Index
Symbols
+ (plus sign), 54
3DES, 111
3DS-CBC, 514
A
AAA (authentication, authorization, and accounting), 418
debug commands, 501
RADIUS-based AAA, authorization, 436
AAA accounting, FlexVPN server, 287
AAA authentication method, 278
AAA authorization, deriving virtual access configurations from (FlexVPN server), 293–294
aaa authorization, 223, 225, 229, 233
aaa authorization group, 229, 237–238
aaa authorization group override, 294
aaa authorization user, 285, 484
configuring for FlexVPN, 222–223
aaa new-model command, 222
AAA-based pre-shared keys
branch-1 router configuration, 382–383
branch-2 router configuration, 383
hub router configuration, 383–384
RADIUS server configuration, 384–386
configuring, 284
RADIUS attributes, 285
acceptable algorithms, 111
access, remote access (migration strategies), 565–566
access control, 4
accounting, 418
advanced features, FlexVPN client, 336
AES CBC mode, 112
AES GCM mode, 112
AES-CBC, 514
AES-CBC-192, 111
AES-CBC-256, 111
AES-CMAC-96, 515
AES-CTR, 514
AES-GCM-128, 111
AES-GCM-256, 111
AES-GMAC1, 514
AES-GMAC2, 513
AES-XCBC-MAC-96, 515
Aggregate authentication, 315
Aggregate XML, 315
Aggregation Services Routers (ASR), 87
Aggressive Mode, 70
AH (Authentication Header), 2–3
algorithms
combined algorithm overhead, 512–513
hash algorithms, for signatures, 163
IKEv2 encryption, Cisco IOS, 111
IKEv2 integrity, in Cisco IOS, 113
PRF (pseudorandom function), 41
pseudorandom function, IKEv2, 115
AMx, 70
anti-denial of service, 72
anti-replay services, 4, 16–17
ESP (Encapsulating Security Payload), 18
AnyConnect
EKU (Extended Key Usage), 469
FlexVPN server
auto-reconnect configuration attributes, 310–311
name verification, 468
AnyConnect-EAP, 146, 315, 315–316
configuring dual-factor authentication, 324–325
dual-factor authentication, 320–324
AnyConnect-EAP XML messages, dual-factor authentication, 322–324
APPLICATION_VERSION, 257
ASR (Aggregation Services Routers), 87
asymmetric cryptography, 8, 11–12
asymmetric keys, 132
asymmetric routing, considerations when moving to IKEv2, 547–548
attacks, MITM (man-in-the-middle) attack, 13
attributes
APPLICATION_VERSION, 257
backup-gateway attributes, configuring, 347
certificate attributes, 469
Cisco private use configuration attributes, 257–258
configuration attributes
configuration payload, 59
default-domain attributes, configuring, 344
FlexVPN, 253
interface-config AAA attribute, 293–294
interface-config attribute, 296
INTERNAL_IP4_ADDRESS, 254
INTERNAL_IP4_DNS, 256
INTERNAL_IP4_NBNS, 257
INTERNAL_IP4_NETMASK, 254
INTERNAL_IP4_SUBNET, 255
INTERNAL_IP6_ADDRESS, 255
INTERNAL_IP6_DNS, 256
INTERNAL_IP6_SUBNET, 256
IPv4 DNS server attributes, configuring, 340
IPv4 WINS attribute, 343
IPv6 DNS server attributes, configuring, 341
RADIUS attributes
AAA-based pre-shared keys, 285
CoA (change-of-authorization), 303–304
Split-DNS, configuring, 341
audit-session-id, 299, 303–304
AUTH payload, 13
authentication, 14, 73–74, 418
certificate-based authentication, 147–149
considerations when moving to IKEv2, 546–547
data origin authentication, 4
debugging, with PKI, 470
dual-factor authentication, AnyConnect-EAP, 320–324
EAP (Extensible Authentication Protocol), 434–436
EAP authentication. See EAP authentication, FlexVPN server
ECDSA (Elliptic-Curve Digital Signature Algorithm) authentication, 194–200
ESP (Encapsulating Security Payload), 17–18
IKEv2, 45
EAP (Extensible Authentication Protocol), 48–50
pre-shared-key-based authentication, 47
signature-based authentication, 46
IP Authentication Header, 15
PKI (Public Key Infrastructure), 431–434
pre-shared key authentication, 147
pre-shared-key-based authentication, 47
PSK, 429
RSA authentication, troubleshooting, 465–468
RSA authentication using HTTP URL lookup, 200–207
signature-based authentication, 46
user authentication, AnyConnect-EAP, 315
authentication command, 147
Authentication Header (AH), 2–3, 15
authentication header overhead, 509–510
authentication methods, IKEv2 profiles, 145–149
authentication pre-shared keys, 429–431
authentication remote anyconnect-eap, 323
configuring, 233
implicit authorization, 242–245
RADIUS-based AAA, 436
authorization policy
default IKEv2 authorization policy, 229–231
authorization types, FlexVPN, 245–250
auto detection of tunnel transport and encapsulation, 297–298
auto tunnel mode, 99
auto-detection of tunnel encapsulation and transport, FlexVPN, 219–221
automatic mode, tunnel initiation, FlexVPN client, 350
AutoReconnect, 311
auto-reconnect, FlexVPN server, 309–310
configuration attributes, 310–311
AutoReconnectBehavior, 311
avoid, 111
B
backup gateway lists, FlexVPN client, 347
backup gateways, FlexVPN client, 346
backup group command, 353
backup groups, FlexVPN client, 353–354
Backup Peers, 544
backup peers, FlexVPN hub resiliency, 411
backup-gateway attributes, configuring, 347
boolean expressions, tracking, lists of objects, 350–352
branch 1 configuration
FlexVPN, spoke configuration, 392–394
FlexVPN client, group and user authorization, 386
FlexVPN spoke, verification, 397–399
branch 2 configuration
FlexVPN, spoke configuration, 394–395
FlexVPN client, user authorization, 387
FlexVPN spoke, verification, 399–400
branch-1 router configuration, AAA-based pre-shared keys (FlexVPN), 382–383
branch-2 router configuration, AAA-based pre-shared keys (FlexVPN), 383
buffers, capture buffers, 457
building blocks of
FlexVPN
Cisco IOS AAA infrastructure, 221–223
point-to-point tunnel interfaces, 214–221
FlexVPN client
FlexVPN client profiles, 334
IKEv2 configuration exchange, 334
NAT (Network Address Translation), 335
object tracking, 334
static P2P tunnel interfaces, 334
IPsec, 2
access control, 4
anti-replay services, 4
confidentiality, 4
connectionless integrity, 4
data origin authentication, 4
key management protocol, 3
SAs (Security Associations), 3
security services, 3
TFC (Traffic Flow Confidentiality), 4–5
C
CA (certificate authority), 12
PKI (Public Key Infrastructure), 160–162
CAC (Call Admission Control), IKEv2, 157
Cookie Challenge and Call Admission Control, 207–210
cached keyword, 234
capacity, considerations when moving to IKEv2, 542–543
capture buffers, 457
capture points, 458
CBC (cipher block chaining), 510
CDP (Cisco Discovery Protocol), 86
CDP (CRL Distribution Point), 475
CEF (Cisco Express Forwarding), 94
CERT, 148
certificate attributes, 469
certificate authority. See CA (certificate authority)
certificate authority (CA), PKI (Public Key Infrastructure), 160–162
session deletion, IKEv2, 184
certificate maps, matching, peers, 472–473
certificate requests, 148
HTTP_CERT_LOOKUP_SUPPORTED, 39
certificate revocation, 473–476
Certificate Revocation Lists (CRLs), 163
certificate revocation method, 163
session deletion, 182
certificate-based authentication, 147–149
certificates
digital certificates, 12
HTTP URL-based certificate lookup, 156
certification revocation list (CRL), 181
CERTREQ, 148
CertReq, 26
CERTREQ payload, 476
CFG_ACK, 252
CFG_REPLY, 251
CFG_REQUEST, 251
CFG_SET, 252
change-of-authorization (CoA), 303–304
Child SAs, 24
childless initiation, 66
cipher block chaining (CBC), 510
Cisco AV pair, 325
Cisco Discovery Protocol (CDP), 86
Cisco Express Forwarding (CEF), 94
Cisco IKEv2 AnyConnect clients, 330
Cisco IOS
IKEv2 encryption, 111
IKEv2 integrity, 113
Diffie-Hellman group, 114
IPsec configuration
examples, 168
IPsec profiles, 167
PKI (Public Key Infrastructure), 159–160
CA (certificate authority), 160–162
pseudorandom function algorithms, IKEv2, 115
Cisco IOS AAA infrastructure, 221–223
configuring for FlexVPN, 222–223
Cisco IPsec flow monitor MIB, 425
Cisco meta data (CMD), 179
Cisco private use configuration attributes, 257–258
Cisco unity attributes, 253
clamping, MSS (Maximum Segment Size), 526–527
clear crypto ikev2 diagnose error, 461
clear crypto ikev2 sa, 186
clear crypto ikev2 sa remote, 360
clear crypto session, 186
clearing, IKEv2 FlexVPN client sessions, 360
client awareness, considerations when moving to IKEv2, 545
client connect tunnel interface-number, 348
client connect Tunnelo, 408, 412
client debugging, IKEv2, 450
client inside, 338
clients, remote access clients. See remote access clients
cloning, virtual access cloning, 295–297
cluster debugging, IKEv2, 450
cluster loads, FlexVPN load balancer, 369–372
CMD (Cisco meta data), 179
CoA (change-of-authorization), 303–304
co-existence, FlexVPN, authorization types, 245
collect command, 441
combined algorithm overhead, 512–513
combined mode ciphers, 77, 112
combined-mode ciphers, IKEv2 proposals, 110
commands
aaa authorization, 223, 225, 229, 233
aaa authorization group, 229, 237–238
aaa authorization group override, 294
aaa authorization user, 285, 484
aaa new-model command, 222
authenticate remote anyconnect-eap, 323
authentication, 147
backup group, 353
CFG_ACK, 252
CFG_REPLY, 251
CFG_REQUEST, 251
CFG_SET, 252
clear crypto ikev2 diagnose error, 461
clear crypto ikev2 sa, 186
clear crypto ikev2 sa remote, 360
clear crypto session, 186
client connect tunnel interface-number, 348
client connect Tunnelo, 408, 412
client inside, 338
collect, 441
config-exchange request, 251
config-exchange set accept, 251
config-exchange set send, 251
config-set, 497
copy run start, 346
crypto eap credential profile1, 337
crypto ikev2 authorization policy, 222, 228
crypto ikev2 cluster, 368
crypto ikev2 cookie-challenge number, 37
crypto ikev2 diagnose error, 159
crypto ikev2 disconnect-revoked-peers, 182
crypto ikev2 keyring, 129
crypto ikev2 name-mangler, 224
crypto ikev2 profile, 138
crypto ikev2 redirect client, 374
crypto ikev2 redirect gateway init, 377
crypto ipsec df-bit {clear | set | copy}, 528
crypto ipsec fragmentation, 532
crypto ipsec fragmentation {before-encryption | after-encryption}, 528
crypto ipsec profile, 348
crypto ipsec security-association replay window-size disable, 494
crypto key generate, 162
crypto mib ipsec flow history tunnel size, 427
crypto pki authenticate, 164
crypto pki profile enrollment, 163
debug aaa authorization, 436
debug aaa proto {local | radius}, 486–487
debug commands
AAA (authentication, authorization, and accounting), 501
EAP (Extensible Authentication Protocol), 501
IKEv2, 501
IPsec, 501
PKI (Public Key Infrastructure), 502
RADIUS, 501
debug crypto condition unmatched, 456
debug crypto ikev2, 187, 360, 436, 466, 473
debug crypto ikev2 client flexvpn, 353
debug crypto ikev2 cluster detail, 369
debug crypto ikev2 packet, 126, 450
debug crypto ikev2 packet debugging, 491
debug crypto ikev2 packet hexdump, 451
debug crypto ipsec, 453
debug crypto ipsec metadata sgt, 181
debug crypto kmi, 455
debug crypto pki, 473
debug ip dns name-list, 341
debug ip tcp, 474
debug vtemplate, 487
debug vtemplate cloning, 487
default crypto ikev2 authorization policy, 230
dn all, 227
dn common-name, 226
dn country, 227
dn domain, 226
dn locality, 227
dn organization, 227
dn organization-unit, 226
dn state, 227
eap all, 227
eap dn common-name, 227
eap dn country, 227
eap dn domain, 227
eap dn locality, 227
eap dn organization, 227
eap dn organization-unit, 227
eap prefix delimiter., 227
eap prefix delimiter @, 227
eap prefix delimiter (backslash), 227
eckeypair, 163
email all, 226
email domain, 226
email username, 226
enrollment url, 163
fqdn all, 226
fqdn domain, 226
fqdn hostname, 225
import all, 343
ip | ipv6 unnumbered, 102
ip address, 215
ip address negotiated, 334, 348
ip http server, 161
ip nat inside, 405
ip tcp adjust-mss, 527
ip unnumbered, 218
ip unreachables, 520
ip vrf, 100
IPsec commands, considerations when moving to IKEv2, 543–544
ipv6 address, 215
ipv6 mtu, 531
ipv6 tcp adjust-mss, 527
ipv6 unnumbered, 218
ipv6 unreachables, 522
ivrf, 152
match, 441
match certificate, 472
method-est, 163
monitor event-trace, 449
no crypto ipsec nat-transparency udp-encapsulation, 64
no lifetime, 184
no logging event link-status, 424
no route accept, 267
no shutdown, 161
peer reactivate, 346
pki trustpoint, 470
reconnect, 310
responder-only, 167
revocation-check method command, 164
route accept any, 230
service-policy, 296
set ikev2-profile, 167
set peer hostname dynamic, 130
set pfs, 167
set reverse-route, 167
set security-association, 167
set security-association replay window-size disable, 494
set transform-set, 167
show aaa attribute protocol radius, 228
show cef interface, 531
show commands
IKEv2, 500
IPsec, 500
PKI (Public Key Infrastructure), 501
troubleshooting, 447
show crypto ikev2 authorization policy, 229
show crypto ikev2 client flexvpn, 348, 358
show crypto ikev2 client flexvpn flex1 detail, 342
show crypto ikev2 client flexvpn name, 358
show crypto ikev2 cluster, 369, 374
show crypto ikev2 diagnose error, 460
show crypto ikev2 proposal, 34, 109, 463
show crypto ikev2 sa detail, 282
show crypto ikev2 sa detailed, 144, 177, 313, 343, 359, 397, 399
show crypto ikev2 session detailed, 144
show crypto ipsec sa, 530, 560
show crypto ipsec transform-set, 488
show crypto pki certificate verbose, 480
show crypto pki certificates, 467
show crypto pki counters, 475
show crypto pki trustpoints, 467
show crypto session brief, 560
show crypto session detail, 186, 313
show crypto sessions, 95
show crypto sockets, 95
show derived-config, 91
show ip dhcp import, 343
show ip dns name-list, 341, 343
show ip interfaces, 518
show ip nat statistics, 406
show ip nat translations, 406
show ip route vrf, 460
show ip traffic, 522
show ipv6 interfaces, 518
show ipv6 traffic, 523
show ntp associations, 471
show platform hardware qfp active feature ipfrag global, 522–523
show run all, 184
show running-config, 91
show running-configuration, 478
show standby, 375
show track, 359
SNMP IKE trap commands, 427
SNMP IPsec trap commands, 438–439
snmp-server enable traps ike tunnel start, 425
snmp-server enable traps ike tunnel stop, 426
snmp-server enable traps ipsec tunnel start, 438
snmp-server enable traps ipsec tunnel stop, 439
snmp-server enable traps snmp linkdown linkup, 439–440
snmp-server enable traps snmp linkup linkdown, 424–425
test aaa, 481
tunnel destination dynamic, 349, 412
tunnel destination peer-address, 90
tunnel mode gre ip, 94
tunnel path-mtu-discovery, 499, 534–535
tunnel protection, 139, 167–168, 216, 218
tunnel protection ipsec, 123
tunnel source, 218
tunnel source dynamic, 348, 408
tunnel vrf name, 102
virtual-template 1 mode auto, 396
vrf definition, 100
vrf forwarding, 100, 216, 218, 486
vrf forwarding name, 102
components of
FlexVPN load balancer, 363
HSRP (hot standby routing protocol), 366–367
IPsec, 5
PAD (Peer Authorization Database), 6
SAD (Security Association Database), 6
SPD (Security Policy Database), 5–6
SPI (Security Parameter Index), 5
Split-DNS, FlexVPN client, 340–343
conditional debugging, 456–457
confidentiality, 4
Config Payload, 58
config-exchange request, 251
config-exchange set accept, 251
config-exchange set send, 251
config-set command, 497
configuration attributes
auto-reconnect, FlexVPN server, 310–311
configuration constructs, IKEv2, 106
configuration examples
EAP (Extensible Authentication Protocol), FlexVPN server, 278–283
configuration exchange, FlexVPN, 250
configuration payload, 75
attributes, 59
configuration payload exchange, 58–59
configurations, IKEv2, 106
configuring
AAA infrastructure, FlexVPN, 222–223
AAA-based pre-shared keys, FlexVPN server, 284
authorization, FlexVPN, 233
auto-reconnect, FlexVPN server, 313–315
backup-gateway attributes, 347
default-domain attributes, 344
Diffie-Hellman group, IKEv2, 113–114
dual-factor authentication, AnyConnect-EAP, 324–325
EAP (Extensible Authentication Protocol), FlexVPN server, 277–278
configuration examples, 278–283
FlexVPN, RADIUS servers, 388–390
FlexVPN client, dual-homed branch routers, 411–412
integrity, IKEv2, 113
IPv4 DNS server attributes, 340
IPv4 WINS attribute, 343
IPv6 DNS server attributes, 341
keys, in peer blocks, 132
match statements
peer blocks, in keyring, 130
peers, in peer blocks, 130–131
pseudorandom function, IKEv2, 115
RADIUS change-of-authorization (CoA), 304
RADIUS Packet-of-Disconnect, FlexVPN server, 300
Split-DNS attributes, 341
static P2P tunnel interfaces, 214–216
trustpoints (TP), 476
user authentication, AnyConnect-EAP, 318–319
virtual-template interfaces, 216–219
connect auto mode, 408
connectionless integrity, 4
context-specific configuration, IKEv2, 106
continuous channel mode, 77
Cookie Challenge, IKEv2, 156
IKEv2 Cookie Challenge and Call Admission Control, 207–210
cookie notification, IKEv2, 36–38
copy run start, 346
Counter (CTR) mode, 510
CREATE_CHILD_SA, 24, 53, 53–54
CRL (certification revocation list), 181
CRL Distribution Point (CDP), 475
CRLs (Certificate Revocation Lists), 163
crypto eap credential profile1, 337
crypto ikev2 authorization policy, 222, 228
crypto ikev2 cluster, 368
crypto ikev2 cookie-challenge number, 37
crypto ikev2 diagnose error, 159
crypto ikev2 direct gateway init, 377
crypto ikev2 disconnect-revoked-peers, 182
crypto ikev2 error, 448
crypto ikev2 keyring, 129
crypto ikev2 name-mangler, 224
crypto ikev2 profile, 138
crypto ikev2 redirect client, 374
crypto ipsec df-bit {clear | set | copy}, 528
crypto ipsec error, 448
crypto ipsec fragmentation, 532
crypto ipsec fragmentation {before-encryption | after-encryption}, 528
crypto ipsec profile, 348
crypto ipsec security-association replay window-size disable, 494
crypto key generate, 162
crypto maps, 79
versus tunnel protection, 80–81
crypto mib ipsec flow history tunnel size, 427
crypto pki authenticate, 164
crypto pki profile enrollment, 163
crypto pki server, 160
cryptographic exchange bloat, 77
cryptographic strength, 111–112
pre-shared keys, 135
cryptography
asymmetric cryptography, 11–12
IPsec VPNs, 7
asymmetric cryptography, 8
CTR (Counter) mode, 510
D
data encapsulation, GRE (generic routing encapsulation), 495
data encryption, 488
data origin authentication, 4
data usage, monitoring, 440–443
datagram format, ESP (Encapsulating Security Payload), 18–19
Dead Peer Detection (DPD), IKEv2, 149–151, 158–159
debug aaa authorization, 436
debug aaa proto {local | radius}, 486–487
debug commands
AAA (authentication, authorization, and accounting), 501
EAP (Extensible Authentication Protocol), 501
IKEv2, 501
IPsec, 501
PKI (Public Key Infrastructure), 502
RADIUS, 501
debug crypto condition unmatched, 456
debug crypto ikev2, 123, 187, 360, 436, 466, 473
debug crypto ikev2 client flexvpn, 353, 450
debug crypto ikev2 cluster detail, 369, 375
debug crypto ikev2 packet, 126, 450
debug crypto ikev2 packet debugging, 491
debug crypto ikev2 packet hexdump, 451
debug crypto ipsec, 453
debug crypto ipsec metadata sgt, 181
debug crypto pki, 473
debug ip dns name-list, 341
debug ip packet, 406
debug ip tcp, 474
debug vtemplate, 487
debug vtemplate cloning, 487
debugging, 449
authentication, with PKI, 470
conditional debugging, 456–457
FlexVPN client, 360
IPsec debugging, 453
KMI (Key Management Interface), 453–455
PKI (Public Key Infrastructure), 456
verbose debugging, 181
default crypto ikev2 authorization policy, 230
default IKEv2 authorization policy, 229–231
default IKEv2 policies, 121–122
default proposals, IKEv2, 115–117
default-domain attributes, configuring, 344
defaults, smart defaults, 168–169
deleting, SAs (Security Associations), 57–58
deployments
IKEv2
Cookie Challenge and Call Admission Control, 207–210
pre-shared-key authentication with smart defaults, 189–194
RSA authentication using HTTP URL lookup, 200–207
depo, IKEv2, ECDSA (Elliptic-Curve Digital Signature Algorithm) authentication, 194–200
DER (Distinguished Encoding Rules), 44, 201
DES, 111
detail keyword, 559
detection, NAT-D (Network Address Translation-Detection), 64
DF (Don’t Fragment), 172
diagnose error, IKEv2, 460–461
diagnostics, IKEv2, 159
dial backups, FlexVPN client, 352–353
Differentiated Services Code Point (DSCP), 74
Diffie, Whitfield, 9
Diffie-Hellman exchange, 8–11, 24, 26–29
initiators, 28
MITM (man-in-the-middle) attack, 45
SA_INIT, 29
Diffie-Hellman group, 30
Diffie-Hellman tests, IKEv2, 65
digital certificates, 12
digital signatures, 12
disabling
anti-replay, 494
default IKEv2 policies, 122
default IKEv2 proposals, 116
profiles, IKEv2, 153
disconnecting revoked peers, 182
DisconnectOnSuspend, 311
displaying, profiles, IKEv2, 153–154
Distinguished Encoding Rules (DER), 44, 201
distinguished name (DN), 224
DN (distinguished name), 224
extracting names from, 226–227
dn all, 227
dn common-name, 226
dn country, 227
dn domain, 226
dn locality, 227
dn organization, 227
dn organization-unit, 226
dn state, 227
domain names, FlexVPN client, 344–345
Don’t Fragment (DF), 172
DPD (Dead Peer Detection), IKEv2, 149–151, 158–159
DSCP (Differentiated Services Code Point), 74
dual stack
FlexVPN client, 335
GRE (generic routing encapsulation), 96
dual-factor authentication
AnyConnect-EAP XML messages, 322–324
configuring with AnyConnect-EAP, 324–325
dual-homed branch routers, FlexVPN client configuration, 408–409, 411–412
dummy packets, ESP (Encapsulating Security Payload) version 3, 20
dynamic keyword, 346
dynamic routing, FlexVPN client, 335
dynamic routing protocols, 498–499
dynamic tunnel interfaces, 91–92
dynamic tunnel source, FlexVPN WAN resiliency, 407–408
dynamic VTI (dVTI), 92
E
EAP (Extensible Authentication Protocol), 48–50, 146, 480–485
debug commands, 501
FlexVPN server, configuring, 277–278
eap all, 227
EAP methods, 272
eap dn common-name, 227
eap dn country, 227
eap dn domain, 227
eap dn locality, 227
eap dn organization, 227
eap dn organization-unit, 227
eap dn state, 227
EAP identity, 224
extracting names, 227
EAP message flow, FlexVPN server, 273
EAP methods
FlexVPN server, 272
TLS (transport layer security), 272
eap prefix delimiter., 227
eap prefix delimiter @, 227
eap prefix delimiter , 227
EAP timeout, FlexVPN server, 275
EAP tunneled methods, 272
ECDH (Elliptic Curve Diffie Hellman), 10
ECDSA (Elliptic-Curve Digital Signature Algorithm), 73
ECDSA (Elliptic-Curve Digital Signature Algorithm) authentication
ECDSA (Elliptic-Curve Digital Signature Algorithm) signatures, 12
eckeypair, 163
EEM (embedded event manager), 356–358
EIGRP (enhanced interior gateway routing protocol), 191
EKU (Extended Key Usage), 469, 480
AnyConnect, 469
Elliptic Curve Diffie Hellman (ECDH), 10
extracting names from, 226
IKE identity types, 224
email all, 226
email domain, 226
email username, 226
embedded event manager (EEM), 356–358
enabling, configuration exchange, FlexVPN, 250–251
encapsulating security payload overhead, 507–509
Encapsulating Security Payload (ESP). See ESP (Encapsulating Security Payload), 2–3
encapsulation, modes of encapsulation, 82
GRE over IPsec, 83
encipherment, 7
ENCR (Encryption algorithm), 30
encrypted payload structures, 43–44
ESP (Encapsulating Security Payload), 17–18
IKEv2
algorithms in Cisco IOS, 111
