Advertisements
Home

How VPN works (especially site2site one)

Leave a comment

Well, another one of my note that left behind, I’ll make sure this one goes to my blog as well…

Gua buat catetan ini karena banyak konfigurasi yang ga ngerti pas lagi buat VPN…

ini command buat apaaa…kenapa harus adaaa…dsb dsb…

Make sure you read my basic VPN article first

———————————————————-

VPN Networking Protocol, the basic

There are 4 main protocols:

  • PPTP (Point-to-Point Tunnel Protocol), metode agar gimana caranya client/workstation bisa konek ke VPN (kek remote VPN gitu)
  • L2TP (Layer 2 Tunnel Protocol), metode agar gimana caranya Main Office Network bisa konek ke Branch Office network via ISP tapi dengan skema IP yang sama/network yang sama (contoh: main network pake IP 10.1.1.0~10.1.1.200, nah branch network tinggal make ip sisanya sampe 10.1.1.254…seakan2 nge-LAN gituh…walaupun beda wilayah)
  • IPsec (IP Security)…metode enkripsi untuk layer 3 (IP – internet Protocol)
  • SSL (Secure Socket Layer)…metode enkripsi untuk layer 4 keatas

Like I said…VPN networking protocol (Layer 3 in OSI Layer)…

The difference? I’ll explain it to you simply in one line: PPTP < L2TP < SSL < IPsec

Yang gunain PPTP rata2 adalah Microsoft Client (using Microsoft Windows Platform) and this protocol is a weak one (but easier to use and configure), link

Yang gunain L2TP rata2 adalah ISP…kelemahannya adalah Layer 3 ga dienkripsi (untuk itu biasanya digabung sama IPsec)

Yang gunain SSL adalah remote user untuk Remove VPN, user2 hanya perlu komputer yang support “HTTPS” (clientless, ga perlu install macem2, cukup browser aja)

Yang terakhir yang paling bagus adalah IPsec (RFC 4301)…jeleknya adalah settingannya aga banyak, plus harus disetting on both side of network, that’s why SSL more preferable in common user

——————————————————————

So…IPsec huh?

IPsec is quite complex (that’s why it secure…), why?

  • Because there must be some policy how to exchange and manage the key
  • Because there must be some protocol that can authenticate traffic
  • Or, there must be a protocol that CAN both encrypt and authenticate the traffic

From seeing above image, you’ll understand what I mean…

So, dalam membangun VPN terutama site2site…settingan IPsec pasti ada…

This guy itself support 2 encryption modes:

  • Transport mode: encrypt only payload (data), header ga diutak atik

ipsec-modes-transport-tunnel-3

  • Tunnel mode: default, more secure, header packet (inget…yg CCNA, PDU layer internet apa pada TCP/IP protocol?!?) juga di enkripsi

——————————————————–

Key Management, Policy, and Negotiation

Yup…we’re talking about IKE* (Internet Key Exchange)

Yang namanya VPN pasti ada tuker2an kunci (traffic VPN kan di enkripsi…cara buka-nya gimana…validasi peering VPN-nya juga gimana)

Nah, kita membahas how IKE works…

This protocol consist of 2 phase

  • Phase 1 (ISAKMP* Phase):
    • Specify gateway addresses (local ip buat VPN gateway traffic inbound dan remote ip VPN gateway traffic outbound)
    • Specify authentication…mau pake PSK* (pre-shared-key) atau mau pake Digital Certificate* (via CA*/PKI*)
    • Specify NAT-T* (NAT Traversal)
    • Specify Transform-set*
    • Phase 1 ada 2 mode:
      • Main Mode: more secure but slower…commonly used
      • Aggressive Mode: fast without encryption…biasanya klo salah satu IP Gateway ada yang dinamis, contoh:

    • All of those parameter above is called SA*

Don’t worry…I’ll explain those Terminology used in this article on the bottom chapter

