book

IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS

Name: IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS
ISBN: 9780134426396

by Graham Bartlett, Amjad Inamdar

September 2016

Intermediate to advanced

450 pages

20h 48m

English

Cisco Press

Read now

Unlock full access

About This E-Book
Title Page
Copyright Page
About the Authors
Note from the Authors
About the Technical Reviewers
Dedications
Acknowledgments
Contents at a Glance
Contents

Foreword
Icons Used in This Book
Command Syntax Conventions
Introduction
Goals and MethodsWho Should Read This Book?How This Book is OrganizedChapter 1 Introduction to IPsec VPNsChapter 2 IKEv2: The ProtocolChapter 3 Comparison of IKEv1 and IKEv2Chapter 4 IOS IPsec ImplementationChapter 5 IKEv2 ConfigurationChapter 6 Advanced IKEv2 FeaturesChapter 7 IKEv2 DeploymentsChapter 8 Introduction to FlexVPNChapter 9 FlexVPN ServerChapter 10 FlexVPN ClientChapter 11 FlexVPN Load BalancerChapter 12 FlexVPN DeploymentsChapter 13 Monitoring IPsec VPNsChapter 14 Troubleshooting IPsec VPNsChapter 15 IPsec Overhead and FragmentationChapter 16 Migration Strategies
Part I: Understanding IPsec VPNs
Chapter 1. Introduction to IPsec VPNs
The Need and Purpose of IPsec VPNsBuilding Blocks of IPsecSecurity ProtocolsSecurity AssociationsKey Management ProtocolIPsec Security ServicesAccess ControlAnti-replay ServicesConfidentialityConnectionless IntegrityData Origin AuthenticationTraffic Flow ConfidentialityComponents of IPsecSecurity Parameter IndexSecurity Policy DatabaseSecurity Association DatabasePeer Authorization DatabaseLifetimeCryptography Used in IPsec VPNsSymmetric CryptographyAsymmetric CryptographyThe Diffie-Hellman ExchangePublic Key InfrastructurePublic Key CryptographyCertificate AuthoritiesDigital CertificatesDigital Signatures Used in IKEv2Pre-Shared-Keys, or Shared SecretEncryption and AuthenticationIP Authentication HeaderIP Encapsulating Security Payload (ESP)Encapsulating Security Payload Version 3Modes of IPsecIPsec Transport ModeIPsec Tunnel ModeSummaryReferences
Part II: Understanding IKEv2
Chapter 2. IKEv2: The Protocol
IKEv2 OverviewThe IKEv2 ExchangeIKE_SA_INITDiffie-Hellman Key ExchangeSecurity Association ProposalsSecurity Parameter Index (SPI)NonceCookie NotificationCertificate RequestHTTP_CERT_LOOKUP_SUPPORTEDKey Material GenerationIKE_AUTHEncrypted and Authenticated PayloadEncrypted Payload StructureIdentityAuthenticationTraffic SelectorsInitial ContactCREATE_CHILD_SAIPsec Security Association CreationIPsec Security Association RekeyIKEv2 Security Association RekeyIKEv2 Packet Structure OverviewThe INFORMATIONAL ExchangeNotificationDeleting Security AssociationsConfiguration Payload ExchangeDead Peer Detection/Keepalive/NAT KeepaliveIKEv2 Request – ResponseIKEv2 and Network Address TranslationNAT DetectionAdditions to RFC7296RFC5998 An Extension for EAP-Only Authentication in IKEv2RFC5685 Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)RFC6989 Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)RFC6023 A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)SummaryReferences
Chapter 3. Comparison of IKEv1 and IKEv2
Brief History of IKEv1Exchange ModesIKEv1IKEv2Anti-Denial of ServiceLifetimeAuthenticationHigh AvailabilityTraffic SelectorsUse of IdentitiesNetwork Address TranslationConfiguration PayloadMobility & Multi-homingMatching on IdentityReliabilityCryptographic Exchange BloatCombined Mode CiphersContinuous Channel ModeSummaryReferences