IP Authentication Header, 15–16
Encryption Algorithm (ENCR), 30
enhanced interior gateway routing protocol (EIGRP), 191
Enrollment over Secure Transport (EST), 163
enrollment url, 163
error debugging, IKEv2, 450
ESN (Extended Sequence Numbers), 30
ESP (Encapsulating Security Payload), 2–3, 17, 504
anti-replay services, 18
authentication, 18
confidentiality, 4
encryption, 18
ESP (Encapsulating Security Payload) version 3, 19
dummy packets, 20
extended sequence numbers, 19
TFC (Traffic Flow Confidentiality), 20
ESP-NULL, 16
EST (Enrollment over Secure Transport), 163
event-trace monitoring, 447–449
examples
AAA-based pre-shared keys, FlexVPN server, 285–287
configuration exchange, FlexVPN, 259–264
EAP (Extensible Authentication Protocol), FlexVPN server, 278–283
FlexVPN, implicit authorization, 243–245
IKEv2 load balancing, FlexVPN load balancer, 376–378
IPsec configuration, 168
RADIUS change-of-authorization (CoA), FlexVPN server, 305–309
RADIUS Packet-of-Disconnect, FlexVPN server, 301–303
soft migration, transitioning from IKEv1 to IKEv2, 551–552
virtual access cloning, 295–297
exchange modes
Exchange Type, 55
explicit padding, 510
Extended Authentication within IKE (XAUTH), 69
Extended Authentication within ISAKMP/Oakley, 69
Extended Key Usage (EKU), 469
extended sequence numbers, ESP (Encapsulating Security Payload) version 3, 19
Extensible Authentication Protocol. See EAP (Extensible Authentication Protocol)
extensions, for EAP-only authentication, 65
external AAA servers, FlexVPN, group authorization, 239–241
extracting names
from EAP identity, 227
from email identity, 226
FlexVPN client, 336
F
familiarization, considerations when moving to IKEv2, 545
FIB (Forwarding Information BAse), 94
flapping tunnel interface, 499
Flexible NetFlow, 418
FlexVPN, 540
AAA-based pre-shared keys, 381–382
branch-1 router configuration, 382–383
branch-2 router configuration, 383
hub router configuration, 383–384
RADIUS server configuration, 384–386
attributes, 253
configuring, 233
implicit authorization, 242–245
auto-detection of tunnel encapsulation and transport, 219–221
building blocks of
Cisco IOS AAA infrastructure, 221–223
point-to-point tunnel interfaces, 214–221
Cisco private use configuration attributes, 257–258
configuration attributes, 258
configuration exchange, 250
configuration payload, 251–253, 258
configuring
default IKEv2 authorization policy, 229–231
group and user authorization, 386
IKEv2, authorization policy, 228–229
migration strategies, 544
remote subnets, 264
routing, dual stack, and tunnel mode auto, 391–392
spoke configuration
branch 1 configuration, 392–394
branch 2 configuration, 394–395
verification at branch 1, 397–399
verification at branch 2, 399–400
value proposition, 213
virtual access cloning examples, 295–297
FlexVPN backup tunnels, track-based tunnel activation, 414–415
FlexVPN client
advanced features, 336
backup gateway lists, 347
backup gateways, 346
building blocks of
FlexVPN client profiles, 334
IKEv2 configuration exchange, 334
NAT (Network Address Translation), 335
object tracking, 334
static P2P tunnel interfaces, 334
clearing IKEv2 FlexVPN client sessions, 360
configuring on dual-homed branch routers, 411–412
debugging, 360
dual stack, 335
dual-homed branch routers, configuring, 408–409
dynamic routing, 335
EAP authentication, 335, 337–338
EzVPN, 336
FlexVPN load balancer, 374
group and user authorization
branch 1 configuration, 386
branch 2 configuration, 387
NAT (Network Address Translation), 354–355, 404–405
network extension modes, 336
PKI (Public Key Infrastructure), 356
pre-shared keys, 356
reactivating peers, 346
resolution of FQDN (fully qualified domain names), 346
setting up FlexVPN servers, 336–337
tracking, 356
EEM (embedded event manager), 356–358
tracking lists of objects, with boolean expressions, 350–352
troubleshooting
debugging, 360
tunnel destination, 349
tunnel initiation, 350
automatic mode, 350
manual mode, 350
track mode, 350
verification, 409–410, 412–413
WINS (Windows Internet Naming Service), 343–344
FlexVPN client profiles, 334
FlexVPN feature, 90
FlexVPN hub resiliency, backup peers, 411
FlexVPN IKEv2 Load Balancer, 367–369
components of, 363
HSRP (hot standby routing protocol), 366–367
FlexVPN client, 374
FlexVPN IKEv2 Load Balancer, 367–369
IKEv2 load balancing, examples, 376–378
troubleshooting, IKEv2 load balancing, 374–375
FlexVPN server
AAA-based pre-shared keys, 283–284
configuring, 284
RADIUS attributes, 285
configuring dual-factor authentication, 324–325
configuring user authentication, 318–319
dual-factor authentication, 320–324
auto detection of tunnel transport and encapsulation, 297–298
EAP (Extensible Authentication Protocol)
configuration examples, 278–283
EAP methods, 272
EAP message flow, 273
EAP timeout, 275
configuration attributes, 310–311
per-session interface, 290–291
query-identity, 277
RADIUS change-of-authorization (CoA), 303–304
configuring, 304
RADIUS Packet-of-Disconnect, 299–300
configuring, 300
remote access clients, 329
Cisco IKEv2 AnyConnect clients, 330
Microsoft Windows 7 IKEv2 clients, 329–330
timeout option, 278
virtual access configurations
incoming sessions, 294
FlexVPN WAN resiliency
dual-homed branch routers, FlexVPN client configuration, 408–409
dynamic tunnel source, 407–408
FlexVPN client, verification, 409–410
flow monitors, 441
flow records, 441
Forwarding Information Base (FIB), 94
FQDN (fully qualified domain name), 224
extracting names from, 225–226
resolution of FQDN (fully qualified domain names), FlexVPN client, 346
fqdn all, 226
fqdn domain, 226
fqdn hostname, 225
fragmentation
session authentication, 181–182
session deletion on certificate expiry, 184
session deletion on certificate revocation, 182–184
IPsec
MTU (maximum transmission unit), 518–519
PMTUD (path MTU discovery), 523–525, 527–531
TCP MSS clamping, 525
tunnels, 531
GRE (generic routing encapsulation), 532–533
GRE over IPsec, 534
PMTUD (path MTU discovery), 534–535
Front-door VRF (VFRF), 118
G
generic routing encapsulation. See GRE (generic routing encapsulation)
global configuration, IKEv2, 106, 155
HTTP URL-based certificate lookup, 156
global IKE, considerations when moving to IKEv2, 543–544
GRE (generic routing encapsulation), 80, 495
fragmentation, tunnels, 532–533
implementation modes
auto tunnel mode, 99
dual stack, 96
traffic, non-IP protocols, 86
GRE over IPsec, 83
fragmentation, tunnels, 534
GRE tunnel keys, mismatching, 495
GRE/IP encapsulation, 82
group authorization
FlexVPN client, 386
branch 1 configuration, 386
branch 2 configuration, 387
guiding principles, IKEv2, 106
H
half connections, 36
hard migration, transitioning from IKEv1 to IKEv2, 548–549
hardware limitations, considerations when moving to IKEv2, 540
Hardware Security Modules (HSM), 545
hash algorithms, signatures, 163
Hashed Message Authentication Code (HMAC), 4
Hellman, Martin, 9
high availability, 74
considerations when moving to IKEv2, 547
HMAC (Hashed Message Authentication Code), 4, 18, 40
HMAC-MD5–96, 515
HMAC-SHA-256–128, 515
HMAC-SHA-384–192, 515
HMAC-SHA-512–256, 515
hot standby routing protocol (HSRP), FlexVPN load balancer, 366–367
HSM (Hardware Security Modules), 545
HSRP (hot standby routing protocol), FlexVPN load balancer, 366–367
HTTP URL lookup, RSA authentication using HTTP URL lookup, 200–207
HTTP URL-based certificate lookup, 156
HTTP_CERT_LOOKUP_SUPPORTED, 39
hub configuration, FlexVPN, spoke configuration, 395–397
hub router configuration, AAA-based pre-shared keys, FlexVPN, 383–384
hub-and-spoke topology
hard migration, 549
I
ICV (Integrity Check Value), 4, 15
