THE FASCINATING WORLD OF NETWORKING
FlexVPN Site-to-Site using GRE over IPSec and asymmetric authentication: PKI and PSK
Date: 9-11-2016
​
Links:
​
This is a tribute to AUTRUNK’s and Intense School’s web pages.
Introduction to FlexVPN
Cisco introduced IKEv2 in IOS version 15.x and ASA OS 8.4. When we use IKEv2 to deploy a Site-to-Site VPN, we call it Flex Site-to-Site. Similarly, when we use IKEv2 to deploy a Remote Access VPN, we call it Flex Remote Access VPN on IOS. IKEv2 simplifies the message exchange and provides support for VoIP.
​
FlexVPN relies on open-standards-based IKEv2 as a security technology and provides on top of it many Cisco® specific enhancements to provide high levels of security, added value, and competitive differentiations.
Flex VPNs offer a unified and modular framework for VPN implementation:
- Site-to-Site.
- Remote Access.
- Hub and Spoke, Spoke-to-Spoke.
Legacy Crypto Maps, although still valid for IKEv2, are not recommended. Crypto maps are considered a legacy configuration construct for IKEv2. It is recommended that you migrate existing crypto map based setups to use tunnel protection and virtual interfaces.
FlexVPN and GNS3
All my labs have been created using standard GNS3: GNS3 7.0.4 running on Windows XP Professional, 32 bits, with 4 GB RAM and a Pentium Dual-Core CPU E5300 2.60 GHz, no VT-x/AMD-V hardware acceleration. Currently I can’t afford buying a new machine for virtualization, but maybe next year. It is a requirement to continue studying CCNP Security.
​
NOTE I think there is no need for real Cisco equipment and powerful machines to pass CCNP R&S and the first and last exams of CCNP Security, but it would be better to have one or both of them.
​
Up to now, I have tested several configurations using IKEv2 on GNS3. Only 7200 routers with IOS version 15.x allow you to implement FlexVPN on standard GNS3, even though Cisco says these routers don’t support IKEv2 capabilities. The results are:
- You can implement FlexVPN Site-to-Site using Crypto Maps (not recommended).
- You can also use static VTI and GRE over IPSec tunnels.
- DVTI using virtual template interfaces works fine, but there is no LAN-to-LAN connection between spokes (a bug in IOS or GNS3).
- Pushing policies works fine: routing inside the IKEv2 SAs and IP addresses negotiated on tunnel interfaces.
- Migration from DMVPN Hub-to-Spoke to FlexVPN is restricted to Hub-and-Spoke tunnels.
- Direct Spoke-to-Spoke tunnels fail: the ip nhrp redirect feature doesn’t work along with IKEv2.
- RSA authentication using a CA server is possible, but PKI Server and IKEv2 configuration are not compatible on the same router.
Conclusions: The best option to implement FlexVPN is by using real equipment, IOU or Cisco CSR1000v.
CSR 1000V can be installed in VirtualBox and used in GNS3. See: https://herdingpackets.net/2014/02/06/using-the-cisco-csr1000v-in-gns3-with-virtualbox/comment-page-1/
​
NOTE I have not tested IOU or CSR1000V, so this is based only on what I have read. I recommend some articles from www.intenseschool.com, particularly those written by Adeolu Owokade.
GNS3 Topology
As mentioned before, we need a standalone router working as a CA Server, with PKI Server capability.
​
IOS for IOS_CA = c7200-adventerprisek9-mz.152-4.M2.bin
IOS for R1 & R2 = c7200-adventerprisek9-mz.152-4.S7.bin
​
As you know, to use a minimum of CPU cycles on your computer, the best option for implementing a GNS3 topology is to use the same router model with the same IOS image (with a good shared Idle PC value). In this case that is impossible, and CPU usage is greater than 50% on my computer. But you can use BES.exe or Process Lasso to improve the performance of your PC.
​
NOTE Here I will use GRE over IPSec tunnel. Remember, you can also use static VTI, DVTI or Crypto Maps.
​
IOS_CA works as a certificate authority (CA). R1 and R2 request certificates from IOS_CA.
Configurations
Interface configurations
R1
fa0/0: 200.1.13.1/24
Tunnel 0: 10.1.13.1/24
Lo0: 192.168.1.1/24 <-- LAN
​
R2
fa0/0: 200.1.13.3/24
Tunnel0: 10.1.13.3/24
Lo0: 192.168.2.1/24 <-- LAN
​
IOS_CA
fa0/0: 200.1.13.2/24
Lo0: 10.0.0.1/32 <-- NTP source
IOS_CA Configuration
! Configure this router as a NTP Server
​
clock timezone GMT 0
ntp master
ntp source lo0
!
​
! Configure this router as a CA Server
ip http server
!
! First the trustpoint
crypto pki trustpoint IOS_CA
subject-name cn=CA,ou=juantron.com
!
! After, the PKI Server
crypto pki server IOS_CA
no database archive
! auto grant certificates
grant auto
! Define the extended key usage (EKU) values written into issued certificates: server-auth for network
! devices, client-auth for clients. Some use cases require the EKU to be explicitly stated in the certificate.
eku server-auth client-auth
no shut
! Define a password for this server and re-type that password
NOTE You can find a detailed and more complete configuration in two of my articles:
- PKI.
​
NOTE Depending on your IOS version, you may first need to generate an RSA key with a label that is the same as the IOS certificate server name, as well as a domain name (ip domain-name name) and a hostname (remember the command show hosts to see the default domain name). On my IOS version (15.2), the RSA key was automatically generated, and there is no need to define the domain name.
R1 Configuration
! Configure the trustpoint
​
crypto pki trustpoint IOS_CA
! request certificate from IOS_CA
enrollment url http://200.1.13.2:80
revocation-check none
! Authenticate to the CA server and accept its certificate (public key).
! Time must be synchronised with IOS_CA first, otherwise certificate validity checks fail:
ip route 10.0.0.1 255.255.255.255 200.1.13.2
clock timezone GMT 0
ntp server 10.0.0.1
!
! Before continuing, use show ntp status to see if this peer is synchronized with the NTP Server
crypto pki authenticate IOS_CA
! Accept the certificate
​
! Send the certificate enrollment request to the CA Server
crypto pki enroll IOS_CA
! Type a password, re-enter the password, and answer the questions; finally, request the certificate
! Configure the pre-share key (PSK):
We will use mixed authentication in this lab. R1 authenticates itself with an RSA signature (its certificate from IOS_CA) and expects the pre-shared key from R2; R2 authenticates itself with the pre-shared key and expects an RSA signature from R1. In other words: when R2 connects to R1, R1 uses RSA to authenticate locally; when R1 connects to R2, R2 uses PSK to authenticate locally:
crypto ikev2 keyring mykeys
peer SPOKE
address 200.1.13.3
pre-shared-key juantron
!
! Configure IKEv2 profile:
crypto ikev2 profile FLEXVPN-Static
! Restrict the remote identity to the peer address to enhance security; it can also be configured as 'any'
match identity remote address 200.1.13.3 255.255.255.255
! configure PSK authentication when authenticate to remote device
! When R1 connects to R2, R2 will use PSK to authenticate locally. Therefore, R1 will use PSK as remote authentication method.
authentication remote pre-share
! When R2 connects to R1, R1 will use RSA to authenticate locally. Therefore, R2 will use RSA as remote authentication method.
authentication local rsa-sig
! Use the previously defined keyring
keyring local mykeys
pki trustpoint IOS_CA
! configure dead peer detection attributes
dpd 60 2 on-demand
​
! IPSec Profile
​
Apply IKEv2 profile to IPSec profile, so that when IPSec profile is applied on the tunnel interface, the designated IKEv2 profile will be executed:
​
crypto ipsec profile default
set ikev2-profile FLEXVPN-Static
​
! Apply IPSec profile on tunnel interface to encrypt
interface Tunnel0
ip address 10.1.13.1 255.255.255.0
tunnel source fa0/0
tunnel destination 200.1.13.3
tunnel protection ipsec profile default
​
! Static route to the remote LAN (R2) through the tunnel
ip route 192.168.2.0 255.255.255.0 tu0
R2 Configuration
! Configure the trustpoint
​
crypto pki trustpoint IOS_CA
enrollment url http://200.1.13.2:80
revocation-check none
! Authenticate to the CA Server
ip route 10.0.0.1 255.255.255.255 200.1.13.2
clock timezone GMT 0
ntp server 10.0.0.1
!
crypto pki authenticate IOS_CA
​
! Send the certificate enrollment request to the CA Server
crypto pki enroll IOS_CA
​
! Configure the pre-share key (PSK):
crypto ikev2 keyring mykeys
peer SPOKE
address 200.1.13.1
pre-shared-key juantron
!
! Configure IKEv2 profile:
crypto ikev2 profile FLEXVPN-Static
match identity remote address 200.1.13.1 255.255.255.255
authentication remote rsa-sig
authentication local pre-share
keyring local mykeys
pki trustpoint IOS_CA
dpd 60 2 on-demand
!
! IPSec Profile
​
crypto ipsec profile default
set ikev2-profile FLEXVPN-Static
!
! Apply IPSec profile on tunnel interface to encrypt
interface Tunnel0
ip address 10.1.13.3 255.255.255.0
tunnel source fa0/0
tunnel destination 200.1.13.1
tunnel protection ipsec profile default
​
! Static route to the remote LAN (R1) through the tunnel
ip route 192.168.1.0 255.255.255.0 tu0
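The two profiles above only work because they are mirror images: what R1 signs with (rsa-sig) is what R2 verifies (authentication remote rsa-sig), and what R2 signs with (pre-share) is what R1 verifies. As an added example (my own code, not from the article or from Cisco), here is a small Python checker that parses both routers' keyring, IKEv2 profile and Tunnel0 stanzas and reports any asymmetry mismatch, a missing keyring peer for the tunnel destination, or a remote identity match that is not pinned to the peer. It assumes the stanzas are pasted with running-config indentation and that each router has one IKEv2 profile and one tunnel; the sample configurations are constructed copies of R1 and R2, and R2_BAD_CFG is a constructed misconfiguration.

```python
# Constructed sample stanzas reproducing the article's R1 and R2 configuration,
# pasted with the one-space indentation of an IOS running-config.
R1_CFG = """\
crypto ikev2 keyring mykeys
 peer SPOKE
  address 200.1.13.3
  pre-shared-key juantron
!
crypto ikev2 profile FLEXVPN-Static
 match identity remote address 200.1.13.3 255.255.255.255
 authentication remote pre-share
 authentication local rsa-sig
 keyring local mykeys
 pki trustpoint IOS_CA
!
interface Tunnel0
 tunnel destination 200.1.13.3
"""
R2_CFG = """\
crypto ikev2 keyring mykeys
 peer SPOKE
  address 200.1.13.1
  pre-shared-key juantron
!
crypto ikev2 profile FLEXVPN-Static
 match identity remote address 200.1.13.1 255.255.255.255
 authentication remote rsa-sig
 authentication local pre-share
 keyring local mykeys
 pki trustpoint IOS_CA
!
interface Tunnel0
 tunnel destination 200.1.13.1
"""
# Constructed misconfiguration: R2 expects a PSK from R1, but R1 signs with RSA.
R2_BAD_CFG = R2_CFG.replace("authentication remote rsa-sig", "authentication remote pre-share")

# Profile sub-commands we care about, keyed by their first two words.
PROFILE_KEYS = {("authentication", "remote"): "auth_remote", ("authentication", "local"): "auth_local",
                ("keyring", "local"): "keyring", ("pki", "trustpoint"): "trustpoint"}


def stanzas(cfg):
    """Yield (header, list of split sub-lines) per indented block; '!' separators are skipped."""
    header, body = None, []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            body.append(raw.split())
            continue
        if header is not None:
            yield header, body
        header, body = raw.strip(), []
    if header is not None:
        yield header, body


def parse_router(cfg):
    """Collect keyring peers, the IKEv2 profile and the tunnel destination of one router."""
    r = {"keyrings": {}, "profile": {}, "tunnel": {}}
    for header, body in stanzas(cfg):
        if header.startswith("crypto ikev2 keyring "):
            peers, cur = {}, None
            for w in body:
                if w[0] == "peer":
                    cur = peers.setdefault(w[1], {})
                elif cur is not None and w[0] in ("address", "pre-shared-key"):
                    cur[w[0]] = w[1]
            r["keyrings"][header.split()[-1]] = peers
        elif header.startswith("crypto ikev2 profile "):
            for w in body:
                if tuple(w[:2]) in PROFILE_KEYS:
                    r["profile"][PROFILE_KEYS[tuple(w[:2])]] = w[2]
                elif w[:4] == ["match", "identity", "remote", "address"]:
                    r["profile"]["match_remote"] = w[4]
        elif header.startswith("interface Tunnel"):
            for w in body:
                if w[:2] == ["tunnel", "destination"]:
                    r["tunnel"]["destination"] = w[2]
    return r


def check_pair(cfg_a, cfg_b, name_a="R1", name_b="R2"):
    """Return findings; an empty list means the two profiles mirror each other."""
    a, b = parse_router(cfg_a), parse_router(cfg_b)
    findings = []
    for me, mine, other, theirs in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        prof, dest = mine["profile"], mine["tunnel"].get("destination")
        # The method I sign with must be the method the peer verifies with.
        if prof.get("auth_local") != theirs["profile"].get("auth_remote"):
            findings.append(f"{me} authenticates with {prof.get('auth_local')} but "
                            f"{other} expects {theirs['profile'].get('auth_remote')}")
        methods = {prof.get("auth_local"), prof.get("auth_remote")}
        if "rsa-sig" in methods and "trustpoint" not in prof:
            findings.append(f"{me}: rsa-sig configured without 'pki trustpoint'")
        if "pre-share" in methods:
            peers = mine["keyrings"].get(prof.get("keyring"), {}).values()
            if not any(p.get("address") == dest for p in peers):
                findings.append(f"{me}: keyring has no peer entry for {dest}")
        # Pin the identity match to the peer address instead of 'any'.
        if prof.get("match_remote") != dest:
            findings.append(f"{me}: 'match identity remote address' should be {dest}")
    return findings


if __name__ == "__main__":
    print("R1 <-> R2:", check_pair(R1_CFG, R2_CFG) or "consistent")
    print("R1 <-> R2 (misconfigured):", check_pair(R1_CFG, R2_BAD_CFG))
```

Run it as-is to see the good pair pass and the constructed bad pair flagged; to check a real lab, paste the output of show running-config | section crypto ikev2|interface Tunnel from each router into the two strings.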
NOTE When tunnel0 is up, on R2 you’ll see:
Nov 4 18:30:30.216: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Nov 4 18:30:30.368: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Nov 4 18:30:31.448: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 200.1.13.1 (type 1) and certificate addr with
Verification
R2#show crypto ikev2 sa detailed
Nov 4 18:31:47.761: %SYS-5-CONFIG_I: Configured from console by console
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 200.1.13.3/500 200.1.13.1/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA
Life/Active Time: 86400/80 sec
CE id: 1001, Session-id: 1
Status Description: Negotiation done
Local spi: 35B49766FAF3FF9E Remote spi: F771E5621C6D6A6E
Local id: 200.1.13.3
Remote id: 200.1.13.1
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 60 seconds, retry 2
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
--output omitted--
R2#show crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 200.1.13.1 port 500
IKEv2 SA: local 200.1.13.3/500 remote 200.1.13.1/500 Active
IPSEC FLOW: permit 47 host 200.1.13.3 host 200.1.13.1
Active SAs: 2, origin: crypto map
R1#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 200.1.13.1/500 200.1.13.3/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: PSK
Life/Active Time: 86400/248 sec
R1#ping 192.168.2.1 so l0
R1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 200.1.13.1
protected vrf: (none)
local ident (addr/mask/prot/port): (200.1.13.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (200.1.13.3/255.255.255.255/47/0)
current_peer 200.1.13.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 384, #pkts encrypt: 384, #pkts digest: 384
#pkts decaps: 384, #pkts decrypt: 384, #pkts verify: 384
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.1.13.1, remote crypto endpt.: 200.1.13.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xFF380F5C(4281864028)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xD9D96B31(3654904625)
--output omitted--
R2#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 200.1.13.3
protected vrf: (none)
local ident (addr/mask/prot/port): (200.1.13.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (200.1.13.1/255.255.255.255/47/0)
current_peer 200.1.13.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 773, #pkts encrypt: 773, #pkts digest: 773
#pkts decaps: 773, #pkts decrypt: 773, #pkts verify: 773
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.1.13.3, remote crypto endpt.: 200.1.13.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xD9D96B31(3654904625)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xFF380F5C(4281864028)
--output omitted--
R2#ping 192.168.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 180/194/204 ms
R2#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 200.1.13.3
protected vrf: (none)
local ident (addr/mask/prot/port): (200.1.13.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (200.1.13.1/255.255.255.255/47/0)
current_peer 200.1.13.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 778, #pkts encrypt: 778, #pkts digest: 778
#pkts decaps: 778, #pkts decrypt: 778, #pkts verify: 778
--output omitted--
NOTE As you can see, there are 5 more encrypted/decrypted packets, so traffic between internal subnets is also encrypted.
Routing
To propagate routes over the VPN tunnel, you can use:
- Static routes.
- A dynamic routing protocol, with the routes advertised through the tunnel to be protected.
- Advertising the routes inside the IKEv2 SAs.
Previously, static routes were used; now let’s use the third option.
​
R1
! First, remove the static route:
no ip route 192.168.2.0 255.255.255.0 tu 0
!
aaa new-model
aaa authorization network IKEv2_LIST local
!
ip access-list standard R1-SUBNETS
permit 192.168.1.0 0.0.0.255
!
crypto ikev2 authorization policy R1-AUTHR-POLICY
route set interface
route set access-list R1-SUBNETS
!
crypto ikev2 profile FLEXVPN-Static
aaa authorization group psk list IKEv2_LIST R1-AUTHR-POLICY
R2
! First, remove the static route:
no ip route 192.168.1.0 255.255.255.0 tu 0
!
aaa new-model
aaa authorization network IKEv2_LIST local
!
ip access-list standard R2-SUBNETS
permit 192.168.2.0 0.0.0.255
!
crypto ikev2 authorization policy R2-AUTHR-POLICY
route set interface
route set access-list R2-SUBNETS
!
crypto ikev2 profile FLEXVPN-Static
aaa authorization group cert list IKEv2_LIST R2-AUTHR-POLICY
Once the IKE SAs have been rebuilt using:
R1#clear crypto ikev2 sa
R1#conf t
R1(config)# int tu 0
R1(config-if)#shut
R1(config-if)#no shut
we now see the remote subnets listed at the bottom of the show crypto ikev2 sa detailed output:
​
R1#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 200.1.13.1/500 200.1.13.3/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: PSK
Life/Active Time: 86400/22 sec
CE id: 1002, Session-id: 2
Status Description: Negotiation done
Local spi: 3B96E5256D4D978E Remote spi: 3AF14ABEBAA0A7B3
Local id: 200.1.13.1
Remote id: 200.1.13.3
Local req msg id: 3 Remote req msg id: 0
Local next msg id: 3 Remote next msg id: 0
Local req queued: 3 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 60 seconds, retry 2
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Remote subnets:
192.168.2.0 255.255.255.0
R1#ping 192.168.2.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 172/184/204 ms
R2#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 200.1.13.3/500 200.1.13.1/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA
Life/Active Time: 86400/160 sec
CE id: 1006, Session-id: 4
Status Description: Negotiation done
Local spi: 3E1DF6430EE18980 Remote spi: 5DA0EDA52A4EC435
Local id: 200.1.13.3
Remote id: 200.1.13.1
Local req msg id: 4 Remote req msg id: 0
Local next msg id: 4 Remote next msg id: 0
Local req queued: 4 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 60 seconds, retry 2
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Remote subnets:
192.168.1.0 255.255.255.0
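The verification section and this routing section both rely on reading show output by eye: the "Auth sign"/"Auth verify" pair proves the authentication is asymmetric, the "Remote subnets" block proves the routes were pushed inside the IKEv2 SA, and the #pkts counters moving from 773 to 778 after five pings prove the LAN-to-LAN traffic went through ESP. As an added example (my own code, not from the article), the Python below parses those two outputs so the same checks can be asserted rather than eyeballed. The sample outputs are constructed, trimmed copies of the ones shown on this page; the DH-group and key-size thresholds in policy_findings are this example's own assumed baseline, not something the article states.

```python
import re

# Constructed sample output, trimmed copies of the article's "show" commands.
R1_IKEV2_SA = """\
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         200.1.13.1/500        200.1.13.3/500        none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: PSK
      Life/Active Time: 86400/22 sec
      Initiator of SA : Yes
      Remote subnets:
      192.168.2.0 255.255.255.0
"""
R2_IKEV2_SA = """\
Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         200.1.13.3/500        200.1.13.1/500        none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: RSA
      Remote subnets:
      192.168.1.0 255.255.255.0
"""
R2_IPSEC_BEFORE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 200.1.13.3
    #pkts encaps: 773, #pkts encrypt: 773, #pkts digest: 773
    #pkts decaps: 773, #pkts decrypt: 773, #pkts verify: 773
    #pkts compressed: 0, #pkts decompressed: 0
"""
# Snapshot after the five-packet ping between the LANs.
R2_IPSEC_AFTER = R2_IPSEC_BEFORE.replace("773", "778")

SA_RE = re.compile(r"^\s*(?P<id>\d+)\s+(?P<local>\S+)/\d+\s+(?P<remote>\S+)/\d+\s+\S+\s+(?P<status>\S+)\s*$", re.M)
CRYPTO_RE = re.compile(r"Encr: (?P<encr>\S+), keysize: (?P<keysize>\d+), Hash: (?P<hash>\S+), "
                       r"DH Grp:(?P<dh>\d+), Auth sign: (?P<sign>\S+), Auth verify: (?P<verify>\S+)")
SUBNET_RE = re.compile(r"^\s*(\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})\s*$", re.M)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")


def parse_ikev2_sa(text):
    """Return endpoints, status, crypto suite, auth methods and pushed remote subnets of the SA."""
    sa, cr = SA_RE.search(text), CRYPTO_RE.search(text)
    if not sa or not cr:
        raise ValueError("no IKEv2 SA found in output")
    d = {**sa.groupdict(), **cr.groupdict()}
    d["keysize"], d["dh"] = int(d["keysize"]), int(d["dh"])
    _, _, tail = text.partition("Remote subnets:")  # empty tail when nothing was pushed
    d["remote_subnets"] = [f"{net} {mask}" for net, mask in SUBNET_RE.findall(tail)]
    return d


def parse_ipsec_counters(text):
    """Return the encap/decap and encrypt/decrypt counters of 'show crypto ipsec sa'."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def check_asymmetric_auth(sa_a, sa_b):
    """True when the methods are mirrored (A signs with what B verifies, and vice versa)
    and differ between the two directions, which is what this PKI/PSK lab intends."""
    mirrored = sa_a["sign"] == sa_b["verify"] and sa_a["verify"] == sa_b["sign"]
    return mirrored and sa_a["sign"] != sa_a["verify"]


def encrypted_delta(before, after):
    """Packets that went through ESP between two snapshots, e.g. around a ping across the LANs."""
    return {k: after[k] - before[k] for k in ("encaps", "decaps", "encrypt", "decrypt")}


def policy_findings(sa, min_dh=14, min_keysize=256):
    """Flag settings below this example's own (assumed) baseline: the lab's default
    proposal negotiates DH group 5, which is weaker than group 14 and above."""
    findings = []
    if sa["status"] != "READY":
        findings.append(f"SA status is {sa['status']}")
    if sa["dh"] < min_dh:
        findings.append(f"DH group {sa['dh']} is below the baseline of group {min_dh}")
    if sa["keysize"] < min_keysize:
        findings.append(f"key size {sa['keysize']} is below {min_keysize}")
    return findings


if __name__ == "__main__":
    r1, r2 = parse_ikev2_sa(R1_IKEV2_SA), parse_ikev2_sa(R2_IKEV2_SA)
    print("asymmetric auth mirrored:", check_asymmetric_auth(r1, r2))
    print("R1 remote subnets:", r1["remote_subnets"])
    before, after = parse_ipsec_counters(R2_IPSEC_BEFORE), parse_ipsec_counters(R2_IPSEC_AFTER)
    print("ESP delta on R2 around the ping:", encrypted_delta(before, after))
    print("policy findings on R1:", policy_findings(r1))
```

The only thing the script cannot tell you is whether the five extra packets were the ping itself; take the two ipsec snapshots immediately before and after the ping, with no other traffic on the tunnel, exactly as the article does.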
And this is all. If you liked this article, please advertise it.
Bye, bye.