IPSEC VTI per user configuration

ldmccalla
Level 1

Hi,

I'm building a network of remote routers that will connect to an HQ router. The remote routers will be using dynamic IPs on the public internet, but the HQ router (VPN server) will have a static IP. I'd like to build a network like a DMVPN system; however, using the same key/password on every device is not an option. In addition to this, I also need to dynamically assign the remote tunnel interface IP based on a username list in the VPN server.

I'm trying to use IPsec VTIs with per user configurations in a "Local AAA server" on the HQ router.

Has anyone done anything similar to this?

Leon

3 Replies

Philip D'Ath
VIP Alumni

Abort that approach. Use certificates instead. The approach below will be good for about 500 nodes (I deliberately turn CDP on because the diagnostics are great, but it won't scale really, really big).

The below will need 15.2 or better.  Do not attempt it on 15.1 or below.

Hub configuration something like:

aaa new-model
aaa authentication login default local
aaa authentication login userlist local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network grouplist local
!
! added: the spokes enroll by SCEP over HTTP against the enrollment URL below,
! so the hub's HTTP server has to be running
ip http server
!
! IOS CA that issues the spoke certificates; requests are held for manual
! approval (the default), which is what the note after the configs refers to
crypto pki server ca-server-ak
 database level names
 database archive pem password xxxx
 lifetime certificate 3650
 lifetime ca-certificate 7305 23 59
 auto-rollover 365
 database url flash:
 no shutdown
!
crypto pki trustpoint ca-server-ak
 revocation-check crl
 rsakeypair ca-server-ak
!
! The hub enrolls with its own CA to get the certificate it presents to spokes
crypto pki trustpoint ca-client-ak
 enrollment url http://<head end public ip>:80
 revocation-check crl
 rsakeypair ca-client-ak
 auto-enroll regenerate
!
! Only peer certificates issued by ca-server-ak are accepted by the IKEv2 profile
crypto pki certificate map ca-certificate-map 10
 issuer-name eq cn = ca-server-ak
!
! Pushed to every spoke: a tunnel address from the pool plus a route to the hub's tunnel address
crypto ikev2 authorization policy default
 pool FlexSpokes
 route set interface
!
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21
!
crypto ikev2 profile Flex_IKEv2
 match certificate ca-certificate-map
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint ca-client-ak
 aaa authorization group cert list default default
 virtual-template 1
!
crypto ipsec transform-set ikev2 esp-gcm 256
 mode transport
!
crypto ipsec profile default
 set transform-set ikev2
 set pfs group24
 set ikev2-profile Flex_IKEv2
!
interface Loopback230
 ip address 172.16.230.1 255.255.255.255
!
! One Virtual-Access interface is cloned from this template per connected spoke
interface Virtual-Template1 type tunnel
 bandwidth 2000
 ip unnumbered Loopback230
 ip nhrp network-id 2
 cdp enable
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default
!
ip local pool FlexSpokes 169.254.0.1 169.254.1.254

And a spoke configuration something like:

aaa new-model
aaa authentication login default local
aaa authentication login userlist local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network grouplist local
!
! Enroll with the hub's CA; auto-enroll regenerate renews the certificate (and key) before expiry
crypto pki trustpoint ca-client-ak
 enrollment url http://<head end public IP>:80
 revocation-check crl
 rsakeypair ca-client-ak
 auto-enroll regenerate
!
! Only accept a hub certificate issued by ca-server-ak
crypto pki certificate map ca-certificate-map 10
 issuer-name co ca-server-ak
!
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21
!
crypto ikev2 profile Flex_IKEv2
 match certificate ca-certificate-map
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint ca-client-ak
 aaa authorization group cert list default default
!
! Dead peer detection so a spoke on a changing dynamic IP re-establishes the tunnel
crypto ikev2 dpd 15 3 on-demand
!
crypto ipsec transform-set ikev2 esp-gcm 256
 mode transport
!
crypto ipsec profile default
 set transform-set ikev2
 set pfs group24
 set ikev2-profile Flex_IKEv2
!
! Tunnel address is assigned by the hub from its FlexSpokes pool
interface Tunnel230
 bandwidth 2000
 ip address negotiated
 ip nhrp network-id 2
 ip tcp adjust-mss 1360
 cdp enable
 tunnel source <outside interface or public IP address>
 tunnel destination <head end public IP>
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default

Now all you need to do is slap whatever routing you want in. EIGRP or BGP with peer groups are good choices. Also read up on manually requesting and approving certificates on the hub CA server.

Why are certificates a better option? Suppose I want to block access to one particular remote. Can I pair remote certificates with the local user list on the server?

PS: thanks for the configuration. It's a great start.

Leon

Certificates are considerably stronger than usernames and passwords, and more scalable. If you wanted to block one site you can just revoke its certificate.

You could create two policies, one using certificates for remote sites, and another using usernames and passwords for actual humans using a VPN client.
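The per-remote pairing Leon asks about can be done on the hub with local AAA alone. The configuration below is an added illustration, not part of the posted configs or any Cisco reference design; it reuses the names from the hub config above (trustpoint ca-client-ak, profile Flex_IKEv2, map ca-certificate-map, CA ca-server-ak) and assumes two hypothetical spoke hostnames, spoke-01 and spoke-02, plus hypothetical hub-side prefixes. An IKEv2 name mangler extracts the common name from the spoke's certificate and uses it as the name of a local IKEv2 authorization policy, so each spoke gets a one-address pool (a fixed tunnel IP), its own set of pushed routes, and a spoke whose certificate CN has no matching policy fails authorization. Because the CN is signed by the hub's own CA, a spoke cannot pick a different policy by changing its configured IKE identity; and the same CA is where a misbehaving spoke is cut off, by revocation.

```cisco
! ===== Hub: per-spoke local authorization keyed on the certificate CN =====
! Added example (not from the original post); spoke-01/spoke-02 and 10.x prefixes are hypothetical.

! Use the Common Name from the peer's certificate subject as the authorization policy name
crypto ikev2 name-mangler SPOKE-CN
 dn common-name
!
! One single-address pool per spoke gives that spoke a fixed tunnel IP
ip local pool SPOKE-01 169.254.0.11 169.254.0.11
ip local pool SPOKE-02 169.254.0.12 169.254.0.12
!
! Hub-side prefixes each spoke should route over the tunnel (standard ACLs, hypothetical)
ip access-list standard HUB-NETS-FOR-SPOKE-01
 permit 10.1.0.0 0.0.255.255
ip access-list standard HUB-NETS-FOR-SPOKE-02
 permit 10.2.0.0 0.0.255.255
!
! Policy names must equal the CN the CA signed into each spoke certificate
crypto ikev2 authorization policy spoke-01
 pool SPOKE-01
 route set interface
 route set access-list HUB-NETS-FOR-SPOKE-01
!
crypto ikev2 authorization policy spoke-02
 pool SPOKE-02
 route set interface
 route set access-list HUB-NETS-FOR-SPOKE-02
!
! Same profile as above, with the single "default default" policy replaced by the mangler lookup
crypto ikev2 profile Flex_IKEv2
 match certificate ca-certificate-map
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint ca-client-ak
 aaa authorization group cert list default name-mangler SPOKE-CN
 virtual-template 1
!
! Shorter CRL lifetime so a revocation is noticed sooner (default is 168 hours)
crypto pki server ca-server-ak
 lifetime crl 24

! ===== Spoke: pin the CN the CA will sign so it matches the hub-side policy =====
crypto pki trustpoint ca-client-ak
 enrollment url http://<head end public IP>:80
 subject-name cn=spoke-01
 revocation-check crl
 rsakeypair ca-client-ak
 auto-enroll regenerate

! ===== Hub exec: block one spoke by revoking its certificate =====
! show crypto pki server ca-server-ak certificates     <- find the spoke's serial number
! crypto pki server ca-server-ak revoke <serial>
! crypto pki crl request ca-client-ak                  <- refresh the cached CRL instead of waiting for NextUpdate
! clear crypto ikev2 sa remote <spoke public IP>      <- an existing SA is not torn down by revocation alone
```

The revoke only bites at the next certificate validation, which happens when the spoke builds or rekeys its IKEv2 SA and the hub checks it against a CRL that already lists the serial; clearing the SA forces that check immediately. Renaming or re-enrolling a blocked spoke does not help it, since a new certificate still has to be approved manually on the CA.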