cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13718
Views
20
Helpful
10
Comments
olpeleri
Cisco Employee
Cisco Employee

 

Introduction

 

With the release of AC 3.0 on mobile devices we have the chance of connecting any smartphone to an ikev2 flexvpn headend.

 

AC 30 has been released for Apple.

 

https://itunes.apple.com/us/app/cisco-anyconnect/id392790924?mt=8

 

Release notes are available here:

 

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-iOS.html

 


Design considerations

 

 

Anyconnect on smart device will integrate seamlessly into a flexvpn head end without any tweaking on the router.

 

Per RFC5996, If we use EAP to authenticate a client, the hub MUST be authenticated by providing a certificate.

 

The underlying reason is the following:

iIf we were using a PSK instead and one person has access to the client and to the head end infrastructure, by using arp poisoining he could impersonate the hub and then decode the user password.

 

By using a certificate we avoid this situation.

 

  • Anyconnect expect the router to present a certificate with the right Extended Key Usage [ TLS webserver - Typically using the webserver template on a microsoft CA server].
  • The certificate Common Name need to be equal to the connection  DNS name defined on the anyconnect.
  • If the CN on the certificate is not populated in your dns, then you need to have a Subject Alternate Name [SAN] defined.   
    • SAN DNS:anyconnect.cisco.com will restrict to connect to an ip that will be resolved as anyconnect.cisco.com
    • SAN DNS:*.cisco.com will allow to connect to any router where the DNS lookup point to something in cisco.com

 

 

Router configuration

 

! Definition of Radius config since when EAP is defined, the router proxy simply the request to a radius server

! Working radius are Cisco ACS [ EAP-MD5] Cisco ISE [ EAP-MSCHAP-V2, EAP-MD5, EAP-GTC]  Microsoft Radius [ EAP-MSCHAP-V2] Linux Freeradius [ EAP-MD5/EAP-GTC/EAP-MSCHAP-V2]

aaa new-model

!

!

aaa group server radius freeradius

server-private 172.16.0.254 auth-port 1812 acct-port 1813 key cisco123

!

aaa authentication login win7 group freeradius

aaa accounting network default start-stop group freeradius

!

!Definition of the local certificate truspoint.

!Here I'm using enrollment terminal since I want to select the Webserver template from the Microsoft win2008 CA. SCEP gives access to the ike intermediate template which is not suitable

!

crypto pki trustpoint anyconnect

enrollment terminal

subject-name cn=R1-HUB.cisco.com,ou=ikev2,ou=TAC,o=Cisco

revocation-check none

rsakeypair flexanyconnect 2048

!

!

crypto pki certificate chain anyconnect

certificate 18180951000000000A8D

certificate ca 77E790F86C3BAD9647633D8428015203

!

!

! Integrity SHA-1 is required by anyconnect to properly select the right PRF

crypto ikev2 proposal myprop

encryption aes-cbc-256

integrity sha1

group 5

!

crypto ikev2 policy mypol

match fvrf any

proposal myprop

!

!

!Ikev2 profile definition matching the IKE IDentity defined on the client

crypto ikev2 profile default

match identity remote key-id anyconnect_remote_access

match identity remote key-id cisco.com

identity local dn

authentication remote eap query-identity

authentication local rsa-sig

pki trustpoint anyconnect

dpd 60 2 on-demand

aaa authentication eap win7

aaa authorization user eap cached

aaa accounting eap default

virtual-template 1

! Authentication local is rsa sig / remote is EAP - We need to query the remote identity.

! PKI trustpoint need to be anchored as security measure. Without that we can't select our certificate

! accounting is important if the radius provide the pool ip address

! authorization user eap cached will load up the attributes received by the radius during the EAP authentication [ eg IP , IKE Routing, ...]

crypto ipsec transform-set default esp-aes 256 esp-sha-hmac

mode tunnel

!

crypto ipsec profile default

set ikev2-profile default

!

!

!

!

!

! Virtual template loopback unnumbered address

interface Loopback0

description VT source interface

ip address 10.0.0.1 255.255.255.255

!

interface Ethernet0/0

description LAN

ip address 192.168.100.1 255.255.255.0

!

interface Ethernet0/1

description WAN

ip address 172.16.0.1 255.255.255.0

!

!Virtual template do not need a tunnel source [ not required]

! ip unnumbered to loopback is required

! Tunnel mode ipsec ipv4 needed for AnyConnect

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile default

!

ip local pool mypool 192.168.200.1 192.168.200.254

!

ip route 0.0.0.0 0.0.0.0 172.16.0.254 name route_to_internet

!

access-list 99 permit any

 


Radius config

 


In this example radius is provided on a Linux PC running freeradius.

