Mukesh Chanderia

ASA VPN

Updated: Nov 10, 2022

VPN means Virtual Private Network


Virtual Network here means a network created through the tunnel.


Private means it's confidential i.e. shared between two parties.


Authentication: connecting to the correct server, not some bogus one.

Confidentiality: Data encryption

Integrity: Data has not been changed.



Types of VPN


IPsec Site-to-Site VPNs:


The tunnel is created between the head office and a field office, or between two field offices.

The tunnel is created between the head office or a field office and a business partner's network.



Remote Access VPNs (RA)

a) SSL No Client S/W (Clientless SSL VPN)

It's used for computers not managed by the company and also for the case when users don't have admin rights and require only limited access.


Example: a bank web portal.


b) SSL Full Tunnel with AnyConnect client S/W


The AnyConnect client is a full-tunnel solution that supports both SSL and IPsec.


In this VPN we give the Internet user an IP address from a pool on the internal subnet (10.0.0.51-10.0.0.100).


Now the user's system is virtually placed on the LAN. The AnyConnect VPN client must be installed on the system, which needs admin rights, but running it doesn't require admin rights.



c) IPsec RA full tunnel VPN client.

IPsec VPN is a full-tunnel solution like the AnyConnect client. It also gets an IP address from the internal pool.


Note: Both the IPsec client & the AnyConnect client can talk to each other.


Different users can have different policies configured: for some users authentication is by credentials, for others it's by certificate, and some other groups use both credentials and certificates.


The connection profile is the tunnel group, which the user has to choose in order to connect to their group and receive its access policies.


Connection Profile for Webtype ACL (For clientless SSL VPN)


User Mukesh, when connected over SSL, can access only server A (1.1.1.10/24) & server B (1.1.1.11/24) but not the rest of the servers.


Let's say another requirement is to limit simultaneous connection or to set maximum connection time.


Once the user is authenticated, policies are applied in the following priority sequence.


Dynamic Access Policy: say, if the system isn't running the latest antivirus version or AnyConnect client, then do not let the system in.


User Profile: Let's say the maximum number of simultaneous connections is two & group policy 3 is to be used.


Group Policy in the user profile: group policy 3 specifies the WebType ACL.


Group Policy in connection profile: Let's say Group Policy 2 is configured which has a setting to not allow HTTP traffic.


Default Group Policy: For all remaining parameters this policy will apply.


Normally Group Policy in the user profile & in the Connection Profile is kept the same to avoid complexity.
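As an added example (not part of the original post), the resolution order above expressed as code: each attribute is decided by the highest-precedence level that sets it, and a level that leaves an attribute unset inherits it from the next level down. Policy names, attribute keys and values are constructed to mirror the scenario in the text (maximum two simultaneous logins from the user profile, a WebType ACL for servers A and B from group policy 3, HTTP denied by group policy 2, everything else from the default group policy); they are not ASA CLI syntax.

```python
# Added example: how a remote-access session's effective attributes fall out of
# the five policy levels, highest precedence first. Policy names, attribute
# keys and values are constructed for this post; they are not ASA CLI syntax.

LEVEL_ORDER = (
    "dynamic-access-policy",
    "user-profile",
    "group-policy-in-user-profile",
    "group-policy-in-connection-profile",
    "default-group-policy",
)


def resolve_attributes(levels: dict) -> dict:
    """For every attribute, the highest-precedence level that sets it wins.
    A level that omits an attribute inherits it from the next level down.
    Returns {attribute: (value, level_that_decided_it)}."""
    effective = {}
    for level_name in LEVEL_ORDER:
        for key, value in levels.get(level_name, {}).items():
            effective.setdefault(key, (value, level_name))  # first hit = highest level
    return effective


# Constructed policies mirroring the post's scenario.
DEFAULT_GROUP_POLICY = {
    "vpn-simultaneous-logins": 3,
    "vpn-idle-timeout-minutes": 30,
    "webtype-acl": None,          # no WebType ACL unless a higher level sets one
    "http-allowed": True,
}
GROUP_POLICY_2 = {"http-allowed": False}                # referenced by the connection profile
GROUP_POLICY_3 = {"webtype-acl": "WEBACL_SERVERS_A_B"}  # referenced by the user profile
USER_MUKESH = {"vpn-simultaneous-logins": 2}

# WebType ACL: ordered entries, implicit deny at the end (constructed).
WEBTYPE_ACLS = {
    "WEBACL_SERVERS_A_B": [("permit", "1.1.1.10"), ("permit", "1.1.1.11")],
}


def dynamic_access_policy(antivirus_current: bool, anyconnect_current: bool) -> dict:
    """Posture check: a failed check sets a terminate action that no lower level can undo."""
    if antivirus_current and anyconnect_current:
        return {}                      # DAP sets nothing; everything falls through
    return {"session-action": "terminate"}


def session_policy(antivirus_current: bool = True, anyconnect_current: bool = True) -> dict:
    """Resolve the attributes for user Mukesh's session under the constructed policies."""
    levels = {
        "dynamic-access-policy": dynamic_access_policy(antivirus_current, anyconnect_current),
        "user-profile": USER_MUKESH,
        "group-policy-in-user-profile": GROUP_POLICY_3,
        "group-policy-in-connection-profile": GROUP_POLICY_2,
        "default-group-policy": DEFAULT_GROUP_POLICY,
    }
    return resolve_attributes(levels)


def webtype_acl_permits(acl_name, host: str) -> bool:
    """Evaluate the ACL a session ended up with; no ACL means no restriction."""
    if acl_name is None:
        return True
    for action, entry_host in WEBTYPE_ACLS.get(acl_name, []):
        if entry_host == host:
            return action == "permit"
    return False                       # implicit deny


def clientless_request_allowed(host: str, policy: dict) -> bool:
    """A clientless SSL request succeeds only if the DAP let the session in
    and the effective WebType ACL permits the target host."""
    if policy.get("session-action", (None, None))[0] == "terminate":
        return False
    return webtype_acl_permits(policy["webtype-acl"][0], host)


if __name__ == "__main__":
    for key, (value, decided_by) in sorted(session_policy().items()):
        print(f"{key:28} = {value!s:20} (from {decided_by})")
```

Running it with both posture checks passing shows HTTP denied by the connection profile's group policy even though the user's own group policy says nothing about HTTP; that cross-policy interaction is exactly what keeping both group policies identical avoids.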


In the connection profile, there is an option to let VPN users bypass the interface access list, since a WebType ACL or group policy is already applied to restrict their access.


"Enable inbound VPN sessions to bypass interface access lists. Group policy and per-user authorization access list still apply to the traffic".



Network Address Translation-Traversal (NAT-T)


The protocol carrying the encrypted data is IPsec ESP, whose IP protocol number is 50; it is neither TCP nor UDP, so it has no ports for a PAT device to translate.


NAT Traversal is a UDP encapsulation that allows the traffic to reach its destination when a device behind NAT does not have a public address.


NAT-T encapsulates ESP packets inside UDP and assigns both the Source and Destination ports as 4500.


Now ESP packets can be translated through a PAT device.


What is the difference between NAT-T and IPSec-over-UDP?


When NAT-T is enabled, it encapsulates the ESP packet with UDP only when it encounters a NAT device. Otherwise, no UDP encapsulation is done.

IPsec over UDP, by contrast, always encapsulates the packet in UDP.


NAT-T always uses the standard port, UDP 4500; it is not configurable. IPsec over UDP normally uses UDP 10000, but this can be any other port, depending on the configuration on the VPN server.


Three ports in particular must be open on the device that is performing NAT for the VPN to work correctly. These ports are UDP port 4500 (used for NAT traversal), UDP port 500 (used for IKE), and IP protocol 50 (ESP).
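The following added example (not from the original post) shows why the port-4500 convention works in practice: a decoder has to tell keepalives, IKE and UDP-encapsulated ESP apart on the same port, and RFC 3948 arranges that with a four-zero-byte Non-ESP marker in front of IKE messages, which is unambiguous because an ESP SPI is never zero on the wire. It also checks a NAT device's rule set against the three openings listed above. The sample packets are constructed; the exchange-type numbers come from the IKEv1 (RFC 2408) and IKEv2 (RFC 7296) header formats.

```python
# Added example: decode what a UDP/4500 datagram carries, the way a NAT-T-aware
# capture tool does, and check a NAT device's rule set for the three openings
# the post lists. Sample packets are constructed.
import struct

IKE_PORT = 500
NAT_T_PORT = 4500
ESP_PROTOCOL = 50
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefix that marks IKE on port 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte keepalive to hold the NAT mapping

# ISAKMP/IKE header byte 17 is the version (0x10 = IKEv1, 0x20 = IKEv2),
# byte 18 the exchange type.
IKEV1_EXCHANGES = {2: "identity protection (main mode)", 4: "aggressive mode",
                   5: "informational", 32: "quick mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def encapsulate_esp_in_udp(esp_packet: bytes) -> bytes:
    """NAT-T: put the ESP packet (SPI, sequence number, ciphertext...) behind a
    UDP header with source and destination port 4500. RFC 3948 says the UDP
    checksum SHOULD be sent as zero and receivers must not rely on it."""
    udp_header = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp_packet), 0)
    return udp_header + esp_packet


def describe_ike_header(ike_header: bytes) -> dict:
    """Pull the major version and exchange type out of the 28-byte IKE header."""
    if len(ike_header) < 28:
        return {"kind": "ike", "error": "truncated header"}
    major = ike_header[17] >> 4
    exchange = ike_header[18]
    names = IKEV1_EXCHANGES if major == 1 else IKEV2_EXCHANGES
    return {"kind": "ike", "version": major,
            "exchange": names.get(exchange, f"unknown({exchange})")}


def classify_udp4500_payload(payload: bytes) -> dict:
    """Three things share UDP/4500: keepalives, IKE (behind the Non-ESP marker)
    and UDP-encapsulated ESP. RFC 4303 forbids sending SPI 0 on the wire, so a
    payload starting with four zero bytes can only be IKE."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        return describe_ike_header(payload[4:])
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "malformed"}


# What the NAT device in the path must let through (the post's three openings).
REQUIRED_OPENINGS = {("udp", IKE_PORT), ("udp", NAT_T_PORT), ("ip-protocol", ESP_PROTOCOL)}


def missing_openings(allowed: set) -> set:
    """Return the openings a rule set still lacks; an empty set means the VPN can form."""
    return REQUIRED_OPENINGS - allowed


# Constructed samples.
SAMPLE_ESP = struct.pack("!II", 0x0A1B2C3D, 1) + b"\xde\xad\xbe\xef"   # SPI, seq, ciphertext
SAMPLE_IKE_SA_INIT = (NON_ESP_MARKER
                      + b"\x11" * 8 + b"\x00" * 8      # initiator SPI, responder SPI (zero in 1st msg)
                      + bytes([33, 0x20, 34, 0x08])    # next payload SA, IKEv2, IKE_SA_INIT, initiator
                      + struct.pack("!II", 0, 28))     # message id, total length

if __name__ == "__main__":
    for sample in (NAT_KEEPALIVE, SAMPLE_IKE_SA_INIT, encapsulate_esp_in_udp(SAMPLE_ESP)[8:]):
        print(classify_udp4500_payload(sample))
    print("missing on NAT device:", missing_openings({("udp", 500), ("udp", 4500)}))
```

On port 500 there is no marker: IKE starts directly with its header, because nothing else shares that port.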



ANYCONNECT SSL VPN CLIENT


Groups are just groups: they are present in and used by AnyConnect, IPsec, and clientless SSL VPN alike.


Pools configured for SSL VPNs can be used by IPsec VPN & AnyConnect.


If NAT is used for the internal network then a NAT exemption needs to be configured; otherwise, when an internal host replies to the VPN host, the reply crosses the firewall and its address is changed to the global address.


The pools can be assigned to the connection profile as well as to the group (shown here).


GROUP POLICY


Add internal group Policy --> address pool --> Create

From the advanced options, access for users with this pool can be restricted to VLANs if a sub-interface is configured.


The first option in the advanced configuration is Split Tunnel: the default is to tunnel everything; the alternatives are to tunnel only the network list below, or to tunnel everything except the list below.


Split Tunnel


Full tunneling means using your VPN for all your traffic, whereas split tunneling means sending part of your traffic through a VPN and part of it through the open network.


Full tunneling is more secure than split tunneling because it encrypts all your traffic.


CONNECTION PROFILE


It is better to use the same group policy that is already being used in the user profile.

That is best practice, to avoid confusion & complexity.


USER PROFILE


Here we define what level of access the user gets on the firewall itself:

full access, CLI access, or no access at all.


Also other parameters, like the number of simultaneous logins.


SMART TUNNEL


Adding plugins adds functionality to the VPN client. Let's say we configure a smart tunnel for Remote Desktop.


Then when the user starts the Remote Desktop application, it automatically creates a tunnel to the firewall and sends all of its traffic through the encrypted tunnel.


Smart tunnel is applied in the user profile.


REVERSE ROUTE INJECTION


Internal routers behind the firewall (gateway) know the local networks; if they also need to know about the remote networks reachable through the site-to-site VPN peers on the other side, use RRI (reverse route injection) and redistribute the resulting static route entries into the IGP routing protocol.


DMVPN and FlexVPN are both Cisco proprietary technologies.


Difference between IKEv1 & IKEv2


IKEv2 consumes less bandwidth compared to IKEv1.


IKEv1 generates:


main mode: 6 messages

aggressive mode: 3 messages


IKEv2 needs only 4 messages in total.


IKEv2 supports EAP authentication whereas IKEv1 does not support it.


IKEv2 has built-in NAT traversal, whereas in IKEv1 it is optional.


IKEv2 supports MOBIKE, i.e. IKEv2 can be used on mobile platforms, whereas IKEv1 doesn't.


IKEv2 supports asymmetric authentication, i.e. one side can use a pre-shared key while the other side uses a certificate, whereas IKEv1 authentication must be symmetric.


IKEv2 supports a separate pre-shared key for each peer, whereas for IKEv1 the pre-shared key must be the same on both peers.


IKEv2 is not backward compatible with IKEv1.


FlexVPN is Cisco's implementation of the IKEv2 standard.


Verification commands:

show crypto ikev2 sa

show crypto engine connections active



DIGITAL SIGNATURE


When a client opens a browser & tries to connect to a site over HTTPS, say https://mukeshchanderia.com, the server presents its certificate.


Server & Client


Server: This is my certificate.


Client: Why should I trust you? You may be a fake server.


Server: OK, if GoDaddy (CA) confirms that I am the correct server, then will you trust me?


Client: Yes, if GoDaddy (CA) tells me that you are the correct server, then I will trust you.


Server: OK, thanks, let me talk to GoDaddy (CA).



Server & GoDaddy (CA)


GoDaddy (CA): I checked all your records; you are IDBI.COM.


Server: Please issue me a certificate.


GoDaddy (CA): OK, give me your public key and organization details to create the certificate.


Server: Here is my public key and the required details.


GoDaddy (CA): Thank you... Let me create a certificate for you.


GoDaddy (CA): Here is your certificate.


Server: Thank you.


Server & Client


Server: This is my certificate issued by GoDaddy.


Client: Great. I trust GoDaddy, but how can I validate that this certificate is correct and has not been manipulated or modified?


Server & GoDaddy (CA)


Server: How can the client validate that the certificate issued by you is valid?


GoDaddy (CA): Let me attach a digital signature to the certificate.


Server: What does that mean?


GoDaddy (CA): I generate a hash of the certificate & encrypt it with my private key. The client has my public key, so it can generate its own hash, decrypt the hash value I attached, compare the two, and if they match it will trust this certificate.



Server & Client


Server: This is my certificate issued by GoDaddy, with its digital signature.


Client: Yes, I generated the hash and it matched the hash provided by GoDaddy. So now I can TRUST you.


Server: Thank you.


Client: Now I will trust the public key provided in your certificate.


Now the client has the public key of the server mukeshchanderia.com. Hence it can encrypt data with it and send it to the server.


Only the server can decrypt this data, as it is the only one who has the private key.


Note: Data encrypted with the public key can only be decrypted with the private key. So even if some hacker sees this data, he won't be able to decrypt it, as the private key isn't shared with anyone.


Basically, the client generates a session key, encrypts it with the public key & sends it to the server, which then uses that key to encrypt and decrypt data.


In reality the complete session key isn't generated by the client; it generates just a part of it and sends that to the server.

Now that the server and client both have part of the session key, they apply a certain algorithm (a Diffie-Hellman group) to generate the remaining key.
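Added example (not part of the original post): the flow of the dialogue above in code. The CA signs the certificate body by hashing it and transforming the hash with its private key; the client recomputes the hash, recovers the CA's hash with the CA public key, and trusts the server's public key only if both match and the name in the certificate is the site it wanted; then the two sides run Diffie-Hellman to reach one session key, covering the last two paragraphs as well. The RSA part is textbook RSA on two Mersenne primes with no padding, chosen so the example runs on the standard library alone; real CAs use PKCS#1 v1.5 or PSS from a vetted library. The Diffie-Hellman modulus is the 1024-bit MODP group from RFC 2409 (IKE group 2), used because it is the shortest standard group; it is considered too weak for new deployments. The CA and server names are placeholders taken from the dialogue.

```python
# Added example: certificate signing and verification, then a Diffie-Hellman
# session key, in toy form. Not from the original post; names are placeholders.
import hashlib
import secrets
from typing import Optional

# --- Textbook RSA for the CA's digital signature ---------------------------
# Mersenne primes keep the example self-contained. Unpadded "hash then pow" is
# shown only to make the steps visible; real CAs use PKCS#1 v1.5 or PSS.
E = 65537


def make_rsa_keypair(p: int, q: int, e: int = E):
    """Return ((n, e), (n, d)) for primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


CA_PUBLIC, CA_PRIVATE = make_rsa_keypair(2**521 - 1, 2**607 - 1)
SERVER_PUBLIC, SERVER_PRIVATE = make_rsa_keypair(2**127 - 1, 2**89 - 1)  # private key never leaves the server


def sha256_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, body: bytes) -> int:
    """CA: hash the certificate body and transform the hash with the private key."""
    n, d = private_key
    return pow(sha256_int(body), d, n)


def verify(public_key, body: bytes, signature: int) -> bool:
    """Client: recover the CA's hash with the public key and compare to its own hash."""
    n, e = public_key
    return pow(signature, e, n) == sha256_int(body)


def issue_certificate(subject: str, subject_public_key) -> dict:
    """CA: bind the subject name to its public key, then sign that binding."""
    n, e = subject_public_key
    body = f"subject={subject};rsa-n={n};rsa-e={e}".encode()
    return {"body": body, "signature": sign(CA_PRIVATE, body)}


def client_trusts(cert: dict, expected_subject: str, ca_public=CA_PUBLIC) -> bool:
    """Client: the signature must verify AND the name must be the site being visited."""
    if not verify(ca_public, cert["body"], cert["signature"]):
        return False
    fields = dict(f.split("=", 1) for f in cert["body"].decode().split(";"))
    return fields.get("subject") == expected_subject


# --- Diffie-Hellman, IKE group 2 (RFC 2409, 1024-bit MODP) ----------------
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
DH_G = 2


def dh_keypair():
    """Each side keeps `private` and sends only `public` across the network."""
    private = secrets.randbelow(DH_P - 2) + 1
    return private, pow(DH_G, private, DH_P)


def dh_session_key(my_private: int, peer_public: int) -> bytes:
    """Both sides reach the same value; an eavesdropper holding only the two
    public values cannot (discrete logarithm problem)."""
    shared = pow(peer_public, my_private, DH_P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def handshake(tampered_subject: Optional[str] = None) -> dict:
    """Whole flow: CA issues, client verifies, then both sides derive one key.
    If someone rewrites the subject after issuance, the hash no longer matches."""
    cert = issue_certificate("mukeshchanderia.com", SERVER_PUBLIC)
    if tampered_subject is not None:
        cert = {"body": cert["body"].replace(b"mukeshchanderia.com", tampered_subject.encode()),
                "signature": cert["signature"]}
    if not client_trusts(cert, "mukeshchanderia.com"):
        return {"trusted": False, "keys_match": None}
    client_priv, client_pub = dh_keypair()
    server_priv, server_pub = dh_keypair()
    return {"trusted": True,
            "keys_match": dh_session_key(client_priv, server_pub) == dh_session_key(server_priv, client_pub)}


if __name__ == "__main__":
    print("genuine certificate:", handshake())
    print("altered certificate:", handshake("bogus.example"))
```

The name check in client_trusts is the part the dialogue glosses over: a valid signature only proves the CA issued the certificate, so the client must also confirm it was issued for the site it is actually visiting.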






















