Cisco IOS Easy VPN server (Remote access vpn)

Acknowledgement

I would like to thank Mr. Richard Deal in this post. Mr. Deal is able to describe complex cisco security technology into easy to understand and easy to digest manner. I have not met Mr. Deal in person nor does he know who I am, but through his books I have learned a great deal about Cisco security technologies. I would also like to thank Cisco for releasing its manual to the public, this enables me to understand Cisco’s security product, what benefits me the most is its publication of case studies.

Authentication, Authorization and Accounting (AAA)

For easy vpn server configuration only authentication and authorization are used. Authentication is to identify the user and authorization is to limit what a user can and cannot do.

To enable AAA in Cisco router use aaa new-model, enable aaa is just the start, a word of caution is never saved the configuration to the nvram and reboot the router or power off the router without configuring authentication, if you do this you will be locked out of the router.


ezvpn(config)#aaa authentication login ?
  WORD     Named authentication list (max 31 characters, longer will be
           rejected).
  default  The default authentication list.

Give an arbitrary name of not more than 31 characters to the aaa authentication list.

ezvpn(config)#aaa authentication login example1 ?
  cache          Use Cached-group
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V
                 Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

Assign which type of authentication you wish to attach to this list, local is to use local username and password list configured in your Cisco router, group is to use external authentication server such as tacacs+, radius and ldap. For easy vpn server the only external authentication method supported is radius.

ezvpn(config)#aaa authentication login example1 group ?
  WORD     Server-group name
  ldap     Use list of all LDAP hosts.
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

The purpose of AAA implementation is to allow security administrator to have more granularity to assign user into groups and assign what the users in the group can and cannot do and finally to add accountability of users within the group.

ezvpn(config)#username user1 secret user123
ezvpn(config)#username user2 secret whoareyou123

Configure username and password for local. If local is assigned to your aaa authentication list make sure these are configured.


ezvpn(config)#aaa authorization network example1 ?
  cache             Use Cached-group
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  local             Use local database.
  none              No authorization (always succeeds).

ezvpn(config)#aaa authorization network example1 group ?
  WORD     Server-group name
  ldap     Use list of all LDAP hosts.
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

aaa authorization network is used defined the expected remote access vpn users defined in authentication group i.e. either group defined external radius server or group of users defined in the router locally. This authorization group list will be used in crypto map .... isakmp authorization list command.

Finished AAA configuration block

ezvpn(config)#aaa new-model
ezvpn(config)#username cyrus secret cyrus123
ezvpn(config)#username cisco secret cisco123
ezvpn(config)#aaa authentication login vpnclient local
ezvpn(config)#aaa authorization network vpngroup local

The passwords are weak, it is common sense not to use these passwords 🙂 Just a side note, John the ripper with word mangling rule can break this quickly however brute forcing passwords is loud I doubt seasoned hacker will want to do this.

Define local group for vpn client
Define local group in Cisco router is only necessary if local is chosen for aaa authentication and authorization list.

Create an IP pool list for dynamically assign IP address to authenticated vpn client use ip local pool command. Then attach the ip local pool list to isakmp client configuration. If no explicit pool is specified for the vpn client group this address-pool will be used as the default ip address pool.

ezvpn(config)#ip local pool vpnpool-default 192.168.1.200 192.168.1.210
ezvpn(config)#crypto isakmp client configuration address-pool local vpnpool-default
ezvpn(config)#ip local pool vpnpool 192.168.1.100 192.168.1.150

vpnpool-default will be used for vpn client if no explicit ip address pool is defined for the vpn client group.
Create isakmp configuration group for vpn client. Give an arbitrary name to the group too.

ezvpn(config)#crypto isakmp client configuration group vpnusers
ezvpn(config-isakmp-group)#key cisco
ezvpn(config-isakmp-group)#pool vpnpool
ezvpn(config-isakmp-group)#domain cyruslab.local
ezvpn(config-isakmp-group)#max-logins 2
ezvpn(config-isakmp-group)#include-local-lan
ezvpn(config-isakmp-group)#exit
ezvpn(config)#

key is the pre-share key used, again it is common sense not to use weak key 🙂
pool is the explicit defined address pool usable by vpnusers group. include-local-lan allows vpn client to access private lan resources in plain text and whichever traffic to easy vpn server is encrypted, this command keyword must be used if no split tunneling is configured, if this command keyword is omitted then your non-split-tunneled authenticated vpn client cannot access anything in private LAN.

Reference: http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_i1gt.html#wp1183760

If you have an external radius server you can save a lot of work, you only need to define user groups in the radius server.

IKE phase 1 proposal


ezvpn(config)#crypto isakmp policy 5
ezvpn(config-isakmp)#hash sha256
ezvpn(config-isakmp)#encryption aes 128
ezvpn(config-isakmp)#lifetime 3200
ezvpn(config-isakmp)#group 2
ezvpn(config-isakmp)#authentication pre-share

This is the IKE phase 1 proposal which the vpn client and the server must agree on to start phase 1. lifetime can be mismatched, the lower lifetime will be taken into account, however the DH group type, hash algorithm, encryption algorithm and authentication must match. The default authentication method is to use certificate X.502. crypto isakmp policy 5, 5 is the priority number the lower the preferred, when you have configured a lot of IKE phase 1 proposals the router will find from the lowest priority number until the router can find a matching proposal.


ezvpn(config)#crypto isakmp keepalive 30 5

30 is the interval between keepalives, 5 is the interval of retries between each failed keepalives.

