Acknowledgement
I would like to thank Mr. Richard Deal in this post. Mr. Deal is able to describe complex cisco security technology into easy to understand and easy to digest manner. I have not met Mr. Deal in person nor does he know who I am, but through his books I have learned a great deal about Cisco security technologies. I would also like to thank Cisco for releasing its manual to the public, this enables me to understand Cisco’s security product, what benefits me the most is its publication of case studies.
Authentication, Authorization and Accounting (AAA)
For easy vpn server configuration only authentication and authorization are used. Authentication is to identify the user and authorization is to limit what a user can and cannot do.
To enable AAA in Cisco router use aaa new-model, enable aaa is just the start, a word of caution is never saved the configuration to the nvram and reboot the router or power off the router without configuring authentication, if you do this you will be locked out of the router.
ezvpn(config)#aaa authentication login ?
WORD Named authentication list (max 31 characters, longer will be
rejected).
default The default authentication list.
Give an arbitrary name of not more than 31 characters to the aaa authentication list.
ezvpn(config)#aaa authentication login example1 ?
cache Use Cached-group
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V
Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
passwd-expiry enable the login list to provide password aging support
Assign which type of authentication you wish to attach to this list, local is to use local username and password list configured in your Cisco router, group is to use external authentication server such as tacacs+, radius and ldap. For easy vpn server the only external authentication method supported is radius.
ezvpn(config)#aaa authentication login example1 group ? WORD Server-group name ldap Use list of all LDAP hosts. radius Use list of all Radius hosts. tacacs+ Use list of all Tacacs+ hosts.
The purpose of AAA implementation is to allow security administrator to have more granularity to assign user into groups and assign what the users in the group can and cannot do and finally to add accountability of users within the group.
ezvpn(config)#username user1 secret user123 ezvpn(config)#username user2 secret whoareyou123
Configure username and password for local. If local is assigned to your aaa authentication list make sure these are configured.
ezvpn(config)#aaa authorization network example1 ? cache Use Cached-group group Use server-group. if-authenticated Succeed if user has authenticated. local Use local database. none No authorization (always succeeds). ezvpn(config)#aaa authorization network example1 group ? WORD Server-group name ldap Use list of all LDAP hosts. radius Use list of all Radius hosts. tacacs+ Use list of all Tacacs+ hosts.
aaa authorization network is used defined the expected remote access vpn users defined in authentication group i.e. either group defined external radius server or group of users defined in the router locally. This authorization group list will be used in crypto map .... isakmp authorization list command.
Finished AAA configuration block
ezvpn(config)#aaa new-model ezvpn(config)#username cyrus secret cyrus123 ezvpn(config)#username cisco secret cisco123 ezvpn(config)#aaa authentication login vpnclient local ezvpn(config)#aaa authorization network vpngroup local
The passwords are weak, it is common sense not to use these passwords 🙂 Just a side note, John the ripper with word mangling rule can break this quickly however brute forcing passwords is loud I doubt seasoned hacker will want to do this.
Define local group for vpn client
Define local group in Cisco router is only necessary if local is chosen for aaa authentication and authorization list.
Create an IP pool list for dynamically assign IP address to authenticated vpn client use ip local pool command. Then attach the ip local pool list to isakmp client configuration. If no explicit pool is specified for the vpn client group this address-pool will be used as the default ip address pool.
ezvpn(config)#ip local pool vpnpool-default 192.168.1.200 192.168.1.210 ezvpn(config)#crypto isakmp client configuration address-pool local vpnpool-default ezvpn(config)#ip local pool vpnpool 192.168.1.100 192.168.1.150
vpnpool-default will be used for vpn client if no explicit ip address pool is defined for the vpn client group.
Create isakmp configuration group for vpn client. Give an arbitrary name to the group too.
ezvpn(config)#crypto isakmp client configuration group vpnusers ezvpn(config-isakmp-group)#key cisco ezvpn(config-isakmp-group)#pool vpnpool ezvpn(config-isakmp-group)#domain cyruslab.local ezvpn(config-isakmp-group)#max-logins 2 ezvpn(config-isakmp-group)#include-local-lan ezvpn(config-isakmp-group)#exit ezvpn(config)#
key is the pre-share key used, again it is common sense not to use weak key 🙂
pool is the explicit defined address pool usable by vpnusers group. include-local-lan allows vpn client to access private lan resources in plain text and whichever traffic to easy vpn server is encrypted, this command keyword must be used if no split tunneling is configured, if this command keyword is omitted then your non-split-tunneled authenticated vpn client cannot access anything in private LAN.
Reference: http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_i1gt.html#wp1183760
If you have an external radius server you can save a lot of work, you only need to define user groups in the radius server.
IKE phase 1 proposal
ezvpn(config)#crypto isakmp policy 5 ezvpn(config-isakmp)#hash sha256 ezvpn(config-isakmp)#encryption aes 128 ezvpn(config-isakmp)#lifetime 3200 ezvpn(config-isakmp)#group 2 ezvpn(config-isakmp)#authentication pre-share
This is the IKE phase 1 proposal which the vpn client and the server must agree on to start phase 1. lifetime can be mismatched, the lower lifetime will be taken into account, however the DH group type, hash algorithm, encryption algorithm and authentication must match. The default authentication method is to use certificate X.502. crypto isakmp policy 5, 5 is the priority number the lower the preferred, when you have configured a lot of IKE phase 1 proposals the router will find from the lowest priority number until the router can find a matching proposal.
ezvpn(config)#crypto isakmp keepalive 30 5
30 is the interval between keepalives, 5 is the interval of retries between each failed keepalives.
