AAA Configuration External Authentication

router(config)# aaa group server radius VPN-ACS
router(config-sg-radius)# server 10.0.1.12
router(config-sg-radius)# exit
router(config)# aaa authentication login default group VPN-ACS

This section shows how to configure AAA using an external RADIUS server. AAA is configured in global configuration mode. The authentication method list is referenced in the WebVPN context configuration with the aaa authentication command. The steps in this task configure AAA using a RADIUS server. Follow this...

Add the Group Profile to Be Defined

Figure: Primary DNS / Microsoft WINS 10.0.1.13, Secondary DNS / Microsoft WINS 10.0.1.14

R1(config)# crypto isakmp client configuration group R6
R1(config-isakmp-group)# key VPNKEY
R1(config-isakmp-group)# dns 10.0.1.13 10.0.1.14
R1(config-isakmp-group)# wins 10.0.1.13 10.0.1.14
R1(config-isakmp-group)# domain cisco.com
R1(config-isakmp-group)# pool Remote-Pool
R1(config-isakmp-group)# save-password

2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0 4-31

The crypto isakmp client configuration group...

Allowed Transform Combinations

- ESP with the 168-bit DES encryption algorithm (3DES or Triple DES)
- ESP with the 160-bit SEAL encryption algorithm

ESP Authentication Transform (Select only one.)
- ESP with the MD5 (HMAC variant) authentication algorithm
- ESP with the SHA (HMAC variant) authentication algorithm

- IP compression with the Lempel-Ziv-Stac (LZS) algorithm

Step 2 (Optional) Change the mode associated with the transform...

Allowing Local LAN Access

In a multiple network interface card (NIC) configuration, local LAN access pertains only to network traffic on the interface on which the tunnel was established. The Allow Local LAN Access parameter gives you access to the resources on your local LAN (printer, fax, shared files, or other systems) when you are connected through a secure gateway to a central-site VPN device. When this parameter is enabled and your central site is configured to permit it, you can access local resources while...

Application Access Port Forwarding Screen

Figure: Application Access window (Microsoft Internet Explorer). The window reads: "Close this window when you finish using Application Access. Please wait for the table to be displayed before starting applications. If you shut down your computer without closing this window, you might later have problems running the applications listed below. Click here for details."

The Java-based application helper...

Apply Mode Configuration and XAUTH

Step 1 Configure the router to respond to mode configuration requests.
Step 2 Enable IKE querying for a group policy.
Step 3 Enforce XAUTH.
Step 4 Apply the dynamic crypto map to the crypto map.

Apply mode configuration to a dynamic crypto map using the following steps in global configuration mode: Step 1 Configure the router to respond to mode configuration requests. Step 2 Enable IKE queries for group policy lookup. Step 3 Enforce...

Apply the Crypto Map to Router Outside Interface

R1(config)# interface ethernet0/1
R1(config-if)# crypto map ClientMap
R1(config-if)# end

This task applies the crypto map to the Cisco Easy VPN Server router outside interface. The figure above shows an example of how to apply the crypto map to the outside interface.

This section describes how to enable DPD.

crypto isakmp keepalive secs retries
R1(config)# crypto isakmp keepalive 20 10

Use the...

Applying Crypto Maps to Interfaces

R1(config)# interface ethernet0/1
R1(config-if)# crypto map SNRS-MAP

- Applies the crypto map to the outside interface
- Activates the IPsec policy

A crypto map set will need to be applied to each interface through which IPsec traffic will flow. Applying the crypto map set to an interface instructs the router to evaluate all of the interface traffic against the crypto map set and to use the specified policy during connection or SA negotiation on behalf of traffic to be...

Authentication

The Cisco Easy VPN Remote feature supports a two-stage process for authenticating the remote router to the central Cisco VPN concentrator. The first step is group-level authentication and is part of the control channel creation. In this first stage, two types of authentication credentials can be used: either pre-shared keys or digital certificates. This discussion provides details about these options. The second authentication step is called Extended Authentication (XAUTH). In this step, the...

Authentication Begins

Because there are two ways to perform authentication, the Cisco VPN Client must consider the following when initiating this phase:

- If a pre-shared key is to be used for authentication, the Cisco VPN Client initiates aggressive mode. When pre-shared keys are used, the accompanying group name entered in the configuration GUI (ID_KEY_ID) is used to identify the group profile associated with this Cisco VPN Client.
- If digital certificates are to be used for authentication, the Cisco VPN Client...

Authentication Bypass

This figure is an example of a web-based activation in which the user chose to connect only to the Internet by clicking the Internet Only option. This option is most useful for household members who need to browse the Internet while the remote teleworker is not available to authenticate the VPN tunnel for corporate use. Note If a user mistakenly closes the Web-Based Activation window, the window can be reopened by accessing the remote router (by...

Authentication Header

- Mechanism for providing strong integrity and authentication for IP datagrams
- Can also provide nonrepudiation

IP AH, a key protocol in the IPsec architecture, is used to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replays. This protection service against replay is an optional service to be selected by the receiver when an SA is established. AH is defined in RFC...

