STP

Finally I have decided to place all STPs in one place. Recall on these concepts become easy if all of them are in a single place.

[1.] Spanning-Tree Protocol (STP) (802.1d) :

It prevents loops from being formed when switches or bridges are interconnected via multiple paths (to provide redundancy). STP is 802.1D implementation by exchanging BPDU messages with other switches to detect loops, and then removes the loop by shutting down selected bridge interfaces. This algorithm guarantees that there is one and only one active path between two network devices. (Flex links with MAC move update, a non-stp loop-free redundancy).

STP Bridge Port Roles:
– root port (RP): Port connecting to root bridge through a least-cost path. Forwarding State.
– designated port (DP) : Port connecting the bridge to the network segment with least-cost path to the root. Forwarding state.
– blocked port (BP) : All other ports are blocked. Blocked state.

This provides us with a single active path to root and a redundant path.

In case of same path cost, following is used as tie breaker:
– Lowest Root Bridge ID
– Lower Path Cost to Root
– Lowest Sender Bridge ID

BPDU:
– All the computation is done on the basis of a message exchange called Bridge Protocol Data Units (BPDU).
– A bridge sends a BPDU frame using the unique MAC address of the port itself as a source address, and a destination address of the STP multicast address 01:80:C2:00:00:00.
– BPDUs are exchanged regularly (every 2 seconds by default)
– The designated port transmits BPDUs, and the non-designated port receives BPDUs.

STP Port States:
– Disabled : Administrativly on/off.
– Blocking : Only received BPDU data.
– Listening : Processing BPDU and awaiting more BPDUs. (Time spent here = 15sec)
– Learning : Learns source MAC addresses from data received, but no data forwarding. (Time spent here = 15sec)
– Forwarding : Normal operation, full send/receive.

Time taken to transition from Blocked->Forwarding is Forwarding delay (Listening time + Learning time = 30sec).

STP Enhancement Features:

[1 (a)]STP Uplink Fast : On a given bridge, the root port and all blocked ports (root/blocked/alternate) that are not self-looped form the uplink group. This feature places a port from uplink group in forwarding mode immediately, to restore connectivity to uplink switch.

(config)# spanning-tree uplinkfast

When uplink fast feature runs it flood dummy packets with the different MAC addresses that it has in its CAM table as a source, to ensure that rest of the switches update their CAM table accordingly.

NOTE: This feature increased switch priority to a significantly higher value than the default. This ensures that the switch is not likely to be elected root bridge. All the ports of the switch have their cost increased by 3000. This ensures that switch ports are not likely be elected designated ports.

[1 (b)] STP Backbone Fast : Switch processes the inferior BPDUs to check for any indirect link faliures using Root Link Query (RLQ) PDU. Saves on max_age time (20sec).

(config)# spanning-tree backbonefast

If enabled, needs to be there on all switches.

[2.] Rapid Spanning Tree Protocol (RSTP) (802.1w) :

It provides for faster spanning tree convergence after a topology change. It includes features equivalent to PortFast, UplinkFast and BackboneFast for faster network re-convergence.

RSTP bridge port roles:
– Root Port (RP) : Port connecting to root bridge through a least-cost path. Forwarding State.
– Designated Port (DP) : Port connecting the bridge to the network segment with least-cost path to the root. Forwarding state.
– Alternate Port (AP) : Port in a network segment that sends inferior BPDU as compared to BPDUs received. Analogos to blocked port in STP.
– Backup Port (BP) : It receives more useful BPDUs from the same bridge it is on and is a port blocked. Analogos to bloked port in STP. Self-looped.

STP Port States:
– Discarding : Administrativly on/off, Only received BPDU data, Processing BPDU and awaiting more BPDUs.
– Learning : Learns source MAC addresses from data received, but no data forwarding.
– Forwarding : Normal operation, full send/receive.

There are no timers involved, there is proposal and acknowledgement through BPDUs. Using ‘sync’ operation topology changes are implemented. In ‘Sync’ operation non-edge designated ports are blocked while BPDUs are processed.

The RSTP topology change mechanism clears the appropriate entries in the Content Addressable Memory (CAM) tables of the upstream bridge. In-built Uplink Fast feature.

The RSTP processes the inferior BPDUs to detect any in-direct link failure. In-built BackboneFast feature.
Features/Tools for STP:

[A] STP PortFast BPDU Guard: If a port with PortFast enabled sends BPDU. That port goes into errdisabled state. This is done generally for Host/Servers.

(config)# spanning-tree portfast bpduguard

[B] STP Root Guard: It is used to enforce the position of Root bridge in the network. Enabled on non-root ports that are connected to devices that are not supposed to be root.

Superior BPDU -> Root Guard enabled port -> Listening (Root-inconsistent) -> If superior BPDU stops -> Learning -> Forwarding

(config)# interface <interface-name>
(config-if)# spanning-tree guard root | spanning-tree rootguard

[C] STP Loop Guard : If BPDUs are not received on a non-designated port, and loop guard is enabled, that port is moved into the STP loop-inconsistent blocking state, instead of the listening / learning / forwarding state. Without the loop guard feature, the port assumes the designated port role.

It needs to be configured on Root and alternate/backup ports in STP. Excluding edge ports (portFast).

(config)#interface <interface-name>
(config-if)#spanning-tree guard loop

Loop guard blocks inconsistent ports on a per-VLAN basis.

[D] Unidirectional Link Detection (UDLD) : Detects physical link connectivity problems. Fundamentally, protection against miswiring.

!— For all fiber-optic LAN ports
(config)# udld {enable | aggressive}

!— Per-port configurtaion. Use ‘aggressive’ to put port in errdisable during error,
(config)# interface <interface-name>
(config-if)# udld port [aggressive]

!— Verification
# show udld <interface-name>

STP Loop Guard + UDLD = Good

[3.] Common Spanning-Tree (CST) :

It assumes one spanning-tree instance for the entire bridged network, regardless of the number of VLANs. This implementation reduces CPU load since only one Spanning Tree instance is maintained for the entire network. This implementation can be used when only one Layer 2 topology is needed in the network.

[4.] Per-VLAN Spanning Tree (PVST) :

It maintains a spanning tree instance for each VLAN configured in the network. It uses ISL Trunking and allows a VLAN trunk to be forwarding for some VLANs while blocking for other VLANs. Since PVST treats each VLAN as a separate network, it has the ability to load balance traffic (at layer-2) by forwarding some VLANs on one trunk and other Vlans on another trunk without causing a Spanning Tree loop.

(config)# spanning-tree mode pvst
(config)# spanning-tree vlan <vlan-range-A> root primary
(config)# spanning-tree vlan <vlan-range-B> root secondary

Example of load-balancing concept.

[5.] Per VLAN Spanning Tree Plus (PVST+) :

It provides the same functionality as PVST using 802.1Q trunking technology rather than ISL. PVST+ is an enhancement to the 802.1Q specification and is not supported on non-Cisco devices.

(config)# spanning-tree mode rapid-pvst
(config)# spanning-tree vlan <vlan-range-A> root primary
(config)# spanning-tree vlan <vlan-range-B> root secondary

[6.] Multiple (Instance)? STP (MISTP/MST) (802.1s) :

It is an IEEE standard which allows several VLANs to be mapped to a reduced number of spanning-tree instances. This is possible since most networks do not need more than a few logical topologies. Each instance handles multiple VLANs that have the same Layer 2 topology.
The MST feature is the IEEE 802.1s and is an amendment to 802.1Q. MST extends the 802.1w Rapid Spanning Tree (RST) algorithm to multiple spanning trees. This extension provides for both rapid convergence and load balancing in a VLAN environment. PVST+ and Rapid-PVST+ run spanning tree instance for each VLAN. In MST, you can group VLANs into a single instance. It uses Bridge Protocol Data Unit (BPDU) version 3 which is backward compatible with the 802.1D STP which uses BPDU version 0.

By default, all the VLANs are grouped into IST0, which is called an Internal Spanning Tree (IST). You can manually create instances numbered 1 to 4094, and they are labeled MSTn (n =1 to 4094), but the region can support only up to 65 instances. Some of the releases supports only 16 instances.

IST/CST/CIST: IST is the only instance that can send and receive BPDUs in the MST network. An MSTn instance is local to the region. ISTs in different regions are interconnected through a Common Spanning Tree (CST). The collection of ISTs in each MST region and the CST that connects the ISTs are called the Common and Internal Spanning Tree (CIST).

!— This needs to be applied on all switches
(config)# spanning-tree mst configuration
(config-mst)# name <region-name>
(config-mst)# revision <number>
(config-mst)# instance <number> vlan <vlan-range-A>
(config-mst)# instance <number+1> vlan <vlan-range-B>
(config-mst)# exit

Default Instance 0 will have all vlans that are not defined under any instance.

!— This needs to go on distribution switches for load-balancing (only an example)
(config)# spanning-tree mst 0-1 priority 0  | spanning-tree mst 0-1 priority primary
(config)# spanning-tree mst 2 priority 4096 | spanning-tree mst 2 priority secondary

0,1,2 are MST ‘instance’ numbers.

!— This needs to be on all switches
(config)# spanning-tree mode mst

Flex Links & Move Update

Flex Links & Move Update

I came across Cisco’s Flex links and MAC Address Table Move Update feature. Many might already be aware of this. This is a cool feature, ultra simple and from the looks of it simplest. Basically it provides link redundancy and loop free. It can be used in place of STP, and the ports on which it is used STP gets disabled.

So this is how it works:

– It has a pair of link (2 physical ports, 2 port-channel, 1 physical + 1 port-channel)

– One link is flagged as Primary and other in the pair as backup. At any given point only one link can be active.

– If the primary goes down backup takes over.

Question: How does other switches in the network know about the port change and mac address being learned from a different port on destination switch?

Answer: This is where MAC Address Table Move Update feature comes into play. If configured access switch can send the update that the it is using new link to forward MACs. Same needs to be enabled on up-link switches so that they can receive it and interpret it and update their MAC tables; Avoiding loops. Cool.

Sounds cool, how to configure this?

(conf)# interface <primary-interface-id>

(conf-if)# switchport backup interface <standby-interface-id>

What about MAC move, how do we configure that?

(conf)# mac address-table move update transmit

(conf)# mac address-table move update receive

Any options to customize it? Sure.

!— Preemption
(conf)# interface <primary-interface-id>
(conf-if)# switchport backup interface <backup-interface-id>
(conf-if)# switchport backup interface <backup-interface-id> preemption mode [forced | bandwidth | off]

forced -> <primary-interface-id> port will take over whenever active
bandwidth -> Highest bandwidth link act as active
off -> No preemption (default)

!— Delay between takeover after preemption

(conf-if)# switchport backup interface <backup-interface-id> preemption delay <delay-time>

Default <delay-time>: 35 sec

!— Sending MAC Address Table Move Update through a non-default VLAN

(conf-if)# switchport backup interface <backup-interface-id> mmu primary vlan <vlan-id>

Default: lowest VLAN ID on the interface.

Lets confirm and monitor the configuration changes:

# show interface switchport backup
# show interface switchport backup detail
# show mac-address-table move update

 

Flex links and load-balancing

Reading Pascal’s comment and looking into Flex links I realized that they do support VLAN load-balancing (platform/code dependent).

VLAN Flex Link load-balancing allows users to configure a Flex Link pair so that both ports simultaneously forward the traffic for some mutually exclusive VLANs. For example, if Flex Link ports are configured for 1-100 VLANs, the traffic of the first 50 VLANs can be forwarded on one port and the rest on the other port. If one of the ports fail, the other active port forwards all the traffic. When the failed port comes back up, it resumes forwarding traffic in the preferred vlans. This way, apart from providing the redundancy, this Flex Link pair can be used for load balancing. Also, Flex Link VLAN load-balancing does not impose any restrictions on uplink switches.

(config)# interface <primary-interface-id>
(config)# switchport backup interface <backup-interface-id> prefer vlan <vlan-range>

<vlan-range>: 1 to 4094

Source:

VLAN Flex Link Load Balancing and Support

Configuring VLAN Load Balancing on Flex Links

Nice!!!

 

Cisco CSM on Ubuntu

To get Cisco CSM running on Ubuntu (presumably on other Linux variant) we need following:

1. Install wine.

Many ways to do that though,

-> sudo apt-get install wine

I installed version ‘wine-1.2.2’ on Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic i686).

2. Get a copy of  advpack.dll

(http://www.dll-files.com/dllindex/dll-files.shtml?advpack)

What is advpack.dll for?

http://www.processlibrary.com/directory/files/advpack/19231/

-> Unzip the file and copy the dll to ~/.wine/drive_c/windows/system32/

-> At the command prompt, type: winecfg

-> Click on the ‘Libraries’ tab

-> Under: ‘New override’ for library -> choose: ‘advpack’ and click add.

[Source: http://ubuntuforums.org/showthread.php?t=298910%5D

3. Install JRE

Get any version of JRE from http://java.sun.com

In my case I got ‘jre-6u25-windows-i586.exe’

Install by invoking wine as,

-> wine jre-6u25-windows-i586.exe

4. Install CSMClientSetup.exe

Do this from command line as,

-> wine CSMClientSetup.exe

The installation might fail with error about heap size,

$ wine CSMClientSetup.exe
cwd: C:\users\pbanga\Temp\I1306959214\Windows
cmd: “C:\users\pbanga\Temp\I1306959214\Windows\resource\jre\bin\javaw.exe” -Xms134217728 -Xmx1073741824 -classpath “C:\users\pbanga\Temp\I1306959214\InstallerData\IAClasses.zip;C:\users\pbanga\Temp\I1306959214\InstallerData\Execute.zip;C:\users\pbanga\Temp\I1306959214\Windows\InstallerData\Execute.zip;C:\users\pbanga\Temp\I1306959214\InstallerData\Resource1.zip;C:\users\pbanga\Temp\I1306959214\Windows\InstallerData\Resource1.zip;C:\users\pbanga\Temp\I1306959214\InstallerData;C:\users\pbanga\Temp\I1306959214\Windows\InstallerData;” com.zerog.lax.LAX “C:/users/pbanga/Temp/I1306959214/Windows/CSMClientSetup.lax” “C:/users/pbanga/Temp/lax8d01.tmp”
Error occurred during initialization of VM
Could not reserve enough space for object heap

At this point copy the complete cmd as it is and simply replace -Xms<n> with -Xms256m and -Xmx<n> with -Xmx256m; then run this command with wine. You can increase or decrease it till your application launches successfully.

For me this worked,

$wine “C:\users\pbanga\Temp\I1306959214\Windows\resource\jre\bin\javaw.exe” -Xms256m -Xmx256m -classpath “C:\users\pbanga\Temp\I1306959214\InstallerData\IAClasses.zip;C:\users\pbanga\Temp\I1306959214\InstallerData\Execute.zip;C:\users\pbanga\Temp\I1306959214\Windows\InstallerData\Execute.zip;C:\users\pbanga\Temp\I1306959214\InstallerData\Resource1.zip;C:\users\pbanga\Temp\I1306959214\Windows\InstallerData\Resource1.zip;C:\users\pbanga\Temp\I1306959214\InstallerData;C:\users\pbanga\Temp\I1306959214\Windows\InstallerData;” com.zerog.lax.LAX “C:/users/pbanga/Temp/I1306959214/Windows/CSMClientSetup.lax” “C:/users/pbanga/Temp/lax8d01.tmp”

5. Launch CSM Client

First time it may fail if you try to launch using the shortcut from the desktop or the one in the program menu under Wine. If that happens follow the same approach as adopted in the previous step. Launch it from command line and fix the heap size.

In my case launch from shortcut failed and I ran it from command line as,

$ wine /home/pbanga/.wine/drive_c/Program\ Files/Cisco\ Systems/Cisco\ Security\ Manager\ Client/csm-desktop-4.0.1.0.exe
cwd: C:\Program Files\Cisco Systems\Cisco Security Manager Client
cmd: “C:\Program Files\Cisco Systems\Cisco Security Manager Client\_jvm\bin\javaw.exe” -Xmx1073741824 -XX:NewRatio=3 -classpath “C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-activity-gui.jar;C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-activity-shared.jar;C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-admin-gui.jar;C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-assignment-shared.jar;C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-audit-gui.jar;C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-audit-shared.jar;C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-backendmessage-shared.jar;…………..truncated……………com.zerog.lax.LAX “C:/Program Files/Cisco Systems/Cisco Security Manager Client/csm-desktop-4.0.1.0.lax” “C:/users/pbanga/Temp/lax34f.tmp”
Error occurred during initialization of VM
Could not reserve enough space for object heap

In this case too I replaced -Xmx<n> with -Xmx256m and ran it again as,

$wine “C:\Program Files\Cisco Systems\Cisco Security Manager Client\_jvm\bin\javaw.exe” -Xmx256m -XX:NewRatio=3 -classpath “C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-activity-gui.jar;C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-activity-shared.jar;C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-admin-gui.jar;C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-assignment-shared.jar;C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-audit-gui.jar;C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-audit-shared.jar;C:\Program Files\Cisco Systems\Cisco Security Manager Client\jars\athena-backendmessage-shared.jar;…………..truncated……………com.zerog.lax.LAX “C:/Program Files/Cisco Systems/Cisco Security Manager Client/csm-desktop-4.0.1.0.lax” “C:/users/pbanga/Temp/lax34f.tmp”

So far, I could now launch CSM from the shortcut, without re-following the above set to launch it. I haven’t tried rebooting the system and trying again to see of CSM launches again successfully or not. Once I will do that I will update the result.

UPDATE: Found that after reload the CSM Client shortcut complains about Java thing. Reason is same the heap size. I will see if I can find a place to set the default heap size to 256 or above in java or CSM client. For the time being this is what works for me.

I created a ‘Launcher’ (right click -> create launcher).

Command: wine “C:\Program Files\Cisco Systems\Cisco Security Manager Client\_jvm\bin\javaw.exe” -Xmx256m -XX:NewRatio=3…………truncated………….com.zerog.lax.LAX “C:/Program Files/Cisco Systems/Cisco Security Manager Client/csm-desktop-4.0.1.0.lax” “C:/users/pbanga/Temp/lax34f.tmp”

Working Directory: C:\Program Files\Cisco Systems\Cisco Security Manager Client

Choose a funky icon and launch it. Command line lovers can simply create an executable script.

Bottom line: For time being until we find where to fix the heap size permanently in wine for java or CSM. Create a launcher and works like it does in windows. If the launcher ever breaks, I hope you know how to get the correct command 😉

NOTE:  I do get this message when I launch the CSM client,

“Failed to get client version.
CSM client will still try to come up, but there is possible mismatch between client and server versions.
Your client installation might be corrupted.

action”

It has not caused any problems so far. Will see if can get this error message to go for good.

Articles Online!

I recently wrote two article and both of them are available. I would love to share the articles and would request to spread it to those who might need it =)

 

Q&A with the Authors of “AAA Identity Management Security”
http://www.ciscopress.com/articles/article.asp?p=1678180

Cisco Secure Access Control System (ACS) 5.2 and User Change Password (UCP)
http://www.ciscopress.com/articles/article.asp?p=1678922

Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure Access Control Server 5.x

http://www.cisco.com/web/services/news/ts_newsletter/tech/chalktalk/index.html

http://tinyurl.com/4aeazt3

Enjoy =)

Exploring Basic IPSec VPN on Cisco IOS – Part II

Exploring Basic IPSec VPN on Cisco IOS

 

[Part II: Exploring IKE Phase II on Cisco IOS]

 

1. Configure crypto access list to specify the protected traffic.

Here we must first decide what needs to be protected and that is done using an extended named or numbered access-list. The ‘permit’ keyword is used to tell what needs to be protected, and if required ‘deny’ keyword is used to what need not be protected.

access-list <access-list-id> {deny | permit} <protocol> <source> <wildcard> <dest> <wildcard> [log]

The access-list needs to be mirrored on peers, to ensure that same type of traffic is protected from both ends; else tunnel may not set up.

 

2. Configure Transform Set for IPSec Phase II security negotiation.

crypto ipsec transform-set <set-name> <transform1> [<transform2> [<transform3>]]    mode [tunnel | transport]

<transformn>: ah-md5-hmac, ah-sha-hmac, comp-lzs, esp-3des, esp-aes, esp-des, esp-md5-hmac, esp-null, esp-seal, esp-sha-hmac

Default ‘mode’: Tunnel

Both ends must have at-least one compatible transform to agree on.

 

3. Configure Crypto Map

Crypto maps are used to bind everything together that we configured previously to setup IPSec SA. Crypto maps are applied on interface.

Each interface à Single Crypto Map à Multiple Interface

Each interface can only have a single crypto map applied, but a single crypto map can be applied to multiple interfaces.

There are three types of crypto maps that we can define.

§         Static Crypto Map (using IKE to establish SA)

§         Dynamic Crypto Map

§         Static Crypto Map with Manual SA

Static Crypto Map (using IKE to establish SA)

crypto map <map-name> <seq-num> ipsec-isakmp    match address <access-list-id>    set peer {<hostname> | <ip-address>}    set transform-set <set-name1> [<set-name2>…<set-name6>]    set security-association lifetime {seconds <sec> | kilobytes <kb> | kilobytes disable}    set security-association level per-host    set pfs [group1 | group2 | group5]

Everything in above command is self-explanatory. The only command that is not much used is,

“set security-association level per-host”: This will create separate SAs for each source and destination host pair. If there is multiple host pair in a subnet that communicates over IPSec tunnel, this can rapidly consume resources.

As an example; if we have crypto ACL between subnet 192.168.1.0/24 to 192.168.2.0/24. Communication between host 192.168.1.1 and host 192.168.2.1 will create one SA pair & communication between host 192.168.1.1 and host 192.168.2.2 will create a separate SA pair.

 

Dynamic Crypto Map

Dynamic crypto maps can only be used with IKE. It is used in scenarios where remote peers are unknown.

crypto dynamic-map <dynamic-map-name> <dynamic-seq-num>    set transform-set <set-name1> [<set-name2>…<set-name6>]    match address <access-list-id>    set peer {<hostname> | <ip-address>}      < This is rarely configured    set security-association lifetime {seconds <sec> | kilobytes <kb> | kilobytes disable}    set pfs [group1 | group2 | group5] crypto map <map-name>  <seq-num> ipsec-isakmp dynamic <dynamic-map-name>  [discover]

In case of dynamic crypto map, initiator is always remote peer. If traffic is initiated from/behind the server matching the crypto ACL, then that traffic is dropped as there are no pre-existing SAs.

There is a feature called Tunnel Endpoint Discovery (TED), it is a Cisco proprietary and is used to dynamically discover the remote peer. This is only successful if IP’s in crypto ACL are route-able. TED can only be used with dynamic crypto map and it always uses Tunnel Mode. The “discover” keyword at the end of crypto map enables this feature. With this feature if SAs does not exist on the initiator then using TED remote peer is determined and tunnel is setup.

 

Static Crypto Map with Manual SA

IPSec SAs can also be statically configured in case any of the peers does not support IKE exchange, or if we want to test IPSec using manual SAs and then move to IKE.

In case of Manual SA we can only have a single permit statement in crypto ACL, single peer and single transform set.

crypto map <map-name> <seq-num> ipsec-manual    match address <access-list-id>    set peer {<hostname> | <ip-address>}    set transform-set <set-name>     set session-key inbound ah <spi> <hex-key>    or    set session-key outbound ah <spi> <hex-key>     set session-key inbound esp <spi> cipher <hex-key> [authenticator <hex-key>]    or    set session-key outbound esp <spi> cipher <hex-key> [authenticator <hex-key>]

 

4. Apply Crypto Map to Interface

interface <interface>    crypto map <map-name>

At this stage we are done with Basic IPSec VPN.

Cisco’s VPN solutions are built on five underlying VPN technologies:

• Standard IPsec

• Dynamic Multipoint VPN (DMVPN)

• Easy VPN

• Generic Routing Encapsulation (GRE) tunneling, and

• Group Encrypted Transport VPN (GET VPN).

In future posts we will look at above VPN solutions, which will allow us to make use of our learning in Part I & II.

Site-To-Site VPN using RSA Encryption Nonce (Manual Method)

Standard IPSec: Site-To-Site VPN using RSA Encryption Nonce (Manual Method)

 

We will use following diagram to understand Standard IPSec configuration using IKE authentication as RSA Encryption Nonce.

 

 

1. IKE Phase I Policy Security Parameters:

R1: R1(config)# crypto isakmp policy 1 R1(config-isakmp)# authentication rsa-encr   R2: R1(config)# crypto isakmp policy 1 R1(config-isakmp)# authentication rsa-encr   Rest of the parameters will be default i.e., Encryption: DES Hash: SHA Group: 1 Lifetime: 86400 sec

 

1. Generate RSA keys and/or Elliptic Curve keys on the peers: [The IOS available for this particular setup did not have an option for elliptic curve keys]

 

In this example I will not use label to generate RSA keys, so that keys are created using default label of device’s hostname. We need to ensure that device domain-name is configured for key generation; this is not a required if we explicitly specify the label name.

 

I will use ‘general-keys’ for RSA Encryption. The ‘general-keys’ option creates a single RSA key pair (public and private key) for encryption and signing.

 

R1: Configuring the domain name. R1(config)# ip domain name prem.com Both commands have same effect. R1(config)# crypto key generate rsa general-keys modulus 512 Or R1(config)# crypto key generate rsa

 

To check the configured general purpose public RSA key; issue command,

R1:   R1#show crypto key mypubkey rsa % Key pair was generated at: 00:07:02 UTC Mar 1 2002 Key name: R1.prem.com  Usage: General Purpose Key  Key is not exportable.  Key Data:   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D5F344 C4F78952   EC1FE483 0FC6D0A5 27C6116E F051361F BBDCD903 D89B89DC 07847AC0 EDE6C60C   36956E78 91C9B9F3 8D7555CC 05E3F3CE E456CB23 AEC81E4D A5020301 0001 % Key pair was generated at: 00:07:02 UTC Mar 1 2002 Key name: R1.prem.com.server  Usage: Encryption Key  Key is not exportable.  Key Data:   307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00E1AAC8 325B8768   F96E02A3 E1FA3F08 43C0EDF1 45AB37AC 08E02FC3 C7AEFC9F AA301E6C C887D7E5   3424F374 A565460E 905CE0BF A109B811 DE902FFD 6690408A 13606280 07214A9E   B33908BB F7D3DB5E FC1EBE1B 1D6606DB B88A71DA 41055C64 D3020301 0001

 

Key name: R1.prem.com: This is the general purpose RSA public key used for encryption and signing (authentication). This needs to be specified on the peer configuration.

 

Key name: R1.prem.com.server: This is the CA (Server) public keys. This is not used for encryption and signing (authentication). The ‘.server’ specifies that it is a CA public key.

 

R2: Configuring the domain name. R2(config)# ip domain name prem.com Both commands have same effect. R2(config)# crypto key generate rsa general-keys modulus 512 Or R2(config)# crypto key generate rsa

 

Checking the generated general purpose public key:

R2#show crypto key mypubkey rsa % Key pair was generated at: 00:07:55 UTC Mar 1 2002 Key name: R2.prem.com  Usage: General Purpose Key  Key is not exportable.  Key Data:   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C0ECBC 0E46F161   854EC6CE 9F63E0C5 5C8F20CC 94CD2748 9AC7E8D3 79116871 E26BF3C3 F62F0A08   DA5D7FB1 A039D5B3 BE173979 BFF956CA 630F8AB7 9C662AC9 2B020301 0001 % Key pair was generated at: 00:07:56 UTC Mar 1 2002 Key name: R2.prem.com.server  Usage: Encryption Key  Key is not exportable.  Key Data:   307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C92390 3BABFE9B   5C7D4799 1EE96CDF 369024D9 70BC369B F71AB050 DDD04456 DA031A8E 4773CD13   D7F544AD 45C5921D 6C5006EC 1AA75E91 14E1869D 486BAEAE 53B711ED 6E77B288   D2CC6CE0 C8EB7BE7 9058E3AF 201C1CBA E11A8A9B E6E6C649 87020301 0001

 

 

1. Configure RSA public key:

 

Configure public key chain on R1:

R1: Enter public key chain rsa. R1(config)# crypto key pubkey-chain rsa Configure the peer ID (ID that will be sent by R2). R1(config-pubkey-chain)# addressed-key 1.1.1.2 Configure the peer IP address (R2’s). R1(config-pubkey-key)# address 1.1.1.2 Configure peer’s public key (R2’s General Purpose Public Key) R1(config-pubkey-key)# key-string 305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C0ECBC 0E46F161 854EC6CE 9F63E0C5 5C8F20CC 94CD2748 9AC7E8D3 79116871 E26BF3C3 F62F0A08 DA5D7FB1 A039D5B3 BE173979 BFF956CA 630F8AB7 9C662AC9 2B020301 0001 Quit

 

Verify configured public key chain on R1:

R1#show crypto key pubkey-chain rsa Codes: M – Manually configured, C – Extracted from certificate   Code Usage         IP-Address/VRF         Keyring          Name M    General          1.1.1.2             default            R1#show crypto key pubkey-chain rsa address 1.1.1.2 Key address:          1.1.1.2              Usage: General Purpose Key  Source: Manually entered  Data:   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C0ECBC 0E46F161   854EC6CE 9F63E0C5 5C8F20CC 94CD2748 9AC7E8D3 79116871 E26BF3C3 F62F0A08   DA5D7FB1 A039D5B3 BE173979 BFF956CA 630F8AB7 9C662AC9 2B020301 0001

 

Configure public key chain on R2:

R2: Enter public key chain rsa R2(config)# crypto key pubkey-chain rsa Configure the peer ID (ID that will be sent by R1) R2(config-pubkey-chain)# addressed-key 1.1.1.1 Configure the peer IP address (R1’s) R2(config-pubkey-key)# address 1.1.1.1 Configure peer’s public key (R2’s General Purpose Public Key) R2(config-pubkey-key)# key-string    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D5F344 C4F78952    EC1FE483 0FC6D0A5 27C6116E F051361F BBDCD903 D89B89DC 07847AC0 EDE6C60C    36956E78 91C9B9F3 8D7555CC 05E3F3CE E456CB23 AEC81E4D A5020301 0001   Quit

 

Verify public key chain on R2:

R2#show crypto key pubkey-chain rsa Codes: M – Manually configured, C – Extracted from certificate   Code Usage         IP-Address/VRF         Keyring          Name M    General          1.1.1.1             default            R2#show crypto key pubkey-chain rsa address 1.1.1.1 Key address:          1.1.1.1              Usage: General Purpose Key  Source: Manually entered  Data:   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D5F344 C4F78952   EC1FE483 0FC6D0A5 27C6116E F051361F BBDCD903 D89B89DC 07847AC0 EDE6C60C   36956E78 91C9B9F3 8D7555CC 05E3F3CE E456CB23 AEC81E4D A5020301 0001

 

1. We are done with IKE Phase I parameters. I will configure IKE Phase II parameters for both peers below:

 

R1: R1(config)# crypto ipsec transform-set SET esp-des esp-md5-hmac   R2: R2(config)# crypto ipsec transform-set SET esp-des esp-md5-hmac

 

1. Define traffic to be sent over VPN tunnel.

 

R1: Creating a virtual network. R1(config)# interface Loopback0 R1(config-interface)# ip address 192.168.1.1 255.255.255.0 Route to reach R2’s virtual network R1(config)# ip route 192.168.2.0 255.255.255.0 1.1.1.2 Traffic to be sent over VPN tunnel (From R1 -> R2) R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

 

R2: Creating a virtual network. R2(config)# interface Loopback0 R2(config-interface)# ip address 192.168.2.1 255.255.255.0 Route to reach R1’s virtual network. R2(config)# ip route 192.168.1.0 255.255.255.0 1.1.1.1 Traffic to be sent over VPN tunnel (From R2 -> R1) R2(config)# access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

 

1. IKE crypto map for IPSec SA negotiation

 

R1: interface FastEthernet0/0  ip address 1.1.1.1 255.255.255.0  crypto map MAP   R2: interface FastEthernet0/0  ip address 1.1.1.2 255.255.255.0  crypto map MAP

 

Initiate traffic from either end to match the access list, i.e,

R1: ping 192.168.2.1 source loopback 0 Or R1: ping 192.168.1.1 source loopback 0   Both pings should be successful. As they match ACL. R1: source:192.168.2.0 destination:192.168.1.0 R2: source: 192.168.1.0 destination: 192.168.2.0

 

Verify that tunnel is established:

R1#show crypto isakmp sa dst             src             state          conn-id slot status 1.1.1.2         1.1.1.1         QM_IDLE              1    0 ACTIVE   QM_IDLE means Phase II Quick mode was negotiated successfully and is currently idle.   R1#show crypto isakmp sa detail Codes: C – IKE configuration mode, D – Dead Peer Detection        K – Keepalives, N – NAT-traversal        X – IKE Extended Authentication        psk – Preshared key, rsig – RSA signature        renc – RSA encryption   C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap. 1     1.1.1.1         1.1.1.2                  ACTIVE des  sha  renc 1  23:53:15            Connection-id:Engine-id =  1:1(software)

 

Similar output can be seen on R2. One more command can be used to ensure IKE Phase II was established successfully,

“show crypto ipsec sa”

We will look into details of this command later on in coming examples.

 

In above example we used “general-keys”. We can also use special usage keys “usage-keys”. The ‘usage-keys’ option creates a separate RSA key pair (public and private key) for encryption and signing.

 

Configuration on R1 for usage keys:

R1: Create usage-keys R1(config)# crypto key generate rsa usage-keys modulus 512 Or R1(config)# crypto key generate rsa usage-keys   Check the created public keys for encryption and signing (authentication). R1#show crypto key mypubkey rsa % Key pair was generated at: 01:32:03 UTC Mar 1 2002 Key name: R1.prem.com  Usage: Signature Key  Key is not exportable.  Key Data:   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A104A0 8DD39243   4ED17CE1 BE421F88 1923A7C2 54CE3E3B B5534114 0BD28E0B 70265418 1D79538F   FFA27893 3D3D71E2 7CA6B247 384A1B91 1EF3663A D86D3936 B9020301 0001 % Key pair was generated at: 01:32:04 UTC Mar 1 2002 Key name: R1.prem.com  Usage: Encryption Key  Key is not exportable.  Key Data:   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C10BCE 735E40F0   41DC17B3 DAC43F6B 855A0363 1F8415F2 AAD88AB3 3EFC4171 AFD56207 C081855B   936AC876 ED61E2C5 591143AC 10DF1248 D5C0F734 93B4D4F8 69020301 0001 % Key pair was generated at: 01:32:05 UTC Mar 1 2002 Key name: R1.prem.com.server  Usage: Encryption Key  Key is not exportable.  Key Data:   307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AAF13A 518E5399   B23A4230 C8BEFFEB 8EAEFE46 B22D48E4 0AE0D032 661B55B9 29DCA53C 393C1536   DCBAD0A3 ADFE9937 D2BB30C8 FD03EABF 3D48471B D810C812 D590D7EF C00290B2   71385E51 1642247A 6A014446 EEBDFB91 EC3D61A2 09619296 F1020301 0001   Key name: R1.prem.com: This public key is used for Signing. Key name: R1.prem.com: This public key is used for Encryption. Key name: R1.prem.com.server: This is the CA Server public key.   Configure R2’s private key for encryption and signing in R1’s public key chain: R1: R1(config)# crypto key pubkey-chain rsa  addressed-key 1.1.1.2 encryption   address 1.1.1.2   key-string    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C95A44 41B2F961    15DA29DE 90110ADA 34BEE0BB 81F66C29 4B43EBDA 4DD2B363 908AF0E0 7F734E73    3D8F73DA 052871A0 C2551337 758C9C1A 2C367E7D 474475EC 95020301 0001   quit  addressed-key 1.1.1.2 signature   address 1.1.1.2   key-string    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00AE89F6 24381561    5CE2A159 C3B5713C FB9F4D98 0F97BB78 0B4E8B59 4B7BE4AF CEFC0B2E 08BA14B4    F5E32E4D 3FA17C0B 14F95EF4 A90869D8 78BCE3E6 70221BBB D7020301 0001   Quit   Verify configured public key chain: R1: R1#show crypto key pubkey-chain rsa Codes: M – Manually configured, C – Extracted from certificate   Code Usage         IP-Address/VRF         Keyring          Name M    Encrypt          1.1.1.2             default          M    Signing          1.1.1.2             default            R1#show crypto key pubkey-chain rsa address 1.1.1.2 Key address:          1.1.1.2              Usage: Encryption Key  Source: Manually entered  Data:   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C95A44 41B2F961   15DA29DE 90110ADA 34BEE0BB 81F66C29 4B43EBDA 4DD2B363 908AF0E0 7F734E73   3D8F73DA 052871A0 C2551337 758C9C1A 2C367E7D 474475EC 95020301 0001   Key address:          1.1.1.2              Usage: Signature Key  Source: Manually entered  Data:   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00AE89F6 24381561   5CE2A159 C3B5713C FB9F4D98 0F97BB78 0B4E8B59 4B7BE4AF CEFC0B2E 08BA14B4   F5E32E4D 3FA17C0B 14F95EF4 A90869D8 78BCE3E6 70221BBB D7020301 0001

 

 

Configuration on R2 for usage keys:

R2: Create usage-keys R2(config)# crypto key generate rsa usage-keys modulus 512 Or R2(config)# crypto key generate rsa usage-keys   Check the created public keys for encryption and signing (authentication). R2#show crypto key mypubkey rsa % Key pair was generated at: 01:32:13 UTC Mar 1 2002 Key name: R2.prem.com  Usage: Signature Key  Key is not exportable.  Key Data:   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00AE89F6 24381561   5CE2A159 C3B5713C FB9F4D98 0F97BB78 0B4E8B59 4B7BE4AF CEFC0B2E 08BA14B4   F5E32E4D 3FA17C0B 14F95EF4 A90869D8 78BCE3E6 70221BBB D7020301 0001 % Key pair was generated at: 01:32:13 UTC Mar 1 2002 Key name: R2.prem.com  Usage: Encryption Key  Key is not exportable.  Key Data:   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C95A44 41B2F961   15DA29DE 90110ADA 34BEE0BB 81F66C29 4B43EBDA 4DD2B363 908AF0E0 7F734E73   3D8F73DA 052871A0 C2551337 758C9C1A 2C367E7D 474475EC 95020301 0001 % Key pair was generated at: 01:32:14 UTC Mar 1 2002 Key name: R2.prem.com.server  Usage: Encryption Key  Key is not exportable.  Key Data:   307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AA542D 649F5F93   E28AA7E6 D5DBE655 91813824 C817ECAD EC9AC3C7 0B780DE7 4D4E498D AB2A4C06   6C738A18 B6A4694F 97089EB3 97492416 7785DC86 44A61C5D FD1D5820 1B80EB5F   CF0003C2 7A73F8D2 289702ED C1DE9AFF 66C47E99 A9D049B7 D5020301 0001   Configure R2’s private key for encryption and signing in R1’s public key chain: R2(config)# crypto key pubkey-chain rsa  addressed-key 1.1.1.1 encryption   address 1.1.1.1   key-string    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C10BCE 735E40F0    41DC17B3 DAC43F6B 855A0363 1F8415F2 AAD88AB3 3EFC4171 AFD56207 C081855B    936AC876 ED61E2C5 591143AC 10DF1248 D5C0F734 93B4D4F8 69020301 0001   quit  addressed-key 1.1.1.1 signature   address 1.1.1.1   key-string    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A104A0 8DD39243    4ED17CE1 BE421F88 1923A7C2 54CE3E3B B5534114 0BD28E0B 70265418 1D79538F    FFA27893 3D3D71E2 7CA6B247 384A1B91 1EF3663A D86D3936 B9020301 0001   Quit   Verify configured public key chain: R2#show crypto key pubkey-chain rsa Codes: M – Manually configured, C – Extracted from certificate   Code Usage         IP-Address/VRF         Keyring          Name M    Encrypt          1.1.1.1             default          M    Signing          1.1.1.1             default            R2#show crypto key pubkey-chain rsa address 1.1.1.1 Key address:          1.1.1.1              Usage: Encryption Key  Source: Manually entered  Data:   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C10BCE 735E40F0   41DC17B3 DAC43F6B 855A0363 1F8415F2 AAD88AB3 3EFC4171 AFD56207 C081855B   936AC876 ED61E2C5 591143AC 10DF1248 D5C0F734 93B4D4F8 69020301 0001   Key address:          1.1.1.1              Usage: Signature Key  Source: Manually entered  Data:   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A104A0 8DD39243   4ED17CE1 BE421F88 1923A7C2 54CE3E3B B5534114 0BD28E0B 70265418 1D79538F   FFA27893 3D3D71E2 7CA6B247 384A1B91 1EF3663A D86D3936 B9020301 0001

Exploring Basic IPSec VPN on Cisco IOS – Part I

Exploring Basic IPSec VPN on Cisco IOS

 

[Part I: Exploring IKE Phase I on Cisco IOS]

 

1. IKE Policy: Phase I Policy Security Parameters

 

Router(config)# crypto isakmp policy <priority> Router(config-isakmp)# encryption {des | 3des | aes | aes 192 | aes 256} Router(config-isakmp)# hash {sha | sha256 | sha384 | md5} Router(config-isakmp)# authentication {rsa-sig | rsa-encr | pre-share} Router(config-isakmp)# group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20} Router(config-isakmp)# lifetime <seconds>

<priority>: 1 to 10,000; 1 is the highest priority.

<seconds>: 60 to 86,400; default value: 86,400.

 

Verify Configured IKE Policy:

Router# show crypto isakmp policy   Global IKE policy Protection suite of priority 1         encryption algorithm:   AES – Advanced Encryption Standard (256 bit keys).         hash algorithm:         Secure Hash Standard         authentication method:  Pre-Shared Key         Diffie-Hellman group:   #5 (1536 bit)         lifetime:               50000 seconds, no volume limit Default protection suite         encryption algorithm:   DES – Data Encryption Standard (56 bit keys).         hash algorithm:         Secure Hash Standard         authentication method:  Rivest-Shamir-Adleman Signature         Diffie-Hellman group:   #1 (768 bit)         lifetime:               86400 seconds, no volume limit

 

The following table gives the key sizes recommended by the National Institute of Standards and Technology to protect keys used in conventional encryption algorithms like the (DES) and (AES) together with the key sizes for RSA, Diffie-Hellman and elliptic curves that are needed to provide equivalent security.

 

Symmetric Key Size (bits)	RSA and Diffie-Hellman Key Size (bits)	Elliptic Curve Key Size (bits)
80	1024	160
112	2048	224
128	3072	256
192	7680	384
256	15360	521

Source (http://www.nsa.gov/business/programs/elliptic_curve.shtml)

 

Encryption Algorithm	Key Size (bits)
DES	56
3DES	168
AES	128
AES 192	192
AES 256	256

 

DH Group	Key Size (bits)
1	768
2	1024
5	1536
14	2048
15	3072
16	4096
19 (Elliptic Curve DH)	256
20 (ECDH)	384

 

Symmetric Key Size (bits)	RSA and Diffie-Hellman Key Size (bits)	Elliptic Curve Key Size (bits)
80	1024 (DH 2)	160
112	2048 (DH 14)	224
(AES) 128	3072 (DH 15)	256 (DH 19)
(AES 192) 192	7680	384 (DH 20)
(AES 256) 256	15360	521

2. IKE Authentication

• RSA Signatures

• RSA Encrypted Nonce’s

• Pre-shared Keys

 

RSA Signatures: Peers need to obtain certificate from CA. [Will cover this in a separate note.]

 

RSA Encrypted Nonce: For RSA encrypted Nonce we must ensure that each peers has the public keys of the other peer. This can be done using two methods.

 

§         Using Certificates: In this configure two IKE policy,

o       Higher priority policy – Encryption as RSA Encrypted Nonces

o       Lower priority policy – Encryption as RSA Signatures

 

When Phase I IKE will occur, as there are no public keys available, RSA Signatures will be used first time. After the exchange peers will have each other’s public keys. Now, future IKE exchange will use RSA Encrypted Nonce as both ends have each other’s public keys.

 

§         Manual RSA Keys: For manual configuration of RSA keys we need to do following,

 

o       Generate RSA keys and/or Elliptic Curve keys on the peers

Router(config)# crypto key generate rsa {general-keys | usage-keys} [label <key-label>] [exportable] [modulus <modulus-size>]   Router(config)# crypto key generate ec keysize [256 | 384] [label <label-string>]

<modulus-size>: 350 to 4096 bits

 

o       Specify RSA public keys of other peers

Router(config)# crypto key pubkey-chain rsa Router(config-pubkey-chain)# named-key <key-name> [encryption | signature]  or Router(config-pubkey-chain)# addressed-key <key-address> [encryption | signature] Router(config-pubkey-key)# address <ip-address> Router(config-pubkey-key)# key-string <key-string>

<key-name>: Hostname/ID of the other peer

<key-address>: IP address of the peer

<ip-address>: IP address of the peer

<key-string>: Public key of the peer for encryption and/or authentication

 

[Will add RSA-Encryption-Nonce configuration section for further details]Added new post 🙂 

Pre-shared Keys:

Specify the ISAKMP ID: R(config)# crypto isakmp identity {address | dn | hostname} If ID is hostname, then ensure DNS is configured else configure mapping: R(config)# ip host <hostname> <address1> [<address2>…<address8>] Configure the pre-shared key and the peer address: R(config)# crypto isakmp key <keystring> address <peer-address> [mask] [no-xauth] or R(config)# crypto isakmp key <keystring> hostname <hostname> [no-xauth]

<addressn>: IP address of a host

<keystring>: Pre-shared key

<peer-address>: IP address of peer

 

 

3. IKE Mode Configuration: Only if gateway needs to download network-level configuration, such as IP address.

Configure IP pool to provide IP address: Router(config)# ip local pool <pool-name> <start-addr> <end-addr> Specify the pool from which IP address will be given out: Router(config)# crypto isakmp client configuration address-pool local <pool-name> Specify how gateway will behave i.e. initiate mode config or respond to mode config. Router(config)# crypto map <tag> client configuration address [initiate | respond]

 

4. IKE Crypto Map for IPSec SA Negotiation

Router(config)# crypto map <tag> <sequence> ipsec-isakmp Router(config-isakmp)# set pfs {group1 | group2 | group5 | group14 | group15 | group16 | group19 | group20}

<tag>: Crypto map name.

<sequence>: Specifies sequence to insert into crypto map entry.

 

Summary

Required:   Router(config)# crypto isakmp policy <priority> Router(config-isakmp)# encryption {des | 3des | aes | aes 192 | aes 256} Router(config-isakmp)# hash {sha | sha256 | sha384 | md5} Router(config-isakmp)# authentication {rsa-sig | rsa-encr | pre-share} Router(config-isakmp)# group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20} Router(config-isakmp)# lifetime <seconds>   Only If "authentication rsa-encr":   Router(config)# crypto key generate rsa {general-keys | usage-keys} [label <key-label>] [exportable] [modulus <modulus-size>] Router(config)# crypto key generate ec keysize [256 | 384] [label <label-string>]   Router(config)# crypto key pubkey-chain rsa Router(config-pubkey-chain)# named-key <key-name> [encryption | signature]  or Router(config-pubkey-chain)# addressed-key <key-address> [encryption | signature] Router(config-pubkey-key)# address <ip-address> Router(config-pubkey-key)# key-string <key-string>   Only if "authentication pre-share":   R(config)# crypto isakmp identity {address | dn | hostname} R(config)# ip host <hostname> <address1> [<address2>…<address8>] R(config)# crypto isakmp key <keystring> address <peer-address> [mask] [no-xauth] or R(config)# crypto isakmp key <keystring> hostname <hostname> [no-xauth]   Only if we require Mode configuration, e.g, EZVPN, Remote Access:   Router(config)# ip local pool <pool-name> <start-addr> <end-addr> Router(config)# crypto isakmp client configuration address-pool local <pool-name> Router(config)# crypto map <tag> client configuration address [initiate | respond]   Required:   Router(config)# crypto map <tag> <sequence> ipsec-isakmp Router(config-isakmp)# set pfs {group1 | group2 | group5 | group14 | group15 | group16 | group19 | group20}

 

[Part II: Exploring IKE Phase II on Cisco IOS]

[Will cover IKE Phase II in a new post]

IPSec (Internet Protocol Security)

This article can never do justice to what IPSec is. I am only trying to cover that much which will not make one overwhelmed with the information, and to a point that everyone can understand.

IPSec is a framework of open standards for protecting communication over IP. IPSec works at same layer as IP i.e. Internet Layer (Of TCP/IP).

IPSec combines three main protocols to form a security framework:

• IKE (Internet Key Exchange) protocol : For negotiating security parameters & establishing authentication keys.  It automates entire key-exchange process.
• ESP (Encapsulating Security Payload) protocol : For encrypting, authenticating & securing data.
• AH (Authentication Header) protocol : For authenticating and securing data.

Like IPSec, IKE is also a combination of three different protocols:

• SKEME : Provides mechanism for using public key encryption for authentication purpose.
• Oakley : Provides a mode-based mechanism for deriving an encryption key between two IPSec peers.
• ISAKMP : Defines architecture for message exchange, which includes packet formats and state transitions between two IPSec peers.

Before we go any further we need to be aware of meaning of few terms that we will use in further understanding:

Overview of practical implementation of IPSec:

Main Mode: It is an IKE Phase I. It broadly it consists of three step:

• SA negotiation
• Diffie-Hellman and Nonce exchange
• Authentication

Main mode requires 6 message exchange before it completes Phase 1 of IPSec. Let’s take a look at an example that involves IKE Phase I Main Mode and IKE Phase II Quick Mode with pre-shared keys.

CloudShark: Main Mode

In Message 1 & 2 (SA negotiation),

Initiator sends,

Cookie: As a unique identifier of a negotiation exchange.CKY-I = md5{(scr-ip, dest-ip), random number, time & date}

ProposalsThis message is not encrypted.

Responder responds with,

• Cookie: CKY-R = md5{(src-ip,dest-ip), random number, time & date}

• Selected Proposal:

This packet is also unencrypted.

In Message 3 & 4 (Diffie-Hellman and Nonce exchange),

Initiator sends,

• DH Public Value (i): Diffie-Hellman Public value(key) is generated using shared key already known.
• Nonce Value (N_i): It is a very large random number.

This message exchange is also unencrypted.

Responder responds with,

• DH Public Value (r)
• Nonce Value (N_r)

This message is also unencrypted.

This completes 4 message exchange between Initiator and Responder for IPSec Main Mode (MM). The values exchanged above i, r, Ni,Nr are used generate various keys.

Before both ends start next message exchange they derive the,

DH Shared Secret, that comes out to be same on both end.

Based on, Nonce Exchanged, DH Shared Secret calculated and pre shared key stored locally.

Three new keys are generated which are called Session Key(SKEY ID).

SKEY ID = fn(pre-shared, N_i|N_r)

SKEY ID_d = fn(SKEY ID, g^DH|CKY-I|CKY-R|0)

SKEY ID_a = fn(SKEY ID, SKEY ID_d|g^DH|CKY-I|CKY-R|1)

SKEY ID_e = fn(SKEY ID, SKEY ID_a|g^DH|CKY-I|CKY-R|2)

SKEY ID_a : It is used to provide Data Integrity & Authentication to subsequent IKE messages.SKEY ID_e : It is used to Encrypt subsequent IKE messages.

In Message 5 & 6 (Authentication),

Initiator sends,

• Identity Payload: It contains initiator’s IP address or hostname (ID-I).
• Hash Payload: The hash is used for authentication purposes. The responder calculates the hash on its end, both hash need to match for authentication to succeed.

HASH-I = fn(SKEY ID, CKY-I, CKY-R, Pre-shared key (PK-I), SA Payload, Proposals+Transforms, ID-I)

Hash uses SKEY ID_a.

Identity & Hash Payload is encrypted using SKEY ID_e.

This message exchange is encrypted.

Responder responds with,

• Identity Payload: Responder’s IP or hostname (ID-R).
• Hash Payload: HASH-R = fn(SKEY ID, CKI-I, CKY-R, Pre-Shared Key (PR-R), SA Payload, Proposals+Transforms,ID_R)

The message is encrypted with SKEY ID_e and Hash uses SKEY ID_a.

Aggressive Mode: It is also IPSec Phase I, but it consists of only 3 message exchange. Though it is quick, all the messages exchanged are unencrypted, It is less secure when compared to Main Mode. In Main mode both ends authenticate each other during message exchange 5 & 6 using a HASH, that hash is encrypted using the session keys. In case of Aggressive Mode, HASH are exchanged in message 2 & 3. In message 2, Responder sends the HASH to initiator, but that HASH is not encrypted and can be seen on wire. In message excahnge 3 the HASH sent by the Initiator is encrypted. This is among one of the difference between Aggressive Mode and Main Mode.

CloudShark: Aggressive Mode

Example of Aggressive mode using pre-shared keys:

Message 1:

Initiator –> Responder

• Cookie (CKY-I), Proposals, Protocol, SPI, Transforms etc.
• DH Public Value(i)
• Nonce (Ni)
• ID-I

All information provided by Initiator is enough for Responder only to generate DH shared secret and SKEY’s. Initiator still needs more info to generate SKEYs. This message exchange in unencrypted.

Message 2:

Responder –> Initiator

• Cookie (CKY-R), Chosen proposal, chosen transform
• DH Public Value(r)
• Nonce (Nr)
• ID-R
• Hash: HASH-R = fn(SKEY ID, CKY-I, CKY-R, pre-shared key (PK-R), SA payload,….)

This message exchange in unencrypted.

At this stage Initiator has enough information to generate DH Shared secret and SKEY’s. Before sending next message both ends have all the information required to start IPSec Phase II.

Message 3:

Initiator –> Responder

• Hash: HASH-I = fn(SKEY ID, CKY-I, CKY-R, pre-shared key (PK-I), SA payload, proposal, transform, ID-I)

All three messages are unencrypted. This message is encrypted.

[Will include Aggressive mode capture sooner. Included as promised :)]

PFS (Perfect Forward Secrecy): It is a property that the Initiator of an IKE negotiation can “suggest” to the responder. This is sent as a key exchange attribute during first message of quick mode. If responder agrees for PFS, then quick mode continues. Otherwise, it returns “Attribute Not Supported”, and the initiator can continue without PFS if it is configured so.

PFS is a property that forces peers to generate a new DH Secret during Quick Mode exchange. This allows the SKEYs to be generated using new DH secret.

Both ends must have same PFS DH Group.

Quick Mode: It is IKE Phase II mode. It is used to negotiate IPSec SA (Security Association).

All quick mode messages are encrypted using encryption keys SKEYs generated in IKE Phase I.

It generally has 3 message exchange,

Message 1:

Initiator –> Responder

• Proposals: ESP, SHA, DH Group, Initiator SPI…
• Transforms: Tunnel/Transport, IPSec timeouts
• new DH Public Value(i’) (If PFS)
• ID-Si : source proxy
• ID-Di: destination proxy
• Hash: HASH-I = fn(SKEY ID_a, Message ID, Ni, Proposals, Transforms, new DH Public Value (If PFS))

All information is encrypted using SKEY ID_e.

Message 2:

Responder –> Initiator

• Proposals: Accepted proposals, Responder SPI
• new DH Public Value (r’) (If PFS)
• ID-Sr: source proxy
• ID-Dr: destination proxy
• Hash: HASH-R = fn(SKEY ID_a, Message ID, Ni, Nr, Accepted proposals & Transforms, new DH Public Value (if PFS))

After Message 2 is exchanged, then both ends calculate two IPSec SA (incoming and outgoing).

If there was PFS, then at this stage new DH Secret is generated and new SKEYs are generated.

incoming IPSec SA = fn(SKEY ID_d, protocol(ISAKMP), DH Secret, SPIr, Ni,Nr)

outgoing IPSec SA = fn(SKEY ID_d, protocol(ISAKMP), DH Secret, SPIi, Ni, Nr)

Security Association (SA): A collection of connection-specific parameters, and each partner can have one or more Security Associations. When a datagram arrives, three (or two) pieces of data are used to locate the correct SA inside the Security Associations Database (SADB):

1. Partner IP address
2. IPsec Protocol (ESP or AH)
3. Security Parameters Index

Message 3:

Initiator –> Responder

• Hash : HASH-I = fn(SKEY ID_a, Message ID, Ni, Nr)

Above discussion shows how IPSec is build with,

IKE Phase 1 (Main/Aggressive Mode) –> IKE Phase 2 (Quick Mode) –> Secured Data

IKE Phase 1 using Digital Certificates:

All message exchange are same except for message exchange 5 & 6 (Authentication Exchange).

Message 5:

Initiator –> Responder

• Initiator’s Certificate with its Public keys.
• ID-I
• Signature: HASH-I encrypted using Private Key of Initiator.

Above exchange is encrypted with SKEY ID_e.

Message 6:

Responder –> Initiator

• Responder’s certificate with its Public keys.
• ID-R
• Signature: HASH-R encrypted using Private Key of Responder.

Above exchange is encrypted with SKEY ID_e.

Tunnel/Transport with ESP/AH

AH (Authentication Header): IP Protocol 51. It provides no mechanism for encrypting data. All it provides a mechanism for encapsulating and authentication data to ensure that the data was not tampered in transit and was sent by the intended source. In this Data as well as IP header is authenticated.

ESP (Encapsulating Security Payload): IP Protocol 50. It defines how it provides encapsulation, encryption and authentication for the IP packet.

AAA Identity Management Security

How it happened? Don’t ask me But i finally did. It took like 2 years to get this “project” done. Finally I have contributed back to the IP network community with something at least, that makes me feel good, more than me being an author. Anyways, I hope that this book finds its way to people and help them at whatever level it can.

Holiday season has begun. I have nothing much planned. As a matter of fact I never have anything planned ever before hand. Things just come and I have to complete them. It could be interesting and boring. Lets see what 2011 holds for me and people around me.

Till then enjoy this title.

AAA Identity Management Security