Virtual Private Network (VPN) Flashcards
Protocols used in VPNs (7)
Point-to-Point Tunneling (PPTP)
Layer 2 Forwarding (L2F) Protocol
Layer 2 Tunneling Protocol (L2TP)
Generic Routing Encapsulation (GRE) Protocol
Multiprotocol Label Switching (MPLS) Protocol
Internet Protocol Security (IPSec)
Secure Socket Layer (SSL)
VPN implementations are categorized in two groups
- Site-to-Site VPN (enables two sites to establish VPN tunnels between two or more network infrastructure devices in different sites so that they can communicate over a shared medium such as the internet)
- Remote-Access VPN (enables users to work from remote locations)
Uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site and remote-access VPN tunnels.
IPSec
Is a framework provided by the Internet Security Association and Key Management Protocol (ISAKMP)
IKE (Internet Key Exchange)
Attributes in IKEv1 Phase 1
- encryption algorithms
- hashing algorithms
- Diffie-Hellman groups
- authentication method
- vendor specific attributes
Traditional encryption algorithms used in IKE
- Data Encryption Standard (DES)
- Triple DES (3DES)
- Advanced Encryption Standard (AES)
- AES 192
- AES 256
Hashing algorithm examples
Secure Hash Algorithm (SHA)
Message Digest Algorithm 5 (MD5)
IPSec uses two different protocols to encapsulate data over a VPN tunnel
Encapsulating Security Payload (ESP): IP protocol 50
Authentication Header (AH): IP protocol 51
IPSec can use two modes with either AH or ESP:
Transport mode: protects upper-layer protocols such as User Datagram Protocol (UDP) and TCP
Tunnel mode: protects the entire IP packet
This feature allows VPN peers to dynamically discover whether an address translation device exists between them. If they detect a NAT/PAT device, they use UDP port 4500 to encapsulate the data packets, subsequently allowing the NAT device to successfully translate and forward the packets.
NAT Traversal (NAT-T)
Differences between IKEv1 and IKEv2
- IKEv1 Phase 1 has two possible exchanges: main mode and aggressive mode. The IKEv2 IKE_SA has a single exchange of a message pair.
- IKEv2 has a simple exchange of two message pairs for the CHILD_SA. IKEv1 Phase 2 has at least three message pairs.
- IKEv2 supports the use of next-generation encryption protocols and anti-DoS capabilities.
- IKEv1 does not allow the use of the Extensible Authentication Protocol (EAP). EAP allows IKEv2 to provide a solution for remote-access VPN as well.
Remote-access VPN provides these properties if HTTPS (HTTP over SSL/TLS) is used
- Secure communication using cryptographic algorithms (HTTPS/TLS offers confidentiality, integrity and authentication)
- Ubiquity: makes it possible for VPN users to access corporate resources remotely from anywhere using any PC without having to pre-install a remote-access VPN client
- Low management cost: the clientless type of remote-access VPN is free of deployment cost and maintenance problems
- Effective operation with a firewall and NAT
Is a solution designed to secure connections from mobile devices. This
Cisco AnyConnect Secure Mobility
Cisco IOS and Cisco IOS-XE tunnel interfaces support different types of encapsulation (or modes)
- Generic Routing Encapsulation (GRE) protocol
- IP-in-IP
- Distance Vector Multicast Routing Protocol (DVMRP)
- IPv6-in-IPv4
Is defined by RFC 2784 and extended by RFC 2890. Provides a simple mechanism to encapsulate packets of any protocol (the payload packets) over any other protocol (the delivery protocol) between two endpoints.
Generic Routing Encapsulation (GRE)
This command was introduced to simplify IPSec and GRE configurations.
Tunnel Mode
Command to configure a multipoint GRE (mGRE) interface
tunnel mode gre multipoint
Type of GRE Encapsulation where a single static GRE tunnel interface is used as the endpoint for multiple site-to-site tunnels.
Multipoint GRE (mGRE)
Is a technology created by Cisco to reduce the hub router configuration. When deploying this, you configure a single mGRE tunnel interface, a single IPSec profile and no crypto access-list on the hub router.
