Cisco IOS Router SSL-VPN with RADIUS

This post describes how to configure a Cisco IOS Router with WebVPN. Cisco ISE (v2.1) will be used as a RADIUS server, to provide authentication and authorization. For testing purposes group membership will be used to determined which RADIUS attributes will be pushed to the connecting client.

RADIUS Server Configuration

For authorization Admin users will be permitted to use split tunnel, these configuration settings will be controlled centrally and pushed to the clients if they pass authorization.

Define Network Device

Add the Router as a Network Device, ensure to enter the shared secret password, this must match the shared secret configured on the router.

Continue reading “Cisco IOS Router SSL-VPN with RADIUS” →

ASA AnyConnect VPN with Static Client IP Address

Overview

When using a Cisco ASA with the AnyConnect VPN Client software in some instances it is useful to assign the same static IP address to a client whenever they connect to the VPN. Within Active Directory you can configure per user a static IP address and use this IP address whenever the user connects to the VPN. The RADIUS Server (in this instance Cisco ISE 2.0) can be configured to query the attribute in AD which is the” msRADIUSFramedIPAddress” value and assign to the client whenever they connect.

This post only describes configuring a static IP address on a Cisco AnyConnect Remote Access VPN. Refer to the following posts for more detail instructions on how to configure ASA Remote Access VPN and integrated with Cisco ISE for authentication:

ASA AnyConnect SSL-VPN
ASA AnyConnect IKEv2/IPSec VPN

Continue reading “ASA AnyConnect VPN with Static Client IP Address” →

DMVPN Phase 3 Dual Hub

This post details the configuration on how to configure a DMVPN Phase 3 VPN in a Dual Hub Single Cloud. I previously wrote a post on configuring DMVPN Phase 2, refer to this post for more detailed information on configuring DMVPN.

As per most previous posts GNS3 was used to lab the configuration. I had to use the Advanced Security IOS image “c7200-advsecurityk9-mz.152-4.M7” instead of my normal Advanced IP Services IOS image “c7200-advipservicesk9-mz.152-4.S4” because that version does not support NHRP redirect required for DMVPN Phase 3. The error received when configuring NHRP redirect is: % NHRP-WARNING: ‘ip nhrp redirect’ failed to initialise.

This post covers the following:

• Front Door VRF
• Crypto Keyring
• Dual DMVPN Hub configuration
• DMVPN Spoke configuration
• DMVPN NHS Clustering (dual active Hubs and Active/Standby Hub)
• DMVPN Phase 3

The router default ISAKMP Policy, IPSec Transform Set and IPSec Profile were used and therefore not covered in this post. This previous post covers ISAKMP and IPSec Policy/Profile creation.

The lab scenario has 6 x Cisco IOS 15.2(4) routers as represented in the diagram below.

Continue reading “DMVPN Phase 3 Dual Hub” →

ASA IKEv2/IPSec Site-to-Site VPN

This blog post provides the simple configuration information to setup a Site-to-Site VPN between two Cisco ASA firewalls using the IKEv2 protocol.

The following lab scenario was setup in GNS3 using the following images:

• Cisco ASAv version 9.5(2)
• Cisco IOS version 15.2(4)

A VPN will be setup between the 2 Cisco ASA firewalls (ASAv-1 and ASAv-2). The 2 routers (R1 and R2) will act as hosts in the local networks in order to generate traffic to initiate the VPN tunnel on demand.

Continue reading “ASA IKEv2/IPSec Site-to-Site VPN” →

FlexVPN Hub-and-Spoke

In a FlexVPN Hub and Spoke design spoke routers are configured with a normal static VTI with the tunnel destination of the Hub’s IP address, the Hub however is configured with a Dynamic VTI. The DVTI on the Hub router is not configured with a static mapping to the peer’s IP address. The VTI on the Hub is created dynamically from a preconfigured tunnel template “virtual-template” when a tunnel is initiated by the spoke router/peer. The dynamic tunnel spawns a separate “virtual-access” interface for each spoke tunnel, inheriting the configuration from the cloned the template.

