Create and manage highly secure IPsec VPNs with IKEv2 and Cisco FlexVPN
The IKEv2 protocol significantly improves VPN security, and Cisco’s FlexVPN offers a unified paradigm and command line interface for taking full advantage of it. Simple and modular, FlexVPN relies extensively on tunnel interfaces while maximizing compatibility with legacy VPNs. Now, two Cisco network security experts offer a complete, easy-to-understand, and practical introduction to IKEv2, modern IPsec VPNs, and FlexVPN.
The authors explain each key concept, and then guide you through all facets of FlexVPN planning, deployment, migration, configuration, administration, troubleshooting, and optimization. You’ll discover how IKEv2 improves on IKEv1, master key IKEv2 features, and learn how to apply them with Cisco FlexVPN.
IKEv2 IPsec Virtual Private Networks offers practical design examples for many common scenarios, addressing IPv4 and IPv6, servers, clients, NAT, pre-shared keys, resiliency, overhead, and more. If you’re a network engineer, architect, security specialist, or VPN administrator, you’ll find all the knowledge you need to protect your organization with IKEv2 and FlexVPN.
Foreword xxvii
Introduction xxxiii
Part I Understanding IPsec VPNs
Chapter 1 Introduction to IPsec VPNs 1
The Need and Purpose of IPsec VPNs 2
Building Blocks of IPsec 2
Security Protocols 2
Security Associations 3
Key Management Protocol 3
IPsec Security Services 3
Access Control 4
Anti-replay Services 4
Confidentiality 4
Connectionless Integrity 4
Data Origin Authentication 4
Traffic Flow Confidentiality 4
Components of IPsec 5
Security Parameter Index 5
Security Policy Database 5
Security Association Database 6
Peer Authorization Database 6
Lifetime 7
Cryptography Used in IPsec VPNs 7
Symmetric Cryptography 7
Asymmetric Cryptography 8
The Diffie-Hellman Exchange 8
Public Key Infrastructure 11
Public Key Cryptography 11
Certificate Authorities 12
Digital Certificates 12
Digital Signatures Used in IKEv2 12
Pre-Shared-Keys, or Shared Secret 13
Encryption and Authentication 14
IP Authentication Header 15
Anti-Replay 16
IP Encapsulating Security Payload (ESP) 17
Authentication 18
Encryption 18
Anti-Replay 18
Encapsulation Security Payload Datagram Format 18
Encapsulating Security Payload Version 3 19
Extended Sequence Numbers 19
Traffic Flow Confidentiality 20
Dummy Packets 20
Modes of IPsec 20
IPsec Transport Mode 20
IPsec Tunnel Mode 21
Summary 22
References 22
Part II Understanding IKEv2
Chapter 2 IKEv2: The Protocol 23
IKEv2 Overview 23
The IKEv2 Exchange 24
IKE_SA_INIT 25
Diffie-Hellman Key Exchange 26
Security Association Proposals 29
Security Parameter Index (SPI) 34
Nonce 35
Cookie Notification 36
Certificate Request 38
HTTP_CERT_LOOKUP_SUPPORTED 39
Key Material Generation 39
IKE_AUTH 42
Encrypted and Authenticated Payload 42
Encrypted Payload Structure 43
Identity 44
Authentication 45
Signature-Based Authentication 46
(Pre) Shared-Key-Based Authentication 47
EAP 48
Traffic Selectors 50
Initial Contact 52
CREATE_CHILD_SA 53
IPsec Security Association Creation 53
IPsec Security Association Rekey 54
IKEv2 Security Association Rekey 54
IKEv2 Packet Structure Overview 55
The INFORMATIONAL Exchange 56
Notification 56
Deleting Security Associations 57
Configuration Payload Exchange 58
Dead Peer Detection/Keepalive/NAT Keepalive 59
IKEv2 Request – Response 61