Dynamic Multipoint VPN (DMVPN)
Provides a collection of features and capabilities to protect IP multicast group traffic or unicast traffic over a private WAN
Group Encrypted Transport VPN (GETVPN)
GETVPN relies on the following building blocks to provide the required functionality
- GDOI (RFC 6407)
- Key Servers (KSs)
- Cooperative (COOP) KSs
- Group Members (GMs)
- IP tunnel header preservation
- Group Security association
- Rekey mechanism
- Time-based anti-replay (TBAR)
- G-IKEv2
- IP-D3P
Minimum Requirements of a basic GETVPN key server configuration
- IKE Policy
- RSA key for re-keying
- IPSec phase 2 policies
- Traffic classification
Minimum Requirements of a basic GETVPN group member configuration
- IKE Policy
- GDOI crypto map
- Crypto map applied to an interface
Is a framework to configure IPSec VPN on Cisco IOS devices. It was created to simplify the deployment of VPN solutions of all types
FlexVPN
Benefits of FlexVPN
- Can interoperate with non-Cisco IKEv2 implementations
- Supports different VPN types (point-to-point, remote-access, hub-and-spoke, dynamic mesh)
- Combines all these different VPN technologies using one command-line interface (CLI) set of configurations
- Support for dynamic overlay routing
- Integration with Cisco IOS AAA
- Supports GRE and native IPSec encapsulations
- Supports IPv4 and IPv6 overlay and underlay
Show commands for troubleshooting IPSec VPN in Cisco Routers
- show crypto isakmp sa
- show crypto ikev2 sa
- show crypto ikev2 sa detailed
- show crypto ikev2 sessions
Show commands to display IKEv2 statistics
- show crypto ikev2 stats
- show crypto ikev2 stats exchange
- show crypto ikev2 stats ext-service
- show crypto ikev2 stats priority-queue
- show crypto ikev2 stats timeout
Debug commands to troubleshoot IPSec implementations
- debug crypto isakmp
- debug crypto ikev2
- debug crypto ikev2 internal
- debug radius authentication
- debug crypto ipsec
Commands to obtain and view error events or exceptions in IKEv2 negotiations
show monitor event-trace crypto ikev2
Configuring site-to-site VPN on Cisco ASA firewalls
- Enable isakmp
- create isakmp policy
- set the tunnel type
- define the ipsec policy
- configure the crypto map
- configure traffic filtering (optional)
- bypass NAT
- enable perfect forward secrecy
Command to enable IKEv2 in the Cisco ASA site-to-site VPN config
crypto ikev2 enable outside
Commands for creating the ISAKMP policy in the Cisco ASA site-to-site VPN config
crypto ikev2 policy 1
>encryption aes-256
>integrity sha
>group 5
>prf sha
>lifetime seconds 86400
Commands for setting up the tunnel group in the Cisco ASA site-to-site VPN config
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
>ikev2 remote-authentication pre-shared-key secret
>ikev2 local-authentication pre-shared-key secret
Commands for configuring the IPSec policy in the Cisco ASA for site-to-site VPN
crypto ipsec ikev2 ipsec-proposal mypolicy
>protocol esp encryption aes-256
>protocol esp integrity sha-512
Configuring crypto-map in Cisco ASA for site-to-site VPN
configure terminal
access-list outside-cryptomap line 1 remark ACL to encrypt traffic from site-a to site-b
access-list outside-cryptomap line 2 extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map outside_map 1 match address outside-cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev2 ipsec-proposal mypolicy
crypto map outside_map 1 interface outside
Command that is enabled by default and allows the Cisco ASA to bypass the ACL check for all VPN tunnels, including remote-access IPSec tunnels and SSL VPN tunnels
sysopt connection permit-vpn
Commands on Cisco ASA for the NAT exempt (identity NAT) policy
object network 192.168-Net
>subnet 192.168.10.0 255.255.255.0
object network 10.10-Net
>subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static 192.168-Net 192.168-Net destination static 10.10-Net 10.10-Net
Is a cryptographic technique where newly generated keys are unrelated to any previously generated key
Perfect Forward Secrecy (PFS)
Command on Cisco ASA to enable PFS
crypto map outside_map 10 set pfs group5
Additional attributes in Cisco site-to-site VPN configuration
- OSPF updates over IPSec
- Reverse route injection
- NAT traversal
- Tunnel default gateway
- Management access
- Fragmentation policies
Steps in configuring IPSec Remote Access VPN in Cisco ASA
- enable isakmp (IKEv1)
- create IKEv1 (isakmp) policy
- set up tunnel group policies
- define the IPSec policy
- configure user authentication
- assign an ip address
- create a crypto map
- configure traffic filtering (optional)
- bypass NAT (optional)
- set up split tunneling (optional)
- define DNS and WINS addresses (optional)
Cisco ASA supports the following SSL VPN Modes
- Clientless (remote clients need only an SSL-enabled browser)
- Thin client (remote clients need to install a small Java applet)
- Full tunnel (remote clients need to install the SSL VPN client)