ID_DER_ASN1_DN, 45
ID_DER_ASN1_GN, 45
ID_IPV4_ADDR, 44
ID_IPV6_ADDR, 45
ID_KEY_ID, 45
ID_RFC 822_ADDR, 45
EAP identity, FlexVPN server, 273–275
IKEv2, 74
local IKE identities, defining local IKE identities, 143–145
identity services engine (ISE), 178
identity times, IKE identity types, 224
IETF (Internet Engineering Task Force), 23
IKE (Internet Key Exchange), 2
IKE identity types, 224
IKE trap commands, SNMP (Simple Network Management Protocol), 427
IKE_AUTH, 13, 24, 42, 174, 175–176
identity, 45
parameters, 43
troubleshooting, 464
ECDSA (Elliptic-Curve Digital Signature Algorithm) authentication, 465–468
IKEv1
anti-denial of service, 72
combined mode ciphers, 77
configuration payload, 75
continuous channel mode, 77
cryptographic ciphers, 77
high availability, 74
NAT (Network Address Translation), 74–75
traffic selectors, 74
IKEv2 (Internet Key Exchange protocol version 2), 1
anti-denial of service, 72
EAP (Extensible Authentication Protocol), 48–50
pre-shared-key-based authentication, 47
signature-based authentication, 46
auto-reconnect
FlexVPN server, configuration attributes, 310–311
FlexVPN server, configuring, 313–315
FlexVPN server, smart DPD, 311–313
CAC (Call Admission Control), 157
HTTP_CERT_LOOKUP_SUPPORTED, 39
clearing IKEv2 FlexVPN client sessions, 360
client debugging, 450
cluster debugging, 450
combined mode ciphers, 77
configuration constructs, 106
configuration exchange, FlexVPN client, 334
configuration payload, 75
considerations when moving to IKEv2
client awareness, 545
current VPN technology, 540–541
familiarization, 545
FlexVPN, 544
hardware limitations, 540
high availability, 547
IP addresses, 543
IPv6, 546
PKI (Public Key Infrastructure), 545–546
restrictions when running IKEv1 and IKEv2 simultaneously, 541–542
routing protocols, 541
software, 543
VPN gateways, 543
context-specific configuration, 106
continuous channel mode, 77
Cookie Challenge, 156
cryptographic exchange bloat, 77
debug commands, 501
deployments
Cookie Challenge and Call Admission Control, 207–210
ECDSA (Elliptic-Curve Digital Signature Algorithm) authentication, 194–200
pre-shared-key authentication with smart defaults, 189–194
RSA authentication using HTTP URL lookup, 200–207
diagnostics, 159
Diffie-Hellman group, configuring, 113–114
DPD (Dead Peer Detection), 149–151, 158–159
dual-factor authentication, 320–321
encrypted payload structures, 43–44
encryption, 14
algorithms in Cisco IOS, 111
error debugging, 450
fragmentation, 171–172, 173–178
global configuration, 106, 155
HTTP URL-based certificate lookup, 156
guiding principles, 106
high availability, 74
integrity, configuring, 113
internal debugging, 450
key material generation, 39–42
configuration examples, 134–135
key lookup on initiators, 132–133
key lookup on responders, 133–134
overview, 136
pre-shared-key authentication with smart defaults, 190
MOBIKE, 75
NAT (Network Address Translation), 61–64, 74–75
packet debugging, 450
PKI (Public Key Infrastructure)
configuring match statements, 120–121
configuring proposals under, 119–120
default IKEv2 policies, 121–122
policy configuration examples
per-peer IKEv2 policies, 125–126
policy selection
pre-shared key lookup parameters, 134
configuring match statements, 139–142
defining local and remote authentication methods, 145–149
defining local IKE identities, 143–145
defining scope, 143
disabling, 153
initial contact, 151
initiators and responders, 154
IVRF (inside VRF), 152
lifetime, 151
matching peer identity, 142–143
matching peers by identity, 141–142
NAT keepalives, 152
peer authorization database, 137–138
pre-shared-key authentication with smart defaults, 190
virtual template interface, 153
configuring under IKEv2 policies, 119–120
protected tunnel interface, 558
pseudorandom function, configuring, 115
public-private key pair, 162
redirect, FlexVPN load balancer, 363–366, 372–373
reliability, 77
request-response, 61
SAs (Security Associations)
lifetime, 151
session authentication, 181–182
session deletion on certificate expiry, 184
session deletion on certificate revocation, 182–184
SGT (security group tags), 178–181
shared secrets, 13
show commands, 500
SNMP (Simple Network Management Protocol), 425–427
standard attributes, 253
traffic selectors, 74
window size, 158
Diffie-Hellman exchange, 26–29
SPI (Security Parameter Index), 34–35
IKEv2-password-local, 285
IKEv2-password-remote, 285
impact of, fragmentation, 535–536
implementation modes, GRE (generic routing encapsulation)
auto tunnel mode, 99
dual stack, 96
implicit authorization, 269, 285
import all, 343
inacl, 304
incoming sessions, deriving virtual access configurations, FlexVPN server, 294
INFORMATIONAL exchange, 56
deleting SAs (Security Associations), 57–58
initial contact, IKEv2, 52, 151
initial exchange, 24
initial handshake, 24
INITIAL_CONTACT, 52
initialization vector (IV), 18
initiators
Diffie-Hellman exchange, 28
policy selection, IKEv2, 122–124
profiles, IKEv2, 154
inside VRF (IVRF), 118
INTEG (Integrity algorithm), 30
integrity, 15
connectionless integrity, 4
IKEv2, configuring, 113
Integrity Algorithm, 30
Integrity Check Value (ICV), 4, 15
interface Tunnel number, 91
interface-config AAA attribute, 293–294
interface-config attribute, 296, 303
interfaces
dynamic tunnel interfaces, 91–92
flapping tunnel interface, 499
P2P (point-to-point) tunnel interfaces, 214–221
per-peer P2P tunnel interfaces, 221
static P2P tunnel interfaces, 214–216
static tunnel interfaces, 90
traffic selection by routing, 88–90
virtual access interfaces, 217
virtual template interface, 291–293
virtual-access interface, 290–291
internal debugging, IKEv2, 450
INTERNAL_IP4_ADDRESS, 254
INTERNAL_IP4_DNS, 256
INTERNAL_IP4_NBNS, 257
INTERNAL_IP4_NETMASK, 254
INTERNAL_IP4_SUBNET, 255
INTERNAL_IP6_ADDRESS, 255
INTERNAL_IP6_DNS, 256
INTERNAL_IP6_SUBNET, 256
Internet Engineering Task Force. See IETF (Internet Engineering Task Force)
Internet Key Exchange (IKE), 2
Internet Key Exchange protocol version 2. See IKEv2
ip | ipv6 unnumbered, 102
ip address, 215
ip address negotiated, 334, 348
IP addresses, considerations when moving to IKEv2, 543
IP Authentication Header, 15–16
IP fragmentation, overview, 172–173
ip http server, 161
ip nat inside, 405
ip nat outside command, 355, 405
IP protocol numbers, 50
ip tcp adjust-mss, 527
ip unnumbered, 218
ip unreachables, 520
ip vrf, 100
IP_FQDN, 44
IPsec
building blocks of, 2
access control, 4
anti-replay services, 4
confidentiality, 4
connectionless integrity, 4
data origin authentication, 4
key management protocol, 3
SAs (Security Associations), 3
security services, 3
TFC (Traffic Flow Confidentiality), 4–5
components of, 5
PAD (Peer Authorization Database), 6
SAD (Security Association Database), 6
SPD (Security Policy Database), 5–6
SPI (Security Parameter Index), 5
debug commands, 501
fragmentation
MTU (maximum transmission unit), 518–519
PMTUD (path MTU discovery), 523–525, 527–531
TCP MSS clamping, 525
GRE over IPsec, 83
modes of, 20
tunnel mode, 21
overlay routing, 495
show commands, 500
VRF (Virtual Routing and Forwarding), 99–101
IPsec commands, considerations when moving to IKEv2, 543–544
examples, 168
IPsec debugging, 453
IPsec dVTI, 153
IPsec mode overhead (without GRE), 505
encapsulating security payload overhead, 507–509
IPsec mode overhead (without GRE), 505
IPsec profiles, 167
IPsec Remote Access Client (IRAC), 58
IPsec Remote Access Server (IRAS), 58
IPsec SA
rekey, 54
traffic selectors, 51
IPsec security services, 3
IPsec SNMP trap, 437
IPsec transport mode, GRE over IPsec, 83–84
IPsec tunnel encapsulation, 92
IPsec tunnel mode
