IKEv2 IPsec Virtual Private Networks

IKEv2 IPsec Virtual Private Networks : Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS


Description

Create and manage highly secure IPsec VPNs with IKEv2 and Cisco FlexVPN

The IKEv2 protocol significantly improves VPN security, and Cisco's FlexVPN offers a unified paradigm and command line interface for taking full advantage of it. Simple and modular, FlexVPN relies extensively on tunnel interfaces while maximizing compatibility with legacy VPNs. Now, two Cisco network security experts offer a complete, easy-to-understand, and practical introduction to IKEv2, modern IPsec VPNs, and FlexVPN.

The authors explain each key concept, and then guide you through all facets of FlexVPN planning, deployment, migration, configuration, administration, troubleshooting, and optimization. You'll discover how IKEv2 improves on IKEv1, master key IKEv2 features, and learn how to apply them with Cisco FlexVPN.

IKEv2 IPsec Virtual Private Networks offers practical design examples for many common scenarios, addressing IPv4 and IPv6, servers, clients, NAT, pre-shared keys, resiliency, overhead, and more. If you're a network engineer, architect, security specialist, or VPN administrator, you'll find all the knowledge you need to protect your organization with IKEv2 and FlexVPN.

  • Understand IKEv2 improvements: anti-DDoS cookies, configuration payloads, acknowledged responses, and more
  • Implement modern secure VPNs with Cisco IOS and IOS-XE
  • Plan and deploy IKEv2 in diverse real-world environments
  • Configure IKEv2 proposals, policies, profiles, keyrings, and authorization
  • Use advanced IKEv2 features, including SGT transportation and IKEv2 fragmentation
  • Understand FlexVPN, its tunnel interface types, and IOS AAA infrastructure
  • Implement FlexVPN Server with EAP authentication, pre-shared keys, and digital signatures
  • Deploy, configure, and customize FlexVPN clients
  • Configure, manage, and troubleshoot the FlexVPN Load Balancer
  • Improve FlexVPN resiliency with dynamic tunnel source, backup peers, and backup tunnels
  • Monitor IPsec VPNs with AAA, SNMP, and Syslog
  • Troubleshoot connectivity, tunnel creation, authentication, authorization, data encapsulation, data encryption, and overlay routing
  • Calculate IPsec overhead and fragmentation
  • Plan your IKEv2 migration: hardware, VPN technologies, routing, restrictions, capacity, PKI, authentication, availability, and more

Product details

  • Paperback | 656 pages
  • 189 x 232 x 34mm | 1,080g
  • Cisco Press
  • Indianapolis, United States
  • English
  • 1587144603
  • 9781587144608

Table of contents

Foreword xxvii

Introduction xxxiii

Part I Understanding IPsec VPNs

Chapter 1 Introduction to IPsec VPNs 1

The Need and Purpose of IPsec VPNs 2

Building Blocks of IPsec 2

Security Protocols 2

Security Associations 3

Key Management Protocol 3

IPsec Security Services 3

Access Control 4

Anti-replay Services 4

Confidentiality 4

Connectionless Integrity 4

Data Origin Authentication 4

Traffic Flow Confidentiality 4

Components of IPsec 5

Security Parameter Index 5

Security Policy Database 5

Security Association Database 6

Peer Authorization Database 6

Lifetime 7

Cryptography Used in IPsec VPNs 7

Symmetric Cryptography 7

Asymmetric Cryptography 8

The Diffie-Hellman Exchange 8

Public Key Infrastructure 11

Public Key Cryptography 11

Certificate Authorities 12

Digital Certificates 12

Digital Signatures Used in IKEv2 12

Pre-Shared-Keys, or Shared Secret 13

Encryption and Authentication 14

IP Authentication Header 15

Anti-Replay 16

IP Encapsulating Security Payload (ESP) 17

Authentication 18

Encryption 18

Anti-Replay 18

Encapsulation Security Payload Datagram Format 18

Encapsulating Security Payload Version 3 19

Extended Sequence Numbers 19

Traffic Flow Confidentiality 20

Dummy Packets 20

Modes of IPsec 20

IPsec Transport Mode 20

IPsec Tunnel Mode 21

Summary 22

References 22

Part II Understanding IKEv2

Chapter 2 IKEv2: The Protocol 23

IKEv2 Overview 23

The IKEv2 Exchange 24

IKE_SA_INIT 25

Diffie-Hellman Key Exchange 26

Security Association Proposals 29

Security Parameter Index (SPI) 34

Nonce 35

Cookie Notification 36

Certificate Request 38

HTTP_CERT_LOOKUP_SUPPORTED 39

Key Material Generation 39

IKE_AUTH 42

Encrypted and Authenticated Payload 42

Encrypted Payload Structure 43

Identity 44

Authentication 45

Signature-Based Authentication 46

(Pre) Shared-Key-Based Authentication 47

EAP 48

Traffic Selectors 50

Initial Contact 52

CREATE_CHILD_SA 53

IPsec Security Association Creation 53

IPsec Security Association Rekey 54

IKEv2 Security Association Rekey 54

IKEv2 Packet Structure Overview 55

The INFORMATIONAL Exchange 56

Notification 56

Deleting Security Associations 57

Configuration Payload Exchange 58

Dead Peer Detection/Keepalive/NAT Keepalive 59

IKEv2 Request - Response 61

IKEv2 and Network Address Translation 61

NAT Detection 64

Additions to RFC 7296 65

RFC 5998 An Extension for EAP-Only Authentication in IKEv2 65

RFC 5685 Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2) 65

RFC 6989 Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2) 65

RFC 6023 A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA) 66

Summary 66

References 66

Chapter 3 Comparison of IKEv1 and IKEv2 67

Brief History of IKEv1 67

Exchange Modes 69

IKEv1 70

IKEv2 71

Anti-Denial of Service 72

Lifetime 72

Authentication 73

High Availability 74

Traffic Selectors 74

Use of Identities 74

Network Address Translation 74

Configuration Payload 75

Mobility & Multi-homing 75

Matching on Identity 75

Reliability 77

Cryptographic Exchange Bloat 77

Combined Mode Ciphers 77

Continuous Channel Mode 77

Summary 77

References 78

Part III IPsec VPNs on Cisco IOS

Chapter 4 IOS IPsec Implementation 79

Modes of Encapsulation 82

GRE Encapsulation 82

GRE over IPsec 83

IPsec Transport Mode with GRE over IPsec 83

IPsec Tunnel mode with GRE over IPsec 84

Traffic 85

Multicast Traffic 85

Non-IP Protocols 86

The Demise of Crypto Maps 86

Interface Types 87

Virtual Interfaces: VTI and GRE/IPsec 87

Traffic Selection by Routing 88

Static Tunnel Interfaces 90

Dynamic Tunnel Interfaces 91

sVTI and dVTI 92

Multipoint GRE 92

Tunnel Protection and Crypto Sockets 94

Implementation Modes 96

Dual Stack 96

Mixed Mode 96

Auto Tunnel Mode 99

VRF-Aware IPsec 99

VRF in Brief 99

VRF-Aware GRE and VRF-Aware IPsec 101

VRF-Aware GRE over IPsec 102

Summary 103

Reference 104

Part IV IKEv2 Implementation

Chapter 5 IKEv2 Configuration 105

IKEv2 Configuration Overview 105

The Guiding Principle 106

Scope of IKEv2 Configuration 106

IKEv2 Configuration Constructs 106

IKEv2 Proposal 107

Configuring the IKEv2 Proposal 108

Configuring IKEv2 Encryption 111

Configuring IKEv2 Integrity 113

Configuring IKEv2 Diffie-Hellman 113

Configuring IKEv2 Pseudorandom Function 115

Default IKEv2 Proposal 115

IKEv2 Policy 117

Configuring an IKEv2 Policy 118

Configuring IKEv2 Proposals under IKEv2 Policy 119

Configuring Match Statements under IKEv2 Policy 120

Default IKEv2 Policy 121

IKEv2 Policy Selection on the Initiator 122

IKEv2 Policy Selection on Responder 124

IKEv2 Policy Configuration Examples 125

Per-peer IKEv2 Policy 125

IKEv2 Policy with Multiple Proposals 126

IKEv2 Keyring 128

Configuring IKEv2 Keyring 129

Configuring a Peer Block in Keyring 130

Key Lookup on Initiator 132

Key Lookup on Responder 133

IKEv2 Keyring Configuration Example 134

IKEv2 Keyring Key Points 136

IKEv2 Profile 136

IKEv2 Profile as Peer Authorization Database 137

Configuring IKEv2 Profile 138

Configuring Match Statements in IKEv2 Profile 139

Matching any Peer Identity 142

Defining the Scope of IKEv2 Profile 143

Defining the Local IKE Identity 143

Defining Local and Remote Authentication Methods 145

IKEv2 Dead Peer Detection 149

IKEv2 Initial Contact 151

IKEv2 SA Lifetime 151

NAT Keepalives 152

IVRF (inside VRF) 152

Virtual Template Interface 153

Disabling IKEv2 Profile 153

Displaying IKEv2 Profiles 153

IKEv2 Profile Selection on Initiator and Responder 154

IKEv2 Profile Key Points 154

IKEv2 Global Configuration 155

HTTP URL-based Certificate Lookup 156

IKEv2 Cookie Challenge 156

IKEv2 Call Admission Control 157

IKEv2 Window Size 158

Dead Peer Detection 158

NAT Keepalive 159

IKEv2 Diagnostics 159

PKI Configuration 159

Certificate Authority 160

Public-Private Key Pair 162

PKI Trustpoint 163

PKI Example 164

IPsec Configuration 166

IPsec Profile 167

IPsec Configuration Example 168

Smart Defaults 168

Summary 169

Chapter 6 Advanced IKEv2 Features 171

Introduction to IKEv2 Fragmentation 171

IP Fragmentation Overview 172

IKEv2 and Fragmentation 173

IKEv2 SGT Capability Negotiation 178

IKEv2 Session Authentication 181

IKEv2 Session Deletion on Certificate Revocation 182

IKEv2 Session Deletion on Certificate Expiry 184

IKEv2 Session Lifetime 185

Summary 187

References 188

Chapter 7 IKEv2 Deployments 189

Pre-shared-key Authentication with Smart Defaults 189

Elliptic Curve Digital Signature Algorithm Authentication 194

RSA Authentication Using HTTP URL Lookup 200

IKEv2 Cookie Challenge and Call Admission Control 207

Summary 210

Part V FlexVPN

Chapter 8 Introduction to FlexVPN 211

FlexVPN Overview 211

The Rationale 212

FlexVPN Value Proposition 213

FlexVPN Building Blocks 213

IKEv2 213

Cisco IOS Point-to-Point Tunnel Interfaces 214

Configuring Static P2P Tunnel Interfaces 214

Configuring Virtual-Template Interfaces 216

Auto-Detection of Tunnel Encapsulation and Transport 219

Benefits of Per-Peer P2P Tunnel Interfaces 221

Cisco IOS AAA Infrastructure 221

