Cisco asa ikev2 remote access - IT Новости из мира ПК
L2TP/IPsec on a Cisco ASA 5510 for connecting Windows clients with AD authentication

Create the pool of addresses from which client IP addresses will be assigned:

ip local pool vpnn_access 10.0.1.2-10.0.1.254 mask 255.255.255.0

Add an AAA server so that users can authenticate against Active Directory:

aaa-server kerberos_server protocol kerberos
aaa-server kerberos_server (inside) host 10.0.0.10
kerberos-realm MYDOMAIN

Enable IKEv1 on the ASA's outside interface:

crypto ikev1 enable outside

Add an encryption policy:

crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

Add a transform set. Since tunnel mode is the default, we explicitly force transport mode:

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

Create a dynamic crypto map with our transform set...

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA-TRANS

... and bind it to the outside interface:

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

Create an access list with the networks that will be reachable through our tunnel (split tunnelling is not secure in general, but nonetheless):

access-list split-tunnel standard permit 10.0.0.0 255.255.0.0

In the group policy, specify the domain name, the DNS servers and the connection type:
group-policy l2tp_ra_gp attributes
dns-server value 10.0.0.10 10.0.0.11
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value mydomain
intercept-dhcp enable

There are three ways the tunnel group name is determined:

  • 1) An arbitrary name set in the client's connection parameters (tunnel-group MY_TUNNEL general-attributes);
  • 2) If that parameter is not given, the client's IP address is used (tunnel-group 10.10.10.10 general-attributes);
  • 3) And if there is no tunnel group for that IP address, the DefaultRAGroup group is used.

Since the clients will have dynamic IP addresses and the Windows VPN client has no way to specify a group name, option 3 is exactly our case.

tunnel-group DefaultRAGroup general-attributes
address-pool vpnn_access
authentication-server-group kerberos_server
default-group-policy l2tp_ra_gp
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key $tr0NgPr3$@r3D(!KeY)
isakmp keepalive threshold 60 retry 3
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1

Moving on to the Windows configuration

Go to "Settings" -> "Network & Internet" -> "VPN".

Click "Add a VPN connection".

Go to "Control Panel" -> "Network and Internet" -> "Network and Sharing Center" -> "Change adapter settings" and open the properties of our connection.

On the "Security" tab, set the VPN type to "Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)", select "Require encryption", and allow the PAP (for authentication through AD) and/or MS-CHAP v2 (for local authentication) authentication protocols.

In the "Advanced Properties" window, opened with the "Advanced settings" button, enter the pre-shared key.

On the "Networking" tab, disable IPv6, open the IPv4 properties and click "Advanced". On the "IP Settings" tab, uncheck "Use default gateway on remote network" so that the client reaches the Internet bypassing our VPN. Accordingly, if the organisation has an information-security policy to that effect, do not do this, but then NAT/proxy will have to be set up for the client. If we do let traffic bypass the tunnel, we also need to uncheck "Disable class based route addition"; otherwise a route sending the whole of 10.0.0.0/8 into the VPN is added to the routing table, which can cause access problems over mobile operators' networks that use the 10.0.0.0/8 range.

That is all; click "Connect".

If something goes wrong, enable debugging on the ASA and read the output carefully.

As a result we have a VPN connection without third-party software such as the Cisco VPN Client (obsolete, installs a driver) or Cisco AnyConnect (installs a driver).

P.S.: It also works with the native Android client.

L2TP/IPsec on a Cisco ASA 5510 for connecting Windows clients with AD authentication: 3 comments

Good article. Detailed!

Hi, it gives an error (CISCO ASA 5505)
crypto ikev1 enable outside ERROR INVALID INPUT DETECTED at MARKER
It complains about ikev2

Hi.
What does the marker point at? Is this when entering the command in global configuration mode?

Cisco asa ikev2 remote access

The Cisco AnyConnect Secure Mobility Solution provides a comprehensive, highly secure enterprise mobility solution. The Cisco AnyConnect Secure Mobility Solution continues to lead with next-generation security and encryption, including support for the Suite B set of cryptographic algorithms and support for IPv6 networks. More importantly, it adapts its tunneling protocol to the most efficient method. The AnyConnect client can be used to connect both to SSL VPN and to IKEv2 IPsec VPN. In this document we will see how to configure only IKEv2 IPsec VPN.

! Generate RSA keys, which will be used in configuring the trustpoint for obtaining a certificate.

crypto key generate rsa label VPNKeyPair modulus 1024 noconfirm


! Configure a trustpoint and enroll for Self-Signed-Certificate.

crypto ca trustpoint LocalTrust
enrollment self
fqdn ravpn.pacificgroup.co.in
subject-name CN=ravpn.pacificgroup.co.in
keypair VPNKeyPair
crypto ca enroll LocalTrust noconfirm


! Create a local IP pool for assigning IP addresses to the clients.

ip local pool RA_VPN_POOL 10.10.20.1-10.10.20.255 mask 255.255.255.0


! copy Anyconnect client package to flash

copy tftp://192.168.100.10/anyconnect-win-3.1.04059-k9.pkg flash:

! copy the client profile xml file to flash

copy tftp://192.168.100.10/IKEv2_ANYCONNECT_VPN_client_profile.xml disk0:

NOTE: The AnyConnect client protocol defaults to SSL. To enable IPsec IKEv2, you must configure the IKEv2 settings on the ASA and also configure IKEv2 as the primary protocol in the client profile. The IKEv2-enabled profile must be deployed to the endpoint computer, otherwise the client attempts to connect using SSL.

! Refer to the below client profile template, which is reusable after editing the HostName and HostAddress.

! Global webvpn configuration

webvpn
anyconnect profiles IKEv2_ANYCONNECT_VPN_client_profile disk0:/IKEv2_ANYCONNECT_VPN_client_profile.xml

! Local user creation

username prashant password 123456

! Group Policy configuration

group-policy GroupPolicy_IKEv2_ANYCONNECT_VPN internal
group-policy GroupPolicy_IKEv2_ANYCONNECT_VPN attributes
vpn-tunnel-protocol ikev2
webvpn
anyconnect profiles value IKEv2_ANYCONNECT_VPN_client_profile type user
group-policy GroupPolicy_IKEv2_ANYCONNECT_VPN attributes
dns-server value 192.168.100.10

! Tunnel group configuration

tunnel-group IKEv2_ANYCONNECT_VPN type remote-access
tunnel-group IKEv2_ANYCONNECT_VPN general-attributes
default-group-policy GroupPolicy_IKEv2_ANYCONNECT_VPN
address-pool RA_VPN_POOL
tunnel-group IKEv2_ANYCONNECT_VPN webvpn-attributes
group-alias IKEv2_ANYCONNECT_VPN enable

! ISAKMP policy configuration.

crypto ikev2 policy 40
group 2 5
encryption aes

! Enable IKEv2 on outside interface
! Associate a trustpoint with the IKEv2
! Configure IPSec parameters

crypto ikev2 enable OUTSIDE
crypto ikev2 remote-access trustpoint LocalTrust
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption AES
protocol esp integrity sha-1


! configure dynamic-map and associate it with a crypto-map
! apply the crypto map to the outside interface

crypto dynamic-map IKEv2_RA_VPN_CRYPTO_MAP 1000 set ikev2 ipsec-proposal AES
crypto map OUTSIDE_map 500 ipsec-isakmp dynamic IKEv2_RA_VPN_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
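
Both remote-access configurations above carry settings a reviewer would want flagged before they reach production: the L2TP/IPsec one uses IKEv1 with 3DES, SHA-1 and DH group 2, a PAP PPP phase and split tunnelling; the AnyConnect one generates a 1024-bit RSA key, offers DH groups 2 and 5 and creates a local user with a six-character password. The following is an added example, not Cisco's code and not part of either article: a small Python linter that walks an ASA config and reports those settings, tracking the enclosing sub-mode so that, for instance, `group 2` is flagged only inside an IKE policy. The sample config is constructed from the commands above with the secrets replaced by placeholders, and the rule names and severities are my own.

```python
"""Lint an ASA configuration for legacy crypto and weak remote-access settings.
Example code written for this page, not Cisco's; the rules are plain regexes over the
command forms shown above and are not a complete audit."""
import re
from dataclasses import dataclass

# Constructed sample stitched from the L2TP/IPsec and AnyConnect IKEv2 configs above,
# with the secrets replaced by obvious placeholders.
SAMPLE_CONFIG = """\
crypto key generate rsa label VPNKeyPair modulus 1024 noconfirm
crypto ikev1 enable outside
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
group-policy l2tp_ra_gp attributes
split-tunnel-policy tunnelspecified
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key CHANGEME
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
username prashant password 123456
crypto ikev2 policy 40
group 2 5
encryption aes
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption AES
protocol esp integrity sha-1
"""

# Commands that open a sub-mode; the lines after them are read in that context.
MODE_PREFIXES = ("crypto ikev1 policy", "crypto ikev2 policy", "crypto ipsec", "crypto ca trustpoint",
                 "group-policy", "tunnel-group", "object network", "webvpn")

# (rule, severity, pattern searched in the line, pattern the enclosing context must match or None)
RULES = [
    ("rsa-weak-modulus", "high", r"^crypto key generate rsa\b.*\bmodulus (512|768|1024)\b", None),
    ("ikev1-enabled", "medium", r"^crypto ikev1 enable\b", None),
    ("des", "high", r"\bdes\b", r"^crypto (ikev[12] policy|ipsec)"),
    ("3des", "high", r"\b3des\b", r"^crypto (ikev[12] policy|ipsec)"),
    ("sha1-integrity", "low", r"^(hash|prf|integrity) sha$|esp-sha-hmac|integrity sha-1$",
     r"^crypto (ikev[12] policy|ipsec)"),
    # DH groups 1, 2 and 5 (768/1024/1536-bit MODP) are below the 2048-bit floor; 'group 2 5' lists several.
    ("weak-dh-group", "high", r"^group(?:\s+\d+)*\s+(?:1|2|5)(?:\s|$)", r"^crypto ikev[12] policy"),
    ("pap-auth", "low", r"^authentication pap$", r"ppp-attributes$"),
    ("split-tunnel", "medium", r"^split-tunnel-policy tunnelspecified$", r"^group-policy"),
    # Only catches a cleartext password typed into the config; hashed 'password ... encrypted' lines are longer.
    ("weak-local-password", "high", r"^username \S+ password \S{1,11}$", None),
    ("short-psk", "medium", r"pre-shared-key \S{1,15}$", r"^tunnel-group"),
]


@dataclass
class Finding:
    lineno: int
    rule: str
    severity: str
    text: str


def lint_asa_config(config: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit; context is the last sub-mode-opening command seen."""
    findings, context = [], ""
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(MODE_PREFIXES):
            context = line
        for rule, severity, pattern, ctx in RULES:
            if re.search(pattern, line) and (ctx is None or re.search(ctx, context)):
                findings.append(Finding(lineno, rule, severity, line))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Histogram of findings by severity, handy for a pass/fail threshold in CI."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    hits = lint_asa_config(SAMPLE_CONFIG)
    for f in hits:
        print(f"{f.severity:6} {f.rule:20} line {f.lineno}: {f.text}")
    print(severity_counts(hits))
```

Run it against `show running-config` output saved to a file; a config that uses only IKEv2 with AES, SHA-256 and DH groups of 2048 bits or more produces no findings, which is the bar the site-to-site articles further down are reaching for.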

Configuring site-to-site IPSEC VPN on ASA using IKEv2

The scenario of configuring site-to-site VPN between two Cisco Adaptive Security Appliances is often used by companies that have more than one geographical location sharing the same resources, documents, servers, etc. The Cisco ASA is often used as VPN terminator, supporting a variety of VPN types and protocols.

In this tutorial, we are going to configure a site-to-site VPN using IKEv2. IKEv2 is the new standard for configuring IPSEC VPNs. Although the legacy IKEv1 is widely used in real world networks, it’s good to know how to configure IKEv2 as well since this is usually required in high-security VPN networks (for compliance purposes).

As described in the topology scenario below, a VPN tunnel will be created between ASA1 and ASA2, connecting the two company sites, HQ and Branch1.

Behind each security appliance there is a private LAN network. After configuring the VPN tunnel, the private LAN networks in HQ and Branch1 (two geographically dispersed locations) will be able to communicate over the internet and share resources.

We will refer to the diagram below for this configuration tutorial.

We will start by configuring IP addressing. On ASA1 and ASA2, we will configure the inside interfaces as connected to LAN and the outside interfaces facing the VPN tunnel. In real world networks, the outside interfaces will be on a different subnet and use public IP addressing. Here we will use 10.10.10.0/24 for the outside network just for making things easier.

ASA1

ASA1(config)# interface GigabitEthernet0
ASA1(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
ASA1(config-if)# ip address 192.168.1.2 255.255.255.0
ASA1(config-if)# no shutdown

ASA1(config-if)# interface GigabitEthernet1
ASA1(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
ASA1(config-if)# ip address 10.10.10.1 255.255.255.0
ASA1(config-if)# no shutdown

ASA1# show interfaces ip brief

Interface IP-Address OK? Method Status Protocol
GigabitEthernet0 192.168.1.2 YES manual up up
GigabitEthernet1 10.10.10.1 YES manual up up

ASA2

ASA2(config)# interface GigabitEthernet0
ASA2(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
ASA2(config-if)# ip address 192.168.2.2 255.255.255.0
ASA2(config-if)# no shutdown

ASA2(config-if)# interface GigabitEthernet1
ASA2(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
ASA2(config-if)# ip address 10.10.10.2 255.255.255.0
ASA2(config-if)# no shutdown

ASA2# show interfaces ip brief

Interface IP-Address OK? Method Status Protocol
GigabitEthernet0 192.168.2.2 YES manual up up
GigabitEthernet1 10.10.10.2 YES manual up up

Next, we will configure the ISAKMP policies with IKEv2. We will first use the crypto ikev2 policy command to enter IKEv2 policy configuration mode, where we will configure the IKEv2 parameters.

In this scenario, we used 3DES encryption with Diffie-Hellman group 2, hash function SHA-1 and an encryption key lifetime of 43200 seconds (12 hours).

ASA1

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# group 2
ASA1(config-ikev2-policy)# encryption 3des
ASA1(config-ikev2-policy)# prf sha
ASA1(config-ikev2-policy)# lifetime seconds 43200

Finally, after the parameters have been set, we will enable IKEv2 on the outside interface.

ASA1(config-ikev2-policy)# crypto ikev2 enable outside

ASA2

ASA2(config)# crypto ikev2 policy 1
ASA2(config-ikev2-policy)# group 2
ASA2(config-ikev2-policy)# encryption 3des
ASA2(config-ikev2-policy)# prf sha
ASA2(config-ikev2-policy)# lifetime seconds 43200
ASA2(config-ikev2-policy)# crypto ikev2 enable outside

Next, we will configure the IKEv2 proposal. As opposed to IKEv1, where we configured a transform set that combines one encryption and one authentication method, with IKEv2 we can configure multiple encryption types and multiple integrity algorithms in a single proposal.

For this scenario, we will first enter ipsec proposal configuration mode and there set the parameters.

ASA1

ASA1(config)# crypto ipsec ikev2 ipsec-proposal P1
ASA1(config-ipsec-proposal)# protocol esp encryption 3des aes des
ASA1(config-ipsec-proposal)# protocol esp integrity sha-1

ASA2

The same configuration is applied to ASA2.

ASA2(config)# crypto ipsec ikev2 ipsec-proposal P1
ASA2(config-ipsec-proposal)# protocol esp encryption 3des aes des
ASA2(config-ipsec-proposal)# protocol esp integrity sha-1

Next we need to identify the VPN interesting traffic with an access list.

ASA1(config)# access-list ACL1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

The mirror ACL should be configured on ASA2.

ASA2(config)# access-list ACL2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

The next step is to define a tunnel group. There are two default tunnel groups in the ASA: DefaultRAGroup is the default IPsec remote-access tunnel group and DefaultL2Lgroup is the default IPsec LAN-to-LAN tunnel group.

To establish a LAN-to-LAN connection, two attributes must be set:

– Connection type – IPsec LAN-to-LAN.

– Authentication method – in this scenario we will use a preshared key for IKEv2.

The name of the tunnel group is the IP address of the peer. The IKEv2 preshared key is configured as 32fjsk0392fg.

NOTE: With IKEv2 you can have asymmetric pre-shared keys: you can configure a different local and a different remote pre-shared key. If you want a configuration similar to the legacy IKEv1 technology, you need to have the same local and remote pre-shared keys (as we do in our example below).

ASA1

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg

ASA2

ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg

Finally, we will create a crypto map linking the access list, the peer and the IKEv2 proposal. We will apply this crypto map to the ASA outside interface.

ASA1

ASA1(config)# crypto map cmap 1 match address ACL1
ASA1(config)# crypto map cmap 1 set peer 10.10.10.2
ASA1(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA1(config)# crypto map cmap interface outside

ASA2

Similar configuration will be applied to ASA2:

ASA2(config)# crypto map cmap 1 match address ACL2
ASA2(config)# crypto map cmap 1 set peer 10.10.10.1
ASA2(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA2(config)# crypto map cmap interface outside

The above concludes the actual IPsec LAN-to-LAN configuration. In real-world scenarios, the two ASA devices would be connected to the Internet, and access from internal users towards the Internet must be provided as well (in addition to the LAN-to-LAN traffic).

This requirement (i.e. Internet access for users in each site) necessitates the configuration of NAT rules in order to translate the internal private IP addresses to a public IP. Let's configure this new requirement below:

Internet Access and NAT Exclusion for VPN traffic

IPsec VPN traffic does not work with NAT: if the LAN-to-LAN packets are translated before they reach the crypto map, they no longer match the crypto ACL and are not encrypted. You must not perform NAT on VPN packets. Therefore, in addition to configuring Internet access (using NAT overload in our example here), we must also configure a NAT exemption for the VPN traffic:

1) Configure NAT Overload (PAT) for Internet Access

ASA1

object network HQ
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface

object network Branch1
subnet 192.168.2.0 255.255.255.0

ASA2

object network Branch1
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic interface

object network HQ
subnet 192.168.1.0 255.255.255.0

2) Configure NAT Exclusion for VPN Traffic

ASA1

nat (inside,outside) source static HQ HQ destination static Branch1 Branch1 no-proxy-arp route-lookup

ASA2

nat (inside,outside) source static Branch1 Branch1 destination static HQ HQ no-proxy-arp route-lookup
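
Most LAN-to-LAN tunnels that refuse to come up fail because one side is not a faithful mirror of the other: IKEv2 not enabled on the interface the crypto map is bound to, a crypto-map peer or tunnel-group name that is not the other side's outside address, pre-shared keys that do not line up, a crypto ACL without its mirror, or the NAT exemption missing so the interesting traffic is translated before it reaches the crypto map. The script below, an added example and not code from Cisco or from this tutorial, parses both sides' configs and cross-checks them. `sample_config` builds the two sample configs from the ASA1/ASA2 commands above with a placeholder PSK; the parser understands only the command forms used on this page.

```python
"""Cross-check two ASA LAN-to-LAN IKEv2 configs for the asymmetries that keep a tunnel down.
Example code written for this page, not Cisco's; only the command forms used above are parsed."""
import re


def sample_config(my_ip, peer_ip, acl, my_obj, my_net, peer_obj, peer_net, psk="PSK_PLACEHOLDER"):
    """Constructed sample in the shape of the ASA1/ASA2 commands above (the PSK is a placeholder)."""
    return f"""interface GigabitEthernet1
nameif outside
ip address {my_ip} 255.255.255.0
crypto ikev2 enable outside
access-list {acl} extended permit ip {my_net} 255.255.255.0 {peer_net} 255.255.255.0
tunnel-group {peer_ip} type ipsec-l2l
tunnel-group {peer_ip} ipsec-attributes
ikev2 local-authentication pre-shared-key {psk}
ikev2 remote-authentication pre-shared-key {psk}
crypto map cmap 1 match address {acl}
crypto map cmap 1 set peer {peer_ip}
crypto map cmap 1 set ikev2 ipsec-proposal P1
crypto map cmap interface outside
object network {my_obj}
subnet {my_net} 255.255.255.0
object network {peer_obj}
subnet {peer_net} 255.255.255.0
nat (inside,outside) source static {my_obj} {my_obj} destination static {peer_obj} {peer_obj} no-proxy-arp route-lookup
"""


ASA1 = sample_config("10.10.10.1", "10.10.10.2", "ACL1", "HQ", "192.168.1.0", "Branch1", "192.168.2.0")
ASA2 = sample_config("10.10.10.2", "10.10.10.1", "ACL2", "Branch1", "192.168.2.0", "HQ", "192.168.1.0")


def parse_asa(config: str) -> dict:
    """Pull out the pieces of the config that a LAN-to-LAN tunnel depends on."""
    cfg = {"ifaces": {}, "ikev2": set(), "acls": {}, "tgs": {},
           "cmap": {"interface": None, "entries": {}}, "objects": {}, "nat_exempt": []}
    cur_if, cur_tg, cur_obj = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"interface \S+$", line):
            cur_if = {}
        elif m := re.match(r"nameif (\S+)$", line):
            cur_if["name"] = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+$", line):
            cur_if["ip"] = m.group(1)
        elif m := re.match(r"crypto ikev2 enable (\S+)$", line):
            cfg["ikev2"].add(m.group(1))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := re.match(r"tunnel-group (\S+) type (\S+)$", line):
            cfg["tgs"].setdefault(m.group(1), {})["type"] = m.group(2)
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            cur_tg = cfg["tgs"].setdefault(m.group(1), {})
        elif m := re.match(r"ikev2 (local|remote)-authentication pre-shared-key (\S+)$", line):
            cur_tg[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map \S+ (\d+) (match address|set peer|set ikev2 ipsec-proposal) (\S+)$", line):
            cfg["cmap"]["entries"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := re.match(r"crypto map \S+ interface (\S+)$", line):
            cfg["cmap"]["interface"] = m.group(1)
        elif m := re.match(r"object network (\S+)$", line):
            cur_obj = m.group(1)
        elif m := re.match(r"subnet (\S+) (\S+)$", line):
            cfg["objects"][cur_obj] = (m.group(1), m.group(2))
        elif m := re.match(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", line):
            if m.group(1) == m.group(2) and m.group(3) == m.group(4):  # identity NAT = exemption
                cfg["nat_exempt"].append((m.group(1), m.group(3)))
        if "name" in cur_if and "ip" in cur_if:
            cfg["ifaces"][cur_if["name"]] = cur_if["ip"]
    return cfg


def check_side(local: dict, remote: dict, label: str) -> list[str]:
    """Problems visible from one side, given the other side's parsed config."""
    problems = []
    iface = local["cmap"]["interface"]
    my_ip = local["ifaces"].get(iface)
    peer_ip = remote["ifaces"].get(remote["cmap"]["interface"])
    if iface not in local["ikev2"]:
        problems.append(f"{label}: 'crypto ikev2 enable {iface}' is missing")
    remote_aces = {ace for aces in remote["acls"].values() for ace in aces}
    for seq, entry in local["cmap"]["entries"].items():
        peer = entry.get("set peer")
        if peer != peer_ip:
            problems.append(f"{label}: crypto map {seq} peer {peer} is not the remote outside address {peer_ip}")
        tg = local["tgs"].get(peer, {})
        if tg.get("type") != "ipsec-l2l":
            problems.append(f"{label}: no 'tunnel-group {peer} type ipsec-l2l'")
        if not tg.get("local") or tg.get("local") != remote["tgs"].get(my_ip, {}).get("remote"):
            problems.append(f"{label}: local PSK differs from the peer's remote-authentication PSK")
        for src, sm, dst, dm in local["acls"].get(entry.get("match address"), []):
            if (dst, dm, src, sm) not in remote_aces:  # the peer must permit the reversed flow
                problems.append(f"{label}: ACE {src}/{sm} -> {dst}/{dm} has no mirror ACE on the peer")
            if not any(local["objects"].get(s) == (src, sm) and local["objects"].get(d) == (dst, dm)
                       for s, d in local["nat_exempt"]):
                problems.append(f"{label}: no identity NAT exempting {src}/{sm} -> {dst}/{dm}")
    return problems


def check_pair(cfg_a: str, cfg_b: str) -> list[str]:
    """Empty list means the two sides are consistent mirror images of each other."""
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    return check_side(a, b, "ASA1") + check_side(b, a, "ASA2")


if __name__ == "__main__":
    print(check_pair(ASA1, ASA2))  # the page's configuration: no problems
    broken = ASA2.replace("crypto ikev2 enable outside\n", "").replace(
        "remote-authentication pre-shared-key PSK_PLACEHOLDER", "remote-authentication pre-shared-key WRONG_KEY")
    for problem in check_pair(ASA1, broken):
        print(problem)
```

The `broken` variant in the `__main__` block drops `crypto ikev2 enable outside` on ASA2 and mistypes its remote key, the two errors the next article's "show run crypto" check and the asymmetric-PSK note are about; the script reports exactly those two and nothing else.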

Cisco ASA Site To Site VPN IKEv2 “Using CLI”

KB ID 0001429

Problem

You want a secure IPsec VPN between two sites using IKEv2.

Note: If the device you are connecting to does not support IKEv2 (i.e. it's not a Cisco ASA, or it's running code older than 8.4), then you need to go to the older version of this article.

Solution

Before you start, you need to ask yourself "Do I already have any IPsec VPNs configured on this firewall?" Because if it has not already been done, you need to enable ISAKMP/IKEv2 on the outside interface. To ascertain whether yours is on or off, issue a "show run crypto" command and check the results; if you do NOT see "crypto ikev2 enable outside", then you need to issue that command.

1. I'm going to create access control lists next, one to tell the ASA what is "interesting traffic", that is, traffic that it needs to encrypt.

So below I'm saying "Don't NAT traffic from the network behind the ASA (10.254.254.0) that's going to the network behind the VPN device at the other end of the tunnel (172.16.254.0)".

2. Now I’m going to create a “Tunnel Group” to tell the firewall it’s a site to site VPN tunnel “l2l”, and create a shared secret that will need to be entered at the OTHER end of the site to site VPN Tunnel. I also set a keep alive value.

Note: Ensure the Tunnel Group Name is the IP address of the firewall/device that the other end of the VPN Tunnel is terminating on.

3. Now we need to create a policy that will set up how "Phase 1" of the VPN tunnel will be established. It sets the encryption type (AES-256), the hashing/integrity algorithm (SHA-256), the Diffie-Hellman group, and the PRF (pseudo-random function). Finally it sets the timeout before Phase 1 needs to be re-established. It sets the timeout value to 86400 seconds (that's 1440 minutes, or 24 hours if you're still confused 🙂).

4. We stated above that we are going to use AES-256 and SHA-256 for Phase 1, so let's use the same for the IPsec proposal (Phase 2), the "transform set".

5. Finally we need to create a "crypto map"; this is the "thing" that fires up the tunnel when the INTERESTING TRAFFIC ACL is matched. It also defines the transform set for "Phase 2" of the VPN tunnel, which will also use 3DES and SHA and PFS. And last of all we apply that crypto map to the outside interface.

6. Don't forget to save your hard work with a "write mem" command.

7. Simply configure the other end as a "mirror image" of this one.

ASA 5500 Site to Site IKEv2 VPN Copy and Paste Config

Note: This uses AES-256 and SHA-256. It also assumes your outside interface is called "outside". Check! I've seen them called Outside (capital O), wan, and WAN.

Simply change the values in red, where:

  • 10.0.0.0 255.255.255.0 is the network behind the ASA you are working on.
  • 10.0.3.0 255.255.255.0 is the destination network behind the device you are connecting to.
  • 2.2.2.2 is the peer IP address of the device you are attempting to connect to.
  • 1234567 Is the shared secret you will use at both ends.
