Guide to VPN in Small Office Environment V_1_0

How to implement VPN in small office environment

Transcript of Guide to VPN in Small Office Environment V_1_0 (16 pages), retrieved 8/3/2019 from
http://slidepdf.com/reader/full/guide-to-vpn-in-small-office-environment-v10


Contents

Prelude
VPN connection & architecture
  Our remote access in a nutshell
  Basis of configuration
  Theory behind the tunnel
  Tunnel mining
VPN configuration walk-through
  VPN server configuration
  VPN client configuration
What’s next
In conclusion
Sources


Prelude

This guide has been made to present the basic information about remote access VPN. The Internet
hands out a wide spread of information for this type of configuration. Not all aspects have
been thoroughly covered in this guide, but it should give you at least a glimpse of the world of remote access VPNs.

The only prerequisite for the guide is basic knowledge of router configuration. This
means in general that you are familiar with the different modes when configuring Cisco IOS on a router,
from user EXEC mode to global configuration mode.


VPN connection & architecture

A VPN (Virtual Private Network) is a private network carried over a public network. A VPN tunnel can
be implemented between two or more hosts. For example, with a VPN tunnel you can connect
two offices located on different continents and get them to interact with each other as if they were on one
physical LAN.

The type of connection we are going to implement is called a VPN remote access connection.
The connection is a tunnel between two peers, a host and a server.

In our case the host is a computer using Cisco VPN Client software and a Cisco router is
configured as the VPN server. The host connects to the server through the Internet, and the server
can be configured to provide access to a private network.

This guide will only concentrate on the tunnel between the client and the server; everything
else beyond that will be left a mystery.

Our remote access in a nutshell:

1. Client/server authentication using a pre-shared secret. A pre-shared secret is a pre-
defined key that the negotiating peers both know and use in order to trust each other. The
key itself is never sent over the wire: the peers prove they hold it by exchanging keyed hashes.
The same key is used by all connecting peers, so this could be seen as group authentication.


2. After the group authentication it’s time for the individual user authentication. The server
authenticates clients using a local database. Specific usernames and passwords are
installed manually on the router.

3. After the user is authenticated, client and server negotiate how data traffic inside the
tunnel is secured. After this the tunnel should be up and running.

Basis of configuration:

The client configuration consists of a group name, a pre-shared key, a user name and a password.

The server configuration consists of group policies and their pre-shared keys, a local database of
remote users and Security Associations for the tunnel. The Security Associations define how the
data is finally transferred inside the tunnel.

Theory behind the tunnel 

The remote access tunnel in our case is an IPSec VPN tunnel. We’ll use IKE, the hybrid key
management protocol that runs inside the ISAKMP framework, for pre-shared key authentication and key
exchange; the IKE extension Xauth, backed by the AAA commands of Cisco IOS software, for remote user
authentication & authorization; and IPSec SAs, negotiated under the protection of the IKE SA, to secure
the actual data transfer.

Makes sense? I’ll try to clear that out for you.

IPSec (IP Security) is a standard set of protocols used to secure IP communications. IPSec acts at
the network layer of the OSI model, protecting and authenticating IP packets between
participating IPSec devices known as peers. IPSec is the entity that we’re building here.

An IPSec tunnel consists of the following:

ISAKMP (Internet Security Association and Key Management Protocol). This is a framework
protocol for key exchange and SA negotiation. It defines the message formats and exchanges
for authentication, key exchange and SA management, but not the algorithms themselves.

When we look inside the ISAKMP protocol, there’s something called IKE (Internet Key
Exchange). IKE is a hybrid protocol that implements the key exchange within the ISAKMP framework.
In our configuration IKE first provides “group level” authentication, which in other words
means that IKE takes care of the pre-shared key proof and the Diffie-Hellman exchange and negotiates an
IKE SA (Security Association). The IKE SA will be used to protect the forthcoming IPSec SA negotiations.

The group level authentication, which is used for all connecting peers, is called IKE Phase
One. IKE Phase Two is when the IKE SA is in place and the IPSec SAs are being negotiated.

A Security Association, or SA, is not a protocol but an agreement between two peers on how
traffic in one direction is protected: which protocol (ESP or AH), which algorithms, which keys,
and how long they are valid. For example, when you choose from the various possibilities how to
protect your data transfer, you define the SA. And when you configure it, you deploy the SA.


Now back to IKE. Inside IKE there’s Xauth, used for user authentication. Xauth is an
extension to the existing IKE protocol. Xauth uses the Cisco IOS software AAA
authentication methods to perform user level authentication.

AAA stands for Authentication, Authorization and Accounting. It’s a set of commands that lie
ready to be implemented in the router IOS.

Tunnel mining 

In a LAN-to-LAN tunnel the negotiation starts when a peer sends interesting traffic, that is, a
packet that matches the access-list defining the traffic to be protected. In our remote access case
the VPN Client starts the negotiation when the user clicks Connect. The server then checks the
group name the client presents, then comes the pre-shared key exchange, and finally the
username & password are validated.

The pre-shared key proof, in a simplified view, works as a mutual challenge-response:

1. Client randomly chooses a string and sends it to the server.

2. Server hashes the received string together with the pre-shared secret and yields a hash
value, dependent on the random string and the pre-shared secret.

3. Server sends the result of the hashing back to the client.

4. Client calculates its own hash of the random string together with the pre-shared
secret, and matches it against the received result from the other peer. If they match, the
server knows the pre-shared secret and is considered authenticated.

5. Now the server randomly chooses a different random string and sends it to the client.

6. Client also hashes the received string with the pre-shared secret.

7. Client sends the resulting hash back to the server.

8. Server locally hashes the random value and the pre-shared secret and matches it
against the received hash. If they are equal, the client is also authenticated.

This was IKE Phase One of the negotiations. In the actual IKEv1 exchange (RFC 2409) the random
strings are the two peers’ nonces, the pre-shared key is mixed with them into a keyed hash (SKEYID),
and each peer’s proof (HASH_I, HASH_R) also covers the Diffie-Hellman public values, the cookies, the
proposal and the identities. The principle is the same, though: the key itself never crosses the wire,
and a peer that produces the right hash must hold it. One caveat for a group key: the Cisco VPN
Client uses IKE aggressive mode, in which these hashes are sent unencrypted, so anyone who captures
an exchange can test guesses of the group key offline. At this point the client and server are
authenticated and trust each other. The IKE SA is now negotiated and ready to protect the IPSec SA
negotiations.
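To make the Phase One proof concrete, here is a small Python model of IKEv1 aggressive mode with pre-shared key authentication, written for this guide as an added example; it is not code from the guide or from Cisco. It follows the key derivation of RFC 2409 (SKEYID = prf(PSK, Ni | Nr), with HASH_I and HASH_R computed over the Diffie-Hellman public values, cookies, proposal and identities), using HMAC-MD5 as the prf to match the hash md5 policy configured later in this guide. The Diffie-Hellman group, nonces, cookies, identities and proposal encoding are constructed toy values, not the real group 2 parameters. The last function shows the caveat named above: because HASH_R travels in the clear in aggressive mode, an observer who captured one exchange can test guesses of a group pre-shared key offline.

```python
"""IKEv1 pre-shared-key authentication (aggressive mode), modelled on RFC 2409.
Added example for this guide; DH parameters and wire encodings are toys."""
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group for the demo (NOT IKE group 2, which is
# a 1024-bit MODP group): the Mersenne prime 2^127-1 keeps the numbers short.
DH_P = (1 << 127) - 1
DH_G = 2


def prf(key, data):
    """IKEv1 prf for 'hash md5' is HMAC-MD5 (an SHA policy would use HMAC-SHA)."""
    return hmac.new(key, data, hashlib.md5).digest()


def skeyid_psk(psk, ni, nr):
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sa_i, id_i):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sa_i + id_i)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sa_i, id_r):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sa_i + id_r)


def aggressive_mode(client_psk, server_psk, group_name=b"SALES"):
    """Run one aggressive-mode exchange. Returns (transcript, client_ok, server_ok);
    the transcript is exactly what a passive observer on the path sees."""
    # Message 1, client -> server: proposal, g^xi, Ni and the client identity,
    # which for Cisco group authentication is the group name.
    xi = secrets.randbelow(DH_P - 2) + 1
    gxi = pow(DH_G, xi, DH_P).to_bytes(16, "big")
    ni, cky_i = secrets.token_bytes(16), secrets.token_bytes(8)
    sa_i = b"enc=3des hash=md5 auth=psk group=2"   # toy encoding of the proposal
    id_i = group_name

    # Message 2, server -> client: g^xr, Nr, IDr and HASH_R, all unencrypted.
    xr = secrets.randbelow(DH_P - 2) + 1
    gxr = pow(DH_G, xr, DH_P).to_bytes(16, "big")
    nr, cky_r = secrets.token_bytes(16), secrets.token_bytes(8)
    id_r = b"vpn-router"                            # toy responder identity
    skeyid_srv = skeyid_psk(server_psk, ni, nr)
    h_r = hash_r(skeyid_srv, gxi, gxr, cky_i, cky_r, sa_i, id_r)

    # The client recomputes HASH_R with its own copy of the key.
    skeyid_cli = skeyid_psk(client_psk, ni, nr)
    client_ok = hmac.compare_digest(
        h_r, hash_r(skeyid_cli, gxi, gxr, cky_i, cky_r, sa_i, id_r))

    # Message 3, client -> server: HASH_I, which the server checks the same way.
    h_i = hash_i(skeyid_cli, gxi, gxr, cky_i, cky_r, sa_i, id_i)
    server_ok = hmac.compare_digest(
        h_i, hash_i(skeyid_srv, gxi, gxr, cky_i, cky_r, sa_i, id_i))

    # Both sides now hold the same DH secret, which feeds SKEYID_d/a/e for the
    # IKE SA that protects the Phase Two (IPSec SA) negotiation.
    shared_cli = pow(int.from_bytes(gxr, "big"), xi, DH_P)
    shared_srv = pow(int.from_bytes(gxi, "big"), xr, DH_P)
    assert shared_cli == shared_srv

    transcript = dict(gxi=gxi, gxr=gxr, ni=ni, nr=nr, cky_i=cky_i, cky_r=cky_r,
                      sa_i=sa_i, id_r=id_r, hash_r=h_r)
    return transcript, client_ok, server_ok


def crack_group_psk(transcript, wordlist):
    """Offline dictionary attack on a captured aggressive-mode exchange: every
    input to HASH_R except the pre-shared key is on the wire in the clear, so
    each guess costs two HMACs and no further traffic to the router."""
    t = transcript
    for guess in wordlist:
        skeyid = skeyid_psk(guess, t["ni"], t["nr"])
        cand = hash_r(skeyid, t["gxi"], t["gxr"], t["cky_i"], t["cky_r"],
                      t["sa_i"], t["id_r"])
        if hmac.compare_digest(cand, t["hash_r"]):
            return guess
    return None


if __name__ == "__main__":
    # Group key from this guide's configuration; both peers hold it.
    transcript, client_ok, server_ok = aggressive_mode(b"cisco123", b"cisco123")
    print("client accepted server:", client_ok, "/ server accepted client:", server_ok)
    # A passive observer with a short wordlist recovers the group key.
    print("recovered group key:",
          crack_group_psk(transcript, [b"password", b"cisco", b"cisco123"]))
```

Run stand-alone, the script negotiates once with the key cisco123 and then recovers that key from the captured transcript with a three-word list. Main mode would encrypt HASH_I and HASH_R under the IKE SA, but the group authentication used by the Cisco VPN Client runs aggressive mode, so the group key must be long and random, and certificates are the stronger option for peer authentication.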


Between IKE Phase One and Two there’s the Xauth user authentication. It is a separate exchange
after Phase One and before Phase Two, protected by the IKE SA. The connecting client is prompted
to provide a username & password and the server checks the local database for a match. When a match
is found, the IKE Phase Two negotiations are initiated.

Now we get to the IPSec SA negotiations. IPSec SAs can be created to use one of two
protocols, or both. The ESP (Encapsulating Security Payload) and AH (Authentication Header)
protocols are harnessed to bring security to the data transfer when the tunnel is up and running.
Both provide (1) integrity and origin authentication of the data; ESP additionally provides (2)
encryption. After the IPSec SA negotiations, IKE Phase Two is complete and the tunnel is up.

One more time, the IPSec negotiation process:

1. Client sends interesting traffic to Server (for a remote access client: the user clicks Connect)

2. Client and Server negotiate the IKE Phase One session

3. User authentication through Xauth

4. Client and Server negotiate the IKE Phase Two session

5. Information is exchanged via the IPSec tunnel

6. IPSec tunnel is terminated

IKE was split into two phases to make this clearer:

IKE Phase One includes the IKE policy, which must match on all peers:

- Encryption algorithm

- Hash algorithm

- Authentication method and Diffie-Hellman group (key exchange)

- IKE lifetime

Outcome of IKE Phase One is the IKE SA.

Xauth happens between Phase One and Phase Two and includes

- User authentication and authorization based on a database located on the router

IKE Phase Two includes the configuration of how the data is transformed after the tunnel is up:

- Security protocol (ESP or AH) and mode (tunnel or transport)

- Encryption algorithm

- Authentication (HMAC) algorithm

Outcome of IKE Phase Two is the IPSec SA (one for each direction).


VPN configuration walk-through

VPN server configuration

 IKE Phase One

We’ll start with the IKE Phase One configuration. First an ISAKMP policy is defined. This is the
definition of how IKE Phase One will be done: which algorithms protect the IKE SA and how the
peers authenticate each other. The policy number (3 here) is only a priority; lower numbers are tried first.

Router(config)#crypto isakmp policy 3

As previously decided, pre-shared keys are used to authenticate the connecting peers.

Router(config-isakmp)#authentication pre-share

The Diffie-Hellman algorithm lets the peers agree on a shared secret over an insecure channel;
this secret, together with the pre-shared key and the nonces, seeds the IKE session keys. Here
it is set to group 2, which specifies a 1024-bit modulus. Group 2 is considered too small today;
use group 14 (2048-bit) or higher when both the router and the client support it.

Router(config-isakmp)#group 2

The hash algorithm is used (as an HMAC) to authenticate the peers and confirm message integrity.
MD5 (Message Digest 5) produces a 128-bit digest. You can also choose SHA (Secure Hash
Algorithm), which produces a 160-bit digest and is considered cryptographically stronger than
MD5; newer IOS releases also offer SHA-2 (hash sha256), which is the preferred choice.

Router(config-isakmp)#hash md5

This is the encryption of the IKE messages themselves. 3DES uses a 168-bit key (three 56-bit
DES keys) and gives an effective strength of about 112 bits, far more than a single 56-bit DES
key, which can be brute-forced. In a nutshell, 3DES is DES applied three times on the same data.
On IOS releases that support it, AES (encryption aes 256) is both stronger and faster and should be preferred.

Router(config-isakmp)#encryption 3des

Time elapsed in seconds before the IKE SA expires. 86400 (24 hours) is the default value. Assign
less time if needed.

Router(config-isakmp)#lifetime 86400

Back to global configuration mode.

Router(config-isakmp)#exit

Next we wrap the remote users together into the group “SALES” and assign them a pre-shared key
and an IP address pool to use.

Router(config)#crypto isakmp client configuration group SALES

Assign a pre-shared key. Here we choose it to be “cisco123”. This is a lab value; because the key is
shared by every client in the group, use a long random key in a real deployment.

Router(config-isakmp-group)#key cisco123

The IP address pool. The pool “mypool” will be defined at a later stage.

Router(config-isakmp-group)#pool mypool


Assign a domain for the clients. “Skynet” was the most infamous computer network 

ever to attack mankind.

Router(config-isakmp-group)#domain skynet.com

And again back to global configuration mode.

Router(config-isakmp-group)#exit

IKE Phase One configuration is now complete. The next stage is the individual user
authentication with Xauth.

Enable authentication, authorization and accounting. AAA ignition.

Router(config)#aaa new-model

A named authentication method list, here called “authen”, is defined for logins and pointed at the
local user database. For a small office environment the local database is all that’s needed. The
login keyword determines that when a VPN client connects, it will be prompted for a username and password.

Router(config)#aaa authentication login authen local

Here you assign specific rights to an authenticated user. A method list for authorization, “author”,
is defined in the same way and also uses the local database. User authorization happens right
after user authentication, provided of course that the authentication was successful. The network
keyword defines that authorization is used for network services; besides the VPN group policy it
can cover PPP, SLIP or ARAP connections.

Router(config)#aaa authorization network author local

The local user database. This is how to add user information and tell the router whom to
authenticate. Note that the password keyword stores the password reversibly (plain text, or
type 7 when service password-encryption is on); on a production router use username vpnstudent
secret ... instead, which stores a hash.

Router(config)#username vpnstudent password cisco

Pool of addresses for the connecting remote peers. When the tunnel comes up, the server hands the
client a second, inner IP address from this pool (through IKE mode configuration). Packets inside
the tunnel carry this inner address, while the outer IPSec packets travel between the client’s
real address and the router’s outside interface. The two placeholders are the first and last
address of the pool.

Router(config)#ip local pool mypool A.B.C.D A.B.C.D

 IKE Phase Two

The transform-set. Now we get to the point where all authentication is done and the VPN
Client and Server trust each other. Next we define how the data is transformed for secure
transfer when the tunnel is up. These are the IPSec Security Associations (SAs).

The protocols IPSec uses are ESP (Encapsulating Security Payload) and AH (Authentication
Header). ESP provides authentication, data confidentiality and message integrity. The AH protocol
provides authentication and message integrity, but does not offer confidentiality, and it does not
work through NAT because it authenticates the outer IP header. These protocols can be used
independently or combined. We’ll deploy only ESP in tunnel mode, which is the default for a transform-set.


IP packet transformation:

168-bit 3DES is deployed for encryption and SHA for authentication. The HMAC (Hashed
Message Authentication Code) at the end of the esp-sha-hmac keyword means SHA-1 is used as a
keyed hash: the sender computes the hash over the packet with the SA’s integrity key, and the
remote peer recomputes it to validate both the integrity and the origin of the message. As with
the ISAKMP policy, esp-aes 256 and esp-sha256-hmac are the preferred choices on releases that support them.

Router(config)#crypto ipsec transform-set myset esp-3des esp-sha-hmac

Back to global configuration mode.

Router(cfg-crypto-trans)#exit

Crypto maps are used to tie all this info about incoming remote connections together. You
define all that is needed, as we have done now, and finally wrap everything in the form of a
map. The map is then assigned to the correct interface on the router.

The dynamic map is for unknown peers. Use a dynamic map when you don’t know the IP
addresses of the connecting peers. You could think of this as harnessing remote users from all
over the world. You don’t have to know exactly where they are, and neither do they.

Router(config)#crypto dynamic-map dynmap 10

Assign the transform-set previously configured.

Router(config-crypto-map)#set transform-set myset

When enabled in an IPSec crypto map, RRI (Reverse Route Injection) learns the destination
networks from the crypto access control list (ACL); for remote access clients that is the pool
address each client was given. The learned routes are installed into the local routing table as
static routes that point to the encrypting interface, so the rest of the office network knows how to
reach the client. When the IPSec tunnel is torn down, the associated static routes are removed.

Router(config-crypto-map)#reverse-route

Router(config-crypto-map)#exit

Allow the router to reply to mode configuration requests, which the VPN Client requires. Mode
configuration is the exchange, after IKE Phase One and Xauth, in which the router pushes the pool
address, the domain name and other group attributes to the client.

Router(config)#crypto map map client configuration address respond


Deploy the list authen for user authentication (Xauth).

Router(config)#crypto map map client authentication list authen

Deploy the list author for group authorization.

Router(config)#crypto map map isakmp authorization list author

And finally attach the dynamic map to our crypto map. There is a sequence number after the map
name, which is used to rank multiple entries within one crypto map set. The lower the sequence
number, the higher the priority. The ipsec-isakmp keyword makes the router use IKE to negotiate the
IPSec SAs.

Router(config)#crypto map map 10 ipsec-isakmp dynamic dynmap

The map is now ready to be applied to the router’s outside interface.

Router(config)#interface e0/0

Router(config-if)#crypto map map

Router(config-if)#exit
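The weak choices in the walk-through above (MD5, 3DES, DH group 2, a short group key, and a username ... password line that is stored reversibly) are easy to carry into production, so here is a small Python audit, written for this guide as an added example and not part of it or of any Cisco tool, that runs the checks a reviewer would apply over a saved IOS configuration. WEAK_CONFIG is a constructed sample reproducing the settings from this guide; HARDENED_CONFIG is the same server configuration with AES-256, SHA-256, DH group 14, a long random group key and a secret user password. The hardened commands are IOS 15.x syntax and their availability on a given release is an assumption to confirm on the router.

```python
"""Audit of IKE/IPSec settings in a Cisco IOS configuration (added example)."""
import re

# Constructed sample: the server configuration as this guide builds it.
WEAK_CONFIG = """\
crypto isakmp policy 3
 authentication pre-share
 group 2
 hash md5
 encryption 3des
 lifetime 86400
crypto isakmp client configuration group SALES
 key cisco123
 pool mypool
 domain skynet.com
username vpnstudent password cisco
crypto ipsec transform-set myset esp-3des esp-sha-hmac
"""

# Constructed sample: the same design with current algorithm choices. The
# commands are IOS 15.x syntax; confirm availability on your release with '?'.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 group 14
 hash sha256
 encryption aes 256
 lifetime 28800
crypto isakmp client configuration group SALES
 key Q7m!v9Tz2#pLw8Rk4sXe
 pool mypool
 domain skynet.com
username vpnstudent secret Str0ng-Un1que-Passphrase
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
"""

# (pattern matched against one configuration line, finding text)
CHECKS = [
    (re.compile(r"^\s*hash\s+md5\s*$"),
     "ISAKMP policy hashes with MD5; use 'hash sha256' (or at least 'hash sha')"),
    (re.compile(r"^\s*encryption\s+(des|3des)\s*$"),
     "ISAKMP policy encrypts with DES/3DES (64-bit block, 56/112-bit strength); "
     "use 'encryption aes 256'"),
    (re.compile(r"^\s*group\s+[125]\s*$"),
     "ISAKMP policy uses DH group 1/2/5 (768 to 1536-bit MODP); use 'group 14' or stronger"),
    (re.compile(r"^\s*key\s+\S{1,15}\s*$"),
     "group pre-shared key shorter than 16 characters; in aggressive mode it is "
     "exposed to offline guessing"),
    (re.compile(r"^\s*username\s+\S+\s+password\s"),
     "user password stored reversibly (type 0/7); use 'username NAME secret PASSWORD'"),
    (re.compile(r"^\s*crypto ipsec transform-set\s+\S+\s.*\besp-(des|3des|md5-hmac)\b"),
     "transform-set uses DES/3DES or MD5; use 'esp-aes 256 esp-sha256-hmac'"),
]


def audit_vpn_config(config_text):
    """Return (line_number, line, finding) for every weak setting in the text."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        for pattern, message in CHECKS:
            if pattern.search(line):
                findings.append((number, line.strip(), message))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_vpn_config(text)
        print(f"{name}: {len(findings)} finding(s)")
        for number, line, message in findings:
            print(f"  line {number}: {line!r}: {message}")
```

Feed it the output of show running-config saved to a file and it reports the line numbers to fix; on the guide’s own configuration it flags six lines, on the hardened version none. The checks are line-local on purpose: the ISAKMP keywords hash, encryption and group only appear under crypto isakmp policy, so no context tracking is needed for this subset.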


VPN client configuration

After installing the Cisco VPN Client:

1. Click the New button. The New Connection Entry wizard opens.

2. Enter a name for the connection in the Connection Entry field.

3. Enter the IP address of the server in the Host field.

4. Click the Group Authentication radio button and complete the following substeps. The
following entries are always case sensitive.

• Enter the group name, SALES.

• Enter the group password, cisco123.

• Confirm the password, cisco123.


5. Click the Save button and leave the Cisco Systems VPN Client window open.

The network parameters for the VPN Client have been configured and a new VPN private
networking connection entry has been created successfully.

6. Click Connect. The User Authentication window opens and several messages flash by
quickly. Complete the following substeps:

• When prompted for a username, enter vpnstudent.

• When prompted for a password, enter cisco.

7. Click OK.

The Authentication window disappears and a VPN lock icon appears in the system tray. The
VPN Client has been successfully launched.

You can check the Cisco client from a command prompt.


In the command prompt, type ipconfig

Notice the last adapter listed. This is a virtual adapter created by the Cisco VPN Client; its
address comes from the pool defined on the router.

Right-click the VPN symbol located in the bottom right corner of your screen. Choose
Statistics. The window that opens will show the statistics of your connection.

 


What’s next 

The first thing you might want to look at are access-lists. To get the remote connection to work,
you need to punch some holes in the router firewall/access-lists on the outside interface. In the
entries below, A.B.C.D A.B.C.D stands for the permitted source network and its wildcard mask.

For IPSec:

Open UDP port 500 (ISAKMP) and IP protocols 50 (ESP) and 51 (AH). If clients may sit behind
NAT, also permit UDP port 4500 in the same way, since NAT traversal (NAT-T) encapsulates ESP in UDP.

Router(config)#access-list 110 permit ahp A.B.C.D A.B.C.D any

Router(config)#access-list 110 permit esp A.B.C.D A.B.C.D any

Router(config)#access-list 110 permit udp A.B.C.D A.B.C.D any eq isakmp

For L2TP (not used by this guide, listed for reference):

Open UDP port 1701

Router(config)#access-list 111 permit udp A.B.C.D A.B.C.D any eq 1701

For PPTP (not used by this guide; PPTP is obsolete and should not be deployed for new installations):

Open TCP port 1723 and IP protocol 47 (GRE)

Router(config)#access-list 112 permit tcp A.B.C.D A.B.C.D any eq 1723

Router(config)#access-list 112 permit gre A.B.C.D A.B.C.D any


In conclusion

This guide described a VPN connection that I have been able to successfully implement in a
testing environment. The whole basis of this configuration was pre-shared keys.

In my opinion, when the connection is based on pre-shared keys, they are also the weakest
link. For a more secure connection, you might want to deploy certificates for peer
authentication.

Sources

- Cisco Fundamentals of Network Security: Router v1.2

- Internet

 