Configuring AAA for FlexVPN 222

IKEv2 Name Mangler 223

Configuring IKEv2 Name Mangler 224

Extracting Name from FQDN Identity 225

Extracting Name from Email Identity 226

Extracting Name from DN Identity 226

Extracting Name from EAP Identity 227

IKEv2 Authorization Policy 228

Default IKEv2 Authorization Policy 229

FlexVPN Authorization 231

Configuring FlexVPN Authorization 233

FlexVPN User Authorization 235

FlexVPN User Authorization, Using an External AAA Server 235

FlexVPN Group Authorization 237

FlexVPN Group Authorization, Using a Local AAA Database 238

FlexVPN Group Authorization, Using an External AAA Server 239

FlexVPN Implicit Authorization 242

FlexVPN Implicit Authorization Example 243

FlexVPN Authorization Types: Co-existence and Precedence 245

User Authorization Taking Higher Precedence 247

Group Authorization Taking Higher Precedence 249

FlexVPN Configuration Exchange 250

Enabling Configuration Exchange 250

FlexVPN Usage of Configuration Payloads 251

Configuration Attributes and Authorization 253

Configuration Exchange Examples 259

FlexVPN Routing 264

Learning Remote Subnets Locally 265

Learning Remote Subnets from Peer 266

Summary 268

Chapter 9 FlexVPN Server 269

Sequence of Events 270

EAP Authentication 271

EAP Methods 272

EAP Message Flow 273

EAP Identity 273

EAP Timeout 275

EAP Authentication Steps 275

Configuring EAP 277

EAP Configuration Example 278

AAA-based Pre-shared Keys 283

Configuring AAA-based Pre-Shared Keys 284

RADIUS Attributes for AAA-Based Pre-Shared Keys 285

AAA-Based Pre-Shared Keys Example 285

Accounting 287

Per-Session Interface 290

Deriving Virtual-Access Configuration from a Virtual Template 291

Deriving Virtual-Access Configuration from AAA Authorization 293

The interface-config AAA Attribute 293

Deriving Virtual-Access Configuration from an Incoming Session 294

Virtual-Access Cloning Example 295

Auto Detection of Tunnel Transport and Encapsulation 297

RADIUS Packet of Disconnect 299

Configuring RADIUS Packet of Disconnect 300

RADIUS Packet of Disconnect Example 301

RADIUS Change of Authorization (CoA) 303

Configuring RADIUS CoA 304

RADIUS CoA Examples 305

Updating Session QoS Policy, Using CoA 305

Updating the Session ACL, Using CoA 307

IKEv2 Auto-Reconnect 309

Auto-Reconnect Configuration Attributes 310

Smart DPD 311

Configuring IKEv2 Auto-Reconnect 313

User Authentication, Using AnyConnect-EAP 315

AnyConnect-EAP 315

AnyConnect-EAP XML Messages for User Authentication 316

Configuring User Authentication, Using AnyConnect-EAP 318

AnyConnect Configuration for Aggregate Authentication 320

Dual-factor Authentication, Using AnyConnect-EAP 320

AnyConnect-EAP XML Messages for dual-factor authentication 322

Configuring Dual-factor Authentication, Using AnyConnect-EAP 324

RADIUS Attributes Supported by the FlexVPN Server 325

Remote Access Clients Supported by FlexVPN Server 329

FlexVPN Remote Access Client 329

Microsoft Windows7 IKEv2 Client 329

Cisco IKEv2 AnyConnect Client 330

Summary 330

Reference 330

Chapter 10 FlexVPN Client 331

Introduction 331

FlexVPN Client Overview 332

FlexVPN Client Building Blocks 333

IKEv2 Configuration Exchange 334

Static Point-to-Point Tunnel Interface 334

FlexVPN Client Profile 334

Object Tracking 334

NAT 335

FlexVPN Client Features 335

Dual Stack Support 335

EAP Authentication 335

Dynamic Routing 335

Support for EzVPN Client and Network Extension Modes 336

Advanced Features 336

Setting up the FlexVPN Server 336

