The document describes setting up an IPSec remote access VPN between a remote user's system and a perimeter router.
Key steps include:
1. Configuring two routers and a remote user VM in the GNS3 network simulator.
2. Testing connectivity and troubleshooting until it is achieved between all devices.
3. Configuring the perimeter router R2 as an IPSec VPN server, using local AAA to authenticate users.
4. Configuring IKE phase 1 parameters including pre-shared keys, encryption, and authentication.
5. Configuring a remote user group policy with an IP pool and pre-shared key.
6. Configuring IKE phase 2 IPSec transform sets for encrypting and
Rich Macfarlane 2013

10.1 Details

Aim: The aim of this lab is to introduce Virtual Private Network (VPN) concepts, using an IPSec remote access VPN between a remote user's system and a perimeter router. This will allow a remote user to access the trusted organisational network securely, over an untrusted network, such as the Internet.

10.2 Activities

10.2.1 Setup GNS, or Physical Router, Topology

Run the GNS network simulator from Windows Start Button>All Programs>GNS (as administrator). Configure GNS3 Preferences, and Images if necessary, as described in previous labs. Add 2 routers, and the XP virtual machine as defined in previous labs. A guide to adding VMs to GNS3 is also available in the following document: www.dcs.napier.ac.uk/~cs342/CSN11111/GNSAddVM.pdf
Configure the router interfaces, and enable them with the no shutdown command. Configure RIP routing on both routers. (Once the GNS3 topology is created, the router starting configurations in Appendix A can be used as a shortcut, or guide, to create the router configurations). Note: the Internet cloud and tunnel are for illustration, and are not part of the GNS3 configuration.
[Figure: Starting Topology, showing the IPSec VPN tunnel between the remote user and the perimeter router.]
Run the task manager (and keep it running), and check CPU usage. If at any point it nears 100%, recalculate the idlepc value for the router type.
10.2.2 Test Connectivity

Test connectivity, from each router, to each local router interface, to each of the other router's interfaces, and then to the Remote User XP VM, as shown below.
From R2:
From R1:
To test connectivity from the 192.168.20.0 network, again an extended ping can be used. For example, from the R2 router:
R2# ping
Protocol [ip]:
Target IP address: 192.168.5.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.20.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/34/72 ms
R2#
Were the pings successful? YES/NO
If not, troubleshoot the configuration, until connectivity is achieved.
Save the R1 and R2 running configurations to the routers' NVRAM, and then save the GNS3 project. Check that the configurations have been saved to the host machine if you want to keep them.
To test connectivity from the Remote User to the company's HQ network, ping and traceroute can be used, as shown below.
If not, troubleshoot the configuration, until connectivity is achieved.
10.2.3 Configure IPSec Remote Access VPN Server on R2

IPSec provides strong VPN security, using a suite of cryptographic security standards. It provides Authentication and Encryption to the IP layer, as well as transparently to the layers above. Routers, Firewalls and hosts can be configured as IPSec VPN endpoints (sometimes called VPN Terminators). A Cisco VPN Server will be configured on the R2 Perimeter Router. It can manage IPSec VPN policies, and push them out to VPN Clients on demand. This type of Cisco VPN Server can be configured on Routers, PIX/ASA security devices, and Cisco VPN Concentrators.
Access Control for Client VPN Policy Lookup using Local AAA

AAA is used to authenticate a remote user, before a VPN policy is pushed to their VPN endpoint (the remote user XP VM in this case), and for authorisation for network access.
Use the following commands in Privileged command mode, to set up VPN policy lookup.
Start the AAA services on the router:

R2# config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# aaa new-model

Configure an authentication list VPNAUTHEN for the VPN connection login, to use the local AAA user accounts:

R2(config)# aaa authentication login VPNAUTHEN local

Configure an authorisation list VPNAUTHOR for the VPN connection using the network, to use the local AAA user accounts:

R2(config)# aaa authorization network VPNAUTHOR local
Define user accounts in the local user account database:

R2(config)# username rich secret richpass
R2(config)# username bob secret bobpass
Check the configuration of AAA is correct, by viewing the router configuration.
Where will the router look for user names and passwords to authenticate remote VPN clients?
IKE facilitates the IPSec connections via Security Associations. It manages and exchanges keys, the hash algorithms, and the IPSec Security Associations (SA).
To configure IKE on Cisco devices, the crypto isakmp command is used to create an IKE policy with a priority of 3 (1 is the highest). Each IKE policy is used to create a different VPN tunnel, as the router may be the end point for several VPNs.

R2(config)# crypto isakmp policy 3
R2(config-isakmp)#
Now we are in ISAKMP policy configuration command mode, shown by the change in prompt. Next, we define that Pre-shared keys will be used to authenticate the peers at the end points of the VPN tunnel. The pre-shared keys are used with the hash algorithm in HMAC authentication of the sender in IKE phase I.

R2(config-isakmp)# authentication pre-share
Define the hash algorithm which will be used in the authentication process.

R2(config-isakmp)# hash md5
Define the key exchange mechanism to be used; the Diffie-Hellman group. The groups represent the length of keys generated: 768 bit Diffie-Hellman is Group 1, 1024 bit is group 2, and 1582 bit is group 3. Diffie-Hellman is used in phase I to exchange secret keys to be used for data encryption.

R2(config-isakmp)# group 2
Define the encryption algorithm which will be used for data encryption (other options are des, aes-256 etc).

R2(config-isakmp)# encryption 3des
R2(config-isakmp)# exit
R2(config)#
Check the crypto policy has been created successfully (check for typos).

R2# show crypto isakmp policy
Global IKE policy
Protection suite of priority 3
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R2#

Network Security VPNs: IPSec Remote Access VPN Rich Macfarlane 6
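Checking the policy by eye works for one router; on a fleet the same check is better scripted. The following is an added example (not part of the lab) that parses the text of show crypto isakmp policy and flags each protection suite whose algorithms fall below thresholds chosen for this audit. SAMPLE is a constructed copy of the output above (policy 3 plus the default suite); the thresholds (AES, a SHA-2 hash, a Diffie-Hellman group of at least 2048 bits) and the finding texts are this example's own assumptions.

```python
"""Rate the IKE (ISAKMP) policies a Cisco IOS router reports.

Added example, not part of the lab: parses 'show crypto isakmp policy'
output and flags protection suites below the thresholds set below.
"""
import re

# Constructed sample in the layout IOS prints (copied from the lab output).
SAMPLE = """\
Global IKE policy
Protection suite of priority 3
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# Audit thresholds (assumptions for this example): AES encryption, a SHA-2
# hash (IOS prints SHA-1 as plain "Secure Hash Standard" and SHA-2 as
# "Secure Hash Standard 2 (...)"), and a Diffie-Hellman group of >= 2048 bits.
MIN_DH_BITS = 2048


def parse_policies(text):
    """Split the command output into one dict per protection suite."""
    suites, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(?:Protection suite of priority (\d+)|Default protection suite)", line)
        if m:
            current = {"priority": int(m.group(1)) if m.group(1) else "default"}
            suites.append(current)
            continue
        # attribute lines look like "   hash algorithm:   Message Digest 5"
        m = re.match(r"\s*([A-Za-z\- ]+?):\s+(.*)", line)
        if m and current is not None:
            current[m.group(1).strip().lower()] = m.group(2).strip()
    return suites


def rate_suite(suite):
    """Return the list of findings for one suite; an empty list means it passes."""
    findings = []
    enc = suite.get("encryption algorithm", "")
    if "aes" not in enc.lower():
        findings.append(f"encryption '{enc}' is not AES")
    h = suite.get("hash algorithm", "")
    if "secure hash standard 2" not in h.lower():
        findings.append(f"hash '{h}' is not SHA-2")
    dh = suite.get("diffie-hellman group", "")
    bits = re.search(r"\((\d+) bit\)", dh)
    if not bits or int(bits.group(1)) < MIN_DH_BITS:
        findings.append(f"Diffie-Hellman group '{dh}' is below {MIN_DH_BITS} bits")
    return findings


def audit(text):
    """Map each suite's priority (or 'default') to its findings."""
    return {str(s["priority"]): rate_suite(s) for s in parse_policies(text)}


if __name__ == "__main__":
    for prio, findings in audit(SAMPLE).items():
        print(f"policy {prio}: " + ("OK" if not findings else "; ".join(findings)))
```

Run against the lab output, both policy 3 and the default suite produce three findings each, which is the expected result for a 2013 teaching configuration; the value of the script is in running it unchanged against the output of every router you are responsible for.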
Remote User Group Policy

A group of users can be defined and a VPN policy, which is compatible with the client, is attached to the group. The VPN policy defines the VPN attributes pushed out to the VPN client(s).
Configure a local pool of IP Addresses to be allocated to VPN clients. In this case we will give the VPN clients addresses on the same subnet (this is not always the case).

R2(config)# ip local pool IPPOOL 192.168.20.20 192.168.20.30
Configure a User Group Policy for Remote User VPN clients called REMOTE.

R2(config)# crypto isakmp client configuration group REMOTE
R2(config-isakmp-group)#
Now we are in ISAKMP group configuration command mode, shown by the change in prompt. Add a pre-shared key to the group policy, which will authenticate the VPN clients.

R2(config-isakmp-group)# key vpn123
Assign an IP Address pool, which the VPN clients will use.

R2(config-isakmp-group)# pool IPPOOL
Define a domain name, and exit ISAKMP group configuration mode.

R2(config-isakmp-group)# domain HQ.com
R2(config-isakmp-group)# exit
View the running configuration to check the Remote User Group Policy has been created successfully (check for typos).
10.2.5 Configure IKE Phase II Parameters

Data Protection

An IPSec Transform Set must now be configured. A transform set specifies the encryption and authentication algorithms used to protect the data within the IPSec VPN tunnel. IKE Phase I is the control of the tunnel, Phase II is the transformation of the data being protected.
Create a new transform set REMOTE_USER_SET, which will use the Encapsulating Security Payload (ESP) protocol, with AES for data encryption and SHA HMAC for data authentication and integrity.

R2(config)# crypto ipsec transform-set REMOTE_USER_SET esp-aes esp-sha-hmac
Set IPSec to use Tunnel mode, which means the entire IP Packet will be protected.

R2(cfg-crypto-trans)# mode tunnel
R2(cfg-crypto-trans)# exit
What is the alternative to the ESP protocol?
What does the Authentication Header (AH) protocol not provide which ESP does?
A Crypto map represents the IPSec configuration for a VPN, and must be created to allow the setup of IKE Phase II Security Associations (SA) for traffic to be protected (1 in each direction). Create a crypto map template, using the transform set REMOTE_USER_SET.

R2(config)# crypto dynamic-map DYN_MAP 10
R2(config-crypto-map)# set transform-set REMOTE_USER_SET
R2(config-crypto-map)# reverse-route
R2(config-crypto-map)# exit
R2(config)#
Create a crypto map REMOTE_USER_MAP, and specify client configuration settings. In this case the router is set to respond to VPN Client requests.

R2(config)# crypto map REMOTE_USER_MAP client configuration address respond
For the REMOTE_USER_MAP crypto map, specify VPN clients' User Authentication. Set the authentication list to the VPNAUTHEN list we created earlier, to specify that user accounts are local.

R2(config)# crypto map REMOTE_USER_MAP client authentication list VPNAUTHEN
For the REMOTE_USER_MAP crypto map, allow IKE group policy querying by VPN clients. Set the authorisation list to the VPNAUTHOR list we created earlier, to specify that the policy is stored locally.

R2(config)# crypto map REMOTE_USER_MAP isakmp authorization list VPNAUTHOR
For the REMOTE_USER_MAP crypto map, set the ipsec-isakmp parameter to specify that IKE will be used to establish security associations, and assign the dynamic crypto map template. The number 10 is the sequence number; lower numbered maps are used before higher numbered ones.

R2(config)# crypto map REMOTE_USER_MAP 10 ipsec-isakmp dynamic DYN_MAP
Assign the crypto map to the outside interface.

R2(config)# int fa1/0
R2(config-if)# crypto map REMOTE_USER_MAP
R2(config-if)# exit
*Mar 1 03:50:30.447: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config)#
[Figure: the crypto map REMOTE_USER_MAP applied on the outside interface Fa1/0 (the figure labels the commands as "interface S1/0" / "crypto map REMOTE_USER_MAP"), showing the trusted internal network, the untrusted Internet, encrypted VPN traffic, unencrypted VPN traffic, and the IPSec VPN tunnel.]
Check the IPSec VPN Server configuration, and the interface it is applied on, using the following.

R2# show crypto map
Crypto Map "REMOTE_USER_MAP" 10 ipsec-isakmp
        Dynamic map template tag: DYN_MAP

        Interfaces using crypto map REMOTE_USER_MAP:
                FastEthernet1/0
R2#
Check the IPSec ESP configuration, using the following.

R2# show crypto ipsec transform-set
Transform set REMOTE_USER_SET: { esp-aes esp-sha-hmac }
   will negotiate = { Tunnel, },
R2#
10.2.6 Configure VPN Client on the Remote User System

The VPN Client should be installed on the XP VM supplied for the course. If not, contact your instructor.

Create a new VPN Connection Entry

On the XP VM, start the VPN Client software, with Start>Programs>Cisco Systems VPN Client>VPN Client, as shown below.
Select Connection Entries>New, or click the New icon, as shown below.
Enter the IP Address of the outside interface of the VPN Server device, in this case 10.1.1.2. Click on the Authentication tab, and click the Group Authentication radio button. Enter the VPN User Group Name we configured earlier, and the Shared-Key defined for the group. What is the name of the VPN Remote User Group?
What is the shared-key used to authenticate?
Which IKE Phase is this used in?
Which technique is used for authentication?
Save the VPN Connection Entry, and the VPN Client application should look like the below.
10.2.7 Test the Remote Access VPN

On the Remote User XP VM, open a command window, and use the ipconfig command to check the network interface configuration, as shown below.
From the Remote User XP VM, connect to the HQ network using a VPN tunnel. From the VPN Client window, double click the HQ Connection. The following dialog box should be shown. Enter the user name and password of a user account.
Was the authentication successful? YES/NO Which user was successfully authenticated?
Where are these user accounts defined?
Once connected, the VPN Client application window should look like the following.
The VPN client lock icon should be shown in the Windows system tray, as shown below.
Hover the mouse over the lock icon. What is displayed?
On the R2 router, output similar to the following should be shown.

R2(config)#
04:50:35.370: %CRYPTO-4-SESSION_STATUS: Crypto tunnel is UP . Peer 192.168.5.10:500 Id: REMOTE
On the Remote User XP VM, open a command window, and use the ipconfig command to check the interfaces and IP Addresses now. What has changed?
What is the IP Address?
Where is this from?
A second virtual interface should have been created by the VPN Client, as shown below.
Disconnect from the VPN using the Disconnect button on the VPN client, and then reconnect, and log in again. On the XP VM, use the ipconfig command again. What is the IP Address of the virtual interface?
Where is this created from, and how many are left?
Right click the lock icon in the system tray and select Notifications, as shown below. This shows the connection history.
Right click the lock icon in the system tray and select Statistics, and select the Tunnel Details tab, as shown below. The Tunnel Details tab shows
What is the IP Address of the IPSec VPN server?
What is the Client IP Address of the current IPSec VPN Tunnel?
Which encryption algorithm is being used?
Which algorithm is being used for authentication?
Which type of algorithm is this?
Click the Reset button, and Leave the Statistics window open. From a command window ping the 192.168.20.5 interface. How many packets have been encrypted and sent through the VPN tunnel?
How many packets have been received through the VPN tunnel, and decrypted?
The window should look similar to the below.
Start Wireshark on the Remote User XP VM. Select the Capture>Interfaces menu item. From a command window ping the inside network, at 192.168.20.5. Which interface does Wireshark report packets passing through?
The interfaces window should look like the following.
Click Start on the VPN adapter interface. Ping again if packets are not displayed. Click on a packet and click on the ICMP protocol, in the protocols pane. Which protocol do the packets contain?
What is the source IP Address of the packets?
What is the destination IP Address of the packets?
The Wireshark window, packets pane, should look something like the following.
The Wireshark window, packet detail, and packet contents panes, should look something like the following. Note: the ICMP payload.
Start Wireshark on the R1 Fa0/0 interface. From a command window ping the inside network, at 192.168.20.5. If Wireshark does not show any packets, select the Capture>Interfaces menu item and select the VMware adapter with packets flowing through (this should be the 192.168.5.1 Virtual network adapter). Which interface does Wireshark report packets passing through?
The interfaces window should look like the following.
Click Start on the VPN adapter interface. Ping again if packets are not displayed. Click on a packet and click on the ICMP protocol, in the protocols pane. Which protocol do the packets contain?
What is the port number used by the protocol?
What is the source IP Address of the packets?
What is the destination IP Address of the packets?
What are the contents of the packets?
What has happened to the packets?
These are the same ping packets, but they have been encrypted and encapsulated with an ESP header at each end of the IPSec VPN tunnel. The Wireshark window should look something like the following.
In the Packet detail (protocols) pane, click on IP header. Is this the original ICMP packet IP header?
What are the 3 parts of the ESP header structure?
What does ESP header part 3 contain?
The Wireshark window should look something like the following.
The structure of the ESP packet is shown below.

  +----------------+-----------------------------+---------------------------+
  | New IP header  | ESP Header                  | Payload Data              |
  |                |  Security Parameters Index  |  IP header | DATA         |
  |                |  Sequence Number            |                           |
  +----------------+-----------------------------+---------------------------+
                   |<-------------------- Authenticated -------------------->|
                                                 |<------- Encrypted ------->|
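To make the structure above concrete, the following is an added example (not part of the lab) that builds and parses an ESP packet in that layout: the SPI and sequence number are readable in the clear, the payload is opaque, and the esp-sha-hmac integrity check value (a 96-bit truncation of HMAC-SHA1, per RFC 2404) covers the ESP header and the payload, so a change to any of those is detected. The key, SPI and payload bytes are constructed for the demonstration, and no real encryption is performed; the payload simply stands in for the encrypted inner IP packet. The replay check is a simplification of the RFC 4303 sliding window.

```python
"""Build and parse an ESP packet: SPI || Sequence Number || Payload || ICV.

Added example, not part of the lab. Keys and payload are constructed;
the payload is treated as opaque ciphertext and is not actually encrypted.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12                       # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits
AUTH_KEY = bytes(range(20))        # constructed 160-bit authentication key
CONSTRUCTED_CIPHERTEXT = bytes(range(32))  # stands in for the encrypted inner IP packet


def build_esp(spi, seq, ciphertext, auth_key=AUTH_KEY):
    """Emit the packet as a sender would: header, payload, then the ICV."""
    header = struct.pack("!II", spi, seq)          # SPI and sequence number, big-endian
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return header + ciphertext + icv


def parse_esp(packet, auth_key=AUTH_KEY):
    """Split a packet into its fields and report whether the ICV verifies."""
    if len(packet) < 8 + ICV_LEN:
        raise ValueError("packet too short to hold an ESP header and ICV")
    spi, seq = struct.unpack("!II", packet[:8])
    payload, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    # The authenticated span is everything except the ICV itself.
    expected = hmac.new(auth_key, packet[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
    return {"spi": spi, "seq": seq, "payload": payload,
            "icv_ok": hmac.compare_digest(icv, expected)}


class ReplayCheck:
    """Simplified anti-replay check on the sequence number: accept only
    sequence numbers higher than any already seen for the SPI. (RFC 4303
    uses a sliding window so that reordered packets are not dropped.)"""

    def __init__(self):
        self.highest = {}

    def accept(self, spi, seq):
        if seq <= self.highest.get(spi, 0):
            return False
        self.highest[spi] = seq
        return True


def demo():
    """Return (icv_ok for an intact packet, icv_ok after flipping a payload bit)."""
    pkt = build_esp(0x1A2B3C4D, 1, CONSTRUCTED_CIPHERTEXT)
    good = parse_esp(pkt)
    tampered = bytearray(pkt)
    tampered[12] ^= 0x01             # one bit inside the payload
    bad = parse_esp(bytes(tampered))
    return good["icv_ok"], bad["icv_ok"]


if __name__ == "__main__":
    intact, modified = demo()
    print(f"intact packet verifies: {intact}; modified packet verifies: {modified}")
```

Parsing shows exactly what a capture on R1 Fa0/0 can and cannot reveal: the SPI and sequence number (useful for matching packets to a tunnel and spotting replays), but nothing of the inner IP header or ICMP payload.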
On the R2 router use the following to display the current VPN tunnels.

R2# show crypto session
Crypto session current status

Interface: FastEthernet1/0
Session status: UP-ACTIVE
Peer: 192.168.5.10 port 1200
  IKE SA: local 10.1.1.2/500 remote 192.168.5.10/1200 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.50.21
        Active SAs: 2, origin: dynamic crypto map
R2#
How many Active Security Associations are there?
Why?
On the R2 router the following can be used to display the current state of the IPSec Security Associations. The following command shows initialised IPSec SAs.

R2# show crypto isakmp sa
dst             src             state          conn-id slot status
10.1.1.2        192.168.5.10    QM_IDLE              2    0 ACTIVE
R2#
The following can be used to display the IPSec SA encrypted traffic in detail.

R2# show crypto ipsec sa
The following shows part of the output.
Now review the final configuration for Router R2 in Appendix B.

10.3 Appendix A Starting router configurations
R1

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
interface FastEthernet0/0
 description int to the 192.168.5.0/24 network
 ip address 192.168.5.5 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description int to the Internet
 ip address 10.1.1.1 255.255.255.252
 duplex auto
 speed auto
 no shutdown
!
router rip
 network 0.0.0.0
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
R2

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
interface FastEthernet0/0
 ip address 192.168.20.5 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.252
 duplex auto
 speed auto
 no shutdown
!
router rip
 network 0.0.0.0
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
10.4 Appendix B Remote Access IPSec VPN router configurations

[Figure: final topology, showing the IPSec VPN tunnel.]
R1

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
! Inside network
interface FastEthernet0/0
 description int to the local 192.168.5.0/24 network
 ip address 192.168.5.5 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! Internet
interface FastEthernet1/0
 description int to the 10.1.1.0/24 network
 ip address 10.1.1.1 255.255.255.252
 duplex auto
 speed auto
!
router rip
 network 0.0.0.0
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
R2

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
! AAA for user authentication and authorisation
aaa new-model
!
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
! Local user accounts
username rich password 0 richpass
username bob password 0 bobpass
!
!
! IPSec Phase 1 SA parameters - IKE
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
!
! Remote VPN User Group parameters
crypto isakmp client configuration group REMOTE
 key vpn123
 domain cisco.com
 pool IPPOOL
!
!
! IPSec encryption and authentication algorithms
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
!
! IPsec Phase 2 SA parameters
crypto dynamic-map DYNMAP 10
 set transform-set MYSET
 reverse-route
!
!
crypto map CLIENTMAP client authentication list VPNAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
! Inside network
interface FastEthernet0/0
 ip address 192.168.20.5 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! IPSec crypto map on outside interface
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.252
 duplex auto
 speed auto
 crypto map CLIENTMAP
!
!
! Advertise all connected routes
router rip
 network 0.0.0.0
!
!
! IP Address pool for VPN remote users
ip local pool IPPOOL 192.168.20.20 192.168.20.30
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
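The R2 configuration above ties together every piece built in sections 10.2.3 to 10.2.5: the AAA lists must be the ones the crypto map references, the dynamic map must point at a defined transform set, the client group must point at a defined pool, and the crypto map must actually be applied to an interface. The following is an added example (not part of the lab) that checks those links in a running-config and separately lists the settings a reviewer would flag in this appendix: user accounts stored with cleartext "password 0" rather than "secret", and the DES/MD5 transform set and MD5 hash. R2_CONFIG is a constructed excerpt modelled on the Appendix B R2 configuration; the finding texts are this example's own wording.

```python
"""Check an IOS running-config for the remote access VPN pieces built in this lab.

Added example, not part of the lab. R2_CONFIG is a constructed excerpt
modelled on the Appendix B R2 configuration.
"""
import re

R2_CONFIG = """\
aaa new-model
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local
username rich password 0 richpass
username bob password 0 bobpass
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group REMOTE
 key vpn123
 pool IPPOOL
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto dynamic-map DYNMAP 10
 set transform-set MYSET
crypto map CLIENTMAP client authentication list VPNAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNAUTHOR
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.252
 crypto map CLIENTMAP
ip local pool IPPOOL 192.168.20.20 192.168.20.30
"""


def parse_blocks(config):
    """Return [(top-level command, [indented sub-commands])], skipping '!' lines."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config):
    """Return {'missing': [...], 'weak': [...]} for the remote access VPN setup."""
    blocks = parse_blocks(config)
    top = [cmd for cmd, _ in blocks]
    missing, weak = [], []

    def first(pattern):            # first top-level command matching pattern
        return next((m for m in (re.match(pattern, c) for c in top) if m), None)

    def children(pattern):         # sub-commands of the first block matching pattern
        return next((kids for cmd, kids in blocks if re.match(pattern, cmd)), None)

    if "aaa new-model" not in top:
        missing.append("aaa new-model")
    authen = first(r"aaa authentication login (\S+) local")
    author = first(r"aaa authorization network (\S+) local")
    if not authen:
        missing.append("aaa authentication login list")
    if not author:
        missing.append("aaa authorization network list")

    cm = first(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)")
    if not cm:
        missing.append("crypto map entry referencing a dynamic map")
    else:
        name, dyn = cm.group(1), cm.group(2)
        if authen and f"crypto map {name} client authentication list {authen.group(1)}" not in top:
            missing.append(f"crypto map {name} client authentication list")
        if author and f"crypto map {name} isakmp authorization list {author.group(1)}" not in top:
            missing.append(f"crypto map {name} isakmp authorization list")
        dyn_kids = children(rf"crypto dynamic-map {re.escape(dyn)} \d+")
        if dyn_kids is None:
            missing.append(f"crypto dynamic-map {dyn}")
        else:
            ts = next((k.split()[-1] for k in dyn_kids if k.startswith("set transform-set ")), None)
            ts_cmd = first(rf"crypto ipsec transform-set {re.escape(ts)} (.+)") if ts else None
            if ts_cmd is None:
                missing.append("transform set referenced by the dynamic map")
            elif re.search(r"esp-des|esp-3des|md5", ts_cmd.group(1)):
                weak.append(f"transform set {ts} uses {ts_cmd.group(1)}")
        if not any(f"crypto map {name}" in kids for cmd, kids in blocks if cmd.startswith("interface ")):
            missing.append(f"crypto map {name} applied to an interface")

    grp = children(r"crypto isakmp client configuration group \S+")
    if grp is None:
        missing.append("crypto isakmp client configuration group")
    else:
        pool = next((k.split()[1] for k in grp if k.startswith("pool ")), None)
        if not pool or not first(rf"ip local pool {re.escape(pool)} "):
            missing.append("ip local pool referenced by the client group")

    for m in (re.match(r"username (\S+) password 0 ", c) for c in top):
        if m:
            weak.append(f"username {m.group(1)} stored as cleartext 'password 0' (use 'secret')")
    policy = children(r"crypto isakmp policy \d+")
    if policy is not None and "hash md5" in policy:
        weak.append("isakmp policy uses hash md5")
    return {"missing": missing, "weak": weak}


if __name__ == "__main__":
    for kind, items in audit_config(R2_CONFIG).items():
        print(kind + ":", *items, sep="\n  ")
```

On the Appendix B configuration nothing is missing, and the weak list holds four entries: the two cleartext user passwords, the esp-des/esp-md5-hmac transform set, and the MD5 IKE hash. Removing the "crypto map CLIENTMAP" line from the interface block is the most common mistake in this lab, and the script reports it as a missing link rather than leaving you to discover it when the client cannot connect.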