AAA Configuration External Authentication

Router(config)# aaa group server radius VPN-ACS
Router(config-sg-radius)# server 10.0.1.12
Router(config-sg-radius)# exit
Router(config)# aaa authentication login default group VPN-ACS

This section shows how to configure AAA using an external RADIUS server. AAA is configured in global configuration mode. The authentication method list is referenced in the WebVPN context configuration with the aaa authentication command. Note that a method list named default applies to every login on the router, including console and vty sessions, so a RADIUS-only default list with no local fallback can lock administrators out whenever 10.0.1.12 is unreachable; use a named list for WebVPN, or add local as a fallback method. The steps in this task configure AAA using a RADIUS server. Follow this...

Add the Group Profile to Be Defined

Figure: primary DNS and Microsoft WINS server 10.0.1.13; secondary DNS and Microsoft WINS server 10.0.1.14.

R1(config)# crypto isakmp client configuration group R6
R1(config-isakmp-group)# key VPNKEY
R1(config-isakmp-group)# dns 10.0.1.13 10.0.1.14
R1(config-isakmp-group)# wins 10.0.1.13 10.0.1.14
R1(config-isakmp-group)# domain cisco.com
R1(config-isakmp-group)# pool Remote-Pool
R1(config-isakmp-group)# save-password

2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0 4-31

The save-password attribute lets the Cisco VPN Client store the user's XAUTH password on the PC; omit it unless your policy explicitly allows cached credentials. The crypto isakmp client configuration group...

Allowed Transform Combinations

ESP Encryption Transform
- ESP with the 168-bit DES encryption algorithm (3DES or Triple DES): esp-3des
- ESP with the 160-bit SEAL encryption algorithm: esp-seal

ESP Authentication Transform (Select only one.)
- ESP with the MD5 (HMAC variant) authentication algorithm: esp-md5-hmac
- ESP with the SHA (HMAC variant) authentication algorithm: esp-sha-hmac

IP Compression Transform
- IP compression with the Lempel-Ziv-Stac (LZS) algorithm: comp-lzs

Of the two authentication transforms, esp-sha-hmac is the stronger choice.

Step 2 (Optional) Change the mode associated with the transform...

Application Access Port Forwarding Screen

Figure: the Application Access window (Microsoft Internet Explorer). Its text reads: Close this window when you finish using Application Access. Please wait for the table to be displayed before starting applications. If you shut down your computer without closing this window, you might later have problems running the applications listed below. Click here for details.

The Java-based application helper...

Apply Mode Configuration and XAUTH

Apply mode configuration to a dynamic crypto map using the following steps in global configuration mode:

Step 1 Configure the router to respond to mode configuration requests.
Step 2 Enable IKE queries for group policy lookup.
Step 3 Enforce XAUTH.
Step 4 Apply the dynamic crypto map to the crypto map.

Apply the Crypto Map to Router Outside Interface

R1(config)# interface ethernet0/1
R1(config-if)# crypto map ClientMap
R1(config-if)# end

This task applies the crypto map to the Cisco Easy VPN Server router outside interface. The figure above shows an example of how to apply the crypto map to the outside interface.

This section describes how to enable DPD.

crypto isakmp keepalive secs retries
R1(config)# crypto isakmp keepalive 20 10

The first value is the interval in seconds between dead peer detection keepalives; the second is the retry interval used once a keepalive goes unanswered. Use the...

Applying Crypto Maps to Interfaces

R1(config)# interface ethernet0/1
R1(config-if)# crypto map SNRS-MAP

Applying the crypto map to the outside interface activates the IPsec policy.

A crypto map set will need to be applied to each interface through which IPsec traffic will flow. Applying the crypto map set to an interface instructs the router to evaluate all of the interface traffic against the crypto map set and to use the specified policy during connection or SA negotiation on behalf of traffic to be...

Authentication

The Cisco Easy VPN Remote feature supports a two-stage process for authenticating the remote router to the central Cisco VPN concentrator. The first stage is group-level authentication and is part of the control channel creation. In this first stage, two types of authentication credentials can be used: either pre-shared keys or digital certificates. This discussion provides details about these options. The second authentication stage is called Extended Authentication (XAUTH). In this step, the...

Authentication Bypass

This figure is an example of a web-based activation in which the user chose to connect only to the Internet by clicking the Internet Only option. This option is most useful for household members who need to browse the Internet while the remote teleworker is not available to authenticate the VPN tunnel for corporate use. Note: If a user mistakenly closes the Web-Based Activation window, the window can be reopened by accessing the remote router (by...

Checking Connectivity Without IPsec Enabled

Basic connectivity between peers must be checked before you begin configuring IPsec. The router ping command can be used to test basic connectivity between IPsec peers. Although a successful Internet Control Message Protocol (ICMP) echo (ping) will verify basic connectivity between peers, you should ensure that the network works with any other protocols or ports that you want to encrypt, such as Telnet, FTP, or SQL*NET, before beginning IPsec configuration. After IPsec is activated, basic...

Checking for Existing IPsec Configurations

You should check the current Cisco router configuration to see if there are any IPsec policies already configured that are useful for, or may interfere with, the IPsec policies that you plan to configure. Previously configured IKE and IPsec policies and details can and should be used, if possible, to save configuration time. However, previously configured IKE and IPsec policies and details can make troubleshooting more difficult if problems arise. You can see whether any IPsec policies have...

Cisco Easy VPN

Figure: Cisco Unity is the common VPN language between Cisco devices.

When deploying VPNs for teleworkers and small branch offices, ease of deployment is increasingly important. Cisco Easy VPN makes it easier than ever to deploy VPNs as part of small and medium businesses or large enterprise networks with Cisco products. Cisco Easy VPN Remote and Cisco Easy VPN Server offer flexibility, scalability, and ease of use for...

Cisco Easy VPN Server

Cisco Easy VPN Server enables Cisco IOS routers, Cisco ASA and Cisco PIX Firewalls, and Cisco VPN 3000 Series Concentrators to act as VPN headend devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature. Using this feature, security policies defined at the headend are pushed to the remote VPN device, ensuring that those connections have up-to-date policies in place before the connection is established. In addition, a Cisco Easy...

Cisco IOS SSL VPN Client: Full Network Access

- Leverages the depth of Cisco encryption client experience to deliver a lightweight, stable, and easy-to-support SSL VPN tunneling client
- IPsec-like application access through a web-pushed client
- Application-agnostic full network access
- No-touch central-site configuration
- Compatible with Cisco softphone for VoIP support
- Multimedia, data, and voice desktops for greatest user productivity
- Client may be either removed at end of session or left permanently installed
- No trace of client after session provides...

Cisco IOS WebVPN

Figure: clientless and full network SSL VPN access.

SSL-based VPN, or WebVPN, is an emerging technology that provides remote-access connectivity from almost any Internet-enabled location using a web browser and its native SSL encryption. SSL VPN provides the flexibility to support secure access for all users, regardless of the endpoint host from which they are establishing the connection. If application access requirements are modest, SSL VPN does not...

Clientless Mode Access

Figure: clientless mode on Microsoft Windows 2000 or XP.

In clientless mode, the remote user accesses the internal or corporate network using a web browser on the client machine. The PC of the remote user must run the Windows 2000, Windows XP, or Linux operating systems.

Configure Client Authentication Properties

Figure: VPN Client Properties dialog for 10.86.194.173 (Description: Documentation Concentrator) showing the Authentication, Transport, Backup Servers, and Dial-Up tabs, with Group Authentication, Mutual Group Authentication, and Confirm Password fields.

Under the Authentication tab, enter the information for the method that you want to use. You can connect as part of a group (configured on a VPN device) or by supplying an identity digital certificate.

Configure Connection to the Internet Through Dialup Networking

This section describes how to configure the client to use a dial-up connection. To connect to a private network using a dial-up connection, complete these steps:

Step 1 Use a dial-up connection to your ISP to connect to the Internet.
Step 2 Use the Cisco VPN Client to connect to the private network through the Internet.

To enable and configure this feature, check the Connect to the Internet via Dial-Up check box. This box is not...

Configure ISAKMP Identity

R1(config)# crypto isakmp identity address

You should set the ISAKMP identity for each peer that uses pre-shared keys in an IKE policy. When two peers use IKE to establish IPsec SAs, each peer sends its identity to the remote peer. Each peer sends either its hostname or its IP address, depending on how you have set the ISAKMP identity of the router. By default, the ISAKMP identity of a peer is the IP address of the peer. If appropriate, you could change the identity to be the peer hostname...

Configure Transparent Tunneling

This section describes how to enable transparent tunneling.

Figure: Transport tab for connection entry testSystem (host 10.10.32.32): Enable Transparent Tunneling, with the choice of IPsec over UDP (NAT/PAT) or IPsec over TCP (TCP port 10000); Allow Local LAN Access; Peer response timeout (seconds) 90.

Next, configure transparent tunneling by completing the fields on the Transport tab.

Configuring ISAKMP

This topic describes how to configure ISAKMP using pre-shared keys. IKE automatically negotiates IPsec SAs and enables IPsec secure communications without costly manual reconfigurations. IKE provides authentication of the IPsec peers, negotiates IPsec keys, and negotiates IPsec SAs. Multiple IKE policies can be defined between two IPsec peers...

Configuring Microsoft File Shares for Clientless Remote Access

In clientless remote-access mode, files and directories created on Microsoft Windows servers can be accessed by the remote client through the HTTPS-enabled browser. When enabled, a list of file server and directory links is displayed on the portal page after login. The administrator can customize permissions on the WebVPN gateway to provide limited read-only access for a single file or full write access and network browsing capabilities. CIFS is the protocol that provides access to Microsoft...

Configuring Thin Client Mode TCP Port Forwarding

The port-forward command is used to create the port-forwarding list. Application port number mapping (port forwarding) is configured with the local-port command in SSL VPN port-forward configuration mode. A port-forwarding list is configured for thin-client mode WebVPN. Port forwarding extends the cryptographic functions of the SSL-protected browser to provide remote access to TCP-based applications that use well-known port numbers, such as POP3, SMTP, IMAP,... (The Java port-forwarding helper relays TCP connections only; UDP-based applications need the full network access tunneling client.)

Create a DHCP Server Pool

R6(config)# ip dhcp pool Local-Pool
R6(dhcp-config)# network 10.0.6.0 255.255.255.0
R6(dhcp-config)# default-router 10.0.6.2
R6(dhcp-config)# exit
R6(config)# ip dhcp excluded-address 10.0.6.2

If you want to use the local router DHCP server to assign IP addresses to the hosts that are connected to the LAN...

Create a New Client Connection Entry

Figure: the VPN Client main window (Connection Entries, Certificates, and Log tabs; Connect, New, Import, and Modify buttons) listing connection entries for hosts 63.67.72.134, 10.10.99.30, and 10.10.32.32.

To use the Cisco VPN Client, you must create at least one connection entry, which identifies the following information: the VPN device (the remote server) to access; pre-shared keys, that is, the IPsec group to which the system administrator assigned you (your group...

Create a New Client Connection Entry (Cont.)

Figure: VPN Client Properties dialog for 10.86.194.173 (Connection Entry and Description fields; Authentication, Transport, Backup Servers, and Dial-Up tabs; Group Authentication, Mutual Group Authentication, and Confirm Password fields).

Step 10 Enter a unique name for this new connection. You can use any name to identify this connection, for example, Engineering. This name can contain spaces, and it is not case-sensitive.
Step 11...

Create ISAKMP Policies with the crypto isakmp Command

R1(config)# crypto isakmp policy 110
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 36000

To define an IKE policy, follow these steps:

Step 1 Identify the policy to create and enter the ISAKMP configuration command mode. (Each policy is uniquely identified by the priority number that you assign.) router(config)# crypto isakmp...

Create ISAKMP Policy for Remote VPN Client Access

Figure: Authentication: pre-shared keys; Encryption: 3DES; Diffie-Hellman: group 2; other settings: default.

R1(config)# crypto isakmp enable
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# end

Complete this task to configure the ISAKMP policy for all Cisco Easy VPN Remote clients attaching to this router. Use the standard ISAKMP configuration commands to...

Create Transform Sets

R1(config)# crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac

This task creates a transform set for the Cisco Easy VPN Remote clients to use when they attempt to build an IPsec tunnel to this router. Use the standard method for creating a transform set, as shown in this figure. Here is an example of how to create a transform set for Cisco Easy VPN Remote client access:

R1(config)# crypto ipsec transform-set transform-set-name transform1...

Creating a New Connection Entry

Use the following procedure to create a new connection entry. Step 1 Start the Cisco VPN Client by choosing Start > Programs > Cisco Systems VPN Client > VPN Client. Step 8 The Cisco VPN Client application starts and displays the advanced mode main window. If you are not already there, choose the Options menu in simple mode and choose Advanced Mode or press Ctrl-M. Step 9 Choose New from the toolbar or the Connection Entries menu. The VPN Client displays a form.

Creating Crypto ACLs

Create an extended ACL to define what traffic will be protected. It must be a mirror image of the peer's crypto ACL.

As with the previous configuration, configuring crypto ACLs for digital signatures is the same as with pre-shared keys. Complete these steps to configure your crypto ACL:

Step 1 Create the named extended ACL. router(config)# ip access-list extended <name>
Step 2 Define which traffic is to be protected. router(config-ext-nacl)# permit protocol source...

Crypto Map Parameters

You can apply only one crypto map set to a single interface. The crypto map set can include a combination of IPsec using IKE, and IPsec with manually configured SA entries. Multiple interfaces can share the same crypto map set if you want to apply the same policy to multiple interfaces. If you create more than one crypto map entry for a given interface, use the sequence number (seq-num) of each map entry to rank the map entries: the lower the sequence number,...

Debug CA Commands

Figure: hosts 10.0.1.12 and 10.0.6.12 at either end of the VPN.

Some commands are available to troubleshoot CA interoperability. You can use the debug crypto pki messages and the debug crypto pki transactions commands to assist you in finding any issues related to CA operations.

Declaring a CA

R1(config)# crypto pki trustpoint vpnca
R1(ca-trustpoint)# enrollment url http://vpnca:80

The example shown in the figure declares a CA and identifies characteristics of the CA. In this example, the name vpnca is created for the CA, which is located at http://vpnca on port 80. This is the minimum possible configuration required to declare a CA. Follow these steps to declare a CA server:

Step 1 Declare which CA your router will use. Issuing the crypto pki trustpoint...
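The following is an added example, not the course's own listing, that carries the two-line declaration above through to a usable certificate: key generation, CA authentication, enrollment, switching IKE to RSA signatures, and the commands for checking the result. The trustpoint name vpnca, its URL, and the domain cisco.com come from this page; the key label VPN-KEYS, the subject name, and the 2048-bit modulus are assumptions.

```cisco
! Added example: declare the CA named vpnca and enroll R1 with it.
! Assumed values: key label VPN-KEYS, subject name CN=R1.cisco.com, 2048-bit RSA modulus.
R1(config)# hostname R1
R1(config)# ip domain-name cisco.com
! A key pair dedicated to the trustpoint, so it can be rotated without touching SSH keys.
R1(config)# crypto key generate rsa general-keys label VPN-KEYS modulus 2048
!
! Step 1: declare the CA (the two lines from the figure, plus identity and revocation settings).
R1(config)# crypto pki trustpoint vpnca
R1(ca-trustpoint)# enrollment url http://vpnca:80
R1(ca-trustpoint)# subject-name CN=R1.cisco.com,OU=VPN
R1(ca-trustpoint)# rsakeypair VPN-KEYS
! Check CRLs: "revocation-check none" would keep accepting a revoked peer certificate.
R1(ca-trustpoint)# revocation-check crl
R1(ca-trustpoint)# exit
!
! Step 2: fetch the CA certificate. IOS prints its fingerprint and asks for confirmation;
! compare it with a fingerprint obtained from the CA administrator out of band before answering yes.
R1(config)# crypto pki authenticate vpnca
!
! Step 3: request the router certificate (SCEP enrollment; IOS prompts for the challenge password).
R1(config)# crypto pki enroll vpnca
!
! Use the certificate for IKE authentication instead of a pre-shared key.
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication rsa-sig
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# end
!
! Verification and troubleshooting (exec mode).
R1# show crypto pki trustpoints
R1# show crypto pki certificates
R1# debug crypto pki messages
R1# debug crypto pki transactions
```

The fingerprint check at the authenticate step is the one place where a man-in-the-middle between the router and the CA could substitute a rogue CA certificate, so it should not be skipped in a lab just because the prompt is easy to answer.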

Default GRE Characteristics

- Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE
- Stateless (no flow-control mechanisms)
- No security (no confidentiality, data authentication, or integrity assurance)
- 24-byte overhead by default (20-byte IP header and 4-byte GRE header)

GRE encapsulation uses a protocol type field in the GRE header to support the encapsulation of any Open Systems Interconnection (OSI) Layer 3 protocol. GRE itself is completely stateless: it does...

Define Group Policy for Mode Configuration Push

This section describes the steps involved in defining the policy attributes that are pushed to the client via mode configuration.

Step 1 Add the group profile to be defined.
Step 2 Configure the ISAKMP pre-shared key.
Step 4 Specify the Microsoft WINS servers.
Step 6 Specify the local IP address pool.

Complete this task to define a group policy to be pushed during mode configuration. Although users can belong to only one group per connection, they...
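Because this page's Cisco Easy VPN Server tasks are spread over several sections (Create ISAKMP Policy for Remote VPN Client Access, Add the Group Profile to Be Defined, Create Transform Sets, Apply Mode Configuration and XAUTH, Apply the Crypto Map to Router Outside Interface, and the DPD note), here is one complete server configuration as an added example; it is not the course's own listing. Group R6, key VPNKEY, the DNS and WINS servers, domain cisco.com, pool Remote-Pool, transform set VPNTRANSFORM, crypto map ClientMap, and interface ethernet0/1 come from the page; the AAA list names VPN-USERS and VPN-GROUPS, the dynamic map name DYNMAP, the pool range, and the user account are assumptions.

```cisco
! Added example: complete Cisco Easy VPN Server configuration on R1.
! Assumed names: VPN-USERS, VPN-GROUPS, DYNMAP, pool range 10.0.1.200-250, user remote1.
R1(config)# aaa new-model
! XAUTH users and group (mode-config) attributes are looked up locally here; a RADIUS
! server group such as VPN-ACS could replace "local" in both lists.
R1(config)# aaa authentication login VPN-USERS local
R1(config)# aaa authorization network VPN-GROUPS local
R1(config)# username remote1 secret Xauth-Pass-1
!
! Phase 1 policy for the Cisco VPN Client: pre-shared key, 3DES, DH group 2.
R1(config)# crypto isakmp enable
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# exit
! DPD: a keepalive every 20 s, retried every 10 s once a reply is missed.
R1(config)# crypto isakmp keepalive 20 10
!
! Group profile pushed by mode configuration. The group key doubles as the aggressive-mode
! pre-shared key, so it should be long and random; save-password is deliberately left out
! so that the client cannot cache the XAUTH password.
R1(config)# crypto isakmp client configuration group R6
R1(config-isakmp-group)# key VPNKEY
R1(config-isakmp-group)# dns 10.0.1.13 10.0.1.14
R1(config-isakmp-group)# wins 10.0.1.13 10.0.1.14
R1(config-isakmp-group)# domain cisco.com
R1(config-isakmp-group)# pool Remote-Pool
R1(config-isakmp-group)# exit
R1(config)# ip local pool Remote-Pool 10.0.1.200 10.0.1.250
!
R1(config)# crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
! Dynamic map: peer address and proxy identities are learned from each client;
! reverse-route injects a host route per connected client so return traffic finds the tunnel.
R1(config)# crypto dynamic-map DYNMAP 10
R1(config-crypto-map)# set transform-set VPNTRANSFORM
R1(config-crypto-map)# reverse-route
R1(config-crypto-map)# exit
!
! Step 1: respond to mode-configuration requests.
R1(config)# crypto map ClientMap client configuration address respond
! Step 2: look up the group policy through the VPN-GROUPS authorization list.
R1(config)# crypto map ClientMap isakmp authorization list VPN-GROUPS
! Step 3: enforce XAUTH against the VPN-USERS authentication list.
R1(config)# crypto map ClientMap client authentication list VPN-USERS
! Step 4: attach the dynamic map to the crypto map.
R1(config)# crypto map ClientMap 10 ipsec-isakmp dynamic DYNMAP
!
R1(config)# interface ethernet0/1
R1(config-if)# crypto map ClientMap
R1(config-if)# end
!
! After a client connects: one ISAKMP SA, one IPsec SA pair, and one /32 route per client.
R1# show crypto isakmp sa
R1# show crypto ipsec sa
R1# show ip route
```

If the router also terminates site-to-site tunnels on ethernet0/1, the static crypto map entries and the dynamic entry must live in the same crypto map set, with the dynamic entry given the highest sequence number so that static peers are matched first.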

Define IKE Policy Parameters

You can select specific values for each IKE parameter per the IKE standard. You choose one value over another based on the security level that you desire and the type of IPsec peer to which you will connect. There are five parameters to define in each IKE policy, as outlined in the figure and in the table. The figure shows the relative strength of each parameter; the table shows the default values.

DMVPN Example

Figure: hub with physical address 172.17.0.1 and Tunnel0 10.0.0.1; spoke A with physical address 172.16.1.1 and Tunnel0 10.0.0.11; spoke B with physical address 172.16.2.1 and Tunnel0 10.0.0.12.

In the figure, the DMVPN example illustrates the following:

1. A PC (192.168.1.25) on the spoke A subnet wants to contact the web server (192.168.2.37) behind spoke B. It sends a packet toward the server.
2. The spoke A router consults its routing table for a...

DMVPN Example (Cont.)

5. Spoke A receives the NHRP response and enters it in its NHRP table. This triggers IPsec to create a tunnel directly to 172.16.2.1 (spoke A uses spoke B's public address as the IPsec peer).

Dynamic Multipoint VPNs

Figure: dynamic spoke-to-spoke IPsec tunnels; local LAN addresses can be private.

Some companies may want to interconnect small sites together, while simultaneously connecting to a main site over the Internet. When small sites are interconnected, it is difficult to maintain the configurations for all of the connections. It is also difficult to create, add, and change a large full-mesh network...

Enable and Add Backup Servers

This section describes how to enable and add backup servers. The private network may include one or more backup VPN servers to use if the primary server is not available. Your system administrator tells you whether to enable backup servers. Information on backup servers can download automatically from the Cisco VPN concentrator, or you can manually enter this information. To enable backup servers from the Cisco VPN Client, complete the following steps: Step...

Encapsulating Security Payload

ESP is designed to provide a mix of security services in IPv4 and IPv6. ESP seeks to provide confidentiality and integrity by encrypting data to be protected and placing the encrypted data in the data portion of the IP ESP payload. ESP is defined in RFC 2406, IP Encapsulating Security Payload (ESP) (since updated by RFC 4303), and is carried as IP protocol 50.

Note: Use of ESP will increase the IP protocol processing costs in participating systems and will also increase the...

Encrypting GRE Tunnel Traffic

To encrypt only traffic through the GRE tunnel, follow these additional instructions. When you set up your encryption ACL, the list should contain only one criterion statement. In this one statement, specify gre as the protocol, specify the tunnel source address as the source, and specify the tunnel destination address as the destination. Apply the crypto map to both the physical interface and to the tunnel interface. Note: Without GRE tunnels, you only had to apply the crypto map to the physical...

Encryption ACLs and GRE

When using IPsec with GRE, the access control list (ACL) for encrypting traffic does not define the traffic to be protected; instead, it should allow GRE between the source and destination of the GRE tunnel. Without a further ACL on the tunnel interface, this configuration will allow all packets forwarded to the GRE tunnel to get encrypted.

R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# tunnel source 172.30.1.2...
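The following added example (not from the course) shows the Encrypting GRE Tunnel Traffic instructions above carried out on both ends of a GRE tunnel between R1 and R6: a single-line GRE crypto ACL, the crypto map applied to both the physical and the tunnel interface, and a static route that steers the remote LAN into the tunnel. Tunnel0 172.16.1.1/24, tunnel source 172.30.1.2, peer 172.30.6.2, LANs 10.0.1.0/24 and 10.0.6.0/24, and interface Ethernet0/1 come from this page; the ACL number 120, the names GRE-MAP and GRE-TS, the key value, and R6's tunnel address 172.16.1.6 are assumptions.

```cisco
! Added example: encrypt only the GRE traffic between R1 (172.30.1.2) and R6 (172.30.6.2).
! Assumed: ACL 120, crypto map GRE-MAP, transform set GRE-TS, key GreKey2007, R6 Tunnel0 172.16.1.6.
! --- R1 ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key GreKey2007 address 172.30.6.2
!
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
!
! Exactly one statement: protocol gre, tunnel source as source, tunnel destination as destination.
! Everything routed into Tunnel0 is GRE-encapsulated first and therefore matches this line.
access-list 120 permit gre host 172.30.1.2 host 172.30.6.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 172.30.6.2
 set transform-set GRE-TS
 match address 120
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source 172.30.1.2
 tunnel destination 172.30.6.2
 crypto map GRE-MAP
!
interface Ethernet0/1
 ip address 172.30.1.2 255.255.255.0
 crypto map GRE-MAP
!
! Routing, not the crypto ACL, selects which traffic is protected: anything sent to 10.0.6.0/24
! enters Tunnel0 and is encrypted; anything else leaves Ethernet0/1 in the clear.
ip route 10.0.6.0 255.255.255.0 Tunnel0
!
! --- R6 (mirror image; same ISAKMP policy and transform set as R1) ---
crypto isakmp key GreKey2007 address 172.30.1.2
access-list 120 permit gre host 172.30.6.2 host 172.30.1.2
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 172.30.1.2
 set transform-set GRE-TS
 match address 120
interface Tunnel0
 ip address 172.16.1.6 255.255.255.0
 tunnel source 172.30.6.2
 tunnel destination 172.30.1.2
 crypto map GRE-MAP
interface Ethernet0/1
 ip address 172.30.6.2 255.255.255.0
 crypto map GRE-MAP
ip route 10.0.1.0 255.255.255.0 Tunnel0
!
! Verification: the SA's local/remote identities should be the two host addresses, protocol 47.
R1# show crypto ipsec sa
R1# show interfaces Tunnel0
```

On IOS releases that support tunnel protection (the DMVPN hub configuration on this page uses it), `tunnel protection ipsec profile` on Tunnel0 replaces the crypto ACL and both crypto map statements with one line, and is the simpler form for new point-to-point GRE over IPsec tunnels.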

Ensure ACLs Are Compatible with IPsec

R1# show ip access-lists
Extended IP access list 101
    10 permit ahp host 172.30.1.2 host 172.30.6.2
    20 permit esp host 172.30.1.2 host 172.30.6.2
    30 permit udp host 172.30.1.2 host 172.30.6.2 eq isakmp
    40 permit udp host 172.30.1.2 host 172.30.6.2 eq non500-isakmp

ACLs must be compatible with IPsec. As the listing shows, the ACLs must allow the following protocols through: Encapsulating Security Payload (ESP, IP protocol 50), Authentication Header (AH, IP protocol 51), ISAKMP (UDP port 500), and NAT-traversal ISAKMP (UDP port 4500, non500-isakmp).

Extended IP ACLs for Crypto ACLs

Figure: Site 1 (10.0.1.0/24, host 10.0.1.12) behind R1 and Site 2 (10.0.6.0/24, host 10.0.6.12) behind R6.

R1(config)# ip access-list extended 103
R1(config-ext-nacl)# permit tcp 10.0.1.0 0.0.0.255 10.0.6.0 0.0.0.255

Define which IP traffic will be protected by encryption (interesting traffic): permit means encrypt, deny means do not encrypt.

To create an ACL, use the following commands: Define an encryption ACL by number and specify conditions to determine which IP packets will be protected....

Fully Meshed VPNs

Figure: fully meshed VPN; there are static public addresses between peers, and local LAN addresses can be private or public.

The fully meshed site-to-site design refers to a mesh of IPsec tunnels connecting between remote sites. For any-to-any connectivity, a full mesh of tunnels is required to provide a path between all of the sites. Site-to-site VPNs are primarily deployed to connect branch office locations to the central site of an enterprise and to each other. This configuration requires the IPsec peers to utilize public...

Group Policy Configuration Commands

Router(config)# webvpn context SSLVPN
Router(config-webvpn-context)# policy group SSL-policy
Router(config-webvpn-group)# banner "Login Successful"
Router(config-webvpn-group)# nbns-list NBNS-SERVERS
Router(config-webvpn-group)# timeout idle 1800
Router(config-webvpn-group)# timeout session 36000
Router(config-webvpn-group)# url-list Internal
Router(config-webvpn-group)# port-forward Portlist
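The group policy above references lists (NBNS-SERVERS, Internal, Portlist) and an authentication method that are defined elsewhere. The following added example, not the course's own listing, assembles the whole WebVPN context: the RADIUS AAA from the AAA Configuration section, the gateway, the NBNS, URL and port-forward lists from the Microsoft File Shares and Thin Client Mode sections, and this policy group. Server 10.0.1.12, group VPN-ACS, context SSLVPN, policy group SSL-policy, the list names, the banner, the timeouts, and WINS server 10.0.1.13 come from the page; the gateway name and address, the method list name WEBVPN-AUTH, the RADIUS key, the trustpoint, the host names, and the local port numbers are assumptions.

```cisco
! Added example: Cisco IOS WebVPN with RADIUS authentication, CIFS file access, a URL list
! and thin-client port forwarding. Assumed: gateway SSL-GW on 172.30.1.2, list WEBVPN-AUTH,
! RADIUS key R4d1us-Key, trustpoint vpnca, intranet/mail host names, local ports 3025 and 3110.
Router(config)# aaa new-model
Router(config)# aaa group server radius VPN-ACS
Router(config-sg-radius)# server 10.0.1.12
Router(config-sg-radius)# exit
Router(config)# radius-server host 10.0.1.12 key R4d1us-Key
! A named list rather than "default": console and vty logins keep their own method list and
! cannot be locked out of the router when 10.0.1.12 is unreachable.
Router(config)# aaa authentication login WEBVPN-AUTH group VPN-ACS
!
Router(config)# webvpn gateway SSL-GW
Router(config-webvpn-gateway)# ip address 172.30.1.2 port 443
! Certificate from an already-declared trustpoint; without this IOS uses a self-signed one.
Router(config-webvpn-gateway)# ssl trustpoint vpnca
Router(config-webvpn-gateway)# inservice
Router(config-webvpn-gateway)# exit
!
Router(config)# webvpn context SSLVPN
Router(config-webvpn-context)# gateway SSL-GW
Router(config-webvpn-context)# aaa authentication list WEBVPN-AUTH
! NetBIOS name resolution so that CIFS file shares can be browsed from the portal.
Router(config-webvpn-context)# nbns-list NBNS-SERVERS
Router(config-webvpn-nbnslist)# nbns-server 10.0.1.13 master
Router(config-webvpn-nbnslist)# exit
Router(config-webvpn-context)# url-list Internal
Router(config-webvpn-url)# heading "Internal servers"
Router(config-webvpn-url)# url-text "Intranet" url-value "http://intranet.cisco.com"
Router(config-webvpn-url)# exit
! Thin-client port forwarding: the Java helper listens on loopback ports on the PC and relays
! each TCP connection over SSL to the named internal server and port.
Router(config-webvpn-context)# port-forward Portlist
Router(config-webvpn-port-fwd)# local-port 3025 remote-server mail.cisco.com remote-port 25 description "SMTP"
Router(config-webvpn-port-fwd)# local-port 3110 remote-server mail.cisco.com remote-port 110 description "POP3"
Router(config-webvpn-port-fwd)# exit
!
Router(config-webvpn-context)# policy group SSL-policy
Router(config-webvpn-group)# banner "Login Successful"
Router(config-webvpn-group)# nbns-list NBNS-SERVERS
! file-access and file-browse give read and browse rights; file-entry would add write access.
Router(config-webvpn-group)# functions file-access
Router(config-webvpn-group)# functions file-browse
Router(config-webvpn-group)# url-list Internal
Router(config-webvpn-group)# port-forward Portlist
Router(config-webvpn-group)# timeout idle 1800
Router(config-webvpn-group)# timeout session 36000
Router(config-webvpn-group)# exit
Router(config-webvpn-context)# default-group-policy SSL-policy
Router(config-webvpn-context)# inservice
Router(config-webvpn-context)# end
!
Router# show webvpn context SSLVPN
Router# show webvpn session context SSLVPN
```

The port-forward entries are the part to review most carefully: every line in Portlist is a TCP service that an authenticated user can reach from an unmanaged PC, so the list should name only the servers the policy group is meant to expose.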

How Cisco Easy VPN Works

This topic describes the operations of Cisco Easy VPN.

Figure: Cisco Easy VPN Remote connection process. The Cisco VPN Client initiates IKE aggressive mode for pre-shared keys or main mode for PKI, offering multiple ISAKMP proposals; the ISAKMP SA is established; the client requests the remaining parameters (mode configuration); an RRI route to the client is injected into...

Because aggressive mode exchanges the identities and the pre-shared-key-derived hash before the channel is encrypted, anyone who captures the exchange can run an offline dictionary attack against the group key; use a long random group key, or certificates with main mode.

How IKE Works

Figure: peers negotiate a secure, authenticated communications channel; security associations are negotiated on behalf of IPsec services.

Oakley and Skeme each define a method to establish an authenticated key exchange. This includes the construction of payloads, the information that payloads carry, the order in which payloads are...

How Many Crypto Maps Should You Create

R1(config)# crypto map map-name seq-num ipsec-isakmp
R1(config)# crypto map map-name seq-num ipsec-manual

Example:
R1(config)# crypto map MYMAP 110 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer 172.30.6.2
R1(config-crypto-map)# set transform-set SNRS
R1(config-crypto-map)# set security-association lifetime seconds 36000

How These Lifetimes Work

The SA (and corresponding keys) will expire according to whichever occurs sooner, either after the number of seconds has passed (specified by the seconds keyword) or after the amount of traffic in kilobytes has passed (specified by the kilobytes keyword). A new SA is negotiated before the lifetime threshold of the existing SA is reached, to ensure that a new SA is ready for use when the old one expires. The new SA is negotiated either 30 seconds before the seconds lifetime expires or when the...

Hub Configuration (Cont.)

Router(config)# interface Tunnel0
Router(config-if)# ip address 172.16.16.1 255.255.255.0
Router(config-if)# no ip next-hop-self eigrp 1
Router(config-if)# ip nhrp authentication cisco123
Router(config-if)# ip nhrp map multicast dynamic
Router(config-if)# ip nhrp network-id 99
Router(config-if)# no ip split-horizon eigrp 1
Router(config-if)# tunnel source FastEthernet0/1
Router(config-if)# tunnel key 999
Router(config-if)# tunnel mode gre multipoint
Router(config-if)# tunnel protection ipsec profile...

Hub-and-Spoke IPsec VPNs

This topic describes hub-and-spoke IPsec VPNs.

Figure: a static public address is needed at the hub only; spoke addresses can be assigned dynamically using DHCP.

In a hub-and-spoke network configuration, the spoke sites connect with IPsec tunnels to a hub site to establish connectivity to the network. The hub site consists of high-end tunnel aggregation routers servicing...

Identify IPsec Peers

An important part of determining the IPsec policy is to identify the IPsec peer that the Cisco router will communicate with. The peer must support IPsec as specified in the RFCs as supported by Cisco IOS Software. Many different types of peers are possible. Before configuration, identify all the potential peers and their VPN capabilities. Possible peers include, but are not limited to, the following: Cisco ASA or Cisco PIX Firewall; IPsec products from other...

IKE and IPsec Configuration

Follow these steps to configure IKE and IPsec:

Step 1 Pre-configure your ISAKMP policies as you did when setting up a site-to-site IPsec VPN using pre-shared keys. The only exception is that you will configure a group wildcard for the spoke addresses in the next step.

Step 2 Configure ISAKMP to use a group (wildcard) pre-shared key.
hub_router1(config)# crypto isakmp key 0 key address 0.0.0.0

A wildcard key is shared by every spoke, and any host that obtains it can authenticate to the hub as a spoke; choose a long random value, and prefer certificate authentication as the number of spokes grows.

Step 3 Create an IPsec profile.
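The following added example (not the course's own listing) puts the three steps above together with the Hub Configuration (Cont.) section and adds the matching spoke, so that the spoke-to-spoke behaviour in the DMVPN Example can be reproduced. Tunnel subnet 172.16.16.0/24, NHRP authentication string cisco123, network-id 99, tunnel key 999, EIGRP AS 1, and the FastEthernet0/1 source come from the hub configuration on this page; hub public address 172.17.0.1, spoke A public address 172.16.1.1, and LAN 192.168.1.0/24 come from the DMVPN example figure (which uses a different tunnel subnet). The policy number, the key value, the names DMVPN-TS and DMVPN-PROF, the hub LAN 10.0.1.0/24, and the ip mtu value are assumptions.

```cisco
! Added example: DMVPN hub plus one spoke. Assumed: key value, DMVPN-TS, DMVPN-PROF,
! hub LAN 10.0.1.0/24, ip mtu 1400 (room for the GRE and ESP headers).
! --- common to the hub and every spoke ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! Wildcard key: every spoke, and anyone who learns the key, can authenticate, so make it
! long and random; certificates scale better once there are many spokes.
crypto isakmp key 0 Dmvpn-Sh4red-Key-2007 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! --- hub (static public address 172.17.0.1 on FastEthernet0/1) ---
interface Tunnel0
 ip address 172.16.16.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 172.16.16.0 0.0.0.255
 network 10.0.1.0 0.0.0.255
 no auto-summary
!
! --- spoke A (public 172.16.1.1; may be DHCP-assigned, since the spoke only needs the hub's address) ---
interface Tunnel0
 ip address 172.16.16.11 255.255.255.0
 ip mtu 1400
 ip nhrp authentication cisco123
 ip nhrp map 172.16.16.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 99
 ip nhrp nhs 172.16.16.1
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 172.16.16.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
! Hub, after spoke A registers: a static-style NHRP entry for 172.16.16.11 and one IPsec SA.
hub# show ip nhrp
hub# show crypto ipsec sa
! Spoke A, after the PC sends traffic to a host behind spoke B: a dynamic NHRP entry for
! spoke B's tunnel address and a second ISAKMP SA directly with spoke B's public address.
spokeA# show ip nhrp
spokeA# show crypto isakmp sa
```

The two settings that make spoke-to-spoke tunnels possible are on the hub: `no ip split-horizon eigrp 1` lets the hub re-advertise one spoke's routes to the others, and `no ip next-hop-self eigrp 1` keeps the originating spoke's tunnel address as the next hop, which is what triggers the spoke's NHRP resolution request in step 2 of the DMVPN example.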

IKE Phase 1 Policy Parameters

Figure: IKE Phase 1 policy parameters, including the authentication methods RSA encryption (nonces) and RSA signature.

An IKE policy defines a combination of security parameters used during the IKE negotiation. A group of policies makes up a protection suite of multiple policies that enable IPsec peers to establish IKE sessions and establish SAs with a minimal configuration. The figure shows an example of possible combinations of IKE parameters into either a strong or stronger policy suite.

Install Cisco VPN Client

You can install the Cisco VPN Client on your system through either of two applications: InstallShield and Microsoft Windows Installer. Both applications use installation wizards to walk you through the installation. Installing the Cisco VPN Client through InstallShield includes an uninstall icon in the program group; Windows Installer does not. In the latter case, to manually remove Cisco VPN Client applications, you can use the Microsoft Add/Remove...

Install Cisco VPN Client (Cont.)

If you have not removed a previously installed Cisco VPN Client, when you execute the vpnclient_en.exe command or vpnclient_en.msi command, an error message displays. You must uninstall the previously installed Cisco VPN Client before proceeding with the new installation. To remove a Cisco VPN Client installed with Microsoft Windows Installer, use the Microsoft Windows Add/Remove Programs control panel. To remove a Cisco VPN Client installed with InstallShield, choose Start > Programs >...

Installing the Cisco VPN Client Through InstallShield

To install the Cisco VPN Client on your system using InstallShield, follow these steps. It is suggested that you accept the defaults unless your system administrator has instructed you otherwise. Step 1 Exit all Microsoft Windows programs, and disable any antivirus software. Step 2 Insert the Cisco Systems CD-ROM in the CD-ROM drive of your system. Step 3 Choose Start > Run. The Run dialog box appears. Step 4 Enter E VPN Client CD-ROM InstallShield setup.exe, where E is the CD-ROM Note Cisco...

Internet Security Association and Key Management Protocol

Figure: ISAKMP provides the creation and management of SAs.

ISAKMP is defined in RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP defines the procedures for authenticating a communicating peer, creation and management of SAs, key generation techniques, and threat mitigation (for example, denial of service (DoS) and replay attacks). While IPsec is the actual protocol that protects the IP datagrams, ISAKMP is the protocol that...

IPsec Configuration Example

This section gives an example of an IPsec configuration for a site-to-site VPN using pre-shared keys. The figure shows the two peers side by side: R1 (172.30.1.2) and R6 (172.30.6.2).

R1:
crypto isakmp policy 110
 encr 3des
 hash md5
 lifetime 36000
crypto isakmp key cisco1234 address 172.30.6.2
crypto ipsec transform-set SNRS esp-des
crypto map SNRS-MAP 10 ipsec-isakmp
 set peer 172.30.6.2
 set transform-set SNRS
 match address 101
crypto...

R6:
crypto isakmp policy 110
 encr 3des
 hash md5
 lifetime 36000
crypto isakmp key cisco1234 address 172.30.1.2
crypto ipsec transform-set SNRS esp-des

Two things to check against this listing: the ISAKMP policy must also contain authentication pre-share (the IOS default is rsa-sig, in which case the crypto isakmp key entries are never used), and esp-des is 56-bit single DES; esp-3des with esp-sha-hmac is the stronger choice among the transforms listed on this page.

IPsec Configuration Task List

This topic describes the tasks required to configure IPsec on a Cisco router.

- Ensure ACLs are compatible with IPsec
- Set global lifetimes for IPsec SAs

IPsec configuration on a Cisco router involves the configuration of IKE policies and IPsec configurations. You also need to make sure that your network devices are not interfering with the IPsec process. The tasks...

IPsec Overview

- Combines three protocols into a cohesive security framework
- Provides a framework for the negotiation of security parameters and establishment of authenticated keys
- Provides a framework for authenticating and securing data
- Provides a framework for encrypting, authenticating, and securing data

IPsec is designed to provide interoperable, high-quality, and cryptographically based security. IPsec is defined in RFC 2401. The set...

IPsec Policy Example

- Traffic (packet) type to be encrypted

Determining network design details includes defining a more detailed IPsec policy for protecting traffic. You can then use the detailed policy to help select IPsec transform sets and modes of operation. Your IPsec policy should answer the following questions: What protections are required or are acceptable for the protected traffic? Which...

IPsec Quick Mode Completes the Connection

Figure: Remote PC with Cisco Easy VPN Remote Client v4.x; Cisco Easy VPN Server running Cisco IOS Release 12.3(11)T.

After the configuration parameters have been successfully received by the Cisco VPN Client, IPsec quick mode is initiated to negotiate IPsec SA establishment. After IPsec SA establishment, the VPN connection is complete.

IPsec VPN Deployment Options

This topic describes various IPsec VPN deployment options.

An IPsec VPN is a VPN that is deployed on a shared infrastructure using IPsec encryption technology. IPsec VPNs are used as an alternative to WAN infrastructure, replacing or augmenting existing private networks that use leased-line or enterprise-owned Frame Relay and ATM networks. IPsec VPNs do not inherently change WAN...

ISAKMP Policy Example

You should determine IKE policy details for each peer before configuring IKE. The figure shows a summary of IKE policy details that will be configured in examples and in labs for this lesson. The authentication method of pre-shared keys is covered in this lesson.

Securing Networks with Cisco Routers and Switches (SNRS) v2.0

ISAKMP Policy Negotiation

First peer:
crypto isakmp policy 110
 encryption 3des
 authentication pre-share
 hash md5
 group 2
 lifetime 36000
crypto isakmp policy 210
 authentication rsa-sig
 hash sha
crypto isakmp policy 310
 authentication pre-share
 hash sha

Second peer:
crypto isakmp policy 150
 encryption 3des
 authentication pre-share
 hash md5
 group 2
 lifetime 36000
crypto isakmp policy 250
 authentication rsa-sig
 hash sha
crypto isakmp policy 350
 authentication pre-share
 hash md5

ISAKMP...

Load Sharing

You can define multiple remote peers using crypto maps to allow for load sharing. If one peer fails, there will still be a protected path. The peer to which packets are actually sent is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.

Mutual Group Authentication

To use mutual group authentication, you need a root certificate that is compatible with the central-site VPN installed on your system. Your network administrator can load a root certificate on your system during installation. When you select mutual group authentication, the Cisco VPN Client software verifies whether you have a root certificate installed. If not, it prompts you to install one. Before you continue, you must import a root certificate. When you have installed a root certificate (if...

(Optional) Enable XAUTH Save Password

R1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS
R1(config-isakmp-group)# save-password

This step could have been completed in Step 1 of Task 4 following the crypto isakmp client configuration group command. Cisco Easy VPN Remote uses one of three available authentication methods:

- No XAUTH: When no XAUTH is used, there is no authentication for the user when establishing the VPN tunnels. This is the least secure...

(Optional) Initiate the VPN Tunnel (XAUTH)

01:34:42: EZVPN: Pending XAuth Request, Please enter the following command:
01:34:42: EZVPN: crypto ipsec client ezvpn xauth

Cisco IOS message: Waiting for valid Xauth username and password.

R6# crypto ipsec client ezvpn xauth
Enter Username and Password: vpnusers
Password: ********

- With XAUTH: When the SA expires, the username and password must be manually entered.
- With XAUTH Save Password enabled: When the SA expires, the last valid username and password will be reused automatically.

OSPF

Running OSPF over a DMVPN network has some of the same challenges as running OSPF over other types of networks. Historically, a single OSPF area should not contain more than 50 routers, and there should not be more than 3 areas on a router. Although current routers have stronger processors, the additional overhead of encryption and NHRP negates much of this. For this reason, the 50-router limit per area should be observed. In addition, because only the hub is in direct communications with all...

Other Protocols and Terminology

This topic describes some other protocols and terminology used with IPsec.

Listed here are some other protocols and terms used with IPsec.

Advanced Encryption Standard (AES): AES was finalized as a Federal Information Processing Standard (FIPS)-approved cryptographic algorithm to be used to protect electronic data transmission (FIPS PUB 197). AES is based on the Rijndael...

Parameters Defined in a Policy

There are five parameters to define in each IKE policy, as shown in the table. These parameters apply to the IKE negotiations when the IKE SA is established. You can create multiple IKE policies, each with a different combination of parameter values. For each policy that you create, you assign a unique priority (1 through 10,000, with 1...
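As an added example (not part of the course material), the following Python models how two peers work through their IKE policy lists: it parses the two policy sets shown under ISAKMP Policy Negotiation, fills in the IOS default values listed under Preparing for IPsec for any of the five parameters a policy does not set, finds the first matching pair, and then flags agreed values (DES, 3DES, MD5, DH groups 1 and 2) that fall short of current guidance. The configuration text in the block is a constructed transcription of the slide, and the WEAK table is this example's own judgement, not something the course states.

```python
# Added example (not Cisco code): how two IKE peers settle on an ISAKMP policy,
# using the policy lists from the slide and the IOS defaults shown on the page.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": 1, "lifetime": 86400}  # IOS default policy values
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {1, 2}}

# Constructed transcription of the two peers' policy sets shown on the slide.
PEER_A_CONFIG = """crypto isakmp policy 110
 encryption 3des
 authentication pre-share
 hash md5
 group 2
 lifetime 36000
crypto isakmp policy 210
 authentication rsa-sig
 hash sha
crypto isakmp policy 310
 authentication pre-share
 hash sha"""
PEER_B_CONFIG = """crypto isakmp policy 150
 encryption 3des
 authentication pre-share
 hash md5
 group 2
 lifetime 36000
crypto isakmp policy 250
 authentication rsa-sig
 hash sha
crypto isakmp policy 350
 authentication pre-share
 hash md5"""


def parse_isakmp_policies(config):
    """Return {priority: {parameter: value}}; unset parameters get IOS defaults."""
    policies, current = {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:3] == ["crypto", "isakmp", "policy"]:
            current = int(words[3])
            policies[current] = dict(DEFAULTS)
        elif current is not None and len(words) == 2:
            key, value = words
            policies[current][key] = int(value) if key in ("group", "lifetime") else value
    return policies


def negotiate(initiator, responder):
    """Return (initiator priority, responder priority, agreed policy) or None."""
    # Policies are offered lowest priority number first. A match needs identical
    # encryption, hash, authentication and DH group; lifetimes need not match,
    # the shorter of the two is used for the IKE SA.
    for prio_i in sorted(initiator):
        for prio_r in sorted(responder):
            offer, own = initiator[prio_i], responder[prio_r]
            if all(offer[k] == own[k] for k in ("encryption", "hash", "authentication", "group")):
                agreed = dict(offer, lifetime=min(offer["lifetime"], own["lifetime"]))
                return prio_i, prio_r, agreed
    return None


def audit_policy(policy):
    """Parameters of an agreed policy that are weak by today's standards."""
    return sorted(k for k, bad in WEAK.items() if policy[k] in bad)
```

Run against the slide's two peers, policies 110 and 150 match; with 110 removed, 210 matches 250, while 310 against 350 alone yields no match because the hash algorithms differ.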

Plan for CA Support: Determine CA Server Details

This figure illustrates the minimum information needed to configure a CA server on a Cisco router. Depending on the CA server chosen, other variables may also have to be identified and resolved.

Preparing for IPsec

Sending 5, 100-byte ICMP Echos to 10.0.1.3, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   1 (768 bit)
        lifetime:               86400 seconds, no volume limit

R1# show crypto map
No crypto maps found.
R1# show crypto ipsec transform-set
R1#

Preparing for IPsec includes these tasks: Checking...

Purpose of Crypto ACLs

- Outbound: Indicate the data flow to be protected by IPsec
- Inbound: Filter out and discard traffic that should have been protected by IPsec

Crypto ACLs define which IP traffic will be protected by encryption. Extended ACLs are used to specify further source and destination addresses and packet type. Use encryption ACLs to control which packets on an interface are encrypted or decrypted, and which are transmitted as plain text (unencrypted). When a packet is...

Remote Access Using Cisco Easy VPN

Figure: PC with Cisco Easy VPN Remote Client v4.x.

In the example in the figure, the VPN gateway is a Cisco IOS router running the Cisco Easy VPN Server feature. Remote Cisco IOS routers and Cisco VPN Software Clients connect to the Cisco Easy VPN Server for access to the corporate intranet. The Cisco Easy VPN Remote feature requires that the destination peer be a Cisco Easy VPN Server or...

Removing RSA Key Pairs

You might want to remove an RSA key pair for one of the following reasons:

- During manual PKI operations and maintenance, old RSA keys can be removed and replaced with new keys.
- An existing CA is replaced and the new CA requires newly generated keys; for example, the required key size might have changed in an organization, so you would have to delete the old 1024-bit keys and generate new 2048-bit keys.

To remove all RSA keys or the specified RSA key pair that has been generated by your router,...

Show crypto ipsec sa Command

Crypto map tag: SNRS-MAP, local addr 172
     #pkts compressed: 0, #pkts decompressed:
     #pkts not compressed: 0, #pkts compr. failed: 0
     current outbound spi: 0x1B029B45(453155653)

Use the show crypto ipsec sa command to view the settings used by current SAs. If no keyword is used, all SAs are displayed.

router# show crypto ipsec sa [map map-name | address | identity | interface interface-type...

Show crypto map Command

R1# show crypto map interface fastEthernet 0/1
Crypto Map "SNRS-MAP" 10 ipsec-isakmp
        Peer = 172.30.6.2
        Extended IP access list 101
            access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.6.0
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ SNRS, }
        Interfaces using crypto map SNRS-MAP:
                FastEthernet0/1

The show crypto map command is used to view the crypto map configuration. If no keywords are used, all crypto...

Show webvpn context Command

Router# show webvpn context SSLVPN
Admin Status: up
Operation Status: up
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List not configured
AAA Authentication Domain not configured
Default Group Policy: SSL-Policy
Associated WebVPN Gateway: SNRS-GW
Domain Name:
Maximum Users Allowed: 10000 (default)
NAT Address not configured
VRF Name not configured

This figure is a sample output...

Show webvpn policy group Command

Router# show webvpn policy group csdpolicy context WEBVPN
WEBVPN: group policy = SSL-policy ; context = SSLVPN
      url list name = "Internal"
      port forward name = "Portlist"
      nbns list name = "NBNS-Servers"
      functions = file-access file-browse file-entry svc
      address pool name = "webvpn-pool"
      keep sslvpn client installed = disabled
      split include = 192.168.0.0 255.255.0.0

This figure is a sample output from the show...

Show webvpn session user Command

Router# show webvpn session user user1 context WebVPN
WebVPN user name = user1 ; IP address = 10.0.1
    Created 00:00:19, Last-used 00:00:18
    port forward name = "EMAIL"

This figure is a sample output from the show webvpn session user command.

Single DMVPN Topology

This figure represents a single DMVPN topology. In a single DMVPN cloud topology, there are two hub routers on the same DMVPN subnet. Therefore, the branch router requires an mGRE interface. Because of this mGRE interface, branch routers attempt interbranch communications if so directed by the routing table. As a result, this model should be considered a spoke-to-spoke topology. The hub-and-spoke deployment model can be configured in a single DMVPN cloud topology with only one hub router. This...

Spoke Configuration

router(config-if)# ip address 172.16.16.X 255.255.255.0
router(config-if)# ip mtu 1416
router(config-if)# no ip next-hop-self eigrp
router(config-if)# ip nhrp authentication cisco123
router(config-if)# ip nhrp map 172.16.16.1 172.30.1.2
router(config-if)# ip nhrp map multicast 172.30.1.2
router(config-if)# ip nhrp nhs 172.16.16.1
router(config-if)# ip nhrp network-id 99
router(config-if)# no ip split-horizon eigrp 1
router(config-if)# tunnel source FastEthernet 0/1
router(config-if)# tunnel key 999
...

SSL VPN Login Successful

This message will appear when a login has been successful.

SSL VPN Portal Page and Floating Toolbar

The portal page is the main page for the WebVPN functionality. Items that you have not configured are not displayed on the portal page.

Note: E-mail access is supported by thin-client mode, which is downloaded using the Start

SSL VPN Logout Dialog

If remote users click the window close button, the WebVPN gateway prompts them to confirm that they want to close the session. The logout page displays if the remote user clicks the logout link, or if the session terminates because of an idle timeout or a maximum connection time.

Step 1 Create a Dynamic Crypto

R1(config)# crypto dynamic-map Dynamic-Map 10
R1(config-crypto-map)# set transform-set VPNTRANSFORM
R1(config-crypto-map)# reverse-route
R1(config-crypto-map)# end

Complete these steps to create a dynamic crypto map.

Step 1 Create a dynamic crypto map entry and enter the crypto map configuration mode using the crypto dynamic-map command.

R1(config)# crypto dynamic-map map-name seq-num

- map-name: Specifies the name of the dynamic...

Step 1 Enable AAA Login Authentication

R1(config)# aaa authentication login VPNUSERS local

Step 1 Enable AAA login authentication using the aaa authentication login command in global configuration mode. The syntax for the aaa authentication login command is as follows:

aaa authentication login list-name method1 method2

- list-name: Character string used to name the list of authentication methods activated when a user logs in. The list name...

Step 2 Create ISAKMP Policies

R1(config)# crypto isakmp policy 110

- Defines an ISAKMP policy, which is a set of parameters used during IKE negotiation
- Invokes the config-isakmp command mode

You must create ISAKMP policies at each peer. An ISAKMP policy defines a combination of security parameters to be used during the IKE negotiation.

Step 2 Set XAUTH Timeout Value

R1(config)# crypto isakmp xauth timeout 20

Step 2 Set the XAUTH timeout value using the crypto isakmp xauth timeout command. The syntax for the crypto isakmp xauth timeout command is as follows:

crypto isakmp xauth timeout seconds

Step 3 Enable ISAKMP XAUTH for Crypto

R1(config)# crypto map CLIENTMAP client authentication list VPNUSERS

Step 3 Enable ISAKMP XAUTH for the dynamic crypto map using the crypto map command. The syntax for the crypto map command is as follows:

crypto map map-name client authentication list list-name

- map-name: Name that you assign to the crypto map set
- list-name: Character string used to name the list of authentication methods activated...

Syntax Description

- (Optional) Defines a VPN routing and forwarding instance (VRF) table. The vrf-name argument specifies a name for the VRF table. The first character can be either a letter or a number. If you use a number, the types of operations that you can perform are limited.
- Modem telephone number that is mapped to the IP host address for use in Cisco modem user interface mode. You must enter the letter t before the telephone number.
- (Optional) TCP port number to connect to when using the defined hostname in...

Testing and Verifying IPsec

This topic describes the commands used to test and verify IPsec configurations.

- Display your configured ISAKMP policies
- Display your configured transform sets
- Display the current state of your IPsec SAs

There are several commands available to test and verify IPsec site-to-site configurations. Just as you did with pre-shared keys, you can perform the following actions to...

Thin Client Mode Access

Figure: Microsoft Windows 2000 or XP.

Thin-client mode, also called TCP port forwarding, assumes that the client application uses TCP to connect to a well-known server and port. In thin-client mode, the remote user downloads a Java applet by clicking the link provided on the portal page. The Java applet acts as a TCP proxy on the client machine for the services that you configure on the gateway. The applications that are supported in...

Tunnel Configuration

The following configuration example uses EIGRP as the routing protocol.

Step 1 Specify a tunnel interface number and enter interface configuration mode.
router_spoke(config)# interface Tunnel 0
Step 2 Set a primary or secondary IP address for the tunnel interface.
router_spoke(config-if)# ip address 172.16.16.2 255.255.255.0
Step 3 Set the MTU size, in bytes, of IP packets sent on the interface.
router_spoke(config-if)# ip mtu 1416
Step 4 Change the EIGRP maximum hold time. This time should not...

Tunnel Mode Access

Figure: Microsoft Windows 2000 or XP.

In a typical clientless remote-access scenario, remote users establish an SSL tunnel to move data to and from the internal networks at the application layer (for example, web and e-mail). In tunnel mode, remote users use an SSL tunnel to move data at the network (IP) layer (IP over SSL). Therefore, tunnel mode supports most IP-based applications. Tunnel mode supports many popular corporate...