Monday, August 27, 2012

VPNs


I have actually worked a fair amount with IOS VPNs and even some VPN3K in the past. It will be interesting to see how the configuration is adapted to the ASA platform.
  • IOS and ASA LAN-to-LAN w/ PSK
    • Setting the ISAKMP policy is the same as on IOS, but you must explicitly enable ISAKMP on the firewall interface
    • sysopt connection permit-vpn is what allows decrypted VPN traffic to bypass ACL checking on the interface
    • You use tunnel-group to attach the PSK to the peer's host address
    • The crypto map configuration is slightly different from IOS, but if you have done it on IOS, you will get it.
    • All of this, of course, is through a pretty basic firewall configuration with no NAT.
  • LAN-to-LAN w/ PSK & NAT
    • Different from IOS: you cannot use a deny statement in the access-list referenced by a nat (inside) statement
    • Instead, you must use NAT exemption: nat (inside) 0 access-list EXEMPT
    • Outside of this, nothing special
  • LAN-to-LAN w/ Digital Certificates (as opposed to paper certificates?!)
    • This is certainly something new for me as far as configuration goes. I've read a decent amount about setting up a CA and issuing certificates, but I've never actually configured it
    • I had way too many issues, but mainly on the CA side (I had never set up a Windows CA before)
    • IKE authentication will be rsa-sig as opposed to pre-shared key
    • You must configure the CA, authenticate the CA and then enroll with the CA. This is where I ran into problems on the CA side. It took a while to get SCEP up and going. For anyone that had problems like I did, here is the latest link on where to download the SCEP add-on: http://www.microsoft.com/en-us/download/details.aspx?id=2178
    • After finally configuring everything, including the CA, it didn't work! What now? I got this error on my IOS box:
Translating "ciscoacs-bzykjz"

Aug 26 11:46:46.803: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 136.1.123.12 is bad: CA request failed!
R3#
Aug 26 11:46:46.807: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 136.1.123.12
R3#
Aug 26 11:46:47.859: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 136.1.123.12 failed its sanity check or is malformed
R3#                 
Translating "ciscoacs-bzykjz"

Aug 26 11:47:16.702: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 136.1.123.12 is bad: CA request failed!
    • So it looked like name resolution was failing, as I recognized "ciscoacs-bzykjz" as the hostname of my Windows 2003 server. Added an 'ip host ciscoacs-bzykjz x.x.x.x' on my IOS box and, like magic, it worked!
    • You can also create a tunnel-group based on the FQDN. For this to work, you need to set both identities to be the hostname. These must also be the names you used to request your certificates from the CA.
  • When configuring L2L between IOS devices across the firewall with NAT, you need to make some adjustments.
      • Wildcard key on the outside peer, as the traffic will be NATed from the inside host (could be the interface address, but could also be a pool)
      • Creation of a dynamic map, since you aren't defining a specific peer due to the NAT
        • crypto dynamic-map DYNAMIC 10
        • set transform-set 3DES_MD5
        • crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC
        • interface Fa0/0
        • crypto map VPN
  • Overlapping NAT - this is a real-world scenario where there is overlapping address space at both endpoints. A simple 'ip nat inside source static network x.x.x.x y.y.y.y /zz' on both sides, with routes pointed to the global address at both endpoints.
      • You must also configure the ACL for the L2L appropriately as well.
      • Spent way too much time troubleshooting this one. I had not applied my access-list on the ASA; both endpoints believed the tunnel to be up, but no traffic would pass. Once I applied the access-list, things began to flow.
  • LAN-to-LAN with aggressive mode
    • The main advantage of IKE aggressive mode is that the identity is present during IKE negotiation, allowing flexible policy lookup.
    • When tied in with NAT, we can use the hostname as the identity to avoid the wildcard key previously used on the outside host
    • This is where you use ISAKMP profiles - to define the ISAKMP mode and configure self-identity.
    • You must also configure the key as hostname and not IP.
    • You have to apply the ISAKMP profile to the crypto map - 'crypto map VPN isakmp-profile AGGRESSIVE'
    • On the outside, you would not need the AGGRESSIVE profile - just 'crypto isakmp identity hostname'
    • You might think you need an 'ip host R1 x.x.x.x' here, but that is not the case. This type of tunnel can only be initiated from inside -> outside.
    • Again here, you use the dynamic map. There is very little the outside host knows about the inside.
    • Here you will see that from the inside, we are actually authenticated with the outside peer address: 'ISAKMP:(1001):SA has been authenticated with 136.1.122.2'
    • 'local crypto endpt.: 136.1.121.1, remote crypto endpt.: 136.1.122.2'
    • On the outside, you will see we are authenticated/peered with the ASA outside address: 'local crypto endpt.: 136.1.122.2, remote crypto endpt.: 136.1.122.12'
  • IOS LAN-to-LAN across ASA w/ Digital Certificates
    • I didn't see how this was any different, other than allowing traffic for NTP and WWW for certificate enrollment
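Putting the PSK LAN-to-LAN and NAT-exempt notes above into one configuration, here is an added example of mine, not from the original post: an ASA running the pre-8.3 NAT syntax the notes use (nat (inside) 0 access-list), peering with an IOS router. The addressing (ASA outside 192.0.2.12, router 192.0.2.2, LANs 10.1.1.0/24 and 10.2.2.0/24), the names VPN, L2L, EXEMPT and AES_SHA, and the placeholder key are all constructed. The lab notes use 3DES/MD5; I've used AES-256/SHA here.

```cisco
! ===== ASA (8.2-style NAT syntax) =====
! Constructed lab addressing: ASA outside 192.0.2.12, inside LAN 10.1.1.0/24
! Remote IOS router: outside 192.0.2.2, LAN 10.2.2.0/24
!
! Phase 1: unlike IOS, ISAKMP must be enabled explicitly on the interface
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Interesting traffic for the tunnel
access-list L2L extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! NAT: a deny line inside the nat (inside) ACL is not honoured on the ASA,
! so exempt the VPN traffic with nat 0 and PAT everything else
access-list EXEMPT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list EXEMPT
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Phase 2
crypto ipsec transform-set AES_SHA esp-aes-256 esp-sha-hmac
crypto map VPN 10 match address L2L
crypto map VPN 10 set peer 192.0.2.2
crypto map VPN 10 set transform-set AES_SHA
crypto map VPN interface outside
!
! The PSK is bound to the peer address through the tunnel-group
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_REAL_KEY
!
! Let decrypted VPN traffic bypass the interface ACL
sysopt connection permit-vpn

! ===== IOS router (192.0.2.2) =====
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_REAL_KEY address 192.0.2.12
!
crypto ipsec transform-set AES_SHA esp-aes 256 esp-sha-hmac
!
ip access-list extended L2L
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.12
 set transform-set AES_SHA
 match address L2L
!
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 crypto map VPN
```

To check the NAT exemption before bringing the tunnel up, run packet-tracer on the ASA for a flow from 10.1.1.0/24 to 10.2.2.0/24; the NAT phase should show the nat 0 rule, not the PAT to the interface. Once a host sends interesting traffic, show crypto isakmp sa and show crypto ipsec sa on either side should show the SA and non-zero encrypt/decrypt counters.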
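The certificate notes describe a three-step procedure (configure the trustpoint, authenticate the CA, enroll) plus the two fixes that made it work: resolving the CA hostname, and keying the tunnel-group on the FQDN. This is an added example configuration of mine, not from the post. The trustpoint name LAB-CA, the domain lab.example, the CA address 192.0.2.50 and the key label VPNKEY are assumptions; the mscep.dll path is the usual URL for the Windows 2003 SCEP add-on the notes link to. The "Translating ..." lines in the log above are the router trying to resolve the hostname in the enrollment URL, which is why the ip host entry is the fix. Revocation checking is disabled here only to match a lab; in production leave CRL or OCSP checking on.

```cisco
! ===== IOS router (R3) =====
! hostname + domain-name form the FQDN that the CA signs and that ISAKMP sends as identity
hostname R3
ip domain-name lab.example
!
! The SCEP URL names the CA by hostname; without DNS or this static entry the router
! sits at 'Translating "ciscoacs-bzykjz"' and the enrollment / CA requests fail
! (192.0.2.50 is a constructed address for the Windows CA)
ip host ciscoacs-bzykjz 192.0.2.50
!
crypto key generate rsa general-keys label VPNKEY modulus 2048
!
crypto pki trustpoint LAB-CA
 enrollment url http://ciscoacs-bzykjz/certsrv/mscep/mscep.dll
 fqdn R3.lab.example
 subject-name CN=R3.lab.example
 rsakeypair VPNKEY
 revocation-check none
!
! Exec mode: fetch and verify the CA certificate, then request our own.
! Compare the fingerprint printed by the first command with the CA out of band.
! crypto pki authenticate LAB-CA
! crypto pki enroll LAB-CA
!
crypto isakmp identity hostname
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication rsa-sig
 group 2

! ===== ASA =====
hostname ASA
domain-name lab.example
!
crypto key generate rsa label VPNKEY modulus 2048
crypto ca trustpoint LAB-CA
 enrollment url http://192.0.2.50/certsrv/mscep/mscep.dll
 fqdn ASA.lab.example
 subject-name CN=ASA.lab.example
 keypair VPNKEY
 revocation-check none
!
! Exec mode, the same two steps as on IOS
! crypto ca authenticate LAB-CA
! crypto ca enroll LAB-CA
!
crypto isakmp identity hostname
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
!
! Tunnel-group keyed on the peer's FQDN, i.e. the name in the peer's certificate
tunnel-group R3.lab.example type ipsec-l2l
tunnel-group R3.lab.example ipsec-attributes
 trust-point LAB-CA
```

Verify the enrollment with show crypto pki certificates on IOS and show crypto ca certificates on the ASA: both the CA certificate and the device certificate must be present before IKE will offer rsa-sig. Because certificates carry validity dates, both devices also need a correct clock (hence the NTP traffic mentioned in the last note); a router that boots in 2002 will reject a certificate issued in 2012 as not yet valid.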
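The aggressive-mode notes above combine several pieces: an ISAKMP profile on the inside router that sets self-identity and initiates aggressive mode, a key bound to a hostname rather than an address, the profile attached to the crypto map, identity hostname on the outside router, and a dynamic map on the outside because the inside router's address is the ASA's PAT address. Here they are together as an added example of mine, not from the post. R1 sits behind the ASA and R2 is outside; the domain lab.example, the keyring name OUTSIDE, the addresses and the placeholder key are constructed. I use a keyring inside the profile; the global crypto isakmp key ... hostname form the notes mention works as well.

```cisco
! ===== R1: inside the ASA, PATed on the way out; the only side that can initiate =====
hostname R1
ip domain-name lab.example
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Key is bound to the outside peer's hostname, not its address
crypto keyring OUTSIDE
 pre-shared-key hostname R2.lab.example key REPLACE_WITH_REAL_KEY
!
! ISAKMP profile: send our FQDN as identity and initiate in aggressive mode,
! so R2 can look the key up by name instead of by (unpredictable) source address
crypto isakmp profile AGGRESSIVE
 keyring OUTSIDE
 self-identity fqdn
 match identity host R2.lab.example
 initiate mode aggressive
!
crypto ipsec transform-set AES_SHA esp-aes 256 esp-sha-hmac
!
ip access-list extended L2L
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map VPN isakmp-profile AGGRESSIVE
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set AES_SHA
 match address L2L
!
interface FastEthernet0/0
 crypto map VPN

! ===== R2: outside router; knows the peer only by name =====
hostname R2
ip domain-name lab.example
!
crypto isakmp identity hostname
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Looked up by the identity R1 sends; no 0.0.0.0 wildcard key needed
crypto isakmp key REPLACE_WITH_REAL_KEY hostname R1.lab.example
!
crypto ipsec transform-set AES_SHA esp-aes 256 esp-sha-hmac
!
! Dynamic map: the peer address is the ASA's PAT address and is not known in advance.
! reverse-route injects a route to R1's LAN when the SA comes up.
crypto dynamic-map DYNAMIC 10
 set transform-set AES_SHA
 reverse-route
crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC
!
interface FastEthernet0/0
 crypto map VPN
```

On R2, show crypto isakmp sa will show the ASA's outside address as the peer, and because the ASA PATs R1, IKE detects the NAT and switches to NAT-T on UDP 4500, which is why the ports in that output are 4500 rather than 500. R2 cannot initiate: it has no static peer, and the ASA has no inbound translation for R1, so a tunnel that is down stays down until R1 sends interesting traffic.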
Ok, next on the plate is DMVPN. The VPN section was pretty straightforward and I did a little better than I thought I would. I've made good progress now - over 1/3 of the way through volume one.