IKE phase 2 (IPSec) proposal

ezvpn(config)#crypto ipsec transform-set client-encryption esp-aes 128 esp-sha256-hmac
ezvpn(cfg-crypto-trans)#exit

transform-set is the encryption method for IKE phase 2. HMAC is produced by hashing an encrypted payload with a digest (hash product) attached.

Dynamic crypto map entry
Remote access vpn is an on-demand vpn connection, hence the easy vpn server does not know the ip address of inbound vpn client, which is why dynamic crypto map entry is needed to establish a session.

ezvpn(config)#crypto dynamic-map inbound-vpn 10
ezvpn(config-crypto-map)#set transform-set client-encryption
ezvpn(config-crypto-map)#exit

The transform-set is associated with this dynamic map, the number 10 is the sequence number to insert the entry. There are many options available for dynamic map, however the only one needed is the transform-set.

Static crypto map entry

ezvpn(config)#crypto map vpnmap client authentication list vpnclient
ezvpn(config)#crypto map vpnmap isakmp authorization list vpngroup
ezvpn(config)#crypto map vpnmap client configuration address respond

This static vpnmap map is to associate the authentication list and the authorization group configured earlier. Also to state whether Easy VPN server should respond or initiate the IKE configuration. Cisco VPN software and Easy VPN client initiate IKE configuration, but Microsoft L2TP/IPsec clients respond to IKE configuration, hence if a mixture of these vpn clients are expected to connect to Easy VPN server then you will need to add another entry to initiate like this crypto map vpnmap client configuration address initiate.

IP parameters

ezvpn(config)#in fa0/0
ezvpn(config-if)#ip address 192.168.1.1 255.255.255.0
ezvpn(config-if)#description Pte LAN behind Easy VPN server
ezvpn(config-if)#no shut
ezvpn(config-if)#exit
ezvpn(config)#int fa0/1
ezvpn(config-if)#ip address 155.1.80.1 255.255.255.0
ezvpn(config-if)#no shut
ezvpn(config-if)#description Int facing public network, inbound vpn terminates here
ezvpn(config-if)#crypto map vpnmap
ezvpn(config-if)#exit

You should apply the static crypto map to the interface expecting an inbound vpn client connection.

The entire Easy VPN server configuration

ezvpn(config)#aaa new-model
ezvpn(config)#username cyrus secret cyrus123
ezvpn(config)#username cisco secret cisco123
ezvpn(config)#aaa authentication login vpnclient local
ezvpn(config)#aaa authorization network vpngroup local

ezvpn(config)#crypto isakmp policy 5
ezvpn(config-isakmp)#hash sha256
ezvpn(config-isakmp)#encryption aes 128
ezvpn(config-isakmp)#lifetime 3200
ezvpn(config-isakmp)#group 2
ezvpn(config-isakmp)#authentication pre-share

ezvpn(config)#crypto isakmp keepalive 30 5

ezvpn(config)#ip local pool vpnpool 192.168.1.100 192.168.1.150
ezvpn(config)#crypto isakmp client configuration group vpnusers
ezvpn(config-isakmp-group)#key cisco
ezvpn(config-isakmp-group)#pool vpnpool
ezvpn(config-isakmp-group)#domain cyruslab.local
ezvpn(config-isakmp-group)#max-logins 2
ezvpn(config-isakmp-group)#include-local-lan
ezvpn(config-isakmp-group)#exit
ezvpn(config)#

ezvpn(config)#crypto ipsec transform-set client-encryption esp-aes 128 esp-sha256-hmac
ezvpn(cfg-crypto-trans)#exit

ezvpn(config)#crypto dynamic-map inbound-vpn 10
ezvpn(config-crypto-map)#set transform-set client-encryption
ezvpn(config-crypto-map)#exit
ezvpn(config)#crypto map vpnmap client authentication list vpnclient
ezvpn(config)#crypto map vpnmap isakmp authorization list vpngroup
ezvpn(config)#crypto map vpnmap client configuration address respond
ezvpn(config)#in fa0/0
ezvpn(config-if)#ip address 192.168.1.1 255.255.255.0
ezvpn(config-if)#description Pte LAN behind Easy VPN server
ezvpn(config-if)#no shut
ezvpn(config-if)#exit
ezvpn(config)#int fa0/1
ezvpn(config-if)#ip address 155.1.80.1 255.255.255.0
ezvpn(config-if)#no shut
ezvpn(config-if)#description Int facing public network, inbound vpn terminates here
ezvpn(config-if)#crypto map vpnmap
ezvpn(config-if)#exit

ezvpn(config)#ip dhcp excluded-address 192.168.1.100 192.168.1.150
ezvpn(config)#ip dhcp excluded-address 192.168.1.1
ezvpn(config)#ip dhcp pool pte-lan
ezvpn(dhcp-config)#network 192.168.1.0 /24
ezvpn(dhcp-config)#default-router 192.168.1.1
ezvpn(dhcp-config)#exit
ezvpn(config)#

About Cisco security product ordering
The motivation of writing this post is to give an alternative to user who does not have SSL VPN license.

The new line of Cisco ISR2 routers have a different business model compared to last time. New ISR2 routers are shipped with IOS 15 universal image, this image is a full version IOS however full functionality is locked.

Additional license pak must be purchased to unlock universal image features.

The license paks are divided into Data, Security and UC. SSL VPN is a separate purchase, comes with 10 users license and 25 users license, to order SSL VPN license you must order your router with Security bundle. Always do your BOM with Cisco Dynamic Configurator Tool with Enable Configuration Guidance checked.

Advertisements
This entry was posted in Security, VPN and tagged , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s