AAA and 802
8/16/2019 AAA and 802
http://slidepdf.com/reader/full/aaa-and-802 1/26
AAA and 802.1X Authentication
When it comes to securing the network, AAA and 802.1X authentication are two powerful tools we can use. Let me show you an example of why you might want this for your switches:

Network users might bring their own wireless router from home and connect it to the switch so they can share wireless internet with all their colleagues. An access point like this is called a rogue access point and this is something you DON'T want to see on your network. It's hard to detect because on the switch you'll only see one MAC address. The router is doing NAT so you will only see one IP address. Port security limits how many MAC addresses a port may learn, and a NAT router presents exactly one, so this is something you can't prevent with port security.
One way of dealing with issues like this is to use AAA. AAA stands for Authentication, Authorization and Accounting:
• Authentication: Verify the identity of the user, who are you?
• Authorization: What is the user allowed to do? what resources can he/she access?
• Accounting: Used for billing and auditing.
The idea behind AAA is that a user has to authenticate before getting access to the network. The fa0/1 interface on SwitchA will be blocked and you won't even get an IP address. The only thing the user is allowed to do is send his or her credentials, which the switch forwards to the AAA server. If the credentials are OK the port will be unblocked and you will be granted access to the network.
802.1X is the mechanism that blocks or unblocks the interface; the standard calls this port-based network access control. In the picture above an unknown user plugged a cable into the switch. All traffic is dropped with the exception of EAPoL (Extensible Authentication Protocol over LAN, EtherType 0x888E). EAP is what we use to exchange authentication information. Once the user has authenticated and everything is OK, he or she is granted access to the network.
In the picture above you see the terminology that 802.1X uses. The user device is called the supplicant; it "supplies" authentication information. The switch is called the authenticator because it accepts the authentication information and passes it along to the authentication server. User information is stored on the authentication server.

There are two types of authentication servers:
• RADIUS
• TACACS+
The most common authentication server is RADIUS (Remote Authentication Dial In User Service). It's a protocol that has been standardized by the IETF. TACACS+ (Terminal Access Controller Access-Control System) does a similar job but it's Cisco proprietary. For 802.1X specifically the switch relays the EAP messages inside RADIUS, so the authentication server has to be a RADIUS server; TACACS+ is mostly used for administrative access to the network devices themselves.
There are many different RADIUS servers you can use, for example:
• Cisco ACS (Cisco’s RADIUS and TACACS+ server software)
• Microsoft IAS (you can install it on Windows server 2003 or 2008).
• Freeradius (very powerful and free)
• Integrated in network devices (Cisco’s Wireless LAN controller have RADIUS server
software for example).
You now have an idea what the components are in an AAA/802.1X authentication setup. In the next lesson I will give you a configuration example of how to implement this on a Cisco Catalyst switch.
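The port-based control described above, as an added example that is not part of the original lesson: a small Python model of an authenticator port that parses EAPOL/EAP headers and drops every non-EAPOL frame until the server's EAP-Success arrives. The supplicant MAC, the identity "alice" and the frames are constructed for the demo; EtherType 0x888E, the PAE group address 01:80:C2:00:00:03, the EAPOL packet types and the EAP codes are the real values from IEEE 802.1X and RFC 3748. The RADIUS leg is not modelled; the switch simply reports that it would relay the response.

```python
# Added example (not part of the original lesson): a minimal model of an
# 802.1X authenticator port. It parses EAPOL/EAP headers with the stdlib and
# shows port-based control: everything except EAPOL is dropped until the AAA
# server's EAP-Success arrives. MAC addresses and the identity are constructed;
# EtherType 0x888E, the EAPOL packet types, the PAE group address and the EAP
# codes are the real values from IEEE 802.1X and RFC 3748.
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_IPV4 = 0x0800
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")      # where EAPOL frames are sent
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eapol(packet_type, body=b""):
    """EAPOL header: protocol version (2), packet type, body length."""
    return struct.pack("!BBH", 2, packet_type, len(body)) + body


def build_eap(code, identifier, data=b""):
    """EAP header: code, identifier, length (including the 4-byte header)."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def build_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


class AuthenticatorPort:
    """A switch port that is unauthorized until the AAA server says otherwise."""

    def __init__(self):
        self.authorized = False

    def receive(self, frame):
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETHERTYPE_EAPOL:
            # Port-based control: no IP, ARP or DHCP passes an unauthorized port.
            return "forward" if self.authorized else "drop"
        _version, ptype, length = struct.unpack("!BBH", frame[14:18])
        body = frame[18:18 + length]
        if ptype == EAPOL_START:
            return "eap-request-identity"      # switch answers with EAP-Request/Identity
        if ptype == EAPOL_LOGOFF:
            self.authorized = False
            return "unauthorized"
        if ptype == EAPOL_EAP_PACKET and body[0] == EAP_RESPONSE:
            # The switch never checks credentials itself: it relays the EAP
            # response inside a RADIUS Access-Request (not modelled here).
            return "relay-to-radius"
        return "ignored"

    def server_decision(self, eap_packet):
        """EAP-Success/Failure coming back from the server flips the port state."""
        self.authorized = eap_packet[0] == EAP_SUCCESS
        return self.authorized


def demo():
    """Run one supplicant through the port; returns the verdict for each frame."""
    supplicant = bytes.fromhex("00175aed7af0")    # constructed supplicant MAC
    broadcast = b"\xff" * 6
    ip_frame = build_frame(broadcast, supplicant, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    port = AuthenticatorPort()
    verdicts = [port.receive(ip_frame)]           # e.g. a DHCP Discover: dropped
    verdicts.append(port.receive(build_frame(
        PAE_GROUP_MAC, supplicant, ETHERTYPE_EAPOL, build_eapol(EAPOL_START))))
    identity = build_eap(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + b"alice")
    verdicts.append(port.receive(build_frame(
        PAE_GROUP_MAC, supplicant, ETHERTYPE_EAPOL, build_eapol(EAPOL_EAP_PACKET, identity))))
    port.server_decision(build_eap(EAP_SUCCESS, 1))   # RADIUS Access-Accept carried EAP-Success
    verdicts.append(port.receive(ip_frame))            # same frame, now forwarded
    verdicts.append(port.receive(build_frame(
        PAE_GROUP_MAC, supplicant, ETHERTYPE_EAPOL, build_eapol(EAPOL_LOGOFF))))
    verdicts.append(port.receive(ip_frame))            # back to unauthorized
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The sequence demo() walks through is exactly the one the lesson describes: the first IP frame is dropped, EAPOL-Start and the identity response are the only things the port will talk about, and the same IP frame is forwarded once the server has answered. A real switch also ages the session out and re-authenticates periodically; a supplicant that unplugs without EAPOL-Logoff is why link-down handling matters on the authenticator.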
Cisco CBAC Configuration Example
CBAC (Context Based Access Control) is a firewall feature for Cisco IOS routers that offers more than a simple access-list. CBAC is able to inspect up to layer 7 of the OSI model and can dynamically create rules to allow return traffic. It is similar to the reflexive access-list, but one of the key differences is that the reflexive ACL only inspects up to layer 4.

In this tutorial I'll give you an example of CBAC and you'll see why this firewall feature is very useful. I'll be using three routers for this:

In the example above we have three routers. Imagine the router on the left side (R1) is some device on the Internet while R3 is a host on our LAN. R2 will be the router that is protecting us from traffic on the Internet; this is where we configure CBAC. Let's start with the basic configuration: setting up IP addresses and some static routes for connectivity:
R1(config)#interface fastethernet 0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.12.1 255.255.255.0

R2(config)#interface fastethernet 0/0
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#interface fastethernet 0/1
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.23.2 255.255.255.0

R3(config)#interface fastethernet 0/0
R3(config-if)#no shutdown
R3(config-if)#ip address 192.168.23.3 255.255.255.0
And two static routes so R1 and R3 can reach each other:
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2
Our idea is to protect our LAN from all the evil stuff on the Internet; in order to do so we'll create an access-list that drops everything from the Internet. The access-list looks like this:
R2(config)#ip access-list extended DENY_ALL_FROM_INTERNET
R2(config-ext-nacl)#deny ip any any log
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group DENY_ALL_FROM_INTERNET in
This access-list is very effective: it will drop everything from the Internet! I added the "deny ip any any log" so you can see dropped packets on the console. You don't have to add it because everything is dropped by default (every ACL ends with an implicit deny), but it helps to show dropped packets. There's one problem with this ACL however; let's see what happens when I send a ping from R3 to R1:
R3#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
These pings are failing, and this is what you see on the console of R2:

R2#
%SEC-6-IPACCESSLOGDP: list DENY_ALL_FROM_INTERNET denied icmp 192.168.12.1 -> 192.168.23.3 (0/0), 1 packet

Note the direction in the log message: the echo requests from R3 leave R2 without trouble, it is the echo replies coming back from R1 that are dropped by the inbound ACL on R2, as illustrated below:
If we wanted to solve this problem with the ACL alone we would have to add a permit statement for the return traffic so the ping makes it through. That's not a scalable solution since we don't know what kind of traffic we have on our LAN and we don't want a big access-list with hundreds of permit statements.

What we are going to do is configure CBAC so it inspects the outgoing traffic and automatically allows the return traffic through. I'll give you an example of how you can do this for HTTP traffic:
R2(config)#ip inspect name FIREWALL http
Our inspect rule is called "FIREWALL" and we tell CBAC to inspect HTTP traffic. We need to apply this inspect rule to an interface:

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip inspect FIREWALL out

In my example I'm applying it outbound on R2 towards R1. Let's enable the HTTP server on R1 so we have something to connect to:
R1(config)#ip http server
Let's connect from R3 to R1:

R3#telnet 192.168.12.1 80
Trying 192.168.12.1, 80 ... Open

It says open, which means that R3 was able to connect to R1. Let's see what CBAC thinks about this:

R2#show ip inspect sessions
Established Sessions
 Session 6702F3E0 (192.168.23.3:36456)=>(192.168.12.1:80) http SIS_OPEN

You can see that CBAC inspected our HTTP traffic and is permitting the return traffic through the access-list. If you want you can take a detailed look at the inspection rules:
R2#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name FIREWALL
    http alert is on audit-trail is off timeout 3600
Interface Configuration
 Interface FastEthernet0/0
  Inbound inspection rule is not set
  Outgoing inspection rule is FIREWALL
    http alert is on audit-trail is off timeout 3600
  Inbound access list is DENY_ALL_FROM_INTERNET
  Outgoing access list is not set
Established Sessions
 Session 6702F3E0 (192.168.23.3:36456)=>(192.168.12.1:80) http SIS_OPEN
Right now we are only allowing HTTP return traffic through the access-list. If you want a less restrictive firewall you can also inspect entire protocols like TCP or UDP. A good example would be something like this:

R2(config)#ip inspect name FIREWALL tcp
R2(config)#ip inspect name FIREWALL udp
R2(config)#ip inspect name FIREWALL icmp

This tells CBAC to inspect TCP, UDP and ICMP traffic. This ensures that 90% of your traffic from the LAN will be able to reach hosts on the Internet and make it back through your access-list.
Last but not least, the examples above only apply to traffic that is flowing through your router. They don't apply to locally generated traffic from the router itself. Let me show you what I mean by sending a ping from R2 to R1:

R2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

These pings are not making it through the access-list... you'll see this on the console of R2:

%SEC-6-IPACCESSLOGDP: list DENY_ALL_FROM_INTERNET denied icmp 192.168.12.1 -> 192.168.12.2 (0/0), 1 packet

The problem is that when R2 sends a ping, it is locally generated and not flowing through the router, so CBAC never creates a session for it and the reply hits the deny-all ACL. In order to fix this you'll need to add some additional inspect rules with the router-traffic keyword:
R2(config)#ip inspect name FIREWALL tcp router-traffic
R2(config)#ip inspect name FIREWALL udp router-traffic
R2(config)#ip inspect name FIREWALL icmp router-traffic
Let's try that ping again!

R2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Now it's working... great! You now know what CBAC is about and how to configure it. Don't forget that if you still want to connect to your CBAC-enabled router from the Internet using telnet, SSH, ICMP or anything else, then you need to add some permit statements: unsolicited inbound connections never match an inspection session. Here's an example for SSH:

R2(config)#ip access-list extended DENY_ALL_FROM_INTERNET
R2(config-ext-nacl)#1 permit tcp any any eq 22

The sequence number 1 puts the permit in front of the deny statement, where it has to be. In practice, restrict the source to the management addresses you actually use instead of "any"; "permit tcp any any eq 22" exposes the router's SSH service to the whole Internet.

That's all we have for now. I hope this has been a useful example for you to understand and configure CBAC. If you have any questions, feel free to leave a comment!
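The behaviour walked through in this lesson (inspection on the outbound side, a deny-all ACL on the inbound side, the return traffic matched to a session, the router-traffic keyword and the need for an explicit permit for unsolicited SSH), as an added Python model that is not code from the lesson or from Cisco IOS. Addresses are the lesson's; the packets, the session table and the verdict strings are constructed here, and the model keeps only the parts that matter for the ordering of the checks: a dynamic session entry is consulted before the static ACL, and locally generated traffic is only inspected when a router-traffic rule exists.

```python
# Added example, not code from the lesson: a small model of what CBAC does on R2.
# The Internet-facing interface has an inbound deny-all ACL and an outbound
# inspect rule; CBAC records inspected outbound sessions and lets the matching
# return traffic through, ahead of the static ACL. Addresses come from the
# lesson; the packets and the session-table logic are constructed here.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0           # 0 for icmp
    dport: int = 0
    direction: str = "out"   # "out": LAN -> Internet, "in": Internet -> LAN
    local: bool = False      # generated by R2 itself rather than forwarded

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Cbac:
    inspected: set = field(default_factory=set)       # "ip inspect name FIREWALL <proto>"
    router_traffic: set = field(default_factory=set)  # same, with the router-traffic keyword
    acl_permits: set = field(default_factory=set)     # explicit (proto, dport) permits in the ACL
    sessions: dict = field(default_factory=dict)      # what "show ip inspect sessions" lists

    def _inspects(self, pkt):
        rules = self.router_traffic if pkt.local else self.inspected
        if pkt.proto == "tcp" and pkt.dport == 80 and "http" in rules:
            return True              # application-level rule
        return pkt.proto in rules    # generic tcp/udp/icmp rule

    def process(self, pkt):
        if pkt.direction == "out":
            if self._inspects(pkt):
                self.sessions[pkt.key()] = "SIS_OPEN"
            return "permit"          # no outbound ACL in the lesson
        # Inbound on fa0/0: dynamic entries from inspection are checked first.
        if pkt.reverse_key() in self.sessions:
            return "permit (inspect)"
        if (pkt.proto, pkt.dport) in self.acl_permits:
            return "permit (acl)"
        return "deny (DENY_ALL_FROM_INTERNET)"


R1, R2, R3 = "192.168.12.1", "192.168.12.2", "192.168.23.3"


def demo():
    """Replay the lesson's experiments; returns the verdict for each inbound packet."""
    fw = Cbac(inspected={"http"})
    verdicts = []
    # 1. Ping R3 -> R1: only http is inspected, so the echo reply is dropped.
    fw.process(Packet("icmp", R3, R1))
    verdicts.append(fw.process(Packet("icmp", R1, R3, direction="in")))
    # 2. HTTP R3 -> R1: a session is created and the SYN/ACK is allowed back.
    fw.process(Packet("tcp", R3, R1, 36456, 80))
    verdicts.append(fw.process(Packet("tcp", R1, R3, 80, 36456, "in")))
    # 3. Inspect tcp/udp/icmp: transit pings now work too...
    fw.inspected |= {"tcp", "udp", "icmp"}
    fw.process(Packet("icmp", R3, R1))
    verdicts.append(fw.process(Packet("icmp", R1, R3, direction="in")))
    # 4. ...but a ping R2 sends itself is not inspected until "router-traffic".
    fw.process(Packet("icmp", R2, R1, local=True))
    verdicts.append(fw.process(Packet("icmp", R1, R2, direction="in")))
    fw.router_traffic |= {"tcp", "udp", "icmp"}
    fw.process(Packet("icmp", R2, R1, local=True))
    verdicts.append(fw.process(Packet("icmp", R1, R2, direction="in")))
    # 5. Unsolicited SSH from the Internet never matches a session; it needs an ACL permit.
    verdicts.append(fw.process(Packet("tcp", R1, R2, 40000, 22, "in")))
    fw.acl_permits.add(("tcp", 22))
    verdicts.append(fw.process(Packet("tcp", R1, R2, 40000, 22, "in")))
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

What the model leaves out is also instructive: real CBAC ages sessions (the tcp idle-time 3600 and udp idle-time 30 seen in show ip inspect all), tracks TCP state rather than just a 5-tuple, and applies the half-open thresholds, which is why a long-lived UDP "session" is not really a connection and why the generic tcp/udp rules are less precise than the application-level http rule.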
VLAN Hopping
VLAN Hopping is an attack where the attacker is able to send traffic from one VLAN into another. There are two different methods to accomplish this:

• Double tags: the idea behind the attack is that the attacker is connected to an interface in access mode with the same VLAN as the native (untagged) VLAN on the trunk. The attacker sends a frame with two 802.1Q tags: the "inner" VLAN tag is the VLAN that we want to reach and the "outer" VLAN tag is the native VLAN. When the switch receives the frame, it will remove the first (native VLAN) 802.1Q tag and forward the frame with the second 802.1Q tag on its trunk interface(s). The attacker has now "jumped" from the native VLAN to the victim's VLAN. It's a one way trip (replies never come back to the attacker), but it could perhaps be used for a DoS attack.
• Switch spoofing: the attacker will send DTP packets and try to negotiate a trunk with the switch. This is possible when you use the default "dynamic auto" or "dynamic desirable" switchport mode. Once you have a trunk to your computer, you will have access to all VLANs. This is basically a misconfiguration, since you should never configure your interfaces to use the dynamic switchport modes.

Here's an illustration for the double tag method:
In the picture above we have two switches, SW1 and SW2. The attacker is in VLAN 1 and our victim is in VLAN 20. Here are the configurations of the switches:

SW1#
interface FastEthernet0/11
 switchport mode access
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

SW2#
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
As you can see above, the interfaces that connect to the computers are in access mode; the attacker is in VLAN 1 while our victim is in VLAN 20. The interface between the two switches is an 802.1Q trunk.

Does the double tagging method actually work? The idea is that the switch will just accept any frames even if it's in access mode. I tried this on a Cisco Catalyst Switch 3560 running the IP services 12.2(55)SE10 image.

To test this, I used scapy on a computer running Kali:

# scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>>

Let's craft a nice frame:

>>> sendp(Ether(dst='ff:ff:ff:ff:ff:ff', src='00:17:5a:ed:7a:f0')/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='255.255.255.255', src='192.168.1.1')/ICMP(), iface='eth2')

Here's what you see above:

• Source MAC address: 00:17:5a:ed:7a:f0
• Destination MAC address: broadcast
• Outer VLAN tag: 1 (the native VLAN)
• Inner VLAN tag: 20 (the victim's VLAN)
• Destination IP address: broadcast
• Source IP address: 192.168.1.1
• Outgoing interface: eth2

Here's a capture of this packet in wireshark:
If everything works then my switch should accept the frame, forward it on the trunk and broadcast it in VLAN 20. My 3560 switch doesn't like it at all though:
SW1#show interfaces FastEthernet 0/1
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0019.569d.570d (bia 0019.569d.570d)
  MTU 1504 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 249/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:03, output 00:00:01, output hang never
  Last clearing of "show interface" counters 00:09:17
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     90 packets input, 14876 bytes, 0 no buffer
     Received 90 broadcasts (68 multicasts)
     35 runts, 0 giants, 0 throttles
     35 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 68 multicast, 0 pause input
     0 input packets with dribble condition detected
     344 packets output, 25499 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
Above you can see that the number of runts and input errors has increased. My frames are dropped and not accepted. Normally this could occur if you send garbage frames, but to prove that my double tagged frames are actually valid, I'll do one more experiment.

Let's configure the interface that connects to my attacker in trunk mode:

SW1(config)#interface FastEthernet 0/1
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk

And for our victim I will use a router with an IP address on it and we will enable IP packet debugging:

VICTIM(config)#interface FastEthernet 0/1
VICTIM(config-if)#ip address 192.168.20.2 255.255.255.0

VICTIM#debug ip packet
IP packet debugging is on

Now when I send another double tagged packet, the switch should accept my frame with 802.1Q tags. Let's send another scapy packet:

>>> sendp(Ether(dst='ff:ff:ff:ff:ff:ff', src='00:17:5a:ed:7a:f0')/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='255.255.255.255', src='192.168.1.1')/ICMP(), iface='eth2')

Now I see this on my victim router:

VICTIM#
IP: s=192.168.1.1 (FastEthernet0/1), d=255.255.255.255, len 28, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=192.168.1.1 (FastEthernet0/1), d=255.255.255.255, len 28, rcvd 2
IP: s=192.168.1.1 (FastEthernet0/1), d=255.255.255.255, len 28, stop process pak for forus packet
IP: s=192.168.20.2 (local), d=192.168.1.1, len 28, unroutable

Great, you can see that the victim router has received the crafted IP packet. It doesn't know how to reach 192.168.1.1 so its reply is dropped, but at least this proves that the switches forward my frame.
Conclusion

VLAN hopping is probably one of those attacks that everyone thinks is really scary but that seems to be impossible on modern IOS images; the switch simply refuses to accept any 802.1Q frames on access mode interfaces. From what I've read, this attack is possible on older switch models / IOS images and perhaps switches from other vendors are vulnerable to this. Once I get my hands on an older switch then I might give this another try...
If you are interested, here's the wireshark capture of the double tagged frame:
Scapy 802.1Q Double Tag
If you have any questions, feel free to leave a comment!
htt*s:www.c%oudshark.orgca*tures58df709d7549
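The double tag method, as an added example that is not part of the original lesson: the same frame the scapy command above sends, built with the Python standard library only, followed by a model of what a switch that does accept tagged frames on an access port would do with it (the lesson's 3560 does not, which the model can reproduce too). The attacker MAC and the VLAN numbers are the lesson's; the switch model is constructed here, and the two mitigations it demonstrates are the standard Cisco ones that the lesson does not discuss: move the trunk's native VLAN to an unused VLAN, or tag the native VLAN on the trunk with "vlan dot1q tag native". Either one makes the outer tag survive on the wire, so the neighbour switch classifies the frame by VLAN 1 and never sees the inner tag.

```python
# Added example, not the lesson's own code: build the same double-tagged frame
# the scapy command above sends, with the standard library only, and model what
# happens to it on a switch that does accept tagged frames on an access port
# (the 3560 in the lesson does not). MAC and VLAN numbers come from the lesson;
# the switch model and the two mitigations shown (an unused native VLAN, or
# "vlan dot1q tag native") are added here.
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def dot1q_tag(vlan, pcp=0):
    """TPID 0x8100 followed by the TCI: 3-bit PCP, 1-bit DEI, 12-bit VID."""
    return struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | (vlan & 0x0FFF))


def double_tagged_frame(src_mac, outer_vlan, inner_vlan, payload):
    return (BROADCAST + src_mac + dot1q_tag(outer_vlan) + dot1q_tag(inner_vlan)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def vlan_tags(frame):
    """VLAN IDs of all stacked 802.1Q tags, outermost first."""
    tags, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == ETHERTYPE_8021Q:
        tags.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return tags


def access_ingress(frame, access_vlan, accept_tagged):
    """Classify a frame arriving on an access port: (vlan, frame) or None if dropped."""
    tags = vlan_tags(frame)
    if not tags:
        return access_vlan, frame
    if not accept_tagged or tags[0] != access_vlan:
        return None                               # what the lesson's 3560 does
    return access_vlan, frame[:12] + frame[16:]   # outer tag removed, inner tag untouched


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Send on an 802.1Q trunk: the native VLAN leaves untagged unless tag_native."""
    if vlan == native_vlan and not tag_native:
        return frame
    return frame[:12] + dot1q_tag(vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """The neighbour switch classifies by the first tag, or native VLAN if untagged."""
    tags = vlan_tags(frame)
    return tags[0] if tags else native_vlan


def hop(accept_tagged=True, access_vlan=1, native_vlan=1, tag_native=False):
    """Attacker in access_vlan sends outer tag 1 / inner tag 20 towards SW2."""
    attacker = bytes.fromhex("00175aed7af0")
    payload = b"\x45" + b"\x00" * 27            # stand-in for the IP/ICMP payload
    frame = double_tagged_frame(attacker, outer_vlan=1, inner_vlan=20, payload=payload)
    classified = access_ingress(frame, access_vlan, accept_tagged)
    if classified is None:
        return "dropped at access port"
    vlan, inner = classified
    on_wire = trunk_egress(vlan, inner, native_vlan, tag_native)
    return "delivered in VLAN %d" % trunk_ingress(on_wire, native_vlan)


if __name__ == "__main__":
    print("3560 behaviour:       ", hop(accept_tagged=False))
    print("permissive switch:    ", hop())
    print("native VLAN 999:      ", hop(native_vlan=999))
    print("vlan dot1q tag native:", hop(tag_native=True))
```

The function names access_ingress, trunk_egress and trunk_ingress are the model's own, not IOS terminology. The interesting case is hop() with defaults: the outer tag is stripped on ingress, the frame leaves the trunk untagged because VLAN 1 is native, and SW2 reads the leftover inner tag as the frame's VLAN. The MTU 1504 in the show interfaces output above is the same 4-byte tag seen from the other side.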
Cisco ASA Site-to-Site IKEv2 IPsec VPN
IKEv2 was published as RFC 5996 in September 2010 (since superseded by RFC 7296) and is fully supported on Cisco ASA firewalls. In this lesson you will learn how to configure a site-to-site IKEv2 IPsec VPN. If you haven't seen it before, in a previous lesson I showed you how to configure an IKEv1 IPsec VPN.

We will use the following topology for this example:
ASA1 and ASA2 are able to reach each other through their "OUTSIDE" Ethernet 0/1 interfaces. Their Ethernet 0/0 interfaces are the "INSIDE", where we have R1 and R2. The goal is to configure an IKEv2 IPsec site-to-site VPN between ASA1 and ASA2 so that R1 and R2 are able to reach each other.

Configuration

First we will configure the IKEv2 policy, which is similar to phase 1 of IKEv1.

IKEv2 Policy Configuration

Here's what it looks like on both ASA firewalls:

ASA1 & ASA2:
(config)# crypto ikev2 policy 10
(config-ikev2-policy)# encryption aes
(config-ikev2-policy)# group 2
(config-ikev2-policy)# prf sha
(config-ikev2-policy)# lifetime seconds 86400

The configuration is similar to the IKEv1 policy; the only new command is prf sha. PRF is the pseudo-random function that IKEv2 uses to derive keying material. The ASA configures it separately from the integrity algorithm, but it normally uses the same hash (SHA-1 here, which the verification output below reports as SHA96).
IKEv2 IPsec Proposal

This section is similar to phase 2 of IKEv1, where we have to configure a transform set. For IKEv2 we call this the IPsec proposal, which is configured like this:

ASA1 & ASA2:
(config)# crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
(config-ipsec-proposal)# protocol esp encryption aes
(config-ipsec-proposal)# protocol esp integrity sha-1

We will use ESP with AES as the encryption algorithm and SHA for integrity. The next step is to configure an access-list that defines what traffic we will encrypt:
ASA1(config)# access-list LAN1_LAN2 extended permit ip host
192.168.1.1 host 192.168.2.2
ASA2(config)# access-list LAN2_LAN1 extended permit ip host
192.168.2.2 host 192.168.1.1
Now we have to configure a crypto map that combines the access-list, remote peer and IKEv2 proposal:
ASA1(config)# crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

ASA2(config)# crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
ASA2(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.1
ASA2(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
ASA2(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

The crypto map is called "MY_CRYPTO_MAP" and it specifies the access-list, remote peer and the IKEv2 proposal. It has been attached to the OUTSIDE interface. Note that the two access-lists are mirror images of each other; if they are not, the traffic selectors won't match and the child SA won't come up.

The next step is to configure a tunnel group. This is where we define authentication and the pre-shared key:
ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key CISCO123
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key CISCO456

ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key CISCO456
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key CISCO123

Above we configured the remote peer and the IPsec type (LAN to LAN). IKEv2 allows us to use different authentication methods, and different credentials, for each direction. In this example I used a different pre-shared key for each direction: ASA1's local key is ASA2's remote key and vice versa. CISCO123 and CISCO456 are demo values; use long random keys in production.

The last step is to enable IKEv2 on the interface:

ASA1(config)# crypto ikev2 enable OUTSIDE
ASA2(config)# crypto ikev2 enable OUTSIDE

This takes care of the IKEv2 configuration. Don't forget to configure routing so that ASA1 and ASA2 know how to reach each other's INSIDE networks:
ASA1(config)# route OUTSIDE 192.168.2.0 255.255.255.0 10.10.10.2
ASA2(config)# route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1
This completes the configuration. Let's see if it works...

Verification

Generate some traffic between R1 and R2 so that the ASA firewalls have to establish the IPsec tunnel. First we'll check if we have an IKEv2 security association:

ASA1# show crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote               Status   Role
7658533   10.10.10.1/500       10.10.10.2/500       READY    INITIATOR
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/22 sec
Child sa: local selector  192.168.1.1/0 - 192.168.1.1/65535
          remote selector 192.168.2.2/0 - 192.168.2.2/65535
          ESP spi in/out: 0x99589369/0xfcd7e620

This is looking good: a security association has been established between ASA1 and ASA2, with the algorithms we configured (AES-128, SHA-1 integrity, DH group 2, PSK authentication in both directions). Let's check if traffic is encrypted:
ASA1# show crypto ipsec sa
interface: OUTSIDE
    Crypto map tag: MY_CRYPTO_MAP, seq num: 1, local addr: 10.10.10.1

      access-list LAN1_LAN2 extended permit ip host 192.168.1.1 host 192.168.2.2
      local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.2/255.255.255.255/0/0)
      current_peer: 10.10.10.2

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.1/500, remote crypto endpt.: 10.10.10.2/500
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: FCD7E620
      current inbound spi : 99589369

    inbound esp sas:
      spi: 0x99589369 (2572718953)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4193279/28737)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xFCD7E620 (4242007584)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3962879/28737)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Looking good: packets have been encrypted and decrypted. Hopefully this lesson was useful to learn how to configure an IKEv2 IPsec site-to-site VPN. If you have any questions, just leave a comment.
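The four things that have to agree between the two ASAs in this lesson (an IKEv2 policy, the ESP proposal, mirror-image crypto ACLs, and pre-shared keys that are swapped between local and remote authentication), as an added consistency check that is not the lesson's own code and is not an ASA feature. The config text below is constructed from the lesson's commands; the parser only understands those commands and assumes one algorithm per policy and proposal, so it is a pre-flight check for configs like this one rather than a general ASA parser. The function names parse, check and check_configs are the example's own.

```python
# Added example (not the lesson's own code): cross-check two ASA IKEv2 site-to-site
# configurations for the mismatches that keep a tunnel down: no common IKEv2
# policy, different ESP proposals, crypto ACLs that are not mirror images, and
# pre-shared keys that are not swapped between local and remote authentication.
# The config text is constructed from the lesson's commands; the parser only
# understands those commands and assumes one algorithm per policy/proposal.
import re

ASA1 = """
crypto ikev2 policy 10
 encryption aes
 group 2
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
access-list LAN1_LAN2 extended permit ip host 192.168.1.1 host 192.168.2.2
crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.2
crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
tunnel-group 10.10.10.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key CISCO123
 ikev2 remote-authentication pre-shared-key CISCO456
"""

# ASA2 mirrors ASA1: ACL reversed, peer swapped, local/remote keys swapped.
ASA2 = (ASA1.replace("LAN1_LAN2", "LAN2_LAN1")
            .replace("host 192.168.1.1 host 192.168.2.2", "host 192.168.2.2 host 192.168.1.1")
            .replace("10.10.10.2", "10.10.10.1")
            .replace("local-authentication pre-shared-key CISCO123",
                     "local-authentication pre-shared-key CISCO456")
            .replace("remote-authentication pre-shared-key CISCO456",
                     "remote-authentication pre-shared-key CISCO123"))

ACL_RE = re.compile(r"access-list (\S+) extended permit ip host (\S+) host (\S+)")
IKE_ATTRS = ("encryption", "integrity", "group", "prf")  # lifetime is local in IKEv2, not negotiated


def parse(text):
    cfg = {"policies": {}, "proposals": {}, "acls": {}, "psk": {}}
    block = None                                   # sub-mode we are in, if any
    for line in text.splitlines():
        if not line.strip():
            continue
        words = line.split()
        if line.startswith(" "):                   # sub-mode command
            if block is None:
                continue
            kind, name = block
            if kind == "policy":
                cfg["policies"][name][words[0]] = words[-1]        # encryption aes, group 2, ...
            elif kind == "proposal" and words[:2] == ["protocol", "esp"]:
                cfg["proposals"][name][words[2]] = words[3]        # encryption / integrity
            elif kind == "tg" and words[0] == "ikev2":
                cfg["psk"][words[1].split("-")[0]] = words[-1]     # local / remote key
            continue
        block = None
        if line.startswith("crypto ikev2 policy"):
            block = ("policy", words[3])
            cfg["policies"][words[3]] = {}
        elif line.startswith("crypto ipsec ikev2 ipsec-proposal"):
            block = ("proposal", words[4])
            cfg["proposals"][words[4]] = {}
        elif line.startswith("tunnel-group") and words[-1] == "ipsec-attributes":
            block = ("tg", words[1])
        elif line.startswith("access-list"):
            m = ACL_RE.match(line)
            cfg["acls"].setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
        elif "match address" in line:
            cfg["map_acl"] = words[-1]
        elif "set ikev2 ipsec-proposal" in line:
            cfg["map_proposal"] = words[-1]
    return cfg


def check(a, b):
    """Return the list of mismatches between two parsed peers (empty = consistent)."""
    findings = []
    if not any(all(pa.get(k) == pb.get(k) for k in IKE_ATTRS)
               for pa in a["policies"].values() for pb in b["policies"].values()):
        findings.append("no IKEv2 policy with matching encryption/integrity/group/prf")
    if a["proposals"][a["map_proposal"]] != b["proposals"][b["map_proposal"]]:
        findings.append("ESP proposals differ")
    mirrored = {(dst, src) for src, dst in a["acls"][a["map_acl"]]}
    if mirrored != b["acls"][b["map_acl"]]:
        findings.append("crypto ACLs are not mirror images")
    if (a["psk"].get("local") != b["psk"].get("remote")
            or a["psk"].get("remote") != b["psk"].get("local")):
        findings.append("pre-shared keys are not swapped between local and remote")
    return findings


def check_configs(text_a, text_b):
    return check(parse(text_a), parse(text_b))


if __name__ == "__main__":
    print("as in the lesson:     ", check_configs(ASA1, ASA2))
    print("ASA2 keys not swapped:", check_configs(ASA1, ASA2.replace("CISCO456", "CISCO123")))
    print("ASA2 on DH group 14:  ", check_configs(ASA1, ASA2.replace("group 2", "group 14")))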
Cisco ASA Site-to-Site IKEv1 IPsec VPN
Site-to-site IPsec VPNs are used to "bridge" two distant LANs together over the Internet. Normally on the LAN we use private addresses, so without tunneling the two LANs would be unable to communicate with each other.

In this lesson you will learn how to configure IKEv1 IPsec between two Cisco ASA firewalls to bridge two LANs together.

Configuration

We will use the following topology for this example:
ASA1 and ASA2 are connected with each other using their Ethernet 0/1 interfaces. This is the "OUTSIDE" security zone, so imagine that this is their Internet connection. Each ASA has an Ethernet 0/0 interface which is connected to the "INSIDE" security zone. R1 is in network 192.168.1.0/24 while R2 is in 192.168.2.0/24. The goal is to ensure that R1 and R2 can communicate with each other through the IPsec tunnel.

Phase 1 Configuration

Phase 1 of IPsec is used to establish a secure channel between the two peers that will be used for further negotiation. The ASAs agree on a shared secret with Diffie-Hellman, authenticate each other and negotiate the IKE security policies. This is what happens in phase 1:
• Authenticate and protect the identities of the IPsec peers.
• Negotiate a matching IKE policy between the IPsec peers to protect the IKE exchange.
• Perform an authenticated Diffie-Hellman exchange so both sides hold the same shared secret.
• Set up a secure tunnel for IKE phase 2.

Here's what the configuration looks like on ASA1:

ASA1(config)# crypto ikev1 policy 10
ASA1(config-ikev1-policy)# authentication pre-share
ASA1(config-ikev1-policy)# encryption aes
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 2
ASA1(config-ikev1-policy)# lifetime 3600

Let me break down this configuration for you:

• The IKEv1 policy starts with a priority number; I picked number 10. The lower the number, the higher the priority. You can use this if you have multiple peers.
• We use a pre-shared key for authentication.
• Encryption is done with AES.
• SHA is used for hashing.
• We use Diffie-Hellman group 2 for the secret key exchange.
• The security association lifetime is 3600 seconds; once this expires we will do a renegotiation.

If you use any ASA version before ASA 8.4 then the keyword "ikev1" has to be replaced with "isakmp".

The IKEv1 policy is configured but we still have to enable it:

ASA1(config)# crypto ikev1 enable OUTSIDE
ASA1(config)# crypto isakmp identity address

The first command enables IKEv1 on the OUTSIDE interface and the second command makes the ASA identify itself with its IP address, not its FQDN (Fully Qualified Domain Name).

We configured the IKEv1 policy and activated it on the interface but we still have to specify the remote peer and a pre-shared key. This is done with a tunnel-group:
ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
The IP address above is the IP address of the OUTSIDE interface on ASA2. The type "ipsec-l2l" means LAN-to-LAN. Let's configure the pre-shared key now:
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY
The pre-shared key is configured as an attribute of the tunnel-group for the remote peer. I'll use "MY_SHARED_KEY" as the pre-shared key between the two ASA firewalls; with IKEv1 the same key is used on both sides. This takes care of the phase 1 configuration on ASA1; we'll configure the same thing on ASA2:

ASA2(config)# crypto ikev1 policy 10
ASA2(config-ikev1-policy)# authentication pre-share
ASA2(config-ikev1-policy)# encryption aes
ASA2(config-ikev1-policy)# hash sha
ASA2(config-ikev1-policy)# group 2
ASA2(config-ikev1-policy)# lifetime 3600

ASA2(config)# crypto ikev1 enable outside
ASA2(config)# crypto isakmp identity address
ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY
Phase 1 is now configured on both ASA firewalls. Let's continue with phase 2.

Phase 2 configuration

Once the secure tunnel from phase 1 has been established, we will start phase 2. In this phase the two firewalls will negotiate the IPsec security parameters that will be used to protect the traffic within the tunnel. In short, this is what happens in phase 2:

• Negotiate IPsec security parameters through the secure tunnel from phase 1.
• Establish IPsec security associations.
• Periodically renegotiate the IPsec security associations for security.

Here's what the configuration looks like; we'll start with ASA1:
ASA1(config)# access-list LAN1_LAN2 extended permit ip
192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
First we configure an access-list that defines what traffic we are going to encrypt. This will be the traffic between 192.168.1.0/24 and 192.168.2.0/24.
The IPsec peers will negotiate the encryption and authentication algorithms, and this is done using a transform-set. Here's what it looks like:

ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

The transform set is called "MY_TRANSFORM_SET" and it specifies that we want to use ESP with 256-bit AES encryption and SHA for authentication. Once we have configured the transform set we need to configure a crypto map, which has all the phase 2 parameters:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

Let me explain the configuration step by step:

• The crypto map is called "MY_CRYPTO_MAP" and number 10 is the sequence number. The sequence number is used because you can have a single crypto map for multiple different remote peers.
• The set peer command configures the IP address of the remote peer, ASA2 in this example.
• The set ikev1 transform-set command refers to the transform set that we configured before.
• The set security-association lifetime command specifies when the IPsec security association will expire and a renegotiation takes place.
• The interface command activates the crypto map on the interface.

We will create a similar configuration on ASA2:
ASA2(config)# access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA2(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
ASA2(config)# crypto map MY_CRYPTO_MAP 10 match address LAN2_LAN1
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA2(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE
This takes care of phase 1 and phase 2 on both ASA firewalls. Last but not least, make sure that the firewalls know how to reach each other's subnets; I will use a static route for this:
ASA1(config)# route OUTSIDE 192.168.2.0 255.255.255.0 10.10.10.2
ASA2(config)# route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1
Everything is in place so let's verify our work...

Verification

We require some traffic between R1 and R2 to trigger the ASA firewalls to build the tunnel. I'll send a ping from R1 to R2:

R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

The ping works so it looks promising; we have to verify however that our traffic is encrypted:

ASA1# show crypto isakmp sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 10.10.10.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
There are no IKEv2 SAs

The important thing to look for is the state, which is MM_ACTIVE. This means that the phase 1 (main mode) security association has been established. Now we can check if our packets are encrypted:
ASA1# show crypto ipsec sa
interface: OUTSIDE
    Crypto map tag: MY_CRYPTO_MAP, seq num: 10, local addr: 10.10.10.1

      access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 10.10.10.2

      #pkts encaps: 1697, #pkts encrypt: 1697, #pkts digest: 1697
      #pkts decaps: 1696, #pkts decrypt: 1696, #pkts verify: 1696
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1697, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.1/0, remote crypto endpt.: 10.10.10.2/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: EECD69E6
      current inbound spi : F74C0050

    inbound esp sas:
      spi: 0xF74C0050 (4148953168)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3914834/3423)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xEECD69E6 (4006439398)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3914834/3423)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
This is looking good: you can see the access-list that matches our traffic and the number of encrypted and decrypted packets.
I hope this example has been useful for you; if you have any questions feel free to leave a comment!
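The key agreement and the pre-shared-key authentication behind the phase 1 bullets above, as an added example that is not the lesson's own code and builds no ISAKMP packets: a Diffie-Hellman exchange in group 2 (the 1024-bit MODP prime from RFC 2409, the group "group 2" selects) and the RFC 2409 derivation for pre-shared keys, SKEYID = prf(psk, Ni_b | Nr_b) followed by SKEYID_d, SKEYID_a and SKEYID_e, with HMAC-SHA1 as the PRF because the policy says "hash sha". The PSK is the lesson's MY_SHARED_KEY; nonces, cookies and private exponents are random. The class and function names (IkePeer, phase1, keys_match) are the example's own.

```python
# Added example, not the lesson's own code: the key agreement and PSK-based key
# derivation behind the phase 1 bullets, using the values this lesson configures:
# Diffie-Hellman group 2 (the 1024-bit MODP prime from RFC 2409), HMAC-SHA1 as
# the PRF ("hash sha") and "authentication pre-share". The RFC 2409 formulas are
# SKEYID = prf(psk, Ni_b | Nr_b), SKEYID_d/_a/_e = prf(SKEYID, ... | 0/1/2).
# Nonces, cookies and private exponents are random; no ISAKMP packets are built.
import hashlib
import hmac
import secrets

GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_G = 2
GROUP2_BYTES = 128


def prf(key, data):
    """IKEv1 PRF for "hash sha": HMAC-SHA1 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()


class IkePeer:
    def __init__(self, psk):
        self.psk = psk
        self.x = secrets.randbelow(GROUP2_P - 2) + 1           # private DH exponent
        self.public = pow(GROUP2_G, self.x, GROUP2_P)          # g^x mod p, sent in MM3/MM4
        self.nonce = secrets.token_bytes(20)                   # Ni_b or Nr_b
        self.cookie = secrets.token_bytes(8)                   # CKY-I or CKY-R

    def derive(self, peer_public, ni, nr, cky_i, cky_r):
        """SKEYID material as both sides compute it after the DH exchange."""
        gxy = pow(peer_public, self.x, GROUP2_P).to_bytes(GROUP2_BYTES, "big")
        skeyid = prf(self.psk, ni + nr)                         # pre-shared key authentication
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")   # source of the IPsec (phase 2) keys
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP integrity
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP encryption
        return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
                "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase1(initiator_psk, responder_psk):
    """Both peers run the exchange; returns (initiator keys, responder keys)."""
    i, r = IkePeer(initiator_psk), IkePeer(responder_psk)
    # Public values, nonces and cookies travel in the clear in main mode.
    keys_i = i.derive(r.public, i.nonce, r.nonce, i.cookie, r.cookie)
    keys_r = r.derive(i.public, i.nonce, r.nonce, i.cookie, r.cookie)
    return keys_i, keys_r


def keys_match(initiator_psk, responder_psk):
    """True when both ASAs would end up with identical SKEYID material."""
    keys_i, keys_r = phase1(initiator_psk, responder_psk)
    return keys_i == keys_r


if __name__ == "__main__":
    print("same PSK on both ASAs:", keys_match(b"MY_SHARED_KEY", b"MY_SHARED_KEY"))
    print("PSK typo on ASA2:     ", keys_match(b"MY_SHARED_KEY", b"MY_SHARED_KEY2"))
```

Two things worth taking from this. The PSK enters only through the first prf call, so a typo on one ASA produces different SKEYID_e values and the peers simply cannot decrypt each other's MM5/MM6; the `show crypto isakmp sa` state then never reaches MM_ACTIVE. And group 2 is a 1024-bit group: it is what this lesson (and the IKEv2 lesson above) configures, but it is below what current guidance accepts, so on peers that support it prefer group 14 or higher, and pair it with AES-256 as the phase 2 transform set already does.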