Network Security 2
Module 6 – Configure Remote Access VPN
Learning Objectives
6.1 Introduction to Cisco Easy VPN
6.2 Configure the Easy VPN Server
6.3 Configure Easy VPN Remote for the Cisco VPN Client 4.x
6.4 Configure Cisco Easy VPN Remote for Access Routers
6.5 Configure the PIX Security Appliance as an Easy VPN Server
6.6 Configure a PIX 501 or 506E as an Easy VPN Client
6.7 Configure the Adaptive Security Appliance to Support WebVPN
Module 6 – Configure Remote Access VPN
6.1 Introduction to Cisco EasyVPN
Cisco Easy VPN Components
• The Cisco Easy VPN is made up of two components –
Easy VPN Server – Enables Cisco IOS routers, Cisco PIX Security Appliances, and Cisco VPN 3000 Series Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature.
Easy VPN Remote – Enables Cisco IOS routers, Cisco PIX Security Appliances, and Cisco VPN 3000 Hardware Clients or Software Clients to act as remote VPN Clients.
Remote Access Using Cisco Easy VPN
(Figure: a PC with Easy VPN Remote Client 4.x and Cisco 800, 900 and 1700 routers connect to a Cisco IOS router 12.3(11)T (or later) acting as Easy VPN Server.)
Easy VPN Remote Connection Process
Step 1 – The VPN Client initiates the IKE Phase 1 process.
Step 2 – The VPN Client establishes an ISAKMP SA.
Step 3 – The Easy VPN Server accepts the SA proposal.
Step 4 – The Easy VPN Server initiates a username/password challenge.
Step 5 – The mode configuration process is initiated.
Step 6 – The RRI process is initiated.
Step 7 – IPSec quick mode completes the connection.
Step 1 – The VPN Client Initiates the IKE Phase 1 Process
(Figure: Remote PC with Easy VPN Remote Client 4.x initiating IKE Phase 1 to the Cisco IOS router 12.3(11)T Easy VPN Server.)
Using pre-shared keys? Initiate aggressive mode (AM).
Using digital certificates? Initiate main mode (MM).
Step 2 – The VPN Client Establishes an ISAKMP SA
(Figure: Remote PC with Easy VPN Remote Client 4.x sends proposal 1, proposal 2, proposal 3 to the Cisco IOS router 12.3(11)T Easy VPN Server.)
The VPN Client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server.
To reduce manual configuration on the VPN Client, these ISAKMP proposals include several combinations of the following –
Encryption and hash algorithms
Authentication methods
Diffie-Hellman group sizes
Step 3 – The Easy VPN Server Accepts the SA Proposal
The Easy VPN Server searches for a match –
The first proposal to match the server’s list is accepted (highest-priority match).
The most secure proposals are always listed at the top of the Easy VPN Server’s proposal list (highest priority).
ISAKMP SA is successfully established.
Device authentication ends and user authentication begins.
(Figure: proposal checking on the Cisco IOS router 12.3(11)T Easy VPN Server finds a match on proposal 1 sent by the Remote PC with Easy VPN Remote Client 4.x.)
Step 4 – Username/Password Challenge
(Figure: the Cisco IOS router 12.3(11)T Easy VPN Server sends a username/password challenge to the Remote PC with Easy VPN Remote Client 4.x; the returned username/password goes through AAA checking.)
If the Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge –
The user enters a username/password combination.
The username/password information is checked against authentication entities using AAA.
All Easy VPN Servers should be configured to enforce user authentication.
Step 5 – The Mode Configuration Process Is Initiated
If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server –
Mode configuration starts.
The remaining system parameters, such as IP address, DNS, and split tunneling information, are downloaded to the VPN Client.
Remember that the IP address is the only required parameter in a group profile. All other parameters are optional.
(Figure: the Remote PC with Easy VPN Remote Client 4.x requests parameters; the Cisco IOS router 12.3(11)T Easy VPN Server returns the system parameters via mode config.)
Step 6 – The RRI Process Is Initiated
(Figure: RRI on the Cisco IOS router 12.3(11)T Easy VPN Server creates a static route for the Remote PC with Easy VPN Remote Client 4.x at the far end of the VPN tunnel.)
After the Easy VPN Server knows the VPN Client’s assigned IP address, it must determine how to route packets through the appropriate VPN tunnel –
RRI creates a static route on the Easy VPN Server for each VPN Client’s internal IP address.
RRI must be enabled on the crypto maps supporting VPN Clients.
RRI need not be enabled on a crypto map applied to a GRE tunnel that is already being used to distribute routing information.
Step 7 – IPSec Quick Mode Completes the Connection
(Figure: quick mode between the Remote PC with Easy VPN Remote Client 4.x and the Cisco IOS router 12.3(11)T Easy VPN Server establishes the IPSec SA and brings up the VPN tunnel.)
After the configuration parameters have been successfully received by the VPN Client, ISAKMP quick mode is initiated to negotiate IPSec SA establishment.
After IPSec SA establishment, the VPN connection is complete.
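Steps 1 to 3 above, modelled as an added Python example that is not Cisco code and not part of the original module: the server walks its policies in priority order and accepts the first one the client also proposed, and a small defender check lists which server policies would still admit weak settings. The policy and proposal contents are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpProposal:
    """One ISAKMP policy on the server or one proposal offered by the client."""
    encryption: str      # "des", "3des", "aes-128", "aes-256"
    hash_alg: str        # "sha" or "md5"
    authentication: str  # "pre-share" or "rsa-sig"
    group: int           # Diffie-Hellman group number


def ike_phase1_mode(proposal):
    """Step 1: pre-shared keys start aggressive mode, certificates start main mode."""
    return "aggressive" if proposal.authentication == "pre-share" else "main"


def select_proposal(server_policies, client_proposals):
    """Step 3: walk the server's policies from highest priority (lowest number)
    and accept the first one the client also offered.  Returns (priority,
    policy), or None when no ISAKMP SA can be formed."""
    offered = set(client_proposals)
    for priority in sorted(server_policies):
        if server_policies[priority] in offered:
            return priority, server_policies[priority]
    return None


def weak_policies(server_policies):
    """Defender check: priorities whose policy still accepts DES, MD5 or DH group 1."""
    return sorted(prio for prio, pol in server_policies.items()
                  if pol.encryption == "des" or pol.hash_alg == "md5" or pol.group == 1)


# Constructed server policy list, strongest first, as the module recommends.
SERVER_POLICIES = {
    1: IsakmpProposal("aes-256", "sha", "pre-share", 5),
    3: IsakmpProposal("3des", "sha", "pre-share", 2),
    10: IsakmpProposal("des", "md5", "pre-share", 1),
}

# Constructed set of proposals a VPN Client-style initiator might send.
CLIENT_PROPOSALS = [
    IsakmpProposal("3des", "md5", "pre-share", 2),
    IsakmpProposal("3des", "sha", "pre-share", 2),
    IsakmpProposal("des", "md5", "pre-share", 1),
]

if __name__ == "__main__":
    chosen = select_proposal(SERVER_POLICIES, CLIENT_PROPOSALS)
    print("accepted:", chosen, "phase 1 mode:", ike_phase1_mode(chosen[1]))
    print("server policies that still allow weak settings:", weak_policies(SERVER_POLICIES))
```

Running it shows why the module puts the strongest policies first: the client's weaker MD5 proposal is skipped because the server reaches its 3DES/SHA policy first, while the DES policy at priority 10 is what would let a DES-only client in.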
Module 6 – Configure Remote Access VPN
6.2 Configure the EasyVPN Server
Easy VPN Server General Configuration Tasks
• The following general tasks are used to configure Easy VPN Server on a Cisco router –
Task 1 – Create IP address pool.
Task 2 – Configure group policy lookup.
Task 3 – Create ISAKMP policy for remote VPN Client access.
Task 4 – Define group policy for mode configuration push.
Task 5 – Create a transform set.
Task 6 – Create a dynamic crypto map with RRI.
Task 7 – Apply mode configuration to the dynamic crypto map.
Task 8 – Apply the crypto map to the router interface.
Task 9 – Enable IKE DPD.
Task 10 – Configure XAUTH.
Task 11 – (Optional) Enable XAUTH save password feature.
Task 1 – Create IP Address Pool
(Figure: pool REMOTE-POOL, 10.0.1.100 to 10.0.1.150, on vpngate1 for the remote client.)
router(config)#
ip local pool {default | pool-name low-ip-address [high-ip-address]}
vpngate1(config)# ip local pool REMOTE-POOL 10.0.1.100 10.0.1.150
Creating a local address pool is optional if an external DHCP server is in use on the network.
Task 2 – Configure Group Policy Lookup
(Figure: vpngate1 looks up group VPN-REMOTE-ACCESS for the remote client.)
router(config)#
aaa new-model
router(config)#
aaa authorization network list-name local [method1 [method2…]]
vpngate1(config)# aaa new-model
vpngate1(config)# aaa authorization network
Task 3 – Create ISAKMP Policy for Remote VPN Client Access
(Figure: policy 1 on vpngate1 – Authen: Preshared keys; Encryption: 3-DES; Diffie-Hellman: Group 2; Other settings: Default.)
vpngate1(config)# crypto isakmp enable
vpngate1(config)# crypto isakmp policy 1
vpngate1(config-isakmp)# authen pre-share
vpngate1(config-isakmp)# encryption 3des
vpngate1(config-isakmp)# group 2
vpngate1(config-isakmp)# exit
Task 4 – Define Group Policy for Mode Configuration Push
• Task 4 contains the following steps –
Step 1 – Add the group profile to be defined.
Step 2 – Configure the ISAKMP pre-shared key.
Step 3 – Specify the DNS servers.
Step 4 – Specify the WINS servers.
Step 5 – Specify the DNS domain.
Step 6 – Specify the local IP address pool.
Task 4-Step 1 – Add the Group Profile to Be Defined
(Figure: group VPN-REMOTE-ACCESS on vpngate1 – Key: MYVPNKEY; DNS: DNS1 and DNS2; WINS: WINS1 and WINS2; Domain: cisco.com; Pool name: REMOTE-POOL; Pool: 10.0.1.100 to 10.0.1.150.)
router(config)#
crypto isakmp client configuration group {group-name | default}
vpngate1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS
Task 4-Step 2 – Configure the IKE Pre-Shared Key
(Figure: same group profile VPN-REMOTE-ACCESS on vpngate1 – Key: MYVPNKEY.)
router(config-isakmp-group)#
key name
Task 4-Step 3 – Specify the DNS Servers
(Figure: same group profile VPN-REMOTE-ACCESS on vpngate1 – DNS: DNS1 and DNS2.)
router(config-isakmp-group)#
dns primary-server secondary-server
vpngate1(config-isakmp-group)# dns DNS1 DNS2
vpngate1(config-isakmp-group)# dns
Task 4-Step 4 – Specify the WINS Servers
(Figure: same group profile VPN-REMOTE-ACCESS on vpngate1 – WINS: WINS1 and WINS2.)
router(config-isakmp-group)#
wins primary-server secondary-server
vpngate1(config-isakmp-group)# wins WINS1 WINS2
Task 4-Step 5 – Specify the DNS Domain
(Figure: same group profile VPN-REMOTE-ACCESS on vpngate1 – Domain: cisco.com.)
router(config-isakmp-group)#
domain name
vpngate1(config-isakmp-group)# domain cisco.com
Task 4-Step 6 – Specify the Local IP Address Pool
(Figure: same group profile VPN-REMOTE-ACCESS on vpngate1 – Pool name: REMOTE-POOL; Pool: 10.0.1.100 to 10.0.1.150.)
router(config-isakmp-group)#
pool name
vpngate1(config-isakmp-group)# pool REMOTE-POOL
Task 5 – Create Transform Set
(Figure: transform set VPNTRANSFORM on vpngate1 for the remote client.)
router(config)#
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
vpngate1(config)# crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
vpngate1(cfg-crypto-trans)# exit
Task 6 – Create a Dynamic Crypto Map with RRI
• Task 6 contains the following steps –
Step 1 – Create a dynamic crypto map.
Step 2 – Assign a transform set.
Step 3 – Enable RRI.
Task 6-Step 1 – Create a Dynamic Crypto Map
(Figure: dynamic crypto map DYNMAP, sequence number 1, on vpngate1.)
router(config)#
crypto dynamic-map dynamic-map-name dynamic-seq-num
vpngate1(config)# crypto dynamic-map DYNMAP 1
vpngate1(config-crypto-map)#
Task 6-Step 2 – Assign Transform Set to Dynamic Crypto Map
(Figure: transform set VPNTRANSFORM on vpngate1.)
router(config-crypto-map)#
set transform-set transform-set-name [transform-set-name2…transform-set-name6]
vpngate1(config-crypto-map)# set transform-set VPNTRANSFORM
Task 6-Step 3 – Enable RRI
(Figure: RRI on vpngate1 announces a route for the remote client address 10.0.1.100, reached through the tunnel, to the inside network and its file server.)
router(config-crypto-map)#
reverse-route
vpngate1(config-crypto-map)# reverse-route
Task 7 – Apply Mode Configuration to Crypto Map
• Task 7 contains the following steps –
Step 1 – Configure the router to respond to mode configuration requests.
Step 2 – Enable IKE querying for a group policy.
Step 3 – Apply the dynamic crypto map to the crypto map.
Task 7-Step 1 – Configure Router to Respond to Mode Configuration Requests
router(config)#
crypto map map-name client configuration address {initiate | respond}
vpngate1(config)# crypto map CLIENTMAP client configuration address respond
Task 7-Step 2 – Enable ISAKMP Querying for Group Policy
(Figure: vpngate1 queries group VPN-REMOTE-ACCESS for the remote client.)
router(config)#
crypto map map-name isakmp authorization list list-name
vpngate1(config)# crypto map CLIENTMAP isakmp
Task 7-Step 3 – Apply Dynamic Crypto Map to the Crypto Map
(Figure: crypto map CLIENTMAP, sequence number 65535, on vpngate1.)
router(config)#
crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
vpngate1(config)# crypto map CLIENTMAP 65535
Task 8 – Apply the Crypto Map to Router Outside Interface
(Figure: crypto map CLIENTMAP applied to interface e0/1 of vpngate1, facing the remote client.)
vpngate1(config)# interface ethernet0/1
vpngate1(config-if)# crypto map CLIENTMAP
vpngate1(config-if)# exit
Task 9 – Enable ISAKMP DPD
(Figure: vpngate1 and the remote client exchange keepalives – 1) DPD send – Are you there? 2) DPD reply – Yes, I am here.)
router(config)#
crypto isakmp keepalive secs retries
vpngate1(config)# crypto isakmp keepalive 20 10
Task 10 – Configure XAUTH
• Task 10 contains the following steps –
Step 1 – Enable AAA login authentication.
Step 2 – Set the XAUTH timeout value.
Step 3 – Enable ISAKMP XAUTH for the dynamic crypto map.
Task 10, Step 1 – Enable AAA Login Authentication
(Figure: VPN user group VPNUSERS on vpngate1 for the remote client.)
router(config)#
aaa authentication login list-name method1 [method2…]
vpngate1(config)# aaa authentication login VPNUSERS local
Task 10, Step 2 – Set XAUTH Timeout Value
(Figure: XAUTH timeout of 20 seconds on vpngate1 for VPN user group VPNUSERS.)
router(config)#
crypto isakmp xauth timeout seconds
vpngate1(config)# crypto isakmp xauth timeout 20
Task 10, Step 3 – Enable ISAKMP XAUTH for Crypto Map
(Figure: crypto map CLIENTMAP on vpngate1 with VPN user group VPNUSERS.)
router(config)#
crypto map map-name client authentication list list-name
vpngate1(config)# crypto map CLIENTMAP client
Task 11 – (Optional) Enable XAUTH Save Password
(Figure: group VPN-REMOTE-ACCESS on vpngate1 for the remote client.)
router(config-isakmp-group)#
save-password
vpngate1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS
vpngate1(config-isakmp-group)# save-password
• This step could have been completed in Step 1 of Task 4.
Easy VPN Server Configuration Example
version 12.3
hostname Router1
!
aaa new-model
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local
ip domain-name cisco.com
ip dhcp excluded-address 10.0.1.1 10.0.1.12
!
ip dhcp pool POD1_INSIDE
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
!
ip local pool IPPOOL 11.0.1.20 11.0.1.30
crypto isakmp client configuration group SALES
 key cisco123
 domain cisco.com
 pool IPPOOL
 save-password
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set MYSET
 reverse-route
!
crypto map CLIENTMAP client authentication list VPNAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
interface FastEthernet 0/1
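The Easy VPN Server tasks above can be checked mechanically against a running configuration. The following Python audit is an added example, not Cisco tooling and not part of the module: it parses IOS-style configuration text (a constructed sample modelled on the example above, with the interface binding filled in) and reports weak ISAKMP policy settings, a save-password group, and any dynamic-map crypto map that lacks XAUTH, group authorization, a mode-config response, RRI or an interface binding.

```python
import re
# Constructed sample modelled on the module's server example (interface stanza
# added so the crypto-map binding can be checked); not a real device's config.
SAMPLE_CONFIG = """\
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group SALES
 key cisco123
 save-password
crypto dynamic-map DYNMAP 10
 reverse-route
crypto map CLIENTMAP client authentication list VPNAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/1
 crypto map CLIENTMAP
"""

def parse_blocks(config):
    """Map each top-level IOS command to the indented lines beneath it."""
    blocks, parent = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and parent is not None:
            blocks[parent].append(line.strip())
        elif line.strip():
            parent = line.strip()
            blocks[parent] = []
    return blocks

def audit_easy_vpn_server(config):
    """Return the list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    findings = []
    for cmd, body in blocks.items():
        if cmd.startswith("crypto isakmp policy"):
            # IOS falls back to DES when the policy has no encryption line.
            enc = next((ln.split()[1] for ln in body if ln.startswith("encryption")), "des")
            if enc == "des":
                findings.append(f"{cmd}: DES encryption (IOS default) is weak (Task 3)")
            if "hash md5" in body:
                findings.append(f"{cmd}: MD5 hash is weak (Task 3)")
        if cmd.startswith("crypto isakmp client configuration group") and "save-password" in body:
            findings.append(f"{cmd}: save-password keeps XAUTH credentials on the client (Task 11)")
    # A crypto map carrying a dynamic map needs XAUTH, group authorization,
    # mode-config respond, RRI on the dynamic map and an interface binding.
    for cmd in blocks:
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", cmd)
        if not m:
            continue
        cmap, dyn = m.groups()
        required = {"client authentication list": "XAUTH not enforced (Task 10)",
                    "isakmp authorization list": "group policy lookup missing (Task 7)",
                    "client configuration address respond": "mode config respond missing (Task 7)"}
        for option, message in required.items():
            if not any(c.startswith(f"crypto map {cmap} {option}") for c in blocks):
                findings.append(f"crypto map {cmap}: {message}")
        if not any("reverse-route" in b for c, b in blocks.items() if c.startswith(f"crypto dynamic-map {dyn} ")):
            findings.append(f"crypto dynamic-map {dyn}: reverse-route missing (Task 6)")
        if not any(f"crypto map {cmap}" in b for c, b in blocks.items() if c.startswith("interface")):
            findings.append(f"crypto map {cmap}: not applied to any interface (Task 8)")
    return findings
```

On the sample the crypto-map wiring passes, and the three findings are the DES default, the MD5 hash and the save-password setting, which matches the example configuration above.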
Task 12 – Verify
router#
show crypto map [interface interface | tag map-name]
Router# show crypto map interface ethernet 0
• Displays crypto map configuration.
router#
show run
Router# show run
• Displays running configuration.
Module 6 – Configure Remote Access VPN
6.3 Configure Easy VPN Remote for the Cisco VPN Client 4.x
Configuring Easy VPN Remote for the Cisco VPN Client 4.x – General Tasks
Task 1 – Install Cisco VPN Client 4.x.
Task 2 – Create a new client connection entry.
Task 3 – Choose an authentication method.
Task 4 – Configure transparent tunneling.
Task 5 – Enable and add backup servers.
Task 6 – Configure connection to the Internet through dial-up networking.
Task 1 – Install Cisco VPN Client 4.x
(Screenshot: error message.)
Task 2 – Create a New Client Connection Entry
Task 3 – Configure Client Authentication Properties
Task 4 – Configure Transparent Tunneling
Task 5 – Enable and Add Backup Servers
Task 6 – Configure Connection to the Internet through Dial-up Networking
Module 6 – Configure Remote Access VPN
6.4 Configure Cisco Easy VPN Remote for Access Routers
Easy VPN Remote Client Mode
(Figure: Cisco 831 router (Easy VPN Remote) and Cisco router (Easy VPN Server) 12.3(11)T joined by a VPN tunnel; addresses shown: 10.0.0.2, 10.0.0.3, 10.0.0.4 and 192.168.100.X.)
Easy VPN Remote Network Extension Mode
(Figure: Cisco 831 (Easy VPN Remote) and Cisco router (Easy VPN Server) 12.3(11)T joined by a VPN tunnel; addresses shown: 172.16.10.5, 172.16.10.6, .4 and 172.16.X.X.)
Easy VPN Remote Configuration General Tasks for Access Routers
Task 1 – (Optional) Configure the DHCP server pool.
Task 2 – Configure and assign the Cisco Easy VPN client profile.
Task 3 – (Optional) Configure XAUTH password save.
Task 4 – Initiate the VPN tunnel.
Task 5 – Verify the Cisco Easy VPN configuration.
Task 1 – Configure the DHCP Server Pool
router(config)#
ip dhcp pool pool-name
router(dhcp-config)#
network ip-address [mask | /prefix-length]
default-router address [address2 ... addressN]
import all
lease {days [hours] [minutes] | infinite}
exit
router(config)#
Task 1 Example – DHCP Server Pool
(Figure: VPNREMOTE1 with inside network 10.10.10.0 (.1) and VPNGATE1 with inside network 30.30.30.0 (.1), connected across 20.20.20.0 with VPNREMOTE1 at .1 and VPNGATE1 at .2.)
vpnRemote1(config)# ip dhcp pool CLIENT
vpnRemote1(dhcp-config)# network 10.10.10.0 255.255.255.0
vpnRemote1(dhcp-config)# default-router 10.10.10.1
vpnRemote1(dhcp-config)# import all
vpnRemote1(dhcp-config)# lease 3
Task 2 – Configure the Cisco Easy VPN Client Profile
router(config)#
crypto ipsec client ezvpn name
router(config-crypto-ezvpn)#
group group-name key group-key
peer [ip-address | hostname]
mode {client | network-extension | network-plus}
exit
Task 2 Example – Configure the Cisco Easy VPN Client Profile
(Figure: VPNREMOTE1 (inside 10.10.10.0, outside 20.20.20.1) to VPNGATE1 (20.20.20.2, inside 30.30.30.0) – Group: VPN-REMOTE-ACCESS; Peer: 20.20.20.2; Key: MYVPNKEY; Mode: Client.)
vpnRemote1(config)# crypto ipsec client ezvpn VPNGATE1
vpnRemote1(config-crypto-ezvpn)# group VPNREMOTE1 key MYVPNKEY
vpnRemote1(config-crypto-ezvpn)# peer 20.20.20.2
vpnRemote1(config-crypto-ezvpn)# mode client
vpnRemote1(config-crypto-ezvpn)# exit
Task 2 Example – Assign Easy VPN Remote to the Interface
(Figure: profile VPNGATE1 bound to the interface of VPNREMOTE1 that faces 20.20.20.0 and VPNGATE1.)
router(config-if)#
crypto ipsec client ezvpn name [inside | outside]
vpnRemote1(config)# interface ethernet1
vpnRemote1(config-if)# crypto ipsec client ezvpn VPNGATE1
vpnRemote1(config-if)# exit
Task 3 – (Optional) Configure XAUTH Save Password Feature
router(config)#
crypto ipsec client ezvpn name
router(config-crypto-ezvpn)#
username aaa-username password aaa-password
vpnRemote1(config)# crypto ipsec client ezvpn VPNGATE1
vpnRemote1(config-crypto-ezvpn)# username VPNUSER password VPNPASS
vpnRemote1(config-crypto-ezvpn)# exit
Task 4 – (Optional) Initiate the VPN Tunnel (XAUTH)
Cisco IOS message: Waiting for valid XAUTH username and password.
01:34:42: EZVPN: Pending XAuth Request, Please enter the following command:
01:34:42: EZVPN: crypto ipsec client ezvpn xauth
router#
crypto ipsec client ezvpn xauth
vpnRemote1# crypto ipsec client ezvpn xauth
Enter Username and Password: vpnusers
Password: ********
• With XAUTH: When the SA expires, the username and password must be manually entered.
• With XAUTH Password Save enabled: When the SA expires, the last valid username and
Task 5 – Verify the Cisco Easy VPN Configuration
vpnRemote1# show crypto ipsec client ezvpn
Easy VPN Remote Phase: 2
Tunnel name : VPNGATE1
Inside interface list: Ethernet0,
Outside interface: Ethernet1
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 30.30.30.24
Mask: 255.255.255.255
DNS Primary: 30.30.30.10
DNS Secondary: 30.30.30.11
NBMS/WINS Primary: 30.30.30.12
Easy VPN Remote Configuration Example
version 12.2
hostname VPNREMOTE1
!
username admin privilege 15 password 7 070E25414707485744
ip subnet-zero
ip domain-name cisco.com
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 lease 3
!
crypto ipsec client ezvpn VPNGATE1
 connect auto
 group VPNREMOTE1 key 0 MYVPNKEY
 mode client
 peer 20.20.20.2
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 crypto ipsec client ezvpn VPNGATE1 inside
!
interface Ethernet1
 ip address 20.20.20.1 255.255.255.0
 crypto ipsec client ezvpn VPNGATE1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 30.30.30.0 255.255.255.0 Ethernet1
ip http server
no ip http secure-server
!
line con 0
 no modem enable
 stopbits 1
line aux 0
Module 6 – Configure Remote Access VPN
6.5 Configure the PIX Security Appliance as an Easy VPN Server
EasyVPN Server General Configuration Tasks
• Task 1 – Create an ISAKMP policy for remote Cisco VPN Client access.
• Task 2 – Create an IP address pool.
• Task 3 – Define a group policy for a mode configuration push.
• Task 4 – Create a transform set.
• Task 5 – Create a dynamic crypto map.
• Task 6 – Assign a dynamic crypto map to a static crypto map.
• Task 7 – Apply a dynamic crypto map to the PIX Security Appliance interface.
• Task 8 – Configure XAUTH.
• Task 9 – Configure NAT and NAT 0.
• Task 10 – Enable IKE dead peer detection (DPD).
Create ISAKMP Policy
Create IP Address Pool
Define Group Policy for Mode Configuration Push
• Step 1 Set the Tunnel Group Type
• Step 2 Configure the IKE Pre-shared Key
• Step 3 Specify the Local IP Address Pool
• Step 4 Configure the Group Policy Type
• Step 5 Enter the Group Policy Attributes Submode
• Step 6 Specify the DNS Servers
• Step 7 Specify the WINS Servers
• Step 8 Specify the DNS Domain
• Step 9 Specify the Idle Timeout
Set Tunnel Group Type
Configure IKE Pre-Shared Key
Specify Local IP Address Pool
Configure the Group Policy Type
Enter the Group Policy Attributes Submode
Specify DNS Servers
Specify WINS Servers
Specify DNS Domain
Specify Idle Time
Create Transform Set
Create Dynamic Crypto Map
Assign Dynamic Crypto Map to Static Crypto Map
Apply Dynamic Crypto Map
Configure XAUTH
• Step 1 Enable AAA login authentication.
• Step 2 Define AAA server IP address and encryption key.
• Step 3 Enable IKE XAUTH for the crypto map.
Configure NAT and NAT 0
Enable IKE DPD
Module 6 – Configure Remote Access VPN
6.6 Configure a PIX 501 or 506E as an Easy VPN Client
PIX Easy VPN Remote
Easy VPN Remote Client Configuration
Easy VPN Client Device Mode
Module 6 – Configure Remote Access VPN
6.7 Configure the Adaptive Security Appliance to Support WebVPN