Configuring FlexVPN Site-to-Site with Digital Certificate

See here (the "Authentication" chapter) if you don't know about digital certificates (a.k.a. PKI, a.k.a. public key infrastructure, a.k.a. CA, a.k.a. Certificate Authority)

Now the question is…what is FlexVPN?

FlexVPN is Cisco's term for a VPN that can connect and authenticate in multiple ways (in this case I'll show you the digital certificate way; a regular VPN can do it too)

FlexVPN Benefits:

  • Can be deployed over an MPLS network (private or public)
  • Can accept both site-to-site and remote VPN at the same time
  • Failover redundancy (can be done via dynamic routing over the FlexVPN tunnel interface)
  • 3rd party compatibility…this is it…the VPN doesn't have to be between Cisco devices hahaha
  • Multicast support
  • Advanced QoS (can be applied right where the traffic goes out, or only on the hub router)
  • VRF awareness, well suited for ISPs

Hopefully, if there's time, we'll poke at these benefits one by one…to see whether what Cisco says is true…

Warning: FlexVPN relies heavily on the powerful IKEv2 (see here) to get it working, that's why this VPN is so "flexible"…so, get your a** over to the new successor of ISAKMP and IKEv1…

Note: IOS 15.4 on the 7200 doesn't have the complete PKI server config, so I'm using the old 3640 (surprisingly complete configuration for the PKI server…)

AND I JUST FOUND OUT A CISCO ROUTER CAN BE A PKI SERVER!!! I thought you had to use VMware with Windows Server inside….

——————————————–

The Idea and Network Design

So HQ-R1 will connect to BR-R2 via VPN…initially using a pre-shared key (PSK), later we'll switch to a digital certificate (requested from R3)

————————————————-

Configure IKEv2 first on both Routers

On HQ-R1 (and BR-R2 with necessary changes)

First…the hostname and domain (needed later for the digital certificate, since a hostname and a domain are mandatory)

Second…Configure the IKEv2 keyring

Initially we use a pre-shared key to connect the VPN (the password is "PSK")

Third…Configure the IKEv2 profile

IKE-PROFILE

IKEv2 can do asymmetric authentication (this/local side uses PSK while the remote uses something else…in the case above both sides use PSK)

DPD (dead peer detection)…a feature included by default in the IKEv2 framework to detect when the peer at the other end of the VPN is dead; 60 is the interval, 2 means it retries 2 times, on-demand…only when needed (there's a periodic setting too)

Fourth…Configure the IPsec profile with the IKEv2 profile we created before

Fifth…Configure the tunnel interface for private traffic and attach that IPsec profile to it; don't forget the ip route too

Verification…ping from R1's loopback (100.1) to R2's loopback (200.1) and type "show crypto ikev2 session" to see whether there's an IKEv2 process running while the pings are going

show crypto ikev2 session
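The PSK baseline that the five steps above describe, written out as an added example (reconstructed from the text, not the post's own screenshots). The key "PSK", the DPD values and the loopback ".100.1"/".200.1" come from the post; the WAN addresses, tunnel subnet, loopback prefixes and object names are assumptions.

```cisco
! HQ-R1; mirror on BR-R2 with the addresses swapped (addresses assumed)
hostname HQ-R1
ip domain-name cisco.com
!
! Keyring: the post's initial pre-shared key "PSK" for peer BR-R2
crypto ikev2 keyring FLEX-KEYRING
 peer BR-R2
  address 10.0.0.2
  pre-shared-key PSK
!
! Profile: PSK in both directions for now (IKEv2 would allow them to differ),
! switched to RSA-SIG later in the post
crypto ikev2 profile IKE-PROFILE
 match identity remote address 10.0.0.2 255.255.255.255
 identity local address 10.0.0.1
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYRING
 dpd 60 2 on-demand
!
! IPsec profile that references the IKEv2 profile
crypto ipsec profile IPSEC-PROFILE
 set ikev2-profile IKE-PROFILE
!
! Tunnel for the private traffic, protected by the IPsec profile
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
!
! Loopback used for the verification ping (prefix assumed)
interface Loopback0
 ip address 192.168.100.1 255.255.255.0
!
! BR-R2's loopback network is reached through the tunnel
ip route 192.168.200.0 255.255.255.0 172.16.0.2
```

IOS 15.x ships default IKEv2 proposal and policy objects, so none are defined here; "show crypto ikev2 sa" on either side shows the session once the ping brings it up.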

——————-

Configure certificate on R3-CA-SRV

Now….I'm actually amazed that a Cisco router can act as a CA server…let's see the configuration

To become a CA there are a few things to take care of

  • Change the hostname
  • There must be a domain-name
  • NTP must be set (or at least the clock must be corrected)
  • Enable http…because the certificate requests come in on port 80 (if you've ever set up PKI/CA on Windows…you'll understand)
  • The CA settings themselves…with crypto pki server [SERVER name] as below:

crypto pki server

Give it a password (example: cisco123), so anyone who wants to request a certificate (like asking the sub-district office for an ID card; the term is ENROLL) has to know the password

Don't forget "no shutdown" to activate the CA
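The CA-side configuration the list above walks through, as an added reconstruction (not the post's screenshot). The passphrase example cisco123 is from the post; the NTP server address, issuer name and lifetimes are assumptions.

```cisco
! R3-CA-SRV. NTP server, issuer name and lifetimes are assumptions.
hostname R3-CA-SRV
ip domain-name cisco.com
!
! Certificates carry validity dates, so the clock has to be right
ntp server 10.0.0.254
!
! Enrollment (SCEP) requests arrive over HTTP on port 80
ip http server
!
crypto pki server CA-SRV
 issuer-name CN=CA-SRV.cisco.com
 lifetime ca-certificate 1825
 lifetime certificate 365
 no shutdown
! "no shutdown" asks for a passphrase (post's example: cisco123) that
! protects the CA's private key, then generates that key pair if absent
!
! Requests stay pending until an admin approves them (safer than "grant auto"):
! list what is waiting, then grant one request by id or all of them
crypto pki server CA-SRV info requests
crypto pki server CA-SRV grant all
```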

————————————————————————–

HQ-R1 enrollment to CA-SRV and change the authentication method from PSK to Digital Certificate

The story: HQ-R1 asks R3-CA-SRV to make it a certificate, because it wants to do VPN with BR-R2 without using PSK (promiscuous?!?) anymore…

With PSK the problem is always the same…too many PSKs…and you catch something nasty…

Meaning…to reach R2 use key A, to reach R3 use key B, to reach R4, R5, R6, R7..etc.??…we'd be carrying a whole keychain around (not preferable for a company with many branches)

First…create the path to R3-CA-SRV for requesting the certificate

Look at the enrollment keyword…it uses a URL to port 80 (that's what I meant by enabling http on R3-CA-SRV)

Then type "crypto pki authenticate [CA name]"…if it succeeds, R3 will hand over its certificate with its own unique fingerprint

Pay attention to the fingerprint…is it the same (later on BR-R2 we'll compare)

Second, enroll…ask for a certificate with "crypto pki enroll [CA name]"

crypto pki enroll

There'll be a few questions…the key one is "request certificate from CA"…type "yes"

Now…let's change HQ-R1's authentication method to RSA-SIG (digital certificate) from our CA trustpoint, with the identity using dn (distinguished name…that is…HQ-R1.cisco.com)

And then…Verification
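HQ-R1's trustpoint, the two enrollment commands and the IKEv2 profile change from PSK to RSA-SIG, as an added reconstruction (not the post's screenshots). The CA address, key label, "revocation-check none" and the "any" identity match are assumptions.

```cisco
! HQ-R1. CA address, key label and the "any" identity match are assumptions.
! Exec mode: key pair for the router's own certificate
crypto key generate rsa general-keys label HQ-R1-KEYS modulus 2048
!
! Config mode: the path to R3-CA-SRV (port 80, hence "ip http server" there)
crypto pki trustpoint CA-SRV
 enrollment url http://10.0.0.3:80
 subject-name CN=HQ-R1.cisco.com
 rsakeypair HQ-R1-KEYS
 revocation-check none
! lab only; in production check the CRL instead (revocation-check crl)
!
! Exec mode, step 1: fetch the CA certificate. Compare the fingerprint it
! prints with the one the CA shows on BR-R2 before answering "yes"
crypto pki authenticate CA-SRV
!
! Exec mode, step 2: enroll; answer "yes" at "Request certificate from CA?"
crypto pki enroll CA-SRV
!
! Config mode: switch the IKEv2 profile from PSK to RSA-SIG. The local
! identity is now the DN from the certificate (CN=HQ-R1.cisco.com).
! Remove the PSK-era "keyring local" and "match identity remote address"
! lines from the profile first.
crypto ikev2 profile IKE-PROFILE
 match identity remote any
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA-SRV
!
! Exec mode: verification
show crypto pki certificates
show crypto ikev2 sa detailed
```

"match identity remote any" is acceptable here only because "pki trustpoint" limits which CA is trusted; pinning the peer with a certificate map (as the post does on BR-R2) is the tighter choice.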

——————————————————————————-

Change BR-R2's authentication behavior to use a certificate when HQ-R1 wants to connect

Pretty much the same…define the CA path

See…the FINGERPRINT is the same as on HQ-R1…(check the R1 configuration above yourself)

Then…create a certificate map…so that anyone wanting to connect to BR-R2 uses the method defined in that certificate map…then put that map into the IKEv2 profile

As we can see above…if someone wants to connect to BR-R2, it has to show its certificate, and BR-R2 only trusts certificates from the CA-SRV we pointed to earlier
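BR-R2's side with the certificate map, added here as a reconstruction (not the post's screenshots). The CA address, key label and the issuer/subject CN strings are assumptions; the subject-name line goes one step beyond the post by also pinning the expected peer.

```cisco
! BR-R2. CA address, key label and the issuer/subject strings are assumptions.
crypto pki trustpoint CA-SRV
 enrollment url http://10.0.0.3:80
 subject-name CN=BR-R2.cisco.com
 rsakeypair BR-R2-KEYS
 revocation-check none
! then, in exec mode: crypto pki authenticate CA-SRV / crypto pki enroll CA-SRV
! (the CA fingerprint printed here must equal the one seen on HQ-R1)
!
! Certificate map: only a certificate issued by our CA, and for this peer,
! selects the profile. Lines inside one map are ANDed; "co" means "contains"
crypto pki certificate map CERT-MAP 10
 issuer-name co cn = ca-srv.cisco.com
 subject-name co cn = hq-r1.cisco.com
!
crypto ikev2 profile IKE-PROFILE
 match certificate CERT-MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA-SRV
```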

————————————-

Verification

Shut and then no shut the tunnel interface, so the IKEv2 negotiation is refreshed

show crypto ikev2 sa de

On HQ-R1…it wants to VPN to BR-R2 using RSA…

And on BR-R2 (picture below)…anyone who wants to connect gets RSA verification…

show crypto ikev2 sa de

And…I'm done

———————–

References:

https://alexandremspmoraes.wordpress.com/2012/04/09/flex-vpn-a-new-paradigm-for-ipsec-deployment-on-cisco-routers/

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/50282-ios-ca-ios.html

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115782-flexvpn-site-to-site-00.html

Configuring Dynamic IPsec Point-to-Point VTI

Introduction

For the static VTI config, see here

The problem with MOST static tunneling (whether GRE or VTI) is the administrative burden as the number of branches grows

So, why not create a dynamic one…a dynamic VTI tunnel, like DMVPN…a hub-and-spoke topology

The spoke routers still use static VTI, but the hub doesn't have to

Prerequisite for learning:

  • VPN Knowledge and Configuration
  • IKE phase 1 and phase 2

—————————————-

The Design

For the initial config, just put a default static route from R1, R2, R3 to R4-Internet…on the Internet router put a static route to each branch

——————————————————–

The Configuration

Actually the only thing that changes a bit is on the hub (R1-HQ); the branches/spokes use plain static VTI as usual

The settings are the standard IKEv1 site-to-site VPN…create the key, policy, profile, etc…

On the Hub (R1-HQ)

We create a "keychain"…with 2 keys in it…one each for R2 and R3

Then we create the SA (security association, phase 1) to negotiate with the branch which encryption, hashing and key model to use…

(the hash uses "sha"…it isn't shown there because it's the default; to see the default policy, type "show crypto isakmp policy")

Then we create the profile…which "keychain" to use for the VPN, to which site, through which interface

(virtual-template 1 we'll create below)

Then create phase 2, the IPsec transform…we want our traffic encapsulated in ESP with AES encryption (esp-aes), plus esp-sha-hmac for the key exchange so it's secure

Put that IPsec transform into the profile…

PFS = perfect forward secrecy….uses the Diffie-Hellman group 5 method (1500 bit) to ensure the key used for the VPN is never used twice, so on reconnection..a new key is generated (so it can't be duplicated)

Then create the virtual-template interface, THIS IS WHAT DISTINGUISHES STATIC VTI FROM DYNAMIC VTI

On the hub…we don't use a tunnel interface…we use a virtual-template interface

Configuration on R2 and R3

Use STATIC VTI, same as before
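The hub and one spoke from the steps above, as an added reconstruction (not the post's screenshots). The 1.1.1.1 hub loopback and 2.2.2.2 on R2-BR1 follow the post; the WAN addresses, keys and object names are assumptions.

```cisco
! R1-HQ (hub). WAN addresses and keys are assumptions.
! "Keychain": one key per branch
crypto keyring BRANCH-KEYS
 pre-shared-key address 203.0.113.2 key KEY-R2
 pre-shared-key address 203.0.113.3 key KEY-R3
! Phase 1 policy; hash sha is the default and is not shown by "show run"
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
! ISAKMP profile ties the keyring, any branch identity and the virtual-template
crypto isakmp profile DVTI-PROFILE
 keyring BRANCH-KEYS
 match identity address 0.0.0.0
 virtual-template 1
! Phase 2: ESP with AES encryption and SHA-HMAC integrity, PFS with DH group 5
crypto ipsec transform-set DVTI-TS esp-aes esp-sha-hmac
crypto ipsec profile DVTI-IPSEC
 set transform-set DVTI-TS
 set pfs group5
 set isakmp-profile DVTI-PROFILE
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
! Virtual-template instead of a static tunnel: one virtual-access per spoke
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI-IPSEC
!
! R2-BR1 (spoke): unchanged static VTI pointing at the hub
crypto isakmp key KEY-R2 address 203.0.113.1
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto ipsec transform-set DVTI-TS esp-aes esp-sha-hmac
crypto ipsec profile SVTI-IPSEC
 set transform-set DVTI-TS
 set pfs group5
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SVTI-IPSEC
ip route 1.1.1.1 255.255.255.255 Tunnel0
```

On the hub, routes back to the spoke networks come from a routing protocol over the virtual-access interfaces (not shown); "show crypto session" then lists each spoke's virtual-access as UP-ACTIVE.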

—————————————

Verification

For example, I ping from ip 2.2.2.2, which lives on Branch1 (R2-BR1)

Success, now let's see the VPN session

Yup….up and active

Can this use IKEv2? Yes…

—————————————————

References:

http://www.certvideos.com/configuring-dynamic-point-to-point-ipsec-vti-tunnels/

http://www.internet-computer-security.com/VPN-Guide/PFS.html