  • Phase 2 (IPsec Phase):
    • Specify what traffic/network go through VPN (Access-list anyone?!?)
    • Specify the use of PFS*
    • Specify the proposal
      • authenticate and encrypt the traffic (ESP* – Encapsulating Security Payload)
      • or authenticate only (AH – Authentication Header), better performance-less secure
      • or both of them…AH and ESP (not common anymore, everyone prefers ESP now)
    • Specify Expiry Date…for Key and Session

Nah, IKE itu ada 2 versi…versi jadul yaitu IKEv1 dan versi robust and flexible one which called IKEv2

—————————————————————

IKEv1 and v2

IKEv1

  • Defined in RFC 2409
  • Use UDP port 500
  • Using “Phased” approach (ISAKMP – RFC 2408 on phase 1)

IKEv2

  • One of the document is RFC 4306 and RFC 5996
  • Same…use UDP port 500, and port 4500
  • Not backward compatible to IKEv1
  • Using Child SA instead of phase
  • Fewer exchanges data to form than IKEv1
  • Has built-in DPD*
  • Resistant to DoS attack because of cookie mechanism
  • Has built-in NAT-T
  • Can be used with EAP*

3 steps in IKEv2 exchange messages:

  • IKE_SA_INIT: tuker2 proposal SA sama peer, klo match…ke step selanjutnya (klo di IKEv1, mm-main mode alias phase 1-nya udah 4x bolak balik transaksi peering VPN)
  • IKE_AUTH & CREATE_CHILD_SA: authentikasi peers dan bikin child SA (ini kek Phase 2 di IKEv2, qm-quick mode)
    • CHILD_SA ini berguna untuk notifikasi peer mati, keepalive, authentication message, bikin key baru/rekeying dll
    • Klo ga ada child_sa, berarti balik lagi ke phase 1…repot
    • Ini artinya lebih cepet connect/reconnect-nya

IKEv2 provide better DoS prevention

Di IKE…hacker bisa ngirim SPI* (lets say peer initiation) to victim router with many spoofed IP address, hasilnya…consume CPU resources karena banyak “half open” initiation yang masuk, klo ga ada mekanisme prevention DoS…maka ketika victim router establish connection ke router peer DENGAN SPI/KEY YANG DIKASI HACKER…wassalam, ketauan semua isinya, soalnya hacker bisa generate sendiri key-nya (orang dia yang bikin) plus bisa decrypt traffic pake kunci itu

Di IKEv2, mereka pake cookies pas pertama kali peering VPN (ada semacam fingerprint lah)…jadi klo hacker ngirim SPI intended for man-in-the-middle attack…si victim router tinggal ngomong…”bener ga lu ngirim ginian?
Ke router asli-nya….karena router asli-nya punya cookie pas pertama kali peering…tinggal di cek…klo salah, di drop

Nah, di Cisco…mereka punya teknologi yang bernama FlexVPN* that relies heavily on IKEv2…

—————————————————————

Terminology

ISAKMP (Internet Security Association and Key Management Protocol): this is a framework…of protocol, kek lu mau masuk ke istana Negara…pasti ada protocol yang harus dipenuhi sebelum lu bisa masuk, nah protocol2 itu kan ga Cuma 1…pasti ada parameter2 lain yang harus dipenuhi. Kumpulan protocol2 ini di VPN dinamakan SA (security association)

Framework: i might have to explain this because I’ve used this words many times…klo protocol itu aturan, nah framework itu adalah kumpulan peraturan2

PSK (Pre-shared-key): think this as a password or key to enter a door…password being said must exactly same like password remembered by door guard (key also…must match in order to unlock the door), lawannya PSK? Digital Certificate

Digital Certificate: tired remembering all the password for site A, site B, site C, and so on…?? Or exhausted from bringing all keys in “Key-chain” to unlock all the doors?…this is the solution, it like ID Card for US…as long as You (as ID Card bearer) and Door Guard recognize the Card (who made it of course) then you ready to go…

PKI (Public Key Infrastucture): this is a framework explaining how to create digital certificate, which mentioned above

CA (Certificate Authority): ini server yang bikin digital certificate, dia yang bikin, dia juga yang verifikasi keasliannya

