BRKSEC-2881.Pdf

BRKSEC-2881.Pdf

#CLUS Designing Remote- Access and Site-to- Site IPSec networks with FlexVPN Piotr Kupisiewicz – Technical Leader Services BRKSEC-2881 #CLUS Objectives & Prerequisites • Session objectives: • Introduce IKEv2 & FlexVPN, with a focus on AAA-based management • Demonstrate the value-add and possibilities of FlexVPN as a Remote Access solution with a variety of clients (software & hardware) • Solve simple & complex use cases using FlexVPN • It’s intermediate session • Other sessions of interest • BRKSEC-3036 – Advanced IPSec with FlexVPN and IKEv2 • BRKSEC-3005 - Cryptographic Protocols and Algorithms - a review #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 About me #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Agenda • Introduction • IKEv2 Overview • Tunnel Interfaces • Configuration Building Blocks • FlexVPN AAA Integration • Remote Access Clients • Deployment Scenarios & Use Cases • Wrap-up #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 5 Cisco Webex Teams Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session How 1 Find this session in the Cisco Events App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space Webex Teams will be moderated cs.co/ciscolivebot#BRKSEC-2881 by the speaker until June 18, 2018. #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 Cisco Press Book ‘IKEv2 IPsec VPNs’ by Amjad Inamdar & Graham Bartlett Customer Reviews Cisco Press rebate One of the best technical books I've read code: CLSAVE This book is the IKEv2 VPN equivalent of Jeff Doyle's Routing TCP/IP Vol 1 & 2 - a must read for any network security engineer wanting to design and build secure VPN's. One of the best technical books I've read. Superb book and well worth the money for anyone even thinking about Cisco crypto This book is the most comprehensive book on IKEv2 for Cisco network engineers that you will find and is all about real-world scenarios. Definitive guide on modern IPsec VPN theory and practice Many times I wish I had a book like this to help distill many complex IETF RFCs into “plain English” and provide practical and actionable security best practices. Brilliant I bought the Kindle version of this on a bit of an impulse. I'm really glad I did, it's well worth the money. Not only can I establish secure IKEv2 tunnels, I also feel like I know the subject thoroughly now. Even in respect to non- Cisco equipment. The book is a great reference too. I don't usually leave reviews but was motivated to in this instance. Good job, highly recommended. The best book on IKEv2 IPsec VPNs The book is awesome! I appreciate authors' work on presenting deeply technical topics in extremely easy to understand manner. Finally, all you need to know about FLEX in one place! Well written , concise and accurate. An absolute must for anyone designing, https://www.amazon.com/IKEv2-IPsec-Virtual-PrivateNetworks/ supporting or troubleshooting IKEv2 VPNs. You too can become a FLEX dp/1587144603/ expert! Listed in the CCIE Security reading list Very good Book on IPsec VPN for Enterprise networks https://learningnetwork.cisco.com/community/certifications/ Very well Written book, This book touches on most important topic on ccie_security/written_exam/study-material building Dynamic VPN for enterprise networks. #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 7 Introduction to FlexVPN FlexVPN Overview • What is FlexVPN? • IKEv2-based unified VPN technology that combines site-to-site, remote-access, hub-spoke and spoke-to-spoke topologies • FlexVPN highlights • Unified CLI • Based on and compliant to IKEv2 standard • Unified infrastructure: leverages IOS Point-to-Point tunnel interface • Unified features: most features available across topologies (AAA, IPv6, Routing…) • No IWAN Support • Simplified configuration using smart-defaults • Interoperable with non-Cisco implementations • Easy to learn, market and manage #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 9 Key Platforms ASR 1000 series ISR 1100 ISR 800 Series & 4000 Series #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 10 IKEv2 Overview Comparing IKEv1 & IKEv2 Authentication Same Integrity Objectives Confidentiality DPD ISAKMP RFC 2408 Suite-B IPSec DOI IKEv2 More Secure RFC 2407 IKEv1 Mode IKEv2RFC 5996 Anti-DoS Config IKE RFC 2409 PSK, RSA-Sig NAT-T Authentication EAP Auth. Options Hybrid Auth. Cleaner Identity/Key Exchange Similar but Uses UDP Ports 500 & 4500 Different Main + Aggressive INITIAL Acknowledged Notifications #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 12 IKEv2 Exchanges Initiator (I) Responder (R) IKEv2 Security Association (SA) establishment IKE_SA_INIT (proposal selection, key exchange) Mutual authentication & identity exchange Initial IPSec SAs establishment IKE_AUTH Certificate exchange (optional) Configuration exchange (optional) Additional IPSec SAs establishment CREATE_CHILD_SA IKEv2 & IPSec SA rekey Can be (I R) with ACK or (R I) with ACK INFORMATIONAL Notifications (SA deletion, liveness check, ...) Configuration exchange (one or both ways) #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 13 Key Differentiators IKEv1 IKEv2 Auth messages 6 max Open ended First IPsec SA 6-9 messages ~ 4-6 messages minimum Authentication pubkey-sig, [pubkey-encr], PSK pubkey-sig, PSK, EAP, asymmetrical authentication Security Vulnerable to DOS attacks Anti-clogging, Suite-B Support, … IKE rekey Requires re-auth (expensive) No Re-auth Notifies Fire & Forget Acknowledged Message Segmentation None, relies on IP fragmentation Protocol built in NG Cryptography Support is stopped* Yes #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 14 Tunnel Interfaces Dynamic Point-to-Point Virtual Interfaces P2P virtual interface template FlexVPN Server crypto ikev2 profile default ... virtual-template 1 Dynamically instantiated P2P interfaces ! interface Virtual-Access1 interface Virtual-Template1 type tunnel ipinterfaceunnumbered Virtual Loopback0-Access2 ip unnumbered Loopback0 ipipinterfaceaccessunnumbered-group Virtual Loopback0mobile-Access3-users VT1 tunnel mode ipsec ipv4 ipipvrfipaccessunnumberedforwarding-group travelerLoopback0mobile-VRF-users tunnel protection ipsec profile default tunnelip ipvrf accesssourceforwarding- group<local travelerhome-address>-office-VRF-users VA1 VA2 VA3 tunneltunnelip vrfdestination sourceforwarding <local <remote -homeaddress>-officeaddress>-VRF tunneltunneltunnel mode destination source ipsec <localipv4 <remote-address>-address> Server routing table (RIB/FIB) tunneltunneltunnel protection mode destination ipsec ipsecipv4 <remoteprofile-address> default S default via Ethernet0/0 servicetunneltunnel- policyprotection mode outputipsec ipsec ipv4mobileprofile-QoS default L 10.0.1.1/32 local Loopback0 servicetunnel-policy protection output ipsec travelerprofile-QoS default S 10.0.1.10/32 via Virtual-Access1 service-policy output home-office-QoS S 10.0.1.11/32 via Virtual-Access2 S 10.0.1.12/32 via Virtual-Access3 S 10.42.1.0/24 via Virtual-Access3 Static P2P virtual interface interface Tunnel0 ip address negotiated 10.0.1.10/32 10.0.1.11/32 10.0.1.12/32 tunnel source Ethernet0/0 Tun0 tunnel destination <server-address> tunnel mode ipsec ipv4 10.42.1.0/24 tunnel protection ipsec profile default #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 16 Interface Features FlexVPN Server Pre-encapsulation RIB/FIB (routing table) IPSec encapsulation interface output features (tunnel protection) (apply to cleartext packet) Interface input features Post-encapsulation (apply to cleartext packet) interface output features (apply to encrypted packet) Eth0/0 (LAN) V- Eth0/1(WAN) Access1 IP L4 Data IP IPsec IP L4 Data Encrypted Cleartext Traffic Encrypted Traffic (from server LAN) (to RA client) Interface feature (NAT, PBR, QoS, NetFlow, ...) #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 17 Tunnel Encapsulation • IPSec Tunnel Mode (IPv4 or IPv6) interface Virtual-Template1 type tunnel tunnel mode ipsec {ipv4 | ipv6} • Classic dVTI: compatibility with software clients tunnel protection ipsec profile default (any-to-any or any-to-assigned-address) IP IPsec IP L4 Data • Multi-SA dVTI: compatibility with legacy Encrypted crypto map peers (ASA, other vendors) • IPv4 over IPv6 Mixed Mode in IOS-XE3.10 • GRE over IPSec interface Virtual-Template1 type tunnel tunnel mode gre {ip | ipv6} • Enables tunneling of non-IP protocols (e.g. MPLS) tunnel protection ipsec profile default • Required for dynamic mesh scenarios (aka DMVPN, IP IPsec GRE IP L4 Data but with the extra flexibility of point-to-point interfaces) Encrypted • “tunnel mode gre ip” is the default on static & dynamic tunnel interfaces #CLUS BRKSEC-2881 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 18 IPv6 Support Summary • GRE over IPSec Passenger Protocol – Dual-stack (IPv4 + IPv6 IPv4 IPv6 over IPSec) out of the box IPv4 ✔ ✔ IPv6 ✔ ✔ Transport Transport Protocol Passenger Protocol • IPSec Tunnel Mode IPv4 IPv6 – Dual-stack support IPv4 ✔ ✔ – IPv4 over IPv6 mixed-mode IPv6 ✔ ✔ (Since XE3.10) Transport Transport Protocol

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    115 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us