Short and clear: Flex VPN
The goal of this article is a slightly deeper than superficial acquaintance of the reader with a relatively new method of building VPN connections - flex vpn and the IKEv2 key agreement protocol as its basis. Here I will try to consider the benefits of IKEv2 and flex vpn and give examples of site-to-site VPN configuration.
I myself am not a major expert in this topic, so I apologize if something is not exactly clarified.
Very short introduction.
')
I n Internet P rotocol Sec urity is a set of protocols consisting of:
o Authentication Headers (AH) - source authentication and packet integrity monitoring
o Encapsulating Security Payloads (ESP) - data encryption itself
o Security Associations (SA) - protocols that provide AH and ESP with the necessary information (such support).
IKEv2, like IKEv1, ISAKMP, and a couple of other, less well-known, are included in the SA group of protocols. The goal of IKEv2 is to provide authentic key negotiation within the framework of the ISAKMP framework. Published by the IETF in the already quite distant 2005 (IKEv1 - 1998), a full description with all the additions made is available in RFC 5996 (September 2010).
Benefits of IKEv2
Simplified Messaging
Only 4 are required to start secure data exchange (in the simplest case):
The initiator IKE_SA_INIT contains the cryptoalgorithm offered by the initiator, materials of the initiator key exchange (according to Diffie-Hellman) and the initiator time stamp (initiator nonce).
The responder’s IKE_SA_INIT contains the cryptographic algorithm selected by the responder, the transponder key exchange materials, the responder’s timestamp and, optionally, the certificate request.
The initiator / responder IKE_AUTH - already in encrypted form and with integrity protection, identifiers, certificates and other necessary information are transmitted.
Increased reliability
All transactions now require confirmation from the other side of the VPN connection. Thus, DeadPeerDetection is implemented.
Improved DDoS Protection
The advantage, which in modern realities, many experts call the key.
Due to the fact that all operations now require confirmation from the other side of the VPN connection, a large number of half-open sessions cannot be created on the device under attack.
It uses so-called. anti-clogging cookies.
(picture from Cisco Expo 2012 materials)
These cookies increase the efficiency of using the computing resources of VPN agents.
And, finally, smart defaults (Smart Defaults) is a bun that allows you to minimize the number of config lines by using the default settings, which, moreover, can be customized.
In addition to all of the above, a number of IKEv2 extensions have appeared to date, including the Mobility and Multihoming Protocol (MOBIKE), Redirect Mechanism, Quick Crash Detection Method, and several others.
Now directly about flex vpn
Picture again with Cisco Expo 2012 - flex vpn features:
Having fenced off a vegetable garden from various VPN solutions, rational humanity came to its senses, gathered all the useful things in one pile and, armed with the IKEv2 that came to the rescue, blinded a single, monolithic figure, without junk and dirt, brushed and washed. This is the essence and relevance of flex vpn. By solidity, I mean a single set of CLI commands.
But from here there is a disadvantage: absolute incompatibility with IKEv1.
Since flex vpn does not provide anything fundamentally new, there is no need to rush to rework already implemented solutions. In addition, the implementation is still damp: not every IOS with the declared support of ikev2 will correctly execute all the options for flex vpn interactions.
However, Cisco strongly recommends flex vpn in all new installations.
List of hardware supporting flex vpn:
- Second generation ISR (19xx, 29xx, 39xx) with a sec-k9 or hsec-k9 license;
- 7200;
- ASR 1000.
Officially, flex vpn is supported starting with iOS 15.2 (2) T.
Below is an example of the config of the simplest option - site-to-site vpn using smart defaults.
Site1:
crypto ikev2 keyring ikev2-kr
peer Site2
address 172.16.2.2
pre-shared-key local cisco123
pre-shared-key remote 123cisco
crypto ikev2 profile default
match identity remote address 172.16.2.2 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local ikev2-kr
interface Tunnel0
ip address 10.10.0.1 255.255.255.252
tunnel source Ethernet0 / 1
tunnel destination 172.16.2.2
tunnel protection ipsec profile default
ip route 192.168.2.0 255.255.255.0 Tunnel0
Site2 configuration is symmetrical.
As we see, encryption, transform-set, acl, Diffie-Hellman group were set by default - the dream of an IT person who is not familiar and does not want to get acquainted with cryptography. Equipment negotiates itself.
At the same time, if at one end of the connection the settings are set by smart default, and at the other by the hands of a hard-working administrator, this does not mean that the crypto session can not be established.
That's what's the matter.
Smart Defaults is a whole set of possible parameters that “bypass” devices before you finally agree.
Preset values:
Encryption: AES-CBC 256, 192, 128, 3DES
Hash: SHA-512,384,256, SHA-1, MD5
Diffy-Hellman group: group 5, 2
crypto ikev2 policy: match any
Transform-set: AES-128, 3DES / SHA, MD5
crypto ipsec profile default: default transform set, ikev2 profile default
It remains only to register the profile IKEv2 with the name default.
Interacting parties agree on a tree traversal algorithm. Those. a device with default values ​​will first try to apply AES-CBC 256 + SHA-512 + group 5, then AES-CBC 256 + SHA-512 + group 2, then AES-CBC 256 + SHA-384 + group 5 ... and so on, until will not select the set corresponding to the neighbor.
Simple and convenient, isn't it?