VTI (Virtual Tunnel Interface), 87–88
IPsec VPN methodology, troubleshooting, 446
IPsec VPNs, 2
cryptography, 7
asymmetric cryptography, 8
IPsec-v3 standards, 504
IPv4
tunnels, mixed mode, 96
IPv4 DNS server attributes, configuring, 340
IPv4 WINS attribute, 343
ipv4-pool, 250
IPv6
considerations when moving to IKEv2, 546
pre-shared-key authentication with smart defaults, 191
ipv6 address, 215
IPv6 DNS server attributes, configuring, 341
ipv6 mtu, 531
ipv6 tcp adjust-mss, 527
ipv6 unnumbered, 218
ipv6 unreachables, 522
IRAC (IPsec Remote Access Client), 58
IRAS (IPsec Remote Access Server), 58
irvf command, 152
ISAKMP, 68
ISE (identity services engine), 178
IV (initialization vector), 18
IVRF (inside VRF), 118
profiles, IKEv2, 152
K
KE (Key Exchange) payload, 27–28
KEi, 26
KEr, 26
Key Exchange payload. See KE (Key Exchange) payload
key lookup
Key Management Interface. See KMI (Key Management Interface)
key management protocol, 3
key material generation, IKEv2, 39–42
key pairs, public-private key pair, 162
Key Usage, 469
KEY_ENG_DELETE_SAS, 454
KEY_ENG_IPSEC_READY, 454
KEY_ENG_NOTIFY_INCR_COUNT, 454
KEY_ENG_REQUEST_SAS, 454
KEY_MGR_CREATE_IPSEC_SAS, 454
KEY_MGR_DELETE_SAS, 455
KEY_MGR_IKMP_READY, 454
KEY_MGR_SESSION_CLOSED, 455
KEY_MGR_VALIDATE_IPSEC_PROPOSALS, 454
configuration examples, 134–135
configuring peer blocks, 130
key lookup on initiators, 132–133
key lookup on responders, 133–134
overview, 136
pre-shared-key authentication with smart defaults, 190
keys
AAA-based pre-shared keys
FlexVPN server, 284
RADIUS attributes, 285
asymmetric keys, 132
authentication pre-shared keys, 429–431
configuring, in peer blocks, 132
GRE tunnel keys, mismatching, 495
cryptographic strength, 135
FlexVPN client, 356
symmetric keys, 132
KeyUsage extension, 469
keywords
cached, 234
detail, 559
dynamic keyword, 346
max-redirects, 374
sign, 476
timeout, 484
KMI (Key Management Interface), debugging, 453–455
L
legacy algorithms, 111
IKEv2, SAs (Security Associations), 151
SAs (Security Associations), 7
lifetime certificate, 184
liveness checking, 24
load balancers, FlexVPN load balancer. See FlexVPN load balancer
load balancing
high availability, 547
troubleshooting, IKEv2 load balancing, 374–375
local AAA database, FlexVPN, group authorization, 238–239
local authentication methods, IKEv2 profiles, 145–149
local IKE identities, defining, 143–145
M
Main mode, 70
Management Information Base (MIB), 419
man-in-the-middle (MITM) attack, 13
manual mode, tunnel initiation (FlexVPN client), 350
master session key (MSK), 272
match certificate command, 472
match certificates, 139, 140–141
match command, 441
match fvrf any statement, 122
match identity remote any, 142
match statements, configuring
matching
peers
with certificate maps, 472–473
maximum authentication header overhead, 516
maximum ESP overhead, 515
maximum ICV padding, 514
maximum input padding, 514
maximum output overhead, 514
Maximum Segment Size (MSS), 525–527
maximum transmission unit (MTU), 172
max-redirects, 374
MD5, 115
Md5, 113
messages, Proposal Incomplete message, 108
method-est, 163
methodologies, monitoring methodology, 422–423
mGRE, 83
MIB (Management Information Base), 419
Microsoft Windows 7 IKEv2 clients, FlexVPN server, 329–330
migration strategies, 539, 548
considerations when moving to IKEv2
client awareness, 545
current VPN technology, 540–541
familiarization, 545
FlexVPN, 544
hardware limitations, 540
high availability, 547
IP addresses, 543
IPv6, 546
PKI (Public Key Infrastructure), 545–546
restrictions when running IKEv1 and IKEv2 simultaneously, 541–542
routing protocols, 541
software, 543
VPN gateways, 543
topologies, 561
hub-and-spoke topology, 562–564
transitioning from IKEv1 to IKEv2, 548
migration verification, 559–561
mismatching, GRE tunnel keys, 495
MITM (man-in-the-middle) attack, 13
Diffie-Hellman exchange, 45
mixed mode, GRE (generic routing encapsulation), 96–99
MMx, 70
MOBIKE, 75
Mobility and Multihoming protocol, 75
modes, 79
continuous channel mode, 77
modes of encapsulation, 82
GRE over IPsec, 83
modes of IPsec, 20
tunnel mode, 21
modifying
default IKEv2 policies, 122
default IKEv2 proposals, 116–117
monitor even-trace crypto ipsec, 448
monitor event-trace, 449
monitor event-trace crypto ikev2, 448
monitoring
AAA (authentication, authorization, and accounting), 418
authentication pre-shared keys, 429–431
authorization, RADIUS-based AAA, 436
data encryption, SNMP with IPsec, 437–439
SNMP (Simple Network Management Protocol), 419–420
syslog, 421
VPN tunnel establishment, 425
Cisco IPsec flow monitor MIB, 425
monitoring methodology, 422–423
MPLS (Multiprotocol Label Switching), 2
MSK (master session key), 272
MSS (Maximum Segment Size), 525–526
MSS clamping, 525
MTU (maximum transmission unit), 172
multiple proposals, IKEv2 policy configuration examples, 126–127
Multiprotocol Label Switching. See MPLS (Multiprotocol Label Switching
multi-SA dVTI, 92
N
name verification, AnyConnect, 468
names, extracting
from EAP identity, 227
from email identity, 226
NAPT (network address port translation), 221
NAT (Network Address Translation), 74–75
FlexVPN client, 335, 354–355, 404–405
NAT keepalives, 59–61, 152, 159
NAT-D (Network Address Translation-Detection), 64
negotiations, SGT (security group tags), IKEv2, 178–181
network address port translation (NAPT), 221
network extension modes, FlexVPN client, 336
Network Time Protocol (NTP), 471
Next Hop Resolution Protocol (NHRP), 86, 93
next-generation encryption (NGE), 112
NGE (next-generation encryption), IKEv2, 125
NHRP (Next Hop Resolution Protocol), 86, 93
Ni, 26
no crypto ipsec nat-transparency udp-encapsulation, 64
no lifetime, 184
no logging event link-status, 424
no route accept, 267
no shutdown command, 161
non-broadcast, 93
non-IP protocols, 86
Notification payload, 56
notifications, REDIRECT notification, 363–366
Nr, 26
NTP (Network Time Protocol), 471
null encryption, 16
O
OAKLEY, 68
object tracking, FlexVPN client, 334
EEM (embedded event manager), 356–358
OCSP (online certificate status protocol), 181
on-demand mode, DPD (Dead Peer Detection), 150
online certificate status protocol (OCSP), 181
outacl, 304
outbound IPsec SA parameters, 215
overhead
authentication header overhead, 509–510
combined algorithm overhead, 512–513
GRE (generic routing encapsulation), 505–507
IPsec. See IPsec overhead
maximum authentication header overhead, 516
maximum ESP overhead, 515
overload limit, 372
P
P2P (point-to-point) tunnel interfaces, 214–221
packet debugging, IKEv2, 450
packet structure, IKEv2, 55–56
Packet-of-Disconnect (PoD), 299
PAD (Peer Authorization Database), 6
parameters
global configuration, IKEv2, 155
IKE_AUTH, 43
outbound IPsec SA parameters, 215
pre-shared key lookup parameters, IKEv2, 134
path MTU discovery (PMTUD), 172–173
Peer Authorization Database. See PAD (Peer Authorization Database)
peer blocks, configuring
in keyring, 130
keys, 132
peer identity, matching, IKEv2, 142–143
peer reactivate, 346
peers, 2
backup peers, FlexVPN hub resiliency, 411
configuring, in peer blocks, 130–131
matching
with certificate maps, 472–473
reactivating, FlexVPN client, 346
remote subnets, FlexVPN, 266–267
revoked peers, disconnecting, 182
PEM (Privacy Enhanced Mail), 201
periodic mode, DPD (Dead Peer Detection), 150
per-peer IKEv2 policies, 125–126
per-peer P2P tunnel interfaces, 221
per-session interface, FlexVPN server, 290–291
PKI (Public Key Infrastructure), 11, 159–160, 456
CA (certificate authority), 12, 160–162
certificate-based authentication, 147–148
considerations when moving to IKEv2, 545–546