Benefits

Here are some of the benefits of a hub-and-spoke VPN topology:

- Provides support for small sites with small LANs and low-end routers: only one IPsec tunnel is needed at the spoke routers.
- Reduces the hub router configuration size and complexity: the hub router no longer needs to maintain a separate static crypto map for each of the spoke sites or to maintain a list of IP addresses of the spoke sites, thus simplifying adding and deleting spoke sites.
- Only the hub needs to have static and global IP...

Certificate and Trustpoint Configuration

- Set the router time and date
- Request your own certificate

WebVPN is based on HTTPS, which requires a public key infrastructure (PKI) trustpoint to be configured. A self-signed certificate is automatically generated when a WebVPN gateway is put in service. However, if network security policy dictates that you use an external certificate authority (CA) server, use the discussion here as a guide. The figure lists the tasks involved with...

Certificate Authentication

For certificate authentication, perform the following procedure, which varies according to the type of certificate that you are using:

Step 1 Click the Certificate Authentication radio button.
Step 16 Choose the name of the certificate that you are using from the menu. If the field reads No Certificates Installed and is shaded, you must enroll for a certificate before you can use this feature.

Certificate Enrollment

Certificate enrollment is the process of obtaining a certificate from a CA. Each end host that wants to participate in the PKI must obtain a certificate. Certificate enrollment occurs between the end host requesting the certificate and the CA. The following steps describe the certificate enrollment process:

1. The end host generates an RSA key pair.
2. The end host generates a certificate request and forwards it to the CA (or the RA, if applicable).
3. The CA receives the certificate enrollment...

Checking Connectivity Without IPsec Enabled

Basic connectivity between peers must be checked before you begin configuring IPsec. The router ping command can be used to test basic connectivity between IPsec peers. Although a successful Internet Control Message Protocol (ICMP) echo (ping) will verify basic connectivity between peers, you should ensure that the network works with any other protocols or ports that you want to encrypt, such as Telnet, FTP, or SQL*NET, before beginning IPsec configuration. After IPsec is activated, basic...

Checking for Existing IPsec Configurations

You should check the current Cisco router configuration to see if there are any IPsec policies already configured that are useful for, or may interfere with, the IPsec policies that you plan to configure. Previously configured IKE and IPsec policies and details can and should be used, if possible, to save configuration time. However, previously configured IKE and IPsec policies and details can make troubleshooting more difficult if problems arise. You can see whether any IPsec policies have...

Cisco Easy VPN

Cisco Unity is the common VPN language between Cisco devices.

When deploying VPNs for teleworkers and small branch offices, ease of deployment is increasingly important. Cisco Easy VPN makes it easier than ever to deploy VPNs as part of small and medium businesses or large enterprise networks with Cisco products. Cisco Easy VPN Remote and Cisco Easy VPN Server offer flexibility, scalability, and ease of use for...

Cisco Easy VPN Components

Cisco Easy VPN is made up of two components:

- Cisco Easy VPN Server: Enables Cisco IOS routers, Cisco ASA and Cisco PIX Firewalls, and Cisco VPN 3000 Series Concentrators to act as VPN headend devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature.
- Cisco Easy VPN Remote: Enables Cisco IOS routers, Cisco ASA and Cisco PIX Firewalls, and Cisco VPN 3002 Hardware Clients or Cisco VPN Software Clients to act as remote VPN Clients.

Cisco Easy VPN Remote

Cisco Easy VPN Remote enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3002 Hardware Clients or Cisco VPN Software Clients to act as Cisco Easy VPN Remote clients. These devices can receive security policies from a Cisco Easy VPN Server, minimizing VPN configuration requirements at the remote location. This cost-effective solution is ideal for remote offices with little IT support or for large customer premises equipment (CPE) deployments where it is impractical to individually...

Cisco Easy VPN Remote Configuration General Tasks for Access Routers

- Configure the Cisco Easy VPN Remote client profile.
  - Manual or automatic tunnel control
- Assign the Cisco Easy VPN Remote client profile to the interfaces.
- Verify the Cisco Easy VPN configuration.

An access router at a remote site can be configured as a Cisco Easy VPN remote client. As a remote client, the access router can give out DHCP addresses to hosts behind it or you can let the Easy VPN server...

Cisco Easy VPN Remote Network Extension Mode

Provides a seamless extension of the remote network

This figure illustrates the network extension mode of operation. In this example, the Cisco 831 Ethernet Broadband Router acts as a Cisco Easy VPN Remote device, connecting to a router used as a Cisco Easy VPN Server. The client hosts are given IP addresses that are fully routable by the destination network over the tunnel. These IP addresses could be either in the same subnet space as the...

Cisco Easy VPN Server

Cisco Easy VPN Server enables Cisco IOS routers, Cisco ASA and Cisco PIX Firewalls, and Cisco VPN 3000 Series Concentrators to act as VPN headend devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature. Using this feature, security policies defined at the headend are pushed to the remote VPN device, ensuring that those connections have up-to-date policies in place before the connection is established. In addition, a Cisco Easy...

