IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS, 1st edition
Published by Cisco Press (September 12, 2016) © 2017
- Graham Bartlett
- Amjad Inamdar
eTextbook
- Available for purchase from all major ebook resellers, including InformIT.com.
- A print text (hardcover or paperback)
- Free shipping
- Also available for purchase as an ebook from all major ebook resellers, including InformIT.com
The authors explain each key concept, and then guide you through all facets of FlexVPN planning, deployment, migration, configuration, administration, troubleshooting, and optimisation. You’ll discover how IKEv2 improves on IKEv1, master key IKEv2 features, and learn how to apply them with Cisco FlexVPN.
IKEv2 IPsec Virtual Private Networks offers practical design examples for many common scenarios, addressing IPv4 and IPv6, servers, clients, NAT, pre-shared keys, resiliency, overhead, and more. If you’re a network engineer, architect, security specialist, or VPN administrator, you’ll find all the knowledge you need to protect your organisation with IKEv2 and FlexVPN.
- Understand IKEv2 improvements: anti-DDoS cookies, configuration payloads, acknowledged responses, and more
- Implement modern secure VPNs with Cisco IOS and IOS-XE
- Plan and deploy IKEv2 in diverse real-world environments
- Configure IKEv2 proposals, policies, profiles, keyrings, and authorisation
- Use advanced IKEv2 features, including SGT transportation and IKEv2 fragmentation
- Understand FlexVPN, its tunnel interface types, and IOS AAA infrastructure
- Implement FlexVPN Server with EAP authentication, pre-shared keys, and digital signatures
- Deploy, configure, and customize FlexVPN clients
- Configure, manage, and troubleshoot the FlexVPN Load Balancer
- Improve FlexVPN resiliency with dynamic tunnel source, backup peers, and backup tunnels
- Monitor IPsec VPNs with AAA, SNMP, and Syslog
- Troubleshoot connectivity, tunnel creation, authentication, authorization, data encapsulation, data encryption, and overlay routing
- Calculate IPsec overhead and fragmentation
- Plan your IKEv2 migration: hardware, VPN technologies, routing, restrictions, capacity, PKI, authentication, availability, and more
   Foreword xxvii
    Introduction xxxiii
 Part I Understanding IPsec VPNs
 Chapter 1 Introduction to IPsec VPNs 1
    The Need and Purpose of IPsec VPNs 2
    Building Blocks of IPsec 2
        Security Protocols 2
        Security Associations 3
        Key Management Protocol 3
    IPsec Security Services 3
        Access Control 4
        Anti-replay Services 4
        Confidentiality 4
        Connectionless Integrity 4
        Data Origin Authentication 4
        Traffic Flow Confidentiality 4
    Components of IPsec 5
        Security Parameter Index 5
        Security Policy Database 5
        Security Association Database 6
        Peer Authorization Database 6
        Lifetime 7
    Cryptography Used in IPsec VPNs 7
        Symmetric Cryptography 7
        Asymmetric Cryptography 8
        The Diffie-Hellman Exchange 8
    Public Key Infrastructure 11
        Public Key Cryptography 11
        Certificate Authorities 12
        Digital Certificates 12
        Digital Signatures Used in IKEv2 12
    Pre-Shared-Keys, or Shared Secret 13
    Encryption and Authentication 14
        IP Authentication Header 15
        Anti-Replay 16
        IP Encapsulating Security Payload (ESP) 17
        Authentication 18
        Encryption 18
        Anti-Replay 18
        Encapsulation Security Payload Datagram Format 18
        Encapsulating Security Payload Version 3 19
        Extended Sequence Numbers 19
        Traffic Flow Confidentiality 20
        Dummy Packets 20
    Modes of IPsec 20
        IPsec Transport Mode 20
        IPsec Tunnel Mode 21
    Summary 22
