IKEv2 IPsec Virtual Private Networks
27%
off

IKEv2 IPsec Virtual Private Networks : Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS

By (author)  , By (author) 

Free delivery worldwide

Available. Dispatched from the UK in 1 business day
When will my order arrive?

Description

Create and manage highly-secure Ipsec VPNs with IKEv2 and Cisco FlexVPN The IKEv2 protocol significantly improves VPN security, and Cisco's FlexVPN offers a unified paradigm and command line interface for taking full advantage of it. Simple and modular, FlexVPN relies extensively on tunnel interfaces while maximizing compatibility with legacy VPNs. Now, two Cisco network security experts offer a complete, easy-tounderstand, and practical introduction to IKEv2, modern IPsec VPNs, and FlexVPN. The authors explain each key concept, and then guide you through all facets of FlexVPN planning, deployment, migration, configuration, administration, troubleshooting, and optimization. You'll discover how IKEv2 improves on IKEv1, master key IKEv2 features, and learn how to apply them with Cisco FlexVPN. IKEv2 IPsec Virtual Private Networks offers practical design examples for many common scenarios, addressing IPv4 and IPv6, servers, clients, NAT, pre-shared keys, resiliency, overhead, and more. If you're a network engineer, architect, security specialist, or VPN administrator, you'll find all the knowledge you need to protect your organization with IKEv2 and FlexVPN. Understand IKEv2 improvements: anti-DDoS cookies, configuration payloads, acknowledged responses, and moreImplement modern secure VPNs with Cisco IOS and IOS-XEPlan and deploy IKEv2 in diverse real-world environmentsConfigure IKEv2 proposals, policies, profiles, keyrings, and authorizationUse advanced IKEv2 features, including SGT transportation and IKEv2 fragmentationUnderstand FlexVPN, its tunnel interface types, and IOS AAA infrastructureImplement FlexVPN Server with EAP authentication, pre-shared keys, and digital signaturesDeploy, configure, and customize FlexVPN clientsConfigure, manage, and troubleshoot the FlexVPN Load BalancerImprove FlexVPN resiliency with dynamic tunnel source, backup peers, and backup tunnelsMonitor IPsec VPNs with AAA, SNMP, and SyslogTroubleshoot connectivity, tunnel creation, authentication, authorization, data encapsulation, data encryption, and overlay routingCalculate IPsec overhead and fragmentationPlan your IKEv2 migration: hardware, VPN technologies, routing, restrictions, capacity, PKI, authentication, availability, and moreshow more

Product details

  • Paperback | 656 pages
  • 191 x 226 x 38.1mm | 1,080g
  • Pearson Education (US)
  • Cisco Press
  • Indianapolis, United States
  • English
  • 1587144603
  • 9781587144608
  • 410,724

About Graham Bartlett

Graham Bartlett, CCIE No. 26709, has designed a number of large scale Virtual Private Networks within the UK and worked with customers throughout the world using IKEv2 and Next Generation Encryption. Graham's interests include Security and Virtual Private Networks. Within this space he has discovered zero-day vulnerabilities, including the higest severity security advisory in the March 2015 Cisco IOS software and IOS XE software security advisory bundled publication. He has contributed to numerous IETF RFCs, and has intellectual property published as prior art. He is a CiscoLive speaker and has developed Cisco Security exam content (CCIE/CCNP). He is a CCP (Senior) IA Architect, CCP (Practitioner) Security & Information Risk Advisor, CCNP, CISSP, Cisco Security Ninja and holds a BSc(Hons) in Computer Systems and Networks. Amjad Inamdar CISSP 460898, is a Senior Technical Leader with Cisco IOS Security Engineering, India. He has primarily worked on design, development and deployment of Cisco IOS secure connectivity solutions including the industry leading FlexVPN, DMVPN, GETVPN and EzVPN solutions and is currently working on the Cisco next generation SD-WAN solution. He has contributed to IETF drafts, holds a Cisco patent and has prior art publications. He holds many industry certifications including CISSP, CCSK, CCNP Security, CCDP, CCNP R/S, CCNA (SP, Data Center, Wireless, Voice), Cisco Security Ninja and has presented security at conferences, internal forums and to Cisco customers and partners. He holds a degree (B.E) in Electronics and Communication Engineering.show more

