cisco-AVPair = "ipsec:addr-pool=Eng",
      Cisco-AVPair += "ipsec:dns-servers=10.0.1.1",
      Cisco-AVPair += "ip:interface-config=vrf forwarding Eng",
      Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"
Attributes Merging
Cached user attributes (received during AAA-based authentication):
  Framed-IP-Address  10.0.0.101
  ipsec:dns-servers  10.2.2.2
Explicit user attributes (received during explicit user authorization; take precedence over cached user attributes):
  Framed-IP-Address  10.0.0.102
Merged user attributes:
  Framed-IP-Address  10.0.0.102
  ipsec:dns-servers  10.2.2.2
Explicit group attributes (received during explicit group authorization; merged user attributes take precedence, except if group override is configured):
  ipsec:dns-servers  10.2.2.3
  ipsec:banner       Welcome !
Final merged attributes:
  Framed-IP-Address  10.0.0.102
  ipsec:dns-servers  10.2.2.2
  ipsec:banner       Welcome !
Attributes: Interface Config Ordering
Interface config strings do not override each other during merging
Instead, higher precedence statements are applied last
Pay attention to command-specific behavior (overwrites / stacks up / collides?)
Received during explicit user authorization:
  Interface-Config  zone-member security high
  Interface-Config  service-policy output gold
Received during explicit group authorization:
  Interface-Config  zone-member security medium
  Interface-Config  service-policy output silver
Resulting interface-config statements, applied in order:
  zone-member security high      (OK: will be overridden by the subsequent zone-member statement)
  service-policy output gold
  zone-member security medium
  service-policy output silver   (NOK: will collide with the previous service-policy statement: "Policy map silver is already attached")
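Added example, not from the presentation: a model of both the attribute merging and the interface-config ordering just described, fed with the values of the two slides. Scalar attributes follow the stated precedence (explicit user over cached user, merged user over group unless override); interface-config strings are accumulated in order, user strings first and group strings last as on the slide, and a small simulator shows why the second service-policy collides while the second zone-member simply replaces the first. The simulated command behaviour and the function names are assumptions of this example, not IOS code.

```python
# Added example (not from the presentation): models the attribute merging and the
# interface-config ordering described above. Attributes are (name, value) pairs as
# they would arrive from RADIUS; "ip:interface-config" may repeat, scalars may not.
IFCFG = "ip:interface-config"


def merge_attributes(cached_user, explicit_user, explicit_group, group_override=False):
    """Return (scalars, interface_config).
    Scalars: explicit user beats cached user; the merged user set beats the group set
    unless 'override' is configured on the group authorization.
    Interface-config strings never replace each other: they are collected in order,
    user strings first, group strings last (as on the slide)."""
    scalars, ifcfg = {}, []
    for name, value in list(cached_user) + list(explicit_user):
        if name == IFCFG:
            ifcfg.append(value)
        else:
            scalars[name] = value          # later source overwrites earlier
    for name, value in explicit_group:
        if name == IFCFG:
            ifcfg.append(value)
        elif group_override or name not in scalars:
            scalars[name] = value
    return scalars, ifcfg


def apply_interface_config(lines):
    """Simulate applying the interface-config strings in order on a Virtual-Access
    interface. Modelled behaviour (assumption): 'zone-member security' overwrites the
    previous value; a second 'service-policy output' collides with the attached one."""
    state, errors = {}, []
    for line in lines:
        words = line.split()
        if words[:2] == ["zone-member", "security"]:
            state["zone-member security"] = words[2]
        elif words[:2] == ["service-policy", "output"]:
            if "service-policy output" in state:
                errors.append("%s: collides with service-policy output %s already attached"
                              % (line, state["service-policy output"]))
            else:
                state["service-policy output"] = words[2]
        else:
            state.setdefault("other", []).append(line)
    return state, errors


# Values from the two slides above
CACHED_USER = [("Framed-IP-Address", "10.0.0.101"), ("ipsec:dns-servers", "10.2.2.2")]
EXPLICIT_USER = [("Framed-IP-Address", "10.0.0.102"),
                 (IFCFG, "zone-member security high"),
                 (IFCFG, "service-policy output gold")]
EXPLICIT_GROUP = [("ipsec:dns-servers", "10.2.2.3"), ("ipsec:banner", "Welcome !"),
                  (IFCFG, "zone-member security medium"),
                  (IFCFG, "service-policy output silver")]


def demo(group_override=False):
    """Merge the sample attributes and apply the resulting interface-config strings."""
    scalars, ifcfg = merge_attributes(CACHED_USER, EXPLICIT_USER, EXPLICIT_GROUP,
                                      group_override)
    state, errors = apply_interface_config(ifcfg)
    return scalars, ifcfg, state, errors


if __name__ == "__main__":
    for item in demo():
        print(item)
```

With override set on the group authorization the DNS server flips to 10.2.2.3; the interface-config collision does not go away, since ordering, not precedence, is what governs those strings.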
Attributes Scope
AAA authorization enables the peer authorization IKEv2 configuration exchange; some remote attributes may be derived from local attributes
Remote attributes (sent to the peer):
  IPv4/IPv6 Address (Standard)
  IPv4/IPv6 Netmask (Standard)
  IPv4/IPv6 Subnets (Standard)
  DNS/WINS Servers (Standard)
  DNS Domain Name (Cisco Unity)
  Logon Banner (Cisco Unity)
  Backup Gateways (Cisco Unity)
  Config Version/URL (FlexVPN)
  ...
Locally relevant attributes (FlexVPN Server):
  IPv4/IPv6 Address Pool
  DHCP Server
  IKEv2 Routing (route set statements)
  V-Access Interface Configuration
  ...
IOS AAA attributes are translated into IKEv2 Configuration Exchange attributes
Attributes: IP Address Assignment
User-specific statically assigned IP address
  Returned as RADIUS IETF Framed-IP-Address
  External DB only, not configurable in IKEv2 Authorization Policy
    joe Framed-IP-Address = "10.0.1.101"
        Framed-IP-Netmask = "255.255.255.255"
IOS-managed address pool
  Referenced in user or group attributes
  IOS pool name can be passed by RADIUS server
  Allocation/deallocation entirely managed by IOS
    crypto ikev2 authorization policy Eng
     pool Eng
    !
    ip local pool Eng 10.0.1.10 10.0.1.99
    Eng Cisco-AVPair = "ipsec:addr-pool=Eng"
DHCP-assigned IP addresses
  Request placed by IOS on behalf of the RA client
  DHCP server can be passed by RADIUS
    crypto ikev2 authorization policy Eng
     dhcp server 10.2.2.2
    Eng Cisco-AVPair = "ipsec:group-dhcp-server=10.2.2.2"
RADIUS-managed address pool
  Address allocated by RADIUS server and returned as Framed-IP-Address
  Accounting must be configured (to release addresses when clients disconnect)
Authorization Example
FlexVPN Server configuration:
  aaa authorization network here local
  !
  aaa attribute list Eng
   attribute type interface-config "vrf forwarding Eng"
   attribute type interface-config "ip unnumbered Loopback1"
  !
  crypto ikev2 authorization policy Eng
   pool Eng
   netmask 255.255.255.255
   aaa attribute list Eng
  !
  crypto pki certificate map cisco 1
   subject-name co o = cisco
  !
  crypto ikev2 name-mangler ou
   dn organization-unit
  !
  crypto ikev2 profile default
   match certificate cisco
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint root
   aaa authorization group cert list here name-mangler ou
   virtual-template 1
  !
  ip local pool Eng 10.0.1.10 10.0.1.99
  !
  interface Loopback1
   vrf forwarding Eng
   ip address 10.0.1.1 255.255.255.255
  !
  interface Virtual-Template1 type tunnel
   no ip address
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
Connection walk-through:
  RA Client: "My IKE ID is cn=joe-pc, ou=Eng, o=Cisco. Here is my identity certificate. I need an IPv4 address."
  FlexVPN Server: map the connection to IKEv2 profile default by matching on cert-map cisco
  Perform certificate-based authentication (not shown)
  Run the client IKE ID through name-mangler ou
  Invoke AAA with list here (local authorization) & username Eng
  Allocate an IPv4 address from pool Eng
  Clone Virtual-Template1 into Virtual-Access1, apply VRF & IP unnumbered
  FlexVPN Server -> RA Client: "Your IPv4 address is: 10.0.1.10/32"
Resulting interface (show derived-config):
  interface Virtual-Access1
   vrf forwarding Eng
   ip unnumbered Loopback1
   tunnel source 192.0.2.2
   tunnel mode ipsec ipv4
   tunnel destination 192.168.221.129
   tunnel protection ipsec profile default
   ...
FlexVPN AAA Integration
Connection Accounting
Accounting
Topology: RA Client (192.168.221.129, assigned address 10.0.1.101) <- IKEv2 (EAP) & IPsec -> FlexVPN Server (10.0.0.1) <- RADIUS -> RADIUS Server (10.0.0.2)
Upon client connection: RADIUS Acct-Request (Start), RADIUS Acct-Response
Upon client disconnection: RADIUS Acct-Request (Stop), RADIUS Acct-Response
FlexVPN Server configuration:
  aaa accounting network frad start-stop group frad
  aaa group server radius frad
   server-private 10.0.0.2 auth-port 1812 acct-port 1813 key s3cr3t
  !
  crypto ikev2 profile default
   aaa authentication eap frad
   aaa authorization user eap cached
   aaa accounting eap frad
Accounting-Request (Start):
  Acct-Session-Id = "0000001B"
  Cisco-AVPair = "isakmp-phase1-id=acvpn"                (IKE ID)
  Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"    (client public IP address)
  Framed-IP-Address = 10.0.1.101                         (assigned IP address)
  User-Name = "joe@cisco"                                (EAP username)
  Cisco-AVPair = "connect-progress=No Progress"
  Acct-Authentic = Local
  Acct-Status-Type = Start
  NAS-IP-Address = 10.0.0.1
  Acct-Delay-Time = 0
Accounting-Request (Stop):
  Acct-Session-Id = "0000001B"
  Cisco-AVPair = "isakmp-phase1-id=acvpn"
  Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
  Framed-IP-Address = 10.0.1.101
  User-Name = "joe@cisco"
  Acct-Authentic = Local
  Cisco-AVPair = "connect-progress=No Progress"
  Acct-Session-Time = 104                                (statistics)
  Acct-Input-Octets = 13906
  Acct-Output-Octets = 11040
  Acct-Input-Packets = 207
  Acct-Output-Packets = 92
  Acct-Terminate-Cause = 0
  Cisco-AVPair = "disc-cause-ext=No Reason"
  Acct-Status-Type = Stop
  NAS-IP-Address = 10.0.0.1
  Acct-Delay-Time = 0
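Added example, not from the presentation: a small parser for accounting records in the attribute = value form shown above, driving a model of a RADIUS-managed address pool. It illustrates the earlier statement that accounting must be configured for such a pool: the address leased at Access-Accept is only returned when the Stop record for the same Acct-Session-Id arrives. The sample records are constructed from the Start and Stop dumps on this slide; the pool and tracker classes are this example's own and not an IOS or RADIUS server implementation.

```python
# Added example (not from the presentation): parse RADIUS accounting dumps and use
# them to release addresses from a server-side (RADIUS-managed) pool.

# Constructed from the Start/Stop dumps on the slide (trimmed to the relevant attributes)
PAGE_RECORDS = """\
Acct-Status-Type = Start
Acct-Session-Id = "0000001B"
Cisco-AVPair = "isakmp-phase1-id=acvpn"
Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
Framed-IP-Address = 10.0.1.101
User-Name = "joe@cisco"
NAS-IP-Address = 10.0.0.1

Acct-Status-Type = Stop
Acct-Session-Id = "0000001B"
Framed-IP-Address = 10.0.1.101
User-Name = "joe@cisco"
Acct-Session-Time = 104
Acct-Input-Octets = 13906
Acct-Output-Octets = 11040
Acct-Input-Packets = 207
Acct-Output-Packets = 92
Acct-Terminate-Cause = 0
"""


def parse_accounting(text):
    """Split a blank-line separated dump of accounting requests into dicts.
    Cisco-AVPair may repeat, so it is collected into a list."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        name, _, value = line.partition(" = ")   # inner '=' of an AV pair is kept
        value = value.strip('"')
        if name == "Cisco-AVPair":
            current.setdefault(name, []).append(value)
        else:
            current[name] = value
    if current:
        records.append(current)
    return records


class RadiusAddressPool:
    """Server-side pool: an address is leased on Access-Accept (Framed-IP-Address)
    and only returned on Accounting Stop, which is why accounting is mandatory."""

    def __init__(self, addresses):
        self.free = list(addresses)
        self.leased = {}            # address -> username

    def lease(self, user):
        address = self.free.pop(0)
        self.leased[address] = user
        return address

    def release(self, address):
        if address in self.leased:
            del self.leased[address]
            self.free.append(address)


class AccountingTracker:
    """Correlates Start and Stop by Acct-Session-Id and closes sessions."""

    def __init__(self, pool):
        self.pool, self.open, self.closed = pool, {}, []

    def handle(self, rec):
        sid = rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            self.open[sid] = rec
        elif rec["Acct-Status-Type"] == "Stop":
            self.open.pop(sid, None)
            self.pool.release(rec["Framed-IP-Address"])
            self.closed.append({
                "session": sid, "user": rec["User-Name"],
                "address": rec["Framed-IP-Address"],
                "seconds": int(rec["Acct-Session-Time"]),
                "bytes": int(rec["Acct-Input-Octets"]) + int(rec["Acct-Output-Octets"]),
            })


def run_demo():
    """Lease at Access-Accept, then replay the Start and Stop records."""
    pool = RadiusAddressPool(["10.0.1.101", "10.0.1.102"])
    leased = pool.lease("joe@cisco")
    tracker = AccountingTracker(pool)
    for rec in parse_accounting(PAGE_RECORDS):
        tracker.handle(rec)
    return leased, tracker.closed, pool.free, list(tracker.open)


if __name__ == "__main__":
    print(run_demo())
```

Replaying only the Start record leaves the session open and the address leased; that is the state a RADIUS-managed pool stays in forever when the FlexVPN server has no accounting configured.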
Remote Access Clients
Remote Access Clients Overview
AnyConnect 3.1 (Desktop Version)
  Supported OSes: Windows, Mac OS X, Linux
  Supported IKEv2 authentication methods: Certificates, EAP
  Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
  Security policy exchange: Automatic (RRI) [2]
  Dual stack (IPv4 & IPv6): 3.1.05152 (with GRE), IOS-XE 3.14 (TBC)
  Split tunneling: Yes
AnyConnect 3.0 (Mobile Version)
  Supported OSes: Android, Apple iOS
  Supported IKEv2 authentication methods: Certificates, EAP
  Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
  Security policy exchange: Automatic (RRI) [2]
  Dual stack (IPv4 & IPv6): Planned (client limitation)
  Split tunneling: Yes
Windows Native IKEv2 Client
  Supported OSes: Windows 7 & 8
  Supported IKEv2 authentication methods: Certificates, EAP
  Supported EAP authentication methods: EAP-MSCHAPv2, EAP-TLS [1], EAP-PEAP [1], ... and more (Win8)
  Security policy exchange: Automatic (RRI) [2]
  Dual stack (IPv4 & IPv6): Planned (headend limitation)
  Split tunneling: Very limited (classful)
FlexVPN Hardware Client
  Supported OSes: Cisco IOS 15.2+ (not on IOS-XE / ASR1k, not on ISR-G1)
  Supported IKEv2 authentication methods: Certificates, EAP, Pre-Shared Key
  Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
  Security policy exchange: Automatic (IKEv2) [2], dynamic routing protocol
  Dual stack (IPv4 & IPv6): Both (with GRE)
  Split tunneling: Yes
strongSwan
  Supported OSes: Linux, Mac OS X, Android, FreeBSD, ...
  Supported IKEv2 authentication methods: Certificates, EAP, Pre-Shared Key
  Supported EAP authentication methods: EAP-MSCHAPv2, EAP-TLS [1], EAP-PEAP [1], ... and more (plugins)
  Security policy exchange: Automatic (RRI) [2]
  Dual stack (IPv4 & IPv6): Planned (headend limitation)
  Split tunneling: Yes
[1] EAP-TLS, EAP-TTLS, EAP-PEAP and others require (potentially dedicated) TLS certificates on EAP server & RA client
[2] IPsec Reverse Route Injection (RRI) and IKEv2 Route Exchange are enabled by default
Remote Access Clients
AnyConnect Secure Mobility Client
AnyConnect Secure Mobility Client
Since AnyConnect 3.0, IKEv2/IPsec supported (previously only SSL/TLS)
Desktop: Windows, Mac OS X, Linux
Mobile: Apple iOS, Android
Supported authentication methods:
Machine/User Certificates (RSA signatures)
EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
EAP-GTC (cleartext password authentication, used for one-time-passwords/tokens)
EAP-MD5 (hash-based authentication)
Particularities:
Requires EAP query-identity on server (triggers username/password input dialog)
Requires no crypto ikev2 http-url cert on server (aborts the connection otherwise)
CSCud96246: incompatibility with IOS when using SHA-2 integrity (resolved in 3.1.05, Dec 2013)
For more on AnyConnect management & deployment:
BRKSEC-3033 Advanced AnyConnect Deployment and Troubleshooting with ASA by H. Nohre
Focuses on ASA as headend, but many topics also relevant for FlexVPN
AnyConnect VPN Profile Editor
Add entry to server list: Connection name, Server FQDN, ...
Resulting XML Profile:

<ServerList>
 <HostEntry>
  <HostName>FlexVPN</HostName>
  <HostAddress>flexra.cisco.com</HostAddress>
  <PrimaryProtocol>IPsec
   <StandardAuthenticationOnly>true
    <AuthMethodDuringIKENegotiation>EAP-GTC</AuthMethodDuringIKENegotiation>
    <IKEIdentity>acvpn</IKEIdentity>
   </StandardAuthenticationOnly>
  </PrimaryProtocol>
 </HostEntry>
</ServerList>
...

IKE Identity only applies to EAP authentication methods
AnyConnect Backup Server List
Add backup server(s) to list: Primary server flexra.cisco.com, backup server flexra2.cisco.com, ... (both reachable over the WAN)
Resulting XML Profile:

<ServerList>
 <HostEntry>
  <HostName>FlexVPN</HostName>
  <HostAddress>flexra.cisco.com</HostAddress>
  <BackupServerList>
   <HostAddress>flexra2.cisco.com</HostAddress>
  </BackupServerList>
...

When the primary server stops responding, the client will try connecting to the backup server(s)
AnyConnect Seamless Auto-Reconnect
Seamless reconnection after:
  transient loss of connectivity
  switching between networks (e.g. moving from 3G to WiFi)
  suspend/resume computer
Supported by AnyConnect desktop & mobile for both SSL & IKEv2
FlexVPN server-side support introduced in IOS 15.4(1)T & IOS-XE 15.4(1)S / 3.11S

crypto ikev2 profile default
 ...
 reconnect [timeout <seconds>]

Suspend/resume client behavior configurable separately:
  DisconnectOnSuspend: release VPN session resources upon suspend, do not reconnect
  ReconnectAfterResume: try to reconnect after operating system resumes
Proprietary method:
  Session token exchanged during initial session establishment (configuration exchange)
  Reconnection attempts use session token as pre-shared key in IKE_AUTH
  Mutually exclusive with PSK configuration in IKEv2 profile
  Session expires on server after configured timeout (default: 30 minutes)
AnyConnect Seamless Auto-Reconnect
Server configuration in both cases:
crypto ikev2 profile default
 reconnect [timeout <seconds>]

Transient loss of connectivity:
  1: Connected over WiFi link
  2: Network failure detected; client will attempt to reconnect automatically
  3: Server marks session as inactive, keeps it alive until the configured timeout
  4: ISP/WAN comes back up; session resumed without any user intervention

Switching between networks:
  1: Connected over 3G
  2: Switching to WiFi (different IP address)
  3: Session resumed without any user intervention

Also works when computer suspends & resumes (behavior controllable through XML profile)
AnyConnect Profile Deployment Options
AnyConnect Desktop (XML profile):
  Push using a Software Management System
  Send via e-mail
  Add to the AnyConnect installation package
  Install manually on local hard disk
  Default profile location per OS:
    Windows: %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
    Mac OS, Linux: /opt/cisco/anyconnect/profile
AnyConnect Mobile (XML profile):
  Import from local filesystem
  Configure connection manually
  Send via e-mail
  Import or create via URI handler:
    anyconnect://import?type=profile&uri=location
    Example location: http%3A%2F%2Fexample.com%2FFlexVPN.xml
AnyConnect Mobile Manual Connection
Create new manual connection:
  Connection name
  Server FQDN
  Certificate selection
  Cisco ASA only
  Enable IKEv2
  Select authentication method
  Specify IKE ID for EAP methods
AnyConnect Mobile URI Handler
anyconnect:// URI handler on Apple iOS & Android:
  Import XML profile
  Create connection entry
  Connect & disconnect VPN
Example (connection successfully created):
anyconnect://create/?name=FlexVPN&host=flexra.cisco.com&protocol=IPsec&authentication=EAP-MD5&ike-identity=acvpn
Prompt or Enabled required
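The profile XML and URI handler forms of the previous slides (server list, backup server list, profile import and connection creation), generated and checked by a small Python helper. This is an added example, not part of the presentation or of AnyConnect itself: the element and parameter names are those shown on the slides, while the function names and the "Certificate" method label for the mutual RSA-SIG case are assumptions of this example.

```python
"""Build an AnyConnect XML profile ServerList entry and the anyconnect://
URIs that import a profile or create a connection on the mobile client.

Added example, not tooling from the presentation or from Cisco. Element names
follow the XML shown on the slides; the validation encodes the slide's note
that the IKE Identity only applies to EAP authentication methods.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode, urlparse, parse_qs

# EAP methods AnyConnect can use for IKEv2 against a FlexVPN server.
EAP_METHODS = {"EAP-GTC", "EAP-MD5", "EAP-MSCHAPv2"}
# Hypothetical label used by this example for certificate (RSA-SIG) auth.
CERTIFICATE = "Certificate"


def build_server_list(name, host, auth_method, ike_identity=None, backups=()):
    """Return the <ServerList> XML string for one HostEntry.

    For EAP, ike_identity is the KEY-ID the server matches with
    "match identity remote key-id"; for certificates the IKE ID is the
    subject DN, so an IKEIdentity would be meaningless and is rejected.
    """
    if auth_method in EAP_METHODS:
        if not ike_identity:
            raise ValueError("EAP methods need an IKEIdentity (KEY-ID)")
    elif auth_method == CERTIFICATE:
        if ike_identity:
            raise ValueError("IKEIdentity only applies to EAP methods")
    else:
        raise ValueError(f"unsupported authentication method: {auth_method}")

    server_list = ET.Element("ServerList")
    entry = ET.SubElement(server_list, "HostEntry")
    ET.SubElement(entry, "HostName").text = name
    ET.SubElement(entry, "HostAddress").text = host
    # Mixed-content elements, exactly as the profile editor emits them.
    proto = ET.SubElement(entry, "PrimaryProtocol")
    proto.text = "IPsec"
    if auth_method in EAP_METHODS:
        std = ET.SubElement(proto, "StandardAuthenticationOnly")
        std.text = "true"
        ET.SubElement(std, "AuthMethodDuringIKENegotiation").text = auth_method
        ET.SubElement(std, "IKEIdentity").text = ike_identity
    if backups:
        bsl = ET.SubElement(entry, "BackupServerList")
        for backup in backups:
            ET.SubElement(bsl, "HostAddress").text = backup
    return ET.tostring(server_list, encoding="unicode")


def import_uri(profile_url):
    """anyconnect://import?type=profile&uri=<percent-encoded location>."""
    return "anyconnect://import?type=profile&uri=" + quote(profile_url, safe="")


def create_uri(name, host, auth_method, ike_identity=None):
    """anyconnect://create/?name=...&host=...&protocol=IPsec&authentication=...
    with &ike-identity=... appended for EAP methods only."""
    params = {"name": name, "host": host, "protocol": "IPsec",
              "authentication": auth_method}
    if auth_method in EAP_METHODS:
        if not ike_identity:
            raise ValueError("EAP methods need an ike-identity")
        params["ike-identity"] = ike_identity
    return "anyconnect://create/?" + urlencode(params)


def parse_create_uri(uri):
    """Inverse of create_uri: return the query parameters as a flat dict."""
    parsed = urlparse(uri)
    if parsed.scheme != "anyconnect" or parsed.netloc != "create":
        raise ValueError("not an anyconnect://create URI")
    return {k: v[0] for k, v in parse_qs(parsed.query).items()}
```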
AnyConnect Mobile Certificate Deployment
Package certificate & keypair into PKCS#12 file
Apple iOS
Import PKCS#12 from URL or email attachment
Provision credentials or set up SCEP
enrollment using configuration profile
(e.g. via iPhone Configuration Utility)
Android
Import PKCS#12 from URL, email or filesystem
Use existing credentials from Credential Storage

AnyConnect Mutual RSA Signatures
Mutual IKE certificate-based authentication
  AnyConnect picks best available identity certificate
    Based on selection rules in XML profile (if any)
    Certificate with EKU preferred over non-EKU
  Client IKE ID = certificate subject DN
  Server selects IKE profile based on certificate match
    Matching is done on certificate itself, not on IKE ID
Explicit user/group authorization
  Non-AAA authentication: no cached attributes
  Extract CN/OU field from DN using name-mangler
  Retrieve user/group attributes from RADIUS

Server configuration:
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list frad name-mangler ou
 aaa authorization user cert list frad name-mangler cn
 virtual-template 1

RADIUS definitions:
# Group definition
Eng
 Cleartext-Password := "cisco"
 Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
# User definition
joe
 Cleartext-Password := "cisco"
 Framed-IP-Address = "10.0.1.101",
 Framed-IP-Netmask = "255.255.255.255"

Exchange: Client <-- IKEv2 (IKE certificate authentication) --> FlexVPN server <-- RADIUS (explicit authorization) --> AAA server
AnyConnect EAP
EAP-GTC / EAP-MD5 / EAP-MSCHAPv2
  Client IKE ID = KEY-ID string configured in XML profile
  Server selects IKEv2 profile based on KEYID string
  EAP query-identity prompts user for credentials
  EAP ID = username entered by user
  Password authentication against AAA user database
  Returned attributes cached for implicit authorization

Server configuration:
crypto ikev2 profile default
 match identity remote key-id acvpn
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

RADIUS definition:
# User definition
joe@cisco
 Cleartext-Password := "c1sc0!"
 Framed-IP-Address = "10.0.1.101",
 Framed-IP-Netmask = "255.255.255.255",
 Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

Exchange: Client <-- IKEv2 (EAP-GTC / EAP-MD5 / EAP-MSCHAPv2) --> FlexVPN server <-- RADIUS (EAP username-password authentication) --> AAA server
AnyConnect Certificate Requirements

AnyConnect Client IKEv2 Certificate
  Used for: Mutual RSA-SIG
  Common Name (CN): Anything
  Key Usage (KU): Digital Signature
  Extended Key Usage (EKU): Optional(1,3); if present: TLS Client Authentication
  Subject Alternative Name (SAN): Not required(3)

FlexVPN Server IKEv2 Certificate
  Used for: Mutual RSA-SIG, EAP (all types)
  Common Name (CN): Anything (if SAN field present); Server FQDN (if no SAN field)
  Key Usage (KU): Digital Signature; Key Encipherment or Key Agreement
  Extended Key Usage (EKU): Optional(2,3); if present: TLS Server Authentication or IKE Intermediate
  Subject Alternative Name (SAN): Optional(3); if present: Server FQDN

(1) Required in AC 3.0.8 to 3.0.10 (CSCuc07598)
(2) Required in AC 3.0 (all versions), lifted in 3.1
(3) Not required: may be omitted or set to any value. Optional: may be omitted or set to the specified value
Remote Access Clients
Windows Native IKEv2 Client
Windows Native IKEv2 Client
Since Windows 7, IKEv2/IPsec natively supported for RA connections
Supported authentication methods:
Machine Certificates (RSA signatures)
EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
EAP-TLS (certificate authentication, based on TLS handshake)
EAP-PEAP (tunnels another EAP method within TLS)
EAP-TTLS (Windows 8: tunnels EAP or non-EAP authentication within TLS)
EAP-AKA / EAP-AKA' / EAP-SIM (Windows 8: SIM card & mobile network authentication)
Particularities:
Requires EAP query-identity on server (fails to respond to EAP otherwise)
Requires AES-256 in IPsec transform set (current IOS default is AES-128)
RSA authentication will fail if more than 100 CAs in client Local Machine Trusted Roots store
KB975488: Windows 7 only sends IP address as IKE Identity (except when using certs)
KB814394: Certificate requirements for EAP-TLS and PEAP-EAP-TLS
KB939616: Certificate keypair lost when copying from user store to machine store

Windows 7 VPN Connection Settings (1)
DNS-resolvable FQDN must be found in:
  CN/SAN of FlexVPN Server IKE certificate
  CN of EAP Server TLS certificate
Type of VPN: IKEv2
Require encryption & Strongest encryption: both require AES-256 in the IPsec transform set
  crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
Authentication options: EAP-MSCHAPv2; RSA Signatures
Windows Mutual RSA Signatures
Mutual IKE certificate-based authentication
  Windows can only use local machine certificates
IKEv2 Profile selection on server
  Client IKE ID = certificate subject DN
  Server selects profile based on certificate map
  Matching is done on certificate itself, not on IKE ID
Explicit user/group authorization
  Non-AAA authentication: no cached attributes
  Extract CN/OU field from DN using name-mangler
  Retrieve user/group attributes from RADIUS

Server configuration:
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list frad name-mangler ou
 aaa authorization user cert list frad name-mangler cn
 virtual-template 1

RADIUS definitions:
# Group definition
Eng
 Cleartext-Password := "cisco"
 Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
# User definition
joe
 Cleartext-Password := "cisco"
 Framed-IP-Address = "10.0.1.101",
 Framed-IP-Netmask = "255.255.255.255"

Exchange: Client <-- IKEv2 (IKE certificate authentication) --> FlexVPN server <-- RADIUS (explicit authorization) --> AAA server
Windows EAP Considerations
IKEv2 mandates certificate-based server authentication
Profile selection based on client IKE ID
  Windows 7 with fix for KB975488: IKE ID = user@domain
    Selection can be based on email domain match
  Windows 7 w/o fix or 8 w/ regression: IKE ID = client IP address
    Only option: single IKE profile and VTemplate for all groups
    Leverage AAA to provide service differentiation
EAP ID provided by client during authentication
  Requires query-identity (client cannot perform EAP otherwise)
  EAP server will query AAA database for attributes
  Attributes can be reused for implicit user authorization
Server sends updated EAP ID in final Access-Accept reply (usually same value as the initial client-provided EAP ID)
  Final EAP ID can be reused for additional authorization if needed

Server configuration:
crypto ikev2 profile default
 identity local dn
 authentication local rsa-sig
 pki trustpoint root [sign]
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 authentication remote eap query-identity
 aaa authentication eap frad
 aaa authorization user eap cached
 aaa authorization group eap list here ... name-mangler domain
Windows 7 EAP-MSCHAPv2
EAP-MSCHAPv2
  EAP ID = user or user@domain
  Password authentication against EAP server database

Server configuration:
crypto ikev2 profile default
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

RADIUS definition:
# User definition
joe@cisco
 Cleartext-Password := "c1sc0!"
 Framed-IP-Address = "10.0.1.101",
 Framed-IP-Netmask = "255.255.255.255",
 Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

Exchange: Client <-- IKEv2 (EAP-MSCHAPv2) --> FlexVPN server <-- RADIUS (EAP username-password authentication) --> EAP server
Windows 7 EAP-TLS
EAP-TLS
  Client performs TLS handshake w/ EAP server
  Mutual authentication using TLS certificates
  Client authentication mandatory (unlike EAP-PEAP)
  EAP ID = TLS certificate UPN (or CN if none)

Server configuration:
crypto ikev2 profile default
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

RADIUS definition:
# User definition
joe@cisco
 Cleartext-Password := "c1sc0!"
 Framed-IP-Address = "10.0.1.101",
 Framed-IP-Netmask = "255.255.255.255",
 Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

Exchange: Client <-- IKEv2 (EAP-TLS) --> FlexVPN server <-- RADIUS --> EAP server, with the TLS handshake running end-to-end between client and EAP server (EAP certificate/TLS-based authentication)
Windows 7 EAP-TLS Settings
Get certificate from Current User certificate store
Server name must be found in CN of EAP Server TLS certificate
Trusted root authorities for EAP server authentication
Windows 7 EAP-PEAP
EAP-PEAP
  Client performs TLS handshake w/ EAP server
  Client authenticates EAP server using TLS certificate
  Provides protection for inner EAP exchange
  Inner (tunneled) EAP method authenticates the user
  Outer EAP method returns user attributes to server
Tunneled EAP-MSCHAPv2
  EAP ID = user or user@domain
Tunneled EAP-TLS
  EAP ID = TLS certificate UPN (or CN if none)

Server configuration:
crypto ikev2 profile default
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

RADIUS definition:
# User definition
joe@cisco
 Cleartext-Password := "c1sc0!"
 Framed-IP-Address = "10.0.1.101",
 Framed-IP-Netmask = "255.255.255.255",
 Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"

Exchange: Client <-- IKEv2 (EAP-PEAP over TLS, carrying EAP-MSCHAPv2 or EAP-TLS) --> FlexVPN server <-- RADIUS --> EAP server, with the TLS tunnel running end-to-end between client and EAP server (EAP certificate/TLS-based or username-password authentication)
Windows 7 EAP-PEAP Settings
Server name must be found in CN of EAP Server TLS certificate
Trusted root authorities for EAP server authentication
Inner (tunneled) EAP method
Windows 7 Certificate Requirements

Win7 Client IKEv2 Certificate
  Used for: Mutual RSA-SIG
  Certificate store: Local Computer
  Common Name (CN): Anything
  Key Usage (KU): Digital Signature
  Extended Key Usage (EKU): Not required(1)
  Subject Alternative Name (SAN): Not required(1)

FlexVPN Server IKEv2 Certificate
  Used for: Mutual RSA-SIG, EAP (all types)
  Certificate store: N/A
  Common Name (CN): Anything (if SAN field present); Server FQDN (if no SAN field)
  Key Usage (KU): Digital Signature, Key Encipherment
  Extended Key Usage (EKU): TLS Server Authentication
  Subject Alternative Name (SAN): Optional(1); if present: Server FQDN

Win7 Client TLS Certificate
  Used for: EAP-TLS, EAP-PEAP (optional)
  Certificate store: Current User
  Common Name (CN): Anything (if UPN present); user@domain (if no UPN(2))
  Key Usage (KU): Digital Signature
  Extended Key Usage (EKU): TLS Client Authentication
  Subject Alternative Name (SAN): Optional(1); if present: UPN(2)

EAP Server TLS Certificate
  Used for: EAP-TLS, EAP-PEAP
  Certificate store: N/A
  Common Name (CN): Server name (as configured in Client EAP Settings)
  Key Usage (KU): Digital Signature
  Extended Key Usage (EKU): TLS Server Authentication
  Subject Alternative Name (SAN): Server FQDN

(1) Not required: may be omitted or set to any value. Optional: may be omitted or set to the specified value
(2) UPN (User Principal Name): Microsoft proprietary user@domain SAN extension (OID 1.3.6.1.4.1.311.20.2.3)
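An added example (not from the presentation) that encodes the IKEv2 certificate rows of both requirement tables, AnyConnect (3.1, where the EKU is optional) and Windows 7, as a check over a simplified certificate model: subject CN, SAN dNSName list, KU set and EKU set. The EAP TLS certificates and the Windows certificate store location are not modelled, and the model dicts and function names are this example's own.

```python
"""Check IKEv2 certificates against the client-specific requirements in the
AnyConnect and Windows 7 certificate requirement tables.

Added example, not part of the presentation. Certificates are plain dicts
(cn, san_dns, ku, eku) so the check runs without a crypto library; feeding
it real certificates would need an X.509 parser, which is out of scope here.
"""

DIGITAL_SIGNATURE = "digitalSignature"
KEY_ENCIPHERMENT = "keyEncipherment"
KEY_AGREEMENT = "keyAgreement"
SERVER_AUTH = "serverAuth"            # TLS Server Authentication
CLIENT_AUTH = "clientAuth"            # TLS Client Authentication
IKE_INTERMEDIATE = "ikeIntermediate"  # accepted by AnyConnect instead of serverAuth


def check_server_cert(cert, fqdn, client):
    """Findings for a FlexVPN server IKEv2 certificate as seen by the named
    client ('anyconnect' or 'windows7'); an empty list means it complies."""
    findings = []
    ku = cert.get("ku", set())
    eku = cert.get("eku")          # None models "extension absent"
    san = cert.get("san_dns", [])
    if DIGITAL_SIGNATURE not in ku:
        findings.append("KU must include Digital Signature")
    if client == "anyconnect":
        if not ku & {KEY_ENCIPHERMENT, KEY_AGREEMENT}:
            findings.append("KU must include Key Encipherment or Key Agreement")
        # EKU optional for AC 3.1; if present it must name a server role.
        if eku is not None and not eku & {SERVER_AUTH, IKE_INTERMEDIATE}:
            findings.append("EKU present but lacks TLS Server Authentication / IKE Intermediate")
    elif client == "windows7":
        if KEY_ENCIPHERMENT not in ku:
            findings.append("KU must include Key Encipherment")
        if eku is None or SERVER_AUTH not in eku:
            findings.append("EKU TLS Server Authentication is required")
    else:
        raise ValueError(f"unknown client type: {client}")
    # Name check: a SAN takes precedence when present; otherwise the CN must
    # carry the FQDN the client is configured with (and resolves in DNS).
    if san:
        if fqdn.lower() not in (n.lower() for n in san):
            findings.append(f"SAN present but does not contain {fqdn}")
    elif cert.get("cn", "").lower() != fqdn.lower():
        findings.append(f"no SAN, so CN must be {fqdn}")
    return findings


def check_client_cert(cert, client):
    """Findings for a client IKEv2 certificate used for mutual RSA-SIG."""
    findings = []
    ku = cert.get("ku", set())
    eku = cert.get("eku")
    if DIGITAL_SIGNATURE not in ku:
        findings.append("KU must include Digital Signature")
    # AnyConnect: EKU optional, but if present it must be TLS Client Auth.
    # Windows 7: EKU not required, so it is not checked at all.
    if client == "anyconnect" and eku is not None and CLIENT_AUTH not in eku:
        findings.append("EKU present but lacks TLS Client Authentication")
    return findings


# Constructed sample certificates (not real credentials).
SERVER_WITH_SAN = {"cn": "FlexVPN Headend", "san_dns": ["flexra.cisco.com"],
                   "ku": {DIGITAL_SIGNATURE, KEY_ENCIPHERMENT}, "eku": {SERVER_AUTH}}
SERVER_NO_SAN_NO_EKU = {"cn": "flexra.cisco.com", "san_dns": [],
                        "ku": {DIGITAL_SIGNATURE, KEY_AGREEMENT}, "eku": None}
CLIENT_EKU_OK = {"cn": "joe", "ku": {DIGITAL_SIGNATURE}, "eku": {CLIENT_AUTH}}
CLIENT_EKU_WRONG = {"cn": "joe", "ku": {DIGITAL_SIGNATURE}, "eku": {SERVER_AUTH}}
```

The same server certificate can pass for AnyConnect and fail for Windows 7, which is why the stricter Windows rows (Key Encipherment plus a mandatory TLS Server Authentication EKU) are the ones to issue against when both clients are in use.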
Windows 7 Certificate Import
Client keypair & certificate can be issued by CA and provisioned to client PC
Import keypair, identity cert and issuer cert from PFX / PKCS#12 package
Due to KB939616, machine IKEv2 cert must be imported explicitly into machine store

Remote Access Clients
FlexVPN Hardware Client
FlexVPN Hardware Client Overview
IKEv2 initiation on IOS can be driven by the FlexVPN Client Profile CLI construct
Supported authentication methods:
Certificates (RSA signatures)
EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2)
EAP-GTC (cleartext password authentication, used for one-time-passwords/tokens)
EAP-MD5 (hash-based authentication)
Pre-Shared Keys
Routing on FlexVPN server and client:
IKEv2 Routing (bidirectional Configuration Exchange)
Dynamic Routing Protocol (optional, bootstrapped through IKEv2 Routing)
IPv4/IPv6 mixed-mode & dual-stack supported using GRE/IPsec interfaces
More than a Remote Access client, useful also in hub-and-spoke designs
where advanced initiator logic is required (dial backup, object tracking, ...)

FlexVPN Hardware Client Example
Sample configuration:
  Static tunnel interface driven by FlexVPN Client Profile
  Local AAA authorization (default IKEv2 author. policy)
  Certificate-based mutual authentication (no EAP)
  Single peer (name resolution of FQDN on connection)
Tunnel interface configuration:
  IP address assigned through IKEv2 Configuration Exchange
  Tunnel destination set dynamically by FlexVPN Client logic
  IKEv2/IPsec initiation triggered by FlexVPN Client logic
Default IKEv2 routing between client & server:
  Client advertises route for Tunnel0 assigned IP address
  Client installs prefixes advertised by server (egress Tun0)

client#show crypto ikev2 authorization policy default
IKEv2 Authorization Policy : default
route set interface
route accept any tag : 1 distance : 1

Client configuration:
aaa new-model
aaa authorization network here local
!
crypto pki trustpoint root
 rsakeypair root
!
crypto pki certificate map cisco 1
 subject-name co o = cisco
!
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list here default
!
crypto ikev2 client flexvpn flexra
 peer 1 fqdn flexra.cisco.com dynamic
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile default
FlexVPN Hardware Client Key Features
Peer list with object tracking:
  Ordered list of FlexVPN servers (by address or FQDN)
  Enable/disable entries based on tracking object state
  Additional peers can be pushed by server during Config Exchange
crypto ikev2 client flexvpn flexra
 peer 1 <address>
 peer 2 <address> track 10 up
 peer 3 <address> track 20 down
!
track 10 interface <name> line-protocol
track 20 ip route <prefix> reachability

Connection modes:
  connect auto: Automatic (infinite loop, 10 seconds between tries)
  connect track 10 up: When tracking object goes up/down (enables dial backup)
  connect manual: Manual (CLI-triggered)

EAP local authentication (IKEv2 initiator only):
crypto ikev2 profile default
 authentication local eap
  Username prompt only if server does query-identity
  Alternative: static credentials in IKEv2 profile
client#crypto ikev2 client flexvpn connect
Enter the command 'crypto eap credentials flexra'
client#crypto eap credentials flexra
Enter the Username for profile flexra: joe@cisco
Enter the password for username joe@cisco:
Configuration Review
Review Mutual RSA Signatures
Certificate selection depends on client
  AnyConnect picks best available ID certificate
    Based on selection rules in XML profile (if any)
    Certificate with EKU preferred over non-EKU
  Windows uses local machine certificate
  FlexVPN Client uses trustpoint in initiator IKEv2 profile
IKEv2 Profile selection on server
  Client IKE ID = certificate subject DN
  Server selects profile based on certificate map
  Matching is done on certificate itself, not on IKE ID
Explicit user/group authorization
  Non-AAA authentication: no cached attributes
  Extract CN/OU fields from DN using name-mangler
  Retrieve user/group attributes from RADIUS
  Assign IP address based on pool or Framed-IP

Server configuration:
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list frad name-mangler ou
 aaa authorization user cert list frad name-mangler cn
 virtual-template 1

RADIUS definitions:
# Group definition
Eng
 Cleartext-Password := "cisco"
 Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
# User definition
joe
 Cleartext-Password := "cisco"
 Framed-IP-Address = "10.0.1.101",
 Framed-IP-Netmask = "255.255.255.255"
Review EAP Authentication (1)
IKE identity depends on client type
  AnyConnect: KEY-ID string in XML profile
  Windows 7 with fix for bug KB975488: user@domain
  Windows 7 w/o fix, 7 or 8 with regression: client IP address
    Only option: single IKE profile and VT for all groups
    Leverage AAA to provide service differentiation
  FlexVPN Client: configurable (in initiator IKEv2 profile)
    crypto ikev2 profile default
     identity local ...

Server configuration (one profile matching all client types):
crypto ikev2 profile default
 match identity remote key-id acvpn               (AnyConnect)
 match identity remote email domain cisco         (Windows)
 match identity remote address 0.0.0.0            (Windows (bug))
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

RADIUS definition:
# User definition
joe@cisco
 Cleartext-Password := "c1sc0!"
 Framed-IP-Address = "10.0.1.101",
 Framed-IP-Netmask = "255.255.255.255",
 Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
Review EAP Authentication (2)
EAP identity depends on client type & EAP method
  AnyConnect: user[@domain] entered by user
  Windows 7 + non-TLS EAP: user[@domain] entered by user
  Windows 7 + TLS-based EAP: TLS certificate UPN (CN if none)
  FlexVPN Client: user[@domain] entered by user or configured in initiator IKEv2 profile
    crypto ikev2 profile default
     authentication local eap mschapv2 username joe@cisco password 0 c1sc0!
EAP Server returns user attributes for the EAP ID
  Can be cached and reused for authorization

Server configuration:
crypto ikev2 profile default
 match identity remote key-id acvpn
 match identity remote email domain cisco
 match identity remote address 0.0.0.0
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint root sign
 aaa authentication eap frad
 aaa authorization user eap cached
 virtual-template 1

RADIUS definition:
# User definition
joe@cisco
 Cleartext-Password := "c1sc0!"
 Framed-IP-Address = "10.0.1.101",
 Framed-IP-Netmask = "255.255.255.255",
 Cisco-AVPair = "ipsec:dns-servers=10.0.1.1"
FlexVPN Routing
FlexVPN Routing Overview
IKEv2 Routing (Configuration Exchange)
IPv4 & IPv6 subnets exchanged within IKEv2 Configuration Payloads
Static routes added to the RIB on both sides
Remote Access: currently only supported with FlexVPN hardware client
IPsec Reverse Route Injection (RRI)
Static routes added to RIB for protected remote networks (remote proxies)
No configuration required (automatic for Virtual-Access with non-any-any proxies)
Remote Access: supported with software clients (AnyConnect, Windows 7+, ...)
Dynamic Routing Protocol
Pros: more powerful/flexible/adaptive
Cons: more complex/resource-intensive
Remote Access: only supported with FlexVPN hardware client
NHRP Routes
Not applicable to Remote Access (Dynamic Mesh scenarios only)

FlexVPN Routing Events & Sources

Authorization (local configuration):
  Prefixes listed in route set local authorization attribute(s)
  route set local {ipv4 | ipv6} prefix
  route accept any [distance ...] [tag ...]
Config. Exchange (remote configuration):
  Prefixes received during Configuration Exchange within IPv4/IPv6 SUBNET attributes (handling controlled by local route accept attribute)
  route set interface [ifc-name]
  route set remote {ipv4 | ipv6} prefix
  route set access-list ...
SA Up / Down:
  Prefixes corresponding to negotiated IPsec SA remote proxies (not applicable to any-any VTI or GRE/IPsec)
Routing Update:
  Prefixes advertised by peer over dynamic routing protocol neighborship
Shortcut Creation:
  Spoke-to-Spoke tunnels established

Route sources feeding the Routing Table (RIB/FIB):
  IKEv2: IKEv2 Static Routes
  IPsec: Reverse Route Injection
  Routing Protocol: Regular Dynamic Routes
  NHRP: NHRP Static Routes
Scenarios & Use Cases
Full & Split Tunneling
Scenario: Windows Full Tunneling
Topology: client on LAN 10.42.1.0/24 (default gateway 10.42.1.1) --- WAN --- FlexVPN Server 192.0.2.2 (Lo1: 10.0.1.1/32) --- 10.0.0.0/16; assigned VPN IP: 10.0.1.22/32

Client IPv4 Route Table:
Destination      Gateway      Interface
0.0.0.0/0        10.42.1.1    Local Area Connection
0.0.0.0/0        On-link      FlexVPN Connection      (default route changed to point through VPN tunnel)
192.0.2.2/32     10.42.1.1    Local Area Connection   (server reachable in the clear via ISP)
10.42.1.0/24     On-link      Local Area Connection   (local LAN still reachable)

Server (assigned IP address reachable over client VA, automatic RRI):
S 10.0.1.22/32 is directly connected, Virtual-Access1
interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

If "Use default gateway on remote network" is un-checked: default route replaced with a single classful route based on assigned VPN IP address (e.g. 10.0.1.22 -> 10.0.0.0/8) = rudimentary split tunneling
Scenario: AnyConnect Full Tunneling
Topology: client on LAN 10.42.1.0/24 (default gateway 10.42.1.1) --- WAN --- FlexVPN Server 192.0.2.2 (Lo1: 10.0.1.1/32) --- 10.0.0.0/16; assigned VPN IP: 10.0.1.22/32

Client IPv4 Route Table:
Destination      Gateway      Interface
0.0.0.0/0        10.42.1.1    Local Area Connection
0.0.0.0/0        On-link      FlexVPN Connection      (default route changed to point through VPN tunnel)
192.0.2.2/32     10.42.1.1    Local Area Connection   (server in the clear via ISP)
10.42.1.0/24     On-link      Local Area Connection   (local LAN removed from routing table)

Server (assigned IP address reachable over client VA):
S 10.0.1.22/32 is directly connected, Virtual-Access1
interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

To enable full tunneling with local LAN access:
  Cisco-AVPair += "ipsec:split-exclude=0.0.0.0/255.255.255.255"
  IOS include-local-lan attribute not supported by AnyConnect, so use the RADIUS-only Cisco-AV-Pair ipsec:split-exclude with special value 0.0.0.0/32 (supported in 15.2(4)M6, 15.2(4)S5 and 15.4(2)T/S onwards)
  In addition, Local Lan Access must be enabled in AnyConnect XML Profile
Scenario: AnyConnect Split Tunneling
Topology: client on LAN 10.42.1.0/24 (default gateway 10.42.1.1) --- WAN --- FlexVPN Server 192.0.2.2 (Lo1: 10.0.1.1/32) --- 10.0.0.0/16; assigned VPN IP: 10.0.1.22/32

Authorization: one or more subnets to include in split tunnel
route set remote ipv4 10.0.0.0 255.255.0.0

Client IPv4 Route Table:
Destination      Gateway      Interface
0.0.0.0/0        10.42.1.1    Local Area Connection   (original default gateway used for internet traffic + server reachability)
10.0.0.0/16      On-link      FlexVPN Connection      (specific route(s) pointing through VPN tunnel)
10.42.1.0/24     On-link      Local Area Connection   (local LAN still reachable)

Server:
S 10.0.1.22/32 is directly connected, Virtual-Access1
interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

Split tunnel policy pushed by server within IKEv2 Config Exchange
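The client-side routing outcome of the three scenarios above (Windows full tunnel with or without the remote default gateway, AnyConnect full tunnel with and without local LAN access, AnyConnect split tunnel), modelled as an added example that is not part of the presentation. The function names and the (destination, gateway, interface) row format are this example's own; prefixes and gateways reuse the slides' sample topology, and the IPsec selectors themselves are not modelled.

```python
"""Model which destinations end up inside the VPN tunnel for the Windows and
AnyConnect full/split tunnel scenarios.

Added example, not from the presentation. Route rows mimic the Windows
"IPv4 Route Table" columns; ties between two default routes are resolved in
favour of the VPN adapter, which is what the lower interface metric of a
full-tunnel VPN connection achieves on the real client.
"""
import ipaddress

# Sample topology from the slides (constructed, not production addresses).
LOCAL_LAN = ipaddress.ip_network("10.42.1.0/24")
LOCAL_GW = ipaddress.ip_address("10.42.1.1")
SERVER_PUBLIC = ipaddress.ip_address("192.0.2.2")
ASSIGNED = ipaddress.ip_address("10.0.1.22")
VPN_IF = "FlexVPN Connection"
LAN_IF = "Local Area Connection"


def classful_network(addr):
    """Classful network of an IPv4 address: the single route the Windows
    client installs for the assigned VPN address when the remote default
    gateway option is un-checked (e.g. 10.0.1.22 -> 10.0.0.0/8)."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError("assigned address outside classful unicast ranges")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def windows_routes(assigned, remote_default_gateway=True):
    """Windows native client route rows for the full-tunnel scenario."""
    routes = [
        ("0.0.0.0/0", str(LOCAL_GW), LAN_IF),
        (f"{SERVER_PUBLIC}/32", str(LOCAL_GW), LAN_IF),   # server in the clear
        (str(LOCAL_LAN), "On-link", LAN_IF),              # local LAN stays
    ]
    if remote_default_gateway:
        routes.append(("0.0.0.0/0", "On-link", VPN_IF))
    else:
        routes.append((str(classful_network(assigned)), "On-link", VPN_IF))
    return routes


def anyconnect_routes(split_include=(), split_exclude=()):
    """AnyConnect route rows: full tunnel unless split-include prefixes are
    pushed; the local LAN route is removed unless 0.0.0.0/32 (the special
    local-LAN value of ipsec:split-exclude) is present."""
    routes = [
        ("0.0.0.0/0", str(LOCAL_GW), LAN_IF),
        (f"{SERVER_PUBLIC}/32", str(LOCAL_GW), LAN_IF),
    ]
    if split_include:
        for net in split_include:
            routes.append((str(ipaddress.ip_network(net)), "On-link", VPN_IF))
        routes.append((str(LOCAL_LAN), "On-link", LAN_IF))
    else:
        routes.append(("0.0.0.0/0", "On-link", VPN_IF))
        if "0.0.0.0/32" in split_exclude:
            routes.append((str(LOCAL_LAN), "On-link", LAN_IF))
    return routes


def tunnelled(routes, dst):
    """Longest-prefix lookup: True when traffic to dst leaves via the VPN."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in ipaddress.ip_network(r[0])]
    if not matches:
        return False
    best = max(matches, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen,
                                       r[2] == VPN_IF))
    return best[2] == VPN_IF
```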
Scenarios & Use Cases
Network Extension
Scenario: HW Client Single Address PAT
Topology: FlexVPN Client (LAN 10.42.1.0/24 on Eth0/1, Eth0/0 towards WAN) --- WAN --- FlexVPN Server (Lo1: 10.0.1.1/32) --- 10.0.0.0/16; assigned IP: 10.0.1.22/32

Client authorization: route set interface
Server authorization: route set interface; route set remote ipv4 10.0.0.0 255.255.0.0

Client routing table (summary prefix reachable through tunnel):
S 10.0.0.0/16 is directly connected, Tunnel0
S 10.0.1.1/32 is directly connected, Tunnel0
C 10.0.1.22/32 is directly connected, Tunnel0
C 10.42.1.0/24 is directly connected, Ethernet0/1
Server routing table (assigned IP address reachable over client VA):
S 10.0.1.22/32 is directly connected, Virtual-Access1

Traffic from LAN to remote VPN networks: PAT to Tunnel0 assigned IP address
Client configuration:
interface Tunnel0
 ip address negotiated
 ip nat outside
!
ip nat inside source route-map vpn interface Tunnel0 overload
!
route-map vpn permit 10
 match interface Tunnel0
Server configuration:
interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1

Works, but not recommended
Case generator clumsy / impractical
Scenario: HW Client, Network Extension

Topology: FlexVPN Client (LAN 10.42.1.0/24 on Eth0/1, WAN on Eth0/0) --- WAN --- FlexVPN Server (Lo1: 10.0.1.1/32, internal network 10.0.0.0/16). Assigned IP: 10.0.1.22/32.

Authorization (client):                              Authorization (server):
  route set interface                                  route set interface
  route set remote ipv4 10.42.1.0 255.255.255.0        route set remote ipv4 10.0.0.0 255.255.0.0

Client: summary prefix reachable through tunnel
  S 10.0.0.0/16 is directly connected, Tunnel0
  S 10.0.1.1/32 is directly connected, Tunnel0
  C 10.0.1.22/32 is directly connected, Tunnel0
  C 10.42.1.0/24 is directly connected, Ethernet0/1

Server: assigned IP address and client LAN reachable over client VA
  C 10.0.1.1/32 is directly connected, Loopback1
  S 10.0.1.22/32 is directly connected, Virtual-Access1
  S 10.42.1.0/24 is directly connected, Virtual-Access1

Client LAN directly reachable over the tunnel
Local/remote addresses & prefixes exchanged using IKEv2 routing (prefix can be redistributed into the IGP)

Client configuration:
  interface Tunnel0
   ip address negotiated
  !
  interface Ethernet0/1
   ip address 10.42.1.1 255.255.255.0

Server configuration:
  interface Loopback1
   ip address 10.0.1.1 255.255.255.255
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback1

Recommended design
Equivalent to NEM+ in Easy VPN
Scenario: HW Client, Dynamic Routing

Topology: FlexVPN Client (LAN 10.42.1.0/24 on Eth0/1, WAN on Eth0/0) --- WAN --- FlexVPN Server (Lo1: 10.0.1.1/32, internal network 10.0.0.0/16). Assigned IP: 10.0.1.22/32.

Authorization (client):                 Authorization (server):
  route set interface                     route set interface

Client: summary prefix learned through the tunnel
  B 10.0.0.0/16 [200/0] via 10.0.1.1 (Tunnel0)
  S 10.0.1.1/32 is directly connected, Tunnel0
  C 10.0.1.22/32 is directly connected, Tunnel0
  C 10.42.1.0/24 is directly connected, Ethernet0/1

Server: assigned IP address reachable over client VA, client LAN learned over it
  S 10.0.1.22/32 is directly connected, Virtual-Access1
  B 10.42.1.0/24 [200/0] via 10.0.1.22 (Virtual-Access1)

Client LAN directly reachable over the tunnel
Addresses for BGP unicast peering exchanged using IKEv2 (prefix can be redistributed into the IGP): route set interface on both sides installs the /32 host routes over the tunnel, which is what lets the iBGP session come up before any prefix is exchanged
Local/remote prefixes exchanged using iBGP
BGP Dynamic Neighbor: the server needs no per-client neighbor statement, any peer sourced from the assigned-address range is accepted

Client configuration:
  router bgp 65100
   neighbor 10.0.1.1 remote-as 65100
   neighbor 10.0.1.1 update-source Tunnel0
   address-family ipv4
    network 10.42.1.0 mask 255.255.255.0
    neighbor 10.0.1.1 activate
   exit-address-family

Server configuration:
  router bgp 65100
   bgp listen range 10.0.1.0/24 peer-group clients
   neighbor clients peer-group
   neighbor clients remote-as 65100
   neighbor clients update-source Loopback1
   address-family ipv4
    network 10.0.0.0 mask 255.255.0.0
    neighbor clients activate
   exit-address-family

Dynamic, flexible & powerful, but closer to Site-to-Site than to Remote Access
Scenarios & Use Cases
Virtualization (VRF)
Virtual Routing & Forwarding

Router maintains separate L3 forwarding information for each VRF instance (RIB, FIB, routing protocols)
Two variants: VRF with MPLS VPN, and VRF-Lite (local significance only)
Each interface on the router belongs to a single VRF
For ip unnumbered, the reference interface must belong to the same VRF
If no VRF is specified, the interface belongs to the global VRF

VRF definition and assignment:

Old CLI: single-protocol VRF (IPv4-only)
  ip vrf red
   rd 1:1
  !
  interface Ethernet0/0
   ip vrf forwarding red
   ...

New CLI: multi-protocol VRF (IPv4/IPv6)
  vrf definition red
   rd 1:1
   address-family ipv4
   exit-address-family
   address-family ipv6
   exit-address-family
  !
  interface Ethernet0/0
   vrf forwarding red
   ...
Tunnels: iVRF & fVRF

Figure: one physical device holding five RIB/FIBs (Blue, Red, Global, Green, Orange). Eth0/0 and Eth0/1 sit in blue, Eth1/1 in red, Eth1/2 in the global VRF, Eth2/1 in green and Eth2/2 in orange. Tun1 lives in iVRF red and its encapsulated packets leave through Eth1/2, i.e. fVRF = global. Tun2 lives in iVRF green and its encapsulated packets leave through Eth2/2 in VRF orange, an explicit fVRF.

Inside VRF (iVRF): the VRF the tunnel interface address resides in (vrf forwarding on the tunnel)
Front-door VRF (fVRF): the VRF of the tunnel source and of the encapsulated packets; defaults to the global VRF, set explicitly with tunnel vrf
The vrf forwarding command is placed before ip address: changing the VRF of an interface clears its IP configuration

  interface Ethernet0/0
   vrf forwarding blue
   ip address 10.0.0.1 255.255.255.0
  !
  interface Ethernet0/1
   vrf forwarding blue
   ip address 10.0.1.1 255.255.255.0
  !
  interface Ethernet1/1
   vrf forwarding red
   ip address 10.1.1.1 255.255.255.0
  !
  interface Ethernet1/2
   ip address 10.1.2.1 255.255.255.0
  !
  ! Tunnel1: iVRF red, fVRF = global VRF (default)
  interface Tunnel1
   vrf forwarding red
   ip address 172.16.1.1 255.255.255.252
   tunnel source Ethernet1/2
  !
  interface Ethernet2/1
   vrf forwarding green
   ip address 10.2.1.1 255.255.255.0
  !
  interface Ethernet2/2
   vrf forwarding orange
   ip address 10.2.2.1 255.255.255.0
  !
  ! Tunnel2: iVRF green, explicit fVRF orange
  interface Tunnel2
   vrf forwarding green
   ip address 172.16.2.1 255.255.255.252
   tunnel vrf orange
   tunnel source Ethernet2/2
VRF Use Case

Requirements:
  Traffic segregation between two departments (Engineering VRF, Finance VRF)
  Single VPN endpoint in the global VRF
  AnyConnect software client
  EAP user authentication

Proposed solution:
  Single IKEv2 profile & V-Template
  Local group authorization
  Interface configuration strings
  EAP solely for authentication (no caching of RADIUS attributes)

Figure: Joe (Engineering) and Tom (Finance) connect over the WAN to Eth0/0 in the global VRF; Joe's V-Access is placed in the Engineering VRF (Eth0/1), Tom's V-Access in the Finance VRF (Eth0/2).
VRF Use Case Configuration

Per-Department Configuration (interface-config attributes are applied to the V-Access during V-Template cloning):
  aaa attribute list Eng
   attribute type interface-config "vrf forwarding Eng"
   attribute type interface-config "ip unnumbered Loopback1"
  !
  aaa attribute list Fin
   attribute type interface-config "vrf forwarding Fin"
   attribute type interface-config "ip unnumbered Loopback101"
  !
  crypto ikev2 authorization policy Eng
   pool Eng
   dns 10.0.1.1
   aaa attribute list Eng
  !
  crypto ikev2 authorization policy Fin
   pool Fin
   dns 10.0.1.101
   aaa attribute list Fin
  !
  interface Loopback1
   vrf forwarding Eng
   ip address 10.0.1.1 255.255.255.255
  !
  interface Loopback101
   vrf forwarding Fin
   ip address 10.0.1.101 255.255.255.255
  !
  ip local pool Eng 10.0.1.10 10.0.1.99
  ip local pool Fin 10.0.1.110 10.0.1.199

Global Configuration (single IKEv2 profile, single AnyConnect profile; authorization based on the username@domain suffix):
  aaa authentication login frad group frad
  aaa authorization network here local
  !
  crypto ikev2 name-mangler dept
   eap suffix delimiter @
  !
  crypto ikev2 profile default
   match identity remote key-id vpn@cisco
   identity local dn
   authentication remote eap query-identity
   authentication local rsa-sig
   pki trustpoint root
   aaa authentication eap frad
   aaa authorization group eap list here name-mangler dept
   virtual-template 1
  !
  no crypto ikev2 http-url cert
  !
  interface Virtual-Template1 type tunnel
   no ip address
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

RADIUS User Database:
  joe@Eng Cleartext-Password := "joe123"
  tom@Fin Cleartext-Password := "tom456"

No attributes required on the AAA server
EAP authenticates username & domain; the domain suffix selects the local authorization policy
Scenarios & Use Cases
Quality of Service
The Need for QoS on VPN

QoS is crucial on VPN links for:
  Sharing network bandwidth
  Marshaling bandwidth usage of applications
  Meeting application latency & speed requirements

The classical greedy spoke problem (figure): Spoke 1 (greedy), Client 2 and Spoke 3 share the Hub behind CE 1.
  Congestion at the hub's crypto engine or WAN link: packets are lost
  Congestion at an interface with a limited downstream rate: packets are lost, AND other spokes/clients are starved (the most common problem)
Server-Side Hierarchical Shaper

Tunnel bandwidth parent policy:
  Each VPN tunnel is given a maximum bandwidth
  A shaper provides the backpressure mechanism
Protected packets are processed by the child policy:
  There would be several policies: bandwidth, LLQ, etc.

Figure: the Hub applies a parent shaper per tunnel (the shaper limits the total bandwidth of a Branch or of an RA Client), and inside it a child policy with different treatments for different traffic classes (BW reservation, Low-Latency Queuing, Fair Queuing).

  class-map control
   match ip precedence 6
  class-map voice
   match ip precedence 5
  ...
  !
  policy-map child-common
   class control
    bandwidth 20
   class voice
    priority percent 60
   ...
  !
  policy-map parent-branch
   class class-default
    shape average 5000000
    service-policy child-common
  !
  policy-map parent-client
   class class-default
    shape average 1000000
    service-policy child-common

The slide's parent policies referenced a child named "inner" while defining "child-common"; the child policy name must match for the nested service-policy to be accepted.
QoS Use Case

Requirements:
  Traffic segregation between departments (Engineering VRF, Finance VRF)
  Single VPN endpoint in the global VRF
  AnyConnect software client
  EAP user authentication
  Per-user QoS policy

Proposed solution:
  Single IKEv2 profile & V-Template
  Interface configuration strings
  Explicit RADIUS group authorization
  Implicit RADIUS user authorization (user attributes cached during EAP)

Figure: Joe (Engineering) and Tom (Finance) connect over the WAN to Eth0/0 in the global VRF; Joe's V-Access is placed in the Engineering VRF (Eth0/1) with a high-bandwidth policy (10 Mbps), Tom's V-Access in the Finance VRF (Eth0/2) with a low-bandwidth policy (5 Mbps).
QoS Use Case Configuration

Per-Department Configuration:
  interface Loopback1
   vrf forwarding Eng
   ip address 10.0.1.1 255.255.255.255
  !
  interface Loopback101
   vrf forwarding Fin
   ip address 10.0.1.101 255.255.255.255
  !
  ip local pool Eng 10.0.1.10 10.0.1.99
  ip local pool Fin 10.0.1.110 10.0.1.199

Global Configuration (group authorization based on the domain; per-user attributes applied from the EAP exchange):
  aaa authentication login frad group frad
  aaa authorization network frad group frad
  !
  crypto ikev2 name-mangler dept
   eap suffix delimiter @
  !
  crypto ikev2 profile default
   match identity remote key-id vpn@cisco
   identity local dn
   authentication remote eap query-identity
   authentication local rsa-sig
   pki trustpoint root
   aaa authentication eap frad
   aaa authorization group eap list frad name-mangler dept
   aaa authorization user eap cached
   virtual-template 1
  !
  no crypto ikev2 http-url cert
  !
  interface Virtual-Template1 type tunnel
   no ip address
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
  !
  policy-map high
   ...

RADIUS User Database (per-user QoS policy on the user entries, department attributes on the group entries):
  joe@Eng Cleartext-Password := "joe123"
      Cisco-AVPair = "ip:interface-config=service-policy output high"

  tom@Fin Cleartext-Password := "tom456"
      Cisco-AVPair = "ip:interface-config=service-policy output low"

  Eng Cleartext-Password := "cisco"
      Cisco-AVPair = "ipsec:addr-pool=Eng",
      Cisco-AVPair += "ipsec:dns-servers=10.0.1.1",
      Cisco-AVPair += "ip:interface-config=vrf forwarding Eng",
      Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"

  Fin Cleartext-Password := "cisco"
      Cisco-AVPair = "ipsec:addr-pool=Fin",
      Cisco-AVPair += "ipsec:dns-servers=10.0.1.101",
      Cisco-AVPair += [...]

All attributes centralized on the AAA server
QoS policies (policy-map high / low) defined locally on the FlexVPN server
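The VRF use case (local attribute lists) and the QoS use case (RADIUS group entries plus cached user attributes) both come down to the same authorization flow on the FlexVPN server: the name-mangler derives the group from the EAP identity suffix, the group attributes are fetched, the user attributes cached during EAP are applied on top, and the resulting interface-config strings are cloned into the Virtual-Access. The following Python is an added model of that flow written for this page; it is not code from the deck or from IOS. It assumes a FreeRADIUS-style users file constructed from the slide entries (the Fin group's elided attributes filled in by analogy with Eng), that the suffix mangler takes the text after the last "@", and that a cached user attribute applied after the group attribute overrides it when both set the same command. It also enforces the rule from the VRF section that the ip unnumbered reference interface must sit in the same VRF as the Virtual-Access, which is the check you want before a mis-attributed user ends up on a half-configured interface.

```python
"""Model of the FlexVPN EAP group + cached-user authorization flow (added example)."""
import re

# Constructed FreeRADIUS-style users file copying the slide's entries; the Fin
# group's "[...]" attributes are filled in by analogy with Eng (assumption).
USERS_FILE = """\
joe@Eng Cleartext-Password := "joe123"
    Cisco-AVPair = "ip:interface-config=service-policy output high"
tom@Fin Cleartext-Password := "tom456"
    Cisco-AVPair = "ip:interface-config=service-policy output low"
Eng Cleartext-Password := "cisco"
    Cisco-AVPair = "ipsec:addr-pool=Eng",
    Cisco-AVPair += "ipsec:dns-servers=10.0.1.1",
    Cisco-AVPair += "ip:interface-config=vrf forwarding Eng",
    Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback1"
Fin Cleartext-Password := "cisco"
    Cisco-AVPair = "ipsec:addr-pool=Fin",
    Cisco-AVPair += "ipsec:dns-servers=10.0.1.101",
    Cisco-AVPair += "ip:interface-config=vrf forwarding Fin",
    Cisco-AVPair += "ip:interface-config=ip unnumbered Loopback101"
"""

# Local state of the FlexVPN server from the per-department configuration:
# loopback -> VRF, and the 'ip local pool' ranges.
LOOPBACK_VRF = {"Loopback1": "Eng", "Loopback101": "Fin"}
LOCAL_POOLS = {"Eng": ("10.0.1.10", "10.0.1.99"), "Fin": ("10.0.1.110", "10.0.1.199")}

ENTRY_RE = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"\s*$')
AVPAIR_RE = re.compile(r'^\s+Cisco-AVPair\s*\+?=\s*"([^"]*)",?\s*$')


class AuthError(Exception):
    """Authentication or authorization failure: the IKEv2 SA must not come up."""


def parse_users(text):
    """Parse a users file into {name: {"password": str, "avpairs": [str]}}."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = users.setdefault(m.group(1), {"password": m.group(2), "avpairs": []})
            continue
        m = AVPAIR_RE.match(line)
        if m and current is not None:
            current["avpairs"].append(m.group(1))
            continue
        raise ValueError(f"unparsable users line: {line!r}")
    return users


def mangle_suffix(identity, delimiter="@"):
    """'eap suffix delimiter @': the group name is the text after the last '@' (assumption)."""
    if delimiter not in identity:
        raise AuthError(f"no {delimiter!r} in EAP identity {identity!r}, no group to authorize")
    return identity.rsplit(delimiter, 1)[1]


def apply_avpairs(avpairs, attrs):
    """Fold Cisco-AVPair strings into attrs; a later value for the same key overrides."""
    for av in avpairs:
        key, _, value = av.partition("=")
        if key == "ipsec:addr-pool":
            attrs["pool"] = value
        elif key == "ipsec:dns-servers":
            attrs["dns"] = value
        elif key == "ip:interface-config":
            # Index by command ('vrf forwarding', 'ip unnumbered', 'service-policy output')
            # so an override replaces the earlier line instead of adding a conflicting one.
            attrs["interface_config"][" ".join(value.split()[:2])] = value
        else:
            raise AuthError(f"unsupported AV pair {av!r}")
    return attrs


def authorize(identity, password, users):
    """EAP authentication, explicit group authorization, then cached user authorization."""
    user = users.get(identity)
    if user is None or user["password"] != password:
        raise AuthError(f"EAP authentication failed for {identity!r}")
    group = mangle_suffix(identity)
    if group not in users:
        raise AuthError(f"no group authorization entry for {group!r}")
    attrs = {"group": group, "pool": None, "dns": None, "interface_config": {}}
    apply_avpairs(users[group]["avpairs"], attrs)  # aaa authorization group eap list ... name-mangler dept
    apply_avpairs(user["avpairs"], attrs)          # aaa authorization user eap cached (user wins, assumption)
    ic = attrs["interface_config"]
    vrf = ic["vrf forwarding"].split()[-1] if "vrf forwarding" in ic else None
    ref = ic["ip unnumbered"].split()[-1] if "ip unnumbered" in ic else None
    # 'ip unnumbered' only works if the reference interface is in the same VRF as the
    # Virtual-Access; reject the session rather than clone a broken interface.
    if ref is not None and LOOPBACK_VRF.get(ref) != vrf:
        raise AuthError(f"{ref} is in VRF {LOOPBACK_VRF.get(ref)!r}, Virtual-Access in {vrf!r}")
    if attrs["pool"] not in LOCAL_POOLS:
        raise AuthError(f"unknown local pool {attrs['pool']!r}")
    attrs["assigned_ip"] = LOCAL_POOLS[attrs["pool"]][0]  # first pool address; leases not modelled
    return attrs


def render_virtual_access(number, attrs):
    """Render the Virtual-Access as cloned from Virtual-Template1 plus the AAA lines.
    'vrf forwarding' is emitted before 'ip unnumbered': IOS clears the IP configuration
    of an interface when its VRF changes."""
    lines = [f"interface Virtual-Access{number}"]
    for cmd in ("vrf forwarding", "ip unnumbered", "service-policy output"):
        if cmd in attrs["interface_config"]:
            lines.append(" " + attrs["interface_config"][cmd])
    lines += [" tunnel mode ipsec ipv4", " tunnel protection ipsec profile default"]
    return "\n".join(lines)


if __name__ == "__main__":
    db = parse_users(USERS_FILE)
    for ident, pw in (("joe@Eng", "joe123"), ("tom@Fin", "tom456")):
        a = authorize(ident, pw, db)
        print(f"{ident}: group={a['group']} pool={a['pool']} dns={a['dns']} ip={a['assigned_ip']}")
        print(render_virtual_access(1, a))
```

Running it prints Joe's Virtual-Access in VRF Eng, unnumbered to Loopback1 with service-policy output high, and Tom's in VRF Fin with the low policy. Feeding it a user entry whose cached attributes point ip unnumbered at a loopback in the other VRF makes authorize() raise instead of cloning the interface, which is the failure the VRF rule on the earlier slide warns about.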
FlexVPN SSL Preview (TENTATIVE: still in development)
FlexVPN SSL Overview

Roadmap (tentative):
  IOS-XE 3.12S / 15.4(2)S: CSR1000v support
  IOS-XE 3.13S / 15.4(3)S: ASR1000 support
Client-based only (AnyConnect, all platforms)
  No support for clientless aka WebVPN
Integrated into the FlexVPN framework
  AAA integration
  Virtual tunnel interfaces
  Smart defaults
  CLI consistency
Initial baseline release, features to be added progressively
  Virtual Hosting, HostScan / Posture, Two-Factor, DTLS, Mixed-Mode / Dual-Stack, ...
FlexVPN SSL CLI (TENTATIVE)

  crypto ssl proposal my-proposal
   protection dhe-rsa-aes256-sha rsa-aes256-sha1
  !
  crypto ssl policy my-policy
   match address local fvrf wan any port 443
   pki trustpoint my-root sign
   ssl proposal my-proposal
   no shutdown
  !
  crypto ssl profile my-profile
   match policy my-policy
   match url fqdn eng-sslvpn.example.com
   authentication remote user-pass
   aaa authentication user-pass list my-radius
   aaa authorization user user-pass cached
   aaa authorization group user-pass list my-radius eng-group
   virtual-template 1
   no shutdown

crypto ssl proposal: cryptographic algorithms and key exchange method
crypto ssl policy: local endpoint matching criteria (address, fVRF, port), SSL server certificate (pki trustpoint), SSL proposal to apply
crypto ssl profile: match on SSL policy; match on URL (FQDN, hostname, path, ...); authentication (certificate, username/password); authorization (cached, user, group); accounting; virtual interface template
Wrapping up...
Call to Action...

Visit the Cisco Campus at the World of Solutions
BRKSEC-3036 Advanced IPsec designs with FlexVPN by Frédéric Detienne
  Friday 11:30am, North Wing Level -1, Green Hall 3
Meet the Engineer
  Alex Honoré, Frédéric Detienne, Olivier Pelerin (TAC EMEA),
  Raffaele Brancaleoni (Advanced Services EMEA),
  Wen Zhang (TAC US), Tom Alexander (TAC GCE)
Discuss your project's challenges at the Technical Solutions Clinics
Attend one of the Lunch Time Table Topics, held in the main Catering Hall
Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014
CL365: visit us online after the event for updated PDFs and on-demand session videos. www.CiscoLiveEU.com
Complete Your Online Session Evaluation

Complete your online session evaluation
Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt