
Network Security VPNs: IPSec Remote Access VPN Rich Macfarlane 1

Lab 9: VPNs – IPSec Remote Access VPN Rich Macfarlane 2015

    Details

Aim: The aim of this lab is to introduce Virtual Private Network (VPN) concepts, using an IPSec remote access VPN between a remote user's system and a perimeter router. This will allow a remote user to access the trusted organisational network securely over an untrusted network, such as the Internet, and allow us to analyse the setup and some of the tunnelled traffic.

    Activities

    10.2.1 Create Virtual Topology

Connect to our vSphere virtual environment at vc2003.napier.ac.uk using a vSphere Client. Navigate to the Module folder, such as VMs & Templates>Production>CSN11111/8. You will be assigned a group folder to work with, which contains the VMs needed for the lab (check Moodle for the Groups and IP Addressing for each Group). Lab VMs: a Windows 7 VM running GNS3, and a Windows 2003 VM running the VPN Client application.

You can create a new project for the Lab, or use the preconfigured starting project, which should be in the Projects folder. If you wish to start with that, just click the Recent Projects button and select lab9_start, then save it as a project called lab9 or suchlike (save as, before you power on the devices).

The topology, shown below, mimics an organisation and a remote User, with the 10.1.Z.0 network being the untrusted Internet. The R2 Router will be configured to provide VPN termination for remote users.

    Starting Topology

You will be assigned networks to address the host and router interfaces (see Moodle): 192.168.X.0/24, 192.168.Y.0/24 and 10.1.Z.0/24.

Additionally, configure the MAC Address on the R1 Router f0/1 interface with the following commands, using the format ca0<module code><group number>01, for example the following for csn11118 group 99:

    R1(config)# int fa0/1

    R1(config-if)# mac-address ca01.1118.9901


    THE CORRECT ADDRESSING MUST BE USED BY EACH STUDENT AS WE ARE SHARING VIRTUAL NETWORKS. ANNOTATE YOUR DIAGRAM/TAKE NOTE OF THE ADDRESS RANGES FOR YOUR GRP.

    PLEASE ONLY USE GROUP VMs AND NETWORK IP ADDRESSES ASSIGNED TO YOUR GROUP.

    PLEASE DO NOT USE YOUR OWN ADDRESSES OR THE LAB DEMO ADDRESSES IN THIS DOCUMENT!

    10.2.2 Test Connectivity

Test connectivity from each router to each local router interface, to each of the other router's interfaces, and then to the Remote User Windows VM, as shown below.

    For example, from R2:

To test connectivity from the 192.168.X.0 network, again an extended ping can be used. For example, from the R2 router:

    R2# ping

    Protocol [ip]:

    Target IP address: 192.168.Y.10

    Repeat count [5]:

    Datagram size [100]:

    Timeout in seconds [2]:

    Extended commands [n]: y

    Source address or interface: 192.168.X.254

    Type of service [0]:

    Sending 5, 100-byte ICMP Echos to 192.168.Y.10, timeout is 2 seconds:

    Packet sent with a source address of 192.168.X.254

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/34/72 ms

    R2#

Q. Were the pings successful?

    YES/NO

    If not, troubleshoot the configuration, until connectivity is achieved.

Remember to save the R1 and R2 running configurations to the routers' NVRAM, and then save the GNS3 project if you want to use it later/back them up.

To test connectivity from the Remote User to the company's HQ network, ping and traceroute can be used:

    Q. Was the connectivity testing successful?

    If not, troubleshoot the configuration, until connectivity is achieved.

    10.2.3 Configure IPSec Remote Access VPN Server on R2

IPSec provides strong VPN security, using a suite of cryptographic security standards. It provides Authentication and Encryption at the IP layer, and therefore transparently to the layers above. Routers, Firewalls and hosts can be configured as IPSec VPN endpoints (sometimes called VPN Terminators).

A Cisco VPN Server will be configured on the R2 Perimeter Router. It can manage IPSec VPN policies and push them out to VPN Clients on demand. This type of Cisco VPN Server could be configured on Routers, ASA security devices, or Cisco VPN concentrator devices.

    Authentication/Access Control for Client VPN Policy Lookup using Local AAA

AAA is used to authenticate a remote user before a VPN policy is pushed to their VPN endpoint (the remote user Windows VM in this case), and to authorise their network access.

    Use the following commands in Privileged command mode, to set up VPN policy lookup.

    Start the AAA services on the router:

    R2# config t

    Enter configuration commands, one per line. End with CNTL/Z.

    R2(config)# aaa new-model

Configure an authentication list VPNAUTHEN for the VPN connection login, to use the local AAA user accounts:

    R2(config)# aaa authentication login VPNAUTHEN local

Configure an authorisation list VPNAUTHOR for network access over the VPN connection, to use the local AAA user accounts:

    R2(config)# aaa authorization network VPNAUTHOR local

Define User Accounts in the local user account database:

    R2(config)# username rich secret richpass

    R2(config)# username bob secret bobpass

    Check the configuration of AAA is correct, by viewing the router configuration.

    Q. Where will the router look for user names and passwords to authenticate remote VPN clients?

    Q. How have the user passwords been protected?

    10.2.4 Configure Internet Key Exchange (IKE) Phase I Parameters TUNNEL SETUP CONFIG

IKE sets up the IPSec connections via Security Associations (SAs). It manages and exchanges the keys, the hash algorithms, and the IPSec SA.

To configure IKE on Cisco devices, the crypto isakmp command is used to create an IKE policy, here with a priority of 3 (1 is the highest). Each IKE policy can be used to create a different VPN tunnel, as the router may be the end point for several different VPNs.

    R2(config)# crypto isakmp policy 3

Now we are in ISAKMP policy configuration command mode, shown by the change in prompt. Next, we define that Pre-shared keys will be used to authenticate the peers at the end points of the VPN tunnel. The pre-shared keys are used along with a hash algorithm for HMAC authentication of the sender in IKE phase I.

    R2(config-isakmp)# authentication pre-share

    Define the hash algorithm which will be used in the authentication process.

    R2(config-isakmp)# hash md5

Define the key exchange mechanism to be used: the Diffie-Hellman group. The groups represent the length of the keys generated: 768 bit Diffie-Hellman is Group 1, 1024 bit is group 2, and 1582 bit is group 3. Diffie-Hellman is used in phase I to exchange the secret keys to be used for data encryption.

    R2(config-isakmp)# group 2

Define the encryption algorithm which will be used for data encryption (other options are des, aes-256 etc).

    R2(config-isakmp)# encryption 3des

    R2(config-isakmp)# exit

    R2(config)#


    Check the crypto policy has been created successfully (check for typos).

    R2# show crypto isakmp policy

    Global IKE policy

    Protection suite of priority 3

    encryption algorithm: Three key triple DES

    hash algorithm: Message Digest 5

    authentication method: Pre-Shared Key

    Diffie-Hellman group: #2 (1024 bit)

    lifetime: 86400 seconds, no volume limit

    Default protection suite

    encryption algorithm: DES - Data Encryption Standard (56 bit keys).

    hash algorithm: Secure Hash Standard

    authentication method: Rivest-Shamir-Adleman Signature

    Diffie-Hellman group: #1 (768 bit)

    lifetime: 86400 seconds, no volume limit

    R2#
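As an added example, not part of the lab handout: a small Python audit that parses the show crypto isakmp policy output above and flags the settings in each protection suite that a defender would treat as weak by current standards (MD5, DES/3DES, and DH groups 1 and 2). The sample output is constructed from the listing above and embedded inline so the script runs offline.

```python
import re

# Constructed sample: the `show crypto isakmp policy` listing from the lab,
# embedded inline so the audit can run without a router.
SAMPLE_OUTPUT = """Global IKE policy
Protection suite of priority 3
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# Substrings of IOS attribute values that indicate a weak setting, with the
# label to report. "#1 " / "#2 " include the trailing space so that e.g. "#14"
# (2048 bit) is not mistaken for group 1.
WEAK_PATTERNS = {
    "hash algorithm": [("Message Digest 5", "MD5 hash")],
    "encryption algorithm": [("DES - Data", "single DES cipher"),
                             ("triple DES", "3DES cipher")],
    "Diffie-Hellman group": [("#1 ", "DH group 1 (768 bit)"),
                             ("#2 ", "DH group 2 (1024 bit)")],
}

def parse_isakmp_policies(text):
    """Return {suite_name: {attribute: value}} parsed from the show output."""
    suites, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"Protection suite of priority \d+$", line) or line == "Default protection suite":
            current = line            # start of a new protection suite
            suites[current] = {}
        elif current and ":" in line:
            key, _, value = line.partition(":")
            suites[current][key.strip()] = value.strip()
    return suites

def weak_settings(suites):
    """Return {suite_name: [finding, ...]} for every suite using a weak setting."""
    findings = {}
    for name, attrs in suites.items():
        hits = [label for attr, patterns in WEAK_PATTERNS.items()
                for needle, label in patterns if needle in attrs.get(attr, "")]
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    for suite, hits in weak_settings(parse_isakmp_policies(SAMPLE_OUTPUT)).items():
        print(f"{suite}: {', '.join(hits)}")
```

Paste the output of show crypto isakmp policy from your own router into SAMPLE_OUTPUT to audit its configured suites the same way.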

    Remote User Group Policy Definition

A group of users can be defined, along with a VPN policy which is compatible with the client. The VPN policy defines the VPN attributes pushed out to the VPN client(s).

Configure a local pool of IP Addresses to be allocated to VPN clients. In this case we will give the VPN clients addresses on the same inside network subnet (this is not always the case).

    R2(config)# ip local pool IPPOOL 192.168.X.20 192.168.X.30

    Configure a User Group Policy for Remote User VPN clients called REMOTE.

    R2(config)# crypto isakmp client configuration group REMOTE

    R2(config-isakmp-group)#

Now we are in ISAKMP group configuration command mode, shown by the change in prompt. Add a pre-shared key to the group policy, which will authenticate the VPN client application to the VPN server.

    R2(config-isakmp-group)# key vpn123

    Assign an IP Address pool, which the VPN clients will be assigned from.

    R2(config-isakmp-group)# pool IPPOOL

    Define a domain name, and exit ISAKMP group configuration mode.

    R2(config-isakmp-group)# domain HQ.com

    R2(config-isakmp-group)# exit

View the running configuration to check the Remote User Group Policy has been created successfully (check for typos).