IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS

Description

Create and manage highly-secure Ipsec VPNs with IKEv2 and Cisco FlexVPN

The IKEv2 protocol significantly improves VPN security, and Cisco’s FlexVPN offers a unified paradigm and command line interface for taking full advantage of it. Simple and modular, FlexVPN relies extensively on tunnel interfaces while maximizing compatibility with legacy VPNs. Now, two Cisco network security experts offer a complete, easy-tounderstand, and practical introduction to IKEv2, modern IPsec VPNs, and FlexVPN.

The authors explain each key concept, and then guide you through all facets of FlexVPN planning, deployment, migration, configuration, administration, troubleshooting, and optimization. You’ll discover how IKEv2 improves on IKEv1, master key IKEv2 features, and learn how to apply them with Cisco FlexVPN.

IKEv2 IPsec Virtual Private Networks offers practical design examples for many common scenarios, addressing IPv4 and IPv6, servers, clients, NAT, pre-shared keys, resiliency, overhead, and more. If you’re a network engineer, architect, security specialist, or VPN administrator, you’ll find all the knowledge you need to protect your organization with IKEv2 and FlexVPN.

• Understand IKEv2 improvements: anti-DDoS cookies, configuration payloads, acknowledged responses, and more
• Implement modern secure VPNs with Cisco IOS and IOS-XE
• Plan and deploy IKEv2 in diverse real-world environments
• Configure IKEv2 proposals, policies, profiles, keyrings, and authorization
• Use advanced IKEv2 features, including SGT transportation and IKEv2 fragmentation
• Understand FlexVPN, its tunnel interface types, and IOS AAA infrastructure
• Implement FlexVPN Server with EAP authentication, pre-shared keys, and digital signatures
• Deploy, configure, and customize FlexVPN clients
• Configure, manage, and troubleshoot the FlexVPN Load Balancer
• Improve FlexVPN resiliency with dynamic tunnel source, backup peers, and backup tunnels
• Monitor IPsec VPNs with AAA, SNMP, and Syslog
• Troubleshoot connectivity, tunnel creation, authentication, authorization, data encapsulation, data encryption, and overlay routing
• Calculate IPsec overhead and fragmentation
• Plan your IKEv2 migration: hardware, VPN technologies, routing, restrictions, capacity, PKI, authentication, availability, and more

Sample Content

Sample Pages

Download the sample pages (includes Chapter 7 and the Index.)

