Page 1: Lab 9: VPNs – IPSec Remote Access VPN - Napier40001507/CSN11111/Lab9.pdf · Lab 9: VPNs – IPSec Remote Access VPN ... To test connectivity from the Remote User to the companys

Network Security VPNs: IPSec Remote Access VPN – Rich Macfarlane 1

Lab 9: VPNs – IPSec Remote Access VPN Rich Macfarlane 2015

Details

Aim: The aim of this lab is to introduce Virtual Private Network (VPN) concepts, using an IPSec remote access VPN between a remote user's system and a perimeter router. This will allow a remote user to access the trusted organisational network securely, over an untrusted network such as the Internet, and allow us to analyse the setup and some of the tunnelled traffic.

Activities

10.2.1 Create Virtual Topology

Connect to our vSphere virtual environment at vc2003.napier.ac.uk using a vSphere Client. Navigate to the Module folder, such as VMs & Templates>Production>CSN11111/8. You will be assigned a group folder to work with which contains the VMs needed for the lab (check Moodle for the Groups and IP Addressing for each Group). Lab VMs: a Windows 7 VM running GNS3, and a Windows 2003 VM running the VPN Client application.

You can create a new project for the Lab, or use the preconfigured starting project in the Projects folder. If you wish to start with that, click the Recent Projects button and select lab9_start, then save it as a project called lab9 or suchlike (save as, before you power on devices).

The topology, shown below, mimics an organisation and a remote User, with the 10.1.Z.0 network being the untrusted Internet. The R2 Router will be configured to provide VPN termination for remote users.

Starting Topology

You will be assigned networks to address the host and router interfaces – see Moodle for: 192.168.X.0/24, 192.168.Y.0/24 and 10.1.Z.0/24

Additionally, configure the MAC Address on the R1 Router f0/1 interface with the following commands, using the format ca0 + module code + group number + 01, such as the following for csn11118 group 99:

R1(config)# int fa0/1

R1(config-if)# mac-address ca01.1118.9901


THE CORRECT ADDRESSING MUST BE USED BY EACH STUDENT AS WE ARE SHARING VIRTUAL NETWORKS. ANNOTATE YOUR DIAGRAM/TAKE NOTE OF THE ADDRESS RANGES FOR YOUR GRP.

PLEASE ONLY USE GROUP VMs AND NETWORK IP ADDRESSES ASSIGNED TO YOUR GROUP.

PLEASE DO NOT USE YOUR OWN ADDRESSES OR THE LAB DEMO ADDRESSES IN THIS DOCUMENT!

10.2.2 Test Connectivity

Test connectivity, from each router, to each local router interface, to each of the other routers' interfaces, and then to the Remote User Windows VM, as shown below.

For example, from R2:

To test connectivity from the 192.168.X.0 network, again an extended ping can be used. For

example, from the R2 router:

R2# ping

Protocol [ip]:

Target IP address: 192.168.Y.10

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.X.254

Type of service [0]:

Sending 5, 100-byte ICMP Echos to 192.168.Y.10, timeout is 2 seconds:

Packet sent with a source address of 192.168.X.254

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/34/72 ms

R2#


Q. Were the pings successful?

YES/NO

If not, troubleshoot the configuration, until connectivity is achieved.

Remember to save the R1 and R2 running configurations to the routers' NVRAM, and then save the GNS3 project if you want to use it later or back it up.

To test connectivity from the Remote User to the company's HQ network, ping and traceroute can be used:

Q. Was the connectivity testing successful?

If not, troubleshoot the configuration, until connectivity is achieved.

10.2.3 Configure IPSec Remote Access VPN Server on R2

IPSec provides strong VPN security, using a suite of cryptographic security standards. It provides

Authentication and Encryption to the IP layer, as well as transparently to the layers above. Routers,

Firewalls and hosts can be configured as IPSec VPN endpoints (sometimes called VPN Terminators).

A Cisco VPN Server will be configured on the R2 Perimeter Router. It can manage IPSec VPN policies,

and push them out to VPN Clients on demand. This type of Cisco VPN Server could be configured on

Routers, ASA security devices, or Cisco VPN concentrator devices.

Authentication/Access Control for Client VPN Policy Lookup using Local AAA

AAA is used to authenticate a remote user, before a VPN policy is pushed to their VPN endpoint (The

remote user Windows VM in this case), and for authorisation for network access.

Use the following commands in Privileged command mode, to set up VPN policy lookup.

Start the AAA services on the router:

R2# config t

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)# aaa new-model

Configure an authentication list VPNAUTHEN for the VPN connection login, which uses the local AAA user accounts:

R2(config)# aaa authentication login VPNAUTHEN local


Configure an authorisation list VPNAUTHOR for network access over the VPN connection, which also uses the local AAA user accounts:

R2(config)# aaa authorization network VPNAUTHOR local

Define User Accounts in the local user account database:

R2(config)# username rich secret richpass

R2(config)# username bob secret bobpass

Check the configuration of AAA is correct, by viewing the router configuration.

Q. Where will the router look for user names and passwords to authenticate remote VPN clients?

Q. How have the user passwords been protected?

10.2.4 Configure Internet Key Exchange (IKE) Phase I Parameters – TUNNEL SETUP CONFIG

IKE facilitates the IPSec connections via Security Associations (SA). It manages and exchanges keys,

the hash algorithms, and the IPSec SA.

To configure IKE on Cisco devices, the crypto isakmp command is used to create an IKE policy

with a priority of 3 (1 is the highest). Each IKE policy is used to create a different VPN tunnel, as the

router may be the end point for several different VPNs.

R2(config)# crypto isakmp policy 3

Now we are in ISAKMP policy configuration command mode, shown by the change in prompt. Next,

we define that Pre-shared keys will be used to authenticate the peers at the end points of the VPN

tunnel. The pre-shared keys are used along with a hash algorithm for HMAC authentication of the

sender in IKE phase I.

R2(config-isakmp)# authentication pre-share

Define the hash algorithm which will be used in the authentication process.

R2(config-isakmp)# hash md5

Define the key exchange mechanism to be used; the Diffie-Hellman group. The groups represent the

length of keys generated: 768 bit Diffie-Hellman is Group 1, 1024 bit is group 2, and 1582 bit is group

3. Diffie-Hellman is used in phase I to exchange secret keys to be used for data encryption.

R2(config-isakmp)# group 2

Define the encryption algorithm which will be used for data encryption (other options are des, aes-256, etc.).

R2(config-isakmp)# encryption 3des

R2(config-isakmp)# exit

R2(config)#


Check the crypto policy has been created successfully (check for typos).

R2# show crypto isakmp policy

Global IKE policy

Protection suite of priority 3

encryption algorithm: Three key triple DES

hash algorithm: Message Digest 5

authentication method: Pre-Shared Key

Diffie-Hellman group: #2 (1024 bit)

lifetime: 86400 seconds, no volume limit

Default protection suite

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

R2#

Remote User Group – Policy Definition

A group of users can be defined, along with a VPN policy which is compatible with the client. The

VPN policy defines the VPN attributes pushed out to the VPN client(s).

Configure a local pool of IP Addresses to be allocated to VPN clients. In this case we will give the VPN

clients addresses on the same inside network subnet (this is not always the case).

R2(config)# ip local pool IPPOOL 192.168.X.20 192.168.X.30

Configure a User Group Policy for Remote User VPN clients called REMOTE.

R2(config)# crypto isakmp client configuration group REMOTE

R2(config-isakmp-group)#

Now we are in ISAKMP group configuration command mode, shown by the change in prompt. Add a

pre-shared key to the group policy, which will authenticate the VPN client application to the VPN

server.

R2(config-isakmp-group)# key vpn123

Assign an IP Address pool, which the VPN clients will be assigned from.

R2(config-isakmp-group)# pool IPPOOL

Define a domain name, and exit ISAKMP group configuration mode.

R2(config-isakmp-group)# domain HQ.com

R2(config-isakmp-group)# exit

View the running configuration to check the Remote User Group Policy has been created successfully (check for typos).


10.2.5 Configure IKE Phase II Parameters – DATA ENCRYPTION CONFIG

An IPSec Transform Set must now be configured. A transform set specifies the encryption and

authentication algorithms used to protect the data within the IPSec VPN tunnel. IKE Phase I is the

control of the tunnel, Phase II is the transformation of the data being protected.

Create a new transform set REMOTE_USER_SET, which will use the Encapsulating Security Payload

(ESP) protocol, with AES for data encryption and SHA1 HMAC for data integrity.

R2(config)# crypto ipsec transform-set REMOTE_USER_SET esp-aes esp-sha-hmac

Set IPSec to use Tunnel mode, which means the entire IP Packet will be protected.

R2(cfg-crypto-trans)# mode tunnel

R2(cfg-crypto-trans)# exit

Q. What is the alternative to the ESP protocol?

Q. What does the Authentication Header (AH) protocol not provide which ESP does?

A Crypto map represents the IPSec configuration for a VPN, and must be created to allow the setup

of IKE Phase II Security Associations (SA) for traffic to be protected (1 SA in each direction).

Create a crypto map template, using the transform set REMOTE_USER_SET.

R2(config)# crypto dynamic-map DYN_MAP 10

R2(config-crypto-map)# set transform-set REMOTE_USER_SET

R2(config-crypto-map)# reverse-route

R2(config-crypto-map)# exit

R2(config)#

Create the crypto map REMOTE_USER_MAP, and specify client configuration settings. In this case

the router is set to respond to VPN Client requests.

R2(config)# crypto map REMOTE_USER_MAP client configuration address respond

For the REMOTE_USER_MAP crypto map, specify VPN clients User Authentication. Set the

authentication list to VPNAUTHEN we created earlier, to specify that user accounts are stored locally

on the router.

R2(config)# crypto map REMOTE_USER_MAP client authentication list VPNAUTHEN

For the REMOTE_USER_MAP crypto map, allow IKE group policy querying by VPN clients. Set the

authorisation list to VPNAUTHOR we created earlier, to specify the policy is stored locally.

R2(config)# crypto map REMOTE_USER_MAP isakmp authorization list VPNAUTHOR

For the REMOTE_USER_MAP crypto map, set the ipsec-isakmp parameter to specify IKE will be used

to establish security associations, and assign the dynamic crypto map template. The number 10 is

the sequence number; lower numbered maps are used before higher numbered.

R2(config)# crypto map REMOTE_USER_MAP 10 ipsec-isakmp dynamic DYN_MAP


Assign the IPSEC VPN crypto map to the outside network interface, which our clients will connect to:

R2(config)# int s1/0

R2(config-if)# crypto map REMOTE_USER_MAP

R2(config-if)# exit

*Mar 1 03:50:30.447: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Check the IPSec VPN Server configuration, and the interface it’s applied on, using the following.

R2# show crypto map

Crypto Map "REMOTE_USER_MAP" 10 ipsec-isakmp

Dynamic map template tag: DYN_MAP

Interfaces using crypto map REMOTE_USER_MAP:

Serial1/0

Check the IPSec ESP configuration, using the following.

R2# show crypto ipsec transform-set

Transform set REMOTE_USER_SET: { esp-aes esp-sha-hmac }

will negotiate = { Tunnel, }

10.2.6 Configure VPN Client on the Remote User System

The VPN Client should be installed on the Windows VM.

Create a new VPN Connection Entry

On the Windows VM, start the VPN Client software, with Start>Programs>Cisco Systems VPN Client>VPN Client, as shown below.


Select Connection Entries>New, or click the New icon, as shown below.

Enter the IP Address of the outside interface of the VPN Server device - 10.1.Z.2

Click on the Authentication tab, and click the Group Authentication radio button. Enter the VPN User

Group Name we configured earlier, and the Shared-Key defined for the group.

Q. What is the name of the VPN Remote User Group?

Q. What is the shared-key used to authenticate?

Q. Which IKE Phase is this used in?

Q. Which technique is used for authentication?

Save the VPN Connection Entry, and the VPN Client application should look like the below – note the

window title.


10.2.7 Test the Remote Access VPN

On the Remote User Windows VM, open a command window, and use the ipconfig command to

check the network interface configuration, as shown below.

From the Remote User Windows VM connect to the HQ network, using a VPN tunnel. From the VPN

Client window, Double click the HQ Connection. The following dialog box should be shown. Enter the

user and password of a user account.

Q. Was the authentication successful?

YES/NO

Q. Which user was successfully authenticated?

Q. Where are these user accounts defined?

Once connected, the VPN Client application window should look like the following – note the

window title.


The VPN client lock icon should be shown in the Windows system tray, as shown below.

Q. Hover the mouse over the lock icon. What is displayed?

On the R2 router, something similar to the following should be shown.

R2(config)#

04:50:35.370: %CRYPTO-4-SESSION_STATUS: Crypto tunnel is UP . Peer 192.168.Y.10:500 Id: REMOTE

On the Remote User Windows VM, open a command window, and use the ipconfig command to

check the interfaces and IP Addresses now.

Q. What has changed?

Q. What is the IP Address?

Q. Where is this from?

A second virtual interface should have been created by the VPN Client, as shown below.

Disconnect from the VPN using the Disconnect button on the VPN client, and then reconnect, and

log in again. On the Windows VM, use the ipconfig command again.

Q. What is the IP Address of the virtual interface?

Q. Where is this created from, and how many are left?


Right click the lock icon in the system tray and select Notifications, as shown below. This shows the connection history.

Right click the lock icon in the system tray and select Statistics, and select the Tunnel Details tab, as

shown below. The Tunnel Details tab shows

Q. What is the IP Address of the IPSec VPN server?

Q. What is the Client IP Address of the current IPSec VPN Tunnel?

Q. Which encryption algorithm is being used?

Q. Which algorithm is being used for authentication?

Q. Which type of algorithm is this?


Click the Reset button, and Leave the Statistics window open. From a command window ping the

192.168.X.254 interface with 3 packets.

Q. How many packets have been encrypted and sent through the VPN tunnel?

Q. How many packets have been received through the VPN tunnel, and decrypted?

The window should look similar to the below.

Start Wireshark on the Remote User Windows VM. Select the Capture>Interfaces menu item. From

a command window ping the inside network, at 192.168.X.254.

Q. Which interface does Wireshark report packets passing through?

You should see packets being sent through the VPN tunnel interface:

Click Start on the VPN interface. Ping again if packets are not displayed. Click on a packet and click

on ICMP protocol, in the protocols pane.

Q. Which protocol do the packets contain?

Q. What is the source IP Address of the packets?

Q. What is the destination IP Address of the packets?


Q. What are the contents of the packets?

Q. Are the packet contents encrypted?

The Wireshark window, packets pane, should look something like the following.

The Wireshark window, packet detail, and packet contents panes, should look something like the

following. Note: the ICMP payload.

Start Wireshark on the R1 Fa0/1 interface:

From the Windows remote VM, from a command window again ping the inside network, at

192.168.X.254.

Ping again if packets are not displayed. Click on a packet and click on ICMP protocol, in the protocols

pane.


Q. Which protocol do the packets contain?

Q. What is the port number used by the protocol?

Q. What is the source IP Address of the packets?

Q. What is the destination IP Address of the packets?

Q. What are the contents of the packets?

Q. What has happened to the ICMP packets?

These are the same ping packets, but have been encrypted and encapsulated with an ESP header, at

each end of the IPSec VPN tunnel. The Wireshark window should look something like the following.

In the Packet detail (protocols) pane, expand out on the IP header.

Q. Is this the original ICMP packet IP header?

Q. What are the 3 parts of the ESP header structure?

Q. What does ESP header part 3 contain?


The structure of the ESP packet is shown below. The ICMP packets have been encrypted along with the original IP header (to the inside network), and they are decrypted and routed on by the VPN server on Router 2.

[Figure: ESP packet structure, tunnel mode]

New IP header | ESP Header (Security Parameters Index, Sequence Number) | Payload Data (IP header, DATA)

Encrypted: Payload Data (the original IP header and DATA)

Authenticated: ESP Header and Payload Data
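To make the ESP structure above concrete, here is an added Python example, not part of the lab, that builds and dissects constructed ESP-in-IPv4 packets between the lab's demo addresses 192.168.199.10 (remote user) and 10.1.99.2 (R2 outside interface), both as raw ESP (IP protocol 50) and UDP-encapsulated on port 4500, which is what appears instead when a NAT device sits between the peers. The stand-in authentication key and the byte string used in place of the AES ciphertext are constructed, so no real encryption takes place. The dissector recovers only what Wireshark can recover (outer addresses, protocol, SPI, sequence number, payload length), verifies the esp-sha-hmac ICV over SPI + sequence number + payload exactly as the "Authenticated" span in the figure indicates, and shows that flipping one ciphertext byte fails the check while the outer IP header stays outside the authenticated span.

```python
"""Dissect ESP packets as seen on the untrusted network and verify the esp-sha-hmac ICV."""
import hashlib
import hmac
import struct

ESP_PROTO, UDP_PROTO, NATT_PORT = 50, 17, 4500
ICV_LEN = 12   # esp-sha-hmac: HMAC-SHA1 truncated to 96 bits (RFC 2404)

# Constructed values, not from the lab: a stand-in ESP authentication key, and a fixed
# byte string standing in for the AES-CBC ciphertext of the inner IP header + ICMP echo.
AUTH_KEY = b"constructed-esp-auth-key"
CIPHERTEXT = hashlib.sha256(b"stand-in ciphertext").digest() * 3   # 96 bytes


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_esp(spi: int, seq: int, ciphertext: bytes, auth_key: bytes) -> bytes:
    """SPI | sequence number | encrypted payload | ICV, matching the ESP structure above.
    The ICV covers SPI + seq + payload; the outer IP header is not authenticated."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return header + ciphertext + icv


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal outer IPv4 header; checksum left zero (the dissector does not verify it)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ip_bytes(src), ip_bytes(dst))
    return header + payload


def build_natt(src: str, dst: str, esp: bytes) -> bytes:
    """ESP inside UDP/4500 (RFC 3948): the ESP header follows the UDP header directly."""
    udp = struct.pack("!HHHH", NATT_PORT, NATT_PORT, 8 + len(esp), 0)
    return build_ipv4(src, dst, UDP_PROTO, udp + esp)


def dissect(pkt: bytes, auth_key: bytes) -> dict:
    """Answer the Wireshark questions: outer addresses, protocol, SPI, seq and ICV validity.
    The inner ICMP packet is never exposed: everything between seq and the ICV is ciphertext."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20]))}
    body = pkt[ihl:]
    if pkt[9] == ESP_PROTO:
        info["transport"] = "ESP"
    elif (pkt[9] == UDP_PROTO and struct.unpack("!HH", body[:4])[1] == NATT_PORT
          and body[8:12] != b"\0\0\0\0"):   # four zero bytes would mark IKE on 4500, not ESP
        info["transport"] = "UDP-encapsulated ESP"
        body = body[8:]
    else:
        info["transport"] = "not ESP"
        return info
    spi, seq = struct.unpack("!II", body[:8])
    expected = hmac.new(auth_key, body[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
    info.update(spi=spi, seq=seq, payload_len=len(body) - 8 - ICV_LEN,
                icv_ok=hmac.compare_digest(expected, body[-ICV_LEN:]))
    return info


def sample_packets() -> dict:
    """Constructed traffic: the remote user (192.168.199.10) sending to R2's outside
    interface (10.1.99.2) as plain ESP, as NAT-T, and with one ciphertext byte flipped."""
    esp = build_esp(0x1234ABCD, 7, CIPHERTEXT, AUTH_KEY)
    plain = build_ipv4("192.168.199.10", "10.1.99.2", ESP_PROTO, esp)
    tampered = bytearray(plain)
    tampered[40] ^= 0x01          # byte 40 lies inside the encrypted payload
    return {"esp": plain, "natt": build_natt("192.168.199.10", "10.1.99.2", esp),
            "tampered": bytes(tampered)}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, dissect(pkt, AUTH_KEY))
```

Because the outer header is not covered by the ICV, a NAT device can rewrite it without breaking integrity; that is also why the sequence number and SPI, which are covered, are the fields to watch for replay and SA mismatches on the R2 side.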

On the R2 router use the following to display the current VPN tunnels.

R2# show crypto session

Q. How many Active Security Associations are there?

Q. Why?

On the R2 router the following can be used to display the current state of the IPSec Security

Associations. The following command shows initialised IPSec SAs.

R2# show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

10.1.99.2 192.168.199.10 QM_IDLE 1002 ACTIVE

IPv6 Crypto ISAKMP SA

The following can be used to display the IPSec SA encrypted traffic in detail.

R2# show crypto ipsec sa

The following shows part of the output.


Q. How many packets have been encrypted by the router?

Q. What are the end point IP Addresses of the encrypted VPN tunnel?

You can review the final VPN server configuration for Router R2 in Appendix B.

Explore Crypto Ciphers

Power on an Ubuntu VM, and we can explore some ciphers using the OpenSSL crypto library built into Linux.

Use the OpenSSL command line tool; first check the help:

openssl -h

Check the available encryption cipher and hash algorithm commands:

openssl list-cipher-commands

openssl list-message-digest-commands

Check the ciphers available for SSL/TLS use:

openssl ciphers

Try encrypting with the 3DES cipher similar to the ISAKMP tunnel setup encryption.

First create a file payload.txt and add some chars to it such as ‘abcdefg… etc’. cat the file to check

the contents.

Then use the openssl enc command to check the encryption algorithms available:

openssl enc -h

Then use the openssl enc command to encrypt:

sudo openssl enc -des3 -in payload.txt -out enc_payload.bin

(use vpn123 as passwd)


cat the file to check the contents.

Use the -base64 flag to encrypt and output a txt file:

sudo openssl enc -des3 -in payload.txt -out enc_payload.txt -base64

(use vpn123 as passwd)

cat the file to check the contents.

Then use the openssl enc command to decrypt:

sudo openssl enc -d -des3 -in enc_payload.txt -pass pass:vpn123 -base64

Try encrypting files with other ciphers, such as the AES cipher used in the VPN tunnel itself.
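What the "use vpn123 as passwd" step hides is how openssl enc turns that password into the 24-byte 3DES key and 8-byte IV, and what enc_payload.bin actually contains. The following Python is an added example, not from the lab or from OpenSSL's own code: it implements the legacy EVP_BytesToKey derivation that openssl enc uses without -pbkdf2 (one hash per block; MD5 in OpenSSL 1.0.x and SHA-256 from 1.1.0, so the digest is a parameter), the PBKDF2-HMAC-SHA256 derivation selected by -pbkdf2 in OpenSSL 1.1.1 and later, and a parser for the "Salted__" header that precedes the ciphertext. The sample file is constructed with placeholder ciphertext bytes, not real 3DES output.

```python
"""How 'openssl enc -des3' turns a password into the 3DES key and IV, and what the output holds."""
import hashlib

DES3_KEY_LEN, DES3_IV_LEN = 24, 8     # three-key triple DES, 64-bit block
SALT_MAGIC = b"Salted__"


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int, md=hashlib.md5):
    """OpenSSL's legacy EVP_BytesToKey with count=1, used by 'openssl enc' without -pbkdf2:
    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt), concatenated until
    key_len + iv_len bytes are available. One hash per block is why it is cheap to brute force."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = md(block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def pbkdf2_key(password: bytes, salt: bytes, key_len: int, iv_len: int, iterations: int = 10000):
    """'openssl enc -pbkdf2' (OpenSSL 1.1.1+): PBKDF2-HMAC-SHA256, 10000 iterations by default,
    with key and IV both taken from the one derived block."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return material[:key_len], material[key_len:key_len + iv_len]


def split_salted(blob: bytes):
    """A file written by 'openssl enc' starts with 'Salted__' and 8 random salt bytes;
    everything from byte 16 on is ciphertext. Returns (salt, ciphertext)."""
    if blob[:8] != SALT_MAGIC or len(blob) < 16:
        raise ValueError("not an OpenSSL salted enc file")
    return blob[8:16], blob[16:]


def describe_enc_file(blob: bytes, password: bytes, md=hashlib.md5) -> dict:
    """Recover the salt from the file header and re-derive the key/IV the cipher was run with."""
    salt, ciphertext = split_salted(blob)
    key, iv = evp_bytes_to_key(password, salt, DES3_KEY_LEN, DES3_IV_LEN, md)
    return {"salt": salt.hex(), "ciphertext_len": len(ciphertext), "key": key.hex(), "iv": iv.hex()}


def constructed_enc_file(salt: bytes = bytes(range(8)), blocks: int = 2) -> bytes:
    """Constructed stand-in for enc_payload.bin: the real header layout with placeholder
    ciphertext (not real 3DES output), sized to whole 8-byte blocks as CBC output would be."""
    return SALT_MAGIC + salt + b"\x00" * (8 * blocks)


if __name__ == "__main__":
    print(describe_enc_file(constructed_enc_file(), b"vpn123"))
```

The salt is stored in clear in the file and only stops precomputed tables; the legacy derivation still costs one hash per 16-byte block, so a short password like vpn123 gives little protection against guessing, which is why -pbkdf2 (or an explicit -iter count) is the setting to use with openssl enc.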

Appendix A – Starting router configurations

R1

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

ip cef

!

no ip domain lookup

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

interface FastEthernet0/0

description int to the 192.168.5.0/24 network

ip address 192.168.Y.254 255.255.255.0

duplex auto

speed auto

no shutdown

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto


!

interface Serial1/0

description int to the Internet

ip address 10.1.Z.1 255.255.255.252

duplex auto

speed auto

no shutdown

!

router rip

network 0.0.0.0

!

ip forward-protocol nd

!

!

ip http server

no ip http secure-server

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

R2

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

ip cef

!

no ip domain lookup

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

interface FastEthernet0/0

ip address 192.168.X.254 255.255.255.0

duplex auto

speed auto

no shutdown

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

!

interface FastEthernet1/0

ip address 10.1.Z.2 255.255.255.252

duplex auto

speed auto

no shutdown

!

router rip

network 0.0.0.0


!

ip forward-protocol nd

!

ip http server

no ip http secure-server

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

!

!

end

Appendix B – Remote Access IPSec VPN router configurations

R1

!

Same as previous config

!

R2

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

!

! AAA for user authentication and authorisation

aaa new-model

!

aaa authentication login VPNAUTHEN local

aaa authorization network VPNAUTHOR local

!

aaa session-id common

memory-size iomem 5

ip cef

!

!

ip auth-proxy max-nodata-conns 3


ip admission max-nodata-conns 3

!

!

! Local user accounts

username rich password 0 richpass

username bob password 0 bobpass

!

!

! IPSec Phase 1 SA parameters - IKE

crypto isakmp policy 3

hash md5

authentication pre-share

group 2

!

! Remote VPN User Group parameters

crypto isakmp client configuration group REMOTE

key vpn123

domain HQ.com

pool IPPOOL

!

!

! IPSec encryption and authentication algorithms

crypto ipsec transform-set REMOTE_USER_SET esp-aes esp-sha-hmac

!

! IPsec Phase 2 SA parameters

crypto dynamic-map DYN_MAP 10

set transform-set REMOTE_USER_SET

reverse-route

!

!

crypto map REMOTE_USER_MAP client authentication list VPNAUTHEN

crypto map REMOTE_USER_MAP isakmp authorization list VPNAUTHOR

crypto map REMOTE_USER_MAP client configuration address respond

crypto map REMOTE_USER_MAP 10 ipsec-isakmp dynamic DYN_MAP

!

!

interface FastEthernet0/0

duplex auto

speed auto

!

! Inside network

interface FastEthernet0/1

ip address 192.168.X.254 255.255.255.0

shutdown

duplex auto

speed auto

!

! IPSec crypto map on outside interface

interface Serial1/0

ip address 10.1.Z.2 255.255.255.252

crypto map REMOTE_USER_MAP

!

!

! Advertise all connected routes

router rip

network 0.0.0.0

!

!

! IP Address pool for VPN remote users

ip local pool IPPOOL 192.168.X.20 192.168.X.30

ip forward-protocol nd

!

!

ip http server

no ip http secure-server