Cisco Easy VPN Server Authenticates the Device

The Cisco Easy VPN Server authenticates the device first before authenticating the user. ISAKMP policy is global for the Cisco Easy VPN Server and can consist of several proposals. In the case of multiple proposals, the Cisco Easy VPN Server will use the first match (so you should always have your most secure policies listed first). The Cisco Easy VPN Server searches for a match. The first proposal to match the server list is accepted (highest-priority match). The most secure proposals are...

Cisco Easy VPN Server General Configuration Tasks

The following general tasks are used to configure Cisco Easy VPN Server on a Cisco router:

- (Optional) Create IP address pool for connecting clients
- Enable group policy lookup via AAA
- Create an ISAKMP policy for remote VPN Client access
- Define a group policy for mode configuration push
- Apply mode configuration and XAUTH
- (Optional) Enable the XAUTH Save Password feature

The Cisco Easy VPN Server feature allows a remote end user to...

Cisco IOS CA Configuration Procedure

- Add CA server to router host table
- Generate an RSA key pair or use a self-signed certificate

There are several steps required to configure a router to use PKI. Having a detailed plan lessens the chances of improper configuration. Some planning steps to prepare for CA support include the following:

Step 1 Set the router time and date.
Step 2 Configure the router hostname and domain name.
Step 3 Generate an RSA key pair. Digital...

Cisco IOS CA Configuration Procedure (Cont.)

- Request your own certificate
- Verify the CA support configuration
- (Optional) Monitor and maintain CA interoperability

Step 5 Authenticate the CA. The router needs to authenticate the CA. It does this by obtaining the CA self-signed certificate that contains the CA public key.
Step 6 Request your own certificate. Complete this step to obtain the identity certificate for your router from the CA.
Step 7 Verify the CA support...

Cisco IOS SSL VPN Client Full Network Access

- Leverages depth of Cisco encryption client experience to deliver a lightweight, stable and easy-to-support SSL VPN tunneling client
- IPsec-like application access through web-pushed client
- Application-agnostic full network access
- No-touch central site configuration
- Compatible with Cisco softphone for VoIP support
- Multimedia data voice desktops for greatest user productivity
- Client may be either removed at end of session or left permanently installed
- No trace of client after session provides...

Cisco IOS WebVPN

Clientless and full network SSL VPN access

SSL-based VPN, or WebVPN, is an emerging technology that provides remote-access connectivity from almost any Internet-enabled location using a web browser and its native SSL encryption. SSL VPN provides the flexibility to support secure access for all users, regardless of the endpoint host from which they are establishing the connection. If application access requirements are modest, SSL VPN does not...

Clientless Mode Access

Microsoft Windows 2000 or XP

In clientless mode, the remote user accesses the internal or corporate network using a web browser on the client machine. The PC of the remote user must run the Windows 2000, Windows XP, or Linux operating systems.

Commands

This section covers some of the show commands available for viewing WebVPN information.

This section describes the show commands that are used to verify the following:

- WebVPN gateway configuration: Display the status of the WebVPN gateway using the show webvpn gateway command.
- WebVPN context configuration: Display the operational status and configuration parameters for WebVPN context configurations using the show webvpn context command.
- Cisco Secure...

Configure Client Authentication Properties

Figure: VPN Client | Properties for 10.86.194.173 dialog (Description: Documentation Concentrator), Authentication tab, showing the Group Authentication, Mutual Group Authentication and Confirm Password fields

Under the Authentication tab, enter the information for the method that you want to use. You can connect as part of a group (configured on a VPN device) or by supplying an identity digital certificate.

Configure Connection to the Internet Through Dialup Networking

This section describes how to configure the client to use a dial-up connection. To connect to a private network using a dialup connection, complete these steps:

Step 1 Use a dialup connection to your ISP to connect to the Internet.
Step 2 Use the Cisco VPN Client to connect to the private network through the Internet.

To enable and configure this feature, check the Connect to the Internet via Dial-Up check box. This box is not...

Configure IPsec

After setting up IKE, you must still set up IPsec. The steps required for IPsec configuration do not rely at all on the IKE configuration method. When you configure IPsec, you will do the following:

- Create an extended ACL (determines what traffic should be protected by IPsec).
- Create IPsec transform (or transforms). Transform sets are offered to the peer, which will choose one (ah-md5-hmac, esp-des, etc.).
- Create crypto map (or maps):
  - Specify transform sets created earlier
  - Specify ACL to match for...

Configure ISAKMP

The only reason that IKE exists is to establish SAs for IPsec. IKE must first negotiate an SA (an ISAKMP SA) relationship with the peer before it can establish the IPsec SA. Because IKE negotiates its own policy, it is possible to configure multiple policy statements with different configuration statements, and then let the two hosts come to an agreement. There are currently two methods used to configure ISAKMP.

Pre-shared keys (simple, not very scalable):
1. Configure ISAKMP protection suite (or...

Configure ISAKMP Identity

R1(config)# crypto isakmp identity address

You should set the ISAKMP identity for each peer that uses pre-shared keys in an IKE policy. When two peers use IKE to establish IPsec SAs, each peer sends its identity to the remote peer. Each peer sends either its hostname or its IP address, depending on how you have set the ISAKMP identity of the router. By default, the ISAKMP identity of a peer is the IP address of the peer. If appropriate, you could change the identity to be the peer hostname...