Cisco ASA remote-access design considerations
- analyze current environment and determine which features
- determine how your users connect to the corporate network (hotel kiosks, computers in public places)
- determine the size of SSLVPN deployment (concurrent users)
- load balancing
- make sure you have the appropriate licenses
The infrastructure requirements for SSL VPN include but are not limited to
- ASA placement (if behind another firewall make sure to open the ports)
- User accounts (Active Directory, RADIUS, RSA SecurID, LDAP)
- Administrative privileges: required for all connections with port forwarding if you want to use host mapping
Pre-SSL VPN configuration steps
- enroll digital certificates
- set up tunnel and group policies
- set up user authentication
Commands on Cisco ASA to import a CA certificate manually
crypto ca trustpoint sslcertexample
>enrollment terminal
crypto ca authenticate sslcertexample
Commands on Cisco ASA to manually enroll a certificate
configure terminal
>domain-name domain.org
>crypto key generate rsa label domaincertrsa
>crypto ca trustpoint domaincert
>>keypair domaincertrsa
>>id-usage ssl-ipsec
>>no fqdn
>>subject-name CN=omar-asa
>>enrollment terminal
>crypto ca enroll domaincert
Command to import the identity certificate
crypto ca import domaincert certificate
Command to activate the identity certificate
ssl trust-point domaincert outside
Cisco ASA uses an inheritance model when it pushes network and security policies to the end-user sessions. You can configure policies at the following three policy locations
Under the default group policy (DfltGrpPolicy)
Under the user’s assigned group policy
Under the specific user's policy
Cisco ASA supports a number of authentication mechanisms and databases
- RADIUS
- NT Domain
- Kerberos
- SDI
- LDAP
- Digital certificates
- Smart cards
- SAML
- Local database
UDP ports used by Cisco ASA by default for authentication and accounting
1645 and 1646
Most RADIUS servers use these IANA-assigned ports for authentication and accounting
1812 and 1813
Commands on ASA to configure a RADIUS server as the authentication server
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.10.123
>key thisisthekey
Steps in enabling Clientless SSL VPN
- enable clientless SSL VPN on an interface
- configure SSL VPN Portal customization
- configure bookmarks
- configure WebTypes ACLs
- configure application access
- configure client-server plug-ins
Commands on Cisco ASA to enable SSL VPN on the outside interface
webvpn
>enable outside
Cisco ASA methods that allow application access
- smart tunnel (works at the application layer by establishing Winsock 2 connections)
- port forwarding
Cisco AnyConnect Secure Mobility Client VPN can be installed on a user's computer using one of these methods
- Web-enabled mode (download through the browser)
- standalone mode (download from file server or cisco.com)
Configuring the Cisco AnyConnect Secure Mobility Client VPN is a two-step process
- Load the Cisco AnyConnect Secure Mobility Client package
- Define the Cisco AnyConnect Secure Mobility Client VPN attributes
Before the Cisco AnyConnect Secure Mobility Client SSL VPN tunnel is functional, you have to configure the following two required items
- Enabling Cisco AnyConnect Secure Mobility connections
- Address pool definition
Optional attributes to enhance the functionality of the Cisco AnyConnect Secure Mobility Client
- Split tunneling
- DNS and WINS assignment
- Keeping the SSL VPN client installed
- DTLS
- Configuring traffic filters
- Configuring a tunnel group
Cisco ASA supports 3 different methods to assign an IP address back to the client
- local address pool
- dhcp server
- radius server
With this, Cisco ASA notifies Cisco AnyConnect clients about secured subnets. The VPN clients, using the secured routes, encrypt only those packets that are destined for the networks behind the security appliance
Split tunneling
Steps in configuring SSL and IPSec-IKEv2 remote access VPN with the Remote Access VPN Policy wizard
- Navigate to Devices>VPN>Remote Access
- Enter a name. Select VPN Protocols (SSL or IPSec-IKEv2)
- Configure connections profile
- Set the AAA method (AAA, certificates or both)
- Select the RADIUS server, or a different one, for authorization and accounting
- Configure the different attributes in the group policy (authorization profile, IP address, AnyConnect settings, VLAN mapping and user sessions)
- Add an address pool
- Create an IP pool
- Select the AnyConnect image that VPN users will use to connect to remote access
- Select the network interface and identity certificate
- View the summary of the remote access VPN policy configuration
The only supported client on endpoint devices for remote VPN connectivity to Cisco FTD devices
AnyConnect
Debug command used to troubleshoot remote-access VPN connections on FTD devices.