Table of Contents

    Foreword xxvii

     Introduction xxxiii

 Part I Understanding IPsec VPNs

 Chapter 1 Introduction to IPsec VPNs 1

     The Need and Purpose of IPsec VPNs 2

     Building Blocks of IPsec 2

         Security Protocols 2

         Security Associations 3

         Key Management Protocol 3

     IPsec Security Services 3

         Access Control 4

         Anti-replay Services 4

        Confidentiality 4

         Connectionless Integrity 4

         Data Origin Authentication 4

         Traffic Flow Confidentiality 4

         Components of IPsec 5

         Security Parameter Index 5

         Security Policy Database 5

         Security Association Database 6

         Peer Authorization Database 6

         Lifetime 7

     Cryptography Used in IPsec VPNs 7

         Symmetric Cryptography 7

         Asymmetric Cryptography 8

         The Diffie-Hellman Exchange 8

     Public Key Infrastructure 11

         Public Key Cryptography 11

         Certificate Authorities 12

         Digital Certificates 12

         Digital Signatures Used in IKEv2 12

     Pre-Shared-Keys, or Shared Secret 13

     Encryption and Authentication 14

         IP Authentication Header 15

         Anti-Replay 16

 IP Encapsulating Security Payload (ESP) 17

         Authentication 18

         Encryption 18

         Anti-Replay 18

         Encapsulation Security Payload Datagram Format 18

        Encapsulating Security Payload Version 3 19

         Extended Sequence Numbers 19

         Traffic Flow Confidentiality 20

         Dummy Packets 20

     Modes of IPsec 20

         IPsec Transport Mode 20

         IPsec Tunnel Mode 21

     Summary 22

     References 22

 Part II Understanding IKEv2

 Chapter 2 IKEv2: The Protocol 23

     IKEv2 Overview 23

     The IKEv2 Exchange 24

     IKE_SA_INIT 25

         Diffie-Hellman Key Exchange 26

         Security Association Proposals 29

         Security Parameter Index (SPI) 34

         Nonce 35

         Cookie Notification 36

         Certificate Request 38

         HTTP_CERT_LOOKUP_SUPPORTED 39

     Key Material Generation 39

     IKE_AUTH 42

         Encrypted and Authenticated Payload 42

         Encrypted Payload Structure 43

         Identity 44

         Authentication 45

         Signature-Based Authentication 46

         (Pre) Shared-Key-Based Authentication 47

         EAP 48

         Traffic Selectors 50

         Initial Contact 52

     CREATE_CHILD_SA 53

         IPsec Security Association Creation 53

         IPsec Security Association Rekey 54

         IKEv2 Security Association Rekey 54

     IKEv2 Packet Structure Overview 55

     The INFORMATIONAL Exchange 56

         Notification 56

         Deleting Security Associations 57

         Configuration Payload Exchange 58

         Dead Peer Detection/Keepalive/NAT Keepalive 59

         IKEv2 Request – Response 61

     IKEv2 and Network Address Translation 61

         NAT Detection 64

     Additions to RFC 7296 65

     RFC 5998 An Extension for EAP-Only Authentication in IKEv2 65

     RFC 5685 Redirect Mechanism for the Internet Key Exchange

         Protocol Version 2 (IKEv2) 65

     RFC 6989 Additional Diffie-Hellman Tests for the Internet Key

         Exchange Protocol Version 2 (IKEv2) 65

     RFC 6023 A Childless Initiation of the Internet

         Key Exchange Version 2 (IKEv2) Security Association (SA) 66

     Summary 66

     References 66

 Chapter 3 Comparison of IKEv1 and IKEv2 67

     Brief History of IKEv1 67

     Exchange Modes 69

         IKEv1 70

         IKEv2 71

     Anti-Denial of Service 72

     Lifetime 72

     Authentication 73

     High Availability 74

     Traffic Selectors 74

     Use of Identities 74

     Network Address Translation 74

     Configuration Payload 75

     Mobility & Multi-homing 75

     Matching on Identity 75

     Reliability 77

     Cryptographic Exchange Bloat 77

     Combined Mode Ciphers 77

     Continuous Channel Mode 77