Continue reading “FlexVPN Hub-and-Spoke” →

FlexVPN static VTI

As mentioned in the previous blog post when configuring FlexVPN configuration can be minimized by using the Smart Defaults, they comprises of default configurations for IKEv2 Proposal, IKEv2 Policy, IPSec Profile and Transform Set. This post provides a simple configuration example when using Smart Defaults and when using custom configurations.

Configuration Example – FlexVPN SVTI with Smart Defaults

This simple lab configuration is to setup a SVTI Site-to-Site VPN between 2 Cisco IOS routers.

Continue reading “FlexVPN static VTI” →

FlexVPN Overview

FlexVPN is a framework to configure IPSec VPNs on Cisco IOS devices; it was created to simplify the deployment of VPN solutions of all type (Site-to-Site, Remote Access etc). It uses a common configuration template for all VPN types. FlexVPN is based on IKEv2 and does not support IKEv1.

IKEv2 Features

• IKEv2 is more secure than IKEv1 because it supports the latest Suite B cryptographic algorithms
• Built-in support for Dead Peer Detection (DPD) and NAT-Traversal
• Is resistant to DoS attacks
• Consolidated IKEv1 main and aggressive modes into one method, called “initial”
• Supports more authentication methods; in addition to PSK, certificates it also supports EAP authentication.
• XAUTH not used in IKEv2, EAP is used for authentication instead: EAP Tunneling: EAP-TLS, EAP-PEAP, EAP-PSK, EAP Non-Tunnelling: EAP-MSCHAPv2, EAP-MD5, EAP-GTC and EAP Anyconnect
  
  

Continue reading “FlexVPN Overview” →

Configuring a Cisco IOS VTI based tunnel

IPSec VTIs (Virtual Tunnels Interfaces) simplifies the configuration of a VPN compared to using crypto maps or GRE IPSec Tunnels. A benefit of using VTIs does not require of tying a configuration to a physical interface, rather allowing bespoke configuration per VTI. You can use a dynamic routing protocol (EIGRP, OSPF etc) or QoS defined per VTI.

VTI Configuration Example using defaults

To setup a basic IKEv1 VTI based site-to-site VPN you can use the Crypto defaults (ISAKMP Policy, IPSec Transform Set and IPSec Profile), in addition to the VTI the only crypto configuration needs to be a Pre-Shared Key.

Define a Pre-Shared Key

crypto isakmp key cisco123 address 0.0.0.0

Configure Tunnel Interface

interface tunnel 0
 ip address 10.10.0.1 255.255.255.0
 tunnel source fastethernet 0/0
 tunnel destination 1.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default

Continue reading “Configuring a Cisco IOS VTI based tunnel” →

Configuring Dynamic Multipoint VPN (DMVPN)

The Dynamic Multipoint VPN (DMVPN) allows for a large scale IPSec VPN deployment with reduced configuration/complexity. It uses GRE, Next Hop Resolution Protocol (NHRP) and IPSec Encryption and unlike traditional IPSec VPNs DMVPN does not require Crypto ACLs, instead DMVPN requires a single mGRE tunnel interface and a single IPSec profile. In a large DMVPN environment this greatly reduces the size of configuration on the hub router.

DMVPN can be deployed using two models; Hub-and-Spoke and Spoke-to-Spoke:

Hub-and-Spoke (Phase 1) – requires each spoke have a point-to-point to GRE interface to build a tunnel to the hub router, all traffic flows through the hub router.

Spoke-to-Spoke  (Phase 2 and Phase 3) – requires each spoke to have an mGRE interface, to provide spoke-to-spoke communication in addition to Hub-and-spoke communication.

Continue reading “Configuring Dynamic Multipoint VPN (DMVPN)” →