Introduction

The motivation for writing this book was to educate users and customers about the benefits that FlexVPN and IKEv2 bring and provide an in-depth coverage of the building blocks and topics related to IPsec VPNs in general, in an easy-to-understand manner. FlexVPN was a breath of fresh air with regards to VPN technologies; for the first time all VPN technologies could be configured under a single CLI construct. We want to educate users so that secure, efficient VPN technologies can be implemented not only using Cisco IOS, but with third-party equipment also.

FlexVPN has allowed IKEv2 and IPsec VPNs on Cisco IOS to become a lot more user friendly; IKE, IPsec, concepts of cryptography, and VPNs can be hard subjects to understand. This book is intended to explain these topics and allow the reader to not only grasp the concepts, but master them.

The book explains how IPsec VPNs deal with NAT traversal, fragmentation, segmentation, IP dual stack, multicast, non-IP protocols, and so on.

When VPNs are configured, there are a plethora of options; this book is intended to clarify these with ample illustrations and configuration examples so technologies are implemented in a secure and streamlined fashion.

When we talk to customers, many are unaware of what’s happening under the hood and what impact a certain command will have. This book tries to clarify these points.

Goals and Methods

Provide a guide that will take the reader from knowing very little about VPN technologies to having an in-depth understanding.

Prevent customers from making mistakes that lead to network down scenarios or put the overall architecture at risk.

Give architects an understanding of the technology, allowing them to design VPN systems that meet business needs.

Give designers the knowledge of where to position certain features.

Give implementors an understanding of how various features work, along with end-to-end configuration examples that can be used as a reference.

Give support staff an understanding of the protocols, how to configure them, and how features integrate. This will result in a deep understanding, enabling timely debugging and troubleshooting.

Provide Security Operation Center guidance on telemetry that can be gained when an IKE and IPsec SA are created. This provides a methodology to perform monitoring and troubleshooting.

Provide advice and guidance on how to migrate existing IKEv1 architecture to using IKEv2.

Allow accreditors to understand the technologies, resulting in assurance that the architecture presented will meet the intended security requirements.

Give project managers an understanding of the components required to perform migrations from IKEv1 to IKEv2.

Who Should Read This Book?

Anyone who is involved with the lifecycle of deploying an IPsec VPN. This includes architects, designers, security engineers, support engineers, accreditors, and members of a SOC/NOC.

This book tries to explain the protocols at an RFC level, so it will provide the reader with an understanding that is not just specific to Cisco, but is applicable to any standards-based implementation.

For any individual that is developing services that are consumed by an IPsec VPN architecture (RADIUS, PKI, and similar ones), this book allows the reader to understand the protocol flows and the interaction between IKEv2/IPsec and their services.

VPN technologies are an integral part of many of the Cisco certification tracks. This book serves as a valuable study aid, providing in-depth coverage of the IPsec VPN foundational topics in an easy-to-understand manner. Some of these certification tracks are

- Security: CCNA, CCNP, and CCIE

- Routing and Switching: CCNA, CCNP, and CCIE

- Design: CCDA, CCDP, CCDE

- Service Provider: CCIE

Simply put—if you want to understand IPsec VPN building blocks and architectures, and how to deploy IPsec VPNs using IKEv2, this book is for you.

How this book is organized

This book takes a structured approach to VPN technologies.

Chapter 1 Introduction to IPsec VPNs

This chapter describes the purpose of VPNs and the types of cryptography (symmetric and asymmetric). We cover cryptographic protocols used in the generation of IPsec VPNs.

We explain how confidentiality and integrity are achieved using Encapsulating Security Payload (ESP) and how integrity is achieved using Authentication Header (AH).

We introduce IKE and IPsec and the relationship that these have.

This chapter describes the components that make up IPsec, including the Security Parameter Index (SPI), Security Policy Database (SPD), Security Association Database (SADB), Peer Authorization Database (PAD), lifetimes, and sequence numbers. We explain how these are interlinked and the relationships between them.

The two modes of IPsec, tunnel and transport, are described. We explain the benefits of each. The benefits of ESP version 3 are described.

Chapter 2 IKEv2 the Protocol

The Internet Key Exchange (IKE) protocol is described in detail. The format of the IKE header and the various packet exchanges (SA_INIT, IKE_AUTH, INFORMATIONAL, CREATE_CHILD_SA) are described. You will understand how the IKE SA is created and the components that are used to construct this, such as key material generation.

Features of IKEv2, such as anti-replay, the anti-DDoS cookie, configuration payload, and acknowledged responses, are described, along with the algorithm types negotiated by IKE: encryption, integrity, PRF, and Diffie-Hellman.

This chapter details how IKEv2 operates when NAT is used on the transport network. The various keepalive mechanisms are covered, including IKE and NAT keepalives. This chapter covers a number of additional IKEv2 related RFCs.

Chapter 3 Comparison of IKEv1 and IKEv2

Within this chapter the history of IPsec and IKEv1 is covered, including all the RFCs (2401 to 2412) that were created to define the implementation of IKEv1-based IPsec VPNs. The key similarities and the key differences of IKEv2 compared to IKEv1 are covered, including exchange modes, authentication, use of identities, anti-DDoS, lifetimes, and many more topics.

