
Overview

This chapter rounds out the discussion on IPSec, focusing on Easy VPN remote access clients. The topics discussed in this chapter include

  • Connection modes that Easy VPN remotes use

  • ASA 5505 remote client use and configuration

  • An easy VPN configuration example using the 5505 as a hardware client


Connection Modes

Easy VPN uses connection modes for Easy VPN remotes to establish tunnels to an Easy VPN server. Easy VPN supports three client mode connections:

  • Client mode

  • Network extension mode

  • Network extension plus mode

The connection modes are illustrated in Figure 18-1. The latter two modes are proprietary to Cisco. The following three sections will discuss each of these modes in more depth.

Figure 18-1: Easy VPN connection modes


Note

One restriction with remote access connections is that the remote can have only one tunnel up at a time.


ASA 5505 Remote Client

ASA 5505s support hardware remote functionality for Easy VPN. Other supported hardware remotes include the PIX 501 and 506E, the VPN 3002, and the 800 to 3800 series routers. The following sections will discuss authentication options for your appliance acting as a hardware remote, as well as the basic configuration and management of the Easy VPN remote functionality.

Hardware Client XAUTH Authentication Methods

All authentication policies are controlled and defined on the Easy VPN server and pushed down to the hardware remote during IKE Mode Config (Phase 1). The default XAUTH authentication for a hardware remote is referred to as default or unit authentication. With unit authentication, the XAUTH username and password are stored locally on the hardware remote in flash memory along with the rest of the remote configuration. The problem with unit authentication is that if the hardware remote were stored in an insecure location at a remote office, it could be stolen; the thief could then bring up a tunnel with the authentication credentials stored on the hardware remote.

Secure unit authentication (SUA), previously called Interactive Unit Authentication (IUA), solves this security problem. SUA is a group policy defined on an Easy VPN server with the group policy secure-unit-authentication enable command (see Chapter 17). When enabled, the policy is passed from the server to the remote during Phase 1 Mode Config. Upon receiving the policy, if the hardware remote was originally using unit authentication, it will automatically erase the username and password used for XAUTH.

Since the XAUTH username and password are erased, someone behind the hardware remote will have to supply this information to bring up the tunnel. Only a web browser is supported for SUA. The easiest way to accomplish this is to have a user open a web browser connection to something beyond the external interface of the hardware remote. The hardware remote will intercept the web connection and redirect it to a local login page on the remote itself. The user then supplies the username and password for XAUTH in order to bring up the tunnel. Once authenticated, the user is redirected back to the URL that he was originally trying to reach.

One problem with this approach is that when all the users at the remote office come into work in the morning and power up their PCs and laptops, no one will know if the tunnel is up. I recommend putting their web browser in the Windows Startup folder with a default home page of a web server at the corporate office behind the Easy VPN server. Therefore, one of the users will see the login page and will authenticate, which will bring up the tunnel for everyone. Also, you’ll probably want to give the users different usernames and passwords, but put them in the same tunnel group.


Note

Even though network extension mode automatically brings up a tunnel, the tunnel will fail to come up if you have an SUA policy defined—someone at the remote office will have to supply the XAUTH username and password. SUA and network extension mode combined give you secure access to the corporate LAN and also give the corporate office access to and management of the remote office LAN devices.

User Authentication

The problem with unit authentication and SUA is that once the tunnel is up, anyone connected to the remote office hardware remote can send traffic across the tunnel. This can be an issue in remote offices that are not as secure, perhaps because they are using wireless or because the office is a shared workspace.

User authentication is used in environments where you can’t control what devices are connected behind the hardware remote. Sometimes this feature is called “individual user authentication,” but Cisco commonly calls it user authentication. With user authentication, once the tunnel comes up (device and XAUTH authentication have occurred), each device behind the hardware remote that wants to send traffic across the tunnel must first authenticate. User authentication is enabled on the Easy VPN server and passed down to the hardware remote during the Phase 1 Mode Config step. To enable user authentication on the Easy VPN server, you configure the user-authentication enable command in the group policy associated with the hardware remote (see Chapter 17). The default idle timeout for a user is 30 minutes, after which the user will have to re-authenticate to use the tunnel again. This timeout can be changed on the Easy VPN server with the user-authentication-idle-timeout command in the related group policy (see Chapter 17).

As with SUA, users must use a web browser to authenticate; again, I recommend putting their web browser in the Windows Startup folder with a default home page of a web server behind the Easy VPN server. This way they will see the login page when they boot up their computer and log in, and can immediately start using the tunnel to access corporate resources. Once authenticated, the hardware remote keeps track of authenticated devices based on their IP/MAC address pairs, so if a device changes its IP or MAC address, it will have to re-authenticate to use the tunnel.

One problem with user authentication is that a web browser is required to perform the authentication; certain devices, like wireless devices performing LEAP, IP phones, and network printers, don’t have a web browser, can’t authenticate, and thus can’t use the tunnel. As I mentioned in Chapter 17, you can exempt Cisco IP phones and wireless devices performing LEAP authentication by using the ip-phone-bypass enable and leap-bypass enable commands, respectively, in the hardware remote group policy.

Basic Client Configuration

Configuring the ASA 5505 as a hardware remote is a much easier process than configuring it as an Easy VPN server. Here are the commands to configure the appliance as a hardware remote:

ciscoasa(config)# vpnclient enable
ciscoasa(config)# vpnclient server IP_primary [IP_secondary_1 ... IP_secondary_10]
ciscoasa(config)# vpnclient vpngroup group_name password preshared_key
ciscoasa(config)# vpnclient trustpoint CA_name [chain]
ciscoasa(config)# vpnclient username XAUTH_username password password
ciscoasa(config)# vpnclient mode {client-mode | network-extension-mode}
ciscoasa(config)# vpnclient nem-st-autoconnect
ciscoasa(config)# vpnclient ipsec-over-tcp [port tcp_port_#]
ciscoasa(config)# crypto ipsec df-bit clear-df if_name
ciscoasa(config)# vpnclient mac-exempt mac_addr1 mac_mask1 [mac_addr2 mac_mask2 ... mac_addrX mac_maskX]
ciscoasa(config)# vpnclient {connect | disconnect}

To enable the ASA 5505 as a hardware remote, use the vpnclient enable command. The vpnclient server command specifies the Easy VPN Server to connect to. When connecting to a load balancing cluster (see Chapter 17), enter the virtual IP address that represents the cluster. If you are using pre-shared keys for group authentication, then use the vpnclient vpngroup command to configure the tunnel group name that the 5505 belongs to and the pre-shared key associated with the tunnel group. If you omit this command, the 5505 assumes certificates are being used for device authentication. If the 5505 has more than one certificate, you can specify which identity certificate to use with the vpnclient trustpoint command. The chain parameter is used in a CA hierarchical implementation: the root and all subordinate CA certificates, along with the identity certificate, are shared with the Easy VPN server during device authentication. Obtaining certificates on appliances was discussed in Chapter 15.

If you are using unit (default) authentication, the XAUTH username and password need to be defined with the vpnclient username command. If you don’t specify the connection mode with the vpnclient mode command, it defaults to client mode. To configure the 5505 to automatically initiate IPSec data tunnels when NEM and split tunneling are configured, use the vpnclient nem-st-autoconnect command.

If you’ll need to use IPSec over TCP, enable it with the vpnclient ipsec-over-tcp command on the 5505—the port defaults to 10000, but can be changed. You’ll also need to enable IPSec over TCP on the Easy VPN server and match the port number. For large TCP segments from the user, make sure that the DF (don’t fragment) bit is cleared in the TCP segment header for large packets on the external interface with the crypto ipsec df-bit clear-df command.

If user authentication is employed, you can use the vpnclient mac-exempt command to exclude certain devices, like file and print servers, from authenticating in order to use the tunnel. The MAC address mask is the network mask for the corresponding MAC address. A MAC mask of ffff.ff00.0000 matches all devices made by the same manufacturer. A MAC mask of 0000.0000.0000 matches a single device.
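The following Python model is added here as an illustration; it is not code from this book or from Cisco. It ties together the three behaviors described in the preceding sections: the login page the hardware remote redirects to under SUA before it will bring the tunnel up, per-device user authentication keyed on IP/MAC address pairs with the 30-minute idle timeout, and the MAC exemption list. The login URL, the account table, and the treatment of a unit-authentication remote as bringing the tunnel up instantly are assumptions of the model, and the exemption list holds exact MAC addresses rather than address/mask pairs.

```python
"""Constructed model of the authentication gates an Easy VPN hardware
remote places in front of the hosts behind it.  Illustrative only; this
is not ASA code.

* Secure unit authentication (SUA): no tunnel until a user submits the
  XAUTH username/password on the login page the remote redirects to.
* User authentication: once the tunnel is up, each (IP, MAC) pair must
  log in before its traffic may cross the tunnel; idle sessions expire
  after 30 minutes, and a changed IP or MAC means a new login.
* MAC exemption: listed MAC addresses skip user authentication, the way
  vpnclient mac-exempt does (exact addresses only in this model).
"""
from dataclasses import dataclass, field

# Hypothetical login page served by the remote itself (assumption).
LOGIN_URL = "https://hardware-remote.local/login"

# Constructed XAUTH accounts.  In a real deployment the Easy VPN server
# holds these; they are embedded here so the model runs offline.
XAUTH_ACCOUNTS = {"alice": "alice_secret", "bob": "bob_secret"}


@dataclass
class HardwareRemote:
    sua_enabled: bool = True
    user_auth_enabled: bool = True
    idle_timeout: int = 30 * 60          # seconds; the 30-minute default
    mac_exempt: set = field(default_factory=set)
    tunnel_up: bool = False
    # (ip, mac) -> time of the last packet that used the tunnel
    sessions: dict = field(default_factory=dict)

    def _session_valid(self, key, now):
        """True if the device logged in and has not been idle too long."""
        last = self.sessions.get(key)
        if last is None:
            return False
        if now - last > self.idle_timeout:
            del self.sessions[key]       # expired: the device must log in again
            return False
        return True

    def handle_web_request(self, ip, mac, url, now):
        """Decide the fate of a web request from a host behind the remote.

        Returns ("redirect", login_url) when a login must happen first,
        or ("forward", url) when the request may cross the tunnel.
        """
        if not self.tunnel_up:
            if self.sua_enabled:
                # The stored XAUTH credentials were erased when the SUA
                # policy arrived, so intercept the request and redirect.
                return ("redirect", f"{LOGIN_URL}?next={url}")
            # Unit authentication: the remote holds the credentials and
            # brings the tunnel up itself (modeled as instant success).
            self.tunnel_up = True
        if self.user_auth_enabled and mac not in self.mac_exempt:
            key = (ip, mac)
            if not self._session_valid(key, now):
                return ("redirect", f"{LOGIN_URL}?next={url}")
            self.sessions[key] = now     # activity resets the idle clock
        return ("forward", url)

    def login(self, ip, mac, username, password, now):
        """Handle the login page submission.  Returns True on success."""
        if XAUTH_ACCOUNTS.get(username) != password:
            return False
        if not self.tunnel_up:
            self.tunnel_up = True        # SUA: this login is the XAUTH step
        if self.user_auth_enabled:
            self.sessions[(ip, mac)] = now
        return True


if __name__ == "__main__":
    remote = HardwareRemote(mac_exempt={"0003.e312.3456"})
    print(remote.handle_web_request("10.0.1.10", "aaaa.bbbb.0001", "http://intranet", 0))
    print(remote.login("10.0.1.10", "aaaa.bbbb.0001", "alice", "alice_secret", 0))
    print(remote.handle_web_request("10.0.1.10", "aaaa.bbbb.0001", "http://intranet", 1))
    print(remote.handle_web_request("10.0.1.11", "aaaa.bbbb.0002", "http://intranet", 1))
    print(remote.handle_web_request("10.0.1.12", "0003.e312.3456", "http://intranet", 1))
```

Running the script walks through the morning scenario from the text: the first request from the office is redirected to the login page, the login brings the tunnel up, the device that logged in is forwarded, a second device is still redirected because user authentication is per IP/MAC pair, and the exempted MAC address is forwarded without ever logging in.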


Tip

As you can see from the preceding configuration, you don’t have to configure any ISAKMP policies, tunnel groups or policies, transform sets, or crypto maps. Actually most of these components are configured, but you don’t have to do it: the appliance will do this automatically for you! So you can see why Cisco uses the term “Easy VPN” to describe their IPSec remote access solution.

Tunnel Maintenance

When using client mode on the ASA 5505, you can execute the vpnclient connect command to bring up a tunnel or the vpnclient disconnect command to tear down a tunnel. When you’re using network extension mode, the vpnclient connect command really doesn’t do anything, since the 5505 will automatically bring up the tunnel and keep on trying if it can’t. Likewise the vpnclient disconnect command will tear down a tunnel, but if the 5505 is using network extension mode, the tunnel will automatically be rebuilt.

Easy VPN Configuration Example with a Hardware Remote

To help illustrate how to configure an ASA 5505 as a hardware remote and have it build a tunnel to an Easy VPN server (also a security appliance), the following two sections will cover the configuration of these two devices.

ASA 5505 Configuration Example

The following configuration example shows how simple it is to set up a network extension mode connection on a 5505 using pre-shared keys:

client(config)# vpnclient enable
client(config)# vpnclient server 192.1.1.1
client(config)# vpnclient vpngroup hwclients password group_secret
client(config)# vpnclient username asa5505-1 password asa_secret
client(config)# vpnclient mode network-extension-mode

As you can see from this configuration, the setup is very easy.

Example Easy VPN Server Configuration

Here’s the Easy VPN server configuration for an appliance that will accept tunnel connections from the ASA 5505 hardware remotes:

ciscoasa(config)# sysopt connection permit-vpn
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp nat-traversal 30
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption 3des
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# lifetime 3600
ciscoasa(config)# group-policy hw_policy internal
ciscoasa(config)# group-policy hw_policy attributes
ciscoasa(config-group-policy)# vpn-idle-timeout 15
ciscoasa(config-group-policy)# nem enable
ciscoasa(config-group-policy)# exit
ciscoasa(config)# tunnel-group hwclients type ipsec-ra
ciscoasa(config)# tunnel-group hwclients general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group LOCAL
ciscoasa(config-tunnel-general)# default-group-policy hw_policy
ciscoasa(config)# tunnel-group hwclients ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key group_secret
ciscoasa(config-tunnel-ipsec)# isakmp keepalive threshold 30 retry 5
ciscoasa(config-tunnel-ipsec)# exit
ciscoasa(config)# username asa5505-1 password asa_secret privilege 0
ciscoasa(config)# username asa5505-1 attributes
ciscoasa(config-username)# password-storage enable
ciscoasa(config-username)# vpn-framed-ip-address 10.0.1.223 255.255.255.0
ciscoasa(config-username)# exit
ciscoasa(config)# access-list ACLnonat permit ip 10.0.0.0 255.0.0.0 10.0.1.223 255.255.255.255
ciscoasa(config)# nat (inside) 0 access-list ACLnonat
ciscoasa(config)# crypto ipsec transform-set hw_trans esp-3des esp-md5-hmac
ciscoasa(config)# crypto dynamic-map dyn_map 1 set transform-set hw_trans
ciscoasa(config)# crypto dynamic-map dyn_map 1 set reverse-route
ciscoasa(config)# crypto map stat_map 10000 ipsec-isakmp dynamic dyn_map
ciscoasa(config)# crypto map stat_map interface outside

This example is similar to the one shown and discussed previously in Chapter 17, so I’ll skip most of the commands and focus on the parts that are important for the 5505 hardware remote. First, notice that the group policy has network extension mode enabled (nem enable command). Second, a tunnel group was created with a pre-shared key, and DPD was enabled (automatically done on the ASA 5505 hardware remote). Third, a local user account was created for the 5505; its attributes allow the XAUTH information to be stored on the 5505 (overrides the default); and a static address is assigned for network extension plus mode. Last, Identity NAT was configured to exempt the internally assigned address from address translation on the Easy VPN server.