RA (Registration Authority): ini optional, klo lu mau CA cuma bikin sertifikat dan yang nge-cek validitasnya server lain…si RA ini untuk ngecek validitas certificate-nya

CRL (Certificate Revocation List): ini serial number-nya certificate…di dalemnya ada masa berlaku ini sertifikat (expiry date)

SCEP (Simple Certificate Enrollment Protocol): Cisco punya, kek PKI Framework-nya Cisco…simple, Cuma pake HTTP untuk ngirim dan nerima request dan sertifikat

NAT-T (NAT Traversal): NAT and IPsec is not compatible each other, NAT itu kan ganti IP…jelas akan break salah satu rules dari VPN yaitu integrity (make sure data hasn’t been changed). NAT-T ini bikin header UDP di”depan”nya IPsec…jadi yang dibaca UDP NAT-nya dulu bukan IPsec-nya…both side harus aware klo mereka pake NAT-T (bahasa mudahnya…2-2nya harus dienable NAT-T klo mau pake VPN). Workaround for NAT-T? just use IP PUBLIC on your Firewall/Gateway

SA (Security Association): men-define mau pake apa enkripsinya, integritynya (hashing), bikin key sama tuker2annya mau pake apa

  • Encryption mode: aes, des, 3des
  • Hashing mode: md5 atau sha
  • Key exchange mechanism: DH = diffie-hellman, all variant
  • Expiry date untuk key-nya

Transform Set: isinya adalah metode yang akan digunakan oleh IPsec…mau pake ESP apa AH

PFS (Perfect Forward Secrecy): ensure itu VPN peer ga make key yang sama klo mau bikin session VPN baru

ESP (Encapsulation Security Payload): defined in RFC 4303 using IP Protocol* 50, isinya bagaimana caranya kita bisa authenticate dan encrypt itu traffic lewat VPN

IP Protocol: tipe2 sub-protocol didalam IP itu sendiri, contoh: 50 – ESP, 51 – AH, 46 – RVSP buat QoS, dll…(link)

AH (Authentication Header): more fast but less secure than ESP, only authenticate header with no encryption

DPD (Dead Peer Detection): teknologi untuk memastikan VPN peering kita ga down…kek IP SLA-nya VPN lah (default di IKEv2 sudah bisa setting ginian, ga perlu konfigurasi khusus kek di IKEv1)

EAP (Extensible Authentication Protocol): sebuah framework untuk extend PPP protocol yang mengatur bagaimana caranya mengauthentikasi user (bisa pake password, AAA, LEAP-nya Cisco, EAPOL-nya ethernet LAN, dll)

SPI (Security Parameter Indexes): mekanisme identifikasi SA ke packet yang datang (besarnya 32 bit)

——————–

References:

ISAKMP – https://tools.ietf.org/html/rfc2408

IKE – https://www.ietf.org/rfc/rfc2409.txt

Security Architecture for IP – https://tools.ietf.org/html/rfc4301

IPsec – https://tools.ietf.org/html/rfc4303

IKEv2 – https://tools.ietf.org/html/rfc4306

IKEv2 Updated – https://tools.ietf.org/html/rfc5996

http://www.h-online.com/security/features/A-death-blow-for-PPTP-1716768.html

https://tools.ietf.org/html/draft-ietf-ipsec-ikev2-tutorial-01

http://www.juniper.net/documentation/en_US/junos12.3×48/topics/concept/vpn-security-ikev2-understanding.html

http://security.stackexchange.com/questions/56434/understanding-the-details-of-spi-in-ike-and-ipsec

https://supportforums.cisco.com/document/21746/what-extensible-authentication-protocol

https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

CCNP Security SIMOS powerpoint slide

Advertisements

Configuring IKEv2 Site-to-Site VPN with IOS 15 and ASAv

Leave a comment

What we are going to learn

  • The theory of IKEv2
  • How to configure IKEv2 site-to-site VPN with Cisco Router (IOS v15 mandatory)
  • How to configure IKEv2 site-to-site VPN with Cisco ASAv
  • Hopefully, how to develop it using Juniper Junos and with vSRX (part 2, coming soon)

Requirement:

  • GNS3
  • IOS 15 (search: C7200-ADVIPSERVICESK9-M Version 15.2(4), google it yourself)
  • ASAv .vmdk (same, look it up yourself)
  • WinXP VM .vmdk (same, but you can use your loopback interface if you wish)

Prerequisite for learning:

  • VPN knowledge
  • ASA basic configuration

———————

The Idea

Design

IKEv2 Router-ASAv.png

—————————

What is IKEv2? Even more…what is IKE itself??

