1277 Views · 0 Helpful · 11 Replies

FlexVPN - any tip to supply a secondary identity?

pingduck (Level 1)

I followed the following example to set up a Hub-and-Spoke FlexVPN testbed:

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116032-flexvpn-aaa-config-example-00.html

(Basic Connectivity Configuration)

The client uses identities like "Client1@cisco.com", "Client2@cisco.com", etc. But I have an additional requirement. I want additional pre-configured information from the Spoke client, something like a MAC address or serial number, that I can retrieve from the Hub. Something like "Client1+AB233422@cisco.com", "Client2+EB3223444@cisco.com", such that, from the Hub, I can identify the exact device which is initiating the connection. The additional identity does not need to be secured (meaning it is a configuration on the client); it just should not be pre-configured on the Hub, i.e. the Hub still uses "Client1@cisco.com", "Client2@cisco.com" for authentication.

 

Can this be done? Can the client supply additional id information during VPN establishment such that the information is visible from the Hub?

11 Replies

Hi,

I don't fully understand why you want to do what you want. Why do you need to send 2 identities? Just send 1 from the spoke. Does this example give you what you need? (I think it should be self-explanatory):

HUB

crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain cisco.com
 identity local fqdn HUB@cisco.com

SPOKE1

crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain cisco.com
 identity local fqdn Client1+AB233422@cisco.com

SPOKE2

crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain cisco.com
 identity local fqdn Client2+EB3223444@cisco.com

HTH

What I am saying is, if I switch the hardware. I want the client to switch from "Client2+EB3223444@cisco.com" to "Client2+DE3434345@cisco.com". But I don't want to change the authentication config on the Hub.

 

"Client2+EB3223444@cisco.com" is just an example. I know EB3223444 is part of the authentication string in this example. I want something that is not part of the authentication but cannot be visible from Hub.

Well, the authentication is PSK, certificate or EAP. The identity is used to identify the routers in order to match against the IKEv2 profile.

In the example above you don't need to change any configuration on the Hub if you replace a spoke. You specify the hub's local identity and then match on a remote identity with an fqdn in the domain cisco.com. So if you change the identity/hardware on the spoke, the Hub will correctly identify the spoke and authenticate, assuming the PSK/cert/EAP is correct.

It won't work for me because the client identity needs to be checked on Hub. They don't have same PSK.

The client identity is checked on the Hub.

 

If you need different PSK then match the keyring on the ip address. E.g:-

 

crypto ikev2 keyring KEYRING
 peer SPOKE1
  identity address 1.1.1.1
  pre-shared-key local Cisco1234
  pre-shared-key remote Cisco1234
 !
 peer SPOKE2
  identity address 2.2.2.2
  pre-shared-key local Cisco5678
  pre-shared-key remote Cisco5678

 

Does that work for you?

You can still use the fqdn identity in the IKEv2 profile to identify the spoke to the hub.

Unfortunately, no. The client's WAN IP is dynamically assigned.

Configure authorization with name-mangler?

That is an interesting idea!

 

However, I can't use "Client1@AB233422.cisco.com" because it won't match the domain "cisco.com". The same goes for FQDN because it is also built from 2 parts: hostname + domain. I fear that if I remove

match identity remote email domain cisco.com

from the Hub, it will weaken my security.

 

That leaves me with DN and EAP. I believe DN is certificate-based and it is not something I can easily modify (to add that Client1 + AB233422 combination). I don't see an identity local EAP option on the Spoke.

 

So close! 

Is there a reason you're using the @ symbol in the fqdn?

If you use something like the config below, using a dot and specifying the remote fqdn, it should work by just matching the domain.

I'm using this for ikev2 with DMVPN and it works fine.

 

HUB

crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain cisco.com
 identity local fqdn HUB.cisco.com

SPOKE1

crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain cisco.com
 identity local fqdn Client1+AB233422.cisco.com

The "@" symbol is for email-address-based authentication. AFAIK, whether it is email or fqdn, it is really just a two-part string. With email, the delimiter is the "@". With fqdn, the delimiter is the first period (.).

 

In your example, how do you configure the ikev2 keyring? In my case, it is:

 

peer Client1
 identity email Client1@cisco.com
 pre-shared-key cisco

 

I can change it to use fqdn

 

peer Client1
 identity fqdn Client1.cisco.com
 pre-shared-key cisco

 

But it won't match Client1-AB233422.cisco.com ('+' is not a valid symbol for fqdn).

There's a keyring set up with different peers. I've included the hub and spoke below. But my configuration won't work the way you want since I define the peer specifically by hostname. If the spokes ever change names, I would need to update my hub keyring. 

You could just set it for the domain.com only instead of the hostname.domain.com

HUB:

crypto ikev2 keyring HUB-KEYRING
 peer SPOKE-1
  identity fqdn SPOKE-1.xxxxx.com
  pre-shared-key <key>

(or you could try)

 peer ALL-SPOKES
  identity fqdn domain xxxxx.com
  pre-shared-key <key>

SPOKE:

crypto ikev2 keyring SPOKE-KEYRING
 peer HUB
  address <HUB address>
  identity fqdn HUB.xxxxx.com
  pre-shared-key <key>
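As an added illustration of what the replies above describe (this is example code written for this page, not from the thread's posters or from Cisco), the Python below encodes and parses the IKEv2 Identification payload a spoke sends in IKE_AUTH, then models the hub-side matching the thread discusses: the identity is split at "@" (email) or at the first "." (FQDN), and a keyring peer entry matches either the exact identity or only the domain. It shows why the two requirements in the original post pull against each other: the hub can always read a device tag embedded in the local part of IDi, but a per-spoke PSK keyed on the exact identity only matches if the hub already knows the full string, while a domain-keyed entry accepts any local part at the cost of one shared key. The keyring table, the identities, the "+" and "-" tag delimiters and the first-dot FQDN split are constructed assumptions taken from the thread, not verified IOS behaviour.

```python
"""Model of the IKEv2 identity handling discussed in this thread.

Added example, not code from the thread or from Cisco. It encodes and parses an
IKEv2 Identification payload (RFC 7296, section 3.5) and applies hub-side
matching rules modelled on what the replies describe for IOS. The keyring table,
identities, tag delimiters and the first-dot FQDN split are constructed
assumptions, not verified platform behaviour.
"""
from __future__ import annotations

import struct
from typing import Optional

ID_FQDN = 2          # RFC 7296 ID type: fully qualified domain name
ID_RFC822_ADDR = 3   # RFC 7296 ID type: e-mail style identity
NO_NEXT_PAYLOAD = 0

# Generic payload header (next payload, C/reserved, length) + ID type + 3 reserved bytes.
_HDR = struct.Struct("!BBHB3x")


def build_id_payload(id_type: int, identity: str) -> bytes:
    """Encode an IDi/IDr payload as the initiator sends it inside IKE_AUTH."""
    data = identity.encode("ascii")
    return _HDR.pack(NO_NEXT_PAYLOAD, 0, _HDR.size + len(data), id_type) + data


def parse_id_payload(raw: bytes) -> tuple[int, str]:
    """Decode an ID payload; the responder sees the identity string verbatim."""
    if len(raw) < _HDR.size:
        raise ValueError("truncated ID payload")
    _next, _flags, length, id_type = _HDR.unpack_from(raw)
    if length != len(raw):
        raise ValueError("payload length field does not match data")
    if id_type not in (ID_FQDN, ID_RFC822_ADDR):
        raise ValueError(f"unsupported ID type {id_type}")
    return id_type, raw[_HDR.size:length].decode("ascii")


def split_identity(id_type: int, identity: str) -> tuple[str, str]:
    """Two-part split as described in the thread: '@' for email, first '.' for FQDN."""
    delim = "@" if id_type == ID_RFC822_ADDR else "."
    local, sep, domain = identity.partition(delim)
    if not sep or not local or not domain:
        raise ValueError(f"identity {identity!r} is not <local>{delim}<domain>")
    return local, domain


# Constructed keyring: per-spoke PSKs keyed on the exact email identity, plus a
# catch-all FQDN entry keyed on the domain only (the ALL-SPOKES idea from the
# last reply). Tuples are (peer, id_type, match_kind, value, psk).
KEYRING = [
    ("Client1", ID_RFC822_ADDR, "exact", "Client1@cisco.com", "psk-client1"),
    ("Client2", ID_RFC822_ADDR, "exact", "Client2@cisco.com", "psk-client2"),
    ("ALL-SPOKES", ID_FQDN, "domain", "cisco.com", "psk-group"),
]


def lookup_psk(id_type: int, identity: str) -> Optional[tuple[str, str]]:
    """Return (peer, psk) for the first keyring entry the identity matches, else None."""
    _local, domain = split_identity(id_type, identity)
    for peer, entry_type, kind, value, psk in KEYRING:
        if entry_type != id_type:
            continue
        if kind == "exact" and value == identity:
            return peer, psk
        if kind == "domain" and value == domain:
            return peer, psk
    return None


def device_tag(local_part: str, delim: str) -> tuple[str, Optional[str]]:
    """Name-mangler style split of the local part into (client, tag-or-None)."""
    client, sep, tag = local_part.partition(delim)
    return client, (tag if sep else None)


def hub_receive(raw: bytes, tag_delim: str = "+") -> dict:
    """Everything the hub can learn from IDi, independent of whether a PSK matches."""
    id_type, identity = parse_id_payload(raw)
    local, domain = split_identity(id_type, identity)
    client, tag = device_tag(local, tag_delim)
    hit = lookup_psk(id_type, identity)
    return {
        "identity": identity,
        "client": client,
        "tag": tag,
        "domain": domain,
        "peer": hit[0] if hit else None,
        "psk_found": hit is not None,
    }


if __name__ == "__main__":
    # Constructed sample identities from the thread; the third uses '-' because the
    # original poster reports '+' is rejected in an fqdn on the CLI.
    for id_type, ident, delim in [
        (ID_RFC822_ADDR, "Client1@cisco.com", "+"),
        (ID_RFC822_ADDR, "Client1+AB233422@cisco.com", "+"),
        (ID_FQDN, "Client2-EB3223444.cisco.com", "-"),
    ]:
        print(hub_receive(build_id_payload(id_type, ident), delim))
```

Run directly, it prints one dictionary per sample identity: the tagged email identity yields client "Client1" and tag "AB233422" but no PSK, because the per-peer entry only knows "Client1@cisco.com", whereas the hyphenated FQDN identity is accepted by the domain-keyed ALL-SPOKES entry with the shared key.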