    References 22
 Part II Understanding IKEv2
 Chapter 2 IKEv2: The Protocol 23
    IKEv2 Overview 23
    The IKEv2 Exchange 24
    IKE_SA_INIT 25
        Diffie-Hellman Key Exchange 26
        Security Association Proposals 29
        Security Parameter Index (SPI) 34
        Nonce 35
        Cookie Notification 36
        Certificate Request 38
        HTTP_CERT_LOOKUP_SUPPORTED 39
    Key Material Generation 39
    IKE_AUTH 42
        Encrypted and Authenticated Payload 42
        Encrypted Payload Structure 43
        Identity 44
        Authentication 45
        Signature-Based Authentication 46
        (Pre) Shared-Key-Based Authentication 47
        EAP 48
        Traffic Selectors 50
        Initial Contact 52
    CREATE_CHILD_SA 53
        IPsec Security Association Creation 53
        IPsec Security Association Rekey 54
        IKEv2 Security Association Rekey 54
    IKEv2 Packet Structure Overview 55
    The INFORMATIONAL Exchange 56
        Notification 56
        Deleting Security Associations 57
        Configuration Payload Exchange 58
        Dead Peer Detection/Keepalive/NAT Keepalive 59
        IKEv2 Request – Response 61
    IKEv2 and Network Address Translation 61
        NAT Detection 64
    Additions to RFC 7296 65
    RFC 5998 An Extension for EAP-Only Authentication in IKEv2 65
    RFC 5685 Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2) 65
    RFC 6989 Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2) 65
    RFC 6023 A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA) 66
    Summary 66
    References 66
 Chapter 3 Comparison of IKEv1 and IKEv2 67
    Brief History of IKEv1 67
    Exchange Modes 69
        IKEv1 70
        IKEv2 71
    Anti-Denial of Service 72
    Lifetime 72
    Authentication 73
    High Availability 74
    Traffic Selectors 74
    Use of Identities 74
    Network Address Translation 74
    Configuration Payload 75
    Mobility & Multi-homing 75
    Matching on Identity 75
    Reliability 77
    Cryptographic Exchange Bloat 77
    Combined Mode Ciphers 77
    Continuous Channel Mode 77
    Summary 77
    References 78
 Part III IPsec VPNs on Cisco IOS
 Chapter 4 IOS IPsec Implementation 79
    Modes of Encapsulation 82
        GRE Encapsulation 82
        GRE over IPsec 83
        IPsec Transport Mode with GRE over IPsec 83
        IPsec Tunnel mode with GRE over IPsec 84
        Traffic 85
        Multicast Traffic 85
        Non-IP Protocols 86
    The Demise of Crypto Maps 86
    Interface Types 87
        Virtual Interfaces: VTI and GRE/IPsec 87
        Traffic Selection by Routing 88
        Static Tunnel Interfaces 90
        Dynamic Tunnel Interfaces 91
        sVTI and dVTI 92
        Multipoint GRE 92
    Tunnel Protection and Crypto Sockets 94
    Implementation Modes 96
        Dual Stack 96
        Mixed Mode 96
        Auto Tunnel Mode 99
    VRF-Aware IPsec 99
        VRF in Brief 99
        VRF-Aware GRE and VRF-Aware IPsec 101
        VRF-Aware GRE over IPsec 102
    Summary 103
    Reference 104
 Part IV IKEv2 Implementation
 Chapter 5 IKEv2 Configuration 105
    IKEv2 Configuration Overview 105
        The Guiding Principle 106
        Scope of IKEv2 Configuration 106
        IKEv2 Configuration Constructs 106
    IKEv2 Proposal 107
        Configuring the IKEv2 Proposal 108
        Configuring IKEv2 Encryption 111
        Configuring IKEv2 Integrity 113
        Configuring IKEv2 Diffie-Hellman 113
        Configuring IKEv2 Pseudorandom Function 115
        Default IKEv2 Proposal 115
    IKEv2 Policy 117
        Configuring an IKEv2 Policy 118
        Configuring IKEv2 Proposals under IKEv2 Policy 119
        Configuring Match Statements under IKEv2 Policy 120
        Default IKEv2 Policy 121
        IKEv2 Policy Selection on the Initiator 122
        IKEv2 Policy Selection on Responder 124
        IKEv2 Policy Configuration Examples 125
        Per-peer IKEv2 Policy 125
        IKEv2 Policy with Multiple Proposals 126
    IKEv2 Keyring 128
        Configuring IKEv2 Keyring 129
        Configuring a Peer Block in Keyring 130
        Key Lookup on Initiator 132
        Key Lookup on Responder 133
        IKEv2 Keyring Configuration Example 134
        IKEv2 Keyring Key Points 136
    IKEv2 Profile 136
        IKEv2 Profile as Peer Authorization Database 137
        Configuring IKEv2 Profile 138
        Configuring Match Statements in IKEv2 Profile 139
        Matching any Peer Identity 142
        Defining the Scope of IKEv2 Profile 143
        Defining the Local IKE Identity 143
        Defining Local and Remote Authentication Methods 145
        IKEv2 Dead Peer Detection 149
        IKEv2 Initial Contact 151
        IKEv2 SA Lifetime 151
        NAT Keepalives 152
        IVRF (inside VRF) 152
        Virtual Template Interface 153
        Disabling IKEv2 Profile 153
        Displaying IKEv2 Profiles 153
        IKEv2 Profile Selection on Initiator and Responder 154
        IKEv2 Profile Key Points 154
    IKEv2 Global Configuration 155
        HTTP URL-based Certificate Lookup 156
        IKEv2 Cookie Challenge 156
        IKEv2 Call Admission Control 157
        IKEv2 Window Size 158
        Dead Peer Detection 158
        NAT Keepalive 159
        IKEv2 Diagnostics 159
    PKI Configuration 159
        Certificate Authority 160
        Public-Private Key Pair 162
        PKI Trustpoint 163
        PKI Example 164
    IPsec Configuration 166
        IPsec Profile 167
        IPsec Configuration Example 168
        Smart Defaults 168
    Summary 169
 Chapter 6 Advanced IKEv2 Features 171
    Introduction to IKEv2 Fragmentation 171
        IP Fragmentation Overview 172
        IKEv2 and Fragmentation 173
    IKEv2 SGT Capability Negotiation 178
    IKEv2 Session Authentication 181
        IKEv2 Session Deletion on Certificate Revocation 182
        IKEv2 Session Deletion on Certificate Expiry 184
    IKEv2 Session Lifetime 185
    Summary 187
    References 188
 Chapter 7 IKEv2 Deployments 189
    Pre-shared-key Authentication with Smart Defaults 189
        Elliptic Curve Digital Signature Algorithm Authentication 194
        RSA Authentication Using HTTP URL Lookup 200
        IKEv2 Cookie Challenge and Call Admission Control 207
    Summary 210
 Part V FlexVPN
 Chapter 8 Introduction to FlexVPN 211
    FlexVPN Overview 211
        The Rationale 212
        FlexVPN Value Proposition 213
    FlexVPN Building Blocks 213
        IKEv2 213
        Cisco IOS Point-to-Point Tunnel Interfaces 214
        Configuring Static P2P Tunnel Interfaces 214
        Configuring Virtual-Template Interfaces 216
        Auto-Detection of Tunnel Encapsulation and Transport 219
        Benefits of Per-Peer P2P Tunnel Interfaces 221
        Cisco IOS AAA Infrastructure 221
        Configuring AAA for FlexVPN 222
    IKEv2 Name Mangler 223
        Configuring IKEv2 Name Mangler 224
        Extracting Name from FQDN Identity 225
        Extracting Name from Email Identity 226
        Extracting Name from DN Identity 226
        Extracting Name from EAP Identity 227
    IKEv2 Authorization Policy 228
        Default IKEv2 Authorization Policy 229
    FlexVPN Authorization 231
        Configuring FlexVPN Authorization 233
        FlexVPN User Authorization 235
        FlexVPN User Authorization, Using an External AAA Server 235
        FlexVPN Group Authorization 237
        FlexVPN Group Authorization, Using a Local AAA Database 238
        FlexVPN Group Authorization, Using an External AAA Server 239
        FlexVPN Implicit Authorization 242
        FlexVPN Implicit Authorization Example 243
        FlexVPN Authorization Types: Co-existence and Precedence 245
        User Authorization Taking Higher Precedence 247
        Group Authorization Taking Higher Precedence 249
    FlexVPN Configuration Exchange 250
        Enabling Configuration Exchange 250
        FlexVPN Usage of Configuration Payloads 251
        Configuration Attributes and Authorization 253
        Configuration Exchange Examples 259
    FlexVPN Routing 264
        Learning Remote Subnets Locally 265
        Learning Remote Subnets from Peer 266
    Summary 268
 Chapter 9 FlexVPN Server 269
    Sequence of Events 270
    EAP Authentication 271
        EAP Methods 272
        EAP Message Flow 273
        EAP Identity 273
        EAP Timeout 275
        EAP Authentication Steps 275
        Configuring EAP 277
        EAP Configuration Example 278
    AAA-based Pre-shared Keys 283
        Configuring AAA-based Pre-Shared Keys 284
        RADIUS Attributes for AAA-Based Pre-Shared Keys 285
        AAA-Based Pre-Shared Keys Example 285
    Accounting 287
    Per-Session Interface 290
        Deriving Virtual-Access Configuration from a Virtual Template 291
        Deriving Virtual-Access Configuration from AAA Authorization 293
        The interface-config AAA Attribute 293
        Deriving Virtual-Access Configuration from an Incoming Session 294
        Virtual-Access Cloning Example 295
    Auto Detection of Tunnel Transport and Encapsulation 297
    RADIUS Packet of Disconnect 299
        Configuring RADIUS Packet of Disconnect 300
        RADIUS Packet of Disconnect Example 301
    RADIUS Change of Authorization (CoA) 303
        Configuring RADIUS CoA 304
        RADIUS CoA Examples 305
        Updating Session QoS Policy, Using CoA 305
        Updating the Session ACL, Using CoA 307
    IKEv2 Auto-Reconnect 309
        Auto-Reconnect Configuration Attributes 310
        Smart DPD 311
        Configuring IKEv2 Auto-Reconnect 313
    User Authentication, Using AnyConnect-EAP 315
        AnyConnect-EAP 315
        AnyConnect-EAP XML Messages for User Authentication 316
        Configuring User Authentication, Using AnyConnect-EAP 318
        AnyConnect Configuration for Aggregate Authentication 320
    Dual-factor Authentication, Using AnyConnect-EAP 320
        AnyConnect-EAP XML Messages for dual-factor authentication 322
        Configuring Dual-factor Authentication, Using AnyConnect-EAP 324
    RADIUS Attributes Supported by the FlexVPN Server 325
    Remote Access Clients Supported by FlexVPN Server 329
        FlexVPN Remote Access Client 329
        Microsoft Windows7 IKEv2 Client 329
        Cisco IKEv2 AnyConnect Client 330
    Summary 330
    Reference 330
 Chapter 10 FlexVPN Client 331
    Introduction 331
    FlexVPN Client Overview 332
        FlexVPN Client Building Blocks 333
        IKEv2 Configuration Exchange 334
        Static Point-to-Point Tunnel Interface 334
        FlexVPN Client Profile 334
        Object Tracking 334
        NAT 335
        FlexVPN Client Features 335
        Dual Stack Support 335
        EAP Authentication 335
        Dynamic Routing 335
        Support for EzVPN Client and Network Extension Modes 336
        Advanced Features 336
    Setting up the FlexVPN Server 336
    EAP Authentication 337
    Split-DNS 338
        Components of Split-DNS 340
    Windows Internet Naming Service (WINS) 343
    Domain Name 344
    FlexVPN Client Profile 345
    Backup Gateways 346
        Resolution of Fully Qualified Domain Names 346
        Reactivating Peers 346
        Backup Gateway List 347
    Tunnel Interface 347
        Tunnel Source 348
        Tunnel Destination 349
    Tunnel Initiation 350
        Automatic Mode 350
        Manual Mode 350
