
Page 1: AAA and 802

8/16/2019 AAA and 802

http://slidepdf.com/reader/full/aaa-and-802 1/26

AAA and 802.1X Authentication

When it comes to securing the network, AAA and 802.1X authentication are two powerful tools we can use. Let me show you an example of why you might want this for your switches. Network users might bring their own wireless router from home and connect it to the switch so they can share wireless internet with all their colleagues. An access point like this is called a rogue access point and this is something you DON'T want to see on your network. It's hard to detect because on the switch you'll only see one MAC address. The router is doing NAT, so you will only see one IP address; this is something you can't prevent with port security.

One way of dealing with issues like this is to use AAA.

AAA stands for Authentication, Authorization and Accounting:

•   Authentication: Verify the identity of the user. Who are you?
•   Authorization: What is the user allowed to do? What resources can he/she access?
•   Accounting: Used for billing and auditing.


The idea behind AAA is that a user has to authenticate before getting access to the network. The fa0/1 interface on SwitchA will be blocked and you are not even getting an IP address. The only thing the user is allowed to do is send his/her credentials, which will be forwarded to the AAA server. If your credentials are OK, the port will be unblocked and you will be granted access to the network.


802.1X is the mechanism that will block or unblock the interface. It's called port-based control. In the picture above an unknown user plugged a cable into the switch. All traffic is being dropped with the exception of EAPoL (Extensible Authentication Protocol over LAN). EAP is what we use to exchange authentication information. Once the user has authenticated and everything is OK, she is granted access to the network.


In the picture above you see the terminology that 802.1X uses. The user device is called the supplicant; it "supplies" authentication information. The switch is called the authenticator because it accepts the authentication information and passes it along to the authentication server. User information is stored on the authentication server.

There are two types of authentication servers:

•   RADIUS
•   TACACS+

The most common authentication server is RADIUS (Remote Authentication Dial In User Service). It's a protocol that has been standardized by the IETF. TACACS+ (Terminal Access Controller Access-Control System) does a similar job but it's Cisco proprietary.

There are many different RADIUS servers you can use, for example:

• Cisco ACS (Cisco's RADIUS and TACACS+ server software)
• Microsoft IAS (you can install it on Windows Server 2003 or 2008).
• Freeradius (very powerful and free)
• Integrated in network devices (Cisco's Wireless LAN controllers have RADIUS server software, for example).

You now have an idea what the components are in an AAA 802.1X authentication setup. In the next lesson I will give you a configuration example of how to implement this on a Cisco Catalyst switch.
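To make the authenticator-to-server leg concrete, here is an added Python example (mine, not code from the lesson or from any RADIUS product) that builds and parses the RADIUS Access-Request a switch sends on the user's behalf, following RFC 2865, including the User-Password hiding that is keyed on the shared secret between switch and server. The username, password, shared secret and NAS port are constructed values.

```python
# Added example (not from the original lesson): how an 802.1X authenticator
# hands a user's credentials to a RADIUS server. Builds and parses an
# RFC 2865 Access-Request, including the User-Password hiding that uses the
# shared secret between switch and server. All names and secrets below are
# constructed for this example.
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT = 5


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    16-byte Request Authenticator instead of a previous block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; this is what the server does, so anyone who
    holds the shared secret and sees the packet can recover the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_port, authenticator=None):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
                             (ATTR_NAS_PORT, struct.pack("!I", nas_port))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet, secret):
    """Server side: validate framing, walk the attributes, unhide the password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:   # reject truncated/overlong TLVs
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {
        "id": identifier,
        "username": attrs[ATTR_USER_NAME].decode(),
        "password": reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode(errors="replace"),
        "nas_port": struct.unpack("!I", attrs[ATTR_NAS_PORT])[0],
    }


def demo():
    secret = b"switch-to-radius-secret"   # constructed shared secret
    pkt = build_access_request(7, b"alice", b"correct horse battery", secret, 1)
    return parse_access_request(pkt, secret)
```

Run demo() to build a request and parse it back. The password is only XOR-masked with an MD5 keystream derived from the shared secret and the request authenticator, so the confidentiality of that attribute rests entirely on the shared secret; that is why the secret deserves the same care as a password and why 802.1X carries credentials inside an EAP method rather than as a plain User-Password attribute.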


Cisco CBAC Configuration Example


CBAC (Context Based Access Control) is a firewall for Cisco IOS routers that offers some more features than a simple access-list. CBAC is able to inspect up to layer 7 of the OSI model and can dynamically create rules to allow return traffic. It is similar to the reflexive access-list, but one of the key differences is that the reflexive ACL only inspects up to layer 4.

In this tutorial I'll give you an example of CBAC and you'll see why this firewall feature is very useful. I'll be using three routers for this:

In the example above we have three routers. Imagine the router on the left side (R1) is some device on the Internet while R3 is a host on our LAN. R2 will be the router that is protecting us from traffic on the Internet; this is where we configure CBAC. Let's start with the basic configuration, setting up IP addresses and some static routes for connectivity:


R1(config)#interface fastethernet 0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.12.1 255.255.255.0

R2(config)#interface fastethernet 0/0
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#interface fastethernet 0/1
R2(config-if)#no shutdown
R2(config-if)#ip address 192.168.23.2 255.255.255.0

R3(config)#interface fastethernet 0/0
R3(config-if)#no shutdown
R3(config-if)#ip address 192.168.23.3 255.255.255.0

And two static routes so R1 and R3 can reach each other:

R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2

R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.23.2

Our idea is to protect our LAN from all the evil stuff on the Internet; in order to do so we'll create an access-list that drops everything from the Internet. The access-list looks like this:

R2(config)#ip access-list extended DENY_ALL_FROM_INTERNET
R2(config-ext-nacl)#deny ip any any log
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group DENY_ALL_FROM_INTERNET in

This access-list is very effective: it will drop everything from the Internet! I added the "deny ip any any log" so you can see dropped packets on the console. You don't have to add it because everything is dropped by default, but it helps to show dropped packets. There's one problem with this ACL however; let's see what happens when I send a ping from R3 to R1:

R3#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

These pings are failing, and this is what you see on the console of R2:

R2#
%SEC-6-IPACCESSLOGDP: list DENY_ALL_FROM_INTERNET denied icmp 192.168.12.1 -> 192.168.23.3 (0/0), 1 packet

These packets are dropped by the inbound ACL on R2 as illustrated below:


If we want to solve this problem we would have to add a permit statement in the access-list so the ping makes it through. That's not a scalable solution since we don't know what kind of traffic we have on our LAN and we don't want a big access-list with hundreds of permit statements.

What we are going to do is configure CBAC so it will inspect the traffic and automatically allow the return traffic through. I'll give you an example of how you can do this for HTTP traffic:

R2(config)#ip inspect name FIREWALL http

Our inspect rule is called "FIREWALL" and we tell CBAC to inspect HTTP traffic. We need to apply this inspect rule to an interface:

R2(config)#interface fastEthernet 0/0
R2(config-if)#ip inspect FIREWALL out

In my example I'm applying it outbound on R2 towards R1. Let's enable the HTTP server on R1 so we have something to connect to:

R1(config)#ip http server


Let's connect from R3 to R1:

R3#telnet 192.168.12.1 80
Trying 192.168.12.1, 80 ... Open

It says Open, which means that R3 was able to connect to R1. Let's see what CBAC thinks about this:

R2#show ip inspect sessions
Established Sessions
 Session 6702F3E0 (192.168.23.3:36456)=>(192.168.12.1:80) http SIS_OPEN

You can see that CBAC inspected our HTTP traffic and is permitting it through the access-list. If you want you can take a detailed look at the inspection rules:

R2#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name FIREWALL
    http alert is on audit-trail is off timeout 3600
Interface Configuration
 Interface FastEthernet0/0
  Inbound inspection rule is not set
  Outgoing inspection rule is FIREWALL
    http alert is on audit-trail is off timeout 3600
  Inbound access list is DENY_ALL_FROM_INTERNET
  Outgoing access list is not set
Established Sessions
 Session 6702F3E0 (192.168.23.3:36456)=>(192.168.12.1:80) http SIS_OPEN

Right now we are only allowing HTTP traffic through the access-list. If you want a less restrictive firewall you can also permit entire protocols like TCP or UDP. A good example would be something like this:

R2(config)#ip inspect name FIREWALL tcp
R2(config)#ip inspect name FIREWALL udp
R2(config)#ip inspect name FIREWALL icmp

This tells CBAC to inspect TCP, UDP and ICMP traffic. This ensures that 90% of our traffic from the LAN will be able to reach hosts on the Internet and make it back through our access-list.


Last but not least, the examples above only apply to traffic that is flowing through your router. It doesn't apply to locally generated traffic from the router itself. Let me show you what I mean by sending a ping from R2 to R1:

R2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

These pings are not making it through the access-list... you'll see this on the console of R2:

%SEC-6-IPACCESSLOGDP: list DENY_ALL_FROM_INTERNET denied icmp 192.168.12.1 -> 192.168.12.2 (0/0), 1 packet

The problem is that when R2 sends a ping, it is locally generated and not flowing through the router. In order to fix this you'll need to add some additional inspect rules:

R2(config)#ip inspect name FIREWALL tcp router-traffic
R2(config)#ip inspect name FIREWALL udp router-traffic
R2(config)#ip inspect name FIREWALL icmp router-traffic

Let's try that ping again!

R2#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Now it's working... great! You now know what CBAC is about and how to configure it. Don't forget that if you still want to connect to your CBAC-enabled router from the Internet using telnet, SSH, IPsec or anything else, then you need to add some permit statements. Here's an example for SSH:

R2(config)#ip access-list extended DENY_ALL_FROM_INTERNET
R2(config-ext-nacl)#1 permit tcp any any eq 22

That's all we have for now. I hope this has been a useful example for you to understand and configure CBAC. If you have any questions, feel free to leave a comment!
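To show the whole procedure above as one piece of behaviour, here is an added Python model (mine, not code from the lesson or from IOS) of what R2 does: an inbound deny-all ACL, an outbound inspect rule that records sessions and admits only their return traffic, and the router-traffic switch that decides whether R2's own packets are inspected. The packets, addresses and protocol names are constructed to match the lesson's topology; the session table is a simplified 5-tuple match rather than full CBAC state tracking.

```python
# Added example (not from the lesson): a small model of the CBAC setup above.
# R2's inbound ACL denies everything; an outbound inspect rule records
# sessions for inspected protocols and lets the matching return traffic in.
# Packets, hosts and the router-traffic switch are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp" or the application-level "http"
    sport: int = 0
    dport: int = 0


class CbacRouter:
    def __init__(self, router_ip, inspect_protocols, router_traffic=False):
        self.router_ip = router_ip
        self.inspect = set(inspect_protocols)      # ip inspect name FIREWALL <proto>
        self.router_traffic = router_traffic      # the "router-traffic" keyword
        self.sessions = set()                     # 5-tuples learned from outbound traffic
        self.log = []

    def _inspected(self, pkt):
        # "ip inspect ... tcp" covers any TCP application, including HTTP
        return pkt.proto in self.inspect or (pkt.proto == "http" and "tcp" in self.inspect)

    def send_out(self, pkt):
        """Traffic leaving through the Internet-facing interface (ip inspect FIREWALL out)."""
        if pkt.src == self.router_ip and not self.router_traffic:
            self.log.append(f"not inspected (locally generated): {pkt}")
            return
        if self._inspected(pkt):
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            self.log.append(f"session opened: {pkt}")

    def receive_in(self, pkt):
        """Inbound on the Internet-facing interface: CBAC's dynamic entries are
        consulted before the static DENY_ALL_FROM_INTERNET ACL drops the packet."""
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.sessions:
            self.log.append(f"permitted by inspect session: {pkt}")
            return True
        self.log.append(f"%SEC-6-IPACCESSLOGDP: list DENY_ALL_FROM_INTERNET denied "
                        f"{pkt.proto} {pkt.src} -> {pkt.dst}")
        return False


def scenario(inspect_protocols, router_traffic):
    """Replay the lesson's four cases and report which replies got through."""
    r2 = CbacRouter("192.168.12.2", inspect_protocols, router_traffic)
    # R3 (LAN) opens HTTP to R1 (Internet); R1's reply comes back inbound
    r2.send_out(Packet("192.168.23.3", "192.168.12.1", "http", 36456, 80))
    http_reply = r2.receive_in(Packet("192.168.12.1", "192.168.23.3", "http", 80, 36456))
    # R3 pings R1; the echo reply comes back inbound
    r2.send_out(Packet("192.168.23.3", "192.168.12.1", "icmp"))
    ping_reply = r2.receive_in(Packet("192.168.12.1", "192.168.23.3", "icmp"))
    # R2 itself pings R1 (locally generated traffic)
    r2.send_out(Packet("192.168.12.2", "192.168.12.1", "icmp"))
    router_ping = r2.receive_in(Packet("192.168.12.1", "192.168.12.2", "icmp"))
    # an unsolicited connection attempt from the Internet side
    unsolicited = r2.receive_in(Packet("192.168.12.1", "192.168.23.3", "tcp", 40000, 22))
    return {"http": http_reply, "ping": ping_reply,
            "router_ping": router_ping, "unsolicited": unsolicited}
```

scenario(["http"], False) reproduces the first half of the lesson (only the HTTP reply gets in), scenario(["tcp", "udp", "icmp"], False) the broader inspect rules, and scenario(["tcp", "udp", "icmp"], True) the router-traffic fix; in every case the unsolicited inbound connection is still denied, which is the property the deny-all ACL is there to guarantee.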

VLAN Hopping

VLAN Hopping is an attack where the attacker is able to send traffic from one VLAN into another. There are two different methods to accomplish this:

• Double tags: the idea behind the attack is that the attacker is connected to an interface in access mode with the same VLAN as the native (untagged) VLAN on the trunk. The attacker sends a frame with two 802.1Q tags; the "inner" VLAN tag is the VLAN that we want to reach and the "outer" VLAN tag is the native VLAN. When the switch receives the frame, it will remove the first (native VLAN) 802.1Q tag and forward the frame with the second 802.1Q tag on its trunk interface(s). The attacker has now "jumped" from the native VLAN to the victim's VLAN. It's a one-way trip, but it could perhaps be used for a DoS attack.

• Switch spoofing: the attacker will send DTP packets and try to negotiate a trunk with the switch. This is possible when you use the default "dynamic auto" or "dynamic desirable" switchport mode. Once you have a trunk to your computer, you will have access to all VLANs. This is basically a misconfiguration, since you should never configure your interfaces to use the dynamic switchport modes.

Here's an illustration for the double tag method:


In the picture above we have two switches, SW1 and SW2. The attacker is in VLAN 1 and our victim is in VLAN 20. Here are the configurations of the switches:

SW1#
interface FastEthernet0/11
 switchport mode access

interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

SW2#
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access

interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk


As you can see above, the interfaces that connect to the computers are in access mode; the attacker is in VLAN 1 while our victim is in VLAN 20. The interface between the two switches is an 802.1Q trunk.

Does the double tagging method actually work? The idea is that the switch will just accept any frames even if it's in access mode. I tried this on a Cisco Catalyst 3560 switch running the IP services 12.2(55)SE10 image.

To test this, I used scapy on a computer running Kali:

# scapy
INFO: Can't import python gnuplot wrapper . Won't be able to plot.
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>>

Let's craft a nice frame:

>>> sendp(Ether(dst='ff:ff:ff:ff:ff:ff', src='00:17:5a:ed:7a:f0')/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='255.255.255.255', src='192.168.1.1')/ICMP(), iface='eth2')

Here's what you see above:

• Source MAC address: 00:17:5a:ed:7a:f0
• Destination MAC address: broadcast
• Inner VLAN tag: 20
• Outer VLAN tag: 1
• Destination IP address: broadcast
• Source IP address: 192.168.1.1
• Outgoing interface: eth2

Here's a capture of this packet in Wireshark:


If everything works then my switch should accept the frame, forward it on the trunk and broadcast it in VLAN 20. My 3560 switch doesn't like it at all though:

SW1#show interfaces FastEthernet 0/1
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0019.569d.570d (bia 0019.569d.570d)
  MTU 1504 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 249/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:03, output 00:00:01, output hang never
  Last clearing of "show interface" counters 00:09:17
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     90 packets input, 14876 bytes, 0 no buffer
     Received 90 broadcasts (68 multicasts)
     35 runts, 0 giants, 0 throttles
     35 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 68 multicast, 0 pause input
     0 input packets with dribble condition detected
     344 packets output, 25499 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out


Above you can see that the number of runts and input errors has increased. My frames are dropped and not accepted. Normally this could occur if you send garbage frames, but to prove that my double tagged frames are actually valid, I'll do one more experiment.

Let's configure the interface that connects to my attacker in trunk mode:

SW1(config)#interface FastEthernet 0/1
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk

And for our victim I will use a router with an IP address on it, and we will enable IP packet debugging:

VICTIM(config)#interface FastEthernet 0/1
VICTIM(config-if)#ip address 192.168.20.2 255.255.255.0

VICTIM#debug ip packet
IP packet debugging is on

Now when I send another double tagged packet, the switch should accept my frame with 802.1Q tags. Let's send another scapy packet:

>>> sendp(Ether(dst='ff:ff:ff:ff:ff:ff', src='00:17:5a:ed:7a:f0')/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst='255.255.255.255', src='192.168.1.1')/ICMP(), iface='eth2')

Now I see this on my victim router:

VICTIM#
IP: s=192.168.1.1 (FastEthernet0/1), d=255.255.255.255, len 28, input feature, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=192.168.1.1 (FastEthernet0/1), d=255.255.255.255, len 28, rcvd 2
IP: s=192.168.1.1 (FastEthernet0/1), d=255.255.255.255, len 28, stop process pak for forus packet
IP: s=192.168.20.2 (local), d=192.168.1.1, len 28, unroutable

Great, you can see that the victim router has received the crafted IP packet. It doesn't know how to reach 192.168.1.1 so it is dropped, but at least this proves that the switches forward my frame.


Conclusion

VLAN hopping is probably one of those attacks that everyone thinks is really scary, but it seems to be impossible on modern IOS images: the switch simply refuses to accept any 802.1Q frames on access mode interfaces. From what I've read, this attack is possible on older switch models / IOS images, and perhaps switches from other vendors are vulnerable to this. Once I get my hands on an older switch then I might give this another try...
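Whether or not a given switch honours double tags, both methods described at the top of this lesson depend on configuration preconditions that are easy to check for. The following is an added Python audit script (mine, not code from the lesson or from Cisco) that parses IOS-style switchport stanzas and flags an access port sharing a trunk's native VLAN, a trunk that still speaks DTP, and any port left in a dynamic mode. The SW1 and SW2 text repeats the lesson's configurations; the default native VLAN of 1 and the hardened variant are assumptions I supply.

```python
# Added example (not part of the lesson): audit switchport configuration for
# the preconditions the double-tag and switch-spoofing methods rely on.
# SW1/SW2 text repeats the lesson's configs; HARDENED is a constructed fix.
import re

DEFAULT_NATIVE_VLAN = 1   # assumed IOS default when no 'switchport trunk native vlan' is set

SW1_CONFIG = """
interface FastEthernet0/11
 switchport mode access
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
"""

SW2_CONFIG = """
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""

# Constructed hardened version of SW2: unused native VLAN, no DTP on the trunk.
HARDENED_CONFIG = """
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
"""


def parse_interfaces(config_text):
    """Return {interface: [stanza lines]} from 'show running-config' style text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and line and not line.startswith("!"):
            interfaces[current].append(line)
    return interfaces


def _vlan_from(lines, prefix, default):
    for line in lines:
        m = re.match(prefix + r" (\d+)$", line)
        if m:
            return int(m.group(1))
    return default


def audit_switch(config_text):
    """List (interface, finding) pairs; an empty list means nothing to fix."""
    interfaces = parse_interfaces(config_text)
    trunk_natives = {
        _vlan_from(lines, "switchport trunk native vlan", DEFAULT_NATIVE_VLAN)
        for lines in interfaces.values() if "switchport mode trunk" in lines
    }
    findings = []
    for intf, lines in interfaces.items():
        if "no switchport" in lines:          # routed port: not a switchport at all
            continue
        mode = next((l[len("switchport mode "):] for l in lines
                     if l.startswith("switchport mode ")), None)
        if mode is None or mode.startswith("dynamic"):
            findings.append((intf, "switchport mode is dynamic (DTP): a trunk can be negotiated; "
                                   "set access or trunk explicitly"))
            continue
        if mode == "trunk":
            if "switchport nonegotiate" not in lines:
                findings.append((intf, "trunk still speaks DTP; add 'switchport nonegotiate'"))
            if _vlan_from(lines, "switchport trunk native vlan", DEFAULT_NATIVE_VLAN) == DEFAULT_NATIVE_VLAN:
                findings.append((intf, "trunk native VLAN is the default VLAN 1; use a dedicated unused VLAN"))
        elif mode == "access":
            vlan = _vlan_from(lines, "switchport access vlan", DEFAULT_NATIVE_VLAN)
            if vlan in trunk_natives:
                findings.append((intf, f"access VLAN {vlan} is also a trunk native VLAN "
                                       "(double tagging precondition)"))
    return findings
```

Running audit_switch on SW1_CONFIG flags FastEthernet0/11 (the attacker's access port sits in the trunk's native VLAN 1) and the trunk's native VLAN; SW2_CONFIG additionally lacks switchport nonegotiate on its trunk; HARDENED_CONFIG comes back clean. Tagging the native VLAN on the trunk with vlan dot1q tag native is a further IOS-side mitigation the script does not check for.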

If you are interested, here's the Wireshark capture of the double tagged frame:

Scapy 802.1Q Double Tag

If you have any questions, feel free to leave a comment!

htt*s:www.c%oudshark.orgca*tures58df709d7549

Cisco ASA Site-to-Site IKEv2 IPsec VPN


IKEv2 has been published in RFC 5996 in September 2010 and is fully supported on Cisco ASA firewalls. In this lesson you will learn how to configure a site-to-site IKEv2 IPsec VPN. If you haven't seen it before, in a previous lesson I showed you how to configure an IKEv1 IPsec VPN.

We will use the following topology for this example:


ASA1 and ASA2 are able to reach each other through their "OUTSIDE" Ethernet 0/1 interfaces. Their Ethernet 0/0 interfaces are the "INSIDE" where we have R1 and R2. The goal is to configure an IKEv2 IPsec site-to-site VPN between ASA1 and ASA2 so that R1 and R2 are able to reach each other.

Configuration

First we will configure the IKEv2 policy, which is similar to phase 1 of IKEv1.

IKEv2 Policy Configuration

Here's what it looks like for both ASA firewalls:

ASA1 & ASA2
(config)# crypto ikev2 policy 10
(config-ikev2-policy)# encryption aes
(config-ikev2-policy)# group 2
(config-ikev2-policy)# prf sha
(config-ikev2-policy)# lifetime seconds 86400

The configuration is similar to the IKEv1 policy; the only new command is prf sha. PRF is the Pseudo Random Function algorithm, which is the same as the integrity algorithm.

IKEv2 IPsec Proposal

This section is similar to phase 2 of IKEv1 where we have to configure a transform set. For IKEv2 we call this the IPsec proposal, which is configured like this:

ASA1 & ASA2
(config)# crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
(config-ipsec-proposal)# protocol esp encryption aes
(config-ipsec-proposal)# protocol esp integrity sha-1

We will use AES as the encryption algorithm and SHA for integrity. The next step is to configure an access-list that defines what traffic we will encrypt:

ASA1(config)# access-list LAN1_LAN2 extended permit ip host 192.168.1.1 host 192.168.2.2

ASA2(config)# access-list LAN2_LAN1 extended permit ip host 192.168.2.2 host 192.168.1.1

Now we have to configure a crypto map that combines the access-list, remote peer and IKEv2 proposal together:


ASA1(config)# crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

ASA2(config)# crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
ASA2(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.1
ASA2(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
ASA2(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

The crypto map is called "MY_CRYPTO_MAP" and it specifies the access-list, remote peer and the IKEv2 proposal. It has been attached to the OUTSIDE interface.

The next step is to configure a tunnel group. This is where we define authentication and the pre-shared-key:

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key CISCO123
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key CISCO456

ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key CISCO456
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key CISCO123

Above we configured the remote peer and the IPsec type (lan to lan). IKEv2 allows us to use different authentication methods for each peer. In this example I used a different pre-shared key for each peer.

The last step is to enable IKEv2 on the interface:

ASA1(config)# crypto ikev2 enable OUTSIDE

ASA2(config)# crypto ikev2 enable OUTSIDE

This takes care of the IKEv2 configuration. Don't forget to configure routing so that ASA1 and ASA2 know how to reach each other's INSIDE interfaces:

ASA1(config)# route OUTSIDE 192.168.2.0 255.255.255.0 10.10.10.2

ASA2(config)# route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1


This completes the configuration. Let's see if it works...

Verification

Generate some traffic between R1 and R2 so that the ASA firewalls have to establish the IPsec tunnel. First we'll check if we have an IKEv2 security association:

ASA1# show crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote               Status         Role
7658533   10.10.10.1/500       10.10.10.2/500       READY          INITIATOR
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/22 sec
Child sa: local selector  192.168.1.1/0 - 192.168.1.1/65535
          remote selector 192.168.2.2/0 - 192.168.2.2/65535
          ESP spi in/out: 0x99589369/0xfcd7e620

This is looking good; a security association has been established between ASA1 and ASA2. Let's check if traffic is encrypted:

ASA1# show crypto ipsec sa
interface: OUTSIDE
    Crypto map tag: MY_CRYPTO_MAP, seq num: 1, local addr: 10.10.10.1

      access-list LAN1_LAN2 extended permit ip host 192.168.1.1 host 192.168.2.2
      local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.2/255.255.255.255/0/0)
      current_peer: 10.10.10.2

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.1/500, remote crypto endpt.: 10.10.10.2/500
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: FCD7E620
      current inbound spi : 99589369

    inbound esp sas:
      spi: 0x99589369 (2572718953)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4193279/28737)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xFCD7E620 (4242007584)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3962879/28737)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Looking good; packets have been encrypted and decrypted. Hopefully this lesson was useful to learn how to configure an IKEv2 IPsec site-to-site VPN. If you have any questions, just leave a comment.

Cisco ASA Site-to-Site IKEv1 IPsec VPN

Site-to-site IPsec VPNs are used to "bridge" two distant LANs together over the Internet. Normally on the LAN we use private addresses, so without tunneling the two LANs would be unable to communicate with each other.

In this lesson you will learn how to configure IKEv1 IPsec between two Cisco ASA firewalls to bridge two LANs together.

Configuration

We will use the following topology for this example:


ASA1 and ASA2 are connected with each other using their Ethernet 0/1 interfaces. This is the "OUTSIDE" security zone, so imagine that this is their Internet connection. Each ASA has an Ethernet 0/0 interface which is connected to the "INSIDE" security zone. R1 is in network 192.168.1.0/24 while R2 is in 192.168.2.0/24. The goal is to ensure that R1 and R2 can communicate with each other through the IPsec tunnel.

Phase 1 Configuration

Phase 1 of IPsec is used to establish a secure channel between the two peers that will be used for further data transmission. The ASAs will exchange secret keys, authenticate each other and negotiate the IKE security policies. This is what happens in phase 1:


• Authenticate and protect the identities of the IPsec peers.
• Negotiate a matching IKE policy between IPsec peers to protect the IKE exchange.
• Perform an authenticated Diffie-Hellman exchange to have matching shared secret keys.
• Set up a secure tunnel for IKE phase 2.
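The "authenticated Diffie-Hellman exchange" in that list, carried through in Python as an added example (mine, not code from the lesson or from the ASA) with the parameters the lesson's policy selects: DH group 2, which is the 1024-bit MODP group from RFC 2409, SHA-1 as the hash/PRF, and pre-shared-key authentication. The pre-shared keys are constructed values; nonces, cookies and private exponents are random, and the key derivation follows RFC 2409 section 5.4.

```python
# Added example (not from the lesson): IKEv1 phase 1 key agreement worked
# with DH group 2 and SHA-1, then the pre-shared-key SKEYID derivation of
# RFC 2409 section 5.4. Pre-shared keys here are constructed values.
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2, "Second Oakley Group": 1024-bit MODP prime, generator 2
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """'hash sha' in the policy: the PRF is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def valid_public(y: int) -> bool:
    """Reject degenerate peer values (0, 1, p-1) that would fix g^xy to a known value."""
    return 1 < y < GROUP2_P - 1


class Ikev1Peer:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.cookie = secrets.token_bytes(8)              # ISAKMP cookie (CKY)
        self.x = secrets.randbelow(GROUP2_P - 2) + 1      # private exponent
        self.public = pow(GROUP2_G, self.x, GROUP2_P)     # g^x
        self.nonce = secrets.token_bytes(32)              # Ni_b / Nr_b

    def derive(self, peer_public, peer_nonce, peer_cookie, initiator):
        if not valid_public(peer_public):
            raise ValueError("invalid Diffie-Hellman public value from peer")
        shared = pow(peer_public, self.x, GROUP2_P).to_bytes(128, "big")  # g^xy
        ni, nr = (self.nonce, peer_nonce) if initiator else (peer_nonce, self.nonce)
        cky_i, cky_r = (self.cookie, peer_cookie) if initiator else (peer_cookie, self.cookie)
        # Pre-shared key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, shared + cky_i + cky_r + b"\x00")     # IPsec keying material
        skeyid_a = prf(skeyid, skeyid_d + shared + cky_i + cky_r + b"\x01")  # ISAKMP integrity
        skeyid_e = prf(skeyid, skeyid_a + shared + cky_i + cky_r + b"\x02")  # ISAKMP encryption
        return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase1(psk_asa1: bytes, psk_asa2: bytes):
    """Both ASAs run the exchange; returns each side's derived keys."""
    asa1 = Ikev1Peer(psk_asa1)   # initiator
    asa2 = Ikev1Peer(psk_asa2)   # responder
    keys1 = asa1.derive(asa2.public, asa2.nonce, asa2.cookie, initiator=True)
    keys2 = asa2.derive(asa1.public, asa1.nonce, asa1.cookie, initiator=False)
    return keys1, keys2
```

With matching pre-shared keys both sides arrive at identical SKEYID, SKEYID_d, SKEYID_a and SKEYID_e; with mismatched keys the Diffie-Hellman secret still agrees but every SKEYID differs, which is why a wrong pre-shared key surfaces as a phase 1 authentication failure (the HASH_I/HASH_R payloads are computed with prf(SKEYID, ...)) rather than as a key-exchange error.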

Here's what the configuration looks like on ASA1:

ASA1(config)# crypto ikev1 policy 10
ASA1(config-ikev1-policy)# authentication pre-share
ASA1(config-ikev1-policy)# encryption aes
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 2
ASA1(config-ikev1-policy)# lifetime 3600

Let me break down this configuration for you:

• The IKEv1 policy starts with a priority number; I picked number 10. The lower the number, the higher the priority. You can use this if you have multiple peers.
• We use a pre-shared key for authentication.
• Encryption is done with AES.
• SHA is used for hashing.
• We use Diffie-Hellman group 2 for secret key exchange.
• The security association is 3600 seconds; once this expires we will do a renegotiation.

If you use any ASA version before ASA 8.4 then the keyword "ikev1" has to be replaced with "isakmp".

The IKEv1 policy is configured but we still have to enable it:

ASA1(config)# crypto ikev1 enable OUTSIDE
ASA1(config)# crypto isakmp identity address

The first command enables our IKEv1 policy on the OUTSIDE interface and the second command is used so the ASA identifies itself with its IP address, not its FQDN (Fully Qualified Domain Name).

We configured the IKEv1 policy and activated it on the interface but we still have to specify the remote peer and a pre-shared key. This is done with a tunnel-group:

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l


The IP address above is the IP address of the OUTSIDE interface on ASA2. The type "ipsec-l2l" means lan-to-lan. Let's configure the pre-shared key now:

ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

The pre-shared key is configured as an attribute for the remote peer. I'll use "MY_SHARED_KEY" as the pre-shared key between the two ASA firewalls. This takes care of the phase 1 configuration on ASA1; we'll configure the same thing on ASA2:

ASA2(config)# crypto ikev1 policy 10
ASA2(config-ikev1-policy)# authentication pre-share
ASA2(config-ikev1-policy)# encryption aes
ASA2(config-ikev1-policy)# hash sha
ASA2(config-ikev1-policy)# group 2
ASA2(config-ikev1-policy)# lifetime 3600

ASA2(config)# crypto ikev1 enable OUTSIDE
ASA2(config)# crypto isakmp identity address

ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l

ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

Phase 1 is now configured on both ASA firewalls. Let's continue with phase 2.

Phase 2 Configuration

Once the secure tunnel from phase 1 has been established, we will start phase 2. In this phase the two firewalls will negotiate the IPsec security parameters that will be used to protect the traffic within the tunnel. In short, this is what happens in phase 2:

• Negotiate IPsec security parameters through the secure tunnel from phase 1.
• Establish IPsec security associations.
• Periodically renegotiate IPsec security associations for security.

Here's what the configuration looks like; we'll start with ASA1:

ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

First we configure an access-list that defines what traffic we are going to encrypt. This will be the traffic between 192.168.1.0/24 and 192.168.2.0/24.


The IPsec peers will negotiate about the encryption and authentication algorithms and this is done using a transform-set. Here's what it looks like:

ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

The transform set is called "MY_TRANSFORM_SET" and it specifies that we want to use 256-bit AES for encryption and SHA for authentication. Once we have configured the transform set we need to configure a crypto map which holds all the phase 2 parameters:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

Let me explain the configuration step by step:

• The crypto map is called "MY_CRYPTO_MAP" and number 10 is the sequence number. The sequence number is used because you can have a single crypto map for multiple different remote peers.
• The set peer command configures the IP address of the remote peer, ASA2 in this example.
• The set ikev1 transform-set command is used to refer to the transform set that we configured before.
• The set security-association command specifies when the security association will expire and when we do a renegotiation.
• The interface command activates the crypto map on the interface.

We will create a similar configuration on ASA2:

ASA2(config)# access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ASA2(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

ASA2(config)# crypto map MY_CRYPTO_MAP 10 match address LAN2_LAN1
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA2(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE
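The crypto ACLs on ASA1 and ASA2 have to be exact mirror images of each other, otherwise the IKEv1 proxy identities do not match and phase 2 never completes. The following added example (not part of the original lesson) parses ASA "permit ip" ACEs and checks that property, using the lesson's LAN1_LAN2 and LAN2_LAN1 entries plus a constructed mismatched entry as input.

```python
import ipaddress
import re

# Constructed sample: the crypto ACLs the lesson configures on ASA1 and ASA2.
ASA1_ACL = ("access-list LAN1_LAN2 extended permit ip "
            "192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0")
ASA2_ACL = ("access-list LAN2_LAN1 extended permit ip "
            "192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0")
# Constructed mistake: the ASA2 side protects a /25 instead of the /24.
ASA2_ACL_BAD = ("access-list LAN2_LAN1 extended permit ip "
                "192.168.2.0 255.255.255.128 192.168.1.0 255.255.255.0")

ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


def parse_crypto_ace(line):
    """Return (acl_name, src_network, dst_network) for an ASA 'permit ip' ACE."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a permit ip ACE: {line!r}")
    # ipaddress accepts the dotted netmask form that ASA syntax uses.
    src = ipaddress.ip_network(f"{m['src']}/{m['smask']}")
    dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}")
    return m["name"], src, dst


def is_mirrored(local_ace, remote_ace):
    """IKEv1 phase 2 proxy identities must mirror: local src/dst == remote dst/src."""
    _, lsrc, ldst = parse_crypto_ace(local_ace)
    _, rsrc, rdst = parse_crypto_ace(remote_ace)
    return lsrc == rdst and ldst == rsrc


def phase2_mismatches(local_ace, remote_ace):
    """Describe why two crypto ACLs would not negotiate a matching IPsec SA."""
    _, lsrc, ldst = parse_crypto_ace(local_ace)
    _, rsrc, rdst = parse_crypto_ace(remote_ace)
    problems = []
    if lsrc != rdst:
        problems.append(f"local source {lsrc} != remote destination {rdst}")
    if ldst != rsrc:
        problems.append(f"local destination {ldst} != remote source {rsrc}")
    return problems


if __name__ == "__main__":
    print("ASA1/ASA2 mirrored:", is_mirrored(ASA1_ACL, ASA2_ACL))
    print("ASA1/bad ASA2:", phase2_mismatches(ASA1_ACL, ASA2_ACL_BAD))
```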


This takes care of phase 1 and phase 2 on both ASA firewalls. Last but not least, make sure that the firewalls know how to reach each other's subnets, I will use a static route for this:

ASA1(config)# route OUTSIDE 192.168.2.0 255.255.255.0 10.10.10.2

ASA2(config)# route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1

Everything is in place so let's verify our work...

Verification

We require some traffic between R1 and R2 to trigger the ASA firewalls to build the tunnel. I'll send a ping from R1 to R2:

R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

The ping works so it looks promising, we have to verify however that our traffic is encrypted:

ASA1# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.10.10.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

The important thing to look for is the state, which is MM_ACTIVE. This means that the IPsec tunnel has been established. Now we can check if our packets are encrypted:

ASA1# show crypto ipsec sa
interface: OUTSIDE
    Crypto map tag: MY_CRYPTO_MAP, seq num: 10, local addr: 10.10.10.1

      access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 10.10.10.2

      #pkts encaps: 1697, #pkts encrypt: 1697, #pkts digest: 1697
      #pkts decaps: 1696, #pkts decrypt: 1696, #pkts verify: 1696
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1697, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.1/0, remote crypto endpt.: 10.10.10.2/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: EECD69E6
      current inbound spi : F74C0050

    inbound esp sas:
      spi: 0xF74C0050 (4148953168)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3914834/3423)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xEECD69E6 (4006439398)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3914834/3423)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

This is looking good, you can see the access-list that matches our traffic and the number of encrypted and decrypted packets.
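Reading these two show commands by eye works for one tunnel; as an added example that is not part of the original lesson, here is a small Python checker that parses them (sample output constructed from the ASA1 output above, trimmed) and reports whether phase 1 is MM_ACTIVE with the expected peer, traffic is being encrypted and decrypted without errors, and every ESP SA uses the configured transform set.

```python
import re

# Constructed sample, trimmed from the lesson's ASA1 'show crypto isakmp sa' / 'show crypto ipsec sa' output.
ISAKMP_SA = """\
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 10.10.10.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
There are no IKEv2 SAs
"""
IPSEC_SA = """\
interface: OUTSIDE
    Crypto map tag: MY_CRYPTO_MAP, seq num: 10, local addr: 10.10.10.1
      current_peer: 10.10.10.2
      #pkts encaps: 1697, #pkts encrypt: 1697, #pkts digest: 1697
      #pkts decaps: 1696, #pkts decrypt: 1696, #pkts verify: 1696
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0xF74C0050 (4148953168)
         transform: esp-aes-256 esp-sha-hmac no compression
    outbound esp sas:
      spi: 0xEECD69E6 (4006439398)
         transform: esp-aes-256 esp-sha-hmac no compression
"""

def isakmp_peers(text):
    """Map each IKE peer address to its phase 1 state (e.g. MM_ACTIVE)."""
    peers = {}
    for block in re.split(r"\n(?=\d+\s+IKE Peer:)", text):
        m = re.search(r"IKE Peer:\s*(\S+).*?State\s*:\s*(\S+)", block, re.S)
        if m:
            peers[m.group(1)] = m.group(2)
    return peers

def ipsec_counters(text):
    """Collect the encrypt/decrypt/error counters and the negotiated ESP transforms."""
    keys = r"#(pkts encrypt|pkts decrypt|send errors|recv errors): (\d+)"
    c = {k: int(v) for k, v in re.findall(keys, text)}
    c["transforms"] = set(re.findall(r"transform: (esp-\S+ esp-\S+)", text))
    return c

def tunnel_healthy(isakmp, ipsec, peer, expected_transform):
    """Phase 1 up with the expected peer, traffic both ways, no errors, expected transform on every SA."""
    states, c = isakmp_peers(isakmp), ipsec_counters(ipsec)
    return (states.get(peer) == "MM_ACTIVE" and c["transforms"] == {expected_transform}
            and c.get("pkts encrypt", 0) > 0 and c.get("pkts decrypt", 0) > 0
            and c.get("send errors", 0) == 0 and c.get("recv errors", 0) == 0)
```

A tunnel whose phase 1 shows MM_ACTIVE but whose encrypt or decrypt counter stays at zero is the usual sign of a phase 2 (proxy identity or transform) mismatch rather than a phase 1 problem.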

Want to take a look for yourself? Here you will find the configuration of each device.

Configurations
• ASA1
• ASA2
• R1
• R2

I hope this example has been useful for you, if you have any questions feel free to leave a comment!