How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#LTRSEC-3004
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Lab Objectives and Prerequisites
• Session Objectives
  • To understand IKEv2
  • To showcase FlexVPN, Cisco’s unified VPN solution
  • To provide a hands-on experience for configuring a number of common FlexVPN deployment scenarios
• Prerequisites
  • General knowledge of IP routing
  • Knowledge of IPsec-based VPN technologies
  • Basic understanding of IKEv2, IPv6 and multicast is a plus
Cisco Press Book ‘IKEv2 IPsec VPNs’ by Amjad Inamdar & Graham Bartlett
Listed in the CCIE Security reading list:
https://learningnetwork.cisco.com/community/certifications/ccie_security/written_exam/study-material
Reader review, “Brilliant”: It's well worth the money. I feel like I know the subject thoroughly now. I don't usually leave reviews but was motivated to in this instance. Good job, highly recommended.
Reader review, “Great Book”: Very in-depth and detailed explanations. It has greatly enhanced my understanding of IKEv2, IPSec, and Cisco's implementations.
Agenda
• Introduction
• FlexVPN Overview
• IKEv2 and Smart Defaults
IKEv2 Protocol Overview
(Figure: IKEv2 exchange between peers A and B; the CREATE_CHILD_SA exchange, 2 messages, creates a second CHILD_SA, after which protected data flows between A and B.)
IKEv2 Configuration Constructs
IKEv2 Proposal (optional)
• Specifies one or more of:
  • Encryption algorithm(s)
  • Integrity algorithm(s)
  • DH group(s)
  • PRF algorithm

crypto ikev2 proposal prop-1
 encryption 3des aes-cbc-128
 integrity md5 sha1
 prf md5 sha1
 group 5 2
IKEv2 Configuration Constructs
IKEv2 Policy (optional)
• Specifies one or more proposal(s) with matching criteria:
  • fVRF (default: global)
  • Local address (default: any)

crypto ikev2 policy site-policy
 match fvrf Internet-vrf
 match address local 192.168.1.1
 proposal prop-1
 proposal prop-2
IKEv2 Configuration Constructs
IKEv2 Keyring (optional)
• Optional, used for PSK authentication
• Local database of pre-shared keys
• Keys can be symmetrical or asymmetrical
• Key lookup based on:
  • Address
  • Hostname (on initiator only)
  • Identity (on responder only)
• Peer block:
  • One key or key pair per block
  • Overlapping peer blocks: use most specific match

crypto ikev2 keyring secretkeys
 peer cisco
  address 10.0.1.1
  pre-shared-key local cisco
  pre-shared-key remote ocsic
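As an added illustration (my code, not the deck's or Cisco's), this Python model applies the keyring lookup rules above to a constructed keyring whose peer blocks overlap. The ranking of hostname/identity matches over address matches is an assumption of the model, and the branch-net and hq blocks are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class PeerBlock:
    """One 'peer <name>' block of a 'crypto ikev2 keyring' (a model, not IOS code)."""
    name: str
    address: Optional[str] = None    # "10.0.1.1" or "10.0.1.0/24"
    hostname: Optional[str] = None   # consulted on the initiator only
    identity: Optional[str] = None   # consulted on the responder only
    local_key: str = ""
    remote_key: str = ""             # asymmetric keys: may differ from local_key

def _address_prefixlen(block: PeerBlock, peer_ip: str) -> int:
    # Prefix length of the block's address criterion if it covers peer_ip, else -1.
    if block.address is None:
        return -1
    net = ipaddress.ip_network(block.address, strict=False)
    return net.prefixlen if ipaddress.ip_address(peer_ip) in net else -1

def lookup_peer(keyring: List[PeerBlock], role: str, peer_ip: str,
                hostname: Optional[str] = None,
                identity: Optional[str] = None) -> Optional[PeerBlock]:
    """Return the most specific matching peer block, or None.
    Ranking is an assumption of this model: a hostname match (initiator) or identity
    match (responder) outranks an address match, and among address matches the
    longest prefix wins, so a /32 beats an overlapping /24."""
    best, best_rank = None, None
    for block in keyring:
        if role == "initiator" and hostname and block.hostname == hostname:
            rank = (1, 0)
        elif role == "responder" and identity and block.identity == identity:
            rank = (1, 0)
        else:
            plen = _address_prefixlen(block, peer_ip)
            if plen < 0:
                continue
            rank = (0, plen)
        if best_rank is None or rank > best_rank:
            best, best_rank = block, rank
    return best

# Constructed keyring: 'cisco' is the slide's peer block; the other two are hypothetical.
KEYRING = [
    PeerBlock("cisco", address="10.0.1.1", local_key="cisco", remote_key="ocsic"),
    PeerBlock("branch-net", address="10.0.1.0/24", local_key="k-net", remote_key="k-net"),
    PeerBlock("hq", hostname="hq.example.test", identity="hq.example.test", local_key="k-hq", remote_key="k-hq"),
]
```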
IKEv2 Configuration Constructs
IKEv2 Profile
• Mandatory, central IKEv2 CLI construct
• Set of non-negotiable parameters:
  • Local/remote authentication
  • Local IKE identity
  • Keyring, trustpoint(s)
• Selected by matching:
  • Peer identity/certificate, fVRF, local address
  • Overlapping policies: considered a misconfig
• Matching rules:
  • Statements of the same type are logically OR'ed
  • Statements of different types are logically AND'ed

crypto ikev2 profile profile1
 match identity remote address 10.0.1.1
 authentication local pre-share key <key>
 authentication remote rsa-sig
 identity local email user1@cisco.com
 keyring secretkeys
 pki trustpoint tp-remote verify
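As an added illustration (my code, not the deck's or Cisco's), this Python model evaluates the profile matching rules above: statements of one type are OR'ed, different types are AND'ed, and more than one matching profile is reported as the overlap the slide calls a misconfig. The match types and specs come from this deck's slides; the hq-only profile and the peer attributes are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Ikev2Profile:
    """Model of a 'crypto ikev2 profile' reduced to its match statements."""
    name: str
    # (type, spec) pairs as on the deck's slides: ("identity remote", "address 10.0.1.1"),
    # ("identity remote", "fqdn domain cisco.com"), ("fvrf", "Internet-vrf"),
    # ("address local", "192.168.1.1")
    matches: List[Tuple[str, str]] = field(default_factory=list)

def _statement_hits(mtype: str, spec: str, peer: Dict) -> bool:
    if mtype == "identity remote":
        kind, ident = peer["identity"]               # e.g. ("fqdn", "branch1.cisco.com")
        if spec.startswith("address "):
            return kind == "address" and ident == spec.split(" ", 1)[1]
        if spec.startswith("fqdn domain "):          # domain suffix match
            return kind == "fqdn" and ident.endswith("." + spec.split(" ", 2)[2])
    elif mtype == "fvrf":                            # fVRF defaults to global when absent
        return spec == "any" or peer.get("fvrf", "global") == spec
    elif mtype == "address local":
        return peer.get("local_address") == spec
    raise ValueError(f"unsupported match: {mtype} {spec}")

def profile_matches(profile: Ikev2Profile, peer: Dict) -> bool:
    by_type: Dict[str, List[str]] = {}
    for mtype, spec in profile.matches:
        by_type.setdefault(mtype, []).append(spec)
    # Same type: OR'ed (any spec may hit). Different types: AND'ed (every type must hit).
    return all(any(_statement_hits(t, s, peer) for s in specs)
               for t, specs in by_type.items())

def matching_profiles(profiles: List[Ikev2Profile], peer: Dict) -> List[str]:
    return [p.name for p in profiles if profile_matches(p, peer)]

def select_profile(profiles: List[Ikev2Profile], peer: Dict) -> Optional[str]:
    hits = matching_profiles(profiles, peer)
    if len(hits) > 1:                                # the misconfig the deck warns about
        raise ValueError("overlapping IKEv2 profiles: " + ", ".join(hits))
    return hits[0] if hits else None

# Constructed profiles: profile1 and central-to-branch follow the deck, hq-only is hypothetical.
PROFILES = [
    Ikev2Profile("profile1", [("identity remote", "address 10.0.1.1"), ("fvrf", "Internet-vrf")]),
    Ikev2Profile("central-to-branch", [("identity remote", "fqdn domain cisco.com")]),
    Ikev2Profile("hq-only", [("identity remote", "address 10.0.2.2"),
                             ("identity remote", "fqdn domain cisco.com"), ("address local", "192.168.1.1")]),
]
```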
Introducing Smart Defaults
Intelligent, reconfigurable defaults

Smart Defaults (already present, nothing to configure):
crypto ipsec transform-set default esp-aes 128 esp-sha-hmac
!
crypto ipsec profile default
 set transform-set default
 set ikev2-profile default
!
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256 sha1 md5
 group 5 2
!
crypto ikev2 policy default
 match fvrf any
 proposal default

What you need to specify:
crypto ikev2 profile default
 match identity remote address 10.0.1.1
 authentication local rsa-sig
 authentication remote rsa-sig
 aaa authorization user cert list default default
 pki trustpoint root
!
interface Tunnel0
 ip address 192.168.0.1 255.255.255.252
 tunnel protection ipsec profile default
Reconfigurable Defaults
All defaults can be modified, deactivated, or restored
FlexVPN Lab Topology (CiscoLive 2018 LTRSEC-3004)
(Figure: Hub-1 (.2) and Hub-2 (.3) share the 172.16.0.0/24 LAN with the FreeRadius Server at .100; hubs reach the spokes over an IPv4 WAN connection and an IPv6 WAN connection. Spoke-1, Spoke-2 and Spoke-3 use WAN addresses 209.1.1.2/24, 209.1.2.2/24 and 209.1.3.2/24 and serve LANs 172.16.1.0/24, 172.16.2.0/24 and 172.16.3.0/24 (spoke at .1, host at .2) with hosts Spk-1-Host, Spk-2-Host and Spk-3-Host; Spk-4-Host is addressed by DHCP.)
FlexVPN Hub and Spoke
FlexVPN Hub-and-Spoke Example
The example uses VTI, certificate authentication, dynamic routing & Smart Defaults
FlexVPN Hub-and-Spoke Example
Responder (Central site)
(Figure: Spoke (initiator) to Hub (responder).)

hostname central
ip domain name cisco.com
!
crypto ikev2 profile central-to-branch
 match identity remote fqdn domain cisco.com
 identity local fqdn central.cisco.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA
 virtual-template 1
!
interface Loopback0
 ip address 172.16.0.100 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.0.100 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.100.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
router rip
 version 2
 passive-interface Ethernet1/0
 network 172.16.0.0
 network 192.168.100.0
FlexVPN Spoke to Spoke (Shortcut Switching)
• FlexVPN Spoke-Spoke
  • Allows direct tunnel between FlexVPN spokes
  • Uses sVTI/dVTI, NHRP and optional routing protocol
  • No NHRP registrations from spokes to hub
• NHRP
  • Resolves spoke overlay addresses to transport addresses
• IPSec Virtual-Access Interface (VAI)
  • IPSec VAI created on either side, per spoke tunnel
FlexVPN Spoke to Spoke (1)
Hub (Physical: 172.16.0.1, Tunnel: 10.0.0.254), LAN 192.168.100.0/24
Routing table:
C 10.0.0.254/32 Loopback0
C 192.168.100.0/24 Eth0
S 10.0.0.1 V-Access1
B 192.168.0.0/29 V-Access1
S 10.0.0.2 V-Access2
B 192.168.0.8/29 V-Access2

Spoke 1 (Physical: 172.16.1.1, Tunnel: 10.0.0.1), LAN 192.168.0.0/29
Routing table:
C 192.168.0.0/29 Eth0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
B 192.168.0.0/16 Tunnel0
NHRP table: (empty)

Spoke 2 (Physical: 172.16.2.1, Tunnel: 10.0.0.2), LAN 192.168.0.8/29
Routing table:
C 192.168.0.8/29 Eth0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
B 192.168.0.0/16 Tunnel0
NHRP table: (empty)
FlexVPN Spoke to Spoke (2)
Hub (Physical: 172.16.0.1, Tunnel: 10.0.0.254), LAN 192.168.100.0/24
Routing table:
C 10.0.0.254/32 Loopback0
C 192.168.100.0/24 Eth0
S 10.0.0.1 V-Access1
B 192.168.0.0/29 V-Access1
S 10.0.0.2 V-Access2
B 192.168.0.8/29 V-Access2

Resolution Reply: 192.168.0.8/29 10.0.0.2 172.16.2.1

Spoke 1 (Physical: 172.16.1.1, Tunnel: 10.0.0.1), LAN 192.168.0.0/29
Routing table:
C 192.168.0.0/29 Eth0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
B 192.168.0.0/16 Tunnel0
H 10.0.0.2/32 V-Access1
H 192.168.0.8/29 V-Access1
NHRP table:
10.0.0.2/32 172.16.2.1
192.168.0.8/29 172.16.2.1

Spoke 2 (Physical: 172.16.2.1, Tunnel: 10.0.0.2), LAN 192.168.0.8/29
Routing table:
C 192.168.0.8/29 Eth0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
B 192.168.0.0/16 Tunnel0
H 10.0.0.1/32 V-Access1
NHRP table:
10.0.0.1 172.16.1.1
FlexVPN Spoke to Spoke (3)
(Figure: Hub, Spoke 1 and Spoke 2 with the same addresses as before; the routing and NHRP tables on all three devices are the same as after step (2): the hub keeps its static and BGP routes over V-Access1 and V-Access2, Spoke 1 holds NHRP entries 10.0.0.2/32 and 192.168.0.8/29 via 172.16.2.1 with H routes over V-Access1, and Spoke 2 holds the NHRP entry 10.0.0.1 via 172.16.1.1 with an H route for 10.0.0.1/32 over V-Access1.)
EIGRP Routing Considerations (from CiscoLive 2017 LTRSEC-2050)
interface Virtual-Template1 type tunnel
 ip summary-address eigrp 100 172.16.0.0 255.255.0.0
(Figure: Hub-1 (.2) and Hub-2 (.3) share the 172.16.0.0/24 LAN connection and a WAN connection; an IPsec tunnel over broadband (200.1.1.0/24) reaches a spoke configured as EIGRP stub; the hubs send the summary 172.16.0.0/16 and backup routes to the spokes.)
IKEv2 with Configuration Payload
(Figure: IKE_SA_INIT exchange, 2 messages, IKE_SA parameters negotiated; authentication; protected data between A and B.)
FlexVPN Site to Site: IKEv2 Routing
Routes sent to the peer are determined by:
• interface (‘route set interface’)
• access-list (‘route set access-list’)
• direct statement (‘route set remote’)
Inbound route filter (by tag or AD) is possible using ‘route accept’. Default is ‘accept any’!
(Figure: Initiator and Responder exchange CFG_REQUEST, CFG_REPLY and CFG_SET, with “Route Accept?” applied to the routes received.)

Initiator routing table:
C 192.168.1.0/24 Eth0
C 10.0.0.2 Tunnel0
S 0.0.0.0/0 Dialer0
S 10.0.0.254/32 Tunnel0
S 192.168.0.0/16 Tunnel0

Responder routing table:
C 192.168.100.0/24 Eth0
C 10.0.0.254/32 -> Loopback0
S 0.0.0.0/0 Dialer0
S 192.168.0.0/16 Null0
S 10.0.0.2/32 Tunnel0
S 192.168.1.0/24 Tunnel0
FlexVPN IPv6 Deployment and High Availability
FlexVPN and IPv6 Deployment Options
(Figure: IPv6 IPsec VTI tunnel between two IPv6 private networks.)
• Mixed-mode supported
• No dual-stack
• Requires GRE to transport IPv4 and IPv6 traffic
Auto Tunnel Mode
• Reduces deployment complexity due to different encapsulations
• Automatic detection of:
  • Tunneling protocol – IPSec or GRE

FlexVPN Hub (IPv4):
crypto ikev2 profile ALL-SPOKES
 virtual-template 1 mode auto
!
interface virtual-template 1 type tunnel
 tunnel mode gre ip

Spokes, each with a different tunnel mode:
interface tunnel 1
 tunnel mode gre ip
!
interface tunnel 1
 tunnel mode gre ipv6
!
interface tunnel 1
 tunnel mode ipsec ipv6
FlexVPN Redundancy Configurations
• FlexVPN offers a variety of redundancy options for high availability
(Figure: a spoke with multiple hubs; hubs behind an HSRP VIP; a spoke dual-homed to ISP1 and ISP2 reaching the hub.)
Thank you