     Summary 77

     References 78

 Part III IPsec VPNs on Cisco IOS

 Chapter 4 IOS IPsec Implementation 79

     Modes of Encapsulation 82

         GRE Encapsulation 82

         GRE over IPsec 83

         IPsec Transport Mode with GRE over IPsec 83

         IPsec Tunnel mode with GRE over IPsec 84

         Traffic 85

         Multicast Traffic 85

         Non-IP Protocols 86

     The Demise of Crypto Maps 86

     Interface Types 87

         Virtual Interfaces: VTI and GRE/IPsec 87

         Traffic Selection by Routing 88

         Static Tunnel Interfaces 90

         Dynamic Tunnel Interfaces 91

         sVTI and dVTI 92

         Multipoint GRE 92

     Tunnel Protection and Crypto Sockets 94

     Implementation Modes 96

         Dual Stack 96

         Mixed Mode 96

         Auto Tunnel Mode 99

     VRF-Aware IPsec 99

         VRF in Brief 99

         VRF-Aware GRE and VRF-Aware IPsec 101

         VRF-Aware GRE over IPsec 102

     Summary 103

     Reference 104

 Part IV IKEv2 Implementation

 Chapter 5 IKEv2 Configuration 105

     IKEv2 Configuration Overview 105

         The Guiding Principle 106

         Scope of IKEv2 Configuration 106

         IKEv2 Configuration Constructs 106

     IKEv2 Proposal 107

         Configuring the IKEv2 Proposal 108

         Configuring IKEv2 Encryption 111

         Configuring IKEv2 Integrity 113

         Configuring IKEv2 Diffie-Hellman 113

         Configuring IKEv2 Pseudorandom Function 115

         Default IKEv2 Proposal 115

     IKEv2 Policy 117

         Configuring an IKEv2 Policy 118

         Configuring IKEv2 Proposals under IKEv2 Policy 119

         Configuring Match Statements under IKEv2 Policy 120

         Default IKEv2 Policy 121

         IKEv2 Policy Selection on the Initiator 122

         IKEv2 Policy Selection on Responder 124

         IKEv2 Policy Configuration Examples 125

         Per-peer IKEv2 Policy 125

         IKEv2 Policy with Multiple Proposals 126

     IKEv2 Keyring 128

         Configuring IKEv2 Keyring 129

         Configuring a Peer Block in Keyring 130

         Key Lookup on Initiator 132

         Key Lookup on Responder 133

         IKEv2 Keyring Configuration Example 134

         IKEv2 Keyring Key Points 136

     IKEv2 Profile 136

         IKEv2 Profile as Peer Authorization Database 137

         Configuring IKEv2 Profile 138

         Configuring Match Statements in IKEv2 Profile 139

         Matching any Peer Identity 142

         Defining the Scope of IKEv2 Profile 143

         Defining the Local IKE Identity 143

         Defining Local and Remote Authentication Methods 145

         IKEv2 Dead Peer Detection 149

         IKEv2 Initial Contact 151

         IKEv2 SA Lifetime 151

         NAT Keepalives 152

         IVRF (inside VRF) 152

         Virtual Template Interface 153

         Disabling IKEv2 Profile 153

         Displaying IKEv2 Profiles 153

         IKEv2 Profile Selection on Initiator and Responder 154

         IKEv2 Profile Key Points 154

     IKEv2 Global Configuration 155

         HTTP URL-based Certificate Lookup 156

         IKEv2 Cookie Challenge 156

         IKEv2 Call Admission Control 157

         IKEv2 Window Size 158

         Dead Peer Detection 158

         NAT Keepalive 159

         IKEv2 Diagnostics 159

     PKI Configuration 159

         Certificate Authority 160

         Public-Private Key Pair 162

         PKI Trustpoint 163

         PKI Example 164

     IPsec Configuration 166

         IPsec Profile 167

         IPsec Configuration Example 168

         Smart Defaults 168

     Summary 169

 Chapter 6 Advanced IKEv2 Features 171

     Introduction to IKEv2 Fragmentation 171

         IP Fragmentation Overview 172

         IKEv2 and Fragmentation 173

     IKEv2 SGT Capability Negotiation 178

     IKEv2 Session Authentication 181

         IKEv2 Session Deletion on Certificate Revocation 182

         IKEv2 Session Deletion on Certificate Expiry 184

