Remote IPSec


Having covered site to site VPN, I feel now it’s time to get a notch higher and make our connection more secure and more flexible.

The need to give individuals on the move a connection to their corporate network and be able to access resources from anywhere they are in the world has become something of paramount importance.

In considering the best way to do this, security is of great importance for this connection. In our previous article, we covered remote VPN using a PPTP/VPDN server. That method had its pros and cons: it is a less secure protocol, while its advantages were the ease of setting it up and the low cost, since a VPN client already exists on every machine running the Windows operating system.

To establish a VPN connection over the insecure internet, we have the options below, each with a different level of security:
  •  PPTP/ VPDN Server
  •  IPSec
  •  SSL / Web VPN; Clientless SSL and client SSL VPN

Remote IPSec VPN:

In Remote IPSec VPN, a secure tunnel is established between a router/ASA or PIX firewall and a VPN client. This establishes a full tunnel with the capability to access any type of resource available at the HQ office, provided the user has not been blocked from such access. Resources may include print services, file services, mail services etc.
For this configuration I will be using the network below:


Requirements:
  •  A Cisco router running an advanced security IOS image.
  •  Cisco VPN client.
  •  A routable IP on the WAN interface of the router/security device; ASA/PIX firewall.
  •  An active internet link for remote user.


Split tunneling: a VPN feature allowing VPN users to connect to their corporate network via the VPN while at the same time being able to access the internet directly. It is not advisable to have split tunneling enabled where security is a paramount consideration. Where it is to be enabled, an access-list should be configured to define exactly which traffic goes through the tunnel.

Steps:
Enable AAA for user authentication and group authorization;
R2(config)#aaa new-model
R2(config)#aaa authentication login UserAuth local
R2(config)#aaa authorization network GroupAuth local

Create users and passwords for local authentication of IPSec users. Every time an IPSec client wants to initiate a connection to the corporate office, the username and password will be asked for.
R2(config)#username user1 password 0 cisco123
R2(config)#username jane password 0 jane123
R2(config)#username admin privilege 15 password 0 administarator123     // "password 15" is not valid IOS syntax; 15 is the privilege level

Configure the ISAKMP policy for IKE phase 1 negotiation (3DES, MD5 and DH group 2, as used below, are considered weak by current standards; prefer stronger algorithms where the client supports them):
R2(config)#crypto isakmp policy 4
R2(config-isakmp)#enc 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#exit

Create a VPN group and specify the pre-shared key for this group, the DNS server to be assigned to VPN clients, the address pool, and the access-list that provides split tunneling at the client end, allowing simultaneous access to VPN traffic and the internet. Also note that it is possible to set a maximum number of simultaneous connections allowed for the group.
R2(config)#crypto isakmp client configuration group MyVPNUSERS
R2(config-isakmp-group)#key cisco123
R2(config-isakmp-group)#dns 41.72.175.3
R2(config-isakmp-group)#pool VPN-POOL
R2(config-isakmp-group)#acl VPNacl                           // split tunnel access-list
R2(config-isakmp-group)#exit

Configure IKE phase 2 for actual data encryption;
R2(config)#crypto ipsec transform-set Myset esp-3des esp-sha-hmac
R2(cfg-crypto-trans)#exit

Create a dynamic map and apply the transform-set;
R2(config)#crypto dynamic-map DMAP 60
R2(config-crypto-map)#set transform-set Myset
R2(config-crypto-map)#reverse-route                          // reverse-route injection: static routes to connected clients are added automatically
R2(config-crypto-map)#exit

Create an actual crypto map and apply the AAA lists configured earlier;
R2(config)#crypto map VPN-MAP client authentication list UserAuth
R2(config)#crypto map VPN-MAP isakmp authorization list GroupAuth
R2(config)#crypto map VPN-MAP client configuration address respond
R2(config)#crypto map VPN-MAP 60 ipsec-isakmp dynamic DMAP

Create a pool of IP addresses to be assigned to VPN clients (the name must match the pool referenced in the VPN group above):
R2(config)#ip local pool VPN-POOL 10.1.74.5 10.1.74.250

Define the interesting traffic that needs to be encrypted through the tunnel; any other traffic (internet traffic) is exempted from going through the tunnel. NOTE: the same should be the case for our NAT; our interesting traffic must be exempted from the addresses being NAT'ed, otherwise it is translated on the way out and never enters the tunnel.
R2(config)#ip access-list extended VPNacl
R2(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255

Configure NAT, required to translate the inside IP addresses to the outside interface address for internet access. The access-list number referenced in the NAT statement must be the one that is defined, and its first entry denies (exempts) the VPN-bound traffic:
R2(config)#ip nat inside source list 103 interface fa4 overload
R2(config)#access-list 103 deny ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
R2(config)#access-list 103 permit ip any any

Apply the crypto map to the WAN (outbound) interface:

R2(config)#int fa4
R2(config-if)#crypto map VPN-MAP
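The router configuration above is a chain of cross-references (AAA lists, pool, split-tunnel ACL, NAT ACL), and a single mismatched name or number silently breaks the VPN. The following Python checker is an added example, not part of the original post or of Cisco IOS: it scans a constructed running-config (mirroring the R2 configuration above, with a hypothetical SAMPLE_CONFIG string) and reports any reference that does not resolve, as well as any interesting-traffic rule that the NAT access-list fails to exempt.

```python
import re

# Constructed sample (not copied from the post verbatim): the R2 configuration
# from this post as it would appear in "show running-config", with the NAT ACL
# number made consistent with the "ip nat inside source list" statement.
SAMPLE_CONFIG = """\
aaa authentication login UserAuth local
aaa authorization network GroupAuth local
crypto isakmp client configuration group MyVPNUSERS
 pool VPN-POOL
 acl VPNacl
crypto map VPN-MAP client authentication list UserAuth
crypto map VPN-MAP isakmp authorization list GroupAuth
ip local pool VPN-POOL 10.1.74.5 10.1.74.250
ip access-list extended VPNacl
 permit ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
ip nat inside source list 103 interface fa4 overload
access-list 103 deny ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
access-list 103 permit ip any any
"""

def _find(pattern, config):
    return re.findall(pattern, config, flags=re.M)

# (pattern capturing a referenced name, pattern capturing a defined name, description)
REFERENCES = [
    (r"^crypto map \S+ client authentication list (\S+)", r"^aaa authentication login (\S+)", "AAA login list"),
    (r"^crypto map \S+ isakmp authorization list (\S+)", r"^aaa authorization network (\S+)", "AAA authorization list"),
    (r"^ pool (\S+)", r"^ip local pool (\S+)", "local pool"),
    (r"^ acl (\S+)", r"^ip access-list extended (\S+)", "split-tunnel ACL"),
    (r"^ip nat inside source list (\d+)", r"^access-list (\d+) ", "NAT ACL"),
]

def check_vpn_config(config):
    """Return a list of findings; an empty list means every reference resolves
    and the NAT ACL exempts all split-tunnel (interesting) traffic."""
    findings = []
    for ref_re, def_re, what in REFERENCES:
        defined = set(_find(def_re, config))
        for name in _find(ref_re, config):
            if name not in defined:
                findings.append(f"{what} {name} is referenced but never defined")
    # VPN-bound traffic must be denied in the NAT ACL (the post's NOTE); otherwise it
    # is translated on the way out and never matches the crypto access-list.
    split_rules = _find(r"^ permit ip (\S+ \S+ \S+ \S+)", config)
    for nat_list in _find(r"^ip nat inside source list (\d+)", config):
        denies = _find(rf"^access-list {nat_list} deny ip (\S+ \S+ \S+ \S+)", config)
        for rule in split_rules:
            if rule not in denies:
                findings.append(f"access-list {nat_list} does not exempt {rule} from NAT")
    return findings
```

Run `check_vpn_config()` over the text of a saved `show running-config`; the parsing is deliberately simple and assumes the one-space indentation IOS uses for group and ACL sub-entries.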

CONFIGURE VPN CLIENT:

Launch your installed VPN client and click on “Create New VPN Connection Entry”. Give your connection a name and fill in the details shown below in brown, matching what was configured in the crypto VPN group on the corporate router. Then save.



Select the connection you would like to connect to, and then click on connect.


You will be prompted for a username and password.


The VPN client establishes a secure connection with the router at the corporate office.



You can now access resources in your corporate office as though your computer were directly connected to the network switch of the corporate office network.

            END.