debug commands, 502
debugging, 456
authentication, 470
digital certificates, 12
FlexVPN client, 356
public-key cryptography, 11–12
public-private key pair, 162
show commands, 501
PMTUD (path MTU discovery), 172–173
fragmentation, tunnels, 534–535
IPsec, fragmentation, 523–525, 527–531
PoD (Packet-of-Disconnect), FlexVPN server, 299
point-to-point tunnel interfaces. See P2P (point-to-point) tunnel interfaces
configuring match statements, 120–121
configuring proposals under, 119–120
default IKEv2 policies, 121–122
policy configuration examples, IKEv2
per-peer IKEv2 policies, 125–126
policy selection, IKEv2
precedence, FlexVPN
pre-shared key authentication, 147
pre-shared key lookup parameters, IKEv2, 134
cryptographic strength, 135
FlexVPN client, 356
pre-shared-key authentication with smart defaults, 189–194
pre-shared-key-based authentication, 47
PRF (pseudorandom function), 7, 30, 31, 40–41
algorithms, 41
IKEv2, configuring, 115
Privacy Enhanced Mail (PEM), 201
profiles
configuring match statements, 139–142
defining local and remote authentication methods, 145–149
defining local IKE identities, 143–145
defining scope, 143
disabling, 153
initial contact, 151
initiators and responders, 154
IVRF (inside VRF), 152
lifetime, 151
matching peer identity, 142–143
matching peers by identity, 141–142
NAT keepalives, 152
peer authorization database, 137–138
pre-shared-key authentication with smart defaults, 190
virtual template interface, 153
IPsec, 167
Proposal Incomplete message, 108
proposals
configuring under IKEv2 policies, 119–120
multiple proposals, IKEv2 policy configuration examples, 126–127
Security Association Proposals, 29–34
protected tunnel interface, IKEv2, 558
proto id, 491
protocols
AAA (authentication, authorization, and accounting), 418
AH (Authentication Header), 2–3
Authentication Header (AH), 15
CDP (Cisco Discovery Protocol), 86
dynamic routing protocols, 498–499
EAP (Extensible Authentication Protocol). See EAP (Extensible Authentication Protocol), 48–50
ESP (Encapsulating Security Payload), 2–3, 17
HSRP (hot standby routing protocol), FlexVPN load balancer, 366–367
ISAKMP, 68
NHRP (Next Hop Resolution Protocol), 86, 93
non-IP protocols, 86
OAKLEY, 68
OCSP (online certificate status protocol), 181
RFC 4301, 3
routing protocols, considerations when moving to IKEv2, 541
SKEME, 68
SNMP (Simple Network Management Protocol), 419–420
SXP (Security group tag exchange), 179
syslog, 421
UDP (User Datagram Protocol), 25
pseudorandom function. See PRF (pseudorandom function)
PSK, authentication, 429
Public Key Infrastructure. See PKI (Public Key Infrastructure)
public-key cryptography, 8
PKI (Public Key Infrastructure), 11–12
public-private key pair, 162
Q
QCR (quantum computer resistant), 112
query, 337
FlexVPN server, 277
Quick Mode, 70
R
RADIUS
debug commands, 501
PSK configuration, 478
RADIUS accounting, 287
authentication pre-shared keys, 429
RADIUS attributes
AAA-based pre-shared keys, 285
CoA (change-of-authorization), 303–304
RADIUS change-of-authorization (CoA)
configuring, 304
updating
RADIUS Packet-of-Disconnect, FlexVPN server, 299–300
configuring, 300
RADIUS servers
configuring
AAA-based pre-shared keys, 384–386
EAP (Extensible Authentication Protocol), configuration examples, 278, 280–281
reactivating peers, FlexVPN client, 346
reconnect, 310
Reconnect capable active session count, 315
Reconnect capable inactive session count, 315
ReconnectAfterResume, 311
reconnect-cleanup-interval, 311
reconnect-dpd-interval, 311
reconnect-session-id, 310
reconnect-timeout, 313
reconnect-token-id, 310
redirect, IKEv2, FlexVPN load balancer, 363–366, 372–373
redirect loops, FlexVPN load balancer, 373–374
redirect mechanisms, 65
REDIRECT notification, 363–366
REDIRECT payload, 65
re-enabling
default IKEv2 policies, 122
default IKEv2 proposals, 116
rekey, 7
IPsec SA, 54
SAs (Security Associations), IKEv2, 54–55
reliability, 77
remote access, migration strategies, 565–566
remote access clients, FlexVPN server, 329
Cisco IKEv2 AnyConnect clients, 330
Microsoft Windows 7 IKEv2 clients, 329–330
remote authentication methods, IKEv2 profiles, 145–149
remote subnets, FlexVPN, 264
request-response, IKEv2, 61
resolution of FQDN (fully qualified domain names), FlexVPN client, 346
responder-only, 167
responders
policy selection, IKEv2, 124–125
profiles, IKEv2, 154
restoring modified default IKEv2 proposals, 117
restrictions when running IKEv1 and IKEv2 simultaneously, 541–542
revocation, certificate revocation, 473–476
revocation-check method command, 164
revoked peers, disconnecting, 182
RFC (Request for Comments), 23
RFC 791, 520
RFC 2401, 68
RFC 2402, 68
RFC 2403, 68
RFC 2404, 68
RFC 2405, 68
RFC 2406, 68
RFC 2407, 68
RFC 2408, 68
RFC 2410, 68
RFC 2411, 68
RFC 2412, 68
RFC 2459, 469
RFC 3164, 421
RFC 3526, 11
RFC 3706, 69
RFC 3715, 69
RFC 3947, 69
RFC 3948, 69
RFC 4302, 15
RFC 4304, 69
RFC 4478, 182
RFC 4555, 75
RFC 4739, 321
RFC 4821, 525
RFC 4945, 469
RFC 5114, 11
RFC 5685, 65
RFC 5716, 299
RFC 5998, 65
RFC 6023, 66
RFC 6989, 65
RFC 7383, 174
RIB (Routing Information Base), 440, 495
Rivest-Shamir-Adleman (RSA) key pair, 160
Rivest-Shamir-Adleman Signature, 12
route accept any, 230
route set interface statement, 497
routing
asymmetric routing, considerations when moving to IKEv2, 547–548
static routing, 496
routing adjacency, 498
Routing Information Base (RIB), 440, 495
routing protocols, considerations when moving to IKEv2, 541
RSA (Rivest-Shamir-Adleman) key pair, 160
RSA authentication, troubleshooting, 465–468
RSA authentication using HTTP URL lookup, 200–207
S
Diffie-Hellman exchange, 29
parameters, 26
SA_INIT exchange, troubleshooting, 461–464
SAD (Security Association Database), 6
SAil, 26
SArl, 26
SAs (Security Associations), 2–3
IKEv2
lifetime, 151
lifetime, 7
rekey, 54
scope, IKEv2, profiles, 143
Security Association Database. See SAD (Security Association Database)
Security Association Proposals, 29–34
Security Association (SA), creating, 53–54
Security Associations. See SAs (Security Associations)
Security Associations (SA), deleting, 57–58
Security group tag exchange (SXP), 179
security group tags. See SGT (security group tags)
Security Information Event Management. See SIEM (Security Information Event Management)
security levels
IKEv2 syslog messages, 428–429
syslog, 421
Security Parameter Index (SPI), 3, 5
security payload overhead, encapsulating, 507–509
Security Policy Database. See SPD (Security Policy Database)
security services, IPsec, 3
selecting, trustpoints (TP), 476–477
sequence of events, FlexVPN server, 270–271
service-policy, 296
service-policy input, 304
session ACL, updating, with RADIUS CoA, 307–309
session authentication, IKEv2, 181–182
session deletion on certificate expiry, 184
session deletion on certificate revocation, IKEv2, 182–184
session lifetime, IKEv2, 185–187
session QoS policies, updating, with RADIUS CoA, 305–307
set ikev2-profile, 167
set peer hostname dynamic, 130
set pfs, 167
set reverse-route, 167
set security-association, 167
set security-association replay window-size disable, 494
set transform-set, 167
SET_WINDOW_SIZE notification payload, 158
SGT (security group tags), 171
SHA1, 115
Sha1, 113
SHA256, 115
SHA384, 115
Sha384, 113
SHA521, 115
Sha521, 113
shared secrets, 13
shared-key-based authentication, 47
show aaa attribute protocol radius, 228
show cef interface, 531
show commands
IKEv2, 500
IPsec, 500
PKI (Public Key Infrastructure), 501
troubleshooting, 447
show crypto ikev2 authorization policy, 229
show crypto ikev2 client flexvpn, 358
show crypto ikev2 client flexvpn flex1 detail, 342
