FlexVPN

Posted on 17-Aug-2015

TRANSCRIPT

#clmel

Deploying FlexVPN with IKEv2 and SSL
BRKSEC-3013
Tom Alexander, Technical Leader, Cisco Services
Email: [email protected]
2015 Cisco and/or its affiliates. All rights reserved. BRKSEC-3013 Cisco Public

Agenda
- FlexVPN Introduction
  - Why FlexVPN
  - FlexVPN Positioning
  - FlexVPN Building Blocks
- Shortcut Switching (FlexMesh)
- FlexVPN & AAA Integration
- FlexVPN Redundancy
- Remote Access
- Wrap-up

Before We Begin...
Additional info slides:
- Rendered in the presentation PDF (download it through the Cisco Live portal)
- Not shown during the live presentation
- Cover extra details or small additional topics
"For your Reference" slides:
- Just for your reference when back at work. Will not be covered in detail.

Tidbits about your Speaker
- Tom the Bug @ Bugathon 13
- Cruising on VPN tunnels: 10+ years
- What's on my wall: "Treat your customer like your best friend"
- Longest WebEx session @ TAC: 15+ hours straight, 9 pm to 12 noon
- Mantra: Work hard, play hard! Don't make work a job, make it fun.
- Email: [email protected]

Introduction to FlexVPN and IKEv2
EasyVPN, DMVPN and Crypto Maps
Three legacy configurations, each with its own CLI model.

Easy VPN (dynamic VTI):
  crypto isakmp policy 1
   encr 3des
   authentication pre-share
   group 2
  crypto isakmp client configuration group cisco
   key cisco123
   pool dvti
   acl 100
  crypto isakmp profile dvti
   match identity group cisco
   client authentication list lvpn
   isakmp authorization list lvpn
   client configuration address respond
   virtual-template 1
  crypto ipsec transform-set dvti esp-3des esp-sha-hmac
  crypto ipsec profile dvti
   set transform-set dvti
   set isakmp-profile dvti
  interface Virtual-Template1 type tunnel
   ip unnumbered Ethernet0/0
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile dvti
  ip local pool dvti 192.168.2.1 192.168.2.2
  ip route 0.0.0.0 0.0.0.0 10.0.0.2
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any

DMVPN (mGRE + NHRP + BGP):
  crypto isakmp policy 1
   encr 3des
   authentication pre-share
   group 2
  crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
   mode transport
  crypto ipsec profile vpnprofile
   set transform-set vpn-ts-set
  interface Tunnel0
   ip address 10.0.0.254 255.255.255.0
   ip nhrp map multicast dynamic
   ip nhrp network-id 1
   tunnel source Serial1/0
   tunnel mode gre multipoint
   tunnel protection ipsec profile vpnprofile
  ip route 192.168.0.0 255.255.0.0 Null0
  router bgp 1
   bgp log-neighbor-changes
   redistribute static
   neighbor DMVPN peer-group
   bgp listen range 10.0.0.0/24 peer-group DMVPN
   neighbor DMVPN remote-as 1
   no auto-summary

Crypto map (remote access):
  crypto isakmp policy 1
   encr 3des
   authentication pre-share
   group 2
  crypto isakmp client configuration group cisco
   key pr3sh@r3dk3y
   pool vpnpool
   acl 110
  crypto ipsec transform-set vpn-ts-set esp-3des esp-sha-hmac
  crypto dynamic-map dynamicmap 10
   set transform-set vpn-ts-set
   reverse-route
  crypto map client-vpn-map client authentication list userauthen
  crypto map client-vpn-map isakmp authorization list groupauthor
  crypto map client-vpn-map client configuration address initiate
  crypto map client-vpn-map client configuration address respond
  crypto map client-vpn-map 10 ipsec-isakmp dynamic dynamicmap
  interface FastEthernet0/0
   ip address 83.137.194.62 255.255.255.240
   crypto map client-vpn-map
  ip local pool vpnpool 10.10.1.1 10.10.1.254
  access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255

VPN Technology Selection: Death by a thousand questions
- Failover time
- Failure detection method
- Hub & Spoke
- Spoke-to-Spoke direct
- Dynamic routing
- Route injection
- Per-peer ACLs
- Multi-ISP homing
- Multi-hub homing
- AAA manageability
- IPv4/IPv6 dual stack
- Crypto map or tunnels
- 3rd-party and legacy support
- QoS support
- Scalability
- High availability
- Dual DMVPN
- Feature order
- Multicast
- Solution vs. components
- Design complexity

FlexVPN Unifies
One VPN to learn and deploy. Everything works, no questions asked.

Unified overlay VPNs:
  VPN                              Easy VPN   DMVPN     Crypto Map   FlexVPN
  Interop                          No         No        Yes          Yes
  Dynamic Routing                  No         Yes       No           Yes
  IPsec Routing                    Yes        No        Yes          Yes
  Spoke-spoke direct (shortcut)    No         Yes       No           Yes
  Remote Access                    Yes        No        Yes          Yes
  Simple Failover                  Yes        partial   poor         Yes
  Source Failover                  No         No        No           Yes
  Config push                      Yes        No        No           Yes
  Per-peer config                  Yes        No        No           Yes
  Per-Peer QoS                     Yes        group     No           Yes
  Full AAA Management              Yes        No        No           Yes

FlexVPN Overview
What is FlexVPN?
- IKEv2-based unified VPN technology that combines site-to-site, remote-access, hub-spoke and spoke-to-spoke topologies

FlexVPN highlights:
- Unified CLI
- Based on and compliant with the IKEv2 standard
- Unified infrastructure: leverages the IOS point-to-point tunnel interface
- Unified features: most features available across topologies
- Key features: AAA, config-mode, dynamic routing, IPv6
- Per-spoke features for QoS, VRF, ZBFW, ACL, etc.
- Simplified configuration using smart defaults
- Interoperable with non-Cisco implementations
- Easier to learn, market and manage
IKEv2 and FlexVPN Feature History - T train

  PI     Release    Features introduced
  PI12   15.1(1)T   IKEv2 CLI, IKEv2 Site-Site (sVTI-sVTI, sVTI-dVTI), IKEv2 DMVPN
  PI13   15.1(2)T   IKEv2 Suite-B
  PI14   15.1(3)T   IKEv2 RA Server - interop with Win7 client, IKEv2 fragmentation
  PI15   15.1(4)M   IKEv2 IPv6 - sVTI, Crypto-Maps
  PI16   15.2(1)T   FlexVPN client; FlexVPN Server - interop with Win7, AnyConnect, FlexVPN clients;
                    FlexVPN Server v6 - interop with Win7; FlexVPN Smart Defaults; IKEv2 dVTI multi-SA
  PI17   15.2(2)T   FlexVPN Spoke-Spoke, Mode Config Separation, FlexVPN TAC EFT feedback, IKEv2 Debug Enhancements
  PI18   15.2(3)T   FlexVPN Client - IPv6 and EAP support (MSCHAP-v2, MD5 and GTC); FlexVPN client - Mixed mode
                    support using GRE (v4-over-v6 and v6-over-v4); IKEv2 Initial-Contact enhancements
  PI19   15.2(4)M   IKEv2 Load Balancer

IKEv2 and FlexVPN Feature History - S train

  XE     Release    Features introduced
  3.2    15.1(1)S   IKEv2 Site-Site (sVTI-sVTI, sVTI-dVTI), IKEv2 DMVPN
  3.3    15.1(2)S   IKEv2 RA Server - Win7 client
  3.5    15.2(1)S   FlexVPN Server interop with Win7, AnyConnect; FlexVPN Smart Defaults; IKEv2 dVTI multi-SA
  3.7    15.2(3)S   FlexVPN Server v6 interop with Win7; FlexVPN Client IPv4/IPv6; Mixed mode support using GRE
                    (v4-over-v6 and v6-over-v4); IKEv2 Initial-Contact enhancements; IKEv2 Debug Enhancements
  3.8    15.2(4)M   FlexVPN Spoke-Spoke; FlexVPN client EAP support (MSCHAP-v2, MD5 and GTC); IKEv2 load balancer

IKEv2 in a Few Words
- Defined in RFC 4306, updated by RFC 5996
- No interoperability with IKEv1
- Usage ramping up rapidly!
- Both versions use the same basic structure, aiming at: privacy, integrity, authentication
- Both run over UDP 500/4500
Flex is IKEv2 Only: Why Flex now?

- IKEv1 is a set of specifications: ISAKMP (RFC 2408), DOI (RFC 2407), IKE (RFC 2409), plus NAT-T, DPD and Mode-config. IKEv2 is a single specification: RFC 5996.
- Same objectives: authentication, integrity, privacy
- More secure: Suite B, anti-DoS
- Authentication options: EAP, hybrid auth, PSK, RSA-Sig
- Similar but different:
  - Uses UDP ports 500 & 4500
  - Identity exchange is cleaner
  - Main + Aggressive modes replaced by the INITIAL exchange
  - Acknowledged notifications

FlexVPN Building Blocks

FlexVPN and Interfaces
[Diagram: Hub 1 with a static tunnel (Tu0), a Virtual-Template (VT1) and dynamically created Virtual-Access interfaces (VA1, VA2, VA3) terminating Spoke 1, Spoke 2, Hub 2 and a Remote User; the topologies shown are Remote Access, Hub & Spoke, Dynamic Mesh and Site to Site.]
Legend: Tu = static tunnel; VT = virtual template; VA = Virtual-Access (dynamically created).

IKEv2 Configuration (introduced in 15.1(1)T)
Four constructs: IKEv2 proposal (optional, a default exists), IKEv2 policy (optional, a default exists), IKEv2 keyring, IKEv2 profile.

  crypto ikev2 proposal prop-1
   encryption aes-cbc-128 3des
   integrity sha1
   group 2
  !
  crypto ikev2 policy site-policy
   proposal prop-1
  !
  crypto ikev2 keyring V2-keyring
   peer cisco
    address 10.0.1.1
    pre-shared-key cisco123
  !
  crypto ikev2 profile prof
   match identity remote address 10.0.1.1
   authentication local pre-share
   authentication remote pre-share
   keyring V2-keyring
IKEv2 CLI Overview: the IKEv2 profile has an extensive CLI

  crypto ikev2 profile default
   identity local address 10.0.0.1
   identity local fqdn local.cisco.com
   identity local email [email protected]
   identity local dn
   match identity remote address 10.0.1.1
   match identity remote fqdn remote.cisco.com
   match identity remote fqdn domain cisco.com
   match identity remote email [email protected]
   match identity remote email domain cisco.com
   match certificate certificate_map
   match fvrf red
   match address local 172.168.1.1
   authentication local pre-share [key ]
   authentication local rsa-sig
   authentication local eap
   authentication remote pre-share [key ]
   authentication remote rsa-sig
   authentication remote eap
   keyring local
   keyring aaa
   pki trustpoint

- Self-identity control (identity local ...)
- Matching on peer identity or certificate (match identity remote ..., match certificate)
- Matching on local address and front VRF (match address local, match fvrf)
- Asymmetric local and remote authentication methods
- IOS-based and AAA-based pre-shared keyring

IKEv2 Basic Negotiation

  Initiator                                                         Responder
  HDR, SAi1, KEi, Ni                                          -->
                                                              <--   HDR, SAr1, KEr, Nr, [CERTREQ]
  HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr} -->
                                                              <--   HDR, SK {IDr, [CERT], AUTH, TSi, TSr}

- HDR: IKE header
- SA[i/r]: cryptographic algorithms the peer proposes/accepts
- KE[i/r]: initiator/responder key exchange material
- N[i/r]: initiator/responder nonce
- SK { }: payload encrypted and integrity protected
- ID[i/r]: initiator/responder identity
- CERT(REQ): certificate (request)
- AUTH: authentication data
- SAi2: includes SA, proposal and transform info to create the first CHILD_SA
- TS[i/r]: traffic selectors as src/dst proxies

IKEv2 Profile Match Statements
The responder picks the profile from the identity and certificate carried in the IKE_AUTH message: HDR, SK {IDi, [CERT], [CERTREQ], [IDr], AUTH, SAi2, TSi, TSr}.
- IDi drives: match identity remote address / match identity remote fqdn / match identity remote email
- The certificate (SubjectName: CN=RouterName, O=Cisco, OU=Engineering; IssuerName: CN=PKI Server, O=Cisco, [email protected]) drives: match certificate
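The profile-selection step described above, as an added example that is not Cisco code and not part of the original deck: a small Python model of how a responder walks its IKEv2 profiles and applies the "match identity remote ..." and "match certificate" statements to the peer's IDi and certificate. The profile names, the first-match evaluation order and the "contains" certificate-map operator are assumptions of this example; the identities are the ones shown on the slides.

```python
"""Added example (not Cisco code): how a FlexVPN responder selects an IKEv2
profile for a connecting peer, modelled after the 'match identity remote ...'
and 'match certificate' statements on the IKEv2 CLI overview slide.

Assumptions: profiles are evaluated in list order and the first hit wins; a
certificate map is a dict of subject attribute -> substring that must be
contained (the 'co' operator); identities and domains compare case-insensitively.
"""
from dataclasses import dataclass, field


@dataclass
class PeerIdentity:
    id_type: str                 # IKEv2 ID payload type: "address", "fqdn", "email" or "dn"
    value: str                   # the identity string carried in IDi
    cert_subject: dict = field(default_factory=dict)   # subject attributes of the peer cert, if sent


@dataclass
class Ikev2Profile:
    name: str
    match_address: set = field(default_factory=set)        # match identity remote address
    match_fqdn: set = field(default_factory=set)           # match identity remote fqdn
    match_fqdn_domain: set = field(default_factory=set)    # match identity remote fqdn domain
    match_email: set = field(default_factory=set)          # match identity remote email
    match_email_domain: set = field(default_factory=set)   # match identity remote email domain
    cert_map: dict = field(default_factory=dict)           # match certificate <map>: attr -> substring


def _domain_of(identity: str) -> str:
    """'joe.cisco.com' -> 'cisco.com'; 'joe@cisco.com' -> 'cisco.com'."""
    if "@" in identity:
        return identity.rsplit("@", 1)[1].lower()
    return identity.split(".", 1)[1].lower() if "." in identity else ""


def profile_matches(profile: Ikev2Profile, peer: PeerIdentity) -> bool:
    """True if any match statement of the profile accepts this peer."""
    v = peer.value.lower()
    if peer.id_type == "address" and v in profile.match_address:
        return True
    if peer.id_type == "fqdn" and (v in profile.match_fqdn or _domain_of(v) in profile.match_fqdn_domain):
        return True
    if peer.id_type == "email" and (v in profile.match_email or _domain_of(v) in profile.match_email_domain):
        return True
    # Certificate map: every configured attribute must contain the configured value.
    if profile.cert_map and peer.cert_subject:
        subject = {k.lower(): val.lower() for k, val in peer.cert_subject.items()}
        return all(needle.lower() in subject.get(attr.lower(), "")
                   for attr, needle in profile.cert_map.items())
    return False


def select_profile(profiles, peer):
    """Name of the first matching profile, or None (the responder would then
    fail the IKE_AUTH exchange rather than fall back to a permissive profile)."""
    for profile in profiles:
        if profile_matches(profile, peer):
            return profile.name
    return None


# Profiles built from the statements on the slide; the names are constructed here.
PROFILES = [
    Ikev2Profile("site-psk", match_address={"10.0.1.1"}),
    Ikev2Profile("default", match_fqdn_domain={"cisco.com"}, match_email_domain={"cisco.com"}),
    Ikev2Profile("by-cert", cert_map={"O": "cisco"}),   # like 'subject-name co o = cisco'
]

if __name__ == "__main__":
    for peer in (PeerIdentity("address", "10.0.1.1"),
                 PeerIdentity("fqdn", "remote.cisco.com"),
                 PeerIdentity("dn", "CN=RouterName,O=Cisco,OU=Engineering",
                              {"CN": "RouterName", "O": "Cisco", "OU": "Engineering"}),
                 PeerIdentity("fqdn", "spoke.example.net")):
        print(peer.id_type, peer.value, "->", select_profile(PROFILES, peer))
```

The last peer in the usage block returns None: a peer whose identity matches nothing is the case to watch for in "debug crypto ikev2" output, since an over-broad "match identity remote any" profile placed first would silently absorb it.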
IPsec CLI Overview: Tunnel Protection

  crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
  crypto ipsec profile default
   set transform-set default
   set crypto ikev2 profile default
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   tunnel protection ipsec profile default
  interface Tunnel0
   ip address 10.0.0.1 255.255.255.252
   tunnel source Ethernet0/0
   tunnel destination 172.16.2.1
   tunnel protection ipsec profile default

- The IPsec transform set defines the IPsec algorithms
- The IPsec profile defines SA parameters and points to the IKEv2 profile
- Tunnel protection links an interface to the IPsec profile
- Works on dynamic (Virtual-Template) and static (Tunnel) point-to-point interfaces

Introducing Smart Defaults: intelligent, reconfigurable defaults

These constructs are the Smart Defaults; they exist without being configured:
  crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
  crypto ipsec profile default
   set transform-set default
   set crypto ikev2 profile default
  crypto ikev2 proposal default
   encryption aes-cbc-256 aes-cbc-128 3des
   integrity sha512 sha256 sha1 md5
   group 5 2
  crypto ikev2 policy default
   match fvrf any
   proposal default
  crypto ikev2 authorization policy default
   route set interface
   route accept any

What you need to specify:
  crypto ikev2 profile default
   match identity remote address 10.0.1.1
   authentication local rsa-sig
   authentication remote rsa-sig
   aaa authorization user cert list default default
   pki trustpoint TP
  !
  interface Tunnel0
   ip address 192.168.0.1 255.255.255.252
   tunnel protection ipsec profile default
Static Site-to-Site Example (Router 1 and Router 2; the configuration shown is Router 2's)

  crypto ikev2 keyring my_keyring
   peer R1
    hostname r1.cisco.com
    pre-shared-key cisco123
  crypto ikev2 profile default
   match identity remote fqdn r1.cisco.com
   identity local fqdn r2.cisco.com
   authentication remote pre-share
   authentication local pre-share
   keyring local my_keyring
  !
  interface Tunnel0
   ip address 10.0.0.2 255.255.255.252
   tunnel source Ethernet0/0
   tunnel destination 192.0.2.1
   tunnel protection ipsec profile default
  !
  interface Ethernet0/0
   ip address 192.0.2.2 255.255.255.0
  !
  router rip
   version 2
   network 10.0.0.0
  ...

The exchange, step by step:
1. Router 1 and Router 2 perform IKE SA agreement and the Diffie-Hellman key exchange (not shown).
2. Router 1: "My IKE ID is r1.cisco.com (FQDN). My PSK authentication payload is ... I want to protect GRE traffic between ..."
3. Router 2 maps the connection to IKEv2 profile default by matching on the peer FQDN.
4. Router 2 verifies the peer's AUTH payload and produces its own based on the configured PSK, using its own FQDN as IKE ID.
5. Router 2: "My IKE ID is r2.cisco.com (FQDN). My PSK authentication payload is ... I agree to protect GRE traffic between ..."
6. Both finalize the IPsec SAs (GRE between local and remote WAN addresses).
7. Both establish the routing-protocol neighbourship and exchange prefixes.

FlexVPN AAA Integration
Dynamic Point-to-Point Interfaces

FlexVPN Server (the Virtual-Template is the P2P interface template):
  crypto ikev2 profile default
   ...
   virtual-template 1
  !
  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

Dynamically instantiated P2P interfaces (one per client; tunnel source and destination are filled in from the session):
  interface Virtual-Access1
   ip unnumbered Loopback0
   tunnel source
   tunnel destination
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output mobile-QoS
  interface Virtual-Access2
   ip unnumbered Loopback0
   tunnel source
   tunnel destination
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output traveler-QoS
  interface Virtual-Access3
   ip unnumbered Loopback0
   tunnel source
   tunnel destination
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default
   service-policy output home-office-QoS

Server routing table (RIB/FIB):
  S default       via Ethernet0/0
  L 10.0.1.1/32   local Loopback0
  S 10.0.1.10/32  via Virtual-Access1
  S 10.0.1.11/32  via Virtual-Access2
  S 10.0.1.12/32  via Virtual-Access3
  S 10.42.1.0/24  via Virtual-Access3

Clients are assigned 10.0.1.10/32, 10.0.1.11/32 and 10.0.1.12/32; the third client also has 10.42.1.0/24 behind it. Client side, a static P2P interface:
  interface Tunnel0
   ip address negotiated
   tunnel source Ethernet0/0
   tunnel destination
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

High-Level AAA Operations

Roles:
- RA Client: IKEv2 initiator, EAP supplicant
- FlexVPN Server: IKEv2 responder, RADIUS client (NAS), EAP authenticator
- AAA Server: RADIUS server, EAP backend

Authentication: certificate authentication; EAP client authentication; AAA PSK retrieval then PSK authentication.
Authorisation: local authorisation; RADIUS authorisation; cached authorisation; configuration exchange ("Your assigned IPv6 address is ...", "Your DNS server is ...", "There is no WINS server", "The protected subnets are ...").
Accounting: RADIUS accounting.
Building Block: IKEv2 Name Mangler
- Start with the peer's IKE or EAP identity
- Derive a username that is meaningful to AAA (local or RADIUS)

  crypto ikev2 name-mangler extract-user
   fqdn hostname
   email username
   dn common-name
   eap prefix delimiter @

Client identity examples and the resulting AAA username "joe":
- FQDN: joe.cisco.com
- Email: [email protected]
- DN: cn=joe,ou=IT,o=Cisco
- EAP: joe@cisco

Local AAA request: username joe. RADIUS AAA request: username joe, password cisco (static password, configurable).
Flow: RA Client (IKEv2 initiator) -> FlexVPN Server (IKEv2 responder, RADIUS NAS) -> AAA Server (RADIUS server).

Authorisation Types: not mutually exclusive, may be combined

Implicit user authorisation:
  crypto ikev2 profile default
   aaa authorization user {psk|eap} cached
  Uses cached attributes received from RADIUS during AAA PSK retrieval or EAP authentication.

Explicit user authorisation:
  crypto ikev2 profile default
   aaa authorization user {psk|eap|cert} list <list> [name <name> | name-mangler <mangler>]
  Retrieves user attributes from RADIUS (local database not supported).

Explicit group authorisation:
  crypto ikev2 profile default
   aaa authorization group {psk|eap|cert} [override] list <list> [name <name> | name-mangler <mangler>]
  Retrieves group attributes from RADIUS or the local database.

Reverse order of precedence (group > user). E.g.: aaa authentication user eap mylist
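The name-mangler and authorisation rules above, together with the precedence rules of the "Attributes Merging" and "Authorisation Example" slides that follow, as an added Python example (not Cisco code, not part of the original deck). It derives the AAA username the way "crypto ikev2 name-mangler" does and then merges cached user, explicit user and explicit group attributes. The user and group databases are constructed dicts standing in for RADIUS or the local "crypto ikev2 authorization policy"; the same mangled name is used to look up both user and group, which is a simplification of this example.

```python
"""Added example (not Cisco code): the FlexVPN server's AAA authorisation path,
from peer identity to the attribute set that ends up on the Virtual-Access.

Part 1 derives the username like 'crypto ikev2 name-mangler' (fqdn hostname,
email username, dn common-name / organization-unit, eap prefix with delimiter).
Part 2 merges attributes with the precedence the slides show: explicit user
beats cached user, and the merged user set beats the group set unless
'override' is configured on the group authorisation.
"""
from dataclasses import dataclass


@dataclass
class NameMangler:
    fqdn: str = "hostname"           # 'fqdn hostname' | 'fqdn domain'
    email: str = "username"          # 'email username' | 'email domain'
    dn: str = "common-name"          # 'dn common-name' | 'dn organization-unit' | 'dn organization'
    eap_prefix_delimiter: str = "@"  # 'eap prefix delimiter @'


_DN_KEYS = {"common-name": "cn", "organization-unit": "ou", "organization": "o"}


def mangle(mangler: NameMangler, id_type: str, identity: str) -> str:
    """Return the username the mangler extracts from an identity of the given type."""
    if id_type == "fqdn":
        host, _, domain = identity.partition(".")
        return host if mangler.fqdn == "hostname" else domain
    if id_type == "email":
        user, _, domain = identity.partition("@")
        return user if mangler.email == "username" else domain
    if id_type == "dn":
        # "cn=joe-pc, ou=Eng, o=Cisco" -> {"cn": "joe-pc", "ou": "Eng", "o": "Cisco"}
        rdns = {}
        for part in identity.split(","):
            key, _, val = part.partition("=")
            rdns[key.strip().lower()] = val.strip()
        return rdns.get(_DN_KEYS[mangler.dn], "")
    if id_type == "eap":
        return identity.split(mangler.eap_prefix_delimiter, 1)[0]
    raise ValueError(f"unsupported identity type {id_type!r}")


def merge_attributes(cached_user: dict, explicit_user: dict, explicit_group: dict,
                     group_override: bool = False) -> dict:
    """Merge the three attribute sets with the slide's precedence rules."""
    merged_user = {**cached_user, **explicit_user}   # explicit user attributes win over cached
    if group_override:                                # 'aaa authorization group ... override ...'
        return {**merged_user, **explicit_group}      # group attributes win
    return {**explicit_group, **merged_user}          # merged user attributes win


def authorize(mangler, id_type, identity, cached_user, user_db, group_db, group_override=False):
    """Full path: identity -> username -> attribute lookup -> merged attributes.
    user_db / group_db map names to attribute dicts (constructed stand-ins for RADIUS / local policy)."""
    username = mangle(mangler, id_type, identity)
    explicit_user = user_db.get(username, {})
    explicit_group = group_db.get(username, {})
    return username, merge_attributes(cached_user, explicit_user, explicit_group, group_override)


# Values from the 'Attributes Merging' slide (cached during EAP/PSK authentication).
CACHED = {"Framed-IP-Address": "10.0.0.101", "ipsec:dns-servers": "10.2.2.2"}
USER_DB = {"joe": {"Framed-IP-Address": "172.16.1.2"}}
GROUP_DB = {
    "joe": {"ipsec:dns-servers": "172.19.1.2", "ipsec:banner": "Welcome !"},
    # 'crypto ikev2 authorization policy Eng' from the Authorisation Example slide
    "Eng": {"pool": "pool-Eng", "netmask": "255.255.255.255", "aaa-attribute-list": "attr-Eng"},
}

if __name__ == "__main__":
    print(authorize(NameMangler(), "eap", "joe@cisco", CACHED, USER_DB, GROUP_DB))
    print(authorize(NameMangler(dn="organization-unit"), "dn",
                    "cn=joe-pc, ou=Eng, o=Cisco", {}, {}, GROUP_DB))
```

The second call in the usage block reproduces the Authorisation Example slide: the certificate DN is mangled to "Eng" and the group policy Eng (pool, netmask, attribute list) is what gets applied to the cloned Virtual-Access interface.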
Attributes Merging

Cached user attributes (received during AAA-based authentication):
  Framed-IP-Address    10.0.0.101
  ipsec:dns-servers    10.2.2.2

Explicit user attributes (received during explicit user authorisation):
  Framed-IP-Address    172.16.1.2

Merged user attributes (explicit user attributes take precedence):
  Framed-IP-Address    172.16.1.2
  ipsec:dns-servers    10.2.2.2

Explicit group attributes (received during explicit group authorisation):
  ipsec:dns-servers    172.19.1.2
  ipsec:banner         Welcome !

Final merged attributes (merged user attributes take precedence, except if group override is configured):
  Framed-IP-Address    172.16.1.2
  ipsec:dns-servers    10.2.2.2
  ipsec:banner         Welcome !

Authorisation Example

FlexVPN Server:
  aaa authorization network AUTHOR local
  aaa attribute list attr-Eng
   attribute type interface-config "ip vrf forwarding Eng"
   attribute type interface-config "ip unnumbered Loopback1"
  !
  crypto ikev2 authorization policy Eng
   pool pool-Eng
   netmask 255.255.255.255
   aaa attribute list attr-Eng
  !
  crypto pki certificate map cisco 1
   subject-name co o = cisco
  !
  crypto ikev2 name-mangler get-ou
   dn organization-unit
  !
  crypto ikev2 profile default
   match certificate cisco
   identity local dn
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint root
   aaa authorization group cert list AUTHOR name-mangler get-ou
   virtual-template 1
  !
  ip local pool pool-Eng 10.0.1.10 10.0.1.99
  !
  interface Loopback1
   vrf forwarding Eng
   ip address 10.0.1.1 255.255.255.255
  !
  interface Virtual-Template1 type tunnel
   no ip address
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile default

The exchange:
1. RA Client: "My IKE ID is cn=joe-pc, ou=Eng, o=Cisco. Here is my identity certificate. I need an IPv4 address."
2. Server maps the connection to IKEv2 profile default by matching on cert-map cisco.
3. Server performs certificate-based authentication (not shown).
4. Server runs the client IKE ID through name-mangler get-ou; the username output is Eng.
5. Server invokes AAA with list AUTHOR (local), username Eng, and gets authorization policy Eng.
6. Server clones Virtual-Template1 into Virtual-Access1, applies the VRF and IP unnumbered, and allocates an IPv4 address from pool pool-Eng.
7. Server: "Your IPv4 address is 10.0.1.10/32."

show derived-config ...
  interface Virtual-Access1
   vrf forwarding Eng
   ip unnumbered Loopback1
   tunnel source 192.0.2.2
   tunnel mode ipsec ipv4
   tunnel destination 192.168.221.129
   tunnel protection ipsec profile default

Accounting and Change of Authorisation

AAA Accounting
Hub 172.16.0.1 with LAN 192.168.100.0/24 and six spokes. From accounting we know a lot about each spoke:
  Spoke 1: Connected 22:51 03-Jan-2015   123.6 MB in   207.2 MB out
  Spoke 2: Connected 11:12 12-Oct-2014   403.1 GB in   880.1 GB out
  Spoke 3: Connected 22:34 12-Oct-2014   450.5 GB in   832.0 GB out
  Spoke 4: Connected 16:51 11-Oct-2014   539.7 GB in   989.4 GB out
  Spoke 5: Connected 10:34 10-Oct-2014   245.3 GB in   103.8 GB out
  Spoke 6: Connected 10:34 13-Nov-2014   245.3 GB in   872.6 GB out

Spoke 1 stands out: its session is recent and small. Its history:
  Spoke 1: 21:52 02-Jan-2015 to 22:50 03-Jan-2015   200.7 MB in   442.7 MB out
  Spoke 1: 21:53 01-Jan-2015 to 21:50 02-Jan-2015   231.1 MB in   401.2 MB out
  Spoke 1: 21:52 31-Dec-2014 to 21:50 01-Jan-2014   216.4 MB in   398.8 MB out
  Spoke 1: 10:34 12-Oct-2014 to 21:50 31-Dec-2014   90.12 GB in   180.6 GB out
  Spoke 1: 10:34 11-Jun-2014 to 21:50 12-Oct-2014   0.75 TB in    1.21 TB out

Since 31 Dec, Spoke 1 has been disconnecting and reconnecting every 24 hours.

Activating AAA Accounting, and why it is a good idea too
- Because it is simple!
- Captures even short-lived sessions: event driven vs. polling (e.g. SNMP)
- Reliable protocol (acknowledged): more reliable than SNMP traps
- Maps the identity to the statistics: no more crossing tables (IP/ID)
- You may need it anyway: authorisation, IP pool

  aaa group server radius MyRADIUS
   server-private 192.168.104.101 key cisco
  aaa accounting network ACCT start-stop group MyRADIUS
  crypto ikev2 profile default
   match identity remote fqdn domain mycompany.com
   authentication local rsa-sig
   authentication remote rsa-sig
   pki trustpoint TP
   aaa authorization group cert list default default
   aaa accounting cert ACCT
   virtual-template 1

The "aaa accounting cert ACCT" line tells IKEv2 to report session status. A good idea? Yes.

AAA Accounting: RA Client (192.168.221.129) - FlexVPN Server (10.0.0.1) - RADIUS Server (10.0.0.2); IKEv2 (EAP) and IPsec; assigned address 10.0.1.101

  aaa accounting network rad start-stop group frad
  aaa group server radius frad
   server-private 10.0.0.2 auth-port 1812 acct-port 1813 key s3cr3t
  !
  crypto ikev2 profile default
   aaa authentication eap frad
   aaa authorization user eap cached
   aaa accounting eap rad

Upon client connection the server sends a RADIUS Accounting-Request (Start) and receives an Accounting-Response; upon client disconnection it sends an Accounting-Request (Stop) and receives an Accounting-Response.

Accounting-Request (Start):
  Acct-Session-Id = "0000001B"
  Cisco-AVPair = "isakmp-phase1-id=acvpn"
  Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
  Framed-IP-Address = 10.0.1.101
  User-Name = "joe@cisco"
  Cisco-AVPair = "connect-progress=No Progress"
  Acct-Authentic = Local
  Acct-Status-Type = Start
  NAS-IP-Address = 10.0.0.1
  Acct-Delay-Time = 0

Accounting-Request (Stop):
  Acct-Session-Id = "0000001B"
  Cisco-AVPair = "isakmp-phase1-id=acvpn"
  Cisco-AVPair = "isakmp-initator-ip=192.168.221.129"
  Framed-IP-Address = 10.0.1.101
  User-Name = "joe@cisco"
  Acct-Authentic = Local
  Cisco-AVPair = "connect-progress=No Progress"
  Acct-Session-Time = 104
  Acct-Input-Octets = 13906
  Acct-Output-Octets = 11040
  Acct-Input-Packets = 207
  Acct-Output-Packets = 92
  Acct-Terminate-Cause = 0
  Cisco-AVPair = "disc-cause-ext=No Reason"
  Acct-Status-Type = Stop
  NAS-IP-Address = 10.0.0.1
  Acct-Delay-Time = 0

What the records carry: the IKE ID (isakmp-phase1-id), the client's public IP address (isakmp-initator-ip), the assigned IP address (Framed-IP-Address), the EAP username (User-Name) and the traffic statistics (Acct-*-Octets/Packets, Acct-Session-Time).

Demo: AAA CoA Magic! (Tom the Pundit)

A Simplistic Configuration: RADIUS-based Authentication, Authorisation and Accounting

  aaa group server radius ISE
   server-private 192.168.104.101 key CISCO
  !
  aaa authentication login ISE group ISE
  aaa authorization network ISE group ISE
  aaa accounting network ISE start-stop group ISE
  !
  aaa server radius dynamic-author
   client 192.168.104.101 server-key CISCO
   auth-type all
  !
  crypto ikev2 profile default
   match identity remote any
   identity local dn
   authentication remote eap query-identity
   authentication local rsa-sig
   pki trustpoint TRUSTPOINT
   aaa authentication eap ISE
   aaa authorization user eap cached
   aaa accounting eap ISE
   virtual-template 1

- "aaa authentication eap ISE": EAP authentication
- "aaa authorization user eap cached": authorisation from the attributes returned with the EAP exchange
- "aaa accounting eap ISE": accounting (optional but recommended)

How CoA Works: session is set up, the Virtual-Access is populated
Client (.1) - FlexVPN Server (.254) on 192.168.100.0/24 - RADIUS server:
  Server -> RADIUS: ACCESS (Request, Audit Session ID, username, password); possibly more round trips if EAP
  RADIUS -> Server: ACCESS (Accept, Profile)
  Profile applied to the Virtual-Access: ip access-list 100 in; service-policy Silver out
The Audit Session ID is generated by IOS and carried as a Cisco AV pair; it uniquely identifies each client session.

Accounting: session is set up, accounting starts
  Server -> RADIUS: ACCT (Audit Session ID, START, params)
  RADIUS -> Server: ACCT (Audit Session ID, ACK)
The Audit Session ID is the same unique ID generated by IOS, so accounting records and CoA requests refer to the same session.
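The accounting records above become useful once they are correlated per session and per peer. As an added example (not Cisco code, not from the original deck), here is a Python script that parses records in the "Attribute = Value" layout shown on the slide, pairs Start and Stop by Acct-Session-Id, sums traffic per peer, and flags the pattern called out on the AAA Accounting slide: a spoke that tears down and re-establishes its tunnel every 24 hours. Assumptions: an Event-Timestamp attribute (RFC 2869; not in the slide's sample records) carries the time of each record, the peer is identified by the isakmp-phase1-id AV pair, and all records below are constructed to mirror the Spoke 1 timeline on the slide.

```python
"""Added example (not Cisco code): session history and periodic-reconnect
detection from FlexVPN RADIUS accounting records.

Assumptions: 'Attribute = Value' records separated by a blank line (the slide's
layout), an Event-Timestamp attribute per record, and isakmp-phase1-id as the
peer identifier.  SAMPLE_RECORDS is constructed for this example.
"""
import re
from datetime import datetime, timedelta

SAMPLE_RECORDS = """\
Acct-Status-Type = Start
Acct-Session-Id = "00000010"
Event-Timestamp = "2014-12-31T21:52:00"
Cisco-AVPair = "isakmp-phase1-id=spoke1.mycompany.com"
Cisco-AVPair = "isakmp-initator-ip=198.51.100.11"
NAS-IP-Address = 172.16.0.1

Acct-Status-Type = Stop
Acct-Session-Id = "00000010"
Event-Timestamp = "2015-01-01T21:50:00"
Cisco-AVPair = "isakmp-phase1-id=spoke1.mycompany.com"
Acct-Session-Time = 86280
Acct-Input-Octets = 216400000
Acct-Output-Octets = 398800000
Acct-Terminate-Cause = 0

Acct-Status-Type = Start
Acct-Session-Id = "00000011"
Event-Timestamp = "2015-01-01T21:53:00"
Cisco-AVPair = "isakmp-phase1-id=spoke1.mycompany.com"

Acct-Status-Type = Stop
Acct-Session-Id = "00000011"
Event-Timestamp = "2015-01-02T21:50:00"
Cisco-AVPair = "isakmp-phase1-id=spoke1.mycompany.com"
Acct-Session-Time = 86220
Acct-Input-Octets = 231100000
Acct-Output-Octets = 401200000

Acct-Status-Type = Start
Acct-Session-Id = "00000012"
Event-Timestamp = "2015-01-02T21:52:00"
Cisco-AVPair = "isakmp-phase1-id=spoke1.mycompany.com"

Acct-Status-Type = Stop
Acct-Session-Id = "00000012"
Event-Timestamp = "2015-01-03T22:50:00"
Cisco-AVPair = "isakmp-phase1-id=spoke1.mycompany.com"
Acct-Session-Time = 89880
Acct-Input-Octets = 200700000
Acct-Output-Octets = 442700000

Acct-Status-Type = Start
Acct-Session-Id = "00000013"
Event-Timestamp = "2015-01-03T22:51:00"
Cisco-AVPair = "isakmp-phase1-id=spoke1.mycompany.com"

Acct-Status-Type = Start
Acct-Session-Id = "00000002"
Event-Timestamp = "2014-10-12T11:12:00"
Cisco-AVPair = "isakmp-phase1-id=spoke2.mycompany.com"
"""


def parse_records(text: str) -> list:
    """Parse blank-line separated 'Attribute = Value' records into dicts.
    Cisco-AVPair values ('key=value') are flattened to 'avpair:key'."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            name, _, value = line.partition("=")
            name, value = name.strip(), value.strip().strip('"')
            if name == "Cisco-AVPair":
                key, _, val = value.partition("=")
                rec["avpair:" + key] = val
            else:
                rec[name] = value
        records.append(rec)
    return records


def build_sessions(records: list) -> list:
    """Pair Start and Stop records by Acct-Session-Id, oldest first.  A Start
    without a Stop is an open session (stop=None, zero counters); a Stop without
    a Start (e.g. the collector restarted) is dropped."""
    open_starts, sessions = {}, []
    for rec in records:
        sid = rec["Acct-Session-Id"]
        ts = datetime.strptime(rec["Event-Timestamp"], "%Y-%m-%dT%H:%M:%S")
        if rec["Acct-Status-Type"] == "Start":
            open_starts[sid] = (rec, ts)
        elif rec["Acct-Status-Type"] == "Stop" and sid in open_starts:
            start_rec, start_ts = open_starts.pop(sid)
            sessions.append({"peer": start_rec["avpair:isakmp-phase1-id"], "start": start_ts,
                             "stop": ts, "in_octets": int(rec.get("Acct-Input-Octets", 0)),
                             "out_octets": int(rec.get("Acct-Output-Octets", 0))})
    for start_rec, start_ts in open_starts.values():
        sessions.append({"peer": start_rec["avpair:isakmp-phase1-id"], "start": start_ts,
                         "stop": None, "in_octets": 0, "out_octets": 0})
    return sorted(sessions, key=lambda s: s["start"])


def peer_totals(sessions: list) -> dict:
    """{peer: (input octets, output octets)} over closed sessions."""
    totals = {}
    for s in sessions:
        i, o = totals.get(s["peer"], (0, 0))
        totals[s["peer"]] = (i + s["in_octets"], o + s["out_octets"])
    return totals


def periodic_reconnects(sessions, period=timedelta(hours=24),
                        tolerance=timedelta(hours=1), min_sessions=3) -> dict:
    """Peers whose consecutive session starts are spaced 'period' apart, within
    'tolerance' (a tunnel that flaps on a fixed cycle).  Returns {peer: sessions}."""
    starts_by_peer = {}
    for s in sessions:                      # sessions are already sorted by start
        starts_by_peer.setdefault(s["peer"], []).append(s["start"])
    flagged = {}
    for peer, starts in starts_by_peer.items():
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if len(starts) >= min_sessions and all(abs(g - period) <= tolerance for g in gaps):
            flagged[peer] = len(starts)
    return flagged


if __name__ == "__main__":
    sessions = build_sessions(parse_records(SAMPLE_RECORDS))
    print(peer_totals(sessions))
    print(periodic_reconnects(sessions))   # spoke1 flagged, spoke2 not
```

A fixed 24-hour cycle in the Start records usually points at something on the spoke's path (an ISP forcing a daily PPP reconnect, a NAT or lifetime setting) rather than at an attack, but it is exactly the kind of signal that polling a hub with SNMP would miss, which is the slide's argument for turning accounting on.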
CoA: Packet of Disconnect (remote clearing of a session)
  RADIUS -> Server: CoA (Disconnect-Request, Audit Session ID)
  Server -> RADIUS: CoA (Disconnect-Request ACK, Audit Session ID)
The session is terminated. Accounting tells the administrator whether it is worth sending (session status).

CoA: Change of Authorisation, the real thing
  RADIUS -> Server: CoA (CoA-Request, Audit Session ID, new profile)
  Server -> RADIUS: CoA (CoA-Request ACK, Audit Session ID)
The session is updated in place: the Virtual-Access that had "ip access-list 100 in" and "service-policy Silver out" now carries "ip access-list 100 in" and "service-policy Gold out" (a "service-policy Slow out" profile is shown as another option).

Shortcut Swit­ching With IKEv2 Routing

FlexVPN Mesh: Network Diagram with Hub Resiliency
[Diagram: Hub 1 (172.16.0.1) and Hub 2 (172.16.0.2) share LAN 192.168.100.0/24 (.1, .2, gateway .254); each hub terminates spokes on Virtual-Access interfaces, each spoke uses a static tunnel interface per hub.]

Hub and Spoke Bootstrap Config Exchange

Hub interfaces: Ethernet0/0 172.16.0.1, Ethernet0/1 192.168.100.1, Loopback0 10.0.0.254/32.
Hub routing table before: 0.0.0.0/0 via 172.16.0.254 (E0/0); 192.168.100.0/24 Ethernet0/1.
Spoke interfaces: Ethernet0/0 172.16.1.1, Ethernet0/1 192.168.1.1, Tunnel0 10.0.0.1.
Spoke routing table before: 172.16.0.1/32 via 172.16.1.254 (E0/0); 192.168.1.0/24 Ethernet0/1.

  Spoke (172.16.1.1)                                                Hub (172.16.0.1)
  SA Prop (AES-256, SHA-1, DH 5), KEi, Ni                     -->
                                                              <--   SA Prop (AES-256, SHA-1, DH 5), KEr, Nr
  IDi=Spoke1.cisco.com, Auth, TSi, TSr, CFG_Req(IP4_SUBNET)   -->
          <--   IDr, cert, Auth, TSi, TSr, CFG_Reply(IP4_SUBNET=10.0.0.254/32, 192.168.0.0/16; IP4_ADDRESS=10.0.0.1)
  CFG_set(IP4_SUBNET=10.0.0.1/32, 192.168.1.0/24, 10.0.0.1/32) -->
                                                              <--   CFG_ack()

- 192.168.0.0/16 is a supernet covering all spokes' LAN prefixes
- IP4_ADDRESS is the spoke's assigned address (optional)

After the exchange:
Hub: Virtual-Access1 10.0.0.254/32; routing table adds 10.0.0.1/32 Virtual-Access1 and 192.168.1.0/24 Virtual-Access1.
Spoke: routing table adds 10.0.0.254/32 Tunnel0 and 192.168.0.0/16 Tunnel0.
FlexVPN Hub and Spoke IKE Route Exchange

Topology (shared by the following four slides):
- Spoke 1: physical 172.16.1.1, tunnel 10.0.0.1, LAN 192.168.1.0/24
- Spoke 2: physical 172.16.2.1, tunnel 10.0.0.2, LAN 192.168.2.0/24
- Hub 1 (.1): physical 172.16.0.1, tunnel 10.0.0.254, LAN 192.168.100.0/24
- Hub 2 (.2): physical 172.16.0.2, tunnel 10.0.0.253, LAN 192.168.100.0/24
- Tunnel100 links the two hubs

Routing tables after the IKE route exchange:
  Spoke 1                                 Spoke 2
  C 192.168.1.0/24   Eth0                 C 192.168.2.0/24   Eth0
  C 10.0.0.1         Tunnel0              C 10.0.0.2         Tunnel1
  S 0.0.0.0/0        Dialer0              S 0.0.0.0/0        Dialer0
  S 10.0.0.254/32    Tunnel0              S 10.0.0.253/32    Tunnel1
  S 192.168.0.0/16   Tunnel0              S 192.168.0.0/16   Tunnel1
  NHRP table: -                           NHRP table: -

  Hub 1                                   Hub 2
  C 10.0.0.254       Loopback0            C 10.0.0.253       Loopback0
  C 192.168.100.0/24 Eth0                 C 192.168.100.0/24 Eth0
  S 192.168.0.0/16   Tunnel100            S 192.168.0.0/16   Tunnel100
  S 10.0.0.0/8       Tunnel100            S 10.0.0.0/8       Tunnel100
  S 10.0.0.1         V-Access1            S 10.0.0.2         V-Access1
  S 192.168.1.0/24   V-Access1            S 192.168.2.0/24   V-Access1

FlexVPN Mesh: Indirection
Spoke 1 to Spoke 2 traffic follows 192.168.0.0/16 via Tunnel0 to Hub 1, crosses Tunnel100 to Hub 2 and reaches Spoke 2 over Hub 2's Virtual-Access1. There is a better path directly to the spoke.

FlexVPN Mesh: Resolution
Hub 1 sends an NHRP redirect; Spoke 1 sends Resolution(192.168.2.2) and Spoke 2 answers Resolution Reply(192.168.2.0/24). The tables change:
  Spoke 1 routing table adds:   H/S 10.0.0.2/32 V-Access1;  H/S 192.168.2.0/24 V-Access1
  Spoke 1 NHRP table:           10.0.0.2/32 -> 172.16.2.1;  192.168.2.0/24 -> 172.16.2.1
  Spoke 2 routing table adds:   H/S 10.0.0.1/32 V-Access1
  Spoke 2 NHRP table:           10.0.0.1 -> 172.16.1.1

FlexVPN Mesh: Shortcut Forwarding
With the H/S routes in place, Spoke 1 to Spoke 2 traffic uses the spoke-to-spoke Virtual-Access directly; the hub routing tables are unchanged.

FlexVPN Mesh (IKEv2 Routing): Hub 1 Configuration

  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   ip nhrp network-id 1
   ip nhrp redirect
   ip access-group AllowMyBGP in
   tunnel protection ipsec profile default
  !
  interface Loopback0
   ip address 10.0.0.254 255.255.255.255
  !
  interface Tunnel100
   ip unnumbered Loopback0
   ip nhrp network-id 1
   ip nhrp redirect
   tunnel source Ethernet0/1
   tunnel destination 192.168.100.2
  !
  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   identity local fqdn Hub1.cisco.com
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint TP
   dpd 10 2 on-demand
   aaa authorization group cert list default default
   virtual-template 1
  !
  crypto ikev2 authorization policy default
   route set remote 10.0.0.0 255.0.0.0
   route set remote 192.168.0.0 255.255.0.0

Notes:
- Virtual-Template1: static per-spoke features are applied here; local or AAA spoke profiles are supported.
- Per-spoke profiles can even control QoS, ZBF, NHRP redirect and network-id.
- Loopback0: Hub 1's dedicated overlay address.
- Tunnel100: inter-hub link (not encrypted).
- "match identity remote fqdn domain cisco.com": accept connections from spokes.
- NHRP is the magic: all Virtual-Access interfaces are in the same network-id, and the same NHRP network-id is used on the Virtual-Access interfaces and the inter-hub link.
- The authorization policy defines which prefixes should be protected; these prefixes can also be set by RADIUS.

FlexVPN Mesh (IKEv2 Routing): Hub 2 Configuration

  interface Virtual-Template1 type tunnel
   ip unnumbered Loopback0
   ip nhrp network-id 1
   ip nhrp redirect
   ip access-group AllowMyBGP in
   tunnel protection ipsec profile default
  !
  interface Loopback0
   ip address 10.0.0.254 255.255.255.255
  !
  interface Tunnel100
   ip unnumbered Loopback0
   ip nhrp network-id 1
   ip nhrp redirect
   tunnel source Ethernet0/1
   tunnel destination 192.168.100.2
  !
  crypto ikev2 profile default
   match identity remote fqdn domain cisco.com
   identity local fqdn Hub2.cisco.com
   authentication remote rsa-sig
   authentication local rsa-sig
   pki trustpoint TP
   dpd 10 2 on-demand
   aaa authorization group cert list default default
   virtual-template 1
  !
  crypto ikev2 authorization policy default
   route set remote 10.0.0.0 255.0.0.0
   route set remote 192.168.0.0 255.255.0.0

Notes:
- "identity local fqdn Hub2.cisco.com": dedicated identity (optional)
- Loopback0: dedicated overlay address
FlexVPN Mesh (IKEv2 Routing): Spoke Configuration

interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.2
 tunnel protection ipsec profile default
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set interface
 route set interface e0/0

Notes:
- Tunnel0 goes to Hub 1, Tunnel1 to Hub 2.
- Virtual-Template1 is the template cloned for spoke-to-spoke tunnels.
- QoS everywhere: QoS can be applied on the tunnels and on the virtual-template.
- route set interface is needed for the tunnel address exchange.

Shortcut Switching with a Routing Protocol (BGP)
FlexVPN Mesh with BGP Routing

Topology (recovered from the diagram):
- Spoke 1: physical 172.16.1.1, tunnel 10.0.0.1, LAN 192.168.1.0/24
- Spoke 2: physical 172.16.2.1, tunnel 10.0.0.2, LAN 192.168.2.0/24
- Hub 1: physical 172.16.0.1, tunnel 10.0.0.254, .1 on the hub LAN 192.168.100.0/24
- Hub 2: physical 172.16.0.2, tunnel 10.0.0.253, .2 on the hub LAN 192.168.100.0/24
- Tunnel 100: inter-hub link between Hub 1 and Hub 2

Spoke 1 routing table (NHRP table empty):
 C 192.168.1.0/24   Eth0
 C 10.0.0.1         Tunnel0
 S 0.0.0.0/0        Dialer0
 S 10.0.0.254/32    Tunnel0
 B 192.168.0.0/16   10.0.0.254

Spoke 2 routing table (NHRP table empty):
 C 192.168.2.0/24   Eth0
 C 10.0.0.2         Tunnel1
 S 0.0.0.0/0        Dialer0
 S 10.0.0.253/32    Tunnel1
 B 192.168.0.0/16   10.0.0.253

Hub 1 routing table:
 C 10.0.0.254         Loopback0
 C 192.168.100.0/24   Eth0
 S 192.168.0.0/16     Tunnel100
 S 10.0.0.0/8         Tunnel100
 S 10.0.0.1           V-Access1
 B 192.168.1.0/24     10.0.0.1

Hub 2 routing table:
 C 10.0.0.253         Loopback0
 C 192.168.100.0/24   Eth0
 S 192.168.0.0/16     Tunnel100
 S 10.0.0.0/8         Tunnel100
 S 10.0.0.2           V-Access1
 B 192.168.2.0/24     10.0.0.2

FlexVPN Mesh (BGP): Hub 1 Configuration

ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 address-family ipv4
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex timers 5 15
  neighbor Flex next-hop-self all
  redistribute static route-map rm
 exit-address-family
!
route-map rm permit 10
 match tag 2
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
interface Loopback0
 ip address 10.0.0.254 255.255.255.255
!
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.2

Notes:
- Virtual-Template1: static per-peer configuration goes here. Local or AAA spoke profiles are supported and can even control QoS, NHRP redirect and network-id.
- Loopback0: Hub 1's dedicated overlay address.
- Tunnel100: inter-hub link (not encrypted).
- NHRP is the magic: all virtual-access interfaces are in the same network-id, and the inter-hub link carries the same NHRP network-id as the virtual-access interfaces.
- The IKEv2 profile accepts connections from the spokes.
- The route-map filters which static routes are redistributed into BGP.
- bgp listen range dynamically accepts spoke BGP peerings.

FlexVPN Mesh (BGP): Hub 2 Configuration (almost the same as Hub 1 again)

ip route 10.0.0.0 255.0.0.0 Tunnel100 tag 2
ip route 192.168.0.0 255.255.0.0 Tunnel100 tag 2
!
router bgp 1
 bgp log-neighbor-changes
 bgp listen range 10.0.0.0/24 peer-group Flex
 !
 address-family ipv4
  redistribute static route-map rm
  neighbor Flex peer-group
  neighbor Flex remote-as 1
  neighbor Flex timers 5 15
  neighbor Flex next-hop-self all
 exit-address-family
!
route-map rm permit 10
 match tag 2
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group AllowMyBGP in
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
interface Loopback0
 ip address 10.0.0.253 255.255.255.255
!
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/1
 tunnel destination 192.168.100.1

Notes:
- identity local fqdn Hub2.cisco.com: dedicated identity (optional).
- Loopback0 10.0.0.253: dedicated overlay address.
FlexVPN Mesh (BGP): Spoke Configuration

interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel source Ethernet0/0
 tunnel destination 172.16.0.2
 tunnel protection ipsec profile default
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.0.0.253 remote-as 1
 neighbor 10.0.0.253 timers 5 15
 neighbor 10.0.0.254 remote-as 1
 neighbor 10.0.0.254 timers 5 15
 !
 address-family ipv4
  network 192.168.2.0
  neighbor 10.0.0.253 activate
  neighbor 10.0.0.254 activate
  maximum-paths ibgp 2

Notes:
- Tunnel0 goes to Hub 1, Tunnel1 to Hub 2.
- Virtual-Template1 is the template cloned for spoke-to-spoke tunnels.
- QoS everywhere: QoS can be applied on the tunnels and on the virtual-template.
- virtual-template 1 in the IKEv2 profile is needed for the tunnel address exchange.

Per-Session Features: ACL, VRF, ZbFW, QoS

Provisioning Per-Peer Features: Central and Distributed Models

The diagram shows a hub at 172.16.0.1 (.1 on 192.168.100.0/24, RADIUS server at .254) with spokes that differ in what they need: some spokes with high bandwidth, some with low bandwidth, some belonging to VRF Red, some to VRF Blue. Three ways to provision those differences:
- Option #1: features on different virtual-templates
- Option #2: local AAA profiles on the router
- Option #3: centralised policy enforcement on RADIUS
VRF Injection: Hub Injects Traffic into the Chosen VRF

Diagram (recovered values): hubs at 172.16.1.253 and 172.16.1.254, each with a private 192.168.100.0/24 segment (.1 / .2).
- Hub private interface(s) are in the inside VRF.
- The virtual-access interface is in the iVRF.
- A VRF on the spokes is optional (not in this example).
- The WAN is in the global routing table or in a front VRF.

Inside-VRF and Front-VRF

The virtual-access interface (tunnel) is created by IKEv2 and sits between two VRFs:
- Front door VRF (aka fVRF): the layer 2/3/4 side where IKE, AAA and BGP traffic arrive (global routing table in the diagram).
- Inside VRF (aka iVRF): VRF Red / Blue / Green, the layer 5+ side.
Applied by IKEv2 to the virtual-access interface:
 vrf forwarding Red
 tunnel vrf Blue
The remote protected prefix is added to the iVRF table.

Packet path through the virtual-access interface: input features, then output features, then tunnel encapsulation, then tunnel protection (encrypt), then post-encapsulation output features in the fVRF.

QoS in a Nutshell: Hierarchical Shaper

Each hub virtual-access interface needs its own policy:
- A parent shaper limits the total bandwidth.
- Child classes provide bandwidth reservation, priority queuing and fair queuing.

QoS Policy Map(s) Based on Spoke Bandwidth

class-map Control
 match ip precedence 6
class-map Voice
 match ip precedence 5
!
policy-map SubPolicy
 class Control
  bandwidth 20
 class Voice
  priority percent 60
!
policy-map Silver
 class class-default
  shape average 1000000
  service-policy SubPolicy
!
policy-map Gold
 class class-default
  shape average 5000000
  service-policy SubPolicy

Notes:
- Silver: 1 Mbps to each tunnel; Gold: 5 Mbps to each tunnel.
- SubPolicy: 20 kbps guaranteed to Control, 60% of the bandwidth for Voice.
iVRF + fVRF + QoS + ...

Applied by IKEv2 to the virtual-access interface:
 vrf forwarding Red
 tunnel vrf Blue
 service-policy out Gold
Any feature can be applied here: MTU, NAT, NHRP network-id, NHRP redirect, FW zone, QoS, VRF, ACL. Routes are applied here as well.

VRF Injection Hub Configuration, Option 1: Mapping with In-IOS Configuration (without AAA)

crypto ikev2 profile BLUE
 match identity remote fqdn domain blue
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 vrf forwarding BLUE
 ip unnumbered Loopback1
 service-policy Gold out
 tunnel protection ipsec profile default
!
crypto ikev2 profile RED
 match identity remote fqdn domain red
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 2
!
interface Virtual-Template2 type tunnel
 vrf forwarding RED
 ip unnumbered Loopback2
 service-policy Gold out
 tunnel protection ipsec profile default
!
crypto ikev2 profile GREEN
 match identity remote fqdn domain green
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 3
!
interface Virtual-Template3 type tunnel
 vrf forwarding GREEN
 ip unnumbered Loopback3
 service-policy Silver out
 tunnel protection ipsec profile default

Notes:
- A dedicated IKEv2 profile per group; the FQDN domain is the differentiator.
- Each virtual-template is in its VRF, with a loopback in that VRF.
- NHRP, ACLs, ... are added per template: heavy configuration.
VRF Injection Hub Configuration, Option 2: Mapping with AAA Group-Based Configuration

aaa new-model
aaa authorization network default local
!
crypto ikev2 profile default
 match identity remote any
 identity local fqdn Hub1.cisco.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 dpd 10 2 on-demand
 aaa authorization group cert list default name-mangler dom
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile default
!
crypto ikev2 name-mangler dom
 fqdn domain
!
aaa attribute list blue
 attribute type interface-config vrf forwarding BLUE
 attribute type interface-config ip unnumbered loopback1
 attribute type interface-config service-policy Gold out
crypto ikev2 authorization policy blue
 aaa attribute list blue
 route set interface
!
aaa attribute list red
 attribute type interface-config vrf forwarding RED
 attribute type interface-config ip unnumbered loopback2
 attribute type interface-config service-policy Silver out
crypto ikev2 authorization policy red
 aaa attribute list red
 route set interface
!
aaa attribute list green
 attribute type interface-config vrf forwarding GREEN
 attribute type interface-config ip unnumbered loopback3
 attribute type interface-config service-policy Gold out
crypto ikev2 authorization policy green
 aaa attribute list green
 route set interface

Notes:
- One common IKEv2 profile and a vanilla virtual-template.
- The name mangler extracts the profile name from the domain part of the peer's FQDN identity.
- Group profiles are kept on IOS as AAA attribute lists referenced by IKEv2 authorization policies.
VRF Injection Hub Configuration, Option 3: RADIUS-Based Profiles

aaa new-model
aaa authorization network default group RADIUS
aaa group server radius RADIUS
 server-private 192.168.100.2 auth-port 1812 acct-port 1813 key cisco123
!
crypto ikev2 profile default
 match identity remote any
 identity local fqdn Hub1.cisco.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 aaa authorization group cert list default name-mangler dom
 virtual-template 1
!
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile default
!
crypto ikev2 name-mangler dom
 fqdn domain

RADIUS group profiles (stored on the RADIUS server):

Profile blue / password cisco
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config=vrf forwarding BLUE
 ip:interface-config=ip unnumbered loopback 1
 ip:interface-config=service-policy Gold out

Profile red / password cisco
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config=vrf forwarding RED
 ip:interface-config=ip unnumbered loopback 2
 ip:interface-config=service-policy Silver out

Profile green / password cisco
 ipsec:route-accept=any
 ipsec:route-set=interface
 ip:interface-config=vrf forwarding GREEN
 ip:interface-config=ip unnumbered loopback 3
 ip:interface-config=service-policy Gold out

Notes:
- One common IKEv2 profile and a vanilla virtual-template; the profiles live on the RADIUS server.
- The name mangler extracts the profile name from the domain part of the peer's FQDN identity.
- These could also be per-peer profiles, or group + peer profiles (derivation).
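How the hub in options 2 and 3 turns a peer's IKEv2 identity into a group profile, as an added Python model that is not Cisco code: the name mangler keeps the domain part of the FQDN, the matching profile's av-pairs are applied to the cloned virtual-access interface, and "route set interface" advertises the unnumbered loopback. The case-insensitive profile lookup and the loopback address table are assumptions; the profiles are those shown on the slide.

```python
from typing import Dict, List, Optional

# Group profiles as stored on the RADIUS server (option 3), copied from the slide.
RADIUS_PROFILES: Dict[str, List[str]] = {
    "blue": ["ipsec:route-accept=any", "ipsec:route-set=interface",
             "ip:interface-config=vrf forwarding BLUE",
             "ip:interface-config=ip unnumbered loopback 1",
             "ip:interface-config=service-policy Gold out"],
    "red": ["ipsec:route-accept=any", "ipsec:route-set=interface",
            "ip:interface-config=vrf forwarding RED",
            "ip:interface-config=ip unnumbered loopback 2",
            "ip:interface-config=service-policy Silver out"],
    "green": ["ipsec:route-accept=any", "ipsec:route-set=interface",
              "ip:interface-config=vrf forwarding GREEN",
              "ip:interface-config=ip unnumbered loopback 3",
              "ip:interface-config=service-policy Gold out"],
}

# Assumed addresses of the hub's per-VRF loopbacks (the BGP/VRF slide uses 10.0.0.254 in each VRF).
LOOPBACK_ADDRESS = {"loopback 1": "10.0.0.254", "loopback 2": "10.0.0.254", "loopback 3": "10.0.0.254"}


def mangle_fqdn_domain(identity: str) -> Optional[str]:
    """'crypto ikev2 name-mangler dom' with 'fqdn domain': keep what follows the host name.
    An identity without a domain part yields None and therefore matches no profile."""
    _host, sep, domain = identity.partition(".")
    return domain if sep and domain else None


def lookup_profile(identity: str) -> Optional[List[str]]:
    """Resolve the IKEv2 identity to its group profile (case-insensitive match: assumption)."""
    domain = mangle_fqdn_domain(identity)
    return None if domain is None else RADIUS_PROFILES.get(domain.lower())


def build_virtual_access(identity: str, unit: int = 1) -> Optional[dict]:
    """Apply the profile's av-pairs to a clone of the vanilla Virtual-Template1.
    Returns None when the peer has no profile: nothing is authorised for it."""
    avpairs = lookup_profile(identity)
    if avpairs is None:
        return None
    config = [f"interface Virtual-Access{unit}"]
    route_set_interface, route_accept = False, "none"
    for pair in avpairs:
        key, _, value = pair.partition("=")
        if key == "ip:interface-config":
            config.append(" " + value)            # per-session interface command
        elif key == "ipsec:route-set" and value == "interface":
            route_set_interface = True
        elif key == "ipsec:route-accept":
            route_accept = value                  # which prefixes the peer may push back
    config.append(" tunnel protection ipsec profile default")   # inherited from the template
    advertised: List[str] = []
    if route_set_interface:
        # 'route set interface' advertises the unnumbered interface's address to the peer
        ref = next((l.split("ip unnumbered ", 1)[1] for l in config if "ip unnumbered " in l), None)
        if ref in LOOPBACK_ADDRESS:
            advertised.append(LOOPBACK_ADDRESS[ref] + "/32")
    return {"config": config, "advertise": advertised, "route_accept": route_accept}
```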
VRF Injection Hub Configuration, for Both Options: BGP and VRF Configuration

ip route vrf BLUE 10.0.0.0 255.0.0.0 Null0
ip route vrf BLUE 192.168.0.0 255.255.0.0 Null0
ip route vrf RED 10.0.0.0 255.0.0.0 Null0
ip route vrf RED 192.168.0.0 255.255.0.0 Null0
ip route vrf GREEN 10.0.0.0 255.0.0.0 Null0
ip route vrf GREEN 192.168.0.0 255.255.0.0 Null0
!
router bgp 1
 bgp listen range 10.1.0.0/16 peer-group BluePeer
 bgp listen range 10.2.0.0/16 peer-group RedPeer
 bgp listen range 10.3.0.0/16 peer-group GreenPeer
 !
 address-family ipv4 vrf BLUE
  redistribute static
  neighbor BluePeer peer-group
  neighbor BluePeer remote-as 1
 exit-address-family
 !
 address-family ipv4 vrf RED
  redistribute static
  neighbor RedPeer peer-group
  neighbor RedPeer remote-as 1
 exit-address-family
 !
 address-family ipv4 vrf GREEN
  redistribute static
  neighbor GreenPeer peer-group
  neighbor GreenPeer remote-as 1
 exit-address-family
!
vrf definition BLUE
 rd 1:1
 address-family ipv4
 address-family ipv6
interface Loopback1
 vrf forwarding BLUE
 ip address 10.0.0.254 255.255.255.255
!
vrf definition RED
 rd 2:2
 address-family ipv4
 address-family ipv6
interface Loopback2
 vrf forwarding RED
 ip address 10.0.0.254 255.255.255.255
!
vrf definition GREEN
 rd 3:3
 address-family ipv4
 address-family ipv6
interface Loopback3
 vrf forwarding GREEN
 ip address 10.0.0.254 255.255.255.255

Notes:
- The Null0 statics attract the summaries and drop non-reachable prefixes; redistribute static puts them into BGP.
- BGP dynamic peering: the listen ranges cannot currently overlap; follow CSCtw69765.
- Each VRF has its own control section: activate the peer group in its corresponding VRF.
VRF Injection Spoke Configuration: Vanilla IKE and BGP Configuration

aaa new-model
aaa authorization network default local
!
crypto ikev2 profile default
 match identity remote fqdn Hub1.cisco.com
 match identity remote fqdn Hub2.cisco.com
 identity local fqdn spoke1.RED
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
!
interface Loopback0
 ip address 10.1.0.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel destination 172.16.4.1
 tunnel protection ipsec profile default
!
router bgp 1
 bgp log-neighbor-changes
 network 192.168.0.0 mask 255.255.0.0
 neighbor Hub peer-group
 neighbor Hub remote-as 1
 neighbor Hub next-hop-self
 neighbor 10.0.0.253 peer-group Hub
 neighbor 10.0.0.254 peer-group Hub
 maximum-paths ibgp 2

Notes:
- Plain, simple IKEv2 profile: the IKEv2 identity (spoke1.RED) defines the group; the profiles are stored on the RADIUS server.
- The aaa authorization line is only necessary for the config exchange.
- Tunnel0 goes to Hub 1, Tunnel1 to Hub 2.
- Basic iBGP configuration with two hubs and equal-cost load balancing.

Case Study: Multi-tenant Hybrid Access

Use Case: Mixed Client and Branch Access

Requirements:
- A single router for software clients and remote branches (spokes)
- Spoke-to-spoke tunnels enabled on a per-branch basis
- VRF / QoS enforced per user / branch
- Branches use IKE certificates, clients use EAP (password or TLS certificates)

Proposed solution:
- A single IKEv2 profile and virtual-template
- Differentiated AAA authorisation depending on the authentication method

Diagram (recovered values): a FlexVPN hub on the Internet with multiple VRFs behind it and a RADIUS/EAP server in the management VRF; IPsec tunnels from Tom (VRF green, QoS Gold), Joe (VRF blue, QoS Bronze), Bob (VRF blue, QoS Silver), Branch A (VRF red, QoS Gold) and Branch B (VRF red, QoS Silver), with a shortcut tunnel between the branches.
FlexVPN Server Configuration

aaa new-model
aaa authentication login my-rad group my-rad
aaa authorization network my-rad group my-rad
!
crypto ikev2 profile default
 match identity remote fqdn domain example.com
 match identity remote {key-id | email | address} ...
 identity local dn
 authentication remote rsa-sig
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint my-ca
 aaa authentication eap my-rad
 aaa authorization user eap cached
 aaa authorization user cert list my-rad
 virtual-template 1 mode auto
!
interface Virtual-Template1 type tunnel
 no ip address
 [no need to specify tunnel mode]
 tunnel protection ipsec profile default

Notes:
- The AAA lines give RADIUS-based EAP authentication and AAA authorisation.
- match identity remote fqdn domain matches the branches; the further match statements are for clients (depending on the allowed client types).
- Two authentication remote lines allow peers to authenticate using either EAP or certificates.
- aaa authorization user eap cached: user authorisation uses the attributes returned during EAP authentication.
- aaa authorization user cert list my-rad: branch authorisation using RADIUS.
- virtual-template 1 mode auto: automatic detection of the tunnel mode (1), pure IPsec tunnel mode for clients and GRE/IPsec for branches/spokes.
(1) Starting with IOS-XE 3.12S.
RADIUS Server Configuration

User attributes returned by RADIUS with a successful EAP authentication (clients can perform password-based or TLS-based EAP authentication; with TLS the RADIUS account is the CN or UPN):

joe
 cleartext-password=c1sc0!
 ipsec:addr-pool=blue
 ip:interface-config=vrf forwarding blue
 ip:interface-config=ip unnumbered Loopback1
 ip:interface-config=service-policy output Bronze
 ip:interface-config=...

Branch router attributes returned by RADIUS during the AAA authorisation step:

branchA.example.com
 ip:interface-config=vrf forwarding red
 ip:interface-config=ip unnumbered Loopback3
 ip:interface-config=service-policy output Gold
 ip:interface-config=ip nhrp network-id 3
 ip:interface-config=ip nhrp redirect
 ipsec:route-set=prefix 192.168.0.0 255.255.0.0
 ipsec:route-accept=any

branchB.example.com
 ip:interface-config=vrf forwarding green
 ip:interface-config=ip unnumbered Loopback2
 ip:interface-config=service-policy output Silver
 ipsec:route-set=prefix 192.168.0.0 255.255.0.0
 ipsec:route-set=local 192.168.1.0 255.255.255.0

Notes:
- Add or remove the NHRP attributes to enable or disable spoke-to-spoke tunnels per branch.
- Branch A: prefixes are exchanged via IKEv2 routing (route-accept=any), so the branch controls its own prefix(es).
- Branch B: the branch prefix and QoS are controlled by the AAA server (route-set=local is installed as a local static route).

FlexVPN High Availability

FlexVPN Backup Mechanisms

Routing based:
- Dynamic routing (BGP, EIGRP, OSPF, RIP)
- IKEv2 routing
Tunnel origin / destination:
- Tunnel peer selection: backup peer list (static or downloadable), peer state tracking, backup groups, peer re-activation
- Tunnel source selection: tunnel pivoting
- Load balancing

FlexVPN Backup: IKE Backup Peers (1)

Diagram: two hubs (172.16.0.1 and 172.16.0.2, .1 and .2 on 192.168.100.0/24). Tunnels are set up to a primary hub.
FlexVPN Backup: IKE Backup Peers (2)

Diagram: the same two hubs (172.16.0.1 and 172.16.0.2). Hub 1 fails; new tunnels are set up to the backup hub.

FlexVPN Backup: IKE Backup Peers (3), Spoke Configuration

crypto ikev2 authorization policy default
 route set interface
 route set access-list 99
!
aaa authorization network default local
!
crypto ikev2 profile default
 match certificate HUBMAP
 identity local fqdn Spoke1.cisco.com
 authentication remote rsa-sig
 authentication local pre-share
 keyring local
 pki trustpoint CA
 aaa authorization group cert list default default
 dpd 30 2 on-demand
!
crypto ikev2 client flexvpn default
 client connect Tunnel0
 peer 1 172.16.1.254
 peer 2 172.16.1.253
!
interface Tunnel0
 ip address negotiated
 tunnel source FastEthernet0/0
 tunnel destination dynamic
 tunnel protection ipsec profile default

Notes:
- Powerful peer syntax: peer <seq> <address> [track <object>]; the Nth source is selected only if the corresponding track object is up.
- peer 1 is the primary hub, peer 2 the secondary hub.
- dpd 30 2 on-demand detects a hub failure.
- tunnel destination dynamic: the destination is managed by FlexVPN. This also works with a routing protocol.
- RADIUS backup list attribute: ipsec:ipsec-backup-gateway, up to 10 backup gateways pushed by config-exchange.

FlexVPN Backup Mechanisms: Backup Peer List

- No explicit destination is configured on the tunnel interface: tunnel destination dynamic.
- The peer to connect to is derived from a list at tunnel establishment time.
- The peer list can be fully static or partially downloadable; a downloadable list requires at least one static peer to retrieve the list from.
- Peers are assigned a sequence number (explicit or implicit) which determines their priority: the lowest is the most preferred.
- Selection of the active peer in case of failure relies on the waterfall model: use the peers in turn until the bottom of the list is reached, then start again from the top.
- Dead Peer Detection (DPD) is required for proper operation.

FlexVPN Backup: Downloadable Backup Peer List

Static peer list (locally configured):
 Seq 10: Peer 1
 Seq 20: Peer 2
 Seq 30: Peer 3
Downloadable peer list (received from Peer 2):
 Seq 10: Peer 2.1
 Seq 20: Peer 2.2

- Peer 1 is selected initially (sequence number based).
- If Peer 1 fails, Peer 2 is selected (sequence number based).
- Upon connection to Peer 2, a downloadable peer list is received.
- Upon failure of Peer 2, Peer 2.1 and then Peer 2.2 are selected (part of the downloadable peer list).
- Downloadable list peers are used until the last downloadable list peer fails.
- Upon successful connection to the next peer in the static list, the downloadable list is deleted.

FlexVPN Backup: Re-activation of the Primary Peer

track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 3 ip sla 3 reachability
!
crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1 track 1
 peer 2 10.0.0.2 track 2
 peer 3 10.0.0.3 track 3
 peer reactivate
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 tunnel destination dynamic

Diagram: the client probes hubs 10.0.0.1, 10.0.0.2 and 10.0.0.3 with ICMP-echo IP SLA probes; each tracker state (up/down) gates its peer, and the IPsec tunnel goes to the active peer.
- Allows re-establishing the tunnel directly to the preferred peer as soon as it is available again.
- Trackers are required for this feature.
FlexVPN Backup: Backup Groups

Backup groups guarantee that a peer belonging to different peer lists in the same backup group is never active in more than one peer list at a given time.

crypto ikev2 client flexvpn remote1
 peer 1 10.0.0.1
 peer 2 10.0.0.2
 peer 3 10.0.0.3
 backup group 1
 client connect Tunnel0
!
crypto ikev2 client flexvpn remote2
 peer 1 10.0.0.1
 peer 2 10.0.0.2
 peer 3 10.0.0.3
 backup group 1
 client connect Tunnel1
!
interface Tunnel0
 ip address negotiated
 tunnel destination dynamic
!
interface Tunnel1
 ip address negotiated
 tunnel destination dynamic

Diagram: a client with Tu0 over Service Provider 1 and Tu1 over Service Provider 2 towards Hub 1 (10.0.0.1), Hub 2 (10.0.0.2) and Hub 3 (10.0.0.3). For remote2, 10.0.0.1 cannot be used because it is already active in the remote1 peer list of the same group.

FlexVPN Backup: Tunnel Pivoting

Use when different service providers are used to connect to the remote host.

track 1 ip sla 1 reachability
!
crypto ikev2 client flexvpn remote1
 peer 10.0.0.1
 source 1 interface GigabitEthernet0/0 track 1
 source 2 interface Cellular0/0
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 tunnel source dynamic
 tunnel destination dynamic

Diagram: the client reaches the hub over Service Provider 1 (GigE0/0, tracked by an ICMP-echo IP SLA probe) or over Service Provider 2 (Cellular0/0); the tracker state (up/down) decides which source the IPsec tunnel uses.

FlexVPN Backup: IKEv2 Load-Balancer, Client Connection (cluster formation)

Diagram: Hub 1 (.11), Hub 2 (.12) and Hub 3 (.13) on LAN 10.0.0.0/24 with VIP .5 and a WAN side. Hub 1 is HSRP active and CLB master; Hub 2 and Hub 3 are HSRP standby and CLB slaves.
1. HSRP election: the HSRP active router takes over the VIP (.5).
2. CLB registration: the HSRP standby routers become CLB slaves and register to the master (HSRP active).

On Hub 1:
*Nov 20 12:43:58.488: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.13 connected.
*Nov 20 12:43:58.493: %CLB-6-CLB_SLAVE_CONNECTED: Slave 10.0.0.12 connected.
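The backup-peer mechanisms of the preceding slides (static peer list walked as a waterfall, downloadable peer list, tracker-gated peers with "peer reactivate", and backup groups), as an added Python model that is not Cisco code. Peer addresses and tracker names are constructed; the `reachable` callback stands in for the outcome of IKE negotiation and DPD.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(order=True)
class Peer:
    seq: int                      # sequence number: the lowest is the most preferred
    address: str
    track: Optional[str] = None   # tracker object (e.g. an IP SLA probe); None = untracked


@dataclass
class BackupGroup:
    """Shared by every client block configured with the same 'backup group N'."""
    active: Dict[str, str] = field(default_factory=dict)   # peer address -> block name


class FlexVpnClient:
    """One 'crypto ikev2 client flexvpn' block driving a 'tunnel destination dynamic'."""
    def __init__(self, name, static_peers, reactivate=False, group=None):
        self.name = name
        self.static: List[Peer] = sorted(static_peers)   # walked in sequence-number order
        self.static_pos = -1                 # index of the static peer last connected to
        self.downloaded: List[Peer] = []     # list pushed by that peer, if any
        self.dl_pos = 0                      # next downloaded peer to try
        self.reactivate = reactivate
        self.group: Optional[BackupGroup] = group
        self.current: Optional[Peer] = None

    def _usable(self, peer, reachable, trackers):
        if peer.track and not trackers.get(peer.track, False):
            return False    # tracker down: skipped without an IKE attempt
        if self.group and self.group.active.get(peer.address, self.name) != self.name:
            return False    # already active in another block of the same backup group
        return reachable(peer.address)   # outcome of the IKE negotiation / DPD

    def _candidates(self):
        """Waterfall order: remaining downloaded peers, then the static peers below the
        one the list came from, then wrap around to the top of the static list."""
        return (self.downloaded[self.dl_pos:]
                + self.static[self.static_pos + 1:]
                + self.static[:self.static_pos + 1])

    def _activate(self, peer, from_static, downloads):
        if self.group:
            if self.current:
                self.group.active.pop(self.current.address, None)
            self.group.active[peer.address] = self.name
        self.current = peer
        if from_static:
            self.static_pos = self.static.index(peer)
            # a new static peer deletes the old downloadable list and may push its own
            self.downloaded = sorted(downloads.get(peer.address, []))
            self.dl_pos = 0
        else:
            self.dl_pos = self.downloaded.index(peer) + 1

    def connect(self, reachable, trackers=None, downloads=None):
        """Select the next peer down the waterfall; None once every peer has failed."""
        trackers, downloads = trackers or {}, downloads or {}
        for peer in self._candidates():
            if self._usable(peer, reachable, trackers):
                self._activate(peer, peer not in self.downloaded, downloads)
                return peer.address
        return None

    def maybe_reactivate(self, reachable, trackers, downloads=None):
        """'peer reactivate': return to a more preferred tracked peer once its tracker is up."""
        if not self.reactivate or self.current is None:
            return None
        for peer in self.static[:self.static_pos]:
            if peer.track and self._usable(peer, reachable, trackers):
                self._activate(peer, True, downloads or {})
                return peer.address
        return None


def walkthrough():
    """Constructed scenario from the downloadable-peer-list and re-activation slides."""
    static = [Peer(10, "10.0.0.1", "track1"), Peer(20, "10.0.0.2"), Peer(30, "10.0.0.3")]
    downloads = {"10.0.0.2": [Peer(10, "10.0.2.1"), Peer(20, "10.0.2.2")]}
    down = {"10.0.0.1"}                       # peers that currently fail IKE / DPD
    reachable = lambda address: address not in down
    trackers = {"track1": False}
    client = FlexVpnClient("remote1", static, reactivate=True)
    history = [client.connect(reachable, trackers, downloads)]   # Peer 1 down -> Peer 2
    for failed in ("10.0.0.2", "10.0.2.1", "10.0.2.2"):           # then 2.1, 2.2, Peer 3
        down.add(failed)
        history.append(client.connect(reachable, trackers, downloads))
    down.discard("10.0.0.1")
    trackers["track1"] = True                                    # Peer 1 is back
    history.append(client.maybe_reactivate(reachable, trackers, downloads))
    return history


def backup_group_demo():
    """Two blocks (Tunnel0, Tunnel1) in one backup group never use the same hub at once."""
    group = BackupGroup()
    hubs = [Peer(1, "10.0.0.1"), Peer(2, "10.0.0.2"), Peer(3, "10.0.0.3")]
    remote1 = FlexVpnClient("remote1", hubs, group=group)
    remote2 = FlexVpnClient("remote2", hubs, group=group)
    return [remote1.connect(lambda a: True), remote2.connect(lambda a: True)]
```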
FlexVPN Backup: IKEv2 Load-Balancer, Client Connection

Diagram: Hub 1 (.11, HSRP active, CLB master), Hub 2 (.12) and Hub 3 (.13) (HSRP standby, CLB slaves) on LAN 10.0.0.0/24, VIP .5, client on the WAN.
1. The client sends IKE SA_INIT with REDIRECT_SUPPORTED to the VIP (.5).
2. The CLB master selects the least loaded gateway (LLG), here Hub 3.
3. The CLB master sends a redirect to the client pointing at Hub 3.
4. The client establishes the IKEv2 session with the LLG hub (Hub 3).

IKEv2 Load-Balancer: Hub 1 Configuration (the configuration of the slave hubs is almost identical, except for the HSRP priority)

crypto ikev2 redirect gateway init
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Hub1.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 authorization policy default
 route set interface
!
crypto ikev2 cluster
 standby-group vpngw
 slave max-session 10
 no shutdown
!
interface Ethernet0/0
 ip address 10.0.0.11 255.255.255.0
 standby 1 ip 10.0.0.5
 standby 1 name vpngw
!
interface Loopback0
 ip address 172.16.1.11 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 tunnel source Ethernet1/0
 tunnel protection ipsec profile default

Notes:
- crypto ikev2 redirect gateway init activates the sending of IKEv2 redirects during SA_INIT.
- The HSRP group name (standby 1 name vpngw) must match the IKEv2 cluster configuration (standby-group vpngw).

IKEv2 Load-Balancer: Client Configuration

crypto ikev2 authorization policy default
 route set interface
!
crypto ikev2 redirect client max-redirects 10
!
crypto ikev2 profile default
 match identity remote fqdn domain cisco.com
 identity local fqdn Spoke2.cisco.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP
 dpd 10 2 on-demand
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ikev2 client flexvpn VPN_LB
 peer 1 10.0.0.5
 client connect Tunnel0
!
interface Tunnel0
 ip address 172.16.1.100 255.255.255.0
 ip mtu 1400
 tunnel source Ethernet0/0
 tunnel destination dynamic
 tunnel protection ipsec profile default

Notes:
- crypto ikev2 redirect client max-redirects 10 activates IKEv2 redirection support and limits the redirect count (DoS prevention).
- The FlexVPN peer is configured with the VIP address only.

FlexVPN Backup: IKEv2 Load Balancer

- Redirects inbound IKEv2 negotiations to the Least Loaded Gateway (LLG).
- Implements RFC 5685.
- The redirect is performed during IKEv2 SA_INIT or IKE_AUTH.
- Relies on HSRP for device failure detection and master selection.
- Relies on the Cisco Load Balancing (CLB) protocol (TCP/2012) to report load to the cluster master.
- Available since 15.2(4)M.

FlexVPN IKEv2 Remote Access

Anywhere, Any Device Access: more diverse users, working from more places, using more devices, accessing more diverse applications, and passing sensitive data. Any location, any device, any application; the FlexVPN framework covers IKEv2/IPsec and SSL.
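The redirect flow of the load-balancer slides above, as an added Python model that is not Cisco code: the HSRP active hub answers an IKE_SA_INIT sent to the VIP with REDIRECT_SUPPORTED by redirecting to the least loaded gateway (RFC 5685), and the client follows redirects only up to its max-redirects. The load metric (sessions divided by max-session) and the tie-break are assumptions, not the CLB protocol; addresses are the slide's.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Gateway:
    address: str
    max_session: int           # 'slave max-session N' on the hub
    sessions: int = 0

    @property
    def load(self) -> float:   # assumed load metric reported to the CLB master
        return self.sessions / self.max_session


class Cluster:
    """CLB master view: the HSRP active hub owning the VIP plus the registered slaves."""

    def __init__(self, vip: str, master: str, gateways: List[Gateway]):
        self.vip = vip
        self.master = master
        self.gateways: Dict[str, Gateway] = {g.address: g for g in gateways}

    def least_loaded(self) -> Gateway:
        return min(self.gateways.values(), key=lambda g: (g.load, g.address))

    def handle_sa_init(self, dst: str, redirect_supported: bool) -> Tuple[str, Optional[str]]:
        """Responder side of IKE_SA_INIT. A redirect-capable client hitting the VIP gets a
        REDIRECT notify with the LLG address; otherwise the addressed hub (the HSRP active
        one when the VIP was addressed) terminates the session itself."""
        if dst == self.vip:
            if redirect_supported:
                return "REDIRECT", self.least_loaded().address
            dst = self.master
        gw = self.gateways.get(dst)
        if gw is None:
            return "NO_RESPONSE", None
        if gw.sessions >= gw.max_session:
            return "FULL", dst
        gw.sessions += 1
        return "ACCEPT", dst


class Client:
    """FlexVPN client with 'crypto ikev2 redirect client max-redirects N'."""

    def __init__(self, max_redirects: int = 10):
        self.max_redirects = max_redirects

    def connect(self, cluster: Cluster, target: str) -> Optional[str]:
        """Follow REDIRECTs until a hub accepts; give up after max_redirects so a
        looping or hostile responder cannot bounce the client around indefinitely."""
        redirects = 0
        while True:
            verdict, addr = cluster.handle_sa_init(target, redirect_supported=True)
            if verdict != "REDIRECT":
                return addr if verdict == "ACCEPT" else None
            redirects += 1
            if redirects > self.max_redirects:
                return None
            target = addr


def distribute(n: int) -> List[Optional[str]]:
    """Constructed scenario: VIP 10.0.0.5, Hub 1 (.11, HSRP active / CLB master),
    Hub 2 (.12) and Hub 3 (.13), each 'slave max-session 10', with some existing load."""
    cluster = Cluster("10.0.0.5", "10.0.0.11", [
        Gateway("10.0.0.11", 10, sessions=4),
        Gateway("10.0.0.12", 10, sessions=7),
        Gateway("10.0.0.13", 10, sessions=2),
    ])
    return [Client().connect(cluster, "10.0.0.5") for _ in range(n)]


def redirect_loop() -> Optional[str]:
    """A responder whose 'least loaded gateway' is the VIP itself would redirect forever;
    the client's max-redirects cap ends the attempt."""
    cluster = Cluster("10.0.0.5", "10.0.0.5", [Gateway("10.0.0.5", 10)])
    return Client(max_redirects=10).connect(cluster, "10.0.0.5")
```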
IKEv2 Configuration Exchange

Initiator (I, the RA client) and Responder (R, the RA server):

IKE_AUTH (the initiator requests configuration parameters from the responder):
 I -> R  CFG_REQUEST: I would like an IPv6 address, a DNS and WINS server, a list of IPv6 protected subnets.
 R -> I  CFG_REPLY: Your assigned IPv6 address is ...; your DNS server is ...; there is no WINS server; the protected subnets are ... (derived from peer authorisation)

INFORMATIONAL (the initiator and/or the responder sends unsolicited configuration parameters to its peer):
 I -> R  CFG_SET: My local IPv6 address is ...; my local IPv6 protected subnets are ...
 R -> I  CFG_ACK: Acknowledged
 R -> I  CFG_SET: (derived from peer authorisation)
 I -> R  CFG_ACK: Acknowledged

Extensible Authentication Protocol (EAP)

- No X-AUTH in IKEv2; EAP instead.
- EAP is a general authentication protocol that supports multiple methods:
  - Tunnelling: EAP-TLS, EAP/PSK, EAP-PEAP, ...
  - Non-tunnelling (recommended): EAP-MS-CHAPv2, EAP-GTC, EAP-MD5, ...
- Implemented as additional IKE_AUTH exchanges.
- Only used to authenticate the initiator to the responder; the responder MUST authenticate using certificates.
- Can severely increase the number of messages (12 to 16).
- EAP comes with many caveats; refer to the documentation!

EAP Authentication

Roles: the RA client is the IKEv2 initiator and EAP supplicant; the FlexVPN server is the IKEv2 responder, RADIUS NAS and EAP authenticator; the AAA server is the RADIUS server and EAP backend. EAP runs inside IKEv2 between client and server and inside RADIUS between server and AAA server.

- Username/password, token or mobile authentication (one-way): EAP-GTC / EAP-MD5 / EAP-MSCHAPv2 / EAP-AKA / EAP-SIM / ...
- TLS-based certificate authentication (mutual): EAP-TLS, with TLS end to end between client and AAA server.
- TLS-protected nested authentication (one-way or mutual): EAP-PEAP / EAP-TTLS carrying EAP-MSCHAPv2 / EAP-TLS / ...

The RA server authenticates to the client using IKE certificates (mandatory).

crypto ikev2 profile default
 authentication remote eap query-identity
 aaa authentication eap frad

EAP Authentication Packet Flow

RA client (IKEv2 initiator, EAP supplicant), FlexVPN server (IKEv2 responder, RADIUS NAS, EAP authenticator) and AAA server (RADIUS server, EAP backend):
 1. Client -> Server   IKE_AUTH: IDi, CFG_REQ, no AUTH
 2. Server -> Client   IKE_AUTH: IDr, AUTH(RSA), EAP(ID-Request)
 3. Client -> Server   IKE_AUTH: EAP(ID-Response: ID_EAP)
 4. Server -> AAA      RADIUS Access-Request (EAP username)
 5. AAA -> Server      RADIUS Access-Challenge: EAP(EAP-Method-Pkt#1)
 6. Server -> Client   IKE_AUTH: EAP(EAP-Method-Pkt#1)
 7. Client -> Server   IKE_AUTH: EAP(EAP-Method-Pkt#2)
 8. Server -> AAA      RADIUS Access-Request: EAP(EAP-Method-Pkt#2)
 9. AAA -> Server      RADIUS Access-Accept: EAP(Success), MSK, User-Name, other user attributes (cached for authorisation)
10. Server -> Client   IKE_AUTH: EAP(Success)
11. Client -> Server   IKE_AUTH: AUTH(MSK)
12. Server -> Client   IKE_AUTH: CFG_REPLY, AUTH(MSK)
Both the client and the AAA server derive the MSK; the server receives it in the Access-Accept.

crypto ikev2 profile default
 authentication remote eap query-identity
 aaa authentication eap frad

Remote Access Clients Overview

AnyConnect (desktop version)
 Supported OSes: Windows, Mac OS X, Linux
 Supported IKEv2 authentication methods: certificates, EAP
 Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
 Dual stack (IPv4 & IPv6): 3.1.05152 (with GRE), IOS-XE 3.14
 Split tunnelling: yes

AnyConnect (mobile version)
 Supported OSes: Android, Apple iOS
 Supported IKEv2 authentication methods: certificates, EAP
 Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
 Dual stack (IPv4 & IPv6): planned (client limitation)
 Split tunnelling: yes

Windows native IKEv2 client
 Supported OSes: Windows 7 & 8
 Supported IKEv2 authentication methods: certificates, EAP
 Supported EAP authentication methods: EAP-MSCHAPv2, EAP-TLS (1), EAP-PEAP (1), ... and more (Win8)
 Dual stack (IPv4 & IPv6): planned (headend limitation)
 Split tunnelling: very limited (classful)

FlexVPN hardware client
 Supported OSes: Cisco IOS 15.2+ (not on IOS-XE / ASR1k, not on ISR-G1)
 Supported IKEv2 authentication methods: certificates, EAP, pre-shared key
 Supported EAP authentication methods: EAP-MSCHAPv2, EAP-GTC, EAP-MD5
 Dual stack (IPv4 & IPv6): both (with GRE)
 Split tunnelling: yes

strongSwan
 Supported OSes: Linux, Mac OS X, Android, FreeBSD, ...
 Supported IKEv2 authentication methods: certificates, EAP, pre-shared key
 Supported EAP authentication methods: EAP-MSCHAPv2, EAP-TLS (1), EAP-PEAP (1), ... and more (plugins)
 Dual stack (IPv4 & IPv6): planned (headend limitation)
 Split tunnelling: yes

(1) EAP-TLS, EAP-TTLS, EAP-PEAP and others require (potentially dedicated) TLS certificates on the EAP server and the RA client.
(2) IPsec Reverse Route Injection (RRI) and IKEv2 Route Exchange are enabled by default.
Slide 95: AnyConnect Secure Mobility Client
- Since AnyConnect 3.0, IKEv2/IPsec is supported (previously only SSL/TLS)
- Desktop: Windows, Mac OS X, Linux
- Mobile: Apple iOS, Android
- Supported authentication methods: Machine Certificates (RSA signatures); EAP-MSCHAPv2 (password challenge/response, based on MS-CHAPv2); EAP-GTC (cleartext password authentication, used for one-time passwords/tokens); EAP-MD5 (hash-based authentication)

Slide 96: AnyConnect VPN Profile Editor
Add an entry to the server list: connection name, server FQDN. The IKE identity field only applies to EAP authentication methods.
Resulting XML profile (values as shown): connection name FlexVPN, server flexra.cisco.com, protocol IPsec, true, authentication EAP-GTC, IKE identity acvpn

Slide 97: AnyConnect Backup Server List
Add backup server(s) to the list.
Resulting XML profile (values as shown): connection name FlexVPN, server flexra.cisco.com, backup server flexra2.cisco.com
When the primary server stops responding across the WAN, the client will try connecting to the backup server(s).

Slide 98: AnyConnect Seamless Auto-Reconnect
WAN outage: 1: Connected. 2: Network failure detected; the client will attempt to reconnect automatically. 3: The server marks the session as inactive, awaiting reconnection until the configured timeout. 4: ISP/WAN comes back up; session resumed without any user intervention.
Roaming: 1: Connected over 3G. 2: Switching to WiFi (different IP address). 3: Session resumed over the WiFi link without any user intervention.
Also works when the computer suspends & resumes (behaviour controllable through the XML profile).

crypto ikev2 profile default
 reconnect [timeout ]

Slide 99: AnyConnect Desktop Profile Deployment Options
Default XML profile location: Windows: %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile; Mac OS, Linux: /opt/cisco/anyconnect/profile
- Use a software management system
- Add the profile to the AnyConnect package
- Send the profile via email
- Download the profile to the file system

Slide 100: AnyConnect Mobile Profile Deployment Options
- Install the profile via a URI handler: anyconnect://import?type=profile&uri=location (example location: http://example.com/profile.xml)
- Send the profile via email
- Import it from the local file system or a URI
- Manual connection creation
- MDM (Mobile Device Management)

Slide 101: AnyConnect Mobile Manual Connection
Create a new manual connection: connection name; server FQDN; enable IKEv2; select authentication method; specify IKE ID for EAP methods; certificate selection. (One option is marked Cisco ASA only.)
Slide 102: AnyConnect Mobile URI Handler Profile Deployment
- Import profiles, certificates, and create connection entries
- Apple iOS & Android: import via URL, email, device storage
- Also connect & disconnect VPN using the URI Handler
- External Control set to Prompt or Enabled is required for the URI Handler
Example: anyconnect://create/?name=FlexVPN&host=flexra.cisco.com&protocol=IPsec&authentication=EAP-MD5&ike-identity=acvpn
Result: connection successfully created.

Slide 103: AnyConnect Mobile Certificate Deployment
- Package certificate & keypair into a PKCS#12 file
- Apple iOS: import PKCS#12 from URL or email attachment; provision credentials or set up SCEP enrollment using a configuration profile (e.g. via iPhone Configuration Utility)
- Android: import PKCS#12 from URL, email or filesystem; use existing credentials from Credential Storage

Slide 104: AnyConnect Certificate Requirements
Columns: AnyConnect Client IKEv2 Certificate (used for mutual RSA-SIG) | FlexVPN Server IKEv2 Certificate (used for mutual RSA-SIG and EAP, all types)
Common Name (CN): Anything | Anything (if SAN field present); Server FQDN (if no SAN field)
Key Usage (KU): Digital Signature | Digital Signature; Key Encipherment or Key Agreement
Extended Key Usage (EKU): Optional(1,3), if present: TLS Client Authentication | Optional(2,3), if present: TLS Server Authentication or IKE Intermediate
Subject Alternative Name (SAN): Not required(3) | Optional(3), if present: Server FQDN
1 Required in AC 3.0.8 to 3.0.10 (CSCuc07598)
2 Required in AC 3.0 (all versions), lifted in 3.1
3 Not required: may be omitted or set to any value. Optional: may be omitted or set to the specified value.

Slide 105: FlexVPN Hardware Client Example
Sample configuration:
- Static tunnel interface driven by the FlexVPN Client Profile
- Local AAA authorisation (default IKEv2 author. policy)
- Certificate-based mutual authentication (no EAP)
Tunnel interface configuration: IP address assigned through the IKEv2 Configuration Exchange; tunnel destination set dynamically.
Default IKEv2 routing between client & server: the client advertises a route for the Tunnel0 assigned IP address and installs the networks advertised by the server.

aaa new-model
aaa authorization network here local
!
crypto pki trustpoint root
 rsakeypair root
!
crypto pki certificate map cisco 1
 subject-name co o = cisco
!
crypto ikev2 profile default
 match certificate cisco
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint root
 aaa authorization group cert list here default
!
crypto ikev2 client flexvpn flexra
 peer 1 fqdn flexra.cisco.com dynamic
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile default

client#show crypto ikev2 authorization policy default
IKEv2 Authorization Policy : default
route set interface
route accept any tag : 1 distance : 1
Slide 106: FlexVPN Network Extension
Topology: FlexVPN Client (Eth0/1 on 10.42.1.0/24, Eth0/0 towards the WAN) -- FlexVPN Server (Lo1 10.0.1.1/32, inside network 10.0.0.0/8). Local/remote addresses & prefixes are exchanged using IKEv2 routing.

FlexVPN Client:
interface Tunnel0
 ip address negotiated
!
interface Ethernet0/1
 ip address 10.42.1.1 255.255.255.0
Client authorisation policy:
 route set interface
 route set remote ipv4 10.42.1.0

FlexVPN Server:
interface Loopback1
 ip address 10.0.1.1 255.255.255.255
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
Server authorisation policy:
 route set interface
 route set remote ipv4 10.0.0.0 255.0.0.0

Client routing table (assigned IP 10.0.1.22/32; summary prefix reachable through the tunnel):
S 10.0.0.0/8 is directly connected, Tunnel0
S 10.0.1.1/32 is directly connected, Tunnel0
C 10.0.1.22/32 is directly connected, Tunnel0
Server routing table (assigned IP address reachable over the client VA; client LAN directly reachable over the tunnel, prefix can be redistributed into the IGP):
S 10.0.1.22/32 is directly connected, Virtual-Access1
S 10.42.1.0/24 is directly connected, Virtual-Access1

Slide 107: FlexVPN Client Profile Key Features
- Peer list with object tracking: ordered list of FlexVPN servers (by address or FQDN); enable/disable entries based on tracking object state; additional peers can be pushed by the server during the Config Exchange
- Connection modes: Automatic (infinite loop, 10 seconds between tries); when a tracking object goes up/down (enables dial backup); Manual (CLI-triggered)
- EAP local authentication (IKEv2 initiator only): username prompt only if the server does query-identity; alternative: static credentials in the IKEv2 profile
- More than a Remote Access client: can also be used in hub-spoke & dynamic mesh designs; useful when advanced initiator logic is required (dial backup, object tracking, ...)

crypto ikev2 client flexvpn flexra
 peer 1
 peer 2 track 10 up
 peer 3 track 20 down
!
track 10 interface line-protocol
track 20 ip route reachability
Connection mode (one of):
 connect auto
 connect track 10 up
 connect manual
crypto ikev2 profile default
 authentication local eap

client#crypto ikev2 client flexvpn connect
Enter the command 'crypto eap credentials flexra'
client#crypto eap credentials flexra
Enter the Username for profile flexra: joe@cisco
Enter the password for username joe@cisco:

Slide 108: Demo: AnyConnect Secure Mobility Client (Tom the Sardar)

Slide 109: AnyConnect Mobile Profile & Certificate Deployment Demo
Objective: deploy an AnyConnect connection entry and CA certificate to an Android mobile device.
Administrator sequence of events: 1: Retrieve the CA certificate as a file. 2: Insert the AnyConnect connection URI into an email. 3: Attach the CA cert and send the email.
anyconnect://create/?name=FlexVPN&host=Flex_hub.mydomain.com&protocol=IPsec&authentication=EAP-MD5&ike-identity=acvpn
User sequence of events: 1: Enable External Control on AnyConnect. 2: Click on the hyperlink to create the AnyConnect connection. 3: Click on the CA cert attachment to import the CA cert.

Slide 110: AnyConnect Windows 7 Profile Deployment Demo
Objective: deploy an AnyConnect XML user profile containing connection information to a remote desktop. The AnyConnect XML profile is added to the package and installed on the Windows desktop.
Administrator sequence of events: 1: Create the profile using the Profile Editor. 2: Bundle the profile with the installation package.
User sequence of events: 1: User retrieves the installation package. 2: User installs the package. 3: Profile is automatically imported.

Slide 111: FlexVPN SSL
Slide 112: FlexVPN SSL Overview
Clients: Desktop: Windows, Mac OS X, Linux. Mobile: Apple iOS (iPhone and iPad); Android smartphones (HTC, Motorola, Samsung; version 4.0+) and tablets (HTC, Lenovo, Motorola, Samsung; version 4.0+); BB10 (future): smartphone, Playbook.
Management: ASDM.
Secure connectivity: Cisco ASR (ASR1006/1013 with ESP100/200, ASR1002-X and ASR1001-X only) and Cisco Cloud Services Router 1000V; releases IOS-XE 3.15.1S / 15.5(2)S1 and IOS-XE 3.12.1S / 15.4(2).1S.
- First release of SSLVPN support (on ASR / CSR)
- Client-based only (AnyConnect); no clientless support
- Integrated into the FlexVPN framework: AAA integration, virtual tunnel interfaces, smart defaults, CLI consistency
- ASR not supported on previous ESPs (ESP 2.5 up to 40) due to lack of crypto engine support
- Tentative date: June 2015

Slide 113: Features Not Supported In Initial Release
- Automatic AnyConnect software upgrade from the headend
- Web Launch for AnyConnect (from browser)
- Client-side certificates
- Hostscan and posture
- Name mangler
- Two-factor & double authentication
- IPv6 mixed-mode / dual-stack
- DTLS

Slide 114: FlexVPN SSL and Interfaces
Hub 1 terminates remote access sessions on virtual templates: VT1 spawns VA1 and VA2 for two remote users, VT2 spawns VA3 for a smartphone user (VT = Virtual Template, VA = Virtual Access). Per-user attributes such as ACL, QoS, VRF and ZBFW can be applied granularly.

Slide 115: What is SSL/TLS?
- Stands for Secure Socket Layer
- Protocol that enables privacy and data integrity between client and server
- Protocol developed by Netscape in the mid 1990s
- Predecessor of TLS (Transport Layer Security)
- SSL 1.0 and 2.0 had a number of security flaws, which led to the design of SSLv3 (the 1996 draft was republished as a historical document in RFC 6101)
- TLS 1.0 is defined in RFC 2246 as the next-gen protocol intended to replace SSLv3 (SSLv3 is now considered insecure)
- TLS 1.0 has evolved over time: TLS 1.1 (RFC 4346) added protection against CBC attacks and an explicit IV; TLS 1.2 (RFC 5246) added enhancements in hashing / signing and an expansion of the authenticated encryption ciphers used for GCM

Slide 116: SSL/TLS Exchanges Overview (A <-> B)
1. TCP connection bootstrap: TCP 3-way handshake (3 messages)
2. Negotiate security capabilities: Client Hello, Server Hello (2 messages)
3. Server authentication and public key exchange (1 message): server authentication, keying material exchange
4. Client Key Exchange, Change Cipher Spec (1 message): generate encryption keys
5. Server Finished / Client Finished (2 messages): anti-MITM encrypted exchange
6. Protected data

Slide 117: The TLS Handshake - Simplified
* Some of the handshake messages, such as Certificate and Server Hello Done, can be combined in one packet or arrive in different SSL packets.
Client -> Server: Client Hello ("I want a secure connection. Here are the cipher suites I support.")
Server -> Client: Server Hello ("Here are the security protocols we shall use."); Server Certificate ("Here's who I am."); Server Hello Done ("I am done for now, waiting for you.")
Client -> Server: Client Key Exchange ("Here is the key we use for encryption": pre-master key encrypted using the server public key); Change Cipher Spec ("I am switching to a secure channel; future messages will be encrypted."); Finished ("I am done with SSL/TLS negotiation.")
Server -> Client: Change Cipher Spec ("I am also switching to a secure channel; future messages will be encrypted."); Finished ("I am also done with SSL/TLS negotiation.")
Cipher suite example shown in the figure.
Slide 118: TLS/SSL Protocol Building Blocks
- SSL Handshake Protocol: initialises communication between client & server
- Change Cipher Spec Protocol: initialises secure communication
- Alert Protocol: error handling
- Record Protocol: handles communication with the application; handles data compression

Slide 119: SSL Handshake - Client Hello
Client -> Server: VN, CR, SI, CS, CA, EXT. The client proposes basic SA attributes along with random number material.
- VN: Version Number
- CR: Client random value (32 bytes long), based on the client date (4 bytes) + random data (28 bytes); used later to generate the master secret
- SI: Session ID, included to enable the client to resume a previous session (optional)
- CS: Cipher suites list available on the client, e.g. TLS_RSA_WITH_AES_128_CBC_SHA: TLS is the protocol version, RSA is the algorithm that will be used for the key exchange, AES_128_CBC is the encryption algorithm, SHA is the hash function
- CA: Compression Algorithm (none is currently supported with IOS)
- EXT: Extensions like renegotiation, Server Name Indication

Slide 120: SSL Handshake - Server Hello
Server -> Client: VN, SR, SI, CS, CA. The server sends back a set of acceptable attributes, along with key exchange material and an optional certificate request.
- VN: Version Number; the server sends the highest version supported by both sides
- SR: Server random value (32 bytes long), based on the server date (4 bytes) + random data (28 bytes); used later to generate the master secret
- SI: Session ID sent by the server. A new SessionID is generated if the ClientHello does not contain a SessionID; the ClientHello SessionID is reused if the server is willing to resume the session; null is used if it is a new session but the server is not willing to resume it
- CS: The server will choose the strongest cipher supported by both client & server; if there is no agreement, a handshake failure will be sent
- CA: Compression Algorithm (none is currently supported)

Slide 121: SSL Handshake - Server Certificate
Server -> Client: Certificate, Server Hello Done. The server sends its certificate, which includes its public RSA key; the client will later use that key to encrypt the premaster secret.
- Certificate: the server sends its certificate to the client; the client extracts the server public key from the certificate; the public key is used to authenticate the server and, later on, to encrypt the premaster secret
- Server Hello Done: the Server Hello has been completed and the server is waiting for the client to proceed

Slide 122: SSL Handshake - Client Key Exchange
Client -> Server: Clt Key Exch, Chg Cipher Spec, Clt Finished. The client generates a session key that can only be decrypted by the server.
- Client Key Exchange: the premaster secret (computed from both the client and server random) is encrypted with the server's public RSA key; the session keys will be derived from that master secret; only the server can decrypt it, since it holds the corresponding private RSA key
- Change Cipher Spec: the client notifies the server that subsequent packets will be encrypted using the negotiated keys and algorithms
- Client Finished: contains the hash of the entire conversation, used to provide further protection against man-in-the-middle attacks
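Slides 119 and 120 in code, as an added example that is not from the presentation: a parser that pulls VN, CR, SI, CS, CA and EXT (Server Name Indication) out of a ClientHello record, and a server-side function that picks the ServerHello parameters the way the slide describes: the highest version both sides support, the strongest cipher suite common to both, a session resume when the offered SessionID is known, and a handshake_failure alert when no suite is shared. The ClientHello bytes, the server preference list and the session cache are constructed here.

```python
"""TLS ClientHello parsing and ServerHello decisions (slides 119-120).

Added example, not code from the presentation. Record and handshake layouts
follow RFC 5246 section 7.4.1; the ClientHello below is constructed locally.
"""
import os
import struct
import time

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
SUITES = {                       # IANA cipher suite codes (RFC 5246 / RFC 5288)
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
EXT_SERVER_NAME = 0
ALERT_HANDSHAKE_FAILURE = 40
SERVER_PREFERENCE = [0x009C, 0x0035, 0x002F]   # constructed: strongest first, no RC4 / 3DES

def build_client_hello(version, suites, sni, session_id=b""):
    """Constructed ClientHello record. CR = 4-byte gmt_unix_time + 28 random bytes."""
    client_random = struct.pack("!I", int(time.time())) + os.urandom(28)
    host = sni.encode()
    name_list = struct.pack("!BH", 0, len(host)) + host            # name_type 0 = host_name
    sni_data = struct.pack("!H", len(name_list)) + name_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + client_random
            + struct.pack("!B", len(session_id)) + session_id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                                           # CA: one method, null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType 1 = client_hello
    return b"\x16" + struct.pack("!HH", TLS10, len(handshake)) + handshake  # ContentType 22

def parse_client_hello(record):
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not a complete handshake record")
    hs = record[5:]
    if hs[0] != 0x01 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a ClientHello")
    b, p = hs[4:], 0
    vn = struct.unpack("!H", b[p:p + 2])[0]; p += 2                # VN
    cr = b[p:p + 32]; p += 32                                       # CR
    si = b[p + 1:p + 1 + b[p]]; p += 1 + b[p]                       # SI (length-prefixed)
    cs_len = struct.unpack("!H", b[p:p + 2])[0]; p += 2
    cs = [struct.unpack("!H", b[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    ca = list(b[p + 1:p + 1 + b[p]]); p += 1 + b[p]                 # CA (length-prefixed)
    ext = {}
    if p < len(b):                                                  # EXT (optional)
        end = p + 2 + struct.unpack("!H", b[p:p + 2])[0]; p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", b[p:p + 4]); p += 4
            ext[etype] = b[p:p + elen]; p += elen
    sni = None
    if EXT_SERVER_NAME in ext:
        d = ext[EXT_SERVER_NAME]                                    # list len(2) | type(1) | len(2) | name
        sni = d[5:5 + struct.unpack("!H", d[3:5])[0]].decode()
    return {"version": vn, "gmt_unix_time": struct.unpack("!I", cr[:4])[0], "random": cr[4:],
            "session_id": si, "cipher_suites": cs, "compression": ca, "sni": sni}

def server_hello_params(hello, server_max=TLS12, preference=SERVER_PREFERENCE,
                        session_cache=frozenset()):
    """Returns ("server_hello", VN, CS, resumed) or ("alert", 40) when no suite is shared."""
    version = min(hello["version"], server_max)                     # highest version both support
    resumed = bool(hello["session_id"]) and hello["session_id"] in session_cache
    for suite in preference:                                        # strongest common suite wins
        if suite in hello["cipher_suites"]:
            return ("server_hello", version, suite, resumed)
    return ("alert", ALERT_HANDSHAKE_FAILURE)
```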
Slide 123: SSL Handshake - Server Finished, Change Cipher Spec
Server -> Client: Change Cipher Spec, Server Finished. The server sends back the Change Cipher Spec message and its hash of the entire exchange.
- Change Cipher Spec: by sending Change Cipher Spec, the server announces to the client that the following packets will be encrypted using the negotiated keys and algorithms; subsequent packets from both client and server will be encrypted
- Server Finished: contains the hash of the entire conversation, used to provide further protection against man-in-the-middle attacks

Slide 124: SSL Record Protocol: Protected Data
- The record protocol receives data from the application layer
- Data is fragmented into blocks (encryption) or reassembled to its original format (decryption)
- Sequentially numbers data blocks
- Compresses/decompresses data based on the negotiated compression algorithm
- Encrypts/decrypts data using the negotiated encryption keys / cryptographic algorithm
- Applies an HMAC to outgoing data; checks the HMAC when data is received
Packet layout: IP header (20 bytes) | TCP header (20 bytes) | content type (1 byte) | SSL version (2 bytes) | length (2 bytes) | encrypted application data | HMAC / pad

Slide 125: Data Fragmentation
data -> data fragments (each SSL fragment at most 2^14 bytes, ~16 Kbytes) -> MAC appended to each fragment -> data and MAC encrypted -> record header prepended -> TCP header, IP header
Record header: content type; version; length. MAC: computed over the data, the sequence number and the content type with the help of a key Mx.
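The record layer of slides 124-125 as an added example (not code from the presentation): a writer that fragments application data at 2^14 bytes, numbers each record and appends a MAC computed over sequence number, content type, version, length and data, and a reader that recomputes the MAC and rejects a tampered or replayed record with the bad_record_mac alert value. The encryption step is deliberately left out so that the example runs on the standard library alone; the MAC key is a constructed sample value.

```python
"""SSL/TLS record layer: fragmentation, sequence numbers and HMAC (slides 124-125).

Added example, not code from the presentation. MAC construction follows the
TLS 1.0/1.1 definition (RFC 2246 section 6.2.3.1) with HMAC-SHA1; the cipher
step that would normally cover data + MAC is omitted on purpose.
"""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14            # 16384 bytes per record (RFC 5246 section 6.2.1)
CT_APPLICATION_DATA = 23
VERSION_TLS10 = 0x0301
ALERT_BAD_RECORD_MAC = 20         # alert values from slide 126
ALERT_DECODE_ERROR = 50
MAC_LEN = hashlib.sha1().digest_size

class RecordError(Exception):
    """Raised by the reader; .alert carries the alert number the receiver would send."""
    def __init__(self, name, alert):
        super().__init__(name)
        self.alert = alert

def record_mac(key, seq_num, content_type, version, fragment):
    """HMAC(key, seq_num(8) || type(1) || version(2) || length(2) || fragment)."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha1).digest()

class RecordWriter:
    def __init__(self, mac_key, version=VERSION_TLS10):
        self.key, self.version, self.seq = mac_key, version, 0

    def send(self, data, content_type=CT_APPLICATION_DATA):
        """Fragment application data; every record gets its own sequence number and MAC."""
        records = []
        for off in range(0, len(data), MAX_FRAGMENT):
            frag = data[off:off + MAX_FRAGMENT]
            payload = frag + record_mac(self.key, self.seq, content_type, self.version, frag)
            # 5-byte record header: content type, version, length of (data + MAC)
            records.append(struct.pack("!BHH", content_type, self.version, len(payload)) + payload)
            self.seq += 1
        return records

class RecordReader:
    def __init__(self, mac_key):
        self.key, self.seq = mac_key, 0

    def receive(self, record):
        """Returns (content_type, data); raises RecordError on a bad length or MAC.
        The expected sequence number is kept locally, so a replayed or reordered
        record fails the MAC check even though its bytes are intact."""
        ctype, version, length = struct.unpack("!BHH", record[:5])
        payload = record[5:5 + length]
        if len(payload) != length or length < MAC_LEN:
            raise RecordError("decode_error", ALERT_DECODE_ERROR)
        frag, mac = payload[:-MAC_LEN], payload[-MAC_LEN:]
        expected = record_mac(self.key, self.seq, ctype, version, frag)
        if not hmac.compare_digest(mac, expected):
            raise RecordError("bad_record_mac", ALERT_BAD_RECORD_MAC)
        self.seq += 1                 # only advance on a verified record
        return ctype, frag
```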
Slide 126: SSL Alert Protocol
- Alerting protocol based on different alert levels: warning (1), fatal (2)
- Different alert messages: close_notify (0), unknown_ca (48), bad_record_mac (20), insufficient_security (71), record_overflow (22), certificate_revoked (44)
- Exhaustive list: http://tools.ietf.org/html/rfc5246#appendix-A.3
- A session cannot be resumed once terminated by a fatal alert

Slide 127: SSL and Certificates: Server Certificate Validation
- The router certificate should be trusted by clients: public (well-known) Certificate Authority (e.g. Verisign); enterprise Certificate Authority (e.g. Microsoft AD); self-signed (the certificate must be imported on all clients)
- Does the URL match the CN/SAN in the server certificate?
Example: the client connects to URI https://sslvpn.example.com. Server certificate: DN: CN=srv1, OU=IT, O=Cisco; SAN: IPAddr 10.0.0.1; SAN: DNSName srv1.cisco.com; SAN: DNSName sslvpn.example.com (match). The server is reachable from the Internet (public CA) and the intranet (enterprise CA).

Slide 128: Key Usage and Extended Key Usage Checking
- Extended Key Usage (EKU) and Key Usage (KU) determine how a certificate can be used (client authentication, server authentication, email encryption, etc.)
- AnyConnect does not require EKU or KU to be in the ASA server certificate
- From AnyConnect 3.1: if EKU or KU are present, they must be correct: EKU must contain Server Authentication; KU must contain Digital Signature and Key Encipherment

Slide 129: AnyConnect and Untrusted Certificates
If the server certificate is not trusted, do you want the user to be able to accept the certificate, or do you want AnyConnect to refuse to connect?
XML profile setting, shown with both values: false / true
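The checks of slides 127 and 128 (URL host against CN/SAN, then KU/EKU only when present) and, with protocol="ikev2", the FlexVPN server column of slide 104, as one added example that is not code from the presentation or from AnyConnect. The certificate is a plain dict built from the slide 127 example; a real deployment would fill it from the parsed X.509 object, and the field names of that dict are this example's own.

```python
"""Server certificate checks an AnyConnect client applies (slides 104, 127, 128).

Added example, not code from the presentation or from AnyConnect. SAMPLE_CERT is
a constructed representation of the certificate shown on slide 127.
"""
import ipaddress
from urllib.parse import urlsplit

KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT = (
    "digitalSignature", "keyEncipherment", "keyAgreement")
EKU_SERVER_AUTH, EKU_IKE_INTERMEDIATE = "serverAuth", "ikeIntermediate"

SAMPLE_CERT = {
    "cn": "srv1", "ou": "IT", "o": "Cisco",
    "san_dns": ["srv1.cisco.com", "sslvpn.example.com"],
    "san_ip": ["10.0.0.1"],
    "ku": {KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT},   # None = extension absent
    "eku": {EKU_SERVER_AUTH},                            # None = extension absent
}

def _host_of(target):
    """Accepts a URL (https://sslvpn.example.com) or a bare FQDN / IP literal."""
    return (urlsplit(target).hostname if "://" in target else target).lower()

def name_matches(cert, target):
    """URL host vs. CN/SAN. SAN is authoritative when present; the CN is only
    consulted for a certificate without any SAN entries (slide 104 rule)."""
    host = _host_of(target)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if cert.get("san_dns") or cert.get("san_ip"):
        if ip is not None:
            return any(ipaddress.ip_address(x) == ip for x in cert.get("san_ip", []))
        return host in [d.lower() for d in cert.get("san_dns", [])]
    return cert.get("cn", "").lower() == host

def check_server_cert(cert, target, protocol="ssl"):
    """Returns a list of findings; an empty list means the certificate is acceptable.
    protocol="ssl":   AnyConnect 3.1 SSL rules (slide 128): KU/EKU are optional, but when
                      present KU needs Digital Signature + Key Encipherment and EKU needs
                      Server Authentication.
    protocol="ikev2": FlexVPN server IKEv2 certificate column of slide 104."""
    findings = []
    if not name_matches(cert, target):
        findings.append("name mismatch: %s not in CN/SAN" % _host_of(target))
    ku, eku = cert.get("ku"), cert.get("eku")
    if protocol == "ssl":
        if ku is not None and not {KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT} <= ku:
            findings.append("KU present but lacks Digital Signature + Key Encipherment")
        if eku is not None and EKU_SERVER_AUTH not in eku:
            findings.append("EKU present but lacks Server Authentication")
    elif protocol == "ikev2":
        if (ku is None or KU_DIGITAL_SIGNATURE not in ku
                or not ({KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT} & ku)):
            findings.append("KU must contain Digital Signature and Key Encipherment or Key Agreement")
        if eku is not None and not ({EKU_SERVER_AUTH, EKU_IKE_INTERMEDIATE} & eku):
            findings.append("EKU present but lacks Server Authentication / IKE Intermediate")
    else:
        raise ValueError("protocol must be 'ssl' or 'ikev2'")
    return findings
```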

Slide 130: Ensure Clients Trust the Router Certificate
- AnyConnect uses the OS to validate the certificate: Microsoft Windows: MS CAPI; Mac OS: Keychain; Linux: varies with the distribution
- Tip: examine the warnings with a browser: untrusted CA chain; mismatched domain name; validity time (NTP?)

Slide 131: AnyConnect Connection Flow (A <-> B)
1. Group or URL selection: select the group we want to connect to
2. User authentication: authenticate the user & get attributes
3. VPN Downloader: AnyConnect software & profile updates
4. CSTP Connect: apply the attributes on the client
5. Protected data
Aggregate Authentication: SSL only (no IKEv2) on IOS.

Slide 132: AnyConnect Aggregate Authentication
- Platform-independent framework for authentication and config exchange
- Common XML data format for both IPsec and SSL
- Allows new client-side features without a headend s/w change: opaque info can be sent from the headend, meaningful to the client only; easier integration of new features (double authentication, certificate authentication)
- Multiple request/response types: Init; Auth request / response; Config request / response; Complete
Example (values as shown): client version 3.1.05182, platform win, device identifier 00-0c-29-46-bb-3f, group group2, URL https://sslvpn.example.com

Slide 133: Aggregate Authentication High Level Flow (AnyConnect Client <-> Router <-> Enterprise Network)
1. Aggregate Authentication (e.g. connect to https://sslvpn.example.com): Init; Authentication Request; Authentication Reply; Complete; Config (image, profile)
2. Image/profile download / upgrade
3. Initiates tunnel establishment (CONNECT): the client requests attributes like an IP address ("I would like an IPv4 address, a domain name, a DNS server and the list of protected IPv4 subnets"); the router sends the attributes ("Your assigned IPv4 address is ... Your DNS server is ... My protected IPv4 subnets are ...")
4. Tunnel established; client traffic over the tunnel

Slide 134: SSL Aggr. Auth Flow - AnyConnect Group Selection
Client -> Server: POST /group (FQDN/IP/URL), Aggregate Auth type Init.
The HTTP POST message contains the server host and URL. Host: VPN headend URL defined on the client, IP address or FQDN. To avoid any certificate issues, this URL must match the hub server CN or SAN.
POST / HTTP/1.1
Host: flexssl.cisco.com
User-Agent: AnyConnect Windows 3.1.05182
X-Aggregate-Auth: 1
X-AnyConnect-Platform: win
XML body (values as shown): 3.1.05182, win, https://flexssl.cisco.com

Slide 135: SSL Aggr. Auth Flow - Authentication Request
Server -> Client: HTTP/1.1 200 OK, XML; Aggregate Auth type Auth-request. The server requests username/password with an auth-request.
HTTP/1.1 200 OK acknowledges the FQDN / IP / group selection; the XML aggregate auth body is the proprietary protocol request:
HTTP/1.1 200 OK
X-Aggregate-Auth: 1
XML body (values as shown): Login; "Please enter your username and password."

Slide 136: SSL Aggr. Auth Flow - User Authentication
Client -> Server: POST HOST/group, XML; Aggregate Auth type Auth-reply. The client HTTP POST message sends the auth-reply.
Host: VPN headend URL/GROUP defined on the client, IP address or FQDN. XML: the XML body contains the user / password / machine information / tunnel-group.
*Jan 13 07:35:24.906: POST /CL2015 HTTP/1.1
POST /CL2015 HTTP/1.1
XML body (values as shown): 3.1.06073, win, cisco, cisco

Slide 137: SSL Aggr. Auth Flow - Authentication Successful
Server -> Client: HTTP/1.1 200 OK, XML; Aggregate Auth type complete, config. User authentication by the server is successful.
HTTP/1.1 200 OK acknowledges the authentication. The XML body provides the server XML profile location and the pre-installed server package version information for that particular OS; the VPN Downloader will kick in if the version on the server is newer than on the client.
HTTP/1.1 200 OK
XML body (values as shown): Success; /CACHE/webvpn/stc/profiles/CL2015.xml; binaries/anyconnect-win-3.1.06073-web-deploy-k9.exe; AnyConnect Secure Mobility Client

Slide 138: SSL Connection Flow - Tunnel Establishment
The client connects and requests attributes. CONNECT initiates the tunnel establishment for the datapath by accessing /CSCOSSLC/tunnel HTTP/1.1. CSTP attributes: client attributes requested from the headend and capabilities supported (e.g. IPv6).
CONNECT /CSCOSSLC/tunnel HTTP/1.1
Host: flexssl.cisco.com
User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.06073
X-CSTP-Version: 1
X-CSTP-Hostname: olpeleri-WE01
X-CSTP-MTU: 1399
X-CSTP-Address-Type: IPv6,IPv4
X-CSTP-Local-Address-IP4: 192.168.255.166
X-CSTP-Base-MTU: 15
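The request headers of slides 134 to 138 from the headend's point of view, as an added example that is not code from the presentation: a classifier that tells an aggregate-auth POST from a CSTP CONNECT in raw HTTP request text, extracts platform, client version and the X-CSTP-* attributes, and flags clients older than the package the headend offers (the version comparison slide 137 describes). The two sample requests are constructed from the headers shown on the slides; HEADEND_VERSION is taken from the package name on slide 137.

```python
"""Classify AnyConnect SSL requests (aggregate-auth / CSTP) from raw HTTP text.

Added example, not from the presentation. Useful on a headend or proxy log to
inventory client versions and platforms; samples below are constructed from
the headers shown on slides 134 and 138.
"""
import re

HEADEND_VERSION = "3.1.06073"   # package version the headend offers (slide 137)

SAMPLE_INIT = ("POST / HTTP/1.1\r\n"
               "Host: flexssl.cisco.com\r\n"
               "User-Agent: AnyConnect Windows 3.1.05182\r\n"
               "X-Aggregate-Auth: 1\r\n"
               "X-AnyConnect-Platform: win\r\n\r\n"
               "(XML body omitted in this constructed sample)")
SAMPLE_CONNECT = ("CONNECT /CSCOSSLC/tunnel HTTP/1.1\r\n"
                  "Host: flexssl.cisco.com\r\n"
                  "User-Agent: Cisco AnyConnect VPN Agent for Windows 3.1.06073\r\n"
                  "X-CSTP-Version: 1\r\n"
                  "X-CSTP-Hostname: olpeleri-WE01\r\n"
                  "X-CSTP-MTU: 1399\r\n"
                  "X-CSTP-Address-Type: IPv6,IPv4\r\n"
                  "X-CSTP-Local-Address-IP4: 192.168.255.166\r\n\r\n")

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers); header names lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def version_tuple(version):
    return tuple(int(part) for part in version.split("."))

def classify(raw):
    method, path, h = parse_request(raw)
    match = re.search(r"(\d+\.\d+\.\d+)", h.get("user-agent", ""))
    info = {"host": h.get("host"), "platform": h.get("x-anyconnect-platform"),
            "client_version": match.group(1) if match else None, "kind": "other"}
    if method == "POST" and h.get("x-aggregate-auth") == "1":
        info["kind"] = "aggregate-auth"          # init / auth-reply exchange carrying XML
        info["group"] = path                     # "/" or "/<group>" chosen on the client
    elif method == "CONNECT" and path == "/CSCOSSLC/tunnel":
        info["kind"] = "cstp-connect"            # tunnel establishment for the datapath
        info["cstp"] = {k[len("x-cstp-"):]: v for k, v in h.items() if k.startswith("x-cstp-")}
    if info["client_version"]:
        # older than the headend package: the VPN Downloader would upgrade this client
        info["outdated"] = version_tuple(info["client_version"]) < version_tuple(HEADEND_VERSION)
    return info
```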