Part I Understanding IPsec VPNs
Chapter 1 Introduction to IPsec VPNs
The Need and Purpose of IPsec VPNs
Cryptography Used in IPsec VPNs
Digital Signatures Used in IKEv2
Pre-Shared-Keys, or Shared Secret
IP Encapsulating Security Payload (ESP)
Encapsulation Security Payload Datagram Format
Encapsulating Security Payload Version 3
Security Association Proposals
Security Parameter Index (SPI)
Encrypted and Authenticated Payload
Signature-Based Authentication
(Pre) Shared-Key-Based Authentication
IPsec Security Association Creation
IPsec Security Association Rekey
IKEv2 Security Association Rekey
IKEv2 Packet Structure Overview
Deleting Security Associations
Configuration Payload Exchange
Dead Peer Detection/Keepalive/NAT Keepalive
IKEv2 and Network Address Translation
RFC 5998 An Extension for EAP-Only Authentication in IKEv2
RFC 5685 Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)
RFC 6989 Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)
Chapter 3 Comparison of IKEv1 and IKEv2
Part III IPsec VPNs on Cisco IOS
Chapter 4 IOS IPsec Implementation
IPsec Transport Mode with GRE over IPsec
IPsec Tunnel Mode with GRE over IPsec
Virtual Interfaces: VTI and GRE/IPsec
Tunnel Protection and Crypto Sockets
VRF-Aware GRE and VRF-Aware IPsec
IKEv2 Configuration Constructs
Configuring the IKEv2 Proposal
Configuring IKEv2 Diffie-Hellman
Configuring IKEv2 Pseudorandom Function
Configuring IKEv2 Proposals under IKEv2 Policy
Configuring Match Statements under IKEv2 Policy
IKEv2 Policy Selection on the Initiator
IKEv2 Policy Selection on Responder
IKEv2 Policy Configuration Examples
IKEv2 Policy with Multiple Proposals
Configuring a Peer Block in Keyring
IKEv2 Keyring Configuration Example
IKEv2 Profile as Peer Authorization Database
Configuring Match Statements in IKEv2 Profile
Defining the Scope of IKEv2 Profile
Defining the Local IKE Identity
Defining Local and Remote Authentication Methods
IKEv2 Profile Selection on Initiator and Responder
HTTP URL-based Certificate Lookup
Chapter 6 Advanced IKEv2 Features
Introduction to IKEv2 Fragmentation
IKEv2 SGT Capability Negotiation
IKEv2 Session Deletion on Certificate Revocation
IKEv2 Session Deletion on Certificate Expiry
Pre-Shared-Key Authentication with Smart Defaults
Elliptic Curve Digital Signature Algorithm Authentication
RSA Authentication Using HTTP URL Lookup
IKEv2 Cookie Challenge and Call Admission Control
Chapter 8 Introduction to FlexVPN
Cisco IOS Point-to-Point Tunnel Interfaces
Configuring Static P2P Tunnel Interfaces
Configuring Virtual-Template Interfaces
Auto-Detection of Tunnel Encapsulation and Transport
Benefits of Per-Peer P2P Tunnel Interfaces
Configuring IKEv2 Name Mangler
Extracting Name from FQDN Identity
Extracting Name from Email Identity
Extracting Name from DN Identity
Extracting Name from EAP Identity
Default IKEv2 Authorization Policy
Configuring FlexVPN Authorization
FlexVPN User Authorization, Using an External AAA Server
FlexVPN Group Authorization, Using a Local AAA Database
FlexVPN Group Authorization, Using an External AAA Server
FlexVPN Implicit Authorization
FlexVPN Implicit Authorization Example
FlexVPN Authorization Types: Co-existence and Precedence
User Authorization Taking Higher Precedence
Group Authorization Taking Higher Precedence
FlexVPN Configuration Exchange
Enabling Configuration Exchange
FlexVPN Usage of Configuration Payloads
Configuration Attributes and Authorization
Configuration Exchange Examples
Learning Remote Subnets Locally
Learning Remote Subnets from Peer
Configuring AAA-based Pre-Shared Keys
RADIUS Attributes for AAA-Based Pre-Shared Keys
AAA-Based Pre-Shared Keys Example
Deriving Virtual-Access Configuration from a Virtual Template