debug webvpn condition {group name | p-ipaddress ip_address [subnet subnet_mask] | reset | user name}
ex. debug webvpn condition user hannah
show webvpn debug-condition
Steps in configuring Site-to-Site VPN in FTD devices
- Navigate to Devices>VPN>Site-to-Site VPN
- create new vpn topology by clicking firepower device
- enter a unique name for the new topology and specify a topology type
- specify the node pairs
- select the devices you want to configure to establish the site-to-site VPN tunnel, their associated interfaces and IP addresses
Example of DMVPN hub configuration (the hub's GigabitEthernet0/0 address is 172.17.0.1, which is the address the spoke maps to the hub's NHRP address 10.0.0.1)
! The ISAKMP policy
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 14
!
! A dynamic ISAKMP key and IPsec profile
crypto isakmp key supersecretkey address 0.0.0.0
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile my_hub_vpn_profile
 set transform-set trans2
!
! The tunnel interface with NHRP
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication anothersupersecretkey
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 ! This line must match on all nodes that want to use this mGRE tunnel.
 tunnel key 100000
 tunnel protection ipsec profile my_hub_vpn_profile
!
interface GigabitEthernet0/0
 ip address 172.17.0.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
A spoke configuration sample of DMVPN
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 14
crypto isakmp key supersecretkey address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile my_spoke_vpn_profile
 set transform-set trans2
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication anothersupersecretkey
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ! Configures the hub router as the NHRP next-hop server.
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile my_spoke_vpn_profile
!
interface GigabitEthernet0/0
 ip address dhcp hostname Spoke1
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
Example of FlexVPN server configuration (the domain is secretcorp.org, matching the client configuration below)
! AAA configuration. R1 is configured with AAA authorization to use
! the RADIUS server (10.1.2.3) to retrieve the IKEv2 pre-shared keys.
aaa new-model
aaa group server radius radius_group1
 server name radius_server1
!
aaa authorization network aaa_psk_list group radius_group1
!
radius server radius_server1
 address ipv4 10.1.2.3 auth-port 1645 acct-port 1646
 key radius_server1_key
!
! The IKEv2 name mangler is configured to derive the AAA username from
! the hostname portion of the peer IKEv2 identity of type FQDN.
! When each branch router is configured with a unique local FQDN identity,
! the name mangler will yield a unique AAA username for the pre-shared key
! lookup on the RADIUS server.
crypto ikev2 name-mangler aaa_psk_name_mangler
 fqdn hostname
!
! The IKEv2 profile is configured to match all the branch routers, based on
! the domain portion (secretcorp.org) of the peer FQDN identity.
! The profile is configured to use an AAA-based keyring that retrieves
! the pre-shared keys, using AAA authorization from the RADIUS
! server specified in the referenced AAA method list.
! The referenced IKEv2 name mangler will yield a unique AAA username for
! pre-shared key lookup on the RADIUS server that is derived from the
! hostname portion of the peer FQDN identity.
crypto ikev2 profile default
 match identity remote fqdn domain secretcorp.org
 identity local fqdn hq.secretcorp.org
 authentication local pre-share
 authentication remote pre-share
 keyring aaa aaa_psk_list name-mangler aaa_psk_name_mangler
Example of FlexVPN client configuration
crypto ikev2 keyring local_keyring
 peer hub-router
  address 10.1.1.1
  pre-shared-key branch1-hub-key
!
crypto ikev2 profile default
 match identity remote fqdn hq.secretcorp.org
 identity local fqdn rtp-branch.secretcorp.org
 authentication local pre-share
 authentication remote pre-share
 keyring local local_keyring
Feature that allows logging information to be stored in binary files so that you can later retrieve it without adding any more stress on the infrastructure device
Event-trace monitoring