Part III: IPsec VPNs on Cisco IOS
Chapter 4. IOS IPsec Implementation
Modes of EncapsulationGRE EncapsulationGRE over IPsecIPsec Transport Mode with GRE over IPsecIPsec Tunnel mode with GRE over IPsecTrafficThe Demise of Crypto MapsInterface TypesVirtual Interfaces: VTI and GRE/IPsecTraffic Selection by RoutingStatic Tunnel InterfacesDynamic Tunnel InterfacessVTI and dVTIMultipoint GRETunnel Protection and Crypto SocketsImplementation ModesDual StackMixed ModeAuto Tunnel ModeVRF-Aware IPsecVRF in BriefVRF-Aware GRE and VRF-Aware IPsecVRF-Aware GRE over IPsecSummaryReference
Part IV: IKEv2 Implementation
Chapter 5. IKEv2 Configuration
IKEv2 Configuration OverviewThe Guiding PrincipleScope of IKEv2 ConfigurationIKEv2 Configuration ConstructsIKEv2 ProposalConfiguring the IKEv2 ProposalConfiguring IKEv2 EncryptionConfiguring IKEv2 IntegrityConfiguring IKEv2 Diffie-HellmanConfiguring IKEv2 Pseudorandom FunctionDefault IKEv2 ProposalIKEv2 PolicyConfiguring an IKEv2 PolicyDefault IKEv2 PolicyIKEv2 Policy Selection on the InitiatorIKEv2 Policy Selection on ResponderIKEv2 Policy Configuration ExamplesIKEv2 KeyringConfiguring IKEv2 KeyringKey Lookup on InitiatorKey Lookup on ResponderIKEv2 Keyring Configuration ExampleIKEv2 Keyring Key PointsIKEv2 ProfileIKEv2 Profile as Peer Authorization DatabaseConfiguring IKEv2 ProfileIKEv2 Profile Selection on Initiator and ResponderIKEv2 Profile Key PointsIKEv2 Global ConfigurationHTTP URL-based Certificate LookupIKEv2 Cookie ChallengeIKEv2 Call Admission ControlIKEv2 Window SizeDead Peer DetectionNAT KeepaliveIKEv2 DiagnosticsPKI ConfigurationCertificate AuthorityPublic-Private Key PairPKI TrustpointPKI ExampleIPsec ConfigurationIPsec ProfileIPsec Configuration ExampleSmart DefaultsSummary
Chapter 6. Advanced IKEv2 Features
Introduction to IKEv2 FragmentationIP Fragmentation OverviewIKEv2 and FragmentationIKEv2 SGT Capability NegotiationIKEv2 Session AuthenticationIKEv2 Session Deletion on Certificate RevocationIKEv2 Session Deletion on Certificate ExpiryIKEv2 Session LifetimeSummaryReferences
Chapter 7. IKEv2 Deployments
Pre-shared-key Authentication with Smart DefaultsElliptic Curve Digital Signature Algorithm AuthenticationRSA Authentication Using HTTP URL LookupIKEv2 Cookie Challenge and Call Admission ControlSummary
Part V: FlexVPN
Chapter 8. Introduction to FlexVPN
FlexVPN OverviewThe RationaleFlexVPN Value PropositionFlexVPN Building BlocksIKEv2Cisco IOS Point-to-Point Tunnel InterfacesCisco IOS AAA InfrastructureIKEv2 Name ManglerConfiguring IKEv2 Name ManglerIKEv2 Authorization PolicyDefault IKEv2 Authorization PolicyFlexVPN AuthorizationConfiguring FlexVPN AuthorizationFlexVPN User AuthorizationFlexVPN Group AuthorizationFlexVPN Implicit AuthorizationFlexVPN Authorization Types: Co-existence and PrecedenceFlexVPN Configuration ExchangeEnabling Configuration ExchangeFlexVPN Usage of Configuration PayloadsConfiguration Attributes and AuthorizationConfiguration Exchange ExamplesFlexVPN RoutingLearning Remote Subnets LocallyLearning Remote Subnets from PeerSummary
Chapter 9. FlexVPN Server