Table of contents

Foreword xxvii Introduction xxxiii Part I Understanding IPsec VPNs Chapter 1 Introduction to IPsec VPNs 1 The Need and Purpose of IPsec VPNs 2 Building Blocks of IPsec 2 Security Protocols 2 Security Associations 3 Key Management Protocol 3 IPsec Security Services 3 Access Control 4 Anti-replay Services 4 Confidentiality 4 Connectionless Integrity 4 Data Origin Authentication 4 Traffic Flow Confidentiality 4Components of IPsec 5 Security Parameter Index 5 Security Policy Database 5 Security Association Database 6 Peer Authorization Database 6 Lifetime 7 Cryptography Used in IPsec VPNs 7 Symmetric Cryptography 7 Asymmetric Cryptography 8 The Diffie-Hellman Exchange 8 Public Key Infrastructure 11 Public Key Cryptography 11 Certificate Authorities 12 Digital Certificates 12 Digital Signatures Used in IKEv2 12 Pre-Shared-Keys, or Shared Secret 13 Encryption and Authentication 14 IP Authentication Header 15 Anti-Replay 16 IP Encapsulating Security Payload (ESP) 17 Authentication 18 Encryption 18 Anti-Replay 18 Encapsulation Security Payload Datagram Format 18 Encapsulating Security Payload Version 3 19 Extended Sequence Numbers 19 Traffic Flow Confidentiality 20 Dummy Packets 20 Modes of IPsec 20 IPsec Transport Mode 20 IPsec Tunnel Mode 21 Summary 22 References 22 Part II Understanding IKEv2 Chapter 2 IKEv2: The Protocol 23 IKEv2 Overview 23 The IKEv2 Exchange 24 IKE_SA_INIT 25 Diffie-Hellman Key Exchange 26 Security Association Proposals 29Security Parameter Index (SPI) 34 Nonce 35 Cookie Notification 36 Certificate Request 38 HTTP_CERT_LOOKUP_SUPPORTED 39 Key Material Generation 39 IKE_AUTH 42 Encrypted and Authenticated Payload 42 Encrypted Payload Structure 43 Identity 44 Authentication 45 Signature-Based Authentication 46 (Pre) Shared-Key-Based Authentication 47 EAP 48 Traffic Selectors 50 Initial Contact 52 CREATE_CHILD_SA 53 IPsec Security Association Creation 53 IPsec Security Association Rekey 54 IKEv2 Security Association Rekey 54 IKEv2 Packet Structure Overview 55 The INFORMATIONAL Exchange 56 Notification 56 Deleting Security Associations 57 Configuration Payload Exchange 58 Dead Peer Detection/Keepalive/NAT Keepalive 59 IKEv2 Request - Response 61 IKEv2 and Network Address Translation 61 NAT Detection 64 Additions to RFC 7296 65 RFC 5998 An Extension for EAP-Only Authentication in IKEv2 65 RFC 5685 Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2) 65 RFC 6989 Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2) 65 RFC 6023 A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA) 66 Summary 66 References 66 Chapter 3 Comparison of IKEv1 and IKEv2 67 Brief History of IKEv1 67 Exchange Modes 69 IKEv1 70 IKEv2 71 Anti-Denial of Service 72 Lifetime 72 Authentication 73 High Availability 74 Traffic Selectors 74 Use of Identities 74 Network Address Translation 74 Configuration Payload 75 Mobility & Multi-homing 75 Matching on Identity 75 Reliability 77 Cryptographic Exchange Bloat 77 Combined Mode Ciphers 77 Continuous Channel Mode 77 Summary 77 References 78 Part III IPsec VPNs on Cisco IOS Chapter 4 IOS IPsec Implementation 