Using certificates to authenticate VPN peers is the most scalable authentication method. As of FTD 6.2.2, certificate enrolment is either via SCEP or manual using a PKCS12 file. When using SCEP the FTD must have direct communication with the SCEP server in order to request the certificate; this may not be possible if the FTD is already deployed onsite. That leaves importing the signed certificate as a PKCS12 file; this is a manual process, and SSH access to the console is all that is required.
This post will describe how to create a Certificate Template on a Windows CA, how to generate a certificate private key, CSR and PKCS12 file, and how to configure the VPN on the FMC.
Continue reading “FTD VPN with Certificate authentication”
Cisco introduced VTI to ASA Firewalls in version 9.7.1 as an alternative to policy based crypto maps. Cisco IOS routers have long supported VTI (sVTI, DVTI, DMVPN, FlexVPN etc). This post will describe the steps on how to configure a VTI between a Cisco ASA Firewall and a Cisco IOS Router.
Cisco ASAv (v9.9.1)
Cisco CSR1000v (v16.3.3)
Continue reading “IKEv2/IPSec VTI tunnel between ASA Firewall and IOS Router”
FlexVPN supports the use of dynamic routing protocols such as EIGRP, BGP and OSPF. FlexVPN also has the ability to advertise routes in the IKEv2 SAs. In order to do this we must configure an IKEv2 Authorization Policy; this policy can be configured on the local router or centrally on a RADIUS server such as ISE.
This post describes only the steps to configure a local IKEv2 Authorization Policy and IKEv2 Routing on a Hub and Spoke router. For further information on FlexVPN, review these blog posts: Configure FlexVPN Hub and Spoke and Configure FlexVPN with certificate authentication.
Continue reading “FlexVPN IKEv2 Routing”
IKEv2 is an important protocol used in IPSec VPNs; it is used to securely authenticate peers and set up security associations (SAs). Cisco IOS routers have predefined default encryption, integrity (hashing), DH group and PRF algorithms; some of these algorithms are no longer considered secure and are therefore not recommended.
As of Cisco IOS-XE v16.8.1 the default IKEv2 Proposal will be updated; more information here: https://gblogs.cisco.com/uki/deep-dive-a-vpn-journey/
As of 2018 the recommended IKEv2 Proposal ciphers are:
Integrity: SHA512 SHA384
PRF: SHA512 SHA384
DH Group: Group19 Group14 Group21 Group5
Continue reading “Recommended IKEv2 Proposal”
In addition to Site-to-Site VPNs, FlexVPN can also be used for Remote Access VPN. It uses the same familiar commands as are used to configure the S2S VPNs. Remote Access VPN can use certificate authentication (mutual certificate authentication between router and AnyConnect client), EAP (MD5/MSCHAPv2) and AnyConnect EAP. Authentication and authorization can be performed by local AAA or by an external RADIUS server, which can authenticate the users against an Active Directory domain and authorize them depending on AD group membership.
This post will describe how to configure FlexVPN Remote Access VPN using aggregated authentication (double authentication) using AD username/password and client certificate authentication. We will not describe the basics of configuring FlexVPN Hub-and-Spoke or certificate authentication; these have been described in previous posts here:
Continue reading “FlexVPN Remote Access VPN”
This post will describe how to configure FlexVPN authorization using RADIUS AAA; ISE 2.4 will be used as the RADIUS server.
The Hub router will authenticate the spoke routers with RSA certificates. The spoke routers' certificates will have a value in the OU (organisational unit) field which identifies the location, e.g. US-Branch or UK-Branch. An IKEv2 name-mangler will be used to extract the OU value from the certificate and use it in the authorization request to the RADIUS server. Depending on which location is matched in the authorization rules, the RADIUS server will return different values per location.
Continue reading “FlexVPN external AAA with RADIUS”
See the previous blog post, which documents the steps to set up AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (username/password and certificate).
Create a Crypto Keypair
crypto key generate rsa label VPN_KEY modulus 2048
Create a CA Trustpoint
crypto ca trustpoint LAB_PKI
Continue reading “ASA AnyConnect IKEv2/IPSec VPN”