FTD VPN with Certificate authentication

Using certificates to authenticate VPN peers is the most scalable authentication method. As of FTD 6.2.2 certificate enrolment is either via SCEP or manually using PKCS12. When using SCEP the FTD must have direct communication with the SCEP server in order to request the certificate, this may not be possible if the FTD is already deployed onsite. This leaves a PKCS12 file to import the signed certificate; this is a manual process, access to the console via SSH is all that is required.

This post will describe how to create a Certificate Template on a Windows CA, how to generate a certificate private key, csr and PKCS12 file and how to configure the VPN on the FMC.

Continue reading “FTD VPN with Certificate authentication”

Advertisements

IKEv2/IPSec VTI tunnel between ASA Firewall and IOS Router

Cisco introduced VTI to ASA Firewalls in version 9.7.1 as an alternative to policy based crypto maps. Cisco IOS routers have long supported VTI (sVTI, DVTI, DMVPN, FlexVPN etc). This post will describe the steps on how to configure a VTI between a Cisco ASA Firewall and a Cisco IOS Router.

Hardware/Software used:
Cisco ASAv (v9.9.1)
Cisco CSR1000v (v16.3.3)

Continue reading “IKEv2/IPSec VTI tunnel between ASA Firewall and IOS Router”

Recommended IKEv2 Proposal

IKEv2 is an important protocol used in IPSec VPNs, it is used to securely authenticate peers by setting up security associations (SAs). Cisco IOS routers have predefined default encryption, integrity (hashing), DH group and PRF algorithms, some of these algorithms are no longer considered secure and therefore not recommended.

As of Cisco IOS-XE v16.8.1 the default IKEv2 Proposal will be updated, more information here: https://gblogs.cisco.com/uki/deep-dive-a-vpn-journey/

As of 2018 the recommended IKEv2 Proposal ciphers are:
Encryption:
AES-CBC-256
Integrity: SHA512 SHA384
PRF: SHA512 SHA384
DH Group: Group19 Group 14 Group21 Group5

Continue reading “Recommended IKEv2 Proposal”

FlexVPN Remote Access VPN

In addition to Site-to-Site VPNs, FlexVPN can also be used for Remote Access VPN. It uses the same familiar commands as used to configure the S2S VPNs. Remote Access VPN can use certificate authentication (mutual certificate authentication between router and AnyConnect client), EAP (MD5/MSCHAPv2) and AnyConnect EAP. Authentication and Authorization can be performed by local AAA or external RADIUS, which can authenticate the users against Active Directory Domain and authorize depending on AD group membership.

This post will describe how to configure FlexVPN Remote Access VPN using aggregated authentication (double authentication) using AD username/password and client certificate authentication. We will not describe the basics of configuring FlexVPN Hub-and-Spoke or certificate authentication; these have been described in previous posts here:

Continue reading “FlexVPN Remote Access VPN”

FlexVPN external AAA with RADIUS

This post will describe how to configure FlexVPN authorization using RADIUS AAA, ISE 2.4 will be used as the RADIUS server.

The Hub router will authenticate the spoke routers with RSA certificates. The spoke routers’ certificate will have an value in the OU (organisational unit) field which will identify the location e.g. US-Branch or UK-Branch.  An IKEv2 name-mangler will be used to extract the OU value from the certificate and use this in the authorization request to the RADIUS server. Depending on matching on location in the Authorization rules the RADIUS server will return different values per location.
Continue reading “FlexVPN external AAA with RADIUS”

ASA AnyConnect IKEv2/IPSec VPN

See the previous blog post which documents the steps to setup AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (Username/Password and Certificate).

ASA Configuration

Create a Crypto Keypair

crypto key generate rsa label VPN_KEY modulus 2048

Create a CA Trustpoint

crypto ca trustpoint LAB_PKI
fqdn asa-1.lab.net
subject-name CN=asa-1.lab.net,OU=LAB,ST=London,C=GB
keypair VPN_KEY
enrollment terminal
crl nocheck

Continue reading “ASA AnyConnect IKEv2/IPSec VPN”

ASA AnyConnect SSL-VPN

This blog post will document how to configure an AnyConnect SSL-VPN on a Cisco ASA firewall using Cisco ISE (2.1 patch 5) as a AAA server for authentication.

ISE Configuration

It is assumed that ISE is installed and configured with the basics (IP addresses and integrated into AD).

Define the ASA as a Network Device

  • Navigate to Administration > Network Resources > Network Devices
  • Create new by clicking Add and define the ASA
  • Specify the INSIDE interface IP address of the ASA
  • Tick the RADIUS Authentication Settings box
  • Specify a shared secret, this will need to match on the ASA configuration
  • Click Save


Continue reading “ASA AnyConnect SSL-VPN”