Ada baiknya baca kriptografi fundamental dulu…but if you want to skip, I’ll explain it to you briefly

Before IKE, there was ISAKMP (Internet Security Association and Key Management Protocol)…sebuah protocol yang berisi framework bagaimana cara mengatur SA (security Association) dan metode2 kriptografi di jaringan

Apa itu SA? Parameter2 seperti hashing, enkripsi, authentikasi, dsb yang harus dipenuhi dan disepakati oleh kedua belah pihak (peer) untuk bikin VPN

Nah, protocol ISAKMP itu hanya untuk securing “channel”nya (jaringannya saja, phase 1), dengan IKE kita bisa securing traffic-nya juga (with IPsec, phase 2)

So, ISAKMP is a part of IKE, and IKEv2 add more robustness to Key Exchange mechanism…one of them is by supporting EAP (Extensible Authentication Protocol) by default, itu loh yang digunain ama 802.1x alias EAP over LAN alias EAPOL, yang pake AAA Server itu

Sebenernya banyak lagi keunggulan IKEv2, hanya saja gw sendiri ga terlalu dig deeper, perbedaan lebih banyak bisa dilihat disini

And last…IKEv1 dan IKEv2 not compatible with each other…

Eh…IKEv1 config-nya yang kek mana? Ya itu…yang site-to-site VPN biasa…itu IKEv1 (yang securing DMVPN gw waktu itu pun termasuk IKEv1)

——————————-

The Configuration

IKEv2 ada beberapa step…

  • Bikin domain sama rubah default hostname
  • Bikin ACL, bikin list IP-IP mana aja yang bisa VPN (important note ada dibawah)
  • Bikin Proposal, ini kek ISAKMP-nya IKEv2
  • Bikin Policy, kita bikin policy yang dimana policy itu ada proposal-nya
  • Bikin Keyring (gantungan kunci?!?)
  • Bikin Transform-set, settingan IPsec-nya
  • Bikin Mapping, join all pieces above together
  • Mapping itu IKEv2 ke interface, ke outside/peer tentunya

On Cisco Router (mau bikin site2site VPN antar router juga bisa pake contoh ini)

Pertama2, ganti hostname dan domain dulu…

The truth is, gw juga ga tau apa hubungannya domain & hostname dengan IKEv2 (di GNS3 dengan IOS yang gw punya…entah kenapa klo ga pake 2 command ini, ga jalan IKEv2-nya)

Next, the Access-list

ACL IKEv2

Important: jangan bikin “permit ip ANY ANY“…kadang suka ga jalan (I learned it the hard way *Sad*), biasain spesifik bikinnya

The Third one is, The Proposal

Biasa…nego2 dulu sama peer sebelah…gw maunya pake enkripsi ini, pake hashing anu…harus sama satu sama lain

encryption: bikin data ga bisa dibaca

integrity: bikin data ga bisa dirubah

group:…ini diffie-hellman algorithm…untuk secure key exchange, angka 5 dan 2 itu tingkat kesulitan algorithmanya (dont ask me the detail, i dont know either lol)

The Fourth One is, Policy

Ibarat kata, klo mau pake IKEv2…harus ada policy (dimana policy-nya pake proposal yang kita buat tadi)

And the Fifth one is, define Keyring

Konsepnya memang gantungan kunci…kunci A buat pintu A, kunci B buat pintu B, dimana Peer = Kunci (Peer Branch = Kunci ke Branch), semuanya dikumpulkan di…gantungan kunci wkwkwk