     IKEv2 Session Lifetime 185

     Summary 187

     References 188

 Chapter 7 IKEv2 Deployments 189

     Pre-shared-key Authentication with Smart Defaults 189

         Elliptic Curve Digital Signature Algorithm Authentication 194

         RSA Authentication Using HTTP URL Lookup 200

         IKEv2 Cookie Challenge and Call Admission Control 207

     Summary 210

 Part V FlexVPN

 Chapter 8 Introduction to FlexVPN 211

     FlexVPN Overview 211

         The Rationale 212

         FlexVPN Value Proposition 213

     FlexVPN Building Blocks 213

         IKEv2 213

         Cisco IOS Point-to-Point Tunnel Interfaces 214

         Configuring Static P2P Tunnel Interfaces 214

         Configuring Virtual-Template Interfaces 216

         Auto-Detection of Tunnel Encapsulation and Transport 219

         Benefits of Per-Peer P2P Tunnel Interfaces 221

         Cisco IOS AAA Infrastructure 221

         Configuring AAA for FlexVPN 222

     IKEv2 Name Mangler 223

         Configuring IKEv2 Name Mangler 224

         Extracting Name from FQDN Identity 225

         Extracting Name from Email Identity 226

         Extracting Name from DN Identity 226

         Extracting Name from EAP Identity 227

     IKEv2 Authorization Policy 228

         Default IKEv2 Authorization Policy 229

     FlexVPN Authorization 231

         Configuring FlexVPN Authorization 233

         FlexVPN User Authorization 235

         FlexVPN User Authorization, Using an External AAA Server 235

         FlexVPN Group Authorization 237

         FlexVPN Group Authorization, Using a Local AAA Database 238

         FlexVPN Group Authorization, Using an External AAA Server 239

         FlexVPN Implicit Authorization 242

         FlexVPN Implicit Authorization Example 243

         FlexVPN Authorization Types: Co-existence and Precedence 245

         User Authorization Taking Higher Precedence 247

         Group Authorization Taking Higher Precedence 249

     FlexVPN Configuration Exchange 250

         Enabling Configuration Exchange 250

         FlexVPN Usage of Configuration Payloads 251

         Configuration Attributes and Authorization 253

         Configuration Exchange Examples 259

     FlexVPN Routing 264

         Learning Remote Subnets Locally 265

         Learning Remote Subnets from Peer 266

     Summary 268

 Chapter 9 FlexVPN Server 269

     Sequence of Events 270

     EAP Authentication 271

         EAP Methods 272

         EAP Message Flow 273

         EAP Identity 273

         EAP Timeout 275

         EAP Authentication Steps 275

         Configuring EAP 277

         EAP Configuration Example 278

     AAA-based Pre-shared Keys 283

         Configuring AAA-based Pre-Shared Keys 284

         RADIUS Attributes for AAA-Based Pre-Shared Keys 285

         AAA-Based Pre-Shared Keys Example 285

     Accounting 287

     Per-Session Interface 290

         Deriving Virtual-Access Configuration from a Virtual Template 291

         Deriving Virtual-Access Configuration from AAA Authorization 293

         The interface-config AAA Attribute 293

         Deriving Virtual-Access Configuration from an Incoming Session 294

         Virtual-Access Cloning Example 295

     Auto Detection of Tunnel Transport and Encapsulation 297

     RADIUS Packet of Disconnect 299

         Configuring RADIUS Packet of Disconnect 300

         RADIUS Packet of Disconnect Example 301

     RADIUS Change of Authorization (CoA) 303

         Configuring RADIUS CoA 304

         RADIUS CoA Examples 305

         Updating Session QoS Policy, Using CoA 305

         Updating the Session ACL, Using CoA 307

     IKEv2 Auto-Reconnect 309

         Auto-Reconnect Configuration Attributes 310

         Smart DPD 311

         Configuring IKEv2 Auto-Reconnect 313

     User Authentication, Using AnyConnect-EAP 315

         AnyConnect-EAP 315

         AnyConnect-EAP XML Messages for User Authentication 316

         Configuring User Authentication, Using AnyConnect-EAP 318

