This eBook includes the following formats, accessible from your Account page after purchase:
EPUB The open industry format known for its reflowable content and usability on supported mobile devices.
PDF The popular standard, used most often with the free Acrobat® Reader® software.
This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.
Create and manage highly secure IPsec VPNs with IKEv2 and Cisco FlexVPN
The IKEv2 protocol significantly improves VPN security, and Cisco’s FlexVPN offers a unified paradigm and command line interface for taking full advantage of it. Simple and modular, FlexVPN relies extensively on tunnel interfaces while maximizing compatibility with legacy VPNs. Now, two Cisco network security experts offer a complete, easy-to-understand, and practical introduction to IKEv2, modern IPsec VPNs, and FlexVPN.
The authors explain each key concept, and then guide you through all facets of FlexVPN planning, deployment, migration, configuration, administration, troubleshooting, and optimization. You’ll discover how IKEv2 improves on IKEv1, master key IKEv2 features, and learn how to apply them with Cisco FlexVPN.
IKEv2 IPsec Virtual Private Networks offers practical design examples for many common scenarios, addressing IPv4 and IPv6, servers, clients, NAT, pre-shared keys, resiliency, overhead, and more. If you’re a network engineer, architect, security specialist, or VPN administrator, you’ll find all the knowledge you need to protect your organization with IKEv2 and FlexVPN.
Download the sample pages (includes Chapter 7 and the Index).
Foreword xxvii
Introduction xxxiii
Part I Understanding IPsec VPNs
Chapter 1 Introduction to IPsec VPNs 1
The Need and Purpose of IPsec VPNs 2
Building Blocks of IPsec 2
Security Protocols 2
Security Associations 3
Key Management Protocol 3
IPsec Security Services 3
Access Control 4
Anti-replay Services 4
Confidentiality 4
Connectionless Integrity 4
Data Origin Authentication 4
Traffic Flow Confidentiality 4
Components of IPsec 5
Security Parameter Index 5
Security Policy Database 5
Security Association Database 6
Peer Authorization Database 6
Lifetime 7
Cryptography Used in IPsec VPNs 7
Symmetric Cryptography 7
Asymmetric Cryptography 8
The Diffie-Hellman Exchange 8
Public Key Infrastructure 11
Public Key Cryptography 11
Certificate Authorities 12
Digital Certificates 12
Digital Signatures Used in IKEv2 12
Pre-Shared-Keys, or Shared Secret 13
Encryption and Authentication 14
IP Authentication Header 15
Anti-Replay 16
IP Encapsulating Security Payload (ESP) 17
Authentication 18
Encryption 18
Anti-Replay 18
Encapsulation Security Payload Datagram Format 18
Encapsulating Security Payload Version 3 19
Extended Sequence Numbers 19
Traffic Flow Confidentiality 20
Dummy Packets 20
Modes of IPsec 20
IPsec Transport Mode 20
IPsec Tunnel Mode 21
Summary 22
References 22
Part II Understanding IKEv2
Chapter 2 IKEv2: The Protocol 23
IKEv2 Overview 23
The IKEv2 Exchange 24
IKE_SA_INIT 25
Diffie-Hellman Key Exchange 26
Security Association Proposals 29
Security Parameter Index (SPI) 34
Nonce 35
Cookie Notification 36
Certificate Request 38
HTTP_CERT_LOOKUP_SUPPORTED 39
Key Material Generation 39
IKE_AUTH 42
Encrypted and Authenticated Payload 42
Encrypted Payload Structure 43
Identity 44
Authentication 45
Signature-Based Authentication 46
(Pre) Shared-Key-Based Authentication 47
EAP 48
Traffic Selectors 50
Initial Contact 52
CREATE_CHILD_SA 53
IPsec Security Association Creation 53
IPsec Security Association Rekey 54
IKEv2 Security Association Rekey 54
IKEv2 Packet Structure Overview 55
The INFORMATIONAL Exchange 56
Notification 56
Deleting Security Associations 57
Configuration Payload Exchange 58
Dead Peer Detection/Keepalive/NAT Keepalive 59
IKEv2 Request Response 61
IKEv2 and Network Address Translation 61
NAT Detection 64
Additions to RFC 7296 65
RFC 5998 An Extension for EAP-Only Authentication in IKEv2 65
RFC 5685 Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2) 65
