Cisco VPN Client to PIX with AES

Message Topic Search Topic Options Post Reply Create New Topic Printable Version

This was a great document I found.
Introduction¶
This guide provides information that can be used to configure a Cisco PIX/ASA device running firmware version 7.x to support IPsec VPN client connectivity. If you have a PIX device running firmware version 6.x, please consult the HowtoCiscoPix. The Shrew Soft VPN Client has been tested with Cisco products to ensure interoperability. 
Overview¶
The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the pull configuration method to acquire the following parameters automatically from the gateway. 

IP Address 
IP Netmask 
DNS Servers 
DNS Default Domain Suffix 
DNS Split Network Domain List 
WINS Servers 
PFS Group 
Remote Network Topology 
Login Banner 
Gateway Configuration¶
This example assumes you have knowledge of the Cisco ASA gateway command line configuration interface. For more information, please consult your Cisco product documentation. 
Interfaces¶
Two network interfaces are configured. The outside interface has a static public IP address of 1.1.1.20 which faces the internet. The inside interface has a static private IP address that faces the internal private network. The default gateway is configured as 1.1.1.3 via the outside interface. 
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.2.20 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.1.20 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!

Access List¶
An access lists must be configured to define the IPSec policies. This is expressed with the source matching the local private network(s) and the destination matching any as the VPN client address will be assigned by the gateway. 
object-group network group-inside-vpnclient
 description All inside accessible networks
 network-object 10.1.2.0 255.255.255.0

access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any

Address Pool¶
The IP address pool must be configured. Clients will be assigned private network addresses from a pool of 10.2.20.1-10.2.20.126. 
ip local pool ippool-vpnclient 10.2.20.1-10.2.20.126 mask 255.255.255.0

User Authentication¶
User authentication must be configured to support IKE extended authentication ( XAuth ). In this example, we use define user accounts locally on the ASA. It is possible to pass this authentication to a radius or an LDAP account server using the Cisco AAA authentication mechanism. For more information, please consult your cisco product documentation. 
aaa authentication ssh console LOCAL
username bill password XXX encrypted
username bob password XXX encrypted

IPsec Parameters¶
A transform set and dynamic IPsec crypto map must be configured to support client VPN connections. The dynamic crypto map is then assigned to a standard crypto map and bound to the outside ( public ) interface. 
crypto ipsec transform-set xform-3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside

ISAKMP Parameters¶
The ISAKMP protocol must be enabled on the outside ( public ) interface and an ISAKMP policy must be configured. NAT Traversal is also enabled to allow clients to communicate effectively when their peer address is being translated. The keep alive packet rate is set to 20 seconds. 
crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp nat-traversal 20
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

Group Policy¶
A group policy must be configured to provide the client with dynamic configuration information. 
group-policy group-policy-default internal
group-policy group-policy-default attributes
 banner value Welcome to the shrew.net ciscoasa
 wins-server value 10.1.2.100 10.1.2.1
 dns-server value 10.1.2.100 10.1.2.1
 vpn-tunnel-protocol IPSec
 password-storage disable
 re-xauth disable
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-vpnclient
 default-domain value shrew.net
 split-dns value shrew.net example.com

Tunnel Group¶
A tunnel group must be configured to define the VPN Client tunnel parameters. It is created using the type ipsec-ra for IPsec remote access. The client uses the tunnel group name as its FQDN identity value and the tunnel group pre-shared-key as its pre-shared key value. 
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
 address-pool ippool-vpnclient
 default-group-policy group-policy-default
tunnel-group vpnclient ipsec-attributes
 pre-shared-key mypresharedkey

Client Configuration¶
The client configuration in this example is straight forward. Open the Access Manager application and create a new site configuration. Configure the settings listed below in the following tabs. 
General Tab¶
The Remote Host section must be configured. The Host Name or IP Address is defined as 10.1.1.20 to match the ASA outside ( public ) interface address. The Auto Configuration mode should be set to ike config pull. 
Phase 1 Tab¶
The Proposal section must be configured. The Exchange Type is set to aggressive and the DH Exchange is set to group 2 to match the ASA ISAKMP policy definition. 
Authentication Tab¶
The client authentication settings must be configured. The Authentication Method is defined as Mutual PSK + XAuth. 
Local Identity Tab¶
The Local Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of "vpnclient" to match the ASA tunnel group name. 
Remote Identity Tab¶
The Remote Identity parameters are set to IP Address with the Use a discovered remote host address option checked to match the ASA ISAKMP identity parameter. 
Credentials Tab¶
The Credentials Pre Shared Key is defined as "mypresharedkey" to match the ASA tunnel group pre-shared-key. 
Known Issues¶
Cisco gateways support a proprietary form of hybrid authentication which does not conform to RFC draft standards. At this time the Shrew Soft VPN Client does not support this authentication mode. We hope to add support for this in the future. 
Resources¶

Example ASA configuration 
Example Client configuration 

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version
lodogg Members Profile Send Private Message Find Members Posts Visit Members Homepage Add to Buddy List Admin Group Joined: 25 January 2003 Online Status: Offline Posts: 1831	Quote Reply Topic: Cisco VPN Client to PIX with AES Posted: 12 January 2009 at 10:48pm
	This was a great document I found. Introduction¶ This guide provides information that can be used to configure a Cisco PIX/ASA device running firmware version 7.x to support IPsec VPN client connectivity. If you have a PIX device running firmware version 6.x, please consult the HowtoCiscoPix. The Shrew Soft VPN Client has been tested with Cisco products to ensure interoperability. Overview¶ The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the pull configuration method to acquire the following parameters automatically from the gateway. IP Address IP Netmask DNS Servers DNS Default Domain Suffix DNS Split Network Domain List WINS Servers PFS Group Remote Network Topology Login Banner Gateway Configuration¶ This example assumes you have knowledge of the Cisco ASA gateway command line configuration interface. For more information, please consult your Cisco product documentation. Interfaces¶ Two network interfaces are configured. The outside interface has a static public IP address of 1.1.1.20 which faces the internet. The inside interface has a static private IP address that faces the internal private network. The default gateway is configured as 1.1.1.3 via the outside interface. interface Vlan1 nameif inside security-level 100 ip address 10.1.2.20 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 10.1.1.20 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! Access List¶ An access lists must be configured to define the IPSec policies. This is expressed with the source matching the local private network(s) and the destination matching any as the VPN client address will be assigned by the gateway. object-group network group-inside-vpnclient description All inside accessible networks network-object 10.1.2.0 255.255.255.0 access-list acl-vpnclient extended permit ip object-group group-inside-vpnclient any Address Pool¶ The IP address pool must be configured. Clients will be assigned private network addresses from a pool of 10.2.20.1-10.2.20.126. ip local pool ippool-vpnclient 10.2.20.1-10.2.20.126 mask 255.255.255.0 User Authentication¶ User authentication must be configured to support IKE extended authentication ( XAuth ). In this example, we use define user accounts locally on the ASA. It is possible to pass this authentication to a radius or an LDAP account server using the Cisco AAA authentication mechanism. For more information, please consult your cisco product documentation. aaa authentication ssh console LOCAL username bill password XXX encrypted username bob password XXX encrypted IPsec Parameters¶ A transform set and dynamic IPsec crypto map must be configured to support client VPN connections. The dynamic crypto map is then assigned to a standard crypto map and bound to the outside ( public ) interface. crypto ipsec transform-set xform-3des-md5 esp-3des esp-md5-hmac crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5 crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient crypto map cmap-vpncient interface outside ISAKMP Parameters¶ The ISAKMP protocol must be enabled on the outside ( public ) interface and an ISAKMP policy must be configured. NAT Traversal is also enabled to allow clients to communicate effectively when their peer address is being translated. The keep alive packet rate is set to 20 seconds. crypto isakmp enable outside crypto isakmp identity address crypto isakmp nat-traversal 20 crypto isakmp policy 1 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 Group Policy¶ A group policy must be configured to provide the client with dynamic configuration information. group-policy group-policy-default internal group-policy group-policy-default attributes banner value Welcome to the shrew.net ciscoasa wins-server value 10.1.2.100 10.1.2.1 dns-server value 10.1.2.100 10.1.2.1 vpn-tunnel-protocol IPSec password-storage disable re-xauth disable pfs disable split-tunnel-policy tunnelspecified split-tunnel-network-list value acl-vpnclient default-domain value shrew.net split-dns value shrew.net example.com Tunnel Group¶ A tunnel group must be configured to define the VPN Client tunnel parameters. It is created using the type ipsec-ra for IPsec remote access. The client uses the tunnel group name as its FQDN identity value and the tunnel group pre-shared-key as its pre-shared key value. tunnel-group vpnclient type ipsec-ra tunnel-group vpnclient general-attributes address-pool ippool-vpnclient default-group-policy group-policy-default tunnel-group vpnclient ipsec-attributes pre-shared-key mypresharedkey Client Configuration¶ The client configuration in this example is straight forward. Open the Access Manager application and create a new site configuration. Configure the settings listed below in the following tabs. General Tab¶ The Remote Host section must be configured. The Host Name or IP Address is defined as 10.1.1.20 to match the ASA outside ( public ) interface address. The Auto Configuration mode should be set to ike config pull. Phase 1 Tab¶ The Proposal section must be configured. The Exchange Type is set to aggressive and the DH Exchange is set to group 2 to match the ASA ISAKMP policy definition. Authentication Tab¶ The client authentication settings must be configured. The Authentication Method is defined as Mutual PSK + XAuth. Local Identity Tab¶ The Local Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of "vpnclient" to match the ASA tunnel group name. Remote Identity Tab¶ The Remote Identity parameters are set to IP Address with the Use a discovered remote host address option checked to match the ASA ISAKMP identity parameter. Credentials Tab¶ The Credentials Pre Shared Key is defined as "mypresharedkey" to match the ASA tunnel group pre-shared-key. Known Issues¶ Cisco gateways support a proprietary form of hybrid authentication which does not conform to RFC draft standards. At this time the Shrew Soft VPN Client does not support this authentication mode. We hope to add support for this in the future. Resources¶ Example ASA configuration Example Client configuration
	The only bad question is the question that is not asked.