79 Modes of Encapsulation 82 GRE Encapsulation 82 GRE over IPsec 83 IPsec Transport Mode with GRE over IPsec 83 IPsec Tunnel mode with GRE over IPsec 84 Traffic 85 Multicast Traffic 85 Non-IP Protocols 86 The Demise of Crypto Maps 86 Interface Types 87 Virtual Interfaces: VTI and GRE/IPsec 87 Traffic Selection by Routing 88 Static Tunnel Interfaces 90 Dynamic Tunnel Interfaces 91 sVTI and dVTI 92 Multipoint GRE 92 Tunnel Protection and Crypto Sockets 94 Implementation Modes 96 Dual Stack 96 Mixed Mode 96 Auto Tunnel Mode 99 VRF-Aware IPsec 99 VRF in Brief 99VRF-Aware GRE and VRF-Aware IPsec 101 VRF-Aware GRE over IPsec 102 Summary 103 Reference 104 Part IV IKEv2 Implementation Chapter 5 IKEv2 Configuration 105 IKEv2 Configuration Overview 105 The Guiding Principle 106 Scope of IKEv2 Configuration 106 IKEv2 Configuration Constructs 106 IKEv2 Proposal 107 Configuring the IKEv2 Proposal 108 Configuring IKEv2 Encryption 111 Configuring IKEv2 Integrity 113 Configuring IKEv2 Diffie-Hellman 113 Configuring IKEv2 Pseudorandom Function 115 Default IKEv2 Proposal 115 IKEv2 Policy 117 Configuring an IKEv2 Policy 118 Configuring IKEv2 Proposals under IKEv2 Policy 119 Configuring Match Statements under IKEv2 Policy 120 Default IKEv2 Policy 121 IKEv2 Policy Selection on the Initiator 122 IKEv2 Policy Selection on Responder 124 IKEv2 Policy Configuration Examples 125 Per-peer IKEv2 Policy 125 IKEv2 Policy with Multiple Proposals 126 IKEv2 Keyring 128 Configuring IKEv2 Keyring 129 Configuring a Peer Block in Keyring 130 Key Lookup on Initiator 132 Key Lookup on Responder 133 IKEv2 Keyring Configuration Example 134 IKEv2 Keyring Key Points 136 IKEv2 Profile 136 IKEv2 Profile as Peer Authorization Database 137 Configuring IKEv2 Profile 138 Configuring Match Statements in IKEv2 Profile 139Matching any Peer Identity 142 Defining the Scope of IKEv2 Profile 143 Defining the Local IKE Identity 143 Defining Local and Remote Authentication Methods 145 IKEv2 Dead Peer Detection 149 IKEv2 Initial Contact 151 IKEv2 SA Lifetime 151 NAT Keepalives 152 IVRF (inside VRF) 152 Virtual Template Interface 153 Disabling IKEv2 Profile 153 Displaying IKEv2 Profiles 153 IKEv2 Profile Selection on Initiator and Responder 154 IKEv2 Profile Key Points 154 IKEv2 Global Configuration 155 HTTP URL-based Certificate Lookup 156 IKEv2 Cookie Challenge 156 IKEv2 Call Admission Control 157 IKEv2 Window Size 158 Dead Peer Detection 158 NAT Keepalive 159 IKEv2 Diagnostics 159 PKI Configuration 159 Certificate Authority 160 Public-Private Key Pair 162 PKI Trustpoint 163 PKI Example 164 IPsec Configuration 166 IPsec Profile 167 IPsec Configuration Example 168 Smart Defaults 168 Summary 169 Chapter 6 Advanced IKEv2 Features 171 Introduction to IKEv2 Fragmentation 171 IP Fragmentation Overview 172IKEv2 and Fragmentation 173 IKEv2 SGT Capability Negotiation 178 IKEv2 Session Authentication 181 IKEv2 Session Deletion on Certificate Revocation 182 IKEv2 Session Deletion on Certificate Expiry 184 IKEv2 Session Lifetime 185 Summary 187 References 188 Chapter 7 IKEv2 Deployments 189 Pre-shared-key Authentication with