The Cisco site has a document called FlexVPN and Internet Key Exchange Version 2 Configuration Guide, Cisco IOS
Release 15.2M & T ”with configs for all occasions.
I myself am not a major expert in this topic, so I apologize if something is not exactly clarified.
Very short introduction.
')
I n Internet P rotocol Sec urity is a set of protocols consisting of:
o Authentication Headers (AH) - source authentication and packet integrity monitoring
o Encapsulating Security Payloads (ESP) - data encryption itself
o Security Associations (SA) - protocols that provide AH and ESP with the necessary information (such support).
IKEv2, like IKEv1, ISAKMP, and a couple of other, less well-known, are included in the SA group of protocols. The goal of IKEv2 is to provide authentic key negotiation within the framework of the ISAKMP framework. Published by the IETF in the already quite distant 2005 (IKEv1 - 1998), a full description with all the additions made is available in RFC 5996 (September 2010).
Benefits of IKEv2
Simplified Messaging
Only 4 are required to start secure data exchange (in the simplest case):
The initiator IKE_SA_INIT contains the cryptoalgorithm offered by the initiator, materials of the initiator key exchange (according to Diffie-Hellman) and the initiator time stamp (initiator nonce).
The responder’s IKE_SA_INIT contains the cryptographic algorithm selected by the responder, the transponder key exchange materials, the responder’s timestamp and, optionally, the certificate request.
The initiator / responder IKE_AUTH - already in encrypted form and with integrity protection, identifiers, certificates and other necessary information are transmitted.
Increased reliability
All transactions now require confirmation from the other side of the VPN connection. Thus, DeadPeerDetection is implemented.
Improved DDoS Protection
The advantage, which in modern realities, many experts call the key.
Due to the fact that all operations now require confirmation from the other side of the VPN connection, a large number of half-open sessions cannot be created on the device under attack.
It uses so-called. anti-clogging cookies.
(picture from Cisco Expo 2012 materials)
These cookies increase the efficiency of using the computing resources of VPN agents.
And, finally, smart defaults (Smart Defaults) is a bun that allows you to minimize the number of config lines by using the default settings, which, moreover, can be customized.
In addition to all of the above, a number of IKEv2 extensions have appeared to date, including the Mobility and Multihoming Protocol (MOBIKE), Redirect Mechanism, Quick Crash Detection Method, and several others.
Now directly about flex vpn
Clothes. FlexVPN It still is a way to go.
Picture again with Cisco Expo 2012 - flex vpn features:
Having fenced off a vegetable garden from various VPN solutions, rational humanity came to its senses, gathered all the useful things in one pile and, armed with the IKEv2 that came to the rescue, blinded a single, monolithic figure, without junk and dirt, brushed and washed. This is the essence and relevance of flex vpn. By solidity, I mean a single set of CLI commands.
But from here there is a disadvantage: absolute incompatibility with IKEv1.
Since flex vpn does not provide anything fundamentally new, there is no need to rush to rework already implemented solutions. In addition, the implementation is still damp: not every IOS with the declared support of ikev2 will correctly execute all the options for flex vpn interactions.
However, Cisco strongly recommends flex vpn in all new installations.
List of hardware supporting flex vpn:
- Second generation ISR (19xx, 29xx, 39xx) with a sec-k9 or hsec-k9 license;
- 7200;
- ASR 1000.
Officially, flex vpn is supported starting with iOS 15.2 (2) T.
Below is an example of the config of the simplest option - site-to-site vpn using smart defaults.
Site1:
crypto ikev2 keyring ikev2-kr
peer Site2
address 172.16.2.2
pre-shared-key local cisco123
pre-shared-key remote 123cisco
crypto ikev2 profile default
match identity remote address 172.16.2.2 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring local ikev2-kr
interface Tunnel0
ip address 10.10.0.1 255.255.255.252
tunnel source Ethernet0 / 1
tunnel destination 172.16.2.2
tunnel protection ipsec profile default
ip route 192.168.2.0 255.255.255.0 Tunnel0
Site2 configuration is symmetrical.
As we see, encryption, transform-set, acl, Diffie-Hellman group were set by default - the dream of an IT person who is not familiar and does not want to get acquainted with cryptography. Equipment negotiates itself.
At the same time, if at one end of the connection the settings are set by smart default, and at the other by the hands of a hard-working administrator, this does not mean that the crypto session can not be established.
That's what's the matter.
Smart Defaults is a whole set of possible parameters that “bypass” devices before you finally agree.
Preset values:
Encryption: AES-CBC 256, 192, 128, 3DES
Hash: SHA-512,384,256, SHA-1, MD5
Diffy-Hellman group: group 5, 2
crypto ikev2 policy: match any
Transform-set: AES-128, 3DES / SHA, MD5
crypto ipsec profile default: default transform set, ikev2 profile default
It remains only to register the profile IKEv2 with the name default.
Interacting parties agree on a tree traversal algorithm. Those. a device with default values ​​will first try to apply AES-CBC 256 + SHA-512 + group 5, then AES-CBC 256 + SHA-512 + group 2, then AES-CBC 256 + SHA-384 + group 5 ... and so on, until will not select the set corresponding to the neighbor.
Simple and convenient, isn't it?
The Cisco site has a document called FlexVPN and Internet Key Exchange Version 2 Configuration Guide, Cisco IOS
Release 15.2M & T ”with configs for all occasions.
Source: https://habr.com/ru/post/160555/
All Articles