Pages

Showing posts with label Enterprise. Show all posts
Showing posts with label Enterprise. Show all posts

Wednesday, 24 February 2021

Device Security using AAA (TACACS+, RADIUS and Local Database)

Authentication Authorization and Accounting

Authentication refers to the verification of the users accessing a device; it seeks answers to the question "Who are you?". Authorization defines what resources the user is allowed to access and which operations the user is allowed to perform. Accounting logs all user actions on the system.

AAA is usually used for device access and network access. Device access may require privileged access for administrative purposes.

Application of AAA in network access can be used to segregate users between employee access and guest access. Additionally, employee access can be further refined such that some employees can access some departmental resources and others should be unable to access network resources in other departments.

Authentication of a user can be performed using a username and password combination. Certificates (PKI) can also be used to authenticate users. The user may be a network device.

Authorization defines what resources the user has access to. It can also be defined as what actions the user is permitted to perform on a device.

AAA Components

AAA consists of three components: supplicant, authenticator and authentication server.

  1. Supplicant: device requesting access; this may be a laptop, printer, smartphone. The supplicant is either requesting for network access or device access. Supplicant may also refer to the software on the laptop that is used to authenticate the end user.
  2. Authenticator: this is the device being accessed; it is the device that is enforcing authentication (NAD). With device access, this device can be any network-connected device such as router, switch, wireless LAN controller. If the access request is for network access, the device is usually a wireless LAN controller or switch for wireless and wired network access respectively.
  3. Authentication server: validates the identity of the client and notifies the authenticator if the client is authorized to access the network or device. This authentication uses username/password combination or certificates (PKI) to authenticate users. RADIUS is an example of an authentication service.

    Cisco systems offers Identity Services Engine (ISE) and Access Control System (ACS) to provide AAA services for a network.

Protocols

AAA can be used to authenticate users for device administration or network access:

  1. Device administration: device access is done using console, SSH, Telnet and HTTP(S). The network device then uses RADIUS or TACACS+ to authenticate the user's network access with the authentication server.
  2. Network access: users can be authenticated using protocols such as EAPoL, HTTP(S), SSL, IKEv1 and IKEv2. RADIUS, TACACS+ are used between NAD and authentication server.

Privileges

Privileges are the list of commands that a user is authorized to execute. IOS defines different privilege levels with level 0, 1 and 15 defined by default. Privilege levels 2-14 are open for customization. The following table displays the different levels of privileges in Cisco IOS:

Privilege Level Origin Accessibility
0 Built-in No access. Few commands are available.
1 Built-in User mode, very limited access. It is the default exec user level and provides some show commands.
15 Built-in Privilege exec / enable mode, verification and full access.
2 - 14 User-defined Granular control over commands users are authorised to use

Custom Privileges

These custom privilege levels are defined in the range 2 – 14. Users can then be assigned these privileges based on the level of configuration depth that you would like them to make on the devices. The default privilege for remote access (SSH, Telnet) is 1(one) while console is 15. If a privilege level is not assigned to a line or user, then the default privilege is used.

When configuring allowable commands to privilege levels, higher privilege levels inherit commands allowed in lower privilege levels. For example assigning a privilege level of 7 to a user grants the user privileges to run commands that have been defined in privilege levels 0 – 6 in addition to level 7.

The following example configuration sets the commands that the custom privilege level 2 is permitted to run. Here, the user is permitted to access the configuration mode and shutdown or enable interfaces only. Privilege level 2 is then assigned to a user account on the local database.

R1(config)#privilege exec level 2 configure terminal
R1(config)#privilege configure level 2 interface
R1(config)#privilege interface level 2 shutdown
R1(config)#privilege interface level 2 no shutdown
R1(config)#privilege exec level 2 show privilege
R1(config)#username bob privilege 2 secret alice
R1(config)#privilege interface level 3 ip address
R1(config)#privilege configure level 3 ip domain-name
R1(config)#username user3 privilege 3 secret cisco3

When the privilege level is defined on the router as in the case above, by default, the router will use the local database for commands.

The use of role-based access control(RBAC) provides granular control over commands and privileges from a centralized point.

Line Privilege

Privilege level can be configured for a line rather than a user (see Local Database section). This can be accomplished using the line command privilege level <level>. Here, all users who login into the device through the configured line will be granted the same privilege level.

R1(config)#line vty 0 4
R1(config-line)#privilege level 10

If a user has a privilege configured in the local database and the user logs into the device through a VTY line that has a configured privilege, the user's local database configured-privilege supersedes the configured line privilege.

Verification

To verify privileges of the login session, use the command show privilege.

R2#192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: bob
Password:
R1#show privilege
Current privilege level is 2

From the output above, the VTY line was configured with a privilege level of 10. However, the user bob's session privilege is 2(two) which is the privilege level configured in the local database.

Local Database

The local database is a list of user accounts configured on the local device. The local database contains records of the username, password and configured privilege levels for users. The local database supports authentication and authorization features. However, it does not support accounting functionality. Authorization is supported through the configuration of privilege levels. This database can be used to authenticate many types of sessions such as login sessions.

A local user database is created using the global config command username <username> privilege <level> secret <password>. Use of the keyword secret is preferred to password because it encrypts the secret key in the configuration file. If password is used, then the secret key has to be encrypted in the configuration file using the command service password encryption.

R1(config)#username bob privilege 1 secret alice
R1(config)#username alice privilege 1 secret bob
R1(config)#username rasta privilege 1 password reggae
R1(config)#do show run | in username
username bob privilege 2 secret 5 $1$WHSh$PYERWv2eq6ud0txH8G4id.
username alice privilege 3 secret 5 $1$HxyA$IHet6l6lilvR7A2z7bYme.
username rasta password 0 reggae

Local Database for Authentication

If the local database is to be used for authenticating remote users through VTY lines or local console connections, then the following commands can be used.

R1(config)#ip domain-name emmanueltoko.blogspot.com
R1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: R1.emmanueltoko.blogspot.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 33 seconds)

R1(config)#
*Feb 22 13:29:06.599: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip ssh version 2
R1(config)#do show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2ErQIRNGA/SVNcDfgoGZs2KTF3nNPXPC19zUVakD9
NGKyb88AhWu1kVJeOSBarZzivfezJY5E2QLzFw6FjZ6Tla41NOTduziwzHht2dvO3kDTCli61wW9bF5Q
ekjXc8HOwOXd2f0kslx8Il9QxELY1Sq01tPk/Q4Pgza3NOqC+oLHVLkJt5JBDn84AybjYn56OgXk1ETb
Mjj2VKy7M7WdNlhful17LHX/mkVVZSavpMfMhpjaz/Z+yHbgGsNu5r5wNS29+rMpjB4OCAbpATy/Ee1V
GsEEiQU8XChJk9kwM8ADxFJZKz5bHHlmbyiI9LS/jN3SaEtZbU2pKpQwMaKN
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input ssh telnet

The above command enables authentication using the local database on vty lines 0 to 4 (5 simultaneous remote logins). In this snippet, SSH has been enabled as the primary remote access method with telnet as backup if SSH fails.

Note: It is recommended that remote access using telnet be disabled as it sends the authentication credentials and commands to the remote device in clear text.

Device Security With AAA

AAA refers to authentication, authorization and accounting. It is a refined approach to authenticating users, authorizing their activities and logging (accounting) for all their activities and commands issued on a network device. AAA supports the use of the local database, RADIUS and TACACS+ for authenticating and authorization, and only RADIUS and TACACS+ for accounting.

AAA features are not available until enabled globally using the global config mode command aaa new-model.

Local Database

When implementing AAA using the local database, the router authenticates the username and password using the local database and the user is authorized to access the network device based on the information in the local database. Local authentication is used on small networks and is not scalable.

Authentication with Local Database

  1. Turn on AAA services;

    R1(config)#aaa new-model

  2. Create a local user:

    R1(config)#username user secret pass

  3. Set the enable password:

    R1(config)#enable secret pass

  4. Configure login authentication to use the enable password as the default method:

    R1(config)#aaa authentication login default enable

    OR

    Create a login authentication method named local_auth and set it to authenticate users against the local database:

    R1(config)#aaa authentication login local_auth local

  5. Apply AAA authentication to the VTY lines;

    If using the default method:

    R1(config)#line vty 0 15
    R1(config-line)#login authentication default

    If using a configured authentication method:

    R1(config)#line vty 0 15
    R1(config-line)#login authentication local_auth

  6. SSH to above router: It uses the local database to authenticate;

    R1#ssh -l user7 192.168.1.1

Authorization using Local Database

If authorization is enabled for a line, and enable secret is configured, the enable secret is superseded by the aaa authorization. If authorization is not enabled for an authenticated user, the privilege level for a remote user (SSH) is set to 15. The user's configured privilege level is only enforced after enabling authorization.

To enable authorization,

  1. Create a user:

    R1(config)#username user secret pass

    Login to the above router from the remote host: What is the privilege level?
  2. Create an exec-authorization method: Create method list local-author. Configure authorization to be performed against the local router’s database

    R1(config)#aaa authorization exec local-author local

  3. Apply local-author as an authorization method for the vty lines

    R1(config)#line vty 0 4
    R1(config-line)#authorization exec local-author

  4. Configure local authorization for specific intefaces

    R1(config-if)#aaa authorization exec <interface-type> <interface-number>

  5. Configure local authorization for specific commands:

    R1(config)#aaa authorization commands <privilege-level> <command> local
    Replace privilege-level and command with the appropriate privilege level and command permitted respectively.

  6. Telnet to router and authenticate.

The main drawbacks of local user authentication are:

  • User credentials are stored locally i.e., on the device
  • Solution is not scalable if the network grows to hundreds of devices
  • More administrative overhead
  • No centralized control over authentication services

It is therefore recommended to deploy the services of external server-based authentication such as ISE, ACS, or any other platform that supports RADIUS or TACACS+ for network access control.

Verification

AAA operational state can be varied by the various sub-commands under the show aaa command.

R1#show aaa ?
  acct-stop-cache   Show Acct Session IDs of poisoned sessions
  attributes        Show attributes supported by AAA subsystem
  cache             Show contents of AAA caches
  clients           Show AAA Client statistics
  command           Show AAA command infomation
  dead-criteria     Show what criteria will be applied to mark the specified
                    server dead
  local             Show AAA local method options
  memory            Memory usage information
  method-lists      Show method lists defined in the AAA subsystem
  servers           Show All AAA Servers as seen by the AAA Server MIB
  service-profiles  Show AAA service profiles downloaded and stored
  sessions          Show AAA Sessions as seen by AAA Session MIB
  user              Show users active in the AAA subsyste

R1#show aaa sessions
Total sessions since last reload: 8
Session Id: 8
  Unique Id: 23
  User Name: etoko3
  IP Address: 192.168.2.2
  Idle Time: 0
  CT Call Handle: 0
R1#

RADIUS

RADIUS (Remote Authentication Dial-In User Service) is a standards-based protocol for implementing AAA (RFC 2865). It combines authentication and authorization into a single resource. It offers robust accounting features. Previously (RFC 2138), the default ports for RADIUS servers are 1645 for authentication and 1646 for accounting. RFC 2138 sets the RADIUS ports on UDP to 1812 for authentication and 1813 for accounting. RADIUS uses both TCP and UDP as the transport protocol; however UDP is more commonly used. With RADIUS, only the password is encrypted. RADIUS combines authentication and authorization features. It offers robust accounting features.

The RADIUS server may be located in the same subnet or remote network. All that is required is for the local device to have IP connectivity to the RADIUS server.

Authentication

When configuring authentication of user credentials against a RADIUS server, the local device sends the authentication credentials entered by the user to the specificed IP address of the RADIUS server connecting to the port number 1812.

When configuring RADIUS authentication, ensure that a backup authentication method is configured to avoid being unable to access the device due to misconfiguration of the RADIUS authentication. Usually, this backup authentication method is the local database. When authenticating a user login session against a RADIUS server, IOS will attempt to connect to the RADIUS server up to five times by default, to make an access request. If the connection attempt fails all these five times, then the backup authentication method is used. A RADIUS server will not respond to an access request if the requester is not configured as a client. This happens regardless of whether IP connectivity between the client and the server exists.

RADIUS uses MD5 to generate a digest of the user's password by default.

If the RADIUS server does respond with an access denied message to an authentication request, then the IOS will deny access and not use the configured backup authentication method.

Configuration

  1. Enable AAA with aaa new-model command;

    R1(config)#aaa new-model

  2. Define the source of authentication: use local database as last resort; The default RADIUS authentication port is 1812 and accounting port 1813.

    R1(config)#radius-server host 192.168.1.2 auth-port 1812 acc-port 1813
    R1(config)#radius-server host 192.168.1.2 key password

    OR

    R1(config)#radius server RADIUS_SERVER01
    R1(config-radius-server)#address ipv4 192.168.1.2 auth-port 1812 acct-port 1813
    R1(config-radius-server)#key complexpassword
    R1(config)#radius server RADIUS_SERVER02
    R1(config-radius-server)#address ipv4 192.168.1.5 auth-port 1812 acct-port 1813
    R1(config-radius-server)#key complexkey

    Additional interaction with the RADIUS servers can be configured using the following options:

    • timeout <1-1000>: the time to wait(in seconds) for the server to respond when requesting for an authentication attempt. If access to the first server times out, an attempt to connect to the second server is initiated.
    • retransmit <0-100>: number of retries to active server after every failure. The default number of retransmit attempts is five times.

  3. Server groups
    1. Default Radius group:

      When configuring a server, it is automatically added to a group radius. If a server group is explicitly configured (step below), then the server will be added to this group. This can be verified using the command show radius server-group all:

      R1#show radius server-group all
      Server group radius                    
          Sharecount = 1  sg_unconfigured = FALSE
          Type = standard  Memlocks = 1      
          Server(192.168.1.2:1812,1813) Transactions:
          Authen: 0   Author: 0       Acct: 0
          Server_auto_test_enabled: FALSE    
           Keywrap enabled: FALSE            
          Server(192.168.1.5:1812,1813) Transactions:
          Authen: 0   Author: 0       Acct: 0
          Server_auto_test_enabled: FALSE    
           Keywrap enabled: FALSE            
      R1#

    2. Custom Server Group:
      1. Define a group name that will contain the list of servers: aaa group server radius <group-name>.

        R1(config)#aaa group server radius RADIUS_SERVERS

      2. Define each server in the group server <ip-address>

        R1(config-sg-radius)#server name RADIUS_SERVER01
        R1(config-sg-radius)#server name RADIUS_SERVER02

        Alternatively, IP address or server name (requires DNS server to be configured) of the RADIUS servers can be defined in place of the server names using the command server <ip-address|hostname>. The timeout and retransmit settings can also be configured for each server in this group.

        R1(config-sg-radius)#do show radius server-group all
        Server group radius                      
            Sharecount = 1  sg_unconfigured = FALSE
            Type = standard  Memlocks = 1        
            Server(192.168.1.2:1812,1813) Transactions:
            Authen: 0   Author: 0       Acct: 0  
            Server_auto_test_enabled: FALSE      
             Keywrap enabled: FALSE              
            Server(192.168.1.5:1812,1813) Transactions:
            Authen: 0   Author: 0       Acct: 0  
            Server_auto_test_enabled: FALSE      
             Keywrap enabled: FALSE              
        Server group RADIUS_SERVERS              
            Sharecount = 1  sg_unconfigured = FALSE
            Type = standard  Memlocks = 1        
            Server(192.168.1.2:1812,1813) Transactions:
            Authen: 0   Author: 0       Acct: 0  
            Server_auto_test_enabled: FALSE      
             Keywrap enabled: FALSE              
            Server(192.168.1.5:1812,1813) Transactions:
            Authen: 0   Author: 0       Acct: 0  
            Server_auto_test_enabled: FALSE      
             Keywrap enabled: FALSE              
                                                  
        R1(config-sg-radius)#

        If configuring a server as private, using server-private instead of server, it does not get added to the group radius but is only available in the group can it is defined in.

        R1(config)#aaa group server radius RADIUS_SERVERS
        R1(config-sg-radius)#server-private 192.168.1.7 auth-port 1645 acct-port 1646 key cisco

  4. Configure the purpose of the authentication and method of authentication:
    1. Purpose of authentication: authentication can be enabled for a list of services such as the following:
      • login: login to the device.
      • enable: executing the enable command to move into privileged mode. The authentication prompt for enable appears regardless of connection type i.e., console, SSH, telnet.
      • dot1x: End user network access.
    2. Authentication list: You can list authentication methods by giving the method a descriptive name or using the unnamed ‘default’ method; aaa authentication login <default | list-name method1, method2, method3>.
      1. default list: the default authentication list uses the keyword default to define the list;

        R1(config)#aaa authentication login default

        It is recommended to use the named list over the default list. The default list keyword gets attached to console, vty lines automatically; it is common to all the lines. This increases the possibilities of getting locked out due to misconfiguration. With the named lists, the different lines such as console, vty will require explicit configuration.

      2. Using a named list: here, the named list AAA_AUTHENTICATION is used:

        R1(config)#aaa authentication login AAA_AUTHENTICATION

    3. Define the authentication method(s):

      More than one method can be configured. The methods refer to the following;

      • tacacs+: each tacacs+ server is tried in configuration order
      • radius: each radius server is tried in configuration order
      • local: the local user database containing the username commands configured on the switch
      • local-case: use the local database with case sensitivity.
      • enable: use of the enable password for authentication.
      • line: line passwords authenticate any connected user. No usernames can be used.

      The following configuration uses the enable authentication as a backup for RADIUS authentication.

      R1(config)#aaa authentication login AAA_AUTHENTICATION group radius local enable

      The keyword group has the options RADIUS or TACACS and the authentication request will be forwarded to the configured RADIUS groups first, the next 'local' will be used if the RADIUS servers are unavailable/unreachable. Lastly, the enable password will be used for authentication. Note: Add the local, line and/or enable methods at the end of the list as a last resort authentication method.

      If the authentication using RADIUS fails, the next authentication method is not used. RADIUS authentication failure happens when a user account is not available in the RADIUS server or when a user's password is not correct. The second authentication method is only used if the RADIUS server is not reachable.

      However, if the local or local-case authentication method is configured as first authentication method and RADIUS as second, if an authentication request fails for the local method, then RADIUS authentication is attempted next. This fact can be used to ensure that some users are authenticated using the local database and others use RADIUS only.

  5. Apply a method list to a line (Console, VTY): To enable AAA authentication on VTY lines 0 to 4 (5 simultaneous connections).

    R1(config)#line vty 0 4
    R1(config-line)#login authentication AAA_AUTHENTICATION

Instead the default unnamed method list can be used if method list was not defined in Step 4.

Verification

RADIUS authentication can be verified using the command debug radius authentication. The following output shows an attempt to login remotely using telnet. The RADIUS servers in the server group are unreachable, so the backup authentication method, local-case is used and is successful:

!!On R1

R1#debug radius authentication


!--------------------------

!!On R2

R2#192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: bob
Password:

R1#

!!! Debug messages on R1
!---------------
*Apr 17 22:47:31.367: RADIUS/ENCODE(00000024): ask "Username: "
*Apr 17 22:47:31.367: RADIUS/ENCODE(00000024): send packet; GET_USER
R1(config)#
*Apr 17 22:47:37.479: RADIUS/ENCODE(00000024): ask "Password: "
*Apr 17 22:47:37.483: RADIUS/ENCODE(00000024): send packet; GET_PASSWORD
R1(config)#
*Apr 17 22:47:41.855: RADIUS/ENCODE(00000024):Orig. component type = Exec
*Apr 17 22:47:41.859: RADIUS: AAA Unsupported Attr: interface [221] 4 1797168952
*Apr 17 22:47:41.859: RADIUS/ENCODE(00000024): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Apr 17 22:47:41.859: RADIUS(00000024): Config NAS IP: 0.0.0.0
*Apr 17 22:47:41.859: RADIUS(00000024): Config NAS IPv6: ::
*Apr 17 22:47:41.863: RADIUS/ENCODE(00000024): acct_session_id: 19
*Apr 17 22:47:41.863: RADIUS(00000024): sending
*Apr 17 22:47:41.867: RADIUS/ENCODE: Best Local IP-Address 192.168.1.1 for Radius-Server 192.168.1.2
*Apr 17 22:47:41.867: RADIUS(00000024): Send Access-Request to 192.168.1.2:1812 id 1645/2, len 67
*Apr 17 22:47:41.867: RADIUS: authenticator 83 1D 62 A3 6C FD D2 D4 - A2 59 29 65 B0 96 39 3D
*Apr 17 22:47:41.867: RADIUS: User-Name [1] 5 "bob"
*Apr 17 22:47:41.867: RADIUS: User-Password [2] 18 *
*Apr 17 22:47:41.867: RADIUS: NAS
R1(config)#-Port [5] 6 2
*Apr 17 22:47:41.867: RADIUS: NAS-Port-Id [87] 6 "tty2"
*Apr 17 22:47:41.867: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Apr 17 22:47:41.867: RADIUS: NAS-IP-Address [4] 6 192.168.1.1
*Apr 17 22:47:41.867: RADIUS(00000024): Sending a IPv4 Radius Packet
*Apr 17 22:47:41.867: RADIUS(00000024): Started 5 sec timeout
R1(config)#
*Apr 17 22:47:46.875: RADIUS(00000024): Request timed out!
*Apr 17 22:47:46.875: RADIUS: Retransmit to (192.168.1.2:1812,1813) for id 1645/2
*Apr 17 22:47:46.879: RADIUS(00000024): Started 5 sec timeout
R1(config)#
*Apr 17 22:47:51.923: RADIUS(00000024): Request timed out!
*Apr 17 22:47:51.923: RADIUS: Retransmit to (192.168.1.2:1812,1813) for id 1645/2
*Apr 17 22:47:51.927: RADIUS(00000024): Started 5 sec timeout
R1(config)#
*Apr 17 22:47:56.959: RADIUS(00000024): Request timed out!
*Apr 17 22:47:56.959: RADIUS: Retransmit to (192.168.1.2:1812,1813) for id 1645/2
*Apr 17 22:47:56.963: RADIUS(00000024): Started 5 sec timeout
R1(config)#
*Apr 17 22:48:01.979: RADIUS(00000024): Request timed out!
*Apr 17 22:48:01.979: RADIUS: Fail-over to (192.168.1.5:1812,1813) for id 1645/2
*Apr 17 22:48:01.983: RADIUS(00000024): Started 5 sec timeout
R1(config)#
*Apr 17 22:48:07.019: RADIUS(00000024): Request timed out!
*Apr 17 22:48:07.019: RADIUS: Retransmit to (192.168.1.5:1812,1813) for id 1645/2
*Apr 17 22:48:07.019: RADIUS(00000024): Started 5 sec timeout
R1(config)#
*Apr 17 22:48:12.047: RADIUS(00000024): Request timed out!
*Apr 17 22:48:12.047: RADIUS: Retransmit to (192.168.1.5:1812,1813) for id 1645/2
*Apr 17 22:48:12.051: RADIUS(00000024): Started 5 sec timeout
R1(config)#
*Apr 17 22:48:17.083: RADIUS(00000024): Request timed out!
*Apr 17 22:48:17.083: RADIUS: Retransmit to (192.168.1.5:1812,1813) for id 1645/2
*Apr 17 22:48:17.087: RADIUS(00000024): Started 5 sec timeout
R1(config)#
*Apr 17 22:48:22.111: RADIUS(00000024): Request timed out!
*Apr 17 22:48:22.111: RADIUS: Fail-over to (192.168.1.7:1645,1646) for id 1645/2
*Apr 17 22:48:22.115: RADIUS(00000024): Started 5 sec timeout
R1(config)#
*Apr 17 22:48:27.135: RADIUS(00000024): Request timed out!
*Apr 17 22:48:27.135: RADIUS: Retransmit to (192.168.1.7:1645,1646) for id 1645/2
*Apr 17 22:48:27.139: RADIUS(00000024): Started 5 sec timeout
R1(config)#
*Apr 17 22:48:32.175: RADIUS(00000024): Request timed out!
*Apr 17 22:48:32.179: RADIUS: Retransmit to (192.168.1.7:1645,1646) for id 1645/2
*Apr 17 22:48:32.183: RADIUS(00000024): Started 5 sec timeout
R1(config)#
*Apr 17 22:48:37.215: RADIUS(00000024): Request timed out!
*Apr 17 22:48:37.215: RADIUS: Retransmit to (192.168.1.7:1645,1646) for id 1645/2
*Apr 17 22:48:37.219: RADIUS(00000024): Started 5 sec timeout
R1(config)#
*Apr 17 22:48:42.243: RADIUS(00000024): Request timed out!
*Apr 17 22:48:42.243: RADIUS: No response from (192.168.1.7:1645,1646) for id 1645/2
*Apr 17 22:48:42.247: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Apr 17 22:48:42.247: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
R1(config)#

Authorization

AAA authorization determines what commands an authenticated user is permitted to issue to the network device. Authenticated users are by default put at EXEC level. Command authorization involves configuring the commands that an authenticated user is permitted to use. Here, an authorization request is sent to the RADIUS server each time that the user types a command. Authorization can be configured to set the login session to a configured privilege. If privileges have not been configured, then the default privilege is set (one for remote session and fifteen for a console session).

Configuring a privilege at the line level is not recommended as all users will have the same privilege. It is recommended to set the privilege for each user.

  1. Configure authorization by defining any RADIUS or TACACS+ servers. Follow steps 1 -3 of RADIUS and/or TACACS+ configurations above.
  2. Define a method list of authorization that will be tried in sequence using; aaa authorization <commands | config-commands | configuration | exec | network| reverse-access> <default | list-name> method1, method2, method3 …. methodn .

    Specify the function or service needing authorization with one of the following keywords;

    • commands: the server must return permission to use any command at any privilege level
    • config-commands: the server must return permission to use any configuration command.
    • configuration: The server must return permission to enter configuration mode.
    • exec: server must return permission for the user to run an EXEC session. The server can also return the privilege level for the user so that the user immediately can be put into privileged EXEC (enabled) mode without typing ‘enable’.
    • network: the server must return permission to use network-related services.
    • reverse-access: the server must return permission for the user to access a reverse telnet session.

    You can identify the method with a descriptive name (list-name) or use the single unnamed list (default). Each authorization method will be listed in the order it will be tried;

    • group <group-name>: requests are sent to servers in a group.
    • group <radius|tacacs+: requests are sent to all servers of this type.
    • if-authenticated: requests are granted if the user is already authenticated.
    • none: no external authorization is used; every user is authorised successfully.

    Only TACACS+ servers can authorise users with permission to use specific commands. RADIUS servers offer more of an all or nothing approach.

  3. Apply an authorization method list to a specific line; authorization <commands level | exec | reverse-access> <default | list-name>. If this command is not entered, the default group is used for all lines. To configure a switch / router to use AAA authorization for all lines using configured TACACS+ group, with the local user database as backup authorization.

    R1(config)#aaa authorization exec aaa-exec group tacacs+ local

    Another example:

    R1(config)#aaa authorization exec VTY group radius local

    Here authorization is attempted using configured RADIUS servers; if this fails, then the local database is used as backup.

  4. Apply the authorization to the line:
    1. For remote sessions(vty):

      R1(config)#line vty 0 98
      R1(config-line)#authorization exec VTY

    2. For console sessions:

      Authorization is not enabled on console by default. It should be explicitly enabled first.

      R1(config)#aaa authorization console

      R1(config)#line console 0
      R1(config-line)#authorization exec CON

autocommand logout

Given a user, bob, if we want to ensure that this account is authenticated for some purposes but not for login, one option available is not to use the aaa authentication for login. Another option is to use username bob autocommand logout. Under authorization, aaa authorization exec default local group MYRADIUS.

Accounting

AAA accounting logs all actions including configurations and show commands issued on the network device. To configure accounting, the following sequence of commands needs to be configured;

Enable AAA and configure RADIUS and TACACS+ server groups as described in steps 1 -3 of RADIUS and TACACS+ authentication procedures. Define a method list giving a sequence of accounting methods; aaa accounting [system | exec | commands <level>] [default | <list-name>] [start | stop | stop-only | wait-start | none] [method1 method2 method3 ..methodn] .

The function triggering the accounting can be one of the following;

  • system: major events such as reloading are recorded.
  • exec: user authentication into an EXEC session is recorded along with the user’s address, time, duration.
  • commands level: information about any command running at a specific privilege level is recorded, along with the user who issued the command.

You can specify that certain types of accounting records to be sent to the accounting server using;

  • start-stop: events are recorded when they start and stop-only
  • stop-only: event are recorded only when they stop.
  • none: no events are recorded.

Apply an accounting method list to a specific line; accounting <commands level | connection | exec> <default | list-name>. If the above command is not used, default group will be used for all lines. User EXEC sessions will be recorded as they start and stop along with user information. Any commands that are entered while a user is in privilege 15 (enable mode) will also b recorded.

Example:

R1(config)#aaa accounting exec default start-stop group myauthserver
R1(config)#aaa accounting commands 15 default start-stop group myauthserver

RADIUS Server Configuration

The RADIUS server will have to configured to authorize users based on their authentication credentials. Some popular RADIUS servers include FreeRADIUS, daloRADIUS. The following is an example configuration of daloRADIUS:

# Define the RADIUS server server {
  # Set the server IP address and port
  ipaddr = 192.168.1.100
  port = 1812

  # Set the authentication protocol
  auth_protocol = PAP

  # Set the authentication server
  auth_server = mysql

  # Set the authorization server
  authz_server = mysql
}

# Define the MySQL database
mysql {
  # Set the MySQL server IP address and port
  ipaddr = 192.168.1.200
  port = 3306

  # Set the MySQL database name
  database = "radius"

  # Set the MySQL username
  username = "radius"

  # Set the MySQL password
  password = "password"
}

# Define the user database
users {
  # Define a user
  user {
  # Set the username
  username = "cisco"

  # Set the password
  password = "cisco123"

  # Set the service type
  service_type = Exec-User

  # Set the Cisco AVPair
  Cisco-AVPair = "shell:priv-lvl=15"
  }
}

TACACS+

Developed by Cisco systems, it is mainly used for device administration using ACS servers. It uses TCP port 49 for both the client and server. TACACS+ does not support EAPoL.

In networks supporting TACACS+ and RADIUS, it is common for TACACS+ to be used for device administration and RADIUS for network access.

Authentication using TACACS+

TACACS+ (Terminal Access Controller Access Control System) is Cisco-proprietary and uses port 49 on TCP (but also UDP). It provides separate services for authentication, authorization and accounting. TACACS+ offers basic accounting features. Unlike RADIUS where only the password is encrypted, with TACACS+, the entire packet is encrypted.

Configuration

  1. Enable AAA:

    R1(config)#aaa new-model

  2. Configure TACACS+ server settings on the client:

    R1(config)#tacacs server TACACS+_SERVER01
    R1(config-tacacs-server)#address ipv4 192.168.1.2
    R1(config-tacacs-server)#key complexpassword
    R1(config)#tacacs server TACACS+_SERVER02
    R1(config-tacacs-server)#address ipv4 192.168.1.5
    R1(config-tacacs-server)#key complexkey

    The TACACS+ port does not need to be explicitly configured as the default port of 49 is used. However, it can be explicitly configured if the TACACS+ server is listening on a port that is not the default TCP port 49.

    R1(config-tacacs-server)#port 65000

    Some prefer to configure TACACS+ server settings using the command tacacs-server host <server-ip-address>.

    R1(config)#tacacs-server host 192.168.1.2
    R1(config)#tacacs-server key complexpassword

  3. Configure TACACS+ server groups;

    R1(config)#aaa group server tacacs+ TACACS+_SERVER_GROUP
    R1(config-sg-tacacs)#server name TACACS+_SERVER01
    R1(config-sg-tacacs)#server name TACACS+_SERVER02

  4. Create a login authentication method named ‘AAA_AUTHENTICATION’ and configure it to authenticate against a TACACS+ server. The local user database should be the backup authentication method.

    R1(config)#aaa authentication login AAA_AUTHENTICATION group tacacs+ local

  5. Apply ‘AAA_AUTHENTICATION’ method to vty lines

    R1(config)#line vty 0 4
    R1(config-line)#login authentication AAA_AUTHENTICATION

  6. Telnet above router. What credentials were used and why?

Cisco Authentication Servers

Cisco offers access control system (ACS) and Identity Services Engine(ISE) servers as physical hardware or virtual images to implement access authentication. ACS and ISE support RADIUS and TACACS+:

  • Access Control System (ACS):
    • Used for both device access and network access
    • Supports both RADIUS and TACACS+ with TACACS+ particularly used for device access.
  • Identity Services Engine (ISE):
    • Mainly used for network access.
    • Mainly uses RADIUS. However, starting ISE 2.0, TACACS+ support has been added.
    • Supports RADIUS with Change of authorization (CoA).
    • Supports additional features such as profiling such as granting access to specific devices only, security posture assessment of the end-user device (device must meet certain minimum requirements), web portal services such as for guest user access.

Thursday, 18 February 2021

SECURING DMVPN TUNNELS WITH IPSEC, IKEv1 or IKEv2

Introduction and Overview

In unencrypted DMVPN packets, the original packets have GRE flags added to them, and then the new GRE IP header is added for routing the packets through the transport (underlay) network. The GRE IP header adds an extra 20 bytes of overhead, and the GRE flags add an extra 4 bytes of overhead. These packets use the protocol field of GRE (47). By default, GRE has no in-built security features to secure the data transiting the tunnel. IPSec is used to provide encryption, data integrity, replay protection features to GRE tunnels.

IPSec provides origin authentication, data confidentiality, data integrity, replay detection, periodic rekey, perfect forward secrecy. IPSec security architecture is composed of the following;

  • Security Protocols
  • Security Associations
  • Key Management

Security Protocols

Security protocols can be used individually or in combination. They include;

  1. Authentication Header (AH): AH provides data integrity, authentication, replay protection. AH uses IP protocol number 51.
  2. Encapsulating Security Payload (ESP): ESP provides data confidentiality, integrity, authentication and replay protection. ESP uses IP protocol number 50.

Key Management

Internet Key Exchange (IKE) negotiates the IPSec security associations (SAs). This process requires that the IPSec systems first authenticate themselves to each other and establish ISAKMP (IKE) shared keys. IPSec uses IKEv2 by default. IKEv2 introduced Extensible Authentication Protocol (EAP) with reduction of bandwidth consumption, network address translation (NAT) and ability to detect whether a tunnel is still alive.

Security Associations

A security association (SA) is a relationship between two or more entities that describes how the entities will use security services to communicate securely.

Security Associations (SA) contain agreed upon security parameters. The two main security associations that will be used by DMVPN to secure traffic are IKE SA and IPSec SA:

  • IKE SA: used for control plane functions like IPSec key management and management of IPSec SAs.
  • IPSec SA: used for data plane functions to secure data transmitted between two different sites. IPSec SAs are unidirectional and require at least two IPSec SAs (one for inbound traffic and another for outbound traffic) for a secure connection to a DMVPN peer.
There can only be one IKE SA between end point devices but multiple IPSec SAs can be established between the same two endpoint devices.

IPSec DMVPN Tunnel Protection Modes

Traditional IPSec provides two modes of packet protection; tunnel and transport:

  1. Tunnel mode: the entire original packet is encrypted and a new set of IPSec headers is added. For encrypted DMVPN packets that use ESP tunnel mode, the original packets have the GRE flags added to them, and then the new GRE IP header is added for routing the packets in the transport (underlay) network. That portion of the packets is encrypted, a signature for the encrypted payload is added. Then a new IPSec IP header is added for routing the packets in the transport (underlay) network. The GRE IP header adds an extra 20 bytes of overhead, the GRE flags add an extra 4 bytes of overhead, the IPsec IP header adds an extra 20 bytes of overhead, and depending on the encryption mechanism, a varying number of additional bytes are added for the encrypted signature.

    It is important to note that the use of IPsec tunnel mode for DMVPN networks does not add any perceived value and adds 20 bytes of overhead. It is recommended that transport mode should be used for encrypted DMVPN tunnels.

    Additionally, the header added when tunnel is configured is redundant due to the already existing GRE header.

  2. Transport mode: In this mode, only the packet payload is encrypted. The GRE header is maintained. The packet is routed based on the original IP headers. For encrypted DMVPN packets that use ESP transport mode, the original packets have the generic routing encapsulation (GRE) flags added to them, and then that portion of the packets is encrypted. A signature for the encrypted payload is added, and then the GRE IP header is added for routing the packets on the transport (underlay) network. The GRE IP header adds an extra 20 bytes of overhead, the GRE flags add an extra 4 bytes of overhead, and depending on the encryption mechanism, a varying number of additional bytes are added for the encrypted signature.

DMVPN Tunnel Protection using IPSec

Enabling IPsec protection on a DMVPN network requires that all devices enable IPsec protection. If some routers have IPsec enabled and others do not, devices will not be able to establish a connection on the tunnel interfaces with each other.

Key management and IPSec parameter negotiation is implemented using IKEv1 or IKEv2.

IKEv1

Originally DMVPN tunnel protection was provided by IPSec IKEv1. To enable DMVPN tunnel protection using IPsec static pre-shared keys involves the creation of the following:

  1. ISAKMP policy
  2. ISAKMP key and addresses of remote hosts.
  3. IPSec transform set
  4. IPSec profile

The configuration of DMVPN tunnel protection using DMVPN follows:

Step 1: Create the IKEv1 policy:

This is used for phase 1 negotiations (control-plane) in IPsec to generate the key information used in phase 2 for the actual data-plane.

  1. Define an IKE policy

  2. The IKE policy is configured using the command crypto isakmp policy <1-10000> where 1-10000 is the priority of the protection suite.

    HUB(config)#crypto isakmp policy 100

  3. Configure encryption method

  4. The encryption method is usually any of the synchronous encryption algorithms aes, 3des or des: encryption <aes | 3des | des> <128-256>

    • aes | 3des | des: are the synchronous encryption versions supported by the platform.
    • 128 - 256: the supported encryption key sizes. More modern platforms support a larger key size.