lodogg Members Profile Send Private Message Find Members Posts Visit Members Homepage Add to Buddy List Admin Group Joined: 25 January 2003 Online Status: Offline Posts: 1831	Quote Reply Posted: 12 January 2009 at 10:45pm
	uploads/1/vpnrmote.pdf Here is another document on terminating a VPN connection on an ASA / PIX.
	The only bad question is the question that is not asked.

lodogg Members Profile Send Private Message Find Members Posts Visit Members Homepage Add to Buddy List Admin Group Joined: 25 January 2003 Online Status: Offline Posts: 1831	Quote Reply Posted: 12 January 2009 at 8:15pm
	uploads/1/vpnclient-pix-aes.pdf I found this to be a solid config I have attached the .pdf article above. PIX Version 6.3(1) interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto shutdown nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 intf2 security4 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname Pixfirewall fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 names !--- Define the access list to enable split tunneling.* access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.8.0 255.255.255.0 access-list 101 permit ip 10.10.11.0 255.255.255.0 10.10.8.0 255.255.255.0 !--- Define the access list to avoid network address !--- translation (NAT) on IPsec packets. access-list 102 permit ip 10.10.10.0 255.255.255.0 10.10.8.0 255.255.255.0 access-list 102 permit ip 10.10.11.0 255.255.255.0 10.10.8.0 255.255.255.0 pager lines 24 mtu outside 1500 mtu inside 1500 mtu intf2 1500 !--- Configure the IP address on the interfaces. ip address outside 172.16.10.1 255.255.255.0 ip address inside 10.10.10.2 255.255.255.0 no ip address intf2 ip audit info action alarm ip audit attack action alarm !--- Create a pool of addresses from which IP addresses are assigned !--- dynamically to the remote VPN Clients. ip local pool vpnpool1 10.10.8.1-10.10.8.254 pdm history enable arp timeout 14400 !--- Disable NAT for IPsec packets. nat (inside) 0 access-list 102 route outside 0.0.0.0 0.0.0.0 172.16.10.2 1 route inside 10.10.11.0 255.255.255.0 10.10.10.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable !--- Permit packet that came from an IPsec tunnel to pass through without !--- checking them against the configured conduits/access lists. sysopt connection permit-ipsec !--- Define the transform set to be used during IPsec !--- security association (SA) negotiation. Specify AES as the encryption algorithm. crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac !--- Create a dynamic crypto map entry !--- and add it to a static crypto map. crypto dynamic-map map2 10 set transform-set trmset1 crypto map map1 10 ipsec-isakmp dynamic map2 !--- Bind the crypto map to the outside interface. crypto map map1 interface outside !--- Enable Internet Security Association and Key Management !--- Protocol (ISAKMP) negotiation on the interface on which the IPsec !--- peer communicates with the PIX Firewall. isakmp enable outside isakmp identity address !--- Define an ISAKMP policy to be used while !--- negotiating the ISAKMP SA. Specify !--- AES as the encryption algorithm. The configurable AES !--- options are aes, aes-192 and aes-256. !--- Note: AES 192 is not supported by the VPN Client. isakmp policy 10 authentication pre-share isakmp policy 10 encryption aes-256 isakmp policy 10 hash sha isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 !--- Create a VPN group and configure the policy attributes which are !--- downloaded to the Easy VPN Clients. vpngroup groupmarketing address-pool vpnpool1 vpngroup groupmarketing dns-server 10.10.11.5 vpngroup groupmarketing wins-server 10.10.11.5 vpngroup groupmarketing default-domain org1.com vpngroup groupmarketing split-tunnel 101 vpngroup groupmarketing idle-time 1800 vpngroup groupmarketing password ******** telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksum:c064abce81996b132025e83e421ee1c3 : end
	The only bad question is the question that is not asked.