EAP Authentication 337

Split-DNS 338

Components of Split-DNS 340

Windows Internet Naming Service (WINS) 343

Domain Name 344

FlexVPN Client Profile 345

Backup Gateways 346

Resolution of Fully Qualified Domain Names 346

Reactivating Peers 346

Backup Gateway List 347

Tunnel Interface 347

Tunnel Source 348

Tunnel Destination 349

Tunnel Initiation 350

Automatic Mode 350

Manual Mode 350

Track Mode 350

Tracking a List of Objects, Using a Boolean Expression 350

Dial Backup 352

Backup Group 353

Network Address Translation 354

Design Considerations 356

Use of Public Key Infrastructure and Pre-Shared Keys 356

The Power of Tracking 356

Tracked Object Based on Embedded Event Manager 356

Troubleshooting FlexVPN Client 358

Useful Show Commands 358

Debugging FlexVPN Client 360

Clearing IKEv2 FlexVPN Client Sessions 360

Summary 361

Chapter 11 FlexVPN Load Balancer 363

Introduction 363

Components of the FlexVPN Load Balancer 363

IKEv2 Redirect 363

Hot Standby Routing Protocol 366

FlexVPN IKEv2 Load Balancer 367

Cluster Load 369

IKEv2 Redirect 372

Redirect Loops 373

FlexVPN Client 374

Troubleshooting IKEv2 Load Balancing 374

IKEv2 Load Balancer Example 376

Summary 379

Chapter 12 FlexVPN Deployments 381

Introduction 381

FlexVPN AAA-Based Pre-Shared Keys 381

Configuration on the Branch-1 Router 382

Configuration on the Branch-2 Router 383

Configuration on the Hub Router 383

Configuration on the RADIUS Server 384

FlexVPN User and Group Authorization 386

FlexVPN Client Configuration at Branch 1 386

FlexVPN Client Configuration at Branch 2 387

Configuration on the FlexVPN Server 387

Configuration on the RADIUS Server 388

Logs Specific to FlexVPN Client-1 389

Logs Specific to FlexVPN Client-2 390

FlexVPN Routing, Dual Stack, and Tunnel Mode Auto 391

FlexVPN Spoke Configuration at Branch-1 392

FlexVPN Spoke Configuration at Branch-2 394

FlexVPN Hub Configuration at the HQ 395

Verification on FlexVPN Spoke at Branch-1 397

Verification on FlexVPN Spoke at Branch-2 399

Verification on the FlexVPN Hub at HQ 401

FlexVPN Client NAT to the Server-Assigned IP Address 404

Configuration on the FlexVPN Client 404

Verification on the FlexVPN Client 405

FlexVPN WAN Resiliency, Using Dynamic Tunnel Source 407

FlexVPN Client Configuration on the Dual-Homed Branch Router 408

Verification on the FlexVPN Client 409

FlexVPN Hub Resiliency, Using Backup Peers 411

FlexVPN Client Configuration on the Branch Router 411

Verification on the FlexVPN Client 412

FlexVPN Backup Tunnel, Using Track-Based Tunnel Activation 414

Verification on the FlexVPN Client 415

Summary 416

Part VI IPsec VPN Maintenance

Chapter 13 Monitoring IPsec VPNs 417

Introduction to Monitoring 417

Authentication, Authorization, and Accounting (AAA) 418

NetFlow 418

Simple Network Management Protocol 419

VRF-Aware SNMP 420

Syslog 421

Monitoring Methodology 422

IP Connectivity 423

VPN Tunnel Establishment 425

Cisco IPsec Flow Monitor MIB 425

SNMP with IKEv2 425

Syslog 428

Pre-Shared Key Authentication 429

PKI Authentication 431

EAP Authentication 434

Authorization Using RADIUS-Based AAA 436

Data Encryption: SNMP with IPsec 437

Overlay Routing 439

Data Usage 440

Summary 443

References 443

Chapter 14 Troubleshooting IPsec VPNs 445

Introduction 445

Tools of Troubleshooting 446

Show Commands 447

Syslog Messages 447

Event-Trace Monitoring 447

Debugging 449

IKEv2 Debugging 449

IPsec Debugging 453

Key Management Interface Debugging 453

PKI Debugging 456