Smart Defaults 189 Elliptic Curve Digital Signature Algorithm Authentication 194 RSA Authentication Using HTTP URL Lookup 200 IKEv2 Cookie Challenge and Call Admission Control 207 Summary 210 Part V FlexVPN Chapter 8 Introduction to FlexVPN 211 FlexVPN Overview 211 The Rationale 212 FlexVPN Value Proposition 213 FlexVPN Building Blocks 213 IKEv2 213 Cisco IOS Point-to-Point Tunnel Interfaces 214 Configuring Static P2P Tunnel Interfaces 214 Configuring Virtual-Template Interfaces 216 Auto-Detection of Tunnel Encapsulation and Transport 219 Benefits of Per-Peer P2P Tunnel Interfaces 221 Cisco IOS AAA Infrastructure 221 Configuring AAA for FlexVPN 222 IKEv2 Name Mangler 223 Configuring IKEv2 Name Mangler 224 Extracting Name from FQDN Identity 225 Extracting Name from Email Identity 226 Extracting Name from DN Identity 226 Extracting Name from EAP Identity 227 IKEv2 Authorization Policy 228 Default IKEv2 Authorization Policy 229 FlexVPN Authorization 231 Configuring FlexVPN Authorization 233 FlexVPN User Authorization 235 FlexVPN User Authorization, Using an External AAA Server 235 FlexVPN Group Authorization 237FlexVPN Group Authorization, Using a Local AAA Database 238 FlexVPN Group Authorization, Using an External AAA Server 239 FlexVPN Implicit Authorization 242 FlexVPN Implicit Authorization Example 243 FlexVPN Authorization Types: Co-existence and Precedence 245 User Authorization Taking Higher Precedence 247 Group Authorization Taking Higher Precedence 249 FlexVPN Configuration Exchange 250 Enabling Configuration Exchange 250 FlexVPN Usage of Configuration Payloads 251 Configuration Attributes and Authorization 253 Configuration Exchange Examples 259 FlexVPN Routing 264 Learning Remote Subnets Locally 265 Learning Remote Subnets from Peer 266 Summary 268 Chapter 9 FlexVPN Server 269 Sequence of Events 270 EAP Authentication 271 EAP Methods 272 EAP Message Flow 273 EAP Identity 273 EAP Timeout 275 EAP Authentication Steps 275 Configuring EAP 277 EAP Configuration Example 278 AAA-based Pre-shared Keys 283 Configuring AAA-based Pre-Shared Keys 284 RADIUS Attributes for AAA-Based Pre-Shared Keys 285 AAA-Based Pre-Shared Keys Example 285 Accounting 287 Per-Session Interface 290 Deriving Virtual-Access Configuration from a Virtual Template 291 Deriving Virtual-Access Configuration from AAA Authorization 293 The interface-config AAA Attribute 293 Deriving Virtual-Access Configuration from an Incoming Session 294 Virtual-Access Cloning Example 295 Auto Detection of Tunnel Transport and Encapsulation 297 RADIUS Packet of Disconnect 299 Configuring RADIUS Packet of Disconnect 300 RADIUS Packet of Disconnect Example 301 RADIUS Change of Authorization (CoA) 303 Configuring RADIUS CoA 304 RADIUS CoA Examples 305 Updating Session QoS Policy, Using CoA 305 Updating the Session ACL, Using CoA 307 IKEv2 Auto-Reconnect 309 Auto-Reconnect Configuration Attributes 310 Smart DPD 311 Configuring IKEv2 Auto-Reconnect 313 User Authentication, Using AnyConnect-EAP 315 AnyConnect-EAP 315 AnyConnect-EAP XML Messages for User Authentication 316 Configuring User Authentication, Using