Networking, Security & Cloud Knowledge


Wednesday, October 12, 2022

VPN:

 

IPSEC

·       It is a protocol suite based on IETF (Internet Engineering Task Force) standards, used together to set up encrypted connections between devices.

·       Used to connect private networks over the internet = VPN (Virtual Private Network)

·       Operates in two modes: Transport mode & Tunnel mode

 

IPSec provides:

ü  confidentiality,

ü  peer authentication,

ü  data integrity,

ü  replay protection and

ü  access control.

 

 

Problems with IPSec: it reduces network throughput by over 80%, and it has issues with NAT; to overcome the NAT issue we use NAT-Traversal (NAT-T).

 

ESP & AH

Sub-protocols of IPSec

·       ESP (Encapsulating Security Payload): provides the encryption service for IPSec / IP

o   Confidentiality, limited non-repudiation (since it doesn't encrypt the IP header)

o   Encrypts the IP payload (data), not the IP header.

o   End-to-end security (client to server, or site to site)

o   ESP can be used in tunnel or transport mode

§  Tunnel mode: between two gateways. It encrypts the whole original packet: the IP header and all data above it.

§  In transport mode it encrypts only the IP payload and not the header. Both sides should be hosts.

o   NIDS (Network Intrusion Detection System) can monitor traffic before it enters the tunnel; in transport mode we use HIDS (Host-based Intrusion Detection System)

o   ESP can be used with or without AH; in tunnel mode we use ESP with AH, and without AH in transport mode.

·       AH (Authentication Header): provides connectionless integrity

o   Data integrity and source integrity combine into non-repudiation, where the sender of a packet cannot deny having sent it.

o   AH doesn't provide confidentiality

o   Only used in tunnel mode

o   Issue with AH: it authenticates the IP header too, so a device that rewrites the header in transit (e.g. NAT) breaks the integrity check

 

 

 

ESP provides encryption for the data from layer 4 (L4) up to layer 7 (L7)

 

AH adds a new IP header

 

 

Security = encryption + integrity + authentication

Encryption uses keys (AES / 3DES)

Integrity uses hashes (Cisco supports SHA and MD5)

 

ISAKMP

The entire security lies in creating and exchanging the key, using one of the methods below.

1.     Use a public shared key and send it to the other (3rd) party

2.     Use a static key

3.     Key exchange algorithm (public / private key pair)

 

The key is exchanged over ISAKMP (Internet Security Association and Key Management Protocol)

·       It is a framework to create Security Associations (SAs) and exchange keys.

·       Used to carry messages for IKE

·       Used for negotiating, establishing, modifying, and deleting security associations (SAs) and related parameters.

·       Used for denial-of-service protection

·       ISAKMP doesn't exchange the key itself; the actual key exchange is done using

o   Pre-shared keys through IKE

o   KINK (Kerberized Internet Negotiation of Keys), where a 3rd-party KDC (Key Distribution Center) distributes the keys between the two endpoints.

o   IPSECKEY Resource Record (RR), where the public keys of domains are published in DNS. It relies on DNSSEC (DNS Security).

 

 

SA

§  Security Associations (SAs) are the session parameters for AH and ESP

§  SPI (Security Parameter Index): a 32-bit value which identifies the SA

§  An SA is simplex, so we must create two SAs for ESP and two SAs for AH, one in each direction (inbound and outbound)
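As an added illustration (not part of the original notes), the following Python code parses the fixed ESP header fields mentioned above (the 32-bit SPI that selects the inbound SA, followed by the 32-bit sequence number) and applies the sliding-window anti-replay check an inbound SA performs, which is how IPSec delivers the "replay protection" listed earlier. The SPI values and packets are constructed for the example.

```python
import struct

# ESP header (RFC 4303): 32-bit SPI, then 32-bit sequence number; the encrypted payload is irrelevant here.
ESP_HDR = struct.Struct("!II")

def parse_esp_header(packet: bytes):
    if len(packet) < ESP_HDR.size:
        raise ValueError("packet too short for an ESP header")
    return ESP_HDR.unpack_from(packet, 0)        # (spi, seq)

class InboundSA:
    # One simplex inbound SA, keyed by SPI, with a 64-packet anti-replay window.
    def __init__(self, spi: int, window: int = 64):
        self.spi, self.window = spi, window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                 # first valid sequence number on the wire is 1
        if seq > self.highest:           # new high-water mark: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window:
            return False                 # older than the window: stale, drop
        if self.bitmap & (1 << offset):
            return False                 # already seen: replay, drop
        self.bitmap |= 1 << offset       # late but new: accept and remember
        return True

def process(sad: dict, packets: list):
    # Run each packet against the SA database (SPI -> InboundSA) and return verdicts.
    results = []
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        sa = sad.get(spi)
        if sa is None:
            results.append((spi, seq, "drop: unknown SPI"))
        elif sa.check_and_update(seq):
            results.append((spi, seq, "accept"))
        else:
            results.append((spi, seq, "drop: replay or stale"))
    return results

# Constructed sample traffic (not a capture): SPI 0x1000 is the negotiated inbound SA,
# sequence numbers 3 and 2 are replayed, and SPI 0x2000 was never negotiated.
SAMPLE = [ESP_HDR.pack(0x1000, s) + b"\x00" * 8 for s in (1, 2, 3, 3, 2, 10, 5)]
SAMPLE.append(ESP_HDR.pack(0x2000, 1) + b"\x00" * 8)
```

Running `process({0x1000: InboundSA(0x1000)}, SAMPLE)` accepts 1, 2, 3, 10 and the late-but-new 5, drops the two replays, and drops the packet whose SPI has no SA.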

 

 

 

IKE (Internet Key Exchange)

§  IKE is used to set up the security associations

§  Based on X.509 digital certificates for authentication

§  Keys can be pre-shared or shared through DNS

§  UDP 500, and UDP 4500 when NAT-Traversal is used

§  There are two phases in IKE

o   Phase I:

§  ISAKMP SA, using Diffie-Hellman (DH) for the key exchange.

§  It is management traffic to establish a policy between the IPSec devices

§  Bidirectional (a single security association for both sides)

o   Phase II:

§  IPSec SAs are established

§  For data protection

§  Simplex / unidirectional (two SAs, one for each direction)

o   The highest (strongest) protocol offered will be used by IKE. E.g., DES (Data Encryption Standard) will be superseded by AES (Advanced Encryption Standard)

 

Phase 1 = ISAKMP SA = Mgmt. (1, bidirectional)

Phase 2 = IPSec SA = Data (2, unidirectional)

 


 

IKE Modes

§  Main mode (3 x two-way exchanges)

o   1st exchange: Proposal of algorithm and hash

o   2nd exchange: DH to generate the shared key

o   3rd exchange: Peer identity (IP, FQDN)

§  Aggressive mode (fewer exchanges), faster than main mode

§  Quick mode: used in Phase II to build IPSec SA

 

 

IKE Version

IKEv1

§  9 / 6 messages, depending on the mode (main or aggressive).

§  NAT will not work; we must enable NAT-Traversal

§  DPD (Dead Peer Detection) needs to be enabled manually

§  Doesn't support EAP authentication

§  Supports symmetric authentication only (same method / pre-shared key on both sides)

 

 

IKEv2

§  Less bandwidth and fewer message exchanges

§  The following components are built in:

o   ISAKMP, AH/ESP, IPsec DOI, DPD, NAT-T, mode config

o   Uses a single phase

o   Has only two kinds of messages: mandatory and optional

§  Supports EAP (Extensible Authentication Protocol) along with pre-shared key and certificate authentication

Note: EAP allows the use of LAN authentication methods, like AD or ISE integration

§  Supports asymmetric authentication methods

Note: Asymmetric authentication: different pre-shared keys on each side, or different methods, like pre-shared key on one side and certificate on the other

§  Supports MOBIKE (Mobility and Multihoming protocol): instant reconnection on a network change (e.g., IP change when we move within Wi-Fi coverage)

Note: MOBIKE e.g., the VPN doesn't drop when we move from Wi-Fi to 4G or to a different network.

§  IKEv2 supports stronger encryption but is still faster

§  Supports PFS (Perfect Forward Secrecy)

Note: PFS feature: forces the use of different keys in Phase I and Phase II (re-keying mechanism)

§  Facility to negotiate multiple sets of selectors

For IKEv1, interesting traffic is defined using an ACL and is limited to IP and port number.

§  Better reliability through improved sequence numbers and acknowledgments.

 

 

 


 

ISAKMP SA States for IKE Main Mode SA Negotiation.

·       MM_NO_STATE: the ISAKMP SA has been created but nothing else has happened yet. It is "larval" at this state; there is no state.

·       MM_SA_SETUP: the peers have agreed on the parameters for the ISAKMP SA.

·       MM_KEY_EXCH: the peers have exchanged DH public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.

·       MM_KEY_AUTH: the ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE and the Quick Mode exchange begins.

 

ISAKMP SA States for IKE Aggressive Mode SA Negotiation.

·       AG_NO_STATE: the ISAKMP SA has been created, but nothing else has happened yet. There is no state.

·       AG_INIT_EXCH: the peers have done the first exchange in Aggressive Mode, but the SA is not authenticated.

·       AG_AUTH: the ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE.
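The following Python snippet is an added example (not from the original notes): it parses the session table printed by `show crypto isakmp sa` and maps each session's state to the meaning given above, flagging negotiations that never reach QM_IDLE. The router output is constructed to follow the IOS column layout, and the hints are the usual first checks for a session stuck in that state, not an exhaustive diagnosis.

```python
import re

# IKEv1 ISAKMP SA states as described in the notes above, with the usual first
# thing to check when a session sits in that state instead of reaching QM_IDLE.
STATES = {
    "MM_NO_STATE":  "SA created, no exchange completed: peer unreachable or phase 1 policy (encr/hash/group) mismatch",
    "MM_SA_SETUP":  "parameters agreed, waiting for the DH exchange",
    "MM_KEY_EXCH":  "DH done but peer not authenticated: check pre-shared key / identity",
    "MM_KEY_AUTH":  "authenticated, transitioning to quick mode",
    "AG_NO_STATE":  "SA created, no exchange completed: peer unreachable or phase 1 policy mismatch",
    "AG_INIT_EXCH": "first aggressive-mode exchange done but peer not authenticated: check pre-shared key",
    "AG_AUTH":      "authenticated, transitioning to quick mode",
    "QM_IDLE":      "phase 1 complete, phase 2 (IPsec) SAs can be negotiated",
}
HEALTHY = {"QM_IDLE"}

# One table row: dst, src, state, conn-id, status (status may carry "(deleted)").
ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(.+?)\s*$")

def parse_isakmp_sa(output: str):
    """Return one dict per ISAKMP SA row; banner and header lines are skipped."""
    sessions = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(3) in STATES:
            dst, src, state, conn_id, status = m.groups()
            sessions.append({"dst": dst, "src": src, "state": state,
                             "conn_id": int(conn_id), "status": status})
    return sessions

def triage(sessions):
    """Return (peer, verdict, hint) per session; verdict is 'ok' or 'stuck'."""
    report = []
    for s in sessions:
        verdict = "ok" if s["state"] in HEALTHY and "deleted" not in s["status"] else "stuck"
        report.append((s["dst"], verdict, STATES[s["state"]]))
    return report

# Constructed sample output (not from a real router) in the IOS column layout.
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.2.2     192.168.1.1     QM_IDLE           1001 ACTIVE
192.168.3.2     192.168.1.1     MM_KEY_EXCH       1002 ACTIVE
192.168.4.2     192.168.1.1     MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""
```

`triage(parse_isakmp_sa(SAMPLE_OUTPUT))` reports the first peer as ok and the other two as stuck, with the MM_KEY_EXCH peer pointing at a pre-shared key or identity problem.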

 

 

 

DMVPN

 

DMVPN = mGRE + IPSec + NHRP

 

GRE (Generic Routing Encapsulation)

·       Simple, non-negotiated tunnel

·       IP protocol number 47

·       4-to-8-byte GRE header + new IP header

·       P2P GRE, P2MP mGRE

·       To configure P2P GRE:

o   Tunnel IP

o   Tunnel source

o   Tunnel destination

o   Key

·       To configure mGRE:

o   IP address

o   Tunnel source

o   Tunnel key

o   NHRP (instead of tunnel destination)

·       NBMA address (Non-Broadcast Multi-Access address) is the WAN IP.

 

 

NHRP (RFC 2332)

·       Allows peers to have dynamic IPs

·       L2 protocol

·       Maps tunnel / VPN addresses to NBMA addresses

·       Multicast traffic is sent to specific remote peers.

·       NHRP config

o   ip nhrp network-id <id>

o   ip nhrp map <vpn-tunnel-ip> <nbma-address>

o   ip nhrp map multicast <nbma-address>

Or

ip nhrp map multicast dynamic

o   ip nhrp nhs <vpn-tunnel-ip>

 

·       NHRP cache population

o   Manual / static

o   Registration (hub learns the spokes)

o   Resolution

How DMVPN works:

·       Spoke routers report their (local) IP to the hub and join the multipoint GRE network.

·       When a spoke wants to talk to another spoke, it sends an NHRP resolution request to the hub.

 

DMVPN Advantages:

·       Doesn't need static IPs

·       Scalable solution

·       Devices build up tunnels dynamically

 

 

 

LAB 1: SITE-to-SITE VPN with IKEv1

Topology:


Steps to create an IKEv1 site-to-site VPN tunnel:

1.     Create pre-shared key

2.     Create crypto isakmp policy (authentication, encryption, hash, and DH group)

3.     Create IPsec transform-set

4.     Create ACL to define interesting traffic

5.     Create crypto map (set peer, transform-set, ACL for interesting traffic)

6.     Create tunnel (source, destination, and mode gre ip)

7.     Apply crypto map to WAN interface

 

 

R1 Config

crypto isakmp key cisco123 address 192.168.2.2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
ip access-list extended GRE
 permit ip any any
!
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set TS
 match address GRE
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip mtu 1400
 tunnel source Ethernet1/0
 tunnel destination 192.168.2.2
!
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
 crypto map CRYPTOMAP

 

 

R1# show crypto isakmp key
R1# show crypto isakmp policy
R1# show crypto isakmp sa
R1# show crypto isakmp peers
R1# show crypto ipsec transform-set
R1# show crypto ipsec sa

R3 will have the identical, mirrored config.

 

 

 

 

LAB 2: SITE-to-SITE VPN with IKEv2

 





 

Steps to create an IKEv2 site-to-site VPN:

Step 1: Create IKEv2 proposal (encryption, integrity and DH group)

Step 2: Create IKEv2 policy (call the proposal)

Step 3: Create IKEv2 keyring (peer name, address, and local and remote pre-shared key)

Step 4: Create IKEv2 profile (match local and remote identity, local and remote authentication method, call the keyring)

Step 5: Create IPsec transform-set

Step 6: ACL for interesting traffic

Step 7: Create crypto map (transform-set, profile, peer, DH group, ACL)

Step 8: Apply crypto map to WAN interface

Step 9: Create tunnel interface

 

 

R1#

crypto ikev2 proposal Pro1
 encryption aes-cbc-128
 integrity md5
 group 2
!
crypto ikev2 policy Policy1
 proposal Pro1
!
crypto ikev2 keyring K-Ring
 peer R3
  address 192.168.2.2
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
 !
crypto ikev2 profile Profile1
 match identity remote address 192.168.2.2 255.255.255.255
 identity local address 192.168.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local K-Ring
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
 mode tunnel
!
ip access-list extended GRE
 permit ip any any
!
crypto map CMAP 1 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set TSET
 set pfs group2
 set ikev2-profile Profile1
 match address GRE
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source Ethernet1/1
 tunnel destination 192.168.2.2
 tunnel mode gre ip
!
interface Ethernet1/1
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 duplex full
 crypto map CMAP
end

 

debug crypto ikev2 packet

debug crypto ikev2 internal

show crypto ikev2 sa detailed

show crypto ipsec sa

show crypto session

 

R1#sh cry ikev2 sa

 

 

R1#sh crypto ikev2 session
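As an added example (not part of the original lab), this Python script audits the kind of IOS configuration shown in LAB 1 and LAB 2 for the algorithm choices the notes discuss: it walks `crypto isakmp policy`, `crypto ikev2 proposal` and `crypto ipsec transform-set` statements and reports 3DES, MD5 and DH group 2, the values the two labs negotiate, as legacy choices. The config text is a constructed abridgement of the lab snippets, and the weak-list is this example's own classification based on common guidance, not a Cisco list.

```python
import re

# Algorithm keywords as they appear in IOS crypto config, and why each is flagged.
WEAK = {
    "3des": "3DES: 64-bit block cipher, deprecated; use AES",
    "esp-3des": "3DES: 64-bit block cipher, deprecated; use AES",
    "des": "DES: 56-bit key, broken; use AES",
    "md5": "MD5: collision-prone hash; use SHA-256 or better",
    "esp-md5-hmac": "HMAC-MD5: legacy integrity; use esp-sha256-hmac or better",
    "group 2": "DH group 2 (1024-bit): below current minimums; use group 14 or higher",
}
# Top-level statements whose block (or single line) is inspected.
BLOCK = re.compile(r"^crypto (isakmp policy|ikev2 proposal|ipsec transform-set)\b.*")

def audit_crypto_config(config: str):
    """Return a list of (block header, offending line, reason) for each weak choice."""
    findings, header = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                 # a new top-level statement
            header = line if BLOCK.match(line) else None
            if header is None:
                continue
        elif header is None:                         # indented line of an uninteresting block
            continue
        # Whole-word match so "group 2" does not also trip on "group 20" or "group 24".
        for key, reason in WEAK.items():
            if re.search(rf"(?<![\w-]){re.escape(key)}(?![\w-])", line.strip().lower()):
                findings.append((header, line.strip(), reason))
    return findings

# Constructed config, abridged from the LAB 1, LAB 2 and LAB 4 snippets on this page.
SAMPLE_CONFIG = """\
crypto isakmp policy 2
 encr 3des
 hash md5
 group 2
crypto ikev2 proposal Pro1
 encryption aes-cbc-128
 integrity md5
 group 2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 15
"""
```

`audit_crypto_config(SAMPLE_CONFIG)` returns seven findings against the first three blocks and none against the AES-256 / SHA-512 / group 15 proposal used in LAB 4.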


 

 

 

 

 

 

LAB 3: DMVPN with IKEv1




Steps to create an IKEv1 DMVPN tunnel:

1.     Crypto isakmp pre-shared key

2.     Crypto isakmp policy (authentication, encryption, hash and DH group)

3.     Transform set

4.     IPsec profile (transform set)

5.     ACL for interesting traffic

6.     Crypto map

7.     Apply crypto map to WAN interface.

 

R1 Configuration for Hub
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto isakmp policy 10
 authentication pre-share
 group 2
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto ipsec profile MY_PROFILE
 set transform-set TSET
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.1 255.255.255.0
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 5
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel key 6
 tunnel protection ipsec profile MY_PROFILE
!
router eigrp 1
 network 10.10.10.0 0.0.0.255
 ! the tunnel subnet must also be advertised, or EIGRP never peers over the mGRE tunnel
 network 172.16.1.0 0.0.0.255
 no auto-summary
 exit

 

Configuration on spoke R2
!
crypto isakmp policy 10
 authentication pre-share
 group 2
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto ipsec profile MY_PROFILE
 set transform-set TSET
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication cisco123
 ip nhrp map multicast 192.168.1.1
 ip nhrp nhs 172.16.1.1
 ip nhrp map 172.16.1.1 192.168.1.1
 ip nhrp network-id 5
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel key 6
 ! the hub protects its tunnel, so the spoke must too or its clear-text GRE is dropped
 tunnel protection ipsec profile MY_PROFILE
!
router eigrp 1
 network 20.20.20.0 0.0.0.255
 network 172.16.1.0 0.0.0.255

Note: R3 will have the same configuration as R1, with an updated tunnel IP.

# show ip nhrp detail

# show crypto ipsec sa

 

 

LAB 4: DMVPN with IKEv2


 

Steps for IKEv2 DMVPN:

1.     IKEv2 proposal (define encryption, integrity, and DH group)

2.     IKEv2 policy (attach the proposal to the policy)

3.     IKEv2 keyring (peer, local and remote key)

4.     IKEv2 profile (attach the keyring)

5.     IPsec profile (call the IKEv2 profile)

6.     Create tunnel: apply the IPsec profile using the tunnel protection ipsec profile command

 

 

Topology:

 

 

 

 

R1 Hub Config

crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 15
!
crypto ikev2 policy ikev2-policy
 proposal ikev2-proposal
!
crypto ikev2 keyring K-Ring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
 !
crypto ikev2 profile ikev2-profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local K-Ring
!
crypto ipsec profile ipsec-profile
 set ikev2-profile ikev2-profile
!
interface Ethernet1/1
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 duplex full
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile ipsec-profile
end

 

 

 

 

R2 Spoke Config

crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256
 integrity sha512
 group 15
!
crypto ikev2 policy ikev2-policy
 proposal ikev2-proposal
!
crypto ikev2 keyring K-Ring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
 !
crypto ikev2 profile ikev2-profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local K-Ring
!
crypto ipsec profile ipsec-profile
 set identity ANY
 set ikev2-profile ikev2-profile
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.2 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco123
 ip nhrp map multicast 192.168.1.1
 ip nhrp map 172.16.1.1 192.168.1.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.1.1
 tunnel source Ethernet1/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile ipsec-profile
!
interface Ethernet1/1
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 duplex full
end

 

 

 

R2# show crypto ikev2 session

R2# show crypto ikev2 sa