Conditional Debugging 456

IP Connectivity 457

VPN Tunnel Establishment 460

IKEv2 Diagnose Error 460

Troubleshooting the IKE_SA_INIT Exchange 461

Troubleshooting the IKE_AUTH Exchange 464

Authentication 464

Troubleshooting RSA or ECDSA Authentication 465

Certificate Attributes 469

Debugging Authentication Using PKI 470

Certificate Expiry 470

Matching Peer Using Certificate Maps 472

Certificate Revocation 473

Trustpoint Configuration 476

Trustpoint Selection 476

Pre-Shared Key 478

Extensible Authentication Protocol (EAP) 480

Authorization 485

Data Encryption 488

Debugging IPsec 488

IPsec Anti-Replay 491

Data Encapsulation 495

Mismatching GRE Tunnel Keys 495

Overlay Routing 495

Static Routing 496

IKEv2 Routing 496

Dynamic Routing Protocols 498

Summary 499

References 502

Part VII IPsec Overhead

Chapter 15 IPsec Overhead and Fragmentation 503

Introduction 503

Computing the IPsec Overhead 504

General Considerations 504

IPsec Mode Overhead (without GRE) 505

GRE Overhead 505

Encapsulating Security Payload Overhead 507

Authentication Header Overhead 509

Encryption Overhead 510

Integrity Overhead 511

Combined-mode Algorithm Overhead 512

Plaintext MTU 513

Maximum Overhead 514

Maximum Encapsulation Security Payload Overhead 515

Maximum Authentication Header Overhead 516

Extra Overhead 516

IPsec and Fragmentation 518

Maximum Transmission Unit 518

Fragmentation in IPv4 519

Fragmentation in IPv6 522

Path MTU Discovery 523

TCP MSS Clamping 525

MSS Refresher 525

MSS Adjustment 526

IPsec Fragmentation and PMTUD 527

Fragmentation on Tunnels 531

IPsec Only (VTI) 531

GRE Only 532

GRE over IPsec 534

Tunnel PMTUD 534

The Impact of Fragmentation 535

Summary 536

References 536

Part VIII Migration to IKEv2

Chapter 16 Migration Strategies 539

Introduction to Migrating to IKEv2 and FlexVPN 539

Consideration when Migrating to IKEv2 539

Hardware Limi

About Amjad Inamdar

Graham Bartlett, CCIE No. 26709, has designed a number of large-scale Virtual Private Networks within the UK and worked with customers throughout the world using IKEv2 and Next Generation Encryption. Graham's interests include Security and Virtual Private Networks. Within this space he has discovered zero-day vulnerabilities, including the highest severity security advisory in the March 2015 Cisco IOS software and IOS XE software security advisory bundled publication. He has contributed to numerous IETF RFCs, and has intellectual property published as prior art. He is a CiscoLive speaker and has developed Cisco Security exam content (CCIE/CCNP). He is a CCP (Senior) IA Architect, CCP (Practitioner) Security & Information Risk Advisor, CCNP, CISSP, Cisco Security Ninja and holds a BSc (Hons) in Computer Systems and Networks.

Amjad Inamdar, CISSP 460898, is a Senior Technical Leader with Cisco IOS Security Engineering, India. He has primarily worked on the design, development and deployment of Cisco IOS secure connectivity solutions, including the industry-leading FlexVPN, DMVPN, GETVPN and EzVPN solutions, and is currently working on the Cisco next-generation SD-WAN solution. He has contributed to IETF drafts, holds a Cisco patent and has prior art publications. He holds many industry certifications, including CISSP, CCSK, CCNP Security, CCDP, CCNP R/S, CCNA (SP, Data Center, Wireless, Voice) and Cisco Security Ninja, and has presented on security at conferences, internal forums and to Cisco customers and partners. He holds a degree (B.E.) in Electronics and Communication Engineering.