NAT and VPN Security Features, IOS 12.2T

Page 1: Features de Seguridad NAT y VPN12-2T[1]

Page 2

Acknowledgements

The material in this presentation was prepared by Rogelio Alvez, with the collaboration of Julio Sanchez Avalos and Darío Ciccarone.


Page 4

IOS 12.2(2)T

DF Bit Override Functionality with IPSec Tunnels

Quality of Service for Virtual Private Networks

SSH Terminal-Line Access

Page 5

DF Bit Override Functionality with IPSec Tunnels

Problem: certain TCP applications stop working once they go through a VPN.

Cause: look into the fragmentation techniques used in IPSec.

Solution: forget about the standard and clear the DF bit in the IP header.

crypto ipsec df-bit [clear | set | copy]

Question for the VPN fans: how is this problem solved on the VPN 3000? How is it solved on the PIX Firewall?

Page 6

DF Bit Override (cont.)

Diagram: Server, Internet, VPN Client. The server's packet is IP/TCP/User Data, packet size = 1500, DF bit = set. Inside the VPN tunnel it becomes IP/ESP (50)/Encrypted Data/HASH. MTU = 1500 on both links.

The server's packet will not fit on the next link once it is encapsulated with IPSec, as long as it cannot be fragmented (DF bit).

The DF bit has to be cleared to solve this problem.

Page 7

Quality of Service for Virtual Private Networks

What is the problem? IPSec encryption prevents QoS from working correctly.

Why? The TCP/UDP header information reaches the QoS process already encrypted.

How is it solved? With the qos pre-classify command in the crypto map, on the Tunnel interface, or on both (depending on the case).

Page 8

Before encryption

class-map match-all med_priority
 match access-group 103
class-map match-all high_priority
 match access-group 102
!
policy-map DEMO
 class med_priority
  bandwidth percent 20
  random-detect
 class high_priority
  priority percent 30
!
access-list 102 permit tcp host 172.16.1.10 eq 22 any
access-list 103 permit tcp host 172.16.1.10 eq www any
!
interface Serial0/2
 bandwidth 64
 ip address 10.10.10.9 255.255.255.252
 service-policy output DEMO
 clockrate 64000

Interpretation: SSH traffic should have higher priority than web traffic, and web traffic in turn should have higher priority than all other traffic.

Page 9

Before encryption (cont.)

core#sh pol inter s0/2
 Serial0/2

  Service-policy output: DEMO

    Class-map: high_priority (match-all)
      108 packets, 66962 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 102
      Queueing
        Strict Priority
        Output Queue: Conversation 24
        Bandwidth 30 (%)
        Bandwidth 19 (kbps) Burst 475 (Bytes)
        (pkts matched/bytes matched) 40/33944
        (total drops/bytes drops) 26/31536

    Class-map: med_priority (match-all)
      11 packets, 5369 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 103
      Queueing
        Output Queue: Conversation 25
        Bandwidth 20 (%)
        Bandwidth 12 (kbps)
        (pkts matched/bytes matched) 5/1859
        (depth/total drops/no-buffer drops) 0/0/0
        exponential weight: 9
        mean queue depth: 0

Page 10

Before encryption (cont.)

core#sh queue s0/2
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 27
Queueing strategy: weighted fair
Output queue: 4/1000/64/27 (size/max total/threshold/drops)
   Conversations  1/2/16 (active/max active/max total)
   Reserved Conversations 1/1 (allocated/max allocated)
   Available Bandwidth 17 kilobits/sec

(depth/weight/total drops/no-buffer drops/interleaves) 4/32384/0/0/0
Conversation 12, linktype: ip, length: 1504
source: 172.16.1.10, destination: 172.16.31.10, id: 0x09FA, ttl: 127,
TOS: 0 prot: 6, source port 20, destination port 1090

We run an FTP transfer: since FTP is neither SSH nor WWW, it falls into weighted fair queuing, which is the router's default behaviour on low-speed serial interfaces.

Page 11

We apply the crypto map, and now...

core#sh queue s0/2
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 34
Queueing strategy: weighted fair
Output queue: 4/1000/64/34 (size/max total/threshold/drops)
   Conversations  1/2/16 (active/max active/max total)
   Reserved Conversations 1/1 (allocated/max allocated)
   Available Bandwidth 17 kilobits/sec

(depth/weight/total drops/no-buffer drops/interleaves) 4/32384/0/0/0
Conversation 9, linktype: ip, length: 1500
source: 10.10.10.9, destination: 10.10.10.18, id: 0x0DA6, ttl: 255, prot: 50

We run another FTP transfer, this time with the crypto map already applied:

PROBLEM: when it makes the QoS decision, the router no longer sees the packets between the endpoints, because it encrypts first and only then queues them to send them out over the WAN, where QoS is decided; by that point all the packets look the same!

SOLUTION: pre-classify the traffic before encrypting it, with the qos pre-classify command in the crypto map.
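The problem and the fix, as an added model that is not code from the slides: the DEMO policy's access lists are applied to a packet before and after ESP encapsulation, with and without qos pre-classify. ACL_TO_CLASS, Packet and the encapsulation are simplifications of this page's configuration, not IOS internals.

```python
"""Why IPSec breaks QoS classification, and what qos pre-classify changes.

Added example, not from the original slides. It models the DEMO policy:
access-list 102 (SSH from 172.16.1.10) -> high_priority, access-list 103
(WWW from 172.16.1.10) -> med_priority, everything else -> class-default,
which falls into weighted fair queuing on the serial interface.
"""
from dataclasses import dataclass
from typing import List, Optional

ESP = 50  # IP protocol number of ESP, the 'prot: 50' seen in sh queue


@dataclass
class Packet:
    src: str
    dst: str
    proto: int             # 6 = TCP, 17 = UDP, 50 = ESP
    sport: Optional[int]   # None once the transport header is encrypted
    dport: Optional[int]
    # Class decided on the clear-text packet when qos pre-classify is active.
    preclass: Optional[str] = None


# Constructed table mirroring the slide's ACLs: number -> (class, proto, src host, src port).
ACL_TO_CLASS = {
    102: ("high_priority", 6, "172.16.1.10", 22),   # SSH
    103: ("med_priority", 6, "172.16.1.10", 80),    # www
}


def classify(pkt: Packet) -> str:
    """Service-policy DEMO: first matching access-group wins, else class-default."""
    if pkt.preclass is not None:
        # qos pre-classify: the classification recorded before encryption is
        # used even though the packet on the interface is now ESP.
        return pkt.preclass
    for _, (cls, proto, src, sport) in sorted(ACL_TO_CLASS.items()):
        if pkt.proto == proto and pkt.src == src and pkt.sport == sport:
            return cls
    return "class-default"


def encapsulate(pkt: Packet, local: str, peer: str, pre_classify: bool) -> Packet:
    """ESP tunnel mode: the inner IP/TCP header becomes encrypted payload."""
    preclass = classify(pkt) if pre_classify else None
    return Packet(src=local, dst=peer, proto=ESP, sport=None, dport=None,
                  preclass=preclass)


def outbound_classes(packets: List[Packet], pre_classify: bool) -> List[str]:
    """Classes the service-policy on Serial0/2 assigns once the crypto map is on."""
    return [classify(encapsulate(p, "10.10.10.9", "10.10.10.18", pre_classify))
            for p in packets]


# Constructed sample flows from the server 172.16.1.10 to 172.16.31.10.
SAMPLE = [
    Packet("172.16.1.10", "172.16.31.10", 6, 22, 40001),  # SSH
    Packet("172.16.1.10", "172.16.31.10", 6, 80, 40002),  # web
    Packet("172.16.1.10", "172.16.31.10", 6, 20, 1090),   # FTP data, as on the slide
]

if __name__ == "__main__":
    print("clear text  :", [classify(p) for p in SAMPLE])
    print("crypto map  :", outbound_classes(SAMPLE, pre_classify=False))
    print("pre-classify:", outbound_classes(SAMPLE, pre_classify=True))
```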

Page 12

After QoS pre-classification

crypto map demo 10 ipsec-isakmp
 set peer 10.10.10.18
 set transform-set strong
 match address 101
 qos pre-classify

core#sh queue s0/2
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 34
Queueing strategy: weighted fair
Output queue: 4/1000/64/34 (size/max total/threshold/drops)
   Conversations  1/2/16 (active/max active/max total)
   Reserved Conversations 1/1 (allocated/max allocated)
   Available Bandwidth 17 kilobits/sec

(depth/weight/total drops/no-buffer drops/interleaves) 4/32384/0/0/0
Conversation 4, linktype: ip, length: 1500
source: 172.16.1.10, destination: 172.16.31.10, id: 0x0F5E, ttl: 127,
TOS: 0 prot: 6, source port 20, destination port 1098

Page 13

After QoS pre-classification

core#sh cry map
Crypto Map "demo" 10 ipsec-isakmp
        Peer = 10.10.10.18
        Extended IP access list 101
            access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.31.0 0.0.0.255
        Current peer: 10.10.10.18
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ strong, }
        QOS pre-classification
        Interfaces using crypto map demo:
                Serial0/2

Page 14

SSH Terminal-Line Access

Reverse Telnet provides very little security because all Telnet traffic goes over the network in the clear. The SSH Terminal-Line Access feature replaces reverse Telnet with secure shell (SSH). This feature may be configured to use encryption to access devices on the tty lines, which provides users with connections that support strong privacy and session integrity.

Benefits

The SSH Terminal-Line Access feature provides users secure access to tty lines.

SSH Terminal-Line Access Configuration Example

The following example shows how to configure the SSH Terminal-Line Access feature on a modem used for dial-out on lines 1 through 200. To get any of the dial-out modems, use any SSH client and start an SSH session to port 2000 of the router to get to the next available modem from the rotary.

line 1 200
 no exec
 login authentication default
 rotary 1
 transport input ssh
 exit
ip ssh port 2000 rotary 1

Diagram: SSH tunnel from the client to the router, then out over the TTY lines.


Page 16

IOS 12.2(4)T

Ability to Disable Extended Authentication for Static IPSec Peers
Distinguished Name Based Crypto Maps
IPSec - SNMP Support
L2TP Security
NAT - Ability to Use Route Maps with Static Translations
NAT - Static Mapping Support with HSRP for High Availability

Page 17

Ability to Disable Extended Auth for Static IPSec Peers

Problem: everything breaks when we combine static site-to-site VPNs with remote-access VPNs, in particular when we want to authenticate the remote users with AAA.

Cause: the remote users are authenticated with xauth (extended authentication), which applies globally to the crypto map on the interface. The router will therefore also try to challenge the site-to-site peer router.

Solution: do not run xauth against the site-to-site peers.

crypto isakmp key keystring address peer-address [mask] [no-xauth]

Note: the command it collided with was: crypto map xxx client authentication list zzzz

Page 18

Distinguished Name Based Crypto Maps

Lets the router filter the candidates that want to establish IPSec with it, based on the contents of the certificates they present.

crypto map bigbiz 10 ipsec-isakmp
 set peer 172.21.114.196
 set transform-set my-set
 match address 124
 identity to-bigbiz
!
crypto identity to-bigbiz
 dn ou=XYZ

crypto map map-littlecom 10 ipsec-isakmp
 set peer 172.21.115.119
 set transform-set my-set
 match address 125
 identity to-little-com
!
crypto identity to-little-com
 fqdn laempresa.com

The first map is usable by peers that authenticate by DN, if they belong to XYZ. The second is usable by peers that authenticate by hostname, if they belong to laempresa.com.

Page 19

IPSec: SNMP Support & L2TP Security

IPSec - SNMP Support

L2TP Security

vpdn-group pepe
 l2tp security crypto-profile profile-name [keep-sa]

Note: this is the default L2TP behaviour in Windows 2000 and XP.

Page 20

NAT - Ability to Use Route Maps with Static Translations

Diagram (addresses as on the slide): an internal network 10.1.1.0/24 reached both from the Internet (192.1.1.1) and through an IPSec tunnel (200.1.1.1, 192.10.1.1) from a remote network 10.1.2.0/24.

Multihomed internal networks now can host common services such as the WWW and DNS, which are accessed from different outside networks.

Use case: a headquarters server is shared between users on the Internet and users behind a VPN.

rtr(config)# ip nat inside source static local-ip global-ip route-map map-name

Page 21

NAT - Static Mapping Support with HSRP for High Availability

Allows two or more routers paired with HSRP to also share a static NAT translation, so that the HSRP active router is the only one able to answer for the shared NAT entry.

Active router configuration

interface BVI10
 ip address 192.168.5.54 255.255.255.0
 no ip redirects
 ip nat inside
 standby 10 priority 105 preempt
 standby 10 name HSRP1
 standby 10 ip 192.168.5.30
 standby 10 track Ethernet2/1
!
ip nat inside source static 192.168.5.33 3.3.3.5 redundancy HSRP1

Standby router

interface BVI10
 ip address 192.168.5.56 255.255.255.0
 no ip redirects
 ip nat inside
 standby 10 priority 100 preempt
 standby 10 name HSRP1
 standby 10 ip 192.168.5.30
 standby 10 track Ethernet3/1
!
ip nat inside source static 192.168.5.33 3.3.3.5 redundancy HSRP1


Page 23

IOS 12.2(8)T

Certificate Autoenrollment
Certificate Enrollment Enhancements
Easy VPN Server
GRE Tunnel Keepalive
IKE: Initiate Aggressive Mode
IPSec VPN High Availability Enhancements (RRI and HSRP)
Multiple RSA Key Pair support

Page 24

Certificate Autoenrollment & Enhancements

Provides new options for requesting certificates and makes it easy for users to put fields into the configuration that previously had to be entered interactively.

crypto ca trustpoint name
 auto-enroll [regenerate]

Makes the router automatically request a digital certificate from a certificate authority (CA).

crypto ca trustpoint name
 ip-address {ip-address | interface}
 subject-name [x.500-name]
 serial-number [none]
 usage method1 [method2 [method3]]
 password string

Page 25

Easy VPN Server in IOS

With the upgrade to 12.2(8)T and later, Cisco VPN Client tunnels can be terminated on an IOS router (as can Easy VPN tunnels initiated from a VPN 3002, or from a PIX or IOS router in Easy VPN Client mode).

Page 26

Easy VPN Server

The Cisco VPN Client can encrypt against any Cisco VPN platform: VPN 3000 (VPN 3.0), PIX (PIX 6.0) and IOS (IOS 12.2(8)T).

Benefits:
- Almost no client configuration
- The concentrator pushes the session parameters to the client

Page 27

Easy VPN Server & Easy VPN Client

Diagram: IPSec VPN between Easy VPN servers and remote sites, with Easy VPN providing dynamic policy management. Devices shown: PIX 501, 806, VPN 3002, 1700, VPN 3005, VPN 3015, PIX 515, 7200, 7400, PIX 506, 2600 / 3600, and SOHO 91 (VPN client only in VPN pass-through mode).

Page 28

Benefits of Cisco Easy VPN

Diagram: central site (Cisco IOS router, VPN 3000 Concentrator, PIX Firewall) and remote sites (Cisco 800, 900 Series Router, Cisco PIX 501 FW, CVPN 3002; Cisco 1700, 2600, 3600 Series Router, Cisco PIX Firewall, VPN 3002) connected over the Internet. Browser-based GUI on the Cisco 800, 900, Cisco PIX 501 FW and CVPN 3002.

1. The remote contacts the central site to authenticate and provide its information.
2. The policy is pushed to the remote client devices.
3. The VPN is established from the remote, according to the central site's policy.

Page 29

VPN controlled from headquarters

Diagram: headquarters (HQ, running a Cisco Easy VPN Server: Cisco CVPN 3000, Cisco IOS Router or Cisco PIX Firewall) connected over the Internet to a small branch office (SBO, Cisco 1700), to home and remote offices, and to the mobile workforce.

The concentrator pushes the information the remote needs in order to work.

Attributes:
- Logical IP address and mask
- DNS, WINS
- Split tunnel: the networks for which headquarters instructs the remote to use the VPN (the rest of the traffic goes straight out to the Internet)

Page 30

Easy VPN Server in IOS

AAA:

username dciccaro password 0 pepe
aaa new-model
aaa authentication login easyvpn local
aaa authorization network easyvpn local

ISAKMP and group parameters:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group demo
 key cisco
 dns 172.16.1.20 172.16.1.30
 wins 172.16.1.40 172.16.1.50
 domain cisco.com
 pool easyvpn_pool
 acl 101

IPSec parameters:

crypto ipsec transform-set strong-aes esp-aes 256
!
crypto dynamic-map demo_dyn 10
 set transform-set strong-aes
 reverse-route
!
crypto map demo client authentication list easyvpn
crypto map demo isakmp authorization list easyvpn
crypto map demo client configuration address respond
crypto map demo 10 ipsec-isakmp dynamic demo_dyn
!
ip local pool easyvpn_pool 172.16.30.1 172.16.30.254
access-list 101 permit ip 172.16.0.0 0.0.255.255 any

Crypto map on the outbound interface:

interface Serial0/1
 ip address 10.10.10.5 255.255.255.252
 crypto map demo

Page 32

GRE Tunnel Keepalive

Capability of configuring keepalive packets to be sent over IP-encapsulated GRE tunnels. You can specify the rate at which keepalives will be sent and the number of times that a device will continue to send keepalive packets without a response before the interface becomes inactive. GRE keepalive packets may be sent from both sides of a tunnel, or from just one side.

Router# configure terminal
Router(config)# interface tunnel number
Router(config-if)# keepalive [seconds [retries]]

Page 33

IKE: Initiate Aggressive Mode

Allows configuring IKE preshared keys as RADIUS tunnel attributes for IPSec peers. Keys are stored in the AAA server as IETF RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router.

HUB

aaa new-model
aaa authorization network ike group radius
aaa authentication login default group radius
!
! The Radius configurations are as follows:
radius-server host 1.1.1.1 auth-port 1645 acct-port 1646
radius-server key rad123
!
! The IKE configurations are as follows:
crypto isakmp policy 1
 authentication pre-share
!
! The IPSec configurations are as follows:
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
crypto dynamic-map Dmap 10
 set transform-set trans1
!
crypto map Testtag isakmp authorization list ike
crypto map Testtag 10 ipsec-isakmp dynamic Dmap
!
interface Ethernet0
 ip address 4.4.4.1 255.255.255.0
 crypto map Testtag

SPOKE

! The IKE configurations are as follows:
crypto isakmp policy 1
 authentication pre-share
!
! The IPSec configurations are as follows:
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
access-list 101 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
!
! Initiate aggressive mode using Radius tunnel attributes
crypto isakmp peer address 4.4.4.1
 set aggressive-mode client-endpoint user-fqdn [email protected]
 set aggressive-mode password cisco123
!
crypto map Testtag 10 ipsec-isakmp
 set peer 4.4.4.1
 set transform-set trans1
 match address 101
!
interface Ethernet0
 ip address 5.5.5.1 255.255.255.0
 crypto map Testtag
!
interface Ethernet1
 ip address 3.3.3.1 255.255.255.0

Page 34

VPN High Availability Enhancements (RRI & HSRP)

The IPSec VPN High Availability feature consists of two new features, Reverse Route Injection and Hot Standby Router Protocol and IPSec, that work together to provide users with a simplified network design for VPNs and reduced complexity on remote peers with respect to defining gateway lists.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml

7204-VXR-1:

standby 1 ip 172.16.172.53
standby 1 priority 200
standby 1 preempt
standby 1 name VPNHA
standby 1 track Ethernet1/1 150
!
crypto map vpn 10 ipsec-isakmp
 set peer 172.16.172.69
 set transform-set myset
 match address 101
 reverse-route
!
crypto map vpn redundancy VPNHA

Page 35

12.2(8)T Reverse Route Injection

Problem description

Until this release there was no way to keep track of the flow of IPSec connections in a configuration with multiple VPN concentrators (or, more precisely, of which concentrator was responsible for each flow). HSRP had no notion of being accepted as a valid IP address on which to terminate VPN tunnels.

Page 36

12.2(8)T Reverse Route Injection

Reverse Route Injection
- Avoids asymmetric routing problems
- Injects routes dynamically, which avoids the inconsistencies of static routes

HSRP + API
- An HSRP address can now terminate VPN tunnels
- In case of a failure, HSRP carries out the changes at the VPN level
- Remote devices do not need to know that there are multiple central concentrators, because HSRP hides that complexity

Page 37

12.2(8)T Reverse Route Injection: example

Diagram: routers P and S between the Inside and Outside networks; remote network 1.1.1.0/255.255.255.0; injected route: ip route 1.1.1.0/24 P.

1. A client connects to the HSRP IP address.
2. P is elected as the active router.
3. P announces to the headquarters intranet that it is responsible for reaching the remote site.
4. Traffic from headquarters to the remote site will therefore be sent to P.
5. If P fails, S takes over the tunnel.

Page 38

Multiple RSA Key Pair Support

Multiple RSA Key Pair lets a user define multiple RSA key pairs on the same router. One use would be for the router to hold different key pairs for different digital certificates.

Router(config)# crypto key generate rsa [usage-keys | general-keys] [key-pair-label]
Router(config)# crypto ca trustpoint
Router(ca-trustpoint)# rsakeypair key-label [key-size [encryption-key-size]]


Page 40

IOS 12.2(13)T

Advanced Encryption Standard (AES)
Cisco Easy VPN Remote - Phase I
Dynamic Multipoint VPN (DMVPN)
IPSec NAT Transparency
Low Latency Queuing (LLQ) for IPSec Encryption Engines
Manual Certificate Enrollment (TFTP and Cut-and-Paste)
NAT Default Inside Server
NAT Integration with MPLS VPNs
NAT Stateful Failover of Network Address Translation
Pre-fragmentation for IPSec VPNs
Privilege Command Enhancement
VPN Device Manager IOS Feature Document
VPN crypto/Compr Module (AIM-VPN/EPII & AIM-VPN/HPII)
Software IPPCP (LZS) with Hardware Encryption

Page 41

AES support (128, 192, 256)

NIST standard to replace DES. Option: use 3DES, or use AES-128, which is of similar strength.

AES-256 is for the deeply paranoid. With 12.2(13)T we have AES support in software; the new VPN modules add support in hardware. For more information:

http://csrc.nist.gov/CryptoToolkit/aes/

Page 42

AES support (128, 192, 256)

core(config)#cry isak pol 20
core(config-isakmp)#enc ?
  3des  Three key triple DES
  aes   AES - Advanced Encryption Standard.
  des   DES - Data Encryption Standard (56 bit keys).

core(config-isakmp)#enc aes ?
  128  128 bit keys.
  192  192 bit keys.
  256  256 bit keys.
  <cr>

core(config)#cry ipsec transform-set new-aes ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-sha-hmac  ESP transform using HMAC-SHA auth

core(config)#cry ipsec transform-set new-aes esp-aes ?
  128           128 bit keys.
  192           192 bit keys.
  256           256 bit keys.
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

Page 43

Cisco Easy VPN Remote - Phase I

Also called Easy VPN Client. This feature had shipped with release 12.2(4)YA and is merged into the T train in this release, 12.2(13)T.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftezvpcm.htm

Which PIX version supports server mode?

Which IOS version supports server mode?

Which VPN 3000 version supports server mode?

Page 44

Dynamic Multipoint VPN

What is the problem? In a physically full-meshed topology with remote sites that have dynamic IP addresses, direct communication between spokes is impossible: it has to go through the hub, which has a fixed IP address.

Why? Neither spoke knows the other's address, so it is impossible to use a standard crypto map, a dynamic one, or TED on either of them.

How is it solved? With DMVPN, which combines GRE with IPSec and a registration method at the centre of the star (the hub).

Page 45

Dynamic Multipoint VPN: concept

Diagram: branch offices with dynamic public IP addresses (broadband) and headquarters with a static IP address (130.25.13.1); networks 192.168.1.0/24 (192.168.1.1), 192.168.2.0/24 (192.168.2.1) and 192.168.3.0/24 (192.168.3.1). Dynamic tunnels between headquarters and the branches; temporary tunnels built dynamically between branches.

Page 46

DMVPN hub configuration

crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key topsecret address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des
!
crypto ipsec profile DMVPN
 set transform-set strong
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp network-id 1001
 no ip split-horizon
 tunnel source Serial0/1
 tunnel mode gre multipoint
 tunnel key 250872
 tunnel protection ipsec profile DMVPN
!
interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.0
!
interface Serial0/1
 ip address 10.10.10.5 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.6

Page 47

DMVPN spoke configuration

crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key topsecret address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des
!
crypto ipsec profile DMVPN
 set transform-set strong
!
interface Ethernet0/0
 ip address 172.16.31.1 255.255.255.0
!
interface Serial0/0
 ip address 10.10.10.18 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.10.10.17
!
interface Tunnel0
 ip address 192.168.1.9 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip nhrp authentication cisco123
 ip nhrp map 192.168.1.1 10.10.10.5
 ip nhrp map multicast 10.10.10.5
 ip nhrp network-id 1001
 ip nhrp nhs 192.168.1.1
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel key 250872
 tunnel protection ipsec profile DMVPN

Annotations on the slide: 10.10.10.5 is the fixed IP address of headquarters; 192.168.1.1 is the address of the next-hop server (NHS).

Page 48

DMVPN: crypto maps created on the fly

core#sh cry map
Crypto Map "Tunnel0-head-0" 1 ipsec-isakmp
        Profile name: DMVPN
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ strong, }

Crypto Map "Tunnel0-head-0" 2 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 10.10.10.18
        Extended IP access list
            access-list  permit gre host 10.10.10.5 host 10.10.10.18
        Current peer: 10.10.10.18
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ strong, }

Crypto Map "Tunnel0-head-0" 3 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 172.16.4.8
        Extended IP access list
            access-list  permit gre host 10.10.10.5 host 172.16.4.8
        Current peer: 172.16.4.8
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ strong, }

        Interfaces using crypto map Tunnel0-head-0:
                Tunnel0

Page 49

IPsec NAT Transparency (IETF UDP wrapper)

Two possible solutions are explained next:
- The standard IPSec solution
- The IETF IPSec solution based on UDP wrappers

Page 50

IPsec NAT Transparency (cont.): the problem with standard IPSec

Diagram: two VPN clients (10.1.1.1 and 10.1.1.2, addresses from DHCP in 10.x.x.x) behind the ISP's PAT device (130.x.x.x), with headquarters at 130.40.1.1 across the Internet. Each client's IP/TCP/User Data packet is encapsulated as IP/ESP (50)/encrypted data/HASH. PAT rewrites source IP 10.1.1.1 and source IP 10.1.1.2 to the same source IP 130.1.1.2, and since ESP carries no ports for PAT to tell the two flows apart, the result on the VPN tunnel is ERROR.

Page 51

IPsec NAT Transparency (cont.): the solution, UDP wrapper (IETF)

Diagram: the same two VPN clients (10.1.1.1 and 10.1.1.2, DHCP) behind the ISP's NAT/PAT (130.x.x.x), with headquarters at 130.40.1.1 reached over PSTN, ISP and Internet. The IP/TCP/User Data packet is now carried as IP/UDP/payload; NAT/PAT rewrites S=10.1.1.1 to S=130.40.20.1 (source IP 10.1.1.1 and 10.1.1.2 both to 130.1.1.2 in the diagram) and both clients' flows arrive OK over the VPN tunnel.
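The two diagrams as an added, runnable model (not code from the slides): a toy PAT device translates plain ESP and UDP-wrapped traffic from the two clients, and we check whether headquarters' reply finds its way back. The Pat class, the UDP port 4500 and all addresses other than the slide's are assumptions of this model.

```python
"""Plain ESP through PAT vs. the IETF UDP wrapper (NAT-T).

Added example; it is not code from the original slides. It models the two
slides above: VPN clients 10.1.1.1 and 10.1.1.2 behind one PAT address
(130.1.1.2) reaching headquarters at 130.40.1.1. Plain ESP (IP protocol 50)
carries no transport ports for PAT to rewrite, while UDP-encapsulated ESP does.
The PAT device is a toy model; UDP port 4500 (the NAT-T port later fixed by
RFC 3948) is an assumption of this model, not something the slides state.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESP, UDP = 50, 17
NAT_T_PORT = 4500
HQ = "130.40.1.1"


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for ESP: there is no transport header
    dport: Optional[int] = None


class Pat:
    """Port Address Translation behind one outside address."""

    def __init__(self, outside_ip: str) -> None:
        self.outside_ip = outside_ip
        self.next_port = 1024
        # (proto, outside port or None) -> (inside ip, inside port or None)
        self.table: Dict[Tuple[int, Optional[int]], Tuple[str, Optional[int]]] = {}

    def outbound(self, p: Pkt) -> Optional[Pkt]:
        if p.proto == ESP:
            key = (ESP, None)  # no port: the whole outside address is the key
            if key in self.table and self.table[key][0] != p.src:
                # Second ESP client: replies to 130.1.1.2 / protocol 50 could
                # not be told apart, so the flow is not translated (slide: ERROR).
                return None
            self.table[key] = (p.src, None)
            return Pkt(self.outside_ip, p.dst, ESP)
        # UDP: reuse or allocate a distinct outside port per inside (ip, port).
        for (proto, oport), inside in self.table.items():
            if proto == p.proto and inside == (p.src, p.sport):
                return Pkt(self.outside_ip, p.dst, p.proto, oport, p.dport)
        oport, self.next_port = self.next_port, self.next_port + 1
        self.table[(p.proto, oport)] = (p.src, p.sport)
        return Pkt(self.outside_ip, p.dst, p.proto, oport, p.dport)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Reverse translation of a reply arriving at the outside address."""
        entry = self.table.get((p.proto, None if p.proto == ESP else p.dport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Pkt(p.src, inside_ip, p.proto, p.sport, inside_port)


def run(clients: List[str], wrapped: bool, pat_ip: str = "130.1.1.2") -> Dict[str, str]:
    """For each client: OK if HQ's reply gets back to it through PAT, else ERROR."""
    pat = Pat(pat_ip)
    outcome: Dict[str, str] = {}
    for c in clients:
        first = (Pkt(c, HQ, UDP, NAT_T_PORT, NAT_T_PORT) if wrapped
                 else Pkt(c, HQ, ESP))
        seen_by_hq = pat.outbound(first)
        if seen_by_hq is None:
            outcome[c] = "ERROR"
            continue
        # HQ answers exactly what it saw: addresses and ports swapped.
        reply = Pkt(HQ, seen_by_hq.src, seen_by_hq.proto,
                    seen_by_hq.dport, seen_by_hq.sport)
        back = pat.inbound(reply)
        outcome[c] = "OK" if back is not None and back.dst == c else "ERROR"
    return outcome


if __name__ == "__main__":
    print("standard ESP:", run(["10.1.1.1", "10.1.1.2"], wrapped=False))
    print("UDP wrapper :", run(["10.1.1.1", "10.1.1.2"], wrapped=True))
```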

Page 52

Low Latency Queuing for IPsec

Low Latency Queueing: to ensure adequate treatment of encrypted voice on IP networks.

Page 53

Manual Certificate Enrollment (TFTP, Cut-and-Paste)

Useful when the CA does not support Cisco's best-known method (SCEP). Must be used when there is no prior network connectivity between the router and the CA.

Page 54

NAT Default Inside Server

Normally, when the NAT router sees a packet arrive from the outside for which it has no translation built, it drops it. NAT Default Inside Server allows such packets to be directed to a host defined as the default recipient of unknown packets.

Application: typical for gaming devices that receive packets on any UDP port and sit behind a router with a single, dynamic IP address handed out by an ISP.

Note: the command is: ip nat inside source static local-ip interface type number

Page 55

NAT Integration with MPLS VPNs

Scenario: a service provider offers Internet access to its customer through an edge router of its MPLS-VPN network. Usually the customer uses RFC 1918 (private) addressing, so traffic bound for the Internet has to go through a NAT function. This is solved by either:

- having the customer's CPE do the NAT, so that traffic already leaves with a consistent address, or
- having the Internet/MPLS-VPN edge router do NAT in each customer context. Example:

ip nat inside source {list {ACL-nbr | ACL-name} | route-map name} {interface type number | pool pool-name} vrf vrf-name [overload]

Page 56

Stateful Failover of NAT

It introduces support for two or more network address translators to function as a translation group. A backup router running NAT provides translation services in the event of failure of the active translator.

interface interface-number port-number
 standby [group-name ip ip-address [secondary]]
 exit
ip snat stateful id ip-address redundancy group-name mapping-id map-number
ip nat pool name start-ip end-ip prefix-length prefix-length
ip nat inside source {route-map name pool pool-name mapping-id map-nbr} [overload]

Page 57

Pre-fragmentation for IPSec VPNs

If an IPSec packet is fragmented, the decapsulating router has to reassemble it, which carries a high CPU penalty.

A router can lose 70% of its capacity if this problem is not taken into account.

Page 58

Pre-fragmentation for IPSec VPNs

At the level of the interface where the crypto map is applied:

router(config-if)# crypto ipsec fragmentation before-encryption
router(config-if)# crypto ipsec fragmentation after-encryption

Or globally, that is, for every possible interface:

router(config)# crypto ipsec fragmentation before-encryption
router(config)# crypto ipsec fragmentation after-encryption

Page 59

VPN Device Manager IOS Feature (http://www.cisco.com/cgi-bin/tablebuild.pl/vdm)

VDM software is installed directly onto Cisco VPN devices. It allows network administrators to use a web browser to manage and configure site-to-site VPNs on a single device.

Supported platforms: Cisco 1700, Cisco 2600, Cisco 3620, 3640 and 3660, Cisco 7100, Cisco 7200, Cisco 7400, Cisco Catalyst 6500 with IPSec VPN Module, Cisco 7600 with IPSec VPN Module.


Page 61

IOS 12.2(15)T

Certificate Security Attribute-Based Access Control
Cisco Easy VPN Remote Enhancements
Exporting and Importing RSA Keys
Firewall Stateful Inspection of ICMP packets
Firewall Intrusion Detection System Signature Enhancements
Firewall Support for N2H2 & Websense URL Filtering
Firewall Support for SIP & HTTPS Authentication Proxy
HTTPS - HTTP Server and Client with SSL 3.0
IP Access List Entry Sequence Numbering
IPSec Security Association Idle Timers
IPSec VPN Accounting
NAT Support for IPSec ESP - Phase II
VRF-Aware IPSec
XML Interface to Syslog Messages

Page 62

Certificate Security Attribute-Based Access Control

Allows applications within IOS to perform authorization based on the fields in the certificate. In this way, from a user's point of view, a certificate is used for both authentication and authorization.

crypto ca certificate map Group 10
 issuer-name co Cisco Systems
 subject-name co DIAL
crypto ca certificate map Group 20
 issuer-name co Cisco Systems
 subject-name co WAN
!
crypto ca trustpoint Access2
 match certificate Group

Example: accepts any certificate issued by Cisco Systems for an entity with the subject name DIAL or WAN.

Fields: subject-name, issuer-name, unstructured-subject-name, alt-subject-name, name, valid-start, expires-on

Operators: eq (equal), ne (not equal), co (contains), nc (does not contain), lt (less than), ge (greater than or equal)
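The map from the slide evaluated in code, as an added example that is not from the slides or from IOS: the six operators are implemented over certificate fields, the Group map is expressed as data, and constructed certificates are run through it, including a variant that also checks expires-on with ge. Case-insensitive string matching and the sample certificates are assumptions of this model.

```python
"""Certificate attribute-based access control: evaluating a crypto ca certificate map.

Added example; it is not code from the original slides or from IOS. It models
the operators the slide lists (eq, ne, co, nc, lt, ge) over certificate fields
and evaluates the map "Group" from the slide: sequence 10 requires issuer-name
co "Cisco Systems" and subject-name co DIAL, sequence 20 the same issuer and
subject-name co WAN. String matching is modelled as case-insensitive
(assumption); every certificate below is constructed test data.
"""
from datetime import datetime
from typing import Any, Callable, Dict, List, Optional, Tuple

# A map entry (one sequence number) is a list of (field, operator, value) that
# must all hold (AND). Entries with different sequence numbers are alternatives (OR).
Condition = Tuple[str, str, Any]
CertMap = Dict[int, List[Condition]]


def _norm(v: Any) -> Any:
    """Fold strings to lower case so name matching is case-insensitive."""
    return v.lower() if isinstance(v, str) else v


OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda have, want: _norm(have) == _norm(want),
    "ne": lambda have, want: _norm(have) != _norm(want),
    "co": lambda have, want: _norm(want) in _norm(have),      # contains
    "nc": lambda have, want: _norm(want) not in _norm(have),  # does not contain
    "lt": lambda have, want: have < want,    # meant for valid-start / expires-on
    "ge": lambda have, want: have >= want,
}


def entry_matches(cert: Dict[str, Any], entry: List[Condition]) -> bool:
    """True when every condition of one sequence number holds for cert."""
    for field, op, want in entry:
        if field not in cert:        # a field the certificate lacks never matches
            return False
        if not OPERATORS[op](cert[field], want):
            return False
    return True


def map_matches(cert: Dict[str, Any], cert_map: CertMap) -> Optional[int]:
    """Lowest sequence number whose conditions all hold, or None for no match."""
    for seq in sorted(cert_map):
        if entry_matches(cert, cert_map[seq]):
            return seq
    return None


def authorize(cert: Dict[str, Any], cert_map: CertMap) -> bool:
    """What 'match certificate Group' under the trustpoint decides for this cert."""
    return map_matches(cert, cert_map) is not None


# The slide's map, as data.
GROUP: CertMap = {
    10: [("issuer-name", "co", "Cisco Systems"), ("subject-name", "co", "DIAL")],
    20: [("issuer-name", "co", "Cisco Systems"), ("subject-name", "co", "WAN")],
}

# The same map tightened with a date operator: reject certificates that expire
# before a constructed cut-off (the slide lists lt/ge for exactly this purpose).
CUTOFF = datetime(2004, 1, 1)
GROUP_WITH_EXPIRY: CertMap = {
    seq: conds + [("expires-on", "ge", CUTOFF)] for seq, conds in GROUP.items()
}

# Constructed certificates (only the fields the map looks at).
CERTS: Dict[str, Dict[str, Any]] = {
    "dial_user": {"subject-name": "CN=dial-user7,OU=RemoteAccess,O=Example",
                  "issuer-name": "CN=Example CA,O=Cisco Systems",
                  "expires-on": datetime(2005, 6, 30)},
    "wan_router": {"subject-name": "CN=wan-rtr-3,OU=Branches,O=Example",
                   "issuer-name": "CN=Example CA,O=Cisco Systems",
                   "expires-on": datetime(2003, 3, 1)},
    "wrong_issuer": {"subject-name": "CN=WAN-rtr-9,O=Example",
                     "issuer-name": "CN=Other CA,O=Somebody Else",
                     "expires-on": datetime(2005, 6, 30)},
    "lab_box": {"subject-name": "CN=lab-box,O=Example",
                "issuer-name": "CN=Example CA,O=Cisco Systems",
                "expires-on": datetime(2005, 6, 30)},
}

if __name__ == "__main__":
    for name, cert in CERTS.items():
        print(f"{name:13s} Group -> {map_matches(cert, GROUP)!s:5s} "
              f"with expiry -> {map_matches(cert, GROUP_WITH_EXPIRY)}")
```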

Page 63: Features de Seguridad NAT y VPN12-2T[1]

Easy VPN Remote Enhancements

Negotiating tunnel parametersAddresses, algorithms, lifetime, and so on.

Establishing tunnels according to the parameters.

Automatically creating the NAT/PAT translation and associated access lists that are needed, if any.

Authenticating users: making sure users are who they say they are, by way of usernames, group names and passwords.

Managing security keys for encryption and decryption.

Authenticating, encrypting, and decrypting data through the tunnel.

Features (12.2(4)YA) and enhancements in 12.2(15)T:
Manual Tunnel Control
Multiple Inside Interface
Multiple Outside Interfaces Support
NAT Interoperability Support
Local Address Support for Easy VPN Remote
Cable DHCP Proxy Enhancement
Peer Hostname Enhancement
Proxy DNS Server Support
PIX Interoperability Support
Cisco IOS Firewall Support
Simultaneous Easy VPN Client and Server Support
Cisco Easy VPN Remote Web Manager

Page 64: Features de Seguridad NAT y VPN12-2T[1]

Exporting and Importing RSA Keys

Allows the private RSA key pair of a router to be shared with standby routers, thereby transferring the security credentials between networking devices. The key pair shared between two routers allows one router to immediately and transparently take over the role of the other. If the main router were to fail, the standby router could be dropped into the network to replace the failed router without the need to regenerate keys, re-enroll with the CA, or manually redistribute keys.

On both routers:
crypto key generate rsa {general-purpose | usage-keys} [label key-label] exportable

On the router that exports its credentials:
crypto ca trustpoint name
 rsakeypair key-label [key-size [encryption-key-size]]
crypto ca export trustpointname pkcs12 destination-url passphrase

On the router that imports its neighbor's credentials:
crypto ca import trustpointname pkcs12 source-url passphrase

Page 65: Features de Seguridad NAT y VPN12-2T[1]

Stateful Inspection of ICMP Packets

Before this feature, anyone enabling the firewall function had to explicitly permit the ICMP packets returning in response to packets sent out through the firewall, because stateful inspection only covered the UDP and TCP protocols.

With this new functionality, it is possible to build an inspection policy that takes the ICMP protocol into account.

Static ACL previously needed for the returning ICMP traffic:
access-list 101 remark ## some needed ICMP
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any unreachable

interface <exterior>
 ip inspect xxxx out
 ip access-group 101 in

New inspection rule:
ip inspect name xxxx icmp [alert {on | off}] [audit-trail {on | off}] [timeout secs]
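As an added illustration of what the new inspection rule has to track (not IOS code), here is a toy ICMP session table in Python: an outbound echo request opens a session, and only the matching reply, or an ICMP error that quotes that request, is let back in. Addresses, identifiers and the timeout are constructed values:

```python
"""Toy stateful ICMP inspection modelling what 'ip inspect name X icmp' does.

Added example, not IOS code. An outbound echo request opens a session; only
the matching echo reply, or an ICMP error whose embedded header belongs to that
session, is allowed back in, and idle sessions expire after 'timeout' seconds.
Packets are constructed dicts; addresses and identifiers are made up.
"""
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
# Return-path error types from the slide's ACL. "packet-too-big" is
# destination-unreachable code 4, so it is covered by DEST_UNREACHABLE here.
ERROR_TYPES = {DEST_UNREACHABLE, TIME_EXCEEDED}


class IcmpInspector:
    def __init__(self, timeout=10):
        self.timeout = timeout
        self.sessions = {}   # (inside src, outside dst, identifier) -> last seen

    def _expire(self, now):
        stale = [k for k, seen in self.sessions.items() if now - seen > self.timeout]
        for key in stale:
            del self.sessions[key]

    def outbound(self, src, dst, icmp_type, ident, now):
        """Traffic leaving through the inspected interface (always permitted here)."""
        self._expire(now)
        if icmp_type == ECHO_REQUEST:
            self.sessions[(src, dst, ident)] = now
        return True

    def inbound(self, pkt, now):
        """Return True if the inbound packet belongs to an open session."""
        self._expire(now)
        if pkt["type"] == ECHO_REPLY:
            key = (pkt["dst"], pkt["src"], pkt["ident"])
        elif pkt["type"] in ERROR_TYPES:
            # ICMP errors quote the header of the packet that caused them, so
            # match on that inner header rather than on the error's own source,
            # which may be any router along the path.
            inner = pkt["inner"]
            key = (inner["src"], inner["dst"], inner["ident"])
        else:
            return False   # e.g. an unsolicited inbound echo request
        if key not in self.sessions:
            return False
        self.sessions[key] = now
        return True


def demo():
    """Walk one session through reply, error, stray reply and timeout."""
    fw = IcmpInspector(timeout=10)
    fw.outbound("10.1.1.5", "198.51.100.7", ECHO_REQUEST, 0x1234, now=100)
    reply = {"src": "198.51.100.7", "dst": "10.1.1.5", "type": ECHO_REPLY, "ident": 0x1234}
    ttl_exp = {"src": "203.0.113.1", "dst": "10.1.1.5", "type": TIME_EXCEEDED,
               "inner": {"src": "10.1.1.5", "dst": "198.51.100.7", "ident": 0x1234}}
    stray = {"src": "198.51.100.9", "dst": "10.1.1.5", "type": ECHO_REPLY, "ident": 0x1}
    return (fw.inbound(reply, now=101),     # matching reply: allowed
            fw.inbound(ttl_exp, now=102),   # error quoting our request: allowed
            fw.inbound(stray, now=103),     # no session for it: dropped
            fw.inbound(reply, now=200))     # session idle too long: dropped


if __name__ == "__main__":
    print(demo())
```

The static ACL on the slide had to permit echo-reply, time-exceeded and unreachable from anywhere to anywhere; the session table instead ties each inbound ICMP packet to a specific outbound request, which is the difference between the old workaround and stateful inspection.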

Page 66: Features de Seguridad NAT y VPN12-2T[1]

IDS Signature Enhancements

Before this feature, the Cisco Firewall IDS contained 59 signatures, which was only a small subset of the signatures supported by Cisco Secure IDS. The Firewall IDS Signature Enhancements feature introduces 42 additional signatures that are supported by other Cisco products, such as PIX; they are categorized as follows:

21 of the 28 most commonly seen signatures in our research
Six of the 7 PIX signatures that were unavailable in IDS
All 15 of the most dangerous HTTP signatures

Example:
ip audit name EXAMPLE attack action alarm drop reset
ip audit name EXAMPLE info action alarm

interface Serial0
 ip address 191.1.1.1 255.255.255.0
 ip audit EXAMPLE in

Page 67: Features de Seguridad NAT y VPN12-2T[1]

Support for N2H2 and Websense URL Filtering

The IOS firewall works with the N2H2 or Websense server to determine whether a particular URL should be allowed or denied (blocked).

ip inspect name xxxx http [urlfilter] [java-list access-list]
ip urlfilter server vendor {websense | n2h2} ip-address [port port-nbr] [timeout secs] [retransmit nbr]

Page 68: Features de Seguridad NAT y VPN12-2T[1]

Cisco IOS Firewall Support for SIP

config# ip inspect name XXXX sip [alert {on | off}] [audit-trail {on | off}] [timeout secs]

SIP signaling responses can travel the same path as SIP signaling requests.

Subsequent signaling requests can travel directly to the endpoint (destination gateway).

Media endpoints can exchange data between each other.

Page 69: Features de Seguridad NAT y VPN12-2T[1]

HTTPS Authentication Proxy

1. The HTTP or HTTPS client requests a web page.
2. The HTTP or HTTPS request is intercepted by the router with authentication proxy.
3. The router marks the TCP/IP connection and forwards the request (with the client address) to the web server, if authentication is required.
4. The web server builds the authentication request form and sends it to the HTTP or HTTPS client via the original request protocol, HTTP or HTTPS.
5. The HTTP or HTTPS client receives the authentication request form.
6. The user enters his or her username and password in the HTTPS POST form and returns the form to the router. At this point, the authentication username and password form is sent via HTTPS. The web server will negotiate a new SSL connection with the HTTPS client.

Encrypts the exchange of username and password between the HTTP client and the router via SSL when authentication proxy is enabled on the IOS firewall, thereby ensuring confidentiality of the data passing between the HTTP client and the Cisco IOS router.

ip http secure-server

Page 70: Features de Seguridad NAT y VPN12-2T[1]

HTTP Server and Client, SSL 3.0

This feature provides Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and HTTP 1.1 client within Cisco IOS software. SSL provides server authentication, encryption, and message integrity to allow secure HTTP communications. SSL also provides HTTP client authentication. HTTP over SSL is abbreviated as HTTPS.

ip http secure-server
ip http secure-port
ip http secure-ciphersuite
ip http secure-client-auth
ip http secure-trustpoint

Page 71: Features de Seguridad NAT y VPN12-2T[1]

IP Access List Entry Sequence Numbering

Users can apply sequence numbers to permit or deny statements and can also reorder, add, or remove such statements in a named IP access list.

ip access-list resequence <name> starting-sequence-number increment

ip access-list {standard | extended} <name>
 <sequence-number> {permit | deny} ...
 <sequence-number> {permit | deny} ...

Example:
router# show access-list 150
Extended IP access list 150
    10 permit ip host 10.3.3.3 host 172.16.5.34
    20 permit icmp any any
    30 permit tcp any host 10.3.3.3
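An added Python model (not IOS code) of the sequence-number operations applied to the slide's access list 150: an entry is inserted between existing ones without rebuilding the list, and the list is then resequenced. The matching logic is deliberately limited to the "any" and "host" address forms that appear on the slide:

```python
"""Named IP ACL with sequence numbers: insert, remove, resequence, first match.

Added example modelling the 12.2(15)T behaviour described on the slide; not
IOS code. Only 'permit|deny <proto> <src> <dst>' with 'any' or 'host A.B.C.D'
addresses is modelled (no wildcard masks or port qualifiers).
"""


class NamedAcl:
    def __init__(self, name):
        self.name = name
        self.entries = {}            # sequence number -> statement

    def add(self, statement, seq=None):
        """Append (default: last sequence + 10) or insert at a given sequence."""
        if seq is None:
            seq = max(self.entries, default=0) + 10
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already used")
        self.entries[seq] = statement
        return seq

    def remove(self, seq):
        del self.entries[seq]

    def resequence(self, start, increment):
        """'ip access-list resequence': renumber in order, keeping statements."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * increment: st for i, st in enumerate(ordered)}

    def sequences(self):
        return sorted(self.entries)

    def show(self):
        """Render in the style of the slide's 'show access-list' output."""
        lines = [f"Extended IP access list {self.name}"]
        lines += [f"    {s} {self.entries[s]}" for s in sorted(self.entries)]
        return "\n".join(lines)

    def evaluate(self, proto, src, dst):
        """First matching entry wins; implicit deny at the end, as in IOS."""
        for seq in sorted(self.entries):
            action, matched = _statement_matches(self.entries[seq], proto, src, dst)
            if matched:
                return action, seq
        return "deny", None


def _parse_addr(tokens, i):
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError("only 'any' and 'host' addresses are modelled")


def _statement_matches(statement, proto, src, dst):
    tokens = statement.split()
    action, st_proto = tokens[0], tokens[1]
    st_src, i = _parse_addr(tokens, 2)
    st_dst, _ = _parse_addr(tokens, i)
    proto_ok = st_proto == "ip" or st_proto == proto   # 'ip' covers every protocol
    src_ok = st_src in ("any", src)
    dst_ok = st_dst in ("any", dst)
    return action, proto_ok and src_ok and dst_ok


def build_slide_acl():
    """The three entries from the slide's 'show access-list 150' output."""
    acl = NamedAcl("150")
    acl.add("permit ip host 10.3.3.3 host 172.16.5.34")   # gets sequence 10
    acl.add("permit icmp any any")                        # 20
    acl.add("permit tcp any host 10.3.3.3")               # 30
    return acl


if __name__ == "__main__":
    acl = build_slide_acl()
    acl.add("deny tcp host 192.0.2.1 host 10.3.3.3", seq=25)   # constructed entry
    acl.resequence(100, 5)
    print(acl.show())
```

Before sequence numbers, adding a deny in front of entry 30 meant removing and re-entering the whole list; here it is one insert at sequence 25, and resequencing afterwards only renumbers, it never reorders.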

Page 72: Features de Seguridad NAT y VPN12-2T[1]

IPSec VPN Accounting

The IPSec VPN Accounting feature allows for a session to be accounted for by indicating when the session starts and when it stops.

Example:
config# aaa accounting network list-name start-stop group group-name

Accounting records as seen in the RADIUS debug output:
*Aug 23 04:06:20.135: RADIUS: User-Name [1] 13 "joe@cclient"
*Aug 23 04:20:16.519: RADIUS(00000003): Using existing nas_port 0
*Aug 23 04:20:16.519: RADIUS(00000003): Config NAS IP: 100.1.1.147
*Aug 23 04:20:16.519: RADIUS: Acct-Session-Id [44] 10 "00000002"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 20
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 14 "vrf-id=cisco"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 35
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 29 "isakmp-initator-ip=11.1.1.2"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 36
*Aug 23 04:20:16.519: RADIUS: Acct-Session-Time [46] 6 709
*Aug 23 04:20:16.519: RADIUS: Acct-Input-Octets [42] 6 152608
*Aug 23 04:20:16.519: RADIUS: Acct-Output-Octets [43] 6 152608
*Aug 23 04:20:16.519: RADIUS: Acct-Input-Packets [47] 6 1004
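An added parser (not Cisco code) for accounting records of the kind shown above, turning the debug output into one per-session record that a monitoring tool can consume; the sample input reproduces the slide's lines, re-split one attribute per line:

```python
"""Parse 'debug radius' attribute lines from IPSec VPN accounting into a
per-session record. Added example, not Cisco code; the sample reproduces the
slide's debug output (one attribute per line)."""
import re

SAMPLE_DEBUG = """\
*Aug 23 04:06:20.135: RADIUS: User-Name [1] 13 "joe@cclient"
*Aug 23 04:20:16.519: RADIUS(00000003): Using existing nas_port 0
*Aug 23 04:20:16.519: RADIUS(00000003): Config NAS IP: 100.1.1.147
*Aug 23 04:20:16.519: RADIUS: Acct-Session-Id [44] 10 "00000002"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 20
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 14 "vrf-id=cisco"
*Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 35
*Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 29 "isakmp-initator-ip=11.1.1.2"
*Aug 23 04:20:16.519: RADIUS: Acct-Session-Time [46] 6 709
*Aug 23 04:20:16.519: RADIUS: Acct-Input-Octets [42] 6 152608
*Aug 23 04:20:16.519: RADIUS: Acct-Output-Octets [43] 6 152608
*Aug 23 04:20:16.519: RADIUS: Acct-Input-Packets [47] 6 1004
"""

# "RADIUS: <attribute name> [<type>] <length> <value>"; the value is optional
# because vendor-specific headers ("Vendor, Cisco [26] 20") carry none.
ATTR_RE = re.compile(
    r'RADIUS:\s+(?P<name>.+?)\s+\[(?P<num>\d+)\]\s+(?P<len>\d+)(?:\s+(?P<value>.+))?$')


def parse_attributes(text):
    """Return (plain attributes by name, Cisco AV pairs by key)."""
    attrs, avpairs = {}, {}
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if not m or m.group("value") is None:
            continue                     # non-attribute debug line or VSA header
        name, value = m.group("name"), m.group("value").strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]          # quoted string, keep as text
        elif value.isdigit():
            value = int(value)           # counters and durations
        if name == "Cisco AVpair" and isinstance(value, str) and "=" in value:
            key, val = value.split("=", 1)
            avpairs[key] = val
        else:
            attrs[name] = value
    return attrs, avpairs


def session_summary(text):
    """Flatten the attributes of one accounting record into a single dict."""
    attrs, avpairs = parse_attributes(text)
    return {
        "user": attrs.get("User-Name"),
        "session_id": attrs.get("Acct-Session-Id"),
        "duration_s": attrs.get("Acct-Session-Time"),
        "bytes_in": attrs.get("Acct-Input-Octets"),
        "bytes_out": attrs.get("Acct-Output-Octets"),
        "packets_in": attrs.get("Acct-Input-Packets"),
        "vrf": avpairs.get("vrf-id"),
        # the IOS attribute name is spelled "isakmp-initator-ip" in the output
        "peer": avpairs.get("isakmp-initator-ip"),
    }


if __name__ == "__main__":
    for key, val in session_summary(SAMPLE_DEBUG).items():
        print(f"{key:12} {val}")
```

Keying the Cisco AV pairs separately matters because every one of them arrives with the same sub-attribute number [1]; the attribute name alone would not distinguish the VRF from the peer address.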

Page 73: Features de Seguridad NAT y VPN12-2T[1]

VRF-Aware IPSec

IOS 12.2(15)T: MPLS integration with VRF-aware IPSec

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/index.htm

Page 74: Features de Seguridad NAT y VPN12-2T[1]

XML Interface to Syslog Messages

logging console xml
logging monitor xml
logging buffered xml
logging host {ip-address | host-name} xml

Logs in a standardized XML format, instead of plain syslog text, can be more readily consumed by external customized monitoring tools.