Deriving Virtual-Access Configuration from AAA Authorization
The interface-config AAA Attribute
Deriving Virtual-Access Configuration from an Incoming Session
Virtual-Access Cloning Example
Auto Detection of Tunnel Transport and Encapsulation
Configuring RADIUS Packet of Disconnect
RADIUS Packet of Disconnect Example
RADIUS Change of Authorization (CoA)
Updating Session QoS Policy, Using CoA
Updating the Session ACL, Using CoA
Auto-Reconnect Configuration Attributes
Configuring IKEv2 Auto-Reconnect
User Authentication, Using AnyConnect-EAP
AnyConnect-EAP XML Messages for User Authentication
Configuring User Authentication, Using AnyConnect-EAP
AnyConnect Configuration for Aggregate Authentication
Dual-factor Authentication, Using AnyConnect-EAP
AnyConnect-EAP XML Messages for Dual-factor Authentication
Configuring Dual-factor Authentication, Using AnyConnect-EAP
RADIUS Attributes Supported by the FlexVPN Server
Remote Access Clients Supported by FlexVPN Server
Microsoft Windows 7 IKEv2 Client
FlexVPN Client Building Blocks
Static Point-to-Point Tunnel Interface
Support for EzVPN Client and Network Extension Modes
Windows Internet Naming Service (WINS)
Resolution of Fully Qualified Domain Names
Tracking a List of Objects, Using a Boolean Expression
Use of Public Key Infrastructure and Pre-Shared Keys
Tracked Object Based on Embedded Event Manager
Troubleshooting FlexVPN Client
Clearing IKEv2 FlexVPN Client Sessions
Chapter 11 FlexVPN Load Balancer
Components of the FlexVPN Load Balancer
Troubleshooting IKEv2 Load Balancing
Chapter 12 FlexVPN Deployments
FlexVPN AAA-Based Pre-Shared Keys
Configuration on the Branch-1 Router
Configuration on the Branch-2 Router
Configuration on the Hub Router
Configuration on the RADIUS Server
FlexVPN User and Group Authorization
FlexVPN Client Configuration at Branch 1
FlexVPN Client Configuration at Branch 2
Configuration on the FlexVPN Server
Configuration on the RADIUS Server
Logs Specific to FlexVPN Client-1
Logs Specific to FlexVPN Client-2
FlexVPN Routing, Dual Stack, and Tunnel Mode Auto
FlexVPN Spoke Configuration at Branch-1
FlexVPN Spoke Configuration at Branch-2
FlexVPN Hub Configuration at the HQ
Verification on FlexVPN Spoke at Branch-1
Verification on FlexVPN Spoke at Branch-2
Verification on the FlexVPN Hub at HQ
FlexVPN Client NAT to the Server-Assigned IP Address
Configuration on the FlexVPN Client
Verification on the FlexVPN Client
FlexVPN WAN Resiliency, Using Dynamic Tunnel Source
FlexVPN Client Configuration on the Dual-Homed Branch Router
Verification on the FlexVPN Client
FlexVPN Hub Resiliency, Using Backup Peers
FlexVPN Client Configuration on the Branch Router
Verification on the FlexVPN Client
FlexVPN Backup Tunnel, Using Track-Based Tunnel Activation
Verification on the FlexVPN Client
Chapter 13 Monitoring IPsec VPNs
Authentication, Authorization, and Accounting (AAA)
Simple Network Management Protocol
Authorization Using RADIUS-Based AAA
Data Encryption: SNMP with IPsec
Chapter 14 Troubleshooting IPsec VPNs
Key Management Interface Debugging
Troubleshooting the IKE_SA_INIT Exchange
Troubleshooting the IKE_AUTH Exchange
Troubleshooting RSA or ECDSA Authentication
Debugging Authentication Using PKI
Matching Peer Using Certificate Maps
Extensible Authentication Protocol (EAP)
Chapter 15 IPsec Overhead and Fragmentation
IPsec Mode Overhead (without GRE)
Encapsulating Security Payload Overhead
Authentication Header Overhead
Combined-mode Algorithm Overhead
Maximum Encapsulation Security Payload Overhead
Maximum Authentication Header Overhead
Chapter 16 Migration Strategies
Introduction to Migrating to IKEv2 and FlexVPN
Considerations when Migrating to IKEv2