 

cisco   Cleartext-Password := "cisco"

        Framed-IP-Address = 172.16.1.1,

        Service-Type = Framed-User,

        Service-Type = Login,

        Cisco-AVPair +="ipsec:route-set-interface=1"

 

Radius is providing:

  • an ip address for the client, Alternatively you could setup a Cisco-AVPair +="ipsec:addr-pool=<an_ip_pool_defined_on_the_router"
  • route-set-interface=1 will inject the spoke tunnel ip into the routing table in order to make it reachable via the virtual-access [mandatory]
  •  

 

Smartphone config

 

 

Upgrade or install Anyconnect from your vendor store.
The configuration is really simple. It's just a matter of few fields to fill in.

 

Install Root CA

 

First of all, you have to install the CA server in your trusted profile. The easiest is to access that CA Certificate via http

 

http://<mywindows2008_ca_server>/certsrv 

 

When we download the CA cert, we are prompted to enter the pin and the CA server is installed in the smart device.

 

 

Launch app and select "Add VPN connection"

photo1.PNG

 

 

Enter router destination address

 

Very easy operation either add the IP or the dns name you will connect.

 

Remember if it's an IP, then you need a SAN field in your router certificate that will match the dns reverse resolution the client will do when connecting.

 

If it's a valid DNS name, then it need to match the CN from the router certificate or at least the SAN field from the same certificate

 

Self signed certs are NOT working.

 

 

 

photo2.PNG

 

Select "Advanced" and configure the ikev2 parameters

 

Turn on "Connect with IPSEC"

 

photo3.PNG

 

Modify Authentication from "EAP-Anyconnect" [ which is ASA specific] to EAP-MD5 / GTC / MSCHAP-V2 depending on the radius infrastructure you've in house] . Here in my example, I will use EAP-MD5.

 

photo4.PNG

 


Define the ikev2 identity in order to select the right ikev2 profile on the router

 

photo5.PNG

 

In our case it's "cisco.com"

 


Store the connection by selecting "save"

 

photo6.PNG

 


Connect.....

 

During the negotiation, Anyconnect will prompt for user and password.

That user will be checked against the radius server by using the eap framework.

At this stage, the router is forwarding the request back and forward between Anyconnect and the radius.

 

 

photo7.PNG

 

As soon the ACCESS-ACCEPT has been received by the router [ from the radius].

 

The router will parse the attributes and provide the required IP / IKE routing / Other parameters either to the client and to the virtual-access interface that has been created on the router.

Connected!

 

 

 

photo8.PNG

 

 

FlexVPN is a modular VPN that simplify designs and deployment.

 

This is the next generation solution.

 

If you have any questions, please feel free to comment.

 

Olivier Pelerin


CCIE Security #20306

TAC Escalation VPN - Brussels

Comments
gthjohansson
Level 4
Level 4

Great post
can you btw tell me how to get EAP-GTC to work in ACS ?

And do you know if I can integrate ACS with LDAP identity store if I use EAP-GTC as an authentication mechanism ?

again great post and thanks alot 

olpeleri
Cisco Employee
Cisco Employee

Thanks for your feedback.

My bad. EAP-GTC is not implemented as radius Phase I , just as inner method. I will update the document.

It seems ISE supports more protocols

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html [ table-5-1]

Cheers,

Olivier

gthjohansson
Level 4
Level 4

Hi

Np at all .. I was hoping that I missed something
I have also tried to get EAP-GTC working with ISE but without any luck so I am beginning to suspect that EAP-GTC is only supported as an inner method in ISE

regards

Gudmundur

olpeleri
Cisco Employee
Cisco Employee

Could be - I never used ISE so far.

ibrtuyima
Community Member

thanks for doing this great post

just have small question, how can we enable split tunnel in this scenario.

best regards

bebo

olpeleri
Cisco Employee
Cisco Employee

Hello Bebo,

Thanks for your comments.

Flexvpn / Anyconnect supports Split-tunneling

If your policy is on the radius, then you would add the following setting

Cisco-AVPair += "ipsec:route-set=prefix 10.0.0.0/8"

[ Assuming you want to tunnel ONLY traffic to 10/8

If your policy is local, then you would add the following attribute under your local authorization policy

route set access-list <..>

The ACL as well will contains the destination networks you want to reach from the client

Cheers

Olivier

Acruzgreg
Level 1
Level 1

Great post Olivier,

I have a cuestion,,, Do you need any license in the headend? I hay a router ASR1000 and i would implement this solution,,

Thanks in advance,

regards

Cruz

olpeleri
Cisco Employee
Cisco Employee

Hello,


The only platforms where licensing is required (ASR1001 or ASR1002-X) just requires the 'normal' ipsec license.

Cheers,

baptiste
Level 1
Level 1

It's working ! Thanks a lot

Tao Lei
Level 1
Level 1

I tried this solution, but it does not work under Cisco Secure Client 5.0.00246 and IOS-XE 17.03.05.

