Home

Configuring FlexVPN Site-to-Site with Digital Certificate

May 3, 2016

Miftah Rahman Config Router, Security , , , Leave a comment

See here (see chapter “Authentication”) if you don’t know about Digital Certificate (a.k.a PKI a.k.a public key infrastructure a.k.a CA a.k.a Certificate Authority)

Now the question is…what is FlexVPN?

FlexVPN is Cisco terminology of VPN that can be connected and authenticate via multiple terms (in this case I’ll show you the Digital Certificate ways, VPN biasa juga bisa sih)

FlexVPN Benefits:

  • Bisa di deploy di MPLS Network (private or public)
  • Can accept both site-to-site and remote VPN at the same time
  • Failover Redudancy (can be done via dynamic routing over FlexVPN interface tunnel)
  • 3rd party compatibility…this is it…ga harus VPN ama cisco devices juga hahaha
  • Multicast support
  • Advanced QoS (bisa ditaro langsung pas traffic mau jalan atau di hub router-nya aja)
  • VRF awareness, cocok buat ISP

Mudah2an klo sempet kita oprek satu2 ini benefit2nya…bener kaga yang Cisco bilang…

Warning: FlexVPN relies heavily on the powerful IKEv2 (see here) to get it working, that why this VPN is so “flexible”…so, get you’re a** down to the new successor of ISAKMP and IKEv1…

Note: IOS 7200 15.4 ga lengkap config PKI server-nya, gw pake 3640 yang lama (surprisingly complete configuration about PKI server…)

DAN GUA BARU TAU TERNYATA ROUTER CISCO BISA JADI PKI SERVER!!! Gua kira harus pake VMware isi Windows Server….

——————————————–

The Idea and Network Design

Jadi HQ-R1 akan konek dengan BR-R2 via VPN…awalnya pake pre-shared-key (PSK), nanti kita ganti pake digital certificate (minta dari R3)

————————————————-

Configure IKEv2 first on both Routers

On HQ-R1 (and BR-R2 with necessary changes)

First…the hostname and domain (kepake nanti buat Digital Certificate, wajib ada hostname sama domain soalnya)

Second…Configure IKEv2 Keyring

Awalnya kita pake pre-shared-key untuk konek vpn (passwordnya “PSK”)

Third…Configure IKEv2 Profile

IKE-PROFILE

IKEv2 bisa asymmetric authentication (dia/local pake PSK, klo remote pake yang lain…kasus diatas sama2 pake PSK)

DPD (dead peer detection)…fitur yang include secara default di IKEv2 framework untuk ngedeteksi peer/ujung yang satu VPN-nya mati, 60..intervalnya, 2…nyoba 2x, on-demand…ya klo lagi butuh (ada settingan periodic kok)

Fourth…Configure IPsec profile with IKEv2 profile we created before

Fifth…Configure interface tunnel for private traffic and attach that ipsec profile in, don’t forget that ip route too

Verification…ping from loopback R1 (100.1) to R2 loopback (200.1) and type “show crypto ikev2 session” untuk liat ada IKEv2 proses ga pas lagi ping-pingan

show crypto ikev2 session

——————-

Configure certificate on R3-CA-SRV

Now….im actually amazed by Cisco Router to act like CA Server…lets see the configuration

Untuk jadi CA ada beberapa hal yang harus diperhatikan

  • Ganti hostname
  • Harus ada domain-name
  • Harus di set NTP (atau minimal clock-nya dibenerin)
  • Enable http…soalnya request certificate-nya dari port 80 (klo lo pernah setting2 PKI/CA di windows…pasti lu ngerti)
  • Settingan CA-nya…with crypto pki server [nama SERVER] seperti dibawah ini:

crypto pki server

Kasi password (contoh: cisco123), jadi klo ada yang mau minta request dibikin sertifikat (kek kita minta KTP ke kelurahan, istilahnya: ENROLL) harus tau password-nya

Jangan lupa di “no shutdown” untuk aktifin CA-nya

————————————————————————–

HQ-R1 enrollment to CA-SRV and change the authentication method from PSK to Digital Certificate

Ceritanya HQ-R1 minta dibikinin sertifikat ama R3-CA-SRV, soalnya dia mau konek VPN-an ama BR-R2, biar ga pake PSK (jablay?!?) lagi…

Klo pake PSK kan masalahnya pasti itu2 aja…kebanyakan PSK…kena raja singa…

Maksudnya…klo mau ke R2 pake kunci A, klo mau ke R3 pake kunci B, klo mau ke R4,R5,R6,R7..dll??…gantungan kunci kita bawa (not preferable with Company with many branch)

