8/3/2019 Guide to VPN in Small Office Environment V_1_0
http://slidepdf.com/reader/full/guide-to-vpn-in-small-office-environment-v10 1/16
How to implement VPN in small office environment
- Prelude
- VPN connection & architecture
  - Our remote access in a nutshell
  - Basis of configuration
  - Theory behind the tunnel
  - Tunnel mining
- VPN configuration walk-through
  - VPN server configuration
  - VPN client configuration
- What’s next
- In conclusion
- Sources
Prelude
This guide has been written to set out the basic information about remote access VPNs. The Internet
hands out a wide spread of information for this type of configuration. Not all aspects have
been thoroughly covered in this guide, but it should give you at least a glimpse of the world of remote access VPNs.
The only prerequisite for the guide is basic knowledge of router configuration. In general this
means that you are familiar with the different modes used when configuring IOS on a router,
from user EXEC mode to global configuration mode.
VPN connection & architecture
A VPN (Virtual Private Network) is a secure network over a public network. A VPN tunnel can
be implemented between two or more hosts. For example, with a VPN tunnel you can connect
two offices located on different continents and get them to interact with each other as if they were on a
physical LAN.
The type of connection we are going to implement is called a VPN remote access connection.
The connection is a tunnel between two peers, a host and a server.
In our case the host is a computer using Cisco VPN client software and a Cisco router is
configured as the VPN server. Host connects to the server through the Internet and the server
can be configured to provide access to a private network.
This guide will only concentrate on the tunnel between client and the server, and everything
else beyond that will be left a mystery.
Our remote access in a nutshell:
1. Client/server authentication using a pre-shared secret. A pre-shared secret is a pre-defined key that the negotiating peers know and use in order to trust each other. The
pre-shared key exchange operation is secured with encryption and used with all
connecting peers. This could be seen as group authentication.
2. After the group authentication it’s time for individual user authentication. The server
authenticates clients using a local database. Specific usernames and passwords are
installed manually on the router.
3. After the user is authenticated, client and server negotiate how data traffic inside the
tunnel is secured. After this the tunnel should be up and running.
Basis of configuration:
Client configuration consists of a group name, a pre-shared key, user name and password.
Server configuration consists of group policies and their pre-shared keys, local databases for
remote users and Security Associations for the tunnel. Security Associations define how the
data is finally transferred inside the tunnel.
Theory behind the tunnel
The remote access tunnel in our case is an IPSec VPN tunnel. We’ll use the ISAKMP protocol
hybrid IKE for the pre-shared key exchange, the IKE extension Xauth (driven by Cisco
IOS software commands) for remote user authentication and authorization, and IPSec SAs negotiated under the IKE SA’s
protection to secure the actual data transfer.
Makes sense? I’ll try to clear that up for you.
IPSec (IP Security) is a suite of protocols used to secure IP communications. IPSec acts at
the network layer of the OSI model, protecting and authenticating IP packets between
participating IPSec devices known as peers. IPSec is the entity that we’re building here.
An IPSec tunnel consists of the following:
ISAKMP (Internet Security Association and Key Management Protocol). This is a network
protocol for key exchange and SA negotiations. It’s basically a set of tools for security, from
encrypting data to authentication and key exchange.
When we look inside the ISAKMP protocol, there’s something called IKE (Internet Key
Exchange). IKE is a hybrid protocol that implements key exchanges within the ISAKMP protocol.
In our configuration IKE first provides “group level” authentication, which in other words
means that IKE takes care of the pre-shared key exchange and negotiates an IKE SA (Security Association). The IKE SA will be used to protect the forthcoming IPSec SA negotiations.
The group level authentication, which is used for all connecting peers, is called IKE Phase
One. IKE Phase Two is when IKE SA is set and the IPSec SA’s are being negotiated.
Security Associations, or SA’s, are a set of protocols. To be more exact, SA’s define how data
exchange between sending and receiving peers is secured. For example, when you choose
how to protect and secure your data transfer from various possibilities, you define the SA.
And when you configured it, you deployed the SA.
Now back to IKE. Inside the IKE there’s Xauth to be used for user authentication. Xauth is an
enhancement to the existing IKE protocol. Xauth uses Cisco IOS software AAA
authentication methods to perform user level authentication.
AAA stands for Authentication, Authorization and Accounting. It’s a set of commands that lie
ready to be implemented in the router IOS.
Tunnel mining
The tunnel negotiations start when the client peer sends interesting traffic to the server.
Traffic is considered interesting when a packet matches an access-list that defines the traffic to be
protected. The server then checks the assigned group name, then comes the pre-shared key exchange, and
finally the username and password are validated.
Pre-shared key exchange as follows:
1. Client randomly chooses a string and sends it to server.
2. Server hashes the received string together with the pre-shared secret and yields a hash
value, dependent on the random string and the pre-shared secret.
3. Server sends the result of hashing back to client.
4. Client calculates its own hash of the random string, together with the pre-shared
secret, and matches it with the received result from the other peer. If they match,
server knows the pre-shared secret, and is considered authenticated.
5. Now server randomly chooses a different random string and sends it to client.
6. Client also hashes the received string with the pre-shared secret.
7. Client sends the authenticated hash back to server.
8. Server locally hashes the random value and the pre-shared secret and matches it
against the received authenticated hash. If they are equal, client is also authenticated.
That was IKE Phase One of the negotiations. At this point the client and server are
authenticated and trust each other. The IKE SA is now negotiated and ready to protect the IPSec SA negotiations.
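The eight-step exchange above, modelled as an added example that is not the guide’s own code: both peers hold the group pre-shared key, each challenges the other with a random string, and a wrong key on either side fails the check. This is a simplified keyed-hash model, not the actual IKE computation; the use of HMAC-SHA-256 is an assumption, and the key value cisco123 is the group key used later in the walk-through.

```python
import hmac
import hashlib
import secrets

# Simplified model of the pre-shared key exchange described in the guide.
# HMAC-SHA-256 is assumed here; the guide itself configures MD5 for IKE.
HASH = hashlib.sha256


def keyed_hash(psk: bytes, challenge: bytes) -> bytes:
    """Hash a random challenge together with the pre-shared secret."""
    return hmac.new(psk, challenge, HASH).digest()


class Peer:
    """A peer (client or server) holding its copy of the group pre-shared key."""

    def __init__(self, name: str, psk: bytes):
        self.name = name
        self.psk = psk
        self.challenge = b""

    def new_challenge(self) -> bytes:
        # Steps 1 and 5: choose a fresh random string to send to the other side.
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def respond(self, challenge: bytes) -> bytes:
        # Steps 2, 3, 6 and 7: hash the received string with the pre-shared secret.
        return keyed_hash(self.psk, challenge)

    def verify(self, response: bytes) -> bool:
        # Steps 4 and 8: recompute locally and compare in constant time.
        expected = keyed_hash(self.psk, self.challenge)
        return hmac.compare_digest(expected, response)


def phase_one_group_auth(client: Peer, server: Peer) -> dict:
    """Run the mutual challenge-response; report who authenticated whom."""
    # Client authenticates the server (steps 1-4).
    c1 = client.new_challenge()
    server_ok = client.verify(server.respond(c1))
    # Server authenticates the client (steps 5-8).
    c2 = server.new_challenge()
    client_ok = server.verify(client.respond(c2))
    return {"server_authenticated": server_ok,
            "client_authenticated": client_ok,
            "ike_sa_established": server_ok and client_ok}


if __name__ == "__main__":
    psk = b"cisco123"  # the group key from the walk-through
    print(phase_one_group_auth(Peer("client", psk), Peer("server", psk)))
    print(phase_one_group_auth(Peer("client", psk), Peer("server", b"wrong-key")))
```

Because every client holds the same group key, any party that has it can answer both challenges, which is why the conclusion treats pre-shared keys as the weakest link.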
Between IKE Phase One and Two there’s the Xauth user authentication. This happens outside
both IKE phases. Connecting client is prompted to provide username & password and server
checks local database for a match. When match is found, IKE Phase Two negotiations are
initiated.
Now we get to the IPSec SA negotiations. IPSec SA’s can be created to use one of two
protocols, or both. ESP(Encapsulating Security Payload) and AH(Authentication Header)
protocols are harnessed to bring security to data transfer when the tunnel is up and running.
These protocols bring (1) data integrity and (2) encryption to the transfer. After the IPSec SA
negotiations, IKE Phase Two is complete and the tunnel is up.
One more time, the IPSec process negotiation:
1. Client sends interesting traffic to Server
2. Client and Server negotiate IKE Phase One session
3. User authentication through Xauth
4. Client and Server negotiate IKE Phase Two session
5. Information is exchanged via IPSec tunnel
6. IPSec tunnel is terminated
IKE was split into two phases. To make this clearer:
IKE Phase One includes IKE policies for all peers:
- Encryption algorithm
- Hash algorithm
- IKE lifetime
- Key exchange
Outcome of IKE Phase One is the IKE SA.
Xauth happens before IKE Phase Two and it includes:
- User authentication and authorization based on a database located on the router
IKE Phase Two includes configuration of how the data is transformed after the tunnel is up:
- Authentication algorithm
- Encapsulation algorithm
Outcome of IKE Phase Two is the IPSec SA.
VPN configuration walk-through
VPN server configuration
IKE Phase One
We’ll start with the IKE Phase One configuration. First an ISAKMP policy is defined. This
defines how IKE Phase One will be carried out. To be more exact, these are the specifications
for the pre-shared key exchange.
Router(config)#crypto isakmp policy 3
As previously decided, pre-shared keys are used to authenticate the connecting peers.
Router(config-isakmp)#authentication pre-share
The Diffie-Hellman algorithm is used to create the random string used in the pre-shared key exchange. The algorithm builds a secret key for the peers when they
negotiate over an insecure channel. Here it is set to group 2, which specifies a 1024-bit
DH group.
Router(config-isakmp)#group 2
Hashing algorithm is used to confirm message integrity. MD5(Message Digest 5) is
implemented. MD5 uses a 128-bit shared secret key. You can also consider
SHA(Secure Hash Algorithm), which is a successor to MD5. SHA is considered
cryptographically stronger than MD5.
Router(config-isakmp)#hash md5
This is the message encryption used when exchanging data. 3DES is the strongest kind
of encryption that IKE provides. It uses 168-bit encryption. Other option would be a
56-bit DES. In a nutshell, 3DES is practically DES encryption used three times on the
same data. 3DES is anyway approximately twice as strong as DES.
Router(config-isakmp)#encryption 3des
Time elapsed in seconds before IKE SA expires. 86400 is the default value. Assign
less time if needed.
Router(config-isakmp)#lifetime 86400
Back to global configuration mode.
Router(config-isakmp)#exit
Next we wrap the remote users together to group “SALES” and assign them a pre-shared key
and an IP address pool to use.
Router(config)#crypto isakmp client configuration group SALES
Assign a pre-shared key. Here we choose it to be “cisco123”.
Router(config-isakmp-group)#key cisco123
The IP address pool. The pool “mypool” will be defined in a forthcoming stage.
Router(config-isakmp-group)#pool mypool
Assign a domain for the clients. “Skynet” was the most infamous computer network
ever to attack mankind.
Router(config-isakmp-group)#domain skynet.com
And again back to global configuration mode.
Router(config-isakmp-group)#exit
IKE Phase One configuration is now complete. Next stage is the individual user
authentication with Xauth.
Enable authorization, authentication and accounting. AAA ignition.
Router(config)#aaa new-model
For login authentication, a local user list is defined. For a small office environment a
local database is all that’s needed. The login keyword determines that when VPN clients
connect, they will be prompted for a username and password.
Router(config)#aaa authentication login authen local
Here you assign specific rights to an authenticated user. A local user list is defined, similar to
authentication. User authorization happens right after user authentication, provided of
course that the authentication was successful. The network keyword defines that
authorization is used for network services. It can include a PPP, SLIP, or ARAP connection.
Router(config)#aaa authorization network author local
The local user database. This is how to add user information and tell the router who to
authenticate.
Router(config)#username vpnstudent password cisco
Pool of addresses for the connecting remote peers. A connecting peer needs a secondary IP
address from the server, because the user’s local IP address and the one assigned by the server are
the end-points of the connection. Data is transferred between these two addresses.
Router(config)#ip local pool mypool A.B.C.D A.B.C.D
IKE Phase Two
The transform-set. Now we get to the point where all authentication is done and the VPN
Client and Server trust each other. Next we define how the data is transformed to secure the
transfer when the tunnel is up. These are the IPSec Security Associations (SAs).
The protocols IPSec uses are ESP(Encapsulating Security Payload) and AH(Authentication
Header). ESP provides authentication, data confidentiality and message integrity. AH protocol
provides authentication and message integrity, but does not offer confidentiality. These
protocols can be used independently or combined. We’ll deploy only ESP in tunnel mode.
IP packet transformation:
168-bit 3DES is deployed for encapsulation and SHA for authentication. The HMAC (Hashed
Message Authentication Code) at the end of the esp-sha-hmac keyword is the extension to
SHA. It provides the value of the hash, which is used by the remote peer to validate
message integrity.
Router(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
Back to global configuration mode.
Router(cfg-crypto-trans)#exit
Crypto maps are used to tie all this information about incoming remote connections together. You
define all that is needed, as we have done now, and finally wrap everything in the form of a
map. The map is then assigned to the correct interface on the router.
The dynamic map is for unknown peers. Use a dynamic map when you don’t know the IP
addresses of connecting peers. You could think of this as harnessing remote users from all
over the world. You don’t have to know exactly where they are, and neither do they.
Router(config)#crypto dynamic-map dynmap 10
Assign the transform-set previously configured.
Router(config-crypto-map)#set transform-set myset
When enabled in an IPSec crypto map, RRI (Reverse Route Injection) will learn all
the subnets from any network that is defined in the crypto access control list (ACL) as the destination network. The learned routes are installed into the local routing table as
static routes that point to the encrypted interface. When the IPSec tunnel is torn down,
the associated static routes will be removed.
Router(config-crypto-map)#reverse-route
Router(config-crypto-map)#exit
Configure the router to initiate or reply to mode configuration requests, as required by the VPN Client.
Mode configuration requests are those initiated during IKE Phase One.
Router(config)#crypto map map client configuration address respond
Deploy the list authen for authentication.
Router(config)#crypto map map client authentication list authen
Deploy the list author for authorization.
Router(config)#crypto map map isakmp authorization list author
And finally attach the dynamic map to our crypto map. There is a sequence number after map,
which is used to rank multiple entries within one crypto map set. The lower the sequence
number, the higher the priority. The ipsec-isakmp command triggers the use of IKE to protect
SA negotiations.
Router(config)#crypto map map 10 ipsec-isakmp dynamic dynmap
The map is now ready to be applied to the router’s outside interface.
Router(config)#interface e0/0
Router(config-if)#crypto map map
Router(config-if)#exit
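The server walk-through ties names defined in one step to references made in another (mypool, myset, authen, author, dynmap and map); a typo in any of them leaves a tunnel that never comes up. This added example (not from the guide or from Cisco) checks a saved configuration for such dangling references, using a sample assembled from the commands above with the guide’s A.B.C.D placeholders kept as they are.

```python
import re

# Constructed sample config assembled from the walk-through's commands above;
# the guide's A.B.C.D address placeholders are kept as they are.
SAMPLE_CONFIG = """
crypto isakmp policy 3
 authentication pre-share
 group 2
 hash md5
 encryption 3des
 lifetime 86400
crypto isakmp client configuration group SALES
 key cisco123
 pool mypool
 domain skynet.com
aaa new-model
aaa authentication login authen local
aaa authorization network author local
username vpnstudent password cisco
ip local pool mypool A.B.C.D A.B.C.D
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
crypto map map client configuration address respond
crypto map map client authentication list authen
crypto map map isakmp authorization list author
crypto map map 10 ipsec-isakmp dynamic dynmap
interface e0/0
 crypto map map
"""

# Each entry: (regex capturing a defined name, regex capturing a reference to it, label).
CHECKS = [
    (r"^ip local pool (\S+)", r"^[ \t]+pool (\S+)", "address pool"),
    (r"^crypto ipsec transform-set (\S+)", r"^[ \t]+set transform-set (\S+)", "transform-set"),
    (r"^aaa authentication login (\S+)", r"^crypto map \S+ client authentication list (\S+)", "authentication list"),
    (r"^aaa authorization network (\S+)", r"^crypto map \S+ isakmp authorization list (\S+)", "authorization list"),
    (r"^crypto dynamic-map (\S+) \d+", r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", "dynamic map"),
    (r"^crypto map (\S+) \d+ ipsec-isakmp", r"^[ \t]+crypto map (\S+)", "crypto map on interface"),
]

def names(pattern: str, config: str) -> set:
    """All names captured by pattern, matching line by line."""
    return set(re.findall(pattern, config, re.MULTILINE))

def dangling_references(config: str) -> list:
    """Return (label, name) pairs that are referenced but never defined."""
    problems = []
    for definer, referer, label in CHECKS:
        for name in sorted(names(referer, config) - names(definer, config)):
            problems.append((label, name))
    # Xauth lists on the crypto map only take effect once AAA is switched on.
    if re.search(r"^crypto map \S+ .* list ", config, re.M) and not re.search(r"^aaa new-model$", config, re.M):
        problems.append(("aaa new-model", "missing"))
    return problems

if __name__ == "__main__":
    print("walk-through config:", dangling_references(SAMPLE_CONFIG) or "consistent")
    broken = SAMPLE_CONFIG.replace("ip local pool mypool", "ip local pool otherpool")
    print("pool renamed:", dangling_references(broken))
```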
VPN client configuration
After installing the Cisco VPN Client:
1. Click the New button. The New Connection Entry wizard opens.
2. Enter a name for the connection in Connection Entry field.
3. Enter IP address of the server in Host field.
4. Click on the Group Authentication radio button and complete the following substeps. The
following entries are always case sensitive.
• Enter a group name, SALES.
• Enter the group password, cisco123.
• Confirm the password, cisco123.
5. Click the Save button and leave the Cisco Systems VPN Client window open.
The network parameters for the VPN Client have been configured and a new VPN private
networking connection entry has been created successfully.
6. Click Connect. The User Authentication window opens and several messages flash by
quickly. Complete the following substeps:
• When prompted for a username, enter vpnstudent.
• When prompted to enter a password, enter cisco.
7. Click OK.
The Authentication window disappears and a VPN lock icon appears in the system tray. The
VPN Client has been successfully launched.
You can monitor the Cisco client by using command prompt.
In command prompt, type ipconfig
Notice the last LAN address. This is a virtual interface created by Cisco VPN client.
Right-click the VPN symbol located in the bottom right corner of your screen. Choose
Statistics. The window opened will show the statistics of your connection.
What’s next
First thing you might want to look at are access-lists. To get the remote connection to work,
you need to punch some holes in the router firewall/access-lists.
For IPSec:
Open UDP port 500 and IP protocols 50 and 51
Router(config)#access-list 110 permit ahp A.B.C.D A.B.C.D any
Router(config)#access-list 110 permit esp A.B.C.D A.B.C.D any
Router(config)#access-list 110 permit udp A.B.C.D A.B.C.D any eq isakmp
For L2TP:
Open UDP port 1701
Router(config)#access-list 111 permit udp A.B.C.D A.B.C.D any eq 1701
For PPTP:
Open TCP port 1723 & IP protocol ID 47(called GRE)
Router(config)#access-list 112 permit tcp A.B.C.D A.B.C.D any eq 1723
Router(config)#access-list 112 permit gre A.B.C.D A.B.C.D any
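Added example, not part of the guide: a small evaluator for access-list entries of the form shown above, with IOS wildcard-mask semantics and the implicit deny at the end of every ACL, so you can verify which of the flows a given packet would be allowed through. The remote subnet 203.0.113.0/24 is an assumption standing in for the guide’s A.B.C.D placeholders.

```python
import ipaddress

# Constructed ACLs in the form the section above uses. The guide's A.B.C.D
# placeholders are replaced by an assumed remote subnet, 203.0.113.0/24.
ACL_TEXT = """
access-list 110 permit ahp 203.0.113.0 0.0.0.255 any
access-list 110 permit esp 203.0.113.0 0.0.0.255 any
access-list 110 permit udp 203.0.113.0 0.0.0.255 any eq isakmp
access-list 112 permit tcp 203.0.113.0 0.0.0.255 any eq 1723
access-list 112 permit gre 203.0.113.0 0.0.0.255 any
"""

# IP protocol numbers behind the IOS keywords; "ip" matches any protocol.
PROTO = {"ip": None, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}
PORT_NAMES = {"isakmp": 500}

def parse_addr(tokens):
    """Consume 'any' or 'ADDR WILDCARD' from tokens; return (addr, wildcard) as ints."""
    if tokens[0] == "any":
        del tokens[0]
        return 0, 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    del tokens[:2]
    return addr, wild

def parse_ace(line):
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' entry."""
    tokens = line.split()
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = parse_addr(rest)
    dst = parse_addr(rest)
    port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": PROTO[proto], "src": src, "dst": dst, "dport": port}

def parse_acl(text, number):
    """Entries of one numbered ACL, in the order IOS evaluates them."""
    return [parse_ace(l) for l in text.splitlines()
            if l.startswith("access-list ") and l.split()[1] == str(number)]

def wildcard_match(addr, rule):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    base, wild = rule
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acl:
        if ace["proto"] is not None and ace["proto"] != proto:
            continue
        if not (wildcard_match(s, ace["src"]) and wildcard_match(d, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT, 110)
    for proto, port in [(17, 500), (50, None), (51, None), (17, 4500)]:
        print(proto, port, evaluate(acl, proto, "203.0.113.7", "198.51.100.1", port))
```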
In conclusion
This guide described a VPN connection that I have been able to successfully implement in a
testing environment. The whole basis of this configuration was pre-shared keys.
In my opinion, when the connection is based on pre-shared keys, they are also the weakest
link. For a more secure connection, you might want to deploy certificates for peer
authentication.
Sources
- Cisco Fundamentals of Network Security: Router v1.2
- Internet