AnyConnect-EAP 318 AnyConnect Configuration for Aggregate Authentication 320 Dual-factor Authentication, Using AnyConnect-EAP 320 AnyConnect-EAP XML Messages for dual-factor authentication 322 Configuring Dual-factor Authentication, Using AnyConnect-EAP 324 RADIUS Attributes Supported by the FlexVPN Server 325 Remote Access Clients Supported by FlexVPN Server 329 FlexVPN Remote Access Client 329 Microsoft Windows7 IKEv2 Client 329 Cisco IKEv2 AnyConnect Client 330 Summary 330 Reference 330 Chapter 10 FlexVPN Client 331 Introduction 331 FlexVPN Client Overview 332 FlexVPN Client Building Blocks 333 IKEv2 Configuration Exchange 334 Static Point-to-Point Tunnel Interface 334 FlexVPN Client Profile 334 Object Tracking 334 NAT 335 FlexVPN Client Features 335 Dual Stack Support 335EAP Authentication 335 Dynamic Routing 335 Support for EzVPN Client and Network Extension Modes 336 Advanced Features 336 Setting up the FlexVPN Server 336 EAP Authentication 337 Split-DNS 338 Components of Split-DNS 340 Windows Internet Naming Service (WINS) 343 Domain Name 344 FlexVPN Client Profile 345 Backup Gateways 346 Resolution of Fully Qualified Domain Names 346 Reactivating Peers 346 Backup Gateway List 347 Tunnel Interface 347 Tunnel Source 348 Tunnel Destination 349 Tunnel Initiation 350 Automatic Mode 350 Manual Mode 350 Track Mode 350 Tracking a List of Objects, Using a Boolean Expression 350 Dial Backup 352 Backup Group 353 Network Address Translation 354 Design Considerations 356 Use of Public Key Infrastructure and Pre-Shared Keys 356 The Power of Tracking 356 Tracked Object Based on Embedded Event Manager 356 Troubleshooting FlexVPN Client 358 Useful Show Commands 358 Debugging FlexVPN Client 360 Clearing IKEv2 FlexVPN Client Sessions 360 Summary 361 Chapter 11 FlexVPN Load Balancer 363 Introduction 363 Components of the FlexVPN Load Balancer 363 IKEv2 Redirect 363 Hot Standby Routing Protocol 366 FlexVPN IKEv2 Load Balancer 367 Cluster Load 369IKEv2 Redirect 372 Redirect Loops 373 FlexVPN Client 374 Troubleshooting IKEv2 Load Balancing 374 IKEv2 Load Balancer Example 376 Summary 379 Chapter 12 FlexVPN Deployments 381 Introduction 381 FlexVPN AAA-Based Pre-Shared Keys 381 Configuration on the Branch-1 Router 382 Configuration on the Branch-2 Router 383 Configuration on the Hub Router 383 Configuration on the RADIUS Server 384 FlexVPN User and Group Authorization 386 FlexVPN Client Configuration at Branch 1 386 FlexVPN Client Configuration at Branch 2 387 Configuration on the FlexVPN Server 387 Configuration on the RADIUS Server 388 Logs Specific to FlexVPN Client-1 389 Logs Specific to FlexVPN Client-2 390 FlexVPN Routing, Dual Stack, and Tunnel Mode Auto 391 FlexVPN Spoke Configuration at Branch-1 392 FlexVPN Spoke Configuration at Branch-2 394 FlexVPN Hub Configuration at the HQ 395 Verification on FlexVPN Spoke at Branch-1 397 Verification on FlexVPN Spoke at Branch-2 399 Verification on the FlexVPN Hub at HQ 401 FlexVPN Client NAT to the Server-Assigned IP Address 404 Configuration on the FlexVPN Client 404 Verification on the FlexVPN Client 405 FlexVPN WAN