First…bikin dulu path ke R3-CA-SRV buat request certificate

Look at keyword enrollment…pake URL ke port 80 (that’s what I mean enable http in R3-CA-SRV)

Trus ketik “crypto pki authenticate [nama CA]“…klo berhasil nanti R3 akan ngasi certificate dengan fingerprint unique punya dia

perhatiin Fingerprintnya…sama ga (nanti pas di BR-R2 kita bandingin)

Second, enroll…minta bikinin sertifikat dongss pake “crypto pki enroll [nama CA]”

crypto pki enroll

Nanti ada beberapa pertanyaan…intinya pas “request certificate from CA“…ketik “yes

Now…lets change HQ-R1 authentication method to RSA-SIG (digital certificate) from trustpoint CA kita and with identity pake dn (distinguished name…itu tu…HQ-R1.cisco.com)

And then…Verification

——————————————————————————-

Change authentication behavior BR-R2 using Certificate if HQ-R1 wants to connect

Pretty much the same…tentuin CA path-nya

See…FINGERPRINT-nya sama kan kek HQ-R1…(check sendiri konfigurasi R1 diatas)

Trus…bikin certificate map…biar klo ada mau konek ke BR-R2, pake metode yang ada certificate map itu…trus masukin deh itu map ke IKEv2 profile-nya

kita bisa liat diatas…klo ada yg mau konek ke BR-R2, tolong tunjukin certificate-nya, dan dia hanya percaya sama certificate yang dari CA-SRV yang kita tunjuk tadi

————————————-

Verification

Shut and then no shut int tunnel-nya, biar refresh ulang IKEv2 negosiasinya

show crypto ikev2 sa de

Di HQ-R1…dia mau VPN ke BR-R2 pake RSA…

Dan di BR_R2 (gambar dibawah)…klo ada yang mau konek pake verifikasi RSA…

show crypto ikev2 sa de 2

And…im done

———————–

References:

https://alexandremspmoraes.wordpress.com/2012/04/09/flex-vpn-a-new-paradigm-for-ipsec-deployment-on-cisco-routers/

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/50282-ios-ca-ios.html

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115782-flexvpn-site-to-site-00.html

How VPN works (especially site2site one)

May 3, 2016

Miftah Rahman Network Theory , , , , , , , , , , , , , , , , , 4 Comments

Well, another one of my note that left behind, I’ll make sure this one goes to my blog as well…

Gua buat catetan ini karena banyak konfigurasi yang ga ngerti pas lagi buat VPN…

ini command buat apaaa…kenapa harus adaaa…dsb dsb…

Make sure you read my basic VPN article first

———————————————————-

VPN Networking Protocol, the basic

There are 4 main protocols:

  • PPTP (Point-to-Point Tunnel Protocol), metode agar gimana caranya client/workstation bisa konek ke VPN (kek remote VPN gitu)
  • L2TP (Layer 2 Tunnel Protocol), metode agar gimana caranya Main Office Network bisa konek ke Branch Office network via ISP tapi dengan skema IP yang sama/network yang sama (contoh: main network pake IP 10.1.1.0~10.1.1.200, nah branch network tinggal make ip sisanya sampe 10.1.1.254…seakan2 nge-LAN gituh…walaupun beda wilayah)
  • IPsec (IP Security)…metode enkripsi untuk layer 3 (IP – internet Protocol)
  • SSL (Secure Socket Layer)…metode enkripsi untuk layer 4 keatas

Like I said…VPN networking protocol (Layer 3 in OSI Layer)…

The difference? I’ll explain it to you simply in one line: PPTP < L2TP < SSL < IPsec

Yang gunain PPTP rata2 adalah Microsoft Client (using Microsoft Windows Platform) and this protocol is a weak one (but easier to use and configure), link

Yang gunain L2TP rata2 adalah ISP…kelemahannya adalah Layer 3 ga dienkripsi (untuk itu biasanya digabung sama IPsec)

Yang gunain SSL adalah remote user untuk Remove VPN, user2 hanya perlu komputer yang support “HTTPS” (clientless, ga perlu install macem2, cukup browser aja)

Yang terakhir yang paling bagus adalah IPsec (RFC 4301)…jeleknya adalah settingannya aga banyak, plus harus disetting on both side of network, that’s why SSL more preferable in common user

——————————————————————

So…IPsec huh?

IPsec is quite complex (that’s why it secure…), why?

  • Because there must be some policy how to exchange and manage the key
  • Because there must be some protocol that can authenticate traffic
  • Or, there must be a protocol that CAN both encrypt and authenticate the traffic

From seeing above image, you’ll understand what I mean…

So, dalam membangun VPN terutama site2site…settingan IPsec pasti ada…

This guy itself support 2 encryption modes:

  • Transport mode: encrypt only payload (data), header ga diutak atik

ipsec-modes-transport-tunnel-3

  • Tunnel mode: default, more secure, header packet (inget…yg CCNA, PDU layer internet apa pada TCP/IP protocol?!?) juga di enkripsi

——————————————————–

Key Management, Policy, and Negotiation

Yup…we’re talking about IKE* (Internet Key Exchange)

Yang namanya VPN pasti ada tuker2an kunci (traffic VPN kan di enkripsi…cara buka-nya gimana…validasi peering VPN-nya juga gimana)

Nah, kita membahas how IKE works…

This protocol consist of 2 phase

  • Phase 1 (ISAKMP* Phase):
    • Specify gateway addresses (local ip buat VPN gateway traffic inbound dan remote ip VPN gateway traffic outbound)
    • Specify authentication…mau pake PSK* (pre-shared-key) atau mau pake Digital Certificate* (via CA*/PKI*)
    • Specify NAT-T* (NAT Traversal)
    • Specify Transform-set*
    • Phase 1 ada 2 mode:
      • Main Mode: more secure but slower…commonly used
      • Aggressive Mode: fast without encryption…biasanya klo salah satu IP Gateway ada yang dinamis, contoh:

    • All of those parameter above is called SA*

Don’t worry…I’ll explain those Terminology used in this article on the bottom chapter

  • Phase 2 (IPsec Phase):
    • Specify what traffic/network go through VPN (Access-list anyone?!?)
    • Specify the use of PFS*
    • Specify the proposal
      • authenticate and encrypt the traffic (ESP* – Encapsulating Security Payload)
      • or authenticate only (AH – Authentication Header), better performance-less secure
      • or both of them…AH and ESP (not common anymore, everyone prefers ESP now)
    • Specify Expiry Date…for Key and Session

Nah, IKE itu ada 2 versi…versi jadul yaitu IKEv1 dan versi robust and flexible one which called IKEv2

—————————————————————

IKEv1 and v2

IKEv1

  • Defined in RFC 2409
  • Use UDP port 500
  • Using “Phased” approach (ISAKMP – RFC 2408 on phase 1)

IKEv2

  • One of the document is RFC 4306 and RFC 5996
  • Same…use UDP port 500, and port 4500
  • Not backward compatible to IKEv1
  • Using Child SA instead of phase
  • Fewer exchanges data to form than IKEv1
  • Has built-in DPD*
  • Resistant to DoS attack because of cookie mechanism
  • Has built-in NAT-T
  • Can be used with EAP*

3 steps in IKEv2 exchange messages:

  • IKE_SA_INIT: tuker2 proposal SA sama peer, klo match…ke step selanjutnya (klo di IKEv1, mm-main mode alias phase 1-nya udah 4x bolak balik transaksi peering VPN)
  • IKE_AUTH & CREATE_CHILD_SA: authentikasi peers dan bikin child SA (ini kek Phase 2 di IKEv2, qm-quick mode)
    • CHILD_SA ini berguna untuk notifikasi peer mati, keepalive, authentication message, bikin key baru/rekeying dll
    • Klo ga ada child_sa, berarti balik lagi ke phase 1…repot
    • Ini artinya lebih cepet connect/reconnect-nya

IKEv2 provide better DoS prevention

Di IKE…hacker bisa ngirim SPI* (lets say peer initiation) to victim router with many spoofed IP address, hasilnya…consume CPU resources karena banyak “half open” initiation yang masuk, klo ga ada mekanisme prevention DoS…maka ketika victim router establish connection ke router peer DENGAN SPI/KEY YANG DIKASI HACKER…wassalam, ketauan semua isinya, soalnya hacker bisa generate sendiri key-nya (orang dia yang bikin) plus bisa decrypt traffic pake kunci itu

Di IKEv2, mereka pake cookies pas pertama kali peering VPN (ada semacam fingerprint lah)…jadi klo hacker ngirim SPI intended for man-in-the-middle attack…si victim router tinggal ngomong…”bener ga lu ngirim ginian?
Ke router asli-nya….karena router asli-nya punya cookie pas pertama kali peering…tinggal di cek…klo salah, di drop

Nah, di Cisco…mereka punya teknologi yang bernama FlexVPN* that relies heavily on IKEv2…

—————————————————————

Terminology

ISAKMP (Internet Security Association and Key Management Protocol): this is a framework…of protocol, kek lu mau masuk ke istana Negara…pasti ada protocol yang harus dipenuhi sebelum lu bisa masuk, nah protocol2 itu kan ga Cuma 1…pasti ada parameter2 lain yang harus dipenuhi. Kumpulan protocol2 ini di VPN dinamakan SA (security association)

Framework: i might have to explain this because I’ve used this words many times…klo protocol itu aturan, nah framework itu adalah kumpulan peraturan2

PSK (Pre-shared-key): think this as a password or key to enter a door…password being said must exactly same like password remembered by door guard (key also…must match in order to unlock the door), lawannya PSK? Digital Certificate

Digital Certificate: tired remembering all the password for site A, site B, site C, and so on…?? Or exhausted from bringing all keys in “Key-chain” to unlock all the doors?…this is the solution, it like ID Card for US…as long as You (as ID Card bearer) and Door Guard recognize the Card (who made it of course) then you ready to go…

PKI (Public Key Infrastucture): this is a framework explaining how to create digital certificate, which mentioned above

CA (Certificate Authority): ini server yang bikin digital certificate, dia yang bikin, dia juga yang verifikasi keasliannya

RA (Registration Authority): ini optional, klo lu mau CA cuma bikin sertifikat dan yang nge-cek validitasnya server lain…si RA ini untuk ngecek validitas certificate-nya

CRL (Certificate Revocation List): ini serial number-nya certificate…di dalemnya ada masa berlaku ini sertifikat (expiry date)

SCEP (Simple Certificate Enrollment Protocol): Cisco punya, kek PKI Framework-nya Cisco…simple, Cuma pake HTTP untuk ngirim dan nerima request dan sertifikat

NAT-T (NAT Traversal): NAT and IPsec is not compatible each other, NAT itu kan ganti IP…jelas akan break salah satu rules dari VPN yaitu integrity (make sure data hasn’t been changed). NAT-T ini bikin header UDP di”depan”nya IPsec…jadi yang dibaca UDP NAT-nya dulu bukan IPsec-nya…both side harus aware klo mereka pake NAT-T (bahasa mudahnya…2-2nya harus dienable NAT-T klo mau pake VPN). Workaround for NAT-T? just use IP PUBLIC on your Firewall/Gateway

SA (Security Association): men-define mau pake apa enkripsinya, integritynya (hashing), bikin key sama tuker2annya mau pake apa

  • Encryption mode: aes, des, 3des
  • Hashing mode: md5 atau sha
  • Key exchange mechanism: DH = diffie-hellman, all variant
  • Expiry date untuk key-nya

Transform Set: isinya adalah metode yang akan digunakan oleh IPsec…mau pake ESP apa AH

PFS (Perfect Forward Secrecy): ensure itu VPN peer ga make key yang sama klo mau bikin session VPN baru

ESP (Encapsulation Security Payload): defined in RFC 4303 using IP Protocol* 50, isinya bagaimana caranya kita bisa authenticate dan encrypt itu traffic lewat VPN

IP Protocol: tipe2 sub-protocol didalam IP itu sendiri, contoh: 50 – ESP, 51 – AH, 46 – RVSP buat QoS, dll…(link)

AH (Authentication Header): more fast but less secure than ESP, only authenticate header with no encryption

DPD (Dead Peer Detection): teknologi untuk memastikan VPN peering kita ga down…kek IP SLA-nya VPN lah (default di IKEv2 sudah bisa setting ginian, ga perlu konfigurasi khusus kek di IKEv1)

EAP (Extensible Authentication Protocol): sebuah framework untuk extend PPP protocol yang mengatur bagaimana caranya mengauthentikasi user (bisa pake password, AAA, LEAP-nya Cisco, EAPOL-nya ethernet LAN, dll)

SPI (Security Parameter Indexes): mekanisme identifikasi SA ke packet yang datang (besarnya 32 bit)

——————–

References:

ISAKMP – https://tools.ietf.org/html/rfc2408

IKE – https://www.ietf.org/rfc/rfc2409.txt

Security Architecture for IP – https://tools.ietf.org/html/rfc4301

IPsec – https://tools.ietf.org/html/rfc4303

IKEv2 – https://tools.ietf.org/html/rfc4306

IKEv2 Updated – https://tools.ietf.org/html/rfc5996

http://www.h-online.com/security/features/A-death-blow-for-PPTP-1716768.html

https://tools.ietf.org/html/draft-ietf-ipsec-ikev2-tutorial-01

http://www.juniper.net/documentation/en_US/junos12.3×48/topics/concept/vpn-security-ikev2-understanding.html

http://security.stackexchange.com/questions/56434/understanding-the-details-of-spi-in-ike-and-ipsec

https://supportforums.cisco.com/document/21746/what-extensible-authentication-protocol

https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

CCNP Security SIMOS powerpoint slide