Chapter 4 IOS IPsec implementation

The specific types of VPN implementation of Cisco IOS and IOS-XE are introduced. This chapter describes how to implement tunnel or transport mode. The two encapsulation types, GRE and VTI, are described, along with their benefits and limitations. The various implementation modes (dual stack, mixed mode, and auto) are covered. We also introduce VRF-aware IPsec.

Chapter 5 IKEv2 Configuration

This chapter contains an overview of the IKEv2 configuration features and how these interoperate. The various components of IKEv2 are covered: IKEv2 proposal, IKEv2 policy, IKEv2 profile, IKEv2 keyring, and the IKEv2 global configuration. We also cover other components that are critical to configuring IPsec VPNs, such as PKI and IPsec. The powerful pre-configured attributes are introduced, and their benefits are explained.

Chapter 6 Advanced IKEv2 features

This chapter covers IKEv2 advanced features, including some that are not part of the standard IKEv2 RFC. IKEv2 fragmentation and the transportation of Security Group Tags (SGT) are described, along with the methods to delete a session should a peer be revoked or the peer’s certificate expire. The lifetime of the IKEv2 session is examined and the effect this has is described in detail.

Chapter 7 IKEv2 deployments

This chapter describes a number of scenarios to give the reader an understanding of the various types of IKEv2 deployments. Both IPv4 and IPv6 are covered, with authentication using pre-shared keys, RSA certificates, ECDSA certificates, and HTTP URL Cert. The IKE anti-DDoS mechanism is illustrated in detail.

Chapter 8 Introduction to FlexVPN

After an overview of FlexVPN, the tunnel interface types (static, virtual-template, and virtual-access) and the IOS AAA infrastructure are described in detail. The building blocks of FlexVPN—Name Mangler and IKEv2 authorization policy, with user, group, and implicit authorization—are described. The configuration exchange is illustrated, along with advertising prefixes using IKEv2 routing.

Chapter 9 FlexVPN Server

The chapter provides an overview of FlexVPN Server. EAP authentication is described in detail, along with AAA-based pre-shared keys. Deriving virtual-access interfaces from virtual-templates is illustrated, along with automatic detection of the tunnel mode and encapsulation type using mode auto. RADIUS Packet of Disconnect and Change of Authorization (CoA) are described. The IKEv2 auto-reconnect, AnyConnect-EAP, and dual-factor authentication features are described. The clients supported by FlexVPN Server are covered.

Chapter 10 FlexVPN Client

This chapter begins with an overview of FlexVPN Client. EAP authentication is described in detail. Client-specific attributes are described: split-DNS, WINS, and Domain Name. The FlexVPN client profile is described. The following specific features of FlexVPN client are illustrated: Backup gateways, dial backup, backup groups, tunnel interface types, tunnel initiation types, and FlexVPN with NAT. This chapter describes design considerations and troubleshooting specific to the FlexVPN client.

Chapter 11 FlexVPN Load Balancer

This chapter presents an overview of the FlexVPN Load Balancer. It details the core components and RFC 5685 “IKEv2 Redirect and Hot Standby Routing Protocol.” How the cluster operates, including cluster load, is detailed. FlexVPN client and server configurations are illustrated. Troubleshooting a specific FlexVPN load balancer configuration is described, and a number of example configurations are shown.

Chapter 12 FlexVPN Deployments

This chapter contains a number of example scenarios that illustrate the following FlexVPN deployments: AAA-based pre-shared key, user and group authorization, FlexVPN routing with dual stack and tunnel mode auto, NAT with server-assigned IP addresses, WAN resiliency using a dynamic tunnel source, hub resiliency using backup peers, and FlexVPN backup tunnel using track-based activation.

Chapter 13 Monitoring IPsec VPNs

This chapter describes common methods for monitoring IPsec VPNs using AAA, SNMP, and syslog. A monitoring methodology is described that covers IP connectivity, VPN tunnel establishment, authentication, authorization, data encapsulation, data encryption, and overlay routing.

Chapter 14 Troubleshooting IPsec VPNs

This chapter describes the troubleshooting tools: Event Trace Monitoring and IKEv2, IPsec, KMI, and conditional debugging. Troubleshooting steps are described for IP connectivity, VPN tunnel establishment, authentication, authorization, data encapsulation, data encryption, and overlay routing.

Chapter 15 IPsec overhead and Fragmentation

This chapter describes computing IPsec overhead for ESP and AH and the effect that IPsec and fragmentation have for both IPv4 and IPv6. The following topics are illustrated: Path MTU Discovery (PMTUD), TCP MSS clamping, fragmentation, and PMTUD (specifically on tunnel interfaces). The impact of fragmentation is described.

Chapter 16 Migration Strategies

The chapter illustrates the considerations when migrating from IKEv1 to IKEv2. It covers hardware, VPN technologies, routing protocols, restrictions for IKEv1 and IKEv2, capacity planning, global commands, FlexVPN features, PKI authentication, high availability, and asymmetric routing. Migration strategies for hard and soft migrations are covered. It also discusses considerations for specific topologies: site-to-site, hub-and-spoke, and remote access. There is also an example migration scenario.