IKE phase 2 (IPSec) proposal
ezvpn(config)#crypto ipsec transform-set client-encryption esp-aes 128 esp-sha256-hmac ezvpn(cfg-crypto-trans)#exit
transform-set is the encryption method for IKE phase 2. HMAC is produced by hashing an encrypted payload with a digest (hash product) attached.
Dynamic crypto map entry
Remote access vpn is an on-demand vpn connection, hence the easy vpn server does not know the ip address of inbound vpn client, which is why dynamic crypto map entry is needed to establish a session.
ezvpn(config)#crypto dynamic-map inbound-vpn 10 ezvpn(config-crypto-map)#set transform-set client-encryption ezvpn(config-crypto-map)#exit
The transform-set is associated with this dynamic map, the number 10 is the sequence number to insert the entry. There are many options available for dynamic map, however the only one needed is the transform-set.
Static crypto map entry
ezvpn(config)#crypto map vpnmap client authentication list vpnclient ezvpn(config)#crypto map vpnmap isakmp authorization list vpngroup ezvpn(config)#crypto map vpnmap client configuration address respond
This static vpnmap map is to associate the authentication list and the authorization group configured earlier. Also to state whether Easy VPN server should respond or initiate the IKE configuration. Cisco VPN software and Easy VPN client initiate IKE configuration, but Microsoft L2TP/IPsec clients respond to IKE configuration, hence if a mixture of these vpn clients are expected to connect to Easy VPN server then you will need to add another entry to initiate like this crypto map vpnmap client configuration address initiate.
IP parameters
ezvpn(config)#in fa0/0 ezvpn(config-if)#ip address 192.168.1.1 255.255.255.0 ezvpn(config-if)#description Pte LAN behind Easy VPN server ezvpn(config-if)#no shut ezvpn(config-if)#exit ezvpn(config)#int fa0/1 ezvpn(config-if)#ip address 155.1.80.1 255.255.255.0 ezvpn(config-if)#no shut ezvpn(config-if)#description Int facing public network, inbound vpn terminates here ezvpn(config-if)#crypto map vpnmap ezvpn(config-if)#exit
You should apply the static crypto map to the interface expecting an inbound vpn client connection.
The entire Easy VPN server configuration
ezvpn(config)#aaa new-model ezvpn(config)#username cyrus secret cyrus123 ezvpn(config)#username cisco secret cisco123 ezvpn(config)#aaa authentication login vpnclient local ezvpn(config)#aaa authorization network vpngroup local ezvpn(config)#crypto isakmp policy 5 ezvpn(config-isakmp)#hash sha256 ezvpn(config-isakmp)#encryption aes 128 ezvpn(config-isakmp)#lifetime 3200 ezvpn(config-isakmp)#group 2 ezvpn(config-isakmp)#authentication pre-share ezvpn(config)#crypto isakmp keepalive 30 5 ezvpn(config)#ip local pool vpnpool 192.168.1.100 192.168.1.150 ezvpn(config)#crypto isakmp client configuration group vpnusers ezvpn(config-isakmp-group)#key cisco ezvpn(config-isakmp-group)#pool vpnpool ezvpn(config-isakmp-group)#domain cyruslab.local ezvpn(config-isakmp-group)#max-logins 2 ezvpn(config-isakmp-group)#include-local-lan ezvpn(config-isakmp-group)#exit ezvpn(config)# ezvpn(config)#crypto ipsec transform-set client-encryption esp-aes 128 esp-sha256-hmac ezvpn(cfg-crypto-trans)#exit ezvpn(config)#crypto dynamic-map inbound-vpn 10 ezvpn(config-crypto-map)#set transform-set client-encryption ezvpn(config-crypto-map)#exit ezvpn(config)#crypto map vpnmap client authentication list vpnclient ezvpn(config)#crypto map vpnmap isakmp authorization list vpngroup ezvpn(config)#crypto map vpnmap client configuration address respond ezvpn(config)#in fa0/0 ezvpn(config-if)#ip address 192.168.1.1 255.255.255.0 ezvpn(config-if)#description Pte LAN behind Easy VPN server ezvpn(config-if)#no shut ezvpn(config-if)#exit ezvpn(config)#int fa0/1 ezvpn(config-if)#ip address 155.1.80.1 255.255.255.0 ezvpn(config-if)#no shut ezvpn(config-if)#description Int facing public network, inbound vpn terminates here ezvpn(config-if)#crypto map vpnmap ezvpn(config-if)#exit ezvpn(config)#ip dhcp excluded-address 192.168.1.100 192.168.1.150 ezvpn(config)#ip dhcp excluded-address 192.168.1.1 ezvpn(config)#ip dhcp pool pte-lan ezvpn(dhcp-config)#network 192.168.1.0 /24 ezvpn(dhcp-config)#default-router 192.168.1.1 ezvpn(dhcp-config)#exit ezvpn(config)#
About Cisco security product ordering
The motivation of writing this post is to give an alternative to user who does not have SSL VPN license.
The new line of Cisco ISR2 routers have a different business model compared to last time. New ISR2 routers are shipped with IOS 15 universal image, this image is a full version IOS however full functionality is locked.
Additional license pak must be purchased to unlock universal image features.
The license paks are divided into Data, Security and UC. SSL VPN is a separate purchase, comes with 10 users license and 25 users license, to order SSL VPN license you must order your router with Security bundle. Always do your BOM with Cisco Dynamic Configurator Tool with Enable Configuration Guidance checked.
cyruslab 