show crypto ikev2 client flexvpn name, 358
show crypto ikev2 cluster, 369, 374
show crypto ikev2 diagnose error, 460
show crypto ikev2 flexvpn, 348
show crypto ikev2 proposal, 34, 109, 463
show crypto ikev2 sa detail, 282
show crypto ikev2 sa detailed, 144, 177, 313, 343, 359, 397, 399
show crypto ikev2 session detailed, 144
show crypto ikev2 stats reconnect, 315
show crypto ipsec sa, 530, 560
show crypto ipsec transform-set, 488
show crypto pki certificate verbose, 480
show crypto pki certificates, 467
show crypto pki counters, 475
show crypto pki trustpoints, 467
show crypto session brief, 560
show crypto session detail, 186, 313
show crypto sessions, 95
show crypto sockets, 95
show derived-config, 91
show ip dhcp import, 343
show ip dns name-list, 341, 343
show ip interfaces, 518
show ip nat statistics, 406
show ip nat translations, 406
show ip route vrf, 460
show ip traffic, 522
show ipv6 interfaces, 518
show ipv6 traffic, 523
show ntp associations, 471
show platform hardware qfp active feature ipfrag global, 522–523
show run all, 184
show running-config, 91
show running-configuration command, 478
show standby, 375
show track, 359
SIA (subject information access), 202
SIEM (Security Information Event Management), 417
sign keyword, 476
signature-based authentication, 46
signatures
digital signatures, IKEv2, 12–13
hash algorithms, 163
Simple Network Management Protocol (SNMP), 419–420
site-to-site, migration strategies, 561–562
SKEME, 68
SKEY, 76
SKEYID, 75
slave priority, 370
pre-shared-key authentication with smart defaults, 189–194
smart DPD, auto-reconnect, FlexVPN server, 311–313
SNMP (Simple Network Management Protocol), 419–420
IKE trap commands, 427
with IKEv2, VPN tunnel establishment, 425–427
with IPsec, data encryption, 437–439
VRF-aware SNMP, 420
SNMP agent, 419
SNMP manager, 419
snmp-server enable traps, 425
snmp-server enable traps ike tunnel start, 425
snmp-server enable traps ike tunnel stop, 426
snmp-server enable traps ipsec tunnel start, 437, 438
snmp-server enable traps ipsec tunnel stop, 439
snmp-server enable traps snmp linkdown linkup, 439–440
snmp-server enable traps snmp linkup linkdown, 424
soft migration, transitioning from IKEv1 to IKEv2, 549–559
software, considerations when moving to IKEv2, 543
SPD (Security Policy Database), 5–6
SPI (Security Parameter Index), 3, 5
Split-DNS
attributes, configuring, 341
spoke configuration, FlexVPN
branch 1 configuration, 392–394
branch 2 configuration, 394–395
verification at branch 1, 397–399
verification at branch 2, 399–400
static P2P tunnel interfaces, 214–216
FlexVPN client, 334
static routing, 496
static tunnel interfaces, 90
static VTI (sVTI), 92
subject information access (SIA), 202
sub-modes
IKEv2 policies, 119
IKEv2 proposals, 108
subnets, remote subnets, FlexVPN, 264, 265–266
sub-policy-in, 304
sub-policy-out, 304
sub-qos-policy-in, 304
sub-qos-policy-out, 304
sVTI (static VTI), 92
SXP (Security group tag exchange), 179
symmetric cryptography, IPsec VPNs, 7–8
symmetric keys, 132
syslog, 421
syslog messages, troubleshooting, 447
T
TCAM (ternary content-addressable memory), 87
test aaa command, 481
TFC (Traffic Flow Confidentiality), 4–5, 504
ESP (Encapsulating Security Payload) version 3, 20
timeout keyword, 484
timeout option, FlexVPN server, 275, 278
TLS (transport layer security), EAP methods, 272
tools for troubleshooting, 446–447
event-trace monitoring, 447–449
show commands, 447
syslog messages, 447
topologies, migration strategies, 561
hub-and-spoke topology, 562–564
TP (trustpoints), 148, 163–164, 195
configuring, 476
track mode, tunnel, FlexVPN client, 350
track-based tunnel activation, FlexVPN backup tunnels, 414–415
tracking
FlexVPN client, 356
EEM (embedded event manager), 356–358
lists of objects, with boolean expressions, 350–352
traffic
non-IP protocols, 86
Traffic Flow Confidentiality. See TFC (Traffic Flow Confidentiality), 504
traffic selectors, 4, 50–52, 74
IPsec SA, 51
transitioning from IKEv1 to IKEv2, 548
transport mode
traps
IPsec SNMP trap, 437
SNMP IPsec trap commands, 438–439
troubleshooting
debugging, 449
conditional debugging, 456–457
IPsec debugging, 453
KMI (Key Management Interface), 453–455
PKI (Public Key Infrastructure), 456
FlexVPN client
debugging, 360
IKE_AUTH, 464
ECDSA (Elliptic-Curve Digital Signature Algorithm) authentication, 465–468
IKEv2, diagnose error, 460–461
IPsec VPN methodology, 446
event-trace monitoring, 447–449
show commands, 447
syslog messages, 447
VPN tunnel establishment, 460
trustpoints (TP), 148, 163–164, 195
configuring, 476
tunnel destination, 88, 215, 218
FlexVPN client, 349
tunnel destination dynamic, 349, 412
tunnel destination peer-address, 90
tunnel encapsulation modes, 215
auto detection, FlexVPN server, 297–298
tunnel endpoints, 88
tunnel initiation, FlexVPN client, 350
automatic mode, 350
manual mode, 350
track mode, 350
AH (Authentication Header), 3
ESP (Encapsulating Security Payload), 3
IPsec, 21
tunnel mode auto, FlexVPN, 391–392
tunnel mode gre ip, 94, 214, 216
tunnel mode IPSEC, 298
tunnel mode ipsec, 214–215, 217
tunnel mode ipsec ipv4, 96
tunnel mode ipsec ipv4 v6-overlay, 97
tunnel mode ipsec ipv6, 96
tunnel mode ipsec ipv6 v4-overlay, 97–98
tunnel path-mtu-discovery, 499, 534–535
Tunnel Pivot, 544
tunnel protection, 80, 94–95, 139, 216, 218
IPsec parameters, 167
tunnel protection command, 167–168
tunnel protection ipsec, 123
tunnel source dynamic, 348, 408
tunnel vrf name, 102
Tunnel-Password, 285
tunnels
FlexVPN backup tunnels, track-based tunnel activation, 414–415
fragmentation, 531
GRE (generic routing encapsulation), 532–533
GRE over IPsec, 534
PMTUD (path MTU discovery), 534–535
type tunnel, 91
U
UDP (User Datagram Protocol), 25
uniform resource identifier (URI), 202
updating
session ACL with RADIUS CoA, 307–309
session QoS policies, RADIUS change-of-authorization (CoA), 305–307
URI (uniform resource identifier), 202
user authentication, AnyConnect-EAP, 315, 316–318
user authorization
FlexVPN client, 386
branch 1 configuration, 386
branch 2 configuration, 387
User Datagram Protocol (UDP), 25
V
value proposition, FlexVPN, 213
verbose debugging, 181
verification
FlexVPN client, 409–410, 412–413
NAT (Network Address Translation), 405–407
FlexVPN spoke
branch 2 configuration, 399–400
VFRF (Front-door VRF), 118
virtual access cloning, examples, 295–297
virtual access configurations, FlexVPN server
deriving from AAA authorization, 293–294
deriving from incoming sessions, 294
deriving from virtual templates, 291–293
virtual access interfaces, 217
virtual IPsec interfaces, 85–86
Virtual Routing and Forwarding. See VRF (Virtual Routing and Forwarding)
virtual template interface
FlexVPN server, virtual access configurations, 291–293
IKEv2 profiles, 153
Virtual Tunnel Interface (VTI), 87–88
virtual-access interface, 290–291
virtual-template 1 mode auto, 396
virtual-template interfaces, FlexVPN feature, 91
VPN gateways, considerations when moving to IKEv2, 543
VPN peers, 2
VPN technology, considerations when moving to IKEv2, 540–541
VPN tunnel establishment, 425, 460
Cisco IPsec flow monitor MIB, 425
VRF (Virtual Routing and Forwarding), 81, 118
VRF aware, 101
GRE (generic routing encapsulation), 101–102
vrf definition, 100
vrf forwarding, 100, 216, 218, 486
vrf forwarding name, 102
VRF-aware SNMP, 420
VTI (Virtual Tunnel Interface), 87–88
W
wildcard keys, 130
window size, IKEv2, 158
WINS (Windows Internet Naming Service), FlexVPN client, 343–344
worst case maximum overhead, 514–515
X-Y-Z
XAUTH (Extended Authentication within IKE), 69
XML
Aggregate XML, 315