         AnyConnect Configuration for Aggregate Authentication 320

     Dual-factor Authentication, Using AnyConnect-EAP 320

         AnyConnect-EAP XML Messages for dual-factor authentication 322

         Configuring Dual-factor Authentication, Using AnyConnect-EAP 324

     RADIUS Attributes Supported by the FlexVPN Server 325

     Remote Access Clients Supported by FlexVPN Server 329

         FlexVPN Remote Access Client 329

         Microsoft Windows7 IKEv2 Client 329

         Cisco IKEv2 AnyConnect Client 330

     Summary 330

     Reference 330

 Chapter 10 FlexVPN Client 331

     Introduction 331

     FlexVPN Client Overview 332

         FlexVPN Client Building Blocks 333

         IKEv2 Configuration Exchange 334

         Static Point-to-Point Tunnel Interface 334

         FlexVPN Client Profile 334

         Object Tracking 334

         NAT 335

         FlexVPN Client Features 335

         Dual Stack Support 335

         EAP Authentication 335

         Dynamic Routing 335

         Support for EzVPN Client and Network Extension Modes 336

         Advanced Features 336

     Setting up the FlexVPN Server 336

     EAP Authentication 337

     Split-DNS 338

         Components of Split-DNS 340

     Windows Internet Naming Service (WINS) 343

     Domain Name 344

     FlexVPN Client Profile 345

     Backup Gateways 346

         Resolution of Fully Qualified Domain Names 346

         Reactivating Peers 346

         Backup Gateway List 347

     Tunnel Interface 347

         Tunnel Source 348

         Tunnel Destination 349

     Tunnel Initiation 350

         Automatic Mode 350

         Manual Mode 350

         Track Mode 350

         Tracking a List of Objects, Using a Boolean Expression 350

     Dial Backup 352

     Backup Group 353

     Network Address Translation 354

     Design Considerations 356

         Use of Public Key Infrastructure and Pre-Shared Keys 356

         The Power of Tracking 356

         Tracked Object Based on Embedded Event Manager 356

     Troubleshooting FlexVPN Client 358

         Useful Show Commands 358

         Debugging FlexVPN Client 360

         Clearing IKEv2 FlexVPN Client Sessions 360

     Summary 361

 Chapter 11 FlexVPN Load Balancer 363

     Introduction 363

     Components of the FlexVPN Load Balancer 363

         IKEv2 Redirect 363

         Hot Standby Routing Protocol 366

     FlexVPN IKEv2 Load Balancer 367

         Cluster Load 369

         IKEv2 Redirect 372

         Redirect Loops 373

     FlexVPN Client 374

     Troubleshooting IKEv2 Load Balancing 374

     IKEv2 Load Balancer Example 376

     Summary 379

 Chapter 12 FlexVPN Deployments 381

     Introduction 381

     FlexVPN AAA-Based Pre-Shared Keys 381

         Configuration on the Branch-1 Router 382

         Configuration on the Branch-2 Router 383

         Configuration on the Hub Router 383

         Configuration on the RADIUS Server 384

     FlexVPN User and Group Authorization 386

         FlexVPN Client Configuration at Branch 1 386

         FlexVPN Client Configuration at Branch 2 387

         Configuration on the FlexVPN Server 387

         Configuration on the RADIUS Server 388

         Logs Specific to FlexVPN Client-1 389

         Logs Specific to FlexVPN Client-2 390

     FlexVPN Routing, Dual Stack, and Tunnel Mode Auto 391

         FlexVPN Spoke Configuration at Branch-1 392

         FlexVPN Spoke Configuration at Branch-2 394

         FlexVPN Hub Configuration at the HQ 395

         Verification on FlexVPN Spoke at Branch-1 397

         Verification on FlexVPN Spoke at Branch-2 399

         Verification on the FlexVPN Hub at HQ 401

     FlexVPN Client NAT to the Server-Assigned IP Address 404

         Configuration on the FlexVPN Client 404

         Verification on the FlexVPN Client 405

     FlexVPN WAN Resiliency, Using Dynamic Tunnel Source 407

         FlexVPN Client Configuration on the Dual-Homed Branch Router 408

         Verification on the FlexVPN Client 409

     FlexVPN Hub Resiliency, Using Backup Peers 411

         FlexVPN Client Configuration on the Branch Router 411

         Verification on the FlexVPN Client 412

     FlexVPN Backup Tunnel, Using Track-Based Tunnel Activation 414

         Verification on the FlexVPN Client 415

     Summary 416

 Part VI IPsec VPN Maintenance

 Chapter 13 Monitoring IPsec VPNs 417

     Introduction to Monitoring 417

         Authentication, Authorization, and Accounting (AAA) 418

         NetFlow 418

         Simple Network Management Protocol 419

         VRF-Aware SNMP 420

         Syslog 421

     Monitoring Methodology 422

         IP Connectivity 423

         VPN Tunnel Establishment 425

         Cisco IPsec Flow Monitor MIB 425

         SNMP with IKEv2 425

         Syslog 428

         Pre-Shared Key Authentication 429

         PKI Authentication 431

         EAP Authentication 434

         Authorization Using RADIUS-Based AAA 436

         Data Encryption: SNMP with IPsec 437

         Overlay Routing 439

         Data Usage 440

     Summary 443

     References 443

 Chapter 14 Troubleshooting IPsec VPNs 445

     Introduction 445

     Tools of Troubleshooting 446

         Show Commands 447

         Syslog Messages 447

         Event-Trace Monitoring 447

         Debugging 449

         IKEv2 Debugging 449

         IPsec Debugging 453

         Key Management Interface Debugging 453

         PKI Debugging 456

         Conditional Debugging 456

     IP Connectivity 457

     VPN Tunnel Establishment 460

         IKEv2 Diagnose Error 460

         Troubleshooting the IKE_SA_INIT Exchange 461

         Troubleshooting the IKE_AUTH Exchange 464

     Authentication 464

         Troubleshooting RSA or ECDSA Authentication 465

         Certificate Attributes 469

         Debugging Authentication Using PKI 470

         Certificate Expiry 470

         Matching Peer Using Certificate Maps 472

         Certificate Revocation 473

         Trustpoint Configuration 476

         Trustpoint Selection 476

         Pre-Shared Key 478

         Extensible Authentication Protocol (EAP) 480

     Authorization 485

     Data Encryption 488

         Debugging IPsec 488

         IPsec Anti-Replay 491

     Data Encapsulation 495

         Mismatching GRE Tunnel Keys 495

     Overlay Routing 495

         Static Routing 496

         IKEv2 Routing 496

         Dynamic Routing Protocols 498

     Summary 499

     References 502

 Part VII IPsec Overhead

 Chapter 15 IPsec Overhead and Fragmentation 503

     Introduction 503

     Computing the IPsec Overhead 504

         General Considerations 504

         IPsec Mode Overhead (without GRE) 505

         GRE Overhead 505

         Encapsulating Security Payload Overhead 507

         Authentication Header Overhead 509

         Encryption Overhead 510

         Integrity Overhead 511

         Combined-mode Algorithm Overhead 512

         Plaintext MTU 513

         Maximum Overhead 514

         Maximum Encapsulation Security Payload Overhead 515

         Maximum Authentication Header Overhead 516

         Extra Overhead 516

     IPsec and Fragmentation 518

         Maximum Transmission Unit 518

         Fragmentation in IPv4 519

         Fragmentation in IPv6 522

         Path MTU Discovery 523

         TCP MSS Clamping 525

         MSS Refresher 525

         MSS Adjustment 526

         IPsec Fragmentation and PMTUD 527

         Fragmentation on Tunnels 531

         IPsec Only (VTI) 531

         GRE Only 532

         GRE over IPsec 534

         Tunnel PMTUD 534

         The Impact of Fragmentation 535

     Summary 536

     References 536

 Part VIII Migration to IKEv2

 Chapter 16 Migration Strategies 539

     Introduction to Migrating to IKEv2 and FlexVPN 539

     Consideration when Migrating to IKEv2 539

         Hardware Limi

Updates

Errata

Download the errata for this book.

Download the replacement Figure 7.1.

Submit Errata