    HUB(config-isakmp)#encryption aes 256

  5. Configure the authentication method

  6. The authentication method can be either preshared keys or RSA-signatures: authentication <pre-share | rsa-encr | rsa-sig>. In this configuration, we opt to use preshared keys for authentication.

    HUB(config-isakmp)#authentication pre-share

  7. Configure the Diffie-Helman group for integrity

  8. Define the diffie-helman group using the command group <1|14|15|16|19|2|20|21|24|5>. The Diffie-Hellman groups include the following;

    • Group 1 (768 bits)
    • Group 14 (2048 bits)
    • Group 15 uses 3072 bits
    • Group 16 (4096 bits)
    • Group 19 (256 bit ecp)
    • Group 2 (1024 bit)
    • Group 20 (384 bit ecp)
    • Group 21 (521 bit ecp)
    • Group 24 (2048 bit, 256 bit subgroup)
    • Group 5 (1536 bit)

    HUB(config-isakmp)#group 16

    If not specified, the default group is enabled.

  9. Configure the hash function for data integrity

  10. The hash algorithm provides a check for data integrity i.e, a check to ensure that the data was not altered in transit. The main hashing functions in use are MD5 and the various versions of SHA i.e, SHA, SHA256, SHA384, SHA512. The command is hash <md5 | sha | sha256 | sha384 | sha512>.

    HUB(config-isakmp)#hash sha512

Step 2: Configure the IKE key

The IKE key is defined using the command crypto isakmp key <password> address <ip_address>. Use of the address 0.0.0.0 0.0.0.0 is not recommended as it allows a host with any IP address to connect. However, it may be helpful only when many spokes connect to the hub and administrative overhead is high with managing this scalability. Otherwise, to add additional level of security, a key should be defined for each spoke whose IP address is explicitly configured.

HUB(config)#crypto isakmp key simplesimple address 0.0.0.0

The recommended approach is to use public-key infrastructure (PKI); here a certificate is issued to the spokes. The hub can verify that certificate with the certificate authority when spokes attempt to register.

Step 3: Configure an IPSec transform set

In phase 2 of the creation of the IPsec security, the data-plane traffic is treated to the encryption and hashing functions configured under the transform-set.

  1. Define the transform set and ESP or AH settings

    Define the ESP authentication and ESP encryption or AH authentication algorithms for encryption or authentication.

    Here one SA is created for inbound traffic and one for outbound traffic to a DMVPN peer using the global configuration command; crypto ipsec transform-set <transform-set-tag> [<esp-encryption-function> <esp-authentication-function> | <ah-authentication>].

    The AH options available include the following:

    • ah-md5-hmac: AH-HMAC-MD5 transform
    • ah-sha-hmac: AH-HMAC-SHA transform
    • ah-sha256-hmac: AH-HMAC-SHA256 transform
    • ah-sha384-hmac: AH-HMAC-SHA384 transform
    • ah-sha512-hmac: AH-HMAC-SHA512 transform
    • comp-lzs: IP Compression using the LZS compression algorithm

    The ESP options include the following:

    • esp-3des: ESP transform using 3DES(EDE) cipher (168 bits)
    • esp-aes : ESP transform using AES cipher
    • esp-des : ESP transform using DES cipher (56 bits)
    • esp-gcm : ESP transform using GCM cipher
    • esp-gmac: ESP transform using GMAC cipher
    • esp-md5-hmac: ESP transform using HMAC-MD5 auth
    • esp-null: ESP transform w/o cipher
    • esp-seal: ESP transform using SEAL cipher (160 bits)
    • esp-sha-hmac: ESP transform using HMAC-SHA auth
    • esp-sha256-hmac: ESP transform using HMAC-SHA256 auth
    • esp-sha384-hmac: ESP transform using HMAC-SHA384 auth
    • esp-sha512-hmac: ESP transform using HMAC-SHA512 auth

    If an encryption algorithm is configured, the key size should be defined.

    HUB(config)#crypto ipsec transform-set DMVPN_IPSEC_TSET esp-aes esp-sha512-hmac

  2. Define the tunnel mode

    tunnel mode can be transport or tunnel

    HUB(cfg-crypto-trans)#mode transport

Step 4 Create an IPSec profile

The IPsec profiile is created and the references the IPsec transform set previously defined.

HUB(config)#crypto ipsec profile DMVPN_IPSEC_PROFILE
HUB(ipsec-profile)#set transform-set DMVPN_IPSEC_TSET
HUB(ipsec-profile)#exit

Step 5: Associate the DMVPN tunnel interface with the IPSec profile

To protect the tunnel using IPsec, reference the configured IPsec profile under the tunnel configuration using the command tunnel protection ipsec profile <ipsec_profile_name>.

HUB(config)#interface tunnel 0
HUB(config-if)#tunnel protection ipsec profile DMVPN_IPSEC_PROFILE

Step 1 - 5 configurations are common to both the hub and spoke. This is an example of the templating that can be used with DMVPN. To configure a specific key for each spoke, enter the spoke address. This IP address should be the one configured on the interface that is defined as the tunnel source when configuring the DMVPN tunnel interface on the spoke. The hub and spoke must share the same key.

IPsec with Frontdoor VRF

When a front-door VRF(FVRF) has been configured, to protect the tunnel using IPsec requires a slightly different configuration particularly when defining the ISAKMP key. Using the configuration process for IKEv1 above, the configuration of IPsec for a front-door VRF tunnel can be accomplished using the following sequence:

Step 2: Configure the IKEv1 key

  1. The key is configured using the command crypto keyring <keyring-name> vrf <vrf-name> where:
    • keyring-name: is the suggested name of the keyring.
    • vrf-name: is the VRF under which the key will be used.

    SPOKE4(config)#crypto keyring DMVPN_ISAKMP_KEYRING vrf FVRF

  2. Then define the key using the command pre-shared-key address <ip-address> <netmask> key <key>.

    SPOKE4(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 key simplesimple

Step 3: Configure the IKEv1 Profile

  1. Create an IKEv1 profile: create isakmp profile <profile-name>.

    SPOKE4(config)#crypto isakmp profile DMVPN_ISAKMP_PROFILE

  2. Configure the VRF that the profile will be used under: vrf <VRF-name>

    SPOKE4(conf-isa-prof)#vrf FVRF

  3. Reference the configured keyring: keyring <keyring-name>

    SPOKE4(conf-isa-prof)#keyring DMVPN_ISAKMP_KEYRING

  4. Define the IP address and VRF that this profile will be checked against and applied to: match identity address <ip-address> <vrf>

    SPOKE4(conf-isa-prof)#match identity address 0.0.0.0 FVRF

Step 4: Configure the IPsec Transform-set

The IPsec transform-set is configured as in step 3 above:

SPOKE4(config)#crypto ipsec transform-set DMVPN_IPSEC_TSET esp-aes esp-sha512-hmac
SPOKE4(cfg-crypto-trans)#mode transport

Step 5: Configure the IPsec Profile

  1. Define the IPsec profile:crypto ipsec profile <profile-name>

    SPOKE4(config)#crypto ipsec profile DMVPN_IPSEC_PROFILE

  2. Reference the configured IPsec transform-set: set transform-set <transform-set-name>

    SPOKE4(ipsec-profile)#set transform-set DMVPN_IPSEC_TSET

  3. Reference the ISAKMP/IKEv1 profile: set isakmp-profile <isakmp-profile-name>

    SPOKE4(ipsec-profile)#set isakmp-profile DMVPN_ISAKMP_PROFILE

Step 6: Reference the IPsec Profile under the tunnel

Tunnel protection using IPsec is configured under the tunnel interface:

SPOKE4(config)#interface tunnel 0
SPOKE4(config-if)#tunnel protection ipsec profile DMVPN_IPSEC_PROFILE

Verification of IKEv1 Configuration

The following commands can be used to verify tunnel protection using IPsec:

  • show dmvpn detail
  • show crypto isakmp sa
  • show crypto isakmp policy
  • show crypto isakmp peers
  • show crypto isakmp key
  • show crypto ipsec sa
  • show crypto ipsec profile

show dmvpn detail

SPOKE2#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
                
Interface Tunnel0 is up/up, Addr. is 172.30.1.2, VRF ""
   Tunnel Src./Dest. addr: 99.255.30.1/MGRE, Tunnel VRF ""
   Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_IPSEC_PROFILE"
   Interface State Control: Disabled
   nhrp event-publisher : Disabled
                
IPv4 NHS:        
172.30.1.1  RE NBMA Address: 99.255.10.2 priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 4
                
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------          
    1 99.255.10.2          172.30.1.1    UP 03:15:04    S      172.30.1.1/32
    1 99.255.30.1          172.30.1.2    UP 00:48:01  DLX      172.30.1.2/32
    1 99.255.60.6          172.30.1.7    UP 00:12:13    D      172.30.1.7/32
    1 99.255.60.2          172.30.1.8    UP 00:48:01    D      172.30.1.8/32
                
                
Crypto Session Details:
--------------------------------------------------------------------------------
                
Interface: Tunnel0
Session: [0x680251DC]
  IKEv1 SA: local 99.255.30.1/500 remote 99.255.10.2/500 Active
          Capabilities:(none) connid:1001 lifetime:20:44:52
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 99.255.10.2
  IPSEC FLOW: permit 47 host 99.255.30.1 host 99.255.10.2
        Active SAs: 2, origin: crypto map
        Inbound: #pkts dec'ed 2510 drop 0 life (KB/Sec) 4254210/2162
        Outbound: #pkts enc'ed 2578 drop 0 life (KB/Sec) 4254210/2162
   Outbound SPI : 0xB80CDF30, transform : esp-256-aes esp-sha512-hmac
    Socket State: Open
                