Resiliency, Using Dynamic Tunnel Source 407 FlexVPN Client Configuration on the Dual-Homed Branch Router 408 Verification on the FlexVPN Client 409 FlexVPN Hub Resiliency, Using Backup Peers 411 FlexVPN Client Configuration on the Branch Router 411 Verification on the FlexVPN Client 412 FlexVPN Backup Tunnel, Using Track-Based Tunnel Activation 414 Verification on the FlexVPN Client 415 Summary 416 Part VI IPsec VPN Maintenance Chapter 13 Monitoring IPsec VPNs 417 Introduction to Monitoring 417Authentication, Authorization, and Accounting (AAA) 418 NetFlow 418 Simple Network Management Protocol 419 VRF-Aware SNMP 420 Syslog 421 Monitoring Methodology 422 IP Connectivity 423 VPN Tunnel Establishment 425 Cisco IPsec Flow Monitor MIB 425 SNMP with IKEv2 425 Syslog 428 Pre-Shared Key Authentication 429 PKI Authentication 431 EAP Authentication 434 Authorization Using RADIUS-Based AAA 436 Data Encryption: SNMP with IPsec 437 Overlay Routing 439 Data Usage 440 Summary 443 References 443 Chapter 14 Troubleshooting IPsec VPNs 445 Introduction 445 Tools of Troubleshooting 446 Show Commands 447 Syslog Messages 447 Event-Trace Monitoring 447 Debugging 449 IKEv2 Debugging 449 IPsec Debugging 453 Key Management Interface Debugging 453 PKI Debugging 456 Conditional Debugging 456 IP Connectivity 457 VPN Tunnel Establishment 460 IKEv2 Diagnose Error 460 Troubleshooting the IKE_SA_INIT Exchange 461 Troubleshooting the IKE_AUTH Exchange 464 Authentication 464 Troubleshooting RSA or ECDSA Authentication 465 Certificate Attributes 469 Debugging Authentication Using PKI 470 Certificate Expiry 470 Matching Peer Using Certificate Maps 472 Certificate Revocation 473 Trustpoint Configuration 476 Trustpoint Selection 476 Pre-Shared Key 478 Extensible Authentication Protocol (EAP) 480 Authorization 485 Data Encryption 488 Debugging IPsec 488 IPsec Anti-Replay 491 Data Encapsulation 495 Mismatching GRE Tunnel Keys 495 Overlay Routing 495 Static Routing 496 IKEv2 Routing 496 Dynamic Routing Protocols 498 Summary 499 References 502 Part VII IPsec Overhead Chapter 15 IPsec Overhead and Fragmentation 503 Introduction 503 Computing the IPsec Overhead 504 General Considerations 504 IPsec Mode Overhead (without GRE) 505 GRE Overhead 505 Encapsulating Security Payload Overhead 507 Authentication Header Overhead 509 Encryption Overhead 510 Integrity Overhead 511 Combined-mode Algorithm Overhead 512 Plaintext MTU 513 Maximum Overhead 514 Maximum Encapsulation Security Payload Overhead 515Maximum Authentication Header Overhead 516 Extra Overhead 516 IPsec and Fragmentation 518 Maximum Transmission Unit 518 Fragmentation in IPv4 519 Fragmentation in IPv6 522 Path MTU Discovery 523 TCP MSS Clamping 525 MSS Refresher 525 MSS Adjustment 526 IPsec Fragmentation and PMTUD 527 Fragmentation on Tunnels 531 IPsec Only (VTI) 531 GRE Only 532 GRE over IPsec 534 Tunnel PMTUD 534 The Impact of Fragmentation 535 Summary 536 References 536 Part VIII Migration to IKEv2 Chapter 16 Migration Strategies 539 Introduction to Migrating to IKEv2 and FlexVPN 539 Consideration when Migrating to IKEv2 539 Hardware Limishow more