And the Sixth one is, Transform-set

transform-set IKEv2

Transform ini untuk IPsec yang mau kita gunakan apakah mau pake encapsulating security payload (esp) yang mana…disini gw pake aes untuk authentikasi dan pake sha512-hmac buat hashing key-nya

Next, the Seventh one, Profile

Kita bikin profile, klo mau ke peer pake authentikasi model apa (match address local sama identity remote address), disini gw pake pre-shared-key

And the eighth one, joining all pieces togetherMapping

And last, taro itu crypto map di interface OUTSIDE alias yang ke WAN alias yang kearah Peer VPN kita

On ASA

Untuk ASA sebenernya ada Site-to-Site VPN Wizards-nya, but im not gonna do that way (menyusahkan diri sendiri sih)…in case of some troubleshooting…

(Disclaimer: entah kenapa kadang IKEv2 nya ga jalan…gw konfig IKEv1 dulu trus bikin IKEv2 baru tuh traffic jalan, termasuk di Router-nya juga, kek ga mau “ngangkat” gitu VPN-nya…pas IKEv2 udah jalan, gw apus yg IKEv1 masih normal2 aja, let me know why that happen)

Step2-nya adalah

  • Bikin Object group dulu (contoh: INSIDE-NET Object buat network 10.2.1.0-nya kita)
  • Bikin ACL, biar INSIDE object (yg isinya network 10.2.1.0) bisa ke OUTSIDE (bikin juga object ini, ke 10.1.1.0)
  • Routing nya jgn lupa (biar bisa ping lah -_- )
  • Bikin IKEv2 Policy dan Proposal
  • Pastikan koneksi IKEv2 dari luar di enable
  • Bikin group policy sama tunnel group
  • Dan bikin crypto-map nya

On Firewall Menu Configuration (Object network & access-list)

On Configuration (next to Home icon) > Firewall > Objects > Network Objects/Groups > add

Trus ke Firewall > Advanced > ACL Manager > add

ACL Manager

Versi CLI-nya (I know some of you are “CLI-freak” hahaha)

trus ke Device Setup menu untuk setting Routing-nya

masuk ke Device Setup > Routing > Static Routes > add

Versi CLI-nya:”route outside 10.1.1.0 255.255.255.0 1.1.1.1” (pendek ya, daripada klak klik ga jelas, that’s why I know some people prefer the “old fashioned way”)

Trus bikin Policies-nya di Site-to-Site VPN menu

Site-to-Site VPN > Advanced > IKE Policies > add (IKEv2 policies)

Versi CLI:

Jgn lupa di centang “Allow IKEv2 Access” (klo pake cli:”crypto ikev2 enable outside“, gambar dibawah ini)

Next, the proposal…Site-to-Site VPN > Advanced > IPsec Proposals > add (IKE v2 IPsec Proposals)

Versi CLI:

Trus configure group policy-nya…klo mau konek ke peer 1.1.1.1 pake tunnel apa (ikev1/ikev2)

Site-to-Site VPN > Group Policies > add

The CLI way:

Trus configure tunnel-group-nya on Site-to-Site VPN > Advanced > Tunnel Groups > add

The CLI way:

Last, define crypto map, Site-to-Site VPN > Advanced > Crypto Maps > add

crypto-map

The CLI way:

————————————————————————–

Verification

On Router, we can type “show crypto session

Alrite, IKEv2 is UP and ACTIVE

On ASA…masuk ke Monitoring > VPN > VPN Connection Graphs > IPsec Tunnels (atau sessions juga bisa)

screenshot pingnya lupa gw pasang, nanti klo ada waktu gw tambahin

——————————————-

References:

http://www.omnisecu.com/ccna-security/how-to-configure-site-to-site-ikev2-ipsec-vpn-using-pre-shared-key-authentication.php

https://www.fir3net.com/Firewalls/Cisco/cisco-how-to-configure-an-ikev2-site-to-site-vpn.html

http://rockhoppervpn.sourceforge.net/techdoc_ikev1vsikev2.html

Keith Barker SIMOS cbtnuggets video

Older Entries