Wednesday, September 5, 2012

EasyVPN and SSL VPN

EasyVPN

  • The config below is the server (hub) side, serving remote routers in client mode (the client PATs its inside hosts to the single address it is assigned from the server's pool)
  • Most of the server-side EasyVPN configuration is under 'crypto isakmp client configuration group'. The 'isakmp authorization list' and 'client authentication list' on the crypto map name AAA lists (aaa authorization network / aaa authentication login) and 'pool EZVPN' names an 'ip local pool'; those, the SPLIT_TUNNEL ACL and the interface the crypto map is applied to are not shown here.
  • 3des, md5 and DH group 2 are used to match the lab; all three are deprecated today. Because an EasyVPN group authenticated by pre-shared key negotiates with IKE aggressive mode, a short group key such as CISCO can be brute-forced offline from a captured exchange, so use a long random group key or certificates.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local EZVPN
crypto isakmp client configuration group EZVPN
 key CISCO
 pool EZVPN
 acl SPLIT_TUNNEL
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac 
crypto dynamic-map DYNAMIC 10
 set transform-set 3DES_MD5 
 reverse-route
crypto map VPN isakmp authorization list EZVPN
crypto map VPN client authentication list EZVPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC 
 crypto map VPN
  • On the client, configuration is under 'crypto ipsec client'
crypto ipsec client ezvpn EZVPN
 connect manual
 group EZVPN key CISCO
 mode client
 peer 136.1.123.3
 xauth userid mode interactive
interface Lo0
 crypto ipsec client ezvpn EZVPN inside
interface Fa0/0
 crypto ipsec client ezvpn EZVPN
  • In a manual configuration, bring the tunnel up with 'crypto ipsec client ezvpn connect EZVPN'. If xauth is configured, the tunnel stays pending until you enter 'crypto ipsec client ezvpn xauth EZVPN' and supply the user credentials.
  • You can have multiple inside/outside interfaces
  • You can have multiple inside subnets, but you must use an ACL on the client profile to capture them:
crypto ipsec client ezvpn EZVPN
 acl ACCESS_LIST_NAME
  • Show/clear commands include
    • show crypto ipsec client ezvpn
    • show ip nat statistics
    • clear crypto ipsec client ezvpn
  • You can also use network-extension mode ('mode network-extension' on the client), in which there is no NAT and no pool: the client's inside subnet is routable from the protected network, with 'reverse-route' on the server injecting the route back toward the client.
  • Configuration on an ASA is similar, but the group settings are split between a tunnel-group (pre-shared key, address pool) and a group-policy (split tunnel, DNS, tunnel protocol)
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) EZVPN
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool (inside) EZVPN
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 address-pool EZVPN
 default-group-policy EZVPN
tunnel-group EZVPN ipsec-attributes
 pre-shared-key *
!
group-policy EZVPN internal
group-policy EZVPN attributes
 dns-server value 10.0.0.100
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac 
crypto dynamic-map DYNAMIC 10 set transform-set 3DES_MD5
crypto dynamic-map DYNAMIC 10 set reverse-route
crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
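Both the IOS server config and the ASA config above negotiate with 3DES, MD5 and DH group 2. The following is an added example, not code from the original post: a small Python auditor that parses ISAKMP policies (IOS 'encr' or ASA 'encryption' spelling), IPsec transform sets and EasyVPN group keys and flags the weak settings. The thresholds (DES/3DES, MD5/SHA-1 and DH groups below 14 are weak) are this script's own assumptions, and the embedded config is constructed from the page's policy 10 plus a stronger policy 20 so both outcomes are exercised.

```python
"""Flag weak IKEv1/IPsec crypto in IOS and ASA config fragments.

Added example (not code from the original post). The thresholds are this
script's own assumptions, not a setting taken from the page.
"""
import re

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}            # bare 'sha' is SHA-1
MIN_DH_GROUP = 14
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}

# Constructed sample: the page's policy 10 / 3DES_MD5 set plus a stronger
# policy 20 / AES_SHA set so both outcomes are exercised.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp client configuration group EZVPN
 key CISCO
 pool EZVPN
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set AES_SHA esp-aes 256 esp-sha256-hmac
"""


def parse_isakmp_policies(config):
    """Map policy priority -> {encr, hash, authentication, group, ...}.

    Accepts both the IOS 'encr' and the ASA 'encryption' keyword.
    """
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current["encr" if key == "encryption" else key] = value
        else:
            current = None
    return policies


def parse_transform_sets(config):
    """Map transform-set name -> algorithm keywords (key sizes dropped)."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        sets[m.group(1)] = [t for t in m.group(2).split() if not t.isdigit()]
    return sets


def parse_group_keys(config):
    """Map EasyVPN client group -> 'cleartext' or 'type6' for its 'key' line."""
    keys, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp client configuration group (\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.startswith(" "):
            parts = line.split()
            if parts[0] == "key":
                keys[current] = "type6" if parts[1] == "6" else "cleartext"
        else:
            current = None
    return keys


def audit(config):
    """Return (object, issue) pairs for every weak or missing setting found."""
    findings = []
    for prio, p in sorted(parse_isakmp_policies(config).items()):
        where = f"isakmp policy {prio}"
        encr = p.get("encr", "").split()
        if not encr:
            findings.append((where, "encryption not set; platform default applies"))
        elif encr[0] in WEAK_ENCR:
            findings.append((where, f"weak encryption {' '.join(encr)}"))
        h = p.get("hash")
        if h is None:
            findings.append((where, "hash not set; platform default (SHA-1) applies"))
        elif h in WEAK_HASH:
            findings.append((where, f"weak hash {h}"))
        g = p.get("group")
        if g is None or not g.isdigit() or int(g) < MIN_DH_GROUP:
            findings.append((where, f"weak or unset DH group {g}"))
    for name, algs in parse_transform_sets(config).items():
        for alg in algs:
            if alg in WEAK_ESP:
                findings.append((f"transform-set {name}", f"weak transform {alg}"))
    for grp, kind in parse_group_keys(config).items():
        if kind == "cleartext":
            findings.append((f"client group {grp}",
                             "group pre-shared key stored in cleartext (use 'key 6' or certificates)"))
    return findings


if __name__ == "__main__":
    for where, issue in audit(SAMPLE_CONFIG):
        print(f"{where}: {issue}")
```

Run against a 'show running-config' capture it reports six findings for the sample: three for policy 10, two for the 3DES_MD5 transform set and one for the cleartext group key, and nothing for policy 20 or AES_SHA. A policy with no explicit encr, hash or group is reported too, since the platform default fills the gap silently.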
  • Configuring ASA w/ VPN Client and external policy
    • This required configuration and setup of the ACS server. I have no experience with ACS other than adding users/groups/etc. I do have experience with RADIUS in an ISP environment, so the concept isn't totally foreign.
    • Define Radius server with the 'aaa-server' command on ASA
    • To use an external policy, use 'group-policy EZVPN external server-group RADIUS password CISCO'
    • Add ASA as AAA Client in ACS
    • Under Interface - Radius (VPN3k, ASA, PIX) enable the VSAs you need, such as Primary DNS, IPSec-Authentication and Split-tunnel list
    • Create an EZVPN Group in ACS and fill in the values for the selected VSA
    • Finally, add user and assign to EZVPN group
    • With this configuration the group policy and its attributes are fetched from ACS (the ASA authenticates to ACS with the group-policy password), but users are still authenticated against the ASA's local database
  • Authenticate remote VPN user to ACS
    • Point the tunnel-group at the RADIUS server with 'authentication-server-group RADIUS' under its general-attributes
    • User authentication is performed prior to group-policy download, so you can specify policy per user (ACS returns the attributes for the user's group)
    • The OU is used for group match in ACS
WebVPN
  • Configuration seemed straight-forward.
  • WebVPN configuration is under the webvpn context
  • You can create group-policy for webvpn
group-policy WEBVPN attributes
 webvpn
  filter value WEBACCESS
  url-entry enable
  • There is a special access-list type for WebVPN, webtype ('access-list WEBACCESS webtype permit url ...'), applied to the group-policy with 'filter value' as above
  • There is also a webvpn tunnel-group type ('tunnel-group NAME type webvpn')
  • You configure port-forward lists under the main webvpn context and apply them in the group-policy's webvpn section with 'port-forward value NAME' and 'port-forward enable'
port-forward TELNET_R3 20023 136.1.121.1 telnet 

SSL VPN
  • Similar to the WebVPN setup. You indicate where the client image is located and enable it under webvpn
webvpn
  svc image disk0:/sslclient.pkg 1
  svc enable
  • You need to create a pool for SSL VPN users (ip local pool)
  • Create a group policy similar to webvpn
group-policy SSLVPN attributes
  vpn-tunnel-protocol webvpn
  webvpn
    svc required
    svc keep-installer installed
  • Create a tunnel group
tunnel-group SSLVPN type webvpn
tunnel-group SSLVPN general-attributes
  address-pool NAME
  default-group-policy SSLVPN
  • Attach policy to username
username CISCO attributes
  vpn-group-policy SSLVPN
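The ASA sections above (EasyVPN, WebVPN and SSL VPN) all hang off the same tunnel-group -> default-group-policy chain, and that chain is what a reviewer resolves first. The following is an added example, not code from the original post: a Python script that parses ASA tunnel-group and group-policy blocks, resolves each remote-access tunnel-group to its effective group-policy and reports three things worth checking: a tunnel protocol that assigns client addresses with no address-pool, 'tunnelspecified' split tunneling with no network list, and clientless url-entry with no webtype filter. The embedded config is constructed from the page's EZVPN/WEBVPN/SSLVPN names with two of those checks deliberately failing; the RA_TYPES and ADDRESS_PROTOCOLS sets are this script's assumptions about which keywords mean what.

```python
"""Resolve ASA remote-access tunnel-groups to their effective group-policy.

Added example (not code from the original post). Walks tunnel-group ->
default-group-policy and reports settings a reviewer checks first.
"""

# Constructed sample based on the page's names; WEBVPN has no webtype filter
# and SSLVPN has no split-tunnel network list on purpose.
SAMPLE_ASA = """\
group-policy EZVPN internal
group-policy EZVPN attributes
 dns-server value 10.0.0.100
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
group-policy WEBVPN internal
group-policy WEBVPN attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-entry enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
 vpn-tunnel-protocol webvpn
 split-tunnel-policy tunnelspecified
 webvpn
  svc required
  svc keep-installer installed
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 address-pool EZVPN
 default-group-policy EZVPN
tunnel-group WEBVPN type webvpn
tunnel-group WEBVPN general-attributes
 default-group-policy WEBVPN
tunnel-group SSLVPN type webvpn
tunnel-group SSLVPN general-attributes
 address-pool SSLPOOL
 default-group-policy SSLVPN
"""

RA_TYPES = {"remote-access", "ipsec-ra", "webvpn"}                 # assumption
ADDRESS_PROTOCOLS = {"ipsec", "svc", "ssl-client", "l2tp-ipsec", "ikev1", "ikev2"}


def parse_blocks(config):
    """Split an ASA config into (header line, [indented body lines]) pairs."""
    blocks, header, body = [], None, []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            body.append(line)
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line, []
    if header is not None:
        blocks.append((header, body))
    return blocks


def parse_asa(config):
    """Return (tunnel_groups, group_policies) dicts keyed by name."""
    tunnel_groups, group_policies = {}, {}
    for header, body in parse_blocks(config):
        parts = header.split()
        if parts[0] == "tunnel-group":
            tg = tunnel_groups.setdefault(parts[1], {"type": None, "attrs": {}})
            if parts[2] == "type":
                tg["type"] = parts[3]
            elif parts[2] == "general-attributes":
                for line in body:
                    key, _, value = line.strip().partition(" ")
                    tg["attrs"][key] = value
        elif parts[0] == "group-policy":
            gp = group_policies.setdefault(parts[1], {"kind": None, "attrs": {}, "webvpn": []})
            if parts[2] in ("internal", "external"):
                gp["kind"] = parts[2]
            elif parts[2] == "attributes":
                for line in body:
                    if line.startswith("  "):            # nested 'webvpn' sub-mode
                        gp["webvpn"].append(line.strip())
                    elif line.strip() != "webvpn":
                        key, _, value = line.strip().partition(" ")
                        gp["attrs"][key] = value
    return tunnel_groups, group_policies


def review(config):
    """Return (tunnel-group, issue) pairs for remote-access tunnel-groups."""
    tunnel_groups, group_policies = parse_asa(config)
    findings = []
    for name, tg in tunnel_groups.items():
        if tg["type"] not in RA_TYPES:
            continue
        gp_name = tg["attrs"].get("default-group-policy", "DfltGrpPolicy")
        gp = group_policies.get(gp_name)
        if gp is None:
            findings.append((name, f"uses group-policy {gp_name}, which is not in this config"))
            continue
        protocols = set(gp["attrs"].get("vpn-tunnel-protocol", "").lower().split())
        assigns_address = bool(protocols & ADDRESS_PROTOCOLS) or "svc required" in gp["webvpn"]
        if assigns_address and "address-pool" not in tg["attrs"]:
            findings.append((name, "clients get tunnel addresses but no address-pool is set"))
        if (gp["attrs"].get("split-tunnel-policy") == "tunnelspecified"
                and "split-tunnel-network-list" not in gp["attrs"]):
            findings.append((name, f"group-policy {gp_name}: tunnelspecified with no split-tunnel-network-list"))
        if ("url-entry enable" in gp["webvpn"]
                and not any(line.startswith("filter value") for line in gp["webvpn"])):
            findings.append((name, f"group-policy {gp_name}: url-entry enabled with no webtype filter"))
    return findings


if __name__ == "__main__":
    for name, issue in review(SAMPLE_ASA):
        print(f"tunnel-group {name}: {issue}")
```

A tunnel-group with no 'default-group-policy' falls back to the ASA's built-in DfltGrpPolicy, which is why the script reports that name when it is not in the text it was given: the effective policy then lives outside the fragment under review.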