        Track Mode 350
        Tracking a List of Objects, Using a Boolean Expression 350
    Dial Backup 352
    Backup Group 353
    Network Address Translation 354
    Design Considerations 356
        Use of Public Key Infrastructure and Pre-Shared Keys 356
        The Power of Tracking 356
        Tracked Object Based on Embedded Event Manager 356
    Troubleshooting FlexVPN Client 358
        Useful Show Commands 358
        Debugging FlexVPN Client 360
        Clearing IKEv2 FlexVPN Client Sessions 360
    Summary 361
 Chapter 11 FlexVPN Load Balancer 363
    Introduction 363
    Components of the FlexVPN Load Balancer 363
        IKEv2 Redirect 363
        Hot Standby Routing Protocol 366
    FlexVPN IKEv2 Load Balancer 367
        Cluster Load 369
        IKEv2 Redirect 372
        Redirect Loops 373
    FlexVPN Client 374
    Troubleshooting IKEv2 Load Balancing 374
    IKEv2 Load Balancer Example 376
    Summary 379
 Chapter 12 FlexVPN Deployments 381
    Introduction 381
    FlexVPN AAA-Based Pre-Shared Keys 381
        Configuration on the Branch-1 Router 382
        Configuration on the Branch-2 Router 383
        Configuration on the Hub Router 383
        Configuration on the RADIUS Server 384
    FlexVPN User and Group Authorization 386
        FlexVPN Client Configuration at Branch 1 386
        FlexVPN Client Configuration at Branch 2 387
        Configuration on the FlexVPN Server 387
        Configuration on the RADIUS Server 388
        Logs Specific to FlexVPN Client-1 389
        Logs Specific to FlexVPN Client-2 390
    FlexVPN Routing, Dual Stack, and Tunnel Mode Auto 391
        FlexVPN Spoke Configuration at Branch-1 392
        FlexVPN Spoke Configuration at Branch-2 394
        FlexVPN Hub Configuration at the HQ 395
        Verification on FlexVPN Spoke at Branch-1 397
        Verification on FlexVPN Spoke at Branch-2 399
        Verification on the FlexVPN Hub at HQ 401
    FlexVPN Client NAT to the Server-Assigned IP Address 404
        Configuration on the FlexVPN Client 404
        Verification on the FlexVPN Client 405
    FlexVPN WAN Resiliency, Using Dynamic Tunnel Source 407
        FlexVPN Client Configuration on the Dual-Homed Branch Router 408
        Verification on the FlexVPN Client 409
    FlexVPN Hub Resiliency, Using Backup Peers 411
        FlexVPN Client Configuration on the Branch Router 411
        Verification on the FlexVPN Client 412
    FlexVPN Backup Tunnel, Using Track-Based Tunnel Activation 414
        Verification on the FlexVPN Client 415
    Summary 416
 Part VI IPsec VPN Maintenance
 Chapter 13 Monitoring IPsec VPNs 417
    Introduction to Monitoring 417
        Authentication, Authorization, and Accounting (AAA) 418
        NetFlow 418
        Simple Network Management Protocol 419
        VRF-Aware SNMP 420
        Syslog 421
    Monitoring Methodology 422
        IP Connectivity 423
        VPN Tunnel Establishment 425
        Cisco IPsec Flow Monitor MIB 425
        SNMP with IKEv2 425
        Syslog 428
        Pre-Shared Key Authentication 429
        PKI Authentication 431
        EAP Authentication 434
        Authorization Using RADIUS-Based AAA 436
        Data Encryption: SNMP with IPsec 437
        Overlay Routing 439
        Data Usage 440
    Summary 443
    References 443
 Chapter 14 Troubleshooting IPsec VPNs 445
    Introduction 445
    Tools of Troubleshooting 446
        Show Commands 447
        Syslog Messages 447
        Event-Trace Monitoring 447
        Debugging 449
        IKEv2 Debugging 449
        IPsec Debugging 453
        Key Management Interface Debugging 453
        PKI Debugging 456
        Conditional Debugging 456
    IP Connectivity 457
    VPN Tunnel Establishment 460
        IKEv2 Diagnose Error 460
