© 2003, Cisco Systems, Inc. All rights reserved. CSPFA
Chapter 14: Virtual Private Network Configuration
Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Identify how the PIX Firewall enables a secure VPN.
- Identify the tasks to configure PIX Firewall IPSec support.
- Identify the commands to configure PIX Firewall IPSec support.
- Configure a VPN between PIX Firewalls.
- Describe the Cisco VPN Client.
The PIX Firewall Enables a Secure VPN

PIX Firewall VPN Topologies
- Other vendors to a PIX Firewall VPN
- A PIX Firewall to a PIX Firewall VPN gateway
- A PIX Firewall to a router VPN gateway
- A VPN Client to a PIX Firewall VPN via dialup
- A VPN Client to a PIX Firewall VPN via a network
[Figure: each of the topologies above, connected across the Internet]

IPSec Enables PIX Firewall VPN Features
- Data confidentiality
- Data integrity
- Data authentication
- Anti-replay
[Figure: IPSec tunnel across the Internet]

What Is IPSec?
- IETF standard that enables encrypted communication between peers.
- Consists of open standards for securing private communications.
- Network layer encryption ensuring data confidentiality, integrity, and authentication.
- Scales from small to very large networks.
- Included in PIX Firewall version 5.0 and later.
[Figure: IPSec tunnel across the Internet]

IPSec Standards Supported by the PIX Firewall
- IPSec (IP Security protocol)
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)
- Internet Key Exchange (IKE)
- Data Encryption Standard (DES)
- Triple DES (3DES)
- Diffie-Hellman (DH)
- Message Digest 5 (MD5)
- Secure Hash Algorithm (SHA)
- Rivest, Shamir, Adleman signatures (RSA)
- Certificate Authorities (CA)
IPSec Configuration Tasks

IPSec Configuration Tasks Overview
- Task 1: Prepare to configure VPN support.
- Task 2: Configure IKE parameters.
- Task 3: Configure IPSec parameters.
- Task 4: Test and verify VPN configuration.

Task 1: Prepare to Configure VPN Support
- Step 1: Determine the IKE (IKE phase one) policy.
- Step 2: Determine the IPSec (IKE phase two) policy.
- Step 3: Ensure that the network works without encryption.
- Step 4: Implicitly permit IPSec packets to bypass PIX Firewall access lists, access groups, and conduits.
Plan for IKE
Goal: Minimize misconfiguration
Planning includes the following steps:
- Identify IKE phase one policies for peers.
- Determine key distribution methods.
- Identify IPSec peer PIX Firewall IP addresses or hostnames.
IKE Phase One Policy Parameters

  Parameter              Strong           Stronger
  Encryption algorithm   DES              3DES
  Hash algorithm         MD5              SHA-1
  Authentication method  Pre-share        RSA Signature
  Key exchange           DH Group 1       DH Group 2
  IKE SA lifetime        86,400 seconds   < 86,400 seconds

Determine IKE Phase One Policy

  Parameter              Site 1           Site 2
  Encryption algorithm   DES              DES
  Hash algorithm         SHA              SHA
  Authentication method  Pre-share        Pre-share
  Key exchange           768-bit D-H      768-bit D-H
  IKE SA lifetime        86,400 seconds   86,400 seconds

[Figure: Site 1 PIX and Site 2 PIX connected across the Internet]
Plan for IPSec
Goal: Minimize misconfiguration
Planning for IPSec includes the following:
- Select IPSec algorithms and parameters for optimal security and performance.
- Identify IPSec peer PIX Firewall details.
- Determine IP addresses and applications of hosts to be protected.
- Select manual or IKE-initiated SAs.

Determine IPSec (IKE Phase Two) Policy
- Transform set: ESP-DES, tunnel mode
- Peer PIX Firewall IP address: Site 1 IP / Site 2 IP (the other site's PIX)
- Traffic (packet) type to be encrypted: encrypting hosts
- SA establishment policy: ipsec-isakmp
[Figure: Site 1 PIX and Site 2 PIX connected across the Internet]
Task 2: Configure IKE Parameters

Step 1: Enable or Disable IKE
- Enables or disables IKE on the PIX Firewall interfaces.
- IKE is enabled by default.
- Disable IKE on interfaces not used for IPSec.
Syntax:
    pixfirewall(config)# isakmp enable interface-name
Example:
    pixfirewall(config)# isakmp enable outside

Step 2: Configure an IKE Phase One Policy
- Creates a policy suite grouped by priority number.
- Creates policy suites that match peers.
- Can use default values.
    pixfirewall(config)# isakmp policy 10 encryption des
    pixfirewall(config)# isakmp policy 10 hash sha
    pixfirewall(config)# isakmp policy 10 authentication pre-share
    pixfirewall(config)# isakmp policy 10 group 1
    pixfirewall(config)# isakmp policy 10 lifetime 86400

Step 3: Configure the IKE Pre-shared Key
- Pre-shared keystring must be identical at both peers.
- Use any combination of alphanumeric characters up to 128 bytes for keystring.
- Specify peer-address as a host or wildcard address.
- Easy to configure, yet is not scalable.
Syntax:
    pixfirewall(config)# isakmp key keystring address peer-address [netmask]
Example:
    pixfirewall(config)# isakmp key cisco123 address

Step 4: Verify IKE Phase One Policies
- Displays configured and default IKE protection suites.
    pixfirewall# show isakmp policy
    Protection suite of priority 10
            encryption algorithm: DES - Data Encryption Standard (56 bit keys).
            hash algorithm: Secure Hash Standard
            authentication method: Pre-Shared Key
            Diffie-Hellman group: #1 (768 bit)
            lifetime: seconds, no volume limit
    Default protection suite
            encryption algorithm: DES - Data Encryption Standard (56 bit keys).
            hash algorithm: Secure Hash Standard
            authentication method: Rivest-Shamir-Adleman Signature
            Diffie-Hellman group: #1 (768 bit)
            lifetime: seconds, no volume limit
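As an added illustration of the phase one matching that Steps 2 through 4 rely on (example code, not from the chapter or from Cisco), the following Python models how a PIX picks a protection suite from two peers' isakmp policy lists and flags the weaker choices from the parameter table. The Site 1 and Site 2 values come from the slides; the third peer, the priority 65535 given to the default suite, and the fallback behaviour are assumptions noted in the code.

```python
from dataclasses import dataclass, replace
from typing import List

@dataclass(frozen=True)
class IkePolicy:
    priority: int        # lower number is tried first, as with 'isakmp policy 10'
    encryption: str      # "des" or "3des"
    hash_alg: str        # "md5" or "sha"
    authentication: str  # "pre-share" or "rsa-sig"
    group: int           # Diffie-Hellman group: 1 (768-bit) or 2 (1024-bit)
    lifetime: int        # IKE SA lifetime in seconds

# The 'Default protection suite' that 'show isakmp policy' lists last
# (priority 65535 is an assumption: it only has to sort after every configured policy).
DEFAULT_SUITE = IkePolicy(65535, "des", "sha", "rsa-sig", 1, 86400)

def negotiate(initiator: List[IkePolicy], responder: List[IkePolicy]) -> IkePolicy:
    """Return the suite IKE phase one settles on: the initiator's policies are
    tried in priority order against the responder's. Encryption, hash,
    authentication method and DH group must be identical; the lifetime need
    not match, the shorter value is used. Modelled assumption: both peers keep
    the default suite as a last candidate, so mismatched configured policies
    fall back to DES/SHA/RSA-signature, which then fails at authentication
    unless both peers hold certificates."""
    init = sorted(initiator, key=lambda p: p.priority) + [DEFAULT_SUITE]
    resp = sorted(responder, key=lambda p: p.priority) + [DEFAULT_SUITE]
    for i in init:
        for r in resp:
            if (i.encryption, i.hash_alg, i.authentication, i.group) == \
               (r.encryption, r.hash_alg, r.authentication, r.group):
                return replace(i, lifetime=min(i.lifetime, r.lifetime))
    raise AssertionError("unreachable: the default suites always match")

def weak_parameters(p: IkePolicy) -> List[str]:
    """Flag choices from the 'Strong' (weaker) column of the parameter table."""
    checks = [(p.encryption == "des", "DES encryption (3DES is stronger)"),
              (p.hash_alg == "md5", "MD5 hash (SHA-1 is stronger)"),
              (p.group == 1, "DH group 1, 768-bit (group 2 is stronger)"),
              (p.lifetime >= 86400, "IKE SA lifetime of 86,400 seconds or more")]
    return [msg for failed, msg in checks if failed]

# Site 1 and Site 2 policies from the 'Determine IKE Phase One Policy' table.
SITE1 = [IkePolicy(10, "des", "sha", "pre-share", 1, 86400)]
SITE2 = [IkePolicy(10, "des", "sha", "pre-share", 1, 86400)]
# Constructed peer whose only configured policy does not match Site 1.
OTHER = [IkePolicy(10, "3des", "md5", "pre-share", 2, 3600)]

if __name__ == "__main__":
    agreed = negotiate(SITE1, SITE2)
    print("agreed:", agreed, "weak:", weak_parameters(agreed))
    print("fallback:", negotiate(SITE1, OTHER))
```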
Task 3: Configure IPSec Parameters

Step 1: Configure Interesting Traffic
- permit = encrypt
- deny = do not encrypt
- access-list selects IP traffic by address, network, or subnet
Syntax:
    pixfirewall(config)# access-list acl_ID {deny | permit} protocol source_addr source_mask destination_addr destination_mask
Example:
    pixfirewall# access-list 101 permit ip host host

Example Crypto ACLs
Lists are symmetrical.
PIX1:
    pix1(config)# show static
    static (inside,outside) netmask
    pix1(config)# show access-list
    access-list 110 permit ip host host
PIX6:
    pix6(config)# show static
    static (inside,outside) netmask
    pix2(config)# show access-list
    access-list 101 permit ip host host
[Figure: Site 1 PIX1 and Site 2 PIX connected across the Internet]

Step 2: Configure an IPSec Transform Set
- Sets are limited to up to one AH and up to two ESP transforms.
- Default mode is tunnel.
- Configure matching sets between IPSec peers.
Syntax:
    pixfirewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
Example:
    pix1(config)# crypto ipsec transform-set pix6 esp-des

Available IPSec Transforms
  ah-md5-hmac    AH-HMAC-MD5 transform
  ah-sha-hmac    AH-HMAC-SHA transform
  esp-des        ESP transform using DES cipher (56 bits)
  esp-3des       ESP transform using 3DES cipher (168 bits)
  esp-md5-hmac   ESP transform using HMAC-MD5 auth
  esp-sha-hmac   ESP transform using HMAC-SHA auth
Step 3: Configure the Crypto Map
- Specifies IPSec (IKE phase two) parameters.
- Map names and sequence numbers group entries into a policy.
    pixfirewall(config)# crypto map MYMAP 10 ipsec-isakmp
    pixfirewall(config)# crypto map MYMAP 10 match address 101
    pixfirewall(config)# crypto map MYMAP 10 set peer
    pixfirewall(config)# crypto map MYMAP 10 set transform-set pix6
    pixfirewall(config)# crypto map MYMAP 10 set pfs group1
    pixfirewall(config)# crypto map MYMAP 10 set security-association lifetime seconds 28800

Step 4: Apply the Crypto Map to an Interface
- Applies the crypto map to an interface.
- Activates IPSec policy.
Syntax:
    pixfirewall(config)# crypto map map-name interface interface-name
Example:
    pixfirewall(config)# crypto map MYMAP interface outside

Example Crypto Map for PIX1
    pix1(config)# show crypto map
    Crypto Map "peer6" 10 ipsec-isakmp
            Peer =
            access-list 101 permit ip host host (hitcnt=0)
            Current peer:
            Security association lifetime: kilobytes/28800 seconds
            PFS (Y/N): N
            Transform sets={ pix6, }
[Figure: Site 1 PIX1 and Site 2 PIX connected across the Internet]

Example Crypto Map for PIX6
    pix6(config)# show crypto map
    Crypto Map "peer1" 10 ipsec-isakmp
            Peer =
            access-list 101 permit ip host host (hitcnt=0)
            Current peer:
            Security association lifetime: kilobytes/28800 seconds
            PFS (Y/N): N
            Transform sets={ pix1, }
[Figure: Site 1 PIX1 and Site 2 PIX connected across the Internet]
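The following Python check, added here and not part of the course material, ties Steps 1 through 3 together: it parses each peer's crypto ACL, transform set and crypto map lines and reports where the "lists are symmetrical" and "matching sets" requirements are violated. The configuration text and addresses are constructed in the shape of the pix1/pix6 example; the slides' own addresses did not survive extraction.

```python
import re

def parse_crypto(config: str) -> dict:
    """Pull out what the crypto map ties together from PIX-style config text:
    the crypto ACL it matches, the peer address, the contents of the transform
    set it uses, and the PFS group. Unrelated lines are ignored."""
    acls, sets, entry = {}, {}, {}
    for line in config.splitlines():
        if r := re.match(r"access-list (\d+) permit ip host (\S+) host (\S+)", line):
            acls.setdefault(r[1], set()).add((r[2], r[3]))
        elif r := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            sets[r[1]] = frozenset(r[2].split())
        elif r := re.match(r"crypto map \S+ \d+ (match address|set peer|"
                           r"set transform-set|set pfs) (\S+)", line):
            entry[r[1]] = r[2]
    return {"acl": acls.get(entry.get("match address"), set()),
            "peer": entry.get("set peer"),
            "transforms": sets.get(entry.get("set transform-set"), frozenset()),
            "pfs": entry.get("set pfs")}

def check_pair(cfg_a: str, outside_a: str, cfg_b: str, outside_b: str) -> list:
    """Compare two peers' crypto policy; an empty list means they agree.
    outside_a and outside_b are the peers' outside interface addresses."""
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    problems = []
    if {(dst, src) for src, dst in a["acl"]} != b["acl"]:
        problems.append("crypto ACLs are not mirror images of each other")
    if a["peer"] != outside_b or b["peer"] != outside_a:
        problems.append("'set peer' does not point at the other side's outside address")
    if not a["transforms"] or a["transforms"] != b["transforms"]:
        problems.append("transform sets differ (names may differ, transforms may not)")
    if a["pfs"] != b["pfs"]:
        problems.append("PFS setting differs")
    return problems

# Constructed pix1/pix6 pair in the shape of the chapter's example; the
# addresses are made up because the slides' addresses did not survive.
PIX1 = """\
access-list 101 permit ip host 10.0.1.11 host 10.0.6.11
crypto ipsec transform-set pix6 esp-des
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 101
crypto map MYMAP 10 set peer 192.0.2.6
crypto map MYMAP 10 set transform-set pix6
crypto map MYMAP 10 set pfs group1
"""
PIX6 = (PIX1.replace("10.0.1.11 host 10.0.6.11", "10.0.6.11 host 10.0.1.11")
            .replace("transform-set pix6", "transform-set pix1")
            .replace("set peer 192.0.2.6", "set peer 192.0.2.1"))
```

`check_pair(PIX1, "192.0.2.1", PIX6, "192.0.2.6")` returns an empty list for the mirrored pair; changing PIX6 to esp-3des or dropping its PFS line produces one finding each.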
Task 4: Test and Verify VPN Configuration
- Verify ACLs and interesting traffic: show access-list
- Verify correct IKE configuration: show isakmp, show isakmp policy
- Verify correct IPSec configuration: show crypto ipsec transform-set
- Verify the correct crypto map configuration: show crypto map
- Clear the IPSec SA: clear crypto ipsec sa
- Clear the IKE SA: clear crypto isakmp sa
- Debug IKE and IPSec traffic through the PIX Firewall: debug crypto ipsec, debug crypto isakmp
The Cisco VPN Client

Topology Overview
The PIX Firewall is configured for:
- Pre-shared keys
- Xauth
- Mode config
[Figure: remote users with a VPN Client reach the PIX Firewall (e0/...) across the Internet/ISP and a router; a CSACS server (TACACS+) authenticates the remote client]

Cisco VPN Client Features
- Support for Windows ME, Windows 2000, and Windows XP.
- Data compression.
- Split tunneling.
- User authentication by way of VPN central-site device.
- Automatic VPN Client configuration.
- Internal MTU adjustment.
- CLI to the VPN Dialer.
- Start Before Logon.
- Software update notifications from the VPN device upon connection.
PIX Firewall to VPN Client Pre-Shared Example
    pixfirewall# write terminal
    access-list 80 permit ip
    ip address outside
    ip address inside
    ip local pool MYPOOL
    nat (inside) 0 access-list 80
    route outside
    aaa-server MYTACACS protocol tacacs+
    aaa-server MYTACACS (inside) host tacacskey timeout 5
    aaa authentication include any inbound MYTACACS
    sysopt connection permit-ipsec
    crypto ipsec transform-set AAADES esp-des esp-md5-hmac
    crypto dynamic-map DYNOMAP 10 set transform-set AAADES
    crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
    crypto map VPNPEER client authentication MYTACACS
    crypto map VPNPEER interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime
    vpngroup TRAINING address-pool MYPOOL
    vpngroup TRAINING idle-time 1800
    vpngroup TRAINING password ********
VPN Client to PIX Firewall Example
- A new connection entry named vpnpeer0 is created.
- The remote server IP is the PIX Firewall outside interface.
[Screenshot: VPN Client connection entry "vpnpeer0"]
- The group name matches the vpngroup name in the PIX Firewall.
- The password is the pre-shared key and must match the vpngroup password.
- You can use the digital certificate for authentication.
[Screenshot: VPN Client group authentication, group name "TRAINING"]

PIX Firewall Assigns the IP Address to the VPN Client
[Figure: a remote user with a VPN Client and Windows XP behind a cable modem reaches the corporate office across the Internet/ISP; the perimeter router, PIX Firewall (ip local pool), AAA server, DNS and WINS server, file server and web server sit on the corporate /24 network]
Scale PIX Firewall VPNs

CA Server Fulfilling Requests from IPSec Peers
Each IPSec peer individually enrolls with the CA server.
[Figure: IPSec peers enrolling with the CA server]

Enroll a PIX Firewall with a CA
- Configure CA support.
- Generate public/private keys.
- Authenticate the CA.
- Request signed certificates from the CA.
- CA administrator verifies request and sends signed certificates.
[Figure: PIX Firewall enrolling with the CA server]
Summary
- The PIX Firewall enables a secure VPN.
- IPSec configuration tasks include configuring IKE and IPSec parameters.
- CAs enable scaling to a large number of IPSec peers.
- Remote users can establish secure VPN tunnels between PCs running Cisco VPN Client software and any Cisco VPN-enabled product, such as the PIX Firewall, that supports the Unified Client framework.
Lab Exercise

Lab Visual Objective
[Figure: lab topology for Pods 1–5 (P) and Pods 6– (Q). Each pod has a Student PC, a PIX Firewall, a Web/FTP server and a CSACS, joined through the RBB and RTS (.100). Labels: Remote: 10.1.P.11, Local: 10.0.P.11; Remote: 10.1.Q.11, Local: 10.0.Q; networks P.0 and Q.0; interface addresses .2 and .1]

Lab Visual Objective (VPN Client)
[Figure: Student PC with VPN Client (.1), Remote: P, Local: P, network 10.0.P.0, RTS (.2, .1), PIX Firewall, .150, Web/FTP, RBB]