RFC 6989 Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2) 65
RFC 6023 A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA) 66
Summary 66
References 66
Chapter 3 Comparison of IKEv1 and IKEv2 67
Brief History of IKEv1 67
Exchange Modes 69
IKEv1 70
IKEv2 71
Anti-Denial of Service 72
Lifetime 72
Authentication 73
High Availability 74
Traffic Selectors 74
Use of Identities 74
Network Address Translation 74
Configuration Payload 75
Mobility & Multi-homing 75
Matching on Identity 75
Reliability 77
Cryptographic Exchange Bloat 77
Combined Mode Ciphers 77
Continuous Channel Mode 77
Summary 77
References 78
Part III IPsec VPNs on Cisco IOS
Chapter 4 IOS IPsec Implementation 79
Modes of Encapsulation 82
GRE Encapsulation 82
GRE over IPsec 83
IPsec Transport Mode with GRE over IPsec 83
IPsec Tunnel Mode with GRE over IPsec 84
Traffic 85
Multicast Traffic 85
Non-IP Protocols 86
The Demise of Crypto Maps 86
Interface Types 87
Virtual Interfaces: VTI and GRE/IPsec 87
Traffic Selection by Routing 88
Static Tunnel Interfaces 90
Dynamic Tunnel Interfaces 91
sVTI and dVTI 92
Multipoint GRE 92
Tunnel Protection and Crypto Sockets 94
Implementation Modes 96
Dual Stack 96
Mixed Mode 96
Auto Tunnel Mode 99
VRF-Aware IPsec 99
VRF in Brief 99
VRF-Aware GRE and VRF-Aware IPsec 101
VRF-Aware GRE over IPsec 102
Summary 103
Reference 104
Part IV IKEv2 Implementation
Chapter 5 IKEv2 Configuration 105
IKEv2 Configuration Overview 105
The Guiding Principle 106
Scope of IKEv2 Configuration 106
IKEv2 Configuration Constructs 106
IKEv2 Proposal 107
Configuring the IKEv2 Proposal 108
Configuring IKEv2 Encryption 111
Configuring IKEv2 Integrity 113
Configuring IKEv2 Diffie-Hellman 113
Configuring IKEv2 Pseudorandom Function 115
Default IKEv2 Proposal 115
IKEv2 Policy 117
Configuring an IKEv2 Policy 118
Configuring IKEv2 Proposals under IKEv2 Policy 119
Configuring Match Statements under IKEv2 Policy 120
Default IKEv2 Policy 121
IKEv2 Policy Selection on the Initiator 122
IKEv2 Policy Selection on Responder 124
IKEv2 Policy Configuration Examples 125
Per-peer IKEv2 Policy 125
IKEv2 Policy with Multiple Proposals 126
IKEv2 Keyring 128
Configuring IKEv2 Keyring 129
Configuring a Peer Block in Keyring 130
Key Lookup on Initiator 132
Key Lookup on Responder 133
IKEv2 Keyring Configuration Example 134
IKEv2 Keyring Key Points 136
IKEv2 Profile 136
IKEv2 Profile as Peer Authorization Database 137
Configuring IKEv2 Profile 138
Configuring Match Statements in IKEv2 Profile 139
Matching any Peer Identity 142
Defining the Scope of IKEv2 Profile 143
Defining the Local IKE Identity 143
Defining Local and Remote Authentication Methods 145
IKEv2 Dead Peer Detection 149
IKEv2 Initial Contact 151
IKEv2 SA Lifetime 151
NAT Keepalives 152
IVRF (inside VRF) 152
Virtual Template Interface 153
Disabling IKEv2 Profile 153
Displaying IKEv2 Profiles 153
IKEv2 Profile Selection on Initiator and Responder 154
IKEv2 Profile Key Points 154
IKEv2 Global Configuration 155
HTTP URL-based Certificate Lookup 156
IKEv2 Cookie Challenge 156
IKEv2 Call Admission Control 157
IKEv2 Window Size 158
Dead Peer Detection 158
NAT Keepalive 159
IKEv2 Diagnostics 159
PKI Configuration 159
Certificate Authority 160
Public-Private Key Pair 162
PKI Trustpoint 163
PKI Example 164
IPsec Configuration 166
IPsec Profile 167
IPsec Configuration Example 168
Smart Defaults 168
Summary 169
Chapter 6 Advanced IKEv2 Features 171
Introduction to IKEv2 Fragmentation 171
IP Fragmentation Overview 172
IKEv2 and Fragmentation 173
IKEv2 SGT Capability Negotiation 178
IKEv2 Session Authentication 181
IKEv2 Session Deletion on Certificate Revocation 182
IKEv2 Session Deletion on Certificate Expiry 184
IKEv2 Session Lifetime 185
Summary 187
References 188
Chapter 7 IKEv2 Deployments 189
Pre-shared-key Authentication with Smart Defaults 189
Elliptic Curve Digital Signature Algorithm Authentication 194
RSA Authentication Using HTTP URL Lookup 200