        Troubleshooting the IKE_SA_INIT Exchange 461
        Troubleshooting the IKE_AUTH Exchange 464
    Authentication 464
        Troubleshooting RSA or ECDSA Authentication 465
        Certificate Attributes 469
        Debugging Authentication Using PKI 470
        Certificate Expiry 470
        Matching Peer Using Certificate Maps 472
        Certificate Revocation 473
        Trustpoint Configuration 476
        Trustpoint Selection 476
        Pre-Shared Key 478
        Extensible Authentication Protocol (EAP) 480
    Authorization 485
    Data Encryption 488
        Debugging IPsec 488
        IPsec Anti-Replay 491
    Data Encapsulation 495
        Mismatching GRE Tunnel Keys 495
    Overlay Routing 495
        Static Routing 496
        IKEv2 Routing 496
        Dynamic Routing Protocols 498
    Summary 499
    References 502
 Part VII IPsec Overhead
 Chapter 15 IPsec Overhead and Fragmentation 503
    Introduction 503
    Computing the IPsec Overhead 504
        General Considerations 504
        IPsec Mode Overhead (without GRE) 505
        GRE Overhead 505
        Encapsulating Security Payload Overhead 507
        Authentication Header Overhead 509
        Encryption Overhead 510
        Integrity Overhead 511
        Combined-mode Algorithm Overhead 512
        Plaintext MTU 513
        Maximum Overhead 514
        Maximum Encapsulation Security Payload Overhead 515
        Maximum Authentication Header Overhead 516
        Extra Overhead 516
    IPsec and Fragmentation 518
        Maximum Transmission Unit 518
        Fragmentation in IPv4 519
        Fragmentation in IPv6 522
        Path MTU Discovery 523
        TCP MSS Clamping 525
        MSS Refresher 525
        MSS Adjustment 526
        IPsec Fragmentation and PMTUD 527
        Fragmentation on Tunnels 531
        IPsec Only (VTI) 531
        GRE Only 532
        GRE over IPsec 534
        Tunnel PMTUD 534
        The Impact of Fragmentation 535
    Summary 536
    References 536
 Part VIII Migration to IKEv2
 Chapter 16 Migration Strategies 539
    Introduction to Migrating to IKEv2 and FlexVPN 539
    Consideration when Migrating to IKEv2 539
        Hardware Limi
Graham Bartlett, CCIE No. 26709, has designed a number of large-scale Virtual Private Networks within the UK and has worked with customers throughout the world using IKEv2 and Next Generation Encryption. Graham’s interests include Security and Virtual Private Networks. Within this space he has discovered zero-day vulnerabilities, including the highest-severity security advisory in the March 2015 Cisco IOS software and IOS XE software security advisory bundled publication. He has contributed to numerous IETF RFCs and has intellectual property published as prior art. He is a CiscoLive speaker and has developed Cisco Security exam content (CCIE/CCNP). He is a CCP (Senior) IA Architect, CCP (Practitioner) Security & Information Risk Advisor, CCNP, CISSP, Cisco Security Ninja and holds a BSc (Hons) in Computer Systems and Networks.
Amjad Inamdar, CISSP 460898, is a Senior Technical Leader with Cisco IOS Security Engineering, India. He has primarily worked on the design, development and deployment of Cisco IOS secure connectivity solutions, including the industry-leading FlexVPN, DMVPN, GETVPN and EzVPN solutions, and is currently working on the Cisco next-generation SD-WAN solution. He has contributed to IETF drafts, holds a Cisco patent and has prior art publications. He holds many industry certifications, including CISSP, CCSK, CCNP Security, CCDP, CCNP R/S, CCNA (SP, Data Center, Wireless, Voice) and Cisco Security Ninja, and has presented on security at conferences, internal forums and to Cisco customers and partners. He holds a degree (B.E.) in Electronics and Communication Engineering.