
Configuring Cisco VPN

Oct 26, 2014


M Stepp

Configuration Guide for Cisco VPN
Morgan Stepp CCIE #12603 | [email protected] Page 1 of 15

Configuring Cisco VPN

Overview

A Virtual Private Network (VPN) securely extends network access to remote users. Cisco's VPN offering comes in 4 major configurations: Site-to-Site, Easy VPN, Client, and SSL. The VPN deployment you choose will depend upon your connectivity requirements.

This document provides the configuration details of each by deploying and interconnecting all 4 VPN types for a single customer. The examples cover both ASA and IOS configurations. The following diagram outlines our customer topology.

[Topology diagram: Maui hub with the ASA (outside 1.1.1.1) and a 2911, LAN 192.168.1.0/24, with 192.168.99.1 and 192.168.99.2 also shown; Kauai 871 (3.3.3.3, 192.168.3.0/24) connected over a Site-to-Site VPN; Oahu 871 (DSL, 192.168.2.0/24) connected over EzVPN; Home Offices (DSL) connected over Client VPN and SSL VPN; all across the Internet.]
Cisco Site-to-Site and Easy VPN Review

Site-to-Site and Easy VPN provide remote office connectivity and eliminate the need for individual desktop client VPN applications. Each solution supports split tunneling, which allows Internet-destined traffic to be sent unencrypted to the local ISP while corporate-destined traffic is tunneled and encrypted.

Site-to-Site VPN requires remote offices to maintain a static public IP and is the premier solution for permanent VPN connections. Examples of this are IPsec VPN, DMVPN, and GET VPN. Each VPN connection requires a separate tunnel policy with the remote public IP configured.

EzVPN can establish a VPN tunnel using either a DHCP-assigned or a static IP from an ISP. This is ideal for remote offices and teleworkers with dynamic Internet access such as cable or DSL. Configuration on EzVPN clients (ASA/ISR) is minimal, as security policies are delivered from a central EzVPN server (ASA/ISR).

Cisco Client and SSL VPN Review

Client and SSL VPN provide remote-access connectivity to individual user desktops. Remote users can access corporate network resources securely from any Internet-enabled location. Both solutions support split tunneling.

The Client VPN is pre-installed software that enables remote access using an IPsec-compliant implementation. The client can be preconfigured for mass deployments and initial logins that require little user intervention. VPN access policies and configurations are downloaded from the central gateway and pushed to the client when a connection is established, allowing simple deployment and management.

Cisco's AnyConnect SSL solution provides remote users with secure VPN connections using Secure Sockets Layer (SSL) and Datagram Transport Layer Security (DTLS). SSL authentication to AnyConnect is done via a web browser, which can automatically download the AnyConnect client. The client can be installed on Windows, Linux (multiple distros) and Mac OS X.

VPN Configuration

In our VPN example, the majority of network resources reside in Maui. However, additional resources have been installed in Oahu and Kauai. As a result, we need to provide connectivity for all users to all locations. For example, users in Oahu should be able to communicate with users in Kauai through the ASA. Home Offices should be allocated IPs in the 192.168.254.0/24 subnet and also be granted VPN access to all locations.

Step 1: ASA VPN Preparation - NAT Exemptions and Hairpinning

NAT is the enemy of VPNs. In the majority of implementations, the ASA provides NAT services for internal sources behind the ASA to external destinations outside the ASA. We need to ensure internal sources to VPN destinations are not exposed to this NAT processing. For example, the Oahu 192.168.2.0/24 should appear to all corporate segments using its original IP range. First, we define the networks we do not want to NAT.

object-group network MAUI
 network-object 192.168.1.0 255.255.255.0
!
object-group network OAHU
 network-object 192.168.2.0 255.255.255.0
!
object-group network KAUAI
 network-object 192.168.3.0 255.255.255.0
!
object-group network HOME-OFFICE
 network-object 192.168.254.0 255.255.255.0

Next, we instruct the ASA (8.4 or later) to exclude NAT for traffic matching the listed source and destination. The "static MAUI MAUI" segment instructs the ASA to translate MAUI to MAUI (itself), an identity NAT which in effect disables translation for that flow. Twice NAT is bidirectional, so each rule also covers the return traffic.

nat (inside,outside) source static MAUI MAUI destination static OAHU OAHU
nat (inside,outside) source static MAUI MAUI destination static KAUAI KAUAI
nat (inside,outside) source static MAUI MAUI destination static HOME-OFFICE HOME-OFFICE

The HOME-OFFICE object-group contains the subnet of the IP pool provided by the ASA to Home Office users. This subnet has been made exempt from NAT when accessing Maui in the last configuration line above. However, we also need to ensure this subnet is exempt from NAT when accessing Kauai and Oahu. Since all of these locations are reached via the outside interface of the ASA, we create rules exempting specific outside-to-outside traffic. Note that the destination side of a twice-NAT rule also takes a mapped and a real object, so the object name is repeated there as well.

nat (outside,outside) source static HOME-OFFICE HOME-OFFICE destination static OAHU OAHU
nat (outside,outside) source static HOME-OFFICE HOME-OFFICE destination static KAUAI KAUAI

When Home Office, Kauai, or Oahu users attempt to access each other, they will ingress and egress on the ASA outside interface. This intra-interface communication is referred to as hairpinning and is disabled by default. Enabling this feature is required for a VPN configuration like our example, where traffic entering an interface will exit the same interface.

same-security-traffic permit intra-interface

By default, intra-interface communication is not permitted. We can test this default behavior with the ASA packet-tracer. In this example, Kauai communication to Oahu fails prior to enabling intra-interface communication.

MAUI-ASA# packet-tracer input outside icmp 192.168.3.10 8 0 192.168.2.10 detailed

Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
in 192.168.2.0 255.255.255.0 outside

Phase: 3
Type: ACCESS-LIST
Result: DROP
Implicit Rule
Drop-reason: (acl-drop) Flow is denied by configured rule
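The following Python helper, added here as an example and not part of the original guide, derives the identity-NAT rules of Step 1 from a site table. The table (which site sits behind which ASA interface) is constructed from the guide's topology, and the rule shape is the ASA 8.3+ twice-NAT form shown above. It emits one rule for every site pair, including OAHU/KAUAI, which the guide does not list; an extra identity rule is harmless, whereas a missing one is only safe if no other NAT rule can match that flow. It also reports whether same-security-traffic permit intra-interface is required, which is the case whenever two VPN sites sit behind the same interface.

```python
"""Derive the ASA identity-NAT (NAT exemption) rules and the hairpin
requirement for a set of VPN-connected sites.

Added example for this guide; it is not part of the original document.
The site table is constructed from the guide's topology; the object-group
names are the ones the guide defines."""

from itertools import combinations

# Constructed from the guide: object-group -> (network, ASA interface the site is reached through)
SITES = {
    "MAUI": ("192.168.1.0 255.255.255.0", "inside"),
    "OAHU": ("192.168.2.0 255.255.255.0", "outside"),           # EzVPN spoke over DSL
    "KAUAI": ("192.168.3.0 255.255.255.0", "outside"),          # site-to-site peer 3.3.3.3
    "HOME-OFFICE": ("192.168.254.0 255.255.255.0", "outside"),  # client / SSL VPN pool
}


def object_groups(sites):
    """Render the object-group definitions the NAT rules reference."""
    lines = []
    for name, (network, _iface) in sites.items():
        lines.append(f"object-group network {name}")
        lines.append(f" network-object {network}")
    return lines


def nat_exemptions(sites):
    """One twice-NAT identity rule per unordered site pair.

    Twice NAT is bidirectional, so 'MAUI -> OAHU' also exempts the OAHU -> MAUI
    return path; a second rule in the other direction is unnecessary.  The
    site behind 'inside' is placed first so the rule reads (inside,outside)
    as in the guide; two sites behind the same interface yield (outside,outside).
    """
    rules = []
    for (a, (_, a_if)), (b, (_, b_if)) in combinations(sites.items(), 2):
        if a_if != "inside" and b_if == "inside":
            a, a_if, b, b_if = b, b_if, a, a_if
        rules.append(f"nat ({a_if},{b_if}) source static {a} {a} destination static {b} {b}")
    return rules


def needs_hairpin(sites):
    """True when two sites share an ASA interface: their traffic enters and
    leaves that interface, which the ASA drops unless intra-interface
    traffic is explicitly permitted."""
    interfaces = [iface for _network, iface in sites.values()]
    return len(interfaces) != len(set(interfaces))


def render_config(sites):
    """Full snippet: object groups, NAT exemptions, hairpin permit if needed."""
    lines = object_groups(sites) + ["!"] + nat_exemptions(sites)
    if needs_hairpin(sites):
        lines += ["!", "same-security-traffic permit intra-interface"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config(SITES))
```

Paste the rendered snippet into the ASA and compare it with show running-config nat; any pair that the generator lists but the box lacks is a flow that may still be translated.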

Step 2: ASA Security Associations

ISAKMP is the negotiation protocol that lets two hosts agree on how to build an IPsec security association (SA). It provides a common framework for agreeing on the format of SA attributes. This includes negotiating with the peer about the SA, and modifying or deleting the SA. ISAKMP separates negotiation into two phases: Phase 1 and Phase 2. Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages. Phase 2 creates the tunnel that protects data. IKE uses ISAKMP to set up the SA for IPsec to use; the IKE exchange authenticates the peers (here with a pre-shared key) and derives the cryptographic keys that protect both the negotiation and the data SAs.

A transform set combines an encryption method and an authentication method. During the IPsec security association negotiation with ISAKMP, the peers agree to use a particular transform set to protect a particular data flow. A transform set protects the data flows for the access list specified in the associated crypto map entry.

[VPN Hairpinning diagram: Maui ASA (1.1.1.1) with a Site-to-Site VPN to the Kauai 871 (3.3.3.3, 192.168.3.0/24) and EzVPN to the Oahu 871 (DSL, 192.168.2.0/24) across the Internet; Kauai-to-Oahu traffic enters and leaves the ASA outside interface.]

Enable ISAKMP on the outside interface and create IKEv1 policies. This section covers IKE Phase 1, in which a bidirectional security association (SA) is established between IPsec peers. It is best to give the VPN client options, as different clients may support different algorithms. In this configuration we will use policy 10 for our Site-to-Site and Easy VPN configurations; the matching Phase 2 algorithms are spelled out in the upcoming transform sets.

Note that policy 10 (DES with MD5) is obsolete cryptography and is kept here only so the example matches the lab devices. DES and MD5 should not be used on a production VPN, and 1024-bit Diffie-Hellman (group 2) is also considered too small today; prefer the AES-256/SHA policy with the largest DH group your peers support.

These Phase 1 policies will be used for the following VPN types in this document.

crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Create a transform set to be used with Site-to-Site and Easy VPN connections. Phase 1 and Phase 2 are negotiated independently, so a transform set does not strictly "match" an IKE policy; the pairings below simply keep the Phase 2 algorithms at the same strength as each Phase 1 policy.

! The transform set ESP-DES-MD5 pairs with ikev1 policy 10
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
! The transform set ESP-AES-256-SHA pairs with ikev1 policy 20
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
! The transform set ESP-3DES-SHA pairs with ikev1 policy 30
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
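As an added example (not part of the original guide), the Python audit below reads ASA configuration text in the form shown above and flags the weak choices: DES/3DES, MD5, DH groups 1, 2 and 5, and short pre-shared keys. The sample configuration is constructed from the guide's own policies and the Kauai tunnel-group key, with a hardened policy 40 (AES-256, SHA, DH group 14; check that your ASA release accepts group 14 for IKEv1) added for contrast. The 20-character key threshold is this example's own choice. ASA IKEv1 offers only md5 and sha (SHA-1) for the Phase 1 hash, so sha is not flagged.

```python
"""Audit ASA IKEv1/IPsec configuration text for obsolete cryptography and
weak pre-shared keys.

Added example for this guide; not part of the original document.  Feed it
the output of 'more system:running-config', which shows keys in clear;
'show running-config' masks them as ***** and the key check reports that."""

# Constructed sample: the guide's own settings plus a hardened policy 40.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key Kauai!
"""

# DES is brute-forceable, 3DES is deprecated (64-bit block), MD5 is broken.
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}   # 'sha' (SHA-1) is the best IKEv1 on ASA offers
# DH groups 1, 2 and 5 (768/1024/1536-bit MODP) are below current minimums.
WEAK_DH_GROUPS = {"1", "2", "5"}
MIN_PSK_LEN = 20  # policy threshold chosen for this example


def audit_crypto(config_text):
    """Return a list of human-readable findings for the given ASA config text."""
    findings = []
    context = None  # ("policy", "10") or ("tunnel-group", "3.3.3.3") while inside a block
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if not raw.startswith(" "):
            # Top-level command: closes any open block and may open a new one.
            context = None
            if tokens[:3] == ["crypto", "ikev1", "policy"]:
                context = ("policy", tokens[3])
            elif tokens[0] == "tunnel-group" and tokens[-1] == "ipsec-attributes":
                context = ("tunnel-group", tokens[1])
            elif tokens[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
                name, algorithms = tokens[4], tokens[5:]
                for alg in algorithms:
                    if alg in WEAK_ENCRYPTION or alg in WEAK_HASH:
                        findings.append(f"transform-set {name}: {alg} is obsolete")
            continue
        if context is None or len(tokens) < 2:
            continue
        kind, ident = context
        if kind == "policy":
            keyword, value = tokens[0], tokens[1]
            if keyword == "encryption" and value in WEAK_ENCRYPTION:
                findings.append(f"ikev1 policy {ident}: encryption {value} is obsolete")
            elif keyword == "hash" and value in WEAK_HASH:
                findings.append(f"ikev1 policy {ident}: hash {value} is obsolete")
            elif keyword == "group" and value in WEAK_DH_GROUPS:
                findings.append(f"ikev1 policy {ident}: DH group {value} is too small")
        elif kind == "tunnel-group" and tokens[:2] == ["ikev1", "pre-shared-key"]:
            psk = tokens[2]
            if set(psk) == {"*"}:
                findings.append(f"tunnel-group {ident}: pre-shared key is masked; "
                                "audit 'more system:running-config' instead")
            elif len(psk) < MIN_PSK_LEN:
                findings.append(f"tunnel-group {ident}: pre-shared key is only "
                                f"{len(psk)} characters (minimum {MIN_PSK_LEN})")
    return findings


if __name__ == "__main__":
    for finding in audit_crypto(SAMPLE_CONFIG):
        print(finding)
```

Run against the guide's configuration, the audit flags policy 10 three times, policy 20 once (group 2), the ESP-DES-MD5 transform set twice and the six-character Kauai key; policy 40 and ESP-AES-256-SHA pass clean.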

Step 3: Site-to-Site IPsec VPN Configuration

We will configure a Site-to-Site IPsec VPN between the Maui ASA and the Kauai 871. The subnets below will be enabled for IPsec protection.

[Diagram: Maui ASA (1.1.1.1) to Kauai 871 (3.3.3.3) IPsec tunnel across the Internet. Tunneled networks: 192.168.1.0/24, 192.168.2.0/24, 192.168.254.0/24 (Maui side) and 192.168.3.0/24 (Kauai).]

Maui ASA Site-to-Site VPN Configuration

Configure an ACL that determines which networks to tunnel (encrypt) through the VPN. Kauai will use a Site-to-Site IPsec tunnel, which requires an extended ACL. The ACL on the Kauai 871 should mirror (reverse the subnets of) the ASA ACL below.

access-list KAUAI-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list KAUAI-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list KAUAI-VPN extended permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0

Crypto maps pull together the elements of IPsec security associations. You must apply a crypto map set to the outside interface through which IPsec traffic travels. Applying the crypto map set to an interface instructs the ASA to evaluate all interface traffic against the crypto map set and to use the specified policy during connection or security association negotiations.

On the ASA, configure the crypto map "CMAP" and use sequence 10 to define IPsec security associations for the Site-to-Site VPN tunnel to Kauai. The "match address" keyword references the extended ACL above, which determines the traffic to tunnel.

crypto map CMAP 10 match address KAUAI-VPN
crypto map CMAP 10 set peer 3.3.3.3
crypto map CMAP 10 set ikev1 transform-set ESP-DES-MD5

Alternatively, we could reference multiple transform sets to allow flexibility for remote endpoints. Transform sets are proposed in the order listed, so in production put the strongest first.

crypto map CMAP 10 set ikev1 transform-set ESP-DES-MD5 ESP-AES-256-SHA ESP-3DES-SHA

Assign the crypto map to the ASA outside interface. Only one crypto map may be applied per interface, which is why we have chosen to use a generic name.

crypto map CMAP interface outside

Create an IPsec tunnel group matching the public IP of the Kauai 871 and assign a pre-shared key. The sample key below is deliberately short for readability; in production use a long random key and rotate it, since with "authentication pre-share" this key is the only thing authenticating the peer.

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key Kauai!

Kauai 871 Site-to-Site VPN Configuration

Create a transform set to be used with Site-to-Site connections, then define the ASA IPsec peer IP and pre-shared key. The key must match the one configured in the ASA tunnel group for 3.3.3.3. "no-xauth" tells the router not to expect extended (user) authentication from this peer, since this is a router-to-router tunnel.

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto isakmp key Kauai! address 1.1.1.1 no-xauth

Configure an ACL that determines which networks to tunnel (encrypt) through the VPN. Kauai will use a Site-to-Site IPsec tunnel, which requires an extended ACL. Notice the IOS ACL configuration differs from the ASA in two ways: IOS uses wildcard (inverse) masks such as 0.0.0.255 rather than subnet masks, and the permit statements are the reverse of those in the ASA ACL. In order to IPsec-encrypt traffic between remote subnets, the crypto ACLs on the two peers must mirror each other exactly; a mismatch causes Phase 2 negotiation for that pair of subnets to fail.

ip access-list extended MAUI-VPN
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.254.0 0.0.0.255
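To make the mirroring rule that both the ASA section and this one rely on concrete, here is an added Python check (example code, not from the guide). It parses the ASA ACL KAUAI-VPN and the Kauai IOS ACL MAUI-VPN, normalises subnet masks and wildcard masks to CIDR networks, and reports any entry whose reverse is missing on the other peer. The sample ACL text is the guide's own; the helper also rejects a subnet mask used where IOS expects a wildcard, which is the mistake that is easy to make when copying ASA entries onto a router.

```python
"""Check that the crypto ACLs on two IPsec peers mirror each other.

Added example for this guide; not part of the original document.  It
parses the ASA form (subnet masks) and the IOS form (wildcard masks) used
in the guide, normalises both to CIDR networks, and reports any entry
whose reverse is missing on the other side.  Only the 'permit <proto>
<net> <mask> <net> <mask>' shape is handled; 'host', 'any' and port
qualifiers are outside this example's scope."""

import ipaddress

# Constructed from the guide: the ASA ACL and the Kauai IOS ACL (wildcard form).
ASA_ACL = """\
access-list KAUAI-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list KAUAI-VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list KAUAI-VPN extended permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
IOS_ACL = """\
ip access-list extended MAUI-VPN
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.254.0 0.0.0.255
"""


def prefix_from_netmask(mask):
    """255.255.255.0 -> 24; rejects non-contiguous masks (e.g. a wildcard pasted by mistake)."""
    host_bits = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    if (host_bits + 1) & host_bits:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return 32 - host_bits.bit_length()


def prefix_from_wildcard(wildcard):
    """0.0.0.255 -> 24; rejects non-contiguous wildcards (e.g. a subnet mask pasted by mistake).

    IOS wildcard bits set to 1 are 'don't care', so only a run of low-order
    ones describes a CIDR network."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if (wild + 1) & wild:
        raise ValueError(f"{wildcard} is not a contiguous wildcard mask (did you paste a subnet mask?)")
    return 32 - wild.bit_length()


def parse_asa_crypto_acl(text, name):
    """Set of (proto, src_net, dst_net) for 'access-list NAME extended permit ...' lines."""
    entries = set()
    for line in text.splitlines():
        t = line.split()
        if t[:4] != ["access-list", name, "extended", "permit"] or len(t) < 9:
            continue
        proto, src, smask, dst, dmask = t[4:9]
        entries.add((proto,
                     ipaddress.ip_network(f"{src}/{prefix_from_netmask(smask)}", strict=False),
                     ipaddress.ip_network(f"{dst}/{prefix_from_netmask(dmask)}", strict=False)))
    return entries


def parse_ios_crypto_acl(text):
    """Set of (proto, src_net, dst_net) for IOS 'permit <proto> A W B W' entries."""
    entries = set()
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["permit"] or len(t) < 6:
            continue
        proto, src, swild, dst, dwild = t[1:6]
        entries.add((proto,
                     ipaddress.ip_network(f"{src}/{prefix_from_wildcard(swild)}", strict=False),
                     ipaddress.ip_network(f"{dst}/{prefix_from_wildcard(dwild)}", strict=False)))
    return entries


def mirror_gaps(local_entries, remote_entries):
    """Return (unmirrored_local, unmirrored_remote).

    An entry (proto, A, B) on one side must appear as (proto, B, A) on the
    other; anything left over will fail Phase 2 negotiation for that flow."""
    remote_reversed = {(p, d, s) for (p, s, d) in remote_entries}
    return (sorted(local_entries - remote_reversed, key=str),
            sorted(remote_reversed - local_entries, key=str))


if __name__ == "__main__":
    asa = parse_asa_crypto_acl(ASA_ACL, "KAUAI-VPN")
    ios = parse_ios_crypto_acl(IOS_ACL)
    print(mirror_gaps(asa, ios))  # ([], []) when the two ACLs mirror
```

Paste the output of show running-config access-list from each peer into the two strings and run it before bringing the tunnel up; an empty pair of lists means every flow the ASA wants to encrypt has its reverse on the router.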

Configure the crypto map "CMAP" and use sequence 10 to define IPsec security associations for the Site-to-Site VPN tunnel to Maui. We use the same crypto map name here as on the ASA, though this is not required.

crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set ESP-DES-MD5
 match address MAUI-VPN

Configure the ISAKMP policy to match ikev1 policy 10 on the ASA. The IOS default lifetime is 86400 seconds, so it does not need to be set.

crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
 group 2

Assign the crypto map to the 871 WAN interface (Ethernet0, which carries 3.3.3.3). As on the ASA, only one crypto map may be applied per interface.

interface Ethernet0
 crypto map CMAP

Verify Site-to-Site VPN Configuration

KAUAI-871#show crypto isakmp sa
dst             src             state          conn-id slot status
1.1.1.1         3.3.3.3         QM_IDLE             16    0 ACTIVE

KAUAI-871#show crypto ipsec sa
interface: Ethernet0
    Crypto map tag: CMAP, local addr 3.3.3.3
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500

KAUAI-871#ping 192.168.1.1 source 192.168.3.1
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/78/80 ms

Step 4: Easy VPN Configuration

We will configure Easy VPN between the Maui ASA and the Oahu 871. The subnets below will be enabled for IPsec protection.

[Diagram: Maui ASA (1.1.1.1) to Oahu 871 (DSL) IPsec tunnel across the Internet. Tunneled networks: 192.168.1.0/24, 192.168.3.0/24, 192.168.254.0/24 (Maui side) and 192.168.2.0/24 (Oahu).]

Maui ASA Easy VPN Configuration

We will use the previously defined transform set for our Easy VPN connection.

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

Create the dynamic crypto map "DMAP" and assign the transform set ESP-DES-MD5. This dynamic crypto map will be used for Easy VPN and Client VPN connections, whose peer addresses are not known in advance.

crypto dynamic-map DMAP 10 set ikev1 transform-set ESP-DES-MD5

Bind the dynamic crypto map "DMAP" to the previously defined crypto map "CMAP". Notice the dynamic crypto map is assigned the highest (last) possible sequence number. Ensure you do this to avoid Site-to-Site VPN connections incorrectly matching the dynamic crypto map: entries are evaluated in sequence order, and the dynamic entry matches any peer.

crypto map CMAP 65535 ipsec-isakmp dynamic DMAP

Configure a split-tunnel ACL that determines which networks to tunnel (encrypt) through the VPN. This is a standard ACL listing destination networks, not a crypto ACL. With EzVPN, the split-tunnel policy is downloaded automatically, so a matching ACL is not required on the Oahu 871.

access-list OAHU-VPN standard permit 192.168.1.0 255.255.255.0
access-list OAHU-VPN standard permit 192.168.3.0 255.255.255.0
access-list OAHU-VPN standard permit 192.168.254.0 255.255.255.0

Configure a group policy and user account for authentication to the Oahu EzVPN. Enable network extension mode (NEM) to present routable networks over the VPN tunnel. "password-storage enable" permits the 871 to store the Xauth user credentials locally so the tunnel can come up unattended.

group-policy OAHU-EZVPN-GP internal
group-policy OAHU-EZVPN-GP attributes
 vpn-tunnel-protocol ikev1
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OAHU-VPN
 nem enable

Configure a VPN user account and associate it with the Easy VPN group policy.

username OAHU-EZVPN-USER password Oahu!
username OAHU-EZVPN-USER attributes
 vpn-group-policy OAHU-EZVPN-GP

Create an IPsec tunnel group with the default group policy OAHU-EZVPN-GP and a pre-shared key. The tunnel-group name doubles as the EzVPN group name the client presents.

tunnel-group OAHU-EZVPN-TG type remote-access
tunnel-group OAHU-EZVPN-TG general-attributes
 default-group-policy OAHU-EZVPN-GP
tunnel-group OAHU-EZVPN-TG ipsec-attributes
 ikev1 pre-shared-key Oahu!

Oahu 871 Easy VPN Configuration

Configure the Oahu 871 as an EzVPN client. The group name, group key, peer IP, user name, and user password in the 871 client configuration below must match those configured on the ASA. "xauth userid mode local" makes the router supply the stored username and password itself rather than prompting a user.

crypto ipsec client ezvpn OAHU-EZVPN
 connect auto
 group OAHU-EZVPN-TG key Oahu!
 mode network-extension
 peer 1.1.1.1
 username OAHU-EZVPN-USER password Oahu!
 xauth userid mode local
!
interface Ethernet1
 description LAN Link
 ip address 192.168.2.1 255.255.255.0
 crypto ipsec client ezvpn OAHU-EZVPN inside
!
interface Ethernet0
 description DSL WAN Link
 ip address dhcp
 crypto ipsec client ezvpn OAHU-EZVPN

Verify Easy VPN Configuration

The Oahu site has pulled a public DHCP address of 2.2.2.2 from the DSL provider.

OAHU-871#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8
Tunnel name : OAHU-EZVPN
Inside interface list: Ethernet1
Outside interface: Ethernet0
Current State: IPSEC_ACTIVE
Last Event: XAUTH_STATUS
Save Password: Allowed
Current EzVPN Peer: 1.1.1.1

OAHU-871#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         2.2.2.2         QM_IDLE           1068 ACTIVE

OAHU-871#show crypto ipsec sa
interface: Ethernet0
    Crypto map tag: Ethernet0-head-0, local addr 2.2.2.2
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 359, #pkts encrypt: 359, #pkts digest: 359
    #pkts decaps: 222, #pkts decrypt: 222, #pkts verify: 222
     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: 2

OAHU-871#ping 192.168.1.1 source 192.168.2.1
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 46/48/50 ms

Step 5: Client VPN Configuration

We will configure Client VPN support on the Maui ASA for Home Office users. Home Office user authentication will be maintained locally on the ASA. Home Offices will be allocated IPs in the 192.168.254.0/24 subnet and be granted VPN access to all corporate locations. The subnets below will be enabled for IPsec protection.

[Diagram: Home Office Client VPN (DSL) to Maui ASA (1.1.1.1) IPsec tunnel across the Internet. Tunneled networks: 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 (corporate) and 192.168.254.0/24 (client pool).]

Configure the ASA to hand out corporate-routable IP space to Home Office VPN clients.

ip local pool CLIENT-POOL 192.168.254.1-192.168.254.254 mask 255.255.255.0

Configure a split-tunnel ACL that determines which networks to tunnel (encrypt) through the Home Office VPN.

access-list CLIENT-VPN standard permit 192.168.1.0 255.255.255.0
access-list CLIENT-VPN standard permit 192.168.2.0 255.255.255.0
access-list CLIENT-VPN standard permit 192.168.3.0 255.255.255.0

Configure a VPN group policy and supply the split-tunnel ACL. Configure DNS information for corporate name resolution.

group-policy CLIENTVPN-GP internal
group-policy CLIENTVPN-GP attributes
 dns-server value 192.168.1.99 192.168.1.100
 default-domain value cisco.com
 address-pools value CLIENT-POOL
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLIENT-VPN

Configure a VPN user account and associate it with the Client VPN group policy. Local usernames are fine for a lab; for a real deployment, authenticate against AAA (RADIUS or LDAP) so credentials and lockout policy are managed centrally.

username john.smith password cisco!
username john.smith attributes
 vpn-group-policy CLIENTVPN-GP

Configure a VPN tunnel group and bind the group policy. Associate the IP pool for address assignment (the pool is also set in the group policy above; either location works, and the group-policy setting takes precedence).

tunnel-group CLIENTVPN-TG type remote-access
tunnel-group CLIENTVPN-TG general-attributes
 address-pool CLIENT-POOL
 default-group-policy CLIENTVPN-GP

Verify Client VPN Configuration

Configure the end-user VPN client for login and access verification, then confirm the SA on the ASA. The output below shows the client connecting from behind NAT (NAT-T encapsulation on UDP 4500) with its assigned pool address 192.168.254.1.
MAUI-ASA# show crypto ipsec sa user john.smith
username: john.smith
    Crypto map tag: dmap, seq num: 10, local addr: 1.1.1.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.254.1/255.255.255.255/0/0)
      current_peer: 4.4.4.4, username: john.smith
      dynamic allocated peer ip: 192.168.254.1

      #pkts encaps: 261, #pkts encrypt: 261, #pkts digest: 261
      #pkts decaps: 245, #pkts decrypt: 245, #pkts verify: 245
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 261, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1/4500, remote crypto endpt.: 4.4.4.4/61574
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: AE9395B9
      current inbound spi : 62C6E7FD

    inbound esp sas:
      spi: 0x62C6E7FD (1657202685)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 98516992, crypto-map: dmap
         sa timing: remaining key lifetime (sec): 28683
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xAE9395B9 (2928907705)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={RA, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 98516992, crypto-map: dmap
         sa timing: remaining key lifetime (sec): 28683
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Step 6: SSL VPN Configuration

Configure AnyConnect SSL VPN on the Maui ASA.

[Diagram: Home Office (DSL) to Maui ASA (1.1.1.1) tunnel across the Internet, labelled "Home Office Clientless VPN". Tunneled networks: 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 (corporate) and 192.168.254.0/24 (client pool).]

Download the latest AnyConnect client files from CCO and upload these to the ASA flash. Verify the package checksums against the values Cisco publishes before loading them, since the ASA will push these binaries to every connecting user.

ASA01# sh flash
--#-- --length-- -----date/time------ path
  122 5387450    Jun 20 2011 10:16:48 anyconnect-dart-win-2.5.3041-k9.pkg
  123 6285465    Jun 20 2011 10:17:26 anyconnect-macosx-i386-2.5.3041-k9.pkg

For SSL VPN address assignment, we will use the previously configured Home Office IP local pool.

ip local pool CLIENT-POOL 192.168.254.1-192.168.254.254 mask 255.255.255.0

For SSL VPN split tunneling, we will use the previously configured Home Office ACL.

access-list CLIENT-VPN standard permit 192.168.1.0 255.255.255.0
access-list CLIENT-VPN standard permit 192.168.2.0 255.255.255.0
access-list CLIENT-VPN standard permit 192.168.3.0 255.255.255.0

Enable WebVPN on the outside interface and identify the AnyConnect client images. Enable the display of the tunnel-group list on the WebVPN login page. This allows users to select and log in to their desired group.

webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-dart-win-2.5.3041-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.3041-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable

Configure a VPN group policy and supply the split-tunnel ACL. Configure DNS information for corporate name resolution. Configure the tunnel protocol as SSL. For the WebVPN characteristics, we will keep the client installed to stop the SSL VPN client from attempting to install every time users connect. We will launch a web page upon SSL login that can be used for Intranet access or other purposes.
group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 192.168.1.99 192.168.1.100
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLIENT-VPN
 webvpn
  anyconnect keep-installer installed
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect ask none default anyconnect
  homepage value http://www.vpnparadise.com

Configure a VPN user account and associate it with the SSL VPN group policy.

username jane.doe password ciscorocks!
username jane.doe attributes
 vpn-group-policy SSLVPN-GP

Configure a VPN tunnel group and bind the group policy. Associate the IP pool for address assignment. We will mask the actual tunnel-group name with a group alias.

tunnel-group SSLVPN-TG type remote-access
tunnel-group SSLVPN-TG general-attributes
 address-pool CLIENT-POOL
 default-group-policy SSLVPN-GP
tunnel-group SSLVPN-TG webvpn-attributes
 group-alias SSLVPN enable

Verify SSL VPN Configuration

Launch a web browser to log in and test the SSL VPN. Notice the tunnel group alias is displayed on the login page.

MAUI-ASA# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : jane.doe               Index        : 16
Assigned IP  : 192.168.254.2          Public IP    : 4.4.4.4
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : 3DES                   Hashing      : SHA1
Bytes Tx     : 541923                 Bytes Rx     : 341600
Group Policy : SSLVPN-GP              Tunnel Group : SSLVPN-TP
Login Time   : 8:17:32 EDT Fri Jul 22 2011
Duration     : 0h:3m:11s