After successful EAP-MD5 authentication, anyconnect client strangely additionally requests to authenticate with pre-shared key (for id IKE_IDENTITY), and finally IKE sa authentication failed.

---------------------------------------------------------------------------------------------

Oct 31 02:50:34.677: IKEv2:sending taolei@tjbn.net [EAP-Id] as username to AAA
Oct 31 02:50:34.678: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authentication request sent
Oct 31 02:50:34.682: IKEv2:(SA ID = 1):[AAA -> IKEv2] Successful response received
Oct 31 02:50:34.683: IKEv2-ERROR:Address type 2147516374 not supported

Oct 31 02:50:34.683: IKEv2:Received response from authenticator
Oct 31 02:50:34.683: IKEv2:(SESSION ID = 23,SA ID = 1):Sending EAP status message
Oct 31 02:50:34.683: IKEv2:(SESSION ID = 23,SA ID = 1):Building packet for encryption.
Payload contents:
EAP Next payload: NONE, reserved: 0x0, length: 8
Code: success: id: 215, length: 4

Oct 31 02:50:34.683: IKEv2:(SESSION ID = 23,SA ID = 1):Sending Packet [To 111.30.231.214:10319/From 192.168.15.22:4500/VRF i0:f0]
Initiator SPI : C46CDC364AC00D53 - Responder SPI : 651C80AECF8CC1FF Message id: 4
IKEv2 IKE_AUTH Exchange RESPONSE
Oct 31 02:50:34.683: IKEv2-PAK:(SESSION ID = 23,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 4, length: 80
Payload contents:
ENCR Next payload: EAP, reserved: 0x0, length: 52

Oct 31 02:50:34.683: IKEv2:(SESSION ID = 23,SA ID = 1):Starting timer (90 sec) to wait for auth message

Oct 31 02:50:34.696: IKEv2:(SESSION ID = 23,SA ID = 1):Received Packet [From 111.30.231.214:10319/To 192.168.15.22:4500/VRF i0:f0]
Initiator SPI : C46CDC364AC00D53 - Responder SPI : 651C80AECF8CC1FF Message id: 5
IKEv2 IKE_AUTH Exchange REQUEST
Oct 31 02:50:34.697: IKEv2-PAK:(SESSION ID = 23,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 5, length: 128
Payload contents:
AUTH Next payload: NONE, reserved: 0x0, length: 56
Auth method PSK, reserved: 0x0, reserved 0x0

Oct 31 02:50:34.697: IKEv2:(SESSION ID = 23,SA ID = 1):Stopping timer to wait for auth message
Oct 31 02:50:34.697: IKEv2:(SESSION ID = 23,SA ID = 1):Send AUTH, to verify peer after EAP exchange
Oct 31 02:50:34.697: IKEv2:(SESSION ID = 23,SA ID = 1):Verify peer's authentication data
Oct 31 02:50:34.697: IKEv2:(SESSION ID = 23,SA ID = 1):Use preshared key for id TJBN, key len 32
Oct 31 02:50:34.697: IKEv2:(SESSION ID = 23,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Oct 31 02:50:34.697: IKEv2:(SESSION ID = 23,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Oct 31 02:50:34.698: IKEv2-ERROR:(SESSION ID = 23,SA ID = 1):: Failed to authenticate the IKE SA
Oct 31 02:50:34.698: IKEv2:(SESSION ID = 23,SA ID = 1):Verification of peer's authentication data FAILED
Oct 31 02:50:34.698: IKEv2:(SESSION ID = 23,SA ID = 1):Sending authentication failure notify
Oct 31 02:50:34.698: IKEv2:(SESSION ID = 23,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED

Oct 31 02:50:34.698: IKEv2:(SESSION ID = 23,SA ID = 1):Sending Packet [To 111.30.231.214:10319/From 192.168.15.22:4500/VRF i0:f0]
Initiator SPI : C46CDC364AC00D53 - Responder SPI : 651C80AECF8CC1FF Message id: 5
IKEv2 IKE_AUTH Exchange RESPONSE
Oct 31 02:50:34.698: IKEv2-PAK:(SESSION ID = 23,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 5, length: 80
Payload contents:
ENCR Next payload: NOTIFY, reserved: 0x0, length: 52

Oct 31 02:50:34.698: IKEv2:(SESSION ID = 23,SA ID = 1):Auth exchange failed
Oct 31 02:50:34.699: IKEv2-ERROR:(SESSION ID = 23,SA ID = 1):: Auth exchange failed
Oct 31 02:50:34.699: IKEv2:(SESSION ID = 23,SA ID = 1):Abort exchange
Oct 31 02:50:34.699: IKEv2:(SESSION ID = 23,SA ID = 1):Deleting SA
Oct 31 02:50:34.699: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: