Overview
This chapter will show you how to set up an IPSec remote access server on an appliance using the Cisco Easy VPN feature. “Easy VPN” is a marketing term coined by Cisco that describes the setup process for remote access users: it’s a fairly easy and simple process for a user to get a remote access IPSec tunnel up and running. The topics covered previously in Chapter 15 on ISAKMP Phase 1 apply to this chapter, as do some of the topics covered on site-to-site connections in Chapter 16. The topics covered in this chapter include
- Preparing your appliance as an Easy VPN server to allow IPSec remote access traffic
- Configuring parameters for the ISAKMP Phase 1 management connection, including Phase 1 policies, group policies, and tunnel groups
- Configuring parameters for the ISAKMP Phase 2 data connections, including dynamic and static crypto maps
- Verifying your remote access connectivity
- Viewing an example configuration of an Easy VPN server
- Load balancing remote access user connections by setting up a cluster of Easy VPN servers
Easy VPN Features
Even though Easy VPN supports the IPSec standards, Cisco has added many of its own features, and it places restrictions on the IPSec standards that are supported. The following two sections will discuss these items.
Supported IPSec Standards
The following are items Cisco supports that are part of the IPSec standard:
- Encryption algorithms DES, 3DES, and AES (NULL is supported for data connections)
- HMAC functions MD5 and SHA
- Device authentication methods RSA signatures (certificates) and pre-shared keys
- Diffie-Hellman (DH) key groups 2, 5, and 7
- Data connections ESP in tunnel mode, LZS compression, and PFS
- User authentication XAUTHv6
- IKE Mode Config v6 Assigning internal IP addresses to remotes
As you can see from the preceding list, not all IPSec standards are supported—AH, transport mode, and the DH key group 1, to name a few.
Cisco Additional Features
Cisco has added many, many features to enhance the security, administration, and flexibility of IPSec remote access. Some of the features of Easy VPN include the following:
- Centralized policies Policies are pushed to remotes, ensuring a uniform security policy that users can’t override.
- Group policy control You control what attributes are assigned to a user or group of users, like IP addresses, DNS and WINS server addresses, and split tunneling policies.
- Control of split tunneling Split tunneling controls what traffic is or isn’t protected by the tunnel. By default the Easy VPN server forces the client to tunnel all user traffic to the server; you can ease this restriction and define split tunneling policies for your users, which your server downloads to the remote and which the remote enforces.
- Dead Peer Detection (DPD) DPD allows the servers and remotes to detect when the other peer is no longer there, like when a remote has its dialup connection disconnected or is rebooted. This allows the Easy VPN devices to remove the tunnel and, for remotes, try a backup server.
- Initial contact If a remote becomes unexpectedly disconnected from a server and attempts to reestablish a connection to the server, the server will remove the old tunnel and allow a new one to be built.
These are just some of the features of Easy VPN. This and the next chapter will expand upon these features.
Easy VPN Connectivity
Unlike site-to-site connections that go through three steps in Phase 1 to build a management connection (negotiate the policies, DH, and device authentication), with Easy VPN, peers can go through a total of seven steps. Here are the seven steps Easy VPN can take when setting up the management connection during Phase 1:
- Step 1 The remote initiates the connection. During this initiation, the remote is configured for either pre-shared keys or certificates for authentication. If pre-shared keys are used, then Phase 1 will use aggressive mode; if certificates are used, then Phase 1 will use main mode.
- Step 2 The remote sends a list of preconfigured Phase 1 policies. These are defined in the Easy VPN remote software by Cisco, which the user and administrator have no control over. This information includes which DH key group, authentication method (pre-shared or certificates), HMAC functions, and encryption algorithms to use. This process reduces the configuration on the remote since users don’t have to worry about the policies; however, on the server, you must have at least one policy that matches. The server compares them in the order sent with the numerical order configured on the appliance. Therefore, the most secure policy on the appliance should have the lowest priority number assigned to it.
- Step 3 Diffie-Hellman (DH) is performed. The remote generates the keys for the encryption and HMAC function, protects them, and sends them to the server.
- Step 4 The two devices authenticate each other based on the authentication method configured/negotiated—pre-shared keys or certificates.
- Step 5 The Easy VPN server performs XAUTH (user authentication). This is a second level of authentication, since the pre-shared key or certificate is stored on the remote, which can present a security issue. This step is optional, but highly recommended—if someone steals a user’s laptop, for instance, the thief couldn’t bring up the tunnel unless he knew the user’s username and password. The Easy VPN server can authenticate the user by using the server’s local database or can forward the authentication information to an AAA server for authentication.