IKEv2 Cookie Challenge and Call Admission Control 207
Summary 210
Part V FlexVPN
Chapter 8 Introduction to FlexVPN 211
FlexVPN Overview 211
The Rationale 212
FlexVPN Value Proposition 213
FlexVPN Building Blocks 213
IKEv2 213
Cisco IOS Point-to-Point Tunnel Interfaces 214
Configuring Static P2P Tunnel Interfaces 214
Configuring Virtual-Template Interfaces 216
Auto-Detection of Tunnel Encapsulation and Transport 219
Benefits of Per-Peer P2P Tunnel Interfaces 221
Cisco IOS AAA Infrastructure 221
Configuring AAA for FlexVPN 222
IKEv2 Name Mangler 223
Configuring IKEv2 Name Mangler 224
Extracting Name from FQDN Identity 225
Extracting Name from Email Identity 226
Extracting Name from DN Identity 226
Extracting Name from EAP Identity 227
IKEv2 Authorization Policy 228
Default IKEv2 Authorization Policy 229
FlexVPN Authorization 231
Configuring FlexVPN Authorization 233
FlexVPN User Authorization 235
FlexVPN User Authorization, Using an External AAA Server 235
FlexVPN Group Authorization 237
FlexVPN Group Authorization, Using a Local AAA Database 238
FlexVPN Group Authorization, Using an External AAA Server 239
FlexVPN Implicit Authorization 242
FlexVPN Implicit Authorization Example 243
FlexVPN Authorization Types: Co-existence and Precedence 245
User Authorization Taking Higher Precedence 247
Group Authorization Taking Higher Precedence 249
FlexVPN Configuration Exchange 250
Enabling Configuration Exchange 250
FlexVPN Usage of Configuration Payloads 251
Configuration Attributes and Authorization 253
Configuration Exchange Examples 259
FlexVPN Routing 264
Learning Remote Subnets Locally 265
Learning Remote Subnets from Peer 266
Summary 268
Chapter 9 FlexVPN Server 269
Sequence of Events 270
EAP Authentication 271
EAP Methods 272
EAP Message Flow 273
EAP Identity 273
EAP Timeout 275
EAP Authentication Steps 275
Configuring EAP 277
EAP Configuration Example 278
AAA-based Pre-shared Keys 283
Configuring AAA-based Pre-Shared Keys 284
RADIUS Attributes for AAA-Based Pre-Shared Keys 285
AAA-Based Pre-Shared Keys Example 285
Accounting 287
Per-Session Interface 290
Deriving Virtual-Access Configuration from a Virtual Template 291
Deriving Virtual-Access Configuration from AAA Authorization 293
The interface-config AAA Attribute 293
Deriving Virtual-Access Configuration from an Incoming Session 294
Virtual-Access Cloning Example 295
Auto Detection of Tunnel Transport and Encapsulation 297
RADIUS Packet of Disconnect 299
Configuring RADIUS Packet of Disconnect 300
RADIUS Packet of Disconnect Example 301
RADIUS Change of Authorization (CoA) 303
Configuring RADIUS CoA 304
RADIUS CoA Examples 305
Updating Session QoS Policy, Using CoA 305
Updating the Session ACL, Using CoA 307
IKEv2 Auto-Reconnect 309
Auto-Reconnect Configuration Attributes 310
Smart DPD 311
Configuring IKEv2 Auto-Reconnect 313
User Authentication, Using AnyConnect-EAP 315
AnyConnect-EAP 315
AnyConnect-EAP XML Messages for User Authentication 316
Configuring User Authentication, Using AnyConnect-EAP 318
AnyConnect Configuration for Aggregate Authentication 320
Dual-factor Authentication, Using AnyConnect-EAP 320
AnyConnect-EAP XML Messages for Dual-factor Authentication 322
Configuring Dual-factor Authentication, Using AnyConnect-EAP 324
RADIUS Attributes Supported by the FlexVPN Server 325
Remote Access Clients Supported by FlexVPN Server 329
FlexVPN Remote Access Client 329
Microsoft Windows 7 IKEv2 Client 329
Cisco IKEv2 AnyConnect Client 330
Summary 330
Reference 330
Chapter 10 FlexVPN Client 331
Introduction 331
FlexVPN Client Overview 332
FlexVPN Client Building Blocks 333
IKEv2 Configuration Exchange 334
Static Point-to-Point Tunnel Interface 334
FlexVPN Client Profile 334
Object Tracking 334
NAT 335
FlexVPN Client Features 335
Dual Stack Support 335
EAP Authentication 335
Dynamic Routing 335
Support for EzVPN Client and Network Extension Modes 336
Download the errata for this book.
Download the replacement Figure 7.1.