Interface: Tunnel0
Session: [0x68024FEC]
  IKEv1 SA: local 99.255.30.1/500 remote 99.255.60.6/500 Active
          Capabilities:(none) connid:1004 lifetime:23:47:43
  IKEv1 SA: local 99.255.30.1/500 remote 99.255.60.6/500 Active
          Capabilities:(none) connid:1005 lifetime:23:47:43
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 99.255.60.6
  IPSEC FLOW: permit 47 host 99.255.30.1 host 99.255.60.6
        Active SAs: 4, origin: crypto map
        Inbound: #pkts dec'ed 1 drop 0 life (KB/Sec) 4608000/2866
        Outbound: #pkts enc'ed 1 drop 0 life (KB/Sec) 4608000/2866
   Outbound SPI : 0x5D0DE203, transform : esp-256-aes esp-sha512-hmac
    Socket State: Open
                
Interface: Tunnel0
Session: [0x680250E4]
  IKEv1 SA: local 99.255.30.1/500 remote 99.255.60.2/500 Active
          Capabilities:(none) connid:1002 lifetime:23:11:55
  IKEv1 SA: local 99.255.30.1/500 remote 99.255.60.2/500 Active
          Capabilities:(none) connid:1003 lifetime:23:11:55
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 99.255.60.2
  IPSEC FLOW: permit 47 host 99.255.30.1 host 99.255.60.2
        Active SAs: 4, origin: crypto map
        Inbound: #pkts dec'ed 6 drop 0 life (KB/Sec) 4254542/718
        Outbound: #pkts enc'ed 6 drop 0 life (KB/Sec) 4254542/718
   Outbound SPI : 0xBB52CAA0, transform : esp-256-aes esp-sha512-hmac
    Socket State: Open

Pending DMVPN Sessions:
SPOKE2#

show crypto isakmp sa

Command displays security association information when for the ISAKMP exchange.

SPOKE2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
99.255.10.2     99.255.30.1     QM_IDLE           1001 ACTIVE
99.255.30.1     99.255.60.2     QM_IDLE           1003 ACTIVE
99.255.30.1     99.255.60.6     QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

SPOKE2#

Additional keywords to the above command display the following output:

SPOKE2#show crypto isakmp sa ?
  active   Shows HA-enabled ISAKMP SAs in the active state
  count    Show the number of ISAKMP Security Associations
  detail   Show ISAKMP SA Detail
  nat      Show ISAKMP SA NAT Detail
  standby  Shows HA-enabled ISAKMP SAs in the standby state
  vrf      Show ISAKMP SA as per VRF

SPOKE2#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection                          
       K - Keepalives, N - NAT-traversal                                            
       T - cTCP encapsulation, X - IKE Extended Authentication                      
       psk - Preshared key, rsig - RSA signature                                    
       renc - RSA encryption                                                        
IPv4 Crypto ISAKMP SA                                                              
                                                                                    
C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
                                                                                    
1001  99.255.30.1     99.255.10.2            ACTIVE aes  sha512 psk  16 23:21:51    
       Engine-id:Conn-id =  SW:1                                                    
                                                                                    
1003  99.255.30.1     99.255.60.2            ACTIVE aes  sha512 psk  16 23:34:21    
       Engine-id:Conn-id =  SW:3                                                    
                                                                                    
1002  99.255.30.1     99.255.60.6            ACTIVE aes  sha512 psk  16 23:33:22    
       Engine-id:Conn-id =  SW:2                                                    
                                                                                    
IPv6 Crypto ISAKMP SA                                                              
                                                                                    
SPOKE2#

SPOKE2#show crypto isakmp sa count
Active ISAKMP SA's: 3
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 0

show crypto isakmp policy

SPOKE2#show crypto isakmp policy

Global IKE policy
Protection suite of priority 100
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (512 bit)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #16 (4096 bit)
        lifetime:               86400 seconds, no volume limit
SPOKE2#

show crypto isakmp peers

SPOKE2#show crypto isakmp peers Peer: 99.255.10.2 Port: 500 Local: 99.255.30.1
 Phase1 id: 99.255.10.2
Peer: 99.255.20.2 Port: 500 Local: 99.255.30.1
 Phase1 id: 99.255.20.2
Peer: 99.255.60.2 Port: 500 Local: 99.255.30.1
 Phase1 id: 99.255.60.2
Peer: 99.255.60.6 Port: 500 Local: 99.255.30.1
 Phase1 id: 99.255.60.6
SPOKE2#

show crypto isakmp key

SPOKE2#show crypto isakmp key
Keyring      Hostname/Address                            Preshared Key
                                                                      
default      0.0.0.0        [0.0.0.0]                    simplesimple
SPOKE2#

show crypto ipsec sa

HUB#show crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.10.1.1
          
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.10.1.3/255.255.255.255/47/0)
   current_peer 10.10.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
          
     local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.3
     plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x566CA6C2(1449961154)
     PFS (Y/N): N, DH group: none
          
     inbound esp sas:
      spi: 0xE65C1095(3864793237)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4266073/3469)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     inbound ah sas:
          
     inbound pcp sas:
          
     outbound esp sas:
      spi: 0x566CA6C2(1449961154)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4266074/3469)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:
          
     outbound pcp sas:
          
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.10.1.2/255.255.255.255/47/0)
   current_peer 10.10.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
          
     local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.2
     plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x11E881C1(300450241)
     PFS (Y/N): N, DH group: none
          
     inbound esp sas:
      spi: 0xC5D936AE(3319346862)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4321569/3249)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     inbound ah sas:
          
     inbound pcp sas:
          
     outbound esp sas:
      spi: 0x11E881C1(300450241)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4321569/3249)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:
          
     outbound pcp sas:
HUB#
HUB#

IKEv2

IKEv2 was developed to eliminate the weaknesses of IKEv1. Cryptographic functions consume CPU resources, so the CPU should be protected by limiting the number of packets required to process IKE establishment. CPU utilization increases to maintain SA state including negotiation of a session. If CPU utilization is high (for any other reasons), a session that has been started may not complete due to limited CPU resources.

IKEv2 advantages over IKEv1 include:

  • Protection against DoS attacks
  • Support for new encryption algorithms for phase 2 (suite B).

With IKEv2, asymetric authentication methods are possible where one end uses preshared keys and the other PKI.

DMVPN tunnel protection using IPSec IKEv2 through the use of a static pre-shared key involves configuration of the following:

  1. IKEv2 keyring
  2. IKEv2 profile
  3. IPSec transform set
  4. IPSec profile

Step 1: Configure the IKEv2 Keyring

The IKEv2 keyring is a repository for configured pre-shared keys. In a keyring, it is possible to define which keys apply to which hosts. Identification of the password is based on the IP address of the remote router. The IKEv2 keyring is created with the following steps:

  1. Define the keyring instance: It is created with the global configuration command crypto ikev2 keyring <keyring-name>.

    HUB(config)#crypto ikev2 keyring IKEv2_KEYRING

  2. Create a peer name: Multiple peers can exist in a keyring. Each peer has a matching qualifier and can use a different password. The peer is created with the command peer <peer-name>.

    HUB(config-ikev2-keyring)#peer ANY

  3. Identify the IP address for the peer: Multiple peers can reside in a keyring. The IP address is identified so that the appropriate peer configuration is used based upon the remote device’s IP address. The command address network netmask defines the IP address/range. Though not recommended for a production network, the value of 0.0.0.0 0.0.0.0 may be used to match against any peer. For IPv6, the address ::/0 matches any IPv6 address.

    HUB(config-ikev2-keyring-peer)#address 0.0.0.0

  4. Define a preshared key: Define the preshared key with pre-shared-key <password>:

    HUB(config-ikev2-keyring-peer)#pre-shared-key cisco123

Step 2: IKEv2 Profile

IKEv2 profile is a collection of non-negotiable security parameters used during IKE security association. The IKEv2 profile is later associated with the IPSec profile. Within the IKEv2 profile, local and remote authentication methods must be defined as well as a match statement.

  1. Define the IKEv2 profile: crypto ikev2 profile <profile_name>:

    HUB(config)#crypto ikev2 profile IKEv2_PROF

  2. Identify the IP address for the remote router: the IP address must be identified for the initial IKEv2 session to establish. The peer IP address is defined with the command match identity remote address <ip_address>. This can be 0.0.0.0 0.0.0.0 to match against any peer. For IPv6, it can be ::/0.

    HUB(config-ikev2-profile)#match identity remote address 0.0.0.0

  3. (Optional) Configure the local router’s identity: the local router’s identity can be set based on an IP address with the command identity local address <ip-address>. A loopback address is recommended as it is always ‘up’. Note that the IP address configured here should match the IP address used during the certificate registration. This step is really not needed with preshared key authentication but is very important in the deployment of public key infrastructure.
  4. Identify the Front-door VRF (FVRF) for the tunnel end: if a front-door VRF is used on the DMVPN tunnel, then the FVRF must be associated to the IKEv2 profile with the command match fvrf <vrf_name | any>. Keyword any allows any configured FVRF to be selected.
  5. Define the local authentication method: The authentication method must be defined for connection requests that are received by remote peers. The command authentication local <pre-share | rsa-sig> defines the local authentication. Only one local authentication can be selected. The pre-share keyword is for pre-shared static keys and rsa-sig is used for certificate based authentication.

    HUB(config-ikev2-profile)#authentication local pre-share

  6. Define the remote authentication method: The authentication method must be defined for connection requests that are sent to remote peers. The command authentication remote [pre-share | rsa-sig] defines the remote authentication. The pre-share keyword is used for pre-shared static keys and rsa-sig is used for certificate-based authentication.

    HUB(config-ikev2-profile)#authentication remote pre-share

  7. Define the IKEv2 keyring (for preshared authentication): preshared authentication requires that the IKEv2 keyring be associated to the IKEv2 profile. The command keyring local <keyring-name> associates the IKEv2 keyring.

    HUB(config-ikev2-profile)#keyring local IKEv2_KEYRING
    HUB(config-ikev2-profile)#exit

Step 3: Configure the IPSec Transform Set

The transform set identifies the security protocols for encrypting traffic (ESP) or protocols for authenticating the data (AH). The transform set is created with the following steps;

  1. Create the transform set and identify the transforms: Only one transform set can be selected for ESP encryption, ESP authentication, AH authentication using the command crypto ipsec transform-set <transform_set_name> <esp-encryption esp-authentication | ah-authentication>

    HUB(config)#crypto ipsec transform-set IPSEC_TSET esp-aes esp-sha512-hmac

  2. Specify the Transform Set mode: the transform set mode is configured with mode <transport | tunnel>. Tunnel mode is the default mode. However, it adds 20bytes of additional IPSec header to the overall packet.

    HUB(cfg-crypto-trans)#mode transport

Step 4: Configure the IPSec Profile

The IPSec profile combines the IPSec transform set and the IKEv2 profile. The IPSec profile is created with the following steps;

  1. Create the IPSec profile: use the command crypto ipsec profile <profile-name>

    HUB(config)#crypto ipsec profile IPSEC_PROF

  2. Specify the transform set: The transform set is specified with the command set transform-set <transform-set-name>.

    HUB(ipsec-profile)#set transform-set IPSEC_TSET

  3. Specify the IKEv2 profile: the IKEv2 profile is specified with the command set ikev2-profile <ike2-profile-name>.

    HUB(ipsec-profile)#set ikev2-profile IKEv2_PROF
    HUB(ipsec-profile)#exit

Securing the DMVPN Tunnel

To secure the DMVPN tunnel, the IPSec profile should be associated with the DMVPN tunnel interface with the command; tunnel protection ipsec profile <profile-name> [shared]. The shared keyword is required for routers that terminate multiple secured DMVPN tunnels on the same transport interface.

HUB(config)#interface tunnel 0
HUB(config-if)#tunnel protection ipsec profile IPSEC_PROF

The command shares the IPSec security association database (SADB) among multiple DMVPN tunnels. Because the SADB is shared, a unique tunnel key must be defined on each DMVPN tunnel interface to ensure that the encrypted/decrypted traffic aligns to the proper DMVPN tunnel.

Verification of IKEv2 Tunnels

show crypto ipsec profile

show dmvpn

HUB#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete              
        N - NATed, L - Local, X - No Socket                              
        T1 - Route Installed, T2 - Nexthop-override                      
        C - CTS Capable, I2 - Temporary                                  
        # Ent --> Number of NHRP entries with same NBMA peer          
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel                    
==========================================================================
                                                                          
Interface Tunnel0 is up/up, Addr. is 192.168.1.1, VRF ""                  
   Tunnel Src./Dest. addr: 10.10.1.1/Multipoint, Tunnel VRF ""            
   Protocol/Transport: "multi-GRE/IP", Protect "IPSEC_PROF"              
   Interface State Control: Disabled                                      
   nhrp event-publisher : Disabled                                        
Type:Hub, Total NBMA Peers (v4/v6): 2                                    
                                                                          
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 10.10.1.2           192.168.1.2    UP 00:13:26     D     192.168.1.2/32
    1 10.10.1.3           192.168.1.3    UP 00:02:57     D     192.168.1.3/32
                                                                          
                                                                          
Crypto Session Details:                                                  
--------------------------------------------------------------------------------
                                                                          
Interface: Tunnel0                                                        
Session: [0x1110A890]                                                    
  Session ID: 2                                                          
  IKEv2 SA: local 10.10.1.1/500 remote 10.10.1.2/500 Active              
          Capabilities:(none) connid:1 lifetime:23:46:29                  
  Crypto Session Status: UP-ACTIVE                                        
  fvrf: (none), Phase1_id: 10.10.1.2                                      
  IPSEC FLOW: permit 47 host 10.10.1.1 host 10.10.1.2                    
        Active SAs: 2, origin: crypto map                                
        Inbound:  #pkts dec'ed 1020 drop 0 life (KB/Sec) 4173553/2789    
        Outbound: #pkts enc'ed 1020 drop 0 life (KB/Sec) 4173553/2789    
   Outbound SPI : 0xD07B32DF, transform : esp-aes esp-sha512-hmac        
    Socket State: Open                                                    
                                                                          
Interface: Tunnel0                                                        
Session: [0x1110A798]                                                    
  Session ID: 3                                                          
  IKEv2 SA: local 10.10.1.1/500 remote 10.10.1.3/500 Active              
          Capabilities:(none) connid:2 lifetime:23:56:23                  
  Crypto Session Status: UP-ACTIVE                                        
  fvrf: (none), Phase1_id: 10.10.1.3                                      
  IPSEC FLOW: permit 47 host 10.10.1.1 host 10.10.1.3                    
        Active SAs: 2, origin: crypto map                                
        Inbound:  #pkts dec'ed 1022 drop 0 life (KB/Sec) 4181658/3383    
        Outbound: #pkts enc'ed 1014 drop 0 life (KB/Sec) 4181659/3383    
   Outbound SPI : 0xB5895749, transform : esp-aes esp-sha512-hmac        
    Socket State: Open                                                    
                                                                          
Pending DMVPN Sessions:                                                  
                                                                          
HUB#

On the spoke

SPOKE1(config-if)#do show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        T1 - Route Installed, T2 - Nexthop-override
        C - CTS Capable, I2 - Temporary
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel0 is up/down, Addr. is 192.168.1.2, VRF ""
   Tunnel Src./Dest. addr: 10.10.1.2/10.10.1.1, Tunnel VRF ""
   Protocol/Transport: "GRE/IP", Protect "IPSEC_PROF"
   Interface State Control: Disabled
   nhrp event-publisher : Disabled

IPv4 NHS:
192.168.1.1   E NBMA Address: 10.10.1.1 priority = 0 cluster = 0            
Type:Spoke, Total NBMA Peers (v4/v6): 1                                      
                                                                            
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 10.10.1.1           192.168.1.1  INTF 00:04:17     S     192.168.1.1/32


Crypto Session Details:
--------------------------------------------------------------------------------

Interface: Tunnel0
Session: [0x10F9C2E8]          
  Session ID: 0                
  IKEv1 SA: local 10.10.1.2/500 remote 10.10.1.1/500 Inactive
          Capabilities:(none) connid:0 lifetime:0
  Crypto Session Status: DOWN-NEGOTIATING
  fvrf: (none),   IPSEC FLOW: permit 47 host 10.10.1.2 host 10.10.1.1
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
   Outbound SPI : 0x       0, transform :
    Socket State: Closed      
                              
Pending DMVPN Sessions:

SPOKE1(config-if)#

show crypto ipsec sa detail

HUB#show crypto ipsec sa detail
          
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.10.1.1
          
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.10.1.3/255.255.255.255/47/0)
   current_peer 10.10.1.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1016, #pkts encrypt: 1016, #pkts digest: 1016
    #pkts decaps: 1024, #pkts decrypt: 1024, #pkts verify: 1024
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
          
     local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.3
     plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xB5895749(3045676873)
     PFS (Y/N): N, DH group: none
          
     inbound esp sas:
      spi: 0x70EA8A16(1894418966)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 7, flow_id: SW:7, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4181657/2972)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     inbound ah sas:
          
     inbound pcp sas:
          
     outbound esp sas:
      spi: 0xB5895749(3045676873)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 8, flow_id: SW:8, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4181659/2972)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:
          
     outbound pcp sas:
          
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.10.1.2/255.255.255.255/47/0)
   current_peer 10.10.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1022, #pkts encrypt: 1022, #pkts digest: 1022
    #pkts decaps: 1022, #pkts decrypt: 1022, #pkts verify: 1022
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
          
     local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.2
     plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xD07B32DF(3497734879)
     PFS (Y/N): N, DH group: none
          
     inbound esp sas:
      spi: 0x75C10060(1975582816)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 5, flow_id: SW:5, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4173553/2378)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     inbound ah sas:
          
     inbound pcp sas:
          
     outbound esp sas:
      spi: 0xD07B32DF(3497734879)
        transform: esp-aes esp-sha512-hmac ,
        in use settings ={Transport, }
        conn id: 6, flow_id: SW:6, sibling_flags 80000000, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4173552/2378)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:
          
     outbound pcp sas:
HUB#      

show crypto ikev2 sa detailed

HUB#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.10.1.1/500         10.10.1.3/500         none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/610 sec                                          
      CE id: 1004, Session-id: 2                                              
      Status Description: Negotiation done                                    
      Local spi: A0F8071EC395BD3C       Remote spi: 97AE858B6CAA71A2          
      Local id: 10.10.1.1                                                      
      Remote id: 10.10.1.3                                                    
      Local req msg id:  0              Remote req msg id:  2                  
      Local next msg id: 0              Remote next msg id: 2                  
      Local req queued:  0              Remote req queued:  2                  
      Local window:      5              Remote window:      5                  
      DPD configured for 0 seconds, retry 0                                    
      Fragmentation not  configured.                                          
      Dynamic Route Update: disabled                                          
      Extended Authentication not configured.                                  
      NAT-T is not detected                                                    
      Cisco Trust Security SGT is disabled                                    
      Initiator of SA : No                                                    
                                                                              
Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.10.1.1/500         10.10.1.2/500         none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1204 sec                                        
      CE id: 1003, Session-id: 1                                              
      Status Description: Negotiation done                                    
      Local spi: B085F9ECBA72967E       Remote spi: 69A6A65ED87EC303          
      Local id: 10.10.1.1                                                      
      Remote id: 10.10.1.2                                                    
      Local req msg id:  0              Remote req msg id:  2                  
      Local next msg id: 0              Remote next msg id: 2                  
      Local req queued:  0              Remote req queued:  2                  
      Local window:      5              Remote window:      5                  
      DPD configured for 0 seconds, retry 0                                    
      Fragmentation not  configured.                                          
      Dynamic Route Update: disabled                                          
      Extended Authentication not configured.                                  
      NAT-T is not detected                                                    
      Cisco Trust Security SGT is disabled                                    
      Initiator of SA : No                                                    
                                                                              
IPv6 Crypto IKEv2 SA

On the client

SPOKE2#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status  
1         10.10.1.3/500         10.10.1.1/500         none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/78 sec                                              
      CE id: 1002, Session-id: 1                                                  
      Status Description: Negotiation done                                        
      Local spi: 97AE858B6CAA71A2       Remote spi: A0F8071EC395BD3C              
      Local id: 10.10.1.3                                                          
      Remote id: 10.10.1.1                                                        
      Local req msg id:  2              Remote req msg id:  0                      
      Local next msg id: 2              Remote next msg id: 0                      
      Local req queued:  2              Remote req queued:  0                      
      Local window:      5              Remote window:      5                      
      DPD configured for 0 seconds, retry 0                                        
      Fragmentation not  configured.                                              
      Dynamic Route Update: disabled                                              
      Extended Authentication not configured.                                      
      NAT-T is not detected                                                        
      Cisco Trust Security SGT is disabled                                        
      Initiator of SA : Yes                                                        
                                                                                  
 IPv6 Crypto IKEv2  SA                                                            

show crypto ikev2 profile

HUB#show crypto ikev2 profile

IKEv2 profile: IKEv2_PROF
 Ref Count: 6
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 0.0.0.0
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEv2_KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 mode auto: none
 AAA AnyConnect EAP authentication mlist: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
HUB#

show crypto ikev2 stats

SPOKE1#show crypto ikev2 stats
--------------------------------------------------------------------------------
                          Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit:   0        Max IKEv2 SAs: 0        Max in nego(in/out): 40/400
Total incoming IKEv2 SA Count:    0        active:        0        negotiating: 0
Total outgoing IKEv2 SA Count:    1        active:        1        negotiating: 0
Incoming IKEv2 Requests: 0        accepted:      0        rejected:    0  
Outgoing IKEv2 Requests: 1        accepted:      1        rejected:    0  
Rejected IKEv2 Requests: 0        rsrc low:      0        SA limit:    0  
IKEv2 packets dropped at dispatch: 0
Incoming Requests dropped as LOW Q limit reached : 0
Incoming IKEV2 Cookie Challenged Requests: 0
    accepted: 0        rejected: 0        rejected no cookie: 0
Total Deleted sessions of Cert Revoked Peers: 0

SPOKE1#

show crypto ipsec profile

SPOKE1(config-if)#do show crypto ipsec profile
IPSEC profile IPSEC_PROF
        IKEv2 Profile: IKEv2_PROF
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                IPSEC_TSET: { esp-aes esp-sha512-hmac } ,
        }          
                  
IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                default:  { esp-aes esp-sha-hmac } ,
        }          
                  
SPOKE1(config-if)#

show crypto ikev2 profile

SPOKE1#show crypto ikev2 profile

IKEv2 profile: IKEv2_PROF
 Ref Count: 5
 Match criteria:
  Fvrf: global
  Local address/interface: none
  Identities:
   address 0.0.0.0
  Certificate maps: none
 Local identity: none
 Remote identity: none
 Local authentication method: pre-share
 Remote authentication method(s): pre-share
 EAP options: none
 Keyring: IKEv2_KEYRING
 Trustpoint(s): none
 Lifetime: 86400 seconds
 DPD: disabled
 NAT-keepalive: disabled
 Ivrf: none
 Virtual-template: none
 mode auto: none
 AAA AnyConnect EAP authentication mlist: none
 AAA EAP authentication mlist: none
 AAA Accounting: none
 AAA group authorization: none
 AAA user authorization: none
SPOKE1#

show crypto ikev2 policy

SPOKE1#show crypto ikev2 policy

 IKEv2 policy : default
      Match fvrf : any
      Match address local : any
      Proposal    : default
SPOKE1#

show crypto ikev2 session

SPOKE1#show crypto ikev2 session
 IPv4 Crypto IKEv2 Session

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.10.1.2/500         10.10.1.1/500         none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/132 sec
Child sa: local selector  10.10.1.2/0 - 10.10.1.2/65535
          remote selector 10.10.1.1/0 - 10.10.1.1/65535
          ESP spi in/out: 0xD07B32DF/0x75C10060
                          
&bnsp;IPv6 Crypto IKEv2 Session

SPOKE1#

show crypto ikev2 session detail

SPOKE1#show crypto ikev2 session detail
IPv4 Crypto IKEv2 Session

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.10.1.2/500         10.10.1.1/500         none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/137 sec
      CE id: 1002, Session-id: 1
      Status Description: Negotiation done
      Local spi: 69A6A65ED87EC303       Remote spi: B085F9ECBA72967E
      Local id: 10.10.1.2                
      Remote id: 10.10.1.1                
      Local req msg id:  2              Remote req msg id: 0
      Local next msg id: 2              Remote next msg id: 0
      Local req queued:  2              Remote req queued: 0
      Local window:      5              Remote window: 5
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes
Child sa: local selector 10.10.1.2/0 - 10.10.1.2/65535
          remote selector 10.10.1.1/0 - 10.10.1.1/65535
          ESP spi in/out: 0xD07B32DF/0x75C10060
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 128, esp_hmac: SHA512
          ah_hmac: None, comp: IPCOMP_NONE, mode transport
          
IPv6 Crypto IKEv2 Session

SPOKE1#

Protection and Optimisation of DMVPN Tunnel

Protection of IKEv2

The command crypto ikev2 limit max-in-negotiation-sa limit | max-sa limit outgoing limits the number of sessions being established or that are allowed to establish.

  • Max-sa: limits the total count of SAs that a router can establish under normal conditions. The value should be set to double the number of ongoing sessions in order to cater for renegotiation.
  • Max-in-negotiation-sa: limits the number of SAs being negotiated at any one time.

To protect the IKE from half open sessions, a cookie can be used to validate that sessions are valid IKEv2 sessions and not a Denial of Service (DoS) attack. The command crypto ikev2 cookie-challege <challenge-number> defines the threshold of half-open SAs before issuing an IKEv2 challenge.

Verification

show crypto ikev2 stats

IPSec Packet Replay Protection

The IPSec implementation includes an anti-replay mechanism that prevents intruders from duplicating encrypted packets by assigning a unique sequence number to each encrypted packet. When a router decrypts the IPSec packets, it keeps track of the packets it has received. The IPSec anti-replay service rejects (discards) duplicate packets or old packets.

The router identifies acceptable packet age according to the following logic; the router maintains a sequence number window size (default of 64 packets). The minimum sequence number is defined as the highest sequence number for a packet minus the window size. A packet is considered of age when the sequence number is between the minimum sequence number and the highest sequence number.

At times, the default 64-packet window size is not adequate. Encryption is where the sequence number is set and this happens before any Quality of Server (QoS) policies are processed. Packets can be delayed because of QoS priorities, resulting in out-of-order packets where low-priority packets are queued, whereas high-priority packets are immediately forwarded. The sequence number increases on the receiving router because the high-priority packets shift the window ahead and when the lower priority packets arrive, they are discarded.

Increasing the anti-replay window size does not impact throughput or security. An additional 128 bytes per incoming IPSec SA are needed to store the sequence number on the decryptor. The window size is increased globally with the command crypto ipsec security-association replay window-size <size>. Cisco recommends using the largest window size possible for the hardware. Usually it is 1024.

Dead Peer Detection (DPD)

When two routers establish an IPSec VPN tunnel between them, it is possible that connectivity between the two routers can be lost for some reason. In most scenarios, IKE and IPSec do not natively detect a loss of peer connectivity, which results in network traffic being black-holed until the SA lifetime expires.

The use of dead peer detection (DPD) helps detect the loss of connectivity to a remote IPSec peer.

Cisco supports two types of DPD: on-demand and periodic. When DPD is enabled in on-demand mode, the two routers check for connectivity only when traffic needs to be sent and the peer’s liveliness is questionable. In such scenarios, the router sends a DPD R-U-THERE request to query the status of the remote peer. If the remote peer does not respond, the requesting router starts to transmit additional R-U-THERE messages every retry interval for a maximum of five retries. If no response is received, that peer is declared dead.

DPD is supported by IKEv1 and IKEv2:

  • IKEv2: DPD is configured with the global configuration command crypto ikev2 dpd <interval-time> <retry-time> [on-demand | periodic]. DPD is also configured using the IKEV2 profile mode command dpd <interval-time> <retry-time> [on-demand | periodic]. It is recommended that the interval time be set to twice that of the routing protocol hold time.
  • As it consumes CPU, it is recommended that DPD be configured on the spokes and not on the hubs because a hub may have to maintain state of hundreds of branch routers.

Network Address Translation (NAT) Keepalives

NAT keepalives are enabled to keep the dynamic NAT mapping alive during a connection between two peers. NAT keepalives are UDP packets that contain an unencrypted payload of 1 byte. When DPD is used to detect peer liveliness, NAT keepalives are sent if the IPSec entity has not transmitted or received a packet within a specified period of time. It is configured on sopes because the routing protocol messages such as Hello and update messages between the hub and spoke keeps the NAT state active whereas spoke to spoke tunnels do not maintain a routing neighborship so NAT state is not maintained. NAT keepalives are enabled with the command crypto isakmp nat keepalive <seconds>.