Sequence of EventsEAP AuthenticationEAP MethodsEAP Message FlowEAP IdentityEAP TimeoutEAP Authentication StepsConfiguring EAPEAP Configuration ExampleAAA-based Pre-shared KeysConfiguring AAA-based Pre-Shared KeysRADIUS Attributes for AAA-Based Pre-Shared KeysAAA-Based Pre-Shared Keys ExampleAccountingPer-Session InterfaceDeriving Virtual-Access Configuration from a Virtual-TemplateDeriving Virtual-Access Configuration from AAA AuthorizationDeriving Virtual-Access Configuration from an Incoming SessionVirtual-Access Cloning ExampleAuto Detection of Tunnel Transport and EncapsulationRADIUS Packet of DisconnectConfiguring RADIUS Packet of DisconnectRADIUS Packet of Disconnect ExampleRADIUS Change of Authorization (CoA)Configuring RADIUS CoARADIUS CoA ExamplesIKEv2 Auto-ReconnectAuto-Reconnect Configuration AttributesSmart DPDConfiguring IKEv2 Auto-ReconnectUser Authentication, Using AnyConnect-EAPAnyConnect-EAPConfiguring User Authentication, Using AnyConnect-EAPAnyConnect Configuration for Aggregate AuthenticationDual-factor Authentication, Using AnyConnect-EAPConfiguring Dual-factor Authentication, Using AnyConnect-EAPRADIUS Attributes Supported by the FlexVPN ServerRemote Access Clients Supported by FlexVPN ServerSummaryReference
Chapter 10. FlexVPN Client
IntroductionFlexVPN Client OverviewFlexVPN Client Building BlocksFlexVPN Client FeaturesSetting up the FlexVPN ServerEAP AuthenticationSplit-DNSComponents of Split-DNSWindows Internet Naming Service (WINS)Domain NameFlexVPN Client ProfileBackup GatewaysResolution of Fully Qualified Domain NamesReactivating PeersBackup Gateway ListTunnel InterfaceTunnel SourceTunnel DestinationTunnel InitiationAutomatic ModeManual ModeTrack ModeDial BackupBackup GroupNetwork Address TranslationDesign ConsiderationsUse of Public Key Infrastructure and Pre-Shared KeysThe Power of TrackingTroubleshooting FlexVPN ClientUseful Show CommandsDebugging FlexVPN ClientClearing IKEv2 FlexVPN Client SessionsSummary
Chapter 11. FlexVPN Load Balancer
IntroductionComponents of the FlexVPN Load BalancerIKEv2 RedirectHot Standby Routing ProtocolFlexVPN IKEv2 Load BalancerCluster LoadIKEv2 RedirectRedirect LoopsFlexVPN ClientTroubleshooting IKEv2 Load BalancingIKEv2 Load Balancer ExampleSummary
Chapter 12. FlexVPN Deployments
IntroductionFlexVPN AAA-Based Pre-Shared KeysConfiguration on the Branch-1 RouterConfiguration on the Branch-2 RouterConfiguration on the Hub RouterConfiguration on the RADIUS ServerFlexVPN User and Group AuthorizationFlexVPN Client Configuration at Branch 1FlexVPN Client Configuration at Branch 2Configuration on the FlexVPN ServerConfiguration on the RADIUS ServerLogs Specific to FlexVPN Client-1Logs Specific to FlexVPN Client-2FlexVPN Routing, Dual Stack, and Tunnel Mode AutoFlexVPN Spoke Configuration at Branch-1FlexVPN Spoke Configuration at Branch-2FlexVPN Hub Configuration at the HQVerification on FlexVPN Spoke at Branch-1Verification on FlexVPN Spoke at Branch-2Verification on the FlexVPN Hub at HQFlexVPN Client NAT to the Server-Assigned IP AddressConfiguration on the FlexVPN ClientVerification on the FlexVPN ClientFlexVPN WAN Resiliency, Using Dynamic Tunnel SourceFlexVPN Client Configuration on the Dual-Homed Branch RouterVerification on the FlexVPN ClientFlexVPN Hub Resiliency, Using Backup PeersFlexVPN Client Configuration on the Branch RouterVerification on the FlexVPN ClientFlexVPN Backup Tunnel, Using Track-Based Tunnel ActivationVerification on the FlexVPN ClientSummary
Part VI: IPsec VPN Maintenance
Chapter 13. Monitoring IPsec VPNs