Configure Transparent Tunneling

This section describes how to enable transparent tunneling.

Figure: VPN Client Properties (Description: testSystem, Host: 10.10.32.32), Transport tab: Enable Transparent Tunneling (IPSec over UDP (NAT/PAT) or IPSec over TCP with TCP Port), Allow Local LAN Access, Peer response timeout (seconds): 90

Next, configure transparent tunneling by completing the fields on the Transport tab.

Configure XAUTH

Complete the following steps to configure XAUTH on your Cisco Easy VPN Server router:

Step 1 Enable AAA login authentication.
Step 2 Set the XAUTH timeout value.
Step 3 Enable ISAKMP XAUTH for the dynamic crypto map.

Configuring a Site-to-Site VPN Using PKI Tasks

- Prepare for ISAKMP and IPsec
- Create ACLs for encryption traffic (crypto ACLs)
- Apply crypto map to an interface

The configuration process for a site-to-site IPsec VPN using digital certificates consists of these five major tasks:

1. Prepare for Internet Security Association and Key Management Protocol (ISAKMP). Preparing for ISAKMP and IPsec involves determining the detailed encryption policy, identifying the hosts and networks that you...

Configuring CIFS

Follow this procedure to enable file sharing support in WebVPN.

Step 1 Enter SSL VPN configuration mode.
router(config)# webvpn context SSLVPN

Step 7 Enter SSL VPN NBNS list configuration mode.
router(config-webvpn-context)# nbns-list name

name: This is the name of the NBNS list. The name can be up to 64 characters in length. This argument is case sensitive. The NBNS server list is used to configure a list of Microsoft WINS to resolve Microsoft file directory shares. Entering the nbns-list command...

Configuring Cisco Easy VPN Remote for the Cisco VPN Client v4x General Tasks

- Create a new client connection entry.
- Choose an authentication method.
- Configure transparent tunneling.
- Enable and add backup servers.
- Configure a connection to the Internet through dialup networking.

The Cisco VPN Client is simple to deploy and operate. The Cisco VPN Client enables customers to establish secure, end-to-end encrypted tunnels to any Cisco Easy VPN server. This thin design, IPSec...

Configuring IPsec

This topic describes the tasks required to configure an IPsec site-to-site VPN using pre-shared keys.

- Create ACLs for encryption traffic (crypto ACLs).
- Apply crypto map to an interface.

There are several configuration items that must be enabled to implement IPsec on a router. The major tasks are as follows:

Step 1 Prepare for IPsec. This task involves checking network connectivity before IPsec is implemented, checking current configuration for IPsec...

Configuring ISAKMP

This topic describes how to configure ISAKMP using pre-shared keys.

Step 3 RSA signatures (when using PKI).

IKE automatically negotiates IPsec SAs and enables IPsec secure communications without costly manual reconfigurations. IKE provides authentication of the IPsec peers, negotiates IPsec keys, and negotiates IPsec SAs. Multiple IKE policies can be defined between two IPsec peers...

Configuring Microsoft File Shares for Clientless Remote Access

In clientless remote-access mode, files and directories created on Microsoft Windows servers can be accessed by the remote client through the HTTPS-enabled browser. When enabled, a list of file server and directory links are displayed on the portal page after login. The administrator can customize permissions on the WebVPN gateway to provide limited read-only access for a single file or full write access and network browsing capabilities. CIFS is the protocol that provides access to Microsoft...

Configuring the Group Policy

The policy group is a container that defines the presentation of the portal and the permissions for resources that are configured for a group of remote users. Entering the policy group command places the router in SSL VPN group policy configuration mode. After it is configured, the group policy is attached to the WebVPN context configuration by configuring the default-group-policy command. Follow these steps to create a WebVPN group policy:

Step 5 Enter SSL VPN configuration mode.
router(config)...

Configuring Thin Client Mode TCP Port Forwarding

The port-forward command is used to create the port-forwarding list. Application port number mapping (port forwarding) is configured with the local-port command in SSL VPN port-forward configuration mode. A port-forwarding list is configured for thin-client mode WebVPN. Port forwarding extends the cryptographic functions of the SSL-protected browser to provide remote access to TCP and User Datagram Protocol (UDP)-based applications that use well-known port numbers, such as POP3, SMTP, IMAP,...

Connection Is Completed with IPsec Quick Mode

IKE Phase 2 has one mode, called quick mode. Quick mode occurs after IKE has established the secure tunnel in IKE Phase 1. IKE Phase 2 negotiates a shared IPsec policy, derives shared-secret keying material used for the IPsec security algorithms, and establishes IPsec SAs. Quick mode exchanges nonces that provide replay protection. The nonces are used to generate new shared-secret key material and prevent replay attacks from generating bogus SAs. Quick mode is also used to renegotiate a new...

