Wednesday, 23 September 2020

FlexVPN - Site-to-Site (1)

IKEv2
 
Few words on IKEv2:

-    described in RFC 7296 (initially RFC 5996)
-    offers dynamic key exchange and peer authentication
-    addresses measures to fix vulnerabilities of IKEv1 (anti-DoS)
-    supports Extensible Authentication Protocol (EAP)
-    it is not backward compatible with IKEv1
-    operates in two phases
-    industry standard, can operate in multivendor environment


IKEv2 operation:
-    Phase 1 is IKE_SA it consist a message pair IKE_SA_INIT (key exchange policy)
-    Phase 2 is CHILD_SA, first message pair is IKE_AUTH, additional CHILD_SA can be sent for rekey and information messages (data policy) 


R1 is the Initiator / R2 is the Responder

SA – security association
KE – Key exchange
Nr,Ni – Nonce
Cert-Req – Certificate Request
Cert – Certificate
IDi – Identification (Initiator/Responder)
TSi – Traffic selector – Initiator
TSr – traffic selector – Responder

 
IKEv2 authentication methods:
-    pre-shared keys (PSK)
-    digital signatures
-    EAP


IPSec 


IPSec consist of two main security protocols:
- Authentication Header (AH- IP protocol ID  51) – used for authentication and Integrity, enforces anti replay protection (receiving host sets replay bit in the header). AH is applied to datagram only.
- Encapsulation Security Payload (ESP- IP protocol ID 50) – used to provide confidentiality (encryption), data origin authentication, integrity, optional anti-replay service. Performs encryption at the IP packet layer, support symmetric algorithms by default 56-bit DES.

The AH can be applied alone or together with the ESP.

IPSec supports following standards:
-    Data encryption standard (DES), Triple DES (3 DES)
-    Delffie – Hellman (D-H)
-    Message Digest 5 (MD5)
-    Rivest, Shamir, and Adelman (RSA) signatures
-    IKEv1/v2
-    Certificate Authorities


IPSec operates in two modes:
-    Tunnel mode – A new IP header is created in place of the original this allow for encryption of entire original packet. Tunnel mode is used to encrypt traffic between secure IPSec Gateways i.e. Site to Site VPN or Cisco VPN Client and a IPSec Gateway.
-    Transport mode – The AH or ESP is inserted behind the IP header, the IP header can be authenticated but not encrypted. Use example would be an encrypted Telnet or Remote Desktop session from a workstation to a server.
In transport mode IP header is exposed.


Smart Defaults – this feature minimize FlexVPN configuration process. For example is following configuration steps can be skipped:
-    IKEv2 Proposal
-    IKEv2 Policy
-    IPSec transform-set
-    IPSec profile


default values will be picked, to verify default values:
-    sh crypto ikev2 proposal
-    sh crypto ikev2 policy
-    sh crypto ipsec transform
-    sh crypto ipsec profile


The think to remember is to use “default” as a name for the ikev2 profile.


LAB. Site to site FlexVPN with SVTI (using smart defaults)

 


 

RTR-01

crypto ikev2 keyring FlexVPN

 peer rtr-02

  address 20.0.0.1

  pre-shared-key local cisco

  pre-shared-key remote cisco

 

crypto ikev2 profile default

 description --->Basic FlexVPN<---

 match identity remote address 0.0.0.0

 authentication remote pre-share

 authentication local pre-share

 keyring local FlexVPN

 

crypto ikev2 dpd 10 3 on-demand

 

interface Tunnel200

 description FlexVPN-to-rtr-02

 ip address 10.120.0.1 255.255.255.252

 tunnel source Ethernet1/1

 tunnel mode ipsec ipv4

 tunnel destination 20.0.0.1

 tunnel protection ipsec profile default

 

RTR-02

crypto ikev2 keyring FlexVPN

 peer rtr-01

  address 10.0.0.1

  pre-shared-key local cisco

  pre-shared-key remote cisco

 

crypto ikev2 profile default

 description --->Basic FlexVPN<---

 match identity remote address 0.0.0.0

 authentication remote pre-share

 authentication local pre-share

 keyring local FlexVPN

 

crypto ikev2 dpd 10 3 on-demand

 

interface Tunnel200

 description FlexVPN-to-rtr-01

 ip address 10.120.0.2 255.255.255.252

 tunnel source Ethernet1/0

 tunnel mode ipsec ipv4

 tunnel destination 10.0.0.1

 tunnel protection ipsec profile default



Verification:

RTR-01-HUB#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.0.0.1/500          20.0.0.1/500          none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/248 sec
      CE id: 1001, Session-id: 1
      Status Description: Negotiation done
      Local spi: 6445B887B3DC849B       Remote spi: CB227544A6FD4612
      Local id: 10.0.0.1
      Remote id: 20.0.0.1
      Local req msg id:  2              Remote req msg id:  0
      Local next msg id: 2              Remote next msg id: 0
      Local req queued:  2              Remote req queued:  0
      Local window:      5              Remote window:      5
      DPD configured for 10 seconds, retry 3
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes

 IPv6 Crypto IKEv2  SA

RTR-01-HUB

RTR-02#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         20.0.0.1/500          10.0.0.1/500          none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/159 sec
      CE id: 1001, Session-id: 1
      Status Description: Negotiation done
      Local spi: CB227544A6FD4612       Remote spi: 6445B887B3DC849B
      Local id: 20.0.0.1
      Remote id: 10.0.0.1
      Local req msg id:  0              Remote req msg id:  2
      Local next msg id: 0              Remote next msg id: 2
      Local req queued:  0              Remote req queued:  2
      Local window:      5              Remote window:      5
      DPD configured for 10 seconds, retry 3
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : No

 IPv6 Crypto IKEv2  SA

 

Wireshark capture of the test ping from rtr-01 to rtr-02.

 



Plumbing... QoS

Rule no 1. QoS does not help in situations where there is no enough bandwidth but helps optimize performance by prioritization of the traffi...