Introduction to MonitoringAuthentication, Authorization, and Accounting (AAA)NetFlowSimple Network Management ProtocolSyslogMonitoring MethodologyIP ConnectivityVPN Tunnel EstablishmentPre-Shared Key AuthenticationPKI AuthenticationEAP AuthenticationAuthorization Using RADIUS-Based AAAData Encryption: SNMP with IPsecOverlay RoutingData UsageSummaryReferences
Chapter 14. Troubleshooting IPsec VPNs
IntroductionTools of TroubleshootingShow CommandsSyslog MessagesEvent-Trace MonitoringDebuggingKey Management Interface DebuggingPKI DebuggingConditional DebuggingIP ConnectivityVPN Tunnel EstablishmentIKEv2 Diagnose ErrorTroubleshooting the IKE_SA_INIT ExchangeAuthenticationTroubleshooting RSA or ECDSA AuthenticationCertificate AttributesDebugging Authentication Using PKICertificate ExpiryMatching Peer Using Certificate MapsCertificate RevocationTrustpoint ConfigurationTrustpoint SelectionPre-Shared KeyExtensible Authentication Protocol (EAP)AuthorizationData EncryptionDebugging IPsecIPsec Anti-ReplayData EncapsulationMismatching GRE Tunnel KeysOverlay RoutingStatic RoutingIKEv2 RoutingDynamic Routing ProtocolsSummaryReferences
Part VII: IPsec Overhead
Chapter 15. IPsec Overhead and Fragmentation
IntroductionComputing the IPsec OverheadGeneral ConsiderationsIPsec Mode Overhead (without GRE)GRE OverheadEncapsulating Security Payload OverheadAuthentication Header OverheadEncryption OverheadIntegrity OverheadCombined-mode Algorithm OverheadPlaintext MTUMaximum OverheadIPsec and FragmentationMaximum Transmission UnitFragmentation in IPv4Fragmentation in IPv6Path MTU DiscoveryTCP MSS ClampingIPsec Fragmentation and PMTUDFragmentation on TunnelsThe Impact of FragmentationSummaryReferences
Part VIII: Migration to IKEv2
Chapter 16. Migration Strategies
Introduction to Migrating to IKEv2 and FlexVPNConsideration when Migrating to IKEv2Hardware LimitationsCurrent VPN TechnologyRouting Protocol SelectionRestrictions When Running IKEv1 and IKEv2 SimultaneouslyCurrent CapacityIP AddressesSoftwareAmending the VPN GatewayGlobal IKE and IPsec CommandsFlexVPN FeaturesFamiliarizationClient AwarenessPublic Key InfrastructureInternet Protocol Version 6AuthenticationHigh AvailabilityAsymmetric RoutingMigration StrategiesHard MigrationSoft MigrationMigration VerificationConsideration for TopologiesSite-to-SiteHub and SpokeRemote AccessSummary
Index
Inside Front Cover
Inside Back Cover
Code Snippets

Content preview from IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS

Chapter 9. FlexVPN Server

This chapter introduces the Cisco IOS FlexVPN server. The FlexVPN server acts as a VPN headend for the remote-access and hub-spoke VPN topologies. The FlexVPN server leverages the IKEv2 configuration and the FlexVPN building blocks discussed in the earlier chapters. It dynamically instantiates a point-to-point tunnel interface for every peer session and leverages AAA to support EAP authentication, AAA-based pre-shared keys, session accounting, and for authorization to derive session policy attributes that are sent to the peer via configuration exchange and/or applied on the session interface. The chapter discusses the features that are relevant to FlexVPN server.

The chapter covers the following main topics

Sequence ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

IPsec Virtual Private Network Fundamentals

Publisher Resources

ISBN: 9780134426396Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS

by Graham Bartlett, Amjad Inamdar

Chapter 9. FlexVPN Server

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.