Create a DHCP Server Pool

R6(config)# ip dhcp pool Local-Pool
R6(dhcp-config)# network 10.0.6.0 255.255.255.0
R6(dhcp-config)# default-router 10.0.6.2
R6(dhcp-config)# exit
R6(config)# ip dhcp excluded-address 10.0.6.2

If you want to use the local router DHCP server to assign IP addresses to the hosts that are connected to the LAN...

Create a New Client Connection Entry

Figure: Cisco VPN Client main window (Connection Entries, Certificates and Log tabs; Connect, New, Import and Modify toolbar buttons) listing connection entries for hosts 63.67.72.134, 10.10.99.30 and 10.10.32.32

To use the Cisco VPN Client, you must create at least one connection entry, which identifies the following information:

- The VPN device (the remote server) to access
- Pre-shared keys: the IPsec group to which the system administrator assigned you (Your group...

Create a New Client Connection Entry (Cont.)

Figure: VPN Client | Properties for 10.86.194.173 dialog: Connection Entry and Description (Documentation Concentrator) fields, with Authentication, Transport, Backup Servers and Dial-Up tabs, showing the Group Authentication, Mutual Group Authentication and Confirm Password fields

Step 10 Enter a unique name for this new connection. You can use any name to identify this connection, for example, Engineering. This name can contain spaces, and it is not case-sensitive.
Step 11...

Create Dynamic Crypto Map with RRI

Contains the following steps:

Step 1 Create a dynamic crypto map.
Step 2 Assign a transform set.
Step 3 Enable RRI.

This task creates a dynamic crypto map to be used when building IPsec tunnels to Cisco Easy VPN Remote clients. In this example, RRI is used to ensure that returning data destined for a particular IPsec tunnel can find that tunnel. RRI ensures that a static route is created on the Cisco Easy VPN Server for each client...

Create IKE Policies for a Purpose

IKE negotiations must be protected, so each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations. After the two peers agree upon a policy, an SA established at each peer identifies the security parameters of the policy. These SAs apply to all subsequent IKE traffic during the negotiation. You can create multiple, prioritized policies at each peer to ensure that at least one...

Create ISAKMP Policies with the crypto isakmp Command

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 36000

To define an IKE policy, follow these steps:

Step 1 Identify the policy to create and enter the ISAKMP configuration command mode. (Each policy is uniquely identified by the priority number that you assign.)
router(config)# crypto isakmp...

Create ISAKMP Policy for Remote VPN Client Access

Authentication: Pre-shared keys
Encryption: 3-DES
Diffie-Hellman: Group 2
Other settings: Default

R1(config)# crypto isakmp enable
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# end

Complete this task to configure the ISAKMP policy for all Cisco Easy VPN Remote clients attaching to this router. Use the standard ISAKMP configuration commands to...

Create Transform Sets

R1(config)# crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac

This task creates a transform set for the Cisco Easy VPN Remote clients to use when they attempt to build an IPsec tunnel to this router. Use the standard method for creating a transform set, as shown in this figure. Here is an example of how to create a transform set for Cisco Easy VPN Remote client access:

R1(config)# crypto ipsec transform-set transform-set-name transform1 ...

Creating a New Connection Entry

Use the following procedure to create a new connection entry.

Step 1 Start the Cisco VPN Client by choosing Start > Programs > Cisco Systems VPN Client > VPN Client.
Step 8 The Cisco VPN Client application starts and displays the advanced mode main window. If you are not already there, choose the Options menu in simple mode and choose Advanced Mode or press Ctrl-M.
Step 9 Choose New from the toolbar or the Connection Entries menu. The VPN Client displays a form.

Creating Crypto ACLs

- Create an extended ACL to define what traffic will be protected.
- Must be a mirror image of the peer's crypto ACL.

As with the previous configuration, configuring crypto ACLs for digital signatures is the same as with pre-shared keys. Complete these steps to configure your crypto ACL:

router(config)# ip access-list extended <name>

Step 2 Define which traffic is to be protected.
router(config-ext-nacl)# permit protocol source...

Creating Crypto Maps

When IKE is used to establish SAs, the IPsec peers can negotiate the settings that they will use for the new SAs. This means that you can specify lists (such as lists of acceptable transforms) within the crypto map entry. Follow these steps to create crypto map entries that will use IKE to establish the SAs:

Step 1 Name the crypto map to create, specify ISAKMP SAs, and enter crypto map configuration mode.
router(config)# crypto map map-name seq-num ipsec-manual
router(config)# crypto map map-name...

Crypto Map Parameters

You can apply only one crypto map set to a single interface. The crypto map set can include a combination of IPsec using IKE, and IPsec with manually configured SA entries. Multiple interfaces can share the same crypto map set if you want to apply the same policy to multiple interfaces. If you create more than one crypto map entry for a given interface, use the sequence number (seq-num) of each map entry to rank the map entries: the lower the sequence number,...

Crypto System Error Messages for ISAKMP

CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated
CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed
ISAKMP peers failed protection suite negotiation for ISAKMP.

Cisco IOS Software can generate many useful system error messages for ISAKMP. Two of the error messages are as follows:

CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange...

Deactivation

[Figure: browser window at www.cisco.com displaying the message "The VPN Tunnel has been brought down. You would need to reconnect to bring the tunnel up again. This page will automatically close in 5 seconds."]
This figure is an example of a VPN tunnel that has been deactivated successfully. The page...

Debug CA Commands

[Figure: topology with hosts 10.0.1.12 and 10.0.6.12 at either end of the VPN]
Some commands are available to troubleshoot CA interoperability. You can use the debug crypto pki messages and the debug crypto pki transactions commands to assist you in finding any issues related to CA operations.

Declaring a CA

R1(config)# crypto pki trustpoint vpnca
R1(ca-trustpoint)# enrollment url http://vpnca:80
The example shown in the figure declares a CA and identifies characteristics of the CA. In this example, the name vpnca is created for the CA, which is located at http://vpnca on port 80. This is the minimum possible configuration required to declare a CA. Follow these steps to declare a CA server:
Step 1: Declare which CA your router will use. Issuing the crypto pki trustpoint...

Default GRE Characteristics

Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE.
Stateless (no flow control mechanisms).
No security (no confidentiality, data authentication, or integrity assurance).
24-B overhead by default (20-B IP header and 4-B GRE header).
GRE encapsulation uses a protocol type field in the GRE header to support the encapsulation of any Open Systems Interconnection (OSI) Layer 3 protocol. GRE itself is completely stateless; it does...

Define Group Policy for Mode Configuration Push

This section describes the steps involved in defining the policy attributes that are pushed to the client via mode configuration.
Step 1: Add the group profile to be defined.
Step 2: Configure the ISAKMP pre-shared key.
Step 4: Specify the Microsoft WINS servers.
Step 6: Specify the local IP address pool.
Complete this task to define a group policy to be pushed during mode configuration. Although users can belong to only one group per connection, they...

Define IKE Policy Parameters

You can select specific values for each IKE parameter per the IKE standard. You choose one value over another based on the security level that you desire and the type of IPsec peer to which you will connect. There are five parameters to define in each IKE policy, as outlined in the figure and in the table. The figure shows the relative strength of each parameter; the table shows the default values.

Deployment Scenario

This figure shows a headquarters network providing a remote office access to the corporate intranet. In this scenario, the headquarters and remote office are connected through a GRE tunnel that is established over an IP infrastructure (the Internet). Employees in the remote office are able to access internal, private web pages and perform various IP-based network tasks. GRE can be used in conjunction with IPsec to pass routing updates between sites on an...

Digital Signatures

Digital signatures, enabled by public key cryptography, provide a means of digitally authenticating devices and individual users. In public key cryptography, such as the RSA encryption system, each user has a key pair containing both a public and a private key. The keys act as complements, and anything encrypted with one of the keys can be decrypted with the other. In simple terms, a signature is formed when data is encrypted with the private key of a user.

Displaying IPsec Events

To display messages about IPsec events, use the debug crypto ipsec command in privileged EXEC mode. To disable debugging output, use the no form of this command. The following is sample output from the debug crypto ipsec command. In this example, SAs have been successfully established.
Source address or interface: 10.0.1.2
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Sending 5,...

DMVPN Example

[Figure: DMVPN example. Hub: physical address 172.17.0.1, Tunnel0 10.0.0.1. Spoke A: physical address 172.16.1.1, Tunnel0 10.0.0.11. Spoke B: physical address 172.16.2.1, Tunnel0 10.0.0.12.]
In the figure, the DMVPN example illustrates the following:
1. A PC (192.168.1.25) on the spoke A subnet wants to contact the web server (192.168.2.37) behind spoke B. It sends a packet toward the server.
2. The spoke A router consults its routing table for a...

DMVPN Example Cont

[Figure: DMVPN example, continued. Hub: physical address 172.17.0.1, Tunnel0 10.0.0.1. Spoke B: physical address 172.16.2.1, Tunnel0 10.0.0.12.]
5. Spoke A receives the NHRP response and enters it in its NHRP table. This triggers IPsec to create a tunnel directly to 172.16.2.1. (Spoke A uses its public address for the IPsec peer.)

DMVPN Topologies

In a DMVPN design, the following two topologies are recommended:
Dual hub-single DMVPN cloud
Dual hub-dual DMVPN cloud
In both topologies, two hubs are recommended for redundancy. High availability is provided through the use of a second hub router, which may be on the same DMVPN subnet as the primary router. This is commonly referred to as a single DMVPN cloud topology. The second hub router can also service its own DMVPN subnet, which is known as a dual DMVPN cloud...

DNS Configuration

Router(config)# hostname SSL
router(config)# ip domain name cisco.com
router(config)# ip name-server 10.0.1.13
router(config)# ip host home.cisco.com 10.0.1.12
Before configuring WebVPN, an administrator must configure DNS-related commands. The hostname and the domain name must be set, as well as any name servers that may be in use. The following commands are used to configure DNS parameters for use with WebVPN:
Step 1: Specify a hostname for the router.
router(config)# hostname name
Where name: New...

Dynamic Multipoint VPN

This topic describes the overall features, operation, and prerequisites for DMVPN.
Hub router configuration reduction
Automatic IPsec encryption initiation
Support for dynamically addressed spoke routers
Dynamic tunnel creation for spoke-to-spoke tunnels
The Cisco DMVPN feature allows users to better scale large and small IPsec virtual private networks (VPNs). The Cisco DMVPN feature combines mGRE tunnels, IPsec encryption, and NHRP...

Dynamic Multipoint VPNs

Local LAN addresses can be private.
Dynamic Spoke-to-Spoke IPsec Tunnels
Some companies may want to interconnect small sites together, while simultaneously connecting to a main site over the Internet. When small sites are interconnected, it is difficult to maintain the configurations for all of the connections. It is also difficult to create, add, and change a large full-mesh network...

Enable and Add Backup Servers

This section describes how to enable and add backup servers. The private network may include one or more backup VPN servers to use if the primary server is not available. Your system administrator tells you whether to enable backup servers. Information on backup servers can download automatically from the Cisco VPN concentrator, or you can manually enter this information. To enable backup servers from the Cisco VPN Client, complete the following steps: Step...

Encapsulating Security Payload

ESP is designed to provide a mix of security services in IPv4 and IPv6. ESP seeks to provide confidentiality and integrity by encrypting data to be protected and placing the encrypted data in the data portion of the IP ESP payload. ESP is defined in RFC 2406, IP Encapsulating Security Payload (ESP).
IP protocol 50
Note: Use of ESP will increase the IP protocol processing costs in participating systems and will also increase the...

Encrypting GRE Tunnel Traffic

To encrypt only traffic through the GRE tunnel, follow these additional instructions: When you set up your encryption ACL, the list should contain only one criteria statement. In this one statement, specify gre as the protocol, specify the tunnel source address as the source, and specify the tunnel destination address as the destination. Apply the crypto map to both the physical interface and to the tunnel interface. Note: Without GRE tunnels, you only had to apply the crypto map to the physical...

Encryption ACLs and GRE

When using IPsec with GRE, the access control list (ACL) for encrypting traffic does not define the traffic to be protected; instead, it should allow GRE between the source and destination of the GRE tunnel. Without a further ACL on the tunnel interface, this configuration will allow all packets forwarded to the GRE tunnel to be encrypted.
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# tunnel source 172.30.1.2...

Enrollment Process

The crypto pki enroll command requests certificates from the CA for all of the RSA key pairs of your router. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.) If you previously generated general purpose keys, this command obtains the one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command obtains...

Ensure ACLs Are Compatible with IPsec

R1# show ip access-lists
Extended IP access list 101
    10 permit ahp host 172.30.1.2 host 172.30.6.2
    20 permit esp host 172.30.1.2 host 172.30.6.2
    30 permit udp host 172.30.1.2 host 172.30.6.2 eq isakmp
    40 permit udp host 172.30.1.2 host 172.30.6.2 eq non500-isakmp
ACLs must be compatible with IPsec. The ACLs must allow the following protocols through:
Encapsulation Security Payload

Extended IP ACLs for Crypto ACLs

[Figure: Site 1 (network 10.0.1.0, host 10.0.1.12) behind R1 and Site 2 (network 10.0.6.0, host 10.0.6.12) behind R6]
R1(config)# ip access-list extended 103
R1(config-ext-nacl)# permit tcp 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255
Define which IP traffic will be protected by encryption (interesting traffic).
Permit = encrypt; deny = do not encrypt.
To create an ACL, use the following commands: Define an encryption ACL by number and specify conditions to determine which IP packets will be protected....

Fully Meshed VPNs

There are static public addresses between peers.
Local LAN addresses can be private or public.
The fully meshed site-to-site design refers to a mesh of IPsec tunnels connecting between remote sites. For any-to-any connectivity, a full mesh of tunnels is required to provide a path between all of the sites. Site-to-site VPNs are primarily deployed to connect branch office locations to the central site of an enterprise and to each other. This configuration requires the IPsec peers to utilize public...

Gathering the Information That You Need

To configure and use the Cisco VPN Client, you might need the information listed in this section. Ask for this information from the system administrator of the private network that you want to access. Your system administrator might have preconfigured much of this data; if so, your system administrator will tell you which items you need.
Hostname or IP address of the secure gateway to which you are connecting
Your IPsec group name (for pre-shared keys)
Your IPsec group password (for pre-shared...

Generating RSA Keys

The name for the keys will be: R1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*Jul 24 16:46:09.839: %SSH-5-ENABLED: SSH 1.99 has been enabled
This figure shows an example of RSA key generation. When you generate RSA...

Generic Routing Encapsulation

Generic Routing Encapsulation
Uses IP protocol 47 when encapsulated within IP
Allows passing of routing information between connected networks
GRE is a tunneling protocol designed for encapsulation of arbitrary kinds of network layer packets inside arbitrary kinds of network layer packets, as defined in RFCs 1701, 1702, and 2784. (See the References subtopic for the titles of these RFCs.) RFC 1702 deals with GRE over IP version 4 (IPv4)...

Global SA Lifetime Examples

[Figure: Site 1 (network 10.0.1.0, host 10.0.1.12) behind R1 and Site 2 (network 10.0.6.0, host 10.0.6.12) behind R6]
R1(config)# crypto ipsec security-association lifetime kilobytes 1382400
R1(config)# crypto ipsec security-association lifetime seconds 2700
When an SA expires, a new one is negotiated without interrupting the data flow.
This figure shows an example of a global SA lifetime. The SA (and corresponding keys) will expire according to whichever occurs sooner, either after...

GRE/IPsec

IPsec encapsulates unicast IP packet (GRE)
- Tunnel mode (default): IPsec creates a new tunnel IP packet.
- Transport mode: IPsec reuses the IP header of the GRE (20 B less overhead).
When GRE tunnel endpoints are located at the encrypting routers of the peer, you can configure encryption so that all traffic through the GRE tunnel is encrypted. Note: You cannot selectively encrypt GRE tunnel traffic...

Group Authentication

The network administrator usually configures group authentication for you. If this is not the case, complete the following procedure:
Step 1: Click the Group Authentication radio button.
Step 13: In the Name field, enter the name of the IPsec group to which you belong. This entry is case-sensitive.
Step 14: In the Password field, enter the password (which is also case-sensitive) for your IPsec group. The field displays only asterisks.
Step 15: Verify your password by entering it again in the Confirm...

Group Policy Configuration Commands

Router(config)# webvpn context SSLVPN
router(config-webvpn-context)# policy group SSL-policy
router(config-webvpn-group)# banner Login Successful
router(config-webvpn-group)# nbns-list NBNS-SERVERS
router(config-webvpn-group)# timeout idle 1800
router(config-webvpn-group)# timeout session 36000
router(config-webvpn-group)# url-list Internal
router(config-webvpn-group)# port-forward Portlist

How Cisco Easy VPN Works

This topic describes the operations of Cisco Easy VPN.
Cisco Easy VPN Remote Connection Process
Client requests remaining parameters
Cisco VPN Client initiates the IKE aggressive mode for preshared keys or main mode for PKI
Multiple ISAKMP proposals
ISAKMP SA is established
RRI route to client is injected into...

How IKE Works

Peers negotiate a secure, authenticated communications channel.
Security associations are negotiated on behalf of IPsec services.
Oakley and Skeme each define a method to establish an authenticated key exchange. This includes the construction of payloads, the information that payloads carry, the order in which payloads are...

How Many Crypto Maps Should You Create

R1(config)# crypto map SNRS-MAP 110 ipsec-isakmp
R1(config)# crypto map map-name 110 ipsec-manual
R1(config)# crypto map MYMAP 110 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer 172.30.6.2
R1(config-crypto-map)# set transform-set SNRS
R1(config-crypto-map)# set security-association lifetime seconds 36000

How These Lifetimes Work

The SA (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword). A new SA is negotiated before the lifetime threshold of the existing SA is reached, to ensure that a new SA is ready for use when the old one expires. The new SA is negotiated either 30 seconds before the seconds lifetime expires or when the...

Hub Configuration

Router(config)# interface Tunnel 0
router(config-if)# ip address 172.16.16.1 255.255.255.0
router(config-if)# no ip next-hop-self eigrp 1
router(config-if)# ip nhrp authentication cisco123
router(config-if)# ip nhrp map multicast dynamic
router(config-if)# ip nhrp network-id 99
router(config-if)# no ip split-horizon eigrp 1
router(config-if)# tunnel source FastEthernet 0/1
router(config-if)# tunnel key 999
router(config-if)# tunnel mode gre multipoint
router(config-if)# tunnel protection ipsec profile...

Hub Verification

After the spokes have been configured, you should see the SAs that have been negotiated between the hub and the spokes. To verify the operation at the hub router, perform the following commands and observe the output:
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
        Profile name: DMVPN
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets
Crypto Map "Tunnel0-head-0" 65537...

Hub-and-Spoke IPsec VPNs

This topic describes hub-and-spoke IPsec VPNs.
Static public address needed at the hub only.
Spoke addresses can be dynamically applied using DHCP.
In a hub-and-spoke network configuration, the spoke sites connect with IPsec tunnels to a hub site to establish connectivity to the network. The hub site consists of high-end tunnel aggregation routers servicing...

Identify IPsec Peers

An important part of determining the IPsec policy is to identify the IPsec peer that the Cisco router will communicate with. The peer must support IPsec as specified in the RFCs as supported by Cisco IOS Software. Many different types of peers are possible. Before configuration, identify all the potential peers and their VPN capabilities. Possible peers include, but are not limited to, the following:
Cisco ASA or Cisco PIX Firewall
IPsec products from other...

IKE and IPsec Configuration

Follow these steps to configure IKE and IPsec:
Step 1: Pre-configure your ISAKMP policies as you did when setting up a site-to-site IPsec VPN using pre-shared keys. The only exception is that you will configure a group wildcard for the spoke addresses in the next step.
Step 2: Configure ISAKMP to use a group (wildcard) pre-shared key.
hub_router1(config)# crypto isakmp key 0 key address 0.0.0.0
Step 3: Create an IPsec profile.