- Introduction
- Design considerations
- Router configuration
- Radius config
- Smartphone config
- Install Root CA
- Launch app and select "Add VPN connection"
- Enter router destination address
- Select "Advanced" and configure the ikev2 parameters
- Define the ikev2 identity in order to select the right ikev2 profile on the router
- Store the connection by selecting "save"
- Connect.....
- Connected!
Introduction
With the release of AC 3.0 on mobile devices we have the chance of connecting any smartphone to an ikev2 flexvpn headend.
AC 30 has been released for Apple.
https://itunes.apple.com/us/app/cisco-anyconnect/id392790924?mt=8
Release notes are available here:
Design considerations
Anyconnect on smart device will integrate seamlessly into a flexvpn head end without any tweaking on the router.
Per RFC5996, If we use EAP to authenticate a client, the hub MUST be authenticated by providing a certificate.
The underlying reason is the following:
iIf we were using a PSK instead and one person has access to the client and to the head end infrastructure, by using arp poisoining he could impersonate the hub and then decode the user password.
By using a certificate we avoid this situation.
- Anyconnect expect the router to present a certificate with the right Extended Key Usage [ TLS webserver - Typically using the webserver template on a microsoft CA server].
- The certificate Common Name need to be equal to the connection DNS name defined on the anyconnect.
- If the CN on the certificate is not populated in your dns, then you need to have a Subject Alternate Name [SAN] defined.
- SAN DNS:anyconnect.cisco.com will restrict to connect to an ip that will be resolved as anyconnect.cisco.com
- SAN DNS:*.cisco.com will allow to connect to any router where the DNS lookup point to something in cisco.com
Router configuration
! Definition of Radius config since when EAP is defined, the router proxy simply the request to a radius server
! Working radius are Cisco ACS [ EAP-MD5] Cisco ISE [ EAP-MSCHAP-V2, EAP-MD5, EAP-GTC] Microsoft Radius [ EAP-MSCHAP-V2] Linux Freeradius [ EAP-MD5/EAP-GTC/EAP-MSCHAP-V2]
aaa new-model
!
!
aaa group server radius freeradius
server-private 172.16.0.254 auth-port 1812 acct-port 1813 key cisco123
!
aaa authentication login win7 group freeradius
aaa accounting network default start-stop group freeradius
!
!Definition of the local certificate truspoint.
!Here I'm using enrollment terminal since I want to select the Webserver template from the Microsoft win2008 CA. SCEP gives access to the ike intermediate template which is not suitable
!
crypto pki trustpoint anyconnect
enrollment terminal
subject-name cn=R1-HUB.cisco.com,ou=ikev2,ou=TAC,o=Cisco
revocation-check none
rsakeypair flexanyconnect 2048
!
!
crypto pki certificate chain anyconnect
certificate 18180951000000000A8D
certificate ca 77E790F86C3BAD9647633D8428015203
!
!
! Integrity SHA-1 is required by anyconnect to properly select the right PRF
crypto ikev2 proposal myprop
encryption aes-cbc-256
integrity sha1
group 5
!
crypto ikev2 policy mypol
match fvrf any
proposal myprop
!
!
!Ikev2 profile definition matching the IKE IDentity defined on the client
crypto ikev2 profile default
match identity remote key-id anyconnect_remote_access
match identity remote key-id cisco.com
identity local dn
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint anyconnect
dpd 60 2 on-demand
aaa authentication eap win7
aaa authorization user eap cached
aaa accounting eap default
virtual-template 1
! Authentication local is rsa sig / remote is EAP - We need to query the remote identity.
! PKI trustpoint need to be anchored as security measure. Without that we can't select our certificate
! accounting is important if the radius provide the pool ip address
! authorization user eap cached will load up the attributes received by the radius during the EAP authentication [ eg IP , IKE Routing, ...]
crypto ipsec transform-set default esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile default
set ikev2-profile default
!
!
!
!
!
! Virtual template loopback unnumbered address
interface Loopback0
description VT source interface
ip address 10.0.0.1 255.255.255.255
!
interface Ethernet0/0
description LAN
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/1
description WAN
ip address 172.16.0.1 255.255.255.0
!
!Virtual template do not need a tunnel source [ not required]
! ip unnumbered to loopback is required
! Tunnel mode ipsec ipv4 needed for AnyConnect
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
!
ip local pool mypool 192.168.200.1 192.168.200.254
!
ip route 0.0.0.0 0.0.0.0 172.16.0.254 name route_to_internet
!
access-list 99 permit any
Radius config
In this example radius is provided on a Linux PC running freeradius.
cisco Cleartext-Password := "cisco"
Framed-IP-Address = 172.16.1.1,
Service-Type = Framed-User,
Service-Type = Login,
Cisco-AVPair +="ipsec:route-set-interface=1"
Radius is providing:
- an ip address for the client, Alternatively you could setup a Cisco-AVPair +="ipsec:addr-pool=<an_ip_pool_defined_on_the_router"
- route-set-interface=1 will inject the spoke tunnel ip into the routing table in order to make it reachable via the virtual-access [mandatory]
Smartphone config
Upgrade or install Anyconnect from your vendor store.
The configuration is really simple. It's just a matter of few fields to fill in.
Install Root CA
First of all, you have to install the CA server in your trusted profile. The easiest is to access that CA Certificate via http
http://<mywindows2008_ca_server>/certsrv
When we download the CA cert, we are prompted to enter the pin and the CA server is installed in the smart device.
Launch app and select "Add VPN connection"
Enter router destination address
Very easy operation either add the IP or the dns name you will connect.
Remember if it's an IP, then you need a SAN field in your router certificate that will match the dns reverse resolution the client will do when connecting.
If it's a valid DNS name, then it need to match the CN from the router certificate or at least the SAN field from the same certificate
Self signed certs are NOT working.
Select "Advanced" and configure the ikev2 parameters
Turn on "Connect with IPSEC"
Modify Authentication from "EAP-Anyconnect" [ which is ASA specific] to EAP-MD5 / GTC / MSCHAP-V2 depending on the radius infrastructure you've in house] . Here in my example, I will use EAP-MD5.
Define the ikev2 identity in order to select the right ikev2 profile on the router
In our case it's "cisco.com"
Store the connection by selecting "save"
Connect.....
During the negotiation, Anyconnect will prompt for user and password.
That user will be checked against the radius server by using the eap framework.
At this stage, the router is forwarding the request back and forward between Anyconnect and the radius.
As soon the ACCESS-ACCEPT has been received by the router [ from the radius].
The router will parse the attributes and provide the required IP / IKE routing / Other parameters either to the client and to the virtual-access interface that has been created on the router.
Connected!
FlexVPN is a modular VPN that simplify designs and deployment.
This is the next generation solution.
If you have any questions, please feel free to comment.
Olivier Pelerin
CCIE Security #20306
TAC Escalation VPN - Brussels