IKEv2 and Network Address Translation 61
NAT Detection 64
Additions to RFC 7296 65
RFC 5998 An Extension for EAP-Only Authentication in IKEv2 65
RFC 5685 Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2) 65
RFC 6989 Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2) 65
RFC 6023 A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA) 66
Summary 66
References 66
Chapter 3 Comparison of IKEv1 and IKEv2 67
Brief History of IKEv1 67
Exchange Modes 69
IKEv1 70
IKEv2 71
Anti-Denial of Service 72
Lifetime 72
Authentication 73
High Availability 74
Traffic Selectors 74
Use of Identities 74
Network Address Translation 74
Configuration Payload 75
Mobility & Multi-homing 75
Matching on Identity 75
Reliability 77
Cryptographic Exchange Bloat 77
Combined Mode Ciphers 77
Continuous Channel Mode 77
Summary 77
References 78
Part III IPsec VPNs on Cisco IOS
Chapter 4 IOS IPsec Implementation 79
Modes of Encapsulation 82
GRE Encapsulation 82
GRE over IPsec 83
IPsec Transport Mode with GRE over IPsec 83
IPsec Tunnel Mode with GRE over IPsec 84
Traffic 85
Multicast Traffic 85
Non-IP Protocols 86
The Demise of Crypto Maps 86
Interface Types 87
Virtual Interfaces: VTI and GRE/IPsec 87
Traffic Selection by Routing 88
Static Tunnel Interfaces 90
Dynamic Tunnel Interfaces 91
sVTI and dVTI 92
Multipoint GRE 92
Tunnel Protection and Crypto Sockets 94
Implementation Modes 96
Dual Stack 96
Mixed Mode 96
Auto Tunnel Mode 99
VRF-Aware IPsec 99
VRF in Brief 99
VRF-Aware GRE and VRF-Aware IPsec 101
VRF-Aware GRE over IPsec 102
Summary 103
Reference 104
Part IV IKEv2 Implementation
Chapter 5 IKEv2 Configuration 105
IKEv2 Configuration Overview 105
The Guiding Principle 106
Scope of IKEv2 Configuration 106
IKEv2 Configuration Constructs 106
IKEv2 Proposal 107
Configuring the IKEv2 Proposal 108
Configuring IKEv2 Encryption 111
Configuring IKEv2 Integrity 113
Configuring IKEv2 Diffie-Hellman 113
Configuring IKEv2 Pseudorandom Function 115
Default IKEv2 Proposal 115
IKEv2 Policy 117
Configuring an IKEv2 Policy 118
Configuring IKEv2 Proposals under IKEv2 Policy 119
Configuring Match Statements under IKEv2 Policy 120
Default IKEv2 Policy 121
IKEv2 Policy Selection on the Initiator 122
IKEv2 Policy Selection on Responder 124
IKEv2 Policy Configuration Examples 125
Per-peer IKEv2 Policy 125
IKEv2 Policy with Multiple Proposals 126
IKEv2 Keyring 128
Configuring IKEv2 Keyring 129
Configuring a Peer Block in Keyring 130
Key Lookup on Initiator 132
Key Lookup on Responder 133
IKEv2 Keyring Configuration Example 134
IKEv2 Keyring Key Points 136
IKEv2 Profile 136
IKEv2 Profile as Peer Authorization Database 137
Configuring IKEv2 Profile 138
Configuring Match Statements in IKEv2 Profile 139
Matching any Peer Identity 142
Defining the Scope of IKEv2 Profile 143
Defining the Local IKE Identity 143
Defining Local and Remote Authentication Methods 145
IKEv2 Dead Peer Detection 149
IKEv2 Initial Contact 151
IKEv2 SA Lifetime 151
NAT Keepalives 152
IVRF (inside VRF) 152
Virtual Template Interface 153
Disabling IKEv2 Profile 153
Displaying IKEv2 Profiles 153
IKEv2 Profile Selection on Initiator and Responder 154
IKEv2 Profile Key Points 154
IKEv2 Global Configuration 155
HTTP URL-based Certificate Lookup 156
IKEv2 Cookie Challenge 156
IKEv2 Call Admission Control 157
IKEv2 Window Size 158
Dead Peer Detection 158
NAT Keepalive 159
IKEv2 Diagnostics 159
PKI Configuration 159
Certificate Authority 160
Public-Private Key Pair 162
PKI Trustpoint 163
PKI Example 164
IPsec Configuration 166
IPsec Profile 167
IPsec Configuration Example 168
Smart Defaults 168
Summary 169
Chapter 6 Advanced IKEv2 Features 171
Introduction to IKEv2 Fragmentation 171
IP Fragmentation Overview 172
IKEv2 and Fragmentation 173
IKEv2 SGT Capability Negotiation 178
IKEv2 Session Authentication 181
IKEv2 Session Deletion on Certificate Revocation 182
IKEv2 Session Deletion on Certificate Expiry 184
IKEv2 Session Lifetime 185
Summary 187
References 188
Chapter 7 IKEv2 Deployments 189
Pre-shared-key Authentication with Smart Defaults 189
Elliptic Curve Digital Signature Algorithm Authentication 194
RSA Authentication Using HTTP URL Lookup 200
IKEv2 Cookie Challenge and Call Admission Control 207
Summary 210
Part V FlexVPN
Chapter 8 Introduction to FlexVPN 211
FlexVPN Overview 211
The Rationale 212
FlexVPN Value Proposition 213
FlexVPN Building Blocks 213
IKEv2 213
Cisco IOS Point-to-Point Tunnel Interfaces 214
Configuring Static P2P Tunnel Interfaces 214
Configuring Virtual-Template Interfaces 216
Auto-Detection of Tunnel Encapsulation and Transport 219
Benefits of Per-Peer P2P Tunnel Interfaces 221
Cisco IOS AAA Infrastructure 221
Configuring AAA for FlexVPN 222
IKEv2 Name Mangler 223
Configuring IKEv2 Name Mangler 224
Extracting Name from FQDN Identity 225
Extracting Name from Email Identity 226
Extracting Name from DN Identity 226
Extracting Name from EAP Identity 227
IKEv2 Authorization Policy 228
Default IKEv2 Authorization Policy 229
FlexVPN Authorization 231
Configuring FlexVPN Authorization 233
FlexVPN User Authorization 235
FlexVPN User Authorization, Using an External AAA Server 235
FlexVPN Group Authorization 237
FlexVPN Group Authorization, Using a Local AAA Database 238
FlexVPN Group Authorization, Using an External AAA Server 239
FlexVPN Implicit Authorization 242
FlexVPN Implicit Authorization Example 243
FlexVPN Authorization Types: Co-existence and Precedence 245
User Authorization Taking Higher Precedence 247
Group Authorization Taking Higher Precedence 249
FlexVPN Configuration Exchange 250
Enabling Configuration Exchange 250
FlexVPN Usage of Configuration Payloads 251
Configuration Attributes and Authorization 253
Configuration Exchange Examples 259
FlexVPN Routing 264
Learning Remote Subnets Locally 265
Learning Remote Subnets from Peer 266
Summary 268
Chapter 9 FlexVPN Server 269
Sequence of Events 270
EAP Authentication 271
EAP Methods 272
EAP Message Flow 273
EAP Identity 273
EAP Timeout 275
EAP Authentication Steps 275
Configuring EAP 277
EAP Configuration Example 278
AAA-based Pre-shared Keys 283
Configuring AAA-based Pre-Shared Keys 284
RADIUS Attributes for AAA-Based Pre-Shared Keys 285
AAA-Based Pre-Shared Keys Example 285
Accounting 287
Per-Session Interface 290
Deriving Virtual-Access Configuration from a Virtual Template 291
Deriving Virtual-Access Configuration from AAA Authorization 293
The interface-config AAA Attribute 293
Deriving Virtual-Access Configuration from an Incoming Session 294
Virtual-Access Cloning Example 295
Auto Detection of Tunnel Transport and Encapsulation 297
RADIUS Packet of Disconnect 299
Configuring RADIUS Packet of Disconnect 300
RADIUS Packet of Disconnect Example 301
RADIUS Change of Authorization (CoA) 303
Configuring RADIUS CoA 304
RADIUS CoA Examples 305
Updating Session QoS Policy, Using CoA 305
Updating the Session ACL, Using CoA 307
IKEv2 Auto-Reconnect 309
Auto-Reconnect Configuration Attributes 310
Smart DPD 311
Configuring IKEv2 Auto-Reconnect 313
User Authentication, Using AnyConnect-EAP 315
AnyConnect-EAP 315
AnyConnect-EAP XML Messages for User Authentication 316
Configuring User Authentication, Using AnyConnect-EAP 318
AnyConnect Configuration for Aggregate Authentication 320
Dual-factor Authentication, Using AnyConnect-EAP 320
AnyConnect-EAP XML Messages for Dual-factor Authentication 322
Configuring Dual-factor Authentication, Using AnyConnect-EAP 324
RADIUS Attributes Supported by the FlexVPN Server 325
Remote Access Clients Supported by FlexVPN Server 329
FlexVPN Remote Access Client 329
Microsoft Windows 7 IKEv2 Client 329
Cisco IKEv2 AnyConnect Client 330
Summary 330
Reference 330
Chapter 10 FlexVPN Client 331
Introduction 331
FlexVPN Client Overview 332
FlexVPN Client Building Blocks 333
IKEv2 Configuration Exchange 334
Static Point-to-Point Tunnel Interface 334
FlexVPN Client Profile 334
Object Tracking 334
NAT 335
FlexVPN Client Features 335
Dual Stack Support 335
EAP Authentication 335
Dynamic Routing 335
Support for EzVPN Client and Network Extension Modes 336
Advanced Features 336
Setting up the FlexVPN Server 336
EAP Authentication 337
Split-DNS 338
Components of Split-DNS 340
Windows Internet Naming Service (WINS) 343
Domain Name 344
FlexVPN Client Profile 345
Backup Gateways 346
Resolution of Fully Qualified Domain Names 346
Reactivating Peers 346
Backup Gateway List 347
Tunnel Interface 347
Tunnel Source 348
Tunnel Destination 349
Tunnel Initiation 350
Automatic Mode 350
Manual Mode 350
Track Mode 350
Tracking a List of Objects, Using a Boolean Expression 350
Dial Backup 352
Backup Group 353
Network Address Translation 354
Design Considerations 356
Use of Public Key Infrastructure and Pre-Shared Keys 356
The Power of Tracking 356
Tracked Object Based on Embedded Event Manager 356
Troubleshooting FlexVPN Client 358
Useful Show Commands 358
Debugging FlexVPN Client 360
Clearing IKEv2 FlexVPN Client Sessions 360
Summary 361
Chapter 11 FlexVPN Load Balancer 363
Introduction 363
Components of the FlexVPN Load Balancer 363
IKEv2 Redirect 363
Hot Standby Routing Protocol 366
FlexVPN IKEv2 Load Balancer 367
Cluster Load 369
IKEv2 Redirect 372
Redirect Loops 373
FlexVPN Client 374
Troubleshooting IKEv2 Load Balancing 374
IKEv2 Load Balancer Example 376
Summary 379
Chapter 12 FlexVPN Deployments 381
Introduction 381
FlexVPN AAA-Based Pre-Shared Keys 381
Configuration on the Branch-1 Router 382
Configuration on the Branch-2 Router 383
Configuration on the Hub Router 383
Configuration on the RADIUS Server 384
FlexVPN User and Group Authorization 386
FlexVPN Client Configuration at Branch 1 386
FlexVPN Client Configuration at Branch 2 387
Configuration on the FlexVPN Server 387
Configuration on the RADIUS Server 388
Logs Specific to FlexVPN Client-1 389
Logs Specific to FlexVPN Client-2 390
FlexVPN Routing, Dual Stack, and Tunnel Mode Auto 391
FlexVPN Spoke Configuration at Branch-1 392
FlexVPN Spoke Configuration at Branch-2 394
FlexVPN Hub Configuration at the HQ 395
Verification on FlexVPN Spoke at Branch-1 397
Verification on FlexVPN Spoke at Branch-2 399
Verification on the FlexVPN Hub at HQ 401
FlexVPN Client NAT to the Server-Assigned IP Address 404
Configuration on the FlexVPN Client 404
Verification on the FlexVPN Client 405
FlexVPN WAN Resiliency, Using Dynamic Tunnel Source 407
FlexVPN Client Configuration on the Dual-Homed Branch Router 408
Verification on the FlexVPN Client 409
FlexVPN Hub Resiliency, Using Backup Peers 411
FlexVPN Client Configuration on the Branch Router 411
Verification on the FlexVPN Client 412
FlexVPN Backup Tunnel, Using Track-Based Tunnel Activation 414
Verification on the FlexVPN Client 415
Summary 416
Part VI IPsec VPN Maintenance
Chapter 13 Monitoring IPsec VPNs 417
Introduction to Monitoring 417
Authentication, Authorization, and Accounting (AAA) 418
NetFlow 418
Simple Network Management Protocol 419
VRF-Aware SNMP 420
Syslog 421
Monitoring Methodology 422
IP Connectivity 423
VPN Tunnel Establishment 425
Cisco IPsec Flow Monitor MIB 425
SNMP with IKEv2 425
Syslog 428
Pre-Shared Key Authentication 429
PKI Authentication 431
EAP Authentication 434
Authorization Using RADIUS-Based AAA 436
Data Encryption: SNMP with IPsec 437
Overlay Routing 439
Data Usage 440
Summary 443
References 443
Chapter 14 Troubleshooting IPsec VPNs 445
Introduction 445
Tools of Troubleshooting 446
Show Commands 447
Syslog Messages 447
Event-Trace Monitoring 447
Debugging 449
IKEv2 Debugging 449
IPsec Debugging 453
Key Management Interface Debugging 453
PKI Debugging 456
Conditional Debugging 456
IP Connectivity 457
VPN Tunnel Establishment 460
IKEv2 Diagnose Error 460
Troubleshooting the IKE_SA_INIT Exchange 461
Troubleshooting the IKE_AUTH Exchange 464
Authentication 464
Troubleshooting RSA or ECDSA Authentication 465
Certificate Attributes 469
Debugging Authentication Using PKI 470
Certificate Expiry 470
Matching Peer Using Certificate Maps 472
Certificate Revocation 473
Trustpoint Configuration 476
Trustpoint Selection 476
Pre-Shared Key 478
Extensible Authentication Protocol (EAP) 480
Authorization 485
Data Encryption 488
Debugging IPsec 488
IPsec Anti-Replay 491
Data Encapsulation 495
Mismatching GRE Tunnel Keys 495
Overlay Routing 495
Static Routing 496
IKEv2 Routing 496
Dynamic Routing Protocols 498
Summary 499
References 502
Part VII IPsec Overhead
Chapter 15 IPsec Overhead and Fragmentation 503
Introduction 503
Computing the IPsec Overhead 504
General Considerations 504
IPsec Mode Overhead (without GRE) 505
GRE Overhead 505
Encapsulating Security Payload Overhead 507
Authentication Header Overhead 509
Encryption Overhead 510
Integrity Overhead 511
Combined-mode Algorithm Overhead 512
Plaintext MTU 513
Maximum Overhead 514
Maximum Encapsulation Security Payload Overhead 515
Maximum Authentication Header Overhead 516
Extra Overhead 516
IPsec and Fragmentation 518
Maximum Transmission Unit 518
Fragmentation in IPv4 519
Fragmentation in IPv6 522
Path MTU Discovery 523
TCP MSS Clamping 525
MSS Refresher 525
MSS Adjustment 526
IPsec Fragmentation and PMTUD 527
Fragmentation on Tunnels 531
IPsec Only (VTI) 531
GRE Only 532
GRE over IPsec 534
Tunnel PMTUD 534
The Impact of Fragmentation 535
Summary 536
References 536
Part VIII Migration to IKEv2
Chapter 16 Migration Strategies 539
Introduction to Migrating to IKEv2 and FlexVPN 539
Considerations when Migrating to IKEv2 539
Hardware Limi
Download the errata for this book.
Download the replacement Figure 7.1.