- Step 6 The server uses IKE Client or Mode Config to download policy and configuration information to the remote. The IPSec standard only defines how to assign addressing information to the remote. Cisco supports many other policy and configuration parameters that you can optionally assign to the remote.
- Step 7 In the last step of Phase 1, the Reverse Route Injection (RRI) process can optionally take place. This is a Cisco-proprietary feature. With RRI, the server creates a static route for the internal IP address (a host route) that was assigned to the remote. This can be advertised by the server to internal routers and devices so that they know which Easy VPN server a particular remote is connected to.
| Note | |
Remote Access Verification
This section will discuss how to verify remote access connectivity to your appliance when it is acting as an Easy VPN Server. The commands I discussed in Chapter 16 also apply here (show crypto isakmp sa, show crypto ipsec sa, debug crypto isakmp, and so on); however, I’ll cover some additional ones in this chapter.
Viewing Remote Access Connections
To view the remote access connections terminated on your appliance, use the following commands:
ciscoasa# show vpn-sessiondb summary
ciscoasa# show vpn-sessiondb [detail] [full] {remote | l2l |
index indexnumber | webvpn | email-proxy}
[filter {name username | ipaddress IP_addr |
a-ipaddress IP_addr | p-ipaddress IP_addr |
tunnel-group group_name | protocol protocol_name |
encryption encryption_algorithm}] [sort {name |
ipaddress | a-ipaddress | p-ipaddress |
tunnel-group | protocol | encryption}] These commands can be used for all remote access connections: IPSec, L2TP/IPSec, and WebVPN. With the second command, you can narrow down what connections you want to see, making it easier to find a particular connection.
Here is an example of the session summary output from the preceding command:
ciscoasa# show vpn-sessiondb summary
Active Sessions: Session Information:
IPSec LAN-to-LAN : 0 Peak Concurrent : 0
IPSec Remote Access : 0 IPSec Limit : 750
WebVPN : 0 WebVPN Limit : 500
SSL VPN Client (SVC) : 0 Cumulative Sessions : 0
Email Proxy : 0
Total Active Sessions : 0 Percent Session Load : 0%
VPN LB Mgmt Sessions : 0
<--output omitted--> In the preceding example, you can see that there are no active sessions as well as see the total VPN connection limits on the appliance.
Here’s an example of displaying one connection:
ciscoasa# show vpn-sessiondb detail index 1
Session Type: Remote Detailed
Username : dealr
Index : 1
Assigned IP : 172.16.254.5 Public IP : 201.1.1.1
Protocol : IPSec Encryption : AES128
Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 604533
Client Type : WinNT Client Ver : 4.6.00.0049
Tunnel Group : administrator
Login Time : 15:22:46 EDT Tue May 10 2005
Duration : 7h:02m:03s
Filter Name :
NAC Result : Accepted
Posture Token: Healthy
VM Result : Static
VLAN : 10
IKE Sessions: 1 IPSec Sessions: 1 NAC Sessions: 1
IKE:
Session ID : 1
UDP Src Port: 500 UDP Dst Port : 500
IKE Neg Mode: Aggressive Auth Mode : preSharedKeysXauth
Encryption : 3DES Hashing : MD5
Rekey Int (T): 86400 Seconds Rekey Left(T): 61078 Seconds
D/H Group : 2
IPSec:
Session ID : 2
Local Addr : 0.0.0.0
Remote Addr : 172.16.254.5
Encryption : AES128 Hashing: SHA1
Encapsulation: Tunnel Rekey Int (T): 28800
Seconds Rekey Left(T): 26531 Seconds
Bytes Tx : 0 Bytes Rx : 604533
Pkts Tx : 0 Pkts Rx : 8126
<--output omitted--> In the preceding example, the dealr user from the administrator tunnel group has an IPSec connection established. This user is using the Windows 4.6 software client. Notice that NAC has been enabled and that this user has passed the NAC posture tests. Pre-shared keys were used for authentication, and the Phase 1 connection is protected with 3DES and MD5. The user was assigned an internal address of 172.16.254.5. The data connections are protected with AES-128 and SHA-1.
Disconnecting Remote Access Users
To disconnect a remote access user, use the following command:
ciscoasa# vpn-sessiondb logoff {remote | l2l | webvpn | email-proxy
protocol protocol_name | name username |
ipaddress IP_addr | tunnel-group group_name |
index index_number | all} You can disconnect all users from a particular type of access, a particular user based on username or index number (see the output of the show vpn-sessiondb command), a user’